* Web based Netfilter Frontend?
@ 2002-06-04 2:45 Fred Richards
2002-06-04 15:07 ` block Kazaa download Allan Parreno
0 siblings, 1 reply; 7+ messages in thread
From: Fred Richards @ 2002-06-04 2:45 UTC (permalink / raw)
To: netfilter
Ok, here comes another goofy thread attempt by yours truly. (Last time
my request ended up being possible to accomplish in a much different
manner).
I have a simple question... I've been using netfilter on a few
different machines, Slackware mostly, 2.4.18 and .19 kernels, IPtables
1.2.6a. I like using the endosheild script, I've modified it to do
exactly what I need to. I pay for 3 IP addresses from my cable provider
and am thinking of cancelling 2 to route everything through the main
dedicated linux box ... it's all set and ready to go.
And the question is... are there any web-based frontends for modifying
IPtables rules? Something in PHP or maybe perl? Even if they're not
that fancy, and only allow modifications of incoming DNAT rules (kinda
like port forwarding.) My thinking is that my wife runs servers all the
time, on different ports all the time. I want her to be able to go to a
local page, on the Lan side of the linux machine, use a few drop down
boxes to modify incoming rules to forward ports to her machine. I know
how to do this on the command line... but to have her be able to do it
on the fly instead of me modifying them all the time is desirable. (Her
local ip would also never change. The local network is 172.16.0.0/28
with the lower 7 ips reserved for static addresses, and the upper handed
out by a dhcp server on the linux box, for guests, etc.)
Anyone know of a good way to do this? I have everything in place ... the
dhcp server, the netfilter script, the rules, the natting, etc. Just
need a simple way to modify already existing rules. I've looked on
freshmeat, but can't find exactly what I need ... any help would be
appreciated ... thanks...
-- Fred
^ permalink raw reply [flat|nested] 7+ messages in thread
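The core of the front end asked about above, as an added example that is not part of the original post and not from any existing tool: form input is checked against allowlists and turned into argument lists, never a shell string. The target address 172.16.0.2, the interface eth0 and the unprivileged-port policy are assumptions; Python is used here so the example can be run as-is, although the post mentions PHP or Perl.

```python
import ipaddress

LAN = ipaddress.ip_network("172.16.0.0/28")        # LAN from the post
STATIC = set(list(LAN.hosts())[:7])                # lower 7 addresses, static per the post
# Hypothetical: the one machine forwards may point at; must be a static address.
ALLOWED_TARGETS = {ipaddress.ip_address("172.16.0.2")} & STATIC
WAN_IF = "eth0"                                    # hypothetical external interface
PORT_RANGE = range(1024, 65536)                    # assumed policy: no privileged ports


def _port(value):
    """Parse a form field as a port; int() rejects anything but a number."""
    port = int(str(value), 10)
    if port not in PORT_RANGE:
        raise ValueError(f"port {port} outside allowed range")
    return port


def forward_rules(proto, ext_port, target_ip, target_port=None, action="-A"):
    """Return argv lists for one port forward; raises ValueError on bad input."""
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    if action not in ("-A", "-D"):
        raise ValueError("action must be -A (add) or -D (delete)")
    ext = _port(ext_port)
    dst_port = _port(target_port if target_port is not None else ext_port)
    target = ipaddress.ip_address(target_ip)       # ValueError if not an address
    if target not in ALLOWED_TARGETS:
        raise ValueError(f"{target} is not an allowed forward target")
    # Values are re-serialised from parsed objects, so no raw form text
    # reaches the command line.
    dnat = ["iptables", "-t", "nat", action, "PREROUTING", "-i", WAN_IF,
            "-p", proto, "--dport", str(ext),
            "-j", "DNAT", "--to-destination", f"{target}:{dst_port}"]
    # After DNAT the packet is routed, so it must also be accepted in FORWARD.
    accept = ["iptables", action, "FORWARD", "-i", WAN_IF, "-p", proto,
              "-d", str(target), "--dport", str(dst_port), "-j", "ACCEPT"]
    return [dnat, accept]


if __name__ == "__main__":
    # Each list would go to subprocess.run(argv, check=True), with no shell.
    for argv in forward_rules("tcp", "27015", "172.16.0.2"):
        print(" ".join(argv))
```
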
* RE: block Kazaa download
2002-06-04 15:07 ` block Kazaa download Allan Parreno
@ 2002-06-04 3:41 ` LunarFox
2002-06-04 5:50 ` Raymond Leach
2002-06-04 7:42 ` Erik Pagel
2002-06-04 20:40 ` Tim
2 siblings, 1 reply; 7+ messages in thread
From: LunarFox @ 2002-06-04 3:41 UTC (permalink / raw)
To: 'netfilter'
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Allan Parreno
> Sent: Tuesday, June 04, 2002 11:08 AM
> To: netfilter
> Subject: block Kazaa download
>
> anybody has a sample how to block Kazaa download?
KaZaA appears to listen on port 1214. So if you block that port
*inbound* to your machine, in theory no one should be able to download
FROM you. Of course, you can also just tell the program not to share
files.
If you block *outbound* connections to 1214, your users should not be
able to download from anyone ELSE. At least, that's my limited
understanding of it, I could be completely wrong. ;)
Shouldn't hurt to try one of these rules, depending on which way you're
trying to block:
$IPT -A INPUT -p tcp --dport 1214 -j DROP   # Avoid people downloading from you
and/or
$IPT -A OUTPUT -p tcp --dport 1214 -j DROP  # Block your users from downloading via KaZaA
I use the first rule above, because I was sick and tired of seeing
logged packets being dropped when I wasn't even running the client.
The usual caveat: people are often able to get around fixed port
assignments and your blocking of same. I don't know if the main KaZaA
client can do this, but I suspect it wouldn't be too hard to hack it
(consider what's been done with KaZaA Lite).
HTH,
Jeff Bonner
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: block Kazaa download
2002-06-04 3:41 ` LunarFox
@ 2002-06-04 5:50 ` Raymond Leach
0 siblings, 0 replies; 7+ messages in thread
From: Raymond Leach @ 2002-06-04 5:50 UTC (permalink / raw)
To: LunarFox, 'netfilter'
> <snip>
> anybody has a sample how to block Kazaa download?
>
> KaZaA appears to listen on port 1214. So if you block that port
> *inbound* to your machine, in theory no one should be able to download
> FROM you. Of course, you can also just tell the program not to share
> files.
>
> If you block *outbound* connections to 1214, your users should not be
> able to download from anyone ELSE. At least, that's my limited
> understanding of it, I could be completely wrong. ;)
>
> Shouldn't hurt to try one of these rules, depending on which way you're
> trying to block:
>
> $IPT -A INPUT -p tcp --dport 1214 -j DROP   # Avoid people downloading from you
> and/or
> $IPT -A OUTPUT -p tcp --dport 1214 -j DROP  # Block your users from downloading via KaZaA
>
> I use the first rule above, because I was sick and tired of seeing
> logged packets being dropped when I wasn't even running the client.
>
> The usual caveat: people are often able to get around fixed port
> assignments and your blocking of same. I don't know if the main KaZaA
> client can do this, but I suspect it wouldn't be too hard to hack it
> (consider what's been done with KaZaA Lite).
>
I think the latest kazaa can use http proxies too, so you'll need to block
that too (with squidGuard or something similar).
> HTH,
>
> Jeff Bonner
--
----------------------------------------
Ray Leach (Technical Network Specialist)
Knowledge Factory
www: http://www.knowledgefactory.co.za
Tel: +27-11-445-8100 Direct: 445-8263
Fax: +27-11-445-8101
"No matter where you go, there you are."
----------------------------------------
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: block Kazaa download
2002-06-04 15:07 ` block Kazaa download Allan Parreno
2002-06-04 3:41 ` LunarFox
@ 2002-06-04 7:42 ` Erik Pagel
2002-06-04 14:56 ` Jeff Bonner
2002-06-04 20:40 ` Tim
2 siblings, 1 reply; 7+ messages in thread
From: Erik Pagel @ 2002-06-04 7:42 UTC (permalink / raw)
To: Allan Parreno, netfilter
--On Tuesday, 4 June 2002 11:07 -0400 Allan Parreno
<allan@atlas.iloilo.fapenet.org> wrote:
>
> hello,
>
> anybody has a sample how to block Kazaa download?
>
> TIA
>
Hi,
besides blocking the ports Kazaa uses, you can also try to block the whole
kazaa domain.
That should do the job because the login needs access to a kazaa server.
Without a connection to a kazaa index-server your users are not able to
share or load any files.
bye Erik
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: block Kazaa download
2002-06-04 7:42 ` Erik Pagel
@ 2002-06-04 14:56 ` Jeff Bonner
0 siblings, 0 replies; 7+ messages in thread
From: Jeff Bonner @ 2002-06-04 14:56 UTC (permalink / raw)
To: 'netfilter'
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Erik Pagel
> Sent: Tuesday, June 04, 2002 3:43 AM
> To: Allan Parreno; netfilter
> Subject: Re: block Kazaa download
> > anybody has a sample how to block Kazaa download?
>
> besides blocking the ports Kazaa uses, you can also try to
> block the whole kazaa domain.
> That should do the job because the login needs access to a
> kazaa server.
> Without a connection to a kazaa index-server your users are
> not able to share or load any files.
Argh, I didn't think of that. ;) It would indeed be the best
option. You're absolutely right, until it can talk to the main
server, it's dead in the water -- it grays out all the options.
I want to say it's "desktop.kazaa.com" IIRC, but according to
at least one site I read, you have to block the entire range of
213.248.112.0/24.
Something else I should have thought about previously was to
search Google for that answer:
http://google.com/search?q=block+kazaa
Jeff Bonner
^ permalink raw reply [flat|nested] 7+ messages in thread
* block Kazaa download
2002-06-04 2:45 Web based Netfilter Frontend? Fred Richards
@ 2002-06-04 15:07 ` Allan Parreno
2002-06-04 3:41 ` LunarFox
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Allan Parreno @ 2002-06-04 15:07 UTC (permalink / raw)
To: netfilter
hello,
anybody has a sample how to block Kazaa download?
TIA
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: block Kazaa download
2002-06-04 15:07 ` block Kazaa download Allan Parreno
2002-06-04 3:41 ` LunarFox
2002-06-04 7:42 ` Erik Pagel
@ 2002-06-04 20:40 ` Tim
2 siblings, 0 replies; 7+ messages in thread
From: Tim @ 2002-06-04 20:40 UTC (permalink / raw)
To: netfilter
----- Original Message -----
From: "Allan Parreno" <allan@atlas.iloilo.fapenet.org>
To: "netfilter" <netfilter@lists.samba.org>
Sent: Tuesday, June 04, 2002 11:07 AM
Subject: block Kazaa download
>
> hello,
>
> anybody has a sample how to block Kazaa download?
>
> TIA
>
>
>
generically this should work
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
^ permalink raw reply [flat|nested] 7+ messages in thread
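The thread's rules sit in three different chains (INPUT, OUTPUT, FORWARD), and which chain a packet traverses depends on whether the firewall is its destination, its source, or only routing it. The following is an added example, not part of any message in the thread, that models that choice and checks the posted rules against constructed traffic; the firewall addresses, the sample packets and the form of the rule for the quoted 213.248.112.0/24 range are assumptions, and destination NAT is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: addresses owned by the firewall itself (LAN, WAN).
LOCAL_ADDRS = {ip_address("172.16.0.1"), ip_address("203.0.113.10")}

# (label, chain, tcp dport or None, destination network or None)
RULES = [
    ("INPUT dport 1214", "INPUT", 1214, None),      # rule posted in the thread
    ("OUTPUT dport 1214", "OUTPUT", 1214, None),    # rule posted in the thread
    ("FORWARD dport 1214", "FORWARD", 1214, None),  # rule posted in the thread
    # Assumed rule form; only the range itself is quoted in the thread.
    ("FORWARD dst 213.248.112.0/24", "FORWARD", None, ip_network("213.248.112.0/24")),
]


def chain_for(src, dst):
    """Filter chain a packet traverses: to the box, from the box, or routed."""
    if ip_address(dst) in LOCAL_ADDRS:
        return "INPUT"
    if ip_address(src) in LOCAL_ADDRS:
        return "OUTPUT"
    return "FORWARD"


def matching_rules(src, dst, dport):
    """Labels of the rules a TCP packet would hit on the firewall."""
    chain = chain_for(src, dst)
    hits = []
    for label, rule_chain, rule_dport, rule_dst in RULES:
        if rule_chain != chain:
            continue
        if rule_dport is not None and rule_dport != dport:
            continue
        if rule_dst is not None and ip_address(dst) not in rule_dst:
            continue
        hits.append(label)
    return hits


# Constructed sample traffic: (description, src, dst, dport)
SAMPLES = [
    ("LAN client to peer on 1214", "172.16.0.5", "198.51.100.7", 1214),
    ("LAN client to quoted range, port 80", "172.16.0.5", "213.248.112.20", 80),
    ("LAN client to peer on another port", "172.16.0.5", "198.51.100.7", 8080),
    ("Internet peer to firewall on 1214", "198.51.100.7", "203.0.113.10", 1214),
    ("Firewall's own client to peer on 1214", "203.0.113.10", "198.51.100.7", 1214),
]

if __name__ == "__main__":
    for desc, src, dst, dport in SAMPLES:
        print(f"{desc}: {matching_rules(src, dst, dport) or 'no rule matches'}")
```
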