[Siglinux] problem with some -j REJECT commands in levy.pl generated script

Wed, 12 Dec 2001 14:23:26 -0800 

If I add these two lines to the DUMP table section of the script, I can't even
ping my ISPs router by IP address (it's the next upstream link from me) from the
desktops on the lan. Any ideas? ssh, web, DNS, established connections and NAT
are (should be) all enabled and accepted before hitting the dump rules. BTW -
I'm running debian/testing with a 2.4.14 kernel, iptables package is version 1.2.3.

$IPTABLES -A DUMP -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable

here's the script

IPTABLES=/sbin/iptables
IP=<my ip address>
LAN=<my lan's subnet>
DNS1=<dns server 1>
DNS2=<dns server 2>

# create DUMP table
$IPTABLES -N DUMP > /dev/null
$IPTABLES -F DUMP
$IPTABLES -A DUMP -p tcp -j LOG
$IPTABLES -A DUMP -p udp -j LOG
< This is where I put the two rules above>
$IPTABLES -A DUMP -j DROP

# Stateful table
$IPTABLES -N STATEFUL > /dev/null
$IPTABLES -F STATEFUL
$IPTABLES -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A STATEFUL -m state --state NEW -i ! eth0 -j ACCEPT
$IPTABLES -A STATEFUL -j DUMP

# loopback rules
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# drop reserved addresses incoming
$IPTABLES -A INPUT -i eth0 -s 127.0.0.0/8 -j DUMP
$IPTABLES -A INPUT -i eth0 -s 192.168.0.0/16 -j DUMP
$IPTABLES -A INPUT -i eth0 -s 172.16.0.0/12 -j DUMP
$IPTABLES -A INPUT -i eth0 -s 10.0.0.0/8 -j DUMP

# allow certain inbound ICMP types
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

# opened ports
$IPTABLES -A INPUT -p tcp -s $DNS1 -d $IP --dport domain -j ACCEPT
$IPTABLES -A INPUT -p udp -s $DNS1 -d $IP --dport domain -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $DNS2 -d $IP --dport domain -j ACCEPT
$IPTABLES -A INPUT -p udp -s $DNS2 -d $IP --dport domain -j ACCEPT
$IPTABLES -A INPUT -p tcp -d $IP --dport ssh -j ACCEPT
$IPTABLES -A INPUT -p udp -d $IP --dport ssh -j ACCEPT
$IPTABLES -A INPUT -p tcp -d $IP --dport www -j ACCEPT
$IPTABLES -A INPUT -p udp -d $IP --dport www -j ACCEPT

# Set up NAT for internal network
$IPTABLES -t nat -A POSTROUTING -s $LAN -o eth0 -j MASQUERADE

# push everything else to state table
$IPTABLES -A INPUT -j STATEFUL

-- 
; Justin Georgeson
; http://www.lopht.net
; mailto:[EMAIL PROTECTED]
; "Free the mallocs, delete the news"
; "f u cn rd ths, u r prbbly a lsy spllr"



_______________________________________________
Siglinux mailing list
[EMAIL PROTECTED]
http://www.utacm.org/mailman/listinfo/siglinux

Reply via email to