* Netfilter problem
From: MT @ 2003-06-20 23:31 UTC
To: NetFilter
I have an RH 7.1 box which has iptables v1.2.5. I've set up my rc.firewall script and started testing it. Lo and behold, I couldn't ssh into the box, although I could ssh out. Nor could I ping the box. After many attempts and playing around with the code, I boiled it down to the following:
#!/bin/bash
# Interface and address variables referenced below.  The posted excerpt did
# not define them; the values here are placeholders (assumed for this
# listing, using RFC 5737 documentation addresses) and must be replaced with
# the real interface names and addresses.  If they are left unset, every
# ACCEPT rule below expands to a malformed command (e.g. "-i -j ACCEPT"),
# iptables refuses it, and only the DROP policies take effect.
LOOPBACK_INTERFACE="lo"          # loopback interface
INTERNET="eth0"                  # interface facing the Internet
IPADDR="198.51.100.7"            # this host's address on $INTERNET
MY_ISP="203.0.113.0/24"          # trusted hosts allowed to ping us
CONNECTION_TRACKING=1
# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
# Don't set nat and mangle tables to DROP unless
# you know what you're doing
# nat
# iptables -t nat --policy PREROUTING DROP
# iptables -t nat --policy OUTPUT DROP
# iptables -t nat --policy POSTROUTING DROP
# mangle
# iptables -t mangle --policy PREROUTING DROP
# iptables -t mangle --policy OUTPUT DROP
# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
###############################################################
# Set traffic on the loopback interface to unlimited
iptables -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
iptables -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT
###############################################################
# allow incoming pings from trusted hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p icmp \
        -s "$MY_ISP" --icmp-type echo-request -d "$IPADDR" \
        -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i "$INTERNET" -p icmp \
    -s "$MY_ISP" --icmp-type echo-request -d "$IPADDR" -j ACCEPT
# ... and let our echo replies back out, since the OUTPUT policy is DROP
iptables -A OUTPUT -o "$INTERNET" -p icmp \
    -s "$IPADDR" --icmp-type echo-reply -d "$MY_ISP" -j ACCEPT
###############################################################
exit 0
As it stands, I still can't ping the box. As soon as I bring down the firewall I can ping again.
Here's what lsmod yields:
Module            Size   Used by
ipt_state          576   1  (autoclean)
iptable_mangle    1728   0  (autoclean) (unused)
iptable_nat      13904   0  (autoclean) (unused)
iptable_filter    1728   0  (autoclean) (unused)
ip_tables        11168   6  [ipt_state iptable_mangle iptable_nat iptable_filter]
ip_conntrack_ftp  3376   0  (unused)
ip_conntrack     13360   3  [ipt_state iptable_nat ip_conntrack_ftp]
via-rhine        10784   1  (autoclean)
ide-cd           26976   0
cdrom            27456   0  [ide-cd]
I hope this is enough information. Thanks.
Mark
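One thing the boiled-down script above never does is assign LOOPBACK_INTERFACE, INTERNET, MY_ISP or IPADDR. If those are also empty when the full rc.firewall runs, each ACCEPT rule expands to something like "iptables -A INPUT -i -j ACCEPT", which iptables refuses, and the three DROP policies are all that remain: no loopback, no ping, no inbound ssh. The archived thread does not confirm that this is what happened, so the script below is an added example, not part of Mark's post or of the netfilter project. It dry-runs the loopback and ICMP rules from the post with a shell function standing in for the iptables binary (so it needs neither root nor a netfilter kernel), counts the rules in which a variable expanded to nothing, and shows a pre-flight check that refuses to load a ruleset with unset variables. The interface names and addresses at the end are assumed example values.

```sh
#!/bin/sh
# Added example (not from the original post): dry-run the loopback and ICMP
# rules of the boiled-down rc.firewall and detect variables that expanded to
# nothing. The shell function below shadows the iptables binary, so nothing
# here needs root or touches the kernel.

# Stand-in for /sbin/iptables: print the argument vector it would have seen.
iptables() { printf 'iptables %s\n' "$*"; }

# The rules from the post that depend on the four interface/address variables,
# written as the post wrote them (unquoted expansions).
build_rules() {
    iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A INPUT -i $INTERNET -p icmp \
        -s $MY_ISP --icmp-type echo-request -d $IPADDR -j ACCEPT
    iptables -A OUTPUT -o $INTERNET -p icmp \
        -s $IPADDR --icmp-type echo-reply -d $MY_ISP -j ACCEPT
}

# Count generated rules in which a single-letter option is immediately
# followed by another option (e.g. "-i -j"): the signature of an empty
# variable expansion. grep -c prints 0 on no match but exits 1, hence || true.
count_malformed() {
    build_rules | grep -cE -- ' -[A-Za-z] -' || true
}

# Pre-flight check: succeed only if every variable the ruleset needs is
# non-empty; otherwise name the missing ones on stderr and fail, so a wrapper
# can refuse to load a ruleset that would amount to "DROP everything".
check_vars() {
    missing=""
    for v in LOOPBACK_INTERFACE INTERNET MY_ISP IPADDR; do
        eval "val=\${$v}"
        [ -n "$val" ] || missing="$missing $v"
    done
    if [ -n "$missing" ]; then
        echo "rc.firewall: unset variables:$missing" >&2
        return 1
    fi
    return 0
}

# Demonstration: first with the variables unset, as in the posted excerpt,
# then with assumed example values (RFC 5737 documentation addresses).
echo "--- variables unset:"
check_vars || echo "malformed rules: $(count_malformed)"
build_rules

LOOPBACK_INTERFACE="lo"            # assumed
INTERNET="eth0"                    # assumed
MY_ISP="203.0.113.0/24"            # assumed
IPADDR="198.51.100.7"              # assumed
echo "--- variables set:"
check_vars && echo "malformed rules: $(count_malformed)"
build_rules
```

With the variables unset, all four generated rules are malformed; with them set, none is. On the box itself, `iptables -L -n -v` shows each chain's policy and per-rule packet counters, so pings that increment the INPUT policy counter while the echo-request ACCEPT rule stays at zero (or is missing from the listing altogether) point at the same cause. Putting `set -u` near the top of a bash rc.firewall makes the script abort on the first unset variable rather than loading a half-built ruleset.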
Thread overview: 2+ messages
2003-06-20 23:31 Netfilter problem MT
2003-06-19 23:50 Netfilter problem MT