
Re: Iptables: Forward & Input



Lars wrote on 27/10/2005 22:32:
> I got a Sarge server, where one of the NICs is divided into a couple of
> virtual NICs.
>
> # eth1 - master (172.16.0.0/27)
> # eth1:1 - proxy (172.16.0.0/27)
> # eth1:2 - dns (172.16.0.0/27)
> # eth1:6 - file (172.16.0.32/29)
>
> LAN_NET='172.16.0.0/27'
> SERVICE_NET='172.16.0.32/29'
>
> But I'm having problems getting the forwards/input of the iptables
> right. How does Debian react to the virtual NICs exactly? When I allow
> INPUT on the file-nic I can't get a connection.

From which IP to which IP are you trying to connect?

> But when I remove the
> "-d" switch, everything works flawlessly. So is the Master (Primary) NIC
> still needed?
> iptables -A INPUT -p tcp  -s $LAN_NET -d $FILE_NIC -m multiport --dport
> 135,137,138,139 -j ACCEPT

What is $FILE_NIC set to?

> The same with Bind, I would like it to use 172.16.0.3, but I can't
(you said 1721.6.0.3, but I corrected that to what you probably meant)
> specify that IP.
> iptables -A INPUT -p tcp -s $LAN_NET --dport 53 -j ACCEPT #DNS

You realize that DNS via TCP is usually only used for transfers and
nslookup? "Normal" requests are sent via UDP (same port though). That's
a problem I also regularly run into even though I should know better.

> Generally it is not a problem, I just don't define the destination. But in
> principle I don't open more than needed.

Which is a good principle.

cu,
sven
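An added example, not from the thread, of how the INPUT rules above can be written for the aliased interfaces: the kernel only knows eth1, so an alias like eth1:6 is selected by its destination address with `-d`, and DNS gets both UDP and TCP 53. The networks and 172.16.0.3 come from the post; the FILE_NIC address, the interface name eth1 in the rules, and the baseline loopback/ESTABLISHED rules are assumptions.

```shell
#!/bin/sh
# Added example for the setup discussed in the thread (not Lars's or Sven's script).
LAN_NET='172.16.0.0/27'
SERVICE_NET='172.16.0.32/29'
FILE_NIC='172.16.0.33'   # assumed: one address inside the 172.16.0.32/29 file alias
DNS_IP='172.16.0.3'      # the address the post wants bind to listen on
IFACE='eth1'             # aliases (eth1:1, eth1:6, ...) are not separate interfaces

# Functions read $IPT at call time, so IPT=echo previews rules without applying them.
IPT="${IPT:-iptables}"

base_rules() {
    # Assumed baseline: allow loopback and replies to connections the host opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

file_rules() {
    # "-i eth1:6" does not exist for netfilter; match the alias by its address (-d).
    # The post lists 135,137,138,139 under tcp; 137/138 (NetBIOS name/datagram)
    # are UDP in practice, 135 (RPC) and 139 (NetBIOS session) are TCP.
    $IPT -A INPUT -i "$IFACE" -p tcp -s "$LAN_NET" -d "$FILE_NIC" \
        -m multiport --dports 135,139 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p udp -s "$LAN_NET" -d "$FILE_NIC" \
        -m multiport --dports 137,138 -j ACCEPT
}

dns_rules() {
    # Ordinary lookups are UDP; TCP 53 is needed for zone transfers and large answers.
    # Restricting -d to the bind address keeps the rule to the least privilege needed.
    $IPT -A INPUT -i "$IFACE" -p udp -s "$LAN_NET" -d "$DNS_IP" --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp -s "$LAN_NET" -d "$DNS_IP" --dport 53 -j ACCEPT
}

# Usage: sh rules.sh preview   (print the rules)   |   sh rules.sh apply
case "${1:-}" in
    preview) IPT=echo; base_rules; file_rules; dns_rules ;;
    apply)   base_rules; file_rules; dns_rules ;;
esac
```

Run the preview first and compare it with `iptables -L INPUT -n -v` afterwards; the byte counters show whether traffic actually hits the `-d` rule or falls through to a later one.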
