<0> yes
<1> omg
<1> o_O
<1> of course it doesn't work here
<1> my network is accept
<1> :P
<1> it works danieldg
<1> thanks a lot
<1> i need some beer now
<1> SkramX, are u alive?
<2> socram: yes...
<2> Why?
<3> hello
<3> : iptables -I INPUT -p tcp -s 1.2.3.4 -j ACCEPT
<3> how can i make that apply to a specific port only ?
<0> add --dport 12345
<3> after "-p tcp " right ?
<0> yes
<3> thank you
<4> hi all
<4> danieldg, what's your website url?
<0> http://daniel.6dns.org/info/iptables/
<4> thanks
<1> hi danieldg
<0> hi
<1> danieldg, one server here is under attack, how do i block the port without sending an ACK that the port is blocked?
<0> running on a router? iptables -I FORWARD -d server -p tcp --dport port -j DROP
<1> yeah.
<1> danieldg, this rule doesn't return an ACK to the attacker?
<0> no, it just drops the connection
<1> and the attacker will try to send packets forever right?
<5> Bico_Fino: depends on the attact
<5> attack
<5> you mean portscanners?
<5> or DDoS ?
<1> the two
<5> portscanners usually have timeouts
<1> a part of the snort log
<1> 01/31-09:57:01.591216 [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 204.11.239.31:1178 -> 38.117.23.120:161
<1> 01/31-09:57:09.259547 [**] [1:402:7] ICMP Destination Unreachable Port Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 80.252.136.66 -> 38.117.23.214
<5> and DDoS still kills your connection even if you don't answer with ACK
<1> the problem is the connection. :?
<5> yes
<1> much traffic
<5> because even if you don't answer packets they are still routed to your ip
<1> hm. it's true
<5> DDoS should be blocked much before your ip
<5> your ISP should filter DDoS packets
<5> but that's hard
<1> ;)
<1> how can i stop this
<1> 01/31-10:00:55.790163 [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 204.11.239.31:1178 -> 38.117.23.120:161
<5> iptables -A INPUT -p udp -j DROP
<5> if you don't need udp connections :)
<6> :)
<6> I was going to say pull the plug, about equally useful :)
<6> Snort might still see things before the -j DROP, however.
<6> Depends how you're running it.
<5> grep snmp /etc/services
<5> and block those ports if you don't need them
<6> um, no.
<6> The standard sensible approach is to allow only ports you need and drop/reject the rest.
<6> and use a RELATED,ESTABLISHED -j ACCEPT rule for reply traffic.
<1> hm
<1> ok
<7> [Classification: Misc activity] [Priority: 3] <-- I thought that priority wasn't so important
<1> thanks dererk
<7> Actually, I don't know :-\
<7> Maybe it is, but it seems not to be at that point
<8> can i block access to sites using iptables?
<8> for example, i don't want anyone on my local network to access the site www.a.com
<8> can i block it using the url in iptables?
<0> no, but you can block the IP of a.com
<7> You may block access to the web service
<7> but not specific sites
<5> you can use squid to block sites
<7> you may use a proxy instead
<5> and use transparent proxying
<8> transparent proxy with squid? hmm
<6> *If* the undesired site is on a static IP or set of IPs, yes, iptables can block it, otherwise see all the comments above.
<6> The example I give in reply to these questions is "dig www.nasa.gov" ... look, the IP addresses change every 2 minutes.
<6> Would be very difficult to try to block that in iptables, trivial in squid.
<9> would it make sense at all ? after all there are many freely available anonymizers that would very easily bypass the block
<5> hmm
<5> athlon: how would you block it ?
<5> if it's content / url based
<5> https is a way though
<5> but i presume blocking, let's say, porn sites in squid stops 95% of the people
<10> I would tell them to go ahead and knock themselves out with the warez / porn sites :-)
<5> i think there should be a button on the keyboard which could be used for stabbing people in the face
<5> then just tail -f /var/log/squid/access.log and finger on the button
<6> I do run squid/dansguardian filtering at several sites, but I'm secretly cheering for the bad guys. :)
<7> Well, as I think it's done, I want to have your serious opinion on this easy-to-read and simple iptables-based firewall http://dererk.com.ar/firewalling/Iptables-based-firewall
<7> Thanks in advance for reading it!
<5> i'm reading it soon
<5> and judging you as a person after that
<5> if [ ! -e $FTP ]; then $IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to $FTP:21 ;fi
<5> shouldn't you open 20 also?
<7> why 20?
<0> isn't 20 caught by RELATED?
<5> danieldg: he's not probing any modules at least
<5> so i assume he's got them compiled in
<5> i'm not sure if it's caught
<5> i presume so
<5> or is it?
<7> Humm, I thought that if you add a rule which uses an unloaded module, it loads it, isn't that true?
<6> dererk: there are many MANY scripts out there, but the best way to learn is with the HOWTOs like /topic and Rusty's Unreliable Guides.
<5> no
<0> yes for some modules.
<0> except you need to load some of the conntrack modules
<0> like ip_conntrack_ftp and ip_nat_ftp
<7> rob0, I'm trying to do it in an easy way, I found a lot of scripts
<7> but they are too difficult to understand
<7> and, you know what happens then
<7> More problems are in there
<7> danieldg, I think I don't use conntrack modules
<7> danieldg, Could you take a look at it please, I really would appreciate that :)
<7> I'm trying to make it easy to read, and keep it useful/complete
<0> I looked at it, looks fine to me
<7> Nothing to mention about that?
<0> the syn-flood is too far down to do any good
<7> What do you mean? It's useless?
<0> actually, I misread that
<0> it's fine
<7> Oh, cool then
<7> Is there something you would add to it?
<7> To perform it
<0> not really, just as a general script
<7> Which aspects should I take into account to make it more powerful? :)
<0> depends on what you want it to do
<7> I want to make the best iptables-based firewall I can, without it being difficult to understand
<5> i want world peace and lost of candy
<7> :-S
<5> lost = lot
<7> rza, It's just a hope :)
<5> you fat bastard
<6> indeed :(
<5> is there a guy named sarah?
<11> None that I know
<5> ok, you're a girl
<6> Actually I use the candy in a unique way. I bribe a local restaurant manager who is a friend.
<6> We bring candy bars worth maybe 1/4 the cost of the meal, and eat for free :)
<11> hah
<6> Manager hands out candy to the employees and they all love it :)
<11> Neat =)
<1> i need beers