On Thu, Sep 18, 2003 at 12:33:01AM +0000, Bob Crandell wrote:
> How would you change:
> > iptables -A sort -j LOG --log-level info
> to limit the log size?
iptables -A sort -m limit -j LOG --log-level info
This uses the defaults 3/hour for an average rate and 5 for a burst.
See the man page for other possibilities, such as the one below:
iptables -A sort -m limit --limit 10/hour --limit-burst 10 -j LOG --log-level info
> I've some hints from each of the respondents and built an iptables
> script. There is supposed to be only 3 or 4 ports open on this box.
> Can some of you guys with the know-how check 216.239.175.248 and see
> what's open? I just heard that there are going to be some Comcast
> users banging on it and now I'm scared.
Don't think locally. Anyone with an IP address can bang on it. I'm
running a scan now. Either the machine is off or it's not responding to
ICMP.
> While reading through the man page, I saw a way to restrict access by MAC address.
> Can someone post an example?
I wouldn't do this, as it won't work well for being an internet server.
iptables -A FORWARD -s $intfw -m mac --mac-source XX:XX:XX:XX:XX:XX \
-d ! $intnet -j ACCEPT
Forward anything coming from a specific internal IP (like an internal
firewall), with MAC address <xx> and going to somewhere other than the
internal network.
> So my original requirement to allow some networks and some IP
> addresses now includes some MAC addresses. I'm assuming they would be
> added to the end of the list in the sort rule. Yes? No?
Who provided this requirement? Why? Is matching by IP not sufficient? There are
only special cases where I would use this module.
> Should I post the iptables script I have so far?
The scan is done. Either the machine is down or the firewall is too
tight because there are no services available and I can't even get a
fingerprint.
$ sudo nmap -sS -v -O -P0 216.239.175.248
Starting nmap 3.27 ( www.insecure.org/nmap/ ) at 2003-09-18 09:56 PDT
Host 216.239.175.248 appears to be up ... good.
Initiating SYN Stealth Scan against 216.239.175.248 at 09:56
The SYN Stealth Scan took 492 seconds to scan 1623 ports.
Warning: OS detection will be MUCH less reliable because we did not
find at least 1 open and 1 closed TCP port
All 1623 scanned ports on 216.239.175.248 are: filtered
Too many fingerprints match this host for me to give an accurate OS
guess
TCP/IP fingerprint:
SInfo(V=3.27%P=i686-pc-linux-gnu%D=9/18%Time=3F69E5C6%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 506.213 seconds
So you probably should post your ruleset since it isn't working as you
had planned.
Cory
--
Cory Petkovsek Adapting Information
Adaptable IT Consulting Technology to your
(541) 914-8417 business
[EMAIL PROTECTED] www.AdaptableIT.com
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
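Added worked example (not part of the list post above): a small Python model of what the two `-m limit` settings in the reply do to the volume of LOG entries. It models the limit module as a token bucket that starts full at `--limit-burst`, refills at `--limit`, and spends one token per matched packet; this is a simplification of the kernel's fixed-point credit accounting, and the packet arrival times are constructed.

```python
from fractions import Fraction

def limit_match(arrivals, rate_per_hour=3, burst=5):
    """Model of iptables '-m limit --limit <rate>/hour --limit-burst <burst>'.

    arrivals: packet arrival times in seconds (constructed, non-decreasing).
    Returns one bool per packet: True if the rule matches, i.e. the packet
    would reach -j LOG and produce a log line.
    Assumption: a plain token bucket (full at start, refilled continuously,
    one token per match), not the exact xt_limit credit arithmetic.
    """
    seconds_per_token = Fraction(3600, rate_per_hour)
    tokens = Fraction(burst)
    last = None
    matched = []
    for t in arrivals:
        if last is not None:
            refill = Fraction(t - last) / seconds_per_token
            tokens = min(Fraction(burst), tokens + refill)
        last = t
        if tokens >= 1:
            tokens -= 1
            matched.append(True)   # logged
        else:
            matched.append(False)  # rate-limited, no log line
    return matched

# Constructed sample: ten packets one second apart (a scan-like burst),
# then two more packets 21 minutes later.
ARRIVALS = list(range(10)) + [1260, 1261]

def logged_count(rate_per_hour=3, burst=5):
    """How many log lines the sample burst produces under the given limit."""
    return sum(limit_match(ARRIVALS, rate_per_hour, burst))

if __name__ == "__main__":
    print("defaults (3/hour, burst 5):", limit_match(ARRIVALS))
    print("  log lines:", logged_count())
    print("10/hour, burst 10:", limit_match(ARRIVALS, 10, 10))
    print("  log lines:", logged_count(10, 10))
```

With the defaults, only the first five packets of the burst are logged and one more token is available after 20 minutes; the 10/hour, burst 10 setting logs the whole sample.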