trying to block users from accessing web site with iptables

Histamine · 08-09-2007, 02:19 PM

I'm trying to block my users from accessing an external website through iptables, not having much luck. need some help please.... my firewall script follows

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " INPUT: Blocking ports that have no reason being open to the internet"
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 37 -j REJECT # Time
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 53 -j REJECT # DNS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 110 -j REJECT # POP3
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 111 -j REJECT # RPCbind
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 111 -j REJECT # RPCbind
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 137 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 138 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 139 -j REJECT # Samba
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 515 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 631 -j REJECT # IPP
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 799 -j REJECT #
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 2049 -j REJECT # NFS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 2049 -j REJECT # NFS
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 2844 -j REJECT # checkups
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 6000 -j REJECT # X Windows
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 4000 -j REJECT # Service CEO forward
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 800 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 813 -j REJECT
$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 819 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 3000 -j REJECT # MDaemon Worldclient forwad

#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 110 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 137 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p udp --dport 138 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 139 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 515 -j REJECT
#$IPTABLES -A INPUT -s 0/0 -d xxxxx -p tcp --dport 6000 -j REJECT

echo " Blocking all peer-to-peer ports"
$IPTABLES -A FORWARD -p tcp --destination-port 554 -j REJECT # streaming
$IPTABLES -A FORWARD -p tcp --destination-port 1214 -j REJECT # KaZaa
$IPTABLES -A FORWARD -p tcp --destination-port 6699 -j REJECT # Napster WinMX
$IPTABLES -A FORWARD -p tcp --destination-port 6346 -j REJECT # Limewire
$IPTABLES -A FORWARD -p udp --destination-port 6346 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6347 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6348 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6349 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6350 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6351 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6352 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6353 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6354 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 6355 -j REJECT # Limewire
$IPTABLES -A FORWARD -p tcp --destination-port 5634 -j REJECT # Limewire

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF2 -j MASQUERADE

$IPTABLES -A FORWARD -s 68.28.144.66 -d 192.168.0.40 -j REJECT
$IPTABLES -A FORWARD -s 192.168.0.40 -d 68.28.144.66 -j REJECT
$IPTABLES -A INPUT -s 68.28.144.66 -j DROP
$IPTABLES -A OUTPUT -d 68.28.144.66 -j DROP

I use IP masq to forward the internet around the building. the last four lines are what I've been trying, they don't seem to work.

If you also have a way to kill a forwarded connection, I'd like to hear it.

TIA

bakfupai · 08-09-2007, 02:52 PM

Problem is you have this rule:
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
Which obviously allows everything to be forwarded from $INTIF to $EXTIF to wherever. A firewall reads from top to bottom and when it finds a match it simply ignores the rest. So if you want to reject that website (and deny that IP to access anything on your MASQ box, and your MASQ box to access anything on that IP) you need to put:
$IPTABLES -A FORWARD -s 68.28.144.66 -d 192.168.0.40 -j REJECT
$IPTABLES -A FORWARD -s 192.168.0.40 -d 68.28.144.66 -j REJECT
$IPTABLES -A INPUT -s 68.28.144.66 -j DROP
$IPTABLES -A OUTPUT -d 68.28.144.66 -j DROP
ABOVE the mentioned rule.

Anyway, the general consensus is that firewalls should be built like this:
DENY everything.
then allow the things you need.

So maybe you can do:
iptables -P INPUT DROP
iptables -A INPUT -p tcp -i <interface> --dport <port to allow> -j ACCEPT

It's not exactly perfect but it's a start. Also, REJECTing ports means it sends an active response that the port is closed while DROP will just simply time out which is considered better.

yawe_frek · 08-10-2007, 09:36 AM

hi Histamine,

ohh ..are u sure p2p are been blocked. i dont think so. p2p has the ability to switch ports automatically. confirm this?