Re: [SLUG] IPtables drops all

From: Derek Glidden (dglidden@illusionary.com)
Date: Thu Dec 13 2001 - 11:52:27 EST


On Wed, 2001-12-12 at 23:18, Larry Sanders wrote:
> Why is this packet, coming in on ppp0, dropped?? Why is this answer to a
> ping not being recognized as an answer to this ping?
> Derek, Thanks in advance.

You're welcome. :)

It looks like you're not allowing packets back into your network. If
you're using IPtables, then you can use stateful inspection to allow
"RELATED,ESTABLISHED" back in:

# Insert this line here to allow packets from
# established sessions back in
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# rule to log any not accepted
/sbin/iptables -A FORWARD -j LOG --log-prefix="FORWARD DROP:"
# rule to drop any not accepted
/sbin/iptables -A FORWARD -j DROP

You'll probably want to add a similar rule to your "INPUT" table, else
your firewall will never receive responses to things like DNS lookups
and so on.

If you make the 'state' check rule the first one in the chain, you save
a meager amount of processing power since most packets will be part of
an established session (it only takes three packets to set up a TCP
session...) and IPtables won't have to pass that packet through all
intervening rules first. Here is your modified ruleset:

# rc.firewall iptables to protect internal network
# by Derek Glidden at www.nks.net - July 2001
# add eth1 by Larry Sanders, Dec 2001
#
# turn forwarding off while vulnerable
echo "0" > /proc/sys/net/ipv4/ip_forward
#
/sbin/iptables -F # flush all rules
# rule to nat if from inside going out
/sbin/iptables -t nat -A POSTROUTING -o ppp0 \
 -s 192.168.27.0/24 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp0 \
 -s 192.168.127.0/24 -j MASQUERADE
# allow session-related packets through
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
   -j ACCEPT
# rule to accept if from inside with good ip
/sbin/iptables -A FORWARD -i eth0 -s 192.168.27.0/24 -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -s 192.168.127.0/24 -o ppp0 -j ACCEPT
# rule to log any not accepted
/sbin/iptables -A FORWARD -j LOG --log-prefix="FORWARD DROP:"
# rule to drop any not accepted
/sbin/iptables -A FORWARD -j DROP
#
# allow session-related packets back into the firewall
# (INPUT chain: this is the rule the firewall host itself needs)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED \
   -j ACCEPT
# rule to accept input from internal lan
# /sbin/iptables -A INPUT -i eth0 -s 192.168.27.0/24 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -s 192.168.127.0/24 -j ACCEPT
# rule to explicitly log and drop all others
# /sbin/iptables -A INPUT -j LOG --log-prefix="INPUT DROP:"
/sbin/iptables -A INPUT -j DROP
#
# turn on forwarding with wall constructed
echo "1" > /proc/sys/net/ipv4/ip_forward
echo iptables set for firewall in file rc.firewall
# end of firewall


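The mechanism Derek describes, as an added example that is not part of the original thread: a toy Python model of connection tracking and the poster's FORWARD chain, showing the echo reply arriving on ppp0 being dropped by the stateless chain and accepted once the ESTABLISHED,RELATED rule leads the chain. The interface names and the 192.168.27.0/24 network come from the post; the public addresses, the ICMP id and the simplified conntrack semantics are my assumptions.

```python
# Added example (not from the post): a toy model of netfilter connection tracking
# and the poster's FORWARD chain, showing why an ICMP echo reply arriving on ppp0
# is dropped unless an ESTABLISHED,RELATED rule exists. Public IPs are constructed.
from ipaddress import ip_address, ip_network
LAN = ip_network("192.168.27.0/24")

def forward_chain(stateful):
    # FORWARD chain from the post: accept LAN -> ppp0, drop the rest. With
    # stateful=True the state rule is placed first, as the reply recommends.
    rules = [{"in": "eth0", "src": LAN, "out": "ppp0", "target": "ACCEPT"},
             {"target": "DROP"}]
    if stateful:
        rules.insert(0, {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"})
    return rules

class Conntrack:
    """Minimal conntrack table: flow tuple -> whether a reply has been seen."""
    def __init__(self):
        self.flows = {}
    def state(self, pkt):
        orig = (pkt["src"], pkt["dst"], pkt["proto"], pkt["id"])
        rev = (pkt["dst"], pkt["src"], pkt["proto"], pkt["id"])
        if rev in self.flows:        # answer to a flow we already track
            self.flows[rev] = True
            return "ESTABLISHED"
        if self.flows.get(orig):     # original direction, reply already seen
            return "ESTABLISHED"
        return "NEW"                 # unknown, or not yet seen in both directions
    def confirm(self, pkt):          # an accepted packet gets its flow tracked
        self.flows.setdefault((pkt["src"], pkt["dst"], pkt["proto"], pkt["id"]), False)

def walk_chain(rules, ct, pkt):
    """First matching rule wins; an ACCEPT confirms the flow in conntrack."""
    state = ct.state(pkt)
    for r in rules:
        if "in" in r and r["in"] != pkt["in"]: continue
        if "out" in r and r["out"] != pkt["out"]: continue
        if "src" in r and ip_address(pkt["src"]) not in r["src"]: continue
        if "state" in r and state not in r["state"]: continue
        if r["target"] == "ACCEPT": ct.confirm(pkt)
        return r["target"]
    return "ACCEPT"  # built-in chain policy; the post never sets -P DROP

def ping_exchange(stateful):
    """Echo request from the LAN, then its reply from ppp0 (already un-NATed)."""
    ct, rules = Conntrack(), forward_chain(stateful)
    req = {"in": "eth0", "out": "ppp0", "src": "192.168.27.5",
           "dst": "198.51.100.7", "proto": "icmp", "id": 4242}
    rep = {"in": "ppp0", "out": "eth0", "src": "198.51.100.7",
           "dst": "192.168.27.5", "proto": "icmp", "id": 4242}
    return walk_chain(rules, ct, req), walk_chain(rules, ct, rep)
```

Run `ping_exchange(False)` and `ping_exchange(True)` to see the reply verdict flip from DROP to ACCEPT; an unsolicited NEW packet on ppp0 is still dropped by the stateful chain.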
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:13:11 EDT