Hi all! My distro is Debian Stable 3.1. I've set up this script (/etc/rc2.d/S97iptables) on my home PC to insert some iptables rules.

#!/bin/sh
# flush all rules
/sbin/iptables -F
# set the default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
# close all ports in input
/sbin/iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
# open some ports in input
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
But I have some problems. I can't connect to any port of this computer from other computers on my network. When I launch halt, the PC stops all services but doesn't switch off... it remains frozen on the last system messages.
So I think the problem is that my rules don't allow pinging the PC. In fact, if I launch ping or nmap locally, "Operation not permitted" is shown. So I added the rule below:
iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT
or:
iptables -A INPUT -p icmp -j ACCEPT
but all the problems remain.
Where's the mistake?
Thanks in advance.
In my experience, you can set the ipv4_forward to 1. Hope this can help you.
Hi,
As for the nmap issue: some options require root privileges, so that might be the problem; however, ping should work (unless you do a broadcast or flood ping).
Assuming the eth0 interface is the one connected to the internet, your rules seem a bit strange.
First you disallow NEW and INVALID packets (which is not bad), but after that you drop the packet anyway (the -P setting).
If eth0 is your internet interface, I always use:
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
This gives the same result as what you want to do (at least I think), with the difference that you specify what to drop, and I specify what to accept.
And before any other PC on your network will be able to connect to the internet, you might have to set up NAT, which is done in the POSTROUTING chain.
Assuming eth1 is the interface where the rest is connected, you might want to do:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
If you don't use NAT, filtering in the FORWARD chain is useful. In this case you made the same mistake again (DROP what you don't want, and ... well, drop the packet anyway :-) ). Using the line above for the FORWARD chain might fix it:
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
But remember, you also need to accept some outgoing traffic if you set the FORWARD default policy to DROP (like you did):
iptables -A FORWARD -i eth1 -j ACCEPT
This accepts any traffic from your network to anywhere.
Last but not least, check whether /proc/sys/net/ipv4/ip_forward is set to 1.
Best regards, pa4wdh
----
The biggest difference between M$ stuff and the rest ? Most stuff is secure by design, M$ stuff is secure by accident.
bash# killall gaim killall: Don't shoot the messenger !
If we have /dev/powerbutton, what would touch /dev/powerbutton do ?
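A stateful version of the original script along the lines pa4wdh describes, added here as an example (it is not code from the thread). It assumes eth0 faces the internet, eth1 the LAN, and a placeholder LAN subnet of 192.168.1.0/24; the IPT, WAN, LAN, LAN_NET, firewall_rules and rule_count names are this example's own. Run it with IPT=echo (or the dry-run argument) to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful version of the OP's
# firewall along the lines pa4wdh suggests. Assumptions: eth0 faces the
# internet, eth1 the LAN, and LAN_NET is a placeholder subnet.
# Run with IPT=echo (or the dry-run argument) to print the rules instead
# of applying them; applying for real needs root.
IPT="${IPT:-/sbin/iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

firewall_rules() {
    $IPT -F
    $IPT -t nat -F
    # Drop inbound and forwarded traffic by default, but let locally
    # generated traffic out: the OP's OUTPUT DROP with no OUTPUT rules is
    # what makes a local ping fail with "Operation not permitted".
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback is needed by many local services (the "localhost entry").
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened; discard malformed packets.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Services offered: SSH, HTTP and DNS; ICMP echo so the box answers ping.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Forwarding: the LAN may go anywhere; from the WAN only replies return.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT
    # NAT: POSTROUTING matches the outgoing interface (-o); -i is invalid here.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# Number of -A rules the script would add (useful to sanity-check a dry run).
rule_count() (
    IPT=echo
    firewall_rules | grep -c -E -- '(^| )-A '
)

case "${1:-}" in
    apply)   firewall_rules && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    dry-run) IPT=echo; firewall_rules ;;
esac
```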
> foobar47 (Feb 6 2006, 03:25 PM): Excuse me but, where is the localhost entry ?? ::

In /etc/hosts?
> x86processor (Feb 7 2006, 03:42 AM): In /etc/hosts?

No, in the iptables' decola script !!?
----
Linux is like sex, it's better when it's free...