iptables question

runt

I have a Linksys WRT54G running DD-WRT firmware and I have some iptables rules set up to block certain websites. My problem is that I want to allow one system access to one of the sites.

I am using
iptables -A FORWARD -s outsideip -j REJECT
and
iptables -A FORWARD -s outsideip -d insideip -j ACCEPT
and it will not actually add the second one to the rule list (iptables -L FORWARD). Anyone have a clue as to what I am doing wrong?
 
Why wouldn't you use
iptables -A INPUT -s BADSITE -d ALLOWEDHOST -j ACCEPT   # ACCEPT is the netfilter target name; there is no ALLOW target
iptables -A INPUT -s BADSITE -j DROP
Keep in mind those MUST be in order, or else you won't get the desired effect.
 
Gah, forgot that part. That's why I prefer pf over netfilter; it takes into account the NAT redirection as it goes through the rules.
 
iptables -n -L output; sorry for taking so long, had to take my fiancée to the ER.

~ # iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 2 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
logaccept 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
DROP 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT 0 -- 66.115.147.194 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT 0 -- 216.150.69.36 172.16.6.117 reject-with icmp-port-unreachable
REJECT 0 -- 217.212.244.94 0.0.0.0/0 reject-with icmp-port-unreachable
ACCEPT 47 -- 172.16.6.0/24 0.0.0.0/0
ACCEPT tcp -- 172.16.6.0/24 0.0.0.0/0 tcp dpt:1723
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
logdrop 0 -- 0.0.0.0/0 0.0.0.0/0 state INVALID
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1461:65535 TCPMSS set 1460
lan2wan 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 224.0.0.0/4 udp
ACCEPT tcp -- 0.0.0.0/0 172.16.6.117 tcp dpt:50945
ACCEPT udp -- 0.0.0.0/0 172.16.6.117 udp dpt:50945
ACCEPT tcp -- 0.0.0.0/0 172.16.6.117 tcp dpt:3389
ACCEPT udp -- 0.0.0.0/0 172.16.6.117 udp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 172.16.6.117 tcp dpt:37
ACCEPT udp -- 0.0.0.0/0 172.16.6.117 udp dpt:37
ACCEPT tcp -- 0.0.0.0/0 172.16.6.117 tcp dpt:13
ACCEPT udp -- 0.0.0.0/0 172.16.6.117 udp dpt:13
ACCEPT tcp -- 0.0.0.0/0 172.16.6.117 tcp dpt:3306
ACCEPT udp -- 0.0.0.0/0 172.16.6.117 udp dpt:3306
TRIGGER 0 -- 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
trigger_out 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
DROP 0 -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain advgrp_1 (0 references)
target prot opt source destination

Chain advgrp_10 (0 references)
target prot opt source destination

Chain advgrp_2 (0 references)
target prot opt source destination

Chain advgrp_3 (0 references)
target prot opt source destination

Chain advgrp_4 (0 references)
target prot opt source destination

Chain advgrp_5 (0 references)
target prot opt source destination

Chain advgrp_6 (0 references)
target prot opt source destination

Chain advgrp_7 (0 references)
target prot opt source destination

Chain advgrp_8 (0 references)
target prot opt source destination

Chain advgrp_9 (0 references)
target prot opt source destination

Chain grp_1 (0 references)
target prot opt source destination

Chain grp_10 (0 references)
target prot opt source destination

Chain grp_2 (0 references)
target prot opt source destination

Chain grp_3 (0 references)
target prot opt source destination

Chain grp_4 (0 references)
target prot opt source destination

Chain grp_5 (0 references)
target prot opt source destination

Chain grp_6 (0 references)
target prot opt source destination

Chain grp_7 (0 references)
target prot opt source destination

Chain grp_8 (0 references)
target prot opt source destination

Chain grp_9 (0 references)
target prot opt source destination

Chain lan2wan (1 references)
target prot opt source destination

Chain logaccept (1 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0

Chain logdrop (1 references)
target prot opt source destination
DROP 0 -- 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset

Chain trigger_out (1 references)
target prot opt source destination
 
OK, I've tried
iptables -A FORWARD -s BADSITE -d ALLOWEDHOST -j ACCEPT
iptables -A FORWARD -s BADSITE -j DROP

and

iptables -I FORWARD -s BADSITE -d ALLOWEDHOST -j ACCEPT
iptables -I FORWARD -s BADSITE -j DROP

Neither one works :(
 
That's because you have a generic line here:
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW

You HAVE to have any more specific drops inserted before that line in the forward table. Always keep in mind that iptables does first match wins, and NO rule after the first match will get checked for that packet.
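Worked example of the ordering point made in this post and in the earlier "those MUST be in order" reply, added here by the editor; it is not code from any post in the thread. The exception must sit above the block, and both must sit above DD-WRT's generic ACCEPT rules in FORWARD, so the script inserts at explicit positions rather than relying on -A (which appends below the generic ACCEPT) or on the order two -I calls happen to land in. Assumptions: the IPTABLES variable is a dry-run hook I added, the addresses in the usage comment are placeholders, and the chain is the stock DD-WRT FORWARD chain listed earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: place a host-specific ACCEPT ahead of a
# site-wide REJECT at the top of FORWARD, so both are evaluated before DD-WRT's
# generic "ACCEPT ... state NEW" rule. netfilter is first match wins, so the
# exception has to come first.
#
# IPTABLES is a dry-run hook (assumption, not a DD-WRT feature): set
# IPTABLES=echo to print the commands instead of running them.
IPTABLES="${IPTABLES:-iptables}"

# block_site_except_host SITE HOST
#   position 1: HOST -> SITE            -> ACCEPT   (the exception)
#   position 2: anything else -> SITE   -> REJECT   (the block)
# Matching the outbound direction (-d SITE) is sufficient: if the first
# packet of a connection is rejected, nothing gets established and there are
# no replies left to block. Explicit positions make the result independent
# of whether the chain already has rules and of -A versus -I.
block_site_except_host() {
    site="$1"
    host="$2"
    "$IPTABLES" -I FORWARD 1 -s "$host" -d "$site" -j ACCEPT
    "$IPTABLES" -I FORWARD 2 -d "$site" -j REJECT
}

# Show FORWARD with rule positions, numeric addresses and the -i/-o and
# byte/packet columns. Plain "iptables -L" omits interface matches (so an
# interface-restricted rule looks like "ACCEPT all anywhere anywhere") and
# does a reverse DNS lookup on every address.
show_forward() {
    "$IPTABLES" -L FORWARD -n -v --line-numbers
}

# Usage (placeholder addresses):
#   IPTABLES=echo block_site_except_host 203.0.113.10 192.168.1.50   # preview
#   block_site_except_host 203.0.113.10 192.168.1.50                 # apply
#   show_forward                                                     # verify
```

Preview with IPTABLES=echo first, then apply and run show_forward: the --line-numbers column tells you where the rules actually landed relative to the generic ACCEPT, and the packet counters in -v output show whether a rule is being hit at all. Rules entered at the shell on DD-WRT are lost at reboot; they need to go into the saved firewall script to persist.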
 
Problem is, iptables -A (or -I) FORWARD -s badip -d compip -j ACCEPT does nothing; it doesn't even add it to the list.
 
That's unusual. Is there any error in dmesg? (Just type dmesg in the shell and look towards the end.)
 
I will have to check when I get home; I can't SSH into it from work (i.e. they blocked SSH outbound).
 
OK, here is the dmesg output.
Code:
~ # iptables -I FORWARD -s 216.150.69.36 -d 172.16.6.130 -j ACCEPT
~ # dmesg
CPU revision is: 00029008
Linux version 2.4.35 (root@dd-wrt) (gcc version 3.4.4 (OpenWrt-2.0)) #2192 Thu Sep 13 22:08:26 CEST 2007
Setting the PFC to its default value
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
CPU: BCM5352 rev 0 at 200 MHz
Using 100.000 MHz high precision timer.
Calibrating delay loop... 199.47 BogoMIPS
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
PCI: no core
PCI: Fixing up bus 0
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch ([email protected])
devfs: boot_options: 0x1
squashfs: version 3.0 (2006/03/15) Phillip Lougher
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xb8000300 (irq = 3) is a 16550A
ttyS01 at 0xb8000400 (irq = 3) is a 16550A
Software Watchdog Timer: 0.05, timer margin: 60 sec
PCI: Setting latency timer of device 00:01.0 to 64
imq driver loaded.
Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Physically mapped flash: Found an alias at 0x400000 for the chip at 0x0
Physically mapped flash: Found an alias at 0x800000 for the chip at 0x0
Physically mapped flash: Found an alias at 0xc00000 for the chip at 0x0
Physically mapped flash: Found an alias at 0x1000000 for the chip at 0x0
Physically mapped flash: Found an alias at 0x1400000 for the chip at 0x0
Physically mapped flash: Found an alias at 0x1800000 for the chip at 0x0
Physically mapped flash: Found an alias at 0x1c00000 for the chip at 0x0
cfi_cmdset_0001: Erase suspend on write enabled
0: offset=0x0,size=0x2000,blocks=8
1: offset=0x10000,size=0x10000,blocks=63
Using word write method
Flash device: 0x400000 at 0x1c000000
bootloader size: 262144
Physically mapped flash: Filesystem type: squashfs, size=0x2fc6a4
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00040000 : "cfe"
0x00040000-0x003f0000 : "linux"
0x000cb444-0x003d0000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x003f0000-0x00400000 : "nvram"
0x003d0000-0x003f0000 : "ddwrt"
Initializing Cryptographic API
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
ip_conntrack version 2.1 (512 buckets, 4096 max) - 336 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
IPP2P v0.8.2 loading
ipt_random match loaded
netfilter PSD loaded - (c) astaro AG
ipt_osf: Startng OS fingerprint matching module.
ipt_IPV4OPTSSTRIP loaded
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
All bugs added by David S. Miller <[email protected]>
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
diag boardtype: 00000467
PCI: Setting latency timer of device 00:05.0 to 64
eth1: Broadcom BCM4320 802.11 Wireless Controller 4.80.56.0
vlan0: add 01:00:5e:00:00:01 mcast address to master interface
vlan0: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
device vlan0 entered promiscuous mode
device eth1 entered promiscuous mode
HTB init, kernel part version 3.17
HTB init, kernel part version 3.17
vlan1: Setting MAC address to  00 14 bf 29 42 6f.
vlan1: add 01:00:5e:00:00:01 mcast address to master interface
vlan1: dev_set_promiscuity(master, 1)
device vlan1 entered promiscuous mode
vlan1: dev_set_allmulti(master, 1)
device br0 entered promiscuous mode
vlan1: dev_set_allmulti(master, 1)
vlan1: add 01:00:5e:7f:ff:fa mcast address to master interface
HTB init, kernel part version 3.17
HTB init, kernel part version 3.17
 
OK, I got the allow to save, but it allows all computers now :(

iptables -A FORWARD -s ip -d ip -j ACCEPT
iptables -A FORWARD -s ip -j REJECT
iptables -A FORWARD -s ip -j REJECT
iptables -A FORWARD -s ip -j REJECT
 