new to IPTABLES
Phil Oester
kernel@theoesters.com
Fri, 11 Jan 2002 22:17:41 -0800
You won't get a connection refused using the DROP target - as it
implies, the packet is simply dropped. If you want connection refused
responses, you'll need the REJECT target with the '--reject-type'
extension.
You need to be more specific about the host forwarding rule.
-Phil Oester
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Dean
Sent: Friday, January 11, 2002 10:01 PM
To: netfilter@lists.samba.org
Subject: new to IPTABLES
I'm kind of new to IPTABLES. My boss pointed me to a firewall and said
fix it. Well, I'm kind of stuck. The firewall is constructed on Linux
7.1, kernel 2.4.2-2. It seems like no matter how simple the rule is
that I put in the firewall script, I get no response. The script runs
without errors. I flushed the firewall before every build and ran the
zero function. The best response I get is that if I apply the rules,
/sbin/iptables -A INPUT -s 0/0 -p tcp --dport 23:23 -j DROP
/sbin/iptables -A INPUT -s 0/0 -p tcp --sport 23:23 -j DROP
the firewall will time out trying to connect; I would expect to get a
connection refused message. If I remove the rule I get right in. I
also applied a simple HOST forwarding rule that should forward the
incoming telnet connection to an internal server. When I execute this
script I get the same thing: timeout while trying to connect. I can
telnet to the server fine from the internal network. I'm not sure what
to try next. Any help is appreciated.
Dean
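Added example (not code from the thread): the tcp/23 block written once with DROP and once with REJECT, so the two behaviours Phil describes can be compared on a real box. In the iptables REJECT target the option is spelled `--reject-with`, and `tcp-reset` is the reply type that makes a TCP client report "Connection refused" at once; with DROP the client keeps retransmitting its SYN until its own timer expires, which is the timeout Dean sees. The `IPT` variable, the function names and the `eth0` interface are assumptions of this example; `--syn` is added so only new connections are matched.

```shell
#!/bin/sh
# Added example, not code from the original thread. Shows the same tcp/23
# block with DROP (silent discard: the client times out) and with REJECT
# (a TCP RST is sent back: the client reports "Connection refused").
# IPT defaults to the real binary; set IPT="echo iptables" for a dry run
# that prints the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"

# Build the match part once so both variants block exactly the same traffic:
# new inbound TCP connections to port 23 on the given interface.
telnet_match() {
    # $1 = inbound interface (assumed name; use your external NIC)
    printf '%s' "-i $1 -p tcp --dport 23 --syn"
}

# DROP variant: inbound SYNs to tcp/23 are discarded and no reply is sent,
# so the remote client waits out its SYN retransmissions.
block_telnet_drop() {
    $IPT -A INPUT $(telnet_match "$1") -j DROP
}

# REJECT variant: the kernel answers each SYN with a RST, which the client
# turns into "Connection refused" immediately.
block_telnet_reject() {
    $IPT -A INPUT $(telnet_match "$1") -j REJECT --reject-with tcp-reset
}

# Note on the --sport 23 rule in the original post: on INPUT it matches
# packets arriving with source port 23, e.g. replies from a remote telnet
# server to a telnet client running on the firewall itself. It is not
# needed to block inbound telnet and has no effect on forwarded traffic.

# Show the INPUT chain with packet counters. A DROP or REJECT rule whose
# counter stays at 0 is not seeing the traffic you expect (wrong interface,
# wrong chain, or an earlier rule matched first).
show_input_chain() {
    $IPT -L INPUT -n -v --line-numbers
}

main() {
    mode="${1:-reject}"; iface="${2:-eth0}"
    case "$mode" in
        drop)   block_telnet_drop "$iface" ;;
        reject) block_telnet_reject "$iface" ;;
        *) echo "usage: $0 drop|reject [iface]" >&2; return 2 ;;
    esac
    show_input_chain
}

# Only act when invoked with arguments, e.g.:  IPT="echo iptables" sh block.sh drop eth0
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root with `drop` or `reject` and then telnet to the firewall from outside: the DROP form hangs until the client gives up, the REJECT form fails instantly. The forwarded-telnet case in the original post is a separate problem (it lives in the FORWARD and nat tables, not INPUT) and, as Phil says, needs the actual rule before anyone can say what is wrong with it.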