Iptables No Http
In this sample, iptables_no_http_programs.cfg, we log and drop prohibited HTTP traffic.

    ///////////////////////////////////////////////////////////////////////////////
    //
    // iptables_no_http_programs.cfg
    //
    ///////////////////////////////////////////////////////////////////////////////

    // NO_HTTP -- log and drop blocked http traffic

    =iptables -N NO_HTTP
    =iptables -A NO_HTTP -j LOG --log-prefix "IPT NO_HTTP: " =logopt
    =iptables -A NO_HTTP -j DROP

    ///////////////////////////////////////////////////////////////////////////////
The =logopt macro

    --log-level=3 -m limit --limit 3/minute --limit-burst 3

(defined in the file firewall_macros.cfg) limits how fast such traffic is logged, so a burst of blocked connections cannot flood the system log. Note that the limit applies only to the LOG rule; packets beyond the limit skip the LOG rule and still reach the DROP rule that follows it.
This iptables_no_http_programs.cfg file is #included by the higher-level iptables_programs.cfg file. In that file, we might have code invoking the NO_HTTP chain as follows:
    for ip in =userips; do
        =iptables -A IN_NETWORK -p tcp --syn -d $ip --dport 80 -j NO_HTTP
        =iptables -A IN_NETWORK -p tcp --syn -d $ip --dport 443 -j NO_HTTP
    done

    [...]

    for ip in =userips; do
        =iptables -A OUT_NETWORK -s $ip -m state --state NEW -p tcp --dport 80 -j NO_HTTP
        =iptables -A OUT_NETWORK -s $ip -m state --state NEW -p tcp --dport 443 -j NO_HTTP
    done

=userips is a PIKT macro defined in the file firewall_macros.cfg, for example as

    userips   192.168.3.250   // Dell PC
              192.168.3.251   // HP PC
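The following is an added example, not part of PIKT or its sample files: a plain POSIX shell script showing the iptables commands that the =iptables, =logopt and =userips macros above expand to, for readers who want to check the resulting ruleset without PIKT. It assumes the IN_NETWORK and OUT_NETWORK chains already exist, and it hardcodes the two addresses from the sample =userips macro; the IPT variable and the dry_run function are this example's own additions, not PIKT features.

```shell
#!/bin/sh
# Added example (not PIKT's own code): the expanded iptables commands behind
# the NO_HTTP chain described above.
# Assumptions: IN_NETWORK and OUT_NETWORK chains exist; USERIPS is the sample
# =userips list from the page; IPT may be overridden for a dry run.

IPT="${IPT:-iptables}"                                            # =iptables
LOGOPT="--log-level=3 -m limit --limit 3/minute --limit-burst 3"  # =logopt
USERIPS="192.168.3.250 192.168.3.251"                             # =userips

# Create the NO_HTTP chain: a rate-limited LOG rule followed by an
# unconditional DROP. The limit only throttles logging; packets that exceed
# it fall through to DROP unlogged, so blocking never depends on logging.
make_no_http_chain() {
    $IPT -N NO_HTTP
    $IPT -A NO_HTTP -j LOG --log-prefix "IPT NO_HTTP: " $LOGOPT
    $IPT -A NO_HTTP -j DROP
}

# Send new HTTP (80) and HTTPS (443) connections to or from each user IP
# into NO_HTTP. Inbound matches the SYN of a new connection; outbound uses
# the state match so only connection attempts, not established flows, hit it.
hook_no_http() {
    for ip in $USERIPS; do
        for port in 80 443; do
            $IPT -A IN_NETWORK -p tcp --syn -d "$ip" --dport "$port" -j NO_HTTP
            $IPT -A OUT_NETWORK -s "$ip" -m state --state NEW -p tcp --dport "$port" -j NO_HTTP
        done
    done
}

# Print the commands instead of running them (no root or iptables needed).
dry_run() {
    ( IPT="echo iptables"; make_no_http_chain; hook_no_http )
}

# Usage: "sh no_http.sh" prints the commands; "sh no_http.sh apply" runs them.
if [ "${1:-dry}" = "apply" ]; then
    make_no_http_chain
    hook_no_http
else
    dry_run
fi
```

With two user IPs the dry run emits eleven commands: three for the chain itself and eight jumps into it (two IPs, two ports, inbound and outbound). Running the same script with "apply" requires root and an existing IN_NETWORK/OUT_NETWORK setup.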
For more examples, see Samples.