# Questioning iptables behavior

## dE_logics

I set 

```
iptables -t filter -A OUTPUT -o eth0 -p all -j DROP
```

To allow blocking of almost all connections from the interface eth0. But I can surf and download (FTP, HTTP etc.). So why is this not blocking everything? However, if I set the default policy of the OUTPUT chain to DROP, it works as expected.

So are the rules in the chain not matching, and if so, why?

----------

## Hu

What is the output of iptables-save -c in the failed case?

----------

## oRDeX

Is there any other rule in the chain? Have you tried removing -o eth0? (I imagine that eth0 is your interface to the internet.)

----------

## d2_racing

Can you post this :

```
# iptables -L
```

----------

## dE_logics

iptables -L

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
```

```
# Generated by iptables-save v1.4.7 on Mon Jun 21 15:24:56 2010
*raw
:PREROUTING ACCEPT [172:118591]
:OUTPUT ACCEPT [172:17952]
COMMIT
# Completed on Mon Jun 21 15:24:56 2010
# Generated by iptables-save v1.4.7 on Mon Jun 21 15:24:56 2010
*mangle
:PREROUTING ACCEPT [172:118591]
:INPUT ACCEPT [168:118511]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [172:17952]
:POSTROUTING ACCEPT [172:17952]
COMMIT
# Completed on Mon Jun 21 15:24:56 2010
# Generated by iptables-save v1.4.7 on Mon Jun 21 15:24:56 2010
*filter
:INPUT ACCEPT [2:112]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:248]
[0:0] -A OUTPUT -o eth0 -j DROP
COMMIT
# Completed on Mon Jun 21 15:24:56 2010
```

Removing -o eth0 does the trick. But I would like to know why this happened. Here's the iptables -L without specifying the output interface:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
```

Which is identical.

----------

## Anarcho

You should use

iptables -L -v

to show all information about the rules.

But could it be that eth0 isn't your outgoing interface? Could it be another ethX or even ppp0 in case of DSL etc?

----------

## dE_logics

No, eth0 is the only active interface I have... that's connected to the Internet.

----------

## Anarcho

Could you please provide:

ifconfig -a

iptables -L -v

----------

## d2_racing

There is something wrong for sure.

----------

## dE_logics

iptables -L -v

```
Chain INPUT (policy ACCEPT 27 packets, 8018 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        udp  --  ppp+   any     anywhere             anywhere            udp dpts:0:1023 LOG level warning
    4   196 LOG        tcp  --  ppp+   any     anywhere             anywhere            tcp dpts:0:1023 LOG level warning
    0     0 DROP       udp  --  ppp+   any     anywhere             anywhere            udp dpts:0:1023
    4   196 DROP       tcp  --  ppp+   any     anywhere             anywhere            tcp dpts:0:1023
    3   144 LOG        tcp  --  ppp+   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
    3   144 DROP       tcp  --  ppp+   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    5  6061 DROP       icmp --  ppp+   any     anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 80 packets, 7589 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    eth0    anywhere             anywhere
```

ifconfig -a

```
eth0      Link encap:Ethernet  HWaddr 00:1c:23:a1:9d:09
          inet6 addr: fe80::21c:23ff:fea1:9d09/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:288 errors:0 dropped:0 overruns:0 frame:0
          TX packets:499 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:72143 (70.4 KiB)  TX bytes:67177 (65.6 KiB)
          Interrupt:18

lo        Link encap:Local Loopback
          LOOPBACK  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:59.94.136.245  P-t-P:59.94.128.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:267 errors:0 dropped:0 overruns:0 frame:0
          TX packets:474 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:63797 (62.3 KiB)  TX bytes:53054 (51.8 KiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```

Also, another small question -- to make NAT work, I don't have to configure anything in it? Just start iptables and it will start working?

----------

## dE_logics

OOOk! I think I need to use ppp0 instead of eth0.

And now it works.

----------

## Anarcho

I don't like to quote myself, but....

 *Anarcho wrote:*   

> But could it be that eth0 isn't your outgoing interface? Could it be another ethX or even ppp0 in case of DSL etc?

 


EDIT:

For NAT you would need to use the MASQUERADE Target in your postrouting table:

iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0

and enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

----------

## Hu

 *Anarcho wrote:*   

> You should use
> 
> iptables -L -v
> 
> to show all information about the rules.

No, he should use iptables-save -c to show all information about the rules, which is why I asked for it.  Using iptables -L -v does not show non-default tables, nor does it show exact packet and byte counters, nor does it prevent iptables from resolving numbers to names, which could potentially obscure useful information.  You can get closer to full output with iptables -n -v -x -L, which still misses non-default tables, but does at least provide non-resolved numbers and exact counters.

 *dE_logics wrote:*   

> Also, another small question -- to make NAT work, I don't have to configure anything in it? Just start iptables and it will start working?

No, you need to configure NAT properly for it to work.  Specifically, you need to instruct the edge Linux to perform appropriate header rewriting on packets going from LAN to WAN.  This is typically accomplished with either SNAT or MASQUERADE, depending on your WAN configuration.

Also, you need IP forwarding enabled, but that is required even if you are not doing NAT on the routed packets.

----------
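
Hu's point about `iptables-save -c` is what actually diagnoses this thread: the `[0:0]` counters on `-A OUTPUT -o eth0 -j DROP` show the rule never matched a single packet. The `ifconfig -a` output explains why: eth0 carries only a link-local IPv6 address, while the IPv4 address and (given the 1492 MTU, almost certainly a PPPoE session riding on eth0) the default route belong to ppp0. Netfilter sees outbound IP packets leaving via ppp0; the PPPoE frames that later go out on eth0 are not IP packets traversing the filter table, so `-o eth0` can never match them. The POSIX shell script below is an editorial example added to this page, not something posted in the thread. It lists every rule whose counters are still zero and compares the interface that rule is pinned to with the device of the default route. The `iptables-save -c` and `ip route` text embedded in it is constructed for the example (modelled on the output posted above); running it as root with `--live` uses the real `iptables-save -c` and `ip route` output instead.

```sh
#!/bin/sh
# Added diagnostic for "my iptables rule never matches": list the rules whose
# iptables-save -c counters are still [0:0] and check whether the interface
# they match on is the one the default route really uses.

# Constructed sample of `iptables-save -c` output, modelled on the ruleset
# posted in this thread. The OUTPUT rule has counters [0:0]: never matched.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [10:800]
:POSTROUTING ACCEPT [12:900]
:OUTPUT ACCEPT [12:900]
COMMIT
*filter
:INPUT ACCEPT [2:112]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:248]
[4:196] -A INPUT -i ppp+ -p tcp -m tcp --dport 0:1023 -j DROP
[0:0] -A OUTPUT -o eth0 -j DROP
COMMIT'

# Constructed sample of `ip route` output for the same box: the default
# route leaves via ppp0, so -o eth0 can never match outbound IPv4 traffic.
SAMPLE_ROUTE='default dev ppp0 scope link
59.94.128.1 dev ppp0 proto kernel scope link src 59.94.136.245'

# Read iptables-save -c text on stdin; print "table: rule" for every rule
# whose packet and byte counters are both zero.
zero_hit_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        $1 == "[0:0]" && $2 == "-A" { sub(/^[^ ]+ /, ""); print table ": " $0 }
    '
}

# Read `ip route` text on stdin; print the device of the default route.
default_iface() {
    awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Print the interface named by -i or -o in a single rule, or nothing.
rule_iface() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "-i" || $i == "-o") { print $(i + 1); exit }
    }'
}

# $1 = iptables-save -c text, $2 = ip route text. Report every zero-hit
# rule that is pinned to an interface other than the default-route device.
check_egress() {
    dflt=$(printf '%s\n' "$2" | default_iface)
    printf '%s\n' "$1" | zero_hit_rules | while IFS= read -r rule; do
        ifc=$(rule_iface "$rule")
        if [ -n "$ifc" ] && [ "$ifc" != "$dflt" ]; then
            printf 'never matched: %s (default route leaves via %s, not %s)\n' \
                "$rule" "$dflt" "$ifc"
        fi
    done
}

# With --live (as root) inspect the running system; otherwise use the samples.
if [ "${1:-}" = "--live" ]; then
    check_egress "$(iptables-save -c)" "$(ip route)"
else
    check_egress "$SAMPLE_SAVE" "$SAMPLE_ROUTE"
fi
```

On the constructed sample this prints one line naming the OUTPUT rule and noting that the default route leaves via ppp0, not eth0. A zero counter on a rule you expect to fire is the fastest tell that a match condition is wrong; `iptables -L` hides the counters entirely, which is why the two listings in the thread looked "identical" while one rule was dead.

----------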

## dE_logics

SNAT is for static IP.

Thanks for the info. Hope MASQUERADE and SNAT will work for clients with static IP also.

----------
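
Anarcho's MASQUERADE rule and Hu's reply cover the two mandatory pieces (header rewriting in the nat table and `ip_forward`), but the ruleset posted earlier in this thread has the FORWARD policy set to DROP, so routed LAN packets also need explicit FORWARD rules or nothing passes even with NAT correctly configured. The function below is an added example, not a configuration anyone in the thread posted: it emits a complete `iptables-restore` ruleset for an edge box, choosing `SNAT --to-source` when a fixed WAN address is supplied (dE_logics' "SNAT is for static IP") and MASQUERADE otherwise, restricts the translation to the LAN prefix and the WAN interface instead of masquerading everything, and adds the FORWARD rules. The interface names and addresses it is called with (ppp0, eth0, eth1, 192.168.1.0/24, 203.0.113.7) are assumptions for the example.

```sh
#!/bin/sh
# Added example: emit a complete iptables-restore ruleset for a Linux edge
# box that NATs a LAN out through a WAN interface. Interface names and
# addresses used in the usage lines are assumptions, not from the thread.
#
# nat_ruleset WAN_IF LAN_IF LAN_NET [STATIC_WAN_IP]
#   With STATIC_WAN_IP: SNAT to that fixed address.
#   Without:            MASQUERADE (address re-read from the interface,
#                       the usual choice for a PPP or DHCP link).
nat_ruleset() {
    wan=$1 lan=$2 net=$3 static=${4:-}
    if [ -n "$static" ]; then
        translate="-A POSTROUTING -s $net -o $wan -j SNAT --to-source $static"
    else
        translate="-A POSTROUTING -s $net -o $wan -j MASQUERADE"
    fi
    # Lines starting with '#' are comments to iptables-restore.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
$translate
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD policy is DROP, so routed packets need explicit rules: replies to
# LAN-initiated flows come back in, and only the LAN prefix may go out.
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# Apply on the edge box (as root): forwarding must be on, or the kernel
# never routes the packets regardless of what the nat table says.
apply_nat() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_ruleset "$@" | iptables-restore
}

# ./nat.sh --apply ppp0 eth0 192.168.1.0/24              # dynamic WAN address
# ./nat.sh --apply eth1 eth0 192.168.1.0/24 203.0.113.7  # static WAN address
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_nat "$@"
fi
```

MASQUERADE also works on a link with a static address, but it looks up the interface address for every new connection and forgets its conntrack entries when the interface goes down, which is why SNAT with an explicit `--to-source` is the conventional choice once the address is fixed. Restricting the POSTROUTING rule with `-s LAN_NET` keeps the router's own traffic and anything spoofed from other prefixes from being rewritten.

----------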

