[arch-general] iptables not working well?

Javier Vasquez j.e.vasquez.v at gmail.com
Sun Jul 10 20:09:46 EDT 2011


On Sun, Jul 10, 2011 at 5:02 PM, Dr. Robert Marmorstein
<robert at narnia.homeunix.com> wrote:
> If you have a static IP address on your ethernet card, you probably want to
> use SNAT rather than MASQUERADE.
>
> Also, I find it odd that you are using MASQUERADE on traffic TO the ppp0
> interface.  Usually, you MASQUERADE traffic FROM the ppp0 address.  You might try
> "-i" instead of "-o" in that rule and see if it makes a difference.

It's working like I showed on a Debian box.  But I'll try, of course.

>
> Your state rules also look a little odd to me.  On your INPUT chain, you are
> accepting traffic that is established or related.  But you only accept new
> connections if they are not from ppp0.  I think I would delete the "! -i ppp0"
> from that line unless you have a very good reason for it to be there.

ppp0 is my connection to the external world (ISP through PPPoE), so
the idea is not to accept new connections from the outside.  That
seemed logical to me.  And it has been working on the Debian box for
quite a while.  However, I'll remove the conditional acceptance and just
plainly accept new connections both from inside and from outside.

>
> Furthermore, there should be an equivalent line that allows the FORWARD chain to
> accept NEW connections, but that seems to be missing.
>
> Since you don't seem to really have any real security rules in your firewall
> anyway, I suggest something like this:
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i ppp0 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -i ppp0 -m state --state NEW -j ACCEPT
> # POSTROUTING has no incoming interface to match on, so MASQUERADE is keyed on -o
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -A INPUT -j REJECT
> iptables -A FORWARD -j REJECT
>
> Of course, since I'm not on your system, I can't test these.  But I think this
> is more or less what you're trying to do.

I'll experiment a bit with your settings, I hope you're right, :-)
Notice that even though my settings look a bit dated, they're still
working for me on an old Debian box (which I'm trying to replace)...

>
> In terms of security stuff, I strongly recommend you think about adding some
> limit matches -- at least for SSH and HTTP ports if you have them open.

Yes, I haven't set up a firewall, just a transparent gateway, I mean a
plain router between my ISP and my internal LAN.  So far I don't have
any service, like web or mail, so it hasn't been much of a constraint,
but I can learn how to do things and implement them.  Perhaps you can
share more of your suggestions for more security later on, :-)

>
> Hope this helps,

Yeap, I'll try, and then will let you and the list know...

>
> Robert

Thanks a lot,

-- 
Javier.
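The rule set discussed in this thread, reworked into a complete script as an added example (not code from either poster). It keeps the thread's interface names (ppp0 for the PPPoE link to the ISP, eth0 for the LAN), assumes a LAN subnet of 192.168.1.0/24 and SSH on port 22 (both placeholders you would change), switches INPUT and FORWARD to default-deny, uses the conntrack match instead of the older state match, adds the per-source rate limit on new SSH connections that Robert mentions (done with the recent match), and puts MASQUERADE on the outgoing interface, since POSTROUTING has no incoming interface to match on. Run without arguments it only prints the rules, so the result can be reviewed without root; `--apply` hands them to iptables.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful NAT gateway ruleset in the
# shape Robert suggests, with default-deny policies and a per-source rate limit on
# new SSH connections. Interface names follow the thread (ppp0 = PPPoE link to the
# ISP, eth0 = LAN). LAN_NET and SSH_PORT are assumed placeholder values.
# Without --apply the rules are printed (DRY_RUN=1) instead of applied.

WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed LAN subnet, change to match yours
SSH_PORT=${SSH_PORT:-22}             # assumed SSH port

# Wrapper: print the rule when DRY_RUN=1, otherwise hand it to iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start clean, with default-deny on INPUT and FORWARD.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X

    # Loopback, then anything the connection tracker already knows about.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # New connections are accepted only from the LAN: to the router itself,
    # and forwarded out to the ISP link. Nothing new comes in from ppp0.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # The one exception: SSH from the outside, limited to 3 new connections per
    # source address per minute (the "limit matches" Robert mentions).
    ipt -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --set
    ipt -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
    ipt -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # NAT for the LAN on the outgoing interface. POSTROUTING has no incoming
    # interface to match, so this rule takes -o, never -i.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Everything else gets an explicit reject (visible to the sender) rather
    # than relying on the DROP policy alone.
    ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
    ipt -A FORWARD -j REJECT --reject-with icmp-port-unreachable
}

# Render the rules as text without touching the kernel; usable without root.
render_rules() {
    (DRY_RUN=1; build_rules)
}

case "${1:-}" in
    --apply) build_rules ;;
    *)       render_rules ;;
esac
```

The recent-match pair works as a sliding window: the first rule records every new SSH attempt per source, the second drops the attempt if that source already has four or more hits in the last 60 seconds, and only attempts that survive both reach the ACCEPT rule. Applying DROP policies on a box you are logged into over SSH will cut the session if the allow rules fail to load, so apply from the console or through a scheduled rollback the first time.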
