Linux - Networking
Hi, I'm trying to set up a gateway server in a local network, and I need to limit the allowed websites in the network to a whitelist. Here is an example of what I'm doing (allowing only gmail, google, and this forum), but it does not seem to work. What am I missing? Thanks.
Code:
# iptables -F
# iptables -A OUTPUT -s www.ubuntuforums.org -j ACCEPT
# iptables -A OUTPUT -s www.google.com -j ACCEPT
# iptables -A OUTPUT -s www.gmail.com -j ACCEPT
# iptables -A OUTPUT -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 72.14.205.83 anywhere
ACCEPT all -- 72.14.205.19 anywhere
ACCEPT all -- 72.14.203.104 anywhere
ACCEPT all -- 72.14.203.99 anywhere
ACCEPT all -- 82.211.81.186 anywhere
DROP all -- anywhere anywhere
The truth is I tried with the Ubuntu forums and didn't get an answer after a few days. So I'm turning to this forum for help... and being lazy and all, I just did a copy-paste!
Anyway, you're right, I will eventually route all PCs through my Ubuntu server, but for now I'm just experimenting on my laptop to learn the syntax.
Okay... instead of a BUMP message, let me ask this question.
I've been reading elsewhere about this subject, and I found that I can use Squid and DansGuardian to accomplish Internet filtering. Do I really need to go that far? All I need is to block all websites and allow only those on a whitelist; shouldn't this be simple to do with iptables? If not, why? Thanks.
When you say it doesn't work, what do you mean exactly, i.e. you can't get any sites, or it doesn't restrict?
For OUTPUT, why don't you make the policy DROP, since this is sort of what you are doing anyway?
Are you testing from the machine running iptables? If not, it's the FORWARD policies you should be restricting.
Not an expert on iptables, but don't you want to check the destination on the OUTPUT chain, not the source (or alternatively use the INPUT chain)? Could be way wrong here.
If you only have a short list, I think Squid would be overkill, and DansGuardian is more a content filter from what I've seen.
Quote:
When you say it doesn't work, what do you mean exactly, i.e. you can't get any sites, or it doesn't restrict?
Can't get any sites at all; I can't even ping www.google.com although it's in the list.
Quote:
For OUTPUT, why don't you make the policy DROP, since this is sort of what you are doing anyway.
I just tried that and it didn't work either. Still, I see what you are saying, and I think it would be a more reasonable approach to block everything as a policy and allow only a few websites.
Quote:
Are you testing from the machine running iptables? If not, it's the FORWARD policies you should be restricting.
I'm testing from the machine running iptables; once I have it working I'll play with the FORWARD policies and Internet sharing.
Quote:
Not an expert on iptables, but don't you want to check the destination on the OUTPUT chain, not the source (or alternatively use the INPUT chain)? - Could be way wrong here.
Tried it with no luck.
Quote:
If you only have a short list, I think squid would be overkill, and dansguardian is more a content filter from what I've seen.
Bill
I think I'm doing something fundamentally wrong in iptables, as from the man pages it looks like it should be easy to do what I'm trying to do... Anyway, thank you very much, Bill, for your help... if you have other things I can try, please post back.
I had the world's quickest play with my iptables setup. What I did was change my FORWARD rules so that port 80 was not open, and I inserted the following:
$IPTABLES -A FORWARD --protocol ALL -d 82.211.81.186 -j ACCEPT
where $IPTABLES points to the iptables binary and the IP above is for the Ubuntu forum.
This seems to work fine. Note I used the destination not the source.
What I think is happening to you is that you are blocking more than just every other web address: you are also blocking DNS, etc., etc. This means that when you try to browse, say, Ubuntu's forum, your computer tries to resolve the domain name to an IP address using DNS on port 53. However, this is blocked, so it can never resolve the address.
Try using the line I had above, or, since iptables seems to resolve the names OK, simply type the IP address into your browser and see if that works.
If it does, try opening port 53 to tcp and udp on the OUTPUT chain.
As I said, I still think you want to specify the destination though.
Rgds
Bill
Last edited by billymayday; 07-06-2006 at 04:45 PM.
Quote:
What I think is happening to you is that you are blocking more than just every other web address: you are also blocking DNS, etc., etc. This means that when you try to browse, say, Ubuntu's forum, your computer tries to resolve the domain name to an IP address using DNS on port 53. However, this is blocked, so it can never resolve the address.
Try using the line I had above, or, since iptables seems to resolve the names OK, simply type the IP address into your browser and see if that works.
If it does, try opening port 53 to tcp and udp on the OUTPUT chain.
As I said, I still think you want to specify the destination though.
Thank you so much billymayday, I think you are right. I did have multiple problems in my syntax:
- I was using source instead of using destination in OUTPUT
- I was blocking all ports including DNS (as ping worked fine)
Now I'm using the below syntax, with the 1st or 2nd line repeated for each site I want to allow.
Still, with this setup, and due to my novice networking understanding, I have the following two issues:
- I'm only blocking port 80 (the WWW port, as I understand it). I need to have complete control over my outbound connections, and so I want to limit all other ports except the ones needed for browsing the allowed sites. How do I do that?
- Little did I know that each site uses more than one IP address, and using the www.website.com name doesn't help either. For example, I needed to allow about 6 to 9 IPs to be able to get to Slashdot.org. Is there a better way? At least a way to discover all addresses (IP or names) needed for each website.
All in all, thank you very much for your help. I know now much more than what I started with!
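One practical way to answer the "which addresses does this site actually need" question above is to capture the outbound web connections once while browsing the site and collect the distinct destinations. The script below is an added example written for this page, not code from the thread or from any poster; the tcpdump lines it parses are constructed for the example from TEST-NET addresses, not a real capture, and the interface name eth0 in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: find every address a site really
# needs by watching the outbound web connections while you browse it once,
# e.g. on the gateway (interface name assumed):
#   tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0 and dst port (80 or 443)' | web_destinations
# The sample below is constructed for this example from TEST-NET addresses,
# not a real capture.
SAMPLE='12:00:01.000001 IP 192.168.1.10.44321 > 198.51.100.7.80: Flags [S], seq 1, win 5840, length 0
12:00:01.004210 IP 198.51.100.7.80 > 192.168.1.10.44321: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.210000 IP 192.168.1.10.44322 > 198.51.100.19.443: Flags [S], seq 1, win 5840, length 0
12:00:01.300000 IP 192.168.1.10.44323 > 198.51.100.7.80: Flags [S], seq 1, win 5840, length 0
12:00:02.000000 IP 192.168.1.10.44324 > 203.0.113.9.80: Flags [S], seq 1, win 5840, length 0
12:00:02.100000 IP 192.168.1.10.51000 > 203.0.113.53.53: UDP, length 40'

# web_destinations: read "tcpdump -n" lines on stdin and print "ADDRESS PORT"
# for each distinct destination of an outbound TCP SYN to port 80 or 443,
# in first-seen order. SYN-ACKs from the server ([S.]) and non-TCP lines
# are skipped, so only connections the client initiated are listed.
web_destinations() {
    awk '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            dst = $5                          # e.g. 198.51.100.7.80:
            sub(/:$/, "", dst)
            n = split(dst, p, ".")            # p[5] is the port
            if (n == 5 && (p[5] == "80" || p[5] == "443")) {
                key = p[1] "." p[2] "." p[3] "." p[4] " " p[5]
                if (!seen[key]++) print key
            }
        }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE" | web_destinations
```

Each output line is an address and port pair, which maps directly onto one `-d ADDRESS -p tcp --dport PORT -j ACCEPT` rule. Repeat the capture a few times, since sites behind several addresses hand out different ones on different visits, and note that a name given to iptables is resolved only once, at the moment the rule is inserted.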
When you connect to a web site, you use port 80. However, when the website responds, a random high-numbered port is used. You should have a statement that accepts incoming established connections.
IMHO, in the long run, the Squid/DansGuardian/iptables route may work out better. It is what some schools use, and there are example configurations on the web you could base your setup on. There is a pretty good howto out there if you google for it, and it has been referenced on this site; searching for "list guardian" on this site may turn up the answer.
I have a functional filtering example running now, and for the input I will block everything except tcp/port 80. But I think it needs some more fine-tuning; here is what I have now:
- When a page is filtered out, the browser takes a long time to come back with an "unable to connect" message. I would like to have a "Host prohibited" message displayed, and quickly; shouldn't the reject-with option do that?
- In the example below I needed 5 IP addresses to allow me to check my Hotmail; shouldn't the "ESTABLISHED,RELATED" rule allow all traffic coming from Hotmail after the connection is established?