iptables

spank · 09-30-2005, 06:14 AM

how can i stop the clients inside the network from connecting to any webpages (80 port) ?

Half_Elf · 09-30-2005, 11:05 PM

yes you can
just make a simple rule like "iptables -A OUTPUT -j DROP"
easy.

You might want to add -o eth0 (or whatever your inetrnal network is) or it will filter ytour own box.

spank · 10-01-2005, 09:08 AM

if I iptables -A OUTPUT -j DROP i can't ssh on the server.
NOTE: I use masq to get the net from the provider to clients

homey · 10-01-2005, 09:47 AM

I have these lines in my firewall script. I don't use them as I don't have a web server but it seems like changing that from ACCEPT to DROP may work for you...
# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPTABLES -A INPUT -i $EXT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

Code:

$IPTABLES -A INPUT -i $EXT -s 0/0 -d 0/0 -p tcp --dport 80 -j DROP

spank · 10-01-2005, 09:56 AM

i was tring to ask how to stop the clients inside the network to use a service outside... for example if i would want to stop the access to www.google.com what would the iptables command look like?

homey · 10-01-2005, 11:09 AM

Maybe like this

iptables -A OUTPUT -d 123.123.123.123 -j DROP
or
iptables -A OUTPUT -p tcp –dport 80 -j DROP

spank · 10-01-2005, 11:25 AM

this rule only work local on server on the clients it has no effect.
the masq is done line this:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE