From: Jean-Christian Imbeault <jc@mega-bucks.co.jp>
To: netfilter@lists.netfilter.org
Subject: Newbie: need help with table rules
Date: Fri, 14 Feb 2003 15:49:59 +0900
Message-ID: <3E4C9197.6000806@mega-bucks.co.jp>

I've written my first set of iptables rules but they're still buggy =) I 
keep locking myself out. So I'm trying to enable logging to see why I 
can't SSH to my box, but I can't seem to get logging to work.

I have set the default policy to DROP and added only ACCEPT rules, so 
nothing gets DROPPED or REJECTED before making it to the last (logging) 
rule. The last rule should LOG anything that didn't match ... but I 
can't find any iptables entries in /var/log/messages ...

Two questions:

#1 Why isn't logging working?
#2 What is wrong with my rules? :)


My network setup is like this:


LAN ---- FIREWALL ---- WAN
  |          |
  |          |
JC        LINUX

I don't control the Firewall. But its settings are fine, I think, since I 
can connect from JC <-> LINUX just fine. But if I try my iptables rules I 
lock myself out.

The services I'd like to allow access to are:

HTTP, HTTPS, SMTP, DNS from anywhere and
SSH from JC --> LINUX

My rules are:

IPT="/usr/local/sbin/iptables"
LINUX="x.x.x.x"
JC="x.x.x.x"

for i in filter
do
   $IPT -t $i -F
   $IPT -t $i -X
done

$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  DROP
$IPT --policy FORWARD DROP

# Loopback accepts everything
$IPT -A INPUT  -i lo   -j ACCEPT
$IPT -A OUTPUT -o lo   -j ACCEPT

# Allow all other icmp
$IPT -A INPUT  -p icmp -j ACCEPT

# Allow previously established connections
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED        -j ACCEPT

# HTTP, HTTPS
$IPT -A INPUT  -p TCP -s 0/0 -i eth0 -d $LINUX --dport 80  -j ACCEPT
$IPT -A INPUT  -p TCP -s 0/0 -i eth0 -d $LINUX --dport 443 -j ACCEPT

# SSH FROM JC --> LINUX
$IPT -A INPUT  -p TCP -s $JC -i eth0 -d $LINUX --dport 22  -j ACCEPT

# SMTP
$IPT -A INPUT  -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst 10 -j ACCEPT
$IPT -A INPUT  -p tcp --dport 25 -j ACCEPT

# DNS
$IPT -A INPUT  -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT  -p udp --dport 53 -j ACCEPT

# LOG anything that didn't get accepted ...
$IPT -A INPUT  -p tcp --syn -m limit --limit 5/minute -j LOG --log-level debug --log-prefix "Firewalled packet:"

My /etc/syslog.conf has this entry to send all debug messages to 
/var/log/firewall:

kern.debug /var/log/firewall

Yet even when I telnet to my machine I don't see any iptables related 
messages ...

What did I miss to get logging enabled? (and if anyone can spot why I 
can't SSH to my box from my PC (JC) please let me know ;)

Thanks,

Jc
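An added example, not part of the original post: a small Python model of the INPUT chain exactly as posted above, used to trace which packets reach the LOG rule before the DROP policy applies. It assumes every packet is addressed to LINUX on eth0, and it ignores conntrack and the `-m limit` rate limits; the JC address is a constructed stand-in for the poster's x.x.x.x.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dport: Optional[int] = None
    syn: bool = False          # True for a TCP packet with only SYN set (what --syn matches)
    iface: str = "eth0"        # input interface, as matched by -i

JC = "198.51.100.7"            # constructed stand-in for the poster's x.x.x.x

# The posted INPUT rules, in append order: (name, match predicate, target).
# -d $LINUX is assumed true for every packet; the two SMTP rules collapse to one
# because the second accepts anything to port 25 regardless of --syn or limit.
INPUT_RULES = [
    ("lo",      lambda p: p.iface == "lo",                                                  "ACCEPT"),
    ("icmp",    lambda p: p.proto == "icmp",                                                "ACCEPT"),
    ("http",    lambda p: p.proto == "tcp" and p.iface == "eth0" and p.dport == 80,         "ACCEPT"),
    ("https",   lambda p: p.proto == "tcp" and p.iface == "eth0" and p.dport == 443,        "ACCEPT"),
    ("ssh-jc",  lambda p: p.proto == "tcp" and p.iface == "eth0" and p.dport == 22
                          and p.src == JC,                                                  "ACCEPT"),
    ("smtp",    lambda p: p.proto == "tcp" and p.dport == 25,                               "ACCEPT"),
    ("dns-tcp", lambda p: p.proto == "tcp" and p.dport == 53,                               "ACCEPT"),
    ("dns-udp", lambda p: p.proto == "udp" and p.dport == 53,                               "ACCEPT"),
    # The posted LOG rule only matches TCP packets with --syn set.
    ("log",     lambda p: p.proto == "tcp" and p.syn,                                       "LOG"),
]

def walk_input(pkt: Packet):
    """Return (verdict, logged): the first terminating target, else the chain's DROP policy.
    LOG is non-terminating, so a logged packet keeps walking and ends at the policy."""
    logged = False
    for _name, match, target in INPUT_RULES:
        if not match(pkt):
            continue
        if target == "LOG":
            logged = True
            continue
        return target, logged
    return "DROP", logged

if __name__ == "__main__":
    for pkt in (Packet("tcp", JC, 22, syn=True),              # SSH from JC: accepted
                Packet("tcp", "203.0.113.9", 22, syn=True),   # SSH SYN from elsewhere: dropped AND logged
                Packet("udp", "203.0.113.9", 123),            # UDP to another port: dropped silently
                Packet("tcp", "203.0.113.9", 8080, syn=False)):  # non-SYN TCP: dropped silently
        print(pkt, "->", walk_input(pkt))
```

Only TCP SYNs ever produce a log line under this chain; every UDP packet and every non-SYN TCP segment that misses an ACCEPT rule is dropped by the policy with no trace in the log.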


