Old 09-17-2003, 03:10 PM   #1
antken
Member
 
Registered: Nov 2000
Posts: 368

Rep: Reputation: Disabled
Only allowing web browsing across the Linux box


Hello,

I have a Linux box set up that's acting as a router-type device for 5 workstations on my LAN; on one particular host I want to disable everything but web browsing from this host.

So I thought I would add the following lines to my iptables:

-A INPUT -s 10.0.0.2 -p tcp --dport ! 80 -j DROP
-A INPUT -s 10.0.0.2 -p tcp --dport 80 -j ACCEPT

If I put the above lines into my blank INPUT table it blocks everything and does not even allow web traffic through.

I could not remember what protocol web browsing was, so I tried both and still no results.

Does anyone have any ideas?

Please help
 
Old 09-17-2003, 03:17 PM   #2
hakcenter
Member
 
Registered: Apr 2003
Location: Not to far from the computer screen
Distribution: RedHat 9.0
Posts: 324

Rep: Reputation: 30
I would set up the rule earlier than that on the host; remove the inputs.

iptables -t nat -A PREROUTING -s 10.0.0.2/255.0.0.0 -p tcp --dport ! 80 -j DROP
 
Old 09-17-2003, 03:43 PM   #3
antken
Member
 
Registered: Nov 2000
Posts: 368

Original Poster
Rep: Reputation: Disabled
Ah, thanks for that.

Now the packet numbers are going up.

The only thing is, I notice that the MSN Messenger thing is still working on there. I know it runs over port 1863, but the packet numbers do not go up when a message is sent, which I thought they would (?)

I'll have to play with the rules, but it's working now, but:

Thanks


I presume then there is an order in which the iptables tables are approached by the kernel; is there a how-to available that details this?


Thanks once again

antken
 
Old 09-17-2003, 03:53 PM   #4
hakcenter
Member
 
Registered: Apr 2003
Location: Not to far from the computer screen
Distribution: RedHat 9.0
Posts: 324

Rep: Reputation: 30
I don't remember there being a 'howto', but you are among many who are trying to block MSN Messenger.

I presume a better way of blocking it could be to set up an HTTP proxy, perhaps.

The tables, I believe, go in this order:

Nat

Mangle

Default

And the chains go in descending order from --list.

Try using email on that blocked machine to make sure all traffic is killed. Secondly, you could always block access to MSN's login server as well:

iptables -t nat -A PREROUTING -s 10.0.0.2 -d msnIP -j DROP
 
Old 09-17-2003, 04:14 PM   #5
antken
Member
 
Registered: Nov 2000
Posts: 368

Original Poster
Rep: Reputation: Disabled
I found this page:

http://www.venkydude.com/articles/msn.htm

It details that MSN connects to messenger.hotmail.com on port 1863; the MSN server then in plain text directs the client to connect to another server, and then starts communication in plain text.

It's pretty useful; perhaps I could use Snort against it in some way.


Thanks for your help, I seem to have pretty much sealed it up and only web browsing is going on (oh, and DNS lookups are required for the browser, I nearly forgot).


Thanks
 
Old 09-17-2003, 04:31 PM   #6
hakcenter
Member
 
Registered: Apr 2003
Location: Not to far from the computer screen
Distribution: RedHat 9.0
Posts: 324

Rep: Reputation: 30
Then block access to messenger.hotmail.com via IP through PREROUTING on that machine and you're gold.
 
Old 09-17-2003, 04:41 PM   #7
antken
Member
 
Registered: Nov 2000
Posts: 368

Original Poster
Rep: Reputation: Disabled
I have done,

and I have blocked the outgoing port (1863) from that machine as an extra; as you say, 'it's gold'.
 