All of lore.kernel.org
* Iptables
@ 2004-09-28  5:07 Contact
  2004-09-28  5:25 ` Iptables Rob Sterenborg
                   ` (2 more replies)
  0 siblings, 3 replies; 73+ messages in thread
From: Contact @ 2004-09-28  5:07 UTC (permalink / raw)
  To: netfilter

Hi,

I'm new to iptables and having a problem grasping the concept as well as the
syntax. I have read a lot of sites on this but am just not getting it. First,
running rules. From what I can gather I need to have an rc.firewall file
with the various rules and such in it, and have this started at boot. Am I
close?  Second, the syntax. I want to be able to allow my local LAN full
access to the Linux box (Slackware 10). I also have a website which I want
to allow everyone, except for a few domains and IPs; SSH which I want to
allow only certain IPs or domains; and Samba which I want to allow only my
local LAN. This is where I'm really confused putting this all together. If
someone could explain this in plain English, or put me on to a really easy
"iptables for dummies" type site, it would be appreciated.

This box is attached to a Linksys router and does not act as a NAT.
It is just a simple little setup on a P166.

Thanks





^ permalink raw reply	[flat|nested] 73+ messages in thread
* Re: IPTables
@ 2012-04-14 12:20 nullv
  0 siblings, 0 replies; 73+ messages in thread
From: nullv @ 2012-04-14 12:20 UTC (permalink / raw)
  To: Amos Jeffries; +Cc: Ethy H. Brito, netfilter-owner, Al Grant, netfilter

Sorry I meant non-routable. Routers on the internet are meant to ignore those addresses. 10.x/8 192.168.x/16 172.16.x/20
------Original Message------
From: Amos Jeffries
To: nullv@gmx.com
Cc: Ethy H. Brito
Cc: netfilter-owner@vger.kernel.org
Cc: Al Grant
Cc: netfilter
Subject: Re: IPTables
Sent: Apr 14, 2012 11:35 AM

On 14/04/2012 11:54 a.m., nullv@gmx.com wrote:
> It can't be. it's a link-local address

The difference between IPv4 and IPv6. IPv4 has no link-local limitation 
outside of 127.0.0.0/8 built into the hardware, it *can* leak into the 
WAN if you configure things non-standard.

AYJ

> ------Original Message------
> From: Ethy H. Brito
>
> On Wed, 11 Apr 2012 15:03:46 +1200
> Al Grant wrote:
>
>> Hiya All,
>>
>> I am after a little guidance please on the following problem:
>>
>> My topology is as follows:
>>
>> inet----router 192.168.1.254-------wlan0 192.168.1.71&&  eth0
>> 192.168.70.121------ip camera 192.168.70.140:80
>>
>> Note:
>>
>> (1) eth0 and wlan0 are on a PC running Ubuntu.
>>
>> (2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
>>
>> (2) in sysctl I have set sysctl net.ipv4.ip_forward=1
>>
>> Now what I need to do is to be able to access the IP camera from the
>> inet.
>>
>> So I have tried adding IPTables:
>>
>> iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
>> 5555 -j DNAT --to 192.168.70.140:80
>>
>> Now this should allow me to access the camera by pointing a web
>> browser to the real world public ip on port 5555, however I get page
>> cannot be displayed.
> Hi
>
> just to be sure: 192.168.1.71 is NOT your "real world public ip", is it?
>
> Ethy
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



* Re: IPTables
@ 2012-04-13 23:54 nullv
  2012-04-14  9:35 ` IPTables Amos Jeffries
  0 siblings, 1 reply; 73+ messages in thread
From: nullv @ 2012-04-13 23:54 UTC (permalink / raw)
  To: Ethy H. Brito, netfilter-owner, Al Grant; +Cc: netfilter

It can't be. It's a link-local address.
------Original Message------
From: Ethy H. Brito
Sender: netfilter-owner@vger.kernel.org
To: Al Grant
Cc: netfilter
Subject: Re: IPTables
Sent: Apr 11, 2012 5:45 AM

On Wed, 11 Apr 2012 15:03:46 +1200
Al Grant <bigal.nz@gmail.com> wrote:

> Hiya All,
> 
> I am after a little guidance please on the following problem:
> 
> My topology is as follows:
> 
> inet----router 192.168.1.254-------wlan0 192.168.1.71 && eth0
> 192.168.70.121------ip camera 192.168.70.140:80
> 
> Note:
> 
> (1) eth0 and wlan0 are on a PC running Ubuntu.
> 
> (2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
> 
> (2) in sysctl I have set sysctl net.ipv4.ip_forward=1
> 
> Now what I need to do is to be able to access the IP camera from the
> inet.
> 
> So I have tried adding IPTables:
> 
> iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
> 5555 -j DNAT --to 192.168.70.140:80
> 
> Now this should allow me to access the camera by pointing a web
> browser to the real world public ip on port 5555, however I get page
> cannot be displayed.

Hi

just to be sure: 192.168.1.71 is NOT your "real world public ip", is it?

Ethy


* Re: IPTables
@ 2012-04-13 23:53 nullv
  0 siblings, 0 replies; 73+ messages in thread
From: nullv @ 2012-04-13 23:53 UTC (permalink / raw)
  To: Al Grant, netfilter-owner, netfilter

From note 2 your router is forwarding port 5555 to port 80 on the PC's wlan0. But your rule on the PC again forwards from 5555 to the camera. By now your dport would be 80, not 5555. Try correcting this, or just adjust your router to forward straight to the camera.
------Original Message------
From: Al Grant
Sender: netfilter-owner@vger.kernel.org
To: netfilter
Subject: IPTables
Sent: Apr 11, 2012 5:03 AM

Hiya All,

I am after a little guidance please on the following problem:

My topology is as follows:

inet----router 192.168.1.254-------wlan0 192.168.1.71 && eth0
192.168.70.121------ip camera 192.168.70.140:80

Note:

(1) eth0 and wlan0 are on a PC running Ubuntu.

(2) Port 5555 on the router is forwarded to 80 on 192.168.1.71

(3) in sysctl I have set sysctl net.ipv4.ip_forward=1

Now what I need to do is to be able to access the IP camera from the inet.

So I have tried adding IPTables:

iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
5555 -j DNAT --to 192.168.70.140:80

Now this should allow me to access the camera by pointing a web
browser to the real world public ip on port 5555, however I get page
cannot be displayed.

I have verified that:

1. The camera is accessible from the Ubuntu computer via web browser and ping

Various people have suggested I may need to modify conntrack and others
have suggested I may need a second rule.

Can anyone please help?

Thanks in advance

AL


--
"Beat it punk!"
- Clint Eastwood


* IPTables
@ 2012-04-11  3:03 Al Grant
  2012-04-11  3:45 ` IPTables Ethy H. Brito
  2012-04-11  6:33 ` IPTables John Lister
  0 siblings, 2 replies; 73+ messages in thread
From: Al Grant @ 2012-04-11  3:03 UTC (permalink / raw)
  To: netfilter

Hiya All,

I am after a little guidance please on the following problem:

My topology is as follows:

inet----router 192.168.1.254-------wlan0 192.168.1.71 && eth0
192.168.70.121------ip camera 192.168.70.140:80

Note:

(1) eth0 and wlan0 are on a PC running Ubuntu.

(2) Port 5555 on the router is forwarded to 80 on 192.168.1.71

(3) in sysctl I have set sysctl net.ipv4.ip_forward=1

Now what I need to do is to be able to access the IP camera from the inet.

So I have tried adding IPTables:

iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
5555 -j DNAT --to 192.168.70.140:80

Now this should allow me to access the camera by pointing a web
browser to the real world public ip on port 5555, however I get page
cannot be displayed.

I have verified that:

1. The camera is accessible from the Ubuntu computer via web browser and ping

Various people have suggested I may need to modify conntrack and others
have suggested I may need a second rule.

Can anyone please help?

Thanks in advance

AL


--
"Beat it punk!"
- Clint Eastwood

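An added example (editor's, not code from Al Grant or from any reply in the thread) that puts the whole path together for the topology described above. It assumes the names and addresses from the post: the router rewrites inbound TCP 5555 to 192.168.1.71:80 before the packet reaches wlan0, so the PC must match on port 80 rather than 5555; the camera is at 192.168.70.140:80 behind eth0; and nothing else on the box filters FORWARD. The `DRY_RUN` switch, the `ipt` wrapper and the `count_rules_matching` helper are this example's own additions for inspecting the generated rules without root.

```shell
#!/bin/sh
# Added example for the camera DNAT thread above; not code from the original
# posts. Topology and names are taken from Al Grant's description and are
# assumptions for this script: the router at 192.168.1.254 rewrites inbound
# TCP 5555 to 192.168.1.71:80, so the PC sees port 80 on wlan0, and the camera
# sits behind eth0 at 192.168.70.140:80.
set -eu

WAN_IF="${WAN_IF:-wlan0}"          # interface facing the home router
WAN_IP="${WAN_IP:-192.168.1.71}"   # the PC's address on that interface
LAN_IF="${LAN_IF:-eth0}"           # interface facing the camera
CAM_IP="${CAM_IP:-192.168.70.140}"
CAM_PORT="${CAM_PORT:-80}"
# Port as it arrives on wlan0 AFTER the router's own forward (5555 -> 80).
ARRIVE_PORT="${ARRIVE_PORT:-80}"
# DRY_RUN=1 prints the commands instead of running them (no root needed).
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

camera_forward_rules() {
    # 1. nat/PREROUTING runs before the routing decision: rewrite the
    #    destination so the kernel routes the packet out eth0 to the camera.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp \
        --dport "$ARRIVE_PORT" -j DNAT --to-destination "$CAM_IP:$CAM_PORT"
    # 2. The DNATed packet then traverses filter/FORWARD. With a DROP policy
    #    (ufw on Ubuntu defaults to that) it is silently discarded unless
    #    allowed, which also shows up as "page cannot be displayed".
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$CAM_IP" -p tcp \
        --dport "$CAM_PORT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$CAM_IP" -p tcp \
        --sport "$CAM_PORT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Only needed when the camera's default gateway is not this PC: its
    #    replies to a 192.168.1.x client would otherwise be sent elsewhere.
    #    Masquerading makes the PC the visible client on the camera LAN.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$CAM_IP" -p tcp \
        --dport "$CAM_PORT" -j MASQUERADE
}

# Count generated rules matching a pattern (for review and for checks).
count_rules_matching() {
    ( DRY_RUN=1; camera_forward_rules ) | grep -c -- "$1" || true
}

if [ "${1:-}" = apply ]; then
    enable_forwarding
    camera_forward_rules
fi
```

Run it as root with `apply` on the Ubuntu box, or with `DRY_RUN=1` to print the rules first. If the camera's default gateway already points at 192.168.70.121, the POSTROUTING masquerade can be left out, and the camera's own log will then show the real client address instead of the PC's.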
* iptables
@ 2009-04-27  8:05 Manu
  2009-04-29 20:32 ` iptables Jan Engelhardt
  0 siblings, 1 reply; 73+ messages in thread
From: Manu @ 2009-04-27  8:05 UTC (permalink / raw)
  To: Netfilter Developer Mailing List

Hi list,

if I use command:

#iptables -nvL -t mangle

I get:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
insmod: ip_tables.ko: no module by that name found
modprobe: failed to load module ip_tables
insmod: ip_tables.ko: no module by that name found
modprobe: failed to load module ip_tables
insmod: ip_tables.ko: no module by that name found
modprobe: failed to load module ip_tables
insmod: ip_tables.ko: no module by that name found
modprobe: failed to load module ip_tables
    0     0 MARK       all  --  *      *       10.0.20.2            0.0.0.0/0           MARK set 0x14


Everything works fine, but I get this error message?
My kernel is built with every iptables option included, not as a
module.
This error occurs only if I add an entry with the MARK target, and it
depends on the iptables version:
with iptables v1.2.9 there is no error displayed.


iptables: v1.4.3.2
kernel: 2.6.23.9

Manu

* Can't set up transparent proxy on XO laptop
@ 2008-01-13 18:53 P Zemlja
  2008-01-13 22:44 ` G.W. Haywood
  0 siblings, 1 reply; 73+ messages in thread
From: P Zemlja @ 2008-01-13 18:53 UTC (permalink / raw)
  To: netfilter

Thanks in advance for looking over this.
I'm trying to set up internet filtering on an OLPC XO
laptop and I'm stuck at the point of 
configuring iptables. I have squid and dansguardian
installed. I've seen this command used 
by many people on the internet, but it just doesn't
work for me.
-----------
bash-3.2# /sbin/iptables -t nat -A OUTPUT -p tcp
--dport 80 -m owner --uid-owner squid -j ACCEPT
iptables: No chain/target/match by that name

-----------
But, if I leave off the user specification it works:
-----------
bash-3.2# /sbin/iptables -t nat -A OUTPUT -p tcp
--dport 80 -j ACCEPT
bash-3.2# /sbin/iptables -t nat -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target	prot	opt	source		destination
ACCEPT	tcp	--	anywhere	anywhere	tcp dpt:http

-----------
The user squid does exist, and if I mutate the name
iptables complains:
-----------
bash-3.2# /sbin/iptables -t nat -A OUTPUT -p tcp
--dport 80 -m owner --uid-owner sqxuid -j ACCEPT
iptables v1.3.8: Bad OWNER UID value 'sqxuid'
Try 'iptables -h' or 'iptables --help' for more
information.

-----------
If I try with user root instead, it doesn't work
either:
-----------
bash-3.2# /sbin/iptables -t nat -A OUTPUT -p tcp
--dport 80 -m owner --uid-owner root -j ACCEPT
iptables: No chain/target/match by that name

-----------
If I try the numeric id of the user squid it doesn't
work:
-----------
bash-3.2# /sbin/iptables -t nat -A OUTPUT -p tcp
--dport 80 -m owner --uid-owner 23 -j ACCEPT
iptables: No chain/target/match by that name

-----------
Although I noticed that I can stick any number in
there and get the same error.
Any help is greatly appreciated.




* Re: IPTABLES
@ 2006-10-19  5:08 tarak
  0 siblings, 0 replies; 73+ messages in thread
From: tarak @ 2006-10-19  5:08 UTC (permalink / raw)
  To: netfilter




hello experts,

I have a problem with iptables: I want to customize the firewall.
Through iptables I want to run a shell script which will keep a watch
on each and every IP address in my organization, on how much data is
being downloaded and uploaded from those IP addresses, separately.
Is this possible to do? If so, please tell me how to do it.

thanks in advance

Regards,
Tarak Ranjan



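An added example (not from the post above or from the list) of the usual answer to this question: iptables keeps per-rule packet and byte counters, so a chain with one rule per address and direction, read back with `iptables -nvxL`, gives per-host upload and download totals without any per-packet script. The interface name, the host list and the sample counter output are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the post or from the list. Per-address
# accounting with iptables' own packet/byte counters: one counting rule per
# host and direction in a dedicated chain, read back with "iptables -nvxL".
# LAN_IF, the host list and SAMPLE (a constructed copy of what -nvxL prints)
# are assumptions so the parser can be exercised without root.
set -eu

LAN_IF="${LAN_IF:-eth1}"
ACCT_CHAIN="${ACCT_CHAIN:-ACCT}"
DRY_RUN="${DRY_RUN:-0}"

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# One chain, jumped to from the top of FORWARD so it sees traffic before any
# ACCEPT/DROP decision. The rules have no target: they only bump their
# counters and fall through, so they never change what is allowed.
setup_accounting() {
    ipt -N "$ACCT_CHAIN"
    ipt -I FORWARD 1 -j "$ACCT_CHAIN"
    for host in "$@"; do
        ipt -A "$ACCT_CHAIN" -i "$LAN_IF" -s "$host"   # host -> outside: upload
        ipt -A "$ACCT_CHAIN" -o "$LAN_IF" -d "$host"   # outside -> host: download
    done
}

# Turn "iptables -nvxL ACCT" output into lines of "ip upload_bytes download_bytes".
# -x prints exact byte counts, -n skips name lookups. The target column is
# empty for these rules, so fields are taken from the right-hand end.
summarize_counters() {
    awk -v lan="$LAN_IF" '
        NR <= 2 || NF < 8 { next }           # chain title, column header, blanks
        { iif = $(NF-3); oif = $(NF-2); src = $(NF-1); dst = $NF }
        iif == lan { up[src]   += $2; seen[src] = 1 }
        oif == lan { down[dst] += $2; seen[dst] = 1 }
        END { for (h in seen) printf "%s %d %d\n", h, up[h] + 0, down[h] + 0 }
    ' | sort
}

# Constructed sample of "iptables -nvxL ACCT" for two hosts (not real data).
SAMPLE='Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1500000            all  --  eth1   *       10.0.0.5             0.0.0.0/0
    2400   30000000            all  --  *      eth1    0.0.0.0/0            10.0.0.5
      10       1000            all  --  eth1   *       10.0.0.9             0.0.0.0/0
       0          0            all  --  *      eth1    0.0.0.0/0            10.0.0.9'

report_sample() { printf '%s\n' "$SAMPLE" | summarize_counters; }

# bytes_for <ip> <up|down>: one number from the sample report.
bytes_for() {
    report_sample | awk -v ip="$1" -v dir="$2" '$1 == ip { v = (dir == "up") ? $2 : $3; print v }'
}

if [ "${1:-}" = apply ]; then
    shift
    setup_accounting "$@"
fi
```

`sh acct.sh apply 10.0.0.5 10.0.0.9` installs the chain; `iptables -nvxL ACCT | summarize_counters` prints the totals. Counters reset on reboot and on `iptables -Z`, so a cron job that reads and then zeroes them is the usual way to collect per-period usage.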
* iptables
@ 2005-06-19  2:17 s s
  0 siblings, 0 replies; 73+ messages in thread
From: s s @ 2005-06-19  2:17 UTC (permalink / raw)
  To: netfilter

I tried to queue up the incoming packets on my TCP port 80 so that I can process them using libipq. I tried to run the example program from the libipq man page but I get the error as:

cannot find reference to ipq_create_handle()
''            ''              ''      ipq_read()
''            ''              ''      ipq_destroy_handle()
...............
................
...................
.............

Can anyone help me with this?

		
* Iptables
@ 2005-05-19 17:45 Chadley Wilson
  2005-05-19 19:33 ` Iptables Jason Opperisano
  0 siblings, 1 reply; 73+ messages in thread
From: Chadley Wilson @ 2005-05-19 17:45 UTC (permalink / raw)
  To: netfilter


Greetings,

Sort of still a newbie with iptables! I've been at it for a while, but
struggle to understand why things don't work when I think they are right.

OK, here's the problem:

I have a DNS server configured: master zone on the internal network, the slave is the external DNS
box.

DHCP server only internal.

Iptables must do the following:
allow one internal IP (me) to the external interface for everything. (The external
interface is actually our other internal network which has the gateway to the
internet.)

When I set my default policy to DROP, my DNS and Windows file sharing from the
external network don't work. My mail and internet still work. I have removed the
broken lines and set my policy back to ACCEPT. But I would feel much safer if
it were DROP and only allowed services that I choose. As it is now, I can
access the net, mail and Windows file shares, the DNS for the FTP server is
working and all is bliss.
How do I make this more secure?

etel is our gateway.
My router has 6 cards in it: 5 are bond0 and 1 is eth0, internal and external respectively.

Attached is my iptables file.

Please could someone show me what is wrong; I can't figure it out.


-- 
Chadley Wilson
Redhat Certified Technician 
Cert Number: 603004708291270
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================

[-- Attachment #2: iptables --]
[-- Type: text/plain, Size: 3183 bytes --]

########    Firewall Setup     ##################
########      Config           ##################
#set -x
ipt="/usr/sbin/iptables"
ext="eth0"
int="bond0"
lo="127.0.0.1"
chad="192.168.2.5"
etel="196.25.100.28"
#################################################


#################################################
####                                         ####
####               BASIC SETUP               ####
####                                         ####
#################################################



#Enable IP Forwarding
echo "1" >> /proc/sys/net/ipv4/ip_forward


#Clear All Tables
${ipt} -t filter -F
${ipt} -t nat -F


##  Allow all from local interfaces [localhost]
${ipt} -t filter -A INPUT -s ${lo} -j ACCEPT


##  Allow all prerouting
${ipt} -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
${ipt} -t nat -A PREROUTING -s 196.25.100.5/255.255.255.0 -j ACCEPT


##  Allow all forwarding
${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -m state --state RELATED,ESTABLISHED -j ACCEPT
${ipt} -t filter -A FORWARD -i ${ext} -o ${int} -m state --state RELATED,ESTABLISHED -j ACCEPT


##  Allow pings 
${ipt} -t filter -A INPUT -p icmp -j ACCEPT


##  Keep established connections on all interfaces
${ipt} -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
${ipt} -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

##  Accept www from internet {ext}
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 80 -j ACCEPT


#################################################
####                                         ####
####                RULES                    ####
####                                         ####
#################################################





##  Masquerade {chad} outgoing to internet
${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -j MASQUERADE
${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -j ACCEPT


##  Accept SSH from {etel}
${ipt} -t filter -A INPUT -i ${ext} -s ${etel} -p tcp --dport 22 -j ACCEPT


##  Accept ssh from all internal
${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 22 -j ACCEPT

## Accept telnet
${ipt} -t filter -A INPUT -p tcp --dport 23 -j ACCEPT
${ipt} -t filter -A INPUT -p udp --dport 23 -j ACCEPT


##  Accept incoming SMTP
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 25 -j ACCEPT


##  Accept external POP3
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 110 -j ACCEPT


##  Allow mail from ext to int
${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT


##  Allow DNS updates
${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 53 -j ACCEPT
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 53 -j ACCEPT


## Accept all from local interfaces
${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
${ipt} -t filter -A INPUT -i ${int} -j ACCEPT


## Drop all the rest, incoming , and forward between interfaces
#${ipt} -t filter -A INPUT -j DROP
#${ipt} -t filter -A FORWARD -j DROP

### END OF FIREWALL ###

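An added example that is not code from either poster: a default-deny host firewall covering the requirements in the first post of this listing (the LAN gets everything, the web site is open to all but a few addresses, SSH only from a few addresses, Samba only from the LAN) and the two things that broke the attached script above when its policy was DROP (DNS also needs UDP 53, and Windows file sharing needs 137/138 UDP plus 139/445 TCP). Interface, network and address values are placeholders to be replaced; `IPT`, `DRY_RUN` and the `run`/`rule_count`/`first_web_rule` helpers exist only so the rule set can be printed and checked without root.

```shell
#!/bin/sh
# Added example for the first post in this listing and for the attached
# script above; not code from either poster. Interfaces, networks and the
# allow/deny lists are placeholders (assumptions). IPT, DRY_RUN and the
# run/rule_count helpers exist so the rule set can be printed and checked
# without root.
set -eu

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
WEB_DENY="${WEB_DENY:-203.0.113.0/24 198.51.100.7}"      # kept off the web site
SSH_ALLOW="${SSH_ALLOW:-198.51.100.20 192.168.2.0/24}"   # may reach sshd
SMB_FROM="${SMB_FROM:-192.168.2.0/24}"                   # may reach Samba
DNS_SERVER="${DNS_SERVER:-1}"                            # 1 if this box serves DNS

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

host_firewall() {
    # Clean slate, deny by default: the ACCEPT rules below are then the
    # complete list of what is reachable.
    run -F; run -X
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT ACCEPT

    # Match the loopback interface, not source 127.0.0.1: a source address
    # can be forged on the wire, an ingress interface cannot.
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus related traffic (FTP
    # data, ICMP errors). Everything else is NEW and must be listed below.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m conntrack --ctstate INVALID -j DROP
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # The local LAN gets everything.
    run -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Web: first match wins, so the deny list goes before the open rule.
    for src in $WEB_DENY; do
        run -A INPUT -p tcp --dport 80 -s "$src" -j DROP
    done
    run -A INPUT -p tcp --dport 80 -j ACCEPT

    # SSH only from the allow list; anyone else falls through to the policy.
    for src in $SSH_ALLOW; do
        run -A INPUT -p tcp --dport 22 -s "$src" -j ACCEPT
    done

    # Windows file sharing is four ports, not one: NetBIOS name and datagram
    # services on 137/138 UDP, session on 139 TCP, direct SMB on 445 TCP.
    run -A INPUT -s "$SMB_FROM" -p udp --dport 137:138 -j ACCEPT
    run -A INPUT -s "$SMB_FROM" -p tcp --dport 139 -j ACCEPT
    run -A INPUT -s "$SMB_FROM" -p tcp --dport 445 -j ACCEPT

    # DNS: queries are UDP; TCP is used for zone transfers and large
    # answers. Opening only tcp/53 is why resolution breaks under DROP.
    if [ "$DNS_SERVER" = 1 ]; then
        run -A INPUT -p udp --dport 53 -j ACCEPT
        run -A INPUT -p tcp --dport 53 -j ACCEPT
    fi

    # Log a sample of what the policy is about to drop, so "X stopped
    # working" can be read off the kernel log instead of guessed.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Helpers for inspecting the generated rule set.
rule_count() { ( DRY_RUN=1; host_firewall ) | grep -c -- "$1" || true; }
first_web_rule() { ( DRY_RUN=1; host_firewall ) | grep -- '--dport 80' | head -n 1; }

if [ "${1:-}" = apply ]; then
    host_firewall
fi
```

Two caveats. `-s` accepts a host name, but it is resolved once when the rule is inserted, so blocking "a few domains" by name only works for addresses that never change; block by IP where you can. And because the INPUT policy is DROP, a mistake locks you out of a remote box: load it from the console the first time, or schedule an `iptables -P INPUT ACCEPT` a few minutes later as a fallback you cancel once the box answers. For the attached script's case, set `SMB_FROM` to the external network that needs the file shares rather than opening the ports to everyone.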
* Iptables
@ 2005-05-18 21:04 Limbert Fuentes Quiroga
  0 siblings, 0 replies; 73+ messages in thread
From: Limbert Fuentes Quiroga @ 2005-05-18 21:04 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org


Dear All

  
Please could you help me configure my firewall server to block all
ports on the interface that is connected to the internet (except ports 25
and 53, which are forwarded to the DMZ server), and also to restrict the users of my
LAN so that they can only get to the internet through the transparent proxy (SQUID) that
is installed on my DMZ server.
I attach the file with the configuration of my firewall server.

Thanks and regards

[-- Attachment #2: Firewall-DMZ.doc --]
[-- Type: APPLICATION/msword, Size: 37376 bytes --]

* iptables
@ 2005-01-31 11:31 Alabama
  2005-01-31 12:02 ` iptables John A. Sullivan III
       [not found] ` <5.2.0.9.0.20050131135158.02a9dec0@poczta.interia.pl>
  0 siblings, 2 replies; 73+ messages in thread
From: Alabama @ 2005-01-31 11:31 UTC (permalink / raw)
  To: netfilter

Dear All,
I have a linux router with 3 NIC cards.
One is an internet interface. The second is my LAN network and the third is a public
addresses network.
I am using iptables. My LAN network works perfectly, filtering packets. I
have problems with my public addresses network: I would like this network
to work without any filtering and just can't do it.
Could you give me advice on how to bypass iptables, or how to set up iptables to
route traffic to the public addresses without any filtering?
Best regards
Andy





* iptables
@ 2005-01-31 11:16 Andrzej
  0 siblings, 0 replies; 73+ messages in thread
From: Andrzej @ 2005-01-31 11:16 UTC (permalink / raw)
  To: netfilter

Dear All,
I have a linux router with 3 NIC cards.
One is an internet interface. The second is my LAN network and the third is a public
addresses network.
I am using iptables. My LAN network works perfectly, filtering packets. I
have problems with my public addresses network: I would like this network
to work without any filtering and just can't do it.
Could you give me advice on how to bypass iptables, or how to set up iptables to
route traffic to the public addresses without any filtering?
Best regards
Andy



* iptables
@ 2004-11-29 14:58 MANJUNATH
  0 siblings, 0 replies; 73+ messages in thread
From: MANJUNATH @ 2004-11-29 14:58 UTC (permalink / raw)
  To: netdev





I am new to the linux kernel source. I understand that the iptables MASQUERADE
target in turn makes use of the NF_IP_POST_ROUTING hook to change the src addr and src port
of the outgoing packets.

Is the NF_IP_PRE_ROUTING hook used to map the public address of the incoming
packets to the local private address?


Regards
Manjunath

* Iptables
@ 2004-06-19 23:02 Xiaofang Chen
  2004-06-21 18:26 ` Iptables Ian Pratt
  0 siblings, 1 reply; 73+ messages in thread
From: Xiaofang Chen @ 2004-06-19 23:02 UTC (permalink / raw)
  To: xen-devel


Hi,

From the paper "Isolation of Shared Network Resources in XenoServers", it seems that Xen supports
IPTABLES for each guest OS and dom0. Can someone tell me how to use it in Xen? That is, how to
set those rules for each guest OS?

Thanks.

Xiaofang


* iptables
@ 2004-05-27 17:51 Alejandro Cabrera Obed
  0 siblings, 0 replies; 73+ messages in thread
From: Alejandro Cabrera Obed @ 2004-05-27 17:51 UTC (permalink / raw)
  To: Netfilter lista (iptables)




* iptables
@ 2004-02-27  2:23 mustafa hassan
  0 siblings, 0 replies; 73+ messages in thread
From: mustafa hassan @ 2004-02-27  2:23 UTC (permalink / raw)
  To: netfilter

hi all,
please solve my problem because I have to complete my
assignment.
I am having a problem: when I make transparent
redirection with the following command
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport
80 -j REDIRECT --to-port 80
I get an error message from squid as follows
when I try to access, suppose,
http://www.face-pic.com/dawson48
squid gives me this error:
----------------------------------------------------------------------------------------------------------------
While trying to retrieve the URL: /dawsoon48 

The following error was encountered: 

Invalid URL 
Some aspect of the requested URL is incorrect.
Possible problems: 

Missing or incorrect access protocol (should be
`http://'' or similar) 
Missing hostname 
Illegal double-escape in the URL-Path 
Illegal character in hostname; underscores are not
allowed 
-------------------------------------------------------------------------------------------------------------------------
It automatically eliminates the portion
http://www.face-pic.com,
while if I set my browser to use the proxy then I don't get
this error; instead everything works fine.
Please help me out.

=====
Mustafa Hassan Malik
(Khadim Hussain)

Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie) 







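An added example (not code from either poster) for the two transparent-proxy posts above: the XO laptop whose kernel rejects `-m owner`, and the REDIRECT to port 80 that left squid with a relative URL. The `-m owner` error means the kernel has no owner match; the rules below show why the match is wanted at all, namely to keep squid's own outbound fetches from being redirected back into squid. In the second post, REDIRECT hands squid the request exactly as the browser sent it (a path plus a Host header), and squid rebuilds the full URL only when the port it listens on is configured for interception (`httpd_accel_host virtual` with `httpd_accel_uses_host_header on` in squid 2.5, `http_port ... transparent` or `intercept` in later versions). Assumed here: squid runs as user squid on port 3128 on the same box, and the LAN arrives on eth0; `DRY_RUN`, `ipt` and the check helpers are this example's own.

```shell
#!/bin/sh
# Added example for the two transparent-proxy posts above; not code from
# either poster. Assumed: squid runs as user "squid" on an intercept port
# 3128 on this same box, and browsers on the LAN reach it through eth0.
# DRY_RUN, ipt and the check helpers are for printing and testing the rule
# set without root.
set -eu

LAN_IF="${LAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"
PROXY_USER="${PROXY_USER:-squid}"
DRY_RUN="${DRY_RUN:-0}"

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# "No chain/target/match by that name" for "-m owner" means the running
# kernel has no owner match (built in or loadable). Once ip_tables is
# loaded, the registered matches are listed in /proc/net/ip_tables_matches.
owner_match_available() {
    [ -r /proc/net/ip_tables_matches ] && grep -qx owner /proc/net/ip_tables_matches
}

transparent_proxy_rules() {
    # Locally generated traffic is seen in nat/OUTPUT, never in PREROUTING.
    # Leave connections to this box's own addresses alone, let squid's
    # upstream fetches out untouched, and redirect every other local
    # client to squid. Without the owner exemption squid's own port-80
    # fetches are redirected back to squid: a loop, which is why the
    # owner match is wanted in the first place.
    ipt -t nat -A OUTPUT -o lo -j RETURN
    ipt -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$PROXY_USER" -j RETURN
    ipt -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # LAN clients pass through nat/PREROUTING. REDIRECT changes only the
    # destination address/port; the HTTP request still reads
    # "GET /dawson48 HTTP/1.1" plus a Host header, so the port it lands on
    # must be one squid is configured to intercept (otherw2ise squid reports
    # the relative path as an invalid URL, as in the second post).
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

rules_matching() { ( DRY_RUN=1; transparent_proxy_rules ) | grep -c -- "$1" || true; }

# The owner exemption is only useful if it precedes the OUTPUT REDIRECT.
owner_rule_precedes_redirect() {
    ( DRY_RUN=1; transparent_proxy_rules ) | awk '
        /-A OUTPUT/ && /--uid-owner/ { o = NR }
        /-A OUTPUT/ && /REDIRECT/    { r = NR }
        END { exit !(o && r && o < r) }'
}

if [ "${1:-}" = apply ]; then
    owner_match_available || echo "warning: kernel has no owner match; squid loop protection unavailable" >&2
    transparent_proxy_rules
fi
```

With dansguardian in front of squid, point both REDIRECTs at dansguardian's port and exempt the dansguardian user with a second `--uid-owner` rule. `owner_match_available` is the check to run before loading the rules on a kernel of unknown configuration.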
* Iptables
@ 2004-01-31  8:39 Ivan Zagvozkine
  0 siblings, 0 replies; 73+ messages in thread
From: Ivan Zagvozkine @ 2004-01-31  8:39 UTC (permalink / raw)
  To: netfilter


Hi All,

I do not know much about iptables, and have a question to ask.

I have a network setup:

Red Hat 9.0 (two interfaces: eth0 connected to the Internet and eth1 connected to the LAN, but the LAN has public addresses)

eth0 - internet - public address
eth1 - LAN - public addresses

I would like to allow all outbound traffic and not allow inbound; the clients behind the firewall need to use VPN and internet browsing, which is why we need to have public addresses.

Could anyone tell me what simple firewall script I need to apply on Red Hat 9.0 to achieve this?


Regards



Ivan Zagvozkine
izagvozkin@yahoo.com.au


* Iptables
@ 2004-01-28 11:12 jean-francois fleury
  2004-01-28 13:25 ` Iptables Jeffrey Laramie
  0 siblings, 1 reply; 73+ messages in thread
From: jean-francois fleury @ 2004-01-28 11:12 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/html, Size: 1449 bytes --]

* iptables
@ 2004-01-16 22:36 Wilmar jose  wagner
  2004-01-22 22:33 ` iptables Pablo Neira
  0 siblings, 1 reply; 73+ messages in thread
From: Wilmar jose  wagner @ 2004-01-16 22:36 UTC (permalink / raw)
  To: netfilter-devel


I migrated from iptables 1.2.7 to 1.2.9 and afterwards MASQUERADE is no longer accepted.

My syntax is:

iptables -t nat -A POSTROURING -o ppp0 -j MASQUERADE




* iptables
@ 2003-05-26 13:34 Wan System S.R.L.
  2003-05-26 15:27 ` iptables Pedro C. Arias
  0 siblings, 1 reply; 73+ messages in thread
From: Wan System S.R.L. @ 2003-05-26 13:34 UTC (permalink / raw)
  To: netfilter


I have installed Red Hat 8.0 with iptables 1.2.7a to do NAT. I have 2 network cards.
The computers on the internal net have MS Windows XP. The www doesn't have any problem. When they try to use ftp it gives the following error:
200 ASCII tastes bad, dude.
500 Illegal PORT command.
500 Unknown command.

Please, some tip?

thank

wansys 


* IPTABLES
@ 2003-04-28 18:29 lfps
  0 siblings, 0 replies; 73+ messages in thread
From: lfps @ 2003-04-28 18:29 UTC (permalink / raw)
  To: netfilter

I have a manual that I downloaded from the Net about iptables and I was very pleased to
find something in Portuguese, since almost everything is in English and unfortunately I am
not very good at English.
I wanted to ask whether you know of any site, or any other manual,
that covers firewalls on Linux, because I am doing an internship and have to research
firewalls, IPTABLES perhaps being one of the good options. Please help me!!!
The manual I had access to was the "Linux 2.4 Packet Filtering HOWTO (Revision
1.19 2001/05/26)"

PS: I chose Linux because I was told it would be the best for security!


Thanks in advance, hoping for a reply!



* iptables
@ 2003-04-23  5:17 Star Fire
  0 siblings, 0 replies; 73+ messages in thread
From: Star Fire @ 2003-04-23  5:17 UTC (permalink / raw)
  To: netfilter





dear group,

I'm quite new to iptables and am using 1.2.6a. We have a linux box open to the
net and behind that is an ISA server doing the proxying for the users. We
have implemented incident reporting on it and are continuously getting alerts
that there are port scan attempts against the internal ISA server. I have enabled
established and related traffic through my firewall. Can you please tell me
how this happens?

Question number 2 is: can someone put my linux server's external ip address as
a gateway address and do a portscan of our internal ISA server, which has a
192.168 range IP? If so, how can I stop this through IPTABLES?

Thanks for your time.




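An added example, not code from any of the posters, for the three routed-firewall posts above: the two-interface Red Hat 9.0 box whose LAN has public addresses and should be able to go out but not be reached, the three-NIC router whose public-address segment should be passed unfiltered, and the question of whether an outsider can point a route at the firewall's external address and scan a 192.168 host behind it. Interface names and prefixes are assumptions, as are `DRY_RUN`, `ipt` and `rules_matching`. The stateful pair in the middle is what "established and related" normally means; a scan is a stream of NEW packets and never matches it, so scans that do reach the inside come through some other rule, or because FORWARD's policy is ACCEPT.

```shell
#!/bin/sh
# Added example for the routed-firewall posts above; not code from any of
# the posters. Interface names and prefixes are assumptions. DRY_RUN, ipt and
# rules_matching are for printing and checking the rule set without root.
set -eu

EXT_IF="${EXT_IF:-eth0}"             # toward the Internet
LAN_IF="${LAN_IF:-eth1}"             # filtered LAN, public or private addresses
LAN_NET="${LAN_NET:-192.168.1.0/24}"
OPEN_IF="${OPEN_IF:-}"               # optional third NIC to route unfiltered
DRY_RUN="${DRY_RUN:-0}"

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

router_rules() {
    ipt -P FORWARD DROP

    # The "no filtering" segment: accept both directions first, so none of
    # the rules below ever apply to it.
    if [ -n "$OPEN_IF" ]; then
        ipt -A FORWARD -i "$OPEN_IF" -j ACCEPT
        ipt -A FORWARD -o "$OPEN_IF" -j ACCEPT
    fi

    # Anti-spoofing on the external side. A packet arriving from the
    # Internet with a LAN source, or addressed to an RFC 1918 network, has
    # no legitimate reason to exist. This is what defeats "set the firewall
    # as my gateway and scan 192.168.x": forwarding is on, but the packet
    # is dropped by destination before the stateful rules are reached.
    ipt -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A FORWARD -i "$EXT_IF" -d "$net" -j DROP
    done

    # Stateful core: the LAN may open anything outbound; the Internet may
    # only send packets belonging to a connection the LAN opened. A scan is
    # a stream of NEW packets and never matches ESTABLISHED,RELATED, so if
    # scans still reach the inside, another rule (or an ACCEPT policy) is
    # letting NEW traffic in from $EXT_IF.
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD drop: "
}

# The kernel's reverse-path check rejects a packet whose source would not be
# routed back out the interface it came in on; it complements the rules.
enable_rp_filter() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
    else
        sysctl -w net.ipv4.conf.all.rp_filter=1
    fi
}

rules_matching() { ( DRY_RUN=1; router_rules ) | grep -c -- "$1" || true; }

if [ "${1:-}" = apply ]; then
    enable_rp_filter
    router_rules
fi
```

On the VPN point from the Red Hat post: PPTP's GRE and IPsec's ESP carry no ports, so without a protocol-specific tracker conntrack follows them by address pair only. That is enough for the return traffic to count as ESTABLISHED when no NAT is involved; with NAT, the PPTP/GRE helper (`ip_conntrack_proto_gre` on 2.4 and early 2.6 kernels, `nf_conntrack_proto_gre` later) is needed. If replies are dropped, `/proc/net/ip_conntrack` (or `conntrack -L`) shows whether the outbound entry exists.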
* iptables
@ 2003-02-27 18:04 Guss
  0 siblings, 0 replies; 73+ messages in thread
From: Guss @ 2003-02-27 18:04 UTC (permalink / raw)
  To: netfilter

hi,

on my operating system SuSE 8.0 I could not find the entries:
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/proc/sys/net/ipv4/icmp_destunreach_rate
/proc/sys/net/ipv4/icmp_echoreply_rate
/proc/sys/net/ipv4/icmp_paramprob_rate
/proc/sys/net/ipv4/icmp_timeexeceed_rate
so on the first test of my beginner script I got error messages: can't find
it.
And the error message: $IPTABLES -P unknown

The script is from the book 'Das Firewallbuch' from SuSE (Germany).

Thanks for help!

W. Guss






* iptables
@ 2003-01-19 17:30 VASIF MUSAOGULLARI
  2003-01-21 11:42 ` iptables Erdal Mutlu
  0 siblings, 1 reply; 73+ messages in thread
From: VASIF MUSAOGULLARI @ 2003-01-19 17:30 UTC (permalink / raw)
  To: netfilter


 
I have a problem with firewall settings: timeout.
We installed Suse 7.3 for ppc onto a Logical Partition of an IBM iSeries
machine.

Everything is fine. It is the firewall of the system.
But it disconnects the clients if they are idle for 12 minutes. I guess the
default timeout is set to 12 minutes.
How can I increase the timeout?
What should I add to the iptables definitions?
Or is there any other way to increase this timeout?
 
I need your urgent response please... 
Thanks in advance, 
-vas


* IPtables
@ 2003-01-17  9:20 Jet
  0 siblings, 0 replies; 73+ messages in thread
From: Jet @ 2003-01-17  9:20 UTC (permalink / raw)
  To: netfilter@lists

Can anyone please verify whether iptables is vulnerable to the following
Bugtraq ID?

http://www.securityfocus.com/bid/6534

Based on my testing (1.2.7a), it is vulnerable too.

 - Jet
Security Analyst

email: jchan@trusecure.com




* iptables
@ 2002-11-18 22:30 Alexandre Carlos
  0 siblings, 0 replies; 73+ messages in thread
From: Alexandre Carlos @ 2002-11-18 22:30 UTC (permalink / raw)
  To: netfilter-devel

Hi all

My experimental backbone is the following (interface addresses shown beside each host):

67.90 -- (67.91) ingress (4.2) -- (4.3) core (1.3) -- (1.1) egress (10.1) -- 10.2

I'm using IPTABLES version 1.2.4-dscp to set up the TOS value of the
packets. I'm creating the following rule on the ingress and the egress
hosts:

iptables -A PREROUTING -t mangle -p icmp -j FTOS --set-ftos 0x28 or
iptables -A FORWARD -t mangle -p icmp -j FTOS --set-ftos 0x28

But when I try to ping from 67.90 to 10.2,

the checksum of the IP header on the reply message is incorrect, so the packet is
dropped on the core hosts.

I would like to know how I can avoid dropping the packet while still using
the same version of iptables and rules.

Alex
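
The post describes a reply whose IP header checksum no longer matches after FTOS has rewritten the TOS byte, so the core host drops it. The Python below is an added illustration of that failure mode, not code from this thread or from the netfilter project: it builds a constructed IPv4 header (the 192.0.2.x/198.51.100.x addresses are placeholders, not the poster's), rewrites the TOS byte to 0x28 with and without recomputing the RFC 1071 header checksum, and checks the header the way a forwarding host would.

```python
import struct
from ipaddress import IPv4Address

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.
    Over a correct header (checksum field included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, tos: int = 0, proto: int = 1,
                 total_len: int = 84, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum.
    Defaults describe an 84-byte ICMP echo, like the post's ping."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
                                0x45, tos, total_len, 0x1234, 0, ttl, proto, 0,
                                IPv4Address(src).packed, IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def set_tos(header: bytes, tos: int, fix_checksum: bool = True) -> bytes:
    """Return a copy of header with the TOS byte rewritten (what FTOS does).
    fix_checksum=False leaves the old checksum in place, reproducing the
    failure the post describes: the header no longer verifies downstream."""
    hdr = bytearray(header)
    hdr[1] = tos & 0xFF
    if fix_checksum:
        hdr[10:12] = b"\x00\x00"            # zero the field before recomputing
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

def checksum_ok(header: bytes) -> bool:
    """The check a forwarding host performs before routing the packet."""
    return ipv4_checksum(header) == 0

def dscp(header: bytes) -> int:
    """DSCP is the upper six bits of the TOS byte; 0x28 -> 10 (AF11)."""
    return header[1] >> 2
```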

* IPtables
@ 2002-10-17 23:25 Alexandre Carlos
  0 siblings, 0 replies; 73+ messages in thread
From: Alexandre Carlos @ 2002-10-17 23:25 UTC (permalink / raw)
  To: netfilter-devel

I have the following network


          B
        / | \
A1--A     |     C--C1
        \ | /
          D

I want A1 to ping C1 through the path A-B-C,
so I created the following rule in the nat table of iptables:

iptables -t nat -A PREROUTING -s 10.1.1.0/24 -d 192.168.67.0/24 -p icmp -j DNAT --to-destination 192.168.3.1

The network 10.1.1.0 represents A1, the network 192.168.67.0 C1, and the
address 192.168.3.1 is the interface on B that the packet should reach.

But when I start the ping I can't capture the packet using the sniffer, and
when I turn down all the interfaces of B and D the ping doesn't stop.

Can anyone help me please.

Regards,

Alex

* iptables
@ 2002-06-28 13:28 luigicart
  2002-06-28 13:45 ` iptables Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 73+ messages in thread
From: luigicart @ 2002-06-28 13:28 UTC (permalink / raw)
  To: netfilter

Hi, I'm Luigi. When I type any iptables command the shell says:
/lib/modules/2.4.7-10/net/ipv4/netfilter/ip_tables.o :init_module:
Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters,
including invalid IO or IRQ parameters
/lib/modules/2.4.7-10/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/Kernel/net/ipv4/netfilter/ip_tables.o
failed
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o :insmod ip_tables
failed
iptables v1.2.3: can't initialize iptables table 'filter' :iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Why???????
Thank you very much
Luigi

* iptables
@ 2002-06-18 21:06 Russell Coker
  2002-06-20 12:44 ` iptables Stephen Smalley
  0 siblings, 1 reply; 73+ messages in thread
From: Russell Coker @ 2002-06-18 21:06 UTC (permalink / raw)
  To: SE Linux

It appears that when netfilter reject rules cause an ICMP message, that 
message has an unlabelled source type...

* Iptables
@ 2002-06-13  9:03 Paulo Andre
  0 siblings, 0 replies; 73+ messages in thread
From: Paulo Andre @ 2002-06-13  9:03 UTC (permalink / raw)
  To: Netfilter (E-mail)

I use iptables-1.2.6a, and ulog.
Has anyone written a script that will go through the log files and filter
out the stats that management require (e.g. daily number of port scans,
telnet/ssh attempts etc.)?

Thanks

Paulo 
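
As an added example of the kind of report asked for above (not code from this thread or from the ulogd project), the Python below parses a constructed sample written in the kernel LOG target's key=value format, which ulogd's LOGEMU output plugin also emits, and produces per-day counts of SSH and telnet attempts plus a crude port-scan figure. The scan heuristic (one source hitting five or more distinct TCP ports in a day) and the sample addresses are assumptions, not anything from the poster's site.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel LOG target's key=value format (ulogd's
# LOGEMU output plugin writes the same shape); not the poster's real logs.
SAMPLE_LOG = """\
Jun 12 03:14:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=22 SYN
Jun 12 03:14:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40212 DPT=23 SYN
Jun 12 03:14:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40213 DPT=25 SYN
Jun 12 03:14:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40214 DPT=80 SYN
Jun 12 03:14:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40215 DPT=443 SYN
Jun 12 09:30:44 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jun 12 09:31:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53 LEN=60
Jun 13 01:02:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=23 SYN
Jun 13 01:02:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=6001 DPT=22 SYN
"""

LINE_RE = re.compile(r"^(?P<day>\w{3}\s+\d{1,2}) \S+ \S+ kernel: (?P<kv>.*)$")
WATCHED = {22: "ssh", 23: "telnet"}      # destination ports management asked about

def parse_line(line):
    """Return (day, fields) for a LOG-format line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return m.group("day"), fields

def daily_stats(lines, scan_threshold=5):
    """Per day: SSH and telnet attempt counts, plus the number of sources that
    probed at least scan_threshold distinct TCP ports (assumed scan heuristic)."""
    stats = defaultdict(lambda: {"ssh": 0, "telnet": 0, "port_scans": 0})
    ports_seen = defaultdict(set)             # (day, src) -> {dpt, ...}
    for line in lines:
        parsed = parse_line(line)
        if not parsed or parsed[1].get("PROTO") != "TCP":
            continue                          # only TCP connection attempts count
        day, f = parsed
        dpt = int(f.get("DPT", 0))
        if dpt in WATCHED:
            stats[day][WATCHED[dpt]] += 1
        ports_seen[(day, f.get("SRC"))].add(dpt)
    for (day, _src), ports in ports_seen.items():
        if len(ports) >= scan_threshold:
            stats[day]["port_scans"] += 1
    return {day: dict(v) for day, v in sorted(stats.items())}
```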

* Re: iptables
@ 2002-06-11  2:24 Matthew Hellman
  0 siblings, 0 replies; 73+ messages in thread
From: Matthew Hellman @ 2002-06-11  2:24 UTC (permalink / raw)
  To: Paulo Andre, Netfilter (E-mail)

oops. Make sure you use port 25 though:

c:\> telnet mailserver.domain.com 25

----- Original Message -----
From: "Matthew Hellman" <mhellman@raccoon.com>
To: "Paulo Andre" <PAndre@autopage.altech.co.za>; "Netfilter (E-mail)"
<netfilter@lists.samba.org>
Sent: Monday, June 10, 2002 9:23 PM
Subject: Re: iptables


> try telnetting from the exchange server to a mail server on the Internet.
>
> ----- Original Message -----
> From: "Paulo Andre" <PAndre@autopage.altech.co.za>
> To: "Netfilter (E-mail)" <netfilter@lists.samba.org>
> Sent: Monday, June 10, 2002 9:06 AM
> Subject: iptables
>
>
> > I have a Exchange server that needs to send mail out, the firewall
> > (iptables) is set up as follows:
> >
> > iptables -A FORWARD -s (mail srv) -p tcp --dport 25 -j ACCEPT
> >
> > The mail server comes back with a "Host unreachable" error, and nslookup and
> > traceroute takes me to the destination fine. Anyone have any ideas...???

* iptables
@ 2002-06-10 14:06 Paulo Andre
  2002-06-10 19:27 ` iptables Antony Stone
  2002-06-11  2:23 ` iptables Matthew Hellman
  0 siblings, 2 replies; 73+ messages in thread
From: Paulo Andre @ 2002-06-10 14:06 UTC (permalink / raw)
  To: Netfilter (E-mail)

I have an Exchange server that needs to send mail out. The firewall
(iptables) is set up as follows:

iptables -A FORWARD -s (mail srv) -p tcp --dport 25 -j ACCEPT

The mail server comes back with a "Host unreachable" error, while nslookup and
traceroute take me to the destination fine. Anyone have any ideas...???
