Linux.com


linux firewall, iptables forwarding problem

Link to this post 02 Apr 11

Hi,
I am new to Linux, but I need to set up a simple firewall for the local network.
I have Ubuntu with a 2.6 kernel installed and two NICs, with one static IP address to the internet; I am using bridge-utils to bridge the two interfaces together. The bridge is up and fine.
Now I am really stuck at this point.
I set the default policy to DROP for FORWARD and enabled forwarding.
Then I added rules like these:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The local computer cannot access the internet, but if I change the default FORWARD policy to ACCEPT,
the local computer can then access the internet.
I really don't understand why. Please help!
weiwei

Link to this post 02 Apr 11

The issue is with the order of operations in your rules: add the "-P" entries at the end to make them the final actions. This will allow the forwarding rules to be caught and used before the packets are dropped.

Link to this post 03 Apr 11

Thank you very much for replying. Does the firewall check the default policy very last?
weiwei

Link to this post 03 Apr 11

weiwei wrote:

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Why does the state have to be ESTABLISHED or RELATED? Like this, newly generated packets won't get through your rules and will be DROPped, as that is your default policy.

Try changing that

Regards

Link to this post 05 Apr 11

The default policy must be set last; iptables reads the rules in the order they are input, so whatever is last will be the default for anything that does not find a matching rule in the preceding rules.

Link to this post 06 Apr 11

mfillpot wrote:

The default policy must be set last; iptables reads the rules in the order they are input, so whatever is last will be the default for anything that does not find a matching rule in the preceding rules.

AFAIK this is not true.

The policies are only applied when all the other rules fail.
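The disagreement above can be checked with a small model of how netfilter walks a chain. The Python below is an added example, not code from this thread: it parses the subset of iptables syntax used in the posts (plus the physdev match) and evaluates a FORWARD chain the way the kernel does, rules in the order they were appended, first match deciding, and the policy set with -P consulted only when no rule matched, so it makes no difference whether the -P lines come before or after the -A lines. Two further things it shows: the rules as posted do accept NEW traffic from eth1 to eth0 (the second rule carries no state match), so on a plain router they would work; and on a bridge they do not, because when bridged frames pass through iptables (br_netfilter, net.bridge.bridge-nf-call-iptables=1) the -i and -o interfaces seen by the FORWARD chain are the bridge device, not eth0/eth1, so neither rule matches and the DROP policy decides, which is the symptom in the first post. The physical ports are matched with -m physdev --physdev-in/--physdev-out. The bridge name br0 and the packets are constructed assumptions.

```python
"""Model of how netfilter walks an iptables chain (added example).

Rules are tried in the order they were appended; the first match decides.
The policy set with -P belongs to the chain, not to a position in the script,
and is consulted only when no rule matched.  Supported syntax is the subset
used in this thread plus the physdev match needed for bridged traffic.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    in_if: Optional[str] = None      # -i
    out_if: Optional[str] = None     # -o
    phys_in: Optional[str] = None    # -m physdev --physdev-in
    phys_out: Optional[str] = None   # -m physdev --physdev-out
    states: Optional[set] = None     # -m state --state A,B
    target: str = "ACCEPT"           # -j


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)


def load_rules(commands):
    """Parse 'iptables -P ...' and 'iptables -A ...' lines into filter chains."""
    chains = {"INPUT": Chain(), "FORWARD": Chain(), "OUTPUT": Chain()}
    setters = {"-i": "in_if", "-o": "out_if", "-j": "target",
               "--physdev-in": "phys_in", "--physdev-out": "phys_out"}
    for cmd in commands:
        argv = shlex.split(cmd)
        if argv and argv[0] == "iptables":
            argv = argv[1:]
        if argv[0] == "-P":
            chains[argv[1]].policy = argv[2]   # position in the script is irrelevant
            continue
        if argv[0] != "-A":
            raise ValueError("unsupported command: " + cmd)
        rule = Rule()
        for opt, val in zip(argv[2::2], argv[3::2]):   # every option here takes one value
            if opt in setters:
                setattr(rule, setters[opt], val)
            elif opt == "--state":
                rule.states = set(val.split(","))
            elif opt != "-m":                          # -m names the extension; nothing to store
                raise ValueError("unsupported option: " + opt)
        chains[argv[1]].rules.append(rule)
    return chains


def matches(rule, pkt):
    """pkt carries in_if, out_if, state and, for bridged frames, phys_in/phys_out."""
    for attr in ("in_if", "out_if", "phys_in", "phys_out"):
        want = getattr(rule, attr)
        if want is not None and want != pkt.get(attr):
            return False
    return rule.states is None or pkt["state"] in rule.states


def verdict(chain, pkt):
    """Return (target, 'rule N') for the first matching rule, else (policy, 'policy')."""
    for n, rule in enumerate(chain.rules, 1):
        if matches(rule, pkt):
            return rule.target, "rule %d" % n
    return chain.policy, "policy"


# The poster's rules, verbatim, with -P first as posted.
POSTED = [
    "iptables -P INPUT DROP",
    "iptables -P FORWARD DROP",
    "iptables -P OUTPUT ACCEPT",
    "iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT",
]

# The same intent written for a bridge: the ports are matched with physdev.
BRIDGED = [
    "iptables -P FORWARD DROP",
    "iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1"
    " -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT",
]

# Constructed packets (assumption). A router's FORWARD chain sees eth0/eth1 directly;
# for bridged frames (br_netfilter) it sees the bridge device (assumed name br0) on
# both sides and only the physdev match exposes the ports.
ROUTED_LAN_NEW = {"in_if": "eth1", "out_if": "eth0", "state": "NEW"}
ROUTED_WAN_NEW = {"in_if": "eth0", "out_if": "eth1", "state": "NEW"}
ROUTED_WAN_REPLY = {"in_if": "eth0", "out_if": "eth1", "state": "ESTABLISHED"}
BRIDGED_LAN_NEW = {"in_if": "br0", "out_if": "br0",
                   "phys_in": "eth1", "phys_out": "eth0", "state": "NEW"}
BRIDGED_WAN_NEW = {"in_if": "br0", "out_if": "br0",
                   "phys_in": "eth0", "phys_out": "eth1", "state": "NEW"}


def demo():
    posted = load_rules(POSTED)["FORWARD"]
    reordered = load_rules(POSTED[3:] + POSTED[:3])["FORWARD"]   # -P issued last
    bridged = load_rules(BRIDGED)["FORWARD"]
    return {
        "router, LAN->WAN NEW":          verdict(posted, ROUTED_LAN_NEW),
        "router, WAN->LAN NEW":          verdict(posted, ROUTED_WAN_NEW),
        "router, WAN->LAN reply":        verdict(posted, ROUTED_WAN_REPLY),
        "router, -P last, LAN->WAN NEW": verdict(reordered, ROUTED_LAN_NEW),
        "bridge, posted rules, LAN NEW": verdict(posted, BRIDGED_LAN_NEW),
        "bridge, physdev, LAN NEW":      verdict(bridged, BRIDGED_LAN_NEW),
        "bridge, physdev, WAN NEW":      verdict(bridged, BRIDGED_WAN_NEW),
    }


if __name__ == "__main__":
    for case, (target, why) in demo().items():
        print("%-32s %s (%s)" % (case, target, why))
```

Running it prints the same ACCEPT/DROP verdict for the LAN-to-WAN NEW packet whether -P was issued first or last, a DROP by policy for the posted rules once the packet arrives with br0 on both sides, and ACCEPT by rule 2 for the physdev version. To confirm which case a real box is in, `sysctl net.bridge.bridge-nf-call-iptables` shows whether bridged frames reach iptables at all, and `iptables -L FORWARD -v` shows whether the packet counters on the posted rules ever move.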
