<0> hi all, is there a possibility to create iptables rules that timeout after a set amount of time and get automatically deleted?
<0> google is not willing to spit out anything useful
<1> esden: you can have a look at time match
<1> esden: but it will not work as straightforwardly as you said
<0> Regit: yes I found that already... I still have to delete the rules that did already timeout by hand
<1> esden: you can try the conntrack tool (and associated lib) to destroy entry from conntrack
<0> good idea ... but I found that there should be a module called expire
<1> esden: I sent a mail to netfilter-devel 2 days ago with the same request ;-)
<0> Regit: hehe ;)
<0> but see on this page: http://www.netfilter.org/patch-o-matic/pom-base.html
<0> Regit: there is an expire module listed
<0> as Testing ...
<1> esden: but it removes rules, not entries from conntrack
<0> ahh ... ok
<1> (from description)
<2> ok, I'm at a friend's house, need to quickly secure his linux box for only allowing connections to the webserver etc from 1 specific ip.. what's the easiest way to do that
<3> Err... explain more clearly what you're trying to do.
<3> Are you set up like Client->Router->(Internet), and want to make it so that only one particular Client can reach the 'net through the Router?
<2> no i only want the daemons running on the server, such as apache/mysql etc to accept connections from 1 specific ip
<3> Ah; that's straightforward then.
<4> hi folks, I'm setting up a firewall, and want to allow access to all IPs on our local network. I've never done subnet calculation stuff before, but want 192.168.0.1-192.168.0.255 to have access, do I write that as 192.168.0.1/24 ?
<3> r0b: iptables -P INPUT DENY; iptables -P OUTPUT DENY; iptables -A INPUT --source the.cli.ent.ip -j ALLOW; iptables -A OUTPUT --dest the.cli.ent.ip -m conntrack --ctstate ESTABLISHED
<3> Ooops; let me try that again
<3> r0b: iptables -P INPUT DENY; iptables -P OUTPUT DENY; iptables -A INPUT --source the.cli.ent.ip -j ALLOW; iptables -A OUTPUT --dest the.cli.ent.ip -m conntrack --ctstate ESTABLISHED -j ACCEPT
<2> and that will allow me to connect to any port on the server?
<3> flp: That might work, but 192.168.0.0/24 would be the canonical version :p.
<4> ai2097: thanks! :)
<3> r0b: Yes; whatever machine IP/hostname goes in "the.cli.ent.ip" will be able to initiate a connection through the firewall to the server.
<3> flp: Sure thing, but you had it pretty much right to begin with ;)
<2> ai2097, gave me bad policy name errors
<3> I'm sorry. DENY -> DROP.
<3> I always do that e_e
<3> My brain goes ALLOW/DENY, not ALLOW/DROP.
<2> how do i save those rules again?
<3> Well, that depends on your distribution. You essentially need a startup script that will restore the tables on boot, and save the tables on shutdown.
<2> hmm how do i remove the iptables u gave me?
<3> Assuming the policies started out in "ACCEPT" mode...
<3> And assuming that the tables had nothing else in them...
<3> iptables -P INPUT ALLOW; iptables -P OUTPUT ALLOW; iptables -F INPUT; iptables -F OUTPUT
<3> Warning: that will completely empty the INPUT and OUTPUT tables of all rules.
<2> i had one line that worked, but wasn't sure how secure it was, when i applied the rule u gave me, i got dc'd and now i can't connect :(
<3> Are you the one client that was supposed to be allowed to connect?
<2> yea
<3> Hmm. I don't see why that set of rules wouldn't work.
<2> would it be maybe because of the previous rule i had?
<3> Ah. I bet it was from the last one. Try this:
<3> r0b: iptables -P INPUT DENY; iptables -P OUTPUT DENY; iptables -A INPUT --source the.cli.ent.ip -j ALLOW; iptables -A OUTPUT --dest the.cli.ent.ip -j ACCEPT
<5> I'm trying to fend off ssh brute force attacks, which works, but I don't want to just drop packets, I want to hurt the attacker. Can I REJECT the packet in a way that slows him down/hurts his performance?
