Old 05-03-2011, 11:21 PM
Hilco Wijbenga
 
Firewall/iptables question

Hi all,

I'm attempting to set up a simple firewall on a virtual server. I have
the following:

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT

(And iptables -L shows that this setup has been accepted.)

This was supposed to only allow my box (or at least my public IP)
access to port 80 on this server. I cannot access port 80 at all,
however. (Please note that without --source it works as expected.)

What am I doing wrong?

On a related note, the logging only logs the packet, but no timestamp.
Is that configurable somewhere?

Cheers,
Hilco


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/BANLkTi=9iR+SE-w2Fd_mJq4R-PDGVgoh_A@mail.gmail.com
 
Old 05-04-2011, 01:34 AM
Hilco Wijbenga
 
Firewall/iptables question

On 3 May 2011 16:21, Hilco Wijbenga <hilco.wijbenga@gmail.com> wrote:
> Hi all,
>
> I'm attempting to set up a simple firewall on a virtual server. I have
> the following:
>
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -j LOG
> iptables -A INPUT -j REJECT
>
> (And iptables -L shows that this setup has been accepted.)
>
> This was supposed to only allow my box (or at least my public IP)
> access to port 80 on this server. I can not access port 80 at all,
> however. (Please note that without --source it works as expected.)
>
> What am I doing wrong?

Mmmh, it does work after all. You have to be careful to restart
everything, I guess.

I've moved the --source to the SSH line. That works too but it seems
like I can only have 1 connection open at the same time. Sort of. I
have a reverse connection from a local server with a non-routable IP
to this public server. That works. But then I can't access the public
server anymore. If I kill the reverse connection and wait a few
minutes, I can login again. Switch the reverse connection back on ...
and I can't login anymore. Strange.

> On a related note, the logging only logs the packet, but no timestamp.
> Is that configurable somewhere?
>
> Cheers,
> Hilco
>


Archive: http://lists.debian.org/BANLkTim62rNnK1m6gJuCziQaZZ=OOF6_=g@mail.gmail.com
 
Old 05-04-2011, 03:05 AM
green
 
Firewall/iptables question

Hilco Wijbenga wrote at 2011-05-03 18:21 -0500:
> On a related note, the logging only logs the packet, but no timestamp.
> Is that configurable somewhere?

/etc/rsyslog.conf I suppose?
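Added example, not from anyone in this thread: the iptables LOG target only emits the "IN=... SRC=... DPT=..." fields to the kernel log, and the date, host and "kernel:" tag are prepended by rsyslog, so the timestamp the question asks about is already present once the lines are read from /var/log/kern.log. The parser below reads such lines (constructed sample, rsyslog's default format, hostname "vps" and the RFC 5737 addresses are assumptions) and tallies which sources hit which ports, which is what the `-j LOG` rule before the final REJECT is useful for.

```python
import re
from collections import Counter

# Constructed sample of /var/log/kern.log as rsyslog writes it. Only the part from
# "IN=" onward comes from the iptables LOG rule; the leading timestamp, host and
# "kernel:" tag are added by rsyslog. One unrelated sshd line is mixed in.
SAMPLE_KERN_LOG = """\
May  4 01:34:12 vps kernel: [ 1203.551234] IN=venet0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=54321 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  4 01:34:15 vps kernel: [ 1206.771002] IN=venet0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=54322 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  4 01:35:01 vps kernel: [ 1252.003100] IN=venet0 OUT= SRC=198.51.100.23 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  4 01:35:02 vps sshd[2201]: Accepted publickey for hilco from 203.0.113.5 port 50022 ssh2
May  4 01:35:07 vps kernel: [ 1258.120045] IN=venet0 OUT= SRC=198.51.100.23 DST=198.51.100.7 LEN=64 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=UDP SPT=53 DPT=1900 LEN=44
"""

# Syslog header (month, day, time, host), the kernel tag with its optional uptime
# stamp, an optional --log-prefix string, then the netfilter key=value fields.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>.*?)(?P<fields>\bIN=.*)$"
)
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_entry(line):
    """Return a dict for an iptables LOG line, or None for any other syslog line."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    entry = {"timestamp": m.group("ts"), "host": m.group("host"),
             "prefix": m.group("prefix").strip()}
    # Bare flags such as DF and SYN carry no '=' and are skipped; a repeated key
    # (the inner LEN= of a UDP/ICMP payload) keeps its last value.
    entry.update(_FIELD_RE.findall(m.group("fields")))
    return entry


def summarize(log_text):
    """Count logged packets per (source, protocol, destination port) triple."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_log_entry(line)
        if e:
            counts[(e.get("SRC"), e.get("PROTO"), e.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE_KERN_LOG).most_common():
        print(f"{n:4d}  {src:>15}  {proto:<4} dpt={dpt}")
```

Adding `--log-prefix "INPUT-REJECT: "` to the LOG rule makes these lines easy to pick out of kern.log; the parser keeps that prefix in `entry["prefix"]`.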