How to limit SE clients to just web browsing (ports 53, 80, 443)
Posted: Thu Jan 12, 2023 12:48 pm
How can we limit client users to only have access to web browsing?
I am looking for both:
1. System-wide rule (iptables)
2. SE server rule (Access List)
I came up with this Access List and these iptables rules. Please guide me if any of the settings are incorrect.
filter table:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.11.12.0/24 -p icmp -j DROP
-A INPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p tcp -m multiport --dports 67,68 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p udp -m multiport --dports 67,68 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -s 10.11.12.0/24 -p icmp -j DROP
-A OUTPUT -s 10.11.12.0/24 -p icmp -j DROP
-A OUTPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p tcp -m multiport --dports 67,68 -j ACCEPT
-A OUTPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p udp -m multiport --dports 67,68 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 80 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j DROP
-A OUTPUT -d 100.64.0.0/10 -j DROP
-A OUTPUT -d 169.254.0.0/16 -j DROP
-A OUTPUT -d 192.168.0.0/16 -j DROP
-A OUTPUT -d 172.16.0.0/12 -j DROP
-A OUTPUT -d 10.0.0.0/8 -j DROP
nat table:
*nat
:PREROUTING ACCEPT [224331:13342409]
:INPUT ACCEPT [223127:13116327]
:OUTPUT ACCEPT [590884:40808004]
:POSTROUTING ACCEPT [590742:40765620]
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -m comment --comment se-server -j MASQUERADE
Also, which one is preferred in terms of performance?
Regards
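An added example (not the poster's code and not part of SoftEther) that replays a trimmed copy of the posted filter rules through iptables first-match semantics in Python, to show why a list of ACCEPT rules restricts nothing while the chain policy is ACCEPT: a forwarded SSH connection from a client still passes. HARDENED_RULES is a hypothetical FORWARD chain with a default-deny tail for comparison; it omits the conntrack ESTABLISHED,RELATED rule a real deployment needs for return traffic, and the simulator does not model connection state.

```python
import ipaddress
# Constructed, trimmed copy of the posted filter table: chain policies and rules.
POSTED_POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
POSTED_RULES = [
    "-A INPUT -s 10.11.12.0/24 -p icmp -j DROP",
    "-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 443 -j ACCEPT",
    "-A FORWARD -s 10.11.12.0/24 -p icmp -j DROP",
]
# Hypothetical FORWARD chain for comparison: explicit allows, then a default-deny tail.
HARDENED_RULES = [
    "-A FORWARD -s 10.11.12.0/24 -p tcp -m multiport --dports 53,80,443 -j ACCEPT",
    "-A FORWARD -s 10.11.12.0/24 -p udp -m udp --dport 53 -j ACCEPT",
    "-A FORWARD -s 10.11.12.0/24 -j DROP",
]

def parse_rule(line):
    """Parse the subset of iptables-save syntax used in the post (-A, -s, -d, -p, ports, -j)."""
    tok = line.split()
    rule = {"chain": tok[tok.index("-A") + 1], "target": tok[tok.index("-j") + 1]}
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if flag in tok:
            rule[key] = ipaddress.ip_network(tok[tok.index(flag) + 1])
    if "-p" in tok:
        rule["proto"] = tok[tok.index("-p") + 1]
    for flag, key in (("--dport", "dport"), ("--dports", "dport"), ("--sport", "sport")):
        if flag in tok:  # single port or multiport list, both stored as a set
            rule[key] = {int(p) for p in tok[tok.index(flag) + 1].split(",")}
    return rule

def rule_matches(rule, pkt):
    """Every selector present in the rule must match the packet dict."""
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for key in ("dport", "sport"):
        if key in rule and pkt.get(key) not in rule[key]:
            return False
    return True

def verdict(chain, pkt, rules, policy):
    """iptables semantics: the first matching rule in the chain decides, else the policy."""
    for rule in map(parse_rule, rules):
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return rule["target"]
    return policy[chain]

# Constructed sample packets: a VPN client reaching an internet host through the server.
SSH_OUT = {"src": "10.11.12.5", "dst": "203.0.113.10", "proto": "tcp", "sport": 40000, "dport": 22}
HTTPS_OUT = {"src": "10.11.12.5", "dst": "203.0.113.10", "proto": "tcp", "sport": 40001, "dport": 443}
```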