iptables

j-mart
I have been looking at my firewall script on my home network. I am using a firewall / gateway on a Linux machine, using iptables. My question is: from reading man pages and one of my books, if I want to block packets from a particular IP address I can type at the command line - iptables -A INPUT -s www.youtube.com -j DROP - and, in this case, I should not be able to connect to YouTube. I must be getting something wrong, as this line does not stop me from reaching YouTube. Can anyone tell me what I have done wrong?
  • j-mart

    I can, on various Linux machines on the network, type in iptables commands and get the desired results. When I use the same commands on the gateway machine it won't block the web site, either with the domain name or the IP address. I will do some more googling for answers, but I have yet to find anything that tells me where I have gone wrong. The config script I am using is adapted from the example in the Linux iptables HOWTO.

    deity_chooch

    It appears that your firewall is set up to block data coming from YouTube to you, not vice versa. If you want to block your LAN (Local Area Network) from getting there, you will need to change to the "d" option (for destination). Make sure you are putting this rule into the correct chain as well.

    It also depends on the order that your iptables is in. The "A" command tells iptables you are appending the rule to the end of the chain. If there is a previous rule that allows that traffic, this rule will be ignored. If you want to give this rule priority, try giving it the "I" command (for Insert).

    j-mart

    After an afternoon of research and reading, I got it sorted:

    1. If I inserted the desired iptables rule at the start of the chain, rather than using the A option, as you suggested, it blocked the site on the gateway machine.

    2. Inserting this into the INPUT chain only blocked the gateway machine and not the rest of the machines on the private network. When I inserted a rule into the FORWARD chain, it enabled blocking on the internal networked machines.

    I'm not completely certain, but I think the -d option enables me to block a particular machine on the internal network. I would need to play around with this to see how it works.

    Thanks for getting me started in the right direction to get this working.
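The following script pulls together the three points the thread arrives at: match on the destination (-d) when the goal is to stop traffic going to a site, insert the rule at the head of the chain (-I ... 1) so that an earlier ACCEPT cannot match first, and put the rule in FORWARD for hosts behind the gateway, because INPUT only sees packets addressed to the gateway itself while the gateway's own connections leave via OUTPUT. This is an added example, not the poster's script or the iptables HOWTO example; the interface names, the private network range, and the addresses used in the functions are assumptions. One caveat the thread does not mention: giving iptables a hostname such as www.youtube.com resolves it once, at rule-insertion time, to whatever addresses DNS returns at that moment, so a large site served from many addresses will only be partly blocked. Use IP addresses or CIDR ranges in -d, as below.

```shell
#!/bin/sh
# Added example: gateway rules that block a destination both for LAN hosts
# (FORWARD chain) and for the gateway itself (OUTPUT chain).
# Set IPT=echo to print the commands instead of applying them.

IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}              # interface facing the private network (assumed)
WAN_IF=${WAN_IF:-eth0}              # interface facing the Internet (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}  # private network range (assumed)

# A typical permissive baseline as found in gateway scripts: allow replies,
# let the LAN out, masquerade. A DROP appended (-A) to FORWARD after the
# ACCEPT below would never be reached, which is the symptom in the thread.
baseline() {
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Block connections to DEST (an IP address or CIDR) from every host behind
# the gateway and from the gateway itself. "-I <chain> 1" places the rule at
# the head of the chain so the baseline ACCEPT cannot win first; -d matches
# where the traffic is going rather than where it comes from.
block_dest() {
    dest=$1
    # LAN hosts: their packets are routed through the gateway and traverse
    # FORWARD. INPUT never sees them, it only sees packets for the gateway.
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -d "$dest" -j DROP
    # The gateway's own outbound connections traverse OUTPUT, not INPUT.
    $IPT -I OUTPUT 1 -o "$WAN_IF" -d "$dest" -j DROP
}

# Cut one internal machine off from the Internet entirely: here -s names the
# LAN host and -d is left unrestricted.
block_lan_host() {
    host=$1
    $IPT -I FORWARD 1 -i "$LAN_IF" -s "$host" -j DROP
}

# List FORWARD with rule numbers so the ordering can be checked by eye:
# the DROP must appear above the ACCEPT rules for it to take effect.
show_forward() {
    $IPT -L FORWARD -n -v --line-numbers
}

if [ "${1:-}" = "apply" ]; then
    baseline
    block_dest "${2:?usage: $0 apply <dest-ip-or-cidr>}"
    show_forward
fi
```

Run it as root with `./gateway.sh apply 203.0.113.5` (203.0.113.5 is a documentation address standing in for the real target) and confirm with `iptables -L FORWARD -n -v --line-numbers` that the DROP sits at rule 1 and that its packet counter increases when a LAN host tries to connect; a counter that stays at zero means the packet is being matched by an earlier rule or is traversing a different chain.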
