<0> That's how I configured my iptables: http://paste.ubuntu-nl.org/8985, but why can I not connect to NFS?
<1> I'm looking for an easy-to-use iptables configuration tool. Any suggestions?
<2> ipkungfu
<0> That's how I configured my iptables: http://paste.ubuntu-nl.org/8985, but why can I not connect to NFS on both 192.168.178.25 and ...21?
<3> quicktables
<2> firestarter
<3> fwbuilder
<2> etc.
<2> Search freshmeat.net and you'll find dozens, if not hundreds.
<1> I can find a long list, but I can't go through all of them. Hence the consultation!
<2> Well, I'm partial to ipkungfu since I wrote it.
<2> But firestarter's the first one I ever used and it's pretty nice.
<4> xored: I can't see any problems; can you paste iptables-save output?
<2> It was nice 5 years ago, it must be pretty awesome by now :)
<0> danieldg: what is that iptables-save?
<4> xored: a part of iptables, it produces output for saving your current ruleset
<0> danieldg: http://paste.ubuntu-nl.org/8986
<0> Hmm, I should delete speere and test..
<4> xored: ok, I don't think it is iptables that is the problem
<0> danieldg: if I flush the table, it works
<4> hmm. ok, then try adding some log rules
<0> danieldg: I just created this iptables with a lot of work, but I did not read about logs?
<0> Just before "handling" a packet, something with -j LOG?
<0> danieldg: where will it log it?
<4> you might also want to allow communication on the loopback interface
<0> http://paste.ubuntu-nl.org/8989
<0> That's the log of my NFS request, is anybody able to help?
<0> danieldg: http://paste.ubuntu-nl.org/8989
<0> danieldg: that's all I get when I try to mount an NFS drive from ..21
<0> danieldg: somehow rpcinfo -p is not able to get any info. Maybe the box itself cannot communicate between its services?
<4> xored: are these the packets you allowed?
<0> danieldg: sure, as I see in the log, these are exactly the packets that are allowed (I grepped for 192.168.178.21)
<0> danieldg: but I am not able to mount anything
<4> xored: just log the packets you drop
<0> ok
<0> danieldg: globally, or only the ones coming from eth0?
<4> globally unless there are too many
<0> danieldg: I did it in two steps: that's what's dropped when I log it only from eth0: http://paste.ubuntu-nl.org/8990
<4> ok, what about lo? anything there?
<5> xored: portmapper allocates ports for NFS lockd, statd, quotad, and so on dynamically
<0> robw810: so?
<5> You either need to have your iptables script parse rpcinfo -p for the proper ports
<5> or make it bind to others manually so you can have static rules
<0> danieldg: that's the drop log for all: http://paste.ubuntu-nl.org/8992
<0> robw810: sounds pretty complicated?
<5> http://howtos.rlworkman.net/NFS_Firewall_HOWTO
<6> What are the requirements for compiling ipkungfu?
<5> I wrote that for slackware, so it's likely not completely portable, but the basic principles are the same
<0> robw810: but why do I need this? I mean, I have all ports opened to my 2 clients
<5> xored: hmmm... okay, I guess I should've looked at your rules first -- if *all* ports are opened to the NFS clients, then iptables probably isn't the culprit
<0> robw810: I guess it's the communication inside the box, loopback or something
<0> robw810: e.g. rpcinfo -p prints me nothing, it hangs
<5> Okay, forget I said anything - I just scrolled up and noticed that you've got other issues with portmapper
<5> :-)
<4> xored: are you saying the packet with SRC=192.168.178.25 DST=192.168.178.1 is dropped?
<0> but if I flush the tables, robw810, it shows me anything
<0> danieldg: normally not, danieldg
<0> all packets with those sources are not to be dropped, danieldg, or I would not even be able to connect through ssh
<4> xored: right. So what is this log of? http://paste.ubuntu-nl.org/8992
<0> but guys, just the following thing: if I use my fw script, rpcinfo -p cannot print me anything
<0> danieldg: hmm, maybe I made a mistake putting in the log line, one second
<0> (if I flush the table, rpcinfo -p shows me the used ports) <- does this have to do with my problem?
