From: "Gáspár Lajos" <swifty@freemail.hu>
To: Gopinath <gopinath.u@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Default deny rule
Date: Fri, 11 May 2007 12:09:08 +0200	[thread overview]
Message-ID: <464440C4.7000605@freemail.hu> (raw)
In-Reply-To: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com>

Gopinath wrote:
> Good day everyone,
> I am very new to this list. I am running FC3 and want to convert my
> server to act as firewall, which does static NAT. I had set up
> everything and it works fine in simulation. But the only thing is I am
> not able to make restrictions in the FORWARD chain. The basic
> functionality of a firewall, the DEFAULT DENYING FUNCTIONALITY, is
> missing in my firewall. I tried to make it by applying a DROP policy to
> the FORWARD chain & also appending a default DROP rule to the end of
> the FORWARD chain. But when I do so, all the packets were getting
> dropped at the firewall. I have pasted my firewall script below. I
> have enabled the ip_conntrack & iptable_nat modules during bootup.
>
> OS: Fedora Core 3
> IPtables Version: v1.2.11
It is kind of old... :D
>
> # Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
> *filter
> :INPUT ACCEPT [364:57615]
> :FORWARD ACCEPT [1:52]
> :OUTPUT ACCEPT [211:18044]
The DEFAULT DENYING FUNCTIONALITY is achieved by using these commands:
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
> -A INPUT -s 10.44.x.x -p icmp -j ACCEPT
> -A INPUT -s 10.44.x.x -p icmp -j ACCEPT
> -A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.1.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
> -A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
> -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Fri Apr 27 08:16:21 2007
> # Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
> *nat
> :PREROUTING ACCEPT [289:55706]
> :POSTROUTING ACCEPT [77:6468]
> :OUTPUT ACCEPT [77:6468]
> -A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
> -A PREROUTING -d 10.1.x.x. -i eth0 -j DNAT --to-destination 10.44.x.x
> -A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
> -A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
> COMMIT
> # Completed on Fri Apr 27 08:16:21 2007
>
> Output of iptables -nv -L
>
> Chain INPUT (policy ACCEPT 73 packets, 13040 bytes)
>
> pkts bytes target prot opt in out source destination
> 501 30228 ACCEPT icmp -- * * 10.44.x.x 0.0.0.0/0
> 8648 576K ACCEPT tcp -- * * 10.44.x.x 0.0.0.0/0 tcp dpt:22
> 52464 9344K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
>
> Chain FORWARD (policy ACCEPT 68 packets, 5648 bytes)
>
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
> 0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
> 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
There is no packet that matches your rules....
What are these destinations : 10.44.x.x ???
Do you mean 10.44.0.0/16 ???

fw1:~# whois 10.44.0.0
...
NetRange:   10.0.0.0 - 10.255.255.255
CIDR:       10.0.0.0/8
NetName:    RESERVED-10
NetHandle:  NET-10-0-0-0-1
Parent:
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated:    2002-09-12

>
> Chain OUTPUT (policy ACCEPT 10236 packets, 1175K bytes)
> pkts bytes target prot opt in out source destination
>
> Any help would be highly appreciated.
>
> Thanks & Regards,
> Gopinath.U
>
>
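As an added illustration (not code from this thread or from either poster), a complete default-deny ruleset for the eth0 (outside) / eth1 (inside) static-NAT layout Gopinath describes, built around the three policy commands in the reply; the IP addresses and the published port 80 are placeholders standing in for the masked 10.1.x.x / 10.44.x.x values.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny ruleset for the
# eth0 (outside) / eth1 (inside) static-NAT layout described in the post.
# IP values are placeholders standing in for the masked 10.1.x.x / 10.44.x.x.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
PUBLIC_IP=${PUBLIC_IP:-10.1.0.10}     # placeholder for the public 10.1.x.x
SERVER_IP=${SERVER_IP:-10.44.0.10}    # placeholder for the internal 10.44.x.x

# Emit the commands rather than run them, so the ruleset can be reviewed
# (or piped to sh) and the generator exercised without root or iptables.
build_rules() {
    cat <<EOF
iptables -t filter -F
iptables -t nat -F
# default deny on every filter chain
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# loopback for local services, stateful return traffic on every chain
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# admin SSH to the firewall itself, from the inside only
iptables -A INPUT -i $INT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# inside hosts may open connections towards the outside
iptables -A FORWARD -i $INT_IF -o $EXT_IF -m state --state NEW -j ACCEPT
# outside may open only the published TCP port of the DNATed server;
# FORWARD sees the post-DNAT address, so match on $SERVER_IP, not $PUBLIC_IP
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER_IP -p tcp --dport 80 -m state --state NEW -j ACCEPT
# static 1:1 NAT between the public address and the inside server
iptables -t nat -A PREROUTING -i $EXT_IF -d $PUBLIC_IP -j DNAT --to-destination $SERVER_IP
iptables -t nat -A POSTROUTING -o $EXT_IF -s $SERVER_IP -j SNAT --to-source $PUBLIC_IP
EOF
}

# Number of iptables commands emitted (comment lines excluded).
rule_count() { build_rules | grep -c '^iptables'; }

# Apply only when explicitly requested and running as root.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ]; then
    build_rules | sh
fi
```

After applying, `iptables -nvL FORWARD` should show the counters of the two NEW rules and the RELATED,ESTABLISHED rule increasing as traffic flows; if only the policy counter moves, no rule is matching, which is the symptom in the quoted output.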