* Setting up default policy to 'DROP' problem
@ 2004-02-02 14:01 ads nat
  2004-02-03 13:49 ` Jeffrey Laramie
  0 siblings, 1 reply; 7+ messages in thread
From: ads nat @ 2004-02-02 14:01 UTC (permalink / raw)
  To: netfilter


I have set up a DMZ firewall as per Oskar Andreasson's tutorial on the Netfilter.org 
site.

When I set the default policy to drop for the INPUT, OUTPUT and FORWARD chains as 
mentioned in the tutorial, my connection drops.
I am attaching my iptables rules listing.
Is there anything wrong in the iptables rules?
When I set the default to ACCEPT everything works fine.
Help appreciated.
Thanks


[-- Attachment #2: DMZ-FIREWALL-anderson --]
[-- Type: application/octet-stream, Size: 5615 bytes --]

[root@shastriweb root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  192.168.0.0/24       anywhere           reject-with icmp-port-unreachable
REJECT     all  --  192.168.1.0/24       anywhere           reject-with icmp-port-unreachable
REJECT     all  --  shastriweb           anywhere           reject-with icmp-port-unreachable
DROP       tcp  --  anywhere             anywhere           tcp dpt:1214
DROP       tcp  --  anywhere             anywhere           tcp dpt:1214
bad_tcp_packets  tcp  --  anywhere             anywhere
icmp_packets  icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.1.1
ACCEPT     all  --  anywhere             192.168.0.1
ACCEPT     all  --  shastriweb           anywhere
ACCEPT     all  --  192.168.0.1          anywhere
ACCEPT     all  --  xxx.xxx.xxx.xxx       anywhere
ACCEPT     all  --  anywhere             xxx.xxx.xxx.xxx     state RELATED,ESTABLISHED
DROP       udp  --  anywhere             yyy.yyy.yyy.yyy     udp dpts:135:netbios-ssn
DROP       udp  --  anywhere             255.255.255.255    udp dpts:bootps:bootpc
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '
bad_tcp_packets  tcp  --  anywhere             anywhere
icmp_packets  icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.1.1
ACCEPT     all  --  anywhere             192.168.0.1
ACCEPT     all  --  shastriweb           anywhere
ACCEPT     all  --  192.168.0.1          anywhere
ACCEPT     all  --  xxx.xxx.xxx.xxx       anywhere
ACCEPT     all  --  anywhere             xxx.xxx.xxx.xxx     state RELATED,ESTABLISHED
DROP       udp  --  anywhere             255.255.255.255    udp dpts:bootps:bootpc
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `IPT INPUT packet died: '

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
bad_tcp_packets  tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
allowed    tcp  --  anywhere             192.168.1.2        tcp dpt:http
icmp_packets  icmp --  anywhere             192.168.1.2
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '
bad_tcp_packets  tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
allowed    tcp  --  anywhere             192.168.1.2        tcp dpt:http
icmp_packets  icmp --  anywhere             192.168.1.2
allowed    tcp  --  anywhere             192.168.1.2        tcp dpt:domain
ACCEPT     udp  --  anywhere             192.168.1.2        udp dpt:domain
icmp_packets  icmp --  anywhere             192.168.1.2
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `IPT FORWARD packet died: '
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
bad_tcp_packets  tcp  --  anywhere             anywhere
ACCEPT     all  --  shastriweb           anywhere
ACCEPT     all  --  192.168.0.1          anywhere
ACCEPT     all  --  xxx.xxx.xxx.xxx       anywhere
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
bad_tcp_packets  tcp  --  anywhere             anywhere
ACCEPT     all  --  shastriweb           anywhere
ACCEPT     all  --  192.168.0.1          anywhere
ACCEPT     all  --  xxx.xxx.xxx.xxx       anywhere
LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level warning prefix `IPT OUTPUT packet died: '

Chain allowed (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere

Chain bad_tcp_packets (6 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere           tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
LOG        tcp  --  anywhere             anywhere           tcp flags:!SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn:'
DROP       tcp  --  anywhere             anywhere           tcp flags:!SYN,RST,ACK/SYN state NEW

Chain icmp_packets (5 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded


* Re: Setting up default policy to 'DROP' problem
  2004-02-02 14:01 Setting up default policy to 'DROP' problem ads nat
@ 2004-02-03 13:49 ` Jeffrey Laramie
  0 siblings, 0 replies; 7+ messages in thread
From: Jeffrey Laramie @ 2004-02-03 13:49 UTC (permalink / raw)
  To: netfilter

ads nat wrote:

> I have set up a DMZ firewall as per Oskar Andreasson's tutorial on the 
> Netfilter.org site.
>
> When I set the default policy to drop for the INPUT, OUTPUT and FORWARD 
> chains as mentioned in the tutorial, my connection drops.
> I am attaching my iptables rules listing.
> Is there anything wrong in the iptables rules?
> When I set the default to ACCEPT everything works fine.
> Help appreciated.
> Thanks
>

I've responded to your postings before, so I was hoping someone new 
might give this a shot. I know that you've been trying for months to get 
this configured, but you're having problems with the basics and you've 
still got a long way to go. Oskar's tutorial is a great place to start, 
but you may want to try reading some other documentation to see if it 
helps you. You may also want to look at using a tool like shorewall to 
help you create rules.

That said, I'll do what I can to help you. Try using: iptables -L -n -v 
-x > /var/log/iptables.report. Open up iptables.report in a text editor 
and turn off word wrap so you can see one rule on each line. When I 
review rules I make the font really small and print the ruleset out 
'landscape' oriented so I can see a whole rule printed out on a line.

Look at the number of packets hitting each rule. I think you'll be 
surprised where the packets are going. Remember that the rules are 
traversed from top to bottom in each ruleset. As soon as a packet 
matches a rule it stops (except logging) and doesn't go to the next rule 
in the chain. Try starting out with a new script and only a couple 
rules. Test the configuration and then use iptables -L -n -v -x again to 
see if the packets are going where you think they should. For more 
details you can also add logging rules then check /var/log/messages to 
see the packet flow in more detail. Once you have the basic routing 
working you can add the filtering rules back in. If you have problems 
post your new rules back to the list so we can see what you've done.

Good Luck

Jeff




* Re: Setting up default policy to 'DROP' problem
@ 2004-02-05  3:30 ads nat
  0 siblings, 0 replies; 7+ messages in thread
From: ads nat @ 2004-02-05  3:30 UTC (permalink / raw)
  To: JALaramie, netfilter


Thanks for the support.
As per your suggestions I have changed the rules as follows:

xxx.xxx.xxx.xxx is the 'tunnel0' tunnel IP.
yyy.yyy.yyy.yyy is the 'eth0' Internet IP.
192.168.0.1 is the 'eth1' LAN IP.

I want to set up rules for the LAN first, and after getting through with this I 
will set up rules for the DMZ 'eth2'.

***************
-A INPUT -s xxx.xxx.xxx.xxx -p icmp -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -d 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
-A INPUT -d yyy.yyy.yyy.yyy -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j LOG --log-prefix " ?????? Last INPUT RULE:"
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i tunnel0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp -j ACCEPT
-A OUTPUT -o tunnel0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp -j LOG --log-prefix "***** OUTPUT LAST:"

**************

-A INPUT -s xxx.xxx.xxx.xxx -p icmp -j ACCEPT

This rule is required since my ISP wants to check continuously whether the 
connection is down due to the cable or any other reason.

I am not getting any messages from the OUTPUT chain in the logs.

Now when I set the default policy for OUTPUT to drop, the connection goes 
down.

What could the problem be?

Thanks for support.

>From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
>To: netfilter@lists.netfilter.org
>Subject: Re: Setting up default policy to 'DROP' problem
>Date: Wed, 04 Feb 2004 09:52:28 -0500
>
>ads nat wrote:
>
>>Hi,
>>It's working.
>>It was my fault.
>>I am getting Internet bandwidth through iptunnel. IP address of tunnel and 
>>my eth0 is different. I was giving access to INPUT for eth0  IP and not 
>>for IP of tunnel which is my Internet IP.
>>Your suggestion of using log at the end of INPUT rule has given this hit.
>>Thanks for support.
>>
>Glad it's working, you're making progress.  :-)  I made a couple of 
>suggestions below.
>
>Jeff
>
>>
>>
>>>From: "ads nat" <adsnat@hotmail.com>
>>>To: adsnat@hotmail.com, JALaramie@Loudoun-Fairfax.com, 
>>>netfilter@lists.netfilter.org
>>>Subject: Re: Setting up default policy to 'DROP' problem
>>>Date: Wed, 04 Feb 2004 08:26:13 +0530
>>>
>>>Following are my iptable rules
>>>
>>>xxx.xxx.xxx.xxx is internet ip.
>>>eth0 internet interface
>>>eth1 lan interface
>>>
>>>*******************
>>>*nat
>>>:PREROUTING ACCEPT [678915:47234902]
>>>:POSTROUTING ACCEPT [36934:2160799]
>>>:OUTPUT ACCEPT [35607:2143032]
>>>-A POSTROUTING -o tunnel0 -j MASQUERADE
>>>COMMIT
>>># Completed on Wed Feb  4 08:15:38 2004
>>># Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
>>>*mangle
>>>:PREROUTING ACCEPT [15137995:7366304630]
>>>:INPUT ACCEPT [5934119:3407840707]
>>>:FORWARD ACCEPT [9046926:3942957156]
>>>:OUTPUT ACCEPT [5005001:930279054]
>>>:POSTROUTING ACCEPT [14042840:4872546468]
>>>COMMIT
>>># Completed on Wed Feb  4 08:15:38 2004
>>># Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
>>>*filter
>>>:INPUT DROP [6317:1242856]
>>>:FORWARD DROP [107:11548]
>>>:OUTPUT ACCEPT [841:137965]
>>>-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>>>-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>-A INPUT -d 127.0.0.1 -i lo -j ACCEPT
>>
>
>I don't think this rule does anything.
>
>>>-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
>>>-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
>>>-A INPUT -s xxx.xxx.xxx.xxx -i lo -j ACCEPT
>>>-A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j 
>>>ACCEPT
>>
>
>Except for the loopback entries the INPUT rules don't differentiate between 
>interfaces. You may want to have different rules for eth0 and eth1. In 
>particular your first rule lets a lot of stuff in from the outside that you 
>may not want.
>
>>>-A FORWARD -i eth1 -j ACCEPT
>>>-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>-A FORWARD -i eth0 -o eth1 -j ACCEPT
>>>-A FORWARD -i eth1 -o eth2 -j ACCEPT
>>
>
>You don't identify eth2 anywhere else. Is this to the dmz?
>
>>>-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
>>>-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
>>>-A OUTPUT -s 127.0.0.1 -j ACCEPT
>>>-A OUTPUT -s 192.168.0.1 -j ACCEPT
>>>-A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT
>>
>
>These are all ACCEPT rules and your default OUTPUT policy is accept. You 
>should either delete these rules or change the default policy.
>
>>>COMMIT
>>
>
>
>



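The chain semantics Jeff describes in his first reply (rules walked top to bottom, the first match decides, LOG falls through, no match means the chain policy) applied to the OUTPUT rules posted above. This is an added Python stand-in for the evaluation iptables itself performs, not code from the thread or from netfilter; it assumes the 'tunnel0' interface named above, uses constructed packets, and the tighter OUTPUT chain at the end is my suggestion, not Jeff's.

```python
"""Mini evaluator for the chain semantics Jeff describes: rules are walked top to
bottom, the first terminal match decides, LOG only records and falls through, and
no match means the chain policy. Knows only -i -o -p --dport --state -j --log-prefix."""
import shlex
from dataclasses import dataclass, field

FIELD = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport"}

@dataclass
class Rule:
    chain: str
    target: str = ""
    opts: dict = field(default_factory=dict)  # match criteria, e.g. {"-o": "lo"}
    prefix: str = ""                          # --log-prefix of a LOG rule
    packets: int = 0                          # the pkts column of -L -n -v -x

def parse_rules(save_text):
    """Parse '-A CHAIN ... -j TARGET' lines written in iptables-save style."""
    rules = []
    for line in (ln for ln in save_text.splitlines() if ln.startswith("-A ")):
        toks = shlex.split(line)                 # keeps the quoted log prefix whole
        r = Rule(chain=toks[1])
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt == "-j":
                r.target = val
            elif opt in FIELD:
                r.opts[opt] = val
            elif opt == "--state":
                r.opts[opt] = set(val.split(","))
            elif opt == "--log-prefix":
                r.prefix = val
            elif opt != "-m":                    # '-m tcp'/'-m state' only load a module
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules.append(r)
    return rules

def matches(rule, pkt):
    """True when every criterion on the rule is satisfied by the packet."""
    for opt, want in rule.opts.items():
        if opt == "--state":
            if pkt["state"] not in want:
                return False
        elif str(pkt.get(FIELD[opt])) != want:
            return False
    return True

def evaluate(rules, policies, chain, pkt):
    """Walk one chain; return (verdict, list of LOG prefixes that fired)."""
    logged = []
    for r in (r for r in rules if r.chain == chain and matches(r, pkt)):
        r.packets += 1                  # the counter Jeff says to look at
        if r.target == "LOG":
            logged.append(r.prefix)     # non-terminating: keep walking
        else:
            return r.target, logged     # first ACCEPT/DROP/REJECT match wins
    return policies[chain], logged      # fell off the end: chain policy applies

# The OUTPUT rules as posted: only TCP is accepted, and the LOG rule at the
# end is itself limited to TCP, so a dropped UDP packet leaves no trace.
POSTED_OUTPUT = """\
-A OUTPUT -o lo -p tcp -m tcp -j ACCEPT
-A OUTPUT -o tunnel0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp -j LOG --log-prefix "***** OUTPUT LAST:"
"""

# A tighter OUTPUT chain (my suggestion, not from the thread): loopback and reply
# traffic first, then the firewall's own DNS/TCP/ICMP out the tunnel, and a final
# LOG with no protocol filter so every drop is visible in /var/log/messages.
FIXED_OUTPUT = """\
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tunnel0 -p udp --dport 53 -j ACCEPT
-A OUTPUT -o tunnel0 -p tcp -j ACCEPT
-A OUTPUT -o tunnel0 -p icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPT OUTPUT died: "
"""

def pkt(out, proto, dport, state="NEW"):
    # A constructed locally generated packet, as the OUTPUT chain sees it.
    return {"out": out, "proto": proto, "dport": dport, "state": state}

PACKETS = {"dns": pkt("tunnel0", "udp", 53),    # the firewall's own DNS lookup
           "web": pkt("tunnel0", "tcp", 80),    # a web fetch from the firewall
           "stray": pkt("eth0", "udp", 123)}    # NTP leaving via eth0 instead

def run(ruleset_text, packets=PACKETS, policy="DROP"):
    """Send each packet through OUTPUT under the given policy; return the verdicts
    and the per-rule hit counts, which is what 'iptables -L -n -v -x' would show."""
    rules = parse_rules(ruleset_text)
    verdicts = {name: evaluate(rules, {"OUTPUT": policy}, "OUTPUT", p)
                for name, p in packets.items()}
    return verdicts, [r.packets for r in rules]

if __name__ == "__main__":
    print("posted:", run(POSTED_OUTPUT), "fixed:", run(FIXED_OUTPUT), sep="\n")
```

With policy DROP the posted chain drops the firewall's own UDP DNS query without logging it, which matches both symptoms reported above; with policy ACCEPT the same packet passes, which is why everything worked before the policy change.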


* Re: Setting up default policy to 'DROP' problem
  2004-02-04  5:26 ads nat
@ 2004-02-04 14:52 ` Jeffrey Laramie
  0 siblings, 0 replies; 7+ messages in thread
From: Jeffrey Laramie @ 2004-02-04 14:52 UTC (permalink / raw)
  To: netfilter

ads nat wrote:

> Hi,
> It's working.
> It was my fault.
> I am getting Internet bandwidth through iptunnel. IP address of tunnel 
> and my eth0 is different. I was giving access to INPUT for eth0  IP 
> and not for IP of tunnel which is my Internet IP.
> Your suggestion of using log at the end of INPUT rule has given this hit.
> Thanks for support.
>
Glad it's working, you're making progress.  :-)  I made a couple of 
suggestions below.

Jeff

>
>
>> From: "ads nat" <adsnat@hotmail.com>
>> To: adsnat@hotmail.com, JALaramie@Loudoun-Fairfax.com, 
>> netfilter@lists.netfilter.org
>> Subject: Re: Setting up default policy to 'DROP' problem
>> Date: Wed, 04 Feb 2004 08:26:13 +0530
>>
>> Following are my iptable rules
>>
>> xxx.xxx.xxx.xxx is internet ip.
>> eth0 internet interface
>> eth1 lan interface
>>
>> *******************
>> *nat
>> :PREROUTING ACCEPT [678915:47234902]
>> :POSTROUTING ACCEPT [36934:2160799]
>> :OUTPUT ACCEPT [35607:2143032]
>> -A POSTROUTING -o tunnel0 -j MASQUERADE
>> COMMIT
>> # Completed on Wed Feb  4 08:15:38 2004
>> # Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
>> *mangle
>> :PREROUTING ACCEPT [15137995:7366304630]
>> :INPUT ACCEPT [5934119:3407840707]
>> :FORWARD ACCEPT [9046926:3942957156]
>> :OUTPUT ACCEPT [5005001:930279054]
>> :POSTROUTING ACCEPT [14042840:4872546468]
>> COMMIT
>> # Completed on Wed Feb  4 08:15:38 2004
>> # Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
>> *filter
>> :INPUT DROP [6317:1242856]
>> :FORWARD DROP [107:11548]
>> :OUTPUT ACCEPT [841:137965]
>> -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>> -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -d 127.0.0.1 -i lo -j ACCEPT
>

I don't think this rule does anything.

>> -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
>> -A INPUT -s 192.168.0.1 -i lo -j ACCEPT
>> -A INPUT -s xxx.xxx.xxx.xxx -i lo -j ACCEPT
>> -A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j 
>> ACCEPT
>

Except for the loopback entries the INPUT rules don't differentiate 
between interfaces. You may want to have different rules for eth0 and 
eth1. In particular your first rule lets a lot of stuff in from the 
outside that you may not want.

>> -A FORWARD -i eth1 -j ACCEPT
>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i eth0 -o eth1 -j ACCEPT
>> -A FORWARD -i eth1 -o eth2 -j ACCEPT
>

You don't identify eth2 anywhere else. Is this to the dmz?

>> -A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
>> -A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
>> -A OUTPUT -s 127.0.0.1 -j ACCEPT
>> -A OUTPUT -s 192.168.0.1 -j ACCEPT
>> -A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT
>

These are all ACCEPT rules and your default OUTPUT policy is accept. You 
should either delete these rules or change the default policy.

>> COMMIT
>





* Re: Setting up default policy to 'DROP' problem
@ 2004-02-04  5:26 ads nat
  2004-02-04 14:52 ` Jeffrey Laramie
  0 siblings, 1 reply; 7+ messages in thread
From: ads nat @ 2004-02-04  5:26 UTC (permalink / raw)
  To: adsnat, JALaramie, netfilter

Hi,
It's working.
It was my fault.
I am getting Internet bandwidth through an iptunnel. The IP address of the tunnel and 
that of my eth0 are different. I was giving INPUT access for the eth0 IP and not for 
the IP of the tunnel, which is my Internet IP.
Your suggestion of using a log at the end of the INPUT rules has given this hit.
Thanks for the support.



>From: "ads nat" <adsnat@hotmail.com>
>To: adsnat@hotmail.com, JALaramie@Loudoun-Fairfax.com, 
>netfilter@lists.netfilter.org
>Subject: Re: Setting up default policy to 'DROP' problem
>Date: Wed, 04 Feb 2004 08:26:13 +0530
>
>Following are my iptable rules
>
>xxx.xxx.xxx.xxx is internet ip.
>eth0 internet interface
>eth1 lan interface
>
>*******************
>*nat
>:PREROUTING ACCEPT [678915:47234902]
>:POSTROUTING ACCEPT [36934:2160799]
>:OUTPUT ACCEPT [35607:2143032]
>-A POSTROUTING -o tunnel0 -j MASQUERADE
>COMMIT
># Completed on Wed Feb  4 08:15:38 2004
># Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
>*mangle
>:PREROUTING ACCEPT [15137995:7366304630]
>:INPUT ACCEPT [5934119:3407840707]
>:FORWARD ACCEPT [9046926:3942957156]
>:OUTPUT ACCEPT [5005001:930279054]
>:POSTROUTING ACCEPT [14042840:4872546468]
>COMMIT
># Completed on Wed Feb  4 08:15:38 2004
># Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
>*filter
>:INPUT DROP [6317:1242856]
>:FORWARD DROP [107:11548]
>:OUTPUT ACCEPT [841:137965]
>-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A INPUT -d 127.0.0.1 -i lo -j ACCEPT
>-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
>-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
>-A INPUT -s xxx.xxx.xxx.xxx -i lo -j ACCEPT
>-A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A FORWARD -i eth1 -j ACCEPT
>-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>-A FORWARD -i eth0 -o eth1 -j ACCEPT
>-A FORWARD -i eth1 -o eth2 -j ACCEPT
>-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
>-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
>-A OUTPUT -s 127.0.0.1 -j ACCEPT
>-A OUTPUT -s 192.168.0.1 -j ACCEPT
>-A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT
>COMMIT
>
>
>*********************
>
>With these rules LAN users can access the internet, but from the server I cannot 
>access the internet. I get the error "resolving host".
>
>Help me to solve this problem.
>
>Thanks for support.
>
>
>>From: "ads nat" <adsnat@hotmail.com>
>>To: JALaramie@Loudoun-Fairfax.com, netfilter@lists.netfilter.org
>>Subject: Re: Setting up default policy to 'DROP' problem
>>Date: Tue, 03 Feb 2004 21:23:04 +0530
>>
>>I really appreciate your support and feelings to help others.
>>
>>With your support I have succeeded in setting up default policy drop for 
>>INPUT, OUTPUT and FORWARD. Will post rules soon.
>>
>>I know I have taken long time to understand this technology. But I can not 
>>rush until I get my fundas clear.
>>Once again Thanks for support.
>>
>>
>>>From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
>>>To: netfilter@lists.netfilter.org
>>>Subject: Re: Setting up default policy to 'DROP' problem
>>>Date: Tue, 03 Feb 2004 08:49:39 -0500
>>>
>>>ads nat wrote:
>>>
>>>>I have set up a DMZ firewall as per Oskar Andreasson's tutorial on the 
>>>>Netfilter.org site.
>>>>
>>>>When I set up default policy to drop for INPUT, OUTPUT and FORWARD 
>>>>chains as mentioned in the tutorial my connection drops.
>>>>I am attaching my iptables rules listing.
>>>>Is there anything wrong in the IPtable rules.
>>>>When I setup default to ACCEPT everything works fine.
>>>>Help appreciated.
>>>>Thanks
>>>>
>>>
>>>I've responded to your postings before, so I was hoping someone new might 
>>>give this a shot. I know that you've been trying for months to get this 
>>>configured, but you're having problems with the basics and you've still 
>>>got a long way to go. Oskar's tutorial is a great place to start, but you 
>>>may want to try reading some other documentation to see if it helps you. 
>>>You may also want to look at using a tool like shorewall to help you 
>>>create rules.
>>>
>>>That said, I'll do what I can to help you. Try using: iptables -L -n -v 
>>>-x > /var/log/iptables.report. Open up iptables.report in a text editor 
>>>and turn off word wrap so you can see one rule on each line. When I 
>>>review rules I make the font really small and print the ruleset out 
>>>'landscape' oriented so I can see a whole rule printed out on a line.
>>>
>>>Look at the number of packets hitting each rule. I think you'll be 
>>>surprised where the packets are going. Remember that the rules are 
>>>traversed from top to bottom in each ruleset. As soon as a packet 
>>>matches a rule it stops (except logging) and doesn't go to the next rule 
>>>in the chain. Try starting out with a new script and only a couple rules. 
>>>Test the configuration and then use iptables -L -n -v -x again to see if 
>>>the packets are going where you think they should. For more details you 
>>>can also add logging rules then check /var/log/messages to see the packet 
>>>flow in more detail. Once you have the basic routing working you can add 
>>>the filtering rules back in. If you have problems post your new rules 
>>>back to the list so we can see what you've done.
>>>
>>>Good Luck
>>>
>>>Jeff
>>>
>>>
>>




* Re: Setting up default policy to 'DROP' problem
@ 2004-02-04  2:56 ads nat
  0 siblings, 0 replies; 7+ messages in thread
From: ads nat @ 2004-02-04  2:56 UTC (permalink / raw)
  To: adsnat, JALaramie, netfilter

Following are my iptable rules

xxx.xxx.xxx.xxx is internet ip.
eth0 internet interface
eth1 lan interface

*******************
*nat
:PREROUTING ACCEPT [678915:47234902]
:POSTROUTING ACCEPT [36934:2160799]
:OUTPUT ACCEPT [35607:2143032]
-A POSTROUTING -o tunnel0 -j MASQUERADE
COMMIT
# Completed on Wed Feb  4 08:15:38 2004
# Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
*mangle
:PREROUTING ACCEPT [15137995:7366304630]
:INPUT ACCEPT [5934119:3407840707]
:FORWARD ACCEPT [9046926:3942957156]
:OUTPUT ACCEPT [5005001:930279054]
:POSTROUTING ACCEPT [14042840:4872546468]
COMMIT
# Completed on Wed Feb  4 08:15:38 2004
# Generated by iptables-save v1.2.7a on Wed Feb  4 08:15:38 2004
*filter
:INPUT DROP [6317:1242856]
:FORWARD DROP [107:11548]
:OUTPUT ACCEPT [841:137965]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx -i lo -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT
COMMIT


*********************

With these rules LAN users can access the internet, but from the server I cannot 
access the internet. I get the error "resolving host".

Help me to solve this problem.

Thanks for support.


>From: "ads nat" <adsnat@hotmail.com>
>To: JALaramie@Loudoun-Fairfax.com, netfilter@lists.netfilter.org
>Subject: Re: Setting up default policy to 'DROP' problem
>Date: Tue, 03 Feb 2004 21:23:04 +0530
>
>I really appreciate your support and feelings to help others.
>
>With your support I have succeeded in setting up default policy drop for 
>INPUT, OUTPUT and FORWARD. Will post rules soon.
>
>I know I have taken long time to understand this technology. But I can not 
>rush until I get my fundas clear.
>Once again Thanks for support.
>
>
>>From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
>>To: netfilter@lists.netfilter.org
>>Subject: Re: Setting up default policy to 'DROP' problem
>>Date: Tue, 03 Feb 2004 08:49:39 -0500
>>
>>ads nat wrote:
>>
>>>I have set up a DMZ firewall as per Oskar Andreasson's tutorial on the Netfilter.org 
>>>site.
>>>
>>>When I set up default policy to drop for INPUT, OUTPUT and FORWARD chains 
>>>as mentioned in the tutorial my connection drops.
>>>I am attaching my iptables rules listing.
>>>Is there anything wrong in the IPtable rules.
>>>When I setup default to ACCEPT everything works fine.
>>>Help appreciated.
>>>Thanks
>>>
>>
>>I've responded to your postings before, so I was hoping someone new might 
>>give this a shot. I know that you've been trying for months to get this 
>>configured, but you're having problems with the basics and you've still 
>>got a long way to go. Oskar's tutorial is a great place to start, but you 
>>may want to try reading some other documentation to see if it helps you. 
>>You may also want to look at using a tool like shorewall to help you 
>>create rules.
>>
>>That said, I'll do what I can to help you. Try using: iptables -L -n -v -x 
>> > /var/log/iptables.report. Open up iptables.report in a text editor and 
>>turn off word wrap so you can see one rule on each line. When I review 
>>rules I make the font really small and print the ruleset out 'landscape' 
>>oriented so I can see a whole rule printed out on a line.
>>
>>Look at the number of packets hitting each rule. I think you'll be 
>>surprised where the packets are going. Remember that the rules are 
>>traversed from top to bottom in each ruleset. As soon as a packet 
>>matches a rule it stops (except logging) and doesn't go to the next rule 
>>in the chain. Try starting out with a new script and only a couple rules. 
>>Test the configuration and then use iptables -L -n -v -x again to see if 
>>the packets are going where you think they should. For more details you 
>>can also add logging rules then check /var/log/messages to see the packet 
>>flow in more detail. Once you have the basic routing working you can add 
>>the filtering rules back in. If you have problems post your new rules back 
>>to the list so we can see what you've done.
>>
>>Good Luck
>>
>>Jeff
>>
>>
>




* Re: Setting up default policy to 'DROP' problem
@ 2004-02-03 15:53 ads nat
  0 siblings, 0 replies; 7+ messages in thread
From: ads nat @ 2004-02-03 15:53 UTC (permalink / raw)
  To: JALaramie, netfilter

I really appreciate your support and feelings to help others.

With your support I have succeeded in setting up the default policy drop for 
INPUT, OUTPUT and FORWARD. Will post rules soon.

I know I have taken a long time to understand this technology. But I cannot 
rush until I get my fundas clear.
Once again, thanks for the support.


>From: Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>
>To: netfilter@lists.netfilter.org
>Subject: Re: Setting up default policy to 'DROP' problem
>Date: Tue, 03 Feb 2004 08:49:39 -0500
>
>ads nat wrote:
>
>>I have set up a DMZ firewall as per Oskar Andreasson's tutorial on the Netfilter.org 
>>site.
>>
>>When I set up default policy to drop for INPUT, OUTPUT and FORWARD chains 
>>as mentioned in the tutorial my connection drops.
>>I am attaching my iptables rules listing.
>>Is there anything wrong in the IPtable rules.
>>When I setup default to ACCEPT everything works fine.
>>Help appreciated.
>>Thanks
>>
>
>I've responded to your postings before, so I was hoping someone new might 
>give this a shot. I know that you've been trying for months to get this 
>configured, but you're having problems with the basics and you've still got 
>a long way to go. Oskar's tutorial is a great place to start, but you may 
>want to try reading some other documentation to see if it helps you. You 
>may also want to look at using a tool like shorewall to help you create 
>rules.
>
>That said, I'll do what I can to help you. Try using: iptables -L -n -v -x 
> > /var/log/iptables.report. Open up iptables.report in a text editor and 
>turn off word wrap so you can see one rule on each line. When I review 
>rules I make the font really small and print the ruleset out 'landscape' 
>oriented so I can see a whole rule printed out on a line.
>
>Look at the number of packets hitting each rule. I think you'll be 
>surprised where the packets are going. Remember that the rules are 
>traversed from top to bottom in each ruleset. As soon as a packet matches 
>a rule it stops (except logging) and doesn't go to the next rule in the 
>chain. Try starting out with a new script and only a couple rules. Test the 
>configuration and then use iptables -L -n -v -x again to see if the packets 
>are going where you think they should. For more details you can also add 
>logging rules then check /var/log/messages to see the packet flow in more 
>detail. Once you have the basic routing working you can add the filtering 
>rules back in. If you have problems post your new rules back to the list so 
>we can see what you've done.
>
>Good Luck
>
>Jeff
>
>




