default policy

All of lore.kernel.org
 help / color / mirror / Atom feed

* default policy
@ 2003-08-26  8:35 Payal Rathod
  2003-08-25  8:59 ` Ralf Spenneberg
  0 siblings, 1 reply; 8+ messages in thread
From: Payal Rathod @ 2003-08-26  8:35 UTC (permalink / raw)
  To: netfilter

Hi,
I am trying a routing firewall which will route internal machines to
internet as well as redirect machines from outside to 1 ftp server
inside.

But I am not able to get even the first part working.
I use policy as default on FORWARD and,

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

$IPTABLES -A INPUT -p tcp -s 0/0  --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0  --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT

$IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 0 -j ACCEPT

When I make FORWARD POLICY as ACCEPT it works, but not when I make it
to DROP? Is there any bad rule anywhere?
Is the MASQUERADE rule ok? (Traffic is coming form 2 interfaces).
Is the ESTABLISHED,RELATED rule ok and at right position?

Please help me in this.
Thanks a lot and bye.
With warm regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: default policy
  2003-08-26  8:35 default policy Payal Rathod
@ 2003-08-25  8:59 ` Ralf Spenneberg
  2003-08-25 14:56   ` Payal Rathod
  0 siblings, 1 reply; 8+ messages in thread
From: Ralf Spenneberg @ 2003-08-25  8:59 UTC (permalink / raw)
  To: Payal Rathod; +Cc: Netfilter

Am Die, 2003-08-26 um 10.35 schrieb Payal Rathod:
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
> 
> $IPTABLES -t nat -A POSTROUTING -j MASQUERADE
> 
> $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
> 
> When I make FORWARD POLICY as ACCEPT it works, but not when I make it
> to DROP? Is there any bad rule anywhere?
Yes, apply masquerading only to the external interface, like
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
If 125.125.125.0 is your internal ip-range you should be able to browse
to:
http://217.160.128.61
But since you do not allow any DNS traffic you can't resolve any
hostnames.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: default policy
  2003-08-25  8:59 ` Ralf Spenneberg
@ 2003-08-25 14:56   ` Payal Rathod
  0 siblings, 0 replies; 8+ messages in thread
From: Payal Rathod @ 2003-08-25 14:56 UTC (permalink / raw)
  To: Ralf Spenneberg; +Cc: Netfilter

On Mon, Aug 25, 2003 at 10:59:42AM +0200, Ralf Spenneberg wrote:
> Am Die, 2003-08-26 um 10.35 schrieb Payal Rathod:
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -P FORWARD DROP
> > 
> > $IPTABLES -t nat -A POSTROUTING -j MASQUERADE
> > 
> > $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
> > $IPTABLES -A FORWARD -s 125.125.125.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
> > 
> > When I make FORWARD POLICY as ACCEPT it works, but not when I make it
> > to DROP? Is there any bad rule anywhere?
> Yes, apply masquerading only to the external interface, like
> $IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Both the ips are connected to real world. One is connected to the ISDN
router (internal ip) and the other to lease line.
Some people use ISDN route some lease line route.
I have 1 default gateway for each interface.
Is this OK?

> If 125.125.125.0 is your internal ip-range you should be able to browse
> to:
> http://217.160.128.61
> But since you do not allow any DNS traffic you can't resolve any
> hostnames.
> 

Yes I releasied that. I have added tcp and udp for dns too.
Waiting for the mail.
With regards,
-Payal

-- 
For GNU/Linux Success Stories and Articles visit:
          http://payal.staticky.com


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Default policy
@ 2002-12-21 13:16 system
  2002-12-21 13:28 ` Rob Sterenborg
  2002-12-21 18:12 ` Giorgio Zarrelli
  0 siblings, 2 replies; 8+ messages in thread
From: system @ 2002-12-21 13:16 UTC (permalink / raw)
  To: iptables

[-- Attachment #1: Type: text/plain, Size: 645 bytes --]

Hi All,

Following is the policy that my firewall generation script gives, but my system hangs when i execute this, I am using ssh to execute this script. I am opening all other required ports. When I comment the last two lines my script works fine.

******Script*******

#Set default policies to DROP 

$IPTABLES -F INPUT 
$IPTABLES -F OUTPUT 
$IPTABLES -F FORWARD 
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP 
$IPTABLES -P FORWARD DROP

# Rejecting all Packets

#$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
#$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp -j DROP

Can anyone help me.

thanks in advance.

Regards,


[-- Attachment #2: Type: text/html, Size: 1541 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: Default policy
  2002-12-21 13:16 Default policy system
@ 2002-12-21 13:28 ` Rob Sterenborg
  2002-12-21 18:12 ` Giorgio Zarrelli
  1 sibling, 0 replies; 8+ messages in thread
From: Rob Sterenborg @ 2002-12-21 13:28 UTC (permalink / raw)
  To: iptables

> Following is the policy that my firewall generation script
> gives, but my system hangs when i execute this, I am using
> ssh to execute this script. I am opening all other required
> ports. When I comment the last two lines my script works fine.
>
> ******Script*******
>
> #Set default policies to DROP
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>

This ok.
This will drop everything you didn't ACCEPT or REJECT or something.

