From: Arnt Karlsen <arnt@c2i.net>
To: netfilter@lists.netfilter.org
Subject: Re: blocking ports outbound
Date: Thu, 13 Mar 2003 01:32:33 +0100
Message-ID: <20030313013233.401f20b7.arnt@c2i.net>
In-Reply-To: <001a01c2e8db$31a31b50$0401000a@sterenborg.info>

On Wed, 12 Mar 2003 22:06:04 +0100, 
"Rob Sterenborg" <rob@sterenborg.info> wrote in message 
<001a01c2e8db$31a31b50$0401000a@sterenborg.info>:

> > Maybe I got my question wrong.
> > 
> > I'm very new to iptables coming from a ipfilter background. 
> > In ipfilter I just state block all in and then open the ports 
> > I wish to allow through. Is there something similar in iptables?
> 
> Yes.
> 
> iptables -P INPUT DROP
> Does just what it says : it drops all inbound packets for which there is
> no ACCEPT rule.
> 
> I guess you'd want the thing to be stateful :
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> If you want to accept packets on a certain port, you just do :
> iptables -A INPUT -p <proto> --dport <port> -j ACCEPT
> Or
> iptables -A INPUT -i <if_in> -p <proto> --dport <port> -j ACCEPT
> Or
> iptables -A INPUT -s <src_ip|net> -p <proto> --dport <port> -j ACCEPT
> 
> There are of course more options that I didn't mention here, some can
> be used together.
> In the examples above you could use both -i and -s in one rule to make
> sure an IP will match on a certain NIC.
> 
> > I wish to stop the outside world from seeing the ports upon 
> > the firewall/proxy and beyond into my internal network.
> > 
> > My problem is I cannot join certain irc servers due to their 
> > open proxy policy.
> 
> Actually I'm not quite familiar with irc ; never used it.
> 
> > So really how do I block all ports internally while allowing 
> > something like a connection internally to go outbound and 
> > receive the packets back.
> 
> On what port does the irc client connect ? Is it 6667 ?
> What if you forward port 6667 so it can contact the irc server
> directly?
> 
> > My current iptables config is
> > 
> > 
> > #!/bin/bash
> > /bin/echo "Firewall rules starting up now..."
> > /sbin/modprobe ipt_MASQUERADE
> > /usr/local/sbin/iptables -F
> 
> > /usr/local/sbin/iptables -t nat
>                           ^^^^^^^^
> What does this do ? On my box it gives an error.
> You specify what table iptables should use, but you don't give it any
> "command".
> 
> > /usr/local/sbin/iptables -t mangle -F
> > /usr/local/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> 
> > /bin/echo 1 > /proc/sys/net/ipv4/ip_forward 
> > /usr/local/sbin/iptables -A OUTPUT --dport 3128 -j DENY 
>                                                     ^^^^^^
> Do you want to DROP or REJECT ?
> DENY was in ipchains, not in iptables.
> 
> > Please pick apart my rules and tell me what I'm doing wrong.
> > 
> > As I stated, I'm a complete newbie to iptables.
> > 
> > My system is a firewall/proxy unit with an adsl connection 
> > running pppoe to the outside world. I receive a permanent ip 
> > upon the ppp0 interface.
> 
> So eth0 and eth2 are connected to your lan I suppose, and are on
> different subnets.
> If I'd have to make it work I'd try this :
> 
> # Stop forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
> 
> # Load some modules
> modprobe ipt_MASQUERADE
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> # You may need ip_conntrack_irc and ip_nat_irc. Do you have these
> modules ?
> 
> # Flush all rules
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> 
> # Set the default policy
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> 
> # Make it stateful
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> # Don't know if you need to access the box itself from your lan ?
> # If so then you need to do something like this.
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i eth2 -j ACCEPT
> 
> # Forward traffic from eth0 and eth2
> iptables -A FORWARD -i eth0 -o ppp0 -s <lan_net1> -j ACCEPT
> iptables -A FORWARD -i eth2 -o ppp0 -s <lan_net2> -j ACCEPT
> 
> # Redirect webclients to squid
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
> 
> # MASQ traffic from eth0 and eth2 destined for the internet
> # You're using ppp so I don't think SNAT will work for you (it doesn't
> for me..)
> iptables -t nat -A POSTROUTING -o ppp0 -s <lan_net1> -j MASQUERADE
> iptables -t nat -A POSTROUTING -o ppp0 -s <lan_net2> -j MASQUERADE
> 
> # Start forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward

..the reason to put this echo at the end is that you don't want 
_any_ traffic until you have the firewall ready for it.
 
> Again : this may not work for your purpose, but it can be a start.
> 
> For more information about iptables there is a nice tutorial from
> Oskar:
> http://iptables-tutorial.frozentux.net/
> You may want to look there for a lot of information.
> 
> 
> Rob
> 
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
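
The ruleset Rob sketched above, written out as a complete script (an added example for this archive page, not code posted by anyone in the thread). It applies the two corrections the replies make to the original script: DROP/REJECT instead of the ipchains-only DENY target, and ip_forward switched off before the rules load and back on only as the last step. The original `iptables -A OUTPUT --dport 3128 -j DENY` line also fails for a second reason: `--dport` is only valid after `-p tcp` or `-p udp`. The interface names (ppp0, eth0, eth2), the two LAN subnets and the squid port are placeholders set at the top, not values from the thread; `DRY_RUN=1` prints the commands instead of executing them so the ruleset can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the thread: Rob's suggested ruleset as a complete
# script, with the points the replies raise applied:
#   - DROP/REJECT targets (DENY is ipchains-only)
#   - ip_forward switched off before the rules load and on only afterwards
#   - port 3128 (squid) refused from the WAN side so open-proxy scanners fail fast
# Interface names, LAN subnets and the squid port are assumptions, set below.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).
set -eu

WAN="${WAN:-ppp0}"
LAN_IF1="${LAN_IF1:-eth0}";  LAN_NET1="${LAN_NET1:-192.168.1.0/24}"
LAN_IF2="${LAN_IF2:-eth2}";  LAN_NET2="${LAN_NET2:-192.168.2.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# run CMD...: execute the command, or just print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# set_forward 0|1: toggle IPv4 forwarding (printed in dry-run mode)
set_forward() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "echo $1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    fi
}

fw_rules() {
    set_forward 0                      # nothing is forwarded until the rules are in place

    run modprobe ipt_MASQUERADE
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    # ip_conntrack_irc / ip_nat_irc are only needed for DCC through the NAT

    run iptables -F
    run iptables -t nat -F
    run iptables -t mangle -F

    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Refuse proxy probes from the WAN outright: a scanner gets "connection
    # refused" at once instead of timing out against the DROP policy.
    run iptables -A INPUT -i "$WAN" -p tcp --dport "$SQUID_PORT" -j REJECT --reject-with tcp-reset

    # The box itself is reachable from both LAN segments
    run iptables -A INPUT -i "$LAN_IF1" -s "$LAN_NET1" -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF2" -s "$LAN_NET2" -j ACCEPT

    # LAN -> internet only; no new connections are forwarded in from the WAN
    run iptables -A FORWARD -i "$LAN_IF1" -o "$WAN" -s "$LAN_NET1" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF2" -o "$WAN" -s "$LAN_NET2" -j ACCEPT

    # Transparent proxying of LAN web traffic into squid
    run iptables -t nat -A PREROUTING -i "$LAN_IF1" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -t nat -A PREROUTING -i "$LAN_IF2" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

    # Masquerade behind the ppp0 address (MASQUERADE, not SNAT, as the address may change)
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET1" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET2" -j MASQUERADE

    set_forward 1                      # last step: open the gate
}

case "${1:-}" in
    apply)   fw_rules ;;
    dry-run) DRY_RUN=1 fw_rules ;;
esac
```

Run `sh fw.sh dry-run` to review the exact command sequence, then `sh fw.sh apply` as root. The only thing that should answer on ppp0 afterwards is an RST on the squid port and replies to connections the box or the LAN opened itself, which is what the IRC servers' open-proxy checks are looking for.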



Thread overview: 5+ messages
2003-03-12 12:22 blocking ports outbound Joseph Sirucka
2003-03-12 15:45 ` Rob Sterenborg
2003-03-12 20:15   ` Joseph Sirucka
2003-03-12 21:06     ` Rob Sterenborg
2003-03-13  0:32       ` Arnt Karlsen [this message]