Hi - I'd like to allow Kazaa access to an internal network, and was
considering using a Dante proxy server and some carefully crafted
iptables rules to only allow outgoing traffic.
Now, at first I thought just allowing access to destination port 1214,
both TCP and UDP, would be enough, but that wasn't getting me diddly. I
stopped the client from attempting to use the proxy and did a tcpdump to
see what it was up to. As it started up it began sending a lot of UDP
packets out with source port 1214. The destination ports were always
different but usually somewhere above 3000.
Now I'm not too happy to allow out this traffic, as it's not as easy to
be sure of, but I'm thinking to myself that since Dante is run by user
sockd, I can put in a few owner matching rules and make this slightly
secure.
However, after allowing the proxy server to make UDP connections from
source port 1214 I did a tcpdump and still found it was sending out no
traffic. This could be because of a badly crafted rule or a complete
lack of understanding of the situation on my part.
I checked Dante's logs and spotted this:
Nov 21 12:21:17 sockd[17507]: internal addresses (1):
Nov 21 12:21:17 sockd[17507]: 192.168.0.207.6001
Nov 21 12:21:17 sockd[17507]: external addresses (1):
Nov 21 12:21:17 sockd[17507]: 172.20.1.2/0.0.0.0
Nov 21 12:21:17 sockd[17507]: compatibility options:
Nov 21 12:21:17 sockd[17507]: extensions enabled:
Nov 21 12:21:17 sockd[17507]: logoutput goes to: syslog, files (2)
Nov 21 12:21:17 sockd[17507]: debug level: 0
Nov 21 12:21:17 sockd[17507]: resolveprotocol: udp
Nov 21 12:21:17 sockd[17507]: address/host mismatch tolerated: yes
Nov 21 12:21:17 sockd[17507]: unresolvable addresses tolerated: yes
Nov 21 12:21:17 sockd[17507]: negotiate timeout: 0s
Nov 21 12:21:17 sockd[17507]: I/O timeout: 0s
Nov 21 12:21:17 sockd[17507]: euid: 0
Nov 21 12:21:17 sockd[17507]: userid.privileged: 0
Nov 21 12:21:17 sockd[17507]: userid.unprivileged: 504
Nov 21 12:21:17 sockd[17507]: userid.libwrap: 0
Nov 21 12:21:17 sockd[17507]: method(s): none
Nov 21 12:21:17 sockd[17507]: clientmethod(s): none
Nov 21 12:21:17 sockd[17507]: dante/server v1.1.10 running
Nov 26 09:21:35 sockd[17516]: run_request(): sending ack to mother failed: Broken pipe (errno = 32)
My iptables rules look like this:
To allow Kazaa traffic:
# 0/0 means "any address"; a bare $0 would expand to the script name in sh
# allow tcp destination port 1214 out
$ipt -A OUTPUT -o eth1 -p tcp -s $outip -d 0/0 --dport 1214 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
$ipt -A INPUT -i eth1 -p tcp -d $outip -s 0/0 --sport 1214 \
    -m state --state ESTABLISHED -j ACCEPT
# allow udp destination port 1214 out
$ipt -A OUTPUT -o eth1 -p udp -s $outip -d 0/0 --dport 1214 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
$ipt -A INPUT -i eth1 -p udp -d $outip -s 0/0 --sport 1214 \
    -m state --state ESTABLISHED -j ACCEPT
# allow tcp source port 1214 out
$ipt -A OUTPUT -o eth1 -p tcp -s $outip -d 0/0 --sport 1214 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
$ipt -A INPUT -i eth1 -p tcp -d $outip -s 0/0 --dport 1214 \
    -m state --state ESTABLISHED -j ACCEPT
# allow udp source port 1214 out
$ipt -A OUTPUT -o eth1 -p udp -s $outip -d 0/0 --sport 1214 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
$ipt -A INPUT -i eth1 -p udp -d $outip -s 0/0 --dport 1214 \
    -m state --state ESTABLISHED -j ACCEPT
To allow SOCKS:
# internal clients ($intnws) may connect to the proxy on port 6001
$ipt -A INPUT -i eth0 -p tcp -d $intip -s $intnws --dport 6001 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -o eth0 -p tcp -s $intip -d $intnws --sport 6001 \
    -m state --state ESTABLISHED -j ACCEPT
The SOCKS proxy is running on port 6001. outip is the external IP address of
the proxy server. intip is the internal IP address of the proxy server.
ipt is iptables. eth1 is the external interface of the proxy server.
eth0 is the internal interface of the proxy server. As I said, ideally
I'd like to put in some process owner matching rules too, but to my mind
the above should be sufficient to test anyway.
It takes up space, so I don't want to post my entire sockd.conf, but this
is the output of sockd -V. If anyone thinks it will be beneficial I'll
post my sockd.conf.
gw:/home/john # sockd -V
Nov 27 17:14:35 sockd[2265]: internal addresses (1):
Nov 27 17:14:35 sockd[2265]: 192.168.0.207.6001
Nov 27 17:14:35 sockd[2265]: external addresses (1):
Nov 27 17:14:35 sockd[2265]: 172.20.1.2/0.0.0.0
Nov 27 17:14:35 sockd[2265]: compatibility options:
Nov 27 17:14:35 sockd[2265]: extensions enabled:
Nov 27 17:14:35 sockd[2265]: logoutput goes to: syslog, files (2)
Nov 27 17:14:35 sockd[2265]: debug level: 0
Nov 27 17:14:35 sockd[2265]: resolveprotocol: udp
Nov 27 17:14:35 sockd[2265]: address/host mismatch tolerated: yes
Nov 27 17:14:35 sockd[2265]: unresolvable addresses tolerated: yes
Nov 27 17:14:35 sockd[2265]: negotiate timeout: 0s
Nov 27 17:14:35 sockd[2265]: I/O timeout: 0s
Nov 27 17:14:35 sockd[2265]: euid: 0
Nov 27 17:14:35 sockd[2265]: userid.privileged: 0
Nov 27 17:14:35 sockd[2265]: userid.unprivileged: 504
Nov 27 17:14:35 sockd[2265]: userid.libwrap: 0
Nov 27 17:14:35 sockd[2265]: method(s): none
Nov 27 17:14:35 sockd[2265]: clientmethod(s): none
Do I have something misconfigured? Can anyone suggest a secure (or
mostly secure) way to allow enough Kazaa traffic for searches and
downloads? Should I scrap the whole project? I was thinking maybe
there's some sort of problem with Dante and UDP? I'm running Dante
v1.1.10 on a SuSE 8.0 box.
Any advice would be appreciated.
Thanks,
John
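The owner-matching approach the post mentions, written out as an added example (not John's rules or Dante's own code): the relay is matched by the unprivileged uid 504 from the sockd -V output rather than by a fixed source port, since the outbound UDP relay socket does not have to use port 1214. It assumes the interface name eth1 and the external address 172.20.1.2 from the post; IPT defaults to "echo iptables" so the generated rules can be inspected without root.

```shell
#!/bin/sh
# Constructed example: iptables rules for a Dante SOCKS relay running
# unprivileged as uid 504 (userid.unprivileged from sockd -V).
# Set IPT=iptables to apply; the default only prints the commands.
IPT="${IPT:-echo iptables}"
EXTIF="${EXTIF:-eth1}"         # external interface (assumed name)
OUTIP="${OUTIP:-172.20.1.2}"   # external address shown by sockd -V
SOCKD_UID="${SOCKD_UID:-504}"  # uid the relay drops to

kazaa_rules() {
    # Outbound: only sockets owned by the relay uid may leave. No source
    # port match: the UDP relay binds an ephemeral port, not 1214.
    # (-m owner is only valid in the OUTPUT chain.)
    $IPT -A OUTPUT -o "$EXTIF" -p udp -s "$OUTIP" \
        -m owner --uid-owner "$SOCKD_UID" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$EXTIF" -p tcp -s "$OUTIP" --dport 1214 \
        -m owner --uid-owner "$SOCKD_UID" -m state --state NEW,ESTABLISHED -j ACCEPT
    # Inbound: only replies to flows the relay itself opened.
    $IPT -A INPUT -i "$EXTIF" -d "$OUTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else arriving on the external side is logged (rate-limited) and dropped.
    $IPT -A INPUT -i "$EXTIF" -m limit --limit 5/min -j LOG --log-prefix "ext-drop: "
    $IPT -A INPUT -i "$EXTIF" -j DROP
}

kazaa_rules
```

With the default IPT the script prints five iptables commands; review them, then rerun with IPT=iptables as root.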