On Wed, 17 Jan 2007 20:02:54 +0100
"Daniel Pielmeier" <[EMAIL PROTECTED]> wrote:
> Hi again,
>
> it seems that I was running into another problem.
>
> These are my current iptables!
> ...
> What could be the problem here? Is the net init-script changing my
> rules? I think I have removed shorewall completely, so there shouldn't
> be any remaining files which could cause that behavior. Or are there
> some remaining files from shorewall? When I invoke iptables save with
> my generated rules and restart iptables, the rules are OK and I can
> connect!
>
> Thanks in advance!
>
> Daniel
I've been holding back on replying for a while now, but I think you
should try a simple iptables setup like this one:
davey ~ # iptables -L -v ; iptables -t nat -L -v
Chain INPUT (policy DROP 764K packets, 79M bytes)
 pkts bytes target     prot opt in     out     source               destination
50707   18M ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
 955K  601M ACCEPT     all  --  lo     any     anywhere             anywhere
 249K   20M ACCEPT     all  --  ath0   any     anywhere             anywhere
  43M 6782M ACCEPT     all  --  eth1   any     anywhere             anywhere
    1    32 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
    1    58 REJECT     udp  --  eth0   any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
  414 36292 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
 411K   91M ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    4   184 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
14547 1187K ACCEPT     icmp --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 3017 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination
 173M  111G ACCEPT     all  --  any    any     192.168.0.0/16       anywhere
  22M   19G ACCEPT     all  --  eth0   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 48M packets, 13G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 10M packets, 1189M bytes)
 pkts bytes target     prot opt in     out     source               destination
58003 3477K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh to:192.168.1.99:22
 3828  213K DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http to:192.168.1.99:80
   14   664 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:222 to:192.168.1.1:22
  248 11072 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:223 to:192.168.1.100:22

Chain POSTROUTING (policy ACCEPT 300K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination
4564K  318M MASQUERADE all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 234K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
It's my own stab at a stateful firewall and seems to be working very
well for me. spore.ath.cx is my home computer network; feel free to
nmap me and see what you think from the outside. It's rudimentary, but
that's what I like about it. Simple.
For what it's worth, I never would have been able to figure out
iptables without using
watch "iptables -v -L ; iptables -t nat -v -L"
which ends up showing you the packets in and out of each chain and each
rule, which is highly convenient for configuring firewalls.
Best of luck.
-- dan.
--
[email protected] mailing list
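The `watch "iptables -v -L ..."` trick above works because each rule carries its own packet counter; the following is an added example (not code from either poster) that does the same comparison programmatically: it parses two `iptables -L -v` snapshots and reports which rules' counters moved, so you can tell which rule a test connection actually matched. The sample snapshots are constructed from part of the INPUT chain in the reply, and the parser assumes the default `-L -v` column layout (without `-n`) and that the ruleset itself did not change between snapshots.

```python
import re

# iptables -v abbreviates large counters (e.g. 18M); -x would print exact values.
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\S+) \S+ packets, \S+ bytes|\d+ references)\)")

def parse_count(tok):
    """'18M' -> 18000000, '36292' -> 36292 (abbreviated values are approximate)."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_listing(text):
    """{chain: {"policy": str or None, "rules": [...]}}; rules are dicts of FIELDS + "extra"."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # built-in chains carry a policy, user-defined chains a reference count
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()
        if current is None or not f or f[0] == "pkts":
            continue  # shell prompt, blank separator line, or column header
        rule = dict(zip(FIELDS, f[:9]))
        rule["pkts"], rule["bytes"] = parse_count(f[0]), parse_count(f[1])
        rule["extra"] = " ".join(f[9:])  # match extensions: dpt:, state, to: ...
        current["rules"].append(rule)
    return chains

def counter_deltas(before, after):
    """(chain, rule index, description, packets gained) for every rule whose pkts counter
    grew. Rules are matched by position, so the ruleset must be unchanged between snapshots."""
    hits = []
    for chain, data in after.items():
        prev = before.get(chain, {"rules": []})["rules"]
        for i, rule in enumerate(data["rules"]):
            if i < len(prev) and rule["pkts"] > prev[i]["pkts"]:
                desc = f"{rule['target']} {rule['prot']} in={rule['in']} {rule['extra']}".strip()
                hits.append((chain, i, desc, rule["pkts"] - prev[i]["pkts"]))
    return hits

# Constructed sample: three rules of the INPUT chain from the listing above, and a second
# snapshot taken after three more SSH connections and one more HTTP request.
BEFORE = """Chain INPUT (policy DROP 764K packets, 79M bytes)
 pkts bytes target     prot opt in     out     source               destination
  414 36292 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
 411K   91M ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    4   184 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http
"""
AFTER = BEFORE.replace("  414 36292", "  417 36472").replace("    4   184", "    5   244")
```

Feed it the full output of both `iptables -L -v` and `iptables -t nat -L -v` and it will also show DNAT and MASQUERADE rules being hit, which is the quickest way to confirm that a forwarded port actually reaches the internal host.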