Quotes DB: useful, funny, interesting
<0> http://en.pastebin.ca/raw/45073
<0> I try to use iptables -F to flush the rules in the chain and then rerun the new script; it tells me that the chain already exists.
<0> syslog.conf has kern.*
<1> Hello, I'm trying to set up a system on my firewall to email me when a certain rule is used (I'd like to be notified when my client logs into the VPN). How could I do this, using iptables?
<0> Use the TARGET EXTENSION "LOG" and link it up with your syslog.conf file.
<1> zethreth: ok, I've already got a rule in place to log when the port's accessed. You're saying that I can get syslog to run a command when iptables logs to it?
<0> Well, I'm not an expert, but you can specify logging to mailboxes in the syslog.conf file, and I'm thinking that is where you would have to send your rule's LOG, ULOG or whatever will get the job done.
<0> man syslogd
<2> I can't get the -m nth extension to load. what is wrong with this syntax:
<3> lazzarello: you have the kernel patched?
<2> -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m nth --every 2 --counter 0 --packet 0 -m state --state NEW -j DNAT --to-destination 192.168.76.129:80
<2> danieldg, no. it's a stock Debian 2.6.8 kernel from stable.
<3> lazzarello: ah, that's the problem. -m nth requires a kernel patch
<2> but
<2> root@hud****er:/usr/src/kernel-source-2.6.8# ls -l /lib/iptables/libipt_nth.so
<2> -rw-r--r-- 1 root root 5120 2004-12-01 19:38 /lib/iptables/libipt_nth.so
<3> right. that's the userspace library
<3> you need a kernel module - ipt_nth
<2> Crappy. Kernel patches. Maybe there's another way. I need very simple round-robin or weighted incoming load balancing to a mirrored web server pool.
<2> I was recommended nth and random
<3> you might be able to --to-destination ip-ip range
<2> I tried the BALANCE target, but that's not on my system either.
<3> but both nth and random require pom
<2> pom?
<3> patch-o-matic
<2> --to-destination ip-ip for the DNAT target?
<3> yes, that's a valid syntax
<2> cool. I'll try that. I may need that kernel patch. random would be nice to have.
<2> but round robin is cool for now.
<3> ftp://ftp.us.netfilter.org/netfilter/patch-o-matic-ng/snapshot/ - it's really easy to apply
<0> http://en.pastebin.ca/raw/45073 Don't mean to interrupt; I'm new to this iptables program and wouldn't mind a second opinion on my script.
<3> the log will never be hit
<4> zethreth: 2 comments: 1. LOG lines must come before the ACCEPT/DROP rules, or you won't log what you think you are logging. 2. You definitely cannot afford to log all RELATED,ESTABLISHED packets. Not sure what the -m limit default is.
<0> Also, like macka was asking about logging rules to his/her mail: would that be done with the LOG extension? This only allows for kernel logging though, with the specified level. How would you tell it to log to a different facility?
<0> I'll be back in 20
<3> zethreth: use ULOG
<2> danieldg, I'm not too keen on building kernels. you wouldn't happen to know if there's a Debian way to apply this patch?
<3> lazzarello: just extract the kernel in /usr/src/linux, and run the ./runme base
<2> k
<3> then I just use make-kpkg to compile it
<2> thanks
<3> be sure to enable the nth module after patching - it's not compiled by default
<2> and download the iptables source ;0
<3> ah, it does like to insist on that. I don't think it changes anything for nth though
<2> "Your iptables version is unknown for patch-o-matic at ./runme line 217"
<2> too old and pom too new?
<3> what iptables version?
<2> iptables v1.2.11
<2> maybe I have the wrong source package...searching.
<3> hmm. I don't think that is really that old...
<3> you could always upgrade to 1.3.5 or use an older pom snapshot
<2> older snapshot it is.
<2> danieldg, what's the config keyword for nth and random?
<3> CONFIG_IP_NF_MATCH_NTH
<3> and _RANDOM
<2> crap. maybe the pom version I took is /too/ old.
<5> howdy
<5> Totally OT, but there might be some brains to pick here: anybody running Linux-HA v2 with MySQL as a resource?
<6> Hiya ticallion
<5> Sarah! Hey! Long time
<5> please disregard my OT, I think I got it
<5> omg, v2 is beautiful!
<5> oops
<5> sorry
<7> hey, can somebody help me with the rule for allowing ssh connections from wan please
<7> hmm, irc isn't nicknaming me.
<7> or at least i cannot see it
<3> what do you mean
<7> i'm getting strangeness from my terminal
<7> what's wrong with the following rule
<7> -A INPUT -p tcp --dport 22 -j ACCEPT
<5> nothing
<5> your nick is Steve973
<7> i can't ssh into the box
<7> thanks, can't see it in my terminal
<5> do you have a live ssh connection?
<7> at least i cannot ssh from the lan into the box
<7> don't know if external works
<5> if so, issue a "iptables -I INPUT -p tcp --dport 22 -j ACCEPT"
<5> if that works then something in your rules is blocking it
<7> i'm on the box right now
<7> i have -A
<7> is that ok
<7> or should it be -I
<4> -A appends at the end. -I inserts at the beginning.
<7> i see. what takes precedence?
<7> i see that i'm open on port 22 from the outside. why doesn't it allow ssh from the lan
<4> First match wins, rules taken in order.
<4> ah, sounds like a DNS / same subnet NAT issue.
<4> see "having NAT issues" in /topic, or just use the LAN IP address!
<7> i'm using the ip address of this box from the lan
<7> same subnet
<7> ssh 192.168.0.1
<7> refused
<7> but i bet if you try to ssh to me, it'll ask you for a password.
<7> can i show you my ruleset?
<4> pastebin
<7> http://pastebin.com/593719
<4> netstat(8), make sure sshd is listening on 192.168.0.1
<7> anything wrong?
<7> ok one sec
<7> netstat(8)?
<7> sshd is started but if i run netstat, i don't see anything on port 22 on 192.168.0.1
<3> most likely it's on 0.0.0.0
<7> i am not sure if i'm running netstat properly to see
<3> or :::22
<3> netstat -lp
<7> tcp 0 0 *:ssh *:* LISTEN
<3> good
<7> are my rules prohibiting it from lan?
<7> and not from wan?
<7> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
<7> from iptables-save
<7> danieldg: what's your web page with examples?
<3> daniel.6dns.org/info/iptables/
<8> danieldg, rob0: Ah, since you're both around, I can ask you at the same time. Would you guys be willing to do 6, one-liner iptables tasks later?
<8> I'd like to test the difference between 3 tasks using the current module switches, and 3 using a slightly modified syntax.
<7> thanks danieldg i'm going to reboot and see what happens.
<3> ai2097: I'm not sure what you mean
<8> danieldg: I'll essentially give a series of short, explicit story problems, and ask that you provide an iptables rule that the problem describes.
<8> More or less what you do in here day in/day out ;).
<4> ai2097: If I'm around at the time, sure.
<8> rob0: I've got the next four days to come up with the tests and find you... hopefully it'll work out ;).
<4> Lately I've been here most evenings, just not always looking in of course.
<4> (Evenings US-CST)
<8> I'm PST myself, so things should work out all right.
<9> Hi. I know maybe the basics of iptables, but not enough to write a thorough ruleset by hand. I need to make a ruleset for a remote computer and I wanted to ask if anyone recommended any particular tool that would help me do this... a GUI or script
<10> I'm trying to craft an iptables rule that limits the number of connections per IP (say 3 per IP) to httpd. I came up with this: iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 60/second --limit-burst 3 -j ACCEPT; It doesn't seem to be working. Is there another module I should use, or did I mess up the wording on this?
<11> hmm
<11> limiting to three connections to httpd is just stupid
<11> because http is a stateless protocol
<11> each pageload is a new connection
<10> Well, it makes it simpler; it really is acting as a simple file server.
<10> I'm trying to stop dl managers from hogging up connections
<10> It has no actual webpages on it that are surfed by users, the main site is hosted elsewhere.
<11> why don't you just cap the bandwidth per ip?
<10> Because in the end this would be simpler for all involved; capping the bandwidth per user still doesn't stop a user from hogging 20 connections to the http with a dl (not manager but accelerator, sorry) accelerator
<11> i think it would be best to limit connections on the web server's side
<11> if you're using apache then it should work just fine
<11> or make for example a php script which passes the files
<10> I would love to, but I can't (or haven't found the mod for 2.0.xx) do it per ip, only max connections.
<10> php isn't the optimal approach. I would prefer to do it at a system level; there are workarounds to beat any script.
<11> mod_limitipconn.c
<11> This is the distribution page for the Apache module mod_limitipconn.c, which allows web server administrators to limit the number of simultaneous downloads permitted from a single IP address.
<10> I tried that
<10> Its for 1.3 not 2.0
<11> hmm
<10> Won't compile.
<11> you haven't read at all
<11> This page is for Apache 1.3 users. If you use Apache 2.0, see the Apache 2.0 version of mod_limitipconn.
Return to #iptables