On Wednesday, 09.02.2005, 14:07 +0100, Tomaz Kravcar wrote:
> |
> | First here is my ruleset:
> |
> | # IP spoofing rules
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 10.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 192.0.0.0/16 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 127.0.0.0/8 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 172.16.0.0/12 -j DROP
> | $IPTABLES -A INPUT -i $EXTIF -p TCP -s 240.0.0.0/5 -j DROP
> |
> | # loopback interfaces are valid.
> | $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> |
> | # pptp
> | # 1+2 line: pptp control + data
> | $IPTABLES -A INPUT -i $modem -p tcp --sport 1723 -j ACCEPT
> | $IPTABLES -A INPUT -i $modem -p 47 -j ACCEPT
> |
> | # ssh IN
> | $IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 22 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
> |
> |
> | # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
> |
> | # SMB - Enable the following lines if you run an INTERNAL SMB server
> | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 137:139 -j ACCEPT
> | $IPTABLES -A INPUT -i $INTIF -p udp --sport 137:139 -j ACCEPT
> |
> | # local interface, local machines, going anywhere is valid
> | $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> |
> | # external interface, from any source, for ICMP traffic is valid - ping
> | $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> |
> | # Allow any related traffic coming back to the MASQ server in
> | echo " INPUT: Allow connections OUT and only existing/related IN"
> | $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
> |     ESTABLISHED,RELATED -j ACCEPT
> |
> |
> | Regards Manfred
> |
> |
> Did you notice that you have only rules for INPUT, what about OUTPUT?
> For every INPUT you need an appropriate OUTPUT rule :)
> I don't know your configuration or how exactly you are connected to the
> network but for ssh you should probably have to add:
>
> $IPTABLES -A OUTPUT -o $EXTINT -d $EXTIP -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT
I didn't include the OUTPUT rules, because I thought the wrong rule is in the
INPUT chain, but I was wrong. Logging and trial and error helped me find a
wrong output rule:

$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 22 -j ACCEPT

HURRRRRA now it works, Thanks everybody for fast response and help

Regards Manfred
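The pairing requirement the thread arrives at (every INPUT ACCEPT for a service needs the matching OUTPUT ACCEPT for its replies when OUTPUT defaults to DROP), shown as an added example that is not code from the thread: the ssh rule pair, a stateful OUTPUT rule that covers the replies of every accepted inbound service at once, and a small lint that flags INPUT rules left without an OUTPUT counterpart. Variable names (EXTIF, INTIF, EXTIP, IPTABLES) follow the posted script; the interface and address values are constructed for a dry run.

```shell
#!/bin/sh
# Added example, not code from the thread. Variable names follow the posted
# script; the values below are constructed so the script runs as a dry run.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
EXTIP="${EXTIP:-192.0.2.10}"
# Dry run by default: print the commands instead of applying them.
# Run as root with IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Per-service pairing: with a DROP policy on OUTPUT, the INPUT ACCEPT for
# ssh is useless until the replies (source port 22) are allowed back out.
ssh_rules() {
    $IPTABLES -A INPUT  -i "$EXTIF" -p tcp -d "$EXTIP" --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -p tcp -s "$EXTIP" --sport 22 -j ACCEPT
    $IPTABLES -A INPUT  -i "$INTIF" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTIF" -p tcp --sport 22 -j ACCEPT
}

# Stateful alternative: replies to any connection already accepted in INPUT
# may leave, so a new service needs only its INPUT rule. New outbound
# connections still need explicit rules (DNS shown as one example).
stateful_output_rules() {
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -p udp --dport 53 -m state --state NEW -j ACCEPT
}

# Lint: read rule commands on stdin and print each INPUT --dport that has no
# OUTPUT --sport counterpart, unless a stateful OUTPUT rule covers replies.
# Simplification: single ports only; port ranges and --sport-based INPUT
# rules (DHCP, SMB in the posted script) are not examined.
unpaired_inputs() {
    awk '
        /-A OUTPUT/ && /ESTABLISHED/ { stateful = 1 }
        /-A INPUT/  { for (i = 1; i <= NF; i++) if ($i == "--dport") inp[$(i+1)] = 1 }
        /-A OUTPUT/ { for (i = 1; i <= NF; i++) if ($i == "--sport") out[$(i+1)] = 1 }
        END { if (!stateful) for (p in inp) if (!(p in out)) print p }'
}

# Dry-run output of both rule sets, followed by the lint verdicts: the paired
# set reports nothing, the INPUT-only set (the thread's original state) reports 22.
ssh_rules
stateful_output_rules
echo "unpaired (paired ssh rules):     $(ssh_rules | unpaired_inputs)"
echo "unpaired (INPUT-only ssh rules): $(ssh_rules | grep -v OUTPUT | unpaired_inputs)"
```

Feeding the dry-run output of an existing script through `unpaired_inputs` before applying it catches the INPUT-without-OUTPUT mistake without the logging and trial-and-error round trip.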

