Many thanks Stil, that's answered 90% of the questions. I'll alter the bastille-netfilter script as you suggested. TIA richard
On Sun, 2002-01-06 at 11:54, Stilgherrian wrote:
> Assuming that the question relates to this posting:
>
> http://www.geocrawler.com/archives/3/2489/2001/12/0/7433332/
>
> On Sun, Jan 06, 2002 at 10:50:38AM +0000, richard wrote:
> > Hi
> > will this work
> > /sbin/iptables -A INPUT -p 93 -i eth1 -j ACCEPT
>
> This command ACCEPTs all IP protocol 93 traffic (yes, that's IPIP)
> which comes in on interface eth1. However, in the context of an
> addition to /sbin/bastille-netfilter, it sits where it's labelled
> "custom rules", and I'd be tempted to write it as:
>
> ${IPTABLES} -A PUB_IN -p ipip -i eth1 -j ACCEPT
>
> Adding it to PUB_IN rather than INPUT seems to me to be a better
> fit with Bastille's logic.
>
> Whether this is sufficient for your specific task I couldn't tell you.
> I'm not personally familiar with the details of IPIP. And unfortunately
> I couldn't quite follow your description of your network.
>
> From there on in, assuming that IPIP is decoded properly, yes, should
> just be coming out of tunl0 or bpq0 or whatever interfaces you've set
> up. Add rules to allow traffic between networks as appropriate. These
> go in the spot commented "If you have networks that route traffic..."
>
> An example might be to just let everything run transparently between an
> encrypted link and the internal network.
>
> ${IPTABLES} -A FORWARD -i tunl0 -d 44.131.90.0/24 -j ACCEPT
> ${IPTABLES} -A FORWARD -i eth0 -o tunl0 -j ACCEPT
>
> (This is assuming that eth0 is the physical interface of the "internal"
> network, and that tunl0 is on eth1, your "outside" interface. The
> destination shown is meant to be an "internal" network. And it assumes
> you *do* want to let everything through like this.)
>
> If you haven't already done so, turn on packet logging for what's
> being blocked (set LOG_FAILURES="Y") and add rules to let thru what's
> being blocked.
>
> I realize I've gone fast thru that. Email me directly if you get
> stuck on the details. Or if you think I've got something wrong, also
> tell me. I'm skimming through this one and I may well have made a
> mistake.
>
> > I have been asking for help on both lists for 2 weeks, it seems that
> > unless your face fits, it's a very private club
>
> It's also about how and when you ask. The guys with the real clue on
> bastille-linux-discuss have been busy getting a new release locked down,
> and then a bunch of the world closed down for a holiday season. Unless
> a question is pretty clear about the set-up, what's been put where
> exactly, and what information has been gathered so far, it'll all look
> too hard and no-one will bother.
>
> Not so much "private club" but "small pool of people to draw upon",
> none of whom get paid to do this.
>
> > bg Richard
> > system now hacked as I can't put a firewall up without destroying the IP
> > tunnel.
> > Strange that after I put my inet address as an example of what I was
> > trying to do, I had 2 people ftp'd in and played
>
> Doesn't seem strange to me, actually. Seems like *exactly* the sort of
> thing to expect. Using a real address in the examples, especially when
> it's being publicly identified as a vulnerable set-up, is just asking
> for trouble. Sorry, but the world's a nasty place.
>
> Stil
>
>
> --
> : Stilgherrian, Director of Operations, prussia.net
> : Internet infrastructure services focussing on the essentials
> : http://www.prussia.net/
> : ARBN BN97858688, ABN 15 148 757 893
>
> _______________________________________________
> bastille-linux-discuss mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/bastille-linux-discuss
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
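As an added example (not code from the thread, from Stilgherrian, or from the Bastille project), here are the rules sketched in the reply above as a small POSIX shell fragment with a dry-run mode, so the rule list can be reviewed before anything is applied to a live firewall. It takes the interface names (eth0, eth1, tunl0), the destination network 44.131.90.0/24 and the chain name PUB_IN from the reply; the variable names, the function names, the log prefix and the trailing LOG rule are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread or from Bastille: the rules from the
# reply above as shell functions that emit every rule through ${IPTABLES}.
# Setting IPTABLES=echo gives a dry run, so the rule set can be reviewed
# before it touches the kernel. Interface names, the tunnel interface and
# the 44.131.90.0/24 destination come from the thread; the PUB_IN chain is
# Bastille's; the log prefix and the trailing LOG rule are assumptions.

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth1}"              # outside interface receiving raw IPIP
INT_IF="${INT_IF:-eth0}"              # physical interface of the internal network
TUN_IF="${TUN_IF:-tunl0}"             # interface the decapsulated packets leave from
INT_NET="${INT_NET:-44.131.90.0/24}"  # internal network reachable over the tunnel
LOG_FAILURES="${LOG_FAILURES:-Y}"     # Bastille's switch for logging blocked traffic

# "custom rules" section: accept the encapsulated protocol itself.
# "-p ipip" is the /etc/protocols name for IP protocol 93, so it matches
# the same packets as the original "-p 93" but documents the intent.
custom_rules() {
    "$IPTABLES" -A PUB_IN -p ipip -i "$EXT_IF" -j ACCEPT
}

# "If you have networks that route traffic..." section: let traffic flow
# between the decapsulated tunnel and the internal network. Tunnel-to-inside
# is restricted to the internal destination network; inside-to-tunnel is open.
forward_rules() {
    "$IPTABLES" -A FORWARD -i "$TUN_IF" -d "$INT_NET" -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$INT_IF" -o "$TUN_IF" -j ACCEPT
    # Assumed here: log whatever the rules above did not match, so the next
    # missing rule shows up in the kernel log instead of failing silently.
    # Bastille's own script does this when LOG_FAILURES="Y"; this rule only
    # stands in for it so the fragment is complete on its own.
    if [ "$LOG_FAILURES" = "Y" ]; then
        "$IPTABLES" -A FORWARD -j LOG --log-prefix "fwd-unmatched: "
    fi
}

all_rules() {
    custom_rules
    forward_rules
}

# Dry run: print the rules that would be installed, without running iptables.
# The subshell keeps IPTABLES=echo from leaking into the caller's environment.
preview_rules() {
    ( IPTABLES=echo; all_rules )
}

# Number of rules the current settings would install.
rule_count() {
    preview_rules | wc -l | tr -d ' '
}
```

Call `preview_rules` (or run the whole file with `IPTABLES=echo`) to see the exact rule list first; because every rule is appended with `-A`, the two ACCEPT rules must come before the LOG rule, which is why the functions keep that order.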