Re: Setting up default policy to 'DROP' problem

ads nat wrote:

Hi,
It's working.
It was my fault.
I am getting Internet bandwidth through an IP tunnel. The IP address of the tunnel and of my eth0 are different. I was giving INPUT access to the eth0 IP and not to the IP of the tunnel, which is my Internet IP.
Your suggestion of using a log rule at the end of the INPUT chain is what gave me this hit.
Thanks for the support.


Glad it's working; you're making progress. :-) I made a couple of suggestions below.

Jeff



From: "ads nat" <adsnat@xxxxxxxxxxx>
To: adsnat@xxxxxxxxxxx, JALaramie@xxxxxxxxxxxxxxxxxxx, netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Setting up default policy to 'DROP' problem
Date: Wed, 04 Feb 2004 08:26:13 +0530


Following are my iptables rules.

xxx.xxx.xxx.xxx is the Internet IP.
eth0: Internet interface
eth1: LAN interface

*******************
*nat
:PREROUTING ACCEPT [678915:47234902]
:POSTROUTING ACCEPT [36934:2160799]
:OUTPUT ACCEPT [35607:2143032]
-A POSTROUTING -o tunnel0 -j MASQUERADE
COMMIT
# Completed on Wed Feb  4 08:15:38 2004
# Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
*mangle
:PREROUTING ACCEPT [15137995:7366304630]
:INPUT ACCEPT [5934119:3407840707]
:FORWARD ACCEPT [9046926:3942957156]
:OUTPUT ACCEPT [5005001:930279054]
:POSTROUTING ACCEPT [14042840:4872546468]
COMMIT
# Completed on Wed Feb  4 08:15:38 2004
# Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
*filter
:INPUT DROP [6317:1242856]
:FORWARD DROP [107:11548]
:OUTPUT ACCEPT [841:137965]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 127.0.0.1 -i lo -j ACCEPT


I don't think this rule does anything.


-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx -i lo -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j ACCEPT


Except for the loopback entries, the INPUT rules don't differentiate between interfaces. You may want to have different rules for eth0 and eth1. In particular, your first rule lets a lot of stuff in from the outside that you may not want.


-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT


You don't identify eth2 anywhere else. Is this to the DMZ?


-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT


These are all ACCEPT rules and your default OUTPUT policy is accept. You should either delete these rules or change the default policy.


COMMIT
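
A ruleset that applies the points raised in this thread, written as a firewall script. This is an added example, not code posted by either participant: the interface roles follow the thread (tunnel0 carries the public IP and is the Internet side, eth1 is the LAN), while the LAN prefix 192.168.0.0/24, the single exposed ssh port and the log rate limits are assumptions. Accepts are tied to interfaces instead of to the box's own addresses, so the eth0-versus-tunnel IP mistake cannot recur; the accept-every-SYN rule is replaced by named services on the Internet interface; OUTPUT gets a DROP policy so its ACCEPT rules mean something; and each DROP-policy chain ends with a rate-limited LOG rule, the diagnostic that found the problem here. By default the script only prints the iptables commands; pass "apply" to run them.

```shell
#!/bin/sh
# Firewall script for the thread's topology. Added example, not from the
# original post. Interface roles from the thread; LAN prefix, exposed
# service and limits are assumptions.
set -e

EXT_IF=tunnel0                  # carries the public IP (the Internet side)
LAN_IF=eth1                     # the LAN
LAN_NET=192.168.0.0/24          # assumed; the post only shows 192.168.0.1 on the box

# Dry run by default: print each command instead of executing it.
case "${1:-dry-run}" in
    apply)   IPT=/sbin/iptables ;;
    *)       IPT="echo iptables" ;;
esac

build_firewall() {
    # Known starting state. Policies are set before any rule is appended,
    # so nothing is accepted in the window between flush and first rule.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP   # with DROP here the explicit OUTPUT accepts are no longer redundant

    # Loopback: match on the interface, not on 127.0.0.1 as source/destination.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened or forwarded.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN side: trust the LAN prefix, but only when it arrives on the LAN
    # interface. Matching on -i rather than on the box's own IP is what
    # makes the tunnel-IP versus eth0-IP confusion impossible.
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT

    # Internet side: name the services exposed instead of accepting every
    # SYN on every interface. ssh is an assumed example service.
    $IPT -A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Outbound from the box itself, and from the LAN through the tunnel.
    $IPT -A OUTPUT  -o $EXT_IF -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT  -o $LAN_IF -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE

    # Last rule of every DROP-policy chain: log what the policy is about to
    # drop, rate-limited so a flood cannot fill the log. Reading these
    # entries is how the wrong-address mistake in the thread was found.
    $IPT -A INPUT   -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD-DROP: "
    $IPT -A OUTPUT  -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT-DROP: "
}

build_firewall
```

After applying, "iptables -L INPUT -v -n --line-numbers" shows the LOG rule as the last entry in the chain, and the kernel log carries the INPUT-DROP: prefix for every packet the policy discards, with its input interface and destination address; that is the line to read first when a default-DROP policy blocks something unexpectedly.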




