Debian – how can I block all traffic that is coming to and from an IP address using iptables

Tags: debian, iptables, local-area-network, networking

I am trying to block all traffic that is both coming and going to an internal IP address (this server acts as a router for the network). So far I have tried the following: iptables -A INPUT -s 192.168.1.111 -j DROP & iptables -A OUTPUT -d 192.168.1.111 -j DROP, with 192.168.1.111 being the IP address I am trying to block traffic from. The local area network connects to br0. Here is my current iptables setup (I've removed port forwards, etc. to make it easier to go through):

# Generated by iptables-save v1.4.8 on Sat Feb 16 21:21:16 2013
*nat
:PREROUTING ACCEPT [184556:41149689]
:POSTROUTING ACCEPT [13698:835740]
:OUTPUT ACCEPT [77252:6378101]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 16 21:21:16 2013
# Generated by iptables-save v1.4.8 on Sat Feb 16 21:21:16 2013
*filter
:INPUT DROP [10054:2687428]
:FORWARD ACCEPT [1377:76856]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -i br0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A FORWARD -i eth0 -o Br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
COMMIT
# Completed on Sat Feb 16 21:21:16 2013

How could I go about blocking all traffic to and from an IP with this current setup? I'm not the best in the world with iptables, so any help would be much appreciated, thanks!

Best Answer

The INPUT and OUTPUT iptables chains apply to traffic destined to the local server. Any packet routed through the firewall is processed by the FORWARD chain. So in this case, you need to prevent packets from being forwarded by the Linux router to the internal client using the FORWARD chain.

I would advise you to start with a default DROP policy for the FORWARD chain, because your current setup shows that by default your FORWARD policy is ACCEPT, which is not the most secure setup. So start with a drop policy for forward with -

  iptables -P FORWARD DROP

Then allow packets to be forwarded to the Internal clients with -

  iptables -A FORWARD -s source-net/subnet -d destination-net/subnet -j ACCEPT
  iptables -A FORWARD -m state --state NEW,ESTABLISHED -s source-net/subnet -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT

If the internal client is within the allowed subnet, set a rule to explicitly drop the packets destined to that client -

  iptables -I FORWARD -s 0/0 -d 192.168.1.111 -j DROP
  iptables -I FORWARD -s 192.168.1.111 -d 0/0 -j DROP
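The procedure in this answer, as an added example that is not part of the original post or answer: a small POSIX sh script that emits the FORWARD ruleset in iptables-restore format (default DROP policy, the two block rules for the host first, then the LAN-to-uplink and return-traffic ACCEPTs), and a check that the DROP rules really sit before the first ACCEPT. The interface names, the LAN subnet and the blocked host are taken from the question; everything else (function names, the `apply` argument) is an assumption of this example. Using iptables-restore --noflush with an explicit -F FORWARD rewrites only the FORWARD chain and leaves the INPUT and nat rules shown above untouched.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the FORWARD chain the
# answer describes for a Debian router: LAN on br0, uplink on eth0, one LAN
# host isolated in both directions. Values below come from the question.
LAN_IF="br0"
WAN_IF="eth0"
LAN_NET="192.168.1.0/24"
BLOCKED_HOST="192.168.1.111"

# Emit the FORWARD rules in iptables-restore format. Order matters: the two
# DROP rules come first, so the ESTABLISHED match further down can never
# let an existing flow of the blocked host through (this is what the
# answer's "iptables -I" achieves on a live chain).
forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-F FORWARD
-A FORWARD -s ${BLOCKED_HOST} -j DROP
-A FORWARD -d ${BLOCKED_HOST} -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Sanity check used before applying: every "-j DROP" rule must precede the
# first "-j ACCEPT" rule, otherwise the block is not effective. Returns 0 if
# the ordering is correct, 1 otherwise.
blocked_before_accept() {
    rules=$(forward_rules)
    last_drop=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | tail -n 1 | cut -d: -f1)
    first_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | head -n 1 | cut -d: -f1)
    [ -n "$last_drop" ] && [ -n "$first_accept" ] && [ "$last_drop" -lt "$first_accept" ]
}

# Count the rules that name the blocked host; both directions must be present.
blocked_host_rule_count() {
    forward_rules | grep -c -- "${BLOCKED_HOST}"
}

# Without arguments the script only prints the ruleset for review; with
# "apply" it loads it (needs root). --noflush keeps the other chains intact.
if [ "${1:-}" = "apply" ]; then
    blocked_before_accept || { echo "rule order check failed" >&2; exit 1; }
    forward_rules | iptables-restore --noflush
else
    forward_rules
fi
```

Run it as `sh block_host.sh` to review the generated rules, then `sh block_host.sh apply` as root on the router. Note that these rules only cover routed traffic; the asker's original `-A INPUT ... -j DROP` was appended after the `-A INPUT -s 192.168.1.0/24 -i br0 -j ACCEPT` rule and therefore never matched, so a rule meant to keep the host away from the router itself has to be inserted with `-I INPUT` instead.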