On 2005-06-01 JM wrote:
> This is a configuration that is not working with apache after some
> upgrades to the system. If turning off iptables, apache is allowed. The
> syntax appears OK. Amule with id also not working.
> Here is the configuration:
> ############################################
> iptables -F
> iptables -t nat -F
>
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
>
>
> #X
> iptables -A INPUT -i eth0 -p TCP -s 0/0 --dport 6000:6005 -j DROP
> iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport 6000:6005 -j DROP
>
> #ICMP
> iptables -A INPUT -i eth0 -p ICMP --icmp-type 8 -j DROP
> iptables -A INPUT -i eth0 -p ICMP --icmp-type 0 -m limit --limit 1/s -j ACCEPT
> iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT

Because of the third ICMP rule, the second one is pointless.

> #my own traffic OK
> iptables -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT

You need to allow ESTABLISHED,RELATED traffic in the OUTPUT chain as well.
That's most likely the source of your problem.

> #everything from outside KO
> iptables -A INPUT -m state --state NEW,INVALID -j DROP
>
> #apache
> iptables -A INPUT -s 0.0.0.0/0 -p tcp -i eth0 --dport 80 -j ACCEPT

Is eth0 your "external" interface?

> #amule
> iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
> iptables -A INPUT -p udp --dport 4665 -j ACCEPT
> iptables -A INPUT -p udp --dport 4672 -j ACCEPT
>
> iptables -P INPUT DROP
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT

The default policies should be set at the *beginning* of your script (before
flushing the chains), not at the end.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches becoming
available."
--Jason Coombs on Bugtraq
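Editor's note, added to this thread and not part of either message or of iptables itself: iptables evaluates a chain top to bottom and stops at the first matching rule, falling through to the chain policy only when nothing matches. In the script as posted, the `-m state --state NEW,INVALID -j DROP` rule is appended before the port 80 and aMule ACCEPT rules, so a new connection to Apache is dropped by that rule and never reaches its own ACCEPT, regardless of what the OUTPUT chain does. The small simulator below reproduces that first-match walk over the posted INPUT chain and over a copy with the catch-all drop moved after the service rules. It is a hypothetical model written for this page: it does not model `-m limit` rate limiting or the conntrack lookup (each sample packet carries the state conntrack would have reported), `0/0` is written as `0.0.0.0/0`, and the packets and the 203.0.113.5 address are constructed for illustration.

```python
"""Added example, not from the thread: a first-match simulator for the posted
INPUT chain. Only rule order and the chain policy are modelled; -m limit and
the real conntrack lookup are not (the packet's state is supplied directly).
All sample packets below are constructed for illustration."""
import ipaddress


def rule(target, **match):
    """One iptables rule: its target plus the match criteria it was given."""
    return {"target": target, "match": match}


def matches(r, pkt):
    """True if every criterion on the rule holds for the packet (AND semantics)."""
    for key, want in r["match"].items():
        have = pkt.get(key)
        if key == "src":                        # -s: source address or network
            net = ipaddress.ip_network(want, strict=False)
            if have is None or ipaddress.ip_address(have) not in net:
                return False
        elif key == "dport":                    # --dport lo:hi (inclusive)
            lo, hi = want
            if have is None or not lo <= have <= hi:
                return False
        elif key == "state":                    # -m state --state A,B
            if have not in want:
                return False
        elif have != want:                      # -i, -p, --icmp-type: exact match
            return False
    return True


def evaluate(chain, policy, pkt):
    """Walk the chain top to bottom; first matching rule wins, else the policy."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], i
    return policy, None


def posted_input_chain():
    """The INPUT rules in exactly the order JM appended them."""
    est = ("RELATED", "ESTABLISHED")
    return [
        rule("ACCEPT", src="127.0.0.1"),
        rule("ACCEPT", src="192.168.1.0/24", iface="eth0"),
        rule("DROP", iface="eth0", proto="tcp", src="0.0.0.0/0", dport=(6000, 6005)),
        rule("DROP", iface="eth0", proto="udp", src="0.0.0.0/0", dport=(6000, 6005)),
        rule("DROP", iface="eth0", proto="icmp", icmp_type=8),
        rule("ACCEPT", iface="eth0", proto="icmp", icmp_type=0),   # -m limit ignored
        rule("ACCEPT", proto="icmp"),                              # -m limit ignored
        rule("ACCEPT", proto="tcp", state=est),
        rule("ACCEPT", proto="udp", state=est),
        rule("DROP", state=("NEW", "INVALID")),                    # precedes the service rules
        rule("ACCEPT", src="0.0.0.0/0", proto="tcp", iface="eth0", dport=(80, 80)),
        rule("ACCEPT", proto="tcp", dport=(4662, 4662)),
        rule("ACCEPT", proto="udp", dport=(4665, 4665)),
        rule("ACCEPT", proto="udp", dport=(4672, 4672)),
    ]


def reordered_input_chain():
    """Same rules, with the NEW,INVALID drop moved after the service accepts."""
    chain = posted_input_chain()
    chain.append(chain.pop(9))
    return chain


POLICY = "DROP"                                 # iptables -P INPUT DROP

# Constructed sample packets; "state" is what conntrack would have reported.
SAMPLES = {
    "syn_to_apache": dict(proto="tcp", iface="eth0", src="203.0.113.5", dport=80, state="NEW"),
    "syn_to_amule": dict(proto="tcp", iface="eth0", src="203.0.113.5", dport=4662, state="NEW"),
    "reply_to_outbound": dict(proto="tcp", iface="eth0", src="203.0.113.5", dport=45000, state="ESTABLISHED"),
    "ping_from_outside": dict(proto="icmp", iface="eth0", src="203.0.113.5", icmp_type=8, state="NEW"),
    "ssh_from_lan": dict(proto="tcp", iface="eth0", src="192.168.1.20", dport=22, state="NEW"),
    "dns_query_from_outside": dict(proto="udp", iface="eth0", src="203.0.113.5", dport=53, state="NEW"),
}


def verdicts(chain):
    """Map each sample packet name to (target, index of the rule that decided it)."""
    return {name: evaluate(chain, POLICY, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("posted", posted_input_chain()), ("reordered", reordered_input_chain())):
        print(label)
        for name, (target, idx) in verdicts(chain).items():
            print(f"  {name:24s} -> {target:6s} (rule {idx})")
```

Running it shows the new SYN to port 80 and to 4662 stopping at rule 9 (the catch-all DROP) in the posted order, while established replies, LAN traffic and the ping DROP are decided by the same earlier rules in both orders; with the catch-all moved last, the two service SYNs reach their ACCEPT rules and an unsolicited UDP packet from outside is still dropped by the catch-all, now at index 13.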

