@# Quotes DB     useful, funny, interesting






<0> FA
<1> hi. someone speak spanish here??
<2> Does "iptables -F" remove ALL rules, or only all rules in the filter table?
<2> does iptables "drive through" all tables when a package is being checked?
<3> AdvancedWeb, can you re-phrase that?
<3> AdvancedWeb, http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
<3> check that out
<2> I don't quite understand that graph :)
<2> but... i have a router with iptables as firewall.. and I don't understand when i should use the different tables to define the rules in..
<4> Hello, can anyone help me with layer7 match?
<5> AT|M
<6> hello
<7> Is there a way to see how long a packet has taken to go from 1:1 to exiting the interface with tc? I can't find a way to do it... I think that would be a useful way of testing how my bandwidth shaping is going
<8> hi there
<8> need help to block outgoing software ports (MSN, VNC etc.) on my dedicated iptables firewall



<8> i tried "iptables -A FORWARD -p TCP --dport 1863 -j REJECT" but i can still connect to msn
<9> Stop all outbound ports ??
<10> http://nscsysop.hypermart.net/no_chat.html
<8> how to block all outbound ports in one line?
<11> iptables -P OUTPUT DROP
<11> And remove all rules in output
<12> hehe
<12> hi Sarah long time no see
<11> Hiya
<13> hello all... I'm trying to use -m string but I'm getting the following error: iptables: No chain/target/match by that name when I try to add this: iptables -A FORWARD -s 192.168.1.31 -p tcp -m string --string 'msn' -o eth2 -j REJECT. when I type this: iptables -m string -help, I get STRING match v1.3.3 options - --string [!] string Match a string in a packet.... what am I doing wrong?
<14> lzsilva: make sure you have the string module in your kernel
<13> how can I do that without make menuconfig ?
<13> I have one /lib/iptables/libipt_string.so ...
<14> I think you need to patch your kernel
<14> lzsilva: check CONFIG_IP_NF_MATCH_STRING
<13> danieldg..ok...im downloading the sources here....thanks a lot !! :-)
<7> lzsilva: Can you do modprobe ipt_string ?
<13> no: FATAL: Module ipt_string not found.
<15> Some of you will remember this situation, but now I'm actually ready to address it. Would there be any easier way to differentiate between two sets of SSL traffic than the source
<15> ?
<15> My only idea so far, is to grab the packets from logins to each different game I won, and set DNAT rules to forward those to the PS2, and everything else to my webserver.
<15> Is it possible to set DNAT rules that are negative? (-s !xx.xx.xx.xx ?)
<16> hazard: yes, in a way. Just carefully consider what you need and what will happen.
<16> If you can separate them by source IP, put those specific rules at the beginning.
<16> I'd do a user chain, to jump to for -p tcp --dport https packets in nat/PREROUTING.
<15> Looks like I need to go look up user chain.
<16> it's the -N thing
<16> iptables -t nat -N NatHTTPS
<16> add rules to that, and jump to it from nat/PREROUTING.
<17> I'm trying to diagnose a simple problem, unable to forward an outside port inside
<17> so i started with the basics of just forwarding an ftp port
<17> i like to look at the packets being sent and see whats going on
<17> any tips ?
<14> ftp isn't a good basic port; try with http
<17> ok
<14> if you're doing ftp, make sure you have ip_conntrack_ftp and ip_nat_ftp modules loaded
<17> already done that thanks :)
<17> i set the port to 21 too
<16> DNAT on the same subnet is different, see "having NAT issues?" in /topic.
<18> can someone take a look at my firewall.iptables file i am trying to use on fedora and help me add allow for httpd http://ip.gnov.com:8080/~garrett/junk/firewall.iptables
<18> I am using chillispot for accounting my wireless users on the same box as my web server so i need to use the rules in the firewall.iptables doc but i also need to add to allow port 80 on the external port
<19> Hi everyone :)
<19> on my network there are some PC infected with the worm BEAGLE
<19> this worm listens on port 4751 and sends some registration containing this port number
<19> so I wanna stop this problem on my network
<19> if i add this to my firewall rules:
<19> #$IPT -I FORWARD 1 -p udp -m state --state NEW -i $EXT_INT -m multiport --dport 4751 -j DROP
<19> #$IPT -I FORWARD 1 -p tcp -m state --state NEW -i $EXT_INT -m multiport --dport 4751 -j DROP
<19> #$IPT -I FORWARD 1 -p udp -m state --state NEW -i $INT_INT -m multiport --dport 4751 -j DROP
<19> #$IPT -I FORWARD 1 -p tcp -m state --state NEW -i $INT_INT -m multiport --dport 4751 -j DROP
<19> is this a solution??? can anyone give me some advice
<19> anyone....
<20> matehortua, hey
<20> matehortua, what's up, buddy
<21> what's the iptables statement to drop all but icmp?
<22> Hello ive added this line to my iptables file -A INPUT -p udp -m udp --dport 21 -m state --state NEW -j DROP
<22> when i portscan it still shows port 21 as open. Why is that?
<22> also fot tcp too!
<22> *for.
<23> LaF0rge: Around?



<24> Chance: because ftp is tcp not udp
<22> trappist: i added both in case the other was cancelling the other out.
<24> oh, you said that :)
<24> well then replace -A with -I because you probably have a rule before it that's allowing the traffic
<22> I will try that. i added a drop as the very first thing in my input chain in case i had another line i was missing.
<22> i tried that and on port scan its showing it as open you can telnet and theres something there however i am not running anything ftp.
<24> fuser -v -n tcp 21
<22> trappist: is that something i should add.?
<24> no, it's something you should run to see what's running on port 21
<22> oh sorry!
<22> 2 secs
<22> all it says is here: 21
<24> try netstat -natlp | grep :21
<22> tcp 0 0 ::ffff:x.x.x.x:22 ::ffff:86.141.23.:63871 ESTABLISHED 23217/0
<22> tcp 0 48 ::ffff:x.x.x.x.2:22 ::ffff:86.141.23.:63024 ESTABLISHED 23288/1
<22> i put x to hide my ip :)
<24> there's no point trying to hide your ip on irc
<22> its my server not my own ip.
<24> are you sure you put | grep 21?
<24> err :21
<22> yes
<24> *shrug*
<24> are you flushing your rules before adding stuff to your script?
<22> i do this service iptables stop then service iptables start after ive made changes to the script.
<24> oh, I have no idea what that does on your distro
<24> sounds like either redhat or mandrake
<22> before i have blocked and filtered things no problem and for some reason no matter what i do or try i can't block 21.
<22> yeah its fedora
<22> not my choice.
<24> ok on the command line say iptables -I INPUT -p tcp --dport 21 -j DROP
<22> still open :(
<24> how are you testing
<22> nmap and also telneting to that port
<24> from where?
<22> from my computer to the server.
<22> different machines different parts of the globe
<24> across the internet, or on the same network?
<24> gotcha
<22> across the web.
<24> ok then do this
<24> iptables -t nat -I PREROUTING -p tcp --dport 21 -j DROP
<22> port scan is still working but i can telnet no problem into 21 and i get a connection.
<22> my other ports i blocked are blocked okay
<22> just this one port.
<24> I'm beginning to think you have a router or something in front of the server that's listening on 21
<22> will i nmap localhost on the server?
<25> Um, how about killall -9 [vs|pro|whatever]ftpd
<24> that'll be helpful, yeah
<24> robw810: there's no evidence of any ftp server (or anything else) running on that box and listening on 21
<22> on the server i get a different answer from nmap 21/tcp filtered ftp
<25> oh, then I agree with your assessment
<24> except nmap and telnet, of course
<25> There *has* to be something else seeing those packets
<24> which is circumstantial ;)
<22> and i cant telnet to port 21 localhost
<22> from within the server
<22> if that makes sense :)
<24> it does
<24> I'm pretty sure your router, or whatever sits in front of your server, is eating port 21
<22> its just a router or something on the way and i dont need to be paranoid. Then what happens when i open ftp i can start ftp and ftp to my server?
<24> hopefully you can tell your router to nat port 21
<22> i don't have access to the router :/
<24> then you're probably SOL on that front
<22> ok just to clear my head a little if i cant telnet from the server to localhost then no one outside the server can yeah?
<24> not to your server, presumable, but apparently to your router
<24> *presumably
<22> i know it's not an iptables question but when i open ftp and run ftp server how does that work. I can ftp to the server from outside should i run the service?
<22> the router part with the service is confusing me a little.
<22> maybe a badly worded question
<22> thanks very much with your help tho.
<26> i used to be able to receive mail traffic from the outside world (25,110,143), but i made some changes, and now i can't... can anyone help me out? http://pastebin.com/556591
<27> hello how can i stop this: ICMP echo rply (84 bytes) from 83.103.187.103 to localhost on eth0 . I have a lot of traffic on this port. about 1mb . help me pls
<26> try iptables -A INPUT -p icmp -s 83.103.187.103 -i eth0 -j DROP
<27> nop... doesn't work :(








Return to #iptables