Skype can still log in without access on a Linux box?

Protecting your Linux box
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN

Skype can still log in without access on a Linux box?

Post by sevensins »

AOA,
I am running an FC2 transparent proxy with squid 2.5 stable 12 and djbdns.
eth0 - to DSL
eth1 - to LAN

My iptables rules are as follows:
#################### BEGINS HERE ###############
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING DROP

echo -e ".........................."
echo -e "Setting Proc Settings...."
echo -e ".........................."
echo -e ".........................."
######## Few Things I Like to Do ############
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "128" > /proc/sys/net/ipv4/ip_default_ttl
echo "1" > /proc/sys/net/ipv4/tcp_low_latency
echo 8388608 > /proc/sys/net/core/wmem_max
echo 8388608 > /proc/sys/net/core/rmem_max
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 4194304" > /proc/sys/net/ipv4/tcp_wmem

echo -e ".........................."
echo -e "Loading allowed MAC Address...."
echo -e ".........................."
echo -e ".........................."
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j ACCEPT
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j ACCEPT


echo -e ".........................."
echo -e "Loading denied MAC Address...."
echo -e ".........................."
echo -e ".........................."
/sbin/iptables -A INPUT -p all -s $IP -m mac --mac-source $MAC -j ACCEPT
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j REJECT
/sbin/iptables -t nat -A PREROUTING -i eth1 -s $IP -p tcp --dport 80 -j REDIRECT --to-port 8082
/sbin/iptables -t nat -A PREROUTING -i eth1 -s $IP -p tcp --dport 8080 -j REDIRECT --to-port 8082

(PORT 8082 virtual website in apache)

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 8080
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-port 8080

/sbin/iptables -t nat -A PREROUTING -p tcp -s LAN_NET$ -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p udp -s LAN_NET$ -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -p tcp -s LAN_NET$ --dport 443 -o eth0 -j MASQUERADE #SSL
.
.
.
.
.
/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT

#################### ENDS HERE ###############

As you can see, I have bound each IP to its MAC, and as a rule the DEFAULT INPUT, FORWARD and PREROUTING POLICY is DENY. But I have tried it myself with a network card that has no account whatsoever in the allow or deny list, to connect to Skype.
It connects and even makes calls, but cannot browse, nor connect to Yahoo or MSN etc. Just Skype... Can anyone help me?
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Re: Skype can still log in without access on a Linux box?

Post by lambda »

sevensins wrote: can anyone help me?
I don't see how you're setting $IP and $MAC, but here's how you can track down the Skype problem. Run


tcpdump -n -p -i eth1 -w tcpdump-log src a.b.c.d
Replace a.b.c.d with the IP.

Use that machine to connect to Skype. Hit Control-C to quit out of tcpdump, and then run


tcpdump -v -r tcpdump-log | more
and see how it bypasses your rules.
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN

Post by sevensins »

Thanks for your reply, and I will definitely do what you have said.

I'm reading the values of $IP and $MAC from a file... I left out a lot of scripting regarding that because it isn't directly connected to setting iptables.... :D

And I found a solution....

Added to the allowed users section:
/sbin/iptables -t nat -I PREROUTING -p all -s $IP -m mac --mac-source $MAC -j ACCEPT

and at the end added this:
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -s LAN_NET$ -j DROP

By this, my default chain policies remained DROP, and after the PREROUTING filtering (ALLOWING ALLOWED USERS), everything gets dropped....
iptables -t nat -nL shows (e.g.):

Chain PREROUTING (policy DROP)
ACCEPT all -- 192.180.11.3 0.0.0.0/0 MAC 00:01:02:DA:D9:2E
.
.
.
.
DROP tcp -- 192.168.11.0/24 0.0.0.0/0

If this is wrong in any way, please do let me know... I would love to correct it...
Last edited by sevensins on Thu Dec 15, 2005 5:53 pm, edited 1 time in total.
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear sevensins,
Salam,
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -s LAN_NET$ -j DROP
will look like this:

# /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -s $LAN_NET -j DROP

BTW, use this rule; it will solve your problem.

# /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -j DROP

Best Regards.
Farrukh Ahmed
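An added example, not posted by anyone in this thread, that puts sevensins's fix and LinuxFreaK's corrections together: read the (IP, MAC) pairs from a file, emit one nat PREROUTING ACCEPT per allowed host with -I, then append the catch-all DROP with -A so it always ends up last, and expand the variable as $LAN_NET rather than LAN_NET$. The allow-list file format, the LAN_NET value and the function names are assumptions; the rules are printed rather than executed so the set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the nat PREROUTING allow-list
# the way the thread converged on: ACCEPT per (IP, MAC) pair, then a
# catch-all DROP for eth1. Commands are printed, not run, so the output can
# be inspected (or piped to sh) before a live firewall is touched.
# Assumed file format (constructed): "IP MAC" per line, '#' starts a comment.

LAN_NET="192.168.11.0/24"   # constructed value; expanded as $LAN_NET

# Reject malformed entries up front: if iptables failed half-way through the
# list, the chain would be left without its closing DROP.
valid_entry() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    hx='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$2" in
        $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;;
        *) return 1 ;;
    esac
}

# build_rules FILE: print the rule set for the allow-list in FILE.
build_rules() {
    while read -r ip mac _; do
        case "$ip" in ''|'#'*) continue ;; esac
        if ! valid_entry "$ip" "$mac"; then
            echo "skipping malformed entry: $ip $mac" >&2
            continue
        fi
        # -I places each allowed host above anything already in the chain
        echo "/sbin/iptables -t nat -I PREROUTING -p all -s $ip -m mac --mac-source $mac -j ACCEPT"
    done < "$1"
    # -A: the catch-all must come after every ACCEPT, so it is appended last
    echo "/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -s $LAN_NET -j DROP"
}
```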
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN

Post by sevensins »

Thanks for the correction....
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!