<5> Like, ACK the connection but then just do nothing...
<5> (without hurting MY system, of course...)
<3> horror_vacui: TARPIT
<5> ai2097: Won't compile for some reason... Yes, that would be the best.
<2> should i run that other line u had to clear all the rules first or?
<3> horror_vacui: MIRROR ;)?
<5> (Also, I don't think I'd go about patching production systems...)
<5> ai2097: Sounds interesting....
<3> horror_vacui: Until they start bouncing packets off you and at other servers :p
<3> r0b: Well, only if you're willing to clear out ALL the rules in those chains.
<5> ai2097: Hm, would be nice, but then I might appear as the attacker to someone else...
<2> urgh doesn't work anymore thanks for trying to help, u got DENY and ALLOW wrong in that line before as well :P
<3> That's my point: it's an optimal reflector, which is a Bad Thing.
<3> Ack!
<2> can't even get on the internet with the server! time for a reboot i think
<3> r0b: Actually, that's the deny policy at work.
<3> What the rules said was "don't allow incoming connections at all. Don't allow outgoing connections at all. If an incoming connection comes from your client, make an exception -- allow it. If a packet is destined for your client, make an exception -- allow it."
<5> ai2097: Too bad the TARPIT target isn't in the kernel tree... If it were more readily available it would make life much harder for so many a Baddie out there...
<3> horror_vacui: That it would, though I'm a bit ignorant as to what is "normally" installed -- Gentoo kind of pampers me :p
<5> ai2097: Come on - I'm a gentoo-ist myself, but REJECT isn't in gentoo-sources either.
<5> ai2097: Ah, crap, I mean TARPIT ain't in there...
<3> Yes, but it should be installed with the iptables util...?
<5> ai2097: Not that I knew of. I somehow hoped the gentoo blokes would have patched the kernel/the utils, so the first thing I did was to try it out. Nope.
<3> Really?
<5> ai2097: Yes. What sources do you use, anyway?
<3> I'll be damned...
<5> ai2097: There is an 'extensions' USE, but it didn't help. No kernel support.
<3> Hmm, I see at least one article claiming that Gentoo patches its kernel with the TARPIT target... and I could have sworn I've seen it in kernel config before, but it's nowhere to be found in my current kernel.
<3> (article is <http://www.securityfocus.com/infocus/1723>)
<5> ai2097: Possibly in gentoo-hardened?
<3> That could be.
<5> ai2097: Wait a minute, I have a gentoo-hardened machine here somewhere...
<5> ai2097: Nay, it ain't in gentoo-hardened either.
<3> Hmm. You'd think you could just emerge ipt_tarpit or some such, and just build a kernel module to add the support...
<3> But alas, packages.gentoo.org says that "tarpit" doesn't show up in any package.
<5> ai2097: Well, the article is from 2003, perhaps gentoo _was_ patched then...
<3> Sigh. May as well dredge up the patch, make sure it applies cleanly, then file a bug against it...
<5> ai2097: The problem is, it's hidden in the patch-o-matic thing. I couldn't find a nice clean patch to try and apply...
<3> I see. And another problem is that, if you use connection tracking, the TARPIT target will keep those resources tied up. Unless there's some way to explicitly eject a connection from conntrack...?
<5> ai2097: The TARPIT comment says one shouldn't have conntrack loaded while using TARPIT... So I guess there is no better way to do this...
<5> ai2097: Otherwise they would have said it.
<3> Ah. You could do it in the raw table.
<5> Oh... Work's over...
<5> Have a nice weekend, all....
<3> Too late, I'm already there :p
<4> ai2097: thanks! :)
<4> byebye
<6> hi, what's a way to shape bandwidth.. i.e. say this user is allowed to have max n connections to server, with each max 10mbit/s download
<6> *poke*
<7> read lartc.org
<7> there is a chapter about qos
<6> do i need anything special in kernel to use iproute2 ?
