Linux - Networking (LinuxQuestions.org). This forum is for any issue related to networks or networking: routing, network cards, OSI, etc. Anything is fair game.
#1 | 05-16-2013, 03:32 AM | lucmove, Senior Member (Registered: Aug 2005; Location: Brazil; Distribution: Debian; Posts: 1,538)
iptables is blocking an application
I have a computer with Internet access acting as a gateway/router. It does some filtering of the traffic it exchanges with a Wifi router through Ethernet. That router serves a notebook, phone and tablet over Wifi.
INTERNET --> PC --> Ethernet --> ROUTER --> Wifi --> devices
I have iptables running with a large number of rules, established by a script I downloaded somewhere. I know that's obscure, but it's what I have.
At the end of the script, I have added a few rules myself:
Code:
# routing: forward new connections from the 10.42.43.0/24 LAN that enter on wlan0 and leave on eth0
iptables -A FORWARD --in-interface wlan0 --out-interface eth0 --source 10.42.43.1/255.255.255.0 -m state --state NEW -j ACCEPT
# privoxy: transparently redirect web traffic (TCP/80 arriving on eth0) into Privoxy on port 8118
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8118
# I am not sure what this does
# (it accepts new TCP connections to port 80 that arrive on eth0 addressed to the gateway itself)
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT
# or this
# (it forwards packets that belong to, or are related to, a connection conntrack already knows about)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerading: source-NAT everything leaving the gateway (no -o given, so on every interface)
iptables -A POSTROUTING -t nat -j MASQUERADE
Everything works fine, including email, browsing, many apps etc.
Except one application, called 8Tracks on the tablet. Ever since I added this firewall, the application no longer works.
I hooked up my Internet access directly to the Wifi router:
INTERNET --> ROUTER --> Wifi --> devices
The application worked beautifully, like it used to before I installed the firewall. So it seems obvious that the PC with iptables is blocking the application.
I don't know what to do, especially because I don't know what ports and protocol this application is using. All I know is that everything between the PC and the router, i.e. everything coming to and from Ethernet should be trusted and given free pass. How do I do that?
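The original poster does not know which ports and protocols the application uses. One way to find out, added here as an example and not part of the thread, is to log NEW connections from the LAN in the mangle PREROUTING chain, which runs before the nat table, so the original destination port is recorded rather than the 8118 that the REDIRECT rewrites it to. The log prefix, the eth0 interface name and the sample kernel-log lines below are assumptions constructed for this illustration:

```sh
#!/bin/sh
# Added example, not code from the thread. Find out which destinations,
# protocols and ports a LAN client opens: log NEW connections, then summarize.
#
# Log in mangle PREROUTING, which runs before the nat REDIRECT, so the
# original DST/DPT (e.g. port 80) is recorded rather than the rewritten 8118.
# The rate limit keeps a busy client from flooding the kernel log.
# Assumed: the LAN side of the gateway is eth0; the prefix "FWD-NEW: " is our choice.
#   iptables -t mangle -I PREROUTING -i eth0 -m state --state NEW \
#       -m limit --limit 30/min --limit-burst 60 -j LOG --log-prefix "FWD-NEW: "
# Remove the rule again when done:
#   iptables -t mangle -D PREROUTING -i eth0 -m state --state NEW \
#       -m limit --limit 30/min --limit-burst 60 -j LOG --log-prefix "FWD-NEW: "

# Read netfilter LOG lines on stdin; print "PROTO DST DPT COUNT", one line per
# distinct (protocol, destination, port). ICMP has no DPT and is shown as "-".
summarize_new_conns() {
    awk '
    /FWD-NEW:/ {
        proto = "?"; dst = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        count[proto " " dst " " dpt]++
    }
    END { for (k in count) printf "%s %d\n", k, count[k] }
    ' | sort
}

# Constructed sample of what /var/log/kern.log would contain (not a real capture).
sample_log() {
    cat <<'EOF'
May 16 03:40:01 gw kernel: [ 1201.1] FWD-NEW: IN=eth0 OUT=wlan0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.42.43.17 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49152 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
May 16 03:40:02 gw kernel: [ 1202.4] FWD-NEW: IN=eth0 OUT=wlan0 SRC=10.42.43.17 DST=198.51.100.9 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=41
May 16 03:40:03 gw kernel: [ 1203.0] FWD-NEW: IN=eth0 OUT=wlan0 SRC=10.42.43.17 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49153 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
May 16 03:40:04 gw kernel: [ 1204.2] FWD-NEW: IN=eth0 OUT=wlan0 SRC=10.42.43.17 DST=198.51.100.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May 16 03:40:05 gw kernel: [ 1205.0] unrelated kernel message
EOF
}

# Typical use on the gateway:
#   grep 'FWD-NEW:' /var/log/kern.log | summarize_new_conns
```

Run the app on the tablet for a minute with the LOG rule in place, then summarize. The lines with the highest counts that are not port 80 or 443 are the ones the firewall script is most likely dropping; port-80 destinations are the ones the REDIRECT is sending into Privoxy.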
#2 | 05-16-2013, 04:40 AM | sillvester, LQ Newbie (Registered: Dec 2010; Location: Jiaxing, Zhejiang Province, China; Posts: 6)
It seems like only
Quote:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8118
should make it not work.
It redirects TCP packets coming from the Internet whose destination port is 80 to port 8118.
If the application uses local port 80 to communicate with others, it will fail.
1 member found this post helpful.
#3 | 05-16-2013, 08:46 AM | lucmove (Original Poster)
Damn, you're right! The app works if I remove that line.
But I need that redirection, because I need Privoxy to filter out some websites! Do you suppose there is any way I can distinguish that app from other apps (browsers) that use port 80? :-(
#4 | 05-16-2013, 08:52 AM | Member (Registered: Oct 2012; Location: /home/v; Distribution: Slackware 14.0; Posts: 83)
Can iptables block samba?
#5 | 05-17-2013, 03:16 AM | sillvester
Match the MAC address of your tablet device, then accept before this redirect rule.
#6 | 05-18-2013, 02:59 AM | lucmove (Original Poster)
Quote: Originally Posted by sillvester
match the mac address of your tablet device. then accept before this redirect rule.
I think you don't understand that there is a conflict between two services that are used by the tablet. I need Privoxy for all the devices, including the tablet, and the 8tracks application runs on nothing but the tablet. I don't see how identifying the tablet's MAC address would be useful. The two services would still clash just the same.
#7 | 05-20-2013, 09:03 PM | sillvester
Quote: Originally Posted by lucmove
I think you don't understand that there is a conflict between two services that are used by the tablet. I need Privoxy for all the devices, including the tablet, and the 8tracks application runs on nothing but the tablet. I don't see how identifying the tablet's MAC address would be useful. The two services would still clash just the same.
The only method I could work out is to identify this application's protocol by the IP addresses of its server.
First nslookup the domains "8tracks.com, imgix.8tracks.com, cft.8tracks.com"; you will get the IP addresses.
Then add ACCEPT rules before the redirect rule.
These rules I tested worked:
Code:
(output of iptables -L FORWARD -n -v)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source           destination
    0     0 ACCEPT  all  --  *   *    0.0.0.0/0        199.27.75.129
    0     0 ACCEPT  all  --  *   *    199.27.75.129    0.0.0.0/0
    0     0 ACCEPT  all  --  *   *    205.251.203.245  0.0.0.0/0
    0     0 ACCEPT  all  --  *   *    0.0.0.0/0        205.251.203.245
    0     0 ACCEPT  all  --  *   *    0.0.0.0/0        23.23.196.130
    0     0 ACCEPT  all  --  *   *    23.23.196.130    0.0.0.0/0
    0     0 DROP    tcp  --  *   *    0.0.0.0/0        0.0.0.0/0        tcp dpt:80
1 member found this post helpful.
#8 | 05-21-2013, 12:48 AM | lucmove (Original Poster)
|
That sounds interesting. Can you please provide the explicit iptables rules, the way I am supposed to enter them? I am not really familiar with the syntax.
#9 | 05-21-2013, 02:10 AM | sillvester
Quote: Originally Posted by lucmove
That sounds interesting. Can you please provide the explicit iptables rules, the way I am supposed to enter them? I am not really familiar with the syntax.
The rules you want should be:
Code:
# allow TCP packets from a.a.a.a to bypass the redirect
iptables -t nat -I PREROUTING -s a.a.a.a -p tcp -j ACCEPT
# allow TCP packets to a.a.a.a to bypass the redirect
iptables -t nat -I PREROUTING -d a.a.a.a -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -s b.b.b.b -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -d b.b.b.b -p tcp -j ACCEPT
1 member found this post helpful.
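The rules in #7 and #9 work because a packet that hits ACCEPT in the nat table is simply exempted from NAT (filtering still happens in the filter table), and because `-I` puts the exemption ahead of the REDIRECT. The script below, added here as an example and not code from the thread, packages the same idea in a way that is easier to maintain: a dedicated nat chain holds the exemptions as RETURN rules followed by the REDIRECT itself, so re-running the script rebuilds the chain instead of piling up duplicate `-I` rules, and the ordering relative to the REDIRECT is enforced by the chain structure. Only `-d` rules are emitted: the nat table sees only the first packet of a connection, so replies from the server never traverse it and the `-s` rules in #9 are not needed. The chain name, the eth0 interface, the 8118 port and the use of `getent ahostsv4` for resolution are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: rebuild the transparent-proxy rules as
# a dedicated nat chain so exempt destinations are easy to maintain.
# Assumptions: the LAN side of the gateway is eth0, Privoxy listens on 8118, and
# the caller supplies server IPs (resolved first, e.g. with `getent ahostsv4`).
# The chain name PRIVOXY_BYPASS is our choice.
LAN_IF="${LAN_IF:-eth0}"
PRIVOXY_PORT="${PRIVOXY_PORT:-8118}"
BYPASS_CHAIN="${BYPASS_CHAIN:-PRIVOXY_BYPASS}"

# Resolve hostnames to unique IPv4 addresses (needs DNS; not exercised offline).
resolve_hosts() {
    for h in "$@"; do
        getent ahostsv4 "$h" | awk '{ print $1 }'
    done | sort -u
}

# Print the iptables commands that (re)build the chain for the given IPs.
# Generating instead of executing lets you review the rules before applying.
gen_bypass_rules() {
    # Create the chain, or flush it if it already exists, so re-runs are idempotent.
    printf 'iptables -t nat -N %s 2>/dev/null || iptables -t nat -F %s\n' \
        "$BYPASS_CHAIN" "$BYPASS_CHAIN"
    # Exemptions: RETURN leaves the chain before the REDIRECT below is reached.
    # Only -d is needed: the nat table sees only the first packet of a
    # connection, so replies from the server never traverse these rules.
    for ip in "$@"; do
        printf 'iptables -t nat -A %s -d %s -j RETURN\n' "$BYPASS_CHAIN" "$ip"
    done
    # Everything else on port 80 goes to Privoxy.
    printf 'iptables -t nat -A %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$BYPASS_CHAIN" "$PRIVOXY_PORT"
    # Hook the chain into PREROUTING once; -C checks whether the jump already exists.
    printf 'iptables -t nat -C PREROUTING -i %s -p tcp --dport 80 -j %s 2>/dev/null || iptables -t nat -I PREROUTING -i %s -p tcp --dport 80 -j %s\n' \
        "$LAN_IF" "$BYPASS_CHAIN" "$LAN_IF" "$BYPASS_CHAIN"
}

# Apply only when explicitly asked (APPLY=1 ./script host...), so sourcing this
# file or running it without arguments changes nothing on the gateway.
if [ "${APPLY:-0}" = 1 ] && [ $# -gt 0 ]; then
    gen_bypass_rules $(resolve_hosts "$@") | sh -e
fi
```

Two caveats. First, the original bare `iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8118` line must be removed from the firewall script: RETURN from the chain continues in PREROUTING, and a bare REDIRECT sitting there would still catch the packet. Second, the addresses in #7 belong to CDN and cloud ranges and will change over time; the exemption list is only as fresh as the last resolution, so re-run the script (cron is enough) or the application will break again when the server moves.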
#10 | 05-22-2013, 02:46 AM | Member (Registered: Oct 2012; Location: Tucson, AZ; Distribution: Debian/CentOS; Posts: 124)
Sounds like the response from sillvester was the right one. I just wanted to elaborate on your initial config:
Code:
# I am not sure what this does
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT
This seems like a security issue here, but I could be wrong. What this is saying is that any NEW TCP traffic coming in on port 80 (HTTP) on eth0 should be accepted. I believe any traffic inbound to your network that is not already either ESTABLISHED or RELATED should be DENY. Please feel free to correct me there.
Code:
# or this
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This is a good one, though. It says it's OK (ACCEPT) to FORWARD any traffic that was already initiated by you (ESTABLISHED,RELATED).
1 member found this post helpful.
#11 | 05-22-2013, 02:48 AM | Member (Registered: Oct 2012; Location: Tucson, AZ; Distribution: Debian/CentOS; Posts: 124)
My bad, on that 1st config, it's --dport... destination port. This is not a security issue, it's allowing NEW HTTP traffic initiated out on port 80.
1 member found this post helpful.
#12 | 05-23-2013, 02:42 PM | lucmove (Original Poster)
Cool, sillvester's rules are working just fine! I have 8tracks again. :-)
Have you guys tried 8tracks, by the way? It's awesome. :-)
SOLVED.
Last edited by lucmove; 05-23-2013 at 02:46 PM.