Anyone good with iptables and MASQ/NATing firewalls?

    Date: 03/20/08 (Computer Geeks)    Keywords: web

    I've got a problem. I've got a router running iptables with masquerading and NAT running. I want to block some IP ranges from coming into the system. However, it seems that no matter what I try, I can't actually block the IPs. Right now I watch the traffic going through the router to a web server on the other side of the router (but not on the router itself).

    Here are the rules I'm trying (note I've tried every chain, INPUT, FORWARD, OUTPUT, PREROUTING):

    eth0 is world facing, eth1 is internal

    iptables -A PREROUTING -i eth0 -s 38.105.83.0/24 -j DROP
    iptables -A PREROUTING -i eth0 -s 38.100.41.64/26 -j DROP
    iptables -A PREROUTING -i eth0 -s 194.72.238.0/24 -j DROP
    iptables -A PREROUTING -i eth0 -s 66.249.64.0/19 -j DROP


    And here's a dump using iptables-save:

    # Generated by iptables-save v1.3.3 on Thu Mar 20 04:05:40 2008
    *nat
    :PREROUTING ACCEPT [2876241:307448826]
    :POSTROUTING ACCEPT [6521:333829]
    :OUTPUT ACCEPT [12954:928292]
    -A prerouting_rule -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
    -A POSTROUTING -o eth1 -j MASQUERADE

    *mangle
    :PREROUTING ACCEPT [22505476:11729363667]
    :INPUT ACCEPT [1855615:190994709]
    :FORWARD ACCEPT [19949171:11434442261]
    :OUTPUT ACCEPT [129100:18125182]
    :POSTROUTING ACCEPT [20078113:11452563549]

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
    -A INPUT -i ! vlan1 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p gre -j ACCEPT
    -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -m state --state INVALID -j DROP
    -A forwarding_rule -d 10.0.0.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -i br0 -o vlan1 -j ACCEPT
    -A OUTPUT -m state --state INVALID -j DROP
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j ACCEPT
    -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
    -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

    Source: http://community.livejournal.com/computergeeks/1159847.html
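A way to check, offline, where source-address block rules sit relative to the path a forwarded (DNATed) packet actually takes, added here as an example for this thread; it is not code from the original post. It parses the iptables-save format shown above. The dump embedded in the script is constructed, modelled on the post's layout, and the forward-path chain list and the "shadowing" heuristic are this example's own assumptions rather than anything the post states.

```python
"""Locate source-address DROP rules in an iptables-save dump and judge whether
they can hit traffic forwarded to an internal host. Added example; the dump and
the heuristics below are constructed assumptions, not the post's own data."""
import ipaddress
import shlex

# Chains a packet arriving on the outside interface and forwarded inward passes
# through (assumption of this example). INPUT/OUTPUT never see forwarded traffic,
# so a DROP appended there cannot block it.
FORWARD_PATH = (
    ("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING"),
    ("mangle", "FORWARD"), ("filter", "FORWARD"),
)

# Constructed dump modelled on the post's layout (prerouting_rule is appended to
# but never declared, as in the post; the FORWARD DROPs sit at different spots).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A prerouting_rule -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 194.72.238.0/24 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -s 38.105.83.0/24 -j DROP
-A FORWARD -i eth0 -o eth1 -d 10.0.0.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 66.249.64.0/19 -j DROP
COMMIT
"""


def _take(argv, i):
    """Value of the option at argv[i]; accepts the old '-i ! eth0' negation."""
    j = i + 1
    negated = j < len(argv) and argv[j] == "!"
    if negated:
        j += 1
    return argv[j], negated, j + 1


def rule_fields(argv):
    """Extract the matches this check cares about; everything else is skipped."""
    f = {"src": None, "src_negated": False, "in": None, "out": None,
         "target": None, "state": None}
    negate_next, i = False, 0
    while i < len(argv):
        tok = argv[i]
        if tok == "!":                       # new-style '! -s 1.2.3.0/24'
            negate_next, i = True, i + 1
            continue
        if tok in ("-s", "--source", "--src"):
            val, neg, i = _take(argv, i)
            try:
                f["src"] = ipaddress.ip_network(val, strict=False)
            except ValueError:               # hostnames are not resolved here
                f["src"] = None
            f["src_negated"] = neg or negate_next
        elif tok in ("-i", "--in-interface"):
            f["in"], _, i = _take(argv, i)
        elif tok in ("-o", "--out-interface"):
            f["out"], _, i = _take(argv, i)
        elif tok in ("-j", "--jump"):
            f["target"], _, i = _take(argv, i)
        elif tok == "--state":
            val, _, i = _take(argv, i)
            f["state"] = frozenset(val.split(","))
        else:
            i += 1
        negate_next = False
    return f


def parse_iptables_save(text):
    """Return {table: {"chains": {name: policy}, "rules": {chain: [fields]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"chains": {}, "rules": {}}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table]["chains"][name] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)
            tables[table]["rules"].setdefault(argv[1], []).append(rule_fields(argv[2:]))
    return tables


def undeclared_chains(tables):
    """(table, chain) pairs that rules append to but no ':' line declares:
    iptables-restore rejects such a dump, and a user chain nothing jumps to is
    never evaluated anyway."""
    return [(t, c) for t, d in tables.items() for c in d["rules"] if c not in d["chains"]]


def _may_shadow(rule):
    """Heuristic: an earlier ACCEPT with no source match can decide the packet
    before the DROP, unless it only accepts RELATED/ESTABLISHED (a blocked
    source's opening SYN is NEW, so that accept does not apply to it)."""
    if rule["target"] != "ACCEPT" or rule["src"] is not None:
        return False
    return not (rule["state"] and rule["state"] <= {"RELATED", "ESTABLISHED"})


def check_block(tables, cidr):
    """hits: (table, chain, index) of DROP/REJECT rules covering cidr on the
    forward path; shadowed: earlier ACCEPT indices per hit; effective: True
    if at least one hit has nothing in front of it that could match first."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits, shadowed = [], {}
    for table, chain in FORWARD_PATH:
        rules = tables.get(table, {}).get("rules", {}).get(chain, [])
        for idx, r in enumerate(rules):
            if r["target"] not in ("DROP", "REJECT") or r["src"] is None or r["src_negated"]:
                continue
            if net.version != r["src"].version or not net.subnet_of(r["src"]):
                continue
            hits.append((table, chain, idx))
            shadowed[(table, chain, idx)] = [i for i, a in enumerate(rules[:idx]) if _may_shadow(a)]
    return {"cidr": cidr, "hits": hits, "shadowed": shadowed,
            "effective": any(not shadowed[h] for h in hits)}


if __name__ == "__main__":
    tables = parse_iptables_save(SAMPLE_DUMP)
    print("undeclared chains:", undeclared_chains(tables))
    for cidr in ("38.105.83.0/24", "38.100.41.64/26", "194.72.238.0/24", "66.249.64.0/19"):
        print(check_block(tables, cidr))
```

Run against a live dump with `iptables-save | python3 check.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`. On the constructed dump, 38.105.83.0/24 is dropped in filter FORWARD before any broad ACCEPT, 194.72.238.0/24 is only dropped in INPUT (which forwarded traffic never traverses), and the 66.249.64.0/19 DROP is reported but shadowed by the two interface-only ACCEPTs above it, so only the first range is effectively blocked for the web server behind the router. Rule counters (`iptables -L FORWARD -v -n`) confirm the same thing on a live box: a DROP that never increments is not being reached.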
