Re: iptables question
Le 14/11/2016 à 00:48, deloptes a écrit : Pascal Hambourg wrote: Well then, all I can suggest is to run a packet capture and try to see what's going on. I guess you mean on the firewall? Yes.
Re: iptables question
Henning Follmann wrote: > Last time I chime in here. > I understand growth and chaos, believe me. However sometimes we need a > nudge or a kick in the but to clean up. Maybe this is your call.. It is kicking me and calling me since some time but I can not do this before next summer. I have to sit there with RS232 cable to be able to do the testing and repair if something fails. Perhaps I have luck and I can do it earlier, but not very likely. > Simplicity is a beautiful thing my friend yes indeed - as I mentioned I did not write this and I don'T know why the guy who wrote it, did it that way. regards
Re: iptables question
On Mon, Nov 14, 2016 at 12:45:20AM +0100, deloptes wrote: > Henning wrote: > > > And usually there is no reason for two separate rfc1918 address ranges. > > Pick one matching your address space needs and design subnets. > > There is only one single reason for nat: you have more hosts than routable > > ip addresses. I guess 10.0.0.0 meets even the biggest organizations. > > Thank you for the line of argumentation. As usual if something works for 10y > it undergoes a lot of changes. So the reason for not using 10.0.0.0 > internally is that it is historically that way. Some years ago the firewall > was connected to the public network directly. The new provider gave me the > modem and it uses automatically 10.0.0.0, which I can not influence. I just > did the DMZ - this was the time I tried to rewrite the firewall rules, but > I found out I need to read again a lot about iptables and more important it > would mean I would need to experiment and jeopardize the network. > The setup is useful in the way that the whole wireless network is outside > the firewall in the 10.0.0.0/24 range. All that I need for operating works > perfectly. Now the only problem is that I can not access anything else on > the 10.0.0.0 network except the modem. > > thanks again > > Last time I chime in here. I understand growth and chaos, believe me. However sometimes we need a nudge or a kick in the but to clean up. Maybe this is your call. Simplicity is a beautiful thing my friend. -H -- Henning Follmann | hfollm...@itcfollmann.com
Re: iptables question
deloptes wrote: > Igor Cicimov wrote: > >> Run tcpdump and check whats happening > > That is strange - I will look into this direction - let me know if you > have any ideas > > regards > > > tcpdump -vvv dst 10.0.0.7 > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size > 65535 bytes > 08:07:11.591763 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 > tell 10.0.0.1, length 28 > 08:07:12.591729 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 > tell 10.0.0.1, length 28 > 08:07:13.591686 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 > tell 10.0.0.1, length 28 > 08:07:14.595695 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 > tell 10.0.0.1, length 28 > 08:07:15.595632 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 > tell 10.0.0.1, length 28 > 08:07:16.595620 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 > tell 10.0.0.1, length 28 > > > > tcpdump -vvv dst 10.0.0.138 > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size > 65535 bytes > 08:04:55.765744 IP (tos 0x0, ttl 63, id 26002, offset 0, flags [DF], proto > TCP (6), length 60) > 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [S], cksum 0xc2c6 (correct), > seq > 2408995280, win 29200, options [mss 1460,sackOK,TS val 223296578 ecr > 0,nop,wscale 7], length 0 > 08:04:55.767594 IP (tos 0x0, ttl 63, id 26003, offset 0, flags [DF], proto > TCP (6), length 40) > 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x242c (correct), > seq > 2408995281, ack 3147433360, win 229, length 0 > 08:04:55.772423 IP (tos 0x0, ttl 63, id 44890, offset 0, flags [none], > proto UDP (17), length 69) > 10.0.0.1.24455 > 10.0.0.138.domain: [udp sum ok] 7454+ PTR? > 138.0.0.10.in-addr.arpa. (41) > 08:04:55.774778 IP (tos 0x0, ttl 63, id 26004, offset 0, flags [DF], proto > TCP (6), length 79) > 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0xfb15 (correct), > seq > 0:39, ack 1, win 229, length 39 > 08:04:55.787360 IP (tos 0x0, ttl 63, id 26005, offset 0, flags [DF], proto > TCP (6), length 40) > 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x23eb (correct), > seq > 39, ack 27, win 229, length 0 > 08:04:55.789504 IP (tos 0x0, ttl 63, id 26006, offset 0, flags [DF], proto > TCP (6), length 1500) > 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x7c86 (correct), > seq > 39:1499, ack 27, win 229, length 1460 > 08:04:55.789680 IP (tos 0x0, ttl 63, id 26007, offset 0, flags [DF], proto > TCP (6), length 228) > 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0x46dd (correct), > seq > 1499:1687, ack 27, win 229, length 188 > 08:04:55.791326 IP (tos 0x0, ttl 63, id 26008, offset 0, flags [DF], proto > TCP (6), length 312) > 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0xb0d6 (correct), > seq > 1687:1959, ack 339, win 237, length 272 > 08:04:55.796226 IP (tos 0x0, ttl 63, id 44893, offset 0, flags [none], > proto UDP (17), length 67) > 10.0.0.1.63625 > 10.0.0.138.domain: [udp sum ok] 17121+ PTR? > 1.0.0.10.in-addr.arpa. (39) > 08:04:58.223139 IP (tos 0x0, ttl 63, id 26009, offset 0, flags [DF], proto > TCP (6), length 56) > 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0x0ea9 (correct), > seq > 1959:1975, ack 915, win 246, length 16 My wife turned off the wireless 08:59:06.127029 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 tell 10.0.0.1, length 28 08:59:06.202411 IP (tos 0x0, ttl 63, id 50126, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x5a12 (correct), seq 3855619686, win 29200, options [mss 1460,sackOK,TS val 226547112 ecr 0,nop,wscale 7], length 0 08:59:07.172012 IP (tos 0x0, ttl 63, id 50127, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x55fa (correct), seq 3855619686, win 29200, options [mss 1460,sackOK,TS val 226548160 ecr 0,nop,wscale 7], length 0 08:59:09.219907 IP (tos 0x0, ttl 63, id 50128, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x4dfa (correct), seq 3855619686, win 29200, options [mss 1460,sackOK,TS val 226550208 ecr 0,nop,wscale 7], length 0 08:59:13.251697 IP (tos 0x0, ttl 63, id 50129, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x3e3a (correct), seq 3855619686, win 29200, options [mss 1460,sackOK,TS val 226554240 ecr 0,nop,wscale 7], length 0 08:59:21.571248 IP (tos 0x0, ttl 63, id 50130, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0x1dba (correct), seq 3855619686, win 29200, options [mss 1460,sackOK,TS val 226562560 ecr 0,nop,wscale 7], length 0 08:59:37.954393 IP (tos 0x0, ttl 63, id 50131, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.34912 > RM696.ssh: Flags [S], cksum 0xddb9 (correct), seq 3855619686, win 29200, options [mss 1460,sackOK,TS val 226578944 ecr 0,nop,wscale 7],
Re: iptables question
Igor Cicimov wrote: > Run tcpdump and check whats happening That is strange - I will look into this direction - let me know if you have any ideas regards tcpdump -vvv dst 10.0.0.7 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 08:07:11.591763 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 tell 10.0.0.1, length 28 08:07:12.591729 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 tell 10.0.0.1, length 28 08:07:13.591686 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 tell 10.0.0.1, length 28 08:07:14.595695 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 tell 10.0.0.1, length 28 08:07:15.595632 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 tell 10.0.0.1, length 28 08:07:16.595620 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has RM696 tell 10.0.0.1, length 28 tcpdump -vvv dst 10.0.0.138 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 08:04:55.765744 IP (tos 0x0, ttl 63, id 26002, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [S], cksum 0xc2c6 (correct), seq 2408995280, win 29200, options [mss 1460,sackOK,TS val 223296578 ecr 0,nop,wscale 7], length 0 08:04:55.767594 IP (tos 0x0, ttl 63, id 26003, offset 0, flags [DF], proto TCP (6), length 40) 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x242c (correct), seq 2408995281, ack 3147433360, win 229, length 0 08:04:55.772423 IP (tos 0x0, ttl 63, id 44890, offset 0, flags [none], proto UDP (17), length 69) 10.0.0.1.24455 > 10.0.0.138.domain: [udp sum ok] 7454+ PTR? 138.0.0.10.in-addr.arpa. (41) 08:04:55.774778 IP (tos 0x0, ttl 63, id 26004, offset 0, flags [DF], proto TCP (6), length 79) 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0xfb15 (correct), seq 0:39, ack 1, win 229, length 39 08:04:55.787360 IP (tos 0x0, ttl 63, id 26005, offset 0, flags [DF], proto TCP (6), length 40) 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x23eb (correct), seq 39, ack 27, win 229, length 0 08:04:55.789504 IP (tos 0x0, ttl 63, id 26006, offset 0, flags [DF], proto TCP (6), length 1500) 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [.], cksum 0x7c86 (correct), seq 39:1499, ack 27, win 229, length 1460 08:04:55.789680 IP (tos 0x0, ttl 63, id 26007, offset 0, flags [DF], proto TCP (6), length 228) 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0x46dd (correct), seq 1499:1687, ack 27, win 229, length 188 08:04:55.791326 IP (tos 0x0, ttl 63, id 26008, offset 0, flags [DF], proto TCP (6), length 312) 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0xb0d6 (correct), seq 1687:1959, ack 339, win 237, length 272 08:04:55.796226 IP (tos 0x0, ttl 63, id 44893, offset 0, flags [none], proto UDP (17), length 67) 10.0.0.1.63625 > 10.0.0.138.domain: [udp sum ok] 17121+ PTR? 1.0.0.10.in-addr.arpa. (39) 08:04:58.223139 IP (tos 0x0, ttl 63, id 26009, offset 0, flags [DF], proto TCP (6), length 56) 10.0.0.1.52112 > 10.0.0.138.ssh: Flags [P.], cksum 0x0ea9 (correct), seq 1959:1975, ack 915, win 246, length 16
Re: iptables question
On 13 Nov 2016 11:20 am, "deloptes"wrote: > > Joe wrote: > > > On Sat, 12 Nov 2016 22:15:45 +0100 > > deloptes wrote: > > > >> Hi, > >> I need some help and I'll appreciate it. > >> > >> I have a firewall with iptables behind the modem. > >> on this firewall I have > >> eth0 with ip 10..1 to the modem ip: 10..12 > >> eth1 with ip 192..1 to the intranet > >> > >> iptables is doing SNAT from 192..1 to 10..1 > >> > >> I wonder how I can ssh from 192..NN to 10..NN > >> What magic should I apply to make it happen? > >> > >> Thanks in advance > >> > >> > > > > Can we take it that this does not work now? If that is the case, are > > you sure that iptables is preventing it? There are other possible > > reasons for a new ssh link not to work. > > > > Yes, it is not working and yes it might be a different issue. So here is > some additional information, if you wish. > > >From one computer ip 10..6 I can ssh to 10..7 and vv. > I also see that iptables forwards to the output, but in the output nothing > happens. So it is either in the output chain, or the back route blocks. > > > A typical simple iptables script will allow what you want to do to > > happen already, so there must either be some iptables restriction in > > place now, or there is some other reason for ssh not working. Are you > > able to connect to the modem web configuration page from the 192. > > network? > > > > Yes I forgot to mention that I can connect from 192..NN to the modem ip via > ssh lets say 10..200. > > On the modem there is also firewall. I tried disableing it but it did not > help. > > And you can bet there is restriction - basically it is pretty tight and is > opened only what is needed to intranet and basically all to modem net > > > The SNAT should not be an issue, it can handle all protocols > > transparently, and ssh uses the same tcp protocol as http. > > > > If there are iptables restrictions on outgoing protocols, you need to > > find the rule permitting tcp/80 to be forwarded, copy it and replace 80 > > with 22. Once this is working, we can restrict the destination to the > > 10. network, as presumably any existing port 80 rule allows connection > > to anywhere and you may not want that for ssh. > > there is nothing regarding the output - no rules based on ports > > thanks > Run tcpdump and check whats happening
Re: iptables question
On 14 Nov 2016 12:50 am, "Pascal Hambourg"wrote: > > Le 13/11/2016 à 13:37, Joe a écrit : >>> >>> >>> PPTP rather falls into the "complex protocols" described below. >> >> >> Exactly so. You wouldn't believe how many routers of ten years ago or >> so didn't handle it properly, at least with their initial firmware. But > > > Why wouldn't I ? Knowing how NAT is tricky, I am not surprised at all that the handling of "non standard" protocols (read : other than a single TCP or UDP connection) by many NAT systems is broken. > > >> it still doesn't need any additional NAT rules in iptables, the single >> SNAT rule handles it, as well as tcp, udp etc. Other rules are needed >> for correct *operation*, but not for NAT. > > > Proper NAT handling of a non standard protocol requires proper connection tracking, and both require additionnal conntrack/NAT helper modules. > A security change in the conntrack/NAT helper management of recent kernels requires additionnal iptables rule to explicitly attach a helper to a connection. See the CT target. > > Without this, only simples cases may be handled correctly, when no more than one host behind the NAT communicates with the same outside host. Please read below. > > >> Yes, I'm aware that NAT stops >> plain IPSec working, as the endpoint IP addresses are involved in the >> encryption. That isn't an iptables rule issue, and our single SNAT >> rule will forward Protocol 47 and 50 just as easily as Protocol 6. > > > Not as easily. IPSec protocols don't have ports, so SNAT cannot handle communications from several hosts behind the NAT device to the same host outside. The same applies to GRE without specific GRE handler support. > > Typical failure scenario : > > 1) Hosts A and B are behind the NAT router D and want to communicate with outside host C. > > 2) Host A sends a packet to host C through NAT router D. D changes the source address to its own and forwards the packet to C. > > 3) Host B sends a packet to host C through NAT router D. D changes the source address to its own and forwards the packet to C. > > 4) Host C sends a reply packet to NAT router D. Problem : there is nothing in the packet to tell D if it belongs to the connection initiated by A or B and if it must forward the packet to A or B. Communication failure. Actually netfilter conntrack detects the clash at stage 2) when B sends the initial packet to C, and discards the packet. > One can use NAT-T in that case. > With protocols such as TCP or UDP, the conntrack/NAT can use source and destination ports to associate a packet with a known connection. But GRE or IPSec don't have ports. GRE packets have some kind of connection ID, but the standard netfilter NAT does not use it. So to avoid the failure in the above scenario, you must use the GRE conntrack/NAT helper modules. However there is no luck with IPSec. > > >>> What is the "small-p sense" ? >> >> >> In the sense of 'a defined system for data transfer', as opposed to the >> Internet Protocols of tcp, udp, gre etc. http is spoken of as a >> 'protocol', small-p, although it is a tiny subset of the tcp Internet >> Protocol. > > > I guess you mean "application layer protocol" such as HTTP or SSH as opposed to "network layer protocol" such as IP or ICMP and "transport layer protocol" such as TCP or UDP. I had never read this expression before. >
Re: iptables question
Pascal Hambourg wrote: > Well then, all I can suggest is to run a packet capture and try to see > what's going on. I guess you mean on the firewall? I am not even sure I can install tcpdump there, but I will try and ask again for help here for sure thanks
Re: iptables question
Henning wrote: > And usually there is no reason for two separate rfc1918 address ranges. > Pick one matching your address space needs and design subnets. > There is only one single reason for nat: you have more hosts than routable > ip addresses. I guess 10.0.0.0 meets even the biggest organizations. Thank you for the line of argumentation. As usual if something works for 10y it undergoes a lot of changes. So the reason for not using 10.0.0.0 internally is that it is historically that way. Some years ago the firewall was connected to the public network directly. The new provider gave me the modem and it uses automatically 10.0.0.0, which I can not influence. I just did the DMZ - this was the time I tried to rewrite the firewall rules, but I found out I need to read again a lot about iptables and more important it would mean I would need to experiment and jeopardize the network. The setup is useful in the way that the whole wireless network is outside the firewall in the 10.0.0.0/24 range. All that I need for operating works perfectly. Now the only problem is that I can not access anything else on the 10.0.0.0 network except the modem. thanks again
Re: iptables question
> On Nov 13, 2016, at 5:19 PM, Pascal Hambourgwrote: > >> Le 13/11/2016 à 22:27, Henning a écrit : >> I followed this thread and i wonder if there is a sane reason why you do nat >> inside your network. Why don't you just route between different subnets i.e. >> 10.0.1.0/24 and 10.0.2.0/24 > > Probably because the modem and hosts in 10.0.0.0/24 don't know about > 192.168.40.0/24. > And usually there is no reason for two separate rfc1918 address ranges. Pick one matching your address space needs and design subnets. There is only one single reason for nat: you have more hosts than routable ip addresses. I guess 10.0.0.0 meets even the biggest organizations. -H
Re: iptables question
Le 13/11/2016 à 21:43, deloptes a écrit : Pascal Hambourg wrote: replace 10.0.0.1/32 with 10.0.0.0/24 it does not work You should double check that. I checked replaced 10.0.0.1/32 with 10.0.0.0/24. Just insert this rule and check whether it changes anything : iptables -I FORWARD -j ACCEPT If SSH works then the ruleset is faulty and I'll have to double-check it. If SSH does not work, then the cause is elsewhere. You can remove the rule with iptables -D FORWARD -j ACCEPT it does not work Well then, all I can suggest is to run a packet capture and try to see what's going on.
Re: iptables question
Le 13/11/2016 à 22:27, Henning a écrit : I followed this thread and i wonder if there is a sane reason why you do nat inside your network. Why don't you just route between different subnets i.e. 10.0.1.0/24 and 10.0.2.0/24 Probably because the modem and hosts in 10.0.0.0/24 don't know about 192.168.40.0/24.
