help me

help me

[bash]

 Hello All,

I wanna dynamically block some ip's that load my router with --state NEW
packets (usually it's generated by very aggressive NetLook win
program). But there is a problem -m limit will block all my router's
user, and I wanna block just one ip :/

-- 
Biomechanica Artificial Sabotage Humanoid

Re: help me

[John A. Sullivan III]

On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
>  Hello All,
> 
> I wanna dynamically block some ip's that load my router with --state NEW
> packets (usually it's generated by very aggressive NetLook win
> program). But there is a problem -m limit will block all my router's
> user, and I wanna block just one ip :/
I'm not entirely sure of what you want to do.  Why can you not match
source? If you want, match the one IP and send all traffic for that IP
to a user defined chain, e.g., :
iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
iptables -A SpecialChain -j DOWHATEVERYOUWANT

If it is that you want to exempt certain addresses, send all the packets
to a user defined chain and return the exemptions, e.g., 

iptables -A FORWARD -j LimitChain
iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j
RETURN
iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

Re: help me

[bash]

On Tue, 28 Mar 2006 20:50:51 -0500
"John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:

> On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
> >  Hello All,
> > 
> > I wanna dynamically block some ip's that load my router with --state NEW
> > packets (usually it's generated by very aggressive NetLook win
> > program). But there is a problem -m limit will block all my router's
> > user, and I wanna block just one ip :/
> I'm not entirely sure of what you want to do.  Why can you not match
> source? If you want, match the one IP and send all traffic for that IP
> to a user defined chain, e.g., :
> iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
> iptables -A SpecialChain -j DOWHATEVERYOUWANT
> 
> If it is that you want to exempt certain addresses, send all the packets
> to a user defined chain and return the exemptions, e.g., 
> 
> iptables -A FORWARD -j LimitChain
> iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j
> RETURN
> iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO

The problem is that I don't know IP of this machine.... And anyone in
my net can run NetLook program... So i want that - if some-one in my net
exceed limit then iptables will block this ip dynamically.... 

-- 
Biomechanica Artificial Sabotage Humanoid

Re: help me (nfcan: addressed to exclusive sender for this address)

[Jim Laurino]

On 2006.03.28 22:29, bash - 0x62ash@gmail.com wrote:
> On Tue, 28 Mar 2006 20:50:51 -0500
> "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
> 
> > On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
> > >  Hello All,
> > >
> > > I wanna dynamically block some ip's that load my router with --state NEW
> > > packets (usually it's generated by very aggressive NetLook win
> > > program). But there is a problem -m limit will block all my router's
> > > user, and I wanna block just one ip :/
> > I'm not entirely sure of what you want to do.  Why can you not match
> > source? If you want, match the one IP and send all traffic for that IP
> > to a user defined chain, e.g., :
> > iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
> > iptables -A SpecialChain -j DOWHATEVERYOUWANT
> >
> > If it is that you want to exempt certain addresses, send all the packets
> > to a user defined chain and return the exemptions, e.g.,
> >
> > iptables -A FORWARD -j LimitChain
> > iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j
> > RETURN
> > iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO
> 
> The problem is that I don't know IP of this machine.... And anyone in
> my net can run NetLook program... So i want that - if some-one in my net
> exceed limit then iptables will block this ip dynamically....

I am not an expert on this,
but for what it is worth:

Perhaps the rules used to detect
and limit brute force ssh attacks
could be adapted to your need.

Does NetLook have a predictable pattern?

You can find out about the ssh blocking rules
if you search the archives for 'brute force'.

Hope that helps.

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.

Re: help me (nfcan: addressed to exclusive sender for this address)

[bash]

On Tue, 28 Mar 2006 23:22:26 -0500
Jim Laurino <nfcan.x.jimlaur@dfgh.net> wrote:

> I am not an expert on this,
> but for what it is worth:
> 
> Perhaps the rules used to detect
> and limit brute force ssh attacks
> could be adapted to your need.

You are talking about "recent" module... I don't know how I can use
it in my situation....
 
> Does NetLook have a predictable pattern?

Forget about NetLook...

