From: "Gary W. Smith" <gary@primeexalia.com>
To: busby@edoceo.com, netfilter@lists.netfilter.org
Subject: Re: --policy DROP kills everything?
Date: Wed, 08 Jun 2005 22:04:24 -0700
Message-ID: <BECD1BE8.8F6A%gary@primeexalia.com>
In-Reply-To: <23591.65.121.191.30.1118318071.squirrel@lithium.edoceo.com>
This may or may not help your situation. Included are my rules for the INPUT
chain on one of my firewalls. We don't default drop (which can be bad) but
rather end all our chains with REJECT icmp-host-prohibited. But something
you might want to do to quickly solve this problem is to try the following:
Instead of defaulting to DROP put a LOG at the end of the INPUT chain with
something like '-j LOG --log-prefix "INPUT_DROP: " --log-level 1'. Then do
a tail -n 0 -f /var/log/messages | grep "INPUT_DROP". It will tell you
exactly what you have missed.
While you are at it you might want to do the same for FORWARD and OUTPUT to
rule out the usual suspects.
The output from the logs might be more useful to you than trying to guess at
why the related connection isn't working.
BTW, here is my INPUT. eth0 is the external IF, eth1 is the internal IF, lo, well,
if I explain that you need some fundamentals, ppp+ is the PPTPD IF.
Basically I allow all interfaces to come in. eth0 doesn't actually accept
any data but just logs the number of bytes that travel across its IF for
accounting purposes.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
target prot opt in out source destination
INCOUNT all -- eth0 * 0.0.0.0/0 123.123.123.1
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1
filter_firewall all -- eth0 * 0.0.0.0/0 0.0.0.0/0
filter_trusted all -- * * 0.0.0.0/0 0.0.0.0/0
LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 1 prefix `INPUT: '
REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Hope this helps,
Gary Smith
On 6/9/05 4:54 AM, "busby@edoceo.com" <busby@edoceo.com> wrote:
> My OUTPUT and FORWARD tables have policy ACCEPT and no rules.
> It's only INPUT that is causing headache. In my current state (below) an
> established connection is OK (like ssh in then start) but after adding
> these rule no new connection can be made.
>
> Config:
>>
>> imperium root # iptables -L INPUT -n
>> Chain INPUT (policy DROP)
>> target prot opt source destination
>> ACCEPT all -- 127.0.0.0/8 0.0.0.0/0
>> ACCEPT udp -- 192.168.42.1 192.168.42.2 udp spt:53
>> ACCEPT tcp -- 0.0.0.0/0 192.168.42.2 tcp dpt:22
>> ACCEPT tcp -- 0.0.0.0/0 192.168.42.2 tcp dpt:80
>> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
>>
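The debugging approach in the reply above (keep the policy permissive, finish the INPUT chain with a LOG rule that has a greppable prefix followed by an explicit REJECT, then read the log to see which packets the rule set never matched) as an added example; this is not code from either poster's firewall. The interface names eth0/eth1, the hostname "fw", the addresses and the kernel log lines are all constructed for the demo, and the script only prints the iptables commands rather than running them.

```sh
#!/bin/sh
# Added example, not from the thread. Two helpers for the "log what you
# would have dropped" approach: debug_rules prints an INPUT chain that ends
# in LOG + REJECT instead of a silent DROP policy, and summarize_drops
# turns the resulting INPUT_DROP log lines into a count per interface,
# protocol and destination port so the missing rule stands out.
# All names and addresses below are assumptions made for the demo.

IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"   # assumed external interface
INT_IF="${INT_IF:-eth1}"   # assumed internal interface

# Print (do not run) the commands. Apply on a real box with: debug_rules | sh
# The policy is set to ACCEPT before the flush so an existing session is not
# cut off while the chain is empty; the tail of the chain makes the decision.
debug_rules() {
    echo "$IPT -P INPUT ACCEPT"
    echo "$IPT -F INPUT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -i $INT_IF -j ACCEPT"
    echo "$IPT -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "$IPT -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT"
    # Everything reaching this point is exactly what a DROP policy would have
    # eaten silently: log it with a prefix you can grep for, then reject.
    echo "$IPT -A INPUT -j LOG --log-prefix \"INPUT_DROP: \" --log-level 1"
    echo "$IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited"
}

# Read syslog lines on stdin, keep the INPUT_DROP ones, and print
# "count IN PROTO DPT (last src X)" with the most frequent first.
# The LOG target writes KEY=VALUE pairs; bare flags such as DF or SYN have
# no "=" and are skipped. ICMP has no DPT, which is shown as "-".
summarize_drops() {
    grep 'INPUT_DROP:' | awk '
    {
        in_if = "?"; proto = "?"; dpt = "-"; src = "?"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "IN") in_if = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        key = in_if " " proto " " dpt
        count[key]++
        last[key] = src
    }
    END {
        for (k in count) printf "%d %s (last src %s)\n", count[k], k, last[k]
    }' | sort -rn
}

# Constructed sample of /var/log/messages: three TCP/443 attempts, two
# UDP/123 packets, one ICMP echo request, and one unrelated sshd line.
MAC='00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00'
SAMPLE_LOG="Jun  9 04:54:01 fw kernel: INPUT_DROP: IN=eth0 OUT= MAC=$MAC SRC=10.0.0.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40211 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  9 04:54:01 fw sshd[2211]: Accepted publickey for admin from 10.0.0.2 port 40122 ssh2
Jun  9 04:54:02 fw kernel: INPUT_DROP: IN=eth0 OUT= MAC=$MAC SRC=10.0.0.8 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40212 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  9 04:54:03 fw kernel: INPUT_DROP: IN=eth0 OUT= MAC=$MAC SRC=10.0.0.9 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jun  9 04:54:04 fw kernel: INPUT_DROP: IN=eth0 OUT= MAC=$MAC SRC=10.0.0.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun  9 04:54:05 fw kernel: INPUT_DROP: IN=eth0 OUT= MAC=$MAC SRC=10.0.0.9 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jun  9 04:54:06 fw kernel: INPUT_DROP: IN=eth0 OUT= MAC=$MAC SRC=10.0.0.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40213 DF PROTO=TCP SPT=51250 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0"

# Stand-alone demo on the constructed sample. On a real firewall use
#   summarize_drops < /var/log/messages
# after letting the chain run for a while.
demo() { printf '%s\n' "$SAMPLE_LOG" | summarize_drops; }

debug_rules
echo
demo
```

For the summary to be useful you need a captured chunk of the log: awk only prints in END, so it will not stream from tail -n 0 -f the way the grep in the reply does; use the grep for live watching and the summary afterwards. Once the chain is debugged, a `-m limit` match in front of the LOG rule keeps a scan from filling the log. Note also that a LOG rule at level 1 lands wherever your syslog routes kern.alert, which is not always /var/log/messages.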