I've got the 2.4.17 kernel patched with iptables 1.2.5.

I've created all IP: Netfilter Configuration options as Modules:

#
#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_EGG=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_IPLIMIT=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_DECNET is not set
# CONFIG_BRIDGE is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_LLC is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set

I guess you can see from the list above what I've patched into the kernel.

Now, when I make a rule to allow DNS TCP/UDP from my firewall/router box to
my ISP DNS server, I get some strange behavior. To narrow it down, I've
created the smallest version of the script here, which only allows me to sit
on my workstation ssh'ing to my box, and also allows my box to do DNS
queries to my ISP DNS server, and nothing else.

=====my firewall script====

#!/bin/sh
IPTABLES="/usr/local/sbin/iptables"

LAN_INTERFACE="eth0"
DMZ_INTERFACE="eth1"
INET_INTERFACE="eth2"
LO_INTERFACE="lo"

LAN_IP="10.10.10.1"
DMZ_IP="10.10.20.1"
INET_IP="123.4.5.12"        # This was changed to a random number to protect the innocents :)
LO_IP="127.0.0.1"

LAN_IP_RANGE="10.10.10.0/24"
LAN_BCAST_IP="10.10.10.255/32"
HIGHPORTS="1024:65535"      # not set anywhere in the posted script; the unprivileged port range is assumed

depmod -a
#modules are automatically loaded

############################## INPUT chain ##############################

# ssh from the LAN to the box itself
$IPTABLES -A INPUT -p TCP -i $LAN_INTERFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 22 -j ACCEPT

# replies to connections the box itself opened towards the Internet
$IPTABLES -A INPUT -p ALL -i $INET_INTERFACE -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

############################## OUTPUT chain #############################
# replies towards the LAN (e.g. the ssh session accepted above)
$IPTABLES -A OUTPUT -p ALL -o $LAN_INTERFACE -s $LAN_IP -d $LAN_IP_RANGE -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS queries from the box to the ISP DNS server
$IPTABLES -A OUTPUT -p TCP -o $INET_INTERFACE -s $INET_IP --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p UDP -o $INET_INTERFACE -s $INET_IP --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP -o $INET_INTERFACE -s $INET_IP --dport $HIGHPORTS -j ACCEPT

############################## DROP Policy #############################
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j DROP

=====my firewall script====


What I've got problems with is:
iptables -L

running this command results in more or less nothing. It takes about 5
minutes for one (1) line in the tables to be displayed, and then a new 5
minutes before the next line shows up... with a complex script it would take
hours to list everything.

If I remove the UDP rule of the DNS though, 'iptables -L' works like a charm
and lists everything in about one or two seconds.

If I add '-n' when the UDP rule is enabled, everything is fine, but I
shouldn't (and wouldn't) have to use '-n'.

I'm not sure though, but I believe this problem occurred after I applied the
string and ULOG patch, because I was able to list the tables just fine a
week ago, before I started experimenting with ULOG.

Is it just me, or is this a bug somewhere?

I'm not subscribed to the netfilter developers mailing list, so please send
any replies to my email address: [EMAIL PROTECTED]

Thanks
/Christopher Thorjussen
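The minimal rule set from the post, traced with a small first-match simulator. This is an added example, not code from the original message: the rule list transcribes the posted script, the ISP resolver address and LAN client address are constructed, and the undefined $HIGHPORTS is assumed to be 1024:65535. It shows what the script lets through, including the UDP lookups that `iptables -L` makes when run without `-n`, and what disappears when the UDP DNS rule is removed.

```python
# First-match simulator for the iptables rule set in the post above (an added
# example, not the original message's code). RULES transcribes that script; the
# packets are constructed. A chain yields the target of the first matching rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
LAN_IP, INET_IP, LAN_NET = "10.10.10.1", "123.4.5.12", "10.10.10.0/24"
EST = frozenset({"ESTABLISHED", "RELATED"})

@dataclass
class Rule:
    chain: str
    target: str
    proto: str = None        # "tcp"/"udp"; None means -p ALL
    iface: str = None        # -i on INPUT, -o on OUTPUT
    src: str = None          # -s (host or CIDR)
    dst: str = None          # -d (host or CIDR)
    dport: range = None      # --dport
    state: frozenset = None  # -m state --state

    def matches(self, p):
        return ((self.proto is None or self.proto == p["proto"])
                and (self.iface is None or self.iface == p["iface"])
                and (self.src is None or ip_address(p["src"]) in ip_network(self.src))
                and (self.dst is None or ip_address(p["dst"]) in ip_network(self.dst))
                and (self.dport is None or p["dport"] in self.dport)
                and (self.state is None or p["state"] in self.state))
RULES = [  # same order as the script; the DROP rules are appended last
    Rule("INPUT", "ACCEPT", "tcp", "eth0", LAN_NET, LAN_IP, range(22, 23)),
    Rule("INPUT", "ACCEPT", None, "eth2", None, INET_IP, None, EST),
    Rule("OUTPUT", "ACCEPT", None, "eth0", LAN_IP, LAN_NET, None, EST),
    Rule("OUTPUT", "ACCEPT", "tcp", "eth2", INET_IP, None, range(53, 54)),
    Rule("OUTPUT", "ACCEPT", "udp", "eth2", INET_IP, None, range(53, 54)),
    # $HIGHPORTS is never defined in the post; 1024:65535 is assumed here
    Rule("OUTPUT", "ACCEPT", "tcp", "eth2", INET_IP, None, range(1024, 65536)),
    Rule("INPUT", "DROP"), Rule("OUTPUT", "DROP"), Rule("FORWARD", "DROP"),
]

def pkt(proto, iface, src, dst, dport, state="NEW"):
    return dict(proto=proto, iface=iface, src=src, dst=dst, dport=dport, state=state)
def verdict(chain, p, rules=RULES):
    for r in rules:
        if r.chain == chain and r.matches(p):
            return r.target
    return "POLICY"  # nothing matched: the chain's built-in policy decides

def trace_dns_lookup(resolver="123.4.5.53", rules=RULES):
    """One UDP DNS exchange with the ISP resolver (constructed address), the kind of lookup iptables -L makes without -n."""
    return {"query out": verdict("OUTPUT", pkt("udp", "eth2", INET_IP, resolver, 53), rules),
            "reply in": verdict("INPUT", pkt("udp", "eth2", resolver, INET_IP, 40000, "ESTABLISHED"), rules)}
```

Dropping the UDP rule (`[r for r in RULES if r.proto != "udp"]`) turns the outgoing query into a DROP while the box's own ssh and established-reply paths are unaffected.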