Chris on 18 Nov 2003 18:32:02 -0500
Eth1 is crossed over to another machine. The only internet traffic is over eth0.

-----Original Message-----
From: plug-admin@lists.phillylinux.org [mailto:plug-admin@lists.phillylinux.org] On Behalf Of LeRoy Cressy
Sent: Tuesday, November 18, 2003 6:24 PM
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] IPTables Help..

Chris wrote:
> Can anyone tell me what I'm doing wrong? All inbound port filtering works like a charm coming in.
>
> Problem lies on the Output. Once DROPS are applied the machine can no longer make any outbound connections.
> Even after any / any / all accept is applied. Any iptables gurus want to help me with this?

It seems that you do not have a nat table for your private IP addresses to communicate to the Internet.

> root@mysql:/etc/firewall# telnet 64.115.34.114 22
> Trying 64.115.34.114...
> Connected to 64.115.34.114.
> Escape character is '^]'.
> SSH-2.0-3.2.0 SSH Secure Shell (non-commercial)
> ^]
> telnet> quit
> Connection closed.
> root@mysql:/etc/firewall# ./eth0
> Flush IPTables: ..done
> Setting ICMP Rules: ..done
> Setting INPUT Rules: ..done
> Setting OUTPUT Rules: ..done
> root@mysql:/etc/firewall# telnet 64.115.34.114 22
> Trying 64.115.34.114...
> telnet: Unable to connect to remote host: Connection timed out
> root@mysql:/etc/firewall# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source                                  destination
> ACCEPT     tcp  --  anywhere                                mysql.jynx.net   tcp dpt:85
> ACCEPT     tcp  --  user216-178-70-3.netcarrier.net         mysql.jynx.net   tcp dpt:ssh
> ACCEPT     tcp  --  pcp01341770pcs.wilog301.pa.comcast.net  mysql.jynx.net   tcp dpt:ssh
> ACCEPT     udp  --  anywhere                                ns3.jynx.net     udp dpt:domain
> ACCEPT     udp  --  anywhere                                ns3.jynx.net     udp spt:domain
> ACCEPT     tcp  --  10.10.10.0/24                           10.0.0.2         tcp dpts:tcpmux:65535
> ACCEPT     udp  --  10.10.10.0/24                           10.0.0.2         udp dpts:1:65535
> DROP       tcp  --  anywhere                                mysql.jynx.net   tcp dpts:tcpmux:65535
> DROP       udp  --  anywhere                                mysql.jynx.net   udp dpts:1:65535
> DROP       tcp  --  anywhere                                ns3.jynx.net     tcp dpts:tcpmux:65535
> DROP       udp  --  anywhere                                ns3.jynx.net     udp dpts:1:65535
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  localhost            anywhere
> ACCEPT     all  --  anywhere             anywhere
>
>
> #!/bin/sh
> IPT="/usr/local/sbin/iptables"
> EX_IP="64.115.34.115"
> IN_IP="10.0.0.2"
> AL_IP="64.115.34.116"
> IN_NET="10.10.10.0/24"
>
> echo -n "Flush IPTables: "
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
>
> # Flush it.
> #$IPT -F
>
> echo " ..done"
>
>
> echo -n "Setting ICMP Rules: "
> #$IPT -N icmp_packets
> #$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment: "
> #$IPT -A icmp_packets --fragment -p ICMP -j DROP
> #$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
> #$IPT -A icmp_packets -p ICMP -j RETURN
> echo " ..done"
>
>
> echo -n "Setting INPUT Rules: "
> # Webmin
> $IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 85 -j ACCEPT
> # SSH
> $IPT -A INPUT -p tcp -s 216.178.70.3 -d $EX_IP -i eth0 --dport 22 -j ACCEPT
> $IPT -A INPUT -p tcp -s 68.81.114.30 -d $EX_IP -i eth0 --dport 22 -j ACCEPT
> # DNS
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 53 -j ACCEPT
> # DNS
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --source-port 53 -j ACCEPT
> # Internal
> $IPT -A INPUT -p tcp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j ACCEPT
> # Internal
> $IPT -A INPUT -p udp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j ACCEPT
> # Allow Inside Out
>
> echo " ..done"
>
> echo -n "Setting OUTPUT Rules: "
> echo " "
> $IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> $IPT -A OUTPUT -p ALL -o lo -j ACCEPT
> $IPT -A OUTPUT -o eth0 -j ACCEPT
>
>
> $IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
> $IPT -A INPUT -p udp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
>
> $IPT -A INPUT -p tcp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
>
>
> echo " ..done"
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

--
Rev. LeRoy D. Cressy    mailto:leroy@lrcressy.com
                        http://lrcressy.com
                        Phone: 215-535-4037
                        FAX:   215-535-4285

gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA

For info on enigmail: http://lrcressy.com/linux/mozilla.pdf
For info on gpg: http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life: no man cometh unto the Father, but by me. (John 14:6)
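As an added illustration (not code from this thread), a small Python model of iptables first-match evaluation over the INPUT rules in Chris's script. It shows why outbound connections die once the DROPs are in place: the SYN/ACK coming back from 64.115.34.114 arrives on eth0 addressed to an ephemeral port on EX_IP, which the catch-all `--dport 1:65535` DROP matches, and how one stateful ACCEPT for ESTABLISHED traffic in front of the DROPs (the `-m state` match, an assumption here, not something the thread proposes) admits replies without opening any unsolicited port. The ephemeral port 40123 and the conntrack flag on each packet are constructed.

```python
from dataclasses import dataclass

EX_IP = "64.115.34.115"   # eth0 address from the script
REMOTE = "64.115.34.114"  # SSH host the telnet test in the thread connects to

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str
    established: bool  # what conntrack would report: reply to a flow this host opened

@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"
    src: str = None
    dst: str = None
    iface: str = None
    dports: tuple = None  # --dport low:high
    state: str = None     # -m state --state ESTABLISHED (assumed, not in the script)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("all", pkt.proto)
        and rule.src in (None, pkt.src)
        and rule.dst in (None, pkt.dst)
        and rule.iface in (None, pkt.iface)
        and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1])
        and (rule.state != "ESTABLISHED" or pkt.established)
    )

def evaluate(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    # iptables walks a chain top to bottom; the first matching rule decides.
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# The eth0 INPUT rules in the order the script appends them.
SCRIPT_INPUT = [
    Rule("ACCEPT", "tcp", dst=EX_IP, iface="eth0", dports=(85, 85)),
    Rule("ACCEPT", "tcp", src="216.178.70.3", dst=EX_IP, iface="eth0", dports=(22, 22)),
    Rule("DROP", "tcp", dst=EX_IP, iface="eth0", dports=(1, 65535)),
    Rule("DROP", "udp", dst=EX_IP, iface="eth0", dports=(1, 65535)),
]
# Same chain with one stateful ACCEPT ahead of the DROPs: replies to flows this
# host opened get in; anything unsolicited still falls through to DROP.
STATEFUL_INPUT = [Rule("ACCEPT", state="ESTABLISHED")] + SCRIPT_INPUT
# Constructed packets: the server's SYN/ACK back to the client's ephemeral port,
# and an unsolicited probe to that same port with no conntrack entry behind it.
SSH_REPLY = Packet("tcp", REMOTE, EX_IP, 40123, "eth0", established=True)
PROBE = Packet("tcp", REMOTE, EX_IP, 40123, "eth0", established=False)
```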