* multiport
@ 2005-06-16 13:59 Sadus .
  2005-06-16 14:16 ` multiport Jason Opperisano
  2005-06-16 14:17 ` multiport Carl Holtje ;021;vcsg6;
  0 siblings, 2 replies; 7+ messages in thread
From: Sadus . @ 2005-06-16 13:59 UTC (permalink / raw)
  To: netfilter

Hello, I want to drop ALL connections on my internal NIC except:
20,21,80,443
Is this correct? (although not working)


iptables -A INPUT -i eth1 -s 172.16.3.0/16 -p tcp -m multiport ! \
    --destination-port 20,21,80,443 -j DROP #USERS

which basically means: if the source is in 172.16.3.0, then drop everything except
HTTP, FTP, HTTPS. That is so that this IP range is not able to
connect to Instant Messaging services such as MSN, AIM, Yahoo etc.,
while keeping other IP ranges able to use them.

Thanks
-- 
Sadus . <sadus@swiftbin.net>
Swiftbin.net



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: multiport
  2005-06-16 13:59 multiport Sadus .
@ 2005-06-16 14:16 ` Jason Opperisano
  2005-06-16 14:57   ` multiport /dev/rob0
  2005-06-16 14:17 ` multiport Carl Holtje ;021;vcsg6;
  1 sibling, 1 reply; 7+ messages in thread
From: Jason Opperisano @ 2005-06-16 14:16 UTC (permalink / raw)
  To: netfilter

On Thu, Jun 16, 2005 at 04:59:51PM +0300, Sadus . wrote:
> Hello i want to drop ALL connections on my internal NIC except:
> 20,21,80,443
> is this correct? (although not working)
> 
> 
> iptables -A INPUT -i eth1 -s 172.16.3.0/16 -p tcp -m multiport !
> --destination-port  20,21,80,443 -j DROP #USERS
> 
> which basicaly means if source is in 172.16.3.0 then drop all except for
> HTTP,FTP,HTTPS. that's in order for that IP range to not be able to
> connect to Instant Messenging services such as MSN, AIM, Yahoo etc...
> while keeping other IP ranges be able to use them.

unless you're trying to keep them from connecting to MSN, AIM, Yahoo etc
on your firewall vs. hosts on the internet, you want those rules in
FORWARD, not INPUT.  also, it's often much more logical to explicitly
allow what you want and then deny everything else vs. using negation in
your rules.  so *i* would do this:

  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  iptables -A FORWARD -i eth1 -p tcp -s 172.16.3.0/16 \
    -m multiport --dports 21,80,443 -j ACCEPT

  iptables -A FORWARD -i eth1 -p tcp -s 172.16.3.0/16 -j DROP

keep in mind that most messenger apps (i know msn does this) will
connect to a proxy at microsoft over port 80 if its default port (TCP
1863) is blocked.  the proper way to stop this is to force all TCP port
80 traffic through an application-level proxy such as squid.

-j

--
"Cult Leader: Are you a confused adolescent desperately seeking
 acceptance from an undifferentiated ego mass that demands conformity?"
        --Family Guy



* Re: multiport
  2005-06-16 13:59 multiport Sadus .
  2005-06-16 14:16 ` multiport Jason Opperisano
@ 2005-06-16 14:17 ` Carl Holtje ;021;vcsg6;
  1 sibling, 0 replies; 7+ messages in thread
From: Carl Holtje ;021;vcsg6; @ 2005-06-16 14:17 UTC (permalink / raw)
  To: Sadus .; +Cc: netfilter

On Thu, 16 Jun 2005, Sadus . wrote:

> Hello i want to drop ALL connections on my internal NIC except:
> 20,21,80,443
> is this correct? (although not working)
>
>
> iptables -A INPUT -i eth1 -s 172.16.3.0/16 -p tcp -m multiport !
> --destination-port  20,21,80,443 -j DROP #USERS

iptables -P INPUT DROP
iptables -A INPUT -i eth1 -s 172.16.3.0/16 -p tcp -m multiport \
--destination-port 20,21,80,443 -j ACCEPT

Which does what your English description says: drops all by default, but
allows ports 20, 21, 80, 443 from your 172.16.3.0/16 network, over eth1.

Carl

- --

"There are 10 types of people in the world: Those who understand binary
and those that don't."




* Re: multiport
  2005-06-16 14:16 ` multiport Jason Opperisano
@ 2005-06-16 14:57   ` /dev/rob0
  2005-06-16 15:26     ` multiport Sadus .
  0 siblings, 1 reply; 7+ messages in thread
From: /dev/rob0 @ 2005-06-16 14:57 UTC (permalink / raw)
  To: netfilter

On Thursday 16 June 2005 09:16, Jason Opperisano wrote:
> On Thu, Jun 16, 2005 at 04:59:51PM +0300, Sadus . wrote:
> > iptables -A INPUT -i eth1 -s 172.16.3.0/16 -p tcp -m multiport !
> > --destination-port  20,21,80,443 -j DROP #USERS
> >
> > which basicaly means if source is in 172.16.3.0 then drop all
> > except for HTTP,FTP,HTTPS. that's in order for that IP range to not
> > be able to connect to Instant Messenging services such as MSN, AIM,
> > Yahoo etc... while keeping other IP ranges be able to use them.
>
> unless you're trying to keep them from connecting to MSN, AIM, Yahoo
> etc on your firewall vs. hosts on the internet, you want those rules
> in FORWARD, not INPUT.  also, it's often much more logical to
> explicitly allow what you want and then deny everything else vs.
> using negation in your rules.  so *i* would do this:
>
>   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>   iptables -A FORWARD -i eth1 -p tcp -s 172.16.3.0/16 \
>     -m multiport --dports 21,80,443 -j ACCEPT
>
>   iptables -A FORWARD -i eth1 -p tcp -s 172.16.3.0/16 -j DROP

Minor additions here. First be aware of the CIDR specification, as it 
might not be what you want:
# iptables -vA INPUT -s 172.16.3.0/16
  all opt -- in * out *  172.16.0.0/16  -> 0.0.0.0/0
It takes you up to the /16 which contains 172.16.3.0. The written 
description sounded like you wanted 172.16.3.0/24 (172.16.3.0-255.)

Jason properly left out the --dport 20 because it's used outbound. You 
will need the ipt_nat_ftp module to NAT FTP connections.

> keep in mind that most messenger apps (i know msn does this) will
> connect to a proxy at microsoft over port 80 if its default port (TCP
> 1863) is blocked.  the proper way to stop this is to force all TCP
> port 80 traffic through an application-level proxy such as squid.

Right again. It's VERY difficult to block MSN in particular. If you're 
serious about it you need to keep an eye on their servers and block 
them by IP. I did it once, but they are a moving target. My blocks are 
probably no longer effective (except for the transparent HTTP proxy.)

'Net censorship is not an easy thing. I think it's more effective to 
deal with human issues in human terms. I do what the management wants 
me to do, but when they ask for things like this I tell them what I 
think of it. :)
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* Re: multiport
  2005-06-16 14:57   ` multiport /dev/rob0
@ 2005-06-16 15:26     ` Sadus .
  2005-06-16 15:59       ` multiport /dev/rob0
  2005-06-17  8:16       ` multiport Jörg Harmuth
  0 siblings, 2 replies; 7+ messages in thread
From: Sadus . @ 2005-06-16 15:26 UTC (permalink / raw)
  To: /dev/rob0; +Cc: netfilter

Maybe a misconception from my part here, please correct me:

When you want to block an IP from connecting to the internet, should I
use:
iptables -A INPUT -i $INTERNAL -s 192.168.1.2 -j DROP
or
iptables -A FORWARD -i $INTERNAL -s 192.168.1.2 -j DROP, or both?

Since the firewall is set as the gateway, any client will try to
connect to the IP of the gateway to then establish a connection with the
site needed. If I already block that IP from connecting to my NIC via the
INPUT chain, then there is no need for me to DROP in FORWARD, or is it
the other way around?


Correction:
I want to drop MSN for all of 172.168.3.*, so /24 should be used, since
172.168.2.* should be able to connect to MSN.



On Thu, 2005-06-16 at 09:57 -0500, /dev/rob0 wrote:
> On Thursday 16 June 2005 09:16, Jason Opperisano wrote:
> > On Thu, Jun 16, 2005 at 04:59:51PM +0300, Sadus . wrote:
> > > iptables -A INPUT -i eth1 -s 172.16.3.0/16 -p tcp -m multiport !
> > > --destination-port  20,21,80,443 -j DROP #USERS
> > >
> > > which basicaly means if source is in 172.16.3.0 then drop all
> > > except for HTTP,FTP,HTTPS. that's in order for that IP range to not
> > > be able to connect to Instant Messenging services such as MSN, AIM,
> > > Yahoo etc... while keeping other IP ranges be able to use them.
> >
> > unless you're trying to keep them from connecting to MSN, AIM, Yahoo
> > etc on your firewall vs. hosts on the internet, you want those rules
> > in FORWARD, not INPUT.  also, it's often much more logical to
> > explicitly allow what you want and then deny everything else vs.
> > using negation in your rules.  so *i* would do this:
> >
> >   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >   iptables -A FORWARD -i eth1 -p tcp -s 172.16.3.0/16 \
> >     -m multiport --dports 21,80,443 -j ACCEPT
> >
> >   iptables -A FORWARD -i eth1 -p tcp -s 172.16.3.0/16 -j DROP
> 
> Minor additions here. First be aware of the CIDR specification, as it 
> might not be what you want:
> # iptables -vA INPUT -s 172.16.3.0/16
>   all opt -- in * out *  172.16.0.0/16  -> 0.0.0.0/0
> It takes you up to the /16 which contains 172.16.3.0. The written 
> description sounded like you wanted 172.16.3.0/24 (172.16.3.0-255.)
> 
> Jason properly left out the --dport 20 because it's used outbound. You 
> will need the ipt_nat_ftp module to NAT FTP connections.
> 
> > keep in mind that most messenger apps (i know msn does this) will
> > connect to a proxy at microsoft over port 80 if its default port (TCP
> > 1863) is blocked.  the proper way to stop this is to force all TCP
> > port 80 traffic through an application-level proxy such as squid.
> 
> Right again. It's VERY difficult to block MSN in particular. If you're 
> serious about it you need to keep an eye on their servers and block 
> them by IP. I did it once, but they are a moving target. My blocks are 
> probably no longer effective (except for the transparent HTTP proxy.)
> 
> 'Net censorship is not an easy thing. I think it's more effective to 
> deal with human issues in human terms. I do what the management wants 
> me to do, but when they ask for things like this I tell them what I 
> think of it. :)
-- 
Sadus . <sadus@swiftbin.net>
Swiftbin.net




* Re: multiport
  2005-06-16 15:26     ` multiport Sadus .
@ 2005-06-16 15:59       ` /dev/rob0
  2005-06-17  8:16       ` multiport Jörg Harmuth
  1 sibling, 0 replies; 7+ messages in thread
From: /dev/rob0 @ 2005-06-16 15:59 UTC (permalink / raw)
  To: netfilter

On Thursday 16 June 2005 10:26, Sadus . wrote:
> Maybe a misconception from my part here, please correct me:
>
> When you want to block an IP from connecting to the internet, should
> i use:
> iptables -A INPUT -i $INTERNAL -s 192.168.1.2 -j DROP
> or
> iptables -A FORWARD -i $INTERNAL -s 192.168.1.2 -j DROP or both?

INPUT blocks someone connecting to the firewall machine. FORWARD blocks 
forwarding through the firewall machine.

> since the firewall is set to the gateway, then any client will try to
> connect to the IP of the gateway to then establish a connection with
> the site needed, if i already block that IP to connect to my NIC via
> the INPUT chain, then there is no need for me to DROP in FORWARD, or
> is it the other way around?

http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

Every packet hits exactly one of the builtin filter chains (except lo 
traffic, which hits OUTPUT when generated and then INPUT if/when 
accepted.) INPUT is not touched when both source and destination are 
not local.

> correction,
> i want to drop MSN to all 172.168.3.* to /24 should be used since
> 172.168.2.* should be able to connect to MSN.

Right.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
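As an added illustration (not code from this thread or from the netfilter project), the following Python models the three points the replies above establish: that a packet traverses exactly one of INPUT, FORWARD or OUTPUT depending on whether the firewall itself is the destination or source, that iptables masks a `-s 172.16.3.0/16` down to `172.16.0.0/16` the way /dev/rob0 showed, and how Jason's allow-then-drop FORWARD rules evaluate in first-match order. The gateway addresses (172.16.0.1 inside, 198.51.100.7 outside), the remote server 203.0.113.5 and the proxy port 3128 are constructed assumptions, not values from the thread.

```python
"""Toy model of the netfilter filter-table traversal discussed in this thread.
Constructed example; not netfilter code and not anyone's posted ruleset.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_if: str = "eth1"     # interface the packet arrived on (-i)
    state: str = "NEW"      # what the 'state' match would report


@dataclass
class Rule:
    target: str                                   # ACCEPT or DROP
    in_if: Optional[str] = None                   # -i
    proto: Optional[str] = None                   # -p
    src: Optional[ipaddress.IPv4Network] = None   # -s
    dports: FrozenSet[int] = frozenset()          # -m multiport --dports
    states: FrozenSet[str] = frozenset()          # -m state --state

    def matches(self, pkt: Packet) -> bool:
        # Every option given on the rule must match; omitted options match anything.
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def normalize(cidr: str) -> str:
    """What iptables stores for -s: host bits are masked off, so
    172.16.3.0/16 becomes 172.16.0.0/16 (the point /dev/rob0 raised)."""
    return str(ipaddress.ip_network(cidr, strict=False))


def which_chain(pkt: Packet, local_addrs: FrozenSet[str]) -> str:
    """A packet traverses exactly one of INPUT, FORWARD or OUTPUT (lo aside);
    INPUT only when the firewall itself is the destination."""
    if pkt.dst in local_addrs:
        return "INPUT"
    if pkt.src in local_addrs:
        return "OUTPUT"
    return "FORWARD"


def first_match(rules: List[Rule], pkt: Packet, policy: str) -> str:
    """iptables semantics: the first matching rule wins, else the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def jason_forward_rules(users_cidr: str) -> List[Rule]:
    """The three FORWARD rules from Jason's reply, with the user subnet as a parameter."""
    net = ipaddress.ip_network(users_cidr, strict=False)
    return [
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", in_if="eth1", proto="tcp", src=net, dports=frozenset({21, 80, 443})),
        Rule("DROP", in_if="eth1", proto="tcp", src=net),
    ]


def decide(pkt: Packet, tables: Dict[str, List[Rule]], policies: Dict[str, str],
           local_addrs: FrozenSet[str]) -> Tuple[str, str]:
    chain = which_chain(pkt, local_addrs)
    return chain, first_match(tables[chain], pkt, policies[chain])


# Constructed: the gateway's inside (eth1) and outside addresses.
GATEWAY = frozenset({"172.16.0.1", "198.51.100.7"})


def example_verdicts(users_cidr: str) -> Dict[str, Tuple[str, str]]:
    tables = {"INPUT": [], "FORWARD": jason_forward_rules(users_cidr), "OUTPUT": []}
    policies = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
    cases = {  # constructed packets; 203.0.113.5 stands in for a remote server
        "user_to_msn_1863": Packet("172.16.3.10", "203.0.113.5", 1863),
        "user_https": Packet("172.16.3.10", "203.0.113.5", 443),
        "reply_to_user": Packet("203.0.113.5", "172.16.3.10", 51000, in_if="eth0", state="ESTABLISHED"),
        "user_to_gateway_proxy": Packet("172.16.3.10", "172.16.0.1", 3128),
        "neighbour_subnet_1863": Packet("172.16.2.5", "203.0.113.5", 1863),
    }
    return {name: decide(pkt, tables, policies, GATEWAY) for name, pkt in cases.items()}


if __name__ == "__main__":
    for cidr in ("172.16.3.0/16", "172.16.3.0/24"):
        print(cidr, "is stored as", normalize(cidr))
        for name, (chain, verdict) in example_verdicts(cidr).items():
            print(f"  {name:24} -> {chain:8} {verdict}")
```

Running it for both CIDRs shows the two things worth checking before loading such rules: with `/16` the neighbouring 172.16.2.x host is dropped along with the 172.16.3.x users, while with `/24` it falls through to the FORWARD policy; and the packet aimed at a proxy on the gateway lands in INPUT, where none of the FORWARD rules apply, which is why the answer to "INPUT or FORWARD?" depends on whether clients talk to the gateway or through it.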



* Re: multiport
  2005-06-16 15:26     ` multiport Sadus .
  2005-06-16 15:59       ` multiport /dev/rob0
@ 2005-06-17  8:16       ` Jörg Harmuth
  1 sibling, 0 replies; 7+ messages in thread
From: Jörg Harmuth @ 2005-06-17  8:16 UTC (permalink / raw)
  To: netfilter

Hi,

Sadus . wrote:
> Maybe a misconception from my part here, please correct me:
> 
> When you want to block an IP from connecting to the internet, should i
> use: 
> iptables -A INPUT -i $INTERNAL -s 192.168.1.2 -j DROP
> or 
> iptables -A FORWARD -i $INTERNAL -s 192.168.1.2 -j DROP or both?
> 
> since the firewall is set to the gateway, then any client will try to
> connect to the IP of the gateway to then establish a connection with the
> site needed, if i already block that IP to connect to my NIC via the
> INPUT chain, then there is no need for me to DROP in FORWARD, or is it
> the other way around? 

It depends on your configuration. If you use a proxy on your gateway /
firewall like squid, then the INPUT chain will be hit, because your
clients connect to your proxy. BTW, in this configuration you don't need
to set ip_forward to 1.

If, on the other hand, there is no proxy, then your clients connect
directly to the respective site on the internet and thus the forward
chain will be hit. Because your clients use RFC 1918 addresses, which
will be dropped on the first router on the internet, you need a
MASQUERADE / SNAT rule in nat / POSTROUTING in this case. Otherwise
nothing will work. And you must set ip_forward to 1.

Generally I agree with all the people saying that the best
approach is to have a DROP policy in INPUT / FORWARD and then only allow
the traffic you want. It's simple and clean in my opinion.

HTH and have a nice time,

Joerg



