- 12-14-2007 #1 (Just Joined!, Join Date: Jun 2007, Posts: 84)
Problem with iptables authentication
I created iptables rules for authentication before using the internet (below), and I add an IP and MAC address to authenticate some computers so they can pass through.
Problem
1. When I delete that IP and MAC address, the computer can still use video streaming and radio streaming.
2. But websites can't be used.
Question
1. How do I modify these iptables rules to kick all connections when I delete the IP and MAC rules in iptables? Because the computer is still using video streaming and radio streaming.
# Generated by iptables-save v1.3.5 on Fri Dec 14 16:13:02 2007
*nat
:PREROUTING ACCEPT [163:13133]
:POSTROUTING ACCEPT [82:6416]
:OUTPUT ACCEPT [633:44129]
-A PREROUTING -i eth1 -p tcp -m mark --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 80
-A PREROUTING -i eth+ -p tcp -m mark --mark 0x1 -m tcp --dport 3128 -j DROP
-A PREROUTING -i eth1 -p tcp -m mark ! --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Fri Dec 14 16:13:02 2007
# Generated by iptables-save v1.3.5 on Fri Dec 14 16:13:02 2007
*mangle
:PREROUTING ACCEPT [31592:4424655]
:INPUT ACCEPT [74843:50517700]
:FORWARD ACCEPT [778:266367]
:OUTPUT ACCEPT [77353:51209402]
:POSTROUTING ACCEPT [78204:51485165]
:maccheck - [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp ! --dport 53 -j maccheck
-A PREROUTING -i eth+ -p udp -m mark ! --mark 0x1 -m udp -j ACCEPT
-A PREROUTING -i eth+ -p tcp -m mark ! --mark 0x1 -m tcp -j ACCEPT
-A PREROUTING -s 172.168.1.199 -i eth+ -m mac --mac-source 00:1B:FC:0D:BA:AC -j MARK --set-mark 0xc8 --> delete this rule
-A maccheck -j MARK --set-mark 0x1
COMMIT
# Completed on Fri Dec 14 16:13:02 2007
# Generated by iptables-save v1.3.5 on Fri Dec 14 16:13:02 2007
*filter
:INPUT ACCEPT [1282:735362]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1253:745349]
:d-band - [0:0]
:u-band - [0:0]
-A FORWARD -s 172.168.1.199 -j u-band --> delete this rule
-A FORWARD -s 172.168.1.199 -i eth+ -m mac --mac-source 00:1B:FC:0D:BA:AC -j ACCEPT --> delete this rule
-A FORWARD -d 172.168.1.199 -j d-band --> delete this rule
-A FORWARD -i eth1 -p tcp -m tcp ! --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 172.168.1.199 -j d-band --> delete this rule
-A d-band -j ACCEPT
-A u-band -j ACCEPT
COMMIT
# Completed on Fri Dec 14 16:13:02 2007
- 12-14-2007 #2
Dude, your rules leave a lot to be desired!!
Did you write these by hand or did you use a script/firewall generator? Your firewall is wide open to the public!!
You are blocking no connection from the outside to your firewall!
Code:
*filter
:INPUT ACCEPT [1282:735362]
:OUTPUT ACCEPT [1253:745349]
I see no drop rules for the INPUT or OUTPUT rules.

These have no effect;
Code:
-j maccheck
-j u-band
-j d-band
because you have not defined the chains. That is why you see [0:0] by them in the file.

Iptables doesn't have anything to jump to and these do nothing;
Code:
-A maccheck -j MARK --set-mark 0x1
-A d-band -j ACCEPT
-A u-band -j ACCEPT

This IP address 172.168.1.199, is that coming in on eth1? If so, this rule is the reason why you are not stopping him;
Code:
-A FORWARD -i eth1 -j ACCEPT

If it is on another interface, are you restarting your firewall when you make changes to it? The tracking needs to be reset so that the firewall doesn't see this connection as an established one.
I would suggest that you read and understand the following:
http://iptables-tutorial.frozentux.n...-tutorial.html
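The reply's point about connection tracking is the core of the original question: deleting a host's rules does not touch the conntrack table, so flows the host already opened keep matching `-m state --state RELATED,ESTABLISHED -j ACCEPT` in FORWARD, while new website connections fail. The script below is an added example, not code from either poster. It deletes the rules the original post marked "delete this rule" (exact specs copied from the post, with the post's IP and MAC) and then clears the host's conntrack entries so its next packet is treated as NEW and must pass the FORWARD chain again. It assumes `conntrack` from conntrack-tools is installed; `DRY_RUN=1` (the default) only prints the commands, and `DRY_RUN=0` runs them and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): revoke a host's access and drop its
# tracked connections in one step so already-running streams stop being
# ESTABLISHED. Rule specs mirror the post's layout; IP and MAC are the
# post's values. Assumes conntrack-tools. DRY_RUN=1 prints instead of runs.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Delete every rule that grants the host access. iptables -D needs the exact
# spec that was used with -A, so these match the lines marked in the post.
revoke_rules() {
    ip="$1"
    mac="$2"
    run iptables -t mangle -D PREROUTING -s "$ip" -i eth+ -m mac --mac-source "$mac" -j MARK --set-mark 0xc8
    run iptables -D FORWARD -s "$ip" -j u-band
    run iptables -D FORWARD -s "$ip" -i eth+ -m mac --mac-source "$mac" -j ACCEPT
    run iptables -D FORWARD -d "$ip" -j d-band
    run iptables -D OUTPUT -d "$ip" -j d-band
}

# Removing rules leaves the conntrack table alone, which is why the video and
# radio streams keep flowing. Delete the host's entries in both directions so
# its next packet is NEW and has to pass the FORWARD rules again.
flush_conntrack() {
    ip="$1"
    run conntrack -D -s "$ip"
    run conntrack -D -d "$ip"
}

# Full de-authentication of one host: rules first, then tracked state.
deauth_host() {
    revoke_rules "$1" "$2"
    flush_conntrack "$1"
}

deauth_host 172.168.1.199 00:1B:FC:0D:BA:AC
```

Run it with `DRY_RUN=1` first to see the exact commands; the order matters, because flushing conntrack before the ACCEPT rules are gone would just let the host re-establish its flows.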