Re: [arch-general] iptables not working well?
On Sun, Jul 10, 2011 at 5:02 PM, Dr. Robert Marmorstein <robert@narnia.homeunix.com> wrote:
> If you have a static IP address on your ethernet card, you probably want to use SNAT rather than MASQUERADE.
> Also, I find it odd that you are using MASQUERADE on traffic TO the ppp0 interface. Usually, you MASQUERADE traffic FROM the ppp0 address. You might try "-i" instead of "-o" in that rule and see if it makes a difference.
It's working like I showed on a Debian box. But I'll try of course.
> Your state rules also look a little odd to me. On your INPUT chain, you are accepting traffic that is established or related. But you only accept new connections if they are not from ppp0. I think I would delete the "! -i ppp0" from that line unless you have a very good reason for it to be there.
ppp0 is my connection to the external world (ISP through PPPoE), so the idea is not to accept new connections from the outside. That seemed logical to me. And it has been working on the Debian box for quite a while. However, I'll remove the conditional acceptance and just plain accept new connections both from inside and from outside.
> Furthermore, there should be an equivalent line that allows the FORWARD chain to accept NEW connections, but that seems to be missing.
> Since you don't seem to really have any real security rules in your firewall anyway, I suggest something like this:
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i ppp0 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -i ppp0 -m state --state NEW -j ACCEPT
> iptables -t nat -A POSTROUTING -i ppp0 -o eth0 -j MASQUERADE
> iptables -A INPUT -j REJECT
> iptables -A FORWARD -j REJECT
>
> Of course, since I'm not on your system, I can't test these. But I think this is more or less what you're trying to do.
I'll experiment a bit with your settings, I hope you're right, :-) Notice that even though my settings look a bit dated, they're still working for me on an old Debian box (which I'm trying to replace)...
> In terms of security stuff, I strongly recommend you think about adding some limit matches -- at least for SSH and HTTP ports if you have them open.
Yes, I haven't set up a firewall, just a transparent gateway, I mean a plain router between my ISP and my internal LAN. So far I don't have any service, like web or mail, so it hasn't been much of a constraint, but I can learn how to do things and implement them. Perhaps you can share later on more of your suggestions for more security, :-)
> Hope this helps,
Yeap, I'll try, and then will let you and the list know...
> Robert
Thanks a lot,
-- Javier.
>> If you have a static IP address on your ethernet card, you probably want to use SNAT rather than MASQUERADE.
>> Also, I find it odd that you are using MASQUERADE on traffic TO the ppp0 interface. Usually, you MASQUERADE traffic FROM the ppp0 address. You might try "-i" instead of "-o" in that rule and see if it makes a difference.
> It's working like I showed on a Debian box. But I'll try of course.
I don't see the previous message in my mailbox, but… he is wrong. The correct way is -o ppp0; you want to MASQUERADE everything that goes out of your internet-facing interface.
-- damjan
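Added example, not code from the thread or from either poster: a shell script that emits the stateful NAT-gateway ruleset the two replies above converge on (MASQUERADE on the WAN output interface as damjan states, NEW connections accepted only from the LAN, and the limit match Robert suggested for SSH), plus a small lint function that flags the slips visible in the quoted ruleset: the "iptales" typo, the space inside "--state ESTABLISHED, RELATED", and "-i" on a POSTROUTING rule, which iptables rejects because that chain only knows the output interface. It assumes ppp0 is the PPPoE WAN and eth0 the LAN.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the WAN is the PPPoE link
# ppp0 and the LAN is eth0; override with WAN=... LAN=... in the environment.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}

# Emit a stateful NAT-gateway ruleset: masquerade on the WAN *output*
# interface, accept ESTABLISHED/RELATED everywhere, accept NEW only from
# the LAN, and rate-limit new SSH connections arriving from the WAN.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
EOF
}

# Read a ruleset on stdin and flag the slips seen in this thread.
# Returns 0 when clean, 1 when something was flagged.
lint_rules() {
    rules=$(grep -v '^#')   # drop comment lines
    rc=0
    if printf '%s\n' "$rules" | grep -q 'iptales'; then
        echo "typo: 'iptales'"; rc=1; fi
    if printf '%s\n' "$rules" | grep -q 'POSTROUTING.* -i '; then
        echo "POSTROUTING rules cannot match an input interface (-i)"; rc=1; fi
    if printf '%s\n' "$rules" | grep -q -- '--state [A-Z]*, '; then
        echo "space after the comma splits the --state list into two arguments"; rc=1; fi
    if printf '%s\n' "$rules" | grep MASQUERADE | grep -qv -- "-o $WAN"; then
        echo "MASQUERADE should be on the WAN output interface ($WAN)"; rc=1; fi
    return $rc
}

# "apply" loads the rules (needs root); anything else just prints them for review.
if [ "$1" = apply ]; then gateway_rules | sh -e; else gateway_rules; fi
```

Review the printed rules first (e.g. pipe them through lint_rules), then run the script with "apply" as root.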