From: MT <mt@open2web.com>
To: NetFilter <netfilter@lists.netfilter.org>
Subject: Netfilter problem
Date: Thu, 19 Jun 2003 19:50:20 -0400
Message-ID: <20030619195020.3d3da7d7.mt@open2web.com>
I have a RH 7.1 box which has iptables v1.2.5. I set up my rc.firewall script and started testing it. Lo and behold, I couldn't ssh into the box, although I could ssh out. I couldn't ping the box either. After many attempts and playing around with the code, I boiled it down to the following:
#!/bin/bash
# The interface and address variables used below are never assigned in
# the script as posted, so each one expands to an empty string and the
# rule commands that reference them are malformed. The values here are
# placeholders; set them for your own host.
LOOPBACK_INTERFACE="lo"
INTERNET="eth0"            # external interface
IPADDR="192.0.2.10"        # this host's address on $INTERNET
MY_ISP="192.0.2.0/24"      # trusted source range for pings
CONNECTION_TRACKING=1
# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
# Don't set nat and mangle tables to DROP unless
# you know what you're doing
# nat
# iptables -t nat --policy PREROUTING DROP
# iptables -t nat --policy OUTPUT DROP
# iptables -t nat --policy POSTROUTING DROP
# mangle
# iptables -t mangle --policy PREROUTING DROP
# iptables -t mangle --policy OUTPUT DROP
# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
###############################################################
# Set traffic on the loopback interface to unlimited
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
###############################################################
# allow incoming pings from trusted hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i $INTERNET -p icmp \
        -s $MY_ISP --icmp-type echo-request -d $IPADDR \
        -m state --state NEW -j ACCEPT
fi
# Stateless fallback; when connection tracking is on this rule makes
# the one above redundant, since it matches the same echo-requests.
iptables -A INPUT -i $INTERNET -p icmp \
    -s $MY_ISP --icmp-type echo-request -d $IPADDR -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p icmp \
    -s $IPADDR --icmp-type echo-reply -d $MY_ISP -j ACCEPT
###############################################################
exit 0
As it stands, I still can't ping the box. As soon as I bring down the firewall I can ping again.
Here's what lsmod yields:
Module Size Used by
ipt_state 576 1 (autoclean)
iptable_mangle 1728 0 (autoclean) (unused)
iptable_nat 13904 0 (autoclean) (unused)
iptable_filter 1728 0 (autoclean) (unused)
ip_tables 11168 6 [ipt_state iptable_mangle iptable_nat iptable_filter]
ip_conntrack_ftp 3376 0 (unused)
ip_conntrack 13360 3 [ipt_state iptable_nat ip_conntrack_ftp]
via-rhine 10784 1 (autoclean)
ide-cd 26976 0
cdrom 27456 0 [ide-cd]
I hope this is enough information. Thanks.
Mark
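Added example, not part of Mark's script: the failure mode above is that the default policies are set to DROP first, and any rule whose interface or address variable is empty then fails to load, leaving the box with DROP policies and no ACCEPT rules. The script below (names `require_vars` and `gen_rules`, and the placeholder interface and address values, are assumptions) refuses to emit a ruleset while any variable is unset, and writes the filter table in iptables-restore format so it can be reviewed before it is applied.

```shell
#!/bin/sh
# Placeholder values (constructed for this example); set them for the host.
LOOPBACK_INTERFACE="${LOOPBACK_INTERFACE:-lo}"
INTERNET="${INTERNET:-eth0}"
IPADDR="${IPADDR:-192.0.2.10}"
MY_ISP="${MY_ISP:-192.0.2.0/24}"

# Return 1 and name the first empty variable, so that an unset $INTERNET
# can never turn "-i $INTERNET -j ACCEPT" into the broken "-i -j ACCEPT".
require_vars() {
  for name in "$@"; do
    eval "val=\${$name}"
    if [ -z "$val" ]; then
      printf 'rc.firewall: variable %s is not set\n' "$name" >&2
      return 1
    fi
  done
  return 0
}

# Emit the filter table in iptables-restore(8) format. Nothing is applied
# here; once reviewed, the output can be fed to iptables-restore, which
# loads the whole table atomically instead of rule by rule.
gen_rules() {
  require_vars LOOPBACK_INTERFACE INTERNET IPADDR MY_ISP || return 1
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
-A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
-A INPUT -i $INTERNET -p icmp -s $MY_ISP -d $IPADDR --icmp-type echo-request -m state --state NEW -j ACCEPT
-A OUTPUT -o $INTERNET -p icmp -s $IPADDR -d $MY_ISP --icmp-type echo-reply -j ACCEPT
COMMIT
EOF
}
```

Running `gen_rules` with every variable set prints the table; unsetting any one of them makes it exit non-zero with the variable's name on stderr, before any rule reaches the kernel.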