Hi,

Yes, the script is kind of long and tedious in its respects. My initial purpose was to set this up at a remote facility with around 20 systems. I have also tried to get info from `iptables -L chain`, but noticed that the rules seem to be OK. If people want, I can put up the output for `iptables -L chain`. I am trying to block out everything except what I need. I think that my firewall optimization is kind of crap, but I am in the process of working on that.

The other thing that I just noticed is that my order for rules is not very properly laid out. I should have had the most active rules up on top, right before all the drop rules.

I am asking for help: if anyone notices anything interesting or decides to just suggest a more optimized approach to things, let me know. I tried some automated firewall scripting programs, and just feel that a lot of them are designed to save time for the lazy, and then you waste a lot of time trying to correct the script. These programs have their users; I am just not one of them.

I have also learned that iptables has some very interesting and helpful modules. If someone knows anything about that, then I would appreciate it if they let me know where I could get them.
Best Regards,
kc

Daniel Pittman wrote:
> On 3 Jul 2005, KC wrote:
>
>> I need help understanding what goes wrong in this script. I cannot ping anyone and cannot resolve as well. In fact I believe the only thing I can get is an ip address from my isp's dhcp server.
>
> With sufficiently modern kernels, the DHCP client uses raw sockets, so it can (AIUI) bypass firewall rules that would otherwise stop it getting through.
>
> I can't spot anything wrong with your script, which means that it isn't an obvious stupid mistake (congratulations ;). You have some work to do, I guess. :)
>
> Two things that are generally helpful in debugging iptables/firewall problems:
>
> The logs of dropped packets, which I note you have added, may show you where things are getting discarded. A *default* log at the end, showing everything else, is also really helpful.
>
> Watching the output of 'iptables -L' will show you where packets are flowing: each time they pass a rule, or chain, they bump up the packet count.
>
> This can show that, say, one of your rules is eating all the packets -- they get that far, then stop.
>
> Finally, that is a pretty complex firewall script, and obviously somewhat hard to maintain. Maybe you would get better value for your time by using an existing firewall helper like 'firehol', or something, than re-doing the work that went into the existing tools?
>
> Of course, if your aim is to learn iptables rather than just get it working, that loses. ;)
>
> Daniel
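The two debugging aids Daniel describes (a catch-all LOG rule at the end of each chain, and watching the per-rule packet counters to see where traffic stops) and the rule ordering KC mentions (most-hit rules first, LOG last, then the DROP policy) can be put together in a small script. The following is an added example and is not KC's script or anything from the thread; it generates a minimal ruleset in `iptables-restore` format without applying it, and ranks rule lines from `iptables -L -v -n -x` output by packet count. The counters are only printed with `-v`, and `-x` keeps them exact rather than abbreviated as `120K`. The interface name `eth0`, the log prefix, the `5/min` log limit and the sample counter output are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Ruleset generator plus a counter ranker
# for debugging an iptables firewall that drops everything it does not expect.

WAN_IF="eth0"          # assumption: the interface facing the ISP
LOG_PREFIX="FW-DROP: " # assumption: prefix for the catch-all log rules

# Print an iptables-restore compatible ruleset on stdout. Nothing is applied;
# review it and then load it with:  build_ruleset | iptables-restore
# Order matters for both speed and debugging: the rules that match most
# packets (loopback, established/related) go first, the explicit exceptions
# (DHCP, DNS, outbound ping) next, and the rate-limited LOG rule last so that
# every packet reaching it is about to be dropped by the chain policy.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
COMMIT
EOF
}

# Read 'iptables -L -v -n -x' output on stdin and print one line per rule,
# prefixed with its chain, sorted by packet count (highest first). Packets that
# fell through to a chain's default policy are reported as "policy-<TARGET>".
# Run it twice while generating traffic: the rule whose count climbs is the one
# the packets stop at; a LOG rule that climbs means the policy is eating them.
rank_counters() {
    awk '
        /^Chain / {
            chain = $2
            if ($3 == "(policy") print chain, $5, "policy-" $4
            next
        }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { sub(/^ +/, ""); print chain, $0 }
    ' | sort -k2,2nr
}

# Constructed sample of 'iptables -L -v -n -x' output (assumption, not real data).
SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1523     120480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    8841    6512300 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
      37       2812 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "FW-DROP: "

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9120    1203456 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
'

# Rank the constructed sample; on a live box use: iptables -L -v -n -x | rank_counters
rank_sample() {
    printf '%s\n' "$SAMPLE_COUNTERS" | rank_counters
}

case "${1:-}" in
    ruleset) build_ruleset ;;
    rank)    rank_sample ;;
esac
```

Run it as `sh fw-debug.sh ruleset` to inspect the generated rules and `sh fw-debug.sh rank` to see the sample ranking. In the sample the DNS rule in OUTPUT has matched nothing while the INPUT LOG rule and policy have, which is the pattern to look for when "cannot resolve" is the symptom: the packets never reach the rule that should accept them.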

