Whitelist in iptables how to ?

Discussion in 'Tomato Firmware' started by yaqui, May 15, 2007.

  1. yaqui

    yaqui LI Guru Member

    After looking all over and through numerous iptables examples... I cannot find any good tutorials or examples on how one would set up whitelisting with iptables.

    Does anyone know how or is someone currently doing this??

  2. yaqui

    yaqui LI Guru Member


    nobody knows....... ?
  3. GeeTek

    GeeTek Guest

    I think you can do it with access restrictions. Establish "Permit" rules for your white list, and finish with a "Block Everything" rule.
  4. yaqui

    yaqui LI Guru Member

    There is nothing under access restrictions to "allow" sites or permit.... I see only blocking.

    That's why I am wondering what is the iptables way of doing it.
  5. GeeTek

    GeeTek Guest

    So it does seem. Oh well, scratch that idea. iptables can prolly do it if you can find somebody to tell you about it. If I knew how, I would tell you.
  6. affer

    affer LI Guru Member

    Hmmm. If you want to be creative, you should be able to achieve something similar to a whitelist by abusing the QoS rules. Check strict rule ordering & then define the specific destination IPs that you want whitelisted into a high QoS class. Then make a wildcard rule (any address/any protocol) at the bottom of the list & direct it to the lowest possible QoS class. I'd try defining Class E with no bandwidth. If that doesn't work, then choose 1%. Any IP that wasn't "whitelisted" would effectively get no bandwidth. You could also use your OS hosts file as a second layer whitelist. If you disable DNS lookup, then any host not explicitly listed in the hosts file would fail. Entering a numeric IP would still work, but then run afoul of the QoS rules. I haven't tested this QoS rules approach, but it should work pretty well in return for almost zero effort.

    If you want a true whitelist & are eschewing third-party software, it can certainly be done with iptables. Below is an idea of how it could be done as a firewall script in Fedora. I'm a lot less familiar with Tomato, so you'll probably have to modify the script for syntax & available libraries.

    #!/bin/sh
    #quick iptables based whitelist
    #designate whitelist ips, ports; iptables location
    IPTABLES=/sbin/iptables            # typical location on Fedora
    WHITELIST=/etc/whitelist.txt       # placeholder path: one source IP per line, lines starting with # are ignored
    ALLOWED="80 443"
    #delete existing rules
    $IPTABLES -F INPUT
    #enable localhost
    $IPTABLES -A INPUT -t filter -s 127.0.0.1 -j ACCEPT
    #parse whitelist
    for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
       $IPTABLES -A INPUT -t filter -s $x -j ACCEPT
    done
    #parse tcp port list (these ports are open to everyone, not just the whitelist)
    for port in $ALLOWED; do
       $IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
    done
    #enforce whitelist
    #note: with no ESTABLISHED/RELATED rule this also drops incoming UDP replies (e.g. DNS answers)
    $IPTABLES -A INPUT -p udp -j DROP
    $IPTABLES -A INPUT -p tcp --syn -j DROP
  7. yaqui

    yaqui LI Guru Member

    I'm assuming that WHITELIST=/path will be pointing to a text file containing a list of IPs?

    Problem is, you would have to somehow store that file on the router?

    Would there be any way to just list ip's in the script and have the script just use them?
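The following is an added example, not affer's script and not part of Tomato itself, showing the router-side variant the thread is circling around: a destination whitelist with the IPs listed inline in the script (no separate file on the router), applied in the FORWARD chain so it governs LAN clients going out rather than connections into the box. Assumptions: the LAN bridge is br0 (override with LAN_IF), the chain name wl_out is arbitrary, and the three addresses are constructed documentation-range samples. By default the script only prints the iptables commands (a dry run); set IPTABLES to the real binary to apply them.

```sh
#!/bin/sh
# Added example (not the forum poster's code): inline destination whitelist for a
# Tomato-style router. Dry run by default; set IPTABLES=/usr/sbin/iptables (or the
# router's actual path) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IF="${LAN_IF:-br0}"      # assumed Tomato LAN bridge name
CHAIN="wl_out"               # our own chain, hooked from FORWARD

# Constructed sample whitelist: destinations LAN clients may reach (IPs or CIDRs, space separated).
WHITELIST="192.0.2.10 198.51.100.0/24 203.0.113.7"

# Run (or, in dry-run mode, print) one iptables command.
ipt() {
    $IPTABLES "$@"
}

# (Re)build the whitelist chain and hook it in front of the existing FORWARD rules.
# Order matters: replies to already-accepted flows first, then the allowed
# destinations, then a catch-all REJECT so clients fail fast instead of timing out.
apply_whitelist() {
    ipt -N "$CHAIN" 2>/dev/null          # ignore "chain already exists"
    ipt -F "$CHAIN"                      # start from an empty chain each run
    ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for dst in $WHITELIST; do
        ipt -A "$CHAIN" -d "$dst" -j ACCEPT
    done
    ipt -A "$CHAIN" -j REJECT --reject-with icmp-admin-prohibited
    # Remove a stale hook from a previous run, then insert ours at the top of FORWARD.
    ipt -D FORWARD -i "$LAN_IF" -j "$CHAIN" 2>/dev/null
    ipt -I FORWARD 1 -i "$LAN_IF" -j "$CHAIN"
}

apply_whitelist
```

Because clients on a Tomato router normally resolve names through the router's own dnsmasq, DNS is handled in INPUT and is not affected by this FORWARD chain; a client configured to use an external DNS server directly would be blocked unless that server's IP is on the list. Re-running the script rebuilds the chain from scratch, so editing the WHITELIST line and running it again is the whole update procedure.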