XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Sat Jun 24, 2006 2:03 am Post subject: Iptables
Maybe this could be a catch-all for iptables. I don't know how many times I've had to ask questions on iptables.
http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
http://www.gentoo.org/doc/en/home-router-howto.xml
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

The only way I've EVER been able to get FORWARDING to work with a policy of DROP is
Code:
iptables -A FORWARD -j ACCEPT

which completely defeats the purpose of having the policy as DROP. I've looked at numerous examples on the web; none of them work...
<edit>my current forwarding code that doesn't work:
Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -m state --state NEW -j ACCEPT
</edit>
I also would like to know why THIS doesn't work?
Code:
iptables -A INPUT -i eth0 -p tcp --sport 80 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

In theory I should be able to browse non-https websites with that, but I can't.
_________________
I don't hang out here anymore, try asking on http://unix.stackexchange.com/ if you want my help.
ld50 Tux's lil' helper
Joined: 13 Feb 2005 Posts: 135
Posted: Sat Jun 24, 2006 2:45 am Post subject:
Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -m state --state NEW -j ACCEPT

Shouldn't you be using a SNAT target also?

Code:
iptables -A INPUT -i eth0 -p tcp --sport 80 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

What are you trying to do with this? Remember that when you connect to an HTTP server, dport is 80 but your local port (sport) is random.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Sat Jun 24, 2006 2:58 am Post subject:
Code:
iptables -t nat -L POSTROUTING -v
Chain POSTROUTING (policy ACCEPT 3517 packets, 220K bytes)
 pkts bytes target     prot opt in  out  source   destination
23451 1440K MASQUERADE all  --  any eth0 anywhere anywhere

That takes care of the POSTROUTING. Like I said, it works if I accept all packets to be forwarded.
Hmm... didn't realise that about the source port. Learn something new every day. However, I still can't get on the internet with
Code:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

<edit>basically what I'd like to do is only allow certain ports in certain states and not necessarily every port that is getting RELATED, ESTABLISHED packets</edit>
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Sat Jun 24, 2006 3:55 am Post subject:
Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p udp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

This seems to work. I started generating logs and am trying to understand every component.
Code:
Jun 23 23:47:35 slave-i IN=eth0 OUT= MAC=00:04:61:70:d4:51:00:30:b8:c3:25:91:08:00 SRC=68.87.77.130 DST=24.11.220.16 LEN=111 TOS=0x00 PREC=0x00 TTL=54 ID=46845 DF PROTO=UDP SPT=53 DPT=33297 LEN=91

Obviously: (date) (time) (hostname) (inbound) (outbound) (website) (myip) (LEN?) (TOS?) (PREC?) (TTL?) (ID?) (DF?) (protocol) (source port) (destination port) (LEN?)
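The log line in the post above is the output of the netfilter LOG target, and every field of it is recoverable from the IP and transport headers. Here is an added example, not from the thread, that parses such lines and spells out each field. The two sample lines are constructed (RFC 5737 test addresses, made-up MACs and ports, and an assumed `--log-prefix` of "FWD-DROP ") in the same shape as the real one; the second is a TCP line, which ends in WINDOW/RES/flags/URGP instead of a second LEN. One check a practitioner wants is built in: for UDP the second LEN is the UDP length, and with no IP options it must equal the first LEN minus the 20-byte IP header (111 and 91 in the post's line agree).

```shell
#!/bin/sh
# Added example (not from the thread): pull apart netfilter LOG lines.
# Both sample lines are constructed: RFC 5737 addresses, made-up MACs and
# ports, and "FWD-DROP " as an assumed --log-prefix.
UDP_LINE='Jun 23 23:47:35 router FWD-DROP IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.53 DST=192.0.2.16 LEN=111 TOS=0x00 PREC=0x00 TTL=54 ID=46845 DF PROTO=UDP SPT=53 DPT=33297 LEN=91'
TCP_LINE='Jun 23 23:48:01 router FWD-DROP IN=eth0 OUT=eth1 MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.80 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=48122 WINDOW=5840 RES=0x00 ACK SYN URGP=0'

# nf_field LINE KEY [N]: value of the N-th KEY=value token (default: first).
# The IP total length and the UDP length are both printed as LEN=, so the
# UDP one is reached with N=2.
nf_field() {
    n=0
    for tok in $1; do
        case "$tok" in
            "$2="*) n=$((n + 1))
                    if [ "$n" -eq "${3:-1}" ]; then printf '%s\n' "${tok#*=}"; return 0; fi ;;
        esac
    done
    return 1
}

# nf_flag LINE NAME: true if a bare flag token (DF, SYN, ACK, ...) is present.
nf_flag() {
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# nf_mac LINE dst|src|type: MAC= is the raw 14-byte Ethernet header, so the
# first six octets are the destination MAC (this host), the next six the
# source MAC (the previous hop), and the last two the ethertype (08:00 = IPv4).
nf_mac() {
    mac=$(nf_field "$1" MAC) || return 1
    case "$2" in
        dst)  printf '%s\n' "$mac" | cut -d: -f1-6 ;;
        src)  printf '%s\n' "$mac" | cut -d: -f7-12 ;;
        type) printf '%s\n' "$mac" | cut -d: -f13-14 ;;
        *)    return 1 ;;
    esac
}

# nf_summary LINE: one line of "PROTO src:sport -> dst:dport (in IF, out IF)".
# OUT= is empty for packets addressed to this host (INPUT chain).
nf_summary() {
    in_if=$(nf_field "$1" IN); out_if=$(nf_field "$1" OUT)
    printf '%s %s:%s -> %s:%s (in %s, out %s)\n' \
        "$(nf_field "$1" PROTO)" "$(nf_field "$1" SRC)" "$(nf_field "$1" SPT)" \
        "$(nf_field "$1" DST)" "$(nf_field "$1" DPT)" "${in_if:--}" "${out_if:--}"
}

# nf_len_check LINE: for UDP, the second LEN= is the UDP length (8-byte header
# plus payload) and equals the IP total length minus the 20-byte IP header
# when there are no IP options. Prints ok, mismatch, or n/a for non-UDP.
nf_len_check() {
    ip_len=$(nf_field "$1" LEN 1)
    udp_len=$(nf_field "$1" LEN 2) || { echo "n/a"; return 0; }
    if [ $((ip_len - 20)) -eq "$udp_len" ]; then echo ok; else echo mismatch; fi
}

# nf_explain LINE: print each header field with what it means.
nf_explain() {
    lens=0
    for tok in $1; do
        v=${tok#*=}
        case "$tok" in
            IN=*)     echo "IN=$v      interface the packet arrived on" ;;
            OUT=*)    echo "OUT=$v     interface it would leave on (empty when it is for this host)" ;;
            MAC=*)    echo "MAC=...    dst $(nf_mac "$1" dst), src $(nf_mac "$1" src), ethertype $(nf_mac "$1" type)" ;;
            SRC=*)    echo "SRC=$v    source IP address" ;;
            DST=*)    echo "DST=$v    destination IP address" ;;
            LEN=*)    lens=$((lens + 1))
                      if [ "$lens" -eq 1 ]; then echo "LEN=$v    total IP packet length in bytes"
                      else echo "LEN=$v     UDP length: 8-byte header plus payload"; fi ;;
            TOS=*)    echo "TOS=$v   type-of-service bits of the IP TOS byte" ;;
            PREC=*)   echo "PREC=$v  precedence bits of the same byte" ;;
            TTL=*)    echo "TTL=$v     hops left before the packet is discarded" ;;
            ID=*)     echo "ID=$v   IP identification, used to reassemble fragments" ;;
            DF)       echo "DF         Don't Fragment flag is set" ;;
            PROTO=*)  echo "PROTO=$v  transport protocol" ;;
            SPT=*)    echo "SPT=$v     source port" ;;
            DPT=*)    echo "DPT=$v  destination port" ;;
            WINDOW=*) echo "WINDOW=$v TCP receive window" ;;
            RES=*)    echo "RES=$v  reserved TCP header bits" ;;
            SYN|ACK|FIN|RST|PSH|URG) echo "$tok        TCP flag is set" ;;
            URGP=*)   echo "URGP=$v     TCP urgent pointer" ;;
        esac
    done
}

nf_explain "$UDP_LINE"
nf_summary "$TCP_LINE"
nf_len_check "$UDP_LINE"
```

Feed it real lines with `grep FWD-DROP /var/log/messages | while read -r l; do nf_summary "$l"; done`; a run of entries with `IN=eth1 OUT=eth0` and `--state NEW` ports you did not open is the DROP policy doing its job, while entries with `IN=eth0 OUT=eth1` for a connection you started mean the reply is not being recognised as ESTABLISHED.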