
#1 2010-08-09 02:37:43

Fruity
Member
Registered: 2009-12-16
Posts: 198

iptables configuration

Hello ArchWorld,


I'm trying to configure iptables to drop everything on all interfaces except ppp0. At the moment I have this:

*filter
:INPUT DROP [12:4262]
:FORWARD DROP [0:0]
:OUTPUT DROP [753:54659]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
COMMIT

Which allows the loopback and ppp0, both in and out, yet this doesn't work. Various googling and manual reading hasn't helped. So where am I going wrong? Usually I connect via eth0, but as this is purely a torrent box, I use a VPN (ppp0) and want to ensure all traffic goes via this (the VPN on ppp0), or not at all. Clearly eth0 is being used - if only to tunnel, so need I reference that in some way?

Any help would be greatly appreciated. Thank you.

Last edited by Fruity (2010-08-09 02:38:52)


#2 2010-08-09 02:46:10

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222

Re: iptables configuration

Fruity wrote:

Which allows the loopback and ppp0, both in and out, yet this doesnt work.

Can you give more detail about what exactly doesn't work? Connecting to your torrent client from your VPN client? Ping traffic? From/to where? Loading the rules fails?


#3 2010-08-09 03:27:14

cesura
Package Maintainer (PM)
From: Tallinn, Estonia
Registered: 2010-01-23
Posts: 1,867

Re: iptables configuration

A little off topic, but I have known people in the past who have had good experiences with Firestarter for configuring iptables. Maybe you could try that out? wink


#4 2010-08-09 04:21:10

Fruity
Member
Registered: 2009-12-16
Posts: 198

Re: iptables configuration

fukawi2 wrote:

Can you give more detail about what exactly doesn't work? Connecting to your torrent client from your VPN client? Ping traffic? From/to where? Loading the rules fails?

fukawi2, if I have the VPN up, when I load and start the above rule set, the VPN disconnects and I can not make it reconnect (I use the network manager applet - part of GNOME - to start and stop the VPN). I can't ping either. When I flush the rules and re-add a basic normal set, I can then reconnect to the VPN. Loading, resetting, saving, stopping the rules etc. works, and the torrent connects and seeds via the VPN (but only with a basic set of rules; it clearly doesn't boogie with the above set!).

itsbrad212, I'll have a look at that, but I really want to get to the bottom of this, so I can understand why it isn't working.


#5 2010-08-09 05:24:42

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222

Re: iptables configuration

You'll need another rule like this for eth0 to allow the PPP encapsulation traffic to continue:

-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT


#6 2010-08-11 17:28:46

Fruity
Member
Registered: 2009-12-16
Posts: 198

Re: iptables configuration

fukawi, thanks for the help. However, in the middle of sorting this out, I decided to change the configuration of the drives - using dm-crypt and software RAID. I seem to be getting a small error with that at the moment. Will come back to this iptables issue when I have a GUI etc. smile


#7 2010-08-18 11:06:42

Fruity
Member
Registered: 2009-12-16
Posts: 198

Re: iptables configuration

I've been tweaking the rules and have a set which allows the VPN to connect whilst the firewall is up with defaults set to DROP:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Aug 18 11:29:22 2010
# Generated by iptables-save v1.4.9 on Wed Aug 18 11:29:22 2010
*nat
:PREROUTING ACCEPT [36:2817]
:OUTPUT ACCEPT [4:240]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Aug 18 11:29:22 2010
# Generated by iptables-save v1.4.9 on Wed Aug 18 11:29:22 2010
*mangle
:PREROUTING ACCEPT [112:7258]
:INPUT ACCEPT [112:7258]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [162:7772]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Aug 18 11:29:22 2010

But when I try to lock things down, to achieve my original goal of only allowing traffic over ppp0, the VPN drops instantly and I can't make it reconnect. The following are specific to allowing VPN communication (correct me if I am wrong!):

-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

So if I am correct, in that the above is needed to make the VPN work through the firewall, then when I, say, change one OUTPUT rule from:

-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

to

-A OUTPUT -o ppp0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

i.e. trying to make sure all outbound goes via ppp0. Well, it just drops the VPN connection instead. So how can I incorporate all of this and ensure all traffic goes via the VPN on ppp0 or not at all?


#8 2010-08-18 12:46:32

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222

Re: iptables configuration

Fruity wrote:

-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

to

-A OUTPUT -o ppp0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

i.e. trying to make sure all outbound goes via ppp0. Well, it just drops the VPN connection instead. So how can I incorporate all of this and ensure all traffic goes via the VPN on ppp0 or not at all?

You can't do that. All the related traffic for the tunnel also needs to be allowed OUT.

You can either leave the RELATED,ESTABLISHED rule (I would recommend this), or duplicate your INPUT rules to OUTPUT, swapping dest port for source port:

-A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
-A OUTPUT -p gre -j ACCEPT

You should also have a loopback allow like you have in INPUT:

-A OUTPUT -o lo -j ACCEPT

EDIT: Spelling.

Last edited by fukawi2 (2010-08-18 12:47:07)

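The "via the VPN or not at all" ruleset the thread is working towards, written out in full as an added example (this is not code from either poster). It takes fukawi2's second option, explicit tunnel rules instead of a blanket RELATED,ESTABLISHED OUTPUT rule, but pins those rules to the VPN endpoint, so the only thing eth0 may ever carry is the PPTP control connection (TCP/1723) and GRE to and from that one address; everything else is accepted only on ppp0. Assumptions, none of which come from the thread: the VPN is PPTP (the 1723/GRE rules in post #7 suggest it), the endpoint is a single IPv4 address, the placeholder 203.0.113.10 stands in for it, the physical interface is eth0 and the tunnel comes up as ppp0, and the box is a client only, so the FORWARD and MASQUERADE rules from post #7 (which route other hosts through the tunnel) are dropped. The `-m state` syntax is kept to match the thread's iptables 1.4-era rules; `-m conntrack --ctstate` is the current spelling.

```shell
#!/bin/sh
# Added example: a "tunnel only" iptables ruleset for a PPTP client box.
# Assumed values (not from the thread): VPN endpoint 203.0.113.10 (RFC 5737
# documentation address used as a placeholder), physical interface eth0,
# tunnel interface ppp0.

# Print an iptables-restore ruleset in which eth0 may carry only the tunnel
# transport to $1, and every other packet is accepted only on ppp0 or lo.
gen_vpn_only_rules() {
    vpn_server="$1"
    wan_if="${2:-eth0}"
    tun_if="${3:-ppp0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# tunnel transport on the physical interface, pinned to the VPN endpoint:
# PPTP control connection (we initiate it) and GRE (explicit both ways, since
# GRE is not connection-tracked unless the pptp conntrack helper is loaded)
-A OUTPUT -o $wan_if -d $vpn_server -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $wan_if -s $vpn_server -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o $wan_if -d $vpn_server -p gre -j ACCEPT
-A INPUT -i $wan_if -s $vpn_server -p gre -j ACCEPT
# everything else lives inside the tunnel; no NEW inbound on it either
-A OUTPUT -o $tun_if -j ACCEPT
-A INPUT -i $tun_if -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset read from stdin: fail (exit 1) if any ACCEPT in INPUT or
# OUTPUT is not tied to lo, to the tunnel interface, or to the VPN endpoint
# on the physical interface. This catches the blanket
# "-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT" from the
# thread, which has no interface at all and so lets traffic leak out of eth0.
vpn_only_ruleset_ok() {
    vpn_server="$1"
    wan_if="${2:-eth0}"
    tun_if="${3:-ppp0}"
    awk -v srv="$vpn_server" -v wan="$wan_if" -v tun="$tun_if" '
        /^-A (INPUT|OUTPUT) / && /-j ACCEPT/ {
            if ($0 ~ "-[io] lo( |$)") next
            if ($0 ~ ("-[io] " tun "( |$)")) next
            if ($0 ~ ("-[io] " wan "( |$)") && $0 ~ ("-[sd] " srv "( |$)")) next
            bad++
        }
        END { exit (bad ? 1 : 0) }'
}

# Generate, lint, and load atomically (iptables-restore replaces the whole
# filter table in one go, so the VPN is never briefly unprotected).
# Requires root; not run unless invoked with --apply.
apply_vpn_only_rules() {
    rules=$(gen_vpn_only_rules "$@") || return 1
    printf '%s\n' "$rules" | vpn_only_ruleset_ok "$@" || return 1
    printf '%s\n' "$rules" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_vpn_only_rules "${2:-203.0.113.10}"
fi
```

Two practical caveats. The endpoint must be given as an address, not a hostname: once this ruleset is loaded, no DNS query can leave eth0, so a name would never resolve while the tunnel is down. And anything the torrent client should accept inbound (its listening port) needs a matching `-A INPUT -i ppp0 -p tcp --dport <port> -j ACCEPT`; as written, the tunnel only admits replies.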
