Networking Forums


Limit Internet access by MAC, by Port

 
 
DevNull
      04-03-2006, 05:45 PM
I am a networking novice, researching which may be easier/better, IPCop
vs iptables to accomplish my goals of limiting Internet access:
1. by MAC address
2. by port request.

#2 means:
user1 only gets Internet email, with no other Internet access.
user2 gets none.
user3 gets email, browsing, FTP, etc.

Can IPCop get this granular?

Thanks in advance.

Robert Harris
      04-03-2006, 08:14 PM
DevNull wrote:
> I am a networking novice, researching which may be easier/better, IPCop
> vs iptables to accomplish my goals of limiting Internet access:
> 1. by MAC address
> 2. by port request.
>
> #2 means:
> user1 only gets Internet email, with no other Internet access.
> user2 gets none.
> user3 gets email, browsing, FTP, etc.
>
> Can IPCop get this granular?
>
> Thanks in advance.


IPCop uses iptables for port filtering.

Robert
buck
      04-04-2006, 07:22 PM
On 3 Apr 2006 10:45:17 -0700, "DevNull" <(E-Mail Removed)> wrote:

>I am a networking novice, researching which may be easier/better, IPCop
>vs iptables to accomplish my goals of limiting Internet access:
> 1. by MAC address
> 2. by port request.
>
>#2 means:
> user1 only gets Internet email, with no other Internet access.
> user2 gets none.
> user3 gets email, browsing, FTP, etc.
>
>Can IPCop get this granular?
>
>Thanks in advance.


Here at work we use an access control list where, by IP (could also be
by MAC if desired but users can alter the MAC), a user is granted
certain ports and "everything" else is denied. You can FTP the
iptables script from here

ftp://yesican.chsoft.biz/pub/lartc/firewall.sh.tar.gz

Look for ACL

And here are the lines from /etc/firewall/ACL for one user:
192.168.1.60;tcp;1024:65535;-m mport --dports;53,80,443 # tape
192.168.1.60;tcp;1024:65535;--dport;1024:65535
192.168.1.60;udp;1024:65535;--dport;1024:65535

As you can see, user "tape" gets to surf. Cannot send or receive
mail, FTP, etc.

BEWARE: File sharing programs use high ports for the entire connection
so this won't stop that. You could alter the ACL entries so that
ESTABLISHED connections are allowed or that NEW connections initiated
on high ports are rejected or dropped.

NOTE also that UDP is not restricted on high ports.

Plain English DISCLAIMER: Use this as a template and test your setup
when you think you have correctly configured everything. If it
breaks, you get to keep the pieces; I refuse to be held responsible.
HTH,
buck

Moe Trin
      04-04-2006, 08:07 PM
On 3 Apr 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed). com>, DevNull wrote:

>I am a networking novice, researching which may be easier/better, IPCop
>vs iptables to accomplish my goals of limiting Internet access:


Both are front ends to the netfilter code in the kernel. iptables is more
versatile.

> 1. by MAC address
> 2. by port request.
>
>#2 means:
> user1 only gets Internet email, with no other Internet access.
> user2 gets none.
> user3 gets email, browsing, FTP, etc.


Firewalls don't know about users. Firewalls operate at networking level,
not application or above. You can restrict access to (example) port 25
from HOST_A, or IP address w.x.y.z or even MAC address in some cases. The
netfilter code does not look inside the TCP/UDP packet to see usernames.
That would be an application level function. See RFC1180.

Old guy
DevNull
      04-05-2006, 01:51 AM
Thanks Buck, and a big God Bless You!

This is exactly the information I have needed to get started. I will
study the shell script, and you are not liable for anything.

I am new to this level of networking, and though I did know that
firewalls don't filter by user, I didn't know that the firewall was
created and shaped by a script using the iptables command, and I really
didn't know where to start, short of wading through the several
tutorials I have downloaded.

And since IPCop and its associated addons are just GUIs to manipulate
the firewall via iptables, I do know shell scripting enough--and can
learn the iptables command syntax--to just use a script like yours to
create the rules that I need.

Someone let me know if I'm missing something--otherwise thanks to all!

buck
      04-05-2006, 05:42 AM
On 4 Apr 2006 18:51:32 -0700, "DevNull" <(E-Mail Removed)> wrote:

>Thanks Buck, and a big God Bless You!
>
>This is exactly the information I have needed to get started. I will
>study the shell script, and you are not liable for anything.
>
>I am new to this level of networking, and though I did know that
>firewalls don't filter by user, I didn't know that the firewall was
>created and shaped by a script using the iptables command, and I really
>didn't know where to start, short of wading through the several
>tutorials I have downloaded.
>
>And since IPCop and its associated addons are just GUIs to manipulate
>the firewall via iptables, I do know shell scripting enough--and can
>learn the iptables command syntax--to just use a script like yours to
>create the rules that I need.
>
>Someone let me know if I'm missing something--otherwise thanks to all!


Thanks for the "thank you". Not many on UseNet bother. I appreciate
it.

Since you are new to iptables, here is one pointer that you must
understand when reading my script. The machine where that script runs
is the default gateway for all the computers in our LAN, so
ip_forwarding and NAT are on. The significance of that is that LAN
users are controlled via the FORWARD chain because the combination of
NAT and forwarding causes the FORWARD chain to be used. Most people
think that INPUT is where to get the job done, but that only applies
to the computer where the script runs, not to the LAN users.
--
buck
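To make the two points above concrete (the per-host ACL format from buck's earlier post, and the rules landing in FORWARD rather than INPUT on a NAT gateway), here is an added example that is not buck's script: a small POSIX sh generator that turns lines in that `ip;proto;sports;match-option;dports # comment` format into FORWARD-chain iptables commands. It only prints the commands; the chain layout (stateful allow first, log-and-drop last) and the `FWD-DENY` log prefix are my assumptions, and the sample ACL lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not buck's firewall.sh): turn /etc/firewall/ACL-style
# lines into iptables rules for the FORWARD chain, the chain LAN hosts
# traverse on a gateway with ip_forward and NAT enabled. Only NEW
# connections are matched per ACL line; one stateful rule lets replies
# on high ports through without re-evaluating them.

# acl_to_rule 'ip;proto;sports;match-option;dports[ # comment]'
# Prints one iptables command, or nothing for blank/comment-only lines.
acl_to_rule() {
    line=${1%%#*}                         # strip trailing "# comment"
    line=${line%"${line##*[! ]}"}         # strip trailing spaces
    [ -z "$line" ] && return 0
    oldifs=$IFS; IFS=';'; set -f
    set -- $line                          # split on ';' only, no globbing
    set +f; IFS=$oldifs
    if [ $# -ne 5 ]; then
        echo "bad ACL line (expected 5 fields): $line" >&2
        return 1
    fi
    printf 'iptables -A FORWARD -s %s -p %s --sport %s %s %s -m state --state NEW -j ACCEPT\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# gen_forward_rules < ACL-file
# Emits the full FORWARD policy: stateful allow, one ACCEPT per ACL line,
# then log-and-drop for everything else ("everything else is denied").
gen_forward_rules() {
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    while IFS= read -r l || [ -n "$l" ]; do
        acl_to_rule "$l" || return 1
    done
    echo 'iptables -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD-DENY "'
    echo 'iptables -A FORWARD -j DROP'
}

# Sample ACL quoted in the thread: host "tape" may resolve names and surf.
sample_acl='192.168.1.60;tcp;1024:65535;-m mport --dports;53,80,443 # tape
192.168.1.60;tcp;1024:65535;--dport;1024:65535
192.168.1.60;udp;1024:65535;--dport;1024:65535'

printf '%s\n' "$sample_acl" | gen_forward_rules
```

The match option is passed through verbatim, so on current kernels where the old `mport` match is gone, write `-m multiport --dports` in the ACL line instead.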
DevNull
      04-06-2006, 02:46 PM

buck wrote:
> On 4 Apr 2006 18:51:32 -0700, "DevNull" wrote:
> Thanks for the "thank you". Not many on UseNet bother. I appreciate
> it.

You're welcome! Part of my joy was that this thread in particular
really helped close the gap in my understanding on some things; I was
feeling the pressure in needing to come up to speed relatively quickly
on a packet filtering solution.

> The significance of that is that LAN
> users are controlled via the FORWARD chain because the combination of
> NAT and forwarding causes the FORWARD chain to be used. Most people
> think that INPUT is where to get the job done, but that only applies
> to the computer where the script runs, not to the LAN users.

I believe I follow what you're saying here, and it will make more
sense in a few weeks as I get into the iptables terminology and syntax.
This machine will actually be behind a Linksys router, whose gateway
address for the LAN is 192.168.1.1.

On another subject, short of running a proxy server can iptables log
which URLs are requested? I came across a thread that, if I understand
it, implies this can be done using:
iptables -P OUTPUT DROP
iptables -N protocol
iptables -A protocol -j LOG --log-level info --log-prefix MYTRAFFIC
iptables -A protocol -j ACCEPT
iptables -A OUTPUT -j protocol

tail -f /var/log/messages | grep MYTRAFFIC

Thanks again.
TK

buck
      04-07-2006, 04:02 AM
On 6 Apr 2006 07:46:00 -0700, "DevNull" <(E-Mail Removed)> wrote:

>On another subject, short of running a proxy server can iptables log
>which URLs are requested? I came across a thread that, if I understand
>it, implies this can be done using:
> iptables -P OUTPUT DROP
> iptables -N protocol
> iptables -A protocol -j LOG --log-level info --log-prefix MYTRAFFIC
> iptables -A protocol -j ACCEPT
> iptables -A OUTPUT -j protocol
>
> tail -f /var/log/messages | grep MYTRAFFIC


That is unnecessarily complex, and it will log a lot of data. It
won't show the URL, only the IP of the site you send requests to. To
the best of my knowledge, if you want the URLs, you have to run a
proxy server. If I wanted to log the IPs my users were accessing:

iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix "MyTraffic "
or
iptables -A OUTPUT -p tcp -m state --state NEW -m mport --dports 80,443 -j LOG --log-prefix "MyWebTraffic "

because matching NEW will limit what gets logged. The "-P OUTPUT
DROP" is not needed. In my case, the FORWARD chain would have to be
specified <grin>.
--
buck
DevNull
      04-07-2006, 02:40 PM
That's more good info to add to my notes.
I am getting a grip on it all, and feel better about moving forward
with a solution.

Many thanks, and Happy Easter (soon)!
TK
