From: Joel Newkirk <netfilter@newkirk.us>
To: JUSTIN GERRY <JGERRY@butchers.com>, netfilter@lists.netfilter.org
Subject: Re: Redhat 8.0 with Iptables and Cisco 2514
Date: Wed, 8 Jan 2003 03:31:33 -0500 [thread overview]
Message-ID: <200301080331.33543.netfilter@newkirk.us> (raw)
In-Reply-To: <se1b0154.064@butchers.com>
On Tuesday 07 January 2003 04:32 pm, JUSTIN GERRY wrote:
> Trying to figure out why, when I enable the firewall on my cisco
> (which is a state checking firewall) and I have my iptables (also
> state checking) firewall enabled on my redhat box I can not establish
> a connection with with my website (either website one as I have two
> interfaces and I am using apache to host both)
>
> It almost seems as if the cisco is destroying the incoming connection
> (probably the outgoing response because I can see people connecting to
> my box) before my box has a chance to send out a response.
>
> If I run no firewall on my redhat box and leave the firewall up on my
> cisco then you can access my website normally.
What about the reverse? If the cisco's firewalling is disabled, but
iptables in use, can you connect?
> If anyone has had this problem please let me know.
>
> FYI, my simple firewall test:
>
> F1="eth0"
> IF2="eth1"
> IP2="xxx" #(real ip address hidden)
> IP1="xxx" #(real ip address hidden)
> UNPRIVPORTS="1024:65535"
>
> iptables -F
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -p tcp --sport $UNPRIVPORTS \
> --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
If the answer above is "it works", then what if you loosen the NEW rule
in INPUT? Try:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
with the cisco's firewall enabled. If this fails, I suspect the cisco's
configuration is blocking outbound replies, so you'd have to dig there.
A quick test with logging in INPUT and OUTPUT chains would tell you if
the request is actually reaching your machine, and being responded to
properly. Just add a log rule at the start and the end of each of those
two chains, with distinct '--log-prefix' strings, and make sure you log
from the first and ONLY the first one in each chain. The first log
tells you it hits the chain, the second that it hits the DROP policy.
j
> Many thanks,
> Justin
prev parent reply other threads:[~2003-01-08 8:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-01-07 21:32 Redhat 8.0 with Iptables and Cisco 2514 JUSTIN GERRY
2003-01-08 8:31 ` Joel Newkirk [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200301080331.33543.netfilter@newkirk.us \
--to=netfilter@newkirk.us \
--cc=JGERRY@butchers.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.