Trophy #267
have spent most of the day trying to lock down internet access in vain.
have an sh script which currently works but allows all outwards.
I want to lock down port 80 via squid, and only allow a few ports / ips.
When i comment out the allow all line the individual rules dont work ! any advice
#!/bin/sh
# squid server IP
SQUID_SERVER="10.1.0.11"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# web_server ip
WEB_SERVER="10.1.0.11"
SBS="10.1.0.5"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT ** WONT WORK UNLESS THIS IS ALLOWED !
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT/REDIRECT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
# fudge for apache + squid on same machine
iptables -t nat -A PREROUTING -d $SQUID_SERVER -p tcp --dport 80 -j REDIRECT --to-port 8000
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port 8000
#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# lan port forwarding
#old forward before on this machine
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j DNAT --to $WEB_SERVER:80
#iptables -A FORWARD -p tcp -i $INTERNET -d $WEB_SERVER --dport 80 -j ACCEPT
#new forward to this pc
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:8000
#iptables -A FORWARD -p tcp -i $INTERNET -d $SQUID_SERVER --dport 80 -j ACCEPT
# forward owa and remote desktop to sbs
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j DNAT --to $SBS:443
#iptables -A FORWARD -p tcp -i $INTERNET -d $SBS --dport 443 -j ACCEPT
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 3389 -j DNAT --to $SBS:3389
iptables -A FORWARD -p tcp -i $INTERNET -d $SBS --dport 3389 -j ACCEPT
# allow https out ** these lines should individually pass my required ports out ?
iptables -A INPUT -i $LAN_IN -p tcp --dport 443 -j ACCEPT
# allow mail out from sbs
iptables -A INPUT -i $LAN_IN -p tcp -s $SBS --sport 25 -j ACCEPT
# allow ssh in
iptables -A INPUT -i $LAN_IN -p tcp --dport 22 -j ACCEPT
# allow 80 in?
iptables -A INPUT -i $LAN_IN -p tcp --dport 80 -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
# Setting default filter policy
#iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Have these rules take effect when iptables is started
/sbin/service iptables save
have an sh script which currently works but allows all outwards.
I want to lock down port 80 via squid, and only allow a few ports / ips.
When i comment out the allow all line the individual rules dont work ! any advice
#!/bin/sh
# squid server IP
SQUID_SERVER="10.1.0.11"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# web_server ip
WEB_SERVER="10.1.0.11"
SBS="10.1.0.5"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT ** WONT WORK UNLESS THIS IS ALLOWED !
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT/REDIRECT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
# fudge for apache + squid on same machine
iptables -t nat -A PREROUTING -d $SQUID_SERVER -p tcp --dport 80 -j REDIRECT --to-port 8000
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port 8000
#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# lan port forwarding
#old forward before on this machine
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j DNAT --to $WEB_SERVER:80
#iptables -A FORWARD -p tcp -i $INTERNET -d $WEB_SERVER --dport 80 -j ACCEPT
#new forward to this pc
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:8000
#iptables -A FORWARD -p tcp -i $INTERNET -d $SQUID_SERVER --dport 80 -j ACCEPT
# forward owa and remote desktop to sbs
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j DNAT --to $SBS:443
#iptables -A FORWARD -p tcp -i $INTERNET -d $SBS --dport 443 -j ACCEPT
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 3389 -j DNAT --to $SBS:3389
iptables -A FORWARD -p tcp -i $INTERNET -d $SBS --dport 3389 -j ACCEPT
# allow https out ** these lines should individually pass my required ports out ?
iptables -A INPUT -i $LAN_IN -p tcp --dport 443 -j ACCEPT
# allow mail out from sbs
iptables -A INPUT -i $LAN_IN -p tcp -s $SBS --sport 25 -j ACCEPT
# allow ssh in
iptables -A INPUT -i $LAN_IN -p tcp --dport 22 -j ACCEPT
# allow 80 in?
iptables -A INPUT -i $LAN_IN -p tcp --dport 80 -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
# Setting default filter policy
#iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Have these rules take effect when iptables is started
/sbin/service iptables save