Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
can't connect to internet with my iptables
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1554

PostPosted: Tue Dec 18, 2007 9:18 pm    Post subject: can't connect to internet with my iptables Reply with quote

I have a script of iptables that I want to use. The problem is that I can't connect to internet when I enable it. Can someone tell me what's wrong with the script? Here is the script:
Code:

 #!/bin/sh

# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="eth2"

# Flush current rules
#$IPTABLES -t nat -F
$IPTABLES -t filter -F
#$IPTABLES -t mangle -F

# Delete custom chains
#$IPTABLES -t nat -X
$IPTABLES -t filter -X
#$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
#$IPTABLES -t nat -P PREROUTING ACCEPT
#$IPTABLES -t nat -P OUTPUT ACCEPT
#$IPTABLES -t nat -P POSTROUTING ACCEPT
#$IPTABLES -t mangle -P PREROUTING ACCEPT
#$IPTABLES -t mangle -P INPUT ACCEPT
#$IPTABLES -t mangle -P FORWARD ACCEPT
#$IPTABLES -t mangle -P OUTPUT ACCEPT
#$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow https
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 443 --syn -j ACCEPT

# Allow http
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 80 --syn -j ACCEPT

# Allow inbound DNS requests from the wireless network.
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp --dport 53 -j ACCEPT

# Allow BitTorrent traffic -- avoid ISP blocking defaults
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT

# Allow BitTorrent tracker capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6969 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6969 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 22 --syn -j ACCEPT

# Allow linuxdc
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 29800 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 29800 -j ACCEPT

# Allow Donkey capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 8726 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 8730 -j ACCEPT

# Allow Kad in emule capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 16687 -j ACCEPT

# Allow Msn capability to get files
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6891 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6891 -j ACCEPT

# Allow Msn
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1863 -j ACCEPT

# Allow ICQ
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5190 -j ACCEPT

## Allow GTALK
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5223 -j ACCEPT

# Allow rsync
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 873 -j ACCEPT
Back to top
View user's profile Send private message
gentoo_dude
l33t
l33t


Joined: 08 May 2004
Posts: 642
Location: Washington, DC

PostPosted: Tue Dec 18, 2007 10:36 pm    Post subject: Reply with quote

You cannot establish new connections from your computer on the outside

$IPTABLES -A OUTPUT -o lo -j ACCEPT

$IPTABLES -A OUTPUT -o $PUBLIC_IP -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

NOTE:
SOrry I just saw that your default table for OUTPUT table is set to ACCEPT. What does /sbin/iptables -L look like?
Back to top
View user's profile Send private message
didymos
Advocate
Advocate


Joined: 10 Oct 2005
Posts: 4798
Location: California

PostPosted: Tue Dec 18, 2007 10:56 pm    Post subject: Reply with quote

Try changing this:

Code:

$IPTABLES -A INPUT -i lo -j ACCEPT


to

Code:

$IPTABLES -A INPUT -i ! <interface connected to Internet> -j ACCEPT


and change this:

Code:

$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT


to this:

Code:

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


It'd help to see what you've got in /etc/conf.d/net and to know whether or not you're also going through a router.
_________________
Thomas S. Howard
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8979

PostPosted: Wed Dec 19, 2007 4:13 am    Post subject: Reply with quote

Instead of iptables -L, use iptables-save -c. The latter produces a machine-readable definition that gives us all the details. The former omits detailed hit counters, interface restrictions, and all but one of the netfilter tables. Also, going along with the request from didymos, please provide the output of ip addr ; ip route. If you are directly on a public IP address, feel free to remove that from the output.
Back to top
View user's profile Send private message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1554

PostPosted: Wed Dec 19, 2007 6:33 am    Post subject: Reply with quote

I am going through a router. The router is with spi firewall enabled. I want to disable the spi firewall and use myiptables. I get a direct ip for browsing from the ISP. Router is linksys wrt54gc.

