On Wed, 31 Jan 2007, Ismaël BALLO wrote:
When I try to test such a configuration:

ipset rules (file ipset.rule, which I load with ipset -R < ipset.rule):

# Generated by ipset 2.2.9a on Mon Jan 29 15:43:49 2007
-N servers iphash --hashsize 1024 --probes 8 --resize 50
-A servers 192.169.50.105
-N services portmap --from 1 --to 31
-A services 22
-N clients iphash --hashsize 1024 --probes 8 --resize 50
-A clients 192.168.1.5
-A clients 192.168.1.4
-B servers :default: -b services
-B services 22 -b clients
COMMIT

iptables rules:

# Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
*nat
:PREROUTING ACCEPT [79:3756]
:POSTROUTING ACCEPT [94:5189]
:OUTPUT ACCEPT [46:3071]
COMMIT
# Completed on Mon Jan 29 15:11:48 2007
# Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
*filter
:INPUT ACCEPT [29336:1622806]
:FORWARD ACCEPT [1122:89879]
:OUTPUT ACCEPT [700613:32934646]
:LOG_DROP - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -m set --set servers dst,dst,src -j ACCEPT
---------------------
-A FORWARD -j LOG_DROP
-A OUTPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "
-A LOG_DROP -j DROP
COMMIT

The firewall drops responses from 192.169.50.105. Do I have to add an ipset rule for the return, as (*)?

(*) -A FORWARD -m set --set clients dst,dst,src -j ACCEPT

Without (*), it doesn't work, but this last rule disturbs me.
Yes, the rule to allow the reply packets is missing. The best is to add the rule

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

as the very first in the FORWARD chain.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
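As an added illustration (not code from the thread, ipset or iptables), the following Python model walks the three bound sets the way `-m set --set servers dst,dst,src` does and evaluates the FORWARD chain for the SSH request, its reply, and an unsolicited packet. It shows why the reply is dropped without a state rule, and that the poster's (*) rule accepts any packet addressed to a client, whereas the ESTABLISHED,RELATED rule only accepts replies to connections conntrack has already seen. The binding walk is a simplified assumption about ipset 2.x matching, in particular that the walk ends positively once an element has no binding.

```python
# Sets as loaded by "ipset -R": the set type decides which packet field is compared.
SETS = {
    "servers":  ("ip",   {"192.169.50.105"}),
    "services": ("port", {22}),
    "clients":  ("ip",   {"192.168.1.5", "192.168.1.4"}),
}
# -B servers :default: -b services ;  -B services 22 -b clients
BINDINGS = {("servers", ":default:"): "services", ("services", 22): "clients"}

def packet(src_ip, src_port, dst_ip, dst_port, state):
    """Constructed packet; 'state' is what conntrack would assign to it."""
    return {"src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "state": state}

def set_match(name, flags, pkt):
    """Emulate --set NAME f1,f2,...: each flag picks the packet side checked
    against the current set; the matched element's binding selects the next set.
    Assumption: if the element has no binding, the walk ends with a match."""
    for flag in flags:
        kind, members = SETS[name]
        value = pkt[f"{flag}_{kind}"]          # dst_ip, dst_port, src_ip, ...
        if value not in members:
            return False
        nxt = BINDINGS.get((name, value)) or BINDINGS.get((name, ":default:"))
        if nxt is None:
            return True
        name = nxt
    return True

def forward(pkt, state_rule=False, star_rule=False):
    """Verdict of the FORWARD chain from the thread. state_rule prepends the
    ESTABLISHED,RELATED rule; star_rule appends the poster's (*) rule."""
    if state_rule and pkt["state"] in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if set_match("servers", ("dst", "dst", "src"), pkt):
        return "ACCEPT"
    if star_rule and set_match("clients", ("dst", "dst", "src"), pkt):
        return "ACCEPT"
    return "LOG_DROP"

# Constructed traffic: client -> server SSH, the server's reply, and a
# packet nobody asked for that happens to be addressed to a client.
REQUEST = packet("192.168.1.5", 40000, "192.169.50.105", 22, "NEW")
REPLY   = packet("192.169.50.105", 22, "192.168.1.5", 40000, "ESTABLISHED")
STRAY   = packet("10.9.8.7", 4444, "192.168.1.4", 445, "NEW")
```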