Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
For some reason, I used one client with Kazaa, LimeWire and Ares together and tried to browse. The three p2p programs were unable to connect, but my browsing became very slow; it takes a long time to display a page. Any suggestion for this script would be very helpful for me, because I am very new to firewall scripting and am trying things out. Please help.
Comment out the default DROP policy for FORWARD at the top of your script. A policy doesn't allow you to add a log option.
Add this chain setup to the very END of the script; it will drop all traffic not otherwise specified:
iptables -N DROPNLOG
iptables -A DROPNLOG -j LOG
iptables -A DROPNLOG -j DROP
iptables -A FORWARD -j DROPNLOG
This makes a new chain (DROPNLOG) that "tees" the packet through both the log and the drop, and the last line in the script (the last line above) will drop all forward traffic not otherwise forwarded and also put the info in syslog.
On a flushed iptables, the policy will look like this once the commands are run:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Ohhh, my script is mainly for blocking p2p programs, and I am happy with that. I mean the p2p applications are unable to connect, and I have no problem with that. What I want to know is why browsing becomes slow: when I tried to run three of the p2p programs, they were running but not able to connect, and browsing became slow. That's the problem.
I apologize for misunderstanding the full question.
When you surf, does the load level go up on the NAT machine? Use 'uptime' or 'top' to watch whether programs are bombarding your system; just a thought on the fringe.
What were the firewall rules before browsing slowed down?
ETA:
Also, what is the load on your local machine? (CTRL+SHIFT+ESC for WinXP; just a guess with that many p2p programs.) See if it is getting bogged down by all the p2p apps sending out request packets and waiting (since you have it set on the inside to drop). Maybe change the policy to REJECT so the port is closed instead of "ignored".
I have tried your iptables script.
It successfully blocks p2p and only allows HTTP and Yahoo Messenger.
I am also happy with that.
I do agree with you:
browsing is becoming slow.
iptables -A FORWARD -i eth1 -p tcp --destination-port 5051:65535 -o eth0 -j DROP
iptables -A FORWARD -i eth1 -p udp --destination-port 5051:65535 -o eth0 -j DROP
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#for transparent proxy (if you are using one)
#replace <PUBLIC_IP> with your public IP: "-s" takes an address or network, not an interface name like eth0
iptables -t nat -A PREROUTING -s <PUBLIC_IP> -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#masquerades on every outgoing interface; the "-o eth1" rule above already covers the WAN side
iptables -t nat -A POSTROUTING -j MASQUERADE
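As an added example (not the script posted in this thread), here is a FORWARD setup that keeps the thread's blocked range but follows the advice above: reply packets are accepted via conntrack before anything is blocked, blocked connections get a REJECT instead of a silent DROP so clients fail fast rather than waiting on retries, and everything not allowed is logged (rate-limited) before being rejected, as the DROPNLOG chain does. The interface roles (LAN eth0, WAN eth1, matching the MASQUERADE -o eth1 line), the Yahoo Messenger port 5050 and the log-limit values are assumptions.

```shell
#!/bin/sh
# Added example, not the script from this thread. It keeps the thread's
# blocked range (5051:65535) but answers blocked connections with REJECT
# instead of a silent DROP (as the second reply suggests) and accepts
# reply packets via conntrack first, so browsing is not slowed by
# clients waiting on dropped packets. Assumptions: LAN=eth0, WAN=eth1
# (the thread masquerades out of eth1); Yahoo Messenger on TCP 5050.
LAN=eth0
WAN=eth1
P2P_PORTS=5051:65535

# Print the rule set so it can be reviewed or tested without root.
gen_rules() {
    cat <<EOF
iptables -N REJECTNLOG
iptables -A REJECTNLOG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FWD-REJECT: "
iptables -A REJECTNLOG -p tcp -j REJECT --reject-with tcp-reset
iptables -A REJECTNLOG -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports 53,80,443,5050 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport $P2P_PORTS -j REJECTNLOG
iptables -A FORWARD -i $LAN -o $WAN -p udp --dport $P2P_PORTS -j REJECTNLOG
iptables -A FORWARD -j REJECTNLOG
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# The conntrack ACCEPT must precede every reject in FORWARD, or reply
# packets to LAN clients get rejected too. Returns 0 when the order is right.
check_order() {
    rules=$(gen_rules)
    ct=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1 | head -n1)
    rj=$(printf '%s\n' "$rules" | grep -n 'FORWARD.*REJECTNLOG' | cut -d: -f1 | head -n1)
    [ -n "$ct" ] && [ -n "$rj" ] && [ "$ct" -lt "$rj" ]
}

# Apply the rules only when iptables is present and we are root.
apply_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    check_order || { echo "rule order is wrong" >&2; return 1; }
    gen_rules | sh -e
}
```

Run `gen_rules` to review the rules, and `apply_rules` as root to load them; the FORWARD chain policy stays as the thread has it, since the final catch-all already rejects and logs whatever the allow rules do not match.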