Gentoo Forums
Questioning iptables behavior
dE_logics
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Sun Jun 20, 2010 4:56 pm    Post subject: Questioning iptables behavior

I set
Code:
iptables -t filter -A OUTPUT -o eth0 -p all -j DROP


To allow blocking of almost all connections from the interface eth0. But I can surf, download (FTP, HTTP etc...). So why is this not blocking everything? However, if I set the default policy of the OUTPUT chain to DROP, it works as expected.

So are the rules in the chain not matching, and if yes, why?
_________________
My blog
Hu
Moderator


Joined: 06 Mar 2007
Posts: 16016

PostPosted: Sun Jun 20, 2010 5:30 pm    Post subject:

What is the output of iptables-save -c in the failed case?
oRDeX
Veteran


Joined: 19 Oct 2003
Posts: 1309

PostPosted: Sun Jun 20, 2010 9:31 pm    Post subject:

Is there any other rule in the chain? Have you tried removing -o eth0?! (I imagine that eth0 is your interface to the internet.)
d2_racing
Bodhisattva


Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada

PostPosted: Sun Jun 20, 2010 10:31 pm    Post subject:

Can you post this:
Code:

# iptables -L
dE_logics
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Mon Jun 21, 2010 4:34 am    Post subject:

iptables -L

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere


Code:
# Generated by iptables-save v1.4.7 on Mon Jun 21 15:24:56 2010
*raw
:PREROUTING ACCEPT [172:118591]
:OUTPUT ACCEPT [172:17952]
COMMIT
# Completed on Mon Jun 21 15:24:56 2010
# Generated by iptables-save v1.4.7 on Mon Jun 21 15:24:56 2010
*mangle
:PREROUTING ACCEPT [172:118591]
:INPUT ACCEPT [168:118511]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [172:17952]
:POSTROUTING ACCEPT [172:17952]
COMMIT
# Completed on Mon Jun 21 15:24:56 2010
# Generated by iptables-save v1.4.7 on Mon Jun 21 15:24:56 2010
*filter
:INPUT ACCEPT [2:112]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:248]
[0:0] -A OUTPUT -o eth0 -j DROP
COMMIT
# Completed on Mon Jun 21 15:24:56 2010


Removing -o eth0 does the trick. But I would like to know why this happened. Here's the iptables -L without specifying the output interface:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere


Which is identical.
_________________
My blog
Anarcho
Advocate


Joined: 06 Jun 2004
Posts: 2967
Location: Germany

PostPosted: Mon Jun 21, 2010 5:52 am    Post subject:

You should use

iptables -L -v

to show all information about the rules.

But could it be that eth0 isn't your outgoing interface? Could it be another ethX or even ppp0 in case of DSL etc?
_________________
...it's only Rock'n'Roll, but I like it!
dE_logics
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Mon Jun 21, 2010 6:29 am    Post subject:

No, eth0 is the only active interface I have... that's connected to the Internet.
_________________
My blog
Anarcho
Advocate


Joined: 06 Jun 2004
Posts: 2967
Location: Germany

PostPosted: Mon Jun 21, 2010 7:58 am    Post subject:

Could you please provide:

ifconfig -a

iptables -L -v
_________________
...it's only Rock'n'Roll, but I like it!
d2_racing
Bodhisattva


Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada

PostPosted: Mon Jun 21, 2010 11:42 am    Post subject:

There is something wrong for sure.
dE_logics
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Mon Jun 21, 2010 4:34 pm    Post subject:

iptables -L -v
Code:
Chain INPUT (policy ACCEPT 27 packets, 8018 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        udp  --  ppp+   any     anywhere             anywhere            udp dpts:0:1023 LOG level warning
    4   196 LOG        tcp  --  ppp+   any     anywhere             anywhere            tcp dpts:0:1023 LOG level warning
    0     0 DROP       udp  --  ppp+   any     anywhere             anywhere            udp dpts:0:1023
    4   196 DROP       tcp  --  ppp+   any     anywhere             anywhere            tcp dpts:0:1023
    3   144 LOG        tcp  --  ppp+   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
    3   144 DROP       tcp  --  ppp+   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    5  6061 DROP       icmp --  ppp+   any     anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 80 packets, 7589 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    eth0    anywhere             anywhere


ifconfig -a:

Code:
eth0      Link encap:Ethernet  HWaddr 00:1c:23:a1:9d:09                                 
          inet6 addr: fe80::21c:23ff:fea1:9d09/64 Scope:Link                           
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1                           
          RX packets:288 errors:0 dropped:0 overruns:0 frame:0
          TX packets:499 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:72143 (70.4 KiB)  TX bytes:67177 (65.6 KiB)
          Interrupt:18

lo        Link encap:Local Loopback
          LOOPBACK  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:59.94.136.245  P-t-P:59.94.128.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:267 errors:0 dropped:0 overruns:0 frame:0
          TX packets:474 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:63797 (62.3 KiB)  TX bytes:53054 (51.8 KiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Also, another small question -- to make NAT work, I don't have to configure anything in it? Just start iptables and it will start working?
_________________
My blog
dE_logics
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Mon Jun 21, 2010 4:35 pm    Post subject:

OOOk! I think I need to use ppp0 instead of eth0.

And now it works.
_________________
My blog
Anarcho
Advocate


Joined: 06 Jun 2004
Posts: 2967
Location: Germany

PostPosted: Mon Jun 21, 2010 4:52 pm    Post subject:

I don't like to quote myself, but....

Anarcho wrote:
But could it be that eth0 isn't your outgoing interface? Could it be another ethX or even ppp0 in case of DSL etc?


:twisted:


EDIT:

For NAT you would need to use the MASQUERADE Target in your postrouting table:

iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0

and enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
_________________
...it's only Rock'n'Roll, but I like it!
Hu
Moderator


Joined: 06 Mar 2007
Posts: 16016

PostPosted: Tue Jun 22, 2010 3:04 am    Post subject:

Anarcho wrote:
You should use

iptables -L -v

to show all information about the rules.
No, he should use iptables-save -c to show all information about the rules, which is why I asked for it. Using iptables -L -v does not show non-default tables, nor does it show exact packet and byte counters, nor does it prevent iptables from resolving numbers to names, which could potentially obscure useful information. You can get closer to full output with iptables -n -v -x -L, which still misses non-default tables, but does at least provide non-resolved numbers and exact counters.
dE_logics wrote:
Also, another small question -- to make NAT work, I don't have to configure anything in it? Just start iptables and it will start working?
No, you need to configure NAT properly for it to work. Specifically, you need to instruct the edge Linux to perform appropriate header rewriting on packets going from LAN to WAN. This is typically accomplished with either SNAT or MASQUERADE, depending on your WAN configuration.

Also, you need IP forwarding enabled, but that is required even if you are not doing NAT on the routed packets.
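The counters Hu asks for settle the question without guessing: in the posted output the rule sits at [0:0] while the OUTPUT policy counter reads [5:248], so packets did traverse the chain and none of them matched -o eth0. The parser below is an added example, not code from the thread; it reads iptables-save -c output (the thread's filter table, reproduced here as a constructed SAMPLE) and lists rules that never matched in chains that did see traffic.

```python
import re

# Constructed sample: the filter table from the iptables-save -c output
# posted in the thread (the only table carrying a user rule).
SAMPLE = """\
*filter
:INPUT ACCEPT [2:112]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:248]
[0:0] -A OUTPUT -o eth0 -j DROP
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]"; for built-in chains the counter is the number
# of packets that fell through every rule and were handled by the policy.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
# "[pkts:bytes] -A CHAIN <match spec>"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")

def parse_iptables_save(text):
    """Return {table: {chain: {"policy", "policy_pkts", "rules": [(pkts, spec), ...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):  # table header such as "*filter"
            table = line[1:]
            tables[table] = {}
            continue
        m = CHAIN_RE.match(line)
        if m and table:
            name, policy, pkts, _ = m.groups()
            tables[table][name] = {"policy": policy, "policy_pkts": int(pkts), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and table:
            pkts, _, chain, spec = m.groups()
            entry = tables[table].setdefault(chain, {"policy": "-", "policy_pkts": 0, "rules": []})
            entry["rules"].append((int(pkts), spec))
    return tables

def unmatched_rules(tables):
    """(table, chain, spec) for rules with a zero counter in a chain whose policy
    counter is non-zero: packets traversed the chain but the rule never matched,
    so its match criteria (here -o eth0) do not describe the real traffic."""
    return [(t, c, spec) for t, chains in tables.items() for c, info in chains.items()
            if info["policy_pkts"] > 0 for pkts, spec in info["rules"] if pkts == 0]
```

Running it over the thread's output reports the OUTPUT rule as never matched, which is the hint that the egress interface is not eth0.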
dE_logics
Advocate


Joined: 02 Jan 2009
Posts: 2253
Location: $TERM

PostPosted: Tue Jun 22, 2010 4:56 am    Post subject:

SNAT is for static IP.

Thanks for the info. Hope MASQUERADE and SNAT will work for clients with static IP also.
_________________
My blog