Welcome to the Linux Foundation Forum!

linux firewall, iptables forwarding problem

weiweiweiwei Posts: 2
in Introductions

Hi,

I am new to the linux, but I need to set up a simple firewall for the local network.

I have Ubuntu kernel 2.6 installed, two NIC cards with a one static IP address to internet, I am using bridge-utilities bridge two interfaces together. The bridge is up and fine.

Now I am really stock at this point.

I set default policy to DROP for Forward and enabled forwarding.

Then add rules like these:

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

the local computer can not access internet, but if I changed default FORWARD policy to ACCEPT,

the local computer then can access internet.

I really don't understand why, Please help!

weiwei

Comments

  • mfillpotmfillpot Posts: 2,180
    The issue is with the order of operation in your rules, add the "-P" entries on the end to make them the final actions. This will allow the forwarding rules to be caught and used before the packets are being dropped.
  • weiweiweiwei Posts: 2
    Thank you very much for replying, did the firewall check the default policy very last?
    weiwei
  • marcmarc Posts: 647
    weiwei wrote:
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    Why do the state have to be ESTABLISHED or RELATED? Like this newly generated packets won't get through your rules and will be DROPed as that is your default policy.

    Try changing that

    Regards
  • mfillpotmfillpot Posts: 2,180
    The default policy must be set last, iptables reads the rules in the order they are input so whatever is last will be default for anything that does not find a matching rule in the preceding rules.
  • marcmarc Posts: 647
    mfillpot wrote:
    The default policy must be set last, iptables reads the rules in the order they are input so whatever is last will be default for anything that does not find a matching rule in the preceding rules.

    AFAIK this is not true.

    The policies are only applied whenever all the other rules fail.
  • UnknownUnknown
    edited April 2016

    This was the sort of problem i faced in Linux Firewall that is in Forwarding iptables. 

    i hav 3 NICs

    eth0 is my internet interface

    eth1 is DMZ interface (doesnt really act like a dmz yet)

    eth2 is my local lan

    I want to forward the ports to the server on the DMZ

    I looked on google on more sites on how to forward ports and it says :

    iptables -t nat -A PREROUTING -p tcp -d $INET_IP --dport 25 -j DNAT --to $DMZ_SERVER1:80

    is this command correct?

    thanks for your reply

    EDIT:

    no worried thanks again for your reply fixed it. USed these commands

    $IPTABLES -A FORWARD -p tcp -i $INETIF --destination-port 80 --destination 192.168.2.2 -j ACCEPT

    $IPTABLES -t nat -A PREROUTING -p tcp -i $INETIF --destination-port 80 -j DNAT --to-destination 192.168.2.2:80 __________________

    rm -rf /

Sign In or Register to comment.