iptables

(Shovel)

Guest
OK, I thought it was going quite well, but I've hit a snag that I'm confused over:

I've been trying to follow some HOWTO page that I found, but for reasons beyond me, I can't find some nice simple introduction to iptables, so I was wondering if you kind people could fill me in.

I understand that there are three default chains: INPUT, OUTPUT and FORWARD, and I know that I can make my own.

However, I don't know what it is that decides which packet follows which chain... Similarly, I don't know if I have to jump from one of the default chains to a custom one or whether they all get traversed?

Also, I can't find a definitive word on whether I can use wildcards in destination hostnames.

So, here's an example script that I've got - it filters the internet from my brother's computer.
Code:
#!/bin/sh
# Script to enable blocking of external Internet 
# connections from Nathan's machine.

# Create a new chain
iptables -N NATHAN

# Allow 100% LAN Access
iptables -A NATHAN -s 192.168.1.30 -d 192.168.1.0/255.255.255.0 -j ACCEPT

# Blacklist

# Whitelist
iptables -A NATHAN -p tcp -s 192.168.1.30 -d *.microsoft.com -j ACCEPT
iptables -A NATHAN -p tcp -s 192.168.1.30 -d *.nvidia.com -j ACCEPT

# Deny everything else
iptables -A NATHAN -s 192.168.1.30 -j DROP

Now, I understand that it is based on the order the rules come in that causes connections to be accepted or dropped, hence the "DROP everything" at the end of the script, which I understand will only be reached if the packet does not match any of the preceding rules.

Secondly, whether sticking it in a chain called "Nathan" is actually a good idea, or whether I need an extra rule on INPUT/OUTPUT/FORWARD to match his IP and jump to the NATHAN chain?

The other point is regarding the wildcards on *.microsoft.com, whether they are allowed or whether I have to specify every subdomain on MS that I want Nathan to have access to.

I think I'm on the right lines, but I know there is stuff wrong with the above.

It's not been tested yet; Nathan has gone out, so I can't actually get on to his computer to test the script if I were to run it.

Thankies.

EDIT:// Right, I've established that wildcards aren't allowed using trial and error; the problem is the rest of it. I've tried adding in some of the filtering rules and then tried adding a jump rule for input and forward, but it doesn't seem to block anything.

Do I need to position a "-j NATHAN" rule in a particular place in the rules list?

Sibanac

Guest
I wouldn't use custom chains.


Code:
# Allow 100% LAN Access
iptables -A NATHAN -s 192.168.1.30 -d 192.168.1.0/255.255.255.0 -j ACCEPT

This shouldn't be needed since all filtering will be done on the WAN interface.
The machine is already on the network and can connect to any machine on it by default.

For the blocking of sites try:
Code:
iptables -A OUTPUT -p tcp -s 192.168.1.30 -d *.microsoft.com -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.30 -d *.nvidia.com -j ACCEPT

# Deny everything else
iptables -A OUTPUT -s 192.168.1.30 -j DROP

It's been a long time since I used ipchains and I'm not sure about the wildcards.
An easy way to test it would be to just hook up your brother's PC, set NAT up and then
Code:
iptables -A OUTPUT -s 192.168.1.30 -d *.nvidia.com -j DROP

If you can still access www.nvidia.com from your brother's PC try:
Code:
iptables -A OUTPUT -s 192.168.1.30 -d .nvidia.com -j DROP


I'd look further into it but I actually got some stuff to do here today.

(Shovel)

Guest
iptables reports an error when attempting to use wildcards. However, it seems that it will be OK.

Thank you very much for the help, I'll give it a try.

(Shovel)

Guest
OK, this isn't working.

I started simple, adding basic rules to test it.

Initially tried dropping specific websites on the output chain, this didn't work.

I then tried dropping everything on the output chain and still the websites were popping up. I made sure to access unique sites btw - e.g. ones that he hadn't visited before and therefore won't have been cached.

Does anyone know what sort of information I should be looking for to find out why it's getting through?

I'm going to expand the research horizons a bit too, I've just discovered that Smoothwall themselves have a support forum, so I'm going to add a query there, since they are the ones who know how the buggery iptables has been configured :)

Thanks very much for all the help so far though :)
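The two open questions in this thread (which built-in chain a packet traverses, and how a custom chain gets traversed at all) come down to one point: routing decides the chain, and a user-defined chain is only reached through an explicit jump. The script below is an added example, not code from anyone in the thread; it assumes the iptables box is the router between 192.168.1.0/24 and the Internet (as a Smoothwall is), that its Internet-facing interface is eth1 (a placeholder), and uses www.microsoft.com and www.nvidia.com as stand-in allowed hosts.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the box running iptables is
# the router between 192.168.1.0/24 and the Internet (as a Smoothwall is)
# and that its Internet-facing interface is eth1 (a placeholder).
#
# Which built-in chain a packet traverses is decided by routing, not by
# the administrator: INPUT sees packets addressed to the firewall itself,
# OUTPUT sees packets the firewall itself generates, FORWARD sees packets
# routed through it. Nathan's browsing is routed traffic, so it only ever
# passes FORWARD, which is why a DROP on OUTPUT left it untouched.
IPT="${IPT:-iptables}"     # IPT=echo prints the rules instead of loading them
NATHAN_IP=192.168.1.30
WAN_IF="${WAN_IF:-eth1}"

# A hostname given to -d is resolved by DNS once, when the rule is added,
# and each address it resolves to becomes a separate rule. Nothing matches
# names per packet, so wildcards such as *.microsoft.com cannot work.
ALLOWED_HOSTS="www.microsoft.com www.nvidia.com"

load_nathan_rules() {
    # Create the chain on first run, flush it on later runs.
    $IPT -N NATHAN 2>/dev/null
    $IPT -F NATHAN

    # A user-defined chain is only traversed via an explicit jump. Insert
    # the jump at position 1 of FORWARD so that rules already installed by
    # the distribution cannot ACCEPT the packet before ours sees it.
    # Matching on the WAN interface leaves LAN-to-LAN traffic alone.
    $IPT -D FORWARD -s "$NATHAN_IP" -o "$WAN_IF" -j NATHAN 2>/dev/null
    $IPT -I FORWARD 1 -s "$NATHAN_IP" -o "$WAN_IF" -j NATHAN

    for host in $ALLOWED_HOSTS; do
        $IPT -A NATHAN -p tcp -d "$host" -j ACCEPT
    done

    # A rate-limited log before the final DROP answers "why did that get
    # through / get blocked?" from the kernel log instead of by guesswork.
    $IPT -A NATHAN -m limit --limit 5/min -j LOG --log-prefix "NATHAN-DROP: "
    $IPT -A NATHAN -j DROP
}

# Run as "sh nathan.sh apply"; "IPT=echo sh nathan.sh apply" previews it.
if [ "${1:-}" = "apply" ]; then
    load_nathan_rules
fi
```

Check the result with `iptables -L FORWARD -n --line-numbers` (the jump must be rule 1) and `iptables -L NATHAN -n`, where each allowed hostname shows up expanded to the addresses it resolved to at load time.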