ip tables

Protecting your Linux box

Postby rmira » Sun Dec 24, 2006 5:49 pm

This is my iptables:
[root@hnet]# iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.16.83 anywhere
DROP all -- 192.168.16.48 anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I can't stop internet access for these 2 IPs (192.168.16.83 and 192.168.16.48).
What am I doing wrong? I use a transparent proxy, by Squid. eth0 is the internet and eth1 is the LAN. I want to block Kazaa, eMule, and all P2P connections, because my bandwidth is slow. Please help me.
Thanks
rmira
Lance Naik
 
Posts: 22
Joined: Sat Dec 17, 2005 1:50 pm

Re: ip tables

Postby kbukhari » Mon Dec 25, 2006 1:39 am

rmira wrote:This is my iptables (the iptables -L listing quoted in full above)
I can't stop internet access for these 2 IPs (192.168.16.83 and 192.168.16.48).
What am I doing wrong? I use a transparent proxy, by Squid. eth0 is the internet and eth1 is the LAN. I want to block Kazaa, eMule, and all P2P connections, because my bandwidth is slow. Please help me.
Thanks


Squid is an HTTP proxy; there is no chance Squid will deal with Kazaa etc.
You need to stop them at your firewall. iptables: use policy-based NATing.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
kbukhari
Major General
 
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Website: http://kashifbukhari.com
Location: Lahore

Re:

Postby LinuxFreaK » Tue Dec 26, 2006 9:16 am

Dear rmira,
Salam,

Use the iptables rules below. They will block access to the internet and allow the LAN.

# iptables -t nat -A PREROUTING -s 192.168.16.83 ! -d 192.168.16.0/24 -j DROP
# iptables -t nat -A PREROUTING -s 192.168.16.48 ! -d 192.168.16.0/24 -j DROP


Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi
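Why the original INPUT rules did nothing for most traffic, as an added example that is not part of the thread: a LAN host's packets to the internet are routed through the gateway and traverse the FORWARD chain, never INPUT. INPUT only sees packets addressed to the gateway itself, which with a transparent Squid is just the port-80 traffic that the REDIRECT rule rewrites to the local proxy port. So the two DROP rules in INPUT stopped intercepted HTTP and nothing else, while a DROP in nat PREROUTING (the reply above) works only because nat sees the first packet of every new connection. The script below puts the block where routed traffic is actually evaluated. It assumes things the thread does not state: Squid listening on 3128, an HTTP REDIRECT rule in nat PREROUTING, and MASQUERADE on eth0; the IPT, WAN_IF, LAN_IF, LAN_NET and SQUID_PORT variables and the two function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Gateway: eth0 = internet, eth1 = LAN,
# Squid as a transparent proxy. Assumed, not stated in the thread: Squid
# listens on 3128 and HTTP is intercepted with a REDIRECT rule in nat
# PREROUTING; the gateway masquerades the LAN on eth0.
#
# LAN-to-internet packets are routed *through* the box and traverse the
# FORWARD chain, never INPUT. INPUT only sees packets addressed to the
# gateway itself, which, with a transparent proxy, is just the intercepted
# port-80 traffic. A DROP for a LAN host therefore belongs in FORWARD.
#
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.16.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Cut one LAN host off from everything beyond the LAN.  Usage: block_host 192.168.16.83
block_host() {
    host="$1"
    # 1. Keep the transparent proxy from intercepting this host's HTTP: ACCEPT
    #    in the nat table means "no NAT for this connection".  Inserted at the
    #    top so it precedes the REDIRECT rule (nat sees only a connection's
    #    first packet, so order matters).
    $IPT -t nat -I PREROUTING -i "$LAN_IF" -s "$host" ! -d "$LAN_NET" -j ACCEPT
    # 2. Drop what the gateway would route to the internet, in the chain that
    #    actually evaluates routed traffic.  Inserted first so it also cuts
    #    connections that are already established.
    $IPT -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" -j DROP
    # 3. Refuse the host's direct connections to the proxy port, so it cannot
    #    simply configure Squid as an explicit proxy instead.
    $IPT -I INPUT -i "$LAN_IF" -s "$host" -p tcp --dport "$SQUID_PORT" \
         -j REJECT --reject-with icmp-host-prohibited
}

# Baseline gateway rules for everyone else: intercept HTTP, masquerade,
# forward LAN traffic, and default-deny anything else that is forwarded.
gateway_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -P FORWARD DROP
}

# Apply everything for the two hosts from the thread when run as:  sh block.sh apply
if [ "${1:-}" = "apply" ]; then
    gateway_rules
    block_host 192.168.16.83
    block_host 192.168.16.48
fi
```

Run it with IPT=echo first to review the rule set, then as root with the apply argument. Verify afterwards with iptables -L FORWARD -v -n, which shows the interface matches and per-rule packet counters that the plain iptables -L in the first post hides.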

block Kazaa, eMule, BitTorrent

Postby rmira » Sun Dec 31, 2006 5:02 pm

Thanks for your iptables rules, they work for me.
Next: BitTorrent, eMule, and Kazaa. How do I control these P2P services, and how do I identify who is using P2P? I use nmap, but my users use a firewall, so nmap can't discover any port. Is there any solution? Which LAN scanner is best for detecting P2P ports?
rmira
Lance Naik
 
Posts: 22
Joined: Sat Dec 17, 2005 1:50 pm

Re: block Kazaa, eMule, BitTorrent

Postby kbukhari » Wed Jan 03, 2007 9:35 am

rmira wrote:Thanks for your iptables rules, they work for me.
Next: BitTorrent, eMule, and Kazaa. How do I control these P2P services, and how do I identify who is using P2P? I use nmap, but my users use a firewall, so nmap can't discover any port. Is there any solution? Which LAN scanner is best for detecting P2P ports?


You can use iptstat -s on your gateway to watch the requests coming from clients.
--

Syed Kashif Ali Bukhari

+92-345-8444420

http://sysadminsline.com

http://kashifbukhari.com
kbukhari
Major General
 
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Website: http://kashifbukhari.com
Location: Lahore
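The reply above makes the right move: watch the connections from the gateway instead of scanning the clients, because a personal firewall on the client hides its listening ports from nmap but cannot hide the connections the client pushes through the gateway. As an added example that is not part of the thread, the script below reads the gateway's connection-tracking table and flags LAN hosts that talk to many distinct remote peers at once, which is the footprint of BitTorrent, eMule and Kazaa regardless of which ports they pick. The LAN prefix 192.168.16., the threshold of 20 peers, the function names and the embedded sample table are this example's own assumptions; the sample is constructed, not captured data.

```shell
#!/bin/sh
# Added example (not from the thread): flag LAN hosts that look like P2P
# clients from the gateway's own connection-tracking table.  P2P programs
# talk to many remote peers at once, whatever ports they use, so counting
# distinct peers per LAN host works even when the clients run a personal
# firewall that defeats nmap.  Assumed values: LAN prefix 192.168.16. and a
# threshold of 20 peers; tune both for your network.

LAN_PREFIX="${LAN_PREFIX:-192.168.16.}"
THRESHOLD="${THRESHOLD:-20}"

# Constructed sample in /proc/net/nf_conntrack format (not real captured data):
# .83 has 25 peers on one port (26 flows), .48 has three ordinary web flows.
sample_conntrack() {
    i=1
    while [ "$i" -le 25 ]; do
        echo "ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.16.83 dst=198.51.100.$i sport=$((51000+i)) dport=6881 src=198.51.100.$i dst=203.0.113.5 sport=6881 dport=$((51000+i)) [ASSURED] mark=0 use=1"
        i=$((i+1))
    done
    # second flow to an already-counted peer: adds a flow, not a peer
    echo "ipv4 2 udp 17 29 src=192.168.16.83 dst=198.51.100.1 sport=40000 dport=6881 src=198.51.100.1 dst=203.0.113.5 sport=6881 dport=40000 mark=0 use=1"
    echo "ipv4 2 tcp 6 300 ESTABLISHED src=192.168.16.48 dst=192.0.2.10 sport=33001 dport=80 src=192.0.2.10 dst=203.0.113.5 sport=80 dport=33001 [ASSURED] mark=0 use=1"
    echo "ipv4 2 tcp 6 300 ESTABLISHED src=192.168.16.48 dst=192.0.2.11 sport=33002 dport=80 src=192.0.2.11 dst=203.0.113.5 sport=80 dport=33002 [ASSURED] mark=0 use=1"
    echo "ipv4 2 tcp 6 300 ESTABLISHED src=192.168.16.48 dst=192.0.2.12 sport=33003 dport=443 src=192.0.2.12 dst=203.0.113.5 sport=443 dport=33003 [ASSURED] mark=0 use=1"
    # LAN-to-LAN traffic and the gateway's own DNS lookup are ignored
    echo "ipv4 2 tcp 6 300 ESTABLISHED src=192.168.16.10 dst=192.168.16.1 sport=44000 dport=22 src=192.168.16.1 dst=192.168.16.10 sport=22 dport=44000 [ASSURED] mark=0 use=1"
    echo "ipv4 2 udp 17 20 src=203.0.113.5 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=5353 mark=0 use=1"
}

# "sample" -> constructed data, "" -> the live table, anything else -> a saved copy
conntrack_source() {
    case "$1" in
        sample) sample_conntrack ;;
        "")     if [ -r /proc/net/nf_conntrack ]; then cat /proc/net/nf_conntrack
                else cat /proc/net/ip_conntrack; fi ;;
        *)      cat "$1" ;;
    esac
}

# One line per LAN host: "host distinct_peers flows", busiest first.  Only the
# first src=/dst=/dport= of each line (the original direction) is used; the
# reply tuple that follows is ignored.  A peer is a distinct (address, port).
peer_report() {
    conntrack_source "$1" | awk -v lan="$LAN_PREFIX" '
    {
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^src=/   && src   == "") src   = substr($i, 5)
            else if ($i ~ /^dst=/   && dst   == "") dst   = substr($i, 5)
            else if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        if (index(src, lan) != 1) next      # not a LAN host
        if (index(dst, lan) == 1) next      # LAN-to-LAN, not internet traffic
        flows[src]++
        key = src SUBSEP dst SUBSEP dport
        if (!(key in seen)) { seen[key] = 1; peers[src]++ }
    }
    END { for (h in peers) printf "%s %d %d\n", h, peers[h], flows[h] }' | sort -k2,2nr
}

# Hosts at or above the peer threshold: the candidates to look at (or block).
flag_p2p_hosts() {
    peer_report "$1" | awk -v t="$THRESHOLD" '$2 >= t { print $1 }'
}
```

On the gateway, run peer_report with no argument to read the live table (conntrack must be loaded, which it is whenever the state match or NAT is in use) and flag_p2p_hosts to list the offenders; the sample argument exercises the constructed data. A busy web user rarely exceeds a dozen concurrent peers, while a P2P client holds dozens to hundreds, so the count separates them without knowing the application's ports.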
