blocking some port for NAT clients

freelinuxcpp · 02-10-2004, 03:04 AM

hello every1
i have a little linux box that do nat for some windows machines , in order to economize some debit i wanna block undeeded port such liike port used by kazaa and such ptp
for that i used this set of rules ;

[cote]
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 1001:65000 -j DROP
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 80 - ACCEPT
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 25 - ACCEPT
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 110 - ACCEPT
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 1863 - ACCEPT
iptables - t nat -A POSTROUTING -s $LAN -p tcp --dport 5050 - ACCEPT
[/cote]
but this seems to dont work , the clients wasn't able to use any of the common programme they are used to use
i suppose i m using the wront chain , but need some advices to get this working , thus any help would be welcome

schagnot · 02-11-2004, 02:29 PM

With iptables, your internal LAN must pass through your FORWARD chain to get out to the internet. If you are just masquerading internal clients to the outside world, you would want one POSTROUTING rule such as

/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -s $LAN -d 0.0.0.0/0 -o eth0

The eth0 in the above example would be your external interface.

Now you would handle your rules in the FORWARD chain. Set the default policy to DROP and then allow the services you want. Put a LOG rule in as your last rule in the FORWARD chain so you will see the packets that are being dropped off the end of the chain (in other words, the ones that are being blocked). You do not need to have an explicit DROP rule as anything that is not accepted is dropped by the DROP policy.

As for Kazaa - it is going to be able to get out through any port that is open. You are going to have a hard time blocking it.

freelinuxcpp · 02-14-2004, 05:06 AM

first thanx for the reply
i tried to do this using the FORWARD chains , my goal now is to block all IM ( instant messangers) for the clients , i start testing with yahoo messanger which seem much more smart tha i thought , when i block the port 5050 it uses telnet one , and this is blocked too it used an IP tunneling throught the http port (80) , is there anyway to block it ?