Comments:
<0> anyone here? <1> I have a firewall server and I want to allow HTTP traffic <1> I've managed to block everything so far <1> So it's just open port 80? <2> iptables -A INPUT -p tcp --dport 80 -j ACCEPT ? <2> But again you want to allow port 80 incoming or outgoing ? <1> what's the diff? I want to just surf the web <1> I suppose if I allow anything outgoing then it's ok <2> yes it's okay
<3> Hi! <3> a question, I have a DHCP server, how do I block network access to the computers that do not have an IP address my server gave? <4> how can I make something like this work: <4> #-A FORWARD -s 10.10.0.2 -p tcp -m tcp -j DROP <4> #-A FORWARD -s 10.10.0.2 -p tcp -m multiport --dport 53,80,222,443,5190,995,465,50000,2710 -j ACCEPT <4> I want to block everything except traffic to basic style ports <5> hi <5> FATAL: Module ip_tables not found. <5> iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?) <5> Perhaps iptables or your kernel needs to be upgraded. <5> :-O <5> wtf? <5> what do I need to include in the kernel to support iptables? <6> e1z0, you must see the topic <5> :-O <7> hello could someone help me with this rule: [friend's server somehost.com and some port 8888 (which will be redirected to my ssh)] -------ssh --- [my home server (codeplanet.org) ssh on port 84] || I would like to connect over ssh on box somehost.com:8888 which would redirect to my box codeplanet.org on port 84 so I could access my box. does anyone know what kind of rule there should be for this? <8> coder: on host somehost.com iptables -t nat -I PREROUTING -p tcp --dport 8888 -j DNAT --to codeplanet.org:84 ? <7> ok let me try <8> you can do that at application layer too, with ssh port-forwarding facility e.g. <8> does not require r00t privileges for redirecting >1024 ports, that's cool. <8> (just to mention it) <7> matth_ <7> moses@moses:~> ssh -p 8888 zazi.siska.org <7> doesn't want to connect to my box <8> (to enable anybody querying the 8888 be redirected to your ssh, you'll do stuff like user@somehost.com~$ ssh -g -NL8888:codeplanet.org:84 user@somehost.com) <8> coder: that rule does the deed but could be blocked by other rules in your conf, you gotta check that <7> so my firewall on codeplanet.org could block this ?
<8> oh, well too yes, I have no clue about your conf on both sides <7> I can put my fw online so you can see if there is a problem in my box <8> (and does not want to know :p) <7> w8 <7> oh :) <7> hehe <7> maybe you could just check <7> matth_ xs.codeplanet.org/rc.firewall (this is codeplanet.org firewall)
<9> GOOD MORNING. <9> oh drat. and I got my hopes up when I saw the topic. <7> matth_ found anything ? <9> but no that's just for simple nat. <9> any reason my SIP traffic would not be parsed by my SNAT rule ? <9> there is a snat that maps from a class C private network to an external ip <9> and it works fine except for the sip traffic <7> matth_ ? <6> is a stateful firewall needed to build a firewall? <5> kuki, I can't find <6> e1z0, I am Spanish, my English is very bad, but you can find information about the kernel modules to load at http://iptables-tutorial.frozentux.net/iptables-tutorial.html#KERNELSETUP <9> anyone else ever have weird problems with SNAT and SIP traffic ? <9> iptables: Unknown error 4294967295 <9> :D <10> I've heard SIP isn't the most NAT-friendly protocol ... but I've never NAT'ed it. <9> yeah. it definitely isn't. <9> it's weird though that it just wouldn't match though ? <9> well. <11> if I want to masq' packets from the inside lan to the outside all I need is 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' right? so what is the FORWARD chain for? why do I need a rule like 'iptables -A FORWARD -i eth0 -j ACCEPT' ? <10> Read the early part of "man iptables" about the tables. The "nat" table is for Network Address Translation, and the "filter" table (default when -t is not given) is for filtering. And ... <10> ... if the LAN interface is eth1, you'd want "iptables -A FORWARD -i eth1 -j ACCEPT", not -i eth0. <10> You should also restrict the MASQ rule with a -i eth1, as well. <11> I'm just wondering in general what is the purpose of the FORWARD policy as opposed to the MASQ action? <10> And I thought I answered that. Hmmm. <9> heh. <9> liran_: the nat table is for manipulating the packet itself and the filter is for your actual access control <10> (Although a lot of people and a lot of scripts you might download do try to do access control in the nat table ...) <9> :( <12> how can we limit the max tcp sessions per user on iptables?
<13> Bloated: -m connlimit --connlimit-above <number> <12> that will limit for all the users that are masquerading ? <10> You have to do the rest of the rule, of course. :) Woody's partial rule would match connections in excess of <number>. Perhaps you should review the part about connlimit in the man page. <14> I'm having a little trouble with my iptables ruleset <14> even when I explicitly drop packets from the services pop3/smtp/ftp <14> when I nmap the machine (from another computer on the internet) it still shows the ports as open <14> http://140.193.8.10/~xous/anubis.xml <10> My browser didn't know what to do with that. <14> hrm... I'll provide a text based one in a sec. <14> http://140.193.8.10/~xous/anubis.nmap.txt