I've been reading and trying everything about iptables, but can't seem to get it right. Here's what I need along with my server info.

This setup is for a classroom environment. I am using Ubuntu 9.04 Desktop for this setup. I have a local server setup behind a DMZ. I have only 1 ethernet card (eth0). I wish to have total internet access for my server so I can use synaptic, the internet, and etc. I get my dhcp ip address from the local router/switch, usually something like 10.229.1.87. I also have my server's mac address to use and prefer if possible.

I need to allow local classroom computers, based on their mac address, access to ssh(thru a shell) to write/do each student's work in their "jailed home" and allow access to my local web(10.229.1.87) through Firefox so students can access my lessons. I put my lessons in my server(/var/www) for them to view.

I wish to DROP/REJECT all others trying anything else from within the DMZ. Logging would be nice and perhaps then I can place them in "hosts.deny" .

This is what I've gotten so far, which doesn't work.

#!/bin/bash
# Location of the iptables command
IPTABLES=/sbin/iptables

# Flush existing firewtcp rules
$IPTABLES -F

# Delete any extraneous chains which may exist from a previous script
$IPTABLES --delete-chain

# Change the default policy of tcp three chains to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# the server's own settings
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -m mac --mac-source 00:11:25:--:--:-- -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -m mac --mac-source 00:11:25:--:--:-- -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT # tcp lo loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT # tcp lo loopback

# my laptop's settings wireless and hard-wired
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:17:--:--:--:-- -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:21:--:--:--:-- -j ACCEPT

# put each classroom computer's 'info' below
# computer #1
# $IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:23:ae:--:--:-- --syn -m limit --limit 3/m -j ACCEPT
# computer #2
# $IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:23:ae:--:--:-- --syn -m limit --limit 3/m -j ACCEPT
# etc for each local classroom computer

# drop others activity
# $IPTABLES -A INPUT -j DROP
# $IPTABLES -A FORWARD -j DROP
# $IPTABLES -A OUTPUT -j ACCEPT
# End
exit 0

-----
Thank you for your efforts!

What aspect doesn't work?

Also, the final DROPs will override everything before. The policy settings at the top are enough.

Nothing works. From the server I can't access the internet. From my laptop, I can't ssh onto the server. From another internal LAN computer that shouldn't have access, I can't ssh....which is good.

I'm really bad with iptables, but I found that using fwbuilder helped a lot (should be in the Ubuntu repos somewhere). It's a nice graphical package that creates the iptables rules for you. You can build them on a different machine than you want to install on if so desired.

Here are a couple of good tutorials:
http://www.howtoforge.com/getting-st...rewall-builder
http://debaday.debian.net/2009/03/15...rofessionally/

Okay let's start with your server. You basically want to allow inbound connections to TCP ports 21, 22, 80, and 443 from hosts within the same subnet and with a specific set of MAC addresses, while at the same time allowing all outbound connections from the server. Is my understanding correct? If so, this should do the trick:If my understanding of your intentions is not correct, please let me know and I'll make the appropriate changes for you. At this point, I'm starting to have doubts about whether you are referring to iptables rules on the server, or on a router/firewall sitting in front of it. As for your laptop, I would need you to elaborate a little bit before I could give you a script.

I got these errors related to "CHECK_MAC"

iptables v1.4.1.1: Couldn't load target `CHECK_MAC':/lib/xtables/libipt_CHECK_MAC.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

I made several changes to the script minutes after posting it, including a fix for the problem you just described. On a side note, make sure you edit the LAN variable accordingly (make it reflect your actual subnet).

Thank you win32sux!!! Your rewrite works!!! Yeehaw. I got the LAN variable first thing. I also added:

$IPT -A CHECK_MAC -j LOG --log-prefix "CHECK_MAC DROP: "
$IPT -A CHECK_MAC -j DROP

to the end again. It is cool? Looks like it might work.

Question: What adjustments can prohibit DOS attacks via a student trying so from the classroom(approved mac) on the ssh port? I'd like something around 3/m limit per mac address.

Thanks again.

PS -> By the way, if you are OK with it, I'm going to add you as "win32sux" from linuxquestions.org as a contributor to this project. I'm also going to add "blackhole54" for his contribution to an earlier script to prevent multiple users from logging on from the 'same' computer. IE. prevent copying(cheating).

I'm happy to hear that.

Yeah, that should work fine. The packet would get sent to DROP at the end of the CHECK_MAC chain, instead of at the end of the INPUT chain. Even though the packet would have still been sent to DROP in my version, your addition makes it easy to spot packets that are being sent to DROP specifically because they don't match any of the allowed MACs. So yeah, I think it's cool.

Maybe this thread can give you some ideas. I don't think the solution we ended up with there made use of MAC-based filtering, but it shouldn't be too hard to introduce with a few tweaks.

Sure, I'm totally cool with that.

Awesome! Here's a link to that thread in case anyone wishes to check it out.

Moved: This thread is more suitable in 'Linux Security' and has been moved accordingly to help your thread/question get the exposure it deserves.

Thanks again! I remembered this bit, setting the /etc/security/limits.conf to:

@students - maxlogins 2

where @students is a group consisting of all my students.

This combined with this iptable script(from win32sux) should do the trick. Especially with the "jail" setup, and blackhole54 script. Thanks!