queen Veteran
Joined: 19 Jul 2005 Posts: 1642
Posted: Tue Dec 18, 2007 9:18 pm Post subject: can't connect to internet with my iptables
I have an iptables script that I want to use. The problem is that I can't connect to the internet when I enable it. Can someone tell me what's wrong with the script? Here is the script:
Code: |
#!/bin/sh
# Set location of iptables
IPTABLES=/sbin/iptables
# Define interfaces
PUBLIC_IF="eth2"
# Flush current rules
#$IPTABLES -t nat -F
$IPTABLES -t filter -F
#$IPTABLES -t mangle -F
# Delete custom chains
#$IPTABLES -t nat -X
$IPTABLES -t filter -X
#$IPTABLES -t mangle -X
# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
#$IPTABLES -t nat -P PREROUTING ACCEPT
#$IPTABLES -t nat -P OUTPUT ACCEPT
#$IPTABLES -t nat -P POSTROUTING ACCEPT
#$IPTABLES -t mangle -P PREROUTING ACCEPT
#$IPTABLES -t mangle -P INPUT ACCEPT
#$IPTABLES -t mangle -P FORWARD ACCEPT
#$IPTABLES -t mangle -P OUTPUT ACCEPT
#$IPTABLES -t mangle -P POSTROUTING ACCEPT
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow https
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 443 --syn -j ACCEPT
# Allow http
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 80 --syn -j ACCEPT
# Allow inbound DNS requests from the wireless network.
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp --dport 53 -j ACCEPT
# Allow BitTorrent traffic -- avoid ISP blocking defaults
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
# Allow BitTorrent tracker capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6969 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6969 -j ACCEPT
# Allow SSH
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 22 --syn -j ACCEPT
# Allow linuxdc
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 29800 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 29800 -j ACCEPT
# Allow Donkey capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 8726 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 8730 -j ACCEPT
# Allow Kad in emule capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 16687 -j ACCEPT
# Allow Msn capability to get files
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6891 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6891 -j ACCEPT
# Allow Msn
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1863 -j ACCEPT
# Allow ICQ
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5190 -j ACCEPT
## Allow GTALK
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5223 -j ACCEPT
# Allow rsync
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 873 -j ACCEPT
|
gentoo_dude l33t
Joined: 08 May 2004 Posts: 645 Location: Washington, DC
Posted: Tue Dec 18, 2007 10:36 pm Post subject:
You cannot establish new connections from your computer to the outside:
Code: |
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o $PUBLIC_IF -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
|
NOTE:
Sorry, I just saw that your default policy for the OUTPUT chain is set to ACCEPT. What does /sbin/iptables -L look like?
didymos Advocate
Joined: 10 Oct 2005 Posts: 4798 Location: California
Posted: Tue Dec 18, 2007 10:56 pm Post subject:
Try changing this:
Code: |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
to
Code: |
$IPTABLES -A INPUT -i ! <interface connected to Internet> -j ACCEPT
|
and change this:
Code: |
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
|
to this:
Code: |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
It'd help to see what you've got in /etc/conf.d/net and to know whether or not you're also going through a router.
_________________
Thomas S. Howard
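The two rule changes suggested in this post, as an added example (this is not code from the original post or from didymos): a script that loads the corrected ruleset, with a dry-run mode so it can be checked without root or a netfilter-enabled kernel. PUBLIC_IF=eth2 is taken from the original script; DRY_RUN, RUN_RULES, run_ipt and build_rules are names assumed here. It uses the current "! -i" negation syntax; the "-i !" form quoted above is the older spelling that iptables 1.3.x accepted.

```shell
#!/bin/sh
# Added example, not code from the thread: the two changes suggested above,
# as a script that can be dry-run without root or a netfilter kernel.
# PUBLIC_IF=eth2 comes from the original post; DRY_RUN, RUN_RULES, run_ipt
# and build_rules are names assumed here.

PUBLIC_IF="${PUBLIC_IF:-eth2}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# run_ipt: execute an iptables command, or print it when DRY_RUN=1.
run_ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# build_rules: flush the filter table and load the corrected ruleset.
build_rules() {
    run_ipt -t filter -F
    run_ipt -t filter -X
    run_ipt -t filter -P INPUT DROP
    run_ipt -t filter -P FORWARD DROP
    run_ipt -t filter -P OUTPUT ACCEPT

    # Change 1: instead of "-i lo -j ACCEPT", accept everything that did NOT
    # arrive on the Internet-facing interface (lo, the wired LAN card, ...).
    # "! -i" is the current negation syntax; "-i !" in the post is the older
    # spelling of the same match.
    run_ipt -A INPUT ! -i "$PUBLIC_IF" -j ACCEPT

    # Change 2: let replies to connections this host opened back in on ANY
    # interface, not only $PUBLIC_IF. With an INPUT policy of DROP this is
    # the rule that makes outbound browsing and DNS lookups work at all.
    run_ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Services offered on the public interface. Only the first packet of a
    # new TCP connection (--syn) is accepted by port; the rest of an accepted
    # connection is handled by the state rule above. The other ports from
    # the original script can be added to this list the same way.
    for port in 22 80 443; do
        run_ipt -A INPUT -i "$PUBLIC_IF" -p tcp --dport "$port" --syn -j ACCEPT
    done

    # Anything else reaching the public interface falls through to the DROP
    # policy. Log it (rate-limited) so a blocked service shows up in dmesg.
    run_ipt -A INPUT -i "$PUBLIC_IF" -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Only load (or print) the rules when explicitly asked, so the file can also
# be sourced for its functions.
if [ "${RUN_RULES:-0}" = 1 ]; then
    build_rules
fi
```

Run `RUN_RULES=1 DRY_RUN=1 sh rules.sh` to see the commands it would issue; drop DRY_RUN and run it as root to apply them. Note that the "-i lo -j ACCEPT" rule from the original script is subsumed by change 1, since lo is never the public interface.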
Hu Administrator
Joined: 06 Mar 2007 Posts: 23076
Posted: Wed Dec 19, 2007 4:13 am Post subject:
Instead of iptables -L, use iptables-save -c. The latter produces a machine-readable definition that gives us all the details. The former omits detailed hit counters, interface restrictions, and all but one of the netfilter tables. Also, going along with the request from didymos, please provide the output of ip addr ; ip route. If you are directly on a public IP address, feel free to remove that from the output.
queen Veteran
Joined: 19 Jul 2005 Posts: 1642
Posted: Wed Dec 19, 2007 6:33 am Post subject:
I am going through a router. The router has its SPI firewall enabled. I want to disable the SPI firewall and use my iptables. I get a direct IP for browsing from the ISP. The router is a Linksys WRT54GC.
I will post all the details in a couple of hours, because I have to run. Right now the firewall is not enabled.
queen Veteran
Joined: 19 Jul 2005 Posts: 1642
Posted: Fri Dec 21, 2007 9:26 pm Post subject:
Hello didymos,
It seems that the changes you suggested work. Now I can ping google, browse, etc.
A few notes: before the change I tried the command route and there was no output. Now route gives this output:
Code: |
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth2
|
Here is my /etc/conf.d/net:
Code: |
config_eth0=("dhcp")
#dhcp_eth0="nontp nonis nodns"
dhcp_eth0="nontp nonis"
#dns_servers_eth0="127.0.0.1 208.67.222.222 208.67.220.220"
config_eth2=("dhcp")
modules_eth2=("iwconfig")
#dhcp_eth2="nodns"
dns_servers_eth2="208.67.222.222 208.67.220.220"
routes_eth2=("default gw 192.168.1.1")
|
eth0 is the non-wifi card. eth2 is the wifi card. I am behind a router. I would like to disable the SPI firewall of the router. I have speed problems and am not sure where the problems come from. I try to use the OpenDNS IPs.
I get an internal IP from the router (via DHCP) and have a static IP address to connect directly to the internet.
Can you explain what the changes you suggested do?
didymos wrote:
Try changing this:
Code: |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
to
Code: |
$IPTABLES -A INPUT -i ! <interface connected to Internet> -j ACCEPT
|
and change this:
Code: |
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
|
to this:
Code: |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
It'd help to see what you've got in /etc/conf.d/net and to know whether or not you're also going through a router.
queen Veteran
Joined: 19 Jul 2005 Posts: 1642
Posted: Fri Dec 21, 2007 9:44 pm Post subject:
Hu wrote:
Instead of iptables -L, use iptables-save -c. The latter produces a machine-readable definition that gives us all the details. The former omits detailed hit counters, interface restrictions, and all but one of the netfilter tables. Also, going along with the request from didymos, please provide the output of ip addr ; ip route. If you are directly on a public IP address, feel free to remove that from the output.
What is ip route or ip addr? It said command not found. route gave me an output.
Here is the output I got from iptables-save -c before I changed the settings that didymos suggested.
Code: |
iptables-save -c
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*nat
:PREROUTING ACCEPT [963:270530]
:POSTROUTING ACCEPT [3142:189427]
:OUTPUT ACCEPT [3142:189427]
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*mangle
:PREROUTING ACCEPT [14991:802708]
:INPUT ACCEPT [14209:544608]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19584:855385]
:POSTROUTING ACCEPT [19584:855385]
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*filter
:INPUT DROP [2352:165107]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19007:816911]
[11277:337977] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --ports 53309:53317 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 6969 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 6969 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 29800 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 29800 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 8726 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 8730 -j ACCEPT
[114:8433] -A INPUT -i eth2 -p udp -m udp --dport 16687 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 6891 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 6891 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 1863 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 5190 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 5223 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 873 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
|
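Two checks worth running over exactly this kind of output, as an added example that is not code from the thread or from Hu: an awk filter that reads iptables-save -c text, reports the filter INPUT policy, says whether INPUT contains a RELATED,ESTABLISHED accept rule (the rule that lets replies to outbound connections back in, as requested earlier in the thread), and lists every INPUT ACCEPT rule whose packet counter is still zero. SAMPLE is a constructed, trimmed copy of the ruleset posted above; FIXED_SAMPLE is the same with the state rule added. check_ruleset, sample_report and fixed_report are names assumed here. On the posted ruleset it reports that no state rule is present in INPUT, something that is visible in the listing above but easy to overlook among the port rules.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity checks over the output of
# `iptables-save -c`, which carries per-rule hit counters and interface
# restrictions that `iptables -L` leaves out.
# Usage: iptables-save -c | sh check-ruleset.sh   (or: check_ruleset < file)

# check_ruleset reads iptables-save -c text on stdin and prints
#   - the filter INPUT policy,
#   - whether INPUT has a RELATED,ESTABLISHED accept rule,
#   - every INPUT ACCEPT rule whose packet counter is still zero.
# Returns 0 when the state rule is present, 1 when it is missing.
check_ruleset() {
    awk '
        /^\*/             { table = substr($0, 2); next }   # "*filter" etc.
        /^COMMIT/         { table = ""; next }
        table != "filter" { next }                          # ignore nat/mangle
        /^:INPUT /        { print "INPUT policy: " $2; next }
        # counted rule lines look like: [pkts:bytes] -A CHAIN ...
        /^\[[0-9]+:[0-9]+\] -A INPUT / {
            pkts = substr($1, 2); sub(/:.*/, "", pkts)
            rule = $0; sub(/^\[[0-9]+:[0-9]+\] /, "", rule)
            if (rule ~ /--state [A-Z,]*ESTABLISHED/ && rule ~ /-j ACCEPT/) {
                state_rule = 1
                print "state rule present: " rule
            } else if (rule ~ /-j ACCEPT/ && pkts + 0 == 0) {
                print "never matched: " rule
            }
        }
        END {
            if (!state_rule) {
                print "MISSING: no RELATED,ESTABLISHED accept rule in INPUT"
                exit 1
            }
        }
    '
}

# Constructed sample: a trimmed copy of the ruleset posted in this thread.
SAMPLE='*filter
:INPUT DROP [2352:165107]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19007:816911]
[11277:337977] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[114:8433] -A INPUT -i eth2 -p udp -m udp --dport 16687 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
COMMIT'

# Constructed sample: the same chain with the state rule added.
FIXED_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[11277:337977] -A INPUT ! -i eth2 -j ACCEPT
[8421:6010338] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT -i eth2 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
COMMIT'

# sample_report: findings for the posted ruleset; exit status 1 (no state rule).
sample_report() {
    printf '%s\n' "$SAMPLE" | check_ruleset
}

# fixed_report: findings for the corrected ruleset; exit status 0.
fixed_report() {
    printf '%s\n' "$FIXED_SAMPLE" | check_ruleset
}
```

A zero counter on an ACCEPT rule after real traffic has flowed is not an error by itself (nobody may have connected to that port yet), but a zero counter on a rule you expected to carry the traffic, or the absence of the state rule altogether, is the first thing to look at when "nothing works" with an INPUT policy of DROP.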
queen Veteran
Joined: 19 Jul 2005 Posts: 1642
Posted: Fri Dec 21, 2007 10:10 pm Post subject:
One more question:
I have port forwarding in the router. With these rules, can I disable the port forwarding in the router?
Hu Administrator
Joined: 06 Mar 2007 Posts: 23076
Posted: Sat Dec 22, 2007 4:31 pm Post subject:
queen wrote:
What is ip route or ip addr? It said command not found. route gave me an output.
/sbin/ip is part of sys-apps/iproute2. It is an alternative to using ifconfig and route.
queen Veteran
Joined: 19 Jul 2005 Posts: 1642
Posted: Sat Dec 22, 2007 4:39 pm Post subject:
Hu wrote:
queen wrote:
What is ip route or ip addr? It said command not found. route gave me an output.
/sbin/ip is part of sys-apps/iproute2. It is an alternative to using ifconfig and route.
OK. Thanks. I don't have iproute2 installed.