Quotes DB     useful, funny, interesting








Comments:

<0> so what can i do for this ?
<1> Regit: I saw your post ages ago about the problem I mention
<0> matth_> what do you mean ?
<1> Regit: you patch the man to include the missing option, but did you manage to make iptables understand that option ?
<1> (well I may go for a recent iptables compilation, but I'm not keen on doing things out of sync with my distro)
<2> matth_: sorry was away, do you mean : "is --queue-num working ?"
<1> Regit: yep
<2> with debian package ?
<1> well yes, you're probably not on debian, I'm just asking referring to that particular release version
<2> matth_: on testing, iptables do not support
<2> matth_: you need 1.3.5
<1> okay thanks, I'm on my way building my own package then
<3> good morning
<4> Morning all....
<4> Exists any solution to block skype ?
<5> ccesario: hrmmmm



<5> let me lookskee
<4> hard__ware, ok :D
<5> http://l7-filter.sourceforge.net/protocols
<5> looks like skype somewhat is
<4> hard__ware, well, I'm using it... but I don't have success.... SKYPE is working :/
<5> dammm
<5> im gooogling ... so far just found doc's on what the proto does ...
<5> looks to be as if it doesnt use Supernodes ... which can be hard especially with UDP
<5> does skype require connection to HTTP first ?
<4> hard__ware, hmmm it require HTTP connection, but I don't know if is "first"... but require
<5> ok
<5> maybe use Transparent Squid
<5> Deny All access to x.y.z
<4> hard__ware, don't work....
<4> skype use random ports.... OR port 80
<5> http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038646.html
<4> hard__ware, I tested this,,,,, and.... do not work :/
<5> ccesario: hrmmm
<5> well you need to lock down all access ... so it is forced to use squid
<5> where squid can stop it
<4> hard__ware, Only I don't make NAT from my network... and to use proxy to http/pop/smtp...
<6> Hi, I've a question: "iptables -I INPUT -s $IP -j DROP" should drop incoming packets from a specified IP address, right? And "
<6> Oops.
<6> "iptables -I OUTPUT -d $IP -j DROP" should also drop all outgoing packets to a specified host, right? So, in order to block the host completely, I need to run both lines, or is there some easier workaround?
<7> hello
<8> can i define multiple network blocks in one iptables variable
<9> Hi, could anyone just tell me how to flush all iptables rules?
<9> I did run iptables -F ; iptables -F INPUT ; iptables -F FORWARD ; iptables -F OUTPUT
<9> But cant still access the computer
<10> See the -F command. Run that in each table you're using. Also, danieldg has an iptables-restore ruleset with no rules and policies all ACCEPT.
<9> how do I put them to all ACCEPT?
<1> granden: -F does not change the POLICY
<10> -P
<1> use -P, and read the man
<9> -P?
<9> ah
<9> thanks
<9> I found out how it was easy, just didnt know it was -P thanks
<8> can i define multiple network blocks in one iptables variable, e.g. WIFI="192.168.0.0/16,172.16.0.0/16,10.0.0.0/24" and then use it in one drop rule as $WIFI?
<11> alright so I have my main router (192.168.0.1) and it has to forward traffic outbound for 10.254.254.60 to the VPN router (192.168.0.3), I've been tinkering with the route command with no luck, any hints?
<10> dasmodell: no, use a "for" loop. In bash: "help for".
<6> rob0: can you answer my question above?
<10> Shadewalker: Blocking either INPUT or OUTPUT effectively ends any kind of interactive connection such as TCP-based protocols. I guess I'm not sure what you're asking. Did you try it and see what happened? You have had almost 3 hours to play with it.
<9> Anyone got a minute and can take a look at this http://files.gcrl.info/iptables.sh
<9> Why dont it work I cant connect through ssh to the computer running the script
<9> updated it now
<9> still not working though
<9> Or anyone got a already working script that denies INPUT and OUTPUT traffic and allows it on a few port that I specify like 80 for the webserver and such?
<10> What do you gain from the OUTPUT filtering.
<10> ?
<9> If someone root a computer they cant setup a mailserver or such
<9> Or similar
<10> If someone roots you they will change your netfilter rules.
<9> but not if they manage to root a computer behind that one
<9> I dont use the same passwords :)
<10> What do you mean, "a computer behind that one"?
<9> It will be splitting my connection to more computers behind it
<9> gateway is the word in english :)
<10> INPUT and OUTPUT are not used in such a case. FORWARD is.
<12> how much CPU do I need in order to route an intel quad Gigabit interface? does anyone know? I'm thinking of making a router with an Intel card ( with four Gigabit interfaces).
<13> granden: but on that note... I haven't looked at your ruleset, but make sure you allow DNS to go out, and also make sure you are accepting EST/REL on OUTPUT if you're trying to do outbound filtering (though rob0 is correct - if you have to ask questions about how to do it, you don't need to do it)



