Re: iptables question

[Pascal Hambourg]

Le 14/11/2016 à 00:48, deloptes a écrit :

Pascal Hambourg wrote:


Well then, all I can suggest is to run a packet capture and try to see
what's going on.


I guess  you mean on the firewall?


Yes.

Re: iptables question

[deloptes]

Henning Follmann wrote:

> Last time I chime in here.
> I understand growth and chaos, believe me. However sometimes we need a
> nudge or a kick in the but to clean up. Maybe this is your call..

It is kicking me and calling me since some time but I can not do this before
next summer. I have to sit there with RS232 cable to be able to do the
testing and repair if something fails. Perhaps I have luck and I can do it
earlier, but not very likely.

> Simplicity is a beautiful thing my friend

yes indeed - as I mentioned I did not write this and I don'T know why the
guy who wrote it, did it that way.

regards

Re: iptables question

[Henning Follmann]

On Mon, Nov 14, 2016 at 12:45:20AM +0100, deloptes wrote:
> Henning wrote:
> 
> > And usually there is no reason for two separate rfc1918 address ranges.
> > Pick one matching your address space needs and design subnets.
> > There is only one single reason for nat: you have more hosts than routable
> > ip addresses. I guess 10.0.0.0 meets even the biggest organizations.
> 
> Thank you for the line of argumentation. As usual if something works for 10y
> it undergoes a lot of changes. So the reason for not using 10.0.0.0
> internally is that it is historically that way. Some years ago the firewall
> was connected to the public network directly. The new provider gave me the
> modem and it uses automatically 10.0.0.0, which I can not influence. I just
> did the DMZ - this was the time I tried to rewrite the firewall rules, but
> I found out I need to read again a lot about iptables and more important it
> would mean I would need to experiment and jeopardize the network.
> The setup is useful in the way that the whole wireless network is outside
> the firewall in the 10.0.0.0/24 range. All that I need for operating works
> perfectly. Now the only problem is that I can not access anything else on
> the 10.0.0.0 network except the modem.
> 
> thanks again
> 
> 

Last time I chime in here.
I understand growth and chaos, believe me. However sometimes we need a
nudge or a kick in the but to clean up. Maybe this is your call.
Simplicity is a beautiful thing my friend.


-H

-- 
Henning Follmann   | hfollm...@itcfollmann.com

Re: iptables question

[deloptes]

deloptes wrote:

> Igor Cicimov wrote:
> 
>> Run tcpdump and check whats happening
> 
> That is strange - I will look into this direction - let me know if you
> have any ideas
> 
> regards
> 
> 
> tcpdump -vvv dst 10.0.0.7
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 08:07:11.591763 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
> tell 10.0.0.1, length 28
> 08:07:12.591729 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
> tell 10.0.0.1, length 28
> 08:07:13.591686 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
> tell 10.0.0.1, length 28
> 08:07:14.595695 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
> tell 10.0.0.1, length 28
> 08:07:15.595632 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
> tell 10.0.0.1, length 28
> 08:07:16.595620 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
> tell 10.0.0.1, length 28
> 
> 
> 
> tcpdump -vvv dst 10.0.0.138
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 08:04:55.765744 IP (tos 0x0, ttl 63, id 26002, offset 0, flags [DF], proto
> TCP (6), length 60)
> 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [S], cksum 0xc2c6 (correct),
> seq
> 2408995280, win 29200, options [mss 1460,sackOK,TS val 223296578 ecr
> 0,nop,wscale 7], length 0
> 08:04:55.767594 IP (tos 0x0, ttl 63, id 26003, offset 0, flags [DF], proto
> TCP (6), length 40)
> 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x242c (correct),
> seq
> 2408995281, ack 3147433360, win 229, length 0
> 08:04:55.772423 IP (tos 0x0, ttl 63, id 44890, offset 0, flags [none],
> proto UDP (17), length 69)
> 10.0.0.1.24455 > 10.0.0.138.domain: [udp sum ok] 7454+ PTR?
> 138.0.0.10.in-addr.arpa. (41)
> 08:04:55.774778 IP (tos 0x0, ttl 63, id 26004, offset 0, flags [DF], proto
> TCP (6), length 79)
> 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0xfb15 (correct),
> seq
> 0:39, ack 1, win 229, length 39
> 08:04:55.787360 IP (tos 0x0, ttl 63, id 26005, offset 0, flags [DF], proto
> TCP (6), length 40)
> 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x23eb (correct),
> seq
> 39, ack 27, win 229, length 0
> 08:04:55.789504 IP (tos 0x0, ttl 63, id 26006, offset 0, flags [DF], proto
> TCP (6), length 1500)
> 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x7c86 (correct),
> seq
> 39:1499, ack 27, win 229, length 1460
> 08:04:55.789680 IP (tos 0x0, ttl 63, id 26007, offset 0, flags [DF], proto
> TCP (6), length 228)
> 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0x46dd (correct),
> seq
> 1499:1687, ack 27, win 229, length 188
> 08:04:55.791326 IP (tos 0x0, ttl 63, id 26008, offset 0, flags [DF], proto
> TCP (6), length 312)
> 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0xb0d6 (correct),
> seq
> 1687:1959, ack 339, win 237, length 272
> 08:04:55.796226 IP (tos 0x0, ttl 63, id 44893, offset 0, flags [none],
> proto UDP (17), length 67)
> 10.0.0.1.63625 > 10.0.0.138.domain: [udp sum ok] 17121+ PTR?
> 1.0.0.10.in-addr.arpa. (39)
> 08:04:58.223139 IP (tos 0x0, ttl 63, id 26009, offset 0, flags [DF], proto
> TCP (6), length 56)
> 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0x0ea9 (correct),
> seq
> 1959:1975, ack 915, win 246, length 16



My wife turned off the wireless

08:59:06.127029 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
tell 10.0.0.1, length 28
08:59:06.202411 IP (tos 0x0, ttl 63, id 50126, offset 0, flags [DF], proto
TCP (6), length 60)
10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x5a12 (correct), seq
3855619686, win 29200, options [mss 1460,sackOK,TS val 226547112 ecr
0,nop,wscale 7], length 0
08:59:07.172012 IP (tos 0x0, ttl 63, id 50127, offset 0, flags [DF], proto
TCP (6), length 60)
10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x55fa (correct), seq
3855619686, win 29200, options [mss 1460,sackOK,TS val 226548160 ecr
0,nop,wscale 7], length 0
08:59:09.219907 IP (tos 0x0, ttl 63, id 50128, offset 0, flags [DF], proto
TCP (6), length 60)
10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x4dfa (correct), seq
3855619686, win 29200, options [mss 1460,sackOK,TS val 226550208 ecr
0,nop,wscale 7], length 0
08:59:13.251697 IP (tos 0x0, ttl 63, id 50129, offset 0, flags [DF], proto
TCP (6), length 60)
10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x3e3a (correct), seq
3855619686, win 29200, options [mss 1460,sackOK,TS val 226554240 ecr
0,nop,wscale 7], length 0
08:59:21.571248 IP (tos 0x0, ttl 63, id 50130, offset 0, flags [DF], proto
TCP (6), length 60)
10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x1dba (correct), seq
3855619686, win 29200, options [mss 1460,sackOK,TS val 226562560 ecr
0,nop,wscale 7], length 0
08:59:37.954393 IP (tos 0x0, ttl 63, id 50131, offset 0, flags [DF], proto
TCP (6), length 60)
10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0xddb9 (correct), seq
3855619686, win 29200, options [mss 1460,sackOK,TS val 226578944 ecr
0,nop,wscale 7], 

Re: iptables question

[deloptes]

Igor Cicimov wrote:

> Run tcpdump and check whats happening

That is strange - I will look into this direction - let me know if you have
any ideas

regards


tcpdump -vvv dst 10.0.0.7
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes
08:07:11.591763 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
tell 10.0.0.1, length 28
08:07:12.591729 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
tell 10.0.0.1, length 28
08:07:13.591686 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
tell 10.0.0.1, length 28
08:07:14.595695 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
tell 10.0.0.1, length 28
08:07:15.595632 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
tell 10.0.0.1, length 28
08:07:16.595620 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696
tell 10.0.0.1, length 28



tcpdump -vvv dst 10.0.0.138
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes
08:04:55.765744 IP (tos 0x0, ttl 63, id 26002, offset 0, flags [DF], proto
TCP (6), length 60)
10.0.0.1.52112 > 10.0.0.138.ssh: Flags [S], cksum 0xc2c6 (correct), seq
2408995280, win 29200, options [mss 1460,sackOK,TS val 223296578 ecr
0,nop,wscale 7], length 0
08:04:55.767594 IP (tos 0x0, ttl 63, id 26003, offset 0, flags [DF], proto
TCP (6), length 40)
10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x242c (correct), seq
2408995281, ack 3147433360, win 229, length 0
08:04:55.772423 IP (tos 0x0, ttl 63, id 44890, offset 0, flags [none], proto
UDP (17), length 69)
10.0.0.1.24455 > 10.0.0.138.domain: [udp sum ok] 7454+ PTR?
138.0.0.10.in-addr.arpa. (41)
08:04:55.774778 IP (tos 0x0, ttl 63, id 26004, offset 0, flags [DF], proto
TCP (6), length 79)
10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0xfb15 (correct), seq
0:39, ack 1, win 229, length 39
08:04:55.787360 IP (tos 0x0, ttl 63, id 26005, offset 0, flags [DF], proto
TCP (6), length 40)
10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x23eb (correct), seq
39, ack 27, win 229, length 0
08:04:55.789504 IP (tos 0x0, ttl 63, id 26006, offset 0, flags [DF], proto
TCP (6), length 1500)
10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x7c86 (correct), seq
39:1499, ack 27, win 229, length 1460
08:04:55.789680 IP (tos 0x0, ttl 63, id 26007, offset 0, flags [DF], proto
TCP (6), length 228)
10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0x46dd (correct), seq
1499:1687, ack 27, win 229, length 188
08:04:55.791326 IP (tos 0x0, ttl 63, id 26008, offset 0, flags [DF], proto
TCP (6), length 312)
10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0xb0d6 (correct), seq
1687:1959, ack 339, win 237, length 272
08:04:55.796226 IP (tos 0x0, ttl 63, id 44893, offset 0, flags [none], proto
UDP (17), length 67)
10.0.0.1.63625 > 10.0.0.138.domain: [udp sum ok] 17121+ PTR?
1.0.0.10.in-addr.arpa. (39)
08:04:58.223139 IP (tos 0x0, ttl 63, id 26009, offset 0, flags [DF], proto
TCP (6), length 56)
10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0x0ea9 (correct), seq
1959:1975, ack 915, win 246, length 16

Re: iptables question

[Igor Cicimov]

