
correct set-up on a router...



i have a router connected to the internet 24/7 and am setting up a
router/firewall for a department of mathematics:

(maths cloud) --- [router/firewall] --- internet

the routing works, dns works but the firewall does not. if i run the
configuration script (included), the ssh session to the router stops
responding after about a minute (until a cron job resets the firewall
to an open one).

i have been trying with no success for a while now.

any ideas about what i have done wrong?

vladimir

ps: the configuration script (the ip network string for allowing ssh to
the router is changed to <allowed-network>)

#! /bin/sh
# maths router: netfilter setup

# flush the rules
iptables -F

# drop all input packets by default
iptables -P INPUT DROP

# drop all forward packets by default
iptables -P FORWARD DROP

# loopback:
iptables -A INPUT -i lo -j ACCEPT

# eth0 (the maths side)
# to be changed
iptables -A INPUT -i eth0 -j ACCEPT

# eth1 (the internet side):
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# router daemons
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 346 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 2600 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 2601 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 2604 -j ACCEPT

# ssh (all interfaces)
iptables -A INPUT -s <allowed-network>/16 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s <allowed-network>/16 -p udp -m state --state NEW -m udp --dport 22 -j ACCEPT

# forward (routing)

# accept what was already accepted
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 22 -j ACCEPT

# http
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT

# https
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT

# smtp
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

# smtp over ssl
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT

# jet direct
iptables -A FORWARD -p tcp -m state --state NEW -m tcp --dport 9100 -j ACCEPT
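An added example, not part of the post: a small Python walk of the INPUT chain from the script above, so you can see which rule (or the DROP policy) a given packet hits before loading the rules on a box you can only reach over ssh. It assumes a constructed 10.20.0.0/16 in place of the <allowed-network>/16 placeholder and a constructed outside address 198.51.100.7; note that a packet conntrack classifies as INVALID never reaches the port-22 rules and falls through to the policy.

```python
import ipaddress

# Constructed stand-in for the post's <allowed-network>/16 placeholder.
ALLOWED_NET = ipaddress.ip_network("10.20.0.0/16")

def rule(target="ACCEPT", iface=None, src=None, proto=None, dport=None, states=None):
    """One iptables rule; a None field is a wildcard, like an omitted match."""
    return dict(target=target, iface=iface, src=src, proto=proto, dport=dport, states=states)

# The INPUT chain of the script, in append order (numbered as iptables -L --line-numbers).
INPUT_RULES = [
    rule(iface="lo"),
    rule(iface="eth0"),
    rule(iface="eth1", states={"RELATED", "ESTABLISHED"}),
    rule(iface="eth1", proto="tcp", dport=346, states={"NEW"}),
    rule(iface="eth1", proto="tcp", dport=2600, states={"NEW"}),
    rule(iface="eth1", proto="tcp", dport=2601, states={"NEW"}),
    rule(iface="eth1", proto="tcp", dport=2604, states={"NEW"}),
    rule(src=ALLOWED_NET, proto="tcp", dport=22, states={"NEW"}),
    rule(src=ALLOWED_NET, proto="udp", dport=22, states={"NEW"}),
]
INPUT_POLICY = "DROP"

def matches(r, pkt):
    """True when every non-wildcard field of rule r matches packet pkt."""
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] and r["dport"] != pkt["dport"]:
        return False
    if r["states"] and pkt["state"] not in r["states"]:
        return False
    return True

def verdict(pkt, rules=INPUT_RULES, policy=INPUT_POLICY):
    """Return (target, rule_number) of the first matching rule, or (policy, None)."""
    for n, r in enumerate(rules, 1):
        if matches(r, pkt):
            return r["target"], n
    return policy, None

def pkt(iface, src, proto, state, dport=None):
    """A packet as netfilter sees it: ingress interface, source, protocol, conntrack state."""
    return dict(iface=iface, src=src, proto=proto, state=state, dport=dport)

if __name__ == "__main__":
    for p in (pkt("eth1", "10.20.5.5", "tcp", "NEW", 22),            # allowed net opens ssh
              pkt("eth1", "198.51.100.7", "tcp", "NEW", 22),         # outside net opens ssh
              pkt("eth1", "198.51.100.7", "tcp", "ESTABLISHED", 22), # packet of a tracked session
              pkt("eth1", "10.20.5.5", "tcp", "INVALID", 22),        # conntrack does not know the flow
              pkt("eth1", "198.51.100.7", "icmp", "NEW")):           # ping from outside
        print(p["state"], p["proto"], p["dport"], "from", p["src"], "->", verdict(p))
```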


