Bridge firewall with iptables; how do I block incoming traffic except for specified ports, and allow outgoing traffic?
<p>I'm having problems with iptables not doing what I want :(</p>
<p>I have an Ubuntu computer set up as a bridge between the gateway and the LAN, with the LAN connected to eth0 and eth1 connected to the gateway.</p>
<p>I'm trying to get it to basically block everything incoming except for the ports I specify (www, smtp ++), but also allow outgoing traffic. I've found, tried and modified some examples I found on the web, but still it won't block incoming traffic (i.e., I'm still able to reach my webserver).</p>
<p>These are the rules I'm running now, and I can't figure out why it won't block incoming:</p>
<pre><code>#!/bin/bash
iptables -F
iptables -X
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT
# connection tracking (not entirely sure what this does, but tutorial said it was needed)
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
</code></pre>
<p><em>iptables -S</em> gives me</p>
<pre><code>-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable
</code></pre>
<p>Any advice on what I'm doing wrong is appreciated :(</p>
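<p>Added example (not the asker's script): a bridge firewall rule set that matches on the physical bridge ports instead of on <code>-i</code>/<code>-o</code>. On a bridge, frames that are forwarded between the two ports traverse the FORWARD chain with the <em>bridge</em> interface (e.g. br0) as in/out interface, so rules written as <code>-i eth0 -o eth1</code> never match; the physical port has to be selected with <code>-m physdev --physdev-in/--physdev-out</code>, and bridged traffic only reaches iptables at all when <code>net.bridge.bridge-nf-call-iptables</code> is 1 (on newer kernels this sysctl needs the <code>br_netfilter</code> module loaded). The example assumes eth1 faces the gateway and eth0 faces the LAN as in the question; the port list 80/443/25 is a constructed stand-in for "www, smtp ++". The script prints the commands by default and only executes them when run with <code>--apply</code> (a convention of this example, not an iptables flag), so the rule set can be reviewed before it is loaded.</p>

```shell
#!/bin/bash
# Added example, not the asker's script. Bridge firewall: block new inbound
# connections from the gateway side except on the listed TCP ports and ping,
# allow everything outbound, and let conntrack admit replies in both directions.
# Assumes eth1 = physical port toward the gateway, eth0 = port toward the LAN.
set -eu

WAN_IF=${WAN_IF:-eth1}              # physical bridge port toward the gateway
LAN_IF=${LAN_IF:-eth0}              # physical bridge port toward the LAN
ALLOWED_TCP=${ALLOWED_TCP:-"80 443 25"}   # constructed list: www, https, smtp

# Emit the iptables commands one per line without running them.
bridge_firewall_rules() {
    # Bridged frames are only handed to iptables when this sysctl is 1
    # (load br_netfilter first on kernels where the sysctl is missing).
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Replies and related packets of connections started from either side.
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # LAN -> gateway: any new connection is allowed (the outgoing traffic).
    echo "iptables -A FORWARD -m physdev --physdev-in $LAN_IF --physdev-out $WAN_IF -j ACCEPT"
    # gateway -> LAN: only new connections to the published TCP ports ...
    for p in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # ... and ping requests.
    echo "iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT"
    # Everything else arriving from the gateway side is logged (rate limited) and dropped.
    echo "iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -m limit --limit 5/min -j LOG --log-prefix \"bridge-drop: \""
    echo "iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -j DROP"
}

# Sanity check helper: number of generated rules that open a TCP port inbound.
inbound_accept_count() {
    bridge_firewall_rules | grep -c -- "--physdev-in $WAN_IF --physdev-out $LAN_IF -p tcp"
}

if [ "${1:-}" = "--apply" ]; then
    bridge_firewall_rules | sh -e      # execute the rules (needs root)
else
    bridge_firewall_rules              # dry run: just show what would be applied
fi
```

<p>Run it without arguments to review the generated commands, then as root with <code>--apply</code>. Note that this only covers the FORWARD chain (traffic passing through the bridge); the INPUT/OUTPUT rules in the question additionally drop all traffic to and from the bridge host itself, which is a separate decision.</p>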