Ok, sorry, the ipp2p is included in the kmod-ipt-filter package. Try to install it.
To filter traffic not originated by the AP, you must use the FORWARD chain; it is the chain that all the packets routed by the AP traverse. INCOMING is for packets which have the AP as destination and OUTPUT is for the packets generated by the AP to the outside world. All the traffic that traverses the AP is filtered through the FORWARD chain.
good luck
Thank you very very much for your help. I really appreciated it. However, the above rule works on the LAN side but not the WLAN (Hotspot) side. sigh!!!!
You can try the ipp2p module for iptables (http://www.ipp2p.org/); it's available in the Coova repository. I made some tests some months ago, and it can block all sorts of p2p traffic with a single rule in firewall.user, for example. You don't have to worry about port numbers; it identifies almost all kinds of p2p itself.
Check the web page & feel free to ask me any questions
Re: Block Ports
Hello,
I have the same problem:
"the above rule works on the LAN side but not the WLAN (Hotspot) side"
Is it not possible for the rule to work on both interfaces?
Thanks.
Re: Block Ports
To filter traffic not originated by the AP, you must use the FORWARD chain; it is the chain that all the packets routed by the AP traverse. INCOMING is for packets which have the AP as destination and OUTPUT is for the packets generated by the AP to the outside world. All the traffic that traverses the AP is filtered through the FORWARD chain.
good luck
Thank you very very much for your help. I really appreciated it. However, the above rule works on the LAN side but not the WLAN (Hotspot) side. sigh!!!!
Re: Block Ports
Ok, sorry, the ipp2p is included in the kmod-ipt-filter package. Try to install it.
To filter traffic not originated by the AP, you must use the FORWARD chain; it is the chain that all the packets routed by the AP traverse. INCOMING is for packets which have the AP as destination and OUTPUT is for the packets generated by the AP to the outside world. All the traffic that traverses the AP is filtered through the FORWARD chain.
try
iptables -I FORWARD 1 -p tcp -d 192.168.0.1 --dport 80 -j DROP
good luck
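
The chain description in the post above, as an added example that is not part of the thread: a simplified Python model of the filter table that picks the chain a packet traverses and applies first-match rule evaluation. The AP and client addresses are constructed, 192.168.0.1 is assumed not to be an address of the AP itself, and NAT and user-defined chains are not modeled.

```python
# Simplified model of the iptables filter table (added example).
# Not modeled: NAT, user-defined chains, non-terminating targets.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or ip_address(self.dst) == ip_address(pkt.dst))
                and (self.dport is None or self.dport == pkt.dport))

def chain_for(pkt, local_addrs):
    """Routing decision: local destination -> INPUT, local source -> OUTPUT, else FORWARD."""
    if pkt.dst in local_addrs:
        return "INPUT"
    if pkt.src in local_addrs:
        return "OUTPUT"
    return "FORWARD"

def verdict(pkt, rules, local_addrs, policy="ACCEPT"):
    """Return (chain, target): only rules in the traversed chain are consulted, in order."""
    chain = chain_for(pkt, local_addrs)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return chain, rule.target
    return chain, policy

# Constructed sample data: the AP's own addresses and a hotspot client's web request.
AP_ADDRS = {"192.168.182.1", "10.0.0.2"}
web = Packet("192.168.182.10", "192.168.0.1", "tcp", 80)
input_rule = Rule("INPUT", "DROP", proto="tcp", dst="192.168.0.1", dport=80)
forward_rule = Rule("FORWARD", "DROP", proto="tcp", dst="192.168.0.1", dport=80)

if __name__ == "__main__":
    print(verdict(web, [input_rule], AP_ADDRS))    # routed packet never reaches INPUT
    print(verdict(web, [forward_rule], AP_ADDRS))  # same match in FORWARD applies
```
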
Re: Block Ports
Sorry dutch, I think it is included in some of the default installed packages and loaded by default.
You can check it with the command
lsmod |grep ipp2p
It should give you at least this line:
ipt_ipp2p 7332 2
Also, if executing
iptables -I FORWARD 2 -m ipp2p --ipp2p -j DROP
doesn't give you any error, that means it's up & running :)
I get the following:
root@CoovaAP:~# iptables -I FORWARD 2 -m ipp2p --ipp2p -j DROP
iptables: No chain/target/match by that name
so I did a check of installed packages and no such pkg (ipp2p) is installed
Also thanks for the -p tcp tip... When I execute the following:
iptables -I INPUT 1 -p tcp -d 192.168.0.1 --dport 80 -j DROP
I can see the rule in position #1 when I do iptables -L, i.e.:
DROP tcp -- anywhere 192.168.0.1 tcp dpt:80
however, it still allows my web browser to go to that IP :(
dutch
Re: Block Ports
Sorry dutch, I think it is included in some of the default installed packages and loaded by default.
You can check it with the command
lsmod |grep ipp2p
It should give you at least this line:
ipt_ipp2p 7332 2
Also, if executing
iptables -I FORWARD 2 -m ipp2p --ipp2p -j DROP
doesn't give you any error, that means it's up & running :)
Re: Block Ports
You can try the ipp2p module for iptables (http://www.ipp2p.org/); it's available in the Coova repository
Joan.
Thanks Joan
FWIW the ipp2p module is not available in the current coova 1.06 beta release
dutch
Re: Block Ports
Ok, the default chain for doing this kind of thing, forwarding_wan in firewall.user, is useless because of the Coova firewall rules, I think.
The fast & ugly way of doing it is to put the rule above these rules in the FORWARD chain:
iptables -I FORWARD 2 -m ipp2p --ipp2p -j DROP
I have to inspect more /etc/init.d/S35firewall to understand it and find a better solution.
Re: Block Ports
Can you explain by example where you place the rule in firewall.user?
Re: Block Ports
Hi,
You can try the ipp2p module for iptables (http://www.ipp2p.org/); it's available in the Coova repository. I made some tests some months ago, and it can block all sorts of p2p traffic with a single rule in firewall.user, for example. You don't have to worry about port numbers; it identifies almost all kinds of p2p itself.
Check the web page & feel free to ask me any questions
Joan.