* allow range syntax - perplexed
@ 2004-06-15 17:00 Jonathan Villa
2004-06-15 17:19 ` Cedric Blancher
` (2 more replies)
0 siblings, 3 replies; 22+ messages in thread
From: Jonathan Villa @ 2004-06-15 17:00 UTC (permalink / raw)
To: netfilter
To my understanding the following will allow any address in the x.x.x.0
block access
$IPTABLES -A INPUT -p tcp --dport 22 -s xxx.xxx.xx.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -s xxx.xxx.xx.0/24 -j ACCEPT
It of course is not working...
my temporary solution : looping through 1-254
not very nice when I need to show someone the current rules.
-confused
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 17:00 allow range syntax - perplexed Jonathan Villa
@ 2004-06-15 17:19 ` Cedric Blancher
2004-06-15 17:47 ` Jonathan Villa
2004-06-15 17:52 ` Jonathan Villa
2004-06-15 17:58 ` allow range syntax - perplexed John A. Sullivan III
2004-06-15 18:52 ` Antony Stone
2 siblings, 2 replies; 22+ messages in thread
From: Cedric Blancher @ 2004-06-15 17:19 UTC (permalink / raw)
To: Jonathan Villa; +Cc: netfilter
Le mar 15/06/2004 à 19:00, Jonathan Villa a écrit :
> my temporary solution : looping through 1-254
As someone pointed out yesterday, you can use iprange match from POM :
http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-iprange
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 17:19 ` Cedric Blancher
@ 2004-06-15 17:47 ` Jonathan Villa
2004-06-15 17:52 ` Jonathan Villa
1 sibling, 0 replies; 22+ messages in thread
From: Jonathan Villa @ 2004-06-15 17:47 UTC (permalink / raw)
To: netfilter
> Le mar 15/06/2004 à 19:00, Jonathan Villa a écrit :
>> my temporary solution : looping through 1-254
>
> As someone pointed out yesterday, you can use iprange match from POM :
>
> http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-iprange
>
thanks, I saw that post. However I just started working with iptables and
have never patched it. I've just updated when new RPMS became available.
I guess I'll look into it.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 17:19 ` Cedric Blancher
2004-06-15 17:47 ` Jonathan Villa
@ 2004-06-15 17:52 ` Jonathan Villa
2004-06-16 13:31 ` Relay to DNS Server ? Akao
1 sibling, 1 reply; 22+ messages in thread
From: Jonathan Villa @ 2004-06-15 17:52 UTC (permalink / raw)
To: netfilter
> Le mar 15/06/2004 à 19:00, Jonathan Villa a écrit :
>> my temporary solution : looping through 1-254
>
> As someone pointed out yesterday, you can use iprange match from POM :
>
> http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-iprange
>
> --
I've just read that using POM is not considered safe by the dev team.
http://www.lowth.com/howto/add-iptables-modules.php
This is for a running system that needs to stay up right now. Any other
options?
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 17:00 allow range syntax - perplexed Jonathan Villa
2004-06-15 17:19 ` Cedric Blancher
@ 2004-06-15 17:58 ` John A. Sullivan III
2004-06-15 18:41 ` Jonathan Villa
2004-06-15 18:52 ` Antony Stone
2 siblings, 1 reply; 22+ messages in thread
From: John A. Sullivan III @ 2004-06-15 17:58 UTC (permalink / raw)
To: Jonathan Villa; +Cc: netfilter
On Tue, 2004-06-15 at 13:00, Jonathan Villa wrote:
> To my understanding the following will allow any address in the x.x.x.0
> block access
>
> $IPTABLES -A INPUT -p tcp --dport 22 -s xxx.xxx.xx.0/24 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 80 -s xxx.xxx.xx.0/24 -j ACCEPT
>
> It of course is not working...
>
> my temporary solution : looping through 1-254
>
> not very nice when I need to show someone the current rules.
>
> -confused
I'm not doing exactly what you are doing but I do use full subnets for
both source and destination and it works fine for me. What do you see
that makes you believe it is not working? - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 17:58 ` allow range syntax - perplexed John A. Sullivan III
@ 2004-06-15 18:41 ` Jonathan Villa
2004-06-15 19:04 ` Antony Stone
2004-06-15 19:15 ` allow range syntax - perplexed John A. Sullivan III
0 siblings, 2 replies; 22+ messages in thread
From: Jonathan Villa @ 2004-06-15 18:41 UTC (permalink / raw)
To: netfilter
> I'm not doing exactly what you are doing but I do use full subnets for
> both source and destination and it works fine for me. What do you see
> that makes you believe it is not working? - John
> --
> John A. Sullivan III
> Chief Technology Officer
> Nexus Management
> +1 207-985-7880
> john.sullivan@nexusmgmt.com
> ---
> If you are interested in helping to develop a GPL enterprise class
> VPN/Firewall/Security device management console, please visit
> http://iscs.sourceforge.net
>
>
Access is denied.
