Im having problems with iptables not doing what i want
I have a Ubuntu computer set up as bridge between gateway and lan, with the lan connected to eth0 and gateway on eth1.
I'm trying to get it to basically block everything incoming except for the ports i specify (www etc.), but also allow outgoing traffic from the lan behind it. I've found, tried and modified som examples i found on the web, but still it wont block incoming traffic (ie, im still able to reach my webserver)
These are the rules im running now, and i can't figure out why it wont block incoming:
Code:
#!/bin/bash
iptables -F
iptables -X
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT
# connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
iptables -S gives me
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable
Any advice on what im doing wrong is appreciated
Bridging firewall, how to block incoming traffic?