> # Rejecting all Packets
>
> #$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
> #$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp -j DROP

If you have this in front of the other rules, nothing will reach the
other rules and you just killed (not only) your ssh connection. Not
even on lo (127.0.0.1).
You already have default policy DROP : just put in the ACCEPT and
other rules you need.


Rob



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Default policy
  2002-12-21 13:16 Default policy system
  2002-12-21 13:28 ` Rob Sterenborg
@ 2002-12-21 18:12 ` Giorgio Zarrelli
  1 sibling, 0 replies; 8+ messages in thread
From: Giorgio Zarrelli @ 2002-12-21 18:12 UTC (permalink / raw)
  To: system; +Cc: netfilter

On Saturday 21 December 2002 14:16, you wrote:

> Hi All,
>
> Following is the policy that my firewall generation script gives, but my
> system hangs when i execute this, I am using ssh to execute this script. I
> am opening all other required ports. When I comment the last two lines my
> script works fine.
>
> ******Script*******
>
> #Set default policies to DROP
>
> $IPTABLES -P INPUT DROP
>
> # Rejecting all Packets
>
> #$IPTABLES -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
> #$IPTABLES -A INPUT -s 0/0 -d 0/0 -p tcp -j DROP

Ssh hangs because you drop all packets on tcp from and to everywhere.. So, 
your connection to the server is being cut. But policies like yours make no 
sens.

Regards

Giorgio Zarrelli


^ permalink raw reply	[flat|nested] 8+ messages in thread

* default policy
@ 2002-11-01  3:58 Rob
  2002-11-01 23:22 ` Robert P. J. Day
  0 siblings, 1 reply; 8+ messages in thread
From: Rob @ 2002-11-01  3:58 UTC (permalink / raw)
  To: Netfilter

I have been looking at several scripts checking the default policies on
them.
Some include items that others don't.  Oscars tutorial doesn't cover all of
these compared to Ziegler's book.  I have been wondering if the following
covers ALL built-in chains?
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP

Ziegler's book states that it should be this (it was never put in these
words but this is what I am gathering from my reading):
iptables -t nat    -P PREROUTING  DROP
iptables -t nat    -P OUTPUT      DROP
iptables -t nat    -P POSTROUTING DROP
iptables -t mangle -P PREROUTING  DROP
iptables -t mangle -P OUTPUT      DROP
iptables -t filter -P INPUT       DROP
iptables -t filter -P OUTPUT      DROP
iptables -t filter -P FORWARD     DROP

The last seems to be the most thorough but i cant find anywhere that covers
this in detail.
Are these all of the built-in chains?

Robert Wideman

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: default policy
  2002-11-01  3:58 default policy Rob
@ 2002-11-01 23:22 ` Robert P. J. Day
  0 siblings, 0 replies; 8+ messages in thread
From: Robert P. J. Day @ 2002-11-01 23:22 UTC (permalink / raw)
  To: netfilter mailing list

On Thu, 31 Oct 2002, Rob wrote:

> I have been looking at several scripts checking the default policies on
> them.
> Some include items that others don't.  Oscars tutorial doesn't cover all of
> these compared to Ziegler's book.  I have been wondering if the following
> covers ALL built-in chains?
> iptables -P INPUT   DROP
> iptables -P OUTPUT  DROP
> iptables -P FORWARD DROP

nope, only for the filter table.
 
> Ziegler's book states that it should be this (it was never put in these
> words but this is what I am gathering from my reading):
> iptables -t nat    -P PREROUTING  DROP
> iptables -t nat    -P OUTPUT      DROP
> iptables -t nat    -P POSTROUTING DROP
> iptables -t mangle -P PREROUTING  DROP
> iptables -t mangle -P OUTPUT      DROP
> iptables -t filter -P INPUT       DROP
> iptables -t filter -P OUTPUT      DROP
> iptables -t filter -P FORWARD     DROP

while this is missing the newer chains in the mangle table, the
bigger issue is what it even means to put DROP policies on chains
in the nat and mangle tables.

apparently, it's legal -- i tried it and it took the policy
assignment.  i just have no idea what it means to do this.

rday



^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2003-08-26  8:35 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-08-26  8:35 default policy Payal Rathod
2003-08-25  8:59 ` Ralf Spenneberg
2003-08-25 14:56   ` Payal Rathod
  -- strict thread matches above, loose matches on Subject: below --
2002-12-21 13:16 Default policy system
2002-12-21 13:28 ` Rob Sterenborg
2002-12-21 18:12 ` Giorgio Zarrelli
2002-11-01  3:58 default policy Rob
2002-11-01 23:22 ` Robert P. J. Day

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.