Quotes DB: useful, funny, interesting

<0> On my box it's /etc/init.d/iptables status
<1> it says firewall is stopped?
<0> try /etc/init.d/iptables start
<1> i did
<1> then i started a script with a ton of iptables commands
<2> does anyone have experience with ebtables+iptables? i'm having some trouble getting packets to go where i want them to..
<1> and then i do service iptables status and it says stopped again...
<2> i've got a linux 'bridge' with three physical interfaces and one bridge if. br0 consists of eth0 (ext) and eth2 (int), and then eth1, which actually has an ip.
<3> p0ts: iptables-save(8) lists rules
<1> 10x
<3> <== has done a couple of bridges but no ebtables(8) filtering
<1> iptables-save(8)
<1> -bash: syntax error near unexpected token `8'
<2> i've set up a DNAT rule in the iptables nat prerouting table that should forward packets to a specific ip. based on the tcpdump output, the address is getting translated but i'm not sure what's happening to the packets after that.
<3> haha
<3> iptables-save
<1> that's better...
<3> (8) refers to the man page in section 8 of the manual :)
<1> :)))))))
<1> robo, can you help me figure out what i'm doing wrong with my firewall?
<3> I don't know yet. :)
<2> there's a great png of the ebtables/iptables traversal at http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png, but i'm still pretty ignorant about how this is (not) working.
<1> well if i gave you a hint as in what i'm trying to do, a look at my script with rules, and a look at the output from iptables-save
<3> edict: is CONFIG_BRIDGE_NETFILTER set?
<0> A hint? I love puzzles!
<3> edict: if so, your packets are hitting the iptables filter FORWARD chain.
<3> I have an early rule in FORWARD to ACCEPT from -i br0.
<2> rob0: thanks, i'll check it out now.
<1> ok... the idea is to forbid all ports except 21,80,110,25,443 for outgoing traffic. i would also like all 80 and 443 traffic to be redirected to port 8080 on the proxy (same box), and have some protection from the outside world... here is my firewall script... http://pastebin.com/536060 and here is the output from iptables-save: http://pastebin.com/536062
<1> as far as i can see, i can still use p2p, so there's something wrong with my rules?
<1> eth2 is the out interface, with ip of 10.0.0.1, eth0 in interface, 192.168.0.15
<2> rob0: i'm using the 2.4 series kernel. there's no CONFIG_BRIDGE_NETFILTER option but CONFIG_NETFILTER=y
<3> Ooooh! My new gigabit switch is delivered! Now if only I had a giganic to plug in ...
<3> hmmm, one of my bridges is on 2.4.32, checking .config ...
<2> rob0: there's also CONFIG_BRIDGE_NF_EBTABLES=y
<0> I almost bought a gigabit switch, then I realized the chance of me getting NICs/Boxen any time soon that would push that much was pretty slim.
<3> I have a new system with gigabit already ordered
<0> I liked you until now.
<3> :)
<3> The bad (good?) news is that it's in limbo because someone else paid for it and hasn't confirmed the shipping address.
<1> hazard, i thought you loved puzzles?
<0> I do.
<0> I just don't like rob0 anymore. :P
<0> And, considering I have to do the audit and get off work soon, I can't really give that firewall script the attention you need.
<1> point taken, i have to get out of here soon too:)
<0> With my limited iptables skill set, I would have to spend a substantial amount of time poring over it.
<1> wife & kid will disown me
<0> Is that good news or bad news?
<3> p0ts: are you thinking that your INPUT/OUTPUT rules will affect the MASQUERADE clients?
<0> p0ts: Ovie se za konekcii VON firewall (od mrezha kon nadvor) <--translation?
<1> there are connections going out the firewall
<1> rob0, i'm new to iptables, so, no idea?
<1> will they?
<0> p0ts: So I assume the other German line is the incoming?
<3> no
<1> it's not german, and yes, it's incoming:)
<3> the MASQUERADE clients hit the FORWARD chain only.
<1> hm...
<0> I was just about to ask you to excuse me. I noticed that it wasn't German too late.
<1> so basically all the rules apply for the firewall only?
<3> INPUT => packet is to a local IP
<3> OUTPUT => packet originated from a local process
<1> mmm, that wasn't in the manual:)
<1> back to the drawing board
<3> FORWARD => both origin and destination not local AND YES IT IS IN THE MANUAL :)
<1> not in the manual i read:)
<1> rob0, concept wise, is the whole thing solid?
<1> does it hold water?
<1> for what i'm trying to achieve?
