Re: IPTABLES - FIREWALL - USER BLOCK

From: Balbino Brito (nospam_at_hotmail.com)
Date: 09/30/03


Date: Mon, 29 Sep 2003 22:36:36 -0400

Hello Sasa, and everyone else.

I solved it.

The problem is that in the FORWARD chain when you run firestarter and
activate NAT, firestarter adds these rules to the FORWARD CHAIN in iptables:

ACCEPT all 172.16.0.0/24 anywhere
ACCEPT all anywhere 172.16.0.0/24

And when you block an IP, firestarter doesn't change those rules. So the
blocked IPs can still forward packets through.

I added a simple rule with this command:

iptables -I FORWARD -s iptoblock -p tcp --dport 80 -j DROP

Example:

iptables -I FORWARD -s 172.16.0.2 -p tcp --dport 80 -j DROP

To explain further, what I'm doing here is INSERTING a rule in the FORWARD
table, where any packet coming from iptoblock to the tcp destination port
80, is Dropped.

I use INSERT instead of ADD so that way my rule will come first in the
FORWARD table.

As soon as I did that, the computer couldn't browse anymore through the
Linux Gateway.

So, now if I want to stop an internal computer from browsing the internet, I
can do it. We could also add other ports. I tried 1863 for MSN Messenger,
and I couldn't connect to MSN Service...

Thanks to everyone who tried to solve this issue, and took the time to
answer.

I feel gooooooood

BB

"Sasa Stupar" <sasa@stupar.homelinux.net> wrote in message
news:bl9agm$o7g$1@planja.arnes.si...
> Balbino Brito wrote:
> > Hello Sasa.
> >
> > Yes, you are right, I can't access Samba anymore, but I CAN browse the
> > Internet using the firestarter machine as a gateway.
> >
> > So, firestarter is blocking my access to the firestarter machine itself, but
> > it's not blocking browsing the internet, or downloading email or messenger
> > or anything through the firestarter machine.
> >
> > It should block everything coming from the ip I added to the rule, forward
> > packets or input packets.
> >
> > So that's why I say that maybe the program is not suited for that.
> >
> > Any other ideas or suggestions will be appreciated.
> >
> > Thanks in advance.
> >
> > BB
> >
> >
> > "Sasa Stupar" <sasa@stupar.homelinux.net> wrote in message
> > news:bl8mu4$fii$1@planja.arnes.si...
> >
> >>Balbino Brito wrote:
> >>
> >>
> >>>>Why don't you try Firestarter ( http://firestarter.sourceforge.net ). It
> >>>>is GUI firewall and gateway tool. Very easy to setup everything you want.
> >>>
> >>>Hello
> >>>
> >>>I followed your advice and installed firestarter. In fact, it seems to be a
> >>>great program, but it doesn't block the internal IP from browsing the
> >>>Internet.
> >>>
> >>>I added the internal IP address to the Blocked Hosts list, and it continued
> >>>browsing without any problems. So I guess I can't do what I need using
> >>>iptables.
> >>>
> >>>Thanks for your input anyway. If you have any other ideas.
> >>>
> >>>BB
> >>>
> >>>
> >>
> >>I have just tested your conclusion and must say that you have something
> >>wrong with your setup. I have put one of my internal machines to the
> >>Blocked Host (I put IP address) and it was blocked completely. No way to
> >>access the machine where Firestarter is installed.
> >>So check out again your configuration. I have done this change without
> >>restarting Firestarter but maybe you should restart it.
> >>
> >
> >
> >
> This is very strange. For me it blocked completely. I was not able to
> access i-net services.
> Are you also running iptables or ipchains?
> Please stop these services and then try again.
> If this isn't working then you should post your problem on the
> firestarter mailing list.
>
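The following script is an added example, not code from the thread or from firestarter. It takes the idea of Balbino Brito's FORWARD rule above and generalises it: rather than blocking one port at a time (80, then 1863, and so on), it drops all forwarded traffic from the blocked LAN host and all forwarded traffic back to it, inserted at position 1 of FORWARD so it sits ahead of the two broad ACCEPT rules firestarter adds. It assumes it runs as root and that the installed iptables supports the `-C` rule-exists check; the address 172.16.0.2 in the usage lines is the one from the post.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the original thread).
# Drops every forwarded packet from and to a blocked LAN host, inserted at
# position 1 of the FORWARD chain so it lands ahead of firestarter's broad
# "ACCEPT all 172.16.0.0/24 anywhere" / "ACCEPT all anywhere 172.16.0.0/24".
# Assumptions: run as root; iptables new enough to support -C.

# Emit the two rules for one host, one command per line (used for DRY_RUN).
rules_for_host() {
    ip="$1"
    printf 'iptables -I FORWARD 1 -s %s -j DROP\n' "$ip"
    printf 'iptables -I FORWARD 1 -d %s -j DROP\n' "$ip"
}

# Insert a FORWARD rule only if an identical one is not already present, so
# re-running the script (e.g. after firestarter restarts) adds no duplicates.
apply_rule() {
    iptables -C FORWARD "$@" 2>/dev/null || iptables -I FORWARD 1 "$@"
}

# block_host_forward ADDRESS: validate the address, then either print the
# rules (DRY_RUN=1) or apply them. Returns 1 on a malformed address.
block_host_forward() {
    ip="$1"
    # Only digits, dots and a slash (for a CIDR) are allowed; anything else,
    # including an empty argument, is rejected before it reaches iptables.
    case "$ip" in
        "" | *[!0-9./]*) echo "block_host_forward: bad address '$ip'" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        rules_for_host "$ip"
        return 0
    fi
    apply_rule -s "$ip" -j DROP
    apply_rule -d "$ip" -j DROP
    # Show the chain with positions, so the DROPs are visibly above the ACCEPTs.
    iptables -L FORWARD -n --line-numbers
}

# Usage: DRY_RUN=1 sh block_forward.sh 172.16.0.2   (print the rules only)
#        sh block_forward.sh 172.16.0.2             (apply them, as root)
if [ $# -gt 0 ]; then
    block_host_forward "$1"
fi
```

Blocking on both `-s` and `-d` matters because firestarter's second ACCEPT rule would otherwise still let replies reach the host; run the script again after firestarter reloads its rules, since the `-C` check makes that safe.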


