On 10/23/19 20:58, Aaron Gray wrote:
Ah, that explains it. I cannot believe I did that, yes it should have
been 192.168.1.0/8!
And that explains the ! too?
It should probably be 192.168.1.0/24. The '!' means "not" -- i.e. don't
translate things with that destination.
You don't use MASQUERADE or the nat chain for filtering. Try this:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 443 -m comment --comment "HTTP/3" -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -j REJECT
iptables -P FORWARD DROP
This is exactly what I want: to be as prohibitive as I can to start
off with, for Windows installation, no HTTP or other ports, then I want
to use IPSET to only allow specific Microsoft IPs too. So all the
others go in the 'filter' chain by default?
If you're going to do this then what you may also want to do is log
anything you're blocking, e.g.:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 443 -m comment --comment "HTTP/3" -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp5s5 -j LOG --log-prefix "enp5s5 rejected:"
iptables -A FORWARD -i enp5s5 -j REJECT
iptables -P FORWARD DROP
Then check the logs on a regular basis and see what's there, because if
anything shows up it means that something is wrong -- either you're
blocking something you shouldn't be or you're blocking something you
should be but then it shouldn't even be trying to do that and you may
want to go remediate whatever is attempting to misbehave.
Note however that blocking arbitrary _outgoing_ connections to other
ports generally does more harm than good, because nearly all "bad"
things today are either using very specific ports (e.g. SMTP) or
(along with most things in general) are using TCP/443.
The primary result of blocking arbitrary outgoing ports by default
is to inconvenience applications that have to make connections to
peers with more than one computer behind the same IP address, which
thereby need to use more than one port. They then either break or
have to respond by falling back to typically slower/higher
latency/more expensive/centralized relaying through an external
server using TCP/443.
Instead you generally want to start here:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
And then reject the things you actually want to prohibit, e.g.:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -m comment --comment "no spamming" -j REJECT
iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -m comment --comment "no unencrypted HTTP" -j REJECT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
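The "check the logs on a regular basis" step above can be made a one-liner. The script below is an added example, not something from this thread; it feeds constructed kernel log lines (abbreviated to the fields that matter) through a function that tallies what the LOG rule recorded, by source, protocol/destination port and destination. Note that with --log-prefix "enp5s5 rejected:" and no trailing space the kernel writes "rejected:IN=" glued together, which the sample reproduces.

```shell
#!/bin/sh
# Constructed sample of what the LOG rule (--log-prefix "enp5s5 rejected:")
# leaves in the kernel log; real lines carry more fields (MAC=, TOS=, ID=, ...),
# which the parser below simply ignores. The last line is unrelated noise.
SAMPLE_LOG='Oct 24 09:12:01 gw kernel: enp5s5 rejected:IN=enp5s5 OUT=enp4s0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=25 SYN
Oct 24 09:12:03 gw kernel: enp5s5 rejected:IN=enp5s5 OUT=enp4s0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=25 SYN
Oct 24 09:13:10 gw kernel: enp5s5 rejected:IN=enp5s5 OUT=enp4s0 SRC=192.168.1.40 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=40022 DPT=80 SYN
Oct 24 09:14:00 gw kernel: enp5s5 rejected:IN=enp5s5 OUT=enp4s0 SRC=192.168.1.40 DST=198.51.100.7 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 24 09:14:30 gw kernel: eth0: link up'

# summarize_rejects: read log lines on stdin, keep only those written by the
# "enp5s5 rejected:" LOG rule, and print "<count> <src> <proto>/<dport> -> <dst>"
# lines, most frequent first. Protocols without ports (ICMP) show "-" as port.
# Real usage: journalctl -k | summarize_rejects   (or dmesg | summarize_rejects)
summarize_rejects() {
    grep 'enp5s5 rejected:' |
    awk '{
        proto = ""; dpt = "-"; dst = "?"; src = "?"
        # netfilter LOG output is a sequence of KEY=VALUE tokens; pick the ones we need
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        if (proto != "") count[src " " proto "/" dpt " -> " dst]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

Every line in the output is either a rule that is too strict for a legitimate client or a host on enp5s5 doing something it should not, which is the triage the message above describes.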
What about 137 and 139? I want them blocked.
Those would be incoming connections, right? The only ACCEPT rule
matching packets coming in the external interface is the one with "-m
state --state RELATED,ESTABLISHED", which doesn't match NEW connections,
so they hit the default policy (-P FORWARD DROP).