iptables help needed

methuselah · 2009-08-22 03:41:11

Hello. I'm brand new at iptables and I followed this guide (only the top section): http://wiki.archlinux.org/index.php/Sim … wall_HOWTO

So far it seems to have worked good. I'm still able to connect to my torrents from the open ports I created, and my internet works the same as before (maybe a tad bit slower)..... but I noticed that my live streaming video seems to be messed up. It seems to stop and start a bunch, like a choppy playback instead of a smooth playback.

I've noticed that my iptables usually doesn't drop any packets. But after trying to use a live video stream I had this line in my sudo iptables -nvL:

1270  488K DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0

So as an iptables noob (trying to learn), I'm not sure if I missed any important steps needed. (that weren't in that wiki guide)

Last edited by methuselah (2009-08-22 03:42:21)

fukawi2 · 2009-08-22 07:43:00

Can you post your complete /etc/iptables/iptables.rules file? It's difficult to see what's going on from only one rule

A bit more information about your network would be good too, such as internal IP addresses etc...

methuselah · 2009-08-23 09:14:06

fukawi2 wrote:

Can you post your complete /etc/iptables/iptables.rules file? It's difficult to see what's going on from only one rule
A bit more information about your network would be good too, such as internal IP addresses etc...

I am just one laptop connected to a cable modem (no network). I just want to have a secure computer for using public wlan0 hot spots, and for regular eth0.

These are my rules (the "torrent" parts are where I edited out my port numbers just for this thread):

# Generated by iptables-save v1.4.4 on Thu Aug 13 22:01:56 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [151943:10701243]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP 
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP 
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP 
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP 
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -j interfaces 
-A INPUT -j open 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -f -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP 
-A interfaces -i lo -j ACCEPT 
-A interfaces -i eth0 -j ACCEPT 
-A interfaces -i wlan0 -j ACCEPT 
-A interfaces -i mon0 -j ACCEPT 
-A open -p tcp -m tcp --dport "torrent":"torrent" -j ACCEPT 
-A open -p udp -m udp --dport "torrent":"torrent" -j ACCEPT 
-A open -p udp -m udp --dport "torrent" -j ACCEPT 
-A open -p tcp -m tcp --dport "torrent" -j ACCEPT 
-A open -p udp -m udp --dport "torrent" -j ACCEPT 
-A open -p tcp -m tcp --dport "torrent" -j ACCEPT 
COMMIT
# Completed on Thu Aug 13 22:01:56 2009

fukawi2 · 2009-08-23 23:15:48

methuselah wrote:

-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP 
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP 
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP

These rules are going to drop anything and everything coming from private network addresses -- which is probably being used between your Cable modem and your laptop. You'll need to find out (ip a s eth0) and remove the rule that is blocking that range.

methuselah · 2009-08-23 23:42:59

fukawi2 wrote:

methuselah wrote:
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP 
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP 
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
These rules are going to drop anything and everything coming from private network addresses -- which is probably being used between your Cable modem and your laptop. You'll need to find out (ip a s eth0) and remove the rule that is blocking that range.

I had originally added those rules because the wiki guide said they were for protection from common attacks: http://wiki.archlinux.org/index.php/Sim … ing_attack

So you think that my cable modem and the private networks might have caused the live video stream (HBO Bill Maher's: http://www.hbo.com/billmaher/webcast/index.html ) to play in a "choppy" way. (pausing or freezing, then starting again after missing a few words, then pausing/freezing again and skipping over a few seconds of a live video feed to start playing again.)

I wasn't too clear on this part: (ip a s eth0)

How does everything else look? Did I add the correct rule for my wlan0 wifi?

Thanks again for the help.

Last edited by methuselah (2009-08-23 23:51:08)

fukawi2 · 2009-08-24 02:43:44

Post the output of the following command:

ip a s

You may need to install the iproute2 package first:

pacman -S iproute2

methuselah · 2009-08-24 03:50:00

fukawi2 wrote:

Post the output of the following command:
ip a s

output:

EDITED

Last edited by methuselah (2009-08-24 06:17:01)

fukawi2 · 2009-08-24 05:59:54

I stand corrected -- your modem passes your public address through to your laptop so you're not using private address space. Those rules are valid (until you plug in to a network that does use private address space!). I don't think that's the cause of your problems.

methuselah · 2009-08-24 06:16:37

The only other thing that might have been the problem of the streaming HBO Bill Maher video was that it was the first week I have watched it using mplayer and the mplayer plugin.

Before that I had been using mozplugger with totem-xine. I'm going to keep my iptable.rules the same as they are and next Friday night I'll switch back to mozplugger and totem-xine to see if that was the reason the live video stream was playing so badly..... I had just assumed that my brand new iptables rules had been the reason that the video playback wasn't a consistent stream like it had been before. (if it plays badly using mozplugger and totem, then it might be iptables)

Arch Linux

#1 2009-08-22 03:41:11

iptables help needed

#2 2009-08-22 07:43:00

Re: iptables help needed

#3 2009-08-23 09:14:06

Re: iptables help needed

#4 2009-08-23 23:15:48

Re: iptables help needed

#5 2009-08-23 23:42:59

Re: iptables help needed

#6 2009-08-24 02:43:44

Re: iptables help needed

#7 2009-08-24 03:50:00

Re: iptables help needed

#8 2009-08-24 05:59:54

Re: iptables help needed

#9 2009-08-24 06:16:37

Re: iptables help needed

Board footer