At 7:24 AM +0000 19/10/00, Peter Kiem wrote:
>Hi Dan,
>
>> /var/log/messages:Oct 18 14:50:54 FireWall kernel: Packet log: input
>> DENY ppp0 PROTO=17 the.remote.ip.address:55833
>> our.server.ip.address:61533 L=40 S=0x00 I=60941 F=0x4000 T=247 (#22)
>
>I think what you are seeing is this.
>When you set up the firewall to masquerade the connections for you it is the
>firewall that the outside computers are talking to.  Instead of denying all
>traffic to the firewall you need to allow replies that are directed to your
>firewall.

well - as far as I know I have my ipchains set up as such... I don't think I'm 
blocking returning masqueraded traffic - masquerading seems to be working fine anyhow!

here's my ipchains -L:


Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.2.0/24       anywhere              n/a
ACCEPT     all  ------  localhost            localhost             n/a
DENY       tcp  -y--l-  anywhere             ppp0.ip.address       any ->   1024:65535
ACCEPT     tcp  ------  anywhere             ppp0.ip.address       any ->   1024:65535
ACCEPT     tcp  ------  anywhere             ppp0.ip.address       any ->   smtp
ACCEPT     icmp ------  anywhere             anywhere              any ->   any
ACCEPT     tcp  ------  anywhere             ppp0.ip.address       any ->   www
ACCEPT     udp  ------  ppp0.ip.address      anywhere              icp ->   icp
ACCEPT     udp  ------  anywhere             ppp0.ip.address       icp ->   icp
ACCEPT     tcp  ------  ppp0.ip.address      ppp0.ip.address       any ->   any
ACCEPT     tcp  ------  192.168.2.0/24       anywhere              pop-3 ->   any
ACCEPT     udp  ------  192.168.2.0/24       anywhere              pop-3 ->   any
ACCEPT     tcp  ------  anywhere             anywhere              any ->   ssh
ACCEPT     tcp  ------  anywhere             anywhere              ssh ->   tcpmux:1023
ACCEPT     tcp  ------  ns.nitro.com.au      ppp0.ip.address       domain ->   1024:65535
ACCEPT     udp  ------  ns.nitro.com.au      ppp0.ip.address       domain ->   1024:65535
ACCEPT     udp  ------  anywhere             ppp0.ip.address       1024:65535 ->   domain
ACCEPT     udp  ------  anywhere             ppp0.ip.address       domain ->   1024:65535
ACCEPT     udp  ------  anywhere             ppp0.ip.address       domain ->   domain
ACCEPT     udp  ------  ppp0.ip.address      anywhere              domain ->   domain
ACCEPT     tcp  ------  anywhere             anywhere              any ->   ntp
ACCEPT     udp  ------  anywhere             anywhere              any ->   ntp
REJECT     tcp  ------  anywhere             anywhere              any ->   auth
DENY       all  ----l-  anywhere             anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       tcp  ------  192.168.2.0/24       anywhere              any ->   any
MASQ       udp  ------  192.168.2.0/24       anywhere              any ->   any
Chain output (policy ACCEPT):

> > It's interesting the way the port numbers get bumped up each time,
>
>A good indication it is the masqueraded traffic that is being denied.

ok - but the strange thing is that this is happening with only two IP addresses... and 
masquerading seems to be working fine. I noticed that the firewall rules you posted 
before were TCP related - but the packets being rejected are UDP... should I just be 
adding a rule to allow UDP in a similar fashion to the TCP one you have set? AFAIK 
there's no point in setting up a rule allowing SYN packets with UDP 'cos SYN is TCP 
only?

I'm kinda hesitant to just add a rule allowing the traffic without knowing what it's 
about first!

> > a) can someone provide me with an explanation of what's going on here?
>
>Did I help? *grin*


definitely - just need a bit of discussion to get the grey matter working! :)

> > b) can someone elaborate or point me in the direction of some docs to
> > help me decode the ipchains output a bit better. I'm interested in
>> the stats listed after our.server.ip.address... ie.  L=40 S=0x00
>> I=60941 F=0x4000 T=247 (#22)
>
>There was an IP-Chains howto I believe that addressed this.  Could try
>looking on www.linuxdoc.org for that howto.

hmm.. I had been going through man pages and neglected to think of looking for a HOWTO 
- will have to have a read over the weekend!


> > c) can someone point me towards a list where it would be more
>> appropriate posting such discussions.
>
>Can't think of anywhere better than here

excellent! me too! :)

got to go home now with a cut thumb (and stitches) which is making it very hard to 
type... will get back onto this one over the weekend!

cheers, and thanks for the thoughts!

- dan.
-- 

        Nitro - 3D Visualisation, Graphics & Animation
                Ph (+61 2) 9810 5177 - Fx (+61 2) 9810 0199
                        http://www.nitro.com.au/

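As an added example (not part of the thread), a small Python parser for the 2.2 kernel's ipchains "Packet log:" line format that names the fields Dan asks about (L=total length, S=TOS, I=IP ID, F=fragment flags/offset with 0x4000 meaning Don't Fragment, T=TTL, #n=rule that matched) and flags a denied input packet whose destination port falls in the kernel's masquerade port range, which is the pattern Peter describes; the sample line and its addresses are constructed, not taken from Dan's log.

```python
import re

# Field layout of an ipchains "Packet log:" line (kernel 2.2), as documented in the
# IPCHAINS-HOWTO: L=total length, S=TOS, I=IP ID, F=fragment word (flags + offset,
# 0x4000 = Don't Fragment), T=TTL, (#n) = number of the rule that matched.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Source-port range the 2.2 masquerading code rewrites outgoing connections into
# (PORT_MASQ_BEGIN..PORT_MASQ_END); replies come back addressed to these ports.
MASQ_PORTS = range(61000, 65096 + 1)

def parse_ipchains_log(line):
    """Decode one syslog line; return a dict of named fields or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)
    return {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["len"]), "tos": int(d["tos"], 16), "ip_id": int(d["ipid"]),
        "dont_fragment": bool(frag & 0x4000),   # DF bit
        "more_fragments": bool(frag & 0x2000),  # MF bit
        "frag_offset": frag & 0x1FFF,           # offset in 8-byte units
        "ttl": int(d["ttl"]), "rule": int(d["rule"]),
    }

def looks_like_masq_reply(pkt):
    """A DENY on the input chain whose destination port is in the masquerade
    range is most likely the return half of a masqueraded connection."""
    return (pkt is not None and pkt["chain"] == "input"
            and pkt["target"] == "DENY" and pkt["dport"] in MASQ_PORTS)

# Constructed sample in the same layout as the line quoted in the thread,
# using documentation addresses instead of real ones.
SAMPLE = ("Oct 18 14:50:54 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 "
          "203.0.113.5:55833 198.51.100.7:61533 L=40 S=0x00 I=60941 F=0x4000 T=247 (#22)")

if __name__ == "__main__":
    pkt = parse_ipchains_log(SAMPLE)
    print(pkt)
    print("looks like masqueraded reply:", looks_like_masq_reply(pkt))
```

If the classification holds for the denied lines, the usual remedy is an input-chain rule accepting UDP on ppp0 to that port range (for example `ipchains -A input -i ppp0 -p udp -d ppp0.ip.address 61000:65096 -j ACCEPT`) rather than widening the wildcard rules.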