Old 08-09-2007, 02:28 PM   #1
Histamine
LQ Newbie
Registered: Jun 2007
Posts: 20

Rep: Reputation: 0
trying to block user from accessing external web site with iptables


I'm trying to block my users from accessing an external website through iptables, but I'm not having much luck. I need some help please... My firewall script follows:

Code:
# $IPTABLES, $EXTIF, $INTIF and $INTIF2 are set earlier in the script (not shown here)
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " INPUT: Blocking ports that have no reason being open to the internet"
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 37 -j REJECT # Time
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 53 -j REJECT # DNS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 110 -j REJECT # POP3
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 111 -j REJECT # RPCbind
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 111 -j REJECT # RPCbind
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 137 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 138 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 139 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 515 -j REJECT # LPD printing
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 631 -j REJECT # IPP
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 799 -j REJECT #
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 2049 -j REJECT # NFS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 2049 -j REJECT # NFS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 2844 -j REJECT # checkups
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 6000 -j REJECT # X Windows
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 4000 -j REJECT # Service CEO forward
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 800 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 813 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 819 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 3000 -j REJECT # MDaemon Worldclient forward

#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 110 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 137 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 138 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 139 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 515 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 6000 -j REJECT

echo " Blocking all peer-to-peer ports"
$IPTABLES -A FORWARD -p tcp --destination-port 554 -j REJECT # streaming
$IPTABLES -A FORWARD -p tcp --destination-port 1214 -j REJECT # KaZaa
$IPTABLES -A FORWARD -p tcp --destination-port 6699 -j REJECT # Napster WinMX
$IPTABLES -A FORWARD -p tcp --destination-port 6346 -j REJECT # Limewire
$IPTABLES -A FORWARD -p udp --destination-port 6346 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6347 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6348 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6349 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6350 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6351 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6352 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6353 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6354 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6355 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 5634 -j REJECT # Limewire


echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # accepts every LAN-to-internet packet; FORWARD rules appended after this are never reached
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF2 -j MASQUERADE

$IPTABLES -A FORWARD -s 68.28.144.66 -d 192.168.0.40 -j REJECT # appended behind the ACCEPT rules above, so no forwarded packet reaches it
$IPTABLES -A FORWARD -s 192.168.0.40 -d 68.28.144.66 -j REJECT # same problem: never reached
$IPTABLES -A INPUT -s 68.28.144.66 -j DROP # INPUT and OUTPUT only see traffic to and from the firewall box itself, not forwarded traffic
$IPTABLES -A OUTPUT -d 68.28.144.66 -j DROP

I use IP masq to forward the internet around the building. The last four lines are what I've been trying; they don't seem to work.

If you also have a way to kill a forwarded connection, I'd like to hear it.

TIA
Old 08-10-2007, 08:43 AM   #2
TylerD75
Member
Registered: Aug 2004
Location: Norway
Distribution: Gentoo
Posts: 96

Rep: Reputation: 18
You could create a new chain:

Code:
$IPTABLES -t filter -N LOGDROP # new user-defined chain
$IPTABLES -I FORWARD 1 -s 68.28.144.66 -j LOGDROP # inserted at position 1, ahead of the ACCEPT rules
$IPTABLES -A FORWARD -o $EXTIF -d 68.28.144.66 -j LOGDROP # appended; it only sees packets if it ends up before the "-i $INTIF -o $EXTIF -j ACCEPT" rule

$IPTABLES -t filter -A LOGDROP -j LOG --log-prefix "BLOCKED: " # log the packet
$IPTABLES -t filter -A LOGDROP -j REJECT # then reject it
If you're not interested in logging, you only need line 2 and 3 (just change LOGDROP to REJECT).
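A fuller version of the same idea, as an added example that is not from either poster: it inserts the jump rules at the head of FORWARD in both directions so they are evaluated before the blanket ACCEPT (which also means an already open connection to the site is cut off, which the original post asked about), rate-limits the log and answers web connections with a TCP reset. It assumes the $IPTABLES, $EXTIF and $INTIF variables of the original script; the interface defaults, the SITEBLOCK chain name and the DRY_RUN switch are this example's own placeholders, and the optional conntrack step needs conntrack-tools installed.

```shell
#!/bin/sh
# Added example, not the thread's own script. Uses the original post's
# variables ($IPTABLES, $EXTIF = uplink, $INTIF = LAN side); the defaults
# below are placeholders. DRY_RUN=1 prints the commands instead of running them.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# block_site SITE_IP [CLIENT_IP]   (CLIENT_IP defaults to every LAN host)
# The jump rules are INSERTED at the head of FORWARD, so they are checked
# before "-i $INTIF -o $EXTIF -j ACCEPT" and before the ESTABLISHED,RELATED
# ACCEPT. Rules appended with -A, as in the original script, sit behind that
# ACCEPT and never see a packet. Being first also means packets of a
# connection that is already open are rejected, which kills it.
block_site() {
    site="$1"
    client="${2:-0/0}"
    run "$IPTABLES" -N SITEBLOCK 2>/dev/null || true   # already exists on reruns
    run "$IPTABLES" -F SITEBLOCK
    # rate-limited log so one chatty client cannot flood the syslog
    run "$IPTABLES" -A SITEBLOCK -m limit --limit 6/min -j LOG --log-prefix "BLOCKED: "
    # a TCP reset makes browsers fail at once instead of timing out
    run "$IPTABLES" -A SITEBLOCK -p tcp -j REJECT --reject-with tcp-reset
    run "$IPTABLES" -A SITEBLOCK -j REJECT
    # replies site -> client first, then client -> site in front of it
    run "$IPTABLES" -I FORWARD 1 -i "$EXTIF" -o "$INTIF" -s "$site" -d "$client" -j SITEBLOCK
    run "$IPTABLES" -I FORWARD 1 -i "$INTIF" -o "$EXTIF" -s "$client" -d "$site" -j SITEBLOCK
    # optional: also drop the conntrack entries (needs conntrack-tools)
    if [ -z "${DRY_RUN:-}" ] && command -v conntrack >/dev/null 2>&1; then
        conntrack -D -d "$site" >/dev/null 2>&1 || true
    fi
}

# unblock_site SITE_IP [CLIENT_IP]: remove the two jump rules again
unblock_site() {
    site="$1"
    client="${2:-0/0}"
    run "$IPTABLES" -D FORWARD -i "$INTIF" -o "$EXTIF" -s "$client" -d "$site" -j SITEBLOCK
    run "$IPTABLES" -D FORWARD -i "$EXTIF" -o "$INTIF" -s "$site" -d "$client" -j SITEBLOCK
}

# Demo with the addresses from the thread; only prints when DRY_RUN=1 is set.
if [ "${DRY_RUN:-}" = 1 ]; then
    block_site 68.28.144.66 192.168.0.40
fi
```

Run it as `DRY_RUN=1 sh block_site.sh` to review the rules first; to apply them, source the file as root and call `block_site` (and later `unblock_site`) yourself.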