Old 05-16-2013, 03:32 AM   #1
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,538

Rep: Reputation: 112Reputation: 112
iptables is blocking an application


I have a computer with Internet access acting as a gateway/router. It does some filtering of the traffic it exchanges with a Wifi router through Ethernet. That router serves a notebook, phone and tablet over Wifi.

INTERNET --> PC --> Ethernet --> ROUTER --> Wifi --> devices

I have iptables running with a large number of rules, established by a script I downloaded somewhere. I know that's obscure, but it's what I have.

At the end of the script, I have added a few rules myself:

Code:
# routing
iptables -A FORWARD --in-interface wlan0 --out-interface eth0 --source 10.42.43.1/255.255.255.0 -m state --state NEW -j ACCEPT

# privoxy
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8118

# I am not sure what this does
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT

# or this
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# masquerading
iptables -A POSTROUTING -t nat -j MASQUERADE

Everything works fine, including email, browsing, many apps etc.

Except one application, called 8Tracks on the tablet. Ever since I added this firewall, the application no longer works.

I hooked up my Internet access directly to the Wifi router:

INTERNET --> ROUTER --> Wifi --> devices

The application worked beautifully, like it used to before I installed the firewall. So it seems obvious that the PC with iptables is blocking the application.

I don't know what to do, especially because I don't know what ports and protocol this application is using. All I know is that everything between the PC and the router, i.e. everything coming to and from Ethernet should be trusted and given free pass. How do I do that?
 
Old 05-16-2013, 04:40 AM   #2
sillvester
LQ Newbie
 
Registered: Dec 2010
Location: Jiaxing Zhejiang Province China
Posts: 6

Rep: Reputation: 4
It seems like only
Quote:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8118
should make it not work.
It redirects the TCP packets coming from the internet whose destination port is 80 to 8118.
If the application uses local port 80 to communicate with others, it will fail.
 
1 members found this post helpful.
Old 05-16-2013, 08:46 AM   #3
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,538

Original Poster
Rep: Reputation: 112Reputation: 112
Damn, you're right! The app works if I remove that line.

But I need that redirection, because I need Privoxy to filter out some websites! Do you suppose there is any way I can distinguish that app from other apps (browsers) that use port 80? :-(
 
Old 05-16-2013, 08:52 AM   #4
curious95
Member
 
Registered: Oct 2012
Location: /home/v
Distribution: Slackware 14.0
Posts: 83

Rep: Reputation: Disabled
Can iptables block samba?
 
Old 05-17-2013, 03:16 AM   #5
sillvester
LQ Newbie
 
Registered: Dec 2010
Location: Jiaxing Zhejiang Province China
Posts: 6

Rep: Reputation: 4
Match the MAC address of your tablet device, then accept before this redirect rule.
 
Old 05-18-2013, 02:59 AM   #6
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,538

Original Poster
Rep: Reputation: 112Reputation: 112
Quote:
Originally Posted by sillvester View Post
Match the MAC address of your tablet device, then accept before this redirect rule.
I think you don't understand that there is a conflict between two services that are used by the tablet. I need Privoxy for all the devices, including the tablet, and the 8tracks application runs on nothing but the tablet. I don't see how identifying the tablet's MAC address would be useful. The two services would still clash just the same.
 
Old 05-20-2013, 09:03 PM   #7
sillvester
LQ Newbie
 
Registered: Dec 2010
Location: Jiaxing Zhejiang Province China
Posts: 6

Rep: Reputation: 4
Quote:
Originally Posted by lucmove View Post
I think you don't understand that there is a conflict between two services that are used by the tablet. I need Privoxy for all the devices, including the tablet, and the 8tracks application runs on nothing but the tablet. I don't see how identifying the tablet's MAC address would be useful. The two services would still clash just the same.
The only method I can work out is to identify this application's protocol by the IP addresses of the server.
First nslookup the domains "8tracks.com, imgix.8tracks.com, cft.8tracks.com"; you will get the IP addresses.
Then add accept rules before the redirect rule.
These rules I tested worked.
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            199.27.75.129       
    0     0 ACCEPT     all  --  *      *       199.27.75.129        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       205.251.203.245      0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            205.251.203.245     
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            23.23.196.130       
    0     0 ACCEPT     all  --  *      *       23.23.196.130        0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 
1 members found this post helpful.
Old 05-21-2013, 12:48 AM   #8
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,538

Original Poster
Rep: Reputation: 112Reputation: 112
That sounds interesting. Can you please provide the explicit iptables rules, the way I am supposed to enter them? I am not really familiar with the syntax.
 
Old 05-21-2013, 02:10 AM   #9
sillvester
LQ Newbie
 
Registered: Dec 2010
Location: Jiaxing Zhejiang Province China
Posts: 6

Rep: Reputation: 4
Talking

Quote:
Originally Posted by lucmove View Post
That sounds interesting. Can you please provide the explicit iptables rules, the way I am supposed to enter them? I am not really familiar with the syntax.
The rules you want should be:
Code:
iptables -t nat -I PREROUTING -s a.a.a.a -p tcp -j ACCEPT    # rule allows tcp packets from a.a.a.a
iptables -t nat -I PREROUTING -d a.a.a.a -p tcp -j ACCEPT    # rule allows tcp packets to a.a.a.a
iptables -t nat -I PREROUTING -s b.b.b.b -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -d b.b.b.b -p tcp -j ACCEPT
 
1 members found this post helpful.
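The bypass sillvester describes, written out as a small script (an added example, not code from the thread or from any poster). It keeps the interface and Privoxy port from the thread, uses constructed placeholder addresses instead of the real 8tracks IPs, and narrows the match to destination port 80 only: the nat table only sees the first packet of a connection, so the reply direction never reaches the REDIRECT rule and needs no -s rule.

```shell
#!/bin/sh
# Added example: generate nat PREROUTING rules that let chosen servers skip
# the Privoxy REDIRECT. Values from the thread: eth0 (LAN side), port 8118.

LAN_IF=eth0        # interface facing the Wifi router
PROXY_PORT=8118    # Privoxy listening port

# Resolve a hostname to its current IPv4 addresses (needs network access;
# assumes glibc's getent). CDN addresses rotate, so re-run this regularly
# and rebuild the rules; stale bypass rules silently fall back to the proxy.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# One ACCEPT per server address. -I inserts at the top of the chain, so these
# land before the REDIRECT appended with -A. ACCEPT in the nat table means
# "stop traversing this chain for this packet", i.e. no redirect happens.
bypass_rules() {
    for ip in "$@"; do
        printf 'iptables -t nat -I PREROUTING -i %s -d %s -p tcp --dport 80 -j ACCEPT\n' \
            "$LAN_IF" "$ip"
    done
}

# The redirect itself, appended after the bypass rules.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$PROXY_PORT"
}

# Constructed placeholder addresses (TEST-NET-1), not real 8tracks servers.
# For the real thing: SAMPLE_IPS=$(resolve_v4 8tracks.com)
SAMPLE_IPS="192.0.2.10 192.0.2.11"

# Print the rules; pipe into sh as root to apply them. Verify ordering with:
#   iptables -t nat -L PREROUTING -n -v --line-numbers
bypass_rules $SAMPLE_IPS
redirect_rule
```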
Old 05-22-2013, 02:46 AM   #10
RootMason
Member
 
Registered: Oct 2012
Location: Tucson, AZ
Distribution: Debian/CentOS
Posts: 124

Rep: Reputation: 5
Sounds like the response from sillvester was the right one, I just wanted to elaborate on your initial config:

# I am not sure what this does
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT

This seems like a security issue here, but I could be wrong. What this is saying is that any NEW tcp traffic coming in on port 80 (HTTP) on eth0 should be accepted. I believe any traffic inbound to your network that is not already either ESTABLISHED or RELATED should be DENY. Please feel free to correct me there.

# or this
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This is a good one, though. It says it's ok (ACCEPT) to FORWARD any traffic that was already initiated by you (ESTABLISHED,RELATED).
 
1 members found this post helpful.
Old 05-22-2013, 02:48 AM   #11
RootMason
Member
 
Registered: Oct 2012
Location: Tucson, AZ
Distribution: Debian/CentOS
Posts: 124

Rep: Reputation: 5
My bad, on that 1st config, it's --dport... destination port. This is not a security issue, it's allowing NEW HTTP traffic initiated out on port 80.
 
1 members found this post helpful.
Old 05-23-2013, 02:42 PM   #12
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,538

Original Poster
Rep: Reputation: 112Reputation: 112
Cool, sillvester's rules are working just fine! I have 8tracks again. :-)

Have you guys tried 8tracks, by the way? It's awesome. :-)

SOLVED.

Last edited by lucmove; 05-23-2013 at 02:46 PM.
 