Re: iptables question
I followed this thread and i wonder if there is a sane reason why you do nat inside your network. Why don't you just route between different subnets i.e. 10.0.1.0/24 and 10.0.2.0/24 you still can have a firewall between those subnets -H
Re: iptables question
Pascal Hambourg wrote: >> replace 10.0.0.1/32 with 10.0.0.0/24 it does not work > > You should double check that. > I checked replaced 10.0.0.1/32 with 10.0.0.0/24. >>> This ruleset does not need improvements but a total rewrite. >> >> Yes I was thinking the same, I'll put it on the TODO. I even tried once >> with fw builder - it couldn't even import properly, because import and >> export produced not working firewall. > > Just insert this rule and check whether it changes anything : > > iptables -I FORWARD -j ACCEPT > > If SSH works then the ruleset is faulty and I'll have to double-check > it. If SSH does not work, then the cause is elsewhere. > > You can remove the rule with > > iptables -D FORWARD -j ACCEPT it does not work regards
Re: iptables question
Le 13/11/2016 à 20:40, deloptes a écrit : Pascal Hambourg wrote: Did you check the routing table on the firewall and the targets ? Do they have a route to all the 10.0.0.0/24 range ? the one I posted is on the firewall - firewall is the one I am trying to modify. The one you posted ? I didn't see a routing table in any of your posts. I am not sure that I have a rule to all the 10.0.0.0/24 range, but even if I replace 10.0.0.1/32 with 10.0.0.0/24 it does not work You should double check that. This ruleset does not need improvements but a total rewrite. Yes I was thinking the same, I'll put it on the TODO. I even tried once with fw builder - it couldn't even import properly, because import and export produced not working firewall. Just insert this rule and check whether it changes anything : iptables -I FORWARD -j ACCEPT If SSH works then the ruleset is faulty and I'll have to double-check it. If SSH does not work, then the cause is elsewhere. You can remove the rule with iptables -D FORWARD -j ACCEPT
Re: iptables question
Pascal Hambourg wrote: > Le 13/11/2016 à 16:05, deloptes a écrit : >> >> These are the rules - a friend created this like 10y ago. I added few >> rules to forward ports from outside to the intranet and to be able to >> handle VPN. >> You can ignore 192.168.60.1 on eth2 - not used. > > IMO, this ruleset is totally insane. > Haha, yes for me it is also hard to understand it all ... but as I said in the past 10y it did a good work. > However, after clearing out all irrelevant rules, I see nothing in what > is left which may block connections from 192.168.40.0/24 on eth1 to > anywhere through the firewall : > > *nat > :PREROUTING ACCEPT [26000:2533530] > :POSTROUTING ACCEPT [87:4966] > :OUTPUT ACCEPT [28:2038] > -A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1 > COMMIT > *filter > :INPUT DROP [0:0] > :FORWARD DROP [0:0] > :OUTPUT DROP [0:0] > :ifilter - [0:0] > :ofilter - [0:0] > -A INPUT -j ifilter > -A FORWARD -j ifilter > -A FORWARD -j ofilter > -A OUTPUT -j ofilter > -A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT > -A ifilter -i eth1 -m state --state NEW -j ACCEPT > > What happens exactly when your try to connect ? What is the command, > what is the reply ? Did you make a packet capture on eth0 ? > I do ssh user@10...6 and nothing happens - connection time out after ~1min > Did you check the routing table on the firewall and the targets ? Do > they have a route to all the 10.0.0.0/24 range ? > the one I posted is on the firewall - firewall is the one I am trying to modify. I am not sure that I have a rule to all the 10.0.0.0/24 range, but even if I replace 10.0.0.1/32 with 10.0.0.0/24 it does not work >> Another important information perhaps is that the modem is configured to >> have a DMZ with 10.0.0.1. > > I don't think this is relevant. The modem is not involved. > The modem is a wireless modem so the cable goes to the firewall 10..1 and via the wlan I have 10..6 etc. So IMO it is involved, but I do not have root on it - I have only the admin iface and there I see firewall is active and setup in normal mode (you have easy and hard - translated from the local language) >> Devices 10.0.0.6 and 10.0.0.7 which I want to connect from 192 do not >> have any firewalls - they are mobile phones. >> >> I will really appreciate your help - perhaps reviewing the rules and >> suggesting improvements as well. > > This ruleset does not need improvements but a total rewrite. Yes I was thinking the same, I'll put it on the TODO. I even tried once with fw builder - it couldn't even import properly, because import and export produced not working firewall. IT is a bit complicated. However I think the ruleset is not that bad as testing from outside shows the network 192.168... is well protected thanks regards
Re: iptables question
Le 13/11/2016 à 16:05, deloptes a écrit : These are the rules - a friend created this like 10y ago. I added few rules to forward ports from outside to the intranet and to be able to handle VPN. You can ignore 192.168.60.1 on eth2 - not used. IMO, this ruleset is totally insane. However, after clearing out all irrelevant rules, I see nothing in what is left which may block connections from 192.168.40.0/24 on eth1 to anywhere through the firewall : *nat :PREROUTING ACCEPT [26000:2533530] :POSTROUTING ACCEPT [87:4966] :OUTPUT ACCEPT [28:2038] -A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1 COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :ifilter - [0:0] :ofilter - [0:0] -A INPUT -j ifilter -A FORWARD -j ifilter -A FORWARD -j ofilter -A OUTPUT -j ofilter -A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT -A ifilter -i eth1 -m state --state NEW -j ACCEPT What happens exactly when your try to connect ? What is the command, what is the reply ? Did you make a packet capture on eth0 ? Did you check the routing table on the firewall and the targets ? Do they have a route to all the 10.0.0.0/24 range ? Another important information perhaps is that the modem is configured to have a DMZ with 10.0.0.1. I don't think this is relevant. The modem is not involved. Devices 10.0.0.6 and 10.0.0.7 which I want to connect from 192 do not have any firewalls - they are mobile phones. I will really appreciate your help - perhaps reviewing the rules and suggesting improvements as well. This ruleset does not need improvements but a total rewrite.
Re: iptables question
Michael Milliman wrote: > Again, posting the exact ruleset would be helpful. These are the rules - a friend created this like 10y ago. I added few rules to forward ports from outside to the intranet and to be able to handle VPN. You can ignore 192.168.60.1 on eth2 - not used. Another important information perhaps is that the modem is configured to have a DMZ with 10.0.0.1. Devices 10.0.0.6 and 10.0.0.7 which I want to connect from 192 do not have any firewalls - they are mobile phones. I will really appreciate your help - perhaps reviewing the rules and suggesting improvements as well. thank you in advance regards # Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016 *nat :PREROUTING ACCEPT [26000:2533530] :POSTROUTING ACCEPT [87:4966] :OUTPUT ACCEPT [28:2038] -A PREROUTING -s 127.0.0.0/8 -j ACCEPT -A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.40.40:80 -A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.40.40:443 -A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 2 -j DNAT --to-destination 192.168.40.40:2 -A PREROUTING -d 10.0.0.1/32 -i eth0 -p tcp -m tcp --dport 64371 -j DNAT --to-destination 192.168.40.40:11371 -A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1 -A POSTROUTING -s 192.168.60.0/24 -o eth0 -j SNAT --to-source 10.0.0.1 -A POSTROUTING -o lo -j ACCEPT -A POSTROUTING -s 127.0.0.0/8 -o eth1 -j ACCEPT -A POSTROUTING -s 127.0.0.0/8 -o eth2 -j ACCEPT COMMIT # Completed on Sun Nov 13 15:57:01 2016 # Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016 *mangle :PREROUTING ACCEPT [234697:66952234] :INPUT ACCEPT [12588:1180664] :FORWARD ACCEPT [222077:65769320] :OUTPUT ACCEPT [11465:1137886] :POSTROUTING ACCEPT [233484:66847418] COMMIT # Completed on Sun Nov 13 15:57:01 2016 # Generated by iptables-save v1.4.14 on Sun Nov 13 15:57:01 2016 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :ifilter - [0:0] :ofilter - [0:0] -A INPUT -j ifilter -A FORWARD -j ifilter -A FORWARD -j ofilter -A OUTPUT -j ofilter -A ifilter -i lo -j ACCEPT -A ifilter -s 127.0.0.0/8 -i eth1 -j ACCEPT -A ifilter -s 127.0.0.0/8 -i eth2 -j ACCEPT -A ifilter -s 127.0.0.0/8 ! -i lo -m limit --limit 3/min -j LOG --log-prefix " -- BLOCK ( int -> lo) -- " -A ifilter -s 127.0.0.0/8 ! -i lo -j DROP -A ifilter -s 0.0.0.0/8 -i eth0 -j DROP -A ifilter -s 127.0.0.0/8 -i eth0 -j DROP -A ifilter -s 224.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 224.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 224.0.0.0/8 -j DROP -A ifilter -s 225.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 225.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 225.0.0.0/8 -j DROP -A ifilter -s 226.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 226.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 226.0.0.0/8 -j DROP -A ifilter -s 227.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 227.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 227.0.0.0/8 -j DROP -A ifilter -s 228.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 228.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 228.0.0.0/8 -j DROP -A ifilter -s 229.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 229.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 229.0.0.0/8 -j DROP -A ifilter -s 230.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 230.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 230.0.0.0/8 -j DROP -A ifilter -s 231.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 231.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 231.0.0.0/8 -j DROP -A ifilter -s 232.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 232.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 232.0.0.0/8 -j DROP -A ifilter -s 233.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 233.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 233.0.0.0/8 -j DROP -A ifilter -s 234.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 234.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 234.0.0.0/8 -j DROP -A ifilter -s 235.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 235.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 235.0.0.0/8 -j DROP -A ifilter -s 236.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 236.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 236.0.0.0/8 -j DROP -A ifilter -s 237.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 237.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 237.0.0.0/8 -j DROP -A ifilter -s 238.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 238.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 238.0.0.0/8 -j DROP -A ifilter -s 239.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 239.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 239.0.0.0/8 -j DROP -A ifilter -s 240.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 240.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 240.0.0.0/8 -j DROP -A ifilter -s 241.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 241.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 241.0.0.0/8 -j DROP -A ifilter -s 242.0.0.0/8 -p udp -m udp -j DROP -A ifilter -s 242.0.0.0/8 -p tcp -m tcp -j DROP -A ifilter -s 242.0.0.0/8 -j DROP -A ifilter -s 243.0.0.0/8 -p udp -m udp -j DROP -A ifilter
Re: iptables question
Le 13/11/2016 à 13:37, Joe a écrit : PPTP rather falls into the "complex protocols" described below. Exactly so. You wouldn't believe how many routers of ten years ago or so didn't handle it properly, at least with their initial firmware. But Why wouldn't I ? Knowing how NAT is tricky, I am not surprised at all that the handling of "non standard" protocols (read : other than a single TCP or UDP connection) by many NAT systems is broken. it still doesn't need any additional NAT rules in iptables, the single SNAT rule handles it, as well as tcp, udp etc. Other rules are needed for correct *operation*, but not for NAT. Proper NAT handling of a non standard protocol requires proper connection tracking, and both require additionnal conntrack/NAT helper modules. A security change in the conntrack/NAT helper management of recent kernels requires additionnal iptables rule to explicitly attach a helper to a connection. See the CT target. Without this, only simples cases may be handled correctly, when no more than one host behind the NAT communicates with the same outside host. Please read below. Yes, I'm aware that NAT stops plain IPSec working, as the endpoint IP addresses are involved in the encryption. That isn't an iptables rule issue, and our single SNAT rule will forward Protocol 47 and 50 just as easily as Protocol 6. Not as easily. IPSec protocols don't have ports, so SNAT cannot handle communications from several hosts behind the NAT device to the same host outside. The same applies to GRE without specific GRE handler support. Typical failure scenario : 1) Hosts A and B are behind the NAT router D and want to communicate with outside host C. 2) Host A sends a packet to host C through NAT router D. D changes the source address to its own and forwards the packet to C. 3) Host B sends a packet to host C through NAT router D. D changes the source address to its own and forwards the packet to C. 4) Host C sends a reply packet to NAT router D. Problem : there is nothing in the packet to tell D if it belongs to the connection initiated by A or B and if it must forward the packet to A or B. Communication failure. Actually netfilter conntrack detects the clash at stage 2) when B sends the initial packet to C, and discards the packet. With protocols such as TCP or UDP, the conntrack/NAT can use source and destination ports to associate a packet with a known connection. But GRE or IPSec don't have ports. GRE packets have some kind of connection ID, but the standard netfilter NAT does not use it. So to avoid the failure in the above scenario, you must use the GRE conntrack/NAT helper modules. However there is no luck with IPSec. What is the "small-p sense" ? In the sense of 'a defined system for data transfer', as opposed to the Internet Protocols of tcp, udp, gre etc. http is spoken of as a 'protocol', small-p, although it is a tiny subset of the tcp Internet Protocol. I guess you mean "application layer protocol" such as HTTP or SSH as opposed to "network layer protocol" such as IP or ICMP and "transport layer protocol" such as TCP or UDP. I had never read this expression before.
