<0> Hey guys
<0> If I have a bash loop
<0> And for every run through, I want to set a variable
<0> With name and a number
<0> Like VAR1 first round
<0> VAR2 next round etc
<0> Any idea on how to do that?
<0> I've been trying with setting a variable COUNT, and increase what it holds once per run through
<0> And then do VAR$COUNT=whatever
<1> Sarah: try #bash
<0> Good idea!
<2> Sarah: comp.unix.shell is good too - probably in the archives
<3> hi
<3> what is the option to show a source lan ip in packets sent or received using tcpdump?
<3> i once used a tcpdump from some linux distribution that had that option enabled by default
<3> so i think there is one
<3> i didn't find it in the manpage though
<4> anybody awake?
<4> i'm having trouble getting https working? i can access all other pages, but not https
<3> p0ts, maybe some proxy missing?
<4> http://www.pastebin.com/545722
<4> no i tried exiting directly, without the proxy, same result
<4> so it's not the proxy
<4> something to do with iptables i'm guessing?
<4> those are my iptables rules
<3> p0ts, dunno, if you want to find out if it is the reason, you could flush the iptables rules
<5> pastebin the iptables-save output, it's easier to read
<4> http://pastebin.com/545731
<5> I don't think you can do transparent proxying of https like that
<5> #
<5> -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
<5> sorry about the ##
<4> i think it doesn't work without it as well
<4> just a sec
<5> you're testing from a machine behind this firewall, right?
<4> ooh it works
<4> that was it...
<4> sorry boys, danieldg, you were right the first time...
<4> i guess it didn't like transparent proxying
<4> 10x again
<5> you can't transparently prox https
<5> *proxy
<4> well it was commented by default in the script... i guessed that you could:)
<4> have to go now, wasted enough time for today:)
<6> hi :)
<6> where can I find the most complete OS fingerprint database?
<7> not in here
<6> I mean - the description of the TCP/IP stack responses of the OS: Unix (most popular clones: BSD, Linux, Solaris), Windows (all SP)
<6> hm....maybe anyone knows
<3> zarathushtra, nmap must have it somewhere
<8> hi all, anybody advise on any real informative and helpful books to purchase for firewalls for a linux box using iptables?
<9> hi folx
<10> hey all.. this is quite a nooby question, but here it goes anyway. I'm trying to set up ntpd because my sysclock is drifting like a madman. I have the following rules:
<10> $IPTABLES -A INPUT -i ${EXTIF} -m state --state RELATED,ESTABLISHED -j ACCEPT
<10> and $IPTABLES -A INPUT -p TCP -i ! ${INTIF} -d 0/0 --dport 0:1023 -j DROP
<10> same with udp
<10> ok, ntp is port 123, so i opened those with $IPTABLES -A INPUT -p UDP --dport 123 -i $EXTIF -j ACCEPT , plus the same with udp
<10> running "ntpq -p" or anything else with ntpq, i get a timeout. if i remove the upmost iptables rule, it all works
<11> you have to put this line _before_ $IPTABLES -A INPUT -p TCP -i ! ${INTIF} -d 0/0 --dport 0:1023 -j DROP
<10> thanks for the suggestion mage, however, it didn't change anything
<10> heh. could i be blocking local connections?
<12> ntp outbound requires both udp src and dst port to be 123
<12> for client queries that is, like ntpdate
<10> ntpdate works fine.. it's just ntpd that doesn't
<12> =P Client
<10> well it seems to work now
<12> ok ,, good stuff =)
<10> i had for some reason blocked -i lo, which made it not work at all
<12> ah ... hehe
<10> :)
<10> this is only a temporary solution though.. my sysclock is drifting like 10 minutes an hour
<12> -i lo -j ACCEPT , is generally a very good idea =)
<10> must be some kernel issue
<12> dang ... timeshifting properties maybe ?
<12> =P
<10> hard__ware: you mean like adjtime?
<12> Ja, it is possible kernel has a timer / timing issue
<12> lol , nah was just joking around, like time travel =P
<10> hehe ok :D
<10> i'm not really into the scifi scene, could explain my ignorance :)
<7> mogguh
<13> hello all
<13> any idea how to use the netfilter hashlimit module in iptables ?
<14> Hi, When designing databases, one can use ERD, when designing software we can use UML, is there something similar for firewalls, in order to graphically represent firewall rules?
<11> vim :p
<14> lol
<14> :)
<14> that's what I use to write it :)
<14> but I need to put it in a schema
<14> :)
<15> How do I define an ip range (from - to) for --dst-range
<15> I tried 10.0.0.60-10.0.0.70 and also 10.0.0.60:10.0.0.70 and it does not work
<16> --dst-range ip-ip according to TFM. Maybe you don't have the iprange match extension? What error?
<15> I think maybe I did something else wrong, just a sec
<15> ok my bad
<2> Seems like I remember reading something about iprange being broken in some kernels, but maybe not
<15> i'm running 2.6.8 on that specific box
<15> not very good, I know...
<15> will upgrade it soon
<16> what especially is wrong about 2.6.8 ? 2.6 in general hasn't really stabilized, but much of the instability came after 2.6.8. :)
<15> I see ;-)
<15> specifically just the ACPI and APM support for my specific hardware
<17> is it possible to limit bandwidth usage on each port?
<16> oh, then that makes sense to upgrade.
<15> On my other boxes I run 2.6.11 and APM/ACPI are perfect and I can monitor temperatures and fan speeds
<17> :)
<16> It just sounded like you were upgrading for no real reason. I don't do that.
<15> I never do that as well
<16> (On *most* machines that is :) )
<15> that would be looking for trouble
<16> sometimes trouble is fun ;)
<15> ;-)
<15> not on a production box!! :)
<17> but is it possible to limit how much bandwidth each protocol or port uses
<16> paistis, I think I have seen that explained at lartc.org. I don't do it.
<17> okay
<17> thanks :)
<18> Hi I want to block a source IP for 5 minutes, is ipt_recent the right choice for me?
<5> it is a choice that will work
<5> if you wanted to patch the kernel, there is a -m expire match in patch-o-matic
<5> but if you're blocking many IPs, recent will be more efficient because it uses a hashtable to store the entries
<18> Hi danieldg we were talking yesterday
<18> thanks, but it seems that ipt_recent isn't doing what I want hehehe
<18> example
<18> I create a ipt_recent table: iptables -D INPUT -m recent --update --name SPAM --seconds 60 -j DROP
<18> and I put a specific IP within SPAM: iptables -A INPUT -p tcp -s 69.60.111.102 --dport 25 -m recent --name SPAM --set -j DROP
<18> but 69.60.111.102 is blocked forever
<18> even after 60 seconds it can't connect again
<18> iptables -A of course
<2> Cae2: you're --set'ing the entry in a table and dropping the packet, then telling it to keep dropping it for 60 more seconds, then afterward, the next connection --set's it again
<2> If you want to accept the first connection, then change your second rule to -j ACCEPT
<18> makes sense, I will try
<2> Cae2: and the --update in the first rule will require 60 *continuous* seconds with no new connection attempts before new ones will be accepted again
<18> if it tries to connect in 59 seconds, the timer resets and it must wait another entire 60 seconds?
<2> yep
<18> hmmm must change to 15 seconds
<5> you can use --rcheck to make it 60 seconds then allow again
<5> --rcheck instead of --update, that is
<18> damn I'm thinking something...
<2> danieldg: I didn't get a chance to play around with your irc_conntrack module patch; I'll get to it this weekend hopefully -- I had a paper due in class tonight
<18> I'm trying to connect via telnet to my server, the connection opens but there is a LAG of 60 seconds, this is because I'm already included in ipt_recent right?
<5> Cae2: accept ESTABLISHED connections before this rule
<2> That rule specifies only port 25 - shouldn't affect telnet
<2> but danieldg is still correct about ESTABLISHED first
<18> telnet on port 25 ;)
<2> oh
<18> hehehe
<18> accepting ESTABLISHED will permit my current session right? if I try again before 60 seconds I will be dropped
Channel: #iptables