# [SOLVED] Iptables not Blocking

## Nrot

Working on a router box and having some problems getting iptables to drop/reject anything.  It's forwarding all fine and dandy, but I'd like it to have a bit of protection itself.

Here's some info on it.

Applying the table:

```
# Flush both tables, then set the default policies.
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

export LAN=eth0
export WAN=ppp0

# Accept everything arriving on the LAN interface and on loopback
# (each -I puts its rule at position 1, so lo ends up first).
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT

# Refuse DHCP and DNS requests that do not arrive on the LAN.
# ("! -i" is the current negation syntax; iptables 1.3.x also accepted "-i !".)
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Drop anything else to a privileged port that did not arrive on the LAN.
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Forwarding: no LAN-to-LAN through the router, LAN out, WAN back in.
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT

# Masquerade outbound traffic on the WAN.
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# The next line fails (the filter table has no POSTROUTING chain), which is
# why the iptables-save output below shows only one MASQUERADE rule.
#iptables -A POSTROUTING -o ${WAN} -j MASQUERADE

# Forward port 53098 (tcp and udp) arriving on the WAN to 192.168.0.130.
iptables -t nat -A PREROUTING -p tcp --dport 53098:53098 -i ${WAN} -j DNAT --to 192.168.0.130
iptables -t nat -A PREROUTING -p udp --dport 53098:53098 -i ${WAN} -j DNAT --to 192.168.0.130
```

Output of iptables-save:

```
# Generated by iptables-save v1.3.8 on Mon Jun  2 23:58:02 2008
*nat
:PREROUTING ACCEPT [15319:1077792]
:POSTROUTING ACCEPT [5316:508871]
:OUTPUT ACCEPT [116:28125]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 53098 -j DNAT --to-destination 192.168.0.130
-A PREROUTING -i ppp0 -p udp -m udp --dport 53098 -j DNAT --to-destination 192.168.0.130
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Jun  2 23:58:02 2008
# Generated by iptables-save v1.3.8 on Mon Jun  2 23:58:02 2008
*filter
:INPUT ACCEPT [997:77570]
:FORWARD DROP [1911:312855]
:OUTPUT ACCEPT [2894:204353]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ppp0 -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.255.0 -i ppp0 -j ACCEPT
COMMIT
# Completed on Mon Jun  2 23:58:02 2008
```

Output of iptables -L:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.0.0/24
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

I see in -L that it's allowing from anywhere to anywhere, but I'm not sure how to remove that without breaking the forwarding, as setting "iptables -P INPUT ACCEPT" to DROP was a bad idea...

Thanks for the help, Nrot.

EDIT: Wow, misspelled Blocking...  Fixed

Last edited by Nrot on Sat Jun 07, 2008 7:38 pm; edited 2 times in total

----------

## Anarcho

iptables -L doesn't print out everything. Add a "-v" (complete: "iptables -L -v") to get all the information. Source and destination just specify IP addresses, not interfaces.

But what is the difficulty in dropping packets per default?

----------

## Nrot

What's concerning me is that even if I use -I it still allows data through.  For this example, say ports 22 and 53.  I know I can bind SSH to addresses, but there are times I need it away from where I'm at.  I plan to have iptables protect it and have port knocking set up.  But port knocking is pretty pointless if the router is an open door, unless I want to port knock to some internal computers.

Here's iptables -vL

```
Chain INPUT (policy ACCEPT 6031 packets, 590K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     udp  --  !eth0  any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
 7946 1248K ACCEPT     all  --  eth0   any     anywhere             anywhere
    0     0 REJECT     udp  --  ppp0   any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  ppp0   any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
   16   952 DROP       tcp  --  ppp0   any     anywhere             anywhere            tcp dpts:0:1023
   36  9944 DROP       udp  --  ppp0   any     anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP 1911 packets, 313K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/24
8377K 2565M ACCEPT     all  --  eth0   any     192.168.0.0/24       anywhere
8798K 3809M ACCEPT     all  --  ppp0   any     anywhere             192.168.0.0/24

Chain OUTPUT (policy ACCEPT 16220 packets, 4071K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

I grabbed the table from http://www.gentoo.org/doc/en/home-router-howto.xml#doc_chap5

It seems that iptables should be rejecting the packets on blocked ports, but it's just ignoring those rules...

----------

## Hu

The output from iptables-save is more useful when you are trying to examine the loaded rules, since it is designed to be a machine readable format that can recreate a perfect copy of the rules at a later time.

Could you give us an example of a packet which is being allowed that you want denied?  Your rules look correct, so I suspect the test may be flawed.

Why are you only dropping the privileged ports?  It would be simpler and safer to allow incoming traffic in the ESTABLISHED state, then drop any remaining traffic without regard to protocol or port.

----------
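
To see why the rules "look correct" and yet the counters show traffic getting in, it helps to walk the INPUT chain by hand. The following is an added example, not code from the thread: it encodes the six INPUT rules exactly as the iptables-save output above lists them (the extra `!eth0` rule Nrot later inserted with -I is left out), applies them first-match-wins, and falls back to the chain's ACCEPT policy. The sample packets at the bottom are constructed for illustration; the interface, protocol and port names come from the posts.

```shell
#!/bin/sh
# Added example: walk the posted INPUT chain (iptables-save listing) for a
# packet given as (in-interface, protocol, destination port) and print the
# verdict. First matching rule wins; if none matches, the policy applies.

input_verdict() {
    iface=$1; proto=$2; dport=$3
    # Rules 1 and 2: anything arriving on lo or eth0 is accepted before any
    # port is looked at, so LAN-side ssh/DNS never reach the deny rules.
    case "$iface" in
        lo|eth0) echo ACCEPT; return 0 ;;
    esac
    # Rules 3 to 6 only match packets that arrived on ppp0.
    if [ "$iface" = ppp0 ]; then
        if [ "$proto" = udp ]; then
            case "$dport" in
                67|53) echo REJECT; return 0 ;;   # bootps / domain
            esac
        fi
        if [ "$proto" = tcp ] || [ "$proto" = udp ]; then
            if [ "$dport" -le 1023 ]; then
                echo DROP; return 0               # privileged ports only
            fi
        fi
    fi
    # No rule matched: the chain policy (ACCEPT, as posted) decides.
    echo "ACCEPT (policy)"
}

# Constructed sample packets: the LAN ssh SYN from the capture in the thread,
# plus a few probes arriving on the WAN side.
for pkt in "eth0 tcp 22" "ppp0 tcp 22" "ppp0 udp 53" "ppp0 tcp 2222" "ppp0 udp 5060"; do
    set -- $pkt
    printf '%-5s %-4s %-5s -> %s\n' "$1" "$2" "$3" "$(input_verdict "$1" "$2" "$3")"
done
```

The walk makes the gap visible: a ppp0 packet to tcp/2222 or udp/5060 matches nothing and is accepted by the policy, because only ports 0 to 1023 are covered, while anything on eth0 is accepted at rule 2 regardless of port.

----------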

## Nrot

I'd have no problem switching to just allowing established traffic.  I'm still trying to figure all this out... 

Got forced into this a bit earlier than I had planned when my D-Link router finally died (board discolored from heat; highest external temp over 120 Fahrenheit).  >.<

So I'm still trying to get a hold of what's going on.  I have a small grasp on how to write iptables rules, but nowhere near where I wanted to be when I switched to using a computer and a switch.

If you could throw me a copy of what established-only commands would look like I'd love to use them, and any explanation of them is greatly appreciated.  Looking around on how to do that now.

Here's the first ssh packet.  The rule isn't up there, but iptables refuses to block when I add it or just add it with -I.  This is from the LAN (client) to LAN (server), which I plan on keeping open, but it should work for the example.

```
10   20.675830   192.168.0.121   192.168.0.1   TCP   48884 > ssh [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=43570249 TSER=0 WS=7

0000  00 14 d1 3c 76 9a 00 90  f5 5d 51 8d 08 00 45 00   ...<v... .]Q...E.
0010  00 3c 86 b2 40 00 40 06  32 3f c0 a8 00 79 c0 a8   .<..@.@. 2?...y..
0020  00 01 be f4 00 16 34 1b  52 fb 00 00 00 00 a0 02   ......4. R.......
0030  16 d0 92 62 00 00 02 04  05 b4 04 02 08 0a 02 98   ...b.... ........
0040  d4 49 00 00 00 00 01 03  03 07                     .I...... ..
```

----------

## Hu

An appropriate rule for established connections would be `iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT`.  Place this high enough up that it precedes any blanket deny rules.  You will need CONFIG_NETFILTER_XT_MATCH_CONNTRACK enabled in the kernel.  You can compile it in or build it as a module.  If you build it as a module, you may need to explicitly load it with modprobe before your firewall script can use it.

Your ssh capture is not good for demonstrating the problem, since it is allowed by the third INPUT rule.  It is traffic coming in on eth0, so the action for rule 3 applies: ACCEPT.  Traversal of the INPUT chain stops and the packet is accepted into the IP stack.

----------
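
Putting Hu's two suggestions together (accept ESTABLISHED traffic first, then deny everything else regardless of port, with the policy doing the denying), here is a complete replacement for the script at the top of the thread. It is an added example, not Nrot's final script or anything from the Gentoo howto: the interface names, the 192.168.0.0/24 LAN and the port-53098 forward to 192.168.0.130 are taken from the posts, everything else (the ipt wrapper, the APPLY switch, the RELATED and INVALID rules) is this example's own choice. It prints the commands by default so they can be reviewed; APPLY=1 as root loads them, which requires the conntrack match Hu mentions.

```shell
#!/bin/sh
# Added example: stateful "accept ESTABLISHED, drop the rest" rules for the
# router in the thread. Dry run by default (prints the iptables commands);
# APPLY=1 runs them for real, which needs root and xt_conntrack.
LAN=${LAN:-eth0}
WAN=${WAN:-ppp0}
LANNET=${LANNET:-192.168.0.0/24}
FWD_HOST=${FWD_HOST:-192.168.0.130}   # port-forward target from the thread
FWD_PORT=${FWD_PORT:-53098}

# Every rule goes through ipt, so the dry run shows exactly what APPLY=1 runs.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

firewall_rules() {
    ipt -F
    ipt -t nat -F

    # INPUT: traffic addressed to the router itself.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the router opened, plus related ICMP errors,
    # are accepted whatever their port, so no 0:1023 carve-out is needed.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Only the LAN may open new connections to the router (DNS, DHCP, ssh).
    ipt -A INPUT -i "$LAN" -s "$LANNET" -j ACCEPT
    # Anything that gets here is a new connection from the WAN: policy DROP.

    # FORWARD: traffic passing through the router.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # LAN hosts may open anything outbound.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT
    # The only new inbound flows allowed are the DNAT'd ones; FORWARD sees
    # the packet after PREROUTING has already rewritten its destination.
    for proto in tcp udp; do
        ipt -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$FWD_HOST" \
            --dport "$FWD_PORT" -m conntrack --ctstate NEW -j ACCEPT
    done

    # NAT: masquerade outbound on the WAN, forward FWD_PORT inbound.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    for proto in tcp udp; do
        ipt -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$FWD_PORT" \
            -j DNAT --to-destination "$FWD_HOST"
    done

    # Policies last, so an existing ssh session from the LAN is covered by
    # the ESTABLISHED rule before INPUT switches to deny-by-default.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

firewall_rules
```

Run it once without APPLY to read the rule list, then `APPLY=1 sh fw.sh` as root. Because the ESTABLISHED,RELATED rule sits right after lo, the whole 0:1023 versus unprivileged-port distinction from the original script disappears: a new connection from ppp0 to port 2222 or 53098 on the router itself now hits the DROP policy just like one to port 22. For an atomic reload on a box you are administering remotely, feed the same rules to iptables-restore instead of running them one by one.

----------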

## Nrot

Sorry for the delay.  ATT broke... again.  If the other good internet I know of weren't overpriced and bandwidth-restricted, I wouldn't stay.

I got a table written that worked but didn't like it much.  So I went ahead and learned the Firewall Builder GUI.  Now I've got one that works, with time to read the documentation and all and figure it out.

Thanks for the ideas, got some reading in on them!  Just realized that the box is smart enough to realize, even when I try to connect to the external IP, that I'm still coming from within!  Never had a router do that.  Somewhat nice; I just worry about the spoofability of that.  Guess I'll find out sometime.

----------