Re: iptables question
On Sun, 13 Nov 2016 11:29:48 +0100 Pascal Hambourgwrote: > Le 13/11/2016 à 11:09, Joe a écrit : > > Pascal Hambourg wrote: > > > >> Le 12/11/2016 à 23:32, Joe a écrit : > >>> > >>> The SNAT should not be an issue, it can handle all protocols > >>> transparently > >> > >> No it cannot. NAT is not possible with some IP protocols. Plain > >> IPSec (without NAT-T encapsulation) is the first one that comes in > >> mind. > > > > I used to have a fair bit to do with PPTP through three or four > > NATs, > > PPTP rather falls into the "complex protocols" described below. Exactly so. You wouldn't believe how many routers of ten years ago or so didn't handle it properly, at least with their initial firmware. But it still doesn't need any additional NAT rules in iptables, the single SNAT rule handles it, as well as tcp, udp etc. Other rules are needed for correct *operation*, but not for NAT. Yes, I'm aware that NAT stops plain IPSec working, as the endpoint IP addresses are involved in the encryption. That isn't an iptables rule issue, and our single SNAT rule will forward Protocol 47 and 50 just as easily as Protocol 6. > > >> Also many complex protocols such as FTP or SIP (nothing exotic > >> here) require special support and this is not transparent as it > >> requires messing with the payload, not only with the packet > >> headers. Use of encryption with these protocoles may come in the > >> way and defeat NAT handling. > > > > Is ssh really a more difficult protocol to handle than http? > > No. SSH relies on a single TCP connection, like TCP and other > "simple" protocols. I reacted to you writing "NAT can handle *all* > protocols *transparently*". > > > I'm using 'protocol' in > > the small-p sense, not referring specifically to Internet > > Protocols. > > What is the "small-p sense" ? > In the sense of 'a defined system for data transfer', as opposed to the Internet Protocols of tcp, udp, gre etc. http is spoken of as a 'protocol', small-p, although it is a tiny subset of the tcp Internet Protocol. Many people used to confuse tcp port 47 with IP 47, to the extent that some router firmware would forward IP 47 if asked for tcp/47, which only perpetuated the confusion. -- Joe
Re: iptables question
On 11/12/2016 06:19 PM, deloptes wrote: Joe wrote: On Sat, 12 Nov 2016 22:15:45 +0100 delopteswrote: Hi, I need some help and I'll appreciate it. I have a firewall with iptables behind the modem. on this firewall I have eth0 with ip 10..1 to the modem ip: 10..12 eth1 with ip 192..1 to the intranet iptables is doing SNAT from 192..1 to 10..1 I wonder how I can ssh from 192..NN to 10..NN What magic should I apply to make it happen? Thanks in advance Can we take it that this does not work now? If that is the case, are you sure that iptables is preventing it? There are other possible reasons for a new ssh link not to work. Yes, it is not working and yes it might be a different issue. So here is some additional information, if you wish. >From one computer ip 10..6 I can ssh to 10..7 and vv. I also see that iptables forwards to the output, but in the output nothing happens. So it is either in the output chain, or the back route blocks. A typical simple iptables script will allow what you want to do to happen already, so there must either be some iptables restriction in place now, or there is some other reason for ssh not working. Are you able to connect to the modem web configuration page from the 192. network? Yes I forgot to mention that I can connect from 192..NN to the modem ip via ssh lets say 10..200. Ok, this confuses me a little. I thought the modem was 10..12? Nevertheless, it sounds like you have the ability to connect to _something_ on the 10. network. Therefore, I would suspect the settings on the 10. machine that you are not able to communicate with. Also, the 192. machine could be blocking (on the input chain) all communications from 10. except from the specific ip address of the modem. One of the other respondents indicated that posting a (sanitized) copy of your ruleset would help, this is indeed the case. On the modem there is also firewall. I tried disableing it but it did not help. The firewall on the modem should not affect the communications between 192. and 10. from what I understand of your setup. You have a firewall machine with two NICs one on the 192. network and one on the 10. network. The modem is on the 10. network along with some other machines (presumably with a switch or router) and the firewall is acting as a bridge between the 192. and the 10. And you can bet there is restriction - basically it is pretty tight and is opened only what is needed to intranet and basically all to modem net The SNAT should not be an issue, it can handle all protocols transparently, and ssh uses the same tcp protocol as http. If there are iptables restrictions on outgoing protocols, you need to find the rule permitting tcp/80 to be forwarded, copy it and replace 80 with 22. Once this is working, we can restrict the destination to the 10. network, as presumably any existing port 80 rule allows connection to anywhere and you may not want that for ssh. there is nothing regarding the output - no rules based on ports thanks Again, posting the exact ruleset would be helpful.
Re: iptables question
Le 13/11/2016 à 11:09, Joe a écrit : Pascal Hambourgwrote: Le 12/11/2016 à 23:32, Joe a écrit : The SNAT should not be an issue, it can handle all protocols transparently No it cannot. NAT is not possible with some IP protocols. Plain IPSec (without NAT-T encapsulation) is the first one that comes in mind. I used to have a fair bit to do with PPTP through three or four NATs, PPTP rather falls into the "complex protocols" described below. Also many complex protocols such as FTP or SIP (nothing exotic here) require special support and this is not transparent as it requires messing with the payload, not only with the packet headers. Use of encryption with these protocoles may come in the way and defeat NAT handling. Is ssh really a more difficult protocol to handle than http? No. SSH relies on a single TCP connection, like TCP and other "simple" protocols. I reacted to you writing "NAT can handle *all* protocols *transparently*". I'm using 'protocol' in the small-p sense, not referring specifically to Internet Protocols. What is the "small-p sense" ?
Re: iptables question
On Sun, 13 Nov 2016 10:35:29 +0100 Pascal Hambourgwrote: > Le 12/11/2016 à 23:32, Joe a écrit : > > > > The SNAT should not be an issue, it can handle all protocols > > transparently > > No it cannot. NAT is not possible with some IP protocols. Plain IPSec > (without NAT-T encapsulation) is the first one that comes in mind. I used to have a fair bit to do with PPTP through three or four NATs, which sometimes involved guessing what Windows equivalents of conntrack were up to. > > Also many complex protocols such as FTP or SIP (nothing exotic here) > require special support and this is not transparent as it requires > messing with the payload, not only with the packet headers. Use of > encryption with these protocoles may come in the way and defeat NAT > handling. Is ssh really a more difficult protocol to handle than http? In the context of this question, I would suggest not. I'm using 'protocol' in the small-p sense, not referring specifically to Internet Protocols. -- Joe
Re: iptables question
Le 13/11/2016 à 01:19, deloptes a écrit : Yes, it is not working How is it not working ? What do you do and what happens ? From one computer ip 10..6 I can ssh to 10..7 and vv. That does not concern the firewall between the modem and the LAN. I also see that iptables forwards to the output, but in the output nothing happens. This does not make any sense. Iptables does not forward anything. It just accepts, drops or mangles packets. Yes I forgot to mention that I can connect from 192..NN to the modem ip via ssh lets say 10..200. Huh ? What are these addresses ? The source, the destination ? It would be much simple if you provided the output of iptables-save so we can see your ruleset.
Re: iptables question
Le 12/11/2016 à 23:32, Joe a écrit : The SNAT should not be an issue, it can handle all protocols transparently No it cannot. NAT is not possible with some IP protocols. Plain IPSec (without NAT-T encapsulation) is the first one that comes in mind. Also many complex protocols such as FTP or SIP (nothing exotic here) require special support and this is not transparent as it requires messing with the payload, not only with the packet headers. Use of encryption with these protocoles may come in the way and defeat NAT handling.
Re: iptables question
Joe wrote: > On Sat, 12 Nov 2016 22:15:45 +0100 > delopteswrote: > >> Hi, >> I need some help and I'll appreciate it. >> >> I have a firewall with iptables behind the modem. >> on this firewall I have >> eth0 with ip 10..1 to the modem ip: 10..12 >> eth1 with ip 192..1 to the intranet >> >> iptables is doing SNAT from 192..1 to 10..1 >> >> I wonder how I can ssh from 192..NN to 10..NN >> What magic should I apply to make it happen? >> >> Thanks in advance >> >> > > Can we take it that this does not work now? If that is the case, are > you sure that iptables is preventing it? There are other possible > reasons for a new ssh link not to work. > Yes, it is not working and yes it might be a different issue. So here is some additional information, if you wish. >From one computer ip 10..6 I can ssh to 10..7 and vv. I also see that iptables forwards to the output, but in the output nothing happens. So it is either in the output chain, or the back route blocks. > A typical simple iptables script will allow what you want to do to > happen already, so there must either be some iptables restriction in > place now, or there is some other reason for ssh not working. Are you > able to connect to the modem web configuration page from the 192. > network? > Yes I forgot to mention that I can connect from 192..NN to the modem ip via ssh lets say 10..200. On the modem there is also firewall. I tried disableing it but it did not help. And you can bet there is restriction - basically it is pretty tight and is opened only what is needed to intranet and basically all to modem net > The SNAT should not be an issue, it can handle all protocols > transparently, and ssh uses the same tcp protocol as http. > > If there are iptables restrictions on outgoing protocols, you need to > find the rule permitting tcp/80 to be forwarded, copy it and replace 80 > with 22. Once this is working, we can restrict the destination to the > 10. network, as presumably any existing port 80 rule allows connection > to anywhere and you may not want that for ssh. there is nothing regarding the output - no rules based on ports thanks
Re: iptables question
On Sat, 12 Nov 2016 22:15:45 +0100 delopteswrote: > Hi, > I need some help and I'll appreciate it. > > I have a firewall with iptables behind the modem. > on this firewall I have > eth0 with ip 10..1 to the modem ip: 10..12 > eth1 with ip 192..1 to the intranet > > iptables is doing SNAT from 192..1 to 10..1 > > I wonder how I can ssh from 192..NN to 10..NN > What magic should I apply to make it happen? > > Thanks in advance > > Can we take it that this does not work now? If that is the case, are you sure that iptables is preventing it? There are other possible reasons for a new ssh link not to work. A typical simple iptables script will allow what you want to do to happen already, so there must either be some iptables restriction in place now, or there is some other reason for ssh not working. Are you able to connect to the modem web configuration page from the 192. network? The SNAT should not be an issue, it can handle all protocols transparently, and ssh uses the same tcp protocol as http. If there are iptables restrictions on outgoing protocols, you need to find the rule permitting tcp/80 to be forwarded, copy it and replace 80 with 22. Once this is working, we can restrict the destination to the 10. network, as presumably any existing port 80 rule allows connection to anywhere and you may not want that for ssh. -- Joe
iptables question
Hi, I need some help and I'll appreciate it. I have a firewall with iptables behind the modem. on this firewall I have eth0 with ip 10..1 to the modem ip: 10..12 eth1 with ip 192..1 to the intranet iptables is doing SNAT from 192..1 to 10..1 I wonder how I can ssh from 192..NN to 10..NN What magic should I apply to make it happen? Thanks in advance
Re: IPTables question
Le 09/11/2013 23:06, Shawn Wilson a écrit : Redhat has something called firewalld which generates rules based on zones. I don't use it because using dbus to help manage rules scares me. But it's there and could be what you want. I use fwbuilder which helps to define elaborated rules ; there is also shorewall which uses zones, both generates the ryules either as shell script or itptables-save/restore configuration. Both are available in debian. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/527f5a88.80...@rail.eu.org
Re: IPTables question
Erwan David er...@rail.eu.org wrote: Le 09/11/2013 23:06, Shawn Wilson a écrit : Redhat has something called firewalld which generates rules based on zones. I don't use it because using dbus to help manage rules scares me. But it's there and could be what you want. I use fwbuilder which helps to define elaborated rules ; there is also shorewall which uses zones, both generates the ryules either as shell script or itptables-save/restore configuration. Both are available in debian. Just FYI, a shell script will be slower than iptables-save since the later only makes one call while the former makes one call per ipt command. I looked at shorewall and didn't know it had zones - that's cool (since I don't like xml that firewalld uses). I've now got a 2k line perl script that does almost everything we need but I'll take another look at shorewall (for ideas if nothing else). -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/3da3a425-3862-4156-9116-1ebc3d3b3...@email.android.com
IPTables question
Hi folks, In IPTables one can specify multiple addresses, and multiple ports, but is there anyway to specify multiple interfaces. For example, -m multiport --destination-port 22,25,80 Or-s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10 But is there anyway to specify both eth0 and wlan0 as equally valid interfaces on my laptop depending on whether it's in my dock or on the road? For example, -i wlan0,eth0 or -o wlan0,eth0 Is something like these possible? It would save quite a bit of work in having to write duplicate rules and probably impact efficiency as well. I've googled around quite a bit but can find no references to multiple interfaces. b. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/527e7517.9070...@uniserve.com
Re: IPTables question
On 11/09/2013 12:47 PM, Bill.M wrote: But is there anyway to specify both eth0 and wlan0 as equally valid interfaces on my laptop depending on whether it's in my dock or on the road? For example, -i wlan0,eth0 or -o wlan0,eth0 Is something like these possible? * You can avoid specifying any interface at all, so long as you don't mind the rule being applied to the loopback interface as well. Chances are very good that this will work for you and is the best solution, but you need to evaluate the rules in question. * You can use a '+' at the end of the interface name which acts as a wildcard. This won't help since your interfaces names differ in the first character, not the last, but you can easily customize their names to differ in their suffix rather than prefix by editing: /etc/udev/rules.d/70-persistent-net.rules * You can create a new chain, have packets from either interface jump to it via two rules, then put the rest of your rules in that chain, without specifying an interface name. e.g. (untested): iptables -t filter -N foo iptables -t filter -A INPUT -i eth0 -j foo iptables -t filter -A INPUT -i wlan0 -j foo iptables -t filter -A foo --src 1.2.3.4 -j DROP iptables -t filter -A foo -p tcp --dport 80 -j DROP ... -- David -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/527e99f5.8070...@meta-dynamic.com
Re: IPTables question
Redhat has something called firewalld which generates rules based on zones. I don't use it because using dbus to help manage rules scares me. But it's there and could be what you want. David F deb...@meta-dynamic.com wrote: On 11/09/2013 12:47 PM, Bill.M wrote: But is there anyway to specify both eth0 and wlan0 as equally valid interfaces on my laptop depending on whether it's in my dock or on the road? For example, -i wlan0,eth0 or -o wlan0,eth0 Is something like these possible? * You can avoid specifying any interface at all, so long as you don't mind the rule being applied to the loopback interface as well. Chances are very good that this will work for you and is the best solution, but you need to evaluate the rules in question. * You can use a '+' at the end of the interface name which acts as a wildcard. This won't help since your interfaces names differ in the first character, not the last, but you can easily customize their names to differ in their suffix rather than prefix by editing: /etc/udev/rules.d/70-persistent-net.rules * You can create a new chain, have packets from either interface jump to it via two rules, then put the rest of your rules in that chain, without specifying an interface name. e.g. (untested): iptables -t filter -N foo iptables -t filter -A INPUT -i eth0 -j foo iptables -t filter -A INPUT -i wlan0 -j foo iptables -t filter -A foo --src 1.2.3.4 -j DROP iptables -t filter -A foo -p tcp --dport 80 -j DROP ... -- David -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/b20675f7-67d9-4942-9dca-de4102336...@email.android.com
Re: IPTables question
Hello, Bill.M a écrit : In IPTables one can specify multiple addresses, and multiple ports, but is there anyway to specify multiple interfaces. For example, -m multiport --destination-port 22,25,80 Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10 In addition to David's answer : Unless recent change I am not aware of, you cannot specify an address range in -s or -d. You must use the iprange match instead (or ipset if your kernel supports it). Also, note that specifying multiple comma-separated addresses or prefixes in -s or -d will result in multiple rules being actually created, which can have undesirable side-effects and impact efficiency. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/527eb0fa.8080...@plouf.fr.eu.org
Re: IPTables question
Pascal Hambourg pas...@plouf.fr.eu.org wrote: Hello, Bill.M a écrit : In IPTables one can specify multiple addresses, and multiple ports, but is there anyway to specify multiple interfaces. For example, -m multiport --destination-port 22,25,80 Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10 In addition to David's answer : Unless recent change I am not aware of, you cannot specify an address range in -s or -d. You must use the iprange match instead (or ipset if your kernel supports it). Also, note that specifying multiple comma-separated addresses or prefixes in -s or -d will result in multiple rules being actually created, which can have undesirable side-effects and impact efficiency. The speed impact of a small rule set is negligible. One ipset vs 20 rules, yes please - it's easier to look at. Also, idk any way to match interface with ipset - ip and port (even src and dst in one line) but not interface. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d539f94-5809-483f-bfa8-fc50e6e73...@email.android.com
Re: IPTables question
Shawn Wilson a écrit : Pascal Hambourg pas...@plouf.fr.eu.org wrote: Unless recent change I am not aware of, you cannot specify an address range in -s or -d. You must use the iprange match instead (or ipset if your kernel supports it). Also, idk any way to match interface with ipset I did not suggest ipset for such purpose. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/527ebf36.5010...@plouf.fr.eu.org
