From: "Niel Harper" <noaharper@hotmail.com>
To: netfilter@lists.netfilter.org
Subject: IPTables Problem
Date: Fri, 04 Oct 2002 17:55:26 +0000
Message-ID: <F187QpbalJFWs0eNRfU00009397@hotmail.com>
I have IPTables version 1.2.6a running on my VPN (FreeS/Wan 1.98b) gateway.
I have configured (or so I thought) it to accept incoming and outgoing
IPSEC, ESP, and AH traffic. When I try to connect from my remote client, I
keep getting a "not permitted" error. Could someone please check my
iptables chains and tell me exactly what I'm doing wrong. The IPTables list
is attached to this document as a text file.
Niel Harper, CISA
Information Security Engineer
Institute of Electrical and Electronic Engineers
IEEE Information Assurance Task Force
Tel: (246) 424-3809
Fax: (246) 425-6076
Email: niel.harper@ieee.org
[-- Attachment #2: iptables.txt (text/plain) --]
Chain INPUT (policy DROP)
target prot opt source destination
loopback_in all -- anywhere anywhere
interface0_in all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:isakmp dpt:isakmp
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `giptables-end-of-firewall: '

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `giptables-end-of-firewall: '

Chain OUTPUT (policy DROP)
target prot opt source destination
loopback_out all -- anywhere anywhere
interface0_out all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:isakmp dpt:isakmp
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
ACCEPT all -- 192.168.10.1 localhost.localdomain
LOG all -- anywhere anywhere LOG level warning prefix `giptables-end-of-firewall: '

Chain interface0_in (1 references)
target prot opt source destination
syn_flood_interface0_in tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 5/min burst 7 LOG level warning prefix `giptables-new-no-syn: '
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
LOG all -f anywhere anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-fragments: '
DROP all -f anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 5/min burst 7 LOG level warning prefix `giptables-malformed-xmas: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 5/min burst 7 LOG level warning prefix `giptables-malformed-null: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG all -- 192.168.10.2 anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP all -- 192.168.10.2 anywhere
LOG all -- 0.0.0.0/8 anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP all -- 0.0.0.0/8 anywhere
LOG all -- 127.0.0.0/8 anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP all -- 127.0.0.0/8 anywhere
LOG all -- 10.0.0.0/8 anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP all -- 10.0.0.0/8 anywhere
LOG all -- 172.16.0.0/12 anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP all -- 172.16.0.0/12 anywhere
LOG all -- 192.168.0.0/16 anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP all -- 192.168.0.0/16 anywhere
LOG all -- 224.0.0.0/3 anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP all -- 224.0.0.0/3 anywhere
ACCEPT udp -- 205.214.192.201 192.168.10.2 udp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 205.214.192.201 192.168.10.2 tcp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- 205.214.192.202 192.168.10.2 udp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 205.214.192.202 192.168.10.2 tcp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:ssh dpts:login:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:telnet dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:smtp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spts:1024:65535 dpt:smtp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:pop3 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:imap dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:http dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:https dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:webcache dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere 192.168.10.2 tcp spt:nntp dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- anywhere 192.168.10.2 udp spt:ldap dpts:1024:65535 state ESTABLISHED
ACCEPT icmp -- anywhere 192.168.10.2 state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-norule: '
DROP all -- anywhere anywhere

Chain interface0_out (1 references)
target prot opt source destination
ACCEPT udp -- 192.168.10.2 205.214.192.201 udp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 205.214.192.201 tcp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT udp -- 192.168.10.2 205.214.192.202 udp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 205.214.192.202 tcp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spt:ssh dpts:login:65535 state ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:telnet state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:smtp state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spt:smtp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:pop3 state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:imap state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:webcache state NEW,ESTABLISHED
ACCEPT tcp -- 192.168.10.2 anywhere tcp spts:1024:65535 dpt:nntp state NEW,ESTABLISHED
ACCEPT udp -- 192.168.10.2 anywhere udp spts:1024:65535 dpt:ldap state NEW,ESTABLISHED
ACCEPT udp -- 192.168.10.2 anywhere udp spts:1024:65535 dpts:traceroute:33523 state NEW
ACCEPT icmp -- 192.168.10.2 anywhere state NEW,RELATED,ESTABLISHED

Chain loopback_in (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain loopback_out (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain syn_flood_interface0_in (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 1/sec burst 3
DROP all -- anywhere anywhere
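Reading the listing as posted, the reason the remote client's packets never reach the IPsec rules is visible in the INPUT chain itself: the jump to interface0_in comes before the three ACCEPT rules for isakmp, ipv6-crypt (protocol 50, ESP, under its older /etc/protocols name) and ipv6-auth (protocol 51, AH), and interface0_in ends with an unconditional LOG and DROP (the `giptables-drop-src-norule` pair). Every inbound IKE, ESP or AH packet that enters interface0_in is dropped there, so the ACCEPT rules below the jump are dead; the OUTPUT side works only because interface0_out has no terminal DROP and falls back into OUTPUT. The Python model below is an added example, not part of the original mail or of giptables. It transcribes a reduced subset of the posted chains (constructed test data), walks a packet through them with iptables' jump, RETURN and policy semantics, and compares the verdict as posted against two fixes: moving the three accepts above the jumps in INPUT, and inserting them in interface0_in just above its terminal LOG/DROP so the anti-spoof rules still run first. `iptables -L` without -v does not show interface matches, so the mapping of loopback_in to -i lo and interface0_in to the external interface (called eth0 here) is an assumption of the model.

```python
"""Rule-walk model of the INPUT path from the iptables listing above.

Added example, not part of the original mail or of giptables. The chains are a
hand-transcribed, reduced subset of the posted `iptables -L` output (constructed
test data). `iptables -L` without -v hides interface matches, so the mapping
loopback_in = -i lo and interface0_in = -i eth0 is an assumption of this model.
"""
import ipaddress

# A rule is (target, match). Every match key is optional; an absent key matches anything.
#   proto: protocol name      sport/dport: int      iif: interface name
#   src: CIDR prefix          state: set of conntrack states that match
IPSEC_ACCEPTS = [
    ("ACCEPT", {"proto": "udp", "sport": 500, "dport": 500}),  # isakmp
    ("ACCEPT", {"proto": "esp"}),  # listed as ipv6-crypt (protocol 50)
    ("ACCEPT", {"proto": "ah"}),   # listed as ipv6-auth  (protocol 51)
]
LOOPBACK_IN = [("ACCEPT", {})]
SYN_FLOOD = [("RETURN", {})]      # the limit match is modelled as always under the limit
INTERFACE0_IN = [
    ("syn_flood_interface0_in", {"proto": "tcp"}),
    ("DROP", {"src": "192.168.0.0/16"}),                     # anti-spoof (LOG twins omitted)
    ("ACCEPT", {"proto": "tcp", "state": {"ESTABLISHED"}}),  # stands in for the service rules
    ("LOG", {}),                                             # giptables-drop-src-norule
    ("DROP", {}),                   # terminal: nothing after INPUT's jump is reachable
]
JUMPS = [("loopback_in", {"iif": "lo"}), ("interface0_in", {"iif": "eth0"})]
POLICY = {"INPUT": "DROP"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def ruleset(fix=None):
    """fix=None: as posted. 'top': accepts moved above the jumps in INPUT
    (iptables -I INPUT 1 ...). 'subchain': accepts inserted in interface0_in just
    above its terminal LOG/DROP, so the anti-spoof rules still run first."""
    inp, if0 = JUMPS + IPSEC_ACCEPTS + [("LOG", {})], INTERFACE0_IN
    if fix == "top":
        inp = IPSEC_ACCEPTS + JUMPS + [("LOG", {})]
    elif fix == "subchain":
        if0 = INTERFACE0_IN[:-2] + IPSEC_ACCEPTS + INTERFACE0_IN[-2:]
    return {"INPUT": inp, "loopback_in": LOOPBACK_IN,
            "interface0_in": if0, "syn_flood_interface0_in": SYN_FLOOD}

def matches(match, pkt):
    for key, want in match.items():
        have = pkt.get(key)
        if key == "src":
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def walk(chains, chain, pkt):
    """Return (verdict, chain, rule_index); verdict None means RETURN to the caller."""
    for idx, (target, match) in enumerate(chains[chain]):
        if not matches(match, pkt):
            continue
        if target in TERMINAL:
            return target, chain, idx
        if target == "LOG":
            continue                     # non-terminating target
        if target == "RETURN":
            return None, chain, idx
        verdict, where, at = walk(chains, target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict, where, at
    if chain in POLICY:                  # built-in chain: fall through to the policy
        return POLICY[chain], chain + " policy", None
    return None, chain, None             # end of a user chain: implicit RETURN

def verdict(pkt, fix=None):
    return walk(ruleset(fix), "INPUT", pkt)

# Constructed sample packets arriving on the external interface. 203.0.113.7 is a
# documentation-range placeholder for the remote client; the 192.168.10.9 source
# stands for a spoofed packet that the anti-spoof rules are meant to catch.
REMOTE = "203.0.113.7"
PACKETS = {
    "ike":     {"iif": "eth0", "proto": "udp", "sport": 500, "dport": 500, "src": REMOTE, "state": "NEW"},
    "esp":     {"iif": "eth0", "proto": "esp", "src": REMOTE, "state": "NEW"},
    "ah":      {"iif": "eth0", "proto": "ah", "src": REMOTE, "state": "NEW"},
    "spoofed": {"iif": "eth0", "proto": "esp", "src": "192.168.10.9", "state": "NEW"},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:8} posted={verdict(pkt)}  top={verdict(pkt, 'top')}  "
              f"subchain={verdict(pkt, 'subchain')}")
```

As posted, all three legitimate packets end at the terminal DROP of interface0_in. The 'top' fix accepts them, but it also accepts the ESP packet with a spoofed 192.168.10.9 source, because the accepts now sit in front of the anti-spoof drops; the 'subchain' fix accepts the legitimate packets and still drops the spoofed one. On the real gateway the insert position comes from `iptables -L interface0_in --line-numbers` (the model leaves out the paired LOG rules, so its indices are not the real ones), for example `iptables -I interface0_in <N> -p 50 -j ACCEPT` for ESP, `-p 51` for AH and `-p udp --sport 500 --dport 500` for IKE. Two further points the listing shows: FORWARD holds only a LOG under a DROP policy, so once IKE succeeds, traffic from the client to hosts behind the gateway still needs FORWARD rules; and whether interface0_in also applies to the FreeS/WAN ipsec0 interface cannot be read from `iptables -L` without -v.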