[dundee] Help with iptables
Andersom Meise
anderson.meise at gmail.com
Fri Mar 23 12:01:24 UTC 2012
Hello everyone, how was the meeting last night? I regret I could not make
it . . .

For the last few DAYS I have been working on my firewall, and the last thing
I have to do is make my manager's Mac mini communicate with the Apple store.
The app loader needs to communicate with a series of Apple servers
(17.152.249.51 - 58) through port 33001 TCP and ports 33001-33500 UDP.

My default gateway has two network interfaces, one facing the WAN (ETH0) and the
other facing the LAN (ETH1), and everything is proxied with squid.
eth1 is behind NAT and has a DHCP server on it; everything works
just fine, I can give the manager's machine access to ssh out or ftp etc.
The problem is that the app loader that Apple provides HAS to have ALL access to
all the ports in the firewall.
I have tried:
iptables -I FORWARD -p udp -s MANAGER_IP --dport 0:65535 -i eth1 -o eth0 -m mac --mac-source MANAGER_MAC -j ACCEPT
iptables -I FORWARD -p tcp -s MANAGER_IP --dport 0:65535 -i eth1 -o eth0 -m mac --mac-source MANAGER_MAC -j ACCEPT
iptables -L FORWARD -nv
Chain FORWARD (policy DROP 1080 packets, 64708 bytes)
 pkts bytes target  prot opt in    out   source          destination
    0     0 ACCEPT  udp  --  eth1  eth0  manager-ip      0.0.0.0/0    udp manager_mac
    0     0 ACCEPT  tcp  --  eth1  eth0  manager-ip      0.0.0.0/0    tcp manager_mac
    1   176 ACCEPT  icmp --  *     *     0.0.0.0/0       0.0.0.0/0
   52  3451 ACCEPT  udp  --  eth1  eth0  0.0.0.0/0       0.0.0.0/0    udp dpt:53
    0     0 ACCEPT  all  --  ppp+  eth0  192.168.1.0/24  0.0.0.0/0
    0     0 ACCEPT  tcp  --  eth1  eth0  manager-ip      0.0.0.0/0    tcp dpt:22
    0     0 ACCEPT  tcp  --  eth1  eth0  manager-ip      0.0.0.0/0    tcp dpt:22
    0     0 ACCEPT  tcp  --  eth1  eth0  manager-ip      0.0.0.0/0    tcp dpt:21
    0     0 ACCEPT  tcp  --  eth1  eth0  manager-ip      0.0.0.0/0    tcp dpt:21
  501  402K ACCEPT  all  --  *     *     0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
I have tested the machine's connectivity; it has ssh, ftp, http and https
access to everything on the net, but the app refuses to connect to the
Apple servers. The only error that I get from the app is "TCP/IP
connectivity failed".
The network settings for the machine are set to http and https
through the proxy, and everything else connects directly through the
firewall.

Does anyone have any ideas what I am missing?

Thanks for your time
Roddy
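The following is an added example, not the original poster's rules. Instead of opening every destination port for the manager's host, it generates a ruleset that lets one LAN host (matched by both source IP and MAC) reach only the Apple range on the ports the app loader is said to need, and it handles NAT and return traffic explicitly. Interface names, the destination range and the port numbers are taken from the post; MANAGER_IP and MANAGER_MAC are placeholders to override from the environment, and the script assumes an iptables build with the `-C` (check) option and the `conntrack` and `iprange` matches. Because the listing above shows the manager rules with zero matched packets and duplicated dpt:22/dpt:21 rules, each rule is guarded with `-C` so re-running the script does not pile up duplicates, and `show_checks` prints the commands for finding out whether the traffic is being diverted (for example by a nat PREROUTING redirect to squid) before it ever reaches FORWARD.

```shell
#!/bin/sh
# Added example (not the poster's configuration). Generates iptables rules that
# let one LAN host reach the Apple server range on the app loader's ports.
# Interface names, destination range and ports are from the mailing-list post;
# MANAGER_IP and MANAGER_MAC below are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
MANAGER_IP="${MANAGER_IP:-192.168.1.50}"          # assumed placeholder
MANAGER_MAC="${MANAGER_MAC:-00:11:22:33:44:55}"   # assumed placeholder
APPLE_RANGE="17.152.249.51-17.152.249.58"
TCP_PORTS="33001"
UDP_PORTS="33001:33500"

# build_rules prints the iptables commands instead of running them, so they can
# be reviewed first and then applied as root (APPLY=1 at the bottom does that).
# Every FORWARD/NAT rule is guarded with -C so a second run adds no duplicates.
build_rules() {
  cat <<EOF
iptables -N APPLE_LOADER 2>/dev/null || iptables -F APPLE_LOADER
iptables -A APPLE_LOADER -p tcp -m iprange --dst-range $APPLE_RANGE --dport $TCP_PORTS -j ACCEPT
iptables -A APPLE_LOADER -p udp -m iprange --dst-range $APPLE_RANGE --dport $UDP_PORTS -j ACCEPT
iptables -A APPLE_LOADER -j RETURN
iptables -C FORWARD -i $LAN_IF -o $WAN_IF -s $MANAGER_IP -m mac --mac-source $MANAGER_MAC -j APPLE_LOADER 2>/dev/null || iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -s $MANAGER_IP -m mac --mac-source $MANAGER_MAC -j APPLE_LOADER
iptables -C FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -C POSTROUTING -o $WAN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# show_checks prints the commands to run when the rule counters stay at 0:
# whether a nat PREROUTING rule (e.g. a transparent proxy redirect) diverts the
# traffic before FORWARD sees it, where the new rules sit in FORWARD, and
# whether the host's packets are arriving on the LAN interface at all.
show_checks() {
  cat <<EOF
iptables -t nat -L PREROUTING -nv --line-numbers
iptables -L FORWARD -nv --line-numbers
tcpdump -ni $LAN_IF host $MANAGER_IP and port $TCP_PORTS
EOF
}

# Default is a dry run that only prints the rules; APPLY=1 pipes them to sh.
if [ "${APPLY:-0}" = 1 ]; then
  build_rules | sh
else
  build_rules
fi
```

Run it once without `APPLY` to review the rules, then `MANAGER_IP=... MANAGER_MAC=... APPLY=1 sh script.sh` as root. If the new APPLE_LOADER counters still read 0 afterwards, the commands from `show_checks` tell you whether the packets are being redirected in the nat table or never reach the gateway's LAN interface.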