IPTABLES is driving me crazy!!! :P

Jeremy Fowler jfowler at westrope.com
Fri Dec 20 19:33:47 CST 2002


Not quite. Here is a little diagram of netfilter and where the different chains
attach themselves to hooks in the kernel's IP stack and routing system.

# The Netfilter System:
#
# --->[PREROUTING]------>[ROUTE]--->[FORWARD]-------->[POSTROUTING]--->
#      Conntrack     |                Filter    ^        NAT (Src)
#      Mangle        |                          |        Conntrack
#      NAT (Dst)     |                       [ROUTE]
#      (QDisk)       V                          |
#                 [INPUT] Filter             [OUTPUT] Conntrack
#                    |  Conntrack               ^   Mangle
#                    |                          |   NAT (Dst)
#                    V                          |   Filter
#

As you can see all packets first go thru the PREROUTING chain of the nat and
mangle tables first. This is the best place to block packets since it's the
single point of entry into the kernel before any routing is done. It's also
where DNAT packets are rewritten to go to other hosts. If the packet is destined
for the actual box the packet is passed thru the INPUT chain. If the packet is
destined for a host or network on either side of the host it is passed thru the
FORWARD chain. Packets originating from the host are passed thru the OUTPUT
chain. Finally, all packets leaving the host are passed thru the POSTROUTING
chain of the mangle and nat tables. This is where SNAT/Masquerading takes place
and any last minute packet mangling occurs. Hope this helps. -Jeremy

> -----Original Message-----
> From: Advancewarning [mailto:advancewarning at swbell.net]
> Sent: Friday, December 20, 2002 12:12 PM
> To: Jeremy Fowler
> Subject: Re: IPTABLES is driving me crazy!!! :P
>
>
> So let me see if I got these policies down.
>
> INPUT -  This is what is coming in to my linux box.
>
> FORWARD -  This is what is forwarded to the internet via my linux box
>
> OUTPUT - Is what my linuxbox replies with.
>
> What type of things can you do with this OUTPUT?
> Can I have it return a different IP address to someone that is pinging me? i.e. a
> bogus one?
>
>
> ----- Original Message -----
> From: "Jeremy Fowler" <jfowler at westrope.com>
> To: "Advancewarning" <advancewarning at swbell.net>; "KCLUG" <kclug at kclug.org>
> Sent: Friday, December 20, 2002 11:52 AM
> Subject: RE: IPTABLES is driving me crazy!!! :P
>
>
> > Yes, you just have to specifically name that website - by ip address,
> > network address, or hostname. Note that rules are added to the table in
> > the order they are given (if using the -A append option). A packet
> > traverses each rule in a chain until it finds a rule it matches. So make
> > sure if you want to specifically drop a host, do it before any ACCEPT
> > rules or else an ACCEPT rule may let packets thru that you don't want.
> > It's always a good idea to flush your rules to give yourself a clean
> > slate and then add the rules you want in the sequence that they should
> > be traversed. -Jeremy
> >
> > > -----Original Message-----
> > > From: Advancewarning [mailto:advancewarning at swbell.net]
> > > Sent: Friday, December 20, 2002 11:38 AM
> > > To: Jeremy Fowler; KCLUG
> > > Subject: Re: IPTABLES is driving me crazy!!! :P
> > >
> > >
> > > so if by default I drop everything and allow web in, is there a way I
> > > can just drop a certain website?
> > >
> > >
> > > Mike
> > > ----- Original Message -----
> > > From: "Jeremy Fowler" <jfowler at westrope.com>
> > > To: "Advancewarning" <advancewarning at swbell.net>; "KCLUG" <kclug at kclug.org>
> > > Sent: Friday, December 20, 2002 10:49 AM
> > > Subject: RE: IPTABLES is driving me crazy!!! :P
> > >
> > >
> > > > When you set a chain's policy to DROP all packets are dropped, unless
> > > > you add a specific rule to accept those certain types of packets. So
> > > > if you want Internet access, you have to accept those types of packet
> > > > - specifically outgoing TCP packets with a destination port of 80 and
> > > > then add a rule for the state engine to accept the incoming reply
> > > > packets.
> > > >
> > > > So
> > > >
> > > > # Drop *all* packets going across the FORWARD chain
> > > > iptables -P FORWARD DROP
> > > > # Except for RELATED and ESTABLISHED packets
> > > > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > > # Except for NEW TCP packets with destination port 80
> > > > iptables -A FORWARD -m state --state NEW -p tcp --dport 80 -j ACCEPT
> > > >
> > > >
> > > >
> > > > Then just continue to add rules that accept only the types of packets
> > > > you want thru. This may sound extremely complex at first, and it is.
> > > > It just takes time to understand the syntax, structure, and meaning of
> > > > each rule. Remember, firewall rules are both an art and a science.
> > > > Getting proficient and getting the rules right just takes time. Read
> > > > the HOWTOs on netfilter.org, search Google for sample iptables firewall
> > > > scripts (some people call them rc.firewall), and experiment. Remember
> > > > this should be fun, so take your time.
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: owner-kclug at marauder.illiana.net
> > > > [mailto:owner-kclug at marauder.illiana.net]On Behalf Of Advancewarning
> > > > Sent: Thursday, December 19, 2002 11:09 PM
> > > > To: KCLUG
> > > > Subject: IPTABLES is driving me crazy!!! :P
> > > >
> > > >
> > > > First thing is first, I want to set up all the Policies so that by
> > > > default they DROP. I did that.
> > > >
> > > > For some reason as soon as I set FORWARD to DROP I no longer have
> > > > INTERNET!
> > > >
> > > > If I leave it as ACCEPT it works.
> > > >
> > > > Another thing is how do I get Apache to work? The only way it will is
> > > > if I set all the Policies to ACCEPT.
> > > >
> > > > Also if I set OUTPUT to DROP I lose SSH capability.
> > > >
> > > > This is what I have set in order for it to work.  Is there something I
> > > > am missing here in order for all these to be set to DROP to work
> > > > properly?
> > > >
> > > >
> > > > Chain INPUT (policy DROP)
> > > > target     prot opt source               destination
> > > > LOG        all  --  anywhere             anywhere           LOG level warning
> > > > ACCEPT     all  --  muldersworld         advancewarning.net
> > > >
> > > > Chain FORWARD (policy ACCEPT)
> > > > target     prot opt source               destination
> > > > ACCEPT     all  --  anywhere             anywhere
> > > >
> > > > Chain OUTPUT (policy ACCEPT)
> > > > target     prot opt source               destination
> > > >
> > > >
> > > > Thanks!
> > > > Mike
> > > >
> > > >
> > > >
> > >
> >
>
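As an added example that is not part of the thread: a small rc.firewall-style script that addresses the three problems in the original question (FORWARD set to DROP killing Internet access, Apache on the box, and SSH breaking when OUTPUT is DROP) by following the flush-then-add-in-order and state-engine advice above. The interface names eth0 (Internet) and eth1 (LAN) and the LAN network 192.168.1.0/24 are assumptions; by default it only prints the commands, and APPLY=1 loads them.

```shell
#!/bin/sh
# Added example, not from the thread: an rc.firewall-style script that sets
# every policy to DROP and then opens only what the original poster needed.
# Assumptions: eth0 faces the Internet, eth1 the LAN, LAN is 192.168.1.0/24.
# By default the script only prints the commands; run with APPLY=1 as root
# to load them.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_rules() {
    # Clean slate first, so rule order is exactly what follows.
    ipt -F
    ipt -t nat -F
    # Default policies: anything not explicitly accepted is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # Loopback traffic is needed by local services.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # State engine passes replies on every chain; without these, DROP on
    # FORWARD or OUTPUT kills Internet access and SSH sessions.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Apache on this box: accept NEW inbound HTTP connections.
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # SSH to this box, only from the LAN side.
    ipt -A INPUT -i "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Connections the box itself opens (DNS lookups, outbound SSH, updates).
    ipt -A OUTPUT -m state --state NEW -j ACCEPT
    # LAN hosts reach the Internet: forward their NEW connections out the WAN
    # side and rewrite the source address in nat/POSTROUTING.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Log what the DROP policies discard, rate-limited to keep logs readable.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
}

firewall_rules
```

The ESTABLISHED,RELATED rules sit before the NEW rules on purpose: as the thread explains, a packet stops at the first matching rule, so reply traffic is accepted before any narrower rule is considered.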
