From: "terry l. ridder" <artisticforge@gmail.com>
To: /dev/rob0 <rob0@gmx.co.uk>
Cc: netfilter@lists.netfilter.org
Subject: Re: iptables leaking blocked ip addresses.
Date: Tue, 21 Jun 2005 09:36:34 -0500
Message-ID: <49bf7d705062107362321dee6@mail.gmail.com>
In-Reply-To: <200506210717.47018.rob0@gmx.co.uk>

hello;

reply below.

On 6/21/05, /dev/rob0 <rob0@gmx.co.uk> wrote:
> On Monday 20 June 2005 15:47, terry l. ridder wrote:
> > > In the meantime I bet a few external nmap's of your IP would
> > > give you some unpleasant surprises.

you made the above comment did you not?
you implied that my network was not secured.

> >
> > you lose the bet.
> > since you did not have the courage to post the results of an nmap of
> > my network, i will.
> >
> > please see http://uuoc.com/?id=953 for the results of an external
> > nmap of my network, 204.238.34.0/24.
> 
> Lack of courage, lack of interest, lack of will to be your unpaid
> security analyst, whatever. It's remarkable that you found that nmap
> acceptable, neither unpleasant nor surprising.
>

i see, yet you make unfounded statements which i quote below:

> > > In the meantime I bet a few external nmap's of your IP would
> > > give you some unpleasant surprises.

> 
> You certainly have won your arguments! People point to specific
> documented examples of why you're wrong, and you insist otherwise.
> Indeed I am convinced: writing to you is a waste of my time. Your
> arguments have been very persuasive in that regard.
> 

you should really read the Iptables Tutorial 1.1.19 written by
Oskar Andreasson located at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

since you may not read it, i will quote a few parts.

<begin quote>
6.2. Tables

The nat table is used mainly for Network Address Translation. "NAT"ed
packets get their IP addresses altered, according to our rules. Packets
in a stream only traverse this table once. We assume that the first
packet of a stream is allowed. The rest of the packets in the same
stream are automatically "NAT"ed or Masqueraded etc, and will be subject
to the same actions as the first packet. These will, in other words, not
go through this table again, but will nevertheless be treated like the
first packet in the stream.
<end quote>

did you catch that last sentence? since the first packet in the stream is
dropped, the rest of the packets in the same stream are also dropped.

<begin quote>
This is the main reason why you should not do any filtering in this
table, which we will discuss at greater length further on. The
PREROUTING chain is used to alter packets as soon as they get in to the
firewall. The OUTPUT chain is used for altering locally generated
packets (i.e., on the firewall) before they get to the routing decision.
Finally we have the POSTROUTING chain which is used to alter packets
just as they are about to leave the firewall.
<end quote>

7.2.10. PREROUTING chain of the nat table

The PREROUTING chain should not be used for any filtering since, among
other things, this chain is only traversed by the first packet in a
stream. The PREROUTING chain should be used for network address
translation only, unless you really know what you are doing.


-- 
terry l. ridder ><>
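The tutorial passages quoted in this message make one configuration point: the nat table (and its PREROUTING chain in particular) is consulted only for the first packet of a stream, so a DROP rule placed there is not evaluated against the rest of the stream, and blocking belongs in the filter table. The script below is an added example, not code from the thread or from the Iptables Tutorial. It shows the two rulesets side by side in iptables-save format and adds a small audit function that reads an iptables-save dump on stdin and reports any DROP/REJECT rule found inside the nat table. The address 192.0.2.10 (a documentation range address) and the interface name eth0 are constructed placeholders.

```shell
#!/bin/sh
# Constructed example ruleset: the block is placed in the nat table's
# PREROUTING chain, the pattern the tutorial warns against, because only
# the first packet of each stream traverses the nat table.
weak_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.0.2.10/32 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Corrected ruleset: the same block expressed in the filter table, whose
# INPUT and FORWARD chains are traversed by every packet of a stream.
fixed_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -j DROP
-A FORWARD -s 192.0.2.10/32 -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Audit an iptables-save dump read from stdin: print every DROP/REJECT rule
# that sits inside the nat table and exit 1 if any were found, 0 otherwise.
# Typical use on a live host: iptables-save | audit_nat_filtering
audit_nat_filtering() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # "*nat" -> table = "nat"
        /^COMMIT/ { table = ""; next }
        table == "nat" && /-j (DROP|REJECT)( |$)/ {
            print "filtering rule in nat table (seen only by the first packet of a stream): " $0
            bad++
        }
        END { exit (bad > 0) }
    '
}
```

Running the weak ruleset through the audit reports the nat PREROUTING DROP line and returns non-zero; the corrected ruleset passes cleanly. The audit is intentionally narrow: it flags terminating filter targets in the nat table only, since those are what the tutorial says do not belong there.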

