From: Matt Singerman <msingerman@ncemch.org>
To: "Ross A. Del Duca" <RDelDuca@corelogic.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Problems configuring iptables
Date: Wed, 23 Aug 2006 13:51:44 -0400
Message-ID: <44EC95B0.1090808@ncemch.org>
In-Reply-To: <580B00011E6B2F4980CAC67A08FECC3AF765CE@rpo.oldplacerville.csvaluation.lan>
Hmmm... That is definitely part of it, yeah. But there is something
else going on here.
So I tried changing the chain policy to ACCEPT and to just block all
traffic using an iptables rule. When I implement the rules as follows,
things work:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- x.y.z.116 x.y.z.120 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
As you can see, that is just blocking all traffic from anywhere to
anywhere on port 22 after allowing traffic from x.y.z.116 to x.y.z.120
through. (x.y.z.116 and x.y.z.120 are both on the same subnet, but 120
is behind the firewall and 116 is not.) x.y.z.116 can SSH in to
x.y.z.120, but nothing else can.
If I try to change it so that it isn't just blocking traffic on port 22,
but rather all traffic:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- x.y.z.116 x.y.z.120 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere
No SSH connections can get through at all, even from host x.y.z.116.
Any ideas what could be causing this odd behavior?
Ross A. Del Duca wrote:
> The 'hanging' is likely a result of a DNS lookup failing. If you add -n to
> your iptables command, it will not attempt to resolve DNS names, and may get
> you around at least that little part.
>
>
> Ross A. Del Duca, GCIH
>
>> -----Original Message-----
>> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
>> bounces@lists.netfilter.org] On Behalf Of Matt Singerman
>> Sent: Wednesday, August 23, 2006 8:49 AM
>> To: netfilter@lists.netfilter.org
>> Subject: Problems configuring iptables
>>
>> < SNIP >
>>
>
>
>> Also, if I try to add a rule to allow, say, SSH traffic to a specific
>> machine behind the firewall, I run into other problems. If I type:
>>
>> iptables -A FORWARD -s 0/0 -d w.x.y.z -p tcp --dport 22 --syn -j ACCEPT
>>
>> This is, so far as I am aware, the format I would use. However, when I
>> type iptables -L, the list just hangs just before listing that rule.
>>
>> Can anyone offer any pointers as to what I may be doing wrong, and what
>> I can do to get this working? Thanks!
>>
>> Regards,
>>
>> Matt
>>
>
>
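The difference between the two rulesets above can be reproduced with a small first-match model of the FORWARD chain. This is an added example, not code from the thread: the matching model, the ESTABLISHED/NEW states, the stateful variant and the x.y.z.50 address are assumptions or constructed values; only the two rulesets and the roles of x.y.z.116 and x.y.z.120 come from the message.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    dst: str
    dport: int
    syn: bool    # True only for a connection-opening SYN (what --syn matches)
    state: str   # constructed conntrack state: "NEW" or "ESTABLISHED"

def rule(target, src="any", dst="any", dport=None, syn=False, state=None):
    return dict(target=target, src=src, dst=dst, dport=dport, syn=syn, state=state)

def matches(r, p):
    # 'any' / None mean the rule does not match on that field
    return (r["src"] in ("any", p.src) and r["dst"] in ("any", p.dst)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (not r["syn"] or p.syn)
            and (r["state"] is None or r["state"] == p.state))

def verdict(chain, policy, p):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy

OUTSIDE, INSIDE = "x.y.z.116", "x.y.z.120"   # roles as described in the message
# Ruleset 1 from the message: only SSH SYNs are filtered; everything else
# (including the non-SYN packets of the allowed session) falls to policy ACCEPT.
RULESET_SSH_ONLY = [rule("ACCEPT", src=OUTSIDE, dst=INSIDE, dport=22, syn=True),
                    rule("DROP", dport=22, syn=True)]
# Ruleset 2 from the message: the trailing DROP has no --syn, so it matches every
# TCP packet, including the ACK that completes the allowed handshake.
RULESET_ALL_TCP = [rule("ACCEPT", src=OUTSIDE, dst=INSIDE, dport=22, syn=True),
                   rule("DROP")]
# Stateful variant (assumption, not from the thread): accept packets belonging to a
# connection whose SYN was already accepted, then apply the same SYN filter.
RULESET_STATEFUL = [rule("ACCEPT", state="ESTABLISHED"),
                    rule("ACCEPT", src=OUTSIDE, dst=INSIDE, dport=22, syn=True),
                    rule("DROP")]

def ssh_session(chain, policy="ACCEPT"):
    """Verdicts for the opening SYN and for the next packet of an SSH session."""
    syn = Pkt(OUTSIDE, INSIDE, 22, syn=True, state="NEW")
    ack = Pkt(OUTSIDE, INSIDE, 22, syn=False, state="ESTABLISHED")
    return verdict(chain, policy, syn), verdict(chain, policy, ack)

def stranger_syn(chain, policy="ACCEPT"):
    # a SYN to port 22 from a host the rules do not name (constructed address)
    return verdict(chain, policy, Pkt("x.y.z.50", INSIDE, 22, syn=True, state="NEW"))
```

With ruleset 2 the SYN is accepted but the very next packet of the same session is dropped, which matches the "no SSH connections at all" symptom; the stateful variant keeps the session alive while still rejecting SYNs from other hosts.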