
Help by defining rules in iptable


alfer (Programmer), Jun 12, 2003
Hi friends!

I have a Linux system with iptables installed. The system does IP masquerading and filters traffic on the external interface. The internal interface is mostly trusted.

Now I have to block traffic from one computer (192.168.1.26) in the internal network on one specific port (80). What shall I change in my IP configuration? I have to block forwarding and accepting of port 80 for only this one computer (192.168.1.26).

I have the following /etc/sysconfig/iptables file:
[tt]
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT[/tt]

I thought about a line like:
[tt]-A RH-Lokkit-0-50-INPUT -p tcp -s 192.168.1.26 --dport 80 -j REJECT[/tt]
but this seems not to work.

How would you change my configuration to perform this task?

Do I have to restart Linux, or only /etc/init.d/iptables, after such changes?

Thanks for any answer!
 
Since it's internal, I guess you are doing some sort of NAT. In that case put that rule in the FORWARD chain, not INPUT...


 
Firstly: to perform NAT you must use the nat built-in and one of its processing chains.
Secondly: to route traffic you must enable forwarding and set up the proper rules in your FORWARD chain.

I would not use RH-specific tools.
This is an example of network-related activity, not of INPUT rules affecting only your router.
Code:
# Assumed values (not given in the original reply); adjust them to your network.
local_net=192.168.1.0/24    # the internal LAN
external=eth1               # the interface facing the Internet

# Default to dropping everything that is not explicitly allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Masquerade LAN traffic as it leaves the external interface (nat table, POSTROUTING chain).
iptables -t nat -A POSTROUTING -s $local_net -o $external -j MASQUERADE
# Let the LAN open connections to anywhere through the external interface.
iptables -A FORWARD -s $local_net -d 0/0 -o $external -j ACCEPT
# Let only replies to already established connections back in towards the LAN.
iptables -A FORWARD -s 0/0 -d $local_net -i $external --match state --state ESTABLISHED -j ACCEPT

Your rules as written are badly broken or insecure.
Check out Tony Mancill's "Linux Routers", which is the best value for your money when using Linux as a router, IMHO.
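The reason the appended line in the first post has no effect is rule order: iptables walks a chain top to bottom and the first terminating target (ACCEPT, DROP, REJECT) wins, and the lokkit chain already has `--dport 80 --syn -j ACCEPT` and `-i eth0 -j ACCEPT` ahead of the new REJECT, so it is never reached. The following is an added example, not code from the thread or from the iptables project. It models that first-match walk for the match options used in the posted file, and assumes eth0 is the internal interface, which the post does not say. It runs the poster's ruleset with the REJECT appended, and the same ruleset with the host-specific REJECT placed ahead of the jump into the lokkit chain in both INPUT and FORWARD, the placement the two replies point at.

```python
"""First-match walk of an iptables filter chain (added example, not from the thread).

Assumes eth0 is the internal interface; the post does not say. Only the match
options that appear in the posted lokkit file are modelled."""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str        # "tcp" or "udp"
    dport: int
    in_iface: str     # interface the packet arrived on
    syn: bool = True  # True for a connection-opening TCP segment


# Rules from the post (trimmed to the ones that matter here), with the poster's
# REJECT appended at the end of the lokkit chain, as in the question.
APPENDED = """
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -s 192.168.1.26 --dport 80 -j REJECT
"""

# Same rules, with the host-specific REJECT placed ahead of the jump into the
# lokkit chain in both INPUT and FORWARD, so it is evaluated first.
BLOCK = "-s 192.168.1.26 -p tcp -m tcp --dport 80 -j REJECT"
FIXED = APPENDED.replace(
    "-A INPUT -j", "-A INPUT %s\n-A INPUT -j" % BLOCK
).replace(
    "-A FORWARD -j", "-A FORWARD %s\n-A FORWARD -j" % BLOCK
)


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into (chain, match criteria, target)."""
    toks = shlex.split(line)
    chain, crit, target, i = toks[1], {}, None, 2
    while i < len(toks):
        opt = toks[i]
        if opt == "-m":              # match-module load; carries no criterion itself
            i += 2
        elif opt == "-j":
            target, i = toks[i + 1], i + 2
        elif opt in ("-p", "-s", "-i"):
            crit[{"-p": "proto", "-s": "src", "-i": "in_iface"}[opt]] = toks[i + 1]
            i += 2
        elif opt == "--dport":       # single port or lo:hi range
            lo, _, hi = toks[i + 1].partition(":")
            crit["dport"], i = (int(lo), int(hi or lo)), i + 2
        elif opt == "--syn":
            crit["syn"], i = True, i + 1
        else:
            raise ValueError("unsupported option: " + opt)
    return chain, crit, target


def matches(crit, pkt):
    """True when every criterion of the rule holds for the packet."""
    return (
        crit.get("proto", pkt.proto) == pkt.proto
        and crit.get("in_iface", pkt.in_iface) == pkt.in_iface
        and ("src" not in crit or ipaddress.ip_address(pkt.src)
             in ipaddress.ip_network(crit["src"], strict=False))
        and ("dport" not in crit or crit["dport"][0] <= pkt.dport <= crit["dport"][1])
        and (not crit.get("syn") or pkt.syn)
    )


def load(text):
    """Read iptables-save style text into chain policies and ordered rule lists."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy   # user chains have no policy
            chains[name] = []
        elif line.startswith("-A"):
            chain, crit, target = parse_rule(line)
            chains[chain].append((crit, target))
    return policies, chains


def decide(text, chain, pkt, _tables=None):
    """First match wins. Falling off a user chain returns to the caller;
    falling off a built-in chain yields its policy."""
    policies, chains = _tables or load(text)
    for crit, target in chains[chain]:
        if not matches(crit, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = decide(text, target, pkt, (policies, chains))
        if sub is not None:
            return sub
    return policies[chain]


if __name__ == "__main__":
    web_from_26 = Packet("192.168.1.26", "tcp", 80, "eth0")   # constructed sample packet
    for name, rules in (("appended", APPENDED), ("fixed", FIXED)):
        print(name, "INPUT:", decide(rules, "INPUT", web_from_26),
              "FORWARD:", decide(rules, "FORWARD", web_from_26))
```

On the real box the equivalent is to put the two REJECT lines in /etc/sysconfig/iptables before the `-A INPUT -j RH-Lokkit-0-50-INPUT` and `-A FORWARD -j RH-Lokkit-0-50-INPUT` lines and run `/etc/init.d/iptables restart`; no reboot is needed. To try it live first, `iptables -I INPUT 1 -s 192.168.1.26 -p tcp --dport 80 -j REJECT` (and the same with `-I FORWARD 1`) inserts at the top of the chain, and `iptables -L INPUT -n --line-numbers` shows the resulting order. Two caveats: the file header says lokkit rewrites it, so re-running lokkit will discard the manual lines, and the rule only stops new TCP connections to port 80 from that host; everything else from 192.168.1.26 still passes through the trusted-interface ACCEPT.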
 