From: David Busby <busby@edoceo.com>
To: netfilter@lists.netfilter.org
Subject: Re: --policy DROP kills everything?
Date: Thu, 09 Jun 2005 13:59:20 -0700
Message-ID: <42A8ADA8.5000008@edoceo.com>
In-Reply-To: <Pine.LNX.4.62.0506091515190.14790@dgray-test.acs.internap.com>

Damon Gray wrote:
> David,
>     Sorry, but all I can suggest is getting rid of the -i eth0 on the 
> port 22 and port 80 rules because you won't be able to connect from lo0 
> with that. You also don't need the --state NEW rule for ssh either; 
> your allow anything to port 22 will be enough for that and anything 
> destined for port 22. And also (like someone else suggested) put the 
> --state ESTABLISHED,RELATED at the top. Other than that your rules look 
> correct to me. Is there anything in any of the other tables? Like if you 
> do an iptables -t nat -nvL or -t mangle? What kernel are you running?
> 
> Sorry I couldn't be of more help.
> 
> -Damon-
> 

I appreciate all the help this list is providing. It seems very odd to me, and it's nice to know it's also confusing to
others ;)  I've got no other tables, no nat, no mangle (I didn't even build those modules).  I moved EST,REL to the top;
it was last while I was testing.  I'm still in the same state: my established traffic is OK but NEW (tcp/udp) is not.  I'm
using kernel 2.6.10-gentoo-r6, so it's vanilla with gentoo patches.  I've fetched 2.6.11-gentoo-r9 and am currently
building it; I'll try my rules with it.

I also tried getting rid of the interface parameter rules, no help.  I tried getting rid of the destination IP rules, no go.
I ended up with this very loose setup:

imperium syslog-ng # iptables -nv -L
Chain INPUT (policy DROP 43 packets, 3392 bytes)
  pkts bytes target     prot opt in     out     source               destination
     6   312 ACCEPT     all  --  *      *       127.0.0.0/8          0.0.0.0/0
  4067 3419K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
     3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    43  3392 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3270 packets, 277K bytes)
  pkts bytes target     prot opt in     out     source               destination

But I still cannot connect :(  My TCP and UDP traffic is still dead.  Do I need to enable something in /proc?  This
machine isn't forwarding or being a router; the rules are only to protect this single host.  I've unloaded and reloaded
the kernel modules, no go.

(time passes)

Rebooted with the 2.6.11-gentoo-r9 kernel, set my firewall rules and presto!
Everything is working perfectly with the above rules.
I then went through and tightened the rules to be more specific, and it's all still working perfectly.
Glad that's over, thanks to everyone who helped out!

/djb
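As an added illustration (not part of the thread or anyone's posted code), a small Python checker that parses the `iptables -nv -L` listing above and flags the things this thread turns on: a missing loopback ACCEPT, a RELATED,ESTABLISHED rule placed below the per-port rules, and per-port ACCEPT rules that never match while the DROP policy counter keeps climbing (the symptom reported here, which turned out to be kernel-side). It assumes the listing contains only built-in chains with a policy line, and the handling of abbreviated counters (K/M/G) is an assumption about iptables' output.

```python
import re

# Constructed sample: the INPUT chain from the `iptables -nv -L` listing in the message above.
SAMPLE = """\
Chain INPUT (policy DROP 43 packets, 3392 bytes)
  pkts bytes target     prot opt in     out     source               destination
     6   312 ACCEPT     all  --  *      *       127.0.0.0/8          0.0.0.0/0
  4067 3419K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    43  3392 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")

def _count(s):
    # iptables -v abbreviates big counters (3419K); assumption: K/M/G are decimal multipliers
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_chains(text):
    """Parse `iptables -nvL` output into {chain: {policy, policy_pkts, rules}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = {"policy": m.group(2), "policy_pkts": int(m.group(3)), "rules": []}
            chains[m.group(1)] = cur
        elif cur is not None and line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split()  # pkts bytes target prot opt in out source destination [matches]
            cur["rules"].append({"pkts": _count(f[0]), "target": f[2], "src": f[7],
                                 "extra": " ".join(f[9:])})
    return chains

def audit_input(chains):
    """Return findings about rule order and counters in a stateful host firewall's INPUT chain."""
    ch = chains["INPUT"]; rules, findings = ch["rules"], []
    if not any(r["target"] == "ACCEPT" and r["src"].startswith("127.") for r in rules):
        findings.append("no loopback ACCEPT rule")
    est = [i for i, r in enumerate(rules) if "ESTABLISHED" in r["extra"]]
    ports = [i for i, r in enumerate(rules) if "dpt:" in r["extra"]]
    if not est:
        findings.append("no RELATED,ESTABLISHED rule")
    elif ports and est[0] > ports[0]:
        findings.append("RELATED,ESTABLISHED rule sits below per-port rules; move it to the top")
    # The thread's symptom: per-port ACCEPT rules never match while the policy keeps dropping
    never_hit = [rules[i]["extra"] for i in ports if rules[i]["pkts"] == 0]
    if ch["policy_pkts"] and never_hit:
        findings.append("%d packets hit the DROP policy while these ACCEPT rules matched nothing: %s"
                        % (ch["policy_pkts"], ", ".join(never_hit)))
    return findings
```

Run `audit_input(parse_chains(open("listing.txt").read()))` on a saved listing; an empty list means the ordering checks pass and nothing is being silently dropped by the policy.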
