opening kazaa and paltalk port in iptables
Hi all,
I'm using RedHat Linux 9.0 and running a firewall with iptables. I'm trying to open only specific ports for my clients for specific software and block all other ports. I need to know what ports should be used for Kazaa, Net2Phone and Paltalk. Where or how can I find out which software uses which ports? Is there any way?
Instead of opening specific ports, why don't you try state matching. If you have a rule like this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
when you are running Kazaa (or any other program) the data returned from the internet will be ESTABLISHED and RELATED packets and will be accepted regardless of the port.
Hi,
Thanks for your reply. In fact I was doing it that way for two reasons. First, I didn't know about state matching. Second, I must, must, must block all ports because of some fucking broadcasting from my network computers. I have to put this line at the end of my iptables firewall:
iptables -A FORWARD -s 0/0 -d 0/0 -j REJECT
If I don't write this line my whole network crashes because of the broadcasting. I've written your line just before my last line:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
but still Kazaa and Net2Phone are not working. Do I have to do something else besides putting this line in my firewall?
You're going to have to post your whole firewall. I'm not going to be able to make any sense out of just a couple of lines.
Quote:
iptables -P FORWARD DROP
Thanks!
Well, I know this is not anything normal for the network. I've noticed some of my clients' computers are sending packets automatically (even thousands of bytes per second) and asked someone for help. He told me that it's "broadcasting" from the Windows machines. Then he suggested I use a firewall which was mostly written by him. I'm giving you my firewall script here; hope that it'll help you to help me :) My eth0 (IP 216.236.104.124) is connected to the internet and eth1 (192.168.100.254) is connected to the LAN. I'm running a Squid proxy on this 192.168.100.254 machine and clients can browse through this proxy. My /etc/rc.d/rc.local is as follows:
depmod -a
modprobe ipt_mac
modprobe ip_conntrack_*
modprobe ip_nat_*
iptables -F
iptables -t nat -F
/etc/rc.d/rc.firewall
and my rc.firewall script is as follows:
iptables -A INPUT -s 192.168.100.254 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 192.168.100.254 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 8- -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 6801 -j ACCEPT
iptables -A FORWARD -p udp -s 0/0 -d 0/0 --dport 6801 -j ACCEPT
.... and so on ..... simply adding the tcp or udp ports that I wanted to forward .....
iptables -A FORWARD -s 192.168.100.0/24 -d 0/0 -j REJECT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 216.236.104.124
That is all! Now I think you can understand why I was searching for the Net2Phone, Paltalk and Kazaa ports: because I wanted to open these ports in my firewall script. If you suggest it, I'll redesign my firewall script. But if possible please tell me how I can use those programs within my current firewall. I didn't want to delete it because it's working well; at least browsing, Yahoo and MSN are working fine. Thank you again, waiting for your reply.
OK, this could get a bit ugly. Before making any changes to your script, make sure you have a backup copy so you can at least get back to where you are.
First, you don't set your table defaults. Not a biggie, but in order to have a proper firewall, you need to KNOW what the defaults are. Since this box is connected to the internet, unless you have good security, you are going to get owned. So, near the top of your script I would add these:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now you are shut down tight. The next thing is to allow the traffic you want in. By and large, you've already got that done for your FORWARD table, but you probably want to add some lines to allow you in and out from this box:
iptables -A INPUT -i lo -j ACCEPT #accept all loopback
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -i lo -j ACCEPT
iptables -A OUTPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Leave your FORWARD lines and nat line as they are.
Now I'm making the assumption that you want to use Kazaa and the other programs from the box this script is running on. If that isn't true, please let me know.
Hello,
When I tried to restart my firewall I got the message "Can't use -i with OUTPUT" :(
Oops... Sorry, not enough coffee this morning. Just drop the -i eth0 in the second OUTPUT rule, and you probably don't need the lo OUTPUT rule at all:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Hello friend,
Sorry for bothering you again, but it's still not working. Simply put, state matching is not working until I ACCEPT FORWARDING. I've also tried the following:
..........................................
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
...........................................
I'd like to let you know that if I put a forwarding rule that ACCEPTs a specific IP before blocking everything, all the programs like Kazaa, Paltalk and Net2Phone work fine from that IP:
iptables -A FORWARD -s 192.168.100.135 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 0/0 -j DROP
I'm starting to think that I really don't understand the entire problem.
Are you trying to use the computer running this iptables script for Net2Phone and the others, or are you trying to use this computer as a router while you're running the other programs on different computers?
Quote:
but those Windows machines are infected with some kind of worms which are sending packets continuously.
Quote:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
I'm assuming that eth0 is your external interface and eth1 is your internal interface. Adjust this line accordingly. You might want to have a quick look at this firewall script as it shows an example of forwarding using state matches. It has one more interface than you do, but I think it is a decent example. If that doesn't work, then you are going to have to do some digging and find out what ports these programs do run on. That may not be easy since some of them (I think Kazaa is an example) search for open ports and may not always use the same one.
Quote:
Well, I've already notified them to download the Windows patches and clean the worms with a remover. But you know it's not a professional solution. I must make my router prevent everything. In fact I'm also new to Linux. Before this I was using a Windows router, but........... after the worm attack......... I've lost all faith in Windows.
...I'd first like to comment that using KaZaA is a foolish thing with wild and far reaching security implications. Now, with that being said, here are some things to consider:
1) The iptables -A switch will APPEND, or put at the end of a chain, whereas iptables -I will INSERT at the beginning of the chain. Packets are probably being dropped before a pass rule is examined.
2) Get a better understanding of how KaZaA works before opening/forwarding ports. It is my understanding that P2P NETWORKING (part of the KaZaA bundle from Joltid) uses port 3531 for peer communication in establishing who is the supernode, etc. This port may have to be opened and forwarded for both tcp and udp to the KaZaA box. Use PREROUTING for this. Fire up Ethereal and then KaZaA, watch what it tries to do and ALLOW one piece at a time.
3) Look at the structure of your tables as you retool with:
iptables -L --line-numbers | less
If your pass rules are at the end of a chain, it won't work...
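The advice scattered through the replies (DROP policies, loopback and state-match rules on the router itself, stateful FORWARD in both directions, the single trusted LAN host, a PREROUTING forward for port 3531, SNAT) assembled into one script. This is an added example, not any poster's script; it assumes the thread's layout (eth0 = 216.236.104.124 on the internet, eth1 on LAN 192.168.100.0/24, Squid on port 3128, 192.168.100.135 as the LAN box running the P2P programs) and only applies rules when invoked with the argument apply.

```shell
#!/bin/sh
# Added example (not any poster's script): a stateful two-interface router
# built from the thread's advice. Assumed from the thread: eth0 faces the
# internet (216.236.104.124), eth1 faces the LAN 192.168.100.0/24, Squid
# listens on 3128, and 192.168.100.135 is the LAN box running the P2P apps.
EXT_IF=eth0
INT_IF=eth1
EXT_IP=216.236.104.124
LAN=192.168.100.0/24
P2P_HOST=192.168.100.135
IPT=${IPT:-iptables}

# Emit the rule set, one command per line, in the order it must be applied.
# With DROP policies every ACCEPT is appended (-A) before the final REJECT,
# which is the ordering problem the last reply warns about.
fw_rules() {
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i $INT_IF -s $LAN -p tcp --dport 3128 -m state --state NEW -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $P2P_HOST -m state --state NEW -j ACCEPT
$IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 3531 -j DNAT --to-destination $P2P_HOST
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -d $P2P_HOST -p tcp --dport 3531 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -j REJECT
$IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $EXT_IP
EOF
}

# Apply the rules (needs root); fw_show lists the result with rule numbers
# so the ordering can be checked, as the last reply suggests.
fw_apply() { fw_rules | sh -e; }
fw_show()  { $IPT -L -v -n --line-numbers; }

if [ "${1:-}" = apply ]; then fw_apply; else fw_rules; fi
```

Only NEW connections from the LAN that match a listed port or come from the trusted host are forwarded; the worm traffic from the other Windows boxes hits the REJECT, while return traffic for the allowed connections is accepted by state regardless of port.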