Setting up an iptables firewall
Bradmont2
06-02-2001, 04:50 PM
I'm setting up an iptables firewall (from scratch) and am having a few problems. Right now, the firewall blocks all syn packets on all ports not explicitly specified.
ATM, when I try to connect to openprojects.net on IRC, I can connect, but it takes forever. Taking down the firewall, I can connect fine. BTW, openprojects.net does not require ident.
Anyone have any idea what ports I need to open and why?
Thanks.
Craig McPherson
06-02-2001, 06:59 PM
I can't be sure, but I bet although they don't REQUIRE ident, they still send an ident request whenever you log in. Nearly every IRC server does, even if they let you in without a functional ident.
The big delay is because your firewall is dropping the ident connection, rather than refusing it, so the server has to wait for it to time out. REJECT instead of DROP the ident port (113, if I recall) and try again.
Bradmont2
06-02-2001, 08:18 PM
Hey, thanks Craig. It worked! :cool:
Craig McPherson
06-02-2001, 09:48 PM
Hey. You should change your sig to this:
Bradmont's sig says "Bradmont's sig says".
Then it would be a Quine. Well, sorta a reverse-Quine, I guess. "Bradmont's sig says" Bradmont's sig says would be a real Quine, but that would be stupid.
Bills_a_bub
06-02-2001, 10:33 PM
Bradmont,
Can you post the full line that allows it to work?
It's one thing that I haven't had any luck with. Granted, I haven't spent any time on making it work, but that's a different story.
TIA!
Craig McPherson
06-03-2001, 08:34 AM
This should do it:
iptables -A INPUT -p tcp --dport 113 -j REJECT
You'll have to have the REJECT module inserted or built into your kernel in order to use the REJECT target. And make sure you put it before any line that would drop such a packet -- first matching rule always wins.
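Added example, not from the thread: the rule above only helps if it sits ahead of the catch-all DROP, as the post says, so this script checks a rule dump for exactly that. The two dumps are constructed, written in iptables-save style, and assume the usual layout of an INPUT chain with a DROP policy; in real use, feed it `iptables-save -t filter`. The `--reject-with tcp-reset` option is the form that most closely mimics a closed ident port (a plain REJECT answers with an ICMP port-unreachable, which also ends the wait).

```shell
#!/bin/sh
# Check that the TCP/113 REJECT in the INPUT chain precedes any broad DROP.
# iptables uses first match, so a DROP above the REJECT makes the REJECT dead.
# The chain policy (":INPUT DROP") is applied only after all rules, so it is fine.
# Usage: iptables-save -t filter | check_ident_order

check_ident_order() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++
            # first REJECT for tcp/113
            if (!reject && $0 ~ /-p tcp/ && $0 ~ /--dport 113( |$)/ && $0 ~ /-j REJECT/)
                reject = n
            # first DROP that is not limited to some other port (conservative: any
            # unported DROP counts, even state-based ones a SYN would not match)
            if (!drop && $0 ~ /-j DROP/ && $0 !~ /--dport /) {
                drop = n; dropline = $0
            }
        }
        END {
            if (!reject) { print "FAIL: no REJECT rule for tcp/113 in INPUT"; exit 1 }
            if (drop && drop < reject) {
                print "FAIL: INPUT rule " drop " drops before the ident REJECT at rule " reject ": " dropline
                exit 1
            }
            print "OK: ident REJECT is INPUT rule " reject
        }'
}

# Constructed sample dumps (iptables-save style), not taken from a real host.
GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT'

# Same rules, but the SYN DROP comes first: the REJECT is never reached and
# the IRC server has to wait for its ident request to time out.
BAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$GOOD" | check_ident_order
printf '%s\n' "$BAD" | check_ident_order || echo "(exit status $?)"
```

`iptables -L INPUT -n --line-numbers` shows the same order the check relies on; if the REJECT has a higher number than the SYN DROP, move it up with `iptables -I INPUT 1 ...` or reorder the script.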
Bills_a_bub
06-03-2001, 06:37 PM
Thanks Craig! :cool:
I've been off iptables for a while. I got mine functional and had left it that way. Just when I thought I understood how things worked, I'd run across something else on the internet that threw my understanding out of whack.
I guess it's about time to start looking at it again. :D
Belatucadros
06-03-2001, 09:37 PM
hey, can any of you point me in the right direction setting up IP Masq/NAT using iptables?
should be fairly simple, but hey...I'm a n00b ;)
Craig McPherson
06-03-2001, 10:40 PM
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
That's how you do NAT with iptables. That's not the entire firewall, of course, but that's the key line to activate the IP masquerading. You have to have IP forwarding enabled as usual.
You can also generate an iptables script to your specifications at http://www.linux-firewall-tools.com/. It doesn't really take advantage of iptables's new features, though: you should read the HOWTO and add in all the cool stateful stuff.
I'm running a heavily modified version of a script from there at the moment.
[ 03 June 2001: Message edited by: Craig McPherson ]
Belatucadros
06-03-2001, 11:00 PM
hmm I went there and it seems to be using ipchains...as you said it lacks all the iptables cool stuff...but I'd at least like a script focused partly on iptables.. ;)
I'll poke around the HOWTO and such tho...thanks anyway.
Craig McPherson
06-03-2001, 11:32 PM
The very first page of the Firewall Design Tool lets you select ipchains, iptables, or ipfwadm. It still defaults to ipchains, but it will generate an iptables firewall just fine.
I can e-mail you my perfectly functional but rather obese iptables NAT firewall if you want to look at one that works. It's based on one generated by that Firewall Design Tool, but it's been hacked up a bit.
I can also e-mail you my new, revised, streamlined, super-ultra-cool but unfortunately nonfunctional new iptables NAT firewall that I never got around to working the bugs out of, if you want to look at it too. It uses most of the new stateful inspection features, unclean match support, and a lot of other new features too, and I think the only thing wrong with it is that it isn't letting DHCP leases get renewed, but I got busy with other stuff and never got around to fixing it.
Craig McPherson
06-03-2001, 11:39 PM
Hmm, well. I stand corrected. The firewall design tool doesn't let you create iptables firewalls. But I swear, it used to. I did it once.
Oh well. You can convert an ipchains firewall to an iptables firewall easily enough:
1. DENY becomes DROP
2. The rule to engage IP masquerading is different (see above)
3. "ipchains" becomes "iptables", of course
4. You can replace --source-port with --sport and --destination-port with --dport. Much simpler to type.
If your firewall is simple, those are the only changes you'd need to make to it... a few sed commands, and you're done. Then try running the script, and fix any more errors that it gives you.
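Added example, not from the thread: the four conversion steps above and the masquerading rule from the earlier post, done as the sed pass that is suggested. It goes a little beyond the list: ipchains names its built-in chains `input`, `output` and `forward` while iptables uses `INPUT`, `OUTPUT` and `FORWARD`; the ipchains `-y` flag becomes `--syn`; and on the output and forward chains the ipchains `-i` meant the outgoing interface, which is `-o` in iptables. The outside interface `eth0` and the sample ipchains script are assumptions, not anything from the thread. Note that ipchains' `input` chain also saw forwarded packets, which iptables' `INPUT` does not, so a converted script still needs a look at its FORWARD rules.

```shell
#!/bin/sh
# Convert a simple ipchains firewall script to iptables syntax.
# Usage: ipchains_to_iptables < old-firewall.sh > new-firewall.sh
# Assumes the masqueraded traffic leaves via eth0 (edit WAN_IF to taste).

WAN_IF=eth0

ipchains_to_iptables() {
    sed \
        -e 's/^ipchains /iptables /' \
        -e "s/-A forward \(.*\)-j MASQ\$/-t nat -A POSTROUTING \1-o $WAN_IF -j MASQUERADE/" \
        -e 's/ input / INPUT /' \
        -e 's/ output / OUTPUT /' \
        -e 's/ forward / FORWARD /' \
        -e '/ OUTPUT /s/ -i / -o /' \
        -e '/ FORWARD /s/ -i / -o /' \
        -e 's/ DENY$/ DROP/' \
        -e 's/ DENY / DROP /' \
        -e 's/--source-port /--sport /' \
        -e 's/--destination-port /--dport /' \
        -e 's/ -y / --syn /' \
        -e 's/ -y$/ --syn/'
}

# Constructed ipchains script used as sample input (not a real configuration).
SAMPLE='#!/bin/sh
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
ipchains -A input -i lo -j ACCEPT
ipchains -A input -p tcp -y --destination-port 113 -j REJECT
ipchains -A input -p tcp -y -j DENY
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipchains -A output -i eth0 -p tcp --source-port 1024:65535 -j ACCEPT'

printf '%s\n' "$SAMPLE" | ipchains_to_iptables
```

The converted script still needs `echo 1 > /proc/sys/net/ipv4/ip_forward` for the MASQUERADE rule to do anything, and the REJECT target needs its module loaded, as the earlier post says. Run the result and fix whatever iptables complains about, as suggested above.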