From: Mark Tessier <mt@open2web.com>
To: netfilter@lists.samba.org
Subject: script particularities
Date: Wed, 10 Jul 2002 14:41:09 -0400
Message-ID: <20020710144109.5448cc69.mt@open2web.com>
Is there anyone out there who has deployed the choke firewall script found in chapter 6 of R. Ziegler's book "Linux Firewalls"? I have been trying to get this script to work with zero success. Furthermore, there are things about this script that don't make sense to me, such as in the section named "# allow outgoing pings to anywhere". In this section you have the following rule:
iptables -A FORWARD -o $DMZ_INTERFACE -p icmp \
--icmp-type echo-request -s $LAN_ADDRESSES \
-m state --state NEW -j ACCEPT
My question is, where is the rule for allowing incoming responses to those pings? I've looked around in the script and can't find it, which is not to say that it isn't there.
Second mystery: You find the following at the beginning of the script, where the environment variables are initialized:
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
This is all typical of what you'd find in most scripts, but the fact is in this script, that's the last time CLASS_A, CLASS_B, etc are mentioned. In other words, there's no rule specific to denying packets coming from a CLASS_A private network. Why would one initialize a CLASS_A variable if it's never going to be used, I wonder? Is there some other rule used in this script that makes using a rule specifically denying access to packets coming from a CLASS_A private network obsolete?
Finally, I use the following rule:
iptables -L FORWARD -v -x
to see where an icmp or tcp packet gets dropped. This way, I at least have a vague idea where to start fixing my script. But in my case, all counters remain steadfastly at zero, no matter how many packets die trying to get through. This makes me wonder whether iptables is working at all, or partially working since maybe I neglected to modprobe certain modules.
Anyway, I'd be happy to hear from someone who knows this script and its particularities.
Thanks,
Mark
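As an added example (not from the post, the list replies, or Ziegler's book): a small parser for the counter listing the post uses for debugging, `iptables -L FORWARD -v -x` (with `-n` added to avoid name lookups). The sample listing is constructed; the point it demonstrates is that packets which fall through every rule are counted only on the chain's `policy` line, so if the rule counters and the policy counter are all zero, the traffic is not traversing FORWARD at all.

```python
import re

# Constructed sample of `iptables -L FORWARD -v -x -n` output (not from the post).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     icmp --  *      eth1    192.168.1.0/24       0.0.0.0/0            icmptype 8 state NEW
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}

def _count(tok):
    """Parse a counter: -x gives exact integers, without it iptables abbreviates (12K)."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)

def parse_chain(text):
    """Parse one chain listing into its policy counters and per-rule counters."""
    lines = text.strip().splitlines()
    m = CHAIN_RE.match(lines[0])
    if not m:
        raise ValueError("expected a chain header with policy counters (needs -v)")
    chain = {"name": m.group(1), "policy": m.group(2),
             "policy_pkts": int(m.group(3)), "policy_bytes": int(m.group(4)), "rules": []}
    for line in lines[2:]:  # lines[1] is the column header
        f = line.split()
        if len(f) < 9:
            continue
        chain["rules"].append({"pkts": _count(f[0]), "bytes": _count(f[1]), "target": f[2],
                               "prot": f[3], "in": f[5], "out": f[6], "source": f[7],
                               "destination": f[8], "match": " ".join(f[9:])})
    return chain

def diagnose(chain):
    """Say what the counters reveal about where packets went."""
    hits = [r for r in chain["rules"] if r["pkts"] > 0]
    if hits:
        return "rules-hit"        # at least one rule matched; inspect those rules
    if chain["policy_pkts"] > 0:
        return "policy-only"      # packets fell through every rule to the chain policy
    # Nothing counted anywhere: traffic never traversed this chain (e.g. IP forwarding
    # is off, or the packets are for the firewall itself and go through INPUT instead).
    return "no-traffic"

if __name__ == "__main__":
    c = parse_chain(SAMPLE)
    print(c["name"], c["policy"], diagnose(c))
    for r in c["rules"]:
        print(f'{r["pkts"]:>8} {r["target"]:<7} {r["prot"]:<5} {r["match"]}')
```

Feed it the real listing with `parse_chain(subprocess.check_output(["iptables", "-L", "FORWARD", "-v", "-x", "-n"], text=True))`.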
Thread overview: 3+ messages
2002-07-10 18:41 Mark Tessier [this message]
2002-07-10 19:11 ` script particularities Jan Humme
2002-07-10 19:23 ` Ramin Alidousti