tomashek (n00b, Joined: 16 Sep 2005, Posts: 1)

Posted: Fri Sep 16, 2005 7:55 pm    Post subject: rp-pppoe changes iptables rules
Hello,
Some time ago I noticed that whenever I start a DSL connection using rp-pppoe the iptables rules are modified. I have defined these rules in /var/lib/iptables/rules-save and the iptables service is started during boot-up. Now I should add that I have defined my DSL connection by means of both tkpppoe and adsl-setup to not apply firewall rules, i.e.:
the tkpppoe options tab value for firewalling reads 'None';
in the configuration file /etc/ppp/pppoe.conf it says FIREWALL=NONE.
So as far as I can tell my iptables rules should not be changed when I start the DSL connection, but they are. Does anybody have an idea what else I can do to avoid this?
Please find my iptables rules before the DSL connection is up and running:
Code:
Chain INPUT (policy DROP 327 packets, 15147 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 any anywhere anywhere
2 100 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- ppp0 any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT udp -- ppp0 any anywhere anywhere udp dpt:4666
0 0 ACCEPT tcp -- ppp0 any anywhere anywhere tcp dpt:4662
0 0 ACCEPT tcp -- ppp0 any anywhere anywhere tcp dpt:4672
0 0 LOG tcp -- eth1 any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN LOG level alert prefix `NEW INPUT not syn:'
0 0 DROP tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- ppp0 any anywhere anywhere state NEW tcp
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `input ----------------------'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `FORWARDING -------'
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any ppp0 anywhere anywhere
2 100 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT all -- any eth1 anywhere anywhere
0 0 LOG all -- any any 192.168.2.0/24 anywhere LOG level alert prefix `OUTPUT ???????:'
0 0 LOG tcp -- any any 192.168.2.0/24 anywhere state NEW tcp flags:!SYN,RST,ACK/SYN LOG level alert prefix `New OUTPUT not syn:'
0 0 DROP tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spts:4242:4662
0 0 ACCEPT udp -- any lo localhost anywhere
0 0 DROP udp -- any any anywhere anywhere state NEW
0 0 ACCEPT udp -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `output ---------------------'
And afterwards (just an excerpt; the full listing is too long):
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any dns10.arcor-ip.de anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any dns10.arcor-ip.de anywhere
0 0 ACCEPT tcp -- any any dns1.arcor-ip.de anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any dns1.arcor-ip.de anywhere
0 0 ACCEPT tcp -- any any dns10.arcor-ip.de anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any dns10.arcor-ip.de anywhere
0 0 ACCEPT tcp -- any any dns1.arcor-ip.de anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any dns1.arcor-ip.de anywhere
0 0 ACCEPT tcp -- any any dns10.arcor-ip.de anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any dns10.arcor-ip.de anywhere
0 0 ACCEPT tcp -- any any dns1.arcor-ip.de anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any dns1.arcor-ip.de anywhere
0 0 ACCEPT tcp -- any any anywhere dsl-082-083-057-130.arcor-ip.net tcp dpts:4242:4662
0 0 ACCEPT udp -- any any anywhere dsl-082-083-057-130.arcor-ip.net udp dpts:4242:4662
0 0 ACCEPT tcp -- any any anywhere dsl-082-083-057-130.arcor-ip.net tcp dpt:4242
0 0 ACCEPT udp -- any any anywhere dsl-082-083-057-130.arcor-ip.net udp dpt:4242
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp echo-request
0 0 LD udp -- any any anywhere dsl-082-083-057-130.arcor-ip.net udp dpt:traceroute
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp destination-unreachable
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp host-unreachable
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp timestamp-request
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp timestamp-reply
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp address-mask-request
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp address-mask-reply
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp redirect
0 0 LD icmp -- any any anywhere dsl-082-083-057-130.arcor-ip.net icmp source-quench
0 0 LD all -- any any anywhere anywhere state INVALID
0 0 LD all -f any any anywhere anywhere limit: avg 10/min burst 5
0 0 ACCEPT all -- any any localhost/24 anywhere
0 0 LD all -- ppp0 any 0.0.0.0/8 dsl-082-083-057-130.arcor-ip.net
0 0 LD all -- ppp0 any 1.0.0.0/8 dsl-082-083-057-130.arcor-ip.net
0 0 LD all -- ppp0 any 2.0.0.0/8 dsl-082-083-057-130.arcor-ip.net
0 0 LD all -- ppp0 any 5.0.0.0/8 dsl-082-083-057-130.arcor-ip.net
0 0 LD all -- ppp0 any 7.0.0.0/8 dsl-082-083-057-130.arcor-ip.net
Thanks in advance,
Tomashek
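The first thing a practitioner would want here is a precise list of which rules and chains appeared when the link came up, so that the hook adding them (pppd runs /etc/ppp/ip-up after the link is established, and distributions often chain further scripts from there) can be tracked down. The following script is an added example and is not part of the original post or of rp-pppoe; it compares two snapshots in `iptables-save` format and prints only the entries present in the second one. The two snapshots embedded below are constructed for the demo and only loosely modelled on the poster's chains (the contents of the `LD` chain in particular are assumed); on a real system they would come from `iptables-save` run before and after starting the DSL connection.

```sh
#!/bin/sh
# Added example (not from the original post): report which iptables chains and
# rules exist only after the PPP link came up, by diffing two snapshots taken
# with `iptables-save`. Counters are stripped so they never show up as a change.
LC_ALL=C
export LC_ALL

# Constructed "before" snapshot: a subset of the poster's pre-DSL ruleset.
before_snapshot() {
    cat <<'EOF'
*filter
:INPUT DROP [327:15147]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
COMMIT
EOF
}

# Constructed "after" snapshot: the same rules plus a user-defined chain LD and
# anti-spoofing rules of the kind seen in the post (LD body is an assumption).
after_snapshot() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LD - [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j LD
-A INPUT -s 0.0.0.0/8 -i ppp0 -j LD
-A INPUT -s 1.0.0.0/8 -i ppp0 -j LD
-A OUTPUT -o ppp0 -j ACCEPT
-A LD -j LOG --log-prefix "LD: "
-A LD -j DROP
COMMIT
EOF
}

# Normalise one snapshot file: keep chain declarations (":NAME POLICY", with
# the "[packets:bytes]" counter removed) and rules ("-A ..."), sorted for comm(1).
normalise() {
    sed -n -e 's/^\(:[^ ]* [^ ]*\) \[.*$/\1/p' -e '/^-A /p' "$1" | sort
}

# Print chain declarations and rules present in $2 (after) but absent from $1 (before).
added_rules() {
    tmpdir="${TMPDIR:-/tmp}"
    normalise "$1" > "$tmpdir/norm.before.$$"
    normalise "$2" > "$tmpdir/norm.after.$$"
    comm -13 "$tmpdir/norm.before.$$" "$tmpdir/norm.after.$$"
    rm -f "$tmpdir/norm.before.$$" "$tmpdir/norm.after.$$"
}

# Number of added entries, for a quick "did anything change at all?" check.
added_count() {
    added_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed snapshots: prints the LD chain and the
# five rules that only exist in the "after" snapshot.
demo() {
    b="${TMPDIR:-/tmp}/iptables.before.$$"
    a="${TMPDIR:-/tmp}/iptables.after.$$"
    before_snapshot > "$b"
    after_snapshot > "$a"
    echo "entries added after the link came up: $(added_count "$b" "$a")"
    added_rules "$b" "$a"
    rm -f "$b" "$a"
}

demo
```

On the real machine the workflow is `iptables-save > /tmp/before`, start the DSL connection, `iptables-save > /tmp/after`, then `added_rules /tmp/before /tmp/after`. Diffing `iptables-save` output rather than the `iptables -L -v` listing from the post avoids two sources of noise: packet and byte counters, which change on every packet, and reverse-resolved hostnames such as the `arcor-ip.de` names above, which depend on DNS being reachable at the time of the listing. Once the added rules are known, grep for a distinctive one (for example the `LD` target) in /etc/ppp and in whatever your distribution runs from ip-up to find the script responsible.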