Ioan,

well, then try putting it like this:

iptables -I FORWARD -m string --string "SSH-2.0-PuTTY" -j DROP

and, to be sure he isn't using ssh1 or openssh, add this one as well:

iptables -I FORWARD 2 -m string --string "-PuTTY" -j DROP

For ssh the following strings also work: "SSH-" "non-commer.."

Tuesday, October 14, 2003, 5:10:27 PM, you wrote:

IA> Knight,
IA> Yes, that works, but what if sshd is configured to "listen" on another port, e.g. 8383?

----- Original Message -----
From: "Knight" <[EMAIL PROTECTED]>
To: "Ioan Alin" <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 6:07 PM
Subject: [rlug] Re: ICQ & YM and firewall

>> Ioan,
>>
>> iptables -A FORWARD -p tcp --dport 22 -j DROP
>> iptables -I FORWARD -s ip_care_are_voi_1 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_2 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_3 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_4 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_5 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_6 -p tcp --dport 22 -j ACCEPT
>> iptables -I FORWARD -s ip_care_are_voi_7 -p tcp --dport 22 -j ACCEPT
>> ...
>>
>> and you have solved the problem:
>> nobody connects out on 22 except those who are allowed.
>>
>> Tuesday, October 14, 2003, 5:00:20 PM, you wrote:

IA> I don't want to let just anyone go out of the internal network over ssh to other servers.

----- Original Message -----
From: "Knight" <[EMAIL PROTECTED]>
To: "Ioan Alin" <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 5:54 PM
Subject: [rlug] Re: ICQ & YM and firewall

>> Ioan,
>>
>> so you don't want to let just anyone go out of the internal network over ssh to other servers?
>> or do you want ssh connections to your own server to be possible only from certain IPs?
>>
>> Tuesday, October 14, 2003, 4:46:39 PM, you wrote:

IA> The problem is that I don't know the destination IP (that would be easy). All I want
IA> is, from the router, to cut off the ssh clients on certain IPs (when someone wants
IA> to open a connection to some arbitrary ssh server).

----- Original Message -----
From: "Radu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 15, 2003 2:41 AM
Subject: [rlug] Re: ICQ & YM and firewall

R> Brother Alin,
R>
R> From what I remember, but I'm not sure, you still have to check. The following:
R> If it is a router:
R> iptables -A FORWARD -s <ip of whoever you want to burn> -d <ip of the ssh server> -j DROP
R> If you want to forbid a particular host from going out:
R> iptables -A OUTPUT -d <ip of the ssh server> -j DROP
R> The stuff above cuts all traffic to that server.
R>
R> With a bow, master.

----- Original Message -----
From: "Ioan Alin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 7:32 AM
Subject: [rlug] Re: ICQ & YM and firewall

IA> I would be interested in also cutting all outgoing connections to an ssh server
IA> (any port, not necessarily 22).

----- Original Message -----
From: "Radu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 15, 2003 2:29 AM
Subject: [rlug] Re: ICQ & YM and firewall

R> Brother, no problem at all.
R> The question is how it could still be done with that damned yahoo
R> messenger... because this thing stresses me too.
R> And I don't have too many ideas... in that direction...
R> Maybe someone has actually dealt with it... just with blocking yahoo messenger...?
R>
R> Radu.

----- Original Message -----
From: "Knight" <[EMAIL PROTECTED]>
To: "Radu" <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 8:23 AM
Subject: [rlug] Re: ICQ & YM and firewall

>> Radu,
>>
>> I guess mea culpa
>> but where the hell did I read ipchains, because I know for sure that's what I read
>> whatsoever
>> sorry
>>
>> Wednesday, October 15, 2003, 2:05:25 AM, you wrote:

R> Brother Knight,
R>
R> It would be good if you looked carefully at the threads. The poor man
R> had asked about iptables. Just for the sake of it, look back and you'll see
R> that your answers are a bit off. The thing about opening your eyes... is
R> very true. It starts right from the first mail....
R> For documentation reasons... I list it below... I hope you won't be upset
R> with me, but it seems to me that it says iptables. I know this because I
R> finished first grade with honors... :))
R>
R> Be good,
R> Radu.
R>
R> -----------------------------------------------------------------------
R> Hi,
R>
R> I have a firewall script, made with iptables, on a gateway whose policy
R> on the forward chain is "DROP" and which allows users from the local
R> network to connect to the internet only on ports 80, 25, 110.
R> My idea would be that people on the local network can only go out on
R> web and mail.
R> The problem appears when ICQ or YM uses any port to connect outside and
R> attaches to a multitude of addresses. That way people on the local
R> network can chat as they please.
R> Can anyone tell me how this trouble gets solved?
R>
R> --
R> Thanks in advance,
R> Liviu mailto:[EMAIL PROTECTED]
R>
R> ---
R> Details about our mailing lists: http://www.lug.ro/
R> -----------------------------------------------------------------------

----- Original Message -----
From: "Knight" <[EMAIL PROTECTED]>
To: "Radu" <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 7:55 AM
Subject: [rlug] Re: ICQ & YM and firewall

>> Radu,
>>
>> did you even read what I wrote?
>> the guy who posted the thread asked for help with ipchains
>> so don't jump on me
>> alphabet my foot, it's a matter of following a thread and
>> opening your eyes wide :))
>>
>> Wednesday, October 15, 2003, 1:48:55 AM, you wrote:

R> Old man, IPTABLES. Not ipchains.
R> A matter of alphabet.

----- Original Message -----
From: "Knight" <[EMAIL PROTECTED]>
To: "Dekxter X." <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 7:01 AM
Subject: [rlug] Re: ICQ & YM and firewall

>> Dekxter,
>>
>> yes, but the guy specified that he wants ipchains
>> :(((((((
>> in ipchains I think it was -y :)) instead of --syn
>>
>> Monday, October 13, 2003, 6:32:40 PM, you wrote:

DX> you will have to modify FORWARD with:
DX>
DX> iptables --policy FORWARD DROP
DX>
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 25 --jump ACCEPT
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 80 --jump ACCEPT
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 110 --jump ACCEPT
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 143 --jump ACCEPT
DX> # these 4 rules are for access to any address for
DX> # mail via POP3, IMAP, send and www
DX>
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --syn --jump DROP
DX> iptables -A FORWARD -s 192.168.0.0/24 -p tcp --syn --jump DROP
DX> # these 2 rules reject any attempt to initiate a connection
DX> # into the local network or from the local network towards the internet
DX>
DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --jump ACCEPT
DX> # this rule accepts any other kind of tcp connection
DX>
DX> # man iptables
DX>
DX> [!] --syn
DX> Only match TCP packets with the SYN bit set and the ACK and RST
DX> bits cleared. Such packets are used to request TCP connection
DX> initiation; for example, blocking such packets coming in an interface
DX> will prevent incoming TCP connections, but outgoing TCP connections
DX> will be unaffected.
DX> It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag
DX> precedes the "--syn", the sense of the option is inverted.
DX>
DX> ps: if I'm wrong, please correct me ...
DX>
DX> Liviu wrote:
DX>
DX> > Hi,
DX> > My idea would be that people on the local network can only go out on
DX> > web and mail.

>> --
>> Best regards,
>> Knight
>>
>> This message was brought to you by the numbers 0 and 1.
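The string-match rules suggested at the top of this thread inspect the SSH client's identification banner anywhere in a forwarded packet, which is what makes them independent of the server port. The block below is an added example, not code from any of the list posters: a Python simulation of that chain walk over constructed sample payloads (the `Packet` type, the `verdict`/`classify` helpers, the rule lists and the sample banners are all assumptions) showing which clients the "SSH-2.0-PuTTY", "-PuTTY" and "SSH-" strings catch on an arbitrary port, and that a mail packet merely carrying that text is dropped too unless the match is scoped to a protocol and port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:               # constructed stand-in for one forwarded IP packet
    proto: str              # "tcp" or "udp"
    dport: int
    payload: bytes

# Rules in the order the thread inserts them with -I: the PuTTY-specific string,
# then the broader "-PuTTY", then the very broad "SSH-". Each entry is
# (protocol filter, destination port filter, substring, target); None = any.
THREAD_RULES = [
    (None, None, b"SSH-2.0-PuTTY", "DROP"),
    (None, None, b"-PuTTY", "DROP"),
    (None, None, b"SSH-", "DROP"),
]

# The same strings scoped to TCP port 22, to contrast false positives.
SCOPED_RULES = [("tcp", 22, s, t) for (_, _, s, t) in THREAD_RULES]

def verdict(pkt: Packet, rules, policy: str = "ACCEPT") -> str:
    """Walk the chain: first matching rule wins, as in iptables. The string
    match is a plain substring search over the payload, as in xt_string."""
    for proto, dport, needle, target in rules:
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if needle in pkt.payload:
            return target
    return policy

# Constructed samples (not captures): client identification strings in the
# "SSH-protoversion-softwareversion" form, plus non-SSH traffic carrying the text.
SAMPLES = {
    "putty_ssh2_port22":   Packet("tcp", 22,   b"SSH-2.0-PuTTY_Release_0.53\r\n"),
    "putty_ssh2_port8383": Packet("tcp", 8383, b"SSH-2.0-PuTTY_Release_0.53\r\n"),
    "putty_ssh1":          Packet("tcp", 22,   b"SSH-1.5-PuTTY_Release_0.53\r\n"),
    "openssh_client":      Packet("tcp", 22,   b"SSH-2.0-OpenSSH_3.7p1\r\n"),
    "smtp_mail_body":      Packet("tcp", 25,   b"Subject: help\r\n\r\nmy client says SSH-2.0-PuTTY\r\n"),
    "http_get":            Packet("tcp", 80,   b"GET / HTTP/1.0\r\nHost: www.lug.ro\r\n\r\n"),
}

def classify(rules) -> dict:
    """Verdict for every sample packet under the given rule list."""
    return {name: verdict(pkt, rules) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22s} thread rules: {classify(THREAD_RULES)[name]:6s} "
              f"scoped to tcp/22: {classify(SCOPED_RULES)[name]}")
```

Current netfilter builds require an algorithm with the string match, e.g. `-m string --algo bm --string "SSH-2.0-PuTTY"`; the 2003 syntax in the thread predates that option.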
