Re: Ipchains help
From: Nigel Wade (nmw_at_ion.le.ac.uk)
Date: 09/03/04
- Previous message: Jones: "Kaspersky Anti-Hacker or Sygate Pro 5.5.2710?"
- In reply to: Robert Law: "Re: Ipchains help"
- Next in thread: Micheal Robert Zium: "Re: Ipchains help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 03 Sep 2004 16:01:43 +0100
On Thu, 02 Sep 2004 10:19:53 -0700, Robert Law wrote:
> Nigel Wade <nmw@ion.le.ac.uk> wrote in message news:<pan.2004.09.02.10.39.32.859925@ion.le.ac.uk>...
>> On Wed, 01 Sep 2004 19:17:15 -0700, Robert Law wrote:
>>
>> > I am using ipchains and am trying to do two things that I seem to be
>> > unable to figure out.
>> >
>> > The first thing is I want to disable outgoing http over port 80 since
>> > I'm using squid. The second thing is that I would like to disable all
>> > outgoing traffic from my network at certain times. I know how to
>> > conditionally execute the script but it doesn't seem to disable the
>> > traffic.
>> >
>> > I have a linux box acting as a router and it is masquerading the boxes
>> > on the internal network.
>> >
>> > Here is my ipchains stmt.
>> > ipchains -A input -p tcp -s 192.168.1.0/24 -d \! 192.168.1.0/24
>> > --destination-port 80 -j DENY
>> >
>> > To cancel all output I think this should work.
>> > ipchains -A output -d \! 192.168.1.0/24 -j DENY
>> >
>> > Any help is greatly appreciated.
>> >
>> > Thanks.
>>
>> Don't forget that those rules are being *added* to the chains. If any rule
>> prior to those accepts the packet then the rule won't be reached.
>>
>> The easiest way to turn off packet forwarding entirely is to echo 0 into
>> /proc/sys/net/ipv4/ip_forward (dependent on kernel version, which you
>> don't mention).
>
> I can use the ip_forward okay. I have the first statement as the one
> just after I have flushed everything and set the default deny rules.
> What I'm wondering is why it doesn't work.
I can't see anything obviously wrong with it. I don't really know ipchains
that well; I use iptables.
You might add a new chain and jump into that chain rather than DENY. Then
you can log the packets traversing that chain. Turn on logging on all
chains and see if you can determine where those packets are being
accepted.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
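As an added example (not code from anyone in this thread), the script below puts the reply's advice into practice: a user-defined chain that logs and then denies, used in place of a bare DENY so the kernel log shows which rule dropped a packet, and a curfew rule that is inserted at the top of the forward chain rather than appended, so it is reached before the masquerading rule that would otherwise accept the traffic first. The 192.168.1.0/24 network is taken from the thread; the chain name `logdeny`, the `DRY_RUN` switch and the ACCEPT/DENY policies are my assumptions, and the rest of a complete firewall (local services, reply traffic) is deliberately left out.

```shell
#!/bin/sh
# Added example: an ipchains rule script with a logging chain and a curfew
# rule. Not from the original thread; the chain name and DRY_RUN switch are
# assumptions, the internal network is the one the poster gave.

INTERNAL_NET="192.168.1.0/24"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands for review, 0 = run them (root, ipchains kernel)

# Every rule passes through this wrapper so the complete set can be printed
# and checked before it is applied to a live router.
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# Base rule set. ipchains stops at the first matching rule, so the DENY for
# direct port-80 traffic is added before anything that could accept it.
build_rules() {
    fw -F                     # flush all built-in and user-defined chains
    fw -X                     # delete the (now empty) user-defined chains
    fw -P input ACCEPT        # local services and reply packets: out of scope here
    fw -P forward DENY        # nothing is forwarded unless a rule says so
    fw -P output ACCEPT

    # Logging chain: -l writes a kernel log line for each packet, then DENY
    # drops it. Jumping here instead of to DENY shows in the log which rule hit.
    fw -N logdeny
    fw -A logdeny -l -j DENY

    # Internal hosts may not reach web servers directly; they must use squid.
    fw -A input -p tcp -s "$INTERNAL_NET" -d '!' "$INTERNAL_NET" --destination-port 80 -j logdeny

    # Everything else from the internal network is masqueraded out.
    fw -A forward -s "$INTERNAL_NET" -j MASQ
}

# Curfew: -I puts the rule at position 1, ahead of the MASQ rule. Appending it
# with -A would place it after MASQ, where it is never reached; that is the
# ordering trap the reply warns about.
block_outgoing() {
    fw -I forward 1 -s "$INTERNAL_NET" -j logdeny
}

# Lift the curfew by deleting exactly that rule (ipchains matches the full spec).
unblock_outgoing() {
    fw -D forward -s "$INTERNAL_NET" -j logdeny
}

case "${1:-}" in
    build)   build_rules ;;
    block)   block_outgoing ;;
    unblock) unblock_outgoing ;;
esac
```

Run `sh fw.sh build` to print the rules for review, `DRY_RUN=0 sh fw.sh build` as root to load them, and call `block` / `unblock` from cron at the curfew times; the `-l` flag makes each dropped packet appear in the kernel log (dmesg or syslog), which is the evidence the reply suggests gathering. The curfew is placed on the forward chain rather than the output chain because a rule matching all non-internal destinations on output also catches the router's own packets, including squid's fetches.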