Linux Netfilter discussions
From: Steven M Campbell <Netfilter@SCampbell.net>
To: netfilter@lists.netfilter.org
Subject: Re: --policy DROP kills everything?
Date: Fri, 10 Jun 2005 10:48:51 -0400	[thread overview]
Message-ID: <42A9A853.5060106@SCampbell.net> (raw)
In-Reply-To: <42A75EF8.7050002@edoceo.com>

David Busby wrote:
> I have these rules on a host, to protect only this host.
>
> # Generated by iptables-save v1.2.11 on Tue Jun  7 23:03:58 2005
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> COMMIT
> # Completed on Tue Jun  7 23:03:58 2005
>
I loaded these same rules, changing only the IP address to match 
mine, and tested only SSH (didn't have apache running).  It worked for 
me; however, the DNS reverse lookup by the SSH daemon had to time 
out, which took around 10-20 seconds (I'm sure there is a real fixed 
number there, I'm just too lazy to look it up).  Ensure that eth0 really is 
192.168.42.2 and be patient.   I don't know if there would be issues 
with the web server you have with this or not, as I didn't test.  The 
bottom line is that this is an incomplete firewall set: SSH uses DNS 
and, even though it may be configured to ignore the result, it still does 
the query, and making it wait for a timeout is a problem.

While not part of your question, I'd like to address some comments made 
here about connection tracking (all that --state stuff):
For the record, once a connection tracking module is loaded it tracks 
connections; it does nothing to them, it just tracks the numbers.  You 
do not need to see --state NEW in a rule to actually start tracking.  The 
--state things are there so you can =query= the state of the packet 
relative to the connection tracker: you can see if this is a NEW packet, 
an ESTABLISHED connection or a connection/packet RELATED to another (for 
example FTP and FTP Data channels).   The module tracks the connections; 
--state allows us to apply the information to our firewall rules.   
This confused me for quite a while too, but now that I get it, it is 
really quite obvious and simple.
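
As an added example (not part of the thread), a small shell audit for the gap Steven describes: an INPUT policy of DROP with no rule accepting ESTABLISHED/RELATED traffic, so replies such as the SSH daemon's DNS lookup are dropped until they time out. It embeds a constructed copy of the quoted ruleset beside a version with the conventional state rule added; the added rule line and the script are mine, not David's or Steven's.

```shell
#!/bin/sh
# Audit an iptables-save dump: with policy DROP on INPUT, is there a rule that
# accepts packets the connection tracker already knows (ESTABLISHED, and RELATED
# for things like FTP data)? Reads stdin or the files given as arguments.
# Exit 0 = reply traffic is accepted, 1 = replies (e.g. DNS answers) will be dropped.
has_established_accept() {
  awk '
    /^:INPUT DROP/ { drop = 1 }
    /^-A INPUT / && /-j ACCEPT/ && (/--state [A-Z,]*ESTABLISHED/ || /--ctstate [A-Z,]*ESTABLISHED/) { ok = 1 }
    END { if (drop && !ok) exit 1; exit 0 }
  ' "$@"
}

# Constructed copy of the ruleset quoted in the thread (host IP as posted).
original_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
-A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Same ruleset with one rule added near the top (my addition): let the tracker's
# known connections back in, so DNS replies and TCP ACKs are not dropped.
fixed_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
-A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.42.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Prints "<name>: complete" or "<name>: incomplete" for the given ruleset function.
report() {
  if "$1" | has_established_accept; then echo "$1: complete"; else echo "$1: incomplete"; fi
}
report original_ruleset
report fixed_ruleset
```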
