* iptables
From: Paulo Andre @ 2002-06-10 14:06 UTC
To: Netfilter (E-mail)
I have an Exchange server that needs to send mail out. The firewall
(iptables) is set up as follows:
iptables -A FORWARD -s (mail srv) -p tcp --dport 25 -j ACCEPT
The mail server comes back with a "Host unreachable" error, and nslookup and
traceroute take me to the destination fine. Anyone have any ideas?
* Re: iptables
From: Antony Stone @ 2002-06-10 19:27 UTC
To: Netfilter (E-mail)
On Monday 10 June 2002 3:06 pm, Paulo Andre wrote:
> I have an Exchange server
You have our sympathies...
> that needs to send mail out, the firewall
> (iptables) is set up as follows:
>
> iptables -A FORWARD -s (mail srv) -p tcp --dport 25 -j ACCEPT
>
> The mail server comes back with a "Host unreachable" error, and nslookup
> and traceroute take me to the destination fine. Anyone have any ideas?
Try putting a rule at the start of your FORWARD chain:
iptables -I FORWARD -s (mail srv) -j LOG --log-prefix "Exchg Svr"
And see if it's doing something strange....
Antony
* Re: iptables
From: Matthew Hellman @ 2002-06-11 2:23 UTC
To: Paulo Andre, Netfilter (E-mail)
Try telnetting from the Exchange server to a mail server on the Internet.
* Re: iptables
From: Matthew Hellman @ 2002-06-11 2:24 UTC
To: Paulo Andre, Netfilter (E-mail)
Oops. Make sure you use port 25 though:
c:\> telnet mailserver.domain.com 25
* Iptables
From: Paulo Andre @ 2002-06-13 9:03 UTC
To: Netfilter (E-mail)
I use iptables-1.2.6a and ulog.
Has anyone written a script that will go through the log files and filter
out the stats that management require (e.g. daily number of port scans,
telnet/SSH attempts, etc.)?
Thanks
Paulo
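A worked example added here, not code from Antony, Paulo or the netfilter project: Antony's LOG rule at the top of FORWARD (earlier in this thread) produces kernel log lines in the fixed IN= OUT= SRC= DST= ... PROTO= SPT= DPT= layout that the LOG target writes, and ulogd's LOGEMU output emulates the same layout, so one sh/awk script answers both his "see what it's doing" and Paulo's request for daily stats. The log lines below are constructed, the addresses are from the documentation ranges, and the prefixes "Exchg Svr" and "FW-DROP " are assumed. Antony's prefix has no trailing space, so the kernel glues it to the IN= field ("Exchg SvrIN=eth1"); the prefix extractor therefore works on the raw line rather than on whitespace-split tokens, and log_field cannot recover IN= from such a line, which is the practical reason to end every --log-prefix with a space.

```shell
#!/bin/sh
# Added example: parse and summarise netfilter LOG-format lines (the format the
# LOG target writes to the kernel log and ulogd's LOGEMU output emulates).

# Constructed sample lines; addresses are from the documentation ranges.
# "Exchg Svr" is Antony's prefix written without a trailing space, so it is
# glued to IN=, exactly as the LOG target prints it. "FW-DROP " is an assumed
# prefix for packets dropped at the INPUT policy.
SAMPLE_LOG='Jun 10 14:06:01 fw kernel: Exchg SvrIN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1234 DF PROTO=TCP SPT=1025 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 10 14:06:04 fw kernel: Exchg SvrIN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1235 DF PROTO=TCP SPT=1025 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 10 14:07:13 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 14:07:13 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 14:07:14 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44323 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 14:07:14 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44324 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 10 14:09:50 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=3344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Value of the KEY= field in one log line ($1 = line, $2 = key); empty if absent.
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
    }'
}

# Number of TCP packets logged with destination port $2 in the log text $1.
count_to_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /PROTO=TCP/ { for (i = 1; i <= NF; i++) if ($i == "DPT=" port) { n++; break } }
        END { print n + 0 }'
}

# "count prefix" per --log-prefix, most frequent first. The prefix is whatever
# sits between "kernel: " and "IN=", so it survives a missing trailing space.
count_by_prefix() {
    printf '%s\n' "$1" | awk '{
        s = index($0, "kernel: "); e = index($0, "IN=")
        if (s > 0 && e > s) {
            p = substr($0, s + 8, e - s - 8); sub(/ +$/, "", p); c[p]++
        }
    }
    END { for (p in c) print c[p], p }' | sort -rn
}

# Sources that probed at least $2 distinct TCP ports: a crude port-scan count
# that is good enough for a daily management figure.
port_scanners() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "SRC=") == 1) src = substr($i, 5)
                if (index($i, "DPT=") == 1) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s }' | sort
}

# The summary management asked for, over one log file's worth of text.
daily_report() {
    echo "packets logged:         $(printf '%s\n' "$1" | grep -c 'PROTO=')"
    echo "ssh attempts (22):      $(count_to_port "$1" 22)"
    echo "telnet attempts (23):   $(count_to_port "$1" 23)"
    echo "port scanners (>=3 ports):"
    port_scanners "$1" 3 | sed 's/^/  /'
    echo "hits per log prefix:"
    count_by_prefix "$1" | sed 's/^/  /'
}

# Usage: sh fwstats.sh /var/log/messages   (or --demo for the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    daily_report "$SAMPLE_LOG"
elif [ -n "${1:-}" ] && [ -f "$1" ]; then
    daily_report "$(grep ' kernel: ' "$1")"
fi
```

Run it against the day's messages file from cron and mail the output; the "distinct ports per source" heuristic is deliberately simple, so raise the threshold if a busy web server makes ordinary clients look like scanners.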
* iptables
From: luigicart @ 2002-06-28 13:28 UTC
To: netfilter
Hi, I'm Luigi. When I type any iptables command, the shell says:
/lib/modules/2.4.7-10/net/ipv4/netfilter/ip_tables.o: init_module:
Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters,
including invalid IO or IRQ parameters
/lib/modules/2.4.7-10/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/Kernel/net/ipv4/netfilter/ip_tables.o
failed
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables
failed
iptables v1.2.3: can't initialize iptables table 'filter': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Why???????
Thank you very much
Luigi
* Re: iptables
From: Antony Stone @ 2002-06-28 13:45 UTC
To: netfilter
On Friday 28 June 2002 2:28 pm, luigicart@tin.it wrote:
> Hi, I'm Luigi. When I type any iptables command, the shell says:
> /lib/modules/2.4.7-10/net/ipv4/netfilter/ip_tables.o: init_module:
> Device or resource busy
> Hint: insmod errors can be caused by incorrect module parameters,
> including invalid IO or IRQ parameters
> /lib/modules/2.4.7-10/net/ipv4/netfilter/ip_tables.o: insmod
> /lib/modules/Kernel/net/ipv4/netfilter/ip_tables.o failed
> /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o :insmod
> ip_tables failed
> iptables v1.2.3: can't initialize iptables table 'filter' :iptables who?
> (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
You could try compiling all your netfilter stuff into the kernel instead of
loading it as modules - that's the way I always do it.
Antony.
* Re: iptables
From: Tom Eastep @ 2002-06-28 13:48 UTC
To: luigicart@tin.it; +Cc: netfilter@samba.org
On Fri, 28 Jun 2002, luigicart@tin.it wrote:
> Hi, I'm Luigi. When I type any iptables command, the shell says:
> /lib/modules/2.4.7-10/net/ipv4/netfilter/ip_tables.o: init_module:
> Device or resource busy
> Hint: insmod errors can be caused by incorrect module parameters,
> including invalid IO or IRQ parameters
> /lib/modules/2.4.7-10/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/Kernel/net/ipv4/netfilter/ip_tables.o
> failed
> /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o :insmod ip_tables
> failed
> iptables v1.2.3: can't initialize iptables table 'filter' :iptables who?
> (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Why???????
See http://www.shorewall.net/FAQ.htm#faq8
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
* RE: iptables
From: Joe Patterson @ 2002-06-28 14:00 UTC
To: luigicart, netfilter
Do an lsmod and see if ipchains is loaded. My bet is that you're on a stock
RH box. Those load up ipchains whether you want them to or not. If I'm
right, a command like `rmmod ipchains` should clear it up until the next
reboot, and `chkconfig ipchains off` and/or `chkconfig --del ipchains`
should keep the problem from coming back.
-Joe
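Joe's diagnosis turned into a check, as an added example that is not code from Joe or from the thread: on 2.4 kernels the ipchains and ipfwadm compatibility modules are mutually exclusive with ip_tables, which is what the "Device or resource busy" from init_module above means. The lsmod output is constructed to look like a stock Red Hat 7.x box; the rmmod and chkconfig commands are the Red Hat fix Joe describes, printed rather than executed so the script can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example: check for the ipchains/ipfwadm compatibility modules that
# keep ip_tables from loading on a 2.4 kernel, and print the fix Joe describes.

# Constructed lsmod output in the style of a stock Red Hat 7.x box (the sizes
# and use counts are made up).
SAMPLE_LSMOD='Module                  Size  Used by
ipchains               38976   0  (unused)
autofs                 11264   0  (autoclean) (unused)
eepro100               17776   1
usb-uhci               21636   0  (unused)'

# Modules that are mutually exclusive with ip_tables on 2.4 kernels.
CONFLICTING="ipchains ipfwadm"

# Print the conflicting module names present in lsmod-style text ($1), one per line.
conflicting_modules() {
    printf '%s\n' "$1" | awk -v list="$CONFLICTING" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) bad[names[i]] = 1 }
        NR > 1 && ($1 in bad) { print $1 }'
}

# Print the commands that unload each conflicting module now and keep the
# Red Hat init script from loading it again at boot.
remediation_commands() {
    conflicting_modules "$1" | while read -r mod; do
        echo "rmmod $mod"
        echo "chkconfig $mod off"
        echo "chkconfig --del $mod"
    done
}

# Live check against the running kernel: 0 if ip_tables can load, 1 otherwise.
check_live() {
    loaded=$(lsmod 2>/dev/null || true)
    found=$(conflicting_modules "$loaded")
    if [ -n "$found" ]; then
        echo "ip_tables cannot load while these modules are present:" $found >&2
        echo "suggested fix:" >&2
        remediation_commands "$loaded" >&2
        return 1
    fi
    echo "no ipchains/ipfwadm module loaded; ip_tables should insmod cleanly"
}

# Usage: sh ipt-preflight.sh --check   (run as root before the firewall script)
if [ "${1:-}" = "--check" ]; then check_live; fi
```

Running this as the first step of an rc.firewall turns Luigi's cryptic insmod failure into a one-line explanation and the exact commands to fix it.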
* IPtables
From: Jet @ 2003-01-17 9:20 UTC
To: netfilter@lists
Can anyone please verify whether iptables is vulnerable to the following
Bugtraq ID?
http://www.securityfocus.com/bid/6534
Based on my testing (1.2.7a), it is vulnerable too.
- Jet
Security Analyst
email: jchan@trusecure.com
* iptables
From: VASIF MUSAOGULLARI @ 2003-01-19 17:30 UTC
To: netfilter
I have a problem with firewall settings - timeout.
We installed SuSE 7.3 for PPC onto a logical partition of an IBM iSeries
machine.
Everything is fine. It is the firewall of the system.
But it disconnects the clients if they are idle for 12 minutes. I guess the
default timeout is set to 12 minutes.
How can I increase the timeout?
What should I add to the iptables definitions?
Or is there any other way to increase this timeout?
I need your urgent response please...
Thanks in advance,
-vas
* Re: iptables
From: Erdal Mutlu @ 2003-01-21 11:42 UTC
To: VASIF MUSAOGULLARI; +Cc: netfilter
On Sun, 19 Jan 2003, VASIF MUSAOGULLARI wrote:
>
> I have a problem with firewall settings - timeout.
> We installed Suse 7.3 for ppc onto a Logical Partition of an IBM iSeries
> machine.
>
> Everything is fine. It is the firewall of the system.
> But, it disconnects the clients if they are idle for 12 minutes. I guess
> default timeout is set to 12 minutes.
> How can I increase the timeout time?
> What should I add to the iptables definitions ?
> Or is there any other way to increase this timeout time ?
>
> I need your urgent response please...
> Thanks in advance,
> -vas
Hello,
Which version of iptables and kernel are you using?
What kind of connections are disconnected?
Best regards.
Erdal Mutlu
System Administrator
Du-Pont-Strasse 1
D-61352 Bad Homburg
Tel.: +49 6172 484 - 447
Fax: +49 6172 484 - 5447
email: emutlu@fonts.de
http://www.linotypelibrary.com
http://www.fonts.de
* iptables
From: Guss @ 2003-02-27 18:04 UTC
To: netfilter
Hi,
on my operating system, SuSE 8.0, I could not find the entries:
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/proc/sys/net/ipv4/icmp_destunreach_rate
/proc/sys/net/ipv4/icmp_echoreply_rate
/proc/sys/net/ipv4/icmp_paramprob_rate
/proc/sys/net/ipv4/icmp_timeexeceed_rate
so on the first test of my beginner script I got error messages: "Can't find
it"
and the error message "$IPTABLES -P unknown".
The script is from the book 'Das Firewallbuch' from SuSE (Germany).
Thanks for help!
W. Guss
* iptables
From: Star Fire @ 2003-04-23 5:17 UTC
To: netfilter
Dear group,
I'm quite new to iptables and using 1.2.6a. We have a Linux box opened to the
net and behind that is an ISA server doing the proxying for the users. We
have implemented incident reporting on it and are continuously getting alerts
that there are port scan attempts on the internal ISA server. I have enabled
established and related traffic through my firewall. Can you please tell me
how this happens?
Question number 2 is: can someone put my Linux server's external IP address as
a gateway address and do a port scan of our internal ISA server, which has a
192.168 range IP? If so, how can I stop this through iptables?
Thanks for your time.
* IPTABLES
From: lfps @ 2003-04-28 18:29 UTC
To: netfilter
I have a manual about iptables that I downloaded from the Net, and I was very pleased
to find something in Portuguese, since almost everything is in English and unfortunately
I am not very good at English.
I wanted to ask whether you know of any site, or some other manual, that covers
firewalls on Linux, because I am doing an internship and have to research firewalls,
with IPTABLES perhaps being one of the good options. Please help me!!!
The manual I had access to was the "Linux 2.4 Packet Filtering HOWTO (Revision
1.19 2001/05/26)".
PS: I chose Linux because I was told it would be the best for security!
Thanks in advance, hoping for a reply!
* iptables
From: Wan System S.R.L. @ 2003-05-26 13:34 UTC
To: netfilter
I have installed Red Hat 8.0 with iptables 1.27a to do NAT. I have 2 network cards.
The computers on the internal net have MS Windows XP. The web doesn't have any problem. When they try to use FTP it gives the following error:
200 ASCII tastes bad, dude.
500 Illegal PORT command.
500 Unknow command.
Please, some tip.
Thanks,
wansys
* Re: iptables
From: Pedro C. Arias @ 2003-05-26 15:27 UTC
To: Wan System S.R.L., netfilter
Add the ip_conntrack_ftp and ip_nat_ftp modules.
Regards,
Pedro
Rosario - Argentina.
* Iptables
From: jean-francois fleury @ 2004-01-28 11:12 UTC
To: netfilter
[-- Attachment #1: Type: text/html, Size: 1449 bytes --]
* Re: Iptables
From: Jeffrey Laramie @ 2004-01-28 13:25 UTC
To: netfilter
jean-francois fleury wrote:
>
> I'm new to iptables but I've been working on it since last month to
> build up a rule set.
> I have a Linux box with 3 interfaces:
>
> Eth0 = $EXT (connected to ppp0, ADSL provider)
>
> Eth1 = $DMZ (only a web server for now)
> Eth2 = $INT (my main computer (net surfing) and one for IDS,
> tcpdump, backup, etc.)
>
> Basically, I know I'm not the only one with this kind of setup, I'm sure
> ;) . First I want
> to access my web server from the $INT to $DMZ to manage it, I want to
> access
> the internet $INT to $EXT (it can be $PPP0) and a few other things such as
> SSH from
> inside and outside, give full access inside ($INT and in my $DMZ) to my
> IDS. And like everyone else, good rules. What I would like is a set of
> rules
> already made for this kind of network, that works but I can personalize
> it. Is
> there someone with this kind of rules so I can start with something?
>
Take a look here: http://iptables-tutorial.frozentux.net/
This is an excellent tutorial and has several examples including one
similar to your configuration.
> If you want my actual rules I can send them. Thanks
>
> PS: Sorry for my English but I write basically in French.
>
Your English is better than my French :-)
Jeff
* Iptables
From: Ivan Zagvozkine @ 2004-01-31 8:39 UTC
To: netfilter
Hi All,
I do not know much about iptables, and have a question to ask you.
I have a network setup:
Red Hat 9.0 (two interfaces: eth0 connected to the Internet and eth1 connected to the LAN, but the LAN has public addresses)
eth0 - Internet - public address
eth1 - LAN - public addresses
I would like to allow all outbound traffic and not allow inbound; the clients behind the firewall need to use VPN and internet browsing, so that is why we need to have public addresses.
Could anyone tell me what simple firewall script I need to apply on Red Hat 9.0 to achieve this?
Regards
Ivan Zagvozkine
izagvozkin@yahoo.com.au
* iptables
From: mustafa hassan @ 2004-02-27 2:23 UTC
To: netfilter
Hi all,
Please solve my problem because I have to complete my
assignment.
I'm having a problem: when I set up transparent
redirection with the following command
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 80
I get an error message from Squid as follows.
When I try to access, say,
http://www.face-pic.com/dawson48
Squid gives me an error:
----------------------------------------------------------------
While trying to retrieve the URL: /dawsoon48
The following error was encountered:
Invalid URL
Some aspect of the requested URL is incorrect.
Possible problems:
Missing or incorrect access protocol (should be
`http://' or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not
allowed
----------------------------------------------------------------
It automatically eliminates the portion
http://www.face-pic.com
while if I set my browser to use the proxy I don't get
this error; instead everything works fine.
Please help me out.
=====
Mustafa Hassan Malik
(Khadim Hussain)
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
* iptables
From: Alejandro Cabrera Obed @ 2004-05-27 17:51 UTC
To: Netfilter lista (iptables)
* Iptables
From: Contact @ 2004-09-28 5:07 UTC
To: netfilter
Hi,
I'm new to iptables and having a problem grasping the concept as well as the
syntax. I have read a lot of sites on this but am just not getting it. First -
running rules. From what I can gather I need to have an rc.firewall file
with the various rules and such in it - and have this started at boot. Am I
close? Second - the syntax. I want to be able to allow my local LAN full
access to the Linux box (Slackware 10). I also have a website which I want
to allow everyone - except for a few domains and IPs, SSH which I want to
allow only certain IPs or domains, and Samba which I want to allow only my
local LAN. This is where I'm really confused putting this all together. If
someone could explain this in plain English - or put me on to a really easy
iptables-for-dummies type site, it would be appreciated.
This box is attached to a Linksys router and does not act as a NAT.
It is just a simple little setup on a p166.
Thanks
* RE: Iptables
From: Rob Sterenborg @ 2004-09-28 5:25 UTC
To: 'Contact', netfilter
netfilter-bounces@lists.netfilter.org wrote:
> Hi,
>
> I'm new to iptables and having a problem grasping the concept as well
> as the syntax. I have read a lot of sites on this but just not
> getting it. First - running rules. From what I can gather I need to
> have an rc.firewall file with the various rules and such in it - and
The filename depends on your system and/or what you define to be a
startup script.
> have this started at boot. Am I close? Second - the syntax. I want
> to be able to allow my local LAN full access to the Linux box
> (Slackware 10). I also have a website which I want to allow everyone
Ah. Slack. Yes, if you put a rc.firewall file in /etc/rc.d and do a
"chmod 700 rc.firewall" there, it will start at boot (if I read rc.inet2
correctly).
> - except for a few domains and IP's, SSH which I want to allow only
> certain IP's or domains, and Samba which I want to allow only my
> local LAN. This is where I'm really confused putting this all
> together. If someone could explain this in plain english - or put me
> on to a really easy iptables for dummies type site, it would be
> appreciated.
>
> This box is behind attached to a Linksys router and does not act as a
> NAT. It is just a simple little setup on a p166.
Okay. You want to close your box as much as possible :
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT # because in the beginning it will cause \
# you headaches if you DROP this
Next, allow related and established connections :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Allow full access from LAN :
iptables -A INPUT -i <if_lan> -s <net_lan> -j ACCEPT
Allow access to website (running on the firewall box I assume) :
iptables -A INPUT -i <if_inet> -s <ip_to_deny> -p tcp --dport 80 \
-j DROP
...Repeat for any disallowed host...
iptables -A INPUT -i <if_inet> -p tcp --dport 80 -j ACCEPT
Allow access to SSH :
iptables -A INPUT -i <if_inet> -s <ip_allowed_host> -p tcp \
--dport 22 -j ACCEPT
...Repeat for any allowed host...
You already opened up your box for your LAN. That includes Samba so you
don't need a rule for this.
Do you also want internet access for your LAN clients ?
iptables -A FORWARD -i <if_lan> -o <if_inet> -s <net_lan> \
-j ACCEPT
iptables -t nat -A POSTROUTING -o <if_inet> -s <net_lan> \
-j SNAT --to-source <ip_inet>
A good reading site includes Oskar's :
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Gr,
Rob
* RE: Iptables
From: Contact @ 2004-09-28 8:19 UTC
To: 'Rob Sterenborg', netfilter
This helps a bit, but still way out of my league - there is a lot of stuff
to remember. In the many sites, including the one you list below, they talk
of various configurations before ever getting to the rules - is this
necessary?
i.e.
INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"
LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"
Then a bunch of modules are loaded....
Are <if_lan>, <net_lan> and <if_inet> reserved commands, or do I need to put
something in here? I am assuming these are variables and tie in with the
above - not sure though.
Note: All the other LAN clients have access to the internet via the Linksys
router, as does the Linux box. The router is my gateway....
One last thing. Is there a way to block an entire domain, i.e. domain.com, or
an entire IP block, i.e. 24.168.1.0/24?
Thanks
* Re: Iptables
From: John A. Sullivan III @ 2004-09-28 10:36 UTC
To: Contact; +Cc: netfilter
On Tue, 2004-09-28 at 01:07, Contact wrote:
> Hi,
>
> I'm new to iptables and having a problem grasping the concept as well as the
> syntax. I have read a lot of sites on this but just not getting it. First -
> running rules. From what I can gather I need to have an rc.firewall file
> with the various rules and such in it - and have this started at boot. Am I
> close? Second - the syntax. I want to be able to allow my local LAN full
> access to the Linux box (Slackware 10). I also have a website which I want
> to allow everyone - except for a few domains and IP's, SSH which I want to
> allow only certain IP's or domains, and Samba which I want to allow only my
> local LAN. This is where I'm really confused putting this all together. If
> someone could explain this in plain english - or put me on to a really easy
> iptables for dummies type site, it would be appreciated.
>
> This box is attached to a Linksys router and does not act as a NAT.
> It is just a simple little setup on a p166.
>
> Thanks
>
I found Oskar Andreasson's tutorial most helpful
(http://iptables-tutorial.frozentux.net/iptables-tutorial.html). You
can also find some slightly dated slide show training sessions at
http://iscs.sourceforge.net Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* RE: Iptables
From: Jason Opperisano @ 2004-09-28 14:04 UTC
To: netfilter
On Tue, 2004-09-28 at 04:19, Contact wrote:
> This helps a bit, but still way out of my league - there is a lot of stuff
> to remember. In the many sites, including the one you list below, they talk
> of various configurations before ever getting to the rules - is this
> necessary?
>
> i.e.
>
> INET_IP="194.236.50.155"
> INET_IFACE="eth0"
> INET_BROADCAST="194.236.50.255"
>
> LAN_IP="192.168.0.2"
> LAN_IP_RANGE="192.168.0.0/16"
> LAN_IFACE="eth1"
necessary, no. but it is a standard scripting practice that makes your
life easier. would you rather specify "eth0" 50 times in your script,
and then have to change it 50 times when something hardware-wise
changes? or just change one thing that says "INET_IF=eth0"
> Then a bunch of modules are loaded....
almost all modules are loaded automatically as needed by the kernel.
you should explicitly load "helper" modules that you expect to need;
i.e.,
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
> Are <if_lan>, <net_lan> and <if_inet> reserved commands or do I need to put
> something in here. I am assuming these are variables and tie in with the
> above - not sure though.
there are no such reserved words/commands with respect to iptables. it
simply does what you tell it to.
> Note: All the other LAN clients have access to the internet via the Linksys
> router as does the Linux box. The router is my gateway....
>
> One last thing. Is there a way to block an entire domain i.e. domain.com or
> an entire IP block i.e 24.168.1.0/24.
domain--no, not really.
IP block--yes:
-s 24.168.1.0/24
-d 24.168.1.0/24
> Thanks
no prob. i know it's already been recommended once, but you really
should hit this up and down:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
-j
--
Jason Opperisano <opie@817west.com>
* Re: Iptables
2004-09-28 8:19 ` Iptables Contact
2004-09-28 14:04 ` Iptables Jason Opperisano
@ 2004-09-28 14:09 ` Aleksandar Milivojevic
1 sibling, 0 replies; 56+ messages in thread
From: Aleksandar Milivojevic @ 2004-09-28 14:09 UTC (permalink / raw)
To: netfilter
Contact wrote:
> This helps a bit, but still way out of my league - there is a lot of stuff
> to remember. In the many sites, including the one you list below, they talk
> of various configurations before ever getting to the rules - is this
> necessary?
>
> i.e.
>
> INET_IP="194.236.50.155"
> INET_IFACE="eth0"
> INET_BROADCAST="194.236.50.255"
Those are variables in shell script. Basically they are there to make
your life easier when you need to modify something. These two will do
the same:
iptables -A INPUT -i eth0 .....
INET_IFACE="eth0"
iptables -A INPUT -i "$INET_IFACE" .....
> Then a bunch of modules are loaded....
Most of them you don't need to load by hand (they'll get loaded
automatically). There are few exceptions, such as ip_nat_ftp module
that needs to be loaded explicitly (if you need it, that is).
> Are <if_lan>, <net_lan> and <if_inet> reserved commands or do I need to put
> something in here. I am assuming these are variables and tie in with the
> above - not sure though.
Those are the places in Rob's examples where you need to fill in your
data. For example you would change <if_inet> to eth0 or "$INET_IFACE".
> One last thing. Is there a way to block an entire domain i.e. domain.com or
> an entire IP block i.e 24.168.1.0/24.
You can block only by IP address (host or network). You can't block by
domain name (which would be a useless feature even if it were possible,
luring people into a false sense of security).
--
Aleksandar Milivojevic <amilivojevic@pbl.ca>
Systems Administrator
Tel: (204) 474-2323 ext 276
Pollard Banknote Limited
1499 Buffalo Place
Winnipeg, MB R3T 1L7
* Re: Iptables
2004-09-28 5:07 Iptables Contact
2004-09-28 5:25 ` Iptables Rob Sterenborg
2004-09-28 10:36 ` Iptables John A. Sullivan III
@ 2004-09-28 14:27 ` Jose Maria Lopez
2 siblings, 0 replies; 56+ messages in thread
From: Jose Maria Lopez @ 2004-09-28 14:27 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
On Tue, 28 Sep 2004 at 07:07, Contact wrote:
> Hi,
>
> I'm new to iptables and having a problem grasping the concept as well as the
> syntax. I have read a lot of sites on this but just not getting it. First -
> running rules. From what I can gather I need to have an rc.firewall file
> with the various rules and such in it - and have this started at boot. Am I
> close? Second - the syntax. I want to be able to allow my local LAN full
> access to the Linux box (Slackware 10). I also have a website which I want
> to allow everyone - except for a few domains and IP's, SSH which I want to
> allow only certain IP's or domains, and Samba which I want to allow only my
> local LAN. This is where I'm really confused putting this all together. If
> someone could explain this in plain english - or put me on to a really easy
> iptables for dummies type site, it would be appreciated.
>
> This box is behind attached to a Linksys router and does not act as a NAT.
> It is just a simple little setup on a p166.
>
> Thanks
>
Read the Iptables Tutorial from
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
it explains everything you want to do and more.
--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
* iptables
@ 2005-01-31 11:16 Andrzej
0 siblings, 0 replies; 56+ messages in thread
From: Andrzej @ 2005-01-31 11:16 UTC (permalink / raw)
To: netfilter
Dear All,
I have a Linux router with 3 NIC cards.
One is the internet interface, the second is my LAN network and the third is
a public-address network.
I am using iptables. My LAN network works perfectly, filtering packets. I
have problems with my public-address network - I would like this network
to work without any filtering and just can't do it.
Could you give me advice on how to bypass iptables or how to set up iptables to
route traffic to the public addresses without any filtering?
Best regards
Andy
* iptables
@ 2005-01-31 11:31 Alabama
2005-01-31 12:02 ` iptables John A. Sullivan III
[not found] ` <5.2.0.9.0.20050131135158.02a9dec0@poczta.interia.pl>
0 siblings, 2 replies; 56+ messages in thread
From: Alabama @ 2005-01-31 11:31 UTC (permalink / raw)
To: netfilter
Dear All,
I have a Linux router with 3 NIC cards.
One is the internet interface, the second is my LAN network and the third is
a public-address network.
I am using iptables. My LAN network works perfectly, filtering packets. I
have problems with my public-address network - I would like this network
to work without any filtering and just can't do it.
Could you give me advice on how to bypass iptables or how to set up iptables to
route traffic to the public addresses without any filtering?
Best regards
Andy
* Re: iptables
2005-01-31 11:31 iptables Alabama
@ 2005-01-31 12:02 ` John A. Sullivan III
[not found] ` <5.2.0.9.0.20050131135158.02a9dec0@poczta.interia.pl>
1 sibling, 0 replies; 56+ messages in thread
From: John A. Sullivan III @ 2005-01-31 12:02 UTC (permalink / raw)
To: Alabama; +Cc: netfilter
Alabama wrote:
> Dear All,
> I have a Linux router with 3 NIC cards.
> One is the internet interface, the second is my LAN network and the third is
> a public-address network.
> I am using iptables. My LAN network works perfectly, filtering packets. I
> have problems with my public-address network - I would like this
> network to work without any filtering and just can't do it.
> Could you give me advice on how to bypass iptables or how to set up iptables
> to route traffic to the public addresses without any filtering?
> Best regards
> Andy
I do not know the details of your installation so there may be a good
reason for you to do this but I would normally never recommend no
filtering even, perhaps especially, to a DMZ.
In any event, you can probably regulate the traffic using the
interfaces, e.g.,
iptables -I FORWARD 1 -i eth0 -o eth2 -j ACCEPT
iptables -I FORWARD 1 -i eth2 -o eth0 -j ACCEPT
That's what comes to mind off the top of my head. Good luck and, unless
you have a really good reason, I would not recommend doing this. If the
problem is just the complexity of managing changing security on the DMZ,
consider a GUI front end like fwbuilder (http://www.fwbuilder.org) or,
for large and highly complex environments ISCS
(http://iscs.sourceforge.net) when it is ready - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: iptables
[not found] ` <5.2.0.9.0.20050131135158.02a9dec0@poczta.interia.pl>
@ 2005-01-31 13:18 ` John A. Sullivan III
0 siblings, 0 replies; 56+ messages in thread
From: John A. Sullivan III @ 2005-01-31 13:18 UTC (permalink / raw)
To: Alabama, netfilter
Which interfaces are used for your public and DMZ networks? Are you using
DNAT for your DMZ servers? If so, have you remembered to bind the
addresses for those servers using iproute2? If you are unfamiliar with
doing this, there are some slide shows in the training section of
http://iscs.sourceforge.net that deal with iptables and iproute2 - John
Alabama wrote:
> Hello
> I am afraid it does not work. Output works perfectly but I cannot use
> any of the input services, e.g. ftp, www etc.
> Under the public addresses I have my clients and do not want to block
> any ports or services for them
> Best regards
> Andy
> At 06:48 05-01-31 -0500, you wrote:
>
>> Alabama wrote:
>>
>>> Dear All,
>>> I have a Linux router with 3 NIC cards.
>>> One is the internet interface, the second is my LAN network and the third is
>>> a public-address network.
>>> I am using iptables. My LAN network works perfectly, filtering
>>> packets. I have problems with my public-address network - I would
>>> like this network to work without any filtering and just can't do it.
>>> Could you give me advice on how to bypass iptables or how to set up
>>> iptables to route traffic to the public addresses without any filtering?
>>> Best regards
>>> Andy
>> I do not know the details of your installation so there may be a good
>> reason for you to do this but I would normally never recommend no
>> filtering even, perhaps especially, to a DMZ.
>>
>> In any event, you can probably regulate the traffic using the
>> interfaces, e.g.,
>>
>> iptables -I FORWARD 1 -i eth0 -o eth2 -j ACCEPT
>> iptables -I FORWARD 1 -i eth2 -o eth0 -j ACCEPT
>>
>> That's what comes to mind off the top of my head. Good luck and,
>> unless you have a really good reason, I would not recommend doing
>> this. If the problem is just the complexity of managing changing
>> security on the DMZ, consider a GUI front end like fwbuilder
>> (http://www.fwbuilder.org) or, for large and highly complex
>> environments ISCS (http://iscs.sourceforge.net) when it is ready - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
* Iptables
@ 2005-05-18 21:04 Limbert Fuentes Quiroga
0 siblings, 0 replies; 56+ messages in thread
From: Limbert Fuentes Quiroga @ 2005-05-18 21:04 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
Dear All
Could you please help me configure my firewall server to block all ports on
the interface that is connected to the internet (except ports 25 and 53, which
are forwarded to the DMZ server), and also to restrict the users of my LAN so
that they can only reach the internet through the transparent proxy (Squid)
that is installed on my DMZ server.
I attach the file with the configuration of my firewall server.
Thanks and regards
[-- Attachment #2: Firewall-DMZ.doc --]
[-- Type: APPLICATION/msword, Size: 37376 bytes --]
* Iptables
@ 2005-05-19 17:45 Chadley Wilson
2005-05-19 19:33 ` Iptables Jason Opperisano
0 siblings, 1 reply; 56+ messages in thread
From: Chadley Wilson @ 2005-05-19 17:45 UTC (permalink / raw)
To: netfilter
Greetings,
Sort of still a newbie with iptables! I've been at it for a while, but
struggle to understand when things don't work when I think they are right.
OK, here's the problem:
I have a DNS server configured, master zone on the int network, slave is the external DNS
box.
DHCP server only internal.
Iptables must do the following:
allow one int IP (me) to the external interface for everything. (the external
interface is actually our other internal network which has the gateway to the
internet)
When I set my default policy to DROP, my DNS and Windows file sharing from the
ext network don't work. My mail and internet still work. I have removed the
broken lines and set my policy back to ACCEPT. But I would feel much safer if
it were DROP and only allowed services that I choose. As it is now, I can
access the net, mail and Windows file shares, the DNS for the FTP server is
working and all is bliss.
How do I make this more secure?
etel is our gateway
my router has 6 cards in it: 5 are bond0 and 1 is eth0, int and ext respectively.
Attached is my iptables file.
Please could someone show me what is wrong, I can't figure it out.
--
Chadley Wilson
Redhat Certified Technician
Cert Number: 603004708291270
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================
[-- Attachment #2: iptables --]
[-- Type: text/plain, Size: 3183 bytes --]
######## Firewall Setup ##################
######## Config ##################
#set -x
ipt="/usr/sbin/iptables"
ext="eth0"
int="bond0"
lo="127.0.0.1"
chad="192.168.2.5"
etel="196.25.100.28"
#################################################
#################################################
#### ####
#### BASIC SETUP ####
#### ####
#################################################
#Enable IP Forwarding
echo "1" >> /proc/sys/net/ipv4/ip_forward
#Clear All Tables
${ipt} -t filter -F
${ipt} -t nat -F
## Allow all from local interfaces [localhost]
${ipt} -t filter -A INPUT -s ${lo} -j ACCEPT
## Allow all prerouting
${ipt} -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
${ipt} -t nat -A PREROUTING -s 196.25.100.5/255.255.255.0 -j ACCEPT
## Allow all forwarding
${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -m state --state RELATED,ESTABLISHED -j ACCEPT
${ipt} -t filter -A FORWARD -i ${ext} -o ${int} -m state --state RELATED,ESTABLISHED -j ACCEPT
## Allow pings
${ipt} -t filter -A INPUT -p icmp -j ACCEPT
## Keep established connections on all interfaces
${ipt} -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
${ipt} -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
## Accept www from internet {ext}
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 80 -j ACCEPT
#################################################
#### ####
#### RULES ####
#### ####
#################################################
## Masquerade {chad} outgoing to internet
${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -j MASQUERADE
${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -j ACCEPT
## Accept SSH from {etel}
${ipt} -t filter -A INPUT -i ${ext} -s ${etel} -p tcp --dport 22 -j ACCEPT
## Accept ssh from all internal
${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 22 -j ACCEPT
## Accept telnet
${ipt} -t filter -A INPUT -p tcp --dport 23 -j ACCEPT
${ipt} -t filter -A INPUT -p udp --dport 23 -j ACCEPT
## Accept incoming SMTP
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 25 -j ACCEPT
## Accept external POP3
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 110 -j ACCEPT
## Allow mail from ext to int
${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Allow DNS updates
${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 53 -j ACCEPT
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 53 -j ACCEPT
## Accept all from local interfaces
${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
## Drop all the rest, incoming , and forward between interfaces
#${ipt} -t filter -A INPUT -j DROP
#${ipt} -t filter -A FORWARD -j DROP
### END OF FIREWALL ###
* Re: Iptables
2005-05-19 17:45 Iptables Chadley Wilson
@ 2005-05-19 19:33 ` Jason Opperisano
2005-05-19 20:13 ` Iptables Chadley Wilson
0 siblings, 1 reply; 56+ messages in thread
From: Jason Opperisano @ 2005-05-19 19:33 UTC (permalink / raw)
To: netfilter
On Thu, May 19, 2005 at 07:45:22PM +0200, Chadley Wilson wrote:
> Greetings,
>
> Sort of still a newbie with iptables! I've been at it for a while, but
> struggle to understand when things don't work when I think they are right.
>
> OK, here's the problem:
>
> I have a DNS server configured, master zone on the int network, slave is the external DNS
> box.
>
> DHCP server only internal.
>
> Iptables must do the following:
> allow one int IP (me) to the external interface for everything. (the external
> interface is actually our other internal network which has the gateway to the
> internet)
>
> When I set my default policy to DROP, my DNS and Windows file sharing from the
> ext network don't work. My mail and internet still work. I have removed the
> broken lines and set my policy back to ACCEPT. But I would feel much safer if
> it were DROP and only allowed services that I choose. As it is now, I can
> access the net, mail and Windows file shares, the DNS for the FTP server is
> working and all is bliss.
> How do I make this more secure?
>
> etel is our gateway
> my router has 6 cards in it: 5 are bond0 and 1 is eth0, int and ext respectively.
>
> Attached is my iptables file.
>
> Please could someone show me what is wrong, I can't figure it out.
> ######## Firewall Setup ##################
> ######## Config ##################
> #set -x
> ipt="/usr/sbin/iptables"
> ext="eth0"
> int="bond0"
> lo="127.0.0.1"
> chad="192.168.2.5"
> etel="196.25.100.28"
> #################################################
>
> #################################################
> #### ####
> #### BASIC SETUP ####
> #### ####
> #################################################
>
> #Enable IP Forwarding
> echo "1" >> /proc/sys/net/ipv4/ip_forward
>
> #Clear All Tables
> ${ipt} -t filter -F
> ${ipt} -t nat -F
there's also a mangle table...
iptables -t mangle -F
> ## Allow all from local interfaces [localhost]
> ${ipt} -t filter -A INPUT -s ${lo} -j ACCEPT
>
>
> ## Allow all prerouting
> ${ipt} -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
> ${ipt} -t nat -A PREROUTING -s 196.25.100.5/255.255.255.0 -j ACCEPT
um--what exactly are you trying to accomplish with these?
> ## Allow all forwarding
> ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -m state --state RELATED,ESTABLISHED -j ACCEPT
> ${ipt} -t filter -A FORWARD -i ${ext} -o ${int} -m state --state RELATED,ESTABLISHED -j ACCEPT
how about just:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> ## Allow pings
> ${ipt} -t filter -A INPUT -p icmp -j ACCEPT
>
> ## Keep established connections on all interfaces
> ${ipt} -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
we just did this above...
> ${ipt} -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ## Accept www from internet {ext}
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 80 -j ACCEPT
you run a web server on your firewall?
> #################################################
> #### ####
> #### RULES ####
> #### ####
> #################################################
>
> ## Masquerade {chad} outgoing to internet
> ${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -j MASQUERADE
> ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -j ACCEPT
>
> ## Accept SSH from {etel}
> ${ipt} -t filter -A INPUT -i ${ext} -s ${etel} -p tcp --dport 22 -j ACCEPT
>
> ## Accept ssh from all internal
> ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 22 -j ACCEPT
>
> ## Accept telnet
> ${ipt} -t filter -A INPUT -p tcp --dport 23 -j ACCEPT
> ${ipt} -t filter -A INPUT -p udp --dport 23 -j ACCEPT
1) telnet only uses TCP, not UDP.
2) telnet? c'mon, what is this? 1997?
> ## Accept incoming SMTP
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 25 -j ACCEPT
>
> ## Accept external POP3
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 110 -j ACCEPT
you run SMTP and POP3 servers on your firewall too? i'm sensing a
pattern here...
> ## Allow mail from ext to int
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT
um--we've already ACCEPTed all ESTABLISHED,RELATED packets in
FORWARD--so it's redundant to keep using them in rules. so we need to
create rules that allow packets that are NEW. if you're trying to allow
$chad to connect to 196.25.100.21 on SMTP and POP3--those should be
dport, not sport:
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
-d 196.25.100.21 --dport 25 -j ACCEPT
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
-d 196.25.100.21 --dport 110 -j ACCEPT
from the text of your message, you want to allow $chad out on any
service, though--right? then how about:
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad -j ACCEPT
(which you already have in here if we scroll back up a bit)
> ## Allow DNS updates
> ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 53 -j ACCEPT
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 53 -j ACCEPT
the DNS server runs on the firewall too, eh? how's about:
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
(you need TCP for zone transfers, and UDP for regular name resolution
requests)
> ## Accept all from local interfaces
> ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
> ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
a rule so nice, we need it twice?
> ## Drop all the rest, incoming , and forward between interfaces
> #${ipt} -t filter -A INPUT -j DROP
> #${ipt} -t filter -A FORWARD -j DROP
-j
--
"Peter: Hey, Brian. If cops are pigs, does that make you a Snausage?
Brian: Clever, Peter. Did you stay up all night writing that?
Peter: No, I got to bed around two, two-thirty."
--Family Guy
* Re: Iptables
2005-05-19 19:33 ` Iptables Jason Opperisano
@ 2005-05-19 20:13 ` Chadley Wilson
2005-05-19 21:43 ` Iptables Jason Opperisano
0 siblings, 1 reply; 56+ messages in thread
From: Chadley Wilson @ 2005-05-19 20:13 UTC (permalink / raw)
To: netfilter
On Thursday 19 May 2005 21:33, Jason Opperisano wrote:
> > ######## Firewall Setup ##################
> > ######## Config ##################
> > #set -x
> > ipt="/usr/sbin/iptables"
> > ext="eth0"
> > int="bond0"
> > lo="127.0.0.1"
> > chad="192.168.2.5"
> > etel="196.25.100.28"
> > #################################################
> >
> > #################################################
> > #### ####
> > #### BASIC SETUP ####
> > #### ####
> > #################################################
> >
> > #Enable IP Forwarding
> > echo "1" >> /proc/sys/net/ipv4/ip_forward
> >
> > #Clear All Tables
> > ${ipt} -t filter -F
> > ${ipt} -t nat -F
>
> there's also a mangle table...
How would the mangle table work for me?
Well actually, what does mangle do in English? I have read the man pages and
some docs I found on Google and tldp, but I don't quite grasp the idea.
> iptables -t mangle -F
>
> > ## Allow all from local interfaces [localhost]
> > ${ipt} -t filter -A INPUT -s ${lo} -j ACCEPT
> >
> >
> > ## Allow all prerouting
> > ${ipt} -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
> > ${ipt} -t nat -A PREROUTING -s 196.25.100.5/255.255.255.0 -j ACCEPT
>
> um--what exactly are you trying to accomplish with these?
I think it had something to do with setting the default policy to DROP and
having no access to any services; I never really worked out if this was the
cause.
>
> > ## Allow all forwarding
> > ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -m state --state RELATED,ESTABLISHED -j ACCEPT
> > ${ipt} -t filter -A FORWARD -i ${ext} -o ${int} -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> how about just:
Cool, I take it this achieves the same goal?
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> > ## Allow pings
> > ${ipt} -t filter -A INPUT -p icmp -j ACCEPT
> >
> > ## Keep established connections on all interfaces
> > ${ipt} -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> we just did this above...
> > ${ipt} -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > ## Accept www from internet {ext}
> > ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 80 -j ACCEPT
>
> you run a web server on your firewall?
Uh, no, I actually run an FTP server. I thought I needed to open port 80 to
access the internet. (As I said before, I am a newbie, still wet behind the
ears :) )
> > #################################################
> > #### ####
> > #### RULES ####
> > #### ####
> > #################################################
> >
> > ## Masquerade {chad} outgoing to internet
> > ${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -j MASQUERADE
> > ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -j ACCEPT
> >
> > ## Accept SSH from {etel}
> > ${ipt} -t filter -A INPUT -i ${ext} -s ${etel} -p tcp --dport 22 -j ACCEPT
> >
> > ## Accept ssh from all internal
> > ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 22 -j ACCEPT
> >
> > ## Accept telnet
> > ${ipt} -t filter -A INPUT -p tcp --dport 23 -j ACCEPT
> > ${ipt} -t filter -A INPUT -p udp --dport 23 -j ACCEPT
>
> 1) telnet only uses TCP, not UDP.
> 2) telnet? c'mon, what is this? 1997?
>
Our SCO Unix box has not got ssh and it is linked nationwide to 500 dial-up
and dial-in sites, all of which were set up in "1997" :} by someone else. So we
have to be able to telnet in and out of it. Often I have files on my server
which I need to access from a remote site via the SCO box using telnet. :(
> > ## Accept incoming SMTP
> > ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 25 -j ACCEPT
> >
> > ## Accept external POP3
> > ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 110 -j ACCEPT
>
> you run SMTP and POP3 servers on your firewall too? i'm sensing a
> pattern here...
No, but I need to be able to receive mail from my mailbox on the ${ext}
interface!
I take it this is wrong, hey!
>
> > ## Allow mail from ext to int
> > ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> um--we've already ACCEPTed all ESTABLISHED,RELATED packets in
> FORWARD--so it's redundant to keep using them in rules. so we need to
> create rules that allow packets that are NEW. if you're trying to allow
> $chad to connect to 196.25.100.21 on SMTP and POP3--those should be
> dport, not sport:
>
OK! I see the logic.
This is a new trick for me, thanks.
I haven't read about -d <ip_addr> before!
> iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
> -d 196.25.100.21 --dport 25 -j ACCEPT
>
> iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
> -d 196.25.100.21 --dport 110 -j ACCEPT
>
> from the text of you message, you want to allow $chad out on any
> service, though--right? then how about:
>
> iptables -A FORWARD -i $int -o $ext -p tcp -s $chad -j ACCEPT
>
> (which you already have in here if we scroll back up a bit)
>
> > ## Allow DNS updates
> > ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 53 -j ACCEPT
> > ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 53 -j ACCEPT
>
> the DNS server runs on the firewall too, eh? how's about:
>
Yes, the firewall is a DNS and DHCP server too. (I only have a Linux PC, so I make
it work.)
Currently, with the default policy ACCEPT on the 196.25.100.0 network, we can
resolve the ftp URL, i.e. ftp://ns.teq/
If I take out the ${ext} rule it doesn't work.
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> (you need TCP for zone transfers, and UDP for regular name resolution
> requests)
OK,
>
> > ## Accept all from local interfaces
> > ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
> > ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
>
> a rule so nice, we need it twice?
>
Oops, that's a mistake :)
> > ## Drop all the rest, incoming , and forward between interfaces
> > #${ipt} -t filter -A INPUT -j DROP
> > #${ipt} -t filter -A FORWARD -j DROP
>
> -j
>
Thanks Jason,
I have learnt quite a bit from this; I shall save this mail for future use.
By the way, this is my first attempt at my own firewall, mostly an effort to
learn and understand. I always used the Redhat default or Susefirewall2, but
am not confident that they do the job right; also I never really understood
how to customise them. Hence build your own, ha ha, not so easy when you
haven't got the knowledge, but I am sure I will get there.
Thanks again,
--
Chadley Wilson
Redhat Certified Technician
Cert Number: 603004708291270
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================
* Re: Iptables
2005-05-19 20:13 ` Iptables Chadley Wilson
@ 2005-05-19 21:43 ` Jason Opperisano
2005-05-20 5:38 ` Iptables Chadley Wilson
0 siblings, 1 reply; 56+ messages in thread
From: Jason Opperisano @ 2005-05-19 21:43 UTC (permalink / raw)
To: netfilter
On Thu, May 19, 2005 at 10:13:26PM +0200, Chadley Wilson wrote:
> I have learnt quite a bit from this; I shall save this mail for future use.
> By the way, this is my first attempt at my own firewall, mostly an effort to
> learn and understand. I always used the Redhat default or Susefirewall2, but
> am not confident that they do the job right; also I never really understood
> how to customise them. Hence build your own, ha ha, not so easy when you
> haven't got the knowledge, but I am sure I will get there.
might i suggest a reading of Oskar's tutorial:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
-j
--
"Peter: Oh, and sorry about that comment earlier. I have that disease
that makes you swear involuntarily. Sonofabitch. Sonofabitch.
Sonofabitch. See?"
--Family Guy
* Re: Iptables
2005-05-19 21:43 ` Iptables Jason Opperisano
@ 2005-05-20 5:38 ` Chadley Wilson
2005-05-20 5:50 ` Iptables Jason Opperisano
2005-05-20 6:04 ` Iptables Rob Sterenborg
0 siblings, 2 replies; 56+ messages in thread
From: Chadley Wilson @ 2005-05-20 5:38 UTC (permalink / raw)
To: Jason Opperisano, netfilter
On Thursday 19 May 2005 23:43, Jason Opperisano wrote:
> On Thu, May 19, 2005 at 10:13:26PM +0200, Chadley Wilson wrote:
> > I have learnt quite a bit from this; I shall save this mail for future
> > use. By the way, this is my first attempt at my own firewall, mostly an
> > effort to learn and understand. I always used the Redhat default or
> > Susefirewall2, but am not confident that they do the job right; also I
> > never really understood how to customise them. Hence build your own, ha
> > ha, not so easy when you haven't got the knowledge, but I am sure I will
> > get there.
>
> might i suggest a reading of Oskar's tutorial:
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> -j
>
> --
> "Peter: Oh, and sorry about that comment earlier. I have that disease
> that makes you swear involuntarily. Sonofabitch. Sonofabitch.
> Sonofabitch. See?"
> --Family Guy
Would it be safe to set the OUTPUT default policy to ACCEPT?
Every time I set it to DROP I get locked out, I suppose it has to do with the
fact that I have no rules for the OUTPUT chain.
--
Chadley Wilson
Redhat Certified Technician
Cert Number: 603004708291270
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: Iptables
2005-05-20 5:38 ` Iptables Chadley Wilson
@ 2005-05-20 5:50 ` Jason Opperisano
2005-05-20 6:04 ` Iptables Rob Sterenborg
1 sibling, 0 replies; 56+ messages in thread
From: Jason Opperisano @ 2005-05-20 5:50 UTC (permalink / raw)
To: netfilter
On Fri, May 20, 2005 at 07:38:57AM +0200, Chadley Wilson wrote:
> Would it be safe to set the OUTPUT default policy to ACCEPT?
> Every time I set it to DROP I get locked out, I suppose it has to do with the
> fact that I have no rules for the OUTPUT chain.
well, if you're not going to add any rules to OUTPUT, then--yeah, leave
it at ACCEPT. the OUTPUT policy as ACCEPT or DROP is really more of an
ideological debate than anything else. personally, i set mine to DROP
and only allow the traffic that is absolutely necessary to save me from
myself (i.e. don't tempt the fw admin to use the fw as a shell
account). things i deem necessary to allow out:
DNS
NTP
FTP/HTTP to update server IP's
ICMP
this is all politic, i don't intend any decree by the statements made
here.
-j
--
"Lois: What's going on?
Stewie: We're playing house.
Lois: The boy is all tied up.
Stewie: Roman Polanski's house."
--Family Guy
^ permalink raw reply [flat|nested] 56+ messages in thread
* RE: Iptables
2005-05-20 5:38 ` Iptables Chadley Wilson
2005-05-20 5:50 ` Iptables Jason Opperisano
@ 2005-05-20 6:04 ` Rob Sterenborg
2005-05-20 6:26 ` Iptables Rob Sterenborg
1 sibling, 1 reply; 56+ messages in thread
From: Rob Sterenborg @ 2005-05-20 6:04 UTC (permalink / raw)
To: Netfilter
> Would it be safe to set the OUTPUT default policy to ACCEPT?
> Every time I set it to DROP I get locked out, I suppose it
> has to do with the fact that I have no rules for the OUTPUT chain.
A lot of people set OUTPUT policy to ACCEPT.
You can always do something like :
$ipt -P OUTPUT DROP
$ipt -A OUTPUT -p tcp --sport 1024: -j ACCEPT
$ipt -A OUTPUT -p udp --sport 1024: -j ACCEPT
$ipt -A OUTPUT -p icmp -j ACCEPT
This way a program cannot pretend to be something like a web or mail
server. If you check "/proc/sys/net/ipv4/ip_local_port_range" you
see the local portrange (sport) your box will use. You can use this
range in your rules. E.g. you could use "32768:61000" (if that is your
range) instead of "1024:".
Gr,
Rob
^ permalink raw reply [flat|nested] 56+ messages in thread
* RE: Iptables
2005-05-20 6:04 ` Iptables Rob Sterenborg
@ 2005-05-20 6:26 ` Rob Sterenborg
0 siblings, 0 replies; 56+ messages in thread
From: Rob Sterenborg @ 2005-05-20 6:26 UTC (permalink / raw)
To: 'Netfilter'
>> Would it be safe to set the OUTPUT default policy to ACCEPT?
>> Every time I set it to DROP I get locked out, I suppose it
>> has to do with the fact that I have no rules for the OUTPUT chain.
>
> A lot of people set OUTPUT policy to ACCEPT.
> You can always do something like :
Forgot an important rule.. :
> $ipt -P OUTPUT DROP
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> $ipt -A OUTPUT -p tcp --sport 1024: -j ACCEPT
<...>
Gr,
Rob
^ permalink raw reply [flat|nested] 56+ messages in thread
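The two replies above take different lines. Jason allows by destination service; Rob allows by source port, so any connection opened from an unprivileged source port may leave, a listener on 80 or 25 cannot answer out, but every client program on the box still can. Both need an ESTABLISHED,RELATED rule in OUTPUT, and its absence is what locks Chadley out: with policy DROP and no rules the firewall drops its own SSH replies. Rob's follow-up puts that rule in FORWARD, which does nothing for OUTPUT; it belongs in OUTPUT. The script below is an added example, not code from the thread. It builds Jason's allow-list, keeps the ESTABLISHED rule at the top, and flips the policy to DROP only as the last step, so a ruleset that fails half way through does not lock you out. The server addresses are constructed placeholders from 192.0.2.0/24 and the function names are ours.

```shell
#!/bin/sh
# Added example: OUTPUT policy DROP with an explicit allow-list (Jason's
# list: DNS, NTP, FTP/HTTP to update servers, ICMP). The addresses are
# constructed placeholders from 192.0.2.0/24; replace them with your own.
set -eu

IPT="${IPT:-iptables}"        # set IPT="echo iptables" for a dry run
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"
NTP_SERVERS="${NTP_SERVERS:-192.0.2.123}"
UPDATE_HOSTS="${UPDATE_HOSTS:-192.0.2.80}"

# Print the OUTPUT ruleset, one iptables command per line, in load order.
# Order matters: loopback and ESTABLISHED,RELATED first (the rule whose
# absence drops the firewall's own SSH replies and locks you out), then
# the NEW connections we permit, then a rate-limited LOG, and the DROP
# policy only at the very end, so a ruleset that fails half way through
# leaves the box reachable rather than silent.
output_rules() {
    cat <<EOF
$IPT -P OUTPUT ACCEPT
$IPT -F OUTPUT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state INVALID -j DROP
EOF
    for h in $DNS_SERVERS; do
        echo "$IPT -A OUTPUT -d $h -p udp --dport 53 -m state --state NEW -j ACCEPT"
        echo "$IPT -A OUTPUT -d $h -p tcp --dport 53 -m state --state NEW -j ACCEPT"
    done
    for h in $NTP_SERVERS; do
        echo "$IPT -A OUTPUT -d $h -p udp --dport 123 -m state --state NEW -j ACCEPT"
    done
    # FTP control channel plus HTTP/HTTPS. Passive FTP data channels are
    # only matched by ESTABLISHED,RELATED if the nf_conntrack_ftp helper
    # is active for these connections.
    for h in $UPDATE_HOSTS; do
        echo "$IPT -A OUTPUT -d $h -p tcp -m multiport --dports 21,80,443 -m state --state NEW -j ACCEPT"
    done
    # Outbound pings; replies to inbound pings and ICMP errors this host
    # generates are ESTABLISHED/RELATED and already allowed above.
    cat <<EOF
$IPT -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT drop: "
$IPT -P OUTPUT DROP
EOF
}

# 1-based load-order position of the first rule containing $1, 0 if none;
# lets the order be checked before anything is applied.
rule_index() {
    n=$(output_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1 || true)
    echo "${n:-0}"
}

case "${1:-show}" in
    show)  output_rules ;;          # review the ruleset (no root needed)
    apply) output_rules | sh ;;     # load it for real (needs root)
esac
```

Run it without arguments (or with IPT="echo iptables") to review the rules; `apply` loads them. After loading, `iptables -nvL OUTPUT` shows which rule's counters move, and the LOG line names whatever is still being dropped. On current iptables, `-m conntrack --ctstate` can replace `-m state --state` throughout.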
* iptables
@ 2005-06-19 2:17 s s
0 siblings, 0 replies; 56+ messages in thread
From: s s @ 2005-06-19 2:17 UTC (permalink / raw)
To: netfilter
i tried to queue up the incoming packets on my tcp port 80 so that i can process it using libipq. I tried to run the example program from libipq man page but i get the error sa
cannot find reference to ipq_create_handle()
'' '' '' ipq_read()
'' '' '' ipq_destroy_handle()
...............
................
...................
.............
can anyone help me with this
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: IPTABLES
@ 2006-10-19 5:08 tarak
0 siblings, 0 replies; 56+ messages in thread
From: tarak @ 2006-10-19 5:08 UTC (permalink / raw)
To: netfilter
hello experts,
i have a problem in iptables, i want to customize the firewall. through
iptables i want to run a shell script which will keep a watch on each and
every ip address in my organization, that is, how much data is downloaded
and uploaded from those ip addresses, separately. is this possible to do?
if so please tell me how to do it.
thanks in advance
Regards,
Tarak Ranjan
^ permalink raw reply [flat|nested] 56+ messages in thread
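Netfilter can do the counting itself, so no script needs to watch the traffic: a rule with no -j target matches, updates its packet and byte counters, and lets the packet continue down the chain. The script below is an added example, not from the thread. It hooks a counting chain at the top of FORWARD with one rule per direction per LAN host, and parses the output of `iptables -nvx -L` so a periodic job can read the totals and zero them atomically. The host addresses are constructed placeholders, the sample listing inside the script is constructed in the shape iptables prints with -x, and the function names are ours.

```shell
#!/bin/sh
# Added example: per-host upload/download byte counters with iptables.
# A rule with no -j target only counts; the packet then continues down
# the chain, so the ACCT chain never changes what the firewall allows.
set -eu

IPT="${IPT:-iptables}"
LAN_HOSTS="${LAN_HOSTS:-192.168.1.10 192.168.1.11}"   # constructed placeholders

# Rules: a counting chain inserted at the top of FORWARD so it sees every
# forwarded packet. SNAT happens after FORWARD and DNAT before it, so
# FORWARD always sees the private LAN address in both directions.
acct_rules() {
    echo "$IPT -N ACCT"
    echo "$IPT -I FORWARD 1 -j ACCT"
    for ip in $LAN_HOSTS; do
        echo "$IPT -A ACCT -s $ip"   # upload: LAN host as source
        echo "$IPT -A ACCT -d $ip"   # download: LAN host as destination
    done
}

# Parse the output of `iptables -nvx -L ACCT` (-x gives exact byte counts,
# no K/M suffixes) into "ip upload_bytes download_bytes", one line per host.
# Counter lines start with two numbers; source and destination are the
# last two fields whether or not a target column is printed.
acct_report() {
    awk '
        /^ *[0-9]+ +[0-9]+ / {
            bytes = $2; src = $(NF - 1); dst = $NF
            if (src != "0.0.0.0/0") { up[src] += bytes; hosts[src] = 1 }
            else if (dst != "0.0.0.0/0") { down[dst] += bytes; hosts[dst] = 1 }
        }
        END { for (ip in hosts) print ip, up[ip] + 0, down[ip] + 0 }
    ' | sort
}

# Read and zero the counters in one atomic step (for a periodic job).
acct_collect() {
    $IPT -nvx -L ACCT -Z | acct_report
}

# Constructed sample in the format iptables prints, for offline use.
SAMPLE_LISTING='Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12       1234            all  --  *      *       192.168.1.10         0.0.0.0/0
       7        890            all  --  *      *       0.0.0.0/0            192.168.1.10
       0          0            all  --  *      *       192.168.1.11         0.0.0.0/0
       3        300            all  --  *      *       0.0.0.0/0            192.168.1.11'

acct_report_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | acct_report
}

case "${1:-sample}" in
    sample)  acct_report_sample ;;   # offline demonstration
    rules)   acct_rules ;;           # print the rules to load
    collect) acct_collect ;;         # live read and zero (needs root)
esac
```

Because ACCT sits before any ACCEPT or DROP it also counts packets the firewall later drops; hook it after your filtering rules instead if you want only bytes that actually passed. Traffic the gateway terminates itself (a local proxy, for instance) goes through INPUT and OUTPUT, not FORWARD, and needs the same pair of counting rules there.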
* iptables
2008-01-13 22:44 ` G.W. Haywood
@ 2008-01-14 7:45 ` sa
2008-01-14 9:17 ` iptables G.W. Haywood
0 siblings, 1 reply; 56+ messages in thread
From: sa @ 2008-01-14 7:45 UTC (permalink / raw)
To: netfilter
i am planning to setup an internet gateway machine (for my LAN having
private LAN IP address scheme) with proxy server so that all web traffic
goes through it.
plus need to allow internal LAN machine, some limited ports to access
outside the LAN (e.g POP3, DNS, SMTP, FTP etc).
how should i setup iptables to accomplish this?
probably NAT and/or forwarding need to be implemented, but in which sequence?
or am i mixing them?
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: iptables
2008-01-14 7:45 ` iptables sa
@ 2008-01-14 9:17 ` G.W. Haywood
2008-01-15 13:12 ` iptables sa
0 siblings, 1 reply; 56+ messages in thread
From: G.W. Haywood @ 2008-01-14 9:17 UTC (permalink / raw)
To: netfilter
Hi there,
On Mon, 14 Jan 2008 sa@streaming-networks.com wrote:
> i am planning to setup an internet gateway machine (for my LAN having
> private LAN IP address scheme) with proxy server so that all web traffic
> goes through it.
> plus need to allow internal LAN machine, some limited ports to access
> outside the LAN (e.g POP3, DNS, SMTP, FTP etc).
http://marc.info/?l=ipcop-user&m=120022492902810&w=2
--
73,
Ged.
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: iptables
2008-01-14 9:17 ` iptables G.W. Haywood
@ 2008-01-15 13:12 ` sa
2008-01-15 14:54 ` iptables G.W. Haywood
0 siblings, 1 reply; 56+ messages in thread
From: sa @ 2008-01-15 13:12 UTC (permalink / raw)
To: netfilter
thanks, but i was looking for something to do with iptables settings
directly
----- Original Message -----
From: "G.W. Haywood" <ged@jubileegroup.co.uk>
To: <netfilter@vger.kernel.org>
Sent: Monday, January 14, 2008 2:17 PM
Subject: Re: iptables
> Hi there,
>
> On Mon, 14 Jan 2008 sa@streaming-networks.com wrote:
>
> > i am planning to setup an internet gateway machine (for my LAN having
> > private LAN IP address scheme) with proxy server so that all web traffic
> > goes through it.
> > plus need to allow internal LAN machine, some limited ports to access
> > outside the LAN (e.g POP3, DNS, SMTP, FTP etc).
>
> http://marc.info/?l=ipcop-user&m=120022492902810&w=2
>
> --
>
> 73,
> Ged.
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: iptables
2008-01-15 13:12 ` iptables sa
@ 2008-01-15 14:54 ` G.W. Haywood
0 siblings, 0 replies; 56+ messages in thread
From: G.W. Haywood @ 2008-01-15 14:54 UTC (permalink / raw)
To: netfilter
Hello again,
On Tue, 15 Jan 2008 sa@streaming-networks.com wrote:
> thanks, but i was looking for something to do with iptables settings
> directly
My feeling is that working with iptables directly isn't your best
option, but if you insist:
http://iptables-tutorial.frozentux.net/
--
73,
Ged.
^ permalink raw reply [flat|nested] 56+ messages in thread
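For readers who, like sa, want the iptables side directly: the sequence question has a fixed answer, because netfilter visits the tables in a set order. A LAN packet hits nat/PREROUTING first (that is where a transparent-proxy REDIRECT goes), is routed, then passes filter/FORWARD (the short list of allowed ports), and finally nat/POSTROUTING (MASQUERADE). The script below is an added example, not from the thread or from the linked tutorial. It assumes eth1 is the LAN side, eth0 the uplink, 192.168.1.0/24 the LAN, and a proxy on the gateway itself listening on port 3128 in interception mode; the function names are ours.

```shell
#!/bin/sh
# Added example: LAN gateway with a transparent web proxy and a short
# outbound allow-list. Assumed names (not from the thread): eth1 is the
# LAN side, eth0 the uplink, the LAN is 192.168.1.0/24, and the proxy
# listens on the gateway itself on 3128 in interception mode.
set -eu

IPT="${IPT:-iptables}"        # set IPT="echo iptables" for a dry run
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"
# FTP, SMTP, POP3, HTTPS; 80 goes via the proxy. Passive FTP data
# channels additionally need the nf_conntrack_ftp helper.
TCP_PORTS="${TCP_PORTS:-21,25,110,443}"

# Print the rules in the order netfilter applies them to a LAN packet:
# nat/PREROUTING, then routing, then filter/FORWARD, then nat/POSTROUTING.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
$IPT -t nat -F
$IPT -F FORWARD
$IPT -P FORWARD DROP
# 1. nat/PREROUTING, before routing: LAN web traffic is redirected to the
#    local proxy and never reaches FORWARD at all.
$IPT -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
#    Redirected packets are delivered locally, so INPUT must accept them,
#    and only from the LAN side.
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -m state --state NEW -j ACCEPT
# 2. filter/FORWARD, after routing: replies first, then the few NEW
#    connections the LAN may open directly.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports $TCP_PORTS -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
# 3. nat/POSTROUTING, last: masquerade only LAN traffic leaving the uplink.
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Load-order position of the first line containing $1 (0 if absent).
gw_rule_index() {
    n=$(gateway_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1 || true)
    echo "${n:-0}"
}

case "${1:-show}" in
    show)  gateway_rules ;;          # review (no root needed)
    apply) gateway_rules | sh ;;     # load (needs root)
esac
```

Two things the ordering implies: redirected port-80 traffic is delivered locally, so it never traverses FORWARD and must be allowed in INPUT instead, and the proxy's own upstream fetches originate on the gateway, so the OUTPUT chain governs them, not FORWARD. HTTPS is left to go direct, since REDIRECT cannot proxy it without terminating TLS on the gateway.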
* IPTables
@ 2012-04-11 3:03 Al Grant
2012-04-11 3:45 ` IPTables Ethy H. Brito
2012-04-11 6:33 ` IPTables John Lister
0 siblings, 2 replies; 56+ messages in thread
From: Al Grant @ 2012-04-11 3:03 UTC (permalink / raw)
To: netfilter
Hiya All,
I am after a little guidance please on the following problem:
My topology is as follows:
inet----router 192.168.1.254-------wlan0 192.168.1.71 && eth0
192.168.70.121------ip camera 192.168.70.140:80
Note:
(1) eth0 and wlan0 are on a PC running Ubuntu.
(2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
(3) in sysctl I have set net.ipv4.ip_forward=1
Now what I need to do is to be able to access the IP camera from the inet.
So I have tried adding IPTables:
iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
5555 -j DNAT --to 192.168.70.140:80
Now this should allow me to access the camera by pointing a web
browser to the real world public ip on port 5555, however I get page
cannot be displayed.
I have verified that:
1. That camera is accessible from the Ubuntu computer via web browser and ping
Various people have suggested I may need to modify conntrack and others
have suggested I may need a second rule.
Can anyone please help?
Thanks in advance
AL
--
"Beat it punk!"
- Clint Eastwood
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: IPTables
2012-04-11 3:03 IPTables Al Grant
@ 2012-04-11 3:45 ` Ethy H. Brito
2012-04-11 6:33 ` IPTables John Lister
1 sibling, 0 replies; 56+ messages in thread
From: Ethy H. Brito @ 2012-04-11 3:45 UTC (permalink / raw)
To: Al Grant; +Cc: netfilter
On Wed, 11 Apr 2012 15:03:46 +1200
Al Grant <bigal.nz@gmail.com> wrote:
> Hiya All,
>
> I am after a little guidance please on the following problem:
>
> My topology is as follows:
>
> inet----router 192.168.1.254-------wlan0 192.168.1.71 && eth0
> 192.168.70.121------ip camera 192.168.70.140:80
>
> Note:
>
> (1) eth0 and wlan0 are on a PC running Ubuntu.
>
> (2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
>
> (2) in sysctl I have set sysctl net.ipv4.ip_forward=1
>
> Now what I need to do is to be able to access the IP camera from the
> inet.
>
> So I have tried adding IPTables:
>
> iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
> 5555 -j DNAT --to 192.168.70.140:80
>
> Now this should allow me to access the camera by pointing a web
> browser to the real world public ip on port 5555, however I get page
> cannot be displayed.
Hi
just to be sure: 192.168.1.71 is NOT your "real world public ip", is it?
Ethy
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: IPTables
2012-04-11 3:03 IPTables Al Grant
2012-04-11 3:45 ` IPTables Ethy H. Brito
@ 2012-04-11 6:33 ` John Lister
1 sibling, 0 replies; 56+ messages in thread
From: John Lister @ 2012-04-11 6:33 UTC (permalink / raw)
To: Al Grant; +Cc: netfilter
You say your router forwards port 5555 to port 80 on the pc, if that is
the case, then you need a rule to map port 80 on 192.168.1.71 to
192.168.70.140. Something like
iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport 80 -j DNAT --to 192.168.70.140
make sure that your FORWARD rule allows it through. You also probably
need to add this depending on your routing tables
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.70.140 -p tcp --dport 80 -j SNAT --to 192.168.1.71
to handle the reverse case and route the packets back out.
I'm half asleep so i'd test these fully first :)
John
--
www.pricegoblin.co.uk
On 11/04/2012 04:03, Al Grant wrote:
> Hiya All,
>
>
>
> I am after a little guidance please on the following problem:
>
>
>
> My topology is as follows:
>
>
>
> inet----router 192.168.1.254-------wlan0 192.168.1.71&& eth0
> 192.168.70.121------ip camera 192.168.70.140:80
>
>
>
> Note:
>
> (1) eth0 and wlan0 are on a PC running Ubuntu.
>
> (2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
>
> (2) in sysctl I have set sysctl net.ipv4.ip_forward=1
>
>
>
> Now what I need to do is to be able to access the IP camera from the inet.
>
>
>
> So I have tried adding IPTables:
>
> iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
> 5555 -j DNAT --to 192.168.70.140:80
>
>
>
> Now this should allow me to access the camera by pointing a web
> browser to the real world public ip on port 5555, however I get page
> cannot be displayed.
>
>
>
> I have verified that:
>
> 1. That camera is accessible from the Ubuntu computer via web browser and ping
>
>
>
> Various people have suggested I may need to modify conntrack and others
> have suggested I may need a second rule.
>
>
>
> Can anyone please help?
>
>
>
> Thanks in advance
>
> AL
>
>
> --
> "Beat it punk!"
> - Clint Eastwood
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: IPTables
[not found] ` <e89a8ff2474fc99c5604bd608a88@google.com>
@ 2012-04-11 13:06 ` Ethy H. Brito
0 siblings, 0 replies; 56+ messages in thread
From: Ethy H. Brito @ 2012-04-11 13:06 UTC (permalink / raw)
To: BigAl.NZ, netfilter
On Wed, 11 Apr 2012 05:30:49 +0000
BigAl.NZ@gmail.com wrote:
> As an update. When I try to connect I ran tcptrack on wlan0 and it
> shows the incoming connection with:
>
> Client Server State Idle Speed
> 118.92.xx.55:58674 192.168.1.71:80 RESET 1s 0 b/s
> 118.92.xx.55:58673 192.168.1.71:80 RESET 1s 0 b/s
> 118.92.xx.55:58676 192.168.1.71:80 RESET 1s 0 b/s
>
> Does this seem normal?
it does. But it seems something before Ubuntu is not right.
If I got it right, you should see something like this:
118.92.xx.55:58674 192.168.1.71:5555 ...(forward to port 5555 and not 80.
this way the iptables DNAT rule won't match)
I think your redirections at the router (192.168.1.254) is not doing what
you intended it to do.
> If I monitor eth0 I see no traffic, so the fault must be in my rule
> somewhere?
You see no traffic because 192.168.1.71 thought it was a connection to itself
at port 80 and RESETed it.
Ethy
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: IPTables
@ 2012-04-13 23:53 nullv
0 siblings, 0 replies; 56+ messages in thread
From: nullv @ 2012-04-13 23:53 UTC (permalink / raw)
To: Al Grant, netfilter-owner, netfilter
From note 2, your router is forwarding port 5555 to port 80 on the PC's wlan0. But your rule on the PC again forwards from 5555 to the camera. By now your dport would be 80, not 5555. Try correcting this, or just adjust your router to forward straight to the camera.
------Original Message------
From: Al Grant
Sender: netfilter-owner@vger.kernel.org
To: netfilter
Subject: IPTables
Sent: Apr 11, 2012 5:03 AM
Hiya All,
I am after a little guidance please on the following problem:
My topology is as follows:
inet----router 192.168.1.254-------wlan0 192.168.1.71 && eth0
192.168.70.121------ip camera 192.168.70.140:80
Note:
(1) eth0 and wlan0 are on a PC running Ubuntu.
(2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
(2) in sysctl I have set sysctl net.ipv4.ip_forward=1
Now what I need to do is to be able to access the IP camera from the inet.
So I have tried adding IPTables:
iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
5555 -j DNAT --to 192.168.70.140:80
Now this should allow me to access the camera by pointing a web
browser to the real world public ip on port 5555, however I get page
cannot be displayed.
I have verified that:
1. That camera is accessible from the Ubuntu computer via web browser and ping
Various people have suggested I may need to modify conntrack and others
have suggested I may need a second rule.
Can anyone please help?
Thanks in advance
AL
--
"Beat it punk!"
- Clint Eastwood
^ permalink raw reply [flat|nested] 56+ messages in thread
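Ethy's and nullv's diagnosis reduces to one check: each hop's DNAT must match the port the previous hop actually delivers. The router rewrites 5555 to 80 before the packet reaches wlan0, so a PREROUTING rule matching --dport 5555 never fires, nothing on the Ubuntu box listens on 80, and the kernel answers with RST, which is exactly what tcptrack showed. The script below is an added example, not code from the thread: a small consistency check over a list of hops, plus the rules for the Linux hop using the addresses from Al's post. The function names are ours, as is the SNAT choice: it uses the PC's own eth0 address, 192.168.70.121, so the camera replies on-link even if its default gateway is not the PC.

```shell
#!/bin/sh
# Added example: check that a chain of port forwards agrees hop by hop,
# then emit the rules for the Linux hop. Addresses are from Al's post;
# function names are ours.
set -eu

IPT="${IPT:-iptables}"

# Each argument is one hop as "match_port:target_ip:target_port", in the
# order packets traverse them. A hop's match port must equal the port the
# previous hop delivered; otherwise the DNAT rule never fires, the box
# has no listener on the delivered port, and the kernel sends RST.
# Prints "ok" and returns 0, or names the first bad hop and returns 1.
check_forward_chain() {
    prev_port=""
    n=0
    for hop in "$@"; do
        n=$((n + 1))
        match_port=${hop%%:*}
        rest=${hop#*:}
        target_port=${rest#*:}
        if [ -n "$prev_port" ] && [ "$match_port" != "$prev_port" ]; then
            echo "hop $n matches dport $match_port but receives dport $prev_port"
            return 1
        fi
        prev_port=$target_port
    done
    echo "ok"
}

# Rules for the Linux hop: DNAT on the port actually delivered, FORWARD
# opened only for that translated connection and its replies, and SNAT on
# the camera side using this box's own address there, so the camera's
# replies come back through this box even if its default gateway is
# elsewhere. The cost of the SNAT: the camera's logs see the PC, not the
# real client. Drop the last rule if the camera already routes via the PC.
# Arguments: in_if in_ip in_port cam_ip cam_port out_if out_ip
linux_hop_rules() {
    in_if=$1; in_ip=$2; in_port=$3; cam_ip=$4; cam_port=$5; out_if=$6; out_ip=$7
    cat <<EOF
$IPT -t nat -A PREROUTING -i $in_if -d $in_ip -p tcp --dport $in_port -j DNAT --to-destination $cam_ip:$cam_port
$IPT -A FORWARD -i $in_if -o $out_if -d $cam_ip -p tcp --dport $cam_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $out_if -o $in_if -s $cam_ip -p tcp --sport $cam_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $out_if -d $cam_ip -p tcp --dport $cam_port -j SNAT --to-source $out_ip
EOF
}

# Al's setup: the router delivers dport 80, so the PC must match 80, not 5555.
check_forward_chain "5555:192.168.1.71:80" "5555:192.168.70.140:80" || true   # as posted: mismatch
check_forward_chain "5555:192.168.1.71:80" "80:192.168.70.140:80"             # corrected
linux_hop_rules wlan0 192.168.1.71 80 192.168.70.140 80 eth0 192.168.70.121
```

To confirm on the live box, watch the DNAT rule's counters with `iptables -t nat -nvL PREROUTING` while connecting from outside: a rule whose pkts column stays at zero is not the one the packet hits. The check also generalises to longer chains (router, then VPN box, then host), which is the usual way a "page cannot be displayed" with a RESET in tcptrack comes about.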
* Re: IPTables
@ 2012-04-13 23:54 nullv
2012-04-14 9:35 ` IPTables Amos Jeffries
0 siblings, 1 reply; 56+ messages in thread
From: nullv @ 2012-04-13 23:54 UTC (permalink / raw)
To: Ethy H. Brito, netfilter-owner, Al Grant; +Cc: netfilter
It can't be. it's a link-local address
------Original Message------
From: Ethy H. Brito
Sender: netfilter-owner@vger.kernel.org
To: Al Grant
Cc: netfilter
Subject: Re: IPTables
Sent: Apr 11, 2012 5:45 AM
On Wed, 11 Apr 2012 15:03:46 +1200
Al Grant <bigal.nz@gmail.com> wrote:
> Hiya All,
>
> I am after a little guidance please on the following problem:
>
> My topology is as follows:
>
> inet----router 192.168.1.254-------wlan0 192.168.1.71 && eth0
> 192.168.70.121------ip camera 192.168.70.140:80
>
> Note:
>
> (1) eth0 and wlan0 are on a PC running Ubuntu.
>
> (2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
>
> (2) in sysctl I have set sysctl net.ipv4.ip_forward=1
>
> Now what I need to do is to be able to access the IP camera from the
> inet.
>
> So I have tried adding IPTables:
>
> iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
> 5555 -j DNAT --to 192.168.70.140:80
>
> Now this should allow me to access the camera by pointing a web
> browser to the real world public ip on port 5555, however I get page
> cannot be displayed.
Hi
just to be sure: 192.168.1.71 is NOT your "real world public ip", is it?
Ethy
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: IPTables
2012-04-13 23:54 IPTables nullv
@ 2012-04-14 9:35 ` Amos Jeffries
0 siblings, 0 replies; 56+ messages in thread
From: Amos Jeffries @ 2012-04-14 9:35 UTC (permalink / raw)
To: nullv; +Cc: Ethy H. Brito, netfilter-owner, Al Grant, netfilter
On 14/04/2012 11:54 a.m., nullv@gmx.com wrote:
> It can't be. it's a link-local address
The difference between IPv4 and IPv6. IPv4 has no link-local limitation
outside of 127.0.0.0/8 built into the hardware, it *can* leak into the
WAN if you configure things non-standard.
AYJ
> ------Original Message------
> From: Ethy H. Brito
>
> On Wed, 11 Apr 2012 15:03:46 +1200
> Al Grant wrote:
>
>> Hiya All,
>>
>> I am after a little guidance please on the following problem:
>>
>> My topology is as follows:
>>
>> inet----router 192.168.1.254-------wlan0 192.168.1.71&& eth0
>> 192.168.70.121------ip camera 192.168.70.140:80
>>
>> Note:
>>
>> (1) eth0 and wlan0 are on a PC running Ubuntu.
>>
>> (2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
>>
>> (2) in sysctl I have set sysctl net.ipv4.ip_forward=1
>>
>> Now what I need to do is to be able to access the IP camera from the
>> inet.
>>
>> So I have tried adding IPTables:
>>
>> iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
>> 5555 -j DNAT --to 192.168.70.140:80
>>
>> Now this should allow me to access the camera by pointing a web
>> browser to the real world public ip on port 5555, however I get page
>> cannot be displayed.
> Hi
>
> just to be sure: 192.168.1.71 is NOT your "real world public ip", is it?
>
> Ethy
^ permalink raw reply [flat|nested] 56+ messages in thread
* Re: IPTables
@ 2012-04-14 12:20 nullv
0 siblings, 0 replies; 56+ messages in thread
From: nullv @ 2012-04-14 12:20 UTC (permalink / raw)
To: Amos Jeffries; +Cc: Ethy H. Brito, netfilter-owner, Al Grant, netfilter
Sorry I meant non-routable. Routers on the internet are meant to ignore those addresses. 10.x/8 192.168.x/16 172.16.x/20
------Original Message------
From: Amos Jeffries
To: nullv@gmx.com
Cc: Ethy H. Brito
Cc: netfilter-owner@vger.kernel.org
Cc: Al Grant
Cc: netfilter
Subject: Re: IPTables
Sent: Apr 14, 2012 11:35 AM
On 14/04/2012 11:54 a.m., nullv@gmx.com wrote:
> It can't be. it's a link-local address
The difference between IPv4 and IPv6. IPv4 has no link-local limitation
outside of 127.0.0.0/8 built into the hardware, it *can* leak into the
WAN if you configure things non-standard.
AYJ
> ------Original Message------
> From: Ethy H. Brito
>
> On Wed, 11 Apr 2012 15:03:46 +1200
> Al Grant wrote:
>
>> Hiya All,
>>
>> I am after a little guidance please on the following problem:
>>
>> My topology is as follows:
>>
>> inet----router 192.168.1.254-------wlan0 192.168.1.71&& eth0
>> 192.168.70.121------ip camera 192.168.70.140:80
>>
>> Note:
>>
>> (1) eth0 and wlan0 are on a PC running Ubuntu.
>>
>> (2) Port 5555 on the router is forwarded to 80 on 192.168.1.71
>>
>> (2) in sysctl I have set sysctl net.ipv4.ip_forward=1
>>
>> Now what I need to do is to be able to access the IP camera from the
>> inet.
>>
>> So I have tried adding IPTables:
>>
>> iptables -t nat -A PREROUTING -i wlan0 -d 192.168.1.71 -p tcp --dport
>> 5555 -j DNAT --to 192.168.70.140:80
>>
>> Now this should allow me to access the camera by pointing a web
>> browser to the real world public ip on port 5555, however I get page
>> cannot be displayed.
> Hi
>
> just to be sure: 192.168.1.71 is NOT your "real world public ip", is it?
>
> Ethy
^ permalink raw reply [flat|nested] 56+ messages in thread
end of thread
Thread overview: 56+ messages
2004-09-28 5:07 Iptables Contact
2004-09-28 5:25 ` Iptables Rob Sterenborg
2004-09-28 8:19 ` Iptables Contact
2004-09-28 14:04 ` Iptables Jason Opperisano
2004-09-28 14:09 ` Iptables Aleksandar Milivojevic
2004-09-28 10:36 ` Iptables John A. Sullivan III
2004-09-28 14:27 ` Iptables Jose Maria Lopez
-- strict thread matches above, loose matches on Subject: below --
2012-04-14 12:20 IPTables nullv
2012-04-13 23:54 IPTables nullv
2012-04-14 9:35 ` IPTables Amos Jeffries
2012-04-13 23:53 IPTables nullv
[not found] <047d7b10cb31c8716404bd5f56a7@google.com>
[not found] ` <e89a8ff2474fc99c5604bd608a88@google.com>
2012-04-11 13:06 ` IPTables Ethy H. Brito
2012-04-11 3:03 IPTables Al Grant
2012-04-11 3:45 ` IPTables Ethy H. Brito
2012-04-11 6:33 ` IPTables John Lister
2008-01-13 18:53 Can't set up transparent proxy on XO laptop P Zemlja
2008-01-13 22:44 ` G.W. Haywood
2008-01-14 7:45 ` iptables sa
2008-01-14 9:17 ` iptables G.W. Haywood
2008-01-15 13:12 ` iptables sa
2008-01-15 14:54 ` iptables G.W. Haywood
2006-10-19 5:08 IPTABLES tarak
2005-06-19 2:17 iptables s s
2005-05-19 17:45 Iptables Chadley Wilson
2005-05-19 19:33 ` Iptables Jason Opperisano
2005-05-19 20:13 ` Iptables Chadley Wilson
2005-05-19 21:43 ` Iptables Jason Opperisano
2005-05-20 5:38 ` Iptables Chadley Wilson
2005-05-20 5:50 ` Iptables Jason Opperisano
2005-05-20 6:04 ` Iptables Rob Sterenborg
2005-05-20 6:26 ` Iptables Rob Sterenborg
2005-05-18 21:04 Iptables Limbert Fuentes Quiroga
2005-01-31 11:31 iptables Alabama
2005-01-31 12:02 ` iptables John A. Sullivan III
[not found] ` <5.2.0.9.0.20050131135158.02a9dec0@poczta.interia.pl>
2005-01-31 13:18 ` iptables John A. Sullivan III
2005-01-31 11:16 iptables Andrzej
2004-05-27 17:51 iptables Alejandro Cabrera Obed
2004-02-27 2:23 iptables mustafa hassan
2004-01-31 8:39 Iptables Ivan Zagvozkine
2004-01-28 11:12 Iptables jean-francois fleury
2004-01-28 13:25 ` Iptables Jeffrey Laramie
2003-05-26 13:34 iptables Wan System S.R.L.
2003-05-26 15:27 ` iptables Pedro C. Arias
2003-04-28 18:29 IPTABLES lfps
2003-04-23 5:17 iptables Star Fire
2003-02-27 18:04 iptables Guss
2003-01-19 17:30 iptables VASIF MUSAOGULLARI
2003-01-21 11:42 ` iptables Erdal Mutlu
2003-01-17 9:20 IPtables Jet
2002-06-28 13:28 iptables luigicart
2002-06-28 13:45 ` iptables Antony Stone
2002-06-28 13:48 ` iptables Tom Eastep
2002-06-28 14:00 ` iptables Joe Patterson
2002-06-13 9:03 Iptables Paulo Andre
2002-06-11 2:24 iptables Matthew Hellman
2002-06-10 14:06 iptables Paulo Andre
2002-06-10 19:27 ` iptables Antony Stone
2002-06-11 2:23 ` iptables Matthew Hellman