Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
09-30-2016, 02:08 AM
#1
Member
Registered: Dec 2006
Posts: 606
Rep:
IPTables Firewall Rule
Hello to all, I tried to set up the firewall with the following rules, but it fails to connect to the internet.
Please advise.
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.124.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.124.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_block all -- anywhere anywhere
FWDO_block all -- anywhere anywhere
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_FedoraWorkstation_allow (0 references)
target prot opt source destination
Chain FWDI_FedoraWorkstation_deny (0 references)
target prot opt source destination
Chain (0 references)
target prot opt source destination
Chain FWDO_block (2 references)
target prot opt source destination
FWDO_block_log all -- anywhere anywhere
FWDO_block_deny all -- anywhere anywhere
FWDO_block_allow all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FWDO_block_allow (1 references)
target prot opt source destination
Chain FWDO_block_deny (1 references)
target prot opt source destination
Chain FWDO_block_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Why can I still not browse?
I want to keep my firewall closed on all ports but allow outgoing connections and keep state with the firewall.
Please help.
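The INPUT chain quoted above has policy DROP, opens with an unconditional DROP, and contains no rule admitting RELATED,ESTABLISHED traffic, so the replies to every connection the host opens are discarded no matter what OUTPUT allows (note that plain `iptables -L` hides interface matches, so `iptables -vnL` is the listing to trust). The script below is an added example, not code from any poster in this thread: a stateful layout that does what the post asks for (closed inbound, open outbound, replies tracked), plus a small check that reads an `iptables -L INPUT` listing and flags a blanket DROP or REJECT that precedes the conntrack accept. The two listings embedded in it are constructed copies of the shapes seen in this thread. By default it is a dry run that prints the commands; set `IPT=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: IPT=iptables applies.
IPT="${IPT:-echo iptables}"

# Stateful host firewall: nothing new comes in, everything may go out,
# and connection tracking lets the replies back.
host_firewall() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    # Loopback is used by local services (resolvers, databases, X); keep it open.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened. This rule must come before any
    # blanket DROP, otherwise every outbound connection silently fails.
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Packets that belong to no known connection (scans, stray RSTs) are dropped early.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Log what is about to be dropped, rate-limited so the log cannot be flooded.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A INPUT -j DROP
}

# check_input_listing < listing
# Reads an `iptables -L INPUT` listing on stdin and prints "ok" if an ACCEPT for
# RELATED,ESTABLISHED appears before any blanket DROP/REJECT, else "broken".
# Heuristic: `-L` without -v hides -i/-o matches, so a "DROP all anywhere anywhere"
# line is treated as unconditional; confirm with `iptables -vnL INPUT`.
check_input_listing() {
    awk '
        NR <= 2 { next }      # skip "Chain INPUT ..." and the column header
        $1 == "ACCEPT" && /RELATED,ESTABLISHED/ { result = "ok"; exit }
        ($1 == "DROP" || $1 == "REJECT") && $2 == "all" && $4 == "anywhere" && $5 == "anywhere" \
            && (NF == 5 || $6 == "reject-with") { result = "broken"; exit }
        END { print (result == "" ? "broken" : result) }
    '
}

# Constructed listing in the shape of the chain quoted in post #1.
OP_INPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere'

# Constructed listing in the shape produced by host_firewall above.
FIXED_INPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere'

# Demonstration: print the ruleset (dry run) and check both listings.
host_firewall
printf '%s\n' "$OP_INPUT" | check_input_listing      # broken
printf '%s\n' "$FIXED_INPUT" | check_input_listing   # ok
```

To review a live machine, pipe the real listing through the check: `iptables -L INPUT | sh -c '. ./fw.sh; check_input_listing'` (assuming the script is saved as `fw.sh`). The ordering matters more than the individual rules: iptables stops at the first match, so a blanket DROP above the conntrack ACCEPT makes the ACCEPT unreachable.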
09-30-2016, 04:23 AM
#2
Senior Member
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240
Rep:
Is this a router or are you trying to connect from this computer?
Given your forward chain, I take it to be a router.
If that is so, you need to apply SNAT.
iptables -t nat -vnL. What does this command show?
09-30-2016, 10:24 PM
#3
Member
Registered: Dec 2006
Posts: 606
Original Poster
Rep:
Quote:
Originally Posted by
vincix
Is this a router or are you trying to connect from this computer?
Given your forward chain, I take it to be a router.
If that is so, you need to apply SNAT.
iptables -t nat -vnL. What does this command show?
There is a router connected to this computer.
Quote:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 66 packets, 4659 bytes)
pkts bytes target prot opt in out source destination
66 4659 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 66 packets, 4659 bytes)
pkts bytes target prot opt in out source destination
2 159 RETURN all -- * * 192.168.124.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.124.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.124.0/24 !192.168.124.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.124.0/24 !192.168.124.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.124.0/24 !192.168.124.0/24
64 4500 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
64 4500 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
64 4500 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
64 4500 POST_block all -- * + 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_block (1 references)
pkts bytes target prot opt in out source destination
64 4500 POST_block_log all -- * * 0.0.0.0/0 0.0.0.0/0
64 4500 POST_block_deny all -- * * 0.0.0.0/0 0.0.0.0/0
64 4500 POST_block_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_block_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_block_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_block_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 PRE_block all -- + * 0.0.0.0/0 0.0.0.0/0
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_block (1 references)
pkts bytes target prot opt in out source destination
0 0 PRE_block_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PRE_block_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PRE_block_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_block_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_block_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_block_log (1 references)
pkts bytes target prot opt in out source destination
Please help.
10-01-2016, 12:48 PM
#4
Senior Member
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240
Rep:
So then I take it that you're trying to connect FROM this computer, right?
If that's the case, then it makes no difference what is going on in your NAT tables, unless this computer acts as a router.
You need to offer more information. What is your IP address, netmask, gateway? Does the router offer DHCP? How is it connected exactly?
10-02-2016, 12:57 AM
#5
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Rep:
Even if it is acting as a router, it will still not need to NAT the outgoing traffic, as it will use the correct interface for where the traffic is destined.
10-02-2016, 01:02 AM
#6
Senior Member
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240
Rep:
Quote:
Originally Posted by
lazydog
Even if it is acting as a router, it will still not need to NAT the outgoing traffic, as it will use the correct interface for where the traffic is destined.
Well, the OP hasn't really given a lot of info, but it does depend on where that router is placed, which we don't know, really. If it gets a public IP, he'd obviously need NAT for the other computers behind it.
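For the case vincix raises in post #2 and the thread debates in posts #4 to #6 (this host forwarding for a LAN behind it), here is an added example that is not code from any poster: the FORWARD and nat rules a NAT router needs, and a check that reads an `iptables -t nat -vnL POSTROUTING` listing like the one in post #3 and reports whether a MASQUERADE or SNAT rule exists for a given source subnet. The interface names `eth1` (LAN) and `eth0` (WAN) and the subnet 192.168.1.0/24 are assumptions, and the embedded listing is a constructed copy of post #3's shape. Note that the MASQUERADE rules in post #3 only match sources in 192.168.124.0/24 and their packet counters are zero; a plain client behind a separate router, which is what post #4 asks about, needs none of these rules.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: set IPT=iptables and
# SYSCTL=sysctl to apply for real (needs root).
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# router_firewall LAN_IF WAN_IF LAN_NET
# Forward new connections only from the LAN to the WAN, let replies back, and
# rewrite private source addresses on the WAN side (SNAT via MASQUERADE).
router_firewall() {
    lan_if=$1; wan_if=$2; lan_net=$3
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Replies to connections the LAN opened, then out-of-state junk.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # New connections: LAN -> WAN only, and only from the LAN's own addresses
    # (anything with a spoofed source is dropped by the policy).
    $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -j ACCEPT
    # Private addresses are not routable upstream: masquerade them to the WAN
    # address. Binding the rule to the WAN interface leaves LAN-to-LAN traffic alone.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
}

# nat_has_masq LAN_NET < listing
# Reads an `iptables -t nat -vnL POSTROUTING` listing on stdin; prints "yes" if a
# MASQUERADE or SNAT rule whose source column equals LAN_NET exists, else "no".
# Column layout of -vnL: pkts bytes target prot opt in out source destination.
nat_has_masq() {
    awk -v net="$1" '
        NR <= 2 { next }
        ($3 == "MASQUERADE" || $3 == "SNAT") && $8 == net { found = 1; exit }
        END { print (found ? "yes" : "no") }
    '
}

# Constructed listing in the shape of the POSTROUTING chain quoted in post #3.
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 66 packets, 4659 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   159 RETURN     all  --  *      *       192.168.124.0/24     224.0.0.0/24
    0     0 MASQUERADE all  --  *      *       192.168.124.0/24    !192.168.124.0/24'

# Demonstration: dry-run ruleset, then the check against the sample listing.
router_firewall eth1 eth0 192.168.1.0/24
printf '%s\n' "$SAMPLE_POSTROUTING" | nat_has_masq 192.168.124.0/24   # yes
printf '%s\n' "$SAMPLE_POSTROUTING" | nat_has_masq 10.0.0.0/8          # no
```

The FORWARD policy is DROP and the only accept for new connections is bound to the LAN interface and subnet, so a misconfigured or hostile host on the WAN side cannot initiate anything through the router; the nat rule then only changes the source address of traffic FORWARD already permitted. On a host that merely sits behind someone else's router, ip_forward stays 0 and none of this is reached.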