Re: [gentoo-user] iptables TARPIT match
On Tue, 15 Feb 2005 01:38:05 +, Michael Thompson [EMAIL PROTECTED] wrote:
> What do I need to do to enable the TARPIT match in IPTables?
> I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5
> When I try and add a tarpit rule, such as
>   iptables -A INPUT -p TCP --dport 80 -j TARPIT
> I get back
>   iptables: No chain/target/match by that name
> Any help appreciated.

Did you compile/load the kernel module for target TARPIT?

--
Regards
Karol Krzak

--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] iptables TARPIT match
On Tue, 15 Feb 2005, Michael Thompson wrote:
> What do I need to do to enable the TARPIT match in IPTables?
> I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5
> When I try and add a tarpit rule, such as
>   iptables -A INPUT -p TCP --dport 80 -j TARPIT
> I get back
>   iptables: No chain/target/match by that name

Some modules need to be explicitly loaded with the -m flag. Assuming you have the tarpit modules compiled and installed, you would use this to load it:

  iptables -A INPUT --protocol tcp --dport 80 -m tarpit -j TARPIT
Re: [gentoo-user] IPTables - A good place to start ?
Mal Herring wrote:
> Hi List,
> I have previously used FWBuilder to build a firewall script, however now I need a simple fw script to protect a single host that will not be behind a net or anything like that...
> Can someone point me in the direction of some easy scripts to reference or some material good for a n00b to get me started ?
> Thanks in advance

Continue using fwbuilder; to learn more, compare the output of the compiled firewall (it is a bash script) to what you do in the program.

The homepage for iptables/netfilter is http://www.netfilter.org/
Docs (with translations): http://www.it.netfilter.org/documentation/index.html

Generally, if you don't serve anything to the network, simply:
- block connections that are not started from your host
- block malformed packets
- and accept the outgoing; one exception is active ftp, on port 20.

ciao
francesco
Re: [gentoo-user] iptables: block full ip-range
Hi,

There you go! That's very cool, that calculator.

Chris

On 25 Jan 2005, at 20:02, Ralph Slooten wrote:
> Thanks Chris ... it's not all 100% clear now, but slowly understanding more. When I eventually get it I'll create a php script to do it for me *g*. Thanks again for your time.
> I did find this though: http://logi.cc/nw/NetBitCalc.html (using the netaddr option). Maybe it'll interest others too.
>
> Ralph
>
> Chris Boot wrote:
>> Hi,
>> I used the IP Address Converter section. I got the binary for the first IP (218.144.0.0), which is:
>>   11011010 1001
>> Then for the second (218.159.255.255), which is
>>   11011010 1001
>> Notice how the first 12 bits stay the same, and the last 12 change? 12 is the magic number in this case. :-)
>> There should be an easier tool for this, but it does the trick.
>>
>> Chris

--
Chris Boot
[EMAIL PROTECTED]
http://www.bootc.net/
Re: [gentoo-user] iptables: block full ip-range
Hi,

I found a nice IP address calculator at http://www.telusplanet.net/public/sparkman/netcalc.htm
Using that, we get 218.144.0.0/12.

HTH,
Chris

Ralph Slooten wrote:
> Hello fellow gentoo users,
> I run my own dedicated internet server from home with of course gentoo. What I have noticed, as probably many of you have, is that users from certain ISP's do daily attempts to relay mail, log into ssh etc etc ... Ok, so I'm pretty well secured as they don't even come close, but I'm still not happy. Most of these attempts come from kornet, as with most of my spam.
> What I would like to do is drop their whole entire ip-range with iptables... but how? I know how with a simple subnet, but some (they have several) of their ranges are given as:
>   218.144.0.0 - 218.159.255.255
> Is there any way to add this range in iptables easily, without having to do each from 218.144* 218.145* etc etc
>
> Greetings
> Ralph
Re: [gentoo-user] iptables: block full ip-range
Wow, thanks Chris for the link. I just asked my boss to explain it to me (without showing him your answer) and he manually worked it out to be exactly the same. The issue I have is binary etc ... it's still Greek to me (I will try to learn it soon though).

Ok, now for the real n00b question :-) In which section did you work it out on that page (possibly a screenshot sent to my email if explaining is hard)?

Thanks for the help,
Greetings
Ralph

Chris Boot wrote:
> Hi,
> I found a nice IP address calculator at http://www.telusplanet.net/public/sparkman/netcalc.htm
> Using that, we get 218.144.0.0/12.
> HTH,
> Chris
>
> Ralph Slooten wrote:
>> Hello fellow gentoo users,
>> I run my own dedicated internet server from home with of course gentoo. What I have noticed, as probably many of you have, is that users from certain ISP's do daily attempts to relay mail, log into ssh etc etc ... Ok, so I'm pretty well secured as they don't even come close, but I'm still not happy. Most of these attempts come from kornet, as with most of my spam.
>> What I would like to do is drop their whole entire ip-range with iptables... but how? I know how with a simple subnet, but some (they have several) of their ranges are given as:
>>   218.144.0.0 - 218.159.255.255
>> Is there any way to add this range in iptables easily, without having to do each from 218.144* 218.145* etc etc
>> Greetings
>> Ralph
Re: [gentoo-user] iptables: block full ip-range
Hi,

I used the IP Address Converter section. I got the binary for the first IP (218.144.0.0), which is:
  11011010 1001
Then for the second (218.159.255.255), which is
  11011010 1001
Notice how the first 12 bits stay the same, and the last 12 change? 12 is the magic number in this case. :-)

There should be an easier tool for this, but it does the trick.

Chris

Ralph Slooten wrote:
> Wow, thanks Chris for the link. I just asked my boss to explain it to me (without showing him your answer) and he manually worked it out to be exactly the same. The issue I have is binary etc ... it's still Greek to me (I will try to learn it soon though).
> Ok, now for the real n00b question :-) In which section did you work it out on that page (possibly a screenshot sent to my email if explaining is hard)?
> Thanks for the help,
> Greetings
> Ralph
>
> Chris Boot wrote:
>> Hi,
>> I found a nice IP address calculator at http://www.telusplanet.net/public/sparkman/netcalc.htm
>> Using that, we get 218.144.0.0/12.
>> HTH,
>> Chris
>>
>> Ralph Slooten wrote:
>>> Hello fellow gentoo users,
>>> I run my own dedicated internet server from home with of course gentoo. What I have noticed, as probably many of you have, is that users from certain ISP's do daily attempts to relay mail, log into ssh etc etc ... Ok, so I'm pretty well secured as they don't even come close, but I'm still not happy. Most of these attempts come from kornet, as with most of my spam.
>>> What I would like to do is drop their whole entire ip-range with iptables... but how? I know how with a simple subnet, but some (they have several) of their ranges are given as:
>>>   218.144.0.0 - 218.159.255.255
>>> Is there any way to add this range in iptables easily, without having to do each from 218.144* 218.145* etc etc
>>> Greetings
>>> Ralph
Re: [gentoo-user] iptables: block full ip-range
Thanks Chris ... it's not all 100% clear now, but slowly understanding more. When I eventually get it I'll create a php script to do it for me *g*. Thanks again for your time.

I did find this though: http://logi.cc/nw/NetBitCalc.html (using the netaddr option). Maybe it'll interest others too.

Ralph

Chris Boot wrote:
> Hi,
> I used the IP Address Converter section. I got the binary for the first IP (218.144.0.0), which is:
>   11011010 1001
> Then for the second (218.159.255.255), which is
>   11011010 1001
> Notice how the first 12 bits stay the same, and the last 12 change? 12 is the magic number in this case. :-)
> There should be an easier tool for this, but it does the trick.
>
> Chris
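The "count the bits that stay the same" method from the thread, written out as an added example (not part of the mailing-list posts). It applies Chris's prefix-length trick to the kornet range, then uses the standard library to get an exact CIDR cover for ranges that are not aligned to a single block, and emits the matching iptables DROP rules; all addresses other than the thread's 218.144.0.0 - 218.159.255.255 are constructed samples.

```python
"""Convert an address range (first - last) into CIDR blocks and iptables rules.

Added example for the thread above; the 10.0.0.x range below is a constructed
sample used to show what happens when a range is NOT a single aligned block.
"""
import ipaddress
from typing import List


def common_prefix_bits(first: str, last: str) -> int:
    """Chris's method: how many leading bits do the two ends of the range share?

    218.144.0.0      = 11011010 10010000 00000000 00000000
    218.159.255.255  = 11011010 10011111 11111111 11111111
    The first 12 bits agree, so the enclosing block is a /12.
    """
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    differing = a ^ b                 # set bits = positions where the ends differ
    return 32 - differing.bit_length()


def enclosing_cidr(first: str, last: str) -> str:
    """Smallest single CIDR block that contains the whole range.

    Beware: this is only an *exact* match when `first` is the block's network
    address and `last` its broadcast address. Otherwise it over-blocks
    neighbouring addresses that were never in the range.
    """
    bits = common_prefix_bits(first, last)
    return str(ipaddress.ip_network(f"{first}/{bits}", strict=False))


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Exact cover of first..last by one or more CIDR blocks, nothing extra.

    ipaddress.summarize_address_range does the splitting; for the thread's
    range it returns the single block 218.144.0.0/12.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is after range end {last}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def iptables_drop_rules(first: str, last: str, chain: str = "INPUT") -> List[str]:
    """One `iptables -A <chain> -s <cidr> -j DROP` line per covering block."""
    return [f"iptables -A {chain} -s {cidr} -j DROP"
            for cidr in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # The range from the thread: aligned, so one block is exact.
    print(common_prefix_bits("218.144.0.0", "218.159.255.255"))     # 12
    for rule in iptables_drop_rules("218.144.0.0", "218.159.255.255"):
        print(rule)
    # Constructed sample: the prefix trick alone would over-block here.
    print(enclosing_cidr("10.0.0.1", "10.0.0.6"))                   # 10.0.0.0/29
    print(range_to_cidrs("10.0.0.1", "10.0.0.6"))                   # four exact blocks
```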
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Neil Rachynski wrote:
> Greetings,
> I have just finished a GRP installation on a box I was intending to use as a router/firewall for my home computers. However, once I reboot the system after the installation is done and emerge iptables (1.2.8-r1), I can not add, list, or do anything to iptables itself. The error I receive is:
>   iptables v1.2.8: can't intitialize iptables table 'filter': Tables does not exist (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
> When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.
> I was hoping to be able to get iptables up and running before connecting to the internet and doing an 'emerge sync' and 'emerge -u world'. I have been through the gentoo user forums but the only suggestions I could find there were to either re-emerge my kernel and/or iptables. I've done so several times and have built iptables support right into the kernel as well as as modules.
> If anyone has any suggestions, please let me know.
> Neil Rachynski

What is 'lsmod | grep ipt' saying? You must see at minimum the ip_tables module, but I have about 15. Look in /lib/modules/./netfilter/* for all available modules.

noro

--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Not at home at the moment, but when I did 'lsmod' earlier, only ip_tables was listed (I would have to manually 'modprobe' other modules for iptables).

----- Original Message -----
From: Norbert Kamenicky [EMAIL PROTECTED]
Date: Monday, February 2, 2004 9:10 am
Subject: Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'

> Neil Rachynski wrote:
>> Greetings,
>> I have just finished a GRP installation on a box I was intending to use as a router/firewall for my home computers. However, once I reboot the system after the installation is done and emerge iptables (1.2.8-r1), I can not add, list, or do anything to iptables itself. The error I receive is:
>>   iptables v1.2.8: can't intitialize iptables table 'filter': Tables does not exist (do you need to insmod?)
>>   Perhaps iptables or your kernel needs to be upgraded.
>> When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.
>> I was hoping to be able to get iptables up and running before connecting to the internet and doing an 'emerge sync' and 'emerge -u world'. I have been through the gentoo user forums but the only suggestions I could find there were to either re-emerge my kernel and/or iptables. I've done so several times and have built iptables support right into the kernel as well as as modules.
>> If anyone has any suggestions, please let me know.
>> Neil Rachynski
>
> What is 'lsmod | grep ipt' saying? You must see at minimum the ip_tables module, but I have about 15. Look in /lib/modules/./netfilter/* for all available modules.
>
> noro
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Sorry for this message, it was accidental.
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
On Feb 2, 2004, at 2:50 pm, Neil Rachynski wrote:
>   iptables v1.2.8: can't intitialize iptables table 'filter': Tables does not exist (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
> When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.

Dumb, possibly irrelevant question: is the machine you got /var/lib/iptables/rules-save from (??) also a Gentoo box..?

Stroller.
Re: [gentoo-user] iptables v1.2.8: can't initialize iptables tables 'filter'
Stroller wrote:
> On Feb 2, 2004, at 2:50 pm, Neil Rachynski wrote:
>>   iptables v1.2.8: can't intitialize iptables table 'filter': Tables does not exist (do you need to insmod?)
>>   Perhaps iptables or your kernel needs to be upgraded.
>> When I went to view the file 'rules-save' in /var/lib/iptables, the file was completely blank (explaining why it can't find the filter table). At that point, I copied the rules-save file from another working PC to this one. However, it would then give me an error when restoring the ruleset (always the line containing '*filter'). The working one is running iptables-1.2.9 so I'm not sure if that'll make a difference with the rules-save file.
>
> Dumb, possibly irrelevant question: is the machine you got /var/lib/iptables/rules-save from (??) also a Gentoo box..?
>
> Stroller.

Yes, both are Gentoo.
Re: [gentoo-user] iptables error
On Monday 26 January 2004 11:28, Catalin Constantin wrote:
> i get the following error when trying to add an iptables rule.
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o failed
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
>   iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
>
>   gentoo root # epm -qf /usr/src/linux-2.4.22/
>   vanilla-sources-2.4.22
>
> any hints ?

Something b0rked in your kernel compile. I'd back up your .config, make mrproper, copy back the .config and re-'make dep make bzImage make modules modules_install', copy the new kernel and reboot.

--
Mike Williams
Re: [gentoo-user] iptables error
Emerge iptables again.

----- Original Message -----
From: Catalin Constantin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 26, 2004 12:28 PM
Subject: [gentoo-user] iptables error

> i get the following error when trying to add an iptables rule.
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o failed
>   /lib/modules/2.4.22/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
>   iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
>
>   gentoo root # epm -qf /usr/src/linux-2.4.22/
>   vanilla-sources-2.4.22
>
> any hints ?
> thank you !
>
> --
> Catalin Constantin
> Bounce Software
> www.bounce-software.com
RE: [gentoo-user] iptables
> hi, i am seeking an application for easy building of iptables scripts, it's not anything advanced, it just gotta block some ports from public, and route some ports to another machine on my LAN, can anyone suggest an app? thanks!

Many like shorewall, and some use fwbuilder. My preference is monmotha. You can also read some and write your own.

-rex
Re: [gentoo-user] iptables
On Fri, 21 Nov 2003 15:29:45 -0800, Redeeman muttered:
> hi, i am seeking an application for easy building of iptables scripts, it's not anything advanced, it just gotta block some ports from public, and route some ports to another machine on my LAN, can anyone suggest an app? thanks!

rc.firewall - at projectfiles.com IIRC.

--
Andrew Farmer [EMAIL PROTECTED]
RE: [gentoo-user] iptables and linux 2.6-test9
Hi Redeeman,

> hi, i am running linux2.6-test9, and i want to use iptables, i read the gentoo ip masquerading guide, but, i am wondering about the stuff kernel side, i only want to filter some ports, and forward some ports, what stuff should i enable in the kernel? and after that, should i emerge iptables? (is iptables a program needed to use the iptables stuff in kernel?)

I added all kernel options under netfilter (excluding ipchains and experimental stuff) as modules. The iptables in Portage wouldn't compile on my hardware so I downloaded the latest available from the iptables website, and compiled and installed that successfully. Then I used turtlefirewall to configure my firewall rules.

Cheers!
Chris
Re: [gentoo-user] iptables
OK, it's getting better, but it still doesn't work. Here's what happens:

  root # iptables -t nat -I POSTROUTING -j MASQUERAQDE -s 192.168.1.3/16
  /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
  /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
  /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o failed
  /lib/modules/2.4.22-ck1/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
  iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

These are the kernel configs:

  #
  # Networking options
  #
  CONFIG_PACKET=y
  # CONFIG_PACKET_MMAP is not set
  # CONFIG_NETLINK_DEV is not set
  CONFIG_NETFILTER=y
  # CONFIG_NETFILTER_DEBUG is not set
  CONFIG_FILTER=y
  CONFIG_UNIX=y
  CONFIG_INET=y
  CONFIG_IP_MULTICAST=y
  # CONFIG_IP_ADVANCED_ROUTER is not set
  # CONFIG_IP_PNP is not set
  # CONFIG_NET_IPIP is not set
  # CONFIG_NET_IPGRE is not set
  # CONFIG_IP_MROUTE is not set
  # CONFIG_ARPD is not set
  # CONFIG_INET_ECN is not set
  # CONFIG_SYN_COOKIES is not set

  #
  # IP: Netfilter Configuration
  #
  CONFIG_IP_NF_CONNTRACK=m
  CONFIG_IP_NF_FTP=m
  # CONFIG_IP_NF_AMANDA is not set
  # CONFIG_IP_NF_TFTP is not set
  # CONFIG_IP_NF_IRC is not set
  # CONFIG_IP_NF_QUEUE is not set
  CONFIG_IP_NF_IPTABLES=m
  CONFIG_IP_NF_MATCH_LIMIT=m
  CONFIG_IP_NF_MATCH_MAC=m
  CONFIG_IP_NF_MATCH_PKTTYPE=m
  CONFIG_IP_NF_MATCH_MARK=m
  CONFIG_IP_NF_MATCH_MULTIPORT=m
  CONFIG_IP_NF_MATCH_TOS=m
  CONFIG_IP_NF_MATCH_RECENT=m
  CONFIG_IP_NF_MATCH_ECN=m
  CONFIG_IP_NF_MATCH_DSCP=m
  CONFIG_IP_NF_MATCH_AH_ESP=m
  CONFIG_IP_NF_MATCH_LENGTH=m
  CONFIG_IP_NF_MATCH_TTL=m
  CONFIG_IP_NF_MATCH_TCPMSS=m
  CONFIG_IP_NF_MATCH_HELPER=m
  CONFIG_IP_NF_MATCH_STATE=m
  CONFIG_IP_NF_MATCH_CONNTRACK=m
  CONFIG_IP_NF_MATCH_UNCLEAN=m
  CONFIG_IP_NF_MATCH_OWNER=m
  CONFIG_IP_NF_FILTER=m
  CONFIG_IP_NF_TARGET_REJECT=m
  CONFIG_IP_NF_TARGET_MIRROR=m
  CONFIG_IP_NF_NAT=m
  CONFIG_IP_NF_NAT_NEEDED=y
  CONFIG_IP_NF_TARGET_MASQUERADE=m
  CONFIG_IP_NF_TARGET_REDIRECT=m
  CONFIG_IP_NF_NAT_LOCAL=y
  CONFIG_IP_NF_NAT_SNMP_BASIC=m
  CONFIG_IP_NF_NAT_FTP=m

I put everything I could think of in there. What's going on? Am I still missing something?

Thanks.
-Brian

On Tue, 04 Nov 2003 11:56:20 + Mike Williams [EMAIL PROTECTED] wrote:
> On Sunday 02 November 2003 23:27, Brian Doob wrote:
>> Changing that didn't seem to fix my problem. Here's what happened:
>>   root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
>>   modprobe: Can't locate module ip_tables
>>   iptables v1.2.7a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
>>   Perhaps iptables or your kernel needs to be upgraded.
>> This is my network/netfilter configs (for ck-sources 2.4.22-ck1):
>>   #
>>   # IP: Netfilter Configuration
>>   #
>>   CONFIG_IP_NF_CONNTRACK=m
>>   CONFIG_IP_NF_FTP=m
>>   # CONFIG_IP_NF_AMANDA is not set
>>   # CONFIG_IP_NF_TFTP is not set
>>   # CONFIG_IP_NF_IRC is not set
>>   # CONFIG_IP_NF_QUEUE is not set
>>   CONFIG_IP_NF_IPTABLES=y
>> So what do I need to do to get NAT working? Any thoughts, anyone? Thanks.
>
> You need way more than that. Select 'IP tables support (required for filtering/masq/NAT)' then scroll down to and select the NAT option and its options.
>
> --
> Mike Williams
Re: [gentoo-user] iptables
On Sunday 02 November 2003 23:27, Brian Doob wrote:
> Changing that didn't seem to fix my problem. Here's what happened:
>   root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
>   modprobe: Can't locate module ip_tables
>   iptables v1.2.7a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
> This is my network/netfilter configs (for ck-sources 2.4.22-ck1):
>   #
>   # IP: Netfilter Configuration
>   #
>   CONFIG_IP_NF_CONNTRACK=m
>   CONFIG_IP_NF_FTP=m
>   # CONFIG_IP_NF_AMANDA is not set
>   # CONFIG_IP_NF_TFTP is not set
>   # CONFIG_IP_NF_IRC is not set
>   # CONFIG_IP_NF_QUEUE is not set
>   CONFIG_IP_NF_IPTABLES=y
> So what do I need to do to get NAT working? Any thoughts, anyone? Thanks.

You need way more than that. Select 'IP tables support (required for filtering/masq/NAT)' then scroll down to and select the NAT option and its options.

--
Mike Williams
Re: [gentoo-user] iptables
I just re-emerged iptables, but that didn't seem to help. Here's what happened:

  root # iptables -t nat -I POSTROUTING -j MASQUERAQDE -s 192.168.1.3/16
  modprobe: Can't locate module ip_tables
  iptables v1.2.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

I won't post my kernel configs this time, but it's the same as last time.

Do I need to modify /etc/config.d/iptables? The file does contain ENABLE_FORWARDING_IPv4=no; do I need to change that? Do I need to run iptables as a service? When I try, I get:

  root # /etc/init.d/iptables start
   * Not starting iptables. First create some rules then run
   * /etc/init.d/iptables save

If I need to do this, what rules need to be set up?

Thanks.
-Brian

On Sun, 02 Nov 2003 15:43:31 -0800 [EMAIL PROTECTED] (Andrew Farmer) wrote:
> On Sun, 02 Nov 2003 15:27:09 -0800, Brian Doob muttered:
>> Changing that didn't seem to fix my problem.
>
> Hmm. Try re-emerging iptables?
>
> --
> Andrew Farmer [EMAIL PROTECTED]
Re: [gentoo-user] iptables and gentoo sources?
iptables sometimes requires re-emerging to work with a different kernel. Don't know why, just that it's needed sometimes.

BillK

On Sun, 2003-11-02 at 17:24, Jorge Almeida wrote:
> Hi everyone,
> I tried iptables/shorewall with gentoo-sources and it didn't work. So I changed to vanilla-sources and it works fine. I read somewhere that gentoo-sources had some incompatibility with iptables. This was some months ago, if I recall correctly. So the question is: is it all right to use gentoo-sources with iptables? Is the problem solved, assuming that there really was one?
> Regards,
> Jorge Almeida

--
William Kenworthy [EMAIL PROTECTED]
Re: [gentoo-user] iptables and gentoo sources?
On Sun, 2 Nov 2003, William Kenworthy wrote:
> iptables sometimes requires re-emerging to work with a different kernel. Don't know why, just that it's needed sometimes.

If I understand your point correctly, it doesn't apply: I had gentoo-sources running when I first installed iptables, and I changed to vanilla-sources only because the former didn't work. Anyway, what I need is just some input from people using gentoo-sources+iptables/shorewall (in other words: can it be done?). I may have to install gentoo on a new box soon, and I have to choose the kernel flavor.

Regards,
Jorge Almeida
Re: [gentoo-user] iptables
On Sun, 02 Nov 2003 12:32:31 -0800, Brian Doob muttered:
> I'm trying to get IPTables to work under Gentoo (to connect my Linux PDA (with USB ethernet) to the net). This is what happens when I try to use IPTables:
> [snip]
>   # CONFIG_FILTER is not set

There's your answer...

--
Andrew Farmer [EMAIL PROTECTED]
Re: [gentoo-user] iptables and gentoo sources?
-- quoting Jorge Almeida --
> If I understand your point correctly, it doesn't apply: I had gentoo-sources running when I first installed iptables, and I changed to vanilla-sources only because the former didn't work. Anyway, what I need is just some input from people using gentoo-sources+iptables/shorewall (in other words: can it be done?). I may have to install gentoo on a new box soon, and I have to choose the kernel flavor.

Yes, no problem with this here. I just installed such a setup some days ago, gentoo-sources and the newest stable iptables version. IMHO it's a good idea to always have the newest (stable) version of iptables installed on a Linux firewall...

Greetings,
Matthias

--
Homer: Hey, Flanders, it's no use praying. I already did the same thing, and we can't both win.
Flanders: Actually, Simpson, we were praying that no one gets hurt.
        Dead Putting Society
Re: [gentoo-user] iptables
Changing that didn't seem to fix my problem. Here's what happened:

  root # iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.1.3/16
  modprobe: Can't locate module ip_tables
  iptables v1.2.7a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

This is my network/netfilter configs (for ck-sources 2.4.22-ck1):

  #
  # Networking options
  #
  CONFIG_PACKET=y
  # CONFIG_PACKET_MMAP is not set
  # CONFIG_NETLINK_DEV is not set
  CONFIG_NETFILTER=y
  # CONFIG_NETFILTER_DEBUG is not set
  CONFIG_FILTER=y
  CONFIG_UNIX=y
  CONFIG_INET=y
  CONFIG_IP_MULTICAST=y
  # CONFIG_IP_ADVANCED_ROUTER is not set
  # CONFIG_IP_PNP is not set
  # CONFIG_NET_IPIP is not set
  # CONFIG_NET_IPGRE is not set
  # CONFIG_IP_MROUTE is not set
  # CONFIG_ARPD is not set
  # CONFIG_INET_ECN is not set
  # CONFIG_SYN_COOKIES is not set

  #
  # IP: Netfilter Configuration
  #
  CONFIG_IP_NF_CONNTRACK=m
  CONFIG_IP_NF_FTP=m
  # CONFIG_IP_NF_AMANDA is not set
  # CONFIG_IP_NF_TFTP is not set
  # CONFIG_IP_NF_IRC is not set
  # CONFIG_IP_NF_QUEUE is not set
  CONFIG_IP_NF_IPTABLES=y

So what do I need to do to get NAT working? Any thoughts, anyone?

Thanks.
-Brian

On Sun, 02 Nov 2003 12:36:48 -0800 [EMAIL PROTECTED] (Andrew Farmer) wrote:
> On Sun, 02 Nov 2003 12:32:31 -0800, Brian Doob muttered:
>> I'm trying to get IPTables to work under Gentoo (to connect my Linux PDA (with USB ethernet) to the net). This is what happens when I try to use IPTables:
>> [snip]
>>   # CONFIG_FILTER is not set
>
> There's your answer...
>
> --
> Andrew Farmer [EMAIL PROTECTED]
Re: [gentoo-user] iptables
On Sun, 02 Nov 2003 15:27:09 -0800, Brian Doob muttered:
> Changing that didn't seem to fix my problem.

Hmm. Try re-emerging iptables?

--
Andrew Farmer [EMAIL PROTECTED]
Re: [gentoo-user] iptables firewall+nat problem
Simon,

Save yourself a lot of time and headache and download (emerge -p shorewall) Shorewall firewall. IPtables made easy. This site is well maintained, has a great mailing list and awesome easy-to-follow FAQs for standalone workstation, 2 NIC and 3 NIC setups with DMZ. Shorewall is very lightweight and is a full featured stateful packet filtering firewall that uses a series of simple shell scripts to take all the (masochistic fun) out of configuring iptables line by line, word by word.

http://www.shorewall.net

Unless you're trying to learn iptables of course.. Heh. :P

JBanks

--- Simon_Kühling [EMAIL PROTECTED] wrote:

hi everyone,

i'm trying to get my gentoo box running as a firewall and nat-router for my home-network. therefore i took the iptables-example script as seen in the gentoo security guide (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and modified it a little. the server is able to establish an adsl-connection and lynx has no prob to surf the net. the firewall script is started and from inside the network i can easily access the server (192.168.0.1) via ssh, but there's no response to pings from e.g. 192.168.0.121. the server itself is not able to make pings and gets a strange error message:

***
tux root # ping www.google.com
PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- www.google.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
***

my firewallscript is attached to this mail. i do not see a mistake or something in that script. btw another strange behavior: yesterday the nat routing suddenly ran for about 10 minutes without changing the script (as i can remember).

i am thankful for every little hint :)

simon

#!/sbin/runscript

IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=145.253.2.11
DNS2=145.253.2.75
#inside
IINTERFACE=eth0
#outside
OINTERFACE=ppp0

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net procparam
}

rules() {
  stop
  ebegin "Setting internal rules"

  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP

  #default rule
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
  $IPTABLES -A allowed-connection -j DROP

  #ICMP traffic
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -j DROP

  #Incoming traffic
  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  #Flood protection
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

  #outgoing traffic
  einfo "Creating outgoing ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-out
  $IPTABLES -F allow-ssh-traffic-out
  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

  einfo "Creating outgoing dns traffic chain"
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

  einfo "Creating outgoing http/https traffic chain"
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

  #Catch portscanners
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags
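The LOG rules in Simon's script (the "Bad packet from eth0:", "Bad ICMP traffic:" and "NMAP-XMAS:" prefixes) only pay off if someone reads what they write to syslog. As an added example, not code from the thread or from the Gentoo guide, here is a small Python parser for those kernel log lines, together with the same `--tcp-flags MASK COMP` test that the check-flags chain applies. The log lines, hostname and addresses are constructed for the demo (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); nothing here is real traffic.

```python
"""Added example, not code from the thread: parse the kernel log lines that the
LOG targets in Simon's script emit (prefixes such as "NMAP-XMAS:" and
"Bad packet from eth0:") and apply the same --tcp-flags test the check-flags
chain uses. The log lines below are constructed for the demo; the addresses
are documentation ranges, not real hosts."""
import re
from collections import Counter

# Constructed sample of what syslog records for the script's LOG rules.
SAMPLE_LOG = """\
Nov  1 06:10:12 tux kernel: NMAP-XMAS: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=40123 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Nov  1 06:10:13 tux kernel: NMAP-XMAS: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54322 PROTO=TCP SPT=40123 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Nov  1 06:11:02 tux kernel: Bad packet from eth0: IN=eth0 OUT= MAC= SRC=192.168.0.121 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33001 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  1 06:11:30 tux kernel: eth0: link up
"""

# A LOG line is "<prefix> IN=... OUT=... key=value ... <flag tokens> URGP=n".
LINE_RE = re.compile(r"kernel: (?P<prefix>[^=]*?):?\s*(?P<rest>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
ALL_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return a dict of the LOG fields plus 'prefix' and the TCP 'flags' set, or None
    for lines that did not come from a netfilter LOG rule."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = dict(KV_RE.findall(rest))
    rec["prefix"] = m.group("prefix").strip()
    rec["flags"] = {tok for tok in rest.split() if tok in ALL_TCP_FLAGS}
    return rec


def tcp_flags_match(flags, mask, comp):
    """Semantics of iptables --tcp-flags MASK COMP: among the flags named in MASK,
    exactly those in COMP must be set. ALL means all six flags, NONE means none."""
    mask_set = ALL_TCP_FLAGS if mask == "ALL" else set(mask.split(","))
    comp_set = set() if comp == "NONE" else set(comp.split(","))
    return flags & mask_set == comp_set


def is_xmas(rec):
    """The check-flags rule from the script: --tcp-flags ALL FIN,URG,PSH."""
    return rec.get("PROTO") == "TCP" and tcp_flags_match(rec["flags"], "ALL", "FIN,URG,PSH")


def hits_by_source(log_text):
    """Count LOG hits per (prefix, SRC). LOG rules behind -m limit only record a
    sample of matching packets, so these counts are a floor, not a packet count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec:
            counts[(rec["prefix"], rec["SRC"])] += 1
    return counts


def xmas_sources(log_text):
    """Sources whose logged packets carry exactly the FIN+PSH+URG combination."""
    recs = (parse_log_line(line) for line in log_text.splitlines())
    return sorted({rec["SRC"] for rec in recs if rec and is_xmas(rec)})


if __name__ == "__main__":
    for key, n in sorted(hits_by_source(SAMPLE_LOG).items()):
        print(f"{n:3d}  {key[0]:<22} {key[1]}")
    print("xmas sources:", xmas_sources(SAMPLE_LOG))
```

`tcp_flags_match` is the part worth reading twice: `--tcp-flags ALL FIN,URG,PSH` examines all six flags and requires exactly FIN, PSH and URG, whereas the `--tcp-flags SYN,RST,ACK SYN` form used later in this thread examines only three flags, so a packet with FIN or PSH set still passes that test as long as SYN is the only one of the three that is set. Because the NMAP-XMAS LOG rule sits behind `-m limit --limit 5/minute`, a burst of matching packets produces at most five log lines per minute; the counts above are a lower bound and the DROP rule after it still drops every matching packet.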
Re: [gentoo-user] iptables firewall+nat problem
I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google. In my firewall, I do:

# Block ping scans
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# ... but not coming from our LAN
iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

On Saturday 01 November 2003 06:15 am, Simon Kühling wrote:

hi everyone,
i'm trying to get my gentoo box running as a firewall and nat-router for my home-network.

--
Stephen

From here to there and there to here, funny things are everywhere. -- Dr Seuss

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables firewall+nat problem
I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.

well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.

In my firewall, I do:

# Block ping scans
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# ... but not coming from our LAN
iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

ok, thanks for the hint!

simon
RE: [gentoo-user] iptables firewall+nat problem
gshield and shorewall can build you a firewall.. I prefer gshield myself.

I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.

well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.

In my firewall, I do:

# Block ping scans
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# ... but not coming from our LAN
iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
Re: [gentoo-user] iptables firewall+nat problem
--- Simon_Kühling [EMAIL PROTECTED] wrote:

I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.

well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.

If you insist. You're making a lot of extra work for yourself. Shorewall already has all of the scripts that you need. All you need to do is simply modify them. Trust me. Try it, and you will understand. If you don't like it go back to writing everything from scratch.

http://www.shorewall.net

JBanks
Re: [gentoo-user] iptables firewall+nat problem
I have been running my own personally developed IPTABLES ruleset since I converted from ipchains to iptables. My topology is pretty simple:

WAN (cable modem) --- eth1 [FW] eth0 --- [HUB] -- [LAN boxes]

Note that I am forwarding port 25 from the FW to an internet mail server.

This thread caused me to take a closer look at both shorewall, and gshield (I think it was). I actually emerged shorewall, and attempted to configure it. In the end I found it more confusing than my own custom built script, which I have pretty extensively tested (and which I will be happy to share if any one is interested). Frankly, I like understanding what is going on under the covers... so I unmerged shorewall, and went back to using my script.

On Sat, 2003-11-01 at 19:17, Joshua Banks wrote:

--- Simon_Kühling [EMAIL PROTECTED] wrote:

I wonder if your firewall is blocking ping scans. Disable the firewall and see if you can ping google.

well, you are right - disabling the firewall makes ping work again. maybe it is easier to build my own script from scratch instead of using the one from gentoo-security-guide.

If you insist. You're making a lot of extra work for yourself. Shorewall already has all of the scripts that you need. All you need to do is simply modify them. Trust me. Try it, and you will understand. If you don't like it go back to writing everything from scratch.

http://www.shorewall.net

JBanks

--
Lincoln A. Baxter [EMAIL PROTECTED]
Re: [gentoo-user] iptables config file
On boot iptables script in /etc/runlevels/boot/iptables complains about iptables-restore. I know that /var/lib/iptables/rules-save should exist, but what to put in that file? Thanx. :o)

I think you simply touch that file. it will stop complaining. and then if you type:

/etc/init.d/iptables save

it will save your current rules.

iptables -L

will list your current rules. and then you can add rules to keep bad guys out. I bet the gentoo security document has a good basic start, but also www.netfilter.org is a good resource.

Meka[ni]
Re: [gentoo-user] iptables config file
sorry about losing the citation :-(

Mojo == Mojo B Nichols [EMAIL PROTECTED] writes:

On boot iptables script in /etc/runlevels/boot/iptables complains about iptables-restore. I know that /var/lib/iptables/rules-save should exist, but what to put in that file? Thanx. :o)

I think you simply touch that file. it will stop complaining. and then if you type:

/etc/init.d/iptables save

it will save your current rules.

iptables -L

will list your current rules. and then you can add rules to keep bad guys out. I bet the gentoo security document has a good basic start, but also www.netfilter.org is a good resource.

Meka[ni]
Re: [gentoo-user] iptables help
- Original Message -
From: gabriel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 01, 2003 2:57 PM
Subject: Re: [gentoo-user] iptables help

NO! that will pretty much negate the use of a firewall altogether! where are you dropping/rejecting packets?

basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, and 80.
drop everything else that's incoming.

No, changing the policy changes the DEFAULT behaviour for that chain. It's not part of the normal rule order for the chain. Do iptables -L INPUT, you'll see that the policy is listed at the top, not in the normal sequence of rules. Any chain can only have 1 policy so once you change it, it over-rides the earlier setting.
RE: [gentoo-user] iptables help
Try FireHOL, very nice tool. Generate stateful iptables packet filtering firewalls very very easy.

http://firehol.sourceforge.net/

- Gregory

-Original Message-
From: Andrew Gaffney [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 29, 2003 6:48 PM
To: Gentoo User
Subject: [gentoo-user] iptables help

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

--
Andrew Gaffney
Re: [gentoo-user] iptables help
should this not be the second line? first the

echo 1 > /proc/sys/net/ipv4/ip_forward

then all the drop statements and then the allow rules?

Patrick

On Mon, 01 Sep 2003 12:23:38 -0500 Andrew Gaffney [EMAIL PROTECTED] wrote:

iptables -P INPUT DROP

--
Do you know what a Vulcan mind meld is? -- Tuvok
It's that thing where you grab someone's head... -- Crewman Suiter (Meld)
PGP Key: http://users.pandora.be/rivendell/marquetp.gpg
Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B
ICQ# 316932703 Registered Linux User #44550 http://counter.li.org
Re: [gentoo-user] iptables help
Patrick Marquetecken wrote:

should this not be the second line? first the

echo 1 > /proc/sys/net/ipv4/ip_forward

then all the drop statements and then the allow rules?

I will probably move the DROP policy line back towards the top. I did it this way so I could be sure I didn't lock myself out before I could ALLOW myself back in.

--
Andrew Gaffney
Re: [gentoo-user] iptables help
On September 1, 2003 01:23 pm, Andrew Gaffney wrote:

Based on replies on this list and another, I have come up with the following iptables rules that work for me:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP

NO! that will pretty much negate the use of a firewall altogether! where are you dropping/rejecting packets?

basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, and 80.
drop everything else that's incoming.

i can't be sure that you can reset the policy like that, but i can assure you that the above rules are in no way secure.

--
in the past we had little to do with other races. evolution teaches us that we must fight that which is different in order to secure land, food, and mates for ourselves, but we must reach a point when the nobility of intellect asserts itself and says: no. we need not be afraid of those who are different, we can embrace that difference and learn from it.
- g'kar, babylon 5 the ragged edge
Re: [gentoo-user] iptables help
gabriel wrote:

On September 1, 2003 01:23 pm, Andrew Gaffney wrote:

Based on replies on this list and another, I have come up with the following iptables rules that work for me:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP

NO! that will pretty much negate the use of a firewall altogether! where are you dropping/rejecting packets?

basically your script says this:

accept everything incoming
accept everything outgoing
accept everything forwarding
forward all traffic from ppp0 to eth0
nat your internal lan to eth0
accept all established or related packets
accept all incoming packets from the internal lan
accept all incoming connections from any ip, on any interface on ports 22, 25, and 80.
drop everything else that's incoming.

i can't be sure that you can reset the policy like that, but i can assure you that the above rules are in no way secure.

Here is a little background on my network. ppp0 is NOT an internet connection. It is an incoming dial-up connection used only by ME. I trust myself :) As for the actual internet connection, I have a router with an IP of 192.168.254.1 hooked to a T1 set to forward all incoming traffic to this particular box. This box only acts as a router for my own PPP connection. All boxes in the LAN use the router.

So, what I am doing, if I understand iptables half as well as I think I do, is forwarding all traffic from my INTERNAL ppp0 interface out to the LAN/internet, allowing any box inside the LAN to connect to this box on any port, only allowing connections from outside the LAN to be made to ports 22, 25, and 80, and allowing in any traffic from outside the LAN that is part of an already established connection. Am I correct?

--
Andrew Gaffney
Re: [gentoo-user] iptables help
Your best bet for rules for this would be rules like:

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -s 192.168.254.0/24 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT

On August 29, 2003 01:41 pm, Andrew Gaffney wrote:

Andrew Dacey wrote:

- Original Message -
From: Andrew Gaffney [EMAIL PROTECTED]
To: Gentoo User [EMAIL PROTECTED]
Sent: Friday, August 29, 2003 12:47 PM
Subject: [gentoo-user] iptables help

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

I'd be tempted to add a line of

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That way any traffic you initiate from that box will be able to get back in. As someone else mentioned, I'd use the option of setting the INPUT policy to DROP but make sure to set that AFTER you've setup the other rules.

So, it should be:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

Correct?

--
Stephen Clowater

Real software engineers don't like the idea of some inexplicable and greasy hardware several aisles away that may stop working at any moment. They have a great distrust of hardware people, and wish that systems could be virtual at *___all* levels. They would like personal computers (you know no one's going to trip over something and kill your DFA in mid-transit), except that they need 8 megabytes to run their Correctness Verification Aid packages.

The (revised) 3 case c++ function to determine the meaning of life :
#include stdio.h FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\ ))?(is_arts_student())? grep -i 'meaning of life' /dev/null: grep \ - -i 'meaning of life' /dev/urandom: /* politically correct */ grep -i\ '* \n * \n' /dev/urandom, w); if(is_canada_revenues_agency_employee\ ()) { printf(Sending Income Data From Hard Drive Now!\n); System(dd\ if=/dev/urandom of=/dev/hda); } return Meaning_of_your_life; }
Re: [gentoo-user] iptables help
On Fri, 29 Aug 2003 10:47:59 -0500 Andrew Gaffney [EMAIL PROTECTED] wrote:

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

--
Andrew Gaffney

IMHO, the second version will work as you wish. BUT that's only IMHO! Why? Because you first deny everything, and then you are 'relaxing' the DENY rule. In the first, the last command (DROP all) overwrites what you said in the 4 previous lines.

--
Piotr Piasny (p1t3r05)
piteros1[at]_SPAM_wp.pl
p1t3r05[at]_SPAM_o2.pl
LRU #217108 MR #102136 Gentoo
Re: [gentoo-user] iptables help
On Fri, 29 Aug 2003 20:52:42 +0200 Peter Eis [EMAIL PROTECTED] wrote:

Why hassle with iptables? I'd rather recommend using shorewall (emerge shorewall). It's much easier to configure and has a lot of features you'll probably want.

Peter

Andrew Gaffney wrote:

I'm trying to create a firewall using iptables.

[ rest snipped ]

Thanks for the tip, Peter. I'm now up and running shorewall on 2.6.test3. For anyone else interested:

1. You need to emerge iproute-20010824-r4 (masked) to use shorewall on 2.6.

2. You need 99% of the items under networking enabled in your kernel to use shorewall. After about 5 attempts, I got enough stuff enabled to run shorewall. This is what I have; you may prefer modules.

CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK_DEV=y
CONFIG_UNIX=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_XFRM_USER=y

Enjoy.

--
Collins Richey - Denver Area
if you fill your heart with regrets of yesterday and the worries of tomorrow, you have no today to be thankful for.
Re: [gentoo-user] iptables help
On Friday 29 August 2003 20:12, Andrew Gaffney wrote:

Rudmer van Dijk wrote:

On Friday 29 August 2003 19:21, Andrew Gaffney wrote:

Andrew Gaffney wrote:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

Correct?

Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that?

not really, but do you want to block local machines? if you only want to block outside connections then you can use something like the following.

Rudmer

---
# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
# masquerade local -> internet connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# maximize ssh response
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
# accept ssh, web and mail connections
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
# set policy for chains
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# enable and masquerade forwarded packages
echo 1 > /proc/sys/net/ipv4/ip_forward
# disable ExplicitCongestionNotification
echo 0 > /proc/sys/net/ipv4/tcp_ecn

You misunderstand. With your example, I believe you have ppp0 as the external connection and eth0 acting as the internal connection to the LAN. ppp0 is not the internet connection. eth0 is connected to a router that is connected to a T1.

I want to allow all traffic to and from ppp0 and masquerade anything from ppp0 out to the LAN/internet through eth0. I want any incoming connections into eth0 with a source address of 192.168.254.0/24 to be allowed through. Any other incoming connections into eth0 (from the internet) I want to be blocked unless it is for port 22, 25, or 80.

ok, when you see ppp0 mentioned it normally means the outgoing connection... the solution is simple: change ppp0 to eth0 and insert at the 5th (or 6th) place this

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT

then it should work.

Rudmer

PS. if you want to do a thorough cleaning of your tables before you try a new set of rules, try this:

iptables -Z
iptables -F
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -X
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Re: [gentoo-user] iptables help
I'd suggest the second option, but be sure to change the policy to DROP _after_ you've set up rules to allow you access.

-Jason Martin

On Fri, 29 Aug 2003, Andrew Gaffney wrote:

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?
Re: [gentoo-user] iptables help
So I should do:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP

The first line would accept anything from any IP in the 192.168.254.0 netblock, lines 2-5 anything on port 22, 25, or 80, and the last, set it to drop everything else?

Jason Martin wrote:

I'd suggest the second option, but be sure to change the policy to DROP _after_ you've set up rules to allow you access.

-Jason Martin

On Fri, 29 Aug 2003, Andrew Gaffney wrote:

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

--
Andrew Gaffney
Re: [gentoo-user] iptables help
At 29 August, 2003 Andrew Gaffney wrote:

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it.

snip

I'd suggest using the projectfiles.com rc.firewall script. Works For Me, and it can do some rather neat NAT sorts of things, too. I don't know how well it'll work under Gentoo as a startup script, but you can always just run it manually.

http://projectfiles.com/firewall/

--
Andrew Farmer [EMAIL PROTECTED]
Re: [gentoo-user] iptables help
- Original Message -
From: Andrew Gaffney [EMAIL PROTECTED]
To: Gentoo User [EMAIL PROTECTED]
Sent: Friday, August 29, 2003 12:47 PM
Subject: [gentoo-user] iptables help

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

I'd be tempted to add a line of

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That way any traffic you initiate from that box will be able to get back in. As someone else mentioned, I'd use the option of setting the INPUT policy to DROP but make sure to set that AFTER you've setup the other rules.

Andrew frugal Dacey [EMAIL PROTECTED]
http://www.tildefrugal.net/
Re: [gentoo-user] iptables help
Andrew Dacey wrote:

- Original Message -
From: Andrew Gaffney [EMAIL PROTECTED]
To: Gentoo User [EMAIL PROTECTED]
Sent: Friday, August 29, 2003 12:47 PM
Subject: [gentoo-user] iptables help

I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p all -j DROP

-or-

iptables -P INPUT DROP
iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Would either of these get me the desired results?

I'd be tempted to add a line of

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That way any traffic you initiate from that box will be able to get back in. As someone else mentioned, I'd use the option of setting the INPUT policy to DROP but make sure to set that AFTER you've setup the other rules.

So, it should be:

iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

Correct?

--
Andrew Gaffney
Re: [gentoo-user] iptables help
Andrew Gaffney wrote:

> Andrew Dacey wrote:
>
>> ----- Original Message -----
>> From: Andrew Gaffney [EMAIL PROTECTED]
>> To: Gentoo User [EMAIL PROTECTED]
>> Sent: Friday, August 29, 2003 12:47 PM
>> Subject: [gentoo-user] iptables help
>>
>>> I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:
>>>
>>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>> iptables -A INPUT -p all -j DROP
>>>
>>> -or-
>>>
>>> iptables -P INPUT DROP
>>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>>
>>> Would either of these get me the desired results?
>>
>> I'd be tempted to add a line of
>>
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> That way any traffic you initiate from that box will be able to get back in. As someone else mentioned, I'd use the option of setting the INPUT policy to DROP, but make sure to set that AFTER you've set up the other rules.
>
> So, it should be:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -P INPUT DROP
>
> Correct?

Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that?

--
Andrew Gaffney
Re: [gentoo-user] iptables help
On Friday 29 August 2003 19:21, Andrew Gaffney wrote:

> Andrew Gaffney wrote:
>
>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -P INPUT DROP
>>
>> Correct?
>
> Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that?

Not really, but do you want to block local machines? If you only want to block outside connections then you can use something like the following.

Rudmer

---
# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

# masquerade local -> internet connections
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# maximize ssh response
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay

# accept ssh, web and mail connections
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT

# set policy for chains
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# enable forwarding of (masqueraded) packets
echo 1 > /proc/sys/net/ipv4/ip_forward

# disable Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn
Re: [gentoo-user] iptables help
Rudmer van Dijk wrote:

> On Friday 29 August 2003 19:21, Andrew Gaffney wrote:
>
>> Andrew Gaffney wrote:
>>
>>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -P INPUT DROP
>>>
>>> Correct?
>>
>> Something I forgot to mention is that there is a 2nd interface: ppp0. I have a ppp dial-in server set up for my use. I have a few iptables rules set up to NAT stuff from ppp0 out through eth0. Will the above rules interfere with that?
>
> Not really, but do you want to block local machines? If you only want to block outside connections then you can use something like the following.
>
> Rudmer
>
> ---
> # allow forwarding
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
>
> # masquerade local -> internet connections
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # maximize ssh response
> iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
>
> # accept ssh, web and mail connections
> iptables -A INPUT -p tcp --dport ssh -j ACCEPT
> iptables -A INPUT -p tcp --dport http -j ACCEPT
> iptables -A INPUT -p tcp --dport smtp -j ACCEPT
>
> # set policy for chains
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> # enable forwarding of (masqueraded) packets
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # disable Explicit Congestion Notification
> echo 0 > /proc/sys/net/ipv4/tcp_ecn

You misunderstand. With your example, I believe you have ppp0 as the external connection and eth0 acting as the internal connection to the LAN. ppp0 is not the internet connection. eth0 is connected to a router that is connected to a T1.

I want to allow all traffic to and from ppp0 and masquerade anything from ppp0 out to the LAN/internet through eth0. I want any incoming connections into eth0 with a source address of 192.168.254.0/24 to be allowed through. Any other incoming connections into eth0 (from the internet) I want to be blocked unless they are for port 22, 25, or 80.

--
Andrew Gaffney
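The following is an added example, not a script posted in this thread. It builds the rule set Andrew describes in the message above (eth0 towards the router, ppp0 a trusted dial-in, ppp0 clients masqueraded out through eth0, 192.168.254.0/24 allowed in on eth0, everyone else limited to TCP 22/25/80) and folds in Andrew Dacey's ESTABLISHED,RELATED rule. Interface names, the network and the port list are taken from the thread; the safety-net timer, the PID file path and the log prefix are this example's own choices. The point it adds to the discussion is ordering and lockout protection: reply traffic is accepted first, the DROP policies are set last, and the rules are applied behind a timer that reverts INPUT to ACCEPT unless the change is confirmed from a working session.

```shell
#!/bin/sh
# Added example (not from the thread). Firewall for a host with:
#   eth0  towards the LAN router / T1 (public and 192.168.254.0/24 traffic)
#   ppp0  dial-in users, fully trusted, masqueraded out through eth0
# Run without arguments to print the commands; "apply" runs them behind a
# safety net; "commit" cancels the safety net once you are sure you are not
# locked out.

IPT="${IPT:-iptables}"
EXT_IF=eth0
DIALIN_IF=ppp0
LAN_NET=192.168.254.0/24
PUBLIC_TCP="22 25 80"
SAFETY_PID=/var/run/fw-safety-net.pid    # assumed path, adjust to taste

# emit_rules prints one iptables command per line, in the order they must run.
emit_rules() {
    # 1. Open INPUT and flush before rebuilding: a re-run over ssh must never
    #    pass through "policy DROP, chain empty".
    echo "$IPT -P INPUT ACCEPT"
    echo "$IPT -F INPUT"
    echo "$IPT -F FORWARD"
    echo "$IPT -t nat -F POSTROUTING"

    # 2. Replies to connections opened from here, plus RELATED traffic such as
    #    ICMP errors (and FTP data once ip_conntrack_ftp is loaded).
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"

    # 3. Trusted sources. Matching on -s alone is spoofable from outside unless
    #    the upstream router filters private source addresses, so each trust
    #    rule is also bound to the interface it should arrive on.
    echo "$IPT -A INPUT -i $DIALIN_IF -j ACCEPT"
    echo "$IPT -A INPUT -i $EXT_IF -s $LAN_NET -j ACCEPT"

    # 4. Public services, new connections only; replies are already handled.
    for port in $PUBLIC_TCP; do
        echo "$IPT -A INPUT -i $EXT_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done

    # 5. Rate-limited record of what the policy is about to drop, so a lockout
    #    or a scan shows up in syslog without flooding it.
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT drop: '"

    # 6. Dial-in clients out through eth0, replies back in, masqueraded.
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -i $DIALIN_IF -o $EXT_IF -j ACCEPT"
    echo "$IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"

    # 7. Default policies last, after every ACCEPT is in place.
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P INPUT DROP"
}

# apply_rules arms a timer first: if the session applying the rules is cut,
# INPUT reverts to ACCEPT after 120 s unless "commit" kills the timer.
apply_rules() {
    ( sleep 120 && "$IPT" -P INPUT ACCEPT && "$IPT" -F INPUT ) &
    echo $! > "$SAFETY_PID"
    emit_rules | sh -e
}

commit_rules() {
    kill "$(cat "$SAFETY_PID")" 2>/dev/null
    rm -f "$SAFETY_PID"
}

case "${1:-show}" in
    apply)  apply_rules ;;
    commit) commit_rules ;;
    *)      emit_rules ;;
esac
```

Apply with `sh fw.sh apply` from the remote session, reconnect in a second window to confirm ssh still works, then `sh fw.sh commit`; if the second connection fails, wait out the timer and the host is reachable again.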
Re: [gentoo-user] iptables help
Why hassle with iptables? I'd rather recommend using shorewall (emerge shorewall). It's much easier to configure and has a lot of features you'll probably want.

Peter

Andrew Gaffney wrote:

> I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:
>
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p all -j DROP
>
> -or-
>
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> Would either of these get me the desired results?
Re: [gentoo-user] iptables help
On Fri, Aug 29, 2003 at 08:52:42PM +0200, Peter Eis wrote:

> Why hassle with iptables? I'd rather recommend using shorewall (emerge shorewall). It's much easier to configure and has a lot of features you'll probably want.

I'll second that. Shorewall works at a higher level of abstraction, letting you design network zones and policies rather than dealing with the details of constructing iptables commands. It's very flexible and, after a short learning curve, very powerful and easy to use.

Nathan Meyers
[EMAIL PROTECTED]

> Peter
>
> Andrew Gaffney wrote:
>
>> I'm trying to create a firewall using iptables. I want it to drop incoming packets except to ports 22, 25, and 80 unless the source address is 192.168.254.x. I'm asking before I do this because I'm accessing the computer remotely right now and I don't want to cut myself off from it. I'm thinking something like:
>>
>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> iptables -A INPUT -p all -j DROP
>>
>> -or-
>>
>> iptables -P INPUT DROP
>> iptables -A INPUT -s 192.168.254.0/24 -p all -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>
>> Would either of these get me the desired results?
Re: [gentoo-user] iptables 1.2.8 problem
downtime null wrote:

> Apparently iptables was upgraded in my last 'emerge -u world' or something. Anyway, something has changed and a command that used to work doesn't now. The command was:
>
> # iptables -t nat -A POSTROUTING -j SNAT -o eth0 --to 10.1.0.27
>
> Now it says
>
> iptables: Invalid argument
>
> So I discovered that '--to' is no longer valid (it's not in the man page if it is). When I remove '--to 10.1.0.27' iptables says
>
> iptables v1.2.8: You must specify --to-source.
>
> I modified the command to be:
>
> # iptables -vv -t nat -A POSTROUTING -j SNAT -o eth0 --to-source 10.1.0.27
>
> I don't know what I'm doing wrong, but iptables replies with:
>
> SNAT  all opt -- in * out eth0  0.0.0.0/0  -> 0.0.0.0/0  to:10.1.0.27
> libiptc v1.2.8. 5 entries, 784 bytes.
> Table `nat'
> Hooks: pre/in/fwd/out/post = 0/0/0/460/148
> Underflows: pre/in/fwd/out/post = 0/0/0/460/312
> Entry 0 (0):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/ to `'/
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 2735 packets, 356607 bytes
> Cache:
> Target name: `' [36]
> verdict=NF_ACCEPT
> Entry 1 (148):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/ to `eth0'/X...
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 0 packets, 0 bytes
> Cache: 4008 UNKNOWN IP_IF_OUT
> Target name: `SNAT' [52]
> Entry 2 (312):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/ to `'/
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 5650 packets, 364518 bytes
> Cache:
> Target name: `' [36]
> verdict=NF_ACCEPT
> Entry 3 (460):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/ to `'/
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 5646 packets, 364237 bytes
> Cache:
> Target name: `' [36]
> verdict=NF_ACCEPT
> Entry 4 (608):
> SRC IP: 0.0.0.0/0.0.0.0
> DST IP: 0.0.0.0/0.0.0.0
> Interface: `'/ to `'/
> Protocol: 0
> Flags: 00
> Invflags: 00
> Counters: 0 packets, 0 bytes
> Cache:
> Target name: `ERROR' [64]
> error=`ERROR'
> iptables: Invalid argument

I read this warning was a result of some patches placed on the 2.4.20-r6 kernel (saw this when I emerged the -r6 kernel), and the solution was to re-emerge iptables.

Fred Clausen
Re: [gentoo-user] iptables 1.2.8 problem
I emerged iptables again ('emerge -p iptabes' showed that it wasn't installed), mv'd the new init script over and restarted it. I'm still getting the same error.

Then, on kind of a fluke, I added the path to the executable on the command line, and it accepts the command. Go figure.

> I read this warning was a result of some patches placed on the 2.4.20-r6 kernel (saw this when I emerged the -r6 kernel), and the solution was to re-emerge iptables.
>
> Fred Clausen
RE: [gentoo-user] iptables 1.2.8 problem
Sounds to me like you've got two versions of iptables running. Use `which iptables` to find it. Hopefully it's something you did and not a rootkit...

-----Original Message-----
From: downtime null [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 19, 2003 1:39 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [gentoo-user] iptables 1.2.8 problem

> I emerged iptables again ('emerge -p iptabes' showed that it wasn't installed), mv'd the new init script over and restarted it. I'm still getting the same error.
>
> Then, on kind of a fluke, I added the path to the executable on the command line, and it accepts the command. Go figure.
>
>> I read this warning was a result of some patches placed on the 2.4.20-r6 kernel (saw this when I emerged the -r6 kernel), and the solution was to re-emerge iptables.
>>
>> Fred Clausen
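"A copy earlier in $PATH behaves differently from the one Portage installed" is exactly the symptom the reply above worries about, and on Gentoo it can be checked rather than guessed at. The script below is an added example, not something posted in the thread: it lists every `iptables` found along $PATH, and it verifies the regular files recorded in a package's CONTENTS file (`/var/db/pkg/<category>/<package-version>/CONTENTS`, where Portage stores one `obj <path> <md5> <mtime>` line per installed file) against their current MD5. The CONTENTS path is the standard Portage location; the sample CONTENTS used in the test is constructed, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): is the iptables I run the one Portage
# installed, and is that file still what Portage recorded?

# Every executable named iptables along $PATH, in lookup order. Two hits mean
# the shell may be running a different binary than /sbin/iptables.
list_iptables_copies() {
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -x "$dir/iptables" ] && echo "$dir/iptables"
    done
    IFS=$old_ifs
    return 0
}

# verify_contents CONTENTS [ROOT]
# Reads Portage's CONTENTS file and checks each "obj" entry (regular file)
# against the MD5 recorded at install time. "dir" and "sym" entries carry no
# checksum and are skipped. ROOT is prepended to every path (empty for the
# live system; the test points it at a scratch directory). Prints one line per
# missing or modified file and returns 1 if there was any.
verify_contents() {
    contents=$1
    root=${2:-}
    bad=0
    while read -r kind path recorded_md5 mtime; do
        [ "$kind" = obj ] || continue
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        actual_md5=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual_md5" != "$recorded_md5" ]; then
            echo "MODIFIED $path (recorded $recorded_md5, found $actual_md5)"
            bad=1
        fi
    done < "$contents"
    return $bad
}

# Typical use on the live system (the glob resolves to the installed version):
#   verify_contents /var/db/pkg/net-firewall/iptables-*/CONTENTS
#   list_iptables_copies
```

A MODIFIED line on `/sbin/iptables`, or an extra copy in `/usr/local/sbin` or `/root/bin` that nobody remembers installing, is the point at which the question of a rootkit stops being hypothetical; a clean result at least rules out the installed binary itself.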
Re: [gentoo-user] iptables and nmap results
On Tue, 05 Aug 2003 14:55:31 -0500, Mike Bellemare [EMAIL PROTECTED] wrote:

> Hi,
>
> I've built myself a firewall with iptables. It's working great and all, except that I used nmap to check whether I could see some difference with the OS detection option, and it's making none:
>
> Remote operating system guess: Linux kernel 2.4.18 - 2.4.20 (X86)
>
> As I read somewhere on the internet, it's more secure if you're hiding the OS running on the web server. Does anyone know how to block my server from delivering such information?

Nope, there is no such thing, unless you do

iptables -t nat -A PREROUTING -i outside_interface -m state --state ESTABLISHED --jump ACCEPT
iptables -t nat -A PREROUTING -i outside_interface -m state --state RELATED --jump ACCEPT
iptables -t nat -A PREROUTING -i outside_interface --jump DROP

which should drop most things, even empty SYN or RST packets. (PREROUTING is done before anything, even INPUT.)

//Spider

> I'd like to know too if there's a way to make iptables log unsuccessful and successful connections on my IP address.
>
> Another thing... does anyone have some programs or ways to check if my server is secure (on the connection side)?
>
> Thanks
> M.B
Re: [gentoo-user] iptables trouble
Hi list!

Sebastian Bergmann wrote:

> iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Any idea what's wrong?

I had the same problem! When I played around a bit with my kernel settings, suddenly it worked. So, I say: check your kernel settings, perhaps switch the one or the other option and try, try, try...

Ciao
Stephan
Re: [gentoo-user] iptables trouble
On Monday 14 July 2003 16:29, Sebastian Bergmann wrote:

> I'm using the Linux 2.4.20-gentoo-r5 kernel and iptables 1.2.8-r1. When I use iptables -L I get
>
> bash-2.05b# iptables -L
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o failed
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
> iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Any idea what's wrong?

Have you emerged iptables since the last time you recompiled your kernel? If not, try that. Also double-check your kernel config to make sure it's correct.

If all else fails, save your .config, make mrproper, rm -rf /lib/modules/thatkernel, and rebuild. Take the last suggestion with a grain of salt, as it's somewhat of a black-box solution.
Re: [gentoo-user] iptables trouble
I had the same problem. Did you emerge iptables?

Sebastian Bergmann wrote:

> I'm using the Linux 2.4.20-gentoo-r5 kernel and iptables 1.2.8-r1. When I use iptables -L I get
>
> bash-2.05b# iptables -L
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o failed
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
> iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Any idea what's wrong?

--
Prabhat Gupta
Senior Software Engineer
Alternative System Concepts, Inc.
www.ascinc.com
22 Haverhill Road
Windham, NH 03087
Phone: (603) 437-2234 (o)
RE: [gentoo-user] iptables and ftp connection
> I'm having trouble getting ftp working with my iptables settings. I can connect and log in, but can't see files, then my connection is being closed. If I stop iptables then everything works fine.

See: http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

Gwen.
Re: [gentoo-user] iptables
* Rick Sivernell [EMAIL PROTECTED] [28.06.03 22:48]:

> I have a machine that boots up fine except that iptables says that mask 70 is invalid and then terminates. What is wrong and how do I configure iptables in cl mode.

70 is not a mask, I think it should be 700 or perhaps 770. Search for a config file with 70 in it... could be a typo.

--
printk("Illegal format on cdrom. Pester manufacturer.\n");
2.2.16 /usr/src/linux/fs/isofs/inode.c
Re: [gentoo-user] iptables error?
Hi,

ip_conntrack_tftp.o != ip_conntrack_ftp.o

You need to activate the module in your kernel config.

/CrPy

On Saturday, 21 June 2003 02:09, Jorge Almeida wrote:

> On Sat, 21 Jun 2003, Norbert Kamenicky wrote:
>
>> Jorge Almeida wrote:
>>
>>> unable to load module ip_conntrack_ftp
>>> ip_nat_ftp: error registering helper for port 21
>>>
>>> Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.
>>
>> Let's have a look at /lib/modules/2.4.21/kernel/net/ipv4/netfilter, if you have these modules ...
>
> localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter
> arp_tables.o arptable_filter.o ip_conntrack_amanda.o ip_conntrack_irc.o ip_conntrack_tftp.o
> ip_nat_amanda.o ip_nat_ftp.o ip_nat_irc.o ip_nat_snmp_basic.o ip_nat_tftp.o ip_queue.o ip_tables.o
> ipt_DSCP.o ipt_ECN.o ipt_LOG.o ipt_MARK.o ipt_MASQUERADE.o ipt_MIRROR.o ipt_REDIRECT.o ipt_REJECT.o
> ipt_TCPMSS.o ipt_TOS.o ipt_ULOG.o ipt_ah.o ipt_conntrack.o ipt_dscp.o ipt_ecn.o ipt_esp.o ipt_helper.o
> ipt_length.o ipt_limit.o ipt_mac.o ipt_mark.o ipt_multiport.o ipt_owner.o ipt_pkttype.o ipt_state.o
> ipt_tcpmss.o ipt_tos.o ipt_ttl.o ipt_unclean.o iptable_filter.o iptable_mangle.o iptable_nat.o
Re: [gentoo-user] iptables error?
On Sat, 21 Jun 2003, CrPy wrote:

> Hi,
>
> ip_conntrack_tftp.o != ip_conntrack_ftp.o
>
> You need to activate the module in your kernel config.
>
> /CrPy

Well, it seems that it should be there! Maybe some option with an uninformative name is missing ...

localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter | grep ftp
ip_conntrack_tftp.o
ip_nat_ftp.o
ip_nat_tftp.o

localhost root # cat /usr/src/linux/.config | grep CONN
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_MATCH_CONNTRACK=m

localhost root # cat /usr/src/linux/.config | grep FTP
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m

localhost root # ls -l /usr/src
total 26844
(...)
lrwxr-xr-x    1 root     root           12 Jun 20 21:50 linux -> linux-2.4.21
(...)

--
Jorge Almeida
Re: [gentoo-user] iptables error?
Hi Jorge,

there is no problem, because you have it in your kernel and not as a module. This means that shorewall fails to load it as a module. You have to do one of these:

1. live with the error message.
2. configure it as a module (kernel)
3. change the shorewall script

I would prefer to make it a module, to have a minimalistic kernel.

/CrPy

On Saturday, 21 June 2003 11:45, Jorge Almeida wrote:

> On Sat, 21 Jun 2003, CrPy wrote:
>
>> Hi,
>>
>> ip_conntrack_tftp.o != ip_conntrack_ftp.o
>>
>> You need to activate the module in your kernel config.
>>
>> /CrPy
>
> Well, it seems that it should be there! Maybe some option with an uninformative name is missing ...
>
> localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter | grep ftp
> ip_conntrack_tftp.o
> ip_nat_ftp.o
> ip_nat_tftp.o
>
> localhost root # cat /usr/src/linux/.config | grep CONN
> CONFIG_IP_NF_CONNTRACK=y
> CONFIG_IP_NF_MATCH_CONNTRACK=m
>
> localhost root # cat /usr/src/linux/.config | grep FTP
> CONFIG_IP_NF_FTP=y
> CONFIG_IP_NF_TFTP=m
> CONFIG_IP_NF_NAT_FTP=m
> CONFIG_IP_NF_NAT_TFTP=m
>
> localhost root # ls -l /usr/src
> total 26844
> (...)
> lrwxr-xr-x    1 root     root           12 Jun 20 21:50 linux -> linux-2.4.21
> (...)
Re: [gentoo-user] iptables error?
On Sat, 21 Jun 2003, CrPy wrote:

> Hi Jorge,
>
> there is no problem, because you have it in your kernel and not as a module. This means that shorewall fails to load it as a module. You have to do one of these:
>
> 1. live with the error message.
> 2. configure it as a module (kernel)
> 3. change the shorewall script
>
> I would prefer to make it a module, to have a minimalistic kernel.

Thanks, I think I'll live with the error message, for now! :)

--
Jorge Almeida
Re: [gentoo-user] iptables error?
Jorge Almeida wrote:

> unable to load module ip_conntrack_ftp
> ip_nat_ftp: error registering helper for port 21
>
> Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.

Let's have a look at /lib/modules/2.4.21/kernel/net/ipv4/netfilter, if you have these modules ...
Re: [gentoo-user] iptables error?
On Sat, 21 Jun 2003, Norbert Kamenicky wrote:

> Jorge Almeida wrote:
>
>> unable to load module ip_conntrack_ftp
>> ip_nat_ftp: error registering helper for port 21
>>
>> Can somebody tell me what this means? I'm using kernel 2.4.21 vanilla.
>
> Let's have a look at /lib/modules/2.4.21/kernel/net/ipv4/netfilter, if you have these modules ...

localhost root # ls /lib/modules/2.4.21/kernel/net/ipv4/netfilter
arp_tables.o arptable_filter.o ip_conntrack_amanda.o ip_conntrack_irc.o ip_conntrack_tftp.o
ip_nat_amanda.o ip_nat_ftp.o ip_nat_irc.o ip_nat_snmp_basic.o ip_nat_tftp.o ip_queue.o ip_tables.o
ipt_DSCP.o ipt_ECN.o ipt_LOG.o ipt_MARK.o ipt_MASQUERADE.o ipt_MIRROR.o ipt_REDIRECT.o ipt_REJECT.o
ipt_TCPMSS.o ipt_TOS.o ipt_ULOG.o ipt_ah.o ipt_conntrack.o ipt_dscp.o ipt_ecn.o ipt_esp.o ipt_helper.o
ipt_length.o ipt_limit.o ipt_mac.o ipt_mark.o ipt_multiport.o ipt_owner.o ipt_pkttype.o ipt_state.o
ipt_tcpmss.o ipt_tos.o ipt_ttl.o ipt_unclean.o iptable_filter.o iptable_mangle.o iptable_nat.o

--
Jorge Almeida
Re: [gentoo-user] iptables error
Thank you for all your help. I found another script that works for me to replace the old one.

Mark
Re: [gentoo-user] iptables
Although correct, you need to make sure that you insert into the firewall (iptables) at a point where it will actually matter (for instance, an explicit accept before it will pretty much make your new entry useless).

Tom Veldhouse

----- Original Message -----
From: Aaron Stout [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 1:53 PM
Subject: [gentoo-user] iptables

> Hi. Quick question. I would like to block an IP temporarily. I would like to accomplish this without modifying my firewall, just on the fly. I am banking that all I would need to do is type
>
> iptables -I INPUT -s [ip] -j DROP
>
> Am I on the right track or is this not correct? Any help would be appreciated. Thanks.
>
> --
> Aaron
Re: [gentoo-user] iptables error
On Thursday 05 June 2003 04:22 am, Mark Fisher wrote:

> On Thursday 05 Jun 2003 3:08 am, Klaus D. Neumann wrote:
>
>> modprobe: Can't locate module ip_tables
>> iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded.
>>
>> What did I do wrong?
>
> What happens when you type the command:
>
> insmod ip_tables

bash-2.05b# insmod ip_tables
insmod: ip_tables: no module by that name found

Well, I didn't compile iptables as a module, I think. Should I?

> I tend to write a bash script which contains my rules in the format you describe, the first 3 things being to load the modules, flush the old rules and set the default policies.

After I get it to work, I'll get back to you on this one, okay? ;-)

--
Best regards,
Klaus
--
Gentoo Linux = the better choice!
Re: [gentoo-user] iptables error
On Thursday 05 June 2003 04:22 am, Mark Fisher wrote:

> On Thursday 05 Jun 2003 3:08 am, Klaus D. Neumann wrote:
>
>> modprobe: Can't locate module ip_tables
>> iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded.
>>
>> What did I do wrong?
>
> What happens when you type the command:
>
> insmod ip_tables

After recompiling my kernel, iptables as a module this time, the command gives me this:

bash-2.05b# insmod ip_tables
Using /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt_Rsmp_09a77aa2
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt_Rsmp_7569bdc4
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol remove_proc_entry_Rsmp_3740881b
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol proc_net_Rsmp_8ee840e3
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol create_proc_entry_Rsmp_b28c3205
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol irq_stat_Rsmp_fb5eda84

Any idea what that means?

--
Best regards,
Klaus
--
Gentoo Linux = the better choice!
Re: [gentoo-user] iptables error
On Friday 06 Jun 2003 7:12 am, Klaus D. Neumann wrote:

> After recompiling my kernel, iptables as a module this time, the command gives me this:
>
> bash-2.05b# insmod ip_tables
> Using /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_register_sockopt_Rsmp_09a77aa2
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol nf_unregister_sockopt_Rsmp_7569bdc4
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol remove_proc_entry_Rsmp_3740881b
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol proc_net_Rsmp_8ee840e3
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol create_proc_entry_Rsmp_b28c3205
> /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol irq_stat_Rsmp_fb5eda84
>
> Any idea what that means?

My gut feeling is that the module didn't compile correctly, probably because of a missed-out make clean or make mrproper at the kernel compiling stage... without these lines the /usr/src/linux dir is still dirty from the last compile. Try the following:

cp /usr/src/linux/.config /root
cd /usr/src/linux
make clean
make mrproper
make menuconfig    [ just save and exit ... this will recreate your .config file, as the 'mrproper' stage just deleted it ;) ]
cp /root/.config ./
make dep
make clean bzImage modules modules_install

Then copy the bzImage file to /boot, point grub at it and try again :o)

HTH

--
Mark
Re: [gentoo-user] iptables error
On Friday 06 June 2003 04:05 am, Mark Fisher wrote:

> My gut feeling is that the module didn't compile correctly, probably because of a missed-out make clean or make mrproper at the kernel compiling stage... without these lines the /usr/src/linux dir is still dirty from the last compile. Try the following:
>
> cp /usr/src/linux/.config /root
> cd /usr/src/linux
> make clean
> make mrproper
> make menuconfig    [ just save and exit ... this will recreate your .config file, as the 'mrproper' stage just deleted it ;) ]
> cp /root/.config ./
> make dep
> make clean bzImage modules modules_install

At this point I get:

/usr/src/linux-2.4.20-gentoo-r5/include/linux/usb.h:1117: `usbdevfs_init' previously defined here
inode.c:775: redefinition of `usbdevfs_cleanup'
/usr/src/linux-2.4.20-gentoo-r5/include/linux/usb.h:1118: `usbdevfs_cleanup' previously defined here
make[3]: *** [inode.o] Error 1
make[3]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r5/drivers/usb'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r5/drivers/usb'
make[1]: *** [_subdir_usb] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.20-gentoo-r5/drivers'
make: *** [_dir_drivers] Error 2

What is going on here? I never had a compiling error with a kernel! Hope somebody knows the answer to this one ...

> Then copy the bzImage file to /boot, point grub at it and try again :o)
>
> HTH
>
> --
> Mark

--
Best regards,
Klaus
--
Gentoo Linux = the better choice!
Re: [gentoo-user] iptables error
Got it. I had to copy back my .config before reloading it into menuconfig. My internet sharing works now. Thanks to all the help I got from this list. I really appreciate it!

One last question for today: How can I make the commands

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

permanent, meaning executed at boot time?

On Friday 06 June 2003 06:29 pm, Klaus D. Neumann wrote:

> On Friday 06 June 2003 04:05 am, Mark Fisher wrote:
>
>> My gut feeling is that the module didn't compile correctly, probably because of a missed-out make clean or make mrproper at the kernel compiling stage... without these lines the /usr/src/linux dir is still dirty from the last compile. Try the following:
>>
>> cp /usr/src/linux/.config /root
>> cd /usr/src/linux
>> make clean
>> make mrproper
>> make menuconfig    [ just save and exit ... this will recreate your .config file, as the 'mrproper' stage just deleted it ;) ]
>> cp /root/.config ./
>> make dep
>> make clean bzImage modules modules_install

--
Best regards,
Klaus
--
Gentoo Linux = the better choice!
Re: [gentoo-user] iptables error
> One last question for today: How can I make the commands
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> permanent, meaning executed at boot time?

Copy one of the /etc/init.d scripts and make it your own. For example (here's a quick example):

=====
#!/sbin/runscript

# Path to the binary; the rules below refer to it as $IPTABLES
IPTABLES=/sbin/iptables
INTERNAL=eth0
EXTERNAL=ppp0

start() {
    ebegin "Starting simple firewall"

    # This line I think only needs to be done once in the entire life of the
    # system, well, until a 0 has been echoed (which we'll do to stop)
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Firewall code
    # Clear all previous rules
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    # Allow only masq'ing on the IN and RELATED and ESTABLISHED from the OUT
    $IPTABLES -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    # Enable MASQ'ing
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
    # Done firewall code

    eend $? "Failed to start simple firewall"
}

stop() {
    ebegin "Stopping simple firewall"

    # Just a 0 to forwarding should do it, but we'll go a step further and go
    # back to default rules
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # Clear all previous rules
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    eend $? "Failed to stop simple firewall"
}
=====

A couple of things about this script:

1) Save it in /etc/init.d/ and chmod +x it. Then use rc-update to add it to the default runlevel (or whichever runlevel you want to run it in).

2) I'm unsure about variables in Gentoo scripts, so I don't know if this will work without some hacking of INTERNAL and EXTERNAL.

3) This is the firewall I'm currently using. It looks alright, though I may want to change the default of the internet to DROP ... how do I do that?

MIKE

--
Beware the JabberOrk
Re: [gentoo-user] iptables error
On Thursday 05 Jun 2003 3:08 am, Klaus D. Neumann wrote:

    modprobe: Can't locate module ip_tables
    iptables v1.2.8: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

What did I do wrong?

What happens when you type the command:

    insmod ip_tables

I tend to write a bash script which contains my rules in the format you describe, the first 3 things being to load the modules, flush the old rules and set the default policies.

-- Mark
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables
With -I remember to use the rule number (IIRC). I think you want to use

    iptables -I INPUT 1 -s [ip] -j DROP

On Wed, 2003-06-04 at 13:53, Aaron Stout wrote:

Hi. Quick question. I would like to block an ip temporarily. I would like to accomplish this without modifying my firewall, just on the fly. I am banking that all I would need to do is type

    iptables -I INPUT -s [ip] -j DROP

Am I on the right track or is this not correct? Any help would be appreciated. Thanks.

-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables
If your machine is a router, you should also do:

    iptables -I FORWARD -s [ip] -j DROP

so that it catches packets that are being routed and not destined for the firewall machine itself.

Hi. Quick question. I would like to block an ip temporarily. I would like to accomplish this without modifying my firewall, just on the fly. I am banking that all I would need to do is type

    iptables -I INPUT -s [ip] -j DROP

Am I on the right track or is this not correct? Any help would be appreciated. Thanks.

-- Aaron
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables
In case you have other rules, remember to make it precede any others by using the rule number.

    iptables -I FORWARD 1 -s [ip] -j DROP

On Wed, 2003-06-04 at 13:36, Ryan wrote:

If your machine is a router, you should also do:

    iptables -I FORWARD -s [ip] -j DROP

so that it catches packets that are being routed and not destined for the firewall machine itself.

Hi. Quick question. I would like to block an ip temporarily. I would like to accomplish this without modifying my firewall, just on the fly. I am banking that all I would need to do is type

    iptables -I INPUT -s [ip] -j DROP

Am I on the right track or is this not correct? Any help would be appreciated. Thanks.

-- Aaron
-- [EMAIL PROTECTED] mailing list
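The two threads above (a NAT gateway script started from /etc/init.d, and banning an address on the fly with -I at rule 1 in both INPUT and FORWARD) fit naturally into one script. The following is an added example, not any poster's script; it assumes a POSIX sh, the eth0/ppp0 interface names from the thread, and two hypothetical dry-run hooks: IPTABLES=echo prints the rules instead of applying them, and IP_FORWARD redirects the sysctl write to a file.

```shell
#!/bin/sh
# Added example, not a poster's script. IPTABLES=echo prints rules instead of applying them.
IPTABLES=${IPTABLES:-/sbin/iptables}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}  # hypothetical test hook
INTERNAL=${INTERNAL:-eth0}   # LAN side
EXTERNAL=${EXTERNAL:-ppp0}   # internet side
set_forwarding() { echo "$1" > "$IP_FORWARD"; }

# Flush everything and set policies; $1 is the INPUT policy (DROP while the
# firewall runs, ACCEPT after stop). FORWARD always defaults to DROP.
fw_reset() {
    for t in filter nat; do
        $IPTABLES -t "$t" -F
        $IPTABLES -t "$t" -X
    done
    $IPTABLES -P INPUT "$1"
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
}

fw_start() {
    fw_reset DROP
    set_forwarding 1
    # The gateway itself: loopback, replies to its own connections, and the LAN.
    # Unsolicited packets arriving on $EXTERNAL fall through to the DROP policy.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$INTERNAL" -j ACCEPT
    # Routed traffic: LAN out freely, only replies back in, log what gets dropped
    $IPTABLES -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTERNAL" -o "$INTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -j LOG --log-prefix "fw-drop: "
    $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL" -j MASQUERADE
}

fw_stop() { set_forwarding 0; fw_reset ACCEPT; }

# Temporary ban: -I at position 1 in both chains so the rule is checked before
# the ESTABLISHED,RELATED accept; an -A would sit after it and never match an
# already-open connection. fw_unban deletes the same rule by specification.
fw_ban() {
    $IPTABLES -I INPUT 1 -s "$1" -j DROP
    $IPTABLES -I FORWARD 1 -s "$1" -j DROP
}
fw_unban() {
    $IPTABLES -D INPUT -s "$1" -j DROP
    $IPTABLES -D FORWARD -s "$1" -j DROP
}

case "${1-}" in
    start) fw_start ;; stop) fw_stop ;; ban) fw_ban "$2" ;; unban) fw_unban "$2" ;;
esac
```

Run it as `IPTABLES=echo sh fw.sh start` to review the exact rule order before applying it for real.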
Re: [gentoo-user] iptables: Invalid argument
On Wednesday 26 March 2003 09:57, mike mcgranahan wrote:

hello, i am new to gentoo, and am having trouble configuring basic NAT on my dialup system. these are the basic commands (that used to work on my debian system) and their output:

    # modprobe iptable_nat
    # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    iptables: Invalid argument
    # echo 1 > /proc/sys/net/ipv4/ip_forward

Recompile iptables and it'll be fixed.

jen.
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Iptables
On Wednesday 12 March 2003 06:36, Paulo Jorge de Oliveira Cantante de Matos wrote:

Hi all,
If I need to run a line during every reboot, something like:

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

After executing this command, do an iptables-save. That should save a correct rules-save file.

-- Sigurd Stordal
President of GOGS
Experimental Petrologist
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Iptables
On March 12, 2003 12:36 am, Paulo Jorge de Oliveira Cantante de Matos wrote:

If I need to run a line during every reboot, something like:

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

What should I add to rules-save? I tried to add the above line with no modifications but an error occurs during reboot.

i don't know if it's a bad idea or not, but i just wrote my super long iptables script and put it in /etc/init.d/ and added it to /runlevels/default. that way i didn't have to run iptables-save any time i wanted to edit or start/stop my firewall.

-- everything that used to be a sin is now a disease. - bill maher, comedian and commentator, 1995
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Iptables
gabriel wrote:

On March 12, 2003 12:36 am, Paulo Jorge de Oliveira Cantante de Matos wrote:

If I need to run a line during every reboot, something like:

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

What should I add to rules-save? I tried to add the above line with no modifications but an error occurs during reboot.

i don't know if it's a bad idea or not, but i just wrote my super long iptables script and put it in /etc/init.d/ and added it to /runlevels/default. that way i didn't have to run iptables-save any time i wanted to edit or start/stop my firewall.

iptables, like any proper service in Gentoo, already has an /etc/init.d/iptables script, which can be started/stopped/reloaded the normal way. As far as adding new rules goes, you are meant to simply add them as you would on any running system (execute the iptables command to add the rule to the running set), then, if you wish, perform a:

    /etc/init.d/iptables save

Then, add iptables to the default (or boot) runlevel, like this:

    rc-update add iptables default

Now, the iptables init script will load your saved settings on start, and save them on stop, which will be when the machine boots/shuts down respectively. There really should be no need to create your own /etc/init.d/iptables, as this will just cause problems when it comes to updating iptables.

MAL
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables + invalid argument?
if you only want nat:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -F
    iptables -t nat -F
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -o ppp0 -j MASQUERADE

With that you get NAT...

PS: 192.168.0.0/24 is the local network under eth0... change it if you have other settings.

On Wed, 2003-02-05 at 16:25, scott wrote:

i'm trying to setup nat, and when adding -j MASQUERADE i get "iptables: Invalid argument". in the kernel i have every netfilter option built-in, and in networking options i have packet socket, network packet filtering, unix domain sockets, tcp/ip networking, ip: multicasting, ip: advanced router, ip: policy routing, ip: tunneling, and ip: multicast routing. i've been doing the following:

    muffin root # iptables --flush
    muffin root # iptables --table nat --flush
    muffin root # iptables --delete-chain
    muffin root # iptables --table nat --delete-chain
    muffin root # iptables -vv --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
    MASQUERADE  all opt -- in * out eth1  0.0.0.0/0  -> 0.0.0.0/0
    libiptc v1.2.7a. 6 entries, 936 bytes. Table `nat'
    iptables: Invalid argument

any ideas on what i ought to try or what i might have done wrong would be greatly appreciated.

-scott
-- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables + invalid argument?
On February 5, 2003 01:26 pm, Jay Pfeifer wrote:

Recompile iptables.

Regards,

i had the exact same problem and recompiling iptables did the trick for me. it had to do with the ( mcpu | march ) = line in make.conf. check your architecture again, and recompile.

-- the surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently. - friedrich nietzsche
-- [EMAIL PROTECTED] mailing list