Re: some reality about iptables, please
On Wed, 2003-08-27 at 23:13, Jacob Anawalt wrote:
> #192.168.1.1 doesn't get any traffic from us
> iptables -A OUTPUT -d 192.168.1.1 -j DROP
>
> That's the 'plumbing' level access to iptables which works for all Linux kernels supporting iptables, regardless of distribution. In other words, your rules failing on Debian should fail on RH or Mandrake.
I think I've gotten a lot of the concept now, but this isn't what I
meant. Initially I was coming from an understanding of "fstab is a
static file of rules the system reads to set up mounts, .gtkrc is a
static file of rules the system reads to set up GUI"...
Later, there is the issue of when is the system in a configuration where
it needs firewall rules? The Debian manual says runlevels 2-5 are user
runlevels - these are enshrined in the update-rc.d defaults. K(ill)
links are created by default in runlevels 0, 1, 6. Ok.
But my network is up in runlevel 1. (From "telinit 1". I haven't tried
it from the boot prompt.)
And then there's the question of coordination with who-knows-what other
systems that are or aren't starting, stopping, etc.
I meant a picture of where the rules are kept, how they're initialized,
and what the implications are. I can find many sites with info about
how to write rules that do X. I couldn't find a site that told me what
file to put them in.
Now I know there isn't one, and some other things about it all...
> A better post might be:
> What am I doing wrong with iptables rules
>
> Here are my rules. They block all access to the internet, but I can't see
> why.
> #iptables -L
> <output from command>
> #iptables -t <other table(s)> -L
> <output from command(s)>
I've appended my current rules. Email fetches from my pop3 account ok,
but the browser doesn't connect.
> It's pretty apparent that this text has bothered you. Perhaps you could
> post a bug against /etc/default/ipchains with a patch adding additional
> helpful text, like a pointer to netfilter.org and the
> /usr/share/doc/ipchains/README.Debian.gz file and whatever other
> information you think is helpful for newbies.
>
> The solution isn't broken. 'Works for me' :) It just isn't optimal as
> the other posters have pointed out. The ifup-down method sounds very
> sensible. I didn't have an issue with the text, in fact I had a good
> laugh reading it when I set up my system for /etc/init.d/iptables.
I may. For now, I am going to keep studying until I do understand.
Then I'll be in a better position to say why I think this isn't good
language (if I still think it isn't when I get there).
Cheers,
Bret
eth0: 192.168.2.30 assigned by DHCP from gateway/router on cable
modem. This is where I browse from.
vmnet1: 192.168.174.1 virtual network device to communicate with
VMware Windows 98 session. Requires no access
to the outside. A bridge to eth0 provides
Internet access from VMware. (I think.)
iptables -t nat -L:
Chain PREROUTING (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain POSTROUTING (policy DROP)
target prot opt source destination
MASQUERADE all -- 192.168.174.0/24 anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- ganesha anywhere
ACCEPT all -- 192.168.2.30 anywhere
ACCEPT all -- 192.168.174.1 anywhere
DROPl all -- anywhere 255.255.255.255
DROPl all -- anywhere 192.168.174.255
DROPl all -- anywhere !192.168.2.30
DROPl all -- !192.168.174.0/24 anywhere
DROPl tcp -- anywhere anywhere tcp dpts:0:tcpmux
DROPl tcp -- anywhere anywhere tcp dpt:daytime
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpt:sunrpc
DROPl tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROPl tcp -- anywhere anywhere tcp dpts:161:162
DROPl tcp -- anywhere anywhere tcp dpt:445
DROPl tcp -- anywhere anywhere tcp dpt:1214
DROPl tcp -- anywhere anywhere tcp dpt:1999
DROPl tcp -- anywhere anywhere tcp dpt:2049
DROPl tcp -- anywhere anywhere tcp dpt:3049
DROPl tcp -- anywhere anywhere tcp dpt:4329
DROPl tcp -- anywhere anywhere tcp dpt:6346
DROPl tcp -- anywhere anywhere tcp dpt:3128
DROPl tcp -- anywhere anywhere tcp dpt:8000
DROPl tcp -- anywhere anywhere tcp dpt:www
DROPl tcp -- anywhere anywhere tcp dpt:8
DROPl tcp -- anywhere anywhere tcp dpt:webcache
DROPl tcp -- anywhere anywhere tcp dpt:12345
DROPl tcp -- anywhere anywhere tcp dpt:65535
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpts:exec:printer
DROPl tcp -- anywhere anywhere tcp dpt:socks
DROPl tcp -- anywhere anywhere tcp dpts:x11:6009
DROPl tcp -- anywhere anywhere tcp dpt:6112
DROPl udp -- anywhere anywhere udp dpts:0:1
DROPl udp -- anywhere anywhere udp dpt:daytime
DROPl udp -- anywhere anywhere udp dpt:98
DROPl udp -- anywhere anywhere udp dpt:sunrpc
DROPl udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:445
DROPl udp -- anywhere anywhere udp dpt:1214
DROPl udp -- anywhere anywhere udp dpt:1999
DROPl udp -- anywhere anywhere udp dpt:2049
DROPl udp -- anywhere anywhere udp dpt:3049
DROPl udp -- anywhere anywhere udp dpt:4329
DROPl udp -- anywhere anywhere udp dpt:6346
DROPl udp -- anywhere anywhere udp dpt:3128
DROPl udp -- anywhere anywhere udp dpt:8000
DROPl udp -- anywhere anywhere udp dpt:www
DROPl udp -- anywhere anywhere udp dpt:8
DROPl udp -- anywhere anywhere udp dpt:webcache
DROPl udp -- anywhere anywhere udp dpt:12345
DROPl udp -- anywhere anywhere udp dpt:65535
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:route
DROPl udp -- anywhere anywhere udp dpt:ntp
DROPl udp -- anywhere anywhere udp dpts:talk:ntalk
DROPl udp -- anywhere anywhere udp dpt:1427
DROPl udp -- anywhere anywhere udp dpt:9000
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:auth flags:SYN,RST,ACK/SYN state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROPl all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROPl all -- anywhere 255.255.255.255
DROPl all -- anywhere 192.168.174.255
DROPl all -- !192.168.174.0/24 anywhere
DROPl icmp -- anywhere anywhere icmp !echo-request
DROPl tcp -- anywhere anywhere tcp dpts:0:tcpmux
DROPl tcp -- anywhere anywhere tcp dpt:daytime
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpt:sunrpc
DROPl tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROPl tcp -- anywhere anywhere tcp dpts:161:162
DROPl tcp -- anywhere anywhere tcp dpt:445
DROPl tcp -- anywhere anywhere tcp dpt:1214
DROPl tcp -- anywhere anywhere tcp dpt:1999
DROPl tcp -- anywhere anywhere tcp dpt:2049
DROPl tcp -- anywhere anywhere tcp dpt:3049
DROPl tcp -- anywhere anywhere tcp dpt:4329
DROPl tcp -- anywhere anywhere tcp dpt:6346
DROPl tcp -- anywhere anywhere tcp dpt:3128
DROPl tcp -- anywhere anywhere tcp dpt:8000
DROPl tcp -- anywhere anywhere tcp dpt:www
DROPl tcp -- anywhere anywhere tcp dpt:8
DROPl tcp -- anywhere anywhere tcp dpt:webcache
DROPl tcp -- anywhere anywhere tcp dpt:12345
DROPl tcp -- anywhere anywhere tcp dpt:65535
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpts:exec:printer
DROPl tcp -- anywhere anywhere tcp dpt:socks
DROPl tcp -- anywhere anywhere tcp dpts:x11:6009
DROPl tcp -- anywhere anywhere tcp dpt:6112
DROPl udp -- anywhere anywhere udp dpts:0:1
DROPl udp -- anywhere anywhere udp dpt:daytime
DROPl udp -- anywhere anywhere udp dpt:98
DROPl udp -- anywhere anywhere udp dpt:sunrpc
DROPl udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:445
DROPl udp -- anywhere anywhere udp dpt:1214
DROPl udp -- anywhere anywhere udp dpt:1999
DROPl udp -- anywhere anywhere udp dpt:2049
DROPl udp -- anywhere anywhere udp dpt:3049
DROPl udp -- anywhere anywhere udp dpt:4329
DROPl udp -- anywhere anywhere udp dpt:6346
DROPl udp -- anywhere anywhere udp dpt:3128
DROPl udp -- anywhere anywhere udp dpt:8000
DROPl udp -- anywhere anywhere udp dpt:www
DROPl udp -- anywhere anywhere udp dpt:8
DROPl udp -- anywhere anywhere udp dpt:webcache
DROPl udp -- anywhere anywhere udp dpt:12345
DROPl udp -- anywhere anywhere udp dpt:65535
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:route
DROPl udp -- anywhere anywhere udp dpt:ntp
DROPl udp -- anywhere anywhere udp dpts:talk:ntalk
DROPl udp -- anywhere anywhere udp dpt:1427
DROPl udp -- anywhere anywhere udp dpt:9000
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:www flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:https flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:ftp-data flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:pop3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:pop3s flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:imap3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:imaps flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:11371 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:time flags:SYN,RST,ACK/SYN state NEW
ACCEPT udp -- 192.168.174.0/24 anywhere udp dpt:domain state NEW
ACCEPT udp -- 192.168.174.0/24 anywhere udp dpt:time state NEW
ACCEPT icmp -- 192.168.174.0/24 anywhere icmp echo-request state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROPl all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROPl all -- anywhere 255.255.255.255
DROPl all -- anywhere 192.168.174.255
DROPl all -- anywhere !192.168.174.0/24
DROPl all -- !192.168.2.0/24 anywhere
DROPl icmp -- anywhere anywhere icmp !echo-request
DROPl tcp -- anywhere anywhere tcp dpts:0:tcpmux
DROPl tcp -- anywhere anywhere tcp dpt:daytime
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpt:sunrpc
DROPl tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROPl tcp -- anywhere anywhere tcp dpts:161:162
DROPl tcp -- anywhere anywhere tcp dpt:445
DROPl tcp -- anywhere anywhere tcp dpt:1214
DROPl tcp -- anywhere anywhere tcp dpt:1999
DROPl tcp -- anywhere anywhere tcp dpt:2049
DROPl tcp -- anywhere anywhere tcp dpt:3049
DROPl tcp -- anywhere anywhere tcp dpt:4329
DROPl tcp -- anywhere anywhere tcp dpt:6346
DROPl tcp -- anywhere anywhere tcp dpt:3128
DROPl tcp -- anywhere anywhere tcp dpt:8000
DROPl tcp -- anywhere anywhere tcp dpt:www
DROPl tcp -- anywhere anywhere tcp dpt:8
DROPl tcp -- anywhere anywhere tcp dpt:webcache
DROPl tcp -- anywhere anywhere tcp dpt:12345
DROPl tcp -- anywhere anywhere tcp dpt:65535
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpts:exec:printer
DROPl tcp -- anywhere anywhere tcp dpt:socks
DROPl tcp -- anywhere anywhere tcp dpts:x11:6009
DROPl tcp -- anywhere anywhere tcp dpt:6112
DROPl udp -- anywhere anywhere udp dpts:0:1
DROPl udp -- anywhere anywhere udp dpt:daytime
DROPl udp -- anywhere anywhere udp dpt:98
DROPl udp -- anywhere anywhere udp dpt:sunrpc
DROPl udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:445
DROPl udp -- anywhere anywhere udp dpt:1214
DROPl udp -- anywhere anywhere udp dpt:1999
DROPl udp -- anywhere anywhere udp dpt:2049
DROPl udp -- anywhere anywhere udp dpt:3049
DROPl udp -- anywhere anywhere udp dpt:4329
DROPl udp -- anywhere anywhere udp dpt:6346
DROPl udp -- anywhere anywhere udp dpt:3128
DROPl udp -- anywhere anywhere udp dpt:8000
DROPl udp -- anywhere anywhere udp dpt:www
DROPl udp -- anywhere anywhere udp dpt:8
DROPl udp -- anywhere anywhere udp dpt:webcache
DROPl udp -- anywhere anywhere udp dpt:12345
DROPl udp -- anywhere anywhere udp dpt:65535
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:route
DROPl udp -- anywhere anywhere udp dpt:ntp
DROPl udp -- anywhere anywhere udp dpts:talk:ntalk
DROPl udp -- anywhere anywhere udp dpt:1427
DROPl udp -- anywhere anywhere udp dpt:9000
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:www flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:https flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:ftp-data flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:pop3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:pop3s flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:imap3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:imaps flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:11371 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:time flags:SYN,RST,ACK/SYN state NEW
ACCEPT udp -- 192.168.2.30 anywhere udp dpt:domain state NEW
ACCEPT udp -- 192.168.2.30 anywhere udp dpt:time state NEW
ACCEPT icmp -- 192.168.2.30 anywhere icmp echo-request state NEW
ACCEPT icmp -- 192.168.174.0/24 anywhere icmp echo-request state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECTl all -- anywhere anywhere
Chain DROPl (168 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `DROPl:'
DROP all -- anywhere anywhere
Chain REJECTl (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `REJECTl:'
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
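An added example, not part of the original post: a small first-match simulator over a constructed subset of the OUTPUT chain listed above. iptables stops at the first matching rule, so the early `DROPl tcp dpt:www` rule is hit before the later `ACCEPT ... dpt:www state NEW` rule, while pop3 has no DROPl rule ahead of its ACCEPT. The address-based rules are left out because `iptables -L` without `-v` does not display `-i`/`-o` interface matches, so their real scope cannot be read from this listing; port numbers are the standard /etc/services values.

```python
# Added example (not from the original post): first-match evaluation of a
# constructed subset of the OUTPUT chain shown in the email.
# Assumptions: rules are in the order `iptables -L` printed them; interface
# and source/destination matches are omitted (not visible without -v).
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, DROPl (log+drop), REJECTl (log+reject)
    proto: str                    # "tcp", "udp" or "all"
    dports: Optional[Tuple[int, int]]  # inclusive port range; None = any
    state: Optional[str] = None   # conntrack state match, None = no match

# Constructed subset of the OUTPUT chain, in listed order.
OUTPUT = [
    Rule("DROPl", "tcp", (3128, 3128)),            # tcp dpt:3128
    Rule("DROPl", "tcp", (80, 80)),                # tcp dpt:www
    Rule("DROPl", "tcp", (8080, 8080)),            # tcp dpt:webcache
    Rule("DROPl", "udp", (123, 123)),              # udp dpt:ntp
    Rule("ACCEPT", "tcp", (53, 53), "NEW"),        # domain
    Rule("ACCEPT", "tcp", (80, 80), "NEW"),        # www: never reached
    Rule("ACCEPT", "tcp", (443, 443), "NEW"),      # https
    Rule("ACCEPT", "tcp", (110, 110), "NEW"),      # pop3
    Rule("ACCEPT", "all", None, "RELATED,ESTABLISHED"),
    Rule("REJECTl", "all", None),                  # final catch-all
]

def matches(rule: Rule, proto: str, dport: int, state: str) -> bool:
    if rule.proto != "all" and rule.proto != proto:
        return False
    if rule.dports is not None and not (rule.dports[0] <= dport <= rule.dports[1]):
        return False
    if rule.state is not None and state not in rule.state.split(","):
        return False
    return True

def verdict(chain, proto: str, dport: int, state: str = "NEW", policy: str = "DROP"):
    """Return (target, rule index) of the first match, or (policy, None)."""
    for i, rule in enumerate(chain):
        if matches(rule, proto, dport, state):
            return rule.target, i
    return policy, None

if __name__ == "__main__":
    for name, proto, port in [("pop3", "tcp", 110), ("www", "tcp", 80), ("https", "tcp", 443)]:
        print(name, verdict(OUTPUT, proto, port))
```

Running `iptables -L -v -n` shows the interface and packet counters per rule, which tells you which DROPl line is actually absorbing the browser's packets.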