* How is Kazaa getting out without a rule?
@ 2003-03-07 23:30 Tasha Smith
2003-03-08 11:40 ` hare ram
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Tasha Smith @ 2003-03-07 23:30 UTC (permalink / raw)
To: netfilter
Hiiii,
I was wandering if somone can help explain this to me, Below is my firewall script,
eth1 is my LAN interface and eth0 is Internet in the on the FIREWALL/ROUTER machine.
But from my LAN windows machines could not connect MSN messanger until i created a
forward rule for port 1863. BUT kazaa from my LAN CAN connect to the outside world
without creating rule. How is this possible? and does that mean if i have a trojan
on one of my windows machine it can get out and make a connection to somewhere on
the NET tooo? Thanks guys for the help!
########################################################
# This will also update my ipaddress.
IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\ -f1`
# Remove any existing rules from all chains.
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Unlimited access on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set the default policy to drop.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT
iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT
# Allow stateful connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Access for DNS UDP for my ISP DNS server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 208.53.4.130 --dport 53 \
-m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 208.53.4.130 --dport 53 -j ACCEPT
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 208.53.4.150 --dport 53 \
-m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 208.53.4.150 --dport 53 -j ACCEPT
# Allow access for my ISP DHCP server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_NET --sport 1024:65535 \
-d 208.53.4.129 --dport 67 \
-m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o eth0 -p udp \
-s $IP_INET --sport 1024:65535 \
-d 208.53.4.129 --dport 67 -j ACCEPT
# Allow access to remote webservers PORT 80.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p tcp \
-s $IP_INET --sport 1024:65535 \
--dport 80 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o eth0 -p tcp \
-s $IP_INET --sport 1024:65535 \
--dport 80 -j ACCEPT
# Attempt to connect to HHTPS connections.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p tcp \
-m state --state NEW --dport 443 \
--sport 1024:65535 \
-j ACCEPT
fi
iptables -A OUTPUT -o eth0 -p tcp \
-s $IP_INET --sport 1024:65535 \
--dport 443 -j ACCEPT
# Fragmented ICMP Messages.
iptables -A INPUT -i eth0 --fragment -p icmp -j LOG \
--log-prefix "Fragmented ICMP: "
iptables -A INPUT -i eth0 --fragment -p icmp -j DROP \
# Source Quench Control
iptables -A INPUT -i eth0 -p icmp \
--icmp-type source-quench -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type source-quench -j ACCEPT
# Parameter Problem Status.
iptables -A INPUT -i eth0 -p icmp \
--icmp-type parameter-problem -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type parameter-problem -j ACCEPT
# Destination Unreachable Error.
iptables -A INPUT -i eth0 -p icmp \
--icmp-type destination-unreachable -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type destination-unreachable -j DROP
# Time Exceeded Status
iptables -A INPUT -i eth0 -p icmp \
--icmp-type time-exceeded -d $IP_INET -j ACCEPT
# Allow Outgoing pings to remote hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type echo-request \
-m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type echo-request -j ACCEPT
# Incoming ping from Remote Hosts.
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -i eth0 -p icmp \
-s 208.53.1.231 --icmp-type echo-request -d $IP_INET \
-m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i eth0 -p icmp \
-s 208.53.1.231 --icmp-type echo-request -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
-s $IP_INET --icmp-type echo-reply -d 209.53.1.231 -j ACCEPT
# Fowarding is allowed in the direction
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 25,80,110,443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863 -j ACCEPT
# Enables Packet Forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: How is Kazaa getting out without a rule?
2003-03-07 23:30 How is Kazaa getting out without a rule? Tasha Smith
@ 2003-03-08 11:40 ` hare ram
2003-03-08 12:26 ` Arnt Karlsen
2003-03-08 19:08 ` How is Kazaa getting out without a rule? i.t
2 siblings, 0 replies; 5+ messages in thread
From: hare ram @ 2003-03-08 11:40 UTC (permalink / raw)
To: Tasha Smith, netfilter
Hi
AFAIK
Kazaa 2 runs on different ports all together
its depend on customer setup p2p based
when you allow ports from 1024:.. to 65xxx
then default kazaa user 1214..
you want to block kazaa
you can --string based route to stop kazaa
hare
----- Original Message -----
From: "Tasha Smith" <tashamaillist@yahoo.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, March 08, 2003 5:00 AM
Subject: How is Kazaa getting out without a rule?
> Hiiii,
> I was wandering if somone can help explain this to me, Below is my
firewall script,
> eth1 is my LAN interface and eth0 is Internet in the on the
FIREWALL/ROUTER machine.
