LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 06-26-2007, 06:01 AM   #1
sunlinux
Member
 
Registered: Feb 2006
Distribution: RHCL 5
Posts: 226

Rep: Reputation: 30
block internet traffic


I configured NAT on redhat using DSL modem, My objective is I want to allow/access only pop(110) and smtp(25) thru it, I want to block all http, https traffic from lan.

Pls tell me how do i add rules to achive the same.

do not gv me any link pls.

setupNATTING)
ppp0=internet
eth0-Lan
 
Old 06-26-2007, 06:15 AM   #2
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
# opens up ports 25 (SMTP) and 110 (POP3)

iptables -I FORWARD -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop all other traffic

iptables -A FORWARD -j DROP


you could drop only http and https traffic, but then you'd have to worry about proxies.
 
Old 06-26-2007, 06:42 AM   #3
sunlinux
Member
 
Registered: Feb 2006
Distribution: RHCL 5
Posts: 226

Original Poster
Rep: Reputation: 30
slack. it didn't help.. pls look at given NAT configuration n suggest me

#!/bin/sh

# IPTABLES PROXY script for the Linux 2.4 kernel.
# This script is a derivitive of the script presented in
# the IP Masquerade HOWTO page at:
# http://www.tldp.org/HOWTO/IP-Masquer...-examples.html
# It was simplified to coincide with the configuration of
# the sample system presented in the Guides section of
# www.aboutdebian.com
#
# This script is presented as an example for testing ONLY
# and should not be used on a production proxy server.
#
# PLEASE SET THE USER VARIABLES
# IN SECTIONS A AND B OR C

echo -e "\n\nSETTING UP IPTABLES PROXY..."


# === SECTION A
# ----------- FOR EVERYONE

# SET THE INTERFACE DESIGNATION FOR THE NIC CONNECTED TO YOUR INTERNAL NETWORK
# The default value below is for "eth0". This value
# could also be "eth1" if you have TWO NICs in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely have
# have an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the internal interface's designation for the
# INTIF variable:

INTIF="eth0"


# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
# The default value below is "ppp0" which is appropriate
# for a MODEM connection.
# If you have two NICs in your system change this value
# to "eth0" or "eth1" (whichever is opposite of the value
# set for INTIF above). This would be the NIC connected
# to your cable or DSL modem (WITHOUT a cable/DSL router).
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the external interface's designation for the
# EXTIF variable:

EXTIF="ppp0"


# ! ! ! ! ! Use ONLY Section B *OR* Section C depending on
# ! ! ! ! the type of Internet connection you have.


# === SECTION B
# ----------- FOR THOSE WITH STATIC PUBLIC IP ADDRESSES

# SET YOUR EXTERNAL IP ADDRESS
# If you specified a NIC (i.e. "eth0" or "eth1" for
# the external interface (EXTIF) variable above,
# AND if that external NIC is configured with a
# static, public IP address (assigned by your ISP),
# UNCOMMENT the following EXTIP line and enter the
# IP address for the EXTIP variable:

#EXTIP="your.static.IP.address"



# === SECTION C
# ---------- DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS


# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
# If you get your IP address dynamically from SLIP, PPP,
# BOOTP, or DHCP, UNCOMMENT the command below.
# (No values have to be entered.)
# Note that if you are uncommenting these lines then
# the EXTIP line in Section B must be commented out.

EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"


# -------- No more variable setting beyond this point --------


echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading proxy server rules..."

# Clearing any existing rules and setting default policy
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# FWD: Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

iptables -I FORWARD -m tcp -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 53 -j ACCEPT

iptables -A FORWARD -j DROP


# Enabling SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e " Proxy server rule loading complete\n\n"
 
Old 06-26-2007, 06:47 AM   #4
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
Quote:
Originally Posted by sunlinux

iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT


iptables -I FORWARD -m tcp -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 53 -j ACCEPT

iptables -A FORWARD -j DROP
The colored line needs to be removed

edit: also DNS uses udp 53 for queries. tcp 53 is for zone transfers. so the following line needs to be changed from:

iptables -I FORWARD -m tcp -p tcp --dport 53 -j ACCEPT

to

iptables -I FORWARD -m udp -p udp --dport 53 -j ACCEPT

Last edited by SlackDaemon; 06-26-2007 at 06:49 AM.
 
Old 06-26-2007, 07:24 AM   #5
sunlinux
Member
 
Registered: Feb 2006
Distribution: RHCL 5
Posts: 226

Original Poster
Rep: Reputation: 30
thanx dude.. I liked ur prompt reply..solved






U guys take linux to the moon..
 
Old 06-26-2007, 11:13 AM   #6
jrbush82
Member
 
Registered: Mar 2002
Location: Hampton, VA
Posts: 86

Rep: Reputation: 15
Quote:
Originally Posted by SlackDaemon
edit: also DNS uses udp 53 for queries. tcp 53 is for zone transfers. so the following line needs to be changed from:
TCP is not only used for zone transfers. If there is a need for a DNS server to send more than 512 bytes of data, then TCP is used.
 
Old 06-26-2007, 11:08 PM   #7
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
Quote:
Originally Posted by jrbush82
TCP is not only used for zone transfers. If there is a need for a DNS server to send more than 512 bytes of data, then TCP is used.
true but thats quite a rare occurence

edit: Junior's right. It appears that if organizations use virtual IPs for their server farms and have a certain number of servers, the DNS information is considerably larger. This is not uncommon in larger organizations nowadays. You'll want to add the TCP 53 port back into your script if you have removed it.

Last edited by SlackDaemon; 06-26-2007 at 11:36 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Block Out Traffic on IPCop depam Linux - Software 2 08-23-2006 02:38 AM
how block this traffic echox Linux - Security 5 06-21-2006 11:21 PM
possible to block msn traffic? flamesrock Linux - Software 3 05-26-2005 10:10 PM
How can block my SMTP Traffic? krishnakishore Linux - Networking 3 06-19-2004 08:49 AM
Block Kazaa2 traffic jekyl Linux - Security 4 03-13-2003 04:53 AM


All times are GMT -5. The time now is 11:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration