security policy iptables
I am running Linux FC4 for internet sharing. I want to block all peer-to-peer software, but want to allow all HTTP, FTP and webcam traffic.
So I'm running squid, and NAT using iptables. My query is this: when I set the FORWARD default policy to DROP, users (clients) are unable to connect to Yahoo Messenger, but are able to connect to MSN. That is, it blocks all kinds of software, so I'm getting complaints. When I set the default policy of the FORWARD chain to ACCEPT, there's no problem. My rules related to Yahoo are:

    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 5000:50001 -j ACCEPT
    iptables -A INPUT -p udp --dport 5000:50010 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5050 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 5000:50001 -j ACCEPT
    iptables -A FORWARD -p udp --dport 5000:50010 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 5050 -j ACCEPT

Any suggestion? Thanks in advance for the help.
Yes:
1. You need not allow the ports in the INPUT chain, unless you want to use Yahoo from the firewall itself, which I do not recommend.
2. It should be enough to allow ESTABLISHED,RELATED in the FORWARD chain, and allow the internal interface. Example: eth0 = external connection, eth1 = internal connection

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -j ACCEPT

This will allow everything outgoing. Then you start closing things, and test while you create new rules, so that you know which rules are causing trouble.
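The reply's approach turned into a complete gateway script, as an added example that is not part of the thread and not either poster's own code. It assumes eth0 is the external interface, eth1 the internal one, a LAN of 192.168.1.0/24 and squid on TCP 3128 (none of these appear in the thread); the `BLOCKED_TCP_PORTS` list is the "start closing things" step and is left empty because the thread names no port numbers. Setting `IPTABLES=echo` prints the commands instead of applying them, which is how you can review the ruleset without root.

```shell
#!/bin/sh
# Added example: a NAT gateway ruleset built the way the reply suggests.
# Assumptions (not from the thread): eth0 is the external interface, eth1 the
# internal one, the LAN is 192.168.1.0/24, and squid listens on TCP 3128.
# Set IPTABLES=echo for a dry run that prints the commands instead of applying
# them (iptables itself needs root).

apply_gateway_rules() {
    ipt="${IPTABLES:-iptables}"
    ext_if="${EXT_IF:-eth0}"
    int_if="${INT_IF:-eth1}"
    lan_net="${LAN_NET:-192.168.1.0/24}"
    # TCP ports to drop for LAN-to-internet traffic; empty by default because
    # the thread names no port numbers. Fill in as you "start closing things".
    blocked_tcp_ports="${BLOCKED_TCP_PORTS:-}"

    # Clean slate in the filter and nat tables.
    "$ipt" -F
    "$ipt" -X
    "$ipt" -t nat -F

    # Default-deny for traffic to and through the firewall; its own outbound is open.
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # INPUT: loopback, replies to the firewall's own connections, and LAN
    # clients reaching squid. No rule accepts NEW TCP from the internet.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -i "$int_if" -s "$lan_net" -p tcp --dport 3128 -j ACCEPT

    # FORWARD 1: return traffic for connections the LAN already opened.
    # The question's ruleset had no state rule in FORWARD at all.
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # FORWARD 2: the "closing things" step. Blocks must come BEFORE the
    # allow-all below, and LOG first so a rule that breaks something is visible.
    for port in $blocked_tcp_ports; do
        "$ipt" -A FORWARD -i "$int_if" -o "$ext_if" -p tcp --dport "$port" \
            -j LOG --log-prefix "FWD-BLOCK: "
        "$ipt" -A FORWARD -i "$int_if" -o "$ext_if" -p tcp --dport "$port" -j DROP
    done

    # FORWARD 3: everything else from the LAN out to the internet. The -s
    # match also refuses packets arriving on eth1 with a non-LAN source.
    "$ipt" -A FORWARD -i "$int_if" -o "$ext_if" -s "$lan_net" -j ACCEPT

    # NAT: hide LAN addresses behind the external interface.
    "$ipt" -t nat -A POSTROUTING -o "$ext_if" -s "$lan_net" -j MASQUERADE
}

# Apply only when invoked as "./gateway.sh apply"; sourcing just defines the function.
if [ "${1:-}" = "apply" ]; then
    apply_gateway_rules
fi
```

Run `IPTABLES=echo sh gateway.sh apply` to read the rules it would load, then `sh gateway.sh apply` as root. Two things worth noticing against the question's rules: `-A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` accepts new TCP connections to the firewall from any interface, which cancels the INPUT DROP policy, so it is not carried over here; and because FORWARD relies on connection tracking rather than per-port holes, replies to any LAN-initiated connection (TCP or UDP) come back without listing the ports. `-m state` is the match the thread uses; on current kernels `-m conntrack --ctstate` is the equivalent.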
Thanks for the help, I'll check this.
Take care. Bye.