Topic: Block outgoing ports and bypass selective ips

[Gert]

Hi

Can anyone tell me if there is a way to block outgoing ports using

http://wiki.contribs.org/Firewall#Block_outgoing_ports

but to bypass port blocking for a certain IP or IPs?

[mmccarn]

Of course there's a way to bypass port blocking

But not without creating further custom template fragments...

Are you trying to unblock traffic *from* specific LAN IPs, or are you trying to unblock traffic *to* specific WAN destinations?

[Gert]

Thank you for your reply. I am trying to unblock traffic *from* specific internal LAN IPs. In other words: i want specific IPs not to be affected by the outgoing port blocking.

[Stefano]

Thank you for your reply. I am trying to unblock traffic *from* specific internal LAN IPs. In other words: i want specific IPs not to be affected by the outgoing port blocking.

IMVHO you shoul consider to use a firewall in front of your lan and move your SME to server only mode..
SME is a firewall, is a robust one, but if you need many custom rules and granularity you should use a more specific tool (m0n0wall, pfsense, endian, smoothwall, ipcop etc)

[Gert]

Thank you Stefano, but everything is set up and working perfectly, i cant see why i should install another hardware box and change the whole setup just to allow one ip address access the blocked ports.

[Stefano]

because... life sucks?

[Gert]

Thank you Stefano, you are very helpful.

Is there someone that might be able to help me?

[Stefano]

you need to create a custom fragment..

so, first of all you should learn about iptables rules syntax, and their order.. then try to write your custom fragment..

I think you should google a bit to find an example

P.S.

Code: [Select]

yum install irony
will help you

[mmccarn]

If you want to help, we could modify attachment 91adjustPortBlocks in http://bugs.contribs.org/show_bug.cgi?id=2977 to support two new db settings:
IgnoreBlocksFrom
IgnoreBlocksTo

If this appeals to you, lets move this discussion to bug 2977 in the bug tracker. I'll try to figure out how to make it work (and you'll get/have to test it).

Otherwise, in 91adjustPortBlocks you could add a line in the top "accept traffic" section to allow traffic from the desired LAN workstation:

...
$OUT .= " /sbin/iptables --table nat --append $pf_chain \\\n";
    $OUT .= "                --destination \$OUTERNET --jump RETURN\n";
$OUT .= " /sbin/iptables --table nat --append $pf_chain \\\n";
$OUT .=  "                --source 192.168.1.10 --jump RETURN\n";
...


* add the lines in red to /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/91adjustPortBlocks
* replace 192.168.1.10 with the LAN ip of the system you want to allow traffic from.

[warning]
i have not tested the code shown above

In case of problems or errors, re-download 91adjustPortBlocks as described in the wiki.
[/warning]

[Gert]

@mmccarn: Thank you, i will most definately help in any way i can, I will test your code in red and report back. I think it would be great if we could add the two extra db settings and it will benifit a lot of people using port blocking. Lets move this to bug bug 2977 as per your suggestion and do it.

@Stefano: P.S.

Code: [Select]

yum uninstall vilificationwill help you 

[CharlieBrady]

Vilification? You obviously don't know what that means. I'd suggest you look it up.

[Gert]

You obviously dont. Maby you should have looked it up yourself.

vilification - a rude expression intended to offend or hurt.