
Iptables 1

Status
Not open for further replies.

Mellegem

Technical User
Apr 3, 2003
49
ZA
Hi

I have currently got a script that goes like this

<code>
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
#$IPTABLES -A INPUT -p ICMP -j DROP

#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --sport 80 -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp --sport 80 -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --sport 53 -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp --sport 53 -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --sport 42 -i $INTIF -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
</code>
To my understanding this script sets a policy to drop all packets that need to be routed and then states which protocols should be forwarded. As it stands it doesn't work although everything I've read says it should. If I remove the port specifications then the script works but forwards everything which is obviously not what I need.
Any ideas what I'm leaving out or where I'm going wrong?
 
In iptables, when a rule is matched the chain ends. The sequence of rules is very important, i.e.

01 $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
02 $IPTABLES -A FORWARD -i $INTIF -p tcp --sport 80 -o $EXTIF -j ACCEPT

will always forward anything that goes from $INTIF to $EXTIF; rule 02 will never be touched. Also, it is better to deal with destination ports rather than source ports, as the client machine can generate a request from any randomly available port but usually to a specific port, i.e.

client making DNS request
192.168.0.42:1369 to 202.190.128.10:53


Maybe if you do this:

$IPTABLES -A FORWARD -i $INTIF -p tcp -m multiport --dports 42,53,80 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -o $INTIF -j ACCEPT

It's also good to have a "-j LOG" at the end of your chain to track anything that is going wrong.
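The first-match behaviour and the destination-port plus ESTABLISHED,RELATED pattern described in this answer, as an added example that is not code from the thread: a small Python simulation of an iptables-style FORWARD chain walk. It evaluates the poster's original rule order and the corrected one against constructed sample packets and counts hits per rule, which makes visible that the catch-all rule in the original script absorbs every INTIF-to-EXTIF packet and that return traffic falls through to the DROP policy. Interface names, port numbers and the per-packet conntrack state are assumptions; real iptables derives state from conntrack, and only the matches used in this thread are modelled.

```python
"""First-match walk of an iptables-style FORWARD chain (added illustration).

Models only the matches used in this thread: -i, -o, -p, --sport, --dport
and -m state; conntrack state is supplied with each packet instead of tracked.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

INTIF, EXTIF = "eth1", "eth0"  # assumed values for $INTIF / $EXTIF


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str
    sport: int
    dport: int
    state: str = "NEW"  # what conntrack would report: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str  # ACCEPT, DROP or LOG
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    sports: Optional[FrozenSet[int]] = None  # --sport / multiport --sports
    dports: Optional[FrozenSet[int]] = None  # --dport / multiport --dports
    states: Optional[FrozenSet[str]] = None  # -m state --state ...
    hits: int = 0  # packet counter, like the pkts column of iptables -L -v

    def matches(self, p: Packet) -> bool:
        """A rule matches when every match it specifies agrees with the packet."""
        return (
            (self.in_if is None or self.in_if == p.in_if)
            and (self.out_if is None or self.out_if == p.out_if)
            and (self.proto is None or self.proto == p.proto)
            and (self.sports is None or p.sport in self.sports)
            and (self.dports is None or p.dport in self.dports)
            and (self.states is None or p.state in self.states)
        )


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first terminating match decides.

    LOG is non-terminating in iptables, so the walk continues after it, and a
    packet that matches no terminating rule falls through to the chain policy
    (the script in the question sets -P FORWARD DROP).
    """
    for rule in chain:
        if rule.matches(p):
            rule.hits += 1
            if rule.target != "LOG":
                return rule.target
    return policy


def original_chain() -> List[Rule]:
    """The poster's order: a catch-all INTIF->EXTIF ACCEPT shadows every port rule."""
    return [
        Rule("ACCEPT", in_if=INTIF, out_if=EXTIF),
        Rule("ACCEPT", in_if=INTIF, out_if=EXTIF, proto="tcp", sports=frozenset({80})),
        Rule("ACCEPT", in_if=INTIF, out_if=EXTIF, proto="udp", sports=frozenset({80})),
        Rule("ACCEPT", in_if=INTIF, out_if=EXTIF, proto="tcp", sports=frozenset({53})),
        Rule("ACCEPT", in_if=INTIF, out_if=EXTIF, proto="udp", sports=frozenset({53})),
        Rule("ACCEPT", in_if=INTIF, out_if=EXTIF, proto="tcp", sports=frozenset({42})),
        Rule("LOG"),
    ]


def corrected_chain() -> List[Rule]:
    """The answer's order: specific --dport rules, then stateful return traffic."""
    return [
        Rule("ACCEPT", in_if=INTIF, out_if=EXTIF, proto="tcp", dports=frozenset({42, 53, 80})),
        Rule("ACCEPT", in_if=INTIF, out_if=EXTIF, proto="udp", dports=frozenset({53})),
        Rule("ACCEPT", in_if=EXTIF, out_if=INTIF, states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("LOG"),
    ]


# Constructed sample traffic (not captured data): the thread's DNS example,
# its reply, a web request, an outbound connection to a port that should not
# be allowed, and an unsolicited inbound connection attempt.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "dns_query_out": Packet(INTIF, EXTIF, "udp", 1369, 53),
    "dns_reply_in": Packet(EXTIF, INTIF, "udp", 53, 1369, state="ESTABLISHED"),
    "http_out": Packet(INTIF, EXTIF, "tcp", 1370, 80),
    "smtp_out": Packet(INTIF, EXTIF, "tcp", 40000, 25),
    "unsolicited_in": Packet(EXTIF, INTIF, "tcp", 4444, 22),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdict per sample packet; rule.hits on the chain shows which rule fired."""
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, builder in (("original", original_chain), ("corrected", corrected_chain)):
        chain = builder()
        print(label, verdicts(chain), [r.hits for r in chain])
```

With the original order, every INTIF-to-EXTIF packet (including the SMTP one) is accepted by the first rule, the five port rules never see a packet, and the DNS reply coming back in from EXTIF only hits LOG before falling to the DROP policy, which is the "doesn't work" symptom in the question. With the corrected order, the DNS query, its reply and the web request are accepted, while the SMTP attempt and the unsolicited inbound connection are logged and dropped.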
 