Problems configuring iptables

Hi all,

I am new to iptables, so please bear with me here. I am configuring what I think is a fairly simple setup. I have a Linux box which is acting as a network bridge that I want to install the firewall on. It has two ethernet cards: eth0 is attached to the internet, and eth1 is connected to the internal network. All machines inside the network use static public IP addresses, so there is no need to use NAT services or IP masquerading. I am setting it up to only accept SYN packets on certain TCP ports, then accept all packets on existing connections. The order would be:

ACCEPT SYN packets for certain TCP services.
DENY all other SYN packets on other TCP services.
ACCEPT all other TCP packets that are part of an existing connection.
DENY all other TCP packets.

I started by changing the policies on INPUT and FORWARD to drop all packets by default, and OUTPUT to accept.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Next, I added a rule to allow all traffic from the internal network to the outside world:

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Next, a rule to forward packets that are part of an existing connection from eth0 to eth1.

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Same thing, but on the firewall...

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

And to allow all inputs from the internal network and local loopback to the firewall.

iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

So after I set up these rules, if I understand iptables correctly, all traffic from inside the network should flow out smoothly over the bridge no matter what the internal IP address is or what port the traffic is on. This, however, is not happening: no traffic can flow in or out of the network.

Also, if I try to add a rule to allow, say, SSH traffic to a specific machine behind the firewall, I run into other problems. If I type:

iptables -A FORWARD -s 0/0 -d w.x.y.z -p tcp --dport 22 --syn -j ACCEPT

This is, so far as I am aware, the format I would use. However, when I type iptables -L, the listing just hangs before reaching that rule.

Can anyone offer any pointers as to what I may be doing wrong, and what I can do to get this working? Thanks!

Regards,

Matt
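The ruleset Matt describes, written out as a complete script. This is an added example, not code from the post or from the netfilter project, and it assumes two things the post does not state: that eth0 and eth1 are enslaved to a Linux bridge named br0 with br_netfilter loaded (on a real bridge, -i and -o both see br0 rather than the member ports, so rules written with -i eth0 -o eth1 never match and the DROP policy eats everything; the physdev match names the bridge port instead), and that 198.51.100.10 stands in for the post's w.x.y.z. The final listing uses -n, since iptables -L without it does a reverse DNS lookup for every address, which is what makes the listing appear to hang on a box that currently cannot reach a resolver. If the box is routing rather than bridging, the physdev matches reduce to the -i/-o form in the post and the sysctl line is unnecessary.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes eth0 and eth1 are bridge
# ports of br0, br_netfilter is available, and 198.51.100.10 (a documentation
# address) is the SSH host the post calls w.x.y.z.
WAN=eth0          # bridge port facing the Internet
LAN=eth1          # bridge port facing the internal network
SSH_HOST=198.51.100.10

# Print one rule that admits new TCP connections from outside to host $1, port $2.
# --syn restricts the match to connection-opening segments; --ctstate NEW
# additionally requires that conntrack does not already know the flow.
fw_allow_tcp() {
    printf 'iptables -A FORWARD -m physdev --physdev-in %s --physdev-out %s -d %s -p tcp --dport %s --syn -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN" "$LAN" "$1" "$2"
}

# Emit the whole ruleset as text so it can be reviewed (or tested) before it
# touches the kernel; run with --apply to feed it to sh.
fw_rules() {
    cat <<EOF
# Bridged frames only visit the iptables FORWARD chain when br_netfilter hooks them.
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# The firewall itself: loopback, replies to its own connections, and the LAN side.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m physdev --physdev-in $LAN -j ACCEPT
# Bridged traffic: -i/-o would both be br0 here, so match the member port instead.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m physdev --physdev-in $LAN --physdev-out $WAN -j ACCEPT
EOF
    fw_allow_tcp "$SSH_HOST" 22
    # Anything else arriving from outside falls through to the FORWARD DROP policy.
    # -n keeps iptables from reverse-resolving every address while listing.
    echo 'iptables -nvL --line-numbers'
}

case "${1:-}" in
    --apply) fw_rules | sh -e ;;
    *)       fw_rules ;;
esac
```

Run it with no arguments to see the rules it would load, and with --apply (as root) to load them; the order matters, because the ESTABLISHED,RELATED rule has to sit ahead of the per-service SYN rules for return traffic to be accepted.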