I will output all the details in a couple of hours, because I have to run. Right now the firewall is not enabled.
Back to top
View user's profile Send private message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1554

PostPosted: Fri Dec 21, 2007 9:26 pm    Post subject: Reply with quote

Hello didymos

It seems that the changing you suggested work. Now I can ping google, browse, etc.

Few notes: before the change i tried the command route and There was no output. Now route gives the output:
Code:

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth2


Here is my /etc/conf.d/net
Code:

config_eth0=("dhcp")
#dhcp_eth0="nontp nonis nodns"
dhcp_eth0="nontp nonis"
#dns_servers_eth0="127.0.0.1 208.67.222.222 208.67.220.220"

config_eth2=("dhcp")
modules_eth2=("iwconfig")
#dhcp_eth2="nodns"
dns_servers_eth2="208.67.222.222 208.67.220.220"
routes_eth2=("default gw 192.168.1.1")



eth0 is the non wifi card. eth2 is the wifi card. I am behind a router. I would like to disable the spi firewall of the router. I have speed problems and not sure from where the problems come. I try to use opendns ips.

I get internal ip from the router (via dhcp) and have a static ip address to connect directly to the internet.

Can you explain what the changes you suggested do?

didymos wrote:
Try changing this:

Code:

$IPTABLES -A INPUT -i lo -j ACCEPT


to

Code:

$IPTABLES -A INPUT -i ! <interface connected to Internet> -j ACCEPT


and change this:

Code:

$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT


to this:

Code:

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


It'd help to see what you've got in /etc/conf.d/net and to know whether or not you're also going through a router.
Back to top
View user's profile Send private message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1554

PostPosted: Fri Dec 21, 2007 9:44 pm    Post subject: Reply with quote

Hu wrote:
Instead of iptables -L, use iptables-save -c. The latter produces a machine-readable definition that gives us all the details. The former omits detailed hit counters, interface restrictions, and all but one of the netfilter tables. Also, going along with the request from didymos, please provide the output of ip addr ; ip route. If you are directly on a public IP address, feel free to remove that from the output.


What is ip route or ip addr? It said command not found. route gave me an output.

here is the output i got from iptables-save -c before I changed the settings that didymos suggested.

Code:
iptables-save -c
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*nat
:PREROUTING ACCEPT [963:270530]
:POSTROUTING ACCEPT [3142:189427]
:OUTPUT ACCEPT [3142:189427]
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*mangle
:PREROUTING ACCEPT [14991:802708]
:INPUT ACCEPT [14209:544608]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19584:855385]
:POSTROUTING ACCEPT [19584:855385]
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
# Generated by iptables-save v1.3.8 on Fri Dec 21 23:07:44 2007
*filter
:INPUT DROP [2352:165107]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19007:816911]
[11277:337977] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --ports 53309:53317 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 6969 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 6969 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 29800 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 29800 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 8726 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 8730 -j ACCEPT
[114:8433] -A INPUT -i eth2 -p udp -m udp --dport 16687 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 6891 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 6891 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 1863 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 5190 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 5223 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 873 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 873 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Fri Dec 21 23:07:44 2007
Back to top
View user's profile Send private message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1554

PostPosted: Fri Dec 21, 2007 10:10 pm    Post subject: Reply with quote

One more question:

I have port forwarding in the router. With these rules, I can disable the port fwd in the router?
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8979

PostPosted: Sat Dec 22, 2007 4:31 pm    Post subject: Reply with quote

queen wrote:

What is ip route or ip addr? It said command not found. route gave me an output.


/sbin/ip is part of sys-apps/iproute2. It is an alternative to using ifconfig and route.
Back to top
View user's profile Send private message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1554

PostPosted: Sat Dec 22, 2007 4:39 pm    Post subject: Reply with quote

Hu wrote:
queen wrote:

What is ip route or ip addr? It said command not found. route gave me an output.


/sbin/ip is part of sys-apps/iproute2. It is an alternative to using ifconfig and route.


ok. Thanks. I don't have iproute2 installed.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum