Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
We've a gateway with two NICs:
eth0: 192.168.1.2 <-----> connected to modem/router -----> WAN
eth1: 192.168.0.0/24 ----------> LAN
Actually, as far as I understand:
If a packet is destined to the gateway, it goes right to the INPUT chain and so on.
If a packet is destined to the LAN, the route changes and the packet follows the FORWARD chain and so on.
So now, since I want to stop a host which is on the LAN (192.168.0.10), I've done the following:
Quote:
iptables -I INPUT -m mac --mac-source 00:1E:58:9E:E4:E8 -j DROP
The host (192.168.0.10) stopped surfing, which is great, but I thought that we should apply the rule within the FORWARD chain instead, since this host is on the LAN and is not the gateway!!!
Is the gateway running DNS for the LAN?
If so, the DNS requests will go to the gateway, via INPUT, and dropping them will prevent DNS requests from resolving.
If this is the case, can the host connect using an IP instead of DNS?
A transparent proxy redirection rule could have the same result.
Thanks for the reply, fukawil.
Well, we have got both:
- hosts on the LAN are using the gateway as a DNS server (192.168.0.1) via the DHCPD, and
- we have got a transparent proxy
If the gateway is handling DNS, then trying to connect/browse etc. by using an IP address in the host's browser, rather than a domain name, i.e.:
Code:
http://74.125.237.82
instead of
Code:
http://google.com
would most likely work..
So you would need to add the same rule to the FORWARD chain..
Oh yes, I see now.
Well, it works in both ways, yes,
either, as you said, "using an IP address or domain name".
Thanks.
Just to be clear, I'm a little confused:
The packet initially should traverse the FORWARD chain. Since the same packet needs the DNS, which is located on the gateway, the packet just changes its way and traverses the INPUT chain!!!!
Is it right? I'm not sure about it.
In other words, why can I not stop the host (192.168.0.10) just by saying:
Check out the picture in the link I posted above. It shows a flowchart of when a packet passes through each table/chain..
Because the transparent proxy rule you have is intercepting the packets destined for the internet in nat/PREROUTING,
the packet passes through the filter/INPUT chain to squid BEFORE it gets to the filter/FORWARD chain; squid then sends the requests out to the internet..
So you need the filter/INPUT rule.
As I understand it (and I stand to be corrected):
host sends some packets asking the gateway to resolve google.com (filter/INPUT)
the gateway looks locally to resolve the name; if it can't, it asks the nameservers in /etc/resolv (filter/OUTPUT)
once the gateway has obtained an answer it responds to the host with 74.125.237.82 (filter/OUTPUT)
the host then initiates a connection with 74.125.237.82.., which goes to the gateway (nat/PREROUTING)
these packets then hit the squid intercept rule and get sent to squid running locally (filter/INPUT)
it then gets processed by squid and gets sent to its destination of 74.125.237.82
As I said though, I stand to be corrected on that..
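The practical consequence of the traversal described in this reply is that a single rule in one chain only covers one of the two paths: packets addressed to the gateway itself (the DNS queries to 192.168.0.1, and the HTTP that the transparent-proxy REDIRECT re-targets at the local squid port) are filtered in INPUT, while anything the gateway merely routes is filtered in FORWARD. The script below is an added example, not code posted in the thread: it inserts a rate-limited LOG rule plus a DROP rule at the top of both chains, so the syslog prefix and the packet counters show which chain actually caught the traffic. It assumes the LAN interface name eth1 from the first post; the MAC address is the one quoted there and is used as a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): block one LAN host by MAC in BOTH
# filter chains. Frames for the gateway itself (DNS, REDIRECTed proxy HTTP)
# are seen by filter/INPUT; routed traffic is seen by filter/FORWARD.
set -eu

LAN_IF="${LAN_IF:-eth1}"      # LAN-side interface, as in the thread
IPT="${IPT:-iptables}"        # set IPT="echo iptables" for a dry run

# Insert (-I) a LOG rule at position 1 and a DROP rule at position 2 of INPUT
# and FORWARD, ahead of any ACCEPT rules and ahead of the proxy REDIRECT's
# effect. The log prefix names the chain, so /var/log/syslog (or journalctl)
# shows whether INPUT or FORWARD matched: that is the thread's question.
block_host_mac() {
    mac="$1"
    for chain in INPUT FORWARD; do
        $IPT -I "$chain" 1 -i "$LAN_IF" -m mac --mac-source "$mac" \
            -m limit --limit 5/min -j LOG --log-prefix "blocked-mac $chain: "
        $IPT -I "$chain" 2 -i "$LAN_IF" -m mac --mac-source "$mac" -j DROP
    done
}

# Show per-rule packet counters. After the host tries to browse, the pkts
# column of the INPUT rules grows for DNS and proxied HTTP, the FORWARD rules
# for everything that is routed (e.g. HTTPS when only port 80 is redirected).
show_hits() {
    for chain in INPUT FORWARD; do
        $IPT -L "$chain" -v -n --line-numbers
    done
}

# Caveat: -m mac only matches frames received directly on $LAN_IF, and a MAC
# is user-settable, so this is an administrative convenience, not a control.
case "${1:-dry-run}" in
    apply)   block_host_mac "${2:?usage: $0 apply MAC}"; show_hits ;;
    dry-run) ( IPT="echo iptables"; block_host_mac "${2:-00:1E:58:9E:E4:E8}" ) ;;
esac
```

Run it with no arguments to see the iptables commands it would issue; run `apply 00:1E:58:9E:E4:E8` as root to insert them and print the counters. Because the rules are inserted at position 1 and 2, the DROP is evaluated before anything the transparent proxy or an earlier ACCEPT could do with the packet.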
Thank you very much, I am getting better now.
According to the linked picture, and if I follow your reasoning:
1) Network B >>> data for the firewall >>> filter INPUT (looking for DNS (resolving))
2) if the resolving is done
3) Network B >>>>> Network A; however the NAT PREROUTING stops the packet (squid) and the packet will follow the other way:
Data for the firewall >>>>>> filter INPUT >>>> Network A
I think it makes sense and is logical.
It is not obvious at all for someone who tries to learn (Netfilter) independently (needs help).
Even if someone reads a lot of books, I think an expert is still needed (at least in the beginning), right!!
I am a welder by trade, and I figured it out, largely from that link I keep referring people to.
If I can do it, anyone can..
Another handy note: when working on something remotely (a VPS, for example), before I load a new set of rules or substantially change things, I always set up a cron/at job to load a very basic default set of rules, in the event I have one of those facepalm moments and DROP ssh without leaving it open to my IP, or something equally stupid..
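The safety net described in the note above, written out as an added example (this is not fukawil's own script): before changing the firewall on a remote box, snapshot the current rules with iptables-save, queue an at(1) job that restores that snapshot a few minutes later, load the new rules, and cancel the job only once a fresh SSH session still works. It assumes iptables-save/iptables-restore and the at/atrm commands are installed; the file paths and the five-minute delay are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the thread): arm an automatic rollback of the
# current iptables rules before loading a new ruleset on a remote machine.
set -eu

SAVE="${SAVE:-/var/tmp/iptables.rollback}"         # snapshot of known-good rules
JOBFILE="${JOBFILE:-/var/tmp/iptables.rollback.job}" # at(1) job id, for disarm
DELAY="${DELAY:-5}"                                  # minutes until rollback

# Body of the at(1) job: restore the snapshot and leave a trace in syslog.
# Kept as a function so the job text can be inspected without root or at.
rollback_job() {
    printf 'iptables-restore < %s\nlogger -t fw-rollback "restored rules from %s"\n' "$1" "$1"
}

# Snapshot the live rules and queue the rollback. at(1) reports the job as
# "job N at <date>" on stderr; the job number is kept so it can be cancelled.
arm() {
    iptables-save > "$SAVE"
    rollback_job "$SAVE" | at "now + $DELAY minutes" 2>&1 \
        | awk '/^job/ { print $2 }' > "$JOBFILE"
    echo "rollback armed: at job $(cat "$JOBFILE") fires in $DELAY minutes"
}

# Cancel the queued rollback once you have confirmed SSH still works.
disarm() {
    atrm "$(cat "$JOBFILE")" && rm -f "$JOBFILE"
    echo "rollback cancelled; new rules kept"
}

case "${1:-}" in
    arm)    arm ;;
    disarm) disarm ;;
    *)      echo "usage: $0 arm|disarm" >&2 ;;
esac
```

Typical sequence as root: `fw-rollback.sh arm`, then `iptables-restore < new.rules` (or whatever change you are making), then open a second SSH session to confirm access, and finally `fw-rollback.sh disarm`. If the new rules lock you out, the at job restores the snapshot after five minutes and you can log back in.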