Gentoo Forums
[solved] iptables stop packets from going out on one IP
Forum: Networking & Security
maiku (l33t, joined 24 Mar 2004, 603 posts, location: Escaping from NY)
Posted: Mon Mar 12, 2007 8:49 pm    Post subject: [solved] iptables stop packets from going out on one IP

I'm trying to block packets from going out and coming in through the router from one IP address.

I tried to block it with
Code:
# REJECT is only valid in the filter table's INPUT, FORWARD and OUTPUT chains
# (and user chains called from them), so iptables refuses it in the nat table.
$IPTABLES -t nat -A PREROUTING -i $WAN_IFACE -d $ip -p tcp -j REJECT
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $ip -p tcp -j REJECT
to prevent packets from being routed to the internet but that threw errors. Then I tried
Code:
# -p tcp limits these to TCP; ICMP (ping) and UDP from/to $ip are not matched.
$IPTABLES -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d $ip -p tcp -j REJECT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $ip -p tcp -j REJECT
which just didn't work. Any suggestions?
embobo (Guru, joined 19 May 2003, 311 posts)
Posted: Mon Mar 12, 2007 9:26 pm

The FORWARD rules should work.

You are trying to block an IP on the LAN, correct? Otherwise, you have it backwards.

There may be another rule before this one that matches the packet and then ACCEPTs it. You may wish to post the output of "iptables -L -v -n". You may also try using http://itval.sourceforge.net/ to see what rules the traffic is matching.
maiku (l33t, joined 24 Mar 2004, 603 posts, location: Escaping from NY)
Posted: Mon Mar 12, 2007 9:35 pm

I'm trying to stop packets from going out from the IP to the rest of the world (and the other way around). Here is the iptables output.

Quote:
# iptables -L -v -n
Chain INPUT (policy ACCEPT 283K packets, 2095M bytes)
 pkts bytes target  prot opt in    out  source          destination
    0     0 DROP    all  --  eth0  *    66.154.102.171  0.0.0.0/0
80618   17M ACCEPT  all  --  *     *    0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
    5   200 DROP    icmp --  eth0  *    0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:22 limit: avg 1/min burst 2
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:21 limit: avg 2/min burst 3
    0     0 ACCEPT  udp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    udp dpt:1194
    4   208 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    multiport dports 80,81 state NEW
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:8000
    1    48 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:25
 2006  101K ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpts:50500:50600
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpts:50000:50100
  134 13160 ACCEPT  all  --  !eth0 *    0.0.0.0/0       0.0.0.0/0    state NEW
 2010  190K REJECT  all  --  eth0  *    0.0.0.0/0       0.0.0.0/0    reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 168M packets, 104G bytes)
 pkts bytes target  prot opt in    out  source          destination
    0     0 REJECT  tcp  --  eth0  br0  0.0.0.0/0       10.0.0.5     reject-with icmp-port-unreachable
    0     0 REJECT  tcp  --  br0   eth0 10.0.0.5        0.0.0.0/0    reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 278K packets, 54M bytes)
 pkts bytes target  prot opt in    out  source          destination
 119K  263M ACCEPT  all  --  *     *    0.0.0.0/0       0.0.0.0/0
and
Quote:
# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 9588K packets, 1843M bytes)
 pkts bytes target     prot opt in    out  source          destination
   98  5712 REDIRECT   tcp  --  br0   *    0.0.0.0/0       !10.0.0.1    tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 253K packets, 33M bytes)
 pkts bytes target     prot opt in    out  source          destination
  349 21900 MASQUERADE all  --  *     eth0 0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1338K packets, 145M bytes)
 pkts bytes target     prot opt in    out  source          destination

embobo (Guru, joined 19 May 2003, 311 posts)
Posted: Mon Mar 12, 2007 9:44 pm

Quote:
# iptables -L -v -n
Chain FORWARD (policy ACCEPT 168M packets, 104G bytes)
 pkts bytes target  prot opt in    out  source          destination
    0     0 REJECT  tcp  --  eth0  br0  0.0.0.0/0       10.0.0.5     reject-with icmp-port-unreachable
    0     0 REJECT  tcp  --  br0   eth0 10.0.0.5        0.0.0.0/0    reject-with icmp-port-unreachable


This is saying:

block any traffic coming from eth0 and going to br0 IP 10.0.0.5
block any traffic coming from br0 IP 10.0.0.5 and going to eth0

Is br0 the LAN interface and eth0 the WAN interface?

Also, is br0 a bridge? If so you need to make sure the kernel is configured to apply netfilter to bridged packets and you then use "-m physdev --physdev-in <interface>" syntax rather than the "-i <interface>" syntax.
maiku (l33t, joined 24 Mar 2004, 603 posts, location: Escaping from NY)
Posted: Mon Mar 12, 2007 11:43 pm

Changed the rules (and added in the proper kernel module)
Quote:
# --physdev-in expects the name of a bridge port (an interface enslaved to br0),
# not the bridge device itself; it only applies to packets on the bridge path.
$IPTABLES -m physdev -A FORWARD --physdev-in $LAN_IFACE -o $WAN_IFACE -s $ip -j REJECT
so
Quote:
# iptables -L -v -n
Chain INPUT (policy ACCEPT 283K packets, 2095M bytes)
 pkts bytes target  prot opt in    out  source          destination
    0     0 DROP    all  --  eth0  *    66.154.102.171  0.0.0.0/0
  257 91500 ACCEPT  all  --  *     *    0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 DROP    icmp --  eth0  *    0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:22 limit: avg 1/min burst 2
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:21 limit: avg 2/min burst 3
    0     0 ACCEPT  udp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    udp dpt:1194
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    multiport dports 80,81 state NEW
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:8000
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:25
   43  2144 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpts:50500:50600
    0     0 ACCEPT  tcp  --  eth0  *    0.0.0.0/0       0.0.0.0/0    state NEW tcp dpts:50000:50100
    5   568 ACCEPT  all  --  !eth0 *    0.0.0.0/0       0.0.0.0/0    state NEW
   16  3384 REJECT  all  --  eth0  *    0.0.0.0/0       0.0.0.0/0    reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 168M packets, 104G bytes)
 pkts bytes target  prot opt in    out  source          destination
    0     0 REJECT  tcp  --  eth0  br0  0.0.0.0/0       10.0.0.5     reject-with icmp-port-unreachable
    0     0 REJECT  all  --  *     eth0 10.0.0.5        0.0.0.0/0    PHYSDEV match --physdev-in br0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 278K packets, 54M bytes)
 pkts bytes target  prot opt in    out  source          destination
  289 90866 ACCEPT  all  --  *     *    0.0.0.0/0       0.0.0.0/0
but
Quote:
britt-gentoo-0 ~ # ping -c4 yahoo.com
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=52 time=85.2 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=52 time=84.9 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=3 ttl=53 time=90.7 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=4 ttl=53 time=90.3 ms

--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 84.963/87.851/90.775/2.752 ms

britt-gentoo-0 is 10.0.0.5.

I wonder what I'm doing wrong.
maiku (l33t, joined 24 Mar 2004, 603 posts, location: Escaping from NY)
Posted: Tue Mar 13, 2007 1:32 am

Aha! -j REJECT doesn't work. The packets have to be dropped in PREROUTING. And I'm assuming PREROUTING only takes place when doing routing so packets go out before they even are looked at. So the final score is:
Quote:
# DROP is accepted in the nat table (REJECT is not). Note that only the first
# packet of each connection traverses the nat table.
$IPTABLES -t nat -A PREROUTING -i $WAN_IFACE -d $ip -j DROP
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $ip -j DROP
prevents internet usage on 10.0.0.5.
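Two points in this thread are easier to see with a packet-path model than with counters: embobo's point that a packet's fate may already be decided by an earlier rule or a different chain, and maiku's final observation that the block only took effect once it sat in PREROUTING. The model below is an added example and not code from the thread or from iptables; it implements first-match chain evaluation, the routing decision after PREROUTING, and the effect of the thread's nat REDIRECT rule, which rewrites a LAN host's port-80 traffic to the router's own squid so that it is delivered locally (INPUT) and never traverses FORWARD. Interfaces, addresses and ports are taken from the thread's listings (eth0 = WAN, br0 = LAN, 10.0.0.5 = the host to cut off, squid on 3128, router at 10.0.0.1); the rule order, the INPUT chain, the routing table and the test packets are constructed assumptions. It also contrasts the thread's tcp-only FORWARD rules with a corrected set that drops all protocols and places the drop ahead of the REDIRECT.

```python
"""Toy model of the netfilter path a packet takes through the thread's router.

Added example, not code from the thread. Models only first-match evaluation,
the nat PREROUTING REDIRECT to the local proxy, and per-protocol matching.
Rule order, the INPUT chain and the routing table are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional

ROUTER_LAN_IP = "10.0.0.1"   # the address excluded by the thread's REDIRECT rule (!10.0.0.1)


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT, DROP, REJECT or REDIRECT
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    redir_port: Optional[int] = None

    def matches(self, pkt: Packet, out_iface: Optional[str]) -> bool:
        # None means "not specified", like an omitted -i/-o/-p/-s/-d/--dport.
        return all([
            self.in_iface in (None, pkt.in_iface),
            self.out_iface in (None, out_iface),
            self.proto in (None, pkt.proto),
            self.src in (None, pkt.src),
            self.dst in (None, pkt.dst),
            self.dport in (None, pkt.dport),
        ])


def walk(chain, pkt, out_iface=None, policy="ACCEPT"):
    """First matching rule wins; the chain policy applies when none matches."""
    for rule in chain:
        if rule.matches(pkt, out_iface):
            return rule
    return Rule(policy)


def route(pkt):
    """Assumed routing table: router itself, 10.0.0.0/24 via br0, everything else via eth0."""
    if pkt.dst == ROUTER_LAN_IP:
        return "local"
    return "br0" if pkt.dst.startswith("10.0.0.") else "eth0"


def traverse(pkt, prerouting, forward, inp):
    """Return (chain, verdict): where the packet's fate was decided, and how."""
    hit = walk(prerouting, pkt)
    if hit.target == "DROP":
        return ("PREROUTING", "DROP")
    if hit.target == "REDIRECT":
        # REDIRECT rewrites the destination to the router's own address, so the
        # routing decision that follows delivers the packet locally (INPUT);
        # it never reaches FORWARD.
        pkt = replace(pkt, dst=ROUTER_LAN_IP, dport=hit.redir_port)
    out = route(pkt)
    if out == "local":
        return ("INPUT", walk(inp, pkt).target)
    return ("FORWARD", walk(forward, pkt, out_iface=out).target)


# The thread's rules as listed: HTTP REDIRECT to squid, tcp-only REJECTs in FORWARD.
THREAD_PREROUTING = [Rule("REDIRECT", in_iface="br0", proto="tcp", dport=80, redir_port=3128)]
THREAD_FORWARD = [
    Rule("REJECT", in_iface="eth0", out_iface="br0", proto="tcp", dst="10.0.0.5"),
    Rule("REJECT", in_iface="br0", out_iface="eth0", proto="tcp", src="10.0.0.5"),
]
THREAD_INPUT = []   # assumed: the listing accepts NEW from !eth0 and has policy ACCEPT

# A corrected set: no -p restriction, and a DROP ahead of the REDIRECT so proxied HTTP
# is stopped too ("iptables -t raw -I PREROUTING 1 ..." is the usual place for such a
# drop; the thread used the nat table).
FIXED_PREROUTING = [Rule("DROP", in_iface="br0", src="10.0.0.5")] + THREAD_PREROUTING
FIXED_FORWARD = [
    Rule("DROP", in_iface="eth0", out_iface="br0", dst="10.0.0.5"),
    Rule("DROP", in_iface="br0", out_iface="eth0", src="10.0.0.5"),
]


def scenarios(prerouting, forward, inp):
    """Constructed packets: the thread's ping, a web fetch, ssh, an inbound ping, another LAN host."""
    pkts = {
        "ping_out": Packet("br0", "icmp", "10.0.0.5", "66.94.234.13"),
        "web_out": Packet("br0", "tcp", "10.0.0.5", "66.94.234.13", dport=80),
        "ssh_out": Packet("br0", "tcp", "10.0.0.5", "66.94.234.13", dport=22),
        "ping_in": Packet("eth0", "icmp", "66.94.234.13", "10.0.0.5"),
        "other_host_web": Packet("br0", "tcp", "10.0.0.7", "66.94.234.13", dport=80),
    }
    return {name: traverse(p, prerouting, forward, inp) for name, p in pkts.items()}


if __name__ == "__main__":
    for label, chains in [("thread", (THREAD_PREROUTING, THREAD_FORWARD, THREAD_INPUT)),
                          ("fixed", (FIXED_PREROUTING, FIXED_FORWARD, THREAD_INPUT))]:
        for name, (chain, verdict) in scenarios(*chains).items():
            print(f"{label:6} {name:15} -> {chain}/{verdict}")
```

With the thread's rules, the ICMP ping from 10.0.0.5 passes FORWARD because both rules carry `-p tcp`, and a port-80 fetch never enters FORWARD at all: the REDIRECT sends it to the local squid, which then fetches on the host's behalf from the router's own OUTPUT chain. Only an unproxied TCP flow such as ssh hits the REJECT. With the corrected set, everything from 10.0.0.5 is dropped before the REDIRECT and inbound traffic to it is dropped in FORWARD regardless of protocol, while another LAN host's web traffic is still proxied. Two caveats the model deliberately leaves out: the nat table only sees the first packet of each connection, which is why the raw or mangle table is the conventional place for a plain DROP in PREROUTING; and `-m physdev --physdev-in` names a bridge port (an interface enslaved to br0), not the bridge device, and matters only for traffic that is bridged rather than routed, whereas routed traffic arriving through br0 matches `-i br0` as in the thread's first FORWARD rules.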