Comments:
<0> what do i need to do to prevent nmaps?
<1> do you need to have any open ports?
<0> just 2
<0> http and ssh
<1> both of those are scanned by worms, and would be one of the things that are tried before an nmap
<1> I do have a script to block a portscan - http://daniel.6dns.org/info/iptables/#recent
<0> i know, but i still wanna prevent nmaps, hope i'm not being rude to you ;)
<1> I'm just warning you that it won't stop everything
<0> i understand
<0> hmm
<1> you'd just replace the --dport 12345 with 2 rules for 22 and 80 (or one multiport rule)
<2> nice web page, nice shirt
<1> thanks ;)
<3> not to be a turd or anything, but your sisters are gonna be mighty good looking when they get older
<4> i want to configure encryption on the link between 2 routers
<4> in fact i have a central router with many smaller router satellites in a star setup
<4> i would like to encrypt the traffic between the satellites and the central router
<4> what can i use for this?
<5> Not iptables :)
<6> ipsec
<4> memic, know where i could get some docs on peer to peer ipsec tunnel?
<6> which hardware do u have on both sides?
<6> which oses?
<6> running linux? try http://www.ipsec-howto.org/t1.html and use google
<4> both are linux (gentoo)
<6> use openswan
<6> gtk
<6> cya
<7> anyone see why iptables should complain that the chain name does not exist for these 2 lines: http://pastebin.com/577999
<8> hi
<8> is it possible to set a range of ports (like 2000:3000) with iptables 1.2.9?
<5> man iptables
<5> /multiport
<8> according to man it is, but i get an error when i try it...
<8> oh no
<8> i was looking at the wrong man
<8> so it isn't according to it ;/
<9> hi :). I have a question regarding -m owner. Can I filter all groups a user belongs to? not just primary?
<9> I'd like only users with a special gid to be able to get outside
<10> filip, I doubt it. Did you try? These are all shell users on the iptables machine, correct?
<11> filip: you could just get really fancy with your rules, making use of userchains and -j RETURN
<11> sadly enough, it will be a sudo way, because it will require use of primary group and updating
<11> although this wouldn't be hard to script at all with the help of maybe a script on creation of account it adds the correct entry to the firewall
<10> I guess that these users are in some other group as primary, so the -j RETURN rules would have to be --uid-owner.
<9> rob0: i found this owner-supgids patch, but it won't apply on 2.6.15, changes are rather significant
<9> hard__ware: userchains?
<12> hi there, i have a ruleset for filtering pings, but the host responds Destination Port Unreachable instead of host .... is there a manner to have a host not found answer instead of port not found? thanx a lot
<10> What he means is you add a chain (-N) and put rules in there. A --uid-owner X -j RETURN for each user you're allowing out, and a -j REJECT at the end.
<10> Then you jump to that chain from OUTPUT.
<9> hmm
<9> the thing is that those people have an LDAP user management system
<9> so they just tick a checkbox for internet group for a specific user
<9> and this is elegant :)
<9> messing with rules would get dirty
<10> So you're not talking about local shell users on the firewall, are you?
<10> If not, -m owner won't work for you at all.
<13> I want to log all traffic in OUTPUT routing to the internet. I have several internal networks (192.168/16, 10.1/16, 172.168.0/24).
<13> iptables -I OUTPUT -s 192.168/16 -s 10.1/16 etc... won't work because you can't use -s multiple times.
<13> Since there are several networks, I can't use network ranges...
<13> Is there a clean way to do what I am trying in one line?
<1> no; just ACCEPT the local networks first, then log the rest
<14> onweald_tim: how about -i
<13> btw I created a chain for logging internet traffic and want to route to it.
<13> trappist: -i won't work on OUTPUT, right?
<13> danieldg: The problem is I am inserting a bunch of log chains in front of all traffic. I would prefer a nice clean method like multiport. But, this may not exist.
<13> :-(
<1> maybe ipset, but that seems like overkill
<14> oh, forgot about that
<13> I haven't heard of ipset.
<13> It isn't in the iptables tutorial. Is this new?
<1> ipset.netfilter.org
<13> *reading*
<13> danieldg: ipset is overkill but pretty cool. I'll save it in my bag of tricks for later. :-)
<13> Thanks for the info. I guess I have to work around with multiple filters.
<1> yw
<13> I'd appreciate a double check on my understanding of iptables and routing...
<13> I have two bridges (br-dmz, br-apps) and I want a ping to go through br-apps to the internet.
<13> I can see the packet heading out on my bridge PC's eth0 through logging on POSTROUTING but nothing comes back.
<13> My assumption is that the response won't route since the source ping IP is on a private network (10.1.0.0).
<13> Therefore, I believe I need to use SNAT for anything on 10.1.0.0 headed out eth0.
