From: "Russ Kreigh" <kreigh@onlyinternet.net>
To: netfilter@lists.netfilter.org
Subject: Firewall Help
Date: Tue, 11 Oct 2005 11:42:43 -0500
Message-ID: <00e501c5ce82$cd6cff30$e21e89ce@ssioi.com>
Hello -
When I applied the following rules below to my firewall my clients started
having problems browsing webpages. When I did a tcpdump I could see the
request go to the DNS server, but never saw a reply.
When I commented out the tcp rules, everything worked fine.
Do you think my limits are too low? I would estimate there are around 200
pcs coming through this.
Also, I am unclear if the rules are applied on a collective basis, or per IP
address. I assume it is ALL traffic, not per IP.
$IPTABLES -A INPUT -s X.X.30.0/24 -j ACCEPT # Exclude Management subnet from below rules
$IPTABLES -A INPUT -d X.X.30.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s X.X.30.0/24 -j ACCEPT
$IPTABLES -A FORWARD -d X.X.30.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 500/s -j REJECT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 500/s -j REJECT
$IPTABLES -A INPUT -p tcp -m limit --limit 2500/s -j REJECT
$IPTABLES -A FORWARD -p tcp -m limit --limit 2500/s -j REJECT
$IPTABLES -A INPUT -p icmp -m limit --limit 200/s -j REJECT
$IPTABLES -A FORWARD -p icmp -m limit --limit 200/s -j REJECT
Thanks,
Russ Kreigh
Network Engineer
OnlyInternet.Net Broadband & Wireless
Supernova Technologies
Office: (800) 363-0989
Direct: (260) 827-2486
Fax: (260) 824-9624
kreigh@onlyinternet.net
http://www.oibw.net
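The iptables `limit` match matches a packet only while its token bucket (refilled at the given rate, burst 5 by default) still holds a token, so a rule of the form `-m limit --limit 500/s -j REJECT` rejects the first 500 SYNs per second and lets anything above that rate through; the bucket is also one per rule, shared by every address, not per IP. The simulation below is an added example, not part of the thread, that models that bucket and compares the posted ordering with a limit-ACCEPT-then-REJECT ordering on constructed traffic (`LimitMatch`, `posted_ordering` and `corrected_ordering` are my names, and an ACCEPT chain policy is assumed).

```python
from fractions import Fraction

class LimitMatch:
    """Token-bucket model of `-m limit --limit RATE --limit-burst BURST`.
    One bucket per rule, shared by all addresses (per-IP needs hashlimit);
    a packet matches only while a token is available. Integer microseconds
    and Fractions keep the arithmetic exact."""

    def __init__(self, rate, burst=5):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst          # bucket starts full
        self.last_us = 0

    def matches(self, now_us):
        refill = Fraction(now_us - self.last_us, 1_000_000) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def run_chain(rules, timestamps_us, policy="ACCEPT"):
    """First matching (match, target) wins; a match of None matches everything."""
    counts = {}
    for now_us in timestamps_us:
        verdict = policy                  # assumed chain policy when no rule matches
        for match, target in rules:
            if match is None or match.matches(now_us):
                verdict = target
                break
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

def syn_stream(pps, seconds=1):
    """Constructed traffic: `pps` evenly spaced SYNs per second, in microseconds."""
    return [i * 1_000_000 // pps for i in range(pps * seconds)]

def posted_ordering(pps, limit=500):
    # The posted rule: -p tcp --syn -m limit --limit 500/s -j REJECT
    return run_chain([(LimitMatch(limit), "REJECT")], syn_stream(pps))

def corrected_ordering(pps, limit=500):
    # ACCEPT while inside the rate, then an unconditional REJECT for the excess.
    return run_chain([(LimitMatch(limit), "ACCEPT"), (None, "REJECT")],
                     syn_stream(pps))
```

At 100 SYNs/s the posted ordering rejects every packet while the corrected one accepts them all; at 1000 SYNs/s the posted ordering rejects roughly the first 500/s and passes the excess, the reverse of the corrected ordering.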