Re: Iptables config

2002-04-21 Thread J C Lawrence
On Sun, 21 Apr 2002 18:34:58 +0200 (CEST) 
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> wrote:

>   http://www.linuxguruz.org/iptables/

I've found that shorewall (now apt-gettable) makes a very nice iptables
framework/wrapper.

-- 
J C Lawrence
-(*)Satan, oscillate my metallic sonatas. 
[EMAIL PROTECTED]   He lived as a devil, eh?  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Iptables config

2002-04-21 Thread Cristian Ionescu-Idbohrn
On Sun, 21 Apr 2002, Jussi Ekholm wrote:

[snip]

> Thank you, I'll take a look at them. But, I'd still need some help
> concerning the DROP chain -- I've read the Packet-filtering-HOWTO,
> and eyed all related HOWTOs from LDP (actually, the Debian package
> doc-linux-html), but *still* I'm unable to really grasp the whole
> iptables syntax.

[snip]

If you're looking for example-scripts, take a look at these:

  http://www.linuxguruz.org/iptables/

There are loads of scripts there ;-)


Cheers,
Cristian





Re: Iptables config

2002-04-21 Thread Jussi Ekholm
Sami Dalouche <[EMAIL PROTECTED]> wrote:

> Here's a set of rules to replace ipmasq's ones..

Thank you, I'll take a look at them. But I'd still need some help
concerning the DROP chain -- I've read the Packet-filtering-HOWTO,
and eyed all related HOWTOs from LDP (actually, the Debian package
doc-linux-html), but *still* I'm unable to really grasp the whole
iptables syntax. The rules file I included in my original mail was
put together with the help of a "bit" more experienced friend, so
even that wasn't fully accomplished by me.

So -- I'd really need some help concerning the DROP. Some person
already pointed out that I don't have any rule which would DROP
unnecessary packages. The rule file I have only opens three ports
and REJECTs everything else. But I got the picture that I should
also add DROPs there. Even after reading HOWTOs and iptables(8),
I just can't grasp the idea. Any input and help would be greatly
appreciated.

> Have fun, rip ideas, do whatever you want, I release these files
> under the GPL ;-)

Hehe, I'll look into these and if I'm able to find the solution
to use DROP from your scripts, I will rip 'em. ;-) Thanks a lot,
I think these help a bit, at least. Still, most of the iptables
syntax is total Hebrew for me... I guess my IQ isn't very high.
*sad grin*.

-- 
Jussi Ekholm <[EMAIL PROTECTED]> | registered Linux user #269376
http://erppimaa.cjb.net/~ekhowl/   | UIN (ICQ):156057281 
ekh @ IRCNet   | GnuPG Public Key ID:  1410081E




Re: Iptables config

2002-04-18 Thread Rolf Kutz
* Quoting Mathias Palm ([EMAIL PROTECTED]):

> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Sorry, I don't get that. The manpage says:
> 
> ...ESTABLISHED meaning that the
> packet is associated with a  connection  which  has
> seen  packets  in both directions...
>   
> But if I initiate a connection, it shouldn't have seen packages in both
> directions, should it? What am I missing?

That's for the FORWARD-Chain. In the INPUT-Chain,
you only have one Direction, so it sees
syn,ack-package and treats the connection
as established.

> ...RELATED  meaning  that  the packet is starting a new connection,
> but is associated with an existing connection, such
> as an FTP data transfer, or an ICMP error...

That's where the protocol helpers come into
play. They keep track of what's happening at the
protocol level and see when a data connection is
requested. That also makes them potentially
more vulnerable to exploits.

> How does iptables find out, that a newly initiated connection is related 
> to another existing one? By process number, by vicinity in time or
> something other? 

In the FTP-case it sees the PORT-command inside
the ftp-connection. With other connections it uses
some sort of heuristics. You could also say it
kind of guesses.

- Rolf





Re: Iptables config

2002-04-18 Thread Martin Peikert

Peter Cordes wrote:
> On Wed, Apr 17, 2002 at 01:09:27PM +0200, Martin Peikert wrote:
>> First, you should set your policy to DROP. The way you configured your
>> filter with a policy set to ACCEPT would let all traffic pass through.
>
> No it doesn't; it would block new connections, because it rejects TCP SYN
> packets. It doesn't do anything about UDP, though.

True. If I were able to read, I would have noticed that before you
gave me that hint ;-)


GTi





Re: Iptables config

2002-04-17 Thread Peter Cordes
On Thu, Sep 20, 2001 at 05:05:11AM +0200, Mathias Palm wrote:
> ...
> 
> > 
> >  I use the connection-tracking support, so I can drop everything except
> > traffic related to a connection I opened.  This is what I use (NAT stuff
> > omitted):
> > 
> > iptables -t filter -P FORWARD ACCEPT
> > iptables -t filter -P INPUT DROP
> > iptables -t filter -P OUTPUT ACCEPT
> > 
> > modprobe ip_conntrack
> > modprobe ip_conntrack_ftp
> > 
> > iptables -A INPUT -i ! eth0 -j ACCEPT  # accept everything except from the big bad Internet
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Sorry, I don't get that. The manpage says:
> 
> ...ESTABLISHED meaning that the
> packet is associated with a  connection  which  has
> seen  packets  in both directions...
>   
> But if I initiate a connection, it shouldn't have seen packages in both
> directions, should it? What am I missing?

 Hmm, maybe the docs are wrong.  --state ESTABLISHED,RELATED is the magic
incantation recommended by the packet-filtering HOWTO.
(file://localhost/usr/share/doc/iptables/html/packet-filtering-HOWTO-5.html)
All I know for sure is that it works.

> Another question: (from the manpage):
> ...RELATED  meaning  that  the packet is starting a new connection,
> but is associated with an existing connection, such
> as an FTP data transfer, or an ICMP error...
> 
> How does iptables find out, that a newly initiated connection is related 
> to another existing one? By process number, by vicinity in time or
> something other? 

 It finds out by looking at the traffic in the connection.  The
ip_conntrack_ftp module has code that understands the FTP protocol, so it
can see when an FTP command which will use a new port is sent.  I hope they
have some kind of optimization, like only looking at port 21 traffic, to
avoid the overhead of trying to parse every TCP stream as FTP commands, but
I don't know.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE





Re: Iptables config

2002-04-17 Thread Mathias Palm
...

> 
>  I use the connection-tracking support, so I can drop everything except
> traffic related to a connection I opened.  This is what I use (NAT stuff
> omitted):
> 
>   iptables -t filter -P FORWARD ACCEPT
>   iptables -t filter -P INPUT DROP
>   iptables -t filter -P OUTPUT ACCEPT
> 
>   modprobe ip_conntrack
>   modprobe ip_conntrack_ftp
> 
>   iptables -A INPUT -i ! eth0 -j ACCEPT  # accept everything except from the big bad Internet
>   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Sorry, I don't get that. The manpage says:

...ESTABLISHED meaning that the
packet is associated with a  connection  which  has
seen  packets  in both directions...
  
But if I initiate a connection, it shouldn't have seen packages in both
directions, should it? What am I missing?

Another question: (from the manpage):
...RELATED  meaning  that  the packet is starting a new connection,
but is associated with an existing connection, such
as an FTP data transfer, or an ICMP error...

How does iptables find out, that a newly initiated connection is related 
to another existing one? By process number, by vicinity in time or
something other? 

All the best
Mathias





Re: Iptables config

2002-04-17 Thread Peter Cordes
On Wed, Apr 17, 2002 at 01:09:27PM +0200, Martin Peikert wrote:
> Jussi Ekholm wrote:
> >I was just wondering, if some experienced iptables users could give me,
> >at least some, opinions about my iptables rules. It is supposed to close
> >all the other ports, but leave 1050,  and 8080 open. Here's the
> >file created by iptables-save.
> >
> >--snip--
> >
> ># Generated by iptables-save v1.2.3 on Mon Dec 17 15:18:04 2001
> >*filter
> >:INPUT ACCEPT [18453:2703999]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [255753:190461092]
> >:external - [0:0]
> >-A INPUT -i eth0 -j external 
> >-A external -p tcp -m tcp --dport 1050 -j ACCEPT 
> >-A external -p tcp -m tcp --dport  -j ACCEPT 
> >-A external -p tcp -m tcp --dport 8080 -j ACCEPT 
> >-A external -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable 
> >-A external -j ACCEPT 
> >COMMIT
> ># Completed on Mon Dec 17 15:18:04 2001
> >
> >--snip--
> >
> >I'd like some input on this; how to make it better, how to possibly make
> >it log and just what should I modify in it to gain as great security as
> >possible? I know, that there's HOWTO's for these, and I've read those,
> >of course. But now I'd want to ask first-hand opinion about my iptables
> >rule file. Is it secure, or what should I do in order to make it more
> >secure?
> >

 I use the connection-tracking support, so I can drop everything except
traffic related to a connection I opened.  This is what I use (NAT stuff
omitted):

iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT

modprobe ip_conntrack
modprobe ip_conntrack_ftp

iptables -A INPUT -i ! eth0 -j ACCEPT  # accept everything except from the big bad Internet
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# this is the important rule that allows outgoing connections to work even
# though the policy is DROP

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT  # incoming ssh from Internet
iptables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
 
> First, you should set your policy to DROP. The way you configured your 
> filter with a policy set to ACCEPT would let all traffic pass through.

 No it doesn't; it would block new connections, because it rejects TCP SYN
packets.  It doesn't do anything about UDP, though.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE





Re: Iptables config

2002-04-17 Thread Martin Peikert

Jussi Ekholm wrote:
> Michal Melewski <[EMAIL PROTECTED]> wrote:
>> Lars Roland Kristiansen wrote:
>>> I am no iptables guru, I just want to close all except
>>> ssh (port 22), pop3 (port 110) and imap (port 143). Is there an
>>> easy way to do this.
>>
>> Sure it is easy...
>
> I was just wondering if some experienced iptables users could give me,
> at least some, opinions about my iptables rules. It is supposed to close
> all the other ports, but leave 1050,  and 8080 open. Here's the
> file created by iptables-save.
>
> --snip--
>
> # Generated by iptables-save v1.2.3 on Mon Dec 17 15:18:04 2001
> *filter
> :INPUT ACCEPT [18453:2703999]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [255753:190461092]
> :external - [0:0]
> -A INPUT -i eth0 -j external 
> -A external -p tcp -m tcp --dport 1050 -j ACCEPT 
> -A external -p tcp -m tcp --dport  -j ACCEPT 
> -A external -p tcp -m tcp --dport 8080 -j ACCEPT 
> -A external -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable 
> -A external -j ACCEPT 
> COMMIT
> # Completed on Mon Dec 17 15:18:04 2001
>
> --snip--
>
> I'd like some input on this; how to make it better, how to possibly make
> it log and just what should I modify in it to gain as great security as
> possible? I know, that there's HOWTO's for these, and I've read those,
> of course. But now I'd want to ask first-hand opinion about my iptables
> rule file. Is it secure, or what should I do in order to make it more
> secure?

First, you should set your policy to DROP. The way you configured your 
filter with a policy set to ACCEPT would let all traffic pass through.

As the last rule in every chain I would log the rest. Then take a look at 
your log files and decide what you want to drop/reject without logging.

HTH
GTi





Re: Iptables config

2002-04-17 Thread Sami Dalouche
Here's a set of rules to replace ipmasq's ones..
When I created these rules, I wasn't aware of the great job done by
shorewall's developers, so I wrote rules to replace ipmasq's ones
(instead of writing conf. files for shorewall, which would have been
way more useful...)

Have fun, rip ideas, do whatever you want, I release these files under the
GPL ;-)

Sam

PS: for your information, after executing this script,
iptables -L | wc -l
reports 165 lines ;-)

The rules are sorted into 10 different tables...

- Original Message -
From: "Jussi Ekholm" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 17, 2002 11:45 AM
Subject: Re: Iptables config




rules-v0.1.tar.bz2
Description: Binary data


Re: Iptables config

2002-04-17 Thread Jussi Ekholm
Michal Melewski <[EMAIL PROTECTED]> wrote:

> Lars Roland Kristiansen wrote:
>> I am no iptables guru, I just want to close all except
>> ssh (port 22), pop3 (port 110) and imap (port 143). Is there an
>> easy way to do this. 
>
> Sure it is easy...

I was just wondering, if some experienced iptables users could give me,
at least some, opinions about my iptables rules. It is supposed to close
all the other ports, but leave 1050,  and 8080 open. Here's the
file created by iptables-save.

--snip--

# Generated by iptables-save v1.2.3 on Mon Dec 17 15:18:04 2001
*filter
:INPUT ACCEPT [18453:2703999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [255753:190461092]
:external - [0:0]
-A INPUT -i eth0 -j external 
-A external -p tcp -m tcp --dport 1050 -j ACCEPT 
-A external -p tcp -m tcp --dport  -j ACCEPT 
-A external -p tcp -m tcp --dport 8080 -j ACCEPT 
-A external -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable 
-A external -j ACCEPT 
COMMIT
# Completed on Mon Dec 17 15:18:04 2001

--snip--

I'd like some input on this; how to make it better, how to possibly make
it log and just what should I modify in it to gain as great security as
possible? I know, that there's HOWTO's for these, and I've read those,
of course. But now I'd want to ask first-hand opinion about my iptables
rule file. Is it secure, or what should I do in order to make it more
secure?

-- 
Jussi Ekholm <[EMAIL PROTECTED]> | registered Linux user #269376
http://erppimaa.cjb.net/~ekhowl/   | UIN (ICQ):156057281 
ekh @ IRCNet   | GnuPG Public Key ID:  1410081E


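A hardened rewrite of the ruleset posted in this message, added here as an example (it is not code from anyone in the thread): it applies what the replies above recommend, a DROP policy with a connection-tracking rule for return traffic, a logging rule at the end of the chain, and explicit handling of everything that is not TCP, which the SYN-only REJECT never touched. Assumed: the Internet-facing interface is eth0, the published services are TCP 1050 and 8080 (the third port number was lost in the archive), and a current iptables that understands `! -i` and `-m conntrack`.

```shell
#!/bin/sh
# Added example, not code from the thread: a hardened rewrite of the posted
# ruleset in the filter table. Assumptions: Internet-facing interface eth0,
# services on TCP 1050 and 8080, a current iptables (accepts "! -i" and
# "-m conntrack --ctstate", the newer spelling of "-m state --state").
# IPT defaults to "echo iptables" so the script only prints the commands;
# run it as root with IPT=iptables to actually load them.

IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"
TCP_PORTS="${TCP_PORTS:-1050 8080}"

firewall_rules() {
    # Flush first so re-running the script does not stack duplicate rules.
    $IPT -F INPUT

    # Default policies: anything no rule accepts is dropped. OUTPUT stays
    # open; the host is trusted to talk out, and conntrack lets replies back.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and the internal side are not filtered; only $WAN is.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT ! -i "$WAN" -j ACCEPT

    # Replies to connections this host opened, plus RELATED traffic (FTP data
    # channels via the ftp helper, ICMP errors). This is the rule that makes
    # a DROP policy workable for a client.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot place in any connection (stray ACKs, bad
    # sequence numbers) are dropped before the allow list is consulted.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # New connections to the published services only. Because the policy is
    # DROP, UDP and every other protocol not listed here is dropped too,
    # unlike the original ruleset, which only rejected TCP SYNs.
    for port in $TCP_PORTS; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Stay pingable, but rate limit echo requests.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second -j ACCEPT

    # Answer ident (auth, 113) with a RST so mail servers talking to us do
    # not wait for a timeout on a silently dropped probe.
    $IPT -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset

    # Everything else: log it (rate limited so a flood cannot fill the log),
    # then drop explicitly so the counters show what the policy would eat.
    $IPT -A INPUT -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "INPUT DROP: "
    $IPT -A INPUT -j DROP
}

# Sanity check: how many services are opened to the Internet. Always runs
# in print mode (subshell) so it never touches the live ruleset.
allow_rule_count() {
    ( IPT="echo iptables"; firewall_rules ) | grep -c -- '--ctstate NEW -j ACCEPT'
}

firewall_rules
```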


Re: Iptables config - new

2002-04-15 Thread Peter Cordes
On Mon, Apr 15, 2002 at 07:58:00PM +0200, Mathias Palm wrote:
> ...
> Looking at all these, people might say more about smtp-packages going
> astray

 s/package/packet/g

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE





Re: Iptables config

2002-04-15 Thread Mathias Palm
I'd say it might very well work correctly, but the table nat is not
made for package filtering but for address translation
(nat -- network address translation), which is used for masquerading and
port forwarding. If you only want a filtering firewall you might very well
save yourself the effort to compile the nat modules and so on.

It might become a problem when you have a more complicated firewall setup,
where you want to reject every package aiming at the firewall, but snat or
masq an internal network. You can read about this (at least to understand
the principles) in the Firewall- and Masquerading-HOWTOs which are part of
Debian.

It is probably the same question as why nobody uses vi to read PostScript
documents when gs is available. It might work, but it is cumbersome. (Sorry
if I get polemic.)

Mathias

On Sun, Apr 14, 2002 at 09:11:55AM +0200, Marcin Bednarz wrote:
> 
> Hello.
> 
> I wrote :
> 
> >
> > # change of policy to drop
> > iptables -t nat -P PREROUTING DROP
> > iptables -t nat -P POSTROUTING DROP
> >
> > #add ssh server (allow incoming)
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
> >
> > #add pop3 and imap
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j ACCEPT
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j ACCEPT
> >
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j ACCEPT
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j ACCEPT
> >
> > iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
> >
> > # do you want to allow pinging your machine? (I don't know if postfix requires it)
> > iptables -t nat -A PREROUTING  -d $yourPublicIP -p icmp -j ACCEPT
> > iptables -t nat -A POSTROUTING  -s $yourPublicIP -p icmp -j ACCEPT
> 
> and ...
> #SMTP
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 25 -j ACCEPT
> 
> 
> Why is it not correct?
> Why do you use the filter table, not nat?
> I am a beginner so please help me if I don't understand anything.
> 
> Jakub S.
> 





Re: Iptables config - new

2002-04-15 Thread Mathias Palm
As mentioned in some other mail, always use iptables -F INPUT first to
avoid piling up rules like in your case. You defined three rules and
there shouldn't be more (it's not a Windows machine after all).

A couple more questions. What is your net set up: Are 192.168.2.2 and
xxx.yyy.zzz.com (the ip it resolves to, that is) different adaptors,
possibly xxx.yyy.zzz.com is eth0 and the other one eth1? All your
rules apply only to packages coming into eth0, except
the default rule. So I would assume the smtp connection coming from the
internal network is not coming through eth0 but is the one which got
accepted in the default policy line?

> Chain INPUT (policy ACCEPT 1 packets, 102 bytes)

I still cannot say where the missing smtp packages are. Try to use

iptables -nvL (keeps iptables from reverse resolving ip addresses and
port numbers)

just to make sure, smtp means port 25.

As your last line put in a rule which logs all packages which don't get
affected by any of the rules, and monitor your adaptor using

tcpdump -i eth0

Finally check the other rulesets in iptables, e.g. nat (by iptables -t
nat -vnL) or just dump everything to the console using iptables-save.

Looking at all these, people might say more about smtp-packages going
astray

Mathias



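A small audit script for the mistakes discussed in this part of the thread, added here as an example (not code from any of the posters): it reads an iptables-save dump and reports filtering placed in the nat table (DROP policies or DROP/REJECT rules there, as in the nat rules quoted above), a filter INPUT or FORWARD policy of ACCEPT, and a ruleset without any LOG rule. The two sample dumps are constructed for the demonstration, one from the ruleset posted earlier on this page and one from the quoted nat rules; 192.0.2.10 is a documentation address standing in for $yourPublicIP.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an iptables-save dump for
# three things raised in this thread: filtering done in the nat table
# (policy DROP or DROP/REJECT rules there), a filter INPUT or FORWARD chain
# whose policy is ACCEPT, and the absence of any LOG rule. Both sample dumps
# below are constructed; 192.0.2.10 is a documentation address standing in
# for $yourPublicIP.

# Reads a dump on stdin and prints one finding per line (nothing if clean).
audit_dump() {
    awk '
        /^\*/     { table = substr($0, 2); if (table == "filter") seen_filter = 1; next }
        /^COMMIT/ { table = ""; next }
        table == "nat" && /^:[A-Z]+ DROP/ {
            print "nat: policy DROP on " substr($1, 2) "; the nat table is only consulted for the first packet of a connection, filter in the filter table"
            next
        }
        table == "nat" && /-j (DROP|REJECT)/ {
            print "nat: filtering rule placed in the nat table: " $0
            next
        }
        table == "filter" && /^:(INPUT|FORWARD) ACCEPT/ {
            print "filter: " substr($1, 2) " policy is ACCEPT, anything no rule matches is let in"
            next
        }
        table == "filter" && /-j LOG/ { seen_log = 1 }
        END {
            if (seen_filter && !seen_log)
                print "filter: no LOG rule, dropped or rejected packets leave no trace"
        }
    '
}

# Constructed from the ruleset posted earlier on this page (the port number
# lost in the archive is omitted).
SAMPLE_FILTER='*filter
:INPUT ACCEPT [18453:2703999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [255753:190461092]
:external - [0:0]
-A INPUT -i eth0 -j external
-A external -p tcp -m tcp --dport 1050 -j ACCEPT
-A external -p tcp -m tcp --dport 8080 -j ACCEPT
-A external -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A external -j ACCEPT
COMMIT'

# Constructed dump of the "iptables -t nat" rules quoted above.
SAMPLE_NAT='*nat
:PREROUTING DROP [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -s 192.0.2.10/32 -j ACCEPT
COMMIT'

audit_sample_filter() { printf '%s\n' "$SAMPLE_FILTER" | audit_dump; }
audit_sample_nat()    { printf '%s\n' "$SAMPLE_NAT" | audit_dump; }

# Stand-alone run: audit both samples.
audit_sample_filter
audit_sample_nat
```

On a live box, source the file and pipe the real dump in with `iptables-save | audit_dump`.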



Re: Iptables config

2002-04-15 Thread Mathias Palm

I'd say it might very well work correctly, but the table nat is not
made for package filtering but for address translation
(nat--network address translation) which is used for masquerading and
portforwarding. If you only want a filtering firewall you might very well
save yourself the effort to compile the nat modules and so on.

It might become a problem, when you have a more complicated firewall setup, where
you want to reject every package aiming at the firewall, but snat or masq an
internal network. You can read about this (at least to understand the
principles) in the Firewall- and Masquerading-HOWTOS which are part of debian. 

It is problably the same question why nobody uses vi to read postscript
documents when gs is available. It might work, but it is cumbersome. (Sorry
if I get polemic.)

Mathias

On Sun, Apr 14, 2002 at 09:11:55AM +0200, Marcin Bednarz wrote:
> 
> Hello.
> 
> I wrote :
> 
> >
> > # change of politics to drop
> > iptables -t nat -P PREROUTING DROP
> > iptables -t nat -P POSTROUTING DROP
> >
> > #add ssh serwer (allow incoming)
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j 
>ACCEPT
> >
> > #add pop3 and imap
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j 
>ACCEPT
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j 
>ACCEPT
> >
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j 
>ACCEPT
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j 
>ACCEPT
> >
> > iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
> >
> > # are you want to alow ping you machine ? (I dont know if postfix require it)
> > iptables -t nat -A PREROUTING  -d $yourPublicIP -p icmp -j ACCEPT
> > iptables -t nat -A POSTROUTING  -s $yourPublicIP -p icmp -j ACCEPT
> 
> and ...
> #SMTP
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 25  -j 
>ACCEPT
> 
> 
> Why it is not correct ?
> Why you use filter table, not nat ?
> I am beginner so please help me if I don't understand anything.
> 
> Jakub S.
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 






Re: Iptables config - new

2002-04-15 Thread Mathias Palm

As mentioned in some other mail, always use iptables -F INPUT first to
avoid piling up rules like in your case. You defined three rules and
there shouldn't be more (it's not a Windows machine after all).

A couple more questions. What is your network setup: are 192.168.2.2 and
xxx.yyy.zzz.com (the IP it resolves to, that is) different adaptors,
possibly xxx.yyy.zzz.com is eth0 and the other one eth1? All your
rules apply only to packets coming in on eth0, except
the default rule. So I would assume the SMTP connection coming from the
internal network is not coming through eth0 but is the one which got
accepted in the default policy line?

> Chain INPUT (policy ACCEPT 1 packets, 102 bytes)

I still cannot say where the missing SMTP packets are. Try to use

iptables -nvL (-n keeps iptables from reverse-resolving IP addresses and
port numbers)

just to make sure; smtp means port 25.

As your last line, put in a rule which logs all packets which don't get
affected by any of the rules, and monitor your adaptor using

tcpdump -i eth0

Finally check the other rulesets in iptables, e.g. nat (by iptables -t
nat -vnL) or just dump everything to the console using iptables-save.

Looking at all these, people might say more about SMTP packets going
astray.

Mathias







RE: Iptables config

2002-04-15 Thread VERBEEK, Francois
Simple and easy does the trick when working with such scripts.
It's the result of an iptables-save.

# Generated by iptables-save v1.2.5 on Mon Apr  8 18:10:23 2002
*filter
#
# DEFAULT POLICIES
#

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

#
# INPUT and OUTPUT chains are only used when packets are going to be treated by
# your machine (i.e. does not apply to forwarded packets)
#
#
# The following line makes the conntrack module be loaded.
#
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only SSH connections from management machines are allowed to get in; you may want
# to replace ssh by any service running on your machine,
# and $internal_mgt by the machines you allow to speak to those services
#
-A INPUT -s $internal_mgt -p tcp -m tcp --dport 22 -j ACCEPT
#
# Note: there is nothing against spoofing or so in here... not such a good idea.
#
# Some silent drops (there are plenty of broadcast/multicast which would fill
# the logs if left to themselves...)
#
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -d $lanbcst -j DROP
-A INPUT -d 224.0.0.0/3 -j DROP
# and let's log the rest
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG
# nothing going out except connections established
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

-Original Message-
From:   Marcin Bednarz [SMTP:[EMAIL PROTECTED]
Sent:   dimanche 14 avril 2002 09:15
To: Lars Roland Kristiansen
Cc: 
Subject:    Re: Iptables config


Hello.

I wrote :

>
> # change of policy to drop
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
>
> # add ssh server (allow incoming)
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
>
> # add pop3 and imap
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
>
> # do you want to allow ping to your machine? (I don't know if postfix requires it)
> iptables -t nat -A PREROUTING  -d $yourPublicIP -p icmp -j ACCEPT
> iptables -t nat -A POSTROUTING  -s $yourPublicIP -p icmp -j ACCEPT

and ...
#SMTP
iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 25  -j ACCEPT


Why is it not correct?
Why do you use the filter table, not nat?
I am a beginner, so please help me if I don't understand something.

Jakub S.


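Two things about the file above are worth knowing before feeding it to iptables-restore: it does not expand shell variables, so $internal_mgt and $lanbcst would be loaded literally (and fail), and a built-in chain's policy line needs its [packets:bytes] counters, as iptables-save itself writes them. The following is an added example and not Francois's own script: the same ruleset kept as a template with @name@ placeholders (written that way so nobody mistakes them for shell variables), a renderer that substitutes them only with values that look like IPv4 addresses or prefixes, and a refusal to emit anything with a placeholder left over. The addresses passed in at the bottom are made-up values for the example.

```sh
#!/bin/sh
# Added example (not from the thread): render an iptables-restore template.
# iptables-restore does not expand shell variables, so the management
# network and LAN broadcast address must be substituted before loading;
# built-in chain policies also need their [packets:bytes] counters.

# Constructed template following Francois's ruleset.
TEMPLATE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s @internal_mgt@ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -d @lanbcst@ -j DROP
-A INPUT -d 224.0.0.0/3 -j DROP
-A INPUT -j LOG
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Accept only dotted-quad addresses with an optional /prefix, so a typo
# or an empty value cannot turn "-s X" into a match-anything rule or
# smuggle sed syntax into the ruleset.
valid_addr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# render_rules MGMT_NET LAN_BCAST  -> rendered ruleset on stdout, or
# a message on stderr and exit status 1 if a value is unusable.
render_rules() {
    mgmt="$1"; bcast="$2"
    valid_addr "$mgmt"  || { echo "bad management address: $mgmt" >&2; return 1; }
    valid_addr "$bcast" || { echo "bad broadcast address: $bcast" >&2; return 1; }
    rendered=$(printf '%s\n' "$TEMPLATE" \
        | sed -e "s#@internal_mgt@#$mgmt#g" -e "s#@lanbcst@#$bcast#g")
    # Never hand iptables-restore a file with an unreplaced placeholder.
    if printf '%s\n' "$rendered" | grep -q '@[a-z_]*@'; then
        echo "unreplaced placeholder in template" >&2
        return 1
    fi
    printf '%s\n' "$rendered"
}

# Stand-alone run: print the ruleset. To load it for real (as root):
#   render_rules 192.168.2.0/24 192.168.2.255 | iptables-restore
render_rules 192.168.2.0/24 192.168.2.255
```

Because the rendered text is printed rather than loaded, it can be diffed against the current `iptables-save` output before anything changes on the box.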



Re: Iptables config - new

2002-04-14 Thread Peter Cordes
On Sun, Apr 14, 2002 at 12:28:16PM +0200, Lars Roland Kristiansen wrote:
> When using the following rules
> 
> -
> iptables -P INPUT ACCEPT
> 
> iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 25,110,22 -i eth0 -j 
> ACCEPT
> -
> 
> 
> 
> I get this output from iptables -vL.

 Looks like you've appended the same rules multiple times.  Use
iptables -F
to flush all the rules from all chains, then run your "firewall script" or
whatever you've cooked up :)

 Also, this is only the filter table.  If you have any rules in the NAT
table (which contains the PREROUTING, POSTROUTING and OUTPUT chains), they could be
having an effect.

> -
> Chain INPUT (policy ACCEPT 1 packets, 102 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
>     0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
>     0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
>    12   488 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>  1027 85784 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 10804 packets, 584K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> -
> 
> 
> And now I can't telnet to port 25 from another machine but I can from the
> local one. Like this
> 
> ---
> localmachine$ telnet 192.168.2.2 25
> Trying 192.168.2.2...
> Connected to 192.168.2.2.
> Escape character is '^]'.
> 220 xxx.yyy.zzz.com ESMTP Postfix (Debian/GNU)
> ---
> 
> ---
> remotemachine$ telnet xxx.yyy.zzz.com 25
> 421 xxx.yyy.zzz.com Sorry, unable to contact destination SMTP daemon.
> ---

 Have you used tcpdump while you tried this?  I bet it's waiting for an
ident (aka auth) request, since you reject the auth port with ICMP
port-unreachable, not TCP reset.  As Laurent mentioned, this web site
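Peter's diagnosis above (the same rules appended several times, because the script was run again without a flush) and Mathias's advice to dump everything with iptables-save can be turned into a check. This is an added example, not code from the thread: a shell function that reads iptables-save output on stdin and prints every rule that appears more than once, with its count. The sample dump inside the block is constructed to mirror the listing Lars posted (each rule loaded three times); on a live machine the call is `iptables-save | find_duplicate_rules`.

```sh
#!/bin/sh
# Added example (not from the thread): spot rules that were appended more
# than once. Reads iptables-save format on stdin, prints each duplicated
# rule once, prefixed with how many copies exist, and exits 1 if any.
find_duplicate_rules() {
    grep '^-A ' | sort | uniq -c \
        | awk '$1 > 1 { n++; print } END { exit n ? 1 : 0 }'
}

# Constructed sample dump mirroring the posted listing: the script that
# produced it was run three times without "iptables -F" in between.
SAMPLE_DUMP='# Generated by iptables-save v1.2.5
*filter
:INPUT ACCEPT [1:102]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10804:584000]
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Number of distinct rules that appear more than once (0 when clean).
count_duplicates() {
    printf '%s\n' "$1" | find_duplicate_rules | wc -l | tr -d ' '
}

# Stand-alone run on the sample: lists the four piled-up rules.
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_rules \
    || echo "duplicates found: run iptables -F before re-running the script"
```

The check only sees rules that are byte-for-byte identical in iptables-save form, which is exactly what repeated runs of the same script produce; two rules that differ only in match order are different rules to the kernel as well.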


Re: Iptables config - new

2002-04-14 Thread Lars Roland Kristiansen
When using the following rules

-
iptables -P INPUT ACCEPT

iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 25,110,22 -i eth0 -j 
ACCEPT
-



I get this output from iptables -vL.
-
Chain INPUT (policy ACCEPT 1 packets, 102 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
   12   488 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
 1027 85784 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:pop3
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:smtp

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10804 packets, 584K bytes)
 pkts bytes target     prot opt in     out     source               destination
-


And now I can't telnet to port 25 from another machine but I can from the
local one. Like this

---
localmachine$ telnet 192.168.2.2 25
Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.
220 xxx.yyy.zzz.com ESMTP Postfix (Debian/GNU)
---

---
remotemachine$ telnet xxx.yyy.zzz.com 25
421 xxx.yyy.zzz.com Sorry, unable to contact destination SMTP daemon.
---

If I issue the command "/etc/init.d/iptables clear", which sets all policies
to ACCEPT, I get the following output from iptables -vL.


-
Chain INPUT (policy ACCEPT 6 packets, 384 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 360 bytes)
 pkts bytes target     prot opt in     out     source               destination
--

And now I can telnet to port 25 from another machine. An important note
is that this problem is only with port 25; I can telnet to port 110 and 22
all the time.

Can anyone please enlighten me on this problem, as it is a bit weird.

thanks for all 


Re: Iptables config

2002-04-14 Thread Marcin Bednarz

Hello.

I wrote :

>
> # change of policy to drop
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
>
> # add ssh server (allow incoming)
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
>
> # add pop3 and imap
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j ACCEPT
> iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
>
> # do you want to allow ping to your machine? (I don't know if postfix requires it)
> iptables -t nat -A PREROUTING  -d $yourPublicIP -p icmp -j ACCEPT
> iptables -t nat -A POSTROUTING  -s $yourPublicIP -p icmp -j ACCEPT

and ...
#SMTP
iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 25  -j ACCEPT


Why is it not correct?
Why do you use the filter table, not nat?
I am a beginner, so please help me if I don't understand something.

Jakub S.





Re: Iptables config

2002-04-14 Thread Hubert Chan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

> "Peter" == Peter Cordes <[EMAIL PROTECTED]> writes:

Peter>  If you set INPUT policy to DROP, doesn't that drop everything,
Peter> not just incoming SYN packets?  If you want to be able to
Peter> establish any connections from the machine to anywhere else,
Peter> e.g. for an apt-get update (downloading stuff with ftp or http),
Peter> you need to allow that with iptables.  The rule you gave will let
Peter> the replies to your SYN be dropped.  I'm just learning iptables,
Peter> and I haven't figured out the connection tracking stuff yet.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

should do the trick.  If you use ftp, you should load the
ip_conntrack_ftp module, or use passive mode.  (FTP needs some special
handling since it sends the data over a different port.)  You may also
want to accept incoming icmp packets:

iptables -A INPUT -p icmp -j ACCEPT

- -- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8uQ7nZRhU33H9o38RAtfcAJ9Sh+qiUGv8aLjac2dbgRfrXjsudgCgzc6t
EmCaBsCXbtEz3/PNwoJQ6I0=
=HdB+
-END PGP SIGNATURE-






Re: Iptables config

2002-04-13 Thread Peter Cordes
On Fri, Apr 12, 2002 at 11:37:09AM +0200, Michal Melewski wrote:
> On Fri, Apr 12, 2002 at 11:17:38AM +0200, Lars Roland Kristiansen wrote:
> > Hi - I have just installed a mail server with postfix and wu-imap/pop3;
> > now I just want to have iptables running. I am no iptables guru, I just
> > want to close all except ssh (port 22), pop3 (port 110) and
> > imap (port 143). Is there an easy way to do this.
> 
> Sure it is easy...
> iptables -P INPUT DROP
> iptables -I INPUT -p tcp -s 0/0 --dport $port -i $dev -j DROP
                                                           ^^^^
                                                           ACCEPT

 If you set INPUT policy to DROP, doesn't that drop everything, not just
incoming SYN packets?  If you want to be able to establish any connections
from the machine to anywhere else, e.g. for an apt-get update (downloading
stuff with ftp or http), you need to allow that with iptables.  The rule you
gave will let the replies to your SYN be dropped.  I'm just learning
iptables, and I haven't figured out the connection tracking stuff yet.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE


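The points made in this sub-thread fit into one script: Peter's observation that a DROP policy also drops the replies to connections the machine opens, Hubert's answer (let connection tracking accept ESTABLISHED,RELATED, and accept ICMP), the ACCEPT that Michal's rule needs instead of DROP, and, from Mathias's replies further up, keeping policy in the filter table, using nat only for masquerading, flushing before re-running, and logging as the last rule. What follows is an added example written for this page, not a script posted by anyone in the thread. The interface names, addresses and networks (eth0/eth1, 203.0.113.10, 192.168.2.0/24) are placeholders, and the tcp-reset for ident on port 113 follows Peter's remark about ident lookups in his other reply. It runs in dry-run mode by default (IPT is "echo iptables") and so prints the rules it would load; run it with IPT=iptables as root to apply them.

```sh
#!/bin/sh
# Added example (not from the thread): a mail-server firewall done in the
# filter table, with nat used only for masquerading an internal network.
# Dry run by default; set IPT=iptables to load the rules for real (as root).
IPT="${IPT:-echo iptables}"

PUBLIC_IF="${PUBLIC_IF:-eth0}"          # assumed names and addresses
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # documentation-range placeholder
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
MGMT_NET="${MGMT_NET:-192.168.2.0/24}"   # where SSH logins may come from
SERVICES="${SERVICES:-25 110 143}"       # TCP ports open to the world

# Start from a clean slate so re-running the script does not pile up
# duplicate rules (the problem visible in the iptables -vL output above).
flush_all() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

# Policy lives in the filter table. The nat table keeps ACCEPT: only the
# first packet of a connection traverses it, so it cannot filter anyway.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
}

host_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections we opened (apt-get, outgoing mail) come back
    # as ESTABLISHED; helper-tracked channels such as FTP data as RELATED.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Our own LAN range must never arrive on the public side: spoofed.
    $IPT -A INPUT -i "$PUBLIC_IF" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT
    for port in $SERVICES; do
        $IPT -A INPUT -p tcp -d "$PUBLIC_IP" --dport "$port" -j ACCEPT
    done
    # Remote MTAs often try an ident lookup before talking SMTP; answer
    # with a TCP reset so they fail fast instead of waiting on a timeout.
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Last rule: log whatever nothing above matched; the policy then drops it.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Masquerading the internal network: translation in nat, permission in
# filter/FORWARD. Without the FORWARD rules nothing is forwarded at all.
gateway_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$PUBLIC_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$PUBLIC_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$PUBLIC_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_firewall() {
    flush_all
    set_policies
    host_rules
    gateway_rules
}

# Stand-alone run: prints the rules in dry-run mode.
apply_firewall
```

After loading for real, `iptables -nvL` and `iptables -t nat -nvL` should show exactly one copy of each rule above, with the LOG rule last in INPUT; if a remote telnet to port 25 still hangs, `tcpdump -i eth0 port 25 or port 113` shows whether the peer is stuck on the ident lookup.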




Re: Iptables config

2002-04-12 Thread Albrecht Frank



> Here is where I am now - if I don't run iptables it all works - for some
> reason closing all the ports and setting the default policy to deny doesn't
> seem to work (if I then afterwards set smtp, pop3, ssh to allow). But setting
> the default policy to allow and then using nmap to detect what ports
> are open and then closing them via iptables seems to work ok. (but only if I
> use another script than /etc/init.d/iptables) ???




Hi all there,
perhaps it helps, if you'd have a look at ipmasq? (debian package)

Greetings
Albrecht







Re: Iptables config

2002-04-12 Thread Mathias Palm
On Fri, Apr 12, 2002 at 04:05:54PM +0200, Lars Roland Kristiansen wrote:
> Here is where I am now - if I don't run iptables it all works - for some
> reason closing all the ports and setting the default policy to deny doesn't
> seem to work (if I then afterwards set smtp, pop3, ssh to allow). But setting
> the default policy to allow and then using nmap to detect what ports
> are open and then closing them via iptables seems to work ok. (but only if I
> use another script than /etc/init.d/iptables) ???
> 

Type iptables -vL to find out what your configuration is. If I
understand right, iptables seems to be configured differently when
doing it by hand than when doing it by script.

Send the output to the list if still not successful.
 
Set the default policy to drop, and open the ports as you need them.
The last line in the configuration is something like

iptables -A INPUT -p tcp -j LOG 

Every packet, which doesn't get accepted is logged (to the console I
believe).

Log all the packets on the interface in question using 
tcpdump -i interface (also read the manpages for further information).
 
> 
> thanks for the help
> 

You are welcome
Mathias

> ___
> Mvh./Yours sincerely
> 
> Lars 
> 
> 
> Lars Roland Kristiansen | Email:[EMAIL PROTECTED] 
> Stu. Sci. Math/Computer science | TLF(home):39670663 
> Copenhagen University - | Home address: Emdrupvej 175 
> Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV 
> Url: www.math.ku.dk |
> 
> 
>"Politics is for the moment, equations are forever"
> - Albert Einstein
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
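Mathias' LOG rule writes one kernel log line per packet that reaches it, with the SRC, DST, PROTO and DPT fields of the packet. As an added example (not code from the thread), here is a small POSIX shell script that summarises such lines by protocol and destination port, which is the quickest way to see what a host with a default DROP policy is actually refusing. The log lines are constructed samples; the "iptables-drop: " prefix in them is an assumption (set with --log-prefix on the LOG rule; plain -j LOG writes the same fields without a prefix, and the script does not depend on it):

```shell
#!/bin/sh
# Added example, not from the thread: summarise what an iptables LOG rule
# records. The lines in SAMPLE_LOG are constructed; the "iptables-drop: "
# prefix is an assumption (plain "-j LOG" writes the same fields, unprefixed).

SAMPLE_LOG='Apr 12 13:25:01 mailhost kernel: iptables-drop: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 12 13:25:03 mailhost kernel: iptables-drop: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 12 13:25:09 mailhost kernel: iptables-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=TCP SPT=1024 DPT=113 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 12 13:25:10 mailhost kernel: iptables-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=28 TOS=0x00 PREC=0x00 TTL=240 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=8
Apr 12 13:25:11 mailhost kernel: iptables-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Apr 12 13:25:12 mailhost sshd[1234]: Accepted publickey for lars from 192.0.2.10 port 51240 ssh2'

# drop_summary: read kernel log lines on stdin and print "PROTO/DPT count",
# most frequent first. Lines without both a PROTO and a DPT field (ICMP,
# unrelated syslog lines) are skipped.
drop_summary() {
    grep 'IN=.* PROTO=' | awk '
    {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "" && dpt != "") count[proto "/" dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k2,2nr -k1,1
}

# dropped_count PROTO DPT: how many logged packets hit one service, e.g.
# "dropped_count TCP 25" tells whether SMTP clients are being refused.
dropped_count() {
    printf '%s\n' "$SAMPLE_LOG" | drop_summary |
        awk -v key="$1/$2" '$1 == key { n = $2 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

On a real host, feed it the kernel log instead of the sample (for instance dmesg | drop_summary, or the file syslog writes kernel messages to). Two of the sample lines are SYNs to port 25 from the same client, which is exactly the pattern to look for when "can't connect to smtp service" is reported while the policy is DROP.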





Re: Iptables config

2002-04-12 Thread Henrique Pedroni Neto
Sorry! 
I cannot see this :) 
Normally we use the SMTP protocol, not IMAP!

Thanks.

> True, but the necessary ports are 22, 110 and 143. Port 25 is for smtp 
> which Lars didn't want to open.






Re: Iptables config

2002-04-12 Thread Lars Roland Kristiansen
Here is where I am now - if I don't run iptables it all works - for some
reason closing all the ports and setting the default policy to deny doesn't
seem to work (if I then afterwards set smtp, pop3, ssh to allow). But setting
the default policy to allow and then using nmap to detect what ports
are open and then closing them via iptables seems to work ok. (but only if I
use another script than /etc/init.d/iptables) ???


Thanks for the help

___
Mvh./Yours sincerely

Lars 


Lars Roland Kristiansen | Email:[EMAIL PROTECTED] 
Stu. Sci. Math/Computer science | TLF(home):39670663 
Copenhagen University - | Home address: Emdrupvej 175 
Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV 
Url: www.math.ku.dk |


   "Politics is for the moment, equations are forever"
- Albert Einstein






Re: Iptables config

2002-04-12 Thread Michal Melewski
> well, it's better to replace DROP by ACCEPT in this last line if you want to
> accept the packets ;)
Damn ;)
Sure you are right; sorry, my fault.
I was a bit sleepy while writing this.


-- 
Michael "carstein" Melewski  |  "One day, he said, in a taped segment   
[EMAIL PROTECTED]|   that suggested chemical interrogation,
mobile: 502 545 913  |   everything had gone gray."
gpg: carstein.c.pl/carstein.txt  |   -- Corto , 'Neuromancer'





Re: Iptables config

2002-04-12 Thread Martin Peikert

Henrique Pedroni Neto wrote:
>> Hi - I have just installed a mailserver with postfix and wu-imap/pop3
>> now I just want to have iptables running. I am no iptables guru, I just
>> want to close all except ssh (port 22), pop3 (port 110) and
>> imap (port 143). Is there an easy way to do this?
>
> iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 25,110,22 -i $dev -j ACCEPT
>
> Just one line ;)


True, but the necessary ports are 22, 110 and 143. Port 25 is for smtp 
which Lars didn't want to open.


GTi





Re: Iptables config

2002-04-12 Thread Luis Gómez Miralles
On Fri, 12-04-2002 at 13:25, Lars Roland Kristiansen wrote:
> # SMTP
> iptables -I INPUT -p tcp -s 0/0 --dport 25 -i eth0 -j ACCEPT
> # SSH
> iptables -I INPUT -p tcp -s 0/0 --dport 22 -i eth0 -j ACCEPT
> # POP3
> iptables -I INPUT -p tcp -s 0/0 --dport 110 -i eth0 -j ACCEPT
> 
> I can connect to the server using ssh and pop3 but SMTP doesn't seem to
> be allowed?
> 
> 
> I get "cant conect to smtp service" when trying to mail 

Maybe smtp is working through inetd and so it could be filtered via tcp
wrappers as well. I'd recommend that you take a look at hosts.allow and
hosts.deny (in /etc).

Also, your "cant connect to smtp service" message is not very helpful. I
think it would be better if you do telnet smtp_host 25 and post the
output; I'm sure it will help more :-)

Regards

-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc





Re: Iptables config

2002-04-12 Thread Henrique Pedroni Neto
> Hi - I have just installed a mailserver with postfix and wu-imap/pop3
> now I just want to have iptables running. I am no iptables guru, I just
> want to close all except ssh (port 22), pop3 (port 110) and
> imap (port 143). Is there an easy way to do this?

> Sure it is easy...
> iptables -P INPUT DROP
> iptables -I INPUT -p tcp -s 0/0 --dport $port -i $dev -j DROP

> where dev is your interface, and port is your port (the last rule has to be
> written three times, one for every port)

It's not necessary to write this line three times; try this instead:

iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 25,110,22 -i $dev -j ACCEPT

Just one line ;)
[]'s
Henrique




Re: Iptables config

2002-04-12 Thread Tim Haynes
Laurent Luyckx <[EMAIL PROTECTED]> writes:

[snip]
> > i get "cant conect to smtp service" when trying to mail 
> 
> try by rejecting port 113 requests with :
> 
> iptables -I INPUT -p tcp -s 0/0 --dport 113 -i eth0 -j REJECT

If you're going to use -j REJECT for a TCP packet, you really ought to use
`--reject-with tcp-reset' as well. 

See  for more.

~Tim
-- 
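Putting the thread's pieces together: Peter's observation that a DROP policy also discards the replies to connections the host opens itself, Henrique's multiport rule, and Tim's tcp-reset on REJECT for the ident probes Laurent pointed at. The following is an added example (not a script from the thread, and not Debian's /etc/init.d/iptables) that builds the whole INPUT chain of the default filter table, which is where packets addressed to this host are filtered. DEV, PORTS and APPLY are assumptions of the example; by default the script only prints the rules it would run, and applies them only when APPLY=1 is set in the environment:

```shell
#!/bin/sh
# Added example, not from the thread: a stateful allow-list for the INPUT
# chain of the filter table. DEV, PORTS and APPLY are assumptions of this
# example; without APPLY=1 the rules are only printed for review.

DEV="${DEV:-eth0}"            # interface facing the network
PORTS="${PORTS:-22,110,143}"  # ssh, pop3 and imap, the services Lars wanted

# rule ARGS...: print the iptables invocation, and run it only when APPLY=1
rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    fi
}

# gen_rules DEV PORTS: emit the complete INPUT policy for one interface.
# Order matters: iptables evaluates rules top to bottom, and the chain
# policy only applies to packets no rule matched.
gen_rules() {
    dev="$1"; ports="$2"
    # start from an empty chain (policy is still whatever it was)
    rule -F INPUT
    # loopback stays open (local delivery, local tools)
    rule -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened (apt-get, DNS lookups, outbound
    # SMTP) are recognised by connection tracking; without this rule a DROP
    # policy discards them, which is the problem Peter described
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the published services: one multiport rule, new connections only
    rule -A INPUT -i "$dev" -p tcp -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
    # ident (113): remote mail servers often probe it before talking SMTP; a
    # TCP RST answers immediately instead of letting the probe time out
    rule -A INPUT -i "$dev" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # log what is left before the policy drops it, rate-limited so a port
    # scan cannot fill the log
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    # default deny, set last so an existing ssh session is not cut off while
    # the chain is being rebuilt
    rule -P INPUT DROP
}

gen_rules "$DEV" "$PORTS"
```

Run it as-is to review the rule list, then as root with APPLY=1 to load it; DEV=eth1 or PORTS=22,25,110,143 override the defaults without editing the file. Because the ESTABLISHED,RELATED rule sits above the service rules, adding SMTP later is a change to PORTS only, and the LOG rule at the bottom is what the summariser further up the thread reads.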






Re: Iptables config

2002-04-12 Thread Laurent Luyckx
In reply to Lars Roland Kristiansen <[EMAIL PROTECTED]>:

> Thanks for the quick response
> 
> I have put this in my /etc/default/iptables file 
> 
> # Deny ALL
> iptables -P INPUT DROP
> 
> # Allow these services
> 
> # SMTP
> iptables -I INPUT -p tcp -s 0/0 --dport 25 -i eth0 -j ACCEPT
> # SSH
> iptables -I INPUT -p tcp -s 0/0 --dport 22 -i eth0 -j ACCEPT
> # POP3
> iptables -I INPUT -p tcp -s 0/0 --dport 110 -i eth0 -j ACCEPT
> 
> I can connect to the server using ssh and pop3 but SMTP doesn't seem to
> be allowed?
> 
> 
> I get "cant conect to smtp service" when trying to mail 

Try rejecting port 113 requests with:

iptables -I INPUT -p tcp -s 0/0 --dport 113 -i eth0 -j REJECT



-
This mail sent through Tiscalinet Webmail (http://webmail.tiscalinet.be)





RE: Iptables config

2002-04-12 Thread Bart-Jan Vrielink
On Fri, 2002-04-12 at 13:27, VERBEEK, Francois wrote:
> BTW if you plan to use --dport you need rather a line like
> 
> iptables -A INPUT -p tcp -s 0/0 -m tcp --dport 22 -i $dev -j ACCEPT

-m tcp is not needed. See manpage:

MATCH EXTENSIONS
   iptables can use extended packet matching modules. These are loaded in two
   ways: implicitly, when -p or --protocol is specified, or with the -m or
   --match options, followed by the matching module name; after these, various
   extra command line options become available, depending on the specific
   module. You can specify multiple extended match modules in one line, and
   you can use the -h or --help options after the module has been specified
   to receive help specific to that module.

So the tcp extension is already implicitly loaded by using -p tcp.

-- 
See you,

Bart-Jan



RE: Iptables config

2002-04-12 Thread VERBEEK, Francois
BTW, if you plan to use --dport you rather need a line like

iptables -A INPUT -p tcp -s 0/0 -m tcp --dport 22 -i $dev -j ACCEPT

François 

-Original Message-
From:   Michal Melewski [SMTP:[EMAIL PROTECTED]
Sent:   Friday 12 April 2002 11:37
To: debian-security@lists.debian.org
Subject:Re: Iptables config




Re: Iptables config

2002-04-12 Thread Lars Roland Kristiansen
Thanks for the quick response

I have put this in my /etc/default/iptables file 

# Deny ALL
iptables -P INPUT DROP

# Allow these services

# SMTP
iptables -I INPUT -p tcp -s 0/0 --dport 25 -i eth0 -j ACCEPT
# SSH
iptables -I INPUT -p tcp -s 0/0 --dport 22 -i eth0 -j ACCEPT
# POP3
iptables -I INPUT -p tcp -s 0/0 --dport 110 -i eth0 -j ACCEPT

I can connect to the server using ssh and pop3 but SMTP doesn't seem to
be allowed?


I get "cant conect to smtp service" when trying to mail 

___
Mvh./Yours sincerely

Lars 


Lars Roland Kristiansen | Email:[EMAIL PROTECTED] 
Stu. Sci. Math/Computer science | TLF(home):39670663 
Copenhagen University - | Home address: Emdrupvej 175 
Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV 
Url: www.math.ku.dk |


   "Politics is for the moment, equations are forever"
- Albert Einstein




Re: Iptables config

2002-04-12 Thread Laurent Luyckx
In reply to Michal Melewski <[EMAIL PROTECTED]>:

> On Fri, Apr 12, 2002 at 11:17:38AM +0200, Lars Roland Kristiansen wrote:
> > Hi - I have just installed a mailserver with postfix and wu-imap/pop3
> > now I just want to have iptables running. I am no iptables guru, I just
> > want to close all except ssh (port 22), pop3 (port 110) and 
> > imap (port 143). Is there an easy way to do this?
> 
> Sure it is easy...
> iptables -P INPUT DROP
> iptables -I INPUT -p tcp -s 0/0 --dport $port -i $dev -j DROP
well, it's better to replace DROP by ACCEPT in this last line if you want to
accept the packets ;)

> where dev is your interface, and port is your port (the last rule has to
> be written three times, one for every port)
> 
> This is the easiest way (I'm not saying the best :) )
> 
> 
> > 
> > ___
> > Mvh./Yours sincerely
> > 
> > Lars 
> > 
> 
> -- 
> Michael "carstein" Melewski|  "One day, he said, in a taped segment   
> [EMAIL PROTECTED]  |   that suggested chemical
> interrogation,
> mobile:   502 545 913  |   everything had gone gray."
> gpg: carstein.c.pl/carstein.txt|   -- Corto , 'Neuromancer'
> 


-
This mail sent through Tiscalinet Webmail (http://webmail.tiscalinet.be)





Re: Iptables config

2002-04-12 Thread Marcin Bednarz

Hello
I will try to help you.

> Hi - I have just installed a mailserver with postfix and wu-imap/pop3
> now I just want to have iptables running. I am no iptables guru, I just
> want to close all except ssh (port 22), pop3 (port 110) and
> imap (port 143). Is there an easy way to do this?


# change policy to DROP
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP

# add ssh server (allow incoming)
iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT

# add pop3 and imap
iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j ACCEPT
iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j ACCEPT

iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j ACCEPT
iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j ACCEPT

iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT

# do you want to allow ping to your machine? (I don't know if postfix requires it)
iptables -t nat -A PREROUTING  -d $yourPublicIP -p icmp -j ACCEPT
iptables -t nat -A POSTROUTING  -s $yourPublicIP -p icmp -j ACCEPT



I think that is all.
Jakub Staszek






Re: Iptables config

2002-04-12 Thread Michal Melewski
On Fri, Apr 12, 2002 at 11:17:38AM +0200, Lars Roland Kristiansen wrote:
> Hi - I have just installed a mailserver with postfix and wu-imap/pop3
> now I just want to have iptables running. I am no iptables guru, I just
> want to close all except ssh (port 22), pop3 (port 110) and 
> imap (port 143). Is there an easy way to do this?

Sure it is easy...
iptables -P INPUT DROP
iptables -I INPUT -p tcp -s 0/0 --dport $port -i $dev -j DROP

where dev is your interface, and port is your port (the last rule has to be
written three times, one for every port)

This is the easiest way (I'm not saying the best :) )


> 
> ___
> Mvh./Yours sincerely
> 
> Lars 
> 

-- 
Michael "carstein" Melewski  |  "One day, he said, in a taped segment   
[EMAIL PROTECTED]|   that suggested chemical interrogation,
mobile: 502 545 913  |   everything had gone gray."
gpg: carstein.c.pl/carstein.txt  |   -- Corto , 'Neuromancer'




Iptables config

2002-04-12 Thread Lars Roland Kristiansen
Hi - I have just installed a mailserver with postfix and wu-imap/pop3;
now I just want to have iptables running. I am no iptables guru, I just
want to close all except ssh (port 22), pop3 (port 110) and 
imap (port 143). Is there an easy way to do this?

___
Mvh./Yours sincerely

Lars 


Lars Roland Kristiansen | Email:[EMAIL PROTECTED] 
Stu. Sci. Math/Computer science | TLF(home):39670663 
Copenhagen University - | Home address: Emdrupvej 175 
Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV 
Url: www.math.ku.dk |


   "Politics is for the moment, equations are forever"
- Albert Einstein


