LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   iptables problem!! (https://www.linuxquestions.org/questions/linux-networking-3/iptables-problem-550118/)

Richtown 04-30-2007 08:30 AM

iptables problem!!
 
Hi Guys,

I'm building a gateway and I have two interfaces: eth0 (Internet) and eth1 (Private Network). I'm trying to write a rule that will block IP addresses received on eth0 and sent to eth1, for example www.google.com, so the private network will not be able to access www.google.com.

I can't figure out the syntax i have something like:

iptables -A INPUT -s www.google.com 0 eth1 -j DROP

But this does not work. Is there anyone who knows the correct syntax to do this?

Thanks Rich.

Centinul 04-30-2007 08:38 AM

Quote:

Originally Posted by Richtown
iptables -A INPUT -s www.google.com 0 eth1 -j DROP

I see a couple of things wrong with your syntax. First, if you are going from the internal interface to the external interface you will want to use the FORWARD chain, not the INPUT chain. Second, I don't think that "0" should be in your rule. Third, you list the link (www.google.com) as a source when it is really the destination address. Fourth, you don't list which interface eth1 is; it must be specified as incoming or outgoing, but in this case, if you just want to block the address, you don't really need it.

Try this:

Code:

iptables -A FORWARD -d www.google.com -j DROP

Richtown 04-30-2007 08:47 AM

Thanks for the speedy reply. I've only just started learning iptables so I'm not really too hot on the commands. I can see where I went wrong now.

Thanks Rich

Centinul 04-30-2007 08:50 AM

Probably the best tutorial out there: IPTables Tutorial 1.2.2

Definitely worth a read!!

Let me know if you need any other help.

Centinul

Richtown 05-01-2007 04:49 AM

I'm having a bit of a problem with this script; I'm building an internet gateway. eth0 is for the outside connection, eth1 for the LAN connection.

First off:
I block all ports into and out of my Gateway
iptables -P INPUT DROP
iptables -P OUTPUT DROP


Then i block all FORWARD connections to my LAN
iptables -P FORWARD DROP

I then block all Telnet access to my LAN
iptables -A INPUT -p tcp --sport telnet -j REJECT
iptables -A INPUT -p udp --sport telnet -j REJECT


OK, so now i want to open port 80 (http) to my LAN but the following code does not work:
iptables -A FORWARD -p tcp -dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -sport 80 -j ACCEPT


Is the iptables line correct, or have I done something wrong elsewhere?

Thanks Rich.

Centinul 05-01-2007 05:50 AM

Quote:

Originally Posted by Richtown
I then block all Telnet access to my LAN
iptables -A INPUT -p tcp --sport telnet -j REJECT
iptables -A INPUT -p udp --sport telnet -j REJECT

If you want to block telnet access to your LAN you'll want to change it to the DESTINATION port. Also, the INPUT rules only block telnet access to the gateway device, not the PCs behind it, so you may want to add another rule to do that. An example would be:

Code:

iptables -A INPUT -p tcp --dport telnet -j REJECT
iptables -A FORWARD -p tcp --dport telnet -j REJECT

Technically speaking, though, since your default policies are to drop any packets that don't match anyway, there really is no need to explicitly reject these packets because they will be dropped anyway. But it is good practice to make sure.

Quote:

Originally Posted by Richtown
OK, so now i want to open port 80 (http) to my LAN but the following code does not work:
iptables -A FORWARD -p tcp -dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -sport 80 -j ACCEPT

Now I'm confused as to what you want here. Do you want the clients in your LAN to be able to browse the NET? Or do you have a web server in your LAN that you want people on the outside to be able to view?

If it's the former then:

Code:

iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
should work. Also, don't forget to allow all established and related packets back through your gateway:

Code:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If it's a web server that you want people from the outside to view, then you will need to explain your network setup a little bit more (IP addresses, NAT or no NAT, etc.).

HTH,

Centinul

Richtown 05-01-2007 06:16 AM

Sorry, yeah, I would like the internal network to access the NET.

Code:

iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I tried the above but I still cannot gain access to the NET via a LAN machine.

If I enter iptables -A FORWARD ACCEPT then I have access to the NET. This is my iptables -L:

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination

Would it have anything to do with no ACCEPT defined in the OUTPUT chain?

Centinul 05-01-2007 06:34 AM

That first rule I gave you should work in theory; we should try and investigate why it isn't working. Read the section of the tutorial about logging. You need to log those dropped packets. That way, when you try to access the internet from a LAN machine, you should be able to see WHY the packets are being dropped.

Please post the "iptables -L" output when the rule I gave you is in place.

The OUTPUT chain is used on the gateway. If you wanted your gateway machine to access the internet you would put the same rule in place except you would use the OUTPUT chain instead.

Just for the fun of it try this rule:

Code:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
Also, don't forget to drop and recreate all your rules every time; that way you make sure there aren't any extraneous rules in there.

Richtown 05-01-2007 07:12 AM

Iptables Rules Entered:
Code:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "IPF FWD DROP"

iptables -L
Code:

Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
LOG        all  --  anywhere             anywhere             LOG level warning prefix 'IPF FWD DROP'

Chain OUTPUT (policy DROP)
target     prot opt source               destination

From my LAN machine i tried www.google.com. Log on the Gateway was:
Code:

IPF FWD DROPIN=eth2 OUT=eth0 SRC=192.168.2.150 DST=172.16.87.2 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=3194 DF PROTO=UDP SPT=33035 DPT=53 LEN=40

eth2 will be used for my DMZ but it's not set up at the moment; it has a network subnet of 192.168.3.0/24. 172.16.87.2 is the DNS server. The gateway is on a virtual machine (VMware). The IP address of the gateway is 172.16.87.128; its gateway is 172.16.87.1.
192.168.2.150 is the LAN machine that executed the google request. As said before, if I remove the OUTPUT, INPUT, FORWARD DROP and replace it with ACCEPT I have connectivity to the NET. So that eliminates that problem.

Would it have anything to do with port 53 (DNS)? If it cannot resolve google.com then it won't be able to connect to it.

Thanks Rich
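The log line in the post above already contains the answer, once it is read field by field: the dropped packet arrived on eth2, not eth1, and it was UDP to port 53. The following script is an added example, not code from the thread: it splits kernel iptables LOG lines into their KEY=value fields, prints a one-line summary per dropped packet, suggests the narrowest FORWARD rule that would have matched it, and tallies drops by protocol and destination port. The sample lines are constructed; the first reproduces the thread's log entry (note how the missing trailing space in `--log-prefix "IPF FWD DROP"` glues the prefix onto `IN=`), and the TCP and ICMP lines are invented to show the other shapes a LOG line takes.

```shell
#!/bin/sh
# Added example (not from the thread): parse iptables LOG lines, summarise each
# dropped packet and suggest the FORWARD rule that would have let it through.

# Constructed sample log lines. Line 1 mirrors the thread's entry; lines 2 and 3
# are invented (a blocked HTTPS SYN and a ping) to exercise the other cases.
SAMPLE_LOG='IPF FWD DROPIN=eth2 OUT=eth0 SRC=192.168.2.150 DST=172.16.87.2 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=3194 DF PROTO=UDP SPT=33035 DPT=53 LEN=40
IPF FWD DROPIN=eth1 OUT=eth0 SRC=192.168.2.150 DST=172.16.87.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3195 DF PROTO=TCP SPT=40211 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
IPF FWD DROPIN=eth1 OUT=eth0 SRC=192.168.2.150 DST=172.16.87.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=3196 DF PROTO=ICMP TYPE=8 CODE=0 ID=1537 SEQ=1'

# field LINE KEY -> value of the first KEY=value token on the line.
# Everything before the first "IN=" is the log prefix; it is cut off because a
# --log-prefix without a trailing space runs into IN= ("IPF FWD DROPIN=eth2").
# The first LEN= is the IP total length, the second (UDP) is skipped.
field() {
    printf 'IN=%s\n' "${1#*IN=}" |
        awk -v k="$2" '{ for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit } }'
}

# service_name PORT -> name for the ports this thread is concerned with
service_name() {
    case "$1" in
        53) echo dns ;; 80) echo http ;; 443) echo https ;; 23) echo telnet ;;
        *)  echo "port $1" ;;
    esac
}

# summarize LINE -> "in->out PROTO src:sport -> dst:dport (service)"
summarize() {
    iif=$(field "$1" IN); oif=$(field "$1" OUT); proto=$(field "$1" PROTO)
    src=$(field "$1" SRC); dst=$(field "$1" DST)
    case "$proto" in
        TCP|UDP) dpt=$(field "$1" DPT)
                 printf '%s->%s %s %s:%s -> %s:%s (%s)\n' "$iif" "$oif" "$proto" \
                     "$src" "$(field "$1" SPT)" "$dst" "$dpt" "$(service_name "$dpt")" ;;
        *)       printf '%s->%s %s %s -> %s\n' "$iif" "$oif" "$proto" "$src" "$dst" ;;
    esac
}

# suggest_rule LINE -> the narrowest FORWARD ACCEPT that would have matched
suggest_rule() {
    iif=$(field "$1" IN); oif=$(field "$1" OUT); proto=$(field "$1" PROTO)
    case "$proto" in
        TCP|UDP) printf 'iptables -A FORWARD -i %s -o %s -p %s --dport %s -j ACCEPT\n' \
                     "$iif" "$oif" "$(printf '%s' "$proto" | tr 'A-Z' 'a-z')" "$(field "$1" DPT)" ;;
        ICMP)    printf 'iptables -A FORWARD -i %s -o %s -p icmp --icmp-type %s -j ACCEPT\n' \
                     "$iif" "$oif" "$(field "$1" TYPE)" ;;
        *)       printf '# no suggestion for PROTO=%s\n' "$proto" ;;
    esac
}

# drops_by_dest LOG -> dropped packets counted per PROTO/dport, most frequent first
drops_by_dest() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        [ -n "$l" ] || continue
        dpt=$(field "$l" DPT)
        printf '%s/%s\n' "$(field "$l" PROTO)" "${dpt:-none}"
    done | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    summarize "$line"
    printf '    suggested: %s\n' "$(suggest_rule "$line")"
done
printf '\n%s\n' 'dropped packets by protocol/destination port:'
drops_by_dest "$SAMPLE_LOG"
```

Run against a live box with `grep 'IPF FWD DROP' /var/log/kern.log` piped in place of `SAMPLE_LOG`. The suggestion is deliberately the most specific rule (interface pair, protocol, destination port), so each line of output is a decision to make, not a rule to paste blindly; the first sample line yields the eth2 DNS rule that was missing in the post above.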

Centinul 05-01-2007 07:45 AM

Quote:

Originally Posted by Richtown
Would it have anything to do with port 53 (DNS) if it cannot resolve google.com then it wont be able to connect to it.

Yes, that is most likely your problem. You will also have to allow DNS access from your LAN machines, because if you don't they won't be able to resolve the names to the correct IP addresses. A rule that would allow that would be the following:

Code:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT
Unfortunately, the example that you gave for the rules that were entered would fail no matter what, because you specified the eth1 interface as the input interface when you tried from the eth2 interface. Make sure that you add the proper rules to support that interface.

Let me know if you have any other questions.

Thanks,

Centinul

maxut 05-02-2007 04:15 AM

Quote:

Originally Posted by Centinul
Code:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT
Centinul

Let me correct, please.
I think it must be UDP port 53 instead of TCP 53,
so:
Code:

iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
No need for "TCP 53" to resolve domain names. Also, UDP 53 packets are shown in the logs.

best regards.

Centinul 05-02-2007 04:24 AM

Quote:

Originally Posted by maxut
Let me correct, please.
I think it must be UDP port 53 instead of TCP 53,
so:
Code:

iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
No need for "TCP 53" to resolve domain names. Also, UDP 53 packets are shown in the logs.

best regards.

Thanks for the correction. I must have been sleeping when I wrote that.

:)
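Pulling the thread's advice together (FORWARD rather than INPUT for traffic crossing the box, ESTABLISHED,RELATED in every chain, interface matching, DNS for the LAN, logging before the DROP policy, flushing before reloading), here is a complete ruleset for the two-interface gateway as an added example. It is not a script posted in the thread. It assumes things the thread never states: the LAN is 192.168.2.0/24 (the only LAN address seen in the log), the LAN is NATed out eth0 with MASQUERADE, the gateway is managed over SSH from the LAN, and the optional `BLOCKED_DST` is an address (203.0.113.10 is a documentation placeholder). Two practitioner points are folded in. DNS is allowed over TCP as well as UDP, because resolvers retry over TCP when a UDP response comes back truncated, and a per-destination block is written against an address rather than a hostname: `iptables -d www.google.com` resolves the name once at load time, so the rule silently stops matching when the addresses behind the name change.

```shell
#!/bin/sh
# Added example (not code from the thread): full ruleset for a gateway with
# eth0 = Internet and eth1 = LAN. Assumed, not from the thread: LAN subnet,
# MASQUERADE NAT, SSH management from the LAN. Without the "apply" argument the
# script only records the commands it would run (DRY_RUN) so the ruleset can be
# reviewed on a machine without iptables or root; "sh gateway.sh apply" loads it.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.2.0/24}      # assumption, taken from the log's SRC address
BLOCKED_DST=${BLOCKED_DST:-}            # optional: one IP address the LAN must not reach
NL='
'
RULES=""                                # every command issued, one per line

run() {                                 # record a command, then execute it unless dry-running
    RULES="${RULES}$*${NL}"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}
ipt() { run iptables "$@"; }

build_ruleset() {
    RULES=""
    # Flush first, so rules left from earlier attempts never linger
    ipt -F; ipt -X; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP

    # Loopback, then state tracking in all three chains. After this every rule
    # only has to permit the first packet of a connection; replies and related
    # ICMP errors come back through the ESTABLISHED,RELATED rules.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m state --state INVALID -j DROP
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # Anti-spoofing: anything entering on the LAN interface must carry a LAN source
    ipt -A FORWARD -i "$LAN" ! -s "$LAN_NET" -j DROP

    # Per-destination blocks go before the ACCEPTs, and match an address: a
    # hostname here would be resolved once, when the rule is loaded
    if [ -n "$BLOCKED_DST" ]; then
        ipt -A FORWARD -i "$LAN" -o "$WAN" -d "$BLOCKED_DST" -j DROP
    fi

    # LAN -> Internet: DNS over UDP and TCP (truncated replies fall back to TCP), HTTP, HTTPS
    ipt -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53  -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 53  -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 80  -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 443 -j ACCEPT

    # The gateway itself: SSH and ping from the LAN only, DNS lookups outbound
    ipt -A INPUT  -i "$LAN" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT  -i "$LAN" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp --dport 53 -j ACCEPT

    # Log what is about to hit the DROP policy, rate-limited so a port scan
    # cannot fill the disk. Keep the trailing space in the prefix; without it
    # the kernel log reads "...DROPIN=eth1", as it did in this thread.
    for chain in INPUT FORWARD; do
        ipt -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "IPT $chain DROP: "
    done

    # NAT the LAN out of the Internet interface and enable forwarding (assumed setup)
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# has_rule STRING -> success if a recorded command contains STRING (for review/tests)
has_rule()    { printf '%s' "$RULES" | grep -qF -- "$1"; }
rule_count()  { printf '%s' "$RULES" | grep -c .; }

case "${1:-}" in
    apply) build_ruleset ;;                                   # as root: load the rules
    *)     DRY_RUN=1; build_ruleset; printf '%s' "$RULES" ;;  # default: print for review
esac
```

The recorded lines print their arguments unquoted, so the dry run is for reading the ruleset, not for pasting it back in. Because the ESTABLISHED,RELATED rules sit above everything else, the `--sport` rules from earlier in the thread are unnecessary: return traffic is matched by state, and only the initial packet of each allowed service needs its own `--dport` rule.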

