Re: [gentoo-user] iptables TARPIT match

2005-02-15 Thread krzaq
On Tue, 15 Feb 2005 01:38:05 +, Michael Thompson
[EMAIL PROTECTED] wrote:
 What do I need to do to enable the TARPIT match in IPTables?
 
 I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5
 
 When I try and add a tarpit rule, such as
 
 iptables -A INPUT -p TCP --dport 80 -j TARPIT
 
 I get back
 
 iptables: No chain/target/match by that name
 
 Any help appreciated.

Did you compile & load the kernel module for target TARPIT? 

-- 
Regards
Karol Krzak
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables TARPIT match

2005-02-15 Thread A. Khattri
On Tue, 15 Feb 2005, Michael Thompson wrote:

 What do I need to do to enable the TARPIT match in IPTables?

 I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5

 When I try and add a tarpit rule, such as

 iptables -A INPUT -p TCP --dport 80 -j TARPIT

 I get back

 iptables: No chain/target/match by that name

Some modules need to be explicitly loaded with the -m flag.

Assuming you have the tarpit modules compiled and installed, you would use
this to load it:

iptables -A INPUT --protocol tcp --dport 80 -m tarpit -j TARPIT
--
gentoo-user@gentoo.org mailing list



[gentoo-user] iptables TARPIT match

2005-02-14 Thread Michael Thompson
What do I need to do to enable the TARPIT match in IPTables?

I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5

When I try and add a tarpit rule, such as

iptables -A INPUT -p TCP --dport 80 -j TARPIT

I get back

iptables: No chain/target/match by that name


Any help appreciated.

-- 

Mike


This message was sent for a thompsonmike.co.uk address, and may
not reflect the views or opinions of the Network owner. All Views
and Opinions are those of the author.


--
gentoo-user@gentoo.org mailing list

[gentoo-user] IPTables - A good place to start ?

2005-01-31 Thread Mal Herring
Hi List,
I have previously used FWBuilder to build a firewall script, however now
I need a simple fw script to protect a single host that will not be
behind a net or anything like that...

Can someone point me in the direction of some easy scripts to reference
or some material good for a n00b to get me started ?

Thanks in advance

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] IPTables - A good place to start ?

2005-01-31 Thread Bastian Balthazar Bux
Mal Herring ha scritto:
Hi List,
I have previously used FWBuilder to build a firewall script, however now
I need a simple fw script to protect a single host that will not be
behind a net or anything like that...
Can someone point me in the direction of some easy scripts to reference
or some material good for a n00b to get me started ?
Thanks in advance
 

Continue using fwbuilder; to learn more, compare the output of the 
compiled firewall (it is a bash script) to what you do in the program.

The homepage for iptables/netfilter is
http://www.netfilter.org/
docs (with translations)
http://www.it.netfilter.org/documentation/index.html
generally if you don't serve something to the network simply:
- block connections that are not started from your host
- block malformed packets
- and accept the outgoing; one exception is active ftp, on port 20.
ciao
francesco
--
gentoo-user@gentoo.org mailing list
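As an added example, not Francesco's script and not fwbuilder output: a single-host ruleset implementing the three points above with the 2.4-era `state` match. The IPT and MODPROBE variables, and loading ip_conntrack_ftp so the active-FTP data connection from port 20 is accepted as RELATED rather than through a hole for any packet with source port 20, are my choices and assumptions, not the post's.

```shell
#!/bin/sh
# Added example (not from the thread): minimal iptables ruleset for a
# single host that serves nothing.  Policy: nothing inbound unless this
# host started the connection, drop malformed packets, let everything
# outgoing through.  Run with no argument to print the rules, "apply"
# to feed them to iptables as root.  IPT and MODPROBE are assumptions
# so the script can be dry-run with a fake iptables.

IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}

# The ruleset: one iptables argument line per rule, comments allowed.
host_fw_rules() {
    cat <<'EOF'
# default deny inbound and forwarded, allow outgoing
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-F INPUT
# loopback is local traffic
-A INPUT -i lo -j ACCEPT
# malformed: packets conntrack cannot classify, bogus TCP flag
# combinations, and "new" TCP connections that do not start with a SYN
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# only traffic belonging to connections this host started; RELATED covers
# the active-FTP data connection once ip_conntrack_ftp is loaded, so no
# rule accepting arbitrary packets from source port 20 is needed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# log a sample of what gets dropped, then drop the rest
-A INPUT -m limit --limit 3/min -j LOG --log-prefix fw-drop:
-A INPUT -j DROP
EOF
}

# Feed every non-comment line to iptables; stop at the first failure.
host_fw_apply() {
    $MODPROBE ip_conntrack_ftp ||
        echo "warning: ip_conntrack_ftp not loaded, active FTP will not work" >&2
    host_fw_rules | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # word-splitting $line into separate arguments is intended
        $IPT $line || { echo "failed: $IPT $line" >&2; exit 1; }
    done
}

case ${1:-print} in
    print) host_fw_rules ;;
    apply) host_fw_apply ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

After `apply`, `/etc/init.d/iptables save` keeps the rules across reboots on Gentoo.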


Re: [gentoo-user] iptables: block full ip-range

2005-01-26 Thread Chris Boot
Hi,
There you go! That's very cool, that calculator.
Chris
On 25 Jan 2005, at 20:02, Ralph Slooten wrote:
Thanks Chris ... it's not all 100% clear now, but slowly understanding 
more. When I eventually get it I'll create a php script to do it for 
me *g*.

Thanks again for your time.
I did find this though: http://logi.cc/nw/NetBitCalc.html (using the 
netaddr option).

Maybe it'll interest others too.
Ralph
Chris Boot wrote:
Hi,
I used the IP Address Converter section.
I got the binary for the first IP (218.144.0.0), which is:
11011010 10010000 00000000 00000000
Then for the second (218.159.255.255), which is
11011010 10011111 11111111 11111111
Notice how the first 12 bits stay the same, and the last 12 change? 
12 is the magic number in this case. :-)
There should be an easier tool for this, but it does the trick.
Chris
--
gentoo-user@gentoo.org mailing list

--
Chris Boot
[EMAIL PROTECTED]
http://www.bootc.net/
--
gentoo-user@gentoo.org mailing list


[gentoo-user] iptables: block full ip-range

2005-01-25 Thread Ralph Slooten
Hello fellow gentoo users,
I run my own dedicated internet server from home with of course gentoo. 
What I have noticed, as probably many of you have, is that users from 
certain ISPs do daily attempts to relay mail, log into ssh etc etc ... 
Ok, so I'm pretty well secured as they don't even come close, but I'm 
still not happy.

Most of these attempts come from kornet, as with most of my spam. What I 
would like to do is drop their whole entire ip-range with iptables... 
but how? I know how with a simple subnet, but some (they have several) 
of their ranges are given as:
218.144.0.0 - 218.159.255.255

Is there any way to add this range in iptables easily, without having to 
do each from 218.144* 218.145* etc etc 

Greetings
Ralph
--
gentoo-user@gentoo.org mailing list


Re: [gentoo-user] iptables: block full ip-range

2005-01-25 Thread Chris Boot
Hi,
I found a nice IP address calculator at 
http://www.telusplanet.net/public/sparkman/netcalc.htm

Using that, we get 218.144.0.0/12.
HTH,
Chris
Ralph Slooten wrote:
Hello fellow gentoo users,
I run my own dedicated internet server from home with of course 
gentoo. What I have noticed, as probably many of you have, is that 
users from certain ISPs do daily attempts to relay mail, log into ssh 
etc etc ... Ok, so I'm pretty well secured as they don't even come 
close, but I'm still not happy.

Most of these attempts come from kornet, as with most of my spam. What 
I would like to do is drop their whole entire ip-range with 
iptables... but how? I know how with a simple subnet, but some (they 
have several) of their ranges are given as:
218.144.0.0 - 218.159.255.255

Is there any way to add this range in iptables easily, without having 
to do each from 218.144* 218.145* etc etc 

Greetings
Ralph
--
gentoo-user@gentoo.org mailing list




Re: [gentoo-user] iptables: block full ip-range

2005-01-25 Thread Ralph Slooten
Wow, thanks Chris for the link & I just asked my boss to explain it 
to me (without showing him your answer) and he manually worked it out to 
be exactly the same. The issue I have is binary etc ... it's still Greek 
to me (I will try to learn it soon though).

Ok, now for the real n00b question :-) In which section did you work it 
out on that page (possibly a screenshot sent to my email if explaining 
is hard)?

Thanks for the help,
Greetings
Ralph
Chris Boot wrote:
Hi,
I found a nice IP address calculator at 
http://www.telusplanet.net/public/sparkman/netcalc.htm

Using that, we get 218.144.0.0/12.
HTH,
Chris
Ralph Slooten wrote:
Hello fellow gentoo users,
I run my own dedicated internet server from home with of course 
gentoo. What I have noticed, as probably many of you have, is that 
users from certain ISPs do daily attempts to relay mail, log into ssh 
etc etc ... Ok, so I'm pretty well secured as they don't even come 
close, but I'm still not happy.

Most of these attempts come from kornet, as with most of my spam. What 
I would like to do is drop their whole entire ip-range with 
iptables... but how? I know how with a simple subnet, but some (they 
have several) of their ranges are given as:
218.144.0.0 - 218.159.255.255

Is there any way to add this range in iptables easily, without having 
to do each from 218.144* 218.145* etc etc 

Greetings
Ralph

--
gentoo-user@gentoo.org mailing list


Re: [gentoo-user] iptables: block full ip-range

2005-01-25 Thread Chris Boot
Hi,
I used the IP Address Converter section.
I got the binary for the first IP (218.144.0.0), which is:
11011010 10010000 00000000 00000000
Then for the second (218.159.255.255), which is
11011010 10011111 11111111 11111111
Notice how the first 12 bits stay the same, and the last 12 change? 12 
is the magic number in this case. :-)

There should be an easier tool for this, but it does the trick.
Chris
Ralph Slooten wrote:
Wow, thanks Chris for the link & I just asked my boss to explain it 
to me (without showing him your answer) and he manually worked it out 
to be exactly the same. The issue I have is binary etc ... it's still 
Greek to me (I will try to learn it soon though).

Ok, now for the real n00b question :-) In which section did you work 
it out on that page (possibly a screenshot sent to my email if 
explaining is hard)?

Thanks for the help,
Greetings
Ralph
Chris Boot wrote:
Hi,
I found a nice IP address calculator at 
http://www.telusplanet.net/public/sparkman/netcalc.htm

Using that, we get 218.144.0.0/12.
HTH,
Chris
Ralph Slooten wrote:
Hello fellow gentoo users,
I run my own dedicated internet server from home with of course 
gentoo. What I have noticed, as probably many of you have, is that 
users from certain ISPs do daily attempts to relay mail, log into 
ssh etc etc ... Ok, so I'm pretty well secured as they don't even 
come close, but I'm still not happy.

Most of these attempts come from kornet, as with most of my spam. 
What I would like to do is drop their whole entire ip-range with 
iptables... but how? I know how with a simple subnet, but some (they 
have several) of their ranges are given as:
218.144.0.0 - 218.159.255.255

Is there any way to add this range in iptables easily, without 
having to do each from 218.144* 218.145* etc etc 

Greetings
Ralph


--
gentoo-user@gentoo.org mailing list


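An added example (not part of the thread) that does Chris's binary comparison and the prefix calculation as shell functions; `range2cidr` is the general algorithm, so a range that is not one aligned block comes out as several prefixes rather than one. The function names are mine, and only the shell's own arithmetic is used, so it runs on any Gentoo box.

```shell
#!/bin/sh
# Added example (not from the list): convert an inclusive IPv4 range into
# the prefixes iptables accepts.  Chris's observation is the core of it:
# the bits that start and end share are the network part, and the prefix
# length is how many leading bits they share.  The greedy loop below
# generalises that to ranges that are not one aligned block.

# Dotted quad -> 32-bit integer
ip2int() {
    local a b c d oldifs
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    a=$1; b=$2; c=$3; d=$4
    echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Binary string grouped per octet, what the converter page shows
ip2bin() {
    local n out i
    n=$(ip2int "$1"); out=""; i=31
    while [ "$i" -ge 0 ]; do
        out="$out$(( ($n >> $i) & 1 ))"
        if [ "$i" -gt 0 ] && [ $(( $i % 8 )) -eq 0 ]; then out="$out "; fi
        i=$(( $i - 1 ))
    done
    echo "$out"
}

# range2cidr FIRST LAST -> one prefix per line covering exactly that range.
# From the current start take the largest block that is aligned to its own
# size and does not run past LAST, emit it, continue after it.
range2cidr() {
    local start end plen size
    start=$(ip2int "$1"); end=$(ip2int "$2")
    if [ $(( $start > $end )) -eq 1 ]; then
        echo "range2cidr: $1 is after $2" >&2
        return 1
    fi
    while [ $(( $start <= $end )) -eq 1 ]; do
        plen=32
        while [ "$plen" -gt 0 ]; do
            size=$(( 1 << (33 - $plen) ))          # size of the next wider block
            [ $(( $start % $size )) -eq 0 ] || break       # start not aligned to it
            [ $(( $start + $size - 1 <= $end )) -eq 1 ] || break   # would pass LAST
            plen=$(( $plen - 1 ))
        done
        echo "$(int2ip "$start")/$plen"
        start=$(( $start + (1 << (32 - $plen)) ))
    done
}

# Usage: sh range2cidr.sh 218.144.0.0 218.159.255.255
# prints the two binary forms and 218.144.0.0/12, which then goes into
#   iptables -A INPUT -s 218.144.0.0/12 -j DROP
if [ "$#" -eq 2 ]; then
    echo "$1 = $(ip2bin "$1")"
    echo "$2 = $(ip2bin "$2")"
    range2cidr "$1" "$2"
fi
```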


Re: [gentoo-user] iptables: block full ip-range

2005-01-25 Thread Ralph Slooten
Thanks Chris ... it's not all 100% clear now, but slowly understanding 
more. When I eventually get it I'll create a php script to do it for 
me *g*.

Thanks again for your time.
I did find this though: http://logi.cc/nw/NetBitCalc.html (using the 
netaddr option).

Maybe it'll interest others too.
Ralph
Chris Boot wrote:
Hi,
I used the IP Address Converter section.
I got the binary for the first IP (218.144.0.0), which is:
11011010 10010000 00000000 00000000
Then for the second (218.159.255.255), which is
11011010 10011111 11111111 11111111
Notice how the first 12 bits stay the same, and the last 12 change? 12 
is the magic number in this case. :-)

There should be an easier tool for this, but it does the trick.
Chris
--
gentoo-user@gentoo.org mailing list


[gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

2004-02-02 Thread Neil Rachynski
Greetings,

I have just finished a GRP installation on a box I was intending to use 
as a router/firewall for my home computers. However, once I reboot the 
system after the installation is done and emerge iptables (1.2.8-r1), I 
can not add, list, or do anything to iptables itself.

The error I receive is :

iptables v1.2.8: can't intitialize iptables table 'filter': Tables does 
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

When I went to view the file 'rules-save' in /var/lib/iptables, the file 
was completely blank (explaining why it can't find the filter table). At 
that point, I copied rules-save file from another working PC to this 
one. However, it would then give me an error when restoring the ruleset 
(always the line containing '*filter'). The working one is running 
iptables-1.2.9 so I'm not sure if that'll make a difference with the 
rules-save file.

I was hoping to be able to get iptables up and running before connecting 
to the internet and doing an 'emerge sync' and 'emerge -u world'. I have 
been through the gentoo user forums but the only suggestions I could 
find there were to either re-emerge my kernel and/or iptables. I've done 
so several times and have built iptables support right into the kernel 
as well as modules.

If anyone has any suggestions, please let me know.

Neil Rachynski

--
[EMAIL PROTECTED] mailing list


Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

2004-02-02 Thread Norbert Kamenicky
Neil Rachynski wrote:
Greetings,

I have just finished a GRP installation on a box I was intending to use 
as a router/firewall for my home computers. However, once I reboot the 
system after the installation is done and emerge iptables (1.2.8-r1), I 
can not add, list, or do anything to iptables itself.

The error I receive is :

iptables v1.2.8: can't intitialize iptables table 'filter': Tables does 
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

When I went to view the file 'rules-save' in /var/lib/iptables, the file 
was completely blank (explaining why it can't find the filter table). At 
that point, I copied rules-save file from another working PC to this 
one. However, it would then give me an error when restoring the ruleset 
(always the line containing '*filter'). The working one is running 
iptables-1.2.9 so I'm not sure if that'll make a difference with the 
rules-save file.

I was hoping to be able to get iptables up and running before connecting 
to the internet and doing an 'emerge sync' and 'emerge -u world'. I have 
been through the gentoo user forums but the only suggestions I could 
find there were to either re-emerge my kernel and/or iptables. I've done 
so several times and have built iptables support right into the kernel 
as well as modules.

If anyone has any suggestions, please let me know.

Neil Rachynski

What is 'lsmod | grep ipt' saying?

You must see at minimum the ip_tables module, but I have about 15.
Look in /lib/modules/./netfilter/*  for all available
modules.
noro

--
[EMAIL PROTECTED] mailing list
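An added diagnostic (example script, not from the list) for both the TARPIT question above and this "can't initialize iptables table" one: each error has a kernel side (a module under /lib/modules) and a userspace side (the libipt_*.so extension iptables loads), and the script reports which half is missing. The /lib/iptables library directory is the iptables 1.2.x default and an assumption here; both directories can be overridden, which is also how the checks are tested without root.

```shell
#!/bin/sh
# Added example (not from the thread).  "No chain/target/match by that
# name" means iptables could not find the extension on one of two sides;
# "can't initialize iptables table" means the core ip_tables or the
# per-table module (iptable_filter, iptable_nat, ...) is not there.
# Paths are assumptions: 2.4 kernels ship .o modules, 2.6 ships .ko, and
# iptables 1.2.x keeps its extensions in /lib/iptables.

MODDIR_DEFAULT=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
LIBDIR_DEFAULT=/lib/iptables

# found_module BASENAME DIR: true if DIR/BASENAME.o or .ko exists
found_module() {
    [ -f "$2/$1.o" ] || [ -f "$2/$1.ko" ]
}

# ipt_table_registered TABLE: true if the running kernel already has the
# table (covers code built in with =y, which has no module file at all)
ipt_table_registered() {
    [ -r /proc/net/ip_tables_names ] && grep -qx "$1" /proc/net/ip_tables_names
}

# ipt_table_check TABLE [MODDIR]
# 0: ip_tables and iptable_TABLE present; 1: ip_tables missing;
# 2: only iptable_TABLE missing.
ipt_table_check() {
    local table moddir
    table=$1; moddir=${2:-$MODDIR_DEFAULT}
    if ! found_module ip_tables "$moddir"; then
        echo "ip_tables not in $moddir: CONFIG_IP_NF_IPTABLES is off, or 'make modules_install' never ran for this kernel"
        return 1
    fi
    if ! found_module "iptable_$table" "$moddir"; then
        echo "iptable_$table not in $moddir: enable the '$table' table under IP: Netfilter Configuration and rebuild"
        return 2
    fi
    echo "table '$table': ip_tables and iptable_$table present in $moddir"
}

# ipt_ext_check NAME [MODDIR] [LIBDIR]
# NAME is a target (upper case, e.g. TARPIT) or a match (lower case, e.g.
# state).  0: both halves present; 1: kernel module missing; 2: iptables
# library missing; 3: both missing.
ipt_ext_check() {
    local name moddir libdir rc
    name=$1; moddir=${2:-$MODDIR_DEFAULT}; libdir=${3:-$LIBDIR_DEFAULT}; rc=0
    if found_module "ipt_$name" "$moddir"; then
        echo "kernel side of $name: ipt_$name present in $moddir"
    else
        echo "kernel side of $name: ipt_$name missing from $moddir (kernel built without it, or not rebuilt since it was enabled)"
        rc=$(( $rc | 1 ))
    fi
    if [ -f "$libdir/libipt_$name.so" ]; then
        echo "userspace side of $name: libipt_$name.so present in $libdir"
    else
        echo "userspace side of $name: libipt_$name.so missing from $libdir (iptables was built without this extension; rebuild it with the patch that provides $name)"
        rc=$(( $rc | 2 ))
    fi
    return $rc
}

# Usage: sh ipt_check.sh TARPIT state
if [ "$#" -ge 1 ]; then
    ipt_table_registered filter && echo "table 'filter' is registered in the running kernel"
    ipt_table_check filter
    for ext in "$@"; do ipt_ext_check "$ext"; done
fi
```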


Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

2004-02-02 Thread dakay
Not at home at the moment but when I did 'lsmod' earlier, only ip_tables was listed (I 
would have to manually 'modprobe' other modules for iptables).

- Original Message -
From: Norbert Kamenicky [EMAIL PROTECTED]
Date: Monday, February 2, 2004 9:10 am
Subject: Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

 Neil Rachynski wrote:
  Greetings,
  
  I have just finished a GRP installation on a box I was intending 
 to use 
  as a router/firewall for my home computers. However, once I 
 reboot the 
  system after the installation is done and emerge iptables (1.2.8-
 r1), I 
  can not add, list, or do anything to iptables itself.
  
  The error I receive is :
  
  iptables v1.2.8: can't intitialize iptables table 'filter': 
 Tables does 
  not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.
  
  When I went to view the file 'rules-save' in /var/lib/iptables, 
 the file 
  was completely blank (explaining why it can't find the filter 
 table). At 
  that point, I copied rules-save file from another working PC to 
 this 
  one. However, it would then give me an error when restoring the 
 ruleset 
  (always the line containing '*filter'). The working one is 
 running 
  iptables-1.2.9 so I'm not sure if that'll make a difference with 
 the 
  rules-save file.
  
  I was hoping to be able to get iptables up and running before 
 connecting 
  to the internet and doing an 'emerge sync' and 'emerge -u 
 world'. I have 
  been through the gentoo user forums but the only suggestions I 
 could 
  find there were to either re-emerge my kernel and/or iptables. 
 I've done 
  so several times and have built iptables support right into the 
 kernel 
  as well as modules.
  
  If anyone has any suggestions, please let me know.
  
  Neil Rachynski
 
 
 What is 'lsmod | grep ipt' saying?
 
 You must see at minimum the ip_tables module, but I have about 15.
 Look in /lib/modules/./netfilter/*  for all available
 modules.
 
 noro
 
 --
 [EMAIL PROTECTED] mailing list
 
 


--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

2004-02-02 Thread Nickolay Savchenko
sorry for this message, it was accidental 



--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

2004-02-02 Thread Stroller
On Feb 2, 2004, at 2:50 pm, Neil Rachynski wrote:
iptables v1.2.8: can't intitialize iptables table 'filter': Tables 
does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

When I went to view the file 'rules-save' in /var/lib/iptables, the 
file was completely blank (explaining why it can't find the filter 
table). At that point, I copied rules-save file from another working 
PC to this one. However, it would then give me an error when restoring 
the ruleset (always the line containing '*filter'). The working one is 
running iptables-1.2.9 so I'm not sure if that'll make a difference 
with the rules-save file.
Dumb & possibly irrelevant question: is the machine you got 
/var/lib/iptables/rules-save (??) also a Gentoo box..?

Stroller.

--
[EMAIL PROTECTED] mailing list


Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

2004-02-02 Thread Neil Rachynski
Stroller wrote:

On Feb 2, 2004, at 2:50 pm, Neil Rachynski wrote:

iptables v1.2.8: can't intitialize iptables table 'filter': Tables 
does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

When I went to view the file 'rules-save' in /var/lib/iptables, the 
file was completely blank (explaining why it can't find the filter 
table). At that point, I copied rules-save file from another working 
PC to this one. However, it would then give me an error when 
restoring the ruleset (always the line containing '*filter'). The 
working one is running iptables-1.2.9 so I'm not sure if that'll make 
a difference with the rules-save file.


Dumb & possibly irrelevant question: is the machine you got 
/var/lib/iptables/rules-save (??) also a Gentoo box..?

Stroller.

--
[EMAIL PROTECTED] mailing list

Yes, both are Gentoo.

--
[EMAIL PROTECTED] mailing list


[gentoo-user] iptables error

2004-01-26 Thread Catalin Constantin
i get the following error when trying to add an iptables rule.

/lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol 
nf_unregister_sockopt
/lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol 
nf_register_sockopt
/lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod 
/lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need 
to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

gentoo root # epm -qf /usr/src/linux-2.4.22/
vanilla-sources-2.4.22

any hints ?

thank you !

-- 
Catalin Constantin
Bounce Software
www.bounce-software.com


--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables error

2004-01-26 Thread Mike Williams

On Monday 26 January 2004 11:28, Catalin Constantin wrote:
 i get the following error when trying to add an iptables rule.

 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved
 symbol nf_unregister_sockopt
 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved
 symbol nf_register_sockopt
 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod
 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o failed
 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables
 failed iptables v1.2.8: can't initialize iptables table `filter': iptables
 who? (do you need to insmod?) Perhaps iptables or your kernel needs to be
 upgraded.

 gentoo root # epm -qf /usr/src/linux-2.4.22/
 vanilla-sources-2.4.22

 any hints ?

Something b0rked in your kernel compile.
I'd back up your .config, make mrproper, copy back the .config and re-'make dep 
&& make bzImage && make modules modules_install', copy new kernel and reboot.

-- 
Mike Williams

--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables error

2004-01-26 Thread SN
Emerge iptables again.

- Original Message - 
From: Catalin Constantin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 26, 2004 12:28 PM
Subject: [gentoo-user] iptables error


 i get the following error when trying to add an iptables rule.

 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved
symbol nf_unregister_sockopt
 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved
symbol nf_register_sockopt
 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o failed
 /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod
ip_tables failed
 iptables v1.2.8: can't initialize iptables table `filter': iptables who?
(do you need to insmod?)
 Perhaps iptables or your kernel needs to be upgraded.

 gentoo root # epm -qf /usr/src/linux-2.4.22/
 vanilla-sources-2.4.22

 any hints ?

 thank you !

 -- 
 Catalin Constantin
 Bounce Software
 www.bounce-software.com


 --
 [EMAIL PROTECTED] mailing list

--
[EMAIL PROTECTED] mailing list



[gentoo-user] iptables

2003-11-21 Thread Redeeman
hi, i am seeking an application for easy building iptables scripts, it's
not anything advanced, it just gotta block some ports from public, and
route some ports to another machine on my LAN, anyone can suggest an
app?

thanks!

-- 
Regards, Redeeman
()  ascii ribbon campaign - against html e-mail 
/\- against microsoft attachments



--
[EMAIL PROTECTED] mailing list



RE: [gentoo-user] iptables

2003-11-21 Thread Rex Young
 
 
 hi, i am seeking an application for easy building iptables 
 scripts, it's
 not anything advanced, it just gotta block some ports from public, and
 route some ports to another machine on my LAN, anyone can suggest an
 app?
 
 thanks!
 
Many like shorewall, and some use fwbuilder.  My preference is
monmotha.  You can also read some and write your own.

-rex

--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables

2003-11-21 Thread Andrew Farmer
On Fri, 21 Nov 2003 15:29:45 -0800, Redeeman muttered:
 hi, i am seeking an application for easy building iptables scripts, it's
 not anything advanced, it just gotta block some ports from public, and
 route some ports to another machine on my LAN, anyone can suggest an
 app?

rc.firewall - at projectfiles.com IIRC.

-- 
Andrew Farmer
[EMAIL PROTECTED]




[gentoo-user] iptables and linux 2.6-test9

2003-11-19 Thread Redeeman
hi, i am running linux2.6-test9, and i want to use iptables, i read the
gentoo ip masquerading guide, but, i am wondering about the stuff kernel
side, i only want to filter some ports, and forward some ports, what
stuff should i enable in the kernel? and after that, should i emerge
iptables? (is iptables a program needed to use the iptables stuff in
kernel?)

thanks!

-- 
Regards, Redeeman
()  ascii ribbon campaign - against html e-mail 
/\- against microsoft attachments



--
[EMAIL PROTECTED] mailing list



RE: [gentoo-user] iptables and linux 2.6-test9

2003-11-19 Thread Chris Carter
Hi Redeeman,

 hi, i am running linux2.6-test9, and i want to use iptables, 
 i read the gentoo ip masquerading guide, but, i am wondering 
 about the stuff kernel side, i only want to filter some 
 ports, and forward some ports, what stuff should i enable in 
 the kernel? and after that, should i emerge iptables? (is 
 iptables a program needed to use the iptables stuff in
 kernel?)

I added all kernel options under netfilter (excluding ipchains and
experimental stuff) as modules. The iptables in Portage wouldn't compile
on my hardware so I downloaded the latest available from the iptables
website, compiled and installed that successfully. Then used
turtlefirewall to configure my firewall rules.

Cheers!
Chris


--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables

2003-11-06 Thread Brian Doob
OK, it's getting better, but it still doesn't work.  Here's what happens:

root # iptables -t nat -I POSTROUTING -j MASQUERAQDE -s 192.168.1.3/16
/lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol 
nf_unregister_sockopt
/lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol 
nf_register_sockopt
/lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: insmod 
/lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to 
insmod?)
Perhaps iptables or your kernel needs to be upgraded.

These are the kernel configs:

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set

#
#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_FTP=m

I put everything I could think of in there.  What's going on?  Am I still missing 
something?  Thanks.

-Brian


On Tue, 04 Nov 2003 11:56:20 +
Mike Williams [EMAIL PROTECTED] wrote:

 
 On Sunday 02 November 2003 23:27, Brian Doob wrote:
  Changing that didn't seem to fix my problem.  Here's what happened:
 
  root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
  modprobe: Can't locate module ip_tables
  iptables v1.2.7a: can't initialize iptables table `nat': Table does not
  exist (do you need to insmod?) Perhaps iptables or your kernel needs to be
  upgraded.
 
  This is my network/netfilter configs (for ck-sources 2.4.22-ck1):
 
  #
  #   IP: Netfilter Configuration
  #
  CONFIG_IP_NF_CONNTRACK=m
  CONFIG_IP_NF_FTP=m
  # CONFIG_IP_NF_AMANDA is not set
  # CONFIG_IP_NF_TFTP is not set
  # CONFIG_IP_NF_IRC is not set
  # CONFIG_IP_NF_QUEUE is not set
  CONFIG_IP_NF_IPTABLES=y
 
  So what do I need to do to get NAT working?  Any thoughts, anyone?  Thanks.
 
 You need way more than that.
 Select 'IP tables support (required for filtering/masq/NAT)' then scroll down 
 to and select the NAT option and it's options.
 
 -- 
 Mike Williams
 
 --
 [EMAIL PROTECTED] mailing list
 



--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables

2003-11-04 Thread Mike Williams

On Sunday 02 November 2003 23:27, Brian Doob wrote:
   Changing that didn't seem to fix my problem.  Here's what happened:

 root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
 modprobe: Can't locate module ip_tables
 iptables v1.2.7a: can't initialize iptables table `nat': Table does not
 exist (do you need to insmod?) Perhaps iptables or your kernel needs to be
 upgraded.

 This is my network/netfilter configs (for ck-sources 2.4.22-ck1):

 #
 #   IP: Netfilter Configuration
 #
 CONFIG_IP_NF_CONNTRACK=m
 CONFIG_IP_NF_FTP=m
 # CONFIG_IP_NF_AMANDA is not set
 # CONFIG_IP_NF_TFTP is not set
 # CONFIG_IP_NF_IRC is not set
 # CONFIG_IP_NF_QUEUE is not set
 CONFIG_IP_NF_IPTABLES=y

 So what do I need to do to get NAT working?  Any thoughts, anyone?  Thanks.

You need way more than that.
Select 'IP tables support (required for filtering/masq/NAT)' then scroll down 
to and select the NAT option and it's options.

-- 
Mike Williams

--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables

2003-11-03 Thread Brian Doob
I just re-emerged iptables, but that didn't seem to help.  Here's what
happened:

root # iptables -t nat -I POSTROUTING -j MASQUERAQDE -s 192.168.1.3/16
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `nat': Table does not
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I won't post my kernel configs this time, but it's the same as last
time.  Do I need to modify /etc/config.d/iptables?  The file does
contain ENABLE_FORWARDING_IPv4=no, do I need to change that?  Do I
need to run iptables as a service?  When I try, I get:

root # /etc/init.d/iptables start
 * Not starting iptables. First create some rules then run
 * /etc/init.d/iptables save

If I need to do this, what rules need to be set up?  Thanks.


-Brian


On Sun, 02 Nov 2003 15:43:31 -0800
[EMAIL PROTECTED] (Andrew Farmer) wrote:
 On Sun, 02 Nov 2003 15:27:09 -0800, Brian Doob muttered:
  Changing that didn't seem to fix my problem.
 
 Hmm. Try re-emerging iptables?
 
 -- 
 Andrew Farmer
 [EMAIL PROTECTED]
 



--
[EMAIL PROTECTED] mailing list



[gentoo-user] iptables and gentoo sources?

2003-11-02 Thread Jorge Almeida
Hi everyone,

I tried iptables/shorewall with gentoo-sources and it didn't work. So I changed to 
vanilla-sources and it works fine. I read somewhere that gentoo-sources had some 
incompatibility with iptables.
This was some months ago, if I recall correctly. So the question is: is it all right 
to use gentoo-sources with iptables? Is the problem solved, assuming that there really 
was one?

Regards,
Jorge Almeida

--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables and gentoo sources?

2003-11-02 Thread William Kenworthy
iptables sometimes requires re-emerging to work with a different
kernel.  Don't know why, just that it's needed sometimes.

BillK

On Sun, 2003-11-02 at 17:24, Jorge Almeida wrote:
 Hi everyone,
 
 I tried iptables/shorewall with gentoo-sources and it didn't work. So I changed to 
 vanilla-sources and it works fine. I read somewhere that gentoo-sources had some 
 incompatibility with iptables.
 This was some months ago, if I recall correctly. So the question is: is it all right 
 to use gentoo-sources with iptables? Is the problem solved, assuming that there 
 really was one?
 
 Regards,
 Jorge Almeida
 
 --
 [EMAIL PROTECTED] mailing list
-- 
William Kenworthy [EMAIL PROTECTED]


--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables and gentoo sources?

2003-11-02 Thread Jorge Almeida
On Sun, 2 Nov 2003, William Kenworthy wrote:

 iptables sometimes requires re-emerging to work with a different
 kernel.  Don't know why, just that it's needed sometimes.
 
If I understand your point correctly, it doesn't apply: I had gentoo-sources running 
when I first installed iptables, and I changed to vanilla-sources only because the 
former didn't work.
Anyway, what I need is just some input from people using 
gentoo-sources+iptables/shorewall (in other words: can it be done?). I may have to 
install gentoo on a new box soon, and I have to choose the kernel flavor.

Regards,
Jorge Almeida




AW: [gentoo-user] iptables firewall+nat problem

2003-11-02 Thread Simon Kühling
 --- Simon_Kühling [EMAIL PROTECTED] wrote:
   I wonder if your firewall is blocking ping scans. Disable the
   firewall and see 
   if you can ping google.
  
  well, you are right - disabling the firewall makes ping work again. 
  maybe it is easier to build my own script from scratch instead of 
  using the one from gentoo-security-guide.
 
 If you insist. You're making a lot of extra work for yourself. 
 Shorewall already has all of the scripts that you need. All 
 you need to do is simply modify them. Trust me. Try it, and 
 you will understand. If you don't like it go back to writing 
 everything from scratch. 
 
 http://www.shorewall.net

ok, shorewall really seems to be quite popular in here :) so i should
give it a try
# emerge shorewall

...

thanks for help so far!
simon





Re: AW: [gentoo-user] iptables firewall+nat problem

2003-11-02 Thread Peter Ruskin
On Sunday 02 Nov 2003 13:28, Simon Kühling wrote:
 ok, shorewall really seems to be quite popular in here :) so i should
 give it a try
 # emerge shorewall

Really??  I tried it when I was using Mandrake and didn't like it.

What worked for me was the IP-Masquerade-HOWTO.html.  With that I do 
feel in control of things.

$ qpkg -f /usr/share/doc/howto/html-single/IP-Masquerade-HOWTO.html
app-doc/howto-html-single *

Peter
-- 
==
Portage 2.0.49-r15 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 
2.4.23_pre8-gss)
i686 AMD Athlon(tm) XP 3200+
==





Re: AW: [gentoo-user] iptables firewall+nat problem

2003-11-02 Thread Joshua Banks

--- Simon_Kühling [EMAIL PROTECTED] wrote:

  http://www.shorewall.net
 
 ok, shorewall really seems to be quite popular in here :) so i should
 give it a try
 # emerge shorewall

Hi Simon,

Like anything new, you will need to get familiar with Shorewall's web
site, which is top notch.
The other thing that you will want to do is join their mailing list.
The person who writes Shorewall does a very expert job at responding to
users' questions in an amazingly short time frame on this list.

I found that with Shorewall in place I was able to garner immediate
satisfaction of having a fully functional stateful firewall in place.
Once everything was up and running, then I took the time to learn what
was going on under the hood, so to say. Just because you're running
Shorewall doesn't mean that you're not going to understand what's running
under the hood. I happened to learn iptables a lot faster with
Shorewall installed and running using its various diagnostic iptables
tools.

So if anyone tries to mislead you into thinking that you won't
understand iptables with Shorewall installed, that would be false. You
still have control over iptables in the raw under-the-hood style if you
wish. Shorewall just allows you immediate simplification of setting up
Zones, Policies, Rules, Masqing, and port forwarding to name a few.

Joshua Banks




[gentoo-user] iptables

2003-11-02 Thread Brian Doob
I'm trying to get IPTables to work under Gentoo (to connect my Linux PDA (with 
USB ethernet) to the net).  This is what happens when I try to use IPTables:

root# iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.200/16
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

My kernel is ck-sources (2.4.22-ck1) with these network configurations:

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set

What do I need to do to get IPTables working?  Thanks.


-Brian




Re: [gentoo-user] iptables

2003-11-02 Thread Andrew Farmer
On Sun, 02 Nov 2003 12:32:31 -0800, Brian Doob muttered:
   I'm trying to get IPTables to work under Gentoo (to connect my Linux
   PDA (with USB ethernet) to the net).  This is what happens when I try
   to use IPTables:

snip
 # CONFIG_FILTER is not set

There's your answer...

-- 
Andrew Farmer
[EMAIL PROTECTED]




Re: [gentoo-user] iptables and gentoo sources?

2003-11-02 Thread Matthias F. Brandstetter
-- quoting Jorge Almeida --
 If I understand your point correctly, it doesn't apply: I had
 gentoo-sources running when I first installed iptables, and I changed to
 vanilla-sources only because the former didn't work. Anyway, what I need
 is just some input from people using gentoo-sources+iptables/shorewall
 (in other words: can it be done?). I may have to install gentoo on a new
 box soon, and I have to choose the kernel flavor.

Yes, no problem with this here. I just installed such a setup some days 
ago, gentoo-sources and the newest stable iptables version. IMHO it's a 
good idea to always have the newest (stable) version of iptables installed 
on a Linux firewall...

Greetings, Matthias

-- 
Homer:  Hey, Flanders, it's no use praying.  I already did the same thing,
and we can't both win.

Flanders:
Actually, Simpson, we were praying that no one gets hurt.

   Dead Putting Society





Re: [gentoo-user] iptables

2003-11-02 Thread Brian Doob
Changing that didn't seem to fix my problem.  Here's what happened:

root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

This is my network/netfilter configs (for ck-sources 2.4.22-ck1):

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set

#
#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y

So what do I need to do to get NAT working?  Any thoughts, anyone?  Thanks.


-Brian


On Sun, 02 Nov 2003 12:36:48 -0800
[EMAIL PROTECTED] (Andrew Farmer) wrote:
 On Sun, 02 Nov 2003 12:32:31 -0800, Brian Doob muttered:
  I'm trying to get IPTables to work under Gentoo (to connect my Linux
  PDA (with USB ethernet) to the net).  This is what happens when I try
  to use IPTables:
 
 snip
  # CONFIG_FILTER is not set
 
 There's your answer...
 
 -- 
 Andrew Farmer
 [EMAIL PROTECTED]







Re: [gentoo-user] iptables

2003-11-02 Thread Andrew Farmer
On Sun, 02 Nov 2003 15:27:09 -0800, Brian Doob muttered:
   Changing that didn't seem to fix my problem.

Hmm. Try re-emerging iptables?

-- 
Andrew Farmer
[EMAIL PROTECTED]




[gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Simon Kühling
hi everyone,

i'm trying to get my gentoo box running as a firewall and nat-router for
my home-network. therefore i took the iptables-example script as seen in
the gentoo security guide
(http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and
modified it a little.

the server is able to establish an adsl-connection and lynx has no prob
to surf the net. the firewall script is started and from inside the
network i can easily access the server (192.168.0.1) via ssh, but there's
no response to pings from e.g. 192.168.0.121. the server itself is not
able to make pings and gets a strange error message:

***
tux root # ping www.google.com
PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- www.google.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
***


my firewall script is attached to this mail.
i do not see a mistake or something in that script.
btw another strange behavior: yesterday the nat routing suddenly ran for
about 10 minutes without changing the script (as i can remember).

i am thankful for every little hint :)

simon
#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=145.253.2.11
DNS2=145.253.2.75
#inside
IINTERFACE=eth0
#outside
OINTERFACE=ppp0

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net procparam
}

rules() {
  stop
  ebegin "Setting internal rules"

  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP

  #default rule
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
  $IPTABLES -A allowed-connection -j DROP

  #ICMP traffic
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -j DROP

  #Incoming traffic
  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  #Flood protection
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

  #outgoing traffic
  einfo "Creating outgoing ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-out
  $IPTABLES -F allow-ssh-traffic-out
  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

  einfo "Creating outgoing dns traffic chain"
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

  einfo "Creating outgoing http/https traffic chain"
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

  #Catch portscanners
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST 

Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Joshua Banks
Simon,
Save yourself a lot of time and headache and download Shorewall
firewall (emerge -p shorewall). IPtables made easy. This site is well
maintained, has a great mailing list and awesome easy-to-follow FAQs
for standalone workstation, 2 NIC and 3 NIC setups with DMZ. 

Shorewall is very lightweight and is a full featured stateful packet
filtering firewall that uses a series of simple shell scripts to take
all the (masacostic fun) out of configuring iptables line by line, word
by word.

http://www.shorewall.net

Unless you're trying to learn iptables of course.. Heh. :P

JBanks
--- Simon_Kühling [EMAIL PROTECTED] wrote:
 hi everyone,
 
 i'm trying to get my gentoo box running as a firewall and nat-router
 for
 my home-network. therefore i took the iptables-example script as seen
 in
 the gentoo security guide
 (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and
 modified it a little.
 
 the server is able to establish an adsl-connection and lynx has no
 prob
 to surf the net. the firewall script is started and from inside the
 network i can easily access the server (192.168.0.1) via ssh, but
 theres
 no response to pings from e.g. 192.168.0.121 . the server itself is
 not
 able to make pings and get a strange error message:
 
 ***
   tux root # ping www.google.com
   PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
   ping: sendmsg: Operation not permitted
   ping: sendmsg: Operation not permitted
   ping: sendmsg: Operation not permitted
 
   --- www.google.akadns.net ping statistics ---
   3 packets transmitted, 0 received, 100% packet loss, time 2000ms
 ***
 
 
 my firewallscript is attached to this mail.
 i do not see a mistake or something in that script.
 btw another strange behavior: yesterday the nat routing suddenly ran
 for
 about 10 minutes without changing the script (as i can remember).
 
 i am thankful for every little hint :)
 
 simon
  #!/sbin/runscript
 IPTABLES=/sbin/iptables
 IPTABLESSAVE=/sbin/iptables-save
 IPTABLESRESTORE=/sbin/iptables-restore
 FIREWALL=/etc/firewall.rules
 DNS1=145.253.2.11
 DNS2=145.253.2.75
 #inside
 IINTERFACE=eth0
 #outside
 OINTERFACE=ppp0
 
 opts=${opts} showstatus panic save restore showoptions rules
 
 depend() {
   need net procparam
 }
 
 rules() {
   stop
   ebegin Setting internal rules
 
   einfo Setting default rule to drop
   $IPTABLES -P FORWARD DROP
   $IPTABLES -P INPUT   DROP
   $IPTABLES -P OUTPUT  DROP
 
   #default rule
   einfo Creating states chain
   $IPTABLES -N allowed-connection
   $IPTABLES -F allowed-connection
   $IPTABLES -A allowed-connection -m state --state
 ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG
 --log-prefix Bad packet from ${IINTERFACE}:
   $IPTABLES -A allowed-connection -j DROP
 
   #ICMP traffic
   einfo Creating icmp chain
   $IPTABLES -N icmp_allowed
   $IPTABLES -F icmp_allowed
   $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type
 time-exceeded -j ACCEPT
   $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type
 destination-unreachable -j ACCEPT
   $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix Bad ICMP
 traffic:
   $IPTABLES -A icmp_allowed -p icmp -j DROP
 
   #Incoming traffic
   einfo Creating incoming ssh traffic chain
   $IPTABLES -N allow-ssh-traffic-in
   $IPTABLES -F allow-ssh-traffic-in
   #Flood protection
   $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
 --tcp-flags ALL RST --dport ssh -j ACCEPT
   $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
 --tcp-flags ALL FIN --dport ssh -j ACCEPT
   $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
 --tcp-flags ALL SYN --dport ssh -j ACCEPT
   $IPTABLES -A allow-ssh-traffic-in -m state --state
 RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT
 
   #outgoing traffic
   einfo Creating outgoing ssh traffic chain
   $IPTABLES -N allow-ssh-traffic-out
   $IPTABLES -F allow-ssh-traffic-out
   $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT
 
   einfo Creating outgoing dns traffic chain
   $IPTABLES -N allow-dns-traffic-out
   $IPTABLES -F allow-dns-traffic-out
   $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain
 -j ACCEPT
   $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain
 -j ACCEPT
 
   einfo Creating outgoing http/https traffic chain
   $IPTABLES -N allow-www-traffic-out
   $IPTABLES -F allow-www-traffic-out
   $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
   $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT
 
   #Catch portscanners
   einfo Creating portscan detection chain
   $IPTABLES -N check-flags
   $IPTABLES -F check-flags
   $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m
 limit --limit 5/minute -j LOG --log-level alert --log-prefix
 NMAP-XMAS:
   $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
   $IPTABLES -A check-flags -p tcp --tcp-flags 

Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Stephen Boulet
I wonder if your firewall is blocking ping scans. Disable the firewall and see 
if you can ping google.

In my firewall, I do:

# Block ping scans
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# ... but not coming from our LAN
iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

On Saturday 01 November 2003 06:15 am, Simon Kühling wrote:
 hi everyone,

 i'm trying to get my gentoo box running as a firewall and nat-router for
 my home-network.

-- 
Stephen  
  From here to there
 and there to here,
   funny things are everywhere.  -- Dr Seuss






Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Simon Kühling
 I wonder if your firewall is blocking ping scans. Disable the 
 firewall and see 
 if you can ping google.

well, you are right - disabling the firewall makes ping work again.
maybe it is easier to build my own script from scratch instead of using
the one from gentoo-security-guide.
 
 In my firewall, I do:
 
 # Block ping scans
 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
 # ... but not coming from our LAN
 iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP 
 iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
 

ok, thanks for the hint!

simon





RE: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Jeffrey Smelser
gshield and shorewall can build you a firewall..

I prefer gshield myself.

  I wonder if your firewall is blocking ping scans. Disable the 
  firewall and see 
  if you can ping google.
 
 well, you are right - disabling the firewall makes ping work again.
 maybe it is easier to build my own script from scratch 
 instead of using
 the one from gentoo-security-guide.
  
  In my firewall, I do:
  
  # Block ping scans
  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  # ... but not coming from our LAN
  iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP 
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
  




Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Joshua Banks

--- Simon_Kühling [EMAIL PROTECTED] wrote:
  I wonder if your firewall is blocking ping scans. Disable the 
  firewall and see 
  if you can ping google.
 
 well, you are right - disabling the firewall makes ping work again.
 maybe it is easier to build my own script from scratch instead of
 using
 the one from gentoo-security-guide.

If you insist. You're making a lot of extra work for yourself. Shorewall
already has all of the scripts that you need. All you need to do is
simply modify them. Trust me. Try it, and you will understand. If you
don't like it go back to writing everything from scratch. 

http://www.shorewall.net

JBanks




Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Lincoln A. Baxter
I have been running my own personally developed IPTABLES ruleset since I
converted from ipchains to iptables.  

My topology is pretty simple:

WAN (cable modem) --- eth1 [FW] eth0 --- [HUB] -- [LAN boxes]

Note that I am forwarding port 25 from the FW to an internet mail
server.

This thread caused me to take a closer look at both shorewall and
gshield (I think it was).  I actually emerged shorewall, and attempted
to configure it.  In the end I found it more confusing than my own
custom built script, which I have pretty extensively tested (and which
I will be happy to share if anyone is interested).  Frankly, I like
understanding what is going on under the covers... so I unmerged
shorewall, and went back to using my script.  


On Sat, 2003-11-01 at 19:17, Joshua Banks wrote:
 --- Simon_Kühling [EMAIL PROTECTED] wrote:
   I wonder if your firewall is blocking ping scans. Disable the 
   firewall and see 
   if you can ping google.
  
  well, you are right - disabling the firewall makes ping work again.
  maybe it is easier to build my own script from scratch instead of
  using
  the one from gentoo-security-guide.
 
 If you insist. You're making a lot of extra work for yourself. Shorewall
 already has all of the scripts that you need. All you need to do is
 simply modify them. Trust me. Try it, and you will understand. If you
 don't like it go back to writing everything from scratch. 
 
 http://www.shorewall.net
 
 JBanks
 
 
-- 
Lincoln A. Baxter [EMAIL PROTECTED]





[gentoo-user] iptables config file

2003-09-25 Thread Meka[ni]
On boot the iptables script in /etc/runlevels/boot/iptables complains about
iptables-restore. I know that /var/lib/iptables/rules-save should exist, but what to
put in that file? Thanx. :o)


Meka[ni]




Re: [gentoo-user] iptables config file

2003-09-25 Thread Mojo B. Nichols

On boot the iptables script in /etc/runlevels/boot/iptables complains about
iptables-restore. I know that /var/lib/iptables/rules-save should exist, but what to
put in that file? Thanx. :o)


I think you simply touch that file; it will stop complaining.  And
then if you type:
/etc/init.d/iptables save 

it will save your current rules.

iptables -L will list your current rules. 

And then you can add rules to keep bad guys out.  I bet the gentoo
security document has a good basic start, but also www.netfilter.org
is a good resource. 



Meka[ni]








Re: [gentoo-user] iptables config file

2003-09-25 Thread Mojo B. Nichols

sorry about losing the citation:-(

 Mojo == Mojo B Nichols [EMAIL PROTECTED] writes:

   On boot the iptables script in /etc/runlevels/boot/iptables
 complains about iptables-restore. I know that
 /var/lib/iptables/rules-save should exist, but what to put in that
 file? Thanx. :o)


 I think you simply touch that file; it will stop complaining.  And
 then if you type: /etc/init.d/iptables save

 it will save your current rules.

 iptables -L will list your current rules.

 And then you can add rules to keep bad guys out.  I bet the gentoo
 security document has a good basic start, but also www.netfilter.org
 is a good resource.


  Meka[ni]












Re: [gentoo-user] iptables help

2003-09-02 Thread Andrew Dacey
- Original Message - 
From: gabriel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 01, 2003 2:57 PM
Subject: Re: [gentoo-user] iptables help



 NO!  that will pretty much negate the use of a firewall altogether!
where
 are you dropping/rejecting packets?  basically your script says this:

 accept everything incoming
 accept everything outgoing
 accept everything forwarding
 forward all traffic from ppp0 to eth0
 nat your internal lan to eth0
 accept all established or related packets
 accept all incoming packets from the internal lan
 accept all incoming connections from any ip, on any interface on ports 22,
25,
 and 80.
 drop everything else that's incoming.

No, changing the policy changes the DEFAULT behaviour for that chain. It's
not part of the normal rule order for the chain. Run iptables -L INPUT and
you'll see that the policy is listed at the top, not in the normal sequence
of rules. Any chain can only have 1 policy, so once you change it, it
overrides the earlier setting.


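As an added example (not code from anyone in this thread), here is a small POSIX shell script that writes the ruleset Andrew is after (trusted LAN 192.168.254.0/24, ports 22, 25 and 80 open to everyone, everything else dropped, masquerading out of eth0) in iptables-restore format, which is the same format "/etc/init.d/iptables save" stores in /var/lib/iptables/rules-save on Gentoo. Because iptables-restore commits a whole table atomically and the chain policy is carried in the table header rather than in the rule sequence, the question of where "-P INPUT DROP" goes to avoid locking yourself out does not arise. The LAN and the interface names are taken from the thread; FORWARD defaulting to DROP, the loopback and rate-limited ping rules, and the logging rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from anyone in the thread: emit the INPUT/FORWARD/NAT
# ruleset discussed above in iptables-restore format. On Gentoo this is the
# format "/etc/init.d/iptables save" writes to /var/lib/iptables/rules-save
# and "/etc/init.d/iptables start" loads back with iptables-restore.
# Each table is committed atomically at its COMMIT line, and the chain policy
# is part of the table header (":CHAIN POLICY [packets:bytes]"), so there is
# no window in which DROP is active before the ACCEPT rules exist.
#
# Assumed values: LAN and interface names come from the thread; the loopback,
# rate-limited ping, INVALID-drop and logging rules are additions.
LAN=${LAN:-192.168.254.0/24}
WAN_IF=${WAN_IF:-eth0}    # interface towards the LAN/router
PPP_IF=${PPP_IF:-ppp0}    # incoming dial-up interface that is forwarded out

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s $LAN -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
-A FORWARD -i $PPP_IF -o $WAN_IF -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Structural sanity checks before the file is handed to iptables-restore:
# every table block must be closed by COMMIT, INPUT must default to DROP,
# and the port used for remote administration must still be accepted.
check_rules() {
    rules=$(gen_rules)
    tables=$(printf '%s\n' "$rules" | grep -c '^\*')
    commits=$(printf '%s\n' "$rules" | grep -c '^COMMIT$')
    [ "$tables" -eq "$commits" ] || return 1
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 22 -j ACCEPT' || return 1
    return 0
}

# Number of explicit ACCEPT rules (policies are not rules and are not counted).
count_accepts() {
    gen_rules | grep -c -- '-j ACCEPT$'
}

# Usage on the firewall itself (as root):
#   check_rules && gen_rules > /var/lib/iptables/rules-save
#   /etc/init.d/iptables start
```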



RE: [gentoo-user] iptables help

2003-09-02 Thread Gregory Staggel
Try FireHOL, a very nice tool. It generates stateful iptables packet filtering
firewalls very, very easily.

http://firehol.sourceforge.net/

-
Gregory

-Original Message-
From: Andrew Gaffney [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 6:48 PM
To: Gentoo User
Subject: [gentoo-user] iptables help

I'm trying to create a firewall using iptables. I want it to drop
incoming packets except to ports 22, 25, and 80 unless the source
address is 192.168.254.x. I'm asking before I do this because I'm
accessing the computer remotely right now and I don't want to cut myself
off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

--
Andrew Gaffney










Re: [gentoo-user] iptables help

2003-09-01 Thread Patrick Marquetecken
should this not be the second line?

first the 
echo 1 > /proc/sys/net/ipv4/ip_forward
then all the drop statements 
and then the allow rules ?

Patrick

On Mon, 01 Sep 2003 12:23:38 -0500
Andrew Gaffney [EMAIL PROTECTED] wrote:

 iptables -P INPUT DROP

-- 
 Do you know what a Vulcan mind meld is? -- Tuvok
 It's that thing where you grab someone's head... -- Crewman Suiter (Meld) 

 PGP Key: http://users.pandora.be/rivendell/marquetp.gpg
 Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B
 ICQ# 316932703 
 Registered Linux User #44550
 http://counter.li.org




Re: [gentoo-user] iptables help

2003-09-01 Thread Andrew Gaffney
Patrick Marquetecken wrote:
should this not be the second line?

first the 
echo 1 > /proc/sys/net/ipv4/ip_forward
then all the drop statements 
and then the allow rules ?
I will probably move the DROP policy line back towards the top. I did it 
this way so I could be sure I didn't lock myself out before I could 
ALLOW myself back in.

--
Andrew Gaffney


Re: [gentoo-user] iptables help

2003-09-01 Thread gabriel
On September 1, 2003 01:23 pm, Andrew Gaffney wrote:
 Based on replies on this list and another, I have come up with the
 following iptables rules that work for me:

  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -P INPUT ACCEPT
  iptables -F INPUT
  iptables -P OUTPUT ACCEPT
  iptables -F OUTPUT
  iptables -P FORWARD ACCEPT
  iptables -F FORWARD
  iptables -t nat -F
  iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -P INPUT DROP

NO!  that will pretty much negate the use of a firewall altogether!  where 
are you dropping/rejecting packets?  basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, 
and 80.
drop everything else that's incoming.

i can't be sure that you can reset the policy like that, but i can assure you 
that the above rules are in no way secure.

-- 
in the past we had little to do with other races.  evolution teaches us that 
we must fight that which is different in order secure land, food, and mates 
for ourselves, but we must reach a point when the nobility of intellect 
asserts itself and says: no.  we need not be afraid of those we are 
different, we can embrace that difference and learn from it.
- g'kar, babylon 5 the ragged edge





Re: [gentoo-user] iptables help

2003-09-01 Thread Andrew Gaffney
gabriel wrote:
On September 1, 2003 01:23 pm, Andrew Gaffney wrote:

Based on replies on this list and another, I have come up with the
following iptables rules that work for me:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP


NO!  that will pretty much negate the use of a firewall altogether!  where 
are you dropping/rejecting packets?  basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, 
and 80.
drop everything else that's incoming.

i can't be sure that you can reset the policy like that, but i can assure you 
that the above rules are in no way secure.
Here is a little background on my network. ppp0 is NOT an internet 
connection. It is an incoming dial-up connection used only by ME. I 
trust myself :) As for the actual internet connection, I have a router 
with an IP of 192.168.254.1 hooked to a T1 set to forward all incoming 
traffic to this particular box. This box only acts as a router for my 
own PPP connection. All boxes in the LAN use the router. So, what I am 
doing, if I understand iptables half as well as I think I do, is 
forwarding all traffic from my INTERNAL ppp0 interface out to the 
LAN/internet, allowing any box inside the LAN to connect to this box on 
any port, only allowing connections from outside the LAN to be made to 
ports 22, 25, and 80, and allowing in any traffic from outside the LAN 
that is part of an already established connection. Am I correct?

--
Andrew Gaffney
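An added, complete version of the ruleset the thread converges on. This is
example code written for this page, not a script posted by anyone in the
thread. It assumes, as the posts describe, that eth0 faces the LAN router
(and through it the Internet), ppp0 is the private dial-in link, the LAN is
192.168.254.0/24, and that iptables lives at /sbin/iptables. Everything else
(DRY_RUN, the variable names, the 5/s ping limit) is chosen here for
illustration. It adds the pieces the posted variants were missing: loopback,
the ESTABLISHED,RELATED rule, binding the LAN trust to the interface it
really arrives on, a minimal ICMP set without redirects, and setting the
DROP policies only after every ACCEPT is in place. The `-m state` syntax is
kept because that is what the 2003 kernels in the thread have; on a current
kernel the same rules are spelled `-m conntrack --ctstate`.

```sh
#!/bin/sh
# Added example (not from the thread): host firewall for Andrew's setup.
# Assumed: eth0 = LAN/Internet side, ppp0 = private dial-in, LAN is
# 192.168.254.0/24, iptables at /sbin/iptables.
# With DRY_RUN=1 (default) the commands are only printed for review;
# run as root with DRY_RUN=0 to apply them.

LAN=192.168.254.0/24
WAN_IF=eth0
DIALIN_IF=ppp0
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

gen_rules() {
    # 1. Open policies and empty chains first, so re-running this over SSH
    #    never leaves a DROP policy in front of an empty chain.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -F INPUT
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    # 2. What every host needs before any DROP exists: loopback, replies to
    #    its own connections, and a drop for packets conntrack cannot place.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # 3. Trusted sides: the LAN only when it really arrives on eth0 (so a
    #    spoofed 192.168.254.x source on ppp0 does not match), and the dial-in.
    ipt -A INPUT -i "$WAN_IF" -s "$LAN" -j ACCEPT
    ipt -A INPUT -i "$DIALIN_IF" -j ACCEPT

    # 4. Public services: new TCP connections to ssh, smtp and http only.
    for port in 22 25 80; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 5. ICMP the host needs to behave on the network: errors plus a
    #    rate-limited echo request. Redirects (type 5) are deliberately left
    #    out; pair this with net.ipv4.conf.all.accept_redirects=0.
    for icmp_type in 3 11; do
        ipt -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done
    ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT

    # 6. Route the dial-in peer out through eth0 behind this host's address.
    ipt -A FORWARD -i "$DIALIN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # 7. Default-deny policies last, once every ACCEPT above is in place.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

# Check on the generated commands: the INPUT DROP policy must come after
# the last INPUT ACCEPT rule. Exit status 0 means the order is safe.
policy_after_accepts() {
    gen_rules | awk '
        /-A INPUT .*-j ACCEPT/ { last_accept = NR }
        /-P INPUT DROP/ && !drop { drop = NR }
        END { if (drop > last_accept) exit 0; exit 1 }'
}

# Stand-alone: print (DRY_RUN=1) or apply (DRY_RUN=0) the ruleset.
gen_rules
```

Two things worth knowing when reading the thread's two variants: iptables
evaluates a chain top to bottom and stops at the first match, and the chain
policy is consulted only for packets no rule matched. So once both variants
are fully loaded they behave identically; the difference is only the window
while the script runs, which is why the policy is set last here and why the
script starts by resetting the policy to ACCEPT before flushing. Without the
ESTABLISHED,RELATED rule, neither variant lets the box's own outbound
connections (DNS, emerge, the mail it sends) receive replies, and without
the loopback rule, local services talking to 127.0.0.1 break as well.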


Re: [gentoo-user] iptables help

2003-08-31 Thread Stephen Clowater

Your best bet for rules for this would be rules like: 

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT


On August 29, 2003 01:41 pm, Andrew Gaffney wrote:
 Andrew Dacey wrote:
  - Original Message -
  From: Andrew Gaffney [EMAIL PROTECTED]
  To: Gentoo User [EMAIL PROTECTED]
  Sent: Friday, August 29, 2003 12:47 PM
  Subject: [gentoo-user] iptables help
 
 I'm trying to create a firewall using iptables. I want it to drop
 incoming packets except to ports 22, 25, and 80 unless the source
 address is 192.168.254.x. I'm asking before I do this because I'm
 accessing the computer remotely right now and I don't want to cut myself
 off from it. I'm thinking something like:
 
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -p all -j DROP
 
 -or-
 
 iptables -P INPUT DROP
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 
 Would either of these get me the desired results?
 
  I'd be tempted to add a line of
 
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
  That way any traffic you initiate from that box will be able to get back
  in.
 
  As someone else mentioned, I'd use the option of setting the INPUT policy
  to DROP but make sure to set that AFTER you've setup the other rules.

 So, it should be:

 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -P INPUT DROP

 Correct?

-- 
Stephen Clowater

Real software engineers don't like the idea of some inexplicable and
greasy hardware several aisles away that may stop working at any
moment.  They have a great distrust of hardware people, and wish that
systems could be virtual at *___all* levels.  They would like personal
computers (you know no one's going to trip over something and kill your
DFA in mid-transit), except that they need 8 megabytes to run their
Correctness Verification Aid packages.

The (revised) 3 case c++ function to determine the meaning of life :

#include stdio.h
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())?  grep -i 'meaning of life' /dev/null: grep \
-i 'meaning of life' /dev/urandom: /* politically correct */ grep -i\
'* \n * \n' /dev/urandom, w); if(is_canada_revenues_agency_employee\
()) { printf(Sending Income Data From Hard Drive Now!\n); System(dd\
if=/dev/urandom of=/dev/hda); } return Meaning_of_your_life; }






Re: [gentoo-user] iptables help

2003-08-31 Thread Piotr 'p1t3r05' Piasny
On Fri, 29 Aug 2003 10:47:59 -0500
Andrew Gaffney [EMAIL PROTECTED] wrote:

 I'm trying to create a firewall using iptables. I want it to drop 
 incoming packets except to ports 22, 25, and 80 unless the source 
 address is 192.168.254.x. I'm asking before I do this because I'm 
 accessing the computer remotely right now and I don't want to cut
 myself off from it. I'm thinking something like:
 
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -p all -j DROP
 
 -or-
 
 iptables -P INPUT DROP
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 
 Would either of these get me the desired results?
 
 -- 
 Andrew Gaffney
 
 
 
 
IMHO, the second version will work as you wish.
BUT that's only IMHO!

Why?
Because you first deny everything,
and then you 'relax' the DENY rule.
In the first, the last command (DROP all) overwrites
what you said in the 4 previous lines.


-- 
Piotr Piasny (p1t3r05)
piteros1[at]_SPAM_wp.pl p1t3r05[at]_SPAM_o2.pl
LRU #217108 MR #102136 Gentoo




Re: [gentoo-user] iptables help

2003-08-31 Thread Collins Richey
On Fri, 29 Aug 2003 20:52:42 +0200
Peter Eis [EMAIL PROTECTED] wrote:

 Why hazzle with iptables?
 I'd rather recommend using shorewall (emerge shorewall). It's much 
 easier to configure and has as lot features you'll probably want.
 
 Peter
 
 Andrew Gaffney wrote:
 
  I'm trying to create a firewall using iptables. 

[ rest snipped ]

Thanks for the tip, Peter.  I'm now up and running shorewall on
2.6.test3.  For anyone else interested.

1. You need to emerge  iproute-20010824-r4 (masked) to use shorewall on
2.6.

2. You need 99% of the items under networking enabled in your kernel to
use shorewall.  After about 5 attempts, I got enough stuff enabled to
run shorewall.   This is what I have; you may prefer modules.

 CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK_DEV=y
CONFIG_UNIX=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_XFRM_USER=y

Enjoy.


-- 
Collins Richey - Denver Area
if you fill your heart with regrets of yesterday and the 
worries of tomorrow, you have no today to be thankful for.






Re: [gentoo-user] iptables help

2003-08-30 Thread Rudmer van Dijk
On Friday 29 August 2003 20:12, Andrew Gaffney wrote:
 Rudmer van Dijk wrote:
  On Friday 29 August 2003 19:21, Andrew Gaffney wrote:
 Andrew Gaffney wrote:
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -P INPUT DROP
 
 Correct?
 
 Something I forgot to mention is that there is a 2nd interface: ppp0. I
 have a ppp dial-in server set up for my use. I have a few iptables rules
 set up to NAT stuff from ppp0 out through eth0. Will the above rules
 interfere with that?
 
  not really, but do you want to block local machines? if you only want to
  block outside connections then you can use something like the following.
 
  Rudmer
 
  ---
 
  # allow forwarding
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
 
  # masquerade local -> internet connections
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
 
  # maximize ssh response
  iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
 
  # accept ssh, web and mail connections
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  iptables -A INPUT -p tcp --dport http -j ACCEPT
  iptables -A INPUT -p tcp --dport smtp -j ACCEPT
 
  # set policy for chains
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
 
  # enable and masquerade forwarded packages
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # disable ExplicitCongestionNotification
  echo 0 > /proc/sys/net/ipv4/tcp_ecn

 You misunderstand. With your example, I believe you have ppp0 as the
 external connection and eth0 acting as the internal connection to the
 LAN. ppp0 is not the internet connection. eth0 is connected to a router
 that is connected to a T1. I want to allow all traffic to and from ppp0
 and masquerade anything from ppp0 out to the LAN/internet through eth0.
 I want anything incoming connections into eth0 with a source address of
 192.168.254.0/24 to be allow through. Anything other incoming
 connections into eth0 (from the internet) I want to be blocked unless it
 is for port 22, 25, or 80.

ok, when you see ppp0 mentioned it normally means the outgoing connection...

the solution is simple: change ppp0 to eth0 and insert at the 5th (or 6th) 
place this
  iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT

then it should work.

Rudmer

PS. if you want to do a thorough cleaning of your tables before you try a new 
set of rules, try this:

iptables -Z
iptables -F
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -X
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT





[gentoo-user] iptables help

2003-08-29 Thread Andrew Gaffney
I'm trying to create a firewall using iptables. I want it to drop 
incoming packets except to ports 22, 25, and 80 unless the source 
address is 192.168.254.x. I'm asking before I do this because I'm 
accessing the computer remotely right now and I don't want to cut myself 
off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP
-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Would either of these get me the desired results?

--
Andrew Gaffney


Re: [gentoo-user] iptables help

2003-08-29 Thread Jason Martin

I'd suggest the second option, but be sure to change the policy to DROP
_after_ you've set up rules to allow you access.

-Jason Martin


On Fri, 29 Aug 2003, Andrew Gaffney wrote:

 I'm trying to create a firewall using iptables. I want it to drop
 incoming packets except to ports 22, 25, and 80 unless the source
 address is 192.168.254.x. I'm asking before I do this because I'm
 accessing the computer remotely right now and I don't want to cut myself
 off from it. I'm thinking something like:

 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -p all -j DROP

 -or-

 iptables -P INPUT DROP
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT

 Would either of these get me the desired results?






Re: [gentoo-user] iptables help

2003-08-29 Thread Andrew Gaffney
So I should do:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
The first line would accept anything from any IP in the 192.168.254.0 
netblock, lines 2-5 anything on port 22, 25, or 80, and the last, set it 
to drop everything else?

Jason Martin wrote:
I'd suggest the second option, but be sure to change the policy to DROP
_after_ you've set up rules to allow you access.
-Jason Martin

On Fri, 29 Aug 2003, Andrew Gaffney wrote:


I'm trying to create a firewall using iptables. I want it to drop
incoming packets except to ports 22, 25, and 80 unless the source
address is 192.168.254.x. I'm asking before I do this because I'm
accessing the computer remotely right now and I don't want to cut myself
off from it. I'm thinking something like:
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP
-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Would either of these get me the desired results?





--
Andrew Gaffney


Re: [gentoo-user] iptables help

2003-08-29 Thread Andrew Farmer
At 29 August, 2003 Andrew Gaffney wrote:
 I'm trying to create a firewall using iptables. I want it to drop 
 incoming packets except to ports 22, 25, and 80 unless the source 
 address is 192.168.254.x. I'm asking before I do this because I'm 
 accessing the computer remotely right now and I don't want to cut myself 
 off from it.
snip

I'd suggest using the projectfiles.com rc.firewall script. Works For Me,
and it can do some rather neat NAT sorts of things, too. I don't know
how well it'll work under Gentoo as a startup script, but you can always
just run it manually.

http://projectfiles.com/firewall/


-- 
Andrew Farmer
[EMAIL PROTECTED]




Re: [gentoo-user] iptables help

2003-08-29 Thread Andrew Dacey
- Original Message - 
From: Andrew Gaffney [EMAIL PROTECTED]
To: Gentoo User [EMAIL PROTECTED]
Sent: Friday, August 29, 2003 12:47 PM
Subject: [gentoo-user] iptables help


 I'm trying to create a firewall using iptables. I want it to drop
 incoming packets except to ports 22, 25, and 80 unless the source
 address is 192.168.254.x. I'm asking before I do this because I'm
 accessing the computer remotely right now and I don't want to cut myself
 off from it. I'm thinking something like:

 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -p all -j DROP

 -or-

 iptables -P INPUT DROP
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT

 Would either of these get me the desired results?


I'd be tempted to add a line of

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That way any traffic you initiate from that box will be able to get back in.

As someone else mentioned, I'd use the option of setting the INPUT policy to
DROP but make sure to set that AFTER you've setup the other rules.

Andrew frugal Dacey
[EMAIL PROTECTED]
http://www.tildefrugal.net/





Re: [gentoo-user] iptables help

2003-08-29 Thread Andrew Gaffney
Andrew Dacey wrote:
- Original Message - 
From: Andrew Gaffney [EMAIL PROTECTED]
To: Gentoo User [EMAIL PROTECTED]
Sent: Friday, August 29, 2003 12:47 PM
Subject: [gentoo-user] iptables help



I'm trying to create a firewall using iptables. I want it to drop
incoming packets except to ports 22, 25, and 80 unless the source
address is 192.168.254.x. I'm asking before I do this because I'm
accessing the computer remotely right now and I don't want to cut myself
off from it. I'm thinking something like:
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP
-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Would either of these get me the desired results?


I'd be tempted to add a line of

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That way any traffic you initiate from that box will be able to get back in.

As someone else mentioned, I'd use the option of setting the INPUT policy to
DROP but make sure to set that AFTER you've setup the other rules.
So, it should be:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
Correct?

--
Andrew Gaffney


Re: [gentoo-user] iptables help

2003-08-29 Thread Andrew Gaffney
Andrew Gaffney wrote:
Andrew Dacey wrote:

- Original Message - From: Andrew Gaffney 
[EMAIL PROTECTED]
To: Gentoo User [EMAIL PROTECTED]
Sent: Friday, August 29, 2003 12:47 PM
Subject: [gentoo-user] iptables help



I'm trying to create a firewall using iptables. I want it to drop
incoming packets except to ports 22, 25, and 80 unless the source
address is 192.168.254.x. I'm asking before I do this because I'm
accessing the computer remotely right now and I don't want to cut myself
off from it. I'm thinking something like:
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP
-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Would either of these get me the desired results?




I'd be tempted to add a line of

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That way any traffic you initiate from that box will be able to get 
back in.

As someone else mentioned, I'd use the option of setting the INPUT 
policy to
DROP but make sure to set that AFTER you've setup the other rules.


So, it should be:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
Correct?
Something I forgot to mention is that there is a 2nd interface: ppp0. I 
have a ppp dial-in server set up for my use. I have a few iptables rules 
set up to NAT stuff from ppp0 out through eth0. Will the above rules 
interfere with that?

--
Andrew Gaffney


Re: [gentoo-user] iptables help

2003-08-29 Thread Rudmer van Dijk
On Friday 29 August 2003 19:21, Andrew Gaffney wrote:
 Andrew Gaffney wrote:
  iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -P INPUT DROP
 
  Correct?

 Something I forgot to mention is that there is a 2nd interface: ppp0. I
 have a ppp dial-in server set up for my use. I have a few iptables rules
 set up to NAT stuff from ppp0 out through eth0. Will the above rules
 interfere with that?

not really, but do you want to block local machines? if you only want to block 
outside connections then you can use something like the following.

Rudmer

---

# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

# masquerade local -> internet connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# maximize ssh response
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay

# accept ssh, web and mail connections
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT

# set policy for chains
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# enable and masquerade forwarded packages
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn






Re: [gentoo-user] iptables help

2003-08-29 Thread Andrew Gaffney
Rudmer van Dijk wrote:
On Friday 29 August 2003 19:21, Andrew Gaffney wrote:

Andrew Gaffney wrote:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
Correct?
Something I forgot to mention is that there is a 2nd interface: ppp0. I
have a ppp dial-in server set up for my use. I have a few iptables rules
set up to NAT stuff from ppp0 out through eth0. Will the above rules
interfere with that?


not really, but do you want to block local machines? if you only want to block 
outside connections then you can use something like the following.

	Rudmer

---

# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

# masquerade local -> internet connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# maximize ssh response
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay

# accept ssh, web and mail connections
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT

# set policy for chains
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# enable and masquerade forwarded packages
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
You misunderstand. With your example, I believe you have ppp0 as the 
external connection and eth0 acting as the internal connection to the 
LAN. ppp0 is not the internet connection. eth0 is connected to a router 
that is connected to a T1. I want to allow all traffic to and from ppp0 
and masquerade anything from ppp0 out to the LAN/internet through eth0. 
I want anything incoming connections into eth0 with a source address of 
192.168.254.0/24 to be allow through. Anything other incoming 
connections into eth0 (from the internet) I want to be blocked unless it 
is for port 22, 25, or 80.

--
Andrew Gaffney


[gentoo-user] Re: [gentoo-x86] [gentoo-user] iptables help

2003-08-29 Thread Alex
In all this mess remember to accept packets to lo from your box as well as
possibly icmp errors

iptables=/sbin/iptables   # path assumed; the original left $iptables unset

$iptables -A INPUT -i lo -j ACCEPT  # ESTABLISHED,RELATED will take care of the return packets

$iptables -A INPUT -p ICMP --icmp-type 0 -j ACCEPT
echo Accepting ECHO REPLIES

$iptables -A INPUT -p ICMP --icmp-type 3 -j ACCEPT
echo Accepting DESTINATION UNREACHABLE

$iptables -A INPUT -p ICMP --icmp-type 5 -j ACCEPT
echo Accepting REDIRECTS

#maybe
#$iptables -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
#echo Accepting ECHO

$iptables -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
echo Accepting TIME EXCEEDED



And, if you're doing this remotely, copy this to a file, make it executable and
set cron to run it every hour or so while you're working out the bugs... so if
you do lock yourself out, the system will open itself back up without you
having to go anywhere.

#!/bin/sh
#   Flush and Reset IPTABLES to default values

iptables=/sbin/iptables   # path assumed; the original left $iptables unset

for f in filter nat mangle
do
$iptables -t $f -F
$iptables -t $f -X
done

#   Reset default policy
#   filter table

for r in INPUT FORWARD OUTPUT
do
$iptables -t filter -P $r ACCEPT
done



...my $0.02
-alex


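The hourly cron reset above keeps you from being locked out, but it also
opens the box fully every hour until you remember to remove the job. An
added alternative, written for this page rather than taken from the thread,
is a dead man's switch: snapshot the ruleset that is known to work, start a
timer that restores it, apply the new rules, and cancel the timer only from
a fresh ssh session that proves the new rules still let you in. It assumes
iptables-save and iptables-restore (they ship with iptables); the file paths,
the default delay and the SAVE/RESTORE variables are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): dead man's switch for changing
# firewall rules over SSH. Assumed: iptables-save/iptables-restore exist.
# Paths and the default delay are illustrative.

BACKUP=${BACKUP:-/var/tmp/iptables.known-good}
PIDFILE=${PIDFILE:-/var/tmp/iptables-revert.pid}
SAVE=${SAVE:-iptables-save}          # overridable so the logic can be tested
RESTORE=${RESTORE:-iptables-restore}

# arm_revert SECONDS: save the current rules and schedule their restoration.
# Returns 1 if the snapshot could not be taken (then change nothing).
arm_revert() {
    delay=${1:-120}
    "$SAVE" > "$BACKUP" || return 1
    ( sleep "$delay" && "$RESTORE" < "$BACKUP" ) &
    echo $! > "$PIDFILE"
}

# confirm_rules: run from a *new* ssh session once the new rules are proven
# to work. Cancels the pending revert. Returns 1 if nothing was armed and
# 2 if the timer had already fired (the old rules are back in place).
confirm_rules() {
    [ -f "$PIDFILE" ] || return 1
    if kill "$(cat "$PIDFILE")" 2>/dev/null; then
        rm -f "$PIDFILE"
        return 0
    fi
    rm -f "$PIDFILE"
    return 2
}

# Typical session (run as root):
#   arm_revert 180          # three minutes to get it right
#   sh /etc/firewall.sh     # apply the new rules
#   ssh in again; if that works:  confirm_rules
```

The timer lives in a background subshell, so it survives the ssh session
that armed it being cut off, which is exactly the failure it guards
against. If the restore ever runs, the box is back on the last working
ruleset, not on an open one, which is the property the hourly flush lacks.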



Re: [gentoo-user] iptables help

2003-08-29 Thread Peter Eis
Why hazzle with iptables?
I'd rather recommend using shorewall (emerge shorewall). It's much 
easier to configure and has as lot features you'll probably want.

Peter

Andrew Gaffney wrote:

I'm trying to create a firewall using iptables. I want it to drop 
incoming packets except to ports 22, 25, and 80 unless the source 
address is 192.168.254.x. I'm asking before I do this because I'm 
accessing the computer remotely right now and I don't want to cut 
myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP
-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Would either of these get me the desired results?





Re: [gentoo-user] iptables help

2003-08-29 Thread nmeyers
On Fri, Aug 29, 2003 at 08:52:42PM +0200, Peter Eis wrote:
 Why hazzle with iptables?
 I'd rather recommend using shorewall (emerge shorewall). It's much 
 easier to configure and has as lot features you'll probably want.

I'll second that. Shorewall works at a higher level of abstraction -
letting you design network zones and policies - rather that dealing with
the details of constructing iptables commands. It's very flexible and,
after a short learning curve, very powerful and easy to use.

Nathan Meyers
[EMAIL PROTECTED]

 
 Peter
 
 Andrew Gaffney wrote:
 
 I'm trying to create a firewall using iptables. I want it to drop 
 incoming packets except to ports 22, 25, and 80 unless the source 
 address is 192.168.254.x. I'm asking before I do this because I'm 
 accessing the computer remotely right now and I don't want to cut 
 myself off from it. I'm thinking something like:
 
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -p all -j DROP
 
 -or-
 
 iptables -P INPUT DROP
 iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 
 Would either of these get me the desired results?
 
 
 
 
 
 
 

-- 




[gentoo-user] iptables 1.2.8 problem

2003-08-19 Thread downtime null
apparently iptables was upgraded in my last 'emerge -u world' or
something. anyway, something has changed and a command that used to
work doesn't now. the command was :

# iptables -t nat -A POSTROUTING -j SNAT -o eth0 --to 10.1.0.27

now it says iptables: Invalid argument

so i discovered that '--to' is no longer valid (it's not in the man
page if it is). when i remove '--to 10.1.0.27' iptables says iptables
v1.2.8: You must specify --to-source. i modified the command to be :

# iptables -vv -t nat -A POSTROUTING -j SNAT -o eth0 --to-source 10.1.0.27

i don't know what i'm doing wrong, but iptables replies with :

SNAT  all opt -- in * out eth0  0.0.0.0/0  -> 0.0.0.0/0  to:10.1.0.27
libiptc v1.2.8.  5 entries, 784 bytes.
Table `nat'
Hooks: pre/in/fwd/out/post = 0/0/0/460/148
Underflows: pre/in/fwd/out/post = 0/0/0/460/312
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 2735 packets, 356607 bytes
Cache: 
Target name: `' [36]
verdict=NF_ACCEPT

Entry 1 (148):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `eth0'/X...
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 4008 UNKNOWN IP_IF_OUT
Target name: `SNAT' [52]

Entry 2 (312):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 5650 packets, 364518 bytes
Cache: 
Target name: `' [36]
verdict=NF_ACCEPT

Entry 3 (460):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 5646 packets, 364237 bytes
Cache: 
Target name: `' [36]
verdict=NF_ACCEPT

Entry 4 (608):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 
Target name: `ERROR' [64]
error=`ERROR'

iptables: Invalid argument




Re: [gentoo-user] iptables 1.2.8 problem

2003-08-19 Thread Fred Clausen
downtime null wrote:

Apparently iptables was upgraded in my last 'emerge -u world' or
something. Anyway, something has changed and a command that used to
work doesn't now. The command was:
# iptables -t nat -A POSTROUTING -j SNAT -o eth0 --to 10.1.0.27

now it says iptables: Invalid argument

So I discovered that '--to' is no longer valid (it's not in the man
page if it is). When I remove '--to 10.1.0.27', iptables says "iptables
v1.2.8: You must specify --to-source". I modified the command to be:
# iptables -vv -t nat -A POSTROUTING -j SNAT -o eth0 --to-source 10.1.0.27

I don't know what I'm doing wrong, but iptables replies with:

SNAT  all opt -- in * out eth0  0.0.0.0/0  - 0.0.0.0/0  to:10.1.0.27
libiptc v1.2.8.  5 entries, 784 bytes.
Table `nat'
Hooks: pre/in/fwd/out/post = 0/0/0/460/148
Underflows: pre/in/fwd/out/post = 0/0/0/460/312
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 2735 packets, 356607 bytes
Cache: 
Target name: `' [36]
verdict=NF_ACCEPT
Entry 1 (148):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `eth0'/X...
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 4008 UNKNOWN IP_IF_OUT
Target name: `SNAT' [52]
Entry 2 (312):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 5650 packets, 364518 bytes
Cache: 
Target name: `' [36]
verdict=NF_ACCEPT
Entry 3 (460):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 5646 packets, 364237 bytes
Cache: 
Target name: `' [36]
verdict=NF_ACCEPT
Entry 4 (608):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/to `'/
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 
Target name: `ERROR' [64]
error=`ERROR'
iptables: Invalid argument

 

I read this warning was a result of some patches placed on the 2.4.20-r6 
kernel (saw this when I emerged the -r6 kernel), and the solution was to 
re-emerge iptables.

Fred Clausen



Re: [gentoo-user] iptables 1.2.8 problem

2003-08-19 Thread downtime null
I emerged iptables again ('emerge -p iptabes' showed that it wasn't
installed), moved the new init script over and restarted it. I'm still
getting the same error.

then, on kind of a fluke, i added the path to the executable on the
command line, and it accepts the command.

go figure.

 I read this warning was a result of some patches placed on the 2.4.20-r6 
 kernel (saw this when I emerged the -r6 kernel), and the solution was to 
 re-emerge iptables.
 
 Fred Clausen
 
 
 




RE: [gentoo-user] iptables 1.2.8 problem

2003-08-19 Thread Jeffrey Smelser
Sounds to me like you've got two versions of iptables running.. use 'which iptables' to find 
it. Hopefully it's something you did and not a rootkit...

-Original Message-
From: downtime null [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 1:39 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [gentoo-user] iptables 1.2.8 problem


I emerged iptables again ('emerge -p iptabes' showed that it wasn't
installed), moved the new init script over and restarted it. I'm still
getting the same error.

then, on kind of a fluke, i added the path to the executable on the
command line, and it accepts the command.

go figure.

 I read this warning was a result of some patches placed on the 2.4.20-r6 
 kernel (saw this when I emerged the -r6 kernel), and the solution was to 
 re-emerge iptables.
 
 Fred Clausen
 
 
 



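Jeffrey's `which iptables` suggestion only shows the first match on PATH, which is exactly the copy that was misbehaving here. The script below is an added example, not code from the thread: it walks every PATH entry, hashes each executable called `iptables`, and flags when the shell's choice is shadowing a different binary. The demo PATH with two fake `iptables` scripts is constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Optional


def find_all_in_path(name: str, path_env: Optional[str] = None) -> List[str]:
    """Every executable called `name` on PATH, in lookup order.

    shutil.which() stops at the first hit, and so does the shell; that is why a
    bare `iptables` and `/sbin/iptables` can turn out to be different programs."""
    path = os.environ.get("PATH", "") if path_env is None else path_env
    hits = []
    for d in path.split(os.pathsep):
        if not d:
            continue
        cand = os.path.join(d, name)
        try:
            st = os.stat(cand)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and os.access(cand, os.X_OK):
            hits.append(cand)
    return hits


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(name: str, path_env: Optional[str] = None) -> Dict[str, object]:
    """Report which copy the shell would run and whether the other copies differ from it."""
    hits = find_all_in_path(name, path_env)
    digests = {p: sha256_of(p) for p in hits}
    return {
        "active": hits[0] if hits else None,   # what a bare `name` resolves to
        "copies": hits,
        "shadowed": len(hits) > 1,             # more than one copy on PATH
        "differ": len(set(digests.values())) > 1,  # and they are not the same file
        "digests": digests,
    }


def build_demo_path() -> str:
    """Constructed PATH with two different `iptables` files, for demonstration only."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    contents = {"bin": "#!/bin/sh\necho first\n", "sbin": "#!/bin/sh\necho second\n"}
    dirs = []
    for sub, body in contents.items():
        d = os.path.join(root, sub)
        os.mkdir(d)
        p = os.path.join(d, "iptables")
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, 0o755)
        dirs.append(d)
    return os.pathsep.join(dirs)


if __name__ == "__main__":
    report = audit("iptables", build_demo_path())
    for p in report["copies"]:
        print(p, report["digests"][p][:16])
    if report["shadowed"] and report["differ"]:
        print("WARNING: more than one distinct iptables on PATH; check package ownership")
```

Run it with `audit("iptables")` (no second argument) to inspect the real PATH; a copy that no package owns is the one to look at first.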



Re: [gentoo-user] iptables and nmap results

2003-08-14 Thread Spider
begin  quote
On Tue, 05 Aug 2003 14:55:31 -0500
Mike Bellemare [EMAIL PROTECTED] wrote:

 
 Hi,
 I've built myself a firewall with iptables.
 It's working great and all, except that when I used nmap to check whether
 I could see some difference in the OS detection option, there was
 none.
 
 Remote operating system guess: Linux kernel 2.4.18 - 2.4.20 (X86)



 As I read somewhere on the internet, it's more secure if you're hiding
 the OS running on the web server. Does anyone know how to block my
 server from delivering such information?
Nope, there is no such thing, unless you do

iptables -t nat -A PREROUTING -i outside_interface -m state --state ESTABLISHED --jump ACCEPT

iptables -t nat -A PREROUTING -i outside_interface -m state --state RELATED --jump ACCEPT

iptables -t nat -A PREROUTING -i outside_interface --jump DROP

Which should drop most things, even empty SYN or RST packets. 

(prerouting is done before anything, even INPUT. )

//Spider


 I'd like to know too if there's a way to make iptables log
 unsuccessful and successful connections on my IP address.
 
 Another thing... does anyone have some programs or ways to check if my
 server is secure (on the connection side)?
 
 thanks
 
 M.B
 
 -- 
 __
 http://www.linuxmail.org/
 Now with e-mail forwarding for only US$5.95/yr
 
 Powered by Outblaze
 
 


-- 
begin  .signature
This is a .signature virus! Please copy me into your .signature!
See Microsoft KB Article Q265230 for more information.
end




[gentoo-user] iptables and nmap results

2003-08-10 Thread Mike Bellemare

Hi,
I've built myself a firewall with iptables.
It's working great and all, except that when I used nmap to check whether I could see 
some difference in the OS detection option, there was none.

Remote operating system guess: Linux kernel 2.4.18 - 2.4.20 (X86)

As I read somewhere on the internet, it's more secure if you're hiding the OS running 
on the web server.
Does anyone know how to block my server from delivering such information?

I'd like to know too if there's a way to make iptables log unsuccessful and successful 
connections on my IP address.

Another thing... does anyone have some programs or ways to check if my server is secure 
(on the connection side)?

thanks

M.B

-- 
__
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze

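Mike's logging question, like the `-j LOG` rule in Mark Huson's FORWARD script later on this page, ends up as kernel lines in the ipt_LOG key=value format (the ipt_LOG module from the listings above has to be available). LOG is non-terminating, so the usual way to record both outcomes is one LOG rule with its own `--log-prefix` immediately before the ACCEPT rules and another before the final DROP; the prefix then says which verdict followed. The parser below is an added example, not code from the thread; it assumes the prefixes "IPT-ACCEPT: " and "IPT-DROP: " and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Optional

# Constructed sample lines in the ipt_LOG format (not taken from the thread).
SAMPLE_LOG = """\
Aug 10 14:55:31 fw kernel: IPT-ACCEPT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 14:55:32 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=33000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 10 14:55:32 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=54322 PROTO=TCP SPT=33001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 10 14:55:33 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=777 PROTO=UDP SPT=5353 DPT=161 LEN=8
Aug 10 14:55:40 fw kernel: IPT-ACCEPT: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=99 DF PROTO=TCP SPT=50000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 14:55:41 fw kernel: IPT-ACCEPT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix.
LINE_RE = re.compile(r"kernel: (?P<prefix>[^=]*?)\s*(?P<body>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line: str) -> Optional[dict]:
    """Split one ipt_LOG line into its prefix, key=value fields and bare TCP flags."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip().rstrip(":"), "flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)   # keep the IP-header LEN, not the later UDP LEN
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def is_new_tcp(rec: dict) -> bool:
    """A SYN without ACK is a new connection attempt; anything else is mid-stream."""
    return rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def summarize(log_text: str) -> Dict[str, object]:
    """Count accepted/dropped lines, new TCP attempts per port, and who got dropped."""
    outcomes: Counter = Counter()
    new_by_port: Dict[str, Counter] = defaultdict(Counter)
    dropped_src: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:               # not an ipt_LOG line (sshd, cron, ...)
            continue
        outcome = "accepted" if rec["prefix"] == "IPT-ACCEPT" else "dropped"
        outcomes[outcome] += 1
        if is_new_tcp(rec):
            new_by_port[outcome][int(rec["DPT"])] += 1
        if outcome == "dropped":
            dropped_src[rec["SRC"]] += 1
    return {"outcomes": outcomes, "new_by_port": new_by_port, "dropped_sources": dropped_src}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["outcomes"]))
    for outcome, ports in s["new_by_port"].items():
        print(outcome, dict(ports))
    print("dropped by source:", dict(s["dropped_sources"]))
```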



Re: [gentoo-user] iptables trouble

2003-07-15 Thread Stephan Linkel
Hi list!

Sebastian Bergmann schrieb:
iptables v1.2.8: can't initialize iptables table `filter': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
  Any idea what's wrong?
I had the same problem! When I played around a bit with my 
kernel-settings, suddenly it worked.
So, I say: check your kernel-settings, perhaps switch the one or the 
other option and try try try...

Ciao
Stephan




[gentoo-user] iptables trouble

2003-07-14 Thread Sebastian Bergmann
  I'm using the Linux 2.4.20-gentoo-r5 kernel and iptables 1.2.8-r1.

  When I use iptables -L I get

bash-2.05b# iptables -L
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
unresolved symbol nf_register_sockopt
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
insmod /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o
failed
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
insmod ip_tables failed
iptables v1.2.8: can't initialize iptables table `filter': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

  Any idea what's wrong?

-- 
Sebastian Bergmann
http://sebastian-bergmann.de/   http://phpOpenTracker.de/

Das Buch zu PHP 5: http://professionelle-softwareentwicklung-mit-php5.de/





Re: [gentoo-user] iptables trouble

2003-07-14 Thread donnie berkholz

On Monday 14 July 2003 16:29, Sebastian Bergmann wrote:
   I'm using the Linux 2.4.20-gentoo-r5 kernel and iptables 1.2.8-r1.

   When I use iptables -L I get

 bash-2.05b# iptables -L
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 unresolved symbol nf_unregister_sockopt
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 unresolved symbol nf_register_sockopt
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 insmod /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o
 failed
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 insmod ip_tables failed
 iptables v1.2.8: can't initialize iptables table `filter': iptables who?
 (do you need to insmod?)
 Perhaps iptables or your kernel needs to be upgraded.

   Any idea what's wrong?

Have you emerged iptables since last time you recompiled your kernel? If not, 
try that. Also double-check your kernel config to make sure it's correct. If 
all else fails, save your .config, make mrproper, rm -rf 
/lib/modules/thatkernel, and rebuild.

Take the last suggestion with a grain of salt, as it's somewhat of a blackbox 
solution.



Re: [gentoo-user] iptables trouble

2003-07-14 Thread Prabhat Gupta
I had the same problem.

Did you emerge iptables?



Sebastian Bergmann wrote:

 I'm using the Linux 2.4.20-gentoo-r5 kernel and iptables 1.2.8-r1.

 When I use iptables -L I get

bash-2.05b# iptables -L
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
unresolved symbol nf_unregister_sockopt
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
unresolved symbol nf_register_sockopt
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
insmod /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o
failed
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
insmod ip_tables failed
iptables v1.2.8: can't initialize iptables table `filter': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
 Any idea what's wrong?

 

--
P r a b h a t  G u p t a 
/\/\*

Senior Software Engineer
Alternative System Concepts, Inc.
www.ascinc.com
22 Haverhill Road
Windham, NH 03087
Phone: (603) 437-2234  (o)





[gentoo-user] iptables and ftp connection

2003-07-02 Thread Patrick Marquetecken
Hi,

I'm having trouble getting ftp working with my iptables settings.
I can connect and log in, but can't see files; then my connection is being closed. If I 
stop iptables then everything works fine. 
Must I use other settings than those below?
INPUT drops all

iptables -A INPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --sport 21 --dport 1024:65535 -j ACCEPT

TIA
Patrick

-- 
 Live long and prosper, Spock. -- T'Pau
 I shall do neither. I have killed my captain, and my friend. -- Spock

 PGP Key: http://users.pandora.be/rivendell/marquetp.gpg
 Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B
 ICQ# 316932703 
 Registered Linux User #44550
 http://counter.li.org




RE: [gentoo-user] iptables and ftp connection

2003-07-02 Thread Gwendolyn van der Linden
 I'm having trouble getting ftp working with my iptables settings.
 I can connect and log in, but can't see files; then my 
 connection is being closed. If I stop iptables then 
 everything works fine. 


See:
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

Gwen.





Re: [gentoo-user] iptables

2003-06-29 Thread Marc Winiger
* Rick Sivernell [EMAIL PROTECTED] [28.06.03 22:48]:
   I have a machine that boots up fine except that iptables says that mask 70 is
 invalid and then terminates. What is wrong, and how do I configure iptables in cl
 mode?

70 is not a mask; I think it should be 700 or perhaps 770.
Search for a config file with 70 in it... could be a typo.

-- 
printk("Illegal format on cdrom.  Pester manufacturer.\n"); 
2.2.16 /usr/src/linux/fs/isofs/inode.c





[gentoo-user] iptables

2003-06-28 Thread Rick Sivernell

  I have a machine that boots up fine except that iptables says that mask 70 is
invalid and then terminates. What is wrong, and how do I configure iptables in cl
mode?

thanks 

cheers

-- 
Rick Sivernell
Dallas, Texas  75287
972 306-2296
[EMAIL PROTECTED]
Gentoo Linux 
Registered Linux User

   .~.
  / v \
 /( _ )\
   ^ ^
In Linux we trust!




[gentoo-user] IPtables compilation error

2003-06-24 Thread Kevin S. Dome
I wish to install iptables for the obvious reason of securing my
machine. I tried to emerge the package with 'emerge iptables'; the package
is downloaded and compilation starts, but I then receive the error
below. I tried 3 other mirrors; I also did an 'emerge sync', removed the
file from /usr/portage/dist and re-ran 'emerge iptables'. I am still
presented with the same error. Any advice would be greatly appreciated.

Kevin


gcc -march=athlon -Wall -Wunused -I/usr/src/linux/include -Iinclude/
-DIPTABLES_VERSION=\"1.2.8\"  -DIPT_LIB_DIR=\"/lib/iptables\" -c -o
iptables.o iptables.c
iptables.c:153: redefinition of `ipt_get_target'
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:294:
`ipt_get_target' previously defined here
make: *** [iptables.o] Error 1

!!! ERROR: net-firewall/iptables-1.2.8-r1 failed.
!!! Function src_compile, Line 55, Exitcode 2
!!! (no error message)






Re: [gentoo-user] iptables error?

2003-06-21 Thread CrPy
Hi,

ip_conntrack_tftp.o != ip_conntrack_ftp.o

You need to activate the module in your kernel config.

/CrPy

Am Samstag, 21. Juni 2003 02:09 schrieb Jorge Almeida:
 On Sat, 21 Jun 2003, Norbert Kamenicky wrote:
  Jorge Almeida wrote:
  unable to load module ip_conntrack_ftp
  ip_nat_ftp: error registering helper for port 21
  
  Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.
 
  Let's have a look at /lib/modules/2.4.21/kernel/net/ipv4/netfilter to see if
  you have these modules ...
 
 

 localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter
 arp_tables.o
 arptable_filter.o
 ip_conntrack_amanda.o
 ip_conntrack_irc.o
 ip_conntrack_tftp.o
 ip_nat_amanda.o
 ip_nat_ftp.o
 ip_nat_irc.o
 ip_nat_snmp_basic.o
 ip_nat_tftp.o
 ip_queue.o
 ip_tables.o
 ipt_DSCP.o
 ipt_ECN.o
 ipt_LOG.o
 ipt_MARK.o
 ipt_MASQUERADE.o
 ipt_MIRROR.o
 ipt_REDIRECT.o
 ipt_REJECT.o
 ipt_TCPMSS.o
 ipt_TOS.o
 ipt_ULOG.o
 ipt_ah.o
 ipt_conntrack.o
 ipt_dscp.o
 ipt_ecn.o
 ipt_esp.o
 ipt_helper.o
 ipt_length.o
 ipt_limit.o
 ipt_mac.o
 ipt_mark.o
 ipt_multiport.o
 ipt_owner.o
 ipt_pkttype.o
 ipt_state.o
 ipt_tcpmss.o
 ipt_tos.o
 ipt_ttl.o
 ipt_unclean.o
 iptable_filter.o
 iptable_mangle.o
 iptable_nat.o





Re: [gentoo-user] iptables error?

2003-06-21 Thread Jorge Almeida
On Sat, 21 Jun 2003, CrPy wrote:

 Hi,
 
 ip_conntrack_tftp.o != ip_conntrack_ftp.o
 
 You need to activate the module in your kernel config.
 
 /CrPy 

Well, it seems that it should be there! Maybe some option of uninformative 
name is missing ...


localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter|grep ftp
ip_conntrack_tftp.o
ip_nat_ftp.o
ip_nat_tftp.o

localhost root # cat /usr/src/linux/.config|grep CONN
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_MATCH_CONNTRACK=m

localhost root # cat /usr/src/linux/.config|grep FTP
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m

localhost root # ls -l /usr/src
total 26844
(...)
lrwxr-xr-x 1 root root 12 Jun 20 21:50 linux -> linux-2.4.21
(...)
-- 
Jorge Almeida





Re: [gentoo-user] iptables error?

2003-06-21 Thread CrPy
Hi Jorge,

there is no problem, because you have it in your kernel and not as a module. 
This means that shorewall fails to load it as a module.

You have to do one of these:
1. live with the error message.
2. configure it as a module (kernel)
3. change the shorewall script

I would prefer to make it a module, to have a minimalistic kernel.

/CrPy

Am Samstag, 21. Juni 2003 11:45 schrieb Jorge Almeida:
 On Sat, 21 Jun 2003, CrPy wrote:
  Hi,
 
  ip_conntrack_tftp.o != ip_conntrack_ftp.o
 
  You need to activate the module in your kernel config.
 
  /CrPy

 Well, it seems that it should be there! Maybe some option of uninformative
 name is missing ...


 localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter|grep ftp
 ip_conntrack_tftp.o
 ip_nat_ftp.o
 ip_nat_tftp.o

 localhost root # cat /usr/src/linux/.config|grep CONN
 CONFIG_IP_NF_CONNTRACK=y
 CONFIG_IP_NF_MATCH_CONNTRACK=m

 localhost root # cat /usr/src/linux/.config|grep FTP
 CONFIG_IP_NF_FTP=y
 CONFIG_IP_NF_TFTP=m
 CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m

 localhost root # ls -l /usr/src
 total 26844
 (...)
 lrwxr-xr-x 1 root root 12 Jun 20 21:50 linux ->
 linux-2.4.21 (...)


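CrPy's diagnosis (built into the kernel versus built as a module) can be checked mechanically from the two things Jorge pasted: the .config and the module directory listing. The script below is an added example, not part of the thread; the module-to-CONFIG mapping is my own table for the 2.4 netfilter helpers (assumed, not taken from the page), and the sample inputs reproduce the values Jorge showed.

```python
import re
from typing import Dict, Set

# Assumed 2.4-era mapping from netfilter helper module to the .config symbol that builds it.
MODULE_SYMBOL = {
    "ip_conntrack": "CONFIG_IP_NF_CONNTRACK",
    "ip_conntrack_ftp": "CONFIG_IP_NF_FTP",
    "ip_conntrack_tftp": "CONFIG_IP_NF_TFTP",
    "ip_nat_ftp": "CONFIG_IP_NF_NAT_FTP",
    "ip_nat_tftp": "CONFIG_IP_NF_NAT_TFTP",
}

# Constructed inputs reproducing the values Jorge pasted above.
SAMPLE_CONFIG = """\
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
"""
SAMPLE_LISTING = "ip_conntrack_tftp.o ip_nat_ftp.o ip_nat_tftp.o ip_tables.o iptable_nat.o"


def parse_kconfig(text: str) -> Dict[str, str]:
    """{SYMBOL: 'y'|'m'|value}; '# CONFIG_X is not set' lines become 'n'."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(CONFIG_\w+)=(.+)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def module_names(listing: str) -> Set[str]:
    """Module names from an ls of /lib/modules/<ver>/kernel/net/ipv4/netfilter (2.4 uses .o)."""
    return {n[:-2] for n in listing.split() if n.endswith(".o")}


def classify(module: str, opts: Dict[str, str], present: Set[str]) -> str:
    """builtin:  in the kernel image, so insmod/modprobe cannot and need not load it
    module:   built as a loadable module and installed
    missing:  .config asks for a module but none is installed (make modules_install?)
    disabled: not configured at all"""
    sym = MODULE_SYMBOL.get(module)
    val = opts.get(sym, "n") if sym else "n"
    if module in present:
        return "module"
    if val == "y":
        return "builtin"
    if val == "m":
        return "missing"
    return "disabled"


def explain(module: str, config_text: str, listing: str) -> str:
    state = classify(module, parse_kconfig(config_text), module_names(listing))
    notes = {
        "builtin": "compiled in; a script's 'unable to load module' message is harmless",
        "module": "loadable; insmod/modprobe should work",
        "missing": "configured as a module but not installed",
        "disabled": "not enabled in this kernel",
    }
    return f"{module}: {state} ({notes[state]})"


if __name__ == "__main__":
    for mod in MODULE_SYMBOL:
        print(explain(mod, SAMPLE_CONFIG, SAMPLE_LISTING))
```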



Re: [gentoo-user] iptables error?

2003-06-21 Thread Jorge Almeida
On Sat, 21 Jun 2003, CrPy wrote:

 Hi Jorge,
 
 there is no problem, because you have it in your kernel and not as a module. 
 This means that shorewall fails to load it as a module.
 
 You have to do one of these:
 1. live with the error message.
 2. configure it as a module (kernel)
 3. change the shorewall script
 
 I would prefer to make it a module, to have a minimalistic kernel.


Thanks, I think I'll live with the error message, for now! :)
-- 
Jorge Almeida





[gentoo-user] iptables error?

2003-06-20 Thread Jorge Almeida
I installed iptables+shorewall in single workstation (cable modem, no
local network, no services provided). The config files are the ones
provided by the vendor Shoreline (except that I commented out the rule 
allowing the box to be ping'ed, the purpose of which I can't guess). The 
thing works (I think), but dmesg outputs, just at the end:
EXT3-fs: mounted filesystem with ordered data mode.
eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability
41e1.
ip_tables: (C) 2000-2002 Netfilter core team
unable to load module ip_conntrack_ftp
ip_nat_ftp: error registering helper for port 21

Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.
TIA.


-- 
Jorge Almeida






Re: [gentoo-user] iptables error?

2003-06-20 Thread Norbert Kamenicky
Jorge Almeida wrote:

unable to load module ip_conntrack_ftp
ip_nat_ftp: error registering helper for port 21
Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.
 

Let's have a look at /lib/modules/2.4.21/kernel/net/ipv4/netfilter to see if 
you have these modules ...



Re: [gentoo-user] iptables error?

2003-06-20 Thread Jorge Almeida
On Sat, 21 Jun 2003, Norbert Kamenicky wrote:

 Jorge Almeida wrote:
 
 unable to load module ip_conntrack_ftp
 ip_nat_ftp: error registering helper for port 21
 
 Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.
   
 
 Let's have a look at /lib/modules/2.4.21/kernel/net/ipv4/netfilter to see if 
 you have these modules ...
 
 
 
localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter
arp_tables.o
arptable_filter.o
ip_conntrack_amanda.o
ip_conntrack_irc.o
ip_conntrack_tftp.o
ip_nat_amanda.o
ip_nat_ftp.o
ip_nat_irc.o
ip_nat_snmp_basic.o
ip_nat_tftp.o
ip_queue.o
ip_tables.o
ipt_DSCP.o
ipt_ECN.o
ipt_LOG.o
ipt_MARK.o
ipt_MASQUERADE.o
ipt_MIRROR.o
ipt_REDIRECT.o
ipt_REJECT.o
ipt_TCPMSS.o
ipt_TOS.o
ipt_ULOG.o
ipt_ah.o
ipt_conntrack.o
ipt_dscp.o
ipt_ecn.o
ipt_esp.o
ipt_helper.o
ipt_length.o
ipt_limit.o
ipt_mac.o
ipt_mark.o
ipt_multiport.o
ipt_owner.o
ipt_pkttype.o
ipt_state.o
ipt_tcpmss.o
ipt_tos.o
ipt_ttl.o
ipt_unclean.o
iptable_filter.o
iptable_mangle.o
iptable_nat.o

-- 
Jorge Almeida





Re: [gentoo-user] iptables error

2003-06-08 Thread Mark Huson
Thank you for all your help. I found another script that works for me to 
replace the old one.


Mark





[gentoo-user] Iptables help

2003-06-07 Thread Mark Huson
Hello,
 I am setting up a wireless network and am using gentoo with the hostap driver 
as an access point. I can ping both from and to the machine, from a wireless 
device and from a wired device, but I cannot ping from a wireless device to 
another wired device on the network. I have set up iptables according to how 
it should work; my script is:

#Activate ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
#Delete rules
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
#Apply new rules
/sbin/iptables -A FORWARD -i wlan0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
/sbin/iptables -A FORWARD -j LOG
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Thanks 
Mark





Re: [gentoo-user] iptables

2003-06-06 Thread Thomas T. Veldhouse
Although correct, you need to make sure that you insert into the firewall
(iptables) at a point where it will actually matter (for instance, an
explicit accept before it will pretty much make your new entry useless).

Tom Veldhouse

- Original Message -
From: Aaron Stout [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 1:53 PM
Subject: [gentoo-user] iptables


 Hi.

 Quick question. I would like to block an ip temporarily. I would like to
 accomplish this without modifying my firewall just on the fly. I am
 banking that all I would need to do is type

 iptables -I INPUT -s [ip] -j DROP

 Am I on the right track, or is this not correct? Any help would be
 appreciated. Thanks.

 --
 Aaron






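Tom's point about where a rule lands, and Andrew Gaffney's earlier question on this page about whether his two rule sets are equivalent, both come down to the same thing: a chain is evaluated top to bottom, the first matching rule decides, and the policy applies only when nothing matched. The simulator below is an added example, not code from either thread: it models an INPUT chain for just the option subset used on this page (-P, -A, -I, -s, -p, --dport, -j), replays Andrew's two variants verbatim against constructed packets, and shows why `-I` blocks an address that `-A` would not. The blocked address is a constructed placeholder for Aaron's `[ip]`.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    target: str
    src: Optional[ipaddress.IPv4Network] = None   # -s; None means any source
    proto: Optional[str] = None                   # -p; None means "all"
    dport: Optional[int] = None                   # --dport; None means any port

    def matches(self, pkt: dict) -> bool:
        return ((self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

@dataclass
class Chain:
    policy: str = "ACCEPT"                 # consulted only when no rule matched
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:            # first match wins; later rules are never seen
            if rule.matches(pkt):
                return rule.target
        return self.policy

def parse_rule(args: List[str]) -> Rule:
    """Parse the option subset used in the thread: -s, -p, --dport, -j."""
    rule = Rule(target="")
    for opt, val in zip(args[::2], args[1::2]):
        if opt == "-s":
            rule.src = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule.proto = None if val.lower() == "all" else val.lower()
        elif opt == "--dport":
            rule.dport = int(val)
        elif opt == "-j":
            rule.target = val
        else:
            raise ValueError(f"unsupported option {opt}")
    if not rule.target:
        raise ValueError("rule needs a -j target")
    return rule

def apply_cmd(chain: Chain, cmd: str) -> None:
    """Apply one iptables command; only -P, -A and -I (no rule number) are modelled."""
    toks = cmd.split()
    if toks[:2] == ["iptables", "-P"]:
        chain.policy = toks[3]
    elif toks[:2] == ["iptables", "-A"]:
        chain.rules.append(parse_rule(toks[3:]))
    elif toks[:2] == ["iptables", "-I"]:
        chain.rules.insert(0, parse_rule(toks[3:]))   # bare -I inserts at position 1
    else:
        raise ValueError(f"unsupported command: {cmd}")

def build(cmds: List[str]) -> Chain:
    chain = Chain()
    for cmd in cmds:
        apply_cmd(chain, cmd)
    return chain

# Andrew's two variants, as posted.
VARIANT_A = [
    "iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 25 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 80 -j ACCEPT",
    "iptables -A INPUT -p all -j DROP",
]
VARIANT_B = ["iptables -P INPUT DROP"] + VARIANT_A[:4]
PACKETS = [  # constructed test packets
    {"src": "192.168.254.9", "proto": "udp", "dport": 53},   # LAN host: anything goes
    {"src": "203.0.113.4", "proto": "tcp", "dport": 22},     # remote SSH
    {"src": "203.0.113.4", "proto": "tcp", "dport": 443},    # remote, port not listed
    {"src": "203.0.113.4", "proto": "udp", "dport": 22},     # right port, wrong protocol
    {"src": "203.0.113.4", "proto": "icmp"},                 # no port at all
]

def verdicts(cmds: List[str]) -> List[str]:
    return [build(cmds).verdict(p) for p in PACKETS]

def insert_vs_append(blocked_src: str) -> Dict[str, str]:
    """Aaron's ad-hoc block: -I lands above the existing ACCEPT, -A below it."""
    base = ["iptables -A INPUT -p tcp --dport 22 -j ACCEPT"]
    pkt = {"src": blocked_src, "proto": "tcp", "dport": 22}
    inserted = build(base + [f"iptables -I INPUT -s {blocked_src} -j DROP"])
    appended = build(base + [f"iptables -A INPUT -s {blocked_src} -j DROP"])
    return {"insert": inserted.verdict(pkt), "append": appended.verdict(pkt)}
```

Both of Andrew's variants give the same verdict for every packet; they differ only in whether the drop is an explicit last rule or the chain policy, which matters when rules are flushed with -F (the policy survives, the rule does not).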



Re: [gentoo-user] iptables error

2003-06-06 Thread Klaus D. Neumann
On Thursday 05 June 2003 04:22 am, Mark Fisher wrote:

 On Thursday 05 Jun 2003 3:08 am, Klaus D. Neumann wrote:
  modprobe: Can't locate module ip_tables
  iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do
  you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.
 
  What did I do wrong?

 What happens when you type the command:

 insmod ip_tables

bash-2.05b# insmod ip_tables
insmod: ip_tables: no module by that name found

Well, I didn't compile iptables as module, I think. Should I?


 I tend to write a bash script which contains my rules in the format you
 describe, the first 3 things being to load the modules, flush the old rules
 and set the default policies.

After I'll get it to work, I'll get back to you on this one, okay? ;-)

-- 
Best regards,
Klaus
--
Gentoo Linux = the better choice!





Re: [gentoo-user] iptables error

2003-06-06 Thread Klaus D. Neumann
On Thursday 05 June 2003 04:22 am, Mark Fisher wrote:

 On Thursday 05 Jun 2003 3:08 am, Klaus D. Neumann wrote:
  modprobe: Can't locate module ip_tables
  iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do
  you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.
 
  What did I do wrong?

 What happens when you type the command:

 insmod ip_tables

After recompiling my kernel, with iptables as a module this time, the command gives me 
this:
bash-2.05b# insmod ip_tables
Using /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: 
unresolved symbol nf_register_sockopt_Rsmp_09a77aa2
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: 
unresolved symbol nf_unregister_sockopt_Rsmp_7569bdc4
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: 
unresolved symbol remove_proc_entry_Rsmp_3740881b
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: 
unresolved symbol proc_net_Rsmp_8ee840e3
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: 
unresolved symbol create_proc_entry_Rsmp_b28c3205
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: 
unresolved symbol irq_stat_Rsmp_fb5eda84

Any idea what that means?

-- 
Best regards,
Klaus
--
Gentoo Linux = the better choice!





Re: [gentoo-user] iptables error

2003-06-06 Thread Mark Fisher

On Friday 06 Jun 2003 7:12 am, Klaus D. Neumann wrote:

 After recompiling my kernel, with iptables as a module this time, the command gives
 me this:
 bash-2.05b# insmod ip_tables
 Using /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 unresolved symbol nf_register_sockopt_Rsmp_09a77aa2
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 unresolved symbol nf_unregister_sockopt_Rsmp_7569bdc4
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 unresolved symbol remove_proc_entry_Rsmp_3740881b
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 unresolved symbol proc_net_Rsmp_8ee840e3
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 unresolved symbol create_proc_entry_Rsmp_b28c3205
 /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o:
 unresolved symbol irq_stat_Rsmp_fb5eda84

 Any idea what that means?

My gut feeling is that the module didn't compile correctly, probably because of 
a missed-out make clean or make mrproper at the kernel compiling stage... 
without these lines the /usr/src/linux dir is still dirty from the last 
compile.

Try the following:

cp /usr/src/linux/.config /root
cd /usr/src/linux
make clean
make mrproper
make menuconfig
[ just save and exit ... this will recreate your .config file - as the 
'mrproper' stage just deleted it ;) ]
cp /root/.config ./
make dep && make clean bzImage modules modules_install

Then copy the bzImage file to /boot, point grub at it and try again :o)

HTH

-- 
Mark