> But from my LAN windows machines could not connect MSN messanger until i
created a
> forward rule for port 1863. BUT kazaa from my LAN CAN connect to the
outside world
> without creating rule. How is this possible? and does that mean if i have
a trojan
> on one of my windows machine it can get out and make a connection to
somewhere on
> the NET tooo? Thanks guys for the help!
>
> ########################################################
> # This will also update my ipaddress.
> IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\ -f1`
>
> # Remove any existing rules from all chains.
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
>
> # Unlimited access on the loopback interface.
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Set the default policy to drop.
> iptables --policy INPUT DROP
> iptables --policy FORWARD DROP
> iptables --policy OUTPUT ACCEPT
>
> iptables -t nat --policy PREROUTING ACCEPT
> iptables -t nat --policy OUTPUT ACCEPT
> iptables -t nat --policy POSTROUTING ACCEPT
>
> iptables -t mangle --policy PREROUTING ACCEPT
> iptables -t mangle --policy OUTPUT ACCEPT
>
> # Allow stateful connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow Access for DNS UDP for my ISP DNS server.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.130 --dport 53 \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.130 --dport 53 -j ACCEPT
>
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.150 --dport 53 \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.150 --dport 53 -j ACCEPT
>
> # Allow access for my ISP DHCP server.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_NET --sport 1024:65535 \
> -d 208.53.4.129 --dport 67 \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.129 --dport 67 -j ACCEPT
>
>
> # Allow access to remote webservers PORT 80.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p tcp \
> -s $IP_INET --sport 1024:65535 \
> --dport 80 -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p tcp \
> -s $IP_INET --sport 1024:65535 \
> --dport 80 -j ACCEPT
>
>
> # Attempt to connect to HHTPS connections.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p tcp \
> -m state --state NEW --dport 443 \
> --sport 1024:65535 \
> -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p tcp \
> -s $IP_INET --sport 1024:65535 \
> --dport 443 -j ACCEPT
>
>
> # Fragmented ICMP Messages.
> iptables -A INPUT -i eth0 --fragment -p icmp -j LOG \
> --log-prefix "Fragmented ICMP: "
> iptables -A INPUT -i eth0 --fragment -p icmp -j DROP \
>
> # Source Quench Control
> iptables -A INPUT -i eth0 -p icmp \
> --icmp-type source-quench -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type source-quench -j ACCEPT
>
> # Parameter Problem Status.
> iptables -A INPUT -i eth0 -p icmp \
> --icmp-type parameter-problem -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type parameter-problem -j ACCEPT
>
> # Destination Unreachable Error.
> iptables -A INPUT -i eth0 -p icmp \
> --icmp-type destination-unreachable -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type fragmentation-needed -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type destination-unreachable -j DROP
>
> # Time Exceeded Status
> iptables -A INPUT -i eth0 -p icmp \
> --icmp-type time-exceeded -d $IP_INET -j ACCEPT
>
> # Allow Outgoing pings to remote hosts
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type echo-request \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type echo-request -j ACCEPT
>
> # Incoming ping from Remote Hosts.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A INPUT -i eth0 -p icmp \
> -s 208.53.1.231 --icmp-type echo-request -d $IP_INET \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A INPUT -i eth0 -p icmp \
> -s 208.53.1.231 --icmp-type echo-request -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type echo-reply -d 209.53.1.231 -j ACCEPT
>
> # Fowarding is allowed in the direction
> iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 25,80,110,443 -j
ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863 -j ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863 -j ACCEPT
>
> # Enables Packet Forwarding
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: How is Kazaa getting out without a rule?
2003-03-07 23:30 How is Kazaa getting out without a rule? Tasha Smith
2003-03-08 11:40 ` hare ram
@ 2003-03-08 12:26 ` Arnt Karlsen
2003-03-09 3:02 ` IPTABLES SO ESTRANGE Franco Antonio Catena
2003-03-08 19:08 ` How is Kazaa getting out without a rule? i.t
2 siblings, 1 reply; 5+ messages in thread
From: Arnt Karlsen @ 2003-03-08 12:26 UTC (permalink / raw)
To: netfilter
On Fri, 7 Mar 2003 15:30:27 -0800 (PST),
Tasha Smith <tashamaillist@yahoo.com> wrote in message
<20030307233027.80633.qmail@web80410.mail.yahoo.com>:
> Hiiii,
> I was wandering if somone can help explain this to me, Below is my
> firewall script, eth1 is my LAN interface and eth0 is Internet in the
> on the FIREWALL/ROUTER machine. But from my LAN windows machines
> could not connect MSN messanger until i created a forward rule for
> port 1863. BUT kazaa from my LAN CAN connect to the outside world
> without creating rule. How is this possible? and does that mean if i
> have a trojan on one of my windows machine it can get out and make a
> connection to somewhere on the NET tooo? Thanks guys for the help!
