sebad Tux's lil' helper
Joined: 06 Oct 2005 Posts: 130 Location: Poland
Posted: Mon Aug 22, 2011 9:14 am Post subject: Problem iptables-1.4.11.1-r2 (FORWARD)
Some days ago I updated iptables to version 1.4.11.1-r2 (stable), but after the update the internet at the workstations stopped working. No changes to the config file have been made since the update. This is part of my config:
Code: |
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -s 192.168.151.0/24 -j ACCEPT
|
After a few minutes' fight I figured out that the problem is in blocking packets in the FORWARD filter. After changing the FORWARD default rule from DROP to ACCEPT everything is working fine. Question: why the command
Code: |
iptables -t filter -A FORWARD -s 192.168.151.0/24 -j ACCEPT
|
doesn't work? Bug in iptables? I don't think so...
_________________ Serwis komputerowy - Warszawa
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Mon Aug 22, 2011 5:58 pm Post subject:
Code: | iptables -t filter -A FORWARD -s 192.168.151.0/24 -j ACCEPT | is not enough!
What about the replies?
add something like Code: | iptables -t filter -A FORWARD -d 192.168.151.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT | then try to set your default policy to DROP in the FORWARD chain
_________________ The End of the Internet!
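The reply above is about a packet the posted rules never match: a LAN host's outbound packet has -s in the LAN range and is accepted, but the return packet has the LAN range as its -d, and with the chain policy at DROP nothing in the posted FORWARD chain accepts it. The following is an added example, not code from the thread, that models the FORWARD chain as iptables evaluates it (first matching rule wins, otherwise the chain policy) and renders the resulting iptables-restore lines. The packet addresses 93.184.216.34 and 198.51.100.7 are assumed sample values, and the model ignores interfaces and protocols; the reply packet already carries the LAN address as destination because conntrack undoes the SNAT in PREROUTING, before the filter FORWARD chain runs.

```python
"""Model of the FORWARD chain from the thread: first matching rule wins,
otherwise the chain policy applies. Added example, not the poster's
ruleset verbatim; the external addresses are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

STATEFUL = frozenset({"RELATED", "ESTABLISHED"})


@dataclass
class Packet:
    src: str
    dst: str
    state: str  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    """One '-A FORWARD ... -j <target>' line; None means 'match anything'."""
    target: str
    src: Optional[str] = None
    dst: Optional[str] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.states and p.state not in self.states:
            return False
        return True

    def render(self) -> str:
        parts = ["-A FORWARD"]
        if self.src:
            parts.append(f"-s {self.src}")
        if self.dst:
            parts.append(f"-d {self.dst}")
        if self.states:
            parts.append("-m state --state " + ",".join(sorted(self.states)))
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def run_chain(rules: List[Rule], policy: str, p: Packet) -> str:
    """Verdict for p: target of the first matching rule, else the policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def render_filter(rules: List[Rule], policy: str) -> str:
    """iptables-restore fragment for the FORWARD chain."""
    lines = ["*filter", f":FORWARD {policy} [0:0]"]
    lines += [r.render() for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines)


LANS = ["192.168.151.0/24", "192.168.152.0/24"]

# Rules as posted: only traffic *from* the LANs is accepted.
ORIGINAL = [Rule("ACCEPT", src=lan) for lan in LANS]

# With the reply rule suggested in the thread, one per LAN.
FIXED = ORIGINAL + [Rule("ACCEPT", dst=lan, states=STATEFUL) for lan in LANS]

# Constructed packets: a LAN host opens a connection, the reply comes back
# (conntrack marks it ESTABLISHED), and an outsider tries a fresh connection.
OUTBOUND = Packet("192.168.151.10", "93.184.216.34", "NEW")
REPLY = Packet("93.184.216.34", "192.168.151.10", "ESTABLISHED")
UNSOLICITED = Packet("198.51.100.7", "192.168.151.10", "NEW")


def verdicts(rules: List[Rule], policy: str = "DROP") -> Dict[str, str]:
    """Verdict of the chain for each of the three constructed packets."""
    return {
        "outbound": run_chain(rules, policy, OUTBOUND),
        "reply": run_chain(rules, policy, REPLY),
        "unsolicited": run_chain(rules, policy, UNSOLICITED),
    }


if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL))  # reply is dropped: no rule matches it
    print("fixed:   ", verdicts(FIXED))     # reply accepted, unsolicited still dropped
    print(render_filter(FIXED, "DROP"))
```

With the posted rules the reply is dropped by the chain policy, and with the added rule it is accepted while a fresh inbound connection to the LAN is still dropped, which is the point of keeping the policy at DROP. On a real box the stateful rule needs connection tracking loaded (it is, since the SNAT rules depend on it); `-m conntrack --ctstate RELATED,ESTABLISHED` is the equivalent of `-m state --state` in iptables 1.4.x, and the rule is often written without `-d` at all so it covers every forwarded reply.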
sebad Tux's lil' helper
Joined: 06 Oct 2005 Posts: 130 Location: Poland
Posted: Tue Aug 23, 2011 8:31 am Post subject:
It doesn't work...
This is my whole config.
Code: | *nat
#INTERNET SHARING
-A POSTROUTING -s 192.168.151.0/24 -j SNAT --to-source 217...
-A POSTROUTING -s 192.168.152.0/24 -j SNAT --to-source 217...
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -s 192.168.151.0/24 -j ACCEPT
-A FORWARD -s 192.168.152.0/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 5001 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
#PPTPD
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
#Samba
-A INPUT -m state --state NEW -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
|
_________________ Serwis komputerowy - Warszawa
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Tue Aug 23, 2011 8:57 am Post subject:
I don't see the rule I invited you to add in there.
Note: if your rules for 192.168.151.0/24 and 192.168.152.0/24 are similar, then you can combine them using this subnet instead: 192.168.150.0/23
_________________ The End of the Internet!
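Before folding two /24s into one shorter prefix in an ACCEPT rule it is worth checking what the prefix actually spans: 192.168.150.0/23 covers 192.168.150.0 to 192.168.151.255, so it does not include 192.168.152.0/24, and it does include 192.168.150.0/24, which the posted ruleset never mentions. The following added example, not code from the thread, uses the standard-library ipaddress module to merge only prefixes that collapse exactly, to test which networks a proposed supernet contains, and to show how wide the smallest single prefix covering both posted LANs would be.

```python
"""Check whether two /24s can be written as one prefix. Added example,
not from the thread; uses only the Python standard library."""
from ipaddress import collapse_addresses, ip_network
from typing import Dict, List


def aggregate(nets: List[str]) -> List[str]:
    """Merge networks only where a merged prefix covers exactly their addresses."""
    return [str(n) for n in collapse_addresses(ip_network(n) for n in nets)]


def covers(supernet: str, nets: List[str]) -> Dict[str, bool]:
    """Which of nets fall inside supernet."""
    sup = ip_network(supernet)
    return {n: ip_network(n).subnet_of(sup) for n in nets}


def smallest_covering_prefix(nets: List[str]) -> str:
    """Shortest single prefix containing every network in nets. It may be far
    wider than their union, which matters when it is used in an ACCEPT rule."""
    targets = [ip_network(n) for n in nets]
    candidate = targets[0]
    while not all(t.subnet_of(candidate) for t in targets):
        candidate = candidate.supernet()
    return str(candidate)


def extra_addresses(prefix: str, nets: List[str]) -> int:
    """Addresses the prefix admits beyond the union of nets."""
    return ip_network(prefix).num_addresses - sum(
        ip_network(n).num_addresses for n in nets
    )


if __name__ == "__main__":
    lans = ["192.168.151.0/24", "192.168.152.0/24"]
    print(aggregate(lans))                  # no merge possible, both stay
    print(covers("192.168.150.0/23", lans))  # 192.168.152.0/24 is outside
    prefix = smallest_covering_prefix(lans)
    print(prefix, extra_addresses(prefix, lans))
    print(aggregate(["192.168.150.0/24", "192.168.151.0/24"]))  # these do collapse
```

The two posted LANs sit on either side of a /23 boundary, so collapse_addresses leaves them as they are; the smallest single prefix that contains both is 192.168.144.0/20, which admits 3584 addresses the ruleset never intended to forward. Two rules, or a pair that really do share a /23 (such as 192.168.150.0/24 and 192.168.151.0/24), are the safe options.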