Re: problem with forward/nat

On Sunday 07 March 2004 2:47 pm, Brad Morgan wrote:

> > iptables -A OUTPUT -o lo -m state --state RELATED,ESTABLISHED,NEW -j
> > ACCEPT
> >
> > iptables -A INPUT -i lo -m state --state RELATED,ESTABLISHED,NEW -j
> > ACCEPT
>
> The first problem I see is that you allow ESTABLISHED,RELATED,NEW in your
> INPUT and OUTPUT chains.

Only to/from interface lo (see above).

>  Once you hit that rule, the only thing going past
> are INVALID packets so the rest of the INPUT and OUTPUT chains aren't doing
> anything useful.

No, the other rules are dealing with packets to interfaces other than lo.

> The second problem I see is the FORWARD chain has "-i eth0 -o eth0" on the
> ESTABLISHED,RELATED rule which can't be right.  All the packets on the
> FORWARD chain are going to be either "-i eth0 -o eth1" or "-i eth1 -o
> eth0".

Agreed, however a more fundamental problem with this rule is that it is 
commented out and therefore non-functional:

> > #iptables -A FORWARD -i eth0 -o eth0 -m state --state ESTABLISHED,RELATED
> > -j ACCEPT

> Since your private address space (192.168.1.0/24) shouldn't exist on the
> outside, there's little need to specify both the address and the interface
> in your rules.

Lots of people like to do that on the basis that you can't have too much 
security, and just in case someone outside does manage to send you a packet 
from your own address space, you'd rather your system didn't try to respond 
to it.

> It looks like you have rules in your INPUT and OUTPUT chains intended to
> pass traffic through the firewall.  Only packets directed at the firewall
> go through INPUT and only packets generated by the firewall go through
> OUTPUT. Packets passing through the firewall are seen on FORWARD.

Agreed - I wasn't sure when looking at Pierre's ruleset whether he was 
completely clear about the difference between INPUT/OUTPUT and FORWARD.

> Look at (make that study!) the tutorial, including a nice diagram (in
> "Traversing of Tables and Chains"), written by Oskar Andreasson at
> http://iptables-tutorial.frozentux.net.
>
> Here's what I suggest to help get you going...

I agree with the remainder of your suggestions - they should help Pierre get 
his firewall working, and understand how/why at the same time.

Regards,

Antony.

-- 
"The joy of X!!??  I've always hated compiling graphical shite.  You have a 10 
line program, and it ends up depending on the entire known universe."

 - Philip Hands

                                                     Please reply to the list;
                                                           please don't CC me.
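To make the chain distinction in this thread concrete, here is an added example ruleset (not Pierre's, Brad's or Antony's) for a two-interface NAT gateway: the INPUT and OUTPUT chains only handle the firewall's own traffic, the FORWARD state rule is live (not commented out) and matches the real direction of replies (-i eth0 -o eth1, never -i eth0 -o eth0), and the "own address space arriving from outside" case is dropped explicitly. It assumes eth0 is the outside interface and eth1 faces the 192.168.1.0/24 LAN, which the thread does not state.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumptions: eth0 = outside, eth1 = LAN.
# Run as root to apply; run with IPT=echo to just print the rules it would add.
IPT=${IPT:-iptables}
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

apply_rules() {
    # Default deny for anything addressed to, or crossing, the firewall.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # Loopback: only the firewall talks to itself here, so no state match needed.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: our private range must never arrive on the outside interface,
    # whether it is aimed at the firewall (INPUT) or at the LAN (FORWARD).
    $IPT -A INPUT   -i $WAN -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $WAN -s $LAN_NET -j DROP

    # INPUT: packets for the firewall itself. Replies to its own connections,
    # plus new connections only from the LAN side.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -m state --state NEW -j ACCEPT

    # FORWARD: packets passing through. Replies enter on WAN and leave on LAN;
    # new connections go LAN -> WAN only. No packet is ever "-i eth0 -o eth0".
    $IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT

    # NAT: rewrite LAN source addresses on the way out.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE

    # Forwarding must also be switched on in the kernel (skipped in print mode).
    [ "$IPT" = echo ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

apply_rules
```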
