tvlad Posted January 28, 2003
After getting white hair, I managed to modify the ip-masq HOWTO to fit my own needs. I'm thinking of also blocking some ports from the inside, like the ones for Kazaa, WinMX........, because I don't want one guy to eat the bandwidth of all. What other ports should I block from the inside???? From the outside there is no problem, because the fw is a stateful one and plus, I blocked all ICMP, TCP, UDP input for the ext interface.
MottS Posted January 28, 2003
I presume the server has 2 network interfaces and you run MDK 9.0. I don't know what you mean by 'modify the ip-masq' but it would have been really easy using ShoreWall, the default firewall on MDK 9. By default all the requests from the web to your lan/masq are blocked. To block all the requests from your lan/masq to the net you could put the following in /etc/shorewall/policy:

    fw    net    DROP
    loc   net    DROP
    masq  net    DROP

Now, to allow your lan to surf the web (if you want them to) just put the following in /etc/shorewall/rules:

    ACCEPT  fw    net  tcp  80  -
    ACCEPT  loc   net  tcp  80  -
    ACCEPT  masq  net  tcp  80  -

If you want to allow only 1 of them then put masq:ip in /etc/shorewall/rules instead of just masq. Like that:

    ACCEPT  masq:192.168.1.100  net  tcp  80  -

Now restart shorewall by typing 'service shorewall restart'.
Hope that helps
MOttS
tvlad (Author) Posted January 28, 2003
By "modify the ip masq howto" I mean that I took their firewall config from chapter 6.4 as a starting point and adapted it to my needs. masq=masquerade
Michel Posted January 29, 2003
I understand that you don't want one person to have all the bandwidth, but if you also want to allow other connections than TCP, there is a very good website that tells you which program uses which ports and protocols and if they are outgoing or incoming (you could also check the log of shorewall). (For example: Kazaa (I think), MSN, .....) I hope you only block what is needed. Some things are just pleasant. Here is the link: http://www.pcflank.com/
MottS Posted January 29, 2003
> By "modify the ip masq howto" I mean that I took their firewall config from chapter 6.4 as a starting point and adapted it to my needs. masq=masquerade

I knew that masq=masquerade man.. And you took their firewall config --> what are you talking about? From which website, for which firewall.. ??????? I still don't know what you did, which OS you are using, firewall brand/version... Check /etc/services for a list of ports to block/accept if you only need that info. Once you are done check your security with that: http://www.google.ca/search?hl=en&lr=&ie=U...ty+test&spell=1
MOttS
MottS Posted January 29, 2003
If you were using Shorewall, the question would not be 'What other ports should I block from the inside????' but 'Which ports should I let my users access'.. which is easier to answer.
MOttS
tvlad (Author) Posted January 29, 2003
> And you took their firewall config --> what are you talking about? From which website, for which firewall.. ???????

From here: http://www.tldp.org/HOWTO/IP-Masquerade-HO...-2.4.X-STRONGER
I knew about pcflank, it's not that good.

> 'Which ports should I let my users access'.. which is easier to answer.

This is the question I should have asked, it makes much more sense. The "server" is a P200 MMX, 32MB, 1MB S3 running Mdk 9. And I am not running shorewall, or firestarter, or something similar.
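The allowlist approach MottS describes in Shorewall terms (drop LAN-to-net by default, then ACCEPT only the ports users need) translated to the raw iptables ruleset tvlad is using, as an added example that is not from the thread or from the IP-Masquerade HOWTO. Interface names, the LAN subnet and the allowed port lists are assumptions; the chain also logs dropped egress so the admin can see which ports people actually ask for before adding them.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny egress allowlist for the
# LAN side of an iptables/ip-masq gateway. Set IPT=echo to print the rules
# instead of loading them; set APPLY_RULES=1 and run as root to load them.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"                  # assumption: internal interface
EXT_IF="${EXT_IF:-eth0}"                  # assumption: external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumption: LAN subnet
TCP_ALLOW="${TCP_ALLOW:-80 443 25 110}"   # assumption: web and mail only
UDP_ALLOW="${UDP_ALLOW:-53}"              # assumption: DNS

# One dedicated chain for LAN -> Internet traffic, so the answer to
# "which ports may my users reach?" is readable in a single place.
build_egress_rules() {
    $IPT -N lan_out 2>/dev/null || $IPT -F lan_out
    # Replies to connections already permitted (stateful matching).
    $IPT -A lan_out -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $TCP_ALLOW; do
        $IPT -A lan_out -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_ALLOW; do
        $IPT -A lan_out -p udp --dport "$p" -j ACCEPT
    done
    # Log (rate-limited) what gets dropped: the log, not guesswork, tells you
    # which extra ports users genuinely need.
    $IPT -A lan_out -m limit --limit 5/min -j LOG --log-prefix "LAN-EGRESS-DROP: "
    $IPT -A lan_out -j DROP
    # Hook the chain into FORWARD for traffic leaving the LAN.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j lan_out
}

# Dry-run helper: number of rules that would be appended to lan_out.
count_rules() {
    ( IPT=echo; build_egress_rules ) | grep -c -- '-A lan_out'
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    build_egress_rules
fi
```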