> Some comments / questions, neither of which I imagine will solve your problem:

--- lol :-)

> 1) What distro are you using? If RH or derivative, then run this iptables script, and then run iptables-save >/etc/sysconfig/iptables to save it. That way, when you start your machine and /etc/rc.d/init.d/iptables start is run, the rules you have work. I would remove the aliases from this script and put them where they belong, /etc/sysconfig/networking-scripts

--- I am running Red Hat 9. I don't have any problem with starting iptables on boot. I create a link under /etc/rc.d/rc5.d called "S11iptables-custom" that points to my iptables script. I changed the S to a K in front of Red Hat's iptables link so that it wouldn't start and confuse things. Anyway, my script runs at boot fine. If I run "iptables-save" after I have booted, I can see that my script has been run.

> 2) By "break your script" what do you mean? The script doesn't work? Or your networking doesn't work?

--- Sorry, I should have given some more background on what I am trying to do and what is not working.

Basically I have a number of physical servers. Each of these servers I am placing in a DMZ (192.168.1.0/24). I am using the Linux box with IPTables to forward traffic to and from our servers on the DMZ to their respective IP addresses externally on the internet (60.30.135.221/28). I have configured sub-interfaces on eth0 with the external IP addresses (eth0:1 - eth0:13). For simplicity's sake I have made the last octet of each DMZ IP the same as its respective external address.

The goal is to be able to filter what ports are open to any given server. I am opening DNS for most of them right now for test purposes. I will change this later, to different ports, after I know things are working. Also, the IP addresses provided have been slightly altered to protect the innocent. :-)

My problem is this. My script works fine and dandy when my default policies are set to Accept. But as soon as I set my default policies to Drop, everything appears to get blocked. None of the ports specified to be opened appear to open at all when I have the default policies set to Drop, even though the rules for each server specify Allows for specific ports. From a security point of view I want to Drop everything, and then only Allow through specific ports, protocols, and what not.

> I will look over the script to see what you are doing and see what I can suggest to clean it up.

--- Thank you very much. Appreciate it.

Regards,
Brian Horncastle

-----Original Message-----
From: Nathanael Noblet [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2003 4:03 PM
To: [EMAIL PROTECTED]
Subject: Re: (clug-talk) IPTables

On Friday, October 10, 2003, at 04:50 PM, Brian Horncastle wrote:

> Hi,
>
> I wrote an IPTables script. It seems to work fine when the default policies are set as follows:
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> This obviously isn't the most secure way of doing things. I would like to have the default policies set like this instead:
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> As soon as I do this it breaks the rest of my script and nothing works properly. Could anyone enlighten me on how I can keep the default policy drops and keep my script functional?
>
> Also, I would really appreciate any suggestions on more elegant ways of doing things with IP tables. Any suggestions would be great.
>
> Thank you very much,
>
> Brian H.

Some comments / questions, neither of which I imagine will solve your problem:

1) What distro are you using? If RH or derivative, then run this iptables script, and then run iptables-save >/etc/sysconfig/iptables to save it. That way, when you start your machine and /etc/rc.d/init.d/iptables start is run, the rules you have work. I would remove the aliases from this script and put them where they belong, /etc/sysconfig/networking-scripts

2) By "break your script" what do you mean? The script doesn't work? Or your networking doesn't work?

I will look over the script to see what you are doing and see what I can suggest to clean it up.

--
Nathanael Noblet
Gnat Solutions
4604 Monterey Ave NW
Calgary, AB T3B 5K4
T/F 403.288.5360
C 403.809.5368
http://www.gnat.ca/
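The symptom described in this thread (everything works with ACCEPT policies, nothing works with DROP policies) is what a ruleset looks like when it only accepts the first packet of each connection and never the replies, or when it DNATs traffic to the DMZ without also accepting it in the FORWARD chain. The script below is an added example written for this page; it is not Brian's script and not anything posted in the thread. It uses the thread's address ranges (DMZ 192.168.1.0/24, public aliases on eth0 from 60.30.135.221/28) with two constructed hosts, and it assumes the DMZ sits on eth1, which the thread does not say. By default it only prints the iptables commands it would run (a dry run); set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example: a minimal ruleset that keeps DROP as the default policy on
# INPUT, FORWARD and OUTPUT and still forwards traffic to a DMZ.
# Assumptions not taken from the thread: the DMZ is on eth1, the host list is
# constructed, and the "-m state" match is used (the match available on a
# Red Hat 9 era kernel).

IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables applies for real
EXT_IF=eth0
DMZ_IF=eth1                   # assumption: DMZ interface
DMZ_NET=192.168.1.0/24

# "public-alias dmz-address ports": last octet kept the same, as in the thread.
# Constructed sample data; both hosts only need DNS (53/tcp and 53/udp).
HOSTS='60.30.135.222 192.168.1.222 53
60.30.135.223 192.168.1.223 53'

build_rules() {
    # Start clean, then set the DROP policies the thread is after.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # The firewall box itself: loopback, and replies to its own connections.
    # With OUTPUT DROP and no rule here, even the firewall's own DNS lookups die.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Let the box open its own outbound connections; tighten to specific ports later.
    $IPT -A OUTPUT -o "$EXT_IF" -m state --state NEW -j ACCEPT

    # Forwarded traffic: without this one rule every reply from a DMZ server is
    # dropped by the FORWARD policy, which shows up as "nothing is open".
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets arriving from the outside with a DMZ source address are spoofed.
    $IPT -A FORWARD -i "$EXT_IF" -s "$DMZ_NET" -j DROP

    printf '%s\n' "$HOSTS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        for port in $ports; do
            for proto in tcp udp; do
                # nat table: rewrite the public alias to the DMZ address ...
                $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -p "$proto" --dport "$port" \
                    -j DNAT --to-destination "$priv"
                # ... filter table: the rewritten packet still has to pass FORWARD,
                # so each opened port needs a matching accept here.
                $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$priv" -p "$proto" --dport "$port" \
                    -m state --state NEW -j ACCEPT
            done
        done
        # Connections the DMZ server opens itself go out under its public alias.
        $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$priv" -m state --state NEW -j ACCEPT
        $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" -j SNAT --to-source "$pub"
    done
}

# Dry-run helper: how many emitted rules contain a given fragment.
count_rules() {
    build_rules | grep -c -- "$1"
}

build_rules
```

Two things in this layout matter more than the rest: the ESTABLISHED,RELATED accept in FORWARD, which is the single rule whose absence turns a DROP policy into "everything blocked", and the pairing of every PREROUTING DNAT with a FORWARD accept, because NAT changes the destination but does not exempt the packet from filtering. The dry-run output is also handy for diffing against `iptables-save` after boot to confirm the script that ran is the one you think ran.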
