From: "hare ram" <hareram@sol.net.in>
To: Tasha Smith <tashamaillist@yahoo.com>, netfilter@lists.netfilter.org
Subject: Re: How is Kazaa getting out without a rule?
Date: Sat, 8 Mar 2003 17:10:16 +0530
Message-ID: <055b01c2e567$7d48a420$13fcc5cb@Housecall>
In-Reply-To: 20030307233027.80633.qmail@web80410.mail.yahoo.com
Hi,
AFAIK Kazaa 2 runs on different ports altogether;
it depends on the customer's setup, since it is P2P based.
When you allow ports from 1024:.. to 65xxx,
then the default Kazaa user port is 1214..
If you want to block Kazaa,
you can use a --string based rule to stop Kazaa.
hare
----- Original Message -----
From: "Tasha Smith" <tashamaillist@yahoo.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, March 08, 2003 5:00 AM
Subject: How is Kazaa getting out without a rule?
> Hiiii,
> I was wondering if someone can help explain this to me. Below is my
> firewall script; eth1 is my LAN interface and eth0 is the Internet on the
> FIREWALL/ROUTER machine.
> But from my LAN Windows machines could not connect to MSN Messenger until I
> created a forward rule for port 1863. BUT Kazaa from my LAN CAN connect to the
> outside world without creating a rule. How is this possible? And does that
> mean if I have a trojan on one of my Windows machines it can get out and make
> a connection to somewhere on the NET too? Thanks guys for the help!
>
> ########################################################
> # This will also update my ipaddress.
> IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\ -f1`
>
> # CONNECTION_TRACKING is not set anywhere in this script; unless the
> # caller exports it, the "--state NEW" variants below are skipped and
> # only the stateless rule that follows each of them is loaded.
>
> # Remove any existing rules from all chains.
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
>
> # Unlimited access on the loopback interface.
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Set the default policy to drop (OUTPUT stays ACCEPT, so the OUTPUT
> # rules below only matter if that policy is later changed).
> iptables --policy INPUT DROP
> iptables --policy FORWARD DROP
> iptables --policy OUTPUT ACCEPT
>
> iptables -t nat --policy PREROUTING ACCEPT
> iptables -t nat --policy OUTPUT ACCEPT
> iptables -t nat --policy POSTROUTING ACCEPT
>
> iptables -t mangle --policy PREROUTING ACCEPT
> iptables -t mangle --policy OUTPUT ACCEPT
>
> # Allow stateful connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow Access for DNS UDP for my ISP DNS server.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A OUTPUT -o eth0 -p udp \
>         -s $IP_INET --sport 1024:65535 \
>         -d 208.53.4.130 --dport 53 \
>         -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
>     -s $IP_INET --sport 1024:65535 \
>     -d 208.53.4.130 --dport 53 -j ACCEPT
>
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A OUTPUT -o eth0 -p udp \
>         -s $IP_INET --sport 1024:65535 \
>         -d 208.53.4.150 --dport 53 \
>         -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
>     -s $IP_INET --sport 1024:65535 \
>     -d 208.53.4.150 --dport 53 -j ACCEPT
>
> # Allow access for my ISP DHCP server.
> # (The original rule used $IP_NET, an undefined variable, here.)
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A OUTPUT -o eth0 -p udp \
>         -s $IP_INET --sport 1024:65535 \
>         -d 208.53.4.129 --dport 67 \
>         -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p udp \
>     -s $IP_INET --sport 1024:65535 \
>     -d 208.53.4.129 --dport 67 -j ACCEPT
>
> # Allow access to remote webservers PORT 80.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A OUTPUT -o eth0 -p tcp \
>         -s $IP_INET --sport 1024:65535 \
>         --dport 80 -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p tcp \
>     -s $IP_INET --sport 1024:65535 \
>     --dport 80 -j ACCEPT
>
> # Allow outgoing HTTPS connections.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A OUTPUT -o eth0 -p tcp \
>         -s $IP_INET --sport 1024:65535 \
>         --dport 443 -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p tcp \
>     -s $IP_INET --sport 1024:65535 \
>     --dport 443 -j ACCEPT
>
> # Fragmented ICMP Messages: log, then drop.
> iptables -A INPUT -i eth0 --fragment -p icmp -j LOG \
>     --log-prefix "Fragmented ICMP: "
> iptables -A INPUT -i eth0 --fragment -p icmp -j DROP
>
> # Source Quench Control
> iptables -A INPUT -i eth0 -p icmp \
>     --icmp-type source-quench -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
>     -s $IP_INET --icmp-type source-quench -j ACCEPT
>
> # Parameter Problem Status.
> iptables -A INPUT -i eth0 -p icmp \
>     --icmp-type parameter-problem -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
>     -s $IP_INET --icmp-type parameter-problem -j ACCEPT
>
> # Destination Unreachable Error: accept incoming; outgoing, only let
> # fragmentation-needed out (path MTU discovery) and drop the rest.
> iptables -A INPUT -i eth0 -p icmp \
>     --icmp-type destination-unreachable -d $IP_INET -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
>     -s $IP_INET --icmp-type fragmentation-needed -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp \
>     -s $IP_INET --icmp-type destination-unreachable -j DROP
>
> # Time Exceeded Status
> iptables -A INPUT -i eth0 -p icmp \
>     --icmp-type time-exceeded -d $IP_INET -j ACCEPT
>
> # Allow Outgoing pings to remote hosts
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A OUTPUT -o eth0 -p icmp \
>         -s $IP_INET --icmp-type echo-request \
>         -m state --state NEW -j ACCEPT
> fi
>
> iptables -A OUTPUT -o eth0 -p icmp \
>     -s $IP_INET --icmp-type echo-request -j ACCEPT
>
> # Incoming ping from Remote Hosts.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A INPUT -i eth0 -p icmp \
>         -s 208.53.1.231 --icmp-type echo-request -d $IP_INET \
>         -m state --state NEW -j ACCEPT
> fi
>
> iptables -A INPUT -i eth0 -p icmp \
>     -s 208.53.1.231 --icmp-type echo-request -d $IP_INET -j ACCEPT
> # The reply must go back to the same host that is allowed to ping
> # (the original had 209.53.1.231 here, which does not match above).
> iptables -A OUTPUT -o eth0 -p icmp \
>     -s $IP_INET --icmp-type echo-reply -d 208.53.1.231 -j ACCEPT
>
> # Forwarding is allowed in this direction (LAN on eth1 -> Internet) only
> # for these TCP destination ports; everything else from eth1 falls to
> # the FORWARD DROP policy. One multiport rule replaces the separate
> # port 80 rule and the duplicated port 1863 rules.
> iptables -A FORWARD -i eth1 -p tcp -m multiport \
>     --dports 25,80,110,443,1863 -j ACCEPT
>
> # Enables Packet Forwarding (NAT for the LAN behind eth0)
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
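Tasha's FORWARD chain accepts every new TCP connection from eth1 to ports 25, 80, 110, 443 and 1863, so any program on a LAN host that speaks over one of those ports reaches the Internet without a rule of its own, which also answers her trojan question. The following is an added example, not part of the thread: a dry-run generator for a tightened FORWARD section that logs each new forwarded connection (so you can see which port an unexpected client is really using) and includes the -m string match hare ram suggests; the interface and port variables, the placeholder signature and the --algo option (required by current iptables, not by the 2003 string-match patch) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the rules by default;
# run as root with IPT=iptables to apply them for real.
IPT=${IPT:-"echo iptables"}
LAN_IF=${LAN_IF:-eth1}                         # assumed, as in the script
WAN_IF=${WAN_IF:-eth0}                         # assumed, as in the script
ALLOWED_TCP=${ALLOWED_TCP:-25,80,110,443,1863} # ports from Tasha's FORWARD rules
# Placeholder only: the thread gives no Kazaa payload signature.
KAZAA_SIG=${KAZAA_SIG:-"PLACEHOLDER_KAZAA_SIGNATURE"}

# Emit a FORWARD chain that only lets LAN -> Internet traffic out on the
# listed TCP ports, drops packets matching the payload string, and logs
# every NEW forwarded connection so unexpected egress shows up in syslog.
fw_forward_rules() {
    # Replies to already-tracked connections, both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Payload match (hare ram's --string suggestion); --algo is needed by
    # current iptables. Placed before ACCEPT so port 80 traffic is checked too.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp \
        -m string --algo bm --string "$KAZAA_SIG" -j DROP
    # Rate-limited log of each new outbound connection: this is how you find
    # out which port a client that "needs no rule" is actually using.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW \
        -m limit --limit 10/min -j LOG --log-prefix "FWD NEW: "
    # One multiport rule instead of the duplicated 1863 and separate 80 rules.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport \
        --dports "$ALLOWED_TCP" -m state --state NEW -j ACCEPT
    # Anything not matched above is dropped by the chain policy.
    $IPT -P FORWARD DROP
}

# Is a TCP destination port in the allowed egress list? (0 = yes)
port_allowed() {
    echo ",$ALLOWED_TCP," | grep -q ",$1,"
}
```

With the defaults, `port_allowed 80` succeeds and `port_allowed 1214` (the default Kazaa port hare ram names) fails, which is why the logging rule, not the port list, is what reveals where the traffic actually goes.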
Thread overview (5+ messages):
2003-03-07 23:30 How is Kazaa getting out without a rule? Tasha Smith
2003-03-08 11:40 ` hare ram [this message]
2003-03-08 12:26 ` Arnt Karlsen
2003-03-09 03:02 ` IPTABLES SO ESTRANGE Franco Antonio Catena
2003-03-08 19:08 ` How is Kazaa getting out without a rule? i.t