[clue-tech] port access protocol restriction?

Ballon, Mike Mike.Ballon at echostar.com
Wed May 11 16:48:24 MDT 2005


I've never seen nor used it... but I've heard netfilter with pattern files is
supposed to.

-----Original Message-----
From: clue-tech-bounces at clue.denver.co.us
[mailto:clue-tech-bounces at clue.denver.co.us] On Behalf Of ockers at ockers.net
Sent: Wednesday, May 11, 2005 3:19 PM
To: clue-tech at clue.denver.co.us
Subject: [clue-tech] port access protocol restriction?


Hi everyone,

Does anyone know how, using Linux of course, to restrict traffic that passes
through a Linux NAT router/firewall by protocol?

Suppose I have the following rule in place because I want to allow the IMAP2
protocol and nothing else, and I specifically want to deny web access.

iptables -t filter -A FORWARD -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT

However, someone who is clever and who has the assistance of someone
somewhere else on the 'net could set up a web server on port 143 like this:

http://niamey.ockers.net:143/

and by sending HTTP commands on port 143 they could get web access. They
could set up a proxy server on port 143 as well and allow access to the
entire Internet.

How can I make sure that only valid IMAP traffic passes through port 143,
and that there is no HTTP or HTTPS traffic?  (And there should not be any
SSL traffic at all since that's not the IMAPS port.)

For example port 110 is POP3, so we'd expect commands like USER, PASS, HEAD,
RETR, QUIT, ...  We would NOT expect commands like GET or POST, so maybe we
could deny the packets if we see the wrong protocol?  I'm not sure how
though.

Yes I know they could set up a VPN that uses port 143 as well, or do IP over
DNS queries, etc. etc. etc.  We aren't trying to restrict people who are
more clever (or have more time to hack on it) than us.  I'm just wondering
what the options are.

Thanks,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/
_______________________________________________
CLUE-tech mailing list
CLUE-tech at clue.denver.co.us
http://clue.denver.co.us/mailman/listinfo/clue-tech
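The per-protocol check Jim sketches (expect IMAP commands on port 143, refuse HTTP methods and SSL) written out as user-space classification logic; this is an added example, not code from the thread, and the payloads are constructed samples. A real deployment would feed it packets via an NFQUEUE target or would encode the same patterns with the netfilter string match Mike alludes to; the block only shows the decision.

```python
import re

# Constructed sample payloads: the first bytes a client sends on port 143.
SAMPLES = {
    "imap_login": b"a001 LOGIN jim secret\r\n",
    "imap_caps": b"A1 CAPABILITY\r\n",
    "http_get": b"GET / HTTP/1.1\r\nHost: niamey.ockers.net:143\r\n\r\n",
    "http_connect": b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n",  # proxy on 143
    "tls_hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",       # SSL on 143
    "garbage": b"\x00\xff\x13\x37",
}

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"TRACE")

# RFC 3501: a client command line is "<tag> SP <command> ...", where the tag is a
# short ASCII token. The command list here covers the common IMAP4rev1 commands.
IMAP_CMD_RE = re.compile(
    rb"^[A-Za-z0-9.-]{1,32} (?:LOGIN|AUTHENTICATE|CAPABILITY|NOOP|STARTTLS|LOGOUT|"
    rb"SELECT|EXAMINE|LIST|LSUB|FETCH|STORE|SEARCH|STATUS|CREATE|DELETE|RENAME|"
    rb"SUBSCRIBE|UNSUBSCRIBE|APPEND|CHECK|CLOSE|EXPUNGE|COPY|UID|IDLE|ID|"
    rb"NAMESPACE|ENABLE)\b",
    re.IGNORECASE,
)


def classify_client_data(payload: bytes) -> str:
    """Return 'imap', 'http', 'tls' or 'unknown' for the first client bytes of a flow."""
    # TLS record header: content type 0x16 (handshake), version 3.x.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    first_line = payload.split(b"\r\n", 1)[0]
    # HTTP is checked first: "DELETE" is both an HTTP method and an IMAP command,
    # but only the HTTP form has it as the first token followed by " HTTP/".
    if any(first_line.startswith(m + b" ") for m in HTTP_METHODS) and b" HTTP/" in first_line:
        return "http"
    if IMAP_CMD_RE.match(first_line):
        return "imap"
    return "unknown"


def verdict(payload: bytes) -> str:
    """Policy for port 143 from the thread: only what looks like IMAP gets through."""
    return "ACCEPT" if classify_client_data(payload) == "imap" else "DROP"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13s} -> {classify_client_data(data):7s} {verdict(data)}")
```

Because an IMAP server greets first, a client that sends data before receiving any server bytes is a further sign the port is carrying something else. This check only looks at the first client line, so a flow that opens with a legitimate IMAP command can still tunnel later; that is the limit Jim already acknowledges.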



More information about the clue-tech mailing list