Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
The thing is every time I try to SSH back into my box I also try FTP and that will not work.
I dont know, Ive been playing with that gShield. Im going to try to make a configuration as close as I can to the script and see what differences it makes. That may help me to discover what the problem is with my script.
In your ftp part of the firewall you only allow ESTABILISHED and RELATED, not NEW packets, so a connection cannot be made (or I can't see the right fragment).
Several large problems in both versions of rules,
but a couple of questions first...
You are Masquerading everything outward on eth1, which means it is your "Internet" interface, YES?
You are directing traffic to a couple of internal servers, 10.0.0.3 & 4 YES?
You have some servers on the firewall, at least http, ssh, ftp YES?
There are a lot of OUTPUT rules, which will block any traffic the firewall itself generates, including dns queries which ssh may want for verification.
I suggest you comment them ALL out and change the POLICY to ACCEPT. There should be no reason to mistrust what the firewall itself generates, not just yet...
Remove the INPUT -s *my.ip.add.ress* -j DROP rule. The rp_filter does this.
I suggest you add some -j LOG rules immediately before any -j DROP rules and last of all on any DROP POLICY chains, to catch the information until you get an idea what is happening. eg
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "INPUT_NEW_!_SYN " --log-level 6
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
These can be viewed with "tail -f /var/log/messages" in a default syslog install.
I suggest you add at least...
iptables -A FORWARD -i eth1 -o eth0 -p tcp ! --syn -m state NEW -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state INVALID -j DROP
iptables -A FORWARD -i eth1 -o eth0 -f -j DROP
for protection in the FORWARD chain. Fragments should be handled inside netfilter automatically, but in case...
Because there are similar port descriptions in the INPUT chain and the PREROUTING chains, I think you may be confusing the packet paths.
INPUT is only used for packets which will stop on the firewall, usu at a server on the firewall.
FORWARD is for the packets going to LAN based servers.
Forwarded packets go through PREROUTING, FORWARD & POSTROUTING chains
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
