keschrich n00b
Joined: 09 Apr 2002 Posts: 69 Location: Branford, CT
Posted: Sat Jan 18, 2003 2:25 am Post subject: iptables blocks localhost even with accept
So long as iptables is running, I cannot connect to localhost from the computer, i.e. 'ping localhost' responds with:
Quote:
PING localhost (127.0.0.1): 56 octets data
sendto: Operation not permitted
ping: sent 64 octets to localhost, ret=-1
I know that it is an issue with iptables because once I stop the firewall everything runs fine.
Here's my rule set (it's fairly simple as of yet):
Code:
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 554 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 6970:6999 -j ACCEPT
-A INPUT -i ppp0 -j DROP
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o eth0 -j ACCEPT
As you can see I don't restrict any outbound traffic, so that shouldn't be an issue. At one point for testing reasons I put a LOG rule on the output chain '-A OUTPUT -o lo -j LOG' and I could see that packets were going through when I tried to ping, however when I put a similar rule on input '-I INPUT 1 -i lo -j LOG', I saw nothing at all.
If somebody could give a hand I would really appreciate it; this has become quite discouraging.
Praxxus Apprentice
Joined: 26 Nov 2002 Posts: 193 Location: Indiana, US
Posted: Sat Jan 18, 2003 2:49 am
You need the corresponding outbound rule for "lo."
Code:
-A OUTPUT -o lo -j ACCEPT
Please read up on IPTABLES firewalling and become familiar with the basics as soon as possible.
_________________
My glaucoma just got worse!
keschrich n00b
Joined: 09 Apr 2002 Posts: 69 Location: Branford, CT
Posted: Sat Jan 18, 2003 4:39 am
No, as I said, I have not restricted outbound traffic, therefore everything is allowed to go out by default... plus I'd already tried that just in case, to no avail.
Praxxus Apprentice
Joined: 26 Nov 2002 Posts: 193 Location: Indiana, US
Posted: Sat Jan 18, 2003 5:21 am
Well, you had outbound rules for ppp0 and eth0, but didn't list one for lo. The one for lo should definitely be in there, usually the first outbound rule you have.
What are your default policies?
Is that your entire ruleset that you posted above?
_________________
My glaucoma just got worse!
zleepy n00b
Joined: 19 Dec 2002 Posts: 19 Location: /sweden/ludvika
keschrich n00b
Joined: 09 Apr 2002 Posts: 69 Location: Branford, CT
Posted: Sat Jan 18, 2003 2:29 pm
Quote:
Well, you had outbound rules for ppp0 and eth0, but didn't list one for lo. The one for lo should definitely be in there, usually the first outbound rule you have.
What are your default policies?
Is that your entire ruleset that you posted above?
Excuse me, you were right...
All the rules I'd been adding trying to get this to work were going into the filter table, where there were no outgoing restrictions, as I said. The POSTROUTING rules were in the nat table, which is obvious if you look at the rules I had, but it totally slipped my mind. So all I needed was '-t nat -A POSTROUTING -o lo -j ACCEPT'.
That was my entire ruleset, the default being just a DROP on the INPUT chain of the filter table.
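The thread's root cause is that the loopback interface was allowed in the filter table but not in the nat table, and the rules were only ever checked table by table. The following audit script is an added example, not code from the thread or from any of its posters: it reads an iptables-save dump and reports, per table, whether a rule explicitly accepts the lo interface on the inbound side (INPUT/PREROUTING) and on the outbound side (OUTPUT/POSTROUTING). A locally generated packet to 127.0.0.1 passes filter OUTPUT and nat POSTROUTING on the way out, then nat PREROUTING (for new connections) and filter INPUT on the way back in, so a gap in any of those is worth seeing. The two rule sets embedded below are constructed approximations of the poster's "before" and "after" configurations, not captures from the thread; the function names lo_audit and lo_gaps are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for explicit loopback handling.
# Runs offline on text only; on a live host feed it "iptables-save | lo_audit".

# Constructed sample in iptables-save format, approximating the poster's rules
# before the fix: lo is accepted in filter INPUT, but nothing mentions lo in
# the nat table. (Not a capture from the thread.)
BEFORE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o eth0 -j ACCEPT
COMMIT'

# Constructed "after" sample: the lo rule added in both the filter OUTPUT and
# the nat POSTROUTING chains, as suggested and then applied in the thread.
AFTER_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i ppp0 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# lo_audit: read iptables-save text on stdin and print one line per table:
#   <table> in=<yes|no> out=<yes|no>
# "yes" means some -A rule in that table accepts interface lo on that side.
# Negated interface matches ("! -i lo" or the old "-i ! lo") do not count.
lo_audit() {
    awk '
        /^\*/ { table = substr($1, 2); tables[++n] = table
                inb[table] = "no"; outb[table] = "no"; next }
        /^-A / {
            chain = $2; accept = 0; iface = ""
            for (i = 3; i <= NF; i++) {
                if (($i == "-i" || $i == "-o") && $(i-1) != "!")
                    iface = ($(i+1) == "!") ? "" : $(i+1)
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (iface == "lo" && accept) {
                if (chain == "INPUT" || chain == "PREROUTING") inb[table] = "yes"
                if (chain == "OUTPUT" || chain == "POSTROUTING") outb[table] = "yes"
            }
        }
        END { for (k = 1; k <= n; k++) { t = tables[k]
                printf "%s in=%s out=%s\n", t, inb[t], outb[t] } }
    '
}

# lo_gaps: read iptables-save text on stdin and print "<table> <side>" for
# every table/side that has no explicit lo ACCEPT rule (nothing if none).
lo_gaps() {
    lo_audit | awk '
        { for (i = 2; i <= NF; i++) { split($i, kv, "=")
                                      if (kv[2] == "no") print $1 " " kv[1] } }
    '
}

# Stand-alone run: audit both constructed rule sets.
echo "before the fix:"
printf '%s\n' "$BEFORE_RULES" | lo_audit
echo "gaps:"
printf '%s\n' "$BEFORE_RULES" | lo_gaps
echo "after the fix:"
printf '%s\n' "$AFTER_RULES" | lo_audit
```

The "after" audit still reports nat in=no, because neither rule set touches nat PREROUTING; with that chain's policy at ACCEPT this is harmless, but the point of the report is to make each table's loopback treatment visible instead of assuming that a permissive filter table covers everything.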
Praxxus Apprentice
Joined: 26 Nov 2002 Posts: 193 Location: Indiana, US
Posted: Mon Jan 20, 2003 6:33 am
So did that fix it??
_________________
My glaucoma just got worse!