<0> syslog is UDP
<0> I do what you're trying to do, using openvpn.
<1> rob0: Interestingly, the connection to localhost:514 is TCP over here....
<2> is there ipsec support in openvpn ?
<0> no, openvpn is SSL.
<2> ok, that must be the reason I've never used it
<1> rob0: ...and this remote logging works here, only stopped working after adding OUTPUT rules, and I couldn't figure it out.
<0> I rarely use OUTPUT rules anyway. What's the point?
<0> -P OUTPUT ACCEPT
<1> My colleagues have an attack of extensive paranoia. They insist that if we don't have OUTPUT rules, we're standing with our arse gaping open and waiting for crackers to come.
<0> All you can possibly do with OUTPUT rules is to slightly inconvenience an attacker who's already in. To me, that's not worth the agony of having to figure out how to make things work right.
<0> I try not to allow security decisions to be made by incompetents. TRY. :)
<0> Paranoia is fine. But paranoia without understanding is likely to reduce your overall security.
<1> rob0: No use trying. So now we have port filtering on the routers, we have INPUT rules on every machine, and are going to have OUTPUT rules as well. I don't know how we're to troubleshoot anything when the pinch comes.
<1> rob0: ...but OUTPUT filtering isn't going to hurt security, it will just make things much more complicated. I can live with that (I hope).
<3> rob0: I find OUTPUT filtering is good for preventing accidental data leaks. For example... not letting myself connect to IMs when I'm not at home :p.
<4> oke then how can I make with iptables like any connections to a specific range of ports to be sent to a single port only
<4> someone here?
<5> I have a server listening on eth0 with realworld IP (1.1.1.1) and it has two nics internal (eth1 and eth2). I want connections from 2.2.2.2 to 1.1.1.1 to be routed to eth1 and connections from 3.3.3.3 to 1.1.1.1 to be routed on eth2.. finally I want all other connections to 1.1.1.1 to be handled locally by the server itself. How should I do that ?
<1> Can I influence what gets logged when using -m recent and LOG to block bruteforce attacks?
<6> need a server to nat a pool of valid ip's to my clients dynamically. where can I get more info on how to do this?
<7> socram: read the manual about SNAT
<7> henk: read the topic. Should be no problem
<1> Yes, RTFM SNAT. Or is it rather DNAT what you need?
<7> horror_vacui: Do you want to log or block ?
<1> Woody^working: I do both, but before I block, I log - I want to know who the baddie is. But it's a bit much, it logs the MAC as well, for instance...
<7> horror_vacui: no socram needs SNAT
<7> horror_vacui: set the log-level down a bit
<1> I tried various --log-level options, with nil as result....
<6> need my clients to connect to the internet with a valid ip...
<7> horror_vacui: there will be no macs from internet
<7> socram: yes, so if you have more than one public ip, use snat.
<5> Woody^working, hmm I'm reading documentation on it. but I don't think I need snat or dnat ? I need to just drop the packet on a different interface based on source address. I cannot find exactly where to look, can you point me somewhat in the right direction ?
<6> clients(internal IP) -> myserver(valid IP-NAT) -> internet(with valid ip) this is what I'm looking for
<7> horror_vacui: Give me your log rule.
<1> Woody^working: Well, he logs it anyway. And there is a mac logged - just tried it out from home.
<1> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "blocked bruteforce ssh: "
<7> socram: iptables -t nat -A POSTROUTING -o <device> -j SNAT --to-source 123.123.123.123
<7> horror_vacui: Try logging after you did the recent rule. Mine works there.
<7> henk: tried redirection ?
<5> Woody^working, doesn't that do just ports ? I need interfaces
<7> henk: it changes the destination address.
<5> Woody^working, I need it to be the same address, I just need to drop it on a different interface.
<7> then use dnat
<7> well, maybe no.
<7> yeah it would work too.
<7> but it changes the destination address too.
<5> I think I need to use iptables to MARK a connection, and use that to tell route what table to use
<7> That is how I would do it. Use u32 filter, then you don't even need some iptable hacks.
<8> anyone know how I can see how many hits a rule has?
<9> iptables -vL
<8> k
<8> ty
<1> What happens if there's a name as -s or -d in the rules, and it's a round-robin - like for instance, security.debian.org. Will this rule work for all IP's, and will it work if certain IP's change?
<1> I can't really find much about this in the RTFMs...
<9> it will look up the rule at the time of insertion, and insert using the IPs
<10> is it the iptables binary that does the lookup or the module/kernel?
<10> (or the libs)
<9> iptables binary, I think
<1> danieldg: So that means that if IP's change, one has to at least reload the rules?
<9> yes
<11> how do I specify a destination port
<11> --port-d or what ? :P
<9> --dport
<11> and source port ?
<9> --sport
<11> :)
<11> always that I wanna block some service that is trying to connect to my
<11> me
<11> must use --dport ...
<11> ?
<11> stupid question
<11> what does '-j' mean ?
<12> This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a
<12> user-defined chain (other than the one this rule is in)
<12> man iptables
<13> according to MY MANPAGES it means jump
<12> : )
<13> Percotz: maybe you want norton firewall
<13> and isa server
<11> one question
<11> each time I wish to FORWARD ..
<11> I must do iptable -p FORWARD ACCEPT ?
<14> Percotz: create some rules to allow the forwarded packets you want
<11> but what I said is wrong or fine ?
<14> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
<12> Percotz read -------->> www.netfilter.org howtos, I think it is a good idea
<11> ok
<11> thanks for the help
<14> iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
<14> Percotz: The tutorial in /topic is a good read; what I just posted will allow all outgoing FORWARD packets and responses to them
<13> pfff
<13> what a moron
<14> Now, now, be nice... :-)
<13> I don't like people who don't know how man pages work :/
<14> hehe
<12> bored, TUx
<12> ?
<15> hello
<15> I need to allow an ip address into iptables
<15> hello, anyone knows how to allow a certain ip into iptables
<15> allow that ip on all ports
<9> are you going to stay more than one minute this time?
<9> iptables -A INPUT -s ip -j ACCEPT
<16> What rule should I add to fix this issue? When I try to connect to my own public address from any host, what I actually get is a reply from the router. Can this be solved using iptables?
<16> So, for example, if I try to load http://190.48.40.28, what I get is the router's web interface instead of what it forwards to the rest of the world.
<16> s/any host/any host inside my LAN/
<16> Sorry for that.
<15> yes thank you danieldg
<17> I'm looking at kernel setup in the tutorial
<17> where are these options located?
<17> it states which modules to build or what options to compile into the kernel
<17> but where do I find them all
<9> which options, which kernel?
<17> 2.6.15
<17> stuff in 5.2 in the tutorial listed in the topic
<17> config packet, config netfilter, config ip nf conntrack, etc
<9> Networking/Networking Options/Network packet filtering
<9> I'd make everything in there as a module if possible
<17> what about options under tcp/ip networking like ip multicasting, advanced router, etc?
<9> you can search in make menuconfig; type /NAME
<17> under all the IP options in networking/networking options, do I need anything there?
<9> I don't think so
<9> I'd enable IP: advanced router and such
<17> ok but you'd enable everything under network packet filtering as module? just have M for every option?
<9> yes, then you can use them if you need to without rebooting
<17> ok
<18> http://www.youtube.com/watch?v=UADizYtTrAI&feature=Views&page=1&t=t&f=b