Hi
I am currently implementing layer-7 packet filtering on my Debian router with ipp2p. This has been done to prevent wireless users from using well-known file-sharing applications (eDonkey, BitTorrent, Kazaa, etc.).
The current iptables configuration that I have is doing everything very well.
Now I want to be able to run the amuled daemon ON the Debian router itself, but I am not really sure how to tell iptables to whitelist the traffic that is not being forwarded.
In other words, the ipp2p module should not drop the packets originating from or destined for the router.
Here is my current script:
Code:
# Interface connected to Internet
INTERNET="eth1"
# Address connected to LAN
LOCAL="10.0.1.0/24"
# VPN
VPN="5.0.0.0/8"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
# (on newer kernels these modules are named nf_conntrack and nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable Munin stats (rules without a -j target only count packets/bytes for munin's ip_ plugin)
iptables -A INPUT -d 37.244.81.222
iptables -A OUTPUT -s 37.244.81.222
iptables -A FORWARD -i eth1
iptables -A INPUT -d 10.0.1.2
iptables -A OUTPUT -s 10.0.1.2
iptables -A FORWARD -i eth0
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections the router itself opened (DNS, passive FTP data via ip_conntrack_ftp)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP
# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT
# unlimited access to VPN
iptables -A INPUT -s $VPN -j ACCEPT
iptables -A OUTPUT -s $VPN -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Thanks for your help guys
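An added example (not the poster's script) showing one way to keep ipp2p on forwarded LAN traffic only while letting the router's own amuled sessions through: the `-m owner` match, which only exists in the OUTPUT chain, accepts packets generated by the daemon's user before any ipp2p rule sees them, and the conntrack rule accepts the replies. The user name `amule`, the listening ports (aMule's usual defaults, to be checked against amule.conf) and the `IPT` dry-run variable are assumptions; the interface and network variables match the original script.

```bash
#!/bin/sh
# Added example, not the original poster's script.
# Order matters: rules are evaluated top to bottom within a chain, so the
# whitelist entries must be appended before the ipp2p DROP rules.
IPT="${IPT:-iptables}"            # set IPT=echo to print the rules instead of loading them
INTERNET="${INTERNET:-eth1}"      # same interface as the original script
LOCAL="${LOCAL:-10.0.1.0/24}"     # same LAN as the original script
AMULE_USER="${AMULE_USER:-amule}" # assumed: the system user amuled runs as
AMULE_TCP="${AMULE_TCP:-4662}"    # assumed: aMule default TCP listening port
AMULE_UDP="${AMULE_UDP:-4672}"    # assumed: aMule default UDP listening port

p2p_rules() {
    # 1. Locally generated packets owned by the amuled user are accepted
    #    in OUTPUT before ipp2p can inspect them (-m owner works only here).
    $IPT -A OUTPUT -m owner --uid-owner "$AMULE_USER" -j ACCEPT

    # 2. Inbound: accept replies to flows the router opened, plus new
    #    connections to amuled's listening ports, before the ipp2p rule.
    $IPT -A INPUT -i "$INTERNET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INTERNET" -p tcp --dport "$AMULE_TCP" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$INTERNET" -p udp --dport "$AMULE_UDP" -j ACCEPT

    # 3. Forwarded traffic from the wireless LAN is still filtered by ipp2p;
    #    packets to/from the router itself never traverse FORWARD.
    $IPT -A FORWARD -s "$LOCAL" -m ipp2p --ipp2p -j DROP

    # 4. Optional: keep ipp2p on the router's own remaining traffic. Everything
    #    amuled sends or receives was already accepted above, so it is unaffected.
    $IPT -A OUTPUT -m ipp2p --ipp2p -j DROP
    $IPT -A INPUT  -m ipp2p --ipp2p -j DROP
}

# Returns 0 if, in the emitted rule list, the owner whitelist precedes the
# OUTPUT ipp2p DROP (a cheap sanity check before loading rules for real).
check_order() {
    rules=$(IPT=echo; p2p_rules)
    allow=$(printf '%s\n' "$rules" | grep -n -- '--uid-owner' | cut -d: -f1 | head -n1)
    drop=$(printf '%s\n' "$rules"  | grep -n -- '-A OUTPUT -m ipp2p' | cut -d: -f1 | head -n1)
    [ -n "$allow" ] && [ -n "$drop" ] && [ "$allow" -lt "$drop" ]
}

# Usage (as root): sh this_script.sh        -> loads the rules
#                  IPT=echo sh this_script.sh -> prints them for review
if [ "${1:-}" != "--no-run" ]; then
    check_order || { echo "rule order is wrong, not loading" >&2; exit 1; }
    p2p_rules
fi
```

Because the `-m owner` match sees only locally generated packets, the FORWARD chain is untouched by the whitelist and the wireless clients stay filtered exactly as before; the `check_order` helper exists so the ordering assumption can be verified with `IPT=echo` before touching a live firewall.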