Quotes DB - useful, funny, interesting



Comments:

<0> like: iptables -I OUTPUT -p icmp -d 83.103.187.103 -j DROP
<0> ?
<1> yes
<0> :)
<2> Can one use -A PREROUTING # the same way as -D PREROUTING #?
<1> no, but you can use -I PREROUTING #
<2> Or perhaps -I?
<2> Ah, thank you.
<2> iptables is like chess.
<2> You can learn it in a few minutes, and spend the rest of your life trying to perfect it.
<3> danielg, -A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.144
<3> how do I tell that command to ignore all local LAN (192.168.0.0)?
<3> it's redirecting all port 21 traffic to that IP...
<1> add a command before it: -A PREROUTING -s 192.168.0.0/16 -j ACCEPT
<3> and that would?
<4> I can't understand why I can open other pages normally except hotmail.com... my firewall is ok... how can I check if hotmail.com is blocking me?
<3> forward all traffic from the lan?
<3> on all ports?
<1> p0t5: that would not modify any traffic from 192.168.0.0/16
<5> ACCEPT in PREROUTING means "don't do anything and ignore all later rules which might match"
<1> (later rules in PREROUTING, of course. it still goes through FORWARD and such)
<3> I really need a book on this subject...
<1> tutorial in /topic
<3> or that:)
<1> it's just like a book :)
<3> now if I can get IMAP to work from the outside, I'm set...
<3> but that's all the time I have for today...
<3> byez all
<4> danieldg, please suggest me something, my clients are still without access to hotmail.com or MSN Messenger... is it possible that the problem might be the old hotmail signatures in the server or in the clients?
<1> doesn't sound likely, but in your case I have no idea what the problem could be....so maybe
<4> so maybe ???
<1> probably not
<4> danieldg, ok snif... my last days as ISP administrator snif
<4> snif
<6> my friends, if I have 2 cards in my firewall, where 1 is the internal net and the other the DMZ, but my mail server is in my DMZ and my DNS is in my internal network, how do I make the rule for my users to use SMTP and POP in my DMZ?
<1> the two networks have different IP ranges, right?
<1> your dns server should resolve the DNS entries for mail to the DMZ IPs
<6> right danieldg
<6> yes danieldg
<6> danieldg, do you speak Portuguese?
<1> np
<1> no
<6> then do you understand my problem?
<6> I have a server in my internal network
<6> a DNS server
<1> you have (mail) --- (firewall) -- (DNS + internal)
<6> i have this
<1> what IPs?
<6> right
<1> or I'll make some up :)
<6> mail 192.168.200.1 --- firewall 10.0.0.1 ---- internal DNS 10.0.0.4
<6> my users need to get their emails in the DMZ
<6> how do I resolve this?
<1> internal users go to the IP 192.168.200.1 to get their mail
<6> yes
<6> for example
<6> the mail IP is 192.168.200.4, default gw is 192.168.200.1 on the firewall
<1> right
<6> the users in the internal network go to gateway 10.0.0.1
<6> to get their emails
<1> yes
<6> how do I resolve this
<1> just have the firewall forward the packets
<6> I create a rule
<6> yes yes
<1> no NAT needed for this either
<6> I don't need to put a NAT???
<1> no
<6> don't have NAT
<1> use NAT only for access to the internet
<6> but I need to create a rule where there is a forward between the internal network (10.0.0.0) and 192.168.0.2 port 25
<6> right?
<1> no, just don't block that traffic
<1> that could mean adding an ACCEPT rule
<6> how??
<6> I use this rule
<6> the principal rule is DROP in FORWARD, INPUT and OUTPUT
<6> then I create this rule
<1> iptables -A FORWARD -s 10.0.0.0/24 -d 192.168.0.0/16 -j ACCEPT; iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
<6> yes, this rule I create
<6> but I use this
<6> iptables -t filter -A FORWARD -i $IF_INT -o $IF_DMZ -s 10.0.0.0/24 -d 192.168.0.2 -p tcp --dport 25 --sport 1024: -j ACCEPT
<6> iptables -t filter -A FORWARD -i $IF_DMZ -o $IF_INT -s 192.168.0.2 -d 10.0.0.0/24 -p tcp --dport 1024: --sport 25 -j ACCEPT
<6> I create these rules
<6> is it correct, ok!!
<1> that works; using --state is better for the second rule if possible
<6> danieldg, why do I need to use state in FORWARD?
<6> why?
<6> I didn't understand this
<1> you don't need to. It's just better
<1> consider a compromised mail server connecting from port 25 to port 1028 - yours would allow and --state would not
<6> then if I use my rules the connection isn't going to be completed
<6> only the ports are going to pass; I need to control the state of the connection, which isn't realized with my rules
<6> correct?
<1> I didn't understand that
<7> how can i accept the incoming traffic from tun0? see: 190634 179248722 ACCEPT all -- eth0 * 0.0.0.0/0 200.161.11.163
<7> oops
<7> http://channels.debian.net/paste/1844
<7> sorry
<7> there I accept traffic from eth0, eth1 and lo
<7> but I have a VPN installed
<7> and I can't ping any 10.x.x.x IP
<1> pm_: iptables-save output is better for showing rulesets
<1> but I think you can just use -i tun0
<7> and this will set the other chains too?
<1> no, you'd have to do that everywhere; use -i tun0 and -o tun0
<7> with -j ACCEPT?
<1> yes
<6> danieldg, I need to use these rules: iptables -t filter -A FORWARD -i $IF_INT -o $IF_DMZ -s 10.0.0.0/24 -d 192.168.0.2 -p tcp --dport 25 --sport 1024: -j ACCEPT and this: iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
<7> iptables -i tun0 -j ACCEPT?
<6> right?
<1> jsan: yes
<1> pm_: iptables -A INPUT -i tun0 -j ACCEPT
<6> ok my friend, I understand this is more security for me
<7> danieldg how can i add this rule before the last 2 rules in the chain?
<1> use -I INPUT <rulenum>; see man iptables
<7> because i have a drop all as last rule
<7> ahh
<6> because there is more control over the established and related connections
<1> jsan: you can combine the -s and -d with the state rule if you really want to
<6> ok my friend!!
<6> thanks!!
<1> yw
<6> I'm going to put the state in my rule
<6> yes?
<6> is it possible to do this
<1> yes
<6> ok!!
<6> thanks :)
<6> I am going to try and return now
<7> danieldg, how can I add a rule to the OUTPUT chain too?
<1> same thing, just use OUTPUT and -o instead of INPUT and -i
<7> how can i change this rule: iptables -I FORWARD 3 -i tun0 -j ACCEPT, to be: in interface eth1 out interface tun0?
<7> it would be: iptables -I FORWARD 3 -i eth1 -o tun0 -j ACCEPT?
<8> Hi all
<9> is this the right channel to ask about QoS HTB and iptables CLASSIFY
<9> the packets on the external interface with IPsec are getting classified but are not getting traffic shaped
<9> it seems that packets over the IPsec tunnel lose their classifier
<10> hi folx
<9> hi
<9> you have any knowledge of QoS HTB in combination with IPSEC
<11> hello, anyone here?
<12> hi, anyone on?
<12> if you guys don't mind, can I ask a lame question?
<13> no
<13> we do mind
<12> is it possible to connect to a game server which is behind NAT?
<13> yes
<13> you need to forward its udp ports
<12> *its* means?
Return to #iptables