* Re: how to filter applications with iptables
From: Cedric Blancher @ 2003-06-26  7:19 UTC (permalink / raw)
  To: Liber Chrétien; +Cc: netfilter@lists.netfilter.org

On Thu 26/06/2003 at 10:03, Liber Chrétien wrote:
> I've a LAN at home with mdk as server and win and mdk on the clients
> My question is : is there a way to block certain applications, such as specific 
> software (an office suite, for example), from accessing the internet with iptables?
>  How to identify the packets emitted from such applications and block them ?

If you've planned to do this remotely, I mean on a dedicated firewall,
such as your network gateway, you can't, as Netfilter is a packet
filter. Thus, you can say "allow TCP/80 as destination", but cannot force
HTTP usage through this port. To filter application protocols, you'll
have to use an application proxy (e.g. HTTP proxy). Even so,
distinguishing IE on Win, Word on Win or Mozilla on Win or Linux will be
difficult if they all use HTTP. You can only rely on related HTTP fields
that can be changed/forged.

If you've planned to do this locally, I mean using Netfilter on the
GNU/Linux clients, then you can use the owner match, which provides a command
line match (-m owner --owner-cmd $CMD). Although it is not as strict as
expected (you can use a well-named symlink to gain access through an
authorized command), it allows some kind of valuable "personal firewall
like" filtering.

For Win clients, use a personal firewall, such as Kerio or Outpost. But
this part is off-topic ;)

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
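
Added example (not part of the thread, and not Cedric's code): the local, per-client approach from the reply above, written for the owner match as it exists today. The --cmd-owner form was later removed from the kernel; --uid-owner and --gid-owner remain, and because they key on the credentials of the process that owns the socket rather than on the executable's name, the symlink trick mentioned above does not get past them. The user name "officejail", the chain name APPJAIL and the local proxy on 127.0.0.1:3128 are assumptions made for the example.

```shell
#!/bin/sh
# Per-application egress control on a GNU/Linux client with the iptables
# owner match. Added example, not code from the original thread.
#
# The --cmd-owner form of the match (the one the reply above relies on)
# was later removed from the kernel; what remains is --uid-owner and
# --gid-owner. Those key on the credentials of the socket's process, not
# on the executable name, so a renamed binary or a well-named symlink
# does not get through.
#
# Hypothetical assumptions: a dedicated unprivileged user "officejail"
# that the confined program is started as, and a local HTTP proxy on
# 127.0.0.1:3128 as the only egress that program may use (the proxy can
# do the application-layer filtering that a packet filter cannot).

JAIL_USER="${JAIL_USER:-officejail}"
CHAIN="APPJAIL"

# Emit one iptables command per line so the rule set can be reviewed
# before it is applied. The owner match works only in the OUTPUT chain,
# on packets created on this host: a gateway has no process to look at,
# which is why this cannot be done remotely.
jail_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j %s\n' "$JAIL_USER" "$CHAIN"
    # Allowed for the jailed uid: DNS, and the local proxy.
    printf 'iptables -A %s -p udp --dport 53 -j ACCEPT\n' "$CHAIN"
    printf 'iptables -A %s -o lo -p tcp -d 127.0.0.1 --dport 3128 -j ACCEPT\n' "$CHAIN"
    # Everything else from that uid is logged (rate-limited) and dropped.
    printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "appjail: "\n' "$CHAIN"
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
}

# Start a program as the jailed user so that every socket it opens carries
# that uid; the rules above then apply whatever the binary is called.
run_jailed() {
    sudo -u "$JAIL_USER" -- "$@"
}

case "${1:-}" in
    --apply) jail_rules | sh ;;        # as root on the client
    --run)   shift; run_jailed "$@" ;; # e.g. ./appjail.sh --run soffice
    *)       jail_rules ;;             # dry run: just print the rules
esac
```

Run it without arguments to see the rules, with --apply (as root) to load them, and with --run to start the application under the jailed uid. The proxy rule is where application-level decisions belong: the packet filter decides which uid may talk to whom, the proxy decides what it may say.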

* Re: how to filter applications with iptables
From: Ray Leach @ 2003-06-26  7:21 UTC (permalink / raw)
  To: Netfilter Mailing List

There are various ways to 'block' packets from unwanted apps. Some use
netfilter, some don't.

You can block mime types using a squid proxy.
You can block arbitrary strings in packets using the string match
support in the P-O-M for netfilter, e.g. -m string --string 'KAZAA'.
Most applications use specific ports and protocols, so you could find a
combination of those and block the app that way, e.g. MSN messenger uses
TCP port 1863.
Some apps need to contact a central server, so blocking that server will
effectively disable the app, e.g. Yahoo messenger. 

Regards

Ray

On Thu, 2003-06-26 at 10:03, Liber Chrétien wrote:
> Hello,
> I've been looking for some information but couldn't find any, so here it goes, I'm asking 
> the list : (excuse my technical english if I'm not clear enough)
> 
> I've a LAN at home with mdk as server and win and mdk on the clients
> 
> My question is : is there a way to block certain applications, such as specific 
> software (an office suite, for example), from accessing the internet with iptables?
>  How to identify the packets emitted from such applications and block them ?
> 
> Thanks 
> 
> Bruno
> 
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--
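
Added example (not part of the thread, and not Ray's code): the three gateway-side techniques from the reply above as a FORWARD-chain rule set. The LAN interface eth1, the chain name APPBLOCK and the address 192.0.2.10 standing in for a chat service's central server are assumptions made for the example; the string match is written with --algo, which current kernels require and the older patch-o-matic syntax in the reply does not show.

```shell
#!/bin/sh
# Gateway-side application blocking in the FORWARD chain. Added example,
# not code from the original thread. It turns the three approaches from
# the reply above into rules: block by port (MSN Messenger's TCP 1863),
# block the application's central server by address, and match a string
# in the payload.
#
# Hypothetical assumptions: the LAN side of the gateway is interface eth1,
# and 192.0.2.10 (a documentation address, constructed here) stands in for
# the chat service's central server.
#
# Caveats: a port rule stops only applications that keep their well-known
# port; a server rule lasts until the service changes address; the string
# match is case-sensitive, looks at one packet at a time and sees nothing
# once the protocol is encrypted. It also needs --algo on current kernels.

LAN_IF="${LAN_IF:-eth1}"
CENTRAL_SERVER="${CENTRAL_SERVER:-192.0.2.10}"
CHAIN="APPBLOCK"

# Each blocked pattern gets a rate-limited LOG rule followed by a DROP, so
# the gateway's log shows which application was stopped.
block() {
    printf 'iptables -A %s %s -m limit --limit 5/min -j LOG --log-prefix "appblock: "\n' "$CHAIN" "$*"
    printf 'iptables -A %s %s -j DROP\n' "$CHAIN" "$*"
}

# Emit one iptables command per line; review them, then pipe to sh as root.
gateway_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    # Only traffic that enters from the LAN is examined.
    printf 'iptables -A FORWARD -i %s -j %s\n' "$LAN_IF" "$CHAIN"
    # 1. By port.
    block -p tcp --dport 1863
    # 2. By destination server: the client cannot log in without it.
    block -d "$CENTRAL_SERVER"
    # 3. By payload string; scoped to TCP so it does not touch DNS or ICMP.
    block -p tcp -m string --algo bm --string KAZAA
    # Anything unmatched goes back to FORWARD for the normal policy.
    printf 'iptables -A %s -j RETURN\n' "$CHAIN"
}

case "${1:-}" in
    --apply) gateway_rules | sh ;;   # as root on the gateway
    *)       gateway_rules ;;        # dry run: just print the rules
esac
```

Without arguments the script only prints the rules; --apply loads them. Keeping the three matches in their own chain makes it easy to flush and rebuild when an application moves port or the central server changes address, which is the usual way these rules stop working.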


* Re: how to filter applications with iptables
From: Joel Newkirk @ 2003-06-26  7:25 UTC (permalink / raw)
  To: Liber Chrétien; +Cc: netfilter@lists.netfilter.org

On Thu, 2003-06-26 at 04:03, Liber Chrétien wrote:
> Hello,
> I've been looking for some information but couldn't find any, so here it goes, I'm asking 
> the list : (excuse my technical english if I'm not clear enough)
> 
> I've a LAN at home with mdk as server and win and mdk on the clients
> 
> My question is : is there a way to block certain applications, such as specific 
> software (an office suite, for example), from accessing the internet with iptables?
>  How to identify the packets emitted from such applications and block them ?
> 
> Thanks 
> 
> Bruno

The only way to accomplish this is blocking by IP and ports.  If there
is a certain type of connection you want to block you can perhaps
accomplish it by port.

If you want to run an iptables firewall and explicitly filter out
traffic from a certain windows application that communicates on
'standard' ports that you otherwise want open, you're out of luck.  That
would be better handled on the Win box itself with something like
ZoneAlarm that lets you grant/deny connection privileges per
application.

j


* how to filter applications with iptables
From: Liber Chrétien @ 2003-06-26  8:03 UTC (permalink / raw)
  To: netfilter, netfilter

Hello,
I've been looking for some information but couldn't find any, so here it goes, I'm asking 
the list : (excuse my technical english if I'm not clear enough)

I've a LAN at home with mdk as server and win and mdk on the clients

My question is : is there a way to block certain applications, such as specific 
software (an office suite, for example), from accessing the internet with iptables?
 How to identify the packets emitted from such applications and block them ?

Thanks 

Bruno
