knueven7 n00b
Joined: 01 May 2004 Posts: 42
Posted: Thu Jul 29, 2004 4:21 pm Post subject: iptables
I have this rule that allows the machines behind my firewall to AFP to the outside world:
iptables -A FORWARD -m state --state NEW -s $SUB1 -p TCP --dport 548 -j ACCEPT
I also have a rule allowing all established connections:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
I can AFP out from behind the firewall with my test computer. The problem is that I can also AFP from outside of my firewall into my network to my test computer. Why is it able to AFP from outside of my network? I thought the rule above let all computers on $SUB1 create an AFP connection while the established connections rule allows responses to come back in? What would I have to do to let AFP out, but not in?
Thanks.
Jeremy_Z l33t
Joined: 05 Apr 2004 Posts: 671 Location: Shanghai
Posted: Thu Jul 29, 2004 4:44 pm Post subject:
I assume your policies are set to DROP?
What do you mean by: "The problem is that I can also AFP from outside of my firewall into my network to my test computer"?
A good troubleshooting option would be to use a sniffer like ethereal.
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals
knueven7 n00b
Joined: 01 May 2004 Posts: 42
Posted: Thu Jul 29, 2004 4:47 pm Post subject: what about this?
I just realized if I add:
iptables -A FORWARD -p TCP -d $SUB1 --dport 548 -j DROP
it does not allow incoming AFP connections. Is there a way to have a generic rule that says just DROP all incoming TCP connections unless they are initiated by the client machines behind the firewall? I thought that was what setting the INPUT, OUTPUT, FORWARD policies to DROP did? Am I missing something?
Jeremy_Z l33t
Joined: 05 Apr 2004 Posts: 671 Location: Shanghai
Posted: Thu Jul 29, 2004 5:10 pm Post subject:
Yep, if the policy is DROP, adding any DROP rule at the end of the chain is useless (unless you put it before an ACCEPT rule), since it just DROPs packets that did not match any rule.
knueven7 n00b
Joined: 01 May 2004 Posts: 42
Posted: Thu Jul 29, 2004 7:42 pm Post subject: policies
What you're saying is if my policies are DROP, it automatically drops anything that is not stated in the rules? Correct? All of my policies are set to drop, but unless I put a drop statement at the end of my script it doesn't drop anything. For example, if I run a web server on my machine that's behind the firewall, even with the drop policies I could still connect to the webserver from the outside world. To fix that problem I had to add the drop rule at the end of my script. Why do I have to do both if just setting the policies to DROP should work?
Thanks for the help.
Jeremy_Z l33t
Joined: 05 Apr 2004 Posts: 671 Location: Shanghai
Posted: Thu Jul 29, 2004 8:04 pm Post subject:
Weird, very weird.
Would you mind posting 'iptables -L'?
And just to check, try to flush all your chains and set all policies to DROP; you should then be completely locked. If not, this is definitely going wrong.
What's your version of iptables?
knueven7 n00b
Joined: 01 May 2004 Posts: 42
Posted: Thu Jul 29, 2004 8:49 pm Post subject: Here's everything
iptables version: 1.2.9
iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT udp -- x.x.x.0/23 anywhere state NEW udp dpt:domain
ACCEPT tcp -- x.x.x.0/23 anywhere state NEW multiport dports www.https
ACCEPT all -- anywhere anywhere state RELATED, ESTABLISHED
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
iptables script:
#!/bin/sh
sub1="x.x.x.0/23"
### Flush tables
iptables -F
iptables -X
iptables -Z
### Policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
### Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
### DNS
iptables -A FORWARD -m state --state NEW -s $sub1 -p UDP --dport 53 -j ACCEPT
### HTTP
iptables -A FORWARD -m state --state NEW -s $sub1 -p TCP -m multiport --dport 80,443 -j ACCEPT
## to block access to the webserver that's sitting behind the firewall (previous post)
iptables -A FORWARD -p TCP -d $sub1 --dport 80 -j DROP
### Accept established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Jeremy_Z l33t
Joined: 05 Apr 2004 Posts: 671 Location: Shanghai
Posted: Thu Jul 29, 2004 9:38 pm Post subject:
Why is your mask 23? It should be 24 if you meant 255.255.255.0.
Now, if your webserver is on 192.168.0.0/24, any client from sub 192.168.1.0/24 could connect.
It may be safer to use -i or -o.
knueven7 n00b
Joined: 01 May 2004 Posts: 42
Posted: Thu Jul 29, 2004 9:52 pm Post subject: /23
It's /23. It covers 128.146.45.0/23.
I use a bridging firewall, so there are no 192 addresses or NAT/MASQ. This setup is at a University and they do not allow NAT.
The bridge sits in between my gateway and the rest of my network. My (acting) webserver is 128.146.45.241 (just for testing). I can access it from anywhere with the rules in the previous post (except for when I apply the incoming port 80 block).
Jeremy_Z l33t
Joined: 05 Apr 2004 Posts: 671 Location: Shanghai
Posted: Thu Jul 29, 2004 10:07 pm Post subject:
You could try to change
iptables -A FORWARD -m state --state NEW -s $sub1 -p TCP -m multiport --dport 80,443 -j ACCEPT
iptables -A FORWARD -m state --state NEW -s ! $sub1 -p TCP -m multiport --dport 80,443 -j DROP
Or try to accept and log / drop and log using -j LOG --log-level 4 --log-prefix "any descriptive comment:"
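How the FORWARD chain in this thread actually decides, as an added example that is not part of the thread, of the poster's script, or of iptables itself: a small Python model of first-match evaluation with a DROP policy and a minimal NEW/ESTABLISHED tracker, run over the posted TCP rules and over the same rules with -i/-o added as Jeremy_Z suggests. The bridge port names (eth1 on the LAN side, eth0 on the gateway side), the outside client 203.0.113.10 and the client 128.146.44.7 are constructed assumptions; the model shows what a match on `-s 128.146.45.0/23` does and does not decide on a bridge, not what caused the poster's observation.

```python
"""Model of an iptables FORWARD chain (added example, not iptables itself).
Covers only what the thread's rules use: first match wins, a default policy,
NEW vs ESTABLISHED tracking, and the -s/-d/-i/-o/--dport/--state matches."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

INSIDE, OUTSIDE = "eth1", "eth0"   # assumed bridge ports: LAN side, gateway side
SUB1 = "128.146.45.0/23"           # the thread's $sub1, exactly as posted


def subnet_span(cidr: str) -> Tuple[str, str]:
    """First and last address a CIDR covers, as iptables reads it (host bits ignored)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str    # interface the frame arrived on (-i)
    out_if: str   # interface it will leave by (-o)


@dataclass
class Rule:
    target: str                       # ACCEPT or DROP
    src: Optional[str] = None         # -s CIDR
    src_negate: bool = False          # -s ! CIDR
    dst: Optional[str] = None         # -d CIDR
    dports: Tuple[int, ...] = ()      # --dport or -m multiport --dport
    in_if: Optional[str] = None       # -i
    out_if: Optional[str] = None      # -o
    states: Tuple[str, ...] = ()      # -m state --state

    def matches(self, pkt: Packet, state: str) -> bool:
        def in_net(addr: str, cidr: str) -> bool:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
        if self.src is not None and in_net(pkt.src, self.src) == self.src_negate:
            return False
        if self.dst is not None and not in_net(pkt.dst, self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        if self.states and state not in self.states:
            return False
        return True


class ForwardChain:
    def __init__(self, rules, policy: str = "DROP"):
        self.rules, self.policy = rules, policy
        self.flows = set()   # (client, server, server_port) of flows accepted as NEW

    def state_of(self, pkt: Packet) -> str:
        # A packet belongs to a known flow in either direction -> ESTABLISHED.
        if (pkt.src, pkt.dst, pkt.dport) in self.flows or (pkt.dst, pkt.src, pkt.sport) in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def verdict(self, pkt: Packet) -> str:
        state = self.state_of(pkt)
        result = next((r.target for r in self.rules if r.matches(pkt, state)), self.policy)
        if result == "ACCEPT" and state == "NEW":
            self.flows.add((pkt.src, pkt.dst, pkt.dport))
        return result


# The thread's TCP FORWARD rules as posted (the UDP DNS rule is omitted).
AS_POSTED = [
    Rule("ACCEPT", src=SUB1, dports=(80, 443), states=("NEW",)),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
]
# Same rules with the direction pinned to the bridge ports, as Jeremy_Z suggests.
WITH_INTERFACES = [
    Rule("ACCEPT", src=SUB1, dports=(80, 443), states=("NEW",), in_if=INSIDE, out_if=OUTSIDE),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
]

# Constructed traffic: the poster's test web server, an outside client, and a
# client on the other half of the /23 (128.146.44.x) arriving via the gateway.
WEB = "128.146.45.241"
OUT_SYN     = Packet(WEB, "203.0.113.10", 51000, 80, INSIDE, OUTSIDE)
OUT_REPLY   = Packet("203.0.113.10", WEB, 80, 51000, OUTSIDE, INSIDE)
IN_SYN_FAR  = Packet("203.0.113.10", WEB, 40000, 80, OUTSIDE, INSIDE)
IN_SYN_NEAR = Packet("128.146.44.7", WEB, 40001, 80, OUTSIDE, INSIDE)


def run(rules) -> dict:
    chain = ForwardChain(rules)
    return {name: chain.verdict(p) for name, p in
            [("out_syn", OUT_SYN), ("out_reply", OUT_REPLY),
             ("in_syn_far", IN_SYN_FAR), ("in_syn_near", IN_SYN_NEAR)]}


if __name__ == "__main__":
    print(SUB1, "covers", *subnet_span(SUB1))
    print("as posted: ", run(AS_POSTED))
    print("with -i/-o:", run(WITH_INTERFACES))
```

Two things the run makes visible: `128.146.45.0/23` is read as `128.146.44.0/23` (128.146.44.0 through 128.146.45.255), so a NEW connection from any host in that range matches `-s $sub1` whichever bridge port it arrives on, and the ESTABLISHED rule only ever admits replies to flows a NEW rule already accepted. Adding `-i`/`-o` to the NEW rules is what ties "initiated by the machines behind the firewall" to the inside port rather than to a source address.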