LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-01-2004, 12:52 PM   #1
GratePayne
LQ Newbie
 
Registered: May 2004
Posts: 2

Rep: Reputation: 0
Blocking Traffic on a specific port (kazaa)


I have a small (5 computer) home network. Four computers are Winblows and one is a linux (fedora) system being used as a gateway/firewall. I have a guest in my house who insists on using kazaa even though I have asked him not to. How can I block that traffic using the firewall?
This is how I am set up;

sprint ADSL modem 192.168.1.1 has dhcp server with one addr in pool
linux gateway has 192.168.1.2 connected to the ADSL (eth1)
linux gateway has 192.168.2.1 connected to LAN (eth0)
All other systems are static IP.

I found this firewall online and tried to modify it to block ports 1214 and 3531 but I obviously don't know what I am doing because it does not have the desired effect.

When I look at the log I have the system generate, all of the ports specified seem to be random port numbers pulled out of a hat. I expected to see traffic on ports 80, 21, etc... I assume this has something to do with forwarding (see note above about not knowing what I am doing).

Any help would be great.

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########################################################################
#
# 1. Configuration options.
#

###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.2.1"
LAN_IP_RANGE="192.168.2.0/24"
LAN_BCAST_ADRESS="192.168.2.255"
LAN_IFACE="eth0"

###########################################################################
#
# Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# Internet Configuration.
#

INET_IP="192.168.1.2"
INET_IFACE="eth1"

###########################################################################
#
# IPTables Configuration.
#

IPTABLES="/sbin/iptables"

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc


###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# ===================== THIS IS WHAT I ADDED =====
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s 192.168.2.103 -j LOG --log-level INFO --log-prefix "Richard Acessed: "

$IPTABLES -A INPUT -p TCP --dport 1214 -j DROP
$IPTABLES -A INPUT -p TCP --dport 3531 -j DROP
$IPTABLES -A OUTPUT -p TCP --dport 1214 -j DROP
$IPTABLES -A OUTPUT -p TCP --dport 3531 -j DROP

# ===================================

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.2.0/24 -j DROP
#$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
#$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.1.0/12 -j DROP

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packet died: "

###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT OUTPUT packet died:"
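
The rules the post adds sit in the INPUT and OUTPUT chains. On a Linux router those chains only see packets addressed to the gateway itself (INPUT) or sent by the gateway itself (OUTPUT); a LAN client's traffic to the Internet is routed through the box and passes only through FORWARD, where the first matching rule wins. The script below is an added example, not the post's script and not Oskar Andreasson's rc.firewall: it builds a FORWARD chain in which the port drops come before the unconditional LAN accept, defaults to a dry run that prints the rules instead of loading them, and takes the interface names and the two ports from the post. All function names in it are this example's own. (On the log question: an iptables LOG line prints both SPT, the client's ephemeral source port, which looks random, and DPT, the destination port, which is where a fixed service port shows up.)

```shell
#!/bin/sh
# Added example, not the post's script nor Oskar Andreasson's rc.firewall.
# Shows where port-blocking rules for LAN clients belong on a forwarding
# gateway. Function and variable names below are this example's own.

LAN_IFACE="eth0"          # LAN side, as in the post
INET_IFACE="eth1"         # ADSL side, as in the post
P2P_TCP_PORTS="1214 3531" # the ports the post tried to block

# Dry run by default: print the rules instead of loading them, so the chain
# can be reviewed (and this script run) on a machine without root or iptables.
# Set IPTABLES=/sbin/iptables in the environment to load them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Traffic a LAN host sends to the Internet is routed through this box, so it
# never enters INPUT (packets addressed to the gateway) or OUTPUT (packets the
# gateway itself sends). Only FORWARD sees it, so the drops must live there.
p2p_forward_rules() {
    for port in $P2P_TCP_PORTS; do
        # Log (rate-limited, so the log stays readable), then drop.
        $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -p tcp --dport "$port" \
            -m limit --limit 3/minute --limit-burst 3 \
            -j LOG --log-level INFO --log-prefix "IPT P2P blocked: "
        $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -p tcp --dport "$port" -j DROP
    done
}

# The FORWARD chain in the order it must be loaded: iptables stops at the first
# matching rule, so the drops have to precede the blanket "-i eth0 -j ACCEPT".
build_forward_chain() {
    $IPTABLES -P FORWARD DROP
    p2p_forward_rules
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
}

# Read a rule listing on stdin and exit 0 only if every port DROP appears
# before the unconditional LAN ACCEPT; exit 1 if one was appended after it.
check_order() {
    awk -v lan="$LAN_IFACE" '
        /--dport/ && /-j DROP/ { if (accept_seen) bad = 1 }
        index($0, "-i " lan " -j ACCEPT") > 0 { accept_seen = 1 }
        END { exit bad ? 1 : 0 }'
}

# Dry run: print the chain, then confirm the rule order is right.
build_forward_chain
build_forward_chain | check_order && echo "# rule order OK: P2P drops precede the LAN accept"
```

The drops are written for the LAN-to-Internet direction only: with FORWARD's policy at DROP and only ESTABLISHED,RELATED traffic accepted back in, nothing from the Internet can open a connection to a LAN client on those ports anyway. Before loading a changed ruleset on a gateway you reach over the network, save the working one with iptables-save so it can be put back with iptables-restore from the console, which is the backup svbathe recommends in the next reply.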
 
Old 05-01-2004, 04:20 PM   #2
svbathe
LQ Newbie
 
Registered: Nov 2003
Location: Pune, India
Distribution: RH
Posts: 10

Rep: Reputation: 0
Try to move the section you added to right at the bottom, just above the "log weird packets" section.
Be sure to back up your current configuration and that you have console access to your f/w. Just in case this doesn't work, you should be able to revert back to your working conf.
 
Old 05-02-2004, 07:23 AM   #3
frogman
Member
 
Registered: Sep 2003
Distribution: Mandrake, Slack, Debian and PicoBSD
Posts: 181

Rep: Reputation: 31
If your guest has a clue, he can still proxy Kazaa over another port. Wouldn't it be better to reduce his bandwidth or just kick him off the network if he's ignoring the rules? It is _your_ network after all.


Pete

(who learned long ago that a human solution - the public bollocking - is easier to apply than a technological one)

Last edited by frogman; 05-02-2004 at 07:26 AM.
 
Old 05-05-2004, 04:51 PM   #4
GratePayne
LQ Newbie
 
Registered: May 2004
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks guys. I will try what you say, svbathe.

You are right, frogman, it is my network. But I am trying not to be a complete ogre. Though he may leave me no choice. Lucky for me he is not too computer savvy.
 
Old 05-09-2004, 09:10 AM   #5
frostschutz
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 95

Rep: Reputation: 28
Great Pain,

currently there exist two projects which might interest you. First is IPP2P (http://rnvs.informatik.uni-leipzig.d.../index_en.html), second is iptables-p2p (http://www.sourceforge.net/iptables-p2p).

Both projects offer a kernel module + iptables module. They provide a more or less reliable means to detect P2P traffic (various protocols supported, you can specify which ones you want). This way, you can either drop all those packets in general or limit traffic.

If your main problem is that the Kazaa user steals all other users' bandwidth, you might also have a look at my own script on http://www.metamorpher.de/fairnat/, which uses Traffic Shaping to share bandwidth in a fair manner among clients in your LAN. This script also supports (experimental feature) IPP2P mentioned above.

HTH

Last edited by frostschutz; 05-09-2004 at 09:12 AM.
 
  

