#1 | 02-14-2006, 01:46 PM | tomazN | Member | Registered: May 2005 | Location: Slovenia | Distribution: Suse 10.2 64bit | Posts: 127
Help me by advance shaping my network ...
OK. Let me describe my frustration, or problem. But first my network setup as it is:
I have a 4Mbit/512kbit ADSL PPPoE line. My computer (running Suse 10.0 64bit Linux) is the gateway for the other computers' internet (also DNS server etc., but that doesn't matter). So my computer, which is the gateway, has the IP 192.168.0.1. All computers have internet just fine (they are mostly WIN XP computers), so they have IPs from 192.168.0.2 to 192.168.0.9, but more will join my little network soon. So that internet link goes to more people, not just myself, so I am kind of a little "ISP" for all those others, and I am also responsible that the internet works etc. etc.
Now the problem is our upload speed, which as you see is more than CRAP
And users keep on running that p2p stuff, all kinds of it (Nazareus, donkey ... don't know any more names, not really a fan of p2p). So they are hitting the upload speed 24/7/365. And when those 60kB/s are full, our download is 1kB/s. It eats up the whole line. Now I want to shape the traffic which goes through my server gateway, so that is nicely possible. Suse has iptables, so I would like to:
1. completely disallow them to use any kind of p2p stuff (preferred solution, if possible), or
2. limit their combined upload speed to 5kB/s so they can't get much out of those p2p programs; download doesn't bother me, because it splits fine. But the limits should not apply to me, because I am a web developer and it's kind of hard to upload something at 5kB/s when I need it; the others are just kids with those p2p needs ...
My internet really dies totally (it's dead most of the time, until I get angry and pull their cable out of the switch)
I can see great who is uploading and when and what ... lots of nifty tools in *nix :P
I'm not good at iptables. So I would need an example of how I can end this madness and get some justice to my network, so we all have equal rights when we need the internet. Except me, that is; I need upload, but like once per week for 30 mins, not 24/7/365 @ max.
So I am begging you to give me some nice solutions to this problem.
Oh, my kernel is: 2.6.13-15.7-default, which is the latest from the Suse update page.
I hope I wasn't too long, but I am really frustrated already by all this, and can't find a solution which I would have the knowledge to implement on my own. So any insights, examples, suggestions are very welcome.
THX.

#2 | 02-14-2006, 02:35 PM | ikillu | Member | Registered: Jul 2004 | Posts: 34
Hi,
If you want to shape P2P bandwidth you can use CBQ easily, but I suggest you should block P2P.
However, you decide what you should do. Here is an example of how you can shape P2P.
Download the cbq.init script from http://sourceforge.net/projects/cbqinit/
After downloading, follow these steps:
== copy the downloaded cbq.init script to /etc/rc.d
# cp cbq.init.7.0.3** /etc/rc.d/cbq.init
== Make the cbq configuration directory /etc/sysconfig/cbq
# mkdir /etc/sysconfig/cbq
== Go to /etc/sysconfig/cbq
# cd /etc/sysconfig/cbq
== You should create two configuration files, one for P2P traffic and a second for all other traffic.
== Create the cbq config file
# vi cbq-500.p2p
== and type
DEVICE=eth0,10Mbit,1Mbit
RATE=12Kbit
WEIGHT=1.2Kbit
PRIO=5
#Kazaa port
RULE=:1214,192.168.0.0/24
#Torrent ports 6881-6889, 6969
RULE=:6881,192.168.0.0/24
RULE=:6882,192.168.0.0/24
RULE=:6883,192.168.0.0/24
RULE=:6884,192.168.0.0/24
RULE=:6885,192.168.0.0/24
RULE=:6886,192.168.0.0/24
RULE=:6887,192.168.0.0/24
RULE=:6888,192.168.0.0/24
RULE=:6889,192.168.0.0/24
: save & exit
== and add all other P2P ports; you can find P2P ports with iptraf. DEVICE=eth0 is your local interface.
# vi cbq-501.traffic
== and type
DEVICE=eth0,10Mbit,1Mbit
RATE=4Mbit
WEIGHT=500Kbit
PRIO=5
#for all other traffic
RULE=192.168.0.0/24
: save & exit
== now make cbq.init executable, start it, and make it start on boot
# chmod 755 /etc/rc.d/cbq.init
# /etc/rc.d/cbq.init start
# echo "/etc/rc.d/cbq.init start" >> /etc/rc.local
I implemented this on my own network and it works. Please let me know if it does not work.
AND if you want to block P2P, please let me know.
TRY NOW
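A class on eth0 governs what leaves eth0 towards the LAN, which is the download direction; the upload limit asked for in the first post has to sit on the ADSL side. The config below is an added example, not from the thread or from cbq.init's own documentation: it assumes the PPPoE interface is ppp0, that this cbq.init release accepts the fwmark classifier (MARK=), and that the mark is set by the mangle rule shown in the comments.

```shell
# /etc/sysconfig/cbq/cbq-500.lanup  (added example, not from the thread)
#
# Shape the UPLOAD of the LAN clients. The class must hang off the interface
# the packets leave on their way to the internet, i.e. the PPPoE device
# (assumed here to be ppp0). A class on eth0 only governs what leaves eth0
# towards the LAN (the download direction) and leaves the upload untouched.

# <interface>,<link bandwidth>,<weight, about bandwidth/10>: the 512kbit upstream
DEVICE=ppp0,512Kbit,51Kbit
# 40kbit/s is the 5kB/s asked for in the first post; WEIGHT is RATE/10
RATE=40Kbit
WEIGHT=4Kbit
PRIO=5
# Never borrow idle bandwidth from the parent, otherwise the cap is only soft
BOUNDED=yes

# Do NOT classify by source address here. By the time a packet reaches the
# ppp0 queue it has already been masqueraded, so a source match on the private
# range (RULE=192.168.0.0/24,) would never see a LAN address. Classify by
# fwmark instead and set the mark in the mangle table, which runs before NAT:
#
#   iptables -t mangle -A FORWARD -s 192.168.0.0/24 -o ppp0 -j MARK --set-mark 5
#
# Locally generated traffic from the gateway never passes FORWARD, so the
# gateway's own uploads (the web developer's case) are neither marked nor capped.
MARK=5

# Note: the qdisc is lost every time ppp0 is torn down and recreated by a
# PPPoE reconnect; restart cbq.init from /etc/ppp/ip-up to put it back.
```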

#3 | 02-14-2006, 02:40 PM | tomazN (Original Poster)
I prefer blocking p2p if possible; will shape traffic later if I can't block all p2p. So post what you've got :P
I really hate p2p, eating my last nerves
Thx for the guide on how to easily shape traffic, gonna try that if I can't block p2p completely.

#4 | 02-15-2006, 01:29 AM | ikillu
You can block P2P using iptables. I don't know what your current iptables configuration is, but this should work for you. You need to find out the P2P ports AND block them in INPUT (TCP/UDP) & FORWARD (TCP/UDP):
# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 1214 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 1214 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1214 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 1214 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 6881:6889 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 6881:6889 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 6881:6889 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 6881:6889 -j DROP
== see this to know more about ports: http://www.chebucto.ns.ca/~rakerman/port-table.html

#5 | 02-15-2006, 02:26 PM | tomazN (Original Poster)
Do I have to restart something to get it to work?
Because I tried these lines:
# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 1000:30000 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 1000:30000 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 1000:30000 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1000:30000 -j DROP
so blocking quite a few ports, just to test it, and they still upload like maniacs, eating the whole line ... :S
What did I do wrong??

#6 | 02-15-2006, 03:21 PM | ikillu
Type these lines and try to access any FTP server from your client:
# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 21 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 21 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 21 -j DROP

#7 | 02-16-2006, 03:25 PM | tomazN (Original Poster)
Made those rules you wrote for iptables. Went to the computer with IP address 192.168.0.2 and tried to connect to ftp on port 21. Worked fine, and all the other ports which should be blocked also. So what's wrong? Do I have to restart the network interface or what? I'm now completely lost

#8 | 02-16-2006, 03:29 PM | tomazN (Original Poster)
Well, let me post the output from iptables -L. It's long because I made all the routing stuff etc. with Suse YaST, so probably half of this is crap; maybe I should do this by hand and better, to get my comp to act as gateway and have local shares etc...
Here it goes:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
DROP tcp -- 192.168.0.0/24 anywhere tcp dpts:cadlock2:30000
DROP udp -- 192.168.0.0/24 anywhere udp dpts:cadlock2:30000
DROP tcp -- 192.168.0.0/24 anywhere tcp dpt:ftp
DROP udp -- 192.168.0.0/24 anywhere udp dpt:fsp
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int all -- anywhere anywhere
forward_ext all -- anywhere anywhere
forward_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- anywhere anywhere
DROP udp -- 192.168.0.0/24 anywhere udp dpts:cadlock2:30000
DROP tcp -- 192.168.0.0/24 anywhere tcp dpts:cadlock2:30000
DROP udp -- 192.168.0.0/24 anywhere udp dpt:fsp
DROP tcp -- 192.168.0.0/24 anywhere tcp dpt:ftp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere
Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP all -- anywhere anywhere
Chain input_ext (3 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-dgm
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ndmp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:10010 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:10010
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:vlsi-lm flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:vlsi-lm
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:5900 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:5900
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:7750 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:7750
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:irdmi flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:fde flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:fde
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:epmap flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:epmap
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere
Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable

#9 | 02-17-2006, 10:31 PM | ikillu
Quote: Originally Posted by tomazN
Made those rules you wrote for iptables. Went to the computer with IP address 192.168.0.2 and tried to connect to ftp on port 21. Worked fine, and all the other ports which should be blocked also. So what's wrong? Do I have to restart the network interface or what? I'm now completely lost
It doesn't work for your local network; you should connect to an ftp server on the internet, not on the local network.

#10 | 02-18-2006, 02:01 AM | tomazN (Original Poster)
Of course I connected to ftp on the internet, LOL. I have just gone to the computer with local IP address 192.168.0.2 because I didn't want to try from mine, which is the gateway ...
I tried to connect to ftp.nvidia.com or some others; works fine.

#11 | 02-18-2006, 09:37 AM | ikillu
Maybe something is wrong with your server, bcoz I block the BitTorrent ports with these commands
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 6881:6999 -j REJECT
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 6881:6999 -j REJECT
and it works, but why it does not work for you I don't know.

#12 | 02-18-2006, 09:40 AM | tomazN (Original Poster)
Quote: Originally Posted by ikillu
Type these lines and try to access any FTP server from your client:
# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 21 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 21 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 21 -j DROP
and now you wrote REJECT on those lines, so what's correct now??

#13 | 02-18-2006, 11:21 AM | ikillu
The difference between DROP and REJECT is that if you set DROP then you get no message, and if you set REJECT then you get an unreachable/connection refused message.
Last edited by ikillu; 02-18-2006 at 11:23 AM.

#14 | 02-18-2006, 03:46 PM | tomazN (Original Poster)
Can someone examine my iptables ruleset and tell me how I can block some ports of my choosing for users on IPs 192.168.0.X?
I was trying different approaches; nothing seems to block the ports. And it shouldn't block the ports for me, and I am the gateway for the other users' internet. My IP is 192.168.0.1.
And by blocking I mean so they couldn't use some services like MSN for example, or eDonkey etc.
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_int all -- anywhere anywhere
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int all -- anywhere anywhere
forward_int all -- anywhere anywhere
forward_ext all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain forward_int (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain input_ext (2 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-dgm
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT tcp -- anywhere anywhere tcp dpt:10010
ACCEPT tcp -- anywhere anywhere tcp dpt:vlsi-lm
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:5900
ACCEPT tcp -- anywhere anywhere tcp dpt:7750
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi
ACCEPT tcp -- anywhere anywhere tcp dpt:fde
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:epmap
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
DROP all -- anywhere anywhere
Chain input_int (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
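In both rulesets posted above, the appended DROP rules sit at the very end of INPUT and FORWARD, behind the SuSEfirewall2 chains: forward_int ACCEPTs state NEW from the LAN and a catch-all "DROP all" follows, so a forwarded packet never reaches rules added with -A. The script below is an added example, not from the thread: it keeps the block rules in their own chain and hooks that chain at the top of FORWARD with -I, so it is evaluated first. It assumes the LAN is 192.168.0.0/24 and uses the port list from the earlier replies; like any port-based filter it only affects sessions to the listed ports.

```shell
#!/bin/sh
# Added example, not from the thread. Block a list of destination ports for
# forwarded LAN traffic on a SuSEfirewall2 gateway without falling into the
# ordering trap visible in the rulesets above: rules appended with -A land
# after forward_int (which ACCEPTs state NEW from the LAN) and after the
# catch-all "DROP all", so they are never evaluated.
#
# Assumptions (labelled): LAN = 192.168.0.0/24; the port list is illustrative
# and taken from the replies in this thread. Run as root on the gateway.
# Locally generated traffic from the gateway itself (192.168.0.1) traverses
# OUTPUT, not FORWARD, so the gateway stays unaffected, as the first post asked.

LAN_NET=192.168.0.0/24
CHAIN=LAN_BLOCK
BLOCK_TCP="1214 6881:6889"   # Kazaa, BitTorrent (illustrative)
BLOCK_UDP="1214 6881:6889"

# Run an iptables command, or just print it when DRY_RUN=1 so the resulting
# rule list can be reviewed before touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build a dedicated chain and hook it at the TOP of FORWARD.
block_rules() {
    run -N "$CHAIN" 2>/dev/null || true     # no-op if the chain already exists
    run -F "$CHAIN"                         # start from a clean chain
    for p in $BLOCK_TCP; do
        # tcp-reset gives the client an immediate "connection refused"
        run -A "$CHAIN" -p tcp --dport "$p" -j REJECT --reject-with tcp-reset
    done
    for p in $BLOCK_UDP; do
        run -A "$CHAIN" -p udp --dport "$p" -j REJECT   # icmp-port-unreachable
    done
    # Remove a previous hook (if any) so re-running does not stack duplicates,
    # then INSERT at position 1: -I, not -A. Only NEW connections need checking;
    # an established session cannot have slipped past the chain earlier.
    run -D FORWARD -s "$LAN_NET" -m state --state NEW -j "$CHAIN" 2>/dev/null || true
    run -I FORWARD 1 -s "$LAN_NET" -m state --state NEW -j "$CHAIN"
}

# Verification: with -v, the pkts counter of the LAN_BLOCK jump and of each
# REJECT rule must increase while a client tries one of the blocked ports.
verify() {
    iptables -L FORWARD -v -n --line-numbers | head -n 5
    iptables -L "$CHAIN" -v -n
}

case "${1:-}" in
    apply)  block_rules ;;
    show)   DRY_RUN=1 block_rules ;;
    verify) verify ;;
esac
```

Run `sh block.sh show` first to review the exact commands, then `apply`, then `verify` while a client retries a blocked port.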