USB Networking vs. iptables
Joel Newkirk
freerunner at newkirk.us
Fri Sep 19 13:35:11 CEST 2008
Try "iptables -I RH-Firewall-1-INPUT -s 192.168.0.202 -j ACCEPT", or the
same rule inserted at the top of the INPUT and FORWARD chains.

Your FORWARD chain simply jumps to RH-Firewall-1-INPUT, the same as the
INPUT chain. RH-Firewall-1-INPUT blocks SSH from various specific IPs, then
accepts only very limited specific connections, including ICMP, http, https,
ssh, CUPS and ipsec, but NOT including DNS... Lack of a rule accepting DNS
in INPUT keeps you from doing DNS lookups at 192.168.0.201; lack of a rule
accepting DNS in FORWARD keeps you from doing DNS lookups at any other host.

If you want to keep it locked down tight on the Freerunner's traffic you
can amend the rule above with '-p udp --dport 53', but other things (like
email, FTP, VoIP, chat, and other things in the future) are probably
desirable as well, and are not permitted through.
j
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
> 1 592K 375M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
> 1 701 45828 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 613K packets, 261M bytes)
> num pkts bytes target prot opt in out source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> num pkts bytes target prot opt in out source destination
> 21 246K 210M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 22 898 78034 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
> 23 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
> 24 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
> 25 72 20607 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
> 26 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
> 27 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
> 28 330K 164M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 29 180 10764 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 30 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
> 31 4155 244K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> 32 9849 611K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Due to the masquerade I checked if it would be helpful to change the
> FR's resolv.conf to the same DNS (212.6.108.140), but I just got the known
> result:
> root at om-gta02:~# nslookup www.google.com
> Server: 212.6.108.140
> Address 1: 212.6.108.140
>
> nslookup: can't resolve 'www.google.com'
>
> If I ping from the FR to this IP I get a good result:
>
> root at om-gta02:~# ping 212.6.108.140
> PING 212.6.108.140 (212.6.108.140): 56 data bytes
> 64 bytes from 212.6.108.140: seq=0 ttl=248 time=21.264 ms
> 64 bytes from 212.6.108.140: seq=1 ttl=248 time=22.464 ms
> 64 bytes from 212.6.108.140: seq=2 ttl=248 time=23.561 ms
>
> --- 212.6.108.140 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max = 21.264/22.429/23.561 ms
>
> BTW, my router has no DNS function, it is just a router.
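As an added example (not code from either poster), the script below prints, and can optionally apply, the exceptions Joel describes: either the blanket accept for 192.168.0.202 or the tighter DNS-only form, inserted at the top of both INPUT and FORWARD ahead of the jump to RH-Firewall-1-INPUT. It assumes the host side of the USB link is usb0 (FR_IF), which is not stated in the thread.

```shell
#!/bin/sh
# Added example: generate, and optionally apply, the Freerunner exceptions.
# Modes:
#   dns - only DNS (udp/tcp 53) from the Freerunner, the "locked down tight" form
#   all - accept everything from the Freerunner, the blanket rule suggested first
# INPUT covers lookups against this host (192.168.0.201); FORWARD covers the
# masqueraded lookups against any other host. Binding the match to the USB
# interface (-i) keeps the exception from applying to packets arriving on
# another interface that merely claim that source address.
FR_IP="${FR_IP:-192.168.0.202}"   # Freerunner address from the thread
FR_IF="${FR_IF:-usb0}"            # ASSUMPTION: host interface of the USB link

# Print the iptables commands so they can be reviewed before anything changes.
fr_rules() {
    mode="${1:-dns}"
    for chain in INPUT FORWARD; do
        if [ "$mode" = all ]; then
            echo "iptables -I $chain 1 -i $FR_IF -s $FR_IP -j ACCEPT"
        else
            for proto in udp tcp; do
                echo "iptables -I $chain 1 -i $FR_IF -s $FR_IP -p $proto --dport 53 -j ACCEPT"
            done
        fi
    done
}

# Run the generated commands; refuses unless root with iptables installed.
fr_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "fr_apply: must run as root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "fr_apply: iptables not found" >&2; return 1; }
    fr_rules "$1" | while read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1    # aborts the pipeline on the first failing rule
    done
}

# Once applied, a lookup from the Freerunner against the host and against the
# upstream resolver named in the thread should both succeed (run manually):
#   nslookup www.google.com 192.168.0.201
#   nslookup www.google.com 212.6.108.140

# Default when executed directly: print the DNS-only rules for review.
case "${FR_ACTION:-print}" in
    print) fr_rules "${FR_MODE:-dns}" ;;
    apply) fr_apply "${FR_MODE:-dns}" ;;
esac
```

Set FR_MODE=all to print the blanket variant, and FR_ACTION=apply (as root) to insert whichever variant was chosen.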