Firewall/iptables question
Hi all, I'm attempting to set up a simple firewall on a virtual server. I have the following: iptables --flush iptables -t nat --flush iptables -t mangle --flush iptables --policy INPUT DROP iptables --policy OUTPUT ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m state --state NEW -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -j LOG iptables -A INPUT -j REJECT (And iptables -L shows that this setup has been accepted.) This was supposed to only allow my box (or at least my public IP) access to port 80 on this server. I can not access port 80 at all, however. (Please note that without --source it works as expected.) What am I doing wrong? On a related note, the logging only logs the packet, but no timestamp. Is that configurable somewhere? Cheers, Hilco -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/BANLkTi=9ir+se-w2fd_mjq4r-pdgvgo...@mail.gmail.com
Re: Firewall/iptables question
On 3 May 2011 16:21, Hilco Wijbenga hilco.wijbe...@gmail.com wrote: Hi all, I'm attempting to set up a simple firewall on a virtual server. I have the following: iptables --flush iptables -t nat --flush iptables -t mangle --flush iptables --policy INPUT DROP iptables --policy OUTPUT ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -i venet0 --dport 22 -m state --state NEW -j ACCEPT iptables -A INPUT -p tcp -i venet0 --source m.y.i.p --dport 80 -m state --state NEW -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -j LOG iptables -A INPUT -j REJECT (And iptables -L shows that this setup has been accepted.) This was supposed to only allow my box (or at least my public IP) access to port 80 on this server. I can not access port 80 at all, however. (Please note that without --source it works as expected.) What am I doing wrong? Mmmh, it does work after all. You have to be careful to restart everything, I guess. I've moved the --source to the SSH line. That works too but it seems like I can only have 1 connection open at the same time. Sort of. I have a reverse connection from a local server with a non-routable IP to this public server. That works. But then I can't access the public server anymore. If I kill the reverse connection and wait a few minutes, I can login again. Switch the reverse connection back on ... and I can't login anymore. Strange. On a related note, the logging only logs the packet, but no timestamp. Is that configurable somewhere? Cheers, Hilco -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/BANLkTim62rNnK1m6gJuCziQaZZ=OOF6_=g...@mail.gmail.com
Re: Firewall/iptables question
Hilco Wijbenga wrote at 2011-05-03 18:21 -0500: On a related note, the logging only logs the packet, but no timestamp. Is that configurable somewhere? /etc/rsyslog.conf I suppose? signature.asc Description: Digital signature
Iptables question
I asked about a modem dialin server problem. I saw no response, so, I rephrase it. The Linux box is connected to Internet on 141.209.169.x The dialin ppp (Linux end) ipaddr is 192.168.0.10 The dialing client gets ipaddr 192.168.0.11 How do I make iptables to forward form 192.168.x.x to 141.209.169.x (looking for rules form ppp0 to eth0)? -ishwar -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Iptables question
For firewall relative question there's another, more specific, mail list: debian-firew...@lists.debian.org Anyway, if you are using ppp to connect to your ISP, the ppp0 interface should have a public IP address not a private one like 192.168.0.10. In order to enable kernel ipv4 fowarding you must change: echo 1 /proc/sys/net/ipv4/ip_forward echo 1 /proc/sys/net/ipv4/conf/all/forwarding Then you should use NAT with iptables to share your internet connection with a LAN. I Rattan wrote: I asked about a modem dialin server problem. I saw no response, so, I rephrase it. The Linux box is connected to Internet on 141.209.169.x The dialin ppp (Linux end) ipaddr is 192.168.0.10 The dialing client gets ipaddr 192.168.0.11 How do I make iptables to forward form 192.168.x.x to 141.209.169.x (looking for rules form ppp0 to eth0)? -ishwar signature.asc Description: OpenPGP digital signature
RE: Iptables question
From: I Rattan [mailto:ratt...@cps.cmich.edu] Sent: Thursday, September 10, 2009 2:03 PM I asked about a modem dialin server problem. I saw no response, so, I rephrase it. The Linux box is connected to Internet on 141.209.169.x The dialin ppp (Linux end) ipaddr is 192.168.0.10 The dialing client gets ipaddr 192.168.0.11 How do I make iptables to forward form 192.168.x.x to 141.209.169.x (looking for rules form ppp0 to eth0)? -ishwar Make sure you have proxyarp in your /etc/ppp/options file. And enable net.ipv4.ip_forward=1 in your /etc/sysctl.conf file. It's been awhile since I set up PPP, but I think that's all you need to do to enable PPP clients to get to the Internet. You can also add ms-dns lines to set DNS servers for the client. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
iptables question?
Is it possible to restrict access by user-id under iptables firewall? If so, pointers to the info/example will be appreciated. -ishwar -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question?
On 2009-08-26 10:36 (-0400), I. Rattan wrote: Is it possible to restrict access by user-id under iptables firewall? If so, pointers to the info/example will be appreciated. Does man iptables qualify as a pointer? In owner module there is --uid-owner option. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
On Mon,12.Jan.09, 14:50:48, Paul Cartwright wrote: I used to be able to ssh to my desktop, then.. I couldn't ( sounds like my K3B issue:). I noticed someone else with a message about iptables, and I basically copied his script: # iptables -I INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT except changed it to my ssh port 22. Now I can ssh back to my box again. What would reset my iptables, did we have some updates with would put in a vanilla config file somewhere?? is there an iptables .conf ( or whatever) file, I didn't see one in the man pages, though I didn't look REAL hard at all 297 pages... I know this is old, but... AFAICT iptables has no config at all on Debian (dpkg -L shows no files in /etc). The only suspect would be some of the frontends. I would look into the reverse dependencies of iptables (a.k.a the packages depending on iptables). Try this: aptitude search '?installed ?depends(iptables)' Regards, Andrei -- If you can't explain it simply, you don't understand it well enough. (Albert Einstein) signature.asc Description: Digital signature
iptables question
I used to be able to ssh to my desktop, then.. I couldn't ( sounds like my K3B issue:). I noticed someone else with a message about iptables, and I basically copied his script: # iptables -I INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT except changed it to my ssh port 22. Now I can ssh back to my box again. What would reset my iptables, did we have some updates with would put in a vanilla config file somewhere?? is there an iptables .conf ( or whatever) file, I didn't see one in the man pages, though I didn't look REAL hard at all 297 pages... -- Paul Cartwright Registered Linux user # 367800 Registered Ubuntu User #12459 -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
On Sat, 03 Jan 2009 20:49:35 -0500, Napoleon wrote: Justin Piszcz wrote: On Thu, 1 Jan 2009, Napoleon wrote: I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds or even thousands a day), so I implemented the following rules: snip Solution: apt-get install fail2ban (read up on the docs, it can drop IPs based on attempts etc) Justin. For Justin and all the others who responded - thanks. I installed fail2ban a couple of days ago, and am waiting for someone to try it again. I also tried to find the support forums for qpopper, but the only ones I found hadn't had a post in over 2 years. So maybe I need to change pop3 servers. But I'm not worried about that right now. I think from the docs that fail2ban will do what I need. You might also want to check out http://packages.debian.org/sid/libpam- shield. That will take care of it for any service. It's in Lenny too. Have fun! -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Koh Choon Lin wrote: Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). How can you not know how to delete? (No, seriously, I'm not trying to be sarcastic...) Maybe they are trying to take after Gmail -- archive all your mails. I still remember the first version of Gmail doesn't have the delete button. Note that I said apparently. I don't know what her problem really is. Koh's explanation is reasonable, although it implies a higher level of awareness than this particular user is capable of... - -- Glenn English g...@slsware.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAklgraEACgkQ04yQfZbbTLbflgCePAxTJPDwYVibu7L2xQciRU3U IzsAn1gvpLh/zXPCSvOZ4Ucot2b/k6aM =9hqf -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
Justin Piszcz wrote: On Thu, 1 Jan 2009, Napoleon wrote: I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds or even thousands a day), so I implemented the following rules: snip Solution: apt-get install fail2ban (read up on the docs, it can drop IPs based on attempts etc) Justin. For Justin and all the others who responded - thanks. I installed fail2ban a couple of days ago, and am waiting for someone to try it again. I also tried to find the support forums for qpopper, but the only ones I found hadn't had a post in over 2 years. So maybe I need to change pop3 servers. But I'm not worried about that right now. I think from the docs that fail2ban will do what I need. Thanks again! -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
POP (was Re: iptables question)
On 01/03/09 19:49, Napoleon wrote: [snip] I also tried to find the support forums for qpopper, but the only ones I found hadn't had a post in over 2 years. So maybe I need to change pop3 servers. Unless you are running an ISP, you should really ditch POP and move your mail to an IMAP store. It'll centralize email, eliminating the need to synchronize across multiple machines, and make it much simpler to back up the data. Also, with a bit of extra effort (and since you run Debian and care about firewalls, that shouldn't be a problem, you can implement IMAPS or web mail and thus gain access to email from remote systems. -- Ron Johnson, Jr. Jefferson LA USA I like my women like I like my coffee - purchased at above-market rates from eco-friendly organic farming cooperatives in Latin America. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
On Saturday 2009 January 03 19:49:35 Napoleon wrote: I also tried to find the support forums for qpopper, but the only ones I found hadn't had a post in over 2 years. So maybe I need to change pop3 servers. I've recently had good luck with dovecot, which handles a pop3 and pop3s. I'll also echo Ron's suggestion to move to IMAP, if possible, which is how I set up dovecot. -- Boyd Stephen Smith Jr. ,= ,-_-. =. b...@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/ signature.asc Description: This is a digitally signed message part.
