LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-27-2006, 01:29 AM   #16
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15

I think it is rather the FORWARD chain that we should use since the packet is coming from one network to another network.

What do you think about it?

red
 
Old 10-27-2006, 01:53 AM   #17
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
dropping SKYPE

hello guys

How could I drop SKYPE using IPTABLES for a particular PC (192.168.0.5)?

I have a PC with two NIC's:
- 192.168.0.2 my LAN
- 192.168.1.2 attached to the ADSL modem, which has 192.168.1.1 as its NIC IP address
- a DHCP server serving, of course, the 192.168.0.0 subnet

Thanks guys for the help

red
 
Old 10-27-2006, 02:37 AM   #18
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
Originally Posted by hermouche
do we have to use the FORWARD or the INPUT chain?

Yes, you need to use the FORWARD chain, not the INPUT chain; the INPUT chain is used only for connections to the firewall (locally) itself. The FORWARD chain is the one needed to stop the packets from travelling between the networks.

Also, could you post the contents of your firewall script? This will help in understanding all the rules you have already set up. We will also be able to see if there is already a rule in place that may be accepting the packet before it gets to your rule that blocks it.

Once a packet of data has been accepted it will be let through on its merry way; once this happens you can no longer stop the packet with the firewall.
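As an added example (not code from the thread), here is the FORWARD-chain block for the PC from the question, inserted at the top of the chain so it is evaluated before any earlier ACCEPT rule; it assumes the LAN NIC is eth0 and the WAN NIC is eth1, and IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: drop forwarded traffic from one LAN
# host (192.168.0.5 from the question) in the FORWARD chain, ahead of any
# earlier ACCEPT rule that would otherwise match first. Assumptions: LAN
# NIC eth0, WAN NIC eth1; set IPT=echo to print the rules instead of
# applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Rules are matched top to bottom, so "-I FORWARD 1" puts the block before a
# typical "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule; with -A the
# host's existing sessions would keep being accepted and never reach the DROP.
block_host_forward() {
    host="$1"
    # rate-limited LOG first, so blocked attempts are visible in syslog
    "$IPT" -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -s "$host" \
        -m limit --limit 3/min -j LOG --log-prefix "FWD-BLOCK $host: "
    "$IPT" -I FORWARD 2 -i "$LAN_IF" -o "$WAN_IF" -s "$host" -j DROP
}

# Show the chain with positions, to confirm the DROP sits above any ACCEPT.
show_forward_chain() {
    "$IPT" -L FORWARD -n -v --line-numbers
}

# Usage: sh block_host.sh 192.168.0.5           (apply, as root)
#        IPT=echo sh block_host.sh 192.168.0.5  (dry run)
if [ -n "${1:-}" ]; then
    block_host_forward "$1"
    show_forward_chain
fi
```

The LOG counter in `show_forward_chain` is the quick check that the rule is actually being hit; if it stays at zero while the host still gets out, an earlier rule is accepting the traffic.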
 
Old 10-27-2006, 03:50 AM   #19
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
thanks fotoguy

Quote:
Originally Posted by fotoguy
Yes, you need to use the FORWARD chain, not the INPUT chain; the INPUT chain is used only for connections to the firewall (locally) itself. The FORWARD chain is the one needed to stop the packets from travelling between the networks.

Also, could you post the contents of your firewall script? This will help in understanding all the rules you have already set up. We will also be able to see if there is already a rule in place that may be accepting the packet before it gets to your rule that blocks it.

Once a packet of data has been accepted it will be let through on its merry way; once this happens you can no longer stop the packet with the firewall.
OK here is my stuff

I've got a PC which has 2 NICs:
- 192.168.0.2 my LAN "GATEWAY"
- 192.168.1.2 the WAN NIC, which is connected to the ADSL modem with IP 192.168.1.1

My LAN is from 192.168.0.3 to 192.168.0.24 using DHCPD

Right now I flushed everything, which means that all is accepted: INPUT, FORWARD and OUTPUT.
I used MASQUERADE for my LAN.

From here I would like to set up a firewall which can stop SKYPE, AMULE, MSN using iptables chains.

However, if I can stop just SKYPE alone it will be great.

red
 
Old 10-27-2006, 06:13 AM   #20
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
Hey man, how many threads will you open for the same query? I already told you in your other thread that Skype is interesting.

If you have squid then just do

tail -f /var/log/squid/access.log

and see how horrible it is.

It can be blocked using squid with a regular expression... search Google...

Last edited by ~=gr3p=~; 10-27-2006 at 06:15 AM.
 
Old 10-27-2006, 09:29 AM   #21
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ~=gr3p=~
Hey man, how many threads will you open for the same query? I already told you in your other thread that Skype is interesting.

If you have squid then just do

tail -f /var/log/squid/access.log

and see how horrible it is.

It can be blocked using squid with a regular expression... search Google...

OK thanks gr3p
 
Old 10-27-2006, 10:21 AM   #22
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
It is possible to block using a 3-layer approach.

Going back to jlightner's comments at the beginning of this thread, it is much easier to have a blanket block and then specifically allow services out.
This means adding proxies for different protocols (POP, IMAP, SMTP, FTP, HTTP, NTP, DNS, maybe SOCKS, etc.) to allow services out.

Blocking just the high ports leaves access through ports 80 & 443.
Forcing all traffic through an HTTP proxy and/or HTTP filter will stop Skype's non-HTTP type encrypted connection on those ports.

From the analysis of the Skype protocol at http://www.eecs.harvard.edu/~mema/co...nfocom2006.pdf the central point of blocking comes from denying access to the login server.
Once a client has logged in, however, you need some stronger defenses.

Having said all that, most companies I have added blocks to have asked for them to be removed, as Skype is such a valuable tool for calling, so now we are doing bandwidth control instead on port 443.
To avoid mistaking HTTP traffic for Skype traffic, don't force 443 to the proxy & make sure users have an HTTPS proxy set in their browser settings.

You can also add another layer of control by only allowing an outgoing NAT to some permitted services, preventing clients from accessing the internet directly.
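As an added example (not from the thread or any project), the "blanket block, then allow services out" design from the post above, written for the gateway in the question: FORWARD defaults to DROP, only an allow list of services is accepted and masqueraded, plain HTTP is redirected to a local proxy, and 443 stays direct. It assumes LAN eth0 (192.168.0.0/24), WAN eth1, and a proxy on port 3128 (placeholder); IPT=echo gives a dry run.

```shell
#!/bin/sh
# Added example, not from the thread: the "blanket block, then allow services
# out" design described above, on the gateway from the question (LAN on eth0,
# 192.168.0.0/24; WAN on eth1). Assumptions: an HTTP proxy (e.g. squid) runs
# on the gateway on port 3128 (a placeholder); set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/24
PROXY_PORT=3128
# Services that may leave directly. Port 80 is deliberately absent: web
# traffic is redirected to the proxy instead, which Skype's non-HTTP
# connections on that port will not pass. 443 stays direct (see the post).
ALLOW_TCP="25 110 143 443 993 995"
ALLOW_UDP="53 123"

apply_default_deny() {
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -t nat -F PREROUTING
    # replies to connections that were permitted below
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # one FORWARD accept and one NAT rule per permitted service, so the
    # MASQUERADE itself only covers the allow list (the NAT layer above)
    for p in $ALLOW_TCP; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$p" -m state --state NEW -j ACCEPT
        "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$p" -j MASQUERADE
    done
    for p in $ALLOW_UDP; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p udp --dport "$p" -j ACCEPT
        "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
            -p udp --dport "$p" -j MASQUERADE
    done
    # plain HTTP goes to the local proxy (INPUT on the gateway), never straight out
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # record what the policy drops, rate limited, to see what clients still try
    "$IPT" -A FORWARD -i "$LAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "FWD-DENY: "
}

# Usage: sh default_deny.sh apply (as root); IPT=echo sh default_deny.sh apply
if [ "${1:-}" = "apply" ]; then apply_default_deny; fi
```

With this in place a per-host DROP for 192.168.0.5 becomes unnecessary: anything not on the allow list is already dropped, and the FWD-DENY log lines show which ports a client keeps trying.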
 
Old 11-06-2006, 09:59 AM   #23
hermouche
Member
 
Registered: Nov 2004
Location: Algeria
Posts: 111

Original Poster
Rep: Reputation: 15
OK thank you every one.

It seems that it is impossible to stop SKYPE; well, the right word is not impossible but rather not an easy job.

Never mind.

Thanks again
red

Last edited by hermouche; 11-06-2006 at 10:03 AM.
 