ranjan303

[Log in to get rid of this advertisement]

Hi /bin/bash ,

I think that backtick was the problem. I will fix it and try again.

Homey I will try your scripy as well , but for a newbie like me its very complicated, but will give it a go for sure.

thanx again guys , I will keep u posted.

Ranjan.

je_fro

#!/bin/sh
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptales -N MAC_RULE
for MAC in `cat /etc/macs.allow`
do
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done
iptables -A MAC_RULE -j DROP <---Don't forget to drop the unknown macs.

/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE

ranjan303

Hi Je_fro

when I run the script I get the error
Can't delete the chain with refrences left. If I comment out the -X rule it works fine, but, then I loose all conitivity to my LAN clients even though their MACs are in the macs.allow file. If I comment out the -F rule then the scripts runs file but then those machines whoes MACs are not there in the file are still able to connect. I am using the script for MASQ from http://www.tldp.org/HOWTO/IP-Masquer...-examples.html which has the bare minimum firewall rule set just to get MASQ working. Also with the /sbin/iptables -N MAC_RULE ruleset first time it runs fine but next I get the error Chain already exists . That problay is cos I have commented out the -F and -X rules i think.

I donno where I am going wrong. Please help.

Thanx again,

Ranjan.

je_fro

IPTABLES=/sbin/iptables
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -F
$IPTABLES -X

The -X flag should delete the MAC_RULE chain before it is freshly reloaded. This is so that every time your script does $IPTABLES -N MAC_RULE it doesn't error out saying "rule exists".
If this doesn't work, since MAC_RULE exists, just take out the IPTABLES -X option.
Let me know if that works...

ranjan303

Hi je_fro

do I add the above lines to my firewall.sh script or do a fresh one ? thanx for your time.

Ranjan.

je_fro

I guess you want to avoid duplication. All you're doing is flushing the rules. I hope this will help (I haven't tried it, but it should load okay):




#!/bin/sh
echo -e "\n\nLoading /etc/conf.d/rc.firewall.\n"
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
INTERNAL_NET="192.168.1.0/24"
echo -e " Internal Net: $INTERNAL_NET\n"
echo -e " External Interface: $EXTIF\n"
echo -e " External Interface: $INTIF\n"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -e " Clearing any existing rules and setting default policy to DROP\n"

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -F
$IPTABLES -X

echo -e " FWD: Allow all connections OUT and only existing and related ones IN\n"

<<<PUT MAC_RULE HERE>>>

$IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -j MASQUERADE

$IPTABLES -A FORWARD -j MAC_RULE
$IPTABLES -A FORWARD -j ACCEPT -i $INTIF -s $INTERNAL_NET
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -j MAC_RULE
$IPTABLES -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i $INTIF --dport 67 -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $EXTIF -j ACCEPT

echo -e " Done loading rules.\n"

ranjan303

thanx for that Je_fro , I will have to try it tomorrow as its 11:30 PM in Brisbane/Australia. Need to hit the sack.

Thanx for ur help and time,

Ranjan.

ranjan303

Hi je_fro

I tried the code and it worked fine but i lost my internet connection , I added the line

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

that fixed the internet connection, now I will try the MAC blocking.

thanx for ur help,

Ranjan

ranjan303

Its WORKING )

THANX EVERYONE FOR YOUR HELP .
Special thanx to je_fro a lot.

Ranjan

ranjan303

just a small question, I am putting squid on this box. Will this rulebase work out with the modifications for squid ?


thanx again for everyones help and support.

Ranjan

je_fro

I'm out of town, and no time to research the matter. There's nothing I can think of to prevent squid from working, though.
Good Luck

com90185

Hi ALL,

I have a linux box running squid and iptables for Transparent proxy. I was lookin for permiting connection just a valid computers. Then i read the message DESPERATE: Iptables block users by MAC address. I probe the advised that je_fro post it and all is ok.

But when i including it to my rules the clients can connect to Web request. But when the clients need connect via ssh to other servers can't do it. If i comment blocking mac address rule, they can connect ssh without problem.
I follow the advised that ranjan303 post it but don't work. What do u suggest me?

thanks a lot to everyone
####################################################################
#!/bin/bash
echo -e Beginning rules.........
#inicializa modulos

/sbin/depmod -a

#modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Flush all

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F

# default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

############# blockin computers via mac address
/sbin/iptables -N MAC_RULE
#valid computers (just test)
/sbin/iptables -A MAC_RULE -i eth1 -m mac --mac-source 00:11:02:C1:F4:BF -j ACCEPT
/sbin/iptables -A MAC_RULE -i eth1 -m mac --mac-source 00:11:12:12:C3:B7 -j ACCEPT
#the rest is block
/sbin/iptables -A MAC_RULE -j DROP

/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE


##### blocking syn flooding
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP


##### no spoofing
/sbin/iptables -A INPUT -i eth0 -s $IPLOCAL -j DROP

######## let ssh connection
/sbin/iptables -A INPUT -s $MAQ1 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -d $MAQ1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

################### NAT:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -s $LOCALNET -d 0/0 -j SNAT --to-source $VALIDIP
#####
#/sbin/iptables -A FORWARD -j MAC_RULE #adding this line, don't work yet
#######
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LOCALNET -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


############### Forwarding PORTS

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $VALIDIP --dport 22 -j DNAT --to-destination $LOCALSERVER:22


/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d $LOCALSERVER --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $VALIDIP --dport 443 -j DNAT --to-destination $LOCALSERVER2:443

/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d $LOCALSERVER2 --dport 443 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

######### Forwarding connection to port 80 to squid proxy port 3128 (in the same linux box)

/sbin/iptables -t nat -A PREROUTING -i eth1 -s $LOCALNET -p tcp --dport 80 -j REDIRECT --to-port 3128

/sbin/iptables -A INPUT -p tcp -i eth1 -s $LOCALNET -d $IPSERVERLOCAL --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo -e Ending rules .....................................................

#####################################################################

ranjan303

you are correct, but the hacker needs to know a trusted mac to get in and in the last two years this script has been in use, none of the users have been able to guess it. Ranj.

johnnydangerous

##### blocking syn flooding
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood this is doing what?
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
why return?

/sbin/iptables -A syn-flood -j DROP



##### no spoofing
/sbin/iptables -A INPUT -i eth0 -s $IPLOCAL -j DROP

how do you set the $IPLOCAL -> non routable IP or externel?

thanks in advance