Creating INPUT-only or OUTPUT-only rules?

2012-08-28
2013-03-05
  • George Joseph
    2012-08-28

    I'm using Linux/iptables and looking for a way to create policy rules in fwbuilder that only apply to a single chain.  Whenever I create an "Inbound" rule, I always get INPUT and FORWARD iptables rules generated.  For "Outbound" rules I get OUTPUT and FORWARD and for "Both" rules, I get all three.   Unfortunately I have cases where I need only an INPUT (or OUTPUT or FORWARD) rule generated.

    I can get around this (kind of) by turning OFF the "Assume firewall is part of 'any'" option BUT I must then supply a rule source or destination ip address/network.  This doesn't work for un-numbered interfaces.

    Am I missing something obvious for creating a simple rule that allows access to the firewall itself but prevents forwarding?
    i.e.
    "-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT"
    without a corresponding
    "-A FORWARD -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT"

  • Vadim Kurland
    2012-08-28

    just put firewall object in "Destination" of the rule

  • George Joseph
    2012-08-29

    Yes, but…   "Destination" creates ip based match criteria which won't work for an un-numbered interface. Fwbuilder simply skips them when it generates the rules.

  • George Joseph
    2012-08-29

    Oh wait… you mean the actual "firewall" object. :)

    Yep, that worked.  So simple actually.  I just missed it.

    Thanks!
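    The risk the thread is circling is the unintended FORWARD rule: a policy meant to admit SSH to the firewall itself also lets the same traffic transit through it. The script below is an added example, not part of this thread and not fwbuilder's own code. It audits an `iptables-save`-style ruleset and lists every FORWARD rule whose match criteria and target exactly duplicate an INPUT or OUTPUT rule, which is the signature of a host-directed policy that was emitted for every chain. The sample ruleset is constructed for illustration; the only assumption is that rules appear as `-A CHAIN ... -j TARGET` lines.

```python
"""Audit an iptables ruleset for FORWARD rules that merely mirror INPUT/OUTPUT rules."""
import re
from collections import defaultdict

# Constructed sample in `iptables-save` style (illustrative, not from a real host).
SAMPLE_RULES = """\
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -o eth1 -p udp -m udp --dport 53 -j ACCEPT
"""

# Matches "-A <chain> <match criteria> -j <target>"; lines such as "*filter" or
# ":INPUT DROP [0:0]" do not match and are skipped.
_RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)\s*$")


def parse_rule(line):
    """Return (chain, match_tokens, target) for an `-A` line, or None for anything else."""
    m = _RULE_RE.match(line.strip())
    if not m:
        return None
    chain, matches, target = m.groups()
    return chain, tuple(matches.split()), target


def rules_by_chain(text):
    """Group parsed rules by chain, preserving their order in the ruleset."""
    grouped = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            chain, matches, target = parsed
            grouped[chain].append((matches, target, line.strip()))
    return grouped


def mirrored_forward_rules(text):
    """FORWARD rules whose match criteria and target duplicate an INPUT or OUTPUT rule.

    Such a rule usually means a policy aimed at the firewall host was generated for
    every chain; it lets the same traffic pass through the box instead of only
    terminating on it, so each hit deserves a review.
    """
    grouped = rules_by_chain(text)
    host_rules = {
        (matches, target)
        for chain in ("INPUT", "OUTPUT")
        for matches, target, _ in grouped.get(chain, [])
    }
    return [
        line
        for matches, target, line in grouped.get("FORWARD", [])
        if (matches, target) in host_rules
    ]


if __name__ == "__main__":
    for rule in mirrored_forward_rules(SAMPLE_RULES):
        print("review:", rule)
```

    Run it against `iptables-save` output from the build host before deploying a policy; on the constructed sample it flags the port 22 and port 53 FORWARD rules and leaves the genuine transit rule (`-i eth0 -o eth1 ... --dport 80`) alone. The comparison is deliberately exact, so a FORWARD rule that adds an `-o` interface or a different state match is treated as intentional.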