LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

08-09-2007, 01:19 PM   #1
Histamine
trying to block users from accessing web site with iptables


I'm trying to block my users from accessing an external website through iptables, and not having much luck. I need some help please.... My firewall script follows:

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " INPUT: Blocking ports that have no reason being open to the internet"
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 37 -j REJECT # Time
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 53 -j REJECT # DNS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 110 -j REJECT # POP3
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 111 -j REJECT # RPCbind
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 111 -j REJECT # RPCbind
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 137 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 138 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 139 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 515 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 631 -j REJECT # IPP
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 799 -j REJECT #
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 2049 -j REJECT # NFS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 2049 -j REJECT # NFS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 2844 -j REJECT # checkups
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 6000 -j REJECT # X Windows
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 4000 -j REJECT # Service CEO forward
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 800 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 813 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 819 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 3000 -j REJECT # MDaemon Worldclient forward

#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 110 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 137 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 138 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 139 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 515 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 6000 -j REJECT

echo " Blocking all peer-to-peer ports"
$IPTABLES -A FORWARD -p tcp --destination-port 554 -j REJECT # streaming
$IPTABLES -A FORWARD -p tcp --destination-port 1214 -j REJECT # KaZaa
$IPTABLES -A FORWARD -p tcp --destination-port 6699 -j REJECT # Napster WinMX
$IPTABLES -A FORWARD -p tcp --destination-port 6346 -j REJECT # Limewire
$IPTABLES -A FORWARD -p udp --destination-port 6346 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6347 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6348 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6349 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6350 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6351 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6352 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6353 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6354 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6355 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 5634 -j REJECT # Limewire


echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF2 -j MASQUERADE

# The four rules under test, appended here, i.e. after the FORWARD ACCEPT rules above
$IPTABLES -A FORWARD -s 68.28.144.66 -d 192.168.0.40 -j REJECT
$IPTABLES -A FORWARD -s 192.168.0.40 -d 68.28.144.66 -j REJECT
$IPTABLES -A INPUT -s 68.28.144.66 -j DROP
$IPTABLES -A OUTPUT -d 68.28.144.66 -j DROP

I use IP masq to forward the internet around the building. The last four lines are what I've been trying; they don't seem to work.

If you also have a way to kill a forwarded connection, I'd like to hear it.

TIA
 
08-09-2007, 01:52 PM   #2
bakfupai
The problem is that you have this rule:
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
This obviously allows everything to be forwarded from $INTIF to $EXTIF, to wherever. A firewall reads from top to bottom, and when it finds a match it simply ignores the rest. So if you want to reject that website (and deny that IP access to anything on your MASQ box, and deny your MASQ box access to anything on that IP) you need to put:
$IPTABLES -A FORWARD -s 68.28.144.66 -d 192.168.0.40 -j REJECT
$IPTABLES -A FORWARD -s 192.168.0.40 -d 68.28.144.66 -j REJECT
$IPTABLES -A INPUT -s 68.28.144.66 -j DROP
$IPTABLES -A OUTPUT -d 68.28.144.66 -j DROP
ABOVE the mentioned rule.

Anyway, the general consensus is that firewalls should be built like this:
DENY everything,
then allow the things you need.

So maybe you can do:
iptables -P INPUT DROP
iptables -A INPUT -p tcp -i <interface> --dport <port to allow> -j ACCEPT

It's not exactly perfect, but it's a start. Also, REJECTing ports means it sends an active response that the port is closed, while DROP will just simply time out, which is considered better.
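The ordering fix from reply #2, carried through as a complete script for the situation in post #1. This is an added example, not Histamine's script or bakfupai's reply: the addresses, interface variables and the four blocking rules come from the thread, while the BLOCKED chain, the APPLY/dry-run switch, the eth0/eth1 defaults and the conntrack call (which answers the "kill a forwarded connection" question, assuming conntrack-tools is installed) are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the thread): the blocking rules placed ahead of the
# blanket "-i $INTIF -o $EXTIF -j ACCEPT" rule, so the first match is the REJECT.
# Addresses and interface variables come from the thread; eth0/eth1 defaults,
# the BLOCKED chain name, the APPLY switch and conntrack use are assumptions.
#
# Default is a dry run that prints the commands. Run with APPLY=1 (as root) to execute.

EXTIF="${EXTIF:-eth0}"          # assumed external interface
INTIF="${INTIF:-eth1}"          # assumed internal interface
BLOCKED_SITE="68.28.144.66"     # site from the thread
CLIENT="192.168.0.40"           # client from the thread

if [ "${APPLY:-0}" = "1" ]; then
    IPTABLES="${IPTABLES:-iptables}"
    CONNTRACK="${CONNTRACK:-conntrack}"
else
    IPTABLES="echo iptables"
    CONNTRACK="echo conntrack"
fi

# FORWARD chain with the block list consulted first. iptables evaluates a chain
# top to bottom and stops at the first terminating target, so anything that
# must override the ACCEPT rules has to sit above them.
emit_forward_rules() {
    # Keep the blocks in their own chain; FORWARD jumps to it as rule 1, so
    # adding another site later never requires reordering the main chain.
    $IPTABLES -N BLOCKED 2>/dev/null
    $IPTABLES -F BLOCKED
    $IPTABLES -A BLOCKED -s "$CLIENT" -d "$BLOCKED_SITE" -j REJECT
    $IPTABLES -A BLOCKED -s "$BLOCKED_SITE" -d "$CLIENT" -j REJECT

    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -j BLOCKED                          # rule 1: block list
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT   # the blanket allow
}

# Traffic to/from the firewall host itself, as in the thread's last two lines.
emit_local_rules() {
    $IPTABLES -A INPUT -s "$BLOCKED_SITE" -j DROP
    $IPTABLES -A OUTPUT -d "$BLOCKED_SITE" -j DROP
}

# "Kill a forwarded connection": with BLOCKED as rule 1 the flow's packets are
# already rejected, but deleting its conntrack entries also clears the NAT
# mapping, and it is what you need whenever an ESTABLISHED accept sits above
# your block (assumes conntrack-tools).
kill_forwarded_connection() {
    $CONNTRACK -D -s "$CLIENT" -d "$BLOCKED_SITE"
    $CONNTRACK -D -s "$BLOCKED_SITE" -d "$CLIENT"
}

# Position (1-based) of the first command in the FORWARD section matching $1;
# lets a dry run prove that the block sits above the blanket ACCEPT.
rule_position() {
    emit_forward_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

emit_forward_rules
emit_local_rules
kill_forwarded_connection
```

After applying, check the order and the hit counts with `iptables -L FORWARD -n -v --line-numbers` and `iptables -L BLOCKED -n -v`: if the packet counters on the BLOCKED rules stay at zero while the client still reaches the site, the traffic is not taking the path you think it is.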
 
08-10-2007, 08:36 AM   #3
yawe_frek
Hi Histamine,

Ohh... are you sure P2P is being blocked? I don't think so. P2P has the ability to switch ports automatically. Can you confirm this?
 
  

