topic block unwanted traffic to internet via IPTABLES - help in Operating System - Linux

block unwanted traffic to internet via IPTABLES - help

Maaz — Tue, 25 Mar 2008 07:10:23 GMT

eth0(lan_interface) IP: 192.168.0.1
eth1(internet_Interface) IP: 192.168.1.1

this machine is a gateway for the lan, running iptables and squid.

the problem is that 90% of the lan is Windows XP, and we dont have a good Anti-virus installed on all of our windows XP machines.
These Windows XP machines does Broadcast due to viruses and Trojans, and consumes almost 80% of our internet bandwidth.

Is there any iptables rule that can stop these unwanted traffic to internet.

our users are allowed to connect almost every thing e.g msn/yahoo/skype messengers, webcam, outlook(smtp/pop).

I am also attaching the iptables script for the kind consideration of you GURUS.

Regards
Maaz

Re: block unwanted traffic to internet via IPTABLES - help

Maaz — Tue, 25 Mar 2008 07:13:20 GMT

iptables script attached

Re: block unwanted traffic to internet via IPTABLES - help

Alexander Chuzhoy — Tue, 25 Mar 2008 08:54:40 GMT

Basically you should get rid of the viruses/trojans in the first place.Knowing that viruses exist in your network and ignoring it is just wrong.

iptables is not an "application intelligent" firewall so you need to specify the port/IP you wish to block.

Implement strict rules - for example everything is blocked except:
ports 25/110 from all machines
ports 80/443 from squid

all proxy aware applications sould be configured to work via squid.

Re: block unwanted traffic to internet via IPTABLES - help

Maaz — Tue, 25 Mar 2008 09:20:36 GMT

Thanks A lot Alexander for your suggestions.
If you can please edit the attached iptables-script file that just allow smtp/pop/http traffic to internet. And also allow dns queries traffic to this gateway machine(as this machine is cache-only dns server too).

Regards

Re: block unwanted traffic to internet via IPTABLES - help

Steven E. Protter — Tue, 25 Mar 2008 09:34:46 GMT

Shalom Maaz,

There is very little iptables can do concerning virus transmission.

All you should do is modify your script to block as many ports as possible.

You might find an alternative to firewall scripting is firestarter.

Though the product has not been updated in some time, it is very effective with a motif gui at shutting down ports.

http://www.fs-security.com

If you want a distribution of Linux that includes firewall, anti-virus and anti-spam thing about this:

http://www.clarkconnect.com/

SEP

Re: block unwanted traffic to internet via IPTABLES - help

Alan_152 — Tue, 25 Mar 2008 17:24:49 GMT

"These Windows XP machines does Broadcast due to viruses and Trojans, and consumes almost 80% of our internet bandwidth."

This also means you are consuming a fair amount of your internal network resources as well. You'd do well to install virus scanners at the very least on each workstation.

Re: block unwanted traffic to internet via IPTABLES - help

Huc_1 — Wed, 26 Mar 2008 08:45:22 GMT

clamav from http://www.clamav.net on the server could be usefull and somethink like avast from http://www.avast.com/ on the Microsoft client, could probably also be usefull.

Enjoy life.

Jean-Pierre Huc

Re: block unwanted traffic to internet via IPTABLES - help

Maaz — Thu, 27 Mar 2008 10:04:15 GMT

Nice peoples and Nice replies... Thanks EveryOne ;).

Our Directors are ready to buy the Symantec Norton Antivirus license for all M$ machines.

ok Gurus, if I add the following rule on top of all other rules then ?
iptables -A INPUT -d 255.255.255.255 -j DROP

I mean does the above rule will work in my case ?

Re: block unwanted traffic to internet via IPTABLES - help

Johannes Krackowizer — Wed, 16 Apr 2008 21:15:59 GMT

as mentioned before http://www.fs-security.com/ Firestarter is a good simple firewall with graphical frontend you can tell to drop anything exept the rules you set for openening some ports. you will have a log that shows anything that is blocked by the firewall (rightclick them to add them to the firewall rules) so it's easy to open ports for services you need.

OR

try the attached script. it is a good starting point for a self skripted firewall. you will find helpfull howto's at http://www.netfilter.org/documentation/index.html#documentation-howto

copy the attachment to /etc/rc.d/init.d and add it with chkconfig to your system but be aware that this script will block your system because it is configured for my lan and it's only a simplified version so you have to add your rules. there are some small exampels for blocking some ip's from i-net (bad servers trying to harm your system), masquerade lan clients to connect to internet, open ports for local server and dnat rules to forward some special ports to one lan client. it also includes a panic option for shuting down any traffic on the server when you think you got hacked.

but a firewall don't protect you from viruses . and rtfm ;) http://www.netfilter.org/documentation/

Re: block unwanted traffic to internet via IPTABLES - help

Maaz — Fri, 18 Apr 2008 03:43:00 GMT

Thanks