[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall-troubleshooting


Yes the script is kind of long and tedious in its respects. My initial
purpose was to set this up at a remote facility with around 20 systems. I
have also tried to get info from iptables -L chian, but noticed that the
rules seem to be ok. If people want I can put the output for iptables -L
chain. I am trying to block out everything accept what i need. I think that
my firewall optimization is kind of crap but I am in process of working on
that. The other thing that I just noticed is that my order for rules is not
very properly laid out. I should have had the most active rules up ontop
right before all the drop rules. I am asking for help if anyone notices
anything interesting or decides to just suggest a more optimized approach
to things let me know. I tried some automated firewall scripting programs,
and just feel that a lot of them are just designed to save time for the
lazy, and then you waste a lot of time trying to correct the script. These
programs have their users I am just not one of them. I have also learned
that iptables have some very interesting and helpful modules. If someone
knows anything about that, then I would appreciate if they let me know
where I could get them.

Best Regards


Daniel Pittman wrote:
> On 3 Jul 2005, KC wrote:
>>I need help understanding what goes wrong in this script. I cannot ping
>>anyone and cannot resolve as well. In fact I believe the only thing I can
>>get is an ip address from my isp's dhcp server.
> With sufficiently modern kernels, the DHCP client uses raw sockets, so
> it can (AIUI) bypass firewall rules that would otherwise stop it getting
> through.
> I can't spot anything wrong with your script, which means that it isn't
> an obvious stupid mistake (congratulations ;).  You have some work to
> do, I guess. :)
> Two things that are generally helpful in debugging iptables/firewall
> problems:
> The logs of dropped packets, which I note you have added, may show you
> where things are getting discarded.  A *default* log at the end, showing
> everything else, is also really helpful. 
> Watching the output of 'iptables -L' will show you where packets are
> flowing:  each time they pass a rule, or chain, they bump up the packet
> count.
> This can show that, say, one of your rules is eating all the packets --
> they get that far, then stop. 
> Finally, that is a pretty complex firewall script, and obviously
> somewhat hard to maintain.  Maybe you would get better value for your
> time by using an existing firewall helper like 'firehol', or something,
> than re-doing the work that went into the existing tools?
> Of course, if your aim is to learn iptables rather than just get it
> working, that loses. ;)
>          Daniel

Reply to: