Urgently! Need help about iptables and internet gateway/firewall


pratchaya
2006-01-24, 11:42 AM CST
Hi,

I need your help about an internet gateway (firewall: iptables).
Now I key in the commands below, but I can't use my computer on the local network to use the internet
(web browser + MSN).

My objective:
1. Only want computer IP 192.168.0.111 to use web + MSN
(no other connections allowed, such as FlashGet/GetRight/BitTorrent)
2. Do not permit other computers to use the internet at all

Can anyone help me?
Thank you very much
Pratchaya


######################

My Network Diagram.

ADSL Router <===> { eth1::: My Server :::: eth0 <===> Local network (192.168.0.xx )

################## My command line ############################
/sbin/service iptables stop

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.111 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.111 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.111 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.111 -p tcp --dport 3128 -j ACCEPT

service iptables save
################## End My command line ############################



################## Result 1 ############################
[root@firewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.111 anywhere tcp dpt:http
ACCEPT tcp -- 192.168.0.111 anywhere tcp dpt:1863
ACCEPT tcp -- 192.168.0.111 anywhere tcp dpt:https
ACCEPT tcp -- 192.168.0.111 anywhere tcp dpt:squid

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@firewall ~]#

################## Result 2 ############################
[root@firewall ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@firewall ~]#

SickFreak
2006-01-24, 10:19 PM CST
pratchaya,
My first instinct here is that you can block all
outgoing connections using the nat table. If the only
computer you want to allow to have internet connectivity
is 192.168.0.111, you can block all outgoing connections
from other computers by using a command such as this:

iptables -t nat -I POSTROUTING -s ! 192.168.0.111 -j DROP

What this will do is effectively block all outgoing
packets, regardless of interface or connection type from
any host that is not you. This will work as long as your
IP address remains 192.168.0.111. If you change it to
another address, your packets will also be blocked by this
rule. To see if this rule is being enacted, please enter
this command:

iptables-save -c -t nat

Here I have included the results of such a command. In the
brackets at the far left is [packets:bytes]. This number
will get bigger when hosts other than you attempt to send
packets off your home network. It shows you how often this
particular rule has been used.

[9:544] -A POSTROUTING -s ! 192.168.0.111 -j DROP

I tested this command on my home network to see if it works,
and it does.

I hope this helps you safeguard your network. If you need
further help, please feel free to post again.

SickFreq
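A way to check the counters SickFreak describes without reading the whole dump, as an added example that is not part of the original post: a small POSIX shell helper that reads `iptables-save -c` output and reports the packet counter of one rule, or of a chain's default policy. The dump in `SAMPLE` is constructed for this example (it is not a capture from the poster's firewall); on a live gateway you would pipe `iptables-save -c -t nat` into the same functions as root.

```shell
#!/bin/sh
# Added example: read the [packets:bytes] counters that `iptables-save -c`
# prints in front of every rule and chain, and report how often one rule
# (or a chain's default policy) has matched.
#
# SAMPLE is constructed output in the format iptables-save -c emits; it is
# NOT a capture from the poster's firewall.
SAMPLE='# Generated by iptables-save v1.3.5 on Wed Jan 25 09:00:00 2006
*nat
:PREROUTING ACCEPT [120:7200]
:POSTROUTING ACCEPT [45:2880]
:OUTPUT ACCEPT [0:0]
[9:544] -A POSTROUTING -s ! 192.168.0.111 -j DROP
[31:1980] -A POSTROUTING -o eth1 -j MASQUERADE
[77:4620] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Wed Jan 25 09:00:00 2006'

# rule_packets RULE_TEXT   (iptables-save -c output on stdin)
# Prints the packet counter of the first rule whose text contains RULE_TEXT
# as a fixed string. Prints nothing and returns 1 when no rule matches.
rule_packets() {
    awk -v needle="$1" '
        /^\[[0-9]+:[0-9]+\] / && index($0, needle) {
            split(substr($1, 2, length($1) - 2), c, ":")
            print c[1]; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# chain_policy_packets CHAIN   (iptables-save -c output on stdin)
# Prints how many packets fell through to CHAIN'"'"'s default policy, i.e.
# were handled by no rule at all. Returns 1 if the chain is not in the dump.
chain_policy_packets() {
    awk -v chain=":$1" '
        $1 == chain && $3 ~ /^\[[0-9]+:[0-9]+\]$/ {
            split(substr($3, 2, length($3) - 2), c, ":")
            print c[1]; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration on the constructed sample.
printf 'DROP rule matched %s packets\n' \
    "$(printf '%s\n' "$SAMPLE" | rule_packets '-s ! 192.168.0.111 -j DROP')"
printf 'POSTROUTING policy handled %s packets\n' \
    "$(printf '%s\n' "$SAMPLE" | chain_policy_packets POSTROUTING)"
```

On a real box the same check is `iptables-save -c -t nat | rule_packets '-s ! 192.168.0.111 -j DROP'`; take one reading, generate traffic from a host that should be blocked, take another, and the difference tells you whether that rule is the one doing the blocking rather than some other rule or the chain policy.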

pratchaya
2006-01-24, 11:59 PM CST
Hi again,

Thank you very much for your idea.
It's very useful for me, sir.

But I need your help again, sir.

My other objective is:
1. To study iptables more deeply.

Because next I want to specify something like these:
1. Want 192.168.0.111, 192.168.0.20, 192.168.0.45 to be able to use web + MSN
2. Want 192.168.0.112 to use only web (no MSN and others)
3. Want 192.168.0.113 to be able to use all (web + MSN + FlashGet)
4. Want to block all P2P programs (BitTorrent, BitComet, Kazaa and others...)

Special, maybe:
5. Want only the specific IP 192.168.0.114 to be able to use BitTorrent

Can you help me, sir?
Thank you very much.
Pratchaya

PS. My problem and test in the message above:
: I can still use 192.168.0.111 to use web + MSN
:: What did I do wrong in my iptables command line, sir?

SickFreak
2006-01-25, 08:59 AM CST
pratchaya,
Let's take this one step at a time. Did my suggestion for only allowing 192.168.0.111 internet access work? Before we tackle the other issues, I want to be certain we can get the small steps down.

Can you tell me if the suggestion worked. If not, we can fix it. If it did, we will move on to bigger things.

SickFreq

pratchaya
2006-01-25, 11:39 PM CST
Hi,

Now I have succeeded in making my server a firewall
(as internet gateway/firewall).

I need your help and your suggestion again about more security.
Because I know my INPUT / OUTPUT chains are open.
How can I make them more secure?


Thank you very much
Pratchaya



My Network Diagram.
===============


ADSL Router <===> { eth1::: My Server :::: eth0 <===> Local network (192.168.0.xx )


==================================================
My Command line
===============


service iptables stop
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -p tcp -m multiport --dports 53,80,110,143,443,993,995,3128 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -p udp -m multiport --dports 53,110,143,993,995,1863 -j ACCEPT
service iptables save


==================================================
My Iptable List
===============


[root@firewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination


Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 anywhere multiport dports domain,http,pop3,imap,https,imaps,pop3s,squid
ACCEPT udp -- 192.168.0.0/24 anywhere multiport dports domain,pop3,imap,imaps,pop3s,1863


Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@firewall ~]#
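A complete ruleset for the eth0 (LAN) / eth1 (ADSL) gateway in the thread, covering both the per-host policy listed in the second post and the question of closing the INPUT and OUTPUT chains, as an added example that is not part of the original posts. It is written as a generator for `iptables-restore` input so the policy can be reviewed as text before anything is applied. Assumptions (all mine, not from the thread): the host classes below, 192.168.0.111 as the only host allowed to SSH in, LAN clients resolving DNS themselves through the gateway, Squid on the gateway at 3128, and TCP 6881-6999 as the BitTorrent range (port-based matching only catches clients on their default ports). One point the posted rules make visible: with the port-80 REDIRECT in place, web access is decided in INPUT at port 3128, not in FORWARD, so an open INPUT chain gives every LAN host web regardless of the FORWARD rules; the example therefore lists the web-permitted hosts in INPUT as well.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the gateway in the
# thread (eth0 = LAN, eth1 = ADSL) with per-host forwarding policy and
# INPUT/OUTPUT closed by default. Host classes, the admin host, and the
# BitTorrent port range are assumptions for illustration.
LAN=eth0
WAN=eth1
SQUID_PORT=3128
ADMIN_HOST=192.168.0.111                 # assumed: the only host allowed to SSH in
WEB_ONLY_HOSTS="192.168.0.112"
WEB_MSN_HOSTS="192.168.0.111 192.168.0.20 192.168.0.45"
FULL_HOSTS="192.168.0.113"
BT_HOSTS="192.168.0.114"
BT_PORTS=6881:6999                        # assumed: classic BitTorrent listen range

# Print the ruleset in iptables-restore format. Nothing is applied here.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Transparent proxy: LAN port 80 is handed to Squid on this box, so web
# access is decided in INPUT (port $SQUID_PORT), not in FORWARD.
-A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:WEB - [0:0]
:WEB_MSN - [0:0]
# --- INPUT: only what the gateway itself must serve ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
EOF
    # Squid is reachable only from hosts that are allowed web access.
    for h in $WEB_ONLY_HOSTS $WEB_MSN_HOSTS $FULL_HOSTS $BT_HOSTS; do
        printf '%s\n' "-A INPUT -i $LAN -s $h -p tcp --dport $SQUID_PORT -j ACCEPT"
    done
    cat <<EOF
# --- FORWARD: new connections only LAN -> ADSL, then per host ---
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i $LAN -j DROP
-A FORWARD ! -o $WAN -j DROP
EOF
    for h in $FULL_HOSTS; do
        printf '%s\n' "-A FORWARD -s $h -j ACCEPT"
    done
    for h in $BT_HOSTS; do
        printf '%s\n' "-A FORWARD -s $h -p tcp --dport $BT_PORTS -j ACCEPT"
        printf '%s\n' "-A FORWARD -s $h -j WEB"
    done
    for h in $WEB_MSN_HOSTS; do printf '%s\n' "-A FORWARD -s $h -j WEB_MSN"; done
    for h in $WEB_ONLY_HOSTS; do printf '%s\n' "-A FORWARD -s $h -j WEB"; done
    cat <<EOF
# Web class: DNS plus HTTPS (port 80 never reaches FORWARD, see nat).
-A WEB -p udp --dport 53 -j ACCEPT
-A WEB -p tcp --dport 443 -j ACCEPT
# MSN class: the messenger port plus everything in WEB.
-A WEB_MSN -p tcp --dport 1863 -j ACCEPT
-A WEB_MSN -j WEB
# --- OUTPUT: what Squid and name resolution need; extend for updates ---
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $WAN -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN -p tcp -m multiport --dports 53,80,443 -j ACCEPT
COMMIT
EOF
}

# Number of FORWARD rules that name a given source host (policy review aid).
forward_rules_for() {
    ruleset | grep -c -- "-A FORWARD -s $1 "
}

case "${1:-show}" in
    show)  ruleset ;;
    apply) ruleset | iptables-restore && echo "ruleset applied" ;;   # needs root
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the ruleset and read it through; `sh gateway.sh apply` (as root) loads it atomically with `iptables-restore`, which replaces the running tables in one step instead of appending to whatever `service iptables` left behind. Hosts that appear in no list get nothing: no FORWARD rule matches them and the port-80 REDIRECT lands on an INPUT chain that does not accept them.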