Iptables rule placement and other firewalling questions
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I then have exceptions built for certain devices by MAC address (my laptop, the Vonage VoIP adapter etc) using the following between the two lines above:
Code:
-A PREROUTING -m mac --mac-source aa:bb:cc:dd:ee:ff -j RETURN
Again, this works.
HOWEVER, what I also want to do is to block all traffic not coming to / from those devices when the kids should be in bed (stop illicit nocturnal gaming, NetFlix, Skype, Facebook etc).
I tried to put the following in to my file immediately after the MAC exclusions, but before the redirect:
Code:
-A PREROUTING -m time --timestart 00:00 --timestop 06:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
but when I try to implement, I get the error
Quote:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
So, my question is, where should I put it? If I put it in the FILTER table, will the excluded MAC addresses also be blocked (since they are excluded in the nat table) or should the whole lot (including transparent proxying) really be in the FILTER table? Or do I need to duplicate the exclusions in both tables?
I guess I'm unclear on the order of operations and what overrides what with all the different tables.
I'd like to recommend a completely different approach.
If you really want to learn about iptables construction, read the tutorial at http://www.frozentux.net/iptables-tu...-tutorial.html
This tutorial is really great for demonstrating just how complex it is to create your own firewall command structure. And it will steer you clear of trying to modify prerouting.
Instead, I recommend using one of the firewall builders having pre-constructed templates that handle the more arcane issues....just like the question you asked. The one I like best is at: http://www.fwbuilder.org
It lets you put in scripting and deploy variants to multiple machines. It has nice defaulting for logging issues. And you'll find it plenty complex enough.
There are simpler ones too...which was where I started. You may discover (just like I did) that you prefer one of those. And darn-it, I can't remember the name of the firewall helper I started with.
There's a list of firewall helper builders somewhere. I encourage you to at least google for those.
And I don't think your application requires modification of prerouting at all. See the diagram I uploaded. It's from the above tutorial site. Your stuff should be in the left fork AFTER all the nat translation is done. But forget that. Just use a helper.
Last edited by linuxStudent11; 10-11-2012 at 02:10 PM.
I had a good play with that utility, unfortunately, it doesn't support filtering by MAC address, so I can't use it. (Yes, I know, static IPs via DHCP would also work, but I know my kids - that would make it easier to hack ;-)
I'll have a Google around like you suggest though!
Can you implement your access filtering at the proxy level instead of at the kernel (iptables) level?
Unfortunately not.
The proxy works fine for the web, but I need to completely shut down access "out of hours" so to speak.
What I have done is to add the MAC exclusions to both tables. I will post my config file (with anything "interesting" removed, of course) a little later, in case it helps anyone else.
The various tutorials posted above really helped me get my head around the processing order of it all, which was why I was struggling. Yes, it's complex, but not overly so!
Jase, thanks and I will need to do this as well however, with respect, you are missing the point!
My entire family is very "online". We use not only the web, but Skype, Netflix, xBox Live etc etc. Some of these use port 80 /443 but many do not, or only as a fall-back.
What I have is Dans Guardian / Squid set up to transparently proxy web access, but it won't affect any traffic on other ports. What I need(ed) was a way to completely shut down routing for those devices in the kids rooms / accessible by the kids at times of the day that my wife and I deem inappropriate. In addition, however, we don't want OUR activities, or those of certain services (like our Vonage phone) affected. A tall order!
I think I have now more-or-less managed it. I have had to treat the web filter bypass separately from the time restriction. What I have ended up with is as follows (note, I have removed specific addresses and lines that perform the same action. I am also not yet finished with hardening my firewall.)
Code:
# Generated by iptables-save v1.4.12 on Sat Oct 13 11:02:31 2012
*filter
:INPUT ACCEPT [1998392:1755458531]
:FORWARD DROP [2791:164160]
:OUTPUT ACCEPT [1664895:1253313402]
# Prevent anyone from outside using my proxy
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Bypass time restrictions for selected devices, by MAC address
-A FORWARD -i eth1 -m mac --mac-source AA:BB:CC:DD:EE:FF -j ACCEPT
# Allow forwarding at "reasonable" times of the day (10:00 on school nights, midnight at the weekend).
-A FORWARD -i eth1 -m time --timestart 06:00:00 --timestop 22:00:00 --weekdays Mon,Tue,Wed,Thu,Sun -j ACCEPT
-A FORWARD -i eth1 -m time --timestart 06:00:00 --timestop 00:00:00 --weekdays Fri,Sat -j ACCEPT
COMMIT
# Completed on Sat Oct 13 11:02:31 2012
# Generated by iptables-save v1.4.12 on Sat Oct 13 11:02:31 2012
*nat
:PREROUTING ACCEPT [32226:2452060]
:INPUT ACCEPT [16898:1601223]
:OUTPUT ACCEPT [11732:958719]
:POSTROUTING ACCEPT [11732:958719]
# Bypass transparent proxy for selected devices, by MAC address
-A PREROUTING -m mac --mac-source AA:BB:CC:DD:EE:FF -j RETURN
# Transparent proxy
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# NAT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Oct 13 11:02:31 2012
# Generated by iptables-save v1.4.12 on Sat Oct 13 11:02:31 2012
*mangle
:PREROUTING ACCEPT [9173359:8508176836]
:INPUT ACCEPT [1998396:1755458703]
:FORWARD ACCEPT [7174948:6752710066]
:OUTPUT ACCEPT [1664913:1253317574]
:POSTROUTING ACCEPT [8837070:8005863480]
COMMIT
# Completed on Sat Oct 13 11:02:31 2012
I hope this helps anyone else trying to do the same thing
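The final ruleset above depends on Netfilter traversal order that the thread only gestures at. As an added example (not code from the original posts), here is a small Python model of the path a new connection from the LAN takes through that exact ruleset. It shows two things the rules themselves do not spell out: tables are walked independently, so a RETURN in nat PREROUTING cannot exempt a device from filter FORWARD (hence the MAC rule in both tables), and a TCP/80 packet REDIRECTed to the proxy acquires a local destination and is checked by filter INPUT, never by the time-restricted FORWARD chain. The MAC addresses, timestamps and packet records are constructed.

```python
from datetime import datetime
EXEMPT_MACS = {"aa:bb:cc:dd:ee:ff"}  # constructed placeholder MAC, as in the post
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
WEEKNIGHTS = {"Mon", "Tue", "Wed", "Thu", "Sun"}

def _minutes(hhmm):  # "06:00" -> 360; seconds, if present, are ignored
    return int(hhmm[:2]) * 60 + int(hhmm[3:5])

def time_match(ts, start, stop, weekdays):
    """Approximation of xt_time: weekday first, then time of day. A stop at or
    before the start wraps past midnight, which is why --timestop 00:00:00 in
    the post means 'until midnight'. Real xt_time uses UTC unless --kerneltz."""
    if DAYS[ts.weekday()] not in weekdays:
        return False
    now, a, b = ts.hour * 60 + ts.minute, _minutes(start), _minutes(stop)
    return a <= now < (b if b > a else 24 * 60)

def nat_prerouting(pkt):
    """nat PREROUTING as posted: exempt MACs leave the chain via RETURN, other
    LAN hosts' TCP/80 is REDIRECTed to the local proxy; chain policy ACCEPT."""
    if pkt["mac"] in EXEMPT_MACS:
        return "RETURN"
    if pkt["in"] == "eth1" and pkt["proto"] == "tcp" and pkt["dport"] == 80:
        return "REDIRECT"
    return "ACCEPT"

def filter_forward(pkt):
    """filter FORWARD as posted, in rule order; chain policy DROP."""
    if pkt["in"] == "eth0" and pkt["established"]:
        return "ACCEPT"
    if pkt["in"] == "eth1" and pkt["mac"] in EXEMPT_MACS:
        return "ACCEPT"
    if pkt["in"] == "eth1" and time_match(pkt["ts"], "06:00", "22:00", WEEKNIGHTS):
        return "ACCEPT"
    if pkt["in"] == "eth1" and time_match(pkt["ts"], "06:00", "00:00", {"Fri", "Sat"}):
        return "ACCEPT"
    return "DROP"

def walk(pkt):
    """Return (nat verdict, filter chain reached, filter verdict). A REDIRECTed
    packet now has a local destination, so routing hands it to INPUT (policy
    ACCEPT; its only rule drops eth0 -> 8080) and FORWARD never sees it."""
    nat = nat_prerouting(pkt)
    if nat == "REDIRECT":
        return nat, "INPUT", "ACCEPT"
    return nat, "FORWARD", filter_forward(pkt)

def lan_packet(mac, when, dport=443):
    """Constructed sample: a new TCP connection from a LAN host; when = 'YYYY-MM-DD HH:MM'."""
    return {"in": "eth1", "mac": mac, "proto": "tcp", "dport": dport,
            "established": False, "ts": datetime.strptime(when, "%Y-%m-%d %H:%M")}
```

Running `walk(lan_packet("11:22:33:44:55:66", "2012-10-10 02:00", dport=80))` returns `("REDIRECT", "INPUT", "ACCEPT")`, so out-of-hours port 80 traffic from a non-exempt device still reaches the proxy unless the proxy itself enforces the schedule.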