* filtering ruleset help sought
@ 2005-08-15 20:27 Barry Fawthrop
2005-08-15 20:49 ` John A. Sullivan III
2005-08-17 5:40 ` Grant Taylor
0 siblings, 2 replies; 5+ messages in thread
From: Barry Fawthrop @ 2005-08-15 20:27 UTC (permalink / raw)
To: netfilter
Hi
I was given a iptables ruleset (that I think was generated by firestarter)
I don't have GUI nor do I want to so I have no means to test it.
It runs on a gateway machine ETH0 = Wan and ETH1 = LAN NICs
I'm looking for a simple ruleset that will deny all outgoing traffic
accept to a list of IP addresses found in a file
and only on port 80 for HTTP access only.
I have this:
$IPT -t filter -A INPUT -s $INNET -d 0/0 -j DROP
$IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j DROP
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j DROP
while read s1 s2
do
$IPT -t filter -A INPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
$IPT -t filter -A OUTPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
done < /allowed-hosts
1) doesn't work complains about --dport
2) I can still ping other ip addresses not found in the allowed-hosts file?
Any help, most welcome
Thank You
Barry
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.9/72 - Release Date: 8/14/2005
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: filtering ruleset help sought
2005-08-15 20:27 filtering ruleset help sought Barry Fawthrop
@ 2005-08-15 20:49 ` John A. Sullivan III
2005-08-15 21:02 ` Barry Fawthrop
2005-08-17 5:40 ` Grant Taylor
1 sibling, 1 reply; 5+ messages in thread
From: John A. Sullivan III @ 2005-08-15 20:49 UTC (permalink / raw)
To: Barry Fawthrop; +Cc: netfilter
On Mon, 2005-08-15 at 16:27 -0400, Barry Fawthrop wrote:
> Hi
>
> I was given a iptables ruleset (that I think was generated by firestarter)
> I don't have GUI nor do I want to so I have no means to test it.
> It runs on a gateway machine ETH0 = Wan and ETH1 = LAN NICs
>
> I'm looking for a simple ruleset that will deny all outgoing traffic
> accept to a list of IP addresses found in a file
> and only on port 80 for HTTP access only.
>
> I have this:
>
> $IPT -t filter -A INPUT -s $INNET -d 0/0 -j DROP
> $IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j DROP
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j DROP
>
> while read s1 s2
> do
> $IPT -t filter -A INPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
> $IPT -t filter -A OUTPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
> done < /allowed-hosts
>
>
> 1) doesn't work complains about --dport
> 2) I can still ping other ip addresses not found in the allowed-hosts file?
>
> Any help, most welcome
> Thank You
> Barry
>
Hmm . . .looks a little strange. Do you want such access for this
specific device or for other devices on the internal network that use
this device as a gateway? The INPUT and OUTPUT chains will only handle
traffic to and from this device.
I would suggest you use connection tracking and you may find it easier
to use DROP policies. Thus:
$IPT -t filter -P INPUT DROP
$IPT -t filter -P OUTPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Then you can allow the outbound access including the protcol:
while read s1 s2
do
$IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j
ACCEPT
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
done < /allowed-hosts
If you want to allow other devices to access these sites through this
device, you will need rules in the FORWARD chain and probably an SNAT
rule in the nat table POSTROUTING chain. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: filtering ruleset help sought
2005-08-15 20:49 ` John A. Sullivan III
@ 2005-08-15 21:02 ` Barry Fawthrop
2005-08-15 21:22 ` John A. Sullivan III
0 siblings, 1 reply; 5+ messages in thread
From: Barry Fawthrop @ 2005-08-15 21:02 UTC (permalink / raw)
To: netfilter; +Cc: jsullivan
[-- Attachment #1: Type: text/plain, Size: 1281 bytes --]
Thanks John
Yes I want this machine and every other machine on the LAN to be denied
access to the Internet except to the sites or IPs listed
in the allowed-hosts file
So could you help what addionional rules would I need ?
John A. Sullivan III wrote:
>Hmm . . .looks a little strange. Do you want such access for this
>specific device or for other devices on the internal network that use
>this device as a gateway? The INPUT and OUTPUT chains will only handle
>traffic to and from this device.
>
>I would suggest you use connection tracking and you may find it easier
>to use DROP policies. Thus:
>
>$IPT -t filter -P INPUT DROP
>$IPT -t filter -P OUTPUT DROP
>$IPT -t filter -P FORWARD DROP
>$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>Then you can allow the outbound access including the protcol:
>
>while read s1 s2
> do
> $IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j ACCEPT
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
> done < /allowed-hosts
>
>
also what is the -p 6 ???
