Morten Nilsen, 23.11.2005 12:48:
> Vidar Tyldum Hansen wrote:
>> http://tyldum.com/iptables.save.txt
>
> I removed the counters, they were only in the way, and this sort of
> stuck out at me;
>
> -A OUTPUT -o eth1 -j admin_ut
> -A OUTPUT -o eth3 -j felles_ut
> -A OUTPUT -o eth2 -j sosial_ut
> -A OUTPUT -o eth5 -j internett_ut
> -A OUTPUT -o eth0 -j radio_ut
> -A OUTPUT -o eth6 -j dmz_ut
> -A OUTPUT -o eth4 -j elev_ut
>
> if you're not going to filter output, why define rules that jump to
> empty tables?

Old reminiscent that might come in handy :) They should have no impact, remember things work until I type too fast.

> similarly, you only filter packages from the internet on input..
> I would prefer filtering everything in/out on every interface, and only
> allow the traffic you want in..
> (see http://www.ranum.com/security/computer_security/editorials/dumb/)

No traffic may pass without going through a FORWARD rule. Default policy there is drop. Only traffic to/from the router itself is not passed through FORWARD.

> http://84.234.141.4/fw - this is my setup..

Connection refused. At least you are secure ;)

> anyhoo.. back to your problem..
> I can't see anything in your iptables that should cause your problem.. I
> do however note you use tc to shape student traffic.. does the ssh
> problem go away if you (temporarily) remove shaping?

Thought of that, but discarded it because I never touch that interface. Anyways, it would be silly not to test so I just did. Same result :/

> if no, I would suggest making a new setup, without all the extra
> chains.. you know, just to test :)

You are funny.

I'll start by adding some more LOG-rules to see if I can pinpoint something. That won't disrupt the network more than 1-2 lost packets. Fooling around with the general setup will be the nighttime activity the next few days if that doesn't reveal anything.

But I still fail to see why iptables should do something to my packets just by pressing and holding a random key in an ssh session. Seems like a stack problem to me.

Thanks anyways for reading through the files and responding.

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
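Added example, not part of the thread or of either poster's ruleset: a small Python audit of an iptables-save dump that reports jumps into user chains holding no rules, the situation Morten points out in the OUTPUT rules above, and lists the built-in chain policies that Vidar relies on. The dump is constructed (chain names taken from the quoted rules; chain bodies and policies are assumed).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OUTPUT jumps quoted in the thread.
# Chain bodies are assumed: admin_ut and felles_ut are left empty on purpose.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:admin_ut - [0:0]
:felles_ut - [0:0]
:internett_ut - [0:0]
-A OUTPUT -o eth1 -j admin_ut
-A OUTPUT -o eth3 -j felles_ut
-A OUTPUT -o eth5 -j internett_ut
-A internett_ut -p tcp --dport 22 -j LOG --log-prefix "ssh-out "
-A internett_ut -j ACCEPT
COMMIT
"""

# Captures the chain a rule is appended to and its -j/-g target.
JUMP_RE = re.compile(r"^-A\s+(\S+).*?\s-[jg]\s+(\S+)")

def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table: built-in chain -> policy,
    and every declared chain -> list of its -A lines (empty for unused chains)."""
    policies, rules, in_filter = {}, defaultdict(list), False
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *filter
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT":
            continue
        elif line.startswith(":"):          # chain declaration: :NAME POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            rules.setdefault(name, [])
            if policy != "-":               # user chains carry "-" instead of a policy
                policies[name] = policy
        elif line.startswith("-A "):
            rules[line.split()[1]].append(line)
    return policies, dict(rules)

def find_empty_chain_jumps(dump):
    """List (chain, target) for every jump into a user chain that holds no rules."""
    _, rules = parse_filter_table(dump)
    return [(chain, m.group(2))
            for chain, lines in rules.items()
            for m in map(JUMP_RE.match, lines)
            if m and m.group(2) in rules and not rules[m.group(2)]]
```

Feeding the real output of iptables-save into `find_empty_chain_jumps` shows exactly which jumps are dead weight; the policies dict makes it easy to confirm that FORWARD really defaults to DROP.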
