Please note that LinuxExchange will be shutting down on December 31st, 2016. Visit this thread for additional information and to provide feedback.

Bridge firewall with iptables; how do i block incoming traffic except for specified ports, and allow outgoing traffic?

1

Im having problems with iptables not doing what i want :(

I have a Ubuntu computer set up as bridge between gateway and lan, with the lan connected to eth0 and eth1 connected to gateway.

I'm trying to get it to basically block everything incoming except for the ports i specify (www, smtp ++), but also allow outgoing traffic. I've found, tried, modified some examples i found on the web, but still it wont block incoming traffic (ie, im still able to reach my webserver)

These are the rules im running now, and i can't figure out why it wont block incoming:

#!/bin/bash

iptables -F
iptables -X

iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT

# connection tracking (not entirely sure what this does, but tutorial said it was needed)
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

iptables -S gives me

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable

Any advice on what im doing wrong is appreciated :(

asked 02 May '10, 20:15

Zyprexa's gravatar image

Zyprexa
41227
accept rate: 33%

edited 02 May '10, 22:32

Some guys on linuxquestion.org said i should be using "-m physdev", will post the results when i get to try it out, but it makes sense.

(03 May '10, 14:19) Zyprexa

Please accept an answer so the question/answer can be finished.

(20 Apr '11, 13:41) rfelsburg ♦


2 Answers:
oldestnewestmost voted
2

Did you try:

iptables --policy FORWARD DROP

and just allow the ports you want

iptables -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -p tcp --dport 80 -j ACCEPT

link

answered 03 May '10, 00:37

Wilson's gravatar image

Wilson
312
accept rate: 0%

I tried adding "iptables -P FORWARD DROP" just below "iptables -X" in the script. But then it seems to block outgoing as well.

(03 May '10, 08:23) Zyprexa

i'd been using the "-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT" as "-i eth0 -o eth1" when it should've been "-i eth1 and -o eth0", so this solution might have worked as well.

(03 May '10, 22:26) Zyprexa
2

Using physdev seems to make it work:

#!/bin/bash

# clean rules
iptables -F
iptables -X

#default rules
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# block input and output bridge (might need physdev on these too?)
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I INPUT -i br0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT
iptables -I OUTPUT -o br0 -j REJECT

# drop invalid
iptables -I FORWARD -m state --state INVALID -j DROP

# allow outgoing
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

## allow an incoming service
# http
iptables -A FORWARD -p tcp -m physdev --physdev-in eth1 --physdev-out eth0 -d <server ip> --dport 80 -j ACCEPT

# drop everything else
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j REJECT

Many thanks to SuperJediWombat! and TimothyEBaldwin on linuxquestions.org forum!

link

answered 03 May '10, 16:45

Zyprexa's gravatar image

Zyprexa
41227
accept rate: 33%

edited 03 May '10, 23:03

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×81
×11
×5
×5
×2

Asked: 02 May '10, 20:15

Seen: 20,284 times

Last updated: 20 Apr '11, 13:41

Related questions

iptables configuration script - need help with it

random wireless disconnections (lucid lynx)

iptables firewall problem openvpn bridged

Mobile broadband under Ubuntu 10.04

iptables and sudo not logging

Two virtual networks over one LAN?

Netbook alternative to Ubuntu?

How do I move the Minimize, Maximize and Close buttons in Ubuntu Lucid back to where they used to be?

How to Install LTSP in Linux

Booting Asus EEE with Ubuntu

about | faq | privacy | contact

powered by OSQA