From: Warpme <warpme@o2.pl>
To: "Gáspár Lajos" <swifty@freemail.hu>, netfilter@lists.netfilter.org
Subject: Re: error - but I don't know where....
Date: Wed, 15 Aug 2007 14:38:06 +0200
Message-ID: <46C2F3AE.2020505@o2.pl>
In-Reply-To: <46C18BC1.3010600@freemail.hu>
Gaspar,
Thanks for trying to help!
It looks like I found the problem. Probably somewhere in the file there were non-ASCII
chars which are not visible in my editor and were causing the problem.
I rewrote the script manually and now it works as expected :-)
I also changed the approach a little bit: the default policy for the FORWARD chain is
now DROP.
I'm allowing forwarding of only new connections from LAN to WAN and accepting
only already established connections from WAN to LAN:
iptables -A FORWARD -i $WAN_intf -o $LAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_intf -o $WAN_intf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
BTW: I have some comments on your hints (see inline):
br
Gáspár Lajos wrote:
> warpme wrote:
>> Hi *
>>
>> I am just trying to set up a firewall. The config is the following:
>>
>> Desktop Firewall (192.168.1.1) ------Eth0
>> Eth1(91.189.74.10)---------ISP
>>
>> The script below is working OK for all LAN hosts, but not for the
>> firewall PC itself (I tested it with i.e. ping www.ibm.com)
>> Commenting out the line "iptables -P INPUT DROP" allows pinging from the
>> firewall, but it effectively turns off the firewall....
>> It is probably a simple error - but I can't find where it is...
>> Can somebody verify this script and tell me what is wrong?
>>
>> thx in advance
>>
>> #Config area BEGIN--------------------------------------------------------------
>>
>> LAN_intf=eth0
>> LAN_subnetwork=192.168.1.0/255.255.255.0
>>
>> WAN_intf=eth1
>> WAN_ip=91.189.74.10
>>
>> Open_WAN_TCP_ports=20,21,80,500,1352,4500
>> Open_WAN_UDP_ports=500,1352,4500,5060
>> Open_WAN_RTP_port_range=7070:7080
>>
>> #Config area END----------------------------------------------------------------
>>
>> #--Flushing all iptables tables-------------------------------------------------
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>>
>> #--Setting up SNAT for outgoing to WAN DATA connections------------------------
>> iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j SNAT --to-source $WAN_ip
> I would write it like this:
>
> iptables -t nat -A POSTROUTING ! -s $WAN_ip -o $WAN_intf -j SNAT --to-source $WAN_ip
I understand the advantage of such an approach is that any non-WAN_ip host
will be NAT'ed. But for non-LAN-addressed hosts it will require
additional entries in the routing table for packets received from the WAN and
destined for a LAN host. Effectively it will require touching the firewall
- and because of this I consider it not beneficial.
>> #--Allowing self access by loopback interface----------------------------------
>> iptables -A INPUT -i lo -p all -j ACCEPT
>>
> "-p all" not needed... And I would rather set up the OUTPUT rule than
> the INPUT rule because the "lo" interface only accepts connections
> from itself... if a new connection is made then first step is to send
> OUT something to the other host... :D
> iptables -A OUTPUT -o lo -j ACCEPT
Well, default iptables policy for all chains is ACCEPT, so this rule is
redundant.
>
>> #--Allowing local access to LAN------------------------------------------------
>> iptables -A INPUT -i $LAN_intf -p all -j ACCEPT
>>
> No need for "-p all".
Right!
>
>> #--Allowing WAN incoming traffic from already established connections----------
>> iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> #--Allowing WAN incoming traffic for desired services--------------------------
>> #Open WAN TCP ports
>> iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport $Open_WAN_TCP_ports -j ACCEPT
>>
>> #Open WAN UDP ports
>> iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport $Open_WAN_UDP_ports -j ACCEPT
>>
>> #Open VoIP UDP port ranges
>> iptables -A INPUT -p udp -i $WAN_intf --dport $Open_WAN_RTP_port_range -j ACCEPT
>>
> For "ping" you need the following line:
> iptables -A INPUT -p icmp -j ACCEPT
Well - it is not needed when only outgoing pings are allowed (my case).
I think incoming pings should rather be disabled - it will help to
protect the host from a potential DoS via ping flood.
>> #--Drop all other incoming connections. Only the above will be allowed-------------
>> iptables -P INPUT DROP
>>
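An added example, not part of the thread: the INPUT/FORWARD ruleset described in the reply above (INPUT and FORWARD default to DROP, loopback and LAN accepted, only ESTABLISHED,RELATED back in from the WAN, plus the opened WAN ports and SNAT) generated as text before it is applied, together with the two checks this thread makes a practitioner want. The first scans a script for bytes outside printable ASCII, the "invisible chars" the author blames; the second verifies that every `-i`/`-o` argument is a configured interface name, since iptables accepts an unknown name such as a literal `WAN_intf` (as in the quoted ESTABLISHED,RELATED line, where the `$` is missing) without complaint and the rule then matches no real interface. Interface names, addresses and port lists are taken from the post; the helper names (`emit_rules`, `check_interfaces`, `find_non_ascii`, `apply_rules`) and the dry-run/`APPLY=1` convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the thread's own script). Values below are from the post;
# the helper names and the APPLY=1 convention are assumptions of this example.

LAN_intf=eth0
LAN_subnetwork=192.168.1.0/24
WAN_intf=eth1
WAN_ip=91.189.74.10
Open_WAN_TCP_ports=20,21,80,500,1352,4500
Open_WAN_UDP_ports=500,1352,4500,5060
Open_WAN_RTP_port_range=7070:7080

# Print the ruleset, one iptables command per line. Policies are set to DROP
# before the chains are flushed and refilled, so there is no window during a
# reload in which the box accepts everything.
emit_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_intf -j ACCEPT
iptables -A INPUT -i $WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_intf -p tcp -m multiport --dports $Open_WAN_TCP_ports -j ACCEPT
iptables -A INPUT -i $WAN_intf -p udp -m multiport --dports $Open_WAN_UDP_ports -j ACCEPT
iptables -A INPUT -i $WAN_intf -p udp --dport $Open_WAN_RTP_port_range -j ACCEPT
iptables -A FORWARD -i $WAN_intf -o $LAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_intf -o $WAN_intf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j SNAT --to-source $WAN_ip
EOF
}

# Read rules on stdin; every argument after -i or -o must be lo or one of the
# configured interfaces. Returns 1 and reports the offending line otherwise.
check_interfaces() {
    allowed=" lo $LAN_intf $WAN_intf "
    status=0
    while read -r line; do
        set -- $line
        while [ $# -gt 1 ]; do
            case "$1" in
                -i|-o)
                    case "$allowed" in
                        *" $2 "*) ;;
                        *) echo "bad interface '$2' in: $line" >&2; status=1 ;;
                    esac ;;
            esac
            shift
        done
    done
    return $status
}

# Print "lineno:line" for every line of FILE holding a byte outside printable
# ASCII (tab/newline allowed). Returns 0 if the file is clean, 1 otherwise,
# 2 if it cannot be read. LC_ALL=C makes grep look at raw bytes.
find_non_ascii() {
    [ -r "$1" ] || return 2
    if LC_ALL=C grep -a -n '[^[:print:][:space:]]' "$1"; then
        return 1
    else
        return 0
    fi
}

# Dry run by default; APPLY=1 executes the rules (root required) and stops at
# the first command that fails.
apply_rules() {
    emit_rules | check_interfaces || { echo "refusing to apply: bad interface name" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        emit_rules | sh -e
    else
        emit_rules
    fi
}

# Usage: sh firewall.sh            -> call apply_rules, prints the ruleset
#        APPLY=1 sh firewall.sh    -> applies it (as root)
#        find_non_ascii firewall.sh -> lists lines with hidden non-ASCII bytes
```

Run `find_non_ascii` on the saved script before anything else; a non-breaking space or a stray byte from a word processor shows up as a numbered line where a plain editor shows nothing. `check_interfaces` is deliberately strict: a name that is not `lo` or one of the two configured interfaces is always a typo here, and the dry run refuses to load the set rather than silently installing a rule that matches nothing.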
Thread overview: 3+ messages
2007-08-14 9:59 error - but I don't know where warpme
2007-08-14 11:02 ` Gáspár Lajos
2007-08-15 12:38 ` Warpme [this message]