Question for iptables.

mkp · 11-14-2009, 02:10 PM

Hi, i have network of 10-15 pc, i want to block some sites with iptables, but allow for 2-3 pc. How to do it?

Tinkster · 11-14-2009, 02:37 PM

Depends on your existing rule-set. What have you got? Sanitise output
before posting - don't tell the world your public IP ;}

Cheers,
Tink

arckane · 11-14-2009, 02:55 PM

Just an idea, but look up Squid Proxy as well

win32sux · 11-14-2009, 05:38 PM

Yeah, if by "sites" you mean Web sites, then Squid would be a much better choice than iptables.

To get an idea of what's involved, check out this thread.

mkp · 11-15-2009, 12:44 PM

Ok, lets say i have rules to block 1.2.3.4 for my network (10 pc), like this:

iptables -A INPUT -s 1.2.3.4 -j DROP

so, how i allow this web site(1.2.3.4) to 1 pc of these 10?

etc. i have squid, but want do it with iptables. And tanks to all.

r3sistance · 11-15-2009, 01:24 PM

Use a rule previous to that one with a defined destination... for example.

iptables -I INPUT -s 1.2.3.4 -d 192.168.0.9 -j ACCEPT

Where 192.168.0.9 is the machine you wish to allow to connect to the IP.

mkp · 11-15-2009, 01:40 PM

Thanks, i'll try it tomorrow.

win32sux · 11-15-2009, 08:09 PM

Quote:

Originally Posted by mkp

Ok, lets say i have rules to block 1.2.3.4 for my network (10 pc), like this:

iptables -A INPUT -s 1.2.3.4 -j DROP

so, how i allow this web site(1.2.3.4) to 1 pc of these 10?

etc. i have squid, but want do it with iptables. And tanks to all.

If this is for your network, why are you using the INPUT chain? If you're doing packet forwarding you're gonna need to do this in the FORWARD chain. Here's an example of what it might look like:

Code:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.3 -d 1.2.3.4 -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -d 1.2.3.4 -j REJECT
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j ACCEPT

Here, the LAN PC with IP 192.168.1.3 is allowed to connect to IP 1.2.3.4 on the WAN side, while al the other PCs are denied access. Keep in mind that a Web site's IP address can change any time, and there can be multiple IPs for a given site, so don't rely on iptables for this sort of thing if you're looking for effective access control measures (use Squid instead).

mkp · 11-16-2009, 01:04 AM

Quote:

Originally Posted by win32sux

........ Keep in mind that a Web site's IP address can change any time, and there can be multiple IPs for a given site, ......

I now that.

Quote:

Originally Posted by win32sux

............. (use Squid instead).

I think that what i need, can't do it with squid. Lets say i have 5 pc(IT dep.) with full rights,have 100 pc with limit rights and have 10 pc(design studio) witch must have full rights, but their boss want they cannot open web sites like facebook,twitter, etc. So, how i do it with squid? I have squid, here is my squid.conf:

mynet.acl - IT dep.
banned.acl - blocked web sites by ip.
block_url.acl - words like porno, sex, etc.
ogranichenaskorost.acl - limit speed

Code:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
#acl Safe_ports port 21         # ftp
acl Safe_ports port 443 563     # https, snews
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210                # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280                # http-mgmt
#acl Safe_ports port 488                # gss-http
#acl Safe_ports port 591                # filemaker
#acl Safe_ports port 777                # multiling http
#acl Safe_ports port 901                # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"

#acl malkoprava src "/etc/squid/malkoprava.acl"
#acl mnogoprava src "/etc/squid/mnogoprava.acl"
acl banned dst "/etc/squid/banned.acl"
#acl ebanking src "/etc/squid/ebanking.acl"
#acl ebanking_url url_regex -i e-postbank.bg
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl
acl good url_regex "/etc/squid/allow_url.acl
# Facebook range
acl block_range dst 69.63.0.0/16

##max connections per ip
acl maxuserconn src 192.168.0.0/16
acl limitusercon maxconn 30
http_access deny maxuserconn limitusercon

Код:
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
http_access deny download
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access allow !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#
acl our_networks src 192.168.0.0/16

#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks

# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range

#http_access deny malkoprava
#http_access allow mnogoprava
http_access allow good
http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all

How block specific web sites for these 10 pc?

win32sux · 11-16-2009, 02:14 AM

Quote:

Originally Posted by mkp

I think that what i need, can't do it with squid. Lets say i have 5 pc(IT dep.) with full rights,have 100 pc with limit rights and have 10 pc(design studio) witch must have full rights, but their boss want they cannot open web sites like facebook,twitter, etc. So, how i do it with squid?

Did you search LQ? I ask because there's been tons of discussions which show how to achieve this sort of configuration. For example, see this thread. Assuming that what you meant is that those 100 PCs can only browse certain sites (while the 10 PCs will only be blocked from certain sites), then this could fit together like this:

Code:

acl IT_department src 192.168.1.11-192.168.1.15
acl the_hundred src 192.168.1.101-192.168.1.200
acl design_studio src 192.168.1.231-192.168.1.240
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"

# Grant full access for the IT department:
http_access allow IT_department

# Grant access to certain sites for the 100 PCs:
http_access allow the_hundred allowed_sites

# Deny access to certain sites for the design studio PCs:
http_access deny banned_sites design_studio

# Grant access to anything not banned for the design studio PCs:
http_access allow design_studio

# Take care of everything else:
http_access deny all

mkp · 11-16-2009, 02:26 AM

Thanks win32sux for help, you are very patient. I can't believe, but i think this will work. I'll try it now.

mkp · 11-16-2009, 06:55 AM

My new squid.conf:

Code:

acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"
acl banned dst "/etc/squid/banned.acl"
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl
acl good url_regex "/etc/squid/allow_url.acl
acl block_range dst 69.63.0.0/16
acl design_studio src 192.168.10.185
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
http_access deny download
http_access deny banned_sites design_studio
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access allow !Safe_ports
http_access allow design_studio
http_access allow download design_studio
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_portsacl our_networks src 192.168.0.0/16

#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks

# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range
http_access deny banned_sites design_studio
http_access allow good
http_access allow our_networks
http_access allow design_studio
http_access allow download design_studio
# And finally deny all other access to this proxy
http_access deny all

Now they can't download, what i miss?

win32sux · 11-16-2009, 07:59 AM

Quote:

Originally Posted by mkp

My new squid.conf:

Code:

acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"
acl banned dst "/etc/squid/banned.acl"
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl
acl good url_regex "/etc/squid/allow_url.acl
acl block_range dst 69.63.0.0/16
acl design_studio src 192.168.10.185
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
http_access deny download
http_access deny banned_sites design_studio
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access allow !Safe_ports
http_access allow design_studio
http_access allow download design_studio
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_portsacl our_networks src 192.168.0.0/16

#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks

# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range
http_access deny banned_sites design_studio
http_access allow good
http_access allow our_networks
http_access allow design_studio
http_access allow download design_studio
# And finally deny all other access to this proxy
http_access deny all

Now they can't download, what i miss?

I'm not sure if this is what you're referring to (you didn't state who they are), but the condition I painted in green wouldn't ever happen, as the line I painted in red would have denied access already. The effect would be what you've described, and one possible fix would be to move the green line above the red one. You'll probably want to move the line I painted blue above both of those too (unless your intention is to let them download from the banned sites).

BTW, you've got a bunch of duplicate lines in there which you should clean up.

mkp · 11-16-2009, 08:36 AM

Yes, it's now working. Thanks win32sux, you are the man. My new squid.conf:

Code:

acl our_networks src 192.168.0.0/16
# Only allow cachemgr access from localhost
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny bad
http_access deny banned
http_access deny banned_sites design_studio
http_access allow download design_studio
http_access deny download
http_access allow our_networks
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access allow !Safe_ports
http_access allow design_studio
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#acl our_networks src 192.168.0.0/16

# And finally deny all other access to this proxy
http_access deny all