On 12/17/07, Agnello George <[EMAIL PROTECTED]> wrote:
> On 12/16/07, Dinesh Joshi <[EMAIL PROTECTED]> wrote:
> > On 12/13/07, Agnello George <[EMAIL PROTECTED]> wrote:
> > > How do I block a client from accessing Yahoo chat?
> > > My current setup is as follows: I have a firewall and behind it I have
> > > a proxy server running on port 3128.
> > >
> > > Now, to block Yahoo chat access, I did the following in my squid.conf
> >
> > I'm a little late in replying. The best way to set up access control is
> > to start with a completely closed firewall and proxy. Open the ports
> > you require and set up port redirection 80 -> 3128 (if Squid is
> > running as a transparent proxy). Then open only THOSE services in Squid
> > which you require. Also remember NOT to NAT the machines or put ANY
> > machine in the DMZ.
>
> Sorry for the late reply on this. I did exactly what everyone was
> suggesting: blocking all the ports and enabling only those ports
> that we require (80, 8080, 21, 22, 443). By doing so we
> automatically block GTalk, Yahoo chat and MSN Messenger.
> Here is what I did:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A INPUT -p tcp -m multiport --dports 21,22,80,8080,443 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT \
>     --to-ports 3128
>
> This is all great and all, but I have one IM client installed on my system
> called "pidgin". I am able to log in with it when it is configured for Yahoo
> Messenger.
>
> Does anyone have any idea why this happens??
>
As mentioned before, I said I was able to block all chats... I was, however, wrong. I am kind of lost here.... Below is my iptables file (generated by the command system-config-securitylevel):

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT

Can someone just help me out here? :(

Thanks
--
Agnello . G .Dsouza

--
http://mm.glug-bom.org/mailman/listinfo/linuxers
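A way to see what a ruleset like the one above actually does with a packet, as an added example that is not part of the thread and not anyone's posted code: a small first-match simulator for the *filter table. It takes the posted file (copied inline as constructed input) plus a constructed new TCP connection arriving on the LAN side, walks the chain the way the kernel does (first match decides, a jump into a user-defined chain is entered and returned from, the chain policy applies when nothing matched) and reports which rule decided. For comparison it also walks a default-deny FORWARD chain written for this example. That chain, the use of tcp/5050 as a port outside the allow list, and the eth2 = LAN / eth0 = outside roles are assumptions made here, not facts from the posts.

```python
"""Walk one simulated connection through the *filter table of an iptables-save file.
Added example for the thread above, not code from the posts.  First match decides, user
chains are entered and returned from, the policy applies when nothing matched.  Only
-i/-o/-p/-d/--dport(s)/--state are modelled; a rule with any other option never matches."""
SIMPLE = {"-i": "in", "-o": "out", "-p": "proto", "-d": "dst"}   # option -> packet field

# Constructed copy of the filter table posted above (eth2 = LAN side, eth0 = outside).
POSTED_FILTER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Default-deny FORWARD chain written for this example (an assumption, not from the thread):
# replies plus the thread's port list minus 80, because the nat REDIRECT to squid turns
# port-80 traffic into local INPUT traffic (dport 3128) that never reaches FORWARD.
STRICT_FORWARD = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m multiport --dports 21,22,443,8080 -j ACCEPT
COMMIT
"""

def parse_rule(toks):
    # Tokens after '-A <chain>'; every option is assumed to take exactly one argument.
    rule = {"raw": " ".join(toks), "dports": None, "states": None, "target": None, "unknown": []}
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt == "-j":                          # what follows the target is a target option
            rule["target"] = arg
            break
        if opt in SIMPLE:
            rule[SIMPLE[opt]] = arg
        elif opt in ("--dport", "--dports", "--destination-ports"):
            rule["dports"] = {int(p) for p in arg.split(",")}
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt != "-m":                        # '-m <module>' only loads a match module
            rule["unknown"].append(opt)
    return rule

def parse_filter(text):
    # Returns ({chain: policy or None}, {chain: [rules]}); policy '-' marks a user chain.
    policies, chains, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
        elif in_filter and line.startswith("-A "):
            toks = line.split()
            chains.setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return policies, chains

def rule_matches(rule, pkt):
    fields_ok = not rule["unknown"] and all(rule.get(f) in (None, pkt.get(f)) for f in SIMPLE.values())
    ports_ok = rule["dports"] is None or pkt.get("dport") in rule["dports"]
    return fields_ok and ports_ok and (rule["states"] is None or pkt["state"] in rule["states"])

def walk(policies, chains, chain, pkt, trace):
    # First-match walk; returns ACCEPT/DROP/REJECT, else the chain policy (None means RETURN).
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not rule_matches(rule, pkt):
            continue
        trace.append(f"{chain}#{n} matched: -A {chain} {rule['raw']}")
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        if target in chains:                     # user chain: descend; fall through on return
            verdict = walk(policies, chains, target, pkt, trace)
            if verdict is not None:
                return verdict
    policy = policies.get(chain)                 # None for a user chain: implicit RETURN
    trace.append(f"{chain}: end of chain, policy {policy or 'RETURN'}")
    return policy

def verdict_for(filter_text, chain, pkt):
    trace = []
    return walk(*parse_filter(filter_text), chain, pkt, trace), trace

if __name__ == "__main__":   # constructed packet: new LAN connection, eth2 -> eth0, to tcp/5050
    pkt = {"in": "eth2", "out": "eth0", "proto": "tcp", "dport": 5050, "state": "NEW"}
    for t in (POSTED_FILTER, STRICT_FORWARD): print(*verdict_for(t, "FORWARD", pkt), sep="\n  ")
```

Running it prints the verdict and the rule trace for each ruleset. For the posted file the FORWARD chain jumps into RH-Firewall-1-INPUT, whose second rule (`-i eth2 -j ACCEPT`) matches the packet and ends the walk with ACCEPT, so the `:FORWARD DROP` policy is never consulted for anything arriving on eth2; the constructed default-deny chain ends at its DROP policy for the same packet and accepts it only when the port is in the allow list or the connection is already ESTABLISHED. The simulator knows only the options the posted file uses; a rule with `--icmp-type` or any other option it does not model is treated as never matching and flagged in `unknown`, so treat it as a reading aid for a dump, not a substitute for watching the per-rule counters of `iptables -L -v -n` on the box.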

