problem with iptables

Hello@all,

i have a problem with the configuration of my firewallscript.

My system: Suse 9.3 base installation on epia with 2 nics.

on nic (eth0) for the internal connections (192.168.0.0 net)

the other as dialup dsl connection (over ppp0).

now i created the following rules for the startup:

#!/bin/bash

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F

iptables -P INPUT DROP

iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i ppp0 -m state --state ESTABLISHED -j ACCEPT

#SSH
iptables -A INPUT -i ppp0 -p TCP --dport 22 -j ACCEPT

#VPN
#iptables -A INPUT -i eth2 -p UDP --dport 1194 -j ACCEPT
#iptables -A INPUT -i tun0 -j ACCEPT
#iptables -A INPUT -i tap0 -j ACCEPT


#ClientPorts
#iptables -A INPUT -i eth1 -p TCP -m multiport --dports 4661,4662,4665 -j
ACCEPT
#iptables -A INPUT -i eth1 -p UDP -m multiport --dports 4661,4662,4665 -j
ACCEPT


iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


all connections from the internal network to gatewayserver which are online
before running the script are doing. but if i run the script new connections
are rejected.
internet-connection works too. but a new ssh connetion to the server from
the internal network don´t work anymore.

i have no idea wath is wrong with the script.

could you help me.

thank you.

regards

Marcus König

On Sun, 05 Feb 2006 15:27:42 +0100, Marcus König wrote:

> all connections from the internal network to gatewayserver which are online
> before running the script are doing. but if i run the script new connections
> are rejected.
> internet-connection works too. but a new ssh connetion to the server from
> the internal network don´t work anymore.

Simple. Your script only allows Established connection from ppp0. All
NEW connection are dropped. Your SSH connection is only allowed via the
ppp0 port so internal connection are not.


--

Regards
Robert

Smile... it increases your face value!


----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

Hello Robert,

thanks for the quick answer, but with these line:

iptables -A INPUT -i eth0 -j ACCEPT <-- internal device
iptables -A INPUT -i lo -j ACCEPT

should all internal traffic be allowed. (i forgot it to say in the first
mail).

the next thing i noticed a few moments ago, is that if i run the script, i
can log in in my system yet, but the effect turns on when i make the
dsl-connection with adsl-start. this script sets the default gateway to ppp0
and brings the server online.

do you have any idea?

thx
"Robert" <(E-Mail Removed)> schrieb im Newsbeitrag
news(E-Mail Removed) e...
> On Sun, 05 Feb 2006 15:27:42 +0100, Marcus König wrote:
>
>> all connections from the internal network to gatewayserver which are
>> online
>> before running the script are doing. but if i run the script new
>> connections
>> are rejected.
>> internet-connection works too. but a new ssh connetion to the server from
>> the internal network don´t work anymore.
>
> Simple. Your script only allows Established connection from ppp0. All
> NEW connection are dropped. Your SSH connection is only allowed via the
> ppp0 port so internal connection are not.
>
>
> --
>
> Regards
> Robert
>
> Smile... it increases your face value!
>
>
> ----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet
> News==----
> http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+
> Newsgroups
> ----= East and West-Coast Server Farms - Total Privacy via Encryption
> =----

On Sun, 05 Feb 2006 16:37:45 +0100, Marcus König wrote:

> the next thing i noticed a few moments ago, is that if i run the script, i
> can log in in my system yet, but the effect turns on when i make the
> dsl-connection with adsl-start. this script sets the default gateway to ppp0
> and brings the server online.
>
> do you have any idea?

What does iptables -L -n -v give for an output after the script is run?


--

Regards
Robert

Smile... it increases your face value!


----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

this was the right tip. the adsl-start script changed the iptables.

thx

"Robert" <(E-Mail Removed)> schrieb im Newsbeitrag
news(E-Mail Removed) e...
> On Sun, 05 Feb 2006 16:37:45 +0100, Marcus König wrote:
>
>> the next thing i noticed a few moments ago, is that if i run the script,
>> i
>> can log in in my system yet, but the effect turns on when i make the
>> dsl-connection with adsl-start. this script sets the default gateway to
>> ppp0
>> and brings the server online.
>>
>> do you have any idea?
>
> What does iptables -L -n -v give for an output after the script is run?
>
>
> --
>
> Regards
> Robert
>
> Smile... it increases your face value!
>
>
> ----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet
> News==----
> http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+
> Newsgroups
> ----= East and West-Coast Server Farms - Total Privacy via Encryption
> =----

try this rule.

iptables -A INPUT -i ppp0 -m state --state RELATED, ESTABLISHED -j
ACCEPT

don't forgot to read iptables man page.