From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: FORWARD -P DROP + allow MSN
Date: Thu, 16 Apr 2009 12:10:05 +0200
Message-ID: <49E703FD.80100@chello.at>
In-Reply-To: <49E6FAB3.90304@lab.vectoris.fr>

Mihamina Rakotomandimby (R12y) wrote:
> Hi,
> These are my current rules:
> http://lab.vectoris.fr/projects/vectoris/browser/IPTables/trunk/firewall
> (It's a big mess yet because I'm missing one feature: MSN. I'll clean it
> up later)
>
> The box it's running on is the gateway of the LAN to the Internet.
>
> As you noticed, FORWARD is DROP by default.
>
> I would like to allow MSN to my LAN users.
>
> The problem:
> If I "FORWARD -P ACCEPT", MSN works for the LAN users.
>
> If I use it as it is now, MSN doesn't work.
>
> Anyway, when setting the MSN LAN clients to use HTTP, it's OK with 
> this config.
>
> Any tips?
> Thank you.
>
> PS: no comments on the crappy Facebook DROP ;-).

Hello,

First let me spend a few words on your current ruleset:

- The whole forwarding is stateless!
I strongly suggest changing that.
Allow those ports for your LAN with something like this:
iptables -A FORWARD -i $WAN -o $LAN -d $ACCEPTED_MACHINE \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

This is the general 'allow all back in, which is tracked by the state
machine' match.
Now your ports:
iptables -A FORWARD -i $LAN -o $WAN -s $ACCEPTED_MACHINE -p tcp \
    -m multiport --dports x,y,z... -m state --state NEW,ESTABLISHED -j ACCEPT

[...]
Maybe the same thing for your $ACCEPTED_PORT in the INPUT chain.

- Don't allow all icmp. Do you want your firewall to accept icmp 
redirects? Guess not...

- I will say something about the Facebook drop:
$IPT -A INPUT   -p tcp -i $LAN         --destination  $IP_FACEBOOK -j DROP
is completely unnecessary. It will never match, unless your box holds a
Facebook host's IP.

Now, let me think about the MSN thing. Personally I never used it, and
don't know what configuration it may need. I didn't try to look it up now either.
But, one thing I noticed:
You REDIRECT all port 80 traffic to the local port 3128. HTTP proxy I
guess...
Now MSN uses all those ports and, as it looks, port 80.
If port 80 traffic now goes over the HTTP proxy and the rest of the
traffic does not, that may cause the MSN applications to fail.
How about a socks proxy for MSN? I just guess client applications will 
have such a feature. In that case, your socks proxy does all the work, 
and you only have to open that port on the inside of the lan.

Hope it helps...

greets

Mart