My criteria for blocking is:
if rate of SYN packages from ONE source IP is greater then 3packets/sec
=> then block this IP

And i can't add rule "-m limit" per all source IP in my net,
because my net is big (~255^3)....

> You can find out about the ssh blocking rules
> if you search the archives for 'brute force'.
> 
> Hope that helps.



-- 
Biomechanica Artificial Sabotage Humanoid

RE: help me (nfcan: addressed to exclusive sender for this address)

[Rob Sterenborg]

>> I am not an expert on this,
>> but for what it is worth:
>> 
>> Perhaps the rules used to detect
>> and limit brute force ssh attacks
>> could be adapted to your need.
> 
> You are talking about "recent" module... I don't know how I can use
> it in my situation.... 
> 
>> Does NetLook have a predictable pattern?
> 
> Forget about NetLook...
> 
> My criteria for blocking is:
> if rate of SYN packages from ONE source IP is greater then
> 3packets/sec => then block this IP
> 
> And i can't add rule "-m limit" per all source IP in my net,
> because my net is big (~255^3)....

Wouldn't that look something like :

$ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
  -p tcp --syn -m limit --limit 3/sec -j ACCEPT

This would match NEW packets on your LAN interface with SYN set, coming
from any of your LAN IP's and not allowing more than 3 of these per
second. Of course, you'd also need a rule like this to allow the
complete connection :

$ipt -A [INPUT|FORWARD] -m state --state RELATED,ESTABLISHED -j ACCEPT

Or am I missing something ?


Gr,
Rob

Re: help me (nfcan: addressed to exclusive sender for this address)

[bash]

On Wed, 29 Mar 2006 20:28:53 +0200
"Rob Sterenborg" <rob@sterenborg.info> wrote:

> >> I am not an expert on this,
> >> but for what it is worth:
> >> 
> >> Perhaps the rules used to detect
> >> and limit brute force ssh attacks
> >> could be adapted to your need.
> > 
> > You are talking about "recent" module... I don't know how I can use
> > it in my situation.... 
> > 
> >> Does NetLook have a predictable pattern?
> > 
> > Forget about NetLook...
> > 
> > My criteria for blocking is:
> > if rate of SYN packages from ONE source IP is greater then
> > 3packets/sec => then block this IP
> > 
> > And i can't add rule "-m limit" per all source IP in my net,
> > because my net is big (~255^3)....
> 
> Wouldn't that look something like :
> 
> $ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
>   -p tcp --syn -m limit --limit 3/sec -j ACCEPT

If just ONE host from my $LAN_NET will exceed this limit, then ALL
hosts in $LAN_NET will not able to start new session... and this is
bad. I want to limit 3/sec per host, not for all net....

> This would match NEW packets on your LAN interface with SYN set, coming
> from any of your LAN IP's and not allowing more than 3 of these per
> second. Of course, you'd also need a rule like this to allow the
> complete connection :
> 
> $ipt -A [INPUT|FORWARD] -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> Or am I missing something ?
> 
> 
> Gr,
> Rob
> 
> 


-- 
Biomechanica Artificial Sabotage Humanoid

RE: help me (nfcan: addressed to exclusive sender for this address)

[Rob Sterenborg]

>> $ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
>>   -p tcp --syn -m limit --limit 3/sec -j ACCEPT
> 
> If just ONE host from my $LAN_NET will exceed this limit, then ALL
> hosts in $LAN_NET will not able to start new session... and this is
> bad. I want to limit 3/sec per host, not for all net....

Yes.. :-\
Maybe this post is of help then.
http://www.linux-noob.com/forums/index.php?showtopic=1829


Gr,
Rob

Re: help me (nfcan: addressed to exclusive sender for this address)

[bash]

On Thu, 30 Mar 2006 07:45:01 +0200
"Rob Sterenborg" <rob@sterenborg.info> wrote:

> >> $ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
> >>   -p tcp --syn -m limit --limit 3/sec -j ACCEPT
> > 
> > If just ONE host from my $LAN_NET will exceed this limit, then ALL
> > hosts in $LAN_NET will not able to start new session... and this is
> > bad. I want to limit 3/sec per host, not for all net....
> 
> Yes.. :-\
> Maybe this post is of help then.
> http://www.linux-noob.com/forums/index.php?showtopic=1829

I saw it... "-m recent" has only 1 second sampling... i cant handle
situaton of 3/sec and etc.....

