Chris on 18 Nov 2003 18:32:02 -0500


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

RE: [PLUG] IPTables Help..


Eth1 is crossed over to another machine. The only internet traffic is
over eth0

-----Original Message-----
From: plug-admin@lists.phillylinux.org
[mailto:plug-admin@lists.phillylinux.org] On Behalf Of LeRoy Cressy
Sent: Tuesday, November 18, 2003 6:24 PM
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] IPTables Help..

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris wrote:
> 
> 
> Can anyone tell me what im doing wrong? All in_bound port filtering
> works like a charm coming in.
> 
> Problem lies on the Output.  Once DROPS are applied the machine can no
> longer make any outbound connections.
> Even after   any / any / all accept is applied. Any iptables gurus
want
> to help me with this?
> 
It seems that you do not have a nat table for your private IP addresses 
to communicate to the Internet.


> 
> root@mysql:/etc/firewall# telnet 64.115.34.114 22
> Trying 64.115.34.114...
> Connected to 64.115.34.114.
> Escape character is '^]'.
> SSH-2.0-3.2.0 SSH Secure Shell (non-commercial)
> ^]
> telnet> quit
> Connection closed.
> root@mysql:/etc/firewall# ./eth0 
> Flush IPTables:  ..done
> Setting ICMP Rules:  ..done
> Setting INPUT Rules:  ..done
> Setting OUTPUT Rules:  ..done
> root@mysql:/etc/firewall# telnet 64.115.34.114 22
> Trying 64.115.34.114...
> telnet: Unable to connect to remote host: Connection timed out
> root@mysql:/etc/firewall# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> ACCEPT     tcp  --  anywhere             mysql.jynx.net     tcp dpt:85

> ACCEPT     tcp  --  user216-178-70-3.netcarrier.net  mysql.jynx.net
> tcp dpt:ssh 
> ACCEPT     tcp  --  pcp01341770pcs.wilog301.pa.comcast.net
> mysql.jynx.net     tcp dpt:ssh 
> ACCEPT     udp  --  anywhere             ns3.jynx.net       udp
> dpt:domain 
> ACCEPT     udp  --  anywhere             ns3.jynx.net       udp
> spt:domain 
> ACCEPT     tcp  --  10.10.10.0/24        10.0.0.2           tcp
> dpts:tcpmux:65535 
> ACCEPT     udp  --  10.10.10.0/24        10.0.0.2           udp
> dpts:1:65535 
> DROP       tcp  --  anywhere             mysql.jynx.net     tcp
> dpts:tcpmux:65535 
> DROP       udp  --  anywhere             mysql.jynx.net     udp
> dpts:1:65535 
> DROP       tcp  --  anywhere             ns3.jynx.net       tcp
> dpts:tcpmux:65535 
> DROP       udp  --  anywhere             ns3.jynx.net       udp
> dpts:1:65535 
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> ACCEPT     all  --  localhost            anywhere           
> ACCEPT     all  --  anywhere             anywhere           
> 
> 
> 
> 
> 
> #!/bin/sh
> IPT="/usr/local/sbin/iptables"
> EX_IP="64.115.34.115"
> IN_IP="10.0.0.2"
> AL_IP="64.115.34.116"
> IN_NET="10.10.10.0/24"
> 
> echo -n "Flush IPTables: "
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> 
> # Flush it.
> #$IPT -F
> 
>         echo " ..done"
> 
> 
>                 echo -n "Setting ICMP Rules: "
> #$IPT -N icmp_packets
> #$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP
> Fragment: "
> #$IPT -A icmp_packets --fragment -p ICMP -j DROP
> #$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
> #$IPT -A icmp_packets -p ICMP -j RETURN
>                 echo " ..done"
> 
> 
>         echo -n "Setting INPUT Rules: "
> # Webmin
> $IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 85 -j ACCEPT
> # SSH
> $IPT -A INPUT -p tcp -s 216.178.70.3 -d $EX_IP -i eth0 --dport 22 -j
> ACCEPT
> $IPT -A INPUT -p tcp -s 68.81.114.30 -d $EX_IP -i eth0 --dport 22 -j
> ACCEPT
> # DNS
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 53 -j ACCEPT
> # DNS
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --source-port 53 -j
ACCEPT
> # Internal
> $IPT -A INPUT -p tcp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j
> ACCEPT
> # Internal
> $IPT -A INPUT -p udp -s $IN_NET -d $IN_IP -i eth1 --dport 1:65535 -j
> ACCEPT
> # Allow Inside Out
> 
>         echo " ..done"
> 
>                 echo -n "Setting OUTPUT Rules: "
>         echo " "
> $IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
> $IPT -A OUTPUT -p ALL -o lo -j ACCEPT
> $IPT -A OUTPUT -o eth0 -j ACCEPT
> 
> 
> $IPT -A INPUT -p tcp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
> $IPT -A INPUT -p udp -s 0/0 -d $EX_IP -i eth0 --dport 1:65535 -j DROP
> 
> $IPT -A INPUT -p tcp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
> $IPT -A INPUT -p udp -s 0/0 -d $AL_IP -i eth0 --dport 1:65535 -j DROP
> 
> 
>                 echo " ..done"
> 
>
________________________________________________________________________
___
> Philadelphia Linux Users Group         --
http://www.phillylinux.org
> Announcements -
http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --
http://lists.phillylinux.org/mailman/listinfo/plug
> 
> 

- -- 
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com   /\_/\
                        http://lrcressy.com        ( o.o )
                        Phone:  215-535-4037        > ^ <
                        FAX:    215-535-4285

gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/uqn9P+/m2oUBr+oRAjjzAJ47YWYPXQPPsUVsJqkc+bq7s6dU4wCgmPEk
6xydwOyyxG7w64Z7ptMGhFo=
=piXL
-----END PGP SIGNATURE-----

________________________________________________________________________
___
Philadelphia Linux Users Group         --
http://www.phillylinux.org
Announcements -
http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --
http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug