(no subject)

(no subject)

[Amresh Kumar]

Hi
I am new to iptables i have a problem in adding iptable rule i am adding ip 
table rule

  iptables -A OUTPUT -p tcp -m iprange --src-range 10.0.0.1-10.0.0.20 -m 
iprange  --dst-range 61.12.43.1-61.12.43.20 -j ACCEPT
But i am getting following error
Bad argument `61.12.43.1-61.12.43.20'
Try `iptables -h' or 'iptables --help' for more information.
Actuall i am trying to drop  destination iprange 61.12.43.1-61.12.43.20 to 
source ip range 10.0.0.1-10.0.0.20 .

Is their any other rule  that i can add. plz help me

Thanks and regard..

_________________________________________________________________
Register with e-bay. 
http://pages.ebay.in/msnindia/msn_quad_shopwingold_sept.html Win gold, 
watches and more!

Re: (no subject)

[Vinod Chandran]

Remove the second instance of -m iprange.

Regards,
Vinod C

Amresh Kumar wrote:

> Hi
> I am new to iptables i have a problem in adding iptable rule i am 
> adding ip table rule
>
>  iptables -A OUTPUT -p tcp -m iprange --src-range 10.0.0.1-10.0.0.20 
> -m iprange  --dst-range 61.12.43.1-61.12.43.20 -j ACCEPT
> But i am getting following error
> Bad argument `61.12.43.1-61.12.43.20'
> Try `iptables -h' or 'iptables --help' for more information.
> Actuall i am trying to drop  destination iprange 
> 61.12.43.1-61.12.43.20 to source ip range 10.0.0.1-10.0.0.20 .
>
> Is their any other rule  that i can add. plz help me
>
> Thanks and regard..
>
> _________________________________________________________________
> Register with e-bay. 
> http://pages.ebay.in/msnindia/msn_quad_shopwingold_sept.html Win gold, 
> watches and more!
>
>

Re: (no subject)

[Rob Sterenborg]

On Thu, October 6, 2005 10:11, Amresh Kumar wrote:
> Hi
> I am new to iptables i have a problem in adding iptable rule i am
> adding ip
> table rule
>
>   iptables -A OUTPUT -p tcp -m iprange --src-range 10.0.0.1-10.0.0.20
> -m
> iprange  --dst-range 61.12.43.1-61.12.43.20 -j ACCEPT
> But i am getting following error
> Bad argument `61.12.43.1-61.12.43.20'
> Try `iptables -h' or 'iptables --help' for more information.
> Actuall i am trying to drop  destination iprange
> 61.12.43.1-61.12.43.20 to
> source ip range 10.0.0.1-10.0.0.20 .

You probably don't have Netfilter "range" support in/for your kernel
or the modules is not loaded (osmething like ipt_range ?). If you
don't have it, you may have to patch (Patch-O-Matic) and compile a new
kernel.


Gr,
Rob

[No subject]

[Giovane]

http://alexanderlattagardens.co.uk/gdjxy/mevffylewqfsthznvp.hfkvrosf

Re: (no subject)

[pedro noticioso]

[-- Attachment #1.1: Type: text/plain, Size: 66 bytes --]

http://www.directbuypromotions.com/tmp/lifeblog.php?rgmqnob231xpeb

[-- Attachment #1.2: Type: text/html, Size: 305 bytes --]

[-- Attachment #2: Type: text/plain, Size: 238 bytes --]

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb

[-- Attachment #3: Type: text/plain, Size: 164 bytes --]

_______________________________________________
Mondo-devel mailing list
Mondo-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mondo-devel

(no subject)

[Tarak Ranjan]

http://www.troywitt.com/galleries/themes/hybrid/inbex.html

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

RE: (no subject)

[Tim Edwards]

> -----Original Message-----
> From: Bernd Petrovitsch [mailto:bernd@firmix.at]
> Sent: 21 November 2006 10:54
> To: Tim Edwards
> Cc: netfilter@lists.netfilter.org
> Subject: RE: (no subject)
> 
> On Tue, 2006-11-21 at 10:44 +0000, Tim Edwards wrote:
> >
> > -----Original Message-----
> > From: Bernd Petrovitsch [mailto:bernd@firmix.at]
> > Sent: 21 November 2006 10:13
> > To: Tim Edwards
> > Cc: netfilter@lists.netfilter.org
> > Subject: Re: (no subject)
> >
> > > Yes. Just insert such a rule into the OUTPUT chain.
> >
> > Ok I have the following rules but it still isn't cutting off
existing
> > connections:
> 
> Yup.
> 
> > #!/bin/bash
> >
> > # First clear all rules (and set the policy to DROP on the default
> > chains)
> > iptables -F
> > # Second delete all the extra (user-defined) chains
> > iptables -X
> > # Set polcy on the default chains
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > # allow anything over loopback
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
> > # Allow incoming ssh and http/s connections
> > iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j
> > ACCEPT
> > iptables -A INPUT -j LOG --log-prefix="INPUT REJECT"
--log-level=info
> > iptables -A INPUT -j REJECT
> > # Allow already established ssh and http/s connections back out
through
> > the firewall
> > iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j
ACCEPT
> 
> This allows all existing connections. If the above comment should be
> correct, you probably forgot here something.
> 
> > iptables -A OUTPUT -j LOG --log-prefix="OUTPUT REJECT"
--log-level=info
> > iptables -A OUTPUT -j REJECT
> > iptables -A FORWARD -j LOG --log-prefix="FORWARD REJECT"
> > --log-level=info
> > iptables -A FORWARD -j REJECT

Good point, that line was definitely wrong. What I'm trying to do this
block all traffic, including active connections, except incoming ssh and
http/s connections. From testing I've found the above does block all
traffic while allowing ssh and http/s in, but doesn't cutoff existing
connections.

I've tried this line instead of the one above but now all traffic,
including incoming ssh and http/s, seems to be blocked:
iptables -A OUTPUT -m tcp -m multiport --sports 22,80,443 -m state
--state NEW,ESTABLISHED,RELATED -j ACCEPT

Any suggestions?

Thanks

Tim
This email and any attachment may contain confidential, privileged information for the sole use of the intended recipient. If you are not the intended recipient, do not disclose, reproduce, disseminate or otherwise use this communication. If you received this communication in error, please immediately notify the sender via email and delete the communication from your system.

RE: (no subject)

[Tim Edwards]

-----Original Message-----
From: Bernd Petrovitsch [mailto:bernd@firmix.at] 
Sent: 21 November 2006 10:13
To: Tim Edwards
Cc: netfilter@lists.netfilter.org
Subject: Re: (no subject)

> Yes. Just insert such a rule into the OUTPUT chain.

Ok I have the following rules but it still isn't cutting off existing
connections:

#!/bin/bash

# First clear all rules (and set the policy to DROP on the default
chains)
iptables -F
# Second delete all the extra (user-defined) chains
iptables -X
# Set polcy on the default chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allow anything over loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming ssh and http/s connections
iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j
ACCEPT
iptables -A INPUT -j LOG --log-prefix="INPUT REJECT" --log-level=info
iptables -A INPUT -j REJECT
# Allow already established ssh and http/s connections back out through
the firewall
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix="OUTPUT REJECT" --log-level=info
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j LOG --log-prefix="FORWARD REJECT"
--log-level=info
iptables -A FORWARD -j REJECT


This email and any attachment may contain confidential, privileged information for the sole use of the intended recipient. If you are not the intended recipient, do not disclose, reproduce, disseminate or otherwise use this communication. If you received this communication in error, please immediately notify the sender via email and delete the communication from your system.

RE: (no subject)

[Bernd Petrovitsch]

On Tue, 2006-11-21 at 10:44 +0000, Tim Edwards wrote:
> 
> -----Original Message-----
> From: Bernd Petrovitsch [mailto:bernd@firmix.at] 
> Sent: 21 November 2006 10:13
> To: Tim Edwards
> Cc: netfilter@lists.netfilter.org
> Subject: Re: (no subject)
> 
> > Yes. Just insert such a rule into the OUTPUT chain.
> 
> Ok I have the following rules but it still isn't cutting off existing
> connections:

Yup.

> #!/bin/bash
> 
> # First clear all rules (and set the policy to DROP on the default
> chains)
> iptables -F
> # Second delete all the extra (user-defined) chains
> iptables -X
> # Set polcy on the default chains
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> # allow anything over loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> # Allow incoming ssh and http/s connections
> iptables -A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j
> ACCEPT
> iptables -A INPUT -j LOG --log-prefix="INPUT REJECT" --log-level=info
> iptables -A INPUT -j REJECT
> # Allow already established ssh and http/s connections back out through
> the firewall
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This allows all existing connections. If the above comment should be
correct, you probably forgot here something.

> iptables -A OUTPUT -j LOG --log-prefix="OUTPUT REJECT" --log-level=info
> iptables -A OUTPUT -j REJECT
> iptables -A FORWARD -j LOG --log-prefix="FORWARD REJECT"
> --log-level=info
> iptables -A FORWARD -j REJECT

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services

(no subject)

[Tim Edwards]

Hi,

I don't know if this makes much sense with the way iptables works.
Anyway I'm trying to instantly stop all outgoing traffic from a machine,
even from processes that are currently running and may have connections
active.

Is this possible with iptables? 

Thanks 

Tim Edwards

This email and any attachment may contain confidential, privileged information for the sole use of the intended recipient. If you are not the intended recipient, do not disclose, reproduce, disseminate or otherwise use this communication. If you received this communication in error, please immediately notify the sender via email and delete the communication from your system.

Re: (no subject)

[Bernd Petrovitsch]

On Tue, 2006-11-21 at 09:25 +0000, Tim Edwards wrote:
> Hi,
> 
> I don't know if this makes much sense with the way iptables works.
> Anyway I'm trying to instantly stop all outgoing traffic from a machine,
> even from processes that are currently running and may have connections
> active.
> 
> Is this possible with iptables? 

Yes. Just insert such a rule into the OUTPUT chain.

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services

(no subject)

[Kaleb D. Tuimala]

I am new to Linux. I am using Open Suse 10.0. Currently iptables 1.3.3 is
installed. I want to patch that up to 1.3.6. The problem I am having is
that I have no idea how to install the incremental patches from iptables
1.3.3 - 1.3.6. How do I successfully do this? If anyone could give me
detailed instructions on how to use the patches I would greatly appreciate
it.

-- Kaleb

(no subject)

[Thomas Sandquist]

Hello,

I'm trying to find out if the ipt_random module can be compiled in to the
2.6 kernels? A few years ago (back in the day of kernel 2.4) I patched and
compiled this module in to the kernel and used it in a load balancing
script (shotgunning cable modems). I'm interested in doing this with a new
box running FC5 (currently kernel 2.6.18) but have found very little
information on it. I finally figured out how to get POM again (I think I
got the right version anyways... it's now POM-NG however the release date
was in 2004) and found the random source there but the info note says it
only works on kernels below 2.6.0. Do I just have too old of a version of
the POM package or is the random module really only available in the 2.4
kernel? If it's not available in the 2.6 kernel are their any alternative
modules that I should be looking in to (perhaps the nth module although I
haven't really read up on it yet)? Any help would be appreciated. It was
great shotgunning cable modems with this setup a few years ago and it
would be even cooler if I could get this working on a more modern distro
(I am open to other distro's other than Fedora if someone knows of one
that might be better for my routing purposes).

Thanks,
Thomas Sandquist

(no subject)

[richard]

Hi. 

 Recently I'm developing a firewall router with linux 2.4(and I can only
use 2.4 for some reasons). But there are more resources about the linux 2.6
netfilter. Do you think I should port the netfilter frameworke from linux
2.6 to linux 2.4 to have more support? :) (I think it's a bad idea). 

richard

(no subject)

[gary douglas]

Try to build a clean box with Fedora Core 4 and IPTables with  
connlimits. I keep running into errors.

I clean install Fedora Core 4. Download iptables 1.3.5, patch-o-matic  
20060710, and linux kernel 2.6.17.3. Create a link from /usr/src/ 
linux to the linux kernel directory.

cd into patch o matic and enter the following:
export KERNEL_DIR=/usr/src/linux

export IPTABLES_DIR=~/iptables-1.3.5

./runme connlimit


I have to force this as connlimit, if I do a y I get the following  
error:

unable to find ladd slot in src /tmp/pom-29493/net/ipv4/netfilter/ 
Makefile (./patchlets/connlimit/linux-2.6.11/./net/ipv4/netfilter/ 
Makefile.ladd)

than I cd over to iptables folder and run the make command. I get the  
following error at this time:

cc -O2 -Wall -Wunused -I/usr/src/linux/include -Iinclude/ - 
DIPTABLES_VERSION=\"1.3.5\"  -D_UNKNOWN_KERNEL_POINTER_SIZE -fPIC -o  
extensions/libipt_CLUSTERIP_sh.o -c extensions/libipt_CLUSTERIP.c
In file included from /usr/src/linux/include/linux/config.h:6,
                  from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                  from /usr/src/linux/include/linux/netfilter_ipv4/ 
ip_tables.h:26,
                  from include/libiptc/libiptc.h:6,
                  from include/iptables.h:5,
                  from extensions/libipt_CLUSTERIP.c:18:
/usr/include/linux/autoconf.h:1:2: error: #error Invalid kernel  
header included in userspace
make: *** [extensions/libipt_CLUSTERIP_sh.o] Error 1


Any suggestion on correcting this problem are welcome.

Thank you
Gary Douglas

RE: (no subject)

[Rob Sterenborg]

> Try to build a clean box with Fedora Core 4 and IPTables with 
> connlimits. I keep running into errors.
> 
> I clean install Fedora Core 4. Download iptables 1.3.5, 
> patch-o-matic 20060710, and linux kernel 2.6.17.3. Create a 
> link from /usr/src/ linux to the linux kernel directory.
> 
> cd into patch o matic and enter the following:
> export KERNEL_DIR=/usr/src/linux
> 
> export IPTABLES_DIR=~/iptables-1.3.5
> 
> ./runme connlimit
> 
> 
> I have to force this as connlimit, if I do a y I get the following
> error:
> 
> unable to find ladd slot in src /tmp/pom-29493/net/ipv4/netfilter/
> Makefile (./patchlets/connlimit/linux-2.6.11/./net/ipv4/netfilter/
> Makefile.ladd)

And thus your kernel-/iptables-source isn't patched.

I had the same error and patched the kernel manually.
Look in POM in patchlets/connlimit directory and you'll find what you
need. The directory layout is just like you find it in the kernel
source.
Add the content of Makefile.ladd to the appropriate Makefile and that of
Kconfig.ladd to the appropriate Kconfig. Copy the .c and .h files into
the appropriate directories.
Start "make menuconfig" and the new options should show up and compile.


Gr,
Rob

(no subject)

[Mark L. Wise]

Hello all!

I am struggling with what I think is an iptables issue...

I have the following Net-to-Net VPN set up between to FC4 boxes:

192.168.20.0/24-->192.168.20.2(gw)-->$PUBLICIP1 ...
$PUBLICIP2<--192.168.30.100(gw)<--192.168.30.0/24

With no firewall rules (iptables) entered, I can ping from 192.168.20.70 to
192.168.30.33 without any problem.  However, I cannot get to outside
internet addresses.  If I add:

iptables -t nat -A POSTROUTING --dst ! 192.168.30.0/24 -j SNAT --to-source
$PUBLICIP1

to the 192.168.20.2(gw) machine's iptables, I can get out of the firewall to
the internet from the 192.168.20.0/24 net, BUT MY VPN TRAFFIC DOES NOT REACH
THE OTHER SIDE.

So it seems that I can either have my VPN traffic between the nets OR be
able to get to the internet (WWW, etc.) but I cannot have both.

Anyone have any ideas???

Mark L. Wise, President
Alpha II Service, Inc.
1312 Epworth Ave
Reynoldsburg, Ohio 43068-2116
614 868-5033 (Phone)
614 868-1060 (Fax)

(no subject)

[Nicolas Turro]

Hi, I am trying to patch my Fedora core 4 kernel/iptable in order to include the 'random' filter (I am trying to implement 
http://linux.com.lb/wiki/index.pl?node=Load%20Balancing%20Across%20Multiple%20Links )


However I encounter some difficulties:

Patch-o-matic works against my kernel source tree, but won't recognize linux-libc-headers as a valid KERNEL_DIR.

 Iptable won't compile against the kernel source tree: I get a bunch of 
#error including kernel header in userspace; use the glibc headers instead!
(However in this case, make print-extensions finds IPv4:random )

And if I use the unpatched linux-libc-headers, it won't compile libipt_random.so (make print-extensions only shows: IPv4:recent)


So I don't know how to proceed.
Any tips?

Please respond to me explicitly since I'm not subscribed to this mail list. Thx in advance

N. Turro

Re: (no subject)

[Amitabh Kant]

Try instaling glic kernel headers. If you have yum working on your
system, "yum install glibc-kernheaders.i386" should install the
required headers.

Amitabh

difference between syn and NEW

[Subramanian]

hi,

I read in the iptables manual [in the Appendix B.
Common problems and questions ]that the NEW state
match may accept any packet marked as NEW whether it
has syn bit set or not.

 it says "If you use state NEW, packets with the SYN
bit unset will get through your firewall"

so in short it means anything marked NEW is passed
thru irrespective of whether syn is set or not OR
maybe any other bit is set

My question is if i am having a single firewall with
deny all policy and wanting to accept only new
connections for ip's or services like ssh,smtp etc
what shld be my rule -

a) iptables with --syn   OR
b) iptables with --syn + NEW OR ONLY
c) iptables with NEW

what is the recommended rule for a restrictive
firewall?

I guess option a) is the best one. But it shld not
lead to a lot of connection drops as NEW allows timed
out connections if the connection is not closed.

Please suggest the best practice.

Secondly if i want to limit ssh connections for syn
flood protection what is the recomended limit and
limit-burst values.

thirdly if i want to limit ping for ping flood
protection what is the recomended limit and
limit-burst values.

Please suggest the best practice.

Thanks & Regards,
sub  

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

(no subject)

[Bernd Lippert]

(no subject)

[James Strickland]

testing account

(no subject)

[netfilter]

Hi,

I've been trying to apply Patrick McHardy's netfilter+ipsec patches to
my 
2.6.12-5 (from kernel.org) using patch-o-matic.  When I try to apply any
of 
the four patches I receive the following message:

patchlets/ipsec-01-output-hooks has dependency on nf_reset, but nf_reset
is 
not known

I've probably missed something obvious, but I've hit a dead end, any
help 
would be appreciated.  

Cheers,
Chris
-- 
  Chris Notley
  chris@notley.org

Re: (no subject)

[Daniel Lopes]

netfilter@notleyc.fastmail.fm schrieb:
> Hi,
> 
> I've been trying to apply Patrick McHardy's netfilter+ipsec patches to
> my 
> 2.6.12-5 (from kernel.org) using patch-o-matic.  When I try to apply any
> of 
> the four patches I receive the following message:
> 
> patchlets/ipsec-01-output-hooks has dependency on nf_reset, but nf_reset
> is 
> not known
> 
> I've probably missed something obvious, but I've hit a dead end, any
> help 
> would be appreciated.  
> 
> Cheers,
> Chris

I've read somewhere deleting the dependency in the info file should let 
apply the patch cleanly. The other hooks for example hook number x 
depend on the hook x-1. So if the 01 hook applies cleanly the others 
should do aswell.

Re: (no subject)

[Chris Notley]

On Thu, 25 Aug 2005 00:40:26 +0200, "Daniel Lopes" <lopsch@lopsch.com>
said:
> netfilter@notleyc.fastmail.fm schrieb:
> > Hi,
> > 
> > I've been trying to apply Patrick McHardy's netfilter+ipsec patches to
> > my 
> > 2.6.12-5 (from kernel.org) using patch-o-matic.  When I try to apply any
> > of 
> > the four patches I receive the following message:
> > 
> > patchlets/ipsec-01-output-hooks has dependency on nf_reset, but nf_reset
> > is 
> > not known
> > 
> > I've probably missed something obvious, but I've hit a dead end, any
> > help 
> > would be appreciated.  
> > 
> > Cheers,
> > Chris
> 
> I've read somewhere deleting the dependency in the info file should let 
> apply the patch cleanly. The other hooks for example hook number x 
> depend on the hook x-1. So if the 01 hook applies cleanly the others 
> should do aswell.
> 
Thanks Daniel, that did the trick!

Cheers,
Chris

(no subject)

[Brent Clark]

Hi List

I seem to have a problem whereby if I type the following commonds, I get 
the following output


gate:~# netstat-nat
Proto NATed Address                  Foreign Address                State
gate:~#

or when I use conntrack-viewer.pl

gate:~# conntrack-viewer.pl
Active Connections according to /proc/net/ip_conntrack
Proto   Source Address           Remote Address           Service 
State       Masq  Name Resolution
Use of uninitialized value in getservbyport at 
/usr/sbin/conntrack-viewer.pl line 114.
Use of uninitialized value in getservbyport at 
/usr/sbin/conntrack-viewer.pl line 115.
Use of uninitialized value in length at /usr/sbin/conntrack-viewer.pl 
line 128.


if I use  iptstate (this seems to work)
                                                              IPTables - 
State Top
Version: 1.3          Sort: SrcIP           s to change sorting
Source                                                 Destination 
                                       Proto   State        TTL
192.168.111.10,1114                                    192.168.111.11,53 
                                      udp                    0:01:33
192.168.111.10,1118                                    192.168.111.11,53 
                                      udp                    0:01:06
192.168.111.11,51146 
213.133.106.29,35520                                   tcp 
ESTABLISHED   98:43:17

I had a brief look at the /dev/net/ip_conntrack, and all seems fine there.

If anyone has any tips or advice, it would be most appreciated.

Kind Regards
Brent Clark

(no subject)

[faton kurteshi]

Hi
Does anybody know, why I'm getting this warning error or whatever
ip_conntrack_rtsp.c: help_out: ip_conntrack_expect_related failed (-17)
and what can be the consequences, should I use any patch or something else
I'm using gentoo with kernel version 2.4.26-gentoo-r13.

(no subject)

[bright true]

Hello , 
 How can i set the Max number of allowed tcp connections from the same ip 
address ???
 if the current ip has more than the allowed number of connections the 
server will drop or reject the new connections 
 untill it gets an empty space to connect 
 if there's any rule i can set for this (please provide me with the way to 
remove the rule also)
 Thank you

Re: (no subject)

[Jason Opperisano]

On Sat, May 21, 2005 at 06:08:59AM +0300, bright true wrote:
> Hello , 
>  How can i set the Max number of allowed tcp connections from the same ip 
> address ???
>  if the current ip has more than the allowed number of connections the 
> server will drop or reject the new connections 
>  untill it gets an empty space to connect 
>  if there's any rule i can set for this (please provide me with the way to 
> remove the rule also)

the way to do this correctly is to apply the connlimit patch from PoM,
and use a rule like (using SMTP as an example and 4 conns):

  iptables -A [INPUT|FORWARD] -p tcp --syn --dport 25 \
    -m connlimit --connlimit-above 4 -j REJECT

this will result in any individual IP being allowed to make up to 4
simultaneous connections.

you delete rules by replacing the '-A' with a '-D'

-j

--
"Peter: Brothers and sisters fighting is as natural as a white mans
 dialog in a Spike Lee movie."
        --Family Guy

Re: (no subject)

[bright true]

Hello , 

Thanks for your reply , but can you give me the link of the patch i have to 
apply 

Thank You

On 5/21/05, Jason Opperisano <opie@817west.com> wrote:
> 
> On Sat, May 21, 2005 at 06:08:59AM +0300, bright true wrote:
> > Hello ,
> > How can i set the Max number of allowed tcp connections from the same ip
> > address ???
> > if the current ip has more than the allowed number of connections the
> > server will drop or reject the new connections
> > untill it gets an empty space to connect
> > if there's any rule i can set for this (please provide me with the way 
> to
> > remove the rule also)
> 
> the way to do this correctly is to apply the connlimit patch from PoM,
> and use a rule like (using SMTP as an example and 4 conns):
> 
> iptables -A [INPUT|FORWARD] -p tcp --syn --dport 25 \
> -m connlimit --connlimit-above 4 -j REJECT
> 
> this will result in any individual IP being allowed to make up to 4
> simultaneous connections.
> 
> you delete rules by replacing the '-A' with a '-D'
> 
> -j
> 
> --
> "Peter: Brothers and sisters fighting is as natural as a white mans
> dialog in a Spike Lee movie."
> --Family Guy
> 
>

Re: (no subject)

[Jason Opperisano]

On Sat, May 21, 2005 at 01:18:15AM -0400, bright true wrote:
> Hello , 
> 
> Thanks for your reply , but can you give me the link of the patch i have to 
> apply 

grab the latest snapshot of PoM available from:

  http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/

for example:

  http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20050520.tar.bz2

you need to have both the source of your running kernel available and
the source of your iptables version available and following the
instructions in the PoM README file.  basic recipe:

  - apply patches from PoM
  - recompile kernel
  - recompile iptables
  - reboot & enjoy

-j

--
"Brian: Excuse me, would you like to taste my smoked meat log?"
        --Family Guy

Re: (no subject)

[bright true]

Hello , 

i want to ask you , i there any way to accomplish the whole thing with out 
the need of re-compiling the Kernel 

and iptables actually i've a VPS and i don't have my own server and can't 
compile the Kernel for one VPS only 

Thanks alot 
Bye

On 5/21/05, Jason Opperisano <opie@817west.com> wrote:
> 
> On Sat, May 21, 2005 at 01:18:15AM -0400, bright true wrote:
> > Hello ,
> >
> > Thanks for your reply , but can you give me the link of the patch i have 
> to
> > apply
> 
> grab the latest snapshot of PoM available from:
> 
> http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
> 
> for example:
> 
> 
> http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20050520.tar.bz2
> 
> you need to have both the source of your running kernel available and
> the source of your iptables version available and following the
> instructions in the PoM README file. basic recipe:
> 
> - apply patches from PoM
> - recompile kernel
> - recompile iptables
> - reboot & enjoy
> 
> -j
> 
> --
> "Brian: Excuse me, would you like to taste my smoked meat log?"
> --Family Guy
> 
>

(no subject)

[Pmishra]

Hi Team,
My requirement is Use SingleIP and different port with different web based
application .
Requirement :-
1.Access all the request from client with PORT 80.
2.Check the socket filter or net filet and forward different port as per
hint send by client.
Is it possible in Linux ?

Please give me some some technical procedure and help me understand 

Thanks
Pradeep

The information contained in this electronic mail transmission may be
privileged and confidential, and therefore, protected from disclosure. If
you have received this communication in error, please notify us immediately
by replying to this message and deleting it from your computer without
copying or disclosing it.

Re: (no subject)

[Michael Tautschnig]

> Hi Team,
> My requirement is Use SingleIP and different port with different web based
> application .
> Requirement :-
> 1.Access all the request from client with PORT 80.
> 2.Check the socket filter or net filet and forward different port as per
> hint send by client.
> Is it possible in Linux ?

Well, what is the "hint", sent by the client?

Thanks,
Michael

Re: (no subject)

[Daniel Lopes]

Pmishra@in.safenet-inc.com schrieb:
> Hi Team,
> My requirement is Use SingleIP and different port with different web based
> application .
> Requirement :-
> 1.Access all the request from client with PORT 80.
> 2.Check the socket filter or net filet and forward different port as per
> hint send by client.
> Is it possible in Linux ?
> 
> Please give me some some technical procedure and help me understand 
> 
> Thanks
> Pradeep
> 
> The information contained in this electronic mail transmission may be
> privileged and confidential, and therefore, protected from disclosure. If
> you have received this communication in error, please notify us immediately
> by replying to this message and deleting it from your computer without
> copying or disclosing it.
> 
> 
> 
If you have only one webserver serving more than one domain, it´s usual 
to use the Apache and it´s named virtual hosting capabilities, as it is 
used by alot of hosting providers. Then the Apache looks at the client 
header and serves the request from the DocumentRoot of the domain requested.

(no subject)

[Michael Thompson]

Every once in a while while I am running a script from cron, it outputs 
this:

iptables: Resource temporarily unavailable

what is that about? Could it be that two processes are trying to access 
IPTables?

Re: (no subject)

[Michael Thompson]

Michael Thompson wrote:
> Every once in a while while I am running a script from cron, it outputs 
> this:
> 
> iptables: Resource temporarily unavailable
> 
> what is that about? Could it be that two processes are trying to access 
> IPTables?
> 
> 

It has also spat out the error of

iptables: Module is wrong version

And
modprobe: Can't locate module ip_tables

Although less frequently than Resource unavailable.

(no subject)

[Dean Anderson]

I'm trying to build openWRT (www.openwrt.org) using a new kernel from 
linksys.  The kernel claims that it is 2.4.20, but it seems to have some 
modifications, preventing netfilter from applying patches.

I want to run iptables 1.2.11, and need (of course) the matching kernel
modules.  Is there is "complete file" (ie non-patch) distribution of the
netfilter kernel modules?  I couldn't find one on the ftp.netfilter.org 
site, nor on the website.

Thanks

		--Dean

#ignore whitespace in patches
/mnt1/openWRT.20050205/buildroot/build_mipsel/staging_dir/bin/sed -i -e 
"s,\-p1,\-l \-p1," 
/mnt1/openWRT.20050205/buildroot/build_mipsel/patch-o-matic-ng-20050206/runme
touch 
/mnt1/openWRT.20050205/buildroot/build_mipsel/patch-o-matic-ng-20050206/.unpacked
/mnt1/openWRT.20050205/buildroot/sources/patch-kernel.sh 
/mnt1/openWRT.20050205/buildroot/build_mipsel/WRT54G_3_01_3_0922/release/src/linux/linux 
/mnt1/openWRT.20050205/buildroot/sources/openwrt/kernel/netfilter/patches

Applying 
/mnt1/openWRT.20050205/buildroot/sources/openwrt/kernel/netfilter/patches/100-revert_netfilter.patch 
using plaintext: 
patching file include/linux/netfilter_ipv4/ip_conntrack.h
Hunk #1 FAILED at 45.
Hunk #2 FAILED at 77.
Hunk #3 succeeded at 261 (offset 3 lines).
2 out of 3 hunks FAILED -- saving rejects to file 
include/linux/netfilter_ipv4/ip_conntrack.h.rej
patching file include/linux/netfilter_ipv4/ip_conntrack_h323.h
patching file include/linux/netfilter_ipv4/ip_conntrack_mms.h
patching file include/linux/netfilter_ipv4/ip_conntrack_pptp.h
patching file include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file 
include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h.rej
patching file include/linux/netfilter_ipv4/ip_conntrack_tftp.h
patching file include/linux/netfilter_ipv4/ip_conntrack_tuple.h
patching file include/linux/netfilter_ipv4/ip_nat_pptp.h
patching file include/linux/netfilter_ipv4/ip_pool.h
patching file include/linux/netfilter_ipv4/ipt_pool.h
patching file net/ipv4/netfilter/Config.in
Hunk #1 FAILED at 7.
Hunk #2 succeeded at 18 (offset 1 line).
Hunk #4 FAILED at 56.
Hunk #5 succeeded at 75 (offset 8 lines).
2 out of 6 hunks FAILED -- saving rejects to file 
net/ipv4/netfilter/Config.in.rej
patching file net/ipv4/netfilter/Makefile
Hunk #1 FAILED at 31.
Hunk #2 succeeded at 63 (offset 5 lines).
Hunk #4 succeeded at 94 (offset 5 lines).
1 out of 4 hunks FAILED -- saving rejects to file 
net/ipv4/netfilter/Makefile.rej
patching file net/ipv4/netfilter/ip_conntrack_core.c
patching file net/ipv4/netfilter/ip_conntrack_ftp.c
patching file net/ipv4/netfilter/ip_conntrack_h323.c
patching file net/ipv4/netfilter/ip_conntrack_mms.c
patching file net/ipv4/netfilter/ip_conntrack_pptp.c
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file 
net/ipv4/netfilter/ip_conntrack_pptp.c.rej
patching file net/ipv4/netfilter/ip_conntrack_pptp_priv.h
patching file net/ipv4/netfilter/ip_conntrack_proto_gre.c
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file 
net/ipv4/netfilter/ip_conntrack_proto_gre.c.rej
patching file net/ipv4/netfilter/ip_conntrack_proto_tcp.c
Hunk #3 FAILED at 186.
Hunk #4 succeeded at 210 (offset 7 lines).
1 out of 4 hunks FAILED -- saving rejects to file 
net/ipv4/netfilter/ip_conntrack_proto_tcp.c.rej
patching file net/ipv4/netfilter/ip_conntrack_proto_udp.c
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
patching file net/ipv4/netfilter/ip_conntrack_tftp.c
patching file net/ipv4/netfilter/ip_nat_core.c
patching file net/ipv4/netfilter/ip_nat_h323.c
patching file net/ipv4/netfilter/ip_nat_helper.c
Hunk #8 FAILED at 208.
1 out of 8 hunks FAILED -- saving rejects to file 
net/ipv4/netfilter/ip_nat_helper.c.rej
patching file net/ipv4/netfilter/ip_nat_mms.c
patching file net/ipv4/netfilter/ip_nat_pptp.c
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file 
net/ipv4/netfilter/ip_nat_pptp.c.rej
patching file net/ipv4/netfilter/ip_nat_proto_gre.c
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file 
net/ipv4/netfilter/ip_nat_proto_gre.c.rej
patching file net/ipv4/netfilter/ip_nat_standalone.c
patching file net/ipv4/netfilter/ip_nat_tftp.c
patching file net/ipv4/netfilter/ip_pool.c
patching file net/ipv4/netfilter/ip_tables.c
patching file net/ipv4/netfilter/ipchains_core.c
patching file net/ipv4/netfilter/ipfwadm_core.c
patching file net/ipv4/netfilter/ipt_ECN.c
patching file net/ipv4/netfilter/ipt_LOG.c
patching file net/ipv4/netfilter/ipt_REJECT.c
patching file net/ipv4/netfilter/ipt_ULOG.c
patching file net/ipv4/netfilter/ipt_multiport.c
patching file net/ipv4/netfilter/ipt_pool.c
patching file net/ipv6/mcast.c
patching file include/linux/ppp-comp.h
Patch failed!  Please fix 
/mnt1/openWRT.20050205/buildroot/sources/openwrt/kernel/netfilter/patches/100-revert_netfilter.patch!
make: *** 
[/mnt1/openWRT.20050205/buildroot/build_mipsel/WRT54G_3_01_3_0922/release/src/linux/linux/.nf-patched] 
Error 1


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   

Re: (no subject)

[Dean Anderson]

Ok, I fixed the openwrt problem. Turned out they had some of their own 
netfilter patches. I turned those off, and used only the patch-o-matic-ng
patchs, and things worked.

These patches were distributed by openwrt to be applied against the 
linksys kernel:  The first one is pretty substantial.

wc 100-revert_netfilter.patch 
   5834   22128  179845 100-revert_netfilter.patch
wc 110-conntrack_setting.patch 
     20      67     715 110-conntrack_setting.patch

I'm not sure what the openwrt folks and/or linksys was thinking with
these...  They worked on earlier versions of the linksys kernel... I
suspect a distribution/versioning problem caused by the netfilter group.  
There is very little documentation on the netfilter site about how the
netfilter kernel modules should get updated. 

Clearly, someone was very confused with these patches. It might be that
linksys was confused earlier, and the openwrt folks were taking that out
with their patches. Or maybe it is the other way around.  I don't know. It
sure left me confused, and wondering wtf.

Seems like there should be a better way to distribute kernel modules.  I 
didn't intend to become a netfilter internals expert.

