[ILUG] really being specific with iptables.
John Allen
john.allen at dublinux.net
Thu Jan 10 08:19:36 GMT 2008
Darragh wrote:
> Hello there,
> I may be stretching the functionality that one machine can provide and if
> so, that's fine but better to be sure about these things.
>
>
No, you are not stretching the functionality provided by iptables,
but I'd suggest using something like Shorewall; it sure makes setting up
your rules a lot easier.
e.g. my /etc/shorewall/rules:

#ACTION     SOURCE  DEST   PROTO  DEST     SOURCE   ORIGINAL      RATE   USER/
#                                 PORT(S)  PORT(S)  DEST          LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNS/ACCEPT  all     all
ACCEPT      all     $FW    tcp    ssh
ACCEPT      vpn     all    tcp
ACCEPT      all     $FW    tcp    pop3s
ACCEPT      all     $FW    tcp    imaps
ACCEPT      all     $FW    tcp    smtp
ACCEPT      all     $FW    tcp    smtps
ACCEPT      loc     $FW    tcp    http
ACCEPT      all     $FW    tcp    https
REDIRECT    loc     3128   tcp    www      -        !192.168.1.1
> On that machine with the squid proxy and the iptables set up that I spoke
> about during the weekend, I have a mail server running that delivers mail
> via IMAP and webmail.
> IMAP is working perfectly and webmail is accessible from the LAN, but I
> can't access port 80 from the internet like I could before configuring
> iptables.
>
> My thinking was that because there are connections coming in on port 80
> and I've instructed iptables to forward all connections on port 80 to squid
> at 3028, it is seeing this connection on port 80 as something that needs
> to be forwarded as well.
>
> I had an idea that that could be the cause of my problem, but after
> thinking about it, that couldn't be, as I can access the server over port
> 80 internally, so it must be something I've done wrong somewhere.
>
> My problem is, I cannot adequately read these blasted iptables entries.
> I've tried iptables -L -n and that is definitely more descriptive than -L
> on its own, but I'm still not seeing a reason why connections made from
> the internet are rejected.
>
> here is the output of iptables.
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
> ACCEPT     icmp --  192.168.2.25         0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1214
> DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1214
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 state NEW LOG flags 0 level 4 prefix `LOW PORT TCP CONNECTION: '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:0:1023 LOG flags 0 level 4 prefix `LOW PORT UDP CONNECTION: '
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION: '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:1024:65535 LOG flags 0 level 4 prefix `HIGH PORT UDP CONNECTION:'
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `NEW NOT SYN: '
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `ECHO: '
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:123
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Can anyone tell me if I'm completely overlooking something?
> Or, better again, is there a better way of understanding these iptables
> rules?
>
> Thanks
>
> Darragh
>
>
--
John Allen mailto:john.allen at codemountain.net
CodeMountain http://www.codemountain.net
Ubuntu 7.10, kernel 2.6.22-14-generic
up 17:30, 3 users, load average: 0.73, 1.13, 1.11
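An added example for the "better way of understanding these iptables rules" question; this is not code from either poster. Two things are worth knowing when reading a listing like the one above: `iptables -L -n` shows only the filter table, so a port-80 REDIRECT to squid, which lives in the nat table's PREROUTING chain, never appears in it (`iptables -t nat -L -n -v --line-numbers`, or simply `iptables-save`, shows it together with the input interface each rule is scoped to); and a PREROUTING rule with no `-i` match applies to packets arriving on every interface, the internet-facing one included, not only the LAN. The script below works on a constructed iptables-save dump modelled on the thread (the rules, and the interface name eth1, are assumptions, not Darragh's real ruleset): it lists every rule in any table that matches a given destination port, and flags nat REDIRECT rules that are not scoped to an input interface.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits an iptables-save
# dump across ALL tables, which `iptables -L -n` (filter table only)
# does not do.

# SAMPLE is a constructed iptables-save dump: a filter INPUT chain that
# accepts tcp/80, plus a nat PREROUTING REDIRECT of tcp/80 to squid on
# 3128 with no input-interface match. Assumption for illustration only.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
'

# FIXED is the same REDIRECT restricted to the LAN-side interface
# (eth1 is an assumed interface name), so port 80 arriving from the
# internet is no longer diverted to squid.
FIXED='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
'

# rules_for_port DUMP PORT
# Prints "<table> <chain> <rule>" for every rule in DUMP whose
# --dport is PORT, or whose multiport --dports list contains PORT.
rules_for_port() {
    printf '%s' "$1" | awk -v port="$2" '
        /^\*/ { table = substr($0, 2); next }   # "*nat" -> nat
        /^-A / {
            for (i = 1; i <= NF; i++) {
                if (($i == "--dport" || $i == "--dports") &&
                    $(i + 1) ~ ("(^|,)" port "(,|$)")) {
                    print table, $2, $0
                    break
                }
            }
        }'
}

# unscoped_redirects DUMP
# Prints nat-table REDIRECT rules that carry no "-i" match. Such a rule
# matches packets arriving on every interface, the WAN one included.
unscoped_redirects() {
    printf '%s' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /-j REDIRECT/ && !/ -i / { print }'
}

echo "rules touching destination port 80 in any table:"
rules_for_port "$SAMPLE" 80
echo "nat REDIRECTs with no input-interface match:"
unscoped_redirects "$SAMPLE"
echo "same check against the scoped ruleset (expect nothing):"
unscoped_redirects "$FIXED"
```

On a live box the same functions run against the real ruleset with `rules_for_port "$(iptables-save)" 80` and `unscoped_redirects "$(iptables-save)"`; whether the REDIRECT carries an `-i` for the LAN interface is the first thing to check when a service on a redirected port stops answering from outside.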