Hi, I am currently implementing layer 7 packet filtering on my Debian gateway with ipp2p. This has been done to prevent wireless users from using well-known file-sharing applications (eDonkey, BitTorrent, Kazaa, etc.). The current iptables configuration that I have is doing everything very well.
Now I want to be able to run the amuled daemon ON the Debian router, but I am not really sure how to tell iptables to whitelist the traffic that is not being forwarded. In other words, the ipp2p module should not drop the packets originating from or destined for the router itself. Here is my current script:

# Interface connected to Internet
INTERNET="eth1"
# Address connected to LAN
LOCAL="10.0.1.0/24"
# VPN
VPN="5.0.0.0/8"

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Enable Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable Munin stats (no -j target: these rules only count packets)
iptables -A INPUT -d 37.244.81.222
iptables -A OUTPUT -s 37.244.81.222
iptables -A FORWARD -i eth1
iptables -A INPUT -d 10.0.1.2
iptables -A OUTPUT -s 10.0.1.2
iptables -A FORWARD -i eth0

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block P2P
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A OUTPUT -m ipp2p --ipp2p -j DROP

# set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -A FORWARD -s $LOCAL -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -s $LOCAL -j ACCEPT
iptables -A OUTPUT -s $LOCAL -j ACCEPT

# unlimited access to VPN
iptables -A INPUT -s $VPN -j ACCEPT
iptables -A OUTPUT -s $VPN -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Thanks for your help guys
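The chain layout the post describes, as an added example that is not part of the original message: traffic the router forwards for LAN hosts only crosses FORWARD, while traffic to or from the router itself only crosses INPUT and OUTPUT, so the ipp2p DROP rules in INPUT and OUTPUT are the ones hitting a local amuled. The block keeps the FORWARD rule and shows how to exempt the daemon from the other two. It assumes amuled runs as a user named "amule" and listens on TCP 4662 / UDP 4672 (aMule defaults, adjust to the configured ports); with the default IPT=echo it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post. Set IPT=iptables to apply the
# rules for real; the default (echo) prints them for review.
IPT="${IPT:-echo}"
INTERNET="eth1"
AMULE_USER="${AMULE_USER:-amule}"   # assumed service account of amuled
AMULE_TCP="${AMULE_TCP:-4662}"      # assumed aMule TCP listening port
AMULE_UDP="${AMULE_UDP:-4672}"      # assumed aMule UDP listening port

p2p_rules() {
    # Forwarded LAN traffic crosses FORWARD only; packets to or from the
    # router itself cross INPUT/OUTPUT and never reach FORWARD. This rule
    # alone blocks LAN users without touching daemons on the router.
    $IPT -A FORWARD -m ipp2p --ipp2p -j DROP

    # If P2P to/from the router should still be dropped for everything but
    # amuled, exempt the daemon before the ipp2p rules are evaluated.
    # OUTPUT: the owner match identifies locally generated packets by UID.
    $IPT -A OUTPUT -m owner --uid-owner "$AMULE_USER" -j ACCEPT
    $IPT -A OUTPUT -m ipp2p --ipp2p -j DROP

    # INPUT: inbound packets carry no owner information, so exempt the
    # daemon's listening ports instead (replies to its own outbound
    # connections are already covered by the ESTABLISHED,RELATED rule).
    $IPT -A INPUT -i "$INTERNET" -p tcp --dport "$AMULE_TCP" -j ACCEPT
    $IPT -A INPUT -i "$INTERNET" -p udp --dport "$AMULE_UDP" -j ACCEPT
    $IPT -A INPUT -m ipp2p --ipp2p -j DROP
}

# Dry-run check (IPT=echo): how many chains still carry an ipp2p DROP.
count_ipp2p_drops() {
    p2p_rules | grep -c -- '-m ipp2p --ipp2p -j DROP'
}

# Dry-run check (IPT=echo): the daemon exemptions precede the OUTPUT DROP.
owner_accept_before_drop() {
    p2p_rules | grep -n -- '-A OUTPUT' | head -n 1 | grep -q -- 'uid-owner'
}

p2p_rules
```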