
iptables bypassed for some reason

Discussion in 'General Discussion' started by lollekatt, Feb 8, 2014.

  1. lollekatt

    lollekatt Reformed Router Member

    Heya.. so on shibby 115 I think.. I am seeing this:

    iptables -A INPUT -s some_ip -j DROP
    iptables -A OUTPUT -d same_some_ip -j DROP

    Router correctly rejects pinging that ip... for some reason a lan client CAN ping that ip...

    that is with restarting iptables and firewall services too.

    WTF?

    Lately, we have had our isp being compromised by akamai (probably NSA's most effective ssl mitm machine).. past two weeks... and as it happens to be... sudden weird behaviour on the network has appeared.. sigh.

    Anyway, backtracking to the general question.. how is that even possible then?

    tomato with that kernel is obviously not the most secure in the world but can I consider this a compromised router or is there something more innocuous going on?

    I mean if the router can't ping the ip, a lan client should not be able to either...

    I use 4 bridges, and iptables for the 4 bridges seem all ok, the drop is * * for all bridges so.

    An example response from the lan client

    ACCEPT IN=br2 OUT=vlan2 SRC=lan-comp DST=some_ip LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15523 DF PROTO=TCP SPT=37xxx DPT=18xxx SEQ=2754385210 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT
     
    Last edited: Feb 8, 2014
  2. eibgrad

    eibgrad Addicted to LI Member

    LAN clients can still ping a public IP because those packets are only affected by the FORWARD chain.

    Remember these three rules and it’ll all make sense.

    The INPUT chain only applies to packets directed at the router (i.e., packets whose destination ip equals the router’s ip).

    The OUTPUT chain only applies to packets coming from the router (i.e., packets whose source ip equals the router’s ip).

    The FORWARD chain only applies to packets passing through the router (i.e., packets where neither the source ip nor the destination ip equals the router ip).

    All devices w/ a personal firewall have INPUT and OUTPUT chains to protect themselves. Routers have an additional chain, FORWARD, for traffic the router is merely escorting from one network to the other.
     
    Last edited: Mar 14, 2014
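The three rules from the reply above, as an added example that is not part of either post: a POSIX shell script that classifies a packet into the chain it will traverse on the router and prints the rule set that also blocks forwarded LAN traffic (the rule the original INPUT/OUTPUT pair was missing). The router addresses and the blocked address are constructed placeholders, not values from the thread; the rules are printed rather than applied so the script can be checked before running it on the router.

```shell
#!/bin/sh
# Constructed placeholders (assumptions, not from the thread).
ROUTER_LAN_IP="192.168.1.1"   # router address on the LAN bridge
ROUTER_WAN_IP="198.51.100.7"  # router address on the WAN side
BLOCKED_IP="203.0.113.5"      # stands in for the OP's some_ip

# chain_for SRC DST -> prints INPUT, OUTPUT or FORWARD, following the
# three rules: destination == router -> INPUT; source == router -> OUTPUT;
# neither -> FORWARD (the router is only escorting the packet).
chain_for() {
    src="$1"; dst="$2"
    case "$dst" in
        "$ROUTER_LAN_IP"|"$ROUTER_WAN_IP") echo INPUT; return ;;
    esac
    case "$src" in
        "$ROUTER_LAN_IP"|"$ROUTER_WAN_IP") echo OUTPUT; return ;;
    esac
    echo FORWARD
}

# block_rules IP -> prints the iptables commands that drop traffic to and
# from IP for the router itself (INPUT/OUTPUT) and for LAN clients passing
# through it (FORWARD). -I is used instead of -A so the DROP lands ahead of
# the LAN->WAN ACCEPT rule visible in the OP's log line (IN=br2 OUT=vlan2);
# an appended rule would never be reached for that traffic.
block_rules() {
    ip="$1"
    echo "iptables -I INPUT   -s $ip -j DROP"
    echo "iptables -I OUTPUT  -d $ip -j DROP"
    echo "iptables -I FORWARD -d $ip -j DROP"
    echo "iptables -I FORWARD -s $ip -j DROP"
}

# Demonstration: a LAN client talking to the blocked address never touches
# INPUT or OUTPUT, which is exactly why the OP's two rules did not stop it.
echo "192.168.1.10 -> $BLOCKED_IP traverses: $(chain_for 192.168.1.10 "$BLOCKED_IP")"
echo "$ROUTER_WAN_IP -> $BLOCKED_IP traverses: $(chain_for "$ROUTER_WAN_IP" "$BLOCKED_IP")"
block_rules "$BLOCKED_IP"
```

After applying the printed rules on the router, `iptables -vnL FORWARD` should show the packet counters on the two FORWARD DROP entries rising while a LAN client retries the connection.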
