From: Mike Jones on 16 Jun 2010 16:33

Ok. Lessavanutha go. ;)

Assuming dnsmasq is configured properly (it works fine), and assuming aliens are not disrupting anything else... I've got (stripped back to related bits) these firewall details...

# === SERVER === #

IPT="/usr/sbin/iptables"

NIC_LAN="eth1"
PORTS_DHCP="53,67,68,4567"

$IPT -F;
$IPT -X;
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

$IPT -A INPUT -i $NIC_LAN -p udp \
  -m multiport --ports $PORTS_DHCP \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $NIC_LAN -p udp \
  -m multiport --ports $PORTS_DHCP \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# === SERVER === #


# === CLIENT === #

IPT="/usr/sbin/iptables"

NIC_LAN="eth0"
PORTS_DHCP="53,67,68,4567"

$IPT -F;
$IPT -X;
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A OUTPUT -o $NIC_LAN \
  -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -i $NIC_LAN \
  -p icmp --icmp-type 0 -j ACCEPT

$IPT -A OUTPUT -o $NIC_LAN -p udp \
  -m multiport --ports $PORTS_DHCP \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $NIC_LAN -p udp \
  -m multiport --ports $PORTS_DHCP \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# === CLIENT === #

...and the client can connect to the server ok.

However...

If I take this line in the server firewall...

$IPT -A OUTPUT -o $NIC_LAN -p udp \
  -m multiport --ports $PORTS_DHCP \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

...and change it to,

$IPT -A OUTPUT -o $NIC_LAN -p udp \
  -m multiport --ports $PORTS_DHCP \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

(Just cut the "NEW" from the "OUTPUT")

...then the client can't connect.
I'm thinking that as far as IPtables is concerned, the outgoing traffic is "NEW" to it, and I'm blocking the client by blocking its request return traffic, but the client treats that traffic as ESTABLISHED,RELATED as initial request traffic has already gone out.

Thoughts? Comments?

XP alt.os.linux.slackware,alt.os.linux
FU alt.os.linux

--
*=( http://www.thedailymash.co.uk/
*=( For all your UK news needs.
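A small model of the conntrack logic behind the NEW/ESTABLISHED distinction, added here as an illustration: it is not kernel code and not part of either post, and the addresses, ports and packet sequence are constructed. It pushes a DNS query/reply and a DHCP DISCOVER/OFFER through a toy conntrack table and through a model of the server's OUTPUT rule, once with NEW and once without. The point it shows: a DNS reply reverses the client's 5-tuple exactly, so conntrack already holds the entry and the reply is ESTABLISHED; a DHCP OFFER does not, because the DISCOVER came from 0.0.0.0:68 to 255.255.255.255:67 and the OFFER goes to the broadcast (or the offered) address, so the OFFER is a NEW flow and is dropped as soon as NEW is removed from the server's OUTPUT rule. The authoritative check on the real box is `cat /proc/net/ip_conntrack` (or `conntrack -L`) on the server while the client is trying to connect.

```python
"""Toy model of netfilter's connection tracker for UDP, plus the server
OUTPUT rule from the post.  Added example, not kernel code and not
dnsmasq's code; all addresses, ports and the 'server' are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Conntrack:
    """Tracks UDP flows by 5-tuple.  The first packet of a flow is NEW and
    creates an entry; any later packet whose tuple matches that entry in
    either direction is ESTABLISHED.  (ASSURED/timeouts are ignored.)"""

    def __init__(self):
        self.flows = set()          # keyed by the original-direction tuple

    def classify(self, pkt):
        orig = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reply = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if orig in self.flows or reply in self.flows:
            return "ESTABLISHED"
        self.flows.add(orig)
        return "NEW"


PORTS_DHCP = {53, 67, 68, 4567}     # the post's PORTS_DHCP list


def server_output_rule(pkt, state, allow_new):
    """Model of the server OUTPUT rule:
       -p udp -m multiport --ports $PORTS_DHCP -m state --state ... -j ACCEPT
    `--ports` matches when EITHER the source or the destination port is
    in the list; `allow_new` is whether NEW is in the --state list."""
    port_ok = pkt.src_port in PORTS_DHCP or pkt.dst_port in PORTS_DHCP
    state_ok = state == "ESTABLISHED" or (allow_new and state == "NEW")
    return port_ok and state_ok


def simulate(allow_new):
    """Run a DNS exchange and a DHCP exchange through a fresh conntrack
    table on the server.  Returns, per reply packet, the conntrack state
    and whether the OUTPUT rule would accept it."""
    ct = Conntrack()
    results = {}

    # DNS: the client already has an address.  The reply reverses the
    # query's tuple exactly, so conntrack finds the entry: ESTABLISHED.
    query = Packet("192.168.1.20", 40123, "192.168.1.1", 53)   # constructed
    reply = Packet("192.168.1.1", 53, "192.168.1.20", 40123)
    ct.classify(query)                  # seen on INPUT: NEW, creates entry
    st = ct.classify(reply)
    results["dns_reply"] = (st, server_output_rule(reply, st, allow_new))

    # DHCP: the client has no address yet.  DISCOVER is 0.0.0.0:68 ->
    # 255.255.255.255:67; the OFFER is sent from the server's own address
    # to the broadcast (or offered) address, so nothing reverses the
    # DISCOVER tuple and the OFFER starts a NEW flow.
    discover = Packet("0.0.0.0", 68, "255.255.255.255", 67)
    offer = Packet("192.168.1.1", 67, "255.255.255.255", 68)
    ct.classify(discover)
    st = ct.classify(offer)
    results["dhcp_offer"] = (st, server_output_rule(offer, st, allow_new))
    return results


if __name__ == "__main__":
    for allow_new in (True, False):
        label = "NEW,ESTABLISHED,RELATED" if allow_new else "ESTABLISHED,RELATED"
        print(f"OUTPUT --state {label}:")
        for name, (state, accepted) in simulate(allow_new).items():
            print(f"  {name:10s} conntrack={state:11s} accepted={accepted}")
```

One thing the model makes visible that the rules in the post do not: `-m multiport --ports` matches a listed port in the source or the destination position, so the client's OUTPUT rule also accepts any UDP packet the client sources from port 53 or 67, which a DNS/DHCP client never needs. `--dports 53,67` on the client's OUTPUT and `--sports 53,67` on its INPUT keep the same function with a narrower match (4567 is not explained in the thread, so it is left out of that suggestion).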
From: buck on 17 Jun 2010 20:47

Mike Jones <luck(a)dasteem.invalid> wrote in news:pan.2010.06.16.20.33.14(a)dasteem.invalid:

> # === SERVER === #
>
> IPT="/usr/sbin/iptables"
>
> NIC_LAN="eth1"
> PORTS_DHCP="53,67,68,4567"
>
> $IPT -F;
> $IPT -X;
> $IPT -P FORWARD DROP
> $IPT -P INPUT DROP
> $IPT -P OUTPUT DROP
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
>
> /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
>
> $IPT -A INPUT -i $NIC_LAN -p udp \
>   -m multiport --ports $PORTS_DHCP \
>   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -o $NIC_LAN -p udp \
>   -m multiport --ports $PORTS_DHCP \
>   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

> If I take this line in the server firewall...
>
> $IPT -A OUTPUT -o $NIC_LAN -p udp \
>   -m multiport --ports $PORTS_DHCP \
>   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> ...and change it to,
>
> $IPT -A OUTPUT -o $NIC_LAN -p udp \
>   -m multiport --ports $PORTS_DHCP \
>   -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> (Just cut the "NEW" from the "OUTPUT")
>
> ...then the client can't connect.

> Thoughts? Comments?

Ask Simon, the author of dnsmasq.

Assuming you took my previous advice to check the connection in /proc/net/ip_conntrack and that you see an ESTABLISHED connection on the server when the client cannot connect, my guess is that the connection is in fact terminated and a new one created.

--
buck