[ILUG] really being specific with iptables.
Darragh
lists at digitaldarragh.com
Tue Jan 8 22:33:14 GMT 2008
Hello there,
I may be stretching the functionality that one machine can provide and if
so, that's fine but better to be sure about these things.
On that machine with the squid proxy and the iptables set up that I spoke
about during the weekend, I have a mail server running that delivers mail
via imap and webmail.
IMAP is working perfectly and webmail is accessible from the LAN, but I
can't access port 80 from the internet like I could before configuring
iptables.
My thinking was that because there are connections coming in on port 80
and I've instructed iptables to forward all connections on port 80 to squid
at 3028, it is seeing this connection on port 80 as something that needs
to be forwarded as well.
I had an idea that that could be the cause of my problem but after
thinking about it, that couldn't be, as I can access the server over port
80 internally, so it must be something I've done wrong somewhere.
My problem is, I cannot adequately read these blasted iptables entries.
I've tried iptables -L -n and that is definitely more descriptive than -L
on its own, but I'm still not seeing a reason why connections made from
the internet are rejected.
Here is the output of iptables.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     icmp --  192.168.2.25         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1214
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1214
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 state NEW LOG flags 0 level 4 prefix `LOW PORT TCP CONNECTION: '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:0:1023 LOG flags 0 level 4 prefix `LOW PORT UDP CONNECTION: '
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION: '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION:'
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `NEW NOT SYN: '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `ECHO: '
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:123

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Can anyone tell me if I'm completely overlooking something?
Or, better again, is there a better way of understanding these iptables
rules?
Thanks
Darragh
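An added example, not from Darragh's post, covering the two things the listing above cannot show: `iptables -L -n` omits interface matches (`-v` shows them) and never lists the nat table, which is where a port-80 REDIRECT to squid would live, and a REDIRECT scoped to the LAN interface leaves internet connections to port 80 alone. It assumes the LAN is 192.168.2.0/24 on eth1, the internet is on eth0, and squid listens on 3028 as the post states; these are placeholders to adjust.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the LAN is 192.168.2.0/24
# on eth1 and the internet side is eth0; squid listens on 3028 as the post says.
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
SQUID_PORT="${SQUID_PORT:-3028}"

# Transparent proxy rule scoped to the LAN: only connections arriving on the
# LAN interface from the LAN network are redirected to squid. Port 80 traffic
# arriving from the internet is not matched, so it reaches the webmail server.
add_proxy_redirect() {
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Explicitly allow new inbound HTTP on the filter side; -L -n hides whether the
# post's first "ACCEPT all" rule is limited to an interface, so don't rely on it.
add_http_accept() {
    "$IPT" -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# -v shows the in/out interfaces and packet counters that -L -n omits, and the
# REDIRECT rule lives in the nat table, which plain 'iptables -L' never lists.
show_rules() {
    "$IPT" -L -n -v --line-numbers
    "$IPT" -t nat -L -n -v --line-numbers
}

case "${1:-}" in
    apply) add_proxy_redirect; add_http_accept ;;
    show)  show_rules ;;
esac
```

Run `IPT=echo sh script.sh apply` first to see exactly which rules would be added, then `sh script.sh show` to compare the live tables against them.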