Nat Rule ( Req help ASAP)
Jason Opperisano
opie at 817west.com
Tue Nov 9 18:21:21 CET 2004
On Mon, Nov 08, 2004 at 11:04:56PM -0800, Nilesh wrote:
> Hello All,
>
> I am using Squid proxy and IPtables Firewall
> through squid I am able to block Messenger and other
> sites but if I put this in the firewall I couldn't
> block messenger
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to
> $EXTIP
that's a NAT rule that translates the source IP address of all your
outbound traffic leaving $EXTIF to $EXTIP.
> In connection settings if I choose no proxies the
> Yahoo messenger easily gets connected.
>
> also we use CISCO VPN client to connect to an outside VPN
> server. If I want to connect VPN I need to put that
> rule, otherwise I won't connect.
>
> Could anyone please tell me how to solve my problem?
> I want to block messengers and also want to connect to the VPN
> server through the client
i'm going to assume that your FORWARD policy must be set to ACCEPT
(note: i wouldn't have to assume if you had included your rules via:
iptables -t mangle -vnxL; iptables -t nat -vnxL; iptables -vnxL).
if your FORWARD policy is set to ACCEPT, you can explicitly drop the
ports used by yahoo messenger:
# yahoo messenger
iptables -A FORWARD -p tcp --dport 5050 -j DROP
# yahoo messenger voice chat
iptables -A FORWARD -p tcp --dport 5000:5001 -j DROP
iptables -A FORWARD -p udp --dport 5000:5010 -j DROP
# yahoo messenger web cam
iptables -A FORWARD -p tcp --dport 5100 -j DROP
if your FORWARD policy is set to DROP, and you need to allow the VPN client,
you should be able to allow it with:
# IKE
iptables -A FORWARD -i $INT_IF -p udp --dport 500 -j ACCEPT
# IPSec
iptables -A FORWARD -i $INT_IF -p 50 -j ACCEPT
# UDP Encapsulation
iptables -A FORWARD -i $INT_IF -p udp --dport 4500 -j ACCEPT
the specific encapsulation ports/protocols may vary depending on your
client settings.
-j
--
"I saw weird stuff in that place last night. Weird, strange, sick,
twisted, eerie, godless, evil stuff. And I want in."
--The Simpsons
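Added example (not part of the original thread): the rules above assembled into one script under a default DROP FORWARD policy, with the messenger DROPs placed before any broad ACCEPT so ordering cannot let them through, a LOG rule so blocked attempts show up in the kernel log, and a stateful ESTABLISHED,RELATED rule so VPN return traffic is allowed. Interface names, the LOG prefix and the `-m state` rule are assumptions; the port numbers are the ones from the reply.

```shell
#!/bin/sh
# Constructed example, not the poster's ruleset. Interface names are assumed.
INT_IF="${INT_IF:-eth1}"   # assumed LAN-side interface
EXT_IF="${EXT_IF:-eth0}"   # assumed Internet-side interface

# Emit the FORWARD rules, one iptables command per line, in the order they
# must be applied. Emitting rather than running them lets you review or diff
# the list before it touches a live firewall.
forward_rules() {
    int="$1"; ext="$2"
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# messenger blocks come first so no later ACCEPT can match them
iptables -A FORWARD -i $int -p tcp --dport 5050 -j LOG --log-prefix "YMSG-BLOCK "
iptables -A FORWARD -i $int -p tcp --dport 5050 -j DROP
iptables -A FORWARD -i $int -p tcp --dport 5000:5001 -j DROP
iptables -A FORWARD -i $int -p udp --dport 5000:5010 -j DROP
iptables -A FORWARD -i $int -p tcp --dport 5100 -j DROP
# IPsec VPN client from the LAN: IKE, ESP, NAT-T
iptables -A FORWARD -i $int -o $ext -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $int -o $ext -p 50 -j ACCEPT
iptables -A FORWARD -i $int -o $ext -p udp --dport 4500 -j ACCEPT
EOF
}

# Returns 0 if every messenger DROP precedes the first VPN ACCEPT.
check_order() {
    rules="$(forward_rules "$1" "$2")"
    last_drop=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | tail -n1 | cut -d: -f1)
    first_vpn=$(printf '%s\n' "$rules" | grep -n -- '-o .* -j ACCEPT' | head -n1 | cut -d: -f1)
    [ "$last_drop" -lt "$first_vpn" ]
}

# Usage: sh fwd-rules.sh        -> print the rules
#        sh fwd-rules.sh apply  -> run them (needs root)
if [ "$1" = "apply" ]; then
    forward_rules "$INT_IF" "$EXT_IF" | sh
else
    forward_rules "$INT_IF" "$EXT_IF"
fi
```

Blocked attempts appear in the kernel log with the YMSG-BLOCK prefix, which is the line to watch if you want to know whether anyone on the LAN is still trying.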