I am trying to log outgoing connections with iptables. What I want is, drop and accept connection while logging them also. I have found that -j option takes DROP/REJECT/ACCEPT/LOG. But I want to do something like DROP and LOG or ACCEPT and LOG. Is there a way to achieve this ?
Although already over a year old, I stumbled across this question a couple of times on other Google search and I believe I can improve on the previous answer for the benefit of others.
Short answer is you cannot combine both action in one line, but you can create a chain that does what you want and then call it in a one liner.
Let's create a chain to log and accept:
iptables -N LOG_ACCEPT
And let's populate its rules:
iptables -A LOG_ACCEPT -j LOG --log-prefix "INPUT:ACCEPT:" --log-level 6
iptables -A LOG_ACCEPT -j ACCEPT
Now let's create a chain to log and drop:
iptables -N LOG_DROP
And let's populate its rules:
iptables -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
iptables -A LOG_DROP -j DROP
Now you can do all actions in one go by jumping (-j) to you custom chains instead of the default LOG / ACCEPT / REJECT / DROP:
iptables -A <your_chain_here> <your_conditions_here> -j LOG_ACCEPT
iptables -A <your_chain_here> <your_conditions_here> -j LOG_DROP
Example:
iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP
Log Exampe:
Feb 19 14:18:06 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=x PROTO=TCP SPT=x DPT=x WINDOW=x RES=0x00 SYN URGP=0
Other options:
LOG
Turn on kernel logging of matching packets. When this option
is set for a rule, the Linux kernel will print some
information on all matching packets
(like most IP header fields) via the kernel log (where it can
be read with dmesg or syslogd(8)). This is a "non-terminating
target", i.e. rule traversal
continues at the next rule. So if you want to LOG the packets
you refuse, use two separate rules with the same matching
criteria, first using target LOG
then DROP (or REJECT).
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29
letters long, and useful for distinguishing messages in
the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the
log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log the userid of the process which generated the packet.
At work, I needed to log and block SSLv3 connections on ports 993 (IMAPS) and 995 (POP3S) using iptables. So, I combined Gert van Dijk's How to take down SSLv3 in your network using iptables firewall? (POODLE) with Prevok's answer and came up with this:
iptables -N SSLv3
iptables -A SSLv3 -j LOG --log-prefix "SSLv3 Client Hello detected: "
iptables -A SSLv3 -j DROP
iptables -A INPUT \
-p tcp \! -f -m multiport --dports 993,995 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C# 12>>26&0x3C# 0 & 0xFFFFFF00=0x16030000 && \
0>>22&0x3C# 12>>26&0x3C# 2 & 0xFF=0x01 && \
0>>22&0x3C# 12>>26&0x3C# 7 & 0xFFFF=0x0300" \
-j SSLv3
Explanation
To LOG and DROP, create a custom chain (e.g. SSLv3):
iptables -N SSLv3
iptables -A SSLv3 -j LOG --log-prefix "SSLv3 Client Hello detected: "
iptables -A SSLv3 -j DROP
Then, redirect what you want to LOG and DROP to that chain (see -j SSLv3):
iptables -A INPUT \
-p tcp \! -f -m multiport --dports 993,995 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C# 12>>26&0x3C# 0 & 0xFFFFFF00=0x16030000 && \
0>>22&0x3C# 12>>26&0x3C# 2 & 0xFF=0x01 && \
0>>22&0x3C# 12>>26&0x3C# 7 & 0xFFFF=0x0300" \
-j SSLv3
Note: mind the order of the rules. Those rules did not work for me until I put them above this one I had on my firewall script:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
nflog is better
sudo apt-get -y install ulogd2
ICMP Block rule example:
iptables=/sbin/iptables
# Drop ICMP (PING)
$iptables -t mangle -A PREROUTING -p icmp -j NFLOG --nflog-prefix 'ICMP Block'
$iptables -t mangle -A PREROUTING -p icmp -j DROP
And you can search prefix "ICMP Block" in log:
/var/log/ulog/syslogemu.log
for china GFW:
sudo iptables -I INPUT -s 173.194.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 173.194.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
sudo iptables -I INPUT -s 64.233.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 64.233.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
sudo iptables -I INPUT -s 74.125.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 74.125.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
Related
CONTEXT:
I wanted to have a shell script that would block all Inbound/Outbound traffic to my computer, UNLESS I decide I want to use the browser or some other application, in which case I would summon it and only those applications would run.
I have researched previous scripts made by smart individuals (links to sources at the end), as well as invested the time to learn to use iptables myself (still working on this front).
