Hi, I'd appreciate a second opinion on why this script is blocking eth0, confirming or disconfirming the line I've indicated.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# There are two interfaces in this server:
#eth0 - <internet-address>
#eth1 - <lan-address>

### Create Chains
iptables -N IN_LO
iptables -N OUT_LO
iptables -N IN_ETH0
iptables -N OUT_ETH0
iptables -N IN_ETH1
iptables -N OUT_ETH1
iptables -N BLOCKED_PACKETS
iptables -N ICMP_PACKETS

### POLICIES
# Default DROP on all three built-in chains: anything not explicitly
# ACCEPTed by a rule below is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### INPUT
# A user chain that matches nothing returns to the caller; the jump is the
# last rule for each interface, so a returning packet meets the DROP policy.
iptables -A INPUT -j BLOCKED_PACKETS
iptables -A INPUT -p icmp -j ICMP_PACKETS
iptables -A INPUT -i lo -j IN_LO
iptables -A INPUT -i eth0 -j IN_ETH0
iptables -A INPUT -i eth1 -j IN_ETH1

### FORWARD
iptables -A FORWARD -j BLOCKED_PACKETS
iptables -A FORWARD -p icmp -j ICMP_PACKETS
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

### OUTPUT
iptables -A OUTPUT -j BLOCKED_PACKETS
iptables -A OUTPUT -p icmp -j ICMP_PACKETS
iptables -A OUTPUT -o lo -j OUT_LO
iptables -A OUTPUT -o eth0 -j OUT_ETH0
iptables -A OUTPUT -o eth1 -j OUT_ETH1

### BLOCKING_PACKETS
iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
# a NEW connection whose first packet carries SYN+ACK gets a RST back
iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
# a NEW connection whose first packet is not a SYN is dropped silently
iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
    -j DROP
# 224.0.0.0/8 is only the first /8 of multicast; the full range is 224.0.0.0/4
iptables -A BLOCKED_PACKETS -d 224.0.0.0/8 -j DROP
# should this be on both interfaces?
#iptables -A BLOCKED_PACKETS -d <internet-broadcast> -i eth0 -p udp \
#    --dport 135:139 -j DROP
# Is the following line why eth0 is blocked on my system?
# This rule matches only broadcast DHCP datagrams arriving on eth0;
# unicast traffic addressed to <internet-address> never matches it.
iptables -A BLOCKED_PACKETS -d 255.255.255.255 -i eth0 -p udp \
    --dport 67:68 -j DROP

### ICMP_PACKETS
# are all of these really needed? Which ones should I not accept?
# Reached from INPUT, FORWARD and OUTPUT before any interface check, so
# these types are accepted on every interface in both directions; any
# other ICMP type returns to the calling chain.
iptables -A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT   # echo-reply
iptables -A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT   # destination-unreachable
iptables -A ICMP_PACKETS -p icmp --icmp-type 4 -j ACCEPT   # source-quench (deprecated, RFC 6633)
iptables -A ICMP_PACKETS -p icmp --icmp-type 8 -j ACCEPT   # echo-request
iptables -A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT  # time-exceeded
iptables -A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT  # parameter-problem

### IN_LO (localhost)
# are these really needed? Why?
# Connections to the host's own <lan-address>/<internet-address> also
# travel over lo, carrying that address, so a 127.0.0.1-only rule does
# not match them.
iptables -A IN_LO -s 127.0.0.1 -i lo -j ACCEPT
#iptables -A IN_LO -s <lan-address> -i lo -j ACCEPT
#iptables -A IN_LO -s <internet-address> -i lo -j ACCEPT

### IN_ETH0 (Internet)
# No active rule: every packet jumped here returns to INPUT and meets
# its DROP policy.
#iptables -A IN_ETH0 -d <internet-address> -i eth0 -m state \
#    --state RELATED,ESTABLISHED -j ACCEPT

### IN_ETH1 (LAN)
# No active rule either (same effect as IN_ETH0).
#iptables -A IN_ETH1 -d <lan-address> -i eth1 -m state \
#    --state RELATED,ESTABLISHED -j ACCEPT

### OUT_LO (Localhost)
# are these really needed? Why?
iptables -A OUT_LO -d 127.0.0.1 -o lo -j ACCEPT
#iptables -A OUT_LO -d <lan-address> -o lo -j ACCEPT
#iptables -A OUT_LO -d <internet-address> -o lo -j ACCEPT

### OUT_ETH0 (Internet)
# No active rule: every packet jumped here returns to OUTPUT and meets
# its DROP policy.
#iptables -A OUT_ETH0 -s <internet-address> -o eth0 -m state \
#    --state RELATED,ESTABLISHED -j ACCEPT

### OUT_ETH1 (LAN)
# No active rule either (same effect as OUT_ETH0).
#iptables -A OUT_ETH1 -s <lan-address> -o eth1 -m state \
#    --state RELATED,ESTABLISHED -j ACCEPT

#save this setup for next use
# iptables-save only prints the ruleset to stdout; redirect it to the
# file your distribution restores at boot for it to persist.
iptables-save
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
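As an added example (editor's code, not the poster's script), here is the same chain layout rewritten in iptables-restore format with the two changes a reviewer would test first: the per-interface chains carry an active conntrack ACCEPT (in the posted script those lines are commented out, so every packet jumped to IN_ETH0/OUT_ETH0 returns to the built-in chain and lands on its DROP policy), and a rate-limited LOG rule closes each built-in chain so that policy drops show up in the kernel log instead of being silent. A small awk helper turns those log lines back into "chain, interface, protocol, src -> dst:port". Assumptions: interface names eth0/eth1 as in the post; the OUT_* chains also accept NEW so the host can open connections; ICMP source-quench is left out (deprecated by RFC 6633) and echo-request is rate-limited; the `--apply` flag and the two kernel-log lines are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: a corrected ruleset in
# iptables-restore format plus a helper that reads the LOG lines back.
# The two log samples below are constructed, not real captures.

# Emit the whole filter table. iptables-restore loads it atomically, so
# there is no window in which only half of the rules are in place.
build_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:IN_LO - [0:0]
:OUT_LO - [0:0]
:IN_ETH0 - [0:0]
:OUT_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:OUT_ETH1 - [0:0]
:BLOCKED_PACKETS - [0:0]
:ICMP_PACKETS - [0:0]
-A INPUT -j BLOCKED_PACKETS
-A INPUT -p icmp -j ICMP_PACKETS
-A INPUT -i lo -j IN_LO
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-policy-drop: "
-A FORWARD -j BLOCKED_PACKETS
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-policy-drop: "
-A OUTPUT -j BLOCKED_PACKETS
-A OUTPUT -p icmp -j ICMP_PACKETS
-A OUTPUT -o lo -j OUT_LO
-A OUTPUT -o eth0 -j OUT_ETH0
-A OUTPUT -o eth1 -j OUT_ETH1
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-policy-drop: "
-A BLOCKED_PACKETS -m conntrack --ctstate INVALID -j DROP
-A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A BLOCKED_PACKETS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A BLOCKED_PACKETS -d 224.0.0.0/4 -j DROP
-A BLOCKED_PACKETS -i eth0 -d 255.255.255.255 -p udp --dport 67:68 -j DROP
-A ICMP_PACKETS -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
-A ICMP_PACKETS -p icmp --icmp-type 0 -j ACCEPT
-A ICMP_PACKETS -p icmp --icmp-type 3 -j ACCEPT
-A ICMP_PACKETS -p icmp --icmp-type 11 -j ACCEPT
-A ICMP_PACKETS -p icmp --icmp-type 12 -j ACCEPT
-A IN_LO -i lo -j ACCEPT
-A OUT_LO -o lo -j ACCEPT
-A IN_ETH0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A IN_ETH1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUT_ETH0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUT_ETH1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Load the table (needs root). Not called unless --apply is given.
apply_ruleset() {
  build_ruleset | iptables-restore
}

# Reduce one LOG line to "chain iface proto src -> dst:dport". The prefix
# names the built-in chain whose policy dropped the packet; IN= is set on
# INPUT/FORWARD drops, OUT= on OUTPUT drops.
summarize_drop() {
  printf '%s\n' "$1" | awk '{
    split("", f); chain = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /-policy-drop:$/) { chain = $i; sub(/-policy-drop:$/, "", chain) }
      n = split($i, kv, "=")
      if (n == 2) f[kv[1]] = kv[2]
    }
    iface = (f["IN"] != "") ? "in:" f["IN"] : "out:" f["OUT"]
    printf "%s %s %s %s -> %s:%s\n", chain, iface, tolower(f["PROTO"]), f["SRC"], f["DST"], f["DPT"]
  }'
}

# Constructed samples of what the LOG rules write (documentation addresses).
SAMPLE_IN_DROP='Mar  3 10:15:02 gw kernel: INPUT-policy-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=65535 RES=0x00 ACK SYN URGP=0'
SAMPLE_OUT_DROP='Mar  3 10:15:04 gw kernel: OUTPUT-policy-drop: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

case "${1:-}" in
  --apply) apply_ruleset ;;
  --show)  build_ruleset ;;
  --demo)  summarize_drop "$SAMPLE_IN_DROP"; summarize_drop "$SAMPLE_OUT_DROP" ;;
esac
```

Once the LOG rules are in, `dmesg | grep policy-drop | while read -r l; do summarize_drop "$l"; done` shows exactly which built-in chain and interface is dropping, which is quicker than reading counters out of `iptables -vnL`. Per-service rules for eth0 belong in IN_ETH0 ahead of the conntrack line, and the text that `build_ruleset` prints is the same format `iptables-save` writes, so saving it to the file your distribution restores at boot is how to persist it.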

