Antonio Olivares wrote:
--- On Thu, 11/20/08, Chuck Anderson <cra@xxxxxxx> wrote:
From: Chuck Anderson <cra@xxxxxxx>
Subject: Re: iptables forwarding not working/iptables-save not saving
To: fedora-test-list@xxxxxxxxxx
Date: Thursday, November 20, 2008, 12:33 PM
On Thu, Nov 20, 2008 at 12:26:26PM -0800, Antonio Olivares wrote:
Sorry for double post :( Yahoo mail was misbehaving :(
Here's some info to clarify things
[root@localhost ~]# service iptables stop
[root@localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
[1]+  Done                    gedit /etc/sysconfig/iptables
[root@localhost ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008
The output of "iptables-save" goes to your terminal, it isn't stored anywhere.
The iptables go back to the original state. Error in iptables-save / bug?
Nope, you need to do this instead:
service iptables save
--
Thank you all for helping me with this. I have done this and I hope that it will work :)
I doubt that it will work as expected. You appear to have a policy of ACCEPT on
FORWARD, and lack the usual REJECT rule at the end of the rules, so everything
gets forwarded and your rules don't do anything to prevent it. Also, if you
didn't enable forwarding in /proc/sys/ your system won't forward. Also, you
probably don't want the interfaces on the RELATED line, as you will work better
if you forward in both directions, assuming you change the policy and return to
normal security.
In other words, you will have no security, because you appear to forward
everything. Use "iptables -L FORWARD -nv" to see if the policy is being used to
forward anything it sees.
Excerpt from my FC9 table save: (note the last rule)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34700:4826013]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
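The points raised in this thread (FORWARD chain with an open ACCEPT policy and no closing REJECT, ip_forward not enabled, interface matches on the RELATED/ESTABLISHED rule, and persisting rules with "service iptables save") are collected below in an added example script. It is not code from any poster on this list; the interface names (eth1 LAN side, eth0 upstream), the 192.168.1.0/24 network and the 10.154.19.210 SNAT address are taken from Antonio's session, the final REJECT rule follows Bill's FC9 excerpt, and the function names are hypothetical. The generator emits a ruleset in iptables-save format, and the two audit helpers can be run offline against any saved ruleset or a sysctl file.

```shell
#!/bin/sh
# Added example, not from the thread. Names and addresses are assumptions
# taken from the messages above; function names are hypothetical.
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24
SNAT_ADDR=10.154.19.210

# Emit a ruleset in iptables-save format (feed to iptables-restore, or
# write to /etc/sysconfig/iptables). FORWARD is closed by a final REJECT,
# so only the two explicit forwarding rules let traffic through; the
# RELATED,ESTABLISHED rule carries no interface match, so replies are
# accepted in both directions.
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $SNAT_ADDR
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Audit a saved ruleset read from stdin: succeed only if the last rule in
# the FORWARD chain is a REJECT or DROP, i.e. the ACCEPT policy is never
# reached for unmatched packets.
forward_chain_closed() {
  last=$(grep '^-A FORWARD ' | tail -n 1)
  case "$last" in
    *"-j REJECT"*|*"-j DROP"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed if routing is enabled. Reads the sysctl file given as $1 so a
# constructed file can be used offline; defaults to the live /proc path.
ip_forward_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# On a real router the sequence is (left commented out here):
#   sysctl -w net.ipv4.ip_forward=1   # and persist it in /etc/sysctl.conf
#   gen_ruleset | iptables-restore
#   service iptables save             # writes /etc/sysconfig/iptables
#   iptables -L FORWARD -nv           # counters should land on the REJECT rule, not the policy
```

Running "gen_ruleset | forward_chain_closed" succeeds, while piping Antonio's original three rules through the same check fails, which is exactly the gap Bill describes: with no closing rule, the chain policy decides what is forwarded.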
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list