Mailing List Archive: iptables: User

Firewall L7

 

 



higuti.sam at gmail

Apr 18, 2007, 5:38 AM

Post #1 of 8 (712 views)
Firewall L7

Hello guys.

I have a firewall L7 as a bridge in my work.
The firewall is blocking Gmail, Hotmail, and attachments from my mail
server....
Can anybody help me? =D

Best Regards

Stephan


--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam[at]hotmail.com
Email: higuti.sam[at]gmail.com
---------------------------------------------------------------------


pablo at blueoakdb

Apr 18, 2007, 5:42 AM

Post #2 of 8 (683 views)
Re: Firewall L7 [In reply to]

On Wednesday 18 April 2007 at 8:38 am, Stephan Higuti etched:
> Hello guys.
>
> I have a firewall L7 as a bridge in my work. The firewall is
> blocking Gmail, Hotmail, and attachments from my mail server....
> Can anybody help me? =D

If you have a home server, you can tunnel from work to it and
circumvent the 'problem'.

Depending on what you're running on your desktop at work (Unix or
Windows), you can use either ssh or putty, to create a local SOCKS
server, which tunnels to your home server.

If work blocks port 22, set up your sshd daemon at home to listen on
port 443. ;)

Cheers,
---
pablo


leolistas at solutti

Apr 18, 2007, 5:44 AM

Post #3 of 8 (684 views)
Re: Firewall L7 [In reply to]

What is your question ? What is your problem ?? Please tell us what's
wrong ....

Or .... are you trying to bypass your work's blocking rules ???? Is that it ?


Stephan Higuti wrote:
> Hello guys.
>
> I have a firewall L7 as a bridge in my work.
> The firewall is blocking Gmail, Hotmail, and attachments from my mail
> server....
> Can anybody help me? =D
>
>

--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT email it:
gertrudes[at]solutti.com.br


higuti.sam at gmail

Apr 19, 2007, 11:15 AM

Post #4 of 8 (680 views)
Re: Firewall L7 [In reply to]

My rulez....

## Flushing the IPTABLES rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

## Enabling packet forwarding ##
echo 1 > /proc/sys/net/ipv4/ip_forward

## Loading IPTABLES modules ##
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ipt_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_REJECT
modprobe ipt_layer7

# Creating NAT for the whole network.
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE

## Enabling Layer 7 rules
# Blocking Skype-to-Skype
iptables -A FORWARD -m layer7 --l7proto skypetoskype -j DROP

# Blocking SkypeOut
iptables -A FORWARD -m layer7 --l7proto skypeout -j DROP

# Blocking Messenger
#iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
#iptables -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP

# Blocking the Goddamn ORKUT by string, using the bm algorithm (km can be used too)
iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm

# Blocking torrents
iptables -t filter -A FORWARD -m layer7 --l7proto bittorrent -j DROP

# Switching to stateful
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


These rules are blockin' gmail, hotmail and my mail server.....
But it's just a few rulez....
Something wrong?

Cheers

Stephan

--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam[at]hotmail.com
Email: higuti.sam[at]gmail.com
---------------------------------------------------------------------


higuti.sam at gmail

May 11, 2007, 10:53 AM

Post #5 of 8 (609 views)
Re: Firewall L7 [In reply to]

Thanks for the help, guys!
It works!
Just another question....
What do I do to allow a free IP behind my bridge firewall (L7)?
I need an IP that can access everything.......

Best Regards

Stephan

On 4/19/07, Juan León <debjuanca[at]gmail.com> wrote:
>
> Hi Stephan, from my experience firewalling, you can try using these rules
> with yours.
>
> Let's take a close look at your rules.
>
>
> #iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm
>
> Maybe this line is associated with gmail; I suggest you use a proxy to match
> strings like orkut.
> Read Oskar Andreasson's paragraph.
>
> "For example, if we use a string match and match for a specific string
> inside the packet, lets say get /index.html. Will that work? Normally, yes.
> However, if the packet size is very small, it will not. The reason is that
> iptables is built to work on a per packet basis, which means that if the
> string is split into several separate packets, iptables will not see that
> whole string. For this reason, you are much, much better off using a proxy
> of some sort for filtering in the application layer"
>
>
> For hotmail you can add this line just above every FORWARD line (see
> "-I"); the same for your mail.server.com
>
> #iptables -I FORWARD -d www.hotmail.com -j ACCEPT
> #iptables -I FORWARD -d mail.server.com -j ACCEPT
>
>
> Hope this helps.
>
>
>
> 2007/4/19, Stephan Higuti <higuti.sam[at]gmail.com>:
>
>


--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam[at]hotmail.com
Email: higuti.sam[at]gmail.com
---------------------------------------------------------------------
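As an added example (not code from the thread or from anyone in it), a small Python simulation of first-match evaluation in the FORWARD chain: it shows why the posted `-m string --string "orkut"` rule also drops Gmail and mail-server traffic, why an ACCEPT inserted with -I ahead of it lets the mail server through, and the per-packet limit Andreasson describes, where a string split across two TCP segments is never seen. Hostnames and payloads are constructed samples.

```python
"""Added example, not code from the thread: first-match simulation of the
FORWARD chain. Shows (1) the posted `-m string --string "orkut"` rule drops
any packet carrying that word, Gmail pages and mail bodies included,
(2) `iptables -I FORWARD -d mail.server.com -j ACCEPT` placed in front of it
lets the mail server through, and (3) the per-packet limit from Andreasson:
a string split across two TCP segments is never matched. Hosts and payloads
are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: str                    # ACCEPT or DROP
    dst: Optional[str] = None      # -d <host>; None matches any destination
    string: Optional[str] = None   # -m string --string <s>; None means no match

    def matches(self, dst: str, payload: bytes) -> bool:
        if self.dst is not None and self.dst != dst:
            return False
        # Like -m string, only this ONE packet's payload is inspected.
        if self.string is not None and self.string.encode() not in payload:
            return False
        return True


def verdict(chain: List[Rule], dst: str, payload: bytes,
            policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in netfilter; else the chain policy."""
    for rule in chain:
        if rule.matches(dst, payload):
            return rule.target
    return policy


def verdicts(chain: List[Rule], dst: str, segments: List[bytes]) -> List[str]:
    """Evaluate each TCP segment of one flow on its own (per-packet matching)."""
    return [verdict(chain, dst, seg) for seg in segments]


# Chain as posted: the string match alone, appended with -A.
POSTED = [Rule("DROP", string="orkut")]
# `iptables -I FORWARD -d mail.server.com -j ACCEPT` puts the ACCEPT first.
FIXED = [Rule("ACCEPT", dst="mail.server.com")] + POSTED

# Constructed payloads: a Gmail page that merely links to orkut, a message
# fetched from the mail server that mentions the word, and one HTTP request
# whose "orkut" straddles two segments so that neither packet contains it.
GMAIL_PAGE = b"HTTP/1.1 200 OK\r\n\r\n<a href='http://www.orkut.com/'>Orkut</a>"
MAIL_BODY = b"Subject: hi\r\n\r\nsee you on orkut later"
SPLIT_REQUEST = [b"GET /search?q=or", b"kut HTTP/1.1\r\n\r\n"]
```

The split request is accepted packet by packet although the reassembled stream would be dropped, which is exactly why the quoted paragraph recommends a proxy for application-layer filtering.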


higuti.sam at gmail

May 14, 2007, 10:17 AM

Post #6 of 8 (595 views)
Re: Firewall L7 [In reply to]

Thankz guys!

My block rules aren't working!
I'm using these rules to block the msn protocol...


iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP


Any idea?

Best Regards

Stephan

--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam[at]hotmail.com
Email: higuti.sam[at]gmail.com
---------------------------------------------------------------------


fernando at intrace

May 14, 2007, 11:13 AM

Post #7 of 8 (590 views)
Re: Firewall L7 [In reply to]

Do an ls /lib/iptables/ or /usr/lib/iptables or wherever your iptables
libs are and look for
libipt_layer7.so; if you don't find it, it's because your kernel and/or
iptables compilation has failed.... by the way, you can remove the "-t
filter"



Stephan Higuti wrote:
> Thankz guys!
>
> My block rules aren't working!
> I'm using these rules to block the msn protocol...
>
>
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
>
>
> Any idea?
>
> Best Regards
>
> Stephan
>
> -
> ---------------------------------------------------------------------
> Stephan Higuti
> MSN: higutisam[at]hotmail.com
> Email: higuti.sam[at]gmail.com
> ---------------------------------------------------------------------
>


jengelh at linux01

May 14, 2007, 1:03 PM

Post #8 of 8 (587 views)
Re: Firewall L7 [In reply to]

On May 14 2007 14:17, Stephan Higuti wrote:
>
> My block rules isn't works!

That is _not_ a precise error description.

> I'm using this rules to block msn protocol...
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP



Jan
--
