Re: Firewall with Iptables



The marked rule accepts only packets in the NEW state. You need to
accept packets in the ESTABLISHED and RELATED states too, else
connections will hang after the first packet. Usually there is a generic
rule at the beginning of the chain accepting packets in the ESTABLISHED
and RELATED states from any interface. So removing the "-i ppp0" in the
previous rule should do the trick.


Thanks for the advice. I have changed the rule so that it accepts
anything on "! ppp0" regardless of its state and now access to local
services and forwarding works fine without any additional ACCEPT-lines
in the script.

Unfortunately another problem has arisen. I wish for a local service
(mldonkey) to be accessible from the internet, but despite the rules I
set in the marked lines connections from outside are not yet possible.
I have also tried to target the INPUT chain instead of my custom chain
tcprules, but the results are the same.


# Default policies: drop inbound and forwarded traffic unless a rule accepts it,
# allow everything the host itself originates.
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

# Custom chain shared by INPUT and FORWARD; rules are evaluated top to bottom
# and the first match decides.
iptables -t filter -N tcprules

# Replies to connections already tracked by conntrack come in on ppp0.
iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else arriving on ppp0 that is NEW or INVALID is dropped here.
iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP
# Any interface other than ppp0 (LAN side) is trusted regardless of state.
# Note: "-i ! ppp0" is the old negation syntax; current iptables expects "! -i ppp0".
iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT

# mldonkey listening ports, reachable from the internet side (ppp0).
iptables -t filter -A tcprules -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
iptables -t filter -A tcprules -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT

# Hand both the local-delivery and the forwarding path to the custom chain.
iptables -t filter -A INPUT -j tcprules
iptables -t filter -A FORWARD -j tcprules

# NAT for the LAN going out over the dial-up link.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE


Yours sincerely
Stefan
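The thread turns on how an iptables chain is walked: rules are tried in order, the first match sets the verdict, and the chain policy applies only if nothing matched. The following is an added example, not code from either poster, that models that first-match evaluation in Python and replays the tcprules chain posted above against a few constructed packets (the Packet and Rule classes, the packets and the helper names are all assumptions made here). It reports which rule position decided each verdict, which is the check a firewall maintainer wants when a service rule appears to have no effect, and it also shows how the verdicts change when the service ACCEPT rules are placed directly after the generic ESTABLISHED,RELATED rule, as the quoted advice describes.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

# Conntrack states as iptables -m state sees them.
STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}


@dataclass(frozen=True)
class Packet:
    """A packet as seen by the filter table (assumed model, not a real skb)."""
    iface: str    # ingress interface, e.g. "ppp0" (internet) or "eth0" (LAN)
    proto: str    # "tcp" or "udp"
    dport: int
    state: str    # one of STATES


@dataclass(frozen=True)
class Rule:
    """One rule of a chain: every set field must match for the target to fire."""
    target: str                            # "ACCEPT" or "DROP"
    iface: Optional[str] = None            # "-i ppp0"
    iface_negate: bool = False             # "-i ! ppp0"
    proto: Optional[str] = None            # "-p tcp"
    dports: FrozenSet[int] = frozenset()   # "-m multiport --dports ..."
    states: FrozenSet[str] = frozenset()   # "-m state --state ..."

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and (p.iface == self.iface) == self.iface_negate:
            return False  # interface test failed (negation handled here)
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


def decide(chain: List[Rule], packet: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """First-match walk. Returns (verdict, 1-based index of the deciding rule);
    index 0 means no rule matched and the chain policy applied."""
    if packet.state not in STATES:
        raise ValueError("unknown conntrack state: %s" % packet.state)
    for pos, rule in enumerate(chain, start=1):
        if rule.matches(packet):
            return rule.target, pos
    return policy, 0


# The tcprules chain exactly as posted, in posted order.
ESTABLISHED_RULE = Rule("ACCEPT", iface="ppp0", states=frozenset({"ESTABLISHED", "RELATED"}))
NEW_INVALID_DROP = Rule("DROP", iface="ppp0", states=frozenset({"NEW", "INVALID"}))
LAN_ACCEPT = Rule("ACCEPT", iface="ppp0", iface_negate=True)
TCP_SERVICE = Rule("ACCEPT", iface="ppp0", proto="tcp", dports=frozenset({4662, 6881, 6882, 9866}))
UDP_SERVICE = Rule("ACCEPT", iface="ppp0", proto="udp", dports=frozenset({4666, 9866, 12478}))

POSTED_CHAIN = [ESTABLISHED_RULE, NEW_INVALID_DROP, LAN_ACCEPT, TCP_SERVICE, UDP_SERVICE]

# Same rules, with the service ACCEPTs moved up behind the generic
# ESTABLISHED,RELATED rule so that a NEW packet reaches them before the DROP.
REORDERED_CHAIN = [ESTABLISHED_RULE, TCP_SERVICE, UDP_SERVICE, NEW_INVALID_DROP, LAN_ACCEPT]

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "new_tcp_4662_from_internet": Packet("ppp0", "tcp", 4662, "NEW"),
    "reply_tcp_4662_from_internet": Packet("ppp0", "tcp", 4662, "ESTABLISHED"),
    "new_udp_9866_from_internet": Packet("ppp0", "udp", 9866, "NEW"),
    "new_tcp_22_from_internet": Packet("ppp0", "tcp", 22, "NEW"),
    "new_tcp_22_from_lan": Packet("eth0", "tcp", 22, "NEW"),
}


def trace(chain: List[Rule]) -> dict:
    """Verdict and deciding rule position for every sample packet."""
    return {name: decide(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("posted order", POSTED_CHAIN), ("service rules first", REORDERED_CHAIN)):
        print(label)
        for name, (verdict, pos) in trace(chain).items():
            print("  %-32s %-6s (rule %d)" % (name, verdict, pos))
```

Running it shows that in the posted order a NEW SYN to 4662 on ppp0 is decided by rule 2 (the NEW,INVALID drop) and never reaches rule 4, while established replies pass at rule 1 and LAN traffic at rule 3; with the service rules moved up, the same SYN is accepted at rule 2, UDP 9866 at rule 3, and unrelated NEW traffic on ppp0 is still dropped at rule 4. The model ignores anything iptables would also check (source addresses, TCP flags, the INPUT versus FORWARD distinction), so it is a reasoning aid, not a substitute for `iptables -L -v` counters on the real box.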


