
iptables "whitelist" rule



Hi
I am currently implementing layer-7 packet filtering on my Debian gateway
with ipp2p. This has been done to prevent wireless users from using well
known file sharing applications (edonkey, bittorrent, kazaa, etc.).
The current iptables configuration that I have is doing everything very
well.

Now I want to be able to run the amuled daemon ON the Debian router but
I am not really sure how to tell iptables to whitelist the traffic that
is not being forwarded.
In other words, the ipp2p module should not drop the packets originating
from/destined for the router itself.

Here is my current script:


# Interface connected to Internet
INTERNET="eth1"

# Address connected to LAN
LOCAL="10.0.1.0/24"

# VPN
VPN="5.0.0.0/8"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable Munin stats
iptables -A INPUT -d 37.244.81.222
iptables -A OUTPUT -s 37.244.81.222
iptables -A FORWARD -i eth1

iptables -A INPUT -d 10.0.1.2
iptables -A OUTPUT -s 10.0.1.2
iptables -A FORWARD -i eth0

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# unlimited access to VPN
iptables -A INPUT -s $VPN -j ACCEPT
iptables -A OUTPUT -s $VPN -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP



Thanks for your help guys
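An added example (not part of the original post or of the ipp2p project): the point it illustrates is that the netfilter chain a packet traverses already separates the router's own traffic from forwarded traffic. Packets generated on the router go through OUTPUT, packets addressed to the router go through INPUT, and only routed packets go through FORWARD. Keeping the ipp2p DROP in FORWARD alone therefore filters the wireless clients while leaving a daemon on the router untouched. The interface name, LAN range and the small chain-selection model below are assumptions for illustration; the rules are emitted as text so the design can be checked without root.

```shell
#!/bin/sh
# Added example: ipp2p applied only to forwarded traffic.
# Values below are assumed (taken from the shape of the posted script).
INTERNET="eth1"        # assumed: interface towards the Internet
LOCAL="10.0.1.0/24"    # assumed: LAN range being routed

# Emit the relevant filter rules, one per line, instead of running them.
# No ipp2p rule is placed in INPUT or OUTPUT, so connections that begin or
# end on the router itself (e.g. amuled) are never inspected by ipp2p.
p2p_filter_rules() {
    echo "iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Drop P2P only for packets routed between interfaces (LAN clients)
    echo "iptables -A FORWARD -m ipp2p --ipp2p -j DROP"
    echo "iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE"
    echo "iptables -A FORWARD -s $LOCAL -j ACCEPT"
}

# Simplified model of the netfilter routing decision: which filter chain
# a packet traverses, given whether it was generated on the router and
# whether it is addressed to one of the router's own addresses.
filter_chain_for() {
    local_src=$1   # "yes" if the packet was generated by the router
    local_dst=$2   # "yes" if the packet is destined to the router
    if [ "$local_src" = yes ]; then
        echo OUTPUT
    elif [ "$local_dst" = yes ]; then
        echo INPUT
    else
        echo FORWARD
    fi
}

# Number of ipp2p rules the emitted ruleset places in the given chain.
ipp2p_rules_in_chain() {
    p2p_filter_rules | grep -c -- "-A $1 -m ipp2p" || true
}

# "dropped" if the chain for this packet carries an ipp2p DROP, else "passed".
ipp2p_verdict() {
    chain=$(filter_chain_for "$1" "$2")
    if [ "$(ipp2p_rules_in_chain "$chain")" -gt 0 ]; then
        echo dropped
    else
        echo passed
    fi
}

# Apply the emitted rules for real; only meaningful as root on the gateway.
apply_p2p_filter() {
    p2p_filter_rules | while IFS= read -r rule; do eval "$rule"; done
}
```

With this layout, `ipp2p_verdict yes no` (a connection opened by amuled on the router) and `ipp2p_verdict no yes` (a peer connecting to the router) both report `passed`, while `ipp2p_verdict no no` (a wireless client's traffic being routed) reports `dropped`. If only the wireless segment should be filtered, the FORWARD rule can additionally be restricted with `-i <wireless-interface>` (interface name to be filled in for the actual gateway).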