LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 05-07-2005, 02:30 AM   #1
vijfita
LQ Newbie
 
Registered: May 2005
Distribution: Redhat 9.0
Posts: 24

Rep: Reputation: 15
iptables not working for "accept" action rules


Hi all,

I have been configuring iptables for packet filtering
for the last few days. I am experiencing a very strange behaviour of iptables.

All iptables rules that I mention at each chain match with real packets and work ONLY if the action is DROP. This invariably means that I am unable to set the default action of any chain to be DROP. For example,

when I set the following rules:

a)Default action for INPUT: ACCEPT
b)Action for INPUT packets that are addressed to port 3128 of localhost
(squid runs on this port): DROP

This ruleset works well, and all packets that are addressed to the gateway's squid are being blocked (meaning Internet access is blocked).

But when I rewrite the same function with the following rules:

a)Default action for INPUT: DROP
b) Action for INPUT packets that are addressed to port 3128 of localhost:ACCEPT

The incoming packets don't seem to be matching the first rule, and end up in the default rule, thereby dropping the packet.

The actual script mentions the following lines:

iptables -P INPUT DROP
iptables -A INPUT -i eth0 -m tcp -p tcp -s 192.168.20/24 --dport 3128 -j ACCEPT

Am I going wrong in making the iptables commands for achieving what I want to achieve ? I want to drop packets by default, but accept input packets addressed to the squid port.

Or, do I have to enable a few more things ? IP forwarding is already enabled in the gateway machine.

I am seeing the same problems even with forward rules(irrespective of any application like squid running)....

Someone help me please ...
 
Old 05-07-2005, 04:48 AM   #2
Demonbane
LQ Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
It'll be better if you provide more details, like the full set of your rules. But judging from the snippet above, you didn't use connection tracking, therefore what happens when you specify default INPUT policy as DROP is that your clients can actually connect to the Squid server, but the server cannot retrieve contents outside.
Therefore you should add the rule below:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Also if you're planning to use a proxy server to provide internet access, there's no need to enable IP forwarding.
 
Old 05-10-2005, 01:03 AM   #3
vijfita
LQ Newbie
 
Registered: May 2005
Distribution: Redhat 9.0
Posts: 24

Original Poster
Rep: Reputation: 15
Demonbane,

Thanks for your reply at the first place, but there is no further detail available. ...this was the first set of rules I tried, and it faltered ....

What I am actually trying to do is to connect all computers in my network to the Internet thru an internet gateway/application firewall. I am running squid on a machine, and I am setting other machines to pass thru this machine for internet. Of course, as you rightly pointed out, there is no need for ip forwarding if I am using squid, because squid will receive the packets, and send it out as if it had sent the packet itself. For this, I guess that masquerading may also be necessary.

By the way, I shall also try the state solution that you have given and get back to you.....but then what is the significance of tcp states? When I am able to address any tcp packet irrespective of its tcp state, then why do I have to worry about the tcp state of the packet?

Thanks in advance.

Regards.
 
Old 05-12-2005, 09:35 AM   #4
vijfita
LQ Newbie
 
Registered: May 2005
Distribution: Redhat 9.0
Posts: 24

Original Poster
Rep: Reputation: 15
iptables "ACCEPT" not working

Demonbane,

Your solution doesn't seem to be working out ...

It could either be not working, or I went wrong in understanding or implementing it ...hihihihi

Meanwhile, you didn't tell me where I should be adding the rule that you have mentioned ...I mean the position ....

And moreover, I want to filter packets for which:

1.The destination and source ports can be examined; AND
2. The tcp state of the packets could either be ESTABLISHED or RELATED (as you told me);

How can I combine such things together?

Thanks in advance.
 
Old 05-12-2005, 10:03 AM   #5
vijfita
LQ Newbie
 
Registered: May 2005
Distribution: Redhat 9.0
Posts: 24

Original Poster
Rep: Reputation: 15
iptables not working at all !!

Hey all,

The situation is getting even worse now ....

No rule gets matched at all now !!!

I am trying to execute the following code:

iptables -P INPUT ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp -s 192.168.2.0/24 -d 192.168.2.99 --dport 3128 -j DROP   # 192.168.2.99 = gateway, 3128 = squid
iptables -A INPUT -i eth1 -m tcp -p tcp -s 0/0 -d 192.168.2.99 --sport 80 -j DROP

and, after this, I am still able to access all websites, meaning there is no match at all !!!

and when I tried the following out:

iptables -P INPUT DROP
iptables -A INPUT -i eth0 -m tcp -p tcp -s 192.168.2.0/24 -d 192.168.2.99 --dport 3128 -j ACCEPT   # 192.168.2.99 = gateway, 3128 = squid
iptables -A INPUT -i eth1 -m tcp -p tcp -s 0/0 -d 192.168.2.99 --sport 80 -j ACCEPT

This doesn't seem to be working either !!

Are there any prerequisites before implementing iptables? Why does this problem happen? Do I have to reinstall iptables?

LINUX gurus and pandits, help at the earliest please !!

Regards.
 
Old 05-12-2005, 10:11 AM   #6
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

a few stupid questions :
1/ Are the Web server and squid on the same box as the firewall ?
If not, your rules should go in the FORWARD chain.

2/ Did you flush (clear) the tables before changing the rules ?
That's iptables -F INPUT; iptables -F OUTPUT; iptables -F FORWARD

A remark :
I don't think that you miss some prerequisites for iptables since if it was so, iptables would output some errors when you create your rules.

Good luck...
 
Old 05-12-2005, 01:03 PM   #7
camelrider
Member
 
Registered: Apr 2003
Location: Juneau, Alaska
Posts: 251

Rep: Reputation: 32
It seems you should have better luck if your exception rule appears above the default rule. Otherwise the packet will be processed by the default rule and never reach the exception.
AFAIK packets only reach the first matching rule.

Disclaimer: I am no iptables guru.
 
Old 05-13-2005, 05:28 AM   #8
vijfita
LQ Newbie
 
Registered: May 2005
Distribution: Redhat 9.0
Posts: 24

Original Poster
Rep: Reputation: 15
Hey,

The default rule is always the last rule to be matched ...so the default rule doesn't have much voice here..

Regards.
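To put Demonbane's connection-tracking point and camelrider's rule-order point side by side, here is an added example that is not from the thread and is not iptables itself: a small model of how an INPUT chain is walked (first match wins, the chain policy applies only when no rule matched, and -m state consults a connection-tracking table). Interfaces, addresses and ports are constructed to resemble the thread's setup, and RELATED tracking is left out.

```python
import ipaddress

# Connection-tracking table: 5-tuples of connections the gateway itself opened
# (e.g. squid fetching a page). Replies to them are ESTABLISHED; anything else is NEW.
conntrack = set()

def track_outbound(proto, src, sport, dst, dport):
    conntrack.add((proto, src, sport, dst, dport))

def ct_state(pkt):
    """State of an incoming packet as -m state would classify it (RELATED omitted)."""
    reply_of = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return "ESTABLISHED" if reply_of in conntrack else "NEW"

def matches(rule, pkt):
    """Every match option present in the rule must hold; absent options are wildcards."""
    for key in ("iface", "proto", "dport", "sport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return "state" not in rule or ct_state(pkt) in rule["state"]

def input_chain(rules, policy, pkt):
    """First matching rule decides; the chain policy applies only if nothing matched."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# The thread's ruleset: policy DROP plus one ACCEPT for LAN clients -> squid (port 3128).
SQUID_ONLY = [{"iface": "eth0", "proto": "tcp", "src": "192.168.2.0/24", "dport": 3128, "target": "ACCEPT"}]
# Demonbane's fix: accept replies to connections the gateway opened, placed before anything else.
WITH_STATE = [{"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}] + SQUID_ONLY
# camelrider's point: a catch-all rule placed above the exception shadows it.
SHADOWED = [{"target": "DROP"}] + SQUID_ONLY

# Constructed packets: a LAN client talking to squid, and a web server's reply to squid.
CLIENT_REQ = dict(iface="eth0", proto="tcp", src="192.168.2.10", dst="192.168.2.99", sport=40000, dport=3128)
WEB_REPLY = dict(iface="eth1", proto="tcp", src="203.0.113.5", dst="198.51.100.7", sport=80, dport=51000)
track_outbound("tcp", "198.51.100.7", 51000, "203.0.113.5", 80)  # squid opened this connection

def verdicts():
    return {
        "client->squid, squid rule only": input_chain(SQUID_ONLY, "DROP", CLIENT_REQ),
        "web reply, squid rule only": input_chain(SQUID_ONLY, "DROP", WEB_REPLY),
        "web reply, with state rule": input_chain(WITH_STATE, "DROP", WEB_REPLY),
        "client->squid, catch-all DROP first": input_chain(SHADOWED, "DROP", CLIENT_REQ),
    }
```

The second verdict is the failure Demonbane describes: clients reach squid, but the web server's replies to squid hit the DROP policy until the state rule is present.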
 