[Tfug] firewall help
John Gruenenfelder
johng at as.arizona.edu
Sun Feb 19 16:47:42 MST 2006
I just upgraded my wrt54g router to the newest (rc4) release of OpenWRT. The
change was necessary to do some VOIP traffic shaping later.
But... in doing so I seem to have messed up the very simple firewall. It's
mostly working, though. All traffic on the LAN/wifi interfaces is fine as is
all outbound and masqueraded traffic.
What's not working is the blanket forwarding. Before, I had it set up to
forward all incoming traffic to a machine on the LAN where I run my services.
But now that machine is no longer reachable. All incoming connections go into
the void.
Unfortunately, this little problem demonstrates my lack of networking and
firewall knowledge. So... I'm not entirely sure where my problem lies. Here
is the output from "iptables -L -n":
root@bebop:/etc/init.d# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=!2 flags:0x02/0x02
input_rule all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
forwarding_rule all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
output_rule all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain forwarding_rule (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.0.3
Chain input_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
The machine at 192.168.0.3 is my server.
My best guess is that the new OpenWRT has a default DROP policy. And if I
want anything to get in then I'll have to allow those specific ports. If
that's the case, I'm fine with that. But I'd like to know what the problem is
first before I start mucking around with the firewall and potentially hose it
even further.
Any ideas?
--
--John Gruenenfelder Research Assistant, UMass Amherst student
Systems Manager, MKS Imaging Technology, LLC.
Try Weasel Reader for PalmOS -- http://gutenpalm.sf.net
"This is the most fun I've had without being drenched in the blood
of my enemies!"
--Sam of Sam & Max
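A check and a fix to go with the listing above, added here as an example for this thread; it is not the original poster's configuration and not OpenWRT's own firewall script. Two iptables facts the listing cannot show on its own: `iptables -L -n` lists only the filter table, and the `forwarding_rule` ACCEPT for 192.168.0.3 can only match a packet from the WAN after its destination has been rewritten from the router's public address to 192.168.0.3, which happens in the nat table (PREROUTING, target DNAT). So the first thing to look at is `iptables -t nat -L PREROUTING -n -v`. The script below wraps that check and the two rule sets that would restore forwarding. Assumed names: `vlan1` as the WAN interface and `192.168.0.3` as the server; both are variables. `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example for this thread; not the poster's setup and not OpenWRT's
# own firewall script. Assumed names, overridable from the environment:
WAN=${WAN:-vlan1}             # assumption: WAN interface name on the WRT54G
SERVER=${SERVER:-192.168.0.3} # the LAN host that should receive inbound traffic
IPT=${IPT:-iptables}          # set IPT=echo to print the rules instead of applying them

# `iptables -L -n` shows only the filter table. Destination rewriting lives in
# the nat table, so this is the view to inspect before touching filter rules.
# -v adds the in/out interface and packet counters, which show whether any
# inbound packet is being rewritten at all.
show_nat() {
    $IPT -t nat -L PREROUTING -n -v
}

# Blanket forward: every packet arriving on WAN is rewritten to SERVER, and the
# filter FORWARD path accepts it through the forwarding_rule hook chain (the
# second rule is the one already visible in the posted listing).
# Warning: this exposes every listening port on SERVER to the Internet.
blanket_forward() {
    $IPT -t nat -A PREROUTING -i "$WAN" -j DNAT --to-destination "$SERVER"
    $IPT -A forwarding_rule -i "$WAN" -d "$SERVER" -j ACCEPT
}

# Per-port forward: only PROTO/PORT is rewritten and accepted. This is the
# tighter replacement for the blanket rule; run it once per exposed service.
port_forward() {
    proto=$1
    port=$2
    $IPT -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$SERVER:$port"
    $IPT -A forwarding_rule -i "$WAN" -p "$proto" -d "$SERVER" --dport "$port" -j ACCEPT
}

case "${1:-}" in
    show)    show_nat ;;
    blanket) blanket_forward ;;
    port)    port_forward "$2" "$3" ;;
    *)       echo "usage: $0 show | blanket | port <tcp|udp> <port>" ;;
esac
```

Run it as `sh fw.sh show` (file name assumed) on the router first; an empty PREROUTING chain, or one whose DNAT counters never move, explains connections "going into the void" even though FORWARD already accepts traffic to the server. `IPT=echo sh fw.sh port tcp 22` prints the two rules for one service without applying them, which is the safer way to build up a per-port policy than re-creating the blanket DNAT.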