RE: (no subject)

> Now I happen to have a proxy server running on the
> same machine as the web server, and I would like to
> block incoming traffic to my web server from addresses
> which are not Portuguese. I already got a list of the
> IP ranges and net masks of all autonomous systems
> located in Portugal. I first tried to accept all those
> IP ranges, and then dropped all other incoming. What
> happens is that the proxy will accept connections only
> from those IP ranges I accepted initially (the
> Portuguese ones). Let's say I'm trying to connect to
> hotmail.com. It won't work since that IP range is not
> being accepted.

If I understand this correctly...:

If you don't want to accept IPs that are not from Portugal then you
should put the block in the INPUT chain only.
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s <ip/mask> -j ACCEPT
...
iptables -A INPUT -s <ip/mask> -j ACCEPT
Accept everything that has a rule; drop the rest.
The RELATED,ESTABLISHED rule catches everything you need in addition to
the initial connection.


If you want Squid to connect to hotmail.com for you, it generates
outgoing traffic -> it needs an OUTPUT rule to let it do that.
When you set the default policy of the OUTPUT chain to DROP, it can
cause unexpected results if you don't accept packets coming back from
the server. If set to ACCEPT, you shouldn't need a rule for the OUTPUT
chain to accept.
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3128 -j ACCEPT

> Is there a way to accept connections related to
> previous connections made to this machine on port 3128
> (Squid default port)?

See above.

> I want to accept connections that, even if they do not
> match the IP ranges I'm accepting, are related
> to a previous connection made to the proxy server,
> on whatever the proxy port will be ;))

The connections are two-way:
1. from web browser to proxy and vice versa (initial conn. is INPUT)
2. from proxy to web server and vice versa (initial conn. is OUTPUT)
You have to write rules for the initial connection, and catch the rest
with "RELATED,ESTABLISHED".

> I'm aware this cannot be this easy... but I still
> believe there is a way out :))

Of course ;-)


Gr,
Rob
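The rule set Rob sketches above, written out as an added example (this is not code from the thread or from the Squid or netfilter projects): a small POSIX sh script that turns a list of allowed source networks into an iptables-restore file, with DROP policies on INPUT and OUTPUT and RELATED,ESTABLISHED rules catching the return traffic in both directions. The CIDRs in it are constructed TEST-NET placeholders, not the Portuguese AS list the poster has. It also goes a little beyond the exchange: the allowed ranges are limited to the proxy port rather than to every port, loopback is accepted, and the outbound rule for Squid's own connections matches on destination port 80/443 with state NEW, because Squid opens those connections from an ephemeral source port, so a `--sport 3128` match would not see them.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a Squid proxy that only accepts
# new client connections from a list of allowed source networks.
# Constructed example; nothing here is applied to the running firewall.

# Constructed placeholder networks (RFC 5737 TEST-NET ranges).
# Replace with the real per-AS list, one CIDR per line.
ALLOWED_CIDRS="192.0.2.0/24
198.51.100.0/24"

PROXY_PORT=3128          # Squid default port, as in the thread

# gen_rules <newline-separated CIDR list> <proxy port>
# Prints a complete iptables-restore "filter" table to stdout.
gen_rules() {
    cidrs=$1
    port=$2
    printf '%s\n' '*filter'
    # Default policies: drop anything not explicitly accepted below.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'

    # INPUT: loopback, then everything belonging to a known connection
    # (replies to Squid's outbound fetches land here too).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # INPUT: new connections to the proxy port, one rule per allowed network.
    printf '%s\n' "$cidrs" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        printf '%s\n' "-A INPUT -p tcp -s $cidr --dport $port -m state --state NEW -j ACCEPT"
    done

    # OUTPUT: loopback, replies to accepted client connections, and the
    # new connections Squid itself opens toward origin web servers.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Helpers used to sanity-check the generated table without loading it.
count_accept_rules() { gen_rules "$1" "$2" | grep -c -- '-j ACCEPT'; }
count_new_rules()    { gen_rules "$1" "$2" | grep -c -- '--state NEW'; }
has_rule()           { gen_rules "$1" "$2" | grep -qxF -- "$3"; }

# Stand-alone use:  sh proxy-rules.sh --print > /etc/iptables/proxy.v4
# then review the file and load it with:  iptables-restore < /etc/iptables/proxy.v4
if [ "${1:-}" = "--print" ]; then
    gen_rules "$ALLOWED_CIDRS" "$PROXY_PORT"
fi
```

The script only writes the table; loading it needs root, and because both default policies are DROP it is worth loading from a console session rather than over SSH, and keeping the previous ruleset (`iptables-save`) at hand to restore. The DNS lookups Squid needs are not covered by the port 80/443 rules, so a UDP/TCP 53 OUTPUT rule is the usual next addition.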
