Old 05-04-2008, 04:57 PM
Raven
 
Default iptables "whitelist" rule

Hi
I am currently implementing level7 packet filtering on my Debian gateway
with ipp2p. This has been done to prevent wireless users from using well
known file sharing applications (edonkey, bittorrent, kazaa, etc.).
The current iptables configuration that I have is doing everything very
well.

Now I want to be able to run the amuled daemon ON the Debian router but
I am not really sure how to tell iptables to whitelist the traffic that
is not being forwarded.
In other words, the ipp2p module should not drop the packets originating
from/destined to the router itself.

Here is my current script:


# Interface connected to Internet
INTERNET="eth1"

# Address connected to LAN
LOCAL="10.0.1.0/24"

# VPN
VPN="5.0.0.0/8"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable Munin stats: these rules have no target (-j), so they only
# count matching packets for Munin's iptables plugin and never decide
# the fate of a packet
iptables -A INPUT -d 37.244.81.222
iptables -A OUTPUT -s 37.244.81.222
iptables -A FORWARD -i eth1

iptables -A INPUT -d 10.0.1.2
iptables -A OUTPUT -s 10.0.1.2
iptables -A FORWARD -i eth0

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept replies to connections the router opened (conntrack covers UDP, DNS and passive FTP)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# unlimited access to VPN
iptables -A INPUT -s $VPN -j ACCEPT
iptables -A OUTPUT -s $VPN -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP



Thanks for your help guys


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 05-04-2008, 07:29 PM
Kevin Buhr
 
Default iptables "whitelist" rule

Raven <raven@vp44.net> writes:
>
> Now I want to be able to run the amuled daemon ON the Debian router but
> I am not really sure how to tell iptables to whitelist the traffic that
> is not being forwarded.
> In other words, the ipp2p module should not drop the packets originating
> from/destined to the router itself.

[ . . . ]

> # Block P2P
> iptables -A FORWARD -m ipp2p --ipp2p -j DROP
> iptables -A INPUT -m ipp2p --ipp2p -j DROP
> iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

I haven't used "ipp2p" before, but if you delete the INPUT and OUTPUT
rules and keep the FORWARD rule, I think that would do what you want.
Packets to and from the amuled daemon (whether from the Internet,
wireless nodes, or whatever) will pass through the INPUT and OUTPUT
tables and be permitted, but P2P packets between wireless nodes and
the big, bad Internet will pass through the FORWARD table and be
dropped by the remaining rule.

--
Kevin Buhr <buhr+debian@asaurus.net>

 
Old 05-04-2008, 09:23 PM
"Adrian Levi"
 
Default iptables "whitelist" rule

2008/5/5 Raven <raven@vp44.net>:
> I am not really sure how to tell iptables to whitelist the traffic that
> is not being forwarded.
> In other words, the ipp2p module should not drop the packets originating
> from/destined to the router itself.
>
> Here is my current script:

As Kevin has already stated, the input and output chains/tables are
for the local machine only. And all forwarded traffic goes through the
forward chain only.

With a quick glance your current script seems to do what you want.
Do some testing both from expected IP ranges and not expected IP ranges.

Adrian

--
24x7x365 != 24x7x52 Stupid or bad maths?
<erno> hm. I've lost a machine.. literally _lost_. it responds to
ping, it works completely, I just can't figure out where in my
apartment it is.


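Kevin's point that router-local traffic traverses INPUT/OUTPUT while LAN-to-Internet traffic traverses FORWARD, and Adrian's advice to test from expected and unexpected address ranges, worked through as an added example (this is not code from the thread): it emits the P2P section with the ipp2p match kept only in FORWARD, models which chain a packet takes, and checks an `iptables -S` dump for leftover ipp2p rules in INPUT or OUTPUT. The router addresses are assumed from Raven's script (10.0.1.2 on the LAN side, 37.244.81.222 on the Internet side); the client 10.0.1.50, the remote peer 203.0.113.7 and the rule dumps are constructed. IPT defaults to `echo iptables` so it can be read and run without root or the ipp2p module.

```shell
#!/bin/sh
# Added example, not from the thread: the P2P section with the ipp2p match
# confined to the FORWARD chain (Kevin's suggestion), a model of which filter
# chain a packet traverses, and a check over an `iptables -S` dump.
# IPT defaults to "echo iptables" so this runs without root or the ipp2p
# module; on the gateway set IPT=iptables to apply the rule for real.
IPT="${IPT:-echo iptables}"

# The gateway's own addresses (assumed from the thread's script: 10.0.1.2 on
# the LAN side, 37.244.81.222 on the Internet side).
ROUTER_ADDRS="10.0.1.2 37.244.81.222"

# Emit the corrected P2P section: only forwarded traffic is matched. Packets
# to or from amuled on the router itself traverse INPUT/OUTPUT, which no
# longer carry an ipp2p rule.
p2p_rules() {
    $IPT -A FORWARD -m ipp2p --ipp2p -j DROP
}

# Is $1 one of the router's own addresses?
is_local() {
    for a in $ROUTER_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Which filter chain does a packet traverse on this box?
# $1 = source address, $2 = destination address
chain_for() {
    if is_local "$2"; then
        echo INPUT        # delivered to a local process (e.g. amuled)
    elif is_local "$1"; then
        echo OUTPUT       # generated by a local process
    else
        echo FORWARD      # routed between LAN and Internet
    fi
}

# Verdict of the P2P section alone. DROP only for a forwarded packet that
# ipp2p classifies as P2P ($3 = yes|no); everything else falls through to
# the later rules (PASS).
p2p_verdict() {
    if [ "$(chain_for "$1" "$2")" = FORWARD ] && [ "$3" = yes ]; then
        echo DROP
    else
        echo PASS
    fi
}

# Post-apply check over `iptables -S` output ($1): succeed only if INPUT and
# OUTPUT contain no ipp2p match, i.e. router-local traffic is left alone.
check_no_local_p2p_drop() {
    if printf '%s\n' "$1" | grep -E -e '-A (INPUT|OUTPUT) .*-m ipp2p' >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed `iptables -S` style dumps: the thread's original P2P section
# and the version with the INPUT/OUTPUT rules deleted.
ORIGINAL_P2P='-A FORWARD -m ipp2p --ipp2p -j DROP
-A INPUT -m ipp2p --ipp2p -j DROP
-A OUTPUT -m ipp2p --ipp2p -j DROP'
FIXED_P2P='-A FORWARD -m ipp2p --ipp2p -j DROP'

p2p_rules
check_no_local_p2p_drop "$ORIGINAL_P2P" || echo "original: INPUT/OUTPUT still drop router-local P2P"
check_no_local_p2p_drop "$FIXED_P2P" && echo "fixed: only forwarded P2P is dropped"
# A wireless client talking P2P to the Internet is dropped; amuled on the router passes.
echo "LAN client -> Internet P2P: $(p2p_verdict 10.0.1.50 203.0.113.7 yes)"
echo "Internet -> amuled on router: $(p2p_verdict 203.0.113.7 37.244.81.222 yes)"
```

On the real gateway, run the script with `IPT=iptables` and then feed `iptables -S` to `check_no_local_p2p_drop`; the chain model is what `p2p_verdict` uses to predict the outcome of Adrian's suggested tests before sending any traffic.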
 
Old 05-04-2008, 09:45 PM
Raven
 
Default iptables "whitelist" rule

On Mon, 2008-05-05 at 07:23 +1000, Adrian Levi wrote:
> 2008/5/5 Raven <raven@vp44.net>:
> > I am not really sure how to tell iptables to whitelist the traffic that
> > is not being forwarded.
> > In other words, the ipp2p module should not drop the packets originating
> > from/destined to the router itself.
> >
> > Here is my current script:
>
> As Kevin has already stated, the input and output chains/tables are
> for the local machine only. And all forwarded traffic goes through the
> forward chain only.
>
> With a quick glance your current script seems to do what you want.
> Do some testing both from expected IP ranges and not expected IP ranges.
>
> Adrian
>

Works like a charm. Thanks!

-Raven


 