Re: Firewall/iptables question
On 3 May 2011 16:21, Hilco Wijbenga <hilco.wijbenga@xxxxxxxxx> wrote:
> Hi all,
>
> I'm attempting to set up a simple firewall on a virtual server. I have
> the following:
>
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -j LOG
> iptables -A INPUT -j REJECT
>
> (And iptables -L shows that this setup has been accepted.)
>
> This was supposed to only allow my box (or at least my public IP)
> access to port 80 on this server. I can not access port 80 at all,
> however. (Please note that without --source it works as expected.)
>
> What am I doing wrong?

Mmmh, it does work after all. You have to be careful to restart
everything, I guess.

I've moved the --source to the SSH line. That works too but it seems
like I can only have 1 connection open at the same time. Sort of. I
have a reverse connection from a local server with a non-routable IP
to this public server. That works. But then I can't access the public
server anymore. If I kill the reverse connection and wait a few
minutes, I can login again. Switch the reverse connection back on ...
and I can't login anymore. Strange.

On a related note, the logging only logs the packet, but no timestamp.
Is that configurable somewhere?

Cheers,
Hilco
--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/BANLkTim62rNnK1m6gJuCziQaZZ=OOF6_=g@xxxxxxxxxxxxxx