		--Dean

On Sun, 6 Feb 2005, Dean Anderson wrote:

> I'm trying to build openWRT (www.openwrt.org) using a new kernel from 
> linksys.  The kernel claims that it is 2.4.20, but it seems to have some 
> modifications, preventing netfilter from applying patches.
> 
> I want to run iptables 1.2.11, and need (of course) the matching kernel
> modules.  Is there is "complete file" (ie non-patch) distribution of the
> netfilter kernel modules?  I couldn't find one on the ftp.netfilter.org 
> site, nor on the website.
> 
> Thanks
> 
> 		--Dean
> 
> #ignore whitespace in patches
> /mnt1/openWRT.20050205/buildroot/build_mipsel/staging_dir/bin/sed -i -e 
> "s,\-p1,\-l \-p1," 
> /mnt1/openWRT.20050205/buildroot/build_mipsel/patch-o-matic-ng-20050206/runme
> touch 
> /mnt1/openWRT.20050205/buildroot/build_mipsel/patch-o-matic-ng-20050206/.unpacked
> /mnt1/openWRT.20050205/buildroot/sources/patch-kernel.sh 
> /mnt1/openWRT.20050205/buildroot/build_mipsel/WRT54G_3_01_3_0922/release/src/linux/linux 
> /mnt1/openWRT.20050205/buildroot/sources/openwrt/kernel/netfilter/patches
> 
> Applying 
> /mnt1/openWRT.20050205/buildroot/sources/openwrt/kernel/netfilter/patches/100-revert_netfilter.patch 
> using plaintext: 
> patching file include/linux/netfilter_ipv4/ip_conntrack.h
> Hunk #1 FAILED at 45.
> Hunk #2 FAILED at 77.
> Hunk #3 succeeded at 261 (offset 3 lines).
> 2 out of 3 hunks FAILED -- saving rejects to file 
> include/linux/netfilter_ipv4/ip_conntrack.h.rej
> patching file include/linux/netfilter_ipv4/ip_conntrack_h323.h
> patching file include/linux/netfilter_ipv4/ip_conntrack_mms.h
> patching file include/linux/netfilter_ipv4/ip_conntrack_pptp.h
> patching file include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
> Reversed (or previously applied) patch detected!  Assume -R? [n] 
> Apply anyway? [n] 
> Skipping patch.
> 1 out of 1 hunk ignored -- saving rejects to file 
> include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h.rej
> patching file include/linux/netfilter_ipv4/ip_conntrack_tftp.h
> patching file include/linux/netfilter_ipv4/ip_conntrack_tuple.h
> patching file include/linux/netfilter_ipv4/ip_nat_pptp.h
> patching file include/linux/netfilter_ipv4/ip_pool.h
> patching file include/linux/netfilter_ipv4/ipt_pool.h
> patching file net/ipv4/netfilter/Config.in
> Hunk #1 FAILED at 7.
> Hunk #2 succeeded at 18 (offset 1 line).
> Hunk #4 FAILED at 56.
> Hunk #5 succeeded at 75 (offset 8 lines).
> 2 out of 6 hunks FAILED -- saving rejects to file 
> net/ipv4/netfilter/Config.in.rej
> patching file net/ipv4/netfilter/Makefile
> Hunk #1 FAILED at 31.
> Hunk #2 succeeded at 63 (offset 5 lines).
> Hunk #4 succeeded at 94 (offset 5 lines).
> 1 out of 4 hunks FAILED -- saving rejects to file 
> net/ipv4/netfilter/Makefile.rej
> patching file net/ipv4/netfilter/ip_conntrack_core.c
> patching file net/ipv4/netfilter/ip_conntrack_ftp.c
> patching file net/ipv4/netfilter/ip_conntrack_h323.c
> patching file net/ipv4/netfilter/ip_conntrack_mms.c
> patching file net/ipv4/netfilter/ip_conntrack_pptp.c
> Reversed (or previously applied) patch detected!  Assume -R? [n] 
> Apply anyway? [n] 
> Skipping patch.
> 1 out of 1 hunk ignored -- saving rejects to file 
> net/ipv4/netfilter/ip_conntrack_pptp.c.rej
> patching file net/ipv4/netfilter/ip_conntrack_pptp_priv.h
> patching file net/ipv4/netfilter/ip_conntrack_proto_gre.c
> Reversed (or previously applied) patch detected!  Assume -R? [n] 
> Apply anyway? [n] 
> Skipping patch.
> 1 out of 1 hunk ignored -- saving rejects to file 
> net/ipv4/netfilter/ip_conntrack_proto_gre.c.rej
> patching file net/ipv4/netfilter/ip_conntrack_proto_tcp.c
> Hunk #3 FAILED at 186.
> Hunk #4 succeeded at 210 (offset 7 lines).
> 1 out of 4 hunks FAILED -- saving rejects to file 
> net/ipv4/netfilter/ip_conntrack_proto_tcp.c.rej
> patching file net/ipv4/netfilter/ip_conntrack_proto_udp.c
> patching file net/ipv4/netfilter/ip_conntrack_standalone.c
> patching file net/ipv4/netfilter/ip_conntrack_tftp.c
> patching file net/ipv4/netfilter/ip_nat_core.c
> patching file net/ipv4/netfilter/ip_nat_h323.c
> patching file net/ipv4/netfilter/ip_nat_helper.c
> Hunk #8 FAILED at 208.
> 1 out of 8 hunks FAILED -- saving rejects to file 
> net/ipv4/netfilter/ip_nat_helper.c.rej
> patching file net/ipv4/netfilter/ip_nat_mms.c
> patching file net/ipv4/netfilter/ip_nat_pptp.c
> Reversed (or previously applied) patch detected!  Assume -R? [n] 
> Apply anyway? [n] 
> Skipping patch.
> 1 out of 1 hunk ignored -- saving rejects to file 
> net/ipv4/netfilter/ip_nat_pptp.c.rej
> patching file net/ipv4/netfilter/ip_nat_proto_gre.c
> Reversed (or previously applied) patch detected!  Assume -R? [n] 
> Apply anyway? [n] 
> Skipping patch.
> 1 out of 1 hunk ignored -- saving rejects to file 
> net/ipv4/netfilter/ip_nat_proto_gre.c.rej
> patching file net/ipv4/netfilter/ip_nat_standalone.c
> patching file net/ipv4/netfilter/ip_nat_tftp.c
> patching file net/ipv4/netfilter/ip_pool.c
> patching file net/ipv4/netfilter/ip_tables.c
> patching file net/ipv4/netfilter/ipchains_core.c
> patching file net/ipv4/netfilter/ipfwadm_core.c
> patching file net/ipv4/netfilter/ipt_ECN.c
> patching file net/ipv4/netfilter/ipt_LOG.c
> patching file net/ipv4/netfilter/ipt_REJECT.c
> patching file net/ipv4/netfilter/ipt_ULOG.c
> patching file net/ipv4/netfilter/ipt_multiport.c
> patching file net/ipv4/netfilter/ipt_pool.c
> patching file net/ipv6/mcast.c
> patching file include/linux/ppp-comp.h
> Patch failed!  Please fix 
> /mnt1/openWRT.20050205/buildroot/sources/openwrt/kernel/netfilter/patches/100-revert_netfilter.patch!
> make: *** 
> [/mnt1/openWRT.20050205/buildroot/build_mipsel/WRT54G_3_01_3_0922/release/src/linux/linux/.nf-patched] 
> Error 1
> 
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   

Re: (no subject)

[Samuel Jean]

On Mon, February 7, 2005 12:24 am, Dean Anderson said:
> Ok, I fixed the openwrt problem. Turned out they had some of their own
> netfilter patches. I turned those off, and used only the patch-o-matic-ng
> patchs, and things worked.

Official package means clean patches (not always true).

>
> These patches were distributed by openwrt to be applied against the
> linksys kernel:  The first one is pretty substantial.
>
> wc 100-revert_netfilter.patch
>    5834   22128  179845 100-revert_netfilter.patch
> wc 110-conntrack_setting.patch
>      20      67     715 110-conntrack_setting.patch

Those are not from patch-o-matic, aren't they ?

Those are patches i've never heard of. They aren't part of netfilter
(I guess) and obviously no warranty they will apply cleanly.

Some official patches don't, so I guess it's normal 3rd party's one don't
too.

>
> I'm not sure what the openwrt folks and/or linksys was thinking with
> these...  They worked on earlier versions of the linksys kernel... I
> suspect a distribution/versioning problem caused by the netfilter group.

Because of the constant evolution with netfilter, the only things they care
are :

o Keep compatibility with iptables userspace
o Keep in-kernel modules synced with new netfilter behaviour.
o And once this is done, some start syncing Patch-O-Matic patches,
  which aren't official to Linux but official to Netfilter.

There's no precaution to keep compatibility with 3rd parties.

> There is very little documentation on the netfilter site about how the
> netfilter kernel modules should get updated.

Official netfilter kernel modules are part of the linux kernel itself.
That means, no kernel update, no netfilter update.

If you are talking about 'unofficial' patches, then patching your kernel
source is done with Patch-O-Matic.

>
> Clearly, someone was very confused with these patches. It might be that
> linksys was confused earlier, and the openwrt folks were taking that out
> with their patches. Or maybe it is the other way around.  I don't know. It
> sure left me confused, and wondering wtf.

I'm wondering wtf too about those patches. What are they, why are they...

>
> Seems like there should be a better way to distribute kernel modules.  I
> didn't intend to become a netfilter internals expert.

Again, Netfilter Linux kernel modules are distributed with Linux kernel.
KIM, netfilter is a total part of the Linux kernel.

>
> 		--Dean
>

Have a good day,
Samuel

Re: (no subject)

[Dean Anderson]

On Mon, 7 Feb 2005, Samuel Jean wrote:
> > These patches were distributed by openwrt to be applied against the
> > linksys kernel:  The first one is pretty substantial.
> >
> > wc 100-revert_netfilter.patch
> >    5834   22128  179845 100-revert_netfilter.patch
> > wc 110-conntrack_setting.patch
> >      20      67     715 110-conntrack_setting.patch
> 
> Those are not from patch-o-matic, aren't they ?
> 
> Those are patches i've never heard of. They aren't part of netfilter
> (I guess) and obviously no warranty they will apply cleanly.

They aren't "official" patches. They look like the results of a previous
application of patch-o-matic.  After they were applied, further "official"
patches from patch-o-matic failed.

So, that was the cause for my question, where do I get "clean file" 
versions of netfilter. Patches are relative to something.

> >
> > I'm not sure what the openwrt folks and/or linksys was thinking with
> > these...  They worked on earlier versions of the linksys kernel... I
> > suspect a distribution/versioning problem caused by the netfilter group.
> 
> Because of the constant evolution with netfilter, the only things they care
> are :
> 
> o Keep compatibility with iptables userspace
> o Keep in-kernel modules synced with new netfilter behaviour.
> o And once this is done, some start syncing Patch-O-Matic patches,
>   which aren't official to Linux but official to Netfilter.
> 
> There's no precaution to keep compatibility with 3rd parties.

There doesn't appear to be any third party modifications except for 
previous applications of netfilter patches by those parties.

Neither openwrt nor linksys have any apparent interest in modifying 
netfilter. They just wanted to turn on some "extra" netfilter patches. 
After that, things are busted and there isn't any way to fix them.

Thats why you need to produce the kernel modules as complete files that 
are __copied__ and compiled.  Patches are insufficent.

> > There is very little documentation on the netfilter site about how the
> > netfilter kernel modules should get updated.
> 
> Official netfilter kernel modules are part of the linux kernel itself.
> That means, no kernel update, no netfilter update.

Thats just insane. Why have loadable modules or a kernel hooks interface 
if you are going to tie tightly to kernel versions?

> Again, Netfilter Linux kernel modules are distributed with Linux kernel.
> KIM, netfilter is a total part of the Linux kernel.

This needs to change then. Either that, or the kernel needs to start
including iptables source code as well, and it also needs to be __well__
documented that the iptables version can't be changed---it is tied to the
kernel version.

Probably this is the source of the confusion.

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   

(no subject)

[mohammad Mahbubur rahman]

Hi,
I am working on an Adhoc network running kernel AODV
version 2.1 (on Redhat linux kernel 2.4.20). The AODV
is running fine. Now I am trying to queue some packets
onto the user space for modification using libipq
library. But incase of running the libipq example
program, i have to load the ip_queue module by
modprobe ip_queue first. When i load this module and
running the example program, the machines are hanged.
Can anyone please tell me why??

Can anyone pls suggest me how i can get some packets
onto the user space for modification incase of ad hoc
network???

Mahbub



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: (no subject)

[Tobias DiPasquale]

On Wed, 26 Jan 2005 07:58:23 -0800 (PST), mohammad Mahbubur rahman
<mahbub71@yahoo.com> wrote:
> Hi,
> I am working on an Adhoc network running kernel AODV
> version 2.1 (on Redhat linux kernel 2.4.20). The AODV
> is running fine. Now I am trying to queue some packets
> onto the user space for modification using libipq
> library. But incase of running the libipq example
> program, i have to load the ip_queue module by
> modprobe ip_queue first. When i load this module and
> running the example program, the machines are hanged.
> Can anyone please tell me why??
> 
> Can anyone pls suggest me how i can get some packets
> onto the user space for modification incase of ad hoc
> network???

AFAIK, the current Linux implementation of AODV uses ip_queue.
Therefore, due to the limitations of ip_queue, you can't then use
anything else that would use ip_queue while you're running that. Where
did you get your implementation? Is it this one:

http://user.it.uu.se/~henrikl/aodv/

or this one?:

http://w3.antd.nist.gov/wctg/aodv_kernel/

If its the latter, disregard all of the above.

-- 
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d

(no subject)

[Filip Moritz]

Hi everyone.

Didn't post here yet, but I hope someone will enlighten my sorrow:
I'm afraid to observe incoming packets being answered by a local process,
though dropped by iptables.

On a firewall between our workstations and servers i run dhcrelay, for
obvious reasons. Unfortunately the devices, dhcrelay answers broadcasts vs
asks the server on, are not configurable seperately. So it also answers dhcp
request broadcasts on the server network. As i use netbooting from time to
time to install or maintain servers, this actually happens. So I added a
rule to avoid broadcast packets from the servers' network to reach the
firewall machine:

# iptables -I INPUT -i ! eth0 -s 0.0.0.0 -j DROP
# iptables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 DROP       all  --  !eth0  any     0.0.0.0              anywhere
[ ... more rules ]

When now doing DHCP requests [*] from the server's network, I get replies
not only from my DHCP servers [+], but also from the firewall's internal
interface [x]:

# tcpdump -i eth1 host 0.0.0.0 or 255.255.255.255
[*]	16:29:38.415090 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from <pxe client's hw-addr>
[+]	16:29:38.415840 IP <server5's ip>.bootps > 255.255.255.255.bootpc:
BOOTP/DHCP, Reply
[+]	16:29:38.415846 IP <server4's ip>.bootps > 255.255.255.255.bootpc:
BOOTP/DHCP, Reply
[x]	16:29:38.415913 IP 192.168.10.1.bootps > 255.255.255.255.bootpc:
BOOTP/DHCP, Reply
[x]	16:29:38.416245 IP 192.168.10.1.bootps > 255.255.255.255.bootpc:
BOOTP/DHCP, Reply
[*]	16:29:46.434416 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from <pxe client's hw-addr>
[+]	16:29:46.434781 IP <server5's ip>.bootps > 255.255.255.255.bootpc:
BOOTP/DHCP, Reply
[x]	16:29:46.435218 IP 192.168.10.1.bootps > 255.255.255.255.bootpc:
BOOTP/DHCP, Reply
[*]	16:29:54.453295 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from <pxe client's hw-addr>
[x]	16:29:54.463872 IP 192.168.10.1.bootps > 255.255.255.255.bootpc:
BOOTP/DHCP, Reply
[ ... three more times all the same ]


...although the same nine (3x3) request packets seem to have been dropped:

# iptables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    9  5184 DROP       all  --  !eth0  any     0.0.0.0              anywhere
[ ... more rules ]


To be sure, I tried several times. When dhcrelay is not running, voila, no
more replies from 192.168.10.1.


on the other hand,

# iptables -I OUTPUT -o ! eth0 -d 255.255.255.255 -j DROP

doesn't match any of those dhcp replies:

# iptables -L OUTPUT -v
Chain OUTPUT (policy DROP 18 packets, 1232 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 DROP       all  --  any    !eth0   anywhere
255.255.255.255


So is this any sane?


Environment:
Our firewall is separating two subnets: 192.168.10.0/24 (workstations) on
eth0 and  192.168.10.0/28 (servers) on eth1. For traffic from workstations
to servers being sent to the firewall, arp-cacheing is turned on for eth0.
The other direction is done by having manually set up a more narrow netmask
(the /28) on the servers and the firewall's eth1 (192.168.10.1) as default
gateway. This generally works pretty fine.


appreciating any thoughts,
g., fil

(no subject)

[Zacky Ho]

Dear all,
I have problem on configuring iptables in my home. I
used a linux box as gateway & firewall which installed
RedHat 9. There are two IP interfaces: One connects to
ISP (222.xxx.xxx.xxx) while another connects to
internal hub and shared with other private PC
(192.168.123.254). My Web server is Apache running on
W2K (192.168.123.222) and using 1080 as web access
port. My rc.firewall.txt has configured as follows.
Any mistakes on it? Please advise. Thanks in advance!
Zacky Ho.

#!/bin/sh
set -x
#
# rc.firewall - Initial SIMPLE IP Firewall script for
Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson
<bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute
it and/or modify
# it under the terms of the GNU General Public License
as published by
# the Free Software Foundation; version 2 of the
License.
#
# This program is distributed in the hope that it will
be useful,
# but WITHOUT ANY WARRANTY; without even the implied
warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General
Public License
# along with this program or from the site that you
downloaded it
# from; if not, write to the Free Software Foundation,
Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

#INET_IP="61.10.148.25"
INET_IP="222.166.46.146"
INET_IFACE="eth1"
#INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to
only use the first 24
# bits of the 32 bit IP address. the same as netmask
255.255.255.0
#

LAN_IP="192.168.123.254"
LAN_IP_RANGE="192.168.123.0/24"
LAN_IFACE="eth0"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#
iptables -F
iptables -X

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT   -j LOG --log-level DEBUG \
--log-prefix "DEBUG-INPUT:        "
$IPTABLES -A OUTPUT  -j LOG --log-level DEBUG \
--log-prefix "DEBUG_OUTPUT        "
$IPTABLES -A FORWARD -j LOG --log-level DEBUG \
--log-prefix "DEBUG-FORWARD:      "

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to
traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags
SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state
--state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state
--state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
## added 20040403 from Thomas
$IPTABLES -A allowed -p TCP -j LOG --log-prefix
"FW-DroppedAllow:"
## added 20040403 from Thomas

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j
allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j
allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j
allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j
allowed
#apache
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j
allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 8888 -j
allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1080 -j
allowed
### added 2004 12 28
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 139 -j
allowed
###
# 
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1580 -j
allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j
allowed
# winmx
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6699
-j allowed
# MTS
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5080 -j
allowed
## added 2003 08 25
$IPTABLES -A tcp_packets -p TCP -j LOG --log-prefix
"FW-DroppedTCP: "
## added 2003 08 25


#
# UDP ports
#

$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port
53 -j ACCEPT
#if [ $DHCP == "yes" ] ; then
# $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER
--sport 67 \
# --dport 68 -j ACCEPT
#fi

#$IPTABLES -A udp_packets -p UDP -s 0/0
--destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0
--destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 20 -j
ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 21 -j
ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 22 -j
ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 23 -j
ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0
--destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0
--destination-port 4000 -j ACCEPT
# winmx
#$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 6257
-j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port
6257 -j ACCEPT
# MTS
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 500 -j
ACCEPT
#
#### added 2004 12 28 
#$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 139 -j
ACCEPT
###

#
# In Microsoft Networks you will be swamped by
broadcasts. These lines 
# will prevent them from showing up in the logs.
#

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d
$INET_BROADCAST \
--destination-port 135:139 -j DROP
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
--destination-port 135:139 -j LOG --log-prefix
"FW-Dropped:    "
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
--destination-port 135:139 -j DROP

## added 2003 08 25
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
-j LOG --log-prefix "Dropped: "
## added 2003 08 25

#
# If we get DHCP requests from the Outside of our
network, our logs will 
# be swamped as well. This rule will block them from
getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d
255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8
-j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -i $INET_IFACE
--icmp-type 8 -j LOG \
--log-prefix "FW-DroppedEchoRep:  "
$IPTABLES -A icmp_packets -p ICMP -i $INET_IFACE
--icmp-type 8 -j DROP
$IPTABLES -A icmp_packets -p ICMP -i $LAN_IFACE -s
$LAN_IP_RANGE -j ACCEPT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type
11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#
## Added 20040403 from Thomas
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s
$LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
## Added 20040403 from Thomas
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s
$LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j
ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j
ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j
ACCEPT

#
# Special rule for DHCP requests from LAN, which are
not caught properly
# otherwise. 
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67
--sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state
ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j
tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j
udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j
icmp_packets

#
# If you have a Microsoft Network on the outside of
your firewall, you may 
# also get flooded by Multicasts. We drop them so we
do not get flooded by 
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j
DROP

#
# Log weird packets that don't match the above.
#
## Added 20040403 from Thomas
$IPTABLES -A INPUT -m limit --limit 3/minute
--limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet
died:"
## Added 20040403 from Thomas
#$IPTABLES -A INPUT -m limit --limit 3/minute
--limit-burst 3 -j LOG \
#--log-level DEBUG --log-prefix "IPT INPUT packet
died:" 


#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#
## Added 20040403 from Thomas
$IPTABLES -A FORWARD -i $LAN_IFACE -p UDP  \
--destination-port 135:139 -j LOG --log-prefix
"FW-Dropped_135-139: "
$IPTABLES -A FORWARD -i $LAN_IFACE -p UDP  \
--destination-port 135:139 -j DROP
## Added 20040403 from Thomas

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute
--limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet
died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute
--limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet
died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain Added on 20041226 by zacky
#
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE
-d 222.166.46.146 --dport 1080 -j DNAT \
--to-destination 192.168.123.222:1080
$IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -d
192.168.123.222 --dport 1080 -j ACCEPT

#
# Enable simple IP Forwarding and Network Address
Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT
--to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#




		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Helps protect you from nasty viruses. 
http://promotions.yahoo.com/new_mail

Re: (no subject)

[Jason Opperisano]

On Wed, 2004-12-29 at 04:01, Zacky Ho wrote:
> #
> # allowed chain
> #
> 
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> $IPTABLES -A allowed -p TCP -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A allowed -p TCP -j DROP
> ## added 20040403 from Thomas
> $IPTABLES -A allowed -p TCP -j LOG --log-prefix
> "FW-DroppedAllow:"
> ## added 20040403 from Thomas

your LOG rule needs to come *before* the DROP rule in order for it to
ever log anything.

> #
> # TCP rules
> #
> 
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j
> allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j
> allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j
> allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j
> allowed
> #apache
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j
> allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 8888 -j
> allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1080 -j
> allowed
> ### added 2004 12 28
> #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 139 -j
> allowed
> ###
> # 
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1580 -j
> allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j
> allowed
> # winmx
> #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6699
> -j allowed
> # MTS
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5080 -j
> allowed
> ## added 2003 08 25
> $IPTABLES -A tcp_packets -p TCP -j LOG --log-prefix
> "FW-DroppedTCP: "
> ## added 2003 08 25

um--you're jumping to "tcp_packets" from INPUT.  do you really run *all*
these services on your firewall?  and do you really want *all* these
services exposed to the Internet?  i sure hope not.  and port 80 is in
there twice.

> #
> # UDP ports
> #
> 
> $IPTABLES -A udp_packets -p UDP -s 0/0 --source-port
> 53 -j ACCEPT
> #if [ $DHCP == "yes" ] ; then
> # $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER
> --sport 67 \
> # --dport 68 -j ACCEPT
> #fi
> 
> #$IPTABLES -A udp_packets -p UDP -s 0/0
> --destination-port 53 -j ACCEPT
> #$IPTABLES -A udp_packets -p UDP -s 0/0
> --destination-port 123 -j ACCEPT
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 20 -j
> ACCEPT
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 21 -j
> ACCEPT
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 22 -j
> ACCEPT
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 23 -j
> ACCEPT

um--what UDP services are ports 20-23?

<snip>

> #
> # 4.1.5 FORWARD chain
> #
> 
> #
> # Bad TCP packets we don't want
> #
> ## Added 20040403 from Thomas
> $IPTABLES -A FORWARD -i $LAN_IFACE -p UDP  \
> --destination-port 135:139 -j LOG --log-prefix
> "FW-Dropped_135-139: "
> $IPTABLES -A FORWARD -i $LAN_IFACE -p UDP  \
> --destination-port 135:139 -j DROP
> ## Added 20040403 from Thomas
> 
> $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
> 
> #
> # Accept the packets we actually want to forward
> #
> 
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT

somewhere in here you want:

  $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp --syn \
    -d 192.168.123.222 --dport 1080 -j ACCEPT

> #
> # Log weird packets that don't match the above.
> #
> 
> $IPTABLES -A FORWARD -m limit --limit 3/minute
> --limit-burst 3 -j LOG \
> --log-level DEBUG --log-prefix "IPT FORWARD packet
> died: "
> 
> #
> # 4.1.6 OUTPUT chain
> #
> 
> #
> # Bad TCP packets we don't want.
> #
> 
> $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
> 
> #
> # Special OUTPUT rules to decide which IP's to allow.
> #
> 
> $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
> 
> #
> # Log weird packets that don't match the above.
> #
> 
> $IPTABLES -A OUTPUT -m limit --limit 3/minute
> --limit-burst 3 -j LOG \
> --log-level DEBUG --log-prefix "IPT OUTPUT packet
> died: "
> 
> ######
> # 4.2 nat table
> #
> 
> #
> # 4.2.1 Set policies
> #
> 
> #
> # 4.2.2 Create user specified chains
> #
> 
> #
> # 4.2.3 Create content in user specified chains
> #
> 
> #
> # 4.2.4 PREROUTING chain
> #
> 
> #
> # 4.2.5 POSTROUTING chain Added on 20041226 by zacky
> #
> $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE
> -d 222.166.46.146 --dport 1080 -j DNAT \
> --to-destination 192.168.123.222:1080

are the requests from the Internet coming in on port 80 or port 1080?

are people typing:

  http://222.166.46.146/
  -or-
  http://222.166.46.146:1080/

to get to your website?  if it's the first--your rule should be:

  $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE
    -d 222.166.46.146 --dport 80 -j DNAT \
    --to-destination 192.168.123.222:1080

> $IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -d
> 192.168.123.222 --dport 1080 -j ACCEPT

first--this rule doesn't make any sense.  packets will not arrive
inbound on $LAN_IFACE with a dst ip of 192.168.123.222; as machines on
192.168.123.0/24 will talk to 192.168.123.222 directly, not through the
gateway.

second, you want to put a FORWARD rule for you web server up above where
i specified, as your script is virtually impossible to read through
logically as it is--this is not helping.

third, this rule ends up *after* your rule that says "IPT FORWARD packet
died: " which makes that log entry very misleading.

-j

--
"Please do not offer my god a peanut"
	--The Simpsons

Re: (no subject)

[Zacky Ho]

Hi Jason,
Thanks a lot!
Since the script is provided by my friend, there are
some modification in the script. First is I use port
1080 for web access. Second is I will check with my
friend about TCP/UDP port. Third is I will modify the
log format for easy watching. Many thanks for your
advice! One more thing will need your supprt......

I Would like to introduce the detail about setting
Firewall at home. There is a Linux Box runnning RedHat
9 as a gateway/firewall. There are 2 network cards
installed in it. One is connected to ISP via cable
modem, which gets IP 222.166.46.146. Another network
card is connected to a switch and has static IP
192.168.123.254. I have register a domain name
"zackyho.no-ip.com" from no-ip.com. Using its provided
windows client update program, I see the real IP
reported back is "61.xxx.xxx.xxx". 
My Web server which runs Apache is installed in W2K
box which has static IP 192.168.123.222 and also
connect to the switch. I would like to provide
external access as http://zackyho.no-ip.com. Is there
any missing/mistakes in the script "rc.fireall.txt"
Please kindly adivse. Thanks in advance!
 
--- Jason Opperisano <opie@817west.com> wrote:

> On Wed, 2004-12-29 at 04:01, Zacky Ho wrote:
> > #
> > # allowed chain
> > #
> > 
> > $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> > $IPTABLES -A allowed -p TCP -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A allowed -p TCP -j DROP
> > ## added 20040403 from Thomas
> > $IPTABLES -A allowed -p TCP -j LOG --log-prefix
> > "FW-DroppedAllow:"
> > ## added 20040403 from Thomas
> 
> your LOG rule needs to come *before* the DROP rule
> in order for it to
> ever log anything.
> 
> > #
> > # TCP rules
> > #
> > 
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21
> -j
> > allowed
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22
> -j
> > allowed
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80
> -j
> > allowed
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113
> -j
> > allowed
> > #apache
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80
> -j
> > allowed
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport
> 8888 -j
> > allowed
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport
> 1080 -j
> > allowed
> > ### added 2004 12 28
> > #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport
> 139 -j
> > allowed
> > ###
> > # 
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport
> 1580 -j
> > allowed
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113
> -j
> > allowed
> > # winmx
> > #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport
> 6699
> > -j allowed
> > # MTS
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport
> 5080 -j
> > allowed
> > ## added 2003 08 25
> > $IPTABLES -A tcp_packets -p TCP -j LOG
> --log-prefix
> > "FW-DroppedTCP: "
> > ## added 2003 08 25
> 
> um--you're jumping to "tcp_packets" from INPUT.  do
> you really run *all*
> these services on your firewall?  and do you really
> want *all* these
> services exposed to the Internet?  i sure hope not. 
> and port 80 is in
> there twice.
> 
> > #
> > # UDP ports
> > #
> > 
> > $IPTABLES -A udp_packets -p UDP -s 0/0
> --source-port
> > 53 -j ACCEPT
> > #if [ $DHCP == "yes" ] ; then
> > # $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER
> > --sport 67 \
> > # --dport 68 -j ACCEPT
> > #fi
> > 
> > #$IPTABLES -A udp_packets -p UDP -s 0/0
> > --destination-port 53 -j ACCEPT
> > #$IPTABLES -A udp_packets -p UDP -s 0/0
> > --destination-port 123 -j ACCEPT
> > $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 20
> -j
> > ACCEPT
> > $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 21
> -j
> > ACCEPT
> > $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 22
> -j
> > ACCEPT
> > $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 23
> -j
> > ACCEPT
> 
> um--what UDP services are ports 20-23?
> 
> <snip>
> 
> > #
> > # 4.1.5 FORWARD chain
> > #
> > 
> > #
> > # Bad TCP packets we don't want
> > #
> > ## Added 20040403 from Thomas
> > $IPTABLES -A FORWARD -i $LAN_IFACE -p UDP  \
> > --destination-port 135:139 -j LOG --log-prefix
> > "FW-Dropped_135-139: "
> > $IPTABLES -A FORWARD -i $LAN_IFACE -p UDP  \
> > --destination-port 135:139 -j DROP
> > ## Added 20040403 from Thomas
> > 
> > $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
> > 
> > #
> > # Accept the packets we actually want to forward
> > #
> > 
> > $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> 
> somewhere in here you want:
> 
>   $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE
> -p tcp --syn \
>     -d 192.168.123.222 --dport 1080 -j ACCEPT
> 
> > #
> > # Log weird packets that don't match the above.
> > #
> > 
> > $IPTABLES -A FORWARD -m limit --limit 3/minute
> > --limit-burst 3 -j LOG \
> > --log-level DEBUG --log-prefix "IPT FORWARD packet
> > died: "
> > 
> > #
> > # 4.1.6 OUTPUT chain
> > #
> > 
> > #
> > # Bad TCP packets we don't want.
> > #
> > 
> > $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
> > 
> > #
> > # Special OUTPUT rules to decide which IP's to
> allow.
> > #
> > 
> > $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> > $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> > $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
> > 
> > #
> > # Log weird packets that don't match the above.
> > #
> > 
> > $IPTABLES -A OUTPUT -m limit --limit 3/minute
> > --limit-burst 3 -j LOG \
> > --log-level DEBUG --log-prefix "IPT OUTPUT packet
> > died: "
> > 
> > ######
> > # 4.2 nat table
> > #
> > 
> > #
> > # 4.2.1 Set policies
> > #
> > 
> > #
> > # 4.2.2 Create user specified chains
> > #
> > 
> > #
> > # 4.2.3 Create content in user specified chains
> > #
> > 
> > #
> > # 4.2.4 PREROUTING chain
> > #
> > 
> > #
> 
=== message truncated ===



		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Easier than ever with enhanced search. Learn more.
http://info.mail.yahoo.com/mail_250

(no subject)

[Andreas Grabner]

Hi
I have 2 connections to the Internet. The default route points to ISP1 but
my mails are comming from (to IP of) ISP2. My rules to DNAT SMTP Traffic
to an internel machine does not work (it did with only one ISP).

I think it has something todo with the routing but i dont know how to solve.

Here are my rules:
$IPTABLES -t nat -A POSTROUTING -o $EXTIFINODE -j SNAT --to $EXTIPINODE
$IPTABLES -t nat -A POSTROUTING -o $EXTIFPOST -j SNAT --to $EXTIPPOST
# for mailserver
$IPTABLES -t nat -A POSTROUTING -o $EXTIFINODE -s 192.168.100.2 -j SNAT
--to $EXTIPINODE$IPTABLES -t nat -A POSTROUTING -o $EXTIFPOST -s
192.168.100.2 -j SNAT--to $EXTIPPOST$IPTABLES -t nat -A PREROUTING -i $EXTIFINODE -d
$EXTIPINODE -s$UNIVERSE
-p tcp --dport 25 -j DNAT --to 192.168.100.2$IPTABLES -t nat -A PREROUTING -i
$EXTIFPOST -d $EXTIPPOST -s $UNIVERSE -p
tcp --dport 25 -j DNAT --to 192.168.100.2

thanks for any help
Andreas Grabner

(no subject)

[Oleg A. Arkhanglelsky]

Hello all,

I'm still wondering is it ip_conntrack_proto_gre related problem?
This PC is used as PPTP-server (up to 80-100 concurrent connections) and
as NAT-server. There is of course some natted GRE-connections also.
All connections is from (and to) untrusted users.

Here is a output of ksymoops:
ksymoops 2.4.9 on i686 2.4.27.  Options used
     -V (default)
     -k /proc/ksyms (default)
     -l /proc/modules (default)
     -o /lib/modules/2.4.27/ (default)
     -m /usr/src/linux/System.map (default)

Warning: You did not tell me where to find symbol information.  I will
assume that the log matches the kernel and modules that are running
right now and I'll use the default options above for symbol resolution.
If the current kernel and/or modules do not match the log, you can get
more accurate output by telling me the kernel version and where to find
map, modules, ksyms etc.  ksymoops -h explains the options.

Warning (compare_maps): ksyms_base symbol IO_APIC_get_PCI_irq_vector_R__ver_IO_APIC_get_PCI_irq_vector not found in System.map.  Ignoring ksyms_base entry
*pde = 00000000
Oops: 0002
CPU:    0
EIP:    0010:[<e0a232b8>]  Not tained
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 10282
eax: d4a47bf8   ebx: d99f1180     ecx: cefd1480       edx: 00000000
esi: d526e080   edi: 00000000     ebp: 00000046       esp: c02a7f04
ds: 0018        es: 0018       ss: 0018
Process swapper (pid: 0, stackpage=c02a7000)
Stack:  e09f3939 d526e080 e09f3e16 d99f1180 e09f3d04 d526e080 e09f3920 fffffffe
        e09f3e79 d526e080 d526e080 c012048b d526e080 dffeb200 c02a7f3c c02a7f3c
        00000000 c02c7a80 fffffffe 00000046 c011cc42 c011cb56 00000000 00000001
Call Trace:     [<e09f3939>] [<e09f3e16>] [<e09f3d04>] [<e09f3e20>] [<e0ef3e79>]
    [<c012048b>] [<c011cc42>] [<c011cb56>] [<c011c995>] [<c01089da>] [<c01052c0>]
    [<c010ade8>] [<c01052c0>] [<c01052e3>] [<c0105372>] [<c0105000>]
Code: 89 02 c7 41 04 00 00 00 00 c7 01 00 00 00 00 8b 83 80 00 00


>>EIP; e0a232b8 <[ip_conntrack_proto_gre]ip_ct_gre_keymap_destroy+88/c0>   <=====

>>eax; d4a47bf8 <_end+14742374/206247dc>
>>ebx; d99f1180 <_end+196eb8fc/206247dc>
>>ecx; cefd1480 <_end+eccbbfc/206247dc>
>>esi; d526e080 <_end+14f687fc/206247dc>
>>esp; c02a7f04 <init_task_union+1f04/2000>

Trace; e09f3939 <[ip_conntrack]ip_ct_find_proto+19/40>
Trace; e09f3e16 <[ip_conntrack]destroy_conntrack+106/110>
Trace; e09f3d04 <[ip_conntrack]clean_from_lists+54/60>
Trace; e09f3e20 <[ip_conntrack]death_by_timeout+0/60>
Trace; e0ef3e79 <END_OF_CODE+2e35d6/????>
Trace; c012048b <timer_bh+17b/3a0>
Trace; c011cc42 <bh_action+22/40>
Trace; c011cb56 <tasklet_hi_action+46/70>
Trace; c011c995 <do_softirq+95/a0>
Trace; c01089da <do_IRQ+9a/a0>
Trace; c01052c0 <default_idle+0/40>
Trace; c010ade8 <call_do_IRQ+5/d>
Trace; c01052c0 <default_idle+0/40>
Trace; c01052e3 <default_idle+23/40>
Trace; c0105372 <cpu_idle+52/70>
Trace; c0105000 <_stext+0/0>

Code;  e0a232b8 <[ip_conntrack_proto_gre]ip_ct_gre_keymap_destroy+88/c0>
00000000 <_EIP>:
Code;  e0a232b8 <[ip_conntrack_proto_gre]ip_ct_gre_keymap_destroy+88/c0>   <=====
   0:   89 02                     mov    %eax,(%edx)   <=====
Code;  e0a232ba <[ip_conntrack_proto_gre]ip_ct_gre_keymap_destroy+8a/c0>
   2:   c7 41 04 00 00 00 00      movl   $0x0,0x4(%ecx)
Code;  e0a232c1 <[ip_conntrack_proto_gre]ip_ct_gre_keymap_destroy+91/c0>
   9:   c7 01 00 00 00 00         movl   $0x0,(%ecx)
Code;  e0a232c7 <[ip_conntrack_proto_gre]ip_ct_gre_keymap_destroy+97/c0>
   f:   8b 83 80 00 00 00         mov    0x80(%ebx),%eax


2 warnings issued.  Results may not be reliable.
--

Loaded modules:
bsd_comp                4216   0  (autoclean)
ppp_deflate             3320  11  (autoclean)
zlib_inflate           18596   0  (autoclean) [ppp_deflate]
zlib_deflate           18936   0  (autoclean) [ppp_deflate]
ppp_async               6624  91  (autoclean)
ppp_generic            16964 273  (autoclean) [bsd_comp ppp_deflate ppp_async]
slhc                    4768  14  (autoclean) [ppp_generic]
ipt_MASQUERADE          1336   2  (autoclean)
ipt_limit                920   1  (autoclean)
ipt_string              1724   1  (autoclean)
ipt_ULOG                4612   2  (autoclean)
ipt_LOG                 3936   3  (autoclean)
iptable_filter          1772   1  (autoclean)
ipt_MARK                 792   1  (autoclean)
iptable_mangle          2200   1  (autoclean)
ip_nat_proto_gre        2180   0  (unused)
ip_conntrack_pptp       7281   1  (autoclean)
ip_nat_pptp             4620   0  (unused)
ip_conntrack_proto_gre    3829   0  [ip_conntrack_pptp ip_nat_pptp]
ip_conntrack_ftp        4112   1  (autoclean)
ip_nat_ftp              3024   0  (unused)
iptable_nat            17646   4  [ipt_MASQUERADE ip_nat_proto_gre ip_nat_pptp ip_nat_ftp]
ip_tables              12416  11  [ipt_MASQUERADE ipt_limit ipt_string ipt_ULOG ipt_LOG iptable_filter ipt_MARK iptable_mangle iptable_nat]
ip_conntrack           20484   3  [ipt_MASQUERADE ip_conntrack_pptp ip_nat_pptp ip_conntrack_proto_gre ip_conntrack_ftp ip_nat_ftp iptable_nat]
dummy                    984   0  (unused)
e1000                  74992   3
e100                   32556   1

Any help would be greatly appreciated.

-- 
wbr, Oleg.

(no subject)

[Yen Tran]

Hi all,

patch-o-matic-ng-20040621.tar.gz:

h323-conntrack-nat, mms-conntrack-nat require kernel < 2.6. Are the code for
2.6 coming soon?

I message "h323-conntrack-nat does not match your source trees, skipping..."
I assume it's because I don't meed the above requirement because my kernel
verion is 2.6.8.

 

Thanks,

--Yen

(no subject)

[Michael Barry]

[-- Attachment #1: Type: text/plain, Size: 2223 bytes --]

I have a bunch of public IP addresses, for example, in the range
192.168.1.100-192.168.1.104. 

I have a 5 computers on my internal network statically defined from
192.168.0.100-192.168.0.104. 

I am trying to create a rule where each computer will always map to the
same public ip address. For example I did: iptables -t nat -s
192.168.0.100 -j SNAT --to-source 192.168.1.100. 

The problem is if I try to do a ping from 192.168.0.100 it correctly
gets translated to 192.168.1.100 and the ping goes out, but when the
reply comes back there is an ARP request for WHO-HAS 192.168.1.100, and
since no-one technically holds this address no reply is ever sent, and
the ping reply gets dropped. Does anyone know a solution to this
problem?

Thanks for your time,
-- 
---------------------------------------
Michael Barry <mbarry@cs.umass.edu>


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.5 (GNU/Linux)

mQGiBD+g+0URBADCYQfUXqlCotTnSbprbyOResgLUTYxERMj50z3+16SeELpKOFT
IlfUhWrKcBoQlIyt8jBL/raN8sc8uVAklIDXmcmBzwhTlZu8mwb63GfTstqDSeBO
mdPQlWd4RlKUABinHymFL16XFjGBWdqDsimP0sLVtxygljtOrrTLDLMdPwCg5Sho
AmvLz/9XrgH4Og2BI2w4GO0D/20S3/oTZoAe0Uu9H7qUmsphg1Rk5cqn2zg5Fd7h
2KaNZjtntgd/2nK9eb1zlwcYEI++TxWJiEFMqSa0+Vr8zj8yDINhRLzIFTkNGkI9
0aJNVmZ9Vm6hEeDTTZ91d+pnzRLwbGPyu7xvddlSsn9uILI8KrIp/7gPKqfo5c8z
rXCJBACu/SkTyrXxlEz5L0BmvMyiKwPZGsfqvPp3ZRhKfSZvx7TFa2UvlGN5jQJD
qIDP1DH0foOQV1oX/tngBLwLFaIsTfO7brYcKX+uT0k/Q1vT2aBmHAQA4xduG2dg
eXJyBLwYtM1sKTNQj5fnmKZtHE1Vij2uAGUowmKOSuiEOf6/D7QjTWljaGFlbCBC
YXJyeSA8bWJhcnJ5QGNzLnVtYXNzLmVkdT6IXgQTEQIAHgUCP6D7RQIbAwYLCQgH
AwIDFQIDAxYCAQIeAQIXgAAKCRDZGaOeesLyC/F+AKClFpol8BoIm8yDxBiMmCWd
K/pZawCfQb8oetmw5lIyHMVelC7ir+wasb+5AQ0EP6D7RxAEAKuLODeCFV+aVi7z
2qdE1oYNrH+AitdiB36W/SkLEb8YlXZ/cGFBl4gPspdA93mLyjrlLg5xp+kXVeAU
DbaYLl9pz4wtmz3GqnyqQdgAPW3XjEv5Dkau+RzKAmlze87x2mw8Zn0ffvcalRFm
+fAEDOvaZquVVljYxgkktI2G6MIPAAQNBACQ4LvuAH+LKbn5NYis+ifEHA4QYPBH
jtPe2Rb4keAp4azr6Qy1iJTuF/6+G8qCyraoqjk5wlMC7c8gjxCNkXA2VEX0+bXt
pb85nrQlL0udf8V2ffukxlXOmFo43j85jljzLLk535P/lCXrbiDnW4W5/+8Qpn/z
aDpqDeLSAX/+a4hJBBgRAgAJBQI/oPtHAhsMAAoJENkZo556wvILN3gAn3/x2PNm
O1mycJQtyUpCFRXEp8EWAKDPxWTPlx5Ii9DaWadahV4b9LRe4A==
=qjmb
-----END PGP PUBLIC KEY BLOCK-----

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: (no subject)

[Aleksandar Milivojevic]

Michael Barry wrote:
> I have a bunch of public IP addresses, for example, in the range
> 192.168.1.100-192.168.1.104. 
> 
> I have a 5 computers on my internal network statically defined from
> 192.168.0.100-192.168.0.104. 
> 
> I am trying to create a rule where each computer will always map to the
> same public ip address. For example I did: iptables -t nat -s
> 192.168.0.100 -j SNAT --to-source 192.168.1.100. 

I'd guess there was also "-A POSTROUTING" in above command?

> The problem is if I try to do a ping from 192.168.0.100 it correctly
> gets translated to 192.168.1.100 and the ping goes out, but when the
> reply comes back there is an ARP request for WHO-HAS 192.168.1.100, and
> since no-one technically holds this address no reply is ever sent, and
> the ping reply gets dropped. Does anyone know a solution to this
> problem?

This part is strange.  The reply should have been translated 
automatically back to your private range.  I'm not sure if connection 
tracking module is required for SNAT.  It might be.  Try doing "lsmod | 
grep ip" and see if it shows up (you might also send output to mailing 
list, might help somebody to help you).  It is usually automatically 
loaded (even when you don't expect it), but if it isn't, try loading it 
with "modprobe ip_conntrack".

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

Re: (no subject)

[George Alexandru Dragoi]

http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-SAME


On Tue, 21 Sep 2004 09:38:52 -0500, Aleksandar Milivojevic
<amilivojevic@pbl.ca> wrote:
> Michael Barry wrote:
> > I have a bunch of public IP addresses, for example, in the range
> > 192.168.1.100-192.168.1.104.
> >
> > I have a 5 computers on my internal network statically defined from
> > 192.168.0.100-192.168.0.104.
> >
> > I am trying to create a rule where each computer will always map to the
> > same public ip address. For example I did: iptables -t nat -s
> > 192.168.0.100 -j SNAT --to-source 192.168.1.100.
> 
> I'd guess there was also "-A POSTROUTING" in above command?
> 
> > The problem is if I try to do a ping from 192.168.0.100 it correctly
> > gets translated to 192.168.1.100 and the ping goes out, but when the
> > reply comes back there is an ARP request for WHO-HAS 192.168.1.100, and
> > since no-one technically holds this address no reply is ever sent, and
> > the ping reply gets dropped. Does anyone know a solution to this
> > problem?
> 
> This part is strange.  The reply should have been translated
> automatically back to your private range.  I'm not sure if connection
> tracking module is required for SNAT.  It might be.  Try doing "lsmod |
> grep ip" and see if it shows up (you might also send output to mailing
> list, might help somebody to help you).  It is usually automatically
> loaded (even when you don't expect it), but if it isn't, try loading it
> with "modprobe ip_conntrack".
> 
> --
> Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
> Systems Administrator                           1499 Buffalo Place
> Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
> 
> 



-- 
Bla bla

Re: (no subject)

[Jason Opperisano]

On Tue, 2004-09-21 at 12:43, George Alexandru Dragoi wrote:
> http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-SAME
> 
> 

did you mean:

http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-NETMAP

and the OP's problem was one of ARP--not NAT.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: (no subject)

[George Alexandru Dragoi]

I think he miss some -o $iface in his rule. Otherwise to much stuff
get SNAT-ed :)
And yea, i was thinking on NETMAP. If adding the correct -o wont work,
then the output of route -n and your nat rules might help.


On Tue, 21 Sep 2004 13:27:45 -0400, Jason Opperisano <opie@817west.com> wrote:
> On Tue, 2004-09-21 at 12:43, George Alexandru Dragoi wrote:
> > http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-SAME
> >
> >
> 
> did you mean:
> 
> http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-NETMAP
> 
> and the OP's problem was one of ARP--not NAT.
> 
> -j
> 
> --
> Jason Opperisano <opie@817west.com>
> 
> 



-- 
Bla bla

(no subject)

[Newbie]

Hi,
 
I am not an expert in the whole packet filtering thing (hence my nickname), but I have heard previously, that it is possible to send a 'fake packet'. By this, I mean that lets say the packet header is a TCP packet, whereas the body content is something nasty. Does IP tables filter this sort of packet, or would it be more down to the IDS such as snort?

Thanks

Antony

Re: (no subject)

[Jose Maria Lopez]

El sáb, 04 de 09 de 2004 a las 11:12, Newbie escribió:
> Hi,
>  
> I am not an expert in the whole packet filtering thing (hence my nickname), but I have heard previously, that it is possible to send a 'fake packet'. By this, I mean that lets say the packet header is a TCP packet, whereas the body content is something nasty. Does IP tables filter this sort of packet, or would it be more down to the IDS such as snort?
> 
> Thanks
> 
> Antony

Iptables rules usually don't inspect the content of the packet, and even
when using 'string' or something similar the inspection is very basic,
besides the body data can be coded in many ways (HTTP is an example)
that can fool 'string'. You need an IDS that reassembles the sessions
and inspects them to see if the content of the packet is really
'nasty'.


-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

(no subject)

[security]

(no subject)

[Ehrhardt René]

Hi,

i´m running a debian sarge beta 4 box with iptables 1.2.10,
I have to install the pptp-conntrack-nat patch. 
I have the newest CVS build of pom

Now my problem:


./runme extra/pptp-conntrack-nat.patch

Testing... pptp-conntrack-nat.patch NOT APPLIED (1 missing files)
The extra/pptp-conntrack-nat patch:
   Author: Harald Welte <laforge@netfilter.org>
   Status: Beta
...
...
...
Testing patch extra/pptp-conntrack-nat.patch...
Warning - no help text file could be found in either
/usr/src/linux/net/ipv4/netfilter/Config.help
or /usr/src/linux/Documentation/Configure.help
grep: /usr/src/linux/net/ipv4/netfilter/Config.in: Datei oder Verzeichnis nicht gefunden
Could not find place to slot in Config.in line

What does this mean?? 
Is there any way to get this thing working?

Could anybody help me??

(no subject)

[Brent Clark]

http://www.phys.ncku.edu.tw/~htsu/humor/fry_egg.html

Sorry, I could not resist

--Brent

RE: (no subject)

[IZEM Farid]

Thanks Anthony for you help,

Don't worry about the rule in my firewall, in each one,
Source and destination are checked both in FORWARD and PREROUTING chain.
Everything is clear for me and I will terminate the customisation 
Of my firewall next week because I'm in my holidays for three days.

Thanks for all,

Best regards,

Farid IZEM
Ingénieur Système Unix
Société ABX Logistics France
48-50, route principale du port
92232 Gennevilliers
Tél. : 01-41-47-61-78
Email : farid.izem@abxlogistics.fr


> Anthony,
>
> Ok, I understand what you explain and I will test as soon as possible.
> I always setup netfilter by adding rules to INPUT, OUTPUT, DNAT, .. chain.
> But in this way, netfilter is very difficult to maintain.
> In fact, my firewall has 2 networks interfaces and it's doing SNAT and
> DNAT. SNAT and DNAT is properly working but difficult to administrate.
> As it is already in production environnement, I have to plan when modificat
>
> In your opinion, which solution is better:
>
> 	Create DNAT rules like
> 		Iptables -A PREROUTING -d 192.19.93.100 -j DNAT
> 				--to-destination 92.92.1.100
> 		Iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 172.19.92.100
> 				-d 92.92.1.100 --dport 23 -j ACCEPT
>
> 	Or
> 		Iptables -A PREROUTING -s 172.19.92.100 -d 192.19.93.100
> 				--dport 23 - j DNAT --to-destination 92.92.1.100:23

You have omitted to list the FORWARDing rule which is needed with the second 
example of the PREROUTING rule:

iptables -A FORWARD -i eth0 -o eth1 -d 92.92.1.100 -j ACCEPT

(Following the style you have outlined with the differences between the two 
PREROUTING rules).

In other words, you always need a PREROUTING rule, and a FORWARD rule, for 
packets to get through the firewall and reach the intended machine.

As for my opinion as to which is better - I prefer the one which is easier 
(for you) to understand.   Firewall maintenance is more important in almost 
all cases than ultimate efficiency of a ruleset, achieved by shaving a test 
here and there off the rules in case it takes up another CPU cycle or two.

In general that means I favour fully explicit rules - both for clarity and 
security.   If you only intend to allow packets to TCP, port 23 (although I 
cannot imagine why you want to allow anything at all to that particular 
port....) and you want those packets to be allowed only from a specific IP 
address, going through the firewall in one particular direction, then make 
this clear in both the rules which are needed:

iptables -A PREROUTING -t nat -p tcp --dport 23 -i eth0 -s 172.19.92.100 -d 
192.19.93.100 -j DNAT --to 92.92.1.100
iptables -A FORWARD -p tcp --dport 23 -i eth0 -o eth1 -s 172.19.92.100 -d 
92.92.1.100 -j ACCEPT

If you find the duplication of information less clear, then simply it so that 
you are happy with the rules (and they still provide the security you 
require).   So long as you don't completely omit the source address (for 
example), so that packets get accepted from anywhere, then you should use the 
rules you will find easiest to understand in three months' time....

Regards,

Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we 
don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

                                                     Please reply to the list;
                                                           please don't CC me.

RE: (no subject)

[IZEM Farid]

Anthony,

Ok, I understand what you explain and I will test as soon as possible.
I always setup netfilter by adding rules to INPUT, OUTPUT, DNAT, .. chain.
But in this way, netfilter is very difficult to maintain.
In fact, my firewall has 2 networks interfaces and it's doing SNAT and DNAT.
SNAT and DNAT is properly working but difficult to administrate. 
As it is already in production environnement, I have to plan when modificat

In your opinion, which solution is better: 

	Create DNAT rules like 
		Iptables -A PREROUTING -d 192.19.93.100 -j DNAT 
				--to-destination 92.92.1.100
		Iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 172.19.92.100 
				-d 92.92.1.100 --dport 23 -j ACCEPT

	Or 
		Iptables -A PREROUTING -s 172.19.92.100 -d 192.19.93.100
				--dport 23 - j DNAT --to-destination 92.92.1.100:23

	
Thanks Anthony for you help.



Farid IZEM
Ingénieur Système Unix
Société ABX Logistics France
48-50, route principale du port
92232 Gennevilliers
Tél. : 01-41-47-61-78
Email : farid.izem@abxlogistics.fr

-----Message d'origine-----
De : netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] De la part de Antony Stone
Envoyé : mercredi 30 juin 2004 16:19
À : netfilter@lists.netfilter.org
Objet : Re: (no subject)

On Wednesday 30 June 2004 2:33 pm, IZEM Farid wrote:

> Hi all,
>
> I'm trying to customize my iptables rules.
> Let us imagine we have three hosts which users have to access:
> 	HOST1
> 	HOST2
> 	HOST3
>
> Is this configuration correct?
> 	Iptables -N HOST1_RULESETS
> 	Iptables -N HOST2_RULESETS
> 	Iptables -N HOST3_RULESETS
>
> In each new chain, I will add rules to accept connections to some services
> like telnet, ssh, IBM Client Access. And after, I will do this thing:
> 	Iptables -A FORWARD -i eth0 -o eth1 -j HOST1_RULESETS
> 	Iptables -A FORWARD -i eth0 -o eth1 -j HOST2_RULESETS
> 	Iptables -A FORWARD -i eth0  -o eth1 -j HOST3_RULESETS
>
> In fact, what I'm looking for is that I can organized my rules by hosts
> instead of adding all rules to all hosts in FORWARD chain ?
>
> With the configuration, I describe, will all rules in the HOSTX_RULESETS
> being check ?
>
> I think, it's correct but I'm not totally sure.

Yes, that looks fine to me - the only thing you need to remember is that the 
first rule which matches, with an ACCEPT, DROP or REJECT target, will 
determine the fate of the packet.

Organising rules into user-defined chains like this is fine with netfilter, if 
it makes it easier for you to work with.

The only thing I would suggest changing about what you've written above is 
that if the chain HOST1_RULESETS is supposed to be for packets going only to 
HOST1, then your FORWARD rule jumping to that chain should only do so for 
packets going to HOST1 (similarly for HOST2, HOST3 etc).

iptables -A FORWARD -i eth0 -o eth1 -d $HOST1 -j HOST1_RULESETS

That ensures that packets for HOST2, which cannot possibly match any of the 
rules in HOST1_RULESETS, don't have to traverse all the way through the rules 
before then getting a chance at HOST2_RULESETS.

PS: Don't forget a general rule allowing for the reply packets :)

Regards,

Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[Antony Stone]

On Wednesday 30 June 2004 9:15 pm, IZEM Farid wrote:

> Anthony,
>
> Ok, I understand what you explain and I will test as soon as possible.
> I always setup netfilter by adding rules to INPUT, OUTPUT, DNAT, .. chain.
> But in this way, netfilter is very difficult to maintain.
> In fact, my firewall has 2 networks interfaces and it's doing SNAT and
> DNAT. SNAT and DNAT is properly working but difficult to administrate.
> As it is already in production environnement, I have to plan when modificat
>
> In your opinion, which solution is better:
>
> 	Create DNAT rules like
> 		Iptables -A PREROUTING -d 192.19.93.100 -j DNAT
> 				--to-destination 92.92.1.100
> 		Iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 172.19.92.100
> 				-d 92.92.1.100 --dport 23 -j ACCEPT
>
> 	Or
> 		Iptables -A PREROUTING -s 172.19.92.100 -d 192.19.93.100
> 				--dport 23 - j DNAT --to-destination 92.92.1.100:23

You have omitted to list the FORWARDing rule which is needed with the second 
example of the PREROUTING rule:

iptables -A FORWARD -i eth0 -o eth1 -d 92.92.1.100 -j ACCEPT

(Following the style you have outlined with the differences between the two 
PREROUTING rules).

In other words, you always need a PREROUTING rule, and a FORWARD rule, for 
packets to get through the firewall and reach the intended machine.

As for my opinion as to which is better - I prefer the one which is easier 
(for you) to understand.   Firewall maintenance is more important in almost 
all cases than ultimate efficiency of a ruleset, achieved by shaving a test 
here and there off the rules in case it takes up another CPU cycle or two.

In general that means I favour fully explicit rules - both for clarity and 
security.   If you only intend to allow packets to TCP, port 23 (although I 
cannot imagine why you want to allow anything at all to that particular 
port....) and you want those packets to be allowed only from a specific IP 
address, going through the firewall in one particular direction, then make 
this clear in both the rules which are needed:

iptables -A PREROUTING -t nat -p tcp --dport 23 -i eth0 -s 172.19.92.100 -d 
192.19.93.100 -j DNAT --to 92.92.1.100
iptables -A FORWARD -p tcp --dport 23 -i eth0 -o eth1 -s 172.19.92.100 -d 
92.92.1.100 -j ACCEPT

If you find the duplication of information less clear, then simply it so that 
you are happy with the rules (and they still provide the security you 
require).   So long as you don't completely omit the source address (for 
example), so that packets get accepted from anywhere, then you should use the 
rules you will find easiest to understand in three months' time....

Regards,

Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we 
don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

                                                     Please reply to the list;
                                                           please don't CC me.

(no subject)

[IZEM Farid]

Hi all,

I'm trying to customize my iptables rules.
Let us imagine we have three hosts which users have to access: 
	HOST1
	HOST2
	HOST3

Is this configuration correct?
	Iptables -N HOST1_RULESETS
	Iptables -N HOST2_RULESETS
	Iptables -N HOST3_RULESETS
	
In each new chain, I will add rules to accept connections to some services like telnet, ssh, IBM Client Access.
And after, I will do this thing:
	Iptables -A FORWARD -i eth0 -o eth1 -j HOST1_RULESETS
	Iptables -A FORWARD -i eth0 -o eth1 -j HOST2_RULESETS
	Iptables -A FORWARD -i eth0  -o eth1 -j HOST3_RULESETS

In fact, what I'm looking for is that I can organized my rules by hosts instead of adding all rules to all hosts in FORWARD chain ?

With the configuration, I describe, will all rules in the HOSTX_RULESETS being check ?

I think, it's correct but I'm not totally sure.

Thanks for you help,

Best regards,	
 
Farid IZEM
Ingénieur Système Unix
Société ABX Logistics France
48-50, route principale du port
92232 Gennevilliers
Tél. : 01-41-47-61-78
Email : farid.izem@abxlogistics.fr

Re: (no subject)

[Antony Stone]

On Wednesday 30 June 2004 2:33 pm, IZEM Farid wrote:

> Hi all,
>
> I'm trying to customize my iptables rules.
> Let us imagine we have three hosts which users have to access:
> 	HOST1
> 	HOST2
> 	HOST3
>
> Is this configuration correct?
> 	Iptables -N HOST1_RULESETS
> 	Iptables -N HOST2_RULESETS
> 	Iptables -N HOST3_RULESETS
>
> In each new chain, I will add rules to accept connections to some services
> like telnet, ssh, IBM Client Access. And after, I will do this thing:
> 	Iptables -A FORWARD -i eth0 -o eth1 -j HOST1_RULESETS
> 	Iptables -A FORWARD -i eth0 -o eth1 -j HOST2_RULESETS
> 	Iptables -A FORWARD -i eth0  -o eth1 -j HOST3_RULESETS
>
> In fact, what I'm looking for is that I can organized my rules by hosts
> instead of adding all rules to all hosts in FORWARD chain ?
>
> With the configuration, I describe, will all rules in the HOSTX_RULESETS
> being check ?
>
> I think, it's correct but I'm not totally sure.

Yes, that looks fine to me - the only thing you need to remember is that the 
first rule which matches, with an ACCEPT, DROP or REJECT target, will 
determine the fate of the packet.

Organising rules into user-defined chains like this is fine with netfilter, if 
it makes it easier for you to work with.

The only thing I would suggest changing about what you've written above is 
that if the chain HOST1_RULESETS is supposed to be for packets going only to 
HOST1, then your FORWARD rule jumping to that chain should only do so for 
packets going to HOST1 (similarly for HOST2, HOST3 etc).

iptables -A FORWARD -i eth0 -o eth1 -d $HOST1 -j HOST1_RULESETS

That ensures that packets for HOST2, which cannot possibly match any of the 
rules in HOST1_RULESETS, don't have to traverse all the way through the rules 
before then getting a chance at HOST2_RULESETS.

PS: Don't forget a general rule allowing for the reply packets :)

Regards,

Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

                                                     Please reply to the list;
                                                           please don't CC me.

RE: (no subject)

[Richard Gutery]

Thanks Anthony that fixed it up. Actually, looking at your suggestion makes sense.

btw: is there a 'Good' iptables tutorial site around. I've looked at lots of sites but nothing that really jumped out and made good sense.

Again, thanks.

rg

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: Tuesday, June 29, 2004 8:09 AM
To: netfilter@lists.netfilter.org
Subject: Re: (no subject)


On Tuesday 29 June 2004 2:49 pm, Richard Gutery wrote:

> Stop macro:
> $IPT -N LD
> $IPT -A LD -j LOG
> $IPT -A LD -j DROP

That has me really confused.   I was expecting you to say that $STOP expanded 
to the word DROP, or some other valid target for the -j option on the 
netfilter command line.

> $STOP=LD (LD = Log and Drop)

I don;t quite see how you can use this after -j on an iptables rule, 
however...

> $IPT = /sbin/iptables
>
> I need to totally block all packets to and from this address 64.246.26.185.
> So BLOCK means BLOCK.
>
> We OpenBSD users usually mean blocking as dropping the silly thing on the
> floor. No ifs, ands or buts. Just gone...

Oh, I understood what you meant by "block" - I wasn't sure which packets you 
wanted to block, though, since it wasn't clear whether we were talking about 
source or destination addresses, and forwarding through the firewall or going 
to/from it directly.

> As for the limiting, I simply copied a rule that was already in a
> firestarter script. So if I need to change the rule, I would be more than
> willing. Am I to assume that this is a bad rule?

Well, it certainly won't BLOCK (using your definition above) - it will rate 
limit - which means that some packets will still come through.

I suggest the following:

iptables -I INPUT -s 64.246.26.185 -j DROP
iptables -I OUTPUT -d 64.246.26.185 -j DROP
iptables -I FORWARD -s 64.246.26.185 -j DROP
iptables -I FORWARD -d 64.246.26.185 -j DROP

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[Antony Stone]

On Tuesday 29 June 2004 3:25 pm, Richard Gutery wrote:

> Thanks Anthony that fixed it up. Actually, looking at your suggestion makes
> sense.
>
> btw: is there a 'Good' iptables tutorial site around. I've looked at lots
> of sites but nothing that really jumped out and made good sense.

http://iptables-tutorial.frozentux.net is generally regarded as the best one.

Regards,

Antony.

-- 
Your work is both good and original.  Unfortunately the parts that are good 
aren't original, and the parts that are original aren't good.

 - Samuel Johnson

                                                     Please reply to the list;
                                                           please don't CC me.

RE: (no subject)

[Richard Gutery]

Stop macro:
$IPT -N LD
$IPT -A LD -j LOG
$IPT -A LD -j DROP

$STOP=LD (LD = Log and Drop)

$IPT = /sbin/iptables

I need to totally block all packets to and from this address 64.246.26.185. So BLOCK means BLOCK.

We OpenBSD users usually mean blocking as dropping the silly thing on the floor. No ifs, ands or buts. Just gone...

As for the limiting, I simply copied a rule that was already in a firestarter script. So if I need to change the rule, I would be more than willing. Am I to assume that this is a bad rule?

tx for the assist.

rg

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: Tuesday, June 29, 2004 7:31 AM
To: netfilter@lists.netfilter.org
Subject: Re: (no subject)


On Tuesday 29 June 2004 2:19 pm, Richard Gutery wrote:

>  I am form the Microsoft and OpenBSD world and have recently begun using
> RH7.3 for my firewall.
>
> I need to block an Internet Address.

What do you mean by "block"?

1. Stop packets from that address getting in to your firewall?
2. Stop packets from that address going through your firewall?
3. Stop packets to that address coming from your firewall?
4. Stop packets to that address going through your firewall?
5. Some combination of the above?

> I have theses two rules in my iptables file:
>
> $IPT -t filter -A INPUT  -p tcp -s 0/0 -d 64.246.26.185  --dport 80 -m
> limit --limit 2/minute -j $STOP
> $IPT -t filter -A OUTPUT -p tcp -s 64.246.26.185 -d 0/0  --dport 80 -m limit
> --limit 2/minute -j $STOP
>
> $STOP and $IPT are macro substitutions that works for everything else,
> so I know that's not the problem.

What does the $STOP macro expand to?

Also, the above rules are rate limiting rules - they will prevent packets 
flowing more quickly than you specify - that is not at all the same thing as 
blocking packets completely.

Tell us more precisely what you want to do (see above) and we can probably 
advise on how to do it.

Regards,

Antony.

-- 
"640 kilobytes (of RAM) should be enough for anybody."

 - Bill Gates

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[Feizhou]

Richard Gutery wrote:
> Stop macro:
> $IPT -N LD
> $IPT -A LD -j LOG
> $IPT -A LD -j DROP
> 
> $STOP=LD (LD = Log and Drop)
> 
> $IPT = /sbin/iptables
> 
> I need to totally block all packets to and from this address 64.246.26.185. So BLOCK means BLOCK.
> 
> We OpenBSD users usually mean blocking as dropping the silly thing on the floor. No ifs, ands or buts. Just gone...
> 
> As for the limiting, I simply copied a rule that was already in a firestarter script. So if I need to change the rule, I would be more than willing. Am I to assume that this is a bad rule?
> 

You want to totally block but you also want to log and limitly at that?

Re: (no subject)

[Antony Stone]

On Tuesday 29 June 2004 2:49 pm, Richard Gutery wrote:

> Stop macro:
> $IPT -N LD
> $IPT -A LD -j LOG
> $IPT -A LD -j DROP

That has me really confused.   I was expecting you to say that $STOP expanded 
to the word DROP, or some other valid target for the -j option on the 
netfilter command line.

> $STOP=LD (LD = Log and Drop)

I don;t quite see how you can use this after -j on an iptables rule, 
however...

> $IPT = /sbin/iptables
>
> I need to totally block all packets to and from this address 64.246.26.185.
> So BLOCK means BLOCK.
>
> We OpenBSD users usually mean blocking as dropping the silly thing on the
> floor. No ifs, ands or buts. Just gone...

Oh, I understood what you meant by "block" - I wasn't sure which packets you 
wanted to block, though, since it wasn't clear whether we were talking about 
source or destination addresses, and forwarding through the firewall or going 
to/from it directly.

> As for the limiting, I simply copied a rule that was already in a
> firestarter script. So if I need to change the rule, I would be more than
> willing. Am I to assume that this is a bad rule?

Well, it certainly won't BLOCK (using your definition above) - it will rate 
limit - which means that some packets will still come through.

I suggest the following:

iptables -I INPUT -s 64.246.26.185 -j DROP
iptables -I OUTPUT -d 64.246.26.185 -j DROP
iptables -I FORWARD -s 64.246.26.185 -j DROP
iptables -I FORWARD -d 64.246.26.185 -j DROP

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[Antony Stone]

On Tuesday 29 June 2004 3:08 pm, Antony Stone wrote:

> On Tuesday 29 June 2004 2:49 pm, Richard Gutery wrote:
> > Stop macro:
> > $IPT -N LD
> > $IPT -A LD -j LOG
> > $IPT -A LD -j DROP
>
> That has me really confused.   I was expecting you to say that $STOP
> expanded to the word DROP, or some other valid target for the -j option on
> the netfilter command line.
>
> > $STOP=LD (LD = Log and Drop)
>
> I don't quite see how you can use this after -j on an iptables rule,
> however...

Okay, having thought about it a little more I do now see that this should 
work:

LD is a user-defined chain which simply LOGs, then DROPs, everything entering 
it, and therefore "-j $STOP" is the same as "-j LD".

I got confused by thinking you meant that the $STOP macro expanded to three 
lines (!) - now I see that's not quite what you meant....

Regards,

Antony.

-- 
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

                                                     Please reply to the list;
                                                           please don't CC me.

RE: (no subject)

[listuser]

HiHo!

If you still want to log, try to change you LD to this:

Stop macro:
$IPT -N LD
$IPT -A LD -m limit --limit 2/minute -j LOG
$IPT -A LD -j DROP

This will drop everything put into LD, but log only a few.
Be aware that quite a lot packets will be dropped silently.
I assume you used the limit to prevent your log from flodding

Actually i would prefer Antony's version. Just drop 'em, without
logging :)

ciao
  markus 

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
> Sent: Dienstag, 29. Juni 2004 16:09
> To: netfilter@lists.netfilter.org
> Subject: Re: (no subject)
> 
> 
> On Tuesday 29 June 2004 2:49 pm, Richard Gutery wrote:
> 
> > Stop macro:
> > $IPT -N LD
> > $IPT -A LD -j LOG
> > $IPT -A LD -j DROP
> 
> That has me really confused.   I was expecting you to say that $STOP expanded 
> to the word DROP, or some other valid target for the -j option on the 
> netfilter command line.
> 
> > $STOP=LD (LD = Log and Drop)
> 
> I don;t quite see how you can use this after -j on an iptables rule, 
> however...
> 
> > $IPT = /sbin/iptables
> >
> > I need to totally block all packets to and from this address 64.246.26.185.
> > So BLOCK means BLOCK.
> >
> > We OpenBSD users usually mean blocking as dropping the silly thing on the
> > floor. No ifs, ands or buts. Just gone...
> 
> Oh, I understood what you meant by "block" - I wasn't sure which packets you 
> wanted to block, though, since it wasn't clear whether we were talking about 
> source or destination addresses, and forwarding through the firewall or going 
> to/from it directly.
> 
> > As for the limiting, I simply copied a rule that was already in a
> > firestarter script. So if I need to change the rule, I would be more than
> > willing. Am I to assume that this is a bad rule?
> 
> Well, it certainly won't BLOCK (using your definition above) - it will rate 
> limit - which means that some packets will still come through.
> 
> I suggest the following:
> 
> iptables -I INPUT -s 64.246.26.185 -j DROP
> iptables -I OUTPUT -d 64.246.26.185 -j DROP
> iptables -I FORWARD -s 64.246.26.185 -j DROP
> iptables -I FORWARD -d 64.246.26.185 -j DROP
> 
> Regards,
> 
> Antony.
> 
> -- 
> In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
> the mechanics are German, the lovers are French, the entertainment is 
> American, and everything is organised by the Swiss.
> 
> In Hell, the police are German, the chefs are British, the beer is American, 
> the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
> and everything is organised by the Italians.
> 
>                                                      Please reply to the list;
>                                                            please don't CC me.
> 
> 
> 

Re: (no subject)

[Sven Schuster]

[-- Attachment #1: Type: text/plain, Size: 1390 bytes --]


Hi Antony, hi Richard,

On Tue, Jun 29, 2004 at 03:08:45PM +0100, Antony Stone told us:
> On Tuesday 29 June 2004 2:49 pm, Richard Gutery wrote:
> 
> > Stop macro:
> > $IPT -N LD
> > $IPT -A LD -j LOG
> > $IPT -A LD -j DROP
> 
> That has me really confused.   I was expecting you to say that $STOP expanded 
> to the word DROP, or some other valid target for the -j option on the 
> netfilter command line.

I think you got a little bit confused by this, just like me. I think
the creation and filling of the custom chain is done at first and then
STOP is given the value LD so that in the later rules it expands to 

iptables ..... -j LD


> Well, it certainly won't BLOCK (using your definition above) - it will rate 
> limit - which means that some packets will still come through.
> 
> I suggest the following:
> 
> iptables -I INPUT -s 64.246.26.185 -j DROP
> iptables -I OUTPUT -d 64.246.26.185 -j DROP
> iptables -I FORWARD -s 64.246.26.185 -j DROP
> iptables -I FORWARD -d 64.246.26.185 -j DROP

Yep, this would do a better job...

BTW, and, sorry, a little OT, but is there an award for the best
email sigs?? If there is, I think Antony would have good chances
to win it :-))


Sven

-- 
Linux zion 2.6.7 #1 Thu Jun 17 10:44:26 CEST 2004 i686 athlon i386 GNU/Linux
 16:29:04  up 3 days, 21:19,  4 users,  load average: 1.00, 1.00, 1.00

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

(no subject)

[Richard Gutery]

[-- Attachment #1: Type: text/plain, Size: 606 bytes --]

 I am form the Microsoft and OpenBSD world and have recently begun using RH7.3 for my firewall. 
 
I need to block an Internet Address. 
 
In OpenBSD I would use -> 'block out quick on ethx ...' 
 
I have theses two rules in my iptables file: 
 
$IPT -t filter -A INPUT  -p tcp -s 0/0 -d 64.246.26.185  --dport 80 -m limit --limit 2/minute -j $STOP 
$IPT -t filter -A OUTPUT -p tcp -s 64.246.26.185 -d 0/0  --dport 80 -m limit --limit 2/minute -j $STOP 
 
$STOP and $IPT are macro substitutions that works for everything else, 
so I know that's not the problem. 
 
What am I missing?
 
RG

[-- Attachment #2: Type: text/html, Size: 1947 bytes --]

Re: (no subject)

[Antony Stone]

On Tuesday 29 June 2004 2:19 pm, Richard Gutery wrote:

>  I am form the Microsoft and OpenBSD world and have recently begun using
> RH7.3 for my firewall.
>
> I need to block an Internet Address.

What do you mean by "block"?

1. Stop packets from that address getting in to your firewall?
2. Stop packets from that address going through your firewall?
3. Stop packets to that address coming from your firewall?
4. Stop packets to that address going through your firewall?
5. Some combination of the above?

> I have theses two rules in my iptables file:
>
> $IPT -t filter -A INPUT  -p tcp -s 0/0 -d 64.246.26.185  --dport 80 -m
> limit --limit 2/minute -j $STOP
> $IPT -t filter -A OUTPUT -p tcp -s 64.246.26.185 -d 0/0  --dport 80 -m limit
> --limit 2/minute -j $STOP
>
> $STOP and $IPT are macro substitutions that works for everything else,
> so I know that's not the problem.

What does the $STOP macro expand to?

Also, the above rules are rate limiting rules - they will prevent packets 
flowing more quickly than you specify - that is not at all the same thing as 
blocking packets completely.

Tell us more precisely what you want to do (see above) and we can probably 
advise on how to do it.

Regards,

Antony.

-- 
"640 kilobytes (of RAM) should be enough for anybody."

 - Bill Gates

                                                     Please reply to the list;
                                                           please don't CC me.

(no subject)

[Dharmendra T.]

Hi Mani,
 
 Hope some Messaging and Conferencing tool is running! You have to check
on your machine is there anything running on that port, It is very
dangerous if some process opening a port and you are unaware of it.

 Make sure everything in your system is ok.

        I did not see any error in ifconfig.


Regards
Dharmendra T.


On Mon, 2004-06-21 at 11:58, Manikandan wrote:
> Hi friends,
> 
>         I am running RedHat linux 9 with iptables 1.2.7a. This box
acts as a
> gateway/firewall for my network. I am seeing lots of packets getting
dropped
> as well as ifconfig reports error.
> 
> [root@javagreen RPMS]# tail /var/log/messages/
> 
> Jun 21 11:50:50 javagreen kernel: IN=eth0 OUT=
> MAC=00:09:6b:19:b4:24:00:0e:83:f6:19:9f:08:00 SRC=64.0.96.12
> DST=202.138.202.218 LEN=84 TOS=0x00 PREC=0x00 TTL=45 ID=17638
PROTO=ICMP
> TYPE=8 CODE=0 ID=20225 SEQ=61833
> Jun 21 11:50:50 javagreen kernel: IN=eth0 OUT=
> MAC=00:09:6b:19:b4:24:00:0e:83:f6:19:9f:08:00 SRC=64.0.96.12
> DST=202.138.202.218 LEN=84 TOS=0x00 PREC=0x00 TTL=45 ID=17638
PROTO=ICMP
> TYPE=8 CODE=0 ID=20225 SEQ=61833
> Jun 21 11:50:50 javagreen kernel: IN=eth0 OUT=
> MAC=00:09:6b:19:b4:24:00:0e:83:f6:19:9f:08:00 SRC=210.224.186.4
> DST=202.138.202.218 LEN=84 TOS=0x00 PREC=0x00 TTL=42 ID=0 DF
PROTO=ICMP
> TYPE=8 CODE=0 ID=52234 SEQ=19095
> Jun 21 11:50:50 javagreen kernel: IN=eth0 OUT=
> MAC=00:09:6b:19:b4:24:00:0e:83:f6:19:9f:08:00 SRC=210.224.186.4
> DST=202.138.202.218 LEN=84 TOS=0x00 PREC=0x00 TTL=42 ID=0 DF
PROTO=ICMP
> TYPE=8 CODE=0 ID=52234 SEQ=19095
> Jun 21 11:50:54 javagreen named[3251]: client 1
-- 
Dharmendra T.
Linux Security and Admin,
www.nsecure.net

This message is intended for the addressee only. It may contain
privileged or confidential information. If you have received
 this message in error, please notify the sender and destroy the message
immediately. Unauthorised use or reproduction of 
this message is strictly prohibited.

(no subject)

[Ivan]

Hi,
I am looking for a solution to block streaming media using iptables.
I have found that some of my users are listening to radio stations using 
internet, which has pumped up the
internet bill significantly, and of course put a choke on my internet links.
Does anyone know of a solution for blocking just the streaming media 
traffic from any web site, while still allowing
the access to the website it self?

Thanks,

Ivan

RE: (no subject)

[Markus Zeilinger]

 Hi!

Do not know whether there is a patch available via patch-o-matic for such
things. But I think a http proxy should handle such things? Cause you have
to do application level filtering and that's a duty of a http proxy I would
say!

Cheers,
Markus

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ivan
Sent: Monday, May 31, 2004 1:19 PM
To: netfilter@lists.netfilter.org
Subject: (no subject)

Hi,
I am looking for a solution to block streaming media using iptables.
I have found that some of my users are listening to radio stations using 
internet, which has pumped up the
internet bill significantly, and of course put a choke on my internet links.
Does anyone know of a solution for blocking just the streaming media 
traffic from any web site, while still allowing
the access to the website it self?

Thanks,

Ivan

Re: (no subject)

[Krishna Prasanth]

Hi!
   How about blocking Stream connections, which are mostly RTP, RTSP(Real 
Audio uses this)??
   In this case VoIP traffic may not work(in case if you have).
   I think even other Applications like (winamp) uses similar traffic which 
we can
   block using iptables.

   Pls correct me if i'm wrong somewhere.

regards
-prasanth
On Mon, 31 May 2004 13:39:21 +0200, Markus Zeilinger 
<mz@sea.uni-linz.ac.at> wrote:

>  Hi!
>
> Do not know whether there is a patch available via patch-o-matic for such
> things. But I think a http proxy should handle such things? Cause you 
> have
> to do application level filtering and that's a duty of a http proxy I 
> would
> say!
>
> Cheers,
> Markus
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ivan
> Sent: Monday, May 31, 2004 1:19 PM
> To: netfilter@lists.netfilter.org
> Subject: (no subject)
>
> Hi,
> I am looking for a solution to block streaming media using iptables.
> I have found that some of my users are listening to radio stations using
> internet, which has pumped up the
> internet bill significantly, and of course put a choke on my internet 
> links.
> Does anyone know of a solution for blocking just the streaming media
> traffic from any web site, while still allowing
> the access to the website it self?
>
> Thanks,
>
> Ivan
>
>



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

RE: (no subject)

[Mark E. Donaldson]

Take a look at the H323 patch and see if it suits your needs:
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-5.h
tml#ss5.3 

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ivan
Sent: Monday, May 31, 2004 4:19 AM
To: netfilter@lists.netfilter.org
Subject: (no subject)

Hi,
I am looking for a solution to block streaming media using iptables.
I have found that some of my users are listening to radio stations using
internet, which has pumped up the internet bill significantly, and of course
put a choke on my internet links.
Does anyone know of a solution for blocking just the streaming media traffic
from any web site, while still allowing the access to the website it self?

Thanks,

Ivan



########################################################
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

postmaster@bandwidthco.com
MailScanner at bandwidthco.com is for your absolute protection.
########################################################



########################################################
This message has been scanned for viruses and dangerous 
content by MailScanner, and is believed to be clean.

postmaster@bandwidthco.com
MailScanner at bandwidthco.com is for your absolute protection.
########################################################

<no subject>

[Frank Pieczynski]

Hello, 
for load tests of a application, which requires a own IP address for each 
User, and have to support hundred of thousand ... millons of users, I try to 
simulate the users and handle the ip issues with netfilter. I'd like to 
avoid promiscous mode and virtual interfaces. 
 
Every Linux test box handle for examle 65.000 users. 
The test application fakes during sending the source ip, so for the app 
server it looks ok. 
On the app server some additional routing entries route the packets to the 
users according to the range of user ip's to the specific Linux test box. So 
netfilter should forward these incoming packets to the local test 
application: 
iptables -t nat -A PREROUTING -i eth0 -p udp --dst 10.132.0.0/16 \ 
-j REDIRECT --to-port 5000 
and the test app can ask for the original destination using getsockopt() - 
like squid.                                                                                                                                      
but I don't see the answers in the PREROUTING queue? 
They are visible with ethereal on eth0, but also a plain logging rule:                                                                                
iptables -t nat -A PREROUTING -j LOG Prerouting 
doesn't show the incoming packets??? 
BUT they are listed in the mangle table (but here I cannot use the REDIRECT 
target). 
 
A very interesting thing: 
If I modify the route showing to a different Linux box and use there a DNAT 
rule instead of REDIRECT, then it works as expected. Of course this has the 
disadvantage, that the information about the original destination IP is 
lost, so why it doesn't work on the local system? 
Does the use of the spoof during send create some implicite rules, so that 
later answers to that are not visible in the PREROUTING queue? 
Any tipps would be nice. 
 
Thanks 
Frank    
 -- 
For every complex problem there is a solution 
which is simple, neat and -- wrong. 
 
_____________________________________________________________________
Endlich SMS mit Bildern versenden! Das Bild selbst ist dabei gratis,
Sie bezahlen lediglich den Versand. http://freemail.web.de/?mc=021195

(no subject)

[zze-KHOURY Jad FTRD/DMI/CAE]

[-- Attachment #1: Type: text/plain, Size: 529 bytes --]

Hi,
 I'm having some problems finding how to log ONLY iptable log messages
to another file other than messages. So I made some changes in the
"sylsog.conf" file by adding: kern.warning /var/log/firewall since the
Default log level entry is" warning". But I still reveive some message
other than the packets, from the kernel itself!
 how can I limit the input messages to only Netfilter packets?
What should I change in the syslog.conf file If I don't want to receive
Netfilter messages in this file?
 

regards
Jad 

[-- Attachment #2: Type: text/html, Size: 1155 bytes --]

RE: (no subject)

[Mark E. Donaldson]

[-- Attachment #1: Type: text/plain, Size: 1828 bytes --]

 

  _____  

From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of zze-KHOURY Jad
FTRD/DMI/CAE
Sent: Friday, April 30, 2004 1:33 AM
To: netfilter@lists.netfilter.org
Subject: (no subject)



Hi, 
 I'm having some problems finding how to log ONLY iptable log messages to
another file other than messages. So I made some changes in the
"sylsog.conf" file by adding: kern.warning /var/log/firewall since the
Default log level entry is" warning". But I still reveive some message other
than the packets, from the kernel itself!

 how can I limit the input messages to only Netfilter packets? 
What should I change in the syslog.conf file If I don't want to receive
Netfilter messages in this file? 
  

regards 
Jad  

 

           To isolate firewall log messages into a separate or dedicated
file. By default, netfilter logs to the kern.info syslog facility. This
places all the firewall log messages into /var/log/messages along with all
other kernel messages. This behavior is not exceedingly friendly for
firewall log parsing and analysis. However, since the Linux kernel logs very
little by default at the “debug” level, there is an easy solution. Follow
these steps:

 

§         Set logging level to “debug” in the firewall script:

 

LOG_LEVEL="debug"

 

§         Place the LOG_LEVEL variable in rule sets for all packets to be
logged:

 

-j LOG --log-level $LOG_LEVEL

 

§         Tell syslog to log only kernel.debug messages to the firewall log
file:

 

kern.=debug
/var/log/iptables/iptables.log

 

§         Tell syslog not to place firewall messages into /var/log/messages:

 

*.*;kern.!=debug        /var/log/messages

 

§         Restart syslog: ./etc/init.d/syslog restart

 


[-- Attachment #2: Type: text/html, Size: 9750 bytes --]

(no subject)

[James]

[-- Attachment #1: Type: text/plain, Size: 452 bytes --]

Hi,

 

I was wondering if anybody could tell me how to setup a rule that forwards
all packets from a particular IP, regardless of the ports, on to another
machine?

 

I was also wondering if it is possible to forward an entire IP range, or the
DNS using wildcards? For example forwarding all connections from *.aol.com
regardless of the port onto a specific IP? If this is possible, could
anybody tell me how I would go about it?

 

Thanks,

James


[-- Attachment #2: Type: text/html, Size: 2435 bytes --]

Re: (no subject)

[Rob Sterenborg]

> I was wondering if anybody could tell me how to setup a rule that
> forwards all packets from a particular IP, regardless of the ports,
> on to another machine?

You mean to DNAT connections to a server behind the firewall ?

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISED -j ACCEPT
iptables -A FORWARD -d <dest_ip> -j ACCEPT
iptables -t nat -A PREROUTING -s <src_ip_range> -j DNAT <dest_ip>
echo 1 > /proc/sys/net/ipv4/ip_forward

For <src_ip_range>, see below.

> I was also wondering if it is possible to forward an entire IP range,
> or the DNS using wildcards? For example forwarding all connections
> from *.aol.com regardless of the port onto a specific IP? If this is
> possible, could anybody tell me how I would go about it?

Using a range is possible :
- use subnets like /24 or 255.255.255.0
- use the iprange patch from POM. You will have to patch your kernel for
that to work.
See http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-iprange

You cannot use wildcard domain lookups in iptables rules so you'd have to
find out which ip ranges you want to match yourself.


Gr,
Rob

RE: (no subject)

[__ Radien__]

>Sure, but what I meant was that "gateway" just means a machine in the middle 
>of a communications path.   It could be a circuit level gateway, it could be 
>an application layer gateway, it could be a network layer gateway.

Sure, Thx. Can u take some example of existing Circuit Level Gateways? 

Regards,

__Radien__

Re: (no subject)

[Antony Stone]

On Thursday 08 April 2004 2:12 pm, __ Radien__ wrote:

> >Sure, but what I meant was that "gateway" just means a machine in the
> > middle of a communications path.   It could be a circuit level gateway,
> > it could be an application layer gateway, it could be a network layer
> > gateway.
>
> Sure, Thx. Can u take some example of existing Circuit Level Gateways?

Socks is the usually-quoted example.

Regards,

Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

                                                     Please reply to the list;
                                                           please don't CC me.

(no subject)

[__ Radien__]

Thx Antony
But: 

>Circuit level filtering means packet filtering - what netfilter does - in 
>other words you filter packets based on where they've come from and where 
>they're going to (IP addresses), and on *assumptions* about what the TCP/UDP 
>port numbers mean, rather than based on anything that's actually inside the body of the packets (data).

  I read it's sth more than packet filtering, and it work on session
layer. Working on session layer is a little hard for me to underestand.
I'm looking for some example.

  I guess ESTABLISHED state option of iptables make it work on such
level, but I'm not sure.


>Application level filtering means proxies - software which can understand 
>protocols like http, smtp, pop3, ftp, irc.... and look at the data and 
>commands which are being transferred between machines, then base the 
>filtering decisions on that (as well as IP addresses and hostnames).


>Gateway simply refers to a machine which is in the path between your network 
>and the outside world - can mean anything from a simple router with no 
>filtering capabilities to a multi-protocol proxy server with intrusion detection.

Thx but, I meant "Circuit Level gateway" not a simple gateway I mean
IP(or network level).

>Netfilter (iptables) is a stateful packet filter, and therefore operates at 
>layers 3/4 of the OSI model - the network layers.   It does not meaningfully 
>operate at layer 7 - the application layer.

But I think matching RELATED state of ftp data connection means working
on layer 7.

>If you want realistic application layer filtering on a linux system you need 
>proxy applications like sendmail/exim/apache/squid/frox.   Netfilter won't do 
>it for you.

So u mean there's no such matching module or action in Netfilter.

Regards
__Radien__

Re: (no subject)

[Antony Stone]

On Thursday 08 April 2004 10:43 am, __ Radien__ wrote:

> Thx Antony
>
> But:
> > Circuit level filtering means packet filtering - what netfilter does - in
> > other words you filter packets based on where they've come from and where
> > they're going to (IP addresses), and on *assumptions* about what the
> > TCP/UDP port numbers mean, rather than based on anything that's actually
> > inside the body of the packets (data).
>
>   I read it's sth more than packet filtering, and it work on session
> layer. Working on session layer is a little hard for me to underestand.
> I'm looking for some example.

I don't blame you for being confused.   The session layer (and the 
presentation layer) of the OSI model are very hard to explain what they're 
for.   I have never heard of circuit level filtering applying at the session 
layer.   My understanding is that circuit level filters work at the network 
layers 3/4 of the OSI model.   The session layer is layer 5.

> > Gateway simply refers to a machine which is in the path between your
> > network and the outside world - can mean anything from a simple router
> > with no filtering capabilities to a multi-protocol proxy server with
> > intrusion detection.
>
> Thx but, I meant "Circuit Level gateway" not a simple gateway I mean
> IP(or network level).

Sure, but what I meant was that "gateway" just means a machine in the middle 
of a communications path.   It could be a circuit level gateway, it could be 
an application layer gateway, it could be a network layer gateway.

> > Netfilter (iptables) is a stateful packet filter, and therefore operates
> > at layers 3/4 of the OSI model - the network layers.   It does not
> > meaningfully operate at layer 7 - the application layer.
>
> But I think matching RELATED state of ftp data connection means working
> on layer 7.

You are correct - netfilter has some very limited and very specific 
understandings of what happens at layer 7.   This does not make it an 
application layer filtering system.

> > If you want realistic application layer filtering on a linux system you
> > need proxy applications like sendmail/exim/apache/squid/frox.   Netfilter
> > won't do it for you.
>
> So you mean there's no such matching module or action in Netfilter.

About the closest you can get with netfilter is the "string" match, but that 
is not very useful if you compare it what can be done with a proper proxy.

Regards,

Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

                                                     Please reply to the list;
                                                           please don't CC me.

(no subject)

[Anthony de Almeida Lopes]

[-- Attachment #1: Type: text/plain, Size: 302 bytes --]

Hi, I would like to add a certain rule to my firewall, but I have a
dynamic IP, I'm wondering if there is some way I can work with this
the line is as follows:

iptables -A INPUT -p tcp -d <MyDynamicIP> --tcp-flags SYN,FIN SYN,FIN -j
DROP

Thanks for any information you can provide.

--tony

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: (no subject)

[Tomasz Korycki]

At 07:46 2004-02-21, Anthony de Almeida Lopes wrote:
>Hi, I would like to add a certain rule to my firewall, but I have a
>dynamic IP, I'm wondering if there is some way I can work with this
>the line is as follows:
>
>iptables -A INPUT -p tcp -d <MyDynamicIP> --tcp-flags SYN,FIN SYN,FIN -j
>DROP

OTOMH:
iptables -A INPUT -p tcp -d `ip ad sh dev <external interface, like 
eth1>|grep inet|awk '{print $2}'|cut -d / -f 1` --tcp-flags SYN,FIN SYN,FIN 
-j DROP

I may be wrong on the "ip" output, You may need to change $2

Re: (no subject)

[Daniel Chemko]

No, but if you have a dynamic IP on the firewall, you can use the -i 
<dynamic_ip_network_interface> instead to do the same thing.

Anthony de Almeida Lopes wrote:

>Hi, I would like to add a certain rule to my firewall, but I have a
>dynamic IP, I'm wondering if there is some way I can work with this
>the line is as follows:
>
>iptables -A INPUT -p tcp -d <MyDynamicIP> --tcp-flags SYN,FIN SYN,FIN -j
>DROP
>
>Thanks for any information you can provide.
>
>--tony
>  
>

Re: (no subject)

[Alexis]

A fast way to do this is with a script and something like this (could
be a lot of other options and ways to do this)

MY_IP=`ifconfig eth0 | grep "inet addr" | cut -d':' -f2 | cut -d' '
-f1`

and then
iptables -A INPUT -p tcp -d $MY_IP --tcp-flags SYN,FIN SYN,FIN -j DROP

of course, you need to change eth0 to the interface that you need to
obtain an ip address.

If this interface is related to an ppp interface it could be easy, in
a file called ip-up in /etc/ppp you could set your script with the
following vars

# When the ppp link comes up, this script is called with the following
# parameters
#       $1      the interface name used by pppd (e.g. ppp3)
#       $2      the tty device name
#       $3      the tty device speed
#       $4      the local IP address for the interface
#       $5      the remote IP address
#       $6      the parameter specified by the 'ipparam' option to pppd


pppd executes this script when it comes up

so you can use $1 where i put $MY_IP in the iptables command.

then, if you need to change some parameters when the ppp connection
cames down, just set it in ip-down

and thats it




Hello Anthony,

Saturday, February 21, 2004, 9:46:59 AM, you wrote:

AdAL> Hi, I would like to add a certain rule to my firewall, but I have a
AdAL> dynamic IP, I'm wondering if there is some way I can work with this
AdAL> the line is as follows:

AdAL> iptables -A INPUT -p tcp -d <MyDynamicIP> --tcp-flags SYN,FIN SYN,FIN -j
AdAL> DROP

AdAL> Thanks for any information you can provide.

AdAL> --tony


-- 
Best regards,
 Alexis                            mailto:alexis@attla.net.ar

Re: (no subject)

[c0ldbyte]

How about a faster way to do that, that is static to any interface that
pops up, "iptables -A INPUT -i ! lo --tcp-flags SYN,FIN SYN,FIN -j DROP"
that will protect every interface that is not lo(Loop Back).

On Sat, 21 Feb 2004 19:49:22 -0300
Alexis <alexis@attla.net.ar> wrote:

> A fast way to do this is with a script and something like this (could
> be a lot of other options and ways to do this)
> 
> MY_IP=`ifconfig eth0 | grep "inet addr" | cut -d':' -f2 | cut -d' '
> -f1`
> 
> and then
> iptables -A INPUT -p tcp -d $MY_IP --tcp-flags SYN,FIN SYN,FIN -j DROP
> 
> of course, you need to change eth0 to the interface that you need to
> obtain an ip address.
> 
> If this interface is related to an ppp interface it could be easy, in
> a file called ip-up in /etc/ppp you could set your script with the
> following vars
> 
> # When the ppp link comes up, this script is called with the following
> # parameters
> #       $1      the interface name used by pppd (e.g. ppp3)
> #       $2      the tty device name
> #       $3      the tty device speed
> #       $4      the local IP address for the interface
> #       $5      the remote IP address
> #       $6      the parameter specified by the 'ipparam' option to pppd
> 
> 
> pppd executes this script when it comes up
> 
> so you can use $1 where i put $MY_IP in the iptables command.
> 
> then, if you need to change some parameters when the ppp connection
> cames down, just set it in ip-down
> 
> and thats it
> 
> 
> 
> 
> Hello Anthony,
> 
> Saturday, February 21, 2004, 9:46:59 AM, you wrote:
> 
> AdAL> Hi, I would like to add a certain rule to my firewall, but I have a
> AdAL> dynamic IP, I'm wondering if there is some way I can work with this
> AdAL> the line is as follows:
> 
> AdAL> iptables -A INPUT -p tcp -d <MyDynamicIP> --tcp-flags SYN,FIN SYN,FIN -j
> AdAL> DROP
> 
> AdAL> Thanks for any information you can provide.
> 
> AdAL> --tony
> 
> 
> -- 
> Best regards,
>  Alexis                            mailto:alexis@attla.net.ar
> 
> 
> 


-- 
        This e-mail may be privileged and/or confidential, and the sender
does not waive any related rights and obligations. Any distribution, use
or copying of this e-mail or the information it contains by other than an
intended recipient is unauthorized. If you received this e-mail in error,
please advise me (by return e-mail or otherwise) immediately.

Re: (no subject)

[Anthony de Almeida Lopes]

Thanks, that's also a good idea. I'll try that too :)


On Sat, 2004-02-21 at 19:23, c0ldbyte wrote:
> How about a faster way to do that, that is static to any interface that
> pops up, "iptables -A INPUT -i ! lo --tcp-flags SYN,FIN SYN,FIN -j DROP"
> that will protect every interface that is not lo(Loop Back).
> 
> On Sat, 21 Feb 2004 19:49:22 -0300
> Alexis <alexis@attla.net.ar> wrote:
> 
> > A fast way to do this is with a script and something like this (could
> > be a lot of other options and ways to do this)
> > 
> > MY_IP=`ifconfig eth0 | grep "inet addr" | cut -d':' -f2 | cut -d' '
> > -f1`
> > 
> > and then
> > iptables -A INPUT -p tcp -d $MY_IP --tcp-flags SYN,FIN SYN,FIN -j DROP
> > 
> > of course, you need to change eth0 to the interface that you need to
> > obtain an ip address.
> > 
> > If this interface is related to an ppp interface it could be easy, in
> > a file called ip-up in /etc/ppp you could set your script with the
> > following vars
> > 
> > # When the ppp link comes up, this script is called with the following
> > # parameters
> > #       $1      the interface name used by pppd (e.g. ppp3)
> > #       $2      the tty device name
> > #       $3      the tty device speed
> > #       $4      the local IP address for the interface
> > #       $5      the remote IP address
> > #       $6      the parameter specified by the 'ipparam' option to pppd
> > 
> > 
> > pppd executes this script when it comes up
> > 
> > so you can use $1 where i put $MY_IP in the iptables command.
> > 
> > then, if you need to change some parameters when the ppp connection
> > cames down, just set it in ip-down
> > 
> > and thats it
> > 
> > 
> > 
> > 
> > Hello Anthony,
> > 
> > Saturday, February 21, 2004, 9:46:59 AM, you wrote:
> > 
> > AdAL> Hi, I would like to add a certain rule to my firewall, but I have a
> > AdAL> dynamic IP, I'm wondering if there is some way I can work with this
> > AdAL> the line is as follows:
> > 
> > AdAL> iptables -A INPUT -p tcp -d <MyDynamicIP> --tcp-flags SYN,FIN SYN,FIN -j
> > AdAL> DROP
> > 
> > AdAL> Thanks for any information you can provide.
> > 
> > AdAL> --tony
> > 
> > 
> > -- 
> > Best regards,
> >  Alexis                            mailto:alexis@attla.net.ar
> > 
> > 
> > 
-- 
---------------------------------------------------------------
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

(no subject)

[rruegner]

[-- Attachment #1: Type: text/plain, Size: 383 bytes --]

Hi,Iptabletistas and all Filter Gurus up to the Delta Quadrant

My Question:
i patched kernel 2.6.3 with pom-ng from todays ftp,
i aplied the pptp patch without failure but i cant
find it in the config to switch it on as a module
i tried searching the list with google but
got no results what else may added to make the module compile, may someone enlight me?
Best Regards   

[-- Attachment #2: Type: text/html, Size: 1115 bytes --]

(no subject)

[Michael Gale]

-- 
Hand over the Slackware CD's and back AWAY from the computer, your geek
rights have been revoked !!!

Michael Gale
Slackware user :)
Bluesuperman.com 

(no subject)

[Sven-Åke Larsson]

Hi all.

I'm totally new to this list and I really tried to find an answer to my
question in the archives but with no success, so I'm sorry if I'm repeating
the history.

Yesterday I installed a new machine to create a better firewall than the one
I have today and to get some better logging functionality. A couple of
pieces are taken from other scipts I found and it does log stuff as I
thought. The strange thing is that for example port 53 and 111 appers to be
open when I do a port scan even though everything should be dropped as
default. But when I added the line "$IPTABLES -A INPUT -p tcp -m tcp --syn
-j DROP" to the script everything except wanted ports are open, as I wanted.
The last line should take care of everything, but it doesn't seem to work.

So the question is, how come? I used the Redhat security tool to create a
very-secure-machine script and the same thing happens.
I also surprisingly found out that in RH9 deny doesn't work?!


Best Regards,
Sven


Scrip start -------------------------

#!/bin/sh

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

IPTABLES="/sbin/iptables"

OUTSIDE=eth0
OUTSIDE_IP=my.to.inet.adress
INSIDE=eth2
INSIDE_IP=to.local.network.adress

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# My new rules
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix
TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix
Firewalled:
$IPTABLES -A firewalled -j DROP

# Source NAT
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to $OUTSIDE_IP

# Flag kombinations that shouldn't exist are dropped.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags

# Accept ICMP's
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled

$IPTABLES -A INPUT -p tcp -m tcp --dport 22  --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 25  --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 80  --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

# Temporarly solution to get rid of 53 and 111
# Without this one the will show up as open?!
$IPTABLES -A INPUT -p tcp -m tcp --syn -j DROP


# Localhost and inside machines are trustworthy
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT

# Accept established
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $OUTSIDE -o $INSIDE -m state --state
RELATED,ESTABLISHED -j ACCEPT

# Silently drop any SMB traffic.
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
$IPTABLES -A INPUT -p udp --sport 138 --dport 138 -j silent
$IPTABLES -A INPUT -p udp --sport 139 --dport 139 -j silent
$IPTABLES -A INPUT -p udp --sport 445 --dport 445 -j silent

# Last case killer, log and drop.
$IPTABLES -A INPUT -j firewalled

------------------------- Script End

Re: (no subject)

[Ranjeet Shetye]

On Wed, 2004-01-21 at 09:06, Sven-Åke Larsson wrote:
> Hi all.
> 
> I'm totally new to this list and I really tried to find an answer to my
> question in the archives but with no success, so I'm sorry if I'm repeating
> the history.
> 
> Yesterday I installed a new machine to create a better firewall than the one
> I have today and to get some better logging functionality. A couple of
> pieces are taken from other scipts I found and it does log stuff as I
> thought. The strange thing is that for example port 53 and 111 appers to be
> open when I do a port scan even though everything should be dropped as
> default. But when I added the line "$IPTABLES -A INPUT -p tcp -m tcp --syn
> -j DROP" to the script everything except wanted ports are open, as I wanted.
> The last line should take care of everything, but it doesn't seem to work.
> 
> So the question is, how come? I used the Redhat security tool to create a
> very-secure-machine script and the same thing happens.
> I also surprisingly found out that in RH9 deny doesn't work?!
> 
> 
> Best Regards,
> Sven
> 
> 
> Scrip start -------------------------
> 
> #!/bin/sh
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
> IPTABLES="/sbin/iptables"
> 
> OUTSIDE=eth0
> OUTSIDE_IP=my.to.inet.adress
> INSIDE=eth2
> INSIDE_IP=to.local.network.adress
> 
> $IPTABLES -F
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -X
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
> 
> # My new rules
> $IPTABLES -N silent
> $IPTABLES -A silent -j DROP
> 
> $IPTABLES -N tcpflags
> $IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix
> TCPflags:
> $IPTABLES -A tcpflags -j DROP
> 
> $IPTABLES -N firewalled
> $IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix
> Firewalled:
> $IPTABLES -A firewalled -j DROP
> 
> # Source NAT
> $IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to $OUTSIDE_IP
> 
> # Flag kombinations that shouldn't exist are dropped.
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
> $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
> $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
> 
> # Accept ICMP's
> $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
> $IPTABLES -A INPUT -p icmp -j firewalled
> 
> $IPTABLES -A INPUT -p tcp -m tcp --dport 22  --syn -j ACCEPT
> $IPTABLES -A INPUT -p tcp -m tcp --dport 25  --syn -j ACCEPT
> $IPTABLES -A INPUT -p tcp -m tcp --dport 80  --syn -j ACCEPT
> $IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
> 
> # Temporarly solution to get rid of 53 and 111
> # Without this one the will show up as open?!
> $IPTABLES -A INPUT -p tcp -m tcp --syn -j DROP
> 
> 
> # Localhost and inside machines are trustworthy
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A INPUT -i $INSIDE -j ACCEPT
> $IPTABLES -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
> 
> # Accept established
> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -i $OUTSIDE -o $INSIDE -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> 
> # Silently drop any SMB traffic.
> $IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
> $IPTABLES -A INPUT -p udp --sport 138 --dport 138 -j silent
> $IPTABLES -A INPUT -p udp --sport 139 --dport 139 -j silent
> $IPTABLES -A INPUT -p udp --sport 445 --dport 445 -j silent
> 
> # Last case killer, log and drop.
> $IPTABLES -A INPUT -j firewalled
> 
> ------------------------- Script End

The port 53 is used for DNS and is typically a UDP port being used. Your
rule is a TCP rule. EVERY layer 4 protocol like TCP or UDP has a port
number. You've only DROPped the TCP ports.

also, how are you testing ? as in what makes you say that port 53 is
"open" ?

-- 

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.

(no subject)

[Krystian]

yes. me too :(

its a pity its not build in to the kernel :(

did anybody manage to run it on 2.6?

Re: (no subject)

[Antony Stone]

On Sunday 18 January 2004 7:51 pm, Krystian wrote:

> yes. me too :(
>
> its a pity its not build in to the kernel :(
>
> did anybody manage to run it on 2.6?

What are you talking about?

Antony.

-- 
Documentation is like sex.
When it's good, it's very very good.
When it's bad, it's still better than nothing.

                                                     Please reply to the list;
                                                           please don't CC me.

(no subject)

[Minh Cao]

(no subject)

[zynkx]

                                _______________
				| gateway 1   |
				|192.168.0.253|
				|81.84.40.XX  |
				_______________
			_______________|
			|              |
		_______________        |
		|DHCP SERVER  |	       |	
	
		|192.168.0.1  |        |       
		|_____________|	       |
				       |
				________________
				|GATEWAY2      |
				|192.168.0.253 |
				|192.168.100.254
				|______________|
					|
					|
		
	_________________________________
			|		|	
	|			
		_______________    _______________  
______________
		|192.168.100.1 |   |192.168.100.2|  
|192.168.100.3|  _______________    ______________
_______________


hi all:


i have this lan i am supposed to use dhcrelay on 
gateway 2 so the 192.168.100.0/24 machines can get an 
ip address. i have the input and output chain of the 
gateway 2 to drop.

my question is:

do those request require input and output to accept? i 
don't really think so because those packer are not for 
gateway 2 but are to be routed to 192.168.100.0/24 
machines... 

what do you guys think of this??

tanx ;))))
unix is user friendly. it's just selective when 
choosing 
friends.

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

(no subject)

[zynkx]

yahoo and hotmail ip ranges? does anyone knows this ip 
ranges? need to allow them in my smtp prerouting 
rulez  :))

danke !




unix is user friendly. it's just selective when 
choosing 
friends.

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

Re: (no subject)

[Antony Stone]

On Wednesday 26 November 2003 1:37 pm, zynkx wrote:

> yahoo and hotmail ip ranges? does anyone knows this ip
> ranges? need to allow them in my smtp prerouting
> rulez  :))

If you're doing smtp, why not filter on the domain names yahoo.com and 
hotmail.com in your MTA?

> danke !

Bitte.

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[zynkx]

hi antony and tanx for writting ;))

i'm doing stmp indeed, but i need to allow traffic, 
not to block it ;)))

i happen to have qmail! i am aware something near that 
could done but i  guess that would a qmail mailling 
list matter!!!!! ;)))

if not just give me a hint on how could i filter 
incoming mail on qmail.

i know that to allow outgoing mail all i need to do id 
to fill up rcpthosts. i'm not informe about how to 
filter incoming mail coming to qmail.

if could give me a hint i would appreciate it ;))

you may mail to this address directly so we won't 
bother here!!


thanx again :)))


[][][][]
[][][]



Cópia Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 26 November 2003 1:37 pm, zynkx
> wrote:
>
> > yahoo and hotmail ip ranges? does anyone
> knows this ip
> > ranges? need to allow them in my smtp
> prerouting
> > rulez  :))
>
> If you're doing smtp, why not filter on the
> domain names yahoo.com and
> hotmail.com in your MTA?
>
> > danke !
>
> Bitte.
>
> Antony.
>
> --
> Behind the counter a boy with a shaven head
> stared vacantly into space,
> a dozen spikes of microsoft protruding from the
> socket behind his ear.
>
>  - William Gibson, Neuromancer (1984)
>
>                                                
>      Please reply to the list;
>                                                
>            please don't CC me.
>
>
> 



unix is user friendly. it's just selective when 
choosing 
friends.

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

Re: (no subject)

[Jeffrey Laramie]

zynkx wrote:

>yahoo and hotmail ip ranges? does anyone knows this ip 
>ranges? need to allow them in my smtp prerouting 
>rulez  :))
>
>  
>

I don't know the answer and I'd be surprised if anyone else here does. 
You can probably get that info from http://www.iana.org/ but it may be 
easier to contact Yahoo and Hotmail and ask them directly. Out of 
curiosity, why are you filtering smtp in your PREROUTING chain? Are you 
DNATing mail based on the sender's domain?

Jeff

Re: (no subject)

[zynkx]

Cópia Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>:

> zynkx wrote:
>
> >yahoo and hotmail ip ranges? does anyone knows
> this ip
> >ranges? need to allow them in my smtp
> prerouting
> >rulez  :))
> >
> >
> >
>
> I don't know the answer and I'd be surprised if
> anyone else here does.
> You can probably get that info from
> http://www.iana.org/ but it may be
> easier to contact Yahoo and Hotmail and ask
> them directly. Out of
> curiosity, why are you filtering smtp in your
> PREROUTING chain? Are you
> DNATing mail based on the sender's domain?
>
> Jeff
>
>
>
> 

hi jeff!

you're right...! here's what it's gonna be and sorry 
for my lack of clarity ;))  [][] **

i have an smtp running, and i just made a ruleset so i 
can only allow portuguese traffic incoming. i now 
would need the list of ip ranges from yahoo and 
hotmail so i can allow them in my forward chain, since 
i already made the por forwarding in my prerouting 
chain! since i put forward chain on DROP, i now need 
to allow the ip ranges i need to have the hotmail keep 
on coming! i'm doing fine with the portuguese MX's :)

all i need id to allow those two. 

just thought anyone here might know that

again i apologise for not being clear enough


:)))

[][][] * * *

unix is user friendly. it's just selective when 
choosing 
friends.

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

Re: (no subject)

[zynkx]

Cópia Jeffrey Laramie <JALaramie@Loudoun-Fairfax.com>:

> zynkx wrote:
>
> >yahoo and hotmail ip ranges? does anyone knows
> this ip
> >ranges? need to allow them in my smtp
> prerouting
> >rulez  :))
> >
> >
> >
>
> I don't know the answer and I'd be surprised if
> anyone else here does.
> You can probably get that info from
> http://www.iana.org/ but it may be
> easier to contact Yahoo and Hotmail and ask
> them directly. Out of
> curiosity, why are you filtering smtp in your
> PREROUTING chain? Are you
> DNATing mail based on the sender's domain?
>
> Jeff
>
>
>
> 

hi jeff!

you're right...! here's what it's gonna be and sorry 
for my lack of clarity ;))  [][] **

i have an smtp running, and i just made a ruleset so i 
can only allow portuguese traffic incoming. i now 
would need the list of ip ranges from yahoo and 
hotmail so i can allow them in my forward chain, since 
i already made the por forwarding in my prerouting 
chain! since i put forward chain on DROP, i now need 
to allow the ip ranges i need to have the hotmail keep 
on coming! i'm doing fine with the portuguese MX's :)

all i need id to allow those two. 

just thought anyone here might know that

again i apologise for not being clear enough


:)))

[][][] * * *

unix is user friendly. it's just selective when 
choosing 
friends.

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

Re: (no subject)

[Ramin Dousti]

mx1.mail.yahoo.com.     1800    A       64.156.215.5
mx1.mail.yahoo.com.     1800    A       64.156.215.6
mx1.mail.yahoo.com.     1800    A       64.157.4.78
mx1.mail.yahoo.com.     1800    A       64.157.4.79
mx1.mail.yahoo.com.     1800    A       64.156.215.7
mx2.mail.yahoo.com.     1800    A       64.156.215.5
mx2.mail.yahoo.com.     1800    A       64.156.215.6
mx2.mail.yahoo.com.     1800    A       64.157.4.78
mx4.mail.yahoo.com.     1800    A       66.218.86.254
mx4.mail.yahoo.com.     1800    A       66.218.86.253
mx4.mail.yahoo.com.     1800    A       216.136.129.5

mx1.hotmail.com.        3600    A       64.4.50.99
mx1.hotmail.com.        3600    A       65.54.252.99
mx1.hotmail.com.        3600    A       65.54.166.99
mx2.hotmail.com.        3600    A       65.54.166.230
mx2.hotmail.com.        3600    A       65.54.254.145
mx2.hotmail.com.        3600    A       65.54.252.230
mx3.hotmail.com.        3600    A       65.54.167.5
mx3.hotmail.com.        3600    A       64.4.50.239
mx3.hotmail.com.        3600    A       65.54.253.99
mx4.hotmail.com.        3600    A       65.54.167.230
mx4.hotmail.com.        3600    A       65.54.254.151
mx4.hotmail.com.        3600    A       65.54.253.230


I don't know what you're asking but these are the mx records
for yahoo and hotmail. Like the following which is the mx for
megamail.pt

mx.vodafone.pt. 86400   A       212.18.167.163


Ramin

On Wed, Nov 26, 2003 at 01:37:26PM +0000, zynkx wrote:

> yahoo and hotmail ip ranges? does anyone knows this ip 
> ranges? need to allow them in my smtp prerouting 
> rulez  :))
> 
> danke !

Re: (no subject)

[Antony Stone]

On Wednesday 26 November 2003 3:10 pm, Ramin Dousti wrote:

{MX DNS records snipped}
>
> I don't know what you're asking but these are the mx records
> for yahoo and hotmail. Like the following which is the mx for
> megamail.pt
>
> mx.vodafone.pt. 86400   A       212.18.167.163

I suspect (although one can never be sure) that this person is not looking for 
the IPs of the inbound mail servers for Yahoo & Hotmail, but wants to know 
from which IPs mail from those domains will be sent.

I guess this simply because of the word "prerouting" in the question - it 
implies to me packets coming in to the netfilter machine, rather than those 
leaving it and going to the MX systems.

Any further information from zynkx would be useful :)

Antony.

> On Wed, Nov 26, 2003 at 01:37:26PM +0000, zynkx wrote:
> > yahoo and hotmail ip ranges? does anyone knows this ip
> > ranges? need to allow them in my smtp prerouting
> > rulez  :))
> >
> > danke !

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[Ramin Dousti]

On Wed, Nov 26, 2003 at 02:17:22PM +0000, Antony Stone wrote:

> I suspect (although one can never be sure) that this person is not looking for 
> the IPs of the inbound mail servers for Yahoo & Hotmail, but wants to know 
> from which IPs mail from those domains will be sent.
> 
> I guess this simply because of the word "prerouting" in the question - it 
> implies to me packets coming in to the netfilter machine, rather than those 
> leaving it and going to the MX systems.

Yes. Your explanation sounds logical and I just examined the incoming emails
from yahoo and they seem to come from webXXXXX.mail.yahoo.com. And, hey, they
run qmail (another victory for qmail).

Ramin

> 
> Any further information from zynkx would be useful :)
> 
> Antony.

Re: (no subject)

[zynkx]

hi again Antony:

you just said it all. no use for me to add not even 
one line to what you just wrotte :))

now if anyone has got those masks i would appreciate 
it :))

tanx again and sorry for this mess ;)))



 [][][][]




Cópia Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 26 November 2003 3:10 pm, Ramin
> Dousti wrote:
>
> {MX DNS records snipped}
> >
> > I don't know what you're asking but these are
> the mx records
> > for yahoo and hotmail. Like the following
> which is the mx for
> > megamail.pt
> >
> > mx.vodafone.pt. 86400   A      
> 212.18.167.163
>
> I suspect (although one can never be sure) that
> this person is not looking for
> the IPs of the inbound mail servers for Yahoo &
> Hotmail, but wants to know
> from which IPs mail from those domains will be
> sent.
>
> I guess this simply because of the word
> "prerouting" in the question - it
> implies to me packets coming in to the
> netfilter machine, rather than those
> leaving it and going to the MX systems.
>
> Any further information from zynkx would be
> useful :)
>
> Antony.
>
> > On Wed, Nov 26, 2003 at 01:37:26PM +0000,
> zynkx wrote:
> > > yahoo and hotmail ip ranges? does anyone
> knows this ip
> > > ranges? need to allow them in my smtp
> prerouting
> > > rulez  :))
> > >
> > > danke !
>
> --
> Anyone that's normal doesn't really achieve
> much.
>
>  - Mark Blair, Australian rocket engineer
>
>                                                
>      Please reply to the list;
>                                                
>            please don't CC me.
>
>
> 



unix is user friendly. it's just selective when 
choosing 
friends.

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

Re: (no subject)

[Jeffrey Laramie]

zynkx wrote:

>hi again Antony:
>
>you just said it all. no use for me to add not even 
>one line to what you just wrotte :))
>
>now if anyone has got those masks i would appreciate 
>it :))
>
>tanx again and sorry for this mess ;)))
>  
>

zynkx:

If your mail server is running qmail, then your best bet is to read the 
qmail documentation and learn how to apply filters for the mail server. 
If you do use iptables, you will need to create a FORWARD rule to allow 
mail from each of the smtp servers that Ramin listed. Since any message 
from a Yahoo or Hotmail account will be sent from one of those servers 
you don't *have* to know every ip range that they've been assigned. The 
only problem doing it this way is if they change smtp server IPs you'll 
need to change your rules. I would do this with qmail if I were you.

Antony:

It sounds like you have the "We're behind schedule and you got to get 
this done before the holidays blues!"

Jeff

Re: (no subject)

[Antony Stone]

On Wednesday 26 November 2003 9:31 pm, Jeffrey Laramie wrote:

> zynkx wrote:
> >hi again Antony:
> >
> >you just said it all. no use for me to add not even
> >one line to what you just wrotte :))
> >
> >now if anyone has got those masks i would appreciate
> >it :))
> >
> >tanx again and sorry for this mess ;)))
>
> zynkx:
>
> If your mail server is running qmail, then your best bet is to read the
> qmail documentation and learn how to apply filters for the mail server.
> If you do use iptables, you will need to create a FORWARD rule to allow
> mail from each of the smtp servers that Ramin listed. Since any message
> from a Yahoo or Hotmail account will be sent from one of those servers
> you don't *have* to know every ip range that they've been assigned. The
> only problem doing it this way is if they change smtp server IPs you'll
> need to change your rules. I would do this with qmail if I were you.

I agree, and zynkx, I can't tell you how to do this with qmail because I'm a 
sendmail person.   Do what Jeff suggests and look at the qmail documentation, 
and if it's not clear ask on a qmail list.

I really think you should not try doing this by IP address because those may 
change and you won't find out until things start going wrong.

> Antony:
>
> It sounds like you have the "We're behind schedule and you got to get
> this done before the holidays blues!"

Not quite - the satellite link got installed very suddenly (phone call Friday, 
two men and a long ladder on Monday...) and we now have a month to evaluate 
it and see if it's a suitable replacement for the leased line - so I have to 
get as much of it working as possible so people can test it properly.

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[zynkx]

hi Ramin and tanx for your trouble ;))

what i am looking for is the adresses from hotmail and 
yahoo from wich smtp connections may come from :)

i have a smtp running and i need to allow traffic 
coming from these two, (hotmail and yahoo).

i would need to know from where hotmail and yahoo send 
their mail, so i could make a ruleset accepting 
connections from those ips :))

tanx  ;)))



Cópia Ramin Dousti <ramin@cannon.eng.us.uu.net>:


> mx1.mail.yahoo.com.     1800    A      
> 64.156.215.5
> mx1.mail.yahoo.com.     1800    A      
> 64.156.215.6
> mx1.mail.yahoo.com.     1800    A      
> 64.157.4.78
> mx1.mail.yahoo.com.     1800    A      
> 64.157.4.79
> mx1.mail.yahoo.com.     1800    A      
> 64.156.215.7
> mx2.mail.yahoo.com.     1800    A      
> 64.156.215.5
> mx2.mail.yahoo.com.     1800    A      
> 64.156.215.6
> mx2.mail.yahoo.com.     1800    A      
> 64.157.4.78
> mx4.mail.yahoo.com.     1800    A      
> 66.218.86.254
> mx4.mail.yahoo.com.     1800    A      
> 66.218.86.253
> mx4.mail.yahoo.com.     1800    A      
> 216.136.129.5
>
> mx1.hotmail.com.        3600    A      
> 64.4.50.99
> mx1.hotmail.com.        3600    A      
> 65.54.252.99
> mx1.hotmail.com.        3600    A      
> 65.54.166.99
> mx2.hotmail.com.        3600    A      
> 65.54.166.230
> mx2.hotmail.com.        3600    A      
> 65.54.254.145
> mx2.hotmail.com.        3600    A      
> 65.54.252.230
> mx3.hotmail.com.        3600    A      
> 65.54.167.5
> mx3.hotmail.com.        3600    A      
> 64.4.50.239
> mx3.hotmail.com.        3600    A      
> 65.54.253.99
> mx4.hotmail.com.        3600    A      
> 65.54.167.230
> mx4.hotmail.com.        3600    A      
> 65.54.254.151
> mx4.hotmail.com.        3600    A      
> 65.54.253.230
>
>
> I don't know what you're asking but these are
> the mx records
> for yahoo and hotmail. Like the following which
> is the mx for
> megamail.pt
>
> mx.vodafone.pt. 86400   A       212.18.167.163
>
>
> Ramin
>
> On Wed, Nov 26, 2003 at 01:37:26PM +0000, zynkx
> wrote:
>
> > yahoo and hotmail ip ranges? does anyone
> knows this ip
> > ranges? need to allow them in my smtp
> prerouting
> > rulez  :))
> >
> > danke !
>
> 



unix is user friendly. it's just selective when 
choosing 
friends.

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

Re: (no subject)

[Antony Stone]

On Wednesday 26 November 2003 8:38 pm, zynkx wrote:

> hi Ramin and tanx for your trouble ;))
>
> what i am looking for is the adresses from hotmail and
> yahoo from wich smtp connections may come from :)
>
> i have a smtp running and i need to allow traffic
> coming from these two, (hotmail and yahoo).

I'm not quite sure why you want to accept email only from Hotmail and Yahoo, 
and from nowhere else (a lot of people I know do the exact opposite!), 
however I still think an easier solution to your erquirement is to accept all 
email through your firewall, and then accept only mail from Hotmail / Yahoo 
on your mail server - because that can select based on the sender's address, 
without needing to know the IPs of their mail servers (which may change one 
day without you knowing).

Antony.

-- 
If at first you don't succeed, destroy all the evidence that you tried.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[zynkx]

antony: 

the only reason why i am doing this is because i am 
blocking all incoming connectios to my box except 
portuguese connections. i manage to get all the 
portuguese ip ranges, put the forward chain to drop 
and a accepted all the sources i want to get 
connections from. this way i will only be accepting 
connetions from portugal, since that the ammount of 
users i administrate is not enough for that machine to 
be opened to the whole world. 

there are in fact lots of users expecting mail to come 
from those 2 most known smtps, so this forces me to 
accept connectiosn from those domains :))

the way i see it, filtering with qmail doesn´t make 
any sense, because what i want is not to filter but to 
accept :)))

please call back to earth if this thoughts are not 
quite right :))) i will be greatfull

thank you very much for your time and for your 
words ;))

ZyNkz

Cópia Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Wednesday 26 November 2003 8:38 pm, zynkx
> wrote:
>
> > hi Ramin and tanx for your trouble ;))
> >
> > what i am looking for is the adresses from
> hotmail and
> > yahoo from wich smtp connections may come
> from :)
> >
> > i have a smtp running and i need to allow
> traffic
> > coming from these two, (hotmail and yahoo).
>
> I'm not quite sure why you want to accept email
> only from Hotmail and Yahoo,
> and from nowhere else (a lot of people I know
> do the exact opposite!),
> however I still think an easier solution to
> your erquirement is to accept all
> email through your firewall, and then accept
> only mail from Hotmail / Yahoo
> on your mail server - because that can select
> based on the sender's address,
> without needing to know the IPs of their mail
> servers (which may change one
> day without you knowing).
>
> Antony.
>
> --
> If at first you don't succeed, destroy all the
> evidence that you tried.
>
>                                                
>      Please reply to the list;
>                                                
>            please don't CC me.
>
>
> 



unix is user friendly. it's just selective when 
choosing 
friends.

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

Re: (no subject)

[Antony Stone]

On Wednesday 26 November 2003 10:41 pm, zynkx wrote:

> antony:
>
> the only reason why i am doing this is because i am
> blocking all incoming connectios to my box except
> portuguese connections. i manage to get all the
> portuguese ip ranges, put the forward chain to drop
> and a accepted all the sources i want to get
> connections from. this way i will only be accepting
> connetions from portugal, since that the ammount of
> users i administrate is not enough for that machine to
> be opened to the whole world.

Explain to me why you only want to allow connections from Portuguese IPs?

What is the problem with "that machine being opened to the world"?

1. What services are you providing anyway?

2. What is the limiting factor in not wanting just anyone from anywhere to be 
able to connect?   Is the machine severely under-powered, so it couldn't cope 
with the load, or do you have a very slow Internet link, and you don't want 
it saturated...?

Maybe you know what you're doing and blocking by country IP range is the right 
solution to your problem, but where email is concerned I would never choose 
that way of doing it.

Antony.

-- 
If builders made buildings the way programmers write programs, then the first 
woodpecker to come along would destroy civilisation.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[Jeffrey Laramie]

[-- Attachment #1: Type: text/html, Size: 1955 bytes --]

Re: (no subject)

[Joel Newkirk]

zynkx - AFAIK most if not all of yahoo's mailservers are in
66.218.78.0/23 ip block.  Hotmail I don't know, though.

On Wed, 2003-11-26 at 15:48, Antony Stone wrote:
> On Wednesday 26 November 2003 8:38 pm, zynkx wrote:

> > i have a smtp running and i need to allow traffic
> > coming from these two, (hotmail and yahoo).
> 
> I'm not quite sure why you want to accept email only from Hotmail and Yahoo, 
> and from nowhere else (a lot of people I know do the exact opposite!), 
> however I still think an easier solution to your erquirement is to accept all 
> email through your firewall, and then accept only mail from Hotmail / Yahoo 
> on your mail server - because that can select based on the sender's address, 
> without needing to know the IPs of their mail servers (which may change one 
> day without you knowing).
> 
> Antony.

Ah, but the point is that while lots of spam claims to be from
*@yahoo.com, if it comes to us from a known yahoo IP then we at least
know it's a legitimate source address.  The problem regarding yahoo and
spam is NOT that yahoo is the source of so much spam, but that so much
spam forges a yahoo.com source.  The 'ideal' filter would reject any
email claiming a yahoo sender that doesn't come from a yahoo mailserver.

Examining the source IP of incoming '-p tcp --dport 25 -m state --state
NEW' packets can be quite handy.  I'm not locking down as hard as zynkx
is, and I've taken a different approach, but I can appreciate what he's
trying to do.

On the director node of our mailcluster I have 3 ULOG target rules -
incoming SMTP, incoming POP3, and filtered SMTP (after a chain of DROP
rules have done their job).  I've been writing a script that analyzes
these logs and auto-generates DROP rules based on the reverse DNS
records (dig -x a.b.c.d +short) for the top [cutoff#] sources, IF the
record matches specific patterns, (like regexp "pcp.{5,30}comcast\.net",
which are all comcast cable modems, or no DNS record) and IF there are
more than [threshold#] new SMTP connections within a given time-frame
from that source IP.

Now, just based on the ~3000 source IP's currently in the DROP list, our
daily dose of spam claiming to be from yahoo.com has dropped from 60% of
the server's traffic, to 20%.  Not too damn shabby so far, and I'm
creating new rules as I observe patterns in the blockscript's log of
what it does NOT block.  (logs IP, reverse DNS, and decision)

This would have been a pointless exercise a few years ago, but now with
such treats as SoBig and Fizzer out in the world, that's changed.  (for
any not aware, SoBig functions as a spam relay, and Fizzer as a mini web
host for spammer sites, on infected machines)

j

Re: (no subject)

[Antony Stone]

On Wednesday 26 November 2003 10:45 pm, Joel Newkirk wrote:

> On Wed, 2003-11-26 at 15:48, Antony Stone wrote:
> >
> > I'm not quite sure why you want to accept email only from Hotmail and
> > Yahoo, and from nowhere else (a lot of people I know do the exact
> > opposite!), however I still think an easier solution to your erquirement
> > is to accept all email through your firewall, and then accept only mail
> > from Hotmail / Yahoo on your mail server - because that can select based
> > on the sender's address, without needing to know the IPs of their mail
> > servers (which may change one day without you knowing).
>
> Ah, but the point is that while lots of spam claims to be from
> *@yahoo.com, if it comes to us from a known yahoo IP then we at least
> know it's a legitimate source address.  The problem regarding yahoo and
> spam is NOT that yahoo is the source of so much spam, but that so much
> spam forges a yahoo.com source.  The 'ideal' filter would reject any
> email claiming a yahoo sender that doesn't come from a yahoo mailserver.

I agree with this completely, however I didn't get the impression from the 
original posting that this was the reason for wanting to do it in this case?

Even if this was the overall goal, I would still recommend filtering email on 
the MTA (qmail in this case) rather than with netfilter.

Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennet

                                                     Please reply to the list;
                                                           please don't CC me.

Re: (no subject)

[Joel Newkirk]

On Wed, 2003-11-26 at 17:53, Antony Stone wrote:
> On Wednesday 26 November 2003 10:45 pm, Joel Newkirk wrote:
> 
> > On Wed, 2003-11-26 at 15:48, Antony Stone wrote:
> > >
> > > I'm not quite sure why you want to accept email only from Hotmail and
> > > Yahoo, and from nowhere else (a lot of people I know do the exact
> > > opposite!), however I still think an easier solution to your erquirement
> > > is to accept all email through your firewall, and then accept only mail
> > > from Hotmail / Yahoo on your mail server - because that can select based
> > > on the sender's address, without needing to know the IPs of their mail
> > > servers (which may change one day without you knowing).
> >
> > Ah, but the point is that while lots of spam claims to be from
> > *@yahoo.com, if it comes to us from a known yahoo IP then we at least
> > know it's a legitimate source address.  The problem regarding yahoo and
> > spam is NOT that yahoo is the source of so much spam, but that so much
> > spam forges a yahoo.com source.  The 'ideal' filter would reject any
> > email claiming a yahoo sender that doesn't come from a yahoo mailserver.
> 
> I agree with this completely, however I didn't get the impression from the 
> original posting that this was the reason for wanting to do it in this case?

True - he apparently is comfortable with the idea that any email not
from Portugal, Hotmail, or Yahoo, isn't getting in.  I work for an ISP,
so obviously that approach would be invalid (and impossible) for us, but
we're finding that using an iptables chain to DROP selected incoming
SMTP connections right at the director has dramatically reduced the load
on the qmail nodes in the cluster.  Disregarding the obvious logistics,
catching this same incoming spam with content filtering takes a hell of
a lot more resources than "iptables -A BLOCKS -s 68.34.253.111 -j DROP".

> Even if this was the overall goal, I would still recommend filtering email on 
> the MTA (qmail in this case) rather than with netfilter.

For the most part I agree, except that some filters (like RBLs, or the
autoblock I'm working on) in front of the mta and any content filtering 
can be kept at (or damned close to) 0% false-positives, while
significantly reducing resource demands.

> Antony.

j

Re: (no subject)

[Jeffrey Laramie]

[-- Attachment #1: Type: text/html, Size: 2978 bytes --]

(no subject)

[skydive]

hi rob and tanx in advance for all your effort! it was 
realy nice of you!


  ->  iptables -A INPUT -m state --state 
RELATED,ESTABLISHED -j ACCEPT

if i understand this correctly, this rule is what it 
takes to accept all related connections that are 
caught and just related with any kind of connection 
(correct me if i'm wrong.. :) )... it doesn´t matter 
from where it comes or where it goes. just being 
related is enough for the rule to catch and accept, in 
this case, the related traffic that came from the 
www.hotmail.com connection... ;)) without the need to 
specify the --dport or --sport.

hotmail.com was just an exemple! many urls will follow 
since i'll be accepting almost all kind os urls except 
those of porno ones, ftp ones... and all those kind of 
thing that can distract one from his work !! ;)) 
(hehe!!)

about the output chain... i had it to accept, so i 
assume i don't need those rules about the output 
chain... is that correct..!? :))

thank you very much, for your time and for your 
words ;)

really apreciate it!




skydive!

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

RE: (no subject)

[Rob Sterenborg]

>   ->  iptables -A INPUT -m state --state 
> RELATED,ESTABLISHED -j ACCEPT
> 
> if i understand this correctly, this rule is what it 
> takes to accept all related connections that are 
> caught and just related with any kind of connection 

When a connection is made, the first packet that is seen in a connection
has state NEW. All other packet in that connection have state
ESTABLISHED.
If an application (like ftp) is opens other ports (like 20/tcp) then
those packets have state RELATED.
For a more detailed description :
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#USERLANDST
ATES

If you write a rule like :
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i <if_lan> -s <ip_admin> -p tcp --dport 22 -j ACCEPT
Only the initial packet coming in on the LAN nic, having your admin IP,
destined for the ssh port matches. The rest is handled by ESTABLISHED.

You can see this if you have the rules working for some time and then
issue a : iptables -nvL
Here you can see the byte counters for each chain and you'll see that
the RELATED,ESTABLISED rules are by far the biggest compared to the
other rules.

> (correct me if i'm wrong.. :) )... it doesn´t matter 
> from where it comes or where it goes. just being 
> related is enough for the rule to catch and accept, in 

Yep.

> this case, the related traffic that came from the 
> www.hotmail.com connection... ;)) without the need to 
> specify the --dport or --sport.

Mostly you don't know what ports to accept and it's quite safe to do
this.
You can add additional options to the rule to restrict packet flow, but
this rule can be used.

> hotmail.com was just an exemple! many urls will follow 

I didn't specify any Hotmail specific rules ;o).
It should work for (virtually ?) any website.

> since i'll be accepting almost all kind os urls except 
> those of porno ones, ftp ones... and all those kind of 
> thing that can distract one from his work !! ;)) 
> (hehe!!)

If you use Squid, use a content filter like SquidGuard for that. I think
that'll be easier and afaik there are regularly updated blocklists for
SquidGuard.

You could restrict access to ftp servers running on port 21 (which
catches most) with :
iptables -A OUTPUT -o <if_inet> -p tcp --dport 21 -j REJECT
--reject-with tcp-reset
However, this way you will not be able to access any ftp server unless
you use NAT which uses the FORWARD chain.

> about the output chain... i had it to accept, so i 
> assume i don't need those rules about the output 
> chain... is that correct..!? :))

Having it set to ACCEPT and no rule to tell it to DROP, REJECT or
whatever, it should let any packet go out.


Gr,
Rob

(no subject)

[skydive]

hi all again

my first question related wiht "http access - fixing 
DNAT port forwarding access from internal networks" 
was answered successfully, since it is working fine, 
thanks to all that could help ;)

now i happen to have a proxy server running on the 
same machine as the web server, and i would like to 
block incoming traffic to my web server from addresses
wich are not portuguese. i already got a list of the 
ip ranges and net masks of all autonomous systems 
located in portugal. i first tried to accept all those 
ip ranges, and then droped all other incoming. what 
happens is that proxy will accept connections only 
from those ip ranges i accepted initialy ( the 
postuguese ones). Let´s say i'm trying to connect to 
hotmail.com. i won't work since that ip range is not 
being accepted.

is there a way to accept connections related with 
previous conections made to this machine to por 3128 
(squid default port)?

i want to accept conections that even if they do not 
match with ipranges i'm accepting, they're related 
with a previous connection made to the proxy server, 
related with proxy port whatever it'll be ;))


i'm aware this can not be this easy... but still 
believe there is a way out :))


[][]

thank you all
skydive!

-------------------------------------------------
Email Enviado utilizando o serviço MegaMail

RE: (no subject)

[Rob Sterenborg]

> now i happen to have a proxy server running on the 
> same machine as the web server, and i would like to 
> block incoming traffic to my web server from addresses
> wich are not portuguese. i already got a list of the 
> 
> ip ranges and net masks of all autonomous systems 
> located in portugal. i first tried to accept all those 
> ip ranges, and then droped all other incoming. what 
> happens is that proxy will accept connections only 
> from those ip ranges i accepted initialy ( the 
> postuguese ones). Let´s say i'm trying to connect to 
> hotmail.com. i won't work since that ip range is not 
> being accepted.

If I understand this correctly... :

If you don't want to accept IP's that are not from Portugal then you
should put the block in the INPUT chain only.
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s <ip/mask> -j ACCEPT
...
iptables -A INPUT -s <ip/mask> -j ACCEPT
Accept everything that has a rule ; drop the rest.
The RELATED,ESTABLISHED rule catches everything you need in addition to
the initial connection.


If you want Squid to connect to hotmail.com for you, it generates
outgoing traffic -> it needs an OUTPUT rule to let it do that.
When you set the default policy of the OUTPUT chain to DROP, it can
cause unexpected results if you don't accept packets coming back from
the server. If set to ACCEPT, you shouldn't need a rule for the OUTPUT
chain to accept.
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3128 -j ACCEPT

> is there a way to accept connections related with 
> previous conections made to this machine to por 3128 
> (squid default port)?

See above.

> i want to accept conections that even if they do not 
> match with ipranges i'm accepting, they're related 
> with a previous connection made to the proxy server, 
> related with proxy port whatever it'll be ;))

The connections are 2 way :
1. from webbrowser to proxy and vv (initital conn. is INPUT)
2. from proxy to webserver and vv (initial conn. is OUTPUT)
You have to write rules for the initial connection, and catch the rest
with "RELATED,ESTABLISHED".

> i'm aware this can not be this easy... but still 
> believe there is a way out :))

Of course ;-)


Gr,
Rob

(no subject)

[Nikolai Dahlem]

Hi,

I'm trying to conntrack/nat a udp-based protocol with a server listening on
port x. My problem is, that the conntrack-helper sees all incoming and
outgoing packets of the control connection, while the nat-helper is only
called for outgoing packets. Due to the nature of the protocol I need
IP_NAT_HELPER_F_ALWAYS to mangle the contents of both outgoing and incoming
packets (even when there are no expected connections).

The scenario is the following:

PC1 -> MASQ -> server

The conntrack module gets a packet from PC1 (src port x, dst port x) and
parses the protocol.
The nat_module mangles the packet content and the packet is send of to the
server with the source address of MASQ (src port x, dst port x).
The conntrack_module receives a packet from Server (src port: high, dst port
x) and parses the protocol.
The nat_module isn't called.

I reqister my modules with the following tuples:

nat_module:
hlpr->tuple.dst.protonum = IPPROTO_UDP;
hlpr->tuple.src.u.udp.port = port x;
hlpr->mask.src.u.udp.port = 0xFFFF;
hlpr->mask.dst.protonum = 0xFFFF;
hlpr->flags = IP_NAT_HELPER_F_ALWAYS;

conntrack_module:
hlpr->tuple.src.u.udp.port = port x;
hlpr->tuple.dst.protonum = IPPROTO_UDP;
hlpr->mask.src.u.udp.port = 0xFFFF;
hlpr->mask.dst.protonum = 0xFFFF;


/proc/net/ip_conntrack lists both connections (answer&reply) as unreplied.
Can someone explain to me why the reply is seen as a new connection ?


regards

Nikolai Dahlem

(no subject)

[Kilson Arruda]

I have a Transparent Proxy like this

$IPTABLES -t nat -A PREROUTING -p tcp
--dport 80 ! -d $DIRECT_IP -m mac --mac-source $MAC -j REDIRECT --to-port
3128

Question: can I use more then one "! -d", or multiple IPs to don't REDIRECT
the port 80 for more then one IP?
If yes, how can I do this?

--
Kilson Arruda
Linux User # 228238



________________________________________________
www.onwave.com.br - Internet e Conectividade

Re: (no subject)

[Alistair Tonner]

On September 10, 2003 12:02 pm, Kilson Arruda wrote:

	See Ramin Dousti's correction to your notation.
	
	next point -- exclusions require a separate user chain to stack 
	exclusions.

	Create new chain, send all packets destined for the redirection port to 	
	this chain, 
	then in this chain, RETURN the packets you DONT want redirected, and
	at the end of this chain, redirect everything.... 

	you can't stack exclusions since the first exclusion will grab the targets
	of all successor exclusions.


> I have a Transparent Proxy like this
>
> $IPTABLES -t nat -A PREROUTING -p tcp
> --dport 80 ! -d $DIRECT_IP -m mac --mac-source $MAC -j REDIRECT --to-port
> 3128
>
> Question: can I use more then one "! -d", or multiple IPs to don't REDIRECT
> the port 80 for more then one IP?
> If yes, how can I do this?
>
> --
> Kilson Arruda
> Linux User # 228238
>
>
>
> ________________________________________________
> www.onwave.com.br - Internet e Conectividade

-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!

(no subject)

[Bryan Schmidt]

Hey all,

    I have got a problem that has been driving me crazy.  I can not get the 
following Iptable filter to work.

iptables -A TEST -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP drop] 
" --log-level=info

I get an "iptables: Invalid argument"

I have narrowed the problem down to "-m limit --limit 1/s".  I have the 
ipt_limit module loaded.

What am I missing.  I know the limit modules is loading because I have got a 
limit error
trying different commands.


iptables -A LnD -p tcp -m limit --limit second -j LOG
iptables v1.2.7a: bad rate `second'
Try `iptables -h' or 'iptables --help' for more information.

Thanks in advance
Bryan

_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.  
http://join.msn.com/?page=features/virus

printing the owner cmd and uid in iptables logs

[xavier renaut]

Hi, 

i'd like to print the owner cmd and uid in my logs,
so that i'll be able to track more easily  software
on my box....

is there a way to do it with stock iptables ?

(-j LOG prints a lot of things, but not the owner cmd/uid)

do i need a better logging alternative (ulog ?) ?


thanks


-- 
xavier renaut, 514 906 1212 x226  

(no subject)

[Support technique morex]

[-- Attachment #1: Type: text/plain, Size: 566 bytes --]

unsubscribe
  ----- Original Message ----- 
  From: xavier renaut 
  To: netfilter 
  Sent: Wednesday, July 16, 2003 5:03 PM
  Subject: printing the owner cmd and uid in iptables logs



  Hi, 

  i'd like to print the owner cmd and uid in my logs,
  so that i'll be able to track more easily  software
  on my box....

  is there a way to do it with stock iptables ?

  (-j LOG prints a lot of things, but not the owner cmd/uid)

  do i need a better logging alternative (ulog ?) ?


  thanks


  -- 
  xavier renaut, 514 906 1212 x226  

[-- Attachment #2: Type: text/html, Size: 1535 bytes --]

RE: (no subject)

[George Vieira]

Errrrr...yeah, of course there needs to be changes/restarts.
You need to do alot of reading as patching is not like Windoze Service Packs. ;)

http://www.netfilter.org/documentation/pomlist/pom-extra.html#h323-conntrack-nat
http://www.netfilter.org/documentation/FAQ/netfilter-faq-1.html#ss1.5

This information is available on the www.netfilter.org site under documentation and How-To's and/or FAQs..

Thanks,
____________________________________________
George Vieira
 

-----Original Message-----
From: gold gold [mailto:mr_gold55@hotmail.com]
Sent: Monday, June 30, 2003 8:25 AM
To: George Vieira; netfilter@lists.netfilter.org
Subject: RE: (no subject)


Well, where do I get that "H323" patch from? and how do I install it please? 
Also, do I need to any other steps after I install that H323 patch? (like 
restarting iptables, or anything like that?).

Thanks again.

RE: (no subject)

[gold gold]

Well, where do I get that "H323" patch from? and how do I install it please? 
Also, do I need to any other steps after I install that H323 patch? (like 
restarting iptables, or anything like that?).

Thanks again.


>From: "George Vieira" <georgev@citadelcomputer.com.au>
>To: "gold gold" <mr_gold55@hotmail.com>,<netfilter@lists.netfilter.org>
>Subject: RE: (no subject)
>Date: Mon, 30 Jun 2003 08:07:22 +1000
>MIME-Version: 1.0
>Received: from mc7-f22.law1.hotmail.com ([65.54.253.29]) by 
>mc7-s1.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Sun, 29 Jun 
>2003 15:07:31 -0700
>Received: from kashyyyk.netfilter.org ([62.128.28.62]) by 
>mc7-f22.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Sun, 29 Jun 
>2003 15:07:28 -0700
>Received: from kashyyyk ([127.0.0.1])by kashyyyk.netfilter.org with esmtp 
>(Exim 4.20 #1 (Debian))id 19WkJE-0006kz-LG; Mon, 30 Jun 2003 00:06:08 +0200
>Received: from saccess-01-121.magna.com.au ([203.111.79.121] 
>helo=citadelcomputer.com.au)by kashyyyk.netfilter.org with esmtp (Exim 4.20 
>#1 (Debian))id 19WkIZ-0006kY-DTfor <netfilter@lists.netfilter.org>; Mon, 30 
>Jun 2003 00:05:27 +0200
>X-Message-Info: wCrlMA1YA+jz0bnTWff2CC2u6sdadwmq
>content-class: urn:content-classes:message
>X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
>Message-ID: 
><09B04A55822EFF4DA48D2E0BB2941D4A15BE86@wardrive.citadelcomputer.com.au>
>X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: (no subject)
>Thread-Index: AcM9aOPFQDZiR2DOQFeiscPbA+kSzQBIdCuQ
>X-Spam-Score: 0.0 (/)
>Sender: netfilter-admin@lists.netfilter.org
>Errors-To: netfilter-admin@lists.netfilter.org
>X-BeenThere: netfilter@lists.netfilter.org
>X-Mailman-Version: 2.0.11
>Precedence: bulk
>List-Help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
>List-Post: <mailto:netfilter@lists.netfilter.org>
>List-Subscribe: 
><https://lists.netfilter.org/mailman/listinfo/netfilter>,<mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
>List-Id: General discussion and user questions 
><netfilter.lists.netfilter.org>
>List-Unsubscribe: 
><https://lists.netfilter.org/mailman/listinfo/netfilter>,<mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
>List-Archive: <https://lists.netfilter.org/pipermail/netfilter/>
>Return-Path: netfilter-admin@lists.netfilter.org
>X-OriginalArrivalTime: 29 Jun 2003 22:07:29.0615 (UTC) 
>FILETIME=[D4FB3DF0:01C33E8A]
>
>MSN uses netmeeting. You need the Netmeeting H323 protocol patch from the 
>patch-o-matic patches..
>
>Thanks,
>____________________________________________
>George Vieira
>Systems Manager
>georgev@citadelcomputer.com.au
>
>Citadel Computer Systems Pty Ltd
>http://www.citadelcomputer.com.au
>
>
>-----Original Message-----
>From: gold gold [mailto:mr_gold55@hotmail.com]
>Sent: Saturday, June 28, 2003 9:23 PM
>To: netfilter@lists.netfilter.org
>Subject: (no subject)
>
>
>Hello,
>
>      How the hell do I allow my masqueraded Windows PC to use MSN's Audio
>conversation? I've tried port-forwarding for 6901 (which is the audio port
>for MSN according to some web page), but I still can't use that Audio
>stuff... please help, thank you.
>

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE* 
http://join.msn.com/?page=features/junkmail

RE: (no subject)

[George Vieira]

MSN uses netmeeting. You need the Netmeeting H323 protocol patch from the patch-o-matic patches..

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
 

-----Original Message-----
From: gold gold [mailto:mr_gold55@hotmail.com]
Sent: Saturday, June 28, 2003 9:23 PM
To: netfilter@lists.netfilter.org
Subject: (no subject)


Hello,

     How the hell do I allow my masqueraded Windows PC to use MSN's Audio 
conversation? I've tried port-forwarding for 6901 (which is the audio port 
for MSN according to some web page), but I still can't use that Audio 
stuff... please help, thank you.

Re: (no subject)

[gold gold]

Hello,

     I'm already using MSN v6, Microsoft released it (officially) recently.


>From: Cyberdude Murli <murli_laptop@yahoo.com>
>To: gold gold <mr_gold55@hotmail.com>, netfilter@lists.netfilter.org
>Subject: Re: (no subject)
>Date: Sat, 28 Jun 2003 12:06:12 -0700 (PDT)
>MIME-Version: 1.0
>Received: from mc1-f12.law16.hotmail.com ([65.54.236.19]) by 
>mc1-s9.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Sat, 28 Jun 
>2003 12:12:07 -0700
>Received: from kashyyyk.netfilter.org ([62.128.28.62]) by 
>mc1-f12.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Sat, 28 
>Jun 2003 12:11:33 -0700
>Received: from kashyyyk ([127.0.0.1])by kashyyyk.netfilter.org with esmtp 
>(Exim 4.20 #1 (Debian))id 19WL2S-0002pC-Dj; Sat, 28 Jun 2003 21:07:08 +0200
>Received: from web13302.mail.yahoo.com ([216.136.175.38])by 
>kashyyyk.netfilter.org with smtp (Exim 4.20 #1 (Debian))id 
>19WL1b-0002nv-Oyfor <netfilter@lists.netfilter.org>; Sat, 28 Jun 2003 
>21:06:15 +0200
>Received: from [64.86.49.17] by web13302.mail.yahoo.com via HTTP; Sat, 28 
>Jun 2003 12:06:12 PDT
>X-Message-Info: MxAodtZPLiQ6HPHOc8rBiXjgUFkT69DC
>Message-ID: <20030628190612.41388.qmail@web13302.mail.yahoo.com>
>In-Reply-To: <BAY1-F5kjgJKVApwOLZ00016087@hotmail.com>
>X-Spam-Score: -4.8 (----)
>Sender: netfilter-admin@lists.netfilter.org
>Errors-To: netfilter-admin@lists.netfilter.org
>X-BeenThere: netfilter@lists.netfilter.org
>X-Mailman-Version: 2.0.11
>Precedence: bulk
>List-Help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
>List-Post: <mailto:netfilter@lists.netfilter.org>
>List-Subscribe: 
><https://lists.netfilter.org/mailman/listinfo/netfilter>,<mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
>List-Id: General discussion and user questions 
><netfilter.lists.netfilter.org>
>List-Unsubscribe: 
><https://lists.netfilter.org/mailman/listinfo/netfilter>,<mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
>List-Archive: <https://lists.netfilter.org/pipermail/netfilter/>
>Return-Path: netfilter-admin@lists.netfilter.org
>X-OriginalArrivalTime: 28 Jun 2003 19:11:33.0568 (UTC) 
>FILETIME=[16AC8C00:01C33DA9]
>
From what I know it's not athat simple. You need to have a upnp compliant 
>proxy in your network.
>
>I suggest you wait for the new MSN v6 that is coming out soon. Beta is 
>already out. M$ has for once fixed this problem after finding the 10m odd 
>security issues with the upnp protocol. With MSN v6 you don't have to do 
>any port forwarding, it will just work.
>
>Regards,
>
>Murli
>
>gold gold <mr_gold55@hotmail.com> wrote:
>Hello,
>
>How the hell do I allow my masqueraded Windows PC to use MSN's Audio
>conversation? I've tried port-forwarding for 6901 (which is the audio port
>for MSN according to some web page), but I still can't use that Audio
>stuff... please help, thank you.
>
>_________________________________________________________________
>The new MSN 8: advanced junk mail protection and 2 months FREE*
>http://join.msn.com/?page=features/junkmail
>
>
>
>---------------------------------
>Do you Yahoo!?
>SBC Yahoo! DSL - Now only $29.95 per month!

_________________________________________________________________
Add photos to your messages with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

(no subject)

[gold gold]

Hello,

     How the hell do I allow my masqueraded Windows PC to use MSN's Audio 
conversation? I've tried port-forwarding for 6901 (which is the audio port 
for MSN according to some web page), but I still can't use that Audio 
stuff... please help, thank you.

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE* 
http://join.msn.com/?page=features/junkmail

Re: (no subject)

[Cyberdude Murli]

[-- Attachment #1: Type: text/plain, Size: 947 bytes --]

From what I know it's not athat simple. You need to have a upnp compliant proxy in your network.
 
I suggest you wait for the new MSN v6 that is coming out soon. Beta is already out. M$ has for once fixed this problem after finding the 10m odd security issues with the upnp protocol. With MSN v6 you don't have to do any port forwarding, it will just work.
 
Regards,
 
Murli

gold gold <mr_gold55@hotmail.com> wrote:
Hello,

How the hell do I allow my masqueraded Windows PC to use MSN's Audio 
conversation? I've tried port-forwarding for 6901 (which is the audio port 
for MSN according to some web page), but I still can't use that Audio 
stuff... please help, thank you.

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE* 
http://join.msn.com/?page=features/junkmail



---------------------------------
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!

[-- Attachment #2: Type: text/html, Size: 1288 bytes --]

(no subject)

[Thorsten Gutsche]

***********************
No virus was detected in the attachment no filename

Your mail has been scanned by InterScan MSS.
***********************



unsubscribe

**********************************************
         IMSSS scanned eMail!
**********************************************

(no subject)

[Aris Santillan]

[-- Attachment #1: Type: text/plain, Size: 101 bytes --]

hi 

is there a sample firewall script written
in bash / iptables?


can you give me samples?

[-- Attachment #2: Type: text/html, Size: 579 bytes --]

Re: (no subject)

[hare ram]

[-- Attachment #1: Type: text/plain, Size: 332 bytes --]

check www.linuxguruz.org

lot of examples are there

hare
  ----- Original Message ----- 
  From: Aris Santillan 
  To: netfilter (E-mail) 
  Sent: Tuesday, May 20, 2003 3:32 PM
  Subject: (no subject)


  hi 

  is there a sample firewall script written 
  in bash / iptables? 



  can you give me samples? 


[-- Attachment #2: Type: text/html, Size: 1656 bytes --]

(no subject)

[Leon Stankowski]

(no subject)

[mdew]

-- 
mdew <mdew@mdew.dyndns.org>

(no subject)

[Корсун Игорь Вячеславович]

Привет netfilter,

   I am a new user of IPtables.
   Pleas tel me about use -c option of IPTABLES

-- 
Всего хорошего,
 Игорь                          mailto:imrir@ukr.net
                                mailto:workspace@ukr.net
суббота  29 марта 2003 г. 11:05:51

(no subject)

[Bryan Schmidt]

I am getting the following message when trying to use iptable (iptable -L)
"iptables v1.2.6a: can't initialize iptables table `filter': iptables who? 
(do yo
u need to insmod?)
Perhaps iptables or your kernel needs to be upgraded."

It seems that I can't access any of the tables (filter,nat, or mangle).  
Does the kernel need to be modified?  How do I go about this? I am running 
Debain 3.0r1 on an UtraII.

Thanks,

Bryan Schmidt, MCSE, MCP + Internet
Area101, Inc.
MIS Director





_________________________________________________________________
Add photos to your messages with MSN 8. Get 2 months FREE*.  
http://join.msn.com/?page=features/featuredemail

Re: (no subject)

[M]

----- Original Message -----
From: "Bryan Schmidt" <absolut_bryan@hotmail.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, March 28, 2003 2:31 AM
Subject: (no subject)


> I am getting the following message when trying to use iptable (iptable -L)
> "iptables v1.2.6a: can't initialize iptables table `filter': iptables who?
> (do yo
> u need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded."
>
> It seems that I can't access any of the tables (filter,nat, or mangle).
> Does the kernel need to be modified?  How do I go about this? I am running
> Debain 3.0r1 on an UtraII.
>
> Thanks,
>
> Bryan Schmidt, MCSE, MCP + Internet
> Area101, Inc.
> MIS Director
>

Often this is that ipchains is loaded in memory. Remove ipchains from memory
with 'rmmod' command. Load the ip_tables module with 'insmod' or modprobe.

In Red Hat it would be...
# chkconfig ipchains off
# chkconfig iptables on
# rmmod ipchains
# insmod ip_tables

/Klitnan

(no subject)

[GBV]

I have an internal server 192.168.0.69, running ISS and an IRC server.

How can I using iptables, make this host avaiable in internet, preserving
the IRC daemon?

my external interface is eth0
and internal is eth1

iss is using port 80
irc is using 6669, 7000

thks

(no subject)

[William Beattie]

Hello,

I have a fairly complicated network which I have to maintain connectivity
with 20 different customers over private line or frame relay and 14 remote
offices using frame relay.  Most of the customers use 10.x.x.x or
192.168.x.x subnets.  In order to not conflict with the customer networks I
am using all public IP addresses locally and at my remotes. (Ya, Ya, I know)

Now I have a mandate from our corporate IT to migrate/RE-IP my entire
network to 10.x.x.x.  

Right away with the 10.x.x.x subnets I have been assigned for this office I
immediately conflict with at least one customer circuit.

IPTABLES looks like the way to go but I need some helpful suggestions.  

I need to do source and destination nat because we connect to machines on
their side and they connect to machines on our side.  

I need to restrict incoming internet traffic on this firewall to basically 5
IP addresses or so and restrict outgoing internet access to a list of sites
for my general population and full internet ports 80, 443, 20:21, 23 for a
select group.


I am looking for suggestions, sample scripts and anything else you have.

I know RTFM, I did and it just doesn't look like the out of the box
configuration will do.

Please send files or attachments to wbeattie@fnis.com




Sincerely,

William Beattie -- Network Engineer
Microsoft Certified Systems Engineer

FNIS Real Estate Tax Service, Monrovia, CA
(626) 351-5060 ext 214  Fax: 626-351-6181
Cell Phone (626) 625-4973 DC # 124*27588*1
Text Message 6266254973@messaging.nextel.com

MSN IM: williambeattie@msn.com

PS Please only send me PLAIN TEXT EMAIL

(no subject)

[Deks Vazquez]

i want know how i can stop any request of arp-spoofing to my router with 
iptables.

_________________________________________________________________
Charla con tus amigos en línea mediante MSN Messenger:  
http://messenger.microsoft.com/es

Re: (no subject)

[Willi Dyck]

On Tue, Feb 25, 2003 at 09:21:55PM +0100, Deks Vazquez wrote:
> i want know how i can stop any request of arp-spoofing to my router with 
> iptables.

With iptables I don't think so. But there is a kernel patch to resist
ARP spoofing. Check google for it.

-- 
NT is the OS of the future. The main engine is the 16-bit Subsystem
(also called MS-DOS Subsystem). Above that, there is the windoze 95/98
16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT is a
*real* 32-bit system.

(no subject)

[john doe]

anyone knows about good papers/links regarding comparison studies between 
iptables/netfilter and commercial firewalls?

Thanks.






_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail

(no subject)

[Tiziano Müller]

Hi there...


I have to do a firewall with DMZ (nat) as follows:

                            (DMZ)
Internet ------ Firewall 1 --------- Firewall 2 ------ LAN
                              |-- WWW
                              |-- Mail
                              |-- DNS

We have 16 extern IP\'s, so, every Server in the DMZ has
to be mapped to a real IP.

I did the follow:

ifconfig eth1:1:0 add 1.2.3.4 (= real IP for the WWW-Server)
and
iptables -t nat -A PREROUTING -d 1.2.3.4 -j DNAT --to-destination 10.0.0.4
(= IP of the WWW-Server in the DMZ)
iptables -t nat -A POSTROUTING -s 10.0.0.4 -j SNAT --to-source 1.2.3.4

so, ping and SSH works, but nothing else.
has anyone an idea?

thanks in advance

(no subject)

[PAUL FABRICIO VILLACRESES LEON]

Hi,
I want to do both bridging and firewalling with linux. I've some questions
about it:
1 - When I start up bridging, I see that all my linux terminals are
outputing the bridge trafic and I am not able to see my command prompt! so
how can I prevent it from doing so?

This is because you enable debbug iptables went you compliled you kernel

2 - Can I use all of the benefits of Iptables in a bridging firewall?

Yes but bot all iptables's extension.

thanks,
afshin

_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. 
http://join.msn.com/?page=features/virus

(no subject)

[Simone Sestini]

[-- Attachment #1: Type: text/plain, Size: 424 bytes --]

test

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Simone Sestini [ SS971-RIPE ]

Plug IT s.p.a. - Technical Office
Via Galileo Ferraris 216
52100 Arezzo

Titles:
System and Network Administrator
Data Transmission Manager

Fax             +39 199 440088
E-mail  simone.sestini@plugit.net
Web             http://www.plugit.it

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[-- Attachment #2: Type: text/html, Size: 1045 bytes --]

(no subject)

[Blesson Paul]

Hi all
         Is IPTables are only supported by linux. Which of the OS's support 
IPTables
regards
Blesson Paul

Blesson Paul,
Software Engineer,
Integrated Computing Environments Ltd,
Cochin Special Economic Zone,
Cochin - 682 030, India.
Tel: +91-484-2413 083(O),  +91-484-2413 096(O)
       +91-481-2380 893(R)

Re: (no subject)

[Raymond Leach]

[-- Attachment #1: Type: text/plain, Size: 1219 bytes --]

AFAIK most *nix's support it... Solaris does.

On Fri, 2003-01-24 at 12:18, Blesson Paul wrote:
> Hi all
>          Is IPTables are only supported by linux. Which of the OS's support 
> IPTables
> regards
> Blesson Paul
> 
> Blesson Paul,
> Software Engineer,
> Integrated Computing Environments Ltd,
> Cochin Special Economic Zone,
> Cochin - 682 030, India.
> Tel: +91-484-2413 083(O),  +91-484-2413 096(O)
>        +91-481-2380 893(R)
> 
-- 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(  Raymond Leach                       )
 ) Knowledge Factory                  (
(                                      )
 ) Tel: +27 11 445 8100               (
(  Fax: +27 11 445 8101                )
 )                                    (
(  http://www.knowledgefactory.co.za/  )
 ) http://www.saptg.co.za/            (
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   o                                o
    o                              o
        .--.                  .--.
       | o_o|                |o_o |
       | \_:|                |:_/ |
      / /   \\              //   \ \
     ( |     |)            (|     | )
     /`\_   _/'\          /'\_   _/`\
     \___)=(___/          \___)=(___/

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: (no subject)

[Ranjeet Shetye]

On Fri, 2003-01-24 at 13:06, Raymond Leach wrote:
> AFAIK most *nix's support it... Solaris does.
> 
> On Fri, 2003-01-24 at 12:18, Blesson Paul wrote:
> > Hi all
> >          Is IPTables are only supported by linux. Which of the OS's support 
> > IPTables
> > regards
> > Blesson Paul
> > 
> > Blesson Paul,

I was under the impresssion that you need to be using the kernel-space
NetFilter mechanism to be able to use the user-space IPTables utilities,
and that NetFilter is present only in Linux 2.4+ kernels. I was not
aware that it has been ported to the Solaris OS. Unless you are talking
on Linux OS running on Sun hardware.

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/

The views, opinions, and judgements expressed in this message are solely
those of
the author. The message contents have not been reviewed or approved by
Zultys.

Re: (no subject)

[Fabrice MARIE]

On Friday 24 January 2003 20:06, Raymond Leach wrote:
> AFAIK most *nix's support it... Solaris does.

Hello,

well, if solaris does support iptables, I'm sure there
is going to be plenty of people interested, if you could
please post us a link, as well as on the developer mailing
list ? ;-)

[the coreteam said they would not bother to port it to solaris,
 which many people agree with.. including me. It would be a LOT
 of work, and it's probably not worth the time. If you want
 netfilter, linux kernel 2.4.x coming 2.4.6 are the way to go :)]

> On Fri, 2003-01-24 at 12:18, Blesson Paul wrote:
> > Hi all
> >          Is IPTables are only supported by linux. Which of the OS's
> > support IPTables
> > regards
> > Blesson Paul

Have a nice day,

Fabrice.
--
Fabrice MARIE

"Silly hacker, root is for administrators"
       -Unknown

(no subject)

[Blesson Paul]

Test Mail

Blesson Paul,
Software Engineer,
Integrated Computing Environments Ltd,
Cochin Special Economic Zone,
Cochin - 682 030, India.
Tel: +91-484-2413 083(O),  +91-484-2413 096(O)
       +91-481-2380 893(R)

(no subject)

[Simpson, Doug]

Here is my rc.firewall that I generated using FW Builder.
I want to add these lines - 
iptables -t nat -A POSTROUTING -p tcp --dport 110 -o eth0 -s $INTERNAL_IP -j
SNAT --to $external_ip
iptables -t nat -A POSTROUTING -p tcp --dport 23 -o eth0 -s $INTERNAL_IP -j
SNAT --to $EXTERNAL_IP
Where can I put these in the script and do I need to follow the same pattern
as the script?
Thank you
Doug
##############################################
#!/bin/sh 
#
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v1.0.7- 
#
#  Generated Fri Nov 22 17:45:36 2002 CST by root
#
#
#
#
check() {
  if test ! -x "$1"; then
    echo "$1 not found or is not executable"
    exit 1
  fi
}

log() {
  if test -x "$LOGGER"; then
    logger -p info "$1"
  fi
}

MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"

check $MODPROBE
check $IPTABLES
check $IP

cd /etc || exit 1

log "Activating firewall script generated Fri Nov 22 17:45:36 2002 CST by
root"


INTERFACES="eth0 eth1 lo "
for i in $INTERFACES ; do
  $IP link show "$i" > /dev/null 2>&1 || {
    echo Interface $i does not exist
    exit 1
  }
done


MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/" 
MODULES=`(cd $MODULE_DIR; ls *_conntrack_*  *_nat_* | sed 's/\.o.*$//')`
for module in $(echo $MODULES); do 
  if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz"
]; then 
    $MODPROBE -k ${module} ||  exit 1 
  fi 
done


FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

$IP -4 neigh flush dev eth0
$IP -4 addr flush dev eth0 label "eth0:FWB*"
$IP -4 neigh flush dev eth1
$IP -4 addr flush dev eth1 label "eth1:FWB*"


$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP



cat /proc/net/ip_tables_names | while read table; do
  $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
  done
  $IPTABLES -t $table -X
done


$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# 
# Rule 0(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_0
$IPTABLES -A INPUT -i eth0 -p udp --source-port 500 -m state --state NEW -j
eth0_In_RULE_0 
$IPTABLES -A FORWARD -i eth0 -p udp --source-port 500 -m state --state NEW
-j eth0_In_RULE_0 
$IPTABLES -A eth0_In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0
-- ACCEPT " 
$IPTABLES -A eth0_In_RULE_0 -j ACCEPT 
$IPTABLES -N eth0_Out_RULE_0
$IPTABLES -A OUTPUT -o eth0 -p udp --source-port 500 -m state --state NEW -j
eth0_Out_RULE_0 
$IPTABLES -A FORWARD -o eth0 -p udp --source-port 500 -m state --state NEW
-j eth0_Out_RULE_0 
$IPTABLES -A eth0_Out_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_0 -j ACCEPT 
# 
# Rule 1(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_1
$IPTABLES -A INPUT -i eth0 -p udp --destination-port 500 -m state --state
NEW -j eth0_In_RULE_1 
$IPTABLES -A FORWARD -i eth0 -p udp --destination-port 500 -m state --state
NEW -j eth0_In_RULE_1 
$IPTABLES -A eth0_In_RULE_1  -j LOG  --log-level info --log-prefix "RULE 1
-- ACCEPT " 
$IPTABLES -A eth0_In_RULE_1 -j ACCEPT 
$IPTABLES -N eth0_Out_RULE_1
$IPTABLES -A OUTPUT -o eth0 -p udp --destination-port 500 -m state --state
NEW -j eth0_Out_RULE_1 
$IPTABLES -A FORWARD -o eth0 -p udp --destination-port 500 -m state --state
NEW -j eth0_Out_RULE_1 
$IPTABLES -A eth0_Out_RULE_1  -j LOG  --log-level info --log-prefix "RULE 1
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_1 -j ACCEPT 
# 
# Rule 2(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_2
$IPTABLES -A INPUT -i eth0 -p 50 -m state --state NEW -j eth0_In_RULE_2 
$IPTABLES -A FORWARD -i eth0 -p 50 -m state --state NEW -j eth0_In_RULE_2 
$IPTABLES -A eth0_In_RULE_2  -j LOG  --log-level info --log-prefix "RULE 2
-- ACCEPT " 
$IPTABLES -A eth0_In_RULE_2 -j ACCEPT 
$IPTABLES -N eth0_Out_RULE_2
$IPTABLES -A OUTPUT -o eth0 -p 50 -m state --state NEW -j eth0_Out_RULE_2 
$IPTABLES -A FORWARD -o eth0 -p 50 -m state --state NEW -j eth0_Out_RULE_2 
$IPTABLES -A eth0_Out_RULE_2  -j LOG  --log-level info --log-prefix "RULE 2
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_2 -j ACCEPT 
# 
# Rule 3(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_3
$IPTABLES -A INPUT -i eth0 -p 51 -m state --state NEW -j eth0_In_RULE_3 
$IPTABLES -A FORWARD -i eth0 -p 51 -m state --state NEW -j eth0_In_RULE_3 
$IPTABLES -A eth0_In_RULE_3  -j LOG  --log-level info --log-prefix "RULE 3
-- ACCEPT " 
$IPTABLES -A eth0_In_RULE_3 -j ACCEPT 
$IPTABLES -N eth0_Out_RULE_3
$IPTABLES -A OUTPUT -o eth0 -p 51 -m state --state NEW -j eth0_Out_RULE_3 
$IPTABLES -A FORWARD -o eth0 -p 51 -m state --state NEW -j eth0_Out_RULE_3 
$IPTABLES -A eth0_Out_RULE_3  -j LOG  --log-level info --log-prefix "RULE 3
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_3 -j ACCEPT 
# 
# Rule 4(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_4
$IPTABLES -A INPUT -i eth0 -p tcp --source-port 110 -m state --state NEW -j
eth0_In_RULE_4 
$IPTABLES -A FORWARD -i eth0 -p tcp --source-port 110 -m state --state NEW
-j eth0_In_RULE_4 
$IPTABLES -A eth0_In_RULE_4  -j LOG  --log-level info --log-prefix "RULE 4
-- ACCEPT " 
$IPTABLES -A eth0_In_RULE_4 -j ACCEPT 
$IPTABLES -N eth0_Out_RULE_4
$IPTABLES -A OUTPUT -o eth0 -p tcp --source-port 110 -m state --state NEW -j
eth0_Out_RULE_4 
$IPTABLES -A FORWARD -o eth0 -p tcp --source-port 110 -m state --state NEW
-j eth0_Out_RULE_4 
$IPTABLES -A eth0_Out_RULE_4  -j LOG  --log-level info --log-prefix "RULE 4
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_4 -j ACCEPT 
# 
# Rule 5(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_5
$IPTABLES -A INPUT -i eth0 -p tcp --destination-port 110 -m state --state
NEW -j eth0_In_RULE_5 
$IPTABLES -A FORWARD -i eth0 -p tcp --destination-port 110 -m state --state
NEW -j eth0_In_RULE_5 
$IPTABLES -A eth0_In_RULE_5  -j LOG  --log-level info --log-prefix "RULE 5
-- ACCEPT " 
$IPTABLES -A eth0_In_RULE_5 -j ACCEPT 
$IPTABLES -N eth0_Out_RULE_5
$IPTABLES -A OUTPUT -o eth0 -p tcp --destination-port 110 -m state --state
NEW -j eth0_Out_RULE_5 
$IPTABLES -A FORWARD -o eth0 -p tcp --destination-port 110 -m state --state
NEW -j eth0_Out_RULE_5 
$IPTABLES -A eth0_Out_RULE_5  -j LOG  --log-level info --log-prefix "RULE 5
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_5 -j ACCEPT 
# 
# Rule 6(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_6
$IPTABLES -A INPUT -i eth0 -p tcp --destination-port 80 -m state --state NEW
-j eth0_In_RULE_6 
$IPTABLES -A FORWARD -i eth0 -p tcp --destination-port 80 -m state --state
NEW -j eth0_In_RULE_6 
$IPTABLES -A eth0_In_RULE_6  -j LOG  --log-level info --log-prefix "RULE 6
-- ACCEPT " 
$IPTABLES -A eth0_In_RULE_6 -j ACCEPT 
$IPTABLES -N eth0_Out_RULE_6
$IPTABLES -A OUTPUT -o eth0 -p tcp --destination-port 80 -m state --state
NEW -j eth0_Out_RULE_6 
$IPTABLES -A FORWARD -o eth0 -p tcp --destination-port 80 -m state --state
NEW -j eth0_Out_RULE_6 
$IPTABLES -A eth0_Out_RULE_6  -j LOG  --log-level info --log-prefix "RULE 6
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_6 -j ACCEPT 
# 
# Rule 7(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_7
$IPTABLES -A INPUT -i eth0 -p tcp --source-port 25 --destination-port 25 -m
state --state NEW -j eth0_In_RULE_7 
$IPTABLES -A FORWARD -i eth0 -p tcp --source-port 25 --destination-port 25
-m state --state NEW -j eth0_In_RULE_7 
$IPTABLES -A eth0_In_RULE_7  -j LOG  --log-level info --log-prefix "RULE 7
-- ACCEPT " 
$IPTABLES -A eth0_In_RULE_7 -j ACCEPT 
$IPTABLES -N eth0_Out_RULE_7
$IPTABLES -A OUTPUT -o eth0 -p tcp --source-port 25 --destination-port 25 -m
state --state NEW -j eth0_Out_RULE_7 
$IPTABLES -A FORWARD -o eth0 -p tcp --source-port 25 --destination-port 25
-m state --state NEW -j eth0_Out_RULE_7 
$IPTABLES -A eth0_Out_RULE_7  -j LOG  --log-level info --log-prefix "RULE 7
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_7 -j ACCEPT 
# 
# Rule 8(eth0)
# 
# 
# 
$IPTABLES -N eth0_Out_RULE_8
$IPTABLES -A OUTPUT -o eth0  -s 192.168.1.1 -m state --state NEW -j
eth0_Out_RULE_8 
$IPTABLES -A eth0_Out_RULE_8  -j LOG  --log-level info --log-prefix "RULE 8
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_8 -j ACCEPT 
# 
# Rule 9(eth0)
# 
# 
# 
$IPTABLES -N eth0_Out_RULE_9
$IPTABLES -A FORWARD -o eth0  -s 192.168.1.0/24 -m state --state NEW -j
eth0_Out_RULE_9 
$IPTABLES -A eth0_Out_RULE_9  -j LOG  --log-level info --log-prefix "RULE 9
-- ACCEPT " 
$IPTABLES -A eth0_Out_RULE_9 -j ACCEPT 
# 
# Rule 10(eth0)
# 
# 
# 
$IPTABLES -N eth0_In_RULE_10
$IPTABLES -A INPUT -i eth0 -j eth0_In_RULE_10 
$IPTABLES -A FORWARD -i eth0 -j eth0_In_RULE_10 
$IPTABLES -A eth0_In_RULE_10  -j LOG  --log-level info --log-prefix "RULE 10
-- DROP " 
$IPTABLES -A eth0_In_RULE_10 -j DROP 
# 
# Rule 0(eth1)
# 
# 
# 
$IPTABLES -N eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -m state --state NEW -j eth1_In_RULE_0 
$IPTABLES -A FORWARD -i eth1 -m state --state NEW -j eth1_In_RULE_0 
$IPTABLES -A eth1_In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0
-- ACCEPT " 
$IPTABLES -A eth1_In_RULE_0 -j ACCEPT 
$IPTABLES -N eth1_Out_RULE_0
$IPTABLES -A OUTPUT -o eth1 -m state --state NEW -j eth1_Out_RULE_0 
$IPTABLES -A FORWARD -o eth1 -m state --state NEW -j eth1_Out_RULE_0 
$IPTABLES -A eth1_Out_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0
-- ACCEPT " 
$IPTABLES -A eth1_Out_RULE_0 -j ACCEPT 
# 
# Rule 1(eth1)
# 
# 
# 
$IPTABLES -N eth1_In_RULE_1
$IPTABLES -A INPUT -i eth1 -p tcp --destination-port 23 -j eth1_In_RULE_1 
$IPTABLES -A FORWARD -i eth1 -p tcp --destination-port 23 -j eth1_In_RULE_1 
$IPTABLES -A eth1_In_RULE_1  -j LOG  --log-level info --log-prefix "RULE 1
-- DROP " 
$IPTABLES -A eth1_In_RULE_1 -j DROP 
# 
# Rule 0(lo)
# 
# allow everything on loopback
# 
$IPTABLES -A INPUT -i lo -j ACCEPT 
$IPTABLES -A FORWARD -i lo -j ACCEPT 
$IPTABLES -A OUTPUT -o lo -j ACCEPT 
$IPTABLES -A FORWARD -o lo -j ACCEPT 
# 
# Rule 0(global)
# 
# 'catch all' rule
# 
$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -j RULE_0 
$IPTABLES -A INPUT -j RULE_0 
$IPTABLES -A FORWARD -j RULE_0 
$IPTABLES -A RULE_0 -j LOG  --log-level info --log-prefix "RULE 0 -- ACCEPT
" 
$IPTABLES -A RULE_0 -j ACCEPT 
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward

(no subject)

[Durgaprasada Kalluraya]

Hi,

I have configured our firewall using IPtables. The configuration of the 
firewall is as follows...
Firewall host has 3 interfaces one for DMZ, one for LAN and one for external 
world(internet). All of our servers have a
static IP address. Our FTP server is wu-ftpd

Now there is no problem in accessing our DNS, WEB, SMTP and IMAP servers 
from outside. But the FTP server is
showing some strange problem. When our client tries to do a 'ls' in FTP 
session it is shows the following error message.

ftp> ls
200 PORT command successful.
425 Can't build data connection: Connection timed out.
ftp> bye

But if I try the same thing from outside using a dialup connection all works 
fine for me!!!!

when some one tries do a 'ls' from internal LAN on our FTP server then the 
following message is displayed.
ftp> ls
500 Illegal PORT Command
425 Can't build data connection: Connection timed out.
ftp>

Our rules related to FTP server are...

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state 
ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_FTP_IP 
--dport ftp -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_FTP_IP 
--dport ftp-data -j
allowed
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FTP_IP --dport ftp 
-j DNAT --to-destination
$DMZ_FTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FTP_IP --dport 
ftp-data -j DNAT
--to-destination $DMZ_FTP_IP
$IPTABLES -t nat -A POSTROUTING -p TCP -s $LAN_IP_RANGE -j SNAT --to-source 
$DMZ_NAT

where
DMZ_FTP_IP is IP address of ftp server in DMZ
DMZ_IP is global IP address of ftp server.
INET_IFACE is Internet interface on firewall
DMZ_IFACE is DMZ interface on firewall.
LAN_IP_RANGE is Lan ip range.

Can anyone help me?

Thanks and Regards
Durgaprasada

_________________________________________________________________
Protect your PC - get McAfee.com VirusScan Online 
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

Re: (no subject)

[Marcello Scacchetti]

Hi,
try to load following kernel modules:
ip_conntrack.o
ip_conntrack_ftp.o
ip_nat_ftp.o
This should solve your problems.

Marcello

Il gio, 2002-12-19 alle 08:33, Durgaprasada Kalluraya ha scritto:
> Hi,
> 
> I have configured our firewall using IPtables. The configuration of the 
> firewall is as follows...
> Firewall host has 3 interfaces one for DMZ, one for LAN and one for external 
> world(internet). All of our servers have a
> static IP address. Our FTP server is wu-ftpd
> 
> Now there is no problem in accessing our DNS, WEB, SMTP and IMAP servers 
> from outside. But the FTP server is
> showing some strange problem. When our client tries to do a 'ls' in FTP 
> session it is shows the following error message.
> 
> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: Connection timed out.
> ftp> bye
> 
> But if I try the same thing from outside using a dialup connection all works 
> fine for me!!!!
> 
> when some one tries do a 'ls' from internal LAN on our FTP server then the 
> following message is displayed.
> ftp> ls
> 500 Illegal PORT Command
> 425 Can't build data connection: Connection timed out.
> ftp>
> 
> Our rules related to FTP server are...
> 
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> 
> $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state 
> ESTABLISHED,RELATED -j
> ACCEPT
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_FTP_IP 
> --dport ftp -j allowed
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_FTP_IP 
> --dport ftp-data -j
> allowed
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FTP_IP --dport ftp 
> -j DNAT --to-destination
> $DMZ_FTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FTP_IP --dport 
> ftp-data -j DNAT
> --to-destination $DMZ_FTP_IP
> $IPTABLES -t nat -A POSTROUTING -p TCP -s $LAN_IP_RANGE -j SNAT --to-source 
> $DMZ_NAT
> 
> where
> DMZ_FTP_IP is IP address of ftp server in DMZ
> DMZ_IP is global IP address of ftp server.
> INET_IFACE is Internet interface on firewall
> DMZ_IFACE is DMZ interface on firewall.
> LAN_IP_RANGE is Lan ip range.
> 
> Can anyone help me?
> 
> Thanks and Regards
> Durgaprasada
> 
> _________________________________________________________________
> Protect your PC - get McAfee.com VirusScan Online 
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
-- 
Marcello Scacchetti <marcello.scacchetti@nextrem.it>

RE: (no subject)

[Ranjeet Shetye]

Hi Durgaprasada,

You will need to use "modprobe" or "insmod" to load the modules &
"lsmod" if you want to verify that the modules have been loaded.

