Re: --policy DROP kills everything?


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



To allow ports 80 and 22 from the outside into the firewall itself, you need NEW,ESTABLISHED,RELATED; ESTABLISHED,RELATED will not suffice.

It would suffice for outgoing-only connections, but for incoming connections to the FW from any site outside, you need to allow the SYN (state NEW).

Thanks,

Ron DuFresne


On Thu, 9 Jun 2005, David Busby wrote:

R. DuFresne wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


We found that in a 1:1 NAT setup the policy for the FORWARD chain has to be ACCEPT or traffic will not flow.

Thanks,

Ron DuFresne

My box only has rules in the INPUT chain; it doesn't do IP forwarding/routing at all.
I have these rules:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  192.168.42.1         0.0.0.0/0           udp dpt:514
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.42.2        tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

And I cannot make new connections to port 22 or port 80; I see it in the logs.
An existing SSH connection will stay up if I connect with no rules and then run iptables-restore. This seems totally odd to me. The UDP traffic is also blocked. Everyone is telling me that these rules should work, that new connections should be allowed and such, but that's not the case. Here's what my modules look like:

imperium root # lsmod
Module                  Size  Used by
ipt_LOG                 6272  1
ipt_state               1472  1
ip_conntrack           39860  1 ipt_state
iptable_filter          2944  1
ip_tables              16320  3 ipt_LOG,ipt_state,iptable_filter

So everything looks loaded OK too, but it's not working. I even added these rules:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

But I still cannot make a new connection to port 22 or 80. What gives? What do I try now?

/djb


- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCqI/cst+vzJSwZikRAhWOAJ9IDdK+zJg+OZFIgDlZ1L70/QiuwgCgzr96
2/aVRqww5vfCotUcROUhW08=
=93zv
-----END PGP SIGNATURE-----
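Ron's point about NEW versus ESTABLISHED,RELATED, and David's observation that an SSH session opened before iptables-restore keeps working, as an added example that is not code from the thread: a small Python model of first-match INPUT chain evaluation with an ip_conntrack-style state table. The addresses, ports and rule sets are constructed; the model ignores TCP window tracking, the tcp_loose pickup of mid-stream packets and the RELATED helper modules, and only asks whether a flow for the 5-tuple has already been confirmed. The conntrack table is deliberately kept outside the chain object, because on a real box the ip_conntrack table is separate from the rules and is not cleared when iptables-restore swaps them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                              # "ACCEPT", "DROP" or "LOG"
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    state: FrozenSet[str] = frozenset()      # empty: no "-m state" match at all


FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent 5-tuple, so replies map onto the original flow."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, a, b)


class InputChain:
    """First-match evaluation of an INPUT chain with a chain policy.

    `conntrack` is passed in rather than owned: like the kernel's ip_conntrack
    table it is separate from the rules, so an iptables-restore (a new chain
    object here) does not forget existing flows.
    """

    def __init__(self, rules: Sequence[Rule], policy: str, conntrack: Set[FlowKey]):
        self.rules = list(rules)
        self.policy = policy
        self.conntrack = conntrack
        self.log: list = []

    def state(self, p: Packet) -> str:
        # Simplification: the real tracker also checks TCP flags and windows.
        return "ESTABLISHED" if flow_key(p) in self.conntrack else "NEW"

    @staticmethod
    def matches(r: Rule, p: Packet, st: str) -> bool:
        return (
            (r.proto == "all" or r.proto == p.proto)
            and ip_address(p.src) in ip_network(r.src, strict=False)
            and ip_address(p.dst) in ip_network(r.dst, strict=False)
            and (r.dport is None or r.dport == p.dport)
            and (not r.state or st in r.state)
        )

    def input(self, p: Packet) -> str:
        st = self.state(p)
        verdict = self.policy                   # applies when no rule matches
        for r in self.rules:
            if not self.matches(r, p, st):
                continue
            if r.target == "LOG":               # LOG never terminates traversal
                self.log.append(f"IN {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport} state={st}")
                continue
            verdict = r.target
            break
        if verdict == "ACCEPT":
            self.conntrack.add(flow_key(p))     # entry confirmed only on accept
        return verdict


def demo() -> dict:
    est = Rule("ACCEPT", state=frozenset({"RELATED", "ESTABLISHED"}))
    log_all = Rule("LOG")
    client, fw = "203.0.113.5", "192.168.42.2"   # constructed addresses
    syn = Packet("tcp", client, 40000, fw, 22)   # first packet of an SSH connect
    out = {}

    # 1. Only RELATED,ESTABLISHED in the chain: the SYN is NEW, nothing but
    #    LOG matches, and the chain policy DROP applies.
    only_est = InputChain([est, log_all], "DROP", set())
    out["syn_only_established"] = only_est.input(syn)
    out["dropped_syn_logged"] = len(only_est.log)

    # 2. Allow NEW for dpt 22: the SYN is accepted and the rest of the flow
    #    then matches as ESTABLISHED.
    ssh_new = Rule("ACCEPT", proto="tcp", dport=22,
                   state=frozenset({"NEW", "ESTABLISHED", "RELATED"}))
    with_new = InputChain([ssh_new, est, log_all], "DROP", set())
    out["syn_with_new"] = with_new.input(syn)
    out["state_after_syn"] = with_new.state(syn)
    out["data_after_syn"] = with_new.input(syn)   # same 5-tuple, now ESTABLISHED

    # 3. Session opened with no rules loaded (policy ACCEPT), then an
    #    "iptables-restore" installs the restrictive chain over the same
    #    conntrack table: the old session survives, a fresh SYN does not.
    ct: Set[FlowKey] = set()
    open_box = InputChain([], "ACCEPT", ct)
    open_box.input(syn)
    restored = InputChain([est, log_all], "DROP", ct)
    out["old_session_after_restore"] = restored.input(syn)
    out["new_syn_after_restore"] = restored.input(Packet("tcp", client, 40001, fw, 22))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v}")
```

On a real box the equivalent check is `iptables -L INPUT -v -n --line-numbers`: the per-rule packet counters show whether an incoming SYN is being counted against the dpt:22 rule or is falling through to the LOG rule and the chain policy, which narrows the problem down faster than reading the log messages alone.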

