[CLUE-Tech] iptables?

Chris Ernst penguin-guy at home.com
Wed Aug 22 21:44:57 MDT 2001


Hi Robert,

	I hope I'm understanding this correctly.....

	It sounds like you want to set the policy for INPUT on the internal
interface to DROP.

	ACCEPT outbound connections only to ports 22 and 80.

	Use SNAT only for connections with a destination port of 22.

	REDIRECT outbound connections to port 80 to port 3128 (or wherever squid is
listening).

	Please don't copy and paste this as I'm not positive, but I believe it
should look something like this:

/sbin/iptables -P INPUT DROP
# REDIRECT and SNAT are nat-table targets, so those rules need -t nat
/sbin/iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
/sbin/iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -p udp -m udp --dport 80 -j REDIRECT --to-ports 3128
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 204.XXX.XXX.XXX
# whole internal subnet, not just the .0 host
/sbin/iptables -A INPUT -s 192.168.1.0/24 -d 204.XXX.XXX.XXX -p tcp -m tcp --dport 22 -j ACCEPT

As for squid acl's, try something like:

acl localhost src 127.0.0.1/255.255.255.255
acl clients src 192.168.1.0/255.255.255.0
.
.
http_access allow localhost
http_access allow clients
http_access deny all

Obviously, this is incomplete.  But I hope it gives you a starting place.
There is a nice little tutorial for iptables at
http://www.cs.princeton.edu/~jns/security/iptables/ .   Additionally, I
highly recommend checking out gShield
(http://muse.linuxmafia.org/gshield.html).  It's an excellent tool to help
you configure iptables.

	- Chris


-----Original Message-----
From: clue-tech-admin at clue.denver.co.us
[mailto:clue-tech-admin at clue.denver.co.us]On Behalf Of Robert L. Harris
Sent: Wednesday, August 22, 2001 11:40 AM
To: Clue-Tech
Subject: [CLUE-Tech] iptables?




Is anyone using iptables on 2.4.X?  I have a "theoretical" question.

I'm trying to get nazi on a firewall I'm helping with.  I've got this:

  ################# iptables ############################
  # first chain is for allowing established and related connections
  /sbin/iptables -N first
  /sbin/iptables -A first -m state --state ESTABLISHED,RELATED -j ACCEPT

  # this is a rule to let all my local traffic through
  /sbin/iptables -N local
  /sbin/iptables -A local -m state --state NEW -i ! eth0 -j ACCEPT

  # I'm using logging and reject with my cleanup rule, these are both
  # optional modules
  /sbin/iptables -N cleanup
  /sbin/iptables -A cleanup -j LOG --log-prefix "Firewall " --log-level debug
  #  /sbin/iptables -A cleanup -j LOG
  /sbin/iptables -A cleanup -j REJECT

  #
  # Let's initialize the chain
  #
  /sbin/iptables -A INPUT -j first

.
.
.
 Some rules to allow ssh and www in from the outside
.
.
.

  #
  # allows local
  #
  /sbin/iptables -A INPUT -j local
  /sbin/iptables -A INPUT -j cleanup
  /sbin/iptables -P INPUT DROP

  #/sbin/iptables -P INPUT ACCEPT

  # FORWARD chain only allows local traffic
  /sbin/iptables -A FORWARD -j first
  /sbin/iptables -A FORWARD -j local
  /sbin/iptables -A FORWARD -j cleanup
  /sbin/iptables -P FORWARD DROP


This box is also running a squid server.  I want users behind the firewall
to be able to hit the proxy server and do www stuffs, but I don't want
them to be able to bypass the proxy server, but I'd like to be able to
ssh out also.  In other words, block all direct outbound traffic except
ssh, but allow the internal 192.168.0.X subnet to connect to the squid
server and allow the squid server to go out.

Anyone have a quick rundown on the rules for the ssh out part?

Anyone using squid ACL's for address blocking?  We're sure these middle
schoolers don't need to be going to *sex*, *XXX* etc.  I've got a
hand-maintained wall up now, but it's ugly and if I can force the squid
and get squid to do ACL's with wildcards it'll be a lot easier.

Robert



:wq!
---------------------------------------------------------------------------
Robert L. Harris                |  Micros~1 :
Senior System Engineer          |    For when quality, reliability
  at RnD Consulting             |      and security just aren't
                                \_       that important!
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
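The setup Robert asks for and Chris sketches, written out as one script. This is an added example, not code from either poster; it assumes eth0 is the outside interface, eth1 the inside one, the 192.168.0.0/24 LAN from Robert's mail, squid listening on 3128, and a placeholder public address for SNAT. Port 80 from the LAN is redirected to squid, only ssh is forwarded (and SNAT'd) out, and anything else the LAN tries to send around the proxy is logged and rejected.

```shell
#!/bin/sh
# Added example, not from the thread: Robert's policy as one iptables script.
# Assumptions (mine, not the poster's): eth0 outside, eth1 inside,
# 192.168.0.0/24 is the LAN, squid listens on 3128, WAN_IP is a placeholder.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
SQUID_PORT=3128
WAN_IP=203.0.113.10      # placeholder, replace with the real public address
IPT=${IPT:-/sbin/iptables}   # set IPT=echo to print the rules without root

fw_rules() {
    # Default deny in, deny through, allow out (squid itself needs to fetch).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # Replies to connections this box or the LAN already opened.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # nat table: LAN web requests go to squid on this box, never to FORWARD.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Only the ssh that is allowed through below gets SNAT'd.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -j SNAT --to-source "$WAN_IP"

    # filter table: the LAN may talk to squid, and may ssh out; nothing else.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # Cleanup: log and reject whatever the LAN tried to send around the proxy.
    $IPT -A FORWARD -j LOG --log-prefix "Firewall " --log-level debug
    $IPT -A FORWARD -j REJECT
}
# "apply" loads the rules; anything else is a dry run that just prints them.
if [ "${1:-}" = apply ]; then
    fw_rules
else
    IPT=echo
    fw_rules
fi
```

Run it as root with `apply` to load the rules; run it with no argument first to review the exact commands it would issue.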

_______________________________________________
CLUE-Tech mailing list
CLUE-Tech at clue.denver.co.us
http://clue.denver.co.us/mailman/listinfo/clue-tech