
[solved] Re: iptables ruleset ...



On Wednesday, 09.02.2005, 14:07 +0100, Tomaz Kravcar wrote:
> |
> | First here is my ruleset:
> |
> | # IP spoofing rules
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP
> |
> | # loopback interfaces are valid.
> | $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> |
> | # pptp
> | # 1+2 line: pptp control + data
> | $IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT
> | $IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT
> |
> | # ssh IN
> | $IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
> |
> |
> | # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
> |
> | # SMB - Enable the following lines if you run an INTERNAL SMB server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT
> |
> | # local interface, local machines, going anywhere is valid
> | $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> |
> | # external interface, from any source, for ICMP traffic is valid - ping
> | $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> |
> | # Allow any related traffic coming back to the MASQ server in
> | echo "        INPUT: Allow connections OUT and only existing/related IN"
> | $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state \
> |     --state ESTABLISHED,RELATED -j ACCEPT
> |
> |
> | Regards Manfred
> |
> |
> Did you notice that you have only rules for INPUT? What about OUTPUT?
> For every INPUT you need an appropriate OUTPUT rule :)
> I don't know your configuration or how exactly you are connected to the
> network, but for ssh you should probably have to add:
> 
> $IPTABLES -A OUTPUT -o $EXTINT -d $EXTIP -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT

I didn't include the OUTPUT rules, because I thought the wrong rule was
in the INPUT chain, but I was wrong. Logging and trial and error helped
me find a wrong OUTPUT rule:

$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT

HURRRRRA now it works,

Thanks everybody for the fast response and help
Regards
Manfred
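The fix in this thread (an INPUT ACCEPT for ssh is useless with an OUTPUT policy of DROP unless the reply direction is allowed too) and the "logging and trial and error" step that found it, as an added example script that is not part of the thread or of Manfred's ruleset. It assumes interface names eth0/eth1 and a constructed address 203.0.113.10; set IPTABLES=echo to print the rules instead of installing them, which needs no root. It also shows the stateful catch-all that avoids writing a mirror OUTPUT rule per service:

```shell
#!/bin/sh
# Added example, not from the thread. Paired INPUT/OUTPUT ssh rules, a
# conntrack catch-all, and LOG rules for debugging a DROP policy.
# IPTABLES=echo ./fw.sh prints the rules; ./fw.sh apply installs them (root).
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"            # assumed external interface name
INTIF="${INTIF:-eth1}"            # assumed internal interface name
EXTIP="${EXTIP:-203.0.113.10}"    # constructed documentation address

ssh_rules() {
    # Inbound ssh: from the outside to our external address, and from the LAN.
    $IPTABLES -A INPUT -i "$EXTIF" -p tcp -d "$EXTIP" --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF" -p tcp --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Reply direction: without these (or the catch-all below) the server's
    # SYN-ACK from port 22 hits an OUTPUT policy of DROP and ssh never connects.
    $IPTABLES -A OUTPUT -o "$EXTIF" -p tcp -s "$EXTIP" --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTIF" -p tcp --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
}

stateful_catchall() {
    # Alternative to one mirror OUTPUT rule per service: let conntrack accept
    # every packet belonging to a connection that was already allowed.
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

log_rules() {
    # Appended last in each chain, so they log exactly what is about to fall
    # through to the default policy; the limit keeps the log readable.
    $IPTABLES -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

# Dry-run check: how many ACCEPT rules would function $1 append to chain $2?
# Used to verify that every INPUT ACCEPT has an OUTPUT counterpart.
count_accepts() {
    ( IPTABLES=echo; "$1" ) | grep -c -- "-A $2 .* -j ACCEPT"
}

case "${1:-print}" in
    apply) ssh_rules; stateful_catchall; log_rules ;;
    print) IPTABLES=echo; ssh_rules; stateful_catchall; log_rules ;;
esac
```

Because the script uses -A (append), the order of the calls is the order of the rules: the LOG rules must come after every ACCEPT, or they will log traffic that is then accepted anyway. Reading the kernel log for "FW-OUT-DROP:" lines with SPT=22 is the quickest way to see that the reply direction, not the INPUT chain, is what is being dropped.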


