  1. #1
    Just Joined!
    Join Date
    Apr 2013
    Posts
    2

    linux iptables firewall


    Hi,

    I'm trying to set iptables firewall rules, but I'm having a problem: after applying my rules, it blocks all the connections, and I'm not sure why.

    I have 3 PCs:

    PC1: eth0 = 192.168.111.2
    PC2: eth0 = 192.168.111.1, eth1 = 10.20.0.1
    PC3: eth0 = 10.20.0.2

    PC2 is connected to PC1 and PC2, and IP forwarding is turned on.

    So when there is no firewall rule everything works, but after applying it, it blocks everything; I can't ping... I'm not sure what I'm missing.

    Code:
    #PC1 to PC3 web server
    iptables -A FORWARD -p tcp -s 192.168.111.2 --dport 80 -d 10.20.0.2 -j ACCEPT
    
    
    #PC1 to PC3 ssh server 
    iptables -A FORWARD -p tcp -s 192.168.111.2 -d 10.20.0.2 --dport 22 -j ACCEPT
    
    #PC3 to  PC2 ssh server
    iptables -A INPUT -p tcp -s 10.20.0.2 -d 10.20.0.1 --dport 22 -j ACCEPT
    
    #PC1 to PC3 ICMP ping
    iptables -A FORWARD -s 192.168.111.2 -d 10.20.0.2 -p icmp --icmp-type echo-request -j ACCEPT
    
    
    #10.20.0.0/16 to PC1 ICMP ping
    iptables -A FORWARD -p icmp --icmp-type echo-request -s 10.20.0.0/16 -d 192.168.111.2 -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-request -s 10.20.0.0/16 -d 192.168.111.2 -j ACCEPT
    
    # drop everything else
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j DROP

    thank you

  2. #2
    Just Joined!
    Join Date
    Aug 2012
    Posts
    15
    Ummm, the last section? Does it not DROP ALL? Everything you have set up to begin with is voided?

  3. #3
    Just Joined!
    Join Date
    Apr 2013
    Posts
    2
    I'm trying to drop everything else that is not permitted. If I remove the last section, yes, it will work fine. Any idea what I should replace the last section with?

    thx

  4. #4
    Just Joined!
    Join Date
    Nov 2008
    Location
    Germany
    Posts
    1
    Hi,

    It looks like you are only allowing the communication in 1 direction (towards PC3). The answers are being dropped on their way back because of the last FORWARD chain DROP.
    When you are doing static rules you need to allow the return packet also. When you write a matching rule for the return direction, your 3 FORWARD rules should work. You will need the matching answers for the INPUT rule and the OUTPUT rule also...

    The 3 DROP targets will work fine for dumping the rest of the unwanted communication, but you could also set the Default Policy for the 3 chains and it would do the same.

    Hope this helps.
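    The point made in this reply, as an added example that is not code from the thread: a toy model of iptables filter-chain evaluation with a simulated conntrack table. It feeds the original poster's FORWARD rules a request and its reply (an HTTP SYN/SYN-ACK pair and an ICMP echo-request/echo-reply pair) and shows the reply being dropped, then shows the same chain with a RELATED,ESTABLISHED rule in front. The PC1/PC3 addresses and the rules are taken from the thread; the ports, the Packet/Rule/Firewall names and the flow-table logic are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hosts from the thread; ports, flow table and rule objects are constructed here.
PC1, PC3 = "192.168.111.2", "10.20.0.2"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None   # "echo-request" / "echo-reply"

@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT or DROP
    src: Optional[str] = None         # -s host-or-CIDR
    dst: Optional[str] = None         # -d host-or-CIDR
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport
    icmp_type: Optional[str] = None   # --icmp-type
    ctstate: Optional[frozenset] = None  # -m conntrack --ctstate

class Firewall:
    """Chains of rules; the first matching rule decides, otherwise the policy."""

    def __init__(self, policy: str = "ACCEPT"):
        self.chains = {"FORWARD": []}
        self.policy = policy
        self.flows = set()   # simulated conntrack table of accepted flows

    def append(self, chain, rule):
        self.chains.setdefault(chain, []).append(rule)

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    def _state(self, p):
        """ESTABLISHED if this packet or its mirror image was accepted before."""
        rev = (p.dst, p.src, p.proto, p.dport, p.sport)
        return "ESTABLISHED" if self._key(p) in self.flows or rev in self.flows else "NEW"

    @staticmethod
    def _matches(r, p, state):
        if r.src and ip_address(p.src) not in ip_network(r.src, strict=False):
            return False
        if r.dst and ip_address(p.dst) not in ip_network(r.dst, strict=False):
            return False
        if r.proto and r.proto != p.proto:
            return False
        if r.dport is not None and r.dport != p.dport:
            return False
        if r.icmp_type and r.icmp_type != p.icmp_type:
            return False
        if r.ctstate is not None and state not in r.ctstate:
            return False
        return True

    def verdict(self, chain, p):
        state = self._state(p)
        result = next((r.target for r in self.chains[chain] if self._matches(r, p, state)), self.policy)
        if result == "ACCEPT":
            self.flows.add(self._key(p))  # conntrack only learns packets that get through
        return result

def op_rules():
    """The original poster's FORWARD chain: request direction only, then DROP."""
    fw = Firewall()
    fw.append("FORWARD", Rule("ACCEPT", src=PC1, dst=PC3, proto="tcp", dport=80))
    fw.append("FORWARD", Rule("ACCEPT", src=PC1, dst=PC3, proto="tcp", dport=22))
    fw.append("FORWARD", Rule("ACCEPT", src=PC1, dst=PC3, proto="icmp", icmp_type="echo-request"))
    fw.append("FORWARD", Rule("ACCEPT", src="10.20.0.0/16", dst=PC1, proto="icmp", icmp_type="echo-request"))
    fw.append("FORWARD", Rule("DROP"))
    return fw

def stateful_rules():
    """Same chain with a RELATED,ESTABLISHED accept in front, as the reply advises."""
    fw = Firewall()
    fw.append("FORWARD", Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"})))
    for r in op_rules().chains["FORWARD"]:
        fw.append("FORWARD", r)
    return fw

def http_exchange(fw):
    """Verdicts for PC1's SYN to port 80 and PC3's SYN/ACK coming back."""
    syn = Packet(PC1, PC3, "tcp", sport=40000, dport=80)
    syn_ack = Packet(PC3, PC1, "tcp", sport=80, dport=40000)
    return fw.verdict("FORWARD", syn), fw.verdict("FORWARD", syn_ack)

def ping_exchange(fw):
    """Verdicts for PC1's echo-request and PC3's echo-reply."""
    req = Packet(PC1, PC3, "icmp", icmp_type="echo-request")
    rep = Packet(PC3, PC1, "icmp", icmp_type="echo-reply")
    return fw.verdict("FORWARD", req), fw.verdict("FORWARD", rep)
```

    With `op_rules()` both exchanges come back as ("ACCEPT", "DROP"): the reply is neither PC1-to-PC3 nor an echo-request, so it falls through to the final DROP. With `stateful_rules()` both are ("ACCEPT", "ACCEPT"), while an unsolicited SYN from PC3 to PC1 is still dropped, because the conntrack rule only accepts packets belonging to a flow that an earlier rule already let through. The real kernel tracks TCP state and ICMP id/sequence more precisely than this flow-key model, but the ordering lesson is the same: the RELATED,ESTABLISHED rule goes first, the per-service rules only need to describe the NEW direction.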

  5. #5
    Just Joined!
    Join Date
    Jan 2008
    Posts
    28
    I prefer to do most things in the INPUT chain.

    I wouldn't be so restrictive, but to do what you are describing, on PC2, I would try...

    Code:
    # clean filter/INPUT chain
    iptables --table filter --flush INPUT
    # set filter/INPUT policy to DROP
    iptables --table filter --policy INPUT DROP
    # clean filter/FORWARD chain
    iptables --table filter --flush FORWARD
    # set filter/FORWARD policy to ACCEPT
    iptables --table filter --policy FORWARD ACCEPT
    # clean filter/OUTPUT chain
    iptables --table filter --flush OUTPUT
    # set filter/OUTPUT policy to ACCEPT
    iptables --table filter --policy OUTPUT ACCEPT
    # allow machine to talk to itself
    iptables --table filter --append INPUT --in-interface lo --jump ACCEPT
    # allow replies to conversations
    iptables --table filter --append INPUT --in-interface eth0 --source 192.168.111.0/24 --destination 192.168.111.1 --match state --state RELATED,ESTABLISHED --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth1 --source 10.20.0.0/16 --destination 10.20.0.1 --match state --state RELATED,ESTABLISHED --jump ACCEPT
    # allow ssh connections to PC2 from PC3
    iptables --table filter --append INPUT --in-interface eth1 --source 10.20.0.2 --destination 192.168.111.1 --protocol tcp --dport 22 --jump ACCEPT
    # allow ping traffic from PC1 to PC3 and back
    iptables --table filter --append INPUT --in-interface eth0 --source 192.168.111.2 --destination 10.20.0.2 --protocol icmp --icmp-type echo-request --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth1 --source 10.20.0.2 --destination 192.168.111.2 --protocol icmp --icmp-type echo-request --jump ACCEPT
    # allow ssh traffic from PC1 to PC3 and back
    iptables --table filter --append INPUT --in-interface eth0 --source 192.168.111.2 --destination 10.20.0.2 --protocol tcp --dport 22 --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth1 --source 10.20.0.2 --destination 192.168.111.2 --protocol tcp --sport 22 --jump ACCEPT
    # allow web traffic from PC1 to PC3 and back
    iptables --table filter --append INPUT --in-interface eth0 --source 192.168.111.2 --destination 10.20.0.2 --protocol tcp --dport 80 --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth1 --source 10.20.0.2 --destination 192.168.111.2 --protocol tcp --sport 80 --jump ACCEPT
    # allow all ping traffic between network 2 and PC1
    iptables --table filter --append INPUT --in-interface eth1 --source 10.20.0.0/16 --destination 192.168.111.2 --protocol icmp --icmp-type echo-request --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth0 --source 192.168.111.2 --destination 10.20.0.0/16 --protocol icmp --icmp-type echo-request --jump ACCEPT

    If you want to log failures, to get more information about what is failing, you might add a log rule to your INPUT chain:
    Code:
    iptables --table filter --append INPUT --match limit --limit 2/second --jump LOG --log-prefix "iptables dropping " --log-level 4

    Since I am not willing to duplicate your network to test these commands' syntax and function, I can't guarantee the commands described here will work for you. It is my best off-the-cuff answer to your specific request.

    Hope that helps...
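    The LOG rule in this reply writes one kernel-log line per dropped packet, prefixed with "iptables dropping ". The following is an added example, not code from the thread or the poster: a small parser and summariser for those lines, so the failures can be read off as "who tried to reach what" instead of raw log text. The sample log lines are constructed for this example (the addresses are the thread's, the timestamps, MACs, ports and the sshd line are made up); the field layout (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=, and TYPE=/CODE= for ICMP) is the standard iptables LOG target format.

```python
import re
from collections import Counter
from typing import Optional

LOG_PREFIX = "iptables dropping "   # must match the --log-prefix on the LOG rule
_FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; flags like DF/SYN have no '='

# Constructed sample of /var/log/kern.log on PC2: four drops plus one unrelated line.
SAMPLE_LOG = """\
Apr 15 10:22:01 pc2 kernel: [ 1234.567890] iptables dropping IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.0.2 DST=10.20.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 15 10:22:05 pc2 kernel: [ 1238.000001] iptables dropping IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.111.2 DST=192.168.111.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 15 10:22:06 pc2 kernel: [ 1239.000002] iptables dropping IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.111.2 DST=192.168.111.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 15 10:22:09 pc2 kernel: [ 1242.000003] iptables dropping IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=10.20.0.7 DST=10.20.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4324 DF PROTO=ICMP TYPE=8 CODE=0 ID=2222 SEQ=1
Apr 15 10:22:10 pc2 sshd[1200]: Accepted publickey for admin from 10.20.0.2 port 51240 ssh2
"""

def parse_log_line(line: str) -> Optional[dict]:
    """Return the KEY=VALUE fields of one LOG line, or None if it is not a drop record."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    fields = dict(_FIELD.findall(body))
    # bare tokens (DF, SYN, ACK, ...) are TCP/IP flags; keep them as a list
    fields["FLAGS"] = [tok for tok in body.split() if "=" not in tok]
    return fields

def service(fields: dict) -> str:
    """Destination port for TCP/UDP, ICMP type for ICMP, '-' otherwise."""
    proto = fields.get("PROTO")
    if proto in ("TCP", "UDP"):
        return fields.get("DPT", "?")
    if proto == "ICMP":
        return "type " + fields.get("TYPE", "?")
    return "-"

def summarize(log_text: str) -> Counter:
    """Count dropped packets by (in-interface, src, dst, proto, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        counts[(f.get("IN", ""), f["SRC"], f["DST"], f.get("PROTO", "?"), service(f))] += 1
    return counts

def report(counts: Counter) -> list:
    """Human-readable lines, most frequent first."""
    return [f"{n:4d}  {iface} {src} -> {dst} {proto}/{svc}"
            for (iface, src, dst, proto, svc), n in counts.most_common()]

if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG)):
        print(row)
```

    Two things to keep in mind when reading the output. First, the rule uses `--limit 2/second`, so under a burst the counts are a lower bound, not the true number of drops. Second, the LOG target does not terminate chain traversal; in the reply's script it is appended last, after all the ACCEPT rules, which is what makes "logged" mean "about to hit the DROP policy". If it were inserted earlier, permitted traffic would be logged too.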

  6. #6
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Try the following rules:

    Code:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    # user-defined chains that the FORWARD rules jump to
    iptables -N LAN1
    iptables -N LAN2
    
    #INPUT RULES
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    
    #OUTPUT RULES
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
    
    #FORWARD RULES
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -j LAN1
    iptables -A FORWARD -i eth1 -j LAN2
    
    #LAN1 RULES (traffic arriving from PC1's side)
    iptables -A LAN1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A LAN1 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A LAN1 -p icmp --icmp-type echo-request -j ACCEPT
    
    #LAN2 RULES (traffic arriving from PC3's side)
    iptables -A LAN2 -p icmp --icmp-type echo-request -j ACCEPT

    You can look at the following TUTORIAL on iptables.

    Regards
    Robert

