
Re: iptables blocking eth0 .. why ?



Hey,

> ### Create Chains
> iptables -N IN_LO
> iptables -N OUT_LO
> iptables -N IN_ETH0
> iptables -N OUT_ETH0
> iptables -N IN_ETH1
> iptables -N OUT_ETH1
> iptables -N BLOCKED_PACKETS
> iptables -N ICMP_PACKETS
>
> ### POLICIES
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> ### INPUT
> iptables -A INPUT -j BLOCKED_PACKETS

so all incoming packets first have to pass BLOCKED_PACKETS

> ### BLOCKING_PACKETS
> iptables -A BLOCKED_PACKETS -m state --state INVALID -j DROP
> iptables -A BLOCKED_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK \
> SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

Looks strange: -p tcp -m tcp. TCP matches are written with -p tcp.

On the one hand you wanna block all packets that have the SYN and ACK flags, 
but on the other side you wanna block state NEW. Aren't those two rules in 
one? Does that work?

> iptables -A BLOCKED_PACKETS -p tcp ! --syn -m state --state NEW \
> -j DROP

Block not SYN but state NEW, isn't that a contradiction?

If those two rules work, in my opinion no tcp connection will work on any 
interface.

Did you take a look at 'iptables -vL'? What does it display?
Introducing logging for debugging purposes can help.

Regards
 Frank
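
The poster's BLOCKED_PACKETS chain with the logging Frank suggests, as an added example that is not part of the original thread: a LOG rule goes in front of each DROP/REJECT so the kernel log and the `iptables -vnxL` counters show which rule handled a packet, and a small helper reads that counter output and reports the rules that have matched. The log prefixes, the 5/min rate limit and the helper are my assumptions, not from the original post; set IPT="echo iptables" (or pass --dry-run) to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: the poster's BLOCKED_PACKETS rules with
# a LOG rule in front of each DROP/REJECT (Frank's debugging suggestion), plus
# a helper that reads `iptables -vnxL BLOCKED_PACKETS` output and reports the
# rules that have actually matched packets. Set IPT="echo iptables" to print
# the commands instead of running them (no root needed). Log prefixes and the
# 5/min rate limit are assumptions, not from the original post.
IPT="${IPT:-iptables}"

# logged_rule CHAIN PREFIX TARGET MATCH...
# Appends a rate-limited LOG rule and then the real rule, both with the same
# match, so the kernel log shows which rule handled the packet. TARGET is left
# unquoted on purpose so "REJECT --reject-with tcp-reset" expands to words.
logged_rule() {
    chain=$1; prefix=$2; target=$3; shift 3
    $IPT -A "$chain" "$@" -m limit --limit 5/min -j LOG --log-prefix "$prefix "
    $IPT -A "$chain" "$@" -j $target
}

build_blocked_packets() {
    $IPT -N BLOCKED_PACKETS
    logged_rule BLOCKED_PACKETS "BP-INVALID:" DROP \
        -m state --state INVALID
    logged_rule BLOCKED_PACKETS "BP-SYNACK-NEW:" "REJECT --reject-with tcp-reset" \
        -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW
    logged_rule BLOCKED_PACKETS "BP-NOSYN-NEW:" DROP \
        -p tcp ! --syn -m state --state NEW
}

# hit_rules: reads `iptables -vnxL CHAIN` output on stdin and prints
# "<pkts> <target> <match...>" for every non-LOG rule whose packet counter is
# not zero. Columns: pkts bytes target prot opt in out source destination,
# then the match description from field 10 onwards.
hit_rules() {
    awk 'NR > 2 && $1 != 0 && $3 != "LOG" {
        printf "%s %s", $1, $3
        for (i = 10; i <= NF; i++) printf " %s", $i
        print ""
    }'
}

# Dry run: ./blocked_packets.sh --dry-run
if [ "${1:-}" = "--dry-run" ]; then
    IPT="echo iptables"
    build_blocked_packets
fi
```

With the rules loaded for real, `iptables -vnxL BLOCKED_PACKETS | hit_rules` lists only the blocking rules that have counted packets, which answers the "why is eth0 blocked" question faster than reading the whole chain; the matching LOG lines in the kernel log carry the prefix of the rule that fired.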
