Linux - Networking
Instead of opening specific ports, why don't you try state matching? If you have a rule like this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
when you are running Kazaa (or any other program), the data returned from the internet will be ESTABLISHED and RELATED packets and will be accepted regardless of the port.
Hi,
Thanks for your reply.
In fact I was doing so for two reasons. First, I don't know about state matching. Second, I must, must, must block all ports because of some fucking broadcasting from my network computers. I have to put this line last in my iptables firewall:
iptables -A FORWARD -s 0/0 -d 0/0 -j REJECT
If I don't write this line my whole network crashes because of the broadcasting.
I've written your line just before my last line:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
but still Kazaa or Net2Phone is not working.
Do I have to do something else besides putting this line in my firewall?
You're going to have to post your whole firewall. I'm not going to be able to make any sense out of just a couple of lines.
Quote:
If I don't write this line my whole network crashes because of broadcasting
Do you know what's broadcasting (and how do you know)? This isn't normal behavior for a network. However, instead of the forwarding rule you've got, why don't you just set the FORWARD table default to DROP?
Thanks!
Well, I know this is not normal for the network. I've noticed that some of my clients' computers are sending packets automatically (even thousands of bytes per second) and asked someone for help. He told me that it's "broadcasting" from Windows machines. Then he suggested I use a firewall that was mostly written by him. I'm giving you my firewall script here; I hope it'll help you to help me.
My eth0 (IP 216.236.104.124) is connected to the internet
and eth1 (192.168.100.254) is connected to the LAN.
I'm running a Squid proxy on this 192.168.100.254 machine and clients can browse through this proxy.
My /etc/rc.d/rc.local is as follows:
depmod -a
modprobe ipt_mac
modprobe ip_conntrack_*
modprobe ip_nat_*
iptables -F
iptables -t nat -F
/etc/rc.d/rc.firewall
and my rc.firewall script is as follows:
iptables -A INPUT -s 192.168.100.254 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 192.168.100.254 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 6801 -j ACCEPT
iptables -A FORWARD -p udp -s 0/0 -d 0/0 --dport 6801 -j ACCEPT
....
and so on ..... I simply added the TCP or UDP ports that I wanted to forward .....
.....
iptables -A FORWARD -s 192.168.100.0/24 -d 0/0 -j REJECT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 216.236.104.124
That is all! Now I think you can understand why I was searching for the Net2Phone, Paltalk and Kazaa ports .... because I wanted to open these ports in my firewall script.
If you suggest it ... I'll redesign my firewall script. But if possible, please tell me how I can use those programs with my current firewall. I don't want to delete it because it's working well ...... at least browsing, Yahoo and MSN are working fine.
OK, this could get a bit ugly. Before making any changes to your script, make sure you have a backup copy so you can at least get back to where you are.
First, you don't set your table defaults. Not a biggie, but in order to have a proper firewall, you need to KNOW what the defaults are. Since this box is connected to the internet, unless you have good security, you are going to get owned.
So, near the top of your script I would add these:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now you are shut down tight. The next thing is to allow the traffic you want in. By and large, you've already got that done for your FORWARD table, but you probably want to add some lines to allow you in and out from this box:
iptables -A INPUT -i lo -j ACCEPT #accept all loopback
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Leave your FORWARD lines and nat line as they are.
Quote:
iptables -A INPUT -s 192.168.100.254 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 192.168.100.254 -d 0/0 -j ACCEPT
I have to admit that I don't get what these rules are trying to accomplish, especially the INPUT rule. I'd disable them (just comment them out) and see if that helps.
Now I'm making the assumption that you want to use kazaa and the other programs from the box this script is running on. If that isn't true, please let me know.
Hello friend,
Sorry for bothering you again, but it's still not working.
Simply put, state matching is not working until I ACCEPT FORWARDING.
I've also tried the following:
..........................................
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
...........................................
I'd like to let you know that if I put an ACCEPT forwarding rule for a specific IP before blocking all .... all software like Kazaa, Paltalk and Net2Phone works fine from that IP.
iptables -A FORWARD -s 192.168.100.135 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 0/0 -j DROP
I'm starting to think that I really don't understand the entire problem.
Are you trying to use the computer running this iptables script for Net2Phone and the others, or are you trying to use this computer as a router and you're running the other programs on different computers?
Originally posted by Hangdog42
I'm starting to think that I really don't understand the entire problem.
Are you trying to use the computer running this iptables script for Net2Phone and the others, or are you trying to use this computer as a router and you're running the other programs on different computers?
Yep! I'm using this box as a router and trying to run the other programs on different Windows machines which are running behind it.
But those Windows machines are infected with some kind of worms which are sending packets continuously.
Quote:
Yep! I'm using this box as a router and trying to run the other programs on different Windows machines which are running behind it.
My apologies... I thought you were trying to run those programs on the linux box. I'm a little out of my depth here since I don't use linux for a router, but I think you can do the same sort of state matching for forwarding.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
I'm assuming that eth0 is your external interface and eth1 is your internal interface. Adjust this line accordingly.
You might want to have a quick look at this firewall script as it shows an example of forwarding using state matches. It has one more interface than you do, but I think it is a decent example.
If that doesn't work, then you are going to have to do some digging and find out what ports these programs do run on. That may not be easy since some of them (I think Kazaa is an example) search for open ports and may not always use the same one.
Quote:
But those Windows machines are infected with some kind of worms which are sending packets continuously.
If those are your machines, you need to clean them. If they are not your machines, you need to contact the owners and get them to clean them. Or shut off their internet access until they do. It is completely inexcusable to knowingly have an infected machine and not do anything about it.
Originally posted by orko
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Do I need to write anything else for INPUT and OUTPUT?
Well, I've already told them to download the Windows patches and clean the worms with a remover. But you know it's not a professional solution. I must make my router prevent everything. In fact I'm also new to Linux. Before this I was using a Windows router, but ........... after the worm attack ....... I've lost all faith in Windows.
Quote:
Do I need to write anything else for INPUT and OUTPUT?
Since the INPUT and OUTPUT chains only affect the packets that are destined for the linux box, you shouldn't need to change them. Of course if you actually use the linux box for network access other than routing, you will need to modify INPUT and OUTPUT accordingly.
...I'd first like to comment that using KaZaA is a foolish thing with wild and far reaching security implications. Now, with that being said, here are some things to consider:
1) The iptables -A switch will APPEND (put at the end of a chain), whereas iptables -I will INSERT at the beginning of the chain. Packets are probably being dropped before a pass rule is examined.
2) Get a better understanding of how KaZaA works before opening/forwarding ports. It is my understanding that P2P NETWORKING (part of the KaZaA bundle from Joltid) uses port 3531 for peer communication in establishing who is the supernode, etc. This port may have to be opened and forwarded for both TCP and UDP to the KaZaA box. Use PREROUTING for this. Fire up Ethereal and then KaZaA, watch what it tries to do and ALLOW one piece at a time.
3) Look at the structure of your tables as you retool with:
iptables -L --line-numbers | less
If your pass rules are at the end of a chain, it won't work...
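A complete stateful router script for the setup in this thread, added here as an example (not posted by any of the participants): it combines the default-DROP policies, the state-matched FORWARD rules and the SNAT line discussed above, and places the block rules ahead of the pass rule as the last post advises. Assumed, not from the thread: Squid on its default port 3128, and that the LAN noise is Windows RPC/NetBIOS/SMB traffic.

```shell
#!/bin/sh
# Added example for this thread, not a script posted by anyone in it.
# Stateful rc.firewall for the router described above: eth0 (216.236.104.124)
# faces the internet, eth1 (192.168.100.254) faces the LAN, squid runs locally.
# Assumptions: squid listens on 3128 (its default); the LAN noise is Windows
# RPC/NetBIOS/SMB worm traffic, which never belongs on the internet anyway.
# Without arguments the script only prints the rules; "apply" installs them.
IPT="${IPT:-iptables}"
EXT_IF=eth0 INT_IF=eth1 EXT_IP=216.236.104.124 LAN=192.168.100.0/24

apply_rules() {
    $IPT -F
    $IPT -t nat -F
    # Default-deny every chain: a packet matching no rule is dropped, so no
    # trailing "REJECT everything" line is needed and rule order stays simple.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Traffic to and from the router itself: loopback, replies to its own
    # connections (squid fetches, DNS), and LAN clients reaching squid.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -i $INT_IF -s $LAN -p tcp --dport 3128 -m state --state NEW -j ACCEPT

    # FORWARD: refuse spoofed sources from the LAN side, then stop the worm
    # propagation ports before the generic "LAN may go out" rule sees them.
    $IPT -A FORWARD -i $INT_IF ! -s $LAN -j DROP
    $IPT -A FORWARD -i $INT_IF -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
    $IPT -A FORWARD -i $INT_IF -p udp -m multiport --dports 135,137,138,139,445 -j DROP
    # LAN may open connections outward; the internet only gets replies back.
    # This is what lets Kazaa, Net2Phone etc. work without per-port rules.
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log what falls through to the DROP policy, rate-limited so a worm cannot flood syslog.
    $IPT -A FORWARD -m limit --limit 6/min -j LOG --log-prefix "FWD-DROP: "

    # Rewrite LAN source addresses to the public address on the way out.
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $EXT_IP
}

case "${1:-}" in
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward; apply_rules ;;
    *)     IPT="echo iptables" apply_rules ;;   # dry run: show the rule set
esac
```

Run it without arguments first and compare the printed rules against `iptables -L --line-numbers` after applying; the LOG line shows you in syslog which LAN host is still generating the noise.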