iptables rules for an ubuntu gateway (filtering connections to and from Internet)
I followed this article:
Setting up a simple Debian gateway
on an ubuntu server 6.10 linux box and it worked perfectly!
(many thanks to the author!!!)
Now I only need to put some limitations (but I don't know iptables rules...) in 00-firewall script.
This script is loaded at startup and it is:
- ONLY some MAC ADDRESSES (I decide which ones) must be able to use this gateway to surf the net
- machines behind the gateway can access only some ports (say ONLY 80) and estabilish connections only to/from some google subdomains (say ####.google.com and maps.google.it)
Well, my users should use Google earth (that makes connections to various ####.google.com domains) and http://maps.google.it
These must be THE ONLY CONNECTIONS ENABLED to and from Internet.
No other internet connection should be available through the gateway (no ssh, no smtp, no pop, no emule, no ftp, and so on...).
Can you help me to implement the right iptables rules (without using any proxy)?
How should I modify that script?
Thanks in advance for any suggestion.
beside checking out the man pages of iptables might bring you some more ideas I will start with a bit of direction to accomplish your task.
First thing do have for a firewall script is clean up. What you allready have in your script
iptables -F ...
Afte that you should generally set the Policies of all chains to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
After that you have to explicitly allow every little bit.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
I would not do this cause you would allow everything to go out
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
rather try something like
iptables -A FORWARD -i eth0 -o eth1 -d google.com -j ACCEPT
-d stands for destination. There is also the counterpart -s which stands for source.
I think you can set up the needed domains on your own from here. If not check back and i gladly help u.
To further improve the restriction to google.com see this
iptables -A FORWARD -i eth0 -o eth1 -d google.com -p tcp --dport 80 --sport 1024:65355 -j ACCEPT
OK, this one is rather long but brings best control (beside not having the mac inside)
-p stands for protocol. We have tcp udp icmp or any. --dport means destination port. (80 for http) --sport stands for sourceport. I'm normaly using all unpriviliged ports but there is a tweak in /proc/sys/net/ipv4/.. which restricts the ports that can be used.
The MAC address should work similar like that (taken from mind. check page )
iptables -A FORWARD -m mac MACADDRESS -s -d -..... -j ACCEPT
I'm not getting it right, but the -m is what you need to look out for. It stands for modules. Which there are a lot of. They all are well documented in the man pages.
One last thing for further ideas could be HomeLanSecurity, a very well developed gateway script, which you can download from sourceforge.net
Hope this answers most of your questions.
Thank you very very very much!!!
I'll try your suggestions as soon as possible and I'll let you know.
We are really near to our goal but... -d parameter only wants host or host/mask expressed as numeric ip address
google.com has got several different ip addresses... so I cannot write an iptable rule for every one of them!
Is there a way to express destination parameter as "google.com" (without quotes, and including all subdomains)?
Thanks for your help,
This a bit strange. It works for me. Using this iptables rule
iptables -A OUTPUT -d google.com -j LOG
on my laptop with kbunut these entrys come up
0 0 LOG all -- any any anywhere py-in-f99.google.com LOG level warning
0 0 LOG all -- any any anywhere jc-in-f99.google.com LOG level warning
0 0 LOG all -- any any anywhere eh-in-f99.google.com LOG level warning
(Try iptables -L -v to see all rules)
I also checked the manpage and it states that you can use an hostname or ip address with -d. Just make sure that you allow dns or have the names resolve localy inside your /etc/hosts file.
Please state the rule your trying to use and the error message it generates. Maybe you have a typo somewhere ?
|All times are GMT -5. The time now is 08:30 AM.|