[SOLVED] Iptables Drop rule

sree123 · 06-15-2012, 01:31 PM

Hi,

I have the below setup for my firewall and i am using iptables 1.4.9.1 v

Client PC (eth0, 172.31.114.239)--------------(eth0 172.31.114.252) Firewall Router (eth1, 10.2.2.2)--------------------Network PC (10.2.2.1)

I have set the default policy as accept for my testing purpose. My aim is to prevent ssh from Client PC to Network PC. But allow ssh from Network PC to Client PC.

I have the following iptables rule

iptables -nvL
Chain INPUT (policy ACCEPT 744 packets, 46652 bytes)
pkts bytes target prot opt in out source destination
9989 780K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
82 17854 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
11 660 DROP tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 source IP range 172.31.114.1-172.31.114.254 tcp spts:2:65535 dpt:22 destination IP range 10.2.2.1-10.2.2.254

Chain OUTPUT (policy ACCEPT 1741 packets, 149K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 source IP range 172.31.114.1-172.31.114.254 tcp spt:22 dpts:2:65535 destination IP range 10.2.2.1-10.2.2.254

Observations
-------------------
1. Ssh from Network PC to client PC --- ssh successful as expected
2. ssh from client pc to Network PC ---- ssh blocked as expected
3. Again ssh from Network PC to client PC --- ssh blocked which was not expected.
4. If i randomly insert some rules which has no relevance to ssh, and do step 1 alone again - ssh sucessful
5. Again do step 2 followed by step -- ssh blocked ..problem.

Please help or any idea will be very much appreciated

Also, noted that if i have a ssh rule to deny from client PC to network PC. If i do ftp, it is fine. But if i do ssh followed by ftp, ftp doesnt work. please note that default policy is accept all. I donot add or delete rules in between.

thanks and regards
sreejith

wildwizard · 06-16-2012, 07:51 AM

Some pointers.

1. Traffic from the "Client PC" to the "Network PC" will not go through the INPUT or OUTPUT chains on the firewall machine, these chains are for traffic going to or from the firewall machine itself, traffic it forwards goes through the FORWARD chain only.

2. Remove the RELATED,ESTABLISHED rule from all chains while your running a permissive policy (ACCEPT on all chains is permissive)
2a. RELATED,ESTABLISHED rules should always go last as it can have unintended side effects

3. Your block rule, don't bother matching the source ports you only need the destination port 22 and add matching for state NEW, also you should use REJECT instead of DROP (performance reasons), the rest can stay the same.

sree123 · 06-16-2012, 02:00 PM

I found out the reason for dropping the packet.

On Debugging Kernel I found that in the forward path (ip_forward.c), a
particular part of code under a configuration flag
(CONFIG_NETFILTER_TABLE_INDEX) is getting executed and was giving the
wrong verdict of DROP for the packets.

I removed the same from .config file. Now the rules are working as
expected.

any way wildwizard thanks for your reply. i should think about the placement of STATEFUL inspection rule. Ideally i believe there is chance that someone can place drop rule at the last and other permissive rules at the top. Since these are configured from an application software i thought it i better to place stateful inspection rules at the beginning as i always want to allow the reply packets