Hi Ralph, and thanks for your reply.

On 26/03/18 13:08, Ralph Ronnquist wrote:
> John Crisp wrote on 26/03/18 19:37:
>> Two questions.
>>
>> Is it better like this or should I use iptables-persistent ?
>
> I would suggest that this approach has the advantage of raising the
> firewall immediately with bringing up the interface. When using
> iptables-persistent, it would be brought up with a delay and after IP
> assignment, which leaves a small temporal window of no firewall. On the
> other hand, that window is only of concern when the system has some
> early (earlier) starting services that need intrusion protection. So in
> most cases it's of no difference.
OK - at least I know !

>> Secondly it appears that iptables are getting loaded before the dhclient
>> transaction has completed and the interface then does not get the IP
>> information from the upstream server.
>>
>> As I only have a single web-based terminal to work from on boot I can't
>> run a tcpdump to see what is happening with packets !!
>>
>> Any suggestions appreciated.
>
> I think you'll also need the "-A INPUT -i lo -j ACCEPT" rule, and
> possibly you should allow some/all icmp packets as well.
>

I actually have the ICMP rules, but just noted the bits I thought most
relevant.

I did have this but changed it to your version, to no avail:

-A INPUT ! -i eth0 -j ACCEPT

I've managed to do a static IP setup so the problem has gone, but it's
annoying not knowing what I was missing!

Complete table rules as follows for reference. Any more ideas appreciated !

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow DHCP ?
-A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Allow tunnel out forward
-A FORWARD -o tun+ -j ACCEPT
# Allow tunnel in forward
-A FORWARD -i tun+ -j ACCEPT
# Allow tunnel out
-A OUTPUT -o tun+ -j ACCEPT
# Allow tunnel in
-A INPUT -i tun+ -j ACCEPT
# Allow DNS
-A INPUT -p udp -m udp -i tun+ --dport 53 -j ACCEPT
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# -A INPUT -i lo -j ACCEPT
# -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
# Allow connections to ssh
-A INPUT -p tcp -m tcp --dport 2233 -j ACCEPT
# Allow connections to auth
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow connections to webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Allow connections to openvpn
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
# Logging
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
# pre Route OpenVPN
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
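A way to check offline which packets the posted INPUT chain would accept, added here as an example and not part of John's or Ralph's messages. It is a small evaluator for the iptables-save subset the ruleset uses (interface match with "!" and the "tun+" wildcard, protocol, port ranges, conntrack state, tcp-flags, a user chain with a non-terminating LOG target, and the built-in chain policy); the ruleset copied into it is the INPUT and LOGGING part of the table above with comments stripped, and the sample packets are constructed.

```python
"""Offline evaluator (constructed, not from the thread) for the iptables-save
subset used in the posted INPUT and LOGGING chains, copied here without comments."""
import shlex

RULESET = """
:INPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2233 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
"""
TWO_ARG = ("-i", "-p", "--dport", "--sport", "--state")

def parse_rule(toks):
    """Tokens after '-A CHAIN' -> {'match': {option: (negated, value)}, 'target': name}."""
    rule, i, neg = {"match": {}, "target": None}, 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            neg, i = True, i + 1
        elif t == "-j":
            rule["target"], i = toks[i + 1], i + 2
        elif t == "--tcp-flags":                # two arguments: mask and compare set
            rule["match"][t], neg, i = (neg, (toks[i + 1], toks[i + 2])), False, i + 3
        elif t in TWO_ARG:
            rule["match"][t], neg, i = (neg, toks[i + 1]), False, i + 2
        elif t in ("-m", "--limit", "--log-prefix"):
            i += 2                              # module loaders and LOG/limit options do not affect the verdict
        else:
            i += 1
    return rule

def parse_ruleset(text):
    chains, policies = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):                # ":CHAIN POLICY [pkts:bytes]"; '-' marks a user chain
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], (None if policy == "-" else policy)
        elif line.startswith("-A"):
            toks = shlex.split(line)            # keeps the quoted --log-prefix as one token
            chains.setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return chains, policies

def _port_ok(spec, port):                       # "53" or a range such as "67:68"
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    for opt, (neg, val) in rule["match"].items():
        if opt == "-i":                         # "tun+" is a prefix wildcard
            hit = pkt["iface"].startswith(val[:-1]) if val.endswith("+") else pkt["iface"] == val
        elif opt in ("--dport", "--sport"):
            hit = _port_ok(val, pkt.get(opt[2:], -1))
        elif opt == "--tcp-flags":              # (flags & mask) == compare
            mask, comp = (set(v.split(",")) for v in val)
            hit = (pkt.get("tcp_flags", set()) & mask) == comp
        elif opt == "-p":
            hit = pkt["proto"] == val
        else:                                   # --state takes a comma-separated list
            hit = pkt["state"] in val.split(",")
        if hit == neg:                          # '!' succeeds exactly when the plain test fails
            return False
    return True

def verdict(chains, policies, pkt, chain="INPUT"):
    """First terminating match wins; LOG is non-terminating; a user chain that
    reaches its end returns to the caller; the built-in policy decides the rest."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in ("ACCEPT", "DROP", "REJECT"):
            return tgt
        if tgt in chains:                       # jump into a user-defined chain such as LOGGING
            sub = verdict(chains, policies, pkt, tgt)
            if sub is not None:
                return sub
    return policies.get(chain)

CHAINS, POLICIES = parse_ruleset(RULESET)

def check(pkt):
    return verdict(CHAINS, POLICIES, pkt)

# Constructed packets: a DHCP OFFER on eth0, a loopback datagram, a SYN to port 80, a bare ACK to port 80.
SAMPLES = {
    "dhcp_offer": {"iface": "eth0", "proto": "udp", "sport": 67, "dport": 68, "state": "NEW"},
    "loopback": {"iface": "lo", "proto": "udp", "sport": 40000, "dport": 53, "state": "NEW"},
    "http_syn": {"iface": "eth0", "proto": "tcp", "sport": 50001, "dport": 80, "state": "NEW", "tcp_flags": {"SYN"}},
    "bare_ack": {"iface": "eth0", "proto": "tcp", "sport": 50002, "dport": 80, "state": "INVALID", "tcp_flags": {"ACK"}},
}
```

Calling check() on each sample gives ACCEPT for the DHCP OFFER (the 67:68 rule), ACCEPT for loopback (the "! -i eth0" rule), and DROP for the SYN to port 80 after it passes through LOGGING. It also shows that the "--tcp-flags ACK ACK" rule accepts any TCP segment with ACK set, whatever its port or conntrack state, so the port-specific TCP rules below it only ever decide SYNs. The evaluator models the INPUT chain alone; dhclient's own packet-socket path for the initial exchange lies outside it.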
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng