On Wed, 2003-08-27 at 23:13, Jacob Anawalt wrote:
> #192.168.1.1 doesn't get any traffic from us
> iptables -A OUTPUT -d 192.168.1.1 -j DROP
>
> That's the 'plumbing' level access to iptables which works for all Linux kernels
> supporting iptables, regardless of distribution. In other words, your rules
> failing on Debian should fail on RH or Mandrake.
I think I've gotten a lot of the concept now, but this isn't what I
meant. Initially I was coming from an understanding of "fstab is a
static file of rules the system reads to set up mounts, .gtkrc is a
static file of rules the system reads to set up GUI"...
Later, there is the issue of when is the system in a configuration where
it needs firewall rules? The Debian manual says runlevels 2-5 are user
runlevels - these are enshrined in the update-rc.d defaults. K(ill)
links are created by default in runlevels 0, 1, 6. Ok.
But my network is up in runlevel 1. (From "telinit 1". I haven't tried
it from the boot prompt.)
And then there's the question of coordination with who-knows-what other
systems that are or aren't starting, stopping, etc.
I meant a picture of where the rules are kept, how they're initialized,
and what the implications are. I can find many sites with info about
how to write rules that do X. I couldn't find a site that told me what
file to put them in.
Now I know there isn't one, and some other things about it all...
> A better post might be:
> What am I doing wrong with iptables rules
>
> Here are my rules. They block all access to the internet, but I can't see
> why.
> #iptables -L
> <output from command>
> #iptables -t <other table(s)> -L
> <output from command(s)>
I've appended my current rules. Email fetches from my pop3 account ok,
but the browser doesn't connect.
> It's pretty apparent that this text has bothered you. Perhaps you could
> post a bug against /etc/default/ipchains with a patch adding additional
> helpful text, like a pointer to netfilter.org and the
> /usr/share/doc/ipchains/README.Debian.gz file and whatever other
> information you think is helpful for newbies.
>
> The solution isn't broken. 'Works for me' :) It just isn't optimal as
> the other posters have pointed out. The ifup-down method sounds very
> sensible. I didn't have an issue with the text, in fact I had a good
> laugh reading it when I set up my system for /etc/init.d/iptables.
I may. For now, I am going to keep studying until I do understand.
Then I'll be in a better position to say why I think this isn't good
language (if I still think it isn't when I get there).
Cheers,
Bret
eth0: 192.168.2.30 assigned by DHCP from gateway/router on cable modem. This is where I browse from.
vmnet1: 192.168.174.1 virtual network device to communicate with VMware Windows 98 session. Requires no access to the outside. A bridge to eth0 provides Internet access from VMware. (I think.)
iptables -t nat -L:
Chain PREROUTING (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain POSTROUTING (policy DROP)
target prot opt source destination
MASQUERADE all -- 192.168.174.0/24 anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- ganesha anywhere
ACCEPT all -- 192.168.2.30 anywhere
ACCEPT all -- 192.168.174.1 anywhere
DROPl all -- anywhere 255.255.255.255
DROPl all -- anywhere 192.168.174.255
DROPl all -- anywhere !192.168.2.30
DROPl all -- !192.168.174.0/24 anywhere
DROPl tcp -- anywhere anywhere tcp dpts:0:tcpmux
DROPl tcp -- anywhere anywhere tcp dpt:daytime
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpt:sunrpc
DROPl tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROPl tcp -- anywhere anywhere tcp dpts:161:162
DROPl tcp -- anywhere anywhere tcp dpt:445
DROPl tcp -- anywhere anywhere tcp dpt:1214
DROPl tcp -- anywhere anywhere tcp dpt:1999
DROPl tcp -- anywhere anywhere tcp dpt:2049
DROPl tcp -- anywhere anywhere tcp dpt:3049
DROPl tcp -- anywhere anywhere tcp dpt:4329
DROPl tcp -- anywhere anywhere tcp dpt:6346
DROPl tcp -- anywhere anywhere tcp dpt:3128
DROPl tcp -- anywhere anywhere tcp dpt:8000
DROPl tcp -- anywhere anywhere tcp dpt:www
DROPl tcp -- anywhere anywhere tcp dpt:8
DROPl tcp -- anywhere anywhere tcp dpt:webcache
DROPl tcp -- anywhere anywhere tcp dpt:12345
DROPl tcp -- anywhere anywhere tcp dpt:65535
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpts:exec:printer
DROPl tcp -- anywhere anywhere tcp dpt:socks
DROPl tcp -- anywhere anywhere tcp dpts:x11:6009
DROPl tcp -- anywhere anywhere tcp dpt:6112
DROPl udp -- anywhere anywhere udp dpts:0:1
DROPl udp -- anywhere anywhere udp dpt:daytime
DROPl udp -- anywhere anywhere udp dpt:98
DROPl udp -- anywhere anywhere udp dpt:sunrpc
DROPl udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:445
DROPl udp -- anywhere anywhere udp dpt:1214
DROPl udp -- anywhere anywhere udp dpt:1999
DROPl udp -- anywhere anywhere udp dpt:2049
DROPl udp -- anywhere anywhere udp dpt:3049
DROPl udp -- anywhere anywhere udp dpt:4329
DROPl udp -- anywhere anywhere udp dpt:6346
DROPl udp -- anywhere anywhere udp dpt:3128
DROPl udp -- anywhere anywhere udp dpt:8000
DROPl udp -- anywhere anywhere udp dpt:www
DROPl udp -- anywhere anywhere udp dpt:8
DROPl udp -- anywhere anywhere udp dpt:webcache
DROPl udp -- anywhere anywhere udp dpt:12345
DROPl udp -- anywhere anywhere udp dpt:65535
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:route
DROPl udp -- anywhere anywhere udp dpt:ntp
DROPl udp -- anywhere anywhere udp dpts:talk:ntalk
DROPl udp -- anywhere anywhere udp dpt:1427
DROPl udp -- anywhere anywhere udp dpt:9000
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:auth flags:SYN,RST,ACK/SYN state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROPl all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROPl all -- anywhere 255.255.255.255
DROPl all -- anywhere 192.168.174.255
DROPl all -- !192.168.174.0/24 anywhere
DROPl icmp -- anywhere anywhere icmp !echo-request
DROPl tcp -- anywhere anywhere tcp dpts:0:tcpmux
DROPl tcp -- anywhere anywhere tcp dpt:daytime
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpt:sunrpc
DROPl tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROPl tcp -- anywhere anywhere tcp dpts:161:162
DROPl tcp -- anywhere anywhere tcp dpt:445
DROPl tcp -- anywhere anywhere tcp dpt:1214
DROPl tcp -- anywhere anywhere tcp dpt:1999
DROPl tcp -- anywhere anywhere tcp dpt:2049
DROPl tcp -- anywhere anywhere tcp dpt:3049
DROPl tcp -- anywhere anywhere tcp dpt:4329
DROPl tcp -- anywhere anywhere tcp dpt:6346
DROPl tcp -- anywhere anywhere tcp dpt:3128
DROPl tcp -- anywhere anywhere tcp dpt:8000
DROPl tcp -- anywhere anywhere tcp dpt:www
DROPl tcp -- anywhere anywhere tcp dpt:8
DROPl tcp -- anywhere anywhere tcp dpt:webcache
DROPl tcp -- anywhere anywhere tcp dpt:12345
DROPl tcp -- anywhere anywhere tcp dpt:65535
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpts:exec:printer
DROPl tcp -- anywhere anywhere tcp dpt:socks
DROPl tcp -- anywhere anywhere tcp dpts:x11:6009
DROPl tcp -- anywhere anywhere tcp dpt:6112
DROPl udp -- anywhere anywhere udp dpts:0:1
DROPl udp -- anywhere anywhere udp dpt:daytime
DROPl udp -- anywhere anywhere udp dpt:98
DROPl udp -- anywhere anywhere udp dpt:sunrpc
DROPl udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:445
DROPl udp -- anywhere anywhere udp dpt:1214
DROPl udp -- anywhere anywhere udp dpt:1999
DROPl udp -- anywhere anywhere udp dpt:2049
DROPl udp -- anywhere anywhere udp dpt:3049
DROPl udp -- anywhere anywhere udp dpt:4329
DROPl udp -- anywhere anywhere udp dpt:6346
DROPl udp -- anywhere anywhere udp dpt:3128
DROPl udp -- anywhere anywhere udp dpt:8000
DROPl udp -- anywhere anywhere udp dpt:www
DROPl udp -- anywhere anywhere udp dpt:8
DROPl udp -- anywhere anywhere udp dpt:webcache
DROPl udp -- anywhere anywhere udp dpt:12345
DROPl udp -- anywhere anywhere udp dpt:65535
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:route
DROPl udp -- anywhere anywhere udp dpt:ntp
DROPl udp -- anywhere anywhere udp dpts:talk:ntalk
DROPl udp -- anywhere anywhere udp dpt:1427
DROPl udp -- anywhere anywhere udp dpt:9000
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:www flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:https flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:ftp-data flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:pop3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:pop3s flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:imap3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:imaps flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:11371 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.174.0/24 anywhere tcp dpt:time flags:SYN,RST,ACK/SYN state NEW
ACCEPT udp -- 192.168.174.0/24 anywhere udp dpt:domain state NEW
ACCEPT udp -- 192.168.174.0/24 anywhere udp dpt:time state NEW
ACCEPT icmp -- 192.168.174.0/24 anywhere icmp echo-request state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROPl all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROPl all -- anywhere 255.255.255.255
DROPl all -- anywhere 192.168.174.255
DROPl all -- anywhere !192.168.174.0/24
DROPl all -- !192.168.2.0/24 anywhere
DROPl icmp -- anywhere anywhere icmp !echo-request
DROPl tcp -- anywhere anywhere tcp dpts:0:tcpmux
DROPl tcp -- anywhere anywhere tcp dpt:daytime
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpt:sunrpc
DROPl tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
DROPl tcp -- anywhere anywhere tcp dpts:161:162
DROPl tcp -- anywhere anywhere tcp dpt:445
DROPl tcp -- anywhere anywhere tcp dpt:1214
DROPl tcp -- anywhere anywhere tcp dpt:1999
DROPl tcp -- anywhere anywhere tcp dpt:2049
DROPl tcp -- anywhere anywhere tcp dpt:3049
DROPl tcp -- anywhere anywhere tcp dpt:4329
DROPl tcp -- anywhere anywhere tcp dpt:6346
DROPl tcp -- anywhere anywhere tcp dpt:3128
DROPl tcp -- anywhere anywhere tcp dpt:8000
DROPl tcp -- anywhere anywhere tcp dpt:www
DROPl tcp -- anywhere anywhere tcp dpt:8
DROPl tcp -- anywhere anywhere tcp dpt:webcache
DROPl tcp -- anywhere anywhere tcp dpt:12345
DROPl tcp -- anywhere anywhere tcp dpt:65535
DROPl tcp -- anywhere anywhere tcp dpt:linuxconf
DROPl tcp -- anywhere anywhere tcp dpts:exec:printer
DROPl tcp -- anywhere anywhere tcp dpt:socks
DROPl tcp -- anywhere anywhere tcp dpts:x11:6009
DROPl tcp -- anywhere anywhere tcp dpt:6112
DROPl udp -- anywhere anywhere udp dpts:0:1
DROPl udp -- anywhere anywhere udp dpt:daytime
DROPl udp -- anywhere anywhere udp dpt:98
DROPl udp -- anywhere anywhere udp dpt:sunrpc
DROPl udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:445
DROPl udp -- anywhere anywhere udp dpt:1214
DROPl udp -- anywhere anywhere udp dpt:1999
DROPl udp -- anywhere anywhere udp dpt:2049
DROPl udp -- anywhere anywhere udp dpt:3049
DROPl udp -- anywhere anywhere udp dpt:4329
DROPl udp -- anywhere anywhere udp dpt:6346
DROPl udp -- anywhere anywhere udp dpt:3128
DROPl udp -- anywhere anywhere udp dpt:8000
DROPl udp -- anywhere anywhere udp dpt:www
DROPl udp -- anywhere anywhere udp dpt:8
DROPl udp -- anywhere anywhere udp dpt:webcache
DROPl udp -- anywhere anywhere udp dpt:12345
DROPl udp -- anywhere anywhere udp dpt:65535
DROPl udp -- anywhere anywhere udp dpts:snmp:snmp-trap
DROPl udp -- anywhere anywhere udp dpt:route
DROPl udp -- anywhere anywhere udp dpt:ntp
DROPl udp -- anywhere anywhere udp dpts:talk:ntalk
DROPl udp -- anywhere anywhere udp dpt:1427
DROPl udp -- anywhere anywhere udp dpt:9000
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:www flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:https flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:ftp-data flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:pop3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:pop3s flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:imap3 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:imaps flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:11371 flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:time flags:SYN,RST,ACK/SYN state NEW
ACCEPT udp -- 192.168.2.30 anywhere udp dpt:domain state NEW
ACCEPT udp -- 192.168.2.30 anywhere udp dpt:time state NEW
ACCEPT icmp -- 192.168.2.30 anywhere icmp echo-request state NEW
ACCEPT icmp -- 192.168.174.0/24 anywhere icmp echo-request state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECTl all -- anywhere anywhere
Chain DROPl (168 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `DROPl:'
DROP all -- anywhere anywhere
Chain REJECTl (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `REJECTl:'
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
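Editor's note on the dump above, with an added example that is not part of the original post or of Debian's firewall tooling. In the posted OUTPUT chain, `DROPl tcp -- anywhere anywhere tcp dpt:www` appears well above `ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:www`. iptables evaluates a chain top to bottom and stops at the first terminating match, so that ACCEPT for port 80 can never fire, whereas pop3 (port 110) is not in the deny list and goes through; the same ordering exists in the FORWARD chain. The script below parses `iptables -L` text and reports every ACCEPT that an earlier any-to-any deny in the same chain already covers. The sample input is a constructed excerpt of the OUTPUT chain above, the service-name table is a hand-made subset of /etc/services, and the DROPl/REJECTl target names are taken from the dump. One caveat a practitioner should keep in mind: `iptables -L` without `-v` hides `-i`/`-o` interface matches, so confirm any reported shadow with `iptables -L OUTPUT -v -n --line-numbers` before reordering rules.

```python
"""Find ACCEPT rules that a higher DROP/REJECT in the same iptables chain makes
unreachable: iptables stops at the first terminating match, top to bottom.
Input is `iptables -L` text, with the line wrapping a mail client adds undone."""
import re

# Hand-made subset of /etc/services for the names in the posted dump; a name
# missing here is compared as a literal string instead of a port number.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80, "pop3": 110,
            "ntp": 123, "netbios-ns": 137, "netbios-ssn": 139, "https": 443,
            "x11": 6000, "webcache": 8080}
# DROPl and REJECTl are the log-then-deny user chains defined in the dump.
DENY_TARGETS = {"DROP", "REJECT", "DROPl", "REJECTl"}
PROTOS = {"all", "tcp", "udp", "icmp"}


def _port(tok):
    return int(tok) if tok.isdigit() else SERVICES.get(tok, tok)


def _port_match(rule):
    """Return ('dpt:www', (80, 80)) for a rule's destination-port match, else None."""
    m = re.search(r"\b(dpts?:(\S+))", rule)
    if not m:
        return None
    ends = m.group(2).split(":")
    return m.group(1), (_port(ends[0]), _port(ends[-1]))


def _overlaps(a, b):
    if all(isinstance(x, int) for x in a + b):
        return a[0] <= b[1] and b[0] <= a[1]
    return a == b  # unresolved service names: exact match only


def parse_chains(text):
    """Split `iptables -L` output into {chain: [rule tokens]}, re-joining rules
    that were wrapped onto a continuation line such as 'flags:... state NEW'."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif not line or current is None or line.startswith("target "):
            continue
        else:
            toks = line.split()
            if len(toks) > 1 and toks[1] in PROTOS:
                chains[current].append(toks)       # new rule: target, proto, ...
            elif chains[current]:
                chains[current][-1].extend(toks)   # wrapped tail of previous rule
    return chains


def shadowed_accepts(text):
    """Return (chain, proto, port match, shadowing rule) for each ACCEPT whose
    protocol and port an earlier any-to-any deny rule in the chain already covers."""
    findings = []
    for chain, rules in parse_chains(text).items():
        denies = []  # (proto, (lo, hi), rule text) seen so far in this chain
        for toks in rules:
            target, proto, rule = toks[0], toks[1], " ".join(toks)
            pm = _port_match(rule)
            if pm is None:
                continue  # address-only or state-only rules: not decidable from -L
            spec, span = pm
            # `-L` without -v hides -i/-o, so only a deny whose source and
            # destination are both 'anywhere' is assumed to apply unconditionally.
            if target in DENY_TARGETS and toks[3] == toks[4] == "anywhere":
                denies.append((proto, span, rule))
            elif target == "ACCEPT":
                for dproto, dspan, drule in denies:
                    if dproto in ("all", proto) and _overlaps(dspan, span):
                        findings.append((chain, proto, spec, drule))
                        break
    return findings


# Constructed sample: an excerpt of the OUTPUT chain in the posted dump.
SAMPLE = """\
Chain OUTPUT (policy DROP)
target prot opt source destination
DROPl all -- anywhere 255.255.255.255
DROPl tcp -- anywhere anywhere tcp
dpts:netbios-ns:netbios-ssn
DROPl tcp -- anywhere anywhere tcp dpt:www
DROPl tcp -- anywhere anywhere tcp dpt:webcache
DROPl tcp -- anywhere anywhere tcp dpts:x11:6009
DROPl udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:www
flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:https
flags:SYN,RST,ACK/SYN state NEW
ACCEPT tcp -- 192.168.2.30 anywhere tcp dpt:pop3
flags:SYN,RST,ACK/SYN state NEW
ACCEPT udp -- 192.168.2.30 anywhere udp dpt:domain state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECTl all -- anywhere anywhere
"""

if __name__ == "__main__":
    for chain, proto, spec, drule in shadowed_accepts(SAMPLE):
        print(f"{chain}: ACCEPT {proto} {spec} is shadowed by: {drule}")
```

Run against the full dump with `iptables -L | python3 shadowed.py` after swapping `SAMPLE` for `sys.stdin.read()`; on the excerpt it reports only the port 80 ACCEPT, which is exactly the symptom described (browser fails, pop3 works). Port ranges such as `dpts:x11:6009` are checked numerically, so an ACCEPT for 6005 below that range would also be flagged.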