[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] IPTables Help..
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris wrote:
Can anyone tell me what im doing wrong? All in_bound port filtering
works like a charm coming in.
Problem lies on the Output. Once DROPS are applied the machine can no
longer make any outbound connections.
Even after any / any / all accept is applied. Any iptables gurus want
to help me with this?
It seems that you do not have a nat table for your private IP addresses
to communicate to the Internet.
root@mysql:/etc/firewall# telnet 64.115.34.114 22
Trying 64.115.34.114...
Connected to 64.115.34.114.
Escape character is '^]'.
SSH-2.0-3.2.0 SSH Secure Shell (non-commercial)
^]
telnet> quit
Connection closed.
root@mysql:/etc/firewall# ./eth0
Flush IPTables: ..done
Setting ICMP Rules: ..done
Setting INPUT Rules: ..done
Setting OUTPUT Rules: ..done
root@mysql:/etc/firewall# telnet 64.115.34.114 22
Trying 64.115.34.114...
telnet: Unable to connect to remote host: Connection timed out
root@mysql:/etc/firewall# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere mysql.jynx.net tcp dpt:85
ACCEPT tcp -- user216-178-70-3.netcarrier.net mysql.jynx.net
tcp dpt:ssh
ACCEPT tcp -- pcp01341770pcs.wilog301.pa.comcast.net
mysql.jynx.net tcp dpt:ssh
ACCEPT udp -- anywhere ns3.jynx.net udp
dpt:domain
ACCEPT udp -- anywhere ns3.jynx.net udp
spt:domain
ACCEPT tcp -- 10.10.10.0/24 10.0.0.2 tcp
dpts:tcpmux:65535
ACCEPT udp -- 10.10.10.0/24 10.0.0.2 udp
dpts:1:65535
DROP tcp -- anywhere mysql.jynx.net tcp
dpts:tcpmux:65535
DROP udp -- anywhere mysql.jynx.net udp
dpts:1:65535
DROP tcp -- anywhere ns3.jynx.net tcp
dpts:tcpmux:65535
DROP udp -- anywhere ns3.jynx.net udp
dpts:1:65535
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localhost anywhere
ACCEPT all -- anywhere anywhere
#!/bin/sh
IPT="/usr/local/sbin/iptables"
EX_IP="64.115.34.115"
IN_IP="10.0.0.2"
AL_IP="64.115.34.116"
IN_NET="10.10.10.0/24"
echo -n "Flush IPTables: "
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Flush it.
#$IPT -F
echo " ..done"
echo -n "Setting ICMP Rules: "
#$IPT -N icmp_packets
#$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP
Fragment: "
#$IPT -A icmp_packets --fragment -p ICMP -j DROP
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#$IPT -A icmp_packets -p ICMP -j RETURN
echo " ..done"
echo -n "Setting INPUT Rules: "
# Webmin
$IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 85 -j ACCEPT
# SSH
$IPT -A INPUT -p tcp -s 216.178.70.3 -d $EX_IP -i eth0 --dport 22 -j
ACCEPT
$IPT -A INPUT -p tcp -s 68.81.114.30 -d $EX_IP -i eth0 --dport 22 -j
ACCEPT
# DNS
$IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 53 -j ACCEPT
# DNS
$IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --source-port 53 -j ACCEPT
# Internal
$IPT -A INPUT -p tcp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j
ACCEPT
# Internal
$IPT -A INPUT -p udp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j
ACCEPT
# Allow Inside Out
echo " ..done"
echo -n "Setting OUTPUT Rules: "
echo " "
$IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPT -A OUTPUT -p ALL -o lo -j ACCEPT
$IPT -A OUTPUT -o eth0 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
$IPT -A INPUT -p udp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
$IPT -A INPUT -p tcp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
$IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
echo " ..done"
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
- --
Rev. LeRoy D. Cressy mailto:leroy@lrcressy.com /\_/\
http://lrcressy.com ( o.o )
Phone: 215-535-4037 > ^ <
FAX: 215-535-4285
gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA
For info on enigmail: http://lrcressy.com/linux/mozilla.pdf
For info on gpg: http://www.gnupg.org/
Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org
iD8DBQE/uqn9P+/m2oUBr+oRAjjzAJ47YWYPXQPPsUVsJqkc+bq7s6dU4wCgmPEk
6xydwOyyxG7w64Z7ptMGhFo=
=piXL
-----END PGP SIGNATURE-----
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|