- Forwarded message from Shaheen Hossain [EMAIL PROTECTED] -
From: Shaheen Hossain [EMAIL PROTECTED]
Subject: Re: Thanks for willing to help
Date: Wed, 12 Feb 2003 01:53:02 +0600
Thanks Bartek, this was of great help. As a result, my mail is now
functional. Great, thanks.
- Original Message -
From: Bartek Krajnik [EMAIL PROTECTED]
To: Shaheen Hossain [EMAIL PROTECTED]
Sent: Tuesday, February 11, 2003 5:28 PM
Subject: Re: Thanks for willing to help
bk On Sun, Feb 09, 2003 at 08:56:36PM +0600, Shaheen Hossain wrote:
bk sh Dear Bartek, thanks for willing to help. Since the mail is not working,
please respond back to [EMAIL PROTECTED] File II works for email and
pinging to the server. Strangely File I does not, difference I can see is in
line 162. Thanks again. I really appreciate it.
bk sh
bk sh -- shaheen hossain
bk sh
bk Line 162 from fileI:
bk $IPTABLES -A allowed -p TCP -j DROP
bk fileII:
bk $IPTABLES -A allowed -p TCP -j REJECT
bk there shouldn't be problems.
bk
bk Do You know about this?
bk less /usr/src/linux-2.4.20/include/linux/icmp.h
bk #define ICMP_ECHO 8 /* Echo Request */
bk #define ICMP_TIME_EXCEEDED 11 /* Time Exceeded*/
bk
bk Scenariowith fileI.
bk Now, when someone tries from world
bk # telnet 203.76.102.44 25
bk first SYN packet goes to:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j LOG --log-prefix IPTABLES
TCP-IN:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j DROP
bk
bk You don't have instruction like:
bk $IPTABLES -A INPUT -p tcp -j tcp_packets
bk
bk So it should be:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j LOG --log-prefix IPTABLES
TCP-IN:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j DROP
bk
bk Now after:
bk # telnet 203.76.102.44 25
bk first SYN packet goes to:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk and it's OK.
bk From your server goes back packet:
bk $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
bk $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk And next:
bk $IPTABLES -A INPUT -i $INET_IFACE -p tcp -j tcp_packets
bk $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
bk and should be OK.
bk
bk With icmp:
bk # ping 203.76.102.44
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j LOG --log-prefix IPTABLES
ICMP-IN:
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j DROP
bk
bk When you change this:
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j icmp_packets
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j LOG --log-prefix IPTABLES
ICMP-IN:
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j DROP
bk
bk packet icmp-request (ping) goes:
bk $IPTABLES -A INPUT -i $INET_IFACE -p icmp -j icmp_packets
bk $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
bk
bk Now from Your server echo-response (pong):
bk $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
bk
bk IMHO Your scripts needs more work.
bk Read somewhere about TCP/ICMP/UDP protocols.
bk
bk Best regards,
bk Bartek.
bk --
bk GPG-Key:
bkhttp://www.bartek.bicom.pl/public_key.txt
bkpub 1024D/948DE45D 2002-12-12 Bartek Krajnik [EMAIL PROTECTED]
bkPrimary key fingerprint: 95E9 8E2D 1801 7864 2244 6EAA 03E5 764D 948D
E45D
bk
bk
bk
- End forwarded message -
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/