Comments:
<0> danieldg: my workstation is stuck in SSH1 and SSH2 tables but doesn't get to SSH3/4/5.
<1> hmm, strange
<0> let's try this from the start.
<0> how do I just flush my SSH* and BANME tables?
<1> echo flush > file
<0> ok.
<0> thanks
<0> er
<0> it didn't do it.
<0> danieldg: it didn't flush anything..
<1> oops, it's clear not flush
<0> oh
<0> thanks
<0> ok that did it
<0> lemme try anew.
<0> ok
<0> danieldg: I did this command to knock:
<0> nmap -r -T4 -P0 -sT -p10001,20002,30003,40004,50005 $OPENVPN_LOCAL_IP
<0> where the local ip is my home machine.
<0> danieldg: and I see that it only gets into SSH1 and SSH2 tables but no further
<0> what's wrong??
<1> that might not do it in order
<0> well the -r tells it not to randomize.
<0> this worked yesterday from my home (now I'm attempting the same thing but from my apartment)
<1> no idea why then
<1> is it in BANME?
<2> Is there a way to send a packet to MASQUERADE and specifically set its masked address?
<1> wasabi: SNAT
<2> Hmm. What's the diff between SNAT and MASQUERADE?
<0> danieldg: no it's not in BANME
<1> wasabi: MASQUERADE determines the IP automatically
<0> danieldg: I had to execute this command to get it into the other tables:
<2> that's it?
<2> Seems like SNAT should just replace masquerade and by default determine it automatically, then
<1> wasabi: pretty much
<0> danieldg: nmap -r -T4 -P0 -sT -p30003,40004,50005 $OPENVPN_LOCAL_IP
<0> danieldg: but then it won't get into SSHK5 for some reason
<0> -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 300 --name SSHK5 -j ACCEPT
<1> maybe nmap can only do 2 ports at a time then
<0> that's the SSHK5 table
<0> doh
<0> danieldg: maybe it wasn't doing them one-at-a-time.
<1> right
<0> one se
<0> sec
<0> #security may know what that flag is...
<0> danieldg: hmm
<0> doesn't help
<0> :(
<0> yeah
<0> this thing just doesn't get into the SSHK5 table at all
<0> danieldg: http://rafb.net/paste/results/fNt6nE16.html
<1> Roey: lines 31-33 all reference SSH1 - is that what you want?
<1> and line 34 should be --name SSH5 not --name SSHK5
<0> hmm
<0> what did the K come from?
<0> oh
<0> hmm
<0> http://rafb.net/paste/results/7gwVvS86.html
<0> danieldg: whoops! I typed it by hand from my laptop that I had used yesterday
<1> so, does it work better now?
<0> typed it by hand into my computer here at the apartment
<0> lemme try
<0> ahhhh
<0> sweetness :)
<0> yes, it works now.
<0> danieldg: btw... I tried with the -PE option in Nmap
<0> didn't work.
<0> but without the -PE option, it did.
<0> also, I used -P0
<0> aye
<0> but yeah it works now.
<1> good
<0> thanks! :)
<1> you might want to change the port numbers, btw. Those are kinda easy to guess
<0> for the life of me I had no idea why this was not working
<0> heh :)
<0> well it doesn't substitute for the password of course
<1> right
<0> I'm just trying to figure out how to make it complete faster.
<1> have fewer ports - like 2
<0> alright I guess ;)
<3> I have an (odd?) problem. I have 64 IPs and two servers, each server needs about half of those IPs, however certain ports have to be open to certain IPs. I have a router box, with three NICs in it, eth0 comes from the internet connection at the co-lo, eth1 goes to the windows server, and eth2 goes to the linux server. Right now eth1 and eth2 are bridged. I have to use public IPs on the servers themselves, and I can't have a switch or hub.
<3> What do I need to do, is there more than one way to do what I need to do, if so what's the best, and where can I start reading about it (some examples would be great too)?
<1> are you planning to make the linux box a router, or a 3-interface bridge?
<3> right now, eth1 and eth2 are bridged, but I'm very open to ideas
<1> I might try bridging eth0,1,2 into one bridge and using BRIDGE_NETFILTER to filter them
<1> then just use -m physdev --physdev eth0 to mark the packets from eth0, etc
<1> (er, that'd be --physdev-in)
<3> ok, do you have some docs, and maybe some examples? I'm pretty crap when it comes to iptables, but I have no problems reading on it
<1> the only example I have is a bit complicated - http://daniel.6dns.org/info/iptables/#bridge
<1> basically, you'd just assign the IPs as you want, and the bridge would forward the traffic as needed
<1> then just open the ports that you need by defining rules in FORWARD
<3> http://ipv4.uuoc.com/1291 <-- that's my current config
<3> can you recommend something based on that?
<1> is xx.xx.226.128-196 your range of 64 IPs?
<3> 128-191, yes
<3> ;) I had to look it up
<1> ok, forget the part about bridging all three
<3> ok
<1> just do normal filtering in FORWARD
<3> yeah, that's the one
<3> I just have no idea how to set it up
<1> define each allowed port like iptables -A FORWARD -d $ip -p tcp --dport $port -j ACCEPT
<3> that's it?
<1> add iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT to catch the return packets
<3> ahh, cool
<1> then run iptables -P FORWARD DROP to block everything else
<3> do I need to add a default forward drop rule?
<3> heh, cool
<1> you might want to allow outgoing connections too - at least DNS
<3> outgoing, I can allow all
<3> I know who's using the servers ;)
<1> ok, just use -i br0 -j ACCEPT
<3> iptables -i br0 -j ACCEPT ?
<1> iptables -A FORWARD -i br0 -j ACCEPT
<3> ahh, very nice. Thank you so much
<1> yw
<3> this whole ordeal has been .... long ;)
<3> but losing the stinksys we had is worth it :)
<3> they make a wonderful little home router, but that's all I can say :S I have a Debian box now, with 3 1gig nics, and so far so good
<3> hmm
<3> with these forwarding rules, do I still need to bridge eth1 and eth2 ?
<1> you don't have to, but it's easier to allocate the IPs if you do
<3> ok, very good. What about in the future if I wanted to add a third server, on a third nic, would I just add the third nic to the bridge?
<1> yes
<3> poifect
<1> I would use ifrename so that eth0 doesn't end up on the bridge
<3> could you dumb that down a shade?
<1> sometimes a reboot will shuffle card names
<1> ifrename = program to rename eth0 to ethinet
<3> ahh nice
<1> I have 3 interfaces called builtin, card0 and card1 in here
<3> oh, that reminds me. I'm sure this isn't the right place to ask, but you seem like you'd know. I have eth0 (on another machine) aliased for each IP (eth0:1, and so on) are eth0 and eth0:0 the same thing?
<3> ok, I'll write that ifname down, thanks
<1> ifrename :)
<3> heh, oops
<3> :D thanks
<1> eth0 and eth0:0 are the same. I use iproute to add multiple IPs, which does not use eth0:1
<1> just 'ip addr add 1.2.3.4 dev br0'
<3> ahh, so you'd only have eth0 but it would have many IPs ?
<1> yes
<3> ip addr add 12.2.209.59/24 dev eth0
<3> ip addr add 38.55.32.11/18 dev eth0
<3> something like that?
<3> (those are just random IPs I picked)
<1> yes
<1> look at 'ip addr help' or man ip
<3> wow, you've been a huge help, thanks again. One last thing. Would you mind having a quick look at my firewall script to make sure I'm not going to blow something up?