Linux Netfilter discussions
From: David Busby <busby@edoceo.com>
To: netfilter@lists.netfilter.org
Subject: Re: --policy DROP kills everything?
Date: Thu, 09 Jun 2005 11:21:56 -0700
Message-ID: <42A888C4.20006@edoceo.com>
In-Reply-To: <Pine.LNX.4.60.0506091359050.9191@darkstar.sysinfo.com>

R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> We found that in a 1:1 nat setup the policy for the forward chain has to 
> be accept or traffic will not flow.
> 
> Thanks,
> 
> Ron DuFresne

My box only has rules in the INPUT chain, doesn't do IP forwarding/routing at all.
I have these rules below:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

And cannot make new connections to port 22 or port 80, I see it in the logs.
An existing ssh connection will stay if I connect with no rules then run iptables-restore.
This seems totally odd to me.  The UDP traffic is also blocked.  Everyone is telling me that these rules should work, 
new connections should be allowed and such but it's not the case.  Here's what my modules look like:

imperium root # lsmod
Module                  Size  Used by
ipt_LOG                 6272  1
ipt_state               1472  1
ip_conntrack           39860  1 ipt_state
iptable_filter          2944  1
ip_tables              16320  3 ipt_LOG,ipt_state,iptable_filter

So everything looks loaded OK too, but it's not working, I even added these rules:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

But still cannot make a new connection to port 22 or 80, what gives?  What do I try now?

/djb
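
An added example, not code from the poster or from the netfilter project: a small Python first-match simulator that parses the `iptables -L -n` listing quoted in the message above and walks constructed packets through it. It reproduces iptables chain semantics (rules tried in order, LOG is non-terminating, unmatched packets fall to the chain policy) so you can see which rule a given packet would hit before touching a live box. The packets, the client address 10.0.0.5 and the second host address 192.168.42.3 are constructed for the example and are not from the thread.

```python
"""Hypothetical first-match simulator for an iptables INPUT chain.
Example code written for this thread; it is not part of netfilter or the
poster's setup. It models rule matching only, not the kernel's conntrack
table, routing, or interfaces."""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# The INPUT chain exactly as listed in the message above (policy DROP).
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
"""


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str                      # "all", "tcp" or "udp"
    src: str                        # address or CIDR, as printed by iptables
    dst: str
    dport: Optional[int] = None     # from "dpt:N", if present
    states: FrozenSet[str] = frozenset()  # from "state A,B"; empty = no match


@dataclass(frozen=True)
class Packet:
    """A constructed packet plus the conntrack state it would be given."""
    proto: str
    src: str
    dst: str
    dport: int
    state: str                      # NEW, ESTABLISHED, RELATED or INVALID


def parse_listing(text: str) -> Tuple[str, List[Rule]]:
    """Parse `iptables -L -n` output for one chain into (policy, rules)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        m = re.match(r"Chain \S+ \(policy (\S+)\)", line)
        if m:
            policy = m.group(1)
            continue
        if not line.strip() or line.startswith("target"):
            continue
        parts = line.split(None, 5)
        target, proto, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        dm = re.search(r"dpt:(\d+)", extra)
        sm = re.search(r"state (\S+)", extra)
        rules.append(Rule(target, proto, src, dst,
                          int(dm.group(1)) if dm else None,
                          frozenset(sm.group(1).split(",")) if sm else frozenset()))
    return policy, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match in the rule must hold; a bare address means a /32."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


POLICY, INPUT_CHAIN = parse_listing(LISTING)


def verdict(pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the chain in order. LOG records the packet but does not
    terminate, so a logged packet continues to the policy, as in iptables."""
    trace = []
    for i, rule in enumerate(INPUT_CHAIN, 1):
        if matches(rule, pkt):
            trace.append(f"rule {i} {rule.target}")
            if rule.target != "LOG":
                return rule.target, trace
    trace.append(f"policy {POLICY}")
    return POLICY, trace


if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.0.0.5", "192.168.42.2", 22, "NEW"),      # SSH to the listed host
        Packet("tcp", "10.0.0.5", "192.168.42.3", 22, "NEW"),      # SSH to another local address
        Packet("udp", "192.168.42.1", "192.168.42.2", 53, "NEW"),  # UDP to port 53 from .1
        Packet("udp", "192.168.42.1", "192.168.42.2", 40000, "ESTABLISHED"),  # a reply
    ]
    for p in samples:
        print(p, "->", verdict(p))
```

Running it shows that, as written, the chain accepts a NEW TCP connection to port 22 or 80 only when the destination address is 192.168.42.2; a SYN to any other address the box holds matches nothing but the LOG rule and falls to the DROP policy, which is exactly what would show up in syslog. The simulator does not know which interface or address a real packet arrived on, so the practical check on the box itself is `iptables -L INPUT -n -v`, whose per-rule packet counters reveal which rule (or the policy) is actually absorbing the traffic.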

