http://www.zago.eti.br/firewall/kazaa-bloquear.txt

Various models and ways of blocking Kazaa and other p2p networks.
Use CTRL+F to narrow the search. A line of **************** separates messages or topics.

********************************************************
Zago
http://www.zago.eti.br/menu.html
FAQ of Linux-br and articles about Linux

See also in this directory (site):
iptables.txt
kazaa.txt -> in the main directory.

TIP. Search Google for: "iptables-p2p"
http://www.underlinux.com.br/modules.php?name=Sections&op=viewarticle&artid=286
Tutorial for blocking p2p networks: the steps for applying patch-o-matic and updating iptables. The tutorial used Slackware 9.0 with kernel 2.4.20.

********************************************************
From: Helder Jean
To: linuxes
Cc: linux-br@bazar.conectiva.com.br
Subject: Re: (linux-br) Tip for blocking Kazaa with iptables
Date: 12 Jun 2003 19:24:40 -0300

linuxes wrote:
>
> Hello friends
>
> Given the number of messages asking how to block Kazaa, I am
> making the text below available
>
(cut)

A tip to complement/finish the one from user linuxes, which I found on the debian-firewall list:

Use the string patch for iptables mentioned above and block the strings "GET /.hash=" or "X-Kazaa-", which appear in KaZaA packets.

The only drawback is that on a network of considerable size and traffic, and/or with a weakly configured firewall, having to analyze the network traffic this way will put some "load" on it.

But there is always the alternative of putting some good pressure on whoever is using the program! :)

[]'s

********************************************************
********************************************************
From: Adriano Frare
Reply-To: alfrare@terra.com.br
To: 'Fábio Ribeiro', linux-br@bazar2.conectiva.com.br
Subject: RES: (linux-br) blocking Kazaa
Date: Tue, 30 Sep 2003 09:49:27 -0300

Include the following rules in your IPTABLES.
IPTABLES="/usr/sbin/iptables"

# Kazaa and Morpheus ports and networks
echo -en "\033[1;32m"
echo "DROP -> Ports and Network - Kazaa/Morpheus"
sleep 1
echo -en "\033[1;37m"
$IPTABLES -A FORWARD -p TCP --dport 1214 -j LOG
$IPTABLES -A FORWARD -p UDP --dport 1214 -j LOG
$IPTABLES -A FORWARD -d 213.248.112.0/24 -j LOG
$IPTABLES -A FORWARD -d 206.142.53.0/24 -j LOG
$IPTABLES -A FORWARD -p TCP --dport 1214 -j REJECT
$IPTABLES -A FORWARD -p UDP --dport 1214 -j REJECT
$IPTABLES -A FORWARD -d 213.248.112.0/24 -j REJECT
$IPTABLES -A FORWARD -d 206.142.53.0/24 -j REJECT

Regards.
Adriano

********************************************************
From: William da Rocha Lima
To: Lista Linux Br
Cc: honeypot-br@yahoogrupos.com.br
Subject: (linux-br) Implement and Configure your Linux with IPTABLES - Revision 1.2
Date: Sat, 12 Jul 2003 01:05:20 -0300

Implement and Configure your Linux with IPTABLES - Revision 1.2

Dear users,

In this article you will learn about the importance of the firewall, firewall software for Linux, firewalls by kernel version, firewall rules, iptables policies, firewall examples, correct port redirection (for those who have a problem with redirection, such as SMTP ending up as an open relay), using string match to block Kazaa Lite and to keep out worms with arbitrary code that use the cmd.exe command, and a semi-ready ruleset to use.
Read the article:
http://www.linuxit.com.br/modules.php?name=Sections&op=viewarticle&artid=21

********************************************************
KAZAA

From: William da Rocha Lima
To: lista linux
Subject: Re: (linux-br) How can I forbid KAZAA traffic with iptables
Date: 03 Feb 2003 23:16:02 -0200

Dear,
Go to this link:
http://www.linuxit.com.br/modules.php?name=Sections&op=viewarticle&artid=100

********************************************************
From: Fábio de Oliveira Dias
To: Marcio - Lista LinuxBR, linux-br@bazar.conectiva.com.br
Subject: Re: (linux-br) Rule to block downloads through Kazaa?
Date: 30 Sep 2002 14:20:42 -0300

Does iptables do? If so, here are the rules. They have been working perfectly here.

# Block Kazaa, Morpheus and AudioGalaxy
$IPTABLES -A FORWARD -d 0/0 -p tcp --dport 1214 -j REJECT
$IPTABLES -A FORWARD -d 0/0 -p udp --dport 1214 -j REJECT
$IPTABLES -A FORWARD -d 213.248.112.0/24 -j REJECT
$IPTABLES -A FORWARD -d 64.245.58.0/24 -j REJECT
$IPTABLES -A FORWARD -d 64.245.59.0/24 -j REJECT
$IPTABLES -A FORWARD -d 64.245.58.0/23 -j REJECT
$IPTABLES -A FORWARD -d 64.124.41.0/24 -j REJECT
$IPTABLES -A FORWARD -d 216.35.208.0/24 -j REJECT
$IPTABLES -A FORWARD -p tcp --dport 6346 -j REJECT
$IPTABLES -A FORWARD -d 209.61.186.0/24 -j REJECT
$IPTABLES -A FORWARD -d 64.49.201.0/24 -j REJECT
$IPTABLES -A FORWARD -d 209.25.178.0/24 -j REJECT

[]'s
Fábio

Subject: (linux-br) Rule to block downloads through Kazaa?

Good morning, list.
I would like to know whether there is a rule I can apply using ipchains to block downloads through Kazaa for a given IP on my LAN.
Thanks in advance.

********************************************************
From: zgrp unknow
To: seguranca@distro2.conectiva.com.br
Cc: Mauricio
Subject: Re: [seguranca] Kazaa - Emule x iptables(spam?)
Date: Thu, 11 Sep 2003 15:11:52 -0300 (ART)

Yes, string matching works by comparing the generated signature against each arriving packet, and it makes the machine a bit slower (depending on how much traffic you have).

But an alternative to the string module for iptables is to use IDSs to do this. Snort provides resources that can do the same thing with many more checks, including flags, etc... ;)

See you

********************************************************
From: Antônio Augusto
To: Listas Inter.Net
Cc: seguranca@distro.conectiva.com.br
Subject: Re: [seguranca] Kazaa - Emule x iptables
Date: Thu, 11 Sep 2003 12:42:04 -0300

I use STRING and it has proven excellent, although experimental. The advantage is that it can stop attacks caused by WORMS, such as opaserv, nimda, codered, etc., besides being able to stop Kazaa. Installing it is very hard, I had to recompile the kernel n times, but it is worth it.

Antônio Augusto

Listas Inter.Net wrote:
> Gentlemen,
>
> How have you been blocking the use of kazaa/e-mule on your
> networks?
> I read about the string module that comes with iptables,
> but the same text says it is still not stable; I don't think
> it is a good idea to use that on a production firewall.
> I'd appreciate any tips.

********************************************************
From: Andre Luiz Felix Nunes
To: Antonio F. Zago
Subject: Re: (linux-br) blocking connection requests for some files
Date: 18 Jun 2003 19:48:57 -0300

Have you tried this?

iptables -A FORWARD -p tcp -m string --string X-Kazaa-Username: -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp -m string --string X-Kazaa-Network: -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp -m string --string X-Kazaa-IP: -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp -m string --string X-Kazaa-SupernodeIP: -j REJECT --reject-with tcp-reset

I haven't tested it yet, but they say it solves it. I'm just afraid of killing the link, since it will check every packet that goes through the proxy.
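An added example for the string-match rules in the replies above (the editor's, not code from any of the posters): it prints the Kazaa rules in the syntax of the in-tree xt_string match that replaced the experimental patch (iptables 1.3 and kernel 2.6.14 or later), where --algo is mandatory and --to caps how far into each packet the search goes. That cap, together with sending only TCP from the LAN interface through the string match, is the practical answer to the load concern raised by Helder Jean and Andre Luiz. IPTABLES, IFACE_LAN and SCAN_DEPTH are assumed values; the script applies nothing by itself, it only emits commands for review.

```shell
#!/bin/sh
# Added example (editor's, not from any of the posts): emit the Kazaa rules
# from this thread in the syntax of the in-tree xt_string match, where
# --algo is mandatory and --to caps how deep into each packet the search
# goes. Nothing is applied: the functions only print iptables commands.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # path written into the emitted commands
IFACE_LAN="${IFACE_LAN:-eth1}"           # LAN-side interface, assumed value
SCAN_DEPTH="${SCAN_DEPTH:-512}"          # bytes of each packet to search, assumed value

# kazaa_patterns: the strings quoted in the replies above, one per line.
kazaa_patterns() {
    printf '%s\n' 'GET /.hash=' 'X-Kazaa-Username:' 'X-Kazaa-Network:' \
        'X-Kazaa-IP:' 'X-Kazaa-SupernodeIP:'
}

# gen_kazaa_rules: cheap port/network rules first, then one string rule per
# pattern. Only TCP arriving on the LAN interface reaches the string match,
# and the scan stops at SCAN_DEPTH bytes, which bounds the CPU cost per packet.
gen_kazaa_rules() {
    printf '%s -A FORWARD -i %s -p tcp --dport 1214 -j REJECT --reject-with tcp-reset\n' "$IPTABLES" "$IFACE_LAN"
    printf '%s -A FORWARD -i %s -p udp --dport 1214 -j REJECT\n' "$IPTABLES" "$IFACE_LAN"
    printf '%s -A FORWARD -i %s -d 213.248.112.0/24 -j REJECT\n' "$IPTABLES" "$IFACE_LAN"
    kazaa_patterns | while IFS= read -r pat; do
        printf '%s -A FORWARD -i %s -p tcp -m string --algo bm --to %s --string "%s" -j REJECT --reject-with tcp-reset\n' \
            "$IPTABLES" "$IFACE_LAN" "$SCAN_DEPTH" "$pat"
    done
}

# count_rules: how many commands the generator emits (sanity check before applying).
count_rules() {
    gen_kazaa_rules | wc -l | tr -d ' '
}

# Usage: gen_kazaa_rules        (review the commands)
#        gen_kazaa_rules | sh   (apply them, as root)
```

Put the port and network rules before the string rules, as the generator does, so the cheap matches are evaluated first and only the remaining TCP traffic pays for the payload scan.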
********************************************************
From: linuxes
To: linux-br@bazar.conectiva.com.br
Subject: (linux-br) Tip for blocking Kazaa with iptables
Date: 02 Jun 2003 09:02:59 -0200

Hello friends

Given the number of messages asking how to block Kazaa, I am making the text below available.

Gleiton Fagner

Linux firewalling code has come a long way since the time ipfwadm was introduced in kernel version 1.2.1 in 1995. Ipfwadm enabled standard TCP/IP packet filtering features such as filtering by source/target addresses and port numbers. Then, in early 1999, when the first stable 2.2.0 kernel was released, the firewalling code was replaced with new ipchains-controlled code. New features included support for chains of rules, fragmentation handling, better network address translation (NAT) support and several usability improvements. Readers should be reminded that Linux firewalling includes kernel-level code (usually in the form of a loadable module or kernel source patch) and user-level code (a control utility such as /usr/bin/ipchains, which is used to insert packet rules into kernel space). Thus whenever new Linux firewalling code was introduced it involved both a kernel and a userspace code rewrite.

With the release of 2.4 in 2001, the iptables code came out. It introduced many important improvements such as stateful firewalling, filtering packets based on any combination of TCP flags and on MAC address, more configurable and flexible logging, powerful and easy to use support for network address translation (NAT) and transparent proxies, DoS blocking support by rate-limiting and others. (For details see, for example, "A Comparison of iptables Automation Tools".) However, the most important architectural addition was the introduction of the modular architecture. For example, ipchains and ipfwadm compatibility mode is implemented as a set of kernel modules that can be inserted into the running kernel to provide the corresponding functionality.
In addition, user-coded modules are now possible. For example, filtering by port range, TTL value and time of packet arrival, stateful inspection for custom protocols, and random packet inspection are not part of the iptables suite, but were implemented later. Many new and interesting modules were coded. To program a module one has to create a kernel-level part that will be compiled into a loadable module and a user-level part that will be used to control the filtering behavior. For more details see Rusty Russell's Linux iptables HOWTO.

This article will cover string pattern matching functionality (evidently, implemented as a module), which allows limited investigation of the packet payload. This is a significant breakthrough for iptables technology since it goes beyond inspecting TCP/IP flags, which is standard for packet filter firewalls.

It is well-known that firewalls can be loosely categorized into proxies and packet filters. The latter "know" the application-level protocols such as telnet, HTTP or SMTP and can inspect the protocol payloads and verify the commands. This comes at a significant performance penalty since packets have to be processed higher in the network protocol stack, in the application layer. For each inspected protocol a new proxy should be written. The packet filters, on the other hand, can usually only inspect source and target addresses and ports and TCP/IP flags, and have to totally ignore higher-layer protocol payloads. For that reason, they are usually much faster than proxy firewalls (3-10 times). Thus proxies are used for more granular security while packet filters are used on higher bandwidth lines for higher throughput.

In light of the above, adding content inspection capabilities to iptables presents an attempt to cross the bridge between the two firewall groups without getting stuck in the disadvantages of either method. It also clearly demonstrated an advantage of the new modular architecture over the old ipchains code.
It should be noted that a packet filter such as iptables does not become higher-layer-protocol-aware, since it still operates at the network level (layer 3 in the OSI structure), but is only allowed to peek at payloads, rather than analyze the application-level communication structure.

Before the string matching module was started in May 2001, there were attempts to add content inspection to iptables-based firewalls. One such project is Hogwash, which couples the Snort IDS rule-matching engine with iptables in order to respond to packets with attack signatures in them.

Now we will provide step-by-step directions for enabling string matching packet inspection for RedHat Linux. Standard RH 7.2 comes with iptables 1.2.3, and 1.2.4 is available as an RPM update. However, string-matching functionality is not included in either, since it is marked as "experimental" by the developers. Thus some kernel recompilation is required.

If you are using RH 7.1-7.2 you already have kernel version 2.4 installed. You need at least 2.4.4 for the latest iptables 1.2.4 to function. It is always recommended to download the latest kernel version available from your system distributor. At present, there is one exception to this rule: the iptables-1.2.4 string matching patch does not seem to work with kernel version 2.4.9.

You should have the kernel source RPM package installed (that usually puts the full source tree in /usr/src/linux-2.4.x) or just have the kernel source downloaded from elsewhere (such as www.kernel.org or one of its mirrors). For this article, the latest 2.4.16 will be used as an example. Tests were also run with the 2.4.7 kernel shipped with RedHat 7.2, but the 2.4.7 kernel is not recommended due to several minor bugs in security mechanisms such as SYN-cookie protection and iptables save/restore functionality. Surely it is redundant to remind the reader to back up the entire kernel source tree before starting the experiment, or to keep a source RPM handy.
Keep in mind that the latter will only help if you have not compiled the kernel before.

Now, the iptables code should be downloaded from http://netfilter.samba.org/iptables-1.2.4.tar.bz2 . After the archive is unpacked, iptables should be configured and the appropriate source code merged with the kernel source tree. A semi-automated program is available for that purpose. First, one might want to run the program to include the iptables patches that are already considered stable, but have not been included in the kernel release. From the directory where iptables is unpacked (in this example iptables is in /home/anton/iptables-1.2.4 and the kernel source is in /usr/src/linux-2.4.16) run:

make pending-patches KERNEL_DIR=/usr/src/linux-2.4.16

That will start the process of interactive patch application. It appears that, while you can safely apply all of those patches, none are required for iptables string support. Say y (yes) to whichever patches you think will be needed for your installation. If you want to play it safe, choose none.

Now we are ready to apply experimental patches such as string matching support. Run:

make patch-o-matic KERNEL_DIR=/usr/src/linux-2.4.16

In the interactive session that follows, answer y (yes) to the application of string.patch. The program will go through all available patches, including the stable ones.

Testing... string.patch NOT APPLIED ( 2 missing files)
The string patch:
   Author: Emmanuel Roger
   Status: Working, not with kernel 2.4.9

This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to match
a string in a whole packet.

THIS PATCH DOES NOT WORK WITH KERNEL 2.4.9 !

Do you want to apply this patch [N/y/t/f/q/?] y

While the rest of the patches may sound like fun as well, they are not relevant to this article. If you choose to install any other patches, heed the warnings given by the developers about which patches break functionality (such as the dropped tables patch).
Make sure you do not install the MAC filtering patch, since it was recently found to contain a bug.

Now we are ready to compile the user-space code and the libraries:

make KERNEL_DIR=/usr/src/linux-2.4.16

and then install them (the iptables program goes in /usr/local/user/sbin and the libraries go into /usr/local/lib/iptables). As root:

make install KERNEL_DIR=/usr/src/linux-2.4.16

Now we are ready to configure and compile the kernel:

cd /usr/src/linux-2.4.16

Any of the kernel configuration methods can be used. Detailed discussion of this is provided in a huge number of Internet sources such as the kernel HOWTO. In brief:

make xconfig

In the GUI that appears, go to Netfilter configuration and choose m (for modular support) in "String match support (EXPERIMENTAL)". See picture.

Then follow with a standard

make dep ; make bzImage ; make modules ; make modules_install

Now install the kernel itself using your favorite method and reboot. Upon reboot, test whether iptables with string support is enabled. As root:

/usr/local/sbin/iptables -m string --help

It should produce the standard iptables help message appended by:

STRING match v1.2.4 options:
--string [!] string            Match a string in a packet

The resulting functionality will allow you to match packets by their content. Some real-life tests can be performed using netcat or telnet to make sure we can really grab packets by content.
Run:

iptables -A INPUT -m string --string "test" -j LOG --log-level info --log-prefix "TEST"

Then start a netcat server by:

nc -l -p 3456

Connect to it via:

telnet localhost 3456

Now type:

test whatevertestdoes

It should produce a message similar to the following in your log files (providing you log messages with severity level 'info' somewhere):

Nov 27 23:16:53 pua kernel: TEST IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=2154 TOS=0x00 PREC=0x00 TTL=64 ID=42880 DF PROTO=TCP SPT=3128 DPT=33018 WINDOW=32767 RES=0x00 ACK PSH URGP=0
Nov 27 23:16:53 pua kernel: TEST IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=1830 TOS=0x00 PREC=0x00 TTL=64 ID=17451 DF PROTO=TCP SPT=8000 DPT=33017 WINDOW=32767 RES=0x00 ACK PSH URGP=0

Every time the string "test" is present in TCP/IP packets, the above log message is produced.

What is it good for? Many things. As was suggested in the excellent article "Filtering packets based on string matching" by sysctl at Linuxguru.net, it can be used to block all those pesky IIS worms from filling your UNIX web server log files with requests to "cmd.exe" etc. Those worms cannot hurt you, but if your /var partition (where logs are usually stored) is not too big, this measure can be pretty helpful. Just silently drop all those port 80 requests or log them using the message limiting facility:

To silently drop them:

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"

To only log no more than 1 message per hour:

iptables -I INPUT -j LOG -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe" -m limit --limit 1/hour

Replace the string with whatever the new Windows "worm-of-the-moment" is requesting and just add another rule. You can also stop requests to things you do not want to have retrieved from your Web server. Apparently, "test.cgi" should be removed, rather than put into iptables rules.
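As an added example (the editor's, not code from the article), here is a small helper that turns kernel LOG lines like the two shown above into a per-source tally, which is what you want when a string rule is used with LOG for detection rather than with DROP, for instance when a rule is first deployed in log-only mode to see who would be affected. The first two sample lines follow the format the article shows; the remaining lines, including the KAZAA log prefix, are constructed for the example and are not from the page.

```shell
#!/bin/sh
# Added example (editor's, not from the article): summarise kernel LOG lines
# produced by string-match rules. The first two sample lines follow the format
# shown in the article; the rest, including the KAZAA prefix, are constructed.

SAMPLE_LOG='Nov 27 23:16:53 pua kernel: TEST IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=2154 TOS=0x00 PREC=0x00 TTL=64 ID=42880 DF PROTO=TCP SPT=3128 DPT=33018 WINDOW=32767 RES=0x00 ACK PSH URGP=0
Nov 27 23:16:53 pua kernel: TEST IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=1830 TOS=0x00 PREC=0x00 TTL=64 ID=17451 DF PROTO=TCP SPT=8000 DPT=33017 WINDOW=32767 RES=0x00 ACK PSH URGP=0
Nov 27 23:20:01 pua kernel: KAZAA IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=612 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=3345 DPT=1214 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Nov 27 23:20:07 pua kernel: KAZAA IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=580 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=3346 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Nov 27 23:21:44 pua kernel: KAZAA IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=198.51.100.5 LEN=601 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=1097 DPT=1214 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Nov 27 23:22:10 pua kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# summarize_hits: read LOG lines on stdin; keep those whose first word after
# "kernel: " is a --log-prefix (a bare IN=... there means the rule had no
# prefix, so it is not one of ours); print "PREFIX SRC count", most hits first.
summarize_hits() {
    awk '
        /kernel: / {
            split($0, parts, "kernel: ")
            n = split(parts[2], w, " ")
            if (w[1] ~ /^[A-Z]+=/) next
            prefix = w[1]; src = "?"
            for (i = 2; i <= n; i++)
                if (w[i] ~ /^SRC=/) src = substr(w[i], 5)
            count[prefix " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1
}

# top_talker PREFIX: the source address with the most hits for that prefix.
top_talker() {
    summarize_hits | awk -v p="$1" '$1 == p { print $2; exit }'
}

# Usage: summarize_hits < /var/log/messages
#        top_talker KAZAA < /var/log/messages
```

The prefix is taken as the single word that follows "kernel: ", so use prefixes without spaces (as the article's "TEST" does) when you want them to be parsed this way.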
However, in some cases the ability to stop requests for specific documents at the TCP/IP level, before they reach the Web server's access control facility, might provide the needed "defense in depth" for your Web infrastructure.

Another great suggestion from Bill Stearns (author of the Mason firewall building script) is to convert your Snort network IDS rules into iptables rules with string support. The Snort IDS attack signature database contains about 1200 signatures and appears to be the biggest publicly available attack database suitable for instant deployment. The ability to use the ready-made signatures for iptables is of immense value. The page that describes his experimental software is at http://www.stearns.org/snort2iptables/ . There, you can find the shell script to convert a standard Snort ruleset into iptables rules.

Here are a couple of examples for well-known Linux attacks against the mountd and bind network daemons:

Snort rules:

1. alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 linux overflow"; content:"|0103 0000 0000 0001 0002 02e8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:2;)

2. alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig infoleak"; content: "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CAN-2000-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:3;)

3. alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|5eb0 0289 06fe c889 4604 b006 8946|"; reference:cve,CVE-1999-0002; classtype:attempted-admin; sid:315; rev:1;)

Converted iptables rules:

1. iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 518 -m string --string " è" -j LOG --log-prefix "SID313 " # "EXPLOIT ntalkd x86 linux overflow" bugtraq,210 classtype: attempted-admin sid:313

2.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "«Í .a" -j LOG --log-prefix " SID303 " # "EXPLOIT named tsig infoleak" cve,CAN-2000-0010 bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303

3. iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "^° ‰ þȉF ° ‰F" -j LOG --log-prefix " cve-CVE-1999-0002 " # "EXPLOIT x86 linux mountd overflow" classtype:attempted-admin sid:315

It is easy to see that the above conversion uses the buffer overflow string of the above exploits to catch the attack. Some rules are not converted, mostly due to the fact that Snort is still "smarter" than iptables in fragmentation handling.

Overall, iptables with string support can be used to protect networks (if deployed on the organization gateway) and individual hosts (deployed as part of host hardening) from many attacks on the network services that have to be open to the world (WWW, mail, DNS, ftp) and have not been protected by ordinary packet filters. In addition, iptables string matching can also help with policy enforcement: just implement the rules that stop inappropriate content by keyword. There might be better solutions for implementing content scanning, but another layer of protection never hurts.

---------------------------------------------------------------------------
This list is sponsored by Conectiva S.A. Visit http://www.conectiva.com.br
Archive: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
List usage rules: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html

********************************************************
********************************************************
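An added example, the editor's rather than Bill Stearns' snort2iptables script or code from the article: a minimal converter for Snort rules of the shape shown above. Where the 2001 conversion embedded the raw signature bytes in the command line (which is why the converted rules above render as garbage characters), this one emits the pattern with --hex-string, the option the in-tree xt_string match in current iptables provides for binary content, and adds the --algo that match requires. EXTERNAL_NET and HOME_NET default to placeholder values and are assumptions; only rules of the form "alert PROTO $EXTERNAL_NET any -> $HOME_NET PORT (... content:"..."; ... sid:N; ...)" are handled, and rules without a content or sid are rejected rather than guessed at.

```shell
#!/bin/sh
# Added example (editor's; not Bill Stearns' snort2iptables and not code from
# the article): convert a Snort rule of the shape shown above into an iptables
# string rule that carries binary content as --hex-string instead of raw bytes.
# EXTERNAL_NET and HOME_NET default to placeholders and are assumptions.

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTERNAL_NET="${EXTERNAL_NET:-0.0.0.0/0}"      # placeholder, set for your site
HOME_NET="${HOME_NET:-192.0.2.0/24}"           # placeholder (documentation prefix)

# normalize_hex CONTENT: rewrite every |...| section of a Snort content string
# as lowercase, space-separated byte pairs (the form --hex-string documents),
# leaving literal text outside the bars untouched. Fails on an odd digit count.
normalize_hex() {
    printf '%s\n' "$1" | awk -F'|' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            seg = $i
            if (i % 2 == 0) {                 # even-numbered fields lie between bars
                gsub(/[ \t]/, "", seg)
                seg = tolower(seg)
                if (length(seg) % 2 == 1) { print "odd hex digit count: " seg > "/dev/stderr"; exit 1 }
                norm = ""
                for (j = 1; j <= length(seg); j += 2)
                    norm = norm (j > 1 ? " " : "") substr(seg, j, 2)
                seg = "|" norm "|"
            }
            out = out seg
        }
        print out
    }'
}

# snort_to_iptables RULE: emit a LOG rule in a SnortRules chain for one Snort
# rule; returns 1 for rules without a content or sid option.
snort_to_iptables() {
    rule=$1
    proto=$(printf '%s\n' "$rule" | awk '{ print $2 }')
    port=$(printf '%s\n' "$rule" | awk '{ print $7 }')
    content=$(printf '%s\n' "$rule" | sed -n 's/.*content: *"\([^"]*\)".*/\1/p')
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid: *\([0-9][0-9]*\).*/\1/p')
    if [ -z "$content" ] || [ -z "$sid" ]; then
        echo "unsupported rule (no content or sid): $rule" >&2
        return 1
    fi
    pattern=$(normalize_hex "$content") || return 1
    printf "%s -A SnortRules -p %s -s %s -d %s --dport %s -m string --algo bm --hex-string '%s' -j LOG --log-prefix 'SID%s '\n" \
        "$IPTABLES" "$proto" "$EXTERNAL_NET" "$HOME_NET" "$port" "$pattern" "$sid"
}

# Usage: while IFS= read -r r; do snort_to_iptables "$r"; done < rules.snort
```

The converter keeps the article's behaviour of logging rather than dropping, so a converted ruleset can be watched for false positives before any rule is changed to DROP; Snort options beyond content (flow, nocase, offset) are simply not carried over, which is the same "iptables is less smart than Snort" limitation the article notes.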
From: Rubens A. Mascari
To: linux-br@bazar2.conectiva.com.br
Subject: Re: (linux-br) How to block KAZaa ???
Date: Thu, 06 Nov 2003 16:16:35 -0200

> Hi folks....
> I would like to hear from those who have managed it how I can block Kazaa
> with IPTABLES, since I have already tried everything and Kazaa still works inside
> our internal network...

Luiz,

On my network I managed to block Kazaa and ICQ just by blocking the high ports (1024 to 65535). For Messenger it was necessary to block the IP of the server it authenticates against. Here are the rules I use:

iptables -A FORWARD -i eth1 -d 207.46.104.20 -j DROP   # IP USED BY MESSENGER FOR AUTHENTICATION (messenger.hotmail.com)
iptables -A FORWARD -i eth1 --protocol tcp --destination-port 1024:65535 -j DROP   # HIGH PORTS.
iptables -A FORWARD -i eth1 --protocol udp --destination-port 1024:65535 -j DROP   # HIGH PORTS.

Note: eth1 is the internal network interface.

[]'s
--
.. Rubens Aurelio Mascari ........................................   _
.. Linux & Internet Developer .... ICQ# 2730907 ..................

********************************************************
From: Robson Dantas Silva
To: linux-br@bazar2.conectiva.com.br
Subject: Re: (linux-br) How to block KAZaa ???
Date: Thu, 6 Nov 2003 13:42:43 -0300

> Hi folks....

Hey...

> I would like to hear from those who have managed it how I can block Kazaa
> with IPTABLES, since I have already tried everything and Kazaa still works
> inside our internal network...

Here at the company where I work, they installed squid and, with the help of a few small rules, blocked Kazaa and instant messengers. Look:
http://www.linuxrapido.linuxdicas.com.br/modules.php?name=Sections&op=viewarticle&artid=61

--
Robson Dantas
Engebras S/A

********************************************************
From: alrferreira@carol.com.br
To: jdapper, seguranca@distro2.conectiva.com.br
Subject: Re: [seguranca] Fast Track - p2p
Date: Thu, 20 Nov 2003 17:29:04 -0200

Hello...
I managed to stop Kazaa using Snort (with the flexresp option). I created the following rule:

var RESET resp:rst_all,icmp_all
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Acesso Kazaa"; flow:to_client,established; content:"X-Kazaa"; nocase; rev:2;$RESET;)

In practice, it "resets" any connection containing the string X-Kazaa.

Hope this helps...

Peace,
----------------------------------------------
André Luiz Rodrigues Ferreira
CAROL - Divisão de Informática
Analista de Suporte
Orlandia - SP - Brasil
----------------------------------------------

********************************************************
From: Thiago Macieira
To: linux-br@bazar2.conectiva.com.br
Subject: Re: (linux-br) iptables rules
Date: Mon, 19 Apr 2004 20:02:58 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

rafael.nery wrote:
>Hello!
>Can someone help me with an iptables
>rule...
>I need to block access to xmule,
>emule and kazaa for the whole network, except
>for the IPs 192.168.1.201 to 209
>How would that rule look??

Something like:

iptables -N teste_p2p
iptables -A FORWARD -p tcp -i $IFACE_INTERNA -m multiport --dports 1214,$PORTA_XMULE -j teste_p2p
iptables -A teste_p2p -s 192.168.1.200 -j REJECT
iptables -A teste_p2p -s 192.168.1.200/29 -j ACCEPT
iptables -A teste_p2p -s 192.168.1.209 -j ACCEPT
iptables -A teste_p2p -j REJECT

(obviously, $IFACE_INTERNA and $PORTA_XMULE must be set correctly. And there is no line break between 1214 and $PORTA_XMULE)

Why are there special rules for .200 and .209? Because you gave us an odd IP range. If you had set aside a block equal to a subnet (for example, from 200 to 208), the middle rule alone would do. But since .200 is part of the reject list and .209 is part of the accept list, separate rules are needed.
Other things: the connections will only work if there is a rule for the reciprocal connection, for example:

iptables -A FORWARD -o $IFACE_INTERNA -m state --state ESTABLISHED,RELATED -j ACCEPT

It is also worth remembering that the blocking rule I gave above works by port. Some P2P networks are known to work on any port, so you will be forced to block by server IP.

- --
  Thiago Macieira  -  Registered Linux user #65028
   thiago (AT) macieira (DOT) info
    ICQ UIN: 1967141   PGP/GPG: 0x6EF45358; fingerprint:

********************************************************
From: José Elias Mussauer Neto
To: 'Fábio Ribeiro', linux-br@bazar2.conectiva.com.br
Subject: RES: (linux-br) iptables-p2p
Date: Wed, 19 May 2004 16:40:12 -0300

Just today we had a contribution of a link on how to install this patch. You probably did not make the changes in the Makefile and the other files to point to the correct iptables path.
Have a look at www.slackware-brasil.com.br, articles section.

[ ]´s
Neto Mussauer

********************************************************
From: Silvio Souza
To: caio
Cc: linux-br
Subject: Re: (linux-br) iptables blocking kazaa
Date: Fri, 4 Jun 2004 15:23:05 -0300

> > does anyone have a concrete solution for blocking that wretched kazaa..

Try:

iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
iptables -A FORWARD -m string --string "X-Kazaa-Username:" -j DROP
iptables -A FORWARD -m string --string "X-Kazaa-Network:" -j DROP
iptables -A FORWARD -m string --string "X-Kazaa-IP:" -j DROP
iptables -A FORWARD -m string --string "X-Kazaa-SupernodeIP" -j DROP
iptables -A FORWARD -m string --string "Kazaa" -j DROP
#iptables -A FORWARD -m string --string "msn." -j DROP
iptables -A FORWARD -m string --string ".mp3" -j DROP

Regards.
Silvio Souza
silviosam@uol.com.br

From: José Elias Mussauer Neto
To: 'Silvio Souza', caio
Cc: linux-br
Subject: RES: (linux-br) iptables blocking kazaa
Date: Fri, 4 Jun 2004 16:39:56 -0300

Don't forget that for these strings to work you must recompile the kernel with the appropriate patch!

[ ]´s
Neto Mussauer

> -----Original Message-----
> From: Silvio Souza [mailto:silviosam@uol.com.br]
> Sent: Friday, June 4, 2004 15:23
> To: caio
> Cc: linux-br
> Subject: Re: (linux-br) iptables blocking kazaa
>
>
> > > does anyone have a concrete solution for blocking that wretched
> > kazaa..
>
> Try:
>
> iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
> iptables -A FORWARD -p TCP --dport 1214 -j REJECT
> iptables -A FORWARD -m string --string "X-Kazaa-Username:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-Network:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-IP:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-SupernodeIP" -j DROP
> iptables -A FORWARD -m string --string "Kazaa" -j DROP
> #iptables -A FORWARD -m string --string "msn." -j DROP
> iptables -A FORWARD -m string --string ".mp3" -j DROP

********************************************************
From: Bruno Jesus
To: Silvio Souza
Cc: Linux-br
Subject: Re: (linux-br) iptables blocking kazaa
Date: Fri, 4 Jun 2004 17:16:48 -0300

Does it work for any version of kazaa?

Bruno

> > does anyone have a concrete solution for blocking that wretched kazaa..
>
> Try:
>
> iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
> iptables -A FORWARD -p TCP --dport 1214 -j REJECT
> iptables -A FORWARD -m string --string "X-Kazaa-Username:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-Network:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-IP:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-SupernodeIP" -j DROP
> iptables -A FORWARD -m string --string "Kazaa" -j DROP
> #iptables -A FORWARD -m string --string "msn." -j DROP
> iptables -A FORWARD -m string --string ".mp3" -j DROP
>
> Regards.
> Silvio Souza
> silviosam@uol.com.br

********************************************************
From: caio ferreira
To: - Lista Linux-BR
Subject: Re: (linux-br) IPtables + kazaa
Date: Tue, 29 Jun 2004 11:19:01 -0300

Renato wrote:
> I am using Slack 9 with kernel 2.4.22 and iptables 1.2.8, but I
> can't manage to use the -m string option
> iptables -A FORWARD -m string --string "X-Kazaa-Username:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-Network:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-IP:" -j DROP
> iptables -A FORWARD -m string --string "X-Kazaa-SupernodeIP" -j DROP
> iptables -A FORWARD -m string --string "Kazaa" -j DROP
> iptables v1.2.8: Couldn't load match `string':/usr/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory
> Try `iptables -h' or 'iptables --help' for more information.
>
> what should I do????

If I'm not mistaken, you have to apply a patch to iptables to be able to use this option. Have a look at this link:
http://www.slackwarenaveia.org/modules.php?name=Sections&op=printpage&artid=281

********************************************************
From: Brunhara
To: Marcus Vinicius Guandelini, - Linux - BR
Subject: Re: (linux-br) Kazaa Lite
Date: Thu, 29 Jul 2004 19:44:58 -0300

Well, here I did the following: I removed NAT from everyone and everyone has to go through squid, where I have rules per machine and for downloads. Only a few machines have 100% NAT: the boss's and the people in finance and accounting. So that mail works, I NAT only the following ports. I have the following rules in iptables; you have to adapt them to ipchains.
iptables -A POSTROUTING -p tcp -s $rede -d $all --dport 53  -t nat -o $DevGW -j MASQUERADE
iptables -A POSTROUTING -p udp -s $rede -d $all --dport 53  -t nat -o $DevGW -j MASQUERADE
iptables -A POSTROUTING -p tcp -s $rede -d $all --dport 25  -t nat -o $DevGW -j MASQUERADE
iptables -A POSTROUTING -p tcp -s $rede -d $all --dport 110 -t nat -o $DevGW -j MASQUERADE

###### here I release only the machines I want ###############
iptables -A POSTROUTING -s 192.168.1.1   -d $all -t nat -o $DevGW2 -j MASQUERADE
iptables -A POSTROUTING -s 192.168.1.2   -d $all -t nat -o $DevGW2 -j MASQUERADE
iptables -A POSTROUTING -s 192.168.1.3   -d $all -t nat -o $DevGW2 -j MASQUERADE

###### I am also blocking this kazaa port
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 1412 -j REJECT
iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 1412 -j REJECT
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport 1412 -j REJECT
iptables -A INPUT -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport 1412 -j REJECT

There is also another option, to prevent packets with the SYN flag from being accepted; I don't remember that one off the top of my head.

----- Original Message -----
From: "Marcus Vinicius Guandelini"
> Folks,
>
> First of all, I have already searched the list archives but
> found nothing very satisfactory for my question.
> I am having a problem on my network with the people from the IT department
> itself, who spend the day on Kazaa Lite. I have already run the command "ipchains -A
> input -b -s 213.248.112.0/24 -j DENY", but they can still connect,
> send and receive files.
> Does anyone have a good tip? Would blocking ports 1024 and 1080
> solve it?
>
> Thanks once again ...
********************************************************

From: Andre
Reply-to: Andre
To: linux-br@bazar2.conectiva.com.br
Subject: Re: (linux-br)Blocking p2p with iptables
Date: Mon, 27 Sep 2004 15:35:06 -0000

robsoncb2 wrote:
> Folks, I need a list of iptables rules or up-to-date ports for blocking
> p2p (kazaa, emule, ...), bittorrent, and similar programs that users use
> to download movies, games, mp3.

I think the content below will help you!!!

Block Napster with IPChains:
ipchains -A input -b -s 64.124.41.0/24 -j DENY
Block Napster with IPTables:
iptables -A FORWARD -d 64.124.41.0/24 -j REJECT

Block IMesh with IPChains:
ipchains -A input -b -s 216.35.208.0/24 -j DENY
Block IMesh with IPTables:
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT

Block Bearshare with IPChains:
ipchains -A input -b -p TCP --sport 6346 -j DENY
Block Bearshare with IPTables:
iptables -A FORWARD -p TCP --dport 6346 -j REJECT

Block ToadNode with IPChains:
ipchains -A input -b -p TCP --sport 6346 -j DENY
Block ToadNode with IPTables:
iptables -A FORWARD -p TCP --dport 6346 -j REJECT

Block WinMX with IPChains:
ipchains -A input -b -s 209.61.186.0/24 -j DENY
ipchains -A input -b -s 64.49.201.0/24 -j DENY
Block WinMX with IPTables:
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT

Block Napigator with IPChains:
ipchains -A input -b -s 209.25.178.0/24 -j DENY
Block Napigator with IPTables:
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT

Block Morpheus with IPChains:
ipchains -A input -b -s 206.142.53.0/24 -j DENY
Block Morpheus with IPTables:
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT

Block KaZaA with IPChains:
ipchains -A input -b -s 213.248.112.0/24 -j DENY
Block KaZaA with IPTables:
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT

Block Limewire with IPChains:
ipchains -A input -b -p TCP --sport 6346 -j DENY
Block Limewire with IPTables:
iptables -A FORWARD -p TCP --dport 6346 -j REJECT

Block Audiogalaxy with IPChains:
ipchains -A input -b -d 64.245.58.0/23 -j DENY
Block Audiogalaxy with IPTables:
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT

Messaging

# A hostname given to -s/-d is resolved once, when the rule is inserted; the
# rule keeps only the address(es) returned at that moment.

Block AIM with IPChains:
ipchains -A input -b -p TCP --sport 5190 -j DENY
ipchains -A input -b -s login.oscar.aol.com -j DENY
Block AIM with IPTables:
iptables -A FORWARD -p TCP --dport 5190 -j REJECT
iptables -A FORWARD -d login.oscar.aol.com -j REJECT

Block ICQ with IPChains:
ipchains -A input -b -p TCP --dport 5190 -j DENY
ipchains -A input -b -s login.icq.com -j DENY
Block ICQ with IPTables:
iptables -A FORWARD -p TCP --dport 5190 -j REJECT
iptables -A FORWARD -d login.icq.com -j REJECT

Block MSN Messenger with IPChains:
ipchains -A input -p TCP -b --sport 1863 -j DENY
ipchains -A input -b -d 64.4.13.0/24 -j DENY
Block MSN Messenger with IPTables:
iptables -A FORWARD -p TCP --dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT

Block Yahoo Messenger with IPChains:
ipchains -A input -b -d cs.yahoo.com -j DENY
ipchains -A input -b -d scsa.yahoo.com -j DENY
Block Yahoo Messenger with IPTables:
iptables -A FORWARD -d cs.yahoo.com -j REJECT
iptables -A FORWARD -d scsa.yahoo.com -j REJECT

********************************************************

From: Marcos Montuleze
To: 'Ricardo Barros', 'br-linux'
Subject: RES: (linux-br)Blocking Yahoo Messenger
Date: Fri, 17 Dec 2004 10:24:33 -0300

Ricardo, these rules are working on my network.
#Block Napster
iptables -A FORWARD -d 64.124.41.0/24 -j REJECT
#Block IMesh
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
#Block Bearshare and ToadNode
iptables -A FORWARD -p tcp --dport 6346 -j REJECT
#Block WinMx
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
#Block Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
#Block Morpheus
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT
#Block Kazaa
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT
#Block Kazaa Lite
iptables -A FORWARD -p tcp --dport 1290 -j REJECT
#Block LimeWire
iptables -A FORWARD -p tcp --dport 6346 -j REJECT
#Block AudioGalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
#Block AIM
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
#iptables -A FORWARD -d login.oscar.aol.com -j REJECT
#Block ICQ
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
#iptables -A FORWARD -d login.icq.com -j REJECT
#Block MSN
iptables -A FORWARD -p tcp --dport 1863 -d $REDEINTERNA -j REJECT   # $REDEINTERNA = the IPs of my network
#iptables -A FORWARD -p tcp --dport 1863 -d 10.3.0.0/24 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
#Block Yahoo
iptables -A FORWARD -d 216.136.233.128 -j REJECT
iptables -A FORWARD -d 216.136.233.137 -j REJECT

> Dear colleagues,
>
> What rule can I use in IPTABLES to block Yahoo Messenger? I've already
> looked up several rules on the Internet and none of them works.
> I did it for MSN and it worked.

********************************************************

From: Adriano Frare
Reply-to: alfrare@e-alinux.com
To: alfrare@e-alinux.com
Cc: br-linux
Subject: Re: (linux-br)Blocking Yahoo Messenger
Date: Fri, 17 Dec 2004 14:21:49 -0200

Ricardo,

Use the rule below.

# Yahoo! Messenger
#echo -en "\\033[1;32m"
#echo "DROP -> Yahoo! Messenger"
#sleep 1
#echo -en "\\033[1;37m"
#$IPTABLES -A FORWARD -d cs.yahoo.com -j LOG
#$IPTABLES -A FORWARD -d cs.yahoo.com -j REJECT
#$IPTABLES -A FORWARD -d scsa.yahoo.com -j LOG
#$IPTABLES -A FORWARD -d scsa.yahoo.com -j REJECT
#$IPTABLES -A FORWARD -p TCP --dport 5000:5010 -i $LAN_IFACE1 -o $INET_IFACE -j LOG
#$IPTABLES -A FORWARD -p TCP --dport 5000:5010 -i $LAN_IFACE1 -o $INET_IFACE -j REJECT
#$IPTABLES -A FORWARD -p TCP --dport 5000:5010 -i $LAN_IFACE2 -o $INET_IFACE -j LOG
#$IPTABLES -A FORWARD -p TCP --dport 5000:5010 -i $LAN_IFACE2 -o $INET_IFACE -j REJECT
#$IPTABLES -A FORWARD -p TCP --dport 5000:5010 -i $DMZ_IFACE -o $INET_IFACE -j LOG
#$IPTABLES -A FORWARD -p TCP --dport 5000:5010 -i $DMZ_IFACE -o $INET_IFACE -j REJECT
#$IPTABLES -A FORWARD -p UDP --dport 5000:5001 -i $LAN_IFACE1 -o $INET_IFACE -j LOG
#$IPTABLES -A FORWARD -p UDP --dport 5000:5001 -i $LAN_IFACE1 -o $INET_IFACE -j REJECT
#$IPTABLES -A FORWARD -p UDP --dport 5000:5001 -i $LAN_IFACE2 -o $INET_IFACE -j LOG
#$IPTABLES -A FORWARD -p UDP --dport 5000:5001 -i $LAN_IFACE2 -o $INET_IFACE -j REJECT
#$IPTABLES -A FORWARD -p UDP --dport 5000:5001 -i $DMZ_IFACE -o $INET_IFACE -j LOG
#$IPTABLES -A FORWARD -p UDP --dport 5000:5001 -i $DMZ_IFACE -o $INET_IFACE -j REJECT

Regards,
Adriano

********************************************************

From: Fabrício Lamonica
To: Linux-br
Subject: (linux-br)Public service - blocking Kazaa
Date: Wed, 11 May 2005 15:53:08 -0300

Folks, here are the iptables rules, now for blocking Kazaa. Worked like a charm here.
LAN=192.168.0.0/24

# Kazaa ports
for port in 1214 1286 1334 1337 1349 1374 1406 1894 2206 2243 2250 2258 2358 \
            2391 2464 2589 2597 2861 3003 3074 3292 3474 3640 3756 3808 3958 32656; do
    iptables -t nat -A POSTROUTING -p tcp -s $LAN -d 0.0.0.0/0 --dport $port -j DROP
done

# Kazaa servers. iptables applies the /24 mask before inserting the rule, so each
# entry below blocks the whole /24 that contains the address, not only that host.
for net in 200.155.63.5/24 64.14.124.65/24 200.155.63.7/24 68.97.73.224/24 67.140.33.50/24 \
           64.233.161.104/24 12.202.146.153/24 172.164.197.186/24 68.35.78.53/24 69.70.244.213/24 \
           85.226.71.201/24 200.113.117.79/24 201.13.83.97/24 68.204.44.183/24 68.119.69.171/24 \
           69.149.82.100/24 24.122.71.237/24; do
    iptables -t nat -A POSTROUTING -s $LAN -d $net -j DROP
done

--
[ ]'s
Fabrício Lamonica
IT Analyst
Linux User # 169949
Net & Net Tecnologia em Informática Ltda.
http://www.netenet.com.br

From: Edson Ricardo Simão
Reply-to: edyssomn@yahoo.com.br
To: linux-br@bazar2.conectiva.com.br
Subject: Re: (linux-br)Public service - blocking Kazaa
Date: Wed, 11 May 2005 18:25:33 -0300

No offense to your work, but wouldn't it be easier to change the default policy of the chains to DROP and allow only what is needed, instead of using that many rules?

On Wed 11 May 2005 15:53, Fabrício Lamonica wrote:
> Folks,
> here are the iptables rules, now for blocking Kazaa. Worked like a charm
> here.

From: Fabrício Lamonica
To: linux-br@bazar2.conectiva.com.br
Subject: Re: (linux-br)Public service - blocking Kazaa
Date: Thu, 12 May 2005 08:16:12 -0300

Guys, as we all know, every company has its own needs, and very often blocking everything and allowing only what is necessary is not ideal, for several reasons. What I tried to do here was share the most relevant information, which is the MSN and Kazaa servers and their ports; how that gets applied in the firewall will depend on each person's preference. I appreciate the suggestions, but I didn't mean to start a discussion about it, only to offer a little help to people who may have searched the Internet for something and had no luck.

--
[ ]'s
Fabrício Lamonica
IT Analyst
Linux User # 169949
Net & Net Tecnologia em Informática Ltda.
http://www.netenet.com.br

********************************************************

From: Djames Suhanko
To: Fabrício Lamonica
Cc: Linux-br
Subject: Re: (linux-br)Public service - blocking Kazaa
Date: Thu, 12 May 2005 08:31:32 -0300

Have you read about layer7 for iptables?
http://www.demarctech.com/techsupport/rwv-support/rwv-faq.htm

Some examples:
iptables -t mangle -A POSTROUTING -m layer7 --l7proto directconnect -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto fasttrack -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 101
iptables -t mangle -A PREROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 102
iptables -t mangle -A PREROUTING -m layer7 --l7proto gnutella -j MARK --set-mark 103
iptables -t mangle -A PREROUTING -m layer7 --l7proto audiogalaxy -j MARK --set-mark 104
iptables -t mangle -A PREROUTING -m layer7 --l7proto bearshare -j MARK --set-mark 105
iptables -t mangle -A PREROUTING -m layer7 --l7proto openft -j MARK --set-mark 106

On Wed, 2005-05-11 at 15:53 -0300, Fabrício Lamonica wrote:
> Folks,
> here are the iptables rules, now for blocking Kazaa. Worked like a charm
> here.

********************************************************
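Added example (mine, not code from Brunhara's or Edson's posts): the deny-by-default gateway both of them describe, Brunhara by NATing only DNS, SMTP and POP3 for the LAN and giving full NAT to a handful of hosts, Edson by setting the chain policy to DROP and allowing only what is needed. The script sets the FORWARD policy to DROP, accepts only replies to already-accepted flows plus the listed services, gives the listed hosts unrestricted forwarding, sends LAN web traffic to Squid on the gateway and masquerades only what FORWARD has already let through, so a NAT rule on its own never grants access and a new P2P port needs no blocklist entry. The interface eth0, the LAN 192.168.1.0/24, the Squid port 3128 and the three host addresses are assumptions; run it with no argument to print the rules (IPT=echo), or with the argument apply as root to install them.

```shell
#!/bin/sh
# Added example: deny-by-default gateway. Nothing is forwarded unless a rule
# below allows it, so a new P2P port needs no new blocklist entry.
# IPT=echo prints each rule instead of applying it (dry run).
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.1.0/24}"       # assumed internal network
WAN="${WAN:-eth0}"                 # assumed Internet-facing interface
PROXY_PORT="${PROXY_PORT:-3128}"   # assumed Squid port on this gateway
# Hosts with unrestricted access (the boss and finance machines); assumed addresses.
FULL_ACCESS_HOSTS="${FULL_ACCESS_HOSTS:-192.168.1.1 192.168.1.2 192.168.1.3}"

# $1 = tcp|udp, $2 = destination port the whole LAN may reach directly.
allow_service() {
    "$IPT" -A FORWARD -o "$WAN" -s "$LAN" -p "$1" --dport "$2" -j ACCEPT
}

policy_rules() {
    # Default deny; replies to accepted flows come back through the state match.
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    # Mail and DNS for everyone, the same ports Brunhara NATs for the LAN.
    allow_service udp 53
    allow_service tcp 53
    allow_service tcp 25
    allow_service tcp 110
    # The few hosts that get everything.
    for h in $FULL_ACCESS_HOSTS; do
        "$IPT" -A FORWARD -s "$h" -o "$WAN" -j ACCEPT
    done
    # Whatever reaches this point is logged at a bounded rate, then hits the policy.
    "$IPT" -A FORWARD -m limit --limit 6/min -j LOG --log-prefix "FWD-DENY: "
}

nat_rules() {
    # Web from the LAN lands on Squid on this gateway instead of going out directly.
    "$IPT" -t nat -A PREROUTING -s "$LAN" ! -d "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # One masquerade rule is enough: POSTROUTING only sees packets that FORWARD
    # has already accepted, so NAT never grants access on its own.
    "$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$WAN" -j MASQUERADE
}

apply_all() {
    policy_rules
    nat_rules
}

case "${1:-}" in
    apply) apply_all ;;
    *)     IPT=echo; apply_all ;;   # dry run: print what would be installed
esac
```

With this layout, adding a service means one allow_service line in the filter table; the per-application address and port lists earlier in the thread are no longer needed, because anything not explicitly accepted is dropped and logged by the FORWARD policy.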