LeRoy Cressy on 18 Nov 2003 18:23:02 -0500



Re: [PLUG] IPTables Help..


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris wrote:


Can anyone tell me what I'm doing wrong? All in_bound port filtering
works like a charm coming in.

Problem lies on the Output.  Once DROPS are applied the machine can no
longer make any outbound connections.
Even after any / any / all accept is applied. Any iptables gurus want
to help me with this?

It seems that you do not have a nat table for your private IP addresses to communicate to the Internet.



root@mysql:/etc/firewall# telnet 64.115.34.114 22
Trying 64.115.34.114...
Connected to 64.115.34.114.
Escape character is '^]'.
SSH-2.0-3.2.0 SSH Secure Shell (non-commercial)
^]
telnet> quit
Connection closed.
root@mysql:/etc/firewall# ./eth0 Flush IPTables: ..done
Setting ICMP Rules: ..done
Setting INPUT Rules: ..done
Setting OUTPUT Rules: ..done
root@mysql:/etc/firewall# telnet 64.115.34.114 22
Trying 64.115.34.114...
telnet: Unable to connect to remote host: Connection timed out
root@mysql:/etc/firewall# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source                                  destination          
ACCEPT     tcp  --  anywhere                                mysql.jynx.net       tcp dpt:85
ACCEPT     tcp  --  user216-178-70-3.netcarrier.net         mysql.jynx.net       tcp dpt:ssh
ACCEPT     tcp  --  pcp01341770pcs.wilog301.pa.comcast.net  mysql.jynx.net       tcp dpt:ssh
ACCEPT     udp  --  anywhere                                ns3.jynx.net         udp dpt:domain
ACCEPT     udp  --  anywhere                                ns3.jynx.net         udp spt:domain
ACCEPT     tcp  --  10.10.10.0/24                           10.0.0.2             tcp dpts:tcpmux:65535
ACCEPT     udp  --  10.10.10.0/24                           10.0.0.2             udp dpts:1:65535
DROP       tcp  --  anywhere                                mysql.jynx.net       tcp dpts:tcpmux:65535
DROP       udp  --  anywhere                                mysql.jynx.net       udp dpts:1:65535
DROP       tcp  --  anywhere                                ns3.jynx.net         tcp dpts:tcpmux:65535
DROP       udp  --  anywhere                                ns3.jynx.net         udp dpts:1:65535


Chain FORWARD (policy ACCEPT)
target prot opt source destination


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  anywhere             anywhere






#!/bin/sh
IPT="/usr/local/sbin/iptables"
EX_IP="64.115.34.115"
IN_IP="10.0.0.2"
AL_IP="64.115.34.116"
IN_NET="10.10.10.0/24"

echo -n "Flush IPTables: "
# Default policies: everything not matched by a rule is accepted.
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Flush it.
#$IPT -F

echo " ..done"


echo -n "Setting ICMP Rules: "
# ICMP chain is currently commented out.
#$IPT -N icmp_packets
#$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment: "
#$IPT -A icmp_packets --fragment -p ICMP -j DROP
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#$IPT -A icmp_packets -p ICMP -j RETURN
echo " ..done"


echo -n "Setting INPUT Rules: "
# Webmin
$IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 85 -j ACCEPT
# SSH
$IPT -A INPUT -p tcp -s 216.178.70.3 -d $EX_IP -i eth0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 68.81.114.30 -d $EX_IP -i eth0 --dport 22 -j ACCEPT
# DNS
$IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 53 -j ACCEPT
# DNS
$IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --source-port 53 -j ACCEPT
# Internal
$IPT -A INPUT -p tcp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j ACCEPT
# Internal
$IPT -A INPUT -p udp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j ACCEPT
# Allow Inside Out

echo " ..done"

echo -n "Setting OUTPUT Rules: "
echo " "
$IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPT -A OUTPUT -p ALL -o lo -j ACCEPT
$IPT -A OUTPUT -o eth0 -j ACCEPT


# Catch-all drops for everything arriving on eth0 that was not accepted
# above. There is no state match here, so replies to connections this
# host opened itself land on these rules as well.
$IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
$IPT -A INPUT -p udp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP

$IPT -A INPUT -p tcp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
$IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP


echo " ..done"

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug



- -- Rev. LeRoy D. Cressy mailto:leroy@lrcressy.com /\_/\
http://lrcressy.com ( o.o )
Phone: 215-535-4037 > ^ <
FAX: 215-535-4285


gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/uqn9P+/m2oUBr+oRAjjzAJ47YWYPXQPPsUVsJqkc+bq7s6dU4wCgmPEk
6xydwOyyxG7w64Z7ptMGhFo=
=piXL
-----END PGP SIGNATURE-----
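An added example, not Chris's script and not part of LeRoy's reply. The trailing INPUT rules in the quoted script drop every port 1:65535 on eth0 without a state match, so the SYN-ACK answering the outbound telnet arrives on an ephemeral port of 64.115.34.115 and is dropped; that is why the connection times out the moment the DROP rules are loaded. LeRoy's NAT point applies to the hosts on 10.10.10.0/24, but the telnet in the transcript is run from the firewall itself, whose return traffic needs no translation. The script below keeps the thread's addresses, interfaces and exposed services and adds a stateful accept rule; it assumes the `state` match is available (standard on the 2.4-era kernels of that time), and the APPLY switch, the build_rules and input_rule_count functions are this example's own. Without APPLY=1 it only echoes the iptables commands, so the rule set can be reviewed on any machine before it is applied as root.

```sh
#!/bin/sh
# Added example, not from the thread: a stateful version of the eth0 script.
# Addresses, interfaces and exposed services are the ones quoted above; the
# APPLY switch and the two functions are this example's own (assumptions).
# Without APPLY=1 every command is only echoed, so the rule set can be
# reviewed anywhere; APPLY=1 (as root) runs the real iptables binary.

EX_IP="64.115.34.115"    # eth0, mysql.jynx.net
AL_IP="64.115.34.116"    # eth0 alias, ns3.jynx.net
IN_IP="10.0.0.2"         # eth1
IN_NET="10.10.10.0/24"   # internal LAN behind eth1

if [ "${APPLY:-0}" = "1" ]; then
    IPT="/usr/local/sbin/iptables"
else
    IPT="echo iptables"
fi

build_rules() {
    # Start from a clean INPUT chain but leave the policy at ACCEPT until the
    # accept rules are in place, so an SSH session used to load the script
    # is not cut off half-way through.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    $IPT -A INPUT -i lo -j ACCEPT

    # The rule the original script is missing. Replies to connections this
    # host opened (the SYN-ACK for the telnet to port 22, DNS answers, ...)
    # are ESTABLISHED or RELATED and are accepted here instead of falling
    # through to the catch-all drop.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # ICMP types a server should still answer or receive.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # New inbound connections: the same services the original script opened.
    # The "--source-port 53 ACCEPT" rule is left out on purpose: the state
    # rule already admits DNS replies, and a source-port whitelist admits
    # any packet that merely sets its source port to 53.
    $IPT -A INPUT -i eth0 -p tcp -d "$EX_IP" --dport 85 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp -s 216.178.70.3 -d "$EX_IP" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp -s 68.81.114.30 -d "$EX_IP" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth0 -p udp -d "$AL_IP" --dport 53 -j ACCEPT
    $IPT -A INPUT -i eth1 -s "$IN_NET" -d "$IN_IP" -j ACCEPT

    # Rate-limited log of whatever is about to be dropped, then the policies.
    # A DROP policy replaces the four explicit port 1:65535 DROP rules.
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT DROP: "
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# Number of "-A INPUT" rules the generated rule set contains, computed from a
# dry run regardless of APPLY; a quick sanity check before applying.
input_rule_count() {
    ( IPT="echo iptables"; build_rules ) | grep -c -- '-A INPUT'
}

build_rules
```

Run as-is to inspect the rule sequence; run `APPLY=1 ./script` as root to load it. The ordering matters: the ESTABLISHED,RELATED rule sits ahead of every service rule so return traffic is matched by a single cheap lookup, and the policy is switched to DROP only after the accept rules exist.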
