Hi, my input ruleset doesn't work as it should... I'm using woody / netfilter on 2.4.27 (debian kernel I think) for doing the routing on a DSL connection.

I can't reach ssh on the external interface. First here is my ruleset:

    # IP spoofing rules
    $IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP
    $IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
    $IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP

    # loopback interfaces are valid.
    $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

    # pptp
    # 1+2 line: pptp control + data
    $IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT
    $IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT

    # ssh IN
    $IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT

    # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
    $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

    # SMB - Enable the following lines if you run an INTERNAL SMB server
    $IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
    $IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT

    # local interface, local machines, going anywhere is valid
    $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

    # external interface, from any source, for ICMP traffic is valid - ping
    $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

    # Allow any related traffic coming back to the MASQ server in
    echo " INPUT: Allow connections OUT and only existing/related IN"
    $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
        ESTABLISHED,RELATED -j ACCEPT

What is wrong? And are the spoofing rules not redundant? The default policy is DROP.

I can use any help or hint,

Regards
Manfred
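Added example, not part of Manfred's post: a small Python model of iptables first-match evaluation over a subset of the posted INPUT chain, with the interface names and addresses filled in as constructed placeholders. Tracing a packet through it shows which rule an inbound SSH SYN hits (and that it depends on `$EXTIP` matching the packet's destination), and that the anti-spoof rules, being `-p TCP`, leave non-TCP spoofed packets to the default policy.

```python
import ipaddress

# Constructed values for the script's variables (assumptions, not from the post).
VARS = {"EXTIF": "ppp0", "INTIF": "eth0", "EXTIP": "203.0.113.10",
        "UNIVERSE": "0.0.0.0/0", "INTNET": "192.168.1.0/24"}

# A subset of the posted INPUT chain, kept in the posted order.
RULES = [
    "-i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP",
    "-i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP",
    "-i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT",
    "-i $INTIF -p tcp --dport 22 -j ACCEPT",
    "-i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT",
    "-i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT",
    "-i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT",
]
POLICY = "DROP"  # the chain's default policy, as stated in the post


def parse(rule):
    """Substitute the shell variables and pull the match options into a dict."""
    for name, val in VARS.items():
        rule = rule.replace("$" + name, val)
    tok = rule.split()
    spec = {}
    for i, t in enumerate(tok):
        if t in ("-i", "-p", "-s", "-d", "--dport", "--sport", "--state", "-j"):
            spec[t] = tok[i + 1].lower() if t == "-p" else tok[i + 1]
    return spec


def matches(spec, pkt):
    """Every option present in the rule must hold for the packet."""
    if "-i" in spec and spec["-i"] != pkt["iface"]:
        return False
    if "-p" in spec and spec["-p"] != pkt["proto"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        net = ipaddress.ip_network(spec[opt], strict=False) if opt in spec else None
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    for opt, key in (("--dport", "dport"), ("--sport", "sport")):
        if opt in spec and int(spec[opt]) != pkt.get(key):
            return False
    # conntrack state: a packet with no state given is treated as NEW
    if "--state" in spec and pkt.get("state", "NEW") not in spec["--state"].split(","):
        return False
    return True


def verdict(pkt):
    """Walk the chain top to bottom; return (target, rule index) or the policy."""
    for idx, rule in enumerate(RULES):
        spec = parse(rule)
        if matches(spec, pkt):
            return spec["-j"], idx
    return POLICY, None
```

Feed it a dict such as `{"iface": "ppp0", "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "sport": 40000, "dport": 22}` to see the ssh rule (index 2) accept; change `dst` to anything other than the configured `EXTIP` and the packet falls through to the DROP policy.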

