forum.excito.org

Posted: **29 Jan 2012, 19:46**

Hi All,

I am reading up on iptables and I thought I got it until I saw a description and the iptables commands. The description is as follows

allow our users to be able to access WWW servers on the Internet, but to allow no other traffic to be passed

The iptables commands that is supposed to do this is in the example

Code: Select all

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 --syn -j DROP
iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 --sport 80 -d 0/0 -j ACCEPT
iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 --dport 80 -s 0/0 -j ACCEPT

I do not understand how that can work, I tought that the iptables for doing what is described should look like the following.

Code: Select all

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m tcp -p tcp -s 0/0 -d 172.16.1.0/24 --syn -j DROP
iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 -d 0/0  --dport 80 -j ACCEPT
iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 -j ACCEPT

My understanding is that
* the third line should block incoming TCP establishments from all ports and IP addresses
* the fourth line should allow outgoing TCP connections to WWW servers on the internet
* and that the fifth line should allow responses to on connections created by internal node

Source ports on a web browser is a random number higher than 1024 and the port of a web server is in most cases port 80.

Is the original example correct or am I?

Best Regards,
Morgan

Posted: **04 Feb 2012, 10:24**

Seems to me like a bad example, although it might serve a demonstrative purpose if it even had been correct. Your version is in this sense correct.

Thing is that the first rule is supposed to protect against a syn flood, but at the same time it expects a site that does bad things to send perfectly correct packets. It would be more logical to use iptables' connection tracker to just block any traffic that is initiated by an address connected to the WAN interface:

Code: Select all

iptables -A FORWARD -m state -p tcp -i eth0 --state NEW -j DROP

Then the fifth line says that you want to accept traffic that originates from port 80, but this is silly because the only traffic that can exist is already defined by the fact that it has to be initiated on the LAN and can only be with port 80 on the WAN side. You could get the same result if you made this an accept all rule, which is also silly because this would override the policy.

Check out the original firewall script on Bubba and note the following two lines:

Code: Select all

iptables -A FORWARD -i br0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Essentially this does the same as your example, with the exception that this accepts what we do want rather than blocking what we don't want (the policy will take care of that). If you'd want to limit traffic to allow http only, just change that first line to:

Code: Select all

iptables -A FORWARD -i br0 --dport 80 -j ACCEPT

forum.excito.org

[Solved] Is this iptables example correct?

[Solved] Is this iptables example correct?

Re: Is this iptables example correct?