Difference between revisions of "Iptables Block MSN"
(New page: This is iptables config stored under /etc/sysconfig/iptables :<br>(eth0 = WAN interface, eth1 = LAN interface) You’ll notice 192.168.1.16 is allowed to connect to any services<br> <pre>...) |
|||
| Line 1: | Line 1: | ||
| − | This is iptables config stored under /etc/sysconfig/iptables :<br>(eth0 = WAN interface, eth1 = LAN interface) | + | This is iptables config stored under /etc/sysconfig/iptables :<br>(eth0 = WAN interface, eth1 = LAN interface) |
| − | You’ll notice 192.168.1.16 is allowed to connect to any services<br> | + | You’ll notice 192.168.1.16 is allowed to connect to any services<br> |
<pre>*filter | <pre>*filter | ||
:INPUT DROP [0:0] | :INPUT DROP [0:0] | ||
| Line 7: | Line 7: | ||
:OUTPUT ACCEPT [0:0] | :OUTPUT ACCEPT [0:0] | ||
</pre><pre># Basic protections against syn floods and other stuff | </pre><pre># Basic protections against syn floods and other stuff | ||
| + | |||
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT | -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT | ||
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT | -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT | ||
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT</pre><pre># Block MSN | -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT</pre><pre># Block MSN | ||
| + | |||
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP | -I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP | ||
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > " | -I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > " | ||
-I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT</pre><pre># Block AIM/ICQ | -I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT</pre><pre># Block AIM/ICQ | ||
| + | |||
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP | -I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP | ||
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > " | -I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > " | ||
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT</pre><pre># Block Yahoo IM | -I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT</pre><pre># Block Yahoo IM | ||
| + | |||
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP | -I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP | ||
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > " | -I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > " | ||
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT</pre><pre># Allowing anything else | -I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT</pre><pre># Allowing anything else | ||
| + | |||
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT | -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
</pre> | </pre> | ||
Revision as of 10:39, 12 August 2008
This is iptables config stored under /etc/sysconfig/iptables :
(eth0 = WAN interface, eth1 = LAN interface)
You’ll notice 192.168.1.16 is allowed to connect to any services
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0]
# Basic protections against syn floods and other stuff-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Block MSN-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP -I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
-I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT
# Block AIM/ICQ-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP -I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > "
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT
# Block Yahoo IM-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP -I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > "
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT
# Allowing anything else-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
