Saturday, July 02, 2005

Re: Firewall-troubleshooting

On 3 Jul 2005, KC wrote:
> I need help understanding what goes wrong in this script. I cannot ping
> anyone and cannot resolve as well. In fact I believe the only thing I can
> get is an ip address from my isp's dhcp server.

With sufficiently modern kernels, the DHCP client uses raw sockets, so
it can (AIUI) bypass firewall rules that would otherwise stop it getting
through.

I can't spot anything wrong with your script, which means that it isn't
an obvious stupid mistake (congratulations ;). You have some work to
do, I guess. :)

Two things that are generally helpful in debugging iptables/firewall
problems:

The logs of dropped packets, which I note you have added, may show you
where things are getting discarded. A *default* log at the end, showing
everything else, is also really helpful.

Watching the output of 'iptables -L' will show you where packets are
flowing: each time they pass a rule, or chain, they bump up the packet
count.

This can show that, say, one of your rules is eating all the packets --
they get that far, then stop.

Finally, that is a pretty complex firewall script, and obviously
somewhat hard to maintain. Maybe you would get better value for your
time by using an existing firewall helper like 'firehol', or something,
than re-doing the work that went into the existing tools?

Of course, if your aim is to learn iptables rather than just get it
working, that loses. ;)

Daniel

--
A cathedral, a wave of a storm, a dancer's leap,
never turn out to be as high as we had hoped.
-- Marcel Proust

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
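The counter-watching technique Daniel describes above, as an added example that is not from the original mail: a POSIX shell script that diffs two snapshots of 'iptables -L -v -n -x' output (taken before and after one test ping) and reports which rule's packet counter grew, i.e. which rule the packets reached before stopping. The two snapshots below are constructed sample output, and the script assumes the rule order is the same in both.

```shell
#!/bin/sh
# Added example: find the rule that is "eating" packets by diffing two
# snapshots of 'iptables -L -v -n -x' (-x gives exact counts, no K/M
# suffixes). Take one snapshot, send a test packet, take another.
# A catch-all log rule at the end of the chain, e.g.
#   iptables -A INPUT -j LOG --log-prefix "FW-DEFAULT: "
# shows what fell through every other rule. Sample data is constructed.

BEFORE='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5   420 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FW-DEFAULT: "'

AFTER='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    9   756 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FW-DEFAULT: "'

# rule_counts SNAPSHOT: emit one "CHAIN RULE# TARGET PKTS" line per rule.
rule_counts() {
    printf '%s\n' "$1" | awk '
        /^Chain /       { chain = $2; n = 0; next }   # new chain header
        /^ *pkts bytes/ { next }                      # column header
        NF >= 3         { n++; print chain, n, $3, $1 }'
}

# grown_rules BEFORE AFTER: print "CHAIN rule N (TARGET) +DELTA" for every
# rule whose packet counter increased between the two snapshots.
grown_rules() {
    { rule_counts "$1"; echo "---"; rule_counts "$2"; } | awk '
        $0 == "---" { after = 1; next }
        !after      { before[$1 " " $2] = $4; next }
        {
            d = $4 - before[$1 " " $2]
            if (d > 0) printf "%s rule %s (%s) +%d\n", $1, $2, $3, d
        }'
}

grown_rules "$BEFORE" "$AFTER"
```

Run it on a live box by replacing the two literals with 'iptables -L -v -n -x' output captured before and after the ping; in this constructed sample the third INPUT rule (the icmp DROP) is the one consuming the echo requests.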