RE: iptables help needed


JR,
  I know very little about iptables either; I use the script supplied at this Web site. There are also discussion groups there.

John
http://monmotha.mplug.org/firewall/index.php



-----Original Message-----
From: JR [mailto:traken@spscompanies.com]
Sent: Monday, February 17, 2003 12:39 PM
To: security-discuss@linuxsecurity.com
Subject: iptables help needed


        OK, I'm pretty new to iptables, but this is where I'm at: Red Hat 8, kernel
2.4.20 w/ pom-20030107 mods added, dhcpd server.  The dhcpd seems fine; I can
get to the main box fine from a 192.168.. PC but I cannot get past the main
box: ping, telnet, ftp, nothing.  The main box can do all those...
   I have gotten kinda crazy with opening things up to try and get this to
work; seems like I must be close:

/sbin/iptables -vL | more
Chain INPUT (policy ACCEPT 3 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere            state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:telnet
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:1065
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:1063
    0     0 ACCEPT     udp  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere
   60  4464 ACCEPT     all  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3 packets, 348 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
   32  6672 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     modem                anywhere
    0     0 ACCEPT     all  --  any    any                          anywhere
    0     0 ACCEPT     all  --  any    eth0    anywhere             anywhere
    0     0 ACCEPT     all  --  any    eth1    anywhere             anywhere

This is the file I run to get this:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t filter -A FORWARD
echo \* Setting loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
echo \* setting NAT rules
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/25 -d -0/0 -j
MASQU$
echo \* setting external rules
/sbin/iptables -t filter -A INPUT -i eth1 -m tcp -p tcp --dport 22 -j ACCEPT
#allow ftp etc
/sbin/iptables -t filter -A INPUT -i eth1 -p tcp -m state --state
ESTABLISHED,\$
#Drop all new connects?
/sbin/iptables -t filter -A INPUT -i eth1 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 1065 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 1063 -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
#/sbin/iptables -A OUTPUT -p ALL -s 192.168.1.7 -j ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A INPUT -p UDP -i eth1 -j ACCEPT
/sbin/iptables -A FORWARD -p ALL -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -p UDP -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -p ALL -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
$
/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
$
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT



I'm not afraid to read; if someone can steer me in the right direction I
would very much appreciate it, pretty lost right now...


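Added example, not from the thread and not the MonMotha script John links: a minimal stateful ruleset for the layout JR describes (a Red Hat box handing out 192.168.1.x via dhcpd on one interface and reaching the outside on the other), written so the FORWARD and NAT parts that the quoted script leaves wide open or broken are explicit. The interface roles (eth0 = LAN, eth1 = upstream, which is what the ssh-on-eth1 rule implies), the /24 LAN size and the file name are assumptions. Two things in the quoted script are worth checking before anything else: `-d -0/0` on the POSTROUTING line is not a valid address, so that rule is probably never installed, nothing gets masqueraded, and forwarded packets leave with private source addresses that nothing upstream can reply to; and `-s 192.168.1.0/25` would cover only .1 to .127 even if it did load. The `-t filter -A FORWARD` line with no `-j` is what produces the empty-target rule in the FORWARD listing; it matches everything and does nothing.

```shell
#!/bin/sh
# gateway.sh (assumed name): stateful NAT gateway ruleset for a two-interface
# Linux box. Added example, not the poster's script. Interface roles and the
# LAN size below are assumptions about the setup described in the thread.
#
#   sh gateway.sh          # dry run: print the commands that would be run
#   sudo sh gateway.sh apply   # execute them against the kernel

LAN_IF="eth0"              # side that dhcpd serves
WAN_IF="eth1"              # side the ssh rule in the thread is on
LAN_NET="192.168.1.0/24"   # a /25 would stop at .127 and miss higher DHCP leases
IPT="echo /sbin/iptables"  # dry run by default; "apply" swaps in the real binary

ipt() { $IPT "$@"; }

reset_tables() {
    # Start from a clean slate in the nat table too, not only filter.
    ipt -t filter -F; ipt -t filter -X; ipt -t filter -Z
    ipt -t nat -F;    ipt -t nat -X;    ipt -t nat -Z
}

set_policies() {
    # Least privilege: nothing enters or transits unless a rule below allows it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

input_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Remote management from the upstream side: ssh only, as in the thread.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # DHCP requests arrive from 0.0.0.0, so they need their own rule; after
    # that, LAN hosts may reach services on the gateway itself.
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

forward_rules() {
    # Replies to LAN-initiated connections come back through here; anything
    # else arriving from the upstream side falls through to the DROP policy.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

nat_rules() {
    # Rewrite LAN sources to the upstream address on the way out. "-d 0/0"
    # (every destination) is the default, so it is simply left out.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_firewall() {
    reset_tables
    set_policies
    input_rules
    forward_rules
    nat_rules
    # Routing has to be switched on or FORWARD never sees a packet.
    if [ "$IPT" = "/sbin/iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# rule_count reports how many iptables invocations the dry run produces,
# which makes a quick sanity check when the script is edited.
rule_count() { apply_firewall | grep -c '^/sbin/iptables'; }

if [ "${1:-}" = "apply" ]; then
    IPT="/sbin/iptables"
fi
apply_firewall
```

By default the script only prints the commands it would run, so the ruleset can be read through (or compared with `iptables-save` output) before `apply` executes it as root. The DROP policies on INPUT and FORWARD mean that anything not listed, including unsolicited connections from the upstream side toward LAN hosts, is discarded instead of being let through, which is the opposite of what the all-ACCEPT FORWARD chain in the quoted listing does.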