I found "-m dstlimit" module which is handy, *but* for my situation i
wanna the same but with limit the packet rate on a per SOURCE ip....
inverted dstlimit :)

Any ideads? :/

-- 
Biomechanica Artificial Sabotage Humanoid

help me

[umar draz]

hi dear members!

  i have one interface card in my linux machine <eth0>

  now i attache DSL modem with this interface now i
want block all incoming traffic.

but i want i can access every thing.

how i can do it

regards

Umar Draz

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: help me

[Christoph Georgi]

make the default policy of the incoming chain (input) drop, but allow 
established and related traffic, and allow all outgoing traffic by 
setting the default policy to allow for the output chain (although it's 
adviced to specify the outgoing traffic further..)

# drops all traffic
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# allow established an related incoming traffic
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


christoph


umar draz wrote:
> hi dear members!
> 
>   i have one interface card in my linux machine <eth0>
> 
>   now i attache DSL modem with this interface now i
> want block all incoming traffic.
> 
> but i want i can access every thing.
> 
> how i can do it
> 
> regards
> 
> Umar Draz
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> 
> 

-- 


Christoph Georgi
-----------------------------
email.  christoph.georgi@web.de
fon.	+64 (0)9 815 8259

registered linux user #380268
ubuntu 5.04 (ubuntu.com)

Re: help me

[/dev/rob0]

On Monday 04 July 2005 05:47, Christoph Georgi wrote:
> make the default policy of the incoming chain (input) drop, but allow
> established and related traffic, and allow all outgoing traffic by
> setting the default policy to allow for the output chain (although
> it's adviced to specify the outgoing traffic further..)

Why, and by whom, is that advised?

> umar draz wrote:
> > [snip]
> > how i can do it

All this is clearly described in the Packet Filtering HOWTO. Or you can 
use one of many ready-made scripts without bothering to learn how 
firewalls work.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

RE: Help Me

[George Vieira]

[-- Attachment #1: Type: text/plain, Size: 3346 bytes --]

My advice:
 
1. Download a new kernel source (don't use RedHat's source)
2. Place it in /usr/src/linux-2.4.xx  and then use    ln -s /usr/src/linux.2.4.xx /usr/src/linux
3. Compile iptables against the new kernel (make clean && make)
 
It's easier when you have fresh source code and easier when it's time to patch other stuff in..

Thanks,

 
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd Systems Manager georgev AT citadelcomputer DOT com DOT au 
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698  <http://www.citadelcomputer.com.au/> http://www.citadelcomputer.com.au
 
 
-----Original Message-----
From: Pham Dinh Hieu [mailto:pdhieu@saigontel.com]
Sent: Tuesday, June 10, 2003 4:31 PM
To: netfilter@lists.samba.org
Subject: Help Me


Dear All,
I want to install iptables-1.2.7a but I have a trouble as compile it.
The system displays the following message 
 
