LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Bridging firewall, how to block incoming traffic? (http://www.linuxquestions.org/questions/linux-networking-3/bridging-firewall-how-to-block-incoming-traffic-805520/)

zyprexa 05-02-2010 02:20 PM

Bridging firewall, how to block incoming traffic?
 
I'm having problems with iptables not doing what I want :(

I have an Ubuntu computer set up as a bridge between the gateway and the LAN, with the LAN connected to eth0 and the gateway on eth1.

I'm trying to get it to basically block everything incoming except for the ports I specify (www etc.), but also allow outgoing traffic from the LAN behind it. I've found, tried and modified some examples I found on the web, but it still won't block incoming traffic (i.e., I'm still able to reach my web server).

These are the rules I'm running now, and I can't figure out why they won't block incoming traffic:

Code:

#!/bin/bash

iptables -F
iptables -X

iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT

# connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

iptables -S gives me:
Code:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable

Any advice on what I'm doing wrong is appreciated :(

SuperJediWombat! 05-03-2010 02:06 AM

Because your eth0 and eth1 are in a bridge, they show up as br0 (or something similar) to iptables. If you want to match packets inside the bridge using the physical interface the packets come from, you need to use the 'physdev' module.

Try this (untested, might be wrong on the physdev syntax):
Code:

#!/bin/bash

iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# drop invalid
iptables -I FORWARD -m state --state INVALID -j DROP

# allow outgoing traffic
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT

# allow related/established connections in
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop all other incoming traffic
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j REJECT


TimothyEBaldwin 05-03-2010 03:03 AM

Use the physdev match extension. Your connection tracking match is backwards, you want to allow incoming traffic that matches.

What about protocols other than IPv4?

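The two replies above make three points worth seeing together: match on the bridge ports with physdev, put the conntrack rule on the WAN-to-LAN direction rather than the LAN-to-WAN one, and remember that iptables only ever sees IPv4 while the bridge forwards every Ethernet protocol. The script below is an added example, not code from the thread or from any of the posters; it puts those points into one rule set and adds the explicit "published port" rules the original question asked for. Interface names (eth0 for the LAN, eth1 for the gateway), the port list and the hypothetical `run`/`bridge_rules` helpers are assumptions. Without arguments it only prints the commands it would run; with `--apply` as root it installs them.

```shell
#!/bin/bash
# Added example (not from the thread): bridging firewall using physdev for
# direction, conntrack for replies, and ebtables to close the non-IPv4 gap.
# Interface names, ports and helper names below are assumptions.

LAN_IF="${LAN_IF:-eth0}"              # assumption: LAN side of the bridge
WAN_IF="${WAN_IF:-eth1}"              # assumption: gateway side of the bridge
ALLOWED_TCP="${ALLOWED_TCP:-80 443}"  # assumption: TCP services exposed to the WAN

APPLY=0   # 0 = print commands (preview), 1 = execute them (needs root)

# Execute a firewall command, or just print it when previewing.
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        echo "$@"
    fi
}

# Emit the rules for a bridge whose LAN port is $1 and WAN port is $2;
# the remaining arguments are TCP ports that the WAN may open new
# connections to.
bridge_rules() {
    br_lan="$1"; br_wan="$2"; shift 2

    run iptables -F
    run iptables -X
    # Default deny on the forwarding path. The bridge host's own INPUT and
    # OUTPUT chains are deliberately left alone so management access survives.
    run iptables -P FORWARD DROP

    # Packets conntrack cannot classify are dropped in both directions.
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # LAN -> WAN: anything the inside initiates may leave.
    run iptables -A FORWARD -m physdev --physdev-in "$br_lan" --physdev-out "$br_wan" -j ACCEPT

    # WAN -> LAN: replies to connections the LAN started. This is the
    # direction the conntrack match belongs on.
    run iptables -A FORWARD -m physdev --physdev-in "$br_wan" --physdev-out "$br_lan" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # WAN -> LAN: new connections only to the explicitly published ports.
    for br_port in "$@"; do
        run iptables -A FORWARD -m physdev --physdev-in "$br_wan" --physdev-out "$br_lan" \
            -p tcp --dport "$br_port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Everything else from the WAN: rate-limited log line, then drop.
    run iptables -A FORWARD -m physdev --physdev-in "$br_wan" --physdev-out "$br_lan" \
        -m limit --limit 5/min -j LOG --log-prefix "BRIDGE-DROP "
    run iptables -A FORWARD -m physdev --physdev-in "$br_wan" --physdev-out "$br_lan" -j DROP

    # iptables only filters IPv4. The bridge still forwards IPv6, ARP and any
    # other Ethernet protocol untouched, so restrict it to IPv4 plus ARP at the
    # link layer. Add an ip6tables rule set instead of this if IPv6 is needed.
    run ebtables -F
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
    run ebtables -A FORWARD -p ARP -j ACCEPT
}

case "${1:-}" in
    --apply) APPLY=1 ;;
esac

# ALLOWED_TCP is intentionally left unquoted so it word-splits into ports.
bridge_rules "$LAN_IF" "$WAN_IF" $ALLOWED_TCP
```

Before relying on any of this, check that bridged frames are actually handed to iptables: `sysctl net.bridge.bridge-nf-call-iptables` must report 1 (on newer kernels that sysctl only exists once the br_netfilter module is loaded). If it is 0, every bridged packet bypasses the FORWARD chain and the rules above never see it, which looks exactly like the "it won't block incoming" symptom in the original post. DROP is used instead of REJECT for the catch-all so the bridge does not announce itself to scanners on the gateway side.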
zyprexa 05-03-2010 11:23 AM

Thanks guys, using physdev seems to solve my problem.
