On 2017-01-11 10:21, André Paulsberg-Csibi wrote:
From what you sent me directly, you also allowed this in the OUTPUT chain, which makes no sense to me ... but it may be that the rule set has somehow been "broken" and it is now causing unintended packet handling.
You might need INPUT, OUTPUT & FORWARD policies all to be 'DROP' for this behaviour.
I reproduced this at home using the below script (now corrected for copy/paste errors).
It's very basic, and should allow you to telnet from an internal host to the allowed HTTP site but refuse all other port 80 connections.
I used tcpdump on the firewall to monitor the LAN interface.

--------------------------------------------------
A='/sbin/iptables'
EXIF='ppp0'
LANIF='eth1'

#Clear
$A -F
$A -F INPUT
$A -F OUTPUT
$A -F FORWARD
$A -F -t mangle
$A -F -t nat
$A -X

#Setup policies
$A -P INPUT DROP
$A -P OUTPUT DROP
$A -P FORWARD DROP

echo "1" > /proc/sys/net/ipv4/ip_forward

# Some basics
# Accept loopback interface
$A -A INPUT -i lo -j ACCEPT
$A -A OUTPUT -o lo -j ACCEPT

# SSH from LAN
$A -A INPUT -i $LANIF -p tcp --dport 22 -j ACCEPT

#general NAT
$A -t nat -A POSTROUTING -o $EXIF -j MASQUERADE

#General State Matching
$A -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
$A -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allowed HTTP/HTTPS Sites
#bbc
$A -A FORWARD -i $LANIF -o $EXIF -d 212.58.244.22 -p tcp -m multiport --dports '80,443' -j ACCEPT

#Send RST to LAN for all other 80/443 connections
$A -A FORWARD -i $LANIF -p tcp -m multiport --dports '80,443' -j REJECT --reject-with tcp-reset
--------------------------

Matt
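The point behind "allowed this in the OUTPUT chain, which makes no sense" and "policies all DROP" is which chain a given packet traverses: a packet forwarded from the LAN to the Internet never passes INPUT or OUTPUT, only FORWARD, so rules in OUTPUT cannot permit or block it, and once FORWARD's policy is DROP the only way through is the explicit ACCEPT. The following is an added example, not from this thread or from Matt's script: a small first-match model of the three filter chains loaded with the rules from the script above. The interface names, the BBC address and the port set come from the script; the address 203.0.113.10 and the reply packet are constructed for the demonstration, and the chain-selection logic is a simplified stand-in for the kernel's routing decision (it ignores NAT and the loopback round trip).

```python
# Added example (not from the thread): minimal first-match model of the
# netfilter INPUT/OUTPUT/FORWARD chains, loaded with the rules from the script.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

LAN_IF, EXT_IF = "eth1", "ppp0"
ALLOWED_HTTP_HOST = "212.58.244.22"   # the one permitted site in the script
OTHER_HOST = "203.0.113.10"           # constructed, documentation range


@dataclass
class Packet:
    dst: str
    dport: int
    in_if: Optional[str]    # None = generated by the firewall itself
    out_if: Optional[str]   # None = delivered to the firewall itself
    proto: str = "tcp"
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[FrozenSet[int]] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet) -> bool:
        # every specified match must hold; unspecified matches are wildcards
        return (
            (self.in_if is None or self.in_if == p.in_if)
            and (self.out_if is None or self.out_if == p.out_if)
            and (self.dst is None or self.dst == p.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dports is None or p.dport in self.dports)
            and (self.states is None or p.state in self.states)
        )


WEB = frozenset({80, 443})
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}
CHAINS = {
    "INPUT": [
        Rule("ACCEPT", in_if="lo"),
        Rule("ACCEPT", in_if=LAN_IF, proto="tcp", dports=frozenset({22})),
    ],
    "OUTPUT": [
        Rule("ACCEPT", out_if="lo"),
        Rule("ACCEPT", states=frozenset({"ESTABLISHED"})),
    ],
    "FORWARD": [
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", in_if=LAN_IF, out_if=EXT_IF, dst=ALLOWED_HTTP_HOST,
             proto="tcp", dports=WEB),
        Rule("REJECT tcp-reset", in_if=LAN_IF, proto="tcp", dports=WEB),
    ],
}


def chain_for(p: Packet) -> str:
    """Simplified routing decision: locally generated packets see OUTPUT,
    locally destined ones see INPUT, everything transiting sees FORWARD."""
    if p.in_if is None:
        return "OUTPUT"
    if p.out_if is None:
        return "INPUT"
    return "FORWARD"


def verdict(p: Packet) -> Tuple[str, str]:
    chain = chain_for(p)
    for rule in CHAINS[chain]:      # first matching rule wins
        if rule.matches(p):
            return chain, rule.target
    return chain, POLICY[chain]     # no rule matched: chain policy applies


def lan_to(dst: str, dport: int, state: str = "NEW") -> Tuple[str, str]:
    """A new connection from a LAN host going out via ppp0."""
    return verdict(Packet(dst, dport, LAN_IF, EXT_IF, state=state))


if __name__ == "__main__":
    print("LAN -> allowed site :80 ", lan_to(ALLOWED_HTTP_HOST, 80))
    print("LAN -> other site   :80 ", lan_to(OTHER_HOST, 80))
    print("LAN -> other site   :25 ", lan_to(OTHER_HOST, 25))
    print("reply, ESTABLISHED      ", verdict(Packet("192.168.1.10", 40000, EXT_IF, LAN_IF, state="ESTABLISHED")))
    print("firewall -> other   :80 ", verdict(Packet(OTHER_HOST, 80, None, EXT_IF)))
    print("internet -> fw      :22 ", verdict(Packet("198.51.100.1", 22, EXT_IF, None)))
```

Running it shows the behaviour Matt describes: the allowed site gets ACCEPT in FORWARD, any other site on 80/443 gets the tcp-reset REJECT, and a port the script never mentions (25) falls through to the FORWARD DROP policy. It also shows why an OUTPUT rule cannot explain LAN traffic getting through: a LAN-originated packet is classified as FORWARD before any OUTPUT rule is consulted, while a connection the firewall itself initiates hits OUTPUT and is dropped by policy because only ESTABLISHED is accepted there.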