I'm having problems with iptables not doing what I want :(

I have an Ubuntu computer set up as a bridge between the gateway and the LAN, with the LAN connected to eth0 and eth1 connected to the gateway.

I'm trying to get it to basically block everything incoming except for the ports I specify (www, smtp, ...), but also allow outgoing traffic. I've found, tried and modified some examples I found on the web, but it still won't block incoming traffic (i.e. I'm still able to reach my web server).

These are the rules I'm running now, and I can't figure out why it won't block incoming:


iptables -F
iptables -X

iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT

# connection tracking (not entirely sure what this does, but the tutorial said it was needed)
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

iptables -S gives me:

-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable

Any advice on what I'm doing wrong is appreciated :(

Some guys on said I should be using "-m physdev"; I'll post the results when I get to try it out, but it makes sense.

Using physdev seems to make it work:


# clean rules
iptables -F
iptables -X

# default rules
iptables -P INPUT ACCEPT

# block input and output bridge (might need physdev on these too?)
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I INPUT -i br0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT
iptables -I OUTPUT -o br0 -j REJECT

# drop invalid
iptables -I FORWARD -m state --state INVALID -j DROP

# allow outgoing
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

## allow an incoming service
# http
iptables -A FORWARD -p tcp -m physdev --physdev-in eth1 --physdev-out eth0 -d <server ip> --dport 80 -j ACCEPT

# drop everything else
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j REJECT

Many thanks to SuperJediWombat! and TimothyEBaldwin on the forum!


Did you try:

iptables --policy FORWARD DROP

and just allow the ports you want:

iptables -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -p tcp --dport 80 -j ACCEPT


I tried adding "iptables -P FORWARD DROP" just below "iptables -X" in the script, but then it seems to block outgoing as well.

(03 May '10, 08:23) Zyprexa

I'd been using "-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT" with "-i eth0 -o eth1" when it should have been "-i eth1 -o eth0", so this solution might have worked as well.

(03 May '10, 22:26) Zyprexa
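As an added illustration of this thread (not code from any of the posters), here is a small Python model of how the FORWARD chain is matched for bridged traffic. It assumes br_netfilter is in effect, so bridged frames reach FORWARD with -i/-o equal to br0 and only -m physdev sees eth0/eth1, and it uses 192.0.2.10 as a constructed stand-in for <server ip>. Running the first script's rules and the physdev rules over the same constructed packets shows why the first set fell through to the chain policy (ACCEPT by default, and everything blocked with -P FORWARD DROP, as in the comment above), while the physdev set rejects unsolicited inbound traffic but still passes the allowed service and established replies.

```python
from dataclasses import dataclass
@dataclass
class Packet:
    phys_in: str           # bridge port the frame arrived on
    phys_out: str          # bridge port it leaves by
    state: str = "NEW"     # conntrack state
    proto: str = "tcp"
    dport: int = 0
    dst: str = "192.0.2.10"  # constructed stand-in for <server ip>
    in_if: str = "br0"     # what -i/-o see for bridged frames: the bridge itself
    out_if: str = "br0"

def matches(rule, p):
    """Every criterion present in the rule must match the packet."""
    fields = {"i": p.in_if, "o": p.out_if, "physdev_in": p.phys_in,
              "physdev_out": p.phys_out, "p": p.proto, "dport": p.dport, "d": p.dst}
    if any(k in rule and rule[k] != v for k, v in fields.items()):
        return False
    return "state" not in rule or p.state in rule["state"]

def forward_verdict(rules, p, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, p):
            return rule["target"]
    return policy

# FORWARD rules from the first (non-working) script, icmp rule omitted.
ORIGINAL = [
    {"state": ("INVALID",), "target": "DROP"},
    {"i": "eth0", "o": "eth1", "state": ("RELATED", "ESTABLISHED"), "target": "ACCEPT"},
    {"i": "eth0", "o": "eth1", "target": "ACCEPT"},
    {"i": "eth1", "o": "eth0", "target": "REJECT"},  # never matches: -i/-o are br0
]
# FORWARD rules from the physdev script that worked.
PHYSDEV = [
    {"state": ("INVALID",), "target": "DROP"},
    {"physdev_in": "eth0", "physdev_out": "eth1", "target": "ACCEPT"},
    {"physdev_in": "eth1", "physdev_out": "eth0",
     "state": ("RELATED", "ESTABLISHED"), "target": "ACCEPT"},
    {"physdev_in": "eth1", "physdev_out": "eth0", "p": "tcp",
     "d": "192.0.2.10", "dport": 80, "target": "ACCEPT"},
    {"physdev_in": "eth1", "physdev_out": "eth0", "target": "REJECT"},
]
# Constructed sample traffic: three frames from the gateway side, one from the LAN.
inbound_ssh = Packet(phys_in="eth1", phys_out="eth0", dport=22)   # unsolicited
inbound_http = Packet(phys_in="eth1", phys_out="eth0", dport=80)  # allowed service
reply_to_lan = Packet(phys_in="eth1", phys_out="eth0", state="ESTABLISHED", dport=40000)
outbound_https = Packet(phys_in="eth0", phys_out="eth1", dport=443)
```

Calling forward_verdict(ORIGINAL, inbound_ssh) returns "ACCEPT" because no rule with -i/-o eth0/eth1 ever matches a frame whose interfaces are br0, while forward_verdict(PHYSDEV, inbound_ssh) returns "REJECT".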