<13> Question: Once I SNAT the outbound ping, do I have to use DNAT to get the response routed?
<3> no
<14> if you use MASQUERADE instead of SNAT it should be done for you
<13> I understood MASQUERADE shouldn't be used unless you have a dynamic address. (dialup, etc.)
<1> even just using SNAT, the IPs of return packets are corrected
<3> all i ever used was -A POSTROUTING -o eth1 -j SNAT --to-source xx.yy.zz.qq
<1> is eth0 part of a bridge?
<13> Excuse my lack of knowledge (I'm trying to address that now :-) ) but icmp is a stateless protocol. SNAT/DNAT assume you have a connection. So SNAT/DNAT wouldn't work, right?
<13> danialdg: eth0 is part of the bridge. It has no ip address.
<1> conntrack sets up an entry for ICMP anyway
<1> -o eth0 won't work if eth0 is part of a bridge, use -o br_if_name
<13> Hmmm... So once I SNAT the ping request, conntrack knows about it and handles the response to my internal address based on the ID?
<1> yes. Look in /proc/net/ip_conntrack
<13> *absorbing...*
<13> So -A POSTROUTING -o br-dmz -s 10.1.0.0/16 -j SNAT --to-source $PUBLIC_IP ???
<1> yes, I think that will work
<13> We'll know soon. :-)
<13> That rocks! Thanks guys.
<15> I'm adding an openwrt router/firewall behind my dsl modem/firewall (disabling the firewall/nat portion of the modem) and am having some trouble wrapping my brain around the iptables rules that are currently in place (on the dsl modem).
<15> the first rule in the filter table's INPUT chain is "DROP tcp -- anywhere anywhere tcp dpt:telnet", why does it allow telnet connections from inside?
<1> look at iptables -vL
<1> it's probably filtering by interface
<15> yp, thx
<15> yup
<15> every year or two I go thru this masochistic phase where I have to screw with my firewall, and I have to remember how all this works.
<15> first ipfwadm, then ipchains, ...
<16> c/
<13> Name resolution isn't working from behind br-apps. resolv.conf looks right. I can ping the nameserver so it can reach it.
<13> I put a LOG in FORWARD and POSTROUTING and don't see anything going by.
<13> Does iptables default to -p tcp or something? Or is the packet not even reaching the bridge?
<1> you put the log before any DROP rules?
<13> Yes. I used -I
<13> Ahhh heck
<13> I think there may be a drop rule in PREROUTING that may kill it.
<1> don't drop anything in PREROUTING
<13> Crap. That was it.
<13> danieldg... so best practice is to drop in INPUT and FORWARD?
<1> yes, do packet filtering in the filter table
<13> Mmmmkay. I have to rethink my firewall.
<15> I seem to recall that ppp does some sort of bridging thing. My ppp0 interface has my external ip and my br0 my internal ip, but br0:0 also has my external ip.
<15> is there a reason for the existence of br0:0?
<1> using ifconfig instead of iproute to assign multiple IPs to an interface
<15> I guess my question is why does br0 need another IP, specifically the address of the external interface?
<1> I don't know, haven't used ppp
<15> I guess I'll stop worrying so much about how the existing firewall/modem works, and concentrate on making the new firewall work.
<15> If I am going to have multiple external addresses, is there anything special that needs to be done to ensure that SNAT addresses match up with DNAT'd requests?
<13> hculver: conntrack handles that for you.
<1> packets on any one connection are only SNAT and DNATed once
<13> danieldg: correct me if I am wrong...
<15> so, if a request comes in on 70.56.42.37:80 and is DNAT'd to 192.168.0.10 and another request comes in on 70.56.42.36:80 which is DNAT'd to 192.168.0.20:80, the responses will leave the firewall with the correct source addresses (37 and 36 respectively)?
<1> hculver: yes
<15> thx, sorry for my verbosity.
<17> re
<18> hi folx
<19> hello
<19> how can i open a port for psyBNC, irc port i mean
<19> for example 11923 ?
<19> i use darwin
<20> hi
<20> please may I ask one thing?
<20> I need to use a linux box as gateway for internet in a LAN where clients are all windows...
<20> then I need to filter windows clients: a few of the windows clients may connect to the internet and all the rest are filtered... How can I achieve this with iptables?
<1> just filter by IP or MAC, whichever is more convenient
<20> danieldg: may I filter with mac or user???
<1> not with user; MAC address or IP address
<20> danieldg: so client machines may be filtered only with IP or MAC, is there a way to do it with authentication like ISA???
<1> are you looking for something like http://www.nufw.org/ ?
<20> danieldg: ???
<20> danieldg: yes
<21> how could one write a rule to accept traffic both ways on tcp 1720 ?
<21> (need some sort of example to get me started)