<0> NAT :)
<0> anyone dealt with tcp timeouts?
<1> New0rder: what about them? like changing the settings in /proc?
<2> TCP timeouts: "You go sit in the corner until you can behave, TCP!"
<0> this may be more of a routing than nat.... We have checkpoint firewalls here at work. I do not even have access to them.. They have it set so that after 60 minutes, it drops all idle connections
<2> oh
<0> So, having persistent connections from an app server in the DMZ to the DB server in the private network is difficult, if the site doesn't have activity during off hours.
<0> So, in the morning, the app server (apache, perl apache::dbi) just hangs.
<0> Apache/linux/DBI thinks the sockets are open, but at the firewall, they are not.
<0> The network guys tell me that they can't disable these timeouts on a per IP/port/mac address basis.
<2> I once had to work at a site with a 2wire homeportal router. It reset every TCP connection every 60 seconds!
<2> Hard to do anything through ssh that way.
<2> I fixed it by using openvpn with udp.
<3> Hello
<3> this is a really dumb question but
<3> I have a box set up to do some routing
<3> {10.10.1.1}-----{10.10.1.2|192.168.1.1}-----{192.168.1.2}
<3> this is all on an internal network
<3> now, my question
<3> can I straight out add a FORWARD rule from 192.168.1.2 to 10.10.1.1 and from 10.10.1.1 to 192.168.1.2
<3> and expect it to work
<3> or do I need to add a DNAT/SNAT pair to ports on the near side interface
<3> djwhitey: how are you at routing
<2> NFS. :(
<2> I have a user-mode Linux virtual machine that's going to be part of a virtual DMZ. I want to restrict the virtual DMZ from accessing the physical host.
<2> Unfortunately the one UML needs NFS on the physical host. And I'm not sure what to allow for that.
<4> hello, i have a weird question..
<4> which may prove human stupidity im just in a situation which i had to ask it
<4> ok, i found a solution now to ask :/
<2> Glad we could help.
<5> my roommate has learned about bit torrent... how can i block him?
<5> i control the router (linux box) but i dont know iptables too well
<1> accidentally cut the network cable :)
<5> i know his ip and i know the port he is using
<5> that will happen as soon as he goes to sleep :)
<5> hes on 10.10.0.21:50000
<1> oh, then just block that port, but he can switch ports pretty easily
<5> i need to block traffic to/from that
<5> he wont know how
<5> i think thats the default port on azureus
<5> but how do i block that?
<1> iptables -I FORWARD -d 10.10.0.21 -p tcp --dport 50000 -j REJECT
<5> oh
<5> nice
<5> thanks
<5> -I or -A?
<5> whats the difference?
<5> all my rules have -A in them
<1> -I inserts it at the top
<5> oh
<5> what does -A do?
<1> adds it to the end
<5> hmm
<5> i tried it on my client
<5> pointing to my ip
<5> and its still downloading
<5> nothing is connecting to it (its connecting to them)
<5> how do i block the outbound data?
<2> check the conntrack table and see what ports it's using
<5> ok
<5> how do i do that?
<2> your client: is it on the iptables machine, or elsewhere?
<5> elsewhere
<2> and you used its IP address in the -d argument?
<5> yes
<5> same port and i made a rule for udp too
<1> that rule will only block the *incoming* packets, not the outgoing connections
<1> try blocking port 6881
<2> conntrack table is somewhere in /proc, I can't remember.
<5> ahh /proc/net/ip_conntrack
<2> there it is
<5> damn
<5> its using sports all over the place
<1> yes, those are the remote ports. You could just block his IP altogether
<5> yeah
<5> i want to allow him www and aol
<5> that way he will just think his computer is broken and cant download
<2> You're a bofh :)
<5> ha
<1> hmm, AIM? try allowing only 5190, 443, and 80
<5> he wont know the difference and i dont want him downloading pirated software/movies/music on my cable account
<5> (my ip that is in my name)
<5> test
<5> i blocked it
<5> thats cool
<5> haha
<2> Meanie
<6> hmm
<6> i dont think it worked too well
<1> why not?
<6> i put these rules in
<6> -I FORWARD -d 10.10.0.2 -p tcp --dport 1:79 -j REJECT
<6> -I FORWARD -d 10.10.0.2 -p tcp --dport 81:442 -j REJECT
<6> -I FORWARD -d 10.10.0.2 -p tcp --dport 444:5189 -j REJECT
<6> -I FORWARD -d 10.10.0.2 -p tcp --dport 5191:6666 -j REJECT
<6> -I FORWARD -d 10.10.0.2 -p tcp --dport 6668:65535 -j REJECT
<6> i got disconnected from irc and the www wouldnt work
<1> well, that's not the right way to do it
<2> ok, that's not quite the :)
<5> oh
<1> you need to (1) allow outgoing connections to the allowed ports
<5> i should reject all and accept the ports i want
<1> (2) allow RELATED and ESTABLISHED
<1> (3) REJECT or DROP everything else
<5> ok
<2> http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-5.html (and maybe the ACCEPT rules in FORWARD before the DROP.)
<2> Do you know what you have to allow for NFS? Port 111, but there seem to be others too.
<7> http://howtos.rlworkman.net/NFS_Firewall_HOWTO
<1> no, haven't used NFS (they insist on using AFS here, which I haven't gotten working either)
<2> I have a DMZ'ed NFS client. I don't want other DMZ nodes to have access.
<2> Woohoo!
<7> rob0: that last part about lockd module options is important - lockd will bind to a random port and really fubar an otherwise good setup if you don't :)
<2> NFS ****s.
<7> yep
<7> see other channel :D
<4> hello all, after installing kernel 2.6.16, do i have to upgrade my iptables to a newer version?
<4> i wonder if this is necessary as the modules are changed from ipt_* to xt_*
<8> when was --dports 80:400 implemented? why does 2.6.9 not do that?
<9> RE
<10> hello all
<10> could somebody tell me any site that contains a good firewall using iptables ?
<11> Devilion: /topic
<10> uhm
<10> are there any sites that give a complete firewall with iptables ?
<10> i lost mine yesterday when the electricity went down suddenly
<11> Devilion: No firewall in the world suits everyone perfectly, so write your own.
<10> uhm ok..
<10> and 1 more problem
<10> i see a lot of requests to dns server from my server ?
<10> how to turn it off ?
<11> Where do you see it?
<10> it looks like it requests something but i don't know what it is
<10> iptra
<10> iptraf
<10> port 53
<11> Configure it properly
<10> UDP request
<10> configure what
<11> I don't know if this is a kind of parser which uses /var/log/syslog as input
<11> If it is so, you have to configure it properly or write your own parser
<12> Anybody know how to output the time with a LOG entry?
<2> Your syslogd should put a timestamp on every -j LOG hit.
<12> it is ending up in dmesg without a timestamp
<12> using metalogd
<2> I think dmesg(1) reads the kernel's log buffer directly. The syslogd has nothing to do with dmesg.
<2> There's the -m time module, did you mess with that?
<1> -m time doesn't do timestamps, it does rule on/off by time
<2> but would it add the time to a LOG?
<1> I doubt it
<1> never tried it either though