Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I have used quicktables to generate this iptables script.
Could someone please indicate why Kazaa is not working?
My external interface is ppp0 and the internal IP is 192.168.1.10,
on which Kazaa is to be run through NAT.
Thanks
#!/bin/sh
#
# generated by ./quicktables-2.3 on 2004.05.08.22
#
# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A OUTPUT -o eth0 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i ppp0 -s 127.0.0.0/8 -j DROP
# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i ppp0 -j DROP
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules from internal"
echo ""
##Allow incoming TCP port 8888 proxy traffic from internal
$iptables -A INPUT -p tcp -s 192.168.1.10 --dport 8888 -j ACCEPT
# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i ppp0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i ppp0 -p udp --dport 0:65535 -j DROP
Your rules look alright, but are you sure that Kazaa uses port 1450? The Kazaa website and all the port lists that I use all say Kazaa uses port 1214 tcp and udp (you are also only allowing the tcp traffic through).
Your rules are set up to allow all outbound traffic and all inbound traffic that is related or established. So the Kazaa clients can initiate connections outbound, and then inbound download traffic is allowed into the LAN because it is related to the client's initial outbound connection (it's now part of an established connection). Because the traffic matches the ESTABLISHED,RELATED rule, it never reaches the rule that specifically allows Kazaa (port 1450). I would guess that is why it works even though the rule is using the wrong port number. If you wish to block it, you'd have to specifically add a rule above the RELATED,ESTABLISHED rule to block the traffic.
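The reply's point is first-match evaluation: a rule placed below the ESTABLISHED,RELATED ACCEPT is never consulted for Kazaa traffic, so a block has to be inserted above it. The script below is an added example written for this thread, not code from the original post, from quicktables or from the reply. It takes port 1214 (tcp and udp) from the reply and the interface names from the posted script, and goes one step further than the reply: because the posted FORWARD chain also has `-A FORWARD -i eth0 -j ACCEPT` above the ESTABLISHED,RELATED rule, the DROPs are inserted at position 1, ahead of every ACCEPT. The dry-run `IPTABLES` variable, the `placement_ok` checker and the two `iptables -S FORWARD` samples are all my constructs, not output from the poster's machine.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from
# quicktables. Blocks Kazaa for the NAT clients by putting the DROP rules
# ahead of every ACCEPT in the FORWARD chain, then checks the placement.
#
# Dry run by default: the iptables commands are printed, not executed.
# To apply for real, run as root with IPTABLES=/sbin/iptables.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
P2P_PORT=1214   # tcp and udp port the reply says Kazaa uses (not 1450)

# Insert at position 1 (-I ... 1); never append (-A). In the posted script the
# FORWARD chain already has "-i eth0 -j ACCEPT" and the ESTABLISHED,RELATED
# ACCEPT; an appended rule would sit below both and never be evaluated,
# which is exactly why the wrong-port rule went unnoticed.
add_p2p_block() {
    $IPTABLES -I FORWARD 1 -p udp --dport "$P2P_PORT" -j DROP
    $IPTABLES -I FORWARD 1 -p tcp --dport "$P2P_PORT" -j DROP
    # Rate-limited log line so the block can be confirmed in syslog; LOG is
    # non-terminating, so the packet continues to the DROP rules below it.
    $IPTABLES -I FORWARD 1 -p tcp --dport "$P2P_PORT" -m limit --limit 6/min \
        -j LOG --log-prefix "p2p-block: "
}

# Read "iptables -S FORWARD" output on stdin. Succeeds (exit 0) only when at
# least one DROP for P2P_PORT exists and all of them precede the first ACCEPT.
placement_ok() {
    awk -v port="$P2P_PORT" '
        /-j ACCEPT/ && !first_accept { first_accept = NR }
        /-j DROP/ && index($0, "--dport " port " ") {
            drops++
            if (first_accept) late++
        }
        END { exit !(drops > 0 && late == 0) }'
}

# Constructed sample of "iptables -S FORWARD" after add_p2p_block (LOG rule
# omitted; real output may order the state list differently).
GOOD='-P FORWARD DROP
-A FORWARD -p tcp -m tcp --dport 1214 -j DROP
-A FORWARD -p udp -m udp --dport 1214 -j DROP
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample of the mistake: the same DROPs appended with -A. Kazaa
# traffic matches an ACCEPT first and the DROPs are dead rules.
BAD='-P FORWARD DROP
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1214 -j DROP
-A FORWARD -p udp -m udp --dport 1214 -j DROP'

add_p2p_block
printf '%s\n' "$GOOD" | placement_ok && echo "GOOD sample: block rules are reachable"
printf '%s\n' "$BAD"  | placement_ok || echo "BAD sample: block rules are never reached"
# On the live box: iptables -S FORWARD | placement_ok && echo "placed correctly"
```

After applying it for real, `iptables -L FORWARD -n -v --line-numbers` shows the three new rules at positions 1 to 3 and their packet counters, which is the quickest way to see whether Kazaa traffic is actually hitting the block instead of an ACCEPT further down.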