
Thread: trouble with firewall

  1. #1

    trouble with firewall

    Hi there,

    I set up SSH and thttpd following http://www.macsat.com, but I can't access these services from the WAN; only from the LAN is it working

    EXCEPT IF I TURN MY FIREWALL OFF

    then everything works.

    I could turn off the firewall, my computers are secured behind the NAT anyway, but still I would rather do it some other way, with the firewall running.

    I was going over the forum, but I couldn't find anyone who had similar difficulties fixed.

    Do you?
    ------------------------------------------------------
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    logdrop all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state NEW
    ACCEPT all -- anywhere anywhere state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
    logdrop all -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere tcp dpt:81
    ACCEPT tcp -- anywhere anywhere tcp dpt:www
    DROP all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    logdrop all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
    ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
    ACCEPT icmp -- anywhere anywhere limit: avg 1/sec bur
    ------------------------------------------------------
    $ cat /usr/local/sbin/post-boot
    #!/bin/sh
    # wait for /opt to mount
    mount /dev/discs/disc0/part2 /opt
    i=0
    while [ $i -le 30 ]
    do
        if [ -d /opt/etc ]
        then
            break
        fi
        sleep 1
        i=`expr $i + 1`
    done

    # Activate swap
    swapon /dev/discs/disc0/part1

    # Run all active services - active means starts with S
    /opt/etc/init.d/rc.unslung

    # SSH server (dropbear) and Samba daemons
    dropbear
    /usr/sbin/smbd -D
    /usr/sbin/nmbd -D
    ------------------------------------------------------
    $ cat /usr/local/sbin/post-firewall
    #!/bin/sh
    # remove the trailing catch-all DROP so the ACCEPT rules below land before it
    iptables -D INPUT -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 81 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # $1 is used as the incoming (WAN) interface, $4 as the address to redirect to
    iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81

    # re-append the catch-all DROP at the end of the chain
    iptables -A INPUT -j DROP
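    An added check, not part of the thread: in the INPUT chain posted above, the ACCEPT rules for ssh, 81 and www sit below an unconditional `logdrop all -- anywhere anywhere` rule, so any packet that reaches that rule is logged and dropped before the later ACCEPTs are ever consulted (the listing comes from `iptables -L` without `-v`, which hides the interface match, so the earlier `state NEW` ACCEPTs may well be LAN-only). The POSIX shell script below was written for this edit and is not from the thread or the macsat tutorial; it reads an `iptables -L <chain>` listing on stdin and reports every ACCEPT rule that is shadowed by an earlier catch-all DROP/REJECT/logdrop rule. It assumes `logdrop` is a user-defined chain that ends in DROP (the dump only shows it as a target), and both sample listings are constructed: the first copies the posted INPUT chain, the second shows the same rules with the ACCEPTs moved above the catch-all.

```shell
#!/bin/sh
# Added example: detect ACCEPT rules shadowed by an earlier catch-all drop
# in an `iptables -L <chain>` listing. Not code from the thread.

# Constructed sample: the INPUT chain as posted in the thread.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
target prot opt source destination
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
logdrop all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:81
ACCEPT tcp -- anywhere anywhere tcp dpt:www
DROP all -- anywhere anywhere'

# Constructed sample: same rules with the service ACCEPTs above the catch-all.
FIXED_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
target prot opt source destination
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:81
ACCEPT tcp -- anywhere anywhere tcp dpt:www
logdrop all -- anywhere anywhere
DROP all -- anywhere anywhere'

# shadowed_accepts: read a chain listing on stdin and print every ACCEPT rule
# that appears after an unconditional terminating rule. A rule counts as
# unconditional when its target is DROP/REJECT/logdrop (assumed to end in
# DROP), its protocol is "all" and it has no match columns after "destination".
shadowed_accepts() {
    awk '
        NR <= 2 { next }                      # skip the two header lines
        ($1 == "DROP" || $1 == "REJECT" || $1 == "logdrop") && $2 == "all" && NF == 5 {
            blocked = 1; next                  # everything below here is unreachable
        }
        blocked && $1 == "ACCEPT" { printf "rule %d: %s\n", NR - 2, $0 }
    '
}

# count_shadowed: number of shadowed ACCEPT rules in the listing passed as $1.
count_shadowed() {
    printf '%s\n' "$1" | shadowed_accepts | wc -l | tr -d ' '
}

# When executed directly, audit the constructed sample from the thread.
echo "shadowed ACCEPT rules in the posted INPUT chain:"
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | shadowed_accepts
```

    To audit a live router, source the file and run `iptables -L INPUT | shadowed_accepts`; an empty result means no ACCEPT rule is hidden behind a catch-all, and a non-empty one means the service rules must be inserted above the catch-all (for example with `iptables -I`) rather than appended after it.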

  2. #2
    Join Date
    Aug 2004
    Location
    Germany
    Posts
    377
    Hi

    SSH from the WAN doesn't work here either, with macsat's tutorial.
    I hate iptables in some way, so I hope he finds the problem someday.

    Greets
    My Stuff: WL-500g, Mapower H31x 10GB HD, Philips Webcam Vesta PRO, TerraTec Webcam PRO, USB Hub

  3. #3
    Join Date
    Aug 2005
    Location
    Denmark
    Posts
    30
    I would suspect your

    logdrop all -- anywhere anywhere

    in your input chain.
    I am not quite sure what logdrop does, but I would suspect it to drop all packets.
    I would try to turn all logging off in the web interface.

  4. #4

    too bad

    No success.

    Quote Originally Posted by pfugl
    I would suspect your

    logdrop all -- anywhere anywhere

    in your input chain.
    I am not quite sure what logdrop does, but I would suspect it to drop all packets.
    I would try to turn all logging off in the web interface.

  5. #5

    success

    hi

    I have found the problem with the macsat tutorial; I don't know why it didn't work for me.

    I changed the script post-firewall to :
    #!/bin/sh
    iptables -D INPUT -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 81 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 80 -j DNAT --to-destination $4:81
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 22 -j DNAT --to-destination $4:22
    iptables -A INPUT -j DROP

    Anyway, for some reason the script didn't execute itself after the reboot of the router, so I placed it in the /opt/etc/init.d/ dir as S99firewall

    and it's working as it should.
