Re: blocking ports outbound

Hi

Maybe I got my question wrong.

I'm very new to iptables, coming from an ipfilter background. In ipfilter I just state "block all in" and then open the ports I wish to allow through. Is there something similar in iptables?

I wish to stop the outside world from seeing the ports upon the firewall/proxy and beyond into my internal network.

My problem is I cannot join certain IRC servers due to their open-proxy policy.

So really, how do I block all ports internally while allowing something like a connection internally to go outbound and receive the packets back?

My current iptables config is:

#!/bin/bash
/bin/echo "Firewall rules starting up now..."
/sbin/modprobe ipt_MASQUERADE
# Flush the filter, nat and mangle tables before adding rules.
/usr/local/sbin/iptables -F
/usr/local/sbin/iptables -t nat -F
/usr/local/sbin/iptables -t mangle -F
# Masquerade everything leaving via the PPPoE link and enable routing.
/usr/local/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# "--dport" needs "-p tcp"; DENY is an ipchains target, the iptables equivalent is DROP.
# Note: the OUTPUT chain only matches packets the firewall itself sends to port 3128.
/usr/local/sbin/iptables -A OUTPUT -p tcp --dport 3128 -j DROP
# Transparent proxy: redirect web traffic arriving from the LAN interfaces to squid.
/usr/local/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
/usr/local/sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

Please pick apart my rules and tell me what I'm doing wrong.

As I stated, I'm a complete newbie to iptables.

My system is a firewall/proxy unit with an ADSL connection running PPPoE to the outside world. I receive a permanent IP upon the ppp0 interface.

I hope I make some sense.

thanks

Joseph

Rob Sterenborg wrote:
> > I would like to know the rule to block ports outbound.
> >
> > I am trying to block port 3128, my squid/proxy port.
>
> Soo, ehm, you want to prevent outbound packets from squid?
> If you don't want squid to send packets, then why start squid at
> all?
>
> Well, if that's what you really want:
> iptables -A OUTPUT -p tcp --sport 3128 -j REJECT --reject-with tcp-reset
> or simply
> iptables -A OUTPUT -p tcp --sport 3128 -j DROP
>
>
> Or don't you want users from the outside (internet) to connect?
>
> # Drops everything by default
> iptables -P INPUT DROP
>
> # Accepts anything coming in on your LAN interface,
> # but you may want something more secure.
> iptables -A INPUT -i <if_lan> -j ACCEPT
>
>
> Rob
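The ipfilter-style "block all in, then open what you need" ruleset that the question asks for, written as an added example (it is not code from either poster). The interface names ppp0, eth0 and eth2 and squid's port 3128 are taken from the post; the IPT/SYSCTL dry-run variables, which make the script print its commands instead of applying them, are this example's own convention.

```shell
#!/bin/sh
# Default-deny, stateful iptables ruleset for a masquerading gateway with a
# transparent squid proxy. Dry-run by default: IPT="echo iptables" prints
# each rule. Run as root with IPT=/sbin/iptables SYSCTL=/sbin/sysctl to apply.
WAN="${WAN:-ppp0}"                 # PPPoE link to the Internet (from the post)
LAN_IFS="${LAN_IFS:-eth0 eth2}"    # internal interfaces (from the post)
PROXY_PORT="${PROXY_PORT:-3128}"   # squid's listening port (from the post)
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

firewall_rules() {
    # Start from a clean slate. -F does not touch chain policies, so set them
    # explicitly: nothing comes in or through unless a rule below allows it.
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT

    # The equivalent of ipfilter's "keep state": replies to connections that
    # the firewall or a LAN host opened are let back in, nothing else is.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Explicitly drop new connections arriving on the WAN (the policy already
    # does this; the rule makes the intent visible and gives you a place to
    # hang a LOG rule). This is what stops an IRC server's open-proxy probe
    # from ever reaching squid on PROXY_PORT.
    $IPT -A INPUT -i "$WAN" -m state --state NEW -j DROP

    for lan in $LAN_IFS; do
        # LAN hosts may open connections to the firewall itself (DNS, squid, ssh...).
        $IPT -A INPUT -i "$lan" -m state --state NEW -j ACCEPT
        # LAN hosts may open connections out to the Internet. Nothing allows
        # WAN -> LAN, so the internal network stays invisible from outside.
        $IPT -A FORWARD -i "$lan" -o "$WAN" -m state --state NEW -j ACCEPT
        # Transparent proxy: only web traffic from the LAN is redirected to squid.
        $IPT -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 \
            -j REDIRECT --to-ports "$PROXY_PORT"
    done

    # Hide LAN addresses behind the (fixed but PPP-assigned) WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Routing must be on for FORWARD to see any traffic at all.
$SYSCTL -w net.ipv4.ip_forward=1
firewall_rules
```

Run it once without variables to review the generated rules, then again with IPT and SYSCTL pointing at the real binaries. Because the INPUT policy is DROP and no rule accepts NEW traffic from ppp0, port 3128 (and every other port on the firewall) is closed to the Internet while LAN clients still reach squid and IRC replies still come back through the ESTABLISHED,RELATED rules. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; both work.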

