LinuxQuestions.org

Linux - Networking: trying to block user from accessing external web site with iptables (https://www.linuxquestions.org/questions/linux-networking-3/trying-to-block-user-from-accessing-external-web-site-with-iptables-575950/)

Histamine 08-09-2007 01:28 PM

trying to block user from accessing external web site with iptables
 
I'm trying to block my users from accessing an external website through iptables, but I'm not having much luck. I need some help please. My firewall script follows:

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " INPUT: Blocking ports that have no reason being open to the internet"
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 37 -j REJECT # Time
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 53 -j REJECT # DNS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 110 -j REJECT # POP3
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 111 -j REJECT # RPCbind
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 111 -j REJECT # RPCbind
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 137 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 138 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 139 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 515 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 631 -j REJECT # IPP
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 799 -j REJECT #
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 2049 -j REJECT # NFS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 2049 -j REJECT # NFS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 2844 -j REJECT # checkups
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 6000 -j REJECT # X Windows
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 4000 -j REJECT # Service CEO forward
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 800 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 813 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 819 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 3000 -j REJECT # MDaemon Worldclient forward

#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 110 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 137 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 138 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 139 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 515 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 6000 -j REJECT

echo " Blocking all peer-to-peer ports"
$IPTABLES -A FORWARD -p tcp --destination-port 554 -j REJECT # streaming
$IPTABLES -A FORWARD -p tcp --destination-port 1214 -j REJECT # KaZaa
$IPTABLES -A FORWARD -p tcp --destination-port 6699 -j REJECT # Napster WinMX
$IPTABLES -A FORWARD -p tcp --destination-port 6346 -j REJECT # Limewire
$IPTABLES -A FORWARD -p udp --destination-port 6346 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6347 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6348 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6349 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6350 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6351 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6352 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6353 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6354 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6355 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 5634 -j REJECT # Limewire


echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF2 -j MASQUERADE

$IPTABLES -A FORWARD -s 68.28.144.66 -d 192.168.0.40 -j REJECT
$IPTABLES -A FORWARD -s 192.168.0.40 -d 68.28.144.66 -j REJECT
$IPTABLES -A INPUT -s 68.28.144.66 -j DROP
$IPTABLES -A OUTPUT -d 68.28.144.66 -j DROP

I use IP masq to forward the internet around the building. The last four lines are what I've been trying; they don't seem to work.

If you also have a way to kill a forwarded connection, I'd like to hear it.

TIA

TylerD75 08-10-2007 07:43 AM

You could create a new chain:

Code:

$IPTABLES -t filter -N LOGDROP
$IPTABLES -I FORWARD 1 -s 68.28.144.66 -j LOGDROP
$IPTABLES -A FORWARD -o $EXTIF -d 68.28.144.66 -j LOGDROP

$IPTABLES -t filter -A LOGDROP -j LOG --log-prefix "BLOCKED: "
$IPTABLES -t filter -A LOGDROP -j REJECT

If you're not interested in logging, you only need lines 2 and 3 (just change LOGDROP to REJECT).
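An added example (not code from either poster) that applies the ordering point behind TylerD75's `-I FORWARD 1`: iptables stops at the first matching rule, and the original script appends `-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT` before its REJECT lines, so those REJECTs are never reached. It assumes eth0 is the internet side and eth1 the LAN side, reuses the addresses from the post, and with `IPTABLES` unset only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumptions: eth0 = internet
# side, eth1 = LAN side; LAN host and blocked site are the post's addresses.
# With IPTABLES unset this is a dry run that only prints the commands.
set -eu
IPTABLES="${IPTABLES:-echo iptables}"   # IPTABLES=iptables sh block.sh to apply
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
LAN_HOST="${LAN_HOST:-192.168.0.40}"
BLOCKED_SITE="${BLOCKED_SITE:-68.28.144.66}"

# Dedicated chain: log (rate limited, so a retrying client cannot fill the
# log) and then reject, so the LAN host's browser fails at once instead of
# hanging until a timeout.
make_block_chain() {
    $IPTABLES -t filter -N BLOCKSITE 2>/dev/null || $IPTABLES -t filter -F BLOCKSITE
    $IPTABLES -t filter -A BLOCKSITE -m limit --limit 5/min \
        -j LOG --log-prefix "BLOCKED: "
    $IPTABLES -t filter -A BLOCKSITE -j REJECT --reject-with icmp-port-unreachable
}

# Insert (-I) at positions 1 and 2 rather than append (-A): the jumps then sit
# ahead of the blanket ACCEPT and ahead of the ESTABLISHED,RELATED rule, so
# packets of connections that are already open are cut off as well.
block_site() {
    make_block_chain
    $IPTABLES -I FORWARD 1 -i "$INTIF" -o "$EXTIF" \
        -s "$LAN_HOST" -d "$BLOCKED_SITE" -j BLOCKSITE
    $IPTABLES -I FORWARD 2 -i "$EXTIF" -o "$INTIF" \
        -s "$BLOCKED_SITE" -d "$LAN_HOST" -j BLOCKSITE
}

# Check for a live box: feed it the output of "iptables -S FORWARD" and it
# succeeds only if the jump to BLOCKSITE precedes the first ACCEPT rule.
jump_precedes_accept() {
    printf '%s\n' "$1" | awk '/-j BLOCKSITE/ { found = 1 }
                              /-j ACCEPT/ && !found { exit 1 }'
}

block_site
```

Because the jumps sit ahead of the ESTABLISHED,RELATED rule, traffic of connections that were open before the rules went in is rejected too, so no separate step is needed to kill them.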

