LinuxQuestions.org
Linux - Newbie
Old 06-10-2011, 06:50 AM   #1
sanjibgupta
iptables


Hi

I have a proxy running. I have seen LAN machines sending packets with iftop -P -F 192.168.10.0/24:
Code:
192.168.10.203:kazaa => known.net.reach.com:http 0b 40b 40b
<= 0b 0b 0b

The kazaa port is 1214.

How do I set my iptables so that I can only send and receive http, smtp, ssh, dns and dhcp requests in and out of the proxy?

My iptables is:
Code:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN (eth2) web traffic on tcp/80 is redirected to the proxy listening on 3128
-A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
# the LAN is masqueraded behind the external interface eth0
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
# all three chain policies are ACCEPT, so nothing is dropped by default
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s xxx.yyy.148.65/28 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth2 -s 192.168.10.0/24 -d 0/0 -p all -j ACCEPT
-A FORWARD -i eth2 -s 192.168.10.0/24 -d 192.168.20.0/24 -p all -j ACCEPT
-A FORWARD -s 0/0 -d 192.168.10.0/24 -p all -j ACCEPT
-A FORWARD -p ALL -i eth2 -s 192.168.10.0/255.255.255.0 -d 192.168.20.0/255.255.255.0 -j ACCEPT
-A FORWARD -p ALL -i eth2 -s 192.168.20.0/255.255.255.0 -d 192.168.10.0/255.255.255.0 -j ACCEPT
COMMIT
 
Old 06-10-2011, 09:05 AM   #2
TB0ne
Quote:
Originally Posted by sanjibgupta View Post
Hi
I have a proxy running. I have seen LAN machines sending packets with iftop -P -F 192.168.10.0/24:
192.168.10.203:kazaa => known.net.reach.com:http 0b 40b 40b
<= 0b 0b 0b

The kazaa port is 1214.

How do I set my iptables so that I can only send and receive http, smtp, ssh, dns and dhcp requests in and out of the proxy?
As with some of your other posts, you omit a good bit of actual detail. As always: what version/distro of Linux? WHAT proxy, and what version? And did you bother to try to look this up? This is a well-documented issue, with lots of folks dealing with it.

Try this in your iptables:
Code:
# the string match needs --algo (bm or kmp) on iptables 1.3.x and newer;
# the chain was not given in the post, FORWARD is assumed here
-A FORWARD -m string --algo bm --string "X-Kazaa-Username:" -j DROP
-A FORWARD -m string --algo bm --string "X-Kazaa-Network:" -j DROP
-A FORWARD -m string --algo bm --string "X-Kazaa-IP:" -j DROP
-A FORWARD -m string --algo bm --string "X-Kazaa-SupernodeIP:" -j DROP
Which may (or may not) work, depending on the client they're using and where they're connecting. Again, if you tried to look this up, you'd find you need an L7-based module to make SURE this traffic is blocked.
http://l7-filter.clearfoundation.com/
http://www.ipp2p.org/
 
Old 06-10-2011, 01:38 PM   #3
sanjibgupta
Sorry, I am using RHEL 5.0. I am masquerading my internal network. I need to close all ports other than 80, 25, 443 and 22 for both outgoing and incoming connections.
Sanjib Gupta
 
Old 06-10-2011, 04:28 PM   #4
TB0ne
Quote:
Originally Posted by sanjibgupta View Post
Sorry, I am using RHEL 5.0. I am masquerading my internal network. I need to close all ports other than 80, 25, 443 and 22 for both outgoing and incoming connections.
Ok. Re-read my previous post, since you asked about Kazaa filtering, and it was answered.

Again, did you try to look up any of the very well documented iptables examples that show you how to block all this? First hit in Google:
http://www.cyberciti.biz/faq/iptables-block-port/

Give that a try before posting next time.
 
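A complete ruleset for what this thread asks, as an added example that is not from any post above: a script that emits an allow-list ruleset in iptables-restore format (default DROP on INPUT and FORWARD, only the named services through), loads it on request, and summarises the kernel LOG lines it produces so you can see which LAN host still tries which port. It assumes the interface roles and networks from the original post (eth0 Internet, eth1 192.168.1.0/24, eth2 192.168.10.0/24 with a 192.168.20.0/24 behind it), squid on tcp/3128, and RHEL5-era iptables (the state match); ADMIN_NET, the backup path and the sample log lines are constructed placeholders. One caveat the thread glosses over: the iftop line shows Kazaa talking to tcp/80, and tcp/80 from the LAN is REDIRECTed to the proxy before FORWARD is consulted, so a port filter never sees it; that traffic has to be stopped in the proxy (ACLs) or with the string/L7 match from post #2.

```shell
#!/bin/sh
# lan-egress.sh: allow-list ruleset for the proxy box in this thread, plus a
# summary of what it drops. Added example; assumptions are taken from the
# original post and not verified here:
#   eth0 = Internet, eth1 = 192.168.1.0/24, eth2 = 192.168.10.0/24 (the LAN),
#   squid on tcp/3128, RHEL5-era iptables (uses the "state" match).
# ADMIN_NET is the block allowed to ssh in from the Internet; the default is
# the placeholder from the original post and must be replaced before --apply.
ADMIN_NET="${ADMIN_NET:-xxx.yyy.148.65/28}"
LAN_IF=eth2
LAN_NET=192.168.10.0/24
WAN_IF=eth0
FWD_TCP_PORTS=22,25,53,443     # ssh, smtp, dns, https leave the LAN directly
FWD_UDP_PORTS=53               # dns (http goes via the REDIRECT to squid)

# Print the ruleset in iptables-save format so it can be reviewed before loading.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# tcp/80 from the LAN is handed to squid here, so it never enters FORWARD
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# what the box itself serves the LAN: ssh, dns, squid (the REDIRECT target), dhcp, ping
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 22,53,3128 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i $WAN_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
# forwarded traffic: replies, the two internal networks, and only the listed ports outbound
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports $FWD_TCP_PORTS -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp -m multiport --dports $FWD_UDP_PORTS -j ACCEPT
# everything else from the LAN (tcp/1214 included) is logged, rate limited, then hits the DROP policy
-A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# iptables-restore swaps the whole ruleset atomically; keep the old one so a
# lockout can be undone from the console with iptables-restore < the backup.
apply_rules() {
    iptables-save > /root/iptables.before-egress && gen_rules | iptables-restore
}

# Read kernel log lines on stdin, count FWD-DROP hits per source host and
# destination port, most frequent first: "count SRC PROTO/DPT".
summarize_drops() {
    awk '/FWD-DROP:/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") n[src " " proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample of what the LOG rule writes to /var/log/messages.
SAMPLE_LOG='Jun 10 06:50:01 proxy kernel: FWD-DROP: IN=eth2 OUT=eth0 SRC=192.168.10.203 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=1214 DPT=1214 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 06:50:02 proxy kernel: FWD-DROP: IN=eth2 OUT=eth0 SRC=192.168.10.203 DST=203.0.113.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=1214 DPT=1214 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 10 06:50:03 proxy kernel: FWD-DROP: IN=eth2 OUT=eth0 SRC=192.168.10.17 DST=203.0.113.12 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=40123 DPT=123 LEN=28
Jun 10 06:50:04 proxy kernel: FWD-DROP: IN=eth2 OUT=eth0 SRC=192.168.10.203 DST=203.0.113.13 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=1214 DPT=1214 WINDOW=5840 RES=0x00 SYN URGP=0'

case "${1:-}" in
    --apply)     apply_rules ;;
    --summarize) summarize_drops ;;          # grep FWD-DROP /var/log/messages | sh lan-egress.sh --summarize
    --demo)      printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
    *)           gen_rules ;;
esac
```

Run it without arguments to review the ruleset, then `sh lan-egress.sh --apply` from the console (INPUT becomes DROP, so do not do this over an ssh session from an address outside ADMIN_NET). The original `-A FORWARD -s 0/0 -d 192.168.10.0/24 -j ACCEPT` is replaced by the ESTABLISHED,RELATED rule, which lets replies back in without opening the LAN to anything unsolicited; OUTPUT stays ACCEPT because squid makes the outbound web connections from the box itself. The `--summarize` report (the sample gives `3 192.168.10.203 TCP/1214` and `1 192.168.10.17 UDP/123`) shows both the Kazaa client and legitimate things you forgot, such as NTP, which then get added to the port lists rather than to the exceptions in your head.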