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
771 Vaqueros Avenue
Sunnyvale  CA  94085
USA
Ranjeet.Shetye@Zultys.com
http://www.zultys.com/

 


> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org 
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> Marcello Scacchetti
> Sent: Monday, December 23, 2002 8:21 AM
> To: Durgaprasada Kalluraya
> Cc: netfilter@lists.netfilter.org
> Subject: Re: (no subject)
> 
> 
> Hi,
> try to load following kernel modules:
> ip_conntrack.o
> ip_conntrack_ftp.o
> ip_nat_ftp.o
> This should solve your problems.
> 
> Marcello
> 
> Il gio, 2002-12-19 alle 08:33, Durgaprasada Kalluraya ha scritto:
> > Hi,
> > 
> > I have configured our firewall using IPtables. The configuration of 
> > the
> > firewall is as follows...
> > Firewall host has 3 interfaces one for DMZ, one for LAN and 
> one for external 
> > world(internet). All of our servers have a
> > static IP address. Our FTP server is wu-ftpd
> > 
> > Now there is no problem in accessing our DNS, WEB, SMTP and IMAP 
> > servers
> > from outside. But the FTP server is
> > showing some strange problem. When our client tries to do a 
> 'ls' in FTP 
> > session it is shows the following error message.
> > 
> > ftp> ls
> > 200 PORT command successful.
> > 425 Can't build data connection: Connection timed out.
> > ftp> bye
> > 
> > But if I try the same thing from outside using a dialup 
> connection all 
> > works
> > fine for me!!!!
> > 
> > when some one tries do a 'ls' from internal LAN on our FTP 
> server then 
> > the
> > following message is displayed.
> > ftp> ls
> > 500 Illegal PORT Command
> > 425 Can't build data connection: Connection timed out.
> > ftp>
> > 
> > Our rules related to FTP server are...
> > 
> > $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > 
> > $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> > $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> > $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
> > $IPTABLES -A OUTPUT -m state --state 
> NEW,ESTABLISHED,RELATED -j ACCEPT
> > 
> > 
> > $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state
> > ESTABLISHED,RELATED -j
> > ACCEPT
> > $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d 
> $DMZ_FTP_IP 
> > --dport ftp -j allowed
> > $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d 
> $DMZ_FTP_IP 
> > --dport ftp-data -j
> > allowed
> > $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d 
> $FTP_IP --dport ftp 
> > -j DNAT --to-destination
> > $DMZ_FTP_IP
> > $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d 
> $FTP_IP --dport 
> > ftp-data -j DNAT
> > --to-destination $DMZ_FTP_IP
> > $IPTABLES -t nat -A POSTROUTING -p TCP -s $LAN_IP_RANGE -j 
> SNAT --to-source 
> > $DMZ_NAT
> > 
> > where
> > DMZ_FTP_IP is IP address of ftp server in DMZ
> > DMZ_IP is global IP address of ftp server.
> > INET_IFACE is Internet interface on firewall
> > DMZ_IFACE is DMZ interface on firewall.
> > LAN_IP_RANGE is Lan ip range.
> > 
> > Can anyone help me?
> > 
> > Thanks and Regards
> > Durgaprasada
> > 
> > _________________________________________________________________
> > Protect your PC - get McAfee.com VirusScan Online
> > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
> -- 
> Marcello Scacchetti <marcello.scacchetti@nextrem.it>
> 

Re: (no subject)

[Narendra Prabhu. B]

Hi Durgaprasad,

This same thing had happended with me.... As per my understanding goes
you are doing an active ftp transfer..... Try doing the following in your
ftp client.....

bash#ftp
ftp>open <host>
..
..(authentication stuff)
..
..(after successful authentication)

ftp>passive
..
ftp>


This makes the transfer mode in passive mode.

Hope this works... and let us know the respective results(desired or not).


Bye,
Narendra.

In the middle of difficulty..... lies Opportunity. (Albert Einstein)
--------------------------------------------------------------------
Narendra Prabhu. B             Free Software at its product-ive best.
DeepRoot Linux                             http://www.deeproot.co.in
                ---- Server Appliances ----
             ---- Linux Support and Services ----
-------------------------------------------------------------------

On Thu, 19 Dec 2002, Durgaprasada Kalluraya wrote:
>
>
> Hi,
>
> I have configured our firewall using IPtables. The configuration of the
> firewall is as follows...
> Firewall host has 3 interfaces one for DMZ, one for LAN and one for external
> world(internet). All of our servers have a
> static IP address. Our FTP server is wu-ftpd
>
> Now there is no problem in accessing our DNS, WEB, SMTP and IMAP servers
> from outside. But the FTP server is
> showing some strange problem. When our client tries to do a 'ls' in FTP
> session it is shows the following error message.
>
> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: Connection timed out.
> ftp> bye
>
> But if I try the same thing from outside using a dialup connection all works
> fine for me!!!!
>
> when some one tries do a 'ls' from internal LAN on our FTP server then the
> following message is displayed.
> ftp> ls
> 500 Illegal PORT Command
> 425 Can't build data connection: Connection timed out.
> ftp>
>
> Our rules related to FTP server are...
>
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
>
> $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state
> ESTABLISHED,RELATED -j
> ACCEPT
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_FTP_IP
> --dport ftp -j allowed
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_FTP_IP
> --dport ftp-data -j
> allowed
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FTP_IP --dport ftp
> -j DNAT --to-destination
> $DMZ_FTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $FTP_IP --dport
> ftp-data -j DNAT
> --to-destination $DMZ_FTP_IP
> $IPTABLES -t nat -A POSTROUTING -p TCP -s $LAN_IP_RANGE -j SNAT --to-source
> $DMZ_NAT
>
> where
> DMZ_FTP_IP is IP address of ftp server in DMZ
> DMZ_IP is global IP address of ftp server.
> INET_IFACE is Internet interface on firewall
> DMZ_IFACE is DMZ interface on firewall.
> LAN_IP_RANGE is Lan ip range.
>
> Can anyone help me?
>
> Thanks and Regards
> Durgaprasada
>
> _________________________________________________________________
> Protect your PC - get McAfee.com VirusScan Online
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
>
>

Re: (no subject)

[Joel Newkirk]

On Thursday 19 December 2002 02:33 am, Durgaprasada Kalluraya wrote:

> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: Connection timed out.
> ftp> bye
>
> But if I try the same thing from outside using a dialup connection all
> works fine for me!!!!

Is your dialup still going through the firewall, or is it direct to the 
server?  Is it passive or active ftp?  Regardless of these, I suspect 
that the problem is that you need to add:
modprobe ip_conntrack_ftp
so that the "RELATED" state recognizes and NAT functions handle both 
passive and active FTP.  The data connection is a separate pair of 
ports, negotiated by the server and client but embedded in a packet 
instead of its header during negotiation, so netfilter won't normally 
deal with them.  The helper ip_conntrack_ftp exists specifically for 
this purpose, since it knows to examine the actual packet data of FTP 
conrtol transactions looking for this and dealing with it correctly.

> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

> $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state
> ESTABLISHED,RELATED -j
> ACCEPT

This is redundant and will never match a packet, since you accept EST/REL 
for ANY interface, ip, and port in the rule before it.

> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d
> $DMZ_FTP_IP --dport ftp -j allowed
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d
> $DMZ_FTP_IP --dport ftp-data -j
> allowed

I presume you have a user-defined chain named "allowed"...

j

(no subject)

[Rob Sterenborg]

> But, when I set the server to listen to port 2121...:
> 
> [] ftpd listens on 2121

I think this might help you :

loadmodule ip_conntrack_ftp ports=2112
loadmodule ip_nat_ftp ports=2121


Rob

2.5 kernel and patch-o-matic

[laurent.ml]

Hi,

I'm trying to use netfilter/patch-o-matic on 2.5 kernel tree.
I can't get patches to be applied.
I've tried with the cvs patch-o-matic runme and the patch-o-matic_2.5 one.
That's the kind of error I get:

Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?] Y
Testing patch base/REJECT.patch.ipv6...
Warning - no help text file could be found in either
/usr/src/linux-2.5/../c62c99fc67edd58b0e489365f0396b196d35894ae90feca146dd16320f5b08b4/net/ipv6/netfilter/Config.help
or /usr/src/linux-2.5/../c62c99fc67edd58b0e489365f0396b196d35894ae90feca146dd16320f5b08b4/Documentation/Configure.help
fgrep: /usr/src/linux-2.5/../c62c99fc67edd58b0e489365f0396b196d35894ae90feca146dd16320f5b08b4/net/ipv6/netfilter/Config.in: No such file or directory
Could not find place to slot in Config.in line
TEST FAILED: patch NOT applied.

I've tried a runme patch from netfilter-devel mailing list, but it does not solve the problem.
Could you give me some advice or tell me where to find a working 2.5 runme ?

Thanks in advance

-- 
Laurent

(no subject)

[Aaron Clausen]

On Mon, 9 Dec 2002 laurent.ml@linuxfr.org wrote:

>
> Hi,
>
> I'm trying to use netfilter/patch-o-matic on 2.5 kernel tree.
> I can't get patches to be applied.
> I've tried with the cvs patch-o-matic runme and the patch-o-matic_2.5 one.
> That's the kind of error I get:
>
> Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?] Y
> Testing patch base/REJECT.patch.ipv6...
> Warning - no help text file could be found in either
> /usr/src/linux-2.5/../c62c99fc67edd58b0e489365f0396b196d35894ae90feca146dd16320f5b08b4/net/ipv6/netfilter/Config.help
> or /usr/src/linux-2.5/../c62c99fc67edd58b0e489365f0396b196d35894ae90feca146dd16320f5b08b4/Documentation/Configure.help
> fgrep: /usr/src/linux-2.5/../c62c99fc67edd58b0e489365f0396b196d35894ae90feca146dd16320f5b08b4/net/ipv6/netfilter/Config.in: No such file or directory
> Could not find place to slot in Config.in line
> TEST FAILED: patch NOT applied.
>
> I've tried a runme patch from netfilter-devel mailing list, but it does not solve the problem.
> Could you give me some advice or tell me where to find a working 2.5 runme ?

I'll give you my experience.  I tried patching both 2.4.5 and 2.4.9, and was
able to put in only a few iptables features, and none that I wanted.  At
the end of the day, I finally through in the towel, downloaded the vanilla
2.4.19 kernel, and managed to get all the patches I wanted to work.  I would
still like to hear if anybody out there has successfully patched some of the
later kernels.

-- 
Aaron Clausen

(no subject)

[Naleendra]

[-- Attachment #1: Type: text/plain, Size: 566 bytes --]

Hi,

	This is just sort of a basic question. I was running linux  kernel
2.4.18-3 w/ iptables 1.2.6a. But unfortunately my disk crashed. The only
backup I had was my ruleset. Now when I  install 1.2.7a on the same kernel
version the whole installation goes smoothly ( as long as I keep certain
patches out of the patch-o-matic base installation, especially ipv6 patches
as higher kernel patches). Yet when I have the new kernel running, & I query
for Iptables version it says 1.2.5x. Where am I going wrong? Doesn't IPT
1.2.7a wark with kernel 2.4.18-3?

 naleendra

[-- Attachment #2: Type: text/html, Size: 1025 bytes --]

Re: (no subject)

[Arnt Karlsen]

On Sat, 23 Nov 2002 18:32:41 +0600, 
Naleendra@dms.lanka.net wrote in message 
<A590F7F751E6D6118C0800104B0DF37304CDE2@MAILGATE>:

> Hi,
> 
> This is just sort of a basic question. I was running linux 
> kernel 2.4.18-3 w/ iptables 1.2.6a. But unfortunately my disk crashed.

..Red Hat's 2.4.18-3?  http://rhn.redhat.com/errata/rh73-errata.html

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

(no subject)

[Manikandan.P]

Hi all,

 In my n/w iam using iptables firewall in my gateway and now the problem
is iam able to use that machine as a default gateway for all the
windows machines in my network but i cannot even ping the
gateway/firewall from linux machine.
 the strange thing is if i ping a client linux machine from the firewall
it pings and from then onwards i can ping/use the gateway to browse the
net even from a linux machine.
 every time if i want to use that g/w from a linux  machine i had to
ping the client machine from the firewall to enable it.
 iam using iptables 1.2.5/Redhat Linux 7.3
 

 can any body help me out to resolve this strange problem

Manikandan P.
 
-- 
 # get Subject header, but remove initial "Subject: " portion
 sed '/^Subject: */!d; s///;q'

Re: (no subject)

[hare ram]

hi

can you just type 
iptables -nL -t nat
and paste here, or
just do iptable -F and check and u able to ping ?

hare
----- Original Message ----- 
From: "Manikandan.P" <linuxmani@myrealbox.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, November 08, 2002 8:22 PM
Subject: (no subject)


> Hi all,
> 
>  In my n/w iam using iptables firewall in my gateway and now the problem
> is iam able to use that machine as a default gateway for all the
> windows machines in my network but i cannot even ping the
> gateway/firewall from linux machine.
>  the strange thing is if i ping a client linux machine from the firewall
> it pings and from then onwards i can ping/use the gateway to browse the
> net even from a linux machine.
>  every time if i want to use that g/w from a linux  machine i had to
> ping the client machine from the firewall to enable it.
>  iam using iptables 1.2.5/Redhat Linux 7.3
>  
> 
>  can any body help me out to resolve this strange problem
> 
> Manikandan P.
>  
> -- 
>  # get Subject header, but remove initial "Subject: " portion
>  sed '/^Subject: */!d; s///;q'
> 
> 

(no subject)

[Chris Born]

I'm trying to setup a Hotline server on an internal NATed machine and I'm 
having problems with getting clients to download. Here's what I have so far:

$EXTIF = "eth1"
$INTIF = "eth0"
$IPTABLES = /sbin/iptables
$EXTIP = 12.252.56.159

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 5500:5503 -m state 
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF --dport 5549 -m state --state 
NEW,ESTABLISHED,RELATED
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 5500:5003 -j DNAT 
--to $RAGABLE:5500:5503
$IPTABLES -A PREROUTING -t nat --dport 5549 -j SNAT --to $EXTIP

According to the Hotline server documentation, incoming connection requests 
come in on ports 5500 - 5503 while outgoing download connections are on 
port 5549. People are able to connect to the server just fine, but are 
unable to download so I'm wondering what rules I need to let the download 
through.

-Chris Born

(no subject)

[hard__ware]

sorry i could not help,

maybee what your going to need to do is have some very basic rules in your
iptables firewall that

just count packets ,  with the iptables option for doing just that ,, e.g.

although we might already be allowing the flow of this Traffic, it does hurt
to add a rule

that like counted all TCP packets or in this case all packets From squid to
the LAN

$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -p tcp --sport 3128 -c 0
0 -j ACCEPT

this works great for me, because i have a script that every 2 hours it logs
& rests all my traffic.

and also one in my ip-down.local for when my modem gets disconnected ...
hope thus helps :D

(no subject)

[hard__ware]

Hello,

Talora Wrote:

>I've just downloaded, compiled and installed kernel 2.4.19 from
>kernel.org on a RedHat 7.3 system. I've reviewed the options selected
>for compilation, but I couldn't find out why rules using "-m unclean"
>return the following:
>
 >      iptables: no chain/target/match by that name
>
>Any sugestions, please?

ok heres a few for ya , :D

did you try to insmod / lsmod to make sure this module was even loaded
before
trying to load it through iptables ...

if not do an 'lsmod' to make sure you have the module loaded, if it isnt
loaded
try using something like this to see what errors it gives us back ...

insmod ipt_unclean

or depmod -a

did that give any errors ?

actually do a slocate on your system for the file does it exist ?

tell us how you go

bye :D

Hard__warE

RE: (no subject)

[Eugene Joubert]

[-- Attachment #1: Type: text/plain, Size: 640 bytes --]

Saki,
 
Don't understand what you need done?

-----Original Message-----
From: saki [mailto:saki@sunsilk.econet-cyber.com] 
Sent: 20 August 2002 10:56 PM
To: netfilter@lists.samba.org
Subject: (no subject)


hello  i have internet cafe with 50 client and 1 server with 16 public
address
client1, client2, client3, client4  exit to ip.public.no.1  
client5, client6, client7, client8  exit to ip.public.no.2  
client9, client10, client11, client12  exit to ip.public.no.3
........
........
client ip address 192.168.1.1 - 192.168.1.50
public ip address 202.47.12.30 - 202.47.12.45
 
any one can help ?
i have installed redhat7.2 for server


[-- Attachment #2: Type: text/html, Size: 1629 bytes --]

Re: (no subject)

[Antony Stone]

On Monday 09 September 2002 12:47 pm, Eugene Joubert wrote:

> Saki,
>
> Don't understand what you need done?

He wants to spread the source address of his outgoing packets across the 16 
external IPs he has, so instead of masquerading all 50 internal machines 
behind one IP, he wants to masquerade four of them behind IP1, another four 
behind IP2, another four behind IP3....

I must admit I'm not entirely sure why Saki should want to do this - after 
all, masquerading 50 machines behind one IP address is not a problem at all, 
however I have already replied to the post showing how it can be done.

Antony.

> -----Original Message-----
> From: saki [mailto:saki@sunsilk.econet-cyber.com]
> Sent: 20 August 2002 10:56 PM
> To: netfilter@lists.samba.org
> Subject: (no subject)
>
> hello  i have internet cafe with 50 client and 1 server with 16 public
> address
> client1, client2, client3, client4  exit to ip.public.no.1
> client5, client6, client7, client8  exit to ip.public.no.2
> client9, client10, client11, client12  exit to ip.public.no.3
> ........
> ........
> client ip address 192.168.1.1 - 192.168.1.50
> public ip address 202.47.12.30 - 202.47.12.45
>
> any one can help ?
> i have installed redhat7.2 for server

-- 

Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

(no subject)

[saki]

[-- Attachment #1: Type: text/plain, Size: 441 bytes --]

hello  i have internet cafe with 50 client and 1 server with 16 public address
client1, client2, client3, client4  exit to ip.public.no.1  
client5, client6, client7, client8  exit to ip.public.no.2  
client9, client10, client11, client12  exit to ip.public.no.3
........
........
client ip address 192.168.1.1 - 192.168.1.50
public ip address 202.47.12.30 - 202.47.12.45

any one can help ?
i have installed redhat7.2 for server

[-- Attachment #2: Type: text/html, Size: 866 bytes --]

Re: (no subject)

[Robert Botha]

Do you need it to map like that..or do you just want to do load
balancing over the 16 ips ?
If you just need load balancing, then this command will do:

iptables -t nat -I POSTROUTING -s 192.168.1.0/26 \
 -j SNAT --to 202.47.12.30-202.47.12.45


oh.. /26 is 64ips..but it's the closest to 50 you can get in one line

Are you using a class C netmask? if so..then just use /24 :)

-Robert.

On Wed, Aug 21, 2002 at 03:56:06AM +0700, saki wrote:
> hello  i have internet cafe with 50 client and 1 server with 16 public address
> client1, client2, client3, client4  exit to ip.public.no.1  
> client5, client6, client7, client8  exit to ip.public.no.2  
> client9, client10, client11, client12  exit to ip.public.no.3
> ........
> ........
> client ip address 192.168.1.1 - 192.168.1.50
> public ip address 202.47.12.30 - 202.47.12.45
> 
> any one can help ?
> i have installed redhat7.2 for server

-- 
Robert Botha
jabber: flash@vitalclan.co.za

RE: (no subject)

[Ferry van Steen]

Ok, I never tried this but you could try these....
Also .30 and .45 can’t be used. They’re the network and broadcast
respectively

Assuming eth0 is local net, ppp0 internet interface. Also, I don't allow
the firewall/nat box to go onto the internet. If you want that you'll
have to make lines for it. This is EXTREMELY!! basic.

iptables -F
iptables -t nat -F

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -s 127.0.0.1/8  -d 127.0.0.1/8 -i lo -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1/8 -d 127.0.0.1/8 -o lo -j ACCEPT

iptables -A FORWARD -s 192.168.1.0/24 -d 0/0 -i eth0 -o ppp+ -m state
--state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.1.0/24 -i ppp+ -o eth0 -m state
--state RELATED,ESTABLISHED -j ACCEPT

iptables -A POSTROUTING -s 192.168.1.1 -o ippp+ -j SNAT --to-source
202.47.12.31
iptables -A POSTROUTING -s 192.168.1.2 -o ippp+ -j SNAT --to-source
202.47.12.31
iptables -A POSTROUTING -s 192.168.1.3 -o ippp+ -j SNAT --to-source
202.47.12.31
iptables -A POSTROUTING -s 192.168.1.4 -o ippp+ -j SNAT --to-source
202.47.12.31 
iptables -A POSTROUTING -s 192.168.1.5 -o ippp+ -j SNAT --to-source
202.47.12.32
iptables -A POSTROUTING -s 192.168.1.6 -o ippp+ -j SNAT --to-source
202.47.12.32
iptables -A POSTROUTING -s 192.168.1.7 -o ippp+ -j SNAT --to-source
202.47.12.32
iptables -A POSTROUTING -s 192.168.1.8 -o ippp+ -j SNAT --to-source
202.47.12.32
iptables -A POSTROUTING -s 192.168.1.9 -o ippp+ -j SNAT --to-source
202.47.12.33
iptables -A POSTROUTING -s 192.168.1.10 -o ippp+ -j SNAT --to-source
202.47.12.33
iptables -A POSTROUTING -s 192.168.1.11 -o ippp+ -j SNAT --to-source
202.47.12.33
iptables -A POSTROUTING -s 192.168.1.12 -o ippp+ -j SNAT --to-source
202.47.12.33
iptables -A POSTROUTING -s 192.168.1.13 -o ippp+ -j SNAT --to-source
202.47.12.34
iptables -A POSTROUTING -s 192.168.1.14 -o ippp+ -j SNAT --to-source
202.47.12.34
iptables -A POSTROUTING -s 192.168.1.15 -o ippp+ -j SNAT --to-source
202.47.12.34
iptables -A POSTROUTING -s 192.168.1.16 -o ippp+ -j SNAT --to-source
202.47.12.34
iptables -A POSTROUTING -s 192.168.1.17 -o ippp+ -j SNAT --to-source
202.47.12.35
iptables -A POSTROUTING -s 192.168.1.18 -o ippp+ -j SNAT --to-source
202.47.12.35
iptables -A POSTROUTING -s 192.168.1.19 -o ippp+ -j SNAT --to-source
202.47.12.35
iptables -A POSTROUTING -s 192.168.1.20 -o ippp+ -j SNAT --to-source
202.47.12.35
iptables -A POSTROUTING -s 192.168.1.21 -o ippp+ -j SNAT --to-source
202.47.12.36
iptables -A POSTROUTING -s 192.168.1.22 -o ippp+ -j SNAT --to-source
202.47.12.36
iptables -A POSTROUTING -s 192.168.1.23 -o ippp+ -j SNAT --to-source
202.47.12.36
iptables -A POSTROUTING -s 192.168.1.24 -o ippp+ -j SNAT --to-source
202.47.12.36
iptables -A POSTROUTING -s 192.168.1.25 -o ippp+ -j SNAT --to-source
202.47.12.37
iptables -A POSTROUTING -s 192.168.1.26 -o ippp+ -j SNAT --to-source
202.47.12.37
iptables -A POSTROUTING -s 192.168.1.27 -o ippp+ -j SNAT --to-source
202.47.12.37
iptables -A POSTROUTING -s 192.168.1.28 -o ippp+ -j SNAT --to-source
202.47.12.37
iptables -A POSTROUTING -s 192.168.1.29 -o ippp+ -j SNAT --to-source
202.47.12.38
iptables -A POSTROUTING -s 192.168.1.30 -o ippp+ -j SNAT --to-source
202.47.12.38
iptables -A POSTROUTING -s 192.168.1.31 -o ippp+ -j SNAT --to-source
202.47.12.38
iptables -A POSTROUTING -s 192.168.1.32 -o ippp+ -j SNAT --to-source
202.47.12.38
iptables -A POSTROUTING -s 192.168.1.33 -o ippp+ -j SNAT --to-source
202.47.12.39
iptables -A POSTROUTING -s 192.168.1.34 -o ippp+ -j SNAT --to-source
202.47.12.39
iptables -A POSTROUTING -s 192.168.1.35 -o ippp+ -j SNAT --to-source
202.47.12.39
iptables -A POSTROUTING -s 192.168.1.36 -o ippp+ -j SNAT --to-source
202.47.12.39
iptables -A POSTROUTING -s 192.168.1.37 -o ippp+ -j SNAT --to-source
202.47.12.40
iptables -A POSTROUTING -s 192.168.1.38 -o ippp+ -j SNAT --to-source
202.47.12.40
iptables -A POSTROUTING -s 192.168.1.39 -o ippp+ -j SNAT --to-source
202.47.12.40
iptables -A POSTROUTING -s 192.168.1.40 -o ippp+ -j SNAT --to-source
202.47.12.40
iptables -A POSTROUTING -s 192.168.1.41 -o ippp+ -j SNAT --to-source
202.47.12.41
iptables -A POSTROUTING -s 192.168.1.42 -o ippp+ -j SNAT --to-source
202.47.12.41
iptables -A POSTROUTING -s 192.168.1.43 -o ippp+ -j SNAT --to-source
202.47.12.41
iptables -A POSTROUTING -s 192.168.1.44 -o ippp+ -j SNAT --to-source
202.47.12.41
iptables -A POSTROUTING -s 192.168.1.45 -o ippp+ -j SNAT --to-source
202.47.12.42
iptables -A POSTROUTING -s 192.168.1.46 -o ippp+ -j SNAT --to-source
202.47.12.42
iptables -A POSTROUTING -s 192.168.1.47 -o ippp+ -j SNAT --to-source
202.47.12.42
iptables -A POSTROUTING -s 192.168.1.48 -o ippp+ -j SNAT --to-source
202.47.12.42
iptables -A POSTROUTING -s 192.168.1.49 -o ippp+ -j SNAT --to-source
202.47.12.43
iptables -A POSTROUTING -s 192.168.1.50 -o ippp+ -j SNAT --to-source
202.47.12.43

And 6 future hosts left to connect...

Met vriendelijke groet,

Ferry van Steen
InfoPart Automatisering B.V.
Beeksestraat 24
4841 GC Prinsenbeek
Tel: 076 - 5 44 04 11
Fax: 076 - 5 41 83 51
Mobiel: 06 - 28 46 47 45
E-Mail (zaak): ferry.van.steen@infopart.nl
E-Mail (prive): freaky@bananateam.nl
MSN Messenger: freaky@freaky2000.dyndns.org
ICQ (UIN (zelden gebruikt)): 191458

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of saki
Sent: dinsdag 20 augustus 2002 22:56
To: netfilter@lists.samba.org
Subject: (no subject)

hello  i have internet cafe with 50 client and 1 server with 16 public
address
client1, client2, client3, client4  exit to ip.public.no.1  
client5, client6, client7, client8  exit to ip.public.no.2  
client9, client10, client11, client12  exit to ip.public.no.3
........
........
client ip address 192.168.1.1 - 192.168.1.50
public ip address 202.47.12.30 - 202.47.12.45
 
any one can help ?
i have installed redhat7.2 for server

Re: (no subject)

[Anders Fugmann]

saki wrote:
> hello  i have internet cafe with 50 client and 1 server with 16 public 
> address
> client1, client2, client3, client4  exit to ip.public.no.1 
> client5, client6, client7, client8  exit to ip.public.no.2 
> client9, client10, client11, client12  exit to ip.public.no.3
> ........
> ........
> client ip address 192.168.1.1 - 192.168.1.50
> public ip address 202.47.12.30 - 202.47.12.45
<sarcasm>
Facinating.
</sarcasm>

>  
> any one can help ?
<sarcasm>
Yes, but the question is will they and how.
</sarcasm>

Please state a full description of your problem, and especially what 
steps you have takes in order to solve it. All we got is some vague 
description of your networking setup, and Linux distribution.

-- 
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.

(no subject)

[Niall Murphy]

another logging question......for linux RH 7.2
my logs are mailed to root on a daily basis where and how can i change it so
logs such as /var/log/messages are mailed to me on an hourly basis????

thanx in advance
niall

Re: (no subject)

[Jan Humme]

On Wednesday 10 July 2002 12:37, Niall Murphy wrote:
> another logging question......for linux RH 7.2
> my logs are mailed to root on a daily basis where and how can i change it
> so logs such as /var/log/messages are mailed to me on an hourly basis????

Perhaps this question should be in another mailing list, but check the system 
crontab files /etc/crontab, /etc/cron.daily, /etc/cron.hourly etc.

You may want to move stuff from one file to another.

Jan Humme.

(no subject)

[Niall Murphy]

hi, 
i have a question on remote logging im using RH 7.2 and i would like to send
a copy of the logs to a machine on my lan from the firewall
can anyone tell me what line of code i need in my  etc/syslog.conf directory
will
*.*            @<ip address work>

thanx in advance
niall

Re: (no subject)

[Antony Stone]

On Thursday 28 June 2001 8:43 pm, Forrest Beck wrote:

> Your right.
>
> I guess that I was learning NAT and just didn't think to not use it.
>
> What my overall goal is:
>
> Eth1=Wireless AP's
> Eth0=LAN
>
> I have the eth0 set to 192.168.252.240 and eth1 set to 192.168.252.241.

Hmmm.   I thought a bridge was supposed to have the same address on both 
interfaces.   Still, I've never set one up myself, so maybe there's more than 
one way to do it.

Just so long as you don't have those addresses on a router.....

 

Antony.

Re: (no subject)

[Patrick Schaaf]

Hi Antony,

> Hmmm.   I thought a bridge was supposed to have the same address on both 
> interfaces.   Still, I've never set one up myself, so maybe there's more than 
> one way to do it.

A bridge, by its nature, has no IP addresses at all. The original poster
is asking about a pure router.

And you are right on spot with your observation about the ability of a
malicious user to fake her MAC address at will. And one nice thing about
most wireless networks is that I can just listen to the air for some time
to learn what MAC/IP combination it is that I should fake after it became
silent...

I have heard that there are security measures implementable on the
wireless side. There is no chance to do it on a router outside the
wireless cloud.

best regards
  Patrick

Re: (no subject)

[Antony Stone]

On Friday 28 June 2002 9:02 pm, Patrick Schaaf wrote:

> Hi Antony,
>
> > Hmmm.   I thought a bridge was supposed to have the same address on both
> > interfaces.   Still, I've never set one up myself, so maybe there's more
> > than one way to do it.
>
> A bridge, by its nature, has no IP addresses at all. The original poster
> is asking about a pure router.

Ugh.   In that case I recommend using IPs from two *different* network ranges 
on the two sides of the machine !

> And you are right on spot with your observation about the ability of a
> malicious user to fake her MAC address at will. And one nice thing about
> most wireless networks is that I can just listen to the air for some time
> to learn what MAC/IP combination it is that I should fake after it became
> silent...

Indeed.   There may be anti-sniffing measures available for wired networks, 
but I know of nothing which can detect / defeat sniffing on wireless.

 

Antony.

Re: (no subject)

[Antony Stone]

On Thursday 28 June 2001 8:00 pm, Forrest Beck wrote:

> I don't have any rules set.  I don't really care about what comes
> through... I guess I should say, all I need is the linux box to act as a
> bridge with NAT and DHCP.

Ugh !   Not the way I'd choose to run it, but still.....

Just out of interest, if you're running the Linux box as a bridge with DHCP, 
why are you doing NAT ?

> The reason I can't use DHCP to filter by MAC address, is anyone could
> find out the IP of the machine and then use whatever IP address they
> want.....

If they can find out the IP address of your router they can find the MAC 
address of a client, and then forge that MAC address from their own machine 
(if they connect using a different Access Point, they can probably even get 
this to work whilst the 'real' client is still connected somewhere else on 
your wireless network !)

> I also know that netfilter will add rules by MAC address (although I say
> I haven't quite learned that rule set yet :) ) but I have about 150 MAC
> Addr's to load.

You think netfilter can *learn* MAC addresses and then make up rules 
automatically for them ?   It's a new one on me if it can.....

 

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
> Sent: Friday, June 28, 2002 2:36 PM
> To: netfilter@lists.samba.org
> Subject: Re: (no subject)
>
> On Thursday 28 June 2001 7:26 pm, Forrest Beck wrote:
> > I have a question that I hope someone can help me with...
> >
> > I am running a RH7.3 installed machine as a IP Masquerade firewall
> > between my LAN and my wireless LAN.  I have my switch with all of my
> > wireless Access Points on eth1, and my LAN connection on eth0.
> >
> > With this set I have made a bash script that executes the following:
> >
> > iptables -F
> > iptables -t nat -F
> > iptables -t mangle -F
> > iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.252.251
>
> #(Ip
>
> >       of eth0)
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCPET iptables -p
> > INPUT DROP
>
> Where are your FORWARDing rules ?   Are you restricting anything going
> to/from the wireless clients ???
>
> > Now after all that it works great!  A wireless client connects to the
> > Access Point, gets a correct ip from DHCP (the linux firewall), and
> > then browses the web.  Web pages, mounting drives, everything works
> > great....
>
> > My problem is this...
> >
> > I want to know if it is possible to create a list of MAC addresses
> > that
> > netfilter(iptables) can verify against to decide if it should allow a
> > client to be routed.  So when the clients starts there computer up,
> > they
> > get an ip, begin browsing, and the server looks at the packet and
> > verifies if the packet should be dropped or accepted according to MAC
> > address.
> >
> > If anyone has a idea, I'd love to hear from them...  Or even a better
> > solution to reach my goal.  either- or.
>
> There is a mac address match in netfilter, yes, but why not just do it
> in your DHCP server (which is on the same machine anyway) ?
>
> You can put a list of MAC/IP addresses in your dhcpd.conf file and run
> it in a similar way to a bootp server.
>
>
>
> Antony.

(no subject)

[caroline kenny]

Hello users,

I am using the iptables-1.2.5 package and I was wondering if anyone out 
there can tell me if it is possible to perform some action if a firewall 
rule is hit.
For example, I have a rule set up to deny sending traffic from my box to a 
certain destination. If I attempt to send traffic to this destination, the 
rule will drop the traffic. But i was wondering is there any way a script 
can be run when this trffic is rejected...I havent seen this done anywhere 
and I really dont think that its possible but I said that I would just check 
it out.

Thanks for the help!
Caroline

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

Re: (no subject)

[Ramin Alidousti]

On Wed, Jun 26, 2002 at 09:11:08AM +0100, caroline kenny wrote:

> 
> 
> Hello users,
> 
> I am using the iptables-1.2.5 package and I was wondering if anyone out 
> there can tell me if it is possible to perform some action if a firewall 
> rule is hit.
> For example, I have a rule set up to deny sending traffic from my box to a 
> certain destination. If I attempt to send traffic to this destination, the 
> rule will drop the traffic. But i was wondering is there any way a script 
> can be run when this trffic is rejected...I havent seen this done anywhere 
> and I really dont think that its possible but I said that I would just 
> check it out.

You can use ulog to send the packet to the user space where you can do
anything including launching a script based on a certain packet.

You also can use the LOG functionality and scan the log file and trigger
a script upon the detection of a certain log entry...

Ramin

> 
> Thanks for the help!
> Caroline
> 
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com
> 

RE: (no subject)

[Preston Wade]

If they are different ports could you not just redirect connections for the
destination ports to the correct box?

Thanks,
Preston

> -----Original Message-----
> From:	"Antony Stone" <Antony@Soft-Solutions.co.uk>@INTERNET@HHC 
> Sent:	Thursday, June 20, 2002 8:55 AM
> To:	netfilter
> Subject:	Re: (no subject)
> 
>  <<...>> 
> On Thursday 20 June 2002 2:47 pm, Niall Murphy wrote:
> 
> > hi all,
> > I be very gratefully for any help..
> > my firewall has 2 nic's the external one's ip 194.125.213....  but
> behind
> > the firewall I have a proxy server and an email server with ip's
> > 192.0.0.106 and 192.0.0.253. I know I need to use DNAT and SNAT to send
> > internet packets to them but i do not know how to add aliases to  the
> eth0
> > so that i can route packets to my firewall and then DNAT them on...
> > does any one know how to use this "ip add address" command   ( maybe
> even a
> > example or two)
> 
> http://defiant.coinet.com/iproute2/quickie-ip.html
> 
> 
> 
> Antony.
> 
> 

Re: (no subject)

[Antony Stone]

On Thursday 20 June 2002 3:09 pm, Preston Wade wrote:

> If they are different ports could you not just redirect connections for the
> destination ports to the correct box?

You certainly could do this, however I assume that Niall wants to have a 
separate IP address for each of his firewall, web server & mail server.

Of course, there's no reason that has to be the case, though...

Antony.

> > On Thursday 20 June 2002 2:47 pm, Niall Murphy wrote:
> > > hi all,
> > > I be very gratefully for any help..
> > > my firewall has 2 nic's the external one's ip 194.125.213....  but
> > > behind
> > > the firewall I have a proxy server and an email server with ip's
> > > 192.0.0.106 and 192.0.0.253. I know I need to use DNAT and SNAT to send
> > > internet packets to them but i do not know how to add aliases to  the
> > > eth0
> > > so that i can route packets to my firewall and then DNAT them on...
> > > does any one know how to use this "ip add address" command   ( maybe
> > > even a
> > > example or two)
> >
> > http://defiant.coinet.com/iproute2/quickie-ip.html

(no subject)

[Niall Murphy]

hi all,
I be very gratefully for any help..
my firewall has 2 nic's the external one's ip 194.125.213....  but behind
the firewall I have a proxy server and an email server with ip's 192.0.0.106
and 192.0.0.253. I know I need to use DNAT and SNAT to send internet packets
to them but i do not know how to add aliases to  the eth0 so that i can
route packets to my firewall and then DNAT them on...
does any one know how to use this "ip add address" command   ( maybe even a
example or two)
thanx for all your help
niall 

Re: (no subject)

[Antony Stone]

On Thursday 20 June 2002 2:47 pm, Niall Murphy wrote:

> hi all,
> I be very gratefully for any help..
> my firewall has 2 nic's the external one's ip 194.125.213....  but behind
> the firewall I have a proxy server and an email server with ip's
> 192.0.0.106 and 192.0.0.253. I know I need to use DNAT and SNAT to send
> internet packets to them but i do not know how to add aliases to  the eth0
> so that i can route packets to my firewall and then DNAT them on...
> does any one know how to use this "ip add address" command   ( maybe even a
> example or two)

http://defiant.coinet.com/iproute2/quickie-ip.html

 

Antony.

(no subject)

[James Mello]

I've set up the following iptables chains on my box,  but I'm getting
denies that I'm not expecting. Below is a copy of the config as well as
the deny log that I'm seeing.

# Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [199:15749]
:LOGDENY - [0:0]
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
-A INPUT -p tcp -j LOGDENY
-A INPUT -p udp -j LOGDENY
-A LOGDENY -p udp -m udp --dport 137:139 -j DROP
-A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
-A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
-A LOGDENY -j DROP
COMMIT
# Completed on Mon Jun 17 11:11:02 2002

root# ssh localhost
root# tail -f /var/log/messages

Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0


What confuses me the most is the fact that I'm getting denied on the
SYN/ACK rather than on the initial connection. Can someone please shed
some light on this?

Re: (no subject)

[Antony Stone]

On Monday 17 June 2002 7:54 pm, James Mello wrote:

> I've set up the following iptables chains on my box,  but I'm getting
> denies that I'm not expecting. Below is a copy of the config as well as
> the deny log that I'm seeing.
>
> # Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002
> *filter
>
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [199:15749]
> :LOGDENY - [0:0]
>
> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
> -A INPUT -p tcp -j LOGDENY
> -A INPUT -p udp -j LOGDENY
> -A LOGDENY -p udp -m udp --dport 137:139 -j DROP
> -A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
> -A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
> -A LOGDENY -j DROP
> COMMIT
> # Completed on Mon Jun 17 11:11:02 2002
>
> root# ssh localhost
> root# tail -f /var/log/messages
>
> Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
> DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
> DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0
>
>
> What confuses me the most is the fact that I'm getting denied on the
> SYN/ACK rather than on the initial connection. Can someone please shed
> some light on this?

You have a rule accepting TCP packets *to* destination port 22, but no rule 
to allow the replies back again *from* port 22.

The log entry shows a destination port of 32783 - that's not allowed in by 
your ruleset.

 

Antony.

Re: (no subject)

[Ramin Alidousti]

What you're missing is:

-A OUTPUT -m state --state ESTABLISHED -j ACCEPT

so the SYN,ACK and all the replies from your box would bve
allowed to be sent out to the client.

I'd advise you to have RELATED in the rule as well.

Ramin

On Mon, Jun 17, 2002 at 11:54:18AM -0700, James Mello wrote:

> I've set up the following iptables chains on my box,  but I'm getting
> denies that I'm not expecting. Below is a copy of the config as well as
> the deny log that I'm seeing.
> 
> # Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [199:15749]
> :LOGDENY - [0:0]
> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
> -A INPUT -p tcp -j LOGDENY
> -A INPUT -p udp -j LOGDENY
> -A LOGDENY -p udp -m udp --dport 137:139 -j DROP
> -A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
> -A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
> -A LOGDENY -j DROP
> COMMIT
> # Completed on Mon Jun 17 11:11:02 2002
> 
> root# ssh localhost
> root# tail -f /var/log/messages
> 
> Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
> DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
> DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0
> 
> 
> What confuses me the most is the fact that I'm getting denied on the
> SYN/ACK rather than on the initial connection. Can someone please shed
> some light on this?
> 

Re: (no subject)

[Antony Stone]

On Monday 17 June 2002 8:10 pm, Ramin Alidousti wrote:

> What you're missing is:
>
> -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
>
> so the SYN,ACK and all the replies from your box would bve
> allowed to be sent out to the client.

Um, no - the default policy on the OUTPUT chain is ACCEPT, so there's no 
problem with the packets getting *out* of the machine - they're just not 
being allowed back *in* again in the INPUT chain....

Antony.

> I'd advise you to have RELATED in the rule as well.
>
> Ramin
>
> On Mon, Jun 17, 2002 at 11:54:18AM -0700, James Mello wrote:
> > I've set up the following iptables chains on my box,  but I'm getting
> > denies that I'm not expecting. Below is a copy of the config as well as
> > the deny log that I'm seeing.
> >
> > # Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002
> > *filter
> >
> > :INPUT DROP [0:0]
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [199:15749]
> > :LOGDENY - [0:0]
> >
> > -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> > -A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
> > -A INPUT -p tcp -j LOGDENY
> > -A INPUT -p udp -j LOGDENY
> > -A LOGDENY -p udp -m udp --dport 137:139 -j DROP
> > -A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
> > -A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
> > -A LOGDENY -j DROP
> > COMMIT
> > # Completed on Mon Jun 17 11:11:02 2002
> >
> > root# ssh localhost
> > root# tail -f /var/log/messages
> >
> > Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT=
> > MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
> > DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
> > DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0
> >
> >
> > What confuses me the most is the fact that I'm getting denied on the
> > SYN/ACK rather than on the initial connection. Can someone please shed
> > some light on this?

Re: (no subject)

[Ramin Alidousti]

On Mon, Jun 17, 2002 at 08:17:10PM +0100, Antony Stone wrote:

> On Monday 17 June 2002 8:10 pm, Ramin Alidousti wrote:
> 
> > What you're missing is:
> >
> > -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
> >
> > so the SYN,ACK and all the replies from your box would bve
> > allowed to be sent out to the client.
> 
> Um, no - the default policy on the OUTPUT chain is ACCEPT, so there's no 
> problem with the packets getting *out* of the machine - they're just not 
> being allowed back *in* again in the INPUT chain....

Correct. Scanned through the rules and the log too fast...
Still, I'd recommend to have "-m state --state ESTABLISHED,RELATED"
for all the predefined chains in the filter table. One should enforce
the security on "NEW". Much less headache that way...

Ramin

> 
> Antony.
> 
> > I'd advise you to have RELATED in the rule as well.
> >
> > Ramin
> >
> > On Mon, Jun 17, 2002 at 11:54:18AM -0700, James Mello wrote:
> > > I've set up the following iptables chains on my box,  but I'm getting
> > > denies that I'm not expecting. Below is a copy of the config as well as
> > > the deny log that I'm seeing.
> > >
> > > # Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002
> > > *filter
> > >
> > > :INPUT DROP [0:0]
> > > :FORWARD DROP [0:0]
> > > :OUTPUT ACCEPT [199:15749]
> > > :LOGDENY - [0:0]
> > >
> > > -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> > > -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> > > -A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
> > > -A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
> > > -A INPUT -p tcp -j LOGDENY
> > > -A INPUT -p udp -j LOGDENY
> > > -A LOGDENY -p udp -m udp --dport 137:139 -j DROP
> > > -A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
> > > -A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
> > > -A LOGDENY -j DROP
> > > COMMIT
> > > # Completed on Mon Jun 17 11:11:02 2002
> > >
> > > root# ssh localhost
> > > root# tail -f /var/log/messages
> > >
> > > Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT=
> > > MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
> > > DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22
> > > DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0
> > >
> > >
> > > What confuses me the most is the fact that I'm getting denied on the
> > > SYN/ACK rather than on the initial connection. Can someone please shed
> > > some light on this?

Re: (no subject)

[Antony Stone]

On Monday 17 June 2002 8:30 pm, Ramin Alidousti wrote:

> I'd recommend to have "-m state --state ESTABLISHED,RELATED"
> for all the predefined chains in the filter table. One should enforce
> the security on "NEW". Much less headache that way...

Yup.   I agree.

 

Antony.

RE: (no subject)

[James Mello]

I forgot to mail this to the entire list... Sorry...

At any rate, I suspect that this is not the issue as I'm able to connect
to SSH from a remote server, but NOT the localhost ;) Sorry for not
including this critical piece of info!

	-- Cheers
	-- James

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Ramin Alidousti
Sent: Monday, June 17, 2002 12:11 PM
To: James Mello
Cc: netfilter@lists.samba.org
Subject: Re: (no subject)


What you're missing is:

-A OUTPUT -m state --state ESTABLISHED -j ACCEPT

so the SYN,ACK and all the replies from your box would bve allowed to be
sent out to the client.

I'd advise you to have RELATED in the rule as well.

Ramin

On Mon, Jun 17, 2002 at 11:54:18AM -0700, James Mello wrote:

> I've set up the following iptables chains on my box,  but I'm getting 
> denies that I'm not expecting. Below is a copy of the config as well 
> as the deny log that I'm seeing.
> 
> # Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002 
> *filter :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [199:15749]
> :LOGDENY - [0:0]
> -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
> -A INPUT -p tcp -j LOGDENY
> -A INPUT -p udp -j LOGDENY
> -A LOGDENY -p udp -m udp --dport 137:139 -j DROP
> -A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
> -A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
> -A LOGDENY -j DROP
> COMMIT
> # Completed on Mon Jun 17 11:11:02 2002
> 
> root# ssh localhost
> root# tail -f /var/log/messages
> 
> Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT= 
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 
> DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
> SPT=22 DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0
> 
> 
> What confuses me the most is the fact that I'm getting denied on the 
> SYN/ACK rather than on the initial connection. Can someone please shed

> some light on this?
> 

Re: (no subject)

[Antony Stone]

On Monday 17 June 2002 8:47 pm, James Mello wrote:

> I forgot to mail this to the entire list... Sorry...
>
> At any rate, I suspect that this is not the issue as I'm able to connect
> to SSH from a remote server, but NOT the localhost ;) Sorry for not
> including this critical piece of info!

What happens if you include the following rule ?

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Does it solve the problem ?

 
Antony.


> On Mon, Jun 17, 2002 at 11:54:18AM -0700, James Mello wrote:
> > I've set up the following iptables chains on my box,  but I'm getting
> > denies that I'm not expecting. Below is a copy of the config as well
> > as the deny log that I'm seeing.
> >
> > # Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002
> > *filter :INPUT DROP [0:0]
> >
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [199:15749]
> > :LOGDENY - [0:0]
> >
> > -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> > -A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
> > -A INPUT -p tcp -j LOGDENY
> > -A INPUT -p udp -j LOGDENY
> > -A LOGDENY -p udp -m udp --dport 137:139 -j DROP
> > -A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
> > -A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
> > -A LOGDENY -j DROP
> > COMMIT
> > # Completed on Mon Jun 17 11:11:02 2002
> >
> > root# ssh localhost
> > root# tail -f /var/log/messages
> >
> > Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT=
> > MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
> > DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> > SPT=22 DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0
> >
> >
> > What confuses me the most is the fact that I'm getting denied on the
> > SYN/ACK rather than on the initial connection. Can someone please shed
> >
> > some light on this?

RE: (no subject)

[James Mello]

Hrm... This did fix the problem, but I'm still not sure why the heck
connections other than those from localhost did work. Any ideas?

	-- Cheers
	-- James

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Antony Stone
Sent: Monday, June 17, 2002 12:56 PM
To: netfilter@lists.samba.org
Subject: Re: (no subject)


On Monday 17 June 2002 8:47 pm, James Mello wrote:

> I forgot to mail this to the entire list... Sorry...
>
> At any rate, I suspect that this is not the issue as I'm able to 
> connect to SSH from a remote server, but NOT the localhost ;) Sorry 
> for not including this critical piece of info!

What happens if you include the following rule ?

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Does it solve the problem ?

 
Antony.


> On Mon, Jun 17, 2002 at 11:54:18AM -0700, James Mello wrote:
> > I've set up the following iptables chains on my box,  but I'm 
> > getting denies that I'm not expecting. Below is a copy of the config

> > as well as the deny log that I'm seeing.
> >
> > # Generated by iptables-save v1.2.3 on Mon Jun 17 11:11:02 2002 
> > *filter :INPUT DROP [0:0]
> >
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [199:15749]
> > :LOGDENY - [0:0]
> >
> > -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> > -A INPUT -i eth0 -p udp -m udp --sport 67:68 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --sport 67:68 -j ACCEPT
> > -A INPUT -p tcp -j LOGDENY
> > -A INPUT -p udp -j LOGDENY
> > -A LOGDENY -p udp -m udp --dport 137:139 -j DROP
> > -A LOGDENY -p tcp -m tcp --dport 137:139 -j DROP
> > -A LOGDENY -j LOG --log-prefix "IPTABLES DENY "
> > -A LOGDENY -j DROP
> > COMMIT
> > # Completed on Mon Jun 17 11:11:02 2002
> >
> > root# ssh localhost
> > root# tail -f /var/log/messages
> >
> > Jun 17 11:51:54 localhost kernel: IPTABLES DENY IN=lo OUT= 
> > MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 
> > DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
> > SPT=22 DPT=32783 WINDOW=32767 RES=0x00 ACK SYN URGP=0
> >
> >
> > What confuses me the most is the fact that I'm getting denied on the

> > SYN/ACK rather than on the initial connection. Can someone please 
> > shed
> >
> > some light on this?

Re: (no subject)

[Antony Stone]

On Monday 17 June 2002 9:05 pm, James Mello wrote:

> Hrm... This did fix the problem, but I'm still not sure why the heck
> connections other than those from localhost did work. Any ideas?

Yes.   Your original ruleset allowed packets into the INPUT chain if they 
were to destination port 22, and allowed all packets out of the OUTPUT chain.

A remote client connecting by SSH will connect to port 22 through the INPUT 
chain (allowed) and the reply packets go out of the OUTPUT chain (allowed).   
All further packets in the session continue coming in on port 22 (allowed) 
and going out through the OUTPUT chain (allowed).   Therefore the remote 
client works.

The local client, though, connects to port 22 (allowed) and then the server 
tries to reply to the client (also on the local machine) on port 32783 (or 
whatever), and this has to go out through the OUTPUT chain and back in again 
on the INPUT chain - which was not allowed, therefore the local connection 
failed.

 

Antony.

RE: (no subject)

[Joe Patterson]

A little bit of expansion on this:

Without the ESTABLISHED rule in the input chain, that server would not have
been able to make any connection to *any* server, including, but not limited
to, itself.  So if you were to try to ssh from that box to anywhere else (or
telnet, or ftp, or web browse, or pretty much anything), it would fail.

-Joe

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Antony Stone
> Sent: Monday, June 17, 2002 4:21 PM
> To: netfilter@lists.samba.org
> Subject: Re: (no subject)
>
>
> On Monday 17 June 2002 9:05 pm, James Mello wrote:
>
> > Hrm... This did fix the problem, but I'm still not sure why the heck
> > connections other than those from localhost did work. Any ideas?
>
> Yes.   Your original ruleset allowed packets into the INPUT chain if they
> were to destination port 22, and allowed all packets out of the
> OUTPUT chain.
>
> A remote client connecting by SSH will connect to port 22 through
> the INPUT
> chain (allowed) and the reply packets go out of the OUTPUT chain
> (allowed).
> All further packets in the session continue coming in on port 22
> (allowed)
> and going out through the OUTPUT chain (allowed).   Therefore the remote
> client works.
>
> The local client, though, connects to port 22 (allowed) and then
> the server
> tries to reply to the client (also on the local machine) on port
> 32783 (or
> whatever), and this has to go out through the OUTPUT chain and
> back in again
> on the INPUT chain - which was not allowed, therefore the local
> connection
> failed.
>
>
>
> Antony.
>
>
>

nat problem.

[umar]

Hi, 
 
Trying out  a very simple configuration of a firewall here, but having some problems.
The firewall  has two NIC's and have enabled ip forwarding. 

I want the internal machines to connect to the internet,  So have enabled NAT : 
Runing squid - transparent proxy on port 3232. Clients have been onfigured to connect to internet directly. 
eth0 is my external interface.
 
Following are the nat rules conigured on the firewall
 
iptables -t nat -A PREROUTING -i eth0  -p tcp --dport 80 -j REDIRECT --to-port 3232
 
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x ( public IP of the other netwrok card )

I can ping to the gateway ( private IP ) and the other network card havng the public IP , but nothing beyond that, Why ?? 
And my clients are also not able to connect to the internet ?? 
I have tried removing the first rule and disabling squid, so that clients could connect to the intenet directly. 
That also failed, and the result is the same. All the default poilicies of all rules are set to ACCEPT.

Runing rh 7.2 with 2.4.7-10 kernel.

Please help. 

Warm Regards, 
Kumar. 

(no subject)

[skmail]

Hi all-

I'm trying to patch a stock 2.4.18 kernel with a few extras from the
current patch-o-matic.  The only one that seems to have trouble so far
(kernel compile in progress) is the string match support.  Here is the
output of my kernel compile.  Can somebody help?  TIA

gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common 
-pipe -mpreferred-stack-boundary=2 -march=i486   
-DKBUILD_BASENAME=ipt_limit  -c -o ipt_limit.o ipt_limit.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common 
-pipe -mpreferred-stack-boundary=2 -march=i486   -DKBUILD_BASENAME=ipt_mac  
-c -o ipt_mac.o ipt_mac.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common 
-pipe -mpreferred-stack-boundary=2 -march=i486   
-DKBUILD_BASENAME=ipt_multiport  -c -o ipt_multiport.o ipt_multiport.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common 
-pipe -mpreferred-stack-boundary=2 -march=i486   
-DKBUILD_BASENAME=ipt_time  -c -o ipt_time.o ipt_time.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common 
-pipe -mpreferred-stack-boundary=2 -march=i486   
-DKBUILD_BASENAME=ipt_state  -c -o ipt_state.o ipt_state.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common 
-pipe -mpreferred-stack-boundary=2 -march=i486   
-DKBUILD_BASENAME=ipt_iplimit  -c -o ipt_iplimit.o ipt_iplimit.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common 
-pipe -mpreferred-stack-boundary=2 -march=i486   
-DKBUILD_BASENAME=ipt_unclean  -c -o ipt_unclean.o ipt_unclean.c
gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common 
-pipe -mpreferred-stack-boundary=2 -march=i486   
-DKBUILD_BASENAME=ipt_string  -c -o ipt_string.o ipt_string.c
ipt_string.c:80:72: macro "max" passed 3 arguments, but takes just 2
ipt_string.c: In function `search_sublinear':
ipt_string.c:53: warning: subscript has type `char'
ipt_string.c:78: warning: subscript has type `char'
ipt_string.c:80: `max' undeclared (first use in this function)
ipt_string.c:80: (Each undeclared identifier is reported only once
ipt_string.c:80: for each function it appears in.)
make[3]: *** [ipt_string.o] Error 1
make[3]: Leaving directory `/usr/src/linux/net/ipv4/netfilter'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux/net/ipv4/netfilter'
make[1]: *** [_subdir_ipv4/netfilter] Error 2
make[1]: Leaving directory `/usr/src/linux/net'
make: *** [_dir_net] Error 2

(no subject)

[g38]

This being my first firewall, I would like those of you who are more experienced and have the time to take a look and point the mistakes I did (and perhaps some improvements would be appreciated)

The box is intended to act as a www and mail server and to masquerade an internal network with private ip's

The rules I'm not sure of are commented (and I have some questions for the masquerade, but I'll RTFM on this one - still I must ask if I did the masq rules correctly in the firewall below)

thanks a lot,
petre


#!/bin/sh

IPEXT="193.xxx.xxx.xxx"
IPT="/usr/sbin/iptables"


echo "Cleaning ..."
for i in filter nat mangle
do
$IPT -t $i -F
$IPT -t $i -X
done

echo "Initial rules ..."
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

#loopback
$IPT -A INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -p all -j ACCEPT

echo -e "\nMASQUERADING ...\n"
echo "Masquerading 192.168.20.0/24"
# set up masquerading for everything not destined to the localnets
$IPT -t nat -A POSTROUTING -s  192.168.20.0/24 -o eth1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -d  192.168.20.0/24 -o eth1 -j MASQUERADE

$IPT -A FORWARD -s 192.168.20.0/24 -j ACCEPT
$IPT -A FORWARD -d 192.168.20.0/24 -j ACCEPT


#echo "FWD: Allow all connections OUT and only existing and related ones IN"
#$IPT -A FORWARD -i eth0 -s 192.168.20.0/24 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -i eth1 -o eth0 -d 192.168.20.0/24 -j ACCEPT
#$IPT -A FORWARD -i eth0 -s 192.168.10.5 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -i eth1 -o eth0 -d 192.168.10.5 -j ACCEPT
$IPT -A FORWARD -j LOG
$IPT -A FORWARD -j DROP

echo -e "- Enabling SNAT (MASQUERADE) funtionality on eth0"
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo -e "\nDone.\n"

###

echo "no snmpd access from the exterior"
$IPT -A INPUT -p udp -s 0/0 --dport 161 -j DROP

#cut all which appears to be loopback talking to eth's
$IPT -A INPUT -p all -s localhost  -i eth+ -j DROP

#cut all syn's except those for incoming http & ssh & smtp & pop3
#$IPT -A INPUT -i eth0 -p tcp --syn --destination-port 80 -j ACCEPT
#$IPT -A INPUT -i eth0 -p tcp --syn --destination-port 22 -j ACCEPT
#$IPT -A INPUT -i eth0 -p tcp --syn --destination-port 25 -j ACCEPT
#$IPT -A INPUT -i eth0 -p tcp --syn --destination-port 110 -j ACCEPT
#$IPT -A INPUT -p tcp --tcp-flags ALL SYN -j DROP

echo "Syn flood protection..."
$IPT -N DoS
$IPT -A INPUT -j DoS
$IPT -A DoS -p icmp --icmp-type echo-request \
        -m limit --limit 10/s -j RETURN
$IPT -A DoS -p icmp --icmp-type echo-request \
        -m limit -j LOG --log-level warn \
                --log-prefix "DoS (PING)" \
                --log-tcp-options \
                --log-ip-options
$IPT -A DoS -p icmp --icmp-type echo-request -j REJECT

#cut access from private addresses to eth1
$IPT -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

echo "cut ssh except from trusted hosts"
echo "allow from"
echo "          - 1"
$IPT -A INPUT -i eth0 -p tcp -s 193.xxx.xxx.x -d $IPEXT --dport 22 -j ACCEPT
echo "          - 1"
$IPT -A INPUT -i eth0 -p tcp -s 193.xxx.xxx.xxx -d $IPEXT --dport 22 -j ACCEPT
echo "          - 3"
$IPT -A INPUT -i eth0 -p tcp -s 193.xxx.xxx.xxx -d $IPEXT --dport 22 -j ACCEPT
echo "          - 4"
$IPT -A INPUT -i eth0 -p tcp -s 193.xxx.xxx.xx -d $IPEXT --dport 22 -j ACCEPT
echo "cut all"
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j DROP

Re: (no subject)

[Antony Stone]

On Saturday 08 June 2002 1:01 pm, g38@rdsbv.ro wrote:

> echo "Cleaning ..."
> for i in filter nat mangle
> do
> $IPT -t $i -F
> $IPT -t $i -X
> done

-F is a good idea, but you can't do -X (delete chain) on the built-in chains; 
only user-defined ones.

> echo "Initial rules ..."
> $IPT -P INPUT ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -P FORWARD DROP

I would recommend setting default policy on your INPUT chain to DROP as well, 
and then allow in only what you want...

> $IPT -t nat -A POSTROUTING -s  192.168.20.0/24 -o eth1 -j MASQUERADE
> $IPT -t nat -A POSTROUTING -d  192.168.20.0/24 -o eth1 -j MASQUERADE

No, you only want the first one of these rules.    I'm assuming that eth1 is 
your external interface.

> echo -e "- Enabling SNAT (MASQUERADE) funtionality on eth0"
> $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Maybe I'm wrong in thinking that eth1 is your external interface ?   Please 
can you tell us what eth0and eth1 are connected to (and where networks 
192.168.20.0 and 192.168.10.0 are connected ?


The rest looks pretty good to me.


Antony.

Re: (no subject)

[g38]

eth0 - connects to the internet
eth1 - internal network with private ip addresses
eth2 - internal network with routable ip's

What I want to do - eth0 has a routable ip and masquerades the internal network which enters eth1 (or eth2, I haven't plug in the cable yet :D); eth0:1 will route the network with valid ineternet ip addresses which enters eth2 to the internet (speaking of which, I assume I must input rules for eth0:1's ip address too, but in the iptables syntax is it allowed to refer to the alias as eth0:1 or I must use only its ip?)

thanks,

petre

please enlighten me on the masquerading rules

Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Saturday 08 June 2002 1:01 pm, g38@rdsbv.ro wrote:
> 
> > echo "Cleaning ..."
> > for i in filter nat mangle
> > do
> > $IPT -t $i -F
> > $IPT -t $i -X
> > done
> 
> -F is a good idea, but you can't do -X (delete chain) on the built-in chains;
> 
> only user-defined ones.
> 
> > echo "Initial rules ..."
> > $IPT -P INPUT ACCEPT
> > $IPT -P OUTPUT ACCEPT
> > $IPT -P FORWARD DROP
> 
> I would recommend setting default policy on your INPUT chain to DROP as well,
> 
> and then allow in only what you want...
> 
> > $IPT -t nat -A POSTROUTING -s  192.168.20.0/24 -o eth1 -j MASQUERADE
> > $IPT -t nat -A POSTROUTING -d  192.168.20.0/24 -o eth1 -j MASQUERADE
> 
> No, you only want the first one of these rules.    I'm assuming that eth1 is
> 
> your external interface.
> 
> > echo -e "- Enabling SNAT (MASQUERADE) funtionality on eth0"
> > $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> Maybe I'm wrong in thinking that eth1 is your external interface ?   Please
> 
> can you tell us what eth0and eth1 are connected to (and where networks 
> 192.168.20.0 and 192.168.10.0 are connected ?
> 
> 
> The rest looks pretty good to me.
> 
> 
> Antony.
> 

Re: (no subject)

[Antony Stone]

On Saturday 08 June 2002 3:54 pm, g38@rdsbv.ro wrote:

> eth0 - connects to the internet
> eth1 - internal network with private ip addresses
> eth2 - internal network with routable ip's

Okay - I understand that.   I very much hope you mean that you have a public 
IP on eth0, and your ISP has given you another batch of IP addresses to go on 
the machines on eth2, and the ISP is routing these to you via the address on 
eth0 ?

It would not be a good setup if you were trying to put a public IP on eth0 
which is from the same subnet as the routable IPs on eth2.   It's possible to 
do this, but a lot more technically challenging...

> What I want to do - eth0 has a routable ip and masquerades the internal
> network which enters eth1

Okay, no problem.

> (or eth2, I haven't plug in the cable yet :D);

Don't understand.   If eth2 has routable IPs (by which I assume you mean IP 
addresses which have been assigned to you, not ones from the ranges 10.x.y.z, 
172.16.a.b, 192.168.c.d), then why would you want to masquerade them behind 
eth0 ?

> eth0:1 will route the network with valid internet ip addresses which
> enters eth2 to the internet

No, I do not understand what you mean by this.   What are you trying to use 
eth0:1 for ?

> (speaking of which, I assume I must input rules
> for eth0:1's ip address too, but in the iptables syntax is it allowed to
> refer to the alias as eth0:1 or I must use only its ip?)

You cannot use the name "eth0:1" in netfilter rules.   It doesn't like the 
colon.   You can, however, use "eth0", which is the real interface these 
packets are coming in on, and/or you can use the destination IP address, 
which will identify where they were headed.

So iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT will allow SSH 
packets which are sent to the address you've put on eth0:1 (it will also 
allow packets sent to the address you've put on eth0, eth0:2, etc...)

iptables -A INPUT -i eth0 -d a.b.c.d -p tcp --dport 22 -j ACCEPT will allow 
SSH packets coming in on eth0, eth:1, eth0:2 etc provided the destination 
address is a.b.c.d

Hope this explains how you can work with eth0:1 and netfilter rules.

Give us some more detail on the actual addresses you intend to put on eth0, 
eth1 and eth2, and the subnets attached to these interfaces (you can 
obfuscate any public IPs you've been given so long as it's still possible to 
tell one subnet from the others), and we might be able to help some more.

.

Antony.

Re: (no subject)

[g38]

eth0 - 193.231.237.x
eth1 - used to route 80.96.x.0/24
eth2 - used to masquerade 192.168.10.0/24

theoretically that would be the ip setup; however, I have another 193.231.237.x2 ip which I'd like to use especially because the two 193.231.237.x`s ips are in different cbq classes

Quoting Antony Stone <Antony@Soft-Solutions.co.uk>:

> On Saturday 08 June 2002 3:54 pm, g38@rdsbv.ro wrote:
> 
> > eth0 - connects to the internet
> > eth1 - internal network with private ip addresses
> > eth2 - internal network with routable ip's
> 
> Okay - I understand that.   I very much hope you mean that you have a public
> 
> IP on eth0, and your ISP has given you another batch of IP addresses to go on
> 
> the machines on eth2, and the ISP is routing these to you via the address on
> 
> eth0 ?

yes

> It would not be a good setup if you were trying to put a public IP on eth0 
> which is from the same subnet as the routable IPs on eth2.   It's possible to
> 
> do this, but a lot more technically challenging...

3 eth`s for 3 different subnets

> > What I want to do - eth0 has a routable ip and masquerades the internal
> > network which enters eth1
> 
> Okay, no problem.

good :-)

> > (or eth2, I haven't plug in the cable yet :D);
> 
> Don't understand.   If eth2 has routable IPs (by which I assume you mean IP
> 
> addresses which have been assigned to you, not ones from the ranges 10.x.y.z,
> 
> 172.16.a.b, 192.168.c.d), then why would you want to masquerade them behind
> 
> eth0 ?
> 
> > eth0:1 will route the network with valid internet ip addresses which
> > enters eth2 to the internet
> 
> No, I do not understand what you mean by this.   What are you trying to use
> 
> eth0:1 for ?

eth0 - 193.231.237.x routes the subnet 80.69.x.0/24 which enters the router via eth1
eth0:1 would route 192.168.10.0/24 which enters the router via eth2
basically that's the idea which I have in mind ... why an alias on eth0 ? ip`s for the eth0 are in different cbq classes at my ISP

> > (speaking of which, I assume I must input rules
> > for eth0:1's ip address too, but in the iptables syntax is it allowed to
> > refer to the alias as eth0:1 or I must use only its ip?)
> 
> You cannot use the name "eth0:1" in netfilter rules.   It doesn't like the 
> colon.   You can, however, use "eth0", which is the real interface these 
> packets are coming in on, and/or you can use the destination IP address, 
> which will identify where they were headed.
> 
> So iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT will allow SSH 
> packets which are sent to the address you've put on eth0:1 (it will also 
> allow packets sent to the address you've put on eth0, eth0:2, etc...)
> 
> iptables -A INPUT -i eth0 -d a.b.c.d -p tcp --dport 22 -j ACCEPT will allow
> 
> SSH packets coming in on eth0, eth:1, eth0:2 etc provided the destination 
> address is a.b.c.d
> 
> Hope this explains how you can work with eth0:1 and netfilter rules.
> 
> Give us some more detail on the actual addresses you intend to put on eth0,
> 
> eth1 and eth2, and the subnets attached to these interfaces (you can 
> obfuscate any public IPs you've been given so long as it's still possible to
> 
> tell one subnet from the others), and we might be able to help some more.
> 
> .
> 
> Antony.
> 

how to monitor the connection on NAT...

[jacob]

[-- Attachment #1: Type: text/plain, Size: 234 bytes --]

hi all,
i use iptables to implement the nat in my network envirement,
i can use "netstat" to monitor the connection of the nat box, 
but how do i monitor the masqueraded connections on the nat box ?

Thanks in advance.
jacob


[-- Attachment #2: Type: text/html, Size: 773 bytes --]

(no subject)

[Matt Walkowiak]

[-- Attachment #1: Type: text/plain, Size: 973 bytes --]

I was wondering if something exists that can do what I want for netfilter.

In the WatchGuard land, there is a very neat program called HostWatch.  It has two columns: One for Outside and one for Inside.  Then, it draws a line from one column to the other for each connection.  It also refreshes itself about once every second.

Let's say you have a web server on the inside of your firewall, and 10 people are currently hitting it.  HostWatch would show 10 lines (each from a seperate IP addy, resolved if it can find it) drawn to the one ip addy of the web server.

The nice thing about HostWatch is you can see exactly what is happening now.

Now, I generally dont run any kind of X-windows system on my Linux boxes, so it would be nice to get a "text based" version of what I'm looking for, however, if a nice program existed that needed X to run, I'd seriously consider installing X windows.

Anyway, thanks in advance for your responces!

Matt Walkowiak

[-- Attachment #2: Type: text/html, Size: 1898 bytes --]

Re: (no subject)

[Jack Bowling]

** Reply to message from Matt Walkowiak <matt@inetdvd.com> on Wed, 05 Jun 2002 23:24:25 -0500


> I was wondering if something exists that can do what I want for netfilter.
> 
> In the WatchGuard land, there is a very neat program called HostWatch.  It has two columns: One for Outside and one for Inside.  Then, it draws a line from one column to the other for each connection.  It also refreshes itself about once every second.
> 
> Let's say you have a web server on the inside of your firewall, and 10 people are currently hitting it.  HostWatch would show 10 lines (each from a seperate IP addy, resolved if it can find it) drawn to the one ip addy of the web server.
> 
> The nice thing about HostWatch is you can see exactly what is happening now.
> 
> Now, I generally dont run any kind of X-windows system on my Linux boxes, so it would be nice to get a "text based" version of what I'm looking for, however, if a nice program existed that needed X to run, I'd seriously consider installing X windows.
> 
> Anyway, thanks in advance for your responces!

Hey, Matt. Go to http://freshmeat.net and do a search for IPTSTATE. It is a top-like text based app that will monitor your connection state.

jb

-- 
Jack Bowling
mailto: jbinpg@shaw.ca

(no subject)

[Jaume Ambatlle Pena]

Hi,

I've a problem with iptables, I don't know what happens in my PC but 
firewall logs are being printed in tty instead off in /var/log/messages*
Anybody could help me with this?? Thanks

---------------------------------------------------------------------------------------------------------------------
Jaume Ambatlle Pena

Ocurra lo que ocurra, aún en el día más borrascoso las horas y el tiempo pasan.
(Shakespeare, William)
---------------------------------------------------------------------------------------------------------------------

Re: (no subject)

[Antony Stone]

On Saturday 01 June 2002 7:33 pm, Jaume Ambatlle Pena wrote:

> Hi,
>
> I've a problem with iptables, I don't know what happens in my PC but
> firewall logs are being printed in tty instead off in /var/log/messages*
> Anybody could help me with this?? Thanks

What did you specify for --log-level in the rule with -j LOG ?

Antony.

(no subject)

[Forrest Beck]

[-- Attachment #1: Type: text/plain, Size: 1418 bytes --]

I have a question that I hope someone can help me with...
 
I am running a RH7.3 installed machine as a IP Masquerade firewall
between my LAN and my wireless LAN.  I have my switch with all of my
wireless Access Points on eth1, and my LAN connection on eth0.
 
With this set I have made a bash script that executes the following:
 
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.252.251 #(Ip
      of eth0)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCPET iptables -p
INPUT DROP
 
 
Now after all that it works great!  A wireless client connects to the
Access Point, gets a correct ip from DHCP (the linux firewall), and then
browses the web.  Web pages, mounting drives, everything works great....
 
My problem is this...
 
I want to know if it is possible to create a list of MAC addresses that
netfilter(iptables) can verify against to decide if it should allow a
client to be routed.  So when the clients starts there computer up, they
get an ip, begin browsing, and the server looks at the packet and
verifies if the packet should be dropped or accepted according to MAC
address.
 
If anyone has a idea, I'd love to hear from them...  Or even a better
solution to reach my goal.  either- or.
 
 
Thanks a mil!
 
Forrest Beck
 
 
 
 

[-- Attachment #2: Type: text/html, Size: 12330 bytes --]

Re: (no subject)

[Antony Stone]

On Thursday 28 June 2001 7:26 pm, Forrest Beck wrote:

> I have a question that I hope someone can help me with...
>
> I am running a RH7.3 installed machine as a IP Masquerade firewall
> between my LAN and my wireless LAN.  I have my switch with all of my
> wireless Access Points on eth1, and my LAN connection on eth0.
>
> With this set I have made a bash script that executes the following:
>
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.252.251 #(Ip
>       of eth0)
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCPET iptables -p
> INPUT DROP

Where are your FORWARDing rules ?   Are you restricting anything going 
to/from the wireless clients ???

> Now after all that it works great!  A wireless client connects to the
> Access Point, gets a correct ip from DHCP (the linux firewall), and then
> browses the web.  Web pages, mounting drives, everything works great....
>
> My problem is this...
>
> I want to know if it is possible to create a list of MAC addresses that
> netfilter(iptables) can verify against to decide if it should allow a
> client to be routed.  So when the clients starts there computer up, they
> get an ip, begin browsing, and the server looks at the packet and
> verifies if the packet should be dropped or accepted according to MAC
> address.
>
> If anyone has a idea, I'd love to hear from them...  Or even a better
> solution to reach my goal.  either- or.

There is a mac address match in netfilter, yes, but why not just do it in 
your DHCP server (which is on the same machine anyway) ?

You can put a list of MAC/IP addresses in your dhcpd.conf file and run it in 
a similar way to a bootp server.

 

Antony.

(no subject)

[蔡志峰]

[-- Attachment #1: Type: text/plain, Size: 597 bytes --]

I want to log all messages in a special file ,such as the file /var/log/iptable,not in default file,
I have read Iptables'tutorial ,it says that "All messages are logged through the kernel facility. In other words, setting kern.=info /var/log/iptables in your syslog.conf file and then letting all your LOG messages in iptables use log level info, would make all messages appear in the /var/log/iptables file.",but at the same time, there may be other messages here as well from other parts of the kernel that uses the info priority.
how can I only log all iptables message in my special file?

[-- Attachment #2: Type: text/html, Size: 842 bytes --]