
TheLinuxDuck 04-25-2005 03:32 PM

Strange IPTABLES issue
Along with some other rules (after these two), I've got two rules in my iptables list:
1. Allow connects to all ports from internal IPs.
2. Deny all connections to specific ports.

Here are the rules:

iptables -A FORWARD -p tcp -m tcp -s -j ACCEPT
iptables -A FORWARD -p tcp -m tcp -m multiport -j DROP --dports 21,22,23

Yet, I'm getting IPs -- disallowed by the firewall, mind you -- connecting to the ssh (22) port. How is it possible? The firewall works and I've verified this, but yet IPs can connect to these ports anyway. Anyone have any clues?


Mara 04-25-2005 04:23 PM

Two possible reasons:
1. The rules are for FORWARD. Where do you connect? To the machine with iptables or another one behind NAT?
2. Rule order is important. Run iptables -L and see their order.

TheLinuxDuck 04-25-2005 04:45 PM


Originally posted by Mara
2. Rule order is important. Run iptables -L and see their order.
The order is correct. Limited allows followed by a full deny. (=


1. The rules are for FORWARD. Where do you connect? To the machine with iptables or another one behind NAT?
You know, I must confess, I hadn't paid much attention to the FORWARD/INPUT/OUTPUT portion of it. And now I understand why it's not working.. because FORWARD is for packets going through the box, but these packets are destined for the box itself, which means that it needs to be INPUT.


Thanks for pointing out the snake under my nose. (=

TheLinuxDuck 04-26-2005 10:40 AM

Just thought I'd post a followup, in case someone else was having troubles with packets getting through and not sure how to fix it.

Mara's suggestions were right on track. Once I changed the table to INPUT from FORWARD, everything works fantastic.

The machine is a virtual email/web/ssh server with a public IP, we'll say "", hosting several domains. I wanted to disallow all traffic to special ports (ftp, ssh, telnet, ssh-mail (465, 993, 995)), except for traffic coming from our NAT firewall (meaning, all computers on the LAN side of the NAT firewall, we'll say "", are allowed to access the public server on the special ports, but no one else is).

A simple diagram: -> firewall NAT ( -> firewall NAT ( -> firewall NAT (

firewall NAT ( -> public router (

public router ( -> internet
public router ( -> email/web/ssh server (

And since the firewall NAT is NATing all internal (192.168) traffic and causing it to appear as though it is coming directly from the firewall NAT, we only allow connections to the special ports from the firewall NAT box.

Here's the core of the iptables firewall rules on the email/web/ssh server (not the firewall NAT, that is a separate machine):


# first, we establish a chain called "drop_kick", which logs all dropped packets
# and boots them. The chain has to be created (-N) before rules can be appended
# to it or jump to it. Remember, LOG is non-terminating! That's why we DROP
# afterward.
iptables -N drop_kick
iptables -A drop_kick -j LOG --log-level info --log-prefix "Firewall: "
iptables -A drop_kick -j DROP

# Next, we allow traffic from the firewall NAT to all ports. This is a terminating
# rule, as are most.
iptables -A INPUT -p tcp -m tcp -s -j ACCEPT

# Just flat out refuse invalid packets
iptables -A INPUT -m state --state INVALID -j drop_kick

# Then, kill any traffic going to the special ports. If we get to here, then the
# packet was not coming from the firewall NAT.
iptables -A INPUT -p tcp -m tcp -m multiport -j drop_kick --dports 21,22,23,465,993,995

I am still quite an amateur when it comes to iptables, and could probably do
this a much better way, but this does work. And since I don't run services on
other ports (aside from web stuff), I don't worry about filtering those ports.

If anyone has suggestions for improvement, please post it! I'd be happy to
learn better ways and the suggestions could also teach others!
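An added example, not code from the thread or from either poster: it builds the ruleset the follow-up describes on the INPUT chain (the server itself is the destination, so INPUT rather than FORWARD, which was the fix) and then performs the check Mara asked for, namely that the allow-from-NAT rule is listed before the multiport deny and that nothing landed on FORWARD. The NAT address is a constructed placeholder, and the loopback and ESTABLISHED,RELATED accepts are additions that were not in the post. With IPT=echo (the default) it only prints the rules; as root with IPT=iptables it applies them to an otherwise empty INPUT chain and reads back what the kernel holds with iptables -S INPUT.

```shell
#!/bin/sh
# Added example: INPUT-chain version of the thread's policy plus an order check.
# Assumptions: NAT_IP is a constructed placeholder (TEST-NET-3); the loopback and
# ESTABLISHED,RELATED rules are additions not present in the original post.

NAT_IP="${NAT_IP:-203.0.113.10}"                      # placeholder, not a real host
SPECIAL_PORTS="${SPECIAL_PORTS:-21,22,23,465,993,995}"
IPT="${IPT:-echo}"                                     # echo = dry run, iptables = apply

# render_rules IPT NAT_IP PORTS: emit (IPT=echo) or apply the rules, in order.
render_rules() {
    ipt=$1; nat=$2; ports=$3
    # The logging chain must exist before anything jumps to it. -N fails if the
    # chain already exists; flush it (-F drop_kick) before re-running on a live box.
    $ipt -N drop_kick
    $ipt -A drop_kick -j LOG --log-level info --log-prefix "Firewall: "
    $ipt -A drop_kick -j DROP
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -m state --state INVALID -j drop_kick
    # Allow first, then deny. The source address is the only distinction between
    # these two rules, so their relative order is the entire policy.
    $ipt -A INPUT -p tcp -s "$nat" -m multiport --dports "$ports" -j ACCEPT
    $ipt -A INPUT -p tcp -m multiport --dports "$ports" -j drop_kick
}

# check_order RULES: RULES is the rendered rule text or `iptables -S INPUT` output.
# Returns 0 only if no rule is on FORWARD and the source-restricted ACCEPT is
# listed before the multiport drop_kick rule.
check_order() {
    rules=$1
    printf '%s\n' "$rules" | grep -q -- '-A FORWARD' && return 1
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '-s .* -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '--dports .* -j drop_kick' | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] || return 1
    [ "$accept_line" -lt "$drop_line" ]
}

if [ "$IPT" = "echo" ]; then
    RULES=$(render_rules echo "$NAT_IP" "$SPECIAL_PORTS")
    printf '%s\n' "$RULES"
else
    render_rules "$IPT" "$NAT_IP" "$SPECIAL_PORTS"
    RULES=$("$IPT" -S INPUT)    # read back what the kernel actually holds
fi

if check_order "$RULES"; then
    echo "rule order ok: allow-from-NAT precedes the multiport deny"
else
    echo "rule order WRONG, or rules ended up on the wrong chain" >&2
fi
```

Running check_order against `iptables -S INPUT` rather than against your own script catches both mistakes from the thread at once: a rule that was appended to FORWARD shows up as `-A FORWARD`, and a deny that was appended before the allow shows up with the lower line number. `iptables -C INPUT ...` with the exact rule spec is the other quick way to confirm a single rule is present.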

johnnydangerous 04-27-2005 07:44 AM

Well, you can have much more than 3 lines in your IPT, like TCP packet flags verification, SYN for new connections, existing/established with SYN and ACK flag.... basic anti-IP-spoofing, etc.

johnnydangerous 04-27-2005 07:44 AM

I don't know why, but my firewall.conf ended up at more than 600 lines... with just basic traffic filtering.
