
Custom egress filter for IPCop

17 years 3 months ago #22297 by trogers
I am trying to block all but certain traffic from leaving our local (GREEN) network with IPCop. My goal is to DROP all outgoing traffic from most machines on the local network except IMAP/IMAPS, SMTP, HTTP/HTTPS, and so on.

I found some nice code here which, if included in rc.local, would block all outgoing traffic from most IP addresses on the GREEN interface.

[code:1]
# Flush the custom input and forward chains
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD

#allow full access for specific IPs
#allow 192.168.0.3 and 192.168.0.4
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.3 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.4 -o $RED_DEV -j ACCEPT

#bar access for all other IPs
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 0/0 -o $RED_DEV -j DROP
[/code:1]

I am hoping that someone can show me how to modify this code to permit, for example, outgoing packets to port 143 from all machines on the GREEN interface, while still blocking all other outgoing traffic.

My thanks in advance for your help.
17 years 3 months ago #22301 by DaLight
Welcome to firewall.cx, trogers. You simply need to add a line to the above code. The new modified code should now be:
[code:1]
# Flush the custom input and forward chains
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD

#allow full access for specific IPs
#allow 192.168.0.3 and 192.168.0.4
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.3 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.4 -o $RED_DEV -j ACCEPT

#allow access to specific ports (--dport only works together with a -p protocol match)
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 143 -j ACCEPT

#bar access for all other IPs
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 0/0 -o $RED_DEV -j DROP
[/code:1]
17 years 3 months ago #22308 by trogers
Thank you very much. I really appreciate it!
17 years 3 months ago #22351 by trogers
I wanted to share a draft of my rc.local egress filter script. Following the pattern that DaLight suggested, I have tried to open all of the ports between GREEN and RED which my staff should need.

I haven't tried this yet...so I have no idea how well it will work. Any comments or suggestions would be very welcome!

[code:1]
#!/bin/sh

# shorthand helper (shell assignment takes no leading $)
# IPT="/sbin/iptables"

# variables defined therein
# . /var/ipcop/ethernet/settings

# Flush CUSTOMINPUT and CUSTOMFORWARD rules
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD

# Allow full access to the RED interface for specific IP addresses
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.1 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.2 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.3 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.4 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.5 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.11 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.12 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.13 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.14 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.15 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.101 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.102 -o $RED_DEV -j ACCEPT

# Allow ssh to the RED interface from all addresses on the GREEN interface
# (--dport is only valid together with a -p protocol match)
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 21 -j ACCEPT

# Allow ftp to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 22 -j ACCEPT

# Allow SMTP to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 25 -j ACCEPT

# Allow http, https, and proxy to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 800 -j ACCEPT

# Allow IMAP and IMAPS to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 993 -j ACCEPT

# Allow IPSEC VPN (FIX ME!) - IKE is UDP/500
# /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p udp --dport 500 -j ACCEPT

# Allow Jabber to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 5222 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 5223 -j ACCEPT

# Allow VNC to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 5900 -j ACCEPT

# Allow GoToAssist to the RED interface from certain GREEN addresses
# /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 80 -j ACCEPT
# /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 443 -j ACCEPT
# /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.120 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.121 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.122 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.123 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.124 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT

# Drop all other outbound traffic to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 0/0 -o $RED_DEV -j DROP

[/code:1]
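The same GREEN-to-RED egress policy built from lists rather than one hand-typed rule per port, as an added example that is not part of the thread or of IPCop itself. It assumes IPCop's CUSTOMFORWARD chain and the GREEN_DEV/RED_DEV variables from /var/ipcop/ethernet/settings (eth0/eth1 are placeholder defaults); it only prints the rules unless APPLY=1 is set, so the generated ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the GREEN->RED egress
# policy from lists so that every --dport rule carries its protocol.
# Assumes IPCop's CUSTOMFORWARD chain and GREEN_DEV/RED_DEV from
# /var/ipcop/ethernet/settings; eth0/eth1 below are placeholder defaults.
# Rules are only printed unless APPLY=1 is set, so they can be reviewed.
GREEN_DEV="${GREEN_DEV:-eth0}"
RED_DEV="${RED_DEV:-eth1}"
IPT="echo /sbin/iptables"
if [ "${APPLY:-0}" = "1" ]; then IPT="/sbin/iptables"; fi

FULL_ACCESS_HOSTS="192.168.1.1 192.168.1.2"              # hosts with no egress limits
TCP_PORTS="21 22 25 80 443 800 143 993 5222 5223 5900"   # ftp ssh smtp web proxy imap(s) jabber vnc
UDP_PORTS="500"                                          # IKE, needed for IPSec

egress_rule() {
    # Append one GREEN -> RED rule to CUSTOMFORWARD; args are the match and target
    $IPT -A CUSTOMFORWARD -i "$GREEN_DEV" -o "$RED_DEV" "$@"
}

build_egress_filter() {
    $IPT -F CUSTOMFORWARD
    for h in $FULL_ACCESS_HOSTS; do
        egress_rule -s "$h" -j ACCEPT
    done
    for p in $TCP_PORTS; do
        egress_rule -p tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_PORTS; do
        egress_rule -p udp --dport "$p" -j ACCEPT
    done
    # Log (rate-limited) and then drop everything else, so blocked egress
    # attempts show up in the firewall log instead of failing silently.
    egress_rule -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
    egress_rule -j DROP
}

build_egress_filter
```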
17 years 2 months ago #22358 by DaLight
[code:1]
# Allow ssh to the RED interface from all addresses on the GREEN interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV --dport 21 -j ACCEPT

# Allow ftp to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV --dport 22 -j ACCEPT
[/code:1]

SSH is port 22 and FTP port 21 ...
17 years 2 months ago #22371 by trogers
Thank you.

What about VPNs? We have 14 net-to-net VPNs. Do I need to do anything in this script to ensure that the VPNs work correctly?