(no subject)

James Mello james.mello@wamu.net
Mon, 17 Jun 2002 13:05:36 -0700


Hrm... This did fix the problem, but I'm still not sure why the heck
connections other than those from localhost did work. Any ideas?

	-- Cheers
	-- James

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
Sent: Monday, June 17, 2002 12:56 PM
To: netfilter@lists.samba.org
Subject: Re: (no subject)


On Monday 17 June 2002 8:47 pm, James Mello wrote:

> I forgot to mail this to the entire list... Sorry...
>
> At any rate, I suspect that this is not the issue as I'm able to 
> connect to SSH from a remote server, but NOT the localhost ;) Sorry 
> for not including this critical piece of info!

What happens if you include the following rule ?

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Does it solve the problem ?

 
Antony.


> On Mon, Jun 17, 2002 at 11:54:18AM -0700, James Mello wrote:
> > I've set up the following iptables chains on my box,  but I'm 
> > getting denies that I'm not expecting. Below is a copy of the config
> > as well as the deny log that I'm seeing.
> >
> > # Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002 
> > *filter
> > :INPUT DROP [0:0]
> >
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [199:15749]
> > :LOGDENY - [0:0]
> >
> > -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> > -A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
> > -A INPUT -p tcp -j LOGDENY
> > -A INPUT -p udp -j LOGDENY
> > -A LOGDENY -p udp -m udp --dport 137:139 -j DROP
> > -A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
> > -A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
> > -A LOGDENY -j DROP
> > COMMIT
> > # Completed on Mon Jun 17 11:11:02 2002
> >
> > root# ssh localhost
> > root# tail -f /var/log/messages
> >
> > Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT= 
> > MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 
> > DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
> > SPT=22 DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0
> >
> >
> > What confuses me the most is the fact that I'm getting denied on the
> > SYN/ACK rather than on the initial connection. Can someone please shed
> > some light on this?
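The following is an added example, not part of the thread above and not netfilter code. It is a small Python model of the INPUT chain from the iptables-save dump, walked over the three-way handshake once for "ssh localhost" and once for a client on eth0, with and without Antony's ESTABLISHED,RELATED rule. The point it makes concrete: with both endpoints on the same box, the server's SYN/ACK (SPT=22, DPT=32783, exactly the packet in the log) comes back in on lo and has to pass INPUT, where no stateless rule matches its destination port; a remote client's copy of that SYN/ACK leaves through OUTPUT (policy ACCEPT) and never enters INPUT, and every packet the remote client sends has DPT=22, so that case works by accident. The client port 32783 and the LOGDENY behaviour are taken from the posted config and log; the addresses 192.0.2.10 and 10.0.0.5, the remote client port 40000, and the toy connection tracker are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NEW, ESTABLISHED, RELATED = "NEW", "ESTABLISHED", "RELATED"


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet enters on (IN= in the log)
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # "SYN", "SYN ACK" or "ACK", used as a label


@dataclass
class Rule:
    target: str                        # ACCEPT or the user chain LOGDENY
    iface: Optional[str] = None        # -i
    proto: Optional[str] = None        # -p
    sport: Optional[range] = None      # --sport (range of allowed ports)
    dport: Optional[range] = None      # --dport
    states: Optional[Set[str]] = None  # -m state --state

    def matches(self, pkt: Packet, ct_state: str) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or pkt.sport in self.sport)
                and (self.dport is None or pkt.dport in self.dport)
                and (self.states is None or ct_state in self.states))


class Conntrack:
    """Toy tracker (constructed, not netfilter's): a packet whose reverse
    tuple has already been seen is ESTABLISHED, anything else is NEW."""

    def __init__(self) -> None:
        self.seen: Set[Tuple] = set()

    def classify(self, pkt: Packet) -> str:
        tup = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = ESTABLISHED if rev in self.seen else NEW
        self.seen.add(tup)
        return state


def input_chain(stateful: bool) -> List[Rule]:
    """The INPUT chain from the posted dump, optionally with the
    ESTABLISHED,RELATED rule from Antony's reply in front of it."""
    rules: List[Rule] = []
    if stateful:
        rules.append(Rule("ACCEPT", states={ESTABLISHED, RELATED}))
    rules += [
        Rule("ACCEPT", iface="eth0", proto="udp", sport=range(53, 54)),
        Rule("ACCEPT", iface="eth0", proto="tcp", sport=range(53, 54)),
        Rule("ACCEPT", proto="tcp", dport=range(22, 23)),
        Rule("ACCEPT", proto="tcp", dport=range(80, 81)),
        Rule("ACCEPT", iface="eth0", proto="udp", sport=range(67, 69)),
        Rule("ACCEPT", iface="eth0", proto="tcp", sport=range(67, 69)),
        Rule("LOGDENY", proto="tcp"),
        Rule("LOGDENY", proto="udp"),
    ]
    return rules


def logdeny(pkt: Packet) -> Tuple[str, bool]:
    """LOGDENY chain: NetBIOS ports are dropped silently, everything else
    is logged with prefix "IPTABLES DENY " and then dropped."""
    if pkt.dport in range(137, 140):
        return "DROP", False
    return "DROP", True


def walk_input(rules: List[Rule], pkt: Packet, ct_state: str) -> Tuple[str, bool]:
    """Return (verdict, logged) for one packet entering INPUT."""
    for rule in rules:
        if rule.matches(pkt, ct_state):
            return logdeny(pkt) if rule.target == "LOGDENY" else (rule.target, False)
    return "DROP", False  # chain policy DROP, nothing logged


def ssh_handshake(stateful: bool) -> Dict[str, Tuple[str, bool]]:
    """Verdicts for 'ssh localhost'. Both ends live on the box, so the
    server's SYN/ACK re-enters INPUT on lo just like the client's packets."""
    ct, rules = Conntrack(), input_chain(stateful)
    pkts = [
        Packet("lo", "tcp", "127.0.0.1", 32783, "127.0.0.1", 22, "SYN"),
        Packet("lo", "tcp", "127.0.0.1", 22, "127.0.0.1", 32783, "SYN ACK"),
        Packet("lo", "tcp", "127.0.0.1", 32783, "127.0.0.1", 22, "ACK"),
    ]
    return {p.flags: walk_input(rules, p, ct.classify(p)) for p in pkts}


def remote_handshake(stateful: bool) -> Dict[str, Tuple[str, bool]]:
    """Verdicts for a client on eth0. The box's SYN/ACK leaves via OUTPUT
    (policy ACCEPT) and never enters INPUT; conntrack still records it."""
    ct, rules = Conntrack(), input_chain(stateful)
    syn = Packet("eth0", "tcp", "10.0.0.5", 40000, "192.0.2.10", 22, "SYN")
    synack_out = Packet("eth0", "tcp", "192.0.2.10", 22, "10.0.0.5", 40000, "SYN ACK")
    ack = Packet("eth0", "tcp", "10.0.0.5", 40000, "192.0.2.10", 22, "ACK")
    verdicts = {"SYN": walk_input(rules, syn, ct.classify(syn))}
    ct.classify(synack_out)  # seen by conntrack on the way out, no INPUT verdict
    verdicts["ACK"] = walk_input(rules, ack, ct.classify(ack))
    return verdicts


if __name__ == "__main__":
    for stateful in (False, True):
        print("ESTABLISHED,RELATED rule present:", stateful)
        print("  ssh localhost:", ssh_handshake(stateful))
        print("  remote client:", remote_handshake(stateful))
```

Without the state rule the model reports the localhost SYN/ACK as dropped and logged, which is the log line in the thread; with it, the SYN/ACK is ESTABLISHED and accepted before any port rule is consulted. Two practical notes on the posted ruleset: an `-A INPUT -i lo -j ACCEPT` rule would also have cured the localhost case on its own, and the `--sport 53` and `--sport 67:68` accepts trust a source port that any remote sender can choose freely; once replies are admitted by connection state, those stateless source-port rules are no longer needed for DNS or DHCP answers and can be dropped.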