Re: filtering ruleset help sought

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 2005-08-15 at 16:27 -0400, Barry Fawthrop wrote:
> Hi
> 
> I was given a iptables ruleset (that I think was generated by firestarter)
> I don't have GUI nor do I want to so I have no means to test it.
> It runs on a gateway machine ETH0 = Wan and ETH1 = LAN NICs
> 
> I'm looking for a simple ruleset that will deny all outgoing traffic 
> accept to a list of IP addresses found in a file
> and only on port 80 for HTTP access only.
> 
> I have this:
> 
> $IPT -t filter -A INPUT -s $INNET -d 0/0 -j DROP
> $IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j DROP
> $IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j DROP
> 
> while read s1 s2
>      do
>            $IPT -t filter -A INPUT  -s $INNET -d $s1 --dport 80 -j ACCEPT
>            $IPT -t filter -A OUTPUT -s $INNET -d $s1 --dport 80 -j ACCEPT
>            $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
>      done < /allowed-hosts
> 
> 
> 1) doesn't work complains about --dport
> 2) I can still ping other ip addresses not found in the allowed-hosts file?
> 
> Any help, most welcome
> Thank You
> Barry
> 
Hmm . . .looks a little strange.  Do you want such access for this
specific device or for other devices on the internal network that use
this device as a gateway? The INPUT and OUTPUT chains will only handle
traffic to and from this device.

I would suggest you use connection tracking and you may find it easier
to use DROP policies. Thus:

$IPT -t filter -P INPUT DROP
$IPT -t filter -P OUTPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Then you can allow the outbound access including the protcol:

while read s1 s2
     do
           $IPT -t filter -A OUTPUT -s $INNET -d $s1 -p 6 --dport 80 -j
ACCEPT
           $IPT -t filter -A OUTPUT -p icmp -s $INNET -d $s1 -j ACCEPT
     done < /allowed-hosts

If you want to allow other devices to access these sites through this
device, you will need rules in the FORWARD chain and probably an SNAT
rule in the nat table POSTROUTING chain.  Good luck - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux