
iptables firewall script

Discussion in 'Tomato Firmware' started by baubau, Aug 27, 2014.

  1. baubau

    baubau Network Newbie Member

    Hi, I'm trying to block outbound traffic to some external IP addresses. I am confused about the iptables command:

    iptables -I FORWARDS -j DROP "ip_address"
    iptables -A OUTPUT -j DROP "ip_address"

    Which should I use? What is the difference between the above two lines?

    thanks
     
  2. koitsu

    koitsu Network Guru Member

    1. The FORWARD chain is called FORWARD, not FORWARDS (singular, not plural).
    2. The IP address you want to block is not put at the end of the command-line argument; it is either provided as an argument to -s (source) or -d (destination).
    3. The IP address does not need to be in double-quotes.
    4. You use -I in the first example and -A in the second. -I means INSERT, -A means APPEND. INSERT without a location (ex. -I {chain} ...) means to insert the rule at the top of the chain, i.e. it becomes the first firewall rule. -A appends a rule to the end of the chain (ex. -A {chain} ...), which inserts the rule at the bottom of the chain. Where to place rules matters greatly, and can impact performance. Knowing whether to use -A or -I {chain} or -I {chain} {location} (location is an "index" or "line number" when using --line-numbers (see below)) matters.

    The complication with your request relates to whether you want to block packets the router itself is generating, or to block packets that come "through" the router (a.k.a. forwarded through the router), e.g. a machine on the local network is trying to visit a website and you want to make that unreachable. Gut feeling is that you want the latter.

    If that's the case: TomatoUSB has a chain called wanout that can be used for this purpose. It's referenced within the FORWARD chain at the proper place (use iptables -L -n -v --line-numbers and read slowly). Example:

    Code:
    root@gw:/tmp/home/root# iptables -L -n -v --line-numbers
    Chain INPUT (policy DROP 3635 packets, 251K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1     6014  513K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    2     1454  345K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3        8  1308 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4    10486 1456K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    5    76505 4865K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    6        6   168 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33534
    7     8249 2844K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    8        3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 flags:0x17/0x02
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    2      857 44572 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    3    48785 2984K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    4      12M 8740M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    5        0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    6    85314 6514K wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    7    85314 6514K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    8        0     0 upnp       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 171K packets, 23M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain upnp (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain wanin (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain wanout (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    
    So, to block something outbound to the Internet, you'd do this:

    iptables -A wanout -d x.x.x.x -j DROP

    Be aware that any existing established TCP connections ("through" the router) with that IP address will still function/work due to the way the FORWARD rules work (note the one that says state RELATED,ESTABLISHED). New connections should be blocked however. You may need to fully exit web browsers/etc. to test.

    You can verify the rule is working by watching the pkts/bytes counters on the rule within wanout.

    P.S. -- This forum is not a replacement for the iptables/netfilter mailing list. Your questions so far are 100% purely related to iptables and are not TomatoUSB-specific at all. The wanout chain is however a "Tomato thing".
     
    Last edited: Aug 28, 2014
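As an added example (not code from this thread or from the Tomato project), the script below turns the answer above into a firewall script: it adds koitsu's `wanout` DROP rule for a list of destinations without duplicating rules when Tomato re-runs the script, and it reads the pkts/bytes counters back from the listing to verify the rule is being hit. It assumes the script runs as root on the router and is invoked as `sh block.sh apply`, that the chain is named `wanout`, and that the listing columns match the `iptables -L -n -v --line-numbers` output shown in the post; the IP addresses and the two sample listings are constructed TEST-NET examples used to exercise the parsing offline.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from Tomato.
# Blocks forwarded ("through the router") traffic to a list of destination IPs
# using the TomatoUSB wanout chain, without duplicating rules when Tomato
# re-runs its Firewall script, and reads the rule counters back to verify hits.
#
# Assumptions (not stated in the thread): runs as root on the router and is
# invoked as "sh block.sh apply"; iptables is in PATH; the chain is named wanout
# and the listing columns match the `-L -n -v --line-numbers` output in the post.
# The addresses below are constructed TEST-NET examples.

BLOCKED_DST="203.0.113.10 198.51.100.25"

# Exit 0 if stdin (output of `iptables -L wanout -n`) already has a DROP rule
# whose destination column equals $1. The -L form is used rather than
# `iptables -C` because older Tomato builds ship an iptables without -C.
has_drop_rule() {
    awk -v ip="$1" '$1 == "DROP" && $5 == ip { found = 1 } END { exit !found }'
}

# Print "<pkts> <bytes>" for the first DROP rule to destination $1, reading the
# output of `iptables -L wanout -n -v --line-numbers` from stdin; exit 1 if none.
# These counters are what the post says to watch to confirm the rule is hit.
drop_counters() {
    awk -v ip="$1" '$4 == "DROP" && $10 == ip { print $2, $3; found = 1; exit }
                    END { exit !found }'
}

# Add the rule only if it is not already there. -I places it at the top of
# wanout, which is where a DROP should sit relative to anything appended later.
# To block traffic the router itself originates instead, the chain would be
# OUTPUT (iptables -I OUTPUT -d "$ip" -j DROP), as the post explains.
add_block() {
    ip="$1"
    if iptables -L wanout -n | has_drop_rule "$ip"; then
        echo "wanout: DROP to $ip already present, skipping"
    else
        iptables -I wanout -d "$ip" -j DROP
        echo "wanout: added DROP to $ip"
    fi
}

# Constructed listings in the format the post shows, used to exercise the two
# parsers on a host without iptables. Not real router output.
SAMPLE_VERBOSE='Chain wanout (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       42  2520 DROP       all  --  *      *       0.0.0.0/0            203.0.113.10
2        0     0 DROP       all  --  *      *       0.0.0.0/0            198.51.100.25'

SAMPLE_PLAIN='Chain wanout (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            203.0.113.10'

# Apply only when explicitly asked, so the file can also be sourced or checked
# on a machine without iptables.
if [ "${1:-}" = "apply" ]; then
    for ip in $BLOCKED_DST; do
        add_block "$ip"
    done
    for ip in $BLOCKED_DST; do
        c=$(iptables -L wanout -n -v --line-numbers | drop_counters "$ip") || c="(no rule)"
        echo "$ip: pkts bytes = $c"
    done
fi
```

The idempotency check matters because Tomato re-executes the Firewall script whenever the firewall is rebuilt (WAN reconnect, settings change), and a plain `iptables -I` on every run would stack identical rules. The caveat from the post still applies: a connection that was already ESTABLISHED before the rule went in keeps flowing through the `state RELATED,ESTABLISHED` ACCEPT in FORWARD, so a zero counter right after adding the rule does not by itself mean the rule is wrong; start a new connection and watch the counter move.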
  3. baubau

    baubau Network Newbie Member

    Thanks Koitsu for the comprehensive answer!!
     
