Special Forums IP Networking iptables allow access to one site Post 302892538 by wa1ed on Thursday 13th of March 2014 10:45:35 AM
I need help writing iptables rules that will allow a certain range of private address (192.168.0.80-100) outgoing access to one or two specific named sites and nothing else.

Here is my current setup
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


I do not know the exact domain names as of yet, will know soon, they are for a credit card processor.

but....

we could use any site as an example:
so 192.168.0.80-100 are allowed to go to google.com and no where else?

A proxy server is not a viable alternative right now

Thank you
 
Test Your Knowledge in Computers #959
Difficulty: Medium
The first virus attack against a Linux machine was by a virus called Stooge,
True or False?

9 More Discussions You Might Find Interesting

1. IP Networking

port access to site to site VPN

Setup a site to site VPN between two cisco routers. One of the site locations is unable to access ports such as https://example.com:9001 How do I let them go into port 9001? They can ssh, ftp, telnet and everything else. Is this a VPN issue or ACL access issue? I put permit ip host... (0 Replies)
Discussion started by: photon
0 Replies

2. Shell Programming and Scripting

How to check site access in shell script

Hello every one, I have a little issue that has been killing me now for the past couple of days, I have tried to find solutions online, but its been hard to, ok here it goes... I have created a site that is based on amount of user that have access at a time, based on cookie. So if the browser... (1 Reply)
Discussion started by: heman007
1 Replies

3. Shell Programming and Scripting

Unable to access http site using wget through proxy

Hi there I am currently trying to access an http site using the wget utility from a solaris box. I am going through proxies to do this and we have two types of proxies. For the first one, which is a netcache proxy, I am able to use the wget command to export the proxy information export... (2 Replies)
Discussion started by: memonks
2 Replies

4. Programming

Unable to use libcurl to access a site requiring client authentication

I’m using the below snipped for setting the certificate and key for client authentication. curl_easy_setopt(curl,CURLOPT_SSLCERT,"clientCert.pem"); curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit"); curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM"); ... (2 Replies)
Discussion started by: old_as_a_fossil
2 Replies

5. Solaris

Access Sharepoint site using SOAP request in unix

Hi, We are using a java application (Java 6 , Using JAX-WS 2.0 to Create a Simple Web Service) that accesses SharePoint API through web services. We were able to get the data in windows and do all operations the API allows. When we deploy this application on UNIX environment (Solaris 10)... (0 Replies)
Discussion started by: johninweb
0 Replies

6. UNIX for Advanced & Expert Users

squid: Allow access to only one site and only via 80 or 443

Can someone please give me the conf file line to allow access to myexample.com and only that site, and only through http and https? So far I have only that site accessible via http, but all https sites are opened. Squid 3.1 on Cent 6 ---------- Post updated at 12:06 PM ---------- Previous... (0 Replies)
Discussion started by: glev2005
0 Replies

7. IP Networking

How to establish site to site vpn - Linux machine and cisco asa?

Hi, I am trying to establish vpn between my linux server and cisco asa at client side. I installed openswan on my cent os. Linux Server eth0 - 182.2.29.10 Gateway - 182.2.29.1 eth1 - 192.9.200.75 I have simple IPtables Like WAN="eth0" LAN="eth1" (0 Replies)
Discussion started by: ashokvpp
0 Replies

8. Cybersecurity

A little iptables help for Guest Access

Hey folks, I've setup a wifi guest network on an E2500 router running TomatoUSB, that I only want to have internet access provided for. Did this by creating a separate bridge (br1), then putting it in it's own VLAN, created a virtual wifi interface, then set some firewall rules to isolate... (0 Replies)
Discussion started by: mcaramb
0 Replies

