Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a small (5-computer) home network. Four computers are Winblows and one is a Linux (Fedora) system being used as a gateway/firewall. I have a guest in my house who insists on using Kazaa even though I have asked him not to. How can I block that traffic using the firewall?
This is how I am set up:
sprint ADSL modem 192.168.1.1 has dhcp server with one addr in pool
linux gateway has 192.168.1.2 connected to the ADSL (eth1)
linux gateway has 192.168.2.1 connected to LAN (eth0)
All other systems are static IP.
I found this firewall online and tried to modify it to block ports 1214 and 3531, but I obviously don't know what I am doing because it does not have the desired effect.
When I look at the log I have the system generate, all of the ports specified seem to be random port numbers pulled out of a hat. I expected to see traffic on ports 80, 21, etc... I assume this has something to do with forwarding (see note above about not knowing what I am doing).
Any help would be great.
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# Variables used by the rules below; eth0 = LAN, eth1 = ADSL, as described
# in the post above.
LAN_IP_RANGE="192.168.2.0/24"
LAN_IFACE="eth0"
INET_IFACE="eth1"
IPTABLES="/sbin/iptables"
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# %%%%%%%%%%%%%%%%%%%%% THIS IS WHAT I ADDED %%%
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s 192.168.2.103 -j LOG --log-level INFO --log-prefix "Richard Accessed: "
$IPTABLES -A INPUT -p TCP --dport 1214 -j DROP
$IPTABLES -A INPUT -p TCP --dport 3531 -j DROP
$IPTABLES -A OUTPUT -p TCP --dport 1214 -j DROP
$IPTABLES -A OUTPUT -p TCP --dport 3531 -j DROP
# %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.2.0/24 -j DROP
#$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
#$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.1.0/12 -j DROP
#
# Enable simple IP Forwarding and Network Address Translation
#
Try to move the section you added to right at the bottom, just above the log weird packets section.
Be sure to back up your current configuration and that you have console access to your f/w. Just in case this doesn't work, you should be able to revert back to your working conf.
If your guest has a clue, he can still proxy Kazaa over another port. Wouldn't it be better to reduce his bandwidth or just kick him off the network if he's ignoring the rules? It is _your_ network after all.
Pete
(who learned long ago that a human solution - the public bollocking - is easier to apply than a technological one)
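An added example, not code from the thread or from the rc.firewall script the original poster used, showing where port-based Kazaa rules have to sit on a gateway box. Packets from a LAN host to the Internet are routed through the gateway, so they traverse the FORWARD chain; INPUT only sees packets addressed to the gateway itself and OUTPUT only packets the gateway generates, which is why rules in those two chains never match the guest's connections. The interface names (eth0 LAN, eth1 ADSL), the guest address 192.168.2.103 and the ports 1214 and 3531 are taken from the post; the chain name p2p_block, the log prefixes and the rate limits are my own choices. Setting IPTABLES=echo prints the rules instead of loading them, so the result can be reviewed before touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: Kazaa blocking rules for a Linux
# gateway, written so they can be previewed before they are loaded.
# Assumptions taken from the original poster's description: eth0 faces the
# LAN, eth1 faces the ADSL modem, and the guest's machine is 192.168.2.103.
# Every value can be overridden from the environment; IPTABLES=echo prints
# the rules instead of loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IFACE="${LAN_IFACE:-eth0}"
INET_IFACE="${INET_IFACE:-eth1}"
GUEST_IP="${GUEST_IP:-192.168.2.103}"
# Ports from the original post. The list is the only thing this block knows
# about Kazaa, so a client moved to another port is not caught by it.
KAZAA_PORTS="${KAZAA_PORTS:-1214 3531}"

# Why FORWARD: a LAN host's packets to the Internet are routed *through*
# the gateway. INPUT only sees packets addressed to the gateway itself and
# OUTPUT only packets the gateway generates, so rules there never match
# the guest's connections. Only FORWARD sees traffic passing between
# eth0 and eth1.
block_kazaa() {
    # Dedicated chain: one jump from FORWARD, all the port rules live here.
    $IPTABLES -N p2p_block 2>/dev/null || true   # "chain exists" on a re-run is harmless
    $IPTABLES -F p2p_block
    for port in $KAZAA_PORTS; do
        for proto in tcp udp; do   # the post's rules covered TCP only
            # Log first (rate-limited so a busy client cannot flood syslog), then drop.
            $IPTABLES -A p2p_block -p "$proto" --dport "$port" \
                -m limit --limit 3/minute -j LOG --log-prefix "P2P blocked: "
            $IPTABLES -A p2p_block -p "$proto" --dport "$port" -j DROP
        done
    done
    # Insert at position 1 so the jump is evaluated before any existing
    # "LAN -> Internet ACCEPT" rule further down the FORWARD chain.
    $IPTABLES -I FORWARD 1 -i "$LAN_IFACE" -o "$INET_IFACE" -s "$GUEST_IP" -j p2p_block
}

# Logging only the first packet of each new connection shows the destination
# port of the service being contacted (80, 21, 1214, ...). Logging every
# packet, as the post's LOG rule does, also records replies and the client's
# ephemeral source ports, which is why those numbers looked random.
log_guest_connections() {
    $IPTABLES -I FORWARD 1 -i "$LAN_IFACE" -s "$GUEST_IP" -m state --state NEW \
        -m limit --limit 10/minute -j LOG --log-prefix "Guest new conn: "
}

# Usage:   sh block_kazaa.sh apply
# Preview: IPTABLES=echo sh block_kazaa.sh apply
if [ "${1:-}" = "apply" ]; then
    log_guest_connections
    block_kazaa
fi
```

Run it with IPTABLES=echo first and check that every generated rule names FORWARD or p2p_block and none names INPUT or OUTPUT. The block matches ports only, so it is only as good as the port list; matching P2P protocols by their payload is what the kernel modules mentioned later in the thread are for.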
You are right, frogman, it is my network. But I am trying not to be a complete ogre. Though he may leave me no choice. Lucky for me he is not too computer savvy.
Both projects offer a kernel module + iptables module. They provide a more or less reliable means to detect P2P traffic (various protocols supported, you can specify which ones you want). This way, you can either drop all those packets in general or limit traffic.
If your main problem is that the Kazaa user steals all other users' bandwidth, you might also have a look at my own script on http://www.metamorpher.de/fairnat/, which uses Traffic Shaping to share bandwidth in a fair manner among clients in your LAN. This script also supports (experimental feature) IPP2P mentioned above.
HTH
Last edited by frostschutz; 05-09-2004 at 09:12 AM.