D&C Lug - Home Page
Devon & Cornwall Linux Users' Group


Re: [LUG] Re: ftp and stuff



On Sunday 29 August 2004 17:44, Tony Sumner wrote:
On Sun, Aug 29, 2004 at 12:36:22PM +0100, Robin Cornelius wrote:
Your iptables is not setup exactly the same way as the example. OK a few
questions:-

what kernel are you running 'uname -r'               2.4.19
what iptables are you running 'iptables -V'          1.2.11

are you running any firewall distributions eg shorewall, smoothwall or
any other tool that sets up your iptables rules?         No

What are your iptables rules : use the following

iptables -t filter --list
iptables -t nat --list
iptables -t mangle --list

(slightly edited)
filter:
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
-------------------------------------------------------
mangle:
Chain PREROUTING (policy ACCEPT)
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain POSTROUTING (policy ACCEPT)
----------------------------------------------------
nat:
iptables v1.2.11: can't initialize iptables table `nat': Table does not exist

This looks a bit bald; the actual rules are in /etc/sysconfig/iptables. I
could list them (20 lines) but maybe the absence of nat is the main
problem. Should I compile the kernel with nat support included? What's the
module called?


No, you don't need NAT for this box; your router-modem does NAT, you only need 
filter and mangle.  Filter does what it says and is the "real" firewall part; 
mangle is what you are attempting to play with and does traffic shaping and 
other stuff.

If that is the output of iptables then IMHO your firewall is totally open; the 
rules in /etc/sysconfig/iptables are NOT active, something is missing from 
your setup to invoke those rules. Is /etc/sysconfig/iptables a shell script 
that will set the tables, or is it just rules for some other script?

for the issue at hand change the command to :-
iptables --table mangle --append OUTPUT --jump TOS --set-tos 0x0

The dscp is only on 2.6 kernel iptables; it was called tos. That should ensure 
that you have no interactive packets.

Regards

Robin




-- 

Robin Cornelius
---------------------------------------------------
robin@xxxxxxxxxxxxxxxxxxxxx
GPG Key ID: 0x729A79A23B7EE764
http://www.biglumber.com/x/web?qs=0x729A79A23B7EE764
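Added example (not Robin's or Tony's code, and not from the thread): a small
script that answers Robin's question of whether the rules in
/etc/sysconfig/iptables are actually loaded, by comparing that file with what
"iptables-save" prints for the running kernel. It assumes both are in
iptables-save format (the Red Hat style /etc/sysconfig/iptables is). The two
sample rulesets embedded in the script are constructed for the demo: the
"saved" one is a plausible 2.4-era ruleset including the mangle TOS rule from
the reply, the "live" one is what iptables-save prints for a box that looks
like Tony's listing (every policy ACCEPT, no rules, no nat table).

```shell
#!/bin/sh
# Added example: check whether a saved iptables ruleset (for example
# /etc/sysconfig/iptables) is really loaded in the kernel.
# Assumes both inputs are in iptables-save format.

# missing_rules SAVED LIVE
#   Prints, as "<table> <line>", every rule (-A ...) and every chain policy
#   (:CHAIN POLICY) found in SAVED but not in LIVE.  The [pkts:bytes] counters
#   are ignored.  Exit status 0 = nothing missing, 1 = some rules not loaded.
missing_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter" -> current table
        /^(:|-A)/ {
            sub(/ \[[0-9]+:[0-9]+\]$/, "")      # drop packet/byte counters
            key = table " " $0
            if (live)
                seen[key] = 1                   # first pass: live rules
            else if (!(key in seen)) {          # second pass: saved rules
                print key
                missing++
            }
        }
        END { exit (missing > 0) }
    ' live=1 "$2" live=0 "$1"
}

# --- constructed sample data, not taken from the thread ---------------------

# What /etc/sysconfig/iptables is meant to load.
SAMPLE_SAVED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -j TOS --set-tos 0x0
COMMIT'

# What "iptables-save" prints on a box with open policies and no rules.
SAMPLE_LIVE='# Generated by iptables-save v1.2.11
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# write_samples DIR: materialise the two samples as DIR/saved and DIR/live
write_samples() {
    printf '%s\n' "$SAMPLE_SAVED" > "$1/saved"
    printf '%s\n' "$SAMPLE_LIVE"  > "$1/live"
}

# On a real box:  iptables-save > /tmp/live.rules
#                 missing_rules /etc/sysconfig/iptables /tmp/live.rules
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    echo "Rules in $dir/saved that are not loaded:"
    if missing_rules "$dir/saved" "$dir/live"; then
        echo "  (none: the saved rules are active)"
    else
        echo "=> saved rules are NOT active; load them with:"
        echo "   iptables-restore < /etc/sysconfig/iptables"
    fi
    rm -rf "$dir"
}
demo
```

Every line printed is a rule or policy the kernel does not have. If the list
is the whole of /etc/sysconfig/iptables, the file is never being fed to
iptables-restore at boot, which is exactly the "totally open" state Robin
describes.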
