Policy Enforcement on linux

Eric Freeman
      11-11-2004, 07:21 PM
I am trying to enforce the security policy where I can allow only
connections through certain ports listed in a file.

The file will contain a port number on each line, followed by in, out
or both. in indicates that inbound connections should be allowed on
that port, out permits outbound connections, and both will permit
bidirectional connectivity. The default policy should be to block. In
other words, unless a port is explicitly mentioned in the file, it
should deny access to it from both directions. For each port
explicitly mentioned in the policy file, log the allowed/denied
statistics.
I also have to block the list of IP addresses provided in a file.
Where I have to refuse any HTTP access to those sites, no matter what
the above mentioned file says.

I am sure I have to look into tcp_v4_rcv function, and the connect
system call, but was unable to follow it.

I would appreciate any help in this subject.

Thanks,
Eric Freeman
Sundial Services
      11-11-2004, 07:26 PM
Eric Freeman wrote:
> I am trying to enforce the security policy where I can allow only
> connections through certain ports listed in a file.
> The file will contain a port number on each line, followed by in, out
> or both. in indicates that inbound connections should be allowed on
> that port, out permits outbound connections, and both will permit
> bidirectional connectivity. The default policy should be to block. In
> other words, unless a port is explicitly mentioned in the file, it
> should deny access to it from both directions. For each port
> explicitly mentioned in the policy file, log the allowed/denied
> statistics.
> I also have to block the list of IP addresses provided in a file.
> Where I have to refuse any HTTP access to those sites, no matter what
> the above mentioned file says.
>
> I am sure I have to look into tcp_v4_rcv function, and the connect
> system call, but was unable to follow it.
>
> I would appreciate any help in this subject.
Sounds like iptables to me.

Best tool I've seen for that is "shorewall." http://www.shorewall.net

It generates iptables rules, and while it's a bit tricky to set up it's very
well-documented and can handle a lot of configurations. Free of course.

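Following Sundial's suggestion, here is an added example (not code from any post in this thread) that turns the policy file Eric describes into iptables rules: default deny, one LOG plus ACCEPT/DROP pair per listed port and direction, and an HTTP blocklist that takes precedence. The file names, sample contents and log prefixes are assumptions; the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Constructed example: build iptables commands from the policy file described
# in the post ("<port> in|out|both" per line, default deny) plus a file of
# IPv4 addresses that must never be reached over HTTP. Rules are printed,
# not applied, so they can be reviewed before being piped into sh.
# All file names and log prefixes are assumptions, not part of the thread.

WORK=$(mktemp -d)
POLICY="$WORK/ports.policy"   # constructed sample policy file
BLOCKED="$WORK/blocked.ips"   # constructed sample blocklist
printf '22 in\n80 out\n443 both\n' > "$POLICY"
printf '192.0.2.10\n198.51.100.7\n' > "$BLOCKED"

# Print a LOG rule and a verdict rule for one port in one chain.
# Only NEW connections are logged, so every attempt shows up once in the
# kernel log; the packet counters on the verdict rule are the statistics.
port_rule() {  # chain port verdict label
    echo "iptables -A $1 -p tcp --dport $2 -m conntrack --ctstate NEW -j LOG --log-prefix \"$4 port $2: \""
    echo "iptables -A $1 -p tcp --dport $2 -j $3"
}

gen_rules() {  # policy_file blocklist_file
    # Default deny in both directions for anything the policy does not list.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    # Packets belonging to an already accepted connection must pass, or the
    # replies to every allowed connection would be dropped.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The HTTP blocklist goes first so it wins over any later port rule.
    while read -r ip; do
        case "$ip" in ''|\#*) ;; *) echo "iptables -A OUTPUT -p tcp -d $ip --dport 80 -j DROP" ;; esac
    done < "$2"
    # A port listed for one direction is explicitly denied, and logged, in the other.
    while read -r port dir; do
        case "$port" in ''|\#*) continue ;; esac
        case "$dir" in
            in)   port_rule INPUT "$port" ACCEPT allow; port_rule OUTPUT "$port" DROP deny ;;
            out)  port_rule OUTPUT "$port" ACCEPT allow; port_rule INPUT "$port" DROP deny ;;
            both) port_rule INPUT "$port" ACCEPT allow; port_rule OUTPUT "$port" ACCEPT allow ;;
            *)    echo "policy error: port $port has direction '$dir'" >&2; return 1 ;;
        esac
    done < "$1"
}

gen_rules "$POLICY" "$BLOCKED"
```

Pipe the output into `sh` only after reading it; a default-deny policy applied over a remote session locks you out unless the session's port is listed as `in`.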
Bill Unruh
      11-11-2004, 08:40 PM
(E-Mail Removed) (Eric Freeman) writes:

]I am trying to enforce the security policy where I can allow only
]connections through certain ports listed in a file.

]The file will contain a port number on each line, followed by in, out
]or both. in indicates that inbound connections should be allowed on
]that port, out permits outbound connections, and both will permit
]bidirectional connectivity. The default policy should be to block. In

This is called a firewall. Why are you reinventing the wheel?
