[ale] Limiting web browsing with IPTables?

James Sumners james at sumners.ath.cx
Tue Jun 17 09:43:27 EDT 2003


Thanks.

On Tue, 17 Jun 2003 09:20:04 -0400
"Michael D. Hirsch" <mhirsch at nubridges.com> wrote:

> On Monday 16 June 2003 10:05 pm, James Sumners wrote:
> 
> > I started looking at gShield but it doesn't seem configurable to do what
> > I want. Does anyone know some simple rules that would do this?
> 
> I found fwbuilder to be a really powerful and flexible firewall builder.  
> The Linux Journal has a couple of tutorials on it (last month and the 
> month before) that explain it pretty well.  
> 
> As a test, I just tried it.  I defined two hosts (1.2.3.4 and 9.8.7.6) and 
> then put them in a group named "Allowed hosts".  I defined a firewall 
> named "Web filter".
> 
> I then used the wizard, telling it to allow ssh connections in and any 
> connection on loopback.  I specified Linux and iptables as the destination 
> rule set.
> 
> Then I made two custom rules by drag'n'dropping the objects.  The first 
> rule said to allow http and https connections from Web filter to allowed 
> hosts.  The second said to deny any http https connections to anywhere.
> 
> I turned on logging on those two rules and saved my config file.
> 
> Finally, I ran the rules compiler.  This is what I got:
> 
> #!/bin/sh 
> #
> #  This is automatically generated file. DO NOT MODIFY !
> #
> #  Firewall Builder  fwb_ipt v1.0.9-1 
> #
> #  Generated Tue Jun 17 09:13:04 2003 EDT by hirsch
> #
> #
> #
> #
> 
> check() {
>   N=$1
>   F=$2
>   test "Z$F" = "Z" && F=$N
>   F=`which $F 2>/dev/null`
>   test ! -x "$F" && {
>     echo "$1 not found or is not executable"
>     exit 1
>   }
> }
> 
> 
> log() {
>   test -x "$LOGGER" && logger -p info "$1"
> }
> 
> va_num=1
> 
> add_addr() {
>   addr=$1
>   nm=$2
>   dev=$3
>   ( $IP -4 addr show dev $dev | grep -q "${addr}/" ) || 
>     { 
>       echo "$dev: $addr/$nm"
>       $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
>       va_num=$((va_num + 1))
>     } 
> }
> 
> 
> LSMOD="/sbin/lsmod"
> MODPROBE="/sbin/modprobe"
> IPTABLES="/sbin/iptables"
> IP="/sbin/ip"
> LOGGER="/usr/bin/logger"
> 
> check lsmod    $LSMOD
> check modprobe $MODPROBE
> check iptables $IPTABLES
> check ip       $IP
> 
> cd /etc || exit 1
> 
> log "Activating firewall script generated Tue Jun 17 09:13:04 2003 EDT by hirsch"
> 
> 
> INTERFACES="lo "
> for i in $INTERFACES ; do
>   $IP link show "$i" > /dev/null 2>&1 || {
>     echo Interface $i does not exist
>     exit 1
>   }
> done
> 
> 
> 
> FWD=`cat /proc/sys/net/ipv4/ip_forward`
> echo "0" > /proc/sys/net/ipv4/ip_forward
> 
> 
> 
> 
> add_addr 127.0.0.1 8 lo
> 
> $IPTABLES -P OUTPUT  DROP
> $IPTABLES -P INPUT   DROP
> $IPTABLES -P FORWARD DROP
> 
> 
> 
> cat /proc/net/ip_tables_names | while read table; do
>   $IPTABLES -t $table -L -n | while read c chain rest; do
>       if test "X$c" = "XChain" ; then
>         $IPTABLES -t $table -F $chain
>       fi
>   done
>   $IPTABLES -t $table -X
> done
> 
> 
> 
> MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/" 
> MODULES=`(cd $MODULE_DIR; ls *_conntrack_*  | sed 's/\.o.*$//')`
> for module in $(echo $MODULES); do 
>   if $LSMOD | grep ${module} >/dev/null; then continue; fi
>   if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then 
>     $MODPROBE ${module} ||  exit 1 
>   fi 
> done
> 
> 
> $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # 
> # Rule 0(lo)
> # 
> # allow everything on loopback
> # 
> $IPTABLES -A FORWARD  -i lo  -j ACCEPT 
> $IPTABLES -A FORWARD  -o lo  -j ACCEPT 
> # 
> # Rule 0(global)
> # 
> # Only allow web connections to these hosts
> # 
> $IPTABLES -N Cid3EEF1322.0
> $IPTABLES -A OUTPUT  -d 1.2.3.4  -m state --state NEW  -j Cid3EEF1322.0 
> $IPTABLES -A OUTPUT  -d 9.8.7.6  -m state --state NEW  -j Cid3EEF1322.0 
> $IPTABLES -N RULE_0
> $IPTABLES -A Cid3EEF1322.0 -p tcp  -m multiport  --destination-port 80,443  -m state --state NEW  -j RULE_0 
> $IPTABLES -A RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- ACCEPT " 
> $IPTABLES -A RULE_0  -j ACCEPT 
> # 
> # Rule 1(global)
> # 
> # Deny web connections everywhere else
> # 
> $IPTABLES -N RULE_1
> $IPTABLES -A OUTPUT -p tcp  -m multiport  --destination-port 80,443  -j RULE_1 
> $IPTABLES -A RULE_1  -j LOG  --log-level info --log-prefix "RULE 1 -- DROP " 
> $IPTABLES -A RULE_1  -j DROP 
> # 
> # Rule 2(global)
> # 
> # 
> # 
> $IPTABLES -A INPUT -p tcp  --destination-port 22  -m state --state NEW  -j ACCEPT 
> # 
> # Rule 3(global)
> # 
> # allow all outgoing connections
> # 
> $IPTABLES -A OUTPUT  -m state --state NEW  -j ACCEPT 
> # 
> # Rule 4(global)
> # 
> # 'catch all' rule
> # 
> $IPTABLES -N RULE_4
> $IPTABLES -A INPUT  -j RULE_4 
> $IPTABLES -A RULE_4  -j LOG  --log-level info --log-prefix "RULE 4 -- DROP " 
> $IPTABLES -A RULE_4  -j DROP 
> #
> #
> echo 1 > /proc/sys/net/ipv4/ip_forward


-- 

All governments suffer a recurring problem: Power attracts pathological
personalities. It is not that power corrupts but that it is magnetic to the
corruptible. Such people have a tendency to become drunk on violence, a
condition to which they are quickly addicted. 

Missionara Protectiva, Text QIV (decto)
CH:D 59
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
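The policy in the quoted message (new HTTP/HTTPS only to an allow-list of hosts, log and drop every other outbound web connection, allow all other outbound traffic) can be written by hand in a few lines instead of running it through fwbuilder. The script below is an added example, not part of the original thread and not fwbuilder output; the chain names WEB_ALLOW and WEB_DENY, the log prefixes, the `IPTABLES` override for dry runs and the sample addresses 1.2.3.4 and 9.8.7.6 are all constructed here.

```shell
#!/bin/sh
# Added example (not from the original post or from fwbuilder): a hand-written
# OUTPUT-chain web filter equivalent to Rules 0, 1 and 3 of the generated script.
# Set IPTABLES=echo to dry-run, i.e. print the commands instead of applying them.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run one iptables invocation through the configured command.
rule() {
  "$IPTABLES" "$@"
}

# web_filter_rules HOST...  -- install the filter; the arguments are the
# allow-list (hosts that may be reached on TCP 80/443 with a NEW connection).
web_filter_rules() {
  if [ $# -eq 0 ]; then
    echo "web_filter_rules: need at least one allowed host" >&2
    return 2
  fi

  # Dedicated chains keep the log-then-verdict pairs in one place and make
  # the policy easy to inspect later with: iptables -L WEB_DENY -n -v
  rule -N WEB_ALLOW
  rule -A WEB_ALLOW -j LOG --log-level info --log-prefix "WEB ALLOW "
  rule -A WEB_ALLOW -j ACCEPT
  rule -N WEB_DENY
  rule -A WEB_DENY -j LOG --log-level info --log-prefix "WEB DENY "
  rule -A WEB_DENY -j DROP

  # Return traffic of sessions already accepted is passed without
  # re-evaluating the policy (same as the ESTABLISHED,RELATED rule above).
  rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Rule 0: new web connections to each allowed host.
  for host in "$@"; do
    rule -A OUTPUT -d "$host" -p tcp -m multiport --dports 80,443 \
      -m state --state NEW -j WEB_ALLOW
  done

  # Rule 1: any other web connection is logged and dropped. Ordering matters:
  # this line must precede the generic "allow all outgoing" rule or it never fires.
  rule -A OUTPUT -p tcp -m multiport --dports 80,443 -j WEB_DENY

  # Rule 3: everything else outbound is allowed.
  rule -A OUTPUT -m state --state NEW -j ACCEPT
}

# Usage: IPTABLES=echo sh web_filter.sh 1.2.3.4 9.8.7.6   (dry run)
#        sh web_filter.sh 1.2.3.4 9.8.7.6                 (apply, as root)
if [ $# -gt 0 ]; then
  web_filter_rules "$@"
fi
```

Two caveats a practitioner should keep in mind: the match is on destination port, not on protocol, so a browser pointed at a proxy on another port (8080, for example) is governed by the final "allow all outgoing" rule rather than by the web filter, and the allow-list is by IP address, so a name that resolves to several addresses needs every address listed. The "WEB DENY" log prefix gives a cheap audit trail of which destinations are being blocked when you tune the list.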