Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Creating iptables filter rules applicable to both FORWARD and OUTPUT chains
Special Forums IP Networking Creating iptables filter rules applicable to both FORWARD and OUTPUT chains Post 302675797 by haggismn on Monday 23rd of July 2012 03:20:50 PM
Old 07-23-2012
Creating iptables filter rules applicable to both FORWARD and OUTPUT chains
Hi all,

I have a script which permits users to access to a large list of IP ranges. Before, access to these ranges was granted by using a shell script to perform the necessary FORWARD chain command to allow traffic coming from the br0 interface and exiting the WAN interface, since br0 was the only interface which would access these ranges.
Code:
iptables -I FORWARD 6 -i br0 -d $CIDR -o $WAN_IFACE -j ACCEPT

However I have now implemented a caching proxy on the local gateway, and so I need to permit access to the IP ranges on the OUTPUT chain.
Code:
iptables -I OUTPUT 8 -d $CIDR -o $WAN_IFACE -j ACCEPT

However, the proxy will not always be running, in which case, the standard FORWARD command will still be needed. The problem I have is that by having several thousand ranges to add, having both these commands run for each range effectively doubles the time taken for the script to run. I was wondering if it is possible to combine these 2 commands in some way to allow both FORWARD and OUTPUT access to the IP ranges in only 1 command? Or am I stuck having to do both commands every single time?


Thanks in advance for any help.
Last edited by haggismn; 07-23-2012 at 04:27 PM..
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

sed command applicable?

Find the messages with BLUE header, collect the telno, and dump to a file. file below: header 1 BLUE 11/20/01 body telno 555 body room1 trailer 1 xxx header 2 BLUE 11/20/01 body telno 444 body room2 trailer 2 xxx header 3 RED 11/20/01 body telno 666 body room3 trailer 3 xxx ... (2 Replies)
Discussion started by: apalex
2 Replies

2. IP Networking

Filter wireshark output

Hi I have a wireshark file saved (from my network) and I have to analyze the flows inside it. The problem is that i have to analyze not the complete file (60.000 pkts!) but just a subset of it. In other words i have to sample the wireshark.file.dump and for example from 60.000 pkts take... (2 Replies)
Discussion started by: Dedalus
2 Replies

3. Shell Programming and Scripting

Copying a files from a filter list and creating their associated parent directories

Hello all, I'm trying to copy all files within a specified directory to another location based on a find filter of mtime -1 (Solaris OS). The issue that I'm having is that in the destination directory, I want to retain the source directory structure while copying over only the files that have... (4 Replies)
Discussion started by: hunter55
4 Replies

4. IP Networking

iptables forward public IP, no NAT, Debian i386

Hello all, got kinda problem. Have two machines in LAN, one of them connected to Internet directly, another one must be forwarded through the first one. Masquerading works perfectly, but is not what is needed here. Both machines have public IP addresses, when the second machine is forwarded its... (0 Replies)
Discussion started by: Action
0 Replies

5. Ubuntu

Iptables forward traffic to forward chain!!!

Hi, I am new to linux stuff. I want to use linux iptables to configure rule so that all my incoming traffic with protocol "tcp" is forwarded to the "FORWARD CHAIN". The traffic i am dealing with has destination addresss of my machine but i want to block it from coming to input chain and somehow... (0 Replies)
Discussion started by: arsipk
0 Replies

6. Debian

Iptables Nat forward port 29070

Hello, the Nat and the forward worked on my debian server up to the reboot of machines. The following rules*: /sbin/iptables -t nat -A PREROUTING -p tcp -i eth2 -d xxx.xxx.xxx.xxx --dport 29070 -j DNAT --to-destination 10.0.1.7:29070 /sbin/iptables -A FORWARD -p tcp -i eth2 -o eth0 -d... (0 Replies)
Discussion started by: titoms
0 Replies

7. Ubuntu

forward packet from input chain to output

Hi, I receive a packet at input chain of iptables in filter table. How can i forward that same packet exactly to the output chain of the iptables in filter table. I need this help desperately. Thanks. (0 Replies)
Discussion started by: arsipk
0 Replies

8. IP Networking

Dividing traffic with u32 iptables filter

I would like to divide traffic between two squid servers. I have been thinking about using iptables u32 filter, to check last bit of ip address which is comming to gateway. Then I would like to direct even IP adresses to one squid host, and odd to the other. Is it reasonable ? Thank you for... (2 Replies)
Discussion started by: new_item
2 Replies

9. Shell Programming and Scripting

How the filter output?

Hey, I'm using some sensors that can be read by http. If I run following command: curl -v 'http://192.168.111.23:8080/sensor/52f5c63cc4221fbbedcb499908a0a823?version=1.0&interval=minute&unit=watt&callback=realtime' I'm getting: I would like to put this now in a sheet with only the... (9 Replies)
Discussion started by: brononius
9 Replies

10. Shell Programming and Scripting

Filter output in curl

Hello guys, I'm writing a little script which sends me sms with my shell script via api of a sms provider. problem is I can't filter my curl output for this site: site url:... (1 Reply)
Discussion started by: genius90
1 Replies

LEARN ABOUT DEBIAN

lockout

LOCKOUT(1)							      lockout								LOCKOUT(1)

NAME

       lockout - avoid slacking and impose productivity and discipline on yourself

WARNING

       This program is VERY DANGEROUS.	If it fails, you may end up not knowing the root password to your own computer (in which case you need to
       boot into single-user mode).  There are no known reports of this actually happening, but we don't know how stupid you are.  Also, you
       should probably not run this on a multi-user system.

