Hi Greg,
The first rule in my firewall chain does the same thing. It's:

iptables -I acctin 1 -p tcp -m state --state ESTABLISHED -j ACCEPT

That allows any packets that are part of an established connection (no ACK bit in the header) to flow through without having to go through the rest of the rules in the chains. The only reason I do this first - I have a LOT of rules in the acctin chain.

And my second rule is:

iptables -I acctin 2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Which allows any new http packet to flow through. The reason for this - I block out huge parts of the world with /8 and /16 network blocks. This rule allows anyone anywhere to see the webpages on my server, but no FTP, SMTP, POP, IMAP, or SSH. They can still poke around and look for vulnerabilities in the webpages or CMS - but no hacking attempts via other protocols.

Try that first rule to get the ESTABLISHED packets flowing. But to be honest, if the first packets with the ACK bit set flow through - anything after that (considered ESTABLISHED) should flow through too. So that rule really shouldn't be needed.

Oh BTW - the reason your attempt listed below failed is the chain name/location. When you use the -I switch to input a rule, you have to provide the chain name and location. So you provided the chain name "INPUT", but not where in that chain. As you can see in my inputs above - I told it to put the rule in the "acctin" CHAIN and slot number 1 or 2. You didn't provide where in the chain to insert that rule.

Oh. And just FYI - you tried to use the INPUT chain. That's fine, and will work. But you'll notice that in Blueonyx - the first (and usually only) thing that INPUT chain does is call the "acctin" chain. So I usually do all my changes & inputs in the "acctin" chain instead of the "INPUT" chain. (And yes - those chain names are case sensitive).
Chuck

---------- Original Message -----------
From: Greg Kuhnert <gkuhn...@compassnetworks.com.au>
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
Sent: Wed, 22 Feb 2017 09:16:33 +1100
Subject: [BlueOnyx:20698] Re: errors and issues

> Further informational update... While upgrading the kernel would be helpful, it is not the answer. (I have the same kernel version on a box that does not have this problem).
> This problem is as follows: related and established traffic is not being permitted on the inbound iptables rule. I am not an APF guru, so I tried to add a manual rule as a workaround...
>
> iptables -I INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
>
> # iptables -I INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
> iptables: No chain/target/match by that name.
>
> I had a chat to Chris, and he had a report of someone once with a similar problem but was unable to recall the solution.
>
> My time is diverted elsewhere today - I'll have a look within the next 24 hours... In the meantime, if anyone has some APF wisdom, that might get this in the right direction.
>
> Greg
>
------- End of Original Message -------
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
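The thread above turns on how netfilter walks a chain: first match wins, `-I chain [rulenum]` inserts at a 1-based slot, and a jump into a user chain such as acctin falls back to INPUT when that chain runs out of rules. The following is an added example, not code from the thread, from BlueOnyx or from APF: a small Python model of that traversal, loaded with the two rules Chuck posted in front of some per-network DROPs. The blocked networks (1.0.0.0/8, 2.0.0.0/16), the chain layout and the INPUT default policy are constructed assumptions for the example; the model is not iptables and ignores everything it does not need (interfaces, ICMP, UDP, LOG targets, RETURN rules).

```python
"""Toy first-match model of iptables chain traversal (not iptables itself).
Models rule numbering from 1, `-I <chain> [rulenum]` insertion, `-A` appends,
jumps into user chains (a user chain that runs out of rules returns to its
caller) and the proto / conntrack-state / dport / source-network matches used
in the rules posted in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    src: str            # source IPv4 address
    dport: int          # destination port
    state: str          # conntrack state: NEW, ESTABLISHED or RELATED
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP or the name of a user chain
    proto: Optional[str] = None        # -p tcp
    states: Optional[Set[str]] = None  # -m state --state NEW,ESTABLISHED
    dport: Optional[int] = None        # -m tcp --dport 80
    src: Optional[str] = None          # -s 1.0.0.0/8

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return True


class Filter:
    """One filter table with the built-in INPUT chain plus user chains.
    Chain names are case sensitive, exactly as in iptables."""

    def __init__(self, input_policy: str = "ACCEPT"):
        self.chains: Dict[str, List[Rule]] = {"INPUT": []}
        self.input_policy = input_policy   # assumed -P INPUT policy (example value)

    def new_chain(self, name: str) -> None:             # iptables -N <name>
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A <chain> ...
        self._chain(chain).append(rule)

    def insert(self, chain: str, rule: Rule, rulenum: int = 1) -> None:
        """iptables -I <chain> [rulenum] ...: rules are numbered from 1 and the
        number defaults to 1, so the new rule lands in front of the old one."""
        rules = self._chain(chain)
        if not 1 <= rulenum <= len(rules) + 1:
            raise IndexError(f"Index of insertion too big: {rulenum}")
        rules.insert(rulenum - 1, rule)

    def _chain(self, name: str) -> List[Rule]:
        if name not in self.chains:
            raise KeyError(f"no chain named {name!r} (names are case sensitive)")
        return self.chains[name]

    def verdict(self, pkt: Packet, chain: str = "INPUT") -> Optional[str]:
        """Walk a chain first-match. Returns ACCEPT/DROP, or None when a user
        chain runs out of rules (implicit RETURN to the calling chain)."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in self.chains:              # -j <user chain>
                result = self.verdict(pkt, rule.target)
                if result is not None:
                    return result
                continue                                # fell off the end: carry on here
            return rule.target
        return self.input_policy if chain == "INPUT" else None


def build_example(input_policy: str = "ACCEPT") -> Filter:
    """Constructed approximation of the layout described in the thread: INPUT
    jumps to acctin, acctin holds per-network DROPs, and the two posted rules
    are inserted at slots 1 and 2. The blocked networks are made up."""
    f = Filter(input_policy)
    f.new_chain("acctin")
    f.append("INPUT", Rule(target="acctin"))
    for blocked in ("1.0.0.0/8", "2.0.0.0/16"):        # hypothetical blocks
        f.append("acctin", Rule(target="DROP", src=blocked))
    # iptables -I acctin 1 -p tcp -m state --state ESTABLISHED -j ACCEPT
    f.insert("acctin", Rule(target="ACCEPT", proto="tcp", states={"ESTABLISHED"}), 1)
    # iptables -I acctin 2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    f.insert("acctin", Rule(target="ACCEPT", proto="tcp", states={"NEW"}, dport=80), 2)
    return f


if __name__ == "__main__":
    f = build_example()
    for pkt in (Packet("1.2.3.4", 80, "NEW"), Packet("1.2.3.4", 22, "NEW"),
                Packet("1.2.3.4", 22, "ESTABLISHED"), Packet("9.9.9.9", 22, "NEW")):
        print(pkt, "->", f.verdict(pkt))
```

Running it shows the behaviour Chuck describes: a NEW connection to port 80 from inside a blocked /8 is accepted by slot 2 before the DROP is ever consulted, a NEW connection to port 22 from the same host falls through to the DROP, and any ESTABLISHED tcp packet is accepted at slot 1 regardless of source. A NEW packet from an unblocked host that matches nothing in acctin returns to INPUT and ends at the default policy, which is why the policy assumed here matters for the last case. On a real box the equivalent check is `iptables -L acctin -n -v --line-numbers`, which shows both the slot each rule landed in and the packet counters that tell you whether traffic is actually hitting it.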