Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-18-2004, 01:33 AM   #1
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Rep: Reputation: 15
Need help with iptables setup


I am running Fedora Core 2 2.6.5-1.358 and want to use it as a firewall. I have about 35 desktop users and I want to restrict their internet access to only 4 sites. Also, I need to SSH in from one external IP address and restrict SSH from all other internet addresses.
I have eth0 connected to the internet dsl circuit and eth1 connected to the local LAN.
Below is the script I am trying to use. However, it does not allow me to access SSH from the external IP address. SSH works fine from the LAN.
Also, I am able to access 2 of the internet sites but the other 2 do not work (times out).
The server for some reason also cannot access the internet for browsing. However, it can ping the sites.
Is there a better way to block internet access to just 4 sites? Possibly something that works with site names instead of IP addresses?
Also, I know the /24 for my subnet is strange but there is a reason for it.

# Flush and initialize tables
iptables -F
iptables -t nat -F
iptables --delete-chain
iptables -t nat --delete-chain

# If a packet doesn't match one of the built-in chains, drop it
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD ACCEPT

#block outside packets that pretend to be from the firewall server
iptables -A INPUT -p all -s 172.16.1.1 -i eth0 -j DROP

# Loopback interface should accept all traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow ping in and out
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow masquerading (NAT) -- eth0 connects to internet and eth1 to local LAN
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 216.xx.xxx.0/18 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 66.xx.xxx.0/20 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 12.xx.xxx.xx -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 207.xx.xxx.xxx -j MASQUERADE

# Enable forwarding of NAT packets to internet
echo 1 > /proc/sys/net/ipv4/ip_forward

# Prior to masquerading, the packets are routed via the filter table's FORWARD
# chain.
# Allowed outbound: New, established, and related connections
# Allowed inbound: Established and related connections
iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS queries in and out of the firewall Port 53 is DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

# Allow all bi-directional traffic from the firewall to the LAN
iptables -A INPUT -j ACCEPT -p all -s 172.16.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 172.16.1.0/24 -o eth1

# Allow ssh from anywhere to server - Change to specific IP address to restrict
iptables -A INPUT -p tcp -i eth0 -s xx.xxx.xxx.xx -d 172.16.1.125 --dport 22 -j ACCEPT

# Log and drop all other packets to /var/log/messages
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

Any help would be appreciated.
 
Old 10-18-2004, 08:44 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Re: Need help with iptables setup

Quote:
Originally posted by 2buck56

# Allow masquerading (NAT) -- eth0 connects to internet and eth1 to local LAN
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 216.xx.xxx.0/18 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 66.xx.xxx.0/20 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 12.xx.xxx.xx -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -d 207.xx.xxx.xxx -j MASQUERADE
i don't think doing MASQUERADE for certain destinations only is a good idea. do MASQUERADE for all destinations, and BLOCK them in the FORWARD chain.

iptables -A POSTROUTING -t nat -o eth0 -s 172.16.1.0/24 -j MASQUERADE

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 172.16.1.0/24 -d 216.x.x. -j ACCEPT
...
...

i think the best way of blocking web sites is a SQUID proxy. it is easier to configure and also has a cache to improve web performance. u can also install squidguard as a redirect program for squid. squidguard can block most adware, warez, crack, porn etc. sites. i use squid as a transparent proxy and squidguard at the office. they r a very good couple. if u want to go with squid i can explain more about squid.
Quote:
# Allow ssh from anywhere to server - Change to specific IP address to restrict
iptables -A INPUT -p tcp -i eth0 -s xx.xxx.xxx.xx -d 172.16.1.125 --dport 22 -j ACCEPT
so u can add a new rule to accept ssh from the internet. if u don't specify the source address (-s x.x.x.x) it will accept all ssh connections that come to ext_NIC.
iptables -A INPUT -p tcp -i ext_NIC -s xx.xxx.xxx.xx --dport 22 -j ACCEPT

as i see it, your output chain blocks your server from accessing web sites. it just allows dns queries and ping. u can try the following to allow web access:
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT

good luck
 
Old 10-19-2004, 12:29 AM   #3
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Original Poster
Rep: Reputation: 15
I made the changes you suggested. However, that does not work. It allows the desktops to access any site now. And the server still cannot get out to the internet.
I do not want to block sites via a list. There are millions of sites and I want to block them all except for 4. Basically I want the employees to only access the 4 sites that the customer does business with. Other than those 4, they should not have internet access at all.
I was hoping there was a simple way to do this. It would be especially good if I could allow them access to these 4 sites by name instead of IP address.
Thanks.
 
Old 10-19-2004, 01:39 AM   #4
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
don't blame me, i just gave u an example of blocking sites with iptables. if u don't block local requests to the internet in the FORWARD chain, those packets will be sent to the internet. only the local ips that are MASQUERADEd can connect to those sites, because the answers to those packets can return to the local computer. the others are routed without being MASQUERADEd. because of this i said it wasn't a good idea.

if u flush the FORWARD chain to remove all rules in the forward chain and then add the rules that i suggested, it must work. so u can try the following:
Code:
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 172.16.1.0/24 -d 216.x.x. -j ACCEPT
#other allow rules
..
u can use squid to block or allow requests by destination domain name.

good luck.
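The FORWARD allowlist maxut describes, written out as an added example (not code from the thread): masquerade every LAN host, default-DROP FORWARD, then accept NEW connections only to the listed destinations. Interface names and destination networks are assumptions; the thread masks the real addresses, so the four below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: the FORWARD allowlist from post #4.
# Interface names are assumed; ALLOWED_DST holds constructed placeholder
# networks standing in for the four masked sites.
set -e
WAN=eth0
LAN=eth1
LAN_NET=172.16.1.0/24
ALLOWED_DST="216.0.0.0/18 66.0.0.0/20 192.0.2.10 198.51.100.20"

# Run iptables, or only print the command when DRY_RUN=1 (review/testing)
IPT="${IPT:-iptables}"
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

forward_allowlist() {
    run -t nat -F POSTROUTING
    # NAT for every destination; the per-site MASQUERADE lines in post #1
    # leave non-listed traffic routed un-NATed instead of blocked
    run -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    run -F FORWARD
    run -P FORWARD DROP
    # Replies to connections the LAN already opened
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the LAN only to the allowed destinations
    for dst in $ALLOWED_DST; do
        run -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -d "$dst" \
            -m state --state NEW -j ACCEPT
    done
    # Everything else is logged and then falls through to the DROP policy
    run -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}
```

Rule order matters in iptables, so call forward_allowlist after the flush lines at the top of the script and in place of the original FORWARD rules, before the final catch-all LOG/DROP lines.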
 
Old 10-19-2004, 01:19 PM   #5
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Original Poster
Rep: Reputation: 15
maxut, I'm not blaming you for anything. I appreciate your help. I was just telling you the result of the changes I made. I will try these additional entries that you show later today. Do they have to be put at any particular location in the script?
Also, if I use Squid for a proxy server, from what I read, that will work. However, can the user not defeat that by going into his browser Internet Options and unchecking the option to use a proxy server?
Any suggestions you have will be appreciated. Thanks for your input.
 
Old 10-19-2004, 05:46 PM   #6
barisdemiray
Member
 
Registered: Sep 2003
Location: Ankara/Turkey
Distribution: Slackware
Posts: 155

Rep: Reputation: 30
Quote:
Originally posted by 2buck56

...
However, can the user not defeat that by going into his browser Internet Options and unchecking the option to use a proxy server?
Any suggestions you have will be appreciated. Thanks for your input.
Yes, this is true when you define the Squid box as a proxy by supplying its address to the clients one by one. Thus, users can cancel that. So, you should do port forwarding and route all the port 80 requests to your Squid box's 3128 (or whatever) port. This is called a transparent proxy, i.e. users aren't aware of a proxy server. An example rule:

Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
 
Old 10-19-2004, 07:26 PM   #7
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Original Poster
Rep: Reputation: 15
barisdemiray, thanks for the information. I will install Squid and play with it. One other question about the Squid proxy server -- can I have it only forward requests for the sites that I list and reject all others?
 
Old 10-19-2004, 09:29 PM   #8
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Original Poster
Rep: Reputation: 15
barisdemiray, one other question. Can the same Linux server be used as the firewall and proxy server? I would like to be able to use IPTABLES and Squid on the same machine. If this is the case, do I make the PREROUTING DNAT statement point to localhost?
 
Old 10-20-2004, 01:54 AM   #9
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
hey baris brother!! what's up?

2buck56: users don't have to configure their browsers to use squid. but squid will control only http requests in this case. u need REDIRECT instead of SNAT, if u use the proxy and firewall on the same box:
iptables -t nat -A PREROUTING -i eth_local -p tcp --dport 80 -j REDIRECT --to-port 3128
and u must add the following lines in squid.conf:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

an example of how to allow users only certain domains:
acl users1 src 172.0.0.0/24
acl allowed_domains dstdomain "/etc/squid/allowed_domains"
http_access allow users1 allowed_domains
...
http_access deny all

create the file /etc/squid/allowed_domains
and add the domain names in this file like this:
.domain1.com
.domain2.com
...

ps: ".domain.com" means that subdomains are included. if u just want to allow only the domain and not its subdomains, remove the ".".

Last edited by maxut; 10-20-2004 at 01:58 AM.
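The transparent-proxy setup from this post, as an added example (not maxut's or barisdemiray's code): the REDIRECT rule limited to the LAN interface, the allowed_domains file and squid.conf fragment, and a FORWARD rule so LAN hosts cannot skip the proxy. Interface name, proxy port, file path and the domains are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: transparent Squid on the firewall
# box (post #9). Interface, port, paths and domains are assumptions.
set -e
LAN=eth1
LAN_NET=172.16.1.0/24
PROXY_PORT=3128
ALLOWED_DOMAINS="${ALLOWED_DOMAINS:-/etc/squid/allowed_domains}"
# Run iptables, or only print the command when DRY_RUN=1 (review/testing)
IPT="${IPT:-iptables}"
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

# Write the dstdomain list Squid reads; the leading dot also matches
# subdomains, as post #9 explains. Args: the domains to allow.
write_allowed_domains() {
    : > "$ALLOWED_DOMAINS"
    for d in "$@"; do
        printf '.%s\n' "${d#.}" >> "$ALLOWED_DOMAINS"
    done
}

# squid.conf fragment (Squid 2.5 syntax from the post; Squid 3.1+ uses
# "http_port 3128 intercept" instead of the httpd_accel_* lines)
squid_conf_fragment() {
    cat <<EOF
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl users1 src $LAN_NET
acl allowed_domains dstdomain "$ALLOWED_DOMAINS"
http_access allow users1 allowed_domains
http_access deny all
EOF
}

transparent_proxy_rules() {
    # Redirect only LAN-side port 80; without -i the rule would also catch
    # connections arriving on the internet interface
    run -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"
    # The firewall itself must accept the redirected connections
    run -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Squid sees port 80 only (post #9); HTTP that still reaches FORWARD is
    # dropped so the domain allowlist cannot be bypassed by going direct
    run -A FORWARD -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j DROP
}
```

Run write_allowed_domains with the customer's four domains, append the output of squid_conf_fragment to squid.conf, and apply transparent_proxy_rules before the script's catch-all FORWARD DROP line.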
 
Old 10-20-2004, 11:27 AM   #10
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Original Poster
Rep: Reputation: 15

maxut, your last post solved the problem. I am able to restrict all sites except the ones in the list I created. This is exactly what I was wanting to do!
The only thing not working now is SSH access from outside of the LAN. I have tried everything but so far no luck. I will keep working on that one. The critical one was the website controls.
Thanks very much for your help. You saved me many hours of work!

barisdemiray, thanks for your help also.
 
Old 10-20-2004, 12:11 PM   #11
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
np. enjoy linux. i think the following command will open the ssh port for all interfaces:
Code:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
but be careful, i see lots of attacks on the ssh port in my logs nowadays. at least don't allow login as root via sshd. login as a normal user and when u need root rights, become root with the "su" or "su -" command. also choose a very complex root password that includes ascii chars to improve security.

by the way i recommend u use squidguard (or dansguardian etc.) with squid. so u will be able to block most adware, porn, warez etc. domains or URLs.
www.squidguard.org
redhat fedora rpms:
http://dag.wieers.com/packages/squidguard/
http://dag.wieers.com/packages/squidguard-blacklists/

good luck.

Last edited by maxut; 10-20-2004 at 12:14 PM.
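Opening port 22 on every interface goes further than post #1 asks for (SSH from a single external address only). This added example, not maxut's code, keeps that restriction and adds the connection-tracking rules the original script lacks; the interface name and the admin address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: SSH from one external address.
# WAN and ADMIN_IP are assumptions (ADMIN_IP is a constructed placeholder).
set -e
WAN=eth0
ADMIN_IP="${ADMIN_IP:-203.0.113.5}"

# Run iptables, or only print the command when DRY_RUN=1 (review/testing)
IPT="${IPT:-iptables}"
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

ssh_rules() {
    # Accept replies for already-accepted connections in both directions.
    # The original script's OUTPUT policy DROP has no such rule, so the
    # server's own SSH (and HTTP) reply packets never leave eth0.
    run -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -I OUTPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Match on interface and source only: the original "-d 172.16.1.125"
    # cannot match on eth0, which carries the public DSL address
    run -A INPUT -i "$WAN" -p tcp -s "$ADMIN_IP" --dport 22 \
        -m state --state NEW -j ACCEPT
    # Every other source hitting port 22 is logged with a searchable prefix
    # and dropped, matching the attack volume maxut mentions
    run -A INPUT -i "$WAN" -p tcp --dport 22 -j LOG --log-prefix "SSH-DENY: "
    run -A INPUT -i "$WAN" -p tcp --dport 22 -j DROP
}
```

The -A rules must sit before the script's final "iptables -A INPUT -j LOG/DROP" lines, and PermitRootLogin no in sshd_config covers the root-login advice above.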
 