I am looking for insight on the iptables FORWARD chain. I need to
forward all ports with the exception of 2 on a firewall. I am dropping
all FORWARD packets that don't match certain rules. My problem is I
cannot seem to restrict tcp/udp forwarding to everything but 2 specific
ports.
If I want to forward all ports with the exception of a single port (or
port range) I could use the following command:
iptables -A FORWARD -i eth0 -s localnet -d ! localnet -p tcp --dports \
! 80 -j ACCEPT # forward all but tcp port 80
OR
iptables -A FORWARD -i eth0 -s localnet -d ! localnet -p tcp --dports \
! 20:25 -j ACCEPT # forward all but tcp ports 20 through 25
I'd like to block the forwarding of two non-sequential ports. Iptables
has a multiport module. The following command errors because the module
"multiport" does not support the exclamation argument before the ports:
iptables -A FORWARD -i eth0 -m multiport -s localnet -d ! localnet -p \
tcp --dports ! 80,443 -j ACCEPT
If I set up two separate rules, they cancel each other out:
iptables -A FORWARD -i eth0 -s localnet -d ! localnet -p tcp --dports \
! 80 -j ACCEPT # forward all ports but tcp 80
iptables -A FORWARD -i eth0 -s localnet -d ! localnet -p tcp --dports \
! 443 -j ACCEPT # forward all ports but tcp 443
I've tried formulating the rule like this:
iptables -A FORWARD -i eth0 -m multiport -s localnet -d ! localnet -p \
tcp ! --dports 80,443 -j ACCEPT
Although iptables accepts this as a valid rule (no errors), the
specified ports are still being forwarded.
Any ideas?
--
Matt Miller
Systems Administrator
MP TotalCare
gpg public key id: 08BC7B06
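As an added illustration (not part of the original message), the following Python model of first-match chain evaluation shows why the two negated ACCEPT rules quoted above accept every port, while an explicit DROP for the two ports placed ahead of a broad ACCEPT (or a single multiport negation) excludes exactly those ports. The Rule/evaluate names and the sample ports are constructed for this example; it models only the match-then-verdict logic, not iptables itself.

```python
# Minimal model of first-match evaluation in a netfilter chain (constructed
# example, not iptables). Chain policy DROP mirrors "drop all FORWARD packets
# that don't match certain rules" from the message.
from dataclasses import dataclass


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    proto: str = "tcp"
    dports: frozenset = frozenset()  # empty set means "any destination port"
    negate: bool = False             # models "! --dports"

    def matches(self, proto: str, dport: int) -> bool:
        if proto != self.proto:
            return False
        if not self.dports:
            return True
        hit = dport in self.dports
        return (not hit) if self.negate else hit


def evaluate(chain, proto, dport, policy="DROP"):
    """The first matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(proto, dport):
            return rule.target
    return policy


# Attempt from the message: two negated ACCEPT rules, one per port.
# A packet to 80 fails rule 1 but matches rule 2 (80 is not 443), so it is accepted.
cancelling = [
    Rule("ACCEPT", dports=frozenset({80}), negate=True),
    Rule("ACCEPT", dports=frozenset({443}), negate=True),
]
# Conventional fix: explicit DROP for the excluded ports, then a broad ACCEPT.
drop_first = [
    Rule("DROP", dports=frozenset({80, 443})),
    Rule("ACCEPT"),
]
# Equivalent single rule with a negated multiport set (-m multiport ! --dports 80,443).
multiport_neg = [Rule("ACCEPT", dports=frozenset({80, 443}), negate=True)]


def verdicts(chain, ports=(22, 80, 443, 8080)):
    """Map each sample destination port to the verdict the chain produces."""
    return {p: evaluate(chain, "tcp", p) for p in ports}


if __name__ == "__main__":
    for name, chain in (("cancelling", cancelling), ("drop_first", drop_first),
                        ("multiport_neg", multiport_neg)):
        print(name, verdicts(chain))
```

Running it shows the first chain accepting all four sample ports and the other two dropping only 80 and 443.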