* blocking ports outbound
From: Joseph Sirucka @ 2003-03-12 12:22 UTC
To: netfilter

Hi All

I would like to know the rule to block ports outbound.

I am trying to block port 3128, my squid/proxy port.

regards
Joseph
* RE: blocking ports outbound
From: Rob Sterenborg @ 2003-03-12 15:45 UTC
To: netfilter

> I would like to know the rule to block ports outbound.
>
> I am trying to block port 3128 my squid/proxy port.

Soo, ehm, you want to prevent outbound packets from squid?
If you don't want squid to send packets, then why start squid at all.

Well, if that's what you really want to:

iptables -A OUTPUT -p tcp --sport 3128 -j REJECT --reject-with tcp-reset

or simply

iptables -A OUTPUT -p tcp --sport 3128 -j DROP

Or don't you want users from the outside (internet) to connect?

# Drops everything by default
iptables -P INPUT DROP

# Accepts anything coming in on your LAN interface,
# but you may want something more secure.
iptables -A INPUT -i <if_lan> -j ACCEPT

Rob
* Re: blocking ports outbound
From: Joseph Sirucka @ 2003-03-12 20:15 UTC
To: Rob Sterenborg; +Cc: netfilter

Hi

Maybe I got my question wrong.

I'm very new to iptables, coming from an ipfilter background.
In ipfilter I just state block all in and then open the ports I wish to allow through. Is there something similar in iptables?

I wish to stop the outside world from seeing the ports upon the firewall/proxy and beyond into my internal network.

My problem is I cannot join certain irc servers due to their open proxy policy.

So really, how do I block all ports internally while allowing something like a connection internally to go outbound and receive the packets back?

My current iptables config is

> #!/bin/bash
> /bin/echo "Firewall rules starting up now..."
> /sbin/modprobe ipt_MASQUERADE
> /usr/local/sbin/iptables -F
> /usr/local/sbin/iptables -t nat
> /usr/local/sbin/iptables -t mangle -F
> /usr/local/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
> /usr/local/sbin/iptables -A OUTPUT --dport 3128 -j DENY
> /usr/local/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> /usr/local/sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

Please pick apart my rules and tell me what I'm doing wrong.

As I stated, I'm a complete newbie to iptables.

My system is a firewall/proxy unit with an adsl connection running pppoe to the outside world. I receive a permanent ip upon the ppp0 interface.

I hope I make some sense.

thanks
Joseph
* RE: blocking ports outbound
From: Rob Sterenborg @ 2003-03-12 21:06 UTC
To: netfilter

> Maybe I got my question wrong.
>
> I'm very new to iptables coming from a ipfilter background.
> In ipfilter I just state block all in and then open the ports
> I wish to allow through. Is there something similiar in iptables.

Yes.

iptables -P INPUT DROP

Does just what it says: it drops all inbound packets for which there is no ACCEPT rule.

I guess you'd want the thing to be stateful:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If you want to accept packets on a certain port, you just do:

iptables -A INPUT -p <proto> --dport <port> -j ACCEPT

Or

iptables -A INPUT -i <if_in> -p <proto> --dport <port> -j ACCEPT

Or

iptables -A INPUT -s <src_ip|net> -p <proto> --dport <port> -j ACCEPT

There are of course more options that I didn't mention here; some can be used together.
In the examples above you could use both -i and -s in one rule to make sure an IP will match on a certain NIC.

> I wish to stop the outside world from seeing the ports upon
> the firewall/proxy and beyond into my internal network.
>
> My problem is I cannot join certain irc servers due to there
> open proxy policy.

Actually I'm not quite familiar with irc; never used it.

> So really how do I block all ports internally while allowing
> a something like a connection internally to go outbound and
> recieve the packets back.

On what port does the irc client connect? Is it 6667?
What if you forward port 6667 so it can contact the irc server directly?

> My current iptables config is
>
> #!/bin/bash
> /bin/echo "Firewall rules starting up now..."
> /sbin/modprobe ipt_MASQUERADE
> /usr/local/sbin/iptables -F

> /usr/local/sbin/iptables -t nat
                           ^^^^^^^^
What does this do? On my box it gives an error.
You specify what table iptables should use, but you don't give it any "command".

> /usr/local/sbin/iptables -t mangle -F
> /usr/local/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

> /usr/local/sbin/iptables -A OUTPUT --dport 3128 -j DENY
                                                     ^^^^^^
Do you want to DROP or REJECT?
DENY was in ipchains, not in iptables.

> Pl,ease pick apart my rules and tell me what I'm doing wrong.
>
> As I stated, I'm a complete newbie to iptables.
>
> My system is a firewall/proxy unit with a adsl connection
> running pppoe to the outside world. I recieve a permanent ip
> upon te ppp0 interface.

So eth0 and eth2 are connected to your lan I suppose, and are on different subnets.
If I'd have to make it work I'd try this:

# Stop forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# Load some modules
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# You may need ip_conntrack_irc and ip_nat_irc. Do you have these modules ?

# Flush all rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Set the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Make it stateful
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Don't know if you need to access the box itself from your lan ?
# If so then you need to do something like this.
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth2 -j ACCEPT

# Forward traffic from eth0 and eth2
iptables -A FORWARD -i eth0 -o ppp0 -s <lan_net1> -j ACCEPT
iptables -A FORWARD -i eth2 -o ppp0 -s <lan_net2> -j ACCEPT

# Redirect webclients to squid
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

# MASQ traffic from eth0 and eth2 destined for the internet
# You're using ppp so I don't think SNAT will work for you (it doesn't for me..)
iptables -t nat -A POSTROUTING -o ppp0 -s <lan_net1> -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -s <lan_net2> -j MASQUERADE

# Start forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Again: this may not work for your purpose, but it can be a start.

For more information about iptables there is a nice tutorial from Oskar:
http://iptables-tutorial.frozentux.net/
You may want to look there for a lot of information.

Rob
* Re: blocking ports outbound
From: Arnt Karlsen @ 2003-03-13 0:32 UTC
To: netfilter

On Wed, 12 Mar 2003 22:06:04 +0100, "Rob Sterenborg" <rob@sterenborg.info> wrote in message <001a01c2e8db$31a31b50$0401000a@sterenborg.info>:

[...]

> If I'd have to make it work I'd try this :
>
> # Stop forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward

[...]

> # Start forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward

..reason to put this echo at the end, is you don't want _any_ traffic, until you have the firewall ready for it.

> Again : this may not work for your purpose, but it can be a start.
>
> For more information about iptables there is a nice tutorial from
> Oskar:
> http://iptables-tutorial.frozentux.net/
> You may want to look there for a lot of information.
>
> Rob

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: best case, worst case, and just in case.
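Added example, not part of the thread and not Rob's or Joseph's script: a complete default-deny ruleset for the box described above, tying together Rob's first reply (the difference between blocking squid's own outbound packets with --sport on OUTPUT and blocking reachability of the proxy with --dport on INPUT), his second reply (DROP policy, stateful INPUT/FORWARD, per-interface ACCEPTs, REDIRECT and MASQUERADE) and Arnt's point about switching ip_forward on last. Assumed from the thread: ppp0 is the internet side, eth0 and eth2 are LAN interfaces, squid listens on 3128. The two LAN subnets are placeholders, since the thread never gives them. The script generates the iptables commands as text first, so the set can be reviewed (or checked, as in squid_exposed and forward_enabled_last) without root before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: ppp0 = internet, eth0 and
# eth2 = LAN, squid on 3128. LAN_NETS are placeholders, not from the thread.
WAN_IF=${WAN_IF:-ppp0}
LAN_IFS=${LAN_IFS:-"eth0 eth2"}
LAN_NETS=${LAN_NETS:-"192.168.1.0/24 192.168.2.0/24"}
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-iptables}

# gen_rules prints the commands, one per line, in the order they must run.
gen_rules() {
    # Stop forwarding before the tables are flushed: nothing should transit
    # the box while the filter is empty.
    echo "echo 0 > /proc/sys/net/ipv4/ip_forward"

    # Flush, then default-deny INPUT and FORWARD. OUTPUT stays ACCEPT so the
    # box itself (squid included) can still reach the internet.
    for t in filter nat mangle; do echo "$IPT -t $t -F"; done
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"

    # Loopback, then replies to connections the box or the LAN initiated.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # The actual problem in the thread: squid must not be reachable from the
    # internet. The DROP policy already covers this; an explicit logged rule
    # makes open-proxy scans show up in the kernel log.
    echo "$IPT -A INPUT -i $WAN_IF -p tcp --dport $SQUID_PORT -m state --state NEW -j LOG --log-prefix 'proxy-probe: '"
    echo "$IPT -A INPUT -i $WAN_IF -p tcp --dport $SQUID_PORT -j DROP"

    # Per LAN interface: allow the proxy port and the box itself, push port 80
    # through squid transparently, forward and masquerade the rest.
    set -- $LAN_NETS
    for ifc in $LAN_IFS; do
        net=$1; shift
        echo "$IPT -A INPUT -i $ifc -s $net -p tcp --dport $SQUID_PORT -j ACCEPT"
        echo "$IPT -A INPUT -i $ifc -s $net -j ACCEPT"
        echo "$IPT -t nat -A PREROUTING -i $ifc -s $net -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
        echo "$IPT -A FORWARD -i $ifc -o $WAN_IF -s $net -j ACCEPT"
        echo "$IPT -t nat -A POSTROUTING -o $WAN_IF -s $net -j MASQUERADE"
    done

    # Only now is forwarding switched on.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Self-checks that need no root: true if some rule ACCEPTs the squid port on
# the WAN interface (it must not), and true if forwarding is enabled last.
squid_exposed() {
    gen_rules | grep -q -- "-i $WAN_IF .*--dport $SQUID_PORT .*-j ACCEPT"
}
forward_enabled_last() {
    [ "$(gen_rules | tail -n 1)" = "echo 1 > /proc/sys/net/ipv4/ip_forward" ]
}

# "show" prints the commands, "apply" runs them (needs root); IPT=echo gives a dry run.
case "${1:-show}" in
    show)  gen_rules ;;
    apply) gen_rules | sh -e ;;
esac
```

Run it as `sh fw.sh show` to read the generated set, and `sh fw.sh apply` as root to load it. The INPUT rule that accepts the whole LAN is the same broad opening Rob flagged as "you may want something more secure"; narrow it to the services the LAN really needs (ssh, dns) once the basic set works.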