On 13 Nov 2016 11:20 am, "deloptes"  wrote:
>
> Joe wrote:
>
> > On Sat, 12 Nov 2016 22:15:45 +0100
> > deloptes  wrote:
> >
> >> Hi,
> >> I need some help and I'll appreciate it.
> >>
> >> I have a firewall with iptables behind the modem.
> >> on this firewall I have
> >> eth0 with ip 10..1 to the modem ip: 10..12
> >> eth1 with ip 192..1 to the intranet
> >>
> >> iptables is doing SNAT from 192..1 to 10..1
> >>
> >> I wonder how I can ssh from 192..NN to 10..NN
> >> What magic should I apply to make it happen?
> >>
> >> Thanks in advance
> >>
> >>
> >
> > Can we take it that this does not work now? If that is the case, are
> > you sure that iptables is preventing it? There are other possible
> > reasons for a new ssh link not to work.
> >
>
> Yes, it is not working and yes it might be a different issue. So here is
> some additional information, if you wish.
>
> >From one computer ip 10..6 I can ssh to 10..7 and vv.
> I also see that iptables forwards to the output, but in the output nothing
> happens. So it is either in the output chain, or the back route blocks.
>
> > A typical simple iptables script will allow what you want to do to
> > happen already, so there must either be some iptables restriction in
> > place now, or there is some other reason for ssh not working. Are you
> > able to connect to the modem web configuration page from the 192.
> > network?
> >
>
> Yes I forgot to mention that I can connect from 192..NN to the modem ip
via
> ssh lets say 10..200.
>
> On the modem there is also firewall. I tried disableing it but it did not
> help.
>
> And you can bet there is restriction - basically it is pretty tight and is
> opened only what is needed to intranet and basically all to modem net
>
> > The SNAT should not be an issue, it can handle all protocols
> > transparently, and ssh uses the same tcp protocol as http.
> >
> > If there are iptables restrictions on outgoing protocols, you need to
> > find the rule permitting tcp/80 to be forwarded, copy it and replace 80
> > with 22. Once this is working, we can restrict the destination to the
> > 10. network, as presumably any existing port 80 rule allows connection
> > to anywhere and you may not want that for ssh.
>
> there is nothing regarding the output - no rules based on ports
>
> thanks
>

Run tcpdump and check whats happening

Re: iptables question

[Igor Cicimov]

On 14 Nov 2016 12:50 am, "Pascal Hambourg"  wrote:
>
> Le 13/11/2016 à 13:37, Joe a écrit :
>>>
>>>
>>> PPTP rather falls into the "complex protocols" described below.
>>
>>
>> Exactly so. You wouldn't believe how many routers of ten years ago or
>> so didn't handle it properly, at least with their initial firmware. But
>
>
> Why wouldn't I ? Knowing how NAT is tricky, I am not surprised at all
that the handling of "non standard" protocols (read : other than a single
TCP or UDP connection) by many NAT systems is broken.
>
>
>> it still doesn't need any additional NAT rules in iptables, the single
>> SNAT rule handles it, as well as tcp, udp etc. Other rules are needed
>> for correct *operation*, but not for NAT.
>
>
> Proper NAT handling of a non standard protocol requires proper connection
tracking, and both require additionnal conntrack/NAT helper modules.
> A security change in the conntrack/NAT helper management of recent
kernels requires additionnal iptables rule to explicitly attach a helper to
a connection. See the CT target.
>
> Without this, only simples cases may be handled correctly, when no more
than one host behind the NAT communicates with the same outside host.
Please read below.
>
>
>> Yes, I'm aware that NAT stops
>> plain IPSec working, as the endpoint IP addresses are involved in the
>> encryption. That isn't an iptables rule issue, and our single SNAT
>> rule will forward Protocol 47 and 50 just as easily as Protocol 6.
>
>
> Not as easily. IPSec protocols don't have ports, so SNAT cannot handle
communications from several hosts behind the NAT device to the same host
outside. The same applies to GRE without specific GRE handler support.
>
> Typical failure scenario :
>
> 1) Hosts A and B are behind the NAT router D and want to communicate with
outside host C.
>
> 2) Host A sends a packet to host C through NAT router D. D changes the
source address to its own and forwards the packet to C.
>
> 3) Host B sends a packet to host C through NAT router D. D changes the
source address to its own and forwards the packet to C.
>
> 4) Host C sends a reply packet to NAT router D. Problem : there is
nothing in the packet to tell D if it belongs to the connection initiated
by A or B and if it must forward the packet to A or B. Communication
failure. Actually netfilter conntrack detects the clash at stage 2) when B
sends the initial packet to C, and discards the packet.
>
One can use NAT-T in that case.

> With protocols such as TCP or UDP, the conntrack/NAT can use source and
destination ports to associate a packet with a known connection. But GRE or
IPSec don't have ports. GRE packets have some kind of connection ID, but
the standard netfilter NAT does not use it. So to avoid the failure in the
above scenario, you must use the GRE conntrack/NAT helper modules. However
there is no luck with IPSec.
>
>
>>> What is the "small-p sense" ?
>>
>>
>> In the sense of 'a defined system for data transfer', as opposed to the
>> Internet Protocols of tcp, udp, gre etc. http is spoken of as a
>> 'protocol', small-p, although it is a tiny subset of the tcp Internet
>> Protocol.
>
>
> I guess you mean "application layer protocol" such as HTTP or SSH as
opposed to "network layer protocol" such as IP or ICMP and "transport layer
protocol" such as TCP or UDP. I had never read this expression before.
>

Re: iptables question

[deloptes]

Pascal Hambourg wrote:

> Well then, all I can suggest is to run a packet capture and try to see
> what's going on.

I guess  you mean on the firewall? I am not even sure I can install tcpdump
there, but I will try and ask again for help here for sure

thanks

Re: iptables question

[deloptes]

Henning wrote:

> And usually there is no reason for two separate rfc1918 address ranges.
> Pick one matching your address space needs and design subnets.
> There is only one single reason for nat: you have more hosts than routable
> ip addresses. I guess 10.0.0.0 meets even the biggest organizations.

Thank you for the line of argumentation. As usual if something works for 10y
it undergoes a lot of changes. So the reason for not using 10.0.0.0
internally is that it is historically that way. Some years ago the firewall
was connected to the public network directly. The new provider gave me the
modem and it uses automatically 10.0.0.0, which I can not influence. I just
did the DMZ - this was the time I tried to rewrite the firewall rules, but
I found out I need to read again a lot about iptables and more important it
would mean I would need to experiment and jeopardize the network.
The setup is useful in the way that the whole wireless network is outside
the firewall in the 10.0.0.0/24 range. All that I need for operating works
perfectly. Now the only problem is that I can not access anything else on
the 10.0.0.0 network except the modem.

thanks again

Re: iptables question

[Henning]

> On Nov 13, 2016, at 5:19 PM, Pascal Hambourg  wrote:
> 
>> Le 13/11/2016 à 22:27, Henning a écrit :
>> I followed this thread and i wonder if there is a sane reason why you do nat 
>> inside your network. Why don't you just route between different subnets i.e. 
>>  10.0.1.0/24 and 10.0.2.0/24
> 
> Probably because the modem and hosts in 10.0.0.0/24 don't know about 
> 192.168.40.0/24.
> 

And usually there is no reason for two separate rfc1918 address ranges.
Pick one matching your address space needs and design subnets.
There is only one single reason for nat: you have more hosts than routable ip 
addresses. I guess 10.0.0.0 meets even the biggest organizations.

-H

Re: iptables question

[Pascal Hambourg]

Le 13/11/2016 à 21:43, deloptes a écrit :

Pascal Hambourg wrote:


replace 10.0.0.1/32 with 10.0.0.0/24 it does not work


You should double check that.


I checked replaced 10.0.0.1/32 with 10.0.0.0/24.


Just insert this rule and check whether it changes anything :

iptables -I FORWARD -j ACCEPT

If SSH works then the ruleset is faulty and I'll have to double-check
it. If SSH does not work, then the cause is elsewhere.

You can remove the rule with

iptables -D FORWARD -j ACCEPT


it does not work


Well then, all I can suggest is to run a packet capture and try to see 
what's going on.

Re: iptables question

[Pascal Hambourg]

Le 13/11/2016 à 22:27, Henning a écrit :

I followed this thread and i wonder if there is a sane reason why you do nat 
inside your network. Why don't you just route between different subnets i.e.  
10.0.1.0/24 and 10.0.2.0/24


Probably because the modem and hosts in 10.0.0.0/24 don't know about 
192.168.40.0/24.

Re: iptables question

[Henning]

I followed this thread and i wonder if there is a sane reason why you do nat 
inside your network. Why don't you just route between different subnets i.e.  
10.0.1.0/24 and 10.0.2.0/24
you still can have a firewall between those subnets

-H

Re: iptables question

[deloptes]

Pascal Hambourg wrote:

>> replace 10.0.0.1/32 with 10.0.0.0/24 it does not work
> 
> You should double check that.
> 

I checked replaced 10.0.0.1/32 with 10.0.0.0/24.

>>> This ruleset does not need improvements but a total rewrite.
>>
>> Yes I was thinking the same, I'll put it on the TODO. I even tried once
>> with fw builder - it couldn't even import properly, because import and
>> export produced not working firewall.
> 
> Just insert this rule and check whether it changes anything :
> 
> iptables -I FORWARD -j ACCEPT
> 
> If SSH works then the ruleset is faulty and I'll have to double-check
> it. If SSH does not work, then the cause is elsewhere.
> 
> You can remove the rule with
> 
> iptables -D FORWARD -j ACCEPT

it does not work

regards

Re: iptables question

[Pascal Hambourg]

Le 13/11/2016 à 20:40, deloptes a écrit :

Pascal Hambourg wrote:


Did you check the routing table on the firewall and the targets ? Do
they have a route to all the 10.0.0.0/24 range ?


the one I posted is on the firewall - firewall is the one I am trying to
modify.


The one you posted ? I didn't see a routing table in any of your posts.


I am not sure that I have a rule to all the 10.0.0.0/24 range, but even if I
replace 10.0.0.1/32 with 10.0.0.0/24 it does not work


You should double check that.


This ruleset does not need improvements but a total rewrite.


Yes I was thinking the same, I'll put it on the TODO. I even tried once with
fw builder - it couldn't even import properly, because import and export
produced not working firewall.


Just insert this rule and check whether it changes anything :

iptables -I FORWARD -j ACCEPT

If SSH works then the ruleset is faulty and I'll have to double-check 
it. If SSH does not work, then the cause is elsewhere.


You can remove the rule with

iptables -D FORWARD -j ACCEPT

Re: iptables question

[deloptes]

Pascal Hambourg wrote:

> Le 13/11/2016 à 16:05, deloptes a écrit :
>>
>> These are the rules - a friend created this like 10y ago. I added few
>> rules to forward ports from outside to the intranet and to be able to
>> handle VPN.
>> You can ignore  192.168.60.1 on eth2 - not used.
> 
> IMO, this ruleset is totally insane.
> 

Haha, yes for me it is also hard to understand it all ... but as I said in
the past 10y it did a good work.