<3> yes, it's a container for fire :)
<0> Or Magic Smoke(tm)
<1> ok then...
<1> tomorrow is a new day:)
<1> btw, does anyone know how to monitor in real time squid activity?
<0> One of my co-workers actually fell for "You saved the smoke right? It won't work again unless you saved the Magic Smoke."
<3> p0ts: maybe Sarah can look, I have a new switch to set up :)
<3> bbiab
<0> Enjoy
<0> Man, the potato salad the chef just made is awesome.
<1> Sarah, you in the mood to help out?
<2> rob0: some config issue on the bridge, http://jakeb.supportteam.net/rules.txt
<2> rob0: s/issue/info/
<4> p0ts, what's up?
<1> can you look at http://pastebin.com/536060 and see if theoretically the script is ok for securing my network?
<1> it has flaws, and generally doesn't work, but is the principle ok, or am i missing some ports / principles that i'm not protecting that i should be
<4> It looks fine to me
<4> Overly complex, but looks okay
<1> everything covered then?
<4> No
<4> Do you really need all those ports listed open?
<2> Sarah: do you have any experience with ebtables/iptables and bridging? i'm losing packets after DNAT.
<4> None with ebtables
<2> i'm not sure that ebtables is related to this. i've got 3 ifs, 2 of them are part of the transparent bridge, the third has an ip and is routeable. my question is whether it's possible to route dnat'd packets on the 3rd if, which actually goes through a switch and has to go back over the bridge. does that make sense?
<2> or maybe it would be easier just to route the dnat'd packets back to the ext if. i dunno. 3 ifs seems like overkill to me for something so conceptually simple.
<2> but then again, i can't get the dang thing to work, so my opinion is sorta moot. any advice or direction is much appreciated.
<3> edict: can machines using the bridge ping across it? Can the bridged machine ping out all the bridged physical interfaces?
<3> oic, it's not a bridge issue, it's same-subnet NAT, see /topic, "having NAT issues?"
<3> why not set up the DNAT on the router at 192.168.0.1 ?
<3> Bcast:63.255.255.255 ???
<3> BTW iptables -L is useless, iptables-save(8) is much better.
<3> <== enjoying the blinking lights on the new switch
<5> has anyone used ip_conntrack_tftp successfully?
<6> hi guys
<6> is it possible that using prerouting firewall rules could slow down my network traffic?
<6> it might just be dns though actually
<6> i just set up a new box, and i decided to mainly configure it with webmin to save some time..
<6> but the masquerading seems a bit slow at the moment..
<6> it was fine before i configured some firewall rules and the dns server
<7> it might be possible if you have a lot of rules or a very slow CPU
<6> well, it's a celeron 633.. and i only have a few rules..
<6> thing is.. in webmin, i have added a rule for forwarding, and also one for prerouting. with dnat as the target..
<6> is that wrong?
<7> dnat is usually for incoming traffic, is that what you wanted?
<6> uhm.. as in.. for each forwarded port there is one prerouting rule, and one forwarding rule..
<6> yes, it's for forwarding connections that come in from the net
<7> ah. then yes
<6> thought that was ok
<7> what kind of slowdown is it?
<6> well.. i'm coming to think that it might be the dns.. it seems that all connections take at least ten seconds before they start going..
<6> i have a fast connection, and it is usually instant..
<7> sounds more like DNS. try running host on a bunch of domains
<6> my desktop is using external dns though, which should be fast..
<7> try comparing from external to internal servers
<6> dig is effective here yes?
<7> yes
<6> my nameserver seems pretty fast actually
<6> firefox does spend a long time looking up names though..
<7> try names you haven't resolved before too
<6> 10 seconds..
<6> damn fast hehe...
<7> #dns may have more ideas. What happens when you try to look up an IPv6 record?
<6> but firefox is just spending ages.. and opera too
<6> links has no such problems...
<6> it's instant...
<6> but at least ten seconds of name resolving with gui browsers.
<6> maybe something to do with my localhost/hostname...
<7> try dig www.ipv6.org IN AAAA
<6> i did get a message about how it couldn't lookup my hostname when i logged in
<6> less than a second for that one hehe
<7> hmm
<7> make sure you're using the right IP and that the ports are open
<6> the dhcp server automatically gives out my server's ip... so it automatically sets /etc/resolv.conf..
<6> ah, actually..
<6> domain t0mb.net
<6> nameserver 192.168.0.254
<6> it's searching t0mb.net..
<6> my domain... it's on the dns server..
<6> bingo..
<6> back to having instant internet desktop wide :D
Return to #iptables