<0> question about limit. how can this be used to stop a script kiddy from running a dictionary attack on your server without causing others to be blocked also?
<0> EX. kiddy 1.2.3.4 runs a dictionary attack on port 21, you have --limit 10/m to block. how can i assure that real users on other ip addresses would not also be blocked?
<1> Lazydog, try fail2ban
<0> kikov: ok but is it possible to set up iptables so that it'll block from an ip address when the limit is hit but still allow others to get in?
<1> Lazydog, I think I have seen that
<1> two hours ago
<1> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.5
<1> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.16 -> sorry, this one
<1> anyway, fail2ban is good enough
<1> http://packages.debian.org/unstable/net/fail2ban -> fail2ban
<1> fail2ban is a simple script that parses your log files and creates iptables rules
<1> I use it for ssh attacks
<0> kikov: thnx this is some good reading for tonight. :)
<1> http://fail2ban.sourceforge.net/ -> that's the homepage for fail2ban
<1> you can configure regular expressions to match against bad guys...
<0> kikov: i've looked at fail2ban but i'm wondering how it would fit my system as i have a firewall on another system other than the one someone would be logging into
<1> well.. fail2ban should be in the box having the services or at least the logs
<1> maybe you can use syslog-ng to send ftp logs to the firewall ;)
<0> yeah and there would be the problem as the firewall is different than the system supplying access
<0> don't want to do that
<1> no.. you can control exactly the rule to use when a match occurs
<0> i thought there would be a way with iptables: if it sees an ip address more than x times on a port it would block that ip address
<1> maybe you have to replace -A INPUT by -A FORWARD, but it's still configurable
<0> this is what i was thinking: iptables -A FORWARD -p tcp --dport 300 -m limit ! --limit 5/s --limit-burst 10 -j DROP
<1> ok.. go with that ;)
<1> how do you know if it's a true user or a badguy?
<0> yeah but if other clients want to get in and the rule is already matched by a script kiddy then they will not get in either
<0> a true user would try 10/s to log in. :)
<0> what i'm wondering is if this match would be ip based or port based
<0> i'm thinking port based
<0> and if port based this would cause a DoS for any true user and this is what i want to avoid
<2> oh my god
<2> there *is* hope for the world
<3> hello all
<3> how to load one set of iptables rules when the computer is booting ?
<3> where can I put these rules ?
<4> CrocoJet: in any system startup script
<4> what distro?
<3> ubuntu breezy
<3> system startup script ?
<3> where ?
<4> /etc/network/interfaces, in the pre-up section
<4> that's where I have mine
<4> startup scripts are in /etc/init.d
<4> linked from /etc/rc?.d/
<3> I will try putting it in /etc/network/interfaces
<4> make a script somewhere (mine is /etc/network/iptables) that applies the rules, then have /etc/network/interfaces run that script
<3> to run that script I put
<3> sh scriptname ?
<4> that or put "#!/bin/bash" (no quotes) at the top, chmod +x script, and just use the scriptname
<3> ok
<3> I put the command to run the script before
<3> iface lo inet loopback
<4> no, put it after iface eth0
<4> pre-up /etc/network/iptables
<4> read man interfaces for more info
<3> ok
<3> thanks for the help
<5> how can i do this:
<5> -A FORWARD -s 10.10.0.20 -p tcp -m multiport --dport NOT 20,21,22,23,25,80,110,443,3389,5190,6667 -j DROP
<4> s/NOT/!/
<5> so ! in front of each port?
<5> or --dport ! 20,21....
<4> ! --dport may be better
<5> seems to work
<5> nice
<5> thanks
<5> -A FORWARD -s 10.10.0.21 -p tcp -m multiport ! --dport 20,21,22,23,25,80,110,443,3389,5190,6667 -j DROP
<3> anyone know if there is a problem with this rule?
<3> iptables -A FORWARD -m unclean -j DROP
<4> unclean is bad
<3> iptables -A FORWARD -m bad -j DROP
<3> is this ?
<4> no
<4> don't use unclean
<3> oops
<3> lol
<3> iptables -A FORWARD -m -j DROP
<3> that ?
<4> no
<4> don't do it at all
<3> ouch
<3> why does it not work ?
<4> the unclean match is a bad idea, and it's being taken out.
<3> oh ok
<3> thanks again, danieldg
<4> yw
<5> damn
<5> that rule didn't work
<5> it's connecting to Shareaza on port 80
<4> error message?
<5> no the rule worked
<5> i'm trying to block p2p
<4> oh. you might want to look at the ipp2p module
<5> is there something else i should use?
<5> nice
<5> thanks
<5> this is a nightmare
<5> # iptables-restore /etc/sysconfig/iptables
<5> iptables-restore: match `ipp2p' v1.3.3 (I'm v1.3.0).
<5> does that mean that my kernel module is the wrong match for the iptables-ipp2p module?
<4> iptables version is wrong
<5> hmm
<5> ok
<5> it seems to still be working
<5> weird
<5> i'll try to downgrade ipp2p
<4> why not upgrade iptables?
<2> I still think it's odd that everyone says IPTables when they really mean NetFilter
<2> :(
<4> there is a distinct difference, yes. But I meant iptables there
<2> how did that happen ?
<2> ah, ok
<2> iptables being the command-line config program, yes ?
<4> yes
<2> ok
<5> iptables is updated via yum/up2date... easier to let them handle the stability of it all
<4> iptables is the interface to netfilter, which is the kernel code
<2> NetFilter being what gets configured
<2> yeah
<4> Alives: iptables is at 1.3.5, they should have a newer version by now. Debian testing is at 1.3.3 iirc
<5> wow
<5> fedora is 1.3.0
<5> i just checked
<5> ****s
<5> if i manually update it
<5> will yum/up2date start patching it as they see updates?
<4> don't know - the manual update may go into /usr/local, in which case it won't be touched by package managers
<5> hmm
<6> what should be the output rule for a transparent proxy
<7> hello, I was wondering if it is possible to use a domain name in iptables rules, like iptables -t nat -A PREROUTING -p tcp -d 192.168.0.0/24 --dport 80 -j RETURN , but instead of 192.168.0.0/24 I would like to use datalab., so that any domain containing datalab would not be redirected by my router rules.
<8> robert83a2: no, name resolution is done during rules generation (before kernel rules injection)
<7> hmmm, so I would then need to check these few domain names 5 , and allow them all by hand
<2> it's a bad idea to allow by domain name, anyway
<2> because those can be hijacked
<7> it's because of a "stupid" program that has a proxy setting, but cannot use a proxy due to some bug
<7> we bought this program for accounting because the boss has a hard head, nothing I can do here...
<7> so it's either I allow everyone to bypass my proxy "bad" , or I allow everyone to bypass the proxy if the destination is xxx.xxx.xxx.xxx "better"
<9> g'day all. I want to make iptables log all attempts on a given port, but not actually block/pass them, just log
<9> I was thinking of 'iptables -A rule -i $interface --dport $port -j LOG --log-prefix "thisport:"
<9> but I'm worried that if I assign it to -j LOG the packet will be absorbed
<9> mmm... it's a non-terminating target isn't it ?
<10> hello, I am trying to divert web requests to dansguardian at port 8080 and then to squid at 3128. I have fc5 with ip 192.168.1.101. I have not been successful till now, please help
<11> Hi, with iptables -t filter -A OUTPUT -p tcp --match owner --gid-owner 100 -j DROP is it possible to block groups?
<11> Hi, has anyone got this to work: iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
<11> it's from the iptables man page
<12> xDamox: what's the error?
<11> [root@localhost ~]# iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
<11> iptables: Unknown error 4294967295