LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 08-04-2009, 04:14 AM   #1
rashid_47010
LQ Newbie
 
Registered: Nov 2004
Location: Saudi Arabia
Distribution: CentOS/Fedora
Posts: 27

Rep: Reputation: 16
IPTables+Firewall


I want to bypass the specific MAC address.
Given below is my iptables output.
Please help to resolve this problem.

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:15:B7:33:6A:57
ACCEPT all -- anywhere anywhere MAC 00:15:B7:33:6A:57
ACCEPT all -- anywhere anywhere MAC 00:15:B7:33:6A:57

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 state NEW

DROP tcp -- anywhere anywhere tcp dpt:http

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 state NEW

DROP tcp -- anywhere anywhere tcp dpt:http

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 state NEW

DROP tcp -- anywhere anywhere tcp dpt:http

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:http
REJECT tcp -- anywhere anywhere tcp dpt:msnp reject-with icmp-port-unreachable
DROP tcp -- anywhere anywhere tcp dpt:msnp
DROP all -- anywhere 207.46.110.0/25
DROP all -- anywhere 207.46.104.20
REJECT tcp -- anywhere anywhere tcp dpt:msnp reject-with icmp-port-unreachable
DROP tcp -- anywhere anywhere tcp dpt:msnp
DROP all -- anywhere 207.46.110.0/25
DROP all -- anywhere 207.46.104.20
REJECT tcp -- anywhere anywhere tcp dpt:msnp reject-with icmp-port-unreachable
DROP tcp -- anywhere anywhere tcp dpt:msnp
DROP all -- anywhere 207.46.110.0/25
DROP all -- anywhere 207.46.104.20

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]#
 
Old 08-04-2009, 06:48 AM   #2
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 54
Where is the problem?
What does not work?
What does "Bypass" mean to you?
 
Old 08-04-2009, 08:17 AM   #3
rashid_47010
LQ Newbie
 
Registered: Nov 2004
Location: Saudi Arabia
Distribution: CentOS/Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
Yes.
For reference, below is my iptables script.

/sbin/iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

#iptables -I INPUT -m mac --mac-source 00-15-B7-33-6A-57 -j DROP # Actual...final statement for dropping a specific MAC address

iptables -I INPUT -m mac --mac-source 00-16-6F-50-64-5B -j ACCEPT # sample machine MAC address

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # every request should go through the iptables

iptables -A FORWARD -p TCP --dport 1863 -j DROP # block MSN Messenger




/sbin/iptables -A INPUT -p tcp --dport 80 -j DROP

iptables -I FORWARD 1 -p tcp --dport 80 -j DROP

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DROP

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128




Please reply.

Regards,

Rashid
 
Old 08-04-2009, 08:19 AM   #4
rashid_47010
LQ Newbie
 
Registered: Nov 2004
Location: Saudi Arabia
Distribution: CentOS/Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
This is my iptables script file.

Referring to that, I want that specific MAC to be able to browse, send/receive emails, download... in short, a free hand,


while the remaining network should go through the squid proxy server.


Please reply

Regards,


Rashid
 
Old 08-04-2009, 09:47 AM   #5
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 54
I'd set a policy of DROP - and then only open what you want.
I think that might have been the intention of:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # every request should go through the iptables
instead do:
Code:
iptables -P INPUT    DROP
iptables -P FORWARD  DROP
iptables -P OUTPUT   DROP

# then put your mac-specific rules - they seem to be o.k.
# you can also use -A instead of -I if you put them first
# in the mac you need to use colons instead of the minus sign, e.g.: 00:15:B7:33:6A:57

#iptables -I INPUT -m mac --mac-source 00:15:B7:33:6A:57 -j DROP # Actual...final statement for dropping a specific MAC address
iptables -I INPUT -m mac --mac-source 00:16:6F:50:64:5B -j ACCEPT # sample machine MAC address

# then the other rules...for port 25, 110, 1863 and so on
I'm not sure if your rules for squid are o.k. - this is not to worry you but to say that I just don't know.
 
Old 08-05-2009, 01:09 AM   #6
rashid_47010
LQ Newbie
 
Registered: Nov 2004
Location: Saudi Arabia
Distribution: CentOS/Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
Thanks for your kind reply.

The actual scenario is that I am using squid as a proxy server, and for email (SMTP/POP3) services.

But after running this script the users can easily bypass squid, so I redirect the traffic to squid's default port.

After that everyone is behind the proxy... but you know some executives need to be fully entertained. I just want there to be no need to configure anything on the laptop: just connect and start their work.

The remaining ones, though, should go through squid.

Please guide.
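The setup rashid describes (one MAC with a free hand, everyone else transparently redirected to squid) combined with jomen's default-DROP advice, as an added example that is not from the thread or any poster. Interface names, the squid port, the exempt MAC and the allow-listed forward ports are assumptions; IPT defaults to "echo iptables" so the rules can be reviewed as text before the script is run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not the thread's own script): generate an iptables rule set
# that exempts one MAC address from the squid redirect and gives it full
# forwarding, while every other LAN host gets port 80 redirected to squid
# and only an allow-list of other ports forwarded.
# Assumptions: eth1 faces the LAN, eth0 faces the Internet, squid listens
# on 3128, mail (25/110) runs on the gateway itself as in the original script.

IPT="${IPT:-echo iptables}"               # "echo iptables" = dry run
LAN_IF="${LAN_IF:-eth1}"                  # assumed LAN-facing interface
WAN_IF="${WAN_IF:-eth0}"                  # assumed Internet-facing interface
SQUID_PORT="${SQUID_PORT:-3128}"          # assumed squid listening port
FREE_MAC="${FREE_MAC:-00:16:6F:50:64:5B}" # colon-separated, as iptables requires
FWD_PORTS="${FWD_PORTS:-443}"             # assumed ports forwarded for non-exempt hosts

build_rules() {
    # Flush first: re-running a script that only appends is what produced
    # the triplicated rules in the iptables -L output at the top of the thread.
    $IPT -F
    $IPT -t nat -F
    # Default deny, then open only what is wanted.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The exempt host. -m mac only matches where the source MAC is known:
    # PREROUTING, INPUT and FORWARD, never OUTPUT or POSTROUTING.
    # ACCEPT in the nat PREROUTING chain means "do not NAT this packet", so
    # the exempt host skips the REDIRECT below; the FORWARD rule lets all
    # of its traffic out. Order matters: it must precede the REDIRECT.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$FREE_MAC" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$FREE_MAC" -j ACCEPT

    # Everyone else: port 80 goes transparently to squid on this box, and
    # INPUT must accept the redirected connections on squid's port.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -m state --state NEW -j ACCEPT

    # Mail on the gateway itself, as in the original script.
    $IPT -A INPUT -i "$LAN_IF" -p tcp -m multiport --dports 25,110 -m state --state NEW -j ACCEPT

    # Non-exempt hosts may forward only allow-listed ports (so 1863/MSN is
    # out by default); the rest is logged and dropped, which makes attempts
    # to tunnel around squid visible in the kernel log.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --dports "$FWD_PORTS" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "FWD-DROP: " --log-level info
    $IPT -A FORWARD -i "$LAN_IF" -j DROP

    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Sanity check on the generated rules: the MAC exemption must come before
# the REDIRECT in nat PREROUTING, otherwise the exempt host is redirected too.
exempt_before_redirect() {
    build_rules | awk '
        /-t nat -A PREROUTING/ && /--mac-source/ { m = NR }
        /-t nat -A PREROUTING/ && /REDIRECT/     { r = NR }
        END { exit !(m > 0 && r > 0 && m < r) }'
}

build_rules
```

Two caveats a practitioner would want: the MAC match only works for hosts on the same Ethernet segment as the gateway (behind another router the gateway sees that router's MAC), and a source MAC can be set by the client, so this exemption is a convenience for a trusted laptop, not an authentication mechanism.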
 
Old 08-15-2009, 01:20 AM   #7
rashid_47010
LQ Newbie
 
Registered: Nov 2004
Location: Saudi Arabia
Distribution: CentOS/Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
Friend,

Yesterday one of my friends did something interesting: in the proxy settings in Explorer he simply put the
loopback address (127.0.0.1:9000), a 9-thousand-series port, and I am amazed that he opened all websites, even those blocked by me and even those blocked by our country's gateway.

Very interesting.

Please advise.

Regards,

Rashid
 