#1 (Just Joined!, Join Date: Jun 2007, Posts: 98)

    problem with iptables authentication


    I created iptables rules for authentication before using the internet (below), and I add an IP and MAC address to authenticate some computers so they can pass through.

    Problem
    1. When I delete that IP and MAC address, the computer can still use video streaming and radio streaming.
    2. But websites can't be used.

    Question
    1. How do I modify these iptables rules to kick all connections when I delete the IP and MAC rules in iptables? Because the computer is still using video streaming and radio streaming.


    # Generated by iptables-save v1.3.5 on Fri Dec 14 16:13:02 2007
    *nat
    :PREROUTING ACCEPT [163:13133]
    :POSTROUTING ACCEPT [82:6416]
    :OUTPUT ACCEPT [633:44129]
    -A PREROUTING -i eth1 -p tcp -m mark --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 80
    -A PREROUTING -i eth+ -p tcp -m mark --mark 0x1 -m tcp --dport 3128 -j DROP
    -A PREROUTING -i eth1 -p tcp -m mark ! --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -j MASQUERADE
    COMMIT
    # Completed on Fri Dec 14 16:13:02 2007
    # Generated by iptables-save v1.3.5 on Fri Dec 14 16:13:02 2007
    *mangle
    :PREROUTING ACCEPT [31592:4424655]
    :INPUT ACCEPT [74843:50517700]
    :FORWARD ACCEPT [778:266367]
    :OUTPUT ACCEPT [77353:51209402]
    :POSTROUTING ACCEPT [78204:51485165]
    :maccheck - [0:0]
    -A PREROUTING -i eth1 -p tcp -m tcp ! --dport 53 -j maccheck
    -A PREROUTING -i eth+ -p udp -m mark ! --mark 0x1 -m udp -j ACCEPT
    -A PREROUTING -i eth+ -p tcp -m mark ! --mark 0x1 -m tcp -j ACCEPT
    -A PREROUTING -s 172.168.1.199 -i eth+ -m mac --mac-source 00:1B:FC:0D:BA:AC -j MARK --set-mark 0xc8 --> delete this rule
    -A maccheck -j MARK --set-mark 0x1
    COMMIT
    # Completed on Fri Dec 14 16:13:02 2007
    # Generated by iptables-save v1.3.5 on Fri Dec 14 16:13:02 2007
    *filter
    :INPUT ACCEPT [1282:735362]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [1253:745349]
    :d-band - [0:0]
    :u-band - [0:0]
    -A FORWARD -s 172.168.1.199 -j u-band --> delete this rule
    -A FORWARD -s 172.168.1.199 -i eth+ -m mac --mac-source 00:1B:FC:0D:BA:AC -j ACCEPT --> delete this rule
    -A FORWARD -d 172.168.1.199 -j d-band --> delete this rule
    -A FORWARD -i eth1 -p tcp -m tcp ! --dport 80 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth1 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -d 172.168.1.199 -j d-band --> delete this rule
    -A d-band -j ACCEPT
    -A u-band -j ACCEPT
    COMMIT
    # Completed on Fri Dec 14 16:13:02 2007

#2 Lazydog (Linux Guru, Join Date: Jun 2004, Location: The Keystone State, Posts: 2,672)
    Dude, your rules leave a lot to be desired!!

    Did you write these by hand or did you use a script/firewall generator? Your firewall is wide open to the public!!

    Code:
    *filter
    :INPUT ACCEPT [1282:735362]
    :OUTPUT ACCEPT [1253:745349]
    You are blocking no connections from the outside to your firewall!
    I see no drop rules in the INPUT or OUTPUT chains.

    These have no effect:
    Code:
    -j maccheck
    -j u-band
    -j d-band
    because you have not defined the chains. That is why you see [0:0] next to them in the file.
    Iptables doesn't have anything to jump to, so these do nothing:
    Code:
    -A maccheck -j MARK --set-mark 0x1
    -A d-band -j ACCEPT
    -A u-band -j ACCEPT
    Is this IP address, 172.168.1.199, coming in on eth1? If so, this rule is the reason why you are not stopping him:
    Code:
    -A FORWARD -i eth1 -j ACCEPT
    If it is on another interface, are you restarting your firewall when you make changes to it? The tracking needs to be reset so that the firewall doesn't see this connection as an established one.

    I would suggest that you read and understand the following:

    http://iptables-tutorial.frozentux.n...-tutorial.html

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
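An added example, not from either post, that follows up on the reset point in the reply above: a small script that removes one host's pass-through rules (the five rules the first post marks for deletion) and then deletes that host's conntrack entries with conntrack(8) from conntrack-tools, so the RELATED,ESTABLISHED rule in FORWARD stops accepting its already-open streams. The deauth_cmds/deauth_host names and the DRY_RUN switch are assumptions of this example, as is the rule layout, which mirrors the first post.

```shell
#!/bin/sh
# Added example (not from the thread): revoke one host's pass-through and drop
# its tracked connections so "-m state --state RELATED,ESTABLISHED -j ACCEPT"
# no longer matches its open video/radio streams. Requires root, iptables and
# the conntrack tool from conntrack-tools. Set DRY_RUN=1 to only print commands.

# Build the command list for a host. The five iptables -D lines are the rules
# the first post marks "delete this rule"; the two conntrack lines remove every
# tracked flow whose original source or destination is that host.
deauth_cmds() {
    ip="$1"; mac="$2"
    cat <<EOF
iptables -t mangle -D PREROUTING -s $ip -i eth+ -m mac --mac-source $mac -j MARK --set-mark 0xc8
iptables -D FORWARD -s $ip -j u-band
iptables -D FORWARD -s $ip -i eth+ -m mac --mac-source $mac -j ACCEPT
iptables -D FORWARD -d $ip -j d-band
iptables -D OUTPUT -d $ip -j d-band
conntrack -D -s $ip
conntrack -D -d $ip
EOF
}

# Run (or, with DRY_RUN set, print) the command list. A failing delete, for
# example a rule that was already removed, is reported but does not stop the
# conntrack cleanup that follows it.
deauth_host() {
    deauth_cmds "$1" "$2" | while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            sh -c "$cmd" || echo "warning: failed: $cmd" >&2
        fi
    done
}

# Usage: deauth_host <ip> <mac>, e.g. the host from the first post:
#   deauth_host 172.168.1.199 00:1B:FC:0D:BA:AC
```

Without the conntrack step the host's existing streams keep flowing until their conntrack entries time out on their own, which is exactly the symptom the first post describes.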