<13> ruied: how much cpu do you have?
<12> at the moment a PIII 500MHz (with four 100Mbits interfaces)
<13> I hear stories of people passing *large* amounts of traffic on an old Pentium box, though I have no experience with extremely large amounts - I know it will handle quite a bit though
<13> I'm guessing that you'll be fine with that - assuming you're not doing l7 filtering or something like that
<12> I have several redirects, and some ip's and mac filterings...
<9> Ok both robs :)
<9> I see
<9> If a want a script on a computer just for filtering input
<9> Then I can allow all outbound connections?
<9> Im setting up for the clients now.
<14> how do i make eveything from 192.168.1.50 on my LAN go out the internet face Gre1 on the gateway?
<14> iptables -t mangle
<14> right? but what else?
<14> iptables -t nat -A POSTROUTING -i eth0 -o gre1 -j SNAT --to 192.168.1.50
<14> ?
<13> skac: I've never done anything along those lines - lartc is going to be a good resource for you
<14> i am on netfilter.com atm
<14> whats lartc?
<15> lartc is http://lartc.org/howto/ : the Linux Advanced Routing & Traffic Control HOWTO
<14> hahaha
<14> thats awesome
<14> well
<14> i have 2 ips on this box
<14> one is directly routed outbound
<14> god my netstack is crying
<14> ip rule add from 192.168.1.50 lookup 1
<14> ip route add default via 192.168.1.1 table 1
<14> ip route add from 67.131.172.157 table 2
<14> ip route del default
<14> ip route add default via 67.131.172.157
<14> something like that?>
<14> mmm
<14> i don't delete my default route because that would nail my main ip
<14> GAHHQA>!??!
<14> that didnt work
<14> haha
<14> robw810: this is stupid, i am going to have to reboot it =(
<14> that table is too massive to even think about cleaning it up
<14> bash-3.00# traceroute 4.2.2.2
<14> traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
<14> 1 ssh.7a69.co.uk (192.168.1.1) 0.180 ms 0.090 ms 0.087 ms
<14> 2 ssh.7a69.co.uk (192.168.1.1) 2993.967 ms !H 2999.507 ms !H 3000.636 ms !H
<13> skac: sorry for the delay - had to pass out some stuff to students
<13> Figure it out yet?
<14> no
<14> lol
<14> URG
<9> Does anyone have a iptables script that I could modify for my own needs. I want it to block all incoming connections but allow a few that I specify
<9> so far only SSH(22) HTTPS(443) and HTTP(80)
<10> granden: there are thousands of them out there.
<9> rob0: But I dont find any couldnt you just link me to one?
<16> www.google.com
<10> freshmeat too
<14> if i post my ip stack details
<14> would someone look at them
<1> who knows
<13> granden: slackwiki.org has mine and a few others (since you're a Slacker)
<14> Lol
<14> slackwarez!!!!!!!11
<9> robw810: Ok
<14> :)
<9> I think yours is not there anymore though
<13> granden: get the one marked "Simple" firewall or something like that
<9> Ok
<9> but the one marked robw810 is gone
<9> I believe
<13> http://slackwiki.org/Simplefirewall
<9> That one I know
<13> http://slackwiki.org/Firewall-robw810
<13> Both from http://slackwiki.org/Category:Iptables_Scripts
<9> ok
<14> robw810: http://ssh.7a69.co.uk/~temp/crap/
<14> err
<10> Oh, danieldg has some good ones too.


Return to #iptables