TOPIC: Custom egress filter for IPCop

Custom egress filter for IPCop 9 years 5 months ago #22297

  • trogers (New Member, Posts: 4)
I am trying to block all but certain traffic from leaving our local (GREEN) network with IPCop. My goal is to DROP all outgoing traffic from most machines on the local network except IMAP/IMAPS, SMTP, HTTP/HTTPS, and so on.

I found some nice code here which, if included in rc.local, would block all outgoing traffic from most IP addresses on the GREEN interface.

[code:1]
# GREEN_DEV and RED_DEV are defined here
. /var/ipcop/ethernet/settings

# Flush the custom input and forward chains
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD

# allow full access for specific IPs
# allow 192.168.0.3 and 192.168.0.4
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.3 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.4 -o $RED_DEV -j ACCEPT

# bar access for all other IPs
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 0/0 -o $RED_DEV -j DROP
[/code:1]

I am hoping that someone can show me how to modify this code to permit, for example, outgoing packets to port 143 from all machines on the GREEN interface, while still blocking all other outgoing traffic.

My thanks in advance for your help.

Re: Custom egress filter for IPCop 9 years 5 months ago #22301

  • DaLight (Honored Member, Posts: 1302)
Welcome to firewall.cx, trogers. You simply need to add a line to the above code. The new modified code should now be:
[code:1]
# GREEN_DEV and RED_DEV are defined here
. /var/ipcop/ethernet/settings

# Flush the custom input and forward chains
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD

# allow full access for specific IPs
# allow 192.168.0.3 and 192.168.0.4
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.3 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.0.4 -o $RED_DEV -j ACCEPT

# allow access to specific ports (--dport is only valid together with -p tcp or -p udp)
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 143 -j ACCEPT

# bar access for all other IPs
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 0/0 -o $RED_DEV -j DROP
[/code:1]

Custom egress filter for IPCop 9 years 5 months ago #22308

  • trogers (New Member, Posts: 4)
Thank you very much. I really appreciate it!

Custom egress filter for IPCop 9 years 5 months ago #22351

  • trogers (New Member, Posts: 4)
I wanted to share a draft of my rc.local egress filter script. Following the pattern that DaLight suggested, I have tried to open all of the ports between GREEN and RED which my staff should need.

I haven't tried this yet...so I have no idea how well it will work. Any comments or suggestions would be very welcome!

[code:1]
#!/bin/sh

# GREEN_DEV and RED_DEV are defined here
. /var/ipcop/ethernet/settings

# Flush CUSTOMINPUT and CUSTOMFORWARD rules
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMFORWARD

# Allow full access to the RED interface for specific IP addresses
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.1 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.2 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.3 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.4 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.5 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.11 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.12 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.13 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.14 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.15 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.101 -o $RED_DEV -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.102 -o $RED_DEV -j ACCEPT

# Port rules: --dport is only valid together with a protocol match (-p tcp / -p udp)

# Allow ssh to the RED interface from all addresses on the GREEN interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 21 -j ACCEPT

# Allow ftp to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 22 -j ACCEPT

# Allow SMTP to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 25 -j ACCEPT

# Allow http, https, and proxy to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 800 -j ACCEPT

# Allow IMAP and IMAPS to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 993 -j ACCEPT

# Allow IPSEC VPN (FIX ME!)
# /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV --dport 500 -j ACCEPT

# Allow Jabber to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 5222 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 5223 -j ACCEPT

# Allow VNC to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 5900 -j ACCEPT

# Allow GoToAssist to the RED interface from certain GREEN addresses
# /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 80 -j ACCEPT
# /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 443 -j ACCEPT
# /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.120 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.121 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.122 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.123 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.1.124 -o $RED_DEV -p tcp --dport 8200 -j ACCEPT

# Drop all other outbound traffic to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 0/0 -o $RED_DEV -j DROP
[/code:1]

Re: Custom egress filter for IPCop 9 years 5 months ago #22358

  • DaLight (Honored Member, Posts: 1302)
[code:1]
# Allow ssh to the RED interface from all addresses on the GREEN interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 21 -j ACCEPT

# Allow ftp to the RED interface
/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $RED_DEV -p tcp --dport 22 -j ACCEPT
[/code:1]
SSH is port 22 and FTP port 21 ...
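An added example that is not part of any post in this thread: trogers' draft rebuilt as one script, with DaLight's per-port pattern, the ssh/ftp port mix-up fixed, and the `-p tcp` that `--dport` requires. The host lists and ports are constructed sample values; the fallback interface names eth0/eth1, the location of the settings file, and the availability of the `multiport`, `limit` and `LOG` iptables modules on the IPCop kernel are assumptions. Without an argument it only prints the rules it would load, so the policy can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not code from the thread): egress policy for the IPCop
# CUSTOMFORWARD chain, built from a per-host allow-list and a per-port
# allow-list. Run with no argument to print the rules; run with "apply"
# to load them.

# Assumption: IPCop defines GREEN_DEV and RED_DEV in this file. The eth0/eth1
# fallbacks only exist so the script can be dry-run on another machine.
[ -r /var/ipcop/ethernet/settings ] && . /var/ipcop/ethernet/settings
GREEN_DEV=${GREEN_DEV:-eth0}
RED_DEV=${RED_DEV:-eth1}

DRY_RUN=1
[ "${1:-}" = apply ] && DRY_RUN=0

# Wrapper: print the command in dry-run mode, otherwise execute it
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "/sbin/iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# Constructed sample values. Hosts in FULL_ACCESS_HOSTS get unrestricted
# outbound access; GOTOASSIST_HOSTS may additionally reach tcp/8200.
# TCP_PORTS is what every GREEN host may reach on RED: ftp, ssh, smtp, http,
# https, imap, imaps, jabber, jabber-ssl, vnc. Port 800 is IPCop's own proxy
# listening on GREEN, which is INPUT traffic, not FORWARD, so it is not here.
FULL_ACCESS_HOSTS="192.168.1.1 192.168.1.2 192.168.1.3"
GOTOASSIST_HOSTS="192.168.1.120 192.168.1.121"
TCP_PORTS="21,22,25,80,443,143,993,5222,5223,5900"

build_egress_rules() {
    ipt -F CUSTOMFORWARD

    # Most specific rules first: per-host exemptions, then per-host/per-port
    for h in $FULL_ACCESS_HOSTS; do
        ipt -A CUSTOMFORWARD -i "$GREEN_DEV" -o "$RED_DEV" -s "$h" -j ACCEPT
    done
    for h in $GOTOASSIST_HOSTS; do
        ipt -A CUSTOMFORWARD -i "$GREEN_DEV" -o "$RED_DEV" -s "$h" -p tcp --dport 8200 -j ACCEPT
    done

    # --dport/--dports only exist inside a protocol match, so -p tcp is
    # mandatory; multiport collapses the per-port rules into one
    ipt -A CUSTOMFORWARD -i "$GREEN_DEV" -o "$RED_DEV" -p tcp -m multiport --dports "$TCP_PORTS" -j ACCEPT

    # Only needed if GREEN hosts query Internet resolvers directly instead of
    # using IPCop as their DNS server; DNS is UDP, so the TCP rule misses it
    ipt -A CUSTOMFORWARD -i "$GREEN_DEV" -o "$RED_DEV" -p udp --dport 53 -j ACCEPT

    # Log a rate-limited sample of what is dropped, so a blocked service that
    # staff actually need shows up in the logs, then drop everything else
    ipt -A CUSTOMFORWARD -i "$GREEN_DEV" -o "$RED_DEV" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
    ipt -A CUSTOMFORWARD -i "$GREEN_DEV" -o "$RED_DEV" -j DROP
}

build_egress_rules
```

Run the script as-is to see the rules it would load; `sh egress.sh apply` loads them. After applying, `iptables -L CUSTOMFORWARD -nv` shows each rule with its packet counters, and the `EGRESS-DROP:` kernel log lines (on IPCop, in /var/log/messages) show which blocked destination and port a complaining user actually needs before another rule is added.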

Custom egress filter for IPCop 9 years 5 months ago #22371

  • trogers (New Member, Posts: 4)
Thank you.

What about VPNs? We have 14 net-to-net VPNs. Do I need to do anything in this script to ensure that the VPNs work correctly?