iptables and ports
Hi,
I want to use iptables in order to reject a range of ports, from 1025 to 2025. What is the syntax? The following chain is valid for just one port:
Code:
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024 -j REJECT
The following is valid for two ports:
Code:
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 -m multiport --dport 1024,1025 -j REJECT
Since I can't enumerate all the ports one by one (it would be too long), what if I would like to reject many more ports, let's say from port 1025 until port 2025? How do I write it, using iptables of course? Thanks a lot for your reply. I looked in 'man iptables' but I couldn't sort it out. Thanks again, red
You would be much better served to put in a broad reject-all-ports statement and then add accept statements for only those ports you do want to accept. That is to say, do your iptables by inclusion rather than exclusion. The list of ports you actually need to have open would be much shorter. It's not clear why you would only want to reject the range you gave, given that there are thousands of ports.
On a DNS server, for example, I only open port 22 for ssh on the internal NIC, along with 1 port for our backup software on that same NIC. I also open up the transfer port for the slave DNS on that NIC. Externally I only open up the port that allows for DNS lookups. A total of 5 ports out of the thousands possible. Even on a system where you were running more than that, you likely can limit it to very few ports. Remember you can limit inbound without limiting outbound.
Hi jlightner
So I want to restrict some ports. Well, if you have a better idea I would be grateful. Thanks a lot for your reply, red
Better use squid, or set up HTB and shape bandwidth and put the assh0l3s' IPs in the low priority class...
Understand HTB by reading this: http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm and modify this script and apply it to both the external (to control upload speed) and internal (to control download speed of your LAN clients) interface: http://lartc.org/wondershaper/ I use both squid on my proxy server and HTB on my router... and since then I'm in complete control of the bandwidth hogs on my network :) Blocking Skype is not easy but doable with squid and a regular expression I found posted on another site by a pro...
The syntax to enumerate a range of ports with iptables is with ":", for example:
Code:
iptables -A INPUT -i eth0 -p tcp \
    --dport 1024:65535 \
    -j DROP
will drop all incoming packets from the eth0 interface with destination any unprivileged port. Hope it will be of help to you.
Thanks gr3p for your reply
I am still a newbie, and when I went through your links I was afraid because I did not understand what they were talking about. Do you have a less complicated answer? I want to stop "SKYPE, AMULE and MSN" because I think that they are killing the bandwidth. Can't we use iptables? Sorry, but I am still a newbie and perhaps after a while I will try to go through your links. The other way is to tell me what I should do exactly, I mean step by step. I downloaded the wondershaper but I don't know what to do after. Where should I put the script, for example? How do I use HTB? Thanks again, red
Hi wistoka
Thanks for replying. I followed your suggestion and I wrote, since I've got a LAN and a GATEWAY:
Code:
iptables -A FORWARD -p tcp --dport 1025:50000 -s O/O -d 192.168.0.5 -j REJECT
It says "invalid mask". What does this mean? I have an ADSL, a subnet LAN 192.168.0.0, the masquerade is started, and a Gateway which has two network cards: 192.168.0.2 which is my LAN and 192.168.1.2 which is linked to the modem. I want to stop the 192.168.0.5 computer from using Skype, MSN and Amule. Thanks again, red
OK, tell me your total upstream/downstream bandwidth. Also tell me a client IP too... you can monitor the top bandwidth hog by using a tool like iptraf.
EDPnet Speed Test result: Your bandwidth 130.729 Kbps (16.341 KB/sec). The IP address that I want to drop or reject is 192.168.0.55, which has MAC address 00:08:a1:34:96:f7. Since I am using DHCPD, this IP address could change. red
Try something like this:
Code:
iptables -A INPUT -p tcp --dport 1025:50000 -m mac --mac-source XX:XX:XX:XX:XX:XX -d 192.168.0.5 -j REJECT
You might want to think about whether you need both tcp and udp included. Do you want to block it going to any destination rather than just 192.168.0.5? (-d any)
Thanks mossy for replying
On the other hand, I tried the following rule but without any good result:
Code:
iptables -A INPUT -p tcp --dport 1025:65000 -m mac --mac-source 00:08:A1:26:20:A1 -d 0/0 -j REJECT
Now, since I can't deselect the 80 and 443 ports (it is not my computer), I am still scratching my head.
Do we have to use the FORWARD or the INPUT chain?
And 'iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.163 --dport 1024:2025 -j REJECT' should do it, unless I'm missing something :/
I will check and you will get the response soon; actually I am away from my desk.
Thanks for following with me. red
Hi bruj3w
Well, I am sorry, but it is still working. I also stopped port 80: still working. I stopped both tcp and udp: still working. I stopped ports "1025:60000": still working. I am still searching how to stop SKYPE, MSN and AMULE with iptables. Thanks, red
I think it is rather the FORWARD chain that we should use since the packet is coming from one network to another network.
What do you think about it? red |
dropping SKYPE
Hello guys :)
How could I drop SKYPE using IPTABLES for a particular PC (192.168.0.5)? I have a PC with two NICs:
- 192.168.0.2, my LAN
- 192.168.1.2, attached to the ADSL modem, which has 192.168.1.1 as its NIC IP address
- a DHCP server serving, of course, the 192.168.0.0 subnet
Thanks guys for your help, red
Yes, you need to use the FORWARD chain, not the INPUT chain; INPUT is used only for connections to the firewall (locally) itself. The FORWARD chain is the one needed to stop the packets from travelling between the networks. Also, could you post the contents of your firewall script? This will help in understanding all the rules you have already set up. We will also be able to see if there is already a rule in place that may be accepting the packet before it gets to your rule that blocks it. Once a packet of data has been accepted it will be let through on its merry way; once this happens you can no longer stop the packet with the firewall.
Thanks photoguy
I've got a PC which has 2 NICs:
- 192.168.0.2, my LAN "GATEWAY"
- 192.168.1.2, the WAN NIC, which is connected to the ADSL modem with IP 192.168.1.1
My LAN is from 192.168.0.3 to 192.168.0.24, using DHCPD. Right now I flushed everything, which means that all is accepted on INPUT, FORWARD and OUTPUT. I used MASQUERADE for my LAN. From here I would like to set up a firewall which can stop SKYPE, AMULE and MSN using iptables chains. However, if I can stop just SKYPE alone it will be great. red
Hey man, how many threads will you open for the same query? I already told you in your other thread that Skype is interesting ;)
If you have squid then just do tail -f /var/log/squid/access.log and see how horrible it is :D It can be blocked using squid with a regular expression... search Google...
OK, thanks gr3p
It is possible to block using a 3-layer approach.
Going back to jlightner's comments at the beginning of this thread, it is much easier to have a blanket block and then specifically allow services out. This means adding proxies for the different protocols (pop, imap, smtp, ftp, http, ntp, dns, maybe socks, etc.) to allow services out. Blocking just the high ports leaves access through ports 80 & 443. Forcing all traffic through an HTTP proxy and/or HTTP filter will stop Skype's non-HTTP-type encrypted connection on those ports. From the analysis of the Skype protocol at http://www.eecs.harvard.edu/~mema/co...nfocom2006.pdf the central point of blocking comes from denying access to the login server. Once a client has logged in, however, you need some stronger defenses. Having said all that, most companies I have added blocks to have asked for them to be removed, as Skype is such a valuable tool for calling, so now we are doing bandwidth control instead on port 443. To avoid mistaking HTTP traffic for Skype traffic, don't force 443 to the proxy, and make sure users have an HTTPS proxy set in their browser settings. You can also add another layer of control by only allowing outgoing NAT to some permitted services, preventing clients from accessing the internet directly.
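The inclusion approach that jlightner and photoguy describe (a default-deny FORWARD chain on the gateway, then a short allow list, with reply traffic accepted first so a later rule can never "un-block" it), as an added example that is not code from anyone in this thread. The interface names eth0/eth1 and the allowed port lists are assumptions, and the script assumes the MASQUERADE rule in the nat table is already in place; it only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: inclusion-style forwarding rules for the
# gateway described above (LAN 192.168.0.0/24 behind 192.168.0.2, WAN NIC
# 192.168.1.2). Interface names and the allow lists are assumptions.
LAN_IF=eth0               # assumed LAN interface
WAN_IF=eth1               # assumed WAN interface (towards the ADSL modem)
LAN_NET=192.168.0.0/24
ALLOWED_TCP="22 80 443"   # constructed allow list: ssh, http, https
ALLOWED_UDP="53"          # constructed allow list: dns

# rule: print the iptables command, or run it when APPLY=1 (needs root)
rule() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

gen_rules() {
    rule -P FORWARD DROP      # default policy: nothing crosses the gateway
    rule -F FORWARD           # start from an empty FORWARD chain
    # 1. replies to connections the LAN opened come back in; this goes first
    #    because iptables stops at the first matching rule
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. new outbound connections only to the permitted ports
    for p in $ALLOWED_TCP; do
        rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
             -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $ALLOWED_UDP; do
        rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
             -p udp --dport "$p" -j ACCEPT
    done
    # 3. log (rate-limited) and reject everything else from the LAN, so
    #    blocked clients fail fast and you can see what they tried to reach
    rule -A FORWARD -i "$LAN_IF" -m limit --limit 5/min \
         -j LOG --log-prefix "FWD-REJECT: "
    rule -A FORWARD -i "$LAN_IF" -j REJECT --reject-with icmp-port-unreachable
}

# number of explicitly permitted destination ports (sanity check for the list)
allowed_count() {
    set -- $ALLOWED_TCP $ALLOWED_UDP
    echo $#
}

gen_rules
```

With the policy at DROP, the per-host port-range REJECT rules discussed earlier in the thread are no longer needed: a LAN host can only reach what the allow list grants, and the LOG line shows in the kernel log what it tried to reach.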
OK, thank you everyone.
It seems that it is impossible to stop SKYPE; well, the right word is not impossible, but rather not an easy job. Never mind. Thanks again, red