[ale] ipchains question

Gary Maltzen maltzen at mm.com
Wed Jul 12 19:51:03 EDT 2000


I assume 192.168.0.254 is the 'surfer' you are trying to block?
Port 80 is the port on the WEB server.

You need to block the LOCAL address and REMOTE port

SURFER=192.168.0.254
ANY=0.0.0.0/0
HTTP=80
# block outbound surfing: the surfer's requests arrive on the internal
# interface with port 80 on the REMOTE (destination) side
ipchains -A input -i eth1 -p tcp -s ${SURFER} -d ${ANY} ${HTTP} -j DENY -l
# block incoming web reply: the server answers from port 80 toward the surfer
ipchains -A output -i eth1 -p tcp -s ${ANY} ${HTTP} -d ${SURFER} -j DENY -l

----- Original Message ----- 
From: Stephen Lastinger <steve at computernetdesign.com>
To: ale at ale.org
 
>      situation: I have a large network going through a firewall running
> ip chains which is  masquerading and routing traffic perfectly.  I'd like
> to block web traffic for a few individuals who do way too much surfing
> during the course of a business day.
> 
>      I've tried blocking traffic on port 80 for those machines on the
> input, forwarding, and output chains of the internal interface
> (shouldn't the input chain on the internal interface be the only one
> necessary?) and tried using -I instead of -A but have been unsuccessful
> (although ipchains -L -n -v says that the rules are in force).  No
> entries are being created in /var/log/messages, and I'm still unhappily
> surfing on my test wkstn.
> 
>      Any help here would be greatly appreciated.     
> 
>      Here's an excerpt (minus comments and rules not pertinent to the
> question for brevity) of some of the test rulesets I've set up.  Eth0 is
> the external interface, and eth1 is the internal one:
> 
> 
...[snip]...
> 
> # Input section:
> /sbin/ipchains -A input -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p tcp -l -j DENY
> /sbin/ipchains -A input -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p udp -l -j DENY
> 
..[snip]...
> 
> # Forwarding section:
> /sbin/ipchains -A forward -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p tcp -l -j DENY
> /sbin/ipchains -A forward -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p udp -l -j DENY
> /sbin/ipchains -A forward -s 192.168.100.0/24 -j MASQ
> 
> # Output section:
> /sbin/ipchains -A output -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p tcp -l -j DENY
> /sbin/ipchains -A output -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p udp -l -j DENY
> /sbin/ipchains -A output -i eth1 -s 0.0.0.0/0 -d ${LOCALNET} -j ACCEPT
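Gary's point about the LOCAL address and REMOTE port, as an added illustration that is not part of either message: a toy Python matcher for the -p/-s/-d parts of an ipchains command, run against a constructed request and reply. The web server address 203.0.113.10 and the ephemeral port 34567 are made up; the surfer address is the one from Stephen's rules.

```python
import ipaddress
import shlex

# Constructed sample traffic for the scenario in the thread: the surfer's
# browser connects from an ephemeral port to a web server's port 80.
SURFER = "192.168.100.254"
WEB_SERVER = "203.0.113.10"                          # constructed address
REQUEST = ("tcp", SURFER, 34567, WEB_SERVER, 80)     # surfer -> web server
REPLY = ("tcp", WEB_SERVER, 80, SURFER, 34567)       # web server -> surfer

def parse_rule(cmd):
    """Toy parser: only the -p, -s and -d options used in the thread."""
    argv = shlex.split(cmd)
    rule = {"proto": None, "src": None, "sport": None, "dst": None, "dport": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-p":
            rule["proto"] = argv[i + 1]; i += 2
        elif tok in ("-s", "-d"):
            key = "src" if tok == "-s" else "dst"
            rule[key] = ipaddress.ip_network(argv[i + 1], strict=False)
            i += 2
            # an optional port follows the address, as in '-s 192.168.100.254 80'
            if i < len(argv) and argv[i].isdigit():
                rule["sport" if tok == "-s" else "dport"] = int(argv[i]); i += 1
        else:
            i += 1                                   # -A, -i, -l, -j ... ignored
    return rule

def matches(rule, pkt):
    proto, src, sport, dst, dport = pkt
    if rule["proto"] and rule["proto"] != proto: return False
    if rule["src"] and ipaddress.ip_address(src) not in rule["src"]: return False
    if rule["dst"] and ipaddress.ip_address(dst) not in rule["dst"]: return False
    if rule["sport"] is not None and rule["sport"] != sport: return False
    if rule["dport"] is not None and rule["dport"] != dport: return False
    return True

# The posted input-chain rule: port 80 attached to the surfer's (source) side.
POSTED_RULE = "ipchains -A input -i eth1 -s 192.168.100.254 80 -d 0.0.0.0/0 -p tcp -l -j DENY"
# Corrected form: port 80 belongs with the remote (destination) address.
FIXED_RULE = "ipchains -A input -i eth1 -p tcp -s 192.168.100.254 -d 0.0.0.0/0 80 -l -j DENY"
# Gary's companion output-chain rule for the server's reply.
REPLY_RULE = "ipchains -A output -i eth1 -p tcp -s 0.0.0.0/0 80 -d 192.168.100.254 -j DENY -l"

def rule_blocks_request(cmd):
    return matches(parse_rule(cmd), REQUEST)
```

The posted rule never fires because the surfer's request carries an ephemeral source port, which is also why nothing showed up in /var/log/messages.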

