Old 09-28-2004, 09:43 AM   #1
enrique_arong
LQ Newbie
 
Registered: Apr 2004
Posts: 24

Rep: Reputation: 15
iptables question


Hi, I have a simple iptables question I don't know the answer to.

I already posted it on the newbie forum
but I got no luck.

I have a Linux server and a network with some connected PCs;
I want to block internet access to all the PCs except one
on the network.


Can you tell me what iptables command line I should put in
to block the PCs?

I think it is this one, but it does not work:

iptables -A INPUT -s ! pc with internet -j DROP

----------------------------------------------

iptables -n -L -v

Chain INPUT (policy ACCEPT 5715K packets, 2104M bytes)
pkts bytes target prot opt in out source destination

712K 129M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3128
0 0 REJECT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
tcp dpts:!1:1024 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0
tcp dpts:!1:1024 flags:0x16/0x02 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

52669 2528K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:25 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:139 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:1024
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
tcp spts:1:1024
46939 3753K ACCEPT tcp -- * eth2 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:1024
14804 9083K ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0
tcp spts:1:1024
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5222
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:5222
64257 3707K ACCEPT tcp -- * * 0.0.0.0/0 192.168.100.68
76506 114M ACCEPT tcp -- * * 192.168.100.68 0.0.0.0/0

24314 1529K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 6608K packets, 2972M bytes)
pkts bytes target prot opt in out source destination


thank you very much

Aaron
 
Old 09-28-2004, 10:05 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Re: iptables question

Quote:
Originally posted by enrique_arong

I think is this one, but it does not work:

iptables -A INPUT -s ! pc with internet -j DROP
Nope! Wrong. The INPUT chain is only interested in input for Linux itself. You must block the packets which go through the FORWARD chain. For more info, read the docs at www.netfilter.org about iptables.

Quote:
iptables -n -L -v

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

52669 2528K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:25 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:139 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:1024
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
tcp spts:1:1024
46939 3753K ACCEPT tcp -- * eth2 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:1024
14804 9083K ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0
tcp spts:1:1024
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5222
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:5222
64257 3707K ACCEPT tcp -- * * 0.0.0.0/0 192.168.100.68
76506 114M ACCEPT tcp -- * * 192.168.100.68 0.0.0.0/0

24314 1529K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
I think you must change your FORWARD chain like this:
Code:
iptables -F FORWARD   # remove all rules in the FORWARD chain
iptables -P FORWARD DROP   # set the policy of FORWARD to DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # allow replies to packets that come from the internet
iptables -A FORWARD -s ip_of_allowed_pc -j ACCEPT   # allow packets if they come from that PC
That's all. Only the IP of the allowed PC will be able to reach the internet. All of the others will be dropped automatically, because the default policy is DROP. If you want to allow more PCs, just add them like that:
iptables -A FORWARD -s ip_of_allowed_other_pc -j ACCEPT

good luck.
 
Old 09-28-2004, 10:38 AM   #3
enrique_arong
LQ Newbie
 
Registered: Apr 2004
Posts: 24

Original Poster
Rep: Reputation: 15
Yes, that's good, but I have many PCs here,
and I don't want to run the risk of reconfiguring the FORWARD chain
because I could be fired in case the network stops for too long.

I just want to enter a line which drops all the PCs except mine,
and when I delete it everything comes back to normal.

Anyway, your comment was of great help for me.
I'll read the stuff at netfilter.com.
Thanks
Aaron
 
Old 09-28-2004, 11:42 AM   #4
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
I use a configuration similar to that (DROP as default policy) right now. My PC and 3 other PCs are allowed to access the internet on all ports. The others can access the http, ftp, https, nntp, 1863, 211 and 3050 ports. I did that for more security, and also I don't want users to play web games or listen to radio or watch TV via the browser.

Hmmm. Another way: you can edit the iptables save file. It is "/etc/sysconfig/iptables" for Red Hat-like systems. Or if you have a script that does that, edit it. Change the place of the rules. But it is the hard way, I think.
Think of it like this:
The first rule runs first. iptables checks if the packet matches the first rule. If it matches, it applies the 1st rule and never checks the other rules. Then the second, then the 3rd, ... it goes like that. If the packet doesn't match any rule, it applies the default policy.
Actually the last line of your FORWARD chain is REJECT all, so it doesn't matter to add rules, because it will apply the reject rule before and never look at the last rule that you added.

I think my suggestion is better, because the last rule will be able to be checked. After that, it will apply the DROP rule as the default policy. So it will be easier to change rules.

Don't you have test boxes? Tell your boss to buy test boxes for you. You need at least 2 right now.

good luck.
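To make the first-match rule from the reply above concrete, and to show why the DROP-policy chain from reply #2 is easier to reason about than appending to Aaron's existing FORWARD chain, here is an added example that is not part of the thread: a small constructed Python model of how one iptables chain is walked. It assumes a trimmed copy of Aaron's FORWARD chain; only 192.168.100.68 comes from the thread, the other addresses are made up.

```python
# Added example (not from the thread): a constructed model of how iptables walks
# one chain. Only 192.168.100.68 comes from the thread; other addresses are made up.
import ipaddress

def rule(target, src=None, negate_src=False, dports=None, state=None):
    return dict(target=target, src=src, negate_src=negate_src, dports=dports, state=state)

def matches(r, src, dport, state):
    if r["src"] is not None:
        hit = ipaddress.ip_address(src) in ipaddress.ip_network(r["src"], strict=False)
        if hit == r["negate_src"]:          # "! -s" inverts the source match
            return False
    if r["dports"] and not r["dports"][0] <= dport <= r["dports"][1]:
        return False
    if r["state"] and state not in r["state"]:
        return False
    return True

def verdict(rules, policy, src, dport, state="NEW"):
    # First matching rule decides; the chain policy applies only if none matches.
    for r in rules:
        if matches(r, src, dport, state):
            return r["target"]
    return policy

def op_forward_rules():
    # Trimmed version of Aaron's FORWARD chain (policy ACCEPT): the broad ACCEPT
    # for dpts 1:1024, the ACCEPT for his PC, then the final "REJECT all".
    return [rule("REJECT", dports=(25, 25)),
            rule("ACCEPT", dports=(1, 1024)),
            rule("ACCEPT", src="192.168.100.68"),
            rule("REJECT")]

def appended_vs_inserted():
    # The same "! -s 192.168.100.68 -j DROP" rule, added with -A (end of chain)
    # and with -I FORWARD 1 (front of chain), tested on another PC's HTTP packet.
    block = rule("DROP", src="192.168.100.68", negate_src=True)
    appended = op_forward_rules() + [block]
    inserted = [block] + op_forward_rules()
    return (verdict(appended, "ACCEPT", "192.168.100.10", 80),
            verdict(inserted, "ACCEPT", "192.168.100.10", 80))

def maxut_forward_rules():
    # Reply #2's design: policy DROP, accept replies, accept the one allowed PC.
    return [rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
            rule("ACCEPT", src="192.168.100.68")]
```

The appended rule is never reached because the earlier ACCEPT for ports 1:1024 matches first, while the inserted one blocks the other PC without touching Aaron's traffic.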
 
Old 09-28-2004, 01:51 PM   #5
enrique_arong
LQ Newbie
 
Registered: Apr 2004
Posts: 24

Original Poster
Rep: Reputation: 15
Your explanation is cool, I can understand better how it works.
I will study my rules and make changes.

thank you for your time
Aaron
 