> However, after clearing out all irrelevant rules, I see nothing in what
> is left which may block connections from 192.168.40.0/24 on eth1 to
> anywhere through the firewall :
> 
> *nat
> :PREROUTING ACCEPT [26000:2533530]
> :POSTROUTING ACCEPT [87:4966]
> :OUTPUT ACCEPT [28:2038]
> -A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :ifilter - [0:0]
> :ofilter - [0:0]
> -A INPUT -j ifilter
> -A FORWARD -j ifilter
> -A FORWARD -j ofilter
> -A OUTPUT -j ofilter
> -A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A ifilter -i eth1 -m state --state NEW -j ACCEPT
> 
> What happens exactly when your try to connect ? What is the command,
> what is the reply ? Did you make a packet capture on eth0 ?
> 

I do ssh user@10...6 and nothing happens - connection time out after ~1min

> Did you check the routing table on the firewall and the targets ? Do
> they have a route to all the 10.0.0.0/24 range ?
> 

the one I posted is on the firewall - firewall is the one I am trying to
modify.
I am not sure that I have a rule to all the 10.0.0.0/24 range, but even if I
replace 10.0.0.1/32 with 10.0.0.0/24 it does not work

>> Another important information perhaps is that the modem is configured to
>> have a DMZ with 10.0.0.1.
> 
> I don't think this is relevant. The modem is not involved.
> 

The modem is a wireless modem so the cable goes to the firewall 10..1 and
via the wlan I have 10..6 etc. So IMO it is involved, but I do not have
root on it - I have only the admin iface and there I see firewall is active
and setup in normal mode (you have easy and hard - translated from the
local language)

>> Devices 10.0.0.6 and 10.0.0.7 which I want to connect from 192 do not
>> have any firewalls - they are mobile phones.
>>
>> I will really appreciate your help - perhaps reviewing the rules and
>> suggesting improvements as well.
> 
> This ruleset does not need improvements but a total rewrite.

Yes I was thinking the same, I'll put it on the TODO. I even tried once with
fw builder - it couldn't even import properly, because import and export
produced not working firewall.
IT is a bit complicated. However I think the ruleset is not that bad as
testing from outside shows the network 192.168... is well protected

thanks

regards

Re: iptables question

[Pascal Hambourg]

Le 13/11/2016 à 16:05, deloptes a écrit :


These are the rules - a friend created this like 10y ago. I added few rules
to forward ports from outside to the intranet and to be able to handle VPN.
You can ignore  192.168.60.1 on eth2 - not used.


IMO, this ruleset is totally insane.

However, after clearing out all irrelevant rules, I see nothing in what 
is left which may block connections from 192.168.40.0/24 on eth1 to 
anywhere through the firewall :


*nat
:PREROUTING ACCEPT [26000:2533530]
:POSTROUTING ACCEPT [87:4966]
:OUTPUT ACCEPT [28:2038]
-A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ifilter - [0:0]
:ofilter - [0:0]
-A INPUT -j ifilter
-A FORWARD -j ifilter
-A FORWARD -j ofilter
-A OUTPUT -j ofilter
-A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ifilter -i eth1 -m state --state NEW -j ACCEPT

What happens exactly when your try to connect ? What is the command, 
what is the reply ? Did you make a packet capture on eth0 ?


Did you check the routing table on the firewall and the targets ? Do 
they have a route to all the 10.0.0.0/24 range ?



Another important information perhaps is that the modem is configured to
have a DMZ with 10.0.0.1.


I don't think this is relevant. The modem is not involved.


Devices 10.0.0.6 and 10.0.0.7 which I want to connect from 192 do not
have any firewalls - they are mobile phones.

I will really appreciate your help - perhaps reviewing the rules and
suggesting improvements as well.


This ruleset does not need improvements but a total rewrite.

Re: iptables question

[deloptes]

Michael Milliman wrote:

> Again, posting the exact ruleset would be helpful.

These are the rules - a friend created this like 10y ago. I added few rules
to forward ports from outside to the intranet and to be able to handle VPN.
You can ignore  192.168.60.1 on eth2 - not used.

Another important information perhaps is that the modem is configured to
have a DMZ with 10.0.0.1.

Devices 10.0.0.6 and 10.0.0.7 which I want to connect from 192 do not
have any firewalls - they are mobile phones.

I will really appreciate your help - perhaps reviewing the rules and
suggesting improvements as well.

thank you in advance

regards
# Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016
*nat
:PREROUTING ACCEPT [26000:2533530]
:POSTROUTING ACCEPT [87:4966]
:OUTPUT ACCEPT [28:2038]
-A PREROUTING -s 127.0.0.0/8 -j ACCEPT
-A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT 
--to-destination 192.168.40.40:80
-A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT 
--to-destination 192.168.40.40:443
-A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 2 -j DNAT 
--to-destination 192.168.40.40:2
-A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 64371 -j DNAT 
--to-destination 192.168.40.40:11371
-A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
-A POSTROUTING -s 192.168.60.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -s 127.0.0.0/8 -o eth1 -j ACCEPT
-A POSTROUTING -s 127.0.0.0/8 -o eth2 -j ACCEPT
COMMIT
# Completed on Sun Nov 13 15:57:01 2016
# Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016
*mangle
:PREROUTING ACCEPT [234697:66952234]
:INPUT ACCEPT [12588:1180664]
:FORWARD ACCEPT [222077:65769320]
:OUTPUT ACCEPT [11465:1137886]
:POSTROUTING ACCEPT [233484:66847418]
COMMIT
# Completed on Sun Nov 13 15:57:01 2016
# Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ifilter - [0:0]
:ofilter - [0:0]
-A INPUT -j ifilter
-A FORWARD -j ifilter
-A FORWARD -j ofilter
-A OUTPUT -j ofilter
-A ifilter -i lo -j ACCEPT
-A ifilter -s 127.0.0.0/8 -i eth1 -j ACCEPT
-A ifilter -s 127.0.0.0/8 -i eth2 -j ACCEPT
-A ifilter -s 127.0.0.0/8 ! -i lo -m limit --limit 3/min -j LOG --log-prefix " 
-- BLOCK ( int -> lo) -- "
-A ifilter -s 127.0.0.0/8 ! -i lo -j DROP
-A ifilter -s 0.0.0.0/8 -i eth0 -j DROP
-A ifilter -s 127.0.0.0/8 -i eth0 -j DROP
-A ifilter -s 224.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 224.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 224.0.0.0/8 -j DROP
-A ifilter -s 225.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 225.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 225.0.0.0/8 -j DROP
-A ifilter -s 226.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 226.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 226.0.0.0/8 -j DROP
-A ifilter -s 227.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 227.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 227.0.0.0/8 -j DROP
-A ifilter -s 228.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 228.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 228.0.0.0/8 -j DROP
-A ifilter -s 229.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 229.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 229.0.0.0/8 -j DROP
-A ifilter -s 230.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 230.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 230.0.0.0/8 -j DROP
-A ifilter -s 231.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 231.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 231.0.0.0/8 -j DROP
-A ifilter -s 232.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 232.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 232.0.0.0/8 -j DROP
-A ifilter -s 233.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 233.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 233.0.0.0/8 -j DROP
-A ifilter -s 234.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 234.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 234.0.0.0/8 -j DROP
-A ifilter -s 235.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 235.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 235.0.0.0/8 -j DROP
-A ifilter -s 236.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 236.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 236.0.0.0/8 -j DROP
-A ifilter -s 237.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 237.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 237.0.0.0/8 -j DROP
-A ifilter -s 238.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 238.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 238.0.0.0/8 -j DROP
-A ifilter -s 239.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 239.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 239.0.0.0/8 -j DROP
-A ifilter -s 240.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 240.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 240.0.0.0/8 -j DROP
-A ifilter -s 241.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 241.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 241.0.0.0/8 -j DROP
-A ifilter -s 242.0.0.0/8 -p udp -m udp -j DROP
-A ifilter -s 242.0.0.0/8 -p tcp -m tcp -j DROP
-A ifilter -s 242.0.0.0/8 -j DROP
-A ifilter -s 243.0.0.0/8 -p udp -m udp -j DROP
-A ifilter 

Re: iptables question

[Pascal Hambourg]

Le 13/11/2016 à 13:37, Joe a écrit :


PPTP rather falls into the "complex protocols" described below.


Exactly so. You wouldn't believe how many routers of ten years ago or
so didn't handle it properly, at least with their initial firmware. But


Why wouldn't I ? Knowing how NAT is tricky, I am not surprised at all 
that the handling of "non standard" protocols (read : other than a 
single TCP or UDP connection) by many NAT systems is broken.



it still doesn't need any additional NAT rules in iptables, the single
SNAT rule handles it, as well as tcp, udp etc. Other rules are needed
for correct *operation*, but not for NAT.


Proper NAT handling of a non standard protocol requires proper 
connection tracking, and both require additionnal conntrack/NAT helper 
modules.
A security change in the conntrack/NAT helper management of recent 
kernels requires additionnal iptables rule to explicitly attach a helper 
to a connection. See the CT target.


Without this, only simples cases may be handled correctly, when no more 
than one host behind the NAT communicates with the same outside host. 
Please read below.



Yes, I'm aware that NAT stops
plain IPSec working, as the endpoint IP addresses are involved in the
encryption. That isn't an iptables rule issue, and our single SNAT
rule will forward Protocol 47 and 50 just as easily as Protocol 6.


Not as easily. IPSec protocols don't have ports, so SNAT cannot handle 
communications from several hosts behind the NAT device to the same host 
outside. The same applies to GRE without specific GRE handler support.


Typical failure scenario :

1) Hosts A and B are behind the NAT router D and want to communicate 
with outside host C.


2) Host A sends a packet to host C through NAT router D. D changes the 
source address to its own and forwards the packet to C.


3) Host B sends a packet to host C through NAT router D. D changes the 
source address to its own and forwards the packet to C.


4) Host C sends a reply packet to NAT router D. Problem : there is 
nothing in the packet to tell D if it belongs to the connection 
initiated by A or B and if it must forward the packet to A or B. 
Communication failure. Actually netfilter conntrack detects the clash at 
stage 2) when B sends the initial packet to C, and discards the packet.


With protocols such as TCP or UDP, the conntrack/NAT can use source and 
destination ports to associate a packet with a known connection. But GRE 
or IPSec don't have ports. GRE packets have some kind of connection ID, 
but the standard netfilter NAT does not use it. So to avoid the failure 
in the above scenario, you must use the GRE conntrack/NAT helper 
modules. However there is no luck with IPSec.



What is the "small-p sense" ?


In the sense of 'a defined system for data transfer', as opposed to the
Internet Protocols of tcp, udp, gre etc. http is spoken of as a
'protocol', small-p, although it is a tiny subset of the tcp Internet
Protocol.


I guess you mean "application layer protocol" such as HTTP or SSH as 
opposed to "network layer protocol" such as IP or ICMP and "transport 
layer protocol" such as TCP or UDP. I had never read this expression before.

Re: iptables question

[Joe]

On Sun, 13 Nov 2016 11:29:48 +0100
Pascal Hambourg  wrote:

> Le 13/11/2016 à 11:09, Joe a écrit :
> > Pascal Hambourg  wrote:
> >  
> >> Le 12/11/2016 à 23:32, Joe a écrit :  
> >>>
> >>> The SNAT should not be an issue, it can handle all protocols
> >>> transparently  
> >>
> >> No it cannot. NAT is not possible with some IP protocols. Plain
> >> IPSec (without NAT-T encapsulation) is the first one that comes in
> >> mind.  
> >
> > I used to have a fair bit to do with PPTP through three or four
> > NATs,  
> 
> PPTP rather falls into the "complex protocols" described below.

Exactly so. You wouldn't believe how many routers of ten years ago or
so didn't handle it properly, at least with their initial firmware. But
it still doesn't need any additional NAT rules in iptables, the single
SNAT rule handles it, as well as tcp, udp etc. Other rules are needed
for correct *operation*, but not for NAT. Yes, I'm aware that NAT stops
plain IPSec working, as the endpoint IP addresses are involved in the
encryption. That isn't an iptables rule issue, and our single SNAT
rule will forward Protocol 47 and 50 just as easily as Protocol 6.

> 
> >> Also many complex protocols such as FTP or SIP (nothing exotic
> >> here) require special support and this is not transparent as it
> >> requires messing with the payload, not only with the packet
> >> headers. Use of encryption with these protocoles may come in the
> >> way and defeat NAT handling.  
> >
> > Is ssh really a more difficult protocol to handle than http?  
> 
> No. SSH relies on a single TCP connection, like TCP and other
> "simple" protocols. I reacted to you writing "NAT can handle *all*
> protocols *transparently*".
> 
> > I'm using 'protocol' in
> > the small-p sense, not referring specifically to Internet
> > Protocols.  
> 
> What is the "small-p sense" ?
> 

In the sense of 'a defined system for data transfer', as opposed to the
Internet Protocols of tcp, udp, gre etc. http is spoken of as a
'protocol', small-p, although it is a tiny subset of the tcp Internet
Protocol. Many people used to confuse tcp port 47 with IP 47, to the
extent that some router firmware would forward IP 47 if asked for
tcp/47, which only perpetuated the confusion.

-- 
Joe

Re: iptables question

[Michael Milliman]

On 11/12/2016 06:19 PM, deloptes wrote:

Joe wrote:


On Sat, 12 Nov 2016 22:15:45 +0100
deloptes  wrote:


Hi,
I need some help and I'll appreciate it.

I have a firewall with iptables behind the modem.
on this firewall I have
 eth0 with ip 10..1 to the modem ip: 10..12
 eth1 with ip 192..1 to the intranet

iptables is doing SNAT from 192..1 to 10..1

I wonder how I can ssh from 192..NN to 10..NN
What magic should I apply to make it happen?

Thanks in advance



Can we take it that this does not work now? If that is the case, are
you sure that iptables is preventing it? There are other possible
reasons for a new ssh link not to work.


Yes, it is not working and yes it might be a different issue. So here is
some additional information, if you wish.

>From one computer ip 10..6 I can ssh to 10..7 and vv.
I also see that iptables forwards to the output, but in the output nothing
happens. So it is either in the output chain, or the back route blocks.


A typical simple iptables script will allow what you want to do to
happen already, so there must either be some iptables restriction in
place now, or there is some other reason for ssh not working. Are you
able to connect to the modem web configuration page from the 192.
network?


Yes I forgot to mention that I can connect from 192..NN to the modem ip via
ssh lets say 10..200.
Ok, this confuses me a little.  I thought the modem was 10..12? 
Nevertheless, it sounds like you have the ability to connect to 
_something_ on the 10. network.  Therefore, I would suspect the settings 
on the 10. machine that you are not able to communicate with.  Also, the 
192. machine could be blocking (on the input chain) all communications 
from 10. except from the specific ip address of the modem.  One of the 
other respondents indicated that posting a (sanitized) copy of your 
ruleset would help, this is indeed the case.

On the modem there is also firewall. I tried disableing it but it did not
help.
The firewall on the modem should not affect the communications between 
192. and 10. from what I understand of your setup.  You have a firewall 
machine with two NICs one on the 192. network and one on the 10. 
network.  The modem is on the 10. network along with some other machines 
(presumably with a switch or router) and the firewall is acting as a 
bridge between the 192. and the 10.


And you can bet there is restriction - basically it is pretty tight and is
opened only what is needed to intranet and basically all to modem net


The SNAT should not be an issue, it can handle all protocols
transparently, and ssh uses the same tcp protocol as http.

If there are iptables restrictions on outgoing protocols, you need to
find the rule permitting tcp/80 to be forwarded, copy it and replace 80
with 22. Once this is working, we can restrict the destination to the
10. network, as presumably any existing port 80 rule allows connection
to anywhere and you may not want that for ssh.

there is nothing regarding the output - no rules based on ports

thanks

Again, posting the exact ruleset would be helpful.

Re: iptables question

[Pascal Hambourg]

Le 13/11/2016 à 11:09, Joe a écrit :

Pascal Hambourg  wrote:


Le 12/11/2016 à 23:32, Joe a écrit :


The SNAT should not be an issue, it can handle all protocols
transparently


No it cannot. NAT is not possible with some IP protocols. Plain IPSec
(without NAT-T encapsulation) is the first one that comes in mind.


I used to have a fair bit to do with PPTP through three or four NATs,


PPTP rather falls into the "complex protocols" described below.


Also many complex protocols such as FTP or SIP (nothing exotic here)
require special support and this is not transparent as it requires
messing with the payload, not only with the packet headers. Use of
encryption with these protocoles may come in the way and defeat NAT
handling.


Is ssh really a more difficult protocol to handle than http?


No. SSH relies on a single TCP connection, like TCP and other "simple" 
protocols. I reacted to you writing "NAT can handle *all* protocols 
*transparently*".



I'm using 'protocol' in
the small-p sense, not referring specifically to Internet Protocols.


What is the "small-p sense" ?

Re: iptables question

[Joe]

On Sun, 13 Nov 2016 10:35:29 +0100
Pascal Hambourg  wrote:

> Le 12/11/2016 à 23:32, Joe a écrit :
> >
> > The SNAT should not be an issue, it can handle all protocols
> > transparently  
> 
> No it cannot. NAT is not possible with some IP protocols. Plain IPSec 
> (without NAT-T encapsulation) is the first one that comes in mind.

I used to have a fair bit to do with PPTP through three or four NATs,
which sometimes involved guessing what Windows equivalents of conntrack
were up to.

> 
> Also many complex protocols such as FTP or SIP (nothing exotic here) 
> require special support and this is not transparent as it requires 
> messing with the payload, not only with the packet headers. Use of 
> encryption with these protocoles may come in the way and defeat NAT 
> handling.

Is ssh really a more difficult protocol to handle than http? In the
context of this question, I would suggest not. I'm using 'protocol' in
the small-p sense, not referring specifically to Internet Protocols.

-- 
Joe

Re: iptables question

[Pascal Hambourg]

Le 13/11/2016 à 01:19, deloptes a écrit :


Yes, it is not working


How is it not working ? What do you do and what happens ?


From one computer ip 10..6 I can ssh to 10..7 and vv.


That does not concern the firewall between the modem and the LAN.


I also see that iptables forwards to the output, but in the output nothing
happens.


This does not make any sense. Iptables does not forward anything. It 
just accepts, drops or mangles packets.



Yes I forgot to mention that I can connect from 192..NN to the modem ip via
ssh lets say 10..200.


Huh ? What are these addresses ? The source, the destination ?

It would be much simple if you provided the output of iptables-save so 
we can see your ruleset.

Re: iptables question

[Pascal Hambourg]

Le 12/11/2016 à 23:32, Joe a écrit :


The SNAT should not be an issue, it can handle all protocols
transparently


No it cannot. NAT is not possible with some IP protocols. Plain IPSec 
(without NAT-T encapsulation) is the first one that comes in mind.


Also many complex protocols such as FTP or SIP (nothing exotic here) 
require special support and this is not transparent as it requires 
messing with the payload, not only with the packet headers. Use of 
encryption with these protocoles may come in the way and defeat NAT 
handling.

Re: iptables question

[deloptes]

Joe wrote:

> On Sat, 12 Nov 2016 22:15:45 +0100
> deloptes  wrote:
> 
>> Hi,
>> I need some help and I'll appreciate it.
>> 
>> I have a firewall with iptables behind the modem.
>> on this firewall I have
>> eth0 with ip 10..1 to the modem ip: 10..12
>> eth1 with ip 192..1 to the intranet
>> 
>> iptables is doing SNAT from 192..1 to 10..1
>> 
>> I wonder how I can ssh from 192..NN to 10..NN
>> What magic should I apply to make it happen?
>> 
>> Thanks in advance
>> 
>> 
> 
> Can we take it that this does not work now? If that is the case, are
> you sure that iptables is preventing it? There are other possible
> reasons for a new ssh link not to work.
> 

Yes, it is not working and yes it might be a different issue. So here is
some additional information, if you wish.

>From one computer ip 10..6 I can ssh to 10..7 and vv.
I also see that iptables forwards to the output, but in the output nothing
happens. So it is either in the output chain, or the back route blocks.

> A typical simple iptables script will allow what you want to do to
> happen already, so there must either be some iptables restriction in
> place now, or there is some other reason for ssh not working. Are you
> able to connect to the modem web configuration page from the 192.
> network?
> 

Yes I forgot to mention that I can connect from 192..NN to the modem ip via
ssh lets say 10..200.

On the modem there is also firewall. I tried disableing it but it did not
help.

And you can bet there is restriction - basically it is pretty tight and is
opened only what is needed to intranet and basically all to modem net

> The SNAT should not be an issue, it can handle all protocols
> transparently, and ssh uses the same tcp protocol as http.
> 
> If there are iptables restrictions on outgoing protocols, you need to
> find the rule permitting tcp/80 to be forwarded, copy it and replace 80
> with 22. Once this is working, we can restrict the destination to the
> 10. network, as presumably any existing port 80 rule allows connection
> to anywhere and you may not want that for ssh.

there is nothing regarding the output - no rules based on ports

thanks

Re: iptables question

[Joe]

On Sat, 12 Nov 2016 22:15:45 +0100
deloptes  wrote:

> Hi,
> I need some help and I'll appreciate it.
> 
> I have a firewall with iptables behind the modem.
> on this firewall I have 
> eth0 with ip 10..1 to the modem ip: 10..12
> eth1 with ip 192..1 to the intranet
> 
> iptables is doing SNAT from 192..1 to 10..1
> 
> I wonder how I can ssh from 192..NN to 10..NN
> What magic should I apply to make it happen?
> 
> Thanks in advance
> 
> 

Can we take it that this does not work now? If that is the case, are
you sure that iptables is preventing it? There are other possible
reasons for a new ssh link not to work.

A typical simple iptables script will allow what you want to do to
happen already, so there must either be some iptables restriction in
place now, or there is some other reason for ssh not working. Are you
able to connect to the modem web configuration page from the 192.
network?

The SNAT should not be an issue, it can handle all protocols
transparently, and ssh uses the same tcp protocol as http.

If there are iptables restrictions on outgoing protocols, you need to
find the rule permitting tcp/80 to be forwarded, copy it and replace 80
with 22. Once this is working, we can restrict the destination to the
10. network, as presumably any existing port 80 rule allows connection
to anywhere and you may not want that for ssh.

-- 
Joe

iptables question

[deloptes]

Hi,
I need some help and I'll appreciate it.

I have a firewall with iptables behind the modem.
on this firewall I have 
eth0 with ip 10..1 to the modem ip: 10..12
eth1 with ip 192..1 to the intranet

iptables is doing SNAT from 192..1 to 10..1

I wonder how I can ssh from 192..NN to 10..NN
What magic should I apply to make it happen?

Thanks in advance

Re: IPTables question

[Erwan David]

Le 09/11/2013 23:06, Shawn Wilson a écrit :
 Redhat has something called firewalld which generates rules based on zones. I 
 don't use it because using dbus to help manage rules scares me. But it's 
 there and could be what you want. 


I use fwbuilder which helps to define elaborated rules ;
there is also shorewall which uses zones, both generates the ryules
either as shell script or itptables-save/restore configuration.
Both are available in debian.



-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/527f5a88.80...@rail.eu.org

Re: IPTables question

[Shawn Wilson]

Erwan David er...@rail.eu.org wrote:
Le 09/11/2013 23:06, Shawn Wilson a écrit :
 Redhat has something called firewalld which generates rules based on
zones. I don't use it because using dbus to help manage rules scares
me. But it's there and could be what you want. 


I use fwbuilder which helps to define elaborated rules ;
there is also shorewall which uses zones, both generates the ryules
either as shell script or itptables-save/restore configuration.
Both are available in debian.

Just FYI, a shell script will be slower than iptables-save since the later only 
makes one call while the former makes one call per ipt command. 

I looked at shorewall and didn't know it had zones - that's cool (since I don't 
like xml that firewalld uses). I've now got a 2k line perl script that does 
almost everything we need but I'll take another look at shorewall (for ideas if 
nothing else). 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/3da3a425-3862-4156-9116-1ebc3d3b3...@email.android.com

IPTables question

[Bill.M]

Hi folks,

In IPTables one can specify multiple addresses, and multiple ports, but 
is there anyway to specify multiple interfaces.


For example,  -m multiport --destination-port 22,25,80

Or-s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10

But is there anyway to specify both eth0 and wlan0 as equally valid 
interfaces on my laptop depending on whether it's in my dock or on the 
road?


For example, -i wlan0,eth0 or -o wlan0,eth0
Is something like these possible?

It would save quite a bit of work in having to write duplicate rules and 
probably impact efficiency as well. I've googled around quite a bit but 
can find no references to multiple interfaces.


b.


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/527e7517.9070...@uniserve.com

Re: IPTables question

[David F]

On 11/09/2013 12:47 PM, Bill.M wrote:
 But is there anyway to specify both eth0 and wlan0 as equally valid
 interfaces on my laptop depending on whether it's in my dock or on the road?

 For example, -i wlan0,eth0 or -o wlan0,eth0
 Is something like these possible?

* You can avoid specifying any interface at all, so long as you don't mind
the rule being applied to the loopback interface as well.  Chances are very
good that this will work for you and is the best solution, but you need to
evaluate the rules in question.

* You can use a '+' at the end of the interface name which acts as a
wildcard.  This won't help since your interfaces names differ in the first
character, not the last, but you can easily customize their names to differ
in their suffix rather than prefix by editing:
/etc/udev/rules.d/70-persistent-net.rules

* You can create a new chain, have packets from either interface jump to it
via two rules, then put the rest of your rules in that chain, without
specifying an interface name.

e.g. (untested):
iptables -t filter -N foo
iptables -t filter -A INPUT -i eth0  -j foo
iptables -t filter -A INPUT -i wlan0 -j foo
iptables -t filter -A foo --src 1.2.3.4 -j DROP
iptables -t filter -A foo -p tcp --dport 80 -j DROP
...

-- David


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/527e99f5.8070...@meta-dynamic.com

Re: IPTables question

[Shawn Wilson]

Redhat has something called firewalld which generates rules based on zones. I 
don't use it because using dbus to help manage rules scares me. But it's there 
and could be what you want. 

David F deb...@meta-dynamic.com wrote:
On 11/09/2013 12:47 PM, Bill.M wrote:
 But is there anyway to specify both eth0 and wlan0 as equally valid
 interfaces on my laptop depending on whether it's in my dock or on
the road?

 For example, -i wlan0,eth0 or -o wlan0,eth0
 Is something like these possible?

* You can avoid specifying any interface at all, so long as you don't
mind
the rule being applied to the loopback interface as well.  Chances are
very
good that this will work for you and is the best solution, but you need
to
evaluate the rules in question.

* You can use a '+' at the end of the interface name which acts as a
wildcard.  This won't help since your interfaces names differ in the
first
character, not the last, but you can easily customize their names to
differ
in their suffix rather than prefix by editing:
/etc/udev/rules.d/70-persistent-net.rules

* You can create a new chain, have packets from either interface jump
to it
via two rules, then put the rest of your rules in that chain, without
specifying an interface name.

e.g. (untested):
iptables -t filter -N foo
iptables -t filter -A INPUT -i eth0  -j foo
iptables -t filter -A INPUT -i wlan0 -j foo
iptables -t filter -A foo --src 1.2.3.4 -j DROP
iptables -t filter -A foo -p tcp --dport 80 -j DROP
...

-- David


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/b20675f7-67d9-4942-9dca-de4102336...@email.android.com

Re: IPTables question

[Pascal Hambourg]

Hello,

Bill.M a écrit :
 
 In IPTables one can specify multiple addresses, and multiple ports, but 
 is there anyway to specify multiple interfaces.
 
 For example,  -m multiport --destination-port 22,25,80
 
 Or  -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10

In addition to David's answer :
Unless recent change I am not aware of, you cannot specify an address
range in -s or -d. You must use the iprange match instead (or ipset if
your kernel supports it). Also, note that specifying multiple
comma-separated addresses or prefixes in -s or -d will result in
multiple rules being actually created, which can have undesirable
side-effects and impact efficiency.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/527eb0fa.8080...@plouf.fr.eu.org

Re: IPTables question

[Shawn Wilson]

Pascal Hambourg pas...@plouf.fr.eu.org wrote:
Hello,

Bill.M a écrit :
 
 In IPTables one can specify multiple addresses, and multiple ports,
but 
 is there anyway to specify multiple interfaces.
 
 For example,  -m multiport --destination-port 22,25,80
 
 Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10

In addition to David's answer :
Unless recent change I am not aware of, you cannot specify an address
range in -s or -d. You must use the iprange match instead (or ipset
if
your kernel supports it). Also, note that specifying multiple
comma-separated addresses or prefixes in -s or -d will result in
multiple rules being actually created, which can have undesirable
side-effects and impact efficiency.

The speed impact of a small rule set is negligible. One ipset vs 20 rules, yes 
please - it's easier to look at. Also, idk any way to match interface with 
ipset - ip and port (even src and dst in one line) but not interface. 


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/4d539f94-5809-483f-bfa8-fc50e6e73...@email.android.com

Re: IPTables question

[Pascal Hambourg]

Shawn Wilson a écrit :
 
 Pascal Hambourg pas...@plouf.fr.eu.org wrote:

 Unless recent change I am not aware of, you cannot specify an address
 range in -s or -d. You must use the iprange match instead (or ipset if
 your kernel supports it).
 
 Also, idk any way to match interface with ipset

I did not suggest ipset for such purpose.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/527ebf36.5010...@plouf.fr.eu.org

Firewall/iptables question

[Hilco Wijbenga]

Hi all,

I'm attempting to set up a simple firewall on a virtual server. I have
the following:

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m
state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT

(And iptables -L shows that this setup has been accepted.)

This was supposed to only allow my box (or at least my public IP)
access to port 80 on this server. I can not access port 80 at all,
however. (Please note that without --source it works as expected.)

What am I doing wrong?

On a related note, the logging only logs the packet, but no timestamp.
Is that configurable somewhere?

Cheers,
Hilco


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/BANLkTi=9ir+se-w2fd_mjq4r-pdgvgo...@mail.gmail.com

Re: Firewall/iptables question

[Hilco Wijbenga]

On 3 May 2011 16:21, Hilco Wijbenga hilco.wijbe...@gmail.com wrote:
 Hi all,

 I'm attempting to set up a simple firewall on a virtual server. I have
 the following:

 iptables --flush
 iptables -t nat --flush
 iptables -t mangle --flush
 iptables --policy INPUT DROP
 iptables --policy OUTPUT ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT
 iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m
 state --state NEW -j ACCEPT
 iptables -A INPUT -p icmp -j ACCEPT
 iptables -A INPUT -j LOG
 iptables -A INPUT -j REJECT

 (And iptables -L shows that this setup has been accepted.)

 This was supposed to only allow my box (or at least my public IP)
 access to port 80 on this server. I can not access port 80 at all,
 however. (Please note that without --source it works as expected.)

 What am I doing wrong?

Mmmh, it does work after all. You have to be careful to restart
everything, I guess.

I've moved the --source to the SSH line. That works too but it seems
like I can only have 1 connection open at the same time. Sort of. I
have a reverse connection from a local server with a non-routable IP
to this public server. That works. But then I can't access the public
server anymore. If I kill the reverse connection and wait a few
minutes, I can login again. Switch the reverse connection back on ...
and I can't login anymore. Strange.

 On a related note, the logging only logs the packet, but no timestamp.
 Is that configurable somewhere?

 Cheers,
 Hilco



-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/BANLkTim62rNnK1m6gJuCziQaZZ=OOF6_=g...@mail.gmail.com

Re: Firewall/iptables question

[green]

Hilco Wijbenga wrote at 2011-05-03 18:21 -0500:
 On a related note, the logging only logs the packet, but no timestamp.
 Is that configurable somewhere?

/etc/rsyslog.conf I suppose?


signature.asc
Description: Digital signature

Iptables question

[I Rattan]

I asked about a modem dialin server problem. I saw
no response, so, I rephrase it.

The Linux box is connected to Internet on 141.209.169.x

The dialin ppp (Linux end) ipaddr is 192.168.0.10
The dialing client gets ipaddr   192.168.0.11

How do I make iptables to forward form 192.168.x.x
to 141.209.169.x (looking for rules form ppp0 to eth0)?

-ishwar


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: Iptables question

[Ariel Laganá]

For firewall relative question there's another, more specific, mail list:

debian-firew...@lists.debian.org

Anyway, if you are using ppp to connect to your ISP, the ppp0 interface
should have a public IP address not a private one like 192.168.0.10. In
order to enable kernel ipv4 fowarding you must change:

echo 1  /proc/sys/net/ipv4/ip_forward

echo 1  /proc/sys/net/ipv4/conf/all/forwarding

Then you should use NAT with iptables to share your internet connection
with a LAN.


I Rattan wrote:
 
 I asked about a modem dialin server problem. I saw
 no response, so, I rephrase it.
 
 The Linux box is connected to Internet on 141.209.169.x
 
 The dialin ppp (Linux end) ipaddr is 192.168.0.10
 The dialing client gets ipaddr   192.168.0.11
 
 How do I make iptables to forward form 192.168.x.x
 to 141.209.169.x (looking for rules form ppp0 to eth0)?
 
 -ishwar
 
 



signature.asc
Description: OpenPGP digital signature

RE: Iptables question

[Kevin Ross]

 From: I Rattan [mailto:ratt...@cps.cmich.edu]
 Sent: Thursday, September 10, 2009 2:03 PM
 
 I asked about a modem dialin server problem. I saw
 no response, so, I rephrase it.
 
 The Linux box is connected to Internet on 141.209.169.x
 
 The dialin ppp (Linux end) ipaddr is 192.168.0.10
 The dialing client gets ipaddr   192.168.0.11
 
 How do I make iptables to forward form 192.168.x.x
 to 141.209.169.x (looking for rules form ppp0 to eth0)?
 
 -ishwar

Make sure you have proxyarp in your /etc/ppp/options file.

And enable net.ipv4.ip_forward=1 in your /etc/sysctl.conf file.

It's been awhile since I set up PPP, but I think that's all
you need to do to enable PPP clients to get to the Internet.
You can also add ms-dns lines to set DNS servers for the client.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

iptables question?

