<0> use iptables.
<0> and block the site's IP
<1> psycho: thanks, what's the best way to block spyware, iptables or hosts.deny?
<0> is this iptables computer a firewall/gateway?
<0> for the rest of the network?
<1> psycho: standalone Linux box with firewall
<0> ah k
<0> gnubien - there is no spyware for Linux.
<0> iptables is the best way to protect your PC against attack from crackers.
<0> but that's about it
<1> psycho: not even JavaScript, Java spyware?
<0> you want an antivirus/antispyware to block spyware
<0> and a proxy to block certain websites
<0> gnubien - even if there was, it can't infect your machine if you don't browse the net as root.
<1> psycho: ok, thanks for the info
<0> np
<1> psycho: the major route of virus/spyware is email?
<0> gnubien - there are no viruses for Linux either.
<0> or at least, none that work without root.
<1> psycho: yea, I've heard that you have to make the virus files executable and then run them as root for any damage to occur
<0> yep
<0> you're worrying about nothing :-)
<1> psycho: so browsers are not vulnerable to spyware using Linux?
<0> if they are not running as user root, then no.
<1> psycho: cool, thanks for all the info
<0> np
<2> how do I forward port 4899 (radmin) requests to another IP address?
<3> you mean on a router to a NATed host?
<2> liata: host
<2> Debian Linux
<3> iptables --table nat --append PREROUTING -p tcp --dport 4899 -j DNAT --to 1.2.3.4:4899
<3> that would direct packets from the router to a host on your LAN, assuming it's NAT
<4> -A PREROUTING -p tcp -m tcp --dport 6697 -j DNAT --to-destination 192.168.0.3 and -A FORWARD -d 192.168.0.3 -p tcp -m tcp --dport 6697 -j ACCEPT look right to you?
<3> I don't think you need that FORWARD rule
<3> and you should supply a port to the --to-destination like 192.168.0.3:6697
<4> liata: My FORWARD chain is set to DROP.
<5> Actually spyware is possible on Linux; user-level privileges would be fine.
<4> liata: But besides aesthetics, is there something wrong there? I could have sworn these were the rules I used yesterday, and my friend was able to connect. Then I changed a couple and he couldn't, so I'm trying to get them back.
<5> it looks right.
<4> Damned.
<4> I was hoping I had it wrong.
<5> What's your IP, same as /whois?
<6> HAHAHAHA!
<6> Thanks rob0
<6> My dyndns client seems to have failed.
<5> trying the wrong IP, huh?
<5> yup
<5> I run my own dynamic DNS service.
<5> The others always had reliability issues.
<6> I haven't learned quite enough yet.
<6> I've had no problems with their service, only with my own.
<6> Ok, off for breakfast. Have a good day.
<5> ok bye
<0> rob0 - if the box was rebooted
<0> spyware couldn't auto reboot
<0> unless of course it was in crontab, which should be denied for users anyway
<5> it could put itself in a ~/.profile or similar.
<0> true
<5> Don't get me wrong, I am talking in theory only; for the time being I am pretty confident we are safe.
<0> yeah
<5> For the foreseeable future, too. The Windows userbase is a juicier target for malware.
<0> yep
<0> more market base
<7> MI
<8> hi all
<8> I want to access a Windows share from the Internet, how can I do it?
<8> I have a Linux-based router and firewall (Mandriva 2006)
<8> any ideas?
<9> payal: Do you mean you need the iptables rules necessary for making it able to share the files?
<8> yes
<8> sorry, was away
<8> any ideas?
<8> ?
<8> brb
<5> FWIW many ISPs block SMB/CIFS ports. In many cases it's not possible to access a Windows share through the Internet.
<9> rob0: I would be glad. I get flooded with SMB logs :-/
<5> hmmm, well the dialup ISPs I have used in the USA, and Comcast cable, do block SMB.
<5> We did have an amusing experience at a motel recently.
<5> /dev/wife runs Windows on a laptop which has always been behind my Linux firewalls. Not so at this motel.
<5> Within minutes of turning it on, she got her very first Winpopup spam. :)
<10> hey, is it correct that the state/conntrack match cannot be used within the OUTPUT chain?
<11> no, state works fine in OUTPUT
<10> maybe you can tell me what's wrong with "$IPTABLES -A OUPUT -o $EXT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
<11> lack of a T in OUTPUT?
<10> oh, damn
<6> Heh.
<12> I want to install iptables, and patch it in order to use the l7-filter and ipp2p patches
<12> what do you think is the best way?
<10> "$IPTABLES -A OUTPUT -o $EXT -p tcp --sport $P_HIGH --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m helper --helper ftp-21 -j web_ftp_owner" this rule does not match "ftp ftp.kernel.org" on the command line; the logs show that even the first SYN is blocked, and the iptables counter of that rule stays at 0. Any ideas? (hopefully no spelling error again)
<12> install a Linux distro, remove everything about iptables, and then get the sources (iptables and kernel), apply the patches, install iptables, and recompile the new kernel with the new options?
<13> I want to log only connection attempts to a TCP port with ULOG, not all packets, but I can't find how to do this... do I have to change the rule or ulogd.conf? I'm using iptables -A OUTPUT -p TCP --dport port -j ULOG
<5> You might try -m state --state NEW to only log the new connections. Perhaps --syn would work in a similar fashion.
<13> rob0: ok... I'll try it... thank you
<14> what does this mean:
<14> # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<14> iptables: No chain/target/match by that name
<14> I must be missing some state matching functionality in the kernel, I guess
<11> I think so. What kernel?
<14> vanilla 2.6.16-rc1
<11> oh. 2.6.16 is going through a redesign of the iptables interface
<11> what iptables binary?
<14> I know (:
<14> 1.3.4
<11> try 1.3.5
<14> hm, Gentoo doesn't have an ebuild for 1.3.4 yet
<14> s/1.3.4/1.3.5/
<11> it's on netfilter.org, but I'm not sure it will work. You might have to wait for iptables 1.4
<14> what's the kernel config token for packet state matching?
<11> in pre-2.6.16, it's CONFIG_IP_NF_MATCH_STATE
<11> I'm not sure it changed in 2.6.16
<14> it's in the Xtables config area
<14> NETFILTER_XT_MATCH_STATE
<14> this is good:
<14> # modprobe xt_state
<14> FATAL: Error inserting xt_state (/lib/modules/2.6.16-rc1/kernel/net/netfilter/xt_state.ko): Unknown symbol in module, or unknown parameter (see dmesg)
<14> (:
<11> #netfilter might know more, that's the development channel
<14> I'm going to reboot to see if it helps to be running the kernel I just built, since I have changed (added) a lot of modules
<14> danieldg: success. Rebooting into the new kernel did the trick
<3> rebooting always does tricks :P
<11> so the state module works with iptables 1.3.4?
<14> yup
<11> I might have to try 2.6.16 then
<11> have you noticed any problems with it?
<14> the way I understand it is that Harald redesigned {ip|ip6|arp}_tables to wrap x_tables functions
<14> http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=3235
<11> ok, I thought they might have done something like that
<14> danieldg: I haven't written but the simplest rule yet, and yeah, I _had_ problems (:
<11> ok, any _other_ problems ;)
<14> not yet. It tastes like the iptables I have always known.
<14> but if I do, I'll be asking here
<15> hello, with a rule like iptables -A FORWARD -j ACCEPT, does it accept every protocol? Because we seem to be having problems with NetBIOS (when trying to join a computer to a Windows domain, where the domain controller is on the other side of the router, it asks for a password but the join itself doesn't work)
<11> TimothyP: yes, it will accept everything
<15> that is so weird :(
<15> we're setting up 15 iptables servers :) one is playing up
<14> can you see anything relevant in tcpdump or another packet sniffer?
<15> don't know, it was getting so late, we went home. Just about to go to bed, but I still wanted to ask, just to be sure the rule without -p allows everything. Tomorrow we'll debug some more. Of course we're not gonna use a forward-all rule, but it was our last resort to test what was wrong
<16> Can I use a hostname configured in a DNS daemon on the local LAN to configure port forwarding instead of IPs?
<5> root________: I answered that last night
<16> rob0, it left the chatlog so I can't see the answer >,.,<
<16> rob0, sorry ^,.,^
<5> will pastebin, hang on
<16> tyvm :)
<5> http://pastebin.com/538972
<5> <== was up past bedtime
<16> as was I, so I didn't get it last night :P
<5> That was 3AM my time.
<16> Mmm
<16> you prolly answered just after I fell asleep :P
<16> >,.,<
<16> my OpenWrt box hath not LAN