  1. #1
    Just Joined!
    Join Date
    Mar 2005
    Posts
    5

    iptables failing when "accept" is the rule action


    Hi all,

    I have been configuring iptables for packet filtering
    for the last few days. I am experiencing a very strange behaviour of iptables.

    All iptables rules that I mention at each chain match with real packets and work ONLY if the action is DROP. This invariably means that I am unable to set the default action of any chain to be DROP. For example,

    when I set the following rules:

    a) Default action for INPUT: ACCEPT
    b) Action for INPUT packets that are addressed to port 3128 of localhost
    (squid runs on this port): DROP

    This ruleset works well, and all packets that are addressed to the gateway's squid are being blocked (meaning Internet access is blocked).

    But when I rewrite the same function with the following rules:

    a)Default action for INPUT: DROP
    b) Action for INPUT packets that are addressed to port 3128 of localhost: ACCEPT

    The incoming packets don't seem to be matching the first rule, and end up in the default rule, thereby dropping the packet.

    The actual script mentions the following lines:

    iptables -P INPUT DROP
    iptables -A INPUT -i eth0 -m tcp -p tcp -s 192.168.20/24 --dport 3128 -j ACCEPT

    Am I going wrong in making the iptables commands for achieving what I want to achieve? I want to drop packets by default, but accept input packets addressed to the squid port.

    Or, do I have to enable a few more things? IP forwarding is already enabled in the gateway machine.

    I am seeing the same problems even with forward rules (irrespective of any application like squid running)...

    Someone help me please...

    Regards.

    Vijay

  2. #2
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    The answer looks pretty simple: you used a / instead of a .
    iptables -A INPUT -i eth0 -m tcp -p tcp -s 192.168.20/24 --dport 3128 -j ACCEPT
    should be
    iptables -A INPUT -i eth0 -m tcp -p tcp -s 192.168.20.24 --dport 3128 -j ACCEPT

  3. #3
    Just Joined!
    Join Date
    Mar 2005
    Posts
    5
    Sorry mates... that was a typo; it should have been 192.168.2.0/24, which implies that this was not the only problem...

    Regards.
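An added example (not code from the thread) of a full INPUT ruleset along the lines Vijay asks for: the default DROP policy and the LAN-to-3128 ACCEPT rule stay, using the 192.168.2.0/24 subnet from post #3, and the loopback and reply-traffic rules that a default-DROP INPUT chain also needs are included, because the replies to squid's own upstream fetches and DNS lookups arrive on INPUT as well. The interface name, subnet and port are assumptions taken from the posts; IPT=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: LAN interface eth0,
# LAN subnet 192.168.2.0/24 (the corrected value from post #3), squid on
# TCP 3128, and a kernel with the "state" match available.
# Set IPT=echo to dry-run: the commands are printed instead of executed.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

apply_input_rules() {
    # Start from an empty INPUT chain so old rules cannot mask the result.
    $IPT -F INPUT
    # Default policy: anything not accepted by a rule below is dropped.
    $IPT -P INPUT DROP
    # Loopback: squid and a local resolver talk to 127.0.0.1.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway itself opened (squid's upstream
    # fetches, its DNS lookups) come back through INPUT. With a DROP
    # policy and no such rule they are discarded, so clients reach port
    # 3128 fine but every page fetch stalls.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients opening new connections to the proxy port.
    $IPT -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport "$SQUID_PORT" -j ACCEPT
}

# Print the commands without touching the running firewall.
dry_run_input_rules() {
    ( IPT=echo; apply_input_rules )
}

# Number of ACCEPT rules the ruleset installs (3 with the defaults above).
count_accept_rules() {
    dry_run_input_rules | grep -c -- '-j ACCEPT'
}

# Apply for real only when asked explicitly (needs root).
if [ "${APPLY:-no}" = "yes" ]; then
    apply_input_rules
fi
```

Run with `APPLY=yes` as root to install the rules; without it the script only defines the functions, and `dry_run_input_rules` shows exactly what would be executed.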
