[NBLUG/talk] iptables guidance/guru?

Tim C. Lewis tclewis at oreilly.com
Mon Feb 12 14:25:16 PST 2007



On Mon, 12 Feb 2007, Glen Gunsalus wrote:
> > test with no firewall rules before adding them -- stop the firewall
> > service, see if traffic routes under those circumstances before moving
> > forward with drop/deny rules.
>
> Well, it's not a "service" under OpenWrt, rather a startup script with
> multiple calls to iptables.  I tried deleting/flushing all tables, but then
> couldn't talk to the box anymore.

ah.  the policies in the filter table may be DROP instead of ACCEPT, 
leaving you dead in the water if you flush.  this might help:
iptables -t filter -P INPUT ACCEPT;
iptables -t filter -P OUTPUT ACCEPT;
iptables -t filter -P FORWARD ACCEPT;
then you can flush:
iptables -t filter -F;

and you should be back to 0 filter rules.

without seeing what the builtin rules are, it's hard to give suggestions 
on what (and more importantly where in the chain) to add to allow traffic 
between your networks, but probably something along the lines of:
iptables -t filter -A FORWARD -i vlan1 -s 10.42.14.0/255.255.255.192 \
    -o vlan3 -d 10.42.14.128/255.255.255.192 -j ACCEPT;

but repeated for each network-to-network, or a more general rule to allow 
traffic within 10.42.14.128/255.255.255.0 entirely, like:
iptables -t filter -A FORWARD -s 10.42.14.0/24 -d 10.42.14.0/24 -j ACCEPT;
and then perhaps specifically deny it from interfaces that 10.42.14.0/24 
shouldn't be coming from, if any (but those rules should be before this 
one in the chain).

-tcl.
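An added example (not code from the thread): a small Python simulation of first-match evaluation in the FORWARD chain, using the post's per-pair vlan1/vlan3 rule and the general 10.42.14.0/24 allow, that shows why the interface-specific deny has to come before the general allow. Assumptions not in the post: vlan2 as the untrusted interface, the sample packets, and a chain policy of DROP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One FORWARD rule; a field left as None is a wildcard, like an omitted iptables option."""
    target: str                     # -j ACCEPT / DROP
    in_if: Optional[str] = None     # -i
    out_if: Optional[str] = None    # -o
    src: Optional[str] = None       # -s, CIDR or dotted-netmask form
    dst: Optional[str] = None       # -d
    def matches(self, pkt: dict) -> bool:
        if self.in_if is not None and pkt["in_if"] != self.in_if:
            return False
        if self.out_if is not None and pkt["out_if"] != self.out_if:
            return False
        for field in ("src", "dst"):
            net = getattr(self, field)
            if net is not None and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(net, strict=False):
                return False
        return True

def verdict(chain: list, policy: str, pkt: dict) -> str:
    """Walk the chain top to bottom; the first matching rule decides, otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

LAN = "10.42.14.0/24"
# Per-pair rule from the post: the first /26 arriving on vlan1 may reach the second /26 via vlan3.
PAIR_RULE = Rule("ACCEPT", in_if="vlan1", out_if="vlan3",
                 src="10.42.14.0/255.255.255.192", dst="10.42.14.128/255.255.255.192")
# Order the post recommends: interface-specific deny before the general allow (assumption: vlan2 is untrusted).
GOOD_ORDER = [Rule("DROP", in_if="vlan2", src=LAN), Rule("ACCEPT", src=LAN, dst=LAN)]
BAD_ORDER = list(reversed(GOOD_ORDER))     # same two rules, wrong order
# Constructed sample packets (not from the thread): same addresses, different ingress interface.
LEGIT = {"in_if": "vlan1", "out_if": "vlan3", "src": "10.42.14.5", "dst": "10.42.14.130"}
SPOOFED = {"in_if": "vlan2", "out_if": "vlan3", "src": "10.42.14.5", "dst": "10.42.14.130"}

def demo() -> dict:
    """Verdicts under a FORWARD policy of DROP; the spoofed packet is only dropped with the right order."""
    return {
        "legit_pair": verdict([PAIR_RULE], "DROP", LEGIT),      # ACCEPT
        "spoof_pair": verdict([PAIR_RULE], "DROP", SPOOFED),    # DROP: wrong -i, falls through to policy
        "legit_good": verdict(GOOD_ORDER, "DROP", LEGIT),       # ACCEPT
        "spoof_good": verdict(GOOD_ORDER, "DROP", SPOOFED),     # DROP
        "spoof_bad": verdict(BAD_ORDER, "DROP", SPOOFED),       # ACCEPT: the deny is now dead code
    }
```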



