LinuxQuestions.org
Old 06-01-2007, 08:47 AM   #1
jibskg
iptables p2p block


Hello, I have made a firewall script to allow only HTTP, Yahoo and Messenger; my main motive was disabling p2p usage. Below is my script:

echo 1 > /proc/sys/net/ipv4/ip_forward

# default policies: drop what reaches the firewall or crosses it unless a rule allows it
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# start from empty chains
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

# eth0 is the local (LAN) interface
# eth1 is the public (Internet) interface

# INPUT rules (traffic addressed to the firewall itself)
iptables -A INPUT -i lo -j ACCEPT
# replies to connections the firewall itself opened, on any interface
# (the line originally here was "-i eth1 -j ACCEPT", which let every packet
# from the Internet into the box and made the INPUT DROP policy meaningless)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# services the firewall itself answers on
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 1863 -j ACCEPT
iptables -A INPUT -p tcp --dport 5050 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# FORWARD rules (LAN clients going out through the firewall)
# replies coming back from the Internet to connections the LAN opened
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the LAN, only to these ports:
# HTTP, HTTPS, DNS, MSN Messenger (1863), Yahoo Messenger (5050), SSH, FTP control
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 5050 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT

# nat table: hide LAN addresses behind the public interface
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

For some reason, when I used one client with Kazaa, LimeWire and Ares together and tried to browse, the three p2p programs were unable to connect, but my browsing became very slow; it takes a long time to display the page. Any suggestion on this script would be very helpful for me, because I am very new to firewall scripting and am trying something. Please help.

thanks a lot
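Added example (editor's, not code from jibskg's post): a small Python audit that reads a ruleset in iptables-save format and flags an ACCEPT for traffic arriving on the public interface that carries no protocol, port or state restriction, together with the later rules in the same chain it makes unreachable. The sample ruleset is constructed to mirror the INPUT/FORWARD shape of a script like the one above, with an unrestricted `-i eth1 -j ACCEPT` as the problem case; the interface roles (eth0 LAN, eth1 public) and the file name in the usage comment are assumptions.

```python
"""Flag catch-all ACCEPTs on the public interface in an iptables-save dump.

Editor's added example for this thread, not code from the original post.
SAMPLE_RULES is constructed sample data mirroring the first post's chain
layout, with an unrestricted accept on eth1 as the problem case.
Interface roles follow the post's comments (eth0 LAN, eth1 public).
"""
import shlex

PUBLIC_IF = "eth1"  # assumption taken from the post's comments

SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# options whose value we keep; everything else (-m, -o, -s, -d, ...) is skipped
KEEP = {"-i": "in", "-p": "proto", "--dport": "dport",
        "--state": "state", "-j": "target"}


def parse_rules(text):
    """Return one dict per '-A <chain> ...' line, in ruleset order."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"chain": toks[1], "raw": line, "in": None, "proto": None,
                "dport": None, "state": None, "target": None}
        i = 2
        while i < len(toks):
            if toks[i] in KEEP and i + 1 < len(toks):
                rule[KEEP[toks[i]]] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def is_catch_all(rule):
    """True when the rule matches every packet on its interface."""
    return rule["proto"] is None and rule["dport"] is None and rule["state"] is None


def audit(text, public_if=PUBLIC_IF):
    """Find unrestricted ACCEPTs for traffic arriving on public_if.

    Each finding lists the later rules in the same chain that the accept
    makes unreachable for packets from that interface (rules with no -i,
    or with -i public_if).  Returned as a list so callers can check it.
    """
    rules = parse_rules(text)
    findings = []
    for idx, rule in enumerate(rules):
        if (rule["target"] == "ACCEPT" and rule["in"] == public_if
                and is_catch_all(rule)):
            shadowed = [r["raw"] for r in rules[idx + 1:]
                        if r["chain"] == rule["chain"]
                        and r["in"] in (None, public_if)]
            findings.append({"chain": rule["chain"], "rule": rule["raw"],
                             "shadowed": shadowed})
    return findings


if __name__ == "__main__":
    # Live use (file name is ours):  iptables-save | python3 audit_rules.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    for f in audit(data):
        print(f"{f['chain']}: catch-all accept on {PUBLIC_IF}: {f['rule']}")
        for s in f["shadowed"]:
            print("    shadows:", s)
```

On the constructed ruleset it reports the `-i eth1 -j ACCEPT` line and the two port rules after it in INPUT; the `-i lo` rule is not listed because it can never see eth1 traffic anyway. Run against a real box, pipe `iptables-save` into it.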
 
Old 06-01-2007, 12:36 PM   #2
troybtj
To fill your syslog fast, you could append to your default DROP rule: LOG --log-ip-options

Then you will see what is getting blocked so you can add a rule. If you have more than one user on the inside, it will make a big log fast.
 
Old 06-01-2007, 02:23 PM   #3
jibskg
Can you explain to me how to do that, what rule and how to write that rule, please?
 
Old 06-01-2007, 06:37 PM   #4
troybtj
Comment out the default DROP policy for FORWARD at the top of your script. A policy doesn't allow you to add a log option.

Add this chain setup to the very END of the script; this will drop all traffic not otherwise specified:

iptables -N DROPNLOG
iptables -A DROPNLOG -j LOG
iptables -A DROPNLOG -j DROP
iptables -A FORWARD -j DROPNLOG

This makes a new chain (DROPNLOG) that "tees" the packet through both the log and the drop, and the last line in the script (the last line above) will drop all forward traffic not otherwise forwarded, and also put the info in syslog.

On flushed iptables, the policy will look like this once the commands are run:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROPNLOG   0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DROPNLOG (1 references)
target     prot opt source               destination
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
DROP       0    --  0.0.0.0/0            0.0.0.0/0

run:
tail -f /var/log/messages

And watch the src/dst/ports of what is being dropped when you try an app; best is one app at a time, from one system, otherwise it goes by too fast.

Once it is set up, comment those lines out of your script and set the default policy back to DROP.

Last edited by troybtj; 06-01-2007 at 06:40 PM.
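Added example (editor's, not code from troybtj's post): once the DROPNLOG chain above is logging, the lines in /var/log/messages follow the kernel LOG format (`IN=… OUT=… SRC=… DST=… PROTO=… SPT=… DPT=…`, followed by flags such as SYN). Reading them by eye with tail -f goes by too fast, as the post says, so the Python script below parses such lines and counts what each LAN client is having dropped. That makes the ports a p2p client keeps retrying stand out, and it also surfaces legitimate traffic the ruleset never allowed, such as DNS over TCP or ICMP, which is the kind of thing to check when browsing turns slow. The log lines, host name, addresses and the script file name are constructed; eth0 as the LAN interface follows the first post.

```python
"""Summarise what an iptables LOG chain is dropping, per LAN client.

Editor's added example for this thread, not code from troybtj's post.
SAMPLE_LOG is constructed to look like what the kernel LOG target writes
to /var/log/messages for the DROPNLOG chain; hosts, addresses and times
are made up.  eth0 as the LAN interface follows the thread.
"""
import sys
from collections import Counter

SAMPLE_LOG = """\
Jun  1 18:40:01 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=4001 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 18:40:01 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=4002 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 18:40:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=3 PROTO=UDP SPT=6881 DPT=6881 LEN=58
Jun  1 18:40:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=198.51.100.53 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=4003 DPT=53 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 18:40:03 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jun  1 18:40:03 fw kernel: IN=eth1 OUT= SRC=203.0.113.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=6 PROTO=TCP SPT=55555 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 18:40:04 fw sshd[2201]: Accepted publickey for admin from 192.168.1.20 port 51234 ssh2
"""


def parse_log_line(line):
    """Turn one LOG line into a dict of KEY=value fields plus bare flags
    (SYN, DF, ...).  Returns None for lines that are not LOG output."""
    pos = line.find("IN=")
    if pos < 0:
        return None
    rec = {"flags": []}
    for tok in line[pos:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val          # OUT= with no value becomes ""
        else:
            rec["flags"].append(tok)
    return rec


def summarise(log_text, lan_if="eth0"):
    """Count dropped (src, proto, dport) for LAN clients and (proto, dport)
    for everything else.  Protocols without ports (ICMP) get dport '-'."""
    from_lan = Counter()
    other = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec.get("PROTO", "?"), rec.get("DPT", "-"))
        if rec.get("IN") == lan_if:
            from_lan[(rec.get("SRC", "?"),) + key] += 1
        else:
            other[key] += 1
    return from_lan, other


def top_dropped(log_text, n=5, lan_if="eth0"):
    """The n most frequently dropped (src, proto, dport) from the LAN."""
    return summarise(log_text, lan_if)[0].most_common(n)


if __name__ == "__main__":
    # Live use (file name is ours):  tail -n 5000 /var/log/messages | python3 dropnlog_report.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    from_lan, other = summarise(text)
    print("dropped from LAN (src, proto, dport, count):")
    for (src, proto, dpt), n in from_lan.most_common():
        print(f"  {src:15} {proto:5} {dpt:>6} {n:5d}")
    print("dropped from elsewhere (proto, dport, count):")
    for (proto, dpt), n in other.most_common():
        print(f"  {proto:5} {dpt:>6} {n:5d}")
```

On the constructed sample the report shows the LAN client hammering TCP 6346 and UDP 6881 (the p2p attempts), but also a dropped TCP 53 and a dropped ICMP echo, which a ruleset that only forwards UDP 53 would never let through. Two caveats on the logging itself: a bare `-j LOG` on a busy chain fills syslog fast, so put `-m limit --limit 5/min --limit-burst 20` in front of it in the DROPNLOG chain while you are watching, and add `--log-prefix "DROPNLOG: "` so the lines are easy to grep.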
 
Old 06-02-2007, 07:54 AM   #5
jibskg
Ohhh, my script is mainly for blocking p2p programs; I am happy with that. I mean the p2p applications are unable to connect, and I have no problem with that. What I want to know is why browsing becomes slow when I try to run three of the p2p programs: the p2p programs are running but they are not able to connect, but browsing becomes slow. That's the problem.
 
Old 06-02-2007, 01:48 PM   #6
troybtj
I apologize for misunderstanding the full question.

When you surf, does the load level go up on the NAT machine? Use 'uptime' or 'top' to watch, in case programs are bombarding your system; just a thought on the fringe.

What were the firewall rules before browsing slowed down?

ETA:
Also, what is the load on your local machine? (CTRL+SHIFT+ESC for WinXP; just a guess with that many p2p programs.) See if it is getting bogged down by all the p2p apps sending out request packets and waiting (since you have it set on the inside to drop). Maybe change the policy to REJECT so the port is closed instead of "ignored".

Last edited by troybtj; 06-02-2007 at 01:52 PM.
 
Old 07-08-2008, 11:47 PM   #7
mypiju
I have tried your iptables script.
It successfully blocks p2p and only allows HTTP and Yahoo Messenger.
I am also happy with that.
I do agree with you:
browsing becomes slow.

Can anybody help?

I am also new to iptables and Linux.
 
Old 05-17-2010, 01:33 AM   #8
batabai
How to block torrent in Linux

Try this one.

# eth1 is the local (LAN) interface
# eth0 is the public (Internet) interface

# For blocking torrent & p2p applications: drop new connections from the LAN
# to any destination port above 5050.  Note that this also breaks legitimate
# services that use high ports, e.g. passive FTP data connections.
iptables -F FORWARD
iptables -F -t nat
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 5051:65535 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 5051:65535 -j DROP

# masquerade on the public interface (the original had -o eth1, the LAN side,
# which contradicts the interface comments above)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# for transparent proxy (if you are using one): send LAN web traffic to the
# proxy on port 3128, but leave port 80 traffic arriving on the public interface
# alone.  -s takes an address, not an interface name, so iptables rejects the
# original "-s eth0"; match on the interface with -i, or use -s <your public ip>.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
# (the original ended with a second "POSTROUTING -j MASQUERADE" with no -o,
# which would also rewrite traffic going back into the LAN; it is dropped here)

Last edited by batabai; 05-17-2010 at 01:35 AM.
 
Old 05-17-2010, 02:27 AM   #9
win32sux
batabai, please don't resurrect dead threads – help us keep LQSEC as zombie-free as possible.
 
  

