Mailinglist Archive: opensuse-security (465 mails)

iptables order of rules
  • From: "erez avraham" <ereza@xxxxxxxxx>
  • Date: Mon, 31 Dec 2001 19:00:56 +0200
  • Message-id: <DAELLPGOONICLLHLIIMGMEFNCDAA.ereza@xxxxxxxxx>
Greetings

Using SuSE 7.1, kernel 2.4.0, iptables 1.2.4 with 2 NICs:
eth0 192.168.4.2 pointing to my ADSL router
eth1 192.168.5.1 pointing to the LAN

I inserted some rules and got surprising results: doing iptables -L shows
me ANY to ANY tcp ACCEPT!
I didn't put this rule in.
An incoming connection will stop at the first rule on the list, right? So is this
rule here to enable any connection at all and then eliminate what I'm
blocking?

My ADSL router is doing the NAT from 192.117.x.1 to 192.168.4.1. I have no
problem getting out of the firewall, but I'm not sure about getting into the
firewall or the LAN behind it. 192.117.x.1 is the router address, so how can I
open ports on/through the firewall?
I guess I will have to disable routing on the router and do it on the
firewall, right?

Thanks and happy new year.
Here are the rules and the output.
iptables -L:
Chain INPUT (policy ACCEPT)
target     prot opt source          destination
ACCEPT     all  --  anywhere        anywhere
DROP       tcp  --  anywhere        anywhere        tcp flags:!SYN,RST,ACK/SYN state NEW
LOG        all  -f  anywhere        anywhere        LOG level warning prefix `IPTABLES FRAGMENTS: '
DROP       all  -f  anywhere        anywhere
ACCEPT     udp  --  212.179.27.100  anywhere        udp spt:domain state ESTABLISHED
ACCEPT     udp  --  216.34.120.171  anywhere        udp spt:domain state ESTABLISHED
ACCEPT     tcp  --  anywhere        anywhere        tcp dpt:http state ESTABLISHED
ACCEPT     tcp  --  anywhere        anywhere        tcp spt:ftp state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source          destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source          destination
ACCEPT     udp  --  anywhere        212.179.27.100  udp dpt:domain state NEW,ESTABLISHED
ACCEPT     udp  --  anywhere        216.34.120.171  udp dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere        anywhere        tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere        anywhere        tcp spt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere        anywhere        tcp spt:smtp state NEW,ESTABLISHED

rules:
===============================
#!/bin/sh
# Nameserver addresses as they appear in the iptables -L output above.
NAMESERVER_1=212.179.27.100
NAMESERVER_2=216.34.120.171

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

## FRAGMENTS
# Log fragments just to see if we get any, and deny them too.
iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP

## DNS
# Allow UDP packets in for DNS client from nameservers.
iptables -A INPUT -i eth0 -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT

# Allow UDP packets to DNS servers from client.
iptables -A OUTPUT -o eth1 -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

## WWW
# Allow www outbound to 80.
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

## FTP
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

## SMTP
#iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

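The rule-ordering question in the mail above, worked through as an added example (editor's code, not part of the original message or of SuSE): a small Python model of how netfilter walks an INPUT chain. The rules are the `iptables -A INPUT ...` lines posted above, with the two nameserver addresses taken from the `-L` listing; the `Packet` records are constructed for the demonstration, and `listing()` imitates an `iptables -L` row with and without `-v`, since the plain listing omits the `in`/`out` interface columns and so prints the `-i lo` rule as `ACCEPT all -- anywhere anywhere`. The model also shows that a packet matching no rule is decided by the chain policy, and that LOG is non-terminating.

```python
"""First-match walk of the INPUT chain posted above (added example, not from the mail).

Rules are the posted `iptables -A INPUT ...` lines with the nameserver addresses
from the -L listing; the Packet records below are constructed for the demo.
"""
import shlex
from dataclasses import dataclass

RULES = """\
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
iptables -A INPUT -i eth0 -p udp -s 212.179.27.100 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 216.34.120.171 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
"""

# Options taking one argument. `-m state` only loads the match module, so it is
# consumed here and otherwise ignored.
VALUE_OPTS = {"-A", "-i", "-o", "-p", "-s", "-d", "-j", "-m",
              "--sport", "--dport", "--state", "--log-prefix"}


@dataclass
class Packet:
    """Constructed packet: just the fields the posted rules can test."""
    iface: str
    proto: str = "none"
    src: str = "0.0.0.0"
    sport: int = 0
    dport: int = 0
    syn: bool = False    # SYN set, ACK/RST clear: what --syn tests
    frag: bool = False   # second or later fragment: what -f tests
    state: str = "NEW"   # conntrack state as seen by -m state


def parse_rule(line):
    """Turn one `iptables -A CHAIN ...` line into a dict keyed by option."""
    toks = shlex.split(line)[1:]   # drop the leading "iptables"
    rule, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":             # only `! --syn` occurs in these rules
            rule["--syn"], i = False, i + 2
        elif tok == "--syn":
            rule["--syn"], i = True, i + 1
        elif tok == "-f":
            rule["-f"], i = True, i + 1
        elif tok in VALUE_OPTS:
            rule[tok], i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unhandled iptables option {tok!r}")
    return rule


def matches(rule, pkt):
    """True when every match clause in the rule agrees with the packet."""
    fields = {"-i": pkt.iface, "-p": pkt.proto, "-s": pkt.src,
              "--sport": str(pkt.sport), "--dport": str(pkt.dport)}
    if any(opt in rule and rule[opt] != val for opt, val in fields.items()):
        return False
    if "--syn" in rule and rule["--syn"] != pkt.syn:
        return False
    if "-f" in rule and not pkt.frag:
        return False
    return "--state" not in rule or pkt.state in rule["--state"].split(",")


def walk_chain(rules, pkt, policy="ACCEPT"):
    """Return (verdict, matching rule number or None, logged?).

    Rules are tried top to bottom; the first terminating target wins. LOG is
    non-terminating, so it records and falls through. No match: chain policy.
    """
    logged = False
    for num, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        if rule["-j"] == "LOG":
            logged = True
            continue
        return rule["-j"], num, logged
    return policy, None, logged


def listing(rule, verbose=False):
    """Imitate an `iptables -L` row (counters omitted); -v adds in/out columns."""
    row = [rule["-j"], rule.get("-p", "all"), "-f" if "-f" in rule else "--"]
    if verbose:
        row += [rule.get("-i", "*"), rule.get("-o", "*")]
    return " ".join(row + [rule.get("-s", "anywhere"), rule.get("-d", "anywhere")])


INPUT_RULES = [parse_rule(line) for line in RULES.splitlines()]

if __name__ == "__main__":
    print("-L   :", listing(INPUT_RULES[0]))          # the "ANY to ANY ACCEPT" row
    print("-L -v:", listing(INPUT_RULES[0], True))    # ... is really `-i lo`
    for pkt in (Packet("lo"), Packet("eth0", "tcp", dport=22, syn=True),
                Packet("eth0", "tcp", dport=22), Packet("eth0", "udp", frag=True)):
        print(pkt, "->", walk_chain(INPUT_RULES, pkt))
```

Run it with `python3`. The first rule prints as `ACCEPT all -- anywhere anywhere` in the plain listing and as `ACCEPT all -- lo * anywhere anywhere` once the interface columns are shown; on a real box `iptables -L -n -v` or `iptables-save` gives the same information. A fresh SYN to port 22 arriving on eth0 matches nothing in the posted chain and is decided by the INPUT policy, not by that first rule.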