* Nat Rule ( Req help ASAP)
From: Nilesh @ 2004-11-09 7:04 UTC (permalink / raw)
To: netfilter
Hello All,
I am using Squid proxy and IPtables firewall.
Through Squid I am able to block Messenger and other sites, but if I put this in the firewall I cannot block Messenger:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
In connection settings, if I choose "no proxies", Yahoo Messenger easily gets connected.
Also we use the Cisco VPN client to connect to an outside VPN server. If I want to connect to the VPN I need to put that rule in, otherwise I can't connect.
Could anyone please tell me how to solve my problem? I want to block messengers and also want to connect to the VPN server through the client.
Thanks
Nilesh.
* Re: Nat Rule ( Req help ASAP)
From: Jason Opperisano @ 2004-11-09 17:21 UTC (permalink / raw)
To: netfilter
On Mon, Nov 08, 2004 at 11:04:56PM -0800, Nilesh wrote:
> Hello All,
>
> I am using Squid proxy and IPtables firewall.
> Through Squid I am able to block Messenger and other sites, but if I put
> this in the firewall I cannot block Messenger:
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
that's a NAT rule that translates the source IP address of all your
outbound traffic leaving $EXTIF to $EXTIP.
> In connection settings, if I choose "no proxies", Yahoo Messenger easily
> gets connected.
>
> Also we use the Cisco VPN client to connect to an outside VPN server. If
> I want to connect to the VPN I need to put that rule in, otherwise I
> can't connect.
>
> Could anyone please tell me how to solve my problem? I want to block
> messengers and also want to connect to the VPN server through the
> client.
i'm going to assume that your FORWARD policy must be set to ACCEPT
(note: i wouldn't have to assume if you had included your rules via:
iptables -t mangle -vnxL; iptables -t nat -vnxL; iptables -vnxL).
if your FORWARD policy is set to ACCEPT, you can explicitly drop the
ports used by yahoo messenger:
# yahoo messenger
iptables -A FORWARD -p tcp --dport 5050 -j DROP
# yahoo messenger voice chat
iptables -A FORWARD -p tcp --dport 5000:5001 -j DROP
iptables -A FORWARD -p udp --dport 5000:5010 -j DROP
# yahoo messenger web cam
iptables -A FORWARD -p tcp --dport 5100 -j DROP
if your FORWARD policy is set to DROP, and you need to allow the VPN client,
you should be able to allow it with:
# IKE
iptables -A FORWARD -i $INT_IF -p udp --dport 500 -j ACCEPT
# IPSec
iptables -A FORWARD -i $INT_IF -p 50 -j ACCEPT
# UDP Encapsulation
iptables -A FORWARD -i $INT_IF -p udp --dport 4500 -j ACCEPT
the specific encapsulation ports/protocols may vary depending on your
client settings.
-j
--
"I saw weird stuff in that place last night. Weird, strange, sick,
twisted, eerie, godless, evil stuff. And I want in."
--The Simpsons
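The reply above gives the rules in two halves (the messenger DROPs for an ACCEPT policy, the VPN ACCEPTs for a DROP policy). The script below is an added example, not code from either poster, that assembles them into one FORWARD ruleset with a default DROP policy: return traffic is admitted by the connection tracker, the Cisco client's IKE, ESP and NAT-T ports are allowed outbound from the inside interface, the messenger ports are dropped explicitly so they stay blocked even if a broad ACCEPT is added later, and the SNAT rule from the original post is kept. The interface names `eth0`/`eth1` and the address `203.0.113.10` are placeholders; the script defaults to a dry run (`IPTABLES="echo iptables"`) so it only prints the commands until you point `IPTABLES` at the real binary.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the FORWARD and NAT rules the
# reply describes with a default-DROP FORWARD policy.
# EXTIF, INT_IF and EXTIP below are assumed placeholder values.
EXTIF="${EXTIF:-eth0}"              # assumed external interface
INT_IF="${INT_IF:-eth1}"            # assumed internal (LAN) interface
EXTIP="${EXTIP:-203.0.113.10}"      # assumed external address (doc range)
# Dry run by default; set IPTABLES=/sbin/iptables to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Yahoo Messenger ports from the reply; dropped regardless of policy so a
# later broad ACCEPT rule cannot silently re-open them.
messenger_rules() {
    # yahoo messenger
    $IPTABLES -A FORWARD -p tcp --dport 5050 -j DROP
    # yahoo messenger voice chat
    $IPTABLES -A FORWARD -p tcp --dport 5000:5001 -j DROP
    $IPTABLES -A FORWARD -p udp --dport 5000:5010 -j DROP
    # yahoo messenger web cam
    $IPTABLES -A FORWARD -p tcp --dport 5100 -j DROP
}

# Cisco VPN client: IKE (udp/500), ESP (protocol 50) and NAT-T (udp/4500),
# allowed only from the LAN side towards the outside interface. Replies
# come back through the ESTABLISHED rule, since the SNAT above tracks them.
vpn_rules() {
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXTIF" -p udp --dport 500 -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXTIF" -p 50 -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXTIF" -p udp --dport 4500 -j ACCEPT
}

build_ruleset() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Return traffic for anything we allowed outbound.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    messenger_rules
    vpn_rules
    # The SNAT rule from the original post; it only rewrites source
    # addresses and never blocks anything by itself.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"
}

# In dry-run mode every emitted command starts with "iptables"; counting
# them is a quick sanity check that nothing was skipped.
count_rules() { build_ruleset | grep -c '^iptables '; }

build_ruleset
```

After applying it for real, confirm the policy and counters with the listing the reply asks for (`iptables -vnxL FORWARD`): the messenger DROP counters should climb when a client with "no proxies" tries to connect, and the udp/500 and udp/4500 ACCEPT counters when the Cisco client is started.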