<0> is there someone that can help me with a novice problem on iptables?
<0> I have added a user chain to INPUT - now can I remove that from INPUT?
<1> just delete the rule that jumps to the chain
<0> ? - what do you mean?
<0> Chain FORWARD (policy ACCEPT)
<0> target prot opt source destination
<0> RH-Firewall-1-INPUT all -- anywhere anywhere
<0> Chain INPUT (policy ACCEPT)
<0> target prot opt source destination
<0> RH-Firewall-1-INPUT all -- anywhere anywhere
<0> STI-Firewall-Input all -- anywhere anywhere
<0> Chain OUTPUT (policy ACCEPT)
<0> target prot opt source destination
<0> Chain RH-Firewall-1-INPUT (2 references)
<0> target prot opt source destination
<0> ACCEPT all -- anywhere anywhere
<0> ACCEPT icmp -- anywhere anywhere icmp any
<0> ACCEPT ipv6-crypt-- anywhere anywhere
<0> ACCEPT ipv6-auth-- anywhere anywhere
<0> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
<0> ACCEPT udp -- anywhere anywhere udp dpt:ipp
<0> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
<0> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
<0> Chain STI-Firewall-Input (1 references)
<0> target prot opt source destination
<0> ACCEPT tcp -- anywhere anywhere tcp dpt:5900
<1> please use a pastebin next time you paste something
<0> wants to move the STI-Firewall-Input up, before RH's default in the INPUT chain
<0> is that possible
<0> Yeah - sorry
<1> yes. Delete the rule and insert it again using -I
<0> ok, I will try
<0> Hi danieldg, it worked ;-) - thank you -- have a nice evening
<2> I want to deny all inbound requests except for pings. So I drop all inbound: iptables -P INPUT DROP
<2> But I can't find how to target ping for dropping packets. It seems that ping doesn't use a port (at least that I can find)
<1> it uses ICMP
<1> so -p icmp --icmp-type echo-request
<2> Thanks danieldg!
<2> danieldg: Oooo... lots of ICMP types to learn about. Let's see how bad I can screw up my network!
<1> most of them aren't used any more
<2> Well thanks for that. I would end up wasting a lot of time otherwise.
<2> Any suggestions on a site I should use as a resource for that type of info? googling often ends up with old information...
<3> danieldg: yes they are
<3> just maybe not by you =
<2> It looks like icmp is used in the lower levels to support sending/receiving tcp packets.
<2> So I would assume I only need to mess with icmp to handle things like syn floods. Yes?
<2> And ping. ;-)
<1> syn floods don't have anything to do with ICMP
<1> hard__ware: yeah, for some reason I thought there were a lot of useless ones, but I think that's IP protocol types
<2> <--- needs to read more before opening mouth. Back to the books!
<2> Thanks again danieldg.
<4> can iptables see what userid is requesting/sending data?
<4> (unix user id)
<1> yes, using the owner module
<2> I need help with a learning exercise. I want to disable everything and build it up so I can ping my system.
<2> I start by flushing the tables: iptables -F INPUT; iptables -F OUTPUT; iptables -F FORWARD
<2> Then I set the default policy to DROP: iptables -P INPUT DROP; iptables -P OUTPUT DROP
<2> As expected, I cannot ping the server now. So now I see if I can make ping work.
<2> Accept inbound icmp echo_request: iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
<2> Accept outbound icmp echo_reply: iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
<2> As expected, ping now works.
<2> HOWEVER, ping no longer works if I set the policy on FORWARD to DROP: iptables -P FORWARD DROP
<2> Why does a ping go through FORWARD?
<2> (Does multiline paste work on IRC? Let me know if that isn't readable...)
<1> try adding LOG rules and see what is being dropped
<1> I don't think a ping goes through FORWARD
<1> does the system have multiple network interfaces?
<2> Yes. I am using xen. eth0 -> internet. dummy1 bridges to xenbr0.
<2> I logged and am now trying to figure it out.
<1> it might be that the packets first go through forward, then through INPUT
<1> although I didn't think it worked that way
<2> None of the documentation would indicate it. All show PREROUTING -> INPUT -> OUTPUT -> POSTROUTING
<1> yes
<2> LOG shows it is coming in on xenbr0, out xenbr0.
<1> where is the log from? FORWARD?
<2> PHYSIN=peth PHYSOUT=vif0.0
<2> This may have something to do with xen.
<2> yes, log from forward
<1> that's what I think now, looking at Xen
<2> It may be bridging messing me up.
<1> bridged packets go through FORWARD on the machine doing the bridging
<1> at least they do if CONFIG_BRIDGE_NETFILTER=y
<2> Logically though, packets coming in on eth0 destined for eth0's ip address should not be forwarded.
<1> is eth0 part of a bridge?
<2> No. Only dummy1
<2> Hmmmm....
<2> You know, I think xen is moving eth0 to the name vif0.0. eth0 would then be bridged to vif0.0.
<2> Is there some way to tell that? Some command to list bridges? I haven't worked with them yet.
<1> brctl
<1> 'brctl show' actually
<2> It shows xenbr0 with interfaces peth0 (physical interface 0) and vif0.0 (virtual interface created for my primary virtual machine).
<2> ifconfig peth0 shows a hardware address of FE:FF:FF:FF:FF:FF so I don't think that is my real, physical network.
<2> s/physical network/physical interface/
<2> I think there is something goofy going on because I am using xen. I'll see if someone in the xen room can shed light on this.
<2> Thanks danieldg. Virtual beer for you: [ ] :-)
<5> As Salaam e laikum
<5> Translation: Peace be upon you.
<5> In the Name of God, Most Gracious, Most Merciful http://www.submission.org/ . . . . . . Happiness is submission to God. There is no other god besides GOD.
<2> I hated to see him go... such a nice guy.
<2> danieldg and anyone else interested... this is what I learned.
<2> Default Xen 3.0 install puts a bridge before eth0.
<1> before? what does that mean?
<1> traffic goes through the bridge, then into eth0?
<2> What I think happens is the physical eth0 gets renamed, then the bridge gets installed on peth0.
<2> Then another virtual interface gets created, named eth0, and added to the bridge.
<1> ok, that kinda makes sense
<2> I have no idea how you rename eth0. I had tried doing that before using mapping in /etc/network/interfaces but it didn't work.
<2> But they do it.
<1> ifrename
<2> And there you have it.
<1> I do it for all my interfaces
<6> Hi all, I've got a pretty strange problem with udp masquerading:
<6> My router has two interfaces (vlan2 and ppp0, which is the default route), for which it does Masquerading
<6> It works fine for tcp, but apparently udp packets that are routed via ppp0 are *masqueraded* with the vlan2 ip
<7> Hi everybody... does anyone know of a LARTC mirror?
<7> LARTC DNS is down... maybe someone knows its IP?
<7> Does nexthop + equalize respect connections? I want to load balance over multiple providers.
<8> folks, can you please help me with an iptables line? I have two IPs on the same nic (86.105.x.x - net, and 10.11.x.x - lan). now, port 411 is open with the "-A INPUT -p tcp -m tcp --dport 411 -j ACCEPT". I want to keep 411 open but ONLY to the LAN IP (10.11.x.x). can you help?
<9> hi all
<9> Does anybody use firestarter to set up a firewall?
<10> hi, everybody
<10> i have crossover connected 2 computers with slackware and winxp. i would like to share internet from linux to winxp. i tried for a lot of hours and i can't. i wrote the line for ip forwarding and 'iptables -A POSTROUTING -o ppp0 -j MASQUERADE -t nat' but windows doesn't see me. i have ip address 192.168.0.1, winxp *.2, and i can't ping it from either side. please very much - help me.
<11> You probably only need to add the default route on XP, and enable IP forwarding on Slackware (/etc/rc.d/rc.ip_forward).
<10> well, i tried writing in the xp ip number etc and i turned on ip_formarward
<10> forward
<11> you say ping doesn't work between the two?
<10> yes, i can't even ping any computer
<10> well i can ping me from me but not from xp
<11> That suggests a lower-level problem, cabling or adapter[s].
<10> normally routing is very simple?
<11> If your Ethernet isn't working, no. :)
<10> hmm... i was looking on 2 winxp (on my computer and that second one) and it said that the connection is good (i could repair the connection)
<10> and it did not say: "net cable is disconnected"
<11> but you can't ping.
<10> if i have set ip addresses on 2 computers and i can't ping, does it mean that i have a bad cable, yes?
<10> ;(
<10> i have an idea, i will try ping on 2 winxp
<10> ok, thank you very much
<11> I obviously don't have enough information to say for sure, but I would try swapping cables.
<10> ok, thank you
<11> mii-tool(8) might help on the Linux side.
<12> hrm I'm trying to get pinging through my router working. I have all forwarded packets accepted, and if protocol is icmp and connection is established and related accepted as well.
<12> what else do I need to put in?
<12> (I can ping my router, I can ping from the router, I just can't ping /through/ the router)
<11> FORWARD chain.
<12> forward all packets from my internal interface is what I have.
<11> What about reply packets?
<13> is it necessary to open ports in my firewall scripts for apache??
<11> 1. If you don't want anyone from the outside accessing it, of course not. :) 2. If you *do* want it open, that depends on your rules, but most likely you would want to open 80 and/or 443 (both TCP).
<14> hi folx