* How is Kazaa getting out without a rule?
From: Tasha Smith @ 2003-03-07 23:30 UTC
To: netfilter
Hiiii,
I was wondering if someone can help explain this to me. Below is my firewall script;
eth1 is my LAN interface and eth0 is the Internet on the FIREWALL/ROUTER machine.
But from my LAN Windows machines could not connect to MSN Messenger until I created a
forward rule for port 1863. BUT Kazaa from my LAN CAN connect to the outside world
without creating a rule. How is this possible? And does that mean if I have a trojan
on one of my Windows machines it can get out and make a connection to somewhere on
the NET too? Thanks guys for the help!
########################################################
# Note: CONNECTION_TRACKING is never set in this excerpt, so the
# "-m state --state NEW" variants below are skipped; the unconditional
# rule that follows each of them accepts the same traffic anyway.
# This will also update my ipaddress.
IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\ -f1`

# Remove any existing rules from all chains.
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited access on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to drop.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT

iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT

# Allow stateful connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Access for DNS UDP for my ISP DNS server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p udp \
        -s $IP_INET --sport 1024:65535 \
        -d 208.53.4.130 --dport 53 \
        -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_INET --sport 1024:65535 \
    -d 208.53.4.130 --dport 53 -j ACCEPT

if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p udp \
        -s $IP_INET --sport 1024:65535 \
        -d 208.53.4.150 --dport 53 \
        -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_INET --sport 1024:65535 \
    -d 208.53.4.150 --dport 53 -j ACCEPT

# Allow access for my ISP DHCP server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    # (was "$IP_NET", an undefined variable; corrected to $IP_INET)
    iptables -A OUTPUT -o eth0 -p udp \
        -s $IP_INET --sport 1024:65535 \
        -d 208.53.4.129 --dport 67 \
        -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p udp \
    -s $IP_INET --sport 1024:65535 \
    -d 208.53.4.129 --dport 67 -j ACCEPT

# Allow access to remote webservers PORT 80.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p tcp \
        -s $IP_INET --sport 1024:65535 \
        --dport 80 -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p tcp \
    -s $IP_INET --sport 1024:65535 \
    --dport 80 -j ACCEPT

# Attempt to connect to HTTPS connections.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p tcp \
        -m state --state NEW --dport 443 \
        --sport 1024:65535 \
        -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p tcp \
    -s $IP_INET --sport 1024:65535 \
    --dport 443 -j ACCEPT

# Fragmented ICMP Messages.
iptables -A INPUT -i eth0 --fragment -p icmp -j LOG \
    --log-prefix "Fragmented ICMP: "
iptables -A INPUT -i eth0 --fragment -p icmp -j DROP

# Source Quench Control
iptables -A INPUT -i eth0 -p icmp \
    --icmp-type source-quench -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type source-quench -j ACCEPT

# Parameter Problem Status.
iptables -A INPUT -i eth0 -p icmp \
    --icmp-type parameter-problem -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type parameter-problem -j ACCEPT

# Destination Unreachable Error.
iptables -A INPUT -i eth0 -p icmp \
    --icmp-type destination-unreachable -d $IP_INET -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type destination-unreachable -j DROP

# Time Exceeded Status
iptables -A INPUT -i eth0 -p icmp \
    --icmp-type time-exceeded -d $IP_INET -j ACCEPT

# Allow Outgoing pings to remote hosts
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o eth0 -p icmp \
        -s $IP_INET --icmp-type echo-request \
        -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type echo-request -j ACCEPT

# Incoming ping from Remote Hosts.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i eth0 -p icmp \
        -s 208.53.1.231 --icmp-type echo-request -d $IP_INET \
        -m state --state NEW -j ACCEPT
fi

iptables -A INPUT -i eth0 -p icmp \
    -s 208.53.1.231 --icmp-type echo-request -d $IP_INET -j ACCEPT
# Reply goes back to the same host the request is accepted from
# (was 209.53.1.231, which did not match the rule above).
iptables -A OUTPUT -o eth0 -p icmp \
    -s $IP_INET --icmp-type echo-reply -d 208.53.1.231 -j ACCEPT

# Forwarding is allowed from the LAN (eth1) outbound, on these ports only.
# The port 80 rule is already covered by the multiport rule after it.
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 25,80,110,443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863 -j ACCEPT

# Enables Packet Forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward
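One way to see for yourself which LAN host is getting out on which port, as an added example that is not part of the thread or anyone's reply: log every NEW connection a LAN host opens through FORWARD, log what falls through to the DROP policy, and summarise the kernel log by source host and destination port. It assumes eth1 is the LAN and eth0 the Internet as in the script above; the log prefixes "FWD-NEW: " / "FWD-DROP: " and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): make outbound connections through the
# FORWARD chain visible, so "how did Kazaa get out" becomes a log question.
# Assumes eth1 = LAN and eth0 = Internet; prefixes and sample lines are made up.

# Rules to add to the FORWARD chain. Inserted at position 1, the first rule
# logs every NEW connection a LAN host tries to open outbound (accepted or
# not); appended last, the second logs what falls through to the DROP policy.
# Wrapped in a function so nothing changes just by sourcing this file.
add_forward_logging() {
    iptables -I FORWARD 1 -i eth1 -o eth0 -m state --state NEW \
        -j LOG --log-prefix "FWD-NEW: " --log-level info
    iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW \
        -j LOG --log-prefix "FWD-DROP: " --log-level info
}

# Summarise kernel log lines read from stdin: one line per
# "<prefix> <LAN source> <dport> <count>" of NEW connection attempts.
# A (source, dport) seen under FWD-NEW but never under FWD-DROP got through
# one of the ACCEPT rules; under FWD-DROP it hit the default policy.
summarize_forward_log() {
    awk '
        /FWD-(NEW|DROP): / {
            tag = src = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FWD-(NEW|DROP):$/) tag = $i
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (tag != "" && src != "" && dpt != "")
                count[tag " " src " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample of what the LOG target writes to the kernel log.
# Host .10 tries port 1214 (dropped) and then gets out on 80; host .20 uses 1863.
sample_log() {
    cat <<'EOF'
Mar  8 10:01:02 fw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1045 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  8 10:01:02 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1045 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  8 10:01:03 fw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1046 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  8 10:01:03 fw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=1047 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  8 10:01:05 fw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=1050 DPT=1863 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
}

# Stand-alone demo on the constructed sample. On the firewall you would run
#   grep 'FWD-' /var/log/messages | summarize_forward_log
sample_log | summarize_forward_log
```

The same summary works on a tcpdump capture only after translating it to the SRC=/DPT= form; the LOG target gives you that form for free and shows accepted and dropped attempts side by side.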
* Re: How is Kazaa getting out without a rule?
From: hare ram @ 2003-03-08 11:40 UTC
To: Tasha Smith, netfilter

Hi,
AFAIK Kazaa 2 runs on different ports altogether; it depends on the customer setup, being P2P based. When you allow ports from 1024:.. to 65xxx, then by default Kazaa uses 1214.. If you want to block Kazaa you can use a --string based route to stop Kazaa.
hare

----- Original Message -----
From: "Tasha Smith" <tashamaillist@yahoo.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, March 08, 2003 5:00 AM
Subject: How is Kazaa getting out without a rule?

> Hiiii,
> I was wondering if someone can help explain this to me. Below is my firewall script;
> eth1 is my LAN interface and eth0 is the Internet on the FIREWALL/ROUTER machine.
> But from my LAN Windows machines could not connect to MSN Messenger until I created a
> forward rule for port 1863. BUT Kazaa from my LAN CAN connect to the outside world
> without creating a rule. How is this possible? And does that mean if I have a trojan
> on one of my Windows machines it can get out and make a connection to somewhere on
> the NET too? Thanks guys for the help!
>
> [...]
* Re: How is Kazaa getting out without a rule?
From: Arnt Karlsen @ 2003-03-08 12:26 UTC
To: netfilter

On Fri, 7 Mar 2003 15:30:27 -0800 (PST), Tasha Smith <tashamaillist@yahoo.com> wrote in message <20030307233027.80633.qmail@web80410.mail.yahoo.com>:

> Hiiii,
> I was wondering if someone can help explain this to me. Below is my
> firewall script; eth1 is my LAN interface and eth0 is the Internet on
> the FIREWALL/ROUTER machine. But from my LAN Windows machines
> could not connect to MSN Messenger until I created a forward rule for
> port 1863. BUT Kazaa from my LAN CAN connect to the outside world
> without creating a rule. How is this possible? And does that mean if I
> have a trojan on one of my Windows machines it can get out and make a
> connection to somewhere on the NET too? Thanks guys for the help!

..for ideas, try grep kazaa from a tcpdump run, I'd guess it uses high
ports. These high ports _are_ open, until _you_ close them.

..check your box to see what apps etc you have running, shut down and
remove those you don't need/want, close ports on whatever you need/want
running for internal but not external users, X, webmin, dhcp, tftp
etc, ymmv.

> [...]
> # Allow stateful connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

..why this stateful OUTPUT ?

> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow Access for DNS UDP for my ISP DNS server.
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A OUTPUT -o eth0 -p udp \
> -s $IP_INET --sport 1024:65535 \
> -d 208.53.4.130 --dport 53 \

..here, many prefer calling their hosts etc "A.B.C.130" when asking
online, some feel safer that way etc, ymmv.

> -m state --state NEW -j ACCEPT
> fi
> [...]
> # Forwarding is allowed in the direction

..which direction, outbound?

> iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 25,80,110,443 -j ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863 -j ACCEPT
> iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 1863 -j ACCEPT
>
> # Enables Packet Forwarding
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> echo 1 > /proc/sys/net/ipv4/ip_forward

..I don't see any problems with your script except where noted.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
* IPTABLES SO STRANGE
From: Franco Antonio Catena @ 2003-03-09 3:02 UTC
To: 'Arnt Karlsen', netfilter

Hi,
I have a Linux box with 2 network cards, eth0 external and eth1 internal. I want Apache to run on port 81 instead of 80 because I have a NAT forwarding to IIS. The problem is that the script doesn't work. I'm not able to telnet from an internal address to port 81. Apache was started but I don't know why I can't telnet 192.168.1.1 81?

for i in `ls /lib/modules/2.4.18-2cl/kernel/net/ipv4/netfilter/ip* | cut -f 3 -d "." | \
    cut -f 6 -d "/" | grep -v ipchains`; do modprobe $i; done
#modprobe ip_tables
#insmod ip_conntrack
#insmod ip_conntrack_ftp
#modprobe ipt_LOG
#modprobe ipt_multiport
#modprobe ipt_REJECT
#modprobe ipt_MASQUERADE

iptables -F

# Default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i eth0 --fragment -p icmp -j LOG --log-prefix "Fragmented ICMP: "
iptables -A INPUT -i eth0 --fragment -p icmp -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j LOG --log-prefix "USO DO SQUID "
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 81 -j LOG --log-prefix "WEB INTERNA "
iptables -A INPUT -i eth0 -m multiport -p tcp --dport 21,22,25,53,80,81,110,500,3128 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -m multiport -p tcp -d 192.168.1.1 --dport 21,22,25,53,80,81,110,500,3128 -j ACCEPT
iptables -A INPUT -i eth0 -m multiport -p udp --dport 21,25,53,80,110,500 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j DROP
iptables -A INPUT -i eth0 -j LOG --log-prefix "FIREWALL : INPUT "
iptables -A INPUT -i eth0 -j DROP

# Output rules
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 443 --sport 1024:65535 -j ACCEPT
# Blocking outbound NetBIOS
iptables -A OUTPUT -o eth0 -m multiport -p tcp --dport 135,137,138,139 -j DROP
iptables -A OUTPUT -o eth0 -m multiport -p udp --dport 135,137,138,139 -j DROP
iptables -A OUTPUT -o eth0 -j ACCEPT

# NAT
#iptables -t nat -A PREROUTING -j NAT --to-dest 192.168.1.1 -d apache.surson.com.br -p tvp
iptables -t nat -A PREROUTING -j DNAT --to-dest 192.168.1.2 -i eth0 -p tcp -m multiport --dport 21,25,80,110,3389,137,50,51,1723
#iptables -t nat -A PREROUTING --dst apache.surson.com.br -p TCP --dport 80 -j DNAT --to-destination 192.168.1.1

# Masquerade
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.0.0 -d 192.168.0.0/255.255.0.0 -j LOG --log-prefix "Firewall VPN "
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/255.255.0.0 -d \! 192.168.0.0/255.255.0.0 -j MASQUERADE

# Block outbound Windows Networking packets
iptables -A FORWARD -i eth0 -m multiport -p tcp --dport 135,137,138,139 -j LOG --log-prefix " Fire BLOQ TCP NETBIOS "
iptables -A FORWARD -i eth0 -m multiport -p udp --dport 135,137,138,139 -j LOG --log-prefix " Fire BLOQ UDP NETBIOS "
iptables -A FORWARD -i eth0 -m multiport -p tcp --dport 135,137,138,139 -j DROP
iptables -A FORWARD -i eth0 -m multiport -p udp --dport 135,137,138,139 -j DROP

# Forwarding for outbound traffic
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p tcp --dport 3128 -j DROP
iptables -A FORWARD -s 192.168.1.1/24 -d ! 192.168.1.1 -p tcp --dport 8080 -j DROP
iptables -A FORWARD -i eth1 -j ACCEPT

# Kernel level
echo "32768" > /proc/sys/net/ipv4/ip_conntrack_max
echo "1" > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_forward
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
* Re: How is Kazaa getting out without a rule?
From: i.t @ 2003-03-08 19:08 UTC
To: Tasha Smith, netfilter

msg Saturday 08 March 2003 00:30 by Tasha Smith:
> without creating a rule. How is this possible? And does that mean if I have a

If ip_forwarding is set to 1, Kazaa comes out, if not further restricted, on a great many ports (starting with 1214 and so on...)

Regards
--
Irmund Thum