From: "Gáspár Lajos" <swifty@freemail.hu>
To: warpme <warpme@o2.pl>
Cc: piotr.oniszczuk@aster.pl, netfilter@lists.netfilter.org
Subject: Re: error - but I don't know where....
Date: Tue, 14 Aug 2007 13:02:25 +0200
Message-ID: <46C18BC1.3010600@freemail.hu>
In-Reply-To: <42a76351.4ca18173.46c17ceb.6b792@o2.pl>
warpme wrote:
> Hi *
>
> I just try setup firewall. Config is following:
>
> Desktop Firewall
> (192.168.1.1) ------Eth0 Eth1(91.189.74.10)---------ISP
>
> Script below is working OK for all LAN hosts, but not for the firewall PC itself (I tested it with e.g. ping www.ibm.com)
> Commenting out line "iptables -P INPUT DROP" allows pinging from the firewall, but it effectively turns off the firewall....
> It is probably a simple error - but I can't find where it is...
> Can somebody verify this script and tell me what is wrong ?
>
> thx in advance
>
>
> #Config area BEGIN--------------------------------------------------------------
>
> LAN_intf=eth0
> LAN_subnetwork=192.168.1.0/255.255.255.0
>
> WAN_intf=eth1
> WAN_ip=91.189.74.10
>
> Open_WAN_TCP_ports=20,21,80,500,1352,4500
> Open_WAN_UDP_ports=500,1352,4500,5060
> Open_WAN_RTP_port_range=7070:7080
>
>
> #Config area END----------------------------------------------------------------
>
>
>
>
> #--Flushing all iptables tables-------------------------------------------------
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
>
>
>
> #--Setting up SNAT for outgoing to WAN DATA connections------------------------
> iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j SNAT --to-source $WAN_ip
I would write like this:
iptables -t nat -A POSTROUTING ! -s $WAN_ip -o $WAN_intf -j SNAT --to-source $WAN_ip
>
> #--Allowing self access by loopback interface----------------------------------
> iptables -A INPUT -i lo -p all -j ACCEPT
>
>
"-p all" is not needed... And I would rather set up the OUTPUT rule than
the INPUT rule because the "lo" interface only accepts connections from
itself... if a new connection is made then the first step is to send OUT
something to the other host... :D
iptables -A OUTPUT -o lo -j ACCEPT
>
> #--Allowing local access to LAN------------------------------------------------
> iptables -A INPUT -i $LAN_intf -p all -j ACCEPT
>
>
no need for "-p all"
>
> #--Allowing WAN incoming traffic from already established connections----------
> iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> #--Allowing WAN incoming traffic for desired services--------------------------
> #Open WAN TCP ports
> iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport $Open_WAN_TCP_ports -j ACCEPT
>
> #Open WAN UDP ports
> iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport $Open_WAN_UDP_ports -j ACCEPT
>
> #Open VoIP UDP port ranges
> iptables -A INPUT -p udp -i $WAN_intf --dport $Open_WAN_RTP_port_range -j ACCEPT
>
>
For "ping" you need the following line:
iptables -A INPUT -p icmp -j ACCEPT
> #--Drop all other incoming connection. Only above will be allowed-------------
> iptables -P INPUT DROP
>
>
>
>
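The quoted script with the reply's three changes applied (SNAT on `! -s $WAN_ip`, an OUTPUT rule for lo, and an ICMP accept), as an added example that is not part of the thread. It assumes the interface names and addresses from the quoted config area, and `IPT` defaults to printing the commands instead of running them so the ruleset can be reviewed before loading. It also expands `$WAN_intf` in the ESTABLISHED,RELATED rule (the quoted script has the bare word `WAN_intf` there) and adds a check that every interface named after `-i`/`-o` actually exists, because iptables does not verify that when a rule is added.

```shell
#!/bin/sh
# Added example, not the original poster's script. Set IPT=iptables to apply
# for real; by default the commands are only printed for review.
IPT="${IPT:-echo iptables}"

# Values taken from the quoted config area (assumed to match the real host).
LAN_intf=eth0
WAN_intf=eth1
WAN_ip=91.189.74.10
Open_WAN_TCP_ports=20,21,80,500,1352,4500
Open_WAN_UDP_ports=500,1352,4500,5060
Open_WAN_RTP_port_range=7070:7080

build_rules() {
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
    $IPT -t mangle -F; $IPT -t mangle -X
    # SNAT everything leaving the WAN interface that is not already sourced from WAN_ip
    $IPT -t nat -A POSTROUTING ! -s "$WAN_ip" -o "$WAN_intf" -j SNAT --to-source "$WAN_ip"
    # Loopback in both directions; the reply points out OUTPUT is the one that matters
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_intf" -j ACCEPT
    # Replies to the firewall's own outbound traffic (note the expanded $WAN_intf)
    $IPT -A INPUT -i "$WAN_intf" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -p tcp -i "$WAN_intf" -m multiport --dport "$Open_WAN_TCP_ports" -j ACCEPT
    $IPT -A INPUT -p udp -i "$WAN_intf" -m multiport --dport "$Open_WAN_UDP_ports" -j ACCEPT
    $IPT -A INPUT -p udp -i "$WAN_intf" --dport "$Open_WAN_RTP_port_range" -j ACCEPT
    $IPT -P INPUT DROP
}

# Pre-load check: $1 = ruleset text, $2 = space-separated names of real interfaces
# (e.g. from "ip -o link"). Returns 1 on the first -i/-o operand that is not in the list,
# which catches a typo such as "-i WAN_intf" that iptables would otherwise accept.
check_ifaces() {
    known=" $2 "
    prev=""
    for tok in $1; do
        if [ "$prev" = "-i" ] || [ "$prev" = "-o" ]; then
            case "$known" in
                *" $tok "*) ;;
                *) echo "unknown interface in ruleset: $tok" >&2; return 1 ;;
            esac
        fi
        prev=$tok
    done
    return 0
}
```

Run `check_ifaces "$(build_rules)" "$(ip -o link | awk -F': ' '{print $2}' | tr '\n' ' ')"` on the firewall before switching `IPT` to the real binary.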
2007-08-14 9:59 error - but I don't know where warpme
2007-08-14 11:02 ` Gáspár Lajos [this message]
2007-08-15 12:38 ` Warpme