Re: [gentoo-user] iptables TARPIT match
On Tue, 15 Feb 2005, Michael Thompson wrote:

> What do I need to do to enable the TARPIT match in IPTables?
>
> I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5
>
> When I try and add a tarpit rule, such as
>
>   iptables -A INPUT -p TCP --dport 80 -j TARPIT
>
> I get back
>
>   iptables: No chain/target/match by that name

Some modules need to be explicitly loaded with the -m flag. Assuming you have the tarpit modules compiled and installed, you would use this to load it:

  iptables -A INPUT --protocol tcp --dport 80 -m tarpit -j TARPIT

-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] iptables TARPIT match
On Tue, 15 Feb 2005 01:38:05, Michael Thompson wrote:

> What do I need to do to enable the TARPIT match in IPTables?
>
> I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5
>
> When I try and add a tarpit rule, such as
>
>   iptables -A INPUT -p TCP --dport 80 -j TARPIT
>
> I get back
>
>   iptables: No chain/target/match by that name
>
> Any help appreciated.

Did you compile && load the kernel module for target TARPIT?

-- 
Regards
Karol Krzak
[gentoo-user] iptables TARPIT match
What do I need to do to enable the TARPIT match in IPTables?

I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5

When I try and add a tarpit rule, such as

  iptables -A INPUT -p TCP --dport 80 -j TARPIT

I get back

  iptables: No chain/target/match by that name

Any help appreciated.

-- 
Mike

This message was sent from a thompsonmike.co.uk address, and may not reflect the views or opinions of the Network owner. All Views and Opinions are those of the author.
Re: [gentoo-user] IPTables - A good place to start ?
Mal Herring wrote:

> Hi List,
>
> I have previously used FWBuilder to build a firewall script, however now I need a simple fw script to protect a single host that will not be behind a net or anything like that...
>
> Can someone point me in the direction of some easy scripts to reference or some material good for a n00b to get me started?
>
> Thanks in advance

Continue using fwbuilder; to learn more, compare the output of the compiled firewall (it is a bash script) to what you do in the program.

The homepage for iptables/netfilter is http://www.netfilter.org/
Docs (with translations): http://www.it.netfilter.org/documentation/index.html

Generally, if you don't serve anything to the network, simply:
- block connections that are not started from your host
- block malformed packets
- and accept the outgoing; one exception is active ftp, on port 20.

ciao
francesco
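The three points francesco lists translate directly into a short iptables script. The one below is an added example, not code from francesco, Mal or any project on this page. It assumes the 2.4-era names that appear elsewhere in this thread (the `state` match, the `ip_conntrack_ftp` helper module) and a host that runs no public services. Invoked with `dry-run` it only prints the commands; with `apply` it runs them, so run that as root after reading the output.

```sh
#!/bin/sh
# Added example (not from the thread): a minimal stateful ruleset for a
# single host that serves nothing. RUN=echo gives a dry run that prints the
# commands instead of executing them.

single_host_firewall() {
    RUN=$1

    # Clean slate: default-deny inbound and forwarded traffic, allow
    # everything the host itself originates.
    $RUN iptables -F
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT

    # Malformed or untrackable packets never get further than this rule.
    $RUN iptables -A INPUT -m state --state INVALID -j DROP

    # Local processes talking to each other over loopback.
    $RUN iptables -A INPUT -i lo -j ACCEPT

    # Replies to connections this host started, plus connections a protocol
    # helper has tied to one of them (active FTP data, see below).
    $RUN iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Active FTP: the server connects back from port 20 to a high port on
    # us. With the ftp conntrack helper loaded that data connection is
    # RELATED and already accepted above, so no extra hole is needed.
    $RUN modprobe ip_conntrack_ftp

    # The weak alternative, left disabled on purpose: trusting any
    # connection whose source port is 20 lets an attacker pick that port
    # and reach every unprivileged port on the host.
    # $RUN iptables -A INPUT -p tcp --sport 20 --dport 1024:65535 -m state --state NEW -j ACCEPT

    # Anything else that tries to open a connection to us falls through to
    # the INPUT policy and is dropped.
}

# Usage: sh firewall.sh dry-run   (print the commands)
#        sh firewall.sh apply     (run them, as root)
case ${1:-} in
    apply)   single_host_firewall "" ;;
    dry-run) single_host_firewall echo ;;
esac
```

The INVALID drop comes before the loopback and ESTABLISHED rules so that packets conntrack cannot classify are never accepted by accident; the commented-out source-port-20 rule is what people used before the ftp helper existed, and it is kept here only to show why the helper is the better choice.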
[gentoo-user] IPTables - A good place to start ?
Hi List,

I have previously used FWBuilder to build a firewall script, however now I need a simple fw script to protect a single host that will not be behind a net or anything like that...

Can someone point me in the direction of some easy scripts to reference or some material good for a n00b to get me started?

Thanks in advance
Re: [gentoo-user] iptables: block full ip-range
Hi,

There you go! That's a very cool calculator.

Chris

On 25 Jan 2005, at 20:02, Ralph Slooten wrote:

> Thanks Chris ... it's not all 100% clear now, but slowly understanding more. When I eventually "get it" I'll create a php script to do it for me *g*. Thanks again for your time.
>
> I did find this though: http://logi.cc/nw/NetBitCalc.html (using the netaddr option). Maybe it'll interest others too.
>
> Ralph
>
> Chris Boot wrote:
>> Hi,
>>
>> I used the "IP Address Converter" section. I got the binary for the first IP (218.144.0.0), which is:
>>
>>   11011010 1001
>>
>> Then for the second (218.159.255.255), which is
>>
>>   11011010 1001
>>
>> Notice how the first 12 bits stay the same, and the last 12 change? 12 is the magic number in this case. :-)
>>
>> There should be an easier tool for this, but it does the trick.
>>
>> Chris

-- 
Chris Boot
http://www.bootc.net/
Re: [gentoo-user] iptables: block full ip-range
Thanks Chris ... it's not all 100% clear now, but slowly understanding more. When I eventually "get it" I'll create a php script to do it for me *g*. Thanks again for your time.

I did find this though: http://logi.cc/nw/NetBitCalc.html (using the netaddr option). Maybe it'll interest others too.

Ralph

Chris Boot wrote:
> Hi,
>
> I used the "IP Address Converter" section. I got the binary for the first IP (218.144.0.0), which is:
>
>   11011010 1001
>
> Then for the second (218.159.255.255), which is
>
>   11011010 1001
>
> Notice how the first 12 bits stay the same, and the last 12 change? 12 is the magic number in this case. :-)
>
> There should be an easier tool for this, but it does the trick.
>
> Chris
Re: [gentoo-user] iptables: block full ip-range
Hi,

I used the "IP Address Converter" section. I got the binary for the first IP (218.144.0.0), which is:

  11011010 1001

Then for the second (218.159.255.255), which is

  11011010 1001

Notice how the first 12 bits stay the same, and the last 12 change? 12 is the magic number in this case. :-)

There should be an easier tool for this, but it does the trick.

Chris

Ralph Slooten wrote:
> Wow, thanks Chris for the link. I just asked my boss to explain it to me (without showing him your answer) and he manually worked it out to be exactly the same. The issue I have is binary etc ... it's still Greek to me (I will try to learn it soon though).
>
> Ok, now for the real n00b question :-) In which section did you work it out on that page (possibly a screenshot sent to my email if explaining is hard)?
>
> Thanks for the help,
> Greetings
> Ralph
>
> Chris Boot wrote:
>> Hi,
>>
>> I found a nice IP address calculator at http://www.telusplanet.net/public/sparkman/netcalc.htm
>>
>> Using that, we get 218.144.0.0/12.
>>
>> HTH,
>> Chris
>>
>> Ralph Slooten wrote:
>>> Hello fellow gentoo users,
>>>
>>> I run my own dedicated internet server from home with of course gentoo. What I have noticed, as probably many of you have, is that users from certain ISPs make daily attempts to relay mail, log into ssh etc etc ... Ok, so I'm pretty well secured as they don't even come close, but I'm still not happy. Most of these attempts come from kornet, as does most of my spam.
>>>
>>> What I would like to do is drop their whole entire ip-range with iptables... but how? I know how with a simple subnet, but some (they have several) of their ranges are given as:
>>>
>>>   218.144.0.0 - 218.159.255.255
>>>
>>> Is there any way to add this range in iptables easily, without having to do each from 218.144*, 218.145* etc etc?
>>>
>>> Greetings
>>> Ralph
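Chris's binary comparison works because this particular range is exactly one block: the number of leading bits the two addresses share is the prefix length. The script below is an added example, not code from Chris or Ralph; it does the same arithmetic in POSIX sh and generalizes it to ranges that are not a single power-of-two block, splitting them into the fewest CIDR blocks and emitting one DROP rule per block. It assumes the rules belong in INPUT; the range 218.144.0.0 - 218.159.255.255 from the thread is used as sample input.

```sh
#!/bin/sh
# Added example (not from the thread): convert an arbitrary IPv4 range into
# the minimal list of CIDR blocks and print an iptables DROP rule for each.
# Needs 64-bit shell arithmetic (dash and bash on a 64-bit system).

# ip2int DOTTED: dotted quad -> 32-bit integer
ip2int() {
    # set -- inside a function only rebinds the function's own $1..$4
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INT: 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr FIRST LAST: print the fewest CIDR blocks covering FIRST..LAST
range2cidr() {
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        prefix=32
        # Widen the block one bit at a time while the block stays aligned
        # on its own size and its last address is still inside the range.
        while [ "$prefix" -gt 0 ]; do
            size=$(( 1 << (33 - prefix) ))      # size of the next wider block
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            prefix=$(( prefix - 1 ))
        done
        echo "$(int2ip "$start")/$prefix"
        start=$(( start + (1 << (32 - prefix)) ))
    done
}

# drop_rules: read CIDR blocks on stdin, print one iptables rule per block
drop_rules() {
    while read -r cidr; do
        echo "iptables -A INPUT -s $cidr -j DROP"
    done
}

# Usage: sh range2cidr.sh 218.144.0.0 218.159.255.255 | sh
if [ "$#" -eq 2 ]; then
    range2cidr "$1" "$2" | drop_rules
fi
```

For the kornet range this prints a single rule for 218.144.0.0/12; for an unaligned range such as 192.168.1.3 - 192.168.1.10 it prints four blocks (/32, /30, /31, /32), which is where doing it by eye in binary gets error-prone.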
Re: [gentoo-user] iptables: block full ip-range
Wow, thanks Chris for the link. I just asked my boss to explain it to me (without showing him your answer) and he manually worked it out to be exactly the same. The issue I have is binary etc ... it's still Greek to me (I will try to learn it soon though).

Ok, now for the real n00b question :-) In which section did you work it out on that page (possibly a screenshot sent to my email if explaining is hard)?

Thanks for the help,
Greetings
Ralph

Chris Boot wrote:
> Hi,
>
> I found a nice IP address calculator at http://www.telusplanet.net/public/sparkman/netcalc.htm
>
> Using that, we get 218.144.0.0/12.
>
> HTH,
> Chris
>
> Ralph Slooten wrote:
>> Hello fellow gentoo users,
>>
>> I run my own dedicated internet server from home with of course gentoo. What I have noticed, as probably many of you have, is that users from certain ISPs make daily attempts to relay mail, log into ssh etc etc ... Ok, so I'm pretty well secured as they don't even come close, but I'm still not happy. Most of these attempts come from kornet, as does most of my spam.
>>
>> What I would like to do is drop their whole entire ip-range with iptables... but how? I know how with a simple subnet, but some (they have several) of their ranges are given as:
>>
>>   218.144.0.0 - 218.159.255.255
>>
>> Is there any way to add this range in iptables easily, without having to do each from 218.144*, 218.145* etc etc?
>>
>> Greetings
>> Ralph
Re: [gentoo-user] iptables: block full ip-range
Hi,

I found a nice IP address calculator at http://www.telusplanet.net/public/sparkman/netcalc.htm

Using that, we get 218.144.0.0/12.

HTH,
Chris

Ralph Slooten wrote:
> Hello fellow gentoo users,
>
> I run my own dedicated internet server from home with of course gentoo. What I have noticed, as probably many of you have, is that users from certain ISPs make daily attempts to relay mail, log into ssh etc etc ... Ok, so I'm pretty well secured as they don't even come close, but I'm still not happy. Most of these attempts come from kornet, as does most of my spam.
>
> What I would like to do is drop their whole entire ip-range with iptables... but how? I know how with a simple subnet, but some (they have several) of their ranges are given as:
>
>   218.144.0.0 - 218.159.255.255
>
> Is there any way to add this range in iptables easily, without having to do each from 218.144*, 218.145* etc etc?
>
> Greetings
> Ralph
[gentoo-user] iptables: block full ip-range
Hello fellow gentoo users,

I run my own dedicated internet server from home with of course gentoo. What I have noticed, as probably many of you have, is that users from certain ISPs make daily attempts to relay mail, log into ssh etc etc ... Ok, so I'm pretty well secured as they don't even come close, but I'm still not happy. Most of these attempts come from kornet, as does most of my spam.

What I would like to do is drop their whole entire ip-range with iptables... but how? I know how with a simple subnet, but some (they have several) of their ranges are given as:

  218.144.0.0 - 218.159.255.255

Is there any way to add this range in iptables easily, without having to do each from 218.144*, 218.145* etc etc?

Greetings
Ralph
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Stroller wrote:
> On Feb 2, 2004, at 2:50 pm, Neil Rachynski wrote:
>> iptables v1.2.8: can't initialize iptables table 'filter': Table does not exist (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded.
>>
>> When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.
>
> Dumb & possibly irrelevant question: is the machine you got /var/lib/iptables/rules-save (??) from also a Gentoo box..?
>
> Stroller.

Yes, both are Gentoo.
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
On Feb 2, 2004, at 2:50 pm, Neil Rachynski wrote:
> iptables v1.2.8: can't initialize iptables table 'filter': Table does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.

Dumb & possibly irrelevant question: is the machine you got /var/lib/iptables/rules-save (??) from also a Gentoo box..?

Stroller.
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Sorry for this message, it was accidental.
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
-- 
Regards,
Rust
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Not at home at the moment, but when I did 'lsmod' earlier, only ip_tables was listed (I would have to manually 'modprobe' other modules for iptables).

----- Original Message -----
From: Norbert Kamenicky
Date: Monday, February 2, 2004 9:10 am
Subject: Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

> Neil Rachynski wrote:
>> Greetings,
>>
>> I have just finished a GRP installation on a box I was intending to use as a router/firewall for my home computers. However, once I reboot the system after the installation is done and emerge iptables (1.2.8-r1), I can not add, list, or do anything to iptables itself.
>>
>> The error I receive is:
>>
>>   iptables v1.2.8: can't initialize iptables table 'filter': Table does not exist (do you need to insmod?)
>>   Perhaps iptables or your kernel needs to be upgraded.
>>
>> When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.
>>
>> I was hoping to be able to get iptables up and running before connecting to the internet and doing an 'emerge sync' and 'emerge -u world'. I have been through the gentoo user forums but the only suggestions I could find there were to either re-emerge my kernel and/or iptables. I've done so several times and have built iptables support right into the kernel as well as as modules.
>>
>> If anyone has any suggestions, please let me know.
>>
>> Neil Rachynski
>
> What is "lsmod | grep ipt" saying?
>
> You must see at minimum the ip_tables module, but I have about 15.
> Look in /lib/modules/./netfilter/* for all available modules.
>
> noro
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Neil Rachynski wrote:
> Greetings,
>
> I have just finished a GRP installation on a box I was intending to use as a router/firewall for my home computers. However, once I reboot the system after the installation is done and emerge iptables (1.2.8-r1), I can not add, list, or do anything to iptables itself.
>
> The error I receive is:
>
>   iptables v1.2.8: can't initialize iptables table 'filter': Table does not exist (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
>
> When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.
>
> I was hoping to be able to get iptables up and running before connecting to the internet and doing an 'emerge sync' and 'emerge -u world'. I have been through the gentoo user forums but the only suggestions I could find there were to either re-emerge my kernel and/or iptables. I've done so several times and have built iptables support right into the kernel as well as as modules.
>
> If anyone has any suggestions, please let me know.
>
> Neil Rachynski

What is "lsmod | grep ipt" saying?

You must see at minimum the ip_tables module, but I have about 15.
Look in /lib/modules/./netfilter/* for all available modules.

noro
[gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Greetings,

I have just finished a GRP installation on a box I was intending to use as a router/firewall for my home computers. However, once I reboot the system after the installation is done and emerge iptables (1.2.8-r1), I can not add, list, or do anything to iptables itself.

The error I receive is:

  iptables v1.2.8: can't initialize iptables table 'filter': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.

I was hoping to be able to get iptables up and running before connecting to the internet and doing an 'emerge sync' and 'emerge -u world'. I have been through the gentoo user forums but the only suggestions I could find there were to either re-emerge my kernel and/or iptables. I've done so several times and have built iptables support right into the kernel as well as as modules.

If anyone has any suggestions, please let me know.

Neil Rachynski
Re: [gentoo-user] iptables error
Emerge iptables again.

----- Original Message -----
From: "Catalin Constantin"
Sent: Monday, January 26, 2004 12:28 PM
Subject: [gentoo-user] iptables error

> I get the following error when trying to add an iptables rule.
>
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o failed
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
>   iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
>
>   gentoo root # epm -qf /usr/src/linux-2.4.22/
>   vanilla-sources-2.4.22
>
> Any hints?
>
> Thank you!
>
> --
> Catalin Constantin
> Bounce Software
> www.bounce-software.com
Re: [gentoo-user] iptables error
On Monday 26 January 2004 11:28, Catalin Constantin wrote:
> I get the following error when trying to add an iptables rule.
>
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o failed
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
>   iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
>
>   gentoo root # epm -qf /usr/src/linux-2.4.22/
>   vanilla-sources-2.4.22
>
> Any hints?

Something b0rked in your kernel compile.
I'd back up your .config, make mrproper, copy back the .config and re-run 'make dep && make bzImage && make modules modules_install', copy the new kernel and reboot.

-- 
Mike Williams
[gentoo-user] iptables error
I get the following error when trying to add an iptables rule.

  /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
  /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
  /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o failed
  /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
  iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

  gentoo root # epm -qf /usr/src/linux-2.4.22/
  vanilla-sources-2.4.22

Any hints?

Thank you!

-- 
Catalin Constantin
Bounce Software
www.bounce-software.com
Re: [gentoo-user] iptables
On Fri, 21 Nov 2003 15:29:45 -0800, Redeeman muttered:
> Hi, I am seeking an application for easily building iptables scripts. It's not anything advanced, it just has to block some ports from the public and route some ports to another machine on my LAN. Can anyone suggest an app?

rc.firewall - at projectfiles.com IIRC.

-- 
Andrew Farmer
RE: [gentoo-user] iptables
> Hi, I am seeking an application for easily building iptables scripts. It's not anything advanced, it just has to block some ports from the public and route some ports to another machine on my LAN. Can anyone suggest an app?
>
> Thanks!

Many like shorewall, and some use fwbuilder. My preference is monmotha. You can also read some and write your own.

-rex
[gentoo-user] iptables
Hi, I am seeking an application for easily building iptables scripts. It's not anything advanced, it just has to block some ports from the public and route some ports to another machine on my LAN. Can anyone suggest an app?

Thanks!

-- 
Regards, Redeeman
()  ascii ribbon campaign - against html e-mail
/\  - against microsoft attachments
RE: [gentoo-user] iptables and linux 2.6-test9
Hi Redeeman,

> Hi, I am running linux 2.6-test9 and I want to use iptables. I read the gentoo IP masquerading guide, but I am wondering about the kernel-side stuff. I only want to filter some ports and forward some ports; what should I enable in the kernel? And after that, should I emerge iptables? (Is iptables a program needed to use the iptables stuff in the kernel?)

I added all kernel options under netfilter (excluding ipchains and experimental stuff) as modules. The iptables in Portage wouldn't compile on my hardware so I downloaded the latest available from the iptables website, compiled and installed that successfully. Then I used turtlefirewall to configure my firewall rules.

Cheers!
Chris
[gentoo-user] iptables and linux 2.6-test9
Hi, I am running linux 2.6-test9 and I want to use iptables. I read the gentoo IP masquerading guide, but I am wondering about the kernel-side stuff. I only want to filter some ports and forward some ports; what should I enable in the kernel? And after that, should I emerge iptables? (Is iptables a program needed to use the iptables stuff in the kernel?)

Thanks!

-- 
Regards, Redeeman
()  ascii ribbon campaign - against html e-mail
/\  - against microsoft attachments
Re: [gentoo-user] iptables
OK, it's getting better, but it still doesn't work. Here's what happens:

  root # iptables -t nat -I POSTROUTING -j MASQUERAQDE -s 192.168.1.3/16
  /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
  /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
  /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o failed
  /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
  iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

These are the kernel configs:

  #
  # Networking options
  #
  CONFIG_PACKET=y
  # CONFIG_PACKET_MMAP is not set
  # CONFIG_NETLINK_DEV is not set
  CONFIG_NETFILTER=y
  # CONFIG_NETFILTER_DEBUG is not set
  CONFIG_FILTER=y
  CONFIG_UNIX=y
  CONFIG_INET=y
  CONFIG_IP_MULTICAST=y
  # CONFIG_IP_ADVANCED_ROUTER is not set
  # CONFIG_IP_PNP is not set
  # CONFIG_NET_IPIP is not set
  # CONFIG_NET_IPGRE is not set
  # CONFIG_IP_MROUTE is not set
  # CONFIG_ARPD is not set
  # CONFIG_INET_ECN is not set
  # CONFIG_SYN_COOKIES is not set

  #
  # IP: Netfilter Configuration
  #
  CONFIG_IP_NF_CONNTRACK=m
  CONFIG_IP_NF_FTP=m
  # CONFIG_IP_NF_AMANDA is not set
  # CONFIG_IP_NF_TFTP is not set
  # CONFIG_IP_NF_IRC is not set
  # CONFIG_IP_NF_QUEUE is not set
  CONFIG_IP_NF_IPTABLES=m
  CONFIG_IP_NF_MATCH_LIMIT=m
  CONFIG_IP_NF_MATCH_MAC=m
  CONFIG_IP_NF_MATCH_PKTTYPE=m
  CONFIG_IP_NF_MATCH_MARK=m
  CONFIG_IP_NF_MATCH_MULTIPORT=m
  CONFIG_IP_NF_MATCH_TOS=m
  CONFIG_IP_NF_MATCH_RECENT=m
  CONFIG_IP_NF_MATCH_ECN=m
  CONFIG_IP_NF_MATCH_DSCP=m
  CONFIG_IP_NF_MATCH_AH_ESP=m
  CONFIG_IP_NF_MATCH_LENGTH=m
  CONFIG_IP_NF_MATCH_TTL=m
  CONFIG_IP_NF_MATCH_TCPMSS=m
  CONFIG_IP_NF_MATCH_HELPER=m
  CONFIG_IP_NF_MATCH_STATE=m
  CONFIG_IP_NF_MATCH_CONNTRACK=m
  CONFIG_IP_NF_MATCH_UNCLEAN=m
  CONFIG_IP_NF_MATCH_OWNER=m
  CONFIG_IP_NF_FILTER=m
  CONFIG_IP_NF_TARGET_REJECT=m
  CONFIG_IP_NF_TARGET_MIRROR=m
  CONFIG_IP_NF_NAT=m
  CONFIG_IP_NF_NAT_NEEDED=y
  CONFIG_IP_NF_TARGET_MASQUERADE=m
  CONFIG_IP_NF_TARGET_REDIRECT=m
  CONFIG_IP_NF_NAT_LOCAL=y
  CONFIG_IP_NF_NAT_SNMP_BASIC=m
  CONFIG_IP_NF_NAT_FTP=m

I put everything I could think of in there. What's going on? Am I still missing something? Thanks.

-Brian

On Tue, 04 Nov 2003 11:56:20 Mike Williams wrote:
> On Sunday 02 November 2003 23:27, Brian Doob wrote:
>> Changing that didn't seem to fix my problem. Here's what happened:
>>
>>   root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
>>   modprobe: Can't locate module ip_tables
>>   iptables v1.2.7a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
>>   Perhaps iptables or your kernel needs to be upgraded.
>>
>> This is my network/netfilter config (for ck-sources 2.4.22-ck1):
>>
>>   #
>>   # IP: Netfilter Configuration
>>   #
>>   CONFIG_IP_NF_CONNTRACK=m
>>   CONFIG_IP_NF_FTP=m
>>   # CONFIG_IP_NF_AMANDA is not set
>>   # CONFIG_IP_NF_TFTP is not set
>>   # CONFIG_IP_NF_IRC is not set
>>   # CONFIG_IP_NF_QUEUE is not set
>>   CONFIG_IP_NF_IPTABLES=y
>>
>> So what do I need to do to get NAT working? Any thoughts, anyone? Thanks.
>
> You need way more than that.
> Select 'IP tables support (required for filtering/masq/NAT)' then scroll down to and select the NAT option and its options.
>
> --
> Mike Williams
Re: [gentoo-user] iptables
On Sunday 02 November 2003 23:27, Brian Doob wrote:
> Changing that didn't seem to fix my problem. Here's what happened:
>
>   root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
>   modprobe: Can't locate module ip_tables
>   iptables v1.2.7a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
>
> This is my network/netfilter config (for ck-sources 2.4.22-ck1):
>
>   #
>   # IP: Netfilter Configuration
>   #
>   CONFIG_IP_NF_CONNTRACK=m
>   CONFIG_IP_NF_FTP=m
>   # CONFIG_IP_NF_AMANDA is not set
>   # CONFIG_IP_NF_TFTP is not set
>   # CONFIG_IP_NF_IRC is not set
>   # CONFIG_IP_NF_QUEUE is not set
>   CONFIG_IP_NF_IPTABLES=y
>
> So what do I need to do to get NAT working? Any thoughts, anyone? Thanks.

You need way more than that.
Select 'IP tables support (required for filtering/masq/NAT)' then scroll down to and select the NAT option and its options.

-- 
Mike Williams
Re: [gentoo-user] iptables
I just re-emerged iptables, but that didn't seem to help. Here's what happened:

  root # iptables -t nat -I POSTROUTING -j MASQUERAQDE -s 192.168.1.3/16
  modprobe: Can't locate module ip_tables
  iptables v1.2.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

I won't post my kernel configs this time, but it's the same as last time.

Do I need to modify "/etc/config.d/iptables"? The file does contain "ENABLE_FORWARDING_IPv4="no"", do I need to change that? Do I need to run iptables as a service? When I try, I get:

  root # /etc/init.d/iptables start
   * Not starting iptables. First create some rules then run
   * /etc/init.d/iptables save

If I need to do this, what rules need to be set up? Thanks.

-Brian

On Sun, 02 Nov 2003 15:43:31 -0800 Andrew Farmer wrote:
> On Sun, 02 Nov 2003 15:27:09 -0800, Brian Doob muttered:
>> Changing that didn't seem to fix my problem.
>
> Hmm. Try re-emerging iptables?
>
> --
> Andrew Farmer
Re: [gentoo-user] iptables
On Sun, 02 Nov 2003 15:27:09 -0800, Brian Doob muttered:
> Changing that didn't seem to fix my problem.

Hmm. Try re-emerging iptables?

-- 
Andrew Farmer
Re: [gentoo-user] iptables
Changing that didn't seem to fix my problem. Here's what happened:

  root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
  modprobe: Can't locate module ip_tables
  iptables v1.2.7a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

This is my network/netfilter config (for ck-sources 2.4.22-ck1):

  #
  # Networking options
  #
  CONFIG_PACKET=y
  # CONFIG_PACKET_MMAP is not set
  # CONFIG_NETLINK_DEV is not set
  CONFIG_NETFILTER=y
  # CONFIG_NETFILTER_DEBUG is not set
  CONFIG_FILTER=y
  CONFIG_UNIX=y
  CONFIG_INET=y
  CONFIG_IP_MULTICAST=y
  # CONFIG_IP_ADVANCED_ROUTER is not set
  # CONFIG_IP_PNP is not set
  # CONFIG_NET_IPIP is not set
  # CONFIG_NET_IPGRE is not set
  # CONFIG_IP_MROUTE is not set
  # CONFIG_ARPD is not set
  # CONFIG_INET_ECN is not set
  # CONFIG_SYN_COOKIES is not set

  #
  # IP: Netfilter Configuration
  #
  CONFIG_IP_NF_CONNTRACK=m
  CONFIG_IP_NF_FTP=m
  # CONFIG_IP_NF_AMANDA is not set
  # CONFIG_IP_NF_TFTP is not set
  # CONFIG_IP_NF_IRC is not set
  # CONFIG_IP_NF_QUEUE is not set
  CONFIG_IP_NF_IPTABLES=y

So what do I need to do to get NAT working? Any thoughts, anyone? Thanks.

-Brian

On Sun, 02 Nov 2003 12:36:48 -0800 Andrew Farmer wrote:
> On Sun, 02 Nov 2003 12:32:31 -0800, Brian Doob muttered:
>> I'm trying to get IPTables to work under Gentoo (to connect my Linux PDA (with USB ethernet) to the net). This is what happens when I try to use IPTables:
>>
>>   # CONFIG_FILTER is not set
>
> There's your answer...
>
> --
> Andrew Farmer
Re: [gentoo-user] iptables and gentoo sources?
-- quoting Jorge Almeida --
> If I understand your point correctly, it doesn't apply: I had gentoo-sources running when I first installed iptables, and I changed to vanilla-sources only because the former didn't work. Anyway, what I need is just some input from people using gentoo-sources+iptables/shorewall (in other words: can it be done?). I may have to install gentoo on a new box soon, and I have to choose the kernel flavor.

Yes, no problem with this here. I just installed such a setup some days ago, gentoo-sources and the newest stable iptables version.

IMHO it's a good idea to always have the newest (stable) version of iptables installed on a Linux firewall...

Greetings,
Matthias

-- 
Homer: Hey, Flanders, it's no use praying. I already did the same thing, and we can't both win.
Flanders: Actually, Simpson, we were praying that no one gets hurt.
Dead Putting Society
Re: [gentoo-user] iptables
On Sun, 02 Nov 2003 12:32:31 -0800, Brian Doob muttered:
> I'm trying to get IPTables to work under Gentoo (to connect my Linux
> PDA (with USB ethernet) to the net). This is what happens when I try
> to use IPTables:
> # CONFIG_FILTER is not set

There's your answer...

-- Andrew Farmer
[EMAIL PROTECTED]
[gentoo-user] iptables
I'm trying to get IPTables to work under Gentoo (to connect my Linux PDA (with USB ethernet) to the net). This is what happens when I try to use IPTables:

root# iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.200/16
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

My kernel is ck-sources (2.4.22-ck1) with these network configurations:

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set

What do I need to do to get IPTables working? Thanks.

-Brian

-- [EMAIL PROTECTED] mailing list
Re: AW: [gentoo-user] iptables firewall+nat problem
--- Simon_Kühling <[EMAIL PROTECTED]> wrote:
> > http://www.shorewall.net
>
> ok, shorewall really seems to be quite popular in here :) so i should
> give it a try
> # emerge shorewall

Hi Simon,

Like anything new, you will need to get familiar with Shorewall's web site, which is top notch. The other thing that you will want to do is join their mailing list. The person who writes Shorewall does a very expert job of responding to users' questions in an amazingly short time frame on this list. I found that with Shorewall in place I was able to garner the immediate satisfaction of having a fully functional stateful firewall in place. Once everything was up and running, then I took the time to learn what was going on under the hood, so to say. Just because you're running Shorewall doesn't mean that you're not going to understand what's running under the hood. I happened to learn iptables a lot faster with Shorewall installed and running, using its various diagnostic iptables tools. So if anyone tries to mislead you into thinking that you won't understand iptables with Shorewall installed, that would be false. You still have control over iptables in the raw, under-the-hood style if you wish. Shorewall just allows you immediate simplification of setting up Zones, Policies, Rules, Masqing, and port forwarding, to name a few.

Joshua Banks

__
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/

-- [EMAIL PROTECTED] mailing list
Re: AW: [gentoo-user] iptables firewall+nat problem
On Sunday 02 Nov 2003 13:28, Simon Kühling wrote: > ok, shorewall really seems to be quite popular in here :) so i should > give it a try > # emerge shorewall Really?? I tried it when I was using Mandrake and didn't like it. What worked for me was the IP-Masquerade-HOWTO.html. With that I do feel in control of things. $ qpkg -f /usr/share/doc/howto/html-single/IP-Masquerade-HOWTO.html app-doc/howto-html-single * Peter -- == Portage 2.0.49-r15 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.4.23_pre8-gss) i686 AMD Athlon(tm) XP 3200+ == -- [EMAIL PROTECTED] mailing list
AW: [gentoo-user] iptables firewall+nat problem
> --- Simon_Kühling <[EMAIL PROTECTED]> wrote: > > > I wonder if your firewall is blocking ping scans. Disable the > > > firewall and see > > > if you can ping google. > > > > well, you are right - disabling the firewall makes ping work again. > > maybe it is easier to build my own script from scratch instead of > > using the one from gentoo-security-guide. > > If you insist. Your making allot of extra work for yourself. > Shorewall already has all of the scripts that you need. All > you need to do is simply modify them. Trust me. Try it, and > you will understand. If you don't like it go back to writing > everything from scratch. > > http://www.shorewall.net ok, shorewall really seems to be quite popular in here :) so i should give it a try # emerge shorewall ... thanks for help so far! simon -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables and gentoo sources?
On Sun, 2 Nov 2003, William Kenworthy wrote: > iptables sometimes requires re-emerging to work with a different > kernel. Dont know why, just that its needed "sometimes". > If I understand your point correctly, it doesn't apply: I had gentoo-sources running when I first installed iptables, and I changed to vanilla-sources only because the former didn't work. Anyway, what I need is just some input from people using gentoo-sources+iptables/shorewall (in other words: can it be done?). I may have to install gentoo on a new box soon, and I have to choose the kernel flavor. Regards, Jorge Almeida -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables and gentoo sources?
iptables sometimes requires re-emerging to work with a different kernel. Don't know why, just that it's needed "sometimes".

BillK

On Sun, 2003-11-02 at 17:24, Jorge Almeida wrote:
> Hi everyone,
>
> I tried iptables/shorewall with gentoo-sources and it didn't work. So I changed to
> vanilla-sources and it works fine. I read somewhere that gentoo-sources had some
> incompatibility with iptables.
> This was some months ago, if I recall correctly. So the question is: is it all right
> to use gentoo-sources with iptables? Is the problem solved, assuming that there
> really was one?
>
> Regards,
> Jorge Almeida
>
> --
> [EMAIL PROTECTED] mailing list

-- William Kenworthy <[EMAIL PROTECTED]>
-- [EMAIL PROTECTED] mailing list
[gentoo-user] iptables and gentoo sources?
Hi everyone, I tried iptables/shorewall with gentoo-sources and it didn't work. So I changed to vanilla-sources and it works fine. I read somewhere that gentoo-sources had some incompatibility with iptables. This was some months ago, if I recall correctly. So the question is: is it all right to use gentoo-sources with iptables? Is the problem solved, assuming that there really was one? Regards, Jorge Almeida -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables firewall+nat problem
I have been running my own personally developed IPTABLES ruleset since I converted from ipchains to iptables. My topology is pretty simple:

WAN (cable modem) ---> eth1 [FW] eth0 ---> [HUB] --> [LAN boxes]

Note that I am forwarding port 25 from the FW to an internet mail server.

This thread caused me to take a closer look at both shorewall and gshield (I think it was). I actually emerged shorewall and attempted to configure it. In the end I found it more confusing than my own custom-built script, which I have pretty extensively tested (and which I will be happy to share if anyone is interested). Frankly, I like understanding what is going on under the covers... so I unmerged shorewall and went back to using my script.

On Sat, 2003-11-01 at 19:17, Joshua Banks wrote:
> --- Simon_Kühling <[EMAIL PROTECTED]> wrote:
> > > I wonder if your firewall is blocking ping scans. Disable the
> > > firewall and see
> > > if you can ping google.
> >
> > well, you are right - disabling the firewall makes ping work again.
> > maybe it is easier to build my own script from scratch instead of
> > using
> > the one from gentoo-security-guide.
>
> If you insist. Your making allot of extra work for yourself. Shorewall
> already has all of the scripts that you need. All you need to do is
> simply modify them. Trust me. Try it, and you will understand. If you
> don't like it go back to writing everything from scratch.
>
> http://www.shorewall.net
>
> JBanks
>
> __
> Do you Yahoo!?
> Exclusive Video Premiere - Britney Spears
> http://launch.yahoo.com/promos/britneyspears/
>
> --
> [EMAIL PROTECTED] mailing list

-- Lincoln A. Baxter <[EMAIL PROTECTED]>
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables firewall+nat problem
--- Simon_Kühling <[EMAIL PROTECTED]> wrote:
> > I wonder if your firewall is blocking ping scans. Disable the
> > firewall and see
> > if you can ping google.
>
> well, you are right - disabling the firewall makes ping work again.
> maybe it is easier to build my own script from scratch instead of
> using
> the one from gentoo-security-guide.

If you insist. You're making a lot of extra work for yourself. Shorewall already has all of the scripts that you need. All you need to do is simply modify them. Trust me. Try it, and you will understand. If you don't like it go back to writing everything from scratch.

http://www.shorewall.net

JBanks

__
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/

-- [EMAIL PROTECTED] mailing list
RE: [gentoo-user] iptables firewall+nat problem
gshield and shorewall can build you a firewall.. I prefer gshield myself. > > I wonder if your firewall is blocking ping scans. Disable the > > firewall and see > > if you can ping google. > > well, you are right - disabling the firewall makes ping work again. > maybe it is easier to build my own script from scratch > instead of using > the one from gentoo-security-guide. > > > In my firewall, I do: > > > > # Block ping scans > > iptables -A INPUT -p icmp --icmp-type echo-request -j DROP > > # ... but not coming from our LAN > > iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP > > iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP > > -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables firewall+nat problem
> I wonder if your firewall is blocking ping scans. Disable the > firewall and see > if you can ping google. well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide. > In my firewall, I do: > > # Block ping scans > iptables -A INPUT -p icmp --icmp-type echo-request -j DROP > # ... but not coming from our LAN > iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP > iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP > ok, thanks for the hint! simon -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables firewall+nat problem
I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.

In my firewall, I do:

# Block ping scans
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# ... but not coming from our LAN
iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

On Saturday 01 November 2003 06:15 am, Simon Kühling wrote:
> hi everyone,
>
> i'm trying to get my gentoo box running as a firewall and nat-router for
> my home-network.

-- Stephen
From here to there and there to here, funny things are everywhere. -- Dr Seuss
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables firewall+nat problem
Simon,

Save yourself a lot of time and headache and download ("emerge -p shorewall") Shorewall firewall. IPtables made easy. This site is well maintained, has a great mailing list and awesome, easy-to-follow FAQs for a standalone workstation, 2-NIC and 3-NIC setups with DMZ. Shorewall is very lightweight and is a full-featured stateful packet filtering firewall that uses a series of simple shell scripts to take all the (masochistic fun) out of configuring iptables line by line, word by word.

http://www.shorewall.net

Unless you're trying to learn iptables, of course.. Heh. :P

JBanks

--- Simon_Kühling <[EMAIL PROTECTED]> wrote:
> hi everyone,
>
> i'm trying to get my gentoo box running as a firewall and nat-router for
> my home-network. therefore i took the iptables-example script as seen in
> the gentoo security guide
> (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and
> modified it a little.
>
> the server is able to establish an adsl-connection and lynx has no prob
> to surf the net. the firewall script is started and from inside the
> network i can easily access the server (192.168.0.1) via ssh, but theres
> no response to pings from e.g. 192.168.0.121 . the server itself is not
> able to make pings and get a strange error message:
>
> ***
> tux root # ping www.google.com
> PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
>
> --- www.google.akadns.net ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2000ms
> ***
>
>
> my firewallscript is attached to this mail.
> i do not see a mistake or something in that script.
> btw another strange behavior: yesterday the nat routing suddenly ran for
> about 10 minutes without changing the script (as i can remember).
> > i am thankful for every little hint :) > > simon > > #!/sbin/runscript > IPTABLES=/sbin/iptables > IPTABLESSAVE=/sbin/iptables-save > IPTABLESRESTORE=/sbin/iptables-restore > FIREWALL=/etc/firewall.rules > DNS1=145.253.2.11 > DNS2=145.253.2.75 > #inside > IINTERFACE=eth0 > #outside > OINTERFACE=ppp0 > > opts="${opts} showstatus panic save restore showoptions rules" > > depend() { > need net procparam > } > > rules() { > stop > ebegin "Setting internal rules" > > einfo "Setting default rule to drop" > $IPTABLES -P FORWARD DROP > $IPTABLES -P INPUT DROP > $IPTABLES -P OUTPUT DROP > > #default rule > einfo "Creating states chain" > $IPTABLES -N allowed-connection > $IPTABLES -F allowed-connection > $IPTABLES -A allowed-connection -m state --state > ESTABLISHED,RELATED -j ACCEPT > $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG > --log-prefix "Bad packet from ${IINTERFACE}:" > $IPTABLES -A allowed-connection -j DROP > > #ICMP traffic > einfo "Creating icmp chain" > $IPTABLES -N icmp_allowed > $IPTABLES -F icmp_allowed > $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type > time-exceeded -j ACCEPT > $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type > destination-unreachable -j ACCEPT > $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP > traffic:" > $IPTABLES -A icmp_allowed -p icmp -j DROP > > #Incoming traffic > einfo "Creating incoming ssh traffic chain" > $IPTABLES -N allow-ssh-traffic-in > $IPTABLES -F allow-ssh-traffic-in > #Flood protection > $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp > --tcp-flags ALL RST --dport ssh -j ACCEPT > $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp > --tcp-flags ALL FIN --dport ssh -j ACCEPT > $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp > --tcp-flags ALL SYN --dport ssh -j ACCEPT > $IPTABLES -A allow-ssh-traffic-in -m state --state > RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT > > #outgoing traffic > 
einfo "Creating outgoing ssh traffic chain" > $IPTABLES -N allow-ssh-traffic-out > $IPTABLES -F allow-ssh-traffic-out > $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT > > einfo "Creating outgoing dns traffic chain" > $IPTABLES -N allow-dns-traffic-out > $IPTABLES -F allow-dns-traffic-out > $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain > -j ACCEPT > $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain > -j ACCEPT > > einfo "Creating outgoing http/https traffic chain" > $IPTABLES -N allow-www-traffic-out > $IPTABLES -F allow-www-traffic-out > $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT > $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT > > #Catch portscanners > einfo "Creating portscan detection chain" > $IPTABLES -N check-flags > $IPTABLES -F check-flags > $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m > limit --limit 5/minute -j LOG --lo
[gentoo-user] iptables firewall+nat problem
hi everyone,

i'm trying to get my gentoo box running as a firewall and nat-router for my home-network. therefore i took the iptables-example script as seen in the gentoo security guide (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and modified it a little.

the server is able to establish an adsl-connection and lynx has no prob to surf the net. the firewall script is started and from inside the network i can easily access the server (192.168.0.1) via ssh, but there's no response to pings from e.g. 192.168.0.121. the server itself is not able to make pings and gets a strange error message:

***
tux root # ping www.google.com
PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- www.google.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
***

my firewallscript is attached to this mail. i do not see a mistake or something in that script.
btw another strange behavior: yesterday the nat routing suddenly ran for about 10 minutes without changing the script (as i can remember).
i am thankful for every little hint :)

simon

#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=145.253.2.11
DNS2=145.253.2.75
#inside
IINTERFACE=eth0
#outside
OINTERFACE=ppp0

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net procparam
}

rules() {
  stop
  ebegin "Setting internal rules"

  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP

  #default rule
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
  $IPTABLES -A allowed-connection -j DROP

  #ICMP traffic
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -j DROP

  #Incoming traffic
  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  #Flood protection
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

  #outgoing traffic
  einfo "Creating outgoing ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-out
  $IPTABLES -F allow-ssh-traffic-out
  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

  einfo "Creating outgoing dns traffic chain"
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

  einfo "Creating outgoing http/https traffic chain"
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

  #Catch portscanners
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
  $IPTABLES -A check-flags -p
Re: [gentoo-user] iptables config file
sorry about losing the citation:-( > "Mojo" == Mojo B Nichols <[EMAIL PROTECTED]> writes: > On boot iptables script in /etc/runlenvels/boot/iptables > complains about iptables-restore. I know that > /var/lib/iptables/rules-save should exist, but what to put int that > file? Thanx. :o) > I think you simply touch that file. it will stop complaining. and > then if type: /etc/init.d/iptables save > it will save your current rules. > iptables -L will list your current rules. > and then you can add rules. to keep bad guys out. I bet the gentoo > security document has a good basic start, but also www.netfilter.org > is a good resource. > Meka[ni] > -- [EMAIL PROTECTED] mailing list > -- [EMAIL PROTECTED] mailing list -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables config file
On boot iptables script in /etc/runlevels/boot/iptables complains about iptables-restore. I know that /var/lib/iptables/rules-save should exist, but what to put in that file? Thanx. :o)

I think you simply touch that file. it will stop complaining. and then if you type:

/etc/init.d/iptables save

it will save your current rules.

iptables -L

will list your current rules. and then you can add rules to keep bad guys out. I bet the gentoo security document has a good basic start, but also www.netfilter.org is a good resource.

Meka[ni]

-- [EMAIL PROTECTED] mailing list
[gentoo-user] iptables config file
On boot iptables script in /etc/runlevels/boot/iptables complains about iptables-restore. I know that /var/lib/iptables/rules-save should exist, but what to put in that file? Thanx. :o)

Meka[ni]

-- [EMAIL PROTECTED] mailing list
RE: [gentoo-user] iptables help
Try FireHOL, a very nice tool. It generates stateful iptables packet-filtering firewalls very, very easily: http://firehol.sourceforge.net/

- Gregory

-----Original Message-----
From: Andrew Gaffney [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 29, 2003 6:48 PM
To: Gentoo User
Subject: [gentoo-user] iptables help

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

-- Andrew Gaffney
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
- Original Message - From: "gabriel" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, September 01, 2003 2:57 PM Subject: Re: [gentoo-user] iptables help > NO! that will pretty much negate the use of a firewall alltogether! where > are you droping/rejecting packets? basically your script says this: > > accept everything incoming > accept everything outgoing > accept everything forwarding > forward all traffic from ppp0 to eth0 > nat your internal lan to eth0 > accept all established or related packets > accept all incoming packets from the internal lan > accept all incoming connections from any ip, on any interface on ports 22, 25, > and 80. > drop everything else that's incoming. No, changing the policy changes the DEFAULT behaviour for that chain. It's not part of the normal rule order for the chain. Do iptables -L INPUT, you'll see that the policy is listed at the top, not in the normal sequence of rules. Any chain can only have 1 policy so once you change it, it over-rides the earlier setting. -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
gabriel wrote: On September 1, 2003 01:23 pm, Andrew Gaffney wrote: Based on replies on this list and another, I have come up with the following iptables rules that work for me: echo 1 > /proc/sys/net/ipv4/ip_forward iptables -P INPUT ACCEPT iptables -F INPUT iptables -P OUTPUT ACCEPT iptables -F OUTPUT iptables -P FORWARD ACCEPT iptables -F FORWARD iptables -t nat -F iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -P INPUT DROP NO! that will pretty much negate the use of a firewall alltogether! where are you droping/rejecting packets? basically your script says this: accept everything incoming accept everything outgoing accept everything forwarding forward all traffic from ppp0 to eth0 nat your internal lan to eth0 accept all established or related packets accept all incoming packets from the internal lan accept all incoming connections from any ip, on any interface on ports 22, 25, and 80. drop everything else that's incoming. i can't be sure that you can reset the policy like that, but i can assure you that the aboe rules are in now way secure. Here is a little background on my network. ppp0 is NOT an internet connection. It is an incoming dial-up connection used only by ME. I trust myself :) As for the actual internet connection, I have a router with an IP of 192.168.254.1 hooked to a T1 set to forward all incoming traffic to this particular box. This box only acts as a router for my own PPP connection. All boxes in the LAN use the router. 
So, what I am doing, if I understand iptables half as well as I think I do, is forwarding all traffic from my INTERNAL ppp0 interface out to the LAN/internet, allowing any box inside the LAN to connect to this box on any port, only allowing connections from outside the LAN to be made to ports 22, 25, and 80, and allowing in any traffic from outside the LAN that is part of an already established connection. Am I correct? -- Andrew Gaffney -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
On September 1, 2003 01:23 pm, Andrew Gaffney wrote:
> Based on replies on this list and another, I have come up with the
> following iptables rules that work for me:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -P INPUT ACCEPT
> iptables -F INPUT
> iptables -P OUTPUT ACCEPT
> iptables -F OUTPUT
> iptables -P FORWARD ACCEPT
> iptables -F FORWARD
> iptables -t nat -F
> iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -P INPUT DROP

NO! that will pretty much negate the use of a firewall altogether! where are you dropping/rejecting packets? basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, and 80.
drop everything else that's incoming.

i can't be sure that you can reset the policy like that, but i can assure you that the above rules are in no way secure.

--
in the past we had little to do with other races. evolution teaches us that we must fight that which is different in order secure land, food, and mates for ourselves, but we must reach a point when the nobility of intellect asserts itself and says: no. we need not be afraid of those we are different, we can embrace that difference and learn from it.
- g'kar, babylon 5 "the ragged edge"

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
Patrick Marquetecken wrote: should this not be the second line line ? first the echo 1 > /proc/sys/net/ipv4/ip_forward then all the drop statements and then the allow rules ? I will probably move the DROP policy line back towards the top. I did it this way so I could be sure I didn't lock myself out before I could ALLOW myself back in. -- Andrew Gaffney -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
should this not be the second line? first the echo 1 > /proc/sys/net/ipv4/ip_forward then all the drop statements and then the allow rules?

Patrick

On Mon, 01 Sep 2003 12:23:38 -0500 Andrew Gaffney <[EMAIL PROTECTED]> wrote:
> iptables -P INPUT DROP

--
"Do you know what a Vulcan mind meld is?" -- Tuvok
"It's that thing where you grab someone's head..." -- Crewman Suiter (Meld)
PGP Key: http://users.pandora.be/rivendell/marquetp.gpg
Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B
ICQ# 316932703
Registered Linux User #44550 http://counter.li.org
Re: [gentoo-user] iptables help
Based on replies on this list and another, I have come up with the following iptables rules that work for me:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP

-- Andrew Gaffney
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
On Fri, 29 Aug 2003 20:52:42 +0200 Peter Eis <[EMAIL PROTECTED]> wrote:
> Why hazzle with iptables?
> I'd rather recommend using shorewall (emerge shorewall). It's much
> easier to configure and has as lot features you'll probably want.
>
> Peter
>
> Andrew Gaffney wrote:
>
> > I'm trying to create a firewall using iptables. [ rest snipped ]

Thanks for the tip, Peter. I'm now up and running shorewall on 2.6.test3. For anyone else interested:

1. You need to emerge iproute-20010824-r4 (masked) to use shorewall on 2.6.
2. You need 99% of the items under networking enabled in your kernel to use shorewall. After about 5 attempts, I got enough stuff enabled to run shorewall. This is what I have; you may prefer modules.

CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK_DEV=y
CONFIG_UNIX=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_XFRM_USER=y

Enjoy.

-- Collins Richey - Denver Area
if you fill your heart with regrets of yesterday and the worries of tomorrow, you have no today to be thankful for.

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
On Fri, 29 Aug 2003 10:47:59 -0500 Andrew Gaffney <[EMAIL PROTECTED]> wrote:
> I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p all -j DROP
>
> -or-
>
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> Would either of these get me the desired results?
>
> -- Andrew Gaffney

IMHO, the second version will work as you wish. BUT that's only IMHO! Why? Because you first deny everything, and then you 'relax' the DENY rule. In the first, the last command (DROP all) overwrites what you said in the 4 previous lines.

-- Piotr Piasny (p1t3r05) piteros1[at]_SPAM_wp.pl p1t3r05[at]_SPAM_o2.pl LRU #217108 MR #102136 Gentoo
Re: [gentoo-user] iptables help
Your best bet for rules for this would be rules like:

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT

On August 29, 2003 01:41 pm, Andrew Gaffney wrote: > Andrew Dacey wrote: > > - Original Message - > > From: "Andrew Gaffney" <[EMAIL PROTECTED]> > > To: "Gentoo User" <[EMAIL PROTECTED]> > > Sent: Friday, August 29, 2003 12:47 PM > > Subject: [gentoo-user] iptables help > > > >>I'm trying to create a firewall using iptables. I want it to drop > >>incoming packets except to ports 22, 25, and 80 unless the source > >>address is 192.168.254.x. I'm asking before I do this because I'm > >>accessing the computer remotely right now and I don't want to cut myself > >>off from it. I'm thinking something like: > >> > >>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > >>iptables -A INPUT -p tcp --dport 22 -j ACCEPT > >>iptables -A INPUT -p tcp --dport 25 -j ACCEPT > >>iptables -A INPUT -p tcp --dport 80 -j ACCEPT > >>iptables -A INPUT -p all -j DROP > >> > >>-or- > >> > >>iptables -P INPUT DROP > >>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > >>iptables -A INPUT -p tcp --dport 22 -j ACCEPT > >>iptables -A INPUT -p tcp --dport 25 -j ACCEPT > >>iptables -A INPUT -p tcp --dport 80 -j ACCEPT > >> > >>Would either of these get me the desired results? > > > > I'd be tempted to add a line of > > > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > > > > That way any traffic you initiate from that box will be able to get back > > in. 
> > > > As someone else mentioned, I'd use the option of setting the INPUT policy > > to DROP but make sure to set that AFTER you've setup the other rules. > > So, it should be: > > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > iptables -A INPUT -p tcp --dport 22 -j ACCEPT > iptables -A INPUT -p tcp --dport 25 -j ACCEPT > iptables -A INPUT -p tcp --dport 80 -j ACCEPT > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > iptables -P INPUT DROP > > Correct? -- Stephen Clowater Real software engineers don't like the idea of some inexplicable and greasy hardware several aisles away that may stop working at any moment. They have a great distrust of hardware people, and wish that systems could be virtual at *___all* levels. They would like personal computers (you know no one's going to trip over something and kill your DFA in mid-transit), except that they need 8 megabytes to run their Correctness Verification Aid packages. The (revised) 3 case c++ function to determine the meaning of life : #include FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\ ))?(is_arts_student())? "grep -i 'meaning of life' /dev/null": "grep \ - -i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\ '* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\ ()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\ if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; }
Re: [gentoo-user] iptables help
On Friday 29 August 2003 20:12, Andrew Gaffney wrote: > Rudmer van Dijk wrote: > > On Friday 29 August 2003 19:21, Andrew Gaffney wrote: > >>Andrew Gaffney wrote: > >>>iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > >>>iptables -A INPUT -p tcp --dport 22 -j ACCEPT > >>>iptables -A INPUT -p tcp --dport 25 -j ACCEPT > >>>iptables -A INPUT -p tcp --dport 80 -j ACCEPT > >>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > >>>iptables -P INPUT DROP > >>> > >>>Correct? > >> > >>Something I forgot to mention is that there is a 2nd interface: ppp0. I > >>have a ppp dial-in server set up for my use. I have a few iptables rules > >>set up to NAT stuff from ppp0 out through eth0. Will the above rules > >>interfere with that? > > > > not really, but do you want to block local machines? if you only want to > > block outside connections then you can use something like the following. > > > > Rudmer > > > > --- > > > > # allow forwarding > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT > >iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT > >iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > >iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT > > > > # masquerade local -> internet connections > >iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE > > > > # maximize ssh response > >iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos > > Minimize-Delay > > > > # accept ssh, web and mail connections > >iptables -A INPUT -p tcp --dport ssh -j ACCEPT > >iptables -A INPUT -p tcp --dport http -j ACCEPT > >iptables -A INPUT -p tcp --dport smtp -j ACCEPT > > > > # set policy for chains > >iptables -P INPUT DROP > >iptables -P OUTPUT ACCEPT > >iptables -P FORWARD DROP > > > > # enable and masquerade forwarded packages > > echo 1 > /proc/sys/net/ipv4/ip_forward > > # disable ExplicitCongestionNotification > > echo 0 > /proc/sys/net/ipv4/tcp_ecn > > You misunderstand. 
With your example, I believe you have ppp0 as the > external connection and eth0 acting as the internal connection to the > LAN. ppp0 is not the internet connection. eth0 is connected to a router > that is connected to a T1. I want to allow all traffic to and from ppp0 > and masquerade anything from ppp0 out to the LAN/internet through eth0. > I want anything incoming connections into eth0 with a source address of > 192.168.254.0/24 to be allow through. Anything other incoming > connections into eth0 (from the internet) I want to be blocked unless it > is for port 22, 25, or 80.

ok, when you see ppp0 mentioned it normally means the outgoing connection... the solution is simple: change ppp0 to eth0 and insert at the 5th (or 6th) place this

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT

then it should work.

Rudmer

PS. if you want to do a thorough cleaning of your tables before you try a new set of rules, try this:

iptables -Z
iptables -F
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -X
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Re: [gentoo-user] iptables help
On Fri, Aug 29, 2003 at 08:52:42PM +0200, Peter Eis wrote: > Why hassle with iptables? > I'd rather recommend using shorewall (emerge shorewall). It's much > easier to configure and has a lot of features you'll probably want.

I'll second that. Shorewall works at a higher level of abstraction - letting you design network zones and policies - rather than dealing with the details of constructing iptables commands. It's very flexible and, after a short learning curve, very powerful and easy to use.

Nathan Meyers [EMAIL PROTECTED]

> > Peter > > Andrew Gaffney wrote: > > >I'm trying to create a firewall using iptables. I want it to drop > >incoming packets except to ports 22, 25, and 80 unless the source > >address is 192.168.254.x. I'm asking before I do this because I'm > >accessing the computer remotely right now and I don't want to cut > >myself off from it. I'm thinking something like: > > > >iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > >iptables -A INPUT -p tcp --dport 22 -j ACCEPT > >iptables -A INPUT -p tcp --dport 25 -j ACCEPT > >iptables -A INPUT -p tcp --dport 80 -j ACCEPT > >iptables -A INPUT -p all -j DROP > > > >-or- > > > >iptables -P INPUT DROP > >iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > >iptables -A INPUT -p tcp --dport 22 -j ACCEPT > >iptables -A INPUT -p tcp --dport 25 -j ACCEPT > >iptables -A INPUT -p tcp --dport 80 -j ACCEPT > > > >Would either of these get me the desired results?
Re: [gentoo-user] iptables help
Why hassle with iptables? I'd rather recommend using shorewall (emerge shorewall). It's much easier to configure and has a lot of features you'll probably want.

Peter

Andrew Gaffney wrote: I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?
[gentoo-user] Re: [gentoo-x86] [gentoo-user] iptables help
In all this mess remember to accept packets to "lo" from your box as well as possibly icmp errors

iptables=/sbin/iptables   # path assumed; the rules below expand $iptables

$iptables -A INPUT -i lo -j ACCEPT
#Established related will take care of the return packets
$iptables -A INPUT -p ICMP --icmp-type 0 -j ACCEPT
echo "Accepting ECHO REPLIES"
$iptables -A INPUT -p ICMP --icmp-type 3 -j ACCEPT
echo "Accepting DESTINATION UNREACHABLE"
$iptables -A INPUT -p ICMP --icmp-type 5 -j ACCEPT
echo "Accepting REDIRECTS"
#maybe
#$iptables -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
#echo "Accepting ECHO"
$iptables -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
echo "Accepting TIME EXCEEDED"

And, if you're doing this remotely, copy this to a file, make it executable and set cron to run it every hour or so while you're working out the bugs ...so if you do lock yourself out the system will open itself back up without you having to go anywhere.

#!/bin/sh
# Flush and Reset IPTABLES to default values
iptables=/sbin/iptables   # path assumed
for f in filter nat mangle
do
    $iptables -t $f -F
    $iptables -t $f -X
done
# Reset default policy
# filter table
for r in INPUT FORWARD OUTPUT
do
    $iptables -t filter -P $r ACCEPT
done

my $0.02

-alex
Re: [gentoo-user] iptables help
On Fri, 2003-08-29 at 11:47, Andrew Gaffney wrote: > I'm trying to create a firewall using iptables. I want it to drop > incoming packets except to ports 22, 25, and 80 unless the source > address is 192.168.254.x. I'm asking before I do this because I'm > accessing the computer remotely right now and I don't want to cut myself > off from it. I'm thinking something like: > > > > Would either of these get me the desired results?

i'm thinkin' you want:

# policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# accept established connections to save having to go through all of those rules.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# dns, repeat for each address
# (<host-ip> and <dns-server> are placeholders lost in the archive: this box's address and each resolver)
iptables -A OUTPUT -o eth0 -p udp -s <host-ip> --sport 1024:65535 -d <dns-server> --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s <host-ip> --sport 1024:65535 -d <dns-server> --dport 53 -m state --state NEW -j ACCEPT

# outgoing traffic
iptables -A OUTPUT -o eth0 -p tcp -s <host-ip> --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s <host-ip> --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s <host-ip> --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT

# incoming connections
iptables -A INPUT -i eth0 -p tcp -s 192.168.254.0/24 --sport 1024:65535 -d <host-ip> --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.254.0/24 --sport 1024:65535 -d <host-ip> --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.254.0/24 --sport 1024:65535 -d <host-ip> --dport 80 -m state --state NEW -j ACCEPT

note the following: (a) the chain policy (-P) should always be put at the top. (b) the output DROP policy is generally regarded as a little too restrictive, but i like it that way... you may want to use them or not. (c) this script doesn't do everything, ie. it doesn't disable forwarding and check for martians etc. 
i would suggest you buy a book and get the low-down on iptables to fully understand everything about it. (d) connection tracking must be available to iptables. so you should either load the module (ip_conntrack), or compile it directly into your kernel. -- this is your life and it's ending one minute at a time. - tyler Durden, "fight club" -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
Rudmer van Dijk wrote: On Friday 29 August 2003 19:21, Andrew Gaffney wrote: Andrew Gaffney wrote: iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -P INPUT DROP Correct? Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that? not really, but do you want to block local machines? if you only want to block outside connections then you can use something like the following. Rudmer --- # allow forwarding iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT # masquerade local -> internet connections iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE # maximize ssh response iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay # accept ssh, web and mail connections iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport http -j ACCEPT iptables -A INPUT -p tcp --dport smtp -j ACCEPT # set policy for chains iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP # enable and masquerade forwarded packages echo 1 > /proc/sys/net/ipv4/ip_forward # disable ExplicitCongestionNotification echo 0 > /proc/sys/net/ipv4/tcp_ecn You misunderstand. With your example, I believe you have ppp0 as the external connection and eth0 acting as the internal connection to the LAN. ppp0 is not the internet connection. eth0 is connected to a router that is connected to a T1. 
I want to allow all traffic to and from ppp0 and masquerade anything from ppp0 out to the LAN/internet through eth0. I want anything incoming connections into eth0 with a source address of 192.168.254.0/24 to be allow through. Anything other incoming connections into eth0 (from the internet) I want to be blocked unless it is for port 22, 25, or 80. -- Andrew Gaffney -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
On Friday 29 August 2003 19:21, Andrew Gaffney wrote: > Andrew Gaffney wrote: > > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > > iptables -A INPUT -p tcp --dport 22 -j ACCEPT > > iptables -A INPUT -p tcp --dport 25 -j ACCEPT > > iptables -A INPUT -p tcp --dport 80 -j ACCEPT > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > > iptables -P INPUT DROP > > > > Correct? > > Something I forgot to mention is that there is a 2nd interface: ppp0. I > have a ppp dial-in server set up for my use. I have a few iptables rules > set up to NAT stuff from ppp0 out through eth0. Will the above rules > interfere with that?

not really, but do you want to block local machines? if you only want to block outside connections then you can use something like the following.

Rudmer

---

# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

# masquerade local -> internet connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# maximize ssh response
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay

# accept ssh, web and mail connections
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT

# set policy for chains
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# enable forwarding of (masqueraded) packets
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
Re: [gentoo-user] iptables help
On Friday 29 August 2003 18:41, Andrew Gaffney wrote: > Andrew Dacey wrote: > > - Original Message - > >>I'm trying to create a firewall using iptables. I want it to drop > >>incoming packets except to ports 22, 25, and 80 unless the source > >>address is 192.168.254.x. I'm asking before I do this because I'm > >>accessing the computer remotely right now and I don't want to cut myself > >>off from it. I'm thinking something like: > >> > So, it should be: > > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > iptables -A INPUT -p tcp --dport 22 -j ACCEPT > iptables -A INPUT -p tcp --dport 25 -j ACCEPT > iptables -A INPUT -p tcp --dport 80 -j ACCEPT > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > iptables -P INPUT DROP > > Correct? yes, and if you use ssh to connect to that box you can try the following: iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay I use that for my outgoing connection, but don't really know if it really helps... Rudmer -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
Andrew Gaffney wrote: Andrew Dacey wrote: - Original Message - From: "Andrew Gaffney" <[EMAIL PROTECTED]> To: "Gentoo User" <[EMAIL PROTECTED]> Sent: Friday, August 29, 2003 12:47 PM Subject: [gentoo-user] iptables help I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like: iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p all -j DROP -or- iptables -P INPUT DROP iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT Would either of these get me the desired results? I'd be tempted to add a line of iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT That way any traffic you initiate from that box will be able to get back in. As someone else mentioned, I'd use the option of setting the INPUT policy to DROP but make sure to set that AFTER you've setup the other rules. So, it should be: iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -P INPUT DROP Correct? Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that? -- Andrew Gaffney -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
Andrew Dacey wrote: - Original Message - From: "Andrew Gaffney" <[EMAIL PROTECTED]> To: "Gentoo User" <[EMAIL PROTECTED]> Sent: Friday, August 29, 2003 12:47 PM Subject: [gentoo-user] iptables help I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like: iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p all -j DROP -or- iptables -P INPUT DROP iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT Would either of these get me the desired results? I'd be tempted to add a line of iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT That way any traffic you initiate from that box will be able to get back in. As someone else mentioned, I'd use the option of setting the INPUT policy to DROP but make sure to set that AFTER you've setup the other rules. So, it should be: iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -P INPUT DROP Correct? -- Andrew Gaffney -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
- Original Message - From: "Andrew Gaffney" <[EMAIL PROTECTED]> To: "Gentoo User" <[EMAIL PROTECTED]> Sent: Friday, August 29, 2003 12:47 PM Subject: [gentoo-user] iptables help > I'm trying to create a firewall using iptables. I want it to drop > incoming packets except to ports 22, 25, and 80 unless the source > address is 192.168.254.x. I'm asking before I do this because I'm > accessing the computer remotely right now and I don't want to cut myself > off from it. I'm thinking something like: > > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > iptables -A INPUT -p tcp --dport 22 -j ACCEPT > iptables -A INPUT -p tcp --dport 25 -j ACCEPT > iptables -A INPUT -p tcp --dport 80 -j ACCEPT > iptables -A INPUT -p all -j DROP > > -or- > > iptables -P INPUT DROP > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > iptables -A INPUT -p tcp --dport 22 -j ACCEPT > iptables -A INPUT -p tcp --dport 25 -j ACCEPT > iptables -A INPUT -p tcp --dport 80 -j ACCEPT > > Would either of these get me the desired results? I'd be tempted to add a line of iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT That way any traffic you initiate from that box will be able to get back in. As someone else mentioned, I'd use the option of setting the INPUT policy to DROP but make sure to set that AFTER you've setup the other rules. Andrew "frugal" Dacey [EMAIL PROTECTED] http://www.tildefrugal.net/ -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
At 29 August, 2003 Andrew Gaffney wrote: > I'm trying to create a firewall using iptables. I want it to drop > incoming packets except to ports 22, 25, and 80 unless the source > address is 192.168.254.x. I'm asking before I do this because I'm > accessing the computer remotely right now and I don't want to cut myself > off from it. I'd suggest using the projectfiles.com rc.firewall script. Works For Me, and it can do some rather neat NAT sorts of things, too. I don't know how well it'll work under Gentoo as a startup script, but you can always just run it manually. http://projectfiles.com/firewall/ -- Andrew Farmer [EMAIL PROTECTED] pgp0.pgp Description: PGP signature
Re: [gentoo-user] iptables help
So I should do: iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -P INPUT DROP The first line would accept anything from any IP in the 192.168.254.0 netblock, lines 2-5 anything on port 22, 25, or 80, and the last, set it to drop everything else? Jason Martin wrote: I'd suggest the second option, but be sure to change the policy to DROP _after_ you've set up rules to allow you access. -Jason Martin On Fri, 29 Aug 2003, Andrew Gaffney wrote: I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like: iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p all -j DROP -or- iptables -P INPUT DROP iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT Would either of these get me the desired results? -- [EMAIL PROTECTED] mailing list -- Andrew Gaffney -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables help
I'd suggest the second option, but be sure to change the policy to DROP _after_ you've set up rules to allow you access.

-Jason Martin

On Fri, 29 Aug 2003, Andrew Gaffney wrote: > I'm trying to create a firewall using iptables. I want it to drop > incoming packets except to ports 22, 25, and 80 unless the source > address is 192.168.254.x. I'm asking before I do this because I'm > accessing the computer remotely right now and I don't want to cut myself > off from it. I'm thinking something like: > > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > iptables -A INPUT -p tcp --dport 22 -j ACCEPT > iptables -A INPUT -p tcp --dport 25 -j ACCEPT > iptables -A INPUT -p tcp --dport 80 -j ACCEPT > iptables -A INPUT -p all -j DROP > > -or- > > iptables -P INPUT DROP > iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT > iptables -A INPUT -p tcp --dport 22 -j ACCEPT > iptables -A INPUT -p tcp --dport 25 -j ACCEPT > iptables -A INPUT -p tcp --dport 80 -j ACCEPT > > Would either of these get me the desired results?
[gentoo-user] iptables help
I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like: iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p all -j DROP -or- iptables -P INPUT DROP iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT Would either of these get me the desired results? -- Andrew Gaffney -- [EMAIL PROTECTED] mailing list
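Added example, not code from any message in this thread: a lockout-safe way to load the ruleset the replies converged on. It flushes the filter table, adds the accept rules first (loopback, conntrack state, the LAN, the three service ports) and sets the INPUT policy to DROP only as the very last step, so an open remote ssh session survives the change. It also arms a watchdog that reopens the firewall after a grace period unless you confirm you still have access, which is the hourly cron reset from Alex's post turned into a one-shot timer. The LAN prefix 192.168.254.0/24 and ports 22, 25 and 80 are from the thread; the rule order, the INVALID drop, the ICMP error rules and the 120 second grace period are this example's own choices, and the script assumes iptables is on PATH. Setting IPT=echo prints the generated commands instead of loading them, which is also how the example can be checked without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Loads the discussed ruleset in a
# lockout-safe order and arms a watchdog that reopens the firewall unless the
# admin confirms access. Assumptions (this example's, not the thread's):
# LAN is 192.168.254.0/24, services are tcp/22,25,80, iptables is on PATH.
# IPT=echo previews the commands instead of touching the kernel.

IPT="${IPT:-iptables}"
LAN="192.168.254.0/24"
PORTS="22 25 80"
GRACE="${GRACE:-120}"          # seconds until the watchdog reopens the box

# Open the filter table completely: ACCEPT policies, then flush and delete
# chains. Same idea as the cron reset script earlier in the thread.
reset_firewall() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
    "$IPT" -X
}

# Accept rules first, restrictive policy last. With a remote ssh session open,
# the ESTABLISHED,RELATED rule is in place before the DROP policy lands, so the
# session's packets never hit the default policy.
apply_rules() {
    reset_firewall
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -s "$LAN" -j ACCEPT
    for p in $PORTS; do
        "$IPT" -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # ICMP errors needed for path MTU discovery and traceroute replies
    "$IPT" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    "$IPT" -P INPUT DROP
}

# Arm a timer that reopens the firewall after GRACE seconds and print its PID.
# stdout/stderr are detached so a caller using $(start_watchdog) is not blocked
# by the background job holding the pipe open.
start_watchdog() {
    ( sleep "$GRACE" && reset_firewall ) >/dev/null 2>&1 &
    echo "$!"
}

# Killing the timer subshell means reset_firewall never runs.
confirm_rules() {
    kill "$1" 2>/dev/null
}

case "${1:-}" in
    apply)
        pid=$(start_watchdog)
        apply_rules
        echo "rules loaded; run '$0 confirm $pid' within ${GRACE}s or they are reverted"
        ;;
    confirm) confirm_rules "${2:-}" ;;
    reset)   reset_firewall ;;
esac
```

Usage: `./fw.sh apply` from the remote session, open a second ssh connection to prove the new rules admit you, then `./fw.sh confirm <pid>` with the PID it printed. If the second login fails, do nothing: when the grace period expires the watchdog runs reset_firewall and the box is open again. `IPT=echo ./fw.sh apply` shows the exact command order without loading anything.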
RE: [gentoo-user] iptables 1.2.8 problem
sounds to me like you got two versions of iptables running.. `which iptables` to find it. Hopefully it's something you did and not a rootkit... -Original Message- From: downtime null [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 1:39 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [gentoo-user] iptables 1.2.8 problem i emerged iptables again ('emerge -p iptabes' showed that it wasn't installed), mv the new init script over and restarted it. i'm still getting the same error. then, on kind of a fluke, i added the path to the executable on the command line, and it accepts the command. go figure. > I read this warning was a result of some patches placed on the 2.4.20-r6 > kernel(saw this when I emerged the -r6 kernel), and the solution was to > re-emerge iptables. > > Fred Clausen
Re: [gentoo-user] iptables 1.2.8 problem
i emerged iptables again ('emerge -p iptabes' showed that it wasn't installed), mv the new init script over and restarted it. i'm still getting the same error. then, on kind of a fluke, i added the path to the executable on the command line, and it accepts the command. go figure. > I read this warning was a result of some patches placed on the 2.4.20-r6 > kernel(saw this when I emerged the -r6 kernel), and the solution was to > re-emerge iptables. > > Fred Clausen
Re: [gentoo-user] iptables 1.2.8 problem
downtime null wrote:
> apparently iptables was upgraded in my last 'emerge -u world' or something. anyway, something has changed and a command that used to work doesn't now. the command was :
>
> # iptables -t nat -A POSTROUTING -j SNAT -o eth0 --to 10.1.0.27
>
> now it says "iptables: Invalid argument"
>
> so i discovered that '--to' is no longer valid (it's not in the man page if it is). when i remove '--to 10.1.0.27' iptables says "iptables v1.2.8: You must specify --to-source". i modified the command to be :
>
> # iptables -vv -t nat -A POSTROUTING -j SNAT -o eth0 --to-source 10.1.0.27
>
> i don't know what i'm doing wrong, but iptables replies with :
>
> SNAT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 to:10.1.0.27
> libiptc v1.2.8. 5 entries, 784 bytes.
> Table `nat'
> Hooks: pre/in/fwd/out/post = 0/0/0/460/148
> Underflows: pre/in/fwd/out/post = 0/0/0/460/312
> Entry 0 (0):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/to `'/
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 2735 packets, 356607 bytes
> Cache:
> Target name: `' [36]
> verdict=NF_ACCEPT
> Entry 1 (148):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/to `eth0'/X...
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 0 packets, 0 bytes
> Cache: 4008 UNKNOWN IP_IF_OUT
> Target name: `SNAT' [52]
> Entry 2 (312):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/to `'/
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 5650 packets, 364518 bytes
> Cache:
> Target name: `' [36]
> verdict=NF_ACCEPT
> Entry 3 (460):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/to `'/
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 5646 packets, 364237 bytes
> Cache:
> Target name: `' [36]
> verdict=NF_ACCEPT
> Entry 4 (608):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/to `'/
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 0 packets, 0 bytes
> Cache:
> Target name: `ERROR' [64]
> error=`ERROR'
> iptables: Invalid argument

I read this warning was a result of some patches placed on the 2.4.20-r6 kernel (saw this when I emerged the -r6 kernel), and the solution was to re-emerge iptables.

Fred Clausen

-- [EMAIL PROTECTED] mailing list
[gentoo-user] iptables 1.2.8 problem
apparently iptables was upgraded in my last 'emerge -u world' or something. anyway, something has changed and a command that used to work doesn't now. the command was :

# iptables -t nat -A POSTROUTING -j SNAT -o eth0 --to 10.1.0.27

now it says "iptables: Invalid argument"

so i discovered that '--to' is no longer valid (it's not in the man page if it is). when i remove '--to 10.1.0.27' iptables says "iptables v1.2.8: You must specify --to-source". i modified the command to be :

# iptables -vv -t nat -A POSTROUTING -j SNAT -o eth0 --to-source 10.1.0.27

i don't know what i'm doing wrong, but iptables replies with :

SNAT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0 to:10.1.0.27
libiptc v1.2.8. 5 entries, 784 bytes.
Table `nat'
Hooks: pre/in/fwd/out/post = 0/0/0/460/148
Underflows: pre/in/fwd/out/post = 0/0/0/460/312
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 2735 packets, 356607 bytes
Cache:
Target name: `' [36]
verdict=NF_ACCEPT
Entry 1 (148):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `eth0'/X...
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 4008 UNKNOWN IP_IF_OUT
Target name: `SNAT' [52]
Entry 2 (312):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 5650 packets, 364518 bytes
Cache:
Target name: `' [36]
verdict=NF_ACCEPT
Entry 3 (460):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 5646 packets, 364237 bytes
Cache:
Target name: `' [36]
verdict=NF_ACCEPT
Entry 4 (608):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache:
Target name: `ERROR' [64]
error=`ERROR'
iptables: Invalid argument

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables and nmap results
begin quote On Tue, 05 Aug 2003 14:55:31 -0500 "Mike Bellemare" <[EMAIL PROTECTED]> wrote:

> hi
> I've built myself a firewall with iptables.
> it's working great and all, except that using nmap to check how to see
> if i could see some difference on the OS detection option, and it's
> doing none.
>
> Remote operating system guess: Linux kernel 2.4.18 - 2.4.20 (X86)
> as i read somewhere on the internet, it's more secure if you're hiding
> the OS running on the web server. Does anyone know how to block my
> server from delivering such information?

Nope, there is no such unless you do

iptables -t nat -A PREROUTING -i outside_interface -m state --state ESTABLISHED --jump ACCEPT
iptables -t nat -A PREROUTING -i outside_interface -m state --state RELATED --jump ACCEPT
iptables -t nat -A PREROUTING -i outside_interface --jump DROP

Which should drop most things, even empty SYN or RST packets. (prerouting is done before anything, even INPUT.)

//Spider

> i'd like to know too if there's a way to make iptables log
> unsuccessful and successful connections on my IP address.
>
> another thing...does anyone have some programs or ways to check if my
> server is secure (on the connection side).
>
> thanks
>
> M.B

-- begin .signature This is a .signature virus! Please copy me into your .signature! See Microsoft KB Article Q265230 for more information. end
[gentoo-user] iptables and nmap results
hi

I've built myself a firewall with iptables. it's working great and all, except that using nmap to check how to see if i could see some difference on the OS detection option, and it's doing none.

Remote operating system guess: Linux kernel 2.4.18 - 2.4.20 (X86)

as i read somewhere on the internet, it's more secure if you're hiding the OS running on the web server. Does anyone know how to block my server from delivering such information?

i'd like to know too if there's a way to make iptables log unsuccessful and successful connections on my IP address.

another thing...does anyone have some programs or ways to check if my server is secure (on the connection side).

thanks

M.B

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables trouble
Hi list!

Sebastian Bergmann wrote:
> iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Any idea what's wrong?

I had the same problem! When I played around a bit with my kernel settings, suddenly it worked. So, I say: check your kernel settings, perhaps switch the one or the other option and try, try, try...

Ciao
Stephan
Re: [gentoo-user] iptables trouble
I had the same problem. Did you emerge iptables?

Sebastian Bergmann wrote:
> I'm using the Linux 2.4.20-gentoo-r5 kernel and iptables 1.2.8-r1.
>
> When I use "iptables -L" I get
>
> bash-2.05b# iptables -L
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o failed
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
> iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Any idea what's wrong?

--
P r a b h a t   G u p t a   /\/\*
Senior Software Engineer
Alternative System Concepts, Inc.   www.ascinc.com
22 Haverhill Road, Windham, NH 03087
Phone: (603) 437-2234 (o)

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables trouble
On Monday 14 July 2003 16:29, Sebastian Bergmann wrote:
> I'm using the Linux 2.4.20-gentoo-r5 kernel and iptables 1.2.8-r1.
>
> When I use "iptables -L" I get
>
> bash-2.05b# iptables -L
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
> unresolved symbol nf_unregister_sockopt
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
> unresolved symbol nf_register_sockopt
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
> insmod /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o
> failed
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
> insmod ip_tables failed
> iptables v1.2.8: can't initialize iptables table `filter': iptables who?
> (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Any idea what's wrong?

Have you emerged iptables since last time you recompiled your kernel? If not, try that. Also double-check your kernel config to make sure it's correct. If all else fails, save your .config, make mrproper, rm -rf /lib/modules/thatkernel, and rebuild. Take the last suggestion with a grain of salt, as it's somewhat of a blackbox solution.

-- [EMAIL PROTECTED] mailing list
[gentoo-user] iptables trouble
I'm using the Linux 2.4.20-gentoo-r5 kernel and iptables 1.2.8-r1.

When I use "iptables -L" I get

bash-2.05b# iptables -L
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Any idea what's wrong?

--
Sebastian Bergmann
http://sebastian-bergmann.de/
http://phpOpenTracker.de/
The book on PHP 5: http://professionelle-softwareentwicklung-mit-php5.de/

-- [EMAIL PROTECTED] mailing list
RE: [gentoo-user] iptables and ftp connection
> i'm having trouble to get ftp working with my iptable settings. > I can connect login , but can't see files, then my > connection is beeing closed. if i stop iptables then > everything workfine. See: http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html Gwen. -- [EMAIL PROTECTED] mailing list
[gentoo-user] iptables and ftp connection
Hi,

i'm having trouble getting ftp working with my iptables settings. I can connect and log in, but can't see files, then my connection is being closed. if i stop iptables then everything works fine.

Must i use other settings than below?

INPUT drops all
iptables -A INPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --sport 21 --dport 1024:65535 -j ACCEPT

TIA
Patrick

--
"Live long and prosper, Spock." -- T'Pau
"I shall do neither. I have killed my captain, and my friend." -- Spock
PGP Key: http://users.pandora.be/rivendell/marquetp.gpg
Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B
ICQ# 316932703
Registered Linux User #44550 http://counter.li.org
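An added example for two of the questions above, not code from either thread: Mike's wish to drop what nmap probes and to log connection attempts, and Patrick's FTP session that logs in but cannot list files. Both come from the same cause, a ruleset that accepts by static port rather than by connection state. Patrick's two rules cover active-mode data (server port 20 to a client high port), but most clients use passive mode, where the client opens a connection to a server port above 1023 and the replies match neither rule. The script below defines a stateful INPUT policy for one host. Its setting is hypothetical: eth0 faces the net, only SSH and HTTP (SERVICES="22 80") accept new connections, and the log prefix IPT-DROP is an arbitrary choice. It loads the ip_conntrack_ftp helper, so the data connection of a passive session is tracked as RELATED and accepted by the state rule, and it logs what is about to be dropped through the LOG target behind a limit match, so a port scan cannot fill the log. Two caveats when comparing this with Spider's rules: the state match is selected with -m state --state (there is no module called match), and the nat table's PREROUTING chain only ever sees the first packet of each connection, so per-packet policy belongs in the filter table's INPUT chain. Dropping unsolicited probes reduces what nmap has to work with, but the replies your open ports send still come from the same TCP/IP stack, so no ruleset hides the OS completely. "show" (or DRY_RUN=1) prints the commands instead of running them; "apply" loads them and needs root.

```shell
#!/bin/sh
# Added example, not from either thread: a stateful iptables firewall for a
# single host.  Hypothetical setup: eth0 faces the net and only SSH and HTTP
# are offered.  Usage: "apply" loads the rules (needs root), "show" prints
# them; DRY_RUN=1 has the same effect as "show".

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}
SERVICES="${SERVICES:-22 80}"     # TCP ports that may accept NEW connections

# ipt: run one iptables command, or print it under DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# load_helpers: the FTP helper must be in the kernel before FTP traffic
# flows, or the data connection of a passive-mode session (client to a
# server port above 1023) is never marked RELATED.  modprobe fails, and
# may safely fail, when the helper is compiled in (CONFIG_IP_NF_FTP=y).
load_helpers() {
    modprobe ip_conntrack_ftp 2>/dev/null || true
}

# host_rules: the ruleset, in order.  Connection state is checked before
# any port, so replies to outgoing connections and helper-expected data
# connections are accepted without a static --sport 20/21 hole.
host_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    for port in $SERVICES; do
        ipt -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Everything else is logged, then falls through to the DROP policy.
    # The limit match keeps a port scan from filling the log; LOG itself
    # never terminates rule traversal.
    ipt -A INPUT -i "$WAN" -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: "
}

# count_state_rules: how many emitted rules depend on the conntrack state
# match; a quick self-check that the ruleset is stateful at all.
count_state_rules() {
    ( DRY_RUN=1; host_rules ) | grep -c -- '--state'
}

case "${1:-}" in
    apply) load_helpers; host_rules ;;
    show)  DRY_RUN=1; host_rules ;;
esac
```

Run it as "sh firewall.sh show" first and read the output; the logged packets appear in the kernel log (dmesg or /var/log/messages on a 2.4 box) with the IPT-DROP prefix, which answers the logging question for rejected attempts. Accepted connections are not logged here on purpose; the server's own logs (sshd, Apache) already record them.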
Re: [gentoo-user] iptables
* Rick Sivernell <[EMAIL PROTECTED]> [28.06.03 22:48]:
> I have a machine that boots up fine except that iptables says that mask 70 is
> invalid and then terminates. What is wrong and how do I configure iptables in cl
> mode.

70 is not a mask, I think it should be 700 or perhaps 770. Search for a config file with 70 in it... could be a typo.

--
printk("Illegal format on cdrom. Pester manufacturer.\n");
2.2.16 /usr/src/linux/fs/isofs/inode.c

-- [EMAIL PROTECTED] mailing list
[gentoo-user] iptables
I have a machine that boots up fine except that iptables says that mask 70 is invalid and then terminates. What is wrong and how do I configure iptables in cl mode.

thanks
cheers

--
Rick Sivernell
Dallas, Texas 75287
972 306-2296
[EMAIL PROTECTED]
Gentoo Linux
Registered Linux User
In Linux we trust!

-- [EMAIL PROTECTED] mailing list
[gentoo-user] IPtables compilation error
I wish to install iptables for the obvious reason of securing my machine. I tried to emerge the package with 'emerge iptables'; the pkg is downloaded and compilation starts, but I then receive the error below. I tried 3 other mirrors, I also did an 'emerge sync', removed the file from /usr/portage/dist and re-ran 'emerge iptables'. I am still presented with the same error, any advice would be greatly appreciated.

Kevin

gcc -march=athlon -Wall -Wunused -I/usr/src/linux/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.8\" -DIPT_LIB_DIR=\"/lib/iptables\" -c -o iptables.o iptables.c
iptables.c:153: redefinition of `ipt_get_target'
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:294: `ipt_get_target' previously defined here
make: *** [iptables.o] Error 1

!!! ERROR: net-firewall/iptables-1.2.8-r1 failed.
!!! Function src_compile, Line 55, Exitcode 2
!!! (no error message)

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables error?
On Sat, 21 Jun 2003, CrPy wrote:
> Hi Jorge,
>
> there is no problem, because you have it in your kernel and not as a module.
> This means that shorewall fails to load it as a module.
>
> You have to do one of these:
> 1. live with the error message.
> 2. configure it as a module (kernel)
> 3. change the shorewall script
>
> I would prefer to make it a module, to have a minimalistic kernel.

Thanks, I think I'll live with the error message, for now! :)

--
Jorge Almeida

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables error?
Hi Jorge,

there is no problem, because you have it in your kernel and not as a module. This means that shorewall fails to load it as a module.

You have to do one of these:
1. live with the error message.
2. configure it as a module (kernel)
3. change the shorewall script

I would prefer to make it a module, to have a minimalistic kernel.

/CrPy

On Saturday, 21 June 2003 11:45, Jorge Almeida wrote:
> On Sat, 21 Jun 2003, CrPy wrote:
> > Hi,
> >
> > ip_conntrack_tftp.o != ip_conntrack_ftp.o
> >
> > You need to activate the module in your kernel config.
> >
> > /CrPy
>
> Well, it seems that it should be there! Maybe some option of uninformative
> name is missing ...
>
> localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter|grep ftp
> ip_conntrack_tftp.o
> ip_nat_ftp.o
> ip_nat_tftp.o
>
> localhost root # cat /usr/src/linux/.config|grep CONN
> CONFIG_IP_NF_CONNTRACK=y
> CONFIG_IP_NF_MATCH_CONNTRACK=m
>
> localhost root # cat /usr/src/linux/.config|grep FTP
> CONFIG_IP_NF_FTP=y
> CONFIG_IP_NF_TFTP=m
> CONFIG_IP_NF_NAT_FTP=m
> CONFIG_IP_NF_NAT_TFTP=m
>
> localhost root # ls -l /usr/src
> total 26844
> (...)
> lrwxr-xr-x    1 root     root           12 Jun 20 21:50 linux -> linux-2.4.21
> (...)

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables error?
On Sat, 21 Jun 2003, CrPy wrote:
> Hi,
>
> ip_conntrack_tftp.o != ip_conntrack_ftp.o
>
> You need to activate the module in your kernel config.
>
> /CrPy

Well, it seems that it should be there! Maybe some option of uninformative name is missing ...

localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter|grep ftp
ip_conntrack_tftp.o
ip_nat_ftp.o
ip_nat_tftp.o

localhost root # cat /usr/src/linux/.config|grep CONN
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_MATCH_CONNTRACK=m

localhost root # cat /usr/src/linux/.config|grep FTP
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m

localhost root # ls -l /usr/src
total 26844
(...)
lrwxr-xr-x    1 root     root           12 Jun 20 21:50 linux -> linux-2.4.21
(...)

--
Jorge Almeida

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables error?
Hi,

ip_conntrack_tftp.o != ip_conntrack_ftp.o

You need to activate the module in your kernel config.

/CrPy

On Saturday, 21 June 2003 02:09, Jorge Almeida wrote:
> On Sat, 21 Jun 2003, Norbert Kamenicky wrote:
> > Jorge Almeida wrote:
> > > unable to load module ip_conntrack_ftp
> > > ip_nat_ftp: error registering helper for port 21
> > >
> > > Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.
> >
> > Let's have a look at /lib/modules/2.4.21/kernel/net/ipv4/netfilter if
> > you have these modules ...
>
> localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter
> arp_tables.o          arptable_filter.o     ip_conntrack_amanda.o ip_conntrack_irc.o    ip_conntrack_tftp.o
> ip_nat_amanda.o       ip_nat_ftp.o          ip_nat_irc.o          ip_nat_snmp_basic.o   ip_nat_tftp.o
> ip_queue.o            ip_tables.o           ipt_DSCP.o            ipt_ECN.o             ipt_LOG.o
> ipt_MARK.o            ipt_MASQUERADE.o      ipt_MIRROR.o          ipt_REDIRECT.o        ipt_REJECT.o
> ipt_TCPMSS.o          ipt_TOS.o             ipt_ULOG.o            ipt_ah.o              ipt_conntrack.o
> ipt_dscp.o            ipt_ecn.o             ipt_esp.o             ipt_helper.o          ipt_length.o
> ipt_limit.o           ipt_mac.o             ipt_mark.o            ipt_multiport.o       ipt_owner.o
> ipt_pkttype.o         ipt_state.o           ipt_tcpmss.o          ipt_tos.o             ipt_ttl.o
> ipt_unclean.o         iptable_filter.o      iptable_mangle.o      iptable_nat.o

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables error?
On Sat, 21 Jun 2003, Norbert Kamenicky wrote:
> Jorge Almeida wrote:
> > unable to load module ip_conntrack_ftp
> > ip_nat_ftp: error registering helper for port 21
> >
> > Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.
>
> Let's have a look at /lib/modules/2.4.21/kernel/net/ipv4/netfilter if
> you have these modules ...

localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter
arp_tables.o          arptable_filter.o     ip_conntrack_amanda.o ip_conntrack_irc.o    ip_conntrack_tftp.o
ip_nat_amanda.o       ip_nat_ftp.o          ip_nat_irc.o          ip_nat_snmp_basic.o   ip_nat_tftp.o
ip_queue.o            ip_tables.o           ipt_DSCP.o            ipt_ECN.o             ipt_LOG.o
ipt_MARK.o            ipt_MASQUERADE.o      ipt_MIRROR.o          ipt_REDIRECT.o        ipt_REJECT.o
ipt_TCPMSS.o          ipt_TOS.o             ipt_ULOG.o            ipt_ah.o              ipt_conntrack.o
ipt_dscp.o            ipt_ecn.o             ipt_esp.o             ipt_helper.o          ipt_length.o
ipt_limit.o           ipt_mac.o             ipt_mark.o            ipt_multiport.o       ipt_owner.o
ipt_pkttype.o         ipt_state.o           ipt_tcpmss.o          ipt_tos.o             ipt_ttl.o
ipt_unclean.o         iptable_filter.o      iptable_mangle.o      iptable_nat.o

--
Jorge Almeida

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables error?
Jorge Almeida wrote: unable to load module ip_conntrack_ftp ip_nat_ftp: error registering helper for port 21 Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla. Let's have look to /lib/modules/2.4.21/kernel/net/ipv4/netfilter if you have these modules ... -- [EMAIL PROTECTED] mailing list
[gentoo-user] iptables error?
I installed iptables+shorewall in a single workstation (cable modem, no local network, no services provided). The config files are the ones provided by the vendor Shoreline (except that I commented out the rule allowing the box to be ping'ed, the purpose of which I can't guess). The thing works (I think), but dmesg outputs, just at the end:

EXT3-fs: mounted filesystem with ordered data mode.
eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 41e1.
ip_tables: (C) 2000-2002 Netfilter core team
unable to load module ip_conntrack_ftp
ip_nat_ftp: error registering helper for port 21

Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.

TIA.

--
Jorge Almeida

-- [EMAIL PROTECTED] mailing list
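An added check for the question in this thread, not taken from the thread or from shorewall: Jorge's .config has CONFIG_IP_NF_FTP=y, so the FTP conntrack helper is compiled into the kernel, there is no ip_conntrack_ftp.o for modprobe to find, and the "unable to load module" line is the harmless failure CrPy describes (the helper is still active; the ip_nat_ftp line is a separate message from the NAT helper module that was loaded). The function below reads a kernel config and a module directory and reports which of four situations applies to a given CONFIG_ symbol and module name, so the same message can be told apart from a genuinely missing or uninstalled module. The default paths, /usr/src/linux/.config and /lib/modules/$(uname -r), are the conventional locations and are an assumption; pass explicit ones to inspect another kernel. The demo builds a constructed config and module tree based on the values Jorge posted, with ip_nat_ftp.o deliberately left out to show the third state.

```shell
#!/bin/sh
# Added example, not from the thread: tell a netfilter feature that is built
# into the kernel apart from one built as a module or missing, so a message
# such as "unable to load module ip_conntrack_ftp" can be read correctly.

# nf_feature_state SYMBOL MODULE [CONFIG] [MODDIR]
#   prints one of: builtin, module, module-not-installed, disabled
# CONFIG defaults to /usr/src/linux/.config and MODDIR to the running
# kernel's module directory (assumed conventional locations).
nf_feature_state() {
    sym=$1
    mod=$2
    cfg=${3:-/usr/src/linux/.config}
    moddir=${4:-/lib/modules/$(uname -r)}

    # =y: compiled in.  modprobe has nothing to load and fails, but the
    # feature (here the FTP helper and its port 21 expectation) is active.
    if grep -q "^$sym=y\$" "$cfg" 2>/dev/null; then
        echo builtin
        return
    fi
    # =m: a module was configured; it still has to be installed under
    # MODDIR (2.4 kernels produce .o objects, 2.6 and later .ko).
    if grep -q "^$sym=m\$" "$cfg" 2>/dev/null; then
        if find "$moddir" \( -name "$mod.o" -o -name "$mod.ko" \) 2>/dev/null | grep -q .; then
            echo module
        else
            echo module-not-installed
        fi
        return
    fi
    # Neither: the symbol is absent or reads "# CONFIG_... is not set".
    echo disabled
}

# advise SYMBOL MODULE [CONFIG] [MODDIR]: one line of advice per state.
advise() {
    case $(nf_feature_state "$@") in
        builtin)  echo "$2 is built into the kernel; the modprobe failure is harmless" ;;
        module)   echo "$2 is installed as a module; check dmesg for why insmod failed" ;;
        module-not-installed) echo "$2 is configured as a module but not installed; run make modules_install" ;;
        disabled) echo "$1 is not enabled; set it in the kernel config and rebuild" ;;
    esac
}

# demo: constructed config and module tree based on the values posted in the
# thread (CONFIG_IP_NF_FTP=y, CONFIG_IP_NF_TFTP=m with ip_conntrack_tftp.o
# installed); ip_nat_ftp.o is left out on purpose to show the third state.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'CONFIG_IP_NF_CONNTRACK=y' 'CONFIG_IP_NF_FTP=y' \
        'CONFIG_IP_NF_TFTP=m' 'CONFIG_IP_NF_NAT_FTP=m' > "$tmp/config"
    mkdir -p "$tmp/modules/kernel/net/ipv4/netfilter"
    : > "$tmp/modules/kernel/net/ipv4/netfilter/ip_conntrack_tftp.o"
    advise CONFIG_IP_NF_FTP ip_conntrack_ftp "$tmp/config" "$tmp/modules"
    advise CONFIG_IP_NF_TFTP ip_conntrack_tftp "$tmp/config" "$tmp/modules"
    advise CONFIG_IP_NF_NAT_FTP ip_nat_ftp "$tmp/config" "$tmp/modules"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac
```

On a real box, "nf_feature_state CONFIG_IP_NF_FTP ip_conntrack_ftp" with no further arguments answers the question for the running kernel; a result of module-not-installed after a kernel rebuild is also the usual reason for the "unresolved symbol" failures in the iptables trouble thread above, since the objects under /lib/modules then belong to a different build than the kernel that is running.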
Re: [gentoo-user] iptables error
Thank you for all your help. I found another script that works for me to replace the old one. Mark -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables error
MIKE MacMartin wrote:
> One last question for today: How can I make the commands:
>
> echo "1" >/proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> permanent, meaning executed at boot time?

> Copy one of the /etc/init.d scripts and make it your own. For example (here's a quick example):

.. but gentoo already has one.

/etc/init.d/iptables start
... set your firewall rules, manually or via a script...
/etc/init.d/iptables save

Edit /etc/conf.d/iptables and change:
ENABLE_FORWARDING_IPv4="no"
to:
"yes"

Run:
rc-update add iptables default

Now your firewall(/router) will come up every boot.

MAL

-- [EMAIL PROTECTED] mailing list
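One script, added here as an example and not taken from either thread, for the two gateway recipes on this page: downtime null's SNAT rule, which iptables 1.2.8 accepts only as --to-source (the older --to spelling produces the "Invalid argument" he saw), and Mike MacMartin's MASQUERADE plus ip_forward pair. It assumes a hypothetical layout of eth0 facing the net, eth1 facing a 192.168.1.0/24 LAN, and the thread's 10.1.0.27 as the fixed public address; with no address it falls back to MASQUERADE, which takes whatever address the interface currently has and forgets its connections when the interface goes down, the right choice for a dial-up or DHCP link. What neither one-liner covers is the filter table's FORWARD chain: NAT rewrites addresses but does not decide what may be forwarded at all, so the script sets FORWARD to DROP, lets only LAN-originated connections and their replies through, and turns forwarding on last, after the rules exist. On Gentoo the loaded rules are then kept across reboots with /etc/init.d/iptables save as MAL describes, and ENABLE_FORWARDING_IPv4 in /etc/conf.d/iptables replaces the manual echo.

```shell
#!/bin/sh
# Added example, not from the threads: a small NAT gateway with the 1.2.8
# SNAT syntax, a MASQUERADE alternative, and the FORWARD filtering the posted
# one-liners leave out.  Hypothetical layout: eth0 public, eth1 LAN
# 192.168.1.0/24.  Usage: "up [ADDR]" applies the rules (needs root),
# "show [ADDR]" prints them; DRY_RUN=1 has the same effect as "show".

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# ipt: run one iptables command, or print it under DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# nat_rules [ADDR]: source-NAT the LAN.  With a fixed public address use
# SNAT --to-source (iptables 1.2.8 rejects the older --to spelling with
# "Invalid argument").  Without one use MASQUERADE, which substitutes the
# interface's current address and drops its connection state when the
# interface goes down, as a dial-up or DHCP link requires.
nat_rules() {
    addr=$1
    ipt -t nat -F POSTROUTING
    if [ -n "$addr" ]; then
        ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$addr"
    else
        ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    fi
}

# forward_rules: NAT only rewrites addresses.  Whether a packet is forwarded
# at all is decided here, in the filter table's FORWARD chain, which the
# kernel leaves at ACCEPT unless a policy is set.
forward_rules() {
    ipt -F FORWARD
    ipt -P FORWARD DROP
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# enable_forwarding: the kernel routes between interfaces only once this is 1.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# gateway_up [ADDR]: filter first, then NAT, and only then start forwarding,
# so no packet is ever routed before the rules exist.
gateway_up() {
    forward_rules
    nat_rules "$1"
    enable_forwarding
}

case "${1:-}" in
    up)   gateway_up "${2:-}" ;;
    show) DRY_RUN=1; gateway_up "${2:-}" ;;
esac
```

"sh gateway.sh show 10.1.0.27" prints the SNAT variant, "sh gateway.sh show" the MASQUERADE one; after "up" on a Gentoo box, "/etc/init.d/iptables save" followed by "rc-update add iptables default" makes the result permanent, as the reply above explains.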