Comments:
<0> Hey, anyone here know how to use "tc" well?
<1> hello all
<2> hi, is there a timeout option I can turn on or off? I keep getting disconnected from my ssh sessions
<1> can someone tell me how I can restrict users so they cannot bypass the proxy server?
<2> ....?
<3> L|NUX: yes
<3> do transparent proxying
<3> that's the easiest way
<2> hello?
<1> well
<1> but users still bypass the proxy on the local LAN
<1> :(
<2> can anyone help me with my ssh issue? I keep getting disconnected
<3> hmm
<3> that is not an iptables issue
<4> junix-other: it's probably some non-Linux router upstream from you.
<2> really?
<4> What's your immediate upstream router?
<2> I guess I don't understand
<3> you might be losing a packet or two somewhere
<2> the server is directly connected to the internet
<4> do other extended TCP connections get cut off too, like FTP?
<3> that causes ssh to hang
<2> I have a Linksys router here
<4> I once saw a 2wire router which killed every TCP session every 60 seconds!
<2> hmmm....
<2> I can't even get to the server anymore
<5> hello all
<5> is it possible to allow 2 different ports with one iptables command? I want this: "$IPTABLES -A INPUT -s $IP -p tcp --dport 13, 14 -j ACCEPT"
<6> Scan the man page. Look for "multiport"
<5> okay, I'm looking :)
<5> /sbin/iptables -A INPUT -s $IP -p tcp --dports 13, 14 -j ACCEPT
<5> iptables v1.2.8: Unknown arg `--dports'
<5> oh, I see
<5> /sbin/iptables -A INPUT -m multiport -s $IP -p tcp --dport 22,3306,10000 -j ACCEPT <- okay, I have the right syntax
<5> and iptables -L shows that correctly... but the port isn't open
<5> oops, one moment :)
<5> ai2097: okay, it's running well, thanks :)
<6> I'm running a usability study, so you've been more help to me than I to you ;).
<5> what kind of usability study?
<6> I'm taking a class in usability... so, whatever kind will get me a passing grade :p. But seriously... I'm looking at ways that the iptables command-line client could be improved, to help its end users.
<5> the 'right' syntax I found on Google :)
<6> Ah, that's a good bit of information to know.
<5> I need only the keyword; in the man page there is "--dports" and that doesn't run. Sure, my problem, because I haven't read the manual completely, but I want a fast way, so I'm looking on Google
<7> on my firewall, anything that is logged shows on the main console. Is this normal?
<5> that's the way I mostly use it; man pages are good for me if I know the complete syntax and only want to look for a special parameter
<6> Great. What do you regularly use iptables for? On a router box? A personal machine? Workstation?
<6> ******in5: Check your system logger settings.
<7> ok
<5> ai2097: on servers; for private machines I'm using a hardware router
<6> So, just to make sure I understand correctly, you mostly use it for firewalling the machine itself?
<5> how do you mean?
<5> I'm using iptables for servers like webserver/mailserver
<5> and on business PCs
<5> privately I have a boxed router with an integrated firewall (via web frontend)
<5> perhaps iptables based too, but I don't know
<7> ai2097, it all seems to be off. syslog.conf has #kern.* so nothing there. and the /etc/sysconfig/syslog has: SYSLOGD_OPTIONS="-m 0", KLOGD_OPTIONS="-x", so according to the comments it's disabled.
<6> Hmm. Well, something is logging the output to the console. AFAIK, iptables/netfilter just hands it off to the kernel logger -- no more, no less.
<7> and thinking about it, nothing else gets logged to the console on this box. weird
<1> can I scan a whole IP pool using tcpdump?
<8> hi L|NUX
<1> hey Regit
<8> tcpdump will just sniff the network
<1> yeah
<1> I need to sniff the whole 192.168.129.1
<1> I need to sniff the whole 192.168.129.1/24
<6> Then either 1) work on a hub-based network, or 2) (try to) force all traffic through one box. (2) is not easy to do.
