Thanks for help guys! It works! Just another question.... What do I do to let a free IP behind my Bridge firewall (L7)? I need an IP that can access all.......

Best Regards
Stephan

On 4/19/07, Juan León <debjuanca@xxxxxxxxx> wrote:
Hi Stephan, with my experience in firewalling, you can try using these rules with yours. Let's take a close look at your rules.

#iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm

Maybe this line is associated with gmail, I suggest you use a proxy to match strings like orkut. Read Oskar Andreasson's paragraph.

"For example, if we use a string match and match for a specific string inside the packet, let's say get /index.html. Will that work? Normally, yes. However, if the packet size is very small, it will not. The reason is that iptables is built to work on a per packet basis, which means that if the string is split into several separate packets, iptables will not see that whole string. For this reason, you are much, much better off using a proxy of some sort for filtering in the application layer"

For hotmail you can add this line just above every FORWARD line, see "-I", the same with your mail.server.com

#iptables -I FORWARD -d www.hotmail.com -j ACCEPT
#iptables -I FORWARD -d mail.server.com -j ACCEPT

Hope this helps.

2007/4/19, Stephan Higuti <higuti.sam@xxxxxxxxx>:
> My rulez....
>
> ## Flushing the IPTABLES rules
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
>
> ## Enabling packet forwarding ##
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> ## Loading IPTABLES modules ##
> modprobe iptable_nat
> modprobe ip_nat_ftp
> modprobe ip_conntrack
> modprobe ipt_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_tables
> modprobe ipt_LOG
> modprobe ipt_limit
> modprobe ipt_REJECT
> modprobe ipt_layer7
>
> # Creating NAT for the whole network.
> #iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
>
> ## Enabling Layer 7 rules
> # Blocking skype-to-skype
> iptables -A FORWARD -m layer7 --l7proto skypetoskype -j DROP
>
> # Blocking Skypeout
> iptables -A FORWARD -m layer7 --l7proto skypeout -j DROP
>
> # Blocking Messenger
> #iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
> #iptables -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
>
> # Blocking the goddamn ORKUT by string using the bm algorithm (km can be used too)
> iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm
>
> # Blocking torrents
> iptables -t filter -A FORWARD -m layer7 --l7proto bittorrent -j DROP
>
> # Switching to stateful
> #iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>
> These rules are blockin' gmail, hotmail and my mail server.....
> But it's just a few rulez....
> Some wrong?
>
> Cheers
>
> Stephan
>
> --
> ---------------------------------------------------------------------
> Stephan Higuti
> MSN: higutisam@xxxxxxxxxxx
> Email: higuti.sam@xxxxxxxxx
> ---------------------------------------------------------------------
>
>
--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@xxxxxxxxxxx
Email: higuti.sam@xxxxxxxxx
---------------------------------------------------------------------
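Added example, not part of the thread and not iptables itself: a small Python model of a first-match chain like FORWARD, showing the two points Juan raises. First, why a per-packet `-m string` rule misses "orkut" once the string straddles two TCP segments while a reassembling proxy still catches it; second, why the mail-server ACCEPT only helps when it is placed with `-I` above the string DROP rather than appended with `-A`. The hostnames, source address and payloads are constructed sample data, and the `Rule`, `Chain` and `demo` names are this example's own.

```python
# Added example (not from the thread): a toy model of first-match rule
# evaluation and per-packet string matching. Hostnames, the source address
# and the payloads below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str        # source host (constructed)
    dst: str        # destination host, kept as a name for readability
    payload: bytes  # TCP payload carried by this single segment


@dataclass
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    dst: Optional[str] = None       # like -d
    src: Optional[str] = None       # like -s
    string: Optional[bytes] = None  # like -m string --string

    def matches(self, pkt: Packet) -> bool:
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        # The string match only ever sees this one packet's payload.
        if self.string is not None and self.string not in pkt.payload:
            return False
        return True


class Chain:
    """First-match chain: the first rule that matches decides the verdict."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules: List[Rule] = []
        self.policy = policy

    def append(self, rule: Rule) -> None:   # iptables -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: goes to position 1
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def per_packet_verdicts(chain: Chain, segments: List[Packet]) -> List[str]:
    """What the firewall does: judge every segment on its own."""
    return [chain.verdict(p) for p in segments]


def proxy_verdict(segments: List[Packet], banned: bytes) -> str:
    """What an application-layer proxy does: reassemble, then inspect."""
    stream = b"".join(p.payload for p in segments)
    return "DROP" if banned in stream else "ACCEPT"


def build_chain(use_insert: bool) -> Chain:
    """The thread's string DROP plus the mail-server ACCEPT, added via -I or -A."""
    chain = Chain()
    chain.append(Rule("DROP", string=b"orkut"))
    mail_ok = Rule("ACCEPT", dst="mail.server.com")
    if use_insert:
        chain.insert(mail_ok)   # ACCEPT lands above the DROP
    else:
        chain.append(mail_ok)   # ACCEPT lands below the DROP and never wins
    return chain


def demo() -> dict:
    whole = [Packet("192.168.0.10", "www.example.net", b"GET /orkut HTTP/1.1\r\n")]
    split = [Packet("192.168.0.10", "www.example.net", b"GET /ork"),
             Packet("192.168.0.10", "www.example.net", b"ut HTTP/1.1\r\n")]
    # A mail page that merely mentions orkut somewhere in its body.
    mail = [Packet("192.168.0.10", "mail.server.com", b"<a href=orkut>")]
    chain = build_chain(use_insert=True)
    return {
        "whole": per_packet_verdicts(chain, whole),
        "split": per_packet_verdicts(chain, split),
        "split_via_proxy": proxy_verdict(split, b"orkut"),
        "mail_with_insert": per_packet_verdicts(build_chain(True), mail),
        "mail_with_append": per_packet_verdicts(build_chain(False), mail),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the single-segment request dropped, the same request split over two segments accepted by the per-packet chain but dropped by the reassembling proxy, and the mail-server packet accepted only when its ACCEPT rule was inserted ahead of the string DROP.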