[clue-tech] port access protocol restriction?

Jim Ockers ockers at ockers.net
Wed May 11 15:18:41 MDT 2005


Hi everyone,

Does anyone know how, using Linux of course, to restrict traffic
that passes through a Linux NAT router/firewall by protocol?

Suppose I have the following rule in place because I want to
allow the IMAP2 protocol and nothing else, and I specifically
want to deny web access.

iptables -t filter -A FORWARD -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT

However, someone who is clever and who has the assistance of
someone somewhere else on the 'net could set up a web server on port
143 like this:

http://niamey.ockers.net:143/

and by sending HTTP commands on port 143 they could get web access.
They could set up a proxy server on port 143 as well and allow
access to the entire Internet.

How can I make sure that only valid IMAP traffic passes through
port 143, and that there is no HTTP or HTTPS traffic?  (And there
should not be any SSL traffic at all since that's not the IMAPS
port.)

For example port 110 is POP3, so we'd expect commands like
USER, PASS, HEAD, RETR, QUIT, ...  We would NOT expect commands
like GET or POST, so maybe we could deny the packets if we see
the wrong protocol?  I'm not sure how though.

Yes I know they could set up a VPN that uses port 143 as well, or
do IP over DNS queries, etc. etc. etc.  We aren't trying to restrict
people who are more clever (or have more time to hack on it) than
us.  I'm just wondering what the options are.

Thanks,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/



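One way to approach the "deny the packets if we see the wrong protocol" idea, as an added example that is not part of the original post or of any reply on the list: a small first-payload classifier of the kind a transparent proxy or userspace inspector sitting behind the FORWARD rule could apply. It assumes a hypothetical policy table (port 143 may carry only IMAP, port 110 only POP3), looks at the first client bytes of each connection, and rejects anything that is recognisably HTTP (including proxy-style CONNECT requests), a TLS handshake, or SSH, or that does not even parse as a mail-protocol command line. Sample payloads are constructed. Caveat for anyone adapting it: if clients are allowed to use STARTTLS on port 143, the stream legitimately becomes TLS after the STARTTLS command, so a stateful inspector has to stop checking at that point; this example only looks at the first command line.

```python
"""Added example, not code from the original post: first-payload protocol
checks for ports that are supposed to carry only IMAP (143) or POP3 (110).
All sample payloads below are constructed for the demonstration."""
import re
from typing import Optional

# Port -> protocol the (hypothetical) filter policy allows on that port.
EXPECTED = {143: "imap", 110: "pop3"}

# Request-line prefixes that identify an HTTP client, including proxy use.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")

# IMAP (RFC 3501): "<tag> <COMMAND> [args]\r\n"; tag alphanumeric, command letters only.
IMAP_CMD = re.compile(rb"^[A-Za-z0-9]+ [A-Za-z]+(?: [^\r\n]*)?\r\n")
# POP3 (RFC 1939): "<COMMAND> [args]\r\n" with a three- or four-letter command.
POP3_CMD = re.compile(rb"^[A-Za-z]{3,4}(?: [^\r\n]*)?\r\n")


def detect_foreign(payload: bytes) -> Optional[str]:
    """Name a non-mail protocol recognised from the first client bytes, else None."""
    # TLS record header: ContentType 0x16 (handshake), version major byte 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return None


def conforms(payload: bytes, proto: str) -> bool:
    """True if the first client line is grammatically a command of `proto`."""
    if proto == "imap":
        return IMAP_CMD.match(payload) is not None
    if proto == "pop3":
        return POP3_CMD.match(payload) is not None
    raise ValueError("unknown protocol: %r" % proto)


def decide(port: int, payload: bytes) -> str:
    """Verdict for the first client payload seen on `port`:
    'accept', 'pending' (no complete command line yet) or 'drop:<reason>'."""
    proto = EXPECTED.get(port)
    if proto is None:
        return "drop:port-not-allowed"
    foreign = detect_foreign(payload)
    if foreign is not None:
        return "drop:%s-on-%d" % (foreign, port)
    if b"\r\n" not in payload:
        # Mail clients send one CRLF-terminated command line; buffer until it
        # is complete, but give up if nothing line-like arrives within 512 bytes.
        return "pending" if len(payload) < 512 else "drop:no-command-line"
    if not conforms(payload, proto):
        return "drop:not-" + proto
    # Note: an IMAP "STARTTLS" here means the rest of the stream is TLS by design.
    return "accept"


if __name__ == "__main__":
    samples = [  # constructed first-client-payload samples
        (143, b"a001 LOGIN jim secret\r\n"),
        (143, b"GET / HTTP/1.1\r\nHost: niamey.ockers.net:143\r\n\r\n"),
        (143, b"CONNECT www.example.com:443 HTTP/1.0\r\n\r\n"),
        (143, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
        (110, b"USER jim\r\n"),
        (110, b"a001 LOGIN jim secret\r\n"),
        (143, b"a001 LO"),
        (80, b"GET / HTTP/1.1\r\n"),
    ]
    for port, payload in samples:
        print("%3d %-42r -> %s" % (port, payload[:30], decide(port, payload)))
```

The check is deliberately limited to the first command line: that is where HTTP, TLS and SSH are unmistakable, and it is the only point at which a mail session is guaranteed to be in the clear. A coarser version of the same idea can be expressed directly in iptables with the string match (`-m string --algo bm --string "GET "` and similar on `--dport 143`, followed by a DROP), at the cost of matching those bytes anywhere in a packet rather than only at the start of the session.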