* Firewall L7
From: Stephan Higuti @ 2007-04-18 12:38 UTC
To: netfilter

Hello guys.

I have a firewall L7 as a bridge at my work. The firewall is blocking
Gmail, Hotmail, and attachments from my mail server....
Can anybody help me? =D

Best Regards

Stephan

--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------
* Re: Firewall L7
From: Pablo Sanchez @ 2007-04-18 12:42 UTC
To: netfilter

On Wednesday 18 April 2007 at 8:38 am, Stephan Higuti etched:
> Hello guys.
>
> I have a firewall L7 as a bridge at my work. The firewall is
> blocking Gmail, Hotmail, and attachments from my mail server....
> Can anybody help me? =D

If you have a home server, you can tunnel from work to it and circumvent
the 'problem'.

Depending on what you're running on your desktop at work (Unix or
Windows), you can use either ssh or PuTTY to create a local SOCKS server
which tunnels to your home server. If work blocks port 22, set up your
sshd daemon at home to listen on port 443. ;)

Cheers,
--- pablo
* Re: Firewall L7
From: Leonardo Rodrigues Magalhães @ 2007-04-18 12:44 UTC
To: Stephan Higuti; +Cc: netfilter

What is your question? What is your problem?? Please tell us what's
wrong....

Or.... are you trying to bypass your work's blocking rules???? Is that it?

Stephan Higuti wrote:
> Hello guys.
>
> I have a firewall L7 as a bridge at my work.
> The firewall is blocking Gmail, Hotmail, and attachments from my mail
> server....
> Can anybody help me? =D
>
>

--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
gertrudes@solutti.com.br
* Re: Firewall L7
From: Stephan Higuti @ 2007-04-19 18:15 UTC
To: Leonardo Rodrigues Magalhães; +Cc: netfilter

My rules....

## Flush the iptables rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

## Enable packet forwarding ##
echo 1 > /proc/sys/net/ipv4/ip_forward

## Load the iptables modules ##
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ipt_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_REJECT
modprobe ipt_layer7

# NAT for the whole network.
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE

## Layer 7 rules
# Block Skype-to-Skype
iptables -A FORWARD -m layer7 --l7proto skypetoskype -j DROP

# Block SkypeOut
iptables -A FORWARD -m layer7 --l7proto skypeout -j DROP

# Block Messenger
#iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
#iptables -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP

# Block the goddamn Orkut by string match using the bm algorithm (kmp can be used too).
# Note: the string match inspects each packet on its own, not the reassembled stream.
iptables -t filter -A FORWARD -m string --string "orkut" --algo bm -j DROP

# Block torrents
iptables -t filter -A FORWARD -m layer7 --l7proto bittorrent -j DROP

# Switch to stateful
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

These rules are blocking Gmail, Hotmail and my mail server.....
But it's just a few rules....
Something wrong?

Cheers

Stephan

--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------
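The `-m string --string "orkut"` rule above is worth looking at on its own. iptables' string match examines one packet at a time, so a string that happens to straddle two TCP segments is never seen whole and the rule silently misses it (and, conversely, the match fires on any packet that merely contains the bytes, whatever the connection is). The script below is an added example, not part of the thread: it models a per-packet matcher beside a stream-reassembling one on a constructed HTTP request that is split inside the word "orkut". The segment contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): per-packet string matching, as
# iptables -m string does it, versus matching on the reassembled stream,
# as a proxy or a reassembling IDS would. The "segments" are constructed.

# Return 0 if NEEDLE occurs entirely inside at least one segment.
# This is the iptables -m string behaviour: each packet is searched alone.
match_per_packet() {
    needle=$1; shift
    for seg in "$@"; do
        case $seg in
            *"$needle"*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if NEEDLE occurs in the concatenation of all segments, i.e. in
# the byte stream the receiving application actually sees.
match_stream() {
    needle=$1; shift
    stream=$(printf '%s' "$@")   # printf reuses '%s' for every argument
    case $stream in
        *"$needle"*) return 0 ;;
    esac
    return 1
}

# Demonstration on a constructed request split at a segment boundary
# that falls inside "orkut".
demo() {
    seg1='GET /or'
    seg2='kut/Main HTTP/1.1'
    if match_per_packet orkut "$seg1" "$seg2"; then
        echo "per-packet: matched"
    else
        echo "per-packet: missed (string split across two segments)"
    fi
    if match_stream orkut "$seg1" "$seg2"; then
        echo "stream: matched"
    else
        echo "stream: missed"
    fi
}

case ${1-} in demo) demo ;; esac
```

Run it as `sh split.sh demo`. The per-packet matcher reports a miss while the stream matcher finds the string, which is exactly the gap that a client can exploit by sending small segments, and the reason a proxy is the better place for application-layer string filtering.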
[parent not found: <6bb85d880704191258r4b3638adye6669cee42b16485@mail.gmail.com>]
* Re: Firewall L7
From: Stephan Higuti @ 2007-05-11 17:53 UTC
To: Juan León; +Cc: netfilter

Thanks for the help guys! It works!

Just another question....
What do I do to allow a free IP behind my bridge firewall (L7)?
I need an IP that can access everything.......

Best Regards

Stephan

On 4/19/07, Juan León <debjuanca@gmail.com> wrote:
>
> Hi Stephan, with my experience firewalling, you can try using these rules
> with yours.
>
> Let's take a close look at your rules.
>
> > #iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm
>
> Maybe this line is associated with gmail. I suggest you use a proxy to match
> strings like orkut.
> Read Oskar Andreasson's paragraph.
>
> "For example, if we use a string match and match for a specific string
> inside the packet, let's say get /index.html. Will that work? Normally, yes.
> However, if the packet size is very small, it will not. The reason is that
> iptables is built to work on a per packet basis, which means that if the
> string is split into several separate packets, iptables will not see that
> whole string. For this reason, you are much, much better off using a proxy
> of some sort for filtering in the application layer"
>
> For Hotmail you can add this line just above every FORWARD line, see
> "-I", the same with your mail.server.com
>
> #iptables -I FORWARD -d www.hotmail.com -j ACCEPT
> #iptables -I FORWARD -d mail.server.com -j ACCEPT
>
> Hope this helps.
>
>
> 2007/4/19, Stephan Higuti <higuti.sam@gmail.com>:
> > My rules....
> >
> > ## Flush the iptables rules
> > iptables -F
> > iptables -t nat -F
> > iptables -t mangle -F
> >
> > ## Enable packet forwarding ##
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > ## Load the iptables modules ##
> > modprobe iptable_nat
> > modprobe ip_nat_ftp
> > modprobe ip_conntrack
> > modprobe ipt_conntrack
> > modprobe ip_conntrack_ftp
> > modprobe ip_tables
> > modprobe ipt_LOG
> > modprobe ipt_limit
> > modprobe ipt_REJECT
> > modprobe ipt_layer7
> >
> > # NAT for the whole network.
> > #iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
> >
> > ## Layer 7 rules
> > # Block Skype-to-Skype
> > iptables -A FORWARD -m layer7 --l7proto skypetoskype -j DROP
> >
> > # Block SkypeOut
> > iptables -A FORWARD -m layer7 --l7proto skypeout -j DROP
> >
> > # Block Messenger
> > #iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
> > #iptables -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
> > iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
> >
> > # Block the goddamn Orkut by string match using the bm algorithm (kmp can
> > be used too)
> > iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm
> >
> > # Block torrents
> > iptables -t filter -A FORWARD -m layer7 --l7proto bittorrent -j DROP
> >
> > # Switch to stateful
> > #iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> >
> > These rules are blocking Gmail, Hotmail and my mail server.....
> > But it's just a few rules....
> > Something wrong?
> >
> > Cheers
> >
> > Stephan
> >
> > --
> > ---------------------------------------------------------------------
> > Stephan Higuti
> > MSN: higutisam@hotmail.com
> > Email: higuti.sam@gmail.com
> > ---------------------------------------------------------------------
> >
> >

--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------
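Juan's fix works because of rule order: iptables walks a chain top to bottom and the first terminating match wins, so an allow rule appended with `-A` after the DROP rules is never reached, while `-I` puts it in front. The script below is an added example, not code from the thread or from Juan: it rebuilds the FORWARD chain from scratch with the allow rules first, which is equivalent to Juan's `-I` when the chain is already populated. The host names in MAIL_SERVER and WEBMAIL_HOSTS are placeholders (assumptions; mail.google.com in particular is not named anywhere in the thread), and IPT can be pointed at a shell function so the script can be dry-run without root to check the resulting order.

```shell
#!/bin/sh
# Added example (not from the thread): the thread's L7 drop rules with the
# allow rules placed in front of them. Flushing the chain and appending in
# the intended order is equivalent to Juan's "-I" on a populated chain.
# IPT may be overridden (e.g. with a shell function that logs its
# arguments) to dry-run the script without root and inspect the order.
IPT=${IPT:-iptables}
MAIL_SERVER=${MAIL_SERVER:-mail.example.com}                        # assumed placeholder
WEBMAIL_HOSTS=${WEBMAIL_HOSTS:-"www.hotmail.com mail.google.com"}   # assumed placeholders

apply_rules() {
    $IPT -F FORWARD

    # 1. Explicit allows go FIRST. With "-A" they would land behind the
    #    DROP rules and never be reached. "-d <name>" is resolved once,
    #    when the rule is loaded: iptables adds one rule per A record, and a
    #    name whose addresses change later silently stops being matched.
    $IPT -A FORWARD -d "$MAIL_SERVER" -j ACCEPT
    for h in $WEBMAIL_HOSTS; do
        $IPT -A FORWARD -d "$h" -j ACCEPT
    done

    # 2. Layer-7 drops, as posted in the thread. Do NOT put a
    #    "--state ESTABLISHED -j ACCEPT" rule ahead of these: layer7
    #    classifies a connection from its first data packets, and accepting
    #    established traffic earlier in the chain would hide those packets
    #    from it, so nothing would ever be classified.
    for p in skypetoskype skypeout msnmessenger bittorrent; do
        $IPT -A FORWARD -m layer7 --l7proto "$p" -j DROP
    done
}

case ${1-} in apply) apply_rules ;; esac
```

To dry-run: define `iptables() { printf '%s\n' "$*"; }` in the shell, source the script and call `apply_rules`; the printed lines are the chain in the order it will be loaded, allows before drops. To load for real, run `sh rules.sh apply` as root.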
[parent not found: <4644CC76.80502@zensoluciones.com>]
* Re: Firewall L7
From: Stephan Higuti @ 2007-05-14 17:17 UTC
To: Sébastien CRAMATTE; +Cc: netfilter

Thanks guys!

My block rules don't work!
I'm using these rules to block the MSN protocol...

iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP

Any idea?

Best Regards

Stephan

-
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------
* Re: Firewall L7
From: Fernando R. Durso @ 2007-05-14 18:13 UTC
To: Stephan Higuti, netfilter

Do an ls /lib/iptables/ or /usr/lib/iptables or wherever your iptables
libs are and look for libipt_layer7.so. If you don't find it, it's because
your kernel and/or iptables compilation has failed....

By the way, you can remove the "-t filter".

Stephan Higuti wrote:
> Thanks guys!
>
> My block rules don't work!
> I'm using these rules to block the MSN protocol...
>
>
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
>
>
> Any idea?
>
> Best Regards
>
> Stephan
>
> -
> ---------------------------------------------------------------------
> Stephan Higuti
> MSN: higutisam@hotmail.com
> Email: higuti.sam@gmail.com
> ---------------------------------------------------------------------
>
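Fernando's check (is the userspace layer7 extension actually installed?) is the first of two things to look at when an L7 rule "doesn't work"; the second is whether the rule is seeing any packets at all, which `iptables -L FORWARD -v -n` answers through the per-rule counters. The script below is an added example, not from the thread: it packages both checks as functions that take their input as arguments, so they can be run against a real library directory and a live listing, or against the constructed listing embedded here. The directory list and the sample listing are assumptions; the exact wording in the match column of a real listing depends on the iptables version, so `rules_with_hits` keys only on the packet counter in the first column.

```shell
#!/bin/sh
# Added example (not from the thread): two diagnostics for a layer7 rule
# that "isn't working".
#  1. find_l7_lib DIR...  : is the userspace extension (libipt_layer7.so,
#     or libxt_layer7.so on newer iptables) in any of the given directories?
#  2. rules_with_hits     : read an "iptables -L FORWARD -v -n" listing on
#     stdin and print only the rules whose packet counter is non-zero.

# Print the first matching library path and return 0; return 1 if none of
# the directories contains the extension. The caller supplies the
# directories (e.g. /lib/iptables /usr/lib/iptables /usr/lib/xtables).
find_l7_lib() {
    for d in "$@"; do
        for f in libipt_layer7.so libxt_layer7.so; do
            if [ -f "$d/$f" ]; then
                printf '%s\n' "$d/$f"
                return 0
            fi
        done
    done
    return 1
}

# "-v" output: line 1 is the chain header, line 2 the column header, then
# one rule per line with the packet count first (possibly as "12K", "3M").
# A rule whose counter stays at 0 while the traffic flows is not matching,
# whatever its intent; one that climbs is the one doing the blocking.
rules_with_hits() {
    awk 'NR > 2 && $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" { print }'
}

# Constructed listing (assumption: shaped like "iptables -L FORWARD -v -n"
# with the thread's rules loaded; the counter values are made up).
sample_listing() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto skypetoskype
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto skypeout
   31  2480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto msnmessenger
  417   52K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "orkut" ALGO name bm TO 65535
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent
EOF
}

case ${1-} in
    lib)  find_l7_lib /lib/iptables /usr/lib/iptables /usr/lib/xtables /usr/lib64/xtables ;;
    hits) iptables -L FORWARD -v -n | rules_with_hits ;;
    demo) sample_listing | rules_with_hits ;;
esac
```

`sh l7check.sh lib` prints the library path or exits non-zero; `sh l7check.sh hits` (as root) lists the live rules that are actually matching; `sh l7check.sh demo` runs the same filter over the constructed listing, where only the msnmessenger and the "orkut" string rule have hits, which is the pattern to expect when a string match, not the L7 rules, is what is dropping the mail traffic.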
* Re: Firewall L7
From: Jan Engelhardt @ 2007-05-14 20:03 UTC
To: Stephan Higuti; +Cc: netfilter

On May 14 2007 14:17, Stephan Higuti wrote:
>
> My block rules don't work!

That is _not_ a precise error description.

> I'm using these rules to block the MSN protocol...
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP

Jan
--
Thread overview:
2007-04-18 12:38 Firewall L7 Stephan Higuti
2007-04-18 12:42 ` Pablo Sanchez
2007-04-18 12:44 ` Leonardo Rodrigues Magalhães
2007-04-19 18:15 ` Stephan Higuti
[not found] ` <6bb85d880704191258r4b3638adye6669cee42b16485@mail.gmail.com>
2007-05-11 17:53 ` Stephan Higuti
[not found] ` <4644CC76.80502@zensoluciones.com>
2007-05-14 17:17 ` Stephan Higuti
2007-05-14 18:13 ` Fernando R. Durso
2007-05-14 20:03 ` Jan Engelhardt