From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
To: Barry Fawthrop <barry@ttienterprises.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: filtering ruleset help sought
Date: Mon, 15 Aug 2005 16:49:14 -0400 [thread overview]
Message-ID: <1124138954.21025.29.camel@localhost> (raw)
In-Reply-To: <4300FAAD.4060305@ttienterprises.org>
On Mon, 2005-08-15 at 16:27 -0400, Barry Fawthrop wrote:
> Hi
>
> I was given a iptables ruleset (that I think was generated by firestarter)
> I don't have GUI nor do I want to so I have no means to test it.
> It runs on a gateway machine ETH0 = Wan and ETH1 = LAN NICs
>
> I'm looking for a simple ruleset that will deny all outgoing traffic
> accept to a list of IP addresses found in a file
> and only on port 80 for HTTP access only.
>
> I have this:
>
> $IPT -t filter -A INPUT -s $INNET -d 0/0 -j DROP
> $IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j DROP
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j DROP
>
> while read s1 s2
> do
> $IPT -t filter -A INPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
> $IPT -t filter -A OUTPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
> done < /allowed-hosts
>
>
> 1) doesn't work complains about --dport
> 2) I can still ping other ip addresses not found in the allowed-hosts file?
>
> Any help, most welcome
> Thank You
> Barry
>
Hmm . . .looks a little strange. Do you want such access for this
specific device or for other devices on the internal network that use
this device as a gateway? The INPUT and OUTPUT chains will only handle
traffic to and from this device.
I would suggest you use connection tracking and you may find it easier
to use DROP policies. Thus:
$IPT -t filter -P INPUT DROP
$IPT -t filter -P OUTPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Then you can allow the outbound access including the protcol:
while read s1 s2
do
$IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j
ACCEPT
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
done < /allowed-hosts
If you want to allow other devices to access these sites through this
device, you will need rules in the FORWARD chain and probably an SNAT
rule in the nat table POSTROUTING chain. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
next prev parent reply other threads:[~2005-08-15 20:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-15 20:27 filtering ruleset help sought Barry Fawthrop
2005-08-15 20:49 ` John A. Sullivan III [this message]
2005-08-15 21:02 ` Barry Fawthrop
2005-08-15 21:22 ` John A. Sullivan III
2005-08-17 5:40 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1124138954.21025.29.camel@localhost \
--to=jsullivan@opensourcedevel.com \
--cc=barry@ttienterprises.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.