I have more information now.
Here is the background:
A machine running MySQL is to be locked down for access only to a select
group of people working from home and people at the office, hence the
xx.xx.xx.0
I've noticed that the script works fine for anyone who is not on the
network but for those who are, well the rules block access to them all the
time.
I have something similar to the following
ALLOWIPS="array of ip addresses"
for ip in $ALLOWIPS;
do
$IPTABLES -A INPUT -p tcp --dport 3306 -s $ip -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -s $ip -j ACCEPT
done
then I had the rules from my original post
$IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -s xxx.xxx.xx.0/24 -j ACCEPT
the ips in the loop are fine, but then ips on the same network were being
blocked regardless of my rules. That is why I thought that it was the
syntax...
I have added 5 ips which are on the same network as the server to the
array ALLOWIPS and they get denied access while the other ips are granted
access.
so then I tried taking them out of the loop and doing them individually,
still no access.
Could it be because they are on the block? Do I need to specify that the
interface is -i eth0 or something instead of specifying -s ip
example
use:
$IPTABLES -A INPUT -p tcp --dport 3306 -i eth0 -j ACCEPT
vs
$IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
but then my question is, I only have one nic, so won't everything that is
not from lo come from eth0?
-very confused
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 17:00 allow range syntax - perplexed Jonathan Villa
2004-06-15 17:19 ` Cedric Blancher
2004-06-15 17:58 ` allow range syntax - perplexed John A. Sullivan III
@ 2004-06-15 18:52 ` Antony Stone
2004-06-15 19:24 ` Jonathan Villa
2 siblings, 1 reply; 22+ messages in thread
From: Antony Stone @ 2004-06-15 18:52 UTC (permalink / raw)
To: netfilter
On Tuesday 15 June 2004 6:00 pm, Jonathan Villa wrote:
> To my understanding the following will allow any address in the x.x.x.0
> block access
>
> $IPTABLES -A INPUT -p tcp --dport 22 -s xxx.xxx.xx.0/24 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 80 -s xxx.xxx.xx.0/24 -j ACCEPT
I agree - the above rules should allow any IP within the xxx.xxx.xx.0/24 Class
C range access the firewall on port 22, 80 or 3306.
> It of course is not working...
Huh? Why "of course"? Come to that, why isn't it working? I use that
sort of netmask notation all the time...
> my temporary solution : looping through 1-254
Ugh!
Show us the rest of your INPUT and OUTPUT ruleset, and tell us how you are
testing the system (and where from).
The output from "iptables -L -nvx" would be useful, as it shows us the rules
in the correct order, which interfaces they apply to, and the packet / byte
counts so we can see how many times particular rules have been matched.
Feel free to munge IP addresses if you want to hide things from the list
archives :)
Regards,
Antony.
--
People who use Microsoft software should be certified.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 18:41 ` Jonathan Villa
@ 2004-06-15 19:04 ` Antony Stone
2004-06-15 19:27 ` Jonathan Villa
2004-06-16 8:47 ` blocking all traffic in port 137/137 david
2004-06-15 19:15 ` allow range syntax - perplexed John A. Sullivan III
1 sibling, 2 replies; 22+ messages in thread
From: Antony Stone @ 2004-06-15 19:04 UTC (permalink / raw)
To: netfilter
On Tuesday 15 June 2004 7:41 pm, Jonathan Villa wrote:
> I have more information now.
>
> Here is the background:
> A machine running MySQL is to be locked down for access only to a select
> group of people working from home and people at the office, hence the
> xx.xx.xx.0
Is the MySQL machine on the same subnet as the office people trying to access
it, or is there a firewall in between, with the MySQL on a DMZ network?
If it's the latter, are you sure your office machines aren't being masqueraded
in some way by the firewall when they try to access the MySQL server, so that
it sees an address on the firewall instead of the real address of the
clients?
> I've noticed that the script works fine for anyone who is not on the
> network but for those who are, well the rules block access to them all the
> time.
I suggest you add a LOGging rule at the bottom of the INPUT chain and see what
source address the packets which are not being ACCEPTed are coming from.
Regards,
Antony.
