* I cant flush rules
@ 2005-03-06 19:41 Rakotomandimby (R12y) Mihamina
  2005-03-07 11:15 ` Jörg Harmuth
  0 siblings, 1 reply; 3+ messages in thread
From: Rakotomandimby (R12y) Mihamina @ 2005-03-06 19:41 UTC (permalink / raw)
  To: netfilter

Hello,
I have one big problem with my iptables 1.2.11 on a Debian testing box.
Though I explicitly drop, some connections can be done.
The iptables-save output is also strange.

http://www.etud-orleans.fr/Members/mihamina/divers/rules.txt/file_view

And here is the output of iptables-save:
http://www.etud-orleans.fr/Members/mihamina/divers/ipt-save.txt/file_view

As you see, although I tried to flush, ...

The critical thing is I'm running a test daemon listening on port 8000,
and it can be accessed even though I told it to DROP by default...

What did I do wrong?
-- 
ASPO Infogérance       http://aspo.rktmb.org/activites/infogerance
Unofficial FAQ fcolc   http://faq.fcolc.eu.org/
LUG sur Orléans et alentours (France).
Tél : 02 34 08 26 04 / 06 33 26 13 14




* Re: I cant flush rules
  2005-03-06 19:41 I cant flush rules Rakotomandimby (R12y) Mihamina
@ 2005-03-07 11:15 ` Jörg Harmuth
  2005-03-07 11:43   ` Rakotomandimby (R12y) Mihamina
  0 siblings, 1 reply; 3+ messages in thread
From: Jörg Harmuth @ 2005-03-07 11:15 UTC (permalink / raw)
  To: netfilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Hi,

your port 8000 - and all others - can be accessed, because you allowed
it. First:

iptables -A INPUT -s 195.140.140.100 -j ACCEPT

you accept all connections from this box. Second:

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT

you allow 5 connections per second from everywhere, including the
internet. This is the second rule, and as ACCEPT is a terminating
target, chain traversal stops right here. So your services are all
available to the whole world.

You can remove the second rule or do it more specifically, e.g. with
interfaces or ports like this:

iptables -A INPUT -p tcp -i ethn -m limit ... # if you have at least 2
interfaces

or

iptables -A INPUT -p tcp --dport 8000 -m limit ...

In the last rule you should specify the addresses that may connect to
port 8000. You can also combine it like this:

iptables -A INPUT -p tcp -i ethn --dport 8000 -s SOME_ADDRESS -m limit
....

HTH

Jörg



Rakotomandimby (R12y) Mihamina schrieb:

| Hello, I have one big problem with my iptables 1.2.11 on a Debian
| testing box. Though I explicitly drop, some connections can be
| done. The iptables-save output is also strange.
|
| http://www.etud-orleans.fr/Members/mihamina/divers/rules.txt/file_view
|
|
| And here is the output of iptables-save:
|
| http://www.etud-orleans.fr/Members/mihamina/divers/ipt-save.txt/file_view
|
|
| As you see, although I tried to flush, ...
|
| The critical thing is I'm running a test daemon listening on port
| 8000, and it can be accessed even though I told it to DROP by default...
|
| What did I do wrong?



- --
- -----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach

Tel.: (+49) 22 26  87 18 12
Fax:  (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web:  http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2  7F5D B7D7 E48E 267B 204F
- -----------------------------------------------------------------------
This mail was checked for viruses and other malicious software before
sending. No malicious software was detected.
- -----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
iD8DBQFCLDfqt9fkjiZ7IE8RAvHKAJ9Yr3pag9qVc6bMkaI4+ygYYSBVtACgnT2L
EJ4zynj5SFWXYi9fx4uHVoA=
=OF65
-----END PGP SIGNATURE-----




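The point of the reply above is that netfilter walks a chain top to bottom and stops at the first rule whose target is terminating (ACCEPT or DROP), so a broad `-p tcp --syn -m limit ... -j ACCEPT` placed early lets every new connection from anywhere through before the DROP policy is ever reached. The following is an added example, not code from the thread or from the netfilter project: a small Python evaluator for that first-match semantics, modelling only the matches the reply uses (`-s`, `-p tcp`, `--dport`, `--syn`, `-m limit` with netfilter's default burst of 5). The untrusted address 203.0.113.7 is constructed, and the explicit ACCEPT for port 8000 in the corrected chain is an assumption based on the later reply saying the port must stay world-reachable; the thread itself does not show that rule.

```python
"""Toy evaluator for first-match traversal of an iptables INPUT chain.

Rules are consulted top to bottom; ACCEPT and DROP are terminating targets,
so the first matching rule decides the packet and later rules are ignored.
Only the matches that appear in the thread are modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str           # source address
    proto: str         # "tcp" or "udp"
    dport: int         # destination port
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class Rule:
    target: str                          # ACCEPT or DROP (both terminating)
    src: Optional[str] = None            # -s ADDRESS
    proto: Optional[str] = None          # -p tcp
    dport: Optional[int] = None          # --dport PORT
    syn: bool = False                    # --syn
    limit_per_s: Optional[float] = None  # -m limit --limit N/s
    burst: int = 5                       # netfilter's default --limit-burst
    # Token-bucket state for the limit match; one bucket per rule.
    _tokens: float = field(default=0.0, init=False)
    _last: Optional[float] = field(default=None, init=False)

    def _limit_allows(self, now: float) -> bool:
        """Token bucket: starts full (burst tokens), refills at limit_per_s."""
        if self._last is None:
            self._tokens, self._last = float(self.burst), now
        self._tokens = min(float(self.burst),
                           self._tokens + (now - self._last) * self.limit_per_s)
        self._last = now
        if self._tokens >= 1.0:
            self._tokens -= 1.0
            return True
        return False

    def matches(self, pkt: Packet, now: float) -> bool:
        if self.src is not None and pkt.src != self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn and not (pkt.proto == "tcp" and pkt.syn):
            return False
        # The limit match consumes a token only once every other match agreed.
        if self.limit_per_s is not None and not self._limit_allows(now):
            return False
        return True


class Chain:
    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules, self.policy = rules, policy

    def verdict(self, pkt: Packet, now: float = 0.0) -> Tuple[str, Optional[int]]:
        """Return (target, index of the matching rule), or (policy, None)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt, now):
                return rule.target, i  # terminating target: traversal stops here
        return self.policy, None


TRUSTED = "195.140.140.100"  # the host accepted by the thread's first rule


def original_chain() -> Chain:
    """The two rules quoted in the reply, with the poster's DROP policy."""
    return Chain([
        Rule("ACCEPT", src=TRUSTED),                             # -s 195.140.140.100 -j ACCEPT
        Rule("ACCEPT", proto="tcp", syn=True, limit_per_s=5.0),  # -p tcp --syn -m limit --limit 5/s -j ACCEPT
    ], policy="DROP")


def fixed_chain() -> Chain:
    """Constructed replacement: limit rule removed (as the poster chose) plus an
    explicit ACCEPT for the public port 8000 (assumed; not shown in the thread)."""
    return Chain([
        Rule("ACCEPT", src=TRUSTED),
        Rule("ACCEPT", proto="tcp", dport=8000),
    ], policy="DROP")


def compare(pkt: Packet, now: float = 0.0) -> Tuple[str, str]:
    """Verdict of the same packet under the original and the fixed chain."""
    return original_chain().verdict(pkt, now)[0], fixed_chain().verdict(pkt, now)[0]


def syn_burst(chain: Chain, count: int, now: float = 0.0) -> List[str]:
    """Send `count` SYNs from an untrusted host (constructed address) to port 22
    at the same instant and record each verdict."""
    pkt = Packet("203.0.113.7", "tcp", 22, syn=True)
    return [chain.verdict(pkt, now)[0] for _ in range(count)]


if __name__ == "__main__":
    ssh = Packet("203.0.113.7", "tcp", 22, syn=True)
    radio = Packet("203.0.113.7", "tcp", 8000, syn=True)
    print("ssh from anywhere  :", compare(ssh))    # ('ACCEPT', 'DROP')
    print("8000 from anywhere :", compare(radio))  # ('ACCEPT', 'ACCEPT')
    # The limit only throttles; it never narrows who may connect.
    print("7 SYNs in one second (original):", syn_burst(original_chain(), 7))
```

The burst run makes the reply's diagnosis concrete: under the original chain the first five SYNs from any address are accepted by rule index 1, the sixth falls through to the DROP policy purely because the bucket is empty, and a second later the bucket has refilled. Rate limiting is a throttle, not an access control; the fixed chain reaches the DROP policy for every port except the one deliberately opened.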

* Re: I cant flush rules
  2005-03-07 11:15 ` Jörg Harmuth
@ 2005-03-07 11:43   ` Rakotomandimby (R12y) Mihamina
  0 siblings, 0 replies; 3+ messages in thread
From: Rakotomandimby (R12y) Mihamina @ 2005-03-07 11:43 UTC (permalink / raw)
  To: netfilter

On Mon, 2005-03-07 at 12:15 +0100, Jörg Harmuth wrote:

> Hi,

Hi

> your port 8000 - and all others - can be accessed, because you allowed
> it. First:
> 
> iptables -A INPUT -s 195.140.140.100 -j ACCEPT

I need to allow that machine.

> you accept all connections from this box: Second:
> 
> iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
> you allow 5 connections per second from everywhere, including the
> internet. This is the second rule and as ACCEPT is a terminating
> target, chain traversing stops right here. So your services are all
> available to the whole world.


Oooooooh yes! That was my mistake.

> You can remove the second rule or do it more specifically, e.g. with
> interfaces or ports like this:

I choose to remove it.
> In the last rule you should specify addresses, that may connect to
> port 8000. You can also combine it like this:


> iptables -A INPUT -p tcp -i ethn --dport 8000 -s SOME_ADDRESS -m limit

No. It's an Icecast server behind (Web Radio, broadcasting music). All
the world needs to access that port.

It really helped. Thank you.
-- 
ASPO Infogérance       http://aspo.rktmb.org/activites/infogerance
Unofficial FAQ fcolc   http://faq.fcolc.eu.org/
LUG sur Orléans et alentours (France).
Tél : 02 34 08 26 04 / 06 33 26 13 14



