-i interface filter not working for firewall
victor oliveira
victor.oliveira at concretesolutions.com.br
Thu Nov 30 18:08:37 CET 2006
I have 4 network interfaces, eth0, eth1 (external) and eth2, eth3 (internal).
I have started to add rules for the iptables.
These are the interfaces:
# External 1
ifconfig eth0 5.5.5.1 netmask 255.255.255.0
# External 2
ifconfig eth1 6.6.6.1 netmask 255.255.255.0
# Internal 1
ifconfig eth2 10.10.1.9 netmask 255.255.255.0
# Internal 2
ifconfig eth3 10.10.1.8 netmask 255.255.255.0
My intent is to only allow connection with the firewall for ssh by the
eth2 interface, so the following are my rules:
#1 SSH to the firewall via eth2
iptables -A INPUT -i eth2 -p tcp -m tcp --dport 22 -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
iptables -A OUTPUT -o eth2 -p tcp -s 10.10.1.0/24 -d 10.10.1.0/24 -j ACCEPT
#21 marking packets from eth2 for the route in table 3
iptables -t mangle -A PREROUTING -i eth2 -s 10.10.1.0/24 -j MARK --set-mark 3
#22 marking packets from eth3 for the route in table 4
iptables -t mangle -A PREROUTING -i eth3 -s 10.10.1.0/24 -j MARK --set-mark 4
#3 NAT
iptables -t nat -A POSTROUTING -o eth1 -s 10.10.1.0/24 -j SNAT --to-source 5.5.5.1
iptables -t nat -A POSTROUTING -o eth0 -s 10.10.1.0/24 -j SNAT --to-source 5.5.5.2
#4 forward from eth2 (internal) to eth0
/sbin/iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
#7 forward from eth2 (internal) to eth1
/sbin/iptables -A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
#7 forward from eth3 (internal) to eth0
/sbin/iptables -A FORWARD -i eth0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth3 -o eth0 -j ACCEPT
#8 deny all packets
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
iptables -Z
My problem is the following: I am able to connect from my machine to
the firewall using both eth2 and eth3. However, note that the INPUT
default is DROP, and the only rule on the INPUT SHOULD be filtering
and only allowing connections to the eth2 and not the eth3
interface...
Any thoughts?
Regards,
Victor
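Added example, not part of the original post: a small Python model of the posted INPUT chain. It shows that `-i eth2` tests only the interface a packet arrived on, while `-d 10.10.1.0/24` also covers eth3's own address 10.10.1.8, so an SSH packet addressed to 10.10.1.8 that physically arrives on eth2 (possible when two interfaces share one subnet, because Linux by default answers ARP for any local address on any interface) is accepted by the posted rule. The tightened chain that limits `-d` to 10.10.1.9 is an assumption for illustration, not a rule from the post; packets and the client address 10.10.1.50 are constructed.

```python
"""Model of the posted INPUT chain: first matching rule wins, like iptables.
Constructed example; the 'tight' chain is an assumed variant, not from the post."""
from ipaddress import ip_address, ip_network


def rule(iface=None, proto=None, dport=None, src=None, dst=None, target="ACCEPT"):
    """One rule; None means the field is unconstrained (no -i/-p/--dport/-s/-d)."""
    return {"iface": iface, "proto": proto, "dport": dport,
            "src": ip_network(src) if src else None,
            "dst": ip_network(dst) if dst else None,
            "target": target}


def matches(r, pkt):
    """True if every constrained field of rule r matches packet pkt."""
    return ((r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ip_address(pkt["dst"]) in r["dst"]))


def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain in order; the first match decides, else the chain policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


# INPUT chain exactly as posted: SSH on eth2 within 10.10.1.0/24, then drop all.
INPUT_AS_POSTED = [
    rule(iface="eth2", proto="tcp", dport=22, src="10.10.1.0/24", dst="10.10.1.0/24"),
    rule(target="DROP"),
]
# Assumed tightened variant: -d restricted to eth2's own address 10.10.1.9.
INPUT_TIGHT = [
    rule(iface="eth2", proto="tcp", dport=22, src="10.10.1.0/24", dst="10.10.1.9/32"),
    rule(target="DROP"),
]


def ssh_packet(iface, dst):
    """Constructed SSH SYN from an internal client, arriving on iface for dst."""
    return {"iface": iface, "proto": "tcp", "dport": 22, "src": "10.10.1.50", "dst": dst}


if __name__ == "__main__":
    for name, chain in (("posted", INPUT_AS_POSTED), ("tight", INPUT_TIGHT)):
        for iface, dst in (("eth2", "10.10.1.9"), ("eth2", "10.10.1.8"), ("eth3", "10.10.1.8")):
            print(name, iface, dst, verdict(chain, ssh_packet(iface, dst)))
```

The posted chain accepts an SSH packet for 10.10.1.8 as long as it enters on eth2; only a packet that really enters on eth3 is dropped, which is why checking which interface the packet hits (and considering arp_ignore/arp_filter for shared-subnet interfaces) matters more than the address it is sent to.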