On Thu, Jun 16, 2005 at 04:59:51PM +0300, Sadus . wrote:
> Hello i want to drop ALL connections on my internal NIC except:
> 20,21,80,443
> is this correct? (although not working)
>
>
> iptables -A INPUT -i eth1 -s 172.16.3.0/16 -p tcp -m multiport ! --destination-port 20,21,80,443 -j DROP #USERS
>
> which basically means if source is in 172.16.3.0 then drop all except for
> HTTP,FTP,HTTPS. that's in order for that IP range to not be able to
> connect to Instant Messaging services such as MSN, AIM, Yahoo etc...
> while keeping other IP ranges able to use them.

unless you're trying to keep them from connecting to MSN, AIM, Yahoo etc on
your firewall vs. hosts on the internet, you want those rules in FORWARD,
not INPUT.

also, it's often much more logical to explicitly allow what you want and
then deny everything else vs. using negation in your rules. so *i* would
do this:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 172.16.3.0/16 \
    -m multiport --dports 21,80,443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 172.16.3.0/16 -j DROP

keep in mind that most messenger apps (i know msn does this) will connect
to a proxy at microsoft over port 80 if its default port (TCP 1863) is
blocked. the proper way to stop this is to force all TCP port 80 traffic
through an application-level proxy such as squid.

-j

--
"Cult Leader: Are you a confused adolescent desperately seeking acceptance
from an undifferentiated ego mass that demands conformity?" --Family Guy
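An added example, not from either poster, that turns the allow-then-deny FORWARD ruleset above into an iptables-restore fragment and checks the source prefix first: 172.16.3.0/16 has host bits set, so the kernel matches 172.16.0.0/16, a wider range than the 172.16.3.0 network the question names. The function names cidr_network and forward_rules are my own.

```shell
#!/bin/sh
# Added example: generate the FORWARD ruleset in iptables-restore format and
# flag a CIDR whose host bits are not zero (the kernel silently masks them).

# Print the network a CIDR actually matches: "172.16.3.0/16" -> "172.16.0.0/16".
cidr_network() {
  ip=${1%/*}; bits=${1#*/}
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs      # split into four octets
  addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  if [ "$bits" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
  net=$(( addr & mask ))
  printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# Emit an explicit-allow ruleset for one inside interface and source prefix:
#   forward_rules IFACE CIDR PORTS   (PORTS is a multiport list, e.g. 21,80,443)
# Only TCP is restricted, as in the post; UDP/ICMP from the range still passes.
forward_rules() {
  iface=$1; want=$2; ports=$3
  net=$(cidr_network "$want")
  if [ "$net" != "$want" ]; then
    printf 'warning: %s has host bits set; the kernel will match %s\n' \
      "$want" "$net" >&2
  fi
  printf '*filter\n'
  printf -- '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
  printf -- '-A FORWARD -i %s -p tcp -s %s -m multiport --dports %s -j ACCEPT\n' \
    "$iface" "$net" "$ports"
  printf -- '-A FORWARD -i %s -p tcp -s %s -j DROP\n' "$iface" "$net"
  printf 'COMMIT\n'
}

# Usage: write the fragment, then dry-run it with "iptables-restore --test".
forward_rules eth1 172.16.3.0/16 21,80,443
```

The warning on stderr is what tells you the prefix you typed is not the prefix you will get; if you really meant only 172.16.3.0, use /24.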