Hi,

For your INPUT rules:
- Change the order of rules 28 and 29 - process the "DROP" rule after "state ACCEPT"
- Remove rule 27

2012/4/24 Richard Thornton <richie.thornton@xxxxxxxxx>:
> Hi,
>
> I hope you can help, please be gentle as it's my first time with raw
> iptables, I have used other firewalls though.
>
> I have a working config, my internal network can get out to the
> internet but because of a lack of understanding I have opened up SSH
> on the firewall to the internet:
>
> 1 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 2 *mangle
> 3 :PREROUTING ACCEPT [3292:1334085]
> 4 :INPUT ACCEPT [462:36946]
> 5 :FORWARD ACCEPT [2826:1297011]
> 6 :OUTPUT ACCEPT [268:37651]
> 7 :POSTROUTING ACCEPT [3075:1327352]
> 8 -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
> 9 COMMIT
> 10 # Completed on Tue Apr 24 16:51:19 2012
> 11 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 12 *nat
> 13 :PREROUTING ACCEPT [130:12667]
> 14 :INPUT ACCEPT [4:586]
> 15 :OUTPUT ACCEPT [4:264]
> 16 :POSTROUTING ACCEPT [0:0]
> 17 -A POSTROUTING -o ppp0 -j MASQUERADE
> 18 COMMIT
> 19 # Completed on Tue Apr 24 16:51:19 2012
> 20 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 21 *filter
> 22 :INPUT DROP [0:0]
> 23 :FORWARD DROP [0:0]
> 24 :OUTPUT DROP [0:0]
> 25 -A INPUT -i lo -j ACCEPT
> 26 -A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2 -m tcp --dport 22 -j ACCEPT
> 27 -A INPUT -i ppp0 -j ACCEPT
> 28 -A INPUT -j DROP
> 29 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 30 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 31 -A FORWARD -i br0 -o ppp0 -j ACCEPT
> 32 -A FORWARD -j DROP
> 33 -A OUTPUT -o lo -j ACCEPT
> 34 -A OUTPUT -o br0 -j ACCEPT
> 35 -A OUTPUT -o ppp0 -j ACCEPT
> 36 -A OUTPUT -j DROP
> 37 COMMIT
> 37 # Completed on Tue Apr 24 16:51:19 2012
>
> I believe my mistake is in either line 27 or line 35 but if I remove
> either of them my firewall fails to be able to access the internet
> locally for apt and stuff.
>
> To add some background, basically I have the following running on an
> Ubuntu 12.04 server:
>
> ppp0 brought up on eth0
> br0 a bridge which includes wlan0 and eth2 (office LAN)
> eth3 (lab mgmt)
> eth4 (lab)
> eth5 (quarantined PC)
>
> So the firewall should be able to access the internet but the internet
> should not be able to access the firewall.
> Users on br0 should be able to access the internet, lab, lab mgmt, firewall.
> The lab should be able to access the internet.
> Lab mgmt should be able to access the internet; there are 8 IPs in
> here and I have public IPs for them all but I need to set up SNAT and
> fwknop doing DNAT to access them:
>
> iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y
>
> With the above I am worried that this will conflict with line 17...
>
> I believe fwknop will handle the DNAT stuff automagically.
>
> The quarantined PC should be able to access the internet but nothing else.
>
> I have a way to go :)
>
> Thanks for looking.
>
> Kind Regards
> Richard
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
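The two changes in the reply applied to the quoted dump, as an added worked example that is not part of the thread. The point being fixed: iptables evaluates a chain top to bottom and stops at the first terminating target, so rule 28 (`-A INPUT -j DROP`) makes rule 29 (the RELATED,ESTABLISHED accept) unreachable, which is why the box loses its own internet access when rule 27 (accept everything arriving on ppp0) is removed: with 27 gone, replies to the firewall's own apt and DNS traffic hit the catch-all DROP before the conntrack rule can accept them. The script rejoins the poster's dump onto one line per rule (line numbers then match the ones used in the thread), applies the reply's edit with awk, and runs a small lint over any iptables-save dump that flags (a) rules shadowed by an earlier catch-all DROP in the same chain and (b) an INPUT rule that accepts everything from the WAN interface. The interface name `ppp0` is taken from the post; `lint_ruleset` and `apply_reply_fix` are names chosen here. Needs only POSIX sh and awk, no root, since nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example (not from the thread). The dump below is the poster's
# iptables-save output with the two e-mail-wrapped rules (8 and 26) rejoined,
# so that awk's NR equals the line numbers quoted in the thread.
original_dump() {
cat <<'EOF'
# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
*mangle
:PREROUTING ACCEPT [3292:1334085]
:INPUT ACCEPT [462:36946]
:FORWARD ACCEPT [2826:1297011]
:OUTPUT ACCEPT [268:37651]
:POSTROUTING ACCEPT [3075:1327352]
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Apr 24 16:51:19 2012
# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
*nat
:PREROUTING ACCEPT [130:12667]
:INPUT ACCEPT [4:586]
:OUTPUT ACCEPT [4:264]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 24 16:51:19 2012
# Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2 -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
-A INPUT -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o ppp0 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Tue Apr 24 16:51:19 2012
EOF
}

# apply_reply_fix < dump: the reply's two changes, by line number.
# Line 27 (accept everything from ppp0) is removed; lines 28 and 29 are
# swapped so the conntrack ACCEPT is evaluated before the catch-all DROP.
apply_reply_fix() {
    awk 'NR == 27 { next }                      # drop the blanket WAN accept
         NR == 28 { held = $0; next }           # hold "-A INPUT -j DROP" ...
         NR == 29 { print; print held; next }   # ... and emit it after the conntrack rule
         { print }'
}

# lint_ruleset WAN_IFACE < dump: one finding per line, or "ok".
# Only the filter table is inspected. A "catch-all" is "-A CHAIN -j DROP"
# with no match expression; anything appended to that chain after it can
# never be reached. The second check is the mistake from the thread:
# "-A INPUT -i WAN -j ACCEPT" exposes every listening service to the WAN.
lint_ruleset() {
    awk -v wan="$1" '
        /^\*/ { table = substr($0, 2); split("", dropped); next }
        table != "filter" || $1 != "-A" { next }
        {
            chain = $2
            if (chain in dropped) {
                printf "unreachable: line %d is shadowed by catch-all DROP at line %d\n", NR, dropped[chain]
                found = 1
            }
            if (NF == 4 && $3 == "-j" && $4 == "DROP")
                dropped[chain] = NR
            if (chain == "INPUT" && NF == 6 && $3 == "-i" && $4 == wan && $6 == "ACCEPT") {
                printf "exposed: line %d accepts all input from %s\n", NR, wan
                found = 1
            }
        }
        END { if (!found) print "ok" }
    '
}

# Before and after: the original dump yields two findings, the fixed one "ok".
original_dump | lint_ruleset ppp0
original_dump | apply_reply_fix | lint_ruleset ppp0
```

After the fix the INPUT chain reads lo accept, SSH from eth2, RELATED,ESTABLISHED accept, then DROP, which is the order the reply asks for; the usual convention is to put the RELATED,ESTABLISHED rule right after the loopback rule, ahead of any per-service accepts, but either order closes the hole. Write the fixed dump to a file, load it with `iptables-restore`, and confirm with `iptables -S INPUT` that the conntrack rule now precedes the DROP before opening a new session to the box.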