Old 04-27-2007, 11:00 AM   #1
Zingaro2002
Member
 
Registered: Feb 2002
Location: Italy
Distribution: Fedora Core 1, Red Hat 8, Red Hat 9, Knoppix 3.3 (debian sarge)
Posts: 97

iptables rules for an ubuntu gateway (filtering connections to and from Internet)


I followed this article:
Setting up a simple Debian gateway
http://www.debian-administration.org/articles/23
on an ubuntu server 6.10 linux box and it worked perfectly!

(many thanks to the author!!!)

Now I only need to put some limitations (but I don't know iptables rules...) in the 00-firewall script.
This script is loaded at startup and it is:
Code:
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# "! -i eth1" is the current negation syntax; older iptables wrote it as "-i ! eth1"
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
# (the original rule read "-i eth1 -o eth1", which never matches outside-to-LAN traffic)
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Now I want that:
- ONLY some MAC ADDRESSES (I decide which ones) must be able to use this gateway to surf the net
AND
- machines behind the gateway can access only some ports (say ONLY 80) and establish connections only to/from some google subdomains (say ####.google.com and maps.google.it)

Well, my users should use Google earth (that makes connections to various ####.google.com domains) and http://maps.google.it

These must be THE ONLY CONNECTIONS ENABLED to and from Internet.

No other internet connection should be available through the gateway (no ssh, no smtp, no pop, no emule, no ftp, and so on...).

Can you help me to implement the right iptables rules (without using any proxy)?

How should I modify that script?

Thanks in advance for any suggestion.

Last edited by Zingaro2002; 04-27-2007 at 11:02 AM.
 
Old 04-27-2007, 12:11 PM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,467

Hi Zingaro,

Besides checking out the man pages of iptables, which might bring you some more ideas, I will start with a bit of direction to accomplish your task.

The first thing to have in a firewall script is cleanup, which you already have in your script:
iptables -F ...

After that you should generally set the policies of all chains to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

After that you have to explicitly allow every little bit.

Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

I would not do this because you would allow everything to go out
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

rather try something like
iptables -A FORWARD -i eth0 -o eth1 -d google.com -j ACCEPT

-d stands for destination. There is also the counterpart -s which stands for source.
I think you can set up the needed domains on your own from here. If not, check back and I'll gladly help you.

To further improve the restriction to google.com see this
iptables -A FORWARD -i eth0 -o eth1 -d google.com -p tcp --dport 80 --sport 1024:65535 -j ACCEPT

OK, this one is rather long but brings the best control (besides not having the MAC inside).
-p stands for protocol. We have tcp, udp, icmp or any. --dport means destination port (80 for http). --sport stands for source port. I'm normally using all unprivileged ports, but there is a tweak in /proc/sys/net/ipv4/.. which restricts the ports that can be used.

The MAC address should work similar to that (from memory; check the man page)
iptables -A FORWARD -m mac --mac-source 00:11:22:33:44:55 -s ... -d ... -j ACCEPT
I'm not getting it right, but the -m is what you need to look out for. It stands for modules, of which there are a lot. They are all well documented in the man pages.

One last thing for further ideas could be HomeLanSecurity, a very well developed gateway script, which you can download from sourceforge.net

Hope this answers most of your questions.

Greets zhjim
 
Old 04-27-2007, 12:48 PM   #3
Zingaro2002
Member
 
Registered: Feb 2002
Location: Italy
Distribution: Fedora Core 1, Red Hat 8, Red Hat 9, Knoppix 3.3 (debian sarge)
Posts: 97

Original Poster
Hi zhjim,
Thank you very very very much!!!

I'll try your suggestions as soon as possible and I'll let you know.
Thanks again,
Zingaro2002
 
Old 05-03-2007, 01:06 PM   #4
Zingaro2002
Member
 
Registered: Feb 2002
Location: Italy
Distribution: Fedora Core 1, Red Hat 8, Red Hat 9, Knoppix 3.3 (debian sarge)
Posts: 97

Original Poster
Quote:
Originally Posted by zhjim

...To further improve the restriction to google.com see this
iptables -A FORWARD -i eth0 -o eth1 -d google.com -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
well... thank you very much!
We are really near to our goal but... the -d parameter only wants a host or host/mask expressed as a numeric IP address.

google.com has got several different IP addresses... so I cannot write an iptables rule for every one of them!

Is there a way to express destination parameter as "google.com" (without quotes, and including all subdomains)?

Thanks for your help,
Zingaro2002
 
Old 05-06-2007, 03:01 AM   #5
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,467

This is a bit strange. It works for me. Using this iptables rule
iptables -A OUTPUT -d google.com -j LOG

on my laptop with Kubuntu these entries come up
0 0 LOG all -- any any anywhere py-in-f99.google.com LOG level warning
0 0 LOG all -- any any anywhere jc-in-f99.google.com LOG level warning
0 0 LOG all -- any any anywhere eh-in-f99.google.com LOG level warning

(Try iptables -L -v to see all rules)

I also checked the man page and it states that you can use a hostname or IP address with -d. Just make sure that you allow DNS or have the names resolve locally inside your /etc/hosts file.

Please state the rule you're trying to use and the error message it generates. Maybe you have a typo somewhere?
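The complete 00-firewall the thread works toward, as an added example rather than code from either poster: DROP policies and explicit allows as zhjim describes in post #2, the mac match for the whitelist, and hostnames given to -d as post #5 shows (iptables resolves them when the rules load, which is why the gateway itself is allowed DNS). The interface names, MAC addresses, hostnames and resolver address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the default-deny 00-firewall the poster
# asked for, built from zhjim's advice. Assumes eth0 = LAN and eth1 = Internet;
# the MAC addresses, hostnames and resolver are constructed placeholders.
set -eu
LAN=eth0
WAN=eth1
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"   # constructed: the only clients let out
ALLOWED_HOSTS="maps.google.it kh.google.com"          # constructed: the only destinations
RESOLVER=192.0.2.53                                   # constructed: the clients' DNS server
# Every rule passes through here, so the ruleset can be reviewed without root:
# MODE=dry prints the iptables commands, MODE=apply runs them.
rule() {
    if [ "$MODE" = dry ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}
apply_rules() {
    MODE=${1:-dry}
    # 1. clean up, then default-deny every chain (zhjim's first two steps)
    rule -F; rule -t nat -F; rule -X
    rule -P INPUT DROP; rule -P OUTPUT DROP; rule -P FORWARD DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # 2. the gateway itself: reachable from the LAN, keeps its replies, and can
    #    resolve names, because "-d hostname" is looked up when the rule is loaded
    rule -A INPUT -i "$LAN" -m state --state NEW -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    # 3. forwarded packets of connections already accepted, both directions
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. only listed MACs may open new connections, and only via the LANOK chain
    #    (a client can change its MAC, so this is a convenience filter, not auth)
    rule -N LANOK
    for mac in $ALLOWED_MACS; do
        rule -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW \
             -m mac --mac-source "$mac" -j LANOK
    done
    # 5. listed clients: DNS to the resolver, TCP/80 to the allowed hosts. iptables
    #    expands each hostname into one rule per address; re-run if those change.
    rule -A LANOK -p udp -d "$RESOLVER" --dport 53 -j ACCEPT
    for host in $ALLOWED_HOSTS; do
        rule -A LANOK -p tcp -d "$host" --dport 80 -j ACCEPT
    done
    # everything else returns from LANOK to FORWARD and meets the DROP policy
    rule -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    if [ "$MODE" = apply ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}
# Self-check helper: how many generated rules carry a MAC match (one per listed MAC).
mac_rule_count() { apply_rules dry | grep -c -- '--mac-source'; }
apply_rules "${1:-dry}"
```

Run it without arguments to review the generated rules; run it as root with `apply` to load them.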
 