From: Warpme <warpme@o2.pl>
To: "Gáspár Lajos" <swifty@freemail.hu>, netfilter@lists.netfilter.org
Subject: Re: error - but I don't know where....
Date: Wed, 15 Aug 2007 14:38:06 +0200 [thread overview]
Message-ID: <46C2F3AE.2020505@o2.pl> (raw)
In-Reply-To: <46C18BC1.3010600@freemail.hu>
[-- Attachment #1: Type: text/plain, Size: 4467 bytes --]
Gaspar,
Thanx for trying help !
It looks like I found problem. Probably somewhere in file was non-ASCII
chars which are not visible in my editor and causing problem.
I rewrite manually script and now works as expected :-)
I also change little bit approach: default policy for FORWARD chain is
now DROP.
I'm allowing forwarding only new connections from LAN to WAN and accept
only already established
connections from WAN to LAN:
iptables -A FORWARD -i $WAN_intf -o $LAN_intf -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_intf -o $WAN_intf -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
BTW: I have some comments to Your hints (see inline):
br
Gáspár Lajos wrote:
> warpme írta:
>> Hi *
>>
>> I just try setup firewall. Config is following:
>>
>> Desktop Firewll (192.168.1.1) ------Eth0
>> Eth1(91.189.74.10)---------ISP
>>
>> Script below is working OK for all LAN hosts, but not for for
>> firewall PC itself (i tested it with i.e. ping www.ibm.com)
>> Commenting line "iptables -P INPUT DROP" allows to ping from
>> firewall, but it effectivelly turning off firewall....
>> It is probably simple error - but I can't find where it is...
>> Can somebody verify thid script and tell me what is wrong ?
>>
>> thx in advance
>>
>> #Config area
>> BEGIN--------------------------------------------------------------
>>
>> LAN_intf=eth0
>> LAN_subnetwork=192.168.1.0/255.255.255.0
>>
>> WAN_intf=eth1
>> WAN_ip=91.189.74.10
>>
>> Open_WAN_TCP_ports=20,21,80,500,1352,4500
>> Open_WAN_UDP_ports=500,1352,4500,5060
>> Open_WAN_RTP_port_range=7070:7080
>>
>>
>> #Config area
>> END----------------------------------------------------------------
>>
>>
>>
>>
>> #--Flushing all iptables
>> tables-------------------------------------------------
>> iptables -F
>> iptables -X iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>>
>>
>>
>>
>> #--Setting up SNAT for outgoing to WAN DATA
>> connections------------------------
>> iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j
>> SNAT --to-source $WAN_ip
> I would write like this:
>
> iptables -t nat -A POSTROUTING ! -s $WAN_ip -o $WAN_intf -j SNAT
> --to-source $WAN_ip
I'm understand advantage of such approach is that any non WAN_ip host
will be NAT'ed. But for non-LAN addressed hosts it will require
additional entries in routing table for packets received from WAN and
destinated to LAN host. Effectively it will require touch to firewall
- and by this I'm considering this as no beneficial.
>> #--Allowing self access by loopback
>> interface----------------------------------
>> iptables -A INPUT -i lo -p all -j ACCEPT
>>
>>
> "-p all" not needed... And I would rather set up the OUTPUT rule than
> the INPUT rule because the "lo" interface only accepts connections
> from itself... if a new connection is made then first step is to send
> OUT something to the other host... :D
> iptables -A OUTPUT -o lo -j ACCEPT
Well, default iptables policy for all chains is ACCEPT, so this rule is
redundant.
>
>>
>> #--Allowing local access to
>> LAN------------------------------------------------
>> iptables -A INPUT -i $LAN_intf -p all -j ACCEPT
>>
>>
> no need for "-p all"
Right !
>
>>
>> #--Allowing WAN incoming traffic form already established
>> connections----------
>> iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j
>> ACCEPT
>>
>>
>> #--Allowing WAN incoming traffic for desired
>> services--------------------------
>> #Open WAN TCP ports
>> iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport
>> $Open_WAN_TCP_ports -j ACCEPT
>>
>> #Open WAN UDP ports
>> iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport
>> $Open_WAN_UDP_ports -j ACCEPT
>>
>> #Open VoIP UDP port ranges
>> iptables -A INPUT -p udp -i $WAN_intf --dport
>> $Open_WAN_RTP_port_range -j ACCEPT
>>
>>
> For "ping" you need the following line:
> iptables -A INPUT -p icmp -j ACCEPT
Well - it is not needed when only outgoing pings are allowed (my case).
I think incoming pings should be rather disabled - it will help to
protect host from potential DoS via ping flood.
>> #--Drop all other incoming connection. Only above will be
>> allowed-------------
>> iptables -P INPUT DROP
>>
>>
>>
>
>
>
prev parent reply other threads:[~2007-08-15 12:38 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-14 9:59 error - but I don't know where warpme
2007-08-14 11:02 ` Gáspár Lajos
2007-08-15 12:38 ` Warpme [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46C2F3AE.2020505@o2.pl \
--to=warpme@o2.pl \
--cc=netfilter@lists.netfilter.org \
--cc=swifty@freemail.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.