Firewalling (sorry, I didn't see this show up so I'm posting again)

Henning Rohde Rohde.Henning at gmx.net
Tue Oct 9 15:18:45 PDT 2001


Hi Ian,
hi everybody else,

OK, the worst thing that I, being the author of the firewall-hint, ever 
could imagine has happened: I've missed a firewall-related discussion!
	;-(
I've got a subscription to lfs.security; I have to admit that I only quite 
seldom have a quick glance at blfs.support.


Ian, tell me, did you read my hint?

Your aim is that your masquerading router allows ftp-traffic to go through?
Hmm, you haven't loaded all the necessary modules, there's no 
auto-loading, you need the following line besides ip_conntrack_ftp:
# $MODPROBE ip_nat_ftp


OK, please imagine that an initial packet from any of your clients comes 
into an interface of your masquerading-router.

Taking your rules, what's going to happen to it?
It gets dropped by your policy in FORWARD, because you do not allow 
packets from internal clients to be masqueraded.
So, allow any new packets to pass, but only if they do not come from 
the outside:
$IPTABLES -A FORWARD -m state --state NEW ! -i ppp0 -j ACCEPT
(If your uplink is something like DSL, just exchange the interface)


The denial of active-ftp could be caused by the fact that you have no 
identd running: the ftp-server will wait until timeout after it tried to 
issue a query!
Read my hint, chapter (C) - example 4 will help you out:
$IPTABLES -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -A OUTPUT -p tcp --sport 113 -m state --state RELATED \
	-j ACCEPT


BTW: debugging your firewall could be easier if you logged the discarded 
packets:
$IPTABLES -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
$IPTABLES -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
$IPTABLES -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
You may comment them out again, when your firewall is working to your 
satisfaction.


Just my EUR 0.02,

	Henning Rohde


PS: Chris, you've done a good job in combining my hint with Rusty's 
guides. And you've extended the result with the '-v' parameter: good 
idea! Now, you could think about delimiting the sources from where pings 
and ssh are allowed, for instance only your intranet should be allowed to 
do so.

PPS: I've just noticed that Daniel wrote something similar on the 
original thread, but, as long as I don't know how to recombine them and 
because he didn't mention the missing module and active ftp, I'm 
posting it anyway.

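The pieces of the post above (FTP helper modules, the stateful FORWARD rule, the identd reset, logging as the last rule before the policy) assembled into one script, as an added example that is not Henning's hint nor the list's own code. The interface name, the policies and the $IPTABLES/$MODPROBE variables (set both to "echo" for a dry run) are assumptions.

```shell
#!/bin/sh
# Minimal stateful masquerading ruleset for a 2.4-era iptables router,
# assembled in the order the post describes (assumptions: ppp0 is the
# uplink, IPTABLES/MODPROBE may be overridden with "echo" for a dry run).
IPTABLES=${IPTABLES:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}

fw_rules() {
    ext="${1:-ppp0}"   # external (uplink) interface

    # Both helpers are needed for FTP through NAT: conntrack follows the
    # data channel, nat rewrites the addresses inside PORT/PASV commands.
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp

    # Default policies: drop what is not explicitly allowed.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, plus anything belonging to a connection we already know.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections are forwarded only if they do NOT arrive on the uplink.
    $IPTABLES -A FORWARD -m state --state NEW ! -i "$ext" -j ACCEPT

    # identd: answer with a TCP reset so a remote FTP server does not
    # hang until its ident query times out.
    $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Masquerade everything leaving through the uplink.
    $IPTABLES -t nat -A POSTROUTING -o "$ext" -j MASQUERADE

    # Logging goes last in each chain, right before the DROP policy applies,
    # so only packets that nothing above accepted are logged.
    $IPTABLES -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
    $IPTABLES -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
}
```

Run as root with `fw_rules ppp0`; with `IPTABLES=echo MODPROBE=echo` it only prints the commands it would issue.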