LinuxQuestions.org
Old 05-03-2008, 06:02 PM   #1
rven
iptables "whitelist" rule


Hi
I am currently implementing level 7 packet filtering on my Debian router with ipp2p. This has been done to prevent wireless users from using well-known file sharing applications (edonkey, bittorrent, kazaa, etc.).
The current iptables configuration that I have is doing everything very well.

Now I want to be able to run the amuled daemon ON the Debian router, but I am not really sure how to tell iptables to whitelist the traffic that is not being forwarded.
In other words, the ipp2p module should not drop the packets originating from/destined to the router.

Here is my current script:

Code:
#!/bin/sh

# Interface connected to Internet
INTERNET="eth1"

# Address connected to LAN
LOCAL="10.0.1.0/24"

# VPN
VPN="5.0.0.0/8"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable Munin stats
# (these rules have no -j target: they match but never decide, so they only
# keep packet/byte counters that Munin reads)
iptables -A INPUT -d 37.244.81.222
iptables -A OUTPUT -s 37.244.81.222
iptables -A FORWARD -i eth1

iptables -A INPUT -d 10.0.1.2
iptables -A OUTPUT -s 10.0.1.2
iptables -A FORWARD -i eth0

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections the router opened itself (UDP, DNS answers,
# and passive FTP data channels tracked by ip_conntrack_ftp)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# unlimited access to VPN
iptables -A INPUT -s $VPN -j ACCEPT
iptables -A OUTPUT -s $VPN -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Thanks for your help guys
 
Old 05-04-2008, 02:44 PM   #2
gilead
You should be able to remove the following 2 lines to do that. They're only stopping traffic to and from the box running iptables and don't affect the traffic being forwarded:
Code:
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP
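To make the chain distinction concrete, here is the P2P section of the ruleset with the ipp2p match kept on FORWARD only, as the reply above suggests. This is an added example, not code from the thread or from the ipp2p project: routed traffic from the wireless LAN is still pattern-matched and dropped, while the router's own connections (INPUT and OUTPUT, which is where amuled on the box lives) are never handed to ipp2p. INTERNET and LOCAL are the values from the original script; the function takes the iptables command as an argument so the same rules can be dry-run with "echo" and checked without root, and the APPLY variable and helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): ipp2p applied to FORWARD only.

INTERNET="eth1"        # value from the original script
LOCAL="10.0.1.0/24"    # value from the original script

# Emit the P2P and routing rules. $1 is the command to run for each rule
# ("iptables" to apply, "echo" to print). Order matters: the ipp2p DROP must
# come before the blanket ACCEPT for $LOCAL, or it never sees a packet.
p2p_rules() {
    ipt="$1"
    # Routed LAN traffic: drop anything ipp2p recognises as P2P.
    "$ipt" -A FORWARD -m ipp2p --ipp2p -j DROP
    # Remaining LAN traffic is routed and masqueraded as in the original script.
    "$ipt" -A FORWARD -s "$LOCAL" -j ACCEPT
    "$ipt" -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
    # Deliberately no "-A INPUT ... -m ipp2p" or "-A OUTPUT ... -m ipp2p":
    # those chains carry the router's own traffic (amuled included).
}

# Sanity check that needs no root: list the chains that carry an ipp2p match
# in the dry-run output. Expected result: a single line, "FORWARD".
ipp2p_chains() {
    p2p_rules echo | grep -- '-m ipp2p' | awk '{ print $2 }' | sort -u
}

# Count ipp2p rules outside FORWARD. Expected: 0. (grep -c exits 1 when the
# count is zero, hence "|| true" so the function still returns cleanly.)
ipp2p_outside_forward() {
    p2p_rules echo | grep -- '-m ipp2p' | grep -vc -- '-A FORWARD' || true
}

# Apply for real only when APPLY=1 (as root); otherwise just print the rules.
if [ "${APPLY:-0}" = "1" ]; then
    p2p_rules iptables
else
    p2p_rules echo
fi
```

Run it plain to see the rules it would add, or `APPLY=1 sh script.sh` as root to load them. After loading, `iptables -L FORWARD -v -n` shows the packet counter on the ipp2p rule climbing when a wireless client starts a P2P transfer, while the router's own amuled connections pass through INPUT/OUTPUT untouched.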
 
Old 05-04-2008, 03:15 PM   #3
rven
Thanks for the tip. I'll try immediately.