* trying to get one blessed thing to work
From: Mark Tessier @ 2002-07-08 16:32 UTC (permalink / raw)
To: Netfilter Mailing List
I have a PC running rh7.1., which I'm trying to turn into a firewall. The firewall stands between a DMZ and a LAN. I have an elaborate script which I've been trying to deploy, but so far no luck. Since I really don't know where to begin in terms of diagnosing my problem, I decided to see if I could just ping one machine on the DMZ from another on the LAN.
The first thing I did was to set the policy to drop for the forward chain as in:
iptables --policy FORWARD DROP
Next, I tried to open one door on the forward chain, allowing icmp packets of the echo request type to ping any other machine as in:
iptables -A FORWARD -o eth0 -p icmp --icmp-type echo-request -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
The result is, it doesn't work.
If I do a lsmod I get what I think are the relevant modules that should allow state tracking to work (I haven't included the others):
ip_conntrack 23088 3 [ipt_state ip_conntrack_ftp iptable_nat]
ip_tables 14016 [ipt_state iptables_mangle iptables_filter iptables_nat]
Any recommendations are appreciated.
--
Thanks,
Mark
* Re: trying to get one blessed thing to work
From: riffraff @ 2002-07-08 16:48 UTC (permalink / raw)
To: Netfilter Mailing List
---------- Original Message ----------------------------------
From: Mark Tessier <mt@open2web.com>
Date: Mon, 8 Jul 2002 12:32:23 -0400
>The first thing I did was to set the policy to drop for the forward chain as in:
>
>iptables --policy FORWARD DROP
>
>Next, I tried to open one door on the forward chain, allowing icmp packets of the echo request type to ping any other machine as in:
>
>iptables -A FORWARD -o eth0 -p icmp --icmp-type echo-request -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
>
>The result is, it doesn't work.
>
No, it won't. You aren't letting the return packet of echo-reply back through. I would do it with this:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
You could add the interface and protocol if you'd like.
>Thanks,
>
>Mark
>
>
lance
* Re: trying to get one blessed thing to work
From: Jan Humme @ 2002-07-08 16:56 UTC (permalink / raw)
To: Mark Tessier, Netfilter Mailing List
On Monday 08 July 2002 18:32, Mark Tessier wrote:
> I have a PC running rh7.1., which I'm trying to turn into a firewall. The
> firewall stands between a DMZ and a LAN. I have an elaborate script which
> I've been trying to deploy, but so far no luck. Since I really don't know
> where to begin in terms of diagnosing my problem, I decided to see if I
> could just ping one machine on the DMZ from another on the LAN.
>
> The first thing I did was to set the policy to drop for the forward chain
> as in:
>
> iptables --policy FORWARD DROP
=> Response on my machine (and yours) is:
iptables v1.2.1a: Unknown arg '--policy'
Try 'iptables -h` or 'iptables --help' for more information.
Suppose you mean:
#iptables -P FORWARD DROP ?
> Next, I tried to open one door on the forward chain, allowing icmp packets
> of the echo request type to ping any other machine as in:
>
> iptables -A FORWARD -o eth0 -p icmp --icmp-type echo-request -s
> 192.168.0.0/24 -m state --state NEW -j ACCEPT
Assuming that this line properly reflects your network configuration, you may
also want to allow the reply to come in:
#iptables -A FORWARD -i eth0 -p icmp --icmp-type echo-reply -d 192.168.0.0/24 -j ACCEPT
In general though, one good way to debug is to look at the firewall machine,
and use:
=> iptables -Z FORWARD to clear counter
=> do your ping
=> run iptables -L -v -x to inspect counters to see which rule(s) matched and
caused your packets to be dropped.
=> also tcpdump may help
Jan Humme.
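As an added example (not code from the thread), the script below combines riffraff's ESTABLISHED,RELATED fix with Jan's counter-inspection loop, and adds a small parser for "iptables -L FORWARD -v -x -n" output that is run over a constructed listing of Mark's original single-rule setup. It assumes the LAN is 192.168.0.0/24 and the DMZ is reached through eth0, as in the posts.

```shell
# Added example, not code from the thread: stateful FORWARD rules for the
# LAN->DMZ ping case plus a helper that reports which rule counted packets.
# Assumptions: LAN is 192.168.0.0/24 and the DMZ is reached via eth0, as posted.
IPT=${IPT:-iptables}
LAN_NET=192.168.0.0/24
DMZ_IF=eth0
# Rule set as text so it can be reviewed before loading. The ESTABLISHED,RELATED
# rule is what lets the echo-reply back in; it goes first so every reply hits it.
forward_rules() {
    cat <<EOF
-P FORWARD DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $DMZ_IF -p icmp --icmp-type echo-request -s $LAN_NET -m state --state NEW -j ACCEPT
EOF
}
# Load the rules (needs root and the ip_conntrack/ipt_state modules).
apply_rules() {
    $IPT -F FORWARD
    forward_rules | while read -r line; do
        $IPT $line   # word splitting of $line into arguments is intended
    done
}
# Read "iptables -L FORWARD -v -x -n" output on stdin; print each rule whose
# packet counter is non-zero, then the chain policy with its own drop counter.
report_counters() {
    awk '
        /^Chain/  { sub(/^Chain [A-Z]+ \(policy /, ""); sub(/ packets.*/, ""); policy = $0; next }
        /^ *pkts/ { next }
        $1 > 0    { printf "matched %s packets: %s %s", $1, $3, $4
                    for (i = 10; i <= NF; i++) printf " %s", $i
                    print "" }
        END       { print "policy " policy }
    '
}
# Constructed listing (not real output) for the original rule set, which had
# only the NEW rule: four echo-requests were accepted, four echo-replies
# fell through to the DROP policy. That is the symptom Mark reported.
sample_listing() {
    cat <<'EOF'
Chain FORWARD (policy DROP 4 packets, 336 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4        336 ACCEPT     icmp --  *      eth0    192.168.0.0/24       0.0.0.0/0            icmp type 8 state NEW
EOF
}
# Debug loop from the thread on a live box:
#   iptables -Z FORWARD; ping -c 4 <dmz-host>; iptables -L FORWARD -v -x -n | report_counters
diagnose_sample() { sample_listing | report_counters; }
```

A non-zero policy counter with no matching ACCEPT for the reply direction is the signature to look for; once the ESTABLISHED,RELATED rule is in place the replies are counted on that rule instead.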
* Re: trying to get one blessed thing to work
From: Adam D. Barratt @ 2002-07-08 17:23 UTC (permalink / raw)
To: Netfilter Mailing List
Jan Humme wrote:
> On Monday 08 July 2002 18:32, Mark Tessier wrote:
[...]
> > The first thing I did was to set the policy to drop for the forward chain
> > as in:
> >
> > iptables --policy FORWARD DROP
>
> => Response on my machine (and yours) is:
> iptables v1.2.1a: Unknown arg '--policy'
> Try 'iptables -h` or 'iptables --help' for more information.
Not on a 1.2.6a (or any version I've ever used) it's not. If you enter
iptables --policy
without any arguments, then you'll get that error. Enter the line as
quoted and it'll work perfectly.
> Suppose you mean:
> #iptables -P FORWARD DROP ?
RTFM. -P is shorthand for --policy, as iptables --help would quickly
have shown.
Adam
From: Jan Humme @ 2002-07-08 17:25 UTC (permalink / raw)
To: Mark Tessier, Netfilter Mailing List
On Monday 08 July 2002 18:56, Jan Humme wrote:
> On Monday 08 July 2002 18:32, Mark Tessier wrote:
> > I have a PC running rh7.1., which I'm trying to turn into a firewall. The
> > firewall stands between a DMZ and a LAN. I have an elaborate script which
> > I've been trying to deploy, but so far no luck. Since I really don't know
> > where to begin in terms of diagnosing my problem, I decided to see if I
> > could just ping one machine on the DMZ from another on the LAN.
> >
> > The first thing I did was to set the policy to drop for the forward chain
> > as in:
> >
> > iptables --policy FORWARD DROP
>
> => Response on my machine (and yours) is:
> iptables v1.2.1a: Unknown arg '--policy'
> Try 'iptables -h` or 'iptables --help' for more information.
Nonsense.
Please accept my sincere and humble apologies: of course your syntax is OK.
Jan Humme.
From: Jan Humme @ 2002-07-08 17:30 UTC (permalink / raw)
To: Adam D. Barratt, Netfilter Mailing List
On Monday 08 July 2002 19:23, Adam D. Barratt wrote:
> Jan Humme wrote:
> > On Monday 08 July 2002 18:32, Mark Tessier wrote:
>
> [...]
>
> > > The first thing I did was to set the policy to drop for the forward chain
> > > as in:
> > >
> > > iptables --policy FORWARD DROP
> >
> > => Response on my machine (and yours) is:
> > iptables v1.2.1a: Unknown arg '--policy'
> > Try 'iptables -h` or 'iptables --help' for more information.
>
> Not on a 1.2.6a (or any version I've ever used) it's not. If you enter
>
> iptables --policy
>
> without any arguments, then you'll get that error. Enter the line as
> quoted and it'll work perfectly.
>
> > Suppose you mean:
> > #iptables -P FORWARD DROP ?
>
> RTFM. -P is shorthand for --policy, as iptables --help would quickly
> have shown.
Thank you.
I deserved and needed to hear that.
Jan Humme.