Score:0

iptables to block http and ssh in one direction

I have a topology where a Linux machine acts as a router connecting two other Linux machines, and I want to use iptables to filter SSH and HTTP in one direction. I used the code below, but it didn't work! I really appreciate any help you can provide.

iptables -A FORWARD -i ens33 -o ens38 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i ens38 -o ens33 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -i ens38 -o ens33 -p tcp --dport 80 -j DROP

topology

Doug Smythies
Some context is missing in your question. How are packets forwarded from 192.168.18.128 to 192.168.17.128? If 192.168.18.129 is truly a router, then 192.168.18.128 would not know about 192.168.17.128, and you would filter incoming HTTP and SSH connection requests in the INPUT chain.
masoud hanifehzadeh
192.168.18.129 is also a Linux machine, and on 192.168.18.128 I used 192.168.18.129 as the default gateway.
Score:1

Your script should work for HTTP, but it is not really nice. I would use something like this:

#!/bin/sh
IPTABLE=/sbin/iptables

# Default policies: only forwarded traffic is filtered, and anything
# not explicitly accepted in FORWARD is dropped.
$IPTABLE -P INPUT ACCEPT
$IPTABLE -P FORWARD DROP
$IPTABLE -P OUTPUT ACCEPT

# Start from clean filter and nat tables
$IPTABLE -F
$IPTABLE -X

$IPTABLE -F -t nat
$IPTABLE -X -t nat

# Packets belonging to connections that were already allowed (replies in either direction)
$IPTABLE -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# New connections are only allowed from ens33 towards ens38
# http
$IPTABLE -A FORWARD -i ens33 -o ens38 -p tcp --dport 80 -j ACCEPT
# https
$IPTABLE -A FORWARD -i ens33 -o ens38 -p tcp --dport 443 -j ACCEPT
# ssh
$IPTABLE -A FORWARD -i ens33 -o ens38 -p tcp --dport 22 -j ACCEPT
# icmp (both directions)
$IPTABLE -A FORWARD -p icmp -j ACCEPT

Once the rules are working I recommend doing an iptables-save > /etc/iptables/rules.v4. With the iptables-persistent package the rules are loaded at boot.
In addition to the iptables rules you need:

  1. IP forwarding enabled on your gateway.
  2. A route for the external network on your internal host.
  3. A route for the internal network on your external host.
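To see why the question's three rules leave SSH unfiltered while a default-DROP FORWARD policy plus the conntrack rule does the job, here is a toy first-match evaluator of the FORWARD chain. It is an added example, not code from the thread: the flows, the ephemeral port numbers, and the assumption that the question kept the stock FORWARD policy ACCEPT are constructed.

```python
"""Toy first-match evaluator for the FORWARD chain (added example, not from the
thread). Conntrack state is approximated: NEW for a TCP SYN, ESTABLISHED after."""
import shlex

FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport",
         "--sport": "sport", "--ctstate": "ctstate", "-j": "target"}

def parse_rule(line):
    """Turn one 'iptables -A FORWARD ...' line into a dict of match options."""
    toks = shlex.split(line)
    rule = {FLAGS[t]: toks[i + 1] for i, t in enumerate(toks) if t in FLAGS}
    for port in ("dport", "sport"):
        if port in rule:
            rule[port] = int(rule[port])
    if "ctstate" in rule:
        rule["ctstate"] = set(rule["ctstate"].split(","))
    return rule

def matches(rule, pkt):
    """Every option present in the rule must match the packet."""
    if "ctstate" in rule and pkt["state"] not in rule["ctstate"]:
        return False
    return all(pkt.get(k) == v for k, v in rule.items()
               if k not in ("ctstate", "target"))

def verdict(rules, pkt, policy):
    """Rules are checked top-down; first match decides, else the chain policy."""
    return next((r["target"] for r in rules if matches(r, pkt)), policy)

def tcp(in_if, out_if, sport, dport, state):
    return {"in": in_if, "out": out_if, "proto": "tcp",
            "sport": sport, "dport": dport, "state": state}

# Constructed flows: HTTP opened from behind ens33 plus its reply, and an SSH
# connection attempt in the direction that should be blocked (ens38 -> ens33).
FLOWS = {"http_syn": tcp("ens33", "ens38", 40000, 80, "NEW"),
         "http_reply": tcp("ens38", "ens33", 80, 40000, "ESTABLISHED"),
         "ssh_syn_reverse": tcp("ens38", "ens33", 40001, 22, "NEW")}

QUESTION_RULES = [parse_rule(r) for r in (
    "-A FORWARD -i ens33 -o ens38 -p tcp --dport 80 -j ACCEPT",
    "-A FORWARD -i ens38 -o ens33 -p tcp --sport 80 -j ACCEPT",
    "-A FORWARD -i ens38 -o ens33 -p tcp --dport 80 -j DROP")]
ANSWER_RULES = [parse_rule(r) for r in (
    "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -i ens33 -o ens38 -p tcp --dport 80 -j ACCEPT",
    "-A FORWARD -i ens33 -o ens38 -p tcp --dport 22 -j ACCEPT")]

def compare():
    """(question verdict, answer verdict) per flow; the question sets no policy,
    so the stock FORWARD policy ACCEPT is assumed there, the answer sets DROP."""
    return {n: (verdict(QUESTION_RULES, p, "ACCEPT"), verdict(ANSWER_RULES, p, "DROP"))
            for n, p in FLOWS.items()}
```

The reverse-direction SSH SYN matches none of the question's rules and falls through to the ACCEPT policy, whereas with the answer's ruleset it is dropped while the HTTP reply still passes via the conntrack rule.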
Doug Smythies
Instead of generic `RELATED,ESTABLISHED` I would recommend these two rules: `$IPTABLE -A FORWARD -i ens38 -o ens33 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and `$IPTABLE -A FORWARD -i ens33 -o ens38 -j ACCEPT`. Then you wouldn't need the 3 port specific FORWARD rules.
dummyuser
@Doug, first: your recommendation does not meet the request of limiting allowed connections to HTTP and SSH. I already extended it with HTTPS and ICMP. Second: packets of existing sessions are always handled by rule one (conntrack); in your recommendation all packets from ens33 to ens38 must run through the whole ruleset - not recommended.