<3> and (1) is not something you really want to do
<3> don't want*
<6> rza: Your initial statement was correct :p.
<6> You don't really want to do (2), either, since you bottleneck the whole network around that one box.
<3> and you don't want (1) either in the long term
<3> L|NUX: why do you want to sniff the whole network?
<6> A monitored switch might be what you need -- all-out traffic collection is an enterprise-level feature.
<3> layer7 filtering hardware <3
<6> Isn't there an l7 filter for iptables? Not that I'm arguing software is better speed-wise or anything ;).
<3> yes
<3> but it sucks
<1> rza: I want to see what my clients are doing
<1> I don't want to use ethereal
<1> ai2097: switch-based network
<6> L|NUX: Well, unless you flood the switches out, you aren't going to be able to capture all the traffic. Switches are designed to make network traffic safer from "spying" like that.
<1> humm
<6> It's a design feature, and a side effect of making the network more (way, way more) efficient.
<1> :)
<3> L|NUX: do you need to spy on all traffic?
<3> or just http / msn or something?
<1> well, I just want to see why there is too much load on my network
<1> because people do webcamming :(
<1> I want to track them and block them right away
<1> ;)
<1> just browsing :)
<1> nothing else
<3> ok, try forwarding http traffic to a transparent proxy
<6> So, you don't want to block internal traffic, just traffic to/from the Internet?
<3> and then, for example, in squid check what they are browsing
<3> in squid you can block by URLs, regular expressions, words, content and so on
<6> It might be simpler than that... overall bandwidth throttling on a per-client basis might be what he needs.
<6> E.g., no internal IP is allowed to hog more than x KiB/s down and y KiB/s up on the Internet link.
<3> the people on that network might be doing more than just webcamming
<3> online chats, porn, funny pages
<3> it's the sysadmin's job to block all fun
<6> Yes, but if the problem is bandwidth consumption (which is how it sounds) Squid doesn't cover all the bases.
<3> if it's webcamming via http you should be able to block headers
<3> webcam pages have to send correct headers
<6> Yes, but what if I'm rsyncing gentoo at work?
<3> then I will kill you
<6> Or otherwise causing huge bandwidth spikes?
<6> Well, an rsync isn't really a huge bandwidth spike... say I'm downloading OOO with an accelerator :p.
<6> Or over BT. Or through some other channel. Squid only touches HTTP -- it doesn't solve the overall network overload problem.
<3> of course not
<3> but I presume it drops 99% of users doing nasty things
<6> "<1> well, I just want to see why there is too much load on my network"
<3> iptraf on the router
<3> if it's linux / unix
<1> :)
<1> thanks bro
<6> But as far as filtering goes... trying to filter web content away from users who want it is like trying to filter salt out of water. Filtering out crap they don't want is way easier -- you have their cooperation :p.
<9> to block all incoming/outgoing traffic for one IP, what should I write?
<10> iptables -A INPUT -s ip -i iface -j DROP
<9> thanks
<10> mhm
<10> for or from?
<9> for
<11> hi there
<3> hello to you too
<12> hi
<12> I want to prioritize the connections from my LAN to outside for some services...
<3> ok..
<12> where do I have to put the TOS rules?
<12> FORWARD, OUTPUT or mangle?
<12> ?
<3> http://lartc.org/howto/lartc.cookbook.fullnat.intro.html
<13> hello
<12> rza, but I don't want to use QoS?
<12> I don't want...
<13> I'm setting iptables rules on a transparent bridge, however when I use -i or -o my rules don't work. I've checked the interface names and they are not mixed up, any ideas?
<3> x3me: forward chain I presume
<13> yes forward
<12> right..
<12> I will try
<13> oops ;-)
<14> hello to all
<14> I have a question
<14> about iptables
<15> ask
<14> I was wondering how I can block all internet traffic on ssh but only allow access from 192.168.1.*
<14> or
<3> iptables -A INPUT -p tcp --destination-port 22 -s !192.168.1.0/24 -j DROP
<3> I presume
Log from #iptables.