* Dropping Connections
@ 2006-12-22 8:30 Tolga Onbay
2006-12-22 14:46 ` Elvir Kuric
From: Tolga Onbay @ 2006-12-22 8:30 UTC (permalink / raw)
To: netfilter
Hi,
I want to drop all connections from/to the subnet if I don't allow them. For example, accept the msnmessenger protocol with l7-filter and forward all port 80 connections to the content filtering software. Then I want to drop all connections. I wrote the rules and set the default action to DROP. But now the clients cannot connect to msnmessenger. (I wrote the msnmessenger rule in the FORWARD chain.)
Also, no one answered my previous mail. If I asked the wrong group, or something is wrong with the subject, please remind me.
Thanks
Tolga
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
* Re: Dropping Connections
From: Elvir Kuric @ 2006-12-22 14:46 UTC (permalink / raw)
To: Tolga Onbay, netfilter
Hi Tolga,
iptables works in such a way that it checks the first
rules written in your firewall script first.
So you first have to allow everything you want and
after that stop the traffic you do not want.
If you have rules A, B, C, D written in the script in
this order
A
B
C
D
iptables will check rule A first, and so on. If rule A
drops some traffic it will be dropped even if you allow
it again in rule B, or some other rule after A.
for example
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j DROP
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
only the first rule will be checked and you will not
be able to accept new connections in the INPUT chain (
first rule ) even if you allow it in the second one.
To drop everything you can use for example
iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
iptables -A INPUT -s 0/0 -p udp -j DROP
but apply these rules after all your rules that allow
necessary traffic.
I recommend you read ( in my opinion the best
manual I ever read )
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
So the conclusion is: iptables looks at the first rules
first.
See of course man iptables.
Regards
Elvir Kuric
--- Tolga Onbay <tolgaonbay@yahoo.com> wrote:
> Hi,
>
> I want to drop all connections from/to subnet if I
> don't allow. For example, accept msnmessenger
> protocol with l7-filter and forward all 80
> connections to content filtering software. Then I
> want to drop all connections. I write the rules and
> add the default action type to Drop. But now the
> clients cannot connect to msnmessenger. (I write the
> msnmessenger rule to FORWARD chain)
>
> Also, no one answered my previous mail. If I asked the
> wrong group or something is wrong with the subject,
> please remind me.
>
> Thanks
>
>
> Tolga
>
>
>
* Re: Dropping Connections
From: jwlargent @ 2006-12-22 17:54 UTC (permalink / raw)
To: netfilter
Elvir Kuric wrote:
> Hi Tolga,
>
> iptables works in such a way that it checks the first
> rules written in your firewall script first.
> So you first have to allow everything you want and
> after that stop the traffic you do not want.
>
> If you have rules A, B, C, D written in the script in
> this order
> A
> B
> C
> D
> iptables will check rule A first, and so on. If rule A
> drops some traffic it will be dropped even if you allow
> it again in rule B, or some other rule after A.
> for example
> iptables -A INPUT -p tcp -m state --state
> NEW,RELATED,ESTABLISHED -j DROP
>
> iptables -A INPUT -p tcp -m state --state
> NEW,RELATED,ESTABLISHED -j ACCEPT
>
> only the first rule will be checked and you will not
> be able to accept new connections in the INPUT chain (
> first rule ) even if you allow it in the second one.
>
>
> To drop everything you can use for example
> iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
> iptables -A INPUT -s 0/0 -p udp -j DROP
>
> but apply these rules after all your rules that allow
> necessary traffic.
> I recommend you read ( in my opinion the best
> manual I ever read )
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
>
> So the conclusion is: iptables looks at the first rules
> first.
> See of course man iptables.
>
> Regards
>
> Elvir Kuric
>
>
> To drop everything you can use for example
> iptables -A INPUT -s 0/0 -p tcp --syn -j DROP
> iptables -A INPUT -s 0/0 -p udp -j DROP
>
>
Why not just:
iptables -A INPUT -j DROP
> but apply these rules after all your rules that allow
> necessary traffic.
> I recommend you read ( in my opinion the best
> manual I ever read )
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
>
> So the conclusion is: iptables looks at the first rules
> first.
> See of course man iptables.
>
> Regards
>
> Elvir Kuric
>
>
> --- Tolga Onbay <tolgaonbay@yahoo.com> wrote:
>
>
>> Hi,
>>
>> I want to drop all connections from/to subnet if I
>> don't allow. For example, accept msnmessenger
>> protocol with l7-filter and forward all 80
>> connections to content filtering software. Then I
>> want to drop all connections. I write the rules and
>> add the default action type to Drop. But now the
>> clients cannot connect to msnmessenger. (I write the
>> msnmessenger rule to FORWARD chain)
>>
>> Also, no one answered my previous mail. If I asked the
>> wrong group or something is wrong with the subject,
>> please remind me.
>>
>> Thanks
>>
>>
>> Tolga
>>
>>
* Dropping connections
@ 2003-12-25 4:27 Ben Prince
From: Ben Prince @ 2003-12-25 4:27 UTC (permalink / raw)
To: netfilter
Hello All,
I am running Redhat 7.3 and installed iptables from the
iptables-1.2.5-3.i386.rpm found on ftp.redhat.com . The problem I am having
is that I can't seem to DROP connections at all.
I am using the following syntax
$IPTABLES -A INPUT -s ip.address.he.re -j DROP
Did I just newb something up somewhere? Any help at all?
Thanks in advance,
Ben Prince
Cyber Pixels
Systems Administrator
ben@cyberpixels.com
* Re: Dropping connections
From: Antony Stone @ 2004-01-02 12:57 UTC (permalink / raw)
To: netfilter
On Thursday 25 December 2003 4:27 am, Ben Prince wrote:
> Hello All,
>
> I am running Redhat 7.3 and installed iptables from the
> iptables-1.2.5-3.i386.rpm found on ftp.redhat.com . The problem I am
> having is that I can't seem to DROP connections at all.
>
> I am using the following syntax
>
> $IPTABLES -A INPUT -s ip.address.he.re -j DROP
Tell us what the rest of your ruleset is, and what connection you are trying
to block (ie how are you testing it and deciding it doesn't work?).
Let's just clarify one thing to begin with - since this rule is in the INPUT
chain, you *are* trying to block a connection to the machine running
netfilter / iptables, and not a connection being routed through to somewhere
else (for which you should use the FORWARD chain), yes?
Regards,
Antony.
--
If builders made buildings the way programmers write programs, then the first
woodpecker to come along would destroy civilisation.
Please reply to the list;
please don't CC me.
* Re: Dropping connections
From: Andy Loukes @ 2004-01-02 13:24 UTC (permalink / raw)
To: Ben Prince; +Cc: netfilter
On Wed, 24 Dec 2003, Ben Prince wrote:
> I am running Redhat 7.3 and installed iptables from the
> iptables-1.2.5-3.i386.rpm found on ftp.redhat.com . The problem I am having
> is that I can't seem to DROP connections at all.
>
> I am using the following syntax
>
> $IPTABLES -A INPUT -s ip.address.he.re -j DROP
This should drop connections destined for the machine running iptables, if
it is a router you will need to drop the packets in the forward chain.
Also the order of the rules matters, if you have an ACCEPT before the DROP
then that will match first.
tcpdump is very useful for debugging. You can also add a log rule at the
top; iptables -I will insert at the top...
--
Andy Loukes
http://www.navaho.co.uk Complete Appliance Technology
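As an added example, not code from any of the posts above, the script below lays out a ruleset the way the replies in both threads recommend: a non-terminating LOG rule at the top (Andy's "iptables -I" debugging tip), accepts before any drop (Elvir's ordering point), a final catch-all drop per chain (jwlargent's "iptables -A INPUT -j DROP"), and the proxy-redirected port 80 traffic accepted in INPUT rather than FORWARD because the redirect delivers it to the firewall itself (Antony's and Andy's INPUT vs FORWARD point). It also carries a small lint that flags a DROP placed before an ACCEPT in the same chain. The LAN subnet, interface, proxy port and the use of a TCP 1863 port match in place of the l7-filter msnmessenger match are constructed assumptions.

```shell
#!/bin/sh
# Added example for the thread above (not code from any post). Generates an
# iptables-restore ruleset with allows first and drops last, plus a lint that
# catches the "DROP before ACCEPT" ordering mistake.
# Constructed assumptions: LAN 192.168.1.0/24 behind eth1, a local content
# filter on TCP 8080, MSN Messenger matched by port 1863 (assumed in place of
# an l7-filter match).
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-8080}"

# Emit the complete ruleset in iptables-restore format.
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -j LOG --log-prefix "INPUT-NEW: "
-A FORWARD -m state --state NEW -j LOG --log-prefix "FWD-NEW: "
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 1863 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
}

# Lint: read a ruleset on stdin and return 0 unless a terminating DROP/REJECT
# rule in chain $1 is followed by a later ACCEPT rule in the same chain
# (that later ACCEPT could never match). LOG is non-terminating and ignored.
# usage: gen_ruleset | rule_order_ok INPUT
rule_order_ok() {
    awk -v c="$1" '
        $1 == "-A" && $2 == c {
            if (/-j (DROP|REJECT)/) seen_drop = 1
            else if (/-j ACCEPT/ && seen_drop) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Usage: sh rules.sh check  -> lint only (default)
#        sh rules.sh apply  -> load the whole ruleset atomically (as root)
case "${1:-check}" in
    apply) gen_ruleset | iptables-restore ;;
    check) gen_ruleset | rule_order_ok INPUT && gen_ruleset | rule_order_ok FORWARD ;;
esac
```

Loading with iptables-restore replaces the tables in one step, so the firewall never sits in the half-built state that a sequence of individual iptables -A calls produces. Comments inside the heredoc are left out because iptables-restore treats only lines starting with # as comments and the ruleset is easier to diff without them.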