--
This email is intended for the use of the individual addressee(s) named above
and may contain information that is confidential, privileged or unsuitable
for overly sensitive persons with low self-esteem, no sense of humour, or
irrational religious beliefs.
If you have received this email in error, you are required to shred it
immediately, add some nutmeg, three egg whites and a dessertspoonful of
caster sugar. Whisk until soft peaks form, then place in a warm oven for 40
minutes. Remove promptly and let stand for 2 hours before adding some
decorative kiwi fruit and cream. Then notify me immediately by return email
and eat the original message.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 18:41 ` Jonathan Villa
2004-06-15 19:04 ` Antony Stone
@ 2004-06-15 19:15 ` John A. Sullivan III
2004-06-15 19:30 ` Jonathan Villa
1 sibling, 1 reply; 22+ messages in thread
From: John A. Sullivan III @ 2004-06-15 19:15 UTC (permalink / raw)
To: Jonathan Villa; +Cc: netfilter
On Tue, 2004-06-15 at 14:41, Jonathan Villa wrote:
> > I'm not doing exactly what you are doing but I do use full subnets for
> > both source and destination and it works fine for me. What do you see
> > that makes you believe it is not working? - John
> > --
> > John A. Sullivan III
> > Chief Technology Officer
> > Nexus Management
> > +1 207-985-7880
> > john.sullivan@nexusmgmt.com
> > ---
> > If you are interested in helping to develop a GPL enterprise class
> > VPN/Firewall/Security device management console, please visit
> > http://iscs.sourceforge.net
> >
> >
>
> Access is denied.
>
> I have more information now.
>
> Here is the background:
> A machine running MySQL is to be locked down for access only to a select
> group of people working from home and people at the office, hence the
> xx.xx.xx.0
>
> I've noticed that the script works fine for anyone who is not on the
> network but for those who are, well the rules block access to them all the
> time.
>
> I have something similar to the following
>
> ALLOWIPS="array of ip addresses"
>
> for ip in $ALLOWIPS;
> do
> $IPTABLES -A INPUT -p tcp --dport 3306 -s $ip -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 80 -s $ip -j ACCEPT
> done
>
> then I had the rules from my original post
>
> $IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 80 -s xxx.xxx.xx.0/24 -j ACCEPT
>
> the ips in the loop are fine, but then ips on the same network were being
> blocked regardless of my rules. That is why I thought that it was the
> syntax...
>
> I have added 5 ips which are on the same network as the server to the
> array ALLOWIPS and they get denied access while the other ips are granted
> access.
>
> so then I tried taking them out of the loop and doing them individually,
> still no access.
>
> Could it be because they are on the block? Do I need to specify that the
> interface is -i eth0 or something instead of specifying -s ip
>
> example
>
> use:
>
>
> $IPTABLES -A INPUT -p tcp --dport 3306 -i eth0 -j ACCEPT
>
> vs
>
>
> $IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
>
>
> but then my question is, I only have one nic, so won't everything that is
> not from lo come from eth0?
>
> -very confused
Hmmm . . . that is very confusing. It should work which makes me think
something else is going on. I would suggest it is time to do a little
tracing to find out where the problem really is.
I would suggest that the first order of business be ensure that the
packets are making it to the MySQL server. One could enable all traffic
and see if you are still denied (if so, a good sign that the packets
never make it there in the first place) or, if that is impractical or
you really want to be sure, put a protocol analyzer on the line (e.g.,
http://www.ethereal.com). If the server is on a switch, you can either
insert a hub, use port mirroring or use ettercap
(http://ettercap.sourceforge.net) to insert yourself into the packet
stream. If you do not see the packets arriving, we know the problem is
somewhere else in the network.
If the packets arrive at the MySQL server, then I would start placing
log rules at various points in the iptables rules set to see where the
packets are dropped. If they are not dropped before the ACCEPT rule,
then see if they are still in the chain after the ACCEPT rule (in which
case something is wrong with the match portion of the rule). If not,
they have been ACCEPTED and are either being DROPped or mangled in
another POSTROUTING chain or, more likely, there is an application layer
problem.
Regarding interface versus subnet, it depends on which you fear most!
The interface allows you to add new subnets and they will all be allowed
based upon port regardless of IP. If that kind of free access scares
you, then restrict it to specific addresses and subnets (which seems
like it is what you want to do anyway). The downside there is that you
must change the rules for any subnets or addresses you later add. If
that kind of maintenance scares you, go back to allowing everything from
the allowed ports on the interface.
