[Wylug-help] Access through firewall

Dylan fritz at ananzi.co.za
Thu Mar 11 21:06:30 GMT 2004


I've set up a new firewall on my router using fwbuilder, as I was not
happy with the Redhat 9.0 Lokkit. I understand the basics of iptables,
but I chose to use fwbuilder to give me a little more control.

I have a basic system: a box with two NICs, running Redhat 9.0; a simple
home network on the eth0 (192.168.0.0) and an NTL cable modem connected
to eth1.

I've set up the firewall so that everything is working except for one
small problem: I can't access the internet (or anything outside, for
that matter) from the router itself. I don't use it that often, except
for accessing the RHN or downloading new RPMs etc. All the rest of my
surfing, email etc. I do from other computers on the network. All the
other computers are working fine, so the NAT and masquerading (is it the
same thing?) are set right. I've checked the firewall from the outside,
too, and it is nicely secure.

Does anyone have a suggestion as to why my router machine can't access
the internet? I've set the following parameters, which I thought would
allow this:

$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -p icmp -s 81.1.x.x --icmp-type 8/0 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p icmp -s 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p tcp -m multiport -s 81.1.x.x --destination-port 80,443,53 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p tcp -m multiport -s 192.168.1.1 --destination-port 80,443,53 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p udp -m multiport -s 81.1.x.x --destination-port 53,68,67 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p udp -m multiport -s 192.168.1.1 --destination-port 53,68,67 -m state --state NEW -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A RULE_1 -j ACCEPT

The 81.1.x.x just represents my external ip for the purpose of this
email. Call me paranoid.

If you'd like to see my entire firewall script, I could send another
email with it included.

Thanks,

Dylan (The new guy with the mustard jersey at the last meeting)
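As an added illustration (not part of the post above, and not the poster's ruleset), the toy model below walks the router's own TCP handshake through an OUTPUT chain built from the quoted rules and an assumed INPUT chain with a DROP policy and connection tracking. It shows that accepting NEW in OUTPUT is only half the story: the reply must also pass INPUT as ESTABLISHED, and the packet's source address has to be one the rules actually match. The addresses 81.1.0.1 (standing in for 81.1.x.x), 198.51.100.10 and the source port are constructed.

```python
# Toy model of an iptables OUTPUT/INPUT pair with connection tracking.
# Constructed example; addresses, ports and the INPUT chain are assumptions.

ROUTER_ADDRS = {"81.1.0.1", "192.168.1.1"}  # 81.1.0.1 stands in for 81.1.x.x
ALLOWED_TCP_DPORTS = {80, 443, 53}            # from the quoted multiport rules

def conntrack_state(pkt, table):
    """Return NEW or ESTABLISHED for pkt, recording new flows in the table."""
    flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if flow in table or reverse in table:
        return "ESTABLISHED"
    table.add(flow)
    return "NEW"

def output_chain(pkt, state, accept_established):
    """The quoted OUTPUT rules: NEW tcp from a router address to 80/443/53."""
    if accept_established and state == "ESTABLISHED":
        return "ACCEPT"
    if (state == "NEW" and pkt["proto"] == "tcp"
            and pkt["src"] in ROUTER_ADDRS
            and pkt["dport"] in ALLOWED_TCP_DPORTS):
        return "ACCEPT"   # RULE_1: LOG, then ACCEPT
    return "DROP"         # assumed chain policy

def input_chain(pkt, state, accept_established):
    """INPUT is not shown in the post; assume DROP policy plus an optional
    ESTABLISHED,RELATED rule, which is what the reply traffic needs."""
    if accept_established and state == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"

def handshake(src, accept_established=True, dst="198.51.100.10", dport=80):
    """Walk SYN / SYN-ACK / ACK through the chains; return (ok, detail)."""
    table = set()
    steps = [("OUTPUT", src, 40001, dst, dport, "SYN"),
             ("INPUT", dst, dport, src, 40001, "SYN-ACK"),
             ("OUTPUT", src, 40001, dst, dport, "ACK")]
    for chain, s, sp, d, dp, flag in steps:
        pkt = {"src": s, "sport": sp, "dst": d, "dport": dp, "proto": "tcp"}
        state = conntrack_state(pkt, table)
        rule = output_chain if chain == "OUTPUT" else input_chain
        if rule(pkt, state, accept_established) != "ACCEPT":
            return False, f"{flag} dropped in {chain} (state {state})"
    return True, "handshake completed"

if __name__ == "__main__":
    print(handshake("192.168.1.1"))
    print(handshake("192.168.1.1", accept_established=False))
    print(handshake("192.168.0.1"))
```

Running it with a source address outside ROUTER_ADDRS (for instance an address on the 192.168.0.0 LAN) shows the SYN dropped in OUTPUT, while omitting the ESTABLISHED rule shows the SYN-ACK dropped in INPUT.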
