Hi all,

I am using Shorewall version 1.4.2 running under Red Hat Linux: Linux tracker 2.4.20-13.8 #1 Mon May 12 12:20:54 EDT 2003 i686 i686 i386 GNU/Linux.

I want to enable ICQ from my LAN but not Kazaa. For ICQ, I have the following rules:

ACCEPT loc fw udp 4000
ACCEPT net loc tcp 4000:4100

but the rules do not seem to be working, since my LAN still can't log in to ICQ.

Any help is a big help!

Thanks.

---------------------------
cheers,
jaws

If there's one thing you need to remember it's this... ALL SYSTEMS ARE VULNERABLE!
On Thu, 22 May 2003 16:30:44 +0800, jaws <jaws@skyinet.net> wrote:

> I am using Shorewall version 1.4.2 running under Red Hat Linux: Linux
> tracker 2.4.20-13.8 #1 Mon May 12 12:20:54 EDT 2003 i686 i686 i386
> GNU/Linux.
>
> I want to enable ICQ from my LAN but not Kazaa. For ICQ, I have the
> following rules:
>
> ACCEPT loc fw udp 4000
> ACCEPT net loc tcp 4000:4100
>
> but the rules do not seem to be working, since my LAN still can't log in to
> ICQ.
>
> Any help is a big help!

First of all, I know of no effective way to filter Kazaa using standard iptables. The string match extension in Patch-O-Matic can be used to filter Kazaa, but that extension isn't available in the standard iptables releases (and hence has no support in Shorewall).

If you have only a single external IP address, then only one client behind your firewall can use ICQ. If that client's IP address is 192.168.1.3, then the rule is:

DNAT net loc:192.168.1.3 TCP 4000:4100

This assumes that:

a) You have the standard loc->net policy of ACCEPT; and
b) The ICQ client is configured to use local ports 4001:4100.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
On top of that, Kazaa adapts to anything you try to throw in its way. It's a nasty beast.

On Thu, 22 May 2003 09:02:16 -0700 Tom Eastep <teastep@shorewall.net> opened up to us and said:

> On Thu, 22 May 2003 16:30:44 +0800, jaws <jaws@skyinet.net> wrote:
>
> > I am using Shorewall version 1.4.2 running under Red Hat Linux: Linux
> > tracker 2.4.20-13.8 #1 Mon May 12 12:20:54 EDT 2003 i686 i686 i386
> > GNU/Linux.
> >
> > I want to enable ICQ from my LAN but not Kazaa. For ICQ, I have the
> > following rules:
> >
> > ACCEPT loc fw udp 4000
> > ACCEPT net loc tcp 4000:4100
> >
> > but the rules do not seem to be working, since my LAN still can't log in
> > to ICQ.
> >
> > Any help is a big help!
>
> First of all, I know of no effective way to filter Kazaa using
> standard iptables. The string match extension in Patch-O-Matic can be
> used to filter Kazaa, but that extension isn't available in the
> standard iptables releases (and hence has no support in Shorewall).
>
> If you have only a single external IP address, then only one client
> behind your firewall can use ICQ. If that client's IP address is
> 192.168.1.3, then the rule is:
>
> DNAT net loc:192.168.1.3 TCP 4000:4100
>
> This assumes that:
>
> a) You have the standard loc->net policy of ACCEPT; and
> b) The ICQ client is configured to use local ports 4001:4100.
>
> -Tom
> --
> Tom Eastep       \ Shorewall - iptables made easy
> Shoreline,        \ http://www.shorewall.net
> Washington USA     \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com

[ The information transmitted is intended only for the addressee and may contain confidential, proprietary and/or privileged material. Any unauthorized review, distribution or other use of or the taking of any action in reliance upon this information is prohibited. If you received this in error, please contact the sender and delete or destroy this message and any copies. ]
Hi Tom,

I've tried your suggestion but still can't log in to ICQ. Here is my rule:

DNAT net loc:192.168.100.2 tcp 4001:4100

My default loc->net policy is ACCEPT.

At 09:02 AM 5/22/2003 -0700, Tom Eastep wrote:

> On Thu, 22 May 2003 16:30:44 +0800, jaws <jaws@skyinet.net> wrote:
>
> > I am using Shorewall version 1.4.2 running under Red Hat Linux: Linux
> > tracker 2.4.20-13.8 #1 Mon May 12 12:20:54 EDT 2003 i686 i686 i386 GNU/Linux.
> >
> > I want to enable ICQ from my LAN but not Kazaa. For ICQ, I have the
> > following rules:
> >
> > ACCEPT loc fw udp 4000
> > ACCEPT net loc tcp 4000:4100
> >
> > but the rules do not seem to be working, since my LAN still can't log in to ICQ.
> >
> > Any help is a big help!
>
> First of all, I know of no effective way to filter Kazaa using standard
> iptables. The string match extension in Patch-O-Matic can be used to
> filter Kazaa, but that extension isn't available in the standard iptables
> releases (and hence has no support in Shorewall).
>
> If you have only a single external IP address, then only one client behind
> your firewall can use ICQ. If that client's IP address is 192.168.1.3, then
> the rule is:
>
> DNAT net loc:192.168.1.3 TCP 4000:4100
>
> This assumes that:
>
> a) You have the standard loc->net policy of ACCEPT; and
> b) The ICQ client is configured to use local ports 4001:4100.
>
> -Tom
> --
> Tom Eastep       \ Shorewall - iptables made easy
> Shoreline,        \ http://www.shorewall.net
> Washington USA     \ teastep@shorewall.net
> I've tried your suggestion but still can't log in to ICQ. Here is my rule:
>
> DNAT net loc:192.168.100.2 tcp 4001:4100
>
> My default loc->net policy is ACCEPT.

ICQ works for me with "loc net ACCEPT" and the appropriate masq setting. AFAICT even with multiple clients behind the firewall.

Only file transfers do not work, as that needs the DNAT rule.

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
Matthieu Turpault
2003-May-23 00:49 UTC
[Shorewall-users] how to enable icq and drop kazaa
Hi,

If you want to chat with ICQ, I suggest you add this line to your rules file:

ACCEPT loc:192.168.100.2 net udp 4000

TCP ports are only used for ICQ services other than chat (talk, file transfer...).

Matthieu

> > I've tried your suggestion but still can't log in to ICQ. Here is my rule:
> >
> > DNAT net loc:192.168.100.2 tcp 4001:4100
> >
> > My default loc->net policy is ACCEPT.
>
> ICQ works for me with "loc net ACCEPT" and the appropriate masq setting.
> AFAICT even with multiple clients behind the firewall.
>
> Only file transfers do not work, as that needs the DNAT rule.
>
> karsten
> --
> Hi, I'm a signature virus. Copy me into your ~/.signature to help
> me spread!
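As an added illustration (not code from the thread or from Shorewall itself), here is a small Python evaluator for rules lines in the ACTION SOURCE DEST PROTO DEST_PORT format used above. It shows why the original "ACCEPT loc fw udp 4000" never matches a LAN-to-Internet flow (its destination is the firewall zone, not net), that the loc->net ACCEPT policy is what actually admits the UDP 4000 login, and which inbound ports the DNAT rule forwards. The zone names fw/loc/net follow the thread; the sample flows, the 203.0.113.9 peer address and the fallback of DROP when no policy is listed are this example's own assumptions.

```python
# Toy evaluator for Shorewall rules-file lines of the form
#   ACTION  SOURCE  DEST  PROTO  DEST_PORT(S)
# Constructed for this thread; it is NOT Shorewall's own code. Zone names
# fw/loc/net follow the thread. First matching rule wins, then the zone-pair
# policy applies; DROP when no policy is listed is this toy's assumption.

def _zone_host(field):
    """Split 'loc:192.168.100.2' into ('loc', '192.168.100.2'); a bare zone has no host."""
    zone, _, host = field.partition(":")
    return zone, host or None

def _port_in(spec, port):
    """True if port is the single port '4000' or inside the inclusive range '4001:4100'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def decide(rules, policies, flow):
    """Return (action, forwarded_to) for a flow.

    flow keys: src_zone, src_ip, dst_zone, proto, dport. For DNAT the DEST column
    names the host the connection is forwarded to, so it is reported, not matched on.
    """
    for line in rules:
        action, src, dst, proto, ports = line.split()[:5]
        src_zone, src_host = _zone_host(src)
        dst_zone, dst_host = _zone_host(dst)
        if (src_zone, dst_zone) != (flow["src_zone"], flow["dst_zone"]):
            continue  # 'loc fw' is traffic TO the firewall; it never matches loc->net
        if src_host and src_host != flow["src_ip"]:
            continue
        if proto.lower() != flow["proto"] or not _port_in(ports, flow["dport"]):
            continue
        return action, (dst_host if action == "DNAT" else None)
    return policies.get((flow["src_zone"], flow["dst_zone"]), "DROP"), None

# Constructed flows: the outbound ICQ login (UDP 4000) and an inbound file transfer.
LOGIN = {"src_zone": "loc", "src_ip": "192.168.100.2", "dst_zone": "net", "proto": "udp", "dport": 4000}
XFER = {"src_zone": "net", "src_ip": "203.0.113.9", "dst_zone": "loc", "proto": "tcp", "dport": 4050}

ORIGINAL_RULES = ["ACCEPT loc fw udp 4000", "ACCEPT net loc tcp 4000:4100"]  # first post
SUGGESTED_RULES = ["ACCEPT loc:192.168.100.2 net udp 4000",                   # Matthieu's rule
                   "DNAT net loc:192.168.100.2 tcp 4001:4100"]                # jaws' DNAT rule

if __name__ == "__main__":
    policy = {("loc", "net"): "ACCEPT"}                # the poster's stated policy
    print(decide(ORIGINAL_RULES, policy, LOGIN))       # ('ACCEPT', None): the policy, not a rule
    print(decide(ORIGINAL_RULES, {}, LOGIN))           # ('DROP', None): rule 1 is loc->fw
    print(decide(SUGGESTED_RULES, {}, LOGIN))          # ('ACCEPT', None)
    print(decide(SUGGESTED_RULES, {}, XFER))           # ('DNAT', '192.168.100.2')
```

With a restrictive loc->net policy the second call shows the original rule set blocking the login, which is the case Matthieu's explicit UDP 4000 rule covers.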