
Re: iptables ruleset ...



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Manfred Sampl wrote:

| Hi,
|
| My input ruleset doesn't work as it should... I'm using woody /
| netfilter on 2.4.27 (debian kernel I think) for doing the routing
| on a DSL connection.
|
| I can't reach ssh on the external interface.
|
| First here is my ruleset:
|
| # IP spoofing rules
| $IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
| $IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP
| $IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
| $IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
| $IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP
|
| # loopback interfaces are valid.
| $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
|
| # pptp
| # 1+2 line: pptp control + data
| $IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT
| $IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT
|
| # ssh IN
| $IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
| $IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
|
| # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
| $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
| $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
|
| # SMB - Enable the following lines if you run an INTERNAL SMB server
| $IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
| $IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT
|
| # local interface, local machines, going anywhere is valid
| $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
|
| # external interface, from any source, for ICMP traffic is valid - ping
| $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
|
| # Allow any related traffic coming back to the MASQ server in
| echo "        INPUT: Allow connections OUT and only existing/related IN"
| $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
|
| What is wrong? And are the spoofing rules not redundant? The
| default policy is DROP.
|
| I could use any help or hint.
|
| Regards Manfred
|
|
Did you notice that you only have rules for INPUT? What about OUTPUT?
For every INPUT rule you need an appropriate OUTPUT rule :)
I don't know your configuration or how exactly you are connected to the
network, but for ssh you will probably have to add:

$IPTABLES -A OUTPUT -o $EXTIF -d $EXTIP -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT

But this won't make your firewall work as expected, since you still have
to write some OUTPUT (and maybe FORWARD) rules. You should consider using
something like firehol, firestarter or some other frontend for iptables,
since that is much easier and safer.

Regards
Tomaz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCCgsS6Zdbmk3K9rwRAo+qAJ96iwdqZrLWvwV0G2m1w5733a0ScgCfenhl
ldhdIZOx1MQW6qorpQUWesk=
=Pidy
-----END PGP SIGNATURE-----
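The point of the reply, that with a DROP policy on OUTPUT every accepted INPUT needs a matching OUTPUT rule for the replies, shown as an added example; this is not code from either poster. It keeps the variable names of the original script ($EXTIF, $INTIF, $EXTIP, $INTNET) with constructed placeholder values, and the helper names ssh_rules and stateful_rules are assumptions. It goes beyond the reply in two ways: stateful_rules uses a single ESTABLISHED,RELATED rule per chain so only NEW connections need explicit rules, and it adds the FORWARD and masquerading rules a DSL router needs. It also keeps anti-spoofing rules, which are not redundant under a DROP policy: the ssh and ESTABLISHED,RELATED rules would otherwise accept a packet arriving on the external interface with a spoofed private source address. The original spoofing rules only matched TCP; the ones here match all protocols.

```shell
#!/bin/sh
# Added example, not code from either poster. Variable names follow the
# original script ($EXTIF, $INTIF, $EXTIP, $INTNET); the values below are
# constructed placeholders (a TEST-NET-3 address and an RFC 1918 LAN).
EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-eth0}"
EXTIP="${EXTIP:-203.0.113.10}"
INTNET="${INTNET:-192.168.1.0/24}"
# Dry run by default: the commands are printed, not loaded.
# Run with IPTABLES=iptables as root to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# The fix proposed in the reply: with a DROP policy on OUTPUT, every INPUT
# rule that accepts a request needs an OUTPUT rule that lets the reply out.
# For ssh that is dport 22 inbound and sport 22 outbound, per interface.
ssh_rules() {
    $IPTABLES -A INPUT  -i "$EXTIF" -p tcp -d "$EXTIP" --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -p tcp -s "$EXTIP" --sport 22 -j ACCEPT
    $IPTABLES -A INPUT  -i "$INTIF" -p tcp -s "$INTNET" --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTIF" -p tcp -d "$INTNET" --sport 22 -j ACCEPT
}

# Stateful variant: one ESTABLISHED,RELATED rule per chain replaces the
# per-service reply rules, so only NEW connections need explicit rules.
# Also adds what a router needs: FORWARD rules and masquerading on the
# DSL link. Rule order matters: anti-spoofing DROPs come first.
stateful_rules() {
    $IPTABLES -P INPUT   DROP
    $IPTABLES -P OUTPUT  DROP
    $IPTABLES -P FORWARD DROP

    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing on the external interface, for all protocols
    # (the original rules only matched TCP).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPTABLES -A INPUT -i "$EXTIF" -s "$net" -j DROP
    done

    # Replies to anything accepted below, plus connections the router
    # opens itself (NEW on OUTPUT); INVALID packets still hit the policy.
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # New ssh connections and ping: only INPUT rules are needed now.
    $IPTABLES -A INPUT -i "$EXTIF" -p tcp -d "$EXTIP" --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF" -p tcp -s "$INTNET" --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -p icmp -d "$EXTIP" -j ACCEPT

    # Routing for the LAN over the DSL link (ip_forward must be enabled).
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
}

# Preview the stateful ruleset (a dry run unless IPTABLES=iptables is set).
stateful_rules
```

Run the script as-is to see the commands it would issue; set IPTABLES=iptables and run it as root to load them, then confirm with `iptables -L -n -v` that the ESTABLISHED,RELATED rules precede the per-service rules and that the anti-spoofing DROPs come before anything that ACCEPTs on $EXTIF.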
