# iptables not working

## fr3aker

Hey,

Solved so far, but one question remains; see: https://forums.gentoo.org/viewtopic-p-6898056.html#6898056

I've got a problem with my gentoo router and my iptables config.

The only thing iptables does as expected is routing my network traffic, but neither locking up external ports nor port forwarding works.

I'm running 3.0.4-hardened-r4 (+selinux in permissive mode) with iptables v1.4.12.1.

Interfaces:

- wlan0 (192.168.2.1/24)
- eth0 (no IP, modem connected)
- ppp0 (dynamic public IP)

This is what my iptables looks like:

```
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:domain

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.2.0/24      anywhere
ACCEPT     all  --  anywhere             192.168.2.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
```

Port 53/domain is still publicly accessible. This is the command I used to block port 53 input:

```
iptables -A INPUT -p tcp --dport 53 -i ppp0 -j DROP
```

I also tried to set up port forwarding for ssh (listening on 192.168.2.1:22):

```
iptables -t nat -A PREROUTING -p tcp --dport 44444 -i ppp0 -j DNAT --to 192.168.2.1:22
```

but only got a "connection refused". The same happens with all other services I try to forward.

Binding ssh to all available interfaces works, though.

I simply don't see what goes wrong here. Can anyone assist me with this?

greez fr3aker

Last edited by fr3aker on Mon Dec 12, 2011 11:40 am; edited 1 time in total

----------

## Hu

Those rules look very permissive.  Is this a second-line firewall behind some other device?

Please post the output of iptables-save -c.  Do I understand correctly that you want to have sshd listen on the internal interface and use a DNAT rule to rewrite the traffic?  Why not just have it listen directly on the external interface?

----------

## fr3aker

thanks for your fast reply.

This is my only router/firewall. The rules are kept permissive because I'm right now debugging iptables ;) Also I don't believe in blocking ports to increase security.

Yes, you understood that ssh thing right. I want ssh to listen on the default port in the internal network but use a different port for my public interface. I could not find a possibility to configure sshd to do this directly. (It would listen on both specified ports on all interfaces only, or is there a way to bind sshd to an interface instead of an IP address?)

```
# iptables-save -c
# Generated by iptables-save v1.4.12.1 on Mon Dec 12 00:46:27 2011
*nat
:PREROUTING ACCEPT [889:124826]
:INPUT ACCEPT [416:26242]
:OUTPUT ACCEPT [78:5778]
:POSTROUTING ACCEPT [0:0]
[616596:36311338] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 12 00:46:27 2011
# Generated by iptables-save v1.4.12.1 on Mon Dec 12 00:46:27 2011
*mangle
:PREROUTING ACCEPT [39748983:32741800114]
:INPUT ACCEPT [11423428:12669195403]
:FORWARD ACCEPT [28182696:20012934468]
:OUTPUT ACCEPT [9016714:5749486176]
:POSTROUTING ACCEPT [37199360:25762422072]
COMMIT
# Completed on Mon Dec 12 00:46:27 2011
# Generated by iptables-save v1.4.12.1 on Mon Dec 12 00:46:27 2011
*filter
:INPUT ACCEPT [613:43625]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [259:34270]
[0:0] -A INPUT -i ppp0 -p icmp -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 53 -j DROP
[6352:795889] -A FORWARD -s 192.168.2.0/24 -i wlan0 -j ACCEPT
[5616:3231436] -A FORWARD -d 192.168.2.0/24 -i ppp0 -j ACCEPT
COMMIT
# Completed on Mon Dec 12 00:46:27 2011
```

----------

## Hu

*fr3aker wrote:*

> I don't believe in blocking ports to increase security.

Then why do you use any DROP rules at all?

*fr3aker wrote:*

> Yes, you understood that ssh thing right. I want ssh to listen on the default port in the internal network but use a different port for my public interface. I could not find a possibility to configure sshd to do this directly. (It would listen on both specified ports on all interfaces only, or is there a way to bind sshd to an interface instead of an IP address?)

You could run two sshd instances. Make one listen on the external IP address with a high port and the other listen on an internal IP address with the regular port.

----------

## fr3aker

By "I don't believe in blocking ports to increase security." I meant I don't believe in creating very restrictive blocking rules just in case there might be some service running somewhere I can lock up with this.

E.g. on port 53 dnsmasq is running, which is bound to all interfaces. The manual says it will drop all packets from non-whitelisted interfaces, but I want to make sure it really does. (The generic DROP rule of the FORWARD chain is for testing only.)

But anyway, this is not what this thread should be about.

As already stated in both my previous posts, my public interface has no static IP and therefore sshd cannot easily listen on a specific IP address. Also this does not help at all with my iptables problem but only works around it.

Update: OK, got it working (with the rules from the first post). The problem actually wasn't iptables not working but iptables not applying the rules to traffic originating from my own network (I of course used my public IP for connection tests). Can anyone explain this behavior to me? My iptables knowledge in this regard is quite limited.

I did a "ssh [myPublicIp] -p44444" from hosts 192.168.2.1 and 192.168.2.2 with both giving me a "connection refused", but using an external host the connection was successful.

----------
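The behaviour fr3aker describes in the last post follows from how `-i` works: a rule with `-i ppp0` only sees packets that physically arrive on ppp0, and a LAN host connecting to the public address delivers its packets to the router over wlan0, so neither the DNAT rule nor the port-53 DROP rule matches them. The script below is an added example, not code from the thread: it models the thread's own ruleset (nat PREROUTING, the routing decision, filter INPUT/FORWARD, first match wins) and traces the four cases a tester would try. The public address 203.0.113.5 and the external client 198.51.100.7 are constructed placeholders (documentation ranges), since ppp0 has a dynamic IP; the set of listening sockets (sshd on 192.168.2.1:22, dnsmasq on all addresses on port 53) is taken from the thread.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread; the public IP is a constructed placeholder.
ROUTER_LAN_IP = "192.168.2.1"
PUBLIC_IP = "203.0.113.5"
LAN_NET = ipaddress.ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrives on: this is what -i matches
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Each rule is (match criteria, target). A chain is walked top to bottom and
# the first matching rule decides, as in iptables. These mirror the thread's rules.
NAT_PREROUTING = [
    ({"in_iface": "ppp0", "proto": "tcp", "dport": 44444}, ("DNAT", ROUTER_LAN_IP, 22)),
]
FILTER_INPUT = [
    ({"in_iface": "ppp0", "proto": "icmp"}, "DROP"),
    ({"in_iface": "ppp0", "proto": "tcp", "dport": 53}, "DROP"),
]
FILTER_FORWARD = [
    ({"in_iface": "wlan0", "src_net": LAN_NET}, "ACCEPT"),
    ({"in_iface": "ppp0", "dst_net": LAN_NET}, "ACCEPT"),
]
POLICY = {"INPUT": "ACCEPT", "FORWARD": "DROP"}

# Sockets open on the router (constructed from the thread's description):
# sshd bound to the wlan0 address only, dnsmasq on port 53 on all addresses.
LISTENERS = {(ROUTER_LAN_IP, 22), ("0.0.0.0", 53)}


def matches(criteria, pkt):
    """True if every criterion of a rule matches the packet."""
    for key, want in criteria.items():
        if key == "src_net":
            if ipaddress.ip_address(pkt.src) not in want:
                return False
        elif key == "dst_net":
            if ipaddress.ip_address(pkt.dst) not in want:
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def first_target(chain, policy, pkt):
    for criteria, target in chain:
        if matches(criteria, pkt):
            return target
    return policy


def trace(pkt):
    """Return a one-line verdict describing what the router does with pkt."""
    # 1. nat PREROUTING runs before the routing decision; only DNAT is modelled.
    target = first_target(NAT_PREROUTING, "ACCEPT", pkt)
    note = ""
    if isinstance(target, tuple) and target[0] == "DNAT":
        pkt = replace(pkt, dst=target[1], dport=target[2])
        note = f"DNAT to {pkt.dst}:{pkt.dport}; "
    # 2. routing decision: addresses owned by the router go to INPUT, others to FORWARD.
    if pkt.dst in (ROUTER_LAN_IP, PUBLIC_IP):
        if first_target(FILTER_INPUT, POLICY["INPUT"], pkt) == "DROP":
            return note + "dropped in INPUT"
        if (pkt.dst, pkt.dport) in LISTENERS or ("0.0.0.0", pkt.dport) in LISTENERS:
            return note + f"delivered to local service on port {pkt.dport}"
        # No socket on that port: the kernel answers with RST, i.e. "connection refused".
        return note + f"connection refused (nothing listens on {pkt.dst}:{pkt.dport})"
    if first_target(FILTER_FORWARD, POLICY["FORWARD"], pkt) == "ACCEPT":
        return note + f"forwarded to {pkt.dst}:{pkt.dport}"
    return note + "dropped in FORWARD"


def thread_scenarios():
    """The connection tests from the thread: external host via ppp0, LAN host via wlan0."""
    ext = "198.51.100.7"   # constructed external client
    lan = "192.168.2.2"    # LAN client from the thread
    return {
        "external ssh via ppp0": trace(Packet("ppp0", ext, PUBLIC_IP, 44444)),
        "lan ssh to public ip": trace(Packet("wlan0", lan, PUBLIC_IP, 44444)),
        "external dns via ppp0": trace(Packet("ppp0", ext, PUBLIC_IP, 53)),
        "lan dns to public ip": trace(Packet("wlan0", lan, PUBLIC_IP, 53)),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:24} -> {verdict}")
```

Run as-is it shows why the LAN-side tests in the thread gave "connection refused": the SYN to public-IP:44444 arrives on wlan0, skips the `-i ppp0` DNAT, is routed to the router itself and finds no socket on 44444. The same mechanism explains why port 53 looked open from inside: only packets arriving on ppp0 hit the DROP rule, so testing from a LAN host says nothing about exposure on the public interface. Checking the packet counters in `iptables-save -c` (the `[0:0]` in front of both INPUT rules above) is the quickest way to see that a rule never matched the test traffic.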

