simple iptables ruleset? - Networking


Thread: simple iptables ruleset?

  1. simple iptables ruleset?

    Folks,
    This is driving me up the wall... I've written a script which appears
    to work on my LAN - I can successfully accept/deny folks either by
    their IP, network and port - however when I try it in a live
    environment, it stops all traffic.

    There are too many fences between me and the outside world (BigIP and
    reverse proxies for example) so I don't know what might be happening
    to the packets as they come in so I'm wondering if someone can help me
    write up a ruleset to do the following:

    1. Allow all traffic from a selection of IP subnets (for example,
    allow 192.168.1.0 through to 192.168.10.0). They should have full access
    to all ports.
    2. Allow access to port 22 (ssh) and 8001 (weblogic) using tcp/http
    traffic from a specific IP address (for example 192.168.168.168).
    3. Deny everything else.

    What is known: When traffic goes through my BigIPs and proxies and other
    fences between me and the outside world, their IP address is carried.
    I've tested this via a dialup internet GPRS connection using my laptop.
    As soon as I switch off iptables, access to my web based app works -
    as soon as I enable the firewall, access to my web app fails even
    though I explicitly have a request to allow it by source IP and port.

    One thing that has just crossed my mind - BigIP listens at port 80,
    does a redirect from HTTP to HTTPS and then from there it goes through
    some proxies before hitting my application server at port 8001. I
    would therefore guess that my rules should apply to 8001 (since
    iptables is on application server).

    Is there anything I am omitting? I'm going to persist in learning more
    about iptables as it appears to be an art - but when I had my script
    working on my laptop, and it tested fine on my LAN, I would have
    expected it to work.

    Can anyone help? It would be greatly appreciated,

    Thanks,
    Randell D.
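A ruleset that implements the three requirements listed in the post, written here as an added example rather than the poster's own script. It prints the iptables commands so they can be reviewed before being applied (and so it can be run without root); `apply` pipes them into sh. Assumptions not in the post: only the INPUT chain on the application server matters, the trusted subnets are /24s, the "IPT-DROP: " log prefix and the rate limit are arbitrary choices, and iptables is on PATH. Two rules the requirements leave out are included because a chain that accepts only the listed sources otherwise also drops loopback traffic and the replies to connections the server opens itself (a DNS lookup, for instance). One caveat worth keeping in mind with load balancers and reverse proxies in the path: where a device terminates the TCP connection, the source address iptables sees is that device's, not the original client's, and the SRC= field of the LOG line shows which address actually arrived.

```shell
#!/bin/sh
# Added example (not the poster's script): build the INPUT ruleset from the
# three requirements in the post. Assumptions: the box only needs inbound
# filtering, the trusted subnets are /24s, and iptables is on PATH.
# Running it prints the rules; "apply" pipes them into sh (run that as root).

IPT="${IPT:-iptables}"
TRUSTED_PREFIX="192.168"          # 192.168.1.0/24 .. 192.168.10.0/24 (requirement 1)
TRUSTED_FIRST=1
TRUSTED_LAST=10
ADMIN_HOST="192.168.168.168"      # may reach ssh and weblogic only (requirement 2)
ADMIN_PORTS="22 8001"
LOG_PREFIX="IPT-DROP: "           # assumed prefix; grep for it in kern.log / dmesg

# Print one iptables command per line. Order matters: iptables stops at the
# first matching rule, so the accept rules come before the log-and-drop tail.
build_rules() {
    echo "$IPT -F INPUT"
    echo "$IPT -P INPUT DROP"
    # Loopback and replies to connections this server opened itself (DNS,
    # NTP, ...). Without these two rules a DROP policy breaks the box even
    # though nothing in the requirements mentions them.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Requirement 1: the trusted subnets get everything
    i=$TRUSTED_FIRST
    while [ "$i" -le "$TRUSTED_LAST" ]; do
        echo "$IPT -A INPUT -s ${TRUSTED_PREFIX}.${i}.0/24 -j ACCEPT"
        i=$((i + 1))
    done
    # Requirement 2: one host, two TCP ports
    for port in $ADMIN_PORTS; do
        echo "$IPT -A INPUT -p tcp -s ${ADMIN_HOST} --dport ${port} -j ACCEPT"
    done
    # Requirement 3: log, then drop, everything that fell through. The limit
    # keeps a flood from filling the log; the explicit DROP rule duplicates
    # the policy so the chain itself states its last action.
    echo "$IPT -A INPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix \"${LOG_PREFIX}\" --log-level 4"
    echo "$IPT -A INPUT -j DROP"
}

# Apply the generated rules; stop at the first command iptables rejects.
apply_rules() {
    build_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Review the printed rules first (`sh ruleset.sh`), then `sh ruleset.sh apply` as root. Because the script prints rather than executes, it is also easy to diff against `iptables -S INPUT` later to confirm what is actually loaded.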


  2. Re: simple iptables ruleset?

    Randell D. wrote:

    > [a totally inadequate problem description deleted]
    > Can anyone help?


    No. Because you described a technical problem in quite nice prose but
    without providing even a single piece of information required to deal with
    such problems.

    So please describe your setup correctly:

    Client-IP, netmask, type of gateway(s) on the ways from client to
    destination, the destination IP, your iptables ruleset, service you like to
    connect to, extract from logfiles etc.

    And please no more prose ...

    In general: the last 2 rules of every chain should look something like:

    iptables -A INPUT -j LOG    # INPUT shown; the same tail goes on FORWARD and OUTPUT
    iptables -A INPUT -j DROP

    This ensures that every packet that is dropped shows up in the logfile.

    Wolfgang
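Once the LOG rule is in place, the kernel log answers the question the first post could not: which source, protocol and port was dropped. The following is an added example, not something from the thread, that summarises those lines; the log lines are constructed for this example and the "IPT-DROP: " prefix is an assumption (use whatever `--log-prefix` the LOG rule was given).

```shell
#!/bin/sh
# Added example (not from the thread): summarise what the LOG rule wrote to
# the kernel log, so "the firewall stops all traffic" turns into a list of
# source, protocol and destination port that was actually dropped.
# The lines below are constructed; the prefix is an assumption.

LOG_PREFIX="IPT-DROP: "

# Constructed sample of what the LOG target writes (kern.log / dmesg).
SAMPLE_LOG='Mar  3 10:15:01 app1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=10.0.5.12 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=31337 DF PROTO=TCP SPT=45120 DPT=8001 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 app1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=10.0.5.12 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=31338 DF PROTO=TCP SPT=45121 DPT=8001 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:05 app1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.7 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:09 app1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=192.168.50.1 DST=192.168.50.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=41234 LEN=64
Mar  3 10:16:00 app1 kernel: eth0: link is up'

# Read kernel-log lines on stdin, keep those carrying the prefix given as $1
# (default: LOG_PREFIX) and print "count SRC PROTO DPT", most frequent first.
# Lines without a SRC= field (other kernel messages) are ignored.
drop_summary() {
    prefix="${1:-$LOG_PREFIX}"
    grep -F -- "$prefix" | awk '
        {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo on the constructed sample. On a real box:
#   dmesg | drop_summary            or     grep 'IPT-DROP' /var/log/kern.log | drop_summary
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

The constructed sample illustrates the two things such a summary tends to reveal. Repeated drops on 8001 from a single address that is not the end user's is the address the device in front of the server connects from; if that device terminates the TCP connection, it is the address the accept rule has to name. A dropped UDP packet with SPT=53 is a DNS reply to a query the server itself sent, which is what happens when a DROP policy is not accompanied by a rule accepting ESTABLISHED,RELATED traffic.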
