IPTables blocks all incoming traffic from other networks

Angusm (Newbie Poster)
#1, Jul 6th, 2007
My DNS server has a Firestarter firewall. When the firewall runs, only addresses on the same network as the DNS server can get a response from DNS/FTP/SSH. When I boot without the firewall, anyone can access them - as well as everything else!

This is my first foray into IPTables, but the following IPTables entries should, I believe, allow access from anyone to DNS, SSH and FTP:

ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:20 flags:!0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:53

Something else must be blocking access from outside of xx.yyy.zz/26 and there is a lot in the tables that I do not understand. Below is the output from iptables -L -n (I removed some entries I feel do not contribute to the issue). Can someone tell me what causes the blockage?

Thanks,

Angus.

ns2:/sbin# ./iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
UNCLEAN all -- 0.0.0.0/0 0.0.0.0/0 unclean
ACCEPT tcp -- 67.154.209.206 0.0.0.0/0 tcp flags:!0x16/0x02
ACCEPT udp -- 67.154.209.206 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 xx.yyy.zz.128/26 limit: avg 10/sec burst 5
LD all -- 0.0.0.0/8 xx.yyy.zz.128/26
LD all -- 1.0.0.0/8 xx.yyy.zz.128/26
LD all -- 2.0.0.0/8 xx.yyy.zz.128/26
LD all -- 5.0.0.0/8 xx.yyy.zz.128/26
LD all -- 7.0.0.0/8 xx.yyy.zz.128/26

... more similar nnn.0.0.0/8 entries are here ...

LD all -- 187.0.0.0/8 xx.yyy.zz.128/26
LD all -- 189.0.0.0/8 xx.yyy.zz.128/26
LD all -- 190.0.0.0/8 xx.yyy.zz.128/26
LD all -- 192.0.2.0/24 xx.yyy.zz.128/26
LD all -- 192.168.0.0/16 xx.yyy.zz.128/26
LD all -- 197.0.0.0/8 xx.yyy.zz.128/26
LD all -- 198.18.0.0/15 xx.yyy.zz.128/26
LD all -- 223.0.0.0/8 xx.yyy.zz.128/26
LD all -- 224.0.0.0/3 xx.yyy.zz.128/26
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:31337 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:31337 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:33270 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:33270 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:1234 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:6711 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpts:12345:12346 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpts:12345:12346 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:135 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:135 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:1524 limit: avg 2/min burst 5
LD tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:27665 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:27444 limit: avg 2/min burst 5
LD udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:31335 limit: avg 2/min burst 5
LD all -- 224.0.0.0/8 0.0.0.0/0
LD all -- 0.0.0.0/0 224.0.0.0/8
LD all -- 255.255.255.255 0.0.0.0/0
LD all -- 0.0.0.0/0 0.0.0.0
DROP all -- 10.0.0.255 0.0.0.0/0
DROP all -- 0.0.0.0 0.0.0.0/0
DROP all -- 0.0.0.0/0 255.255.255.255
DROP all -- 0.0.0.0/0 0.0.0.0
LD all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
LD all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:20 flags:!0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpt:53
LD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:513:65535 flags:!0x16/0x02 state RELATED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20 dpts:1023:65535 flags:!0x16/0x02 state RELATED
STATE tcp -- 0.0.0.0/0 xx.yyy.zz.128/26 tcp dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 xx.yyy.zz.128/26 udp dpts:1023:65535
LD all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
UNCLEAN all -- 0.0.0.0/0 0.0.0.0/0 unclean
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:31337 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:31337 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:33270 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:33270 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:1234 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:6711 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:16660 flags:0x16/0x02 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:60001 flags:0x16/0x02 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpts:12345:12346 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpts:12345:12346 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:135 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:135 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:1524 limit: avg 2/min burst 5
LD tcp -- xx.yyy.zz.128/26 0.0.0.0/0 tcp dpt:27665 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:27444 limit: avg 2/min burst 5
LD udp -- xx.yyy.zz.128/26 0.0.0.0/0 udp dpt:31335 limit: avg 2/min burst 5
LD all -- 224.0.0.0/8 0.0.0.0/0
LD all -- 0.0.0.0/0 224.0.0.0/8
LD all -- 255.255.255.255 0.0.0.0/0
LD all -- 0.0.0.0/0 0.0.0.0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
all -- 0.0.0.0/0 0.0.0.0/0 TTL match TTL == 64
ACCEPT icmp -- xx.yyy.zz.128/26 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain LD (146 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SANITY (0 references)
target prot opt source destination
LD all -- 0.0.0.0/0 0.0.0.0/0

Chain STATE (1 references)
target prot opt source destination
LD all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LD all -- 0.0.0.0/0 0.0.0.0/0

Chain UNCLEAN (2 references)
target prot opt source destination
LD all -- 0.0.0.0/0 0.0.0.0/0
ns2:/sbin#
Angusm (Newbie Poster)
#2, Jul 10th, 2007
I hacked the firewall script and by a process of elimination found that it was the very records I thought were irrelevant that were causing the problem - each one blocked all traffic from an entire network not just the non-routable addresses as implied by the firewall script comments.
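The ordering problem Angus describes in posts #1 and #2, as an added example that is not from the thread: a Python walk of a constructed subset of the INPUT chain, applying iptables' first-match evaluation, that reports which rule a packet hits and which later ACCEPT rules that hit shadows. The server prefix 198.51.100.128/26 stands in for the masked xx.yyy.zz.128/26, and the sample source addresses are placeholders.

```python
import ipaddress

# Chain rows are (target, proto, src, dst, dport), in chain order. This is a
# constructed subset of the INPUT listing above; the masked xx.yyy.zz.128/26
# is replaced by the documentation-range placeholder 198.51.100.128/26.
# The "ACCEPT all 0.0.0.0/0 0.0.0.0/0" row near the top is left out: -L -n
# hides interface matches, so it is assumed to be the loopback (-i lo) rule
# (iptables -L -n -v would show the interface).
SERVER_NET = "198.51.100.128/26"
INPUT_CHAIN = [
    ("LD",     "all", "0.0.0.0/8",      SERVER_NET, None),
    ("LD",     "all", "190.0.0.0/8",    SERVER_NET, None),  # whole /8 dropped
    ("LD",     "all", "192.168.0.0/16", SERVER_NET, None),
    ("ACCEPT", "tcp", "0.0.0.0/0",      SERVER_NET, 22),
    ("ACCEPT", "tcp", "0.0.0.0/0",      SERVER_NET, 53),
    ("ACCEPT", "udp", "0.0.0.0/0",      SERVER_NET, 53),
    ("LD",     "all", "0.0.0.0/0",      "0.0.0.0/0", None),  # final catch-all
]
POLICY = "DROP"  # "Chain INPUT (policy DROP)"

def rule_matches(rule, proto, src, dst, dport):
    _target, r_proto, r_src, r_dst, r_dport = rule
    if r_proto != "all" and r_proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
        return False
    return r_dport is None or r_dport == dport

def first_match(chain, proto, src, dst, dport):
    """Index and row of the first matching rule; (None, POLICY) if none match."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, proto, src, dst, dport):
            return i, rule
    return None, POLICY

def verdict(chain, proto, src, dst, dport):
    """Final fate of the packet: LD logs and then drops, so it counts as DROP."""
    _, hit = first_match(chain, proto, src, dst, dport)
    target = hit if isinstance(hit, str) else hit[0]
    return "DROP" if target in ("LD", "DROP") else target

def shadowed_accepts(chain, proto, src, dst, dport):
    """Indexes of ACCEPT rules the packet would reach if no earlier rule dropped it."""
    i, hit = first_match(chain, proto, src, dst, dport)
    if i is None or hit[0] not in ("LD", "DROP"):
        return []
    return [j for j, r in enumerate(chain[i + 1:], i + 1)
            if r[0] == "ACCEPT" and rule_matches(r, proto, src, dst, dport)]

if __name__ == "__main__":
    pkt = ("udp", "190.1.2.3", "198.51.100.130", 53)  # constructed DNS query
    print(verdict(INPUT_CHAIN, *pkt), "at rule", first_match(INPUT_CHAIN, *pkt)[0],
          "shadowing ACCEPT rules", shadowed_accepts(INPUT_CHAIN, *pkt))
```

A DNS query from inside 190.0.0.0/8 is dropped at the /8 rule although the later "ACCEPT udp dpt:53" rule would have accepted it; moving the port-specific ACCEPT rules above the network blocks, or pruning blocks that cover allocated space, fixes that.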
Mix (Junior Poster in Training)
#3, Jul 16th, 2007
At least you have Firestarter working. I can't get it installed on Slackware.
Just dancing.
©2003 - 2009 DaniWeb® LLC