LinuxQuestions.org
06-15-2012, 02:31 PM   #1
sree123 (LQ Newbie, Registered: Jun 2012, Posts: 2)
Iptables Drop rule


Hi,

I have the setup below for my firewall, and I am using iptables version 1.4.9.1.


Client PC (eth0, 172.31.114.239)--------------(eth0 172.31.114.252) Firewall Router (eth1, 10.2.2.2)--------------------Network PC (10.2.2.1)

I have set the default policy to accept for testing purposes. My aim is to prevent ssh from Client PC to Network PC, but allow ssh from Network PC to Client PC.

I have the following iptables rules:

iptables -nvL
Chain INPUT (policy ACCEPT 744 packets, 46652 bytes)
pkts bytes target prot opt in out source destination
9989 780K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
82 17854 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
11 660 DROP tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 source IP range 172.31.114.1-172.31.114.254 tcp spts:2:65535 dpt:22 destination IP range 10.2.2.1-10.2.2.254


Chain OUTPUT (policy ACCEPT 1741 packets, 149K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 source IP range 172.31.114.1-172.31.114.254 tcp spt:22 dpts:2:65535 destination IP range 10.2.2.1-10.2.2.254


Observations
-------------------
1. ssh from Network PC to Client PC --- ssh successful, as expected
2. ssh from Client PC to Network PC --- ssh blocked, as expected
3. Again ssh from Network PC to Client PC --- ssh blocked, which was not expected.
4. If I randomly insert some rules which have no relevance to ssh, and do step 1 alone again --- ssh successful
5. Again do step 2 followed by step -- ssh blocked .. problem.


Please help; any idea will be very much appreciated.


Also, I noted that if I have an ssh rule to deny from Client PC to Network PC: if I do ftp, it is fine, but if I do ssh followed by ftp, ftp doesn't work. Please note that the default policy is accept all. I do not add or delete rules in between.

Thanks and regards,
sreejith
 
06-16-2012, 08:51 AM   #2
wildwizard (Member, Registered: Apr 2009, Location: Oz, Distribution: slackware64-14.0, Posts: 865)
Some pointers.

1. Traffic from the "Client PC" to the "Network PC" will not go through the INPUT or OUTPUT chains on the firewall machine. These chains are for traffic going to or from the firewall machine itself; traffic it forwards goes through the FORWARD chain only.

2. Remove the RELATED,ESTABLISHED rule from all chains while you're running a permissive policy (ACCEPT on all chains is permissive).
2a. RELATED,ESTABLISHED rules should always go last, as they can have unintended side effects.

3. Your block rule: don't bother matching the source ports; you only need the destination port 22. Add matching for state NEW, and also you should use REJECT instead of DROP (performance reasons). The rest can stay the same.
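An added example (not from wildwizard or the original poster) that renders the FORWARD-chain ruleset the pointers above describe as an iptables-restore fragment: the block rule keys on destination port 22 and conntrack state NEW only, with no source-port match, and the RELATED,ESTABLISHED accept is placed after it. The interface name and address ranges are taken from the original post; the function names and the use of /24 networks in place of the poster's iprange matches are my assumptions.

```shell
#!/bin/sh
# Constructed example: FORWARD-chain rules for the poster's topology.
# Interface/addresses come from the thread; helper names are assumptions.
CLIENT_NET="172.31.114.0/24"   # Client PC side (eth0 on the firewall)
NETWORK_NET="10.2.2.0/24"      # Network PC side (eth1 on the firewall)
OUT_IF="eth1"

# Print an iptables-restore fragment for the filter table.
# Only NEW SSH connections heading out eth1 from the client network are
# rejected; reply packets of sessions opened the other way never match,
# because they carry sport 22 and leave via eth0.
render_forward_rules() {
    cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o ${OUT_IF} -p tcp --dport 22 -s ${CLIENT_NET} -d ${NETWORK_NET} -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Sanity checks a reviewer would run on the rendered fragment before loading it.
# Returns 0 when the block rule is NEW-only and no rule matches source ports.
check_forward_rules() {
    render_forward_rules | grep -q -- '--ctstate NEW -j REJECT' || return 1
    [ "$(render_forward_rules | grep -c -- '--sport')" = "0" ] || return 1
    return 0
}

# Load the fragment without flushing other chains (needs root); "dry" only prints it.
apply_forward_rules() {
    if [ "${1:-}" = "dry" ]; then
        render_forward_rules
    else
        render_forward_rules | iptables-restore --noflush
    fi
}
```

After loading, `iptables -nvL FORWARD` should show the REJECT counter rising only for client-initiated SSH, while SSH from the Network PC to the Client PC keeps working.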
 
06-16-2012, 03:00 PM   #3
sree123 (LQ Newbie, Original Poster, Registered: Jun 2012, Posts: 2)
I found out the reason for dropping the packet.

On debugging the kernel, I found that in the forward path (ip_forward.c), a particular part of code under a configuration flag (CONFIG_NETFILTER_TABLE_INDEX) was getting executed and was giving the wrong verdict of DROP for the packets.

I removed it from the .config file. Now the rules are working as expected.

Anyway, wildwizard, thanks for your reply. I should think about the placement of the STATEFUL inspection rule. Ideally, I believe there is a chance that someone can place a drop rule at the end and other permissive rules at the top. Since these are configured from application software, I thought it better to place the stateful inspection rules at the beginning, as I always want to allow the reply packets.