LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-12-2005, 07:47 AM   #1
Ammad
Member
 
Registered: Apr 2004
Distribution: redhat 9.0, fc4, redhat as 4
Posts: 517

Rep: Reputation: 31
Question security policy iptables


i am running linux fc4, for internet shairing, i want to block all peer 2 peer softwares, but want to allow all http , ftp ,webcam.
so running squid, and nat using iptables.
query is that when i set FORWARD default policy to DROP, users (clients) are unable to connect yahoo messenger, but able to connect msn.
that is to block all kind of softwares. ,
so getting complaigns.
when i set default policy to ACCEPT of FORWARD Chain. no problem.

my rules related to yahoo. are

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 5000:50001 -j ACCEPT
iptables -A INPUT -p udp --dport 5000:50010 -j ACCEPT
iptables -A INPUT -p tcp --dport 5050 -j ACCEPT



iptables -A FORWARD -p tcp --dport 5000:50001 -j ACCEPT
iptables -A FORWARD -p udp --dport 5000:50010 -j ACCEPT
iptables -A FORWARD -p tcp --dport 5050 -j ACCEPT




any suggestion ?


thanks for help advance
 
Old 11-12-2005, 09:36 AM   #2
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 32
yes:
1. you need not allow the ports into the INPUT chain, unless you want to use yahoo from the firewall itself, which i do not recomend.

2. it should be enough to allow ESTABLISHED,RELATED in the FORWARD chain, and allow the internal interface.
example: eth0 = external connetion, eth1 = internal connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
this will allow everything outgoing.
then you start closing things, and test, while you create new rules, so that you know which rules are causing trouble.
 
Old 11-14-2005, 06:15 AM   #3
Ammad
Member
 
Registered: Apr 2004
Distribution: redhat 9.0, fc4, redhat as 4
Posts: 517

Original Poster
Rep: Reputation: 31
Thanks for help , i'll check this .
Take care
Bye
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables DEFAULT POLICY lappen Linux - Newbie 8 02-23-2011 03:55 AM
mysql entry in catalina.policy when using security option gschrade Linux - Software 5 03-23-2004 11:23 AM
Domain Security Policy talkinggoat Linux - Networking 0 10-10-2003 11:25 AM
designing security policy for organisations sadiboyz Linux - Security 2 09-03-2003 03:18 AM
iptables: Bad policy name rioguia Linux - Security 10 01-09-2003 11:21 PM


All times are GMT -5. The time now is 02:09 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration