
[wlug] iptables question

DrWho? x_files_@i...
Tue Apr 27 09:56:47 NZST 2004


At 09:10 27/04/2004, you wrote:


> >> > > Forward outgoing connections to port 80 through Squid (known
> >> > > as Transparent Proxying) and then get Squid to block access to the
> >> > > sites that you require.
> >> >
> >> > Thanks, will that work for incoming connections as well? and
> >> > will it stealth the connection? idea is to silence the port
> >> > scanning kiddies.
> >>
> >>Well, you can put the proxy in place of the webserver, and proxy
> >>to a backend webserver that never communicates with anyone except via
> >> the proxy -- which is called reverse proxying --, and then
> >>you could filter incoming connections this way.
> >>
> >>But no, obviously neither of these will "stealth" the ports.
> >
> > I was thinking of something like that, but the non-stealthing is a down
> > side.
> >
> > The idea is to save the DSL cap from being blown by un-needed offshore
> > connections.
> >
> > It looks like some serious coding is in order for an iptables extension.
> >
> > The shame of it all is I can do just what I want in windows using the
> > Kerio firewall, but cannot find anything for Linux that will do it.
>
>You are doing things the most illogical and stupid way. You can't rely on
>DNS, the only fact you can rely on (mostly) is the IP at the other end..
>
>What you do want to do is drop/deny all non nz ip ranges, allow only nz
>ipranges.. and this still may not save your adsl quota from people who
>want to keep poking international data down your adsl to be dropped on the
>floor.
>
>I have had my system setup with a national and international routing
>system.. its not easy.. and not 100%..
>
>Most of the people that want this system are stupid kiddies who want to
>use p2p apps all month or run their own file trading system with only
>their unlimited national adsl connection.
>Is this you?
>

No, I wish to use it for an Apache server to look up booking details for a 
local club's annual event from MySQL.

As I said at the start I was not too concerned about how good the solution 
was, so if it drops someone from NZ who did not have a .nz at the end of a 
DNS record, so what.

Also it does not have to be a commercial or production grade solution 
either so if it takes 5 seconds to figure out if the traffic is valid then 
I don't care.



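The allow-by-IP-range approach suggested in the quoted reply (allow NZ ranges to the web port, drop everything else, and never decide on DNS names), as an added example that is not from the list thread: it parses a constructed sample in the APNIC delegated-statistics format (the real file is published by APNIC), summarises the NZ IPv4 allocations into CIDR blocks, renders ipset/iptables rules, and includes a helper to check what those rules would do with a given source address. The sample allocations, the set name nz_allow and the field layout are assumptions of this example.

```python
import ipaddress

# Constructed sample in the APNIC delegated-statistics layout assumed here:
# registry|cc|type|start|count|date|status. Ranges are documentation
# prefixes, not real NZ allocations; a real deployment reads APNIC's file.
SAMPLE_DELEGATIONS = """\
2|apnic|20040427|3|19830101|20040426|+1000
apnic|NZ|ipv4|192.0.2.0|256|19990101|allocated
apnic|NZ|ipv4|198.51.100.0|768|20000101|allocated
apnic|AU|ipv4|203.0.113.0|256|19980101|allocated
apnic|NZ|ipv6|2001:db8::|32|20010101|allocated
apnic|NZ|asn|64496|1|19950101|allocated
"""

def country_ipv4_networks(text, cc="NZ"):
    """Return the IPv4 CIDR blocks delegated to country code cc.
    The count field is a number of addresses and need not be a power of
    two, so each range is summarised into one or more CIDR blocks."""
    nets = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 5 or fields[1] != cc or fields[2] != "ipv4":
            continue  # header/summary lines, other countries, v6, ASNs
        start = ipaddress.IPv4Address(fields[3])
        end = start + (int(fields[4]) - 1)
        nets.extend(ipaddress.summarize_address_range(start, end))
    return nets

def render_rules(nets, port=80, setname="nz_allow"):
    """Render an ipset + iptables script: accept the listed ranges to the
    web port and drop every other source for that port. Other ports are
    left untouched so the rest of the host's policy is unaffected."""
    lines = [f"ipset create {setname} hash:net -exist",
             f"ipset flush {setname}"]
    lines += [f"ipset add {setname} {n}" for n in nets]
    lines += [f"iptables -A INPUT -p tcp --dport {port} -m set "
              f"--match-set {setname} src -j ACCEPT",
              f"iptables -A INPUT -p tcp --dport {port} -j DROP"]
    return "\n".join(lines)

def verdict(ip, nets):
    """What the rendered rules do with a packet from ip to the web port."""
    addr = ipaddress.ip_address(ip)
    return "ACCEPT" if any(addr in n for n in nets) else "DROP"

if __name__ == "__main__":
    nets = country_ipv4_networks(SAMPLE_DELEGATIONS)
    print(render_rules(nets))
    for ip in ("192.0.2.7", "198.51.102.250", "198.51.103.1", "203.0.113.9"):
        print(ip, verdict(ip, nets))
```

As the reply notes, dropped packets still traverse the DSL link, so this limits what the Apache server answers, not what arrives on the line.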

