On Sun, 05 Sep 2004 at 16:31, Steve Turnbull wrote:
> Hi
>
> Our web server is configured;
> Debian (Woody) (No X installed)
> Kernel 2.4.23 - configured with iptables in mind
> iptables v1.2.6a
>
> When we start the firewall script, we get this message;
> 'No chain/target/match by that name'
>

You should check your firewall script and find the rule that is giving the error; just run it with "bash -x <script>" and you can see line by line what's happening. Maybe it's a misspelling of a rule.

> The firewall works however, but is constantly logging;
> 'Sep 5 16:00:52 www kernel: Input: IN=eth0 OUT=
> MAC=00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00 SRC=195.92.195.93
> DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP
> SPT=53 DPT=32833 LEN=282'
>

This is normal DNS traffic I think, so you shouldn't be logging it.

> Something is amiss here, and we can't ping out from the server with the
> firewall running, also, we can't use Lynx to browse. Turn the firewall
> off and all is well for both of these.
>

If you turn the policy to deny and then the firewall script gives an error and exits, then you don't have the ports you need open, and that's the problem.

> Has anybody got any ideas what is wrong? Our firewall rule is below.
>
> Regards
> Steve
>
>
> #!/bin/sh
>
> #
> # This is the firewall up script.
> #
>
> #
> # Let's start by dropping all incoming traffic and allowing all
> # outbound traffic
> #
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> # Flush any existing rules...
> iptables -F
>
> # Allow any established connections to come on through...
> # (-m state needs the ip_conntrack and ipt_state kernel modules, and the
> # LOG target below needs ipt_LOG; a rule whose module is not available
> # fails with "No chain/target/match by that name" and is not installed)
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # This is a web server. We only require access to http ports
> # 80,21,53 and 443. New ports to allow will be added here...
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>
> #ssh
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>
> #ftp
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
>
> #DNS
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
>
> # Allow the loopback connection...
> iptables -A INPUT -i lo -j ACCEPT
>
> # Log stuff that doesn't match above rules...
> iptables -A INPUT -j LOG --log-prefix="Input: "

-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
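As an added triage aid (example code, not from the thread), the following Python parses kernel LOG entries in the format of the line quoted above and flags reply packets (DNS answers, SYN/ACKs, echo replies) that a working ESTABLISHED,RELATED rule would have accepted, which is the pattern to expect when that rule failed to install. The first sample line is the one from the message; the other three, and all function names, are constructed.

```python
import re
from collections import Counter

# Constructed sample entries in the format of the kernel LOG line quoted in the
# thread; the first reproduces that line, the other three are made up.
MAC = "00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00"
SAMPLE_LOG = [
    f"Sep 5 16:00:52 www kernel: Input: IN=eth0 OUT= MAC={MAC} SRC=195.92.195.93 "
    "DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=53 DPT=32833 LEN=282",
    f"Sep 5 16:00:53 www kernel: Input: IN=eth0 OUT= MAC={MAC} SRC=195.92.195.93 "
    "DST=195.92.38.54 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4321 SEQ=1",
    f"Sep 5 16:00:54 www kernel: Input: IN=eth0 OUT= MAC={MAC} SRC=195.92.195.93 "
    "DST=195.92.38.54 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=80 DPT=32834 ACK SYN URGP=0",
    f"Sep 5 16:00:55 www kernel: Input: IN=eth0 OUT= MAC={MAC} SRC=192.0.2.17 "
    "DST=195.92.38.54 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=4444 DPT=23 SYN URGP=0",
]

FIELD = re.compile(r"^(\w+)=(.*)$")

def parse_log_line(line):
    """Split the text after the 'Input: ' prefix into KEY=VALUE fields and bare flags (DF, SYN, ACK)."""
    fields, flags = {}, set()
    for tok in line.split("Input: ", 1)[1].split():
        m = FIELD.match(tok)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # keep the IP-header LEN/ID, not the later duplicate
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(fields):
    """Name the kind of reply packet an ESTABLISHED,RELATED rule should have accepted, else 'unsolicited'."""
    proto, flags = fields.get("PROTO"), fields["FLAGS"]
    if proto == "UDP" and fields.get("SPT") == "53" and int(fields.get("DPT", "0")) >= 1024:
        return "dns-reply"                 # answer to the server's own DNS query
    if proto == "TCP" and {"SYN", "ACK"} <= flags:
        return "tcp-syn-ack"               # second step of a connection the server opened (e.g. Lynx)
    if proto == "ICMP" and fields.get("TYPE") == "0":
        return "icmp-echo-reply"           # reply to the server's own ping
    return "unsolicited"

def triage(lines):
    """Count dropped packets by kind; any reply kind means the state rule never took effect."""
    counts = Counter(classify(parse_log_line(line)) for line in lines)
    return counts, any(kind != "unsolicited" for kind in counts)

if __name__ == "__main__":
    counts, state_rule_missing = triage(SAMPLE_LOG)
    print(dict(counts), "state rule missing:", state_rule_missing)
```

Feed it the real `Input:` lines from /var/log/kern.log instead of SAMPLE_LOG; if the reply kinds dominate, the `-m state` rule is the one to look for in the `bash -x` output.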