On Wed, 2006-09-06 at 07:31 +0200, Rob Sterenborg wrote: > > Hello, > > > > Basically I am allowing internet on the > > firewall as well as nating to 2 clients. > > > > I am not able to ssh from the firewall > > to a client. Though the reverse is > > working. > > > > I would also like to put : > > > > -A OUTPUT -j DROP > > > > But if I do that clients are not able to connect > > to the net. I need add a rule which I could > > not figure out. > > You should allow SSH out when you want to be able to use it. > SSH listens on port 22, so this should do it: > > -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > -A OUTPUT -p tcp --dport 22 -j ACCEPT > -A OUTPUT -j DROP No that did not work. > > > Please comment and correct. > > > > My rules as follows. > > > > > > # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006 > > *nat > >: OUTPUT ACCEPT [0:0] > >: PREROUTING ACCEPT [0:0] > >: POSTROUTING ACCEPT [0:0] > > -A POSTROUTING -o eth0 -s 192.168.15.0/24 -j MASQUERADE > > COMMIT > > # Completed on Sat Jul 22 13:14:10 2006 > > # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006 > > *mangle > >: PREROUTING ACCEPT [80:13056] > >: INPUT ACCEPT [80:13056] > >: FORWARD ACCEPT [0:0] > >: OUTPUT ACCEPT [80:13056] > >: POSTROUTING ACCEPT [80:13056] > > COMMIT > > # Completed on Sat Jul 22 13:14:10 2006 > > # Generated by iptables-save v1.3.3 on Sat Jul 22 13:14:10 2006 > > *filter > >: INPUT ACCEPT [80:13056] > > -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT > > It looks like eth0 is connected to the internet and eth1 to your LAN. > Check if outgoing ssh works using: > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > > > -A INPUT -i lo -j ACCEPT > > -A INPUT -p icmp -j ACCEPT > > -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT > > -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT > > -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT > > -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT > > -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT > > So, you are accepting ftp for the firewall on eth1. See below (FORWARD). > > > -A INPUT -j DROP > >: FORWARD ACCEPT [0:0] > >: OUTPUT ACCEPT [80:13056] > > -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED > > -j ACCEPT > > I would make that: > > -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT > > > -A FORWARD -i eth1 -o eth0 -s 192.168.15.5 -j ACCEPT > > -A FORWARD -i eth1 -o eth0 -s 192.168.15.9 -j ACCEPT > > -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT > > And you allow ftp forwarding on eth1 to eth0. > Either one (see above) is going to work, not both. Since you are > masquerading everything from 192.168.15.0/24 via eth0, I'd say this rule > has hits and the rule in the INPUT chain doesn't. > (Check with "iptables -nvL INPUT" and "iptables -nvL FORWARD".) > > > -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT > > -A FORWARD -i eth1 -o eth0 -p tcp --dport 110 -j ACCEPT > > -A FORWARD -i eth1 -o eth0 -p tcp --dport 119 -j ACCEPT > > -A FORWARD -p udp --dport 53 -j ACCEPT > > -A FORWARD -j DROP > > -A OUTPUT -j ACCEPT > > -A OUTPUT -o lo -j ACCEPT > > This seems useless to me. There are no DROP rules in the OUTPUT chain > and policy is set to ACCEPT. These packets would be accepted anyway. > > > COMMIT > > # Completed on Sat Jul 22 13:14:10 2006 > > > > ---------- end rules -------------- > > Instead of have a last rule with a DROP target, you can also just set > the chain policy to DROP. > > > Gr, > Rob > > >
