Ok Ray Leach, could you send me the iptables rule please? Thanks.
On Mon, 2002-07-22 at 14:49, Thiego Xavier (MIU) wrote:
> Ok Ray Leach, could you send me the iptables rule please? Thanks.

To enable Kazaa clients to share with other internet users:

iptables -A FORWARD -p tcp --dport 1214 -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INTERFACE -p tcp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INTERFACE -p udp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET_INTERFACE -p tcp --sport 1024: -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET_INTERFACE -p udp --sport 1024: -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT

If you run a NAT firewall also these:

iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -p tcp --dport 1024: -s $INTERNAL_NET -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -p udp --dport 1024: -s $INTERNAL_NET -j SNAT --to-source $INET_IP

Substitute the correct interfaces and IPs for the $VARIABLES.

Ray
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
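As an added example (not Ray's script and not part of the thread), the rules above wrapped in a small POSIX sh script that fills in the $VARIABLES from the environment and refuses obviously wrong input before emitting anything. The interface names, LAN prefix and public address are constructed placeholders; IPTABLES defaults to "echo iptables" so the script only prints the rules until you point it at the real binary. The port ranges are left exactly as posted in the thread.

```shell
#!/bin/sh
# Added example, not Ray's script: builds the FORWARD and SNAT rules from
# the thread with the $VARIABLES filled in from the environment. All
# defaults below are constructed placeholders; override them for a real box.
# IPTABLES defaults to a dry run that only prints the commands.
set -eu   # -u: a misspelled variable (like $INTERNAT_NET) aborts the script
          # instead of expanding to nothing and yielding "-s" with no argument

INTERNAL_INTERFACE=${INTERNAL_INTERFACE:-eth1}   # LAN side (placeholder)
INTERNET_INTERFACE=${INTERNET_INTERFACE:-eth0}   # uplink (placeholder)
INTERNAL_NET=${INTERNAL_NET:-192.168.0.0/24}     # LAN prefix, CIDR form
INET_IP=${INET_IP:-203.0.113.10}                 # public address (RFC 5737 test range)
IPTABLES=${IPTABLES:-echo iptables}              # set to /usr/sbin/iptables to apply

# Refuse obviously wrong input before any rule is emitted.
check_vars() {
    case "$INTERNAL_NET" in
        */*) ;;
        *) echo "INTERNAL_NET must be a CIDR prefix, got '$INTERNAL_NET'" >&2; return 1 ;;
    esac
    if [ "$INTERNAL_INTERFACE" = "$INTERNET_INTERFACE" ]; then
        echo "internal and internet interface must differ" >&2
        return 1
    fi
    return 0
}

# Forwarding rules: inbound Kazaa port, outbound unprivileged ports for
# both protocols, and matching stateful return traffic. These must sit
# before any default DROP/REJECT rule in the FORWARD chain.
kazaa_forward_rules() {
    $IPTABLES -A FORWARD -p tcp --dport 1214 -j ACCEPT
    for proto in tcp udp; do
        $IPTABLES -A FORWARD -i "$INTERNAL_INTERFACE" -p "$proto" --dport 1024: \
            -s "$INTERNAL_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -i "$INTERNET_INTERFACE" -p "$proto" --sport 1024: \
            -d "$INTERNAL_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# SNAT rules for the NAT-firewall case from the thread.
kazaa_nat_rules() {
    for proto in tcp udp; do
        $IPTABLES -t nat -A POSTROUTING -o "$INTERNET_INTERFACE" -p "$proto" --dport 1024: \
            -s "$INTERNAL_NET" -j SNAT --to-source "$INET_IP"
    done
}

check_vars
kazaa_forward_rules
kazaa_nat_rules
```

Run it once with the default dry run and read the printed rules, then set IPTABLES=/usr/sbin/iptables (or wherever the binary lives) to apply them. The check_vars function only catches a non-CIDR prefix and identical interfaces; with set -u the shell itself catches the variable-name typo that was in the posted rules.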
----- Original Message -----
From: "Ray Leach" <raymondl@knowledgefactory.co.za>
To: "Thiego Xavier (MIU)" <xavier@miu.com.br>
Cc: <suse-security@suse.com>
Sent: Monday, July 22, 2002 3:06 PM
Subject: Re: Fw: [suse-security] Kazaa
> On Mon, 2002-07-22 at 14:49, Thiego Xavier (MIU) wrote:
> > Ok Ray Leach, could you send me the iptables rule please? Thanks.
>
> To enable Kazaa clients to share with other internet users:
>
> iptables -A FORWARD -p tcp --dport 1214 -j ACCEPT
> iptables -A FORWARD -i $INTERNAL_INTERFACE -p tcp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTERNAL_INTERFACE -p udp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTERNET_INTERFACE -p tcp --sport 1024: -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTERNET_INTERFACE -p udp --sport 1024: -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
SuSEfirewall2 does the same with the following rule (without masquerading):

13.) [...]
FW_FORWARD="192.168.0.0/24,0.0.0.0/0,tcp,1024: 192.168.0.0/24,0.0.0.0/0,udp,1024: 0.0.0.0/0,192.168.0.0/24,tcp,1024: 0.0.0.0/0,192.168.0.0/24,udp,1024:"

Add further rules for port ranges not to forward to the Internet (e.g. 1024:3305 3307:65535 for not showing MySQL ...)
> If you run a NAT firewall also these:
>
> iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -p tcp --dport 1024: -s $INTERNAL_NET -j SNAT --to-source $INET_IP
> iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -p udp --dport 1024: -s $INTERNAL_NET -j SNAT --to-source $INET_IP
Use the following rule with SuSEfirewall2 and masquerading:

14.) [...]
FW_FORWARD_MASQ="192.168.0.0/24,0.0.0.0/0,tcp,1024: 192.168.0.0/24,0.0.0.0/0,udp,1024: 0.0.0.0/0,192.168.0.0/24,tcp,1024: 0.0.0.0/0,192.168.0.0/24,udp,1024:"
> Substitute the correct interfaces and IPs for the $VARIABLES.
Interfaces have to be set correctly in 2.) FW_DEV_EXT="DEVICE", 3.) FW_DEV_INT="DEVICE" and 4.) FW_DEV_DMZ="DEVICE"

Philippe
* Ray Leach wrote on Mon, Jul 22, 2002 at 15:06 +0200:
> On Mon, 2002-07-22 at 14:49, Thiego Xavier (MIU) wrote:
> To enable Kazaa clients to share with other internet users:
>
> iptables -A FORWARD -p tcp --dport 1214 -j ACCEPT
> iptables -A FORWARD -i $INTERNAL_INTERFACE -p tcp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTERNAL_INTERFACE -p udp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Why UDP? Shouldn't this get blocked on the external interface (such a "default" rule assumed)? And isn't Kazaa using userport->1214 always? And if so, why allow connections to all user ports here?
> iptables -A FORWARD -i $INTERNET_INTERFACE -p tcp --sport 1024: -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
Why not additionally require --dport 1214?

oki,

Steffen

-- 
This letter was generated by machine and therefore bears neither signature nor seal.
On Wed, 2002-07-24 at 11:08, Steffen Dettmer wrote:
> * Ray Leach wrote on Mon, Jul 22, 2002 at 15:06 +0200:
> > On Mon, 2002-07-22 at 14:49, Thiego Xavier (MIU) wrote:
> > To enable Kazaa clients to share with other internet users:
> >
> > iptables -A FORWARD -p tcp --dport 1214 -j ACCEPT
> > iptables -A FORWARD -i $INTERNAL_INTERFACE -p tcp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i $INTERNAL_INTERFACE -p udp --dport 1024: -s $INTERNAL_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> Why UDP? Shouldn't this get blocked on the external interface (such a "default" rule assumed)? And isn't Kazaa using userport->1214 always? And if so, why allow connections to all user ports here?
>
> > iptables -A FORWARD -i $INTERNET_INTERFACE -p tcp --sport 1024: -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Why not additionally require --dport 1214?
Sorry, I use these rules to allow passive FTP as well.
> oki,
>
> Steffen
>
> -- 
> This letter was generated by machine and therefore bears neither signature nor seal.
Participants (4):
- Philippe Vogel
- Ray Leach
- Steffen Dettmer
- Thiego Xavier (MIU)