If I were you, I'd get rid of bastille altogether and install something like
gShield, it's faster to set up, can do more interesting and useful stuff, and
does it in an orderly and logical manner.

Bastille was great a while back, but I think it's crossing the line into
bloatware now, and who really wants a GUI like that anyway??

a simple config file is better any day..


rgds

frank

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of richard
Sent: Sunday, 6 January 2002 8:13 PM
To: Stilgherrian
Cc: [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [expert] Re: [Bastille-linux-discuss] iptables and ipip tunnels


Many thanks Stil, that's answered 90% of the questions. I'll alter the
bastille-netfilter script as you suggested
TIA
richard

On Sun, 2002-01-06 at 11:54, Stilgherrian wrote:
> Assuming that the question relates to this posting:
>
>     http://www.geocrawler.com/archives/3/2489/2001/12/0/7433332/
>
> On Sun, Jan 06, 2002 at 10:50:38AM +0000, richard wrote:
> > Hi
> > will this work
> > /sbin/iptables -A INPUT -p 93 -i eth1 -j ACCEPT
>
> This command ACCEPTs all IP protocol 93 traffic (yes, that's IPIP)
> which comes in on interface eth1. However, in the context of an
> addition to /sbin/bastille-netfilter, it sits where it's labelled
> "custom rules", and I'd be tempted to write it as:
>
>     ${IPTABLES} -A PUB_IN -p ipip -i eth1 -j ACCEPT
>
> Adding it to PUB_IN rather than INPUT seems to me to be a better
> fit with Bastille's logic.
>
> Whether this is sufficient for your specific task I couldn't tell you.
> I'm not personally familiar with the details of IPIP. And unfortunately
> I couldn't quite follow your description of your network.
>
> From there on in, assuming that IPIP is decoded properly, yes, should
> just be coming out of tunl0 or bpq0 or whatever interfaces you've set
> up. Add rules to allow traffic between networks as appropriate. These
> go in the spot commented "If you have networks that route traffic..."
>
> An example might be to just let everything run transparently between an
> encrypted link and the internal network.
>
>     ${IPTABLES} -A FORWARD -i tunl0 -d 44.131.90.0/24 -j ACCEPT
>     ${IPTABLES} -A FORWARD -i eth0 -o tunl0 -j ACCEPT
>
> (This is assuming that eth0 is the physical interface of the "internal"
> network, and that tunl0 is on eth1, your "outside" interface. The
> destination shown is meant to be an "internal" network. And it assumes
> you *do* want to let everything through like this.)
>
> If you haven't already done so, turn on packet logging for what's
> being blocked (set LOG_FAILURES="Y") and add rules to let thru what's
> being blocked.
>
> I realize I've gone fast thru that. Email me directly if you get
> stuck on the details. Or if you think I've got something wrong, also
> tell me. I'm skimming through this one and I may well have made a
> mistake.
>
>
> > I have been asking for help on both lists for 2 weeks, it seems that
> > unless your face fits, it's a very private club
>
> It's also about how and when you ask. The guys with the real clue on
> bastille-linux-discuss have been busy getting a new release locked down,
> and then a bunch of the world closed down for a holiday season. Unless
> a question is pretty clear about the set-up, what's been put where
> exactly, and what information has been gathered so far, it'll all look
> too hard and no-one will bother.
>
> Not so much "private club" but "small pool of people to draw upon",
> none of whom get paid to do this.
>
>
> > bg Richard
> > system now hacked as I can't put a firewall up without destroying the ip
> > tunnel.
> > Strange that after I put my inet address as an example of what I was
> > trying to do, I had 2 people ftp'd in and played
>
> Doesn't seem strange to me, actually. Seems like *exactly* the sort of
> thing to expect. Using a real address in the examples, especially when
> it's being publicly identified as a vulnerable set-up, is just asking
> for trouble. Sorry, but the world's a nasty place.
>
> Stil
>
>
> --
> : Stilgherrian, Director of Operations, prussia.net
> : Internet infrastructure services focussing on the essentials
> : http://www.prussia.net/
> : ARBN BN97858688, ABN 15 148 757 893
>
> _______________________________________________
> bastille-linux-discuss mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/bastille-linux-discuss
Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
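An added example (my own, not code from Bastille's bastille-netfilter script or from anyone in the thread) that renders the three rules Stilgherrian quotes above as reviewable text and pins the protocol match by number: on Linux, /etc/protocols maps the name "ipip" to 94, while the kernel's tunl0 IPIP tunnel carries protocol 4 (listed there as "ipencap") and the 93 in the original question is AX.25 frames, so `-p ipip` would not match the tunnel traffic. It assumes the ${IPTABLES} variable and PUB_IN chain from the quoted script; the interface names, network and peer address are placeholders.

```shell
#!/bin/sh
# Added example, not Bastille's code: prints the suggested rules as text so
# they can be reviewed before going into the "custom rules" and "networks
# that route traffic" sections of bastille-netfilter. Assumes that script's
# ${IPTABLES} variable and PUB_IN chain; all other names are placeholders.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Linux IPIP tunnels (tunl0) are IP protocol 4, which /etc/protocols lists
# as "ipencap"; the name "ipip" there resolves to 94, and 93 is AX.25 over
# IP, so the rule matches by number rather than by name.
IPIP_PROTO=4

# tunnel_rules OUTSIDE_IF TUNNEL_IF INSIDE_IF INSIDE_NET [PEER]
# PEER, if given, limits the encapsulated packets to one tunnel endpoint,
# which is tighter than accepting protocol 4 from anyone on the outside.
tunnel_rules() {
    outside="$1"; tunnel="$2"; inside="$3"; net="$4"; peer="$5"
    if [ "$outside" = "$inside" ]; then
        echo "outside and inside interface must differ" >&2
        return 1
    fi
    case "$net" in
        */*) ;;
        *) echo "INSIDE_NET must be CIDR, e.g. 44.131.90.0/24" >&2; return 1 ;;
    esac
    src=""
    if [ -n "$peer" ]; then
        src=" -s $peer"
    fi
    # "custom rules" section: accept the encapsulating packets only on the
    # outside interface (PUB_IN rather than INPUT, following Bastille's layout)
    echo "${IPTABLES} -A PUB_IN -p ${IPIP_PROTO}${src} -i ${outside} -j ACCEPT"
    # "networks that route traffic" section: decapsulated packets arrive on
    # the tunnel interface and are forwarded to and from the internal network
    echo "${IPTABLES} -A FORWARD -i ${tunnel} -d ${net} -j ACCEPT"
    echo "${IPTABLES} -A FORWARD -i ${inside} -o ${tunnel} -j ACCEPT"
}

# Placeholder invocation (192.0.2.1 is a documentation address, not a real
# peer); pipe the output into sh as root to apply it.
tunnel_rules eth1 tunl0 eth0 44.131.90.0/24 192.0.2.1
```

Run it with LOG_FAILURES="Y" still set in bastille-netfilter, as the quoted message advises, so anything the rules still drop shows up in the log rather than silently breaking the tunnel.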
