From: "Walter D. Wyndroski"
Date: Thu, 23 Oct 2003 03:45:01 +0000
Subject: [LARTC] iptables question
To: lartc@vger.kernel.org

First off, I know this is the LARTC list, but I've been living on this list for over a year now. :) Now with that said, I'm probably going to get flamed for my question. :)

I've read that iptables is a first match wins system. My recent experience is showing that it is a last match wins. I understand that if a packet is matched in the PREROUTING chain, it may be matched again in a subsequent chain unless the jump target was DROP.

NOTE: I am not using iptables as a true firewall, much as most people on this list do not. I'm primarily using iptables to mark packets and drop them for securing my network and to deny all traffic to my router except for a few exclusive ports.

The following is an excerpt from my router script on how I'm handling certain traffic to my router, and this works: (This example is a last match wins)

#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT    #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP    #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP    #CMTS Link

##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT

This is how I was doing it and it worked: (This example is a first match wins)
(note: I was routing the fwmark 1 to blackhole)

##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT

#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT    #CMTS Link
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j MARK --set-mark 1    #CMTS Link
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j MARK --set-mark 1    #CMTS Link

I just need someone to tell me when iptables is using first match wins versus last match wins. I think I am missing something, but I am not sure. I stay so busy with other tasks that I cannot devote the time that I need and would like to this. Anyway, many thanks in advance.

Walt Wyndroski

*******************************************************************************
* This message has been scanned by CityNET's email scanner for viruses and dangerous content
* and is believed to be clean. CityNET is proud to use MailScanner. For more information
* concerning MailScanner, visit http://www.mailscanner.info
*******************************************************************************
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
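An added example, not part of Walt's message or of iptables itself: a small Python model of how iptables walks one chain under its documented first-match semantics. Rules are tested top to bottom; the first matching rule whose target is terminating (ACCEPT, DROP) decides the packet and the walk stops, while a non-terminating target such as MARK takes effect and the walk continues. The two rule lists reproduce the two excerpts above; the packet samples (every host other than the MRTG address) and the `shadowed_rules` audit helper are constructed for the example. Run through this model, the FORWARD/mangle ordering leaves the two SNMP ACCEPT rules unreachable, because `-p ! tcp -j DROP` decides every UDP packet before they are consulted, while the PREROUTING/mangle ordering lets SNMP through and only marks the rest.

```python
"""Model of a single iptables chain walk (added example, not code from the
list post). First matching terminating rule (ACCEPT/DROP) wins; MARK is
non-terminating, so the walk continues after it. Addresses are the ones
in the message; sample packets from other hosts are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

TERMINATING = {"ACCEPT", "DROP"}
FIELDS = ("in_iface", "src", "dst", "proto", "dport")


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT", "DROP" or "MARK"
    in_iface: Optional[str] = None   # "eth+" matches any name starting with "eth"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    negate: FrozenSet[str] = frozenset()  # fields written with "!" (e.g. "-p ! tcp")
    mark: Optional[int] = None       # value given to "--set-mark"

    def matches(self, pkt: Packet) -> bool:
        """Every match specified on the rule must hold (inverted if in negate)."""
        for name in FIELDS:
            want = getattr(self, name)
            if want is None:
                continue                    # match not given on this rule
            have = getattr(pkt, name)
            if name == "dport" and have is None:
                return False                # ICMP carries no port to compare
            if name == "in_iface" and want.endswith("+"):
                hit = have.startswith(want[:-1])
            else:
                hit = have == want
            if name in self.negate:
                hit = not hit
            if not hit:
                return False
        return True


def traverse(chain: Sequence[Rule], pkt: Packet) -> Tuple[str, int, Optional[int]]:
    """Return (verdict, fwmark, index of the deciding rule). Verdict "POLICY"
    means no terminating rule matched, so the chain's default policy applies."""
    mark = 0
    for idx, rule in enumerate(chain):
        if not rule.matches(pkt):
            continue
        if rule.target == "MARK":
            mark = rule.mark if rule.mark is not None else mark
            continue                        # MARK does not end the walk
        if rule.target in TERMINATING:
            return rule.target, mark, idx
        raise ValueError("unsupported target: " + rule.target)
    return "POLICY", mark, None


def shadowed_rules(chain: Sequence[Rule], samples: Sequence[Packet]) -> List[int]:
    """Indices of rules that some sample packet matches but that are never
    reached, because an earlier terminating rule decided every such packet.
    A quick rule-order audit; it is only as thorough as the sample set."""
    out = []
    for i, rule in enumerate(chain):
        hits = [p for p in samples if rule.matches(p)]
        decided_earlier = [traverse(chain, p)[2] for p in hits]
        if hits and all(d is not None and d < i for d in decided_earlier):
            out.append(i)
    return out


ROUTER, MRTG = "172.20.0.5", "66.28.168.226"   # addresses from the message
NOT = frozenset

# First excerpt: deny rules first, SNMP ACCEPT rules last (FORWARD, mangle).
FORWARD_MANGLE = [
    Rule("ACCEPT", in_iface="eth+", dst=ROUTER, proto="icmp"),
    Rule("DROP", in_iface="eth+", dst=ROUTER, proto="tcp", negate=NOT({"proto"})),
    Rule("DROP", in_iface="eth+", dst=ROUTER, proto="tcp", dport=22, negate=NOT({"dport"})),
    Rule("ACCEPT", in_iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=161),
    Rule("ACCEPT", in_iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=162),
]
# Second excerpt: SNMP ACCEPT first, then MARK 1 (blackholed by routing) instead of DROP.
PREROUTING_MANGLE = [
    Rule("ACCEPT", in_iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=161),
    Rule("ACCEPT", in_iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=162),
    Rule("ACCEPT", in_iface="eth+", dst=ROUTER, proto="icmp"),
    Rule("MARK", in_iface="eth+", dst=ROUTER, proto="tcp", negate=NOT({"proto"}), mark=1),
    Rule("MARK", in_iface="eth+", dst=ROUTER, proto="tcp", dport=22, negate=NOT({"dport"}), mark=1),
]

# Constructed sample packets (10.0.x.x sources are made up for the example).
SNMP_POLL = Packet("eth3", MRTG, ROUTER, "udp", 161)
SNMP_TRAP = Packet("eth3", MRTG, ROUTER, "udp", 162)
SSH = Packet("eth0", "10.0.0.7", ROUTER, "tcp", 22)
HTTP = Packet("eth0", "10.0.0.7", ROUTER, "tcp", 80)
PING = Packet("eth1", "10.0.1.9", ROUTER, "icmp")
UDP_OTHER = Packet("eth0", "10.0.0.7", ROUTER, "udp", 53)
SAMPLES = [SNMP_POLL, SNMP_TRAP, SSH, HTTP, PING, UDP_OTHER]

if __name__ == "__main__":
    for name, chain in (("FORWARD/mangle", FORWARD_MANGLE), ("PREROUTING/mangle", PREROUTING_MANGLE)):
        print(name, "shadowed rule indices:", shadowed_rules(chain, SAMPLES))
        for pkt in SAMPLES:
            print("  ", pkt.in_iface, pkt.proto, pkt.dport, "->", traverse(chain, pkt))
```

The model covers one chain only. An ACCEPT in mangle PREROUTING ends that chain's walk but not the packet's journey: it still passes through the filter table's chains later, which is the cross-chain behaviour the message describes. The `shadowed_rules` check is the habit worth keeping when reordering: any ACCEPT placed after a broader terminating DROP (or after a MARK whose mark is blackholed) needs a sample packet that actually reaches it before the ruleset is considered correct.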