iptables help.....

Post by Ab » Tue, 13 May 2003 19:48:03



Hello
I have a Linux box with a firewall with iptables.
My problem is to block some outgoing traffic from the LAN; so I issued the
following commands:
iptables -t mangle -A POSTROUTING -o eth1 -s 0/0 -d 0/0 -p tcp --dport 1:65525 -j DROP
and the same for udp
next I issued the following command:
iptables -t mangle -A POSTROUTING -o eth1 -s 0/0 -d 0/0 -p tcp --dport $port -j ACCEPT
There had to be something wrong, because my connection with the Linux box goes
down just when I restart the firewall.
Any help would be appreciated.
Thanks

Post by bens » Wed, 14 May 2003 01:00:22


[Mon, 12 May 2003 10:48:03 +0000] quoth Ab:

> My problem is to block some outgoing traffic from the LAN; so I issued the
> following commands:
> iptables -t mangle -A POSTROUTING -o eth1 -s 0/0 -d 0/0 -p tcp --dport 1:65525 -j DROP
> and the same for udp
> next I issued the following command:
> iptables -t mangle -A POSTROUTING -o eth1 -s 0/0 -d 0/0 -p tcp --dport $port -j ACCEPT

  Why did you choose the mangle table to block traffic? Why not just use
  the filter (default) table's INPUT, FORWARD and OUTPUT chains?

  In the example posted above, your first rule accepts, and the second rule
  drops; is this what you intended?
  B


Post by Ab » Wed, 14 May 2003 18:20:44




> [Mon, 12 May 2003 10:48:03 +0000] quoth Ab:

> > My problem is to block some outgoing traffic from the LAN; so I issued the
> > following commands:
> > iptables -t mangle -A POSTROUTING -o eth1 -s 0/0 -d 0/0 -p tcp --dport 1:65525 -j DROP
> > and the same for udp
> > next I issued the following command:
> > iptables -t mangle -A POSTROUTING -o eth1 -s 0/0 -d 0/0 -p tcp --dport $port -j ACCEPT

>   Why did you choose the mangle table to block traffic? Why not just use
>   the filter (default) table's INPUT, FORWARD and OUTPUT chains?

>   In the example posted above, your first rule accepts, and the second rule
>   drops; is this what you intended?
>   B

Thanks for the advice.
I intended to block all that is not open and then open what I need in the
second rule.

Post by Walter Cardwel » Wed, 14 May 2003 23:43:03


> I intended to block all that is not open and then open what I need in the
> second rule.

Packets are evaluated against each rule in order until a match is found, and
if no match is found, the Default Policy is applied. If you put a "block
everything" rule first, then packets will always be dropped before they can
be matched against any subsequent rules. What you want to do is set the
chain Default Policy to DROP, then create rules to specify which packets
should be accepted.

Also, you need to use the INPUT, OUTPUT, and FORWARD chains and not the
MANGLE chain for the purpose of accepting or dropping packets.

See "man iptables"
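The following script is an added example, not code posted in this thread. It builds the FORWARD-chain ruleset the way bens and Walter describe: in the filter table rather than mangle, with the chain's default policy set to DROP and explicit ACCEPT rules for the permitted ports, so no blanket DROP rule sits in front of the ACCEPTs. It assumes eth1 is the Internet-facing interface and takes the ports to open as arguments; both are illustrative choices. It also includes a small checker that reads a list of iptables commands and reports an ACCEPT that is shadowed by an earlier blanket DROP in the same chain, which is exactly the ordering problem in the first post.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: eth1 faces the Internet,
# the ports given on the command line are the ones the LAN may reach.

# emit_forward_rules PREFIX PORT...
#   Emits one iptables command per line, in the order they are evaluated.
#   PREFIX is prepended to each command: "echo" gives a reviewable dry run,
#   "" actually applies the rules (needs root and the conntrack match).
emit_forward_rules() {
    prefix=$1
    shift
    # 1. Flush the chain, then set the policy. Everything that no rule below
    #    matches is dropped by the policy, so no "--dport 1:65535 -j DROP"
    #    rule is needed at the top, where it would shadow every later ACCEPT.
    $prefix iptables -t filter -F FORWARD
    $prefix iptables -t filter -P FORWARD DROP
    # 2. Replies to connections already allowed, in either direction.
    $prefix iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. New outbound connections from the LAN, one tcp/udp pair per port.
    for port in "$@"; do
        $prefix iptables -t filter -A FORWARD -o eth1 -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        $prefix iptables -t filter -A FORWARD -o eth1 -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # 4. Log what falls through before the policy drops it, rate limited, so
    #    blocked LAN traffic shows up in the kernel log instead of vanishing.
    $prefix iptables -t filter -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# has_shadowed_accept
#   Reads iptables commands on stdin. Returns 0 if some chain gets an ACCEPT
#   appended after a blanket DROP (no --dport at all, or a range starting at
#   port 1), i.e. an ACCEPT that can never be reached. Returns 1 otherwise.
has_shadowed_accept() {
    awk '
        {
            chain = ""
            for (i = 1; i < NF; i++) if ($i == "-A") chain = $(i + 1)
            if (chain == "") next
            if ($0 ~ /-j DROP/ && ($0 !~ /--dport/ || $0 ~ /--dport 1:/))
                blanket[chain] = 1
            else if ($0 ~ /-j ACCEPT/ && blanket[chain])
                found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed reproduction of the two rules from the first post (port 80
# stands in for $port): the ACCEPT follows a blanket DROP in the same chain.
SAMPLE_OP_RULES='iptables -t mangle -A POSTROUTING -o eth1 -s 0/0 -d 0/0 -p tcp --dport 1:65525 -j DROP
iptables -t mangle -A POSTROUTING -o eth1 -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT'

# Usage:  sh fw.sh 80 443           dry run, prints the commands
#         APPLY=1 sh fw.sh 80 443   installs them (as root)
if [ "$#" -gt 0 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        emit_forward_rules "" "$@"
    else
        emit_forward_rules echo "$@"
    fi
fi
```

Two design points: the script touches only FORWARD, so the administrator's own session to the box (INPUT chain) cannot be cut off by a reload, which is the symptom reported in the first post; and a dry run piped through has_shadowed_accept is a cheap pre-flight check before applying any hand-written ruleset. After applying, `iptables -t filter -L FORWARD -n -v --line-numbers` shows the rules in evaluation order with their packet counters, which is the quickest way to confirm that the ACCEPT rules are actually being hit.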