I've been struggling with this all morning and seem to have a blind spot on what the problem is. I'm trying to use iptables to block traffic on a little cluster of Raspberry Pis but to allow ssh and ping traffic within it.
The cluster has a firewall server with a wifi card connecting to my home network and an eth0 connection to a switch connecting the Pis within the cluster. All the other Pis just use the switch to talk to each other on a network. They all use IP addresses in the range 10.10.1.2/5. The firewall Pi uses 10.10.1.1 for eth0 and picks up a 192.168.1.122 address from my router on the wifi card.
I have this rule set that is currently preventing me from ssh'ing from the fwl to an internal pi on the cluster. I know that because if I clear the rules I can connect:
Here is the script I use to create the rules:
I'm no expert on firewalls but I've been reading a lot this morning about setting up ssh in iptables and think the idea is to allow what you want and then append a drop of everything else after those rules.
Most of the pages I've looked at suggest doing this at the start of the rules:
and then relaxing the rules for ssh and ping afterwards, but I couldn't get that to work either.
Like I said though, I can connect if I flush the rules out.
For debugging purposes I suggest you add some of these logging rules
Just before the Default-Drop-Rules
You should find the messages of the drop rules somewhere within the /var/log directory - most likely in log file kern.log there.
As for a possible error, I'm wondering if state NEW for dns is sufficient. I would add ESTABLISHED too.
What I'm wondering too is that you use 2 different methods to define your state. You use conntrack/ctstate for ssh and state for dns/http. I suggest using the state method for ssh too. (Never used conntrack with this.)
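The ordering described in this thread (accept what you want, log, then drop everything else) written out as a complete ruleset for the firewall Pi. This is an added example, not the poster's script; it assumes the cluster LAN is 10.10.1.0/24 behind eth0, uses the conntrack match consistently in both chains, and covers the OUTPUT side as well, since the failing case is a session started from the firewall itself. It emits iptables-restore format so the whole set is applied atomically rather than rule by rule.

```shell
#!/bin/sh
# Added example (not the poster's script). SSH and ping are allowed within the
# cluster in both directions, replies are matched by connection state, and
# anything else is logged and then dropped. Load with:
#   gen_cluster_rules | sudo iptables-restore
# Assumed: cluster LAN 10.10.1.0/24 on eth0 (override via the environment).

CLUSTER_NET="${CLUSTER_NET:-10.10.1.0/24}"
CLUSTER_IF="${CLUSTER_IF:-eth0}"

gen_cluster_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
# Loopback and already-tracked connections first: this is what lets the
# replies to an SSH session started from the firewall come back in.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New SSH sessions and pings, cluster side only, in both directions.
-A INPUT -i $CLUSTER_IF -s $CLUSTER_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $CLUSTER_IF -d $CLUSTER_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $CLUSTER_IF -s $CLUSTER_NET -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $CLUSTER_IF -d $CLUSTER_NET -p icmp --icmp-type echo-request -j ACCEPT
# Whatever reaches the end of a chain is logged (rate-limited) and dropped;
# watch the log with: journalctl -k -f   or   tail -f /var/log/kern.log
-A INPUT -j LOG_DROP
-A OUTPUT -j LOG_DROP
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Sanity check before loading: the ESTABLISHED accept must precede any NEW
# rule, and the LOG rule must precede the final DROP. Returns 0 when it holds.
check_rule_order() {
    gen_cluster_rules | awk '
        /ctstate ESTABLISHED/ && !est { est = NR }
        /ctstate NEW/ && !new        { new = NR }
        /-j LOG /                    { lg = NR }
        /^-A LOG_DROP -j DROP/       { drop = NR }
        END { exit !(est && new && lg && drop && est < new && lg < drop) }'
}
```

Run `check_rule_order && gen_cluster_rules | sudo iptables-restore` on the firewall Pi; a dropped packet then shows up in kern.log with the IPT-DROP prefix, which tells you which rule you still need to add.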