[I Rattan]

Is it possible to restrict access by user-id
under iptables firewall?

If so, pointers to the info/example will be appreciated.

-ishwar


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question?

[Teemu Likonen]

On 2009-08-26 10:36 (-0400), I. Rattan wrote:

 Is it possible to restrict access by user-id
 under iptables firewall?

 If so, pointers to the info/example will be appreciated.

Does man iptables qualify as a pointer? In owner module there is
--uid-owner option.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[Andrei Popescu]

On Mon,12.Jan.09, 14:50:48, Paul Cartwright wrote:
 I used to be able to ssh to my desktop, then.. I couldn't ( sounds like my 
 K3B 
 issue:).
 I noticed someone else with a message about iptables, and I basically copied 
 his script:
 # iptables -I INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
 
 except changed it to my ssh port 22. Now I can ssh back to my box again.
 What would reset my iptables, did we have some updates with would put in a 
 vanilla config file somewhere?? is there an iptables .conf ( or whatever) 
 file, I didn't see one in the man pages, though I didn't look REAL hard at 
 all 297 pages...

I know this is old, but...

AFAICT iptables has no config at all on Debian (dpkg -L shows no files 
in /etc). The only suspect would be some of the frontends. I would look 
into the reverse dependencies of iptables (a.k.a the packages depending 
on iptables). Try this:

aptitude search '?installed ?depends(iptables)'

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)


signature.asc
Description: Digital signature

iptables question

[Paul Cartwright]

I used to be able to ssh to my desktop, then.. I couldn't ( sounds like my K3B 
issue:).
I noticed someone else with a message about iptables, and I basically copied 
his script:
# iptables -I INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT

except changed it to my ssh port 22. Now I can ssh back to my box again.
What would reset my iptables, did we have some updates with would put in a 
vanilla config file somewhere?? is there an iptables .conf ( or whatever) 
file, I didn't see one in the man pages, though I didn't look REAL hard at 
all 297 pages...

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[chris]

On Sat, 03 Jan 2009 20:49:35 -0500, Napoleon wrote:

 Justin Piszcz wrote:
 
 
 On Thu, 1 Jan 2009, Napoleon wrote:
 
 I'll admit I'm still pretty green at a lot of this (lots of experience
 in computers, little in Linux) and don't understand everything.  But
 I'm trying to learn, so please go easy on me :-)

 I've been having a problem with dictionary hacker attempts on my
 system (hundreds or even thousands a day), so I implemented the
 following rules:

 snip
 
 Solution: apt-get install fail2ban (read up on the docs, it can drop
 IPs based on attempts etc)
 
 Justin.
 
 
 For Justin and all the others who responded - thanks.  I installed
 fail2ban a couple of days ago, and am waiting for someone to try it
 again.
 
 I also tried to find the support forums for qpopper, but the only ones I
 found hadn't had a post in over 2 years.  So maybe I need to change pop3
 servers.
 
 But I'm not worried about that right now.  I think from the docs that
 fail2ban will do what I need.
 

You might also want to check out http://packages.debian.org/sid/libpam-
shield. That will take care of it for any service. It's in Lenny too.


Have fun!


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[ghe]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Koh Choon Lin wrote:

 Be careful with IMAP, though. One of my users has well over 500MB of
 mail on my server that she apparently doesn't know how to delete (I
 know, I know).
 How can you not know how to delete?  (No, seriously, I'm not trying to be
 sarcastic...)
 
 Maybe they are trying to take after Gmail -- archive all your mails. I
 still remember the first version of Gmail doesn't have the delete
 button.

Note that I said apparently. I don't know what her problem really is.

Koh's explanation is reasonable, although it implies a higher level of
awareness than this particular user is capable of...

- --
Glenn English
g...@slsware.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAklgraEACgkQ04yQfZbbTLbflgCePAxTJPDwYVibu7L2xQciRU3U
IzsAn1gvpLh/zXPCSvOZ4Ucot2b/k6aM
=9hqf
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[Napoleon]

Justin Piszcz wrote:



On Thu, 1 Jan 2009, Napoleon wrote:

I'll admit I'm still pretty green at a lot of this (lots of experience 
in computers, little in Linux) and don't understand everything.  But 
I'm trying to learn, so please go easy on me :-)


I've been having a problem with dictionary hacker attempts on my 
system (hundreds or even thousands a day), so I implemented the 
following rules:



snip


Solution: apt-get install fail2ban (read up on the docs, it can drop IPs 
based on attempts etc)


Justin.



For Justin and all the others who responded - thanks.  I installed 
fail2ban a couple of days ago, and am waiting for someone to try it again.


I also tried to find the support forums for qpopper, but the only ones I 
found hadn't had a post in over 2 years.  So maybe I need to change pop3 
servers.


But I'm not worried about that right now.  I think from the docs that 
fail2ban will do what I need.


Thanks again!


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

POP (was Re: iptables question)

[Ron Johnson]

On 01/03/09 19:49, Napoleon wrote:
[snip]


I also tried to find the support forums for qpopper, but the only ones I 
found hadn't had a post in over 2 years.  So maybe I need to change pop3 
servers.


Unless you are running an ISP, you should really ditch POP and move 
your mail to an IMAP store.  It'll centralize email, eliminating 
the need to synchronize across multiple machines, and make it much 
simpler to back up the data.


Also, with a bit of extra effort (and since you run Debian and care 
about firewalls, that shouldn't be a problem, you can implement 
IMAPS or web mail and thus gain access to email from remote systems.


--
Ron Johnson, Jr.
Jefferson LA  USA

I like my women like I like my coffee - purchased at above-market
rates from eco-friendly organic farming cooperatives in Latin America.


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[Boyd Stephen Smith Jr.]

On Saturday 2009 January 03 19:49:35 Napoleon wrote:
 I also tried to find the support forums for qpopper, but the only ones I
 found hadn't had a post in over 2 years.  So maybe I need to change pop3
 servers.

I've recently had good luck with dovecot, which handles a pop3 and pop3s.  
I'll also echo Ron's suggestion to move to IMAP, if possible, which is how I 
set up dovecot. 
-- 
Boyd Stephen Smith Jr. ,= ,-_-. =. 
b...@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy   `-'(. .)`-' 
http://iguanasuicide.net/  \_/ 


signature.asc
Description: This is a digitally signed message part.

Re: iptables question

[ghe]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Boyd Stephen Smith Jr. wrote:

 I've recently had good luck with dovecot, which handles a pop3 and pop3s.  
 I'll also echo Ron's suggestion to move to IMAP, if possible, which is how I 
 set up dovecot. 

Dovecot also does SASL authentication for Postfix. It's also simple and
reliable.

Be careful with IMAP, though. One of my users has well over 500MB of
mail on my server that she apparently doesn't know how to delete (I
know, I know).

I use it myself, and it's great to have my email available anywhere I
log in. But IMAP can be a mixed blessing.

- --
Glenn English
g...@slsware.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAklgM/gACgkQ04yQfZbbTLa27ACgic7kfvBlSloKlU8k+JXdc3fT
e9kAnA+DdoxYBoJaybkmlfVYLbZAwcb5
=6P/1
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[John Hasler]

ghe writes:
 Be careful with IMAP, though. One of my users has well over 500MB of mail
 on my server that she apparently doesn't know how to delete (I know, I
 know).

Heh.  My user (my wife) has about 150MB (text only) in /var/mail.  Some
of it is 20 years old.
-- 
John Hasler


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[Ron Johnson]

On 01/03/09 21:58, ghe wrote:
[snip]


Be careful with IMAP, though. One of my users has well over 500MB of
mail on my server that she apparently doesn't know how to delete (I
know, I know).


How can you not know how to delete?  (No, seriously, I'm not trying 
to be sarcastic...)


--
Ron Johnson, Jr.
Jefferson LA  USA

I like my women like I like my coffee - purchased at above-market
rates from eco-friendly organic farming cooperatives in Latin America.


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

iptables question

[Koh Choon Lin]

 Be careful with IMAP, though. One of my users has well over 500MB of
 mail on my server that she apparently doesn't know how to delete (I
 know, I know).

 How can you not know how to delete?  (No, seriously, I'm not trying to be
 sarcastic...)

Maybe they are trying to take after Gmail -- archive all your mails. I
still remember the first version of Gmail doesn't have the delete
button.


-- 
Koh Choon Lin


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

iptables question

[Napoleon]

I'll admit I'm still pretty green at a lot of this (lots of experience 
in computers, little in Linux) and don't understand everything.  But I'm 
trying to learn, so please go easy on me :-)


I've been having a problem with dictionary hacker attempts on my system 
(hundreds or even thousands a day), so I implemented the following rules:


# Kill ssh hackers - watch for more than 3 connection attempts in under
# 15 minutes seconds and reject for 24 hours
iptables -N SSH-EVIL
iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level 
DEBUG --log-prefix evil SSH user: 

iptables -A SSH-EVIL -j REJECT

iptables -N SSH
iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j 
ACCEPT
iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 
86400 -j REJECT
iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 
900 --hitcount 3 -j SSH-EVIL

iptables -A SSH -p tcp --syn -m recent --name sshconn --set
iptables -A SSH -p tcp --syn -j ACCEPT

And something similar for ftp.  These work well.  But I'm also getting 
people trying to break in via the POP interface (I'm using qpopper).  So 
I tried the following, which does not work:


iptables -N POP-EVIL
iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level 
DEBUG --log-prefix evil POP user: 

iptables -A POP-EVIL -j REJECT

iptables -N POP
iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state 
ESTABLISHED,RELATED -j ACCEPT
iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP 
--rcheck --seconds 86400 -j REJECT
iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn 
--rcheck --seconds 900 --hitcount 5 -j POP-EVIL

iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
iptables -A FTP -p tcp --syn -j ACCEPT

So my question is - what am I doing wrong in the POP interface, and how 
can I stop it here, also.



--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[mouss]

Napoleon a écrit :
 I'll admit I'm still pretty green at a lot of this (lots of experience
 in computers, little in Linux) and don't understand everything.  But I'm
 trying to learn, so please go easy on me :-)
 
 I've been having a problem with dictionary hacker attempts on my system
 (hundreds or even thousands a day), so I implemented the following rules:
 
 # Kill ssh hackers - watch for more than 3 connection attempts in under
 # 15 minutes seconds and reject for 24 hours
 iptables -N SSH-EVIL
 iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level
 DEBUG --log-prefix evil SSH user: 
 iptables -A SSH-EVIL -j REJECT
 
 iptables -N SSH
 iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j
 ACCEPT
 iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds
 86400 -j REJECT
 iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds
 900 --hitcount 3 -j SSH-EVIL
 iptables -A SSH -p tcp --syn -m recent --name sshconn --set
 iptables -A SSH -p tcp --syn -j ACCEPT
 
 And something similar for ftp.  These work well.  But I'm also getting
 people trying to break in via the POP interface (I'm using qpopper).  So
 I tried the following, which does not work:
 
 iptables -N POP-EVIL
 iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level
 DEBUG --log-prefix evil POP user: 
 iptables -A POP-EVIL -j REJECT
 
 iptables -N POP
 iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state
 ESTABLISHED,RELATED -j ACCEPT
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP
 --rcheck --seconds 86400 -j REJECT
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn
 --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
 iptables -A FTP -p tcp --syn -j ACCEPT
 
 So my question is - what am I doing wrong in the POP interface, and how
 can I stop it here, also.
 
