# iptables seems to block allowed traffic

## Jimini

Hey there,

to keep it short and simple, here are the relevant lines of my iptables rules:

```
#!/bin/sh

echo "1" > /proc/sys/net/ipv4/conf/all/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_forward

### delete existing tables
iptables -F
iptables -t nat -F
iptables -t mangle -F

lan="eth1"
wan="eth0"
intern=10.0.0.0/24
clients=10.0.0.3-10.0.0.20

### drop everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

iptables -A FORWARD -s $intern -i $lan -o $wan -j ACCEPT

### accept traffic belonging to an existing connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### masquerading
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -t nat -A POSTROUTING -o $wan -j SNAT --to-source $extip

### bittorrent
iptables -A FORWARD -i $wan -o $lan -p tcp --dport 51413 -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -p udp --dport 51413 -j ACCEPT
iptables -t nat -I PREROUTING -i $wan -p tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413
iptables -t nat -I PREROUTING -i $wan -p udp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413

### log and drop all other traffic
iptables -A INPUT -j LOG --log-prefix "DROPPED_INPUT: " --log-level=5
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG --log-prefix "DROPPED_OUTPUT: " --log-level=5
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j LOG --log-prefix "DROPPED_FORWARD: " --log-level=5
iptables -A FORWARD -j DROP
```

I simply want to forward all incoming traffic on port 51413 to 10.0.0.21:51413. All other traffic (which is unwanted) will be logged and dropped afterwards.

But the log contains many, many lines like these:

```
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=827 PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=941 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=1212 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=1481 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=1938 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=94.221.216.70 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=11992 DF PROTO=TCP SPT=49420 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
```

Why?

Best regards,

Jimini

----------

## dE_logics

I'm not sure about the things that you changed in /proc, but - 

```
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE 

iptables -t nat -A POSTROUTING -o $wan -j SNAT --to-source $extip
```

Seems ambiguous. I suggest deleting the latter.

If that doesn't work I also suggest setting the FILTER policies to ACCEPT for debugging.

----------

## pigeon768

*Jimini wrote:*

> ```
> ### bittorrent
> ...
> ```

It's been a while, so I'm a little rusty, but those packets are being dropped before they even get to the FORWARD table. You need to -j ACCEPT them through the INPUT table on $wan, not the FORWARD table. (also you won't need -o on the INPUT table) I believe that when you DNAT them their state becomes ESTABLISHED so you don't need to ACCEPT them in FORWARD either.

I believe dE_logics is correct; the -j SNAT is redundant; -j MASQUERADE takes care of this for you.

----------

## Hu

*pigeon768 wrote:*

> It's been a while, so I'm a little rusty, but those packets are being dropped before they even get to the FORWARD table.

Yes.  Since they are being dropped in INPUT, that tells us that the kernel decided to deliver the traffic locally instead of rewriting the destination header.  Somehow, the DNAT rule failed to match.

*pigeon768 wrote:*

> You need to -j ACCEPT them through the INPUT table on $wan, not the FORWARD table.

That depends on the intended handling.  If the listening socket is on the local machine, then yes, he should process it via INPUT and not have a PREROUTING rule or FORWARD rule.  If the listening socket is on an internal machine hidden behind the local machine, then no, he should process it in PREROUTING and FORWARD, but not in INPUT.

*pigeon768 wrote:*

> I believe that when you DNAT them their state becomes ESTABLISHED so you don't need to ACCEPT them in FORWARD either.

No, on both counts.  First, they will still be in state NEW when they enter the FORWARD chain, which allows you to DNAT everything for a given port, then selectively allow particular clients in a NEW state and allow everything in an ESTABLISHED state.  Second, you do need to ACCEPT them in FORWARD if you want them to receive handling different from the FORWARD policy.
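Hu's observation that the DNAT rule "failed to match" can be checked directly against the logged lines: conntrack consults the nat table only for the packet that opens a connection, and a TCP segment carrying FIN or RST for which no state exists is marked INVALID, so it is never rewritten by the PREROUTING DNAT rule, keeps the router's own address as DST, and is delivered to INPUT where the catch-all LOG/DROP records it. The script below is an added example, not code from any poster in this thread; it parses the netfilter LOG format shown in the question (three of the question's own lines are embedded as constructed sample input) and classifies each dropped segment by the verdict conntrack would give it without existing state.

```python
from collections import Counter

# Constructed sample input: three of the lines the poster quoted above
# (MY_EXTERNAL_IP is the poster's own placeholder, kept verbatim).
SAMPLE_LOG = """\
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=827 PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=1938 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=94.221.216.70 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=11992 DF PROTO=TCP SPT=49420 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Split a netfilter LOG line into its prefix, KEY=VALUE fields and TCP flag tokens."""
    prefix, _, rest = line.partition(": ")
    fields, flags = {}, set()
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value        # SRC=..., DPT=51413, OUT= (empty value)
        elif token in TCP_FLAGS:
            flags.add(token)           # bare IP markers such as DF are ignored
    return {"prefix": prefix, "fields": fields, "flags": flags}

def conntrack_verdict_without_state(entry):
    """Verdict conntrack gives a TCP segment for which it holds no entry.
    nat/PREROUTING (the DNAT rule) is consulted only for the packet that opens an
    entry, so an INVALID segment keeps the router's address as DST and goes to INPUT."""
    if entry["fields"].get("PROTO") != "TCP":
        return "N/A"
    flags = entry["flags"]
    if "RST" in flags or "FIN" in flags or {"SYN", "ACK"} <= flags:
        return "INVALID"               # can never open a connection
    if "SYN" in flags:
        return "NEW"                   # a plain SYN opens a connection
    return "LOOSE"                     # bare ACK: NEW only with nf_conntrack_tcp_loose=1

def summarize(log_text):
    """Count dropped segments per (chain prefix, conntrack verdict)."""
    counts = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        entry = parse_log_line(line)
        counts[(entry["prefix"], conntrack_verdict_without_state(entry))] += 1
    return dict(counts)

if __name__ == "__main__":
    for (prefix, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{prefix:<15} {verdict:<8} {n}")   # DROPPED_INPUT   INVALID  3
```

Every sample line is a FIN or RST segment with no matching state, which neither the ESTABLISHED,RELATED rule nor the DNAT rule can act on; an `-m state --state INVALID -j DROP` rule placed before the LOG rule is the usual way to keep such segments out of the log without touching the port-forwarding rules.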

----------

