LinuxQuestions.org
Old 09-30-2016, 02:08 AM   #1
Peter_APIIT (Member)
IPTables Firewall Rule


Hello to all, I tried to set up the firewall with the following rules but failed to connect to the internet.

Please advise.

Quote:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.124.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.124.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_block all -- anywhere anywhere
FWDO_block all -- anywhere anywhere

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_FedoraWorkstation_allow (0 references)
target prot opt source destination

Chain FWDI_FedoraWorkstation_deny (0 references)
target prot opt source destination

Chain (0 references)
target prot opt source destination

Chain FWDO_block (2 references)
target prot opt source destination
FWDO_block_log all -- anywhere anywhere
FWDO_block_deny all -- anywhere anywhere
FWDO_block_allow all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FWDO_block_allow (1 references)
target prot opt source destination

Chain FWDO_block_deny (1 references)
target prot opt source destination

Chain FWDO_block_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination
Why can I still not browse?
I want to keep my firewall closed on all ports but allow outgoing connections and keep state with the firewall.

Please help.
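What the poster describes (all inbound ports closed, outbound allowed, stateful replies let back in) is the classic host firewall, and the posted INPUT chain breaks it because its first rule is an unconditional DROP with no RELATED,ESTABLISHED accept in front of it, so the replies to every outgoing connection are discarded; the posted OUTPUT chain additionally permits only http and bootpc, so DNS lookups never leave the machine. The script below is an added example, not code from the thread: it emits such a ruleset in iptables-restore format, checks that the stateful accept precedes any catch-all DROP or REJECT in INPUT, and only loads it (as root, with the argument `apply`) when that check passes. It assumes iptables with the conntrack match, which the posted chains already use.

```shell
#!/bin/sh
# Added example: minimal stateful host firewall in iptables-restore format.
# Assumes iptables with the conntrack match (the posted chains use ctstate).

stateful_host_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is needed by local services (resolver, X, etc.)
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened; must come BEFORE any catch-all DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# everything else inbound falls through to the DROP policy
COMMIT
EOF
}

# Reads a ruleset on stdin. Returns 0 when INPUT has a RELATED,ESTABLISHED
# accept before any unconditional DROP/REJECT, 1 otherwise (the ordering
# defect in the thread's listing: "DROP all -- anywhere anywhere" first).
check_stateful_order() {
    awk '
        /^-A INPUT/ {
            if ($0 ~ /RELATED,ESTABLISHED/ && $0 ~ /-j ACCEPT/) { seen_est = 1 }
            # "-A INPUT -j DROP" with no match at all is a catch-all rule
            if ($0 ~ /^-A INPUT -j (DROP|REJECT)/ && !seen_est) { bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage: "sh firewall.sh apply" as root loads the rules; with no argument
# only the ordering check runs.
if [ "${1:-}" = "apply" ]; then
    stateful_host_ruleset | check_stateful_order && stateful_host_ruleset | iptables-restore
else
    stateful_host_ruleset | check_stateful_order && echo "ruleset order OK"
fi
```

The same check can be run against an existing firewall with `iptables-save | check_stateful_order`, which is how the listing in this thread would have been caught.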
 
Old 09-30-2016, 04:23 AM   #2
vincix (Senior Member)
Is this a router or are you trying to connect from this computer?

Given your forward chain, I take it to be a router.

If that is so, you need to apply SNAT.

iptables -t nat -vnL. What does this command show?
 
Old 09-30-2016, 10:24 PM   #3
Peter_APIIT (Member, Original Poster)
Quote:
Originally Posted by vincix View Post
Is this a router or are you trying to connect from this computer?

Given your forward chain, I take it to be a router.

If that is so, you need to apply SNAT.

iptables -t nat -vnL. What does this command show?
There is a router connected to this computer.

Quote:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 66 packets, 4659 bytes)
pkts bytes target prot opt in out source destination
66 4659 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 66 packets, 4659 bytes)
pkts bytes target prot opt in out source destination
2 159 RETURN all -- * * 192.168.124.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.124.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.124.0/24 !192.168.124.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.124.0/24 !192.168.124.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.124.0/24 !192.168.124.0/24
64 4500 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
64 4500 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
64 4500 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
64 4500 POST_block all -- * + 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination

Chain POST_block (1 references)
pkts bytes target prot opt in out source destination
64 4500 POST_block_log all -- * * 0.0.0.0/0 0.0.0.0/0
64 4500 POST_block_deny all -- * * 0.0.0.0/0 0.0.0.0/0
64 4500 POST_block_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POST_block_allow (1 references)
pkts bytes target prot opt in out source destination

Chain POST_block_deny (1 references)
pkts bytes target prot opt in out source destination

Chain POST_block_log (1 references)
pkts bytes target prot opt in out source destination

Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 PRE_block all -- + * 0.0.0.0/0 0.0.0.0/0

Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_block (1 references)
pkts bytes target prot opt in out source destination
0 0 PRE_block_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PRE_block_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PRE_block_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PRE_block_allow (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_block_deny (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_block_log (1 references)
pkts bytes target prot opt in out source destination


Please help.
 
Old 10-01-2016, 12:48 PM   #4
vincix (Senior Member)
So then I take it that you're trying to connect FROM this computer, right?
If that's the case, then it makes no difference what is going on in your NAT tables, unless this computer acts as a router.

You need to offer more information. What is your IP address, netmask, gateway? Does the router offer DHCP? How is it connected exactly?
 
Old 10-02-2016, 12:57 AM   #5
lazydog (Senior Member)
Even if it is acting as a router it will still not need to NAT the outgoing traffic, as it will use the correct interface for where the traffic is destined.
 
Old 10-02-2016, 01:02 AM   #6
vincix (Senior Member)
Quote:
Originally Posted by lazydog View Post
Even if it is acting as a router it will still not need to NAT the outgoing traffic, as it will use the correct interface for where the traffic is destined.
Well, the OP hasn't really given a lot of info, but it does depend on where that router is placed, which we don't know, really. If it gets a public IP, he'd obviously need NAT for the other computers behind it.