On 03.06.2008 02:26, Simon Slater wrote:
| On Mon, 2008-06-02 at 11:17 +0200, François Patte wrote:
|> On 02.06.2008 10:26, Simon Slater wrote:
|> | G'day all,
|> | I've been plugging away at this for some time and have no idea which
|> | direction to turn. The iptables on a gateway box (FC6) is blocking
|> | access to the internet from a laptop (F8). On each attempt to access
|> | the internet, the gateway responds with a reset.
|> |
|> | I have turned on everything in iptables using lokkit and
|> | system-config-iptables, with some hand editing to boot (guided by
|> | various howto's), probably allowing more than I need, but cannot get the
|> | laptop out through the firewall.
|>
|> What is the result of:
|>
|> cat /proc/sys/net/ipv4/ip_forward
|
| 1
|
| This morning I flushed the iptables rules to see what would happen and
| the gateway still sends the reset.

I don't understand what you mean by "reset".
I don't know how these system-config-iptables/whatever are working; you can try this:

first: iptables -L > rules-iptables_orig

second: execute (as root) this script:

#<---begin
#!/bin/sh
# Anti-spoofing: handled by netfilter (reverse path filter)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi

IPTABLES=/sbin/iptables
EXTERNAL_DEVICE=ppp0
INTERNAL_DEVICE=eth0

# Flush all rules before applying the new firewall rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Global policy: drop everything that is not explicitly allowed
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# New chains:
# log and drop
$IPTABLES -N LOG_DROP
$IPTABLES -A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 4
$IPTABLES -A LOG_DROP -j DROP
# log and accept
$IPTABLES -N LOG_ACCEPT
$IPTABLES -A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-level 4
$IPTABLES -A LOG_ACCEPT -j ACCEPT

# Everything is accepted on lo
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Web browsing allowed: incoming packets are accepted only if they belong to
# an already established connection
# http:80, https:443
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --sport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp -m multiport --dport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS from the server itself
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# SMTP (25) and NEWS (119) outbound to the internet
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --dport 25,119 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp -m multiport --sport 25,119 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --dport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# ftp: packets are accepted only as part of a connection established outbound
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN
#
# Traffic on the LAN is accepted in both directions
$IPTABLES -A INPUT -i $INTERNAL_DEVICE -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -d 192.168.1.0/24 -j ACCEPT

# Masquerading
#$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_DEVICE -j LOG --log-prefix "[IPTABLES MASQ]"
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# DHCP on the LAN
$IPTABLES -A INPUT -i $INTERNAL_DEVICE -p udp -s 0.0.0.0/32 --sport 68 -d 255.255.255.255/32 --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -p udp -s 0.0.0.0/32 --sport 67 -d 255.255.255.255/32 --dport 68 -j ACCEPT

# "forwarding"
# dns
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p udp --sport 53 -j ACCEPT

# browsing
$IPTABLES -A FORWARD -i $EXTERNAL_DEVICE -o $INTERNAL_DEVICE -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_DEVICE -i $INTERNAL_DEVICE -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_DEVICE -o $INTERNAL_DEVICE -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_DEVICE -i $INTERNAL_DEVICE -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

# mail
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 25 -j ACCEPT

# news
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 119 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 119 -j ACCEPT

# cups
$IPTABLES -A INPUT -p tcp -i $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
$IPTABLES -A INPUT -p tcp -i $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
$IPTABLES -A INPUT -p udp -i $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
$IPTABLES -A INPUT -p udp -i $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT

# The server is allowed to connect to the LAN
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -s 192.168.1.1 -d 192.168.1.0/24 -j ACCEPT

# Anything that reaches this point without matching a rule is logged and dropped
$IPTABLES -A FORWARD -j LOG_DROP
$IPTABLES -A INPUT -j LOG_DROP
$IPTABLES -A OUTPUT -j LOG_DROP

# Enable "ipforward"
echo 1 > /proc/sys/net/ipv4/ip_forward
#<-----end

You may want to change IP addresses 192.168.1.* to fit your own LAN.

Try some internet browsing from your laptop and see if it works.

third: iptables -L > iptables-rules_new

And compare, and try to guess what has to be changed in your use of system-config-iptables.

--
François Patte
UFR de mathématiques et informatique
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)1 44 55 35 61
http://www.math-info.univ-paris5.fr/~patte

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
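A small diagnostic for the "dump rules, apply the script, dump again" steps above, added here and not part of François's mail: a POSIX sh checker that reads a dump and reports whether ip_forward, the MASQUERADE rule and FORWARD rules in both directions are in place, and flags a REJECT --reject-with tcp-reset, which is one rule that makes a gateway answer the LAN with a TCP reset. It assumes the dumps are taken with `iptables-save` (whose output is machine-readable, unlike `iptables -L`); the interface names and LAN range are taken from the posted script, and both sample dumps are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original mail): check an iptables-save dump for
# what a masquerading gateway needs. Names below are assumed from the posted script.
LAN=192.168.1.0/24
EXT=ppp0   # external (internet) device
INT=eth0   # LAN device
# Constructed sample dumps in iptables-save syntax: a complete ruleset, and one
# with no NAT that answers the LAN with a TCP reset.
write_good() {
cat > "$1" <<'EOF'
*nat
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}
write_bad() {
cat > "$1" <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}
# check_gateway DUMP IP_FORWARD: print each finding, return the number found
check_gateway() {
  f=$1; n=0
  [ "$2" = 1 ] || { echo "ip_forward is '$2', must be 1"; n=$((n+1)); }
  grep -qE "^-A POSTROUTING -s $LAN .*-j MASQUERADE" "$f" \
    || { echo "no MASQUERADE for $LAN in nat/POSTROUTING"; n=$((n+1)); }
  grep -qE "^-A FORWARD -i $INT -o $EXT .*-j ACCEPT" "$f" \
    || { echo "no FORWARD accept from $INT to $EXT"; n=$((n+1)); }
  grep -qE "^-A FORWARD -i $EXT -o $INT .*-j ACCEPT" "$f" \
    || { echo "no FORWARD accept for replies from $EXT to $INT"; n=$((n+1)); }
  # A REJECT with tcp-reset is one thing that makes the gateway send a RST.
  grep -q -- "--reject-with tcp-reset" "$f" \
    && { echo "REJECT --reject-with tcp-reset present: would explain the resets"; n=$((n+1)); }
  return $n
}
# Demo on the constructed dumps; on the gateway pass
# "$(cat /proc/sys/net/ipv4/ip_forward)" as the second argument instead of 1.
good=$(mktemp); bad=$(mktemp); write_good "$good"; write_bad "$bad"
check_gateway "$good" 1 && echo "good dump: forwarding path complete"
check_gateway "$bad" 1 || echo "bad dump: $? problem(s)"
rm -f "$good" "$bad"
```

Run it once against the dump taken before the script and once against the dump taken after; the findings that disappear are the ones system-config-iptables was missing.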