Koozali.org: home of the SME Server

portforward question...

KRS

portforward question...
« on: October 09, 2003, 01:47:32 AM »
Is it possible to port forward all ports (1-65545) to a nonexistent IP like 192.168.0.250, like /dev/null :-)  ??
Then do a new port forward like 80 to the other computers 192.168.0.10-20
and so on for the real/used ports...
so it is harder to hack the SME...

I'm using 6.0beta3

Dan Brown

Re: portforward question...
« Reply #1 on: October 09, 2003, 01:56:05 AM »
What on earth would be the point of this?  If the SME doesn't have any service running that's listening on the port in question, it won't accept connections on that port, in which case you're entirely secure.  If it does have a service running on that port, you won't be able to forward that port until you disable that service.  If you disable the service, there's nothing listening on that port, and therefore nothing to connect to, and therefore nothing to hack.

KRS

Re: portforward question...
« Reply #2 on: October 09, 2003, 01:59:24 AM »
We all know how secure Windows is... and I would like SME to block all outgoing/incoming suspicious connections... like backdoors, viruses, trojans and so on...

Dan Brown

Re: portforward question...
« Reply #3 on: October 09, 2003, 02:10:24 AM »
Well, SME blocks all incoming connections, period.  Unless you forward a port, nothing from the outside world hits the LAN except in response to something from the LAN.  To block the outgoing connections, port forwarding isn't what you'd need to do; you'd need to do some modification of the iptables rules to only route traffic for certain ports.  Not sure exactly how you'd do that (or whether it'd be useful), but it should be possible.  AFAIK, none of the existing port forwarding packages will do this.

Doug M.

Re: portforward question...
« Reply #4 on: October 10, 2003, 07:13:51 AM »
I've set up cron events to control the internet time from my daughter's computer. This iptables setup I use may be what you are looking for.

This line drops all outbound traffic on port 80 (bye bye web browsing, as this is the extent of her knowledge now. I'm sure more rules will follow as she gains experience).

/sbin/iptables -A PREROUTING -t nat -j DROP -m mac --mac-source 00:00:00:00:72:fe -p tcp --dport 80
This line removes the following rule, allowing normal port 80 traffic. Set up in a cron event, this provides perfect control of time limits on her internet use.

/sbin/iptables -D PREROUTING -t nat -j DROP -m mac --mac-source 00:00:00:00:72:fe -p tcp --dport 80

But I digress; change the port to whatever you want and it will drop that port. Also, this points to only one computer via its MAC address, which you can change to cover your entire LAN.
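Doug's cron-driven block/unblock, written up as an added example (not code from the original thread) in POSIX sh. It differs from the post in two ways a practitioner would want: it puts the DROP in the filter table's FORWARD chain rather than nat PREROUTING (nat only sees a connection's first packet, so a DROP there does not cut an already-open session), and it checks for the rule with `iptables -C` before inserting, so repeated cron runs do not stack duplicates. Assumed and not from the post: the script path /usr/local/bin/webtime.sh, the function names, the `IPTABLES` variable, and an iptables of 1.4.11 or newer (for `-C`); the MAC is the placeholder from the post.

```shell
#!/bin/sh
# Added example: cron-driven block/unblock of outbound TCP from one LAN host by MAC.
# Assumes this box routes LAN->Internet (so packets cross filter FORWARD) and
# iptables >= 1.4.11 for "-C". Script path and MAC below are placeholders.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Accept only a well-formed aa:bb:cc:dd:ee:ff address, so a typo in the crontab
# fails loudly instead of silently matching nothing.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Accept only an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The rule, built in one place so add, check and delete can never drift apart.
# filter FORWARD sees every packet; nat PREROUTING (as in the post above) only sees
# the first packet of a connection, so a DROP there leaves an open session running.
rule_spec() {   # $1 = client MAC, $2 = destination TCP port
    printf 'FORWARD -m mac --mac-source %s -p tcp --dport %s -j DROP' "$1" "$2"
}

# Insert at the top of FORWARD only if not already present, so a cron job that
# fires twice does not stack duplicate rules. $(rule_spec) is unquoted on purpose.
block_port() {
    "$IPTABLES" -C $(rule_spec "$1" "$2") 2>/dev/null ||
        "$IPTABLES" -I $(rule_spec "$1" "$2")
}

# Remove every copy of the rule; -D fails once none is left, which ends the loop.
unblock_port() {
    while "$IPTABLES" -D $(rule_spec "$1" "$2") 2>/dev/null; do :; done
}

# Usage from cron (constructed entries): block web at 21:00, allow again at 07:00.
#   0 21 * * * /usr/local/bin/webtime.sh block   00:00:00:00:72:fe 80
#   0  7 * * * /usr/local/bin/webtime.sh unblock 00:00:00:00:72:fe 80
if [ $# -eq 3 ]; then
    valid_mac "$2" && valid_port "$3" || { echo "usage: $0 block|unblock MAC PORT" >&2; exit 2; }
    case "$1" in
        block)   block_port "$2" "$3" ;;
        unblock) unblock_port "$2" "$3" ;;
        *)       echo "usage: $0 block|unblock MAC PORT" >&2; exit 2 ;;
    esac
fi
```

Note that the MAC match only identifies the address the client's interface presents on the LAN; the rule applies to that hardware address, not to a user account.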