..for ideas, try grep kaaza from a tcpdump run, I'd guess it uses
high ports. These high ports _are_ open, until _you_ close them.
..check your box to see what apps etc you have running, shut down
and remove those you don't need/want, close ports on whatever you
need/want running for internal but not external users, X, webmin,
dhcp, tftp etc, ymmv.
> ########################################################
> # This will also update my ipaddress.
> IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\ -f1`
>
> # Remove any existing rules from all chains.
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
>
> # Unlimited access on the loopback interface.
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Set the default policy to drop.
> iptables --policy INPUT DROP
> iptables --policy FORWARD DROP
> iptables --policy OUTPUT ACCEPT
>
> iptables -t nat --policy PREROUTING ACCEPT
> iptables -t nat --policy OUTPUT ACCEPT
> iptables -t nat --policy POSTROUTING ACCEPT
>
> iptables -t mangle --policy PREROUTING ACCEPT
> iptables -t mangle --policy OUTPUT ACCEPT
>
> # Allow stateful connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
..why this stateful OUTPUT ?
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow Access for DNS UDP for my ISP DNS server.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.130 --dport 53 \
..here, many prefer calling their hosts etc "A.B.C.130" when asking
online, some feel safer that way etc, ymmv.
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.130 --dport 53 -j ACCEPT
>
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.150 --dport 53 \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.150 --dport 53 -j ACCEPT
>
> # Allow access for my ISP DHCP server.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_NET --sport 1024:65535 \
> -d 208.53.4.129 --dport 67 \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.129 --dport 67 -j ACCEPT
>
>
> # Allow access to remote webservers PORT 80.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p tcp \
> -s $IP_INET --sport 1024:65535 \
> --dport 80 -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p tcp \
> -s $IP_INET --sport 1024:65535 \
> --dport 80 -j ACCEPT
>
>
> # Attempt to connect to HHTPS connections.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p tcp \
> -m state --state NEW --dport 443 \
> --sport 1024:65535 \
> -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p tcp \
> -s $IP_INET --sport 1024:65535 \
> --dport 443 -j ACCEPT
>
>
> # Fragmented ICMP Messages.
> iptables -A INPUT -i eth0 --fragment -p icmp -j LOG \
> --log-prefix "Fragmented ICMP: "
> iptables -A INPUT -i eth0 --fragment -p icmp -j DROP \
>
> # Source Quench Control
> iptables -A INPUT -i eth0 -p icmp \
> --icmp-type source-quench -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type source-quench -j ACCEPT
>
> # Parameter Problem Status.
> iptables -A INPUT -i eth0 -p icmp \
> --icmp-type parameter-problem -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type parameter-problem -j ACCEPT
>
> # Destination Unreachable Error.
> iptables -A INPUT -i eth0 -p icmp \
> --icmp-type destination-unreachable -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type fragmentation-needed -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type destination-unreachable -j DROP
>
> # Time Exceeded Status
> iptables -A INPUT -i eth0 -p icmp \
> --icmp-type time-exceeded -d $IP_INET -j ACCEPT
>
> # Allow Outgoing pings to remote hosts
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type echo-request \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type echo-request -j ACCEPT
>
> # Incoming ping from Remote Hosts.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A INPUT -i eth0 -p icmp \
> -s 208.53.1.231 --icmp-type echo-request -d $IP_INET \
> -m state --state NEW -j ACCEPT
> fi
>
> iptables -A INPUT -i eth0 -p icmp \
> -s 208.53.1.231 --icmp-type echo-request -d $IP_INET -j
> ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
> -s $IP_INET --icmp-type echo-reply -d 209.53.1.231 -j ACCEPT
>
> # Fowarding is allowed in the direction
..which direction, outbound?
> iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 25,80,110,443
> -j ACCEPT iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863
> -j ACCEPT iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863
> -j ACCEPT
>
> # Enables Packet Forwarding
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
..I don't see any problems with your script except where noted.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: How is Kazaa getting out without a rule?
2003-03-07 23:30 How is Kazaa getting out without a rule? Tasha Smith
2003-03-08 11:40 ` hare ram
2003-03-08 12:26 ` Arnt Karlsen
@ 2003-03-08 19:08 ` i.t
2 siblings, 0 replies; 5+ messages in thread
From: i.t @ 2003-03-08 19:08 UTC (permalink / raw)
To: Tasha Smith, netfilter
msg Samstag 08 März 2003 00:30 by Tasha Smith:
> without creating rule. How is this possible? and does that mean if i have a
if ip_forwarding is set to 1
kazaa comes out if not further restricted on a very lot of ports (starting
with 1214 and so on...)
