Gentoo Forums
iptables -i eth0 problems
marco2010
n00b


Joined: 23 Jul 2008
Posts: 3

Posted: Wed Jul 23, 2008 10:57 am    Post subject: iptables -i eth0 problems

Hi,
I am trying to set up a firewall with iptables. I already had one and it worked fine; now I have added one more network card and I wanted to configure different INPUT rules on each interface.

The problem is that iptables doesn't seem to recognize the -i and -o switches.
No matter if I specify -i ethX (even if I write -i eth3, and there is no eth3!) it doesn't return an error but just applies the rules to every existing network interface, lo included.


With iptables -L it doesn't even show the interface column.

Any help would be appreciated
thank you
nephron
n00b


Joined: 18 Oct 2007
Posts: 66

Posted: Wed Jul 23, 2008 8:15 pm    Post subject:

Hey marco2010!

I only use shorewall to set up iptables rules.
Maybe you want to use it? It's more efficient and optimized for setting up a firewall. When you try to start or check shorewall it tells you which kernel support for netfilter is missing.

To run shorewall you need to activate (not everything):

Code:

Networking  --->
[*] Network packet filtering framework (Netfilter)  --->
[*]   Advanced netfilter configuration
[*]   Network packet filtering debugging
<*> Netfilter connection tracking support
 -*-   Connection tracking flow accounting
 -*-   Connection mark tracking support
<*>   FTP protocol support
<*>   IRC protocol support
 -*- Netfilter Xtables support (required for ip_tables)
<*>   "CLASSIFY" target support
<*>   "CONNMARK" target support
<*>   "DSCP" and "TOS" target support
<*>   "MARK" target support
<*>   "NFQUEUE" target Support
<*>   "NFLOG" target support
<*>   "NOTRACK" target support
<*>   "TRACE" target support
<*>   "TCPMSS" target support
<*>   "comment" match support
<*>   "connbytes" per-connection counter match support
<*>   "connlimit" match support
<*>   "connmark" connection mark match support
<*>   "conntrack" connection tracking match support
<*>   "dccp" protocol match support
<*>   "dscp" and "tos" match support
<*>   "esp" match support
<*>   "helper" match support
<*>   "length" match support
<*>   "limit" match support
<*>   "mac" address match support
<*>   "mark" match support
<*>   "multiport" Multiple port match support
<*>   "pkttype" packet type match support
<*>   "quota" match support
<*>   "realm" match support
<*>   "sctp" protocol match support (EXPERIMENTAL)
<*>   "state" match support
<*>   "statistic" match support
<*>   "string" match support
<*>   "tcpmss" match support
<*>   "time" match support
<*>   "u32" match support
<*>   "hashlimit" match support
IP: Netfilter Configuration  --->
<*> IPv4 connection tracking support (required for NAT)
[*]   proc/sysctl compatibility with old connection tracking
< > IP Userspace queueing via NETLINK (OBSOLETE)
<*> IP tables support (required for filtering/masq/NAT)
<*>   "recent" match support
<*>   "ecn" match support
<*>   "ah" match support
<*>   "ttl" match support
<*>   "addrtype" address type match support
<*>   Packet filtering
<*>     REJECT target support
<*>   LOG target support
<*>   ULOG target support
<*>   Full NAT
<*>     MASQUERADE target support
<*>     REDIRECT target support
<*>     NETMAP target support
<*>     Basic SNMP-ALG support
<*>   Packet mangling
<*>     ECN target support
<*>     TTL target support
< >     CLUSTERIP target support (EXPERIMENTAL)
<*>   raw table support (required for NOTRACK/TRACE)
<*> ARP tables support
<*>   ARP packet filtering
<*>   ARP payload mangling


With these settings I was able to use iptables... and finally also shorewall ;)

n3ph
Hu
Administrator


Joined: 06 Mar 2007
Posts: 23081

Posted: Thu Jul 24, 2008 3:11 am    Post subject:

The interface column is not shown unless you specify --verbose. It is legal to specify interface names that do not exist, since they may exist later when additional drivers load or a VPN comes up. How do you know that iptables is applying the rules to improper interfaces?
marco2010
n00b


Joined: 23 Jul 2008
Posts: 3

Posted: Thu Jul 24, 2008 7:11 am    Post subject:

Hi,

This is my situation:
I have a Gentoo box with two NICs, both connected to the same LAN: eth0: 10.0.0.10, eth1: 10.0.0.11

10.0.0.10 is the address where my public IP is redirected from the router with full NAT (I can't change this; the router is provided by my ISP and it is locked).

I would like iptables to drop all packets on eth0 except for ssh, and accept everything on eth1.
I don't need any routing between them.

I first tried with this very simple example:

Code:


iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F

#accept only ssh on eth0
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -j ACCEPT

#accept everything from eth1
iptables -A INPUT     -i eth1 -j ACCEPT

#and accept everything on the  loopback
iptables -A INPUT     -i  lo -j ACCEPT

The problem with these settings is that I am still able to connect to all services on eth0 (it accepts everything), e.g. samba on \\10.0.0.10 (and this means they are open to the outside).
I am sure I made some mistake with iptables but I can't figure out where.
Thank you again
marco
marco2010
n00b


Joined: 23 Jul 2008
Posts: 3

Posted: Thu Jul 24, 2008 11:56 am    Post subject: Solved

I made a big mistake:
two interfaces on the same subnet can cause lots of problems. That was the problem; I will change one subnet.

thank you

ciao
Hu
Administrator


Joined: 06 Mar 2007
Posts: 23081

Posted: Fri Jul 25, 2008 2:58 am    Post subject:

marco2010 wrote:

Code:

#accept only ssh on eth0
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -j ACCEPT

The problem with these settings is that I am still able to connect to all services on eth0 (it accepts everything), e.g. samba on \\10.0.0.10

The comment says that the rule only applies to ssh, but the rule applies to any TCP connection.
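The two technical points of the thread in one place, as an added example that is not code from the thread or from any of its posters: marco2010's ruleset with the stated intent ("ssh only on eth0, everything on eth1") actually enforced by adding `--dport 22` to the eth0 rule, and Hu's point that the interface column only appears with `-v`/`--verbose`. The interface roles (eth0 NAT-exposed, eth1 LAN) and the ssh port 22 are assumptions taken from the discussion; the script takes the command to run as its argument so it can be dry-run with `echo` before being applied with `iptables` as root.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumptions: eth0 is the interface
# the router NATs the public IP to, eth1 is the trusted LAN side, ssh is on 22.
# $1 is the command used to apply rules: "iptables" for real, "echo" for a dry run.
apply_rules() {
    ipt="${1:-iptables}"

    # Default policies: drop inbound and forwarded traffic, allow outbound.
    "$ipt" -P INPUT DROP
    "$ipt" -P OUTPUT ACCEPT
    "$ipt" -P FORWARD DROP
    "$ipt" -F INPUT

    # Loopback and replies to connections this box initiated, on any interface.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # eth0: only NEW TCP connections to the ssh port.  The rule in the thread
    # had no --dport, so it matched every TCP service (samba included).
    "$ipt" -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # eth1: accept everything.
    "$ipt" -A INPUT -i eth1 -j ACCEPT
}

# List INPUT with -v so the "in"/"out" interface columns are shown; a plain
# "iptables -L" hides them, which is what confused the original poster.
show_rules() {
    ipt="${1:-iptables}"
    "$ipt" -L INPUT -v -n --line-numbers
}

# When run as a script: dry run by default; pass "iptables" (as root) to apply.
apply_rules "${1:-echo}"
show_rules "${1:-echo}"
```

Run `sh firewall.sh` first to review the generated rules, then `sh firewall.sh iptables` as root and check that the `in` column of the listing shows `eth0` and `eth1` rather than `*`. One caveat that fits marco2010's final fix: with both NICs on the same subnet, interface-based filtering is unreliable regardless of the rules, because Linux by default answers ARP requests for any local address on any interface (`net.ipv4.conf.all.arp_ignore` = 0), so traffic addressed to 10.0.0.10 can arrive on eth1 and be accepted by the eth1 rule; putting the interfaces on separate subnets, as done in the thread, removes that ambiguity.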