<0> hi
<0> is it possible with iptables to do something like this (if I get more than 5 SYN packets from some IP in 10 sec, set a drop rule for that IP for the next 1 hour)?
<1> yes, using the recent module and the limit module
<0> recent module?
<0> what is the name of that module?
<1> "recent"
<1> oh - ipt_recent
<0> thanks danieldg
<2> there's also the iplimit patch
<0> iplimit?
<0> hmm, thanks, I'll look at that also
<2> I don't see it in pom-ng anymore...
<2> but http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.5
<0> yes, I'm just looking at that
<0> I want to set up some kind of crawling protection
<3> has anyone tried to forward all port 80 and port 443 traffic to a websense box?
<3> redirect doesn't seem to work.
<1> what rules are you trying?
<2> redirect isn't for forwarding to another machine
<2> you need DNAT for that
<3> I tried with PREROUTING with DNAT and POSTROUTING with SNAT
<3> that didn't seem to work either
<3> the box, both systems, are on the local LAN
<3> that being the PCs and the websense box
<1> how were you testing? LAN <-> LAN is harder than inet -> LAN
<3> what should be happening is the PC wants to go to the internet on port 80 or 443, and the traffic should be sent to the websense box to filter or allow the traffic. Then the websense box will make the request and send the traffic back to the machine.
<1> network diagram?
<3> I try to forward the traffic and do tcpdump on the firewall/router, and the traffic doesn't seem to get passed to the websense box.
<3> no, I don't have a diagram. It is a small network: 5 computers and a websense box connected to a switch, connected to eth1 on the linux box; eth0 is connected to a T1.
<1> ok, that's good enough
<3> I have allow rules for websense to the internet; that works, but it doesn't seem to SNAT/DNAT to the box
<1> you'd have to do both DNAT to the websense, and SNAT to the router's IP
<1> and websense wouldn't be able to log/filter by source IP
<3> iptables -A PREROUTING -i eth1 -s ! 192.168.1.70 -p tcp --dport 80 -j DNAT --to 192.168.1.70
<3> iptables -A POSTROUTING -i eth1 -s 192.168.1.0/24 -d 192.168.1.70 -j DNAT --to 192.168.1.70
<3> I don't think my second line is correct
<1> no, second line needs to be -j SNAT --to-source 192.168.1.1
<1> where 192.168.1.1 is the iptables box
<3> sorry, it was SNAT
<3> I will give it a try.
<3> is REDIRECT only for localhost ports?
<1> yes
<3> ah, that explains it
<3> thanks
<4> anyone here have some nice graphics to explain chains/tables?
<5> hello all, is it possible to specify multiple matches? (e.g. -m multiport -m iprange)
<5> got it, it's possible :-)
<4> What chain does _all_ traffic go through, forward, right?
<6> no
<4> :-/
<4> What are the chains out there
<4> that I can insert into and append to?
<4> iptables will still iptable an interface, even if it isn't up, right?
<4> hi
<4> rza, So I have to filter at OUTPUT, and FORWARD, right?
<6> chains are PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD
<6> iptables -L && iptables -L -t nat
<4> I am not doing any NAT/DNAT/SNAT, so I won't have the NAT table, right?
<7> RE
<8> hola?
<8> someone alive?
<1> mooed: did you have a question, or just wanting to know?
<8> is it possible to redirect an external port to a machine inside the LAN without doing NAT? I mean using -A FORWARD
<8> I'm trying iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 61234 -d 198.162.2.51 --dport 110 -j ACCEPT
<1> mooed: are you doing NAT? what's your network setup look like?
<1> mooed: that IP looks like you are doing NAT
<8> I want to forward incoming connections to port 61234 to my pop3 server inside the LAN
<1> ok, then you just add a DNAT rule
<8> something like this? iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 61234 -j REDIRECT --to 198.162.2.51:110
<1> use DNAT. REDIRECT is only for localhost
<8> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 61234 -j DNAT --to 198.162.2.51:110
<8> something like this
<1> yes
<8> ok, but the problem is that when I do iptables -L -n I don't see the rule
<8> because I don't do NAT
<1> iptables -t nat -vL
<8> ok, one sec
<8> 0 0 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:61234 to:198.162.2.51:110
<8> seems good
<9> What rule do you use for icmp limiting and logging? I use -p icmp -m limit --limit ... -j LOG
<9> Is there any better solution?
I would like to be able to say I want to log everything over this -m limit --limit statement and drop them after the logging, too. Any solutions or examples?