Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
01-15-2010, 04:06 PM, #16
nimnull22 (Senior Member; Registered: Jul 2009; Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0; Posts: 1,571)
Quote: Originally Posted by qprfact
Yes, I was using 192.168.2.4 and checking access from that IP only.
You mention the ethernet card - is this on the server or on 192.168.2.4, and do I find this via ifconfig?

Your small network has several computers; I assume they are connected to a switch, as is the server. Can you tell us which ethernet card on the server is used for it - eth1?
I suppose that eth0 is for the internet router.
P.S.
Please post the output of "ifconfig -a" from the server.
Last edited by nimnull22; 01-15-2010 at 04:09 PM.
01-17-2010, 12:59 PM, #17
qprfact (Original Poster; LQ Newbie; Registered: Jan 2010; Posts: 10)
I think I have it working - sort of - but this may be more by luck than design.
I was looking at the issue afresh, and for some reason began to wonder if there was a DNS issue in here somewhere.
So I added these lines to iptables:
Code:
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
and the internet began to work!
So I tried a little more experimentation to allow the various PCs to connect, and my FORWARD section now looks like this:
Code:
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -s 192.168.2.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
and so on. Using the individual PCs worked too.
Next, I tried an alternative version for IM ports:
Code:
-A FORWARD -s 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.16/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.16/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.17/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.17/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
So I now have IM and HTTP working in the unrestricted rules.
By removing the lines relating to HTTP, I have an IM-only version (my restricted one). The downside, as you will no doubt have spotted, is that one of the ports I need to open for MSN Messenger IM via Pidgin is 443, so HTTPS access *IS* available.
Any ideas on how I can restrict this to addresses, or use the traffic shaping ability?
Thanks
01-17-2010, 01:04 PM, #18
Guru (Registered: Dec 2006; Location: underground; Distribution: Slackware64; Posts: 7,594)
Quote: Originally Posted by qprfact
By removing the lines relating to HTTP, I have an IM-only version (my restricted one). The downside, as you will no doubt have spotted, is that one of the ports I need to open for MSN Messenger IM via Pidgin is 443, so HTTPS access *IS* available.
Does MSN not have a particular selection of IP addresses to which it connects? Maybe by popping open Wireshark and having a look at the destination IP(s) of the MSN traffic, you can tighten up the IM rules to allow port 443 traffic ONLY to IP(s) associated with MSN Messenger.
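Added example, not code from the thread or from any poster: a generator for the FORWARD chain the two posts above are converging on. Two things differ from the posted rules. First, the chain is stateful: one RELATED,ESTABLISHED rule covers every reply, which makes the mirrored "-d host --dport N" lines unnecessary (a reply packet carries N as its source port, so those lines never matched replies; what they do match is a fresh connection from the internet to port N on the LAN host). Second, port 443 for the IM hosts is allowed only to destinations taken from a packet capture, as suggested in the reply above. The host list is the poster's; the 443 destination addresses are constructed placeholders from the RFC 5737 documentation range and the tcpdump filter in the comment is an assumed way of collecting them. The script only prints iptables-restore text and never calls iptables, so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not the poster's ruleset). Prints a stateful FORWARD chain in
# iptables-restore format; nothing here touches the running firewall.

# Assumptions, none from the thread: the IM hosts are the ones posted; the 443
# destinations are RFC 5737 placeholders to be replaced with what Wireshark, or
# tcpdump on the router, shows the messenger client connecting to, e.g.
#   tcpdump -nn 'src net 192.168.2.0/24 and tcp dst port 443'
IM_HOSTS="192.168.2.15 192.168.2.16 192.168.2.17"
IM_443_DESTS="198.51.100.10 198.51.100.11"
IM_PORTS="1863,5222,5223"
LAN="192.168.2.0/24"

# forward_rules MODE   MODE is "restricted" (IM only) or "unrestricted" (IM + web)
forward_rules() {
    mode="$1"
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    # Replies and related flows for any session accepted below. This one rule
    # replaces every mirrored "-d host --dport N" line in the posted chain.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # From here on only NEW flows are matched, and only from LAN addresses.
    printf '%s\n' "-A FORWARD -s $LAN -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $LAN -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    for h in $IM_HOSTS; do
        printf '%s\n' "-A FORWARD -s $h/32 -p tcp -m multiport --dports $IM_PORTS -m conntrack --ctstate NEW -j ACCEPT"
        # 443 is pinned to the captured messenger endpoints, so it no longer
        # doubles as a general HTTPS allow in restricted mode.
        for d in $IM_443_DESTS; do
            printf '%s\n' "-A FORWARD -s $h/32 -d $d/32 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
        done
        if [ "$mode" = "unrestricted" ]; then
            printf '%s\n' "-A FORWARD -s $h/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
    # Log what falls through (rate-limited), then drop. Because the LOG sits
    # after the ESTABLISHED rule it records only refused new connections.
    printf '%s\n' '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD denied: " --log-level 7'
    printf '%s\n' '-A FORWARD -j DROP'
    printf '%s\n' 'COMMIT'
}

# general_443_rules MODE: how many rules let a host reach port 443 anywhere.
# Zero in restricted mode is exactly the property asked for in the thread.
general_443_rules() {
    forward_rules "$1" | grep -v -- ' -d ' | grep -c -- '443' || true
}

forward_rules "${1:-restricted}"
```

Review the output first; then, on the router, flush the old chain with `iptables -F FORWARD` and load the new one with `forward_rules restricted | iptables-restore --noflush`. Keeping the restricted and unrestricted variants as two outputs of one generator avoids the hand-maintained pairs of rule files, and `general_443_rules restricted` is a quick check that no rule reopens HTTPS to arbitrary destinations after an edit.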
01-17-2010, 02:04 PM, #19
qprfact (Original Poster; LQ Newbie; Registered: Jan 2010; Posts: 10)
Thanks - not come across Wireshark before so will give it a try!
01-18-2010, 12:58 AM, #20
qprfact (Original Poster; LQ Newbie; Registered: Jan 2010; Posts: 10)
One slight glitch has emerged. The iptables rules as they now stand stop the server (192.168.2.5) from accessing the internet! I tried specifying it in the iptables chain, but that did not work. I can do a daft workaround by flushing the iptables each day, running any updates and then reinstalling iptables, but that seems a bit cumbersome. Is there a better way?
Also, is there any preferred set-up of static IP addresses on home networks? Should the server have the next address along from the router (i.e. become 192.168.2.2), for example?
These are my current (unrestricted - the restricted version does not allow HTTP access in FORWARD rules) iptables:
Quote:
# Generated by iptables-save v1.4.4 on Sun Jan 17 23:06:47 2010
*mangle
:PREROUTING ACCEPT [1647:254606]
:INPUT ACCEPT [1647:254606]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1597:178694]
:POSTROUTING ACCEPT [1595:178330]
COMMIT
# Completed on Sun Jan 17 23:06:47 2010
# Generated by iptables-save v1.4.4 on Sun Jan 17 23:06:47 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2:364]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Jan 17 23:06:47 2010
# Generated by iptables-save v1.4.4 on Sun Jan 17 23:06:47 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.5/32 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
-A INPUT -s 192.168.2.1/32 -p tcp -m tcp --dport 60344 -j ACCEPT
-A INPUT -s 192.168.2.3/32 -p tcp -m tcp --dport 49744 -j ACCEPT
-A INPUT -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 139,145 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 5900,5901 -j ACCEPT
-A FORWARD -s 192.168.2.10/32 -p udp -m multiport --dports 28910,29900,29901,29920,443 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -p tcp -m tcp --dport 49743 -j ACCEPT
-A FORWARD -s 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.3/32 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.16/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.16/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.17/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.17/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.18/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.18/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.4/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.4/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.9/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.9/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.14/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -d 192.168.2.14/32 -p tcp -m multiport --dports 1863,5222,5223,443 -j ACCEPT
-A FORWARD -s 192.168.2.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.16/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.16/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.17/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.17/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.18/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.18/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.9/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.9/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.2.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.2.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Sun Jan 17 23:06:47 2010
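Added example, not the poster's configuration or anyone's reply in the thread. The server's own traffic goes through the OUTPUT chain, and in the dump above that chain accepts only RELATED,ESTABLISHED and then drops everything, so no connection the server itself initiates (its DNS lookups, its update downloads) can ever start; the LAN keeps working because forwarded traffic never passes through OUTPUT. The script below audits an iptables-save dump for that and for two other things visible in the posted filter table: the INPUT rules that accept any packet whose source port is 53 (a remote host can reach every listening service simply by sending from port 53, since these rules sit before the final DROP and carry no state match), and the rate-limited "iptables denied:" LOG rule that precedes the RELATED,ESTABLISHED ACCEPT and therefore logs ordinary reply packets as denials. It then prints a corrected OUTPUT chain. The sample dump is an excerpt constructed from the lines above; the ports the fixed chain allows (DNS, HTTP/HTTPS, NTP) and eth0 as the internet-facing interface are assumptions. Nothing here calls iptables, so it runs unprivileged against a saved file. One further thing the audit does not check: the SMB rule accepts ports 139 and 145, while Windows file sharing uses 139 and 445.

```shell
#!/bin/sh
# Added example, not the poster's configuration. audit_rules reads an
# iptables-save dump on stdin and prints one line per finding;
# fixed_output_chain prints an OUTPUT chain that lets the router itself open
# connections without the daily flush-and-reload. Neither calls iptables.

# Constructed excerpt of the posted filter table: only the lines the audit needs.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

audit_rules() {
    awk '
    /^:OUTPUT / { out_policy = $2 }
    # 1. Can the host itself start a connection? Only an ACCEPT that is not
    #    conditioned on conntrack state (and is not just loopback) allows NEW.
    /^-A OUTPUT / && !out_done {
        if ($0 ~ / -j ACCEPT$/ && $0 !~ /ESTABLISHED/ && $0 !~ / -o lo /) { out_new = 1; out_done = 1 }
        else if ($0 ~ /^-A OUTPUT -j (DROP|REJECT)/) { out_done = 1 }
    }
    # 2. ACCEPT keyed only on a source port: anyone on the internet who sends
    #    from that port reaches every listening service, past the final DROP.
    /^-A INPUT / && / -j ACCEPT$/ && / --sport / && !/ --dport / && !/ESTABLISHED/ {
        proto = "any"; sport = "?"
        for (i = 1; i <= NF; i++) { if ($i == "-p") proto = $(i+1); if ($i == "--sport") sport = $(i+1) }
        printf "INPUT: accepts every port from %s source port %s; spoofable, replace with a RELATED,ESTABLISHED match\n", proto, sport
    }
    # 3. A rate-limited LOG placed before the ESTABLISHED ACCEPT logs
    #    legitimate reply packets as denials, burying the real drops.
    /^-A INPUT / && / -j LOG/ && / -m limit / && !in_est { pending = $0 }
    /^-A INPUT / && / -j ACCEPT$/ && /ESTABLISHED/ {
        if (pending != "") printf "INPUT: LOG rule precedes the RELATED,ESTABLISHED ACCEPT, so replies are logged as denied: %s\n", pending
        pending = ""; in_est = 1
    }
    END {
        if (!out_new && (out_done || out_policy != "ACCEPT"))
            print "OUTPUT: nothing accepts NEW connections; the host cannot reach DNS, update mirrors or anything else it initiates"
    }'
}

# Corrected OUTPUT chain. Assumed (not from the thread): the router needs only
# DNS, HTTP/HTTPS for package updates and NTP for its own traffic, and eth0
# faces the internet as the posted LOG rule suggests. The BANDWIDTH_OUT LOG
# keeps its place so whatever accounting reads it is unchanged; a second,
# rate-limited LOG before the DROP shows what is still missing instead of
# failing silently.
fixed_output_chain() {
    cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT denied: " --log-level 7
-A OUTPUT -j DROP
COMMIT
EOF
}

printf '%s\n' "$SAMPLE" | audit_rules
```

Run it against the live ruleset with `iptables-save | sh audit.sh` (file name assumed); on the posted dump it reports the two source-port-53 rules, the misplaced LOG, and the OUTPUT lockout, and it reports nothing for the chain `fixed_output_chain` prints. For the INPUT side the same pattern applies: move the RELATED,ESTABLISHED ACCEPT to the top of the chain, drop the two `--sport 53` rules (DNS replies are ESTABLISHED and need no special case), and keep the rate-limited LOG immediately before the final DROP.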
01-21-2010, 04:25 AM, #21
qprfact (Original Poster; LQ Newbie; Registered: Jan 2010; Posts: 10)
BUMP - can anyone help on the server accessing internet issue please?