linux firewall, iptables forwarding problem
Hi,
I am new to Linux, but I need to set up a simple firewall for the local network.
I have Ubuntu with kernel 2.6 installed, two NIC cards with one static IP address to the internet, and I am using bridge-utils to bridge the two interfaces together. The bridge is up and fine.
Now I am really stuck at this point.
I set the default policy to DROP for FORWARD and enabled forwarding.
Then I added rules like these:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
The local computer cannot access the internet, but if I change the default FORWARD policy to ACCEPT,
the local computer can access the internet.
I really don't understand why. Please help!
weiwei
Comments
-
The issue is with the order of operations in your rules: add the "-P" entries at the end to make them the final actions. This will allow the forwarding rules to be caught and used before the packets are dropped.
-
Thank you very much for replying. Does the firewall check the default policy last?
weiwei
-
weiwei wrote: iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Why does the state have to be ESTABLISHED or RELATED? Like this, newly generated packets won't get through your rules and will be DROPped, as that is your default policy.
Try changing that.
Regards
-
The default policy must be set last; iptables reads the rules in the order they are input, so whatever is last will be the default for anything that does not find a matching rule in the preceding rules.
-
mfillpot wrote: The default policy must be set last, iptables reads the rules in the order they are input so whatever is last will be default for anything that does not find a matching rule in the preceding rules.
AFAIK this is not true.
The policies are only applied whenever all the other rules fail.
-
This was the sort of problem I faced with the Linux firewall, that is, forwarding in iptables.
I have 3 NICs:
eth0 is my internet interface
eth1 is the DMZ interface (doesn't really act like a DMZ yet)
eth2 is my local LAN
I want to forward the ports to the server on the DMZ.
I looked on Google at several sites for how to forward ports, and they say:
iptables -t nat -A PREROUTING -p tcp -d $INET_IP --dport 25 -j DNAT --to $DMZ_SERVER1:80
Is this command correct?
Thanks for your reply.
EDIT:
No worries, thanks again for your reply, fixed it. Used these commands:
$IPTABLES -A FORWARD -p tcp -i $INETIF --destination-port 80 --destination 192.168.2.2 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $INETIF --destination-port 80 -j DNAT --to-destination 192.168.2.2:80
__________________
rm -rf /
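Added example, not code from this thread or from iptables itself: a small Python model of how a netfilter chain is walked, applied to the rule sets posted above. It makes three things concrete that the replies argue about: the first matching rule decides and the chain policy is only a fallback, so it does not matter whether -P is issued before or after the -A lines; on a bridge (bridge-utils, with net.bridge.bridge-nf-call-iptables=1) bridged frames still traverse FORWARD, but -i and -o are both the bridge device, and the physical ports are only visible to -m physdev, so the posted -i eth1 -o eth0 rules never match and the DROP policy wins; and nat PREROUTING runs before FORWARD, so a FORWARD rule for a DNATed port must match the translated (DMZ) address, as in the last post's fix. The interface names, the bridge name br0 and the addresses 203.0.113.5 / 192.168.2.2 / 192.168.1.10 are assumptions for the demo.

```python
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Packet:
    in_if: str            # -i : device the packet arrived on (br0 when bridged)
    out_if: str           # -o : device it will leave on (br0 when bridged)
    dst: str
    dport: int
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED
    phys_in: str = ""     # -m physdev --physdev-in  (bridge port, bridged traffic only)
    phys_out: str = ""    # -m physdev --physdev-out (bridge port, bridged traffic only)

@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                              # ACCEPT, DROP or DNAT
    dnat_to: Optional[Tuple[str, int]] = None

@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"                   # iptables -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def add(self, match, target, dnat_to=None):   # iptables -A <chain> ... -j <target>
        self.rules.append(Rule(match, target, dnat_to))

    def walk(self, pkt: Packet) -> Tuple[str, Packet]:
        """First matching rule decides; the policy is consulted only when no rule
        matched, so when -P was issued relative to the -A lines is irrelevant."""
        for rule in self.rules:
            if rule.match(pkt):
                if rule.target == "DNAT":
                    ip, port = rule.dnat_to
                    return "DNAT", replace(pkt, dst=ip, dport=port)
                return rule.target, pkt
        return self.policy, pkt

def forward_chain_from_post(policy_before_rules: bool) -> Chain:
    """The FORWARD chain exactly as posted; the flag only moves the -P line."""
    fwd = Chain("FORWARD")
    if policy_before_rules:
        fwd.policy = "DROP"
    fwd.add(lambda p: p.in_if == "eth0" and p.out_if == "eth1"
                      and p.state in ("ESTABLISHED", "RELATED"), "ACCEPT")
    fwd.add(lambda p: p.in_if == "eth1" and p.out_if == "eth0", "ACCEPT")
    if not policy_before_rules:
        fwd.policy = "DROP"
    return fwd

def routed_verdicts(policy_before_rules: bool) -> Dict[str, str]:
    """Two NICs routing between two subnets: -i/-o are the physical NICs, so the
    posted rules work (LAN-initiated out, replies back, unsolicited inbound dropped)."""
    fwd = forward_chain_from_post(policy_before_rules)
    pkts = {
        "lan_new":  Packet("eth1", "eth0", "198.51.100.10", 80),
        "reply":    Packet("eth0", "eth1", "192.168.1.10", 45000, state="ESTABLISHED"),
        "inet_new": Packet("eth0", "eth1", "192.168.1.10", 22),
    }
    return {k: fwd.walk(p)[0] for k, p in pkts.items()}

def bridged_verdicts(use_physdev: bool) -> Dict[str, str]:
    """Same NICs enslaved to br0 (assumed name). Bridged frames reach FORWARD with
    br0 as both -i and -o; the bridge ports only match through -m physdev."""
    if use_physdev:
        fwd = Chain("FORWARD", policy="DROP")
        fwd.add(lambda p: p.phys_in == "eth0" and p.phys_out == "eth1"
                          and p.state in ("ESTABLISHED", "RELATED"), "ACCEPT")
        fwd.add(lambda p: p.phys_in == "eth1" and p.phys_out == "eth0", "ACCEPT")
    else:
        fwd = forward_chain_from_post(True)          # the rules exactly as posted
    lan_new = Packet("br0", "br0", "198.51.100.10", 80,
                     phys_in="eth1", phys_out="eth0")
    reply = Packet("br0", "br0", "192.168.1.10", 45000, state="ESTABLISHED",
                   phys_in="eth0", phys_out="eth1")
    return {"lan_new": fwd.walk(lan_new)[0], "reply": fwd.walk(reply)[0]}

INET_IP = "203.0.113.5"        # assumed public address (the thread's $INET_IP)
DMZ_SERVER = "192.168.2.2"     # the DMZ host from the last post

def port_forward_verdict(forward_matches_translated_dst: bool) -> Tuple[str, str, int]:
    """nat PREROUTING runs before the routing decision, so FORWARD already sees
    the DMZ address; a FORWARD rule still matching on the public address never fires."""
    pre = Chain("PREROUTING")
    pre.add(lambda p: p.in_if == "eth0" and p.dst == INET_IP and p.dport == 80,
            "DNAT", (DMZ_SERVER, 80))
    fwd = Chain("FORWARD", policy="DROP")
    wanted = DMZ_SERVER if forward_matches_translated_dst else INET_IP
    fwd.add(lambda p: p.in_if == "eth0" and p.dst == wanted and p.dport == 80, "ACCEPT")
    pkt = Packet("eth0", "eth1", INET_IP, 80)        # inbound SYN to the public address
    _, pkt = pre.walk(pkt)                           # DNAT rewrites the destination
    verdict, pkt = fwd.walk(pkt)
    return verdict, pkt.dst, pkt.dport

if __name__ == "__main__":
    print("routed, -P first :", routed_verdicts(True))
    print("routed, -P last  :", routed_verdicts(False))
    print("bridged, as posted:", bridged_verdicts(False))
    print("bridged, physdev  :", bridged_verdicts(True))
    print("DNAT + FORWARD on DMZ addr   :", port_forward_verdict(True))
    print("DNAT + FORWARD on public addr:", port_forward_verdict(False))
```

On a real bridge firewall the physdev variant corresponds to rules such as `iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT` and `iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT`, and only takes effect while `net.bridge.bridge-nf-call-iptables` is 1; with it set to 0 bridged frames bypass iptables entirely and no FORWARD policy applies to them.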