Hope this helps - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 18:52 ` Antony Stone
@ 2004-06-15 19:24 ` Jonathan Villa
2004-06-15 19:55 ` Antony Stone
0 siblings, 1 reply; 22+ messages in thread
From: Jonathan Villa @ 2004-06-15 19:24 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 11654 bytes --]
> On Tuesday 15 June 2004 6:00 pm, Jonathan Villa wrote:
>
>> To my understanding the following will allow any address in the x.x.x.0
>> block access
>>
>> $IPTABLES -A INPUT -p tcp --dport 22 -s xxx.xxx.xx.0/24 -j ACCEPT
>> $IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
>> $IPTABLES -A INPUT -p tcp --dport 80 -s xxx.xxx.xx.0/24 -j ACCEPT
>
> I agree - the above rules should allow any IP within the xxx.xxx.xx.0/24
> Class
> C range access the firewall on port 22, 80 or 3306.
>
>> It of course is not working...
>
> Huh? Why "of course"? Come to that, why isn't it working? I use that
> sort of netmask notation all the time...
I didn't meant "of course" in a bad way, I meant it in reference to my bad
luck.
>> my temporary solution : looping through 1-254
>
> Ugh!
yes, very much.
> Show us the rest of your INPUT and OUTPUT ruleset, and tell us how you are
> testing the system (and where from).
>
> The output from "iptables -L -nvx" would be useful, as it shows us the
> rules
> in the correct order, which interfaces they apply to, and the packet /
> byte
> counts so we can see how many times particular rules have been matched.
>
> Feel free to munge IP addresses if you want to hide things from the list
> archives :)
>
here is the output for iptables -L -nvx. I've also attached a txt file in
case you want to see a cleaner output
One thing to keep in mind, since we are trying to use the machine, I had
to open up some ports to everyone :( until the issue is resolved.
Chain INPUT (policy ACCEPT 2403 packets, 206290 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 state ESTABLISHED
23171 1256484 ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 state ESTABLISHED
1 137 ACCEPT udp -- eth0 * 0.0.0.0/0
0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT tcp -- * * 127.0.0.1
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 127.0.0.1
0.0.0.0/0 tcp dpt:3306
28 1512 ACCEPT tcp -- * * 127.0.0.1
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xx.xx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xx.xx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xx.xx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:80
99 4512 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:3306
1 52 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.x.xxx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xxx.xxx.x
0.0.0.0/0 tcp dpt:22
6442 564926 LOG all -- !lo * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/sec burst 5 LOG flags 0 level 4
8334 748621 DROP all -- !lo * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 69219 packets, 67312095 bytes)
pkts bytes target prot opt in out source
destination
Chain RH-Firewall-1-INPUT (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:80
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
here's my script
#!/bin/bash
#
# Allow only access to MySQL, HTTP, and SSH
#
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out for the computer running the
firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
#list of ips allowed to access the server
ALLOWIPS="127.0.0.1 etc... etc..."
for ip in $ALLOWIPS;
do
$IPTABLES -A INPUT -p tcp --dport 22 -s $ip -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 3306 -s $ip -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -s $ip -j ACCEPT
done
#$IPTABLES -A INPUT -p tcp --dport 22 -s xxx.xxx.xx.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 3306 -s xxx.xxx.xx.0/24 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 80 -s xxx.XXX.XX.0/24 -j ACCEPT
#do not modify. Allows JV access from office, home, and from remote
server for the weekends JVIPS="more ips"
for jvip in $JVIPS;
do
$IPTABLES -A INPUT -p tcp --dport 22 -s $jvip -j ACCEPT
done
#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
#drop anything else that does not come from the localhost interface
$IPTABLES -A INPUT -i ! lo -j DROP
#save rules
/etc/init.d/iptables save
[-- Attachment #2: out.txt --]
[-- Type: text/plain, Size: 8426 bytes --]
Chain INPUT (policy ACCEPT 2403 packets, 206290 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
23171 1256484 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
1 137 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:3306
28 1512 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xx.xx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xx.xx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xx.xx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xx.xxx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * xxx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:80
99 4512 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.x.xxx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xxx.xx.xxx 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * xx.xxx.xxx.x 0.0.0.0/0 tcp dpt:22
6442 564926 LOG all -- !lo * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 LOG flags 0 level 4
8334 748621 DROP all -- !lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 69219 packets, 67312095 bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 19:04 ` Antony Stone
@ 2004-06-15 19:27 ` Jonathan Villa
2004-06-16 8:47 ` blocking all traffic in port 137/137 david
1 sibling, 0 replies; 22+ messages in thread
From: Jonathan Villa @ 2004-06-15 19:27 UTC (permalink / raw)
To: netfilter
> On Tuesday 15 June 2004 7:41 pm, Jonathan Villa wrote:
>
>> I have more information now.
