LinuxQuestions.org > Linux - Networking
iptables rules for an ubuntu gateway (filtering connections to and from Internet)
http://www.linuxquestions.org/questions/linux-networking-3/iptables-rules-for-an-ubuntu-gateway-filtering-connections-to-and-from-internet-549482/

Zingaro2002 04-27-2007 10:00 AM

iptables rules for an ubuntu gateway (filtering connections to and from Internet)
 
I followed this article:
Setting up a simple Debian gateway
http://www.debian-administration.org/articles/23
on an ubuntu server 6.10 linux box and it worked perfectly!

(many thanks to the author!!!)

Now I only need to put some limitations (but I don't know iptables rules...) in 00-firewall script.
This script is loaded at startup and it is:
Code:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside (eth1) to the inside (eth0).
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

Now I want that :
- ONLY some MAC ADDRESSES (I decide which ones) must be able to use this gateway to surf the net
AND
- machines behind the gateway can access only some ports (say ONLY 80) and establish connections only to/from some google subdomains (say ####.google.com and maps.google.it)

Well, my users should use Google earth (that makes connections to various ####.google.com domains) and http://maps.google.it

These must be THE ONLY CONNECTIONS ENABLED to and from Internet.

No other internet connection should be available through the gateway (no ssh, no smtp, no pop, no emule, no ftp, and so on...).

Can you help me to implement the right iptables rules (without using any proxy)?

How should I modify that script?

Thanks in advance for any suggestion.

zhjim 04-27-2007 11:11 AM

Hi Zingaro,

Besides checking out the man pages of iptables, which might bring you some more ideas, I will start with a bit of direction to accomplish your task.

The first thing to have in a firewall script is cleanup, which you already have in your script:
iptables -F ...

After that you should generally set the policies of all chains to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

After that you have to explicitly allow every little bit.

Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

I would not do this, because you would allow everything to go out:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Rather try something like:
iptables -A FORWARD -i eth0 -o eth1 -d google.com -j ACCEPT

-d stands for destination. There is also the counterpart -s which stands for source.
I think you can set up the needed domains on your own from here. If not, check back and I'll gladly help you.

To further improve the restriction to google.com see this:
iptables -A FORWARD -i eth0 -o eth1 -d google.com -p tcp --dport 80 --sport 1024:65535 -j ACCEPT

OK, this one is rather long but brings the best control (besides not having the MAC inside).
-p stands for protocol. We have tcp, udp, icmp or any. --dport means destination port (80 for http). --sport stands for source port. I'm normally using all unprivileged ports, but there is a tweak in /proc/sys/net/ipv4/.. which restricts the ports that can be used.

The MAC address should work similarly to that (from memory; check the page):
iptables -A FORWARD -m mac MACADDRESS -s -d -..... -j ACCEPT
I'm not getting it right, but the -m is what you need to look out for. It stands for modules, of which there are a lot. They are all well documented in the man pages.

One last thing for further ideas could be HomeLanSecurity, a very well developed gateway script, which you can download from sourceforge.net.

Hope this answers most of your questions.

Greets zhjim

Zingaro2002 04-27-2007 11:48 AM

Hi zhjim,
Thank you very very very much!!!

I'll try your suggestions as soon as possible and I'll let you know.
Thanks again,
Zingaro2002

Zingaro2002 05-03-2007 12:06 PM

Quote:

Originally Posted by zhjim

...To further improve the restriction to google.com see this
iptables -A FORWARD -i eth0 -o eth1 -d google.com -p tcp --dport 80 --sport 1024:65535 -j ACCEPT

well... thank you very much!
We are really near to our goal but... the -d parameter only wants a host or host/mask expressed as a numeric IP address.

google.com has got several different IP addresses... so I cannot write an iptables rule for every one of them!

Is there a way to express destination parameter as "google.com" (without quotes, and including all subdomains)?

Thanks for your help,
Zingaro2002

zhjim 05-06-2007 02:01 AM

This is a bit strange. It works for me. Using this iptables rule
iptables -A OUTPUT -d google.com -j LOG

on my laptop with kubuntu these entries come up:
0 0 LOG all -- any any anywhere py-in-f99.google.com LOG level warning
0 0 LOG all -- any any anywhere jc-in-f99.google.com LOG level warning
0 0 LOG all -- any any anywhere eh-in-f99.google.com LOG level warning

(Try iptables -L -v to see all rules)

I also checked the manpage and it states that you can use a hostname or IP address with -d. Just make sure that you allow DNS or have the names resolve locally inside your /etc/hosts file.

Please state the rule you're trying to use and the error message it generates. Maybe you have a typo somewhere?
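Added example, not the thread's script and not HomeLanSecurity: it pulls zhjim's directions together (default DROP policies, -m mac --mac-source allow-list, TCP/80 only) and shows what the -d hostname exchange above comes down to, since iptables resolves a name once at load time and stores addresses, so each name needs one rule per address and the script must be re-run when the records change. Interface names, MAC addresses and host names are assumed placeholders; running it with IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the thread's script: hardened gateway rules with default
# DROP policies, a MAC allow-list on the LAN side and one FORWARD rule per
# IPv4 address of each name the users may reach on TCP/80. Interface names,
# MAC addresses and host names are assumed placeholders.
LAN=eth0                                            # inside, as in the thread
WAN=eth1                                            # outside, as in the thread
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"  # constructed sample values
ALLOWED_HOSTS="maps.google.it kh.google.com"        # assumed names
IPT=${IPT:-iptables}    # IPT=echo prints the rules instead of loading them

# iptables stores addresses, not names: "-d google.com" is expanded at load
# time into whatever the name resolves to at that moment. Resolving explicitly
# (glibc getent) makes that visible and lets the script be re-run on change.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

apply_rules() {
    addrs=""   # resolve first: once OUTPUT is DROP the box cannot do lookups
    for h in $ALLOWED_HOSTS; do addrs="$addrs $(resolve_v4 "$h")"; done

    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A OUTPUT  -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -m state --state NEW ! -i "$WAN" -j ACCEPT  # LAN to box
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT   # gateway's own DNS

    # Only listed MACs, only to resolved addresses, only new TCP/80 (plus DNS
    # so clients can look the names up). A MAC is a hint, not proof: any LAN
    # host can set one, so this limits who may use the gateway, nothing more.
    for mac in $ALLOWED_MACS; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -m mac --mac-source "$mac" \
            -p udp --dport 53 -j ACCEPT
        for a in $addrs; do
            $IPT -A FORWARD -i "$LAN" -o "$WAN" -m mac --mac-source "$mac" \
                -d "$a" -p tcp --dport 80 -m state --state NEW -j ACCEPT
        done
    done
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    if [ "${IPT##*/}" = iptables ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

case "${1:-}" in apply) apply_rules ;; esac   # sudo sh gateway.sh apply
```

Anything not matched, including the old blanket "-i eth0 -o eth1 -j ACCEPT", falls through to the FORWARD DROP policy, so ssh, smtp, pop, ftp and the rest are refused without a rule each.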