Regards
--
. ___
| | Irmund Thum
| |
^ permalink raw reply [flat|nested] 5+ messages in thread
* IPTABLES SO ESTRANGE
2003-03-08 12:26 ` Arnt Karlsen
@ 2003-03-09 3:02 ` Franco Antonio Catena
0 siblings, 0 replies; 5+ messages in thread
From: Franco Antonio Catena @ 2003-03-09 3:02 UTC (permalink / raw)
To: 'Arnt Karlsen', netfilter
Hi,
I have a linux box with 2 netcardas eth0 External and eth1 intternal. I
want that apache runs in port 81 instead of 80 becouse I have a nat
forwarding to IIS. The problem is that the script dont work. Im not able
to telnet from internal address to port 81. The Apache was started but I
dont know why I cant telnet 192.168.1.1 81?
for i in `ls /lib/modules/2.4.18-2cl/kernel/net/ipv4/netfilter/ip*|cut
-f \ 3 -d "."|cut -f 6 -d "/"|grep -v ipchains`;do modprobe $i;done
#modprobe ip_tables
#insmod ip_conntrack
#insmod ip_conntrack_ftp
#modprobe ipt_LOG
#modprobe ipt_multi[Bport
#modprobe ipt_REJECT
#modprobe ipt_MASQUERADE
iptables -F
# Politicas default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i eth0 --fragment -p icmp -j LOG --log-prefix
"Fragmented ICMP: " iptables -A INPUT -i eth0 --fragment -p icmp -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j LOG --log-prefix "USO
DO SQUID "
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 81 -j LOG
--log-prefix "WEB INTERNA " iptables -A INPUT -i eth0 -m multiport -p
tcp --dport 21,22,25,53,80,81,110,500,3128 -j ACCEPT iptables -A INPUT
-s 192.168.1.0/255.255.255.0 -m multiport -p tcp -d 192.168.1.1 --dport
21,22,25,53,80,81,110,500,3128 -j ACCEPT iptables -A INPUT -i eth0 -m
multiport -p udp --dport 21,25,53,80,110,500 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 22 -j
ACCEPT iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 81
-j ACCEPT
iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j DROP
iptables -A INPUT -i eth0 -j LOG --log-prefix "FIREWALL : INPUT "
iptables -A INPUT -i eth0 -j DROP
# Regras de Saida
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 443
--sport 1024:65535 -j ACCEPT
#Bloqueando saida NETbios
iptables -A OUTPUT -o eth0 -m multiport -p tcp --dport 135,137,138,139
-j DROP iptables -A OUTPUT -o eth0 -m multiport -p udp --dport
135,137,138,139 -j DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
# NAT
#iptables -t nat -A PREROUTING -j NAT --to-dest 192.168.1.1 -d
apache.surson.com.br -p tvp
iptables -t nat -A PREROUTING -j DNAT --to-dest 192.168.1.2 -i eth0 -p
tcp -m multiport --dport 21,25,80,110,3389,137,50,51,1723 #iptables -t
nat -A PREROUTING --dst apache.surson.com.br -p TCP --dport 80 -j DNAT
--to-destination 192.168.1.1
# Masquerade
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.0.0 -d
192.168.0.0/255.255.0.0 -j LOG --log-prefix "Firewall VPN "
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.0.0 -d \!
192.168.0.0/255.255.0.0 -j MASQUERADE
# Bloqueio de saida de pacotes do tipo Windows Networking iptables -A
FORWARD -i eth0 -m multiport -p tcp --dport 135,137,138,139 -j LOG
--log-prefix " Fire BLOQ TCP NETBIOS "
iptables -A FORWARD -i eth0 -m multiport -p udp --dport 135,137,138,139
-j LOG --log-prefix " Fire BLOQ UDP NETBIOS " iptables -A FORWARD -i
eth0 -m multiport -p tcp --dport 135,137,138,139 -j DROP iptables -A
FORWARD -i eth0 -m multiport -p udp --dport 135,137,138,139 -j DROP
# Forwarding para saida
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p tcp --dport
3128 -j DROP iptables -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p
tcp --dport 8080 -j DROP iptables -A FORWARD -i eth1 -j ACCEPT
# Kernel Level
echo "32768" > /proc/sys/net/ipv4/ip_conntrack_max
echo "1" > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_forward
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 0 > $i
done
for i in /proc/sys/net/ipv4/conf/*/log_martians
do
echo 1 > $i
done
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.459 / Virus Database: 258 - Release Date: 25/2/2003
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2003-03-09 3:02 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-03-07 23:30 How is Kazaa getting out without a rule? Tasha Smith
2003-03-08 11:40 ` hare ram
2003-03-08 12:26 ` Arnt Karlsen
2003-03-09 3:02 ` IPTABLES SO ESTRANGE Franco Antonio Catena
2003-03-08 19:08 ` How is Kazaa getting out without a rule? i.t
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.