From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@vger.kernel.org
Subject: Re: Proxy Filter iptable Settings
Date: Sat, 30 Apr 2011 11:50:41 -0500
Message-ID: <20110430165041.GN2976@cardinal>
In-Reply-To: <1304150575.1579.15.camel@andybev>
On Sat, Apr 30, 2011 at 09:02:55AM +0100, Andrew Beverley wrote:
> On Thu, 2011-04-28 at 16:43 -0500, Mike Hendrie wrote:
> > All users can get to Google and do searches just fine. I am
> > having funny issues with a couple of applications.
> >
> > I do not understand why I am having the below issues. Could this
> > be because of the iptables?
>
> Probably, although I would say more accurately because of UFW.
> It's quite difficult to diagnose problems with automatically
> generated iptables rules.
Indeed, and users of such rulesets should be asking elsewhere (at the
provider of the ruleset) for support.
> I would say you are better off disabling UFW, and starting with
> just the rules you need to get everything working:
Yes, but iptables-restore(8) is the recommended means to apply a
ruleset.
> # Flush all tables
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t filter -F
>
> # Set the default policy to ACCEPT:
> iptables -P PREROUTING ACCEPT
The default table, filter, does not have a PREROUTING chain.
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P POSTROUTING ACCEPT
The default table, filter, does not have a POSTROUTING chain.
> # Enable packet forwarding:
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Setup NAT:
> iptables -t nat -A POSTROUTING -o $ext_IF -j MASQUERADE
>
> Once that works, you can then start blocking ports.
>
> > - There is FileMaker application that uses ports 5000 - 5005 to
> > connect to an external server that cannot find the external server.
> > ??StatefulNAT translation.??
>
> Looking at the following website, you'll need to allow more than just
> those ports:
>
> http://sixfriedrice.com/wp/filemaker-firewall/
>
> But, as above, get the firewall working with all ports open, and
> then start closing them.
Otherwise I agree with what you have said.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
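The points made in this exchange, written out as an added example that is not part of the thread and not code from any of its participants: a NAT-gateway ruleset in iptables-restore(8) format, the mechanism rob0 recommends over a sequence of iptables(8) calls. The nat table is where PREROUTING and POSTROUTING live; the filter table has only INPUT, FORWARD and OUTPUT, which is why the two `-P` lines rob0 flags fail against the default table. It goes one step past Andrew's "everything open" starting point to the usual first locked-down baseline: connections the LAN initiates are forwarded and their replies are matched statefully, unsolicited inbound traffic is dropped. Interface names (eth0, eth1), the LAN prefix (192.168.1.0/24) and the SSH-from-LAN rule are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a NAT-gateway ruleset in
# iptables-restore(8) format, applied atomically. Interface names, the LAN
# prefix and the SSH rule are assumptions; adjust them to the real host.
EXT_IF="${EXT_IF:-eth0}"             # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"             # assumed: LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed: LAN prefix behind the gateway

# Emit the complete ruleset. Each table is its own "*table ... COMMIT" block
# and ":CHAIN POLICY [0:0]" sets the chain policy. PREROUTING/POSTROUTING
# exist only in the nat (and mangle) tables, not in filter.
ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving the external interface.
-A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the gateway itself: loopback, replies to its own connections,
# and SSH from the LAN side only (assumed).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# Routed traffic: whatever the LAN initiates may go out; only replies to it
# come back. Outbound application ports such as FileMaker's 5000-5005 to an
# external server need no extra rule here, since the LAN side opens them.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Load the ruleset. iptables-restore replaces every listed table in one
# step, so a typo cannot leave the kernel with a half-applied policy.
apply_ruleset() {
	command -v iptables-restore >/dev/null 2>&1 || {
		echo "iptables-restore not found" >&2
		return 1
	}
	# --test parses the whole file without touching the kernel.
	ruleset | iptables-restore --test || return 1
	# Forwarding is a sysctl, not an iptables rule; persist it separately
	# in /etc/sysctl.conf or /etc/sysctl.d/.
	sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
	ruleset | iptables-restore
}

# "sh gateway.sh" prints the ruleset for review; "sh gateway.sh apply"
# (as root) loads it.
case "${1-}" in
	apply) apply_ruleset ;;
	*)     ruleset ;;
esac
```

Review the printed output first; `iptables-save` after loading shows exactly this layout, so the file and the running state can be diffed. Ports that later need closing go into the FORWARD chain above the final LAN-to-external ACCEPT, and anything inbound from the Internet to an internal host needs both a nat DNAT rule and a matching FORWARD ACCEPT.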