#1 - 09-17-2006 - Just Joined! (Join Date: Sep 2006, Location: germany, Posts: 4)
Internal firewall with IPtables
Hi,
I want to deny specific ports on my router/server from my LAN with iptables.
I already set up a script for my firewall. I didn't write it on my own, so I have questions about adding rules to set up an internal firewall.
An example:
I want to deny port 22 (ssh) from IP 192.168.10.3 to my router/server with IP 192.168.10.1.
My rule would look like:
Code:
$IPTABLES -A INPUT -p all -i $LAN_IFACE -s 192.168.10.3 --dport 22 -j DROP
Is this correct?
Thanks, I need help!!
#2 - 09-17-2006 - Just Joined! (Join Date: Sep 2005, Location: New delhi, Posts: 22)
Assuming you are running this rule on your router/server itself, the above iptables rule will work absolutely fine.
#3 - 09-18-2006 - Just Joined! (Join Date: Sep 2006, Location: germany, Posts: 4)
But when I restart iptables, I get an error.
Here is the output (the problem line in bold):
-------------------------------------------------------------
Removing all iptables rules: [End of flush]
Iptables rules creation:
Loading Firewall...
External Interface: ppp0
Internal Interface: eth1
enabling forwarding...
enabling DynamicAddr...
clearing any existing rules and setting default policy..
setting up firewall rules..
setting up ICMP rules..
setting up TCP rules..
setting up UDP rules..
iptables v1.3.3: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
setting up FORWARD chain..
setting up OUTPUT chain..
setting up PREROUTING chain..
Enabling SNAT (MASQUERADE) functionality on
-------------------------------------------------------------
I read several iptables tutorials, but all of them specify a port via "--dport".
Could you help?
#4 - 09-18-2006 - Just Joined! (Join Date: Sep 2005, Location: New delhi, Posts: 22)
Somehow I didn't notice that: you have to specify "-p tcp" or "-p udp" for --dport to work. With -p ALL it will not work. Kindly correct that. And in your rule, instead of ALL, please mention tcp.
#5 - 09-18-2006 - Just Joined! (Join Date: Sep 2006, Location: germany, Posts: 4)
First of all, thanks amitsharma_26,
the iptables restart worked without errors now.
I tested it with port 80 to check whether the rule works (I didn't want to lose my SSH remote access). But it didn't work at all. I could reach my Apache as if nothing was set!!?
Could it be that other rules "overrule" my new rule?
Here is (hopefully) the whole section for internal traffic:
....please help!
Code:
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p all -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p all -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p all -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
#my new rule
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s 192.168.10.2 --dport 80 -j DROP
Greetz to India from Germany
#6 - 09-18-2006 - Just Joined! (Join Date: Sep 2005, Location: New delhi, Posts: 22)
With no default policy of DROP for any chain, you have to specify the DROP rules above the ACCEPT ones, and that is the fault in your case. Put the new rule, i.e.
Code:
$IPTABLES -A INPUT -p tcp -i $LAN_IFACE -s 192.168.10.2 --dport 80 -j DROP
above all the ACCEPT rules and it will work like a charm.
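The two points made in posts #4 and #6 (--dport needs -p tcp or -p udp, and a DROP appended after a catch-all ACCEPT never fires because iptables stops at the first matching rule) are shown together in the following script. It is an added example, not the thread author's firewall script: the interface and range defaults (lo, eth1, ppp0, 192.168.10.0/24) and the two blocked hosts are assumed values, and setting IPTABLES=echo dry-runs the rules so the ordering can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): the "internal traffic" section rebuilt so
# that the host-specific DROP rules come BEFORE the broad LAN ACCEPT rule.
# Defaults below are assumptions; override them from the environment.
# IPTABLES=echo turns the script into a dry run that only prints the commands.
IPTABLES="${IPTABLES:-iptables}"
LO_IFACE="${LO_IFACE:-lo}"
LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IFACE="${INET_IFACE:-ppp0}"
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.10.0/24}"

# LAN hosts that must not reach a given TCP port on the router (assumed values).
BLOCKED_SSH_HOST="${BLOCKED_SSH_HOST:-192.168.10.3}"
BLOCKED_HTTP_HOST="${BLOCKED_HTTP_HOST:-192.168.10.2}"

lan_rules() {
    $IPTABLES -A INPUT -p all -i "$LO_IFACE" -j ACCEPT
    # Per-host DROP rules first: the chain is evaluated top to bottom and the
    # first matching rule decides, so these must precede the LAN-wide ACCEPT.
    # --dport is a tcp/udp match option, which is why "-p all" produced
    # "Unknown arg `--dport'" and "-p tcp" is required here.
    $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$BLOCKED_SSH_HOST" --dport 22 -j DROP
    $IPTABLES -A INPUT -p tcp -i "$LAN_IFACE" -s "$BLOCKED_HTTP_HOST" --dport 80 -j DROP
    # Catch-all for the rest of the LAN, now safely below the exceptions.
    $IPTABLES -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    $IPTABLES -A INPUT -p all -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run helpers: print the rule list and report 1-based positions, so the
# ordering can be checked before the script is run against a real firewall.
dry_run_rules() {
    ( IPTABLES=echo; lan_rules )
}
first_drop_position() {
    dry_run_rules | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1
}
lan_accept_position() {
    dry_run_rules | grep -nF -- "-s $LAN_IP_RANGE" | head -n 1 | cut -d: -f1
}
# Prints "ok" when every DROP precedes the LAN-wide ACCEPT, "misordered" otherwise.
check_ordering() {
    if [ "$(first_drop_position)" -lt "$(lan_accept_position)" ]; then
        echo ok
    else
        echo misordered
    fi
}

# Only apply for real when explicitly asked; otherwise show the dry run.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    lan_rules
else
    dry_run_rules
    check_ordering
fi
```

Run it as-is to see the command list and the ordering check; run it with APPLY_RULES=1 as root to load the rules. On the live system, `iptables -L INPUT -n --line-numbers` shows the resulting order, and if you would rather not reorder an existing script, `iptables -I INPUT 1 ...` inserts a rule at the top of the chain instead of appending it with -A.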
#7 - 09-18-2006 - Just Joined! (Join Date: Sep 2006, Location: germany, Posts: 4)
I learned a lot.
It works like a charm ... thanks dude
greetz again
trolli