simple iptables ruleset?

#1
03-30-2007
Randell D.
simple iptables ruleset?

Folks,
This is driving me up the wall... I've written a script which appears
to work on my LAN - I can successfully accept/deny folk by
their IP, network or port - however when I try it in a live
environment, it stops all traffic.

There are too many fences between me and the outside world (BigIP and
reverse proxies for example) so I don't know what might be happening
to the packets as they come in so I'm wondering if someone can help me
write up a ruleset to do the following:

1. Allow all traffic from a selection of IP subnets (for example,
allow 192.168.1.0 through 192.168.10.0). They should have full access
to all ports.
2. Allow access to port 22 (ssh) and 8001 (WebLogic) using tcp/http
traffic from a specific IP address (for example 192.168.168.168).
3. Deny everything else.

What is known: When traffic goes through my BigIPs and proxies and other
fences between me and the outside world, their IP address is carried.
I've tested this via a dialup internet GPRS connection using my laptop.
As soon as I switch off iptables, access to my web based app works -
as soon as I enable the firewall, access to my web app fails even
though I explicitly have a request to allow it by source IP and port.

One thing that has just crossed my mind - BigIP listens at port 80,
does a redirect from HTTP to HTTPS and then from there it goes through
some proxies before hitting my application server at port 8001. I
would therefore guess that my rules should apply to 8001 (since
iptables is on application server).

Is there anything I am omitting? I'm going to persist in learning more
about iptables as it appears to be an art - but when I had my script
working on my laptop, and it tested fine on my LAN, I would have
expected it to work.

Can anyone help? It would be greatly appreciated,

Thanks,
Randell D.

#2
03-30-2007
Wolfgang Kueter
Re: simple iptables ruleset?

Randell D. wrote:

> [a totally inadequate problem description deleted]
> Can anyone help?


No. Because you described a technical problem in quite nice prose but
without providing even a single piece of information required to deal with
such problems.

So please describe your setup correctly:

Client IP, netmask, type of gateway(s) on the way from client to
destination, the destination IP, your iptables ruleset, the service you would
like to connect to, extracts from logfiles etc.

And please no more prose ...

In general: the last 2 rules of every chain should look something like:

iptables -A <chain> -j LOG
iptables -A <chain> -j DROP

This ensures that every packet that is dropped shows up in the logfile.

Wolfgang
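Putting the first post's three requirements and the reply's LOG-then-DROP tail together in one INPUT-chain script, as an added example that is not code from either poster: the subnets, the two ports and the 192.168.168.168 address are the thread's own examples; the /24 masks on the subnets, the loopback and ESTABLISHED/RELATED rules, the rate limit and log prefix, and the DRY_RUN switch (which prints the commands instead of executing them) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an INPUT-chain ruleset that
# implements the three requirements from the first post and ends with the
# LOG-then-DROP pair recommended in the reply.
# Assumptions: the trusted subnets are /24s, the admin address and ports are
# the thread's examples, and DRY_RUN=1 prints the commands instead of
# executing them (so the ruleset can be reviewed without root).

ADMIN_HOST="${ADMIN_HOST:-192.168.168.168}"   # address from the first post
ADMIN_PORTS="22 8001"                          # ssh and WebLogic

# Run iptables, or with DRY_RUN=1 print the command that would have run.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    ipt -F INPUT

    # Loopback and replies to connections this host opened must always pass;
    # without these, even DNS lookups from the server itself break.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The default policy is switched to DROP only after the two rules above,
    # so an existing ssh session survives the reload.
    ipt -P INPUT DROP

    # Requirement 1: 192.168.1.0/24 through 192.168.10.0/24, all ports.
    n=1
    while [ "$n" -le 10 ]; do
        ipt -A INPUT -s "192.168.$n.0/24" -j ACCEPT
        n=$((n + 1))
    done

    # Requirement 2: one address may open ssh and WebLogic connections.
    for port in $ADMIN_PORTS; do
        ipt -A INPUT -p tcp -s "$ADMIN_HOST" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Requirement 3, with the reply's advice: log what is about to be
    # dropped (rate-limited so a scan cannot flood the log), then drop it.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    ipt -A INPUT -j DROP
}

# Usage: DRY_RUN=1 sh ruleset.sh apply   (preview the commands)
#        sh ruleset.sh apply             (as root: applies the rules)
if [ "${1:-}" = "apply" ]; then
    build_ruleset
fi
```

The log tail is what answers the question the first post cannot: the kernel log lines prefixed `IPT-DROP:` carry the SRC address that actually reached the application server. A BigIP or reverse proxy that terminates the client connection and opens a new one to the backend presents its own address as SRC, not the client's, in which case a rule keyed on 192.168.168.168 never matches and the connection falls through to DROP. That is the first thing to check in the log before reworking the rules.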