Re: Statefull??

On Monday 05 April 2004 3:58 am, Wan Seman Bin Wan Ismail wrote:

> Dear all,
>
> I got a problem dealing with my current iptables rules
>
> here is my iptables rules:-
>
> $ipt -A FORWARD -i $EXT -o $DMZ -p tcp -m tcp -s 0/0 -d $WEB --dport 80 -j LOG --log-level info --log-prefix "[IN WEB] :"
> $ipt -A FORWARD -i $EXT -o $DMZ -p tcp -m tcp -s 0/0 -d $WEB --dport 80 -j ACCEPT
>
> $ipt -A FORWARD -i ! $EXT -m state --state NEW -j ACCEPT
> $ipt -A FORWARD -i $EXT -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "Established conn: "
> $ipt -A FORWARD -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $ipt -A FORWARD -i $EXT -o $DMZ -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
> $ipt -A FORWARD -i $EXT -o $DMZ -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
>
> $ipt -A FORWARD -i $EXT -o $DMZ -p tcp -j LOG --log-level info --log-prefix " EXT-DMZ TCP DROP "
> $ipt -A FORWARD -i $EXT -o $DMZ -p tcp -j REJECT
> $ipt -A FORWARD -i $DMZ -o $EXT -p tcp -j LOG --log-level info --log-prefix " DMZ-EXT TCP DROP "
> $ipt -A FORWARD -i $DMZ -o $EXT -p tcp -j REJECT
> $ipt -A FORWARD -i $EXT -o $DMZ -p udp -j LOG --log-level info --log-prefix " EXT-DMZ UDP DROP "
> $ipt -A FORWARD -i $EXT -o $DMZ -p udp -j REJECT
> $ipt -A FORWARD -i $DMZ -o $EXT -p udp -j LOG --log-level info --log-prefix " DMZ-EXT UDP DROP "
> $ipt -A FORWARD -i $DMZ -o $EXT -p udp -j REJECT
>
>
> so my problem is why ppl outside can't browse my webpages?

Because you are REJECTing the reply packets from the server :)

Just take a look at the above rules, and think firstly about a SYN packet from 
the client (EXT) to the server (on the DMZ).

It will match the first and second rules, and therefore gets LOGged, and 
ACCEPTed.

Now think about the SYN ACK reply packet from the server (on the DMZ) to the 
client (EXT).

It will match the tenth and eleventh rules, and therefore gets LOGged and 
REJECTed.

Hope this explains the problem.

Regards,

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the list;
                                                           please don't CC me.
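The walk-through above can be replayed mechanically. The following is an added example, not code from the thread or from either poster: a toy model of iptables FORWARD-chain matching that carries just enough of the `-i`/`-o`, `-p`, `--dport`, `-m state` and `! --tcp-flags SYN,RST,ACK SYN` semantics to show which numbered rule terminates each packet. Rule numbering follows the order in the quoted post; `$EXT`, `$DMZ` and `$WEB` stay symbolic, the client port is a constructed value, and the conntrack state is supplied on the packet rather than computed, since the point is rule order. The `FIXED` chain is one possible correction (an assumption, not the poster's final ruleset): a single interface-independent ESTABLISHED,RELATED accept placed ahead of the per-direction REJECT rules.

```python
"""Toy replay of the quoted FORWARD chain (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str
    dst: str
    dport: int
    state: str          # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    syn: bool = False   # the TCP flag bits the rules look at
    ack: bool = False
    rst: bool = False


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP, REJECT or LOG (LOG does not terminate)
    in_if: Optional[str] = None        # "EXT" for -i $EXT, "!EXT" for -i ! $EXT
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None  # -m state --state ...
    not_syn_only: bool = False         # ! --tcp-flags SYN,RST,ACK SYN

    def matches(self, p: Packet) -> bool:
        def iface(want: Optional[str], have: str) -> bool:
            if want is None:
                return True
            return have != want[1:] if want.startswith("!") else have == want

        if not (iface(self.in_if, p.in_if) and iface(self.out_if, p.out_if)):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        # "! --tcp-flags SYN,RST,ACK SYN" matches every packet except a bare SYN
        if self.not_syn_only and p.syn and not (p.ack or p.rst):
            return False
        return True


EST = {"ESTABLISHED", "RELATED"}

# The poster's FORWARD chain in the order given; LOG rules are kept so the numbering matches.
CHAIN: List[Rule] = [
    Rule("LOG", "EXT", "DMZ", "tcp", "WEB", 80),                            # 1
    Rule("ACCEPT", "EXT", "DMZ", "tcp", "WEB", 80),                         # 2
    Rule("ACCEPT", in_if="!EXT", states={"NEW"}),                           # 3
    Rule("LOG", in_if="EXT", states=EST),                                   # 4
    Rule("ACCEPT", in_if="EXT", states=EST),                                # 5
    Rule("LOG", "EXT", "DMZ", "tcp", states={"NEW"}, not_syn_only=True),    # 6
    Rule("DROP", "EXT", "DMZ", "tcp", states={"NEW"}, not_syn_only=True),   # 7
    Rule("LOG", "EXT", "DMZ", "tcp"),                                       # 8
    Rule("REJECT", "EXT", "DMZ", "tcp"),                                    # 9
    Rule("LOG", "DMZ", "EXT", "tcp"),                                       # 10
    Rule("REJECT", "DMZ", "EXT", "tcp"),                                    # 11
    Rule("LOG", "EXT", "DMZ", "udp"),                                       # 12
    Rule("REJECT", "EXT", "DMZ", "udp"),                                    # 13
    Rule("LOG", "DMZ", "EXT", "udp"),                                       # 14
    Rule("REJECT", "DMZ", "EXT", "udp"),                                    # 15
]

# Assumed fix: accept reply traffic for any connection conntrack already knows,
# on any interface, before the per-direction REJECT rules can see it.
FIXED: List[Rule] = [Rule("ACCEPT", states=EST)] + CHAIN


def walk(chain: List[Rule], p: Packet) -> Tuple[Optional[int], str]:
    """Return (rule number, verdict) of the first terminating match; LOG only logs."""
    for n, rule in enumerate(chain, 1):
        if rule.matches(p) and rule.target != "LOG":
            return n, rule.target
    return None, "POLICY"


# Constructed packets: the client's SYN, the server's SYN/ACK reply, and a stray
# ACK with no conntrack entry (the case the "NEW NOT SYN" rules exist for).
SYN = Packet("EXT", "DMZ", "tcp", "WEB", 80, "NEW", syn=True)
SYN_ACK = Packet("DMZ", "EXT", "tcp", "CLIENT", 40000, "ESTABLISHED", syn=True, ack=True)
STRAY_ACK = Packet("EXT", "DMZ", "tcp", "WEB", 443, "NEW", ack=True)

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN), ("SYN/ACK", SYN_ACK), ("stray ACK", STRAY_ACK)):
        print(f"{name:10} original: {walk(CHAIN, pkt)}   fixed: {walk(FIXED, pkt)}")
```

Running it reproduces the reply's reasoning: the SYN terminates at rule 2 (ACCEPT) and the SYN/ACK at rule 11 (REJECT), because rule 3 only accepts NEW from non-EXT interfaces and the conntrack entry created by the SYN makes the reply ESTABLISHED. With the extra accept at the top, the SYN/ACK is accepted at rule 1 while the stray-ACK case is still dropped by the renumbered "NEW NOT SYN" rule.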


