Darragh wrote:
> Hello there,
> I may be stretching the functionality that one machine can provide and if
> so, that's fine but better to be sure about these things.

No, you are not stretching the functionality provided by iptables,
but I'd suggest using something like Shorewall; it sure makes setting up
your rules a lot easier.
e.g. my /etc/shorewall/rules

#ACTION    SOURCE  DEST   PROTO  DEST      SOURCE   ORIGINAL      RATE   USER/
#                                PORT(S)   PORT(S)  DEST          LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNS/ACCEPT all     all
ACCEPT     all     $FW    tcp    ssh
ACCEPT     vpn     all    tcp
ACCEPT     all     $FW    tcp    pop3s
ACCEPT     all     $FW    tcp    imaps
ACCEPT     all     $FW    tcp    smtp
ACCEPT     all     $FW    tcp    smtps
ACCEPT     loc     $FW    tcp    http
ACCEPT     all     $FW    tcp    https
REDIRECT   loc     3128   tcp    www       -        !192.168.1.1

> On that machine with the squid proxy and the iptables set up that I spoke
> about during the weekend, I have a mail server running that delivers mail
> via imap and webmail.
> IMAP is working perfectly and webmail is accessible from the LAN, but I
> can't access port 80 from the internet like I could before configuring
> iptables.
>
> My thinking was that because there are connections coming in on port 80
> and I've instructed iptables to forward all connections on port 80 to squid
> at 3028, it is seeing this connection on port 80 as something that needs
> to be forwarded as well.
>
> I had an idea that that could be the cause of my problem but after
> thinking about it, that couldn't be as I can access the server over port
> 80 internally so it must be something I've done wrong somewhere.
>
> My problem is, I cannot adequately read these blasted iptables entries.
> I've tried iptables -L -n and that is definitely more descriptive than -L
> on its own, but I'm still not seeing a reason why connections made from
> the internet are rejected.
>
> Here is the output of iptables.
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> ACCEPT     icmp --  192.168.2.25         0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1214
> DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1214
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 state NEW LOG flags 0 level 4 prefix `LOW PORT TCP CONNECTION: '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:0:1023 LOG flags 0 level 4 prefix `LOW PORT UDP CONNECTION: '
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION: '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION:'
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `NEW NOT SYN: '
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `ECHO: '
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:123
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Can anyone tell me if I'm completely overlooking something?
> Or, better again, is there a better way of understanding these iptables
> rules?
>
> Thanks
>
> Darragh
>
--
John Allen mailto:john.allen at codemountain.net
CodeMountain http://www.codemountain.net
Ubuntu 7.10, kernel 2.6.22-14-generic
up 17:30, 3 users, load average: 0.73, 1.13, 1.11