<5> xored: maybe danieldg already pointed this out, but in your initial post of your ruleset, I don't see anything enabling loopback traffic
<4> xored: add a log rule to the end of INPUT
<0> danieldg: how to easily add ONE rule to get all "drops" logged?
<0> robw810: hmm, do I have to?
<4> xored: remove your two REJECT rules, then add iptables -A INPUT -j LOG
<4> xored: yes, allow loopback traffic
<0> danieldg: as you saw, I split it (ok =
<0> iptables -A INPUT -i lo -j ACCEPT ?
<0> something like that?
<4> yes
<0> do I need this for forward?
<5> also -A OUTPUT -o lo -j ACCEPT
<5> That should solve your problem
<4> oh yeah, forgot about OUTPUT filtering
<4> why are you even doing it? you're just accepting all
<0> soo
<0> http://paste.ubuntu-nl.org/8997
<0> that's my current iptables-save
<0> I added output policy: accept
<0> and loopback traffic
<0> doesn't work, as I see
<0> or no
<0> one second
<4> ok, you're logging things 1 or 3 times depending on their IP
<0> yes
<0> when packets come from the internet to the box
<0> and from the ethernet (eth0, inner LAN) to the box
<0> it doesn't work
<4> does anything get logged in triplicate?
<4> I would remove all your LOG rules and add iptables -A INPUT -j LOG
<5> http://paste.ubuntu-nl.org/8997
<5> oops
<0> http://paste.ubuntu-nl.org/8998
<0> that's my current iptables-save with std policy accept for output
<4> xored: ok, what gets logged (just interested in the packets that hit the second LOG target)
<0> http://paste.ubuntu-nl.org/8999
<0> danieldg: that's my script (rules)
<5> danieldg: I'm gonna drop out of this one and go home; you were handling it fine before I butted in :-)
<0> here you can see how I set logs
<0> robw810: thank you anyway
<5> :-)
<4> xored: remove lines 60 and 70
<0> ok
<4> I would also add iptables -A INPUT -j LOG at the end
<0> ## Packets to the lan from the internet
<0> iptables -A TOlanFROMinet -j ACCEPT
<0> iptables -A TOboxFROMlan -j LOG
<0> that's the only line with log left, keep it?
<4> no, remove it and replace with a log rule at the end
<0> danieldg: ok, but this will log a lot, because this will log any incoming requests
<0> but ok
<0> as you please )
<0> danieldg: nothing is logged, maybe I placed it wrong
<0> no
<0> one line now
<0> Feb 21 00:14:03 sweethome rpc.mountd: authenticated mount request from 192.168.178.21:607 for /mnt/backup (/mnt/backup)
<0> that's the only line logged
<0> twice now
<0> danieldg: I placed the log line there: http://paste.ubuntu-nl.org/9004
<4> add a log rule to the end of FORWARD. I don't think INPUT is your problem
<0> hmm
<0> are you sure
<0> as I understand "forward", all packets which are going "through" are logged
<0> but the NFS request is a request to the box, so input, or?
<4> yes, I would think it is forward.
<0> (just a question, I am adding the line in the meantime..)
<0> ok
<4> it still works when you flush?
<0> danieldg: yes
<0> it also works with masquerading activated
<4> ok, then just add things one at a time. Still works when you add all FORWARD rules??
<0> one second
<0> I'll need to "change" something
<0> danieldg: with only the forward rules it worked (std input and output on ACCEPT)
<0> danieldg: http://paste.ubuntu-nl.org/9005
<4> ok, then try adding INPUT rules one by one. See which one breaks it
<0> that was the ruleset
<0> danieldg: keep default policy of input on ACCEPT?
<0> danieldg: and drop manually?
<4> yes. Then change it to drop last
<0> yes to what? :)
<4> keep it on ACCEPT. apply rules one by one. Change policy to DROP
<4> see when it breaks
<0> so default policy of input will be ACCEPT, I am adding drop to the chain itself, right?
<4> add one rule. Test. add the second rule. test ..... keep policy at ACCEPT
<0> ok
<0> ok#
<0> so the error is on