LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 02-14-2006, 01:46 PM   #1
tomazN
Member
 
Registered: May 2005
Location: Slovenia
Distribution: Suse 10.2 64bit
Posts: 127

Rep: Reputation: 16
Help me by advance shaping my network ...


OK. Let me describe my frustration, or rather my problem. But first, my network setup as it is:

I have a 4Mbit/512kbit ADSL PPPoE line. My computer (running SUSE 10.0 64bit Linux) is the gateway for the other computers' internet (also DNS server etc., but that doesn't matter). So my computer, which is the gateway, has the IP 192.168.0.1. All the computers have internet just fine (they are mostly WIN XP computers); they have IPs from 192.168.0.2 to 192.168.0.9, but more will join my little network soon. So that internet link goes to more people, not just myself, so I'm kind of a little "ISP" for all those others, and I'm also responsible that the internet works etc. etc.

Now the problem is our upload speed, which as you can see is more than CRAP.
And users keep on running all kinds of P2P stuff (Nazareus, donkey ... I don't know any more names, not really a fan of P2P). So they are hitting the upload speed 24/7/365. And when those 60kb/s are full our download is 1kb/s. It eats up the whole line. Now I want to shape the traffic which goes through my server gateway, so that is nicely possible. SUSE has iptables, so I would like to:

1. either completely disallow them to use any kind of P2P stuff (preferred solution, if possible)
2. or limit their combined upload speed to 5kb/s so they can't get much out of those P2P programs; download doesn't bother me, because it splits fine. But the limits should not apply to me, because I am a web developer and it's kind of hard to upload something at 5kb/s when I need it; the others are just kids with those P2P needs ...

My internet really dies totally (it's dead most of the time, until I get angry and pull their cable out of the switch).
I can see very well who is uploading, when and what ... lots of nifty tools in *nix :P

I'm not good at iptables. So I would need an example of how I can end this madness and get some justice to my network, so we all have equal rights when we need the internet. Except me, that is; I need upload, but like once per week for 30 mins, not 24/7/365 @ max.

So I am begging you to give me some nice solutions to this problem.
Oh, my kernel is 2.6.13-15.7-default, which is the latest from the SUSE update page.

I hope I wasn't too long, but I am really frustrated already by all this, and can't find a solution which I would have the knowledge to implement on my own. So any insights, examples, suggestions are very welcome.

THX.
 
Old 02-14-2006, 02:35 PM   #2
ikillu
Member
 
Registered: Jul 2004
Posts: 34

Rep: Reputation: 15
Lightbulb

Hi,
If you want to shape P2P bandwidth you can use CBQ easily, but I suggest you should block P2P.

However, you decide what you should do. Here is an example of how you can shape P2P.
Download the cbq.init script from http://sourceforge.net/projects/cbqinit/
After downloading, follow these steps:

== copy the downloaded cbq.init script to /etc/rc.d
# cp cbq.init-v0.7.3 /etc/rc.d/cbq.init    (use the file name of the version you downloaded)

== make the cbq configuration directory in /etc/sysconfig
# mkdir /etc/sysconfig/cbq

== go to /etc/sysconfig/cbq
# cd /etc/sysconfig/cbq

== You should create two configuration files, one for P2P traffic and a second one for all other traffic.

== Create the cbq config file
# vi cbq-500.p2p
== and type
DEVICE=eth0,10Mbit,1Mbit
RATE=12Kbit
WEIGHT=1.2Kbit
PRIO=5
# Kazaa port (192.168.0.0/24 is the LAN from the question)
RULE=:1214,192.168.0.0/24
# BitTorrent ports 6881-6889 (6969 is the usual tracker port)
RULE=:6881,192.168.0.0/24
RULE=:6882,192.168.0.0/24
RULE=:6883,192.168.0.0/24
RULE=:6884,192.168.0.0/24
RULE=:6885,192.168.0.0/24
RULE=:6886,192.168.0.0/24
RULE=:6887,192.168.0.0/24
RULE=:6888,192.168.0.0/24
RULE=:6889,192.168.0.0/24

: save & exit
== and add all the other P2P ports; you can find P2P ports with iptraf. DEVICE=eth0 is your local interface.
# vi cbq-501.traffic
== and type
DEVICE=eth0,10Mbit,1Mbit
RATE=4Mbit
WEIGHT=500Kbit
PRIO=5
# all other traffic
RULE=192.168.0.0/24

: save & exit


== now make cbq.init executable, start it, and make it start on boot
# chmod 755 /etc/rc.d/cbq.init
# /etc/rc.d/cbq.init start
# echo "/etc/rc.d/cbq.init start" >> /etc/rc.local    (on SUSE the boot-time equivalent is /etc/init.d/boot.local)

I implemented this on my own network and it works. Please let me know if it does not work.

AND if you want to block P2P, please let me know.

TRY NOW
 
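The following is an added example, not from ikillu's post or the cbq.init project. It does the upload-side shaping the question asks for with HTB via tc (iproute2, shipped with SUSE 10) and corrects one thing in the cbq.init recipe above: that configuration attaches to eth0, whose outgoing direction is traffic to the clients, i.e. their download. Upload has to be shaped where the packets leave, on ppp0, and because MASQUERADE has already rewritten the source address by then, client packets are tagged with a firewall mark in mangle PREROUTING (before NAT) instead of being matched on 192.168.0.0/24 at the interface. The interface name ppp0, the 480 kbit link rate, the 40 kbit client cap, the marks 1 and 2 and the class ids are assumptions; the commands are printed rather than executed so they can be reviewed before being run as root.

```sh
#!/bin/sh
# Added example, not from the thread: cap the clients' combined upload on
# the PPPoE link with HTB, keep the gateway's own uploads uncapped, and give
# small ACK packets priority so the clients' downloads stop collapsing when
# their upload queue is full.
#
# Two things the cbq.init recipe above gets backwards for this goal:
#  - shaping applies to packets LEAVING an interface, so upload must be
#    shaped on ppp0; eth0's egress is traffic going TO the clients (download);
#  - on ppp0 the source address has already been rewritten by MASQUERADE,
#    so a tc filter on 192.168.0.0/24 matches nothing there. The packets are
#    marked in mangle PREROUTING (before NAT) and tc classifies on the mark.

WAN="${WAN:-ppp0}"                      # assumption: the PPPoE interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # assumption: the LAN from the thread
UPLINK_KBIT="${UPLINK_KBIT:-480}"       # a bit under the 512 kbit uplink so the
                                        # queue builds here, not in the modem
ACK_KBIT=48                             # reserved for small ACK/interactive packets
LAN_KBIT="${LAN_KBIT:-40}"              # clients' combined upload ceiling
GW_KBIT=$((UPLINK_KBIT - ACK_KBIT - LAN_KBIT))
ACK_MARK=1
LAN_MARK=2

# Emit the tc/iptables commands one per line; apply with "| sh -e" as root.
shape_rules() {
    # HTB root. Anything unmarked (the gateway's own traffic) lands in 1:10.
    echo "tc qdisc add dev $WAN root handle 1: htb default 10"
    echo "tc class add dev $WAN parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit ceil ${UPLINK_KBIT}kbit"
    # 1:5  ACKs: small guaranteed rate, highest priority, may borrow the rest.
    echo "tc class add dev $WAN parent 1:1 classid 1:5 htb rate ${ACK_KBIT}kbit ceil ${UPLINK_KBIT}kbit prio 0"
    # 1:10 gateway: most of the link guaranteed, may borrow up to all of it.
    echo "tc class add dev $WAN parent 1:1 classid 1:10 htb rate ${GW_KBIT}kbit ceil ${UPLINK_KBIT}kbit prio 1"
    # 1:20 clients: rate == ceil, so they can never borrow beyond the cap.
    echo "tc class add dev $WAN parent 1:1 classid 1:20 htb rate ${LAN_KBIT}kbit ceil ${LAN_KBIT}kbit prio 2"
    # SFQ in each leaf so one flow (one P2P client) cannot hog its class.
    for leaf in 5 10 20; do
        echo "tc qdisc add dev $WAN parent 1:$leaf handle $leaf: sfq perturb 10"
    done
    # fw classifier: firewall mark -> class.
    echo "tc filter add dev $WAN parent 1: protocol ip prio 1 handle $ACK_MARK fw flowid 1:5"
    echo "tc filter add dev $WAN parent 1: protocol ip prio 2 handle $LAN_MARK fw flowid 1:20"
    # Mark in PREROUTING, before POSTROUTING SNAT changes the source address.
    # Order matters: LAN mark first, then pure ACKs (<=64 bytes, only ACK set)
    # override it so the clients' downloads keep getting acknowledged.
    # The gateway's own packets never pass PREROUTING, so they stay unmarked.
    echo "iptables -t mangle -A PREROUTING -s $LAN_NET -j MARK --set-mark $LAN_MARK"
    echo "iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ACK -m length --length :64 -j MARK --set-mark $ACK_MARK"
}

# Undo shape_rules (safe to run twice).
unshape_rules() {
    echo "tc qdisc del dev $WAN root 2>/dev/null || true"
    echo "iptables -t mangle -D PREROUTING -s $LAN_NET -j MARK --set-mark $LAN_MARK 2>/dev/null || true"
    echo "iptables -t mangle -D PREROUTING -p tcp --tcp-flags ALL ACK -m length --length :64 -j MARK --set-mark $ACK_MARK 2>/dev/null || true"
}

# Verification: while a client uploads, the "Sent" bytes of class 1:20 must
# grow and its rate must stay at about LAN_KBIT; 1:10 should stay idle
# unless the gateway itself is sending.
show_status() { tc -s class show dev "$WAN"; }

case "${1:-print}" in
    print)  shape_rules ;;
    apply)  unshape_rules | sh -e && shape_rules | sh -e && show_status ;;
    remove) unshape_rules | sh -e ;;
esac
```

Run it as root with `sh shaper.sh apply` (hypothetical file name) once the PPPoE link is up. The gateway's own uploads are unmarked and fall into class 1:10, which has priority over the client class; that is the exemption the question asks for without any per-host rule. The small-ACK class is what stops the clients' downloads from falling to 1kb/s when their upload is saturated: without it their TCP acknowledgements queue behind their own P2P data. pppd tears the qdisc down with the interface, so re-run the apply step from pppd's ip-up script whenever the link reconnects.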
Old 02-14-2006, 02:40 PM   #3
tomazN
Member
 
Registered: May 2005
Location: Slovenia
Distribution: Suse 10.2 64bit
Posts: 127

Original Poster
Rep: Reputation: 16
I prefer blocking P2P if possible; I will shape the traffic later if I can't block all P2P. So post what you've got :P

I really hate P2P, it's eating my last nerves.

Thanks for the guide on how to easily shape traffic; I'm going to try that if I can't block P2P completely.
 
Old 02-15-2006, 01:29 AM   #4
ikillu
Member
 
Registered: Jul 2004
Posts: 34

Rep: Reputation: 15
You can block P2P using iptables. I don't know what your current iptables configuration is, but this should work for you. You need to find out the P2P ports AND block them in INPUT (TCP/UDP) & FORWARD (TCP/UDP):

# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 1214 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 1214 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1214 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 1214 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 6881:6889 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 6881:6889 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 6881:6889 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 6881:6889 -j DROP

== see this to learn more about ports: http://www.chebucto.ns.ca/~rakerman/port-table.html
 
Old 02-15-2006, 02:26 PM   #5
tomazN
Member
 
Registered: May 2005
Location: Slovenia
Distribution: Suse 10.2 64bit
Posts: 127

Original Poster
Rep: Reputation: 16
Do I have to restart something to get it to work?
Because I tried these lines:

# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 1000:30000 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 1000:30000 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 1000:30000 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1000:30000 -j DROP

so blocking quite a few ports, just to test it; they still upload like maniacs, eating the whole line ... :S

What did I do wrong??
 
Old 02-15-2006, 03:21 PM   #6
ikillu
Member
 
Registered: Jul 2004
Posts: 34

Rep: Reputation: 15
Type these lines and then try to access any FTP server from your client:
# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 21 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 21 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 21 -j DROP
 
Old 02-16-2006, 03:25 PM   #7
tomazN
Member
 
Registered: May 2005
Location: Slovenia
Distribution: Suse 10.2 64bit
Posts: 127

Original Poster
Rep: Reputation: 16
Made those rules you wrote for iptables. Went to the computer with IP address 192.168.0.2 and tried to connect to FTP on port 21. Worked fine, and so did all the other ports which should be blocked. So what's wrong? Do I have to restart the network interface or what? I'm now completely lost.
 
Old 02-16-2006, 03:29 PM   #8
tomazN
Member
 
Registered: May 2005
Location: Slovenia
Distribution: Suse 10.2 64bit
Posts: 127

Original Poster
Rep: Reputation: 16
Well, let me post the output from iptables -L. It's long because I made all the routing stuff etc. with SUSE YaST, so probably half of this is crap, and maybe I should do it by hand and better, to get my computer to act as a gateway and have local shares etc...

Here it goes:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
input_int  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere
DROP       tcp  --  192.168.0.0/24       anywhere            tcp dpts:cadlock2:30000
DROP       udp  --  192.168.0.0/24       anywhere            udp dpts:cadlock2:30000
DROP       tcp  --  192.168.0.0/24       anywhere            tcp dpt:ftp
DROP       udp  --  192.168.0.0/24       anywhere            udp dpt:fsp

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int  all  --  anywhere             anywhere
forward_ext  all  --  anywhere             anywhere
forward_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       all  --  anywhere             anywhere
DROP       udp  --  192.168.0.0/24       anywhere            udp dpts:cadlock2:30000
DROP       tcp  --  192.168.0.0/24       anywhere            tcp dpts:cadlock2:30000
DROP       udp  --  192.168.0.0/24       anywhere            udp dpt:fsp
DROP       tcp  --  192.168.0.0/24       anywhere            tcp dpt:ftp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (2 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere

Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere

Chain input_ext (3 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            PKTTYPE = broadcast udp dpt:netbios-dgm
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ndmp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:10010 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10010
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:vlsi-lm flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vlsi-lm
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5900 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5900
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:7750 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:7750
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:irdmi flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:irdmi
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:fde flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:fde
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:epmap flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:epmap
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere

Chain input_int (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable
 
Old 02-17-2006, 10:31 PM   #9
ikillu
Member
 
Registered: Jul 2004
Posts: 34

Rep: Reputation: 15
Quote:
Originally Posted by tomazN
Made those rules you wrote for iptables. Went to the computer with IP address 192.168.0.2 and tried to connect to FTP on port 21. Worked fine, and so did all the other ports which should be blocked. So what's wrong? Do I have to restart the network interface or what? I'm now completely lost.
It doesn't work for your local network; you should connect to an FTP server on the internet, not on the local network.
 
Old 02-18-2006, 02:01 AM   #10
tomazN
Member
 
Registered: May 2005
Location: Slovenia
Distribution: Suse 10.2 64bit
Posts: 127

Original Poster
Rep: Reputation: 16
Of course I connected to an FTP on the internet, LOL. I just went to the computer with local IP address 192.168.0.2 because I didn't want to try from mine, which is the gateway ...

I tried to connect to ftp.nvidia.com and some others; it works fine.
 
Old 02-18-2006, 09:37 AM   #11
ikillu
Member
 
Registered: Jul 2004
Posts: 34

Rep: Reputation: 15
Maybe something is wrong with your server, because I block the BitTorrent ports with these commands

# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 6881:6999 -j REJECT
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 6881:6999 -j REJECT

and it works, but why it doesn't work for you I don't know.
 
Old 02-18-2006, 09:40 AM   #12
tomazN
Member
 
Registered: May 2005
Location: Slovenia
Distribution: Suse 10.2 64bit
Posts: 127

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by ikillu
Type these lines and then try to access any FTP server from your client:
# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 21 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 21 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 21 -j DROP
and now you wrote REJECT on those lines, so which is correct now??
 
Old 02-18-2006, 11:21 AM   #13
ikillu
Member
 
Registered: Jul 2004
Posts: 34

Rep: Reputation: 15
The difference between DROP and REJECT is: if you set DROP you get no message, and if you set REJECT you get an unreachable/connection refused message.

Last edited by ikillu; 02-18-2006 at 11:23 AM.
 
Old 02-18-2006, 03:46 PM   #14
tomazN
Member
 
Registered: May 2005
Location: Slovenia
Distribution: Suse 10.2 64bit
Posts: 127

Original Poster
Rep: Reputation: 16
Can someone examine my iptables ruleset and tell me how I can block some ports of my choosing for users on IPs 192.168.0.X?
I was trying different approaches; nothing seems to block the ports. And it shouldn't block the ports for me, as I am the gateway for the other users' internet. My IP is 192.168.0.1.

And by blocking I mean so they couldn't use some services like MSN for example, or eDonkey etc.

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
input_int  all  --  anywhere             anywhere
input_int  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int  all  --  anywhere             anywhere
forward_int  all  --  anywhere             anywhere
forward_ext  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain forward_int (2 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain input_ext (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            PKTTYPE = broadcast udp dpt:netbios-dgm
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10010
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vlsi-lm
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5900
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:7750
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:irdmi
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:fde
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:epmap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
DROP       all  --  anywhere             anywhere

Chain input_int (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       all  --  anywhere             anywhere

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable
 
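An added example, not from any of the thread's participants, answering the request above and showing why the rules in posts #4 to #11 never matched. The posted `iptables -L` output holds the explanation: the rules were appended with `-A`, so they landed after SuSEfirewall2's `forward_int` chain, which ACCEPTs every `state NEW,RELATED,ESTABLISHED` packet from the LAN, and after the final `DROP all` in FORWARD. Nothing appended there is ever evaluated; inserted at position 1 the rules run first. The gateway's own traffic is untouched because locally generated packets go through OUTPUT, never FORWARD. The chain name P2P_BLOCK, the dry-run design and the ports beyond Kazaa 1214 and BitTorrent 6881-6999 (eDonkey/eMule defaults 4661-4662/tcp and 4665, 4672/udp, which the thread does not mention) are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: block well-known P2P ports for the
# LAN clients on a SuSEfirewall2 gateway, without touching the gateway's
# own traffic.
#
# Why the rules in the thread never matched: "iptables -A FORWARD ..."
# appends AFTER SuSEfirewall2's own rules, and the posted ruleset shows
# forward_int ACCEPTing every "state NEW,RELATED,ESTABLISHED" packet and
# then FORWARD ending in "DROP all". An appended rule sits below that
# catch-all and is never evaluated. Inserting at position 1 (-I FORWARD 1)
# puts the block in front of the SuSEfirewall2 chains.
#
# The gateway's own uploads traverse OUTPUT, not FORWARD, so 192.168.0.1
# is unaffected by anything here; only routed client traffic is filtered.

LAN_NET="${LAN_NET:-192.168.0.0/24}"   # assumption: the LAN from the thread
IPT="${IPT:-iptables}"
CHAIN="P2P_BLOCK"

# Port lists are assumptions: Kazaa 1214 and BitTorrent 6881-6999 come from
# the thread; eDonkey/eMule 4661-4662/tcp and 4665,4672/udp are the
# clients' usual defaults and are not mentioned in the thread. Port-based
# blocking only catches clients left on their default ports.
TCP_PORTS="1214,4661:4662,6881:6999"
UDP_PORTS="1214,4665,4672,6881:6999"

# Emit the iptables commands, one per line, instead of running them, so
# the rule set can be reviewed first and applied with "| sh -e" as root.
p2p_block_rules() {
    # Create the chain, or empty it if an earlier run left it in place.
    echo "$IPT -N $CHAIN 2>/dev/null || $IPT -F $CHAIN"
    # Rate-limited log of what is being refused (check with dmesg).
    echo "$IPT -A $CHAIN -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix \"P2P-BLOCK \""
    # REJECT rather than DROP: the client gets an immediate refusal instead
    # of retrying a half-open connection for minutes.
    echo "$IPT -A $CHAIN -p tcp -j REJECT --reject-with tcp-reset"
    echo "$IPT -A $CHAIN -j REJECT"
    # Jump only for LAN-sourced packets on the listed ports, inserted at the
    # TOP of FORWARD so SuSEfirewall2's accept rules never see them first.
    echo "$IPT -I FORWARD 1 -s $LAN_NET -p udp -m multiport --dports $UDP_PORTS -j $CHAIN"
    echo "$IPT -I FORWARD 1 -s $LAN_NET -p tcp -m multiport --dports $TCP_PORTS -j $CHAIN"
}

# Commands that undo p2p_block_rules (safe to run twice).
p2p_unblock_rules() {
    echo "$IPT -D FORWARD -s $LAN_NET -p tcp -m multiport --dports $TCP_PORTS -j $CHAIN 2>/dev/null || true"
    echo "$IPT -D FORWARD -s $LAN_NET -p udp -m multiport --dports $UDP_PORTS -j $CHAIN 2>/dev/null || true"
    echo "$IPT -F $CHAIN 2>/dev/null || true"
    echo "$IPT -X $CHAIN 2>/dev/null || true"
}

# Verification: the pkts counter on the two jump rules must climb while a
# client (e.g. 192.168.0.2) runs "telnet <any internet host> 6881" and
# gets "Connection refused".
show_status() {
    "$IPT" -L FORWARD -n -v --line-numbers | head -n 4
    "$IPT" -L "$CHAIN" -n -v
}

case "${1:-print}" in
    print)  p2p_block_rules ;;
    apply)  p2p_block_rules   | sh -e && show_status ;;
    remove) p2p_unblock_rules | sh -e ;;
esac
```

Print the rules with `sh p2pblock.sh` (hypothetical file name), apply them as root with `sh p2pblock.sh apply`, and confirm from a client with `telnet ftp.nvidia.com 6881` (any internet host will do) that the answer is "Connection refused" while the counters on the first two FORWARD rules climb. Two caveats: SuSEfirewall2 flushes and rebuilds the tables when it restarts, so the rules have to be re-applied from its custom-rules hook (FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2) or from a script that runs after it; and a port list only stops clients that stay on their default ports, so a hard cap on the clients' upload is the robust control and this block is the convenience layer on top of it. The INPUT rules from the thread are not needed for outbound P2P: client traffic to the internet is forwarded, not delivered to the gateway itself.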