Using default policy drop in FORWARD chain´s

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Using default policy drop in FORWARD chain´s
@ 2006-03-21 14:59 Juan Santamaria
  2006-03-22 17:42 ` Mike Wright
  0 siblings, 1 reply; 2+ messages in thread
From: Juan Santamaria @ 2006-03-21 14:59 UTC (permalink / raw)
  To: netfilter

Hello Guys

Nowdays, I ´ve been working  in a firewall configuration. I want use default 
policy DROP, for the INPUT,FORWARD,OUTPUT chain´s.  I using the redwall 
firewall, it has support for l7-protocols. I need to block msn, but when I 
apply the ruler to the forward chain it isn´t block.

But when y change de default policy in Forward chain´s  to ACCEPT, tha same 
ruler block the msn traffic.

I appreciate some advices

Cheerio!

IPTABLES=/sbin/iptables

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


$IPTABLES  -A FORWARD -p tcp -m tcp -m layer7 --l7proto msnmessenger
-j DROP




$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

#$IPTABLES -A FORWARD -s 10.0.109.20 -j DROP

$IPTABLES -A INPUT   -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT  -o eth2 -p tcp -m tcp --sport 22 -m state --state 
RELATED,ESTABLISHED -j ACCEPT



$IPTABLES -A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT

$IPTABLES -A FORWARD -p tcp -m tcp --sport 80 -m layer7 --l7proto 
msnmessenger -j DROP
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m layer7 --l7proto 
msnmessenger -j DROP
$IPTABLES -A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT

$IPTABLES -A FORWARD -p udp -m udp --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp --dport 53 -j ACCEPT




^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Using default policy drop in FORWARD chain´s
  2006-03-21 14:59 Using default policy drop in FORWARD chain´s Juan Santamaria
@ 2006-03-22 17:42 ` Mike Wright
  0 siblings, 0 replies; 2+ messages in thread
From: Mike Wright @ 2006-03-22 17:42 UTC (permalink / raw)
  To: netfilter

Juan Santamaria wrote:
> Hello Guys

Hi Juan,

> 
> Nowdays, I ´ve been working  in a firewall configuration. I want use 
> default policy DROP, for the INPUT,FORWARD,OUTPUT chain´s.  I using the 
> redwall firewall, it has support for l7-protocols. I need to block msn, 
> but when I apply the ruler to the forward chain it isn´t block.
> 
> But when y change de default policy in Forward chain´s  to ACCEPT, tha 
> same ruler block the msn traffic.
> 
> I appreciate some advices
> 
> Cheerio!
> 
> IPTABLES=/sbin/iptables
> 
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -X
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> 
> 
> $IPTABLES  -A FORWARD -p tcp -m tcp -m layer7 --l7proto msnmessenger
> -j DROP
> 
> 
> 
> 
> $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
> 
> #$IPTABLES -A FORWARD -s 10.0.109.20 -j DROP
> 
> $IPTABLES -A INPUT   -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
> $IPTABLES -A OUTPUT  -o eth2 -p tcp -m tcp --sport 22 -m state --state 
> RELATED,ESTABLISHED -j ACCEPT
> 

I think the problem occurs here.  It's important to put the more 
specific rules in front of the more general rules or they will never be 
seen because the condition has already been matched.  Move the following 
two rules to after those of "layer7" and all should be well.

Hope this is useful.

> 
> 
> $IPTABLES -A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
> 
> $IPTABLES -A FORWARD -p tcp -m tcp --sport 80 -m layer7 --l7proto 
> msnmessenger -j DROP
> $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m layer7 --l7proto 
> msnmessenger -j DROP
> $IPTABLES -A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
> 
> $IPTABLES -A FORWARD -p udp -m udp --sport 53 -j ACCEPT
> $IPTABLES -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
> 
> 
> 
> 
> 


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2006-03-22 17:42 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-03-21 14:59 Using default policy drop in FORWARD chain´s Juan Santamaria
2006-03-22 17:42 ` Mike Wright

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox