[solved] Re: iptables ruleset ...
On Wednesday, 09.02.2005, 14:07 +0100, Tomaz Kravcar wrote:
> |
> | First here is my ruleset:
> |
> | # IP spoofing rules (192.168.0.0/16 corrected from 192.0.0.0/16, which
> | # is not a private range)
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.168.0.0/16 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP
> |
> | # loopback interfaces are valid.
> | $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> |
> | # pptp
> | # 1+2 line: pptp control + data
> | $IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT
> | $IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT
> |
> | # ssh IN
> | $IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
> |
> | # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
> |
> | # SMB - Enable the following lines if you run an INTERNAL SMB server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT
> |
> | # local interface, local machines, going anywhere is valid
> | $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> |
> | # external interface, from any source, for ICMP traffic is valid - ping
> | $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> |
> | # Allow any related traffic coming back to the MASQ server in
> | echo " INPUT: Allow connections OUT and only existing/related IN"
> | $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state \
> |     --state ESTABLISHED,RELATED -j ACCEPT
> |
> |
> | Regards Manfred
> |
> |
> Did you notice that you have only rules for INPUT, what about OUTPUT?
> For every INPUT you need an appropriate OUTPUT rule :)
> I don't know your configuration or how exactly you are connected to the
> network, but for ssh you should probably have to add:
>
> $IPTABLES -A OUTPUT -o $EXTINT -d $EXTIP -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT
I didn't include the OUTPUT rules, because I thought the wrong rule is
in the INPUT chain, but I was wrong. Logging and trial and error helped
me find a wrong output rule:
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT
HURRRRRA now it works,
Thanks everybody for fast response and help
Regards
Manfred
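The mistake in this thread (INPUT accepts a service, but the OUTPUT chain has a DROP policy and no rule letting the replies out) is easy to catch mechanically. The following is an added example, not code from the thread: a small audit over iptables-save style text that reports every INPUT ACCEPT rule for a TCP/UDP port whose replies would be dropped on the way out. An OUTPUT rule is taken to cover the replies if it matches the same interface (or any interface) and either carries `--state`/`--ctstate` ESTABLISHED, or allows `--sport` equal to the service port, as Manfred's fix does. The three rulesets are constructed for the example; eth0 standing for $EXTIF and eth1 for $INTIF is an assumption, and the sample keeps only the ssh, ICMP and stateful rules from the posted set.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample: Manfred's situation before the fix. eth0 = $EXTIF,
# eth1 = $INTIF (assumed names). All three chains drop by default.
RULESET_BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

# Constructed: the explicit per-port OUTPUT rules Manfred ended up adding.
RULESET_EXPLICIT = RULESET_BEFORE.replace(
    "COMMIT",
    "-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT\n"
    "-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -j ACCEPT\n"
    "COMMIT",
)

# Constructed: one stateful OUTPUT rule covers the reply direction of every
# accepted inbound connection, so no per-service OUTPUT rule is needed.
RULESET_STATEFUL = RULESET_BEFORE.replace(
    "COMMIT",
    "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\nCOMMIT",
)


@dataclass
class Rule:
    chain: str
    target: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    sport: Optional[str] = None
    states: frozenset = frozenset()


def parse_ruleset(text):
    """Parse iptables-save style text into (chain policies, list of Rule)."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("*", "#", "COMMIT")):
            continue
        if line.startswith(":"):                     # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            continue
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        r, i = Rule(chain=toks[1]), 2
        while i < len(toks):
            t = toks[i]
            val = toks[i + 1] if i + 1 < len(toks) else ""
            if t == "-i": r.in_if = val
            elif t == "-o": r.out_if = val
            elif t == "-p": r.proto = val.lower()
            elif t == "--dport": r.dport = val
            elif t == "--sport": r.sport = val
            elif t in ("--state", "--ctstate"): r.states = frozenset(val.upper().split(","))
            elif t == "-j": r.target = val
            elif t not in ("-m", "-s", "-d"):           # unknown flag: skip it alone
                i += 1
                continue
            i += 2                                      # every handled flag takes one value
        rules.append(r)
    return policies, rules


def reply_allowed(rule, policies, rules):
    """Can replies to connections accepted by this INPUT rule leave the host?"""
    if policies.get("OUTPUT", "ACCEPT") == "ACCEPT":
        return True
    for o in rules:
        if o.chain != "OUTPUT" or o.target != "ACCEPT":
            continue
        if o.out_if is not None and rule.in_if is not None and o.out_if != rule.in_if:
            continue                                    # replies leave on the inbound interface
        if "ESTABLISHED" in o.states:
            return True                                 # stateful reply rule covers all services
        if o.proto in (None, rule.proto) and o.sport == rule.dport and not o.states:
            return True                                 # explicit --sport <service port> rule
    return False


def audit(text):
    """Return [(iface, proto, dport)] for INPUT service rules whose replies OUTPUT would drop."""
    policies, rules = parse_ruleset(text)
    return [
        (r.in_if, r.proto, r.dport)
        for r in rules
        if r.chain == "INPUT" and r.target == "ACCEPT"
        and r.proto in ("tcp", "udp") and r.dport
        and not reply_allowed(r, policies, rules)
    ]


if __name__ == "__main__":
    for name, text in (("before", RULESET_BEFORE), ("explicit", RULESET_EXPLICIT),
                       ("stateful", RULESET_STATEFUL)):
        print(name, audit(text))
```

Run against real output with `audit(open("rules.txt").read())` after `iptables-save > rules.txt`. The "before" ruleset reports ssh on both interfaces, which is exactly the symptom in the thread; both fixes clear it. The stateful variant is the one to prefer: one ESTABLISHED,RELATED rule in OUTPUT answers every accepted inbound connection, so adding a service to INPUT never again needs a matching OUTPUT rule, and an explicit `--sport 22` rule has the side effect of letting any locally originated packet with source port 22 out regardless of connection state.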