[Firewall] Very basic iptables question

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Apr 23 20:11:40 CEST 2013


Hi James,

Simple answer, but I'll provide a long drawn out one instead. :-)  Hopefully this might be generally useful.

If you prefer to use "/etc/arno-iptables-firewall/custom-rules", then this should work:
--
echo "[CUSTOM RULE] Drop client.privatedomain.local -> INET"
iptables -A LAN_INET_FORWARD_CHAIN -s client.privatedomain.local -j DROP
--
Note:  This assumes your DNS lookups are setup before the AIF script is called on startup.

Note:  If both IPv4 and IPv6 are enabled, client.privatedomain.local must contain both A and AAAA records, or else you will get an error, since "iptables" will try both "iptables" and "ip6tables" calls with DNS names.  This is because AIF's custom-rules "iptables" is a shell function used as a wrapper to make both iptables and ip6tables calls.

While using DNS values may be handy and may work, be careful. Using numeric IPv4 and IPv6 addresses is preferred.

Additionally, from experience, be sure to document your custom rules with an "echo" as above.

Another solution is to use the LAN_INET_HOST_DENY_xxx variables in your firewall.conf file, such as:
--
LAN_INET_HOST_DENY_TCP="192.168.101.13>0/0"
LAN_INET_HOST_DENY_UDP="192.168.101.13>0/0"
--
This will generate rules as logged by the AIF script:

 Setting up LAN->INET policy
  Denying 192.168.101.13(LAN) to 0/0(INET) for TCP port(s): 0:65535
  Denying 192.168.101.13(LAN) to 0/0(INET) for UDP port(s): 0:65535

This is probably good enough; raw IP is still allowed out. You decide whether LAN_INET_HOST_DENY_IP also needs to be defined, probably not for most cases.

Again, if your client.privatedomain.local has an IPv6 address (ex. 2001:db8:12::1001), also add:
--
LAN_INET_HOST_DENY_TCP="192.168.101.13>0/0 2001:db8:12::1001>0/0"
LAN_INET_HOST_DENY_UDP="192.168.101.13>0/0 2001:db8:12::1001>0/0"
--
While the custom rule approach will work, the AIF way is to use the LAN_INET_HOST_DENY_xxx variables.

Finally, if you understand the issues with using DNS values, this should also work, but it is not recommended, with the same A and AAAA requirements as above:
--
LAN_INET_HOST_DENY_TCP="client.privatedomain.local>0/0"
LAN_INET_HOST_DENY_UDP="client.privatedomain.local>0/0"
--

Lonnie



On Apr 23, 2013, at 10:17 AM, James Applebaum wrote:

> Attempting to set up a custom rule to block an internal "private" IP address from accessing the external interface. This is what I added:
> iptables -I OUTPUT -d client.privatedomain.local -j DROP
> 
> But when I do this the DNS services I run locally start outputting errors. 
> Apr 23 11:08:23 ***** avahi-daemon[3797]: dbus-protocol.c: Too many objects for client ':1.25', client request failed.
> Apr 23 11:08:23 ***** avahi-daemon[3797]: dbus-protocol.c: Too many objects for client ':1.20', client request failed.
> Apr 23 11:08:30 ***** avahi-daemon[3797]: dbus-protocol.c: Too many objects for client ':1.25', client request failed.
> Apr 23 11:08:30 ***** avahi-daemon[3797]: dbus-protocol.c: Too many objects for client ':1.20', client request failed.
> 
> 
> I assume this is because the rule is blocking both eth0 (my external interface) and eth1 (my internal interface) which is not allowing DNS to resolve?
> I can't seem to define just the external interface. This just generates an error when I run the Arno script.
> iptables -I OUTPUT -i eth0 -d client.privatedomain.local -j DROP
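The following is an added dry-run illustration of the two points above (the "src>dst" form of the LAN_INET_HOST_DENY_xxx variables, and why a DNS name needs both an A and an AAAA record when the wrapper issues both iptables and ip6tables calls). It is not code from arno-iptables-firewall or from this thread's authors: it only prints the commands a wrapper like AIF's would run, and the chain name LAN_INET_FORWARD_CHAIN, the 0:65535 port range taken from the log excerpt, and the treatment of "0/0" as "any" are assumptions made for the example.

```shell
#!/bin/sh
# Added dry-run illustration, not code from arno-iptables-firewall (AIF).
# It expands LAN_INET_HOST_DENY_TCP/UDP entries of the form "src>dst" into the
# iptables/ip6tables commands a wrapper like AIF's would issue, and only prints them.
# Assumptions (hypothetical, not taken from AIF): the chain LAN_INET_FORWARD_CHAIN,
# the port range 0:65535 seen in the log excerpt, and "0/0" meaning "any" (omitted).

# Decide which tool(s) a source spec needs: an IPv6 literal goes to ip6tables only,
# an IPv4 literal to iptables only, and a DNS name to both, which is why a name must
# resolve to both an A and an AAAA record when both address families are enabled.
tools_for_src() {
    case "$1" in
        *:*)           echo "ip6tables" ;;
        *[!0-9./]*)    echo "iptables ip6tables" ;;
        *)             echo "iptables" ;;
    esac
}

# Print the command(s) for one "src>dst" entry and one protocol (tcp or udp).
deny_rule_cmd() {
    entry="$1"; proto="$2"
    src="${entry%%>*}"
    dst="${entry#*>}"
    dstopt=""
    if [ "$dst" != "0/0" ]; then
        dstopt=" -d $dst"
    fi
    for tool in $(tools_for_src "$src"); do
        printf '%s -A LAN_INET_FORWARD_CHAIN -p %s -s %s%s --dport 0:65535 -j DROP\n' \
            "$tool" "$proto" "$src" "$dstopt"
    done
}

# Expand a whole space-separated variable value, one entry at a time.
expand_deny_var() {
    for entry in $1; do
        deny_rule_cmd "$entry" "$2"
    done
}

# Sample values taken from the thread (constructed invocation for the example):
expand_deny_var "192.168.101.13>0/0 2001:db8:12::1001>0/0" tcp
expand_deny_var "client.privatedomain.local>0/0" udp
```

Run it as a plain script to see the expansion; the DNS-name entry yields one iptables and one ip6tables line, which is exactly where a name lacking either an A or an AAAA record would make one of the two real calls fail.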


