  1. #1

    linux iptables firewall


    I'm trying to set up iptables firewall rules, but I'm having a problem: after applying my rules, it blocks all connections, and I'm not sure why.

    I have 3 PCs:

    , PC2

    , PC3

    PC2 is connected to PC1 and PC2, and IP forwarding is turned on.

    So when there is no firewall rule everything works, but after applying it, it blocks everything; I can't ping ... I'm not sure what I'm missing.

    #PC1 to PC3 web server
    iptables -A FORWARD -p tcp -s --dport 80 -d -j ACCEPT
    #PC1 to PC3 ssh server 
    iptables -A FORWARD -p tcp -s -d --dport 22 -j ACCEPT
    #PC3 to  PC2 ssh server
    iptables -A INPUT -p tcp -s -d --dport 22 -j ACCEPT
    #PC1 to PC3 ICMP ping
    iptables -A FORWARD -s -d -p icmp --icmp-type echo-request -j ACCEPT
    # to PC1 ICMP ping
    iptables -A FORWARD -p icmp --icmp-type echo-request -s -d -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-request -s -d -j ACCEPT
    # drop everything else
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j DROP
    Thank you.

  2. #2
    Ummm, the last section? Does it not DROP ALL? Everything you have set up to begin with is voided?

  3. #3
    I'm trying to drop everything else that is not permitted. If I remove the last section, yes, it will work fine. Any idea what I should replace the last section with?


  5. #4
    Just Joined! Join Date: Nov 2008

    It looks like you are only allowing the communication in 1 direction (towards PC3). The answers are being dropped on their way back because of the last FORWARD chain DROP.
    When you are doing static rules you need to allow the return packet also. When you write a matching rule for the return direction, your 3 FORWARD rules should work. You will need the matching answers for the INPUT rule and the OUTPUT rule also...

    The 3 DROP targets will work fine for dumping the rest of the unwanted communication, but you could also set the Default Policy for the 3 chains and it would do the same.

    Hope this helps.
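    A stateful version of what the reply above describes, added here as an example rather than code from the thread: PC2's rule set with default-DROP policies and an ESTABLISHED,RELATED rule in each chain, so the replies to PC1's connections get back instead of hitting the trailing DROP. The addresses (192.0.2.10 for PC1, 198.51.100.10 for PC3) and interfaces (eth0 facing PC1, eth1 facing PC3) are placeholders, since the real values were stripped from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful ruleset for PC2, the
# forwarding box. The post's real addresses were stripped, so these are
# placeholders from the documentation ranges; interfaces are assumed.
PC1=${PC1:-192.0.2.10}       # placeholder: PC1, on the IF1 side
PC3=${PC3:-198.51.100.10}    # placeholder: PC3, on the IF3 side
IF1=${IF1:-eth0}             # assumed: interface facing PC1
IF3=${IF3:-eth1}             # assumed: interface facing PC3

# DRYRUN=1 prints each rule instead of applying it (applying needs root).
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    ipt -F; ipt -X
    # Default deny in all three chains instead of a trailing "-j DROP".
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    # Replies and related traffic (e.g. ICMP errors) for every chain. This is
    # the return path the original rules lacked: the SYN-ACK from PC3 and the
    # echo-reply came back through FORWARD and hit the final DROP.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    # Only NEW connections need explicit rules from here on.
    # PC1 -> PC3 web and ssh through PC2.
    ipt -A FORWARD -i "$IF1" -o "$IF3" -s "$PC1" -d "$PC3" -p tcp \
        -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT
    # PC1 -> PC3 and PC3 -> PC1 ping through PC2.
    ipt -A FORWARD -i "$IF1" -o "$IF3" -s "$PC1" -d "$PC3" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A FORWARD -i "$IF3" -o "$IF1" -s "$PC3" -d "$PC1" -p icmp --icmp-type echo-request -j ACCEPT
    # PC3 -> PC2 ssh.
    ipt -A INPUT -i "$IF3" -s "$PC3" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # PC2 -> PC1 ping.
    ipt -A OUTPUT -o "$IF1" -d "$PC1" -p icmp --icmp-type echo-request -j ACCEPT
    # Rate-limited log of whatever falls through to the DROP policy, so
    # "everything is blocked" shows up in the kernel log with chain and addresses.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m limit --limit 2/second -j LOG \
            --log-prefix "ipt-drop-$chain " --log-level 4
    done
}

# "sh pc2-fw.sh show" prints the rules; "sudo sh pc2-fw.sh apply" installs them.
case "${1:-}" in
    show)  DRYRUN=1 apply_rules ;;
    apply) apply_rules ;;
esac
```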

  6. #5
    I prefer to do most things in the INPUT chain.

    I wouldn't be so restrictive, but to do what you are describing, on PC2, I would try...

    # clean filter/INPUT chain
    iptables --table filter --flush INPUT
    # set filter/INPUT policy to DROP
    iptables --table filter --policy INPUT DROP
    # clean filter/FORWARD chain
    iptables --table filter --flush FORWARD
    # set filter/FORWARD policy to ACCEPT
    iptables --table filter --policy FORWARD ACCEPT
    # clean filter/OUTPUT chain
    iptables --table filter --flush OUTPUT
    # set filter/OUTPUT policy to ACCEPT
    iptables --table filter --policy OUTPUT ACCEPT
    # allow machine to talk to itself
    iptables --table filter --append INPUT --in-interface lo --jump ACCEPT
    # allow replies to conversations
    iptables --table filter --append INPUT --in-interface eth0 --source --destination --match state --state RELATED,ESTABLISHED --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth1 --source --destination --match state --state RELATED,ESTABLISHED --jump ACCEPT
    # allow ssh connections to PC2 from PC3
    iptables --table filter --append INPUT --in-interface eth1 --source --destination --protocol tcp --dport 22 --jump ACCEPT
    # allow ping traffic from PC1 to PC3 and back
    iptables --table filter --append INPUT --in-interface eth0 --source --destination --protocol icmp --icmp-type echo-request --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth1 --source --destination --protocol icmp --icmp-type echo-request --jump ACCEPT
    # allow ssh traffic from PC1 to PC3 and back
    iptables --table filter --append INPUT --in-interface eth0 --source --destination --protocol tcp --dport 22 --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth1 --source --destination --protocol tcp --sport 22 --jump ACCEPT
    # allow web traffic from PC1 to PC3 and back
    iptables --table filter --append INPUT --in-interface eth0 --source --destination --protocol tcp --dport 80 --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth1 --source --destination --protocol tcp --sport 80 --jump ACCEPT
    # allow all ping traffic between network 2 and PC1
    iptables --table filter --append INPUT --in-interface eth1 --source --destination --protocol icmp --icmp-type echo-request --jump ACCEPT
    iptables --table filter --append INPUT --in-interface eth0 --source --destination --protocol icmp --icmp-type echo-request --jump ACCEPT
    If you want to log failures, to get more information about what is failing, you might add a log rule to your INPUT chain:
    iptables --table filter --append INPUT --match limit --limit 2/second --jump LOG --log-prefix "iptables dropping " --log-level 4
    Since I am not willing to duplicate your network to test these commands' syntax and function, I can't guarantee the commands described here will work for you. It is my best off-the-cuff answer to your specific request.

    Hope that helps...

  7. #6
    Lazydog, Linux Guru, Join Date: Jun 2004, The Keystone State
    Try the following rules:

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    # user-defined chains must exist before FORWARD can jump to them
    iptables -N LAN1
    iptables -N LAN2
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # --dport needs a protocol
    iptables -A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -j LAN1
    iptables -A FORWARD -i eth1 -j LAN2
    iptables -A LAN1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A LAN1 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A LAN1 -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A LAN2 -p icmp --icmp-type echo-request -j ACCEPT
    You can look at the following TUTORIAL on iptables.


