Quotes DB
Comments:

<0> http://www.rafb.net/paste/results/9Fhzbq15.html
<0> that is my current iptables script, can anyone tell me what I'm doing wrong to help prevent DDoS attacks
<1> actually
<1> you can't avoid ddos attacks, and you can't prevent them, and if it's a true ddos attack you're just ****ed up.
<2> can ebtables be used on interfaces that are not part of a bridge?
<3> I don't think so
<3> you could create a one-interface bridge if you needed something that it does - what are you trying to do?
<2> damn, I just want filter rules on INPUT
<2> layer 2
<3> -m mac --mac-source?
<4> arptables?
<2> isn't arptables only for ARP packets?
<2> danieldg: mac source is a start. but that's only for addresses, nothing else
<5> is someone awake?
<5> i think i have an iptables problem
<5> ACCEPT udp -- anywhere anywhere udp dpt:1194
<5> i made this rule
<5> but when i do netcat on it
<5> i can't get through
<5> nor does my openvpn server accept connections
<3> maybe you have another rule above it?
<6> .-""""-. IF THERE IS A MEMBER OF
<6> / \ THE HUMAN RACE DIRECTLY
<6> /_ _\ DESCENDING FROM THE
<6> // \ / \\ ALIENZ, THEN THAT RACE
<6> |\__\ /__/| WOULD PROBABLY BE
<6> \ || / FROM ASIA
<6> \ /
<6> \ __ / >>THE ALIENZ ARE COMING<<
<6> '.__.' >>OOOOOHHH<<
<6>
<7> hello. I need to forward DNS requests from the local network to the internet. which rules in forward do I need?
<7> I tried udp dest 53 but it doesn't work
<7> thanks. at least a compassionate soul :)
<8> hi i need help testing my firewall
<9> hi, can anyone tell me whether portforwarding is possible from interface 1 on a box to another interface?
<9> i am doing nat and packets coming in on ppp0 port 443 shall be forwarded to the same box interface eth0 port 1100
<9> however a "classical forward" doesn't work
<7> sounds like you should use the 'mangle' table
<9> no
<9> i am using nat
<7> well, but in the mangle table you can play around with packet internals like destination port
<9> however i still do not get why -j DNAT --to doesn't work on the same box the packets hit
<4> callee: -j REDIRECT
<9> rob0: thought about that as well
<9> however,do i need any specific rules? like opening both ports in the input chain or so
<4> Open the rewritten port in INPUT.
<4> Open=ACCEPT of course
<4> You might have to bind the service on the ppp0 IP address, not sure.
<9> rob0: that's the target port, and where do I open it? (input, forward, both?)
<9> rob0: i do that binding anyway
<9> thing is: where to open the target port (in which table/chain)
<4> 12:56 < rob0> Open the rewritten port in INPUT.
<10> hello
<11> hey, calmdown.
<4> maxine: I am calm. ;)
<11> OK, rob0.
<10> maxine, rob0, haha hello
<11> calmdown: excuse me?
<10> maxine: just saying hello
<11> calmdown: huh?
<4> who is maxine?
<11> well, i am the bot?
<9> rob0: thx, works
<10> yeah
<10> bot smells fishy
<10> maxine smells fishy
<11> calmdown: sorry...
<10> haha
<4> The bot is a lot of fun.
<10> i know
<4> The bot?
<11> the bot is a lot of fun.
<10> you know what its running?
<4> no
<10> calmdown is not calm
<10> calmdown?
<11> you are probably not calm
<10> hm
<4> calmdown: calm down :)
<10> similar to mine but diff tweaks
<10> :( ok robo
<12> maxine what are you?
<11> well, i am the bot?
<12> maxine: help
<11> simonrvn: sorry...
<12> bah, you dont even have a help
<12> don't
<10> :p
<10> iptables --rate-limit on her
<10> er burst-limit
<9> is it possible to hit packets for a specific port both tcp AND udp?
<9> i mean OR of course
<9> like iptables --dport 222 -j ACCEPT (matching tcp 222 and udp 222)
<8> yes sir
<8> and icmp
<9> mariooliveira: and how?
<9> as icmp doesn't need a port that shouldn't be a problem
<9> the above rule has a syntax error
<9> so whats the correct syntax
<8> you can ping a port
<8> i think
<9> mariooliveira: no you can't, as icmp is an ip protocol just like tcp and udp. icmp is ip level only
<8> my firewall doesn't allow any pings because i don't have any icmp allow
<9> mariooliveira: well, that's just stupid, you probably want to restrict only some of icmp but never all, as there are useful icmp messages which you probably need in case you are using nat
<9> redirects/echo-requests etc. can and should be blocked in a non-corporate network (corporate networks may need it, depending on the setup)
<9> anyway, blocking echo-requests just helps to save very little bandwidth, nothing more, dropping it doesn't stealth you (this is a major superstition many people believe in)
<8> a hacker can test which ports you have open with that
<9> mariooliveira: nope
<9> icmp-echo-request is just good for "hackers" to detect which hosts are up and which not. This applies for both those that block it and those that dont
<8> so which ports do i have open on my server 82.155.202.96?
<9> mariooliveira: scanning is mostly done with udp packets
<9> shall i do it?
<8> wait a bit i have to remove some iptables i
<9> ok
<9> tell me when you're ready
<8> you are right that icmp uses tcp
<8> i tried to block all icmp and i still can see the open ports, i think you are right
<8> hum how the hell do i disable from anyone seeing my open ports?
<9> mariooliveira: the thing is you cant
<9> not as long as the ports are open for a reason
<8> i see
<9> mariooliveira: there is a good strategy to block portscans
<8> how?
<9> at least non-distributed
<8> non-distributed??
<9> look at the ipt_recent module. portscans can be detected by multiple requests to closed ports (as well as to open ones, but we dont care about the open ones now) in a short amount of time
<9> distributed portscans are portscans originated from many different ips. lets say you have access to a zombie-farm and scan all ports from different boxes
<8> i see
<9> those are hard to detect and yet much harder to counteract (there is not much you can do but close your whole connection)
<8> there is a trick too: limit ip sources so the hacker has to make a port scan from a short range of ips
<9> mariooliveira: ?
<8> i mean make an and rule that allows incoming from a short range of ips
<9> mariooliveira: that will restrict access to that port to that range, in many cases this is useless (i.e for webservers)
<8> like this iptables -A INPUT -p tcp -s 85.123.0.0/16 --dport 10000 -j ACCEPT
<8> let me test another trick
<9> yes, but as i said, if you want someone from another range to access that service you've got a problem.
<9> this works sometimes for static vpn connections
<8> yes
<9> however i usually tunnel via openvpn home from various locations (sometimes even through http proxies) so that will not work for me
<8> wait a bit i might have a small solution against port scans
<8> testing now
<9> i was not finished, i just forgot that my iptables version doesn't yet support ipv6-stateful-filtering
<9> how much did you receive?
<8> wait im not ready yet
<8> forget doent work
<11> mariooliveira, I didn't have anything matching doent work
<8> i had to reboot my server
<9> mariooliveira: huh?
<8> im nuts
Return to #iptables