[SOLVED] can someone explain

end · 09-26-2017, 07:15 AM

Question is way this working. way i dont need open 80,443,53 on INPUT and OUTPUT have this working only with forwarding. so desktoplinux has internet with this rules. i know that is something about osi model, and that some functions of wireless card handling connections or has build in dhcpcd so it is not part of kernel. The logic is INPUT then ROUTING DECISION then FORWARDING so in this chace INPUT is already somehowe predefine.Can anyone know something about this

routerISP------>linuxPC1(act like router2)----->desktoplinux
--------------------wlp2s0-connect to wireless--------tap1
--------------------ens3-dhcpd server

so ens3 has dhcpd subnet 1.1.1.1, tap1 get ip from this interface.

Code:

#!/bin/bash

i="/sbin/iptables"

$i -F
$i -X
$i -t nat -F
$i -t nat -X
$i -t mangle -F
$i -t mangle -X


$i -P INPUT  DROP
$i -P OUTPUT DROP
$i -P FORWARD DROP



$i -I FORWARD -i wls4u1 -o ens3 -p udp -m udp -m multiport --dports 53,68 -j ACCEPT

$i -I FORWARD -i ens3 -o wls4u1 -p udp -m udp -m multiport --sports 53,68 -j ACCEPT


$i -I FORWARD -i wls4u1 -o ens3 -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT

$i -I FORWARD -i ens3 -o wls4u1 -p tcp -m tcp -m multiport --sports 53,68 -j ACCEPT

$i -t nat -I POSTROUTING -s 1.1.1.1/24 -j SNAT --to-source 192.168.0.187

rknichols · 09-27-2017, 09:03 AM

Forwarded packets do not pass through the INPUT or OUTPUT chains. Here's a map of how the chains are traversed: https://www.frozentux.net/iptables-t...s_traverse.jpg

end · 09-27-2017, 09:16 AM

yes i saw that but im confused with this prerouting, but now i saw that prerouting chain is always on ACCEPT is there a way to put it to DROP on defoult policy like INPUT or OUTPUT.

Actualy now i saw that you canot put drop on nat chain, bacouse he is not for filtering. But that doesent matter if packet pass prerouting he canot pass if he is not allowed on INPUT etc...
But way ACCEPT is allowed and why we use ACCEPT on PREROUTING.

and hove to get ssh working in this script

rknichols · 09-27-2017, 09:37 AM

Quote:

Originally Posted by end

yes i saw that but im confused with this prerouting, but now i saw that prerouting chain is always on ACCEPT is there a way to put it to DROP on defoult policy like INPUT or OUTPUT

Yes, you can, though the DROP target is more commonly associated with the "filter" table. You can set a default policy for any of the built-in chains, including PREROUTING.

Excerpt from my iptables rules:

Code:

*raw
:PREROUTING ACCEPT

*mangle
:PREROUTING ACCEPT

*nat
:PREROUTING ACCEPT

end · 09-27-2017, 09:47 AM

i put

iptables -P -t nat PREROUTING DROP = bad argument PREROUTING

how to put this

end · 09-27-2017, 10:23 AM

i put like this

iptables -t mangle -I PREROUTING -j DROP and this working i lost connection but is it possible use defoult policy like on INPUT OUTPUT chain i know its the same but you know i whant to know.

but when i put this mangle on drop -t nat stoped working it seems that packet if stop on mangle or raw doesent pass to nat. i try google and see man but i canot find have to put defoult policy to drop on nat.

rknichols · 09-27-2017, 12:58 PM

Quote:

Originally Posted by end

iptables -P -t nat PREROUTING DROP = bad argument PREROUTING

The chain name and policy need to immediately follow the "-P" flag.

Code:

iptables -t nat -P PREROUTING DROP

Once a packet hits a DROP target, that's the end of it. It won't be processed any further. If you set a default policy of DROP, you'd better make sure that any packet you want to accept doesn't fall through to that default policy.

Also, doing filtering in tables other than "filter" is generally not recommended due to (unspecified) side effects. Also, packets for connections not in the NEW state don't pass through the "nat" table at all, and thus might slip by your DROP rule there.