Difference between revisions of "Iptables Block MSN"
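--- a/Iptables_Block_MSN
+++ b/Iptables_Block_MSN
@@ -6,23 +6,18 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
-</pre><pre># Basic protections against syn floods and other
-
+</pre><pre># Basic protections against syn floods and other stuf
 -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
 -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
 -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT</pre><pre># Block MSN
-
 -I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP
 -I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
 -I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT</pre><pre># Block AIM/ICQ
-
 -I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
 -I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > "
 -I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT</pre><pre># Block Yahoo IM
-
 -I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
 -I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > "
 -I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT</pre><pre># Allowing anything else
-
 -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 </pre>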
Revision as of 10:42, 12 August 2008
This is the iptables configuration stored under /etc/sysconfig/iptables:
(eth0 = WAN interface, eth1 = LAN interface)
You’ll notice that 192.168.1.16 is allowed to connect to any of these services.
# iptables-restore dump of the *filter table for a two-interface gateway
# (eth0 = WAN, eth1 = LAN). INPUT and FORWARD default to DROP, so only
# traffic explicitly accepted below gets through; locally generated traffic
# (OUTPUT) is accepted by policy.
# NOTE(review): iptables-restore expects the table to be closed by a COMMIT
# line; none appears in this listing — confirm it is present in the real file.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Basic protections against syn floods and other stuff.
# NOTE(review): these are rate-limited ACCEPTs with no interface, source or
# state qualifier, so they accept a trickle (1/s) of new SYNs, RSTs and pings
# in either direction, including WAN -> LAN, and they sit ahead of the stateful
# rules appended at the end of this file. Confirm that is intended; in a
# default-DROP chain a flood guard is usually restricted to the LAN side
# (-i eth1) or written to match and drop the excess rather than accept it.
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Block MSN.
# The three IM blocks use -I, which inserts at the head of FORWARD, so within
# each block the rules take effect in reverse order of appearance: the ACCEPT
# for 192.168.1.16 lands above the LOG, which lands above the DROP. Net effect
# per block: .16 is allowed, every other LAN host is logged (LOG is
# non-terminating) and then dropped. All -I rules also end up ahead of every
# -A rule in this file, regardless of where they are written.
# This block only matches TCP to destination port 1863; client traffic on any
# other port is not covered by it.
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
-I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT
# Block AIM/ICQ.
# NOTE(review): destination-range based, any protocol. The range below is as
# recorded in the 2008 revision of this page — verify it is still meaningful
# before reusing the rule.
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > "
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT
# Block Yahoo IM.
# NOTE(review): same caveat as the AIM/ICQ block — the destination range dates
# from the 2008 revision.
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > "
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT
# Allowing anything else.
# Stateful pass-through: LAN (eth1) may open new connections toward the WAN
# (eth0); from the WAN only replies to existing or related connections are
# forwarded back. Anything not matched by this point falls to the FORWARD
# policy and is dropped.
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT