Iptables Question

Rashkae ubuntu at tigershaunt.com
Fri Jun 1 13:58:16 UTC 2007 

Waqas Toor wrote:
> Hello Ubuntuers,
> 
> i have written a script to setup a firewall for me
> 
> the script is
> ====================================
> #! /bin/bash
> 
> #blocking every thing
> 
> /sbin/iptables -A INPUT -p all -j DROP
> /sbin/iptables -A FORWARD -p all -j DROP
> 
> #allowing only my MACs
> 
> for MAC in `cat ./macclist`
> do
>         /sbin/iptables -A INPUT -m mac --mac-source $MAC -p all -j ACCEPT
>         /sbin/iptables -A INPUT -m mac --mac-source $MAC -j ACCEPT
> done
> 

A Packet will travel to the first rule it matches.  In this case, your 
first matching rule is -A INPUT -p all and the action is DROP, end of line.

You could probably make this work by moving your ACCEPT's to the top of 
the list, so allowed mac's match and are Accepted.  The usual way to do 
this would be to make DROP your default input policy, and not a rule.  A 
policy tells iptables what to do with packets that don't match any of 
the rules.

Remove the first two -A rules and instead use:

/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP


Your loopback adapter probably doesn't have a mac, and you *really* want 
to accept connections from localhost, so add:

/usr/sbin/iptables -A INPUT -s localhost -j ACCEPT

A computer that is firewalled with your script will not be able to 
establish any connections with any computers on the Internet, as the 
packets coming from the outside computer will be dropped.  If you want 
to make connections to Internet hosts (assuming you are directly 
attached to the net and not another NAT firewall)


iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

(The -I will Insert the rule at the top rather than adding it to the 
bottom of the chain, so this will be the first thing iptables checks for.)

The other item I find strange is your './macclist'  I'm not entirely 
sure what the working directory is when the system is running start-up 
scripts, but it might really be best to make the path to the macclist 
file absolute.  '/home/username/macclist' for example.

More information about the ubuntu-users mailing list