
Iptables is driving me nuts (beginner)



Hello there,

For the past couple of days I've been looking into setting up an old PC as a
firewall/router for a couple of students.

To do so I enabled iptables and started looking into configuration issues.
Eventually I came up with a config that worked. haha. Then I realised this
config was fishy and started deleting lines as I went along. Now almost no
lines are left and the darned thing still works even after reboots,
reloads, restarts.

Apparently there's something I'm not getting through my thick skull about
packet filtering. Could someone explain to me in text (no diagrams) how a
packet is evaluated and then processed through the chains, and also what is done
and not done any more after a packet has passed through a chain? Somehow I have
the idea this config works from the LAN to the outside but not from the outside
to the LAN or something.

Any good resources, tips, explanations are welcome. I'm too dumb for this I
guess.

Regards,

Joris


The 'final edition ?' is the version I stripped as much as possible.

The 'first edition' is the non-stripped version.

-------------------------------------------
--------- Final edition ?-------------------
-------------------------------------------

kotwall:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   any     kotwall              anywhere             tcp dpt:webcache
    0     0 ACCEPT     tcp  --  eth1   any     kotwall              anywhere             tcp dpt:www
    0     0 ACCEPT     tcp  --  eth1   any     kotwall              anywhere             tcp dpt:https
   23  1865 ACCEPT     tcp  --  eth0   any     192.168.1.0/24       kotwebb              tcp dpt:www
    0     0 ACCEPT     tcp  --  eth1   any     195.130.132.0/24     192.168.1.0/24       tcp spt:pop3
    0     0 ACCEPT     tcp  --  eth1   any     195.130.132.0/24     192.168.1.0/24       tcp spt:smtp
  139 13284 ACCEPT     all  --  any    any     anywhere             anywhere             state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:10000
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:20000

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   74  5199 ACCEPT     all  --  eth0   eth1    192.168.1.0/24       anywhere
   83 24686 ACCEPT     all  --  eth1   eth0    anywhere             192.168.1.0/24

Chain OUTPUT (policy DROP 142 packets, 10072 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    eth1    192.168.1.0/24       195.130.132.0/24     tcp dpt:pop3
    0     0 ACCEPT     tcp  --  any    eth1    192.168.1.0/24       195.130.132.0/24     tcp dpt:smtp
  195 46559 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
kotwall:~#

-------------------------------------------
----------- works as well -----------------
----------- First edition    -----------------
-------------------------------------------
kotwall:~# iptables -L -v --line-numbers

Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- eth1 any kotwall anywhere tcp dpt:webcache
2 0 0 ACCEPT tcp -- eth1 any kotwall anywhere tcp dpt:www
3 0 0 ACCEPT tcp -- eth1 any kotwall anywhere tcp dpt:https
4 42 6054 ACCEPT tcp -- eth0 any 192.168.1.0/24 kotwebb tcp dpt:www
5 0 0 ACCEPT tcp -- eth1 any 195.130.132.0/24 192.168.1.0/24 tcp spt:pop3
6 0 0 ACCEPT tcp -- eth1 any 195.130.132.0/24 192.168.1.0/24 tcp spt:smtp
7 555 55369 ACCEPT all -- any any anywhere anywhere state NEW,RELATED,ESTABLISHED
8 0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:10000
9 0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:20000

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 327 28253 ACCEPT all -- eth0 eth1 192.168.1.0/24 anywhere
2 0 0 DROP all -- eth0 eth0 192.168.1.0/24 192.168.1.0/24
3 0 0 DROP all -- eth0 eth1 192.168.1.0/24 192.168.1.0/24
4 343 167K ACCEPT all -- eth1 eth0 anywhere 192.168.1.0/24

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any any kotwall kotwall
2 0 0 ACCEPT tcp -- any eth1 kotwall anywhere tcp dpt:webcache
3 0 0 ACCEPT tcp -- any eth1 kotwall anywhere tcp dpt:www
4 0 0 ACCEPT tcp -- any eth1 kotwall anywhere tcp dpt:https
5 0 0 ACCEPT tcp -- any eth1 192.168.1.0/24 195.130.132.0/24 tcp dpt:pop3
6 0 0 ACCEPT tcp -- any eth1 192.168.1.0/24 195.130.132.0/24 tcp dpt:smtp
7 0 0 ACCEPT tcp -- any eth0 anywhere anywhere tcp spt:10000
8 0 0 ACCEPT tcp -- any eth0 anywhere anywhere tcp spt:20000
9 671 92915 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED

kotwall:~#
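An added example, not from the original post, that models in Python what the question asks about: a chain is walked top to bottom, the first rule whose every condition holds gives the verdict (ACCEPT and DROP are terminal), and only a packet matching no rule reaches the chain policy. The Packet/Rule classes, the reduced INPUT chain and the 203.0.113.5 SSH packet are constructed for illustration; running it shows that the catch-all `state NEW,RELATED,ESTABLISHED` rule on any interface accepts a brand-new inbound connection before the DROP policy is ever consulted, which is why stripping the other rules changed nothing.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    in_if: str   # interface the packet arrived on
    src: str     # source IPv4 address
    dport: int   # destination port (0 for protocols without ports)
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

@dataclass
class Rule:
    target: str                # ACCEPT or DROP: both end the walk
    proto: str = "all"
    in_if: str = "any"
    src: str = "0.0.0.0/0"     # printed as "anywhere" by iptables -L
    dport: int = 0             # 0 = no port match
    states: tuple = ()         # () = no --state match

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and self.in_if in ("any", p.in_if)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and self.dport in (0, p.dport)
                and (not self.states or p.state in self.states))

def walk_chain(rules, policy, p):
    """Rules are tried top to bottom; the first match decides, else the policy."""
    for i, r in enumerate(rules, 1):
        if r.matches(p):
            return r.target, i
    return policy, 0

# Reduced copy of the stripped INPUT chain (webcache/www, pop3/smtp and the
# destination-address matches are left out; they do not change the outcome).
INPUT = [
    Rule("ACCEPT", "tcp", "eth1", dport=443),                  # https
    Rule("ACCEPT", "tcp", "eth0", "192.168.1.0/24", dport=80),
    Rule("ACCEPT", states=("NEW", "RELATED", "ESTABLISHED")),  # the catch-all
    Rule("ACCEPT", "tcp", "eth0", dport=10000),
]
# Constructed sample: a brand-new SSH connection arriving on the outside interface.
SSH_FROM_OUTSIDE = Packet("tcp", "eth1", "203.0.113.5", 22, "NEW")

def verdict_as_posted():
    return walk_chain(INPUT, "DROP", SSH_FROM_OUTSIDE)   # accepted by rule 3

def verdict_without_new():
    # Same chain once the catch-all only matches RELATED,ESTABLISHED replies.
    fixed = [Rule("ACCEPT", states=("RELATED", "ESTABLISHED")) if "NEW" in r.states else r for r in INPUT]
    return walk_chain(fixed, "DROP", SSH_FROM_OUTSIDE)   # falls through to DROP
```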