Re: myfirewall help

All I saw in the rules and policies were ACCEPT's, so what was really
being blocked?  Seemed to be a new router layer being added rather than
anything resembling a firewall.  I must have missed something eh?

Thanks,

Ron DuFresne

On Thu, 27 Jan 2005, Eric Ellis wrote:

> Jason Opperisano wrote:
> > On Thu, 2005-01-27 at 05:13, varun_saa@xxxxxxxx wrote:
> > 
> >>Hello,
> >>      My server is Mandrake 10.1
> >>eth0 is WAN with static IP connected to 512k DSL
> >>eth1 is LAN
> >>
> >>I am trying to write iptables rules and I am 
> >>stuck with some error.
> >>
> >>My iptable file is as follows :
> >>
> >># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> >>*nat
> >>:OUTPUT ACCEPT [0:0]
> >>:PREROUTING ACCEPT [0:0]
> >>:POSTROUTING ACCEPT [0:0]
> >>-A POSTROUTING -o eth0 -j MASQUERADE
> >>COMMIT
> >># Completed on Thu Oct 21 05:32:36 2004
> >># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> >>*mangle
> >>:PREROUTING ACCEPT [32056:3889577]
> >>:INPUT ACCEPT [32010:3885659]
> >>:FORWARD ACCEPT [0:0]
> >>:OUTPUT ACCEPT [31637:4617585]
> >>:POSTROUTING ACCEPT [31639:4618071]
> >>COMMIT
> >># Completed on Thu Oct 21 05:32:36 2004
> >># Generated by iptables-save v1.2.9 on Thu Oct 21 05:32:36 2004
> >>*filter
> >>:FORWARD ACCEPT [0:0]
> >>:INPUT DROP [0:0]
> >>:OUTPUT ACCEPT [0:0]
> >>-A INPUT -j ACCEPT
> >>-A INPUT -s 127.0.0.1 -j ACCEPT
> >>-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> >>-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
> >>COMMIT
> >># Completed on Thu Oct 21 05:32:36 2004
> >>
> >>When I am trying to save I get the following error :
> >>
> >>iptables-restore v1.2.9: Can't use -o with INPUT
> >>
> >>Error occurred at line: 25
> >>Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> >>
> >>Can anybody guide me ?
> > 
> > 
> > yeah--you can't use "-o" with INPUT.
> > 
> > if you are under the impression that the traffic you're trying to filter
> > has both an inbound and outbound interface and that the packet is
> > FORWARD-ed from one to the other--you should be adding that rule to the
> > FORWARD chain, not the INPUT chain.
> > 
> > btw--what traffic do you believe has a source port of 80 and a
> > destination port of 3128?
> > 
> > -j
> > 
> > --
> > "Oh, people can come up with statistics to prove anything, Kent. 14%
> >  of people know that."
> > 	--The Simpsons
> Jason:
> 
> He has a squid proxy on the other side. :)  3128 is the default for squid.
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>
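A small linter for the two problems the thread raises (an interface option the chain cannot match on, such as `-o` on INPUT, and rules shadowed by an earlier unconditional ACCEPT), as an added example that is not code from any of the posters. The sample dump is the filter table quoted above; the FORBIDDEN mapping and the shadowing heuristic are my own simplification of how iptables behaves.

```python
"""Lint an iptables-save dump for interface options the chain cannot match on
and for rules shadowed by an earlier unconditional ACCEPT (added example)."""
import shlex

# Netfilter hooks: INPUT/PREROUTING have no output interface yet, and
# OUTPUT/POSTROUTING have no input interface. Only FORWARD sees both.
FORBIDDEN = {
    "INPUT": {"-o", "--out-interface"},
    "PREROUTING": {"-o", "--out-interface"},
    "OUTPUT": {"-i", "--in-interface"},
    "POSTROUTING": {"-i", "--in-interface"},
}

# Constructed sample: the filter table from the original post.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
-A INPUT -p udp -m udp -i eth1 -o eth0 --dport 3128 --sport 80 -j ACCEPT
COMMIT
"""

def lint_iptables_save(dump):
    """Return [(line_no, message), ...] for the problems found in `dump`."""
    findings = []
    accept_all = set()  # chains (in the current table) that already accept everything
    for no, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ":")) or line == "COMMIT":
            continue
        if line.startswith("*"):          # new table: chain state starts over
            accept_all = set()
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] not in ("-A", "--append"):
            continue
        chain, opts = tokens[1], tokens[2:]
        for opt in sorted(FORBIDDEN.get(chain, set()).intersection(opts)):
            findings.append((no, f"Can't use {opt} with {chain}; only FORWARD matches both interfaces"))
        if chain in accept_all:
            findings.append((no, f"{chain} already has an unconditional ACCEPT; this rule never matches"))
        if opts == ["-j", "ACCEPT"]:      # no match options at all: every packet is accepted
            accept_all.add(chain)
    return findings
```

Running `lint_iptables_save(SAMPLE)` reports the two `-o` rules that iptables-restore rejects and, separately, that every INPUT rule after the first is dead because `-A INPUT -j ACCEPT` already accepts everything.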
