LeRoy Cressy on 25 Jan 2004 14:56:02 -0000



Re: [PLUG] New thinkpad with sarge



John Lavin wrote:
I'm a bit further along - I've been getting the laptop configured the
way I want it.  I've been fooling with firewalling this thing for the
better part of the day and can't figure out exactly what's wrong.

I've used gShield to script the iptables rules and generally, it's worked
great out of the box, but I've been having no end to troubles with
trying to get it to work on this box. I don't know if anyone's familiar
with it, but usually all you got to do is download the tarball, dump it
to /etc/firewall, change a few well-documented values in the conf file and add it to init scripts and you're done.


With this install, I've got a 2.4.22 stock 686 kernel from sarge - seems
to load all the right modules:
ipt_TOS                 1048  22  (autoclean)
ipt_MASQUERADE          1336   1  (autoclean)
ipt_state                568   3  (autoclean)
ipt_REJECT              3000   8  (autoclean)
ipt_LOG                 3384   9  (autoclean)
ipt_limit                888   3  (autoclean)
iptable_nat            15854   1  (autoclean) [ipt_MASQUERADE]
ip_conntrack           18532   2  (autoclean) [ipt_MASQUERADE ipt_state
iptable_nat]
iptable_mangle          2168   1  (autoclean)
iptable_filter          1740   1  (autoclean)
ip_tables              12032  11  [ipt_TOS ipt_MASQUERADE ipt_state
ipt_REJECT ipt_LOG ipt_limit iptable_nat iptable_mangle iptable_filter]

... but when I activate the firewall, I can't get off of my box to ping, ssh or browse the web. From outside, I want all ports blocked with the exception of ssh, but when I do an nmap to the laptop, they're all blocked.

One more twist - If I flush everything, browse to a site, then start the
firewall, I can continue to browse that site *only* but if I were ssh'ing to someplace and activated the firewall, it will shut me down.


I'm not good at reading iptables so somebody might see something here. Here's a snapshot of my iptables --list:

http://wayreth.net/iptables.txt

Thoughts?

Thanks,
-john

John Lavin said:

Whew- Not too difficult.  Got my Thinkpad R40 in the mail tonight and I
took this opportunity to try out the beta 2 of the sarge installer.


I think it might be helpful to look at the script and see how the masquerading rules are written.

-- 
Rev. LeRoy D. Cressy    mailto:leroy@lrcressy.com
http://lrcressy.com
Phone: 215-535-4037
FAX: 215-535-4285


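An added example, not from the thread and not gShield's own code: a small Python checker for the symptom John describes, where sessions already open keep working after the firewall starts but no new outbound ping, ssh or web connection can be made. One rule set that produces exactly that is an OUTPUT chain which accepts only ESTABLISHED,RELATED state; the two dumps below are constructed in iptables-save format (they are not the poster's iptables.txt) to show that case beside the corrected one, and the checker reports whether the host may open new connections and which TCP ports an outside scan would find open.

```python
import re

# Constructed iptables-save dump (not the poster's iptables.txt) showing the
# symptom: OUTPUT only passes packets conntrack already knows, so sessions
# open before the firewall starts survive, but nothing new can leave the box.
BROKEN = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Corrected dump: the host may open new connections; inbound stays ssh-only.
FIXED = BROKEN.replace(
    "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT")

def chain_rules(dump, chain):
    """Return (policy, [append rules]) for one chain of the filter table."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(":" + chain + " "):
            policy = line.split()[1]
        elif line.startswith("-A " + chain + " "):
            rules.append(line)
    return policy, rules

def outbound_new_allowed(dump):
    """True if OUTPUT policy is ACCEPT or a non-loopback ACCEPT rule matches NEW."""
    policy, rules = chain_rules(dump, "OUTPUT")
    if policy == "ACCEPT":
        return True
    for rule in rules:
        if "-j ACCEPT" not in rule or "-o lo" in rule:
            continue
        m = re.search(r"--state (\S+)", rule)
        if m is None or "NEW" in m.group(1).split(","):
            return True  # no state match at all, or NEW explicitly allowed
    return False

def inbound_new_tcp_ports(dump):
    """TCP ports INPUT accepts new connections on (what an outside nmap sees)."""
    return {int(p) for r in chain_rules(dump, "INPUT")[1]
            for p in re.findall(r"-p tcp --dport (\d+) .*-j ACCEPT", r)}
```

Run it against a real dump with `outbound_new_allowed(open("iptables-save.txt").read())`; a result of False on a box that cannot start new connections points at the OUTPUT chain rather than at the modules.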

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug