iptables help

iptables help

[Ashley M. Kirchner]

    I need some help adding a few blocking rules (*) to an iptables 
script that I once inherited, and grown over time.  I don't want to post 
the whole thing here because I don't need to be spamming everyone with 
it, but if there's a kind soul willing to help, I'll gladly send it 
(unless no one objects to getting the whole file.)

    (*) the basic gist is that I need to block places like hotmail.com, 
yahoo.com, and other sites from getting accessed from only two machines 
on our private network, during a specific period of time.  If we like 
the way it works, we'll add more machines/IPs to it later.

Re: iptables help

[Antony Stone]

On Thursday 29 July 2004 12:20 am, Ashley M. Kirchner wrote:

>     I need some help adding a few blocking rules (*) to an iptables
> script that I once inherited, and grown over time.  I don't want to post
> the whole thing here because I don't need to be spamming everyone with
> it, but if there's a kind soul willing to help, I'll gladly send it
> (unless no one objects to getting the whole file.)
>
>     (*) the basic gist is that I need to block places like hotmail.com,
> yahoo.com, and other sites from getting accessed from only two machines
> on our private network, during a specific period of time.  If we like
> the way it works, we'll add more machines/IPs to it later.

1. What help do you need?   Adding rules to block specific traffic is quite 
simple:

iptables -I FORWARD -s a.b.c.d -d w.x.y.z -p tcp --dport 80 -j REJECT

(this is assuming that you meant you want to block web access - I've assumed 
this because the domains you mentioned are best known as large websites)

a.b.c.d is the machine in your network you want the block to apply to
w.x.y.z is a machine on the Internet you don't want them to access

2. Applying a time window to rules is also fairly simple once you've applied 
the 'time' match from patch-o-matic:

iptables -I FORWARD -s a.b.c.d -d w.x.y.z -p txp --dport 80 -m time 
--timestart 09:00 --timestop 17:00 -j REJECT

Do block the same packets as for the previous rule, but only between 09:00 and 
17:00 each day.

3. If it is primarily web access you want to restrict, you may well find that 
Squid http://www.squid-cache.org is a better way of doing it; that can 
control access to domains by domain name rather than requiring a rule for 
each web server IP address (as netfilter does), and can also do time-based 
matching as a standard facility.

Hope this helps,

Regards,

Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Re: iptables help

[Ashley M. Kirchner]

On Thu, 29 Jul 2004, Antony Stone wrote:

> 1. What help do you need?   Adding rules to block specific traffic is quite 
> simple:

	Simple, yes, I agree.  However, because there are several sections 
in this iptables file, I'm not sure _where_ I need to be inserting more 
rules for it to work properly.

> iptables -I FORWARD -s a.b.c.d -d w.x.y.z -p tcp --dport 80 -j REJECT
> 
> a.b.c.d is the machine in your network you want the block to apply to
> w.x.y.z is a machine on the Internet you don't want them to access

	However, with places such as Yahoo and Hotmail, where there's a 
whole farm of machines doing the work, blocking per IP will simply result 
in a long list of rules, correct?  Is there a way to use a CIDR address?

> 3. If it is primarily web access you want to restrict, you may well find that 
> Squid http://www.squid-cache.org is a better way of doing it; that can 
> control access to domains by domain name rather than requiring a rule for 
> each web server IP address (as netfilter does), and can also do time-based 
> matching as a standard facility.

	I agree with this point as well, except we're time strapped right 
now and I'm not in a position to go install a new application, configure 
it, test it, make sure it all works, before I can block this particular 
traffic.  Unfortunately it's something that needed to happen last Monday, 
and I just haven't had time to even address the problem.  Right now, I 
just need to block that traffic, before management decides to blow their 
top.

-- 
L | I haven't lost my mind; it's backed up on tape somewhere.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:ashley@pcraft.com>   .   303.442.6410 x130
  IT Director / SysAdmin / WebSmith             .     800.441.3873 x130
  Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.

Re: Re: iptables help

[Antony Stone]

On Thursday 29 July 2004 5:29 pm, Ashley M. Kirchner wrote:

> On Thu, 29 Jul 2004, Antony Stone wrote:
> > 1. What help do you need?   Adding rules to block specific traffic is
> > quite simple:
>
> 	Simple, yes, I agree.  However, because there are several sections
> in this iptables file, I'm not sure _where_ I need to be inserting more
> rules for it to work properly.
>
> > iptables -I FORWARD -s a.b.c.d -d w.x.y.z -p tcp --dport 80 -j REJECT

"-I" will insert the rule at the top of the FORWARD chain, and therefore 
guarantees that these packet will be REJECTed, no matter other rules follow 
in your ruleset.

> > a.b.c.d is the machine in your network you want the block to apply to
> > w.x.y.z is a machine on the Internet you don't want them to access
>
> 	However, with places such as Yahoo and Hotmail, where there's a
> whole farm of machines doing the work, blocking per IP will simply result
> in a long list of rules, correct?  Is there a way to use a CIDR address?

Yes, you can say:

iptables -I FORWARD -s a.b.c.d -d w.x.y.z/n -p tcp --dport 80 -j REJECT

where w.x.y.z could be 192.168.38.64/29 for example, to block destination 
addresses 192.168.32.64 to 192.168.38.72

Regards,

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Re: iptables help

[Ashley M. Kirchner]

Antony Stone wrote:

>>>iptables -I FORWARD -s a.b.c.d -d w.x.y.z -p tcp --dport 80 -j REJECT
>>>
>
>"-I" will insert the rule at the top of the FORWARD chain, and therefore 
>guarantees that these packet will be REJECTed, no matter other rules follow 
>in your ruleset.
>
    Thanks for the explanation.  So I'm testing this out now, and I 
inserted:

iptables -I FORWARD -s 66.218.75.184 -d 192.168.1.253 -p tcp --dport 80 
-j REJECT

    66.218.75.184 == mail.yahoo.com (or login.yahoo.akadns.net, or 
l1.login.vip.scd.yahoo.com according to iptables -L), however that 
machine (.253) can still reach that address just fine.  What am I missing?

    I don't see a round-robin IP setup for mail.yahoo.com (much like 
what you'd see if you lookup www.yahoo.com) so I'm not quite sure why 
it's not blocking it.

-- 
W | I haven't lost my mind; it's backed up on tape somewhere.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:ashley@pcraft.com>   .   303.442.6410 x130
  IT Director / SysAdmin / WebSmith             .     800.441.3873 x130
  Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.

Re: Re: iptables help

[Antony Stone]

On Thursday 29 July 2004 10:07 pm, Ashley M. Kirchner wrote:

> Antony Stone wrote:
> >>>iptables -I FORWARD -s a.b.c.d -d w.x.y.z -p tcp --dport 80 -j REJECT
> >
> >"-I" will insert the rule at the top of the FORWARD chain, and therefore
> >guarantees that these packet will be REJECTed, no matter other rules
> > follow in your ruleset.
>
>     Thanks for the explanation.  So I'm testing this out now, and I
> inserted:
>
> iptables -I FORWARD -s 66.218.75.184 -d 192.168.1.253 -p tcp --dport 80
> -j REJECT
>
>     66.218.75.184 == mail.yahoo.com (or login.yahoo.akadns.net, or
> l1.login.vip.scd.yahoo.com according to iptables -L), however that
> machine (.253) can still reach that address just fine.  What am I missing?

You're missing the fact that 192.168.1.253 connects to 66.218.75.184 on 
destination port 80, not the other way round.

Try reversing the source & destination addresses in your rule and see if that 
does what you wanted.

Regards,

Antony.

-- 
If builders made buildings the way programmers write programs, then the first 
woodpecker to come along would destroy civilisation.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Re: iptables help

[Ashley M. Kirchner]

Antony Stone wrote:

>You're missing the fact that 192.168.1.253 connects to 66.218.75.184 on 
>destination port 80, not the other way round.
>  
>
    Yeah, I noticed that after sending the message.

Re: Re: iptables help

[Ashley M. Kirchner]

Antony Stone wrote:

>where w.x.y.z could be 192.168.38.64/29 for example, to block destination 
>addresses 192.168.32.64 to 192.168.38.72
>
    Heh, I just realized this won't help a whole helluva lot because 
www.yahoo.com's round-robin setup isn't contiguous:

    66.94.230.35
             .39
             .41
             .45
             .48
             .49
             .51
             .52

    And neither is www.hotmail.com (which redirects to passport.net anyway:

    207.68.171.233
              .239
              .245


    Do you suppose there are servers on the missing IPs, but they're 
just not operational at the moment?  (Which wouldn't surprise me to be 
honest.)

-- 
W | I haven't lost my mind; it's backed up on tape somewhere.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:ashley@pcraft.com>   .   303.442.6410 x130
  IT Director / SysAdmin / WebSmith             .     800.441.3873 x130
  Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.

Re: Re: iptables help

[Antony Stone]

On Thursday 29 July 2004 10:18 pm, Ashley M. Kirchner wrote:

> Antony Stone wrote:
> >where w.x.y.z could be 192.168.38.64/29 for example, to block destination
> >addresses 192.168.32.64 to 192.168.38.72
>
>     Heh, I just realized this won't help a whole helluva lot because
> www.yahoo.com's round-robin setup isn't contiguous:
>
>     And neither is www.hotmail.com (which redirects to passport.net anyway:
>
>     Do you suppose there are servers on the missing IPs, but they're
> just not operational at the moment?  (Which wouldn't surprise me to be
> honest.)

One way of looking at this is: "what does it matter anyway?"

Just block all TCP destination port 80 to the entire contiguous blocks - I 
really can't imagine there are going to be any interesting websites in the 
middle of the IPs of the ones you want to block, and restricting the rule to 
port 80 means you don't affect any other services such as DNS or SMTP.

Regards,

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to lead all 
customers out of a mire of technological chaos neatly ignores the fact that 
it was he who, by peddling second-rate technology, led them into it in the 
first place.

 - Douglas Adams in The Guardian, 25th August 1995

                                                     Please reply to the list;
                                                           please don't CC me.

RE: Re: iptables help

[Jason Opperisano]

>     Heh, I just realized this won't help a whole helluva lot because
> www.yahoo.com's round-robin setup isn't contiguous:
>
>     66.94.230.35
>              .39
>              .41
>              .45
>              .48
>              .49
>              .51
>              .52

$ i=35; while [ $i -le 52 ]; do echo -n "$i:"; lynx -dump 66.94.230.$i | head -3; let "i = $i + 1"; done

gives me nuthin' but "[1]Yahoo!"  so i'd say you're safe in blocking the range 66.94.230.35 - 66.94.230.52.

$ i=34; while [ $i -ge 1 ]; do echo -n "$i:"; lynx -dump 66.94.230.$i | head -3; let "i = $i - 1"; done

gives me Yahoo's down to .16 so i'd say you'd be safe blocking 66.94.230.16 - 66.94.230.52.

"-d 66.94.230.16/28" will block .16 - .31
"-d 66.94.230.32/28" will block .32 - .47
"-d 66.94.230.48/30" will block .48 - .51
"-d 66.94.230.52" will block .52

i'll leave hotmail as an excercise for the user...

someone already mentioned this--but this is *not* the "best" way to do this.  a transparent redirect to a squid server with a "dstdomain .yahoo.com" will block access to anything.yahoo.com regardless of IP address.

-j

Re: Re: iptables help

[Ashley M. Kirchner]

Jason Opperisano wrote:

>someone already mentioned this--but this is *not* the "best" way to do this.  a transparent redirect to a squid server with a "dstdomain .yahoo.com" will block access to anything.yahoo.com regardless of IP address.
>  
>
    This I understand, however this was the fastest solution I could 
implement considering the time constraints I'm working with.  I will 
most certainly look into installing/setting up squid in the future.

    Hey Jason?  Thanks for all your help.  Really appreciate it.  The 
same goes to the list in general as well.

-- 
W | I haven't lost my mind; it's backed up on tape somewhere.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:ashley@pcraft.com>   .   303.442.6410 x130
  IT Director / SysAdmin / WebSmith             .     800.441.3873 x130
  Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.