Re: weird iptables behaviour



Fabio wrote:

iptables is configured via the following script:

# NAT outbound LAN traffic behind the single ppp0 (internet) address
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Let replies to already-established forwarded connections through
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new forwarded connections originating from the LAN
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
# Drop everything else that would be routed through PC1
iptables -A FORWARD -j DROP

Erm... okay, but that's not quite all, is it?
On PC1, *everything* is dropped - assuming you set the INPUT policy to DENY,
as you should.

You filter this *** on INPUT, *not* FORWARD.
In your situation, FORWARD is a trivial case, only interesting in and of
itself when PC1 is a *pure* router, which it isn't.

Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
rules will now be:

INPUT all interfaces, *including* the internet from PC1, DENY ALL
OUTPUT all interfaces, ACCEPT ALL
FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.

If you have set ACCEPT on INPUT, on the other hand, you have zero actual
security.

Your PC1 is wide open to the Intarweb in that case.

Change the FORWARD to INPUT in your ruleset and you should be good.


--
All your bits are belong to us.
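For concreteness, here is the corrected ruleset the reply describes, written as an iptables-restore file; this is an added example, not Fabio's script or the reply author's. It assumes ppp0 is the internet interface and eth0 faces the 192.168.1.0/24 LAN, and it spells the default policy DROP, which is the iptables name for what the reply calls DENY.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for PC1 (router + host).
# Assumptions: WAN_IF = internet side, LAN_IF = LAN side (both overridable).
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
# INPUT protects PC1 itself; FORWARD only protects traffic routed through it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Tie the LAN source to the LAN interface so a packet arriving on ${WAN_IF}
# with a forged 192.168.1.x source is still dropped by the policy.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LAN_IF} -s ${LAN_NET} -o ${WAN_IF} -j ACCEPT
COMMIT
EOF
}

# Returns 0 only if the generated file closes the hole the reply points at:
# a DROP policy on INPUT and a LAN accept rule bound to the LAN interface.
check_ruleset() {
    build_ruleset | grep -q '^:INPUT DROP' || return 1
    build_ruleset | grep -q "^-A INPUT -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT" || return 1
    return 0
}

# Usage: build_ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```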