SYNOPSIS

	lockout lock HhMm | Hh | Mm
	lockout lock HH:MM
	lockout lock HH:MMam | HH:MMpm
	lockout lock HHam | HHpm
	lockout lock

	lockout unlock [force]

	lockout status

DESCRIPTION

       Lockout is a tool that imposes discipline on you so that you get some work done.  For example, lockout can be used to install a firewall
       that does not let you browse the Web.  Lockout changes the root password for a specified duration; this prevents you from secretly ripping
       down the firewall and then browsing the Web anyway.  In case of an emergency, you can reboot your computer to undo the effects of lockout
       and to restore the original root password.

       Obviously, lockout lock and lockout unlock can only be run by root.  lockout status can be run by any user.

       lockout without any parameters shows a brief help message.

       lockout lock takes one optional parameter.  If no parameter is given, you are dropped in interactive mode and asked for the duration of the
       lock or the time at which the lock should be lifted.  You can also supply this as a parameter on the command line.  Lockout understands
       various time formats.  You can specify a delay, e.g., 3h (3 hours), 1h30m (1 hour and 30 minutes), or 90m (1 hour and 30 minutes), or you
       can specify absolute time, e.g., 2pm, 2:30am, 15:30, etc.  You will be asked to confirm the time at which lockout will unlock your system.
       If you type "yes", lockout executes /etc/lockout/lock.sh and changes the root password to something completely random.  /etc/lock-
       out/lock.sh is a shell script that you write.  It takes measures to make sure you stop slacking.  For example, it could install a firewall
       that prevents outgoing connections to port 80.  See the "EXAMPLES" section below.

       lockout unlock takes an optional force parameter.  Without any parameters, lockout lock will check whether it is time to unlock the system
       and, if so, executes /etc/lockout/unlock.sh, which is a shell script that you write.  It should undo the effects of /etc/lockout/lock.sh,
       executed when the system was locked.  If you pass the force parameter to lockout unlock, lockout will forcibly unlock your system, whether
       it was really time for that or not.  lockout unlock should be called every minute by cron.  See "CONFIGURATION".

       lockout status will print out the time at which the system is going to be unlocked.

CONFIGURATION

       /etc/cron.d/lockout must contain the following two entries:

	   */1 * * * *	       root    /usr/bin/lockout unlock >/dev/null 2>&1
	   @reboot	       root    /usr/bin/lockout unlock force >/dev/null 2>&1

       The examples that follow assume you are using sudo(8) and you have a file, /etc/lockout/sudoers.normal which is the normal /etc/sudoers
       file, and /etc/lockout/sudoers.lock, which is the /etc/sudoers file when lockout locks your computer.  This example also assumes you are
       using iptables(8).  /var/lib/iptables/active should contain your default firewall rules, and /var/lib/iptables/work should contain the
       firewall rules that enforce discipline.	See below for an example.

       /etc/lock/lock.sh imposes discipline.  For example:

	   #!/bin/sh
	   /etc/init.d/iptables load work
	   cp /etc/lockout/sudoers.lock /etc/sudoers
	   /etc/init.d/sudo stop
	   /etc/init.d/sudo start

       /etc/lock/unlock.sh undoes these effects.  For example:

	   #!/bin/sh
	   /etc/init.d/iptables restart
	   cp /etc/lockout/sudoers.normal /etc/sudoers
	   /etc/init.d/sudo stop
	   /etc/init.d/sudo start

       Your /var/lib/iptables/work may look something like this:

	   *filter
	   :INPUT ACCEPT [1047:99548]
	   :FORWARD ACCEPT [0:0]
	   :OUTPUT ACCEPT [1104:120792]

	   # allow incoming packets from localhost, ntp,
	   # and existing connections
	   -A INPUT -i lo -j ACCEPT
	   -A INPUT -p udp -m udp --source-port ntp -m state --state ESTABLISHED -j ACCEPT
	   -A INPUT -m state --state ESTABLISHED -j ACCEPT
	   -A INPUT -p tcp -j DROP
	   -A INPUT -p udp -j DROP

	   # allow outgoing connections for email and DNS
	   -A OUTPUT -d 127.0.0.1/8 -j ACCEPT
	   -A OUTPUT -p tcp -m tcp --dport smtp -j ACCEPT
	   -A OUTPUT -p tcp -m tcp --dport domain -j ACCEPT
	   -A OUTPUT -p udp -m udp --dport domain -j ACCEPT
	   -A OUTPUT -j DROP
	   COMMIT

EXAMPLES

	   lockout lock 2h30m	[locks out for 2h and 30m]
	   lockout lock 90m	[locks out for 1h and 30m]
	   lockout lock 3pm	[locks out until 3pm]
	   lockout lock 3:20am	[locks out until 3:20am]
	   lockout lock 15:20	[locks out until 3:20pm]

	   lockout status	[shows when the system is going to be unlocked]

FILES

       /etc/lockout/lock.sh: executed when running lockout lock

       /etc/lockout/unlock.sh: executed when running lockout unlock

SEE ALSO

       usermod(8), iptables(8), passwd(1), cron(8), crontab(1)

BUGS

       Arguably, a program that changes the root password to something random with the possibility of never recovering the original password might
       be considered a bug by itself.  Other than that, no known bugs.

AUTHOR

       Thomer M. Gil, http://thomer.com/lockout/

lockout 							    2004-09-08								LOCKOUT(1)
All times are GMT -4. The time now is 09:52 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy