Hey all,
I tried to send this yesterday, but was having some issues with the
wireless network. I didn't receive it from the list, so I'm resending.
Any suggestions on what the problem may be would be _greatly_
appreciated. If others have already received this, please accept my most
humble apologies.
I have the openvpn client rules set up (as per my question earlier this
week - thank you again EJ), and the correct virtual ip is being assigned
to my test account when I connect through openvpn.
Now, I am trying to restrict that test account to only be able to access
one specific server. All other traffic of any form should be allowed. As
it is, my test account is not able to access anything except the openvpn
server itself. If I turn iptables off, everything is talking to
everything again.
Here is the output of the iptables file (I have also added comments to
the five custom entries I made in iptables. Also, IPs and names have
been changed; not that it matters, no one could identify anything with a
private IP):
[dan@server1 sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# This client should be able to access this one server.
-A FORWARD -i tun0 -s 192.168.0.1/30 -d 172.16.0.50 -j ACCEPT
# The same client should not be able to access anything else.
-A FORWARD -i tun0 -s 192.168.0.1/30 -j DROP
# Everyone else should be able to access everything else.
-A FORWARD -i tun0 -j ACCEPT
# All traffic directed directly to this machine should be allowed.
-A INPUT -j ACCEPT
# All traffic originating from this machine should be allowed.
-A OUTPUT -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[dan@server1 sysconfig]#
The output from iptables -L looks good (to me anyway) too:
[dan@server1 sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.1/30 server4.acompany.com
DROP all -- 192.168.0.1/30 anywhere
ACCEPT all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[dan@server1 sysconfig]#
It was my understanding that iptables read rules from the top down, and
that once a rule condition was met, it skipped any further rules. Does
anyone see a problem with the above? Thanks in advance!
--
Best regards,
Daniel M. Head
http://www.linkedin.com/in/dmhead
Cell Phone: (360) 980-5885
Home/Message Phone: (360) 210-5492
E-mail: [email protected]
"/If we want to set our lives aright and find peace,
it is not the tolerant attitude of others that will do it for us.
It will come about, rather, by our learning how to show them compassion./"
- John Cassian
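The following is an added example, not code from the mail or from the list: a small first-match simulator for the FORWARD chain quoted above. It models only the matches those rules use (-i, -s, -d and conntrack state) plus the jump into RH-Firewall-1-INPUT, which is reduced here to the three rules that matter for forwarded TCP/UDP traffic (loopback, ESTABLISHED/RELATED, final REJECT). The sample packets, the LAN interface name eth0 and the client addresses 192.168.0.2 / 192.168.0.6 are constructed for the illustration; the server and subnet values are the mail's own placeholders.

```python
# Added example (not from the original mail): first-match simulation of
# the FORWARD chain shown above, so the path a packet takes through the
# rules can be read off without touching a live firewall.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    in_iface: Optional[str] = None       # -i
    src: Optional[str] = None            # -s, CIDR or single host
    dst: Optional[str] = None            # -d, CIDR or single host
    states: Optional[Set[str]] = None    # -m state --state ...


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    state: str = "NEW"                   # conntrack's view of the packet


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match option present on the rule must agree with the packet."""
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet, path: list) -> Optional[str]:
    """Top-down walk of one chain: the first matching rule decides. Returns a
    terminal verdict, or None when the chain falls through to its caller."""
    for idx, rule in enumerate(chains[name]):
        if not matches(rule, pkt):
            continue
        path.append((name, idx))
        if rule.target in TERMINAL:
            return rule.target
        sub = walk(chains, rule.target, pkt, path)    # -j user-defined chain
        if sub is not None:
            return sub
    return None


def verdict(chains: Dict[str, List[Rule]], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, List[Tuple[str, int]]]:
    """Verdict for a forwarded packet plus the (chain, rule index) path that produced it."""
    path: List[Tuple[str, int]] = []
    v = walk(chains, "FORWARD", pkt, path)
    return (v if v is not None else policy), path


# Constructed from the rules in the mail. RH-Firewall-1-INPUT keeps only the
# rules relevant to forwarded TCP/UDP traffic.
CHAINS: Dict[str, List[Rule]] = {
    "FORWARD": [
        Rule("ACCEPT", in_iface="tun0", src="192.168.0.1/30", dst="172.16.0.50"),
        Rule("DROP", in_iface="tun0", src="192.168.0.1/30"),
        Rule("ACCEPT", in_iface="tun0"),
        Rule("RH-Firewall-1-INPUT"),
    ],
    "RH-Firewall-1-INPUT": [
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
        Rule("REJECT"),
    ],
}

if __name__ == "__main__":
    # Constructed sample packets; eth0 is an assumed LAN interface name.
    samples = [
        Packet("tun0", "192.168.0.2", "172.16.0.50"),                       # restricted client -> allowed server
        Packet("tun0", "192.168.0.2", "172.16.0.60"),                       # restricted client -> anything else
        Packet("tun0", "192.168.0.6", "172.16.0.60"),                       # any other VPN client
        Packet("eth0", "172.16.0.50", "192.168.0.2", state="ESTABLISHED"),  # reply from the allowed server
        Packet("eth0", "172.16.0.60", "192.168.0.6"),                       # unsolicited LAN -> VPN client
    ]
    for p in samples:
        v, path = verdict(CHAINS, p)
        print(f"{p.in_iface:4} {p.src:>13} -> {p.dst:<13} {p.state:11} => {v:6} via {path}")
```

Running it shows the first-match behaviour the mail describes: the restricted client's packet to 172.16.0.50 stops at FORWARD rule 0 (ACCEPT), its packet to any other host stops at rule 1 (DROP), and the server's reply arrives on the LAN interface rather than tun0, so it passes the three tun0 rules untouched and is accepted by the ESTABLISHED,RELATED rule inside RH-Firewall-1-INPUT.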
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug