From: Joseph Sirucka <jsirucka@connectingyou.com.au>
To: Rob Sterenborg <rob@sterenborg.info>
Cc: netfilter@lists.netfilter.org
Subject: Re: blocking ports outbound
Date: Thu, 13 Mar 2003 07:15:37 +1100	[thread overview]
Message-ID: <3E6F9569.5030108@connectingyou.com.au> (raw)
In-Reply-To: FD8F124A387AD6119F7900A0D218B321019C41@hslex01.hslbz.local


Hi

Maybe I got my question wrong.

I'm very new to iptables, coming from an ipfilter background. In ipfilter 
I just state block all in and then open the ports I wish to allow 
through. Is there something similar in iptables?

I wish to stop the outside world from seeing the ports upon the 
firewall/proxy and beyond into my internal network.

My problem is I cannot join certain irc servers due to their open proxy 
policy.

So really, how do I block all ports internally while allowing something 
like a connection internally to go outbound and receive the packets back?

My current iptables config is

> #!/bin/bash
> /bin/echo "Firewall rules starting up now..."
> /sbin/modprobe ipt_MASQUERADE
> /usr/local/sbin/iptables -F
> /usr/local/sbin/iptables -t nat
> /usr/local/sbin/iptables -t mangle -F
> /usr/local/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> /usr/local/sbin/iptables -A OUTPUT --dport 3128 -j DENY
> /usr/local/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> /usr/local/sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

Please pick apart my rules and tell me what I'm doing wrong.

As I stated, I'm a complete newbie to iptables.

My system is a firewall/proxy unit with an adsl connection running pppoe 
to the outside world. I receive a permanent ip upon the ppp0 interface.

I hope I make some sense.

thanks

Joseph

Rob Sterenborg wrote:

>>I would like to know the rule to block ports outbound.
>>
>>I am trying to block port 3128 my squid/proxy port.
>
>Soo, ehm, you want to prevent outbound packets from squid?
>If you don't want squid to send packets, then why start squid at
>all?
>
>Well, if that's what you really want to:
>iptables -A OUTPUT -p tcp --sport 3128 -j REJECT --reject-with tcp-reset
>or simply
>iptables -A OUTPUT -p tcp --sport 3128 -j DROP
>
>
>Or don't you want users from the outside (internet) to connect ?
>
># Drops everything by default
>iptables -P INPUT DROP
>
># Accepts anything coming in on your LAN interface,
># but you may want something more secure.
>iptables -A INPUT -i <if_lan> -j ACCEPT
>
>
>Rob
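A default-deny ruleset for the setup described in this thread (LAN behind a firewall/proxy on ppp0, squid on 3128, port 80 redirected into it), added here as an example and not part of either poster's mail. The interface names, the LAN-only accept for the proxy port, the conntrack state rules and the LOG rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny firewall/proxy ruleset:
# everything inbound is dropped unless the LAN asked for it, squid's port is
# reachable from the LAN only, and outbound connections get their replies back.
# Interface names and paths are assumptions; override them via the environment.
WAN="${WAN:-ppp0}"                 # PPPoE link carrying the permanent IP
LAN_IFS="${LAN_IFS:-eth0 eth2}"    # internal interfaces (the two REDIRECTed above)
SQUID_PORT="${SQUID_PORT:-3128}"
IPT="${IPT:-/usr/local/sbin/iptables}"

# Emits the complete ruleset, one iptables argument list per line.
ruleset() {
    echo "-F INPUT"; echo "-F FORWARD"; echo "-t nat -F"
    # Block all in (and through) by default, then open only what is needed.
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT ACCEPT"
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections started by the box or the LAN are let back in;
    # this is what makes "block all, allow outbound" work without opening ports.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for lan in $LAN_IFS; do
        # The proxy is reachable from inside only; port 80 is redirected into it.
        echo "-A INPUT -i $lan -p tcp --dport $SQUID_PORT -j ACCEPT"
        echo "-t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
        echo "-A FORWARD -i $lan -o $WAN -m state --state NEW -j ACCEPT"
    done
    # Probes of the proxy port from the Internet are logged, then dropped
    # (the INPUT policy would drop them anyway; the LOG line gives visibility).
    echo "-A INPUT -i $WAN -p tcp --dport $SQUID_PORT -j LOG --log-prefix proxy-probe:"
    echo "-A INPUT -i $WAN -p tcp --dport $SQUID_PORT -j DROP"
    echo "-t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

# Feeds each line to iptables; the line is deliberately unquoted so it splits
# into arguments (no rule above has a space inside a single argument).
apply_ruleset() {
    /sbin/modprobe ipt_MASQUERADE 2>/dev/null || true
    ruleset | while IFS= read -r line; do
        set -- $line
        "$IPT" "$@"
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Dry run by default (prints the commands); APPLY=1 installs them.
if [ -n "${APPLY:-}" ]; then apply_ruleset; else ruleset | sed "s|^|$IPT |"; fi
```

Compared with the script quoted above, note three things the dry run makes visible: `--dport` only works together with `-p tcp` (or `-p udp`), `DENY` is not an iptables target (it is `DROP`), and `iptables -t nat` on its own is not a flush and errors out without `-F`.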


