I have a problem with a few rules that I need some help with. Here is my setup: I have two IPs, 81.174.224.69 and 81.174.224.70. 69 is the main IP; 70 is used only for SSH access, specifically over port 443. This is done via Portmapping to port 22. The problem is this section of code:

    /sbin/iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
    /sbin/iptables -A INPUT -p ALL -i $LOC_IFACE -j ACCEPT

    #This section is for the Internet facing sections!
    /sbin/iptables -A INPUT -p ALL -i $WAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i $WAN_IFACE -d ! $EXT_IP -j DROP
    /sbin/iptables -A INPUT -p TCP -i $WAN_IFACE ! --syn -m state --state NEW -j DROP-INPUT
    /sbin/iptables -A INPUT -p TCP -i $WAN_IFACE --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP-INPUT
    /sbin/iptables -A INPUT -p UDP --dport bootps -i ! $LOC_IFACE -j DROP
    /sbin/iptables -A INPUT -p UDP --dport bootpc -i ! $LOC_IFACE -j DROP
    /sbin/iptables -A INPUT -p UDP --dport domain -i ! $LOC_IFACE -j DROP
    /sbin/iptables -A INPUT -p ALL -d 81.174.224.70 -j LOG
    /sbin/iptables -A INPUT -p ALL -i $LOC_IFACE -j REJECT --reject-with icmp-host-prohibited
    /sbin/iptables -A INPUT -p TCP --dport 22 -s hilton.bath -d 81.174.224.70 -j ACCEPT
    /sbin/iptables -A INPUT -p TCP --dport 443 -s hilton.bath -d 81.174.224.70 -j ACCEPT
    /sbin/iptables -A INPUT -p ALL -d 81.174.224.70 -j DROP-INPUT

As I understand it, this line should drop anything that comes into the interface that is connected to the internet:

    /sbin/iptables -A INPUT -i $WAN_IFACE -d ! $EXT_IP -j DROP

i.e., if it is not destined for 81.174.224.69 it gets dropped. However, it does not. Traffic that is destined for 81.174.224.70 gets past that; however, it does not even reach the first log statement for that IP. I know that the block is in the wrong place; it was put there as a test. I am just confused as to why it is being allowed at all.
If anyone can help me understand what is going on, and how the packet is traversing this rule block, that would be helpful! So what I am trying to achieve is that all traffic to 81.174.224.70 is dropped, with the exception of ports 22 and 443 TCP.

-- Mike

----------------------------------------------------------------
This message was sent for a thompsonmike.co.uk address, and may not reflect the views or opinions of the Network owner. All Views and Opinions are those of the author.
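An added example, not part of Mike's post: a small Python simulator that walks one packet through the INPUT rules quoted above, rule by rule, so the traversal he asks about can be followed. It assumes interface names, that DROP-INPUT is a user chain ending in DROP, and, for the second packet only, that the port mapping is a nat PREROUTING DNAT that rewrites the destination to $EXT_IP:22 (the post does not show that rule); filter INPUT always sees the post-DNAT address, which is why that case is worth walking.

```python
# Added example, not code from the original post.  Walks a packet through the
# INPUT rules quoted above.  Assumptions: interface names, the sample packets,
# and that DROP-INPUT is a user chain that ends in DROP.
WAN, LOC, LO = "eth0", "eth1", "lo"
EXT_IP, SSH_IP, ADMIN = "81.174.224.69", "81.174.224.70", "hilton.bath"

# (match, target).  Absent keys are wildcards.  "not_dst"/"not_iface" model the "!"
# negations, "state" is a set of conntrack states, "syn" models --syn / ! --syn,
# and every flag in "flags" must be set on the packet (--tcp-flags SYN,ACK SYN,ACK).
RULES = [
    ({"iface": LO}, "ACCEPT"),
    ({"iface": LOC}, "ACCEPT"),
    ({"iface": WAN, "state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({"iface": WAN, "not_dst": EXT_IP}, "DROP"),                  # -d ! $EXT_IP
    ({"iface": WAN, "proto": "tcp", "syn": False, "state": {"NEW"}}, "DROP-INPUT"),
    ({"iface": WAN, "proto": "tcp", "flags": {"SYN", "ACK"}, "state": {"NEW"}}, "DROP-INPUT"),
    ({"proto": "udp", "dport": 67, "not_iface": LOC}, "DROP"),    # bootps
    ({"proto": "udp", "dport": 68, "not_iface": LOC}, "DROP"),    # bootpc
    ({"proto": "udp", "dport": 53, "not_iface": LOC}, "DROP"),    # domain
    ({"dst": SSH_IP}, "LOG"),                                     # non-terminating
    ({"iface": LOC}, "REJECT"),
    ({"proto": "tcp", "dport": 22, "src": ADMIN, "dst": SSH_IP}, "ACCEPT"),
    ({"proto": "tcp", "dport": 443, "src": ADMIN, "dst": SSH_IP}, "ACCEPT"),
    ({"dst": SSH_IP}, "DROP-INPUT"),
]

def matches(match, pkt):
    for key, want in match.items():
        if key == "not_dst":     ok = pkt["dst"] != want
        elif key == "not_iface": ok = pkt["iface"] != want
        elif key == "state":     ok = pkt["state"] in want
        elif key == "syn":       ok = (pkt["flags"] == {"SYN"}) == want
        elif key == "flags":     ok = want <= pkt["flags"]
        else:                    ok = pkt.get(key) == want
        if not ok: return False
    return True

def traverse(rules, pkt):
    hits = []  # (index, target) of every rule matched; LOG does not end traversal
    for i, (match, target) in enumerate(rules):
        if matches(match, pkt):
            hits.append((i, target))
            if target != "LOG": return hits, target
    return hits, "(chain policy)"  # fell off the end of the chain

def packet(dst, dport, state="NEW", flags=("SYN",)):
    return {"iface": WAN, "proto": "tcp", "src": ADMIN, "dst": dst,
            "dport": dport, "state": state, "flags": set(flags)}
# 1) The SYN as sent on the wire, to 81.174.224.70:443: rule 3 matches and drops it.
AS_SENT = traverse(RULES, packet(SSH_IP, 443))
# 2) The same SYN if a nat PREROUTING DNAT had already rewritten it to $EXT_IP:22
#    (assumption; the port-mapping rule is not shown): rule 3 no longer matches,
#    and neither does any rule keyed on 81.174.224.70, so it reaches the chain policy.
AFTER_DNAT = traverse(RULES, packet(EXT_IP, 22))
```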