Cant figure out whats wrong with simple rules

[dualarrow]

I'm having problems figuring out why a simple set of rules are failing. In total, theres 3 rules. 1 to allow everything on interface lo (1st rule) The last rule is a block everything, and the middle rule is as follows
Source: any
Destingation: network 10.250.0.0/16
Service: any
Interface: any
Direction: both
Action: allow
Time: any
Options: none

When applied, I can't ssh to the box. If I add the boxes IP (10.250.1.153) to the destination, it all works.

Below is the result of iptables -L -n

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  -  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state NEW
RULE_10    all  -  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  -  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  -  0.0.0.0/0            10.250.0.0/16       state NEW
RULE_10    all  -  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  -  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  -  0.0.0.0/0            0.0.0.0/0           state NEW
ACCEPT     all  -  0.0.0.0/0            10.250.0.0/16       state NEW
RULE_10    all  -  0.0.0.0/0            0.0.0.0/0

Chain RULE_10 (3 references)
target     prot opt source               destination
ULOG       all  -  0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `RULE 10 - DENY ' queue_threshold 1
DROP       all  -  0.0.0.0/0            0.0.0.0/0

The logging indicates it always reaches the block rule even through the rules look like they should be letting it through.

I'm sure I'm missing something obvious but I just can't see it.

Any help would be appreciated.

Thanks,
Andrew

[Vadim Kurland]

iptables -L -n -v   would have been better command because it shows inbound and outbound interface

anyway, check if the option "assume firewall is part of "any" and networks" is turned on in the firewall settings dialog. When it is off, compiler assumes firewall is _not_ part of the network 10.250.0.0/16 and so does not put rule matching this network in destination in the INPUT chain

[dualarrow]

Thanks for the reply vkurland,

Below is the iptables -L -n -v

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    9   668 ACCEPT     all  -  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  -  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  -  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
   90  9433 RULE_10    all  -  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  -  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   54  8805 DROP       all  -  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  261 24054 ACCEPT     all  -  *      *       0.0.0.0/0            10.250.0.0/16       state NEW
   96 11073 RULE_10    all  -  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
   12  1108 ACCEPT     all  -  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  -  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  -  *      lo      0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  -  *      *       0.0.0.0/0            10.250.0.0/16       state NEW
    0     0 RULE_10    all  -  *      *       0.0.0.0/0            0.0.0.0/0

Chain RULE_10 (3 references)
pkts bytes target     prot opt in     out     source               destination
  186 20506 ULOG       all  -  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `RULE 10 - DENY ' queue_threshold 1
  186 20506 DROP       all  -  *      *       0.0.0.0/0            0.0.0.0/0

I have been comparing another firewall I have generated (its live and works fine and also generated from FWB).

What I have noticed is that the working one generates a few ACCEPT rules in the INPUT chain that dont seem to be getting generated in this simple rule set. With the -v option added, it looks like theres nothing to ACCEPT on the INPUT chain for the 10.250.0.0/16 network which seems odd as I would have thought the middle rule would have generated an appropriate ACCEPT for it.

If I remove the final RULE_10 from the INPUT chain and replace it with an ACCEPT it works (not really surprising).

I just dont know why the 10.250.0.0/16 rule isnt generating any INPUT ACCEPT's.

Andrew

[dualarrow]

Sorry, I forgot to add that the "assume firewall is part of any" was checked.

[dualarrow]

I found the problem

Near the "Assume firewall is part of any" is the option "Bridging Firewall". I had assumed this would have mean it turned forwarding on. Maybe it does, but it also seems to stop generating the INPUT ACCEPT rules.

If anyone is able to briefly explain what it's for that would be helpful.

Anyway, my firewall seems to behaving as expected now.

Regards,
Andrew

[Vadim Kurland]

that option indicates that your firewall is set up as a bridge rather than a router. Iptables rules should be different in this case.

If you wanted to turn ip forwarding on, there is a control for this in the first page of the "advanced host settings" in the firewall object