>>
>> Here is the background:
>> A machine running MySQL is to be locked down for access only to a select
>> group of people working from home and people at the office, hence the
>> xx.xx.xx.0
>
> Is the MySQL machine on the same subnet as the office people trying to
> access
> it, or is there a firewall in between, with the MySQL on a DMZ network?
Sad to say, but there is no firewall. Machines are open to the world,
hence the xxx.xxx.xxx.xxx everywhere.
> If it's the latter, are you sure your office machines aren't being
> masqueraded
> in some way by the firewall when they try to access the MySQL server, so
> that
> it sees an address on the firewall instead of the real address of the
> clients?
>
>> I've noticed that the script works fine for anyone who is not on the
>> network but for those who are, well the rules block access to them all
>> the
>> time.
>
> I suggest you add a LOGging rule at the bottom of the INPUT chain and see
> what
> source address the packets which are not being ACCEPTed are coming from.
Good point. Since I am fairly new to iptables, I usually carry my book
with me, unfortunately, I don't have it today. But I will implement lots
of logging to help once I figure out how to :)
> Regards,
>
> Antony.
>
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 19:15 ` allow range syntax - perplexed John A. Sullivan III
@ 2004-06-15 19:30 ` Jonathan Villa
0 siblings, 0 replies; 22+ messages in thread
From: Jonathan Villa @ 2004-06-15 19:30 UTC (permalink / raw)
To: netfilter
> Hmmm . . . that is very confusing. It should work which makes me think
> something else is going on. I would suggest it is time to do a little
> tracing to find out where the problem really is.
>
> I would suggest that the first order of business be ensure that the
> packets are making it to the MySQL server. One could enable all traffic
> and see if you are still denied (if so, a good sign that the packets
> never make it there in the first place) or, if that is impractical or
> you really want to be sure, put a protocol analyzer on the line (e.g.,
> http://www.ethereal.com). If the server is on a switch, you can either
> insert a hub, use port mirroring or use ettercap
> (http://ettercap.sourceforge.net) to insert yourself into the packet
> stream. If you do not see the packets arriving, we know the problem is
> somewhere else in the network.
>
> If the packets arrive at the MySQL server, then I would start placing
> log rules at various points in the iptables rules set to see where the
> packets are dropped. If they are not dropped before the ACCEPT rule,
> then see if they are still in the chain after the ACCEPT rule (in which
> case something is wrong with the match portion of the rule). If not,
> they have been ACCEPTED and are either being DROPped or mangled in
> another POSTROUTING chain or, more likely, there is an application layer
> problem.
>
> Regarding interface versus subnet, it depends on which you fear most!
> The interface allows you to add new subnets and they will all be allowed
> based upon port regardless of IP. If that kind of free access scares
> you, then restrict it to specific addresses and subnets (which seems
> like it is what you want to do anyway). The downside there is that you
> must change the rules for any subnets or addresses you later add. If
> that kind of maintenance scares you, go back to allowing everything from
> the allowed ports on the interface.
Packets are making it to the server just fine for ip addresses not on the
same network. For example, I am 3 hours away and can access the machine
via port 80, 3306, and 22. When I create the rules for ips on the same
network, they can't even access port 80 for phpMyAdmin. But once I remove
the ip check and allow access for the whole world, they are fine.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 19:24 ` Jonathan Villa
@ 2004-06-15 19:55 ` Antony Stone
2004-06-15 20:40 ` Jonathan Villa
0 siblings, 1 reply; 22+ messages in thread
From: Antony Stone @ 2004-06-15 19:55 UTC (permalink / raw)
To: netfilter
On Tuesday 15 June 2004 8:24 pm, Jonathan Villa wrote:
> > The output from "iptables -L -nvx" would be useful, as it shows us the
> > rules
> > in the correct order, which interfaces they apply to, and the packet /
> > byte
> > counts so we can see how many times particular rules have been matched.
>
> here is the output for iptables -L -nvx. I've also attached a txt file in
> case you want to see a cleaner output
Nice. The .txt file was much easier to read :)
The first thing I notice about the ruleset you have posted is that none of the
rules which included your network range matched any packets at all.
Therefore that doesn't tell us much about what source address/es the packets
you are having problems with are coming from.
Maybe the timing was just unfortunate, but I can't see any TCP port 3306
packets at all. Therefore I think a LOG rule would be a good idea, to try
and track down where the packets are coming from, which your
carefully-crafted -s xxx.xxx.xx.0/24 rules aren't apparently matching.
