Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Thu, 24 Jul 2003 11:18:13 +0200
  • Message-id: <84ECB0B9D002A54EA3E926AAA94E580801907F@xxxxxxxxxxxxxx>
Keith gave me a very simple example of how to create a simple iptables configuration. I adopted most of it - leaving out the logs and denying ICMP on eth1 - and this is how it looks now:

** Begin **
#!/bin/sh
# Filter table only; the NAT and MANGLE sections below are still empty.

echo "*** Flush all rules "
iptables -F

echo "*** Clear all counters"
iptables -Z

echo "*** Delete user defined rules"
iptables -X

echo "*** Log all packets going through the FORWARD chain"
iptables -A FORWARD -j LOG --log-prefix 'FILTER-FWD PKTS '

#echo "*** NAT Rules"

#echo "*** MANGLE Rules"

#echo "*** FILTER rules"
# Rate-limit new connections and bare RSTs arriving on the external interface;
# anything above 1/s is not accepted here and falls through to the rules below.
iptables -A INPUT -i eth1 -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# No ping replies from the external interface.
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
# The same rate limits for traffic routed through the box, on any interface.
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Note: the limit match applies to this DROP as well, so only the first
# echo-request per second is dropped here; the rest fall through.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j DROP

# Port 80 on the firewall itself: from eth1 unless the packet is INVALID,
# from any other interface unconditionally ("-i ! eth1" is the old negation
# syntax; newer iptables writes it as "! -i eth1").
iptables -N open_port_80
iptables -A open_port_80 -i eth1 -p tcp --dport 80 -m state ! --state INVALID -j ACCEPT
iptables -A open_port_80 -i ! eth1 -p tcp --dport 80 -j ACCEPT

# Drop new or invalid connections coming in on the external interface.
iptables -N block
iptables -A block -i eth1 -m state --state NEW,INVALID -j DROP

# Hook the user-defined chains into INPUT and FORWARD; whatever they do not
# match continues to the built-in chain's default policy.
iptables -A INPUT -j open_port_80
iptables -A INPUT -j block
iptables -A FORWARD -j block
** End **

However, no packets are ever reaching their destination on the internal network. How come? My external network is on eth1 and my internal is on eth0. IP Forwarding (YaST, Network Services, Routing) is not enabled. If I do enable IP Forwarding, any packets will go through the firewall, and eh, that's not what I expected ;-)

From sources that I have found, the way of a packet is described like this:
- if a packet is destined for the local host, it will be redirected to the INPUT chain
- if a packet is not destined for the local host, it will be redirected to the FORWARD chain (forwarding needs to be enabled in the kernel - but where? - and there must be a routing table in place). The routing table is OK, but since I am a newbie, I do not know where to change this forwarding setting if it is not the setting mentioned above?!?!? :-S (confused smiley)

Any hints are deeply appreciated!

Cheers
Knut Erik
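As an added example (not part of the original post, and not SuSEfirewall2 code), here is how the packet path described above translates into a working two-interface setup on this layout: the kernel switch that decides whether a routed packet ever reaches the FORWARD chain, and a stateful rule set that lets the internal network (eth0) out through the external interface (eth1) while denying unsolicited inbound connections. The interface roles are the post's; the LAN subnet 192.168.1.0/24, the `apply`/`check` sub-commands and the masquerading of private LAN addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.  Run as root:
#   sh fw.sh check   - report whether the kernel will route between interfaces
#   sh fw.sh apply   - enable forwarding and load the rule set
# Set IPT=echo to print the iptables commands instead of executing them.

EXT=eth1                           # external interface (as in the post)
INT=eth0                           # internal interface (as in the post)
LAN=192.168.1.0/24                 # assumed internal subnet
IPT=${IPT:-iptables}               # override with IPT=echo for a dry run
# The kernel knob that gates the FORWARD chain; same as sysctl net.ipv4.ip_forward.
FORWARD_KNOB=${FORWARD_KNOB:-/proc/sys/net/ipv4/ip_forward}

# Returns 0 if the kernel currently routes between interfaces, 1 otherwise.
forwarding_enabled() {
    [ -r "$FORWARD_KNOB" ] || return 1
    [ "$(cat "$FORWARD_KNOB")" = 1 ]
}

# Turns forwarding on for the running kernel (equivalent of
# "sysctl -w net.ipv4.ip_forward=1"; persist it in /etc/sysctl.conf).
enable_forwarding() {
    echo 1 > "$FORWARD_KNOB"
}

apply_rules() {
    # Start clean, then default-deny on INPUT and FORWARD so an unmatched
    # packet is dropped instead of silently accepted.
    $IPT -F
    $IPT -X
    $IPT -Z
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Anti-spoofing: LAN source addresses never legitimately arrive on eth1.
    $IPT -A INPUT -i "$EXT" -s "$LAN" -j DROP
    $IPT -A FORWARD -i "$EXT" -s "$LAN" -j DROP

    # Traffic to the firewall itself: loopback, replies to its own
    # connections, port 80 from either side, anything from the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$INT" -s "$LAN" -j ACCEPT
    $IPT -A INPUT -i "$EXT" -p icmp --icmp-type echo-request -j DROP

    # Routed traffic: new connections only from LAN to the outside, replies
    # back in, everything else logged and dropped by the chain policy.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix 'FILTER-FWD DROP ' --log-level 4

    # Private LAN addresses are not routable on the Internet (assumption):
    # rewrite them to the firewall's external address on the way out.
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
}

case "${1:-}" in
    apply)
        forwarding_enabled || enable_forwarding
        apply_rules
        ;;
    check)
        if forwarding_enabled; then echo "ip_forward=1"; else echo "ip_forward=0"; fi
        ;;
esac
```

With forwarding off, a packet from eth0 addressed to an outside host is dropped by the routing code before it reaches any chain, so no FORWARD rule can help; with it on, the default DROP policy on FORWARD means the kernel routes only what the rule set explicitly allows, rather than "any packet".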