Here is the result of the work done:
RESULTS:
before the shell script is run, a group called internet is created:
sudo groupadd internet
Shell Script:
#!/bin/sh
#only allow apps run from "internet" group to run
# clear previous rules
sudo iptables -F
# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
# also allow local connections
sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT
# reject packets for other users
sudo iptables -A OUTPUT -j REJECT
# same process for IPv6:
sudo ip6tables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo ip6tables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT
sudo ip6tables -A OUTPUT -j REJECT
this is the other part of the shell that I'm currently working on and not 100% confident with:
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#SAME REPEATED FOR IPv6
sudo ip6tables -A INPUT -j DROP
sudo ip6tables -A FORWARD -j DROP
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
after the whole script above is executed, the following command would open a terminal that would be part of the internet group, and hence any application (like firefox for instance) that were open by that terminal would have internet access, while all other INPUT/OUTPUT would be stopped
sudo -g internet -s
QUESTION:
Is the previous logic in order? Currently I am working on testing out all the features, by installing network monitoring software (nethogs), testing each line of code and seeing if the result is as expected, BUT at the same time, I only started learning about iptables 2 days ago, so even though the sources of the original code is done by experienced coders, I am not 100% confident in my ability to put it all together to produced the desired result. Thanks to anyone who took the time to read all this and participate in the discussion !!!
sources:
https://plus.google.com/+TobyKurien/posts/YZhZJCZmGgm
https://serverfault.com/questions/429400/iptables-rule-to-allow-all-outbound-locally-originating-traffic
P.S.: Thanks to #dirkt for previously helping me understand a lot of the fundamental concepts of iptables as well as answering some of my questions regarding the source code.
UPDATE:
So after having run the code, there seems to be something wrong. What happens is as follows. I run the shell script:
bash myscript
I get 2 errors as follows:
ip6tables v1.6.0: host/network 127.0.0.1 not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.6.0: host/network 198.168.0.1 not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
but everything else ran well, and when doing sudo iptables -L I did confirm all the other rules are in place. AFTER that, I tried the following:
Run firefox by manually double-clicking the icon. The result was as expected, right away I got a Server not found error, which was a good sign
After that I ran the command sudo -g internet -s in the terminal, and then firefox. NOW... when I tried loading a website, it didn't show me Server not found, but it keep loading for a long period of time, very long. This leads me to believe that maybe the output response was sent, BUT the input was being blocked.
If anyone knows why this might be happening, I would love to know your feedback!
I only started learning about iptables 2 days ago, so even though the sources of the original code is done by experienced coders, I am not 100% confident in my ability to put it all together to produced the desired result.
Coincidentally, I'm looking for the same solution around the same time and saw your post. Just sign-up SO, hope this could help you and others. I'm still learning and open to suggestion and advice :)
A few change to the code. I need to open all port to local connections to make it work.
Also changed 192.168.0.1/24 to 192.168.0.0/16. This range allowed wifi/usb tether to be included.
# also allow local connections
#TODO. Use log to see which port are actually needed.
sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
Is the previous logic in order?
Change the order for/to this code.
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
Also add this code on top of previous code. These are taken from default firewall. Originally it contained specific interface.
sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
I get 2 errors as follows:
ip6tables v1.6.0: host/network 127.0.0.1 not found Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.6.0: host/network 198.168.0.1 not found Try `ip6tables -h' or 'ip6tables --help' for more information.
Probably because you are using IP4 address.
Change 127.0.0.1 to ::1/128 and 198.168.0.1 to fe80::/10.
Can't help much about IPv6. I have no idea how it work and I don't think mine using IPv6 at all.
Complete Script:
#!/bin/sh
#only allow apps run from "internet" group to run
# clear previous rules
sudo iptables -F
# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
#Some application need more port. Such as ping.
sudo iptables -A OUTPUT -p icmp -m owner --gid-owner internet -j ACCEPT
#Less secure. Open all port.
#sudo iptables -A OUTPUT -m owner --gid-owner internet -j ACCEPT
# also allow local connections
#TODO. Use log to see which port are actually needed.
sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
# reject packets for other users
sudo iptables -A OUTPUT -j REJECT
#Taken from default rules.
sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
#IPv6 Section
# Flush ip6tables too
sudo ip6tables -F
# same process for IPv6:
sudo ip6tables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -d ::1/128 -j ACCEPT
sudo ip6tables -A OUTPUT -d fe80::/10 -j ACCEPT
sudo ip6tables -A OUTPUT -j REJECT
sudo ip6tables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo ip6tables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -j DROP
sudo ip6tables -A FORWARD -j DROP
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I am new to tor and Kali linux, I have installed Kali linux and installed tor and download tor bundle, but I realised only when I brows through the tor bundle browser is when my traffic is being channel through tor, excluding any other browser and application.
How can I channel all my network traffic on linux to pass through the tor network?
Add the following to torrc:
AutomapHostsOnResolve 1
DNSPort 53530
TransPort 9040
create a file to contain your iptables rules. For IPv4: /etc/iptables.firewall.rules and for IPv6: /etc/ip6tables.firewall.rules.
Now edit the IPv4 file and add something like the following (make sure to grep for TODO items and follow the instructions):
# Ues the nat table to redirect some traffic to Tor
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Don't allow Tor traffic to get stuck in a redirect loop...
# TODO: Is `tor' your actual Tor user? It might be `debian-tor' or `toranon' or something else.
-A OUTPUT -m owner --uid-owner tor -j RETURN
# Redirect DNS lookups to Tor.
# TODO: Set this to your Tor DNSPort if it's not 53530.
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53530
# Do not redirect private networks or loopback.
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 172.16.0.0/12 -j RETURN
-A OUTPUT -d 192.168.0.0/16 -j RETURN
# Redirect HS connections to the TransPort.
-A OUTPUT -d 127.192.0.0/10 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# Redirect all TCP traffic to Tor's TransPort.
