hey all,
I thought I was starting to get an understanding of iptables when I stumbled
on this problem.
I've figured out how to SNAT and DNAT thanks to the help from the previous
post and SLUGGERS who explained it a bit better than the man pages.
My problem now is that I have rules (as below) which allow incoming ports
for TCP, and anything else should be dropped or rejected (-P INPUT DROP).
My problem is that the remote site receives a "telnet: Unable to connect to
remote host: No route to host" instead of just a TimeOut type of message
when attempting to test a port (i.e. telnet).
#
# GEORGEV TEST
#
$IPTABLES -P INPUT DROP
$IPTABLES -A POSTROUTING -o $EXTDEV -t nat -s $GEORGEVINT \
    -j SNAT --to $GEORGEVEXT                                   # Outgoing
# Special Rules for Citadel Internal Users to see External WWW server on GEORGEV
$IPTABLES -A PREROUTING -i $INTDEV -t nat -p tcp -d $GEORGEVEXT \
    --dport 80 -j DNAT --to $GEORGEVINT                        # Int WWW
$IPTABLES -A POSTROUTING -o $INTDEV -t nat -p tcp -d $GEORGEVINT \
    --dport 80 -s $INTSN -j SNAT --to $STARGATEINT             # Int WWW
# $IPTABLES -A PREROUTING -i $EXTDEV -t nat -p tcp -d $GEORGEVEXT \
#     --dport 23 -j DNAT --to $GEORGEVINT
$IPTABLES -A PREROUTING -i $EXTDEV -t nat -p tcp -d $GEORGEVEXT \
    ! --syn -j DNAT --to $GEORGEVINT
I found that on ports which are DROPPED I receive ARP messages as below (eth1 is
external).
08:57:26.641509 eth1 > arp who-has webmachine.citadelcomputer.com.au tell
firewallmachine.citadelcomputer.com.au (xx:xx:xx:xx:xx:xx)
0001 0800 0604 0001 5254 05e3 089a cb6f
4f72 0000 0000 0000 cb6f 4f77
The other weird thing is that my rules aren't DROPPING non-allowed packets,
and yet my rules appear quite strict. I usually ACCEPT on the OUTPUT and
FORWARD (-P) rules. I explicitly specify as much rule matching as possible
to eliminate the possibility of accidentally accepting when it shouldn't, i.e.
"-A INPUT -i eth1 -d 203.x.x.x" ouch. Anything I want passed through, I make
the rules as explicit as possible.
If anybody would like to see my complete firewall rules, I can email them
off list.
thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
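The post compares a silent DROP with the "No route to host" the remote telnet client saw. The script below is an added example, not George's rule set: it builds an INPUT chain in the same explicit style (interface, destination address, port and connection state all matched) and lets the final catch-all target be chosen, so the three client-side symptoms can be produced deliberately and compared against what a remote tester reports. DROP leaves the client waiting for a timeout; REJECT with tcp-reset gives "Connection refused"; REJECT with icmp-host-unreachable gives exactly the "No route to host" text quoted in the post. The variable names ($EXTDEV, $GEORGEVEXT, $GEORGEVINT, $INTSN) are the post's placeholders; the default addresses and the ALLOWED_TCP port list are constructed for the example. Without APPLY=1 the script only prints the iptables commands, so it can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an explicit INPUT/NAT
# rule set and selects the catch-all target that decides what a remote
# client sees on a blocked port. Run as root with APPLY=1 to load the rules;
# otherwise the commands are printed only.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTDEV=${EXTDEV:-eth1}                    # external interface, as in the post
INTDEV=${INTDEV:-eth0}                    # internal interface (assumed name)
GEORGEVEXT=${GEORGEVEXT:-203.0.113.10}    # constructed address (TEST-NET-3)
GEORGEVINT=${GEORGEVINT:-192.168.1.10}    # constructed internal address
INTSN=${INTSN:-192.168.1.0/24}            # constructed internal subnet
ALLOWED_TCP=${ALLOWED_TCP:-"22 80"}       # constructed port list

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Map the symptom the remote tester should see to the iptables target.
#   drop    -> packet silently discarded; telnet waits, then times out
#   refused -> TCP RST returned; telnet reports "Connection refused"
#   noroute -> ICMP host-unreachable returned; telnet reports "No route to host"
catch_all_target() {
    case "$1" in
        drop)    echo "-j DROP" ;;
        refused) echo "-j REJECT --reject-with tcp-reset" ;;
        noroute) echo "-j REJECT --reject-with icmp-host-unreachable" ;;
        *)       echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

build_rules() {
    mode=${1:-drop}
    target=$(catch_all_target "$mode") || return 1

    run $IPTABLES -F INPUT
    run $IPTABLES -t nat -F
    run $IPTABLES -P INPUT DROP

    # Loopback and replies to connections the firewall itself initiated.
    run $IPTABLES -A INPUT -i lo -j ACCEPT
    run $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One explicit accept per service: interface, address, port and NEW state.
    for port in $ALLOWED_TCP; do
        run $IPTABLES -A INPUT -i $EXTDEV -d $GEORGEVEXT -p tcp --dport $port \
            -m state --state NEW -j ACCEPT
    done

    # Explicit catch-all so the remote symptom is chosen here, not left to -P.
    run $IPTABLES -A INPUT -i $EXTDEV $target

    # NAT: only the first packet of a connection traverses the nat table;
    # conntrack translates the rest, so no separate "! --syn" DNAT is needed.
    run $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp -d $GEORGEVEXT --dport 80 \
        -j DNAT --to $GEORGEVINT
    run $IPTABLES -t nat -A POSTROUTING -o $EXTDEV -s $GEORGEVINT -j SNAT --to $GEORGEVEXT
}

# Usage: sh rules.sh [drop|refused|noroute]   (add APPLY=1 to load them)
build_rules "${1:-drop}"
```

Loading the "noroute" variant reproduces the exact error text from the post on the client side, which makes it easy to tell a REJECT-generated ICMP host-unreachable apart from one that the kernel sends on its own when it cannot deliver a DNAT'd packet (the situation the ARP who-has lines suggest, since a failed ARP lookup also ends in host-unreachable).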