i tried to close some ports with iptables but i still can connect to irc
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 6000:65535 -j DROP
please help me thanks for your time
what program are you connecting with and what address?
What Linux distribution/version are you running?
Description of your network setup would help a lot.
Jim H
i'm using slackware 8.1
irc client mirc
Well since I know nothing about how your network is setup I can only make a couple of generic suggestions.
Port 6667 is the default port used by IRC. This will drop all outgoing/forwarded packets from 192.168.0.0/24 (I assume this is your internal ip address range from your first post)
iptables -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 6667 -j DROP
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 6667 -j DROP
Jim H
i tried the way u advised me ... but still can get access to irc . and if i try the section with forward it will become the first rule and will block some access ??? after i wrote with forward internet n/a and mirc could connect on 7777 if specified . please help me to understand what to do . all i want is to cut connection for irc. also i flushed all chains . thanks a lot
If you are running an IRC client on 7777 besides the default port of 6667 then you will have to close that port also with similar lines.
The best way is to set the default table policies to DROP and write rules that only allow access you want.
Jim H
so i only make forwarding for 25 53 80 110 (the ports i need)
i'm not sure about 53 for my lan . if u're kind can u explain with some examples the use of iptables (i`ve read the how-to)
need some explanation about how it works, chains, policies .... in other words an example with some explanation .
ps. i know it's kind of off topic , but please help ...
best regards !
Yes you will need port 53 open for DNS.
A few examples
I imagine if you are masquerading the boxes on the Lan you are currently using....
iptables -A FORWARD -i <lan> -o <external dev> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i <external dev> -o <lan> -m state --state ESTABLISHED,RELATED -j ACCEPT
You need to remove the "NEW" from the first one above.
Then create rules like below for what you wish to allow.
iptables -A FORWARD -o <external dev> -p udp --sport 1024:65535 -d <nameserver> --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -o <external dev> -p tcp --sport 1024:65535 -d <nameserver> --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -o <external dev> -p tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
Understand what is going on here?
Jim H
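As an added example (mine, not Jim's or anything posted in the thread), here is a complete default-DROP FORWARD ruleset for a gateway along the lines Jim describes: replies to existing connections pass both ways, DNS is allowed only to one resolver, and only the listed TCP ports may open new connections, so IRC on 6667 or 7777 falls through to DROP. The interface names eth0/eth1, the LAN range and the resolver address are assumptions; `dry-run` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): a default-DROP gateway ruleset along the
# lines Jim describes. Set IPT=echo (or use "dry-run") to print the rules
# instead of applying them. Interfaces, LAN range and resolver are assumptions.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"                   # internal NIC (assumed)
EXT_IF="${EXT_IF:-eth0}"                   # external NIC (assumed)
LAN_NET="${LAN_NET:-192.168.0.0/24}"       # LAN range from the first post
NAMESERVER="${NAMESERVER:-203.0.113.53}"   # placeholder: your ISP's resolver
ALLOW_TCP="${ALLOW_TCP:-25 53 80 110}"     # TCP ports the LAN may open outbound

build_rules() {
    # Start clean, then make DROP the default so only explicit ACCEPTs pass.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP

    # Traffic belonging to connections already allowed, in both directions.
    # No NEW on the LAN->outside rule: new connections must match a port rule.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS: only to the configured resolver, UDP and TCP.
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -p "$proto" -s "$LAN_NET" \
            -d "$NAMESERVER" --dport 53 -m state --state NEW -j ACCEPT
    done

    # Explicitly allowed outbound TCP services. IRC (6667, 7777, ...) is not
    # listed, so new connections to it hit the FORWARD DROP policy.
    for port in $ALLOW_TCP; do
        [ "$port" = 53 ] && continue   # already restricted to the resolver above
        $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -p tcp -s "$LAN_NET" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Masquerade the LAN behind the external address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# "apply" loads the rules; "dry-run" prints the iptables commands instead.
case "${1:-}" in
    apply)   build_rules ;;
    dry-run) IPT=echo; build_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```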
yes and no???
first yes i'm using masquerade... but let me tell u how it's done. 1 server 166Mhz 3GB hdd/48MB RAM with Slackware 8.1 - mail server, gateway and web server. 2 nics -1 eth0 - external and eth1 internal. also i have a zone for bind , server is primary master and the nameserver from the isp is secondary master. i've chrooted bind for security reasons.
u said :
iptables -A FORWARD -i <lan> -o <external device> -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i <external device> -o <lan> -m state --state ESTABLISHED,RELATED -j ACCEPT
so ... external device and internal device (lan) can be specified like IP's .... external device aaa.bbb.ccc.aaa
and internal device 192.168.0.0/24 or like devices meaning
internal device eth1 and external device eth0 ?
second what's the meaning of state, ESTABLISHED and RELATED ?
i've seen that u are using sport between 1024 and 65535
and i'm wondering why ? looking at this i'm thinking that the connection from the clients (LAN) to server is made on ports bigger than 1024.
<nameserver> is the nameserver from the isp, isn't it ?
thanks a lot jim
have a great time