Basic IPTables Question

Listman fedora at linsolutions.com
Tue Aug 31 11:10:27 UTC 2004


On Mon, 2004-08-30 at 19:08, Aly Dharshi wrote:
> Hi Folks,
> 
> 	I am new to the world of IPTables and I have rules such as:
> 
> iptables -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "IPTABLES TCP-IN" --log-level 1
> 
> 	Where can I see these logs? I assumed that they would be in /var/log/messages,
> but nothing shows.
> 
> 	Secondly, on this same box that is running this firewall I have a mail server
> that just sends mail out. If I try to send a message from the box to the local
> smtpd on the box, it just sits there. These are all my rules:
> 
> -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
> -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "IPTABLES TCP-IN" --log-level 1
> -A INPUT -d 161.184.244.187 -i eth0 -p udp -m state --state ESTABLISHED -j ACCEPT
> -A INPUT -d 161.184.244.187 -i eth0 -p udp -m state --state ESTABLISHED -j LOG --log-prefix "IPTABLES UDP-IN" --log-level 1
> -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j LOG --log-prefix "IPTABLES SSH-IN" --log-level 1
> -A OUTPUT -s 161.184.244.187 -o eth0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 161.184.244.187 -o eth0 -p tcp -m state --state NEW,ESTABLISHED -j LOG --log-prefix "IPTABLES TCP-OUT" --log-level 1
> -A OUTPUT -s 161.184.244.187 -o eth0 -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 161.184.244.187 -o eth0 -p udp -m state --state NEW,ESTABLISHED -j LOG --log-prefix "IPTABLES UDP-OUT" --log-level 1
> 
> 	What am I doing wrong? Should I have a rule to allow incoming 25 on tcp, as I
> have listed the full hostname in the mail settings?
> 
> 	Cheers,
> 
> 	Aly.
> 
> 
> -- 
> Aly Dharshi
> aly.dharshi at telus.net

I would recommend you start by using a tool that sets your rules up for
you at first until you are clear on what the rules do.

I noticed also that you are using -d on input rules; unless you have
some PREROUTING chain requirement or a non ethernet/ppp type interface,
this is pointless. Also, use of the OUTPUT chain has very very specific
applications; I would be surprised if your criteria require it.

Also, for logging to work properly the log rule must be above what it is
trying to log. Once a rule is matched/hit, packets are no longer processed
within that chain.

For security related stuff, always confirm information you are given.
For iptables related stuff, the netfilter list is the place to be.



Ted
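The ordering point Ted makes above is easy to check with a small model of how a netfilter chain is walked. The following is an added example, not code from the thread: rules are tested top to bottom, ACCEPT/DROP/REJECT end the walk, and LOG is a non-terminating target, so a LOG rule placed below an ACCEPT with the same match is never reached, while a LOG rule placed above it fires and then falls through to the ACCEPT. The same model shows why mail to the local smtpd stalls: every posted INPUT rule matches only `-i eth0`, so a connection the box makes to itself (which arrives on `lo`) matches nothing and falls to the chain policy. The DROP policy and the `-i lo -j ACCEPT` fix are assumptions; the original post does not state its policy.

```python
# Added example (not from the thread): a toy model of how netfilter walks a
# chain.  Rules are tested in order; ACCEPT/DROP/REJECT end the walk, LOG does
# not, so a LOG rule placed after a matching ACCEPT is never reached.
from typing import Dict, List, Optional, Set, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


class Rule:
    """One iptables rule, reduced to the match fields used in the thread."""

    def __init__(self, target: str, iface: Optional[str] = None,
                 proto: Optional[str] = None, state: Optional[Set[str]] = None,
                 dport: Optional[int] = None, log_prefix: str = "") -> None:
        self.target = target          # -j
        self.iface = iface            # -i (None matches any interface)
        self.proto = proto            # -p
        self.state = state            # -m state --state
        self.dport = dport            # --dport
        self.log_prefix = log_prefix  # --log-prefix

    def matches(self, pkt: Dict[str, object]) -> bool:
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.state is None or pkt["state"] in self.state)
                and (self.dport is None or pkt["dport"] == self.dport))


def walk_chain(rules: List[Rule], pkt: Dict[str, object],
               policy: str = "DROP") -> Tuple[str, List[str]]:
    """Return (verdict, log lines) for one packet.  A DROP chain policy is
    assumed here; the original post does not state it."""
    logs: List[str] = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logs.append(f"{rule.log_prefix} IN={pkt['iface']} "
                        f"PROTO={pkt['proto']} DPT={pkt['dport']}")
            continue                  # LOG is non-terminating: keep walking
        if rule.target in TERMINATING:
            return rule.target, logs  # first terminating match decides
    return policy, logs               # nothing terminating matched


# The INPUT chain as posted: ACCEPT sits above the LOG rule for the same match.
AS_POSTED = [
    Rule("ACCEPT", iface="eth0", proto="tcp", state={"ESTABLISHED"}),
    Rule("LOG", iface="eth0", proto="tcp", state={"ESTABLISHED"},
         log_prefix="IPTABLES TCP-IN"),
    Rule("ACCEPT", iface="eth0", proto="tcp", state={"NEW"}, dport=22),
    Rule("LOG", iface="eth0", proto="tcp", state={"NEW"}, dport=22,
         log_prefix="IPTABLES SSH-IN"),
]

# Same rules with each LOG moved above the ACCEPT it is meant to record.
LOG_FIRST = [AS_POSTED[1], AS_POSTED[0], AS_POSTED[3], AS_POSTED[2]]

# Hypothetical fix for the local mail problem: accept loopback traffic first.
# The posted rules only match -i eth0, so a connection from the box to its own
# smtpd (which arrives on lo) never matches and falls through to the policy.
WITH_LOOPBACK = [Rule("ACCEPT", iface="lo")] + LOG_FIRST

# Constructed packets: an established HTTPS reply and a local SMTP connection.
ESTABLISHED_TCP = {"iface": "eth0", "proto": "tcp",
                   "state": "ESTABLISHED", "dport": 443}
LOCAL_SMTP = {"iface": "lo", "proto": "tcp", "state": "NEW", "dport": 25}

if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("LOG first", LOG_FIRST),
                        ("with loopback", WITH_LOOPBACK)):
        print(name, walk_chain(chain, ESTABLISHED_TCP),
              walk_chain(chain, LOCAL_SMTP))
```

Run as a script it prints the verdict and log lines for each chain: the posted order accepts the established packet without ever logging it, the reordered chain logs then accepts, and only the chain with the loopback rule lets the local SMTP connection through.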