* Block outbound host to specific port(s) using Masq./NAT?
@ 2005-01-03 21:52 Jerry2A
From: Jerry2A @ 2005-01-03 21:52 UTC (permalink / raw)
To: netfilter
Hello - this is probably a dumb question....I'm using iptables for my
home network (DSL) and I have masquerading, some port forwarding,
etc., etc., and everything works great...EXCEPT....I have a situation
where I occasionally want to block outbound traffic from a certain
host inside to a certain destination IP and/or port. For example, I'd
like to block one host from within my network from using Instant
Messenger but still allow web surfing. I've been able to dynamically
block ALL outbound access to the internet but I'm unable to restrict
access to certain destination ports.
So this works:
iptables -A INPUT -s 10.1.1.10 -j DROP
iptables -A OUTPUT -d 10.1.1.10 -j DROP
iptables -A FORWARD -d 10.1.1.10 -j DROP
And I thought I could do something like this:
iptables -A OUTPUT -s 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
iptables -A FORWARD -d 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
....but it has no effect.
I've tried different combinations of "-d and -s" and "--dport and
--sport" just to see if I was doing something backwards....no dice. I
was wondering if I needed to set up some kind of pre or post routing
because of the masquerading?
Any help would be appreciated.
Thanks!
Jerry A.
* Re: Block outbound host to specific port(s) using Masq./NAT?
From: Jason Opperisano @ 2005-01-03 22:05 UTC (permalink / raw)
To: netfilter
On Mon, 2005-01-03 at 16:52, Jerry2A wrote:
> Hello - this is probably a dumb question....I'm using iptables for my
> home network (DSL) and I have masquerading, some port forwarding,
> etc., etc., and everything works great...EXCEPT....I have a situation
> where I occasionally want to block outbound traffic from a certain
> host inside to a certain destination IP and/or port. For example, I'd
> like to block one host from within my network from using Instant
> Messenger but still allow web surfing. I've been able to dynamically
> block ALL outbound access to the internet but I'm unable to restrict
> access to certain destination ports.
>
> So this works:
> iptables -A INPUT -s 10.1.1.10 -j DROP
> iptables -A OUTPUT -d 10.1.1.10 -j DROP
> iptables -A FORWARD -d 10.1.1.10 -j DROP
>
> And I thought I could do something like this:
> iptables -A OUTPUT -s 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
> iptables -A FORWARD -d 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
> ....but it has no effect.
>
> I've tried different combinations of "-d and -s" and "--dport and
> --sport" just to see if I was doing something backwards....no dice. I
> was wondering if I needed to set up some kind of pre or post routing
> because of the masquerading?
>
> Any help would be appreciated.
>
> Thanks!
>
> Jerry A.
first--NAT/MASQ has nothing to do with this--we're talking about
FILTER-ing here.
second--INPUT and OUTPUT have nothing to do with blocking Internet
access for a host behind a gateway--that is the domain of FORWARD.
third--whatever rule you use to block access from host 10.1.1.10 needs
to come *before* any rule that allows all traffic from network
10.1.1.0/24 or from interface $inside.
finally:
iptables -I FORWARD -p tcp -s 10.1.1.10 --dport 5190 -j DROP
will insert a rule as the first rule in FORWARD that drops port 5190
traffic from 10.1.1.10.
keep in mind that blocking IM apps from connecting is often much more
complicated than dropping a single port, as they have a habit of
tunneling themselves through port 80.
-j
--
"I have thought this through. First, I will send Bart the money to
fly home. Then I will murder him."
--The Simpsons
* Fwd: Block outbound host to specific port(s) using Masq./NAT?
From: ASHISH @ 2005-01-04 9:06 UTC (permalink / raw)
To: netfilter
Sometimes knowing something about the protocol may help. For example
all ymessenger messages start with the string "YMSG" as a header in
application payload. I believe you can use string match to detect such
packets and drop them.
iptables -A FORWARD -m string --string 'YMSG' -j DROP
I haven't analysed any other IM protocol as of now, but I'm sure a
little bit of googling will help ya out of the situation.
On Mon, 03 Jan 2005 17:05:06 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Mon, 2005-01-03 at 16:52, Jerry2A wrote:
> > Hello - this is probably a dumb question....I'm using iptables for my
> > home network (DSL) and I have masquerading, some port forwarding,
> > etc., etc., and everything works great...EXCEPT....I have a situation
> > where I occasionally want to block outbound traffic from a certain
> > host inside to a certain destination IP and/or port. For example, I'd
> > like to block one host from within my network from using Instant
> > Messenger but still allow web surfing. I've been able to dynamically
> > block ALL outbound access to the internet but I'm unable to restrict
> > access to certain destination ports.
> >
> > So this works:
> > iptables -A INPUT -s 10.1.1.10 -j DROP
> > iptables -A OUTPUT -d 10.1.1.10 -j DROP
> > iptables -A FORWARD -d 10.1.1.10 -j DROP
> >
> > And I thought I could do something like this:
> > iptables -A OUTPUT -s 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
> > iptables -A FORWARD -d 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
> > ....but it has no effect.
> >
> > I've tried different combinations of "-d and -s" and "--dport and
> > --sport" just to see if I was doing something backwards....no dice. I
> > was wondering if I needed to set up some kind of pre or post routing
> > because of the masquerading?
> >
> > Any help would be appreciated.
> >
> > Thanks!
> >
> > Jerry A.
>
> first--NAT/MASQ has nothing to do with this--we're talking about
> FILTER-ing here.
>
> second--INPUT and OUTPUT have nothing to do with blocking Internet
> access for a host behind a gateway--that is the domain of FORWARD.
>
> third--whatever rule you use to block access from host 10.1.1.10 needs
> to come *before* any rule that allows all traffic from network
> 10.1.1.0/24 or from interface $inside.
>
> finally:
>
> iptables -I FORWARD -p tcp -s 10.1.1.10 --dport 5190 -j DROP
>
> will insert a rule as the first rule in FORWARD that drops port 5190
> traffic from 10.1.1.10.
>
> keep in mind that blocking IM apps from connecting is often much more
> complicated than dropping a single port, as they have a habit of
> tunneling themselves through port 80.
>
> -j
>
> --
> "I have thought this through. First, I will send Bart the money to
> fly home. Then I will murder him."
> --The Simpsons
--
cheers
Ashish
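To make the points in the two replies above concrete (a LAN host's packets never traverse OUTPUT, an appended DROP sits behind an earlier allow-all for the LAN, and a payload string match drops anything that happens to contain the string), here is an added Python model of first-match chain evaluation. It is not code from this thread or from netfilter; the gateway address, rule set, ports and payloads are constructed, and the verdict logic is a deliberate simplification (no conntrack, no nat table, single-position insert). One caveat for anyone copying the YMSG rule today: current iptables requires `--algo bm` or `--algo kmp` with `-m string`.

```python
"""Toy first-match model of the iptables filter chains (added example).

Models only what the replies discuss: which chain a packet traverses,
first-match evaluation, -A versus -I rule order, and a plain substring
match on the payload as `-m string` does.  Everything below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

GATEWAY_IP = "10.1.1.1"       # constructed: the masquerading box itself
INSIDE_NET = "10.1.1.0/24"    # constructed: the LAN behind it


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    payload: bytes = b""


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    src: Optional[str] = None        # -s address or CIDR
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    string: Optional[bytes] = None   # -m string --string

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.string is not None and self.string not in pkt.payload:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:      # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:      # iptables -I (rule 1)
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:                # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy


def chain_for(pkt: Packet) -> str:
    """OUTPUT sees what the gateway itself sends, INPUT what is addressed
    to it; anything routed through it is FORWARD only."""
    if pkt.src == GATEWAY_IP:
        return "OUTPUT"
    if pkt.dst == GATEWAY_IP:
        return "INPUT"
    return "FORWARD"


def build_chains(insert_block: bool) -> dict:
    """Typical home gateway: FORWARD allows the whole LAN out, then the
    port 5190 block is appended (-A) or inserted at the top (-I)."""
    fw = Chain(policy="DROP")
    fw.append(Rule("ACCEPT", src=INSIDE_NET))
    block = Rule("DROP", src="10.1.1.10", proto="tcp", dport=5190)
    (fw.insert if insert_block else fw.append)(block)
    out = Chain(policy="ACCEPT")
    out.append(block)   # the original poster's OUTPUT rule: never sees LAN traffic
    return {"INPUT": Chain(), "OUTPUT": out, "FORWARD": fw}


def gateway_verdict(chains: dict, pkt: Packet) -> str:
    return chains[chain_for(pkt)].verdict(pkt)


IM_PKT = Packet("10.1.1.10", "198.51.100.7", "tcp", 5190)   # constructed
WEB_PKT = Packet("10.1.1.10", "198.51.100.7", "tcp", 80)    # constructed


def demo_order() -> dict:
    """Same DROP rule, appended vs. inserted."""
    return {
        "chain_used": chain_for(IM_PKT),                             # FORWARD
        "appended": gateway_verdict(build_chains(False), IM_PKT),    # hidden behind LAN allow
        "inserted": gateway_verdict(build_chains(True), IM_PKT),     # DROP
        "web_still_ok": gateway_verdict(build_chains(True), WEB_PKT),
    }


def demo_string_match() -> dict:
    """A bare payload substring rule also drops unrelated traffic that
    merely mentions the string."""
    fw = Chain(policy="ACCEPT")
    fw.append(Rule("DROP", string=b"YMSG"))
    ymsg = Packet("10.1.1.10", "198.51.100.7", "tcp", 5050, payload=b"YMSG\x00\x0b\x00\x00")
    mail = Packet("10.1.1.10", "198.51.100.7", "tcp", 25, payload=b"Subject: notes on YMSG")
    return {"ymsg": fw.verdict(ymsg), "mail_false_positive": fw.verdict(mail)}


if __name__ == "__main__":
    print(demo_order())
    print(demo_string_match())
```

Running it prints the appended rule as ACCEPT and the inserted one as DROP for the same packet, which is exactly why the reply says the block must sit before the LAN allow-all; the second function shows the string rule catching a constructed mail packet as readily as the IM packet.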
* Re: Block outbound host to specific port(s) using Masq./NAT?
From: Jerry2A @ 2005-01-04 14:13 UTC (permalink / raw)
To: netfilter
Thanks for the help Gavin and Jason - sorry for the multiple posts.
Jerry
---
Jerry2A
* Re: Block outbound host to specific port(s) using Masq./NAT?
From: Georgi Alexandrov @ 2005-01-05 12:41 UTC (permalink / raw)
To: netfilter
If you're getting into "greping" packets payload for different
apps/services, you can try layer 7 filtering -
http://l7-filter.sourceforge.net/
regards,
Georgi Alexandrov
Jerry2A wrote:
>Hello - this is probably a dumb question....I'm using iptables for my
>home network (DSL) and I have masquerading, some port forwarding,
>etc., etc., and everything works great...EXCEPT....I have a situation
>where I occasionally want to block outbound traffic from a certain
>host inside to a certain destination IP and/or port. For example, I'd
>like to block one host from within my network from using Instant
>Messenger but still allow web surfing. I've been able to dynamically
>block ALL outbound access to the internet but I'm unable to restrict
>access to certain destination ports.
>
>So this works:
>iptables -A INPUT -s 10.1.1.10 -j DROP
>iptables -A OUTPUT -d 10.1.1.10 -j DROP
>iptables -A FORWARD -d 10.1.1.10 -j DROP
>
>And I thought I could do something like this:
>iptables -A OUTPUT -s 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
>iptables -A FORWARD -d 10.1.1.10 -p tcp -m tcp --dport 5190 -j DROP
>....but it has no effect.
>
>I've tried different combinations of "-d and -s" and "--dport and
>--sport" just to see if I was doing something backwards....no dice. I
>was wondering if I needed to set up some kind of pre or post routing
>because of the masquerading?
>
>Any help would be appreciated.
>
>Thanks!
>
>Jerry A.