LinuxQuestions.org

Linux - Security: iptables FORWARD (https://www.linuxquestions.org/questions/linux-security-4/iptables-forward-70516/)

ArnaudVR 07-06-2003 12:35 PM

iptables FORWARD
 
Hello,

I got a little bridge going with the ip_tables module loaded and it's working, because I managed to cut off my ssh connection by denying all INPUT. I can't however manage to stop traffic going through the box.

iptables -A FORWARD -p ALL -i eth1 -s 198.86.12.102/24 -o eth0 -d 198.86.12.1/24 -j DROP

thanks for any help.....

dorian33 07-06-2003 04:16 PM

To fully describe the forwarded traffic you need to take care of both the forwarding and the NAT rules (and mangling as well, if you have any).
I believe apart from the FORWARD rules you have got '-t nat ... POSTROUTING' or PREROUTING rules. The rules can change the IP addresses before FORWARD will act.
Anyway: have you tried 'iptables -A FORWARD -p ALL -i eth1 -o eth0 -j DROP' (or just 'iptables -A FORWARD -j DROP') ?

ArnaudVR 07-06-2003 06:07 PM

I haven't looked at POSTROUTING and PREROUTING, but according to the howtos it should be working with just the FORWARD rule. I have tried what you suggested and more, but when I enter iptables -vL I can see that none of the packets seem to have gone through the FORWARD chain at all. I even tried to make the rule from eth1 to br0 and from br0 to eth0, but the packets still don't go through the FORWARD chain, only the INPUT and OUTPUT ones.

Hmm, weird?

dorian33 07-07-2003 12:19 PM

Quote:

I haven't looked at POSTROUTING and PREROUTING, but according to the howtos it should be working with just the FORWARD rule.
Yeah, but remember that the nat PREROUTING rule can change the IP :)

Quote:

... but the packets still don't go through the FORWARD chain, only the INPUT and OUTPUT ones.
So you have got what you want, haven't you? Did I understand your necessity correctly?

ArnaudVR 07-07-2003 12:32 PM

It's a bridge that bridges two parts of the same network, so machines on one side of the box would be in the same network as on the other side. The INPUT & OUTPUT chains are for packets coming to or generated on the localhost; I'm supposed to be able to stop packets to localhost, but also have the option of accepting packets to localhost but not letting them go through to the rest of the network (FORWARD).

dorian33 07-07-2003 04:30 PM

Sorry, but this time I don't understand anything.
If you need a bridge you do not need any netfilter (bridge doesn't know about IP addresses).
Using iptables you can make a router since it works with internet protocol.

ArnaudVR 07-07-2003 05:05 PM

Thanks for your help Dorian, I resolved the issue.

A bridge is invisible; think of it as a piece of ethernet cable. You can use iptables to say what goes through it or not.

For anyone interested take a look at ebtables.

thanks again for the input
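The diagnostic ArnaudVR did by eye in this thread (reading `iptables -vL` and noticing that FORWARD never counted a packet while INPUT and OUTPUT did) is worth scripting, since a zero FORWARD counter on a bridge is exactly the symptom that means bridged frames are bypassing iptables. The script below is an added example, not code from the thread or from iptables/ebtables; the sample counter output it parses is constructed, and the `--live` mode simply pipes real `iptables -vL -n` output into the same functions.

```shell
# Added example (not from the thread): sum the packet counters of every chain
# in 'iptables -vL -n' output, policy counter included. FORWARD at 0 while
# INPUT and OUTPUT climb means bridged frames are not reaching iptables.

# Print "<chain> <packets>" for each chain in 'iptables -vL -n' output on stdin.
chain_packet_totals() {
    awk '
        # iptables abbreviates counters as K/M/G, multiples of 1000.
        function num(v,  m) {
            m = 1
            if (v ~ /K$/) m = 1000
            if (v ~ /M$/) m = 1000000
            if (v ~ /G$/) m = 1000000000
            sub(/[KMG]$/, "", v); return v * m
        }
        /^Chain / {
            chain = $2; order[++n] = chain; total[chain] = 0
            if ($3 == "(policy") total[chain] += num($5)   # packets that hit the policy
            next
        }
        /^ *[0-9]+[KMG]? / { total[chain] += num($1) }     # one rule line, pkts column first
        END { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], total[order[i]] }
    '
}
# Exit 0 if the named chain counted packets, 1 if it counted none, 2 if it is absent.
chain_saw_traffic() {
    chain_packet_totals | awk -v c="$1" '
        $1 == c { found = 1; pkts = $2 }
        END { if (!found) exit 2; exit (pkts > 0 ? 0 : 1) }'
}
# Constructed sample of what the bridge in the thread would show: INPUT and
# OUTPUT count packets, FORWARD (with the DROP rule from the thread) counts none.
sample_iptables_vL() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 1532 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   eth0    198.86.12.0/24       198.86.12.0/24

Chain OUTPUT (policy ACCEPT 1498 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}
# Run with --live (as root) to inspect the real counters; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then src="iptables -vL -n"; else src="sample_iptables_vL"; fi
if $src | chain_saw_traffic FORWARD; then echo "FORWARD chain is seeing packets"
else echo "FORWARD chain has counted no packets: bridged frames are bypassing iptables"; fi
```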

