
I am building a small office network with virtual machines. My schema is this:

  • Computer A: gateway, ip 1.1.1.1, iptables used for NAT [eth0=public internet dhcp, dhcp; eth1=gateway]
  • Computer B: client, ip 1.1.1.2, using gateway from Computer A.

NAT is working, and Computer B can access the internet through A's gateway. I redirected some incoming ports from A to B (for instance, if A receives a request on port 80, it goes automatically to Computer B's Apache).

The thing is that I do not really understand how to open/close ports for Computer B from Computer A. I know how to close a port:

iptables -A INPUT -p tcp --dport 80 -j DROP

And it will refuse all incoming (not outgoing) connections to port 80. However, this works for the main interface, eth0. I tried, for instance, to drop incoming and outgoing connections for Computer B on port 80:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j DROP

But it does not work. And I cannot figure out what I am doing wrong. Any clue?

Rajie

2 Answers


The first line should use sport (the source port is 80). Also be careful about using -A. This appends the rule to the chain (adds the rule at the end). Rules in a chain are evaluated from first to last; if one rule matches, the rest are not evaluated any more. So if you want to be sure, use -I (insert at the beginning of the chain):

iptables -I FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j DROP
iptables -I FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j DROP

Laurentiu Roescu
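To make the two points in this answer concrete (first match wins, so an appended DROP can sit behind an earlier ACCEPT and never fire, and the reply direction of the forwarded web traffic carries port 80 as its source port), here is an added example that is not part of the question or the answer. It is a small Python model of a FORWARD chain, not iptables itself, so it runs without root; the interfaces, the port and the 1.1.1.2 host are taken from the question, while the baseline rule set of the gateway is a constructed assumption of what a NAT box with a port forward typically carries.

```python
"""Toy first-match model of an iptables FORWARD chain (added example).

It models how netfilter walks a chain from the first rule to the last and
stops at the first match, which is why `-A` (append) and `-I` (insert at
position 1) give different results for the same DROP rule. The baseline
rules below are an assumed NAT-gateway configuration, not the asker's.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    proto: str
    sport: int
    dport: int
    state: str  # conntrack view of the flow: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                        # ACCEPT or DROP
    in_iface: Optional[str] = None     # -i
    out_iface: Optional[str] = None    # -o
    proto: Optional[str] = None        # -p
    sport: Optional[int] = None        # --sport
    dport: Optional[int] = None        # --dport
    state: Optional[str] = None        # -m conntrack --ctstate

    def matches(self, pkt: Packet) -> bool:
        checks = (
            (self.in_iface, pkt.in_iface), (self.out_iface, pkt.out_iface),
            (self.proto, pkt.proto), (self.sport, pkt.sport),
            (self.dport, pkt.dport), (self.state, pkt.state),
        )
        # An unspecified match (None) is a wildcard, like omitting the option.
        return all(want is None or want == have for want, have in checks)


class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def append(self, rule: Rule) -> None:   # iptables -A FORWARD ...
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I FORWARD ...
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:             # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy                  # chain policy if nothing matched


# Constructed sample traffic for Computer B's forwarded web server: the request
# enters on eth0 and leaves on eth1 with dport 80; the reply comes back in on
# eth1 with sport 80 (its dport is the client's ephemeral port).
REQUEST_TO_B = Packet("eth0", "eth1", "tcp", 40000, 80, "NEW")
REPLY_FROM_B = Packet("eth1", "eth0", "tcp", 80, 40000, "ESTABLISHED")

DROP_REQUEST = Rule("DROP", in_iface="eth0", out_iface="eth1", proto="tcp", dport=80)
DROP_REPLY = Rule("DROP", in_iface="eth1", out_iface="eth0", proto="tcp", sport=80)
# The question's first rule: dport 80 on the eth1 -> eth0 leg never sees the reply.
QUESTION_REPLY_RULE = Rule("DROP", in_iface="eth1", out_iface="eth0", proto="tcp", dport=80)


def baseline_chain() -> Chain:
    """Assumed pre-existing FORWARD chain of a NAT gateway with a port forward."""
    ch = Chain(policy="DROP")
    ch.append(Rule("ACCEPT", in_iface="eth1", out_iface="eth0"))                       # LAN may go out
    ch.append(Rule("ACCEPT", in_iface="eth0", out_iface="eth1", state="ESTABLISHED"))  # replies back in
    ch.append(Rule("ACCEPT", in_iface="eth0", out_iface="eth1", proto="tcp", dport=80))  # the port forward
    return ch


def verdicts(chain: Chain) -> Dict[str, str]:
    return {"request": chain.verdict(REQUEST_TO_B), "reply": chain.verdict(REPLY_FROM_B)}


def with_appended_drops() -> Dict[str, str]:
    """-A: the DROP rules land behind the ACCEPT rules and are never reached."""
    ch = baseline_chain()
    ch.append(DROP_REPLY)
    ch.append(DROP_REQUEST)
    return verdicts(ch)


def with_inserted_drops() -> Dict[str, str]:
    """-I: the DROP rules are evaluated first, so both legs are blocked."""
    ch = baseline_chain()
    ch.insert(DROP_REPLY)
    ch.insert(DROP_REQUEST)
    return verdicts(ch)


if __name__ == "__main__":
    print("appended:", with_appended_drops())   # both ACCEPT
    print("inserted:", with_inserted_drops())   # both DROP
    print("question's reply rule matches reply:", QUESTION_REPLY_RULE.matches(REPLY_FROM_B))
    print("answer's reply rule matches reply:  ", DROP_REPLY.matches(REPLY_FROM_B))
```

On a real gateway the equivalent check is `iptables -L FORWARD -v -n --line-numbers`: the line numbers show where the DROP rules actually sit relative to any earlier ACCEPT rules, and the per-rule packet counters show whether traffic ever reaches them.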

I believe you were missing the 'OUTPUT' directive.

Please try this:

iptables -A OUTPUT -p tcp --dport 80 -j DROP

This will drop all outbound traffic on port 80.

rwc