Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How iptables directs to localhost in this series of iptable rules
Top Forums UNIX for Advanced & Expert Users How iptables directs to localhost in this series of iptable rules Post 302570580 by Narnie on Thursday 3rd of November 2011 04:35:15 PM
Old 11-03-2011
Quote:
Originally Posted by otheus
I understand your objection to being given a very general answer, but as your post had gone unanswered after 2 weeks, it made little sense to give a very long response in case you had since solved the problem. Also, as I was posting from my iPhone, i couldn't give you more than a general response.

Here's one visual aid but I prefer this one. These should give you a better idea of the distinction between POST/PRE-ROUTING, etc.

Code:
#1
-A OUTPUT -d 127.0.0.1 -p tcp --dport 8118 
       -m owner ! --uid-owner dansguardian -j DROP
#2
-A POSTROUTING -t nat -o lo -p tcp --dport 8080 -j SNAT --to 127.0.0.1
#3
-A OUTPUT -t nat ! -d 127.0.0.1 -p tcp --dport 80 
       -m owner ! --uid-owner root -j REDIRECT --to-ports 8080

#4
-A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
#5
-A INPUT -d 224.0.0.1 -j DROP
#6
-A INPUT -j REJECT

For #1,
I have no idea what dansguardian is doing, but this rule will drop any packet sent to the loopback interface and port 8118 that is not from a process owned by dansguardian.

For #2 / #3, It looks like port 8080 is some sort of proxy server for all outbound "typical HTTP" traffic (unless you're running as root, in which case it's not proxied). #4 instructs to redirect all traffic to the service on port 8080 on the loopback interface, and #3 tells it to spoof the packets as if they were really supposed to go there in the first place. (Otherwise, the listening interface would not see packets for 127.0.0.1 but for their original destination, which it's not listening for.)

For #4
I'm not sure, but anything to 255.255.255.xxx is dropped. Normally that's a broadcast from ill-behaved equipment.

For #5, that's multicast it's dropping.

For #6 REJECT vs DROP - That's just an issue of preference. REJECT will result in an icmp packet sent back to the sender indicating the packet has not been accepted. DROP simply ignores the packet and no further action is taken.
I do appreciate your following up on this.

I have learned a lot since the original post. There still are gaps, however.

#1 above prevents a person from just putting 127.0.0.1:8118 into their browser proxy settings and effectively bypassing dansguardian filtering. Although I didn't know what it was doing before, it was I nice little tip I learned from using dansguardian with firehol.

#2 another forum said that there can be other broadcasts regarding localhost that are NOT from 127.0.0.1 and this rule changes it to the loopback address. My system works without this line, so I'm not 100% sure what this is trying to do. I know WHAT it is doing, but not the rationale why. Perhaps it prevents some kind of circular routing since only 127.0.0.1 traffic is allowed dport 80 traffic all other is redirected to 8080 where dansguardian is listening so it can do the content filtering but there may be some legit lo traffic on another ip#.

#4 is dropping broadcast packets, but I'm not exactly sure where those would come from. #4 and #5 I have found on other sites that on networks with Windows systems on them, there will be a lot of broadcast and multicast packets on them that will hog the logs, so it just drops them. Does this make since? If not, other explainations are welcome. Not sure what Windows is doing here, but it seems to be in some of the "best practices" info on firewall building.

#6 I understand the difference, but wonder why sometimes things are just dropped (and therefore silent) and if everything makes it through the rules to this point, it might be chosen to use are REJECT and thus send back a TCP RST packet alerting them that they got a "live" system. Just curious on this one.
 

9 More Discussions You Might Find Interesting

1. IP Networking

Iptables rules at boot

Hi I have small home network and I want to block some forums on web When I use this iptables -A INPUT -s forum -j DROP rules is applied but when I restart some of PC rules are not present any more also I tried to save firewall settings iptables-save > /root/dsl.fw but how to... (2 Replies)
Discussion started by: solaris_user
2 Replies

2. Cybersecurity

Editing rules on iptables

Hello, I was playing around with iptables to setup an isolated system. On a SLES10 system, I ran the below to setup my first draft of rules. I noticed that the rules come into effect immediately and do not require any restart of iptables. iptables -A INPUT -j ACCEPT iptables -A OUTPUT -m... (4 Replies)
Discussion started by: garric
4 Replies

3. Ubuntu

iptables rules (ubuntu)

Could someone help me with writing rules for iptables? I need a dos attacks protection for a game server. port type udp ports 27015:27030 interface: eth0 Accept all packets from all IPs Chek if IP sent more than 50 packets per second Drop all packets from this IP for 5 minutes I would be... (0 Replies)
Discussion started by: Greenice
0 Replies

4. Red Hat

iptables Rules for my network

Hi Champs i am new in Iptables and trying to write rules for my Samba server.I took some help from internet, created one script and run from rc.local : #Allow loopback iptables -I INPUT -i lo -j ACCEPT # Accept packets from Trusted network iptables -A INPUT -s my-network/subnet -j... (0 Replies)
Discussion started by: Vaibhav.T
0 Replies

5. Web Development

$_SERVER['DOCUMENT_ROOT'] directs to /var/www not ~/public_html

Hi all, Exactly like my title says. I am learning PHP and MySQL and I used to use /var/www/ to host (contain or store) my files (.htm/.php) for testing. I could configure, finally, apache2 to use ~/public_html instead. Now I when I tried to use $_SERVER it still directs (I used echo to show... (7 Replies)
Discussion started by: faizlo
7 Replies

6. Proxy Server

IPtable rules for DNS/http/https traffic for specific hosts only, not working.

Hi there, I have a VPS and am working on a little side project for myself and friend which is a DNS proxy. Everything was great till recently. My VPS IP has been detected by some botnet or something, and I believe SMURF attacks are occuring. The VPS provider keeps shutting down my VPS... (3 Replies)
Discussion started by: phi0x
3 Replies

7. UNIX for Advanced & Expert Users

iptables help with rules

Hi, I've been struggling with this all morning and seem to have a blind spot on what the problem is. I'm trying to use iptables to block traffic on a little cluster of raspberry pi's but to allow ssh and ping traffic within it. The cluster has a firewall server with a wifi card connecting to... (4 Replies)
Discussion started by: steadyonabix
4 Replies

8. Cybersecurity

Need help for iptables rules

Hello, I did 2 scripts. The second one is, I hope, more secure. What do you think? Basic connection (no server, no router, no DHCP and the Ipv6 is disabled) #######script one #################### iptables -F iptables -X -t filter iptables -P INPUT DROP iptables -P FORWARD... (6 Replies)
Discussion started by: Thomas342
6 Replies

9. IP Networking

iptables - formatting icmp rules

Hi, I am relatively new to firewalls and netfilter. I have a Debian Stretch router box running dnsmasq, connected to a VPN. Occasionally dnsmasq polls all of the desired DNS servers to select the fastest. When it does this it responds to replies of the non-selected DNS servers with a icmp type... (0 Replies)
Discussion started by: CrazyDave
0 Replies
All times are GMT -4. The time now is 08:04 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy