<0> I see
<0> So, it only works with TCP?
<1> hard__ware is awesome.
<1> ;)
<2> no, --state works with all protocols
<0> Then why is it bad to use $INCHK with all of them?
<2> because think of the return packets when you go out to www.google.com
<2> they have sport=80, dport=12345
<2> they are ESTABLISHED state
<2> normally, a firewall will only filter the new connections, just accepting any current connections
<0> Okay, can you put a corrected version on pastebin so I understand?
<0> I would appreciate that
<2> http://pastebin.com/539486
<0> Oh, I see
<0> You want to automatically accept RELATED and ESTABLISHED
<0> You want to filter NEW
<0> Makes sense
<2> yes
<0> Woohoo!
<0> It works now!
<3> lol
<3> all good =)
<0> BRB.
<3> danieldg: that is the better way ... but since nickv111: has already tried to lock them down so tight .. i just followed suit
<2> hard__ware: I was looking at your firewall script, and I have some ideas for other things you could include - ssh brute-force prevention
<0> hard__ware: Well, I'm trying to have a mix of convenience and security
<0> Sweet. My firewall is blocking nmap, so it won't show the correct ports
<1> hi all
<1> ;)
<4> /c/c
<1> ?
<4> /c
<5> Hi! I'm having trouble using bittorrent from behind my router
<5> my client machine cannot access 6881:6889
<3> SkramX: you about ?
<5> why does forwarding a port to my laptop not work? I get a NAT error when testing the port on my lappy
<6> Hello, I want to block the entire 21.21.0.* class on UDP. Is this correct: iptables -I INPUT -p udp -s 21.21.0.* -j ACCEPT ?
<6> -j DROP
<6> :D sorry
<6> help ?
<7> tziku: What's the matter ?
<6> hello, how do I deactivate iptables ?
<6> to stop iptables...i added some settings and i want to deactivate all...
<8> iptables -P INPUT ACCEPT
<8> iptables -P OUTPUT ACCEPT
<8> iptables -P FORWARD ACCEPT
<8> iptables -X
<8> iptables -F
<8> should do the trick
<6> thx
<8> np
<3> for anyone interested in helping me build a MySQL / PHP IP Accounting package please /msg me in #hardwall or take a look at http://windy.zapto.org/iptables/ and /msg hard__ware =)
<9> guys, I'd like some help with an iptables rule
<9> I have a firewall configured so that it has eth0 for the internet, eth1 for the 192.168.0.0 network and eth2 for the 172.16.32.0 network, and the rules block everything... I opened ssh access from outside. fine. but when logged in on the firewall I want to be able to ssh into the linux machines on the 172.16.32.0 network, however it isn't working.... I'm using iptables -A OUTPUT -d 172.16.32.2 -p tcp --dport 22 -j ACCEPT but it doesn't work.. what is
<9> wrong ???
<2> english?
<9> danieldg, I have a firewall configured in a way that has eth0 for the internet, eth1 for the net 192.168.0.0 and eth2 for the net 172.16.32.0, and the rules are all blocked... I allowed ssh access externally. okay, but when I'm logged in on the firewall I want to access the linux computers of the net 172.16.32.0 via ssh, but it isn't working... I'm using iptables -A OUTPUT -d 172.16.32.2 -p tcp --dport 22 -j ACCEPT, but it isn't working... what
<9> is wrong??
<2> add an iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<2> I've got to go soon
<10> Another case of INPUT/OUTPUT v. FORWARD confusion ...
<11> hi
<11> how can I limit some port's bandwidth usage?
<12> good evening
<13> hello :)
<13> i have a strange problem .. i run iptables scripts and after 10 minutes there aren't any rules .. what could be the problem
<14> the script is not working
<13> when i run it they work
<15> you run iptables -F somewhere
<15> periodically
<13> huh
<13> is anyone using sshdfilter ?
<15> no
<1> hard__ware: i am installing mysql so i can test that script, thanks.
<13> hm .. the iptables become smaller and smaller ..
<1> wha?
<10> TheDarkSide: sounds like some cron job maybe.
<13> thanks :)
<10> I'd like to see something like sshdfilter integrated into sshd.
<13> http://www.csc.liv.ac.uk/~greg/sshdfilter/
<1> If I want to be able to connect to a mysql server, do I need to have mysql installed on the server connecting to the actual mysql db?
<10> Yes I found it already. I still think it would make sense for sshd to manage its own access rules, even if not interfacing with the firewall.
<15> SkramX: no
<15> but this is not #mysql
<1> i know :)
<1> No one is answering in there ;)
<1> welp, how do I get just the "mysql" bin/utils to be able to connect via CLI?
<15> what?
<15> mysql -u user -p --host="somehost"
<1> yeah
<1> like that
<1> so i need the mysql bin file(s)..
<13> http://pastebin.com/540398 is this a good rule for logging ?
<10> I don't do routine logging.
<13> i want to log if someone is flooding me ..
<10> You want your system to crash because of load? If I was being flooded I would know, and *then* I would do a log rule to find out who. And regardless, would probably end up calling the ISP to shut them off upstream.
<13> how will you understand ? ..
<10> understand what?
<13> who is flooding you :)
<13> or he just stops ..
<10> It doesn't really matter what I understand. It HAS to be stopped upstream. My ISP is so stupid, it doesn't matter what information I give them. They'll have to fix it.
<16> can someone tell me why this iptables statement doesn't affect traffic to the specified ip? - http://pastebin.com/540433 - all traffic goes through the default 1:20 queue..
<16> err http://pastebin.com/540548
<11> i'm not sure but is it CLASSIFIED
<10> LOL
<11> okay my english is very bad
<11> daam
<16> ha ha..
<10> paistis: it was a very good joke actually, too bad it was unintended. "CLASSIFIED" in gov't terms means "secret".
<16> :)
<16> besides the funny part, is there anything wrong with it?
<10> is the rule being hit? Packet counters being incremented as they should?
<16> nope
<11> :
<11> :)
<10> try a -d 192.168.1.70 -j LOG rule and look at what you get.
<16> but i was wondering.. when using the postrouting chain.. will it match the packet before or after it has been nat'ed?
<10> after nat
<16> okay..
<10> oh actually I am not sure
<10> It's after DNAT of course
<16> well, better safe than sorry :)
<16> how can i view the logged entries?
<10> dmesg | tail
<10> or look where your syslogd puts kern.* messages
<2> I think mangle POSTROUTING is before nat POSTROUTING
<16> that's true
<16> weee :)
<16> thx a lot
<16> was using the wrong output interface
<16> rob0, thanks for yer help - the log entries did help me a lot ;)
<10> I thought it might be something like that.
<1> weeeee
<14> weee
<1> or something like that