Try something like the following:
iptables -A INPUT -p tcp --dport 3306 -j LOG
The -A will ensure that the rule comes after all your other rules (which are
supposed to ACCEPT the packets one way or another). However, I notice you
have a default ACCEPT policy (ugh) and a final rule which DROPs all
non-loopback packets. I suggest you change this to a default DROP policy
and a final rule which ACCEPTs all the loopback packets. Then the rule
above will become the final rule in your chain, guaranteeing that you LOG any
packets destined for MySQL just before they get (unfortunately) DROPped.
Regards,
Antony.
--
There are two possible outcomes:
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: allow range syntax - perplexed
2004-06-15 19:55 ` Antony Stone
@ 2004-06-15 20:40 ` Jonathan Villa
0 siblings, 0 replies; 22+ messages in thread
From: Jonathan Villa @ 2004-06-15 20:40 UTC (permalink / raw)
To: netfilter
> On Tuesday 15 June 2004 8:24 pm, Jonathan Villa wrote:
>
>> > The output from "iptables -L -nvx" would be useful, as it shows us the
>> > rules
>> > in the correct order, which interfaces they apply to, and the packet /
>> > byte
>> > counts so we can see how many times particular rules have been
>> matched.
>>
>> here is the output for iptables -L -nvx. I've also attached a txt file
>> in
>> case you want to see a cleaner output
>
> Nice. The .txt file was much easier to read :)
>
> The first thing I notice about the ruleset you have posted is that none of
> the
> rules which included your network range matched any packets at all.
My serious bad!!!! I am so overworked that I was staring at the ip
addresses and never realized that I was using xx1. rather than xx3 which
is the correct one. It now works as expected.
>
> Therefore that doesn't tell us much about what source address/es the
> packets
> you are having problems with are coming from.
>
> Maybe the timing was just unfortunate, but I can't see any TCP port 3306
> packets at all. Therefore I think a LOG rule would be a good idea, to
> try
> and track down where the packets are coming from, which your
> carefully-crafted -s xxx.xxx.xx.0/24 rules aren't apparently matching.
>
> Try something like the following:
>
> iptables -A INPUT -p tcp --dport 3306 -j LOG
thanks, this will help
>
> The -A will ensure that the rule comes after all your other rules (which
> are
> supposed to ACCEPT the packets one way or another). However, I notice
> you
> have a default ACCEPT policy (ugh)
I agree. When I planned the rules, it was set to DROP however with the
"issue" I was having, I changed it.
and a final rule which DROPs all
> non-loopback packets. I suggest you change this to a default DROP policy
> and a final rule which ACCEPTs all the loopback packets. Then the rule
> above will become the final rule in your chain, guaranteeing that you LOG
> any
> packets destined for MySQL just before they get (unfortunately) DROPped.
>
One quick question regarding logging. Where does it get logged to? I
check /var/log/messages and see lots of traffic being logged at a rapid
rate. I've read that syslog takes care logging, but I would prefer to
have a separate log.
Again, my original issue was a silly mistake. Sorry for wasting anyone's
time.
^ permalink raw reply [flat|nested] 22+ messages in thread
* blocking all traffic in port 137/137
2004-06-15 19:04 ` Antony Stone
2004-06-15 19:27 ` Jonathan Villa
@ 2004-06-16 8:47 ` david
2004-06-16 8:52 ` Antony Stone
2004-06-16 9:00 ` Frank Gruellich
1 sibling, 2 replies; 22+ messages in thread
From: david @ 2004-06-16 8:47 UTC (permalink / raw)
To: netfilter
Dear all,
When i look at "IPTRAF", i see lot of broadcast traffic that using port 137
and 138, how to make rules that can block all traffic in port 137 and 138, i
already try to use this rules but its no works...
iptables -A INPUT -p tcp --dport 137 DROP
iptables -A OUTPUT -p tcp --dport 137 DROP
iptables -A INPUT -p udp --dport 137 DROP
iptables -A OUTPUT -p udp --dport 137 DROP
iptables -A INPUT -p tcp --dport 138 DROP
iptables -A OUTPUT -p tcp --dport 138 DROP
iptables -A INPUT -p udp --dport 138 DROP
iptables -A OUTPUT -p udp --dport 138 DROP
iptables -A INPUT -p icmp DROP
Thank's
David Kandou
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: blocking all traffic in port 137/137
2004-06-16 8:47 ` blocking all traffic in port 137/137 david
@ 2004-06-16 8:52 ` Antony Stone
2004-06-16 9:00 ` Frank Gruellich
1 sibling, 0 replies; 22+ messages in thread
From: Antony Stone @ 2004-06-16 8:52 UTC (permalink / raw)
To: netfilter
On Wednesday 16 June 2004 9:47 am, david wrote:
> Dear all,
> When i look at "IPTRAF", i see lot of broadcast traffic that using port 137
> and 138,
You must have Windows machines on your network, then - that's how Microsoft
networking works - using broadcasts on the local subnet.
