Thanks!
No the iptables rules were created incorrectly :) I changed the order to:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
The reason was that I added the port 80 and 443 accept lines in a rush last week.
I get this when I remove the nf_conntrack modules:
rmmod nf_conntrack nf_conntrack_ipv4
ERROR: Module nf_conntrack is in use by nf_conntrack_ipv4,xt_state
nf_conntrack gets removed but nf_conntrack_ipv4 is used by xt_state and cannot be removed.
By checking the conntrack counter (net.netfilter.nf_conntrack_count = 0) I drew the conclusion that conntrack got disabled after all.
Kindly
//Marcus
On Wed, Oct 1, 2008 at 9:03 PM, Benoit <maverick#maverick.eu.org> wrote:
> Marcus Herou a écrit :
>
>> Hi.
>>
>> These are my rules, few and simple.
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
>> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
>> denied: " --log-level 7
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> iptables -A INPUT -j DROP -i eth1
>>
>> Perhaps I should drop the second rule about ESTABLISHED since I never
>> login from the internet? Let's say I do that, how do I then disable
>> conntrack?
>>
>
> Well, as soon as you drop the ESTABLISHED,RELATED line you will be
> able to rmmod the conntrack modules
> ( lsmod | grep nf_conntrack ), and this will be enough for the job.
>
> Apart from that, your current iptables rules are wrong (maybe a copy/paste
> error): the position of the LOG line makes it log every accepted http request.
> If your OUTPUT policy is ACCEPT then you should be ok.
>
>
--
Marcus Herou CTO and co-founder Tailsweep AB +46702561312 marcus.herou#tailsweep.com http://www.tailsweep.com/ http://blogg.tailsweep.com/
Received on 2008/10/01 22:12
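The ordering problem Benoit points out (LOG placed before the port 80 ACCEPT, so every new web connection is logged) and the effect of Marcus's reordering can be checked with a small first-match simulator of the INPUT chain. This is an added example, not code from the thread; it assumes packets are plain dicts, that `-m limit` only rate-limits the LOG rule and so can be ignored for deciding which packets reach it, and that an unmatched packet falls through to the chain policy (shown as `POLICY`).

```python
import ipaddress

def rule_matches(match, pkt):
    """True when every field in the rule's match dict agrees with the packet."""
    for key, want in match.items():
        if key == "src":  # -s takes a network: test containment, not equality
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def walk_chain(rules, pkt):
    """Return the targets a packet hits, in order. LOG is non-terminating, so
    the walk continues after it; any other target ends the walk. A packet that
    matches no rule falls through to the chain policy ('POLICY')."""
    hit = []
    for match, target in rules:
        if rule_matches(match, pkt):
            hit.append(target)
            if target != "LOG":
                return hit
    hit.append("POLICY")
    return hit

# The original INPUT chain from the quoted mail (-m limit omitted: it only
# rate-limits the LOG rule and does not change which packets reach it).
ORIGINAL = [
    ({"iface": "lo"}, "ACCEPT"),
    ({"state": "ESTABLISHED"}, "ACCEPT"),
    ({"src": "192.168.10.0/24"}, "ACCEPT"),
    ({}, "LOG"),
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"iface": "eth1"}, "DROP"),
]

# Marcus's reordered chain: the ACCEPT rules for 80 and 443 now precede LOG.
REORDERED = [
    ({"iface": "lo"}, "ACCEPT"),
    ({"src": "192.168.10.0/24"}, "ACCEPT"),
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "dport": 443}, "ACCEPT"),
    ({}, "LOG"),
]

# Constructed samples: a new HTTP connection and an SSH attempt, both arriving
# from the internet on eth1 (addresses and interface names are made up).
HTTP_SYN = {"iface": "eth1", "src": "203.0.113.5", "proto": "tcp", "dport": 80, "state": "NEW"}
SSH_SYN = {"iface": "eth1", "src": "203.0.113.5", "proto": "tcp", "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    print("original :", walk_chain(ORIGINAL, HTTP_SYN))   # ['LOG', 'ACCEPT']
    print("reordered:", walk_chain(REORDERED, HTTP_SYN))  # ['ACCEPT']
```

With the reordered list an unwanted packet such as the SSH sample is logged and then reaches the chain policy, so the INPUT policy (or a trailing DROP rule) decides its fate.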
This archive was generated by hypermail 2.2.0 : 2008/10/01 22:16 CEST