I have Gentoo running on a P4 box, 2 NICs, etc. All networking works, and all services work (I'm a Cisco net admin, so I know how to use most of this stuff), BUT I cannot for the life of me figure out why iptables is selectively allowing some ports through and not others, and by selective I mean it's only honoring SOME of the ACL rules I entered. Keep in mind the ports in question are open locally and the services on them respond locally. As well, SOME services are going through the firewall fine, but not always the same one, and for all I can tell it changes based on the clouds outside.
For instance:
port 80 (HTTP): has never worked, though it's a new service
port 21: worked fine, now doesn't work
port 22: worked fine, now doesn't work; selectively works, then quits
port 1337 (IRC): works perfectly all the time.
All of the access rules for those ports are IDENTICAL other than the port number, so there is no difference between them.
I will paste my saved rules file here; I need to know why iptables is not passing these ports through while passing others fine. I can provide any information needed; I'm good with Linux, so ask for a command result and I'll provide it (ls -l, ps -A, etc.).
/var/lib/iptables/rules-save
I removed the numbers ([0:0] etc.) before each line for ease of reading here; they're still in the real file.
# Generated by iptables-save v1.3.4 on Wed Jun 21 02:07:11 2006
*filter
:INPUT ACCEPT [435378:613163056]
:FORWARD DROP [162:8356]
:OUTPUT ACCEPT [10632076:603304402]
:PREROUTING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 1337 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -i ppp0 -j ACCEPT
COMMIT
# Completed on Wed Jun 21 02:07:11 2006
# Generated by iptables-save v1.3.4 on Wed Jun 21 02:07:11 2006
*nat
:PREROUTING ACCEPT [327155:24925561]
:POSTROUTING ACCEPT [2442:194212]
:OUTPUT ACCEPT [6294:444377]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 21 02:07:11 2006
# Generated by iptables-save v1.3.4 on Wed Jun 21 02:07:11 2006
*mangle
:PREROUTING ACCEPT [75167183:96597472404]
:INPUT ACCEPT [65541943:91444787711]
:FORWARD ACCEPT [9622118:5152451221]
:OUTPUT ACCEPT [43409298:2110202814]
:POSTROUTING ACCEPT [53012444:7260847720]
COMMIT
# Completed on Wed Jun 21 02:07:11 2006
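Added example, not code from the original post: a small Python model of iptables first-match evaluation, run over a constructed copy of the INPUT chain exactly as posted above. It implements only the matches the posted rules use (-i, -i !, -p, --dport, -j) and no connection tracking, and it reports, for a TCP packet arriving on ppp0, which rule decides each of the four ports, first with the chain in the posted order and then with the ACCEPT rules moved above the REJECT/DROP rules.

```python
"""
First-match model of the INPUT chain from the post above.

Added example, not the original poster's code. It implements only the
matches the posted rules use (-i, -i !, -p, --dport, -j), no connection
tracking, and evaluates the chain the way the kernel does: top to bottom,
the first matching rule decides, and the chain policy applies if none match.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INPUT_POLICY = "ACCEPT"  # from ":INPUT ACCEPT [...]" in the posted file

# Constructed copy of the posted INPUT chain, in the posted order.
INPUT_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 1337 -j ACCEPT
""".splitlines()


@dataclass(frozen=True)
class Rule:
    iface: Optional[str]    # interface to compare against, None = any
    iface_negated: bool     # True for the "-i ! eth0" form
    proto: Optional[str]    # "tcp", "udp" or None = any
    dport_lo: int           # inclusive destination port range
    dport_hi: int
    target: Optional[str]   # ACCEPT, DROP or REJECT; None = rule has no -j
    text: str               # the original line, for reporting


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables-save syntax used in the chain above."""
    toks = shlex.split(line)
    iface, negated, proto, lo, hi, target = None, False, None, 0, 65535, None
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-i" and toks[i + 1] == "!":     # iptables 1.3.x negation style
            iface, negated, i = toks[i + 2], True, i + 3
        elif t == "-i":
            iface, i = toks[i + 1], i + 2
        elif t == "-p":
            proto, i = toks[i + 1], i + 2
        elif t == "--dport":                     # "22" or "0:1023"
            a, _, b = toks[i + 1].partition(":")
            lo, hi, i = int(a), int(b or a), i + 2
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        else:
            i += 1                               # -A INPUT, -m tcp, --reject-with ...: not needed here
    return Rule(iface, negated, proto, lo, hi, target, line)


def parse_chain(lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines]


def matches(rule: Rule, in_iface: str, proto: str, dport: int) -> bool:
    # plain -i wants equality; "-i !" wants inequality
    if rule.iface is not None and (in_iface == rule.iface) == rule.iface_negated:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return rule.dport_lo <= dport <= rule.dport_hi


def evaluate(rules: List[Rule], policy: str, in_iface: str, proto: str,
             dport: int) -> Tuple[str, Optional[str]]:
    """Walk the chain top to bottom; return (verdict, deciding rule) or (policy, None)."""
    for rule in rules:
        if rule.target and matches(rule, in_iface, proto, dport):
            return rule.target, rule.text
    return policy, None


def accepts_first(rules: List[Rule]) -> List[Rule]:
    """Reorder so every ACCEPT precedes the REJECT/DROP rules (allow, then deny)."""
    return ([r for r in rules if r.target == "ACCEPT"]
            + [r for r in rules if r.target != "ACCEPT"])


def verdicts_from_ppp0(rules: List[Rule],
                       ports=(21, 22, 80, 1337)) -> Dict[int, Tuple[str, Optional[str]]]:
    """Verdict for a TCP packet to each port arriving on ppp0 (the Internet side)."""
    return {p: evaluate(rules, INPUT_POLICY, "ppp0", "tcp", p) for p in ports}


if __name__ == "__main__":
    posted = parse_chain(INPUT_RULES)
    for label, chain in (("as posted", posted), ("ACCEPTs moved above DROPs", accepts_first(posted))):
        print(f"== INPUT chain {label} ==")
        for port, (verdict, rule) in verdicts_from_ppp0(chain).items():
            print(f"tcp/{port:<5} from ppp0 -> {verdict:<7} via {rule or 'chain policy'}")
```

Running it shows that, in the posted order, tcp/21, 22 and 80 arriving on ppp0 hit `-i ! eth0 -p tcp --dport 0:1023 -j DROP` before their own ACCEPT rules are ever reached, while tcp/1337 lies outside that range and falls through to its ACCEPT; with the ACCEPT rules placed first, all four are accepted. The model also makes a second property of the posted chain visible: the INPUT policy is ACCEPT, so any port above 1023 on ppp0 with no explicit rule (tcp/8080 in the check below) is accepted by default.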