LinuxQuestions.org


sedulous 10-03-2003 07:44 AM

iptables; confusing internal access error
 
This sure is confusing.

I have a rh8 gateway, which acts as router, firewall, etc.

This is my iptables script.

The problem is that only two workstations, 192.168.0.2 and 192.168.0.3, can access all ports; however, my recent addition, a Dell Inspiron laptop at 192.168.0.4, cannot access anything other than higher ports (> 1024) and the squid proxy for internet surfing.

Quote:

###############################################
#
# Set input, forward policies to DROP everything
# and flush existing rules
#
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -P FORWARD DROP
#we want to allow everything out
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
#
########################

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth1 -j MASQUERADE
echo "1"> /proc/sys/net/ipv4/ip_forward

# Allow established and related packets back in:
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all packets on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

local_net=192.168.0.0/24
# allow from local net
iptables -A INPUT -s $local_net -j ACCEPT
# allow all from trusted lan hosts
iptables -A FORWARD -s $local_net -i eth0 -o eth1 -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth1 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 113 -j DNAT --to 192.168.0.3

# Accept SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# Accept POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT

The only thing I can think of that would be the problem is my previous iptables script
Quote:

###############################################

# Squid Server
#
/sbin/iptables -A INPUT -i $extint -p tcp --sport 80 -d $extip --dport 1024:65535 -j ACCEPT

#############################################
/sbin/iptables -t nat -A PREROUTING -i $intint -p tcp --dport 80 -j REDIRECT --to-port 3128

Those two tables.


This machine 192.168.0.4 - notebook - is running Windows XP Home.


Any ideas.

Thanks in advance.

clacour 10-05-2003 02:21 PM

I don't see anything in this that would treat the XP box differently from any of the others. A possibility: Maybe something on the XP box is preventing you from accessing certain ports.

No, the more I think about it, that doesn't make much sense, but it brings up a point that needs clarifying. What do you mean when you say "can't access ports below 1024"? Are you trying to do things like telnet and ftp? If so, double-check your hosts.allow. It might not be the firewall preventing you from getting in.

I did see something else that worried me about your firewall script, though.


Quote:

# Set input, forward policies to DROP everything
# and flush existing rules
#
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -P FORWARD DROP
#we want to allow everything out
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
#########################

Unless things changed drastically between ipchains and iptables, flushing a chain/table (iptables -F xxx) wipes out everything that was done before on that table, and the default setting is "accept". So if you have your flush (-F input) AFTER your policy (-P input DROP), it's going to get wiped out.

All of that becomes moot in this case, though, because of what you have below:

Quote:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth1 -j MASQUERADE

This is setting your policy to ACCEPT, and you don't have any DENY rules, so effectively, you have no firewall at all.

If this is the firewall script you were using to test the XP box, I can almost guarantee that your problem is not the firewall, because this script effectively turned it off. (ACCEPT on everything is the "turned off" state.)

Do an "iptables -nL" to double-check my logic, but if you don't see any DROP rules, you might as well just shut the firewall off. It's not doing you any good.

I would recommend setting each chain/table up this way:

iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT ~~~~~ (rule 1) ~~~~~~~
iptables -A INPUT ~~~~~ (rule 2) ~~~~~~~

and so on.

An input policy of "DROP" is a major pain in the butt (believe me, I know!), but if you use a policy of ACCEPT, then you have to depend on getting every DROP that you need right, or else there's a hole in your armor. I don't know about you, but I stopped being perfect years ago.

Good luck,

CHL
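
The structure clacour recommends (flush, then policy DROP, then explicit ACCEPT rules), applied to sedulous's gateway as an added example that is not the poster's script. It assumes from the thread that eth0 is the LAN side, eth1 the Internet side, squid listens on 3128 and SMTP/POP3 run on the gateway, and 192.168.0.3 answers ident; it goes beyond the original by adding the stateful INPUT rule and the FORWARD return path that a DROP policy needs, and it only prints the commands unless DRY_RUN is cleared.

```shell
#!/bin/sh
# Added example, not sedulous's script: the same gateway rebuilt in the order
# clacour recommends (flush, then policy DROP, then explicit ACCEPT rules).
# Assumed from the thread: eth0 = LAN, eth1 = Internet, squid on 3128 and
# SMTP/POP3 on the gateway itself, 192.168.0.3 answers ident (113).
# DRY_RUN=1 (the default) only prints the commands; run as root with
# DRY_RUN= to apply them.
DRY_RUN="${DRY_RUN-1}"
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/24     # the network address, not 192.168.0.1/24

run() { if [ -n "$DRY_RUN" ]; then echo "$@"; else "$@"; fi; }

gateway_rules() {
    # 1. Flush first, then set the policy, so the DROP policy is what is left.
    for c in INPUT FORWARD OUTPUT; do run /sbin/iptables -F "$c"; done
    run /sbin/iptables -t nat -F PREROUTING
    run /sbin/iptables -t nat -F POSTROUTING
    run /sbin/iptables -P INPUT DROP
    run /sbin/iptables -P FORWARD DROP
    run /sbin/iptables -P OUTPUT ACCEPT

    # 2. Only what is listed here gets in; everything else hits the DROP policy.
    run /sbin/iptables -A INPUT -i lo -j ACCEPT
    run /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run /sbin/iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run /sbin/iptables -A INPUT -i "$WAN_IF" -p tcp --dport 25 -j ACCEPT
    run /sbin/iptables -A INPUT -i "$WAN_IF" -p tcp --dport 110 -j ACCEPT
    run /sbin/iptables -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 1/s -j ACCEPT

    # 3. FORWARD with a DROP policy needs the return path as well; LAN->WAN
    #    alone would silently eat every reply coming back from the Internet.
    run /sbin/iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run /sbin/iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. NAT: masquerade the LAN, send LAN web traffic through squid, ident to .3
    run /sbin/iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run /sbin/iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
    run /sbin/iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 113 \
        -j DNAT --to 192.168.0.3
    run sysctl -w net.ipv4.ip_forward=1
}

gateway_rules
```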

sedulous 10-07-2003 01:59 AM

Yes, thanks for your reply.

I see a few problems with the firewall - yes there are a few flaws.

So I've fixed them.

Problem is still the same. I can't access ports below 1024. For example ftp, pop3, etc.

I can use web browsing no problem.

I am pretty sure it's a problem on the XP box.

I'll check the hosts.allow file just in case.
:)

Thanks

sedulous 10-07-2003 02:01 AM

As I said before, ftp and mail server access is restricted; however, I can access everything hosted on the gateway/server machine.

sedulous 10-09-2003 09:35 AM

I think it's a problem with my caching nameserver. I think I half set it up! So the only thing I could access was my gateway.

I removed the drop, and filtered it by a few accept rules.

I've changed the XP machine to rh9 now, and now I can't access anything other than squid's proxy - i.e. web browsing.

clacour 10-09-2003 08:46 PM

I've gotten a little lost. If I've understood and remembered everything right, you have:

A Linux gateway/firewall machine (192.168.0.1) which can get to any port (telnet, ssh, ftp, http, etc) on any machine, local or Internet.

You have two workstations (192.168.0.2 and -.3) which use 192.168.0.1 as their gateway, and can get to any port on any machine.

You have a new laptop, which was running XP and is now running RH 9, which can get to ports above 1024 on Internet addresses, and can get to any port on the gateway machine. (I strongly suspect it will be able to get to any port on the other two workstations, although I don't think you've said.)

This one canNOT get to ports below 1024 on Internet hosts, so you can't do things like FTP from any Internet site.

One thing I don't think you've mentioned: How does it fail? You've said "I don't have access", but what tells you that?

I'd like to see a few things:

Contents of your firewall script (current).
Output of "route" on your gateway machine
Output of "route" on one of the working desktops
Output of "route" on the laptop

Contents of "/etc/resolv.conf" on the gateway.
Contents of "/etc/resolv.conf" on a working workstation.
Contents of "/etc/resolv.conf" on the laptop.

It shouldn't matter, but I did notice an oddity in your firewall script. Your line that says "iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth1 -j MASQUERADE" should be 192.168.0.0, I'm pretty sure. With the /24 on there, that shouldn't make any difference, but a problem with the forwarding rules would make excellent sense, given the symptoms.

Given that you've had the problem with both XP and RH9, it almost HAS to be on your firewall box.

sedulous 10-09-2003 11:52 PM

Sorry, thanks for your reply.

I forgot to mention that I did fix it. It was indeed my firewall box. One line right at the bottom of the firewall script was uncommented. It was a DENY all.

Testing different accessing of ports at different times led me to the conclusion that one machine could access ports XY and the other couldn't. Thanks for your help.


I think I'll search around for a good Linux iptables guide and secure my box. Thanks for your help nevertheless.
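
Both findings in this thread, clacour's "policy ACCEPT and no DROP rules means no firewall" and the stray deny-all at the bottom that sedulous eventually found, show up in an `iptables -nvL` listing. The following is an added example, not code from the thread, that audits such a listing for exactly those two conditions; the listing it reads is constructed for the example, not real output from sedulous's box.

```shell
#!/bin/sh
# Added example, not from the thread: an audit of `iptables -nvL` output that
# reports the two things this thread turned on, a chain whose policy is ACCEPT
# with no DROP/REJECT rule (clacour's "no firewall at all") and a catch-all
# DROP like the deny-all sedulous found, which makes every rule after it dead.
# -v matters: plain -L hides the in/out columns, so "-i eth1 -j DROP" would be
# indistinguishable from a real catch-all.

audit_rules() {
    awk '
    function finish() {
        if (chain != "" && policy == "ACCEPT" && drops == 0)
            printf "%s: policy ACCEPT and no DROP/REJECT rules, this chain filters nothing\n", chain
    }
    /^Chain /                { finish(); chain = $2; policy = ($3 == "(policy") ? $4 : ""
                               drops = 0; n = 0; shadow = 0; next }
    $1 == "pkts" || NF == 0  { next }       # column header line or blank separator
    {
        n++
        if (shadow) {
            printf "%s: rule %d (%s) is unreachable, rule %d drops everything first\n", chain, n, $3, shadow
            next
        }
        if ($3 == "DROP" || $3 == "REJECT") drops++
        # DROP, any protocol, any in/out interface, any address, no extra match
        if ($3 == "DROP" && $4 == "all" && $6 == "*" && $7 == "*" &&
            $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9)
            shadow = n
    }
    END { finish() }'
}

# Constructed listing for the example (not real output from the thread).
SAMPLE_LISTING="Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   30  2400 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 ACCEPT     all  --  eth0   eth1    192.168.0.0/24       0.0.0.0/0
"
audit_sample() { printf '%s' "$SAMPLE_LISTING" | audit_rules; }

audit_sample
```

On a live box, `iptables -nvL | audit_rules` runs the same check against the real ruleset.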