Re: iptables question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Boyd Stephen Smith Jr. wrote: I've recently had good luck with dovecot, which handles a pop3 and pop3s. I'll also echo Ron's suggestion to move to IMAP, if possible, which is how I set up dovecot. Dovecot also does SASL authentication for Postfix. It's also simple and reliable. Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). I use it myself, and it's great to have my email available anywhere I log in. But IMAP can be a mixed blessing. - -- Glenn English g...@slsware.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAklgM/gACgkQ04yQfZbbTLa27ACgic7kfvBlSloKlU8k+JXdc3fT e9kAnA+DdoxYBoJaybkmlfVYLbZAwcb5 =6P/1 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
ghe writes: Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). Heh. My user (my wife) has about 150MB (text only) in /var/mail. Some of it is 20 years old. -- John Hasler -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
On 01/03/09 21:58, ghe wrote: [snip] Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). How can you not know how to delete? (No, seriously, I'm not trying to be sarcastic...) -- Ron Johnson, Jr. Jefferson LA USA I like my women like I like my coffee - purchased at above-market rates from eco-friendly organic farming cooperatives in Latin America. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
iptables question
Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). How can you not know how to delete? (No, seriously, I'm not trying to be sarcastic...) Maybe they are trying to take after Gmail -- archive all your mails. I still remember the first version of Gmail doesn't have the delete button. -- Koh Choon Lin -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
iptables question
I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds or even thousands a day), so I implemented the following rules: # Kill ssh hackers - watch for more than 3 connection attempts in under # 15 minutes seconds and reject for 24 hours iptables -N SSH-EVIL iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix evil SSH user: iptables -A SSH-EVIL -j REJECT iptables -N SSH iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL iptables -A SSH -p tcp --syn -m recent --name sshconn --set iptables -A SSH -p tcp --syn -j ACCEPT And something similar for ftp. These work well. But I'm also getting people trying to break in via the POP interface (I'm using qpopper). So I tried the following, which does not work: iptables -N POP-EVIL iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix evil POP user: iptables -A POP-EVIL -j REJECT iptables -N POP iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set iptables -A FTP -p tcp --syn -j ACCEPT So my question is - what am I doing wrong in the POP interface, and how can I stop it here, also. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
Napoleon a écrit : I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds or even thousands a day), so I implemented the following rules: # Kill ssh hackers - watch for more than 3 connection attempts in under # 15 minutes seconds and reject for 24 hours iptables -N SSH-EVIL iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix evil SSH user: iptables -A SSH-EVIL -j REJECT iptables -N SSH iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL iptables -A SSH -p tcp --syn -m recent --name sshconn --set iptables -A SSH -p tcp --syn -j ACCEPT And something similar for ftp. These work well. But I'm also getting people trying to break in via the POP interface (I'm using qpopper). So I tried the following, which does not work: iptables -N POP-EVIL iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix evil POP user: iptables -A POP-EVIL -j REJECT iptables -N POP iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set iptables -A FTP -p tcp --syn -j ACCEPT So my question is - what am I doing wrong in the POP interface, and how can I stop it here, also. If the attacker uses a single connection to the POP3 server, then the above won't help. it will only work if your POP3 disconnects after say 3 attempts. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
On Thu, 1 Jan 2009, Napoleon wrote: I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds or even thousands a day), so I implemented the following rules: # Kill ssh hackers - watch for more than 3 connection attempts in under # 15 minutes seconds and reject for 24 hours iptables -N SSH-EVIL iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix evil SSH user: iptables -A SSH-EVIL -j REJECT iptables -N SSH iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL iptables -A SSH -p tcp --syn -m recent --name sshconn --set iptables -A SSH -p tcp --syn -j ACCEPT And something similar for ftp. These work well. But I'm also getting people trying to break in via the POP interface (I'm using qpopper). So I tried the following, which does not work: iptables -N POP-EVIL iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix evil POP user: iptables -A POP-EVIL -j REJECT iptables -N POP iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set iptables -A FTP -p tcp --syn -j ACCEPT So my question is - what am I doing wrong in the POP interface, and how can I stop it here, also. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Solution: apt-get install fail2ban (read up on the docs, it can drop IPs based on attempts etc) Justin. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
Here is how I implemented it, coincidentially today :) # Allow already established traffic $IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT # No more than 2 connection attempts per 2 # minutes to prevent brute force attacks # log blocked attempts to /var/log/kern.log $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --set $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --rcheck \ --seconds 120 --hitcount 3 -j LOG --log-level 5 --log-prefix max con attempts exceeded: $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --update \ --seconds 120 --hitcount 3 -j DROP # only allow connections to localhost on $SSH_PORT if IP has # knocked on $SSH_KNOCK_PORT within the last 60 seconds $IPTABLES -A INPUT -p TCP --dport $SSH_KNOCK_PORT -m state --state NEW -m recent \ --name knocklist --set $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent \ --name knocklist --rcheck --seconds 60 -j ACCEPT the latter one can also be achieved using the debian package knockd On Thu, Jan 1, 2009 at 4:51 PM, Justin Piszcz jpis...@lucidpixels.com wrote: On Thu, 1 Jan 2009, Napoleon wrote: I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds or even thousands a day), so I implemented the following rules: # Kill ssh hackers - watch for more than 3 connection attempts in under # 15 minutes seconds and reject for 24 hours iptables -N SSH-EVIL iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix evil SSH user: iptables -A SSH-EVIL -j REJECT iptables -N SSH iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL iptables -A SSH -p tcp --syn -m recent --name sshconn --set iptables -A SSH -p tcp --syn -j ACCEPT And something similar for ftp. These work well. But I'm also getting people trying to break in via the POP interface (I'm using qpopper). So I tried the following, which does not work: iptables -N POP-EVIL iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix evil POP user: iptables -A POP-EVIL -j REJECT iptables -N POP iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set iptables -A FTP -p tcp --syn -j ACCEPT So my question is - what am I doing wrong in the POP interface, and how can I stop it here, also. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Solution: apt-get install fail2ban (read up on the docs, it can drop IPs based on attempts etc) Justin. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org -- David Schmidt | http://www.fm5.at -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: iptables question
On Thu, Jan 1, 2009 at 5:44 PM, David Schmidt davew...@gmx.at wrote: Here is how I implemented it, coincidentially today :) # Allow already established traffic $IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT # No more than 2 connection attempts per 2 # minutes to prevent brute force attacks # log blocked attempts to /var/log/kern.log $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --set $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --rcheck \ --seconds 120 --hitcount 3 -j LOG --log-level 5 --log-prefix max con attempts exceeded: $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --update \ --seconds 120 --hitcount 3 -j DROP # only allow connections to localhost on $SSH_PORT if IP has # knocked on $SSH_KNOCK_PORT within the last 60 seconds $IPTABLES -A INPUT -p TCP --dport $SSH_KNOCK_PORT -m state --state NEW -m recent \ --name knocklist --set $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent \ --name knocklist --rcheck --seconds 60 -j ACCEPT the latter one can also be achieved using the debian package knockd On Thu, Jan 1, 2009 at 4:51 PM, Justin Piszcz jpis...@lucidpixels.com wrote: On Thu, 1 Jan 2009, Napoleon wrote: I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds or even thousands a day), so I implemented the following rules: # Kill ssh hackers - watch for more than 3 connection attempts in under # 15 minutes seconds and reject for 24 hours iptables -N SSH-EVIL iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix evil SSH user: iptables -A SSH-EVIL -j REJECT iptables -N SSH iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL iptables -A SSH -p tcp --syn -m recent --name sshconn --set iptables -A SSH -p tcp --syn -j ACCEPT And something similar for ftp. These work well. But I'm also getting people trying to break in via the POP interface (I'm using qpopper). So I tried the following, which does not work: iptables -N POP-EVIL iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix evil POP user: iptables -A POP-EVIL -j REJECT iptables -N POP iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set iptables -A FTP -p tcp --syn -j ACCEPT So my question is - what am I doing wrong in the POP interface, and how can I stop it here, also. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Solution: apt-get install fail2ban (read up on the docs, it can drop IPs based on attempts etc) Justin. Sorry for top posting, gmail does this by default -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: etch - iptables question
Hi Ann, On 6/13/07, ann kok [EMAIL PROTECTED] wrote I just install new debian. but it seems nothing iptable in the default installation how can I install? I have used Guarddog to config my iptables. It's very easy to use and it will take only about 15 - 30 mins reading the manual and setting up your firewall. Manon.
etch - iptables question
Hi all I just install new debian. but it seems nothing iptable in the default installation how can I install? and how can I install new kernel? can you show me steps? Thank you Got a little couch potato? Check out fun summer activities for kids. http://search.yahoo.com/search?fr=oni_on_mailp=summer+activities+for+kidscs=bz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: etch - iptables question
On Wed, 2007-06-13 at 15:47 -0700, ann kok wrote: Hi all I just install new debian. but it seems nothing iptable in the default installation how can I install? 1) you can use a pre-written script like this one: http://www.hermann-uwe.de/files/fw_laptop Getting it going is discussed here: http://www.hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup--part-1-base-system under the section called Networking, Upgrading and Apt-secure 2) you can install a package that will assist you in setting a firewall. Shorewall, fwbuilder are a couple that folks use. and how can I install new kernel? if you have synaptic installed search for ¨linux-image¨ and take your pick. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
OT iptables question
I'm updating a RH ipchains packet filter script from the dim past to iptables on Debian stable. I noticed that when I specified the network the host is on (by IP/mask), the iptables listing called it localnet. So I tried using localnet in the rule, and iptables seems to take it, and the chain seems to work. But I can't find any documentation about that keyword in man, in Rusty's HTML dox, or with google (lots of talk about it, but no dox). Is localnet a legit iptables network specification or an undocumented feature? What does it actually do (should I hang a CIDR mask on the end, or would that be redundant)? If the host responds to several IPs, does localnet cover then all? Or just eth0? How about eth0:1? It would be very handy because this script is to set filtering on all my DMZ and LAN hosts (by switching on their hostnames and IPs). I know I could just try it and see if it works, but this is to be the packet filter on the DMZ, and I'd like to do it as rigorously as I can. TIA... -- Glenn English [EMAIL PROTECTED] GPG ID: D0D7FF20 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: OT iptables question
Glenn English wrote: I'm updating a RH ipchains packet filter script from the dim past to iptables on Debian stable. I noticed that when I specified the network the host is on (by IP/mask), the iptables listing called it localnet. So I tried using localnet in the rule, and iptables seems to take it, and the chain seems to work. But I can't find any documentation about that keyword in man, in Rusty's HTML dox, or with google (lots of talk about it, but no dox). Is localnet a legit iptables network specification or an undocumented feature? What does it actually do (should I hang a CIDR mask on the end, or would that be redundant)? If the host responds to several IPs, does localnet cover then all? Or just eth0? How about eth0:1? It would be very handy because this script is to set filtering on all my DMZ and LAN hosts (by switching on their hostnames and IPs). I know I could just try it and see if it works, but this is to be the packet filter on the DMZ, and I'd like to do it as rigorously as I can. TIA... On my sarge system localnet seems to be defined in /etc/networks. Try man networks You might also try changing the network name there and see what happens. This raises another question for me, I don't understand why I cannot find the this file using dlocate or apt-file, or even using the package search tool on debian.org. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: iptables question: no chain/target/match by that name...