<6> ah wait, says there
<6> thx
<8> MI
<9> hello
<9> I'm wondering if someone might be able to help me.... I'm trying to use iptables to forward a port from a workstation inside my network to my server so I can get to it via an stunnel
<10> KoruptidPryde: i want something similar, for now i fail, following http://www.hackorama.com/network/portfwd.shtml
<9> mmc, I've gotten as far as having my kernel configured and the file I need set up.... but as far as if the config I have is anything near correct... no idea
<11> DNAT the desired port in nat / PREROUTING. ACCEPT that traffic in filter / FORWARD.
<11> If that doesn't make sense, look into various iptables frontends like shorewall.
<12> hi there... i'm trying to set up an internet gateway, i have a pc with two lans, eth0 (192.168.0.20 for internal lan) and eth2 (10.0.0.1 for hooking with internet gateway 10.0.0.15). I've set up ip forwarding and want to continue to insert a nat rule, but from the windows box i can't ping the gateway machine, which is not the case from the internet gateway? Can anyone tell me why?
<12> did anyone read my post above?
<9> rob0, I believe I have it doing exactly that..... but it doesn't show up in an nmap and the traffic is still going nowhere
<11> p0ts, probably routing.
<11> KoruptidPryde: probably the order of your rules.
<9> rob0, can I private them to you and you can tell me what I have wrong?
<9> rob0, http://pastebin.com/525998
<11> you can pastebin your iptables-save
<9> rob0, http://pastebin.com/526009
<11> KoruptidPryde: same subnet DNAT means the replies are going to go direct to the originator from the DNAT machine, so the originator is confused.
<11> The /topic tutorial has a section about same subnet DNAT, IIRC.
<11> Normally you would do the port forward from the external router.
<13> Does anyone have a patch for REJECT to support icmp-fragmentation-needed rejects?
<9> rob0, I need a lan to lan forward..... is there an easy adjustment to my commands I can make?
<13> I see that some work was done to add that to trunk, but it seems to have been rolled back.
<9> rob0, I'd try that graphical utility you suggested except that the server is a headless box
<11> Once again KoruptidPryde, see /topic, "having NAT issues?" To do same subnet NAT you must do both SNAT and DNAT. And what graphical utility did I suggest?
<14> I'm not sure if this is the right place to ask, but... I have a proxy server running on port x, and I need all connects trying to reach port y on a remote host to be redirected to x... I know iptables can do that, but the proxy relies on the original host:port info... is there any way to send this data first or extract it at the proxy ?
<9> rob0, might not have been you.... shorewall
<11> shorewall is not graphical, it is merely a way to have configuration files which control your iptables rules.
<11> (I do not use shorewall BTW.)
<11> werneck: DNAT preserves the original IP, to the DNAT --to-destination host.
<14> rob0: ok... thanks
<9> rob0, does this look closer?... http://pastebin.com/526061
<11> --to-source 192.168.1.1:3389, drop the :3389, ensure IP forwarding is enabled in the kernel (/proc/sys/net/ipv4/ip_forward).
<14> rob0: ok... redirection works with DNAT, I get the connection at the proxy, but I can't figure out how to extract the original IP from the connection... getsockname() gives the proxy addr... do you have any idea ?
<9> rob0, i did what you just said and the port went from being filtered to not showing up at all
<11> werneck: nope, sorry.
<11> KoruptidPryde: I have been wrong before! :)
<9> rob0, I'm trying to verify that I have IP_Forwarding built into the kernel.... but I can't find the option in make menuconfig
<11> cat /proc/sys/net/ipv4/ip_forward
<11> echo 1 > /proc/sys/net/ipv4/ip_forward
<9> 1
<15> hi all
<15> somebody can help me with layer7 ?
<15> i have applied the patch on kernel, and on iptables, i have compiled
<15> all is ok
<15> but, when i use layer7 to generate logs i don't have any messages
<15> somebody have an idea about this ?
<15> why ?