iptables ruleset ...
Hi,
My input ruleset doesn't work as it should... I'm using woody /
netfilter on 2.4.27 (debian kernel I think) for doing the routing on a
DSL connection.
I can't reach ssh on the external interface.
First here is my ruleset:
# IP spoofing rules
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP
# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# pptp
# 1+2 line: pptp control + data
$IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT
$IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT
# ssh IN
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# SMB - Enable the following lines if you run an INTERNAL SMB server
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT
# local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# external interface, from any source, for ICMP traffic is valid - ping
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
echo " INPUT: Allow connections OUT and only existing/related IN"
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT
What is wrong? And are the spoofing rules not redundant? The default
policy is DROP.
I can use any help or hint,
Regards
Manfred
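Added example, not part of Manfred's post: a small Python checker that performs the review a list reader would do on the posted anti-spoofing and ssh rules. The embedded ruleset is a constructed copy of the lines above with the shell variables left unexpanded; the checks (non-RFC 1918 source range, TCP-only spoofing rules, ssh rule tied to a possibly stale $EXTIP) are this example's own assumptions about what is worth flagging.

```python
import ipaddress

# Constructed copy of the posted rules; $-variables are left as written.
RULESET = """
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
"""

# Ranges an anti-spoofing filter on the external interface normally covers.
EXPECTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def parse_rule(line):
    """Map each option of one '$IPTABLES -A CHAIN ...' line to its value."""
    toks = line.split()
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("-"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                opts[toks[i]] = True  # bare flag without a value
                i += 1
        else:
            i += 1
    return opts


def lint(ruleset):
    """Return a list of human-readable findings about the ruleset."""
    findings, dropped = [], []
    for line in ruleset.strip().splitlines():
        r = parse_rule(line)
        if r.get("-j") == "DROP" and "-s" in r:
            dropped.append(r["-s"])
            net = ipaddress.ip_network(r["-s"])
            if not (net.is_private or net.is_loopback or net.is_reserved):
                findings.append(f"{r['-s']}: not an RFC 1918/loopback/reserved range (192.168.0.0/16 intended?)")
            if str(r.get("-p", "")).lower() == "tcp":
                findings.append(f"{r['-s']}: matched only for TCP; spoofed UDP/ICMP falls through to later rules and the policy")
        if r.get("--dport") == "22" and str(r.get("-d", "")).startswith("$"):
            findings.append(f"ssh rule depends on {r['-d']}; a stale value on a dynamic DSL address makes it never match")
    for n in EXPECTED:
        if n not in dropped:
            findings.append(f"{n}: not covered by the anti-spoofing rules")
    return findings
```

Run `lint(RULESET)` to see the findings; the TCP-only note matters here because a later rule accepts ICMP from anywhere, so the spoofing rules as written never see a spoofed ping.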