[ root@fw iptables-1.2.7a]# make KERNEL_DIR=/home/test/linux-2.4.17
Making dependencies: please wait...
Extensions found:
cc -O2 -Wall -Wunused -I/home/user/linux-2.4.17/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\"  -fPIC -o\
extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
ld -shared -o extensions/libipt_ah.so extensions/libipt_ah_sh.o
cc -O2 -Wall -Wunused -I/home/user/linux-2.4.17/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\"  -fPIC -o\
extensions/libipt_conntrack_sh.o -c extensions/libipt_conntrack.c
In file included from extensions/libipt_conntrack.c:15:
include/linux/netfilter_ipv4/ipt_conntrack.h:28: `IP_CT_DIR_MAX' undeclared here (not in a function)
include/linux/netfilter_ipv4/ipt_conntrack.h:29: `IP_CT_DIR_MAX' undeclared here (not in a function)
include/linux/netfilter_ipv4/ipt_conntrack.h:29: `IP_CT_DIR_MAX' undeclared here (not in a function)
extensions/libipt_conntrack.c: In function `parse_status':
extensions/libipt_conntrack.c:103: `IPS_EXPECTED' undeclared (first use in this function)
extensions/libipt_conntrack.c:103: (Each undeclared identifier is reported only once
extensions/libipt_conntrack.c:103: for each function it appears in.)
extensions/libipt_conntrack.c:105: `IPS_SEEN_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c:107: `IPS_ASSURED' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `parse':
extensions/libipt_conntrack.c:202: `IP_CT_DIR_ORIGINAL' undeclared (first use in this function)
extensions/libipt_conntrack.c:259: `IP_CT_DIR_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `print_status':
extensions/libipt_conntrack.c:364: `IPS_EXPECTED' undeclared (first use in this function)
extensions/libipt_conntrack.c:368: `IPS_SEEN_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c:372: `IPS_ASSURED' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `matchinfo_print':
extensions/libipt_conntrack.c:420: `IP_CT_DIR_ORIGINAL' undeclared (first use in this function)
extensions/libipt_conntrack.c:440: `IP_CT_DIR_REPLY' undeclared (first use in this function)
make: *** [extensions/libipt_conntrack_sh.o] Error 1

 
Please help me to install iptables on Redhat Linux 7.3 or 8.0 
Thanks.
 
Best Regards
 
DunHill

[-- Attachment #2: Type: text/html, Size: 7421 bytes --]

Help Me

[Pham Dinh Hieu]

[-- Attachment #1: Type: text/plain, Size: 2498 bytes --]

Dear All,
I want to install iptables-1.2.7a but I have a trouble as compile it.
The system displays the following message 

[root@fw iptables-1.2.7a]# make KERNEL_DIR=/home/test/linux-2.4.17
Making dependencies: please wait...
Extensions found:
cc -O2 -Wall -Wunused -I/home/user/linux-2.4.17/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\"  -fPIC -o\
extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
ld -shared -o extensions/libipt_ah.so extensions/libipt_ah_sh.o
cc -O2 -Wall -Wunused -I/home/user/linux-2.4.17/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\"  -fPIC -o\
extensions/libipt_conntrack_sh.o -c extensions/libipt_conntrack.c
In file included from extensions/libipt_conntrack.c:15:
include/linux/netfilter_ipv4/ipt_conntrack.h:28: `IP_CT_DIR_MAX' undeclared here (not in a function)
include/linux/netfilter_ipv4/ipt_conntrack.h:29: `IP_CT_DIR_MAX' undeclared here (not in a function)
include/linux/netfilter_ipv4/ipt_conntrack.h:29: `IP_CT_DIR_MAX' undeclared here (not in a function)
extensions/libipt_conntrack.c: In function `parse_status':
extensions/libipt_conntrack.c:103: `IPS_EXPECTED' undeclared (first use in this function)
extensions/libipt_conntrack.c:103: (Each undeclared identifier is reported only once
extensions/libipt_conntrack.c:103: for each function it appears in.)
extensions/libipt_conntrack.c:105: `IPS_SEEN_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c:107: `IPS_ASSURED' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `parse':
extensions/libipt_conntrack.c:202: `IP_CT_DIR_ORIGINAL' undeclared (first use in this function)
extensions/libipt_conntrack.c:259: `IP_CT_DIR_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `print_status':
extensions/libipt_conntrack.c:364: `IPS_EXPECTED' undeclared (first use in this function)
extensions/libipt_conntrack.c:368: `IPS_SEEN_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c:372: `IPS_ASSURED' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `matchinfo_print':
extensions/libipt_conntrack.c:420: `IP_CT_DIR_ORIGINAL' undeclared (first use in this function)
extensions/libipt_conntrack.c:440: `IP_CT_DIR_REPLY' undeclared (first use in this function)
make: *** [extensions/libipt_conntrack_sh.o] Error 1


Please help me to install iptables on Redhat Linux 7.3 or 8.0 
Thanks.

Best Regards

DunHill

[-- Attachment #2: Type: text/html, Size: 3377 bytes --]