>If you want to allow other devices to access these sites through this
>device, you will need rules in the FORWARD chain and probably an SNAT
>rule in the nat table POSTROUTING chain. Good luck - John
>
>
Thanks
Barry
[-- Attachment #2: "AVG certification" --]
[-- Type: text/plain, Size: 144 bytes --]
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.9/72 - Release Date: 8/14/2005
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: filtering ruleset help sought
2005-08-15 21:02 ` Barry Fawthrop
@ 2005-08-15 21:22 ` John A. Sullivan III
0 siblings, 0 replies; 5+ messages in thread
From: John A. Sullivan III @ 2005-08-15 21:22 UTC (permalink / raw)
To: Barry Fawthrop; +Cc: netfilter
You may find it helpful to review a good tutorial on iptables. You can
find an excellent one at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
You can also find training slide shows (slightly dated) in the training
section of the ISCS network security management project
(http://iscs.sourceforge.net).
Basically, you will need the same rules in the FORWARD chain as in the
INPUT chain. You will also need a NAT rule, e.g.,
iptables -t nat -A POSTROUTING -o <ExternalIF> -s <Internal Network> -j
SNAT --to-source <ExternalIP>
On Mon, 2005-08-15 at 17:02 -0400, Barry Fawthrop wrote:
> Thanks John
>
> Yes I want this machine and every other machine on the LAN to be denied
> access to the Internet except to the sites or IPs listed
> in the allowed-hosts file
>
> So could you help what addionional rules would I need ?
>
>
>
> John A. Sullivan III wrote:
>
> >Hmm . . .looks a little strange. Do you want such access for this
> >specific device or for other devices on the internal network that use
> >this device as a gateway? The INPUT and OUTPUT chains will only handle
> >traffic to and from this device.
> >
> >I would suggest you use connection tracking and you may find it easier
> >to use DROP policies. Thus:
> >
> >$IPT -t filter -P INPUT DROP
> >$IPT -t filter -P OUTPUT DROP
> >$IPT -t filter -P FORWARD DROP
> >$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >Then you can allow the outbound access including the protcol:
> >
> >while read s1 s2
> > do
> > $IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j ACCEPT
> > $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
> > done < /allowed-hosts
> >
> >
> also what is the -p 6 ???
>
> >If you want to allow other devices to access these sites through this
> >device, you will need rules in the FORWARD chain and probably an SNAT
> >rule in the nat table POSTROUTING chain. Good luck - John
> >
> >
> Thanks
> Barry
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.338 / Virus Database: 267.10.9/72 - Release Date: 8/14/2005
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: filtering ruleset help sought
2005-08-15 20:27 filtering ruleset help sought Barry Fawthrop
2005-08-15 20:49 ` John A. Sullivan III
@ 2005-08-17 5:40 ` Grant Taylor
1 sibling, 0 replies; 5+ messages in thread
From: Grant Taylor @ 2005-08-17 5:40 UTC (permalink / raw)
To: netfilter
Yesh! That snippet of firewall code is, um, well interesting to say the least if not broken. (I'm very tired if I come off a bit crass.)
To do what you are wanting to do I would attempt something like the following:
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -N InternetTraffic
iptables -t filter -A InternetTraffic -d <IP of site 1> -j ACCEPT
iptables -t filter -A InternetTraffic -d <IP of site 2> -j ACCEPT
...
iptables -t filter -A InternetTraffic -d <IP of site n> -j ACCEPT
iptables -t filter -A InternetTraffic -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j InternetTraffic
iptables -t filter -A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -j InternetTraffic
iptables -t filter -A OUTPUT -o eth0 -p tcp --dport 80 -j InternetTraffic
iptables -t filter -A OUTPUT -o eth0 -p tcp --dport 443 -j InternetTraffic
iptables -t filter -A OUTPUT -o eth1 -j ACCEPT
One word to the wise. You will likely need to have DNS somewhere for your systems to be able to find the hosts that they want to get to. If said DNS needs to pass through your firewall you will need to update the rules accordingly to allow it.
Grant. . . .
Barry Fawthrop wrote:
> Hi
>
> I was given a iptables ruleset (that I think was generated by firestarter)
> I don't have GUI nor do I want to so I have no means to test it.
> It runs on a gateway machine ETH0 = Wan and ETH1 = LAN NICs
>
> I'm looking for a simple ruleset that will deny all outgoing traffic
> accept to a list of IP addresses found in a file
> and only on port 80 for HTTP access only.
>
> I have this:
>
> $IPT -t filter -A INPUT -s $INNET -d 0/0 -j DROP
> $IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j DROP
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j DROP
>
> while read s1 s2
> do
> $IPT -t filter -A INPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
> $IPT -t filter -A OUTPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
> done < /allowed-hosts
>
> 1) doesn't work complains about --dport
> 2) I can still ping other ip addresses not found in the allowed-hosts file?
>
> Any help, most welcome
> Thank You
> Barry
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2005-08-17 5:40 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-08-15 20:27 filtering ruleset help sought Barry Fawthrop
2005-08-15 20:49 ` John A. Sullivan III
2005-08-15 21:02 ` Barry Fawthrop
2005-08-15 21:22 ` John A. Sullivan III
2005-08-17 5:40 ` Grant Taylor
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.