[Firewall] Very basic iptables question

James Applebaum james at electricbluefish.com
Tue Apr 23 21:28:58 CEST 2013


Thank you, very helpful!




On Apr 23, 2013, at 2:11 PM, Lonnie Abelbeck wrote:

> Hi James,
> 
> Simple answer, but I'll provide a long drawn out one instead. :-)  Hopefully this might be generally useful.
> 
> If you prefer to use "/etc/arno-iptables-firewall/custom-rules", then this should work:
> --
> echo "[CUSTOM RULE] Drop client.privatedomain.local -> INET"
> iptables -A LAN_INET_FORWARD_CHAIN -s client.privatedomain.local -j DROP
> --
> Note:  This assumes your DNS lookups are set up before the AIF script is called on startup.
> 
> Note:  If both IPv4 and IPv6 are enabled, client.privatedomain.local must contain both A and AAAA records else you will get an error since "iptables" will try both "iptables" and "ip6tables" calls with DNS names.  This is since AIF's custom-rules "iptables" is a shell function used as a wrapper to make both iptables and ip6tables calls.
> 
> While using DNS values may be handy and may work, be careful. Using numeric IPv4 and IPv6 addresses is preferred.
> 
> Additionally, from experience, be sure to document your custom rules with an "echo" as above.
> 
> Another solution is to use the LAN_INET_HOST_DENY_xxx variables in your firewall.conf file, such as:
> --
> LAN_INET_HOST_DENY_TCP="192.168.101.13>0/0"
> LAN_INET_HOST_DENY_UDP="192.168.101.13>0/0"
> --
> This will generate rules as logged by the AIF script:
> 
> Setting up LAN->INET policy
>  Denying 192.168.101.13(LAN) to 0/0(INET) for TCP port(s): 0:65535
>  Denying 192.168.101.13(LAN) to 0/0(INET) for UDP port(s): 0:65535
> 
> Probably good enough; raw IP is still allowed out. You decide if LAN_INET_HOST_DENY_IP needs to also be defined, probably not for most cases.
> 
> Again, if your client.privatedomain.local has an IPv6 address (ex. 2001:db8:12::1001), also add:
> --
> LAN_INET_HOST_DENY_TCP="192.168.101.13>0/0 2001:db8:12::1001>0/0"
> LAN_INET_HOST_DENY_UDP="192.168.101.13>0/0 2001:db8:12::1001>0/0"
> --
> While the custom rule approach will work, the AIF way is to use the LAN_INET_HOST_DENY_xxx variables.
> 
> Finally, if you understand the issues with using DNS values, this should also work, but it is not recommended, with the same A and AAAA requirements as above:
> --
> LAN_INET_HOST_DENY_TCP="client.privatedomain.local>0/0"
> LAN_INET_HOST_DENY_UDP="client.privatedomain.local>0/0"
> --
> 
> Lonnie
> 
> 
> 
> On Apr 23, 2013, at 10:17 AM, James Applebaum wrote:
> 
>> Attempting to set up a custom rule to block an internal "private" IP address from accessing the external interface. This is what I added:
>> iptables -I OUTPUT -d client.privatedomain.local  -j DROP
>> 
>> But when I do this the DNS services I run locally start outputting errors. 
>> Apr 23 11:08:23 ***** avahi-daemon[3797]: dbus-protocol.c: Too many objects for client ':1.25', client request failed.
>> Apr 23 11:08:23 ***** avahi-daemon[3797]: dbus-protocol.c: Too many objects for client ':1.20', client request failed.
>> Apr 23 11:08:30 ***** avahi-daemon[3797]: dbus-protocol.c: Too many objects for client ':1.25', client request failed.
>> Apr 23 11:08:30 ***** avahi-daemon[3797]: dbus-protocol.c: Too many objects for client ':1.20', client request failed.
>> 
>> 
>> I assume this is because the rule is blocking both eth0 (my external interface) and eth1 (my internal interface) which is not allowing DNS to resolve?
>> I can't seem to define just the external interface. This just generates an error when I run Arno script.
>> iptables -I OUTPUT -i eth0 -d client.privatedomain.local  -j DROP
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
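The reply above recommends numeric addresses in LAN_INET_HOST_DENY_xxx and warns that a DNS name needs both A and AAAA records, and that an IPv4-only entry leaves the client's IPv6 path open. The following is an added example (not AIF code and not from either poster) that lints a firewall.conf fragment for exactly those two problems; the fragment is constructed here, and IPV6_SUPPORT is assumed to be the variable that enables AIF's ip6tables handling.

```python
import ipaddress
import re

# Constructed firewall.conf fragment for the demo (IPV6_SUPPORT=1 is an
# assumption about how AIF enables IPv6; the DENY lines follow the
# "host>destination" format shown in the thread).
SAMPLE_CONF = """\
IPV6_SUPPORT=1
LAN_INET_HOST_DENY_TCP="192.168.101.13>0/0 2001:db8:12::1001>0/0"
LAN_INET_HOST_DENY_UDP="192.168.101.13>0/0"
LAN_INET_HOST_DENY_IP="client.privatedomain.local>0/0"
"""

DENY_VARS = ("LAN_INET_HOST_DENY_TCP", "LAN_INET_HOST_DENY_UDP",
             "LAN_INET_HOST_DENY_IP")


def parse_conf(text):
    """Map VAR -> value for simple VAR=value / VAR="value" lines."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)=("?)(.*?)\2\s*$', line)
        if m:
            conf[m.group(1)] = m.group(3)
    return conf


def classify(host):
    """'v4' or 'v6' for a numeric address/network, 'dns' for a name."""
    try:
        return "v%d" % ipaddress.ip_network(host, strict=False).version
    except ValueError:
        return "dns"


def lint_host_deny(conf):
    """Return (variable, entry, problem) findings for each DENY variable."""
    ipv6_enabled = conf.get("IPV6_SUPPORT", "0") == "1"
    findings = []
    for var in DENY_VARS:
        entries = conf.get(var, "").split()
        families = set()
        for entry in entries:
            if entry.count(">") != 1:
                findings.append((var, entry, "expected host>destination"))
                continue
            src = entry.split(">")[0]
            kind = classify(src)
            if kind == "dns":
                findings.append((var, entry, "DNS name: needs A and AAAA "
                                 "records with IPv6; prefer numeric addresses"))
            else:
                families.add(kind)
        if ipv6_enabled and families == {"v4"}:
            findings.append((var, " ".join(entries), "IPv4 only: the client "
                             "can still reach INET over IPv6"))
    return findings
```

Running lint_host_deny(parse_conf(SAMPLE_CONF)) flags the UDP line as IPv4-only and the IP line for using a DNS name, while the TCP line, which carries both addresses, passes.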
