Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've got a question regarding IPTables. I have configured IPTables through Guarddog to enable range port 6882-6889 UDP to get Bittorrent connectios go faster, but in the logs the firewall drops the connections.
You can use UDP connections as well for decentralized transfer. But the question here is why if I have a rule that enables UDP connections on range port 6882-6889, the firewall drops them
Well whilst you have the rule in there, the table it's in is only referenced by the OUTPUT table, but it's the INPUT table that would be reciving this packet. i don't know guarddog so don't know how that relates to the UI, but essentially it's looking for outbound data, not inbound data, which it should be.
As far as I understand, what that rule say is that any traffic from any IP and port directed to UDP range 6882-6889 on my machine has to be allowed. Is that wright? If not, what should the rule be to achieve that?
the rule in itself is fine, but it appears to be in the wrong place. if you look at the tables above, incoming data startings with the INPUT table, and that hooks into the guarddog tables with the reference to the srcfilt table. that references s0, and s0 references f0to1. f0to1 then ends up referncing logdrop, which is what's doing the logging and dropping you're seeing. at no stage does incoming data get anywhere near that rule.
OK, I decided to build a firewall myself from what I learned here and some piece of script of Guarddog itself.
I'd like if someone could comment on the firewall. Weaknesses that might have and this kind of things.
Code:
# Generated by Hammett on Mon 10th Sep 2007
*filter
# Shut down all traffic
-P FORWARD DROP
-P INPUT DROP
-P OUTPUT DROP
# Clear all rules
-F
-X
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o 127.0.0.1 -j ACCEPT
# Allow DNS
-A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
-A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
-A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
-A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow HTTP,HTTPS
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Allow ftp
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 20:21 -j ACCEPT
# Allow ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow Bit-torrent connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6881:6999 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 6881:6999 -j ACCEPT
# Allow MSN Messenger
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1863 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 1863 -j ACCEPT
# Allow eDonkey
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4661:4662 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4665:4666 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 4661:4662 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 4665:4666 -j ACCEPT
# Allow IRC
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 6665:6669 -j ACCEPT
# LOG everything that does not fit on the rules above
-N logdrop
-A logdrop -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
-A logdrop -j DROP
COMMIT
It seems the system is not logging the dropped packets. I copied the script from Guarddog, but seems not to work on this one
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
