Hello Guys
Nowadays, I've been working on a firewall configuration. I want to use the default
policy DROP for the INPUT, FORWARD and OUTPUT chains. I'm using the redwall
firewall, which has support for l7-protocols. I need to block MSN, but when I
apply the rule to the FORWARD chain it doesn't block.
But when I change the default policy of the FORWARD chain to ACCEPT, the same
rule blocks the MSN traffic.
I would appreciate some advice.
Cheerio!
#!/bin/sh
IPTABLES=/sbin/iptables

# Flush all rules and user chains, then set default-deny on all three chains.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Layer7 classification of all forwarded TCP traffic. Being the first rule in
# FORWARD, it is evaluated for every forwarded packet before any ACCEPT below.
$IPTABLES -A FORWARD -p tcp -m tcp -m layer7 --l7proto msnmessenger -j DROP

# ICMP to and from the firewall itself: ping in both directions and
# destination-unreachable.
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

#$IPTABLES -A FORWARD -s 10.0.109.20 -j DROP

# SSH to the firewall on eth2; the replies are allowed by connection state.
$IPTABLES -A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o eth2 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT

# HTTP through the firewall, matched by port only, in both directions.
$IPTABLES -A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
# The next two rules are never reached: port 80 packets have already been
# accepted by the two rules above, and the first FORWARD rule applies the
# same layer7 match to every TCP port anyway.
$IPTABLES -A FORWARD -p tcp -m tcp --sport 80 -m layer7 --l7proto msnmessenger -j DROP
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m layer7 --l7proto msnmessenger -j DROP

# HTTPS and DNS through the firewall. No rule accepts any other port, so with
# the DROP policy every other forwarded connection (for example to the MSN
# native port) is discarded by the policy, not by the layer7 rule.
$IPTABLES -A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
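Before changing the rules, the first thing to establish is whether the layer7 rule is matching at all under each policy, which the per-rule packet counters show directly. The script below is an added example, not part of the original post or of the redwall firewall: it parses the output of `iptables -vnL FORWARD --line-numbers -x` and reports how many packets fell through to the chain policy and which rules have never matched. The sample counter listing embedded in it is constructed to resemble that output for the ruleset above (the counter values and the `LAYER7 l7proto` rendering are illustrative, not captured from a real box).

```shell
#!/bin/sh
# Added example (not from the original post): read iptables -vnL counters to
# see where forwarded traffic is actually going.

# Constructed sample of `iptables -vnL FORWARD --line-numbers -x` output for
# the ruleset in the post. Values are illustrative, not captured.
sample_counters() {
cat <<'EOF'
Chain FORWARD (policy DROP 37 packets, 2604 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp LAYER7 l7proto msnmessenger
2         812      91400 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
3         640      52110 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4           0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 LAYER7 l7proto msnmessenger
5           0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LAYER7 l7proto msnmessenger
6         210      30112 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
7         195      14006 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
8          44       5120 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53
9          44       2860 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
EOF
}

# policy_pkts: packets that matched no rule and were handled by the chain
# policy. Reads the "Chain X (policy Y N packets, M bytes)" header on stdin.
policy_pkts() {
  awk '/^Chain / { sub(/,/, "", $5); print $5; exit }'
}

# zero_hit_rules: prints "num target match-options" for every rule whose
# packet counter is zero. Skips the Chain header and the column header.
# Columns: num pkts bytes target prot opt in out source destination [matches]
zero_hit_rules() {
  awk 'NR > 2 && $2 == 0 {
         m = ""
         for (i = 11; i <= NF; i++) m = m (m == "" ? "" : " ") $i
         print $1, $4, m
       }'
}

# diagnose: one-screen summary of the two questions that matter here.
diagnose() {
  out=$(sample_counters)
  echo "packets dropped by the FORWARD policy: $(printf '%s\n' "$out" | policy_pkts)"
  echo "rules that have never matched:"
  printf '%s\n' "$out" | zero_hit_rules
}

diagnose
```

On the firewall itself, replace `sample_counters` with the live listing: `iptables -Z FORWARD`, reproduce one MSN login, then `iptables -vnL FORWARD --line-numbers -x | zero_hit_rules`. Use `-x` so large counters are not abbreviated with K/M suffixes. If the layer7 rule stays at zero under the DROP policy while the port 80 ACCEPT counters grow, the client's traffic is reaching the port 80 rules in a form the pattern does not match; if the policy counter grows instead, a trailing `-j LOG` rule in FORWARD will show which port is being refused. Note that the DROP policy here refuses MSN's native port outright, and clients of that era are known to fall back to HTTP on port 80 when that port is unreachable, so whether the msnmessenger pattern also matches the HTTP-encapsulated form is worth checking against your pattern file.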