
I'm using iptables rules for censorship. I created a hotspot. When I try to connect to a website on the Raspberry with the mother network, it's working. But when I try on a PC with the hotspot, my iptables rules aren't working. What should I do to make them work?

iptables -L:

    :INPUT ACCEPT [8033:1704399]
    :FORWARD ACCEPT [5821:3005749]
    :OUTPUT ACCEPT [5632:1865639]
    -A INPUT -p icmp -j DROP
    -A INPUT -p tcp -m tcp --sport 80 --tcp-flags RST RST -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK ACK -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x48545450" -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 443 --tcp-flags RST RST -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK ACK -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000" -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,ACK SYN -m mark ! --mark 0x9 -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m length --length 0:80 -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x47455420" -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x504f5354" -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,ACK SYN -m mark ! --mark 0x9 -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m length --length 0:80 -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000" -j NFQUEUE $
    COMMIT
a.gulcan
  • You might have a look at some of the "gui configuration tools" for iptables as the rules aren't always intuitive/easy to understand. It also might help if you would edit your question to add a description of what it is you're trying to accomplish as that would provide us a bit of context. – Seamus Aug 26 '18 at 17:14

1 Answer

I solved it. When a hotspot client sends data, my data packets go to the website server through the FORWARD filter, so the data packets never visit the INPUT filter or the OUTPUT filter; the INPUT and OUTPUT filters don't work. So I added them to the FORWARD chain as well. But I can't catch ICMP on the FORWARD filter, so I didn't add ICMP to FORWARD.

[image: iptables process flow (source: cloudfront.net)]

    -A INPUT -p icmp -j DROP
    -A INPUT -p tcp -m tcp --sport 80 --tcp-flags RST RST -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK ACK -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x48545450" -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 443 --tcp-flags RST RST -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 1
    -A INPUT -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK ACK -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000" -j NFQUEUE --queue-num 1

    -A FORWARD -p tcp -m tcp --sport 80 --tcp-flags RST RST -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --sport 80 --tcp-flags SYN,RST,ACK ACK -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x48545450" -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --sport 443 --tcp-flags RST RST -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --sport 443 --tcp-flags SYN,RST,ACK ACK -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000" -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --dport 80 --tcp-flags SYN,ACK SYN -m mark ! --mark 0x9 -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m length --length 0:80 -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x47455420" -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x504f5354" -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --dport 443 --tcp-flags SYN,ACK SYN -m mark ! --mark 0x9 -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m length --length 0:80 -j NFQUEUE --queue-num 1
    -A FORWARD -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000" -j NFQUEUE --queue-num 1

    -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,ACK SYN -m mark ! --mark 0x9 -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m length --length 0:80 -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x47455420" -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x504f5354" -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,ACK SYN -m mark ! --mark 0x9 -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m length --length 0:80 -j NFQUEUE --queue-num 1
    -A OUTPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK ACK -m mark ! --mark 0x9 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000" -j NFQUEUE --queue-num 1
    COMMIT

Glorfindel
a.gulcan
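One way to check the fix described in this answer, as an added example that is not part of the original post: a POSIX shell script that reads an iptables-save style ruleset and reports which INPUT/OUTPUT TCP rules still have no FORWARD counterpart, which is exactly what bites routed hotspot traffic. The function names and the sample ruleset are my own constructions; the ICMP rule is deliberately not mirrored, matching the post.

```shell
#!/bin/sh
# Added example (not from the post). Routed hotspot traffic only traverses
# FORWARD, so a filter rule that exists only in INPUT/OUTPUT is silently
# skipped for those clients. Run on the gateway as:
#   iptables-save | missing_forward_rules

# Rewrite each INPUT/OUTPUT TCP rule as the equivalent FORWARD rule.
# Only "-p tcp" rules are mirrored; the ICMP DROP in INPUT stays where it is.
mirror_to_forward() {
    sed -n -E 's/^-A (INPUT|OUTPUT) (-p tcp .*)$/-A FORWARD \2/p'
}

# Read a ruleset on stdin and print every mirrored rule that is not already
# present verbatim in that ruleset (exact line match, so a rule that differs
# only in a match option is reported as missing).
missing_forward_rules() {
    ruleset=$(cat)
    printf '%s\n' "$ruleset" | mirror_to_forward | while IFS= read -r want; do
        printf '%s\n' "$ruleset" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Exit 0 when nothing is missing, so a deploy script can gate on it.
forward_covered() {
    [ -z "$(missing_forward_rules)" ]
}

# Constructed sample in the shape of the question's dump: the sport-80 RST
# rule was mirrored into FORWARD, the dport-80 SYN rule was not.
SAMPLE_RULES='-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --sport 80 --tcp-flags RST RST -j NFQUEUE --queue-num 1
-A FORWARD -p tcp -m tcp --sport 80 --tcp-flags RST RST -j NFQUEUE --queue-num 1
-A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,ACK SYN -m mark ! --mark 0x9 -j NFQUEUE --queue-num 1
COMMIT'

# Sample run: prints the one FORWARD rule that still needs to be added.
printf '%s\n' "$SAMPLE_RULES" | missing_forward_rules
```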