From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: multiport
Date: Fri, 17 Jun 2005 10:16:50 +0200
Message-ID: <42B286F2.3050302@mnemon.de>
In-Reply-To: <1118935612.16084.16.camel@debianbox>

Hi,

Sadus . wrote:
> Maybe a misconception from my part here, please correct me:
> 
> When you want to block an IP from connecting to the internet, should I
> use:
> iptables -A INPUT -i $INTERNAL -s 192.168.1.2 -j DROP
> or
> iptables -A FORWARD -i $INTERNAL -s 192.168.1.2 -j DROP or both?
> 
> Since the firewall is set to the gateway, then any client will try to
> connect to the IP of the gateway to then establish a connection with the
> site needed. If I already block that IP to connect to my NIC via the
> INPUT chain, then there is no need for me to DROP in FORWARD, or is it
> the other way around?

It depends on your configuration. If you use a proxy on your gateway /
firewall like squid, then the INPUT chain will be hit, because your
clients connect to your proxy. BTW, in this configuration you don't need
to set ip_forward to 1.

If, on the other hand, there is no proxy, then your clients connect
directly to the respective site on the internet and thus the forward
chain will be hit. Because your clients use RFC 1918 addresses, which
will be dropped on the first router on the internet, you need a
MASQUERADE / SNAT rule in nat / POSTROUTING in this case. Otherwise
nothing will work. And you must set ip_forward to 1.

Generally I agree with all the people saying that the best
approach is to have a DROP policy in INPUT / FORWARD and then only allow
the traffic you want. It's simple and clean in my opinion.

HTH and have a nice time,

Joerg


