The input chain is for incoming packets. It is unlikely that Kazaa clients use a special port - they probably take the first one available, just like web clients.
If the client does essentially port scanning (to find a good server port), there is little you can do at the iptables level. You will have to examine packets to deduce Kazaa-ness. I don't know of a good way to do this, but I'd be interested in the solution.

Another novel solution would be to have a stateful firewall that flags IPs that are trying port 1214 and any ports immediately following. The worst that would happen there is that legitimate uses of the higher ports will be impossible for a single IP until Kazaa is shut down on that IP. I like that last solution since it doesn't require knowledge of packet contents! But I wouldn't know how to implement it, and users could get around it by specifying a different initial port.

> -----Original Message-----
> From: Jeff [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 19, 2002 9:18 AM
> To: Fadel
> Cc: debian user list
> Subject: Re: Blocking Kazaa with iptables
>
> Fadel, 2002-Nov-19 13:13 -0300:
> > Hi there,
> >
> > I got a trouble in my network while trying to block Kazaa.
> > I tried to drop port 1214 with this rule:
> >
> > iptables -A FORWARD --dport 1214 -j DROP
> >
> > but this doesn't work. So I did sniffing to see what kind of packets and
> > ports Kazaa uses and I saw that it searches for servers in different ports.
> > Later, I read in various texts around the net, but all recommend to block
> > port 1214 and Kazaa site. This probably worked in version 1.
> >
> > How could I block Kazaa, since I need accept connections in high ports?
> >
> > Sorry for the bad English.
>
> Have you tried blocking on the INPUT chain? That's where I'd put
> that rule.
>
> jc
>
> --
> Jeff Coppock Systems Engineer
> Diggin' Debian Admin and User
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
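One way to prototype the port-following heuristic described in the reply above, as an added example that is not from the thread or its participants: it reads connection-attempt log lines and flags a source that hits port 1214 and then walks upward through consecutive ports. The log format, the addresses, the three-port threshold and the 60-second window are assumptions made for illustration.

```python
import re

# Constructed sample lines (epoch seconds + iptables LOG-style fields); not from the thread.
SAMPLE_LOG = """\
1000 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=40001 DPT=1214 SYN
1001 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=40002 DPT=1215 SYN
1002 SRC=192.168.1.30 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=80 SYN
1003 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=40003 DPT=1216 SYN
1004 SRC=192.168.1.30 DST=198.51.100.9 PROTO=TCP SPT=51001 DPT=1215 SYN
1005 SRC=192.168.1.40 DST=203.0.113.8 PROTO=TCP SPT=42000 DPT=1214 SYN
1500 SRC=192.168.1.40 DST=203.0.113.8 PROTO=TCP SPT=42001 DPT=1215 SYN
"""

LINE_RE = re.compile(r"^(\d+)\s.*?\bSRC=(\S+).*?\bDPT=(\d+)")

def parse(log_text):
    """Yield (timestamp, src_ip, dst_port) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))

def flag_port_walkers(events, first_port=1214, min_run=3, window=60):
    """Return source IPs that hit first_port and then walk upward through
    consecutive ports, min_run ports in total, within `window` seconds."""
    state = {}      # src -> (next expected port, time of the first_port hit)
    flagged = set()
    for ts, src, dport in events:
        if dport == first_port:
            state[src] = (first_port + 1, ts)
        elif src in state:
            expected, started = state[src]
            if ts - started > window:
                del state[src]              # walk went stale; forget this source
            elif dport == expected:
                state[src] = (expected + 1, started)
                if expected + 1 - first_port >= min_run:
                    flagged.add(src)
            # any other port is ignored, so unrelated traffic does not reset the walk
    return flagged

if __name__ == "__main__":
    print(sorted(flag_port_walkers(parse(SAMPLE_LOG))))
```

A source is only tracked after it touches `first_port`, so 192.168.1.30's lone connection to 1215 is left alone, and a walk that begins on any other port is never seen, which is the limitation the reply itself points out.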