thank you all for the replies, new version of the rule-set attached

> I'm new to this list, and apologize for my English.

i am not a native speaker of english myself, so no worries...

> I do not see anything in your ruleset that may cause such behaviour.
> What surprises me is that the SSH session is lost only after a minute
> and not immediately after the filtering rules are created.

it was the firewall blocking the ospf traffic on eth1. the box would lose the ospf connection to the other routers and then traffic would stop. enabling the ospf protocol on eth1 solved the problem.

> Also, I notice that your ruleset does not take incoming ICMP requests
> into account.

the new rule-set accepts the ICMP but does not forward it to the "maths" side. i will have to decide if i want anyone pinging the machines or not... or is it good practice that ICMP echo-request should reach any machine connected to the internet?

> I suppose that the OUTPUT default policy is implicitly set to ACCEPT.
> Explicitly may be better.

done...

> iptables -A INPUT -i eth1 -p tcp -m state --state NEW \
> -m multiport --dports 346,2600,2601,2604 -j ACCEPT

this one was wrong, i enabled access to the control interfaces of quagga (zebra successor) instead of enabling the ospf protocol itself...

> > # ssh (all interfaces)
> > iptables -A INPUT -s <allowed-network>/16 -p tcp -m state --state NEW -m
> > tcp --dport 22 -j ACCEPT
> > iptables -A INPUT -s <allowed-network>/16 -p udp -m state --state NEW -m
> > udp --dport 22 -j ACCEPT
>
> The UDP rule is useless. SSH only uses TCP.

just that /etc/services says both (that confused me).

> <rules about forwarding>
> Also, are you aware that these rules are bidirectional and allow access
> from the internet to SSH, HTTP and SMTP services running on *any*
> machine in your network ?

yes i am aware of that, i will limit those later as required...

> > # jet direct
> > iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 9100 -j
> > ACCEPT
>
> Do you really need to allow a printing protocol between your network and
> the internet ?

forgot to put "-s <network>" in the rule, our networked boxes on the eth1 side have to reach printers behind this router...

> At the end of your ruleset you should consider REJECTing valid but
> undesired packets instead of DROPping them, in order to remain compliant
> with the IP specifications and avoid those annoying time-outs and
> retries resulting from DROP rules or default policies.

thanks, done accordingly...

vlad
Attachment:
ruleset
Description: application/shellscript
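The corrections discussed in this message (OSPF allowed on eth1, TCP-only SSH, a source-restricted JetDirect forward, explicit policies and a REJECT tail), collected as an added example script; this is not the attached ruleset. Interface name eth1 and the two network addresses are assumed placeholders for the list's `<allowed-network>` and `<network>`.

```shell
#!/bin/sh
# Added example, not the attached ruleset. Assumed: eth1 is the LAN/OSPF
# side of the router; the two networks below are placeholders for
# <allowed-network> and <network>. DRY_RUN=1 prints the commands instead of
# running them, so the rules can be reviewed without root.
LAN_IF=${LAN_IF:-eth1}
ALLOWED_NET=${ALLOWED_NET:-192.0.2.0/24}    # stands in for <allowed-network>
LAN_NET=${LAN_NET:-198.51.100.0/24}         # stands in for <network>

ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    ipt -F
    ipt -X
    # Explicit policies: nothing reaches or transits the router unless a
    # rule allows it; traffic the router originates itself is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # OSPF itself (IP protocol 89) on the router-facing interface. Without
    # this the adjacencies time out and forwarding stops after a minute.
    ipt -A INPUT -i "$LAN_IF" -p ospf -j ACCEPT

    # SSH to the router: TCP only, from the allowed network.
    ipt -A INPUT -s "$ALLOWED_NET" -p tcp -m state --state NEW --dport 22 -j ACCEPT

    # Let the router answer pings (rate-limited); echo-request is not forwarded.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # JetDirect only from the eth1 network towards the printers, not from
    # the internet.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m state --state NEW --dport 9100 -j ACCEPT

    # Finish with REJECT rather than a silent DROP so peers fail fast.
    ipt -A INPUT -j REJECT
    ipt -A FORWARD -j REJECT
}

# Apply for real only when called as "sh ruleset.sh apply".
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it with `DRY_RUN=1 sh ruleset.sh apply` first to read the generated rules before applying them.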