Fedora Linux Support Community & Resources Center
FedoraForum.org > Fedora 19/20 > Security and Privacy

#1  24th July 2007, 09:35 AM
petervoldon (Registered User; Join Date: Sep 2006; Posts: 21)
Help needed with IPtables.. Please..

Hi Fedorites..

Can you help me with my problem? :-(

Here is the issue: my workplace uses a Linux box as a router running Fedora 5. It's working pretty neat. I have set up some firewall rules using iptables and it's working pretty fine.

Now there is a requirement in my office that makes me block YouTube from the internal network. I made some firewall rules to do that.

Code:
/sbin/iptables -o eth0 -A OUTPUT -d 208.65.153.241 -j DROP
/sbin/iptables -o eth0 -A OUTPUT -d 208.65.153.242 -j DROP
/sbin/iptables -o eth0 -A OUTPUT -d 208.65.153.245 -j DROP
/sbin/iptables -o eth0 -A OUTPUT -d 208.65.153.251 -j DROP
/sbin/iptables -o eth0 -A OUTPUT -d 208.65.153.253 -j DROP


/sbin/iptables -i eth1 -A FORWARD -d 208.65.153.253 -j DROP
/sbin/iptables -i eth1 -A FORWARD -d 208.65.153.241 -j DROP
/sbin/iptables -i eth1 -A FORWARD -d 208.65.153.242 -j DROP
/sbin/iptables -i eth1 -A FORWARD -d 208.65.153.245 -j DROP
/sbin/iptables -i eth1 -A FORWARD -d 208.65.153.251 -j DROP
But this is not working and I don't know why!!!

Below is a traceroute result to YouTube from one of the CLIENT machines here.. Please don't mind the IP addresses, as I have changed them a bit..

Code:
# traceroute youtube.com
traceroute to youtube.com (208.65.153.253), 30 hops max, 40 byte packets
 1  192.168.1.3 (192.168.1.3)  0.144 ms  0.131 ms  0.120 ms
 2  211.111.167.7 (211.111.167.7)  6.137 ms  11.600 ms  11.947 ms
 3  16.26.24.1 (61.246.224.1)  6.379 ms  6.744 ms  7.068 ms
 4  22.56.223.238 (202.56.223.238)  7.968 ms  8.333 ms  8.852 ms
 5  203.101.10.234 (203.101.100.234)  9.760 ms  10.654 ms  10.999 ms
 6  59.145.0.9 (59.145.0.49)  25.893 ms  20.376 ms  20.675 ms
 7  59.145.7.29 (59.145.7.29)  21.027 ms  20.024 ms  20.332 ms
 8  203.208.43.241 (203.208.143.241)  240.788 ms  242.247 ms  242.562 ms
 9  ge-1-0-6-0.plapx-dr1.ix.singtel.com (203.208.149.13)  235.621 ms  236.468 ms  237.288 ms
10  203.208.154.26 (203.208.154.26)  236.805 ms  237.499 ms  238.063 ms
11  10.254.254.249 (10.254.254.249)  429.983 ms  430.282 ms  395.623 ms
12  208.65.153.253 (208.65.153.253)  233.480 ms  233.830 ms  234.130 ms
As you can see, the destination 208.65.153.253 is getting connected without any blocks, which is totally unexpected. On the active firewall, I double-checked the chain and it exists:

Code:
# iptables -L | grep 208.65.153.253
DROP       all  --  anywhere             208.65.153.253
DROP       all  --  anywhere             208.65.153.253
Can anyone identify the problem from this data? If not, please let me know what else is needed and I can get you that..

Really looking for some help regarding this matter..

Thanks,
Peter Voldon

#2  24th July 2007, 12:28 PM
PhillyFloyd (Registered User; Join Date: Jun 2007; Location: Washington DC; Posts: 338)
I am not sure what the -o and -i options are, but without those, your rules above block it for me.

Just as a matter of preference, I usually like to jump to REJECT rather than DROP so you get a return message.

iptables -A OUTPUT -d {IPADDR} -j REJECT

Make sure you don't have any rules before or after those that conflict with them, and that you have all the IPs for YouTube. Test your blocking by pinging or tracerouting to the IP addresses; if that works, then some other IPs are missing.
__________________
"You're as useless as a jiffy in a tickless kernel."

#3  24th July 2007, 12:30 PM
Knudson (Registered User; Join Date: Mar 2005; Location: Italy; Age: 30; Posts: 401)
I think you should install tcpdump and see what the problem is. I think that maybe you haven't blacklisted all the possible YouTube IPs (e.g. 208.65.153.238).

Try also blacklisting

DNS1.SJL.YOUTUBE.COM 208.65.152.201
DNS2.SJL.YOUTUBE.COM 208.65.152.137

Let me know.
__________________
knu - ICQ# 51135890
knu.altervista.org
Help us to give linux a better software support!
Shooby dooby doo shooby dooby doo durul

#4  26th July 2007, 03:29 AM
petervoldon (Registered User; Join Date: Sep 2006; Posts: 21)
Hi PhillyFloyd and Knudson,

Thanks a million for your attention. I tried as suggested by PhillyFloyd and did a traceroute. The IP addresses I specified did not cover all their IPs, I think. Also, I removed the -i and -o parameters and just added this:

Code:
/sbin/iptables -A OUTPUT -d 208.65.153.0/24 -j DROP
/sbin/iptables -A FORWARD -d 208.65.153.0/24 -j DROP
This should block their whole subnet and it's WORKING now!!! Thanks so much for your attention to this matter. But I have another requirement now, as I need to exclude one IP from this block. Let's say my network is 192.168.1.0/24 and I want to block all computers in there except 192.168.1.10. I am not sure how to do this, but I am sure it can be done.

Can you please help me with this? If I find a solution myself, I will update it here immediately!

Once again, thanks a million..

-: Peter Voldon :-

#5  26th July 2007, 12:26 PM
Knudson (Registered User; Join Date: Mar 2005; Location: Italy; Age: 30; Posts: 401)
As you might already know, the iptables policy is "check, match and execute", which means that if a rule is matched it is applied; otherwise the packet passes to the next rule. Knowing this, the easy way to do what you want is:

/sbin/iptables -A OUTPUT -s 192.168.1.10 -d 208.65.153.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -d 208.65.153.0/24 -j DROP
/sbin/iptables -A FORWARD -d 208.65.153.0/24 -j DROP

Doing this, you're telling iptables:

check the current packet - is it FROM 192.168.1.10 and is the destination 208.65.153.0/24? If so, then accept it; otherwise check the next rule. As you see, with the next rule the packet will be dropped. Then check the next packet.

However, there are nicer ways to do this with variables, but that will do the trick. You should add protocol information for a more proper and elegant firewall anyway.

I'd do something like this (I don't have the iptables man page right now and I don't remember the port range syntax; as a client it would be >1024, I think the iptables syntax is 1024:65535):

# Variables keep the rules readable and easy to change later
IPTABLES="/sbin/iptables"
YOUTUBE="208.65.153.0/24"
MYPC="192.168.1.10"

# Allow the one PC's web traffic to the YouTube subnet (the match module is 'state', lower case)
$IPTABLES -A OUTPUT -p tcp -s $MYPC -d $YOUTUBE --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $YOUTUBE -d $MYPC --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else to the YouTube subnet is dropped; the ACCEPT rules above must come first
$IPTABLES -A OUTPUT -d $YOUTUBE -j DROP
$IPTABLES -A FORWARD -d $YOUTUBE -j DROP

That's easier to read, and personally I like iptables as a script.
__________________
knu - ICQ# 51135890
knu.altervista.org
Help us to give linux a better software support!
Shooby dooby doo shooby dooby doo durul
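
Added example, not code from the thread: a small Python model of netfilter's first-match chain evaluation, run over Knudson's ordering above to show why the ACCEPT exception must precede the DROP. It goes one step beyond the thread: on a router, packets from LAN clients traverse FORWARD rather than OUTPUT, so the model also tries the exception ahead of the FORWARD DROP (an assumed rule, not one posted here); addresses are taken from the thread, and the default chain policy of ACCEPT is an assumption.

```python
# Added example (not from the thread): a minimal model of netfilter first-match chain evaluation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    chain: str                   # OUTPUT or FORWARD
    target: str                  # ACCEPT or DROP
    src: Optional[str] = None    # CIDR or single address; None matches any source
    dst: Optional[str] = None    # CIDR or single address; None matches any destination

    def matches(self, src: str, dst: str) -> bool:
        return all(sel is None or ip_address(addr) in ip_network(sel, strict=False)
                   for sel, addr in ((self.src, src), (self.dst, dst)))

def verdict(rules: List[Rule], chain: str, src: str, dst: str, policy: str = "ACCEPT") -> str:
    """The first rule in `chain` that matches decides; no match falls through to the policy."""
    for r in rules:
        if r.chain == chain and r.matches(src, dst):
            return r.target
    return policy

def chain_for(origin: str) -> str:
    """Packets the router generates itself traverse OUTPUT; packets it routes
    for LAN clients traverse FORWARD and never see the OUTPUT chain."""
    return "OUTPUT" if origin == "router" else "FORWARD"

YOUTUBE = "208.65.153.0/24"      # subnet blocked in the thread
MYPC = "192.168.1.10"            # the one client meant to be allowed through
ROUTER = "192.168.1.3"           # router's LAN address, first hop in the traceroute

# Knudson's ordering as posted: the exception precedes the OUTPUT DROP.
THREAD_RULES = [
    Rule("OUTPUT", "ACCEPT", src=MYPC, dst=YOUTUBE),
    Rule("OUTPUT", "DROP", dst=YOUTUBE),
    Rule("FORWARD", "DROP", dst=YOUTUBE),
]
# Assumed addition: the same exception placed ahead of the FORWARD DROP,
# the chain a LAN client's packets actually pass through on the router.
ROUTER_RULES = [Rule("FORWARD", "ACCEPT", src=MYPC, dst=YOUTUBE)] + THREAD_RULES

def check(rules: List[Rule], origin: str, src: str, dst: str = "208.65.153.253") -> str:
    return verdict(rules, chain_for(origin), src, dst)

if __name__ == "__main__":
    for label, rules in (("as posted", THREAD_RULES), ("with FORWARD exception", ROUTER_RULES)):
        print(f"{label}: router={check(rules, 'router', ROUTER)} "
              f"client .10={check(rules, 'client', MYPC)} "
              f"client .20={check(rules, 'client', '192.168.1.20')}")
```

Reversing the list (DROP before ACCEPT) turns the exception into dead code, which is the ordering point Knudson's post makes.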

#6  29th July 2007, 07:16 PM
marko (Registered User; Join Date: Jun 2004; Location: Laurel, MD USA; Posts: 6,097)
Oh, I get it, the boss's PC is the 1.10 one and he/she gets to go to youtube
but nobody else does. Typical ...

Mark

#7  29th July 2007, 07:57 PM
sej7278 (Registered User; Join Date: Sep 2004; Posts: 2,008)
Quote:
Originally Posted by marko
Oh, I get it, the boss's PC is the 1.10 one and he/she gets to go to youtube
but nobody else does. Typical ...
Yeah, I was thinking that - or Peter wants to surf YouTube!

Knudson, I don't think you need the INPUT rule; YouTube doesn't connect to you for anything?

I think I'd keep it simple and not bother with the --state's either.

Also, be careful about using ports - what if YouTube create a client that doesn't use port 80, or implement an https site on 443?

I'd say "Keep It Simple, Stupid" (KISS) and just drop everything to the IP ranges.

#8  29th July 2007, 08:08 PM
Knudson (Registered User; Join Date: Mar 2005; Location: Italy; Age: 30; Posts: 401)
Mine wasn't a whole iptables script, of course. But concerning network security, KISS doesn't work. iptables is great, and on a server it actually must be configured like a sniper.
__________________
knu - ICQ# 51135890
knu.altervista.org
Help us to give linux a better software support!
Shooby dooby doo shooby dooby doo durul

#9  30th July 2007, 09:52 PM
larryc06 (Registered User; Join Date: Mar 2007; Posts: 72)
Above it was said that it is not known what -i and -o stand for. The -i stands for the input device, in this case eth1. The -o stands for the output device, which is eth0. Leaving them out is fine, but for diagnostic purposes it is best to have them. You identify exactly what each device is used for, therefore you can tell if a device is working properly. I also believe that this is good security, since you have designated each device to only accept outgoing or incoming traffic. My theory on this is not from anything I have read or know for sure; it just makes sense to say I am only allowing traffic in one direction and I will control that.

#10  3rd August 2007, 04:23 PM
petervoldon (Registered User; Join Date: Sep 2006; Posts: 21)
He he.. nice thinking guys.. Actually YouTube has to be accessible to one of our developers in our office who is working on a distributed video streaming technology like YouTube. That's the only exception to the block.

...and.. thanks a lot, the suggestion by Knudson works nicely..

/sbin/iptables -A OUTPUT -s 192.168.1.10 -d 208.65.153.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -d 208.65.153.0/24 -j DROP
/sbin/iptables -A FORWARD -d 208.65.153.0/24 -j DROP

I will post any issues that may arise.. and thanks a lot for all your suggestions..

-:Pete:-

#11  4th August 2007, 11:32 AM
Knudson (Registered User; Join Date: Mar 2005; Location: Italy; Age: 30; Posts: 401)
You're welcome.
__________________
knu - ICQ# 51135890
knu.altervista.org
Help us to give linux a better software support!
Shooby dooby doo shooby dooby doo durul

#12  4th August 2007, 02:32 PM
shortfatandbald (Registered User; Join Date: Aug 2007; Location: Missouri; Posts: 28)
Why wouldn't you want to run Squid? Just a thought.

#13  9th November 2007, 12:40 PM
petervoldon (Registered User; Join Date: Sep 2006; Posts: 21)
Quote:
Originally Posted by shortfatandbald
Why wouldn't you want to run Squid? Just a thought.
Squid was an excellent option. But the company I work for has an approved list of packages which can be used in the company network, and unfortunately Squid wasn't lucky enough to get onto that list (or vice versa). As I mentioned earlier (or if I haven't, I want to tell you now), I am a newbie admin here and this has been a task assigned to me.. Anyway, it's working just fine with iptables.. Definitely, iptables rocks!

-:Pete:-