block internet traffic
I configured NAT on Red Hat using a DSL modem. My objective is to allow access only to POP (110) and SMTP (25) through it; I want to block all HTTP and HTTPS traffic from the LAN.
Please tell me how to add rules to achieve this. Please do not give me any links. Setup (NAT): ppp0 = Internet, eth0 = LAN |
# opens up ports 25 (SMTP) and 110 (POP3)
iptables -I FORWARD -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop all other traffic
iptables -A FORWARD -j DROP

you could drop only http and https traffic, but then you'd have to worry about proxies. |
slack. It didn't help. Please look at the given NAT configuration and advise me.
#!/bin/sh

# IPTABLES PROXY script for the Linux 2.4 kernel.
# This script is a derivative of the script presented in
# the IP Masquerade HOWTO page at:
# http://www.tldp.org/HOWTO/IP-Masquer...-examples.html
# It was simplified to coincide with the configuration of
# the sample system presented in the Guides section of
# www.aboutdebian.com
#
# This script is presented as an example for testing ONLY
# and should not be used on a production proxy server.
#
# PLEASE SET THE USER VARIABLES
# IN SECTIONS A AND B OR C

echo -e "\n\nSETTING UP IPTABLES PROXY..."

# === SECTION A
# ----------- FOR EVERYONE

# SET THE INTERFACE DESIGNATION FOR THE NIC CONNECTED TO YOUR INTERNAL NETWORK
# The default value below is for "eth0". This value
# could also be "eth1" if you have TWO NICs in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely
# have an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.

# Enter the internal interface's designation for the
# INTIF variable:
INTIF="eth0"

# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
# The default value below is "ppp0" which is appropriate
# for a MODEM connection.
# If you have two NICs in your system change this value
# to "eth0" or "eth1" (whichever is opposite of the value
# set for INTIF above). This would be the NIC connected
# to your cable or DSL modem (WITHOUT a cable/DSL router).
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.

# Enter the external interface's designation for the
# EXTIF variable:
EXTIF="ppp0"

# ! ! ! ! ! Use ONLY Section B *OR* Section C depending on
# ! ! ! ! the type of Internet connection you have.

# === SECTION B
# ----------- FOR THOSE WITH STATIC PUBLIC IP ADDRESSES

# SET YOUR EXTERNAL IP ADDRESS
# If you specified a NIC (i.e. "eth0" or "eth1") for
# the external interface (EXTIF) variable above,
# AND if that external NIC is configured with a
# static, public IP address (assigned by your ISP),
# UNCOMMENT the following EXTIP line and enter the
# IP address for the EXTIP variable:
#EXTIP="your.static.IP.address"

# === SECTION C
# ---------- DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS

# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
# If you get your IP address dynamically from SLIP, PPP,
# BOOTP, or DHCP, UNCOMMENT the command below.
# (No values have to be entered.)
# Note that if you are uncommenting these lines then
# the EXTIP line in Section B must be commented out.
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

# -------- No more variable setting beyond this point --------

echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Loading proxy server rules..."

# Clearing any existing rules and setting default policy
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# FWD: Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -j DROP

# Enabling SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e " Proxy server rule loading complete\n\n"
|
edit: also DNS uses udp 53 for queries. tcp 53 is for zone transfers. so the following line needs to be changed from:
iptables -I FORWARD -m tcp -p tcp --dport 53 -j ACCEPT
to
iptables -I FORWARD -m udp -p udp --dport 53 -j ACCEPT
|
Thanks dude. I liked your prompt reply. Solved.
You guys take Linux to the moon. |
edit: Junior's right. It appears that if organizations use virtual IPs for their server farms and have a certain number of servers, the DNS information is considerably larger. This is not uncommon in larger organizations nowadays. You'll want to add the TCP 53 port back into your script if you have removed it. |
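The thread's end state as one ruleset, added here as an example and not taken from any post: in the posted script the rule `iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT` matches all outbound LAN traffic regardless of port, so it is left out, and DNS is allowed on both UDP and TCP 53. The function names and the `IPT` dry-run variable are assumptions of this example, and IP forwarding is assumed to be enabled already, as the posted script does.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: the commands
# are printed. Run as root with IPT=iptables to load them.
INTIF="${INTIF:-eth0}"      # LAN interface, as in the thread
EXTIF="${EXTIF:-ppp0}"      # Internet interface, as in the thread
IPT="${IPT:-echo iptables}" # hypothetical switch between dry run and apply

forward_rules() {
    # Default-deny: anything not listed below is not forwarded.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections that the LAN was allowed to open.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Mail only: SMTP (25) and POP3 (110).
    for port in 25 110; do
        $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp --dport "$port" -j ACCEPT
    done
    # DNS over UDP for ordinary queries and over TCP for large answers.
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -p "$proto" --dport 53 -j ACCEPT
    done
    # No "-i $INTIF -o $EXTIF -j ACCEPT" here: that rule forwards every
    # port, so HTTP/HTTPS would be accepted before any DROP is reached.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Reads "iptables -S FORWARD" style lines on stdin and prints every ACCEPT
# rule that has neither a destination port nor a connection-state match.
unrestricted_accepts() {
    grep -e '-j ACCEPT' | grep -Ev -e '--dport|--(ct)?state' || true
}

forward_rules
```

After loading the rules, `iptables -S FORWARD | unrestricted_accepts` should print nothing.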