USB Networking vs. iptables

Joel Newkirk freerunner at newkirk.us
Fri Sep 19 13:35:11 CEST 2008


Try "iptables -I RH-Firewall-1-INPUT -s 192.168.0.202 -j ACCEPT", or the
same rule inserted at the top of INPUT and FORWARD chains.

Your FORWARD chain simply jumps to RH-Firewall-1-INPUT, the same as the
INPUT chain.

RH-Firewall-1-INPUT blocks SSH from various specific IPs, then accepts
only very limited specific connections, including ICMP, http, https, ssh, CUPS
and ipsec but NOT including DNS... Lack of a rule accepting DNS in INPUT
keeps you from doing DNS lookups at 192.168.0.201; lack of a rule accepting
DNS in FORWARD keeps you from doing DNS lookups at any other host.

If you want to keep it locked down tight on the Freerunner's traffic you
can amend the rule above with '-p udp --dport 53', but other things (like
email, FTP, VOIP, chat, and other things in the future) are probably
desirable as well, and not permitted through.

j


> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1     592K  375M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1      701 45828 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT 613K packets, 261M bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> num   pkts bytes target     prot opt in     out     source               destination

> 21    246K  210M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
> 22     898 78034 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 255
> 23       0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> 24       0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
> 25      72 20607 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
> 26       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:631
> 27       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
> 28    330K  164M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> 29     180 10764 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
> 30       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
> 31    4155  244K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
> 32    9849  611K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> 
> Due to the masquerade I checked if it would be helpful to change the
> FR's resolv.conf to the same DNS (212.6.108.140), but I just got the known
> result:
> root at om-gta02:~# nslookup www.google.com
> Server:    212.6.108.140
> Address 1: 212.6.108.140
> 
> nslookup: can't resolve 'www.google.com'
> 
> If I ping from the FR to this IP I get a good result:
> 
> root at om-gta02:~# ping 212.6.108.140
> PING 212.6.108.140 (212.6.108.140): 56 data bytes
> 64 bytes from 212.6.108.140: seq=0 ttl=248 time=21.264 ms
> 64 bytes from 212.6.108.140: seq=1 ttl=248 time=22.464 ms
> 64 bytes from 212.6.108.140: seq=2 ttl=248 time=23.561 ms
> 
> --- 212.6.108.140 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max = 21.264/22.429/23.561 ms
> 
> BTW, my router has no DNS function, it is just a router.
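As an added example (not from this thread), a small POSIX sh/awk check that reads a chain listing in the `iptables -L -n -v --line-numbers` layout quoted above and reports whether a fresh UDP/53 query would be accepted before the chain's terminating REJECT, plus a dry-run that prints the narrowed `-p udp --dport 53` inserts Joel suggests for both INPUT and FORWARD. The listings inside are constructed from the quoted rules; the usb0 interface name and the extra `-i` restriction are assumptions.

```shell
#!/bin/sh
# Constructed from the RH-Firewall-1-INPUT listing quoted above: a subset of
# its rules (21, 22, 25, 28, 29, 32) with the wrapped columns rejoined, in the
# layout printed by `iptables -L -n -v --line-numbers`.
SAMPLE_CHAIN='Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
21    246K  210M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
22     898 78034 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 255
25      72 20607 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
28    330K  164M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
29     180 10764 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
32    9849  611K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# dns_allowed LISTING: succeed if, reading one chain top to bottom, a new
# UDP/53 query is ACCEPTed before the terminating REJECT/DROP. A blanket
# ACCEPT on a non-loopback interface counts unless it is the stateful
# RELATED,ESTABLISHED rule (that one never admits a fresh query). Jumps to
# other chains are not followed, so run it on the chain that does the work.
dns_allowed() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {
            target = $4; proto = $5; in_if = $7
            if (target == "ACCEPT" && proto == "udp" && $0 ~ /dpt:53( |$)/) { found = 1; exit }
            if (target == "ACCEPT" && proto == "all" && in_if != "lo" && $0 !~ /state/) { found = 1; exit }
            if ((target == "REJECT" || target == "DROP") && proto == "all") exit
        }
        END { exit (found ? 0 : 1) }'
}

# dns_fix_rules SRC IFACE: print, without running, the narrow inserts that
# admit only the Freerunner's DNS queries, in both chains the quoted listing
# shows jumping to RH-Firewall-1-INPUT. Pipe into sh as root to apply.
dns_fix_rules() {
    for chain in INPUT FORWARD; do
        printf 'iptables -I %s -i %s -s %s -p udp --dport 53 -j ACCEPT\n' "$chain" "$2" "$1"
    done
}

# Constructed INPUT listing after the first insert above: the new rule takes
# position 1, ahead of the jump, so the query no longer reaches the REJECT.
FIXED_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  usb0   *       192.168.0.202        0.0.0.0/0            udp dpt:53
2     592K  375M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

dns_allowed "$SAMPLE_CHAIN" && echo "before: DNS allowed" || echo "before: DNS blocked"
dns_allowed "$FIXED_CHAIN"  && echo "after: DNS allowed"  || echo "after: DNS blocked"
dns_fix_rules 192.168.0.202 usb0
```

On a live host, feed `iptables -L RH-Firewall-1-INPUT -n -v --line-numbers` into dns_allowed instead of the constructed listing.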
