/dev/rob0 wrote:
> Colin Bigam wrote:
Problem solved!!!
> And later I presume you're jumping to this chain from INPUT and FORWARD
> built-in chains?
Indeed I am.
> Whenever posting an iptables question, it helps to show
> ALL the rules, because as I assume you are aware, earlier rules can make
> later ones superfluous. Anyway I am assuming you've covered that on your
> own.
Heh. Had just a few seconds to post before the wife picked me up. I didn't
have time to bring everything over.
> Related and established connections (ip_conntrack) are ACCEPTed here.
> The rest of the rules won't be considered.
Right. I want to allow (and not log) any connections I've already got set up.
> Same with new connections not from $EXT_ETH.
Yep. I don't care about logging connections initiated by my own people.
> > $IPTAB -A block --dport ! 6348 -j LOG --log-level info
>
> I thought --[ds]port options required -p (tc|ud)p ? I'll bet this is it.
> Try running this at the command line and watch for errors. Is your
> script hiding the errors from you? If you want to match both TCP and
> UDP, use separate rules.
Right you are! --[ds]port are options within the -p rule. I guess that's
what I get for jumping through the man pages instead of reading them
closely. That was the key, thanks!
> I'd say that ssh logging is redundant, since sshd does its own logging
> of all connections, whether successful or not.
Ah, but earlier in the ruleset (which I didn't show :-), you would have
seen that ssh traffic gets forwarded to an internal host. The point of
logging it here is that all connections get logged on the firewall.
At any rate, thanks for the help. In checking through the order of the
rules, I found a pair of rules that were backwards and causing me some
other strange but subtle problems. Now I've got more to worry about...
Thanks,
Colin
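The fix discussed above, written out as an added example that is not from the original thread: `--dport` belongs to the tcp/udp match, so it only works after `-p tcp` or `-p udp`, and covering both protocols takes two rules. The `$IPTAB` variable name and the `block` chain are taken from the thread; the `RUN` prefix (default `echo`) is an assumption added so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example (not the thread's own script): emit the corrected LOG rules
# for the poster's "block" chain. --dport is an option of the tcp/udp match,
# so it needs "-p tcp" or "-p udp" in front of it, and matching both
# protocols takes one rule each. RUN=echo (the default) only prints the
# commands; set RUN= (empty) to actually apply them with iptables.
IPTAB="${IPTAB:-iptables}"   # same variable name as in the thread
RUN="${RUN:-echo}"           # assumption: dry-run prefix, not from the thread

# Usage: block_log_rules PORT
# Prints (or runs) one LOG rule per protocol that logs every packet in the
# chain except those destined to PORT. Uses "! --dport PORT", the negation
# form current iptables accepts; the old "--dport ! PORT" spelling is
# deprecated and rejected by newer releases.
block_log_rules() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "block_log_rules: port must be numeric" >&2; return 1 ;;
    esac
    for proto in tcp udp; do
        $RUN "$IPTAB" -A block -p "$proto" ! --dport "$port" \
            -j LOG --log-level info --log-prefix "block-$proto:"
    done
}

# Sanity check on the emitted rules: count how many carry a protocol match
# directly before the negated --dport (expected: 2, one tcp and one udp).
block_log_rules_ok() {
    block_log_rules "$1" | grep -cE -- '-p (tcp|udp) ! --dport'
}

block_log_rules 6348
```

Running the script as-is prints the two rules; running it at the command line with `RUN=` is also the quickest way to surface the "unknown option" error the wrapper script was hiding.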