Skip to main content

Accept only a specific protocol with iptables/l7filter ?

More
17 years 4 weeks ago #23722 by dangerous666
Hi mates,

I would like to know if there's a way to make the iptables l7filter extension work as a filter for all protocols but a specific one. Something like a DROP default policy for a chain and with a accept rule for just one protocol...

It is like:

iptables -P FORWARD -j DROP
iptables -A FORWARD -m layer7 --l7proto http -j ACCEPT

These rules don't work at all for me... How to make the firewall block all the protocols but not http?

Thanks in Advance.
More
17 years 4 weeks ago #23727 by nske
Hello and welcome :)

How do you verify that they don't work? What exactly happens?

Try to use [code:1]iptables -L -vv[/code:1] to check what is the terminating rule for your packets.
More
17 years 3 weeks ago #23758 by dangerous666

Hello and welcome :)

How do you verify that they don't work? What exactly happens?

Try to use [code:1]iptables -L -vv[/code:1] to check what is the terminating rule for your packets.


These rules drop eveything... it's because the first one, according to "iptables -L -vv"... Any ideas?
More
17 years 3 weeks ago #23779 by Elohim
This isn't even a firewall policy. It merely instructs iptables to list all rules in verbosely.

Anyway... you are trying to make this too difficult for yourself. For something like http, you should just look at the layer 4 port. And make it simple, forward traffic on the input chain and not the forward chain.

iptables -P forward -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -j DROP




Hello and welcome :)

How do you verify that they don't work? What exactly happens?

Try to use [code:1]iptables -L -vv[/code:1] to check what is the terminating rule for your packets.


This rules drops eveything... it's because the first one, according to "iptables -L -vv"... Any ideas?

More
17 years 2 weeks ago #23878 by dangerous666

This isn't even a firewall policy. It merely instructs iptables to list all rules in verbosely.

Anyway... you are trying to make this too difficult for yourself. For something like http, you should just look at the layer 4 port. And make it simple, forward traffic on the input chain and not the forward chain.

iptables -P forward -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -j DROP

Hello and welcome :)

How do you verify that they don't work? What exactly happens?

Try to use [code:1]iptables -L -vv[/code:1] to check what is the terminating rule for your packets.


This rules drops eveything... it's because the first one, according to "iptables -L -vv"... Any ideas?


The rules I referenced were mine's... I know that what you suggest previously wasn't a firewall policy. I'm not trying to make it more difficult to me, but a need a way to do the inspect in layer 7, cause the protocols i'm working run on several ports and I'm searching for a most fail-proof way as possible to filter these protocols.

When I set my rules, the firewall blocks everything. I would like it to permit only http or any other specified protocol, blocking others.

Thank You in advance.
More
16 years 10 months ago #24803 by dangerous666
Time to create page: 0.132 seconds