On 12/17/07, Agnello George agnello.dsouza@gmail.com wrote:
On 12/16/07, Dinesh Joshi dinesh.a.joshi@gmail.com wrote:
On 12/13/07, Agnello George agnello.dsouza@gmail.com wrote:
How do I block a client from accessing Yahoo chat? My current setup is as follows: I have a firewall, and behind it a proxy server running on port 3128.
Now, to block Yahoo chat access, I did the following in my squid.conf:
I'm a little late in replying. The best way to set up access control is to start with a completely closed firewall and proxy. Open the ports you require and set up port redirection 80 -> 3128 (if Squid is running as a transparent proxy). Then open only THOSE services in Squid which you require. Also remember NOT to NAT the machines or put ANY machine in the DMZ.
Sorry for the late reply on this. I did exactly what everyone was suggesting: blocking all the ports and enabling only those ports that we require (80, 8080, 21, 22, 443). By doing so we automatically block Gtalk, Yahoo chat and MSN Messenger. Here is what I did:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -m multiport --dports 21,22,80,8080,443 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
This is all great and all, but I have one IM installed on my system called "Pidgin". I am able to log in when it is configured for Yahoo Messenger.
Does anyone have any idea why this happens??
As mentioned before, I said I was able to block all chats... I was, however, wrong. I am kind of lost here.... Below is my iptables file (generated by the command system-config-securitylevel):
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
Can someone just help me out here :(
Thanks
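Editor's note, added after the thread and not part of any message in it: the closed-by-default gateway Dinesh describes, written out as one script. Two things in the posted iptables-save file are worth noticing against it. The filter table accepts anything arriving on eth2 and eth0 in both INPUT and FORWARD (the per-interface ACCEPT rules come before the port checks), and the OUTPUT chain keeps policy ACCEPT, so connections that originate on the firewall host itself (which is where the Pidgin client is installed) never meet a filter rule at all. The script below sets OUTPUT to DROP as well and only routes LAN traffic on the allow-listed ports. Interface roles (eth2 = LAN, eth0 = upstream), the Squid port and the port list are assumptions taken from the thread; the `ipt` dry-run wrapper, `build_rules` and `count_rules` are this example's own helpers.

```shell
#!/bin/sh
# Added example, not code from the thread: default-deny gateway ruleset with a
# transparent Squid redirect.  Interface names, the Squid port and the allowed
# port list are assumptions based on the thread; override them via environment.
#
#   sh fw.sh dry-run   # print the iptables commands without touching anything
#   sh fw.sh apply     # run them (needs root and the state/multiport modules)

LAN_IF="${LAN_IF:-eth2}"        # assumed: interface the clients sit behind
WAN_IF="${WAN_IF:-eth0}"        # assumed: upstream interface
SQUID_PORT="${SQUID_PORT:-3128}"
ALLOWED_TCP="${ALLOWED_TCP:-21,22,80,8080,443}"   # the list from the thread
FW_MODE="${1:-dry-run}"

# ipt: run iptables for real in apply mode, otherwise echo the command.
ipt() {
    if [ "$FW_MODE" = "apply" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # Start closed.  Unlike the posted iptables-save file, OUTPUT is DROP too,
    # so a chat client running on the gateway box itself is filtered as well.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback and reply traffic in all three chains.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN clients may reach Squid and SSH on the gateway, nothing else.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Port 80 from the LAN is diverted into Squid.  REDIRECT lives in the nat
    # table; a bare "-A PREROUTING" in the filter table is rejected by iptables.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

    # Other LAN traffic is routed only when its destination port is allow-listed.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --dports "$ALLOWED_TCP" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # The gateway's own outbound connections (Squid's upstream fetches, DNS).
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports "$ALLOWED_TCP" -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT

    # Log what falls through to the DROP policies so a client that still gets
    # out (or a legitimate service that got cut off) shows up in syslog.
    ipt -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "
    ipt -A OUTPUT -j LOG --log-prefix "FW-OUTPUT-DROP: "
}

# count_rules: number of iptables commands a dry run would emit.
count_rules() {
    ( FW_MODE=dry-run; build_rules ) | wc -l | tr -d ' '
}

case "$FW_MODE" in
    apply|dry-run) build_rules ;;
    *) echo "usage: $0 [dry-run|apply]" >&2 ;;
esac
```

Caveat a practitioner should keep in mind: a port allow-list only stops protocols that insist on their own ports. A messenger client configured to use port 80 or 443 passes this ruleset (through Squid for 80, straight through FORWARD for 443), which is why Dinesh's second half, opening only the required services in Squid's own ACLs, has to go with the firewall half rather than replace it.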