
[SLUG] Re: your mail



On Sun, Jun 18, 2000 at 09:13:54AM +0000, maxmail@nospam.optushome.com.au wrote:
> Hello, I have a problem which I believe is in my firewall script,
> but I'm not sure. Anyway, I'm running a masq with gateway.
> Anyway, I run daemons on the gateway; no sub machines can
> use auth, only the gateway. I also have ssh and other things
> running on the gateway; none can connect to them, even the
> gateway cannot connect to ssh for example or webmin ??

Sorry, I found this too difficult to parse properly.

You have this:

[home] -> [gateway] <-> {net} ...

Yes? And you want someone from the internet to connect to your home machine?

> Is this my scripting? Could someone give me an idea why
> I cannot connect to daemons running on my system.

Which system? The gateway or the one being masqueraded?

> Thanks in advance 
> firewall script below
> ------------------------------------
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> ipchains -M -S 14400 30 300
> ipchains -A input -i ! lo -j DENY
> ipchains -A output -i ! lo -j DENY
> ipchains -A forward -j DENY

This is `deny everything' taken to extremes. Does your gateway even
work? Ahh; I see you delete these rules later on. 

> ipchains -A input -i lo -j ACCEPT
> ipchains -A output -i lo -j ACCEPT
> ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
> ipchains -P forward DENY
> ipchains -A forward -i eth0 -j MASQ

You may also need to duplicate the bootp rule on the forward chain
since you are doing masquerading on the same device. But I am still not
sure what it is you are trying to do.

> ipchains -N icmp-acc
> ipchains -N bad-if
> ipchains -N good-if
> ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
> ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
> ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
> ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
> ipchains -A forward -j DENY -l
> ipchains -A bad-if -i eth1 -j DENY -l
> ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
> ipchains -A bad-if -p TCP --dport ssh -j ACCEPT
> ipchains -A bad-if -j icmp-acc
> ipchains -A bad-if -j DENY
> ipchains -A good-if -i eth0 -j DENY
> ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
> ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
> ipchains -A good-if -j icmp-acc
> ipchains -A good-if -j DENY -l

These are good, textbook chains. But I don't see you linking
them in anywhere. More informative than the list of commands
your firewall runs would have been the output of `ipchains -L'.

[snip - module insertion; ipchains -D <chain> 1 ]

Anand
--
SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au
To unsubscribe send email to slug-request@nospam.slug.org.au with
unsubscribe in the text
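Anand's point that the bad-if/good-if chains decide nothing until a rule in the input chain jumps to them, as an added illustration (not code from the thread): a toy model of ipchains traversal run over the quoted rules. Interface roles (eth0 outside, eth1 LAN side) and an untouched input policy are assumptions; the deny-all rules the snipped part deletes again are left out.

```python
# Added illustration, not code from the thread: a toy model of ipchains chain traversal.
# Rules follow the quoted script (minus the deny-all rules the snipped part deletes again);
# eth0 outside, eth1 LAN side and an untouched input policy are assumptions.
class Rule:
    def __init__(self, target, **match):    # -j target; keys mirror -i/-p/--dport/--icmp-type
        self.target, self.match = target, match
    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

class Firewall:
    def __init__(self, **policy):           # policies of the built-in chains
        self.chains, self.policy = {}, policy
    def add(self, chain, target, **match):  # ipchains -A <chain> <match> -j <target>
        self.chains.setdefault(chain, []).append(Rule(target, **match))
    def walk(self, chain, pkt):
        for r in self.chains.get(chain, []):
            if not r.matches(pkt):
                continue
            if r.target in ("ACCEPT", "DENY"):
                return r.target
            verdict = self.walk(r.target, pkt)  # jump into a user chain
            if verdict is not None:             # None: it fell off the end, carry on here
                return verdict
        return self.policy.get(chain)           # user chains have no policy

def build(linked):
    fw = Firewall(input="ACCEPT")
    fw.add("input", "ACCEPT", iface="lo")
    for t in ("destination-unreachable", "source-quench", "time-exceeded", "parameter-problem"):
        fw.add("icmp-acc", "ACCEPT", proto="icmp", itype=t)
    fw.add("bad-if", "DENY", iface="eth1")      # packet on the wrong interface
    fw.add("bad-if", "ACCEPT", proto="icmp", itype="pong")
    fw.add("bad-if", "ACCEPT", proto="tcp", dport=22)
    fw.add("bad-if", "icmp-acc")
    fw.add("bad-if", "DENY")
    fw.add("good-if", "DENY", iface="eth0")
    fw.add("good-if", "ACCEPT", proto="icmp", itype="ping")
    fw.add("good-if", "ACCEPT", proto="icmp", itype="pong")
    fw.add("good-if", "icmp-acc")
    fw.add("good-if", "DENY")
    if linked:                                  # the two jump rules the script lacks
        fw.add("input", "bad-if", iface="eth0")
        fw.add("input", "good-if", iface="eth1")
    return fw

# Constructed sample packets as the gateway's input chain would see them.
SSH_FROM_NET = {"iface": "eth0", "proto": "tcp", "dport": 22}
WEB_FROM_NET = {"iface": "eth0", "proto": "tcp", "dport": 80}
SSH_FROM_LAN = {"iface": "eth1", "proto": "tcp", "dport": 22}
def verdict(pkt, linked):   # input-chain verdict; unlinked it is always the policy
    return build(linked).walk("input", pkt)
```

Unlinked, every packet ends with the input policy no matter what bad-if and good-if say; the two jump rules under `if linked:` tie eth0 to bad-if on the assumption that eth0 is the outside interface, as the bootp and MASQ rules suggest.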