Re: iptables problem



On Fri, 20 Apr 2007 08:05:07 +0200, Yvan wrote:

> Douglas Mayne recently wrote:
>
>> The order of IPTables statements is important. The early statement to
>> drop forwarding looks out of place:
>>
>> /sbin/iptables -P FORWARD DROP
>>
>> If I were you, I'd rewrite the script so that you understand what each
>> line does.
>
> But that script does what I want in FC1. I just copied it to Debian.
> I'll check links you posted, thanks.

I looked at your original firewall again. The line which specifies the
masquerade also limits the source to a single address. This could be
correct if you were using a squid proxy. Was the former FC1 box running a
squid proxy? If you are not using a proxy, then I think this is the line
which needs to be corrected:

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.6/32 -j \
MASQUERADE

This line says to do nat masquerading for packets going out on the ppp0
interface if the source is from the single address (192.168.0.6). Note: I
also corrected some potential typos on the line above.

I hate to tell people what firewall rules to use, because there can be
subtle differences in network topology and requirements. The script below
is adapted from the links I posted earlier. This may be appropriate for
your situation, and then again, maybe not. Always double check that all
commands are appropriate for your system!

#!/bin/bash
# begin source code: rc.firewall
#
# The contents of this file adapted from Rusty Russell's examples:
#
# http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
#
# Use of this software is subject to this license:
# http://www.gnu.org/copyleft/gpl.txt
#
# Assumed router topology:
# This is a simple router where an untrusted network is via ppp0 to
# a totally trusted local LAN. Local "trust" is because packets from
# other unnamed interfaces are accepted by default.
#
# Load connection-tracking modules (not needed if built into kernel).
# modprobe resolves the module path and its dependencies; insmod needs
# the full path to the .ko file. On 2.6.20 and later kernels the modules
# are named nf_conntrack and nf_conntrack_ftp instead.
#
# These modules allow active mode ftp transfers (ftp initiated on LAN to
# an external ftp site is allowed (related traffic)).
#
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Start from a clean slate so the script can be re-run: flush both tables
# and delete user-defined chains (iptables -N fails if the chain exists).
iptables -F
iptables -X
iptables -t nat -F

# Masquerade out ppp0 (no -s restriction: every LAN host gets NAT)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -i ppp0 -m state --state NEW,INVALID -j DROP
# Negation goes before the option; the older "-i ! ppp0" form is deprecated.
iptables -A block ! -i ppp0 -m state --state NEW -j ACCEPT
iptables -A block -j DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# end source code: rc.firewall

--
Douglas Mayne
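The same ppp0-to-LAN router as an added example (not from the post above or from Rusty Russell's HOWTO): a POSIX shell function that emits the ruleset in iptables-restore format, so the filter and nat tables load atomically and the rule order is fixed in one file rather than depending on the sequence of individual iptables calls. It also checks for the single-host source (a /32, or a bare address, which iptables treats as /32) that limited masquerading in the original firewall. The interface name ppp0 and the 192.168.0.0/24 prefix are assumed defaults; `-m conntrack --ctstate` is the current spelling of `-m state --state`.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates an
# iptables-restore ruleset for a router with an untrusted WAN link and a
# trusted LAN. Assumed defaults: WAN interface ppp0, LAN prefix 192.168.0.0/24.

# Return 1 with a warning when the LAN argument covers a single host, i.e.
# a /32 prefix or a bare address (iptables treats a bare address as /32).
# That was the defect in the original firewall (-s 192.168.0.6/32).
warn_single_host() {
    case "$1" in
        */32) single=1 ;;
        */*)  single=0 ;;
        *)    single=1 ;;
    esac
    if [ "$single" -eq 1 ]; then
        echo "warning: $1 masquerades one host only; use the LAN prefix" \
             "(e.g. 192.168.0.0/24) unless all clients go through a proxy on it" >&2
        return 1
    fi
    return 0
}

# Print the ruleset. Lines beginning with '#' are ignored by iptables-restore.
gen_router_rules() {
    wan=${1:-ppp0}
    lan=${2:-192.168.0.0/24}
    warn_single_host "$lan" || true   # warn, but still emit: a proxy setup is legitimate
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade every LAN source that leaves via the WAN link.
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
*filter
# Default-deny on INPUT and FORWARD; the block chain decides explicitly.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j block
-A FORWARD -j block
# Replies to existing flows pass; new or invalid traffic from the WAN is
# dropped; new connections from any other interface (the LAN) are allowed.
-A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A block -i $wan -m conntrack --ctstate NEW,INVALID -j DROP
-A block ! -i $wan -m conntrack --ctstate NEW -j ACCEPT
-A block -j DROP
COMMIT
EOF
}

# Usage: sh router-rules.sh ppp0 192.168.0.0/24 > /etc/iptables/router.rules
if [ $# -gt 0 ]; then
    gen_router_rules "$@"
fi
```

Load the output with `iptables-restore < /etc/iptables/router.rules`; `iptables-restore --test` parses the file without committing it, which is a cheap check before touching a remote box. The ruleset does not enable forwarding; `net.ipv4.ip_forward=1` still has to be set via sysctl, as the script in the post does with `echo 1 > /proc/sys/net/ipv4/ip_forward`.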
