[SOLVED] Cannot stop iptables forwarding packets?

derrend
Posts: 24
Joined: 2012/06/05 13:27:26
Location: Sheffield

[SOLVED] Cannot stop iptables forwarding packets?

Post by derrend » 2015/03/14 03:05:37

Here is my script:

#!/bin/bash -x

IPT=$(which iptables)

# Port lists are regenerated on every run. mktemp avoids writing to
# predictable names under /tmp while running as root.
TCPLIST=$(mktemp) || exit 1
UDPLIST=$(mktemp) || exit 1
trap 'rm -f "$TCPLIST" "$UDPLIST"' EXIT

# Take the local-address column of the listening sockets and keep only the
# port, i.e. the text after the last colon (so IPv6 addresses work too).
# The header line becomes the word "Local", which sorts after the digits
# and is discarded by "head -n -1".
ss -lnt | awk '{print $4}' | rev | cut -f 1 -d : | rev | sort -u | head -n -1 > "$TCPLIST"
ss -lnu | awk '{print $4}' | rev | cut -f 1 -d : | rev | sort -u | head -n -1 > "$UDPLIST"

# Accept inbound TCP to every listening port passed as an argument.
function tcpgen {
    for i in "$@"; do
        "$IPT" -A INPUT -p tcp --dport "$i" -j ACCEPT
    done
}

# Same for UDP.
function udpgen {
    for i in "$@"; do
        "$IPT" -A INPUT -p udp --dport "$i" -j ACCEPT
    done
}

# Start from empty chains in the filter and nat tables.
"$IPT" -F
"$IPT" -t nat -F

# Default policies: drop unsolicited inbound and routed traffic, allow outbound.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

tcpgen $(cat "$TCPLIST")
udpgen $(cat "$UDPLIST")

"$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"$IPT" -t nat -A PREROUTING -p tcp --dport 1000 -j REDIRECT --to-ports 80
"$IPT" -A FORWARD -p tcp --dport 80 -j DROP

Please notice that at the bottom I have a rule to DROP the packet received on port 1000, but I am still able to access the web page on port 80 regardless. How can this be?

Here is more info for your consideration:


$ sudo iptables -L -t nat -vn
Chain PREROUTING (policy ACCEPT 79 packets, 4647 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   300 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1000 redir ports 80 

Chain POSTROUTING (policy ACCEPT 35 packets, 2548 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 35 packets, 2548 bytes)
 pkts bytes target     prot opt in     out     source               destination


$ sudo iptables -L -vn
Chain INPUT (policy DROP 27 packets, 1631 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
  108  9720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2049 
  789 95748 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
   18  1126 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:32803 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
   59  4707 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:892 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2049 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:32769 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:35270 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:47969 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:718 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:892 
   40  4765 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 

Chain OUTPUT (policy ACCEPT 1038 packets, 245K bytes)
 pkts bytes target     prot opt in     out     source               destination

Thank you in advance for any info :D
Last edited by derrend on 2015/03/15 08:48:40, edited 1 time in total.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot stop iptables forwarding packets?

Post by TrevorH » 2015/03/14 09:33:32

Looks to me like you're hitting the port 80 rule in INPUT. Since you're redirecting to a different port on the same host (not a different IP address), you're probably not going through the FORWARD chain at all, so your PREROUTING rule changes it from port 1000 to 80, then the INPUT rule accepts it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
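
An added example to go with the explanation above; it is not code from the thread or from either poster. It spells out the chain order a redirected packet actually takes, and gives two ways to make the drop happen where the packet really goes (the INPUT chain, or raw PREROUTING before NAT), plus a TRACE rule for watching the path in the kernel log. It assumes an iptables build with the conntrack, TRACE and LOG extensions (as shipped with CentOS 6 and 7) and root for anything other than a dry run; the function names and the subcommand names are my own.

```bash
#!/bin/bash
# Added example, not from the thread. A packet for tcp/1000 that is REDIRECTed
# to tcp/80 on the same host never visits FORWARD, so this shows where the
# drop must live instead, and how to prove the path with TRACE.
# Assumes iptables with conntrack/TRACE/LOG extensions (CentOS 6/7) and root.

# Command used to apply rules. "IPT=echo ./redirect-drop.sh drop-input" previews.
IPT="${IPT:-iptables}"

# Path of an inbound tcp/1000 packet with the rules from the post:
#   raw PREROUTING -> conntrack -> nat PREROUTING (REDIRECT: dport 1000 -> 80)
#   -> routing decision: destination is a local address -> filter INPUT
#   -> "-p tcp --dport 80 -j ACCEPT" matches the rewritten packet.
# filter FORWARD is only walked for packets routed on to another host, so the
# "--dport 80 -j DROP" there is never consulted (its counter stays at 0).

# Fix A: drop in INPUT on the connection's ORIGINAL destination port.
# conntrack records the tuple before nat rewrites it, so this still sees 1000
# even though --dport now reads 80. Inserted at position 1 so it precedes the
# listener ACCEPTs and the RELATED,ESTABLISHED rule.
drop_redirected_in_input() {
    $IPT -I INPUT 1 -p tcp -m conntrack --ctproto tcp --ctorigdstport 1000 -j DROP
}

# Fix B: drop before NAT happens. raw PREROUTING runs ahead of nat PREROUTING,
# so the packet is gone before REDIRECT is evaluated. Use this when tcp/1000
# should simply be unreachable rather than redirected and then filtered.
drop_before_redirect() {
    $IPT -t raw -A PREROUTING -p tcp --dport 1000 -j DROP
}

# Log every table/chain a tcp/1000 packet traverses; the kernel log shows
# lines like "TRACE: nat:PREROUTING:rule:1" and "TRACE: filter:INPUT:rule:N".
# The LOG module (ipt_LOG on the CentOS 6 kernel) must be loaded for the
# output to appear. Remove the rule again when done: it is very noisy.
trace_redirected_port() {
    $IPT -t raw -A PREROUTING -p tcp --dport 1000 -j TRACE
}

# The counters that answer "which chain saw this?": REDIRECT in nat
# PREROUTING and "dpt:80" in INPUT climb while FORWARD stays at zero.
show_counters() {
    $IPT -t nat -L PREROUTING -vn
    $IPT -L INPUT -vn
    $IPT -L FORWARD -vn
}

case "${1:-}" in
    drop-input) drop_redirected_in_input ;;
    drop-raw)   drop_before_redirect ;;
    trace)      trace_redirected_port ;;
    counters)   show_counters ;;
    *)          echo "usage: $0 {drop-input|drop-raw|trace|counters}" >&2 ;;
esac
```

Run it with `IPT=echo` first to see the exact rules it would add, then as root without the override. With Fix A in place the INPUT dpt:80 counter stops climbing for connections that arrived on port 1000 while ordinary port-80 clients are unaffected, which is the distinction the FORWARD rule could never make.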

derrend
Posts: 24
Joined: 2012/06/05 13:27:26
Location: Sheffield

Re: Cannot stop iptables forwarding packets?

Post by derrend » 2015/03/15 08:48:17

TrevorH wrote: Looks to me like you're hitting the port 80 rule in INPUT. Since you're redirecting to a different port on the same host (not a different ip address) you're probably not going through the FORWARD chain at all so your prerouting rule changes it from port 1000 to 80 then the INPUT rule accepts it.

Thank you, I did not know that the FORWARD chain is not used for local forwarding. Much appreciated :)
