> http://www.google.com/search?q=yahoo+voice+chat+firewall > > Primul rezultat: > > Voice chat data packets are sent by this server using both TCP and UDP. > TCP packets that are sent to a user's computer originate from source > ports 5000 and 5001. UDP packets that are sent to a user's computer > originate from source port 5000 and are addressed to a port in the range > 5000-5010 on the user's computer.
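In urmatorul firewall trebuie sa dau voie la masina (windows) 192.168.1.114 (ip_cristi) sa aiba acces la serviciul voice chat prin intermediul unui squid. Ce trebuie modificat in acesta?

#!/bin/bash
# iptables rule set for a dual-homed gateway: eth1 faces the Internet
# (IPADDR1), eth0 faces the 192.168.0.0/16 LAN (IPADDR2). Every run flushes
# the filter/nat/mangle tables and rebuilds them. Must run as root.
#
# NOTE(review): no chain default policy is set here (no "-P ..."), and the
# closing "INPUT -j DROP" near the end is commented out, so packets that match
# nothing get whatever policy was active before this script ran — confirm the
# intended default is DROP.

readonly IPT=/sbin/iptables

# Public address on the external interface and the gateway's own LAN address.
readonly IPADDR1="193.223.152.62"
readonly IPADDR2="192.168.1.31"
# Host bits are masked off by iptables, i.e. this means 192.168.0.0/16.
readonly INTERNAL_NET="192.168.1.31/16"
readonly EXTERNAL_INTERFACE=eth1
readonly INTERNAL_INTERFACE=eth0
# NOTE(review): "any/0" relies on the name "any" resolving on this host;
# 0.0.0.0/0 is the unambiguous spelling — confirm before relying on it.
readonly ANYWHERE="any/0"

# Per-host whitelist (IP + MAC) for the proxy/voice-chat rules below.
# "-m mac --mac-source" only sees the L2 address of the last hop, so it is a
# meaningful check only for hosts directly attached to this gateway
# (ip_z is on another /24 and ip_servsal is a public address — confirm they
# are on a local segment, otherwise those rules never match).
mac_cristi="00:00:21:CF:B6:68"
mac_galina="00:40:05:50:83:D2"
mac_mihaela="00:02:A5:84:82:62"
#mac_x="00:10:A7:02:A7:3F"
#mac_y="00:10:DC:04:71:93"
mac_z="00:50:22:B1:67:E1"
mac_k="00:00:21:E1:D5:20"
mac_servsal="00:D0:B7:40:A5:A0"
ip_cristi="192.168.1.114"
ip_galina="192.168.1.46"
ip_mihaela="192.168.1.152"
#ip_x="192.168.1.117"
#ip_y="192.168.1.69"
ip_z="192.168.6.15"
ip_k="192.168.1.8"
ip_servsal="193.226.151.64"

# Outgoing interface and source address used by the per-host SNAT rules.
# Note this is the LAN side (eth0 / the gateway's LAN address), not eth1.
up="eth0"
sursa="192.168.1.31"

# Start from empty chains (default policies are left untouched).
"$IPT" -F
"$IPT" -F -t nat
"$IPT" -F -t mangle
"$IPT" -X
#$IPT -A input -j DROP
#$IPT -A output -j DROP

# "Internet cut off": block the proxy port for the whole LAN. The per-host
# ACCEPTs below are inserted (-I) ahead of this rule, so only whitelisted
# hosts get past it.
"$IPT" -t nat -A PREROUTING -p tcp --dport 8000 -s 192.168.0.0/16 -j DROP
# New TCP connections must start with SYN.
"$IPT" -A INPUT -p tcp -m state --state NEW ! --syn -j DROP
# Loopback.
"$IPT" -A INPUT -d localhost -s localhost -i lo -j ACCEPT
"$IPT" -A OUTPUT -d localhost -s localhost -o lo -j ACCEPT

#######################################
# Whitelist one host for one destination port in the nat table.
# Globals:   IPT, up, sursa (read)
# Arguments: $1 protocol (tcp|udp), $2 destination port,
#            $3 source IP, $4 source MAC
# Inserts (-I, i.e. ahead of every rule already in the chain) the PREROUTING
# ACCEPT for that host/port and the matching POSTROUTING SNAT out of $up
# with source address $sursa.
#######################################
allow_host_port() {
  local proto=$1 port=$2 ip=$3 mac=$4
  "$IPT" -t nat -I PREROUTING -p "$proto" --dport "$port" -s "$ip" \
    -m mac --mac-source "$mac" -j ACCEPT
  "$IPT" -t nat -I POSTROUTING -p "$proto" --dport "$port" -o "$up" -s "$ip" \
    -j SNAT --to-source "$sursa"
}

# Whitelisted hosts for the proxy port; cristi additionally gets the
# voice-chat ports 5000/5001 (tcp and udp).
allow_host_port tcp 8000 "$ip_cristi" "$mac_cristi"
allow_host_port tcp 5001 "$ip_cristi" "$mac_cristi"
allow_host_port tcp 5000 "$ip_cristi" "$mac_cristi"
allow_host_port udp 5001 "$ip_cristi" "$mac_cristi"
allow_host_port udp 5000 "$ip_cristi" "$mac_cristi"
# NOTE(review): per the quoted service description, the voice server sends UDP
# from source port 5000 to ports 5000-5010 on the client. Behind SNAT such
# packets reach the client only when conntrack already holds a matching
# entry, and these rules match on --dport only — confirm whether an inbound
# mapping for that range is what is missing.
#allow_host_port tcp 25 "$ip_cristi" "$mac_cristi"
#allow_host_port tcp 110 "$ip_cristi" "$mac_cristi"
allow_host_port tcp 8000 "$ip_galina" "$mac_galina"
allow_host_port tcp 8000 "$ip_mihaela" "$mac_mihaela"
#allow_host_port tcp 8000 "$ip_x" "$mac_x"
#allow_host_port tcp 8000 "$ip_y" "$mac_y"
allow_host_port tcp 8000 "$ip_z" "$mac_z"
allow_host_port tcp 8000 "$ip_k" "$mac_k"
allow_host_port tcp 8000 "$ip_servsal" "$mac_servsal"

# Replies to connections we opened, arriving on the external interface.
"$IPT" -A INPUT -i "$EXTERNAL_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT

# NOTE(review): the "--sport" ACCEPTs below (113, 53, 22) admit any packet
# whose *source* port is 113/53/22, whatever local port it targets, so a
# remote host can reach any local service by choosing that source port. The
# RELATED,ESTABLISHED rule above already covers legitimate replies — confirm
# these are still needed.

# ident
"$IPT" -A INPUT -p tcp --dport 113 -j ACCEPT
"$IPT" -A INPUT -p tcp --sport 113 -j ACCEPT
# ssh from the LAN
"$IPT" -A INPUT -p tcp -i "$INTERNAL_INTERFACE" --dport 22 -j ACCEPT
# telnet from the LAN
#$IPT -A INPUT -p tcp -i $INTERNAL_INTERFACE --dport 23 -j ACCEPT
# DNS: this machine is also the authoritative server for a domain.
# Replies from other DNS servers.
"$IPT" -A INPUT -p tcp --sport 53 -j ACCEPT
"$IPT" -A INPUT -p udp --sport 53 -j ACCEPT
# mail (postfix)
"$IPT" -A INPUT -p tcp --dport 25 -j ACCEPT
"$IPT" -A OUTPUT -p tcp --sport 25 -j ACCEPT
# mail (courier-imap pop)
"$IPT" -A INPUT -p tcp --dport 110 -j ACCEPT
"$IPT" -A OUTPUT -p tcp --sport 110 -j ACCEPT
# apache SSL module
"$IPT" -A INPUT -p tcp --dport 443 -j ACCEPT
"$IPT" -A OUTPUT -p tcp --sport 443 -j ACCEPT
# FTP
#$IPT -A INPUT -p tcp --dport 21 -j ACCEPT
#$IPT -A OUTPUT -p tcp --sport 21 -j ACCEPT
#$IPT -A INPUT -p tcp --dport 20 -j ACCEPT
#$IPT -A OUTPUT -p tcp --sport 20 -j ACCEPT
# Queries to the local DNS server.
"$IPT" -A INPUT -p tcp --dport 53 -j ACCEPT
"$IPT" -A INPUT -p udp --dport 53 -j ACCEPT
# Queries to other DNS servers.
"$IPT" -A OUTPUT -p tcp --dport 53 -j ACCEPT
"$IPT" -A OUTPUT -p udp --dport 53 -j ACCEPT
# Replies from the local DNS server.
"$IPT" -A OUTPUT -p tcp --sport 53 -j ACCEPT
"$IPT" -A OUTPUT -p udp --sport 53 -j ACCEPT
# Local web server, requests.
"$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
# samba (and lpd 515, pop3s 995) for the LAN
for spec in "tcp 139" "udp 138" "udp 137" "tcp 515" "tcp 995"; do
  set -- $spec
  "$IPT" -A INPUT -p "$1" -i "$INTERNAL_INTERFACE" --dport "$2" -j ACCEPT
done
# squid
"$IPT" -A INPUT -p tcp -i "$INTERNAL_INTERFACE" --dport 3128 -j ACCEPT
# ntop - traffic analyzer
"$IPT" -A INPUT -p tcp -i "$INTERNAL_INTERFACE" --dport 3000 -j ACCEPT
# squid
"$IPT" -A INPUT -p tcp -i "$INTERNAL_INTERFACE" --dport 8000 -j ACCEPT
# Replies to ident queries / queries to other ident servers.
"$IPT" -A OUTPUT -p tcp --sport 113 -j ACCEPT
"$IPT" -A OUTPUT -p tcp --dport 113 -j ACCEPT
# Replies from the ssh server towards the LAN.
"$IPT" -A OUTPUT -p tcp -o "$INTERNAL_INTERFACE" --sport 22 -j ACCEPT
# DNS used to be restricted to the LAN; since the machine was promoted to
# authoritative server for the domain it had to be opened to the outside
# (see above).
#$IPT -A OUTPUT -p tcp -o $INTERNAL_INTERFACE --sport 53 -j ACCEPT
#$IPT -A OUTPUT -p udp -o $INTERNAL_INTERFACE --sport 53 -j ACCEPT
# apache, replies
"$IPT" -A OUTPUT -p tcp --sport 80 -j ACCEPT
# samba, replies
"$IPT" -A OUTPUT -p tcp -o "$INTERNAL_INTERFACE" --dport 139 -j ACCEPT
"$IPT" -A OUTPUT -p udp -o "$INTERNAL_INTERFACE" --dport 138 -j ACCEPT
"$IPT" -A OUTPUT -p udp -o "$INTERNAL_INTERFACE" --dport 137 -j ACCEPT
"$IPT" -A OUTPUT -p tcp -o "$INTERNAL_INTERFACE" --sport 515 -j ACCEPT
# squid, replies
"$IPT" -A OUTPUT -p tcp -o "$INTERNAL_INTERFACE" --sport 3128 -j ACCEPT
# ntop, replies
"$IPT" -A OUTPUT -p tcp -o "$INTERNAL_INTERFACE" --sport 3000 -j ACCEPT
# squid, replies
"$IPT" -A OUTPUT -p tcp -o "$INTERNAL_INTERFACE" --sport 8000 -j ACCEPT
# Requests to the local sshd from outside.
"$IPT" -A INPUT -p tcp -i "$EXTERNAL_INTERFACE" --dport 22 -j ACCEPT
# Replies from other ssh servers.
"$IPT" -A INPUT -p tcp -i "$EXTERNAL_INTERFACE" --sport 22 -j ACCEPT
# See the DNS note above: initially only outbound queries were allowed.
#$IPT -A INPUT -p tcp -i $EXTERNAL_INTERFACE --sport 53 -j ACCEPT
#$IPT -A INPUT -p udp -i $EXTERNAL_INTERFACE --sport 53 -j ACCEPT
#$IPT -A INPUT -p tcp -i $EXTERNAL_INTERFACE --dport 53 -j ACCEPT
#$IPT -A INPUT -p udp -i $EXTERNAL_INTERFACE --dport 53 -j ACCEPT
# Replies from sshd / requests to other sshd.
"$IPT" -A OUTPUT -p tcp -o "$EXTERNAL_INTERFACE" --sport 22 -j ACCEPT
"$IPT" -A OUTPUT -p tcp -o "$EXTERNAL_INTERFACE" --dport 22 -j ACCEPT
# Packets to other DNS servers.
"$IPT" -A OUTPUT -p tcp -o "$EXTERNAL_INTERFACE" --dport 53 -j ACCEPT
"$IPT" -A OUTPUT -p udp -o "$EXTERNAL_INTERFACE" --dport 53 -j ACCEPT
# Replies from the local DNS server.
"$IPT" -A OUTPUT -p tcp -o "$EXTERNAL_INTERFACE" --sport 53 -j ACCEPT
"$IPT" -A OUTPUT -p udp -o "$EXTERNAL_INTERFACE" --sport 53 -j ACCEPT

# Assorted hardening.
"$IPT" -A INPUT -m state --state INVALID -j DROP
# Any ICMP from the LAN.
"$IPT" -A INPUT -p icmp -i "$INTERNAL_INTERFACE" -j ACCEPT
# From outside ICMP is rate-limited and restricted by type, to blunt ping
# floods and the like. Note the first rule admits any type at up to 20/min.
"$IPT" -A INPUT -p icmp -m limit --limit 20/m -i "$EXTERNAL_INTERFACE" -j ACCEPT
for icmp_type in 0 3 4 11 12 fragmentation-needed time-exceeded; do
  "$IPT" -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp -s "$ANYWHERE" \
    --icmp-type "$icmp_type" -d "$IPADDR1" -j ACCEPT
done
"$IPT" -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp -d "$IPADDR1" -j DROP
for icmp_type in 4 8 12 fragmentation-needed time-exceeded; do
  "$IPT" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp -s "$IPADDR1" \
    --icmp-type "$icmp_type" -d "$ANYWHERE" -j ACCEPT
done
"$IPT" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp -m limit --limit 30/m -s "$IPADDR1" \
  --icmp-type echo-reply -d "$ANYWHERE" -j ACCEPT
"$IPT" -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp -s "$IPADDR1" -j DROP

# Windows hosts make all sorts of odd requests; drop them before the LOG rule
# so they are not logged.
"$IPT" -A INPUT -p udp --dport 68 -j DROP
"$IPT" -A INPUT -d 224.0.0.1 -j DROP
"$IPT" -A INPUT -d 255.255.255.255 -j DROP

# Log everything not accepted above.
# NOTE(review): this LOG rule is not rate-limited, so a port scan can fill the
# log; "-m limit" on it is the usual mitigation. Because the DROP below is
# commented out, packets reaching here continue to the chain's default policy.
#$IPT -A INPUT -j LOG --log-prefix "dropped: "
"$IPT" -A INPUT -j LOG --log-level "info" --log-prefix "dropped: "
# This closed everything coming from inside; rules above it that refer to the
# internal network still win because they come first in the chain (e.g. ftp).
#$IPT -A INPUT -j DROP

# Masquerade the LAN behind the public address.
"$IPT" -t nat -A POSTROUTING -s "$INTERNAL_NET" -o "$EXTERNAL_INTERFACE" \
  -j SNAT --to-source "$IPADDR1"

# Keep NetBIOS/SMB traffic from the LAN off other people's samba servers.
# The original rules paired tcp with 137 and udp with 139; the samba INPUT
# rules above use udp 137/138 and tcp 139. The ranges cover both pairings.
"$IPT" -A FORWARD -p tcp --sport 137:139 -j REJECT --reject-with icmp-port-unreachable
"$IPT" -A FORWARD -p udp --sport 137:139 -j REJECT --reject-with icmp-port-unreachable
# Everything else is forwarded in both directions for the LAN.
"$IPT" -A FORWARD -s "$INTERNAL_NET" -j ACCEPT
"$IPT" -A FORWARD -d "$INTERNAL_NET" -j ACCEPT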
