I have a few clients that need access to only a few destinations. I want to set this up with iptables by any method, i.e. destination IP address based or domain name based.
Is it possible?
Blocking all except few host via iptables.
Azfar Hashmi
Email : azfarhashmi@hotmail.com
- Lance Naik
- Posts: 18
- Joined: Fri Mar 04, 2005 1:48 pm
- Location: Ghy
Re: Blocking all except few host via iptables.
If eth0 is your external interface, i.e. the interface which is either connected to the internet or the interface which is not connected to the LAN = eth1 (your clients, I assume, have LAN IP addresses),
then issue the following commands:
/sbin/iptables -A INPUT -i eth0 -s <destination-ip-address1>/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s <destination-ip-address2>/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s <destination-ip-address3>/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p all --destination xyz.com -m state --state RELATED,ESTABLISHED -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p all --destination 0/0 -m state --state NEW -i eth0 -j DROP
You had better write these lines to a file with any filename you like and save it (say, save it in the root directory with the filename allow-destination):
[root@Fed3 ~]# chmod +x /root/allow-destination <hit enter>
[root@Fed3 ~]# /root/allow-destination <hit enter>
Next add the line /root/allow-destination at the bottom of your /etc/rc.local file, so that on any reboot the above commands get run automatically.
Regards,
linuxgossip
Enjoy Linux !
Last edited by linuxgossip on Sun Apr 17, 2005 8:28 pm, edited 3 times in total.
Thanks all. I am currently doing it like the following and it is working, but I am also going to try yours.
iptables -A FORWARD -s 202.69.48.170 -d worldspan.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.worldspan.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d aeroasia.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.aeroasia.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d shaheenair.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.shaheenair.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d airblue.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.airblue.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d 202.69.49.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d 202.69.48.0/255.255.255.128 -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d 202.69.48.128/255.255.255.128 -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d google.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d gmail.google.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d www.google.com -j ACCEPT
iptables -A FORWARD -s 202.69.48.170 -d 0/0 -j REJECT
Azfar Hashmi
Email : azfarhashmi@hotmail.com
Well, I am facing a problem here: I am able to control this on static sites, but I can't on sites like hotmail.com or mail.yahoo.com.
Although I added as many of the sites they redirect to as I could, I am still not able to fix it completely. Any idea?
Azfar Hashmi
Email : azfarhashmi@hotmail.com
Dear Azfar,
I am sure if you use my example you will finally be successful, because
after issuing ACCEPT for the known and intended sites/addresses/destinations I have used the following command in the last line:
/sbin/iptables -A INPUT -p all --destination 0/0 -m state --state NEW -i eth0 -j DROP
This blocks all except those addresses/destinations that you have allowed.
Also make sure you write the DROP command in the last line.
Regards,
linuxgossip
Enjoy Linux !
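The whole thread boils down to one rule set, and the following is an added example that consolidates it (it is not code posted by anyone in this thread). It keeps each client's whitelist in its own chain hooked into FORWARD, as in Azfar's setup, with the catch-all REJECT last, as linuxgossip stresses, and its comments explain why hostname rules fall short for sites like hotmail: iptables resolves a name only once, at insertion time. The client IP, destination list and resolver address are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a per-client egress
# whitelist as a dedicated chain hooked into FORWARD, so the rule set can
# be rebuilt in place when a destination's addresses change.
# Assumed placeholders: client IP, destination list, LAN resolver address.

RESOLVER="${RESOLVER:-192.0.2.53}"   # placeholder LAN resolver the client may query

# Print the current IPv4 addresses for a hostname (needs DNS; kept apart
# from the generator so the generator itself runs offline).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Emit (not run) the iptables commands for one client and its allowed
# destinations. A destination may be an address, a CIDR prefix or a hostname.
# iptables resolves a hostname once, when the rule is inserted, into one rule
# per A record returned at that moment; it is never re-resolved. Sites served
# from many or changing addresses therefore need the chain rebuilt from fresh
# resolution (see resolve_v4) or an address range instead of a name.
build_rules() {
    client="$1"; shift
    chain="egress_$(printf '%s' "$client" | tr '.' '_')"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Return traffic for connections the client already opened.
    echo "iptables -A $chain -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Name lookups, restricted to the resolver the client is supposed to use.
    echo "iptables -A $chain -p udp -d $RESOLVER --dport 53 -j ACCEPT"
    for dest in "$@"; do
        echo "iptables -A $chain -d $dest -j ACCEPT"
    done
    # Catch-all must stay last: anything not allowed above is refused.
    echo "iptables -A $chain -j REJECT --reject-with icmp-admin-prohibited"
    # Jump into the chain for this client only; -C avoids duplicate jumps.
    echo "iptables -C FORWARD -s $client -j $chain 2>/dev/null ||" \
         "iptables -I FORWARD -s $client -j $chain"
}

# Number of ACCEPT rules the generator produced, as a sanity check.
count_accepts() {
    build_rules "$@" | grep -c -- '-j ACCEPT'
}

# Apply for real (root required): regenerate and feed to the shell.
apply_rules() {
    build_rules "$@" | sh
}

if [ "${1:-}" = "--show" ]; then
    build_rules 192.0.2.10 203.0.113.0/24 example.com
fi
```

Run with `--show` to print the generated rules without applying them; re-running apply_rules after fresh resolution flushes and rebuilds only that client's chain.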