-A INPUT -s 192.168.1.1 -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP
The problem with the rules seems to be that the network is hardcoded to 192.168.1.0, while it can be something else.
# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:59]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Mar 19 21:08:43 2005
# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*mangle
:PREROUTING ACCEPT [14:964]
:INPUT ACCEPT [14:964]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:964]
:POSTROUTING ACCEPT [14:964]
-A PREROUTING -m state --state INVALID -j LOG --log-prefix "gShield (INVALID drop) "
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 23 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 6660:6669 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7000 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7500 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7501 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7777 -j TOS --set-tos 0x10
COMMIT
# Completed on Sat Mar 19 21:08:43 2005
# Generated by iptables-save v1.3.1 on Sat Mar 19 21:08:43 2005
*filter
:ACCEPTnLOG - [0:0]
:BLACKLIST - [0:0]
:BLOCK_OUT - [0:0]
:CLIENT - [0:0]
:CLOSED - [0:0]
:DHCP - [0:0]
:DMZ - [0:0]
:DNS - [0:0]
:DROPICMP - [0:0]
:DROPnLOG - [0:0]
:HIGHPORT - [0:0]
:INPUT DROP [2:118]
:FORWARD DROP [0:0]
:MON_OUT - [0:0]
:MULTICAST - [0:0]
:OPENPORT - [0:0]
:OUTPUT ACCEPT [14:964]
:PUBLIC - [0:0]
:RESERVED - [0:0]
:SCAN - [0:0]
:SERVICEDROP - [0:0]
:STATEFUL - [0:0]
:loopback - [0:0]
-A ACCEPTnLOG -j LOG --log-prefix "gShield (accept) " --log-level 1
-A ACCEPTnLOG -j ACCEPT
-A BLACKLIST -j LOG --log-prefix "gShield (blacklisted drop) " --log-level 1
-A BLACKLIST -j DROP
-A BLOCK_OUT -j DROP
-A CLIENT -j ACCEPT
-A CLOSED -j LOG --log-prefix "gShield (closed port drop) " --log-level 1
-A CLOSED -p tcp -j DROP
-A CLOSED -p udp -j REJECT --reject-with icmp-port-unreachable
-A CLOSED -j DROP
-A DHCP -j LOG --log-prefix "gShield (DHCP accept) " --log-level 1
-A DHCP -j ACCEPT
-A DMZ -j LOG --log-prefix "gShield (DMZ drop) " --log-level 1
-A DMZ -j DROP
-A DNS -j ACCEPT
-A DROPICMP -j DROP
-A DROPnLOG -p udp -m udp --dport 137:139 -j DROP
-A DROPnLOG -p tcp -m tcp --sport 80 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A DROPnLOG -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j DROP
-A DROPnLOG -m limit --limit 20/min -j LOG --log-prefix "gShield (default drop) " --log-level 1
-A DROPnLOG -p 47 -m limit --limit 20/min -j LOG --log-prefix "gShield (default drop / GRE) " --log-level 1
-A DROPnLOG -p tcp -j DROP
-A DROPnLOG -p udp -j REJECT --reject-with icmp-port-unreachable
-A DROPnLOG -j DROP
-A HIGHPORT -j ACCEPT
-A INPUT -i lo -j loopback
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j RESERVED
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j RESERVED
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.1 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.2 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.4 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.5 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.6 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.9 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.13 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.15 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.1 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.2 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.4 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.5 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.6 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.9 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.13 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.15 -i eth0 -j MULTICAST
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -j DROPICMP
-A INPUT -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -s 192.168.1.1 -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP
-A INPUT -s 132.163.135.130 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT
-A INPUT -s 128.118.25.3 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT
-A INPUT -s 131.107.1.10 -p udp -m udp --sport 123 --dport 1024:65535 -j ACCEPT
-A INPUT -s 192.168.1.1 -p udp -m udp --sport 53 -j DNS
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j STATEFUL
-A FORWARD -o eth0 -p tcp -m tcp --dport 137 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 137 -j BLOCK_OUT
-A FORWARD -o eth0 -p tcp -m tcp --dport 138 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 138 -j BLOCK_OUT
-A FORWARD -o eth0 -p tcp -m tcp --dport 139 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 139 -j BLOCK_OUT
-A FORWARD -j STATEFUL
-A MON_OUT -j ACCEPT
-A MULTICAST -j DROP
-A OPENPORT -j ACCEPT
-A OUTPUT -o lo -j loopback
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 137 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 137 -j BLOCK_OUT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 138 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 138 -j BLOCK_OUT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 139 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 139 -j BLOCK_OUT
-A PUBLIC -j ACCEPT
-A RESERVED -p tcp -j DROP
-A RESERVED -p udp -j REJECT --reject-with icmp-port-unreachable
-A RESERVED -j DROP
-A SCAN -j LOG --log-prefix "gShield (possible port scan) " --log-level 1
-A SCAN -j DROP
-A SERVICEDROP -j LOG --log-prefix "gShield (service drop) " --log-level 1
-A SERVICEDROP -p tcp -j DROP
-A SERVICEDROP -p udp -j REJECT --reject-with icmp-port-unreachable
-A SERVICEDROP -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DROPnLOG
-A loopback -i lo -j ACCEPT
COMMIT
# Completed on Sat Mar 19 21:08:43 2005
tomk - I look for logs, but I can't find the buggers that I would expect. I don't actually run the gShield.rc as my firewall; I save the output to iptable.rules and use iptables. But I just can't find the output logs anywhere. I checked the gShield settings to see if I missed a logging option.
I've also checked the usual logs and seen some firewall activity, but nothing that seems to make sense re my setup.
I run an IPCop firewall myself, and anytime I fail to connect for any reason, I can examine the logs to see if anything didn't get through, then adjust the IPCop config accordingly.
However, when I try to access a wireless net my firewall always stops me, and I can only connect when I stop iptables.
I think it is something to do with DHCP, but I dunno where to even start.
I have only changed the most basic settings in gShield. I don't do any port forwarding, as I don't have any service running on my machine.
Another thing: some nmap actions fail as well while the firewall is up.
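Added example, not part of this thread or of gShield: a small Python walk through the filter-table rules from the dump above, tracing a DHCP server-to-client reply the way iptables evaluates it (first match wins, user chains return when they fall off the end, LOG is non-terminating). The rule strings are copied from the dump; the server addresses and the wlan0 interface used in the traces are constructed.

```python
import ipaddress, shlex
# Rules copied from the filter table of the gShield dump, cut down to the chains a DHCP
# reply arriving on eth0 can reach: INPUT -> RESERVED / DHCP / STATEFUL -> DROPnLOG.
RULES = {
    "INPUT": [
        "-s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT",
        "-s 10.0.0.0/255.0.0.0 -i eth0 -j RESERVED",
        "-s 172.16.0.0/255.240.0.0 -i eth0 -j RESERVED",
        "-s 192.168.0.0/255.255.0.0 -i eth0 -j RESERVED",
        "-s 192.168.1.1 -i eth0 -p udp -m udp --sport 67 --dport 68 -j DHCP",
        "-j STATEFUL"],
    "RESERVED": ["-p tcp -j DROP", "-p udp -j REJECT --reject-with icmp-port-unreachable", "-j DROP"],
    "DHCP": ['-j LOG --log-prefix "gShield (DHCP accept) " --log-level 1', "-j ACCEPT"],
    "STATEFUL": ["-m state --state RELATED,ESTABLISHED -j ACCEPT",
                 "-i ! eth0 -m state --state NEW -j ACCEPT", "-j DROPnLOG"],
    "DROPnLOG": ["-d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j DROP",
                 '-m limit --limit 20/min -j LOG --log-prefix "gShield (default drop) " --log-level 1',
                 "-p udp -j REJECT --reject-with icmp-port-unreachable", "-j DROP"]}

def parse(rule):
    """Map option -> (negated, value); every option in this rule subset takes one argument."""
    toks, out, i = shlex.split(rule), {}, 0
    while i < len(toks):
        neg = toks[i + 1] == "!"                    # old-style negation, as in "-i ! eth0"
        out[toks[i]] = (neg, toks[i + 1 + neg])
        i += 2 + neg
    return out

def matches(r, pkt):
    checks = {"-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
              "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
              "-i": lambda v: pkt["iface"] == v, "-p": lambda v: pkt["proto"] == v,
              "--sport": lambda v: pkt["sport"] == int(v), "--dport": lambda v: pkt["dport"] == int(v),
              "--state": lambda v: pkt["state"] in v.split(",")}
    return all(chk(r[o][1]) != r[o][0] for o, chk in checks.items() if o in r)  # "!=" flips negated ones

def walk(chain, pkt, logs):
    for r in filter(lambda r: matches(r, pkt), map(parse, RULES[chain])):  # first match wins
        target = r["-j"][1]
        if target == "LOG":                          # non-terminating: record prefix, keep going
            logs.append(r["--log-prefix"][1].strip())
        elif target not in RULES:
            return target                            # ACCEPT / DROP / REJECT
        elif verdict := walk(target, pkt, logs):     # user chain; None means it fell off the end
            return verdict
    return {"INPUT": "DROP"}.get(chain)              # built-in policy; user chains RETURN

def dhcp_reply(server, dst="255.255.255.255", iface="eth0"):
    """Trace a server->client DHCP reply (udp 67->68); conntrack sees it as NEW, since its tuple does
    not mirror the client's 0.0.0.0 -> broadcast request. Returns (verdict, LOG prefixes seen)."""
    pkt, logs = dict(src=server, dst=dst, iface=iface, proto="udp", sport=67, dport=68, state="NEW"), []
    return walk("INPUT", pkt, logs), logs
```

In this trace a broadcast reply, even from 192.168.1.1, hits the 192.168.0.0/16 RESERVED rule before the DHCP rule is reached, and a reply from a server outside the private ranges is dropped by DROPnLOG's first rule without any LOG entry, which fits seeing nothing in the logs.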