Re: dhcp windows client port (nfcan: addressed to exclusive sender for this address)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2005.11.12 13:45, P theodorou - props666999@xxxxxxxxxxx wrote:
Thanks Rob for you detailed reply.

My intention is to secure this side  of network as much as possible
I'm not a guru but common sense says that if i block everything apart from the
web access then this is   well restricted policy  OR IT IS NOT ?

First, it may be overly restrictive.
For instance, some people find ftp useful,
some people send and receive email,
and some use network time protocol.

Second, some clients you may not approve of
will contact outside servers on port 80
when their preferred ports are blocked.
I believe that skype, for instance, does this.

The firewall rules below work at the level of
internet protocols, such as 'tcp',
and, for tcp, the ports that tcp uses.
These rules do not distinguish what flows
through a tcp connection on port 80;
they do not distinguish 'http' from other traffic.
And even the http protocol can be used as a
wrapper for many other things - it does not
have to originate from a web browser, for instance.
So, you should not feel overly secure just because
of the limits on which ports are allowed.

Jim


regards

From: "Rob Sterenborg" <rob@xxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Subject: RE: dhcp windows client port Date: Sat, 12 Nov 2005 18:08:14 +0100

> i wish  the windows machine which receives Internet from the
> firewall pc to be restricted fully apart from the port needed to
> access the internet
>
> the windows machine has got fully access when my rc.firewall
> contains
>
> $iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
>
> which gives to the windows machine access to every port
>
> i've tried unsuccesully the following command
>
> $iptables -A FORWARD -p TCP -i $LAN_IFACE -- sport XX -j ACCEPT
>
> my netstat on the windows machine displays various connections
> few questions now
>
>
> 1 which port should be alolwed for the windows machine to see internet
> 2 can i restrct it to  something like :
> $iptables -A FORWARD  -p TCP -i $LAN_IFACE  -sport XX -dport XX -j
> ACCEPT
>
> in other words, allow  the windows relevant port for accesing on the
> internet  to be connected to the specific port of the firewall

You will not connect to any port on the firewall. The firewall will
route your packets through to the internet.

To access websites you need DNS (port 53/udp, sometimes tcp) to be able
to resolve the hostname of the website. Further, most websites use http
and/or https, ports 80/tcp and 443/tcp.
So, your ruleset would look like :

$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $IF_LAN -o $IF_INET -m state --state NEW \
  -p udp --dport 53 -j ACCEPT
$ipt -A FORWARD -i $IF_LAN -o $IF_INET -m state --state NEW \
  -p tcp --dport 53 -j ACCEPT
$ipt -A FORWARD -i $IF_LAN -o $IF_INET -m state --state NEW \
  -p tcp --dport 80 -j ACCEPT
$ipt -A FORWARD -i $IF_LAN -o $IF_INET -m state --state NEW \
  -p tcp --dport 443 -j ACCEPT

But, this way you will not be able to browse a website that is not
hosted on a standard port (eg 81/tcp).
For more information about Netfilter, check out
http://iptables-tutorial.frozentux.net/iptables-tutorial.html.


--
Jim Laurino
nfcan.x.jimlaur@xxxxxxxx
Please reply to the list.
Only mail from the listserver reaches this address.


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux