[SOLVED] Iptables not Blocking

[Nrot]

Working on router box and having some problems getting iptables to drop/reject anything. It's forwarding all fine and dandy but I'd like it to have a bit of protection its' self.

Here's some info on it.

Applying table.

[Anarcho]

iptables -L doesn't print out everything. Add a "-v" (complete "iptables -L -v") to get all the information. Source and destiation just specifiy IP adresses and not interfaces.

But what is the dificulty in dropping packets per default?
_________________
...it's only Rock'n'Roll, but I like it!
HOWTO:WLAN mit OpenVPN absichern | TOOL:useedit - USE-flag editor/changer

[Nrot]

What's concerning me is that even if I use -I it still allows data through. For this example say port 22 and 53. I know I can bind SSH to addresses but there's times I need away from where I'm at. I plan to have iptables protect it and have port knocking set up. But port knocking pretty pointless if the router is a open door unless I want to port knock to some internal computers.

Here's iptables -vL

[Hu]

The output from iptables-save is more useful when you are trying to examine the loaded rules, since it is designed to be a machine readable format that can recreate a perfect copy of the rules at a later time.

Could you give us an example of a packet which is being allowed that you want denied? Your rules look correct, so I suspect the test may be flawed.

Why are you only dropping the privileged ports? It would be simpler and safer to allow incoming traffic in the ESTABLISHED state, then drop any remaining traffic without regard to protocol or port.

[Nrot]

I'd have no problem switching to just allowing established traffic. I'm still trying to figure all this out...
Got forced into this a bit earlier than I had planed when my D-Link router finally died (Board discolored from heat highest external temp over 120fern). >.<
So I'm still trying to get a hold of what's going on. I have a small grasp on how to write iptable rules but nowhere where I wanted to be when I switched to using a computer and a switch.
If you could throw me a copy of what established only commands would look like I'd love to use them, and any explanation on them is greatly appreciated. Looking around on how to do that now.


Here's the first ssh packet. The rule isn't up there but iptable refuses to block when I add it or just add it with -I. This is from the lan(client) to lan(server) which I plan on keeping open but it should work for the example.

[Hu]

An appropriate rule for established connections would be iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT. Place this high enough up that it precedes any blanket deny rules. You will need CONFIG_NETFILTER_XT_MATCH_CONNTRACK enabled in the kernel. You can compile it in or build it as a module. If you build it as a module, you may need to explicitly load it with modprobe before your firewall script can use it.

Your ssh capture is not good for demonstrating the problem, since it is allowed by the third INPUT rule. It is traffic coming in on eth0, so the action for rule 3 applies: ACCEPT. Traversal of the INPUT chain stops and the packet is accepted into the IP stack.

[Nrot]

Sorry for the delay. ATT broke... again. If it weren't for the other good internet I know of was overpriced and had bandwidth restrictions I wouldn't stay.
I got a cable written that worked but didn't like it much. So I went ahead and learned the Firewall Builder GUI. Now I've got one that works with time to read the documentation and all and figure it out.
Thanks for the idea's got some reading in on them! Just realized that the box is smart enough to realize even when try to connect to the external IP that I'm still coming from within! Never had a router do that. Somewhat nice, just worry about the spoof ability of that. Guess I'll find out sometime.