On Wed 09 Feb 2005 11:07, Tomaz Kravcar wrote:
> Manfred Sampl wrote:
> | Hi,
> |
> | My input ruleset doesn't work as it should... I'm using woody /
> | netfilter on 2.4.27 (debian kernel I think) for doing the routing
> | on a DSL connection.
> |
> | I can't reach ssh on the external interface.
> |
> | First here is my ruleset:
> |
> | # IP spoofing rules
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP
> |
> | # loopback interfaces are valid.
> | $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> |
> | # pptp
> | # 1+2 line: pptp control + data
> | $IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT
> | $IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT
> |
> | # ssh IN
> | $IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
> |
> | # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
> |
> | # SMB - Enable the following lines if you run an INTERNAL SMB server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT
> |
> | # local interface, local machines, going anywhere is valid
> | $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> |
> | # external interface, from any source, for ICMP traffic is valid - ping
> | $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> |
> | # Allow any related traffic coming back to the MASQ server in
> | echo "    INPUT: Allow connections OUT and only existing/related IN"
> | $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state \
> |     --state ESTABLISHED,RELATED -j ACCEPT
> |
> | What is wrong? And are the spoofing rules not redundant? The
> | default policy is DROP.
> |
> | I can use any help or hint,
> |
> | Regards Manfred
>
> Did you notice that you have only rules for INPUT, what about OUTPUT?
> For every INPUT you need an appropriate OUTPUT rule :)
> I don't know your configuration or how exactly you are connected to the
> network but for ssh you should probably have to add:
>
> $IPTABLES -A OUTPUT -o $EXTINT -d $EXTIP -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT
>
> But this won't make your firewall work as expected, since you have
> to make some OUTPUT (maybe FORWARD) rules. You should consider using
> something like firehol, firestarter or some other frontend for iptables,
> since that is much easier and safer.
>
> Regards
> Tomaz
--
Guilherme Rocha
Systems and Services Analyst
Sul Soluções Informática Ltda.
http://www.sulsolucoes.com.br
+55-71-240-2026/240-3975
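A stateful version of the ruleset discussed above, as an added example that is not code from either poster: one ESTABLISHED,RELATED rule in each chain lets ssh replies leave under the DROP policy without a per-service OUTPUT rule, the anti-spoof drops cover every protocol instead of only TCP, and FORWARD/NAT for the LAN is sketched in. Interface names (ppp0, eth0, eth1), the LAN prefix and the DRY_RUN/show/apply switches are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful INPUT/OUTPUT/FORWARD skeleton for
# a 2.4 netfilter router. Interface names and addresses below are assumed placeholders.
EXTIF="${EXTIF:-ppp0}"               # the DSL/PPTP link
MODEMIF="${MODEMIF:-eth1}"           # ethernet to the PPTP modem (the thread's $modem)
INTIF="${INTIF:-eth0}"               # LAN side
INTNET="${INTNET:-192.168.1.0/24}"
# Sources that must never arrive from outside. RFC 1918 is 10/8, 172.16/12 and
# 192.168/16; note the thread's list used 192.0.0.0/16 instead of 192.168.0.0/16.
SPOOF_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 224.0.0.0/3"

# Emit the rule set. With DRY_RUN=1 the iptables commands are printed instead of
# executed, so the same function serves review ("what will this do?") and deployment.
gen_rules() {
    ipt() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP
    ipt -F; ipt -t nat -F
    # Anti-spoofing on the external interface, for every protocol, not only -p TCP.
    for n in $SPOOF_NETS; do ipt -A INPUT -i "$EXTIF" -s "$n" -j DROP; done
    ipt -A INPUT -i lo -j ACCEPT
    # One stateful rule per chain replaces a per-service OUTPUT rule: replies to any
    # accepted connection are matched by conntrack, so ssh replies leave on a DROP policy.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections the router itself accepts.
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT
    ipt -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j ACCEPT
    # GRE carrying the PPTP tunnel is not connection-tracked by a stock 2.4 kernel,
    # so it needs an explicit rule on the modem-facing interface.
    ipt -A INPUT -i "$MODEMIF" -p 47 -j ACCEPT
    # Everything the router originates (PPTP control, DNS, package updates).
    ipt -A OUTPUT -m state --state NEW -j ACCEPT
    # LAN to Internet through NAT; return traffic is covered by the stateful rule.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
}

show_rules() { ( DRY_RUN=1; gen_rules ); }
# Review helper: how many rules a chain would receive.
count_chain_rules() { show_rules | grep -c -- "-A $1 "; }

case "${1:-}" in
    apply) gen_rules ;;
    *)     show_rules ;;
esac
```

Run it without arguments to review the generated commands, and with `apply` as root to load them; `iptables -L -v -n` afterwards shows per-rule counters, which is the quickest way to see which rule an ssh attempt actually hits.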

