iptables problem!!
Hi Guys,
I'm building a gateway and I have two interfaces, eth0 (Internet) and eth1 (Private Network). I'm trying to write a rule that will block IP addresses received on eth0 and sent to eth1, for example (www.google.com), so the private network will not be able to access www.google.com. I can't figure out the syntax. I have something like:
Code:
iptables -A INPUT -s www.google.com 0 eth1 -j DROP
But this does not work. Is there anyone that knows the correct syntax to do this? Thanks, Rich.
Quote:
Try this:
Thanks for the speedy reply. I'm only just learning iptables so I'm not really too hot on the commands. I can see where I went wrong now.
Thanks, Rich
Probably the best tutorial out there: IPTables Tutorial 1.2.2
Definitely worth a read!! Let me know if you need any other help. Centinul
I'm having a bit of a problem with this script; I'm building an internet gateway. Eth0 for outside connection, eth1 for LAN connection.
First off, I block all ports into and out of my gateway:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Then I block all FORWARD connections to my LAN:
Code:
iptables -P FORWARD DROP
I then block all Telnet access to my LAN:
Code:
iptables -A INPUT -p tcp --sport telnet -j REJECT
iptables -A INPUT -p udp --sport telnet -j REJECT
OK, so now I want to open port 80 (http) to my LAN but the following code does not work:
Code:
iptables -A FORWARD -p tcp -dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -sport 80 -j ACCEPT
Is the iptables line correct, or have I done something wrong elsewhere? Thanks, Rich.
Quote:
Code:
iptables -A INPUT -p tcp --dport telnet -j REJECT
Quote:
If it's the former then:
Code:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
HTH, Centinul
Sorry, yeah, I would like the internal network to access the NET.
Code:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
If I enter iptables -A FORWARD ACCEPT then I have access to the NET. This is my iptables -L:
Code:
Chain INPUT (policy DROP)
That first rule I gave you should work in theory, we should try and investigate why it isn't working. Read the link to the tutorial about logging. You need to log those dropped packets. That way when you try and access the internet from a LAN machine you should be able to see WHY the packets are being dropped.
Please post the "iptables -L" output when the rule I gave you is in place. The OUTPUT chain is used on the gateway. If you wanted your gateway machine to access the internet you would put the same rule in place except you would use the OUTPUT chain instead. Just for the fun of it try this rule:
Code:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
Iptables Rules Entered:
Code:
iptables -P INPUT DROP
Code:
Chain INPUT (policy DROP)
Code:
IPF FWD DROPIN=eth2 OUT=eth0 SRC=192.168.2.150
192.168.2.150 is the LAN machine that executed the google request. As said before, if I remove the OUTPUT, INPUT, FORWARD DROP and replace with ACCEPT I have connectivity to the NET, so that eliminates that problem. Would it have anything to do with port 53 (DNS)? If it cannot resolve google.com then it won't be able to connect to it. Thanks, Rich
Quote:
Code:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT
Let me know if you have any other questions. Thanks, Centinul
Quote:
I think it must be UDP port 53 instead of TCP 53, so
Code:
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
Best regards.
Quote:
:)
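A consolidated version of the ruleset this thread converges on, written as an added example rather than code from any of the posters. It assumes WAN is eth0, LAN is eth1, and a LAN subnet of 192.168.2.0/24 (taken from the SRC address in the logged packet above); it also assumes the gateway needs ip_forward and MASQUERADE, which the thread never shows. It allows DNS over both UDP and TCP 53 (resolvers normally use UDP and fall back to TCP for large answers), keeps the ESTABLISHED,RELATED rule so return traffic passes, adds 443 alongside 80 since most sites redirect to HTTPS, logs forwarded packets that reach the end of the chain with a --log-prefix ending in a space (the log line above shows what happens without one), and includes a small lint function that catches the two mistakes seen in the thread: a single-dash -dport and a lower-case -j accept target, which iptables rejects because target names are case-sensitive.

```shell
#!/bin/sh
# Added example (not any poster's code): a gateway ruleset for the setup in
# this thread. Assumptions: WAN=eth0, LAN=eth1, LAN subnet 192.168.2.0/24
# (from the SRC address in the logged packet); ip_forward and MASQUERADE are
# assumed to be needed, the thread never shows how the gateway does NAT.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Print the ruleset one command per line so it can be reviewed and linted
# before anything is applied to a live gateway.
gateway_rules() {
    cat <<EOF
# assumed: the kernel must forward between interfaces at all
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
# default-deny on every chain, as in the thread
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections that were already allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS from the LAN: UDP is the normal case, TCP is the fallback for big answers
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# web from the LAN only, bound to the LAN interface and subnet
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 443 -j ACCEPT
# log what falls through to the DROP policy; trailing space keeps IN= readable
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPF FWD DROP "
# assumed: hide the private subnet behind the gateway's WAN address
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Read rules on stdin, report the common typos from this thread, return 1 if
# any were found. Blank lines and comments are ignored.
lint_rules() {
    status=0
    while read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # "-dport" / "-sport" / "-state" with one dash are not iptables options
        if printf '%s\n' "$line" | grep -Eq '(^| )-(dport|sport|state)( |$)'; then
            echo "single-dash long option: $line"
            status=1
        fi
        # targets are case-sensitive: "-j accept" fails to load a target
        target=$(printf '%s\n' "$line" | sed -n 's/.* -j \([^ ]*\).*/\1/p')
        if [ -n "$target" ] && ! printf '%s\n' "$target" | grep -Eq '^[A-Z_]+$'; then
            echo "target must be upper-case: $line"
            status=1
        fi
        # "-A CHAIN ACCEPT" is not a rule; a chain policy is set with -P
        if printf '%s\n' "$line" | grep -Eq ' -A [^ ]* (ACCEPT|DROP|REJECT)( |$)'; then
            echo "-A takes a chain and a match; did you mean -P CHAIN POLICY: $line"
            status=1
        fi
    done
    return $status
}

# Apply the ruleset; needs root and a real iptables. Refuses if lint fails.
apply_rules() {
    gateway_rules | lint_rules >/dev/null || {
        echo "refusing to apply: lint found problems" >&2
        return 1
    }
    gateway_rules | sh -e
}

case "${1:-}" in
    --print) gateway_rules ;;
    --apply) apply_rules ;;
esac
```

Run it with `--print` to see the commands, pipe that through `lint_rules` to check any hand-written additions, and only then `--apply` as root. The order inside FORWARD matters: the state rule comes first so replies are accepted cheaply, the explicit LAN-to-WAN rules follow, and the LOG rule is last so it only sees packets that nothing above matched; those are the lines to read when a LAN host cannot reach the internet.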