[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SLUG] Network card trouble



Robert Martinovic was once rumoured to have said:
>> This is fairly useless information (it won't show interfaces,
>> etc)... at a minimum, you should post the full output from both:
>> 
>> iptables -t filter -nvL
[excess output snipped]

After reviewing your netfilter rules I think I've seen whats wrong.

I take it your dial up is using a dynamically allocated IP address.

Your Netfilter rules are set to do anti-spoof (which is wasteful since
rp_filter already does this), and is blocking the wrong address on
ppp0.

your ruleset could be collasped down to:

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables -t filter -F INPUT
iptables -t filter -P INPUT ACCEPT
iptables -t filter -F OUTPUT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -F FORWARD
iptables -t filter -P FORWARD ACCEPT

(rp_filter will do the rest, and its enabled by default)

If you want additional protection, you can make use of NetFilter's
connection tracking and state modules by patching your INPUT rule.

A simple example which blocks new inbound connections on ppp0 only
might read:

iptables -t filter -F INPUT
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth0 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -j LOG

If OTOH, you're using a static IP dialup, you should be using SNAT,
not MASQUERADE.

you should read Rusty's guides none the less.

C.
-- 
--==============================================--
  Crossfire      | This email was brought to you
  xfire@nospam.xware.cx | on 100% Recycled Electrons
--==============================================--

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug