<0> howdy
<0> anyone here?
<1> yes
<0> hello daniel you know of any mangle tables that allow you to change the source or destination ip address without trying to change that of the whole connection (like dnat/snat does)
<1> no. I'd try to do that with libipq
<0> thanks
<0> COOOL
<0> Thanks danieldg
<0> that is the most helpful response i have ever had regarding iptables
<1> glad I could help then :)
<0> pfft never mind help you made my day!
<2> mogguh
<3> Hi, we're debugging some problems with our firewall, it currently has 4 ports, but we're not sure it can handle the traffic. Does everything that goes through the iptables router go over the loopback interface or not?
<3> is iptables capable of processing 3.2 gigabits per second (bursts)?
<4> TimothyP: no
<4> as for the latter question, yes
<4> TimothyP: but that all depends on just what you are doing
<3> we're using HP Proliant 360ML servers, to connect 4 networks
<4> doing a lot of NAT / SNAT ?
<3> no SNAT/DNAT
<3> all snat and dnat features have been moved out to another IPTables server
<4> how about Conntrack ?
<3> we set up a mac filter, and everything seems to be working fine, except for printing over the network between different subnets, traffic over port 9100, for some reason it loses the mac address there
<3> if we accept port 9100 without mac filter, it works fine
<4> ah, i had the same issue
<3> really ?
<4> with my server at work that is on 2 wans + 2 lans
<3> the windows servers have 2 gigabit cards which run in load balancing, perhaps that's why it can't figure out the mac ?
<4> i had to make a bunch of rules to accept it via Unicast but to 224.0.0.0/8
<4> TimothyP: spot on
<5> i am using rp-pppoe. now i have set up the connection timeout to 3 minutes. but the connection never goes down because of traffic noise on the line. is there a way i can stop counting those invalid packets and bring the connection download at the right time. i found a solution in freebsd to use ppp's own firewall to accomplish this
<4> TimothyP: my major problem ended up being an old MAC server that was for doing old print services
<4> so i got rid of it and replaced it with netatalk
<3> iptables -I FORWARD -p tcp --dport 9100 works, iptables fwd_authorized_mac -p tcp 9100 does not work, but everything else does work in the fwd_authorized_mac chain (which we create from a mysql database)
<4> lol soz ... MAC as in Apple Mac =)
<3> our rules are created something like this: mysql -D networksettings --p***word=test --silent --skip-column-names -e "SELECT CONCAT('iptables -A FORWARD -m mac --mac-source ',Mac, ' -j fwd_authorized_mac') FROM MACADDRESS WHERE Enabled=1;" > /srv/linkedfiles/rogue_fwd_authorized_mac.conf
<4> is the Printer Spooled by the Windoze Boxen ?
<5> can i do this using iptables?
<3> we're using all new servers, Proliant 360 and higher, completely new network and we got full support for using linux :)
<3> yes, Windows hosts the windows domain (sorry for that :p) and some of the servers act as fileshare/print share server
<4> jita: huh ? explain again
<4> TimothyP: i think its the Winblows Boxen ... i have put it down to a SMB protocol issue
<4> and its only with printing ...
<5> hard__ware: ok there is noise on the internet like microsoft netbios requests, pings etc which won't allow the connection timeout to reach 3 minutes. i want to bring the internet connection download after 3 minutes of inactivity
<5> download/down
<4> errrr... well i dont know ... how does netbsd do it ?
<4> is this dialup or dsl ?
<5> hard__ware: dsl
<4> lol pppoe ... silly me
<3> for now we solved the printer problem by not applying mac filter to it
<5> hard__ware: set filter alive 0 permit tcp dst eq 80
<3> but we're afraid our server will not be able to cope with all the data
<5> hard__ware: i set up filters in ppp.conf in freebsd
<4> TimothyP: sorry mate ... i dont think you can solve it
<4> really its a design flaw in SMB printing
<5> hard__ware: specify a few ports which will keep the connection alive. like 80, 25 etc
<5> hard__ware: and deny everything else
<4> will a modem drop ? if you are receiving packets , but not sending back ?
<4> pppoe / LLC protocol for that matter ?
<3> we're using 2 times a 1GB card with 2 ports (1GB on each port) , the PCI-X bus is 4,6Gbits (best case scenario) , the burst 3.6gbits of data in the current situation, soon more than 4.6Gbits, we're afraid the iptables server will become a huge bottleneck
<5> hard__ware: isn't there anything like set filter alive 0 permit tcp dst eq 80?
<3> any thoughts on that?
<4> TimothyP: well it will be
<4> sorry , but that's a lot of work ...
<4> really you need to split it up
<5> hard__ware: that firewall rule doesn't drop/accept anything. it just allows it to keep the connection alive, that's it
<4> maybe run 4 servers /w heartbeat , 2 at any given time are sharing load
<4> jita: i dont think im talking about , what you need
<4> hmmm ... owell i have to run shortly , im sure someone else will help ya
<4> TimothyP: seriously, this will easily do what you need ... -> http://www.extremenetworks.com/libraries/prodpdfs/products/summit5i.asp
<3> but we want to know if iptables can do it :)
<4> well maybe ... i cant really say
<4> only way to ever know with opensource ,, is test it
<4> when your talking those specifics
<4> im sure its possible with the right hardware / tuned iptables rules and well tuned Kernel / Netfilter
<4> im talking , ripin code it , minimal as possible, extremely optimized for that Arch / Machine , tweaking all of the TCP and IP Timeout code etc etc
<6> TimothyP: I really don't think it's a matter of iptables. Software is software -- unless there's a resource leak somewhere, if it handles 1pps, it'll handle a million, *if* the CPU/memory subsystem can keep up. When you start cramming Gbps down the bus, though, the hardware is going to hit its limit at -some- point. The question isn't "can iptables handle it" it's "can your -hardware- handle it."
<4> ai2097: Ja
<4> =)
<3> that's exactly what we're worried about :p
<3> another question before I go, iptables-save outputs all the rules, but is there a tool somewhere to generate a diagram from this?
<4> TimothyP: thats why you test it
<4> =)
<4> TimothyP: lol funny you asked that
<3> why
<4> a mate of mine was working on one with me /w awk
<4> but he hasnt come back online for weeks , ever since he got really ill
<3> (I've been trying to draw it by hand, but I haven't found a standard for drawing firewalls, so I resorted to ladder diagrams from PLC)
<4> =(
<3> oh sorry to hear that
<4> yeah ...
<3> may I ask what you had in mind?
<4> hopefully he will be good soon
<6> You need a system that's designed for the load. Standard PCs are not designed to handle that kind of abuse. Special-designed hardware with fabric backplanes are :p.
<4> Full output to png or commandline
<4> commandline would be ascii
<3> yes, but how would you visualize it, like we all know you use ERD for databases, UML for software, etc... but what for firewalls
<4> =P
<3> lol, I doubt our proliants are special designed :p
<4> TimothyP: lol well in the M$ world its Visio .. i spose
<4> dont know about everyone else ?
<3> hehe I can't seem to explain my point
<6> Visio is a tool, not a modeling language.
<4> yes i know ...
<3> visio is "the tool" you use to draw the diagram, not the modeling language
<4> but other people dont seem to think so ...
<6> AFAIK, there is no standard language for modeling firewalls.
<4> exactly
<6> +1 to dia-hating.
<3> then one should be designed, especially if you want to make software for it hard__ware
<4> lol
<4> +2
<3> like there's a UML taskforce there should be a firewall modeling language taskforce
<3> FML :)
<3> as opposed to UML
<3> so if anybody feels up to it, and cares to join me :)
<6> Meh. Just create a UML package to handle it.
<4> well nice chatting to you all
<7> you can model anything in UML
<4> i gotta go attend to my pregnant wife ...
<4> cyas =)
<3> oh :) coool
<3> good luck
<7> is it yours?
<3> lol guess you didn't use a firewall 9 months ago :p
<3> yeah, his iptables collapsed or had an open port
<3> perhaps the connection was already established
<7> TimothyP: "pregnant wife"
<7> so not 9 months ago
<3> I was guessing :p
<6> TimothyP: Why not just diagram it with a regular flowchart? I mean, all it is is a bunch of yes/no decisions interspersed with actions as part of a big data flow.
<3> because it becomes HUGE :)
<3> ladder is even more appropriate for firewalls
<7> how about uml and write a UML2iptables parser ?
<3> as the logic behind a firewall is a lot like the logic behind PLC
<3> that's an idea as well
<6> Any diagram is going to get huge if you're diagramming a complex system.
<3> true
<3> then perhaps an application which can generate a graphical representation of the firewall, not for print format, but more dynamic, where you can expand and collapse certain parts , or where you can simulate traffic flow
<6> Ah, but simulating traffic flow is difficult. After all, if you can define the packet you're trying to allow or block, you could already tell the firewall what you're trying to do, no?
<6> Unless you're just talking about something simple, like replaying an existing libpcap-like dump file?
<3> perhaps yes
<8> What is the difference between ctstate and state options?
<1> ctstate has the SNAT and DNAT virtual states
<9> how do you do multiple destination ips with iptables? I want to say "destination is (not 1.1.1.1 or not 2.2.2.2 or not 3.3.3.3)"