iptables question

Mike Lovell mike at dev-zero.net
Mon Nov 3 21:19:57 MST 2008


Stuart Jansen wrote:
> On Mon, 2008-11-03 at 20:39 -0700, Mike Lovell wrote:
>   
>> As for the suggestion to reinstall the OS, I'm not entirely sure how to 
>> go about that. The machine is a Linksys NSLU2 that I hacked and loaded 
>> Debian on. Things were touchy getting it installed so I'd rather try 
>> other solutions first. Thanks though.
>>     
>
> I was referring to the compromised file server. Surely that isn't a
> linksys.
>
> As for your firewall problem, it's hard to debug a firewall without
> looking at _all_ rules. If you're comfortable giving us the entire rule
> set, run "iptables-save" and send us the output.
Actually, the file server is another Linksys box. The NSLU2 is a neat 
little box that Linksys released a couple years ago. It has two USB 2.0 
ports and an Ethernet port. It is meant to share a USB drive on a 
network. Like many Linksys devices from the past, it was very hackable. 
I hooked up spare hard drive, installed Debian, set up a file share, and 
looked up two USB printers. It was worked relatively well for my parents 
and at the time was only $90. Good stuff.

After taking some time looking at the extra stuff that OpenWRT does, I 
found that in the middle of the FORWARD table, they redirect over to a 
new table called forwarding_rule. I was appending a rule to the end of 
FORWARD and nothing was ever getting there. I added some explicit 
accepts to the forwarding_rule table followed by a REJECT for everything 
else. And it appears to be working. I can do aptitude update and 
aptitude is able to pull the package lists but if I use links to go to 
google.com, I get a connection refused. So for anyone who wants to do 
something similar on a Linksys running OpenWRT, add your rules to 
forwarding_rule and not FORWARD.

Thanks everyone for the input.

Mike



More information about the PLUG mailing list