#1  
Old 24th August 2007, 17:32
satimis satimis is offline
Senior Member
 
Join Date: Oct 2006
Posts: 533
Thanks: 4
Thanked 2 Times in 2 Posts
Default About iptables rules

Hi folks,


Ubuntu 7.04 lamp server amd64 - Host OS
VMware
Guest OS - not yet installed.
Iptables-1.3.6


$ cat /etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.10
        netmask 255.255.255.0
        gateway 192.168.0.1

Browser can connect Internet w/o problem.


After performing following steps to setup iptables, Internet connection blocked.

Edited /etc/rc.local and entered following rules on it
Code:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

#exit 0

#
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d 192.168.0.10 --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d 192.168.0.10 --reject-with icmp-port-unreachable


#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -I OUTPUT 1 -j ACCEPT -s 192.168.0.10 -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -I OUTPUT 2 -j ACCEPT -s 192.168.0.10 -p UDP --destination-port 53

# reject all other traffic from localhost
iptables -I OUTPUT 3 -j REJECT -s 127.0.0.10 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -I OUTPUT 4 -j REJECT -s 192.168.0.10 --reject-with icmp-port-unreachable

$ sudo /etc/init.d/rc.local start
Code:
 * Running local boot scripts (/etc/rc.local)                                                     [ OK ]
$ sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.10        reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8222 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:8333 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:902 
REJECT     0    --  anywhere             192.168.0.1         reject-with icmp-port-unreachable 
ACCEPT     0    --  anywhere             192.168.0.10        state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  127.0.0.10           anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable 
ACCEPT     0    --  192.168.0.10         anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  192.168.0.10         anywhere            udp dpt:domain 
REJECT     0    --  localhost            anywhere            reject-with icmp-port-unreachable 
REJECT     0    --  192.168.0.10         anywhere            reject-with icmp-port-unreachable

$ ping -c3 yahoo.com
Code:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable
From 192.168.0.10 icmp_seq=1 Destination Port Unreachable

--- yahoo.com ping statistics ---
0 packets transmitted, 0 received, +3 errors
Failed.


I have to run following command to stop iptables.

$ sudo iptables -F
No complaint

$ ping -c3 yahoo.com
Code:
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=55 time=242 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=54 time=247 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=54 time=246 ms

--- yahoo.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 242.397/245.283/247.256/2.086 ms
Internet connection then worked.


Please advise where goes wrong. TIA


B.R.
satimis
Reply With Quote
Sponsored Links
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables rules for ftp flourishing Installation/Configuration 5 14th April 2008 21:18
The Perfect Xen 3.0.3 Setup For Debian Sarge iptables problem on dom0 ren22 HOWTO-Related Questions 21 7th January 2007 19:32
iptables issue with xen perfect setup - debian alexnz HOWTO-Related Questions 3 25th November 2006 13:49
can't initialize iptables table `filter asmadius Installation/Configuration 5 31st July 2006 15:36
The Perfect Xen 3.0 Setup For Debian | IPTABLES rocket30 HOWTO-Related Questions 7 25th July 2006 14:18


All times are GMT +2. The time now is 11:34.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.