[SOLVED] iptables command gets executed successfully but its impact is not visible.
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi!
I am facing a problem where I want to use iptables commands to drop incoming packets. I execute the iptables command, it gets executed, but its effect is not visible.
Details:
OS: CentOS 7 / Fedora 21
Kernel: 3.11.7
Network setup:
I have two Ethernet interfaces on my machine, eth0 and eth1, where eth0 is connected to the internet (say with IP 192.168.1.10) and eth1 is connected to an STB. I create a bridge with the below commands and bridge eth0 and eth1 so that the STB gets an IP and network connectivity through this bridge. The STB obtains IP 192.168.1.20.
Usage of this setup: From another machine with IP 192.168.1.5 I am multicasting an H264 UDP transport stream on IGMP group 233.0.0.248:1112. The STB joins this multicast group and plays the incoming transport stream on it.
So, my machine having the bridge between eth0 and eth1 is receiving the transport stream in the form of UDP packets on interface eth0, and it is getting redirected to interface eth1 through the bridge interface test_Stb.
Requirement of iptables: I am using the below iptables command to drop the incoming UDP packets so that the STB does not get the transport stream.
iptables -A FORWARD -i test_stb -d 233.0.0.248 -p udp --dport 1112 -j DROP
or
iptables -A FORWARD -i test_stb -d 233.0.0.0/24 -p udp -j DROP
iptables-save
The above commands get executed successfully, but their impact is not visible, i.e. the incoming UDP packets are not getting dropped.
I googled about this problem and I found that the newer versions of CentOS and Fedora have included firewalld and replaced iptables, but it is still possible to use iptables by disabling the firewalld module on the machine. I tried the below commands to disable firewalld and use iptables, but it didn't help me, as the outcome of executing the iptables command is still the same as stated above:
systemctl mask firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl enable iptables
systemctl enable ip6tables
systemctl start iptables
systemctl start ip6tables
I even checked the running status of firewalld with the command "firewall-cmd --state" and it returns the status "not running".
Please help me to troubleshoot this issue. The strange thing is that the above mentioned iptables commands run and have their impact perfectly fine on an older version, Fedora 18 / CentOS 5, which does not have the firewalld module in it.
I tried the commands as suggested by you, but the result is still the same, i.e. the command got executed but its effect is not visible.
I even tried the below commands, which also work on the older Fedora 18 / CentOS 5, which do not have the firewalld module in them. But the below commands are also not working on CentOS 7:
iptables -t raw -A PREROUTING -i eth0 -d 233.0.0.0/24 -p udp -j DROP
or
iptables -t raw -A PREROUTING -i eth0 -d 233.0.0.248 -p udp --dport 1112 -j DROP
Is there any log file in which iptables writes its log, where we can check what could be happening?
I have made sure that the firewall is not running. In my first post I verified this by running the command "firewall-cmd --state", and it returns the status "not running".
I tried applying iptables rules on each interface. This time, to be very simple, I applied the rule in the INPUT chain to drop every type of packet and not specific packets like UDP. But the iptables rules are still not having any effect. Below is a snapshot of what I did from reboot of the machine.
When the machine is rebooted, the interface configuration looks like below.
One more thing I found during my investigation: the iptables rules are effective on an Ethernet interface without adding it to the bridge interface, i.e. I rebooted the machine and applied the below iptables rule on em1
Code:
iptables -A INPUT -i em1 -p all -j DROP
then I was not able to access anything from my machine. On applying below iptables rule
Code:
iptables -A INPUT -i em1 -p tcp -j DROP
I was not able to browse websites from a web browser, but I was able to ping 8.8.8.8 and received the ICMP packets. On applying the below iptables rule
Code:
iptables -A INPUT -i em1 -p icmp -j DROP
The ping stopped working and I was able to browse websites through the web browser.
It looks like these iptables rules are not effective when I add both of my Ethernet interfaces to a bridge, and they are also not effective on a bridge interface.
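Two things a practitioner would check before blaming the rule: whether bridged frames are handed to iptables at all (on Linux that is controlled by the bridge netfilter hook and the sysctl net.bridge.bridge-nf-call-iptables, which is absent when the hook is not loaded and skips iptables when it reads 0), and whether the rule's packet counters move while the stream plays. The script below is an added example, not from this thread or any reply in it; it also answers the logging question, since iptables keeps no log file of its own and a LOG rule writes matches to the kernel log. It assumes the bridge name test_stb and the stream address 233.0.0.248:1112 from the question, and the sample iptables output is constructed.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. Assumes the bridge name (test_stb)
# and the stream address (233.0.0.248, UDP 1112) given in the question.
SYSCTL_BRNF=/proc/sys/net/bridge/bridge-nf-call-iptables

# Report whether bridged frames are handed to iptables at all. The file is
# absent when the bridge netfilter hook is not loaded and reads 0 when it is
# switched off; in both cases the FORWARD chain never sees bridged traffic.
bridge_nf_state() {
    f="${1:-$SYSCTL_BRNF}"
    [ -r "$f" ] || { echo absent; return 1; }
    case "$(cat "$f")" in
        1) echo enabled; return 0 ;;
        *) echo disabled; return 1 ;;
    esac
}

# Parse `iptables -vnxL FORWARD` output on stdin and print "pkts bytes target"
# for rules whose destination column equals $1. Non-zero counters prove the
# rule matches; zero counters while the stream plays mean the packets never
# reach the chain, so the rule itself is not the problem.
forward_rule_counters() {
    awk -v dst="$1" 'NR > 2 && $9 == dst { print $1, $2, $3 }'
}

# Live checks, to be run as root on the bridge host.
live_checks() {
    echo "bridge-nf-call-iptables: $(bridge_nf_state || true)"
    modprobe br_netfilter 2>/dev/null || true   # separate module only on kernels >= 3.18
    echo "counters for the DROP rule:"
    iptables -vnxL FORWARD | forward_rule_counters 233.0.0.248
    # iptables has no log file of its own; a LOG rule in front of the DROP writes
    # each matching packet to the kernel log (dmesg, /var/log/messages).
    iptables -I FORWARD 1 -i test_stb -d 233.0.0.248 -p udp --dport 1112 \
        -j LOG --log-prefix "stb-mcast: "
    dmesg | grep stb-mcast | tail -n 5
}

# Constructed sample of `iptables -vnxL FORWARD` output for offline use.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       udp  --  test_stb *       0.0.0.0/0            233.0.0.248          udp dpt:1112
     512      77824 DROP       udp  --  test_stb *       0.0.0.0/0            233.0.0.0/24'

if [ "${1:-}" = "--live" ]; then
    live_checks
else
    printf '%s\n' "$SAMPLE_FORWARD" | forward_rule_counters 233.0.0.248
fi
```

Run it with `--live` as root on the bridge host; without arguments it only parses the constructed sample.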