Hi,
I am trying to allow intranet (any 10.1.???.??) traffic but block internet. I have created a new chain (chk_nointernet_user) for a group called nointernet
iptables --new-chain chk_nointernet_user
iptables -A OUTPUT -m owner --gid-owner nointernet -j chk_nointernet_user
and I have added these entries:
iptables -A chk_nointernet_user -p tcp --syn -d 10.1.0.0/16 -j RETURN
iptables -A chk_nointernet_user -o lo -j REJECT
This is blocking everything. I want intranet but block internet. I must not be using the right rules. Any help on this would be appreciated.
Ron
iptables to allow intranet but block all internet
Re: iptables to allow intranet but block all internet
And when you return from chk_nointernet_user does your OUTPUT chain allow the access or does it drop through and take a REJECT or DROP from that or the OUTPUT policy?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: iptables to allow intranet but block all internet
Return allows internet and intranet (full access). The new chain is the last part of the iptables. If the user group is not nointernet then everything works fine (full access). Does the chain need to go first?
Thanks,
Ron
Re: iptables to allow intranet but block all internet
You misunderstood the question. It'll be easier if you just post the complete output from iptables-save
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: iptables to allow intranet but block all internet
Hi Trevor,
Here is the output from iptables-save:
# Generated by iptables-save v1.4.21 on Wed Oct 3 15:30:25 2018
*filter
:INPUT ACCEPT [107:15386]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:283]
:chk_nointernet_user - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j chk_nointernet_user
-A chk_nointernet_user -d 10.1.0.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
-A chk_nointernet_user -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Oct 3 15:30:25 2018
# Generated by iptables-save v1.4.21 on Wed Oct 3 15:30:25 2018
*nat
:PREROUTING ACCEPT [23823:3963103]
:INPUT ACCEPT [15686:2932377]
:OUTPUT ACCEPT [2230:144602]
:POSTROUTING ACCEPT [2228:144281]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Oct 3 15:30:25 2018
# Generated by iptables-save v1.4.21 on Wed Oct 3 15:30:25 2018
*mangle
:PREROUTING ACCEPT [5455332:768774259]
:INPUT ACCEPT [5447195:767743533]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5610505:15476793205]
:POSTROUTING ACCEPT [5378126:754001018]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Oct 3 15:30:25 2018
Thanks,
Ron
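The saved rule set above explains the symptom: the only RETURN in chk_nointernet_user matches a TCP packet with exactly the SYN flag set (a connection's first packet) to 10.1.0.0/24. Every other packet from a gid 1001 process, including the ACK and data segments of that same connection, all UDP and ICMP, loopback traffic, and anything in 10.1.1.0 through 10.1.255.255, falls through to the REJECT. The following is an added example, not code from the thread: a small simulator of netfilter OUTPUT-chain traversal (RETURN from a user chain resumes the calling chain; reaching the end of OUTPUT applies its ACCEPT policy) that parses the poster's rules and a hypothetical corrected chain, then evaluates constructed sample packets against both. Only the options that appear in the rules are supported, the intranet is assumed to be 10.1.0.0/16 (the poster's "10.1.?.?"), and the sample addresses, ports and group ids are constructed.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Copied from the poster's iptables-save output: the OUTPUT chain and the
# custom chain only (INPUT/FORWARD do not see locally generated traffic).
POSTED_RULES = """
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j chk_nointernet_user
-A chk_nointernet_user -d 10.1.0.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
-A chk_nointernet_user -j REJECT --reject-with icmp-port-unreachable
"""

# Hypothetical corrected chain (assumption: intranet is 10.1.0.0/16):
# RETURN for loopback and for any protocol/flags to the intranet, then REJECT.
FIXED_RULES = """
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j chk_nointernet_user
-A chk_nointernet_user -o lo -j RETURN
-A chk_nointernet_user -d 10.1.0.0/16 -j RETURN
-A chk_nointernet_user -j REJECT --reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    gid: int                    # group of the process that sent the packet
    out_if: str = "eth0"
    dport: int = 0
    tcp_flags: frozenset = field(default_factory=frozenset)


def parse_rules(text):
    """Parse the iptables-save subset used above into {chain: [rule, ...]}."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        assert tok[0] == "-A", line
        rule, i = {"target": None}, 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-d":
                rule["dst"] = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
            elif opt in ("-p", "-o", "-j", "--dport", "--gid-owner"):
                key = {"-p": "proto", "-o": "out_if", "-j": "target",
                       "--dport": "dport", "--gid-owner": "gid"}[opt]
                rule[key] = int(tok[i + 1]) if key in ("dport", "gid") else tok[i + 1]
                i += 2
            elif opt == "--tcp-flags":       # "--tcp-flags MASK COMP"
                rule["flags"] = (frozenset(tok[i + 1].split(",")),
                                 frozenset(tok[i + 2].split(",")))
                i += 3
            elif opt in ("-m", "--reject-with"):
                i += 2                        # module loader / reject type: no match effect
            else:
                raise ValueError(f"unsupported option {opt} in: {line}")
        chains.setdefault(tok[1], []).append(rule)
    return chains


def matches(rule, pkt):
    """True when every condition present on the rule holds for the packet."""
    if "dst" in rule and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    for key in ("proto", "out_if", "dport", "gid"):
        if key in rule and rule[key] != getattr(pkt, key):
            return False
    if "flags" in rule:                       # (flags & mask) must equal comp
        mask, comp = rule["flags"]
        return (pkt.tcp_flags & mask) == comp
    return True


def _walk(chains, name, pkt, policy, builtin):
    for rule in chains.get(name, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":                # user chain: resume caller; builtin: policy
            return policy if builtin else None
        verdict = _walk(chains, target, pkt, policy, builtin=False)
        if verdict is not None:
            return verdict
    return policy if builtin else None        # end of chain: policy or implicit RETURN


def verdict(chains, pkt, policy="ACCEPT"):
    """Verdict for a locally generated packet; OUTPUT policy is ACCEPT as in the save file."""
    return _walk(chains, "OUTPUT", pkt, policy, builtin=True)


# Constructed sample traffic; gid 1001 is the nointernet group from the save file.
SAMPLES = {
    "rdp SYN to 10.1.0.5":    Packet("10.1.0.5", "tcp", 1001, dport=3389, tcp_flags=frozenset({"SYN"})),
    "rdp data to 10.1.0.5":   Packet("10.1.0.5", "tcp", 1001, dport=3389, tcp_flags=frozenset({"ACK"})),
    "dns to 10.1.0.2":        Packet("10.1.0.2", "udp", 1001, dport=53),
    "printer 10.1.7.9":       Packet("10.1.7.9", "tcp", 1001, dport=631, tcp_flags=frozenset({"SYN"})),
    "loopback 127.0.0.1":     Packet("127.0.0.1", "tcp", 1001, out_if="lo", dport=5900, tcp_flags=frozenset({"SYN"})),
    "web 203.0.113.10":       Packet("203.0.113.10", "tcp", 1001, dport=443, tcp_flags=frozenset({"SYN"})),
    "gid 1000 to web":        Packet("203.0.113.10", "tcp", 1000, dport=443, tcp_flags=frozenset({"SYN"})),
}


def compare(rules_text):
    """Map each sample label to the verdict the given rule set produces."""
    chains = parse_rules(rules_text)
    return {label: verdict(chains, pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name, compare(text))
```

With the posted chain only the first sample gets ACCEPT; the rest of the gid 1001 traffic, intranet or not, is rejected, which matches "losing connections to the 10.1.?.? including the XRDP Login". With the corrected chain the intranet, loopback and other-group samples are accepted and only the internet-bound packet from gid 1001 is rejected. The simulator is a teaching model: real netfilter also evaluates the other tables and the connection-tracking state, so verify any chain change on the host with `iptables-save` and `iptables -L -v` counters rather than trusting the model alone.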
Re: iptables to allow intranet but block all internet
Hi,
The new chain (chk_nointernet_user) is the only thing I have created (the rest is default). We have some users that have no internet access. It is correct that only 1 group should be blocked to outside devices (group nointernet).
We are using this as a terminal server that supports about 150 users using XRDP. Each user has their own desktop. Some users are not allowed to use the internet but must have access to everything on 10.1.?.?.
This includes internal web sites, printers, etc....
If I remove iptables -A chk_nointernet_user -j REJECT (using -D instead of -A), then they have access to everything including the internet. With that line in there they are also losing connections to the 10.1.?.? including the XRDP Login. I can login as them on the machine and with that line they cannot connect to 10.1.?.?.
Ron