and IRC?

----- Original Message -----
From: "Knight" <[EMAIL PROTECTED]>
To: "Dan Uscatu" <[EMAIL PROTECTED]>
Sent: Tuesday, October 14, 2003 9:23 AM
Subject: [rlug] Re: ICQ & YM and firewall

> Dan,
>
> I know, it was just an example I gave
> no need to jump on me right away
> because if I know how to write 3 lines in iptables I probably also know how to change a damn port in /etc/ssh2/sshd_config
> or tell the server directly to start with the -q port parameter
> for example /usr/sbin/sshd -q 1234
>
> Tuesday, October 14, 2003, 5:12:07 PM, you wrote:
>
>> not all ssh servers run on port 22. I for example installed one today on port 57233 and tomorrow I'll move it to 23581. you can't filter something variable, you have to hook into the contents of the packets that initialize the connection.
>>
>>> iptables -A FORWARD -p tcp --dport 22 -j DROP
>>> iptables -I FORWARD -s ip_care_are_voi_1 -p tcp --dport 22 -j ACCEPT
>>> iptables -I FORWARD -s ip_care_are_voi_2 -p tcp --dport 22 -j ACCEPT
>>> iptables -I FORWARD -s ip_care_are_voi_3 -p tcp --dport 22 -j ACCEPT
>>> iptables -I FORWARD -s ip_care_are_voi_4 -p tcp --dport 22 -j ACCEPT
>>> iptables -I FORWARD -s ip_care_are_voi_5 -p tcp --dport 22 -j ACCEPT
>>> iptables -I FORWARD -s ip_care_are_voi_6 -p tcp --dport 22 -j ACCEPT
>>> iptables -I FORWARD -s ip_care_are_voi_7 -p tcp --dport 22 -j ACCEPT
>>> ...
>>>
>>> and you've solved the problem
>>> nobody connects out on 22 except those who are allowed
>>>
>>> Tuesday, October 14, 2003, 5:00:20 PM, you wrote:
>>>
>>>> I don't want to let just anyone leave the internal network over ssh towards other servers.
>>>>
>>>> ----- Original Message -----
>>>> From: "Knight" <[EMAIL PROTECTED]>
>>>> To: "Ioan Alin" <[EMAIL PROTECTED]>
>>>> Sent: Tuesday, October 14, 2003 5:54 PM
>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>
>>>>> Ioan,
>>>>>
>>>>> so you don't want to let just anyone leave the internal network over ssh towards other servers?
>>>>> or you don't want people to be able to connect to your server over ssh except from certain IPs?
>>>>>
>>>>> Tuesday, October 14, 2003, 4:46:39 PM, you wrote:
>>>>>
>>>>>> The problem is that I don't know the destination IP (that would be easy). All I want is, from the router, to cut off the ssh clients on certain IPs (when somebody wants to open a connection to some ssh server or other).
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Radu" <[EMAIL PROTECTED]>
>>>>>> To: <[EMAIL PROTECTED]>
>>>>>> Sent: Wednesday, October 15, 2003 2:41 AM
>>>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>>>
>>>>>>> Brother Alin,
>>>>>>>
>>>>>>> From what I remember, but I'm not sure, you still have to check.
>>>>>>> The following:
>>>>>>> If it's a router:
>>>>>>> iptables -A FORWARD -s <ip of whoever you want to burn> -d <ip of the ssh server> -j DROP
>>>>>>> If you want to forbid going out from a particular host:
>>>>>>> iptables -A OUTPUT -d <ip of the ssh server> -j DROP
>>>>>>> The things above cut all traffic towards that server.
>>>>>>>
>>>>>>> With bows, master.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Ioan Alin" <[EMAIL PROTECTED]>
>>>>>>> To: <[EMAIL PROTECTED]>
>>>>>>> Sent: Tuesday, October 14, 2003 7:32 AM
>>>>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>>>>
>>>>>>>> I'd be interested in also cutting all outgoing connections to an ssh server (any port, not necessarily 22).
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>> From: "Radu" <[EMAIL PROTECTED]>
>>>>>>>> To: <[EMAIL PROTECTED]>
>>>>>>>> Sent: Wednesday, October 15, 2003 2:29 AM
>>>>>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>>>>>
>>>>>>>>> Brother, no problem at all.
>>>>>>>>> The idea is how it could still be done with that wretched yahoo messenger... because this thing stresses me too.
>>>>>>>>> And I don't have too many ideas either... in that direction...
>>>>>>>>> Maybe somebody has dealt with it though... just with blocking yahoo messenger...?
>>>>>>>>>
>>>>>>>>> Radu.
>>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Knight" <[EMAIL PROTECTED]>
>>>>>>>>> To: "Radu" <[EMAIL PROTECTED]>
>>>>>>>>> Sent: Tuesday, October 14, 2003 8:23 AM
>>>>>>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>>>>>>
>>>>>>>>>> Radu,
>>>>>>>>>>
>>>>>>>>>> I think mea culpa
>>>>>>>>>> but where the hell did I read ipchains, because I know for sure that's what I read
>>>>>>>>>> whatsoever
>>>>>>>>>> sorry
>>>>>>>>>>
>>>>>>>>>> Wednesday, October 15, 2003, 2:05:25 AM, you wrote:
>>>>>>>>>>
>>>>>>>>>>> Brother Knight,
>>>>>>>>>>>
>>>>>>>>>>> It would be good if you took the time to look carefully at the threads. The poor man had asked about iptables. Just for the sake of it, look back and you'll see you're a bit off with your answers. The thing about opening your eyes... is very true. It starts right from the first mail....
>>>>>>>>>>> For documentation purposes... I list it below... I hope you won't be upset with me, but it seems to me it says iptables. I know this because I finished first grade with honours... :))
>>>>>>>>>>>
>>>>>>>>>>> Behave yourself,
>>>>>>>>>>> Radu.
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have a firewall script, made with iptables, on a gateway which has "DROP" as the policy on the forward chain and allows users in the local network to connect, on the internet, only to ports 80, 25, 110.
>>>>>>>>>>> My idea would be that people in the local network can only get out on web and mail.
>>>>>>>>>>> The problem appears when ICQ or YM uses any port to connect outside and attaches to a multitude of addresses. So from the local network one can chat at will.
>>>>>>>>>>> Can anyone tell me how this mess gets solved?
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>> Liviu mailto:[EMAIL PROTECTED]
>>>>>>>>>>>
>>>>>>>>>>> ---
>>>>>>>>>>> Details about our mailing lists: http://www.lug.ro/
>>>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>> From: "Knight" <[EMAIL PROTECTED]>
>>>>>>>>>>> To: "Radu" <[EMAIL PROTECTED]>
>>>>>>>>>>> Sent: Tuesday, October 14, 2003 7:55 AM
>>>>>>>>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>>>>>>>>
>>>>>>>>>>>> Radu,
>>>>>>>>>>>>
>>>>>>>>>>>> did you even read what I wrote?
>>>>>>>>>>>> the guy who posted the thread asked for help with ipchains
>>>>>>>>>>>> so don't jump on me
>>>>>>>>>>>> a matter of the alphabet my ass, it's a matter of following a thread and opening your eyes wide :))
>>>>>>>>>>>>
>>>>>>>>>>>> Wednesday, October 15, 2003, 1:48:55 AM, you wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Old man, IPTABLES. Not ipchains.
>>>>>>>>>>>>> A matter of the alphabet.
>>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>> From: "Knight" <[EMAIL PROTECTED]>
>>>>>>>>>>>>> To: "Dekxter X." <[EMAIL PROTECTED]>
>>>>>>>>>>>>> Sent: Tuesday, October 14, 2003 7:01 AM
>>>>>>>>>>>>> Subject: [rlug] Re: ICQ & YM and firewall
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Dekxter,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> yes but the guy specified he wants ipchains
>>>>>>>>>>>>>> :(((((((
>>>>>>>>>>>>>> with -y I think it was in ipchains :)) instead of --syn
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Monday, October 13, 2003, 6:32:40 PM, you wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> you'll have to modify FORWARD with:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> iptables --policy FORWARD DROP
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 25 --jump ACCEPT
>>>>>>>>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 80 --jump ACCEPT
>>>>>>>>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 110 --jump ACCEPT
>>>>>>>>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 143 --jump ACCEPT
>>>>>>>>>>>>>>> # these 4 rules are for access to any address for
>>>>>>>>>>>>>>> # mail via POP3, IMAP, send and www
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --syn --jump DROP
>>>>>>>>>>>>>>> iptables -A FORWARD -s 192.168.0.0/24 -p tcp --syn --jump DROP
>>>>>>>>>>>>>>> # these 2 rules reject any attempt to initiate a connection
>>>>>>>>>>>>>>> # into the local network or from the local network towards the internet
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --jump ACCEPT
>>>>>>>>>>>>>>> # this rule accepts any other kind of tcp connection
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # man iptables
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [!] --syn
>>>>>>>>>>>>>>> Only match TCP packets with the SYN bit set and the ACK and RST bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes the "--syn", the sense of the option is inverted.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ps: if I'm wrong please correct me ...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Liviu wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>> My idea would be that people in the local network can only get out on web and mail.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Best regards,
>>>>>>>>>>>>>> Knight
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This message was brought to you by the numbers 0 and 1.
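An added example, written for this page and not code posted by anyone in the thread: a gateway egress script that puts together what the thread circles around. Liviu's requirement (FORWARD policy DROP, the local network may only open web and mail connections), Knight's per-host ssh whitelist, and Dan's objection that an ssh server can sit on any port are all handled by the same default-deny shape: only explicitly allowed destinations pass, so a server on port 57233 is blocked without a port-specific rule. Two details the thread's rules get wrong are fixed here: every `--dport` and `--syn` is paired with `-p tcp` (iptables rejects them otherwise), and return traffic is admitted statefully instead of by a blanket `-d 192.168.0.0/24 -p tcp ACCEPT`. The LAN prefix 192.168.0.0/24 (Dekxter's), the interface name eth0, and the two whitelisted hosts .10 and .11 are my assumptions; `DRY_RUN=1` (the default) prints the commands instead of running them, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the rlug thread: egress filtering on a Linux gateway.
# Assumed values (mine): LAN 192.168.0.0/24, Internet-facing interface eth0,
# hosts .10 and .11 allowed to ssh out. DRY_RUN=1 prints instead of executing.

LAN_NET="${LAN_NET:-192.168.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 25 110}"
SSH_ALLOWED_HOSTS="${SSH_ALLOWED_HOSTS:-192.168.0.10 192.168.0.11}"
DRY_RUN="${DRY_RUN:-1}"

# run: execute an iptables command, or print it verbatim in dry-run mode
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# egress_rules: install (or print) the complete FORWARD chain for the gateway
egress_rules() {
    # Start clean and default-deny. Anything not explicitly accepted below is
    # dropped, which is what defeats "ssh on port 57233": the port is never
    # named, it simply is not on the allow list.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP

    # Replies to connections the LAN opened must come back. Stateful matching
    # does that without accepting arbitrary TCP towards the LAN.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Knight's whitelist: only these hosts may open outbound ssh (port 22).
    # -p tcp is mandatory, --dport and --syn are options of the tcp match.
    for host in $SSH_ALLOWED_HOSTS; do
        run iptables -A FORWARD -s "$host" -o "$WAN_IF" -p tcp --dport 22 --syn -j ACCEPT
    done

    # Liviu's policy: the whole LAN may open connections only to web and mail.
    for port in $ALLOWED_TCP_PORTS; do
        run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -p tcp --dport "$port" --syn -j ACCEPT
    done

    # Make the drops visible: blocked chat or ssh attempts show up in the log
    # (rate-limited so a chatty client cannot flood syslog).
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# count_rules: number of -A FORWARD rules this configuration installs (dry-run)
count_rules() {
    (DRY_RUN=1; egress_rules) | grep -c ' -A FORWARD '
}

egress_rules
```

Run as root with `DRY_RUN=0` to apply. Knight's version used `-I` to push each ACCEPT above the DROP; here the rules are appended in the order they must be evaluated, with the policy as the final catch-all, which is easier to audit than relying on insertion order. What this does not solve is the problem the thread leaves open: a client that tunnels over an allowed port (a messenger speaking HTTP on 80) still passes, because a port filter sees only ports, not protocols.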
