On 09/02/2011 07:25 AM, Julio A. Romero wrote:
Hi all, what happens to DHCP requests that try to be forwarded through the rules below?
As a relatively new iptables user, I couldn't completely understand the following rules. However, if I remember correctly, broadcasts (DHCP or any other) will not reach the FORWARD chain; they will go into the INPUT chain instead.
Sorry if you know this already. Regards, Vignesh
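Thanks, julio

# NOTE(review): this is an excerpt of a larger firewall script; the chains
# named in the "more chains" placeholder further down are not shown here.
# The variables it reads (NETWORKS, GW_NETWORKS, INT_NETWORKS, INT_IFACEs,
# EXT_IFACEs and the limit values) are defined outside this excerpt, and each
# is expected to hold exactly one iptables argument (use a comma-separated
# list where iptables accepts one). Every expansion below is quoted and
# guarded with ${VAR:?} so that a missing value aborts the load instead of
# iptables rejecting that single rule while the rest of the script continues.
# Because the built-in policies are set to DROP before anything else, an
# aborted load leaves the box fail-closed rather than with a partial ruleset.

##################################################################
# ipv4 - policies configuration - zero all - flush all chains - delete defined chains #
#################################################################
# Set the filter policies to DROP *before* flushing so that no traffic is
# accepted during the window in which the chains are empty.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t raw -P OUTPUT ACCEPT
iptables -t raw -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
# Zero counters, flush rules and delete user chains in every table.
iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t raw -Z
iptables -t raw -F
iptables -t raw -X
iptables -t mangle -Z
iptables -t mangle -F
iptables -t mangle -X
#######
# END #
#######

##########################
# ipv4 - FILTER - srcnetfilter #
#########################
# SRCNETFILTER RULES #
# Source whitelist: packets from a trusted network return to the caller,
# everything else is dropped. Reached via -g (goto) from netfilter_fwd, so
# RETURN continues in the chain that jumped to netfilter_fwd (FORWARD).
# Create srcnetfilter
iptables -N srcnetfilter
# Return to back the connections from trust networks
iptables -A srcnetfilter -s "${NETWORKS:?}" -j RETURN
# Deny all other traffic
iptables -A srcnetfilter -j DROP
#######
# END #
#######

##########################
# ipv4 - FILTER - dstnetfilter #
#########################
# DSTNETFILTER RULES #
# Destination whitelist, mirror image of srcnetfilter.
# Create dstnetfilter
iptables -N dstnetfilter
# Return to back the connections toward trust networks
iptables -A dstnetfilter -d "${NETWORKS:?}" -j RETURN
# Deny all other traffic
iptables -A dstnetfilter -j DROP
#######
# END #
#######

########################
# ipv4 - FILTER - average #
#######################
# AVERAGE RULES #
# Connection-count and rate ceilings. Each check is written as a LOG rule
# followed by an identical REJECT rule, so the log line and the reject must
# stay adjacent and in this order.
# NOTE(review): none of the LOG rules in this script carry -m limit; under a
# flood every rejected packet produces a log line, which can itself exhaust
# syslog/disk. Consider adding `-m limit --limit <rate> --limit-burst <n>`
# (values are a local policy choice) in front of each -j LOG.
# NOTE(review): -m fuzzy is not part of stock iptables (it ships with
# xtables-addons) -- confirm it is installed on the target kernel, otherwise
# the four fuzzy rules below fail to load and the average chain loses its
# global and per-IP rate checks.
# Create average
iptables -N average
# Maximum limit of global connections (--connlimit-mask 0 aggregates all
# source addresses into a single counter)
iptables -A average -m connlimit --connlimit-mask 0 \
  --connlimit-above "${GLOBAL_CONNECTIONS:?}" -j LOG --log-prefix "FW:average:GCs>LIMIT "
iptables -A average -m connlimit --connlimit-mask 0 \
  --connlimit-above "${GLOBAL_CONNECTIONS:?}" -j REJECT
# Restrict the number of parallel connections per client IP
iptables -A average -m connlimit --connlimit-mask 32 \
  --connlimit-above "${CONNECTIONS_PER_IP:?}" -j LOG --log-prefix "FW:average:CCs>LIMIT "
iptables -A average -m connlimit --connlimit-mask 32 \
  --connlimit-above "${CONNECTIONS_PER_IP:?}" -j REJECT
# Global traffic rate average
iptables -A average -m fuzzy --lower-limit "${LOWER_LIMIT:?}" \
  --upper-limit "${UPPER_LIMIT:?}" -j LOG --log-prefix "FW:average:GTRA:REJECT "
iptables -A average -m fuzzy --lower-limit "${LOWER_LIMIT:?}" \
  --upper-limit "${UPPER_LIMIT:?}" -j REJECT
# Traffic rate control above the lower limit per client IP
# (only for clients still under their connection cap: "! --connlimit-above")
iptables -A average -m connlimit --connlimit-mask 32 \
  ! --connlimit-above "${CONNECTIONS_PER_IP:?}" -m fuzzy \
  --lower-limit "${LOWER_LIMIT_PER_IP:?}" --upper-limit "${UPPER_LIMIT_PER_IP:?}" \
  -j LOG --log-prefix "FW:average:TRC_PIP:REJECT "
iptables -A average -m connlimit --connlimit-mask 32 \
  ! --connlimit-above "${CONNECTIONS_PER_IP:?}" -m fuzzy \
  --lower-limit "${LOWER_LIMIT_PER_IP:?}" --upper-limit "${UPPER_LIMIT_PER_IP:?}" -j REJECT
# Allow the traffic below the lower limit per client IP
# (anything above --hashlimit-upto falls through to the caller's policy)
iptables -A average -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 \
  --hashlimit-upto "${FREE_PACKETS:?}" --hashlimit-burst "${BURST:?}" \
  --hashlimit-name average -j ACCEPT
#######
# END #
#######

############################
# ipv4 - FILTER - netfilter_fwd #
###########################
# NETFILTER_FWD RULES #
# Plausibility checks on forwarded traffic. Anti-spoofing: drop anything that
# claims the gateway's own addresses, anything leaving towards the internal
# networks, and anything arriving from outside with an internal source.
# Valid directions are handed to dstnetfilter/srcnetfilter with -g, so a
# RETURN there resumes in FORWARD, not here.
# Create netfilter_fwd
iptables -N netfilter_fwd
# LOG and DROP untrue connections
iptables -A netfilter_fwd -s "${GW_NETWORKS:?}" -j LOG --log-prefix "FW:FWD:BOX->* "
iptables -A netfilter_fwd -s "${GW_NETWORKS:?}" -j DROP
iptables -A netfilter_fwd -d "${GW_NETWORKS:?}" -j LOG --log-prefix "FW:FWD:*->BOX "
iptables -A netfilter_fwd -d "${GW_NETWORKS:?}" -j DROP
iptables -A netfilter_fwd -i "${INT_IFACEs:?}" -o "${EXT_IFACEs:?}" -d "${INT_NETWORKS:?}" -j LOG \
  --log-prefix "FW:FWD:I->E:dst:INT_NET "
iptables -A netfilter_fwd -i "${INT_IFACEs:?}" -o "${EXT_IFACEs:?}" -d "${INT_NETWORKS:?}" -j DROP
iptables -A netfilter_fwd -i "${EXT_IFACEs:?}" -o "${INT_IFACEs:?}" -s "${INT_NETWORKS:?}" -j LOG \
  --log-prefix "FW:FWD:E->I:src:INT_NET "
iptables -A netfilter_fwd -i "${EXT_IFACEs:?}" -o "${INT_IFACEs:?}" -s "${INT_NETWORKS:?}" -j DROP
# Send outgoing traffic to dstnetfilter for validation of the destination
iptables -A netfilter_fwd -i "${INT_IFACEs:?}" -o "${EXT_IFACEs:?}" -s "${INT_NETWORKS:?}" -g dstnetfilter
# Send incoming traffic to srcnetfilter for validation of the source
iptables -A netfilter_fwd -i "${EXT_IFACEs:?}" -o "${INT_IFACEs:?}" -d "${INT_NETWORKS:?}" -g srcnetfilter
# LOG and DROP all other traffic
iptables -A netfilter_fwd -j LOG --log-prefix "FW:FWD:netfilter_fwd:? "
iptables -A netfilter_fwd -j DROP
#######
# END #
#######

# ... more chains of filter table ... (udpport, tcpport, icmpfilter,
# tcpfilter, udpfilter, netfilter_out, netfilter_in, INPUT, OUTPUT)
# -- not included in this excerpt

###########################
# ipv4 - FILTER - FORWARD #
##########################
# FORWARD RULES #
# Only traffic that RETURNed from netfilter_fwd (via dstnetfilter or
# srcnetfilter) reaches the rules after the first one. Packets that match
# nothing fall through to the DROP policy set at the top of the script.
# NOTE(review): as pointed out in the thread, link-local broadcasts such as
# DHCP discover/request are not routed, so they never traverse FORWARD and
# are handled by the INPUT chain of this box instead.
# Forward all traffic to netfilter_fwd
iptables -A FORWARD -j netfilter_fwd
# Allow (established|related) connections in returned traffic of netfilter_fwd
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Send all other ICMP returned packets to icmpfilter
iptables -A FORWARD -p icmp -g icmpfilter
# Send all other UDP returned packets to udpport
iptables -A FORWARD -p udp -g udpport
# Send all other TCP returned packets to tcpport
iptables -A FORWARD -p tcp -g tcpport
# Send all other returned fragmented packets to average
iptables -A FORWARD -f -j average
# Log for debugger (the chain policy DROP then applies)
iptables -A FORWARD -j LOG --log-prefix "FW:FWD:? "
#######
# END #
#######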