Linux - Embedded & Single-board computer
I'm using a DD-WRT Linux embedded router and I need an IPTables line to put into the command section. I get awfully confused with IP tables, and I'm told that the syntax is no different than what comes with the Linux kernel. What I need to do is to block all outgoing TCP port 53 traffic except to IP address 208.67.222.123 and 208.67.220.123. Can someone please show me what the syntax looks like?
... I get awfully confused with IP tables, and I'm told that the syntax is no different than what comes with the Linux kernel.
Well, iptables syntax ought to be iptables syntax, or it wouldn't be iptables.
Now, if you don't mind, I'll go down the 'teach a man to fish' route. The documentation is to be found at frozentux - download the pdf, you'll probably want to look at it several times.
Quote:
What I need to do is to block all outgoing TCP port 53 traffic except to IP address 208.67.222.123 and 208.67.220.123.
Well, there are several ways that you could do this, depending on how it fits into the other stuff going on, and how heavy the workload is.
(Warning, pseudocode alert!)
You could just put in a sequence like:
Code:
'if it is port 53, and ip_1 then let it pass'
'if it is port 53, and ip_2 then let it pass'
'if it is port 53, drop'
OTOH, I think that I would prefer
Code:
'if it is port 53, jump to p53_chain'
p53_chain
if dest = ip_1, then let it pass
if dest = ip_2, then let it pass
drop
(I'm anticipating, maybe incorrectly, mostly traffic not to port 53, and in the second approach the rest of the traffic goes through fewer conditional tests. Maybe this is irrelevant, but if you are really interested, you can do testing.)
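As an added example (not code from the thread, from salasi, or from DD-WRT), here is the second pseudocode approach above written as real iptables commands for a DD-WRT firewall/startup script, with the flat first approach included for comparison. It assumes LAN clients' DNS traffic crosses the router in the FORWARD chain on the bridge br0 (the usual DD-WRT LAN interface name), and that the two permitted resolvers are the addresses from the question.

```shell
#!/bin/sh
# Added example: salasi's "p53_chain" idea as real iptables rules for DD-WRT.
# Assumptions: LAN traffic is relayed via FORWARD, the LAN bridge is br0, and the
# allowed resolvers are the two addresses from the question. The question said
# TCP; ordinary lookups travel over UDP 53, so both protocols are covered.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
ALLOWED_DNS="208.67.222.123 208.67.220.123"
PROTOS="tcp udp"

# Create the dedicated chain once and flush it, so re-running the script is safe.
setup_p53_chain() {
    $IPT -N p53_chain 2>/dev/null || true
    $IPT -F p53_chain
    for ip in $ALLOWED_DNS; do
        $IPT -A p53_chain -d "$ip" -j ACCEPT   # 'if dest = ip_n, then let it pass'
    done
    $IPT -A p53_chain -j DROP                  # anything else aimed at port 53
}

# One test per protocol in FORWARD hands port-53 packets to the chain; every
# other packet is checked once and moves on (the efficiency point made above).
install_p53_jump() {
    for proto in $PROTOS; do
        # Remove a stale copy first so repeated runs do not stack duplicates.
        $IPT -D FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j p53_chain 2>/dev/null || true
        $IPT -I FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j p53_chain
    done
}

# The flat alternative from the same post, for comparison: every forwarded
# packet is tested against three port-53 rules instead of a single jump.
install_flat_rules() {
    for proto in $PROTOS; do
        for ip in $ALLOWED_DNS; do
            $IPT -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -d "$ip" -j ACCEPT
        done
        $IPT -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j DROP
    done
}

# Safe by default: only print the rules; set P53_APPLY=1 on the router to run them.
[ "${P53_APPLY:-0}" = 1 ] || IPT="echo iptables"
setup_p53_chain
install_p53_jump
```

Run it once with the default dry run to read the generated rules, then with `P53_APPLY=1` from the DD-WRT firewall script; `iptables -L FORWARD -n --line-numbers` afterwards should show the two jump rules at the top of FORWARD.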
OK well I never had someone explain it to me that way before. That's brilliant. I've always asked "What the heck is an IP chain and what does it mean in IP tables." I use webmin and have tried to make heads or tails out of that and still come up short. I will try that and see how it goes.
I've always asked "What the heck is an IP chain and what does it mean in IP tables." I use webmin...
Sorry, I don't know how much easier (or the exact opposite of easier) Webmin makes things, never having tried it for firewalling, but...
Most of the easy-gui things make simple cases rather easy to deal with, at the expense of getting in the way of you learning what is really going on underneath. Technically, this is called making the learning curve shallower and it isn't always helpful.
Iptables is a simple programming language for building a firewall, and it is genuinely simple. It is easy to learn. But, to put the knowledge to some use, without being a danger to yourself, you do have to have some basic appreciation of networking and an ability to work out which packets are going where and an ability to plan out what you want to happen.
This is also easy; I think if you want to impress people, you have to be able to do this in your head, but there should be no objection to you working it out on a flowchart, if you want to - just don't tell anyone else that this is what you did!
Now the doc at frozentux; it is quite long, quite comprehensive, but you don't need to read all of it, by any means. I think you may only have to read the part about the one or two specific instructions that you need, but you may also want to skim through the introduction/basic part, too. (Chapters 1, 3 and the start of ch 11...ch 6, if you are still in any doubt about traversing tables and chains...you may want to look at 'how a rule is built' in ch 9, but the answer to the specific question that you started off by asking is in ch 10).
(One piece of advice; don't treat modules like an 'all you can eat buffet' and try to get as many on your plate as possible; certainly, to start, the fewer you need the better as some are big and complex, and it is easy to slow the whole thing down by using everything that has a fun feature.)
OK Thanks for that. I also had posted the same query in the dd-wrt forum, and someone had exact syntax for me and with some head scratching, got it to work perfectly. Thank you so much for your friendly help. I will take a look at the manual.