DNS on firewall machine & traffic in/out of firewall to other networks
Joni Chu
rjchu@jonichu.com
Sat, 6 Oct 2001 01:13:33 -0700
Oskar,
Believe it or not, this actually seems to have done the trick! I changed
the line towards the end of the file from
$IPTABLES -A OUTPUT -p ALL -d $INET_IP -s $INET_IP -j ACCEPT
to
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT
and everything started working just fine - firewall can now send email out
(what I really wanted to do - email Tripwire reports to my cell phone) and
everything else that didn't work - ping, telnet, etc.
Am I opening anything up that I don't want to be by doing this? Also, do
you have any other suggestions for tightening up things more on the
firewall? If you'd like, I can re-send my current rc.firewall for the record
if you'd like to update your tutorial with the latest from the 'test
rabbit'. ;)
Thank you so much for your help!
-rjc-
> I found something just now that doesn't look right....
>
> $IPTABLES -A OUTPUT -p ALL -d $LO_IP -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -d $LAN_IP -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -d $INET_IP -s $INET_IP -j ACCEPT
>
> It seems you're not allowing packets to leave the firewall. Or rather, you
> don't allow them to the internet. You let packets through from LO_IP to
> LO_IP, you allow packets from LAN_IP to LAN_IP and you allow packets from
> INET_IP to INET_IP... but that's it.
>
> I just checked the original script myself, and found out that there's an
> error in there=). It should be -o $INET_IFACE -s $INET_IP, but it reads -d
> $INET_IFACE...(This'll probably not fix your problem with sendto not
> permitted though, but try it anyway)
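As an added illustration (not code from either message in this thread), here is a small Python model of how the old `-d $INET_IP -s $INET_IP` OUTPUT line and the corrected `-o $INET_IFACE -s $INET_IP` line match packets; the addresses and interface name are constructed sample values standing in for the script's variables. Since the iptables OUTPUT chain only sees packets the firewall itself generates (forwarded LAN traffic goes through FORWARD), the corrected rule accepts exactly the firewall's own traffic sourced from INET_IP leaving INET_IFACE, which is what the old rule failed to do.

```python
# Added illustration, not code from the thread: a toy model of how the old and
# corrected OUTPUT rules match packets that the firewall itself generates.
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values standing in for the rc.firewall variables.
INET_IP = "203.0.113.5"
INET_IFACE = "eth0"
LAN_IP = "192.168.0.1"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str

@dataclass(frozen=True)
class Rule:
    """One '-A OUTPUT ... -j ACCEPT' line; None means that match is absent."""
    src: Optional[str] = None
    dst: Optional[str] = None
    out_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or pkt.src == self.src)
                and (self.dst is None or pkt.dst == self.dst)
                and (self.out_iface is None or pkt.out_iface == self.out_iface))

# The line as it was: -d $INET_IP -s $INET_IP (only packets to the firewall's own IP).
OLD_RULE = Rule(src=INET_IP, dst=INET_IP)
# The corrected line: -o $INET_IFACE -s $INET_IP (anything the firewall sends out eth0).
NEW_RULE = Rule(src=INET_IP, out_iface=INET_IFACE)

def verdict(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching ACCEPT rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return "ACCEPT"
    return policy

# Firewall sending mail (the Tripwire report) to an outside host.
OUTBOUND = Packet(src=INET_IP, dst="198.51.100.25", out_iface=INET_IFACE)
# Firewall talking to its own public address.
SELF = Packet(src=INET_IP, dst=INET_IP, out_iface="lo")
# A packet not sourced from INET_IP: the corrected rule still does not accept it.
OTHER_SRC = Packet(src=LAN_IP, dst="198.51.100.25", out_iface=INET_IFACE)

if __name__ == "__main__":
    for name, pkt in [("outbound", OUTBOUND), ("self", SELF), ("other-src", OTHER_SRC)]:
        print(f"{name:10} old={verdict([OLD_RULE], pkt):7} new={verdict([NEW_RULE], pkt)}")
```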