On Wednesday 13 August 2003 06:55 am, t_gecks wrote:
> Jack Coates wrote:
> > If you want a firewall, urpmi shorewall or look at gshield or something
> > else to do this stuff for you.
> >
> > If you want to learn netfilter & iptables, I can highly recommend
> > "Policy Routing Using Linux" by Matthew Marsh, see Amazon or similar.
> >
> > You probably have something else matching above those rules which is
> > stopping them from processing.
>
> To check exactly this, an iptables -L -n -v on the command line perhaps
> can help; one of the first columns shows if the rule fired and how many
> bytes were affected.
These are all my rules:

echo "setting INPUT rules ..."
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p tcp ! --syn -j ACCEPT

echo "setting FORWARD rules ..."
$IPTABLES -A FORWARD -p udp --dport 137 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 137 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 135 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 4444 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 4444 -j DROP
$IPTABLES -A FORWARD -p udp --sport 631 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 631 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 901 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 901 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 6346 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 6346 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 6350 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 6350 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 1213:1214 -j DROP
$IPTABLES -A FORWARD -p udp --sport 1213:1214 -j DROP
$IPTABLES -A FORWARD -p udp --sport 1542 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 3470:3476 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 1433:1434 -j DROP
$IPTABLES -A FORWARD -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

echo "setting NAT ..."
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Here's the output of 'iptables -L -n -v':

Chain INPUT (policy ACCEPT 1613 packets, 96669 bytes)
 pkts bytes target prot opt in   out source    destination
 2891  258K ACCEPT all  --  *    *   0.0.0.0/0 0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  ppp0 *   0.0.0.0/0 0.0.0.0/0  tcp flags:!0x16/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source    destination
    0     0 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0  udp dpt:137
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpt:137
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpt:135
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpt:4444
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp spt:4444
    0     0 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0  udp spt:631
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp spt:631
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpt:901
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp spt:901
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp spt:6346
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpt:6346
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp spt:6350
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpt:6350
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp spts:1213:1214
    0     0 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0  udp spts:1213:1214
    0     0 DROP   udp  --  *    *   0.0.0.0/0 0.0.0.0/0  udp spt:1542
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpts:3470:3476
    0     0 DROP   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpts:1433:1434
    0     0 ACCEPT all  --  ppp0 *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all  --  eth0 *   0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4485 packets, 427K bytes)

This would seem to imply that none of the FORWARD rules had any hits. Neither has the INPUT rule to block SYN packets. If I understand this correctly, though, the first INPUT rule should not allow any incoming packet unless the connection was established from inside. What puzzles me is that things like the SYN packets and NBNS requests cause a response from my gateway machine, like an ACK or a DNS lookup on the requesting IP.
While these packets are apparently not being forwarded to my local network, the activity on the PPP connection keeps the connection open when I'm not using it and causes me some concern about its vulnerability.

-- 
Thomas K. Gamble [EMAIL PROTECTED]
Registered Linux User #270415
The fear of the Lord leads to life, and he who has it shall abide in
satisfaction; he will not be visited with evil. (Proverbs 19:23)
09:17:54 up 3 days, 23:32, 5 users, load average: 0.00, 0.20, 0.44
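As an added example, not code from the original post or from either correspondent, the following shell script reads an `iptables -L -n -v` listing and reports the two things t_gecks' counter check is meant to surface: built-in chains whose default policy is ACCEPT, together with how many packets reached that policy because no rule matched them, and rules whose packet counter is still zero. The embedded sample is an abridged copy of the listing quoted above; the function names (`audit_listing`, `audit_sample`) and the finding labels (`POLICY_ACCEPT`, `UNUSED_RULE`) are this example's own, not iptables output.

```shell
#!/bin/sh
# Added example: audit an `iptables -L -n -v` listing for the two things that
# explain "my rules never fire": an ACCEPT policy that silently takes every
# unmatched packet, and rules whose counters never move.

# Constructed sample: an abridged copy of the listing from the post, one rule
# per line as iptables prints it (leading whitespace preserved).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 1613 packets, 96669 bytes)
 pkts bytes target prot opt in out source destination
 2891 258K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
 0 0 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4485 packets, 427K bytes)
 pkts bytes target prot opt in out source destination'

# audit_listing: read a listing on stdin, print one finding per line.
#   POLICY_ACCEPT <chain> <pkts>             default policy is ACCEPT; <pkts>
#                                            packets matched no rule at all
#   UNUSED_RULE <chain> <n> <target> <match> rule number <n> has fired 0 times
# (finding names are this example's own, not iptables output)
audit_listing() {
  awk '
    /^Chain / {
      chain = $2; n = 0
      # built-in chains print "(policy ACCEPT 1613 packets, ..."; user
      # chains print "(N references)" and have no policy to report
      if ($3 == "(policy" && $4 == "ACCEPT")
        printf "POLICY_ACCEPT %s %s\n", chain, $5
      next
    }
    $1 == "pkts" { next }   # column header line
    NF == 0      { next }   # blank separator between chains
    {
      n++
      if ($1 == "0") {
        # columns 1-9 are fixed; everything after "destination" is the match
        desc = ""
        for (i = 10; i <= NF; i++) desc = desc (i > 10 ? " " : "") $i
        printf "UNUSED_RULE %s %d %s%s\n", chain, n, $3, (desc == "" ? "" : " " desc)
      }
    }
  '
}

# audit_sample: run the audit over the embedded listing
audit_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | audit_listing
}

audit_sample
```

On a live machine the same check is `iptables -L -n -v | audit_listing`. On the listing above it reports `POLICY_ACCEPT INPUT 1613`: those 1613 packets matched neither the state rule nor the `! --syn` rule and were accepted by the chain's default policy. A fresh inbound SYN or an NBNS datagram arriving on ppp0 is exactly such a packet, which is why the gateway answers it. A rule that ACCEPTs ESTABLISHED,RELATED traffic does not by itself refuse anything; only a DROP or REJECT rule, or a DROP policy on the chain, does that, and a rule list where every counter is zero means nothing has been dropped yet.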
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com