Comments:
<0> hello
<0> is it possible to forward a connection to another ip ext?
<0> like this with nat: iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6667 -j DNAT --to-destination otherip:6667
<1> hi all, I am suffering here with msn remote assistance, what port do I need to forward in order for it to function? I have one public ip, and clients behind it, I only need 1 client to use msn remote assistance
<1> is it 3389?
<2> folks, bit of an emergency, i need a box we have here to be accessible to everyone on the local network (192.168.0.x), can someone give me a quick rule to add to iptables for me to learn from later?
<3> hello all
<4> hello
<5> hi, i have a situation where someone is trying to dictionary attack my server via sshd, but i don't have port 22 open to the public, so i'm wondering how they're connecting to the daemon
<5> example error log: sshd[3168]: Failed password for root from 222.39.47.92 port 57882 ssh2
<6> i have an interface sit0 which is for ipv6 connections, would opening ports open them on that as well as eth0 as usually is the case
<5> no, you have to specify rules for sit0 specifically
<5> well, you can do wildcard rules
<7> Skywise: Have you figured out how they are attempting to connect to ssh yet?
<5> no
<5> i just nmap scanned from an unprivileged host and all ports but 80 are closed
<5> the only rules that i think could be involved would be these 2:
<5> iptables -v -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<5> iptables -v -A INPUT -p tcp ! --syn -j ACCEPT
<7> That second one looks bad. But honestly, I haven't read into how syn is used. However, it is clearly pretty open.
<5> i thought that was for non syn packets
<7> My reading is: Any tcp packet without a syn bit set will be accepted.
<7> Aren't most packets non-syn packets?
<5> i've used that rule for so long, i forget its intent
<8> iptables v1.2.11: can't initialize iptables table `filter': Module is wrong version
<8> Perhaps iptables or your kernel needs to be upgraded.
<8> i keep getting that error with the command iptables -L
<8> can anyone help me?
<8> (08:53:48)
<8> my system kernel is: Linux dlx1 2.6.8-12-em64t-p4-smp #1 SMP Thu Feb 9 08:38:33 UTC 2006 x86_64 GNU/Linux
<8> (08:54:08)
<8> and my iptables version is: iptables v1.2.11
<5> can you compile a kernel?
<9> re
<10> How can I block all traffic on port 22 (sshd)... but then allow traffic if it's from two ip ranges... 10.0.* and 144.223.*
<11> hi, all... i setup proftpd on the server, and the client (commandline) gets this: ftp: setsockopt: Bad file descriptor
<11> it seems to connect ok, but the server shows the connection as "IDLE"
<11> any command issued does not return to the client
<11> i tried setting passive mode, but i get the same results
<11> googling seems to indicate that the server is setup as a nat/masq
<11> but i set this box up and, since i don't know enough about it _to_ set it up that way, i'm sure it's not
<11> however, all the indications seem to point to the iptables ruleset as the common denominator
<11> does iptables-restore < filename reload the rules in filename?
<11> it definitely is the iptables ruleset
<11> i opened the box completely, and ftp worked fine
<11> as soon as i reload the ruleset, it quits again
<11> i'm not quite sure where to look, since ports 20 and 21 are set to accept both inbound and outbound
<10> iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
<10> That is how to block all inbound tcp traffic to port 22.... yes, how can I now allow only two ip ranges... it is 137.125.0.0 through 137.125.255.255
<11> sid: 137.125.0.0/24
<10> iptables -A INPUT -s 137.125.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
<10> gymsmoke: Like that?
<11> sid: looks right
<10> gymsmoke: Doesn't that only do... 137.125.0.0 through 137.125.0.255 though and not 137.125.0.0 through 137.125.255.255
<11> sid: oh, yeah - it does
<10> gymsmoke: So how do I do 137.125.0.0 through 137.125.255.255?
<11> sid: not sure
<10> iptables -A INPUT -s 137.125.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
<10> maybe
<10> I dunno... the iptables man page is really long
<12> sid: skip the -m tcp
<10> callee: Is /16 right?
<12> sid: the rule becomes more readable like this: iptables -A INPUT -p tcp -s 137.125.0.0/16 --dport 22 -j ACCEPT
<12> /16 is with the last 16 bit masked
<12> means: and in that case it's right
<12> it's 137.125.x.y with x,y [0..255]
<10> iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
<12> sid: skip the -m tcp
<12> that's useless, even if it works
<10> iptables -A INPUT -p tcp --dport 22 -j DROP
<10> iptables -A INPUT -s 137.125.0.0/16 -p tcp --dport 22 -j ACCEPT
<10> That will ONLY allow inbound port 22 tcp traffic from 137.125.0.0 through 137.125.255.255 callee?
<12> sid: just drop by default at the end of a chain/table and allow the rest before that
<10> just drop by default... I don't know what that means
<10> This is my first time using iptables
<12> sid: well. there is a good howto: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
<12> it's long i know, but filtering is not that easy and you can do many things with iptables
<12> so you should read it.
<10> k, I'll bookmark it
<12> if you read that, traffic shaping is possible with almost 0 additional effort, so you in fact get both for 1 price - read one get one free
<10> I just want to stop people who I don't know from sshing to my ssh daemon... and I only ssh from this ip range.
<12> however there are good example scripts on the net, so if you like learning by doing, maybe starting with one of these is not bad
<10> I don't have any other services running on any other ports besides 22
<10> callee: I'm still confused as to whether my two lines are right/will work.
<10> They'll work?
<12> sid: read it, you need the stateful part anyway.
<12> callee: probably not, you may be lucky depending on your setup.
<12> but you should do it the right way, because all others can do more harm than they prevent
<12> why do you want to firewall ssh anyway?
<10> Because I see a lot of korean ips and some scattered american cable ips... I don't want them to be even allowed to attempt to login to ssh.
<12> ssh is almost completely unnecessary depending on what sshd you use
<10> Since I only ssh from one ip range... and that's it.
<10> I'll never ssh from another ip range.
<12> sid: ever heard about strong passwords?
<10> yea, I use strong passwords.
<10> But if there was ever a remote openssh server exploit or something...
<10> I just feel better only allowing one ip range inbound tcp 22 with iptables.
<13> ah, you've got to be kiddin'
<13> indeed
<13> restrict access to any logins to authorized IP blocks
<13> very easy to do for me, since I am on a static IP which is subnetted at my ISP.
<10> Sneaky_Bastard: That's what I'm trying to do.
<10> iptables -A INPUT -p tcp --dport 22 -j DROP; iptables -A INPUT -s 137.125.0.0/16 -p tcp --dport 22 -j ACCEPT;
<13> allowing an entire 16-block in?
<10> although I'm not sure if it's going to work... or if my order is right... meaning I allow first, then block.
<10> This is my first time using iptables.
<13> might as well not lock it
<13> unless that 16-block is your own company
<10> Sneaky_Bastard: I want 137.125.0.0 through 137.125.255.255 to be allowed
<12> sid
<12> http://rafb.net/paste/results/roqtJP91.html you want this
<12> replace $WAN with your outside interface
<11> i have ip_conntrack_ftp installed, and ports 20 and 21 set to ACCEPT for both inbound and outbound, but my ftp client gets sockopt errors connecting
<10> I'm using debian GNU/Linux so I have no iptables rules; by default it allows all
<12> sid: i posted a simple ruleset above
<12> http://rafb.net/paste/results/3vNoMi27.html
<12> this one may be even a little better
<10> thanks a lot callee
<12> http://rafb.net/paste/results/f6rUUe68.html
<10> I appreciate the help
<12> this one, there was a spelling error in the others
<12> i missed a blank
<12> argh
<12> another stupid error
<12> http://rafb.net/paste/results/aTkdXD81.html
<12> this is the right version
<12> no more syntax flaws
<12> and all you now need to do is add the proper source network to the ! 22 rule
<12> i'd give you my ruleset, if it was wise to disclose it :)
<12> but my ruleset is grey magic, nice if nobody knows the ruleset but a real pain if an attacker knows :)
<8> callee
<8> how can i set up iptables?
<12> turi: read the manual, it's just a shell script containing rules
<12> http://iptables-tutorial.frozentux.net/iptables-tutorial.html this is the best start i know
<12> i'm off watching x-files
<8> xfiles geh
<11> turi: www.iptablesrocks.org
<14> hi, maybe not an iptables question (couldn't find the iproute2 channel..) but my problem: ONE computer, 2 isp, 2 ip, 2 gateway. I want both to work (the machine is dns/mail and is moving to another isp)
<14> ie, traffic goes to ip.1 then i want the server to respond and have default route: ip.1.gw but if traffic comes to my new ip ip.2, then i want it to respond via ip.2.gw
<14> is it possible to mark packets coming in to dev0:1 and then use a different routing table provided by iproute2?
<13> is it possible to use iptables to reflect packets coming in on a particular IP to a different IP *out the same interface they came in*?
<13> (*based upon port numbers*)
<14> use a proxy?
<14> i.e. simpleproxy
<13> qzio: I don't want to use a proxy
<13> and you didn't answer my damned question
<15> that's just ip forwarding
<15> and technically it is proxying
<14> "why do it the easy way.."
<16> Sneaky_Bastard: does the ROUTE target with --tee option answer your "damned question"?
<16> qzio: #lartc on irc.oftc.net
<16> qzio: http://www.lartc.org/howto/lartc.rpdb.multiple-links.html (and the whole howto btw) may be of interest