# 2 questions about iptables configuration
- 03-11-2013 #1 Just Joined!
#1
Eth0 - 208.98.98.1 (outside network aka the internet)
Eth1 - 192.168.111.2 (DMZ)
Eth2 - 10.23.23.2 (Internal Network)
Packets that enter eth0 begin with IP "192.168." or "10.". Only packets of the DMZ or internal network have such IPs.
Eth0 has an internet address range 10.0.0.8 and the 192.168.0/16 private address range.
Setup of IP tables
```shell
iptables -I INPUT 1 -i eth0 -s 192.168.0.0/16 -j DROP
iptables -I INPUT 2 -i eth0 -s 10.0.0.0/8 -j DROP
iptables -I INPUT 3 -i eth1 -s ! 192.168.111.0/24 -j DROP
iptables -I INPUT 4 -i eth2 -s ! 10.0.0.0/8 -j DROP
iptables -I FORWARD 1 -i eth0 -s 192.168.0.0/16 -j DROP
iptables -I FORWARD 2 -i eth0 -s 10.0.0.0/8 -j DROP
iptables -I FORWARD 3 -i eth1 -s ! 192.168.111.0/24 -j DROP
iptables -I FORWARD 4 -i eth2 -s ! 10.0.0.0/8 -j DROP
```
Looked up what `-s !` is used for:
"A "!" argument before the address specification inverts the sense of the address." What is meant with "inverts the sense of the address"? SOLVED!
If I got it right, the first two rules are there to block internal spoofing,
rules 3 and 4 for spoofing of its own address range.
SOLVED!
Can't really figure out the meaning of the last four just yet.
Probably yet again against IP spoofing, but it kinda makes no sense to me - IMO you need a source and destination if you forward packets. PENDING
---
#2
Trying to allow incoming TCP connections to active services with #iptables.
Listing all active services --> `netstat -tulpn`
Thinking about sudo
```shell
iptables -A INPUT -i eth0 -p TCP -m conntrack --ctstate NEW -j ACCEPT
```
Last edited by Daemorog; 03-11-2013 at 07:47 PM. Reason: spelling mistakes + solved subquestions
- 03-11-2013 #2 Linux Enthusiast
! means 'is not'
You could read the third rule like this:
For all incoming packets, on interface eth1, if the source 'is not' a 192.168.111.0/24 address, then drop.
Unless your system is acting as a gateway for other systems, or you are hosting VMs, you do not need forwarding typically.
- 03-11-2013 #3 Just Joined!
Thanks a bunch for that answer; I should have known what "!" meant from my background in programming, but I wasn't entirely sure of it.
Regarding the forwarding, I would really like to know why it is there - it still doesn't really make sense, since the rules don't have a destination assigned to them.
#2 is still open too.
- 03-11-2013 #4 Linux Enthusiast
Forwarding is forwarding packets from one interface to another.
iptables -I FORWARD 1 -i eth0 -s 192.168.0.0/16 -j DROP = If I receive a forward request on eth0, and the source address is 192.168.x.x (spoofed), drop.
iptables -I FORWARD 2 -i eth0 -s 10.0.0.0/8 -j DROP = If I receive a forward request on eth0, and the source address is 10.0.x.x (spoofed), drop.
iptables -I FORWARD 3 -i eth1 -s ! 192.168.111.0/24 -j DROP = If I receive a forward request on eth1, and the source address 'is not' from 192.168.111.0/24, drop.
iptables -I FORWARD 4 -i eth2 -s ! 10.0.0.0/8 -j DROP = If I receive a forward request on eth2, and the source address 'is not' from 10.0.0.0/8, drop.
So, what is a forward exactly? Say your machine is acting as a gateway for another device on the 192.168.111.x network. The final destination isn't your server, it's likely the internet or the other private network. Thus, your server will do little more than forward those packets along.
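As an added illustration (not code from the thread), the eight rules and the three gateway addresses from post #1 modelled in Python: the destination only decides which chain (INPUT or FORWARD) a packet reaches, while the anti-spoofing rules themselves look at nothing but the ingress interface and the claimed source. Sample packets are constructed.

```python
import ipaddress

# Constructed model of the eight rules from the thread:
# (chain, ingress interface, negated source match, source network, target).
# The "-s ! net" form in the post becomes negate=True.
RULES = [
    ("INPUT",   "eth0", False, "192.168.0.0/16",   "DROP"),
    ("INPUT",   "eth0", False, "10.0.0.0/8",       "DROP"),
    ("INPUT",   "eth1", True,  "192.168.111.0/24", "DROP"),
    ("INPUT",   "eth2", True,  "10.0.0.0/8",       "DROP"),
    ("FORWARD", "eth0", False, "192.168.0.0/16",   "DROP"),
    ("FORWARD", "eth0", False, "10.0.0.0/8",       "DROP"),
    ("FORWARD", "eth1", True,  "192.168.111.0/24", "DROP"),
    ("FORWARD", "eth2", True,  "10.0.0.0/8",       "DROP"),
]

# The gateway's own addresses from the thread. A packet addressed to one of
# these is delivered locally (INPUT chain); anything else is routed (FORWARD).
LOCAL_ADDRS = {"208.98.98.1", "192.168.111.2", "10.23.23.2"}

def source_matches(src, negate, network):
    """Apply the -s match, honouring the '!' inversion."""
    inside = ipaddress.ip_address(src) in ipaddress.ip_network(network)
    return not inside if negate else inside

def verdict(chain, in_iface, src, policy="ACCEPT"):
    """Walk one chain top to bottom; the first matching rule decides, else the
    chain policy applies. Only -i and -s are consulted: no destination needed."""
    for r_chain, r_iface, negate, network, target in RULES:
        if r_chain == chain and r_iface == in_iface and source_matches(src, negate, network):
            return target
    return policy

def filter_packet(in_iface, src, dst):
    """Choose the chain the way the routing decision does (destination decides
    INPUT vs FORWARD), then evaluate that chain's anti-spoofing rules."""
    chain = "INPUT" if dst in LOCAL_ADDRS else "FORWARD"
    return chain, verdict(chain, in_iface, src)

if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination)
    samples = [
        ("eth0", "192.168.111.5", "10.23.23.50"),   # DMZ address arriving from the internet: spoofed
        ("eth1", "192.168.111.5", "208.98.98.50"),  # genuine DMZ host heading out: allowed
        ("eth1", "10.23.23.9",    "208.98.98.50"),  # internal address claimed on the DMZ port: spoofed
        ("eth0", "208.98.98.50",  "192.168.111.2"), # real internet host talking to the gateway itself
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(*pkt))
```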
- 03-11-2013 #5 Just Joined!
I don't really get forward yet, can you explain it a little bit more please?
(The example without a destination keeps messing with my mind.)
You had my curiosity, now you have my full attention.
Last edited by Daemorog; 03-11-2013 at 07:54 PM. Reason: grammar mistakes
- 03-12-2013 #6 Linux Enthusiast
This article explains the gist of it:
How to implement ip forwarding in Linux
- 03-12-2013 #7 Just Joined!
So basically forward can be seen as a routing method which connects two separate networks together.
So what the rules actually say is that traffic should come from the subnet (inside - 192.168.111.x) to the gateway (eth[0-2]) before it can be forwarded to the other networks. Which also concludes that in the first 2 iptables rules the -s should be a -d (destination) to make a lot more sense.
- 03-12-2013 #8 Linux Enthusiast
No, the rules look to be correct to protect against spoofing.
- 03-12-2013 #9 Just Joined!
Please clarify further.
- 03-12-2013 #10 Linux Enthusiast
What exactly are you trying to accomplish with these rules? Perhaps you are confused because you are intending the rules to do something they aren't.