<0> I'm getting a lot of iptables matches on 'INVALID' state for TCP packets with the ACK and FIN bits set, anyone know why this would be matching?
<1> #netfilter might have more idea, but I'd check some of the parameters in /proc/sys/net/ipv4/netfilter
<0> it appears to be one app causing the packets
<2> what's the COMMIT rule for? it gives me an error
<2> iptables-restore: line 37 failed
<1> that means there is an error somewhere above
<1> and it just realized it now, when trying to apply the rules
<2> danieldg: can you take a look at it please: http://pastebin.com/553466
<2> that's from: http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
<1> try inserting each rule manually
<2> can someone provide me with a URL to a good basic tutorial on iptables?
<1> topic has a good one
<3> /topic?
<4> lng: check /topic
<3> :)
<1> appears we all agree :)
<4> hehe
<2> ok
<1> http://daniel.6dns.org/info/iptables/mkscript will convert the ruleset into a script for testing
<1> or you could do it manually since you only have a few rules
<4> Any freenode ops here? troll in ##slackware...
<4> nm - got UDK
<2> complex enough, but i have to get it
<2> why does one change his nick sometimes? like: 'jekil2 is now known as jekil'?
<3> Maybe one of them is a registered nick.
<2> ok, thanx
<5> lng: the answer is "ghost"
<2> jekil: ghost?
<2> what's that?
<5> lng: rtfm the faq
<2> faq of what
<1> freenode.net
<2> got it
<6> morn, i have a quick iptables question: i have a machine with a single leg. I want to make it so that port X on that machine is DNAT'ed to port Y on some machine somewhere else in the world. Is it more than just making the INPUT table accept port X and DNAT in the NAT table to x.x.x.x:Y, and also allowing FORWARD?
<1> _snd: yes. see the second link in the topic, but you also need an SNAT rule
<6> thanks :)
<6> so the SNAT would be basically from 0/0 to x.x.x.x:Y SNAT to the IP of the machine?
<1> yes
<6> makes sense :)
<6> thanks, that worked a treat, now bedtime :)
<7> hi
<7> I'm getting "no such chain/target/match by that name" when trying to place an IP into the tarpit
<1> you probably don't have the TARPIT target compiled in your kernel
<1> it requires a kernel patch
<7> danieldg: hmm, damn
<7> danieldg: i will have to upgrade then ;)
<7> i've been using a vendor kernel on this machine
<1> you'll need to get patch-o-matic-ng from netfilter.org - it's in the subversion repository
<8> anybody available for a rather in-depth question regarding sendmail?
<8> and firewalling it
<1> sure, ask
<8> awesome
<8> may i PM you?
<8> it's quite a lengthy explanation
<1> ask here unless it contains private info, then other people can also answer
<8> alright
<8> here's what i have done
<8> I allowed input from anywhere via tcp
<8> and blocked output from anywhere
<8> accept 192.168.0.0
<8> but that seems redundant
<8> i FORWARD it to my e-mail server
<8> port 25 that is.
<1> pasting the output of iptables-save is more readable than a description of the firewall rules
<8> agreed...
<1> paste to a pastebin, not the channel
<8> url
<8> forgot it
<1> pastebin.com
<8> haven't had to come to freenode for help in a while!
<8> brb phone
<8> ok back
<8> http://pastebin.com/553704
<8> there have a look see
<8> what i want to know is if i add
<8> iptables -I OUTPUT -o eth0 -s 192.168.0.10 -j DROP
<1> OUTPUT is for packets generated by the firewall
<1> not for packets forwarded by it
<8> ****...
<1> same with INPUT
<8> didn't know that
<1> you would want to filter in FORWARD
<8> alright
<8> they work the same as INPUT and OUTPUT?
<1> yes. You just have to remember that traffic is going in both directions in FORWARD
<1> you can use a state match so you only have to deal with new connections
<8> never really used forward...
<8> so how would i allow incoming packets and disallow outgoing packets to a specific IP
<8> i hate sendmail...
<1> just drop anything with that destination IP
<8> i think i might be screwed here then.. i'll have to actually configure sendmail.
<8> i need it to go out as well as in.
<1> what do you want to do?
<8> problem is, i can't have spammers eating my bandwidth
<1> right
<8> setting up a mail list
<8> the mail list works... it's figuring out how to block all the spamming arseholes from using it
<8> it'd be much simpler if they just had an allow local only...
<8> option in the config
<8> i mean i'll have to read the manuals for the next 4 months
<8> well... thanks a lot man
<8> it's back to reading for me.
<1> ok
<9> newbie question, can I message someone?
<4> kogitov: put it in the channel - more people to answer
<9> k
<9> I basically want to know how I can link chains together.
<9> The documentation I read on it explained that you can, but I couldn't find a specific example. I'd like to make a rule in INPUT that refers to another chain.
<9> part 2. recommend some good reading on iptables security tips and tricks?
<4> kogitov: check the /topic -- it addresses both (though #2 in less detail)
<4> kogitov: but you need #1 before #2 is even an issue
<4> That tutorial in the topic is a must-read
<9> second link? (the first one is Portuguese?)
<4> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
<4> It's English; it needs translation to Portuguese
<9> connection refused.
<4> Hmm... it's mirrored here: http://iptables.rlworkman.net
<4> The link in /topic works for me
<9> ok, that one didn't work either... I probably screwed up my proxy. I'll bookmark it and check it out in a bit... thanks. :)
<10> Is there any way with tc to show the amount of latency - i.e. the amount of time (avg/min/max) a packet takes from 1:1 to when it leaves through the interface?
<10> I take it that's a no? :)
<11> PlutoniumDragon: now that's a good question ...
<11> really that's a lartc question and not an iptables one ..
<11> but yes i don't think you can get that much info from tc
<12> hey all. is there a way to drop an ip that is trying to send a bad string on a certain port?
<12> i know the string.. is there a way to block it or something..?:/
<13> yes
<13> http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-string
<12> uhh, does that require a recompilation of iptables?
<12> this is so complicated for me as i am new to this. anyone who's bored:) would guide me to install patch-o-matic?:)
<14> ok the challenge of the day ... I have a server with a transparent proxy; from the server I can access any https page, except hotmail.com; from the clients I can't access any https page. this is my firewall http://pastebin.com/553292 ... please help
<14> how can I make HTTPS requests pass through the router?
<14> NAT?
<15> hi, can anyone tell me what I need to do in order to be able to access my webserver from inside the lan using the firewall's external ip? http://sial.org/pbot/15862 it works from remote locations (outside my lan)
<15> the strange thing is ftp://public_ip works
<1> robert83: look at the second URL in the topic; basically, you have to add an SNAT rule and proxy the connection at the IP level
<1> I have no idea why ftp would work unless the ftp server is on the firewall
<15> second url says page cannot be found :)
<15> nope, it's behind the firewall
<1> http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html
<1> works for me
<15> now it's ok
<14> danieldg, hello daniel I have one problem. I turned off the proxy ... now the clients go to the internet directly, but I can't access hotmail or msn; the other HTTPS pages work ... only hotmail.com fails
<1> seelen_: that sounds really strange; everything else (both http and https) works except hotmail??
<14> danieldg, yes
<14> danieldg, so strange, no??
<1> very strange
<14> danieldg, take a look http://pastebin.com/554348
<15> danieldg : one last question, so I do this iptables -t nat -A POSTROUTING -p tcp --dst 192.168.10.5 --dport 80 -j SNAT --to-source 192.168.0.0/24 , and I do this same line for all my 5 subnets? and that is it for port 80? then do the same for 443, 25, 110 and even 21?