LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-06-2003, 01:35 PM   #1
ArnaudVR
Member
 
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30

Rep: Reputation: 15
iptables FORWARD


Hello,

I got a little bridge going with the ip_tables module loaded and it's working, because I managed to cut off my ssh connection by denying all INPUT. I can't however manage to stop traffic going through the box.

iptables -A FORWARD -p ALL -i eth1 -s 198.86.12.102/24 -o eth0 -d 198.86.12.1/24 -j DROP

thanks for any help.....
 
Old 07-06-2003, 05:16 PM   #2
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
For full describing the forwarding traffic you need to take care both for forwarding and natting rules (and mangling as well if you have got ones)
I believe apart from the FORWARD rules you have got '-t nat ... POSTROUTING' or PREROUTING rules. The rules can change the IP addresses before FORWARD will act.
Anyway: have you tried 'iptables -A FORWARD -p ALL -i eth1 -o eth0 -j DROP' (or just 'iptables -A FORWARD -j DROP') ?
 
Old 07-06-2003, 07:07 PM   #3
ArnaudVR
Member
 
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30

Original Poster
Rep: Reputation: 15
I havn't looked at postrouting and prerouting but according to the howto's it should be working with just the forward rule. I have tried what you suggested and more but when I enter iptables -vL I can see that none of the packets seem to have gone through the FORWARD chain at all. I even tried to make the rule from eth1 to br0 and from br0 to eth0 but the packets still don't go through the FORWARD chain, only the INPUT and OUTPUT ones.

hmm, weird ?

Last edited by ArnaudVR; 07-06-2003 at 07:09 PM.
 
Old 07-07-2003, 01:19 PM   #4
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Quote:
I havn't looked at postrouting and prerouting but according to the howto's it should be working with just the forward rule.
Yeah, but remember that the nat PREROUTING rule can change the IP :)

Quote:
... but the packets still don't go through the FORWARD chain, only the INPUT and OUTPUT ones.
So you have got what you want, haven't you? Did I understand your necessity correctly?
 
Old 07-07-2003, 01:32 PM   #5
ArnaudVR
Member
 
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30

Original Poster
Rep: Reputation: 15
its a bridge that bridges two parts of the same network, so machines on one side of the box would be in the same network as on the other side, the INPUT & OUTPUT chains are for packets comming to or generated on the localhost, I'm supposed to be able to stop packets to localhost but also have the option of accepting packets to localhost but not letting them go through to the rest of the network (FORWARD)
 
Old 07-07-2003, 05:30 PM   #6
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Sorry, but this time I don't understand anything.
If you need a bridge you do not need any netfilter (bridge doesn't know about IP addresses).
Using iptables you can make a router since it works with internet protocol.
 
Old 07-07-2003, 06:05 PM   #7
ArnaudVR
Member
 
Registered: Jun 2003
Location: Belgium
Distribution: Slackware
Posts: 30

Original Poster
Rep: Reputation: 15
thanks for your help Dorian, i resolved the issue.

A bridge is invisible, think of it as a piece of ethernet cable, you can use iptables to say what goes through it or not.

For anyone interested take a look at ebtables.

thanks again for the input
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables doesn't forward and a suggation ikillu Linux - Networking 6 07-03-2005 09:43 AM
[IPTABLES] FORWARD problem :( wesleywestervel Linux - Security 23 06-22-2005 10:08 AM
iptables FORWARD Ipolit Slackware 16 06-09-2005 05:35 PM
IPTABLES port forward wanaka Linux - Security 3 09-28-2004 08:07 PM
iptables forward? Bambi Linux - Security 2 10-02-2003 11:15 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration