Re: iptables

From: damien hull <dhull@digitaloverload.net>
Date: Fri Mar 11 2005 - 10:01:38 AKST

I'm playing around with my iptables configuration and I've got some
strange things going on. Either that or I don't understand what iptables
is doing.

I've got the following config and I can listen to Internet radio. I can
also run traceroute.
# Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Mar 10 13:08:05 2005
# Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# allow loop back
-A INPUT -i lo -j ACCEPT
# eth0 (internal)
-A INPUT -i eth0 -j ACCEPT
COMMIT
# Completed on Thu Mar 10 13:08:05 2005
# Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

My understanding of iptables and packet filtering is that this should not
work. Input is set to "drop" and then allow on "lo" and "eth0". Why is
it working?

I'll make the changes you suggested. Just playing around with the
settings for now. At some point I'll have to find a configuration that
works.

On Thu, 2005-03-10 at 20:43 -0900, Arthur Corliss wrote:
> On Thu, 10 Mar 2005, damien hull wrote:
>
> > # Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
> > *mangle
> > :PREROUTING ACCEPT [0:0]
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :POSTROUTING ACCEPT [0:0]
> > COMMIT
> > # Completed on Thu Mar 10 13:08:05 2005
> > # Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
> > *filter
> > :FORWARD ACCEPT [0:0]
>
> First off, you should set FORWARD's default policy to DROP, and only forward
> traffic that's explicitly allowed. Next, you should add the rules to allow
> forwarding. Based on below I assume eth1 is your Internet connection
> (assuming you're not on a pppoe DSL connection, in which case the interface
> should be ppp+). So:
>
> -A FORWARD -i eth1 -o ! eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i ! eth1 -o eth1 -j ACCEPT
>
> > :INPUT DROP [0:0]
> > :OUTPUT ACCEPT [0:0]
> > # accept traffic from all interface but not eth1
> > -A INPUT ! -i eth1 -j ACCEPT
> > # setup stateful connections on eth1
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You might want to add a '-i eth1' to this line for clarity.
>
> > COMMIT
> > # Completed on Thu Mar 10 13:08:05 2005
> > # Generated by iptables-save v1.2.11 on Thu Mar 10 13:08:05 2005
> > *nat
> > :OUTPUT ACCEPT [0:0]
> > :PREROUTING ACCEPT [0:0]
> > :POSTROUTING ACCEPT [0:0]
> > -A POSTROUTING -o eth1 -j MASQUERADE
> > COMMIT
>
> Now, keep in mind that the kernel won't really forward unless you modify an
> entry in the /proc tree. Put:
>
> net.ipv4.ip_forward = 1
>
> in /etc/sysctl.conf and put 'sysctl -p' in your rc.local. Outside of that,
> this looks to be a working configuration for basic NAT. I'd post my own
> config, but I've got all kinds of crap in it that would just confuse the
> issue.
>
> --Arthur Corliss
> Bolverk's Lair -- http://arthur.corlissfamily.org/
> Digital Mages -- http://www.digitalmages.com/
> "Live Free or Die, the Only Way to Live" -- NH State Motto

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
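An added illustration for the question in this thread, not code from the list or from either poster: a small Python model of which one of INPUT, FORWARD or OUTPUT a packet traverses, and how only that chain's rules and policy decide its fate. A packet addressed to the firewall itself walks INPUT; a packet routed through the firewall to or from a host behind eth0 walks FORWARD only, where the posted policy is ACCEPT, so a stream played on a LAN client never meets the INPUT DROP policy, while the same DROP does stop replies to connections the firewall opens on its own. DAMIEN_FILTER is the filter table from the post; HARDENED_FILTER is constructed from Arthur's suggested FORWARD policy and rules plus a stateful INPUT rule pinned to eth1; the sample packets are constructed, and only the -i/-o, state and -j matches are modelled (both the old `-i ! eth1` and the current `! -i eth1` negation forms are accepted).

```python
"""Toy model of netfilter chain selection: a packet addressed to the host walks
INPUT, a packet routed through it walks FORWARD, and only that chain's rules
and policy decide the verdict.  Added example for this thread (not the list's
or the posters' code); HARDENED_FILTER is constructed from Arthur's advice."""
from dataclasses import dataclass
from typing import Optional

DAMIEN_FILTER = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT
"""

HARDENED_FILTER = """\
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o ! eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! eth1 -o eth1 -j ACCEPT
COMMIT
"""

@dataclass
class Packet:
    in_iface: Optional[str]   # None: generated by the host itself
    out_iface: Optional[str]  # None: addressed to the host itself
    state: str                # conntrack state: NEW, ESTABLISHED or RELATED

def parse_rule(tokens):
    """Parse '-i/-o [!] IFACE', '-m state --state A,B' and '-j TARGET'."""
    rule = {"in": None, "out": None, "states": None, "target": None}
    negate, i = False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                       # current syntax: '! -i eth1'
            negate, i = True, i + 1
        elif tok in ("-i", "-o"):
            val, i = tokens[i + 1], i + 2
            if val == "!":                   # older syntax: '-i ! eth1'
                negate, val, i = True, tokens[i], i + 1
            rule["in" if tok == "-i" else "out"] = (val, negate)
            negate = False
        elif tok == "-m":                    # module name; only 'state' is modelled
            i += 2
        elif tok == "--state":
            rule["states"], i = set(tokens[i + 1].split(",")), i + 2
        elif tok == "-j":
            rule["target"], i = tokens[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token: {tok}")
    return rule

def parse_filter(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, active = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            active = line == "*filter"
        elif not active or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line[0] == ":":
            chain, policy, _ = line[1:].split()
            policies[chain], rules[chain] = policy, []
        elif line.startswith("-A "):
            tokens = line.split()
            rules[tokens[1]].append(parse_rule(tokens[2:]))
    return policies, rules

def iface_matches(spec, actual):
    if spec is None:
        return True
    name, negate = spec
    return (actual == name) != negate        # XOR applies the '!' negation

def verdict(policies, rules, pkt):
    """Select the single chain this packet traverses and return (chain, result)."""
    chain = "OUTPUT" if pkt.in_iface is None else "INPUT" if pkt.out_iface is None else "FORWARD"
    for rule in rules[chain]:                # first matching rule terminates
        if (iface_matches(rule["in"], pkt.in_iface)
                and iface_matches(rule["out"], pkt.out_iface)
                and (rule["states"] is None or pkt.state in rule["states"])):
            return chain, rule["target"]
    return chain, policies[chain]            # nothing matched: chain policy

# Constructed packets, all arriving on the Internet side (eth1).
SAMPLE_PACKETS = {
    "stream reply to LAN client": Packet("eth1", "eth0", "ESTABLISHED"),
    "unsolicited inbound to LAN host": Packet("eth1", "eth0", "NEW"),
    "unsolicited inbound to firewall": Packet("eth1", None, "NEW"),
    "reply to firewall's own connection": Packet("eth1", None, "ESTABLISHED"),
}

def evaluate(ruleset_text):
    policies, rules = parse_filter(ruleset_text)
    return {name: verdict(policies, rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Running `evaluate(DAMIEN_FILTER)` shows both forwarded packets accepted by the FORWARD policy and both packets addressed to the firewall dropped by INPUT; `evaluate(HARDENED_FILTER)` drops the unsolicited forward and accepts the firewall's own established replies, which is the difference Arthur's FORWARD DROP plus stateful rules make.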
Received on Fri Mar 11 10:01:50 2005

This archive was generated by hypermail 2.1.8 : Fri Mar 11 2005 - 10:01:51 AKST