From mboxrd@z Thu Jan 1 00:00:00 1970
From: "David H. Askew"
Subject: RE: firewall host problem
Date: Sun, 19 Oct 2003 22:01:37 -0500
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <1066618897.2317.11.camel@lappy>
References: <1066614589.2282.3.camel@lappy> <1147.192.168.111.123.1066615354.squirrel@mail.linknet-solutions.com>
In-Reply-To: <1147.192.168.111.123.1066615354.squirrel@mail.linknet-solutions.com>
To: netfilter users mailing list

This is the line I added .. thank you for your suggestion anyway

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

On Sun, 2003-10-19 at 21:02, Josh Berry wrote:
> You are only allowing port 22 for input, you have to allow related traffic
> back. Something like:
>
> iptables -A FORWARD -p tcp -i -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
>
> > I thought about that too.. but
> >
> > This output seems to indicate a default policy of ACCEPT on the OUTPUT
> > chain. I've not yet formulated a set of rules to handle outbound
> > traffic.
> >
> > iptables -L .. partial output ...
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > or .. am I missing your point ?
> >
> > On Sun, 2003-10-19 at 20:44, Mark E. Donaldson wrote:
> >> David - Where are your OUTPUT chain rules? If you want to ping (or
> >> anything else) your ISP gateway from the firewall itself, you need
> >> rules in your OUTPUT chain to permit this. If your OUTPUT default
> >> policy is set to DROP, then all packets generated by your firewall
> >> are being dropped.
> >>
> >> -----Original Message-----
> >> From: David H. Askew [mailto:daskew2@kc.rr.com]
> >> Sent: Sunday, October 19, 2003 2:44 PM
> >> To: netfilter@lists.netfilter.org
> >> Subject: firewall host problem
> >>
> >> ok .. so I'm trying to set up my first iptables firewall .. and I've got
> >> a semi functional setup so far ... but I do have one small problem .. my
> >> firewall machine .. which is performing NAT for my home network .. cannot
> >> access the Internet with any standard tools ... tracepath .. ping ..
> >> etc. I know network connectivity is fine .. because my internal
> >> machines function properly.
> >>
> >> My router/firewall has 3 interfaces ....
> >> eth0: ISP
> >> eth1: Home Subnet 1
> >> eth2: Home Subnet 2
> >>
> >> eth2 can ping my ISP gateway
> >> eth1 can ping my ISP gateway
> >> eth0 can not ping my ISP gateway
> >>
> >> my firewall script is below ...
> >>
> >> I've recently switched from an ACCEPT default policy to the DROP default
> >> policy below. I didn't have this problem previously, so I know I've
> >> just forgotten to allow something .. but I'm having trouble coming to a
> >> logical conclusion ....
> >>
> >> ...any help .. critique ... advice you could provide would be helpful
> >>
> >> -dave
> >>
> >> iptables --flush
> >> iptables --table nat --flush
> >> iptables --delete-chain
> >> iptables --table nat --delete-chain
> >>
> >> # Enable packet forwarding in the kernel
> >> echo 1 > /proc/sys/net/ipv4/ip_forward
> >>
> >> # Setup IP FORWARDing and Masquerading
> >> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> >> iptables --append FORWARD --in-interface eth1 -j ACCEPT
> >> iptables --append FORWARD --in-interface eth2 -j ACCEPT
> >>
> >> # enable connection tracking
> >> iptables -I FORWARD -m state --state INVALID -j DROP
> >> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>
> >> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> >> iptables -A INPUT -p udp -i eth0 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> >>
> >> iptables -A INPUT -p tcp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> >> iptables -A INPUT -p udp -i eth2 -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> >>
> >> iptables -P INPUT DROP
> >>
> >> --
> >> How many Microsoft engineers does it take to change a light bulb ?
> >>
> >> Answer : None, they just declare darkness a new standard.
> >>
>
> Thanks,
> Josh Berry, CTO
> LinkNet-Solutions
> 469-831-8543
> josh.berry@linknet-solutions.com
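The thread above hinges on one detail of netfilter semantics: the reply to a ping sent from the firewall itself arrives on the INPUT chain with conntrack state ESTABLISHED (and the ICMP errors tracepath relies on arrive as RELATED), so with `-P INPUT DROP` and only `--dport 22` accept rules it is silently dropped, even though OUTPUT's policy is ACCEPT. The following is an added example, not code from the list thread or from the netfilter project: a small first-match chain evaluator that models David's posted INPUT rules beside the chain with his added `RELATED,ESTABLISHED` line. The packets, interface names and conntrack states are constructed sample input; the `Packet`, `Rule` and `Chain` classes are this example's own and do not run real iptables.

```python
"""Model netfilter's first-match INPUT chain with the conntrack state match.

Added example for the "firewall host problem" thread; not the poster's
script and not netfilter code. The conntrack state on each packet is
supplied as constructed input (in the kernel it comes from the conntrack
table: the outgoing echo request creates the entry, the echo reply then
matches it as ESTABLISHED, ICMP errors about it are RELATED).
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str            # interface the packet arrived on (-i)
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port, None for icmp
    state: str               # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    """One iptables rule; a None field means that match is not specified."""
    target: str                                  # ACCEPT or DROP
    proto: Optional[str] = None                  # -p
    in_iface: Optional[str] = None               # -i
    dport: Optional[int] = None                  # --dport
    states: Optional[FrozenSet[str]] = None      # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str                                  # -P verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:        # iptables -A
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        # netfilter walks the chain top to bottom; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def original_input_chain() -> Chain:
    """INPUT chain as posted: SSH on eth0 and eth2 accepted, policy DROP."""
    chain = Chain(policy="DROP")
    for iface in ("eth0", "eth2"):
        for proto in ("tcp", "udp"):
            chain.append(Rule("ACCEPT", proto=proto, in_iface=iface, dport=22))
    return chain


def fixed_input_chain() -> Chain:
    """Same chain plus the line David added at the top of his reply."""
    chain = original_input_chain()
    chain.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    return chain


# Constructed packets as seen by the firewall's own INPUT chain.
PING_REPLY_FROM_GATEWAY = Packet("eth0", "icmp", None, "ESTABLISHED")  # reply to the firewall's ping
TTL_EXCEEDED_FROM_HOP = Packet("eth0", "icmp", None, "RELATED")        # what tracepath waits for
NEW_SSH_FROM_WAN = Packet("eth0", "tcp", 22, "NEW")
NEW_SSH_FROM_SUBNET1 = Packet("eth1", "tcp", 22, "NEW")                # eth1 has no INPUT rule
UNSOLICITED_UDP_FROM_WAN = Packet("eth0", "udp", 53, "NEW")


def compare(pkt: Packet) -> Tuple[str, str]:
    """Verdict under the posted chain and under the chain with the added rule."""
    return original_input_chain().verdict(pkt), fixed_input_chain().verdict(pkt)


if __name__ == "__main__":
    for name, pkt in [("ping reply", PING_REPLY_FROM_GATEWAY),
                      ("ttl exceeded", TTL_EXCEEDED_FROM_HOP),
                      ("new ssh eth0", NEW_SSH_FROM_WAN),
                      ("new ssh eth1", NEW_SSH_FROM_SUBNET1),
                      ("unsolicited udp", UNSOLICITED_UDP_FROM_WAN)]:
        before, after = compare(pkt)
        print(f"{name:16s} posted chain: {before:6s} with state rule: {after}")
```

Running it shows the two chains differ only for reply traffic: the echo reply and the RELATED ICMP error go from DROP to ACCEPT, while unsolicited NEW packets are still dropped by the policy. It also makes visible something the posted script implies but the thread never states: neither chain accepts a new SSH connection arriving on eth1, because the posted rules only name eth0 and eth2.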