-A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
# Only accept anonymized network traffic in the filter table.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN - [0:0]
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Allow connections that are already established.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Reject incoming connections.
-A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Accept network traffic for the Tor service itself.
# TODO: Tor user?
-A OUTPUT -m owner --uid-owner tor -j ACCEPT
# Accept DNS requests to the Tor DNSPort.
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53530 -j ACCEPT
# Accept outgoing traffic to the local Tor TransPort.
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9040 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Accept outgoing traffic to the local Tor SOCKSPorts.
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9050 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9150 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Accept connections on private networks.
-A OUTPUT -d 10.0.0.0/8 -j LAN
-A OUTPUT -d 172.16.0.0/12 -j LAN
-A OUTPUT -d 192.168.0.0/16 -j LAN
-A LAN -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A LAN -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A LAN -j ACCEPT
# Reject all other outgoing traffic.
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
For the IPv6 file, you can do something similar with ip6tables, or just drop all IPv6 traffic.
Now set these rules to be loaded on startup by creating the file /etc/network/if-pre-up.d/firewall with the following contents:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
/sbin/ip6tables-restore < /etc/ip6tables.firewall.rules
Restart Tor if needed, and load your new firewall rules manually by executing the previous commands.
As you can image, we need iptables to block the ports we do not need to protect server.
But I need to request some third party resource, and I got confuse on how to do it.
Here are my iptables rules
iptables -F
iptables -A INPUT -p UDP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 110.75.147.65/32 -j ACCEPT
iptables -A INPUT -s localhost -j ACCEPT
iptables -A INPUT -j DROP
And 110.75.147.65/32 is the one of third party servers' IP, I wonder if there are any way to allow all connection started by my server such as curl https://www.google.com/, otherwise I need to add all my third party servers' IP to the iptables rules.
How about
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I am trying to create iptable rules that will allow incoming and outgoing ssh connections, and then allow outbound connections to specific ports, then finally drop anything that doesnt match.
These are the rules I have come up with, the SSH rules work, but when I tunnel into the box I cant seem to access http (port 80) even though i've allowed it. Can anyone spot the mistake?
#!/bin/bash
#clear iptables
iptables -F
iptables -X
#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#accept everything no matter port on localhost
iptables -A INPUT -i lo -j ACCEPT
#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow input on port 22, (established connections auto accepted)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
#...
#drop anything that doesnt match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Thanks for your time.
You might want to add the DNS ports, otherwise you may not be able to resolve any hostnames.
Allowing OUTPUT for TCP and UDP Port 53 should help.
You need to open port 80 for input and output with a rule like this:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
I have a home network with Linux pc's, which all had iptables running. I think it is easier to put my LAN behind a Linux gateway/firewall, so I've put a pc (with fedora,no gui) between my router and LAN and configured iptables. No problem here, INPUT only allows dns an http (and some local stuff), forwarding works fine: LAN connects to internet.
But my question is: does FORWARD allows all from the outside, or only the ports I configured with INPUT? Do FORWARD and INPUT work together or are they separate?
This is my iptables:
*nat
:PREROUTING ACCEPT [16:1336]
:INPUT ACCEPT [14:840]
:OUTPUT ACCEPT [30:2116]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p1p1 -j MASQUERADE
COMMIT
# Completed on Tue Oct 16 09:55:31 2012
# Generated by iptables-save v1.4.14 on Tue Oct 16 09:55:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:9888]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p UDP --dport 53 -j ACCEPT
-A INPUT -p TCP --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m multiport --dports 20,21,443 -j DROP
-A INPUT -i p1p1 -p tcp --dport 5000:5100 -j DROP
-A INPUT -i p1p1 -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -j LOG --log-prefix "denied out: "
COMMIT
p1p1 (.1.x) is my external nic, p3p1 (.2.x) is internal.
RedHat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.
Here is the chapter about FORWARD and NAT Rules. As it states:
For example, if you want to forward incoming HTTP requests to your
dedicated Apache HTTP Server at 172.31.0.23, use the following command
as the root user:
~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
Here is what happens:
your linux gateway receives a packet from your router. The packet header has:
source: x.x.x.x:y (sender IP from the internet & source port used for packet transmission)
destination: 192.168.1.1:80 (assuming your linux gateway IP on external NIC, ie p1p1)
your linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps -j) to the DNAT function (Destination Network Address Translation) which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
then, the packet arrives to the Routing Decision. The packet destination is now 172.31.0.23:80.
Your linux gateway asks itself: Is it for me (192.168.1.1:80) ? No, so I won't send it to the INPUT chain.
=> I'll send it to the FORWARD chain.
since you have set the rules to FORWARD all on your local network (table filter chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).
Hope it'll help to understand a little bit more how internal routing works with iptables.
INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.
If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines—it's being routed through the server—then it hits the FORWARD chain.