Comments:
<0> danieldg: In your portknocking example, does the ssh port stay open for 5 minutes only, even if the knocker has successfully connected with ssh?
<1> LiamH: yes, but the currently established connection stays open because of the --state rule
<0> ah, I see, thanks
<0> Hmm, it's not working.
<1> do you see stuff showing up in /proc/net/ipt_recent/SSHGO ?
<0> yes, SSHGO is there
<1> you're testing from another IP; is that IP in there?
<0> no, just SSHGO
<1> cat the file
<0> cat: SSGO: No such file or directory
<0> oops
<0> it's empty
<1> make sure the trigger rule isn't getting blocked
<0> the trigger rule has no target, is that right?
<1> yes
<1> it should still match and have counters in iptables -vL
<0> it is showing up in iptables -L -n but with no target
<1> that's right
<0> I assume it is getting blocked -- isn't that the idea?
<1> well, you have to have the trigger rule be hit to unblock the port
<1> so the port 12345 packets must be able to hit that rule
<0> right
<0> Is there a way to log that hit, to make sure it's happening? -j LOG for instance?
<1> look at it in iptables -vL
<1> the counters should be nonzero if it's getting hit
<1> or sure, use -j LOG
<0> pkts 0 bytes 0
<1> ok, it's not getting hit
<0> Could the problem be that I log it (and thus drop it) before the rule gets hit?
<1> yes
<1> move that trigger rule higher up in your ruleset. Since it has no target, it can be anywhere
<0> I'm trying to recall how rules are ordered - if I just put it higher in the script, it will come first in the sequence?
<1> yes
<0> Ugh, no dice. It does not show up in the log at all - either as dropped or as secret knock accepted.
<1> I can take a look at your rules, if you want - pastebin the output of iptables-save
<0> -m tcp means what?
<1> load the --dport match; it is needed so that the port is checked before the recent module
<2> I have the following rules on a router: http://rafb.net/paste/results/Go6bUD85.html
<2> When I ssh to the external address from inside it connects to the router. How can I make it connect to the internal machine instead?
<3> hi
<3> I want to get patch-o-matic from cvs. I am reading the netfilter extensions howto. But when I want to log in to the cvs server it says "connection refused"
<3> I use the password: cvs
<3> just like they say
<4> GutterPunk, the cvs has been discontinued.. the howto is outdated
<4> GutterPunk, netfilter uses svn nowadays.. http://svn.netfilter.org/
<5> i discovered the hard way that setting certain ports to accept and then INPUT to drop is not the way to go about hand-building a firewall
<5> what i?
<5> er what is?
<1> that is correct, you just need to add a rule to allow outgoing connections back in
<6> netcrusher88: Rusty's Packet Filtering HOWTO at netfilter.org has a "really quick" guide.
<5> okay, thanks
<5> i think i have a good handle on it, maybe
<5> heh, should have read the man page farther, i didn't get to the state filter
<6> The man page is good, but a HOWTO is a better introduction.
<5> okay
<5> and, do iptables persist after reboot?
<1> no; use iptables-save and iptables-restore in an init script
<1> or just write a script to apply the iptables rules
<6> Most distros provide some means of doing that. Check the distro docs.
<5> okay
<5> and are all of the match types bundled with iptables, i.e. ipp2p?
<5> okay, so, is:
<1> some of them need a kernel patch
<5> Password:
<5> oops
<5> so, anyway, accept packets to 21,22,80,5900 and by state ESTABLISHED,RELATED, is that a decentish filter?
<5> rather, if i type iptables -P INPUT DROP
<5> will it work
<1> it should
<5> okay
<5> here goes
<5> does it work?
<1> you're still here
<5> ya, and given i just saw that message
<5> joy
<5> er, 5900 is VNC, right?
<1> yes
<1> I'd tunnel VNC over SSH instead of leaving it open
<5> you've been a great help
<5> ya, i should do that
<5> given that most of the computers on campus are PCs, they have PuTTY, makes it really easy anyway
<5> would i then need to set it to accept all from my local IP then?
<1> iptables -A INPUT -i lo -j ACCEPT
<5> thanks
<5> er, now DNS resolution fails
<7> hi
<5> huh, the iptables config described above breaks outgoing SSH for some reason
<7> I am using a combination of PREROUTING + FORWARD rule to make some file transfer services available to my LAN pc, but since I have more than one LAN pc I just wanted to know if --to accepts an IP range
<7> also if -d accepts it
<1> netcrusher88: do you have any other rules other than the ACCEPTs? also, what is the state rule you used?
<5> ESTABLISHED,RELATED
<5> allowed incoming
<1> Javi: -d will accept any CIDR range or netmask; --to-destination will only accept a range (and that might be disabled now, don't remember)
<1> netcrusher88: you could add a -j LOG rule to the end and see what is being dropped
<5> okay
<5> i'll mess with this later i think
<5> i just flushed my rules, it isn't really critical to lock this box down that tight
<5> i think i'll just use it to block IPs doing obvious crack attempts
<7> danieldg: --to-destination seems to accept a range right now, or at least it didn't complain
<1> Javi: right; I think what was disabled was multiple --to-destination arguments
<8> yes, multiple ranges was disabled
<1> Javi: the problem is that will be a round-robin forward
<7> ohh...
<5> try -m mports maybe