> how to make rules that can block all traffic in port 137 and 138,
Why bother? It's broadcast traffic - it's not going anywhere (through a
router), and if your firewall doesn't listen on those ports, nothing's going
to happen anyway.
Regards,
Antony.
--
"The future is already here. It's just not evenly distributed yet."
- William Gibson
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: blocking all traffic in port 137/137
2004-06-16 8:47 ` blocking all traffic in port 137/137 david
2004-06-16 8:52 ` Antony Stone
@ 2004-06-16 9:00 ` Frank Gruellich
1 sibling, 0 replies; 22+ messages in thread
From: Frank Gruellich @ 2004-06-16 9:00 UTC (permalink / raw)
To: netfilter
* david <david@suarapembaruan.co.id> 16. Jun 04:
> Dear all,
Hi,
> When i look at "IPTRAF", i see lot of broadcast traffic that using port 137
> and 138, how to make rules that can block all traffic in port 137 and 138, i
> already try to use this rules but its no works...
Additional to Antonys statement the OUTPUT-rules should be even more
useless. Are you runnig netbios at a linux-box?
> iptables -A INPUT -p tcp --dport 137 DROP
> iptables -A INPUT -p udp --dport 137 DROP
> iptables -A INPUT -p tcp --dport 138 DROP
> iptables -A INPUT -p udp --dport 138 DROP
> iptables -A INPUT -p icmp DROP
And ICMP is _not_ bad. Don't DROP it.
HTH,
regards, Frank.
--
Sigmentation fault
^ permalink raw reply [flat|nested] 22+ messages in thread
* Relay to DNS Server ?
2004-06-15 17:52 ` Jonathan Villa
@ 2004-06-16 13:31 ` Akao
2004-06-16 13:53 ` Patrick Leslie Polzer
0 siblings, 1 reply; 22+ messages in thread
From: Akao @ 2004-06-16 13:31 UTC (permalink / raw)
To: netfilter
Hello
I have set up a netfilter box as a gateway.
The network lookis like this:
subnet ---- eth1 - Netfilter box - eth0 --- modem/router --- FAI
The forwarding/masquerading is working fine, subnet boxes can ping
external ip like.
But they can' t resolve domain names, because there isn' t any DNS
server in the subnet.
I d like to use DNS Servers of the ISP, or another DNS Server I would
set up OUTSIDE the subnet.
The netfilter box has the ISP DNS servers in resolv.conf and its gateway
is the router.It resolves domains names without problems.
Is it possible to use netfilter rules to "relay" clients DNS requests ?
Sorry but I m new to netfilter.
Thanks in advance.
Regards
Axel
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: Relay to DNS Server ?
2004-06-16 13:31 ` Relay to DNS Server ? Akao
@ 2004-06-16 13:53 ` Patrick Leslie Polzer
2004-06-16 17:30 ` Antony Stone
0 siblings, 1 reply; 22+ messages in thread
From: Patrick Leslie Polzer @ 2004-06-16 13:53 UTC (permalink / raw)
To: netfilter
On Wed, 16 Jun 2004 15:31:37 +0200
Akao <technique@akao.fr> wrote:
> Is it possible to use netfilter rules to "relay" clients DNS requests ?
Masquerading does that, but you must allow packets to port 53 tcp/udp to
pass through to your ISP's DNS servers and their related packets back.
Leslie
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: Relay to DNS Server ?
2004-06-16 13:53 ` Patrick Leslie Polzer
@ 2004-06-16 17:30 ` Antony Stone
2004-06-16 17:44 ` Mark Anacker
0 siblings, 1 reply; 22+ messages in thread
From: Antony Stone @ 2004-06-16 17:30 UTC (permalink / raw)
To: netfilter
On Wednesday 16 June 2004 2:53 pm, Patrick Leslie Polzer wrote:
> On Wed, 16 Jun 2004 15:31:37 +0200
>
> Akao <technique@akao.fr> wrote:
> > Is it possible to use netfilter rules to "relay" clients DNS requests ?
>
> Masquerading does that, but you must allow packets to port 53 tcp/udp to
> pass through to your ISP's DNS servers and their related packets back.