On Mon, Apr 05, 2004 at 02:08:35PM -0500, hugo vanwoerkom wrote: I'm trying it now with multiport + eject enabled in netfilter. Check REJECT in /proc/net/ip_tables_targets and check for multiport in /proc/net/ip_tables_matches. Using either loaded netfilter modules or built in netfilter support, netfilter functionality should be listed in ip_tables_names, ip_tables_targets and ip_tables_matches. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: iptables question: no chain/target/match by that name...
On Mon, Apr 05, 2004 at 12:09:31PM -0500, hugo vanwoerkom wrote: + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT [ ... ] + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT Now I know nothing of iptables, but why can he do destination port 80 and not 0:1023? If you delete the --dport 80 rule and put 0:1023 in its place, he says the same thing. No, it's different. Iptables processes rules in the order that they're entered. Any target except LOG will cause iptables to quit the particular chain it's in. LOG just logs and then continues in the same chain it's processing. In the example above, a tcp packet will go through the --dport 80 rule. If it's destined for port 80, then it's accepted and and IPTABLES is done with it. That packet will never go through any further rules. If the packet is NOT destined for port 80, then it will continue being processed, and if it gets to the --dport 0:1023 rule, that is, of no rules in between cause it to be ACCEPTED or REJECTED, it will be REJECTED here. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
iptables question: no chain/target/match by that name...
Hi World! The lokkit question yesterday by Faheem Mitha prompted me to install lokkit on Sarge. As Dircha pointed out: it don't work. All lokkit does is create a little iptables script that sits in /etc/default/lokkit. Then upon boot lokkit in /etc/init.d executes that script. As Dircha also said: you have to dig into iptables. (1) which kernel options do you need? I figured out that you need network packet filtering, netfilter, iptables support and netfilter packet filtering. I am not sure you need the last one. (2)Now execution of that script gets: Starting basic firewall rules: + PATH=/sbin:/sbin:/bin:/usr/sbin:/usr/bin + iptables -N RH-Lokkit-0-50-INPUT + iptables -F RH-Lokkit-0-50-INPUT + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT + iptables -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT iptables: No chain/target/match by that name + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT iptables: No chain/target/match by that name + iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT iptables: No chain/target/match by that name + iptables -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT iptables: No chain/target/match by that name + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT iptables: No chain/target/match by that name + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT iptables: No chain/target/match by that name failed. Now I know nothing of iptables, but why can he do destination port 80 and not 0:1023? If you delete the --dport 80 rule and put 0:1023 in its place, he says the same thing. Where do you find this info? Thanks! Hugo -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: iptables question: no chain/target/match by that name...
hugo vanwoerkom wrote: Hi World! The lokkit question yesterday by Faheem Mitha prompted me to install lokkit on Sarge. As Dircha pointed out: it don't work. All lokkit does is create a little iptables script that sits in /etc/default/lokkit. Then upon boot lokkit in /etc/init.d executes that script. As Dircha also said: you have to dig into iptables. (1) which kernel options do you need? I figured out that you need network packet filtering, netfilter, iptables support and netfilter packet filtering. I am not sure you need the last one. (2)Now execution of that script gets: snip I'm trying it now with multiport + eject enabled in netfilter. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
iptables question
I have a box that I use for routing, it's running sid, with ipmaq on it. It works fine for the most part. For a while I had an internal axis webcam that was port forwarded. I use to put in the following at the command prompt iptables -t nat -A PREROUTING -j DNAT --proto tcp --dport --to-destination 192.168.0.200:80 this always worked before, but recently I installed a new server for routing, and set it up the same, but when I put the iptables line in, it no longer works. I don't get an error, but when I open up a web browser it trells me the connedction was refused. Am I missing something? Stan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
pop3vscan iptables question
I'd like to use pop3vscan to run clamscan. I added the following iptables rule: # /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 8110 I then went through the procedures in /etc/default/iptables so that the rule would remain after rebooting, but that doesn't seem to work. If I reboot, the rule isn't there when I try: #iptables -t nat -v -L If I do: # /etc/init.d/iptables restart It will load the rule with: Loading iptables rulesel: load active . A couple of possible issues: -I had compiled nat, iptables, and redirect support into the kernel, rather than as modules. -If I run #dpkg-reconfigure iptables I am not prompted for anything. -I had to create the directory /var/lib/iptables/ in order to save active and inactive. It has the same permissions as all of the other directories in /var/lib Any suggestions on how to get dpkg-reconfigure iptables to work (I suspect the problem is there) would be greatly appreciated. Thank you in advance. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
IPTABLES QUESTION
I´m using Debian 3.0r1 with kernel 2.4.19 as a iptables firewall I have internal webservers that I need to publish as Internet Sites For this manipulation I´m using Apache ProxyPass. The site works perfectly under apache.. even when the internal host is an ISS. 1. How can I do it without apache proxypass, using iptables? 2. This internal webserver also have a IRC server... how can I manipulating iptables, to the external hosts use this internal IRC server, since i´m only sharing the httpd via apache proxypass? 3. Since I´m using apache proxypass I defined in virtualhosts that '/internalhost' leads to http://192.168.0.69:8080 , and I need to mantain that www.foo.com/internalhost , but using iptables someway. And I need the ircd of this internal server, responds via the same host. I´d like to mantain my apache since it´s in use... Is it possible? OR I´ll have to put this apache in another internal host, and them using iptables for manipulating? 4. I´ve create in my DNS an internalhost.foo.com that leads to www.foo.com/internalhost this must be manteined too. I have something like: Internet - Firewall(Debian) - Internal httpd and ircd server external foo.com internal 192.168.0.1 192.168.0.69 Thanks all. Debian... because codes mather more than commercials -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: successful server installation, iptables question
Firstly: iptables is the firewalling system built into the 2.4 kernel. ipchains is the system from 2.2 (and an unsupported legacy option in 2.4). iptables is better in nearly every way, so use it if you can. On Mon, Oct 28, 2002 at 07:18:39PM +, Alan Chandler wrote: On Monday 28 October 2002 12:01 pm, [EMAIL PROTECTED] wrote: Hi, i successfuly installed my new debian server instead of the suse 7.2 that was on it. It was a lot easier to install and i knew what i was doing or at least i thought i was :-) I have installed the ipmasq package to share my internet connection. All works ok. However, how does one customize the settings? For instance if you want to allow an ssh connection in? There are two packages one is ipmasq and the other is iptables. The iptables package provides the userland tool (iptables(8)) to configure the kernel's firewalling system. ipmasq is a set of shell scripts that set up a basic firewalling using either iptables or ipchains (depending on which is installed). They conflict with each other. No, they don't. ipmasq _Depends_ on iptables to handle setting up the firewall (if you have a 2.4 kernel with ipchains, at least). I think you need a linux 2.4 kernel to use iptables, ipmasq can be used on 2.2 (and 2.4?). Too many damn things with the same name, true, but they do have well-defined meanings. s/ipmasq/ipchains/ is mostly right here. They are very similar to each other See above. a) It brings more options with it to check things like open sessions or requests to start a session ipchains did not support this, but iptables does, and so does ipmasq when your machine is running a 2.4 kernel (with iptables enabled). b) The input and forward tables are completely separate (in ipmasq forwarded stuff also traversed the input table making it very difficult to have one set of rules for filtering into the gateway box and another for forwarding). I have a custom iptables script to set up my firewall rules - I believe the standard debian package does something itself, but I have not really looked at that part. The iptables package itself does not setup any sort of firewalling at all, since this is local administrative decision that has no reasonable default. It does include `iptables-save' and `iptables-restore' scripts that can save and restore locally defined setups. My suggestion would be to remove ipmasq and install iptables (I use dselect to do this sort of thing) and then both man iptables and look at As I've said above, ipmasq _uses_ iptables. If you have a 2.4 kernel, and you want to use any sort of firewalling (custom bash script, shorewall, ipmasq, hand entered commands) you _have to_ have the iptables package installed. There's no other way to talk to the kernel about firewalling. -rob msg09877/pgp0.pgp Description: PGP signature
successful server installation, iptables question
Hi, i successfuly installed my new debian server instead of the suse 7.2 that was on it. It was a lot easier to install and i knew what i was doing or at least i thought i was :-) I have installed the ipmasq package to share my internet connection. All works ok. However, how does one customize the settings? For instance if you want to allow an ssh connection in? I thought of installing shorewall (conflicts with ipmasq). I could install this and test, see if my box is secure enough, and if it's not, i can always install ipmasq again ( a simple apt-get install ipmasq does it all ). Anyone have experience with this? Thanks. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: successful server installation, iptables question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Monday 28 October 2002 12:01 pm, [EMAIL PROTECTED] wrote: Hi, i successfuly installed my new debian server instead of the suse 7.2 that was on it. It was a lot easier to install and i knew what i was doing or at least i thought i was :-) I have installed the ipmasq package to share my internet connection. All works ok. However, how does one customize the settings? For instance if you want to allow an ssh connection in? There are two packages one is ipmasq and the other is iptables. They conflict with each other. I think you need a linux 2.4 kernel to use iptables, ipmasq can be used on 2.2 (and 2.4?). They are very similar to each other - although I have always prefered iptables because a) It brings more options with it to check things like open sessions or requests to start a session b) The input and forward tables are completely separate (in ipmasq forwarded stuff also traversed the input table making it very difficult to have one set of rules for filtering into the gateway box and another for forwarding). I have a custom iptables script to set up my firewall rules - I believe the standard debian package does something itself, but I have not really looked at that part. My suggestion would be to remove ipmasq and install iptables (I use dselect to do this sort of thing) and then both man iptables and look at /usr/share/doc/iptables/html for a howto on NAT) - -- Alan Chandler [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE9vY2PuFHxcV2FFoIRAvXSAKCAqU67f9phrd5a4S3zZJDjDghoxACgjSIE 4ixhv9Maxc93KhfzbQNi0v0= =kc9r -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]