 

If the attacker uses a single connection to the POP3 server, then the
above won't help. it will only work if your POP3 disconnects after say 3
attempts.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[Justin Piszcz]

On Thu, 1 Jan 2009, Napoleon wrote:

I'll admit I'm still pretty green at a lot of this (lots of experience in 
computers, little in Linux) and don't understand everything.  But I'm trying 
to learn, so please go easy on me :-)


I've been having a problem with dictionary hacker attempts on my system 
(hundreds or even thousands a day), so I implemented the following rules:


# Kill ssh hackers - watch for more than 3 connection attempts in under
# 15 minutes seconds and reject for 24 hours
iptables -N SSH-EVIL
iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG 
--log-prefix evil SSH user: 

iptables -A SSH-EVIL -j REJECT

iptables -N SSH
iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 
-j REJECT
iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 
--hitcount 3 -j SSH-EVIL

iptables -A SSH -p tcp --syn -m recent --name sshconn --set
iptables -A SSH -p tcp --syn -j ACCEPT

And something similar for ftp.  These work well.  But I'm also getting people 
trying to break in via the POP interface (I'm using qpopper).  So I tried the 
following, which does not work:


iptables -N POP-EVIL
iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG 
--log-prefix evil POP user: 

iptables -A POP-EVIL -j REJECT

iptables -N POP
iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state 
ESTABLISHED,RELATED -j ACCEPT
iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck 
--seconds 86400 -j REJECT
iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck 
--seconds 900 --hitcount 5 -j POP-EVIL

iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
iptables -A FTP -p tcp --syn -j ACCEPT

So my question is - what am I doing wrong in the POP interface, and how can I 
stop it here, also.



--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject 
of unsubscribe. Trouble? Contact listmas...@lists.debian.org




Solution: apt-get install fail2ban (read up on the docs, it can drop IPs 
based on attempts etc)


Justin.


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[David Schmidt]

Here is how I implemented it, coincidentially today :)


# Allow already established traffic
$IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT

# No more than 2 connection attempts per 2
# minutes to prevent brute force attacks
# log blocked attempts to /var/log/kern.log
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state
NEW -m recent --name blacklist --set
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state
NEW -m recent --name blacklist --rcheck \
--seconds 120 --hitcount 3 -j LOG --log-level 5
--log-prefix max con attempts exceeded: 
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state
NEW -m recent --name blacklist --update \
--seconds 120 --hitcount 3 -j DROP

# only allow connections to localhost on $SSH_PORT if IP has
# knocked on $SSH_KNOCK_PORT within the last 60 seconds
$IPTABLES -A INPUT -p TCP --dport $SSH_KNOCK_PORT -m state
--state NEW -m recent \
--name knocklist --set
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state
NEW -m recent \
--name knocklist --rcheck --seconds 60 -j ACCEPT


the latter one can also be achieved using the debian package knockd



On Thu, Jan 1, 2009 at 4:51 PM, Justin Piszcz jpis...@lucidpixels.com wrote:


 On Thu, 1 Jan 2009, Napoleon wrote:

 I'll admit I'm still pretty green at a lot of this (lots of experience in
 computers, little in Linux) and don't understand everything.  But I'm trying
 to learn, so please go easy on me :-)

 I've been having a problem with dictionary hacker attempts on my system
 (hundreds or even thousands a day), so I implemented the following rules:

 # Kill ssh hackers - watch for more than 3 connection attempts in under
 # 15 minutes seconds and reject for 24 hours
 iptables -N SSH-EVIL
 iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level
 DEBUG --log-prefix evil SSH user: 
 iptables -A SSH-EVIL -j REJECT

 iptables -N SSH
 iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j
 ACCEPT
 iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds
 86400 -j REJECT
 iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds
 900 --hitcount 3 -j SSH-EVIL
 iptables -A SSH -p tcp --syn -m recent --name sshconn --set
 iptables -A SSH -p tcp --syn -j ACCEPT

 And something similar for ftp.  These work well.  But I'm also getting
 people trying to break in via the POP interface (I'm using qpopper).  So I
 tried the following, which does not work:

 iptables -N POP-EVIL
 iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level
 DEBUG --log-prefix evil POP user: 
 iptables -A POP-EVIL -j REJECT

 iptables -N POP
 iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state
 ESTABLISHED,RELATED -j ACCEPT
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP
 --rcheck --seconds 86400 -j REJECT
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn
 --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
 iptables -A FTP -p tcp --syn -j ACCEPT

 So my question is - what am I doing wrong in the POP interface, and how
 can I stop it here, also.


 --
 To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
 subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org


 Solution: apt-get install fail2ban (read up on the docs, it can drop IPs
 based on attempts etc)

 Justin.


 --
 To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject
 of unsubscribe. Trouble? Contact listmas...@lists.debian.org




-- 
David Schmidt   |   http://www.fm5.at


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question

[David Schmidt]

On Thu, Jan 1, 2009 at 5:44 PM, David Schmidt davew...@gmx.at wrote:
 Here is how I implemented it, coincidentially today :)


# Allow already established traffic
$IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT

# No more than 2 connection attempts per 2
# minutes to prevent brute force attacks
# log blocked attempts to /var/log/kern.log
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state
 NEW -m recent --name blacklist --set
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state
 NEW -m recent --name blacklist --rcheck \
--seconds 120 --hitcount 3 -j LOG --log-level 5
 --log-prefix max con attempts exceeded: 
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state
 NEW -m recent --name blacklist --update \
--seconds 120 --hitcount 3 -j DROP

# only allow connections to localhost on $SSH_PORT if IP has
# knocked on $SSH_KNOCK_PORT within the last 60 seconds
$IPTABLES -A INPUT -p TCP --dport $SSH_KNOCK_PORT -m state
 --state NEW -m recent \
--name knocklist --set
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state
 NEW -m recent \
--name knocklist --rcheck --seconds 60 -j ACCEPT


 the latter one can also be achieved using the debian package knockd



 On Thu, Jan 1, 2009 at 4:51 PM, Justin Piszcz jpis...@lucidpixels.com wrote:


 On Thu, 1 Jan 2009, Napoleon wrote:

 I'll admit I'm still pretty green at a lot of this (lots of experience in
 computers, little in Linux) and don't understand everything.  But I'm trying
 to learn, so please go easy on me :-)

 I've been having a problem with dictionary hacker attempts on my system
 (hundreds or even thousands a day), so I implemented the following rules:

 # Kill ssh hackers - watch for more than 3 connection attempts in under
 # 15 minutes seconds and reject for 24 hours
 iptables -N SSH-EVIL
 iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level
 DEBUG --log-prefix evil SSH user: 
 iptables -A SSH-EVIL -j REJECT

 iptables -N SSH
 iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j
 ACCEPT
 iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds
 86400 -j REJECT
 iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds
 900 --hitcount 3 -j SSH-EVIL
 iptables -A SSH -p tcp --syn -m recent --name sshconn --set
 iptables -A SSH -p tcp --syn -j ACCEPT

 And something similar for ftp.  These work well.  But I'm also getting
 people trying to break in via the POP interface (I'm using qpopper).  So I
 tried the following, which does not work:

 iptables -N POP-EVIL
 iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level
 DEBUG --log-prefix evil POP user: 
 iptables -A POP-EVIL -j REJECT

 iptables -N POP
 iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state
 ESTABLISHED,RELATED -j ACCEPT
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP
 --rcheck --seconds 86400 -j REJECT
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn
 --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
 iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
 iptables -A FTP -p tcp --syn -j ACCEPT

 So my question is - what am I doing wrong in the POP interface, and how
 can I stop it here, also.


 --
 To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
 subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org


 Solution: apt-get install fail2ban (read up on the docs, it can drop IPs
 based on attempts etc)

 Justin.



Sorry for top posting, gmail does this by default


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: etch - iptables question

[Manon Metten]

Hi Ann,

On 6/13/07, ann kok [EMAIL PROTECTED] wrote

I just install new debian.

but it seems nothing iptable in the default installation
how can I install?



I have used Guarddog to config my iptables.
It's very easy to use and it will take only about 15 - 30
mins reading the manual and setting up your firewall.

Manon.

etch - iptables question

[ann kok]

Hi all

I just install new debian.
but it seems nothing iptable in the default
installation

how can I install?
and

how can I install new kernel?

can you show me steps?

Thank you


   

Got a little couch potato? 
Check out fun summer activities for kids.
http://search.yahoo.com/search?fr=oni_on_mailp=summer+activities+for+kidscs=bz
 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: etch - iptables question

[Robert Hodgins]

On Wed, 2007-06-13 at 15:47 -0700, ann kok wrote:
 Hi all
 
 I just install new debian.
 but it seems nothing iptable in the default
 installation
 
 how can I install?

1) you can use a pre-written script like this one:
http://www.hermann-uwe.de/files/fw_laptop

Getting it going is discussed here:
http://www.hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup--part-1-base-system
under the section called Networking, Upgrading and Apt-secure

2) you can install a package that will assist you in setting a firewall.
Shorewall, fwbuilder are a couple that folks use.



 and
 
 how can I install new kernel?

if you have synaptic installed search for ¨linux-image¨ and take your
pick.




-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

OT iptables question

[Glenn English]

I'm updating a RH ipchains packet filter script from the dim past to
iptables on Debian stable. 

I noticed that when I specified the network the host is on (by IP/mask),
the iptables listing called it localnet. So I tried using localnet in
the rule, and iptables seems to take it, and the chain seems to work.
But I can't find any documentation about that keyword in man, in Rusty's
HTML dox, or with google (lots of talk about it, but no dox). 

Is localnet a legit iptables network specification or an undocumented
feature? What does it actually do (should I hang a CIDR mask on the end,
or would that be redundant)? If the host responds to several IPs, does
localnet cover then all? Or just eth0? How about eth0:1?

It would be very handy because this script is to set filtering on all my
DMZ and LAN hosts (by switching on their hostnames and IPs). I know I
could just try it and see if it works, but this is to be the packet
filter on the DMZ, and I'd like to do it as rigorously as I can.

TIA...

-- 
Glenn English
[EMAIL PROTECTED]
GPG ID: D0D7FF20


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: OT iptables question

[Marty]

Glenn English wrote:

I'm updating a RH ipchains packet filter script from the dim past to
iptables on Debian stable. 


I noticed that when I specified the network the host is on (by IP/mask),
the iptables listing called it localnet. So I tried using localnet in
the rule, and iptables seems to take it, and the chain seems to work.
But I can't find any documentation about that keyword in man, in Rusty's
HTML dox, or with google (lots of talk about it, but no dox). 


Is localnet a legit iptables network specification or an undocumented
feature? What does it actually do (should I hang a CIDR mask on the end,
or would that be redundant)? If the host responds to several IPs, does
localnet cover then all? Or just eth0? How about eth0:1?

It would be very handy because this script is to set filtering on all my
DMZ and LAN hosts (by switching on their hostnames and IPs). I know I
could just try it and see if it works, but this is to be the packet
filter on the DMZ, and I'd like to do it as rigorously as I can.

TIA...



On my sarge system localnet seems to be defined in /etc/networks.
Try man networks  You might also try changing the network name there
and see what happens.

