Author Topic: ALLOWING and BLOCKING certain LOCAL IPADDRESS on IPTABLES (Read 9852 times)

ronaldjayr_jover · « **on:** August 26, 2005, 02:56:50 AM »

Good day to all!!!

Just want to ask on how can I block a port or a website on a certain IP on my local network, I have a software that uses port 3000-3005, but my manager wants me to block internet access on that PC and only our software will pass through.

Also my manager just want to give a certain person all the port privilleges,meaning he can surf the internet and access our software.

I know that i can just doit on squid, but im not yet that familiar with squid, can i do this on IPTABLES?

Plshelp me anyone.

Thanks so much.

JAY

Ricky · « **Reply #1 on:** August 26, 2005, 08:10:13 AM »

yes, you can do it with iptables also,

Your requirements are :

1. Allow access to everyone via port 3000-3005 !
2. Block internet for everyone apart of few like your manager and you !

So let me try to have solution:

Here in this one we will also enable Masquerading ie . NAT or internet sharing.

Code: [Select]


 #Flushing any previous iptable rules
iptables --flush            
iptables --table nat --flush
iptables --delete-chain 
iptables --table nat --delete-chain

 #Enableing masquerade, considering eth0 as 
 #your internect connection and eth1 as local lan.
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward 
 
 #Allowing loopback access for ports
iptables -A INPUT -i lo -p all -j ACCEPT                       
iptables -A OUTPUT -o lo -p all -j ACCEPT

 #Allowing full access to certain IPs, Say 192.168.0.4 is your manager's IP
 #The the IP 192.168.0.4 has access to all services and ports
 # You can add other also.. say your computer's IP 192.168.0.10
iptables -A INPUT -s 192.168.0.4  -j ACCEPT
iptables -A INPUT -s 192.168.0.10  -j ACCEPT

 # Accept established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT 

 #Rejects with tcp reset
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT 

 #Now your ports
iptables -A INPUT -p tcp -i eth0 --dport 3000 -j ACCEPT  
iptables -A INPUT -p tcp -i eth0 --dport 3001 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 3002 -j ACCEPT 
iptables -A INPUT -p tcp -i eth0 --dport 3004 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 3005 -j ACCEPT

 #Now drops every port than this
iptables -P INPUT DROP

Hmm.. little big firewall script ..
Well I tried logically to keep it error free but still you have to test and may be you need to do modifications in it. It really took me time to make it.
Now according to above script enables internet sharing, it allows full access to two compters(192.168.0.4 and 192.168.0.10) and allow access to every computer in lan for port 3000-3005. It also allows those connection which are initiated by firewall machine ie. no other computer can access it untill the connection is not initiated by this machine. The ports other than 3000-3005 are blocked for all machine apart of those two ips.

Try it and tell me if it worked or totally failed.

ronaldjayr_jover · « **Reply #2 on:** August 28, 2005, 01:26:53 AM »

Thanks Ricky the implemetation of this is on tuesday. I'll let you know once ive tested it. Thnks for your time and effort on helping.

"Your good deeds will never be forgotten"

Thanks so much.

Ronald

ilias · « **Reply #3 on:** September 01, 2005, 04:02:41 AM »

Hi Ricky
where this script has to be written, is it in /etc/rc.d/rc.nat

Ricky · « **Reply #4 on:** September 01, 2005, 02:57:16 PM »

yes you have to put it in that.. actually we have to execute this script at startup so adding in that will do!

jaga_karur · « **Reply #5 on:** October 02, 2005, 05:16:21 PM »

hi friends,

i configure my iptables in GUI mode and i see /etc/sysconfig/iptables there bellow lines what is mean
of bellow plz explain me..
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
:?:

ronaldjayr_jover · « **Reply #6 on:** October 03, 2005, 02:07:29 AM »

These is the default rules on your /etc/sysconfig/iptables. You can just edit on what services you want to accept or drop.