* RE: Problems with DNS
From: Cedric Blancher @ 2003-09-06 12:49 UTC
To: Владимир Потапов
Cc: netfilter

On Sat 06/09/2003 at 12:53, Владимир Потапов wrote:
> And which chain do I need to add to the ruleset?

Just rewrite your ruleset as follows:

# nat table
-A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p tcp -j DNAT \
    --to-destination 192.168.5.2
-A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p udp -j DNAT \
    --to-destination 192.168.5.2
-A POSTROUTING -t nat -o eth0 -j SNAT --to-source 121.1.1.1

# filter table
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
    --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
    --state NEW -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
    --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
    --state NEW -p udp -m udp --dport 53 -j ACCEPT

It should provide the same filtering functionality you wanted, plus returning packets accepted through the ESTABLISHED,RELATED rule. If you really want to restrict it to TCP and UDP only, just replace this rule with two more specific ones:

-A FORWARD -m state --state ESTABLISHED,RELATED -p udp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT

I removed rules that seem redundant, in particular your TCP flags check rule, which was replaced by adding the --syn switch. I also restricted inbound DNS filtering to 192.168.5.2 only.

Hope this helps.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

^ permalink raw reply [flat|nested] 7+ messages in thread
* Re[2]: Problems with DNS
From: "Vladimir Potapov" @ 2003-09-08 12:51 UTC
To: "Cedric Blancher"; Cc: netfilter

I cannot add these rules with --syn, because iptables gives me the error: bad argument '--syn'. If I write these rules without the --syn argument, the iptables rules apply successfully. If I write rules with chain NEW but without the --syn argument, will my packet filter accept (or forward) new packets without --syn?

> On Sat 06/09/2003 at 12:53, Владимир Потапов wrote:
> > And which chain do I need to add to the ruleset?
>
> Just rewrite your ruleset as follows:
>
> # nat table
> -A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p tcp -j DNAT \
>     --to-destination 192.168.5.2
> -A PREROUTING -t nat -d 121.1.1.1 -i eth0 -p udp -j DNAT \
>     --to-destination 192.168.5.2
> -A POSTROUTING -t nat -o eth0 -j SNAT --to-source 121.1.1.1
>
> # filter table
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
>     --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
> -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state \
>     --state NEW -p udp -m udp --dport 53 -j ACCEPT
> -A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
>     --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
> -A FORWARD -s 192.168.5.0/255.255.255.0 -i eth1 -o eth0 -m state \
>     --state NEW -p udp -m udp --dport 53 -j ACCEPT
>
> It should provide the same filtering functionality you wanted, plus
> returning packets accepted through the ESTABLISHED,RELATED rule. If you really
> want to restrict it to TCP and UDP only, just replace this rule with two
> more specific ones:
>
> -A FORWARD -m state --state ESTABLISHED,RELATED -p udp -j ACCEPT
> -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
>
> I removed rules that seem redundant, in particular your TCP flags check
> rule, which was replaced by adding the --syn switch. I also restricted
> inbound DNS filtering to 192.168.5.2 only.
>
> Hope this helps.
>
> -- 
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: Re[2]: Problems with DNS
From: Cedric Blancher @ 2003-09-08 13:44 UTC
To: "Vladimir Potapov"; Cc: netfilter

On Mon 08/09/2003 at 14:51, "Vladimir Potapov" wrote:
> I cannot add these rules with --syn, because iptables gives me the error:
> bad argument '--syn'.

Strange...

root@elendil:~# iptables --version
iptables v1.2.8
root@elendil:~# iptables -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
root@elendil:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.5.2          state NEW tcp dpt:domain flags:SYN,RST,ACK/SYN

Are you sure you specify the TCP protocol together with --syn? --syn is only valid for TCP. If you specify another protocol, or no protocol at all, you'll get an error:

root@elendil:~# iptables -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state --state NEW --syn -j ACCEPT
iptables v1.2.8: Unknown arg `--syn'
Try `iptables -h' or 'iptables --help' for more information.

> If I write these rules without the --syn argument, the iptables rules
> apply successfully. If I write rules with chain NEW but without the --syn
> argument, will my packet filter accept (or forward) new packets without
> --syn?

If you don't specify --syn, both SYN and non-SYN packets with state NEW will be accepted.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
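The two failure modes in this exchange, a rule that names --syn without -p tcp (rejected by iptables with the "Unknown arg" error shown above) and a rule that accepts TCP in state NEW without --syn (which also lets through a non-SYN packet that conntrack has not seen, since such packets are classified NEW by default), are easy to lint for before loading a ruleset. The script below is an added example, not code from the thread or from the netfilter project. It reads iptables-save / iptables-restore style text; the sample dump is constructed for the example from the FORWARD rules above with the two mistakes reintroduced. It also flags --syn placed before -p tcp, because iptables parses options left to right and only knows --syn once the tcp match is loaded.

```python
"""Lint an iptables-save style dump for the --syn pitfalls discussed above.

Added example, not code from the thread or from the netfilter project.
Accepted input is what iptables-save prints: '*table', ':CHAIN POLICY [p:b]',
'-A CHAIN ...' rule lines, 'COMMIT' and '#' comments.
"""
import shlex
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    problem: str


def first_index(toks, *names):
    """Index of the first token matching any of names, or None."""
    return next((i for i, t in enumerate(toks) if t in names), None)


def option_value(toks, *names):
    """Value following the first of the given option names, or None."""
    i = first_index(toks, *names)
    return toks[i + 1] if i is not None and i + 1 < len(toks) else None


def lint_rule(line_no, line):
    """Check one '-A/-I CHAIN ...' line; return the Findings for it."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] not in ("-A", "-I"):
        return []
    proto = (option_value(toks, "-p", "--protocol") or "").lower()
    if proto == "6":                      # numeric form of tcp
        proto = "tcp"
    p_idx = first_index(toks, "-p", "--protocol")
    syn_idx = first_index(toks, "--syn", "--tcp-flags")
    target = option_value(toks, "-j", "--jump")
    # state match (-m state --state) or conntrack match (-m conntrack --ctstate)
    states = {s.upper() for s in
              (option_value(toks, "--state", "--ctstate") or "").split(",") if s}

    findings = []
    if syn_idx is not None and (proto != "tcp" or p_idx > syn_idx):
        findings.append(Finding(
            line_no, line,
            "--syn/--tcp-flags requires -p tcp before it "
            "(iptables rejects this with: Unknown arg `--syn')"))
    if proto == "tcp" and "NEW" in states and target == "ACCEPT" and syn_idx is None:
        findings.append(Finding(
            line_no, line,
            "ACCEPT of NEW tcp without --syn: a non-SYN packet conntrack "
            "has not seen is also NEW and would be accepted"))
    return findings


def lint(dump):
    """Lint a whole dump; returns Findings in line order."""
    findings = []
    for line_no, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        findings.extend(lint_rule(line_no, line))
    return findings


# Constructed sample: the thread's FORWARD rules plus the two mistakes.
SAMPLE_DUMP = """*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.5.2/32 -i eth0 -o eth1 -m state --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A FORWARD -d 192.168.5.2/32 -i eth0 -o eth1 -m state --state NEW -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.5.2/32 -i eth0 -o eth1 -m state --state NEW --syn -j ACCEPT
-A FORWARD -d 192.168.5.2/32 -i eth0 -o eth1 -m state --state NEW -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # Usage: iptables-save | python3 lint_syn.py   (or no stdin: lint the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for f in lint(text):
        print(f"line {f.line_no}: {f.problem}\n    {f.rule}")
```

Run it against the output of iptables-save before committing a ruleset to /etc/sysconfig/iptables; on the sample it reports line 5 (NEW tcp accepted without --syn) and line 6 (--syn without -p tcp).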
* RE: Re[2]: Problems with DNS
From: Vladimir Potapov @ 2003-09-08 15:13 UTC
To: Cedric Blancher; Cc: netfilter

I edited /etc/sysconfig/iptables and iptables gave me the error. Now I add the rules from the console and they apply OK. Thank you.

-----Original Message-----
From: Cedric Blancher [mailto:blancher@cartel-securite.fr]
Sent: Monday, September 08, 2003 5:45 PM
To: Vladimir Potapov
Cc: netfilter@lists.netfilter.org
Subject: Re: Re[2]: Problems with DNS

On Mon 08/09/2003 at 14:51, "Vladimir Potapov" wrote:
> I cannot add these rules with --syn, because iptables gives me the error:
> bad argument '--syn'.

Strange...

root@elendil:~# iptables --version
iptables v1.2.8
root@elendil:~# iptables -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
root@elendil:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.5.2          state NEW tcp dpt:domain flags:SYN,RST,ACK/SYN

Are you sure you specify the TCP protocol together with --syn? --syn is only valid for TCP. If you specify another protocol, or no protocol at all, you'll get an error:

root@elendil:~# iptables -A FORWARD -d 192.168.5.2/255.255.255.255 -i eth0 -o eth1 -m state --state NEW --syn -j ACCEPT
iptables v1.2.8: Unknown arg `--syn'
Try `iptables -h' or 'iptables --help' for more information.

> If I write these rules without the --syn argument, the iptables rules
> apply successfully. If I write rules with chain NEW but without the --syn
> argument, will my packet filter accept (or forward) new packets without
> --syn?

If you don't specify --syn, both SYN and non-SYN packets with state NEW will be accepted.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* iptables ceases to work after night
From: "Vladimir Potapov" @ 2003-09-11 6:39 UTC
To: "Cedric Blancher"; Cc: netfilter

Yesterday evening my packet filter with iptables worked fine. This morning I see that it does not forward packets from the DMZ to the local network and back. And I see this every morning. After I reboot my machine it works fine. I think my 3Com cards have some bugs. In the log there are no entries about this.

My rules are:

#Allow from local to DMZ and back
-A FORWARD -d 192.168.1.0/255.255.255.0 -i eth1 -o eth2 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
* Re: iptables ceases to work after night
From: Pascal Vilarem @ 2003-09-11 10:55 UTC
To: netfilter

What does iptables-save return in the morning? Is it different from what it returns when forwarding is OK?

If you find differences... there is something to find that alters the netfilter config (a firewall script? something like an iptables-restore script?).

If you don't find differences:
- check to see if resetting netfilter and giving it the config again is enough... if yes, I'd suggest updating netfilter and perhaps the kernel...
- stop netfilter and check if something can go through your netcard... if not, I'd suggest checking the driver of the netcard... and perhaps the netcard itself.

Hope this can help,
Pascal

Vladimir Potapov wrote:
> Yesterday evening my packet filter with iptables worked fine. This morning I see that it does not forward packets from the DMZ to the local network and back. And I see this every morning. After I reboot my machine it works fine. I think my 3Com cards have some bugs. In the log there are no entries about this.
>
> My rules are:
>
> #Allow from local to DMZ and back
> -A FORWARD -d 192.168.1.0/255.255.255.0 -i eth1 -o eth2 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
* Re: iptables ceases to work after night
From: Pascal Vilarem @ 2003-09-11 11:17 UTC
To: netfilter

What does iptables-save return in the morning? Is it different from what it returns when forwarding is OK?

If you find differences... there is something to find that alters the netfilter config (a firewall script? something like an iptables-restore script?).

If you don't find differences:
- check if the ip_forward parameter is still 1 (maybe there's something that switches it off at night?)
- stop netfilter and check if something can go through your netcard... if not, I'd suggest checking the driver of the netcard... and perhaps the netcard itself. If yes, forget this point.
- check to see if resetting netfilter and giving it the config again is enough... -> maybe there's a memory problem that drives your netfilter version to crash
- check the known bugs related to your kernel version and your netfilter version... you'd maybe have to compile a new kernel...

Hope this can help,
Pascal

Vladimir Potapov wrote:
> Yesterday evening my packet filter with iptables worked fine. This morning I see that it does not forward packets from the DMZ to the local network and back. And I see this every morning. After I reboot my machine it works fine. I think my 3Com cards have some bugs. In the log there are no entries about this.
>
> My rules are:
>
> #Allow from local to DMZ and back
> -A FORWARD -d 192.168.1.0/255.255.255.0 -i eth1 -o eth2 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.5.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
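Both of Pascal's replies come down to the same procedure: record what iptables-save and the ip_forward sysctl say while forwarding works, record them again when it has stopped, and diff the two. The script below is an added example, not code from the thread; it implements that snapshot-and-diff so the morning comparison is mechanical rather than by eye. take_snapshot() runs the real commands and needs root; compare() works on saved snapshots and is what the constructed sample at the bottom exercises. The conntrack count/max paths are an assumption for current kernels (added here because a full conntrack table is another way forwarding stops without any rule changing; 2.4-era kernels exposed these under /proc/sys/net/ipv4/netfilter/ instead), and the sample dumps are constructed from the FORWARD rules in the message above.

```python
"""Snapshot forwarding state and diff a known-good snapshot against a broken one.

Added example, not code from the thread. Usage:
    python3 fwdiff.py snapshot good.json      # run while forwarding works
    python3 fwdiff.py snapshot bad.json       # run the morning it has stopped
    python3 fwdiff.py compare good.json bad.json
"""
import difflib
import json
import subprocess
import sys
from pathlib import Path

# Files read by take_snapshot(). The conntrack paths are an assumption for
# current kernels; adjust to /proc/sys/net/ipv4/netfilter/ip_conntrack_* on 2.4.
SYSCTLS = {
    "ip_forward": "/proc/sys/net/ipv4/ip_forward",
    "conntrack_count": "/proc/sys/net/netfilter/nf_conntrack_count",
    "conntrack_max": "/proc/sys/net/netfilter/nf_conntrack_max",
}


def take_snapshot():
    """Collect iptables-save output plus the sysctls above (requires root)."""
    rules = subprocess.run(["iptables-save"], capture_output=True,
                           text=True, check=True).stdout
    snap = {"rules": rules}
    for name, path in SYSCTLS.items():
        p = Path(path)
        snap[name] = p.read_text().strip() if p.exists() else None
    return snap


def normalise_rules(text):
    """Drop what legitimately differs between two dumps of one ruleset: the
    '# Generated by' / '# Completed on' timestamps and the [pkts:bytes]
    counters on chain policy lines."""
    lines = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            line = line.split(" [", 1)[0]
        lines.append(line)
    return lines


def compare(good, bad):
    """Return differences worth chasing; an empty list means the snapshots agree."""
    problems = []
    for name in ("ip_forward", "conntrack_max"):
        if good.get(name) != bad.get(name):
            problems.append(f"{name} changed: {good.get(name)} -> {bad.get(name)}")
    try:  # a full conntrack table drops new flows with nothing in the ruleset changing
        if int(bad["conntrack_count"]) >= int(bad["conntrack_max"]):
            problems.append("conntrack table full")
    except (KeyError, TypeError, ValueError):
        pass
    diff = list(difflib.unified_diff(normalise_rules(good["rules"]),
                                     normalise_rules(bad["rules"]),
                                     "good", "bad", n=0, lineterm=""))
    if diff:
        problems.append("ruleset changed:\n" + "\n".join(diff))
    return problems


# Constructed sample snapshots (not real captures). The broken one has
# ip_forward switched off and one FORWARD rule missing.
GOOD_SNAPSHOT = {
    "ip_forward": "1", "conntrack_count": "1421", "conntrack_max": "65536",
    "rules": """# Generated by iptables-save v1.2.8 on Wed Sep 10 22:00:01 2003
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:8888]
-A FORWARD -d 192.168.1.0/24 -i eth1 -o eth2 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.5.0/24 -i eth2 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.5.0/24 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
COMMIT
# Completed on Wed Sep 10 22:00:01 2003
""",
}
BAD_SNAPSHOT = {
    "ip_forward": "0", "conntrack_count": "1500", "conntrack_max": "65536",
    "rules": """# Generated by iptables-save v1.2.8 on Thu Sep 11 07:30:12 2003
*filter
:INPUT ACCEPT [4321:98765]
:FORWARD DROP [17:1020]
:OUTPUT ACCEPT [120:9000]
-A FORWARD -d 192.168.1.0/24 -i eth1 -o eth2 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.5.0/24 -i eth2 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Sep 11 07:30:12 2003
""",
}

if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "snapshot":
        Path(sys.argv[2]).write_text(json.dumps(take_snapshot(), indent=1))
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        good, bad = (json.loads(Path(p).read_text()) for p in sys.argv[2:4])
        print("\n".join(compare(good, bad)) or "no differences")
    else:  # no arguments: show the constructed sample
        print("\n".join(compare(GOOD_SNAPSHOT, BAD_SNAPSHOT)))
```

Take the good snapshot from cron in the evening and the bad one by hand in the morning. If compare() prints nothing and forwarding is still broken, the ruleset and sysctls are not the cause, which is the branch where Pascal's netcard and kernel checks come in.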
Thread overview: 7+ messages
[not found] <HMEKJPOHJKKBIDHGBCMDIEGLCAAA.varyag18@mail.ru>
2003-09-06 12:49 ` Problems with DNS Cedric Blancher
2003-09-08 12:51 ` Re[2]: " "Vladimir Potapov"
2003-09-08 13:44 ` Cedric Blancher
2003-09-08 15:13 ` Vladimir Potapov
2003-09-11 6:39 ` iptables ceases to work after night "Vladimir Potapov"
2003-09-11 10:55 ` Pascal Vilarem
2003-09-11 11:17 ` Pascal Vilarem