
Re: iptables ruleset ...



On Wednesday, 09.02.2005 at 13:30 +0100, Manfred Sampl wrote:

> Hi,
> 
> My input ruleset doesn't work as it should... I'm using woody /
> netfilter on 2.4.27 (debian kernel I think) for doing the routing on a
> DSL connection.
> 
> I can't reach ssh on the external interface.

Please clarify - really from 'outside', or just using the external IP
from an internal IP.  It's important.

> First here is my ruleset: 
> 
> # IP spoofing rules 
> $IPTABLES -A INPUT -i $EXTIF -p TCP  -s 10.0.0.0/8 -j DROP
> $IPTABLES -A INPUT -i $EXTIF -p TCP  -s 192.0.0.0/16 -j DROP
> $IPTABLES -A INPUT -i $EXTIF -p TCP  -s 127.0.0.0/8 -j DROP
> $IPTABLES -A INPUT -i $EXTIF -p TCP  -s 172.16.0.0/12 -j DROP
> $IPTABLES -A INPUT -i $EXTIF -p TCP  -s 240.0.0.0/5 -j DROP
> 
> # loopback interfaces are valid.
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> 
> # pptp 
> # 1+2 line: pptp control + data
> $IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT 
> $IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT               
> 
> # ssh IN
> $IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT 
> $IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT 
> 
> # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
> 
> # SMB - Enable the following lines if you run an INTERNAL SMB server
> $IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT
> 
> # local interface, local machines, going anywhere is valid
> $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> 
> # external interface, from any source, for ICMP traffic is valid - ping
> $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> 
> # Allow any related traffic coming back to the MASQ server in
> echo "        INPUT: Allow connections OUT and only existing/related IN"
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
>  ESTABLISHED,RELATED -j ACCEPT
> 
> What is wrong? And are the spoofing rules not redundant? The default
> policy is DROP.

They're not technically redundant - if someone tries to hijack a
connection, which might be considered 'ESTABLISHED' or 'RELATED', making
sure you dump the IP spoofing traffic is important.

Answer the question above.  If you can't figure out what's being
dropped, then add a 'log' statement to each chain and see where stuff is
being blocked.

Looking at your rules, if you have default policy DROP, your OUTPUT
chain is getting DROPped, so your incoming SSH connection, although
accepted, is not allowed to send any traffic back out.

Dave.
-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
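As an added example, not part of Dave's mail or Manfred's ruleset: the two things the reply recommends, a stateful OUTPUT chain so an accepted inbound SSH connection can send its replies, and a LOG rule at the end of each chain so dropped packets show up in the kernel log. The script dry-runs by default (IPTABLES defaults to "echo iptables"); the IPTABLES, EXTIF and INTIF defaults are assumptions, set them to the real values and run as root to apply.

```shell
#!/bin/sh
# Dry run unless IPTABLES is set to the real binary, e.g. IPTABLES=iptables.
IPTABLES="${IPTABLES:-echo iptables}"
EXTIF="${EXTIF:-ppp0}"   # assumed external (DSL) interface name
INTIF="${INTIF:-eth0}"   # assumed internal LAN interface name

# With policy DROP on OUTPUT nothing the router itself sends can leave,
# including sshd's replies to a connection INPUT already accepted.
# Allow loopback, replies to any accepted connection, everything towards
# the LAN, and new connections the router originates (DNS, updates).
allow_output() {
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTIF" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -m state --state NEW -j ACCEPT
}

# Append a rate-limited LOG rule to each built-in chain. It sits after all
# ACCEPT rules, so only packets about to hit the DROP policy are logged;
# read them with dmesg or in syslog, prefixed by the chain name.
log_drops() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m limit --limit 5/min -j LOG \
            --log-prefix "DROP-$chain: " --log-level 4
    done
}

allow_output
log_drops
```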
