Well, what if you just block access to the server(s) in question directly? (anyway, it seems a useful tool to me, I don't see what you have against it, but...)

Radu wrote:
> Bro, there's no problem.
> The idea is how one could still do it with that damn yahoo messenger... because this thing is stressing me too.
> And I don't have too many ideas... in this direction...
> Maybe somebody has dealt with it anyway... just with blocking yahoo messenger...?
>
> Radu.
> ----- Original Message -----
> From: "Knight" <[EMAIL PROTECTED]>
> To: "Radu" <[EMAIL PROTECTED]>
> Sent: Tuesday, October 14, 2003 8:23 AM
> Subject: [rlug] Re: ICQ & YM and firewall
>
>> Radu,
>>
>> I think mea culpa
>> but where the hell did I read ipchains, because I know for sure that's what I read
>> whatsoever
>> sorry
>>
>> Wednesday, October 15, 2003, 2:05:25 AM, you wrote:
>>
>> R> Brother Knight,
>>
>> R> You'd do well to take the time to look carefully at the threads. The poor man had asked about iptables. Just for the sake of it, look back and you'll see you're a bit off with your replies. The thing about opening one's eyes... is very true. It starts right from the first mail....
>> R> For documentation purposes... I list it below... I hope you won't be upset with me, but it looks to me like it says iptables. I know that because I finished first grade with honours... :))
>>
>> R> Behave,
>> R> Radu.
>>
>> R> ---------------------------------------------------------------------------
>> R> Hello,
>>
>> R> I have a firewall script, made with iptables, on a gateway whose policy on the forward chain is "DROP" and which allows users from the local network to connect to the internet only on ports 80, 25, 110.
>> R> My idea would be that people from the local network can only get out on web and mail.
>> R> The problem arises when ICQ or YM uses any port to connect outside and connects to a multitude of addresses. So from the local network one can chat at will.
>> R> Can someone tell me how this trouble is solved?
>>
>> R> --
>> R> Thanks in advance,
>> R> Liviu mailto:[EMAIL PROTECTED]
>>
>> R> ---
>> R> Details about our mailing lists: http://www.lug.ro/
>> R> ------------------------------------------------------------------------
>>
>> R> ----- Original Message -----
>> R> From: "Knight" <[EMAIL PROTECTED]>
>> R> To: "Radu" <[EMAIL PROTECTED]>
>> R> Sent: Tuesday, October 14, 2003 7:55 AM
>> R> Subject: [rlug] Re: ICQ & YM and firewall
>>
>>>> Radu,
>>>>
>>>> did you even read what I wrote?
>>>> the guy who posted the thread asked for help with ipchains
>>>> so don't jump on me
>>>> alphabet matter my ass, it's a matter of following a thread and opening your eyes wide :))
>>>>
>>>> Wednesday, October 15, 2003, 1:48:55 AM, you wrote:
>>>>
>>>> R> Old man, IPTABLES. Not ipchains.
>>>> R> A matter of alphabet.
>>>> R> ----- Original Message -----
>>>> R> From: "Knight" <[EMAIL PROTECTED]>
>>>> R> To: "Dekxter X." <[EMAIL PROTECTED]>
>>>> R> Sent: Tuesday, October 14, 2003 7:01 AM
>>>> R> Subject: [rlug] Re: ICQ & YM and firewall
>>>>
>>>>>> Dekxter,
>>>>>>
>>>>>> yes but the guy specified he wants ipchains
>>>>>> :(((((((
>>>>>> with -y I think it was in ipchains :)) instead of --syn
>>>>>>
>>>>>> Monday, October 13, 2003, 6:32:40 PM, you wrote:
>>>>>>
>>>>>> DX> you will have to modify FORWARD with:
>>>>>>
>>>>>> DX> iptables --policy FORWARD DROP
>>>>>>
>>>>>> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 25 --jump ACCEPT
>>>>>> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 80 --jump ACCEPT
>>>>>> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 110 --jump ACCEPT
>>>>>> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 143 --jump ACCEPT
>>>>>> DX> # these 4 rules are for access to any address for
>>>>>> DX> # mail via POP3, IMAP, send and www
>>>>>>
>>>>>> DX> # --syn is a tcp match option, so -p tcp is required on these two rules
>>>>>> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --syn --jump DROP
>>>>>> DX> iptables -A FORWARD -s 192.168.0.0/24 -p tcp --syn --jump DROP
>>>>>> DX> # these 2 rules reject any attempt to initiate a connection
>>>>>> DX> # into the local network or from the local network to the internet
>>>>>>
>>>>>> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --jump ACCEPT
>>>>>> DX> # this rule accepts any other type of tcp connection
>>>>>>
>>>>>> DX> # man iptables
>>>>>>
>>>>>> DX> [!] --syn
>>>>>> DX> Only match TCP packets with the SYN bit set and the ACK and RST
>>>>>> DX> bits cleared. Such packets are used to request TCP connection
>>>>>> DX> initiation; for example, blocking such packets coming in an interface
>>>>>> DX> will prevent incoming TCP connections, but outgoing TCP connections will
>>>>>> DX> be unaffected.
>>>>>> DX> It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag
>>>>>> DX> precedes the "--syn", the sense of the option is inverted.
>>>>>>
>>>>>> DX> ps: if I'm wrong please correct me ...
>>>>>>
>>>>>> DX> Liviu wrote:
>>>>>>
>>>>>>>> Hello,
>>>>>>>> My idea would be that people from the local network can only get out on
>>>>>>>> web and mail.
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Knight
>>>>>>
>>>>>> This message was brought to you by the numbers 0 and 1.
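A FORWARD ruleset for the setup Liviu describes (policy DROP, hosts on the LAN may open connections only to ports 25, 80 and 110), added here as an example that is not from any of the thread's participants. It uses connection tracking (the `state` match) for return traffic instead of a blanket "accept all other tcp" rule, so a chat client's SYN to an arbitrary port is a NEW connection and is dropped; the LAN range 192.168.0.0/24 is taken from Dekxter's rules, and the LOG rule and the `IPT` preview switch are my additions.

```sh
#!/bin/sh
# Added example, not code from the thread. Only connections the LAN opens
# to SMTP, HTTP and POP3 get through the gateway; everything else that the
# LAN tries to start (any port an IM client picks) is logged, then dropped.
LAN="${LAN:-192.168.0.0/24}"   # assumed LAN range, as in Dekxter's rules
IPT="${IPT:-iptables}"         # set to "echo" to preview rules without root

emit_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections the LAN already opened are tracked as
    # ESTABLISHED; a SYN from a chat client is NEW and does not match here.
    $IPT -A FORWARD -d "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only these destination ports may be opened from the LAN: SMTP, HTTP, POP3.
    # (Add udp 53 here if the LAN must resolve names through an outside server.)
    for port in 25 80 110; do
        $IPT -A FORWARD -s "$LAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Rate-limited log of what the LAN tried and the DROP policy will refuse,
    # which is how you see which ports and addresses the IM clients reach for.
    $IPT -A FORWARD -s "$LAN" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "
}

# Prints the rules with "iptables" replaced by echo; no root needed.
preview_rules() (
    IPT=echo
    emit_rules
)

# "sh fw.sh apply" on the gateway loads the rules; anything else only previews.
case "${1:-}" in
    apply) emit_rules ;;
    *)     preview_rules ;;
esac
```

This filters by port only: a client that tunnels over one of the allowed ports is not stopped, which is where blocking the IM servers' addresses, as the top reply suggests, comes in.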
