Re: IPTables Blocking Outbound by destination port.
From: NeoSadist (neosad1st_at_charter.net)
Date: 12/02/03
- Next message: G Klein: "Re: Catch 22 with Norton Internet Security"
- Previous message: NeoSadist: "Re: Linksys BEFSX41 vs. high end firewalls"
- In reply to: Glenn: "IPTables Blocking Outbound by destination port."
- Next in thread: NeoSadist: "Re: IPTables Blocking Outbound by destination port."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 01 Dec 2003 18:18:34 -0700
Glenn wrote:
> I would like to set up some rules to block any internal traffic that
> is destined for any ports other than port 80, and port 443.
> I want to do this to prevent users doing anything other than looking
> at web pages on the internet.
> I would like to make some exceptions to these rules, in that the mail
> server is permitted to access 110, and our I.S team should be given
> unrestricted access to any destination port. (Obviously).
>
> My questions are...
>
> Is this possible with IPTables ?
> How do I go about it ?
> Have I overlooked anything that could cause issues ?
>
>
> With thanks
>
> Glenn
I'd say you need to download and install ethereal on some practice computer
(i.e. unused, if possible). Then sit there and surf the web normally while
recording the packets, stop after about say 100 packets and look at what
you've done.
Then start packet capture again, this time doing things you don't want the
employees to be able to do. You should be able to find some differences.
It is possible with IPTables to do these things. However, some may require
extra things like this:
1. Say you don't want them logging into msn/yahoo/aol/icq/irc from port 80.
You can put a rule at the beginning of the INCOMING chain to not allow
anything to those sites (since the login packets go to a very specific
server in those cases, one not accessed using a browser).
2. Say you don't want them transferring information such as login
information to web email. You can drop packets that contain @hotmail or
such in them.
These are advanced topics, though. However, I'd have to sit down and think
of all the possible "naughty" things I could do on a corporate LAN and get
back with you. As yet, to block msn messenger just block port 1863. Also,
make sure your default policy is to DROP packets (or else your rules will
be useless).
--
Fourth Law of Revision:
It is usually impractical to worry beforehand about
interferences -- if you have none, someone will make one for you.