* Iptables don't block traffic
From: Oscar Arranz @ 2004-04-22 13:53 UTC (permalink / raw)
To: netfilter
Hi all, this is my first message to the list, so excuse me if it is too
trivial...
I have a Red Hat box running as a firewall in my network. It's
working fine, but now I'm doing tests in order to block certain Internet
traffic. I've added the following rules which should drop packets from
my PC to a known public IP (a web server):
iptables -A FORWARD -s 192.138.35.110 -d 193.110.128.200 -j DROP
But the packets are not dropped because I can still connect to the
web server.
The default rule for FORWARD chain is DROP
Any ideas?
Thanks,
Oscar
* Re: Iptables don't block traffic
From: Antony Stone @ 2004-04-22 14:46 UTC (permalink / raw)
To: netfilter
On Thursday 22 April 2004 2:53 pm, Oscar Arranz wrote:
> I have a Red Hat box running as a firewall in my network. It's
> working fine, but now I'm doing tests in order to block certain Internet
> traffic. I've added the following rules which should drop packets from
> my PC to a known public IP (a web server):
>
> iptables -A FORWARD -s 192.138.35.110 -d 193.110.128.200 -j DROP
>
> But the packets are not dropped because I can still connect to the
> web server.
>
> The default rule for FORWARD chain is DROP
>
> Any ideas?
You say you have added the above rule.
But, what have you added it *to*?
In other words, what other rules do you also have running on the machine?
That information would help us greatly in answering your question.
Regards,
Antony
--
Bill Gates has personally assured the Spanish Academy that he will never allow
the upside-down question mark to disappear from Microsoft word-processing
programs, which must be reassuring for millions of Spanish-speaking people,
though just a piddling afterthought as far as he's concerned.
- Lynne Truss, "Eats, Shoots and Leaves"
Please reply to the list;
please don't CC me.
* Re: Iptables don't block traffic
From: Andrew Schulman @ 2004-04-22 14:47 UTC (permalink / raw)
To: netfilter-wool9L35kiczKOhml7GhPkB+6BGkLq7r
> Hi all, this is my first message to the list, so excuse me if it is too
> trivial...
>
> I have a Red Hat box running as a firewall in my network. It's
> working fine, but now I'm doing tests in order to block certain Internet
> traffic. I've added the following rules which should drop packets from
> my PC to a known public IP (a web server):
>
> iptables -A FORWARD -s 192.138.35.110 -d 193.110.128.200 -j DROP
>
> But the packets are not dropped because I can still connect to the
> web server.
Look at your whole FORWARD chain: 'iptables -v -L FORWARD'. You have an
earlier rule in the chain that's allowing those packets through.
If you want to be sure, try replacing '-A' by '-I'. This will insert
your rule at the front of the FORWARD chain, instead of at the end.
> The default rule for FORWARD chain is DROP
This confirms it. If you didn't have an earlier rule that was letting
the packets through, then with a DROP policy you wouldn't need the above
rule at all.
* Re: Iptables don't block traffic
From: Oscar Arranz @ 2004-04-22 17:03 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/html, Size: 1425 bytes --]
* RE: Iptables don't block traffic
From: Rob Sterenborg @ 2004-04-22 17:13 UTC (permalink / raw)
To: netfilter
> OK, I saw the problem. The default for FORWARD chain is
> another chain called block and its rules don't block this traffic.
Well, ehm, not really.
The policy DROP for the chain means that all traffic that doesn't get
ACCEPTed, REJECTed (or whatever) by one of your rules is DROPped.
Do you have another rule in the chain that ACCEPTs this traffic, before it
reaches your DROP rule?
Because then the packets are accepted before they ever reach the DROP chain.
Gr,
Rob
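Andrew's point (an earlier ACCEPT rule in FORWARD is matched first, so the appended DROP is never reached, and `-I` instead of `-A` changes that) and Rob's point (the chain policy only decides packets that no rule matched) both come down to netfilter's first-match walk of a chain. The following is an added example, not code from the thread and not iptables itself: a small Python model of a chain that understands `-P`, `-A`, `-I [rulenum]`, `-s`, `-d` and `-j`, with the addresses from Oscar's message. The "earlier ACCEPT rule" for `192.138.35.0/24` is a constructed assumption standing in for whatever Oscar's chain actually contained; the real thing to check is the output of `iptables -v -L FORWARD --line-numbers`.

```python
# Added example: toy model of how netfilter walks a chain (first match wins,
# policy applies only when no rule matched). Not the thread's code and not
# iptables; the earlier ACCEPT rule below is a constructed assumption.
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]   # None means "any source"
    dst: Optional[ipaddress.IPv4Network]   # None means "any destination"
    target: str                            # ACCEPT, DROP, REJECT, ...

    def matches(self, src: str, dst: str) -> bool:
        return ((self.src is None or ipaddress.ip_address(src) in self.src)
                and (self.dst is None or ipaddress.ip_address(dst) in self.dst))


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, src: str, dst: str) -> Tuple[str, Optional[int]]:
        """Walk the chain top-down; return (target, 1-based rule number).
        A rule number of None means the chain policy decided."""
        for num, rule in enumerate(self.rules, start=1):
            if rule.matches(src, dst):
                return rule.target, num
        return self.policy, None

    def listing(self) -> List[str]:
        """Roughly the shape of 'iptables -L FORWARD --line-numbers'."""
        lines = [f"Chain {self.name} (policy {self.policy})"]
        for num, r in enumerate(self.rules, start=1):
            lines.append(f"{num:<3} {r.target:<7} "
                         f"{r.src or 'anywhere'} -> {r.dst or 'anywhere'}")
        return lines


def apply_command(chains: Dict[str, Chain], cmdline: str) -> None:
    """Apply a subset of iptables syntax: -P, -A, -I [rulenum], -s, -d, -j."""
    argv = shlex.split(cmdline)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    op, chain = argv[0], chains[argv[1]]
    if op == "-P":                       # set the chain policy
        chain.policy = argv[2]
        return
    pos, i = 1, 2
    if op == "-I" and i < len(argv) and argv[i].isdigit():
        pos, i = int(argv[i]), i + 1     # optional insert position
    src = dst = target = None
    while i < len(argv):
        flag, val = argv[i], argv[i + 1]
        if flag == "-s":
            src = ipaddress.ip_network(val, strict=False)
        elif flag == "-d":
            dst = ipaddress.ip_network(val, strict=False)
        elif flag == "-j":
            target = val
        else:
            raise ValueError(f"unsupported option {flag}")
        i += 2
    if target is None:
        raise ValueError("rule needs -j TARGET")
    rule = Rule(src, dst, target)
    if op == "-A":                       # append: evaluated last
        chain.rules.append(rule)
    elif op == "-I":                     # insert: evaluated first (by default)
        chain.rules.insert(pos - 1, rule)
    else:
        raise ValueError(f"unsupported command {op}")


PC, WEB = "192.138.35.110", "193.110.128.200"   # addresses from the thread


def append_after_accept() -> Tuple[str, Optional[int]]:
    """Oscar's chain as Andrew reads it: an earlier ACCEPT (constructed
    assumption) matches first, so the appended DROP is never reached."""
    chains = {"FORWARD": Chain("FORWARD")}
    apply_command(chains, "iptables -P FORWARD DROP")
    apply_command(chains, "iptables -A FORWARD -s 192.138.35.0/24 -j ACCEPT")
    apply_command(chains, f"iptables -A FORWARD -s {PC} -d {WEB} -j DROP")
    return chains["FORWARD"].verdict(PC, WEB)          # ('ACCEPT', 1)


def insert_at_front() -> Tuple[str, Optional[int]]:
    """Same chain, but the DROP is inserted with -I instead of appended."""
    chains = {"FORWARD": Chain("FORWARD")}
    apply_command(chains, "iptables -P FORWARD DROP")
    apply_command(chains, "iptables -A FORWARD -s 192.138.35.0/24 -j ACCEPT")
    apply_command(chains, f"iptables -I FORWARD -s {PC} -d {WEB} -j DROP")
    return chains["FORWARD"].verdict(PC, WEB)          # ('DROP', 1)


def policy_alone() -> Tuple[str, Optional[int]]:
    """No rule matches, so the policy decides (Rob's point); with policy DROP
    the explicit DROP rule would be redundant (Andrew's closing point)."""
    chains = {"FORWARD": Chain("FORWARD")}
    apply_command(chains, "iptables -P FORWARD DROP")
    return chains["FORWARD"].verdict(PC, WEB)          # ('DROP', None)


if __name__ == "__main__":
    for fn in (append_after_accept, insert_at_front, policy_alone):
        print(f"{fn.__name__}: {fn()}")
```

The model deliberately ignores interfaces, protocols, ports and connection tracking, which real FORWARD chains usually match on; what it keeps is the part the thread is about: the first rule whose match fields fit the packet decides, rule order is set by `-A` (append) versus `-I` (insert), and the policy is consulted only after the last rule has been tried without a match.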