Iptables and reject rules
Hi
Working on a new firewall script. My default rule is:
Code:
iptables -P INPUT DROP
This does not seem to work from internal (eth2) and dmz (eth1):
Code:
iptables -P FORWARD -i eth2 -j REJECT
In your first code block, you're setting chain policies, so the -P is fine. In the second code block, you're creating actual rules, so you don't use -P anymore. You need to either append (-A) or insert (-I) the rules. See man iptables for more info.
Well I tried that as well and added the following rules:
Forward:
Code:
# reject all other traffic not explicitly allowed between DMZ and LAN
Code:
# reject internal traffic in on eth2 and eth1 instead of default drop
Code:
Connection timed out
Show us what your INPUT chain's current configuration looks like:
Code:
iptables -nvL INPUT
Here are my input rules:
Code:
# standard rules: stops everything by default without a sound ###################
That shows us what you wish to have, not what you actually do have.
The command I posted, OTOH, would show us your actual/current configuration.
Here is the result:
Code:
I can't see anything wrong there (relevant to the issue at hand, at least). Could you add a LOG rule to the end of the INPUT chain then check the log file for evidence that the packet is getting sent to DROP by the policy?
Code:
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
One of the members of my LUG gave a presentation about iptables and posted his script to the LUG's website. Maybe it will help.
I have three NICs in the gateway:
Code:
eth0 - wan link,
We kinda knew that already. :)
Do you have the log file snippet(s) ready to share?
So I added the following at the end of my INPUT rules:
Code:
#Internet 2 firewall
Code:
May 3 19:45:43 dc7700 kernel: [ 831.913563] IN=eth1 OUT= MAC=00:0f:fe:50:54:0f:90:e6:ba:0a:4b:cf:08:00 SRC=192.168.10.4 DST=192.168.10.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=27959 DF PROTO=TCP SPT=39681 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
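An added example (not from this thread) for the step the earlier reply suggested: once the LOG rule sits at the end of INPUT, the kernel log fills with lines like the one above, and reading them raw gets old fast. This POSIX shell/awk snippet reduces each logged packet to interface, source, destination and protocol, and a second function counts hits per destination port. The sample lines are constructed for the example (the first mirrors the line posted above, with the suggested "INPUT DROP: " prefix added); the field names are the standard ones the LOG target writes.

```shell
#!/bin/sh
# Added example, not part of the thread. Summarize iptables LOG output so the
# packets that fall through to the INPUT policy are easy to spot.
# Output format per logged packet:
#   <in-iface> <src>:<sport> -> <dst>:<dport> <proto>
# "-" is printed where a field is absent (e.g. no ports for ICMP, empty IN=).

summarize_log_drops() {
    # Reads kernel log lines on stdin; only lines carrying an IN= field are
    # considered. Every KEY=VALUE token is split; bare flags like DF are skipped.
    awk '
    /IN=/ {
        iface = "-"; src = ""; dst = ""; proto = "-"; spt = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if (index($i, "=") == 0) continue
            split($i, kv, "=")
            if (kv[1] == "IN" && kv[2] != "") iface = kv[2]
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "SPT")   spt   = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (src != "" && dst != "")
            printf "%s %s:%s -> %s:%s %s\n", iface, src, spt, dst, dpt, proto
    }'
}

# Count how often each destination port shows up, most frequent first; handy for
# telling "one client retrying telnet" from "something probing the firewall".
count_by_dport() {
    summarize_log_drops | awk '{ split($4, d, ":"); print d[2], $5 }' | sort | uniq -c | sort -rn
}

# Constructed sample: the first line mirrors the one posted in the thread (with the
# log prefix from the LOG rule added); the other two are made up for the example.
# In real use you would pipe e.g. grep "INPUT DROP:" /var/log/kern.log into the function.
SAMPLE_LOG='May  3 19:45:43 dc7700 kernel: [  831.913563] INPUT DROP: IN=eth1 OUT= MAC=00:0f:fe:50:54:0f:90:e6:ba:0a:4b:cf:08:00 SRC=192.168.10.4 DST=192.168.10.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=27959 DF PROTO=TCP SPT=39681 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 19:45:46 dc7700 kernel: [  834.922101] INPUT DROP: IN=eth1 OUT= MAC=00:0f:fe:50:54:0f:90:e6:ba:0a:4b:cf:08:00 SRC=192.168.10.4 DST=192.168.10.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=27960 DF PROTO=TCP SPT=39682 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 19:45:50 dc7700 kernel: [  838.101234] INPUT DROP: IN=eth2 OUT= MAC=00:0f:fe:50:54:0e:00:11:22:33:44:55:08:00 SRC=192.168.20.7 DST=192.168.20.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1'

# Usage: one summary line per packet, then the per-port tally.
printf '%s\n' "$SAMPLE_LOG" | summarize_log_drops
printf '%s\n' "$SAMPLE_LOG" | count_by_dport
```

On the sample the summary shows both telnet SYNs from 192.168.10.4 on eth1 and the ICMP echo from eth2, which is exactly the "is the policy eating it?" evidence the reply asked for: if a packet you expected a REJECT rule to answer appears here, it never matched that rule.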
I tried to do one thing now, I added the following line to my output chain:
Code:
iptables -A OUTPUT -p ICMP -j ACCEPT
/Andy
So I did some additional testing, and added the following lines to my OUTPUT chain:
Code:
iptables -A OUTPUT -p ICMP -o eth1 --icmp-type port-unreachable -j ACCEPT
Any feedback to this conclusion?
/Andy.l
I would just add that you don't really need to do any ICMP matching here. As long as you're matching packets in state RELATED, you'll be fine. I had actually assumed you were matching both RELATED and ESTABLISHED. Using these state matches in the OUTPUT chain is usually a better idea than specifying a protocol/port/code/etc, as it prevents arbitrarily-generated packets from exiting. Practically speaking, you could get rid of those two rules with a single one like:
Code:
iptables -A OUTPUT -m state --state RELATED -j ACCEPT
Personally, I prefer to just kill two birds with one stone:
Code:
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
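Pulling the replies together, here is an added example (not the OP's script, not anyone's production config) of a minimal ruleset for the three-interface layout described above (eth0 WAN, eth1 DMZ, eth2 LAN), written the way the thread recommends: -P only for chain policies, -A for the REJECT rules, a RELATED,ESTABLISHED match in OUTPUT so the ICMP errors that REJECT generates can actually leave the box, and a LOG rule at the end of INPUT and FORWARD. The allowed services (SSH from the LAN, HTTP into the DMZ, firewall-initiated traffic to the WAN) are placeholders and NAT is left out. It is a dry run by default (IPT defaults to "echo iptables"), which is also how the small lint function that catches the "-P with match options" mistake from the first post can be exercised without root.

```shell
#!/bin/sh
# Added example (not the thread's script): three-interface ruleset built the way the
# replies advise. Dry run by default; run with IPT=iptables as root to apply.
WAN=eth0   # internet link
DMZ=eth1   # dmz
LAN=eth2   # internal LAN
IPT="${IPT:-echo iptables}"

build_ruleset() {
    $IPT -F
    $IPT -X

    # -P sets a chain's default policy and takes only "<chain> <ACCEPT|DROP>";
    # it cannot carry -i/-j, which is why "-P FORWARD -i eth2 -j REJECT" fails.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # loopback, then replies to connections the firewall itself accepted or opened
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT      # placeholder: admin SSH from LAN

    # OUTPUT: one state rule covers reply traffic AND the ICMP errors that REJECT
    # emits (they are RELATED to the rejected packet), so no per-ICMP-type rules.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o $WAN -m state --state NEW -j ACCEPT   # placeholder: firewall-initiated (DNS, updates)

    # FORWARD: replies, LAN to internet, LAN to the DMZ web server, DMZ to internet
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -p tcp --dport 80 -j ACCEPT   # placeholder service
    $IPT -A FORWARD -i $DMZ -o $WAN -j ACCEPT

    # Internal interfaces get an explicit REJECT (client sees an immediate error)
    # instead of the silent policy DROP; these are rules, hence -A rather than -P.
    $IPT -A INPUT -i $LAN -j REJECT
    $IPT -A INPUT -i $DMZ -j REJECT
    $IPT -A FORWARD -i $LAN -j REJECT
    $IPT -A FORWARD -i $DMZ -j REJECT

    # Last: log whatever is left (WAN traffic) before the policy drops it.
    $IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
}

# Lint for the mistake in the first post: a -P line with anything other than
# "<chain> <ACCEPT|DROP>" after it. Reads rule lines on stdin, exits 1 on a bad one.
lint_policy_lines() {
    awk '
    / -P / {
        n = split($0, f, " ")
        for (i = 1; i <= n; i++) if (f[i] == "-P") break
        if (n - i != 2 || f[i + 2] !~ /^(ACCEPT|DROP)$/) { print "bad policy line: " $0; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Dry run: print the generated rules, then lint them.
rules=$(build_ruleset)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | lint_policy_lines
```

Order matters in the internal chains: the specific ACCEPTs for LAN and DMZ come before the interface-wide REJECTs, and the REJECTs come before the LOG rule, so only traffic with no explicit rule (here, anything arriving on eth0) reaches the log and the policy. Feeding the first post's "iptables -P FORWARD -i eth2 -j REJECT" to lint_policy_lines reports it as a bad policy line, since a policy takes neither -i nor -j and REJECT is not a valid policy target.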