linux
jidckii, 2015-06-27 18:06:28

Why is iptables firewall not working?

Can you tell me why the iptables filter might not be working?
eth0 - internet
wlan0 - wi-fi for clients.
It is necessary to close all ports on wlan0 except those listed.
But for some reason, when I connect and try to open, for example, RDP 3389, which is not on the allowed list, everything works fine!
The rules look like this:

Chain INPUT (policy ACCEPT 1746 packets, 144K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      *       172.20.20.5          0.0.0.0/0           
2        0     0 ACCEPT     udp  --  *      *       172.20.20.5          0.0.0.0/0           
3       26  8528 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
4        5  1735 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
5       26  1976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
7       32  2144 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
12       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
13       0     0 DROP       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
14      21  4699 DROP       udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 187 packets, 21975 bytes)
num   pkts bytes target     prot opt in     out     source               destination

or in this form:
$ cat /etc/nat_fw
#!/bin/bash

# NAT for both uplinks
iptables -t nat -A POSTROUTING -s 172.20.20.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.20.20.0/24 -o wwan0 -j MASQUERADE

## ssh tcp port 22 ##
iptables -A INPUT -s 172.20.20.5 -p tcp -j ACCEPT
iptables -A INPUT -s 172.20.20.5 -p udp -j ACCEPT

## DHCP ##
iptables -A INPUT  -p udp --dport 67 -j ACCEPT
iptables -A INPUT  -p udp --dport 68 -j ACCEPT

## time sync via NTP for the local network (udp port 123) ##
iptables -A INPUT  -p udp --dport 123 -j ACCEPT

## tcp port 25 (smtp) ##
iptables -A INPUT   -p tcp --dport 25 -j ACCEPT

# dns server ports ##
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

## http/https www server port ##
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

## tcp port 110 (pop3) ##
iptables -A INPUT -p tcp --dport 110 -j ACCEPT

## tcp port 143 (imap) ##
iptables -A INPUT -p tcp --dport 143 -j ACCEPT

## Block everything else
iptables -A INPUT -i wlan0 -p tcp  -j DROP
iptables -A INPUT -i wlan0 -p udp  -j DROP

2 answer(s)
Vladimir, 2015-06-27
@jidckii

If the RDP 3389 connection goes from the client through this gateway and onward to the Internet, then the rules should be in the FORWARD chain, not in the INPUT chain.

eCat3, 2015-06-27
@eCat3

By default, iptables allows all packets that do not match any rule. You have only written down what is explicitly permitted; a default policy of DROP will drop packets in all cases not described.

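Putting the two answers together, here is an added example (not code from the question or from either answer) of the same policy restated so that it also covers routed traffic: the INPUT chain still protects the gateway itself, the FORWARD chain now filters what wlan0 clients may reach through it, and both chains default to DROP. It keeps the interface names (eth0 uplink, wlan0 clients), the LAN 172.20.20.0/24 and the host 172.20.20.5 from the question; the port lists, the conntrack and LOG rules, the DROP policies and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not the original /etc/nat_fw. Interfaces, LAN and admin host
# come from the question; everything else here is an assumption.
set -eu

WAN="${WAN:-eth0}"
LAN="${LAN:-wlan0}"
LAN_NET="${LAN_NET:-172.20.20.0/24}"
ADMIN="${ADMIN:-172.20.20.5}"
DRY_RUN="${DRY_RUN:-1}"   # default only prints; DRY_RUN=0 loads the rules (needs root)

# Services wlan0 clients may reach on the gateway itself (INPUT chain).
GW_TCP="22 25 53 80 443 110 143"
GW_UDP="53 67 68 123"
# Destinations wlan0 clients may reach through the gateway (FORWARD chain).
FWD_TCP="25 53 80 443 110 143"
FWD_UDP="53 123"

# Print or execute one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # A packet addressed to the gateway's own IP traverses INPUT; a packet the
    # gateway routes from wlan0 to eth0 traverses FORWARD only. Both chains
    # therefore need a DROP default, otherwise anything not listed (RDP 3389
    # in the question) falls through to the ACCEPT policy.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -s "$ADMIN" -j ACCEPT
    for p in $GW_TCP; do ipt -A INPUT -i "$LAN" -p tcp --dport "$p" -j ACCEPT; done
    for p in $GW_UDP; do ipt -A INPUT -i "$LAN" -p udp --dport "$p" -j ACCEPT; done

    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    for p in $FWD_TCP; do
        ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $FWD_UDP; do
        ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done
    # Everything else wlan0 tries to route out, 3389 included, hits the FORWARD
    # policy and is dropped; log a rate-limited sample so the drops are visible.
    ipt -A FORWARD -i "$LAN" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# Count the ACCEPT rules the generated set has for a forwarded proto/port,
# e.g. forward_accepts tcp 3389 -> 0, forward_accepts tcp 80 -> 1.
forward_accepts() {
    ( DRY_RUN=1; apply_rules ) | grep -c -- "-A FORWARD .* -p $1 --dport $2 -j ACCEPT" || true
}

apply_rules
```

Run it from the console rather than over a wireless session: the policies are switched to DROP before the ACCEPT rules are loaded, which briefly cuts off everything. Afterwards iptables -L FORWARD -v -n should show the RDP attempt counted against the FORWARD policy, and net.ipv4.ip_forward must be 1 (check with sysctl) for the FORWARD chain to be traversed at all. The 0-packet counter on INPUT rule 13 in the listing above is exactly what you would expect when the client's traffic is being routed through the box rather than delivered to it.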