I posted this same question in another SE forum, but later felt this forum is more appropriate considering the Linux distro I am dealing with.

I am totally new to the netfilter thing. Currently I am running an application which uses three interfaces (eth0/eth1/eth2). My application runs on two servers, and they communicate with each other via their own interfaces (eth0/eth1/eth2).

In Ubuntu 18.04 (kernel version 4.*), I just used iptables commands to break the communication between them.

In 22.04 (kernel version 6.2.*), I use the same iptables commands to break the communication between the two servers, but things are not working as expected (my app code remains unchanged). My application has a mechanism to report whether the neighbor server is reachable or not; in 22.04, with the iptables rules applied, it still reports the other server as reachable (not the case in 18.04).

I could see that a lot has changed with regard to how network traffic can be filtered between the two kernel versions (more tools in the recent one).

I removed ufw just to avoid conflicts with nftables. One observation: when I apply the rule, for a brief moment my app reports the neighbor server as unreachable, and then it suddenly changes to reachable. Something is overriding the rule, but I am unsure what.

Now I am seeking help here to see what I have missed.

-A INPUT -s x.x.x.x/32 -d y.y.y.y/32 -i eth2 -j DROP
-A INPUT -s x.x.x.y/32 -d y.y.y.x/32 -i eth1 -j DROP
-A INPUT -s x.x.y.y/32 -d y.y.x.x/32 -i eth0 -j DROP

-A OUTPUT -s y.y.y.y/32 -d x.x.x.x/32 -o eth2 -j DROP
-A OUTPUT -s y.y.y.x/32 -d x.x.x.y/32 -o eth1 -j DROP
-A OUTPUT -s y.y.x.x/32 -d x.x.y.y/32 -o eth0 -j DROP

Note: All my rules are prepended to the chain to make sure they take precedence over anything else.

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  xxxx  yyyy
DROP       all  --  zzzz  AAAA
DROP       all  --  BBBB  CCCC

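As an added example, not part of the question above: on Ubuntu 22.04 the default `iptables` binary is `iptables-nft`, which programs the nf_tables kernel API, so the rules actually in effect are what `nft list ruleset` shows, and rules loaded through `iptables-legacy` live in a separate ruleset that `iptables -L` will not display. The script below has two helpers a practitioner would reach for when debugging this: one that classifies the output of `iptables -V` (legacy vs nf_tables backend), and one that emits a native nftables ruleset expressing the same per-interface peer-blocking drops as the posted INPUT/OUTPUT rules, in a dedicated table whose base chains hook at priority -10 so they are evaluated before the standard filter chains (priority 0), and a drop verdict there is final. The table name `peer_block`, the addresses and the interface names are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for checking which
# iptables backend is active on Ubuntu 22.04 and for writing the posted
# peer-blocking rules as a native nftables ruleset.
# All addresses, interface names and the table name are constructed placeholders.

# detect_backend "<output of iptables -V>"
# Prints nf_tables, legacy or unknown. On 22.04 `iptables -V` normally
# reports "(nf_tables)", meaning rules go through the nf_tables API.
detect_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# gen_nft_ruleset LOCAL_ADDR PEER_ADDR IFACE [LOCAL_ADDR PEER_ADDR IFACE ...]
# Mirrors the posted rules: drop packets from PEER to LOCAL arriving on IFACE
# (INPUT) and packets from LOCAL to PEER leaving on IFACE (OUTPUT).
# The base chains hook at priority -10, ahead of the iptables-nft filter
# table (priority 0); a drop verdict is final across base chains.
gen_nft_ruleset() {
    in_rules=""
    out_rules=""
    while [ "$#" -ge 3 ]; do
        local_addr=$1; peer_addr=$2; ifc=$3; shift 3
        in_rules="$in_rules    iifname \"$ifc\" ip saddr $peer_addr ip daddr $local_addr counter drop
"
        out_rules="$out_rules    oifname \"$ifc\" ip saddr $local_addr ip daddr $peer_addr counter drop
"
    done
    printf 'table inet peer_block {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority -10; policy accept;\n'
    printf '%s' "$in_rules"
    printf '  }\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority -10; policy accept;\n'
    printf '%s' "$out_rules"
    printf '  }\n'
    printf '}\n'
}

# Stand-alone demo: report the backend if iptables is installed, then print
# a ruleset for three constructed local/peer/interface triples.
if command -v iptables >/dev/null 2>&1; then
    echo "iptables backend: $(detect_backend "$(iptables -V 2>/dev/null)")"
fi
gen_nft_ruleset \
    198.51.100.1 192.0.2.1 eth2 \
    198.51.100.2 192.0.2.2 eth1 \
    198.51.100.3 192.0.2.3 eth0
```

To apply it on a server (root required): redirect the output to a file, syntax-check it with `nft -c -f peer_block.nft`, load it with `nft -f peer_block.nft`, and confirm it is present and counting with `nft list table inet peer_block`; the `counter` on each rule shows immediately whether packets are hitting the drop. If the counters stay at zero while the application still reports the peer reachable, the traffic is not arriving on the interface/address pair the rule names. If the table disappears from `nft list ruleset` shortly after loading, something else (a firewall manager, a network configuration hook) is flushing the ruleset, which matches the "briefly unreachable, then reachable again" symptom described in the question.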