Bits & Bytes

Rocking iptables like a DJ


The next step is to allow explicitly our subnets to talk to the router only. Let’s assume the router’s IP is configured to a class C private subnet like and all hosts on the eth0 link should be allowed to send and receive traffic.

1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
 inet brd scope global eth0
 valid_lft forever preferred_lft forever

Usally configuring a firewall by hand all the micro management stuff begins now by adding them to the USER-IN or USER-OUT chains but there’s an easier way. In a common network setup there’s often some kind of internal interface on which private subnets reside. The ALLOW_SUBNETS call just expects an interface name and all subnets configured on that interface will be allowed to talk to the router host by placing appropriate rules in:

Chain USER-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  ...   ... ACCEPT     all  --  eth0   *            /* ALLOW_SUBNETS_0x50e549399da8 */

Chain USER-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  ...   ... ACCEPT     all  --  *      eth0       /* ALLOW_SUBNETS_0x50e549399da8 */

Notice the comments to the right which are used to identify these rules as rules created by an ALLOW_SUBNET call. This is a good example of a logical ruleset spanning over multiple chains.

Although these rules allow primary traffic among the router and hosts of the subnet additional traffic is still not allowed like link-local, service discovery or UPNP which needs to be explicitly allowed by using ALLOW_LINK_LOCAL or ALLOW_SERVICE_DISCOVERY which in turn opens up traffic originating from or fe80::/10 subnets to allow use of ZeroConf address assignment like IPv4ll or Netbios|DNS based service discovery via multicast or UPNP features like available DLNA or AirPlay servers in your subnet. All these comfort features eases life on an internal link in a private subnet but these shouldn’t be available on a WAN device as they expose attack surface but since we’re on an internal link in our scenario we can safely allow them as in it’s default configuration doesn’t allow any forwarding of such traffic. Usally a router shouldn’t be allowed to use service discovery but there can be useful situations eg. when the router offers DNS multicast for hostname resolution on auto-configured subnets to specific interfaces only especially when a DHCP server isn’t available there.

Figure C: Allowing a subnet, link-local and service discovery on a specific interface. Click to enlarge.

By вяоӣсо

I'm a computer kid of the 80', not born but raised in good old' germany, playin' games, makin' music & lovin' the blues. My career started at an age of 10 in a shopping mall where they sold computers too. It was the first time ever i've seen such an electronic monster and was fascinated instantly.
Later on i've learned my first programming skills (Basic) with a friend's Sinclair ZX 81. Yes, that one with the strange plastics keyboard. After that i got some experience with a Schneider CPC464 and the Commodore C64 until i fell in love with the Commodore Amiga, a machine with 4096 different colors which sounds nowadays to most like black'n'white tv's sounded to me at that time.
We played a lot of games like Decathlon, The Last V8, Impossible Mission, Elite, Mega'lo'Mania, Xenon, Speedball or Chaos Engine and ruined a lot of those Competition Pro Joysticks. My favourites were mostly games by Sensible Software, Bitmap Brothers or Rainbow Arts.
What i liked the most about that machine was it's AmigaOS, it's operating system was ahead of it's time. On this machine i learned my first assembler language (m68k) and the hardware internas.
I watched the decline of Commodore with a tear in my eye and at some point i went over to usual business and my first PC and learned it's beastly manners.