Firewalling (sorry, I didn't see this show up so I'm posting again)
Rohde.Henning at gmx.net
Tue Oct 9 15:18:45 PDT 2001
hi everybody else,
OK, the worst thing that I, being the author of the firewall-hint, ever
could imagine has happened: I've missed a firewall-related discussion!
I've got a subscription to lfs.security; I have to admit that I only
seldom have a quick glance at blfs.support.
Ian, tell me, did you read my hint?
Your aim is that your masquerading router allows ftp-traffic to go through?
Hmm, you haven't loaded all the necessary modules. There's no
auto-loading; you need the following line besides ip_conntrack_ftp:
# $MODPROBE ip_nat_ftp
OK, please imagine that an initial packet from any of your clients comes
into an interface of your masquerading-router.
Taking your rules, what's going to happen to it?
It gets dropped by your policy in FORWARD, because you do not allow
packets from internal clients to be masqueraded.
So, allow any new packets to pass, but only if they do not come from
$IPTABLES -A FORWARD -m state --state NEW ! -i ppp0 -j ACCEPT
(If your uplink is something like DSL, just exchange the interface)
The denial of active FTP could be caused by the fact that you have no
identd running: the FTP server will wait until timeout after it has tried
to issue a query!
Read my hint, chapter (C) - example 4 will help you out:
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# the target of the next line is cut off in the archived message; -j ACCEPT is assumed
$IPTABLES -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT
BTW: debugging your firewall could be easier if you logged the discarded
$IPTABLES -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
$IPTABLES -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
$IPTABLES -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
You may comment them out again, when your firewall is working to your
Just my EUR 0.02,
PS: Chris, you've done a good job in combining my hint with Rusty's
guides. And you've extended the result with the '-v' parameter: good
idea! Now, you could think about delimiting the sources from where pings
and ssh are allowed; for instance, only your intranet should be allowed to
PPS: I've just noticed that Daniel wrote something similar on the
original thread, but, as long as I don't know how to recombine them and
because he didn't mention the missing module and active ftp, I'm
posting it anyway.
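The pieces discussed in this message (the two FTP helper modules, the stateful FORWARD rule that refuses NEW connections arriving on the uplink, the identd reset, and the catch-all LOG rules), assembled into one script as an added example. This is not code from the original post or from the firewall hint it refers to. It assumes ppp0 as the uplink, a LAN of 192.168.1.0/24 on eth0, and a hypothetical run() wrapper that only prints the commands unless APPLY=1 is set, so the rule set can be read and checked without root before it is applied.

```shell
#!/bin/sh
# Added example, not from the original post or the LFS firewall hint.
# Assumptions: the uplink is ppp0, the LAN sits on eth0 as 192.168.1.0/24,
# and the router itself only needs ssh and ping from the LAN.
# Without APPLY=1 the script only prints the commands it would run.

UPLINK="${UPLINK:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"

# run CMD ARG...: echo the command (dry run) or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

firewall_modules() {
    # no auto-loading: the conntrack helper alone is not enough, the NAT
    # helper is needed too for FTP through a masquerading router
    run $MODPROBE ip_conntrack_ftp
    run $MODPROBE ip_nat_ftp
}

firewall_policies() {
    run $IPTABLES -F
    run $IPTABLES -t nat -F
    run $IPTABLES -P INPUT DROP
    run $IPTABLES -P FORWARD DROP
    run $IPTABLES -P OUTPUT DROP
}

firewall_forward() {
    # new connections may be forwarded only if they did NOT arrive on the uplink;
    # replies and helper-tracked FTP data connections pass as ESTABLISHED,RELATED
    run $IPTABLES -A FORWARD -m state --state NEW ! -i "$UPLINK" -j ACCEPT
    run $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -o "$UPLINK" -j MASQUERADE
}

firewall_input() {
    run $IPTABLES -A INPUT -i lo -j ACCEPT
    run $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh and ping only from the intranet, as suggested in the PS
    run $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    run $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp \
        --icmp-type echo-request -j ACCEPT
    # answer identd queries with a reset so remote FTP servers do not wait for a timeout
    run $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

firewall_output() {
    run $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # let the identd resets out regardless of what conntrack makes of them
    run $IPTABLES -A OUTPUT -p tcp --sport 113 --tcp-flags RST RST -j ACCEPT
    run $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

firewall_logging() {
    # log whatever falls through to the DROP policies; comment out once things work
    run $IPTABLES -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
    run $IPTABLES -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
    run $IPTABLES -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
}

# firewall_rules: emit (or apply) the complete rule set, modules first
firewall_rules() {
    firewall_modules
    firewall_policies
    firewall_forward
    firewall_input
    firewall_output
    firewall_logging
}

firewall_rules
```

Run it once without APPLY to read the generated commands, then `APPLY=1 sh firewall.sh` as root. The LOG rules sit last in each chain, so with the DROP policies they record exactly the packets that are about to be discarded.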