This raises another question for me,  I don't understand why I cannot find the
this file using dlocate or apt-file, or even using the package search tool on
debian.org.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: iptables question: no chain/target/match by that name...

[Laurence J. Lane]

On Mon, Apr 05, 2004 at 02:08:35PM -0500, hugo vanwoerkom wrote:

 I'm trying it now with multiport + eject enabled in netfilter.

Check REJECT in /proc/net/ip_tables_targets and check for multiport
in /proc/net/ip_tables_matches. Using either loaded netfilter
modules or built in netfilter support, netfilter functionality
should be listed in ip_tables_names, ip_tables_targets and
ip_tables_matches.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: iptables question: no chain/target/match by that name...

[David]

On Mon, Apr 05, 2004 at 12:09:31PM -0500, hugo vanwoerkom wrote:

 + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
  [ ... ]
 + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j 
 REJECT
 
 Now I know nothing of iptables, but why can he do destination port 80 
 and not 0:1023? If you delete the --dport 80 rule and put 0:1023 in its 
 place, he says the same thing.

No, it's different.  Iptables processes rules in the order that they're
entered.  Any target except LOG will cause iptables to quit the
particular chain it's in. LOG just logs and then continues in the same
chain it's processing.

In the example above, a tcp packet will go through the --dport 80
rule.  If it's destined for port 80, then it's accepted and and IPTABLES
is done with it.  That packet will never go through any further rules.

If the packet is NOT destined for port 80, then it will continue being
processed, and if it gets to the --dport 0:1023 rule, that is, of no
rules in between cause it to be ACCEPTED or REJECTED, it will be
REJECTED here.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

iptables question: no chain/target/match by that name...

[hugo vanwoerkom]

Hi World!

The lokkit question yesterday by Faheem Mitha prompted me to install 
lokkit on Sarge.

As Dircha pointed out: it don't work.

All lokkit does is create a little iptables script that sits in 
/etc/default/lokkit.

Then upon boot lokkit in /etc/init.d executes that script.

As Dircha also said: you have to dig into iptables. (1) which kernel 
options do you need?

I figured out that you need network packet filtering, netfilter, 
iptables support and netfilter packet filtering. I am not sure you 
need the last one.

(2)Now execution of that script gets:

Starting basic firewall rules: + PATH=/sbin:/sbin:/bin:/usr/sbin:/usr/bin
+ iptables -N RH-Lokkit-0-50-INPUT
+ iptables -F RH-Lokkit-0-50-INPUT
+ iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
+ iptables -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
+ iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j 
REJECT
iptables: No chain/target/match by that name
+ iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j 
REJECT
iptables: No chain/target/match by that name
+ iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
iptables: No chain/target/match by that name
+ iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
iptables: No chain/target/match by that name
+ iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn 
-j REJECT
iptables: No chain/target/match by that name
+ iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j 
REJECT
iptables: No chain/target/match by that name
failed.

Now I know nothing of iptables, but why can he do destination port 80 
and not 0:1023? If you delete the --dport 80 rule and put 0:1023 in its 
place, he says the same thing.

Where do you find this info?

Thanks!

Hugo

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: iptables question: no chain/target/match by that name...

[hugo vanwoerkom]

hugo vanwoerkom wrote:
Hi World!

The lokkit question yesterday by Faheem Mitha prompted me to install 
lokkit on Sarge.

As Dircha pointed out: it don't work.

All lokkit does is create a little iptables script that sits in 
/etc/default/lokkit.

Then upon boot lokkit in /etc/init.d executes that script.

As Dircha also said: you have to dig into iptables. (1) which kernel 
options do you need?

I figured out that you need network packet filtering, netfilter, 
iptables support and netfilter packet filtering. I am not sure you 
need the last one.

(2)Now execution of that script gets:
snip

I'm trying it now with multiport + eject enabled in netfilter.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

iptables question

[techlists]

I have a box that I use for routing, it's running sid, with ipmaq on
it.  It works fine for the most part.  For a while I had an internal
axis webcam that was port forwarded.  I use to put in the following at
the command prompt

iptables -t nat -A PREROUTING -j DNAT --proto tcp --dport 
 --to-destination 192.168.0.200:80

this always worked before, but recently I installed a new server for
routing, and set it up the same, but when I put the iptables line in, it
no longer works.  I don't get an error, but when I open up a web browser
it trells me the connedction was refused.

Am I missing something?

Stan


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

pop3vscan iptables question

[Glen Snyder]

I'd like to use pop3vscan to run clamscan. I added the following
iptables rule:
# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j
REDIRECT --to-port 8110

I then went through the procedures in /etc/default/iptables so that the
rule would remain after rebooting, but that doesn't seem to work. If I
reboot, the rule isn't there when I try:
#iptables -t nat -v -L 
If I do:
# /etc/init.d/iptables restart
It will load the rule with: Loading iptables rulesel: load active .

A couple of possible issues:
-I had compiled nat, iptables, and redirect support into the kernel,
rather than as modules.

-If I run
#dpkg-reconfigure iptables
I am not prompted for anything.

-I had to create the directory /var/lib/iptables/ in order to save
active and inactive. It has the same permissions as all of the other
directories in /var/lib

Any suggestions on how to get dpkg-reconfigure iptables to work (I
suspect the problem is there) would be greatly appreciated.

Thank you in advance.








-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

IPTABLES QUESTION

[GBV]

 I´m using Debian 3.0r1 with kernel 2.4.19 as a iptables firewall

 I have internal webservers that I need to publish as Internet Sites For
this
 manipulation I´m using Apache ProxyPass. The site works perfectly under
 apache.. even when the internal host is an ISS.

 1. How can I do it without apache proxypass, using iptables?

 2. This internal webserver also have a IRC server... how can I
manipulating
 iptables, to the external hosts use this internal IRC server, since i´m
only
 sharing the httpd via apache proxypass?

 3. Since I´m using apache proxypass I defined in virtualhosts that
 '/internalhost' leads to http://192.168.0.69:8080 , and I need to mantain
 that www.foo.com/internalhost , but using iptables someway. And I need the
 ircd of this internal server, responds via the same host. I´d like to
 mantain my apache since it´s in use... Is it possible? OR I´ll have to put
 this apache in another internal host, and them using iptables for
 manipulating?

 4. I´ve create in my DNS an internalhost.foo.com that leads to
 www.foo.com/internalhost this must be manteined too.

 I have something like:

 Internet - Firewall(Debian) - Internal httpd and ircd server
 external   foo.com
 internal 192.168.0.1  192.168.0.69


 Thanks all.

 Debian... because codes mather more than commercials



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: successful server installation, iptables question

[Rob Weir]

Firstly: iptables is the firewalling system built into the 2.4 kernel.
ipchains is the system from 2.2 (and an unsupported legacy option in
2.4).  iptables is better in nearly every way, so use it if you can.

On Mon, Oct 28, 2002 at 07:18:39PM +, Alan Chandler wrote:
 On Monday 28 October 2002 12:01 pm, [EMAIL PROTECTED] wrote:
  Hi,
 
  i successfuly installed my new debian server instead of the suse 7.2 that
  was on it. It was a lot easier to install and i knew what i was doing or at
  least i thought i was :-)
  I have installed the ipmasq package to share my internet connection.
  All works ok. However, how does one customize the settings? For instance
  if you want to allow an ssh connection in?
 
 There are two packages one is ipmasq and the other is iptables.  

The iptables package provides the userland tool (iptables(8)) to
configure the kernel's firewalling system.  ipmasq is a set of shell
scripts that set up a basic firewalling using either iptables or
ipchains (depending on which is installed).

 They conflict with each other.  

No, they don't.  ipmasq _Depends_ on iptables to handle setting up the
firewall (if you have a 2.4 kernel with ipchains, at least).

 I think you need a linux 2.4 kernel to use iptables, ipmasq can be
 used on 2.2 (and 2.4?).

Too many damn things with the same name, true, but they do have
well-defined meanings. s/ipmasq/ipchains/ is mostly right here.

 They are very similar to each other 

See above.

 a) It brings more options with it to check things like open sessions or 
 requests to start a session 

ipchains did not support this, but iptables does, and so does ipmasq
when your machine is running a 2.4 kernel (with iptables enabled).

 b) The input and forward tables are completely separate (in ipmasq forwarded 
 stuff also traversed the input table making it very difficult to have one set 
 of rules for filtering into the gateway box and another for forwarding).
 
 I have a custom iptables script to set up my firewall rules - I believe the 
 standard debian package does something itself, but I have not really looked 
 at that part.

The iptables package itself does not setup any sort of firewalling at
all, since this is local administrative decision that has no reasonable
default.  It does include `iptables-save' and `iptables-restore' scripts
that can save and restore locally defined setups.

 My suggestion would be to remove ipmasq and install iptables (I use dselect to 
 do this sort of thing) and then both man iptables and look at 

As I've said above, ipmasq _uses_ iptables.  If you have a 2.4 kernel,
and you want to use any sort of firewalling (custom bash script,
shorewall, ipmasq, hand entered commands) you _have to_ have the
iptables package installed.  There's no other way to talk to the kernel
about firewalling.

-rob



msg09877/pgp0.pgp
Description: PGP signature

successful server installation, iptables question

[[EMAIL PROTECTED]]

Hi,

i successfuly installed my new debian server instead of the suse 7.2 that
was on it. It was a lot easier to install and i knew what i was doing or at
least i thought i was :-)
I have installed the ipmasq package to share my internet connection.
All works ok. However, how does one customize the settings? For instance
if you want to allow an ssh connection in?

I thought of installing shorewall (conflicts with ipmasq). 
I could install this and test, see if my box is secure enough, and if 
it's not, i can always install ipmasq again ( a simple 
apt-get install ipmasq does it all ).

Anyone have experience with this?

Thanks.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: successful server installation, iptables question

[Alan Chandler]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Monday 28 October 2002 12:01 pm, [EMAIL PROTECTED] wrote:
 Hi,

 i successfuly installed my new debian server instead of the suse 7.2 that
 was on it. It was a lot easier to install and i knew what i was doing or at
 least i thought i was :-)
 I have installed the ipmasq package to share my internet connection.
 All works ok. However, how does one customize the settings? For instance
 if you want to allow an ssh connection in?

There are two packages one is ipmasq and the other is iptables.  They conflict 
with each other.  I think you need a linux 2.4 kernel to use iptables, ipmasq 
can be used on 2.2 (and 2.4?).

They are very similar to each other - although I have always prefered iptables 
because

a) It brings more options with it to check things like open sessions or 
requests to start a session 

b) The input and forward tables are completely separate (in ipmasq forwarded 
stuff also traversed the input table making it very difficult to have one set 
of rules for filtering into the gateway box and another for forwarding).

I have a custom iptables script to set up my firewall rules - I believe the 
standard debian package does something itself, but I have not really looked 
at that part.

My suggestion would be to remove ipmasq and install iptables (I use dselect to 
do this sort of thing) and then both man iptables and look at 
/usr/share/doc/iptables/html for a howto on NAT)

- -- 
Alan Chandler
[EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9vY2PuFHxcV2FFoIRAvXSAKCAqU67f9phrd5a4S3zZJDjDghoxACgjSIE
4ixhv9Maxc93KhfzbQNi0v0=
=kc9r
-END PGP SIGNATURE-


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]