Lowyat.NET Forums

> Gateway Server Setup, port block/filter UDP and TCP
NeophyteHeaven
post Oct 19 2009, 02:29 PM | Post #1

here is my policy for outbound traffic

Port - Service
21 = FTP
22 = SSH
25 = SMTP
53 = DNS
67-68 = DHCP
80 = HTTP
110 = POP3
137-139 = SMB
143 = IMAP
443 = HTTPS
1863 = MSN Messenger
3306 = MySQL
5000-5003 = UPnP
5050 = Yahoo Messenger
5222 = GTalk
5900 = VNC
8080, 8181, 8282, 8787, 8888 = Additional for accessing virtual server

here is my policy for inbound traffic
Port - Service
20-21 = FTP
22 = SSH
80 = HTTP
443 = HTTPS


is this good enough to be a gateway/firewall?
the problem is.. i can't block streaming downloads, like from Real Player..

NoPurpose
post Oct 19 2009, 03:44 PM | Post #2

yahoo and msn messenger are not that easy to block .....

to block streaming you need to block tcp patterns instead of ports, a bit complicated to do that ...

iihtmalaysia
post Oct 20 2009, 12:41 PM | Post #3

QUOTE(NoPurpose @ Oct 19 2009, 03:44 PM)
yahoo and msn messenger are not that easy to block .....

to block streaming you need to block tcp patterns instead of ports, a bit complicated to do that ...




Configuring iptables for this is nice, but if you use squid+iptables that would be more restrictive.

ICQ and AOL:

# iptables -A FORWARD -p TCP --dport 5190 -j DROP
# iptables -A FORWARD -d login.oscar.aol.com -j DROP

MSN:

# iptables -A FORWARD -p TCP --dport 1863 -j DROP
# iptables -A FORWARD -d 64.4.13.0/24 -j DROP

Yahoo Messenger:

# iptables -A FORWARD -p TCP --dport 5000:5010 -j REJECT
# iptables -A FORWARD -d cs.yahoo.com -j REJECT
# iptables -A FORWARD -d scsa.yahoo.com -j REJECT


IIHT Malaysia
Professional IT certificate training from globally recognized IT training
partner of Cisco, Microsoft, and other giants of the IT industry
3G Infocom Training Sdn Bhd
Subang Jaya, Selangor DE
Webpage: www.iiht-malaysia.com
Tel: +6(03) 5638 1036 Fax: +6(03) 5638 8036


NeophyteHeaven
post Oct 20 2009, 06:53 PM | Post #4

QUOTE(NoPurpose @ Oct 19 2009, 03:44 PM)
yahoo and msn messenger are not that easy to block .....

to block streaming you need to block tcp patterns instead of ports, a bit complicated to do that ...


ym/msn.. i do the above method only.. if i remove it from my iptables.. no user can access their ym/msn
tcp pattern? mind explaining more? been looking forward to this..

QUOTE(iihtmalaysia @ Oct 20 2009, 12:41 PM)
Configuring iptables for this is nice, but if you use squid+iptables that would be more restrictive.

ICQ and AOL:

# iptables -A FORWARD -p TCP --dport 5190 -j DROP
# iptables -A FORWARD -d login.oscar.aol.com -j DROP

MSN:

# iptables -A FORWARD -p TCP --dport 1863 -j DROP
# iptables -A FORWARD -d 64.4.13.0/24 -j DROP

Yahoo Messenger:

# iptables -A FORWARD -p TCP --dport 5000:5010 -j REJECT
# iptables -A FORWARD -d cs.yahoo.com -j REJECT
# iptables -A FORWARD -d scsa.yahoo.com -j REJECT


thanks for the detailed way to block ym n msn.. i added extra aol and icq..

what about mIRC or Skype?

NtahX
post Oct 20 2009, 11:42 PM | Post #5

for IRC it depends on what port they're using, but the most common ports will be

6661 until 6669 & 7000

iptables conf will be the same as ICQ


NoPurpose
post Oct 21 2009, 09:46 AM | Post #6

1. ym/msn can be set to use an anonymous proxy; unless you totally block the source ip, the client can still connect.

2. blocking ports doesn't really help coz both ym/msn can use port 80, it means no difference if we block the source ip because it disables http browsing.

3. in theory blocking the destination authentication login servers should work better, but it requires a team of people to manage it coz there are too many servers and they're dynamic.

that's why modern firewalls block tcp patterns in the application layer instead of tcp ports.

abubin
post Oct 21 2009, 03:51 PM | Post #7

install shorewall for managing iptables and also squid proxy.

It will make life much much much easier.

All msn, aol, messenger and streaming can be blocked from squid.

NeophyteHeaven
post Oct 21 2009, 06:56 PM | Post #8

QUOTE(NtahX @ Oct 20 2009, 11:42 PM)
for IRC it depends on what port they're using, but the most common ports will be

6661 until 6669 & 7000

iptables conf will be the same as ICQ


thanks

QUOTE(NoPurpose @ Oct 21 2009, 09:46 AM)
1. ym/msn can be set to use an anonymous proxy; unless you totally block the source ip, the client can still connect.

2. blocking ports doesn't really help coz both ym/msn can use port 80, it means no difference if we block the source ip because it disables http browsing.

3. in theory blocking the destination authentication login servers should work better, but it requires a team of people to manage it coz there are too many servers and they're dynamic.

that's why modern firewalls block tcp patterns in the application layer instead of tcp ports.


tcp pattern? sure a lot of work there monitoring the tcp/login servers.. if you have over ~100 client pcs.

QUOTE(abubin @ Oct 21 2009, 03:51 PM)
install shorewall for managing iptables and also squid proxy.

It will make life much much much easier.

All msn, aol, messenger and streaming can be blocked from squid.


tried shorewall before.. didn't really suit me.. hehe..
can i use squid without setting up the client pc browser to use a proxy?

Find The Way
post Oct 21 2009, 09:41 PM | Post #9

I'm not a networking guy thus I might be asking a stupid question... does it allow us to specify a rule by protocol, say RTP, for blocking streaming?

NeophyteHeaven
post Oct 22 2009, 12:53 AM | Post #10


abubin
post Oct 22 2009, 10:06 PM | Post #11

yes, you can set up something called a transparent proxy in squid. That means it uses the default port 80 as the squid port. Since all browsers use port 80 by default, they will then use squid automatically. No need to configure the browser. Just change your squid setting to use port 80. I think there might be other settings but I can't remember. Refer to guides.

As for shorewall, once you learn how to use it, any changes in the future will be easy. Just follow the example guides on the shorewall site. They have very good documentation.
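A gateway script in the spirit of this thread, added here as an example and not code from any poster: it emits post #1's default-deny policy, the IM/IRC port blocks from posts #3 and #5 with logging, and post #11's transparent proxy as a nat-table redirect. The interface names, Squid's port 3128, and the `echo` dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit the gateway policy of post #1 with
# post #3's application blocks and post #11's transparent proxy. IPT defaults
# to "echo iptables" so the rules can be reviewed without root; set IPT=iptables
# on the gateway. Interface names and Squid's port 3128 are assumptions.
LAN="${LAN:-eth1}"; WAN="${WAN:-eth0}"; SQUID_PORT="${SQUID_PORT:-3128}"
IPT="${IPT:-echo iptables}"

gateway_rules() {
  # Default deny both ways; replies to allowed flows come back via conntrack.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT

  # Inbound services the gateway itself exposes (post #1: FTP, SSH, HTTP, HTTPS).
  $IPT -A INPUT -i "$WAN" -p tcp -m multiport --dports 20,21,22,80,443 -j ACCEPT

  # Known IM/IRC ports (posts #3 and #5): log, then drop, so blocked attempts
  # show up in the kernel log. --dport only works together with -p tcp/udp.
  # Hostname targets such as -d login.oscar.aol.com resolve once, at rule-load
  # time, so they silently go stale; port and prefix matches are more reliable.
  for p in 1863 5190 5050 5222 6661:6669 7000; do
    $IPT -A FORWARD -i "$LAN" -p tcp --dport "$p" -j LOG --log-prefix "IM-BLOCK "
    $IPT -A FORWARD -i "$LAN" -p tcp --dport "$p" -j DROP
  done

  # Outbound services from post #1's list, minus the IM ports dropped above.
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp -m multiport \
    --dports 21,22,25,53,80,110,143,443,3306,5900,8080,8181,8282,8787,8888 -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -p udp -m multiport --dports 53,67,68 -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 137:139 -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 5000:5003 -j ACCEPT

  # Post #11's transparent proxy: leave Squid on its own port (intercept mode)
  # and redirect LAN port-80 traffic to it in the nat table. Clients that fall
  # back to port 80 (post #6) then pass through Squid's ACLs instead of raw NAT.
  $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
  $IPT -A INPUT -i "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

gateway_rules
```

Rule order matters: the LOG/DROP pairs sit before the outbound ACCEPT rules so an IM port listed in both is dropped, and `iptables -L -v -n` on the gateway shows the hit counters for each block.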

NeophyteHeaven
post Oct 22 2009, 11:42 PM | Post #12

QUOTE(abubin @ Oct 22 2009, 10:06 PM)
yes, you can set up something called a transparent proxy in squid. That means it uses the default port 80 as the squid port. Since all browsers use port 80 by default, they will then use squid automatically. No need to configure the browser. Just change your squid setting to use port 80. I think there might be other settings but I can't remember. Refer to guides.

As for shorewall, once you learn how to use it, any changes in the future will be easy. Just follow the example guides on the shorewall site. They have very good documentation.


it's u.. btw check ur pm.. thanks for the reply

i haven't played much with proxy yet.. maybe soon.. coz i need to make access levels for internet access for users.. and filter downloads..

as i know, shorewall management is using webmin only.. i want something that maybe comes with a gui like firestarter, or fwbuilder..

btw: i still can't block streaming yet..

abubin
post Oct 23 2009, 02:18 AM | Post #13

hehe... yeah it's me. Let me know if you need my "service".

Yes, I manage shorewall using webmin which is good enough. Using firestarter would mean u need to install a GUI which is not recommended for servers. Webmin is minimalistic and very unintrusive.

With webmin, you can also manage your squid proxy and pretty much anything in linux.

As for blocking streaming, you will either need to block at the website level (block youtube or radio sites and so on) or you need something called a traffic shaper. If not mistaken shorewall supports this but you need to install and configure additional stuff.

Oh yeah, BTW, you can try looking into using Untangle. This is some sort of internet access blocking package. It has everything set up, you just configure it. Very easy to set up.

NeophyteHeaven
post Oct 23 2009, 10:24 AM | Post #14

QUOTE(abubin @ Oct 23 2009, 02:18 AM)
hehe... yeah it's me. Let me know if you need my "service".

Yes, I manage shorewall using webmin which is good enough. Using firestarter would mean u need to install a GUI which is not recommended for servers. Webmin is minimalistic and very unintrusive.

With webmin, you can also manage your squid proxy and pretty much anything in linux.

As for blocking streaming, you will either need to block at the website level (block youtube or radio sites and so on) or you need something called a traffic shaper. If not mistaken shorewall supports this but you need to install and configure additional stuff.

Oh yeah, BTW, you can try looking into using Untangle. This is some sort of internet access blocking package. It has everything set up, you just configure it. Very easy to set up.


yep.. if i want to install firestarter, i need to install a gui.. ehehe.. it's just a gateway for local LAN internet filtering.. nobody cares.. as long as i finish my work.. lol

Untangle.. seems good.. will play with it later.. thanks for the good recommendation..