Answers to: Bridge firewall with iptables; how do I block incoming traffic except for specified ports, and allow outgoing traffic?
http://linuxexchange.org/questions/158/bridge-firewall-with-iptables-how-do-i-block-incoming-traffic-except-for-specified-ports-and-allow-outgoing-traffic

<p>I'm having problems with iptables not doing what I want :(</p>
<p>I have an Ubuntu computer set up as a bridge between the gateway and the LAN, with the LAN connected to eth0 and eth1 connected to the gateway.</p>
<p>I'm trying to get it to basically block everything incoming except for the ports I specify (www, smtp ++), but also allow outgoing traffic. I've found, tried and modified some examples I found on the web, but it still won't block incoming traffic (i.e. I'm still able to reach my webserver).</p>
<p>These are the rules I'm running now, and I can't figure out why it won't block incoming:</p>
<pre><code>#!/bin/bash
iptables -F
iptables -X

iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT

# connection tracking (not entirely sure what this does, but tutorial said it was needed)
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT

# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
</code></pre>
<p><em>iptables -S</em> gives me</p>
<pre><code>-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable
</code></pre>
<p>Any advice on what I'm doing wrong is appreciated :(</p>
Zyprexa, Wed, 20 Apr 2011 13:41:56 -0400

Comment by rfelsburg on Zyprexa's question
http://linuxexchange.org/questions/158/bridge-firewall-with-iptables-how-do-i-block-incoming-traffic-except-for-specified-ports-and-allow-outgoing-traffic#2391
<p>Please accept an answer so the question/answer can be finished.</p>
rfelsburg, Wed, 20 Apr 2011 13:41:56 -0400