Results 1 to 2 of 2

Thread: Bridging firewall, how to block incoming traffic

  1. May 2nd, 2010 #1
    Zyprexa
    Zyprexa is offline 5 Cups of Ubuntu
    Join Date
    Nov 2009
    Beans
    20

    Question Bridging firewall, how to block incoming traffic

    Im having problems with iptables not doing what i want

    I have a ubuntu computer set up as bridge between gateway and lan, with the lan connected to eth0 and gateway on eth1.

    I'm trying to get it to basically block everything incoming except for the ports i specify, but also allow outgoing traffic. I've found, tried, modified som examples i found on the web, but still it wont block incoming traffic (ie, im still able to reach my webserver)

    These are the rules, and i can't figure out why it wont block:

    Code:
    #!/bin/bash

iptables -F
iptables -X

iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT

# connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
    iptables -S gives me
    Code:
    -P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable
    Any advice on what im doing wrong is appreciated
    Last edited by Zyprexa; May 2nd, 2010 at 08:05 PM. Reason: added output from iptables rules
    Advanced reply Adv Reply  
  2. May 14th, 2010 #2
    jpl888
    jpl888 is offline Frothy Coffee!
    Join Date
    Sep 2007
    Location
    Ireland
    Beans
    224
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Bridging firewall, how to block incoming traffic

    Ok well I assume you have br0 setup and both those interfaces added to it?

    To get the rules you have working you will need to use the physdev option, extract from ebtables website:-

    The 2.6 standard kernel contains an iptables match module called physdev which has to be used to match the bridge's physical in and out ports. Its basic usage is simple (see the iptables man page for more details):

    iptables -m physdev --physdev-in <bridge-port>
    and

    iptables -m physdev --physdev-out <bridge-port>
    BTW I haven't done this myself, only thinking of it so there may be additional steps and considerations I haven't come across.
    http://www.johnlewis.ie
    Advanced reply Adv Reply  
« Previous Thread | Next Thread »

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Ubuntu Forums Code of Conduct