[PLUG] Still having fun with IPTables

wes plug at the-wes.com
Wed Feb 2 20:33:58 UTC 2011


I don't know why, but Gmail is flagging your messages as spam. Whatever
crazy thing you're doing, I suggest you knock it off :)

-wes

On Wed, Feb 2, 2011 at 12:18 PM, Daniel M. Head <dmhead01 at gmail.com> wrote:

> Hey all,
>
> I tried to send this yesterday, but was having some issues with the
> wireless network. I didn't receive it from the list, so I'm resending.
> Any suggestions on what the problem may be would be _greatly_
> appreciated. If others have already received this, please accept my most
> humble apologies.
>
>
> I have the openvpn client rules set up (as per my question earlier this
> week - thank you again EJ), and the correct virtual ip is being assigned
> to my test account when I connect through openvpn.
>
> Now, I am trying to restrict that test account to only be able to access
> one specific server. All other traffic of any form should be allowed. As
> it is, my test account is not able to access anything except the openvpn
> server itself. If I turn iptables off, everything is talking to
> everything again.
>
> Here is the output of the iptables file (I have also added comments to
> the five custom entries I made in iptables. Also, IPs and names have
> been changed, not that it matters, no one could identify anything with a
> private IP.):
>
>    [dan at server1 sysconfig]# cat iptables
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> # This client should be able to access this one server.
> -A FORWARD -i tun0 -s 192.168.0.1/30 -d 172.16.0.50 -j ACCEPT
> # The same client should not be able to access anything else.
> -A FORWARD -i tun0 -s 192.168.0.1/30 -j DROP
> # Everyone else should be able to access everything else.
> -A FORWARD -i tun0 -j ACCEPT
> # All traffic directed directly to this machine should be allowed.
> -A INPUT -j ACCEPT
> # All traffic originating from this machine should be allowed.
> -A OUTPUT -j ACCEPT
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> [dan at server1 sysconfig]#
>
> The output from iptables -L looks good (to me anyway) too:
>
> [dan at server1 sysconfig]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> RH-Firewall-1-INPUT  all  --  anywhere   anywhere
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.1/30       server4.acompany.com
> DROP       all  --  192.168.0.1/30       anywhere
> ACCEPT     all  --  anywhere             anywhere
> RH-Firewall-1-INPUT  all  --  anywhere   anywhere
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     esp  --  anywhere             anywhere
> ACCEPT     ah   --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> [dan at server1 sysconfig]#
>
> It was my understanding that iptables read rules from the top down, and
> that once a rule condition was met, it skipped any further rules. Does
> anyone see a problem with the above? Thanks in advance!
> --
> Best regards,
> Daniel M. Head
> http://www.linkedin.com/in/dmhead
> Cell Phone: (360) 980-5885
> Home/Message Phone: (360) 210-5492
> E-mail: dan at dmhead.us
>
> "If we want to set our lives aright and find peace,
> it is not the tolerant attitude of others that will do it for us.
> It will come about, rather, by our learning how to show them compassion."
> - John Cassian
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
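As an added example (not code from the thread or from the iptables project), here are the FORWARD and RH-Firewall-1-INPUT chains quoted above walked by a small first-match simulator in Python: a packet traverses the chain top down, the first matching rule with a verdict ends evaluation, and a jump into a user chain resumes in the caller if that chain produces no verdict. It models only the filter FORWARD path (no nat table, no routing); the interface names, the client address 192.168.0.2, the second host 172.16.0.60 and the conntrack state carried on each packet are constructed.

```python
import ipaddress  # added example (not from the thread): walks the quoted chains first-match

R = lambda target, **conds: dict(target=target, **conds)  # a rule: target + match conditions
CHAINS = {  # FORWARD and RH-Firewall-1-INPUT as listed in the quoted iptables file
    "FORWARD": [
        R("ACCEPT", inp="tun0", src="192.168.0.1/30", dst="172.16.0.50/32"),
        R("DROP", inp="tun0", src="192.168.0.1/30"),
        R("ACCEPT", inp="tun0"),
        R("RH-Firewall-1-INPUT")],
    "RH-Firewall-1-INPUT": [
        R("ACCEPT", inp="lo"), R("ACCEPT", proto="icmp"),
        R("ACCEPT", proto="esp"), R("ACCEPT", proto="ah"),
        R("ACCEPT", proto="udp", dport=5353, dst="224.0.0.251/32"),
        R("ACCEPT", proto="udp", dport=631), R("ACCEPT", proto="tcp", dport=631),
        R("ACCEPT", state={"ESTABLISHED", "RELATED"}),
        R("ACCEPT", proto="tcp", dport=22, state={"NEW"}),
        R("REJECT")]}

def matches(rule, pkt):
    """True when every match condition on the rule holds for the packet."""
    for key, want in rule.items():
        have = pkt.get(key)
        if key in ("src", "dst"):   # iptables masks the host bits, hence strict=False
            ok = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        else:
            ok = key == "target" or (have in want if key == "state" else have == want)
        if not ok:
            return False
    return True

def walk(chain, pkt, trace):
    """First terminating verdict found in chain, or None when it falls off the end."""
    for i, rule in enumerate(CHAINS[chain]):
        if not matches(rule, pkt):
            continue                                  # no match: try the next rule
        trace.append(f"{chain}[{i}] -> {rule['target']}")
        if rule["target"] not in CHAINS:
            return rule["target"]                     # first matching verdict wins
        verdict = walk(rule["target"], pkt, trace)    # jump into a user-defined chain
        if verdict is not None:
            return verdict                            # else resume after the jump rule
    return None

def forward_verdict(pkt):
    trace = []                                        # chain policy ACCEPT if nothing matched
    return walk("FORWARD", pkt, trace) or "ACCEPT", trace

# Constructed sample: the VPN client (192.168.0.2) opening SSH to a host other than 172.16.0.50
SAMPLE = dict(inp="tun0", src="192.168.0.2", dst="172.16.0.60", proto="tcp", dport=22, state="NEW")
print(forward_verdict(SAMPLE))   # ('DROP', ['FORWARD[1] -> DROP'])
```

Reply packets come back in on the LAN interface rather than tun0, so they skip the three tun0 rules and reach the ESTABLISHED,RELATED rule inside RH-Firewall-1-INPUT, which the trace makes visible.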


