Wednesday, January 28, 2009

Re: my debian does not read my own iptables script

On 2009-01-28 Patrik Hasibuan wrote:
> I am building a firewall with Debian Sarge on my internet gateway. But
> it looks like my debian does not read my iptables script after I run my
> own iptables script.
[...]
> I haven't opened rpcbind, auth, printer. And 21, 23, 53 are not
> opened by my iptables. Where is the mistake? Please tell me. I am new
> to debian and iptables. Usually I use OpenSuSE and SuSEfirewall2 and I
> configure the firewall with YaST2 so easily. But now I want to get
> close to debian too. And I am stuck on this case.
[...]
> #!/bin/bash
> #Zero...zero...from beginning
> iptables -F

You are not setting default policies (bad idea), so your chains probably
accept all incoming packets. As others have told you before: please post
the output of "iptables -nL" and "iptables -t nat -nL" (and perhaps the
output of "iptables -t mangle -nL" and "iptables -t raw -nL").

As a starting point, my iptables scripts usually begin like this:

----8<----
# 1) Disable IP forwarding.
echo "0" > /proc/sys/net/ipv4/ip_forward

# 2) Set default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# 3) Flush chains
iptables -F
iptables -t nat -F

# 4) Delete user-defined chains
iptables -X
iptables -t nat -X

# 5) Re-enable IP forwarding (if required)
echo "1" > /proc/sys/net/ipv4/ip_forward

# ...
---->8----

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
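The ordering Ansgar's snippet shows (policies first, then flush, forwarding off while the rules are rebuilt), carried through to a small gateway ruleset, as an added example that is not part of the original thread; it also includes a check over the "iptables -nL" output he asks for, which flags built-in chains left at policy ACCEPT. The interface names eth0/eth1 and the LAN range are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a gateway ruleset in the order
# described above, plus a check that reads "iptables -nL" output and flags
# built-in chains still at policy ACCEPT. Interfaces and LAN range are assumed.
WAN=eth0                 # assumed internet-facing interface
LAN=eth1                 # assumed LAN-facing interface
LAN_NET=192.168.1.0/24   # assumed LAN address range

apply_rules() {
    echo 0 > /proc/sys/net/ipv4/ip_forward   # 1) no forwarding while rules are rebuilt
    iptables -P INPUT DROP                    # 2) default policies BEFORE the flush, so the
    iptables -P OUTPUT ACCEPT                 #    flush never leaves the host wide open
    iptables -P FORWARD DROP
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -F;  iptables -t nat -F          # 3) flush built-in chains
    iptables -X;  iptables -t nat -X          # 4) delete user-defined chains
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT   # ssh from LAN only
    iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward   # 5) forwarding back on, now that rules exist
}

# Reads "iptables -nL" output on stdin, prints each built-in chain whose
# policy is ACCEPT, and returns 1 if INPUT or FORWARD is among them.
check_policies() {
    awk '/^Chain [A-Z]+ \(policy /{ chain = $2; pol = $4; sub(/\)$/, "", pol)
           if (pol == "ACCEPT") print chain " policy is ACCEPT"
           if (pol == "ACCEPT" && (chain == "INPUT" || chain == "FORWARD")) bad = 1 }
         END { if (bad) exit 1; exit 0 }'
}

# Constructed sample of what a box with no default policies set looks like.
SAMPLE_NO_POLICY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

case "${1:-}" in
    apply) apply_rules ;;                                   # needs root
    check) iptables -nL | check_policies ;;                 # inspect the live box
    demo)  printf '%s\n' "$SAMPLE_NO_POLICY" | check_policies ;;
esac
```

Run it with "demo" to see the check on the constructed sample, "check" on the live box, and "apply" (as root) to load the ruleset.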