Linux - Networking
I am using Fedora Core 8 on VMware with Vista. My Windows and Linux can ping each other, and I am also connected to another VMware via crossover cable. We can all ping each other, no problems there.
Now on Linux I am supposed to test some iptables commands. I am mentioning below the ones which I couldn't do and need help with.
1) reject all traffic coming to all UDP ports (see if you can block all of them, if you cannot then try to block some UDP ports).
2) allow traffic coming to port 80 but reject traffic coming out through port 80.
3) block all email coming in and out of your network. Internal email is allowed.
What command do I use for it, and how do I test blocked UDP ports?
Another problem I have is testing. For internal network testing, what we have done is put crossover cables in the same subnet (192.168.1.1 etc.), and we can all ping each other since we are on the same subnet. Now we are supposed to check some access from an external network (like question 3). If we change the subnet of one computer to 10.0.0.0 or something, we cannot ping each other anyway, so we cannot test any packets coming in or out. So via crossover cable, is it possible to test both an external network and an internal network?
Quote:
1) reject all traffic coming to all UDP ports (see if you can block all of them, if you cannot then try to block some UDP ports).
I assume you only want to block incoming UDP streams which aren't related to outgoing ones, because if you filter all incoming UDP packets then you won't, for example, be able to receive the results of your DNS queries. So:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p UDP -j DROP
Quote:
2) allow traffic coming to port 80 but reject traffic coming out through port 80.
If by "coming out" you mean from the box itself:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j REJECT
If by "coming out" you mean from the network:
Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE \
--dport 80 -m state --state NEW -j REJECT
Quote:
3) block all email coming in and out of your network. Internal email is allowed.
Code:
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE \
-m multiport --dports 25,110 -m state --state NEW -j REJECT
Keep in mind that these are simply direct answers to the questions. I don't suggest you actually go about doing it like this in real life. You really should take the opposite approach instead. In other words, filter everything, then make ACCEPT rules for the stuff you want to allow.
Quote:
What command to use for it and how do I test blocked UDP ports??
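The answer above recommends the opposite approach to its literal rules: DROP policies first, then ACCEPT what is needed. The script below is an added example (not code from the thread) that writes that approach for the three exercises as an atomic iptables-restore ruleset; it keeps the answer's LAN_IFACE/WAN_IFACE placeholders (eth1/eth0 are assumed defaults) and assumes an iptables-restore new enough to support --test.

```shell
#!/bin/sh
# Added example, not from the thread: the answer's recommended approach
# (DROP policies, then ACCEPT what you need) as an iptables-restore ruleset.
# LAN_IFACE/WAN_IFACE are the placeholders the answer uses; eth1/eth0 are assumed.
LAN_IFACE="${LAN_IFACE:-eth1}"
WAN_IFACE="${WAN_IFACE:-eth0}"

# build_ruleset only prints the ruleset; nothing reaches the kernel here.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, and replies to connections that were already allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Q1: unsolicited UDP hits the INPUT DROP policy; DNS answers still return
# through the ESTABLISHED rule above.
# Q2: new connections TO local 80 are accepted; new connections FROM this box
# to port 80 are rejected (everything else out is dropped by the policy).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# Q3: LAN hosts may go out, except SMTP/POP3; internal mail never crosses
# FORWARD, so it is unaffected.
-A FORWARD -i $LAN_IFACE -o $WAN_IFACE -p tcp -m multiport --dports 25,110 -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Parse-only check (root; assumes an iptables-restore new enough for --test).
check_ruleset() { build_ruleset | iptables-restore --test; }

# Load atomically, then test from the other laptop and watch the counters:
# "iptables -L INPUT -v -n" shows the DROP policy's packet count climbing
# for every blocked UDP probe, which answers "how do I test blocked UDP ports".
apply_ruleset() { build_ruleset | iptables-restore; }

# rule_count PATTERN: number of generated lines matching PATTERN (for checks).
rule_count() { build_ruleset | grep -c -- "$1"; }
```

Run check_ruleset before apply_ruleset so a typo in the file never leaves the firewall half-loaded.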
Hey, how do you test an external network via crossover cable? As I have mentioned above, internal we can test. How can I make one external network and then try the iptables rules?
It really is as simple as plugging your laptop into the WAN interface of the iptables box and running your tests. You can give your laptop pretty much any Internet IP you wish.
Oh, did I forget to mention that the Linux is running on a laptop and is directly connected to another laptop via crossover cable? So I don't think there is any WAN interface in a laptop. Hope I'm right about it.
It's the WAN interface on your iptables router/gateway/firewall - not the laptop. You'd plug your laptop into the WAN interface of the iptables router/gateway/firewall and test the WAN side from there. Perhaps I am not understanding your setup/question correctly. I've just re-read your first post and it sounds like you are trying to simulate some sort of network by using two machines, a crossover cable, and virtual machines. Is that the case? I was operating under the impression that this all revolved around one, real, iptables router/gateway/firewall.
Quote:
I've just re-read your first post and it sounds like you are trying to simulate some sort of network by using two machines, a crossover cable, and virtual machines. Is that the case?
Yes, that is correct. Just two laptops and a crossover cable, no other hardware involved.
Oh, okay. Cool. I'm gonna go ahead and move this over to Networking then, as it'll get more adequate exposure there. I personally don't have any experience using iptables with virtual machines, so I can't be of much help, but there are tons of LQ members who are very familiar with this sort of thing, so help should be on the way.