[ale] Limiting web browsing with IPTables?
Michael D. Hirsch
mhirsch at nubridges.com
Tue Jun 17 09:20:04 EDT 2003
On Monday 16 June 2003 10:05 pm, James Sumners wrote:
> I started looking at gShield but it doesn't seem configurable to do what
> I want. Does anyone know some simple rules that would do this?
I found fwbuilder to be a really powerful and flexible firewall builder.
The Linux Journal has a couple of tutorials on it (last month and the
month before) that explain it pretty well.
As a test, I just tried it. I defined two hosts (1.2.3.4 and 9.8.7.6) and
then put them in a group named "Allowed hosts". I defined a firewall
named "Web filter".
I then used the wizard, telling it to allow ssh connections in and any
connection on loopback. I specified Linux and iptables as the destination
rule set.
Then I made two custom rules by drag'n'dropping the objects. The first
rule said to allow http and https connections from Web filter to allowed
hosts. The second said to deny any http or https connections to anywhere.
I turned on logging on those two rules and saved my config file.
Finally, I ran the rules compiler. This is what I got:
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.0.9-1
#
# Generated Tue Jun 17 09:13:04 2003 EDT by hirsch
#
#
#
#
check() {
    N=$1
    F=$2
    test "Z$F" = "Z" && F=$N
    F=`which $F 2>/dev/null`
    test ! -x "$F" && {
        echo "$1 not found or is not executable"
        exit 1
    }
}
log() {
    test -x "$LOGGER" && logger -p info "$1"
}
va_num=1
add_addr() {
    addr=$1
    nm=$2
    dev=$3
    ( $IP -4 addr show dev $dev | grep -q "${addr}/" ) ||
    {
        echo "$dev: $addr/$nm"
        $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
        va_num=$((va_num + 1))
    }
}
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
check lsmod $LSMOD
check modprobe $MODPROBE
check iptables $IPTABLES
check ip $IP
cd /etc || exit 1
log "Activating firewall script generated Tue Jun 17 09:13:04 2003 EDT by hirsch"
INTERFACES="lo "
for i in $INTERFACES ; do
    $IP link show "$i" > /dev/null 2>&1 || {
        echo Interface $i does not exist
        exit 1
    }
done
FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward
add_addr 127.0.0.1 8 lo
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* | sed 's/\.o.*$//')`
for module in $(echo $MODULES); do
    if $LSMOD | grep ${module} >/dev/null; then continue; fi
    if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
        $MODPROBE ${module} || exit 1
    fi
done
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(lo)
#
# allow everything on loopback
#
$IPTABLES -A FORWARD -i lo -j ACCEPT
$IPTABLES -A FORWARD -o lo -j ACCEPT
#
# Rule 0(global)
#
# Only allow web connections to these hosts
#
$IPTABLES -N Cid3EEF1322.0
$IPTABLES -A OUTPUT -d 1.2.3.4 -m state --state NEW -j Cid3EEF1322.0
$IPTABLES -A OUTPUT -d 9.8.7.6 -m state --state NEW -j Cid3EEF1322.0
$IPTABLES -N RULE_0
$IPTABLES -A Cid3EEF1322.0 -p tcp -m multiport --destination-port 80,443 -m state --state NEW -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
#
# Rule 1(global)
#
# Deny web connections everywhere else
#
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -p tcp -m multiport --destination-port 80,443 -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DROP "
$IPTABLES -A RULE_1 -j DROP
#
# Rule 2(global)
#
#
#
$IPTABLES -A INPUT -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
#
# Rule 3(global)
#
# allow all outgoing connections
#
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
#
# Rule 4(global)
#
# 'catch all' rule
#
$IPTABLES -N RULE_4
$IPTABLES -A INPUT -j RULE_4
$IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DROP "
$IPTABLES -A RULE_4 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
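As an added example (not from the post and not fwbuilder output): a shell helper that reads the "RULE 0 -- ACCEPT" and "RULE 1 -- DROP" lines the generated script logs and tallies which web destinations were passed or dropped, so the policy can be checked against its own logging. The kernel log lines are constructed sample input in the field layout the iptables LOG target writes.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the "RULE n -- ..." log
# lines the generated script writes, to confirm the web policy behaves as
# intended. The kernel log lines below are constructed sample input in the
# field layout the iptables LOG target produces.
SAMPLE_LOG='Jun 17 09:15:01 webfilter kernel: RULE 0 -- ACCEPT IN= OUT=eth0 SRC=10.0.0.5 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 09:15:07 webfilter kernel: RULE 1 -- DROP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=102 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 09:15:08 webfilter kernel: RULE 1 -- DROP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=103 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 09:15:12 webfilter kernel: RULE 1 -- DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=104 DF PROTO=TCP SPT=40004 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 09:15:20 webfilter kernel: RULE 1 -- DROP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=105 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 09:15:31 webfilter kernel: RULE 4 -- DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=106 PROTO=TCP SPT=5555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# rule_hits PREFIX: read log lines on stdin, keep those tagged with the given
# --log-prefix, and print "count dst:dport" for every destination seen, most
# frequent first. Tokens are matched by name, so field order does not matter.
rule_hits() {
    grep -F -- "$1" |
    awk '{
        dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dst != "" && dpt != "") hits[dst ":" dpt]++
    }
    END { for (k in hits) print hits[k], k }' |
    sort -rn
}

# Web destinations the policy dropped (RULE 1) and the allowed hosts it passed
# (RULE 0). An allowed host showing up under RULE 1 would point to a
# rule-ordering mistake in the generated script.
printf '%s\n' "$SAMPLE_LOG" | rule_hits "RULE 1 -- DROP"
printf '%s\n' "$SAMPLE_LOG" | rule_hits "RULE 0 -- ACCEPT"
```

On a live system feed it the real log instead, e.g. `grep 'RULE 1 -- DROP' /var/log/messages | rule_hits "RULE 1 -- DROP"`.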
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale