Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-06-2003, 01:35 PM
#1
Member
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30
iptables FORWARD
Hello,
I got a little bridge going with the ip_tables module loaded and it's working, because I managed to cut off my ssh connection by denying all INPUT. I can't, however, manage to stop traffic going through the box.
iptables -A FORWARD -p ALL -i eth1 -s 198.86.12.102/24 -o eth0 -d 198.86.12.1/24 -j DROP
Thanks for any help.
07-06-2003, 05:16 PM
#2
Member
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591
To fully describe the forwarded traffic you need to take care of both the forwarding and NAT rules (and mangling as well, if you have any).
I believe that apart from the FORWARD rules you have '-t nat ... POSTROUTING' or PREROUTING rules. Those rules can change the IP addresses before FORWARD acts.
Anyway: have you tried 'iptables -A FORWARD -p ALL -i eth1 -o eth0 -j DROP' (or just 'iptables -A FORWARD -j DROP')?
07-06-2003, 07:07 PM
#3
Member
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30
Original Poster
I haven't looked at POSTROUTING and PREROUTING, but according to the howtos it should work with just the FORWARD rule. I have tried what you suggested and more, but when I enter iptables -vL I can see that none of the packets seem to have gone through the FORWARD chain at all. I even tried making the rule from eth1 to br0 and from br0 to eth0, but the packets still don't go through the FORWARD chain, only the INPUT and OUTPUT ones.
Hmm, weird?
Last edited by ArnaudVR; 07-06-2003 at 07:09 PM.
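The counter check described in the post above, as an added example that is not part of the thread: it reads `iptables -vL` output and totals packets per chain, so a chain whose counters never move (FORWARD here) is one the packet path is bypassing. The function names and the sample output with its numbers are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: summarise `iptables -vL` counters per chain
# so you can see which chains the packet path actually traverses.
# Usage on a live box: iptables -vL | chain_counters

# Print "CHAIN total_packets" for each chain: policy counter plus every rule counter.
chain_counters() {
  awk '
    # "Chain NAME (policy ACCEPT N packets, ...)": N = packets that hit the policy
    /^Chain / {
      chain = $2
      order[++n] = chain
      total[chain] = 0
      if (match($0, /policy [A-Z]+ [0-9]+ packets/)) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        total[chain] += f[3]
      }
      next
    }
    # rule lines begin with a numeric packet counter; header and blank lines do not
    chain != "" && $1 ~ /^[0-9]+$/ { total[chain] += $1 }
    END { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], total[order[i]] }
  '
}

# Chains that have never seen a packet: traffic is bypassing them entirely.
idle_chains() {
  chain_counters | awk '$2 == 0 { print $1 }'
}

# Constructed sample (hypothetical numbers) of what the bridge box in the thread
# might show: INPUT and OUTPUT count packets, FORWARD stays at zero.
SAMPLE='Chain INPUT (policy ACCEPT 1520 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3360 DROP       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   eth0    198.86.12.0/24       198.86.12.0/24

Chain OUTPUT (policy ACCEPT 1390 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination'

printf '%s\n' "$SAMPLE" | chain_counters
printf 'idle: %s\n' "$(printf '%s\n' "$SAMPLE" | idle_chains)"
```

On a bridge, FORWARD staying at zero while INPUT and OUTPUT climb is exactly the symptom in the post: bridged frames are not being handed to the IP-layer chains, which is why the thread ends up at ebtables.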
07-07-2003, 01:19 PM
#4
Member
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591
Quote:
I haven't looked at POSTROUTING and PREROUTING, but according to the howtos it should work with just the FORWARD rule.
Yeah, but remember that the nat PREROUTING rule can change the IP :)
Quote:
... but the packets still don't go through the FORWARD chain, only the INPUT and OUTPUT ones.
So you have got what you want, haven't you? Did I understand your need correctly?
07-07-2003, 01:32 PM
#5
Member
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30
Original Poster
It's a bridge that bridges two parts of the same network, so machines on one side of the box are in the same network as those on the other side. The INPUT & OUTPUT chains are for packets coming to or generated on the localhost; I'm supposed to be able to stop packets to localhost, but also have the option of accepting packets to localhost while not letting them go through to the rest of the network (FORWARD).
07-07-2003, 05:30 PM
#6
Member
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591
Sorry, but this time I don't understand anything.
If you need a bridge you do not need netfilter at all (a bridge doesn't know about IP addresses).
Using iptables you can make a router, since it works with the Internet Protocol.
07-07-2003, 06:05 PM
#7
Member
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30
Original Poster
Thanks for your help Dorian, I resolved the issue.
A bridge is invisible; think of it as a piece of Ethernet cable, and you can use iptables to say what goes through it or not.
For anyone interested, take a look at ebtables.
Thanks again for the input.