Zidge Tux's lil' helper
Joined: 20 Aug 2003 Posts: 86
Posted: Wed Mar 03, 2004 6:33 pm Post subject: [iptable] what's wrong ?
I just set up a few rules on my iptables firewall. I checked them twice, but it really doesn't work: no network at all!
Here is my config script:
Code:
```sh
#!/bin/sh
######## Refuse spoofing #############
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
#then
# for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
# do
# echo 1 > $filtre
# done
#fi
######## Refuse ping (ICMP) #########
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
###### First flush all rules ########
iptables -F
iptables -X
############ Log everything that is dropped #############
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
############# Log accepted packets ###############
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
iptables -A LOG_ACCEPT -j ACCEPT
###### Default behaviour (drop all) ############
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
####### Loopback: refusing it is like deactivating the network ########
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
####### SSH ###############
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport 22 -j LOG_ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED -p tcp --sport 22 -j ACCEPT
####### FTP ###########
# control connection
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j LOG_ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# data connection (active mode)
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# data connection (passive mode)
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -j LOG_DROP
iptables -A INPUT -j LOG_DROP
iptables -A OUTPUT -j LOG_DROP
####### LAL Proxy ########
# inbound data
iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 888 -j ACCEPT
# outbound data and HTTPS connections
iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --sport 443 -j ACCEPT
```
After that I do:
Code:
```sh
sh firewall.sh
/etc/init.d/iptables save
/etc/init.d/iptables start
```
`iptables -L` gives me:
Quote:
```text
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG_ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:ssh
LOG_ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
LOG_DROP all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:888
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:https

Chain FORWARD (policy DROP)
target prot opt source destination
LOG_DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state ESTABLISHED
LOG_DROP all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp spt:https

Chain LOG_ACCEPT (2 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[IPTABLES ACCEPT] : '
ACCEPT all -- anywhere anywhere

Chain LOG_DROP (3 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[IPTABLES DROP] : '
DROP all -- anywhere anywhere
```
So, do you see anything wrong here?
scout Veteran
Joined: 08 Mar 2003 Posts: 1991 Location: France, Paris en Semaine / Metz le W-E
Posted: Thu Mar 04, 2004 4:10 am Post subject: Re: [iptable] what's wrong ?
Zidge wrote:
> no network at all!

Your firewall seems OK; however, HTTP and DNS don't pass through.
Is this why you can't reach any hosts?
Otherwise, try testing your firewall with tcpdump; it gives information on every packet that arrives at your computer. Then tell us more about your lack of network.
_________________
http://petition.eurolinux.org/ - Petition against ePatents
The essence of finesse
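As an added example (not the script from the post, nor from either poster), here is the same policy re-expressed in iptables-restore format so the whole table is loaded atomically and rule order is visible at a glance. The catch-all LOG_DROP rules sit last in each chain, one ESTABLISHED,RELATED rule per chain replaces the per-service ESTABLISHED rules, and FTP data connections are left to the conntrack FTP helper, which marks them RELATED whether the transfer is active or passive. eth0 as the external interface and TCP 888 as the proxy port are taken from the post; the outbound DNS/HTTP/HTTPS rules, the rate limit on the drop log, and the helper module names are assumptions. `find_shadowed` reads a restore-format ruleset on stdin and reports any rule appended to a chain after that chain already ended in an unconditional jump, and `thread_order` is a constructed, abridged transcription of the post's rule order so the check has something to flag.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: eth0 is the external
# interface, the local proxy listens on TCP 888, and the host needs outbound
# DNS and HTTP(S). Run as "sh fw.sh apply" (root) to install the ruleset.
WAN=${WAN:-eth0}
PROXY_PORT=${PROXY_PORT:-888}

# Emit the ruleset in iptables-restore syntax. Each chain's catch-all comes
# last; a single ESTABLISHED,RELATED rule per chain handles return traffic,
# so FTP data connections need no --sport 20 rules once the helper is loaded.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "[IPTABLES DROP] : "
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : "
-A LOG_ACCEPT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOG_DROP
-A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW -j LOG_ACCEPT
-A INPUT -i $WAN -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $WAN -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -j LOG_DROP
-A FORWARD -j LOG_DROP
-A OUTPUT -j LOG_DROP
COMMIT
EOF
}

# Read a restore-format ruleset on stdin. Once a chain contains a rule whose
# only option is "-j TARGET", every later rule in that chain is unreachable;
# print each such rule and exit 1 if any were found.
find_shadowed() {
  awk '
    /^-A / {
      chain = $2
      if (chain in dead) { print "shadowed: " $0; n++ }
      else if ($0 ~ /^-A [A-Za-z_]+ -j [A-Za-z_]+$/) dead[chain] = 1
    }
    END { if (n > 0) exit 1 }'
}

# Constructed, abridged transcription of the order used in the post: the
# proxy and HTTPS rules are appended after the INPUT/OUTPUT catch-alls.
thread_order() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : "
-A LOG_ACCEPT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j LOG_ACCEPT
-A FORWARD -j LOG_DROP
-A INPUT -j LOG_DROP
-A OUTPUT -j LOG_DROP
-A INPUT -i eth0 -p tcp --dport 888 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Load the conntrack FTP helper (nf_conntrack_ftp on current kernels,
# ip_conntrack_ftp on 2.4/early 2.6) and install the table atomically.
apply() {
  modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
  gen_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Running `thread_order | find_shadowed` lists the three rules (dport 888, dport 443 and sport 443) that the post's script appends after the catch-alls, which matches the `iptables -L` listing above where they appear below LOG_DROP; `gen_rules | find_shadowed` is silent. Because iptables-restore replaces the table in one step, there is also no window where the DROP policies are in force without any ACCEPT rules, which a flush-then-append script has.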