Linux Netfilter discussions
* IpTables question...
@ 2003-02-03  6:47 Curca Claudiu
  2003-02-06  5:28 ` Joel Newkirk
From: Curca Claudiu @ 2003-02-03  6:47 UTC
  To: netfilter

I'm using Red Hat Linux 8.0 on a PIII Coppermine 750 MHz. I use iptables
for NAT networking at my home (5 PCs + 1 server).
The server is used as a gateway and dns server. My question is:

Is there any way I could limit the transfer rate of the inside computers to 
the internet?
For example I want 192.168.3.5 to have a limit of 5 KB/s transfer rate.

Please help me!!


* Re: IpTables question...
  2003-02-03  6:47 IpTables question Curca Claudiu
@ 2003-02-06  5:28 ` Joel Newkirk
From: Joel Newkirk @ 2003-02-06  5:28 UTC
  To: Curca Claudiu, netfilter

On Monday 03 February 2003 01:47 am, Curca Claudiu wrote:
> I'm using RedHat Linux 8.0 on an PIII - Coppermine 750 MHz. I used
> Iptables for NAT  networking at my home (5 PC's + 1 Server).
> The server is used as a gateway and dns server. My question is:
>
> Is there any way I could limit the transfer rate of the inside
> computers to the internet?
> For example I want 192.168.3.5 to have a limit of 5 KB/s transfer
> rate.
>
> Please help me!!

You need to establish a Queueing Discipline.  Your best choice would 
probably be Hierarchical Token Bucket.  See 
http://lartc.org/howto/lartc.qdisc.classful.html#AEN1050 in the Linux 
Advanced Routing and Traffic Control how-to for details on HTB, (and the 
full how-to for all the info...) and the section following it entitled 
"Classifying packets with filters" which explains how to specify a 
filter that matches specific IPs, or use the 'fwmark' match to let you 
set a mark in an iptables mangle-table PREROUTING chain and queue 
traffic based on the marks.

j

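The approach described in the reply above, as an added example that is not part of the original post: a shell script that builds the HTB classes and filters for the 5 KB/s case, in both the u32 and the fwmark variants. The interface names eth0 (Internet) and eth1 (LAN) and the 100mbit parent rate are assumptions; the host address and rate come from the question. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: cap one LAN host at 5 KB/s (40 kbit/s)
# with HTB, in both directions. Assumptions (adjust to your box): eth0 faces
# the Internet, eth1 faces the LAN, and iproute2's tc is installed. Shaping
# only works on what leaves an interface, so the host's uploads are shaped on
# eth0 (matching its address as source) and its downloads on eth1 (matching it
# as destination). DRY_RUN=1 prints the commands instead of executing them.

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# shape_dev DEV HOST RATE src|dst: HTB root on DEV whose default class 1:30 is
# unshaped and whose class 1:10 is capped at RATE; a u32 filter steers the
# host's packets into 1:10 by the IP header field named in the last argument.
shape_dev() {
    dev=$1; host=$2; rate=$3; field=$4
    run tc qdisc del dev "$dev" root 2>/dev/null || true   # start clean
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    # 100mbit is an assumed link speed; set it to what the interface really does
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate 100mbit
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$rate" ceil "$rate"
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate 100mbit
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip "$field" "$host/32" flowid 1:10
}

# The fwmark alternative mentioned above: mark the host's packets in the
# mangle table and let a "fw" filter pick the mark up, which scales better
# than one u32 rule per host once there are many hosts or port-based rules.
mark_host() {
    host=$1; mark=$2
    run iptables -t mangle -A PREROUTING -s "$host" -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -d "$host" -j MARK --set-mark "$mark"
}
fw_filter() {   # fw_filter DEV MARK: send packets carrying MARK to class 1:10 on DEV
    run tc filter add dev "$1" parent 1: protocol ip prio 2 handle "$2" fw flowid 1:10
}

# limit_host HOST RATE EXT_DEV INT_DEV
limit_host() {
    shape_dev "$3" "$1" "$2" src   # uploads leave via the Internet interface
    shape_dev "$4" "$1" "$2" dst   # downloads leave via the LAN interface
}

# Usage: sh htb-limit.sh 192.168.3.5 40kbit eth0 eth1
if [ "$#" -eq 4 ]; then limit_host "$@"; fi
```

Run it once with DRY_RUN=1 to read the generated tc commands, then without it as root. Note that HTB can only delay packets that have already crossed the link, so the download cap on eth1 works by making TCP back off, not by stopping bytes from arriving on eth0.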



* iptables question
@ 2003-08-13 20:49 Glenn Hancock
  2003-08-14 10:17 ` Chris Wilson
  2003-08-14 10:23 ` Ralf Spenneberg
From: Glenn Hancock @ 2003-08-13 20:49 UTC
  To: netfilter


I have my rules setup the way I would guess they should be based on 5
tutorials, 1 book and the man pages.  However, I still can't seem to get
the thing to do what I want.  Could someone please help me?

I will make this very simple:
1)  I want to allow all incoming requests to port 80
2) I want to allow all outgoing requests .... period.

I want to drop all other incoming requests not addressed to port 80.

That's it.  I've been fighting with this all day and still can't get it
to act right.  If you like I can send my current iptables file but it's
basically the same as the earlier one I sent.

P.S.  I'm sorry if someone has already answered my question.  I was
having a little trouble with my email before...  As long as you reply to
the list group I should get any further emails without a problem.

Thanks,

-- 
Glenn Hancock
SofTek Software International, Inc.
813 Pavilion Court
T: 678-583-5720
I: ghancock@softeksoftware.com
www.softeksoftware.com
www.Spambite.com
NOTE: My email address is currently protected by Spambite. If
you send me an email, you will be asked to validate your email
address on the Spambite network AND re-send your original email
to me. Or, you can pro-actively register your email address on
the Spambite network by visiting the website:
www.spambite.com
When visiting the website, please feel free to look around to
learn about this exciting new technology.


* Re: iptables question
  2003-08-14 10:17 ` Chris Wilson
@ 2003-08-14  6:53   ` Glenn Hancock
From: Glenn Hancock @ 2003-08-14  6:53 UTC
  To: netfilter


Chris,

Thanks to you and to the other gentleman.  That fixed me and seems to be
working perfectly.

Thanks,

Glenn

On Thu, 2003-08-14 at 06:17, Chris Wilson wrote:

> Hi Glenn,
> 
> > I have my rules setup the way I would guess they should be based on 5
> > tutorials, 1 book and the man pages.  However, I still can't seem to get
> > the thing to do what I want.  Could someone please help me?
> > 
> > I will make this very simple:
> > 1)  I want to allow all incoming requests to port 80
> > 2) I want to allow all outgoing requests .... period.
> > 
> > I want to drop all other incoming requests not addressed to port 80.
> 
> Did you see Rob Sterenborg's response to your previous post? The ruleset 
> which you sent didn't appear to be complete. You also don't mention if the 
> machine you're running the firewall on is the same one that's running the 
> web server, and that you're trying to make outgoing requests from. 
> Assuming that it is, the following rules should work:
> 
>   iptables -F
>   iptables -P INPUT DROP
>   iptables -P OUTPUT ACCEPT
>   iptables -P FORWARD DROP
>   iptables -A INPUT -m state --state established -j ACCEPT
>   iptables -A INPUT -i lo -j ACCEPT
>   iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> 
> If, on the other hand, you have another network behind your Linux box, and 
> machines on that network need to get through the Linux box to the 
> Internet, then you will need the following additional rules:
> 
>   iptables -A FORWARD -i <internal-interface> -o <external-interface> \
> 	-j ACCEPT
>   iptables -A FORWARD -m state --state established -j ACCEPT
> 
> and if the internal machines have private IP addresses:
> 
>   iptables -t nat -A POSTROUTING -o <external-interface> -j MASQUERADE
> 
> By the way, I don't like my first impression of your challenge-response
> spam filter. You might want to try SpamAssassin, it's much less intrusive 
> to people trying to e-mail you.
> 
> Cheers, Chris.



* Re: iptables question
  2003-08-13 20:49 iptables question Glenn Hancock
@ 2003-08-14 10:17 ` Chris Wilson
  2003-08-14  6:53   ` Glenn Hancock
  2003-08-14 10:23 ` Ralf Spenneberg
From: Chris Wilson @ 2003-08-14 10:17 UTC
  To: Glenn Hancock; +Cc: netfilter

Hi Glenn,

> I have my rules setup the way I would guess they should be based on 5
> tutorials, 1 book and the man pages.  However, I still can't seem to get
> the thing to do what I want.  Could someone please help me?
> 
> I will make this very simple:
> 1)  I want to allow all incoming requests to port 80
> 2) I want to allow all outgoing requests .... period.
> 
> I want to drop all other incoming requests not addressed to port 80.

Did you see Rob Sterenborg's response to your previous post? The ruleset 
which you sent didn't appear to be complete. You also don't mention if the 
machine you're running the firewall on is the same one that's running the 
web server, and that you're trying to make outgoing requests from. 
Assuming that it is, the following rules should work:

  iptables -F
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  iptables -A INPUT -m state --state established -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If, on the other hand, you have another network behind your Linux box, and 
machines on that network need to get through the Linux box to the 
Internet, then you will need the following additional rules:

  iptables -A FORWARD -i <internal-interface> -o <external-interface> \
	-j ACCEPT
  iptables -A FORWARD -m state --state established -j ACCEPT

and if the internal machines have private IP addresses:

  iptables -t nat -A POSTROUTING -o <external-interface> -j MASQUERADE

By the way, I don't like my first impression of your challenge-response
spam filter. You might want to try SpamAssassin, it's much less intrusive 
to people trying to e-mail you.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |






* Re: iptables question
  2003-08-13 20:49 iptables question Glenn Hancock
  2003-08-14 10:17 ` Chris Wilson
@ 2003-08-14 10:23 ` Ralf Spenneberg
From: Ralf Spenneberg @ 2003-08-14 10:23 UTC
  To: ghancock; +Cc: Netfilter

On Wed, 2003-08-13 at 22:49, Glenn Hancock wrote:
> I have my rules setup the way I would guess they should be based on 5
> tutorials, 1 book and the man pages.  However, I still can't seem to
> get the thing to do what I want.  Could someone please help me?
> 
> I will make this very simple:
Is this for a local machine?
> 1)  I want to allow all incoming requests to port 80
# Allow new connections to port 80
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
> 2) I want to allow all outgoing requests .... period.
# Allow outgoing connections
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow all packets belonging to established connections come back
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
> 
> 
> I want to drop all other incoming requests not addressed to port 80.
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org




* iptables Question
@ 2003-09-08 16:43 Elitesyntax
From: Elitesyntax @ 2003-09-08 16:43 UTC
  To: netfilter

#!/bin/sh
#
# The location of the IPTables binary file on your system.
IPT="/sbin/iptables"

# The Internet interface. For ADSL or Dialup users, this should be "ppp0".
# For a cable modem connection, this will probably be "eth0".
INT="eth0"

# Out with the old stuff.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Use this for NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# Port forwarding looks like this.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 192.168.0.50
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to 192.168.0.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 192.168.0.50
# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 192.168.0.50

# This rule will accept connections from local machines.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.0.0/24 -d 0/0 -p all -j ACCEPT

# Drop bad packets.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j DROP




Is there a way I can make this script more stable? I have not finished
this script just yet.

=====
You are entering the lands of packets, brute force and misuse of trust. This is a dark land, full of problems and choices. Be careful when you use your knowledge. Be also careful with your tools and weapons. Never underestimate your enemy.

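The rulesets in the two threads above (Chris Wilson's and Ralf Spenneberg's host rules for a box that only serves port 80, and the gateway script just posted) combined into one stateful ruleset, as an added example that is not code from any of the posters. The interface names eth0/eth1, the LAN prefix 192.168.0.0/24 and the iptables path are assumptions; DRY_RUN=1 prints the commands instead of running them. It also carries the pieces the posted scripts leave out: a RELATED accept so ICMP errors for our own connections get back in, an INVALID drop ahead of every ACCEPT, and the FORWARD accept a DNAT needs under a DROP policy.

```shell
#!/bin/sh
# Added example, not code posted in any thread on this page: one stateful
# ruleset that covers both questions above, a host that only serves port 80
# and a NAT gateway for a private LAN. Interface names, the LAN prefix and the
# iptables path are assumptions; override them in the environment.
# DRY_RUN=1 prints every command instead of executing it, so the ruleset can
# be reviewed before it is applied on a box you reach over the network.
IPT=${IPT:-/sbin/iptables}
EXT=${EXT:-eth0}             # assumed Internet-facing interface
INT=${INT:-eth1}             # assumed LAN-facing interface
LAN=${LAN:-192.168.0.0/24}   # assumed private LAN behind the gateway

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

flush_all() {
    for t in filter nat mangle; do
        run "$IPT" -t "$t" -F
        run "$IPT" -t "$t" -X
    done
}

# Rules for the box itself: default deny inbound, everything outbound.
host_rules() {
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    # Packets conntrack cannot place in any connection (out-of-window ACKs,
    # stray RSTs) are dropped first, so they never reach an ACCEPT by accident.
    run "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Flag combinations no real stack sends; scanners use them for OS detection.
    run "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    run "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    run "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # RELATED is what brings back ICMP errors for our own connections (e.g.
    # fragmentation-needed, without which path MTU discovery breaks).
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only a clean SYN may open a new HTTP connection.
    run "$IPT" -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
    # Everything else falls through to the DROP policy; log a sample of it.
    run "$IPT" -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
}

# Rules for a gateway: masquerade the LAN and forward only what it initiates.
gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -m conntrack --ctstate NEW -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
}

# port_forward PROTO PORT TARGET: publish an internal service. The DNAT alone
# is not enough with a FORWARD DROP policy; the rewritten packet is still NEW
# when it reaches FORWARD and needs its own ACCEPT. PORT may be a range (2300:2400).
port_forward() {
    proto=$1; port=$2; target=$3
    run "$IPT" -t nat -A PREROUTING -i "$EXT" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$target"
    run "$IPT" -A FORWARD -i "$EXT" -o "$INT" -p "$proto" -d "$target" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply() {
    flush_all
    host_rules
    gateway_rules
}

# Run as "sh firewall.sh apply"; with no argument the functions are only defined.
if [ "${1:-}" = "apply" ]; then apply; fi
```

The order inside INPUT matters: INVALID and the bogus-flag drops come before any ACCEPT, the stateful ACCEPT comes before the port 80 rule so the bulk of traffic is matched by one rule, and the LOG rule is last so it only sees what is about to hit the policy.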

* iptables question.
@ 2004-02-17 15:52 John Black
  2004-02-17 16:40 ` Antony Stone
From: John Black @ 2004-02-17 15:52 UTC
  To: netfilter

I'm trying to install a gateway/router with Red Hat 9, kernel 2.4.24 and the stock
iptables 1.2.7, with full NAT compiled into the kernel. I have read the howto
at netfilter.org, and even have the same line of code.  But it still will not change
the source address.

here is the line of code and the result of the command <iptables -t nat -L -n>


iptables -t nat -A POSTROUTING  -o eth0 -j SNAT --to Ext_ip
target prot opt source     destination 
SNAT   all  --  0.0.0.0/0  0.0.0.0/0   to:Ext_ip

thanks
John

http://www.arbbs.net/

* Re: iptables question.
  2004-02-17 15:52 John Black
@ 2004-02-17 16:40 ` Antony Stone
From: Antony Stone @ 2004-02-17 16:40 UTC
  To: netfilter

On Tuesday 17 February 2004 3:52 pm, John Black wrote:

> I'm trying to install a gateway/router with Red Hat 9 kernel 2.4.24 and the
> stock iptables 1.2.7, with full NAT compiled into the kernel.

Is this a standard RH combination - you've just installed some RPMs etc., or 
have you built some part of it yourself (in which case the problem may well 
be that you didn't build the other part as well)?

"netfilter" is the kernel part of the code, and "iptables" is the user part.   
Both must match (be the same version) on a system in order to work correctly.

> I have read
> the howto at netfilter.org, even have the same line of code.  But it sill
> will not change the source address.
>
> here is the line of code and the result of the command
> iptables -t nat -L -n
>
> iptables -t nat -A POSTROUTING  -o eth0 -j SNAT --to Ext_ip
> target prot opt source     destination
> SNAT   all  --  0.0.0.0/0  0.0.0.0/0   to:Ext_ip

A better command would be "iptables -L -nvx" because the v option tells us 
which interfaces the rule applies to, and in this case that's important.

By the way, how are you testing the rule and coming to the conclusion that the 
source address is not being changed?

Regards,

Antony.

-- 
Your work is both good and original.  Unfortunately the parts that are good 
aren't original, and the parts that are original aren't good.

 - Samuel Johnson

                                                     Please reply to the list;
                                                           please don't CC me.




* iptables question
@ 2005-02-10 15:04 shardul Adhikari
From: shardul Adhikari @ 2005-02-10 15:04 UTC
  To: netfilter

Hi all,
This is my first post; I hope I make myself clear.
I have two locations, A and B. Both have independent Internet connectivity,
and there is interconnectivity between location A and B.
I have a Squid proxy server at both locations. Now if the Internet
connectivity is down at location A, I can put in an iptables rule to
redirect HTTP traffic to location B's proxy server, and vice versa.
What I want is to automate this process. Has anybody come across
any program or script which checks the connectivity of the
respective location and accordingly puts in the iptables entry and removes it
when the connectivity comes back?

Thanks in advance

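The automation asked for above, as an added example (not a script from the thread, which got no reply here): a cron job that probes the local Internet link, inserts a DNAT rule sending the LAN's proxy traffic to the other site when the link has failed several probes in a row, and removes the rule again when the link is back. The remote proxy address 10.20.0.10:3128, the LAN interface eth1, the probe addresses (taken from the RFC 5737 documentation ranges) and the state-file path are all assumptions; the `-C` rule-check option needs iptables 1.4.11 or newer.

```shell
#!/bin/sh
# Added example, not a script from the thread: fail HTTP over to the other
# site's proxy while the local Internet link is down, and undo it when the
# link returns. Meant to run from cron every minute on the location A gateway.
# Assumed (hypothetical) values: clients talk to this box on port 3128, the
# remote site's proxy is 10.20.0.10:3128 over the inter-site link, eth1 is the
# LAN side, and the probe addresses are placeholders from the documentation
# ranges. Requires iptables with -C (1.4.11 or newer) for the existence check.
IPT=${IPT:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth1}
REMOTE_PROXY=${REMOTE_PROXY:-10.20.0.10:3128}
PROBE_HOSTS=${PROBE_HOSTS:-"203.0.113.1 198.51.100.1"}
STATE_FILE=${STATE_FILE:-/var/run/proxy-failover.fails}
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}   # consecutive failed probes before failing over
# The single rule that is added or removed; kept in one place so -I, -D and -C agree.
RULE="-i $LAN_IF -p tcp --dport 3128 -j DNAT --to-destination $REMOTE_PROXY"

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# link_up: true if at least one probe host answers a ping within two seconds.
link_up() {
    for h in $PROBE_HOSTS; do
        ping -c 1 -W 2 "$h" >/dev/null 2>&1 && return 0
    done
    return 1
}

# rule_present: true if the failover rule is already installed. In DRY_RUN mode
# the answer comes from DRY_RULE_PRESENT so the logic can be exercised without
# touching the nat table.
rule_present() {
    if [ -n "${DRY_RUN:-}" ]; then
        [ -n "${DRY_RULE_PRESENT:-}" ] && return 0
        return 1
    fi
    "$IPT" -t nat -C PREROUTING $RULE >/dev/null 2>&1
}

# reconcile up|down: make the nat table match the observed link state; both
# branches are idempotent so the cron job can run as often as it likes.
reconcile() {
    case $1 in
        down)
            if rule_present; then echo "failover already active"
            else run "$IPT" -t nat -I PREROUTING $RULE; fi ;;
        up)
            if rule_present; then run "$IPT" -t nat -D PREROUTING $RULE
            else echo "link up, no failover rule installed"; fi ;;
        *)  echo "reconcile: expected up or down, got '$1'" >&2; return 2 ;;
    esac
}

# failures_now ok|fail: update the consecutive-failure counter and print it.
failures_now() {
    if [ "$1" = ok ]; then rm -f "$STATE_FILE"; echo 0; return 0; fi
    n=0
    [ -r "$STATE_FILE" ] && n=$(cat "$STATE_FILE")
    n=$((n + 1))
    echo "$n" > "$STATE_FILE"
    echo "$n"
}

main() {
    if link_up; then
        failures_now ok >/dev/null
        reconcile up
    else
        n=$(failures_now fail)
        # a single lost probe must not flip routing; wait for FAIL_THRESHOLD in a row
        if [ "$n" -ge "$FAIL_THRESHOLD" ]; then reconcile down
        else echo "link probe failed ($n/$FAIL_THRESHOLD), not failing over yet"; fi
    fi
}

# crontab entry (assumed path): * * * * * /usr/local/sbin/proxy-failover.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Two things to check before relying on it: the remote site must route replies for your LAN addresses back over the inter-site link (otherwise add a SNAT on that link as well), and the FORWARD chain on this gateway must accept the redirected connections, since a DNAT by itself grants nothing in the filter table.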


* iptables question
@ 2008-03-11 14:20 bossk
  2008-03-11 18:46 ` Jan Engelhardt
From: bossk @ 2008-03-11 14:20 UTC
  To: netfilter

I have a problem with some dropped packets which shouldn't be dropped when I 
enable the following three rules:

1. iptables -A allowed -p TCP --syn -j ACCEPT
2. iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
3. iptables -A allowed -p TCP -j DROP

I see in conntrack that the connection exists
tcp      6 431999 ESTABLISHED src=10.3.4.14 dst=10.3.4.2 sport=42884 
dport=3128 packets=1140 bytes=59440 src=10.3.4.2 dst=10.3.4.14 sport=3128 
dport=42884 packets=1475 bytes=1681482 [ASSURED] mark=0 secmark=0 use=1

Regarding rule 2, the connection is ESTABLISHED and no packets should be 
dropped.

But in the drop log it looks quite different
IN= OUT=eth0 SRC=10.3.4.14 DST=10.3.4.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 
ID=20094 DF PROTO=TCP SPT=42884 DPT=3128 WINDOW=4 RES=0x00 ACK URGP=0

What I also see is that the dropped packets have the PSH and ACK flags set, but 
this shouldn't be a problem, should it? Because right now I don't know what the 
problem is.

It would be great if somebody could enlighten me.

Thanks,
bossk


* Re: iptables question
  2008-03-11 14:20 bossk
@ 2008-03-11 18:46 ` Jan Engelhardt
  2008-03-11 19:13   ` Justin Piszcz
From: Jan Engelhardt @ 2008-03-11 18:46 UTC
  To: bossk; +Cc: netfilter


On Mar 11 2008 15:20, bossk wrote:
>
>1. iptables -A allowed -p TCP --syn -j ACCEPT
>2. iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>3. iptables -A allowed -p TCP -j DROP
>
>Regarding rule 2.  the connections is ESTABLISHED and no packets should be 
>dropped.
>
>But in the drop log it looks quite different
>IN= OUT=eth0 SRC=10.3.4.14 DST=10.3.4.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 
>ID=20094 DF PROTO=TCP SPT=42884 DPT=3128 WINDOW=4 RES=0x00 ACK URGP=0

Well then this packet did not belong to a known connection,
was forged, or anything like that.

That is why I would also combine -p tcp --syn with additionally
-m conntrack --ctstate NEW.
Needless to say that RELATED will never be considered because
you already allow all connections with --syn.



* Re: iptables question
  2008-03-11 18:46 ` Jan Engelhardt
@ 2008-03-11 19:13   ` Justin Piszcz
From: Justin Piszcz @ 2008-03-11 19:13 UTC
  To: Jan Engelhardt; +Cc: bossk, netfilter



On Tue, 11 Mar 2008, Jan Engelhardt wrote:

>
> On Mar 11 2008 15:20, bossk wrote:
>>
>> 1. iptables -A allowed -p TCP --syn -j ACCEPT
>> 2. iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>> 3. iptables -A allowed -p TCP -j DROP
>>
>> Regarding rule 2.  the connections is ESTABLISHED and no packets should be
>> dropped.
>>
>> But in the drop log it looks quite different
>> IN= OUT=eth0 SRC=10.3.4.14 DST=10.3.4.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64
>> ID=20094 DF PROTO=TCP SPT=42884 DPT=3128 WINDOW=4 RES=0x00 ACK URGP=0
>
> Well then this packet did not belong to a known connection,
> was forged, or anything like that.
>
> That is why I would also combine -p tcp --syn with additionally
> -m conntrack --ctstate NEW.
> Needless to say that RELATED will never be considered because
> you already allow all connections with --syn.
>

The default is DROP for me so then I shall add the traversal for 
ESTABLISHED,RELATED for output as well..  Looks like I need to do some 
testing, thanks.

Justin.

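A check for the kind of evidence this thread turns on, as an added example that is not part of any message above: the LOG line and the conntrack entry quoted in the question are embedded as constructed sample input, and the script tests whether the dropped packet's addresses and ports actually equal one of the two tuples in the conntrack entry and which chain the packet was seen in. The point it makes is that a matching tuple is not the end of the story: a packet conntrack has flagged INVALID (for instance because it falls outside the tracked TCP window) matches neither NEW nor ESTABLISHED even though the connection is listed, which is why the suggested next step is to log INVALID packets explicitly.

```shell
#!/bin/sh
# Added example, not from the thread: check what the two pieces of evidence
# quoted above actually say about each other. The LOG line and the conntrack
# entry are embedded here as constructed sample input copied from the
# question; nothing is read from a live system. Needs only POSIX sh and awk.

LOG_LINE='IN= OUT=eth0 SRC=10.3.4.14 DST=10.3.4.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20094 DF PROTO=TCP SPT=42884 DPT=3128 WINDOW=4 RES=0x00 ACK URGP=0'
CT_LINE='tcp      6 431999 ESTABLISHED src=10.3.4.14 dst=10.3.4.2 sport=42884 dport=3128 packets=1140 bytes=59440 src=10.3.4.2 dst=10.3.4.14 sport=3128 dport=42884 packets=1475 bytes=1681482 [ASSURED] mark=0 secmark=0 use=1'

# kv KEY LINE [N]: value of the N-th KEY=value token in LINE (default: first).
# conntrack prints the original tuple and then the reply tuple, so src, dst,
# sport and dport each occur twice; N=2 selects the reply direction.
kv() {
    printf '%s\n' "$2" | awk -v k="$1" -v want="${3:-1}" '{
        n = 0
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1 && ++n == want) { print substr($i, length(k) + 2); exit }
    }'
}

# tcp_flags LINE: the bare flag words LOG prints (SYN ACK PSH FIN RST URG), space separated.
tcp_flags() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(SYN|ACK|PSH|FIN|RST|URG)$/) printf "%s%s", (o++ ? " " : ""), $i
        print ""
    }'
}

# which_chain LINE: LOG prints IN= empty for locally generated packets, so
# "IN= OUT=eth0" was seen in OUTPUT (or POSTROUTING), not INPUT or FORWARD.
which_chain() {
    in_if=$(kv IN "$1"); out_if=$(kv OUT "$1")
    if [ -z "$in_if" ] && [ -n "$out_if" ]; then echo OUTPUT
    elif [ -n "$in_if" ] && [ -z "$out_if" ]; then echo INPUT
    else echo FORWARD; fi
}

# direction LOG CT: "original", "reply" or "none", depending on which tuple of
# the conntrack entry the logged packet's addresses and ports equal.
direction() {
    s=$(kv SRC "$1"); d=$(kv DST "$1"); sp=$(kv SPT "$1"); dp=$(kv DPT "$1")
    for n in 1 2; do
        if [ "$s" = "$(kv src "$2" $n)" ] && [ "$d" = "$(kv dst "$2" $n)" ] &&
           [ "$sp" = "$(kv sport "$2" $n)" ] && [ "$dp" = "$(kv dport "$2" $n)" ]; then
            if [ "$n" = 1 ]; then echo original; else echo reply; fi
            return 0
        fi
    done
    echo none
}

# explain LOG CT: print the finding and the next check to run.
explain() {
    chain=$(which_chain "$1"); dir=$(direction "$1" "$2")
    echo "seen in: $chain   flags: $(tcp_flags "$1")   matches conntrack tuple: $dir"
    if [ "$dir" = none ]; then
        echo "no tracked connection has this 4-tuple, so ESTABLISHED could not match;"
        echo "the packet is NEW (or forged) as far as netfilter is concerned."
    else
        echo "the 4-tuple is tracked, so if this packet reached the ESTABLISHED rule and"
        echo "still fell through, conntrack most likely tagged it INVALID (e.g. out of"
        echo "the tracked TCP window). Confirm by logging INVALID packets explicitly:"
        echo "  iptables -I $chain -m conntrack --ctstate INVALID -j LOG --log-prefix 'INVALID: '"
    fi
}

# With no arguments, analyse the sample from the question; otherwise the two
# lines are taken from the command line: sh ctcheck.sh "<LOG line>" "<conntrack line>"
if [ "$#" -eq 2 ]; then explain "$1" "$2"; else explain "$LOG_LINE" "$CT_LINE"; fi
```

For the sample above the script reports OUTPUT as the chain and "original" as the matching tuple, so the logged packet is the local host's own traffic towards port 3128 and the connection was known to conntrack; whether that particular packet was INVALID is what the suggested LOG rule settles.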


