[Firehol-support] custom rule applied but resulting iptables are strange
Tsaousis, Costa
costa at tsaousis.gr
Mon Mar 28 20:34:49 BST 2016
Hi,
Try running:
iptables -nxvL
or
firehol status
These statements have additional parameters which are not shown by default.
Also, run:
firehol explain
and then issue the configuration commands one by one.
FireHOL will show you the commands it generates (with comments about
each and every one).
Costa
On Mon, Mar 28, 2016 at 10:04 PM, Wojtek Swiatek <w at swtk.info> wrote:
> Hello
>
> I wanted to try a custom rule on my firehol setup:
>
> router EVERYTHING
> # LAN
> server all accept inface lan0 outface int0 custom '-m time --timestart 6:00 --timestop 19:00'
> server all accept inface lan0 outface br1
> server all accept inface lan0 outface br2
> # Minecraft
> server minecraft accept inface int0 outface br2
> server minecraft accept inface lan0 outface br2
> server all accept inface br2 outface int0
> # openvpn container, only via openvpn
> server openvpn accept inface br1 outface int0
> # openvpn server
> server all accept inface tun0 outface lan0
> server all accept inface tun0 outface int0
>
> The idea was that traffic from lan0 to int0 should be restricted to the day
>
> The restriction did not work (it finally worked - it was my mistake, I
> forgot that I should have used UTC which is 2 hours behind my location) and
> I had a look at iptables -L, the result is quite surprising. Doesn't it
> mean that all traffic is allowed, no matter the interface?
> As an example the line
> ACCEPT all -- anywhere anywhere ctstate
> NEW,ESTABLISHED
> is repeated several times, without any information on the interface. Is
> this normal?
> Where is the information about which interface filters which traffic?
>
> Chain in_EVERYTHING (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "ftp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "irc"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "sip"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "pptp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "proto_gre"
> ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
> ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 multiport dports 9000,25565 ctstate NEW,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 multiport dports 9000,25565 ctstate NEW,ESTABLISHED
> ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:openvpn ctstate NEW,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:openvpn ctstate NEW,ESTABLISHED
> ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
> ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
> ACCEPT icmp -- anywhere anywhere ctstate RELATED
> ACCEPT tcp -- anywhere anywhere ctstate RELATED tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST,ACK
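The listing in the question was produced with plain `iptables -L`, which omits the `in` and `out` interface columns, so every rule looks like it matches "anywhere" on any interface. The verbose form Costa suggests (`iptables -nvL`) prints those columns, and `iptables -S` prints each rule as the original `-i`/`-o`/`-m time` specification. The script below is an added example written for this page, not code from FireHOL or from either poster: it reads `iptables -nvL` output (a constructed sample is embedded; it is not the poster's real ruleset) and reports two things a reviewer of such a ruleset wants to confirm: which ACCEPT rules are genuinely interface-less (both `in` and `out` are `*`), and which time windows are evaluated in UTC. The second check rests on a fact the thread itself demonstrates: the `time` match prints `UTC` after the window when it compares against UTC rather than the kernel's local time zone.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL` output (not the poster's ruleset).
# With -v the "in" and "out" columns are present; plain `iptables -L` hides
# them, which is what made every rule in the question look interface-less.
SAMPLE_NVL='Chain in_EVERYTHING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lan0   int0    0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC
    0     0 ACCEPT     all  --  lan0   br1     0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED
   12  1024 ACCEPT     tcp  --  int0   br2     0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 multiport dports 9000,25565 ctstate NEW,ESTABLISHED
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   lan0    0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED'

# unscoped_accepts: read `iptables -nvL` output on stdin and print
# "<chain> <in> <out> <match options>" for every ACCEPT rule whose in AND
# out interface are both the wildcard "*". Those are the rules that really
# do apply regardless of interface; rules bound to lan0/int0/etc. are not
# reported even though `iptables -L` would show them as "anywhere anywhere".
unscoped_accepts() {
    awk '
        /^Chain /        { chain = $2; next }   # remember the current chain
        $1 == "pkts"     { next }               # skip the column header
        NF == 0          { next }               # skip blank separators
        $3 == "ACCEPT" && $6 == "*" && $7 == "*" {
            # fields 1-9 are pkts bytes target prot opt in out src dst;
            # everything after that is the match options
            rest = ""
            for (i = 10; i <= NF; i++) rest = rest (i > 10 ? " " : "") $i
            print chain, $6, $7, rest
        }
    '
}

# count_unscoped_accepts: number of interface-less ACCEPT rules in the sample.
count_unscoped_accepts() {
    printf '%s\n' "$SAMPLE_NVL" | unscoped_accepts | wc -l | tr -d ' '
}

# utc_time_rules: print "<chain> <start> to <stop>" for every rule whose
# TIME window is evaluated in UTC (the match prints "UTC" after the window
# in that case, exactly as in the listing quoted in the thread). A local
# 06:00-19:00 window has to be written in UTC to behave as intended.
utc_time_rules() {
    awk '
        /^Chain / { chain = $2; next }
        /TIME from [0-9:]+ to [0-9:]+/ && / UTC/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { print chain, $(i + 1), "to", $(i + 3); break }
        }
    '
}

# Usage on the constructed sample; on a live router replace the variable with
# `iptables -nvL | unscoped_accepts` (requires root).
printf '%s\n' "$SAMPLE_NVL" | unscoped_accepts
printf '%s\n' "$SAMPLE_NVL" | utc_time_rules
```

Only the fourth sample rule is reported as interface-less; the lan0/int0 rule with the time window is correctly scoped, it just does not look that way without `-v`. The UTC report is the check to run before trusting a `--timestart`/`--timestop` window: if it says UTC and the intended hours were local, the window has to be shifted by the local offset.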