Linux Netfilter discussions
* Newbie Question
@ 2002-10-22  2:47 William L. Childers
  0 siblings, 0 replies; 29+ messages in thread
From: William L. Childers @ 2002-10-22  2:47 UTC (permalink / raw)
  To: netfilter

All,

	I have a network with 4 computers behind the firewall.  Three of these
are workstations.  The firewall works fine for these.  Here is the fun
part.  

One of the computers is a server with the Windows 2000 Operating System
installed.  It is running IIS, and a mail server.  The SMTP portion of
IIS is configured to send email out on port 1125.  I have DNAT working
for the WEB server and SMTP.  There is, however, an issue with one of
the applications that is running on the web server.  It will not send
email out on port 1125.  The rules that I am trying to get to work are:
## Outgoing SNAT Port 1125 only
$IPTABLES -A PREROUTING -t nat -i $INTERNALIF -p tcp --sport 1125 -j SNAT --to $MYADDR

$IPTABLES -A FORWARD -i $INTERNALIF -p tcp -d 192.168.0.4 --sport 1125 -j ACCEPT

$INTERNALIF is the Private Interface
$MYADDR is the Public IP Address

192.168.0.4 is the Private IP of the IIS Server 

Thank you in advance for any assistance that you may be able to provide.

Bill





^ permalink raw reply	[flat|nested] 29+ messages in thread

* Newbie Question
  2002-11-03 18:51 CVS Respository failures Noah
@ 2002-11-04  9:15 ` Louie
  0 siblings, 0 replies; 29+ messages in thread
From: Louie @ 2002-11-04  9:15 UTC (permalink / raw)
  To: Noah, netfilter

Hello all!

Hope that everyone had a good weekend. I was wondering, does anyone know a
site that has simple explanations of iptables, like "Iptables for Dummies"?

Thank you,

Louie




* Newbie question
@ 2002-12-08 23:37 Glen Spidal
  2002-12-10 13:09 ` Bart
  0 siblings, 1 reply; 29+ messages in thread
From: Glen Spidal @ 2002-12-08 23:37 UTC (permalink / raw)
  To: Net Filter



What IPTables commands do I need to issue in a script to allow port 25 and
110 (email) to work.  See attached PDF file.

Glen Spidal
Hillsboro Oregon USA
PH: 503-681-9786  FX: 503-615-2936
www.cybercorpinc.com


[-- Attachment #2: fhlsnet.pdf --]
[-- Type: application/pdf, Size: 19864 bytes --]


* Re: Newbie question
  2002-12-08 23:37 Newbie question Glen Spidal
@ 2002-12-10 13:09 ` Bart
  0 siblings, 0 replies; 29+ messages in thread
From: Bart @ 2002-12-10 13:09 UTC (permalink / raw)
  To: Net Filter



Glen Spidal wrote:

> What IPTables commands do I need to issue in a script to allow port 25 
> and 110 (email) to work.  See attached PDF file.

Can't you set up the Windows 2000 Pro as a client, and use Linux as the
main router?

Otherwise you need to do:

1) add a destination(192.168.254.X)-gateway(192.168.0.47) route for each
client PC on the Windows PC; since the client IPs are dynamic, this is
impractical.
OR
2) enable MASQUERADING on the Linux box:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


In both cases enable ip_forwarding on the Linux box:
echo "1" > /proc/sys/net/ipv4/ip_forward

This of course doesn't matter for http if you use a proxy, but anything
else won't work without one of the two mentioned above.

Then you can add some rules like:
  iptables -P FORWARD DROP

  iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT

  iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 110 -j ACCEPT


The IP of eth0 (192.168.254.250) is the same as the DHCP server
(192.168.254.250), which doesn't make sense (to me).

( eth0 = connected to Windows, eth1 connected to switch )

HTH
greetz
B.Mermuys






* newbie question
       [not found] <20030120105301.22841.47459.Mailman@kashyyyk>
@ 2003-01-20 15:58 ` regina
  2003-01-20 19:02   ` Maciej Soltysiak
  0 siblings, 1 reply; 29+ messages in thread
From: regina @ 2003-01-20 15:58 UTC (permalink / raw)
  To: netfilter


Hi,
> I am newbie in iptables and linux. I would like to get packets , 
> modify it and send it again. To modify the packet (i.e. insert error) 
> , is there any programming software in netfilter? or any 
> recommendation? Or should I use C++ and if I use C++ where should I 
> save the program so I can use it with iptables? Thank you.
>
> Sincerely,
> Regina R




* Re: newbie question
  2003-01-20 15:58 ` newbie question regina
@ 2003-01-20 19:02   ` Maciej Soltysiak
  0 siblings, 0 replies; 29+ messages in thread
From: Maciej Soltysiak @ 2003-01-20 19:02 UTC (permalink / raw)
  To: regina; +Cc: netfilter

> Hi,
> > I am newbie in iptables and linux. I would like to get packets ,
> > modify it and send it again. To modify the packet (i.e. insert error)
> > , is there any programming software in netfilter? or any
> > recommendation? Or should I use C++ and if I use C++ where should I
> > save the program so I can use it with iptables? Thank you.
Direct your question to the devel list.
netfilter-devel@lists.samba.org


regards,
Maciej



* Newbie question
@ 2003-02-16  7:04 Shankar; Hari
  2003-02-16  7:57 ` Joel Newkirk
  0 siblings, 1 reply; 29+ messages in thread
From: Shankar; Hari @ 2003-02-16  7:04 UTC (permalink / raw)
  To: netfilter


Hello,

I'm trying to use IPTables in User Mode Linux. I've configured UML to
use IPTables replacing IPChains. But when I start up UML, and try to play
around with IPTables, I get the message,

iptables v1.2.4: can't initialize iptables table `filter': Table does not
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

The UML version that I'm running is 2.4.19.

What could I be doing wrong? I'd very much appreciate any help!

Thanks,
Hari





* Re: Newbie question
  2003-02-16  7:04 Newbie question Shankar; Hari
@ 2003-02-16  7:57 ` Joel Newkirk
  2003-02-16 22:50   ` Shankar; Hari
  0 siblings, 1 reply; 29+ messages in thread
From: Joel Newkirk @ 2003-02-16  7:57 UTC (permalink / raw)
  To: Shankar; Hari, netfilter

On Sunday 16 February 2003 02:04 am, Shankar; Hari wrote:
> Hello,
>
> I'm trying to use IPTables in User Mode Linux. I've configured UML to
> use IPTables replacing IPChains. But when I start up UML, and try to
> play around with IPTables, I get the message,
>
> iptables v1.2.4: can't initialize iptables table `filter': Table does
> not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> The UML version that I'm running is 2.4.19.
>
> What could I be doing wrong? I'd very much appreciate any help!

Sorry to sound like a smartass, but did you try insmod?  :^)

"/sbin/insmod ip_tables" or "/sbin/modprobe ip_tables" will load the 
iptables module, including the default table - filter.  (insmod inserts 
the module into the running kernel, modprobe looks for it already 
loaded, and calls insmod if it's not found)  If you get a message that 
insmod or modprobe can't be found, try "whereis insmod" to find the 
correct path on your distro.  (I'm not familiar with how UML is laid 
out)  I'll assume that with a 2.4.19 kernel that the ip_tables module is 
available.  

The module has to be loaded (or compiled into the kernel) in order for 
the iptables userland command to function, so you really want it started 
when the system starts.  You can try "serviceconf", which is usually 
available, or "ksysv" if you have KDE installed, which gives you a 
nicer, more detailed interface.  If it runs, check to see if "iptables" 
is listed, probably not selected to run.  Select it to start during 
startup, and next time the module will be inserted automatically, and 
basic rules will be set.  (Very basic, like no rules at all and ACCEPT 
policy on all chains...!)

Serviceconf will let you control startup for the runlevel you are 
currently in.  Ksysv lets you control ALL runlevels in a single view: 3 
is a console startup (you have text interface for login, whether or not 
you load xwindows later) and 5 is xwindows startup, where you have 
graphical interface for login.  Best bet is to start it in both anyway.  
Don't muck with other runlevels until you know what they do, and know 
what SysV-Init accomplishes in them.

The nice thing with ksysv is it lets you control the sequence of 
startups, IE to ensure that a custom firewall script is started AFTER 
the iptables startup takes place - serviceconf doesn't offer this, IIRC, 
you have to manually change the link names in /etc/rc.d/rc5.d for 
example.

Finally (but actually first and foremost) you should get iptables v1.2.7a 
installed, but you'll need to be comfortable with compiling and 
installing to do so.  If you're not, then just work with what you have 
for now and get familiar and comfortable first - but be aware that the 
answer to a support question will sometimes be "install 1.2.7a then 
ask".

j





* Re: Newbie question
  2003-02-16  7:57 ` Joel Newkirk
@ 2003-02-16 22:50   ` Shankar; Hari
  0 siblings, 0 replies; 29+ messages in thread
From: Shankar; Hari @ 2003-02-16 22:50 UTC (permalink / raw)
  To: netfilter


Hi Joel,

Thanks a lot! Apparently I hadn't loaded the iptable_filter.o module while
configuring uml, and loading it seemed to do the trick! And I will make
sure to upgrade to iptables 1.2.7a too!

Thanks,
Hari






* Newbie Question
@ 2003-02-24 16:23 Jeffrey Corbit
  2003-02-24 16:50 ` Aldo S. Lagana
  0 siblings, 1 reply; 29+ messages in thread
From: Jeffrey Corbit @ 2003-02-24 16:23 UTC (permalink / raw)
  To: netfilter

I'm running POPTOP on a linux 2.4.18 kernel.  Have been having some
connection problems and questions to the poptop mailing list have suggested
that I need to install the Netfilter Helper PPTP files.  I have successfully
downloaded these files to my linux server and they now reside in
/root/netfilter-extensions... folder.  My question is what do I do with them
now.  I can't find any documentation as to how to apply these files to my
current configuration.

Thanks for any help you can give!

Jeff




* RE: Newbie Question
  2003-02-24 16:23 Newbie Question Jeffrey Corbit
@ 2003-02-24 16:50 ` Aldo S. Lagana
  0 siblings, 0 replies; 29+ messages in thread
From: Aldo S. Lagana @ 2003-02-24 16:50 UTC (permalink / raw)
  To: 'Jeffrey Corbit', netfilter

Last time I installed PopTop, I had to install PPTP support in netfilter
through Patch-o-Matic (not sure it's still valid).  But I only
needed that to allow multiple outbound PPTP connections from inside a
NAT'd LAN (that is, I was NATing PPTP connections).

To simply connect to PoPToP, you need to make sure your rules are
correct in netfilter for allowing protocol 47, port 1723, etc. to be
forwarded. Remember if you're running poptop on a netfilter server, the
INPUT and OUTPUT chains are important as is the FORWARD chain (all in
the filter table).







* newbie question
@ 2003-03-24 15:54 Scott Melnyk
  2003-03-24 16:27 ` Joel Newkirk
  0 siblings, 1 reply; 29+ messages in thread
From: Scott Melnyk @ 2003-03-24 15:54 UTC (permalink / raw)
  To: netfilter

Hello, I hope this is not too simple to post. I have not quite got
IPTABLES use down.

I am looking at setting up local firewalls on a cluster of machines
(almost 100 Linux boxes running RH 7.3 and 8.0).  The login nodes for
the cluster have extensive hardware-based firewalling rules.

On the rest of the cluster I would like to set IPTABLES to accept
everything within the subnet and drop anything from an outside
address.

My thought for setting the rules on each machine is to push out and
run a bash script.
Is it possible to simply set up a firewall with something as simple as:


#!/bin/bash
#

service iptables stop

iptables -F

iptables -A INPUT -m limit -j LOG
iptables -A OUTPUT -m limit -j LOG


iptables -A INPUT -s 130.xxx.xxx.128/25 -j ACCEPT
#rule here to drop all non 130.xxx.xxx.128/25

iptables -P FORWARD DROP
iptables -P INPUT DROP

service iptables save


We have a subnet of 130.xxx.xxx.128/255.255.255.128  
How can I define a mandatory drop of everything not in
130.xxx.xxx.128/255.255.255.128? 

Finally what risks am I taking by doing this?  Other than if someone
hacks into one of the login nodes, I realize this would then give them
access to the rest of the cluster.

All thoughts, advice and suggestions very welcome.  Thank you in
advance.

Sincerely,
Scott Melnyk




* Re: newbie question
  2003-03-24 15:54 newbie question Scott Melnyk
@ 2003-03-24 16:27 ` Joel Newkirk
  0 siblings, 0 replies; 29+ messages in thread
From: Joel Newkirk @ 2003-03-24 16:27 UTC (permalink / raw)
  To: Scott Melnyk, netfilter

On Monday 24 March 2003 10:54 am, Scott Melnyk wrote:
> Hello, I hope this is not to simple to post. I have not quite got
> IPTABLEs use down.
>
> I am looking at setting up local firewalls on  a cluster of machines
> (almost 100 linux boxes running RH 7.3 and 8.0).  The login nodes for
> the cluster have extensive hardware based firewalling rules.
>
> On the rest of the cluster I would like to set IPTABLEs to accept
> everything within the subnet and drop the anything from and outside
> address.
>
> My thought for setting the rules on each machine is by pushing out and
> running a bash script.
> Is it possible to simply set up a firewall with something as simple
> as:
>
>
> #!/bin/bash
> #
>
> service iptables stop
>
> iptables -F
>
> iptables -A INPUT -m limit -j LOG
> iptables -A OUTPUT -m limit -j LOG

Are you sure this is what you want?  It will log 5 entries the first 
hour, then 3/hour after that.  (presuming you have at least that many to 
log)

> iptables -A INPUT -s 130.xxx.xxx.128/25 -j ACCEPT
> #rule here to drop all non 130.xxx.xxx.128/25

Two things here - first, the DROP policy below will drop anything not 
already accepted, so you don't need an explicit DROP.  Second, you can 
specify this DROP (if you really want it) with
iptables -A INPUT -s ! 130.x.x.128/25 -j DROP

> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> service iptables save
>
>
> We have a subnet of 130.xxx.xxx.128/255.255.255.128
> How can I define a mandatory drop of everything not in
> 130.xxx.xxx.128/255.255.255.128?

Just the DROP policy is all that is needed, so long as you specify the 
source IP in ACCEPT rules.

> Finally what risks am I taking by doing this?  Other than if someone
> hacks into one of the login nodes, I realize this would then give them
> access to the rest of the cluster.

The only risk I see is of someone spoofing one of your IPs.  If all 
communications will take place with specific ports or protocols, you can 
tighten the ACCEPT rule to only allow that in.  But as you have it, the 
only thing that these boxes would accept communications from would be 
their own subnet, and if you don't have unnecessary services running 
you shouldn't have much to worry about.

j




* Newbie Question...
@ 2003-03-26 17:37 Carlos Cajina
  2003-03-26 18:53 ` Joel Newkirk
  0 siblings, 1 reply; 29+ messages in thread
From: Carlos Cajina @ 2003-03-26 17:37 UTC (permalink / raw)
  To: netfilter


Hi, I'm Carlos from Nicaragua but currently living in Mexico... I just signed up to this list and already have one question in mind: Is it possible to specify a particular IP address range when creating filtering rules? If so... where can I find the info that talks about it?

Best regards!!!!


* Re: Newbie Question...
  2003-03-26 17:37 Newbie Question Carlos Cajina
@ 2003-03-26 18:53 ` Joel Newkirk
  0 siblings, 0 replies; 29+ messages in thread
From: Joel Newkirk @ 2003-03-26 18:53 UTC (permalink / raw)
  To: Carlos Cajina, netfilter

On Wednesday 26 March 2003 12:37 pm, Carlos Cajina wrote:
> Hi, I'm Carlos from Nicaragua but currently living in Mexico... I just
> signed up to this list and already have one question in mind: Is it
> possible to specify a particular IP address range when creating
> filtering rules? If so... where can I find the info that talks about
> it?

Yes.  For example, to match a single source IP use "-s a.b.c.d", while to 
match a range of IPs you have to be able to match with a mask, like "-s 
a.b.c.d/24" or "-s a.b.c.d/255.255.255.0" to match a.b.c. and anything 
for d.  Destinations are matched with "-d a.b.c.d/m" the same way.  

If you need to match an 'odd' range of IPs, that cannot be fitted to a 
single ip/mask test, then it is usually necessary to use multiple rules.  
IE, if you need to match 192.168.0.4-192.168.0.6, then you can match .4 
and .5 with 192.168.0.4/31, but .6 will need a separate rule.  (unless 
you don't mind catching .7 as well, in which case a mask for 30 bits 
instead of 31 would work for all 4 IPs)

http://iptables-tutorial.frozentux.net is the best tutorial around for 
iptables.

j

> Best regards!!!!



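An added example, not code from Joel's post: using Python's ipaddress module it shows both options he describes for a range that does not fit one ip/mask, the exact set of rules (one per CIDR block) and the single wider block together with the extra hosts that block would also admit.

```python
"""Rules for an IP range that does not fit a single ip/mask block.

Constructed example, not from the thread above. It works out the exact
set of CIDR blocks (one iptables rule each) for a range, and, as the
alternative described above, the single wider block plus the extra
hosts that block would admit.
"""
import ipaddress


def exact_blocks(first, last):
    """Fewest CIDR blocks covering first..last and nothing outside it."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(b) for b in ipaddress.summarize_address_range(lo, hi)]


def single_block(first, last):
    """One block that covers first..last, and the extra hosts it lets in.

    Starts from the /32 of the first address and widens the mask one bit
    at a time until the last address falls inside the block.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(first)
    while hi not in net:
        net = net.supernet()
    extras = [str(a) for a in net if a < lo or a > hi]
    return str(net), extras


def rules_for_range(first, last, chain="INPUT", target="ACCEPT", flag="-s"):
    """iptables rule lines that match exactly first..last, one per block."""
    return ["iptables -A %s %s %s -j %s" % (chain, flag, block, target)
            for block in exact_blocks(first, last)]


if __name__ == "__main__":
    # The case from the reply above: .4 and .5 fit a /31, .6 needs its
    # own rule; a /30 takes all of them in one rule but also admits .7.
    for line in rules_for_range("192.168.0.4", "192.168.0.6"):
        print(line)
    block, extras = single_block("192.168.0.4", "192.168.0.6")
    print("single block %s also matches %s" % (block, ", ".join(extras)))
```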

* Re: Newbie question
       [not found] <385FE68A-FB2E-11D7-B96A-000393B2CBCE@apple.com>
@ 2003-10-10 14:43 ` Arvanitis Kostas
  0 siblings, 0 replies; 29+ messages in thread
From: Arvanitis Kostas @ 2003-10-10 14:43 UTC (permalink / raw)
  To: netfilter

On Friday 10 October 2003 17:29, Fabio Ribeiro wrote:
> Dear All,
>
> 	What does this kind of error mean: "No Such Object available on this
> agent"?
> 	Using "snmptranslate -IR memBuffer" I got the right answer, i.e.:
> .1.3.6.1.4.1.2021.4.14
>
> 	Sample:
> 	$ snmpget -c localhost -v 2c 127.0.0.1 .1.3.6.1.4.1.2021.4.14
> 	$ enterprises.ucdavis.memory.memBuffer = No Such Object available on
> this agent
>
> 	In fact I'm not able to get information on
> .1.3.6.1.4.1.2021.4.x (i.e. memory)
>

This means you have not enabled the appropriate MIB module in the agent 
before compiling the agent. Running
# ./configure --help
from the top level directory in the agent's source code distribution 
will show you how to include specific modules, as well as which modules 
are available, and a lot of other possible options.

To the list: Isn't there a FAQ about this? There should be one, listing 
the modules included in the agent as compiled by default.

-- 
A: No. See http://www.netmeister.org/news/learn2quote.html
Q: Should I include quotations after my reply ?




* newbie question
@ 2004-04-08 11:57 M. Ahmad Ijaz
  2004-04-08 12:02 ` Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 29+ messages in thread
From: M. Ahmad Ijaz @ 2004-04-08 11:57 UTC (permalink / raw)
  To: netfilter


Hi,

I just want to know a few things. I have installed Red Hat 9, and iptables is installed.

Now the thing is, I didn't know at first that I have to load the modules; I was getting the message

iptables: No chain/target/match by that name

so after a couple of searches I did find some help and I managed to apply a few commands, i.e.

modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -p icmp --icmp-type 8 -j DROP


All the above commands are accepted at the command prompt, but when I try to use this command

iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

where xxx is any IP and yyy is the subnet mask, it returns the same message, i.e.
iptables: No chain/target/match by that name

It also gives the same message with POSTROUTING.


Also, I don't want to load the modules and run the commands each time the system starts, so after I typed the commands I used the iptables-save command to save that. Is there any possibility of storing the commands and executing them when the system starts up?


* Re: newbie question
  2004-04-08 11:57 newbie question M. Ahmad Ijaz
@ 2004-04-08 12:02 ` Antony Stone
  2004-04-08 12:32   ` M. Ahmad Ijaz
  2004-04-08 12:32   ` Jeffrey Laramie
  2004-04-08 12:09 ` Frank Gruellich
  2004-04-08 16:26 ` Alexis
  2 siblings, 2 replies; 29+ messages in thread
From: Antony Stone @ 2004-04-08 12:02 UTC (permalink / raw)
  To: netfilter

On Thursday 08 April 2004 12:57 pm, M. Ahmad Ijaz wrote:

> when i try to use this command
>
> iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp
> --dport 80 -j REDIRECT --to-ports 8080
>
> where xxx is any IP and yyy is the subnet mask, it returns me the same
> message i.e. iptables: No chain/target/match by that name
>
> So it also give the same message with POSTROUTING.

You need a "-t nat" in there, to tell it the rule is going into the nat table 
of the PREROUTING chain, not the filter table (which is the default, but does 
not exist in PREROUTING).

Regards,

Antony.

-- 
People who use Microsoft software should be certified.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: newbie question
  2004-04-08 11:57 newbie question M. Ahmad Ijaz
  2004-04-08 12:02 ` Antony Stone
@ 2004-04-08 12:09 ` Frank Gruellich
  2004-04-09  4:33   ` M. Ahmad Ijaz
  2004-04-08 16:26 ` Alexis
  2 siblings, 1 reply; 29+ messages in thread
From: Frank Gruellich @ 2004-04-08 12:09 UTC (permalink / raw)
  To: netfilter

* M. Ahmad Ijaz <ahmad@netlogicbroadband.com>  8. Apr 04:
> hi,

Hello,

> modprobe ip_tables
> modprobe ip_conntrack
> modprobe iptable_nat
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> 
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -A INPUT -p icmp --icmp-type 8 -j DROP 
> 
> iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> 
> where xxx is any IP and yyy is the subnet mask, it returns me the same
> message i.e.  iptables: No chain/target/match by that name

Try

# iptables -t nat -A PREROUTING ...

Rules go into the filter table by default, if not specified otherwise,
but filter has no {PRE,POST}ROUTING.

> also i dont wana load the modules and the commands each time the
> system starts, so when i type the commands i used iptables-save
> command to save tat, also is there ne possibility where i can store
> the command and execute when system startsup

As a script somewhere in /etc/init.d/ and a symlink in
/etc/rc.$defaultrunlevel/.

HTH,
 regards, Frank.
-- 
Sigmentation fault


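As an added example (not code from the thread), a small Python checker that encodes what Antony and Frank explain above: a rule lands in the filter table unless -t says otherwise, and filter has no PREROUTING or POSTROUTING chain. It also records which chains the NAT targets are allowed in, so it flags the SNAT-in-PREROUTING rule from the first post in this thread as well as the missing -j and the single-dash -sport seen in other posts here; the chain layout is the classic one and user-defined chains are not modelled.

```python
"""Offline sanity check for iptables rule lines (constructed example).

It encodes the two facts the replies above explain: which built-in chains
each table has, and in which table and chain a NAT target may appear.
Given a rule line it returns the reasons iptables would refuse it, so a
firewall script can be linted before it is run as root.
"""
import shlex

# Built-in chains per table in the classic 2.4/2.6 layout (newer kernels
# also give nat an INPUT chain; that is left out here).
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}

# NAT targets are accepted only in particular chains of the nat table.
TARGET_CHAINS = {
    "SNAT": ("nat", {"POSTROUTING"}),
    "MASQUERADE": ("nat", {"POSTROUTING"}),
    "DNAT": ("nat", {"PREROUTING", "OUTPUT"}),
    "REDIRECT": ("nat", {"PREROUTING", "OUTPUT"}),
}

PORT_OPTIONS = {"--sport", "--dport", "--source-port", "--destination-port"}


def parse_rule(line):
    """Pick out the handful of fields the checks below need."""
    argv = shlex.split(line)
    if argv and argv[0].lower().endswith("iptables"):
        argv = argv[1:]  # drop the command name, "iptables" or $IPTABLES
    rule = {"table": "filter", "command": None, "chain": None,
            "target": None, "proto": None, "ports": False, "typos": []}
    i = 0
    while i < len(argv):
        arg, rest = argv[i], argv[i + 1:]
        if arg == "-t" and rest:
            rule["table"] = rest[0]
            i += 1
        elif arg in ("-A", "-I", "-D") and rest:
            rule["command"], rule["chain"] = arg, rest[0]
            i += 1
        elif arg == "-P" and rest:  # policy: -P CHAIN TARGET
            rule["command"], rule["chain"] = arg, rest[0]
            rule["target"] = rest[1] if len(rest) > 1 else None
            i += 2
        elif arg == "-j" and rest:
            rule["target"] = rest[0]
            i += 1
        elif arg == "-p" and rest:
            rule["proto"] = rest[0].lower()
            i += 1
        elif arg in PORT_OPTIONS:
            rule["ports"] = True
        elif arg in ("-sport", "-dport"):
            rule["typos"].append(arg)  # getopt reads "-sport" as "-s port"
        i += 1
    return rule


def check_rule(line):
    """Return the problems iptables would report for one rule ([] if none)."""
    r = parse_rule(line)
    problems = []
    chains = BUILTIN_CHAINS.get(r["table"])
    if chains is None:
        return ["unknown table %r" % r["table"]]
    if r["command"] is None:
        return ["no -A/-I/-D/-P command"]
    if r["chain"] not in chains:  # user-defined chains are not modelled
        owners = [t for t, c in BUILTIN_CHAINS.items() if r["chain"] in c]
        hint = " (add -t %s)" % owners[0] if owners else ""
        problems.append("table %s has no chain %s%s"
                        % (r["table"], r["chain"], hint))
    if r["command"] == "-P":
        if r["target"] not in ("ACCEPT", "DROP"):
            problems.append("policy must be ACCEPT or DROP, not %r"
                            % r["target"])
        return problems
    if r["target"] is None:
        problems.append("no -j target")
    elif r["target"] in TARGET_CHAINS:
        table, ok = TARGET_CHAINS[r["target"]]
        if r["table"] != table or r["chain"] not in ok:
            problems.append("%s is only valid in -t %s chain %s"
                            % (r["target"], table, "/".join(sorted(ok))))
    if r["ports"] and r["proto"] not in ("tcp", "udp"):
        problems.append("--sport/--dport need -p tcp or -p udp")
    for typo in r["typos"]:
        problems.append("%s is parsed as -%s %s; use -%s"
                        % (typo, typo[1], typo[2:], typo))
    return problems
```

Running `check_rule` over each line of a firewall script before executing it turns the bare "No chain/target/match by that name" into a message that names the table to add.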

* Re: newbie question
  2004-04-08 12:02 ` Antony Stone
@ 2004-04-08 12:32   ` M. Ahmad Ijaz
  2004-04-08 12:41     ` Antony Stone
  2004-04-08 12:43     ` ro0ot
  2004-04-08 12:32   ` Jeffrey Laramie
  1 sibling, 2 replies; 29+ messages in thread
From: M. Ahmad Ijaz @ 2004-04-08 12:32 UTC (permalink / raw)
  To: netfilter

do i know where to put that "-t nat"
 iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m
tcp --dport 80 -j REDIRECT --to-ports 8080





* Re: newbie question
  2004-04-08 12:02 ` Antony Stone
  2004-04-08 12:32   ` M. Ahmad Ijaz
@ 2004-04-08 12:32   ` Jeffrey Laramie
  2004-04-08 12:47     ` Antony Stone
  1 sibling, 1 reply; 29+ messages in thread
From: Jeffrey Laramie @ 2004-04-08 12:32 UTC (permalink / raw)
  To: netfilter

Hey Antony,

I just wanted to take a minute to say 'Thanks' for all the time you put in 
answering questions on this list. You probably help 10-15 people a day and 
while many thank you for your help, I want to say thanks for those of us who 
just listen in. I know that at least once a week I read one of your postings 
and think 'hmmm, I didn't know that'. Those postings get printed and added to 
my netfilter reference folder. You are a valuable asset to the list and I 
appreciate your effort. Thanks from all of us.

Jeff



* Re: newbie question
  2004-04-08 12:32   ` M. Ahmad Ijaz
@ 2004-04-08 12:41     ` Antony Stone
  2004-04-08 12:43     ` ro0ot
  1 sibling, 0 replies; 29+ messages in thread
From: Antony Stone @ 2004-04-08 12:41 UTC (permalink / raw)
  To: netfilter

On Thursday 08 April 2004 1:32 pm, M. Ahmad Ijaz wrote:

> do i know where to put that "-t nat"
>  iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m
> tcp --dport 80 -j REDIRECT --to-ports 8080

I don't know - do you?   I'll assume that you don't, since you've asked us...

My preference is to place it after the chain name:

iptables -A PREROUTING -t nat -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m
tcp --dport 80 -j REDIRECT --to-ports 8080

However other people sometimes place it before.

Regards,

Antony.

-- 
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: newbie question
  2004-04-08 12:32   ` M. Ahmad Ijaz
  2004-04-08 12:41     ` Antony Stone
@ 2004-04-08 12:43     ` ro0ot
  1 sibling, 0 replies; 29+ messages in thread
From: ro0ot @ 2004-04-08 12:43 UTC (permalink / raw)
  To: M. Ahmad Ijaz; +Cc: netfilter

iptables -t nat -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080


M. Ahmad Ijaz wrote:

>do i know where to put that "-t nat"
> iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m
>tcp --dport 80 -j REDIRECT --to-ports 8080






* Re: newbie question
  2004-04-08 12:32   ` Jeffrey Laramie
@ 2004-04-08 12:47     ` Antony Stone
  0 siblings, 0 replies; 29+ messages in thread
From: Antony Stone @ 2004-04-08 12:47 UTC (permalink / raw)
  To: netfilter

On Thursday 08 April 2004 1:32 pm, Jeffrey Laramie wrote:

> Hey Antony,
>
> I just wanted to take a minute to say 'Thanks' for all the time you put in
> answering questions on this list. You probably help 10-15 people a day and
> while many thank you for your help, I want to say thanks for those of us
> who just listen in.

Hey, thanks, it's nice to remember that there's a lot more people on this list 
than just those who post (questions or answers).

> I know that at least once a week I read one of your
> postings and think 'hmmm, I didn't know that'.

Good - in that case I'm doing a useful job :)   If I were posting replies 
which people thought "yes, I knew that - why didn't the questioner just look 
it up in a tutorial somewhere", then I'd probably just start saying "RTFM" or 
posting hyperlinks instead of explaining my answers.

> Those postings get printed and added to my netfilter reference folder. You
> are a valuable asset to the list and I appreciate your effort. Thanks from
> all of us.

Thank you.   I regard netfilter as a great system, and it's just my way of 
putting something back into Open Source.

Regards,

Antony.

-- 
G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o? 
w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5? 
!X- !R K--?




* Re: newbie question
  2004-04-08 11:57 newbie question M. Ahmad Ijaz
  2004-04-08 12:02 ` Antony Stone
  2004-04-08 12:09 ` Frank Gruellich
@ 2004-04-08 16:26 ` Alexis
  2 siblings, 0 replies; 29+ messages in thread
From: Alexis @ 2004-04-08 16:26 UTC (permalink / raw)
  To: netfilter, M. Ahmad Ijaz


you must specify the table.

with -t modif
  ----- Original Message ----- 
  From: M. Ahmad Ijaz 
  To: netfilter@lists.netfilter.org 
  Sent: Thursday, April 08, 2004 8:57 AM
  Subject: newbie question


  Hi,

  I just want to know a few things. I have installed Red Hat 9, and iptables is installed.

  Now the thing is, I didn't know at first that I have to load the modules; I was getting the message

  iptables: No chain/target/match by that name

  so after a couple of searches I did find some help and I managed to apply a few commands, i.e.

  modprobe ip_tables
  modprobe ip_conntrack
  modprobe iptable_nat
  modprobe ip_conntrack_ftp
  modprobe ip_nat_ftp

  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  iptables -A INPUT -p icmp --icmp-type 8 -j DROP 


  All the above commands are accepted at the command prompt, but when I try to use this command

  iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

  where xxx is any IP and yyy is the subnet mask, it returns the same message, i.e.
  iptables: No chain/target/match by that name

  It also gives the same message with POSTROUTING.


  Also, I don't want to load the modules and the commands each time the system starts, so when I typed the commands I used the iptables-save command to save that. Also, is there any possibility where I can store the commands and execute them when the system starts up?



* Re: newbie question
  2004-04-08 12:09 ` Frank Gruellich
@ 2004-04-09  4:33   ` M. Ahmad Ijaz
  0 siblings, 0 replies; 29+ messages in thread
From: M. Ahmad Ijaz @ 2004-04-09  4:33 UTC (permalink / raw)
  To: netfilter

Thanks for your reply; the first portion is solved, it's now working.

I typed all the commands as root and afterwards used the

iptables-save

command to commit, but when I restarted the system and used this command

iptables -L

it shows no rules. So how do I accomplish this? Also, quite frankly, I didn't get
it:

> As a script somewhere in /etc/init.d/ and a symlink in
> /etc/rc.$defaultrunlevel/.


Can you please tell me how to do it, as I'm new to it.

Regards.
Aejaz



----- Original Message ----- 
From: "Frank Gruellich" <frank@home.manuelm.org>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, April 08, 2004 5:09 PM
Subject: Re: newbie question


> * M. Ahmad Ijaz <ahmad@netlogicbroadband.com>  8. Apr 04:
> > hi,
>
> Hello,
>
> > modprobe ip_tables
> > modprobe ip_conntrack
> > modprobe iptable_nat
> > modprobe ip_conntrack_ftp
> > modprobe ip_nat_ftp
> >
> > iptables -P INPUT ACCEPT
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD DROP
> > iptables -A INPUT -p icmp --icmp-type 8 -j DROP
> >
> > iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> >
> > where xxx is any IP and yyy is the subnet mask, it returns the same
> > message, i.e.  iptables: No chain/target/match by that name
>
> Try
>
> # iptables -t nat -A PREROUTING ...
>
> Rules go into the filter table by default, if not specified otherwise,
> but filter has no {PRE,POST}ROUTING.
>
> > Also, I don't want to load the modules and the commands each time the
> > system starts, so when I typed the commands I used the iptables-save
> > command to save that. Also, is there any possibility where I can store
> > the commands and execute them when the system starts up?
>
> As a script somewhere in /etc/init.d/ and a symlink in
> /etc/rc.$defaultrunlevel/.
>
> HTH,
>  regards, Frank.
> -- 
> Sigmentation fault
>



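Frank's point (PREROUTING lives in the nat table, so the rule needs -t nat) and the follow-up question about surviving a reboot, as an added example that is not code from the thread. The init-script path, the rules-file path and the dry-run helper functions are assumptions; module names are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the thread: why "iptables -A PREROUTING ..." fails
# without "-t nat", and how to make a ruleset survive a reboot. File paths and
# the init-script layout are assumptions; adapt them to your distribution.

# Built-in chains of each table (filter, nat, mangle as on a 2.4/2.6 kernel;
# newer kernels add a "raw" table that also has PREROUTING and OUTPUT).
tables_for_chain() {   # usage: tables_for_chain <CHAIN>
    case "$1" in
        INPUT|FORWARD)          echo "filter mangle" ;;
        OUTPUT)                 echo "filter nat mangle" ;;
        PREROUTING|POSTROUTING) echo "nat mangle" ;;
        *)                      return 1 ;;
    esac
}

# iptables defaults to "-t filter", which has no PREROUTING chain; that is the
# "No chain/target/match by that name" error from the original post. Naming
# the table explicitly fixes it.
redirect_rule() {   # usage: redirect_rule <source-net> <dport> <to-port>
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$1" "$2" "$3"
}

# iptables-save only prints the live ruleset; it persists nothing by itself.
# Save it to a file once (iptables-save > RULES), then restore from an init
# script at boot (symlinked into /etc/rc<runlevel>.d/ as Frank describes).
write_restore_script() {   # usage: write_restore_script <script-path> <rules-file>
    cat > "$1" <<EOF
#!/bin/sh
# Restore the iptables ruleset saved with: iptables-save > $2
# Module names are the 2.4-era ones from the post (newer kernels: nf_conntrack).
for m in ip_tables ip_conntrack iptable_nat ip_conntrack_ftp ip_nat_ftp; do
    modprobe \$m 2>/dev/null
done
iptables-restore < $2
EOF
    chmod 755 "$1"
}
```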

* Newbie Question
@ 2004-06-08  4:16 mafioso1823
  2004-06-08 11:09 ` John A. Sullivan III
  0 siblings, 1 reply; 29+ messages in thread
From: mafioso1823 @ 2004-06-08  4:16 UTC (permalink / raw)
  To: netfilter

I am trying to use this piece of code that I found in my rc.firewall script,
but it doesn't seem to want to take it. Can anyone tell me why, or how I can
get this to work?

#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT



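What the four --tcp-flags rules in the post actually match, as an added example that is not part of the thread: it evaluates the mask/comparison semantics of --tcp-flags against a packet's flag byte, and shows that the repeated copies of the rules add nothing. Flag names and bit values are the TCP header ones; the helper function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate the four --tcp-flags rules from
# the post against a packet's TCP flag byte, to see what they actually drop.
# "--tcp-flags MASK COMP" matches when (flags & MASK) == COMP, so each rule
# tests only the bits listed in MASK. Flag bit values are the TCP header ones.

flags_to_mask() {   # usage: flags_to_mask FIN,SYN,... | NONE | ALL  -> prints integer
    mask=0
    case "$1" in
        NONE) echo 0; return ;;
        ALL)  echo 63; return ;;
    esac
    oldifs=$IFS; IFS=,
    for f in $1; do
        case "$f" in
            FIN) mask=$((mask | 1)) ;;  SYN) mask=$((mask | 2)) ;;
            RST) mask=$((mask | 4)) ;;  PSH) mask=$((mask | 8)) ;;
            ACK) mask=$((mask | 16)) ;; URG) mask=$((mask | 32)) ;;
            *) IFS=$oldifs; return 1 ;;
        esac
    done
    IFS=$oldifs
    echo "$mask"
}

# The post lists these four rules four times over; the repeats change nothing,
# because the first matching copy already jumps to DROP.
verdict() {   # usage: verdict <flags set on the packet, e.g. SYN,ACK>  -> DROP or ACCEPT
    pkt=$(flags_to_mask "$1") || { echo "bad flags: $1" >&2; return 1; }
    for rule in "FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG" \
                "FIN,SYN,RST,PSH,ACK,URG NONE" \
                "SYN,RST SYN,RST" \
                "FIN,SYN FIN,SYN"; do
        set -- $rule                      # $1 = MASK, $2 = COMP
        if [ $(( pkt & $(flags_to_mask "$1") )) -eq "$(flags_to_mask "$2")" ]; then
            echo DROP; return 0
        fi
    done
    echo ACCEPT
}
```

Normal traffic (a bare SYN, SYN,ACK, PSH,ACK) passes; only the contradictory or empty flag combinations the rules name are dropped.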

* Re: Newbie Question
  2004-06-08  4:16 Newbie Question mafioso1823
@ 2004-06-08 11:09 ` John A. Sullivan III
  0 siblings, 0 replies; 29+ messages in thread
From: John A. Sullivan III @ 2004-06-08 11:09 UTC (permalink / raw)
  To: mafioso1823; +Cc: netfilter

On Tue, 2004-06-08 at 00:16, mafioso1823@contourmediagroup.com wrote:
> I am trying to use this piece of code that i found in my rc.firewall script
> but it doesn't seem to want to take it can anyone tell me why or how i can
> get this to work?
> 
> #The Mangle portion of the ruleset. Here is where unwanted packet types get
> dropped.
> #This helps in making port scans against your server a bit more time
> consuming and difficult, but not impossible.
> *mangle
> :PREROUTING ACCEPT [444:43563]
> :INPUT ACCEPT [444:43563]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [402:144198]
> :POSTROUTING ACCEPT [402:144198]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
> FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
Hmm . . . loaded fine for me -- I assume the word wrapping on the long
lines was caused by your e-mail editor and does not exist in your file.
What happens when you try to load it?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 




* newbie question
@ 2009-07-30 18:03 Gergely Buday
  0 siblings, 0 replies; 29+ messages in thread
From: Gergely Buday @ 2009-07-30 18:03 UTC (permalink / raw)
  To: netfilter

Dear All,

I have a basic question: I need to enable a cvs server to telnet back
to port 2401 as described at

http://forums.fedoraforum.org/archive/index.php/t-37342.html

---
> $ cvs login
> Logging in to :pserver:rob@<hostname>:2401/home/repository
> CVS password:
> cvs [login aborted]: connect to <hostname>(<IP address>):2401
> failed: No route to host
>
> I've verified that the network is up, that I can ssh into the
> server, that xinetd is running, that cvspserver is on, that the
> CVS repo is unchanged from what it was before the re-install,
> etc. I'm not sure what else I might be checking.

You should be able to telnet into your server from a remote system
on port 2401 to your pserver box. If not, perhaps you haven't
opened up your iptables firewall for access to this port?
---

How can I do that with iptables temporarily?

- Gergely

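One way to do the temporary opening Gergely asks about, as an added example that is not a reply from the thread: insert an ACCEPT for TCP/2401 at the top of INPUT, run the connectivity check, and delete the identical rule again whatever the result. The IPTABLES variable (set it to "echo" for a dry run) and the function name are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the thread: allow TCP/2401 (cvs pserver) in INPUT
# only while a connectivity check runs, then remove the rule again. Setting
# IPTABLES=echo gives a dry run; that variable is this script's own convention.
IPTABLES=${IPTABLES:-iptables}

allow_port_while() {   # usage: allow_port_while <port> <command> [args...]
    port=$1; shift
    # -I (insert at the top) so an earlier DROP/REJECT in INPUT cannot shadow it
    $IPTABLES -I INPUT -p tcp --dport "$port" -j ACCEPT || return 1
    "$@"; rc=$?
    # -D with the identical match removes exactly this rule, whatever the
    # outcome of the command; if the command was interrupted, run the -D by hand.
    $IPTABLES -D INPUT -p tcp --dport "$port" -j ACCEPT
    return $rc
}

# e.g. (nc assumed installed, hostname constructed):
#   allow_port_while 2401 nc -z cvs.example.test 2401
```

Once the check succeeds, the same -I line without the -D, saved with iptables-save, makes the opening permanent.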
