iptables output chain not working correctly?

DD-WRT Forum Index -> Broadcom SoC based Hardware
iskarion
DD-WRT User


Joined: 08 Aug 2006
Posts: 106
Location: Karlsruhe, Germany

PostPosted: Tue Mar 27, 2007 10:39    Post subject: iptables output chain not working correctly?
Hello,

I have a question regarding the iptables OUTPUT chain in DD-WRT. Suppose I want to block all outbound traffic from an IP 192.168.1.100 to all other IPs. The only exception is that outbound traffic to one IP, x.x.x.x, should be allowed.

My idea was to put a rule in the OUTPUT chain to allow traffic from 192.168.1.100 to x.x.x.x and after this another rule which blocks all remaining outbound traffic from 192.168.1.100.

Code:

iptables -I OUTPUT 1 -s 192.168.1.100 -d x.x.x.x -j logaccept
iptables -I OUTPUT 2 -s 192.168.1.100 -j logdrop


The rules are added correctly and in the above listed sequence to the OUTPUT chain, and these are the only rules in the OUTPUT chain. But nevertheless it doesn't work as expected. IP 192.168.1.100 is still able to send data to any other IP and not only to x.x.x.x.

Any ideas, why this is not working?

Is there something special about the OUTPUT chain in DD-WRT? I have already read the IPTables tutorial, but according to the information there, this approach should work.

(The other way around, using the FORWARD chain to block all inbound traffic to 192.168.1.100 except the traffic from x.x.x.x is working fine. But I specifically want to block the outgoing packets and not the incoming packets.)
cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

PostPosted: Tue Mar 27, 2007 16:02    Post subject:
Is this to limit access to other IPs in the network or on the internet?
It won't work to block access to other IPs in the internal network. Iptables only works between WAN and LAN/WLAN.

_________________
Firmware: DD-WRT v24-sp2 (latest available) mega
WRT320N

Donater
iskarion
DD-WRT User

PostPosted: Tue Mar 27, 2007 16:53    Post subject:
cyberde wrote:
Is this to limit access to other IPs in the network or on the internet?

The purpose is to limit access to the internet. Not to the LAN.
x.x.x.x is a public IP from a server on the internet.

Actually I don't have a real use for this. I'm just playing around a bit to understand better how the various iptables settings and chains work.

I just don't understand why apparently blocking traffic in the outbound chain is not working as I expect it to work according to the explanations in the iptables tutorial...
cyberde
DD-WRT Guru

PostPosted: Tue Mar 27, 2007 18:46    Post subject:
Okay, that's weird because it should work, but I just tried it and it doesn't.

Edit
If you change OUTPUT to FORWARD it does work.

iskarion
DD-WRT User

PostPosted: Tue Mar 27, 2007 19:46    Post subject:
cyberde wrote:
If you change OUTPUT to FORWARD it does work.

Thanks a lot! Seems that I didn't understand the iptables tutorial as well as I thought...

As these rules were working on my local Debian box I thought, that they would work the same on the router. But now after re-reading the section about chain processing in the iptables tutorial I understand, that the OUTPUT chain is only relevant for packets directly originating on the router, while the FORWARD chain is for packets forwarded into or out of the network.
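The chain-selection point made in this post, as an added worked example (not code from the thread or from DD-WRT): a small Python model of the netfilter filter table that accepts the exact rule syntax posted above, decides which chain a packet traverses from the router's own addresses (routing decides the chain, the rules do not), and returns the verdict. The topology is constructed for the example: the router is assumed to own 192.168.1.1 on the LAN and 203.0.113.5 on the WAN, 192.168.1.0/24 is the LAN, and 198.51.100.7 stands in for the thread's x.x.x.x. DD-WRT's logaccept/logdrop chains log and then ACCEPT/DROP; the model collapses them to that final verdict. The same rules loaded into OUTPUT never see a packet from 192.168.1.100, while in FORWARD they work; host-to-host traffic on the same LAN segment is modelled as bypassing the router's chains entirely, which is the point cyberde raised.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed topology for this example (not from the thread): the router owns one
# LAN address and one WAN address; 192.168.1.0/24 is the LAN behind it.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_ADDRS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("203.0.113.5")}

# DD-WRT's logaccept/logdrop are user-defined chains that LOG and then ACCEPT/DROP;
# the model keeps only the final verdict.
TARGET_VERDICT = {"logaccept": "ACCEPT", "logdrop": "DROP", "ACCEPT": "ACCEPT", "DROP": "DROP"}


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    target: str

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return (self.src is None or src in self.src) and (self.dst is None or dst in self.dst)


@dataclass
class Firewall:
    chains: Dict[str, List[Rule]] = field(
        default_factory=lambda: {"INPUT": [], "OUTPUT": [], "FORWARD": []})
    policy: Dict[str, str] = field(
        default_factory=lambda: {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"})

    def iptables(self, cmdline: str) -> None:
        """Parse the iptables subset used in the thread:
        'iptables -A CHAIN ...' or 'iptables -I CHAIN [pos] ...' with -s, -d and -j."""
        args = shlex.split(cmdline)
        if args and args[0] == "iptables":
            args = args[1:]
        op, chain, rest = args[0], args[1], args[2:]
        pos = 1                                  # -I without a position inserts at the top
        if op == "-I" and rest and rest[0].isdigit():
            pos, rest = int(rest[0]), rest[1:]
        src = dst = None
        target = None
        for flag, val in zip(rest[::2], rest[1::2]):
            if flag == "-s":
                src = ipaddress.ip_network(val, strict=False)   # bare address -> /32
            elif flag == "-d":
                dst = ipaddress.ip_network(val, strict=False)
            elif flag == "-j":
                target = val
            else:
                raise ValueError(f"option {flag} not modelled")
        if target not in TARGET_VERDICT:
            raise ValueError(f"unknown target {target}")
        rule = Rule(src, dst, TARGET_VERDICT[target])
        if op == "-A":
            self.chains[chain].append(rule)
        elif op == "-I":
            self.chains[chain].insert(pos - 1, rule)
        else:
            raise ValueError(f"operation {op} not modelled")

    @staticmethod
    def chain_for(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> Optional[str]:
        """Which filter chain sees the packet on the router. This is decided by the
        routing decision, never by the rules themselves."""
        if src in ROUTER_ADDRS:
            return "OUTPUT"      # generated by the router itself
        if dst in ROUTER_ADDRS:
            return "INPUT"       # addressed to the router itself
        if src in LAN_NET and dst in LAN_NET:
            return None          # same LAN segment: switched/bridged, never reaches netfilter
        return "FORWARD"         # routed through the router (LAN <-> WAN)

    def verdict(self, src: str, dst: str) -> Tuple[Optional[str], str]:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        chain = self.chain_for(s, d)
        if chain is None:
            return None, "ACCEPT"
        for rule in self.chains[chain]:      # first matching rule wins
            if rule.matches(s, d):
                return chain, rule.target
        return chain, self.policy[chain]     # no match: chain policy applies


def thread_rules(chain: str, allowed: str = "198.51.100.7") -> Firewall:
    """The two rules from the first post, loaded into the given chain.
    198.51.100.7 (TEST-NET-2) is a constructed stand-in for the thread's x.x.x.x."""
    fw = Firewall()
    fw.iptables(f"iptables -I {chain} 1 -s 192.168.1.100 -d {allowed} -j logaccept")
    fw.iptables(f"iptables -I {chain} 2 -s 192.168.1.100 -j logdrop")
    return fw


if __name__ == "__main__":
    for chain in ("OUTPUT", "FORWARD"):
        fw = thread_rules(chain)
        for dst in ("198.51.100.7", "93.184.216.34"):
            print(f"rules in {chain}: 192.168.1.100 -> {dst}: {fw.verdict('192.168.1.100', dst)}")
```

Running it shows the rules loaded into OUTPUT yield ("FORWARD", "ACCEPT") for a LAN host reaching any internet address, because the packet is routed, not locally generated, and OUTPUT is never consulted; the same two lines in FORWARD give DROP for everything except the allowed destination. The model ignores interfaces, ports, connection tracking and NAT, which a real DD-WRT ruleset also has to account for (in particular, on the router the FORWARD rule should normally be inserted ahead of the firmware's own rules, hence `-I` rather than `-A`).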
cyberde
DD-WRT Guru

PostPosted: Tue Mar 27, 2007 19:51    Post subject:
Glad I could help :)