Linux Netfilter discussions
From: Matt Singerman <msingerman@ncemch.org>
To: netfilter@lists.netfilter.org
Subject: Problems configuring iptables
Date: Wed, 23 Aug 2006 11:49:11 -0400
Message-ID: <44EC78F7.4010106@ncemch.org>

Hi all,

I am new to iptables, so please bear with me here.  I am configuring 
what I think is a fairly simple setup.  I have a linux box which is 
acting as a network bridge that I want to install the firewall on.  It 
has two ethernet cards: eth0 is attached to the internet, and eth1 is 
connected to the internal network.  All machines inside the network use 
static public IP addresses, so there is no need to use NAT services or 
IP masquerading.  I am setting it up to only accept SYN packets on 
certain TCP ports, then accept all packets on existing connections.  The 
order would be:

ACCEPT SYN packets for certain TCP services.
DENY all other SYN packets on other TCP services.
ACCEPT all other TCP packets that are part of an existing connection.
DENY all other TCP packets.

I started by changing the policies on INPUT and FORWARD to drop all 
packets by default, and OUTPUT to accept.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Next, I added a rule to allow all traffic from the internal network to 
the outside world:

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Next, a rule to forward packets that are part of an existing connection 
from eth0 to eth1.

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Same thing, but on the firewall...

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

And to allow all inputs from the internal network and local loopback to 
the firewall.

iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

So after I set up these rules, if I understand iptables correctly, all 
traffic from inside the network should flow out smoothly over the bridge 
no matter what the internal IP address is nor what port the traffic is 
on.  This, however, is not happening: no traffic can flow in or out of 
the network.

Also, if I try to add a rule to allow, say, SSH traffic to a specific 
machine behind the firewall, I run into other problems.  If I type:

iptables -A FORWARD -s 0/0 -d w.x.y.z -p tcp --dport 22 --syn -j ACCEPT

This is, so far as I am aware, the format I would use.  However, when I 
type iptables -L, the list just hangs just before listing that rule.

Can anyone offer any pointers as to what I may be doing wrong, and what 
I can do to get this working?  Thanks!

Regards,

Matt



Thread overview: 11+ messages
2006-08-23 15:49 Matt Singerman [this message]
2006-08-23 16:23 ` Problems configuring iptables Ross A. Del Duca
2006-08-23 17:51   ` Matt Singerman
2006-08-23 17:54     ` Matt Singerman
2006-08-23 18:22       ` Martijn Lievaart
2006-08-23 18:58         ` Matt Singerman
2006-08-23 19:00           ` Pablo Sanchez
2006-08-23 19:07             ` Matt Singerman
2006-08-23 19:18           ` Martijn Lievaart
2006-08-24 10:57             ` Gáspár Lajos
2006-08-24 15:08               ` Matt Singerman