[nzlug] iptables problems...
Nick 'Zaf' Clifford
zaf at nrc.co.nz
Tue Feb 19 03:35:35 NZDT 2008
Steve Holdoway wrote:
> I'm trying to set up a basic firewall - as a start, I'm just trying to have ssh traffic and nothing else running. However, this just doesn't work. What am I doing wrong?
>
> It's going to act as a gateway - ssh tunnelling in, eventually restricting outgoing traffic to a few targets so it *should* make sense to default drop all output. The problem may be in the forwarding??
>
> Script... ( eth0 *is* internet facing, and nothing upstream is interfering )
>
> <snip>
> # iptables --list -n -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 DROP tcp -- eth0 * 192.168.0.0/16 0.0.0.0/0
> 0 0 DROP tcp -- eth0 * 172.16.0.0/12 0.0.0.0/0
> 0 0 DROP tcp -- eth0 * 10.0.0.0/8 0.0.0.0/0
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
>
> <snip>
Um, iptables is seeing zero traffic. It's not dropping or accepting anything.
Check with `tcpdump -i eth0` that you're actually receiving/seeing
packets on eth0.
My suspicion is you aren't.
As for the others who say use a tool. Bah, they can stick with Windows
XP. Learn to write your own firewall, and you'll understand the nature
of iptables.
<sarcasm>
These are the same people who say that using a compiler is acceptable!
Bah! Assembler is the only way
</sarcasm>
Nick
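As an added diagnostic example (not code from the thread), here is a small Python parser for `iptables --list -n -v` output that reports chains whose counters are all zero, i.e. the "zero traffic" condition Nick points out before suspecting any rule. The sample input is a constructed copy of the INPUT chain Steve posted; the function names are my own.

```python
"""Parse `iptables --list -n -v` output and flag chains that saw no packets."""
import re

# Constructed sample: the INPUT chain as posted in the thread (all counters zero).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 DROP tcp -- eth0 * 192.168.0.0/16 0.0.0.0/0
    0     0 DROP tcp -- eth0 * 172.16.0.0/12 0.0.0.0/0
    0     0 DROP tcp -- eth0 * 10.0.0.0/8 0.0.0.0/0
    0     0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
"""

# Built-in chains print "policy X N packets, N bytes"; user chains print "N references".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, \d+ bytes|\d+ references)\)")
COUNTER_RE = re.compile(r"\d+[KMG]?")
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def _num(s):
    """-v abbreviates large counters as 12K / 3M / 1G; expand them to integers."""
    return int(s[:-1]) * SUFFIX[s[-1]] if s[-1] in SUFFIX else int(s)


def parse_chains(text):
    """Return {chain: {'policy': str|None, 'policy_pkts': int, 'rules': [(pkts, target, rest)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts = m.groups()
            current = chains[name] = {"policy": policy, "policy_pkts": int(pkts or 0), "rules": []}
            continue
        parts = line.split()
        # Skip blanks and the "pkts bytes target ..." header: rule lines start with a counter.
        if current is None or len(parts) < 3 or not COUNTER_RE.fullmatch(parts[0]):
            continue
        current["rules"].append((_num(parts[0]), parts[2], " ".join(parts[3:])))
    return chains


def idle_chains(chains):
    """Chains where the policy counter and every rule counter are zero: no packet reached them,
    so the rules were never exercised and the problem lies before netfilter (link, routing, capture)."""
    return sorted(name for name, c in chains.items()
                  if c["policy_pkts"] == 0 and all(p == 0 for p, _, _ in c["rules"]))
```

If a chain is listed as idle, confirm with `tcpdump -i eth0` that packets are actually arriving on the interface before touching the ruleset.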