  #1 (Just Joined!, Join Date May 2007, Posts 4)

    IPTables blocks all incoming traffic from other networks

    My DNS server has a Firestarter firewall. When the firewall runs, only addresses on the same network as the DNS server can get a response from DNS/FTP/SSH. When I boot without the firewall, anyone can access them, as well as everything else!

    This is my first foray into IPTables, but the following IPTables entries should, I believe, allow access from anyone to DNS, SSH and FTP:

    ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:20 flags:!0x16/0x02
    ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:21
    ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:22
    ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:53
    ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:53

    Something else must be blocking access from outside of xx.yyy.zz/26 and there is a lot in the tables that I do not understand. Below is the output from iptables -L -n (I removed some entries I feel do not contribute to the issue). Can someone tell me what causes the blockage?

    Thanks,

    Angus.


    ns2:/sbin# ./iptables -L -n
    Chain INPUT (policy DROP)
    target prot opt source destination
    UNCLEAN all -- 0.0.0.0/0 0.0.0.0/0 unclean
    ACCEPT tcp -- 67.154.209.206 0.0.0.0/0 tcp flags:!0x16/0x02
    ACCEPT udp -- 67.154.209.206 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT icmp -- 0.0.0.0/0 xx.yyy.zz.128/26 limit: avg 10/sec burst 5
    LD all -- 0.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 1.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 2.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 5.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 7.0.0.0/8 xx.yyy.zz.128/26

    ... more similar nnn.0.0.0/8 entries are here ...

    LD all -- 187.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 189.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 190.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 192.0.2.0/24 xx.yyy.zz.128/26
    LD all -- 192.168.0.0/16 xx.yyy.zz.128/26
    LD all -- 197.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 198.18.0.0/15 xx.yyy.zz.128/26
    LD all -- 223.0.0.0/8 xx.yyy.zz.128/26
    LD all -- 224.0.0.0/3 xx.yyy.zz.128/26
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:31337 limit: avg 2/min burst 5
    LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:31337 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:33270 limit: avg 2/min burst 5
    LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:33270 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:1234 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:6711 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpts:12345:12346 limit: avg 2/min burst 5
    LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpts:12345:12346 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:135 limit: avg 2/min burst 5
    LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:135 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:1524 limit: avg 2/min burst 5
    LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:27665 limit: avg 2/min burst 5
    LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:27444 limit: avg 2/min burst 5
    LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:31335 limit: avg 2/min burst 5
    LD all -- 224.0.0.0/8 0.0.0.0/0
    LD all -- 0.0.0.0/0 224.0.0.0/8
    LD all -- 255.255.255.255 0.0.0.0/0
    LD all -- 0.0.0.0/0 0.0.0.0
    DROP all -- 10.0.0.255 0.0.0.0/0
    DROP all -- 0.0.0.0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 255.255.255.255
    DROP all -- 0.0.0.0/0 0.0.0.0
    LD all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    LD all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
    ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:20 flags:!0x16/0x02
    ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:21
    ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:22
    ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:53
    ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:53
    LD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:513:65535 flags:!0x16/0x02 state RELATED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20 dpts:1023:65535 flags:!0x16/0x02 state RELATED
    STATE tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpts:1024:65535
    ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpts:1023:65535
    LD all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    UNCLEAN all -- 0.0.0.0/0 0.0.0.0/0 unclean
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:31337 limit: avg 2/min burst 5
    LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:31337 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:33270 limit: avg 2/min burst 5
    LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:33270 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:1234 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:6711 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpts:12345:12346 limit: avg 2/min burst 5
    LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpts:12345:12346 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:135 limit: avg 2/min burst 5
    LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:135 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:1524 limit: avg 2/min burst 5
    LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:27665 limit: avg 2/min burst 5
    LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:27444 limit: avg 2/min burst 5
    LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:31335 limit: avg 2/min burst 5
    LD all -- 224.0.0.0/8 0.0.0.0/0
    LD all -- 0.0.0.0/0 224.0.0.0/8
    LD all -- 255.255.255.255 0.0.0.0/0
    LD all -- 0.0.0.0/0 0.0.0.0
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
    all -- 0.0.0.0/0 0.0.0.0/0 TTL match TTL == 64
    ACCEPT icmp -- xx.yyy.zz.128/26 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

    Chain LD (146 references)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain SANITY (0 references)
    target prot opt source destination
    LD all -- 0.0.0.0/0 0.0.0.0/0

    Chain STATE (1 references)
    target prot opt source destination
    LD all -- 0.0.0.0/0 0.0.0.0/0 state NEW
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    LD all -- 0.0.0.0/0 0.0.0.0/0

    Chain UNCLEAN (2 references)
    target prot opt source destination
    LD all -- 0.0.0.0/0 0.0.0.0/0
    ns2:/sbin#

  #2 (Linux User, Join Date Feb 2006, Posts 484)
    hi

    post the whole iptables script, not the output of iptables-save

  #3 (Just Joined!, Join Date May 2007, Posts 4)
    I hacked the firewall script and by a process of elimination found that it was the very records I thought were irrelevant that were causing the problem - each one blocked all traffic from an entire network not just the non-routable addresses as implied by the firewall script comments.
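The elimination the poster describes can be done on paper by walking the chain top to bottom, the way the kernel does. Below is an added Python example (not code from the thread or from Firestarter) that does that walk over a constructed excerpt of the posted INPUT chain, with the poster's masked prefix replaced by the documentation network 203.0.113.128/26. It ignores state, limit and interface matches (iptables -L -n does not print interfaces; -L -n -v does), so it reports the first rule that could match, which is the one to inspect.

```python
import ipaddress

# Constructed excerpt of the thread's INPUT chain in "iptables -L -n" layout.
# The poster's masked xx.yyy.zz.128/26 is replaced by the documentation
# prefix 203.0.113.128/26; the rules themselves are as posted.
INPUT_RULES = """\
LD all -- 189.0.0.0/8 203.0.113.128/26
LD all -- 190.0.0.0/8 203.0.113.128/26
LD all -- 192.168.0.0/16 203.0.113.128/26
LD tcp -- 0.0.0.0/0 203.0.113.128/26 tcp dpt:31337 limit: avg 2/min burst 5
ACCEPT tcp -- 0.0.0.0/0 203.0.113.128/26 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 203.0.113.128/26 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 203.0.113.128/26 udp dpt:53
LD all -- 0.0.0.0/0 0.0.0.0/0
"""

def parse_rule(line):
    """Split one rule line into target, protocol, networks and port range.
    Interface, state, limit and flag matches are not parsed: -L -n does not
    even print interfaces (use -L -n -v), so they are treated as matching."""
    target, prot, _opt, src, dst, *extra = line.split()
    ports = None
    for tok in extra:
        if tok.startswith("dpt:"):
            ports = (int(tok[4:]),) * 2
        elif tok.startswith("dpts:"):
            ports = tuple(int(p) for p in tok[5:].split(":"))
    return target, prot, ipaddress.ip_network(src), ipaddress.ip_network(dst), ports

def first_match(rules_text, src, dst, prot, dport):
    """Walk the chain top to bottom like the kernel does and return
    (rule_number, target) of the first matching rule, or (None, "policy")
    when the packet falls through to the chain policy (DROP here)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(rules_text.splitlines(), 1):
        target, rprot, rsrc, rdst, ports = parse_rule(line)
        if src not in rsrc or dst not in rdst:
            continue
        if rprot not in ("all", prot):
            continue
        if ports and not (ports[0] <= dport <= ports[1]):
            continue
        return n, target
    return None, "policy"

if __name__ == "__main__":
    # A DNS query from a legitimate host inside 190.0.0.0/8 never reaches the
    # ACCEPT rule for dpt:53: rule 2 logs and drops it first.
    for src in ("190.1.2.3", "198.51.100.7"):
        print(src, first_match(INPUT_RULES, src, "203.0.113.130", "tcp", 53))
```

Feed it the full output of iptables -L -n for the INPUT chain and the address of a client that cannot connect, and the returned rule number is the LD line that swallows the whole /8.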