9. Post Here to Contact Site Administrators and Moderators

Regarding not able to access UNIX.com site

Hello MODs/Admins, Could you please help me here as from last 6 to 7 days I(and checked with my fellow friends too) am not able to access unix.com site at all. It is very very slow, it never loads completely. Even I checked with different people and different computers it results same only,... (8 Replies)
Discussion started by: RavinderSingh13
8 Replies
UFW 
FRAMEWORK(8) August 2009 UFW FRAMEWORK(8) NAME
ufw-framework - using the ufw framework DESCRIPTION
ufw provides both a command line interface and a framework for managing a netfilter firewall. While the ufw command provides an easy to use interface for managing a firewall, the ufw framework provides the administrator methods to customize default behavior and add rules not supported by the command line tool. In this way, ufw can take full advantage of Linux netfilter's power and flexibility. OVERVIEW
The framework provides boot time initialization, rules files for adding custom rules, a method for loading netfilter modules, configuration of kernel parameters and configuration of IPv6. The framework consists of the following files: /lib/ufw/ufw-init initialization script /etc/ufw/before[6].rules rules file containing rules evaluated before UI added rules /lib/ufw/user[6].rules rules file containing UI added rules (managed with the ufw command) /etc/ufw/after[6].rules rules file containing rules evaluated after UI added rules /etc/default/ufw high level configuration /etc/ufw/sysctl.conf kernel network tunables /etc/ufw/ufw.conf additional high level configuration BOOT INITIALIZATION
ufw is started on boot with /lib/ufw/ufw-init. This script is a standard SysV style initscript used by the ufw command and should not be modified. It supports the following arguments: start: loads the firewall stop: unloads the firewall restart: reloads the firewall force-reload: same as restart status: basic status of the firewall force-stop: same as stop, except does not check if the firewall is already loaded flush-all: flushes the built-in chains, deletes all non-built-in chains and resets the policy to ACCEPT ufw uses many user-defined chains in addition to the built-in iptables chains. If MANAGE_BUILTINS in /etc/default/ufw is set to 'yes', on stop and reload the built-in chains are flushed. If it is set to 'no', on stop and reload the ufw secondary chains are removed and the ufw primary chains are flushed. In addition to flushing the ufw specific chains, it keeps the primary chains in the same order with respect to any other user-defined chains that may have been added. This allows for ufw to interoperate with other software that may manage their own firewall rules. To ensure your firewall is loading on boot, you must integrate this script into the boot process. Consult your distribution's documentation for the proper way to modify your boot process if ufw is not already integrated. RULES FILES
ufw is in part a front-end for iptables-restore, with its rules saved in /etc/ufw/before.rules, /etc/ufw/after.rules and /lib/ufw/user.rules. Administrators can customize before.rules and after.rules as desired using the standard iptables-restore syntax. Rules are evaluated as follows: before.rules first, user.rules next, and after.rules last. IPv6 rules are evaluated in the same way, with the rules files named before6.rules, user6.rules and after6.rules. Please note that ufw status only shows rules added with ufw and not the rules found in the /etc/ufw rules files. Important: ufw only uses the *filter table by default. You may add any other tables such as *nat, *raw and *mangle as desired. For each ta- ble a corresponding COMMIT statement is required. After modifying any of these files, you must reload ufw for the rules to take effect. See the EXAMPLES section for common uses of these rules files. MODULES
Netfilter has many different connection tracking modules. These modules are aware of the underlying protocol and allow the administrator to simplify his or her rule sets. You can adjust which netfilter modules to load by adjusting IPT_MODULES in /etc/default/ufw. Some popular modules to load are: nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns nf_conntrack_pptp KERNEL PARAMETERS
ufw will read in /etc/ufw/sysctl.conf on boot when enabled. Please note that /etc/ufw/sysctl.conf overrides values in the system systcl.conf (usually /etc/sysctl.conf). Administrators can change the file used by modifying /etc/default/ufw. IPV6 IPv6 is enabled by default. When disabled, all incoming, outgoing and forwarded packets are dropped, with the exception of traffic on the loopback interface. To adjust this behavior, set IPV6 to 'yes' in /etc/default/ufw. See the ufw manual page for details. EXAMPLES
As mentioned, ufw loads its rules files into the kernel by using the iptables-restore and ip6tables-restore commands. Users wanting to add rules to the ufw rules files manually must be familiar with these as well as the iptables and ip6tables commands. Below are some common examples of using the ufw rules files. All examples assume IPv4 only and that DEFAULT_FORWARD_POLICY in /etc/default/ufw is set to DROP. IP Masquerading To allow IP masquerading for computers from the 10.0.0.0/8 network to share the single IP address on eth0: Edit /etc/ufw/sysctl.conf to have: net.ipv4.ip_forward=1 Add to the end of /etc/ufw/before.rules, after the *filter section: *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE COMMIT If your firewall is using IPv6 tunnels or 6to4 and is also doing NAT, then you should not usually masquerade protocol '41' (ipv6) packets. For example, instead of the above, /etc/ufw/before.rules can be adjusted to have: *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.0.0.0/8 --protocol ! 41 -o eth0 -j MASQUERADE COMMIT Port Redirections To forward tcp port 80 on eth0 to go to the webserver at 10.0.0.2: Edit /etc/ufw/sysctl.conf to have: net.ipv4.ip_forward=1 Add to the *filter section of /etc/ufw/before.rules: -A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT -A ufw-before-forward -m state --state NEW -i eth0 -d 10.0.0.2 -p tcp --dport 80 -j ACCEPT Add to the end of /etc/ufw/before.rules, after the *filter section: *nat :PREROUTING ACCEPT [0:0] -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2:80 COMMIT Egress filtering To block RFC1918 addresses going out of eth0: Add in the *filter section of /etc/ufw/before.rules: -A ufw-before-forward -o eth0 -d 10.0.0.0/8 -j REJECT -A ufw-before-forward -o eth0 -d 172.16.0.0/12 -j REJECT -A ufw-before-forward -o eth0 -d 192.168.0.0/16 -j REJECT Full example This example combines the other examples and demonstrates a simple routing firewall. Warning: this setup is only an example to demonstrate the functionality of the ufw framework in a concise and simple manner and should not be used in production without understanding what each part does and does not do. Your firewall will undoubtedly want to be less open. This router/firewall has two interfaces: eth0 (Internet facing) and eth1 (internal LAN). Internal clients have addresses on the 10.0.0.0/8 network and should be able to connect to anywhere on the Internet. Connections to port 80 from the Internet should be forward to 10.0.0.2. Access to ssh port 22 from the administrative workstation (10.0.0.100) to this machine should be allowed. Also make sure no internal traf- fic goes to the Internet. Edit /etc/ufw/sysctl.conf to have: net.ipv4.ip_forward=1 Add to the *filter section of /etc/ufw/before.rules: -A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT -A ufw-before-forward -i eth1 -s 10.0.0.0/8 -o eth0 -m state --state NEW -j ACCEPT -A ufw-before-forward -m state --state NEW -i eth0 -d 10.0.0.2 -p tcp --dport 80 -j ACCEPT -A ufw-before-forward -o eth0 -d 10.0.0.0/8 -j REJECT -A ufw-before-forward -o eth0 -d 172.16.0.0/12 -j REJECT -A ufw-before-forward -o eth0 -d 192.168.0.0/16 -j REJECT Add to the end of /etc/ufw/before.rules, after the *filter section: *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.2:80 -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE COMMIT For allowing ssh on eth1 from 10.0.0.100, use the ufw command: # ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp SEE ALSO
ufw(8), iptables(8), ip6tables(8), iptables-restore(8), ip6tables-restore(8), sysctl(8), sysctl.conf(5) AUTHOR
ufw is Copyright 2008-2009, Canonical Ltd. ufw and this manual page was originally written by Jamie Strandboge <jamie@canonical.com> August 2009 UFW FRAMEWORK(8)

Featured Tech Videos

All times are GMT -4. The time now is 06:18 PM.
Unix & Linux Forums Content Copyright 1993-2019. All Rights Reserved.
Privacy Policy