Iptables – New chain for specific IP iptables

iptables

I need to create a new chain to treat a specific IP, say 192.168.0.101.

In this new chain, this IP will have access to all services, except FTP.

My solution is:

iptables -N IP1

iptables -A IP1 -p tcp --dport 20 -j DROP
iptables -A IP1 -p tcp --dport 21 -j DROP
iptables -A IP1 -j ACCEPT

iptables -A INPUT -s 192.168.0.101 -j IP1

Is the solution correct? Does two rules with –sport 20, 21 are required for incoming packets?

Best Answer

Your suggested rules should work, but there may be cases where a DROP in a chain is not the correct action.

For example if you wanted some later rule INPUT chain to permit ftp access to some specific destination for all hosts on your network.

In this case a RETURN might be a better choice. Assuming the policy of your INPUT chain is DROP this would probably also have the same results.

iptables -A IP1 -p tcp --dport 20 -j RETURN
iptables -A IP1 -p tcp --dport 21 -j RETURN
iptables -A IP1 -j ACCEPT

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn't suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP

Linux – Forward HTTP Traffic to Another IP Address with iptables

There are three potential problems I see (contary to the other answer I don't see anything that would cause a "loop" even in the unedited version of your question).

IP forwarding must be enabled.
After being natted and placed back on the network the packet may fall victim to source address filtering as it looks very much like a spoofed packet.
Responses to packets that go through a NAT must go through the same NAT so the reverse translation can be performed. Otherwise the client will get a response with the wrong source IP/port which it is likely to drop (if it has not already been dropped by reverse path filtering).

You can work arround points 2 and 3 by using a SNAT or MASQURADE rule in addition to the DNAT but if you do that then you lose the original source IP of the traffic. That will make abuse control very difficult.

Another soloution to points 2 and 3 would be to set up a VPN between the two servers. Then use DNAT to forward traffic over the VPN and source IP based routing to bring the replies back to the NAT.

Best Answer

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Linux – Forward HTTP Traffic to Another IP Address with iptables

Related Topic