ShadyMilkman (n00b)
Joined: 20 Apr 2002, Posts: 57
Posted: Sun Jul 14, 2002 5:25 pm, Post subject: iptables breaks internet
Well, I have my system running great and iptables compiled into my kernel, and I can add rules and stuff fine, but the problem is that as soon as I add a rule, to say, INPUT, my internet effectively shuts down. It acts as if my cable modem just got unplugged from the wall. If I remove the rule from iptables the internet then works again. Maybe it has to do with the way I'm writing the rule? Anyway, here's an example of something I'll do:
Code:
iptables -A INPUT -p tcp -s ! 127.0.0.1 --dport 3000 -j DROP
I do this because I run ntop, which runs a mini-webserver on port 3000 that you connect to to view its stats, but I don't want just anybody looking. It doesn't just happen with this command, though; I've tried it with the source only being a certain IP address for dport 22 (SSH from work) and it does the exact same thing. The policies are all ACCEPT for INPUT and OUTPUT. What am I doing wrong?
Aruspex (n00b)
Joined: 28 Jun 2002, Posts: 51, Location: Brick, NJ
Posted: Sun Jul 14, 2002 7:22 pm
Is your default policy set to Deny? Type 'iptables -L' to check.
If this is the case, you would either need to set it to accept or create rules that allow traffic through.
[edit] I am sorry. That was one of the more stupid things I have done; I should have read your whole post...
Try going to google and searching for a sample firewall script. This will at least let you know if you are building the rules properly.
_________________
"If you want to make an apple pie from scratch, you must first create the universe" -Carl Sagan
rizzo (Retired Dev)
Joined: 30 Apr 2002, Posts: 1067, Location: Manitowoc, WI, USA
Posted: Mon Jul 15, 2002 6:42 pm
Perhaps posting your entire iptables script would be more helpful for the forum crowd.
ShadyMilkman (n00b)
Joined: 20 Apr 2002, Posts: 57
Posted: Mon Jul 15, 2002 7:33 pm
That command was not a script... I simply typed it in as root. I'll try a script when I get home.
Nitro (Bodhisattva)
Joined: 08 Apr 2002, Posts: 661, Location: San Francisco
Posted: Mon Jul 15, 2002 7:42 pm, Post subject: Re: iptables breaks internet
It isn't the command. I think you have a problem with your kernel and netfilter. Could you supply us with the output of:
Code:
grep "IP_NF" /usr/src/linux/.config
Also, I doubt this is the problem, but could you also give us the output of
_________________
- Kyle Manna
Please, please SEARCH before posting.
There are three kinds of people in the world: those who can count, and those who can't.
Last edited by Nitro on Mon Jul 15, 2002 8:09 pm; edited 1 time in total
ShadyMilkman (n00b)
Joined: 20 Apr 2002, Posts: 57
Posted: Mon Jul 15, 2002 8:05 pm
Code:
milkvan root# grep "IP_NF" /usr/src/linux/.config
# CONFIG_IP_NF_CONNTRACK is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_MATCH_MAC=y
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STEALTH=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_ARPTABLES=y
# CONFIG_IP_NF_ARPFILTER is not set
and for iptables:
Code:
milkvan root# iptables -L -v -n
(Couldn't get the output on here, but it listed the three chains INPUT, OUTPUT and FORWARD, said they were all ACCEPT, and listed how much data had gone across each. No further information was shown.)
Nitro (Bodhisattva)
Joined: 08 Apr 2002, Posts: 661, Location: San Francisco
Posted: Tue Jul 16, 2002 12:18 am
You have one weird problem. You tried recompiling your kernel? Maybe something is broken.
If you want to play with your kernel, my server has the following, and it does work:
Code:
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
# CONFIG_IP_NF_MATCH_STEALTH is not set
CONFIG_IP_NF_MATCH_STATE=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IP_NF_ARPTABLES is not set
dcloues (n00b)
Joined: 15 Apr 2002, Posts: 7, Location: Atlanta, Georgia
Posted: Tue Jul 16, 2002 5:19 am
Try replacing the line with
Code:
iptables -A INPUT -p tcp --dport 3000 -i ! lo -j DROP
That should have the intended effect; it will drop any TCP packets to port 3000 that aren't coming in on the loopback interface. But I have no clue why iptables is going crazy on rules that drop packets from specific addresses - that's bizarre.
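The following is an added example, not code posted by anyone in this thread, that puts the two rules discussed here (ntop on port 3000 reachable only over the loopback interface, SSH reachable only from one address) into an iptables-restore ruleset with the chain policies left at ACCEPT, and adds the kernel-config check Nitro asked for. It assumes ntop listens on TCP/3000, that the loopback interface is named lo, and that the work address is 203.0.113.10 (a constructed placeholder from the documentation range); the .config sample it builds is a constructed excerpt of the output posted above. Note that current iptables puts the "!" before the option ("! -i lo"), whereas "-i ! lo" and "-s ! 127.0.0.1" are the older spellings used in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Assumptions (none are from the thread): ntop listens on TCP/3000, SSH should
# stay reachable only from one work address, and the loopback interface is
# "lo". 203.0.113.10 is a constructed placeholder from the documentation range.

NTOP_PORT=3000
SSH_PORT=22
WORK_IP=203.0.113.10

# Print the ruleset in iptables-restore format. Chain policies stay ACCEPT, as in
# the original post, so only the two targeted DROP rules change behaviour.
# Current iptables wants "!" before the option ("! -i lo"); "-i ! lo" and
# "-s ! 127.0.0.1" are the legacy spellings used in the thread.
ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport ${NTOP_PORT} ! -i lo -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} ! -s ${WORK_IP} -j DROP
COMMIT
EOF
}

# Number of rule lines (those starting with -A) in the generated ruleset.
rule_count() {
    ruleset | grep -c '^-A '
}

# Print "y" if a kernel .config enables the given option (built in or module),
# else "n". The file is /usr/src/linux/.config in the thread; on a distro
# kernel it is usually /boot/config-$(uname -r).
config_has() {
    if grep -q "^$2=[ym]" "$1"; then echo y; else echo n; fi
}

# The two options every rule in the thread depends on. Without
# CONFIG_IP_NF_FILTER the filter table (and so "iptables -A INPUT") does not
# exist at all; CONFIG_IP_NF_CONNTRACK matters only for --state rules.
required_options_ok() {
    [ "$(config_has "$1" CONFIG_IP_NF_IPTABLES)" = y ] &&
    [ "$(config_has "$1" CONFIG_IP_NF_FILTER)" = y ]
}

# Constructed sample of the relevant lines from the .config output posted in
# the thread, written to a temp file so config_has can be exercised offline.
sample_config_file() {
    f=$(mktemp)
    cat >"$f" <<EOF
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
EOF
    echo "$f"
}

# Parse the ruleset without committing it (needs root and the iptables-restore
# binary). Returns 0 when the binary is absent so the rest of the script is
# still usable on a machine without iptables.
dry_run() {
    command -v iptables-restore >/dev/null 2>&1 || return 0
    ruleset | iptables-restore --test
}

# Load the ruleset atomically (root only), then show per-rule packet counters.
# A rule that matches far more than the one port it was meant for shows up here
# as a counter climbing with every packet, which is how to tell "drops ntop
# from outside" apart from "drops everything".
apply_and_show() {
    ruleset | iptables-restore &&
    iptables -L INPUT -v -n --line-numbers
}
```

Run `required_options_ok /usr/src/linux/.config` (or the /boot/config file for the running kernel) before touching rules; then `dry_run` as root to catch syntax errors, and only then `apply_and_show`. Loading the whole table through iptables-restore, rather than appending with `iptables -A` one rule at a time, keeps the state reproducible and makes the counters in the final listing meaningful.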