Score:0

Why can't I block the Internet access (iptables)?


I am setting up my Linux server's firewall with iptables.
As a test, I failed to protect the local web server (port 8080) from Internet access.

  • OS
    OMV6(6.0.16-1) a debian based linux
  • connections:
                    Internet
                        |
LinuxServer(pppoe)----Router(pppoe-relay)
                        |
WorkPC------------------+
  • the interfaces
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0e:c4:cf:2e:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::20e:c4ff:fecf:2e98/64 scope link
       valid_lft forever preferred_lft forever
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1454 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet x.x.x.x peer x.x.x.x/32 scope global ppp0
       valid_lft forever preferred_lft forever
  • What I did
  1. I added rules to drop all input packets from ppp0:
root@lxs:/home/aaa# iptables -L INPUT -vn
Chain INPUT (policy ACCEPT 3625 packets, 1238K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4513  638K ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0
  460 25241 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
  2. Monitoring the packets; at the same time, accessing the web server (port 8080) from LTE:
    x.x.x.x is the IP address of ppp0.
root@nas:/home/bjn# tcpdump -i ppp0 -n port 8080
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
15:59:20.474424 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [S], seq 1901489667, win 65535, options [mss 1300,nop,wscale 5,nop,nop,TS val 3868697852 ecr 0,sackOK,eol], length 0
15:59:20.474678 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [S.], seq 3559979952, ack 1901489668, win 65160, options [mss 1414,sackOK,TS val 3483431673 ecr 3868697852,nop,wscale 7], length 0
15:59:20.542349 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [.], ack 1, win 4105, options [nop,nop,TS val 3868697925 ecr 3483431673], length 0
15:59:20.558901 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [P.], seq 1:598, ack 1, win 4105, options [nop,nop,TS val 3868697927 ecr 3483431673], length 597: HTTP: GET / HTTP/1.1
15:59:20.559000 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [.], ack 598, win 505, options [nop,nop,TS val 3483431758 ecr 3868697927], length 0
15:59:20.619981 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [P.], seq 1:646, ack 598, win 505, options [nop,nop,TS val 3483431819 ecr 3868697927], length 645: HTTP: HTTP/1.1 200 OK
15:59:20.621516 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [.], seq 646:1934, ack 598, win 505, options [nop,nop,TS val 3483431820 ecr 3868697927], length 1288: HTTP
15:59:20.621763 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [.], seq 1934:3222, ack 598, win 505, options [nop,nop,TS val 3483431821 ecr 3868697927], length 1288: HTTP
15:59:20.621768 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [P.], seq 3222:4510, ack 598, win 505, options [nop,nop,TS val 3483431821 ecr 3868697927], length 1288: HTTP
15:59:20.622514 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [FP.], seq 4510:5152, ack 598, win 505, options [nop,nop,TS val 3483431821 ecr 3868697927], length 642: HTTP
  • What I got
    You can see the access from the Internet was not blocked. Can anyone help?
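The following is an added check, not part of the question or the comments: a small parser over the `tcpdump -n` lines above that reports which Internet clients completed the three-way handshake with port 8080. The capture in the question shows the server answering the inbound SYN with a SYN-ACK and then serving `GET /`, which is exactly what should not happen if the `DROP` rule on `ppp0` were matching. The sample lines are taken from the question with the TCP option lists shortened; the second "blocked" capture is constructed to show what a working rule looks like. Note that tcpdump taps the interface before netfilter's INPUT chain runs, so inbound SYNs still appear in a capture even when they are dropped; the missing SYN-ACK is the real indicator.

```python
import re

# Constructed sample: the first four packets of the tcpdump output in the
# question, with the long TCP option lists shortened to "[...]" and the
# poster's placeholder x.x.x.x kept for the server's ppp0 address.
SAMPLE_CAPTURE = """\
15:59:20.474424 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [S], seq 1901489667, win 65535, options [...], length 0
15:59:20.474678 IP x.x.x.x.8080 > 133.106.52.47.65368: Flags [S.], seq 3559979952, ack 1901489668, win 65160, options [...], length 0
15:59:20.542349 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [.], ack 1, win 4105, options [...], length 0
15:59:20.558901 IP 133.106.52.47.65368 > x.x.x.x.8080: Flags [P.], seq 1:598, ack 1, win 4105, options [...], length 597: HTTP: GET / HTTP/1.1
"""

# Constructed counter-example: what the same capture looks like when the
# INPUT DROP rule really matches. tcpdump sees the packet before netfilter
# runs, so the inbound SYNs (and the client's retransmit) are still visible;
# the server never sends a SYN-ACK.
BLOCKED_CAPTURE = """\
16:01:10.100000 IP 133.106.52.47.65400 > x.x.x.x.8080: Flags [S], seq 1, win 65535, options [...], length 0
16:01:11.100000 IP 133.106.52.47.65400 > x.x.x.x.8080: Flags [S], seq 1, win 65535, options [...], length 0
"""

# Matches the prefix of a "tcpdump -n" TCP line: timestamp, endpoints, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Parse tcpdump -n lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def completed_handshakes(packets, server_port):
    """Return sorted (client_ip, client_port) pairs that completed a three-way
    handshake with server_port: SYN in, SYN-ACK out, ACK in."""
    state = {}
    for p in packets:
        if p["dport"] == server_port and p["flags"] == "S":
            state[(p["src"], p["sport"])] = "syn"
        elif p["sport"] == server_port and p["flags"] == "S.":
            client = (p["dst"], p["dport"])
            if state.get(client) == "syn":
                state[client] = "synack"
        elif p["dport"] == server_port and "." in p["flags"]:
            client = (p["src"], p["sport"])
            if state.get(client) == "synack":
                state[client] = "established"
    return sorted(c for c, s in state.items() if s == "established")


def drop_rule_effective(text, server_port="8080"):
    """True if no client got past the handshake, i.e. the kernel never answered
    an inbound SYN on the captured interface."""
    return not completed_handshakes(parse_capture(text), server_port)


if __name__ == "__main__":
    print("question capture:", completed_handshakes(parse_capture(SAMPLE_CAPTURE), "8080"))
    print("DROP effective on question capture?", drop_rule_effective(SAMPLE_CAPTURE))
    print("DROP effective on blocked capture?", drop_rule_effective(BLOCKED_CAPTURE))
```

Run it against a saved `tcpdump -i ppp0 -n port 8080` capture; any client listed by `completed_handshakes` reached the socket, so the packets did not traverse the `DROP` rule (wrong chain, wrong table backend, or an earlier rule accepting them), and the counters from `iptables -L INPUT -vn` should be read alongside the capture.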
A.B
Just in case can you provide the full network state? `ip -br link; ip -br address; ip route` and also `iptables-save -c`? `ss -tnlp sport == 8080` could help too.
A.B
Also just in case (though I don't see how this would affect this case): `sysctl net.bridge.bridge-nf-filter-pppoe-tagged` (an error or 0 is fine, 1 might cause problems).