Answers to: Bridge firewall with iptables; how do I block incoming traffic except for specified ports, and allow outgoing traffic?
http://linuxexchange.org/questions/158/bridge-firewall-with-iptables-how-do-i-block-incoming-traffic-except-for-specified-ports-and-allow-outgoing-traffic
Mon, 03 May 2010 16:45:32 -0400

I'm having problems with iptables not doing what I want :(

I have a Ubuntu computer set up as a bridge between gateway and LAN, with the LAN connected to eth0 and eth1 connected to the gateway.

I'm trying to get it to basically block everything incoming except for the ports I specify (www, smtp ++), but also allow outgoing traffic. I've found, tried, modified some examples I found on the web, but still it won't block incoming traffic (i.e., I'm still able to reach my webserver).

These are the rules I'm running now, and I can't figure out why it won't block incoming:

```bash
#!/bin/bash
iptables -F
iptables -X
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT

# connection tracking (not entirely sure what this does, but tutorial said it was needed)
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT

# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
```

`iptables -S` gives me

```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable
```

Any advice on what I'm doing wrong is appreciated :(

Answer by Zyprexa
http://linuxexchange.org/questions/158/bridge-firewall-with-iptables-how-do-i-block-incoming-traffic-except-for-specified-ports-and-allow-outgoing-traffic/181
Mon, 03 May 2010 16:45:32 -0400

Using physdev seems to make it work:

```bash
#!/bin/bash
# clean rules
iptables -F
iptables -X

# default rules
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# block input and output bridge (might need physdev on these too?)
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I INPUT -i br0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT
iptables -I OUTPUT -o br0 -j REJECT

# drop invalid
iptables -I FORWARD -m state --state INVALID -j DROP

# allow outgoing
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

## allow an incoming service
# http
iptables -A FORWARD -p tcp -m physdev --physdev-in eth1 --physdev-out eth0 -d <server ip> --dport 80 -j ACCEPT

# drop everything else
iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j REJECT
```

Many thanks to SuperJediWombat and TimothyEBaldwin on the linuxquestions.org forum!

Answer by Wilson
http://linuxexchange.org/questions/158/bridge-firewall-with-iptables-how-do-i-block-incoming-traffic-except-for-specified-ports-and-allow-outgoing-traffic/159
Mon, 03 May 2010 00:37:48 -0400

Did you try:

iptables --policy FORWARD DROP

and just allow the ports you want

iptables -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -p tcp --dport 80 -j ACCEPT
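The reason the question's original rules never match is that on a Linux bridge the FORWARD chain sees the bridge device (br0) as the in/out interface, so `-i eth1 -o eth0` matches nothing; the physdev match in Zyprexa's answer tests the physical bridge ports instead. The script below is an added example, not code from the thread or from either poster. It takes that physdev approach and generalises it to a list of allowed inbound TCP services (the question mentions www and smtp), with a default DROP policy as Wilson suggests and a rate-limited LOG rule so blocked attempts are visible. Assumptions not stated on the page: the bridge is br0 joining eth0 (LAN side) and eth1 (gateway side), SERVER_IP (a placeholder TEST-NET-1 address here) is the LAN host being exposed, and the kernel hands bridged frames to iptables (br_netfilter loaded and net.bridge.bridge-nf-call-iptables=1, which newer kernels do not enable by default). The script prints the commands unless run with `--apply`, so the rule set can be reviewed before touching a live bridge.

```shell
#!/bin/bash
# Added example (not from the original thread): physdev-based bridge firewall
# generalised to several allowed inbound TCP ports. Interface names, SERVER_IP
# and the port list are assumptions and can be overridden via the environment.
set -u

LAN_PORT="${LAN_PORT:-eth0}"                          # bridge port towards the LAN
EXT_PORT="${EXT_PORT:-eth1}"                          # bridge port towards the gateway
SERVER_IP="${SERVER_IP:-192.0.2.10}"                  # placeholder address (TEST-NET-1)
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443 25}"   # www, https, smtp

# Dry-run by default: print the iptables commands instead of executing them.
# Pass --apply to run them for real (needs root).
MODE="${1:-dry-run}"

ipt() {
    if [ "$MODE" = "--apply" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# One ACCEPT rule for a service reachable from the gateway side. -i/-o would
# match br0 on a bridge, so the physical ports are matched with -m physdev.
allow_inbound_tcp() {
    ipt -A FORWARD -p tcp -m physdev --physdev-in "$EXT_PORT" --physdev-out "$LAN_PORT" \
        -d "$SERVER_IP" --dport "$1" -j ACCEPT
}

emit_rules() {
    # start from a clean state, deny by default
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # the bridge host itself accepts only loopback (as in the question, it is
    # not meant to be reachable over either port)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # drop packets conntrack cannot classify
    ipt -A FORWARD -m state --state INVALID -j DROP

    # LAN -> gateway: everything out, and replies to those connections back in
    ipt -A FORWARD -m physdev --physdev-in "$LAN_PORT" --physdev-out "$EXT_PORT" -j ACCEPT
    ipt -A FORWARD -m physdev --physdev-in "$EXT_PORT" --physdev-out "$LAN_PORT" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT

    # gateway -> LAN: only the listed services on the server
    for port in $ALLOWED_TCP_PORTS; do
        allow_inbound_tcp "$port"
    done

    # everything else arriving from the gateway side: log (rate limited), then drop
    ipt -A FORWARD -m physdev --physdev-in "$EXT_PORT" --physdev-out "$LAN_PORT" \
        -m limit --limit 5/min -j LOG --log-prefix "bridge-fw drop: "
    ipt -A FORWARD -m physdev --physdev-in "$EXT_PORT" --physdev-out "$LAN_PORT" -j DROP
}

emit_rules
```

Run it once without arguments and read the printed rules, then `sudo ./bridge-fw.sh --apply`. Because the policy is DROP, the final explicit DROP rule only exists so that the LOG rule in front of it records what the bridge refused; check with `iptables -L FORWARD -v` that the physdev rules are actually counting packets, since zero counters on every FORWARD rule usually means bridged traffic is not being passed to iptables at all.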