Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: hatsa on January 06, 2009, 10:22:37 AM
-
Hi all, you can use this iptables script to block P2P.
This script allows only HTTP, shell access, FTP, Yahoo and MSN.
#!/bin/sh
# Enable routing between the LAN and the public interface
echo 1 > /proc/sys/net/ipv4/ip_forward
# Default policies: anything not explicitly allowed below is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Flush any existing rules before loading this set
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
#eth0 is local ip (LAN side)
#eth1 is public ip (Internet side)
#
#INPUT Rule
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE: this rule accepts every packet arriving on eth1, the public interface,
# so the per-port rules below only restrict what comes in from eth0 and lo.
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# Services allowed to reach this host ("-s 0/0 -d 0/0" means any source/destination)
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 -j ACCEPT    # HTTP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 -j ACCEPT   # HTTPS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 -j ACCEPT    # SSH (shell access)
iptables -A INPUT -p udp -s 0/0 -d 0/0 --destination-port 53 -j ACCEPT    # DNS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 1863 -j ACCEPT  # MSN Messenger
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 5050 -j ACCEPT  # Yahoo Messenger
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 21 -j ACCEPT    # FTP control channel
#
#Forward rule
# Replies from the Internet back to LAN hosts
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet: only these destination ports are forwarded; everything else
# (including P2P traffic) hits the FORWARD DROP policy
iptables -A FORWARD -i eth0 -p tcp --destination-port 80 -o eth1 -j ACCEPT    # HTTP
iptables -A FORWARD -i eth0 -p tcp --destination-port 443 -o eth1 -j ACCEPT   # HTTPS
iptables -A FORWARD -i eth0 -p udp --destination-port 53 -o eth1 -j ACCEPT    # DNS
iptables -A FORWARD -i eth0 -p tcp --destination-port 1863 -o eth1 -j ACCEPT  # MSN Messenger
iptables -A FORWARD -i eth0 -p tcp --destination-port 5050 -o eth1 -j ACCEPT  # Yahoo Messenger
iptables -A FORWARD -i eth0 -p tcp --destination-port 22 -o eth1 -j ACCEPT    # SSH
iptables -A FORWARD -i eth0 -p tcp --destination-port 21 -o eth1 -j ACCEPT    # FTP control channel
#
#nat table
# Masquerade LAN traffic behind the public address of eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
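A static check of the ruleset above, written as an added example (not from the post and not SME Server code): it lists the LAN-to-Internet ports the FORWARD chain lets through and counts INPUT rules that accept unrestricted traffic on the public interface. It assumes eth1 is the public interface, as the post's comments say, and embeds a subset of the post's INPUT and FORWARD lines as its input.

```shell
#!/bin/sh
# Static audit of an iptables script (added example; not from the post or SME Server).
# Assumption: eth1 is the public interface, as the post's comments state.
PUBLIC_IF="eth1"

# Input under review: a subset of the INPUT/FORWARD lines copied from the post above.
RULES='iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --destination-port 80 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --destination-port 443 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -p udp --destination-port 53 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --destination-port 1863 -o eth1 -j ACCEPT'

# Print proto/port for each FORWARD ACCEPT rule whose output interface is PUBLIC_IF.
# Anything not listed is dropped by "-P FORWARD DROP"; that is how the script blocks P2P.
forwarded_ports() {
    printf '%s\n' "$RULES" | awk -v pub="$PUBLIC_IF" '
        $2 == "-A" && $3 == "FORWARD" && /-j ACCEPT/ {
            proto = ""; port = ""; out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--destination-port" || $i == "--dport") port = $(i + 1)
                if ($i == "-o") out = $(i + 1)
            }
            if (out == pub && port != "") print proto "/" port
        }'
}

# Count INPUT ACCEPT rules on PUBLIC_IF that carry no protocol, port or state match,
# i.e. rules that expose every local service to the Internet regardless of later rules.
unrestricted_public_input() {
    printf '%s\n' "$RULES" | awk -v pub="$PUBLIC_IF" '
        $2 == "-A" && $3 == "INPUT" && /-j ACCEPT/ {
            in_if = ""; restricted = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-p" || $i == "--state" || $i == "--destination-port" || $i == "--dport") restricted = 1
            }
            if (in_if == pub && !restricted) n++
        }
        END { print n + 0 }'
}
echo "LAN -> $PUBLIC_IF forwarded ports:"; forwarded_ports
echo "unrestricted ACCEPT rules on $PUBLIC_IF INPUT: $(unrestricted_public_input)"
```

Against the post's rules this reports tcp/80, tcp/443, udp/53 and tcp/1863 as forwarded, and one unrestricted ACCEPT on eth1 (the "-i eth1 -s 0/0 -d 0/0 -j ACCEPT" line).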
-
hatsa: DON'T modify iptables chains.
You should read the documentation (in particular the developer manual) to understand how iptables/firewall rules are handled in SME.
IMHO you are trying to use SME for something it is not designed for. You should put a real firewall/proxy in front of your LAN (see IPCop, m0n0wall, Smoothwall, pfSense, Endian, whatever you prefer) and let SME do other things than firewalling.
@all: don't use hatsa's suggestion, as it would break your SME.
Ciao
Stefano