
Re: iptables blocking eth0 .. why ?



Have you got ip_forward turned on?

cat /proc/sys/net/ipv4/ip_forward



On Fri, 2005-01-07 at 10:39, Adam Bogacki wrote:
> Hi,
> 
> I'd appreciate a second opinion why this script is blocking eth0,
> confirming or disconfirming the line I've indicated.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> re two interfaces in this server:
> #eth0 - <internet-address>
> #eth1 - <lan-address>
> 
> ### Create Chains
> iptables -N IN_LO
> iptables -N OUT_LO
> iptables -N IN_ETH0
> iptables -N OUT_ETH0
> iptables -N IN_ETH1
> iptables -N OUT_ETH1
> iptables -N BLOCKED_PACKETS
> iptables -N ICMP_PACKETS
> 
> ### POLICIES
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> 
> ### INPUT
> iptables -A INPUT -j BLOCKED_PACKETS
> iptables -A INPUT -p icmp -j ICMP_PACKETS
> iptables -A INPUT -i lo -j IN_LO
> iptables -A INPUT -i eth0 -j IN_ETH0
> iptables -A INPUT -i eth1 -j IN_ETH1
> 
> ### FORWARD
> iptables -A FORWARD -j BLOCKED_PACKETS
> iptables -A FORWARD -p icmp -j ICMP_PACKETS
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> ### OUTPUT
> iptables -A OUTPUT -j BLOCKED_PACKETS
> iptables -A OUTPUT -p icmp -j ICMP_PACKETS
> iptables -A OUTPUT -o lo -j OUT_LO
> iptables -A OUTPUT -o eth0 -j OUT_ETH0
> iptables -A OUTPUT -o eth1 -j OUT_ETH1
> 
> ### BLOCKING_PACKETS
> iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> -j DROP
> iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
> # should this be on both interfaces?
> #iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
> #--dport 135:139 -j DROP
> 
> Is the following line why eth0 is blocked on my system?
> iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
> --dport 67:68 -j DROP
> 
> ### ICMP_PACKETS
> # are all of these really needed?  Which ones should I not accept?
> iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
> iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
> ### IN_LO (localhost)
> # are these really needed?  Why?
> iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
> #iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
> #iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT
> 
> ### IN_ETH0 (Internet)
> #iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
> #--state RELATED,ESTABLISHED -j ACCEPT
> 
> ### IN_ETH1 (LAN)
> #iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
> #--state RELATED,ESTABLISHED -j ACCEPT
> 
> ### OUT_LO (Localhost)
> # are these really needed?  Why?
> iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
> #iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
> #iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT
> 
> ### OUT_ETH0 (Internet)
> #iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
> #--state RELATED,ESTABLISHED -j ACCEPT
> 
> ### OUT_ETH1 (LAN)
> #iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
> #--state RELATED,ESTABLISHED -j ACCEPT
> 
> #save this setup for next use
> 
> iptables-save
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- 
============================
Charles Kidson
Systems Administrator
General Pants Group
charlesk@generalpants.com.au
ph 02 9290 0813
fx 02 9299 6485
mb 0428 61 7766
============================
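To see where each kind of packet actually ends up under the quoted script, here is a small Python model of its chains that I have added to this thread (my own code, not from either poster, and not a substitute for running iptables itself). It encodes only the rules that are active in the script; the commented-out IN_ETH0/OUT_ETH0 RELATED,ESTABLISHED rules can be switched on with `with_state_rules()`. Interface names come from the script; since its addresses are placeholders, those two rules are modelled on interface and state only, and the sample packets, TEST-NET addresses and the `fate`/`simulate` helpers are all constructed for this example.

```python
import ipaddress

# Constructed model of the quoted script's chains: only the rules that are
# active in the script (the commented-out IN_*/OUT_* rules are absent).
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def rule(target, **match):
    return (match, target)

CHAINS = {
    "INPUT": [rule("BLOCKED_PACKETS"), rule("ICMP_PACKETS", proto="icmp"),
              rule("IN_LO", in_if="lo"), rule("IN_ETH0", in_if="eth0"),
              rule("IN_ETH1", in_if="eth1")],
    "FORWARD": [rule("BLOCKED_PACKETS"), rule("ICMP_PACKETS", proto="icmp"),
                rule("ACCEPT", state={"RELATED", "ESTABLISHED"})],
    "OUTPUT": [rule("BLOCKED_PACKETS"), rule("ICMP_PACKETS", proto="icmp"),
               rule("OUT_LO", out_if="lo"), rule("OUT_ETH0", out_if="eth0"),
               rule("OUT_ETH1", out_if="eth1")],
    "BLOCKED_PACKETS": [
        rule("DROP", state={"INVALID"}),
        # --tcp-flags SYN,ACK SYN,ACK: both SYN and ACK set on a NEW packet
        rule("REJECT", proto="tcp", flags={"SYN", "ACK"}, state={"NEW"}),
        # ! --syn: a NEW packet that is not a bare SYN
        rule("DROP", proto="tcp", syn=False, state={"NEW"}),
        rule("DROP", dst="224.0.0.0/8"),
        # the line the poster suspects: only DHCP broadcasts arriving on eth0
        rule("DROP", dst="255.255.255.255/32", in_if="eth0", proto="udp",
             dport=(67, 68)),
    ],
    "ICMP_PACKETS": [rule("ACCEPT", proto="icmp", icmp_type=t)
                     for t in (0, 3, 4, 8, 11, 12)],
    "IN_LO": [rule("ACCEPT", src="127.0.0.1/32", in_if="lo")],
    "OUT_LO": [rule("ACCEPT", dst="127.0.0.1/32", out_if="lo")],
    "IN_ETH0": [], "IN_ETH1": [], "OUT_ETH0": [], "OUT_ETH1": [],
}

def with_state_rules():
    """Copy of CHAINS with the script's commented-out IN_ETH0/OUT_ETH0
    RELATED,ESTABLISHED rules switched on (address match omitted: assumption)."""
    chains = dict(CHAINS)
    chains["IN_ETH0"] = [rule("ACCEPT", in_if="eth0", state={"RELATED", "ESTABLISHED"})]
    chains["OUT_ETH0"] = [rule("ACCEPT", out_if="eth0", state={"RELATED", "ESTABLISHED"})]
    return chains

def matches(match, pkt):
    """Does one rule's match part apply to this packet?"""
    flags = pkt.get("flags", set())
    for key, want in match.items():
        if key in ("in_if", "out_if", "proto", "icmp_type"):
            if pkt.get(key) != want:          # no in_if in OUTPUT, so -i never matches there
                return False
        elif key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key == "dport":
            if not want[0] <= pkt.get("dport", -1) <= want[1]:
                return False
        elif key == "state":
            if pkt["state"] not in want:
                return False
        elif key == "flags":
            if not want <= flags:
                return False
        elif key == "syn":
            bare_syn = "SYN" in flags and not flags & {"ACK", "RST", "FIN"}
            if bare_syn != want:
                return False
    return True

def walk(chains, chain, pkt, trace):
    """Traverse one chain; a user chain with no verdict returns to its caller."""
    for match, target in chains[chain]:
        if not matches(match, pkt):
            continue
        if target in TERMINAL:
            trace.append(f"{chain}: {target}")
            return target
        trace.append(f"{chain} -> {target}")
        verdict = walk(chains, target, pkt, trace)
        if verdict:
            return verdict
        trace.append(f"{target}: empty or no match, back to {chain}")
    return None

def fate(hook, pkt, chains=CHAINS):
    """Final verdict for a packet entering a built-in chain, plus the path taken."""
    trace = []
    verdict = walk(chains, hook, pkt, trace)
    if verdict is None:
        verdict = POLICY[hook]
        trace.append(f"{hook}: end of chain, policy {verdict}")
    return verdict, trace

# Constructed sample packets (TEST-NET and private addresses, not the poster's).
EXT, ME, LAN = "198.51.100.7", "203.0.113.5", "192.168.1.10"
PACKETS = {
    "new SSH SYN arriving on eth0": ("INPUT", dict(
        in_if="eth0", proto="tcp", src=EXT, dst=ME, dport=22, state="NEW", flags={"SYN"})),
    "reply to a connection we opened, arriving on eth0": ("INPUT", dict(
        in_if="eth0", proto="tcp", src=EXT, dst=ME, dport=40000, state="ESTABLISHED", flags={"ACK"})),
    "ping request arriving on eth0": ("INPUT", dict(
        in_if="eth0", proto="icmp", icmp_type=8, src=EXT, dst=ME, state="NEW")),
    "DHCP broadcast arriving on eth0": ("INPUT", dict(
        in_if="eth0", proto="udp", src="0.0.0.0", dst="255.255.255.255", dport=67, state="NEW")),
    "our own new HTTP SYN leaving via eth0": ("OUTPUT", dict(
        out_if="eth0", proto="tcp", src=ME, dst=EXT, dport=80, state="NEW", flags={"SYN"})),
    "LAN host opening HTTP through the box": ("FORWARD", dict(
        in_if="eth1", out_if="eth0", proto="tcp", src=LAN, dst=EXT, dport=80, state="NEW", flags={"SYN"})),
    "local SMTP over loopback": ("INPUT", dict(
        in_if="lo", proto="tcp", src="127.0.0.1", dst="127.0.0.1", dport=25, state="NEW", flags={"SYN"})),
}

def simulate(chains=CHAINS):
    """Verdict for every sample packet under the given chains."""
    return {name: fate(hook, pkt, chains)[0] for name, (hook, pkt) in PACKETS.items()}

if __name__ == "__main__":
    for label, chains in (("as posted", CHAINS), ("with IN/OUT_ETH0 state rules", with_state_rules())):
        print(f"== {label} ==")
        for name, (hook, pkt) in PACKETS.items():
            verdict, trace = fate(hook, pkt, chains)
            print(f"{verdict:7} {name}\n        " + " | ".join(trace))
```

Run as-is it prints the traversal for each sample packet. In this model the suspected 255.255.255.255 rule only ever catches DHCP broadcasts; what stops everything else on eth0 is that IN_ETH0 and OUT_ETH0 are empty, so traffic falls back to the DROP policy of INPUT and OUTPUT. ICMP echo is still answered, because ICMP_PACKETS is consulted before the interface chains. Switching on the commented RELATED,ESTABLISHED rules lets replies in, but a connection the box itself opens on eth0 is still NEW in OUTPUT and is still dropped, and with ip_forward enabled the FORWARD chain as written likewise drops every NEW connection from the LAN; that is my reading of the script, not something either poster states.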

