
I think a bit more detail is needed. I have opened a new cafe in my area, and people are downloading stuff that is increasing my bills, so I want to block protocols on my router and then re-enable them for any PC that needs them at a later date, which may be days or months later.

My router runs Openwrt Attitude Adjustment

I was blocking http just to test it, and then later I will add protocols using l7-filter.

Hi, I am a noob at iptables and was fiddling with it to get the hang of it.

Here is the system

Router IP-192.168.1.10
PC1 IP-192.168.1.11
PC2 IP-192.168.1.12
Laptop IP-192.168.1.13
Mobile IP-192.168.1.14

I applied the below rule and it dropped all the http packets.

iptables -I FORWARD -m layer7 --l7proto http -j DROP

and then I wanted to enable http for PC1. I wrote the below rule, but http does not work.

iptables -I FORWARD -m layer7 --l7proto http -s 192.168.1.11 -j ACCEPT

It only works when I enter the rule

iptables -I FORWARD -m layer7 --l7proto http -j ACCEPT

but now it is enabled on all the systems.

What should I do to first block http on all the systems, and then enable it on, let's say, PC1 only?

Thanks for your help!

Output

Chain FORWARD (policy DROP 12 packets, 2700 bytes)
pkts bytes target     prot opt in     out     source               destination
5   200 ACCEPT     all  --  *      *       192.168.1.113        0.0.0.0/0           LAYER7 l7proto http
25  1036 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http

2 Answers

iptables -I INPUT -p tcp ! -s [IP address here] --dport 80 -j DROP

Pay close attention to the '!' operator. It drops all traffic that isn't from the source IP address.

However, in a later comment, you say:

Nathan what I am trying to achieve is first block everything http and then re-enable any device one by one per my wish

That's slightly different. In that case, you'll want to rely on ordering. You'll need to explicitly deny all HTTP, but then add a single rule above that drop rule for each host that you want to accept. Nathan's answer is more on target.

Wesley
  • I have already tried this, and it does not work once you execute the statements in the order that I have written in the original post – user3406774 Apr 10 '14 at 20:34
  • Solved it. What was happening was that outgoing requests from my PC were allowed after I added the ACCEPT rule, but incoming responses were dropped, since they are not from 192.168.1.11. Thanks Wesley and Nathan; without your prodding I could never have figured it out. As for my problem, I need to think again – user3406774 Apr 10 '14 at 20:53

Do the following:

iptables -I INPUT -p tcp -s 192.168.1.11 --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j DROP

This will allow traffic from that IP on port 80 (http), and drop it otherwise. Not sure why you're using the FORWARD chain.

Nathan C
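The two answers and the asker's final comment together describe the whole fix: rule order decides which of ACCEPT and DROP wins, and a rule matching only `-s 192.168.1.11` lets PC1's requests out while the web server's replies (which carry PC1 as destination, not source) fall through to the DROP. The script below is an added example, not the asker's or either answerer's own rules. It stays in the FORWARD chain, which is the right chain for traffic the router passes between LAN and WAN (INPUT only sees packets addressed to the router itself), and keeps the question's `-I` so the rules land above whatever the OpenWrt firewall scripts have already put in FORWARD. PC1's address is from the question; the other addresses in the usage comment are the question's PC2, and `DRY_RUN`, `run`, `allow_http`, `revoke_http` and `build_http_rules` are names chosen here.

```shell
#!/bin/sh
# Added example, not the question's or either answer's own rules.
# Blocks HTTP (layer7 match, as in the question) for every host the router
# forwards for, except the LAN IPs handed to build_http_rules, and lets a
# host be allowed or revoked later with a single call.
#
# DRY_RUN=1 prints the iptables commands instead of loading them, so the
# resulting rule order can be reviewed before touching a live router.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Allow one host. Two rules are needed: the request leaves the LAN with the
# host as source, but the server's reply arrives with the host as destination.
# The question's single -s rule let the request out and dropped the reply.
# -I puts both rules at the top of FORWARD, above the DROP, even when the
# host is added days or months after the base policy was loaded.
allow_http() {
    run -I FORWARD -d "$1" -m layer7 --l7proto http -j ACCEPT
    run -I FORWARD -s "$1" -m layer7 --l7proto http -j ACCEPT
}

# Revoke a host: -D deletes the first rule whose spec matches exactly.
revoke_http() {
    run -D FORWARD -s "$1" -m layer7 --l7proto http -j ACCEPT
    run -D FORWARD -d "$1" -m layer7 --l7proto http -j ACCEPT
}

# Base policy. Arguments: LAN IPs allowed to use HTTP from the start.
# The DROP is inserted first; every ACCEPT inserted afterwards lands above
# it. In the question the DROP was inserted last, so it ended up on top of
# the ACCEPT and won.
build_http_rules() {
    run -I FORWARD -m layer7 --l7proto http -j DROP
    for ip in "$@"; do
        allow_http "$ip"
    done
}

# Usage on the router (PC1 and PC2 addresses are from the question):
#   build_http_rules 192.168.1.11      # block the LAN, allow PC1
#   allow_http 192.168.1.12            # months later: allow PC2 as well
#   revoke_http 192.168.1.12           # and take it away again
# Verify with: iptables -L FORWARD -n -v --line-numbers
# Every ACCEPT for an allowed host must carry a lower number than the DROP.
```

Two caveats for a cafe deployment. The layer7 match classifies a connection from its first few packets, so a blanket `-m state --state ESTABLISHED,RELATED -j ACCEPT` placed above these rules will let later packets of a connection bypass the DROP; keep the l7 rules ahead of any such rule. And a LAN IP address is a weak identity: DHCP can hand it to a different machine and a customer can set it by hand. If the intent is really per-device, match on `-m mac --mac-source` for the outbound rule instead of `-s` (the reply rule still has to match on `-d`, since MAC matching only works on incoming packets).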