* firewall ignore the rule
@ 2005-07-13 10:52 liyas_m m
2005-07-13 10:54 ` Jan Engelhardt
2005-07-13 11:08 ` Cedric Blancher
0 siblings, 2 replies; 13+ messages in thread
From: liyas_m m @ 2005-07-13 10:52 UTC (permalink / raw)
To: netfilter
I have iptables 1.2.7 installed on my firewall.
The problem is that when I try to block traffic from a certain address, it
just does not work, e.g.
iptables -A INPUT -s 10.5.33.22 -j DROP
but when I run iptraf, there is still traffic sent from the source address.
Any idea why?
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: firewall ignore the rule
2005-07-13 10:52 firewall ignore the rule liyas_m m
@ 2005-07-13 10:54 ` Jan Engelhardt
2005-07-13 11:08 ` Cedric Blancher
1 sibling, 0 replies; 13+ messages in thread
From: Jan Engelhardt @ 2005-07-13 10:54 UTC (permalink / raw)
To: liyas_m m; +Cc: netfilter
>iptables -A INPUT -s 10.5.33.22 -j DROP
Make sure that traffic is not ACCEPTed before.
>but when I run iptraf, there is still traffic sent from the source address.
>Any idea why?
Iptraf bypasses netfilter and so sees _all_ packets.
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
* Re: firewall ignore the rule
2005-07-13 10:52 firewall ignore the rule liyas_m m
2005-07-13 10:54 ` Jan Engelhardt
@ 2005-07-13 11:08 ` Cedric Blancher
2005-07-14 1:55 ` liyas_m m
1 sibling, 1 reply; 13+ messages in thread
From: Cedric Blancher @ 2005-07-13 11:08 UTC (permalink / raw)
To: liyas_m m; +Cc: netfilter
On Wednesday 13 July 2005 at 18:52 +0800, liyas_m m wrote:
> The problem is that when I try to block traffic from a certain address, it
> just does not work, e.g.
> iptables -A INPUT -s 10.5.33.22 -j DROP
If you work on routed traffic, then you have to put this rule in the
FORWARD chain:
iptables -A FORWARD -s 10.5.33.22 -j DROP
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
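The two explanations given so far (Jan: an earlier ACCEPT may already have decided the packet; Cedric: routed traffic never traverses INPUT) are both consequences of how netfilter walks a chain: top to bottom, first terminal match wins, and the chain itself is chosen by whether the packet is addressed to the firewall or routed through it. The following is an added example, not code from the thread, that models both over a constructed `iptables-save` dump. The ruleset, the firewall address 10.5.1.1 and the hosts 192.168.1.5 are invented for the example; only the `-s`, `-d`, `-p` and `-j` options are modelled, so interface or `-m` matches in a real dump would be ignored.

```python
"""Model of iptables first-match evaluation over a filter-table dump.

Added example, not code from the thread: it shows the two failure modes the
replies name, a DROP rule that an earlier ACCEPT shadows, and a rule placed
in INPUT when the traffic is actually being routed through FORWARD.
The dump below is constructed for the example; only -s/-d/-p/-j are modelled.
"""
import ipaddress
import shlex

# Constructed iptables-save output (assumed, not the poster's real ruleset).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.5.0.0/16 -j ACCEPT
-A INPUT -s 10.5.33.22/32 -j DROP
COMMIT
"""

FIREWALL_ADDRS = ["10.5.1.1"]  # assumed addresses of the firewall itself
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _parse_rule(toks):
    """Turn one '-A CHAIN ...' token list into a rule dict; unknown options are skipped."""
    rule = {"src": None, "dst": None, "proto": None, "target": None, "text": " ".join(toks)}
    i = 2
    while i < len(toks):
        opt = toks[i]
        if opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif opt == "-p":
            rule["proto"] = toks[i + 1].lower()
            i += 2
        elif opt == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1  # e.g. -i/-o/-m: not modelled, so this model may over-match
    return rule


def parse_iptables_save(text):
    """Return (policies, chains) for the filter table of an iptables-save dump."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)
            chains.setdefault(toks[1], []).append(_parse_rule(toks))
    return policies, chains


def _matches(rule, src, dst, proto):
    return ((rule["src"] is None or src in rule["src"])
            and (rule["dst"] is None or dst in rule["dst"])
            and rule["proto"] in (None, "all", proto))


def verdict(policies, chains, chain, src, dst, proto="tcp"):
    """Walk one chain top to bottom; the first matching terminal rule decides.
    Returns (target, index of the deciding rule, or None if the policy applied)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, rule in enumerate(chains[chain]):
        if rule["target"] in TERMINAL and _matches(rule, src, dst, proto):
            return rule["target"], idx
    return policies[chain], None


def chain_for(dst, firewall_addrs=FIREWALL_ADDRS):
    """Packets addressed to the firewall traverse INPUT; routed packets traverse FORWARD."""
    local = {ipaddress.ip_address(a) for a in firewall_addrs}
    return "INPUT" if ipaddress.ip_address(dst) in local else "FORWARD"


def shadowed_drops(chains, chain):
    """(drop_idx, earlier_idx) pairs where an earlier ACCEPT/REJECT already decides
    every packet the DROP rule could match, so the DROP can never fire."""
    rules, found = chains[chain], []
    for i, r in enumerate(rules):
        if r["target"] != "DROP" or r["src"] is None:
            continue
        for j in range(i):
            e = rules[j]
            if (e["target"] in TERMINAL and e["target"] != "DROP"
                    and e["dst"] is None and e["proto"] is None
                    and (e["src"] is None or r["src"].subnet_of(e["src"]))):
                found.append((i, j))
                break
    return found


def move_to_top(chains, chain, idx):
    """Equivalent of deleting the rule and re-adding it with 'iptables -I CHAIN 1 ...'."""
    chains[chain].insert(0, chains[chain].pop(idx))


def explain(dump, src, dst):
    """Which chain handles src->dst on this firewall and what that chain decides."""
    policies, chains = parse_iptables_save(dump)
    chain = chain_for(dst)
    target, idx = verdict(policies, chains, chain, src, dst)
    return chain, target, idx


if __name__ == "__main__":
    print(explain(SAMPLE_DUMP, "10.5.33.22", "10.5.1.1"))    # ('INPUT', 'ACCEPT', 0): shadowed
    print(explain(SAMPLE_DUMP, "10.5.33.22", "192.168.1.5"))  # ('FORWARD', 'ACCEPT', None): wrong chain
```

On a real host the equivalent checks are `iptables -L INPUT -v -n --line-numbers`, which shows both rule order and the per-rule packet counters (a DROP rule whose counter never moves while an earlier ACCEPT's counter climbs is shadowed), and `iptables -I INPUT 1 ...` to put the DROP ahead of the ACCEPT. Counters are the right evidence here; a sniffer cannot tell you what netfilter decided.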
* Re: firewall ignore the rule
2005-07-13 11:08 ` Cedric Blancher
@ 2005-07-14 1:55 ` liyas_m m
2005-07-14 2:01 ` Jason Opperisano
0 siblings, 1 reply; 13+ messages in thread
From: liyas_m m @ 2005-07-14 1:55 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
I have done that and checked with Ethereal. Still that source address
is not blocked; it is still broadcasting ARP packets, a lot.
On 7/13/05, Cedric Blancher <blancher@cartel-securite.fr> wrote:
> On Wednesday 13 July 2005 at 18:52 +0800, liyas_m m wrote:
> > The problem is that when I try to block traffic from a certain address, it
> > just does not work, e.g.
> > iptables -A INPUT -s 10.5.33.22 -j DROP
>
> If you work on routed traffic, then you have to put this rule in the
> FORWARD chain:
>
> iptables -A FORWARD -s 10.5.33.22 -j DROP
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
* Re: firewall ignore the rule
2005-07-14 1:55 ` liyas_m m
@ 2005-07-14 2:01 ` Jason Opperisano
2005-07-14 2:10 ` liyas_m m
0 siblings, 1 reply; 13+ messages in thread
From: Jason Opperisano @ 2005-07-14 2:01 UTC (permalink / raw)
To: netfilter
On Thu, Jul 14, 2005 at 09:55:23AM +0800, liyas_m m wrote:
> I have done that and checked with Ethereal. Still that source address
> is not blocked; it is still broadcasting ARP packets, a lot.
iptables/netfilter operates at layer 3. Therefore, packets generated or
received at layer 2 cannot be blocked with iptables/netfilter.
ethereal/iptraf operate at the BPF layer (layer 2), and ARP packets are
layer 2 as well.
iptables/netfilter is not at fault; you have an invalid testing
methodology.
-j
--
"Peter: Brian, there's a message in my Alpha Bits. It says "OOOOOO".
Brian: Peter, those are Cheerios."
--Family Guy
* Re: firewall ignore the rule
2005-07-14 2:01 ` Jason Opperisano
@ 2005-07-14 2:10 ` liyas_m m
2005-07-14 2:10 ` Jason Opperisano
0 siblings, 1 reply; 13+ messages in thread
From: liyas_m m @ 2005-07-14 2:10 UTC (permalink / raw)
To: Jason Opperisano, netfilter
So how do I block that source from transmitting/broadcasting packets?
On 7/14/05, Jason Opperisano <opie@817west.com> wrote:
> On Thu, Jul 14, 2005 at 09:55:23AM +0800, liyas_m m wrote:
> > I have done that and checked with Ethereal. Still that source address
> > is not blocked; it is still broadcasting ARP packets, a lot.
>
> iptables/netfilter operates at layer 3. Therefore, packets generated or
> received at layer 2 cannot be blocked with iptables/netfilter.
> ethereal/iptraf operate at the BPF layer (layer 2), and ARP packets are
> layer 2 as well.
>
> iptables/netfilter is not at fault; you have an invalid testing
> methodology.
>
> -j
>
> --
> "Peter: Brian, there's a message in my Alpha Bits. It says "OOOOOO".
> Brian: Peter, those are Cheerios."
> --Family Guy
* Re: firewall ignore the rule
2005-07-14 2:10 ` liyas_m m
@ 2005-07-14 2:10 ` Jason Opperisano
2005-07-14 2:19 ` liyas_m m
0 siblings, 1 reply; 13+ messages in thread
From: Jason Opperisano @ 2005-07-14 2:10 UTC (permalink / raw)
To: netfilter
On Thu, Jul 14, 2005 at 10:10:30AM +0800, liyas_m m wrote:
> So how do I block that source from transmitting/broadcasting packets?
Use something that operates at layer 2. arptables and ebtables come to
mind.
-j
--
"Stewie: What the hell is this?
Lois: Stewie that's tuna salad.
Stewie: Really? I could have sworn it was cat food."
--Family Guy
* Re: firewall ignore the rule
2005-07-14 2:10 ` Jason Opperisano
@ 2005-07-14 2:19 ` liyas_m m
2005-07-14 2:24 ` Jason Opperisano
2005-07-14 9:40 ` Jan Engelhardt
0 siblings, 2 replies; 13+ messages in thread
From: liyas_m m @ 2005-07-14 2:19 UTC (permalink / raw)
To: Jason Opperisano, netfilter
You mean blocking the MAC address also does not do any good? Hmm, I
thought iptables was that powerful.
On 7/14/05, Jason Opperisano <opie@817west.com> wrote:
> On Thu, Jul 14, 2005 at 10:10:30AM +0800, liyas_m m wrote:
> > So how do I block that source from transmitting/broadcasting packets?
>
> Use something that operates at layer 2. arptables and ebtables come to
> mind.
>
> -j
>
> --
> "Stewie: What the hell is this?
> Lois: Stewie that's tuna salad.
> Stewie: Really? I could have sworn it was cat food."
> --Family Guy
* Re: firewall ignore the rule
2005-07-14 2:19 ` liyas_m m
@ 2005-07-14 2:24 ` Jason Opperisano
2005-07-14 2:39 ` Ishwar Rattan
2005-07-14 9:40 ` Jan Engelhardt
1 sibling, 1 reply; 13+ messages in thread
From: Jason Opperisano @ 2005-07-14 2:24 UTC (permalink / raw)
To: netfilter
On Thu, Jul 14, 2005 at 10:19:19AM +0800, liyas_m m wrote:
> You mean blocking the MAC address also does not do any good? Hmm, I
> thought iptables was that powerful.
It is that powerful. You are currently incapable of comprehending its
power.
-j
--
"Quagmire: Don't look at me like that. Fat chicks need love too... but
they got to pay."
--Family Guy
* Re: firewall ignore the rule
2005-07-14 2:24 ` Jason Opperisano
@ 2005-07-14 2:39 ` Ishwar Rattan
2005-07-14 2:45 ` Jason Opperisano
2005-07-14 15:03 ` Nikolai Alexandrov
0 siblings, 2 replies; 13+ messages in thread
From: Ishwar Rattan @ 2005-07-14 2:39 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
On Wed, 13 Jul 2005, Jason Opperisano wrote:
> On Thu, Jul 14, 2005 at 10:19:19AM +0800, liyas_m m wrote:
> > You mean blocking the MAC address also does not do any good? Hmm, I
> > thought iptables was that powerful.
>
> It is that powerful. You are currently incapable of comprehending its
> power.
I like the response. My suggestion would have been to rewrite the tcp/ip
stack and block them at layer 1 :-)
-ishwar
* Re: firewall ignore the rule
2005-07-14 2:39 ` Ishwar Rattan
@ 2005-07-14 2:45 ` Jason Opperisano
2005-07-14 15:03 ` Nikolai Alexandrov
1 sibling, 0 replies; 13+ messages in thread
From: Jason Opperisano @ 2005-07-14 2:45 UTC (permalink / raw)
To: netfilter
On Wed, Jul 13, 2005 at 10:39:57PM -0400, Ishwar Rattan wrote:
> I like the response. My suggestion would have been to rewrite the tcp/ip
> stack and block them at layer 1 :-)
Layer 1 filtering is the simplest of all: unplug the cable.
-j
--
"Peter: Chris, everything I say is a lie. Except that. And that. And
that. And that. And that. And that. And that. And that."
--Family Guy
* Re: firewall ignore the rule
2005-07-14 2:19 ` liyas_m m
2005-07-14 2:24 ` Jason Opperisano
@ 2005-07-14 9:40 ` Jan Engelhardt
1 sibling, 0 replies; 13+ messages in thread
From: Jan Engelhardt @ 2005-07-14 9:40 UTC (permalink / raw)
To: liyas_m m; +Cc: netfilter
>You mean blocking the MAC address also does not do any good? Hmm, I
>thought iptables was that powerful.
There is a reason it's called _IP_tables.
What iptables can do for you is block *IP* packets with certain MAC addresses.
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
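Jason's point that ARP never reaches an IP-layer filter, his pointer to arptables and ebtables, and Jan's note that `-m mac` only lets iptables match the MAC of *IP* packets all come down to the EtherType field of the frame. The following added example (Python, not code from the thread) builds two constructed Ethernet frames from the same station, an ARP request and an IPv4 packet, parses the fields a filter would match on, and applies models of the four rules discussed: `iptables -s`, `iptables -m mac --mac-source`, `arptables -s` and `ebtables -s`. The MAC 00:11:22:33:44:55, the other addresses and the firewall's own address 10.5.1.1 are invented for the example; the rule models are simplified to the single match each rule name states, and the ebtables model assumes the frame is crossing a bridge port, which is the only path ebtables filters.

```python
"""Why an iptables '-s 10.5.33.22' rule never sees ARP from that host.

Added example, not code from the thread. It builds two constructed Ethernet
frames from the same (assumed) station, an ARP request and an IPv4 packet,
parses them, and applies models of the rules discussed: an iptables -s rule,
an iptables -m mac --mac-source rule, an arptables -s rule and an ebtables -s
rule. The MAC and addresses are invented for the example.
"""
import ipaddress
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
STATION_MAC = "00:11:22:33:44:55"  # assumed MAC of the station 10.5.33.22
STATION_IP = "10.5.33.22"


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return ipaddress.IPv4Address(text).packed


def _eth(dst, src, ethertype, payload):
    """14-byte Ethernet II header followed by the payload."""
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload


# Constructed ARP request "who has 10.5.33.1? tell 10.5.33.22", sent to broadcast.
ARP_FRAME = _eth("ff:ff:ff:ff:ff:ff", STATION_MAC, ETH_P_ARP,
                 struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)
                 + _mac(STATION_MAC) + _ip(STATION_IP) + bytes(6) + _ip("10.5.33.1"))

# Constructed IPv4/TCP packet from the same station to the firewall (checksum left 0).
IP_FRAME = _eth("00:aa:bb:cc:dd:ee", STATION_MAC, ETH_P_IP,
                struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                            _ip(STATION_IP), _ip("10.5.1.1")))


def parse_frame(raw):
    """Decode the Ethernet header plus the ARP or IPv4 fields a filter would match on."""
    frame = {"dst_mac": raw[:6].hex(":"), "src_mac": raw[6:12].hex(":"),
             "ethertype": struct.unpack("!H", raw[12:14])[0]}
    body = raw[14:]
    if frame["ethertype"] == ETH_P_ARP:
        _, _, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
        sha, spa = body[8:8 + hlen], body[8 + hlen:8 + hlen + plen]
        frame.update(arp_op=op, sender_mac=sha.hex(":"),
                     sender_ip=str(ipaddress.IPv4Address(spa)))
    elif frame["ethertype"] == ETH_P_IP:
        frame.update(ip_proto=body[9],
                     src_ip=str(ipaddress.IPv4Address(body[12:16])),
                     dst_ip=str(ipaddress.IPv4Address(body[16:20])))
    return frame


# Rule models: each returns True when that rule would drop the parsed frame.

def iptables_drop_src(frame, src_ip):
    """iptables -A INPUT -s SRC -j DROP: netfilter's IP hooks only ever see IP packets."""
    return frame["ethertype"] == ETH_P_IP and frame["src_ip"] == src_ip


def iptables_drop_mac(frame, mac):
    """iptables -A INPUT -m mac --mac-source MAC -j DROP: matches the MAC, still only on IP packets."""
    return frame["ethertype"] == ETH_P_IP and frame["src_mac"] == mac


def arptables_drop_src(frame, src_ip):
    """arptables -A INPUT -s SRC -j DROP: matches the ARP sender protocol address."""
    return frame["ethertype"] == ETH_P_ARP and frame["sender_ip"] == src_ip


def ebtables_drop_mac(frame, mac):
    """ebtables -A INPUT -s MAC -j DROP: matches the source MAC of any frame crossing a bridge port."""
    return frame["src_mac"] == mac


def verdicts(raw):
    """Apply all four rule models to one raw frame."""
    f = parse_frame(raw)
    return {"iptables -s": iptables_drop_src(f, STATION_IP),
            "iptables -m mac": iptables_drop_mac(f, STATION_MAC),
            "arptables -s": arptables_drop_src(f, STATION_IP),
            "ebtables -s": ebtables_drop_mac(f, STATION_MAC)}


if __name__ == "__main__":
    for name, raw in (("ARP", ARP_FRAME), ("IPv4", IP_FRAME)):
        print(name, verdicts(raw))
```

The ARP frame carries no IP header at all, so there is no source address for `-s` to compare against and no IP packet for `-m mac` to attach to; it is dropped only by the two layer-2 tools. Note that even arptables on the firewall only stops the firewall from processing those ARPs; as the later replies say, stopping the station from transmitting in the first place is a switch-port or cable problem, not a netfilter one.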
* Re: firewall ignore the rule
2005-07-14 2:39 ` Ishwar Rattan
2005-07-14 2:45 ` Jason Opperisano
@ 2005-07-14 15:03 ` Nikolai Alexandrov
1 sibling, 0 replies; 13+ messages in thread
From: Nikolai Alexandrov @ 2005-07-14 15:03 UTC (permalink / raw)
To: Ishwar Rattan; +Cc: netfilter
You might want to look at this project: http://arpstar.sourceforge.net/.
Ishwar Rattan wrote:
>On Wed, 13 Jul 2005, Jason Opperisano wrote:
>>On Thu, Jul 14, 2005 at 10:19:19AM +0800, liyas_m m wrote:
>>>You mean blocking the MAC address also does not do any good? Hmm, I
>>>thought iptables was that powerful.
>>It is that powerful. You are currently incapable of comprehending its
>>power.
>I like the response. My suggestion would have been to rewrite the tcp/ip
>stack and block them at layer 1 :-)
>-ishwar
end of thread, other threads:[~2005-07-14 15:03 UTC | newest]
2005-07-13 10:52 firewall ignore the rule liyas_m m
2005-07-13 10:54 ` Jan Engelhardt
2005-07-13 11:08 ` Cedric Blancher
2005-07-14 1:55 ` liyas_m m
2005-07-14 2:01 ` Jason Opperisano
2005-07-14 2:10 ` liyas_m m
2005-07-14 2:10 ` Jason Opperisano
2005-07-14 2:19 ` liyas_m m
2005-07-14 2:24 ` Jason Opperisano
2005-07-14 2:39 ` Ishwar Rattan
2005-07-14 2:45 ` Jason Opperisano
2005-07-14 15:03 ` Nikolai Alexandrov
2005-07-14 9:40 ` Jan Engelhardt