Hello,
how do you block incoming AND outgoing traffic to a site?
I have 2 drop lines for a site in my /etc/sysconfig/iptables:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -d xx.xx.xx.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
COMMIT
but for some reason I can still "ping xx.xx.xx.1", and "ssh xx.xx.xx.1" prints "ssh: connect to host xx.xx.xx.1 port 22: Connection refused" immediately, which probably means my packets aren't dropped at all.
Using CentOS 5.6/64 bit
Thank you,
Alex
On Mon, Apr 25, 2011 at 06:03:29PM +0200, Alexander Farber wrote:
To block outgoing traffic (traffic originating on this host destined for another machine) you need to add rules to the OUTPUT filter.
Stephen Harris wrote:
To block outgoing traffic (traffic originating on this host destined for another machine) you need to add rules to the OUTPUT filter.
Meaning:
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A OUTPUT -d xx.xx.xx.0/24 -j DROP
Ljubomir
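The following is an added illustration, not code from anyone in this thread: a small model of first-match chain traversal that replays the posted INPUT chain (ordering kept, ports and limits omitted) once with the empty OUTPUT chain from the original post and once with the "-A OUTPUT -d ... -j DROP" rule suggested above. The site network and host address are constructed RFC 5737 placeholders standing in for "xx.xx.xx.0/24". It shows why the ping kept working: the outgoing echo request never traverses INPUT, and the echo reply matches the RELATED,ESTABLISHED accept before the DROP rule is reached.

```python
import ipaddress

# Constructed stand-ins for the thread's "xx.xx.xx.0/24" and the CentOS box itself.
SITE = ipaddress.ip_network("192.0.2.0/24")
HOST = ipaddress.ip_address("198.51.100.10")

def rule(target, src=None, dst=None, state=None, proto=None):
    return {"target": target, "src": src, "dst": dst, "state": state, "proto": proto}

def matches(r, pkt):
    return ((r["src"] is None or pkt["src"] in r["src"])
            and (r["dst"] is None or pkt["dst"] in r["dst"])
            and (r["state"] is None or pkt["state"] in r["state"])
            and (r["proto"] is None or pkt["proto"] == r["proto"]))

def verdict(chain, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in chain["rules"]:
        if matches(r, pkt):
            return r["target"]
    return chain["policy"]

# INPUT chain in the order it was posted (conntrack accept comes first).
INPUT = {"policy": "DROP", "rules": [
    rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
    rule("DROP", src=SITE),
    rule("DROP", dst=SITE),   # only sees packets arriving at this host, never outgoing ones
    rule("ACCEPT", proto="icmp"),
]}
OUTPUT_ORIG = {"policy": "ACCEPT", "rules": []}                    # as posted
OUTPUT_FIXED = {"policy": "ACCEPT", "rules": [rule("DROP", dst=SITE)]}  # with the suggested rule

def ping_exchange(output_chain):
    """Returns (verdict for the outgoing echo request, verdict for its reply)."""
    target = ipaddress.ip_address("192.0.2.1")
    req = {"src": HOST, "dst": target, "proto": "icmp", "state": "NEW"}
    out = verdict(output_chain, req)
    if out != "ACCEPT":
        return out, None  # nothing leaves the host, so there is no reply to filter
    rep = {"src": target, "dst": HOST, "proto": "icmp", "state": "ESTABLISHED"}
    return out, verdict(INPUT, rep)

def inbound_new_from_site():
    """A connection the site initiates towards the host is dropped by the INPUT -s rule."""
    pkt = {"src": ipaddress.ip_address("192.0.2.1"), "dst": HOST, "proto": "tcp", "state": "NEW"}
    return verdict(INPUT, pkt)

if __name__ == "__main__":
    print("original ruleset:", ping_exchange(OUTPUT_ORIG))      # ('ACCEPT', 'ACCEPT')
    print("with OUTPUT rule:", ping_exchange(OUTPUT_FIXED))     # ('DROP', None)
    print("site-initiated:", inbound_new_from_site())          # DROP
```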
There are a number of diagrams around the Internet illustrating the path packets take through the Linux kernel, including the various firewall modules, that are quite helpful in understanding which rules should go in which table.
Here's one that's not bad:
The box labeled "Local Processing of Data" is where packets that are created by the firewall's applications originate.
Does anyone have a better diagram? How about one that shows the policy routing system?
Kenneth Porter wrote:
Does anyone have a better diagram? How about one that shows the policy routing system?
Maybe this one: http://www.shorewall.net/NetfilterOverview.html
Policy routing is pretty straightforward. You mark the packet in PREROUTING:
iptables -t mangle -A PREROUTING -d 172.27.0.0/16 -j MARK --set-mark 200
and then add ip route rules like in: http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH05.web.html#5.6
I use policy routing only on StarV3 Wireless/LAN routers, and it is very easy to set up policy routing on them:
policy nfmark 80 { default 10.0.1.100 }
or
policy from 192.168.2.0/24 { default 10.10.1.1 }
policy to 192.168.2.0/24 { default 10.10.1.1 }
etc...
Ljubomir
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos