firewalling...

Daniel Roethlisberger daniel at roe.ch
Sun Oct 7 17:49:19 PDT 2001


Ian Molton <imolton at clara.net> wrote:
> Ok, so if I have this right (which I obviously haven't), then
> this should work:

> $IPTABLES -t filter -P INPUT DROP
> $IPTABLES -t filter -P FORWARD DROP
> $IPTABLES -t filter -P OUTPUT ACCEPT

> /sbin/modprobe ip_conntrack_ftp

> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -m state --state INVALID -j DROP

> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Well, for one thing, this does not allow the masqueraded boxes to
do anything. You need to allow the initial connections to go
through, like so:

$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

(assuming eth0 is your external interface, and eth1 your LAN)

> but it doesn't - the firewalled box cannot do anything.

How are you connected to the internet? Which interfaces do you
have, which IP addresses have they got, that sort of thing. It is
hard to tell without knowing your setup.

Generally, to find out which rule was blocking things, use
iptables -v -n -L -t filter/nat/mangle

> If I change the forward chains policy to accept, I can do
> passive ftp from the firewalled box, but not active mode.

Did you actually -flush- the old rules? Use the above command to
verify. Sounds like something else is still hanging around. As
before, I cannot tell without seeing the full script and/or output
of the -L above.

No more from me tonight, I gotta get some sleep now ;)
If you're desperate, ask the netfilter mailing list at
netfilter.samba.org

Cheers,
Dan


-- 
   Daniel Roethlisberger <daniel at roe.ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED
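As an added example that is not part of the thread (neither Ian's script nor Dan's reply), here is the complete rule set the reply is pointing at, assembled as a POSIX sh script: the original INPUT/FORWARD/OUTPUT policies and state rules, plus the FORWARD accept for new connections from the LAN, a matching MASQUERADE rule, a flush of all three tables so stale rules cannot linger, and a helper that runs the `iptables -v -n -L` listing per table. It keeps the era's `-m state` syntax. The interface names eth0/eth1 follow the reply's assumption; the LAN subnet 192.168.1.0/24, the /sbin paths, the loopback accept and the `DRY_RUN` switch are my assumptions. With `DRY_RUN=1` it prints the commands instead of running them, which lets you check the rule order before applying as root.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions (hypothetical): eth0 is the external interface, eth1 the LAN,
# the LAN uses 192.168.1.0/24, and the tools live in /sbin.

EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPTABLES=${IPTABLES:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
SYSCTL=${SYSCTL:-/sbin/sysctl}
DRY_RUN=${DRY_RUN:-0}

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Policies first, so no traffic is accepted while the tables are empty:
    # deny in and through, allow the firewall's own outbound traffic.
    run $IPTABLES -t filter -P INPUT DROP
    run $IPTABLES -t filter -P FORWARD DROP
    run $IPTABLES -t filter -P OUTPUT ACCEPT

    # Start from a clean slate in every table; the reply suspects stale
    # rules from an earlier run are what is really getting in the way.
    for table in filter nat mangle; do
        run $IPTABLES -t $table -F
        run $IPTABLES -t $table -X
    done

    # FTP connection-tracking helper: active and passive data channels
    # are then classified as RELATED and pass the state rules below.
    run $MODPROBE ip_conntrack_ftp

    # Traffic to the firewall itself
    run $IPTABLES -A INPUT -i lo -j ACCEPT
    run $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # Forwarded traffic. The last rule is the one the original script lacked:
    # without it LAN hosts can never open a NEW connection outward, so nothing
    # ever becomes ESTABLISHED. -s $LAN_NET keeps spoofed sources off the uplink.
    run $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    run $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT

    # Hide the LAN behind the external interface's address
    run $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE

    # The kernel must actually be willing to forward packets
    run $SYSCTL -w net.ipv4.ip_forward=1
}

# The listing the reply recommends for finding the rule that drops traffic,
# with counters (-v) and without DNS lookups (-n), for each table.
show_rules() {
    for table in filter nat mangle; do
        run $IPTABLES -v -n -L -t $table
    done
}

# Usage:  sh firewall.sh --apply     (as root)
#         sh firewall.sh --dry-run   (print the commands only)
#         sh firewall.sh --show      (list current rules with counters)
case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) DRY_RUN=1; apply_rules ;;
    --show)    show_rules ;;
esac
```

The script is deliberately not executed on load, so it can be sourced to call `apply_rules` or `show_rules` from a larger init script. Policies are set before the flush on purpose: flushing a table whose policy is still ACCEPT opens a short window in which everything is allowed through.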

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message