Unable to Block Individual Ports from the LAN to the Internet

I am doing something wrong but I am at a loss to know what it is. I
am using Slackware with the 3.10.30 kernel and iptables v1.4.20 with
eth0 as Internet side and eth1 as the LAN user's side.

If I set up the following in rc.iptables

           #!/bin/sh
           # define the path to the iptables executable
           IPTABLES=/usr/sbin/iptables

           # FLUSH TABLE RULES
           $IPTABLES -F

           # FLUSH NAT-CHAIN TABLE RULES
           $IPTABLES -t nat -F

           # ENABLE IP FORWARDING
           echo 1 > /proc/sys/net/ipv4/ip_forward

 IPTABLES looks like this.

          Chain INPUT (policy ACCEPT)
          target     prot opt source               destination

          Chain FORWARD (policy ACCEPT)
          target     prot opt source               destination

          Chain OUTPUT (policy ACCEPT)
          target     prot opt source               destination

I would think with this configuration I should be able to browse the
Internet from a LAN PC, but I cannot.  ??????

If I add this rule to rc.iptables

          $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The output of  $IPTABLES -t nat -L  adds the following to IPTABLES

          MASQUERADE  all  --  anywhere             anywhere

I can now use a browser on the LAN side to reach a web site on the Internet.

If I then add this rule:

          $IPTABLES -A INPUT -i eth1 -p tcp --dport 1:1054 -j DROP

Which results in this

          Chain INPUT (policy ACCEPT)
          target     prot opt source               destination
          DROP       tcp  --  anywhere             anywhere             tcp dpts:tcpmux:1054

          Chain FORWARD (policy ACCEPT)
          target     prot opt source               destination

          Chain OUTPUT (policy ACCEPT)
          target     prot opt source               destination

I would think that would block just about everything again, but I can
use a browser on the LAN side and see Internet sites just fine.

I have also tried to configure it in other ways with different rules
and/or IP addresses instead of eth0 or eth1 including the order the
rules are applied, but I always end up with the same results.  Either
it passes nothing or when it does pass traffic, the drop rules do not
seem to work.

Ideally I would like the LAN side on eth1 to be able to reach
anything on eth0, the Internet side, except those ports and IP
addresses that I would specifically block but I am obviously not
applying the rules correctly.   Any hints or suggestions?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
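The configuration the post is asking for, as an added example that is not the poster's script: packets a LAN host sends to the Internet are routed through the box and so traverse the FORWARD chain, never INPUT (INPUT only sees packets addressed to the router itself), which is why a DROP in INPUT has no effect on browsing. Interface names and the 1:1054 range come from the post; the blocked host address 192.0.2.10 is a placeholder.

```shell
#!/bin/sh
# Added example, not the poster's rc.iptables: eth0 = Internet, eth1 = LAN.
# LAN-to-Internet packets are forwarded *through* the box, so they traverse
# FORWARD, never INPUT. Port and host blocks therefore belong in FORWARD.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
WAN=eth0
LAN=eth1
BLOCKED_HOST=192.0.2.10   # placeholder address, not from the post

apply_rules() {
    # start from a clean filter and nat table
    $IPTABLES -F
    $IPTABLES -t nat -F

    # replies to sessions the LAN opened must be able to come back in
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # block specific destinations; this is the 1:1054 range the post tried
    # (it covers 80 and 443, so web browsing from the LAN will stop, which
    # is what that test expected to see)
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 1:1054 -j DROP
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -d "$BLOCKED_HOST" -j DROP

    # everything else from the LAN out is allowed; no new connections in
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -j DROP

    # hide LAN addresses behind the Internet interface
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# print the iptables arguments instead of running them (no root needed)
preview_rules() {
    ( IPTABLES=echo; apply_rules )
}

case "${1:-preview}" in
    apply) apply_rules; enable_forwarding ;;
    *) preview_rules ;;
esac
```

`$IPTABLES -L FORWARD -v -n` shows per-rule packet counters, so you can confirm a DROP rule is actually matching while browsing from the LAN.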