** Reply to message from gaston <[EMAIL PROTECTED]> on Fri, 12 Sep 2003
15:32:32 -0300

> -----Original Message-----
> This is feeling like a firewall issue to me, so let's look more closely at
> that.
> 
> Not knowing your firewall script (I have lazily allowed shorewall to
> abstract my thinking to its way of doing things), why don't we take a look
> at the rules as they actually are in iptables?
> 
> Why don't you post the output of iptables-save -c and let's take a look
> at what iptables is really doing?
> 
> Bret
> 
> --------------------------------------------------------------------------
> These are the scripts I'm using for iptables. I really appreciate your
> help; my job depends on this.
> 
> 
> #!/bin/bash
> 
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> 
> 
> iptables -A INPUT -i lo -p all -j ACCEPT                      
> iptables -A OUTPUT -o lo -p all -j ACCEPT
> 
> iptables -A INPUT -i eth0 -p ICMP -j ACCEPT
> 
> iptables -A INPUT -p ALL -i eth0
> 
> iptables -A FORWARD -i eth0 -p ALL -j ACCEPT
> 
> iptables -A OUTPUT -o eth0 -p all -j ACCEPT
> 
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> 
> iptables -A INPUT -i eth0 -p TCP --dport 22 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i eth0 -p UDP --dport 53 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --dport 3306 -m state --state NEW -j ACCEPT
> 
> iptables -P INPUT DROP 
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT                                    
> 
> 
> then I run other script which enables forwarding for the clients
> 
> iptables -A INPUT -s $IP -i eth1 -m mac --mac $MAC 
> iptables -A FORWARD -s $IP -i eth1 -m mac --mac $MAC 


Do not use two scripts. Instead, move your default policy (iptables -P ...)
stanza to the front of your first script and then move the contents of your second
script to follow the default policy stanza. As well, adding the following catch-all
rule to the very end of your script is considered a good idea for added
insurance:

# Drop everything not let through earlier

iptables -A INPUT -j DROP

jb


-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
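The consolidated script jb describes, written out as an added example; this is not code from the thread or from any of the posters. It keeps the interface names (eth0 external, eth1 clients) and the open ports from the posted script, and stands in a constructed two-entry client list for the $IP/$MAC values of the second script. Two things in the posted scripts are also corrected here, because they are why client traffic never gets through: several rules have no -j target (such a rule only counts packets, it accepts nothing), and the mac match option is --mac-source, not --mac. The script emits the rule set as commands so it can be reviewed or diffed against iptables-save before loading; "load" as the first argument pipes it into sh.

```shell
#!/bin/bash
# Added example, not the original poster's script.
# One script, ordered the way jb recommends: flush, default policies FIRST,
# then the accept rules (including the eth1 client rules that used to live in
# the second script), then an explicit catch-all DROP at the very end.
#
# Assumptions: eth0 is the outside interface, eth1 faces the clients, and the
# open ports are the ones from the posted script. The client list below is
# constructed for the example.
CLIENTS="192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66"

# Print the complete rule set, one iptables command per line, in load order.
gen_rules() {
    # 1. Flush, then set the default policies before any accept rule exists,
    #    so the box is closed (not open) while the rest of the rules load.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -t mangle -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # 2. Loopback and replies to connections we already allowed. Putting the
    #    state rule early also covers replies to forwarded client traffic.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 3. Services offered on the outside interface (same ports as the posted
    #    script). Every rule carries a -j target; without one it only counts.
    echo "iptables -A INPUT -i eth0 -p icmp -j ACCEPT"
    for port in 22 80 3306; do
        echo "iptables -A INPUT -i eth0 -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -i eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT"

    # 4. Former second script: each known client on eth1, matched on its IP
    #    and its MAC (--mac-source is the mac module's option), may reach the
    #    box and be forwarded.
    echo "$CLIENTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        echo "iptables -A INPUT -i eth1 -s $ip -m mac --mac-source $mac -j ACCEPT"
        echo "iptables -A FORWARD -i eth1 -s $ip -m mac --mac-source $mac -j ACCEPT"
    done

    # 5. Catch-all DROP last, as jb suggests, so the result does not hinge on
    #    the default policy alone (and is visible in iptables-save -c counters).
    echo "iptables -A INPUT -j DROP"
    echo "iptables -A FORWARD -j DROP"
}

# Execute the generated rule set (needs root). Usage: ./firewall.sh load
load_rules() {
    gen_rules | sh -e
}

case "${1:-}" in
    load) load_rules ;;
    *)    gen_rules ;;
esac
```

Running it with no argument only prints the commands, which is the form to paste into a reply when asking the list to check the rule order; "iptables-save -c" after "load" should then show the two client rules on eth1 and the final DROP rules with their packet counters.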