[rlug] Re: ICQ & YM and firewall

Knight Mon, 13 Oct 2003 06:40:03 -0700

Liviu,

imi trebuie sa imi dau seama de ce iti mai merge yahoo messenger si
icq dupa ce ai taiat restu porturilor
ce-i cu ipac_in si ipac_out?!!? cred ca alea is de vina
da outputu de la alea daca e legat de reteaua locala
adica:
ipchains -L ipac_in
ipchains -L ipac_out



si inca o chestie in loc de atatea reguli acolo puteai sa pui asa:
ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 80 -j ACCEPT
ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 25 -j ACCEPT
ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 110 -j ACCEPT
ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 443 -j ACCEPT


incearca chestia asta:
ipchains-save >/fisier_salvere_ipchains
ipchains -F FORWARD
ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 80 -j ACCEPT
ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 25 -j ACCEPT
ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 110 -j ACCEPT
ipchains -A FORWARD -s 192.168.0.0/24 -d 0/0 443 -j ACCEPT

si vezi daca iti mai merge doar cu regulile astea 4 icq si yahoo
s-ar putea sa nu mai mearga nici www :<


zi-mi daca iti merge


Monday, October 13, 2003, 4:15:49 PM, you wrote:

L> Hello Knight,

L> Monday, October 13, 2003, 4:10:09 PM, you wrote:

K>> Liviu,

K>> da un output la chestia asta
K>> ipchains -nL
K>> daca nu merge asa incerca doar
K>> ipchains -L

L> Chain FORWARD (policy DROP)
L> target     prot opt source               destination
L> ipac_in    all  --  anywhere             anywhere
L> ipac_out   all  --  anywhere             anywhere
L> ACCEPT     tcp  --  anywhere             anywhere           state 
RELATED,ESTABLISHED
L> ACCEPT     tcp  --  192.168.0.11         anywhere           tcp dpt:www
L> ACCEPT     tcp  --  192.168.0.15         anywhere           tcp dpt:www
L> ACCEPT     tcp  --  192.168.0.17         anywhere           tcp dpt:www
L> ACCEPT     tcp  --  192.168.0.17         anywhere           tcp dpt:smtp
L> ACCEPT     tcp  --  192.168.0.17         anywhere           tcp dpt:pop3
L> ACCEPT     tcp  --  192.168.0.13         anywhere           tcp dpt:www
L> ACCEPT     tcp  --  192.168.0.15         anywhere           tcp dpt:smtp
L> ACCEPT     tcp  --  192.168.0.15         anywhere           tcp dpt:pop3

L> Da' la ce iti trebuie ?

K>> da cat poti de repede, ca lumea se pregateste sa plece de la servici
K>> deja :)


K>> Monday, October 13, 2003, 3:51:19 PM, you wrote:

L>>> Salut,

L>>>         Am un script de firewall, facut cu iptables, pe un gateway care are
L>>>      ca politica pe chain-ul forward "DROP" si permite userilor din
L>>>      reteua locala sa se conecteze, in internet, doar la porturile 80, 25, 110.
L>>>      Ideea mea ar fi ca lumea din reteua locala sa nu poata iesi decat pe
L>>>      web si pe mail.
L>>>          Problema apare cand ICQ sau YM foloseste orice port pentru a se
L>>>      conecta in exterior si se leaga la o multitudine de adrese. Astfel
L>>>      din reteua locala se poate face chat in voie.
L>>>          Imi poate spune cineva cum se rezolva beleua asta ?
L>>>          Ca deja cand i-am spus sefului ca mai dureaza pana o fac a inceput
L>>>      sa ma banuiasca de colaborare cu chatistii din firma.
  








-- 
Best regards,
 Knight

This message was brought to you by the numbers 0 and 1.


--- 
Detalii despre listele noastre de mail: http://www.lug.ro/

[rlug] Re: ICQ & YM and firewall

Raspunde prin e-mail lui