TorrentFlux Forums » Code Hacks and Tools » TorrentFlux 2.1 Hacks
Topic: Blocking Clients with IPTables, but how? (Read 2253 times)
TommyD
« on: 06-30-2006, 16:10:38 »

I read a lot of documents about firewalling with iptables but I cannot find a working solution for it. Quite simple: I have a TorrentFlux client and I want to block all connecting clients except one (just for testing):

Code:
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT

/sbin/iptables -A INPUT -p udp -s na.me.ser.ver/32 --source-port 53 -d 0/0 -j ACCEPT

/sbin/iptables -A INPUT -s all.owed.clie.nt -j ACCEPT
/sbin/iptables -A INPUT -d blo.ck.every.thing  -j DROP

I was thinking about something like the above, but it isn't really working. I tried some things with the above script and SSH, and yes, that works, but it looks like torrent clients are not doing what SSH does.

The idea is simple: block every incoming client (iptables -A INPUT -d blo.ck.every.thing -j DROP), and just allow one of them (iptables -A INPUT -s all.owed.clie.nt -j ACCEPT).

Can anyone tell me how to solve this?
Paczesiowa
« Reply #1 on: 06-30-2006, 16:37:11 »

Quote
/sbin/iptables -A INPUT -d blo.ck.every.thing  -j DROP

This doesn't make sense... why do you use "-d" (--destination) in INPUT? It's obvious that if a packet is in the INPUT chain its destination is your computer... This should work with "-s", though...

But it's not enough... with something like this you won't be able to contact the tracker...
TommyD
« Reply #2 on: 06-30-2006, 16:58:28 »

Quote
/sbin/iptables -A INPUT -d blo.ck.every.thing  -j DROP

This is meant as: block all incoming connections to the <ipaddress> of that server / client (where the torrent client is running). But this is not what it does?

What I want, which I think is quite easy, is something like:

1. Drop all incoming connections.
2. Allow <this> or <that> ipaddress.

Do you have an idea of how to get this thing working?
« Last Edit: 06-30-2006, 17:00:39 by TommyD »
Paczesiowa
« Reply #3 on: 06-30-2006, 17:54:26 »

You cannot block packets TO his IP in the INPUT chain... every packet in the INPUT chain is destined to you... packets TO his IP are inside OUTPUT, so they are accepted anyway. To do this you should, in INPUT, accept packets FROM (source) his IP and FROM the tracker, or use a rule that accepts established and related connections.
TommyD
« Reply #4 on: 06-30-2006, 18:41:55 »

You mean something like this?

Code:
#!/bin/sh

# Flush tables
iptables -F
iptables -X

# Block every incoming request
/sbin/iptables -P INPUT DROP

/sbin/iptables -I STATE -m state --state ESTABLISHED,RELATED -j ACCEPT

# For BT Clients
/sbin/iptables -A INPUT -p tcp -s <ip of outside client> -d <ip of my bt client> --dport 49152:49153 -j ACCEPT

# Let's keep SSH available ;-)  (SSH listens on TCP port 22, and --dport needs -p tcp)
/sbin/iptables -A INPUT -p tcp -s <ip of pc @ home> -d <ip of server> --dport 22 -j ACCEPT

When I want to add a new client to accept I can just copy this line, then?
/sbin/iptables -A INPUT -p tcp -s <ip of outside client> -d <ip of my bt client> --dport 49152:49153 -j ACCEPT

And just do a /blabla/iptables to reload the firewall rules?

Does it work like that?

Because I am not using any firewall for outgoing packets I don't think I need something for the way back, I guess... Am I right about that?

(I am sorry, I am really a n00b about this kind of thing... and about a lot else too ;-) )
« Last Edit: 06-30-2006, 18:44:13 by TommyD »
Paczesiowa
« Reply #5 on: 06-30-2006, 18:50:18 »

Quote
/sbin/iptables -I STATE -m state --state ESTABLISHED,RELATED -j ACCEPT

There isn't a STATE chain by default, I think you meant INPUT...

In the "bt client" line you can omit "-d <ip of my bt client>" because every packet in that chain has this destination, so why bother checking it? (Unless you have multi-IP or multi-NIC or something more complicated.)


And besides, this doesn't have to work because the tracker isn't forced to give you the IP and port of your friend...
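The ruleset the two replies above converge on (default DROP on INPUT, an ESTABLISHED,RELATED accept in the INPUT chain rather than a non-existent STATE chain, then per-source accepts for the one allowed peer and the home PC) written out as an added example. This is not code from the thread or from TorrentFlux; the addresses (documentation ranges), the SSH port and the LOG rule are assumptions. The rules are printed rather than executed so they can be reviewed without root, and the DROP policy is set last so an existing SSH session is not cut off while the rules load.

```shell
#!/bin/sh
# Added example, not from the thread: allowlist firewall for the host that
# runs the BitTorrent client. All addresses below are assumed placeholders.

IPT=/sbin/iptables
HOME_IP=192.0.2.10        # assumed: the PC at home that needs SSH
BT_IP=203.0.113.5         # assumed: the single peer allowed to connect
BT_PORTS=49152:49153      # listening port range used in the thread

# build_rules prints the iptables commands instead of running them.
# Order matters: loopback and ESTABLISHED,RELATED first, then the explicit
# per-source accepts, then a rate-limited LOG of what is about to be dropped,
# and only then the DROP policy (so the current SSH session survives).
build_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp -s $HOME_IP --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s $BT_IP --dport $BT_PORTS -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
EOF
}

# add_peer prints the one rule needed to allow one more peer address.
# Without -d, as Reply #5 notes: everything in INPUT is already addressed
# to this host. A host with two addresses can append "-d <ip>" to pin it.
add_peer() {
    printf '%s -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$IPT" "$1" "$BT_PORTS"
}

# apply_rules loads the generated commands; requires root.
apply_rules() {
    build_rules | sh -e
}

# Run as a script: print the ruleset for review; "apply" loads it.
case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Tracker traffic and DNS replies are covered by the ESTABLISHED,RELATED rule because the client opens those connections itself (conntrack also tracks UDP), so the separate port-53 rule from the first post is not needed.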
TommyD
« Reply #6 on: 06-30-2006, 18:55:46 »

Quote
/sbin/iptables -I STATE -m state --state ESTABLISHED,RELATED -j ACCEPT

There isn't a STATE chain by default, I think you meant INPUT...

In the "bt client" line you can omit "-d <ip of my bt client>" because every packet in that chain has this destination, so why bother checking it? (Unless you have multi-IP or multi-NIC or something more complicated.)

And besides, this doesn't have to work because the tracker isn't forced to give you the IP and port of your friend...

So that first thing must be: /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ?

And that '-d <ip>' is because I have 2 IPs on one eth0... When ip1 is hanging because of a fault in the firewall I can use the second...

So what I want, which I think is quite easy, is something like:

1. Drop all incoming connections.
2. Allow <this> or <that> ipaddress.

And my only question now is... is it working like the above or isn't it working? I really need a solution for this problem... A working one, please.
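One way to answer "is it working?" is to read what the firewall drops. With a LOG rule placed before the DROP policy, the kernel writes one line per rejected packet (SRC=, DPT= and so on) to the system log. The script below, an added example that is not part of the thread, summarises such lines per source address and destination port; the log lines embedded in it are constructed samples in the kernel LOG format, and the "INPUT-DROP: " prefix is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: summarise iptables LOG output so the
# allowlist can be verified. SAMPLE_LOG is constructed test data.
SAMPLE_LOG='Jun 30 18:41:55 tfbox kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.2 LEN=60 PROTO=TCP SPT=51234 DPT=49152 SYN URGP=0
Jun 30 18:41:57 tfbox kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.2 LEN=60 PROTO=TCP SPT=51235 DPT=49152 SYN URGP=0
Jun 30 18:42:01 tfbox kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.2 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Jun 30 18:42:05 tfbox kernel: sshd[1234]: Accepted publickey for user from 192.0.2.10'

# summarize_drops: reads log lines on stdin and prints "SRC DPT count"
# for every dropped source/port pair, most frequent first. Lines without
# the LOG prefix (such as the sshd line above) are ignored.
summarize_drops() {
    awk '
    /INPUT-DROP:/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# dropped_sources: the distinct source addresses that were refused,
# i.e. peers that are not on the allowlist (or an allowed peer whose
# rule is wrong, which is exactly what this check is for).
dropped_sources() {
    summarize_drops | awk '{print $1}' | sort -u
}

# Run as a script: summarise the embedded sample. On a real host, pipe
# the kernel log in instead: grep 'INPUT-DROP:' /var/log/messages | ...
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

If an address that should be allowed shows up in this list with DPT inside the client's port range, the accept rule for it is missing or sits after the DROP; if nothing unexpected shows up, the allowlist is doing what Reply #3 describes.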
TommyD
« Reply #7 on: 07-01-2006, 06:45:04 »

Quote
And besides, this doesn't have to work because the tracker isn't forced to give you the IP and port of your friend...

So how can I block other clients then?

I really don't know how to solve this... When a client from outside is not giving me his or her IP address I don't know how I can block a client... I read about this module (http://sourceforge.net/projects/iptables-p2p) but there are no examples of what I want...

Is there someone who knows a solution for this problem?
« Last Edit: 07-01-2006, 07:11:53 by TommyD »
xous
« Reply #8 on: 08-06-2006, 21:23:29 »

After reading through the entire thread I am still unsure of what you are trying to do.

Are you trying to block people from accessing TorrentFlux or block other BitTorrent clients from connecting to TorrentFlux? Both?

Are you trying to force everyone in your network to use TorrentFlux rather than their own torrent client?


Quote
And that '-d <ip>' is because I have 2 IPs on one eth0... When ip1 is hanging because of a fault in the firewall I can use the second...

IPs do not "hang".

Quote
I really don't know how to solve this... When a client from outside is not giving me his or her IP address I don't know how I can block a client...

In order for data to be exchanged over the internet, each endpoint MUST know the other's IP address (excluding spoofing).