From: Raven on 4 May 2008 13:10

Hi,

I am currently implementing level 7 packet filtering on my Debian gateway with ipp2p. This has been done to prevent wireless users from using well known file sharing applications (edonkey, bittorrent, kazaa, etc.). The current iptables configuration that I have is doing everything very well.

Now I want to be able to run the amuled daemon ON the Debian router, but I am not really sure how to tell iptables to whitelist the traffic that is not being forwarded. In other words, the ipp2p module should not drop the packets originating from/destined to the router itself.

Here is my current script:

#!/bin/sh

# Interface connected to Internet
INTERNET="eth1"

# Address connected to LAN
LOCAL="10.0.1.0/24"

# VPN
VPN="5.0.0.0/8"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable Munin stats (no -j target: these rules only count packets)
iptables -A INPUT -d 37.244.81.222
iptables -A OUTPUT -s 37.244.81.222
iptables -A FORWARD -i eth1
iptables -A INPUT -d 10.0.1.2
iptables -A OUTPUT -s 10.0.1.2
iptables -A FORWARD -i eth0

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# unlimited access to VPN
iptables -A INPUT -s $VPN -j ACCEPT
iptables -A OUTPUT -s $VPN -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Thanks for your help guys

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
From: Kevin Buhr on 4 May 2008 16:00

Raven <raven(a)vp44.net> writes:

> Now I want to be able to run the amuled daemon ON the debian router but
> I am not really sure how to tell iptables to whitelist the traffic that
> is not being forwarded.
> In other words, the ipp2p module should not drop the packets originating
> from/destined to the router itself.

[ . . . ]

> # Block P2P
> iptables -A FORWARD -m ipp2p --ipp2p -j DROP
> iptables -A INPUT -m ipp2p --ipp2p -j DROP
> iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

I haven't used "ipp2p" before, but if you delete the INPUT and OUTPUT rules and keep the FORWARD rule, I think that would do what you want. Packets to and from the amuled daemon (whether from the Internet, wireless nodes, or whatever) will pass through the INPUT and OUTPUT tables and be permitted, but P2P packets between wireless nodes and the big, bad Internet will pass through the FORWARD table and be dropped by the remaining rule.

--
Kevin Buhr <buhr+debian(a)asaurus.net>
From: Adrian Levi on 4 May 2008 17:30

2008/5/5 Raven <raven(a)vp44.net>:
> I am not really sure how to tell iptables to whitelist the traffic that
> is not being forwarded.
> In other words, the ipp2p module should not drop the packets originating
> from/destined to the router itself.
>
> Here is my current script:

As Kevin has already stated, the input and output chains/tables are for the local machine only, and all forwarded traffic goes through the forward chain only.

At a quick glance your current script seems to do what you want. Do some testing both from expected IP ranges and unexpected IP ranges.

Adrian
--
24x7x365 != 24x7x52 Stupid or bad maths?
<erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.
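As an added example (not code from any of the list posts), a small Python model of the chain dispatch Kevin and Adrian describe: packets addressed to the router traverse INPUT, packets it originates traverse OUTPUT, and routed traffic traverses FORWARD, so dropping the ipp2p rules from INPUT and OUTPUT spares amuled on the router while the FORWARD rule still catches the wireless clients. The router's addresses come from the posted script; the peer and client addresses are constructed.

```python
"""Model of the netfilter filter-table chain dispatch (added example, not code from the
list posts). Only the '-m ipp2p --ipp2p -j DROP' rules are modelled; the other rules of
the posted script are out of scope. Addresses other than the router's are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address

# The router's own addresses, taken from the Munin rules in the posted script.
ROUTER_ADDRS = {ip_address("37.244.81.222"), ip_address("10.0.1.2")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    is_p2p: bool  # stands in for what the ipp2p payload match would report


def chain_for(pkt: Packet) -> str:
    """Filter-table chain a packet traverses on the router."""
    if ip_address(pkt.dst) in ROUTER_ADDRS:
        return "INPUT"       # addressed to the router itself
    if ip_address(pkt.src) in ROUTER_ADDRS:
        return "OUTPUT"      # originated by a process on the router
    return "FORWARD"         # routed between LAN and Internet


def verdict(pkt: Packet, drop_chains: set) -> tuple:
    """(chain, verdict) given the set of chains carrying the ipp2p DROP rule."""
    chain = chain_for(pkt)
    if pkt.is_p2p and chain in drop_chains:
        return chain, "DROP"
    return chain, "ACCEPT"


ORIGINAL = {"FORWARD", "INPUT", "OUTPUT"}  # Raven's posted script
FIXED = {"FORWARD"}                         # Kevin's suggestion

# Constructed sample traffic; 203.0.113.10 is a documentation-range Internet peer.
WIRELESS_P2P = Packet("10.0.1.50", "203.0.113.10", True)   # LAN client -> Internet
AMULED_OUT = Packet("37.244.81.222", "203.0.113.10", True)  # amuled on router -> peer
AMULED_IN = Packet("203.0.113.10", "37.244.81.222", True)   # peer -> amuled on router

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for pkt in (WIRELESS_P2P, AMULED_OUT, AMULED_IN):
            print(f"{label:8} {pkt.src:>14} -> {pkt.dst:<14} {verdict(pkt, rules)}")
```

Whether inbound peer connections actually reach amuled still depends on the INPUT policy and the ESTABLISHED,RELATED rule in the posted script; the model covers only which chain the ipp2p rules fire in.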
From: Raven on 4 May 2008 17:50

On Mon, 2008-05-05 at 07:23 +1000, Adrian Levi wrote:
> 2008/5/5 Raven <raven(a)vp44.net>:
> > I am not really sure how to tell iptables to whitelist the traffic that
> > is not being forwarded.
> > In other words, the ipp2p module should not drop the packets originating
> > from/destined to the router itself.
> >
> > Here is my current script:
>
> As Kevin has already stated, the input and output chains/tables are
> for the local machine only, and all forwarded traffic goes through the
> forward chain only.
>
> At a quick glance your current script seems to do what you want.
> Do some testing both from expected IP ranges and unexpected IP ranges.
>
> Adrian

Works like a charm. Thanks!

-Raven