Linux - Networking
My brother has started 'boosting' and it is quite annoying. It opens a few hundred connections to Yahoo servers whilst creating Yahoo IDs. I believe he is probably trying to sell them online to make money. He won't give me a reason why he is creating thousands of similarly named Yahoo game IDs with high grades.
I don't wish to be responsible for the consequences, so I am going to block him from using the program. I have found out that the "booster" connects to yogXX.games.scd.yahoo.com
Doing a 'host' on yogxx.games.scd.yahoo.com shows them to be on the IP range
66.218.68.*
So would this suffice:
iptables -A OUTPUT -o eth1 -s 192.168.0.3 -p tcp -d 66.218.68.0/8 -j DROP
? Have I got the subnet right?
Is it best to block it outbound, or block it on the INPUT chain?
I would suggest you block it in both chains, as well as maybe the FORWARD chain, if he proxies through your linux box. Your rule looks good to me, but I am not sure about the subnet. Also a good idea to use DROP as you did, it will make him pull his hair out trying to figure out what happened. lol
Remember the golden rule of iptables.
1. Write the rules
2. implement the rules
3. test the rules
3.5 Pull hair out.
4. repeat until perfect or no hair left.
If he is using your pc, put a -j LOG rule in the nat table POSTROUTING chain to catch any of the extra ip numbers he may jump to,
then block them in the OUTPUT chain.
For your example...
iptables -A OUTPUT -o eth1 -s 192.168.0.3 -p tcp -d 66.218.68.0/8 -j DROP
...
don't worry about the -s source ip address if it is your pc,
the subnet will be 24 not 8,
do -I rather than -A to place it first in the rule list.
Rules should run from the most specific first to the most general last.
If he is FORWARDING through your pc from his pc, add the rule to the FORWARD chain.
You say put the most general rules last and the specific ones first? I guess it makes sense, but isn't a packet more likely to be hit by a general rule than a specific one?
I run iptables -vL | more and usually see that the rules are in the correct order of packet count, so I must have them the right way round, I think.
I have the rules so that the ones with the highest packet count (shown by iptables -vL) are at the top, regardless of the byte count. I take it this is the correct way to go?
The logic of the rulesets...
As soon as a packet matches a rule, it follows the -j target.
If it is ACCEPT or DROP or SNAT or DNAT etc, the packet stops traversing the rules.
The first rule that matches, dumps the packet out of the rule set, (generally)...
It is very likely a packet won't match a specific rule but very likely it will match a general rule.
So if the general rule comes first, the specific rule is a waste of time...
The best example of a general rule is the chain POLICY... imagine if that came first...!
Last edited by peter_robb; 02-25-2003 at 03:33 PM.
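Both points made in the replies above, that the subnet must be /24 rather than /8 and that a general rule placed before a specific one makes the specific one dead, can be checked without touching a live firewall. The script below is an added example, not code from the thread: a small POSIX sh first-match simulator over a made-up rule format (SRC/PREFIX DST/PREFIX TARGET, one rule per line; this is not iptables syntax). The addresses are the ones from the thread; treating LOG as non-terminating and ACCEPT/DROP/REJECT as terminating follows the description of chain traversal given above.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny first-match simulator for
# iptables-style chain traversal, used to check two points made in the replies:
#  1. 66.218.68.0/8 is really 66.0.0.0/8, so it would match all of 66.x.x.x;
#  2. a general rule placed before a specific one shadows it.
# The rule format "SRC/PREFIX DST/PREFIX TARGET" is an assumption of this
# example, not iptables syntax.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  echo "$1" | {
    IFS=. read -r a b c d
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
  }
}

# in_cidr IP NET/PREFIX -> exit status 0 if IP lies inside the network.
# The network address is masked as well, so 66.218.68.0/8 behaves as
# 66.0.0.0/8, which is what iptables makes of that argument too.
in_cidr() {
  _ip=$(ip_to_int "$1")
  _net=$(ip_to_int "${2%/*}")
  _bits=${2#*/}
  _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# trace_packet SRC DST POLICY   (ruleset on stdin, one rule per line)
# Walks the rules top to bottom like a chain. LOG is non-terminating, so it
# is recorded and traversal continues; ACCEPT/DROP/REJECT end traversal.
# Prints the targets hit, space separated, ending with the terminating
# target or, if nothing terminated, the chain policy.
trace_packet() {
  _hits=""
  while read -r r_src r_dst r_target; do
    case $r_src in ''|'#'*) continue ;; esac
    if in_cidr "$1" "$r_src" && in_cidr "$2" "$r_dst"; then
      _hits="$_hits$r_target "
      case $r_target in
        ACCEPT|DROP|REJECT) echo "${_hits% }"; return 0 ;;
      esac
    fi
  done
  echo "${_hits}policy:$3"
}

# Constructed ruleset in the shape the thread converges on: LOG first, then
# DROP, both limited to the brother's PC and the Yahoo /24. Chain policy ACCEPT.
good_rules() {
  cat <<'EOF'
192.168.0.3/32 66.218.68.0/24 LOG
192.168.0.3/32 66.218.68.0/24 DROP
EOF
}

# The same rules with a general ACCEPT placed first: the specific rules are
# never reached, which is the "waste of time" described above.
shadowed_rules() {
  cat <<'EOF'
0.0.0.0/0 0.0.0.0/0 ACCEPT
192.168.0.3/32 66.218.68.0/24 LOG
192.168.0.3/32 66.218.68.0/24 DROP
EOF
}

echo "good rules, yahoo server:   $(good_rules | trace_packet 192.168.0.3 66.218.68.10 ACCEPT)"
echo "good rules, other 66.x host: $(good_rules | trace_packet 192.168.0.3 66.1.2.3 ACCEPT)"
echo "shadowed rules, yahoo:       $(shadowed_rules | trace_packet 192.168.0.3 66.218.68.10 ACCEPT)"
echo "does /8 catch 66.1.2.3?      $(in_cidr 66.1.2.3 66.218.68.0/8 && echo yes || echo no)"
echo "does /24 catch 66.1.2.3?     $(in_cidr 66.1.2.3 66.218.68.0/24 && echo yes || echo no)"
```

The same experiment on a real box is iptables -vL with the counters reset (iptables -Z) and a single test connection: with the general rule first, the counter on the specific rule never moves.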
# INPUT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -j REJECT
# FORWARD: Allow all connectionz out, but only existing and related ones
# back in
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
#iptables -A FORWARD -j LOG --log-prefix "FORWARD: "
#iptables -A FORWARD -j REJECT
# Do the funky masquerading
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Apologies for the comments, I was having a weird day.
This way you can use $INTIP where you used to type the full IP address. It saves a lot of time, as you can then just change the variable definition and it will affect all rules that use the variable.
Take a look at the example scripts in the tutorial,
anti spoofing rules, flood rules, LOG rules, invalid packet rules, ACCEPT policies, you have an open FORWARD policy, module loading and sysctl settings as a minimum recommendation...
If someone scanned your system, they would discover a lot of information about what is/isn't open etc and you wouldn't know they were even looking...
I'm not being devil's advocate just because some extra rules are nice,
it's because they are necessary.
A good example would be blocking outward connections, especially ports 137-139 which you will find in a LOG file.
Last edited by peter_robb; 02-25-2003 at 05:21 PM.
So I see a default ACCEPT policy... coz this line is commented out...
#iptables -A FORWARD -j REJECT
That to me is an open FORWARD policy...
You haven't stated whether your brother is using your box or one in the LAN.
My guess it is in the LAN, but guesses can cause trouble... especially if you want to be restrictive...
''My brother has started 'boosting' and it is quite annoying. It opens a few hundred connections to Yahoo servers whilst creating Yahoo IDs. I believe he is probably trying to sell them online to make money. He won't give me a reason why he is creating thousands of similarly named Yahoo game IDs with high grades.
I don't wish to be responsible for the consequences, so I am going to block him from using the program. I have found out that the "booster" connects to yogXX.games.scd.yahoo.com''
So I'm going on what's posted, and you need to supply the rest...
Restricting in the OUTPUT chain if he is local, in the FORWARD chain & the nat table POSTROUTING chain if he is LAN based.
You will need to cover your bases and get a list of his traffic in order to make a sensible blocking rule set.
Use -j LOG rules for that... many of them...
The tutorial covers all the necessary settings and the reasons why.
It's long, but covers everything you are asking.
And it's much better you read this than we keep posting excerpts. The format is much better in the tutorial.
If there's something confusing in the tutorial, we're here to help with that...
Last edited by peter_robb; 02-26-2003 at 04:10 AM.