
unsubscribe



On Wed 09 Feb 2005 11:07, Tomaz Kravcar wrote:
> Manfred Sampl wrote:
> | Hi,
> |
> | My input ruleset doesn't work as it should... I'm using woody /
> | netfilter on 2.4.27 (debian kernel I think) for doing the routing
> | on a DSL connection.
> |
> | I can't reach ssh on the external interface.
> |
> | First here is my ruleset:
> |
> | # IP spoofing rules
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP
> |
> | # loopback interfaces are valid.
> | $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> |
> | # pptp
> | # 1+2 line: pptp control + data
> | $IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT
> | $IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT
> |
> | # ssh IN
> | $IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
> |
> | # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
> |
> | # SMB - Enable the following lines if you run an INTERNAL SMB server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT
> |
> | # local interface, local machines, going anywhere is valid
> | $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> |
> | # external interface, from any source, for ICMP traffic is valid - ping
> | $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> |
> | # Allow any related traffic coming back to the MASQ server in
> | echo "        INPUT: Allow connections OUT and only existing/related IN"
> | $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
> |
> | What is wrong? And are the spoofing rules not redundant? The
> | default policy is DROP.
> |
> | I can use any help or hint,
> |
> | Regards Manfred
>
> Did you notice that you have only rules for INPUT? What about OUTPUT?
> For every INPUT you need an appropriate OUTPUT rule :)
> I don't know your configuration or how exactly you are connected to the
> network, but for ssh you should probably have to add:
>
> $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT
>
> But this won't make your firewall work as expected, since you have to make
> some OUTPUT (maybe FORWARD) rules. You should consider using something
> like firehol, firestarter or some other frontend for iptables, since that
> is much easier and safer.
>
> Regards
> Tomaz

-- 
Guilherme Rocha
Systems and Services Analyst
Sul Soluções Informática Ltda.
http://www.sulsolucoes.com.br
+55-71-240-2026/240-3975
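The failure Tomaz points at in the quoted reply, as an added example that is not code from the thread: a small Python model (the names `Pkt`, `Rule`, `walk` and `ssh_handshake_ok` and the sample packets are my own) of netfilter walking INPUT and OUTPUT with a DROP policy on both chains. It shows that Manfred's INPUT rule admits the SSH SYN but the server's SYN-ACK is dropped in OUTPUT until either Tomaz's `--sport 22` rule or a single stateful ESTABLISHED,RELATED rule is present.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    iface: str                # interface the packet arrives on (INPUT) or leaves by (OUTPUT)
    proto: str
    sport: int
    dport: int
    state: str                # conntrack state the kernel would assign: NEW or ESTABLISHED

@dataclass
class Rule:
    iface: Optional[str] = None      # -i / -o
    proto: Optional[str] = None      # -p
    sport: Optional[int] = None      # --sport
    dport: Optional[int] = None      # --dport
    state: Optional[set] = None      # -m state --state ...; None means no state match
    target: str = "ACCEPT"           # -j

    def matches(self, p: Pkt) -> bool:
        return (self.iface in (None, p.iface) and self.proto in (None, p.proto)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and (self.state is None or p.state in self.state))

def walk(chain: list, pkt: Pkt, policy: str = "DROP") -> str:
    """The first matching rule decides, as in iptables; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def ssh_handshake_ok(inp: list, out: list) -> bool:
    """An inbound SSH connection on EXTIF completes only if the client's SYN
    passes INPUT and the server's SYN-ACK then passes OUTPUT."""
    syn = Pkt("EXTIF", "tcp", 51234, 22, "NEW")          # constructed sample packet
    if walk(inp, syn) != "ACCEPT":
        return False
    # conntrack recorded the SYN, so the reply travels in the ESTABLISHED state
    synack = Pkt("EXTIF", "tcp", 22, 51234, "ESTABLISHED")
    return walk(out, synack) == "ACCEPT"

# Manfred's "ssh IN" rule on the external interface; his OUTPUT chain is empty
MANFRED_INPUT = [Rule(iface="EXTIF", proto="tcp", dport=22)]
MANFRED_OUTPUT: list = []
# Tomaz's fix: a per-service OUTPUT rule keyed on the reply's source port
TOMAZ_OUTPUT = [Rule(iface="EXTIF", proto="tcp", sport=22)]
# One stateful OUTPUT rule that covers the replies of every accepted INPUT
STATEFUL_OUTPUT = [Rule(state={"ESTABLISHED", "RELATED"})]
```

The stateful variant is what frontends such as firehol generate for you; a per-service OUTPUT rule has to be added for each INPUT rule, which is exactly the bookkeeping Tomaz warns about.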