This is a completely correct and accurate answer to your question, however I
think you would get much better performance for very little effort if you set
up a simple caching-only name server somewhere on your network (possibly even
on the firewall itself, but don't tell anyone I suggested that :)
Regards,
Antony.
--
"640 kilobytes (of RAM) should be enough for anybody."
- Bill Gates
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: Relay to DNS Server ?
2004-06-16 17:30 ` Antony Stone
@ 2004-06-16 17:44 ` Mark Anacker
2004-06-17 7:11 ` Akao
0 siblings, 1 reply; 22+ messages in thread
From: Mark Anacker @ 2004-06-16 17:44 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
> On Wednesday 16 June 2004 2:53 pm, Patrick Leslie Polzer wrote:
>
>
>>On Wed, 16 Jun 2004 15:31:37 +0200
>>
>>Akao <technique@akao.fr> wrote:
>>
>>>Is it possible to use netfilter rules to "relay" clients DNS requests ?
>>
>>Masquerading does that, but you must allow packets to port 53 tcp/udp to
>>pass through to your ISP's DNS servers and their related packets back.
>
>
> This is a completely correct and accurate answer to your question, however I
> think you would get much better performance for very little effort if you set
> up a simple caching-only name server somewhere on your network (possibly even
> on the firewall itself, but don't tell anyone I suggested that :)
>
> Regards,
>
> Antony.
>
You might want to run a DNS cache like dnsmasq on the firewall box, then
use a REDIRECT or DNAT rule to grab client's requests and force them
into the cache. That way, the client's don't have to change their DNS
server list, and you get the benefits of caching.
--
Mark Anacker
Chameleon Technology, Inc.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: Relay to DNS Server ?
2004-06-16 17:44 ` Mark Anacker
@ 2004-06-17 7:11 ` Akao
0 siblings, 0 replies; 22+ messages in thread
From: Akao @ 2004-06-17 7:11 UTC (permalink / raw)
To: netfilter
Mark Anacker wrote:
> Antony Stone wrote:
>
>> On Wednesday 16 June 2004 2:53 pm, Patrick Leslie Polzer wrote:
>>
>>
>>> On Wed, 16 Jun 2004 15:31:37 +0200
>>>
>>> Akao <technique@akao.fr> wrote:
>>>
>>>> Is it possible to use netfilter rules to "relay" clients DNS
>>>> requests ?
>>>
>>>
>>> Masquerading does that, but you must allow packets to port 53
>>> tcp/udp to
>>> pass through to your ISP's DNS servers and their related packets back.
>>
>>
>>
>> This is a completely correct and accurate answer to your question,
>> however I think you would get much better performance for very little
>> effort if you set up a simple caching-only name server somewhere on
>> your network (possibly even on the firewall itself, but don't tell
>> anyone I suggested that :)
>>
>> Regards,
>>
>> Antony.
>>
>
> You might want to run a DNS cache like dnsmasq on the firewall box,
> then use a REDIRECT or DNAT rule to grab client's requests and force
> them into the cache. That way, the client's don't have to change
> their DNS server list, and you get the benefits of caching.
>
Ok, thanks for your answers.
I managed to complete clients DNS requests with masquerading. I will
look for a dns cache as you adviced me.
Thanks again for your answers.
Axel
^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2004-06-17 7:11 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-06-15 17:00 allow range syntax - perplexed Jonathan Villa
2004-06-15 17:19 ` Cedric Blancher
2004-06-15 17:47 ` Jonathan Villa
2004-06-15 17:52 ` Jonathan Villa
2004-06-16 13:31 ` Relay to DNS Server ? Akao
2004-06-16 13:53 ` Patrick Leslie Polzer
2004-06-16 17:30 ` Antony Stone
2004-06-16 17:44 ` Mark Anacker
2004-06-17 7:11 ` Akao
2004-06-15 17:58 ` allow range syntax - perplexed John A. Sullivan III
2004-06-15 18:41 ` Jonathan Villa
2004-06-15 19:04 ` Antony Stone
2004-06-15 19:27 ` Jonathan Villa
2004-06-16 8:47 ` blocking all traffic in port 137/137 david
2004-06-16 8:52 ` Antony Stone
2004-06-16 9:00 ` Frank Gruellich
2004-06-15 19:15 ` allow range syntax - perplexed John A. Sullivan III
2004-06-15 19:30 ` Jonathan Villa
2004-06-15 18:52 ` Antony Stone
2004-06-15 19:24 ` Jonathan Villa
2004-06-15 19:55 ` Antony Stone
2004-06-15 20:40 ` Jonathan Villa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.