[ydl-gen] iptables suddenly rejecting ping traffic

Derick Centeno aguilarojo at verizon.net
Mon May 15 21:52:00 MDT 2006


Hi Chris:

May I respectfully suggest a completely different approach?

My reasoning for doing so follows this path: maintaining a software 
firewall can be extremely challenging.  It can be tricked or hacked, and 
of course there are unintentional errors, even if one installs one or 
another piece of software -- say Tripwire -- to watch it and any 
changes to your system for you.

The alternative is to go to a hardwired firewall, plug it in and go 
about your business, dedicating your time to something else which 
absolutely requires your attention.
  This little device has done its job time and time again (for me) and 
for others, and maybe if you consider it, you'll discover more time for 
other issues.  The really hot thing about this device is that it does 
way more than what iptables can do for you anyway, and the device works 
independently of any operating system.  It is designed to work on 
networks faster than dial-up, so it can sit between the incoming signal 
and the router feeding the rest of the network, which means that anything 
coming past the device to the router is clean.  So anything connected 
to that router -- wireless or otherwise -- is also clean as far as the 
signals it is receiving.  Of course, making sure the internal nets 
are clean is the job of the sysadmin.

Here's the link for you to review and consider:

http://www.thinkgeek.com/computing/accessories/75f3/

Of course, you could refer to IPCop.org, netfilter.org, or tldp.org ... 
but after the Stingray, all of that will become mere reference 
material.

Best wishes.... Derick.

On May 15, 2006, at 9:28 AM, Chris St. Pierre wrote:

> Last week, I brought up iptables on my YDL 4 box with a very basic
> configuration, and all was working well.  This morning, at about 8 am,
> it randomly started rejecting ping traffic.  Restarting iptables did
> not solve the problem.  My iptables configuration has not changed
> since Thursday afternoon.  Here's my /etc/sysconfig/iptables:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5308 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> As you can see, this is a very basic configuration that works on many
> other hosts -- and, in fact, worked on this host for a while, too.
> Any ideas?  Thanks!
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
> _______________________________________________
> yellowdog-general mailing list
> yellowdog-general at lists.terrasoftsolutions.com
> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
> HINT: to Google archives, try  '<keywords> site:terrasoftsolutions.com'
>
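Added example (editor's code, not from either message in the thread): a small checker for the question Chris is really asking, "which rule is deciding my ping?". It parses the iptables-save format the quoted /etc/sysconfig/iptables uses, walks a packet through INPUT and the RH-Firewall-1-INPUT chain to report the rule that terminates it, and diffs per-rule packet counters between two `iptables-save -c` snapshots. The ruleset embedded below is the one from the post; the "running" ruleset, the counter values and the five echo-requests between snapshots are a constructed scenario (the loaded rules missing the ICMP line) chosen only to show what the output looks like when the file and the kernel disagree, not a claim about what happened on Chris's box. Only the options used in that ruleset (-i, -p, -m state/--state, -m tcp/--dport, --icmp-type, -j, --reject-with) are understood; anything else raises.

```python
# Added example, not code from the thread: walk a packet through an iptables-save
# ruleset and diff rule counters between two "iptables-save -c" snapshots.
import re

RULE_RE = re.compile(r'^(?:\[(\d+):\d+\]\s+)?-A\s+(\S+)\s+(.*)$')   # [pkts:bytes] -A CHAIN opts
PROTO = {'icmp': 1, 'tcp': 6, 'udp': 17, 'esp': 50, 'ah': 51}
TERMINAL, SUPPORTED = {'ACCEPT', 'DROP', 'REJECT'}, {'-j', '-i', '-p', '-m', '--state', '--dport', '--icmp-type', '--reject-with'}

# The ruleset posted in the question, verbatim.
SAVED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5308 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_ruleset(text):
    """Return {chain: {'policy': str, 'rules': [(option tokens, pkts)]}} from iptables-save text."""
    chains = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if line.startswith(':'):                      # chain declaration: ":NAME POLICY [p:b]"
            name, policy = line[1:].split()[:2]
            chains[name] = {'policy': policy, 'rules': []}
        elif m:                                       # rule line, counter optional (-c output)
            chains[m.group(2)]['rules'].append((m.group(3).split(), int(m.group(1) or 0)))
    return chains

def rule_matches(toks, pkt):
    """Evaluate one rule's options against pkt; return (matched, target)."""
    target = None
    for opt, arg in zip(toks[::2], toks[1::2]):      # every supported option takes one argument
        miss = (opt == '-i' and arg != pkt['iface']
                or opt == '-p' and int(PROTO.get(arg, arg)) != PROTO[pkt['proto']]
                or opt == '--state' and pkt['state'] not in arg.split(',')
                or opt == '--dport' and pkt.get('dport') != int(arg)
                or opt == '--icmp-type' and arg not in ('any', pkt.get('icmp_type')))
        if miss:
            return False, None
        if opt == '-j':
            target = arg
        elif opt not in SUPPORTED:
            raise ValueError('unsupported option ' + opt)
    return True, target

def walk(chains, chain, pkt):
    """Follow pkt through chain; return (verdict, chain, rule no.), or None when a user chain falls through."""
    for idx, (toks, _) in enumerate(chains[chain]['rules'], 1):
        matched, target = rule_matches(toks, pkt)
        if matched and target in TERMINAL:
            return target, chain, idx
        if matched and target == 'RETURN':
            break
        if matched and target in chains:              # jump into a user-defined chain
            result = walk(chains, target, pkt)
            if result is not None:
                return result
    policy = chains[chain]['policy']
    return None if policy == '-' else (policy, chain, None)

def counter_deltas(before_text, after_text):
    """Rules whose packet counter grew between two -c snapshots: [(chain, rule, packets)]."""
    before = {(c, ' '.join(t)): p for c, ch in parse_ruleset(before_text).items()
              for t, p in ch['rules']}
    return [(c, ' '.join(t), p - before.get((c, ' '.join(t)), 0))
            for c, ch in parse_ruleset(after_text).items()
            for t, p in ch['rules'] if p > before.get((c, ' '.join(t)), 0)]

def snapshot(rule_text, counts):
    """Build constructed 'iptables-save -c' text with counts[i] packets on the i-th -A rule."""
    out, i = [], 0
    for line in rule_text.splitlines():
        if line.startswith('-A'):
            out.append('[%d:%d] %s' % (counts[i], 84 * counts[i], line))
            i += 1
        else:
            out.append(line)
    return '\n'.join(out)

# Constructed scenario: the loaded rules lack the ICMP line; five echo-requests arrive between snapshots.
RUNNING_RULES = '\n'.join(l for l in SAVED_RULES.splitlines() if '--icmp-type' not in l)
BEFORE = snapshot(RUNNING_RULES, [200, 0, 40, 0, 0, 150, 3, 9, 0, 0, 0, 0, 12])
AFTER = snapshot(RUNNING_RULES, [205, 0, 40, 0, 0, 150, 3, 9, 0, 0, 0, 0, 17])
PING = {'iface': 'eth0', 'proto': 'icmp', 'icmp_type': 'echo-request', 'state': 'NEW'}

if __name__ == '__main__':
    print('saved file :', walk(parse_ruleset(SAVED_RULES), 'INPUT', PING))
    print('running set:', walk(parse_ruleset(RUNNING_RULES), 'INPUT', PING))
    for chain, rule, n in counter_deltas(BEFORE, AFTER):
        print('%s: +%d pkts on %s' % (chain, n, rule))
```

On a real host the two inputs come from `iptables-save -c` run before and after `ping -c 5` from another machine; the rule whose counter grows by five is the one answering, and if that is the final REJECT while the file still says ICMP is accepted at rule 2, the kernel is not running the file you are reading. When comparing the two texts by eye, allow for iptables-save canonicalising options (it emits `-p icmp -m icmp --icmp-type any` and reorders `-p tcp` ahead of `-m state`), so do not expect byte-identical lines. Also worth checking: a reject produced by this ruleset shows up in ping's output as "From <address> ... Destination Host Prohibited", and that address tells you whether the rejecting host is this box at all.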


