<0> can anyone please have a look here and tell me if this is right
<0> i try to make a rule to deal with ICMP requests. that drop all ping requests except from my own server.
<1> papaz, that should be easy enough.
<0> well did you have a look at that link ?
<0> -A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT here should i replace 127.0.0.1 with my real ip or just leave it ?
<0> rob0 http://pastebin.com/527920
<2> papaz: Why don't you just drop the complete icmp stuff ?
<2> Or create a chain for eth0_icmp and do something like
<2> for 1 5 7 8; do $IPT -A ..... -i <foo> -j DROP; done
<2> for 2 3 4 6; do $IPT -A ..... -i <foo> -j ACCEPT; done
<2> Create only a global icmp-restriction chain or create one for each network device
<0> why 1 5 7 8 drop and 2 3 4 6 accept ?
<2> I just picked some random numbers for some types. Feel free to change them
<0> ahh
<0> :)
<2> lo == 127.0.0.1 should not be filtered/restricted at all ^^
<0> hmm
<0> http://pastebin.com/527954
<0> is this better ?
<2> Use http://rafb.net/paste/ instead of pastebin. It is easier to read.
<0> http://rafb.net/paste/results/FUBlu920.html
<2> Why do you use -p icmp if you just match them afterwards ?
<2> Rule 2 is not necessary at all
<2> Use
<2> $IPTABLES -A INPUT -i lo -j ACCEPT
<2> $IPTABLES -A OUTPUT -o lo -j ACCEPT
<2> Use this: http://rafb.net/paste/results/6IDQji35.html
<0> right done
<2> The more rules the more you get confused, till you have a _good_ system behind how you write your script.
<0> iptables-restore: line 101 failed
<0> hmm
<2> Oh, you restore ?
<2> Just start the script completely new
<2> But make sure you have all the rest of the rules in the script too
<0> yes i have them
<2> Well add /sbin/iptables or something like that before the -A statement for my rules and start the script new.
<0> well how would i start the script new ?
<0> its just a text file actually not a script
<2> /etc/init.d/firewall start :-)
<2> It does not depend on what file type it is.
<0> orr thats what u mean
<0> :))
<2> It is called binfmt_misc, but you can either use #!/bin/bash on the first line in the script or you just call it with "bash /foo/firewall.sh start"
<2> If you use the "bash /foo/firewall.sh" method, you start a subshell, if you use ". /foo/firewall.sh" you start it in the current one. Doesn't matter any, but you have to run the script as root or a privileged user in any case.
<0> primary_firewall: line 102: COMMIT: command not found
<0> aint working man there is something wrong on that script
<3> why are you converting it to a script?
<2> papaz: Post your script
<0> http://rafb.net/paste/results/eyBDON82.html
<0> my last lines
<2> danieldg: Probably because I told him to :-/
<0> ok i will paste you the whole script
<3> ah, ok. just wondering
<0> no i didnt convert it
<0> its a text file
<2> papaz: It is called a regular file :-)
<0> http://rafb.net/paste/results/feq55Q32.html
<0> my whole rules
<2> wtf ?
<2> What distro is this ?
<0> since i changed the lines you told me it aint working no more :)
<0> fedora 4
<0> why
<0> whats wrong with it ?
<2> Well I never wrote a script for Fedora
<2> Of course it won't work
<2> I thought you knew what I was talking about :-)
<0> i do a bit man
<3> the script looks good to me as-is
<0> yes
<2> I told you to create your own chains and just push all the icmp stuff to icmp_packets
<0> but it gives me an error trying to reset iptables
<2> daniel: He didn't create icmp_packets
<2> Yes he did, sorry
<3> papaz: sorry if you said this before, but what error are you getting?
<0> iptables-restore v1.3.0: no command specified
<0> Error occurred at line: 102
<2> I never "reset" my netfilters. maybe you shouldn't do that either
<3> what command? iptables-restore<that-file?
<2> Well line 101 looks weird. I don't understand Fedora's stuff sometimes, this is one of them
<2> Try to comment it out.
<0> iptables-restore < /root/primary_firewall
<3> that's part of the iptables-save format
<2> Oh, it is ? Ok
<0> iptables-restore < /root/primary_firewall
<0> should work
<0> and no i cannot comment it out
<3> what have you changed since it last worked?
<2> papaz: Yes, daniel told me it belongs there.
<0> danieldg the last 4 lines
<2> papaz: Yes, take my stuff out. I only write complete firewalls without restoring. Maybe there is a syntax mistake there
<3> ah
<3> make them -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
<3> the -p icmp is important
<2> ^^ Maybe for restoring
<3> # iptables -A INPUT -m icmp --icmp-type 0 -j ACCEPT
<3> iptables: Unknown error 4294967295
<2> Does "icmp_echo_ignore_all" have "icmp_echo_ignore_broadcast" blocked also if I set the first to 1 ?
<3> so it's always important
<2> Hm, well maybe it does.
<0> i messed up now
<2> I didn't look it up, just wrote it down :-/
<0> nothing works :(
<3> any idea why my iptables binary doesn't tell me the errors?
<2> papaz: Sorry for the wrong info
<3> papaz: does it restore correctly?
<0> no
<0> i cannot reset it anymore
<3> why not?
<0> well you tell me
<3> same error?
<3> you added -p icmp to all 4 lines?
<0> no man
<0> listen
<0> i try to start all over again now
<0> http://rafb.net/paste/results/YMRvaY78.html
<3> right
<0> my reset script
<0> ok ?
<3> yes
<0> iptables-restore < /root/firewall_reset
<0> iptables-restore v1.3.0: no command specified
<0> Error occurred at line: 20
<0> Try `iptables-restore -h' or 'iptables-restore --help' for more information
<0> what can i do then ?
<0> reinstall iptables will fix this ?
<3> it might
<0> what if not ?
<0> what else i can try ?
<3> maybe try using a newer version, compiling if needed?
<3> I think a reinstall should help
<2> Write a regular script and run that without that strange Fedora stuff
<0> its got nothing to do with fedora man
<3> http://daniel.6dns.org/info/iptables/mkscript
<2> Doesn't look much different from what you see there
<3> that will convert your ruleset to a shell script
<2> papaz: Well for me that code somehow looks strange and I would recommend to use the way lots of people do.
<0> ok
<0> brb
<2> So if I set "icmp_echo_ignore_all" to 1, does it ignore broadcast "icmp_echo_ignore_broadcast" as well ?
<3> that sounds logical to me, but I don't know
<2> That is what I thought. I just use both, doesn't make lots of difference by only one rule
<2> What is "icmp_ignore_bogus_error_responses" all about ?
<4> how do i limit the number of available connections by ip address?
<4> i`m using ubuntu 5.04
<2> /sbin/iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above n -j REJECT
<2> Set n to your number of connections +1 to be allowed
<2> And change chains if necessary
<4> ie. i want to limit the number of connections to the ip 10.194.29.18 to 100
<4> how should i do that
IRC channel: #iptables