hindoo n00b
Joined: 04 Oct 2003 Posts: 9
Posted: Sat Oct 04, 2003 2:22 am Post subject: n00b @ iptables
First post here...
I'm using the projectfiles.com firewall. I just wanted to ask if this is a good firewall for a gateway.
Other thing: if I want to block traffic to (e.g.) 192.168.0.3, I use:
```
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.3 -j REJECT
```
?
zaftro n00b
Joined: 07 Jan 2003 Posts: 39 Location: Melbourne, Australia
Posted: Sat Oct 04, 2003 8:06 am
Haven't had any experience with projectfiles.com.
As for blocking, use '-d' for destination. And you may want to do the same rule for the FORWARD chain.
_________________
You may well be reading my signature. Don't be alarmed.
JID: dan.farrell@jabber.zim.net.au
jaska Bodhisattva
Joined: 06 Jun 2003 Posts: 725 Location: Finland
Posted: Sat Oct 04, 2003 10:02 pm
You could read some docs from netfilter.org, but they are quite confusing and complex; maybe I'm just too wasted to understand.
hindoo n00b
Joined: 04 Oct 2003 Posts: 9
Posted: Sun Oct 05, 2003 12:14 am
> As for blocking, use '-d' for destination. And you may want to do the same rule for the FORWARD chain.

eth1 is my LAN interface; if I set a rule on INPUT, iptables will filter packets from the network, so I have to define the source, not the destination. I could use -d if:
-> iptables -A OUTPUT -d 192.168.0.3 -j REJECT
I tried to use all 3 filter chains but still no result ... I have to look again at my firewall script; I could be putting these commands in the wrong places.
I'm asking all this because I'm trying to use the fuzzy module of iptables:
```
iptables -A OUTPUT -o eth1 -d 192.168.0.3 -m fuzzy --lower-limit 10 --upper-limit 100 -j REJECT
```
(testing rule - used iptraf to check if it was doing any good)
This resulted in 0, void, rien, nada ... it didn't affect the connection to 192.168.0.3.
1- I can use the fuzzy module to limit bandwidth, can't I?
2- What am I doing wrong?
zaftro n00b
Joined: 07 Jan 2003 Posts: 39 Location: Melbourne, Australia
Posted: Sun Oct 05, 2003 5:58 am
Hi Hindoo,
Could you provide some info on your network topology? For example, is your network something along the lines of:
PC 1 (?) -----> gateway (?) --------> PC 2 (192.168.0.3)
From what I can gather you are trying to block traffic from 'PC 1' to 'PC 2' with the use of a firewall script on 'gateway'. But this is a guess, and that doesn't help anyone.
If you could post a diagram like the one above and give info about the traffic you want to block (i.e. blocking 'gateway' to 'PC 2') then I will probably be able to help you.
Regards,
zaftro
hindoo n00b
Joined: 04 Oct 2003 Posts: 9
Posted: Sun Oct 05, 2003 12:13 pm
I have a cable connection and 4 computers in my LAN; the cable modem is connected to one of these computers, which is connected to the others through a switch.
INTERNET --->c_modem--->Gateway (pc1)---->switch------->LAN Computers (pc2, pc3 and laptop)
I'm trying to limit the bandwidth and number of connections to one of my LAN computers (my brother's). Guess why? Kazaa, eMule, DirectConnect ... he has them all working at once and of course I must wait 3-4 minutes for google.com to load.
What makes me mad is that he knows he's consuming all the bandwidth and doesn't give a s***, but he forgets I'm the one who controls the firewall. But he knows I'm doing this and doesn't mind ...
Have you ever tried to emerge -u world with this kind of conditions?
And more!! We have a download limit of 3 GB international and 20 GB national (PT) per month. He can waste 3 GB in a week!! Errr, it drives me mad!! :evil:
zaftro n00b
Joined: 07 Jan 2003 Posts: 39 Location: Melbourne, Australia
Posted: Mon Oct 06, 2003 6:13 am
Hi again,
Hehe, brothers...
Well hindoo, it's like this... iptables deals with packets in the following manner:
```
                    _____
Incoming           /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]    \_____/        ^
               |                       |
               v                      ____
              ___                    /    \
             /   \                  |OUTPUT|
            |INPUT|                  \____/
             \___/                     ^
               |                       |
                ----> Local Process ----
```
(This is from here.)
In your situation 'Outgoing' is like your bro's PC, and 'Incoming' is the internet (i.e. packets coming IN from the internet and going OUT to your bro's PC). 'Routing decision' is where masquerading and DNAT etc. occur. So you see this is why I mentioned the FORWARD chain, since all of the packets going to your bro's PC that have come from the internet pass through the FORWARD chain. Are you with me? (At this point you say "Sir yes sir!")
So... for a packet that is at the FORWARD chain: the source address is some internet IP address, and the destination address is your bro's PC; let's call it ${BRO_PC}. While we're at it, the internal interface may as well be called ${ETH_HOME} and the external interface (the internet one) ${ETH_EXT}. Now a little iptables magic and we have:
```
/sbin/iptables -A FORWARD --in-interface ${ETH_EXT} --out-interface ${ETH_HOME} --destination ${BRO_PC} -j DROP
```
That particular command will:
-- Append a rule to the forward chain
-- Match packets that (1) come in on the internet interface, (2) AND are destined to go out on the home interface and (3) AND are destined for your bro's computer
-- The rule will drop all packets that match the above conditions
It is important to note that this rule will be appended to rules that are already there, so if there is already a rule that says 'Go on, let all traffic be forwarded through to my home network' exactly that will happen. So put the command before any other forwarding commands, and after any command that flushes the forward chain.
For maximum effect I recommend testing the command when your brother is 95% through an 'important' download...
If that doesn't work, I don't know what will!!! If it does, try it with the fuzzy modules I guess.
Goodluck dude,
zaftro
hindoo n00b
Joined: 04 Oct 2003 Posts: 9
Posted: Tue Oct 07, 2003 12:59 am
Thanks zaftro... I'll really "rotflol" when he asks me if I'm doing any large download ... Muahahahah :twisted:
miunk Apprentice
Joined: 24 Sep 2002 Posts: 199
Posted: Tue Oct 07, 2003 1:42 am
Is iptables really designed well for an "ACCEPT" all policy with "REJECT" exceptions? For example... if I do the following rules:
```
iptables -A INPUT -p tcp -d ! 192.168.0.0/24 --dport 139 -j REJECT
```
and then:
```
iptables -A INPUT -p tcp -d ! 127.0.0.1 --dport 139 -j REJECT
```
So when I come from 127.0.0.1 I get rejected because I met the first rule and the second was not even considered...
Is there a succinct way to do:
! 127.0.0.1 AND ! 192.168.0.0/24
?
hindoo n00b
Joined: 04 Oct 2003 Posts: 9
Posted: Thu Oct 09, 2003 10:09 am
If you want to block all but traffic for the network and loopback you should use
```
iptables -P INPUT DROP
```
and then
```
iptables -A INPUT -p tcp -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -d 127.0.0.1 -j ACCEPT
```
You should use this type of rules because you only accept traffic for your PC from 127.0.0.1 and 192.168.0.0/24. The first rule will say that DROP is the rule to apply if the packet doesn't match any of the other rules defined for the INPUT chain ...
Hope this helps
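The same chain semantics underlie zaftro's ordering warning on the FORWARD rule (a block appended after an accept-all is never reached) and miunk's two negated REJECT rules (each is checked on its own, so the pair rejects everything). The Python below is an added example, not code from the thread or from netfilter: a small model of first-match evaluation, user-chain RETURN and chain policy, just enough to run the thread's rulesets offline without root or a kernel. All addresses, interface names and packets in it are constructed for illustration, and the `smb` user chain is the one construct the thread did not show.

```python
"""Toy model of iptables first-match semantics (added example, not code from the
thread or netfilter). Rules are tried in order, the first match's target wins, a
user chain ends in an implicit RETURN, and a built-in chain's -P policy applies
when nothing matched. All addresses and interface names here are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str = ""
    out_if: str = ""
    proto: str = "tcp"
    dport: int = 0

def _cidr(spec, addr):
    """Match addr against a CIDR spec; a leading '!' negates it (iptables '! addr')."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return hit != negate

@dataclass
class Chain:
    policy: str = "ACCEPT"          # built-in chain: -P policy; user chain: "RETURN"
    rules: list = field(default_factory=list)

    def verdict(self, pkt):
        for rule in self.rules:     # first match wins; later rules are never consulted
            if not rule.matches(pkt):
                continue
            if isinstance(rule.target, Chain):      # -j USERCHAIN
                sub = rule.target.verdict(pkt)
                if sub != "RETURN":
                    return sub
                continue                            # RETURN resumes after the jump
            return rule.target
        return self.policy

@dataclass
class Rule:
    target: Union[str, Chain]       # ACCEPT, DROP, REJECT, RETURN or a user chain
    src: Optional[str] = None       # -s  ('!' prefix negates, as in '-s ! addr')
    dst: Optional[str] = None       # -d
    in_if: Optional[str] = None     # -i
    out_if: Optional[str] = None    # -o
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport

    def matches(self, pkt):
        exact = ((self.in_if, pkt.in_if), (self.out_if, pkt.out_if),
                 (self.proto, pkt.proto), (self.dport, pkt.dport))
        return (_cidr(self.src, pkt.src) and _cidr(self.dst, pkt.dst)
                and all(want is None or want == have for want, have in exact))

# zaftro's FORWARD rule on the gateway (RFC 5737 documentation address for the internet side)
ETH_EXT, ETH_HOME, BRO_PC, INET_HOST = "eth0", "eth1", "192.168.0.3", "203.0.113.5"
BLOCK_BRO = Rule("DROP", dst=BRO_PC, in_if=ETH_EXT, out_if=ETH_HOME)
INET_TO_BRO = Packet(src=INET_HOST, dst=BRO_PC, in_if=ETH_EXT, out_if=ETH_HOME)
BRO_TO_INET = Packet(src=BRO_PC, dst=INET_HOST, in_if=ETH_HOME, out_if=ETH_EXT)

def forward_block_appended_after_accept_all():
    """-A puts the block after an existing 'forward everything' rule: it is dead code."""
    return Chain("DROP", [Rule("ACCEPT"), BLOCK_BRO]).verdict(INET_TO_BRO)   # ACCEPT

def forward_block_before_accept_all():
    """Same rules, block first (-I FORWARD, or -A before the accept): now it fires."""
    return Chain("DROP", [BLOCK_BRO, Rule("ACCEPT")]).verdict(INET_TO_BRO)   # DROP

def forward_block_is_one_direction():
    """Matches internet->bro only: his outbound packets pass, their replies are dropped."""
    return Chain("DROP", [BLOCK_BRO, Rule("ACCEPT")]).verdict(BRO_TO_INET)   # ACCEPT

# miunk's INPUT question: 'not LAN AND not loopback' for port 139
LOOPBACK = Packet(src="127.0.0.1", dst="127.0.0.1", dport=139)
LAN = Packet(src="192.168.0.10", dst="192.168.0.1", dport=139)
INET = Packet(src=INET_HOST, dst="198.51.100.7", dport=139)   # the box's public address

def two_negated_rejects(pkt):
    """miunk's pair: checked independently, they reject anything outside EITHER range."""
    return Chain("ACCEPT", [Rule("REJECT", proto="tcp", dport=139, dst="!192.168.0.0/24"),
                            Rule("REJECT", proto="tcp", dport=139, dst="!127.0.0.1")]).verdict(pkt)

def user_chain_whitelist(pkt):
    """The succinct AND: a user chain that RETURNs per allowed range, then rejects the rest."""
    smb = Chain("RETURN", [Rule("RETURN", dst="192.168.0.0/24"),
                           Rule("RETURN", dst="127.0.0.1"), Rule("REJECT")])
    return Chain("ACCEPT", [Rule(smb, proto="tcp", dport=139)]).verdict(pkt)

def default_drop_whitelist(pkt):
    """hindoo's shape: -P INPUT DROP plus ACCEPT exceptions (all ports, not just 139)."""
    return Chain("DROP", [Rule("ACCEPT", proto="tcp", dst="192.168.0.0/24"),
                          Rule("ACCEPT", proto="tcp", dst="127.0.0.1")]).verdict(pkt)
```

On a real box the `user_chain_whitelist` shape is `iptables -N smb`, then `iptables -A INPUT -p tcp --dport 139 -j smb`, `iptables -A smb -d 192.168.0.0/24 -j RETURN`, `iptables -A smb -d 127.0.0.1 -j RETURN` and finally `iptables -A smb -j REJECT`; it keeps the REJECT scoped to port 139, whereas the default-DROP policy in hindoo's reply closes every other port on the host as well, which is the stricter and usually preferable posture for a gateway. Note also that a single-direction DROP in FORWARD lets the LAN host's own SYNs out and kills only the replies, so the blocked client sees timeouts, not refused connections.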