# Problems accessing net with netfilter/ iptables

## subdriver

Dist: Gentoo 2008.0 on UltraSparc platform, kernel version 2.6.29-r1. Kernel is 64 bit with 32 bit userspace.

I am using this machine as a firewall / router for my home network, using netfilter / iptables configured using Bastille firewall. I cannot connect to the 'net: tracepath returns 'host name lookup failure', but I am able to ping the DNS servers on my ISP's network. I have tested with an earlier kernel build which doesn't have iptables compiled in and I can access the 'net. TCPDump indicates that there is traffic both ways to the DNS server, so it seems the filter is blocking packets that I wouldn't expect it to.

I'm fairly new to packet filtering so don't really know where to look first; any pointers please?

----------

## bendeguz

post your iptables configuration

btw. I don't know Bastille :S

----------

## subdriver

Is this what you need?

```
LinserverSparc1 ~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        tcp  --  anywhere             loopback/8          LOG level warning prefix `INPUT DROP 0'
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  224.0.0.0/4          anywhere            LOG level warning prefix `INPUT DROP 1 '
DROP       all  --  224.0.0.0/4          anywhere
LOG        all  --  anywhere             192.168.0.0/16      LOG level warning prefix `INPUT DROP 2 '
DROP       all  --  anywhere             192.168.0.0/16
LOG        all  --  192.168.0.0/16       anywhere            LOG level warning prefix `INPUT DROP 3 '
DROP       all  --  192.168.0.0/16       anywhere
PUB_IN     all  --  anywhere             anywhere
INT_IN     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       all  --  anywhere             224.0.0.0/8
LOG        all  --  anywhere             anywhere            LOG level warning prefix `INPUT DROP 7 '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        tcp  --  192.168.0.0/16       0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 4 '
DROP       tcp  --  192.168.0.0/16       0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn
LOG        udp  --  192.168.0.0/16       0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 5 '
DROP       udp  --  192.168.0.0/16       0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn
ACCEPT     all  --  192.168.0.0/16       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
INT_OUT    all  --  anywhere             anywhere

Chain INT_IN (1 references)
target     prot opt source               destination
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       all  --  anywhere             224.0.0.0/8
LOG        all  --  anywhere             anywhere            LOG level warning prefix `INT_IN DROP 9 '
DROP       all  --  anywhere             anywhere

Chain INT_OUT (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
DROP       tcp  --  anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       all  --  anywhere             224.0.0.0/8
LOG        icmp --  anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 6'
DROP       icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 8 '
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LinserverSparc1 ~ #
```

----------

## bendeguz

Sorry, forgot the -v option.

Could you please update your previous post with

```
iptables -L -v
```

Is this the default setup in Bastille?

----------

## elissoncosta

You need to add the rule for established connections.

```
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables-save > rules_file
```

--

Elisson Costa

Last edited by elissoncosta on Tue Mar 23, 2010 6:39 pm; edited 1 time in total

----------

## bendeguz

Well, I'm not much of an iptables guru, but I think you have to enable incoming packets in the "forward" chain.

----------

## bendeguz

 *elissoncosta wrote:*

> You need to add the rule for established connections.
>
> ```
> # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ```


Yes, maybe you have to add (insert) that too.

And the same for the FORWARD chain:

```
# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
```

----------

## elissoncosta

The FORWARD chain works as a filter for packets going through the firewall between two hosts on different networks.

For connections from or to the firewall you should configure rules on INPUT or OUTPUT chains.


--

Elisson Costa

----------

## bendeguz

"I am using this machine as a firewall / router for my home network,"

so, he wants to use it as a gateway

----------

## subdriver

 *bendeguz wrote:*   

> sorry, forgot -v option
> 
> could you please update your previous post with 
> 
> ```
> ...

 

No, it's not the default as that doesn't give NAT or masquerading.

OK, here's the result of iptables -L -v:

```
LinserverSparc1 ~ # iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  !lo    any     anywhere             loopback/8          LOG level warning prefix `INPUT DROP 0'
    0     0 DROP       tcp  --  !lo    any     anywhere             loopback/8
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
  166 13353 ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 LOG        all  --  any    any     224.0.0.0/4          anywhere            LOG level warning prefix `INPUT DROP 1 '
    0     0 DROP       all  --  any    any     224.0.0.0/4          anywhere
    0     0 LOG        all  --  eth0   any     anywhere             192.168.0.0/16      LOG level warning prefix `INPUT DROP 2 '
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
    0     0 LOG        all  --  eth0   any     192.168.0.0/16       anywhere            LOG level warning prefix `INPUT DROP 3 '
    0     0 DROP       all  --  eth0   any     192.168.0.0/16       anywhere
  242 32077 PUB_IN     all  --  eth0   any     anywhere             anywhere
    0     0 INT_IN     all  --  eth1   any     anywhere             anywhere
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    0     0 DROP       all  --  any    any     anywhere             224.0.0.0/8
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `INPUT DROP 7 '
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 450 packets, 38340 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  any    eth0    192.168.0.0/16       0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 4 '
    0     0 DROP       tcp  --  any    eth0    192.168.0.0/16       0.0.0.255/0.0.0.255 tcp dpts:netbios-ns:netbios-ssn
    0     0 LOG        udp  --  any    eth0    192.168.0.0/16       0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn LOG level warning prefix `FORWARD DROP 5 '
    0     0 DROP       udp  --  any    eth0    192.168.0.0/16       0.0.0.255/0.0.0.255 udp dpts:netbios-ns:netbios-ssn
  448 31172 ACCEPT     all  --  any    eth0    192.168.0.0/16       anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  195 13560 PUB_OUT    all  --  any    eth0    anywhere             anywhere
  133 26292 INT_OUT    all  --  any    eth1    anywhere             anywhere

Chain INT_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:bootps
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:bootpc
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    0     0 DROP       all  --  any    any     anywhere             224.0.0.0/8
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `INT_IN DROP 9 '
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain INT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
  133 26292 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PAROLE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PUB_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable
    3   252 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:netbios-ns:netbios-ssn
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    0     0 DROP       all  --  any    any     anywhere             224.0.0.0/8
    0     0 LOG        icmp --  any    any     anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 6'
    0     0 DROP       icmp --  any    any     anywhere             anywhere
  239 31825 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 8 '
  239 31825 DROP       all  --  any    any     anywhere             anywhere

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  195 13560 ACCEPT     all  --  any    any     anywhere             anywhere
LinserverSparc1 ~ #
```

I'm not sure why Bastille's added 224.0.0.0 to the chains, but it originates from the /etc/Bastille/firewall.d/pre-audit.d/pre-audit.sh script.

Note, I've tweaked some settings in bastille that I had previously set incorrectly, so the above output differs slightly from the previous one.
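A way to read the verbose listing above, as an added example (not code from the thread or from Bastille): it parses `iptables -L -v` output and reports the DROP/LOG rules and chain policies whose packet counters are climbing, which is where the missing traffic is going. The sample listing is constructed from the output posted above; `hot_rules` and `sample_listing` are this example's own names.

```shell
#!/bin/sh
# Added example, not from the thread: read `iptables -L -v` output and list
# the rules whose packet counters are actually moving. A DROP or LOG rule
# with a non-zero count, or a chain policy with a non-zero count, is where
# traffic is dying; that is the first place to look before touching rules.

# Constructed sample, cut down from the listing posted above (eth0 public,
# eth1 internal); on the gateway itself run `iptables -L -v | hot_rules`.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  166 13353 ACCEPT     all  --  eth1   any     anywhere             anywhere
  242 32077 PUB_IN     all  --  eth0   any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `INPUT DROP 7 '
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 450 packets, 38340 bytes)
 pkts bytes target     prot opt in     out     source               destination
  448 31172 ACCEPT     all  --  any    eth0    192.168.0.0/16       anywhere

Chain PUB_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
  239 31825 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `PUB_IN DROP 8 '
  239 31825 DROP       all  --  any    any     anywhere             anywhere
EOF
}

# Print one line per hit: "<chain> <target> <pkts>" for DROP/LOG rules with
# a non-zero counter, and "<chain> policy <TARGET> <pkts>" for a chain
# policy that has dropped packets. Reads the listing on stdin.
hot_rules() {
    awk '
        /^Chain / {
            chain = $2
            # "Chain FORWARD (policy DROP 450 packets, ...)": $4 = policy, $5 = count
            if ($3 == "(policy" && $5 + 0 > 0) print chain, "policy", $4, $5
            next
        }
        # rule lines start with the pkts counter; the header row does not
        $1 ~ /^[0-9]+$/ && $1 + 0 > 0 && ($3 == "DROP" || $3 == "LOG") {
            print chain, $3, $1
        }
    '
}

sample_listing | hot_rules
```

On the listing above this points at the FORWARD policy (450 packets) and PUB_IN's catch-all LOG/DROP pair (239 packets): traffic arriving on eth0 that no rule accepts, which is exactly what the ESTABLISHED,RELATED rule suggested earlier in the thread is for.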

----------

## subdriver

 *elissoncosta wrote:*   

> You need to add the rule for established connections.
>
> ```
> # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables-save > rules_file
> ```
> ...

 

Not sure if I can do that, as Bastille flushes all the chains before loading its own; I cannot see why Bastille won't set up the NAT / masquerading, as it's set in the /etc/Bastille/bastille-firewall.cfg configuration file (I manually added it to match the old, now dead, firewall's settings).

----------

## subdriver

 *bendeguz wrote:*   

> "I am using this machine as a firewall / router for my home network,"
> 
> so, he wants to use it as a gateway

 

That's correct.

----------

## elissoncosta

Add the following rule on the command line (don't flush the rules), then test it.

```
# iptables -t nat -A POSTROUTING -j MASQUERADE
```

--

Elisson Costa

----------

## bendeguz

 *subdriver wrote:*   

> *elissoncosta wrote:* You need to add the rule for established connections.
>
> ```
> # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables-save > rules_file
> ```
> ...

 

But if it is like iptables on the desktop profile, then you can save the rules; this way you update the iptables init script.

I use this

```
# /etc/init.d/iptables save
```

after adding some rules.

So if you boot up your gateway, then add some rules from the command line and type "iptables save", the next boot will load the new rules as well.

----------

## subdriver

 *elissoncosta wrote:*   

> You need to add the rule for established connections.
>
> ```
> # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables-save > rules_file
> ```
> ...

 

I tried this and got the message

```
LinserverSparc1 ~ # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.
```

 *elissoncosta wrote:*

> Add the following rule on the command line (don't flush the rules), then test it.
>
> ```
> iptables -t nat -A POSTROUTING -j MASQUERADE
> ```
> ...

 

I did this but still can't tracepath from the server itself.

I did notice that there are some rules that show up in iptables-save that don't show up in iptables -L -v. After adding the above, I get this with iptables-save:

```
LinserverSparc1 ~ # iptables-save
# Generated by iptables-save v1.4.3.2 on Tue Mar 23 23:33:20 2010
*nat
:PREROUTING ACCEPT [1607:137967]
:POSTROUTING ACCEPT [175:12146]
:OUTPUT ACCEPT [178:12323]
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue Mar 23 23:33:20 2010
# Generated by iptables-save v1.4.3.2 on Tue Mar 23 23:33:20 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1389:126393]
:OUTPUT ACCEPT [2:196]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j LOG --log-prefix "INPUT DROP 0"
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "INPUT DROP 1 "
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 192.168.0.0/16 -i eth0 -j LOG --log-prefix "INPUT DROP 2 "
-A INPUT -d 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j LOG --log-prefix "INPUT DROP 3 "
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -i eth0 -j PUB_IN
-A INPUT -i eth1 -j INT_IN
-A INPUT -p tcp -m tcp --dport 137:139 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -j DROP
-A INPUT -d 224.0.0.0/8 -j DROP
-A INPUT -j LOG --log-prefix "INPUT DROP 7 "
-A INPUT -j DROP
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 4 "
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p tcp -m tcp --dport 137:139 -j DROP
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j LOG --log-prefix "FORWARD DROP 5 "
-A FORWARD -s 192.168.0.0/16 -d 0.0.0.255/0.0.0.255 -o eth0 -p udp -m udp --dport 137:139 -j DROP
-A FORWARD -s 192.168.0.0/16 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j PUB_OUT
-A OUTPUT -o eth1 -j INT_OUT
-A INT_IN -p tcp -m tcp --dport 22 -j PAROLE
-A INT_IN -p udp -m udp --dport 67 -j ACCEPT
-A INT_IN -p udp -m udp --dport 68 -j ACCEPT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -p tcp -m tcp --dport 137:139 -j DROP
-A INT_IN -p udp -m udp --dport 137:139 -j DROP
-A INT_IN -d 224.0.0.0/8 -j DROP
-A INT_IN -j LOG --log-prefix "INT_IN DROP 9 "
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 137:139 -j DROP
-A PUB_IN -p udp -m udp --dport 137:139 -j DROP
-A PUB_IN -d 224.0.0.0/8 -j DROP
-A PUB_IN -p icmp -j LOG --log-prefix "PUB_IN DROP 6"
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j LOG --log-prefix "PUB_IN DROP 8 "
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
COMMIT
# Completed on Tue Mar 23 23:33:20 2010
LinserverSparc1 ~ #
```

----------

## bendeguz

Well, I don't know, but isn't this ruleset overcomplicated?

If I were you I would build a basic ruleset with the rules that allow you to go out to the net (block everything in or through the gateway, except related and established packets; allow everything out), and when it's working, then you can make it safer by adding more rules.

(I was using floppyfw (http://www.zelow.no/floppyfw/) for routing for a long time.)
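The basic ruleset described in this post, as an added example (not Bastille's generated rules and not code from the thread): it emits a minimal stateful gateway configuration in iptables-restore format so it can be read before it is loaded, and first checks for the state match whose absence produces the "No chain/target/match by that name" error seen earlier in the thread. Interface names and the 192.168.0.0/16 network are the thread's; `gateway_ruleset` and `state_match_available` are this example's own names.

```shell
#!/bin/sh
# Added example, not Bastille's output and not code from the thread: the
# "basic ruleset" suggested above, written out in iptables-restore format
# so it can be read before it is loaded, plus the preflight check for the
# state match. Interface and network names follow the thread (eth0 public,
# eth1 internal, 192.168.0.0/16); nothing here calls iptables itself.

# "iptables: No chain/target/match by that name." for `-m state` means the
# kernel has no state match (module xt_state, or a kernel built without it).
# Dry-run modprobe answers for a module file; the /proc list covers a match
# that is already loaded or built in.
state_match_available() {
    modprobe -n -q xt_state 2>/dev/null ||
        grep -qx state /proc/net/ip_tables_matches 2>/dev/null
}

# Emit a minimal stateful gateway ruleset. $1 public iface, $2 internal
# iface, $3 internal network. Policy is DROP on INPUT and FORWARD; only
# replies to connections opened from the gateway or the LAN, the LAN's own
# traffic, and loopback are accepted. The LAN is masqueraded behind $1.
gateway_ruleset() {
    pub=$1; int=$2; lan=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan -o $pub -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to what the gateway itself sent out (DNS lookups, tracepath, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $int -s $lan -j ACCEPT
# replies to what the LAN hosts sent out through the gateway
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $pub -s $lan -j ACCEPT
# rate-limited log of what the DROP policies are about to eat (needs xt_limit)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP "
COMMIT
EOF
}

# Typical use as root, once forwarding is on (net.ipv4.ip_forward=1):
#   gateway_ruleset eth0 eth1 192.168.0.0/16 | iptables-restore
if state_match_available; then
    echo "state match: available" >&2
else
    echo "state match: missing (build xt_state / CONFIG_NETFILTER_XT_MATCH_STATE)" >&2
fi
gateway_ruleset eth0 eth1 192.168.0.0/16
```

Review the printed ruleset before piping it into iptables-restore; it replaces whatever Bastille loaded, so keep Bastille's own init script from re-running afterwards or it will flush these rules again, as noted later in the thread.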

----------

## subdriver

 *bendeguz wrote:*   

> Well, I don't know, but isn't this ruleset overcomplicated?
>
> If I were you I would build a basic ruleset with the rules that allow you to go out to the net (block everything in or through the gateway, except related and established packets; allow everything out), and when it's working, then you can make it safer by adding more rules.
>
> (I was using floppyfw (http://www.zelow.no/floppyfw/) for routing for a long time.)

 

It is complicated but that's what Bastille generates using the configuration script. If I had any idea about using iptables then I might have a go, but I don't, sadly. I used Bastille with great success on a Mandrake installation years ago, I was hoping it would work as smoothly this time.

----------

## bendeguz

You have a config file to set up, like this one: http://www.physics.ucsb.edu/~taro/comp/dimension4100/bastille/bastille-firewall.cfg, and then you have to run a script which makes the rules from the config file?

Because if that is so, then maybe you have something wrong in the config file. Post that one too, if it is not too long.

----------

## subdriver

 *bendeguz wrote:*   

> You have a config file to set up, like this one: http://www.physics.ucsb.edu/~taro/comp/dimension4100/bastille/bastille-firewall.cfg, and then you have to run a script which makes the rules from the config file?
>
> Because if that is so, then maybe you have something wrong in the config file. Post that one too, if it is not too long.

 

I've edited out a lot of the comments to shorten it but not so many that it doesn't make sense, hopefully:

```
#
# /etc/bastille-firewall.cfg
#
# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
#
# the configuration values should be whitespace-delimited lists of
# appropriate values, e.g.
#       TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers

# 0) DNS servers (Linux 2.2/ipchains only)
#       You must list your DNS servers here so that
#       the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#
DNS_SERVERS=""

# 1) define your interfaces (all systems)
#       Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
#       interface
#
TRUSTED_IFACES="lo eth1"
PUBLIC_IFACES="eth0"
INTERNAL_IFACES="eth1"

# 2) services for which we want to log access attempts to syslog (all systems)
#       Note this only audits connection attempts from public interfaces
#
TCP_AUDIT_SERVICES=""
UDP_AUDIT_SERVICES=""
ICMP_AUDIT_TYPES=""

# 3) services we allow connections to (all systems)
#
TCP_PUBLIC_SERVICES=""
UDP_PUBLIC_SERVICES=""
TCP_INTERNAL_SERVICES="22"
UDP_INTERNAL_SERVICES="67 68"

# 4) passive/active FTP (Linux 2.2/ipchains only)
FORCE_PASV_FTP="Y"

# 5) Services to explicitly block. (Linux 2.2/ipchains only)
TCP_BLOCKED_SERVICES="2049 2065:2090 6000:6020 7100"
UDP_BLOCKED_SERVICES="2049 6770"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"

# 6) Source Address Verification (all Linux systems)
#       This helps prevent "IP Spoofing" attacks
#
ENABLE_SRC_ADDR_VERIFY="Y"

# 7) IP Masquerading / NAT. (all systems)
#       List your internal/masq'ed networks here
#
IP_MASQ_NETWORK="192.168.0.0/255.255.0.0"
IP_MASQ_MODULES="ftp raudio vdolive"

# 8) How to react to disallowed packets (all systems)
# whether to "REJECT" or "DROP" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DROP" so simple probes don't know if there's anything out there
REJECT_METHOD="DENY"

# 9) DHCP (Linux 2.2/ipchains only)
DHCP_IFACES="eth0"

# 10) NTP servers (Linux 2.2/ipchains only)
#       more UDP fun. List IP addresses or network space of NTP servers
#
#NTP_SERVERS=""                         # DISABLE NTP QUERIES / SAFEST
NTP_SERVERS=""

# 11) more ICMP. (Linux 2.2/ipchains only)
#       Control the outbound ICMP to make yourself invisible to
#       traceroute probes
ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"

# 12) Logging (all systems)
#       With this enabled, ipchains will log all blocked packets.
#                ** this could generate huge logs **
LOG_FAILURES="Y"

# 13) Block fragmented packets (all systems)
#       There's no good reason to allow these
#ALLOW_FRAGMENTS="N"                            # safest
ALLOW_FRAGMENTS="Y"                             # old behavior

# 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)
DROP_SMB_NAT_BCAST="Y"          # drop those packets

# 15) Log level (iptables/netfilter/Linux 2.4 only)
IP_LOG_LEVEL=4                  # iptables/netfilter default

# 16) Always attempt to use stateful features for inbound connections
#       Always using state will allow the firewall to reject invalid
#       packets sent to otherwise open TCP services, e.g. XMAS, NULL
#       and SIN/FYN scans. The downside to choosing this behavior is that
#       services may become unreachable if the packet filter's state
#       table becomes full.
IP_ALWAYS_USE_STATE="N"         # default, ensures services remain available
#IP_ALWAYS_USE_STATE="Y"        # disallow invalid packets
```

----------

## bendeguz

 *subdriver wrote:*

> I tried this and got the message
>
> ```
> ...

 

This should work. Maybe try PUB_IN instead of INPUT.

And try this for the FORWARD chain too:

```
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
```

I can't see anything in your bastille.conf (though I've never used it). So if there are no more configuration files, then you have to set your rules by hand, because it seems it doesn't want to allow incoming packets.

So try to run those two commands... Good luck

----------

## subdriver

Fixed!

I discovered that module xt_state hadn't been built. Did a config, rebuilt the kernel and modules, including xt_state, and it works.

On a side note, most iptables tutorials seem to refer to kernel version 2.4 or early 2.6 (pre 2.6.15), and a lot of the filter options have been renamed since then, which makes trying to ensure you have the correct modules very difficult.

One last problem remains: psad isn't starting, it's complaining about "unrecognized src/dst: myhomenet.net" (myhomenet.net is my network's name); I'm guessing this needs to be set to something else in the psad.conf file.

----------

## subdriver

Fixed the psad issue: I found the home network should be defined as the network IP address, i.e. 192.168.0.0/24, and not the name; that's not clear in the Bastille 'documentation' (the config file). Changed it and psad is working.

----------

