LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 02-10-2004, 03:04 AM   #1
freelinuxcpp
Member
 
Registered: Jul 2003
Posts: 129

Rep: Reputation: 15
blocking some port for NAT clients


hello every1
i have a little linux box that do nat for some windows machines , in order to economize some debit i wanna block undeeded port such liike port used by kazaa and such ptp
for that i used this set of rules ;

[cote]
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 1001:65000 -j DROP
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 80 - ACCEPT
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 25 - ACCEPT
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 110 - ACCEPT
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 1863 - ACCEPT
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 5050 - ACCEPT
[/cote]
but this seems to dont work , the clients wasn't able to use any of the common programme they are used to use
i suppose i m using the wront chain , but need some advices to get this working , thus any help would be welcome
 
Old 02-11-2004, 02:29 PM   #2
schagnot
LQ Newbie
 
Registered: Feb 2004
Location: Connecticut
Distribution: RedHat, Debian, Fedora
Posts: 4

Rep: Reputation: 0
With iptables, your internal LAN must pass through your FORWARD chain to get out to the internet. If you are just masquerading internal clients to the outside world, you would want one POSTROUTING rule such as

/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -s $LAN -d 0.0.0.0/0 -o eth0

The eth0 in the above example would be your external interface.

Now you would handle your rules in the FORWARD chain. Set the default policy to DROP and then allow the services you want. Put a LOG rule in as your last rule in the FORWARD chain so you will see the packets that are being dropped off the end of the chain (in other words, the ones that are being blocked). You do not need to have an explicit DROP rule as anything that is not accepted is dropped by the DROP policy.

As for Kazaa - it is going to be able to get out through any port that is open. You are going to have a hard time blocking it.
 
Old 02-14-2004, 05:06 AM   #3
freelinuxcpp
Member
 
Registered: Jul 2003
Posts: 129

Original Poster
Rep: Reputation: 15
first thanx for the reply
i tried to do this using the FORWARD chains , my goal now is to block all IM ( instant messangers) for the clients , i start testing with yahoo messanger which seem much more smart tha i thought , when i block the port 5050 it uses telnet one , and this is blocked too it used an IP tunneling throught the http port (80) , is there anyway to block it ?

Last edited by freelinuxcpp; 02-14-2004 at 05:21 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Blocking port 80 on NAT and allowing browsing thru squid krishvij Linux - Networking 2 07-19-2005 05:10 AM
blocking mac address and NAT com90185 Linux - Security 6 03-07-2005 06:37 PM
NAT blocking bandidko Linux - Networking 0 10-05-2004 09:18 AM
port blocking BwiNfon Linux - Security 4 09-25-2003 10:51 AM
Port forward blocking internal lan clients dulaus Linux - Security 1 06-06-2003 06:38 PM


All times are GMT -5. The time now is 11:38 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration