Re: lug-bg: iptables

2003-02-28 Thread Doncho N. Gunchev
|On Friday 28 February 2003 17:39, rusan wrote:
> masquerade only those IPs that bring up PPP
>
>
> thanks in advance
Use the interface as the criterion: you can cover all the PPP interfaces with
-i ppp+
In iptables, + matches any continuation whatsoever. That way it does not
matter to you at all what the PPP client's IP is.



A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html



Re: lug-bg: iptables

2003-03-04 Thread Andrei Boyanov
On Tue, Mar 04, 2003 at 12:16:57PM +0200, rusan wrote:
> I'm sending you this letter for the 2nd time in the hope that someone will answer me.
>
> I have RedHat 7.2 and a VPN, iptables-1.2.5-3
> in /etc/rc.local I masquerade the whole network with the line
> /sbin/iptables -t nat -A POSTROUTING -s 192.168.101.0/24 -j MASQUERADE
> can someone tell me how to masquerade only those IPs that bring up
> PPP

well, people did answer you (unless I dreamt it :)):

/sbin/iptables -t nat -A POSTROUTING -s 192.168.101.0/24 -i ppp+ -j MASQUERADE

something like that it should have been

rgds,

andrei






RE: lug-bg: iptables

2003-03-04 Thread rusan
Ok
Thank you very much




Re: lug-bg: iptables

2003-03-04 Thread Marian Popov
On Tuesday 04 March 2003 12:16, rusan wrote:
> I'm sending you this letter for the 2nd time in the hope that someone will answer me.
>
> I have RedHat 7.2 and a VPN, iptables-1.2.5-3
> in /etc/rc.local I masquerade the whole network with the line
> /sbin/iptables -t nat -A POSTROUTING -s 192.168.101.0/24 -j MASQUERADE
> can someone tell me how to masquerade only those IPs that bring up
> PPP
> thanks in advance

Well, it seems you don't read your mail, because you were answered.
Use ppp+ and that way iptables will recognise all the interfaces
that are ppp, and will pay no attention to the number
after that, whether 0, 1, 2, 3 or whatever.


-- 

Marian Popov




RE: lug-bg: iptables

2003-03-04 Thread rusan
I read it and I already thanked you
It's just that the letters arrive with a 1-day delay




RE: lug-bg: iptables

2003-03-04 Thread Denislav
So dude, look, forget the nonsense - VPN.. if you use pptp, it
runs on port 1723 (if I'm not mistaken - someone correct me). So you can
do the following: block everything except 1723, then you enable
MASQUERADING -o (on your output interface, i.e. the one your Internet
comes in from) and the job is done.

quoting rusan <[EMAIL PROTECTED]>:

> Ok
> Thank you very much





RE: lug-bg: iptables

2003-03-05 Thread rusan
Everything's great, except that ICQ and mIRC don't work when I put ppp+
I don't know whether something gets mixed up because of the VPN




RE: lug-bg: iptables

2003-03-05 Thread Denislav
Well, install the iptables modules for connection tracking, that's why
ICQ and mIRC don't work for you.
quoting rusan <[EMAIL PROTECTED]>:

> Everything's great, except that ICQ and mIRC don't work when I put ppp+
> I don't know whether something gets mixed up because of the VPN
>



Re: lug-bg: iptables

2003-03-05 Thread Doncho N. Gunchev
Do you have ip_conntrack_ftp and ip_conntrack_irc? ICQ works through an http
proxy (squid). ip_conntrack_irc has options for the ports...
Give some details on what kernel you're using, which pppd, pptp version
or, distro, versions... and so on.
| On Wednesday 05 March 2003 09:53, rusan wrote:
| Everything's great, except that ICQ and mIRC don't work when I put ppp+
| I don't know whether something gets mixed up because of the VPN



Re: lug-bg: iptables

2003-03-05 Thread Doncho N. Gunchev
oops... my mistake, that's right, in iptables you can't use -i in
POSTROUTING :(. According to the documentation it can be done if you mark
them beforehand. As far as I got with the idea... the following should work:

1: mark in FORWARD whatever will need to be masqueraded
  root# iptables -t mangle -A FORWARD -i ppp+ -j MARK --set-mark 1
2. in POSTROUTING masquerade the marked packets ;)
root# iptables -t nat -A POSTROUTING -m mark --mark 1 -j MASQUERADE

if anyone notices a mistake and/or has worked on this idea, correct me if
I'm wrong.

I put the marking in FORWARD because if they are directly for the router I
think there's no point in marking/masquerading them ;) right? I haven't
tried it, but a quick google on the subject says it should work... try it
and write ;) good luck

you can mark (experimentally) with a number that is a double word: in other
words up to 4,294,967,295 different marks (0x)... which I think will be
enough for you... more likely you'll run out of RAM/CPU first ;]]] - mark at
will (btw: after a short consultation here... we came to the conclusion that
one could mark every machine in the IPv4 address space with its own
marker)... ok, ok, I'll stop!

for irc, look at the linux help in /usr/src/linux/Documentation - it says
there how to set the ports for irc. ICQ has no connection tracking module
(yet), which is why you should give it an http proxy as I said; the new
versions work without problem with SQUID if the keep-alive option is given
(thanks to silent).

| On Wednesday 05 March 2003 18:24, you wrote:
| Linux gate 2.4.19 #1 Wed Oct 16 16:56:12 EEST 2002 i686 unknown
| ppp-2.4.1-3mppe
| pptpd-1.1.3-2
| cpp-2.96-112.7.2
| tcp_wrappers-7.6-19
| pptp-linux-1.1.0-1
|
| [EMAIL PROTECTED] ~]# /sbin/iptables -t nat -A POSTROUTING -s 192.168.101.0/24
| -i ppp+ -j MASQUERADE
| iptables v1.2.5: Can't use -i with POSTROUTING
|
| after that I put
| /sbin/iptables -t nat -A POSTROUTING -s 192.168.101.0/24 -o ppp+ -j
| MASQUERADE
| but ICQ and IRC don't work
|
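The mangle MARK / nat "-m mark" pairing described in the message above, written out as a script with a dry-run switch. This is an added example, not code from the thread or from any of the posters: LAN_NET is the prefix from the original question, while the Internet interface name (eth0), the conntrack helper modules and their port list are assumptions. The -o on the POSTROUTING rule is an addition to Doncho's rule; it restricts the NAT to packets leaving towards the Internet.

```shell
#!/bin/sh
# Added example (not code from the thread): masquerade only traffic that
# arrived over a PPP link, using the mangle MARK / nat "-m mark" pairing
# described above. LAN_NET is the prefix from the original question; the
# Internet interface name, the helper modules and their port list are
# assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
LAN_NET="${LAN_NET:-192.168.101.0/24}"
INET_IF="${INET_IF:-eth0}"     # assumption: where the default route leaves
PPP_MARK=1

run() {
    # With DRY_RUN set, print the command instead of executing it, so the
    # rule set can be reviewed (and unit-tested) without a live netfilter.
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

ppp_masq_rules() {
    # 1. Tag packets while the input interface is still known. -i is legal
    #    in mangle/FORWARD but rejected in nat/POSTROUTING ("Can't use -i
    #    with POSTROUTING") because that hook runs after routing. FORWARD
    #    rather than PREROUTING so packets addressed to the gateway itself
    #    are never tagged.
    run "$IPTABLES" -t mangle -A FORWARD -i ppp+ -s "$LAN_NET" \
        -j MARK --set-mark "$PPP_MARK"
    # 2. NAT only tagged packets, and only as they leave towards the
    #    Internet. Hosts from the same /24 that came in over Ethernet carry
    #    no mark and keep their real source address.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IF" \
        -m mark --mark "$PPP_MARK" -j MASQUERADE
}

conntrack_helpers() {
    # Protocols that negotiate extra connections in-band (FTP data, IRC DCC)
    # need both the conntrack helper and its NAT counterpart; without them
    # the secondary connection is neither tracked nor rewritten. The IRC
    # port list is an assumption.
    run "$MODPROBE" ip_conntrack_ftp
    run "$MODPROBE" ip_nat_ftp
    run "$MODPROBE" ip_conntrack_irc ports=6667,6668,6669
    run "$MODPROBE" ip_nat_irc ports=6667,6668,6669
}

case "${1:-}" in
    apply)   conntrack_helpers; ppp_masq_rules ;;
    dry-run) DRY_RUN=1; conntrack_helpers; ppp_masq_rules ;;
esac
```

`sh ppp-masq.sh dry-run` prints the six commands; `apply` loads them. Afterwards, `iptables -t mangle -L FORWARD -v -n` and `iptables -t nat -L POSTROUTING -v -n` show the counters: the MARK rule's packet count should climb only while a PPP client is sending traffic, and the MASQUERADE rule's count should track it.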



Re: lug-bg: IPTABLES

2004-01-06 Thread Георги Акабалиев
On 06.01.2004 13:15, Vasko Tomanov wrote:
> some time ago someone had sent the URL of a site that generates an IPTABLES
> configuration file.. can someone remind me of the URL

http://morizot.net/firewall/gen/

I sometimes use the above generator. Once you touch it up by hand, you can
polish it however you need!




Re: lug-bg: IPTABLES

2004-01-07 Thread G. Georgiev (Skeleta)
Vasko Tomanov wrote:

some time ago someone had sent the URL of a site that generates an IPTABLES
configuration file.. can someone remind me of the URL?
...
 

http://morizot.net/firewall/gen/

--

Skelet
-- http://skelet.hit.bg/







Re: lug-bg: iptables

2002-07-02 Thread Georgi Chorbadzhiyski

Ivan Dobrinov wrote:
> So far I've been blocking icmp replies like this:
> ipchains -A input -p icmp -s 0/0 -d 0/0 3 -j DENY
> but now I've moved to kernel 2.4.18 and I haven't studied iptables yet.
> Can anyone tell me how to do the same thing with iptables?

Hmm, it's quite stupid to block ICMP packets, since they
carry a lot of valuable information. But since in the good unix tradition
people give you enough rope to shoot yourself in the foot,
try this:

iptables -A INPUT -p icmp -j DROP
            ^

notice the difference: in iptables the built-in chains are now
in CAPITAL letters. If you're not too lazy, you can read

man iptables

the section: COMPATIBILITY WITH IPCHAINS

you would have saved yourself a question

-- 
Georgi Chorbadzhiyski
http://georgi.top.bg/






Re: lug-bg: iptables

2002-07-02 Thread Atanas Mavrov

Hello
If you have the chance, read the netfilter guide. There is an example there of how
you can protect yourself from various unpleasant attacks. One of them is ping of death,
and the example is the following
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

well, in your case naturally you can replace the forwarding chain with
the input chain
Good luck





RE: lug-bg: iptables

2002-07-02 Thread Boyan Krosnov

> Hmm, it's quite stupid to block ICMP packets, since they
> carry a lot of valuable information. But since in the good unix tradition
> people give you enough rope to shoot yourself in the foot,
> try this:
very well said. In my opinion he didn't stress enough the fact that
all ICMP must _NOT_ be filtered, for any reason whatsoever.
http://boyan.ludost.net/papers/pmtu.html for more information.

BR,
Boyan

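An ICMP policy that follows the point made in the two replies above instead of blanket-dropping the protocol, as an added example that is not from the thread: the error types that Path MTU discovery and ordinary error reporting depend on are accepted, echo is rate-limited the way the netfilter HOWTO example does it, and only the types with no legitimate use at a border (redirect, timestamp, address mask) are dropped. The interface name (eth1) and the chain are assumptions; with DRY_RUN=1 the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): an ICMP policy for the Internet-facing
# interface that keeps the messages the IP stack relies on and drops only
# the types with no legitimate use at a border. Interface and chain names
# are assumptions; DRY_RUN=1 prints the rules instead of loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth1}"   # assumption: the interface facing the Internet

run() {
    # Print instead of executing when DRY_RUN is set (review / unit test).
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

icmp_policy() {
    chain=${1:-INPUT}   # INPUT for the box itself; run again with FORWARD on a router
    # Errors about a connection this host opened (port/host unreachable,
    # TTL exceeded and, above all, "fragmentation needed", type 3 code 4)
    # are RELATED in conntrack terms. Dropping them is what breaks Path MTU
    # discovery: large packets silently vanish while small ones and pings work.
    run "$IPTABLES" -A "$chain" -i "$WAN_IF" -p icmp -m state --state RELATED -j ACCEPT
    # Belt and braces for flows conntrack has no entry for.
    run "$IPTABLES" -A "$chain" -i "$WAN_IF" -p icmp --icmp-type fragmentation-needed -j ACCEPT
    run "$IPTABLES" -A "$chain" -i "$WAN_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
    run "$IPTABLES" -A "$chain" -i "$WAN_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
    # Echo: answer pings, but only at a bounded rate; the excess falls
    # through to the final DROP.
    run "$IPTABLES" -A "$chain" -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    run "$IPTABLES" -A "$chain" -i "$WAN_IF" -p icmp --icmp-type echo-reply \
        -m state --state ESTABLISHED -j ACCEPT
    # Redirect (5) is a route-hijacking vector; timestamp (13/14) and
    # address mask (17/18) are dead protocols. Nothing is lost by dropping them.
    for t in redirect timestamp-request timestamp-reply \
             address-mask-request address-mask-reply; do
        run "$IPTABLES" -A "$chain" -i "$WAN_IF" -p icmp --icmp-type "$t" -j DROP
    done
    # Everything else ICMP from outside.
    run "$IPTABLES" -A "$chain" -i "$WAN_IF" -p icmp -j DROP
}

case "${1:-}" in
    apply)   icmp_policy INPUT ;;
    dry-run) DRY_RUN=1; icmp_policy INPUT ;;
esac
```

A quick check that PMTU discovery still works after loading this: from a LAN host, `ping -M do -s 1472 <remote>` (a do-not-fragment packet larger than some link on the path) should come back with "Frag needed" rather than time out.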




Re: lug-bg: iptables

2002-07-02 Thread Qsin

Unfortunately, like Ivan Dobrinov I'm not very clear on
iptables, so my question may also look very lame,
for which I apologize in advance, BUT:

When trying to sync the clock under Windows XP Pro the following appears
in the log:

Jul  3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1
SRC=192.168.xxx.yyy DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127
ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56

and the clock doesn't sync.

In iptables, regarding ICMP, there are the following things:

[0:0] -A INPUT -s 192.168.xxx.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i eth1 -p icmp -j ICMPINBOUND
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -d ! 192.168.xxx.0/255.255.255.0 -p tcp -m tcp --dport 41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -i eth0 -o eth1 -p icmp -j ACCEPT
[0:0] -A FORWARD -i eth1 -p icmp -m state --state RELATED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ICMPOUTBOUND
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -j ACCEPT
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -j ACCEPT
[0:0] -A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
[0:0] -A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
[0:0] -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LREJECT -j REJECT --reject-with icmp-port-unreachable

I asked the person who made the settings, but he couldn't tell me
what stops the clock from syncing. Reading the page linked below
(not that I understood anything :)
I wondered whether precisely the ICMP filtering is to blame for this problem.
I know RTFM is the golden rule,
but honestly at the moment I'm a bit short on time, which is why I'm asking
the question.

If the question is very dumb or annoys you - just don't answer, so we don't
create unnecessary and
pointless traffic.

Yavor Atanasov

P.S. I know I'm dumb without you telling me :





Re: lug-bg: iptables

2002-07-02 Thread Nickola Kolev


On Wed, 3 Jul 2002, Qsin wrote:

> Jul  3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1
> SRC=192.168.xxx.yyy DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127
> ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56
>

*snip*... somewhere you have a rule that forbids protocol UDP with source or
destination port 123, which is ntp (less /etc/services). Check your
firewall script more carefully (or tell the person who wrote it to fix it),
and allow everything that is udp sport 123 dport 123:
iptables -A INPUT -p udp -m udp -s 192.168.xxx.yyy --dport 123 -j ACCEPT


> and the clock doesn't sync.
>
> In iptables, regarding ICMP, there are the following things:
>

In my opinion your problem is not in icmp.

All the best,
Nikola




RE: lug-bg: iptables

2002-07-03 Thread Kostadin Karaivanov

see below, but the problem in my opinion is that you're blocking icmp type timestamp
and timestamp-reply, i.e. types 13 and 14

Kostadin Karaivanov
Senior System Administrator @ Ministry Of Finance
tel: +359 2 98592062
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Qsin
Sent: Wednesday, July 03, 2002 08:52
To: [EMAIL PROTECTED]
Subject: Re: lug-bg: iptables


In iptables, regarding ICMP, there are the following things:

[0:0] -A INPUT -s 192.168.xxx.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i eth1 -p icmp -j ICMPINBOUND
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -d ! 192.168.xxx.0/255.255.255.0 -p tcp -m tcp --dport 41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -i eth0 -o eth1 -p icmp -j ACCEPT
[0:0] -A FORWARD -i eth1 -p icmp -m state --state RELATED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ICMPOUTBOUND
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP -> remove this line


[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP -> remove this one too


[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -j ACCEPT
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP -> this one too


[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP -> again, remove it :-)))


[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -j ACCEPT
[0:0] -A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
[0:0] -A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
[0:0] -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LREJECT -j REJECT --reject-with icmp-port-unreachable





RE: lug-bg: iptables

2002-07-03 Thread Boyan Krosnov

> Jul  3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1
> SRC=192.168.xxx.yyy DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127
> ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56

> see below, but the problem in my opinion is that you're blocking icmp
> type timestamp
> and timestamp-reply, i.e. types 13 and 14

That's not the problem!
ICMP timestamp request and reply is a dead protocol, just like ICMP
mask request and reply, information request and reply, etc.
The way your clock gets synced is obviously NTP or SNTP on
source and destination port 123 in/over UDP. It has nothing to do with ICMP,
except of course that the error reporting (e.g. 'there's no ntp server
here', 'I have no route to this host', etc.) goes over ICMP.

Boyan Krosnov, CCIE#8701
Just another techie speaking for himself

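The diagnosis in the two replies above (the log prefix and the PROTO= field say which part of the script dropped the packet, and it is UDP, not ICMP) as a small shell helper run over the posted log line. This is an added example, not part of the thread. The sample is a constructed copy of the posted kernel log entry with its xxx.yyy placeholder kept; the prefix-to-section mapping (fp=UDP:... is the UDP section, fp=ICMP:... the ICMP chains) is inferred from how the poster's script labels its LOG rules and is an assumption. The helper also reads the IN=/OUT= pair: both set means the packet was being forwarded, so the accept rule it proposes goes in FORWARD, and it uses -I so the rule lands ahead of the one that dropped the packet.

```shell
#!/bin/sh
# Added example (not from the thread): read the fields of a netfilter LOG
# line and say which part of the firewall dropped the packet. The sample is
# a constructed copy of the kernel log entry posted above (the xxx.yyy
# placeholder is kept as posted). The prefix-to-section mapping is an
# assumption based on how the poster's script labels its LOG rules.
SAMPLE_LOG='Jul  3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1 SRC=192.168.xxx.yyy DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56'

nf_field() {
    # nf_field LINE KEY -> value of the first KEY=value token (the IP header
    # LEN precedes the UDP LEN, so "LEN" returns the IP length).
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed -n '1p'
}

nf_chain() {
    # IN= and OUT= are both present on every LOG line; which ones are
    # non-empty tells you the hook: both set means the packet was being
    # routed through the box, i.e. FORWARD, not INPUT.
    in_if=$(nf_field "$1" IN)
    out_if=$(nf_field "$1" OUT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then echo FORWARD
    elif [ -n "$in_if" ]; then echo INPUT
    else echo OUTPUT
    fi
}

nf_diagnose() {
    # One-line verdict: protocol, endpoints, action, chain and the part of
    # the script that the log prefix points at.
    line=$1
    prefix=$(nf_field "$line" fp)
    case $prefix in
        ICMP:*) section="the ICMP chains (ICMPINBOUND/ICMPOUTBOUND)" ;;
        UDP:*)  section="the UDP section of the script" ;;
        TCP:*)  section="the TCP section of the script" ;;
        *)      section="an unlabelled rule" ;;
    esac
    printf '%s %s:%s -> %s:%s %s in %s by %s (log prefix fp=%s)\n' \
        "$(nf_field "$line" PROTO)" "$(nf_field "$line" SRC)" "$(nf_field "$line" SPT)" \
        "$(nf_field "$line" DST)" "$(nf_field "$line" DPT)" "$(nf_field "$line" a)" \
        "$(nf_chain "$line")" "$section" "$prefix"
}

nf_suggest_rule() {
    # The narrowest rule that would have let this packet through. -I rather
    # than -A so it lands ahead of the rule that logged and dropped it.
    line=$1
    printf 'iptables -I %s -p %s -s %s -d %s --sport %s --dport %s -j ACCEPT\n' \
        "$(nf_chain "$line")" "$(nf_field "$line" PROTO | tr 'A-Z' 'a-z')" \
        "$(nf_field "$line" SRC)" "$(nf_field "$line" DST)" \
        "$(nf_field "$line" SPT)" "$(nf_field "$line" DPT)"
}

if [ "${1:-}" = demo ]; then
    nf_diagnose "$SAMPLE_LOG"
    nf_suggest_rule "$SAMPLE_LOG"
fi
```

On a live box the same functions run over the real log: `grep 'a=DROP' /var/log/messages | while read -r l; do nf_diagnose "$l"; done`. The suggested rule pins both endpoints and both ports from the log; widen it only once you know which clients and which time servers are supposed to talk.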




RE: lug-bg: iptables

2002-07-03 Thread Kostadin Karaivanov

sorry, when I haven't had my coffee it's like this
as far as I saw, the entry in the log is from fp=UDP:2, and what you pasted
refers to
ICMP, which is a completely different beer..
look at the part of the script that handles the UDP...

Kostadin Karaivanov
Senior System Administrator @ Ministry Of Finance
tel: +359 2 98592062
[EMAIL PROTECTED]






Re: lug-bg: iptables

2002-07-15 Thread Nickola Kolev


On Mon, 15 Jul 2002, Nikolai Abromov wrote:

> Hello,
>
> today I decided to make uid-based filters with iptables. This can be done
> with the owner module that ships with the iptables package. I tried to write
> a simple test rule containing the following:
>
> iptables -A OUTPUT -m owner --uid-owner=0 -j DROP
> but it gives me the following error: iptables: No chain/target/match by that name
>
> The OUTPUT chain is there:
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination
>
> Has anyone run into this problem, and if so, what am I doing wrong?
>
> br, Nikolay Abromov

Hello, namesake,

most likely you haven't compiled into the kernel

   Owner match support (EXPERIMENTAL)

CONFIG_IP_NF_MATCH_OWNER:
Packet owner matching allows you to match locally-generated packets
based on who created them: the user, group, process or session.

On my box it is compiled in, and it inserts perfectly normally.

target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0          OWNER UID match 0

All the best,
Nikola







RE: lug-bg: iptables

2002-07-15 Thread Nikolai Abromov

thanks, namesake,

I'll now recompile the kernel with MATCH_OWNER and try again.
Thanks for the help.



br, Nikolay Abromov








RE: lug-bg: iptables

2002-08-08 Thread Nikolai Abromov

Hi Sheib,

the thing with " " around $ was one of the first things I tried; otherwise
(my version is v1.2.6a) the path to the scripts is as it should be (at first
glance at least), but I will still look at them more closely.

thanks







-Original Message-
From: sheib [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 08, 2002 8:55 PM
To: [EMAIL PROTECTED]
Subject: Re: lug-bg: iptables


On Thu, 8 Aug 2002, Nikolai Abromov wrote:

hi.

option 1: you updated iptables to 1.2.6a, but your script
(/etc/init.d/iptables) still points to part(s) of the old one;
you need to update the links/paths in it.

option 2: put "" around $ in the iptables scripts (the save part).

regards,

/s

> Hello list,
>
> I have a small problem with iptables. I wrote to [EMAIL PROTECTED] but they
> haven't answered yet, so I decided to write to lug. My problem is the
> following: I am making a rule using the owner and limit modules; the rule
> looks like this
>
> -A OUTPUT  -m owner ! --uid-owner 0 -m limit ! --limit 1000/second -j DROP
>
> after which I save the rule with "/etc/init.d/iptables save active", stop it
> and try to start it again; the result of starting it was
>
> Loading iptables ruleset: load "active"iptables-restore v1.2.6a: Bad OWNER UID value `!root'
>
> after which I decided to change !root to !0 in /var/lib/iptables/active;
> the effect was the same.
>
> The second problem I have is that in the statistics I don't see the
> inversion I make with ! --limit 1000/second
>
> stat:
> DROP   all  --  anywhere anywhere   OWNER UID match 340 limit: avg 1000/sec burst 5
>
> and it seems it drops the packets that are under 1000, which means the "!"
> isn't working, so I also did a test with a separate user, but packets were
> dropped for it too. I can think of a way to fix it, but the idea is to write
> this rule on one line. If anyone has had a similar problem I would be glad
> if they shared how they fixed it
>
> thanks in advance
>
> br, Nikolay Abromov






RE: lug-bg: iptables

2002-08-09 Thread sheib


hi,

I looked again and saw what is broken. After you save this line:

iptables -A OUTPUT  -m owner ! --uid-owner 0 -m limit ! --limit 1000/second -j DROP

it ends up wrongly in /etc/sysconfig/iptables as:

[5:249] -A OUTPUT -m owner --uid-owner !root -m limit --limit 1000/sec -j DROP

instead of as:

[5:249] -A OUTPUT -m owner ! --uid-owner 0 -m limit !  --limit 1000/sec -j DROP

and iptables then does not like the syntax. It's a small nasty bug in
/etc/init.d/iptables:

instead of this line:

'/sbin/iptables-save -c > $IPTABLES_CONFIG  2>/dev/null && \'

put:

'echo > $IPTABLES_CONFIG ; chmod 600 $IPTABLES_CONFIG ; /usr/local/sbin/iptables-save -c &> /dev/null && \'


and there won't be a peep out of it any more. So you should write to your
vendor :)


regards,

/s


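Two pre-flight checks for the failures in this thread and the owner-match thread above, added here as an example (not code from any of the posts): whether the kernel registers the owner match at all, and whether a saved ruleset carries the "--uid-owner !root" form that iptables-restore 1.2.6a rejects, rewritten to the "! --uid-owner" form it accepts. The path /proc/net/ip_tables_matches and the sample rule line are the only assumptions.

```shell
#!/bin/sh
# Added example, not code from the list posts: two checks to run before
# "iptables-restore" on a box like the ones in this thread.
#
# 1. owner_match_available: "No chain/target/match by that name" comes from a
#    kernel built without CONFIG_IP_NF_MATCH_OWNER. The kernel lists the
#    matches it knows in /proc/net/ip_tables_matches, one name per line.
# 2. repair_owner_negation: iptables-save 1.2.6a wrote a negated owner match as
#    "--uid-owner !root", which iptables-restore rejects ("Bad OWNER UID
#    value"). The form it accepts is "! --uid-owner root", so rewrite it.
#    (The limit match has no negation at all, which is why the "!" in
#    "! --limit" never shows up in the counters.)

# owner_match_available [MATCHES_FILE]: exit 0 if the owner match is
# registered, 1 if not (or if the file cannot be read, e.g. no netfilter).
owner_match_available() {
    file="${1:-/proc/net/ip_tables_matches}"
    [ -r "$file" ] || return 1
    grep -qx 'owner' "$file"
}

# repair_owner_negation < SAVED > FIXED: move the "!" of a negated
# --uid-owner/--gid-owner in front of the option. Other text is untouched.
repair_owner_negation() {
    sed -E 's/(--(uid|gid)-owner) !([^ ]+)/! \1 \3/g'
}

# count_bad_owner_lines < SAVED: number of lines still in the rejected form,
# useful as a pre-restore assertion (0 means the file is safe to load).
count_bad_owner_lines() {
    grep -c -E -- '--(uid|gid)-owner ![^ ]' || true
}

# Usage (as root):
#   owner_match_available || echo "kernel lacks the owner match"
#   repair_owner_negation < /var/lib/iptables/active > /tmp/active.fixed
#   [ "$(count_bad_owner_lines < /tmp/active.fixed)" = 0 ] && \
#       iptables-restore -c < /tmp/active.fixed
```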




Re: [Lug-bg] iptables blocklist

2007-09-02 Thread Georgi Chorbadzhiyski
Bozhidar Maramski mumbled something about, On 9/3/07 2:17 AM:
> Can someone help me block a list of domains with iptables
> It's about porn sites.

iptables is not very suitable for what you want to do,
but if you insist:

for PORN in DOMAIN1 DOMAIN2 DOMAIN2
do
   iptables -A FORWARD -s $PORN -p tcp --sport 80 -j REJECT
   iptables -A FORWARD -d $PORN -p tcp --dport 80 -j REJECT
done

or, instead of in DOMAIN1 DOMAIN2, put $(cat FILE)
and put the list of domains in the file FILE.

Warning: the examples above will not work well if the site
you want to block access to has more than one IP
address.

-- 
Georgi Chorbadzhiyski
http://georgi.unixsol.org/

___
Lug-bg mailing list
Lug-bg@linux-bulgaria.org
http://linux-bulgaria.org/mailman/listinfo/lug-bg


Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Georgi Chorbadzhiyski
Around 09/03/07 11:23, [EMAIL PROTECTED] scribbled:
> Hi,
> 
> you can also use iproute2
> 
> [EMAIL PROTECTED] ip route add prohibit 209.10.26.51
> [EMAIL PROTECTED] ssh 209.10.26.51
> ssh: connect to address 209.10.26.51 port 22: No route to host
> [EMAIL PROTECTED] tcpdump -nnq -i eth2
> tcpdump: listening on eth2
> 22:13:13.740406 192.168.99.35.51973 > 209.10.26.51.22: tcp 0 (DF)
> 22:13:13.740714 192.168.99.254 > 192.168.99.35: icmp: host  
> 209.10.26.51 unreachable - admin prohibited filter [tos 0xc0]
> 
> http://linux-ip.net/html/tools-ip-route.html

Even better, because it uses far fewer resources than the iptables
solution.

-- 
Georgi Chorbadzhiyski
http://georgi.unixsol.org/


Re: [Lug-bg] iptables blocklist

2007-09-03 Thread boikov
Hi,

you can also use iproute2

[EMAIL PROTECTED] ip route add prohibit 209.10.26.51
[EMAIL PROTECTED] ssh 209.10.26.51
ssh: connect to address 209.10.26.51 port 22: No route to host
[EMAIL PROTECTED] tcpdump -nnq -i eth2
tcpdump: listening on eth2
22:13:13.740406 192.168.99.35.51973 > 209.10.26.51.22: tcp 0 (DF)
22:13:13.740714 192.168.99.254 > 192.168.99.35: icmp: host  
209.10.26.51 unreachable - admin prohibited filter [tos 0xc0]

http://linux-ip.net/html/tools-ip-route.html

Regards,
Yordan Boykov
:wq




Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Vasil Kolev
On Mon, 2007-09-03 at 11:35 +0300, Georgi Chorbadzhiyski wrote:
> Even better, because it uses far fewer resources than the iptables
> solution.
>

Or one could simply set up a squid as a transparent proxy and filter by
the domain name in the request, instead of going down to the lower layers
of the network model, where these things don't exist...




Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Georgi Chorbadzhiyski
Around 09/03/07 12:00, Vasil Kolev scribbled:
>
> Or one could simply set up a squid as a transparent proxy and filter by
> the domain name in the request, instead of going down to the lower layers
> of the network model, where these things don't exist...

Well, you can, but then you have to force the lusers through the proxy,
which comes with its requirements for memory, disk, pool settings and so
on. If you just want to cut off the various clubs.dir.bg, sladuri, asl and
similar garbage, the easiest is to null route them, with all the problems
that brings (but it is the easiest :)

-- 
Georgi Chorbadzhiyski
http://georgi.unixsol.org/


Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Vasil Kolev
On Mon, 2007-09-03 at 12:35 +0300, Georgi Chorbadzhiyski wrote:

> Well, you can, but then you have to force the lusers through the proxy,
> which comes with its requirements for memory, disk, pool settings and so
> on. If you just want to cut off the various clubs.dir.bg, sladuri, asl and
> similar garbage, the easiest is to null route them, with all the problems
> that brings (but it is the easiest :)
>

Yeah, but the list of problems includes things like mail to dir.bg and so
on; you just don't know what else sits on those IP addresses. Null-routing
is useful for some extreme cases (like the spamhaus DROP list and bogons,
but that's about it)...




Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Georgi Chorbadzhiyski
Around 09/03/07 12:44, Vasil Kolev scribbled:
> Yeah, but the list of problems includes things like mail to dir.bg and so
> on; you just don't know what else sits on those IP addresses. Null-routing
> is useful for some extreme cases (like the spamhaus DROP list and bogons,
> but that's about it)...

Well, in this specific example, the fact that they won't be opening
clubs.dir.bg and X.dir.bg is a bonus :)

-- 
Georgi Chorbadzhiyski
http://georgi.unixsol.org/


Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Bozhidar Maramski
> iptables is not very suitable for what you
> want to do,
> but if you insist

It really is so:

 -h' or 'iptables --help' for more information.
iptables v1.3.6: host/network `myfirstorgasm.org' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.6: host/network `zooskool.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.6: host/network `zooskool.com' not found

So how do I feed the /etc/blacklist file into iproute?



Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Bozhidar Maramski
> you can also use iproute2
> 
> [EMAIL PROTECTED] ip route add prohibit 209.10.26.51


ip route add prohibit $(cat /etc/blacklist)
-bash: /sbin/ip: Argument list too long

:(



Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Georgi Alexandrov
Bozhidar Maramski wrote:
>> iptables is not very suitable for what you
>> want to do,
>> but if you insist
> 
> It really is so:
> 
>  -h' or 'iptables --help' for more information.
> iptables v1.3.6: host/network `myfirstorgasm.org' not found
> Try `iptables -h' or 'iptables --help' for more information.
> iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
> Try `iptables -h' or 'iptables --help' for more information.
> iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
> Try `iptables -h' or 'iptables --help' for more information.
> iptables v1.3.6: host/network `zooskool.com' not found
> Try `iptables -h' or 'iptables --help' for more information.
> iptables v1.3.6: host/network `zooskool.com' not found
> 
> So how do I feed the /etc/blacklist file into iproute?


What do you actually want to do, or are you not sure? Or are you some
brainless automatic copy-paster?

P.S.
Is today idiot day or something?

-- 
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE





Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Georgi Chorbadzhiyski
On 09/03/07 18:41, Bozhidar Maramski wrote:
>> you can also use iproute2
>> 
>> [EMAIL PROTECTED] ip route add prohibit 209.10.26.51
> 
> 
> ip route add prohibit $(cat /etc/blacklist)
> -bash: /sbin/ip: Argument list too long

for i in $(cat /etc/blacklist)
do
  ip route add prohibit $i
done

I'm not writing it a third time :)

-- 
Georgi Chorbadzhiyski
http://georgi.unixsol.org/


Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Bozhidar Maramski
If your wife is sleeping with someone else or you haven't got five leva in
your pocket, that's not my fault. Get it out of your system somewhere else.

-- 
live free or die hard :)



Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Danail Petrov


Bozhidar Maramski wrote:

> If your wife is sleeping with someone else or you haven't got five leva in
> your pocket, that's not my fault. Get it out of your system somewhere else.

Bozhidar,
you have no right to display such an arrogant attitude towards the people
who are trying to help you. If only out of respect for the other people who
read this list, you should be mindful of what you write here. Such behaviour
might be tolerated on IRC or similar places, but here you will certainly hit
a wall.

> On Mon, 03 Sep 2007 19:26:19 +0300, Georgi Alexandrov <[EMAIL PROTECTED]> wrote:
>
>> Bozhidar Maramski wrote:
>>
>>>> iptables is not very suitable for what you
>>>> want to do,
>>>> but if you insist

Here Georgi was referring to the implementation itself, and to how each
request will be processed, not to the method by which it will be blocked.

>>> It really is so:

What is so? :)

>>>  -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `myfirstorgasm.org' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `zooskool.com' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `zooskool.com' not found
>>>
>>> So how do I feed the /etc/blacklist file into iproute?

This only shows that you have not bothered to open and read a few lines of
the iptables documentation.

>> What do you actually want to do, or are you not sure? Or are you some
>> brainless automatic copy-paster?

I think we should be more tolerant towards this type of people; after all,
not everyone who writes to this list is expected to be a great expert.

>> P.S.
>> Is today idiot day or something?

And now briefly: if the file contains domain names, you have to take the
trouble to resolve their IP addresses before passing them as parameters to
iptables/iproute2. That can also easily be done with a script, but when you
are looking for a solution to a problem like this it is good to be as
thorough as possible. You could have copied a few lines from the blacklist
file so we could get an idea of its structure, and then Georgi would
certainly have shown you exactly how to 'parse' the information.


Regards,
Danail Petrov

--
Danail Petrov
Senior Network Administrator
Evolink, Sofia
+359(2)9691650
www.evolink.com





Re: [Lug-bg] iptables blocklist

2007-09-03 Thread Yulian Stefanov
Yes, you will have to push them through... I think it's the best solution.
It does want memory, quite a bit, but not disk (depends on how you configure it).
Who is going to maintain /blacklist for you.. updating it every day, fussing over it..
squid3+squidguard(BerkeleyDB)+shalla's blacklist.
"Shalla's url blacklist has just jumped over 1.400.000 entries"
You put it in cron to pull updates on Sunday night,
and the incoming traffic gets sent to the proxy's port.
The rest of the traffic gets NATed...




-- 
Yulian Stefanov
+359 (885) 161 535
[EMAIL PROTECTED]


Re: [Lug-bg] iptables blocklist

2007-09-04 Thread Georgi Alexandrov
Bozhidar Maramski wrote:
> If your wife is sleeping with someone else or you haven't got five leva in
> your pocket, that's not my fault. Get it out of your system somewhere else.

Thanks for the kind words, you are very polite. You really are better off
dealing with internal combustion engines. A few explanations:


>>> It really is so:

What really is so?

>>>
>>>  -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `myfirstorgasm.org' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `zooskool.com' not found
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> iptables v1.3.6: host/network `zooskool.com' not found

Can't you translate that for yourself? What you are trying to do with
iptables works at layer 3 in principle, not the way you imagine. I.e.
iptables will look up the 'A' resource records for zooskool.com and,
according to the rule you invoked, if it finds any (and they will be IP
addresses) they will be handed to the netfilter code in the kernel. If it
finds none, it returns the error message above because there is nothing
more it can do. No point explaining how unreliable this solution is.

Example (as for schoolchildren):

[EMAIL PROTECTED]:~$ dig +short yahoo.com
66.94.234.13
216.109.112.135
[EMAIL PROTECTED]:~$ sudo iptables -A FORWARD -d yahoo.com -p tcp --dport 80 -j DROP
[EMAIL PROTECTED]:~$ sudo iptables -t filter -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            66.94.234.13        tcp dpt:80
DROP       tcp  --  0.0.0.0/0            216.109.112.135     tcp dpt:80
[EMAIL PROTECTED]:~$ sudo iptables -A FORWARD -d nonexistant-domain-name.com -p tcp --dport 80 -j DROP
iptables v1.3.6: host/network `nonexistant-domain-name.com' not found
Try `iptables -h' or 'iptables --help' for more information.
[EMAIL PROTECTED]:~$


>>>
>>> So how do I feed the /etc/blacklist file into iproute?


[EMAIL PROTECTED]:~$ for i in `dig +short $(cat /tmp/blacklist)`; do sudo ip r a prohibit $i; done
[EMAIL PROTECTED]:~$ ip r | grep prohibit
prohibit 17.254.3.183
prohibit 64.4.32.7
prohibit 64.4.33.7
prohibit 207.46.30.34
[EMAIL PROTECTED]:~$


It is a completely different matter that the things we are writing above
are complete nonsense. What you are trying to do is not done with a layer 3
filter but with a proxy and/or content filter (as you have already been
told). Be it squid, squid+dansguardian, squid+squidguard and so on. There
are plenty of solutions.

-- 
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE



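The resolve-first step Danail asks for and Georgi's dig loop does in one line, as an added example (not code from any of the posts) that also handles what the thread ran into: names that do not resolve, names with several A records, and the same address behind several names. It assumes one hostname per line with # comments, resolves with getent, and takes an optional resolver function so it can be tried without network access.

```shell
#!/bin/sh
# Added example, not code from the list posts: turn a hostname blocklist into
# a deduplicated set of IPv4 addresses and the matching "ip route add prohibit"
# commands, handling the failure modes raised in the thread:
#  - names that do not resolve (iptables aborts on them; here they are reported)
#  - names with more than one A record (all addresses are collected)
#  - the same address behind several names (deduplicated)
# Assumed file layout: one hostname per line, "#" comments and blank lines allowed.

# resolve_name NAME: print the IPv4 addresses of NAME, one per line.
# getent honours /etc/hosts and the resolver order, unlike a bare dig.
resolve_name() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# blocklist_to_addrs FILE [RESOLVER]: print the sorted, deduplicated address list.
# Names that do not resolve are reported on stderr rather than silently dropped.
# RESOLVER defaults to resolve_name; an offline substitute can be passed for testing.
blocklist_to_addrs() {
    file="$1"; resolver="${2:-resolve_name}"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
    grep -v '^$' |
    while read -r name; do
        addrs=$("$resolver" "$name")
        if [ -z "$addrs" ]; then
            echo "warning: $name does not resolve, skipped" >&2
            continue
        fi
        printf '%s\n' "$addrs"
    done | sort -u
}

# prohibit_commands FILE [RESOLVER]: one "ip route add prohibit" per address.
# Pipe into sh (as root) to apply. The caveats from the thread stand: everything
# else hosted on those addresses (mail, other sites) becomes unreachable too,
# and a new hostname under the same domain is not covered until it is listed.
prohibit_commands() {
    blocklist_to_addrs "$@" | sed 's/^/ip route add prohibit /'
}

# Usage: prohibit_commands /etc/blacklist            (review the output)
#        prohibit_commands /etc/blacklist | sh       (apply it)
```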


Re: [Lug-bg] iptables blocklist

2007-09-04 Thread Peter Pentchev
On Tue, Sep 04, 2007 at 10:43:50AM +0300, Georgi Alexandrov wrote:
> Bozhidar Maramski wrote:
> > Ако женати се чука с друг или нямаш пет лева в джоба не съм ти виновен
> > Избивай си го или си го набивай на друго място
> 
> Мерси за поздравите, много си учтив. Наистина е по-добре да се занимаваш
> с двигатели с вътрешно горене. Малко обяснения:
> 
> 
> >>> Наистина е така:
> 
> Кое наистина е така?
> 
> >>>
> >>>  -h' or 'iptables --help' for more information.
> >>> iptables v1.3.6: host/network `myfirstorgasm.org' not found
> >>> Try `iptables -h' or 'iptables --help' for more information.
> >>> iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
> >>> Try `iptables -h' or 'iptables --help' for more information.
> >>> iptables v1.3.6: host/network `estella.warren.video.online.fr' not found
> >>> Try `iptables -h' or 'iptables --help' for more information.
> >>> iptables v1.3.6: host/network `zooskool.com' not found
> >>> Try `iptables -h' or 'iptables --help' for more information.
> >>> iptables v1.3.6: host/network `zooskool.com' not found
> 
> Can't you translate this for yourself? What you're trying to do with
> iptables works at layer 3 by design, not the way you imagine. That is,
> iptables will look up the 'A' resource records for zooskool.com and,
> according to the rule you invoked, if it finds any (and they will be
> IP addresses) they get handed to the netfilter code in the kernel.
> If it finds none, it gives you the error message above because there is
> nothing more it can do. No need to explain how unreliable this solution
> is.
> 
> Example (as for schoolchildren):
> 
> [EMAIL PROTECTED]:~$ dig +short yahoo.com
> 66.94.234.13
> 216.109.112.135
> [EMAIL PROTECTED]:~$ sudo iptables -A FORWARD -d yahoo.com -p tcp --dport 80 -j DROP
> [EMAIL PROTECTED]:~$ sudo iptables -t filter -nL FORWARD
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
> DROP       tcp  --  0.0.0.0/0            66.94.234.13         tcp dpt:80
> DROP       tcp  --  0.0.0.0/0            216.109.112.135      tcp dpt:80
> [EMAIL PROTECTED]:~$ sudo iptables -A FORWARD -d nonexistant-domain-name.com -p tcp --dport 80 -j DROP
> iptables v1.3.6: host/network `nonexistant-domain-name.com' not found
> Try `iptables -h' or 'iptables --help' for more information.
> [EMAIL PROTECTED]:~$
> 
> 
> >>>
> >>> So how do I feed the /etc/blacklist file into iproute?
> 
> 
> [EMAIL PROTECTED]:~$ for i in `dig +short $(cat /tmp/blacklist)`; do sudo ip r a prohibit $i; done

Just an idea: people have invented xargs too :)

xargs dig +short < /tmp/blacklist | sudo xargs -n 1 ip route add prohibit

> [EMAIL PROTECTED]:~$ ip r | grep prohibit
> prohibit 17.254.3.183
> prohibit 64.4.32.7
> prohibit 64.4.33.7
> prohibit 207.46.30.34
> [EMAIL PROTECTED]:~$
> 
> 
> A completely different matter is that the things we're writing above are
> complete nonsense. What you're trying to do is not done with a layer 3 filter
> but with a proxy and/or a content filter (as you have already been told). Be it
> squid, squid+dansguardian, squid+squidguard and so on. There are plenty of solutions.

Look, here I agree, although with content filters one will have to face
the novel idea that the Internet is not only the WWW and think about how
to filter the other protocols in use too... but still, filtering based on
blacklisting the IP addresses *of specific host names only* is a bit
pointless, if only because that way you may manage to block traffic to
zooskool.com, but what do you do about new.zooskool.com, for instance? :)

Regards,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.


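The failure mode Georgi shows (iptables aborting on a name with no A record) and Peter's xargs pipeline, as an added shell example that is not code from this thread: it expands a hostname blacklist into IPv4 addresses, reports and skips names that do not resolve instead of aborting, drops the CNAME lines that `dig +short` also prints, and emits the `ip route add prohibit` commands. The resolver command and the blacklist file are assumptions (the default resolver is the thread's `dig +short`).

```shell
#!/bin/sh
# Added example, not code from the lug-bg thread.
# Expand a hostname blacklist into "ip route add prohibit" commands.
# Unlike "iptables -d <name>", an unresolvable name is reported and
# skipped rather than aborting the whole run.

# Resolver to use; any command that prints one answer per line works.
# Default is the dig invocation from the thread (assumed to be installed).
RESOLVER="${RESOLVER:-dig +short}"

# is_ipv4 ADDR: true if ADDR is a dotted quad with octets 0-255.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0
    } { exit 1 }'
}

# resolve_blacklist FILE: print the unique IPv4 addresses of every
# resolvable name in FILE, one per line. Names with no A record are
# reported on stderr. CNAME targets printed by "dig +short" are dropped.
resolve_blacklist() {
    while read -r name; do
        case "$name" in ''|'#'*) continue ;; esac
        found=0
        for answer in $($RESOLVER "$name"); do
            if is_ipv4 "$answer"; then
                echo "$answer"
                found=1
            fi
        done
        [ "$found" -eq 1 ] || echo "skipping $name: no A record" >&2
    done < "$1" | sort -u
}

# prohibit_routes FILE: print the "ip route add prohibit" commands for
# FILE's addresses (piping this into sh would install them; the
# thread's version does that directly via xargs).
prohibit_routes() {
    resolve_blacklist "$1" | sed 's/^/ip route add prohibit /'
}
```

Resolution happens once, when the script runs, so like the iptables form it is a snapshot: hosts whose addresses change later, or the same content under another name such as Peter's new.zooskool.com, are not covered.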


Re: [Lug-bg] iptables blocklist

2007-09-04 Thread Georgi Alexandrov
Peter Pentchev wrote:

> Just an idea: people have invented xargs too :)
> 
> xargs dig +short < /tmp/blacklist | sudo xargs -n 1 ip route add prohibit


You're right. In fact, looking at it now, I see that dig has an '-f' option too.

-- 
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE





Re: lug-bg: iptables & TOS

2004-12-21 Thread Peter Pentchev
On Tue, Dec 21, 2004 at 11:51:49AM +0200, [EMAIL PROTECTED] wrote:
> hi,
> 
> anyone have an idea how to mark with iptables based on non-standard TOS
> values..
> I was quite surprised that -m tos --tos XX can only mark on the standard
> values (really dumb) :")

In principle you can't with the TOS module itself: the check is hard-coded
in linux-*/net/ipv4/netfilter/ipt_TOS.c:checkentry()...

I'm not sure whether iptables can match on the value of a byte at a given
offset inside the packet, something like tcpdump's 'ip[1] = 7' for
TOS 7, say.  A quick look through the manual page didn't show such an
option, but maybe someone knows more.

Regards,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.




RE: lug-bg: iptables & TOS

2004-12-21 Thread Stoimen Gerenski
Well, I think that to do something like that you need to use the DSCP module.


--
Regards,
Stoimen 


Re: lug-bg: iptables & TOS

2004-12-21 Thread [EMAIL PROTECTED]
I was thinking of something like that too!!!
if anyone has a pointer..

-
http://linuxtoday.com/news_story.php3?ltsn=2004-12-08-004-32-OS-BZ-DT-0005
snip> MS Office is popular in the same way as heart disease is the most popular 
way to die.




Re: lug-bg: iptables & TOS

2004-12-22 Thread Anton Glinkov
TOS/4 = DSCP
fire up a _HEX_ calculator and work it out

TOS 64 = DSCP 19
TOS 60 = DSCP 18
etc..

-- 
Anton Glinkov
network administrator





Re: lug-bg: iptables & TOS

2004-12-22 Thread Delian Krustev
On Tuesday 21 December 2004 18:21, [EMAIL PROTECTED] wrote:
> I was thinking of something like that too!!!
> if anyone has a pointer..

Two options: either DSCP, or, if the bits you need are not covered by it,
u32, which is in POM. The second one is recommended, although until some
time ago it hadn't been ported to 2.6 ..

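Anton's rule of thumb (TOS/4 = DSCP, worked out in hex) and Delian's choice between the DSCP module and u32 when the bits you need are not covered, as an added shell example that is not code from this thread. The five values accepted by the standard tos match are the ones `iptables -m tos -h` lists; the u32 expression, which tests the TOS byte of the IP header the way Peter's tcpdump 'ip[1] = 7' does, is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the lug-bg thread.
# Map an IPv4 TOS byte to the iptables match that can actually test it.
#
# TOS byte layout (RFC 2474): DSCP is the upper six bits, the low two
# bits are ECN. So DSCP = TOS >> 2, which is the "TOS/4" from the thread,
# and the division is done on the whole byte, hence the hex calculator.

# tos_to_dscp TOS: print the DSCP field of TOS as 0xNN.
tos_to_dscp() {
    printf '0x%02x\n' $(( $1 >> 2 ))
}

# tos_ecn_bits TOS: print the two ECN bits of TOS as a decimal 0-3.
tos_ecn_bits() {
    printf '%d\n' $(( $1 & 3 ))
}

# is_standard_tos TOS: true if TOS is one of the five values the
# "-m tos" match accepts (Normal-Service 0x00, Minimize-Cost 0x02,
# Maximize-Reliability 0x04, Maximize-Throughput 0x08, Minimize-Delay 0x10).
is_standard_tos() {
    case $(( $1 )) in
        0|2|4|8|16) return 0 ;;
        *) return 1 ;;
    esac
}

# tos_match_args TOS: print the iptables match arguments for TOS.
#   standard value   -> -m tos --tos 0xNN
#   ECN bits clear   -> -m dscp --dscp 0xNN   (exact DSCP, low bits ignored)
#   ECN bits set     -> -m u32 on the TOS byte: the dscp match cannot see
#                       the low two bits, so the whole byte is compared.
tos_match_args() {
    if is_standard_tos "$1"; then
        printf '%s 0x%02x\n' '-m tos --tos' $(( $1 ))
    elif [ "$(tos_ecn_bits "$1")" -eq 0 ]; then
        printf '%s %s\n' '-m dscp --dscp' "$(tos_to_dscp "$1")"
    else
        # The first 32-bit word of the IPv4 header is version/IHL, TOS,
        # total length, so the TOS byte is bits 16-23 of word 0.
        printf '%s "0&0x00FF0000=0x%02x0000"\n' '-m u32 --u32' $(( $1 ))
    fi
}
```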



Re: lug-bg: iptables & TOS

2004-12-23 Thread raptor
On Wed, 22 Dec 2004 16:50:48 +0200 (EET)
"Anton Glinkov" <[EMAIL PROTECTED]> wrote:

|TOS/4 = DSCP

Looking at the iptables source and the kernel, it seems to me that if I remove
the check in iptables for the entered value, things will work... if anyone has
time, could they check the source and say whether I'm right..
(I'm not a C programmer, but it looks to me like the limitation is in the
iptables tool and not in the kernel. I'm looking at the 2.4 kernel)

bye




Re: lug-bg: iptables & TOS

2004-12-26 Thread Peter Pentchev
On Thu, Dec 23, 2004 at 09:48:23PM +0200, raptor wrote:
> Looking at the iptables source and the kernel, it seems to me that if I remove
> the check in iptables for the entered value, things will work... if anyone has
> time, could they check the source and say whether I'm right..
> (I'm not a C programmer, but it looks to me like the limitation is in the
> iptables tool and not in the kernel. I'm looking at the 2.4 kernel)

Look at my first reply again: it's in the kernel, look at the checkentry()
function in net/ipv4/netfilter/ipt_TOS.c :)  In the middle, around line 70,
there's a big if that compares the given value against the pile of standard
type of service values.

Using DSCP really is the better idea; I had missed that during my quick
look at the manual page.

Oh, and merry Christmas to everyone who celebrates it :)

Regards,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
What would this sentence be like if it weren't self-referential?




Re: lug-bg: iptables & TOS

2004-12-27 Thread [EMAIL PROTECTED]
yes, that seems best... thx all

-
http://linuxtoday.com/news_story.php3?ltsn=2004-12-08-004-32-OS-BZ-DT-0005
snip> MS Office is popular in the same way as heart disease is the most popular 
way to die.




Re: lug-bg: iptables + NARC

2001-10-05 Thread Georgi Iliev

Well, I suppose you've updated iptables to
1.2.2 and haven't recompiled the kernel.


 

===
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora



Re: lug-bg: iptables + NARC

2001-10-05 Thread Yavor Atanasov

I'm using 1.2.3 straight away, I haven't done any updates.
I recompiled the kernel afterwards.

Yavor Atanasov




RE: lug-bg: iptables vupros

2001-09-28 Thread Boyan Krosnov

is this a question about iptables? :)))

looks like it's about /usr/src/linux or wherever you
unpacked the kernel.

  -Original Message-
From: Yavor Atanasov [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 12:57 PM
To: [EMAIL PROTECTED]
Subject: lug-bg: iptables vupros


Maybe my question is a stupid one, for which I apologise in advance :)

FOLLOW THESE STEPS:

0) There may be some outstanding bugfixes or tweaks which are not yet
   in the official kernel.  To look through these, do:
% make pending-patches KERNEL_DIR=<>

   Please note that you have to recompile your kernel and your kernel
modules
   after this step of kernel patching.

1) Next, make the package.
% make KERNEL_DIR=<>

2) Finally, you need to to install the shared libraries, and the binary:
# make install KERNEL_DIR=<>


So my question is:

<> - where is that?

/usr/local/linux
or 
/boot/
or
/lib/modules/2.4.10/kernel

Yavor Atanasov



Re: lug-bg: iptables vupros

2001-09-28 Thread Yavor Atanasov

Yes, this is part of the INSTALL of iptables 1.2.3.
That's what I assumed too, that it's the location of the kernel source.
On my machine it's in /home/src and that's what was given when installing
iptables. But the modules don't get loaded.
Shouldn't they appear in /lib/modules/2.4.10/kernel
after make install?

Yavor Atanasov




RE: lug-bg: iptables vupros

2001-09-28 Thread Boyan Krosnov

> Please note that you have to recompile your kernel and your kernel
> modules
>after this step of kernel patching.
before you do make modules_install in the kernel tree you have to
delete the modules from the previous build
I usually edit the makefile in /usr/src/linux/
and add an extra_version there, for example bk
that builds a kernel which thinks it is, say, 2.2.19bk and loads
modules from /lib/modules/2.2.19bk/...
system map in /boot/System-map.2.2.19bk

the trick of doing it this way is that you don't have to delete the
previous modules, and if it happens not to boot or something doesn't work
you can go back to your previous kernel/modules whenever you like.




Re: lug-bg: iptables MAC

2003-03-13 Thread Nickola Kolev
 Marian wrote:

[ cut ]
 > iptables -A INPUT -s 192.168.0.40 -m mac -mac-source 00:04:c0:76:70:80 -j
 > DROP
[ cut ]

You're only missing one dash.

iptables -A INPUT -s 192.168.0.40 -m mac --mac-source 00:04:c0:76:70:80 -j DROP
 ^


All the best,
Nikola





Re: lug-bg: iptables MAC

2003-03-13 Thread peyo
Marian Popov wrote:

> Hello again :)
>
> I'm trying to filter by MAC address with iptables,
> but somehow it doesn't do what it should.
> For example:
>
> iptables -A INPUT -s 192.168.0.40 -m mac -mac-source 00:04:c0:76:70:80 -j
> DROP
>
> In my view this line should stop everything
> coming from IP 192.168.0.40 with MAC address 00:04:c0:76:70:80
> towards the machine.
> After running the line, however, an error message appears
> which reads as follows:
>
> iptables v1.2.6a: Couldn't load match
> `ac-source':/lib/iptables/libipt_ac-source.so: cannot open shared object
> file: No such file or directory
>
> This is on Debian 3.0, but I get the same success
> on Slackware 8.1 too; evidently there is something I don't know.
>
> I want to ask one more thing. Is it possible
> with iptables to stop everything coming from a given MAC address
> without specifying an IP address?
> I.e., say, to forbid the arrival of any packets
> whatsoever from MAC 00:04:c0:76:70:80 to the local machine,
> or to stop FORWARD for that MAC address.
>
> --
> Marian Popov
> Siterm Engeneering Ltd.
> [EMAIL PROTECTED]
>

It's possible.
Compile the MAC module for iptables. Then try :))
Although now I see an error: it's written "--mac-source", with two "-" :)
Actually that turned out to be your mistake :)))





Re: lug-bg: iptables MAC

2003-03-13 Thread Marian Popov
Lately I've been so sleepy that I don't know where my head is.
Thanks anyway, and to Nikola Kolev too :))
Sleepy work.
Chorbadji did say not to write such things
right after waking up, but ...



--
Marian Popov
Siterm Engeneering Ltd.
[EMAIL PROTECTED]





Re: lug-bg: iptables problem

2003-11-25 Thread Stoyan Zalev
Hi,
At "prima vista": the negation (!) needs 1 space of "distance", if
you copy/pasted it, that is :)
-s !212.91.161.0/24 

try it like this:
-s ! 212.91.161.0/24

Stoyan





Re: lug-bg: iptables problem

2003-11-25 Thread Георги Акабалиев
On 25.11.2003 11:53, Elin wrote:
> iptables -t nat -A PREROUTING -d 192.168.1.2 -p tcp -s !212.91.161.0/24
> --dport 80 -j DNAT --to-destination 192.168.1.253:3128
What are these packets before routing that come from real IPs and go to a 
private network? In principle there shouldn't be any such thing!

Gogo




Re: lug-bg: iptables problem

2003-11-25 Thread Elin
I didn't copy-paste; there is a space, I just left it out in the mail.




Re: lug-bg: iptables problem

2003-11-25 Thread oneofus
Hi,
either I can't understand you ... or you haven't put it correctly :)
Question 1. What IP does the machine you're writing this rule on have?
Question 2. What exactly are you trying to do?
because right now this rule tells all TCP packets !except
212.91.161.0/24 to 192.168.1.2 on dport 80 to be DNATed to your proxy.
If it doesn't work there are several possibilities for that ... one of them
is that you haven't configured squid properly to work like a transparent
proxy ... the other one I won't tell now :)

go describe in more detail what exactly doesn't work .. and post a bit of
output from squid's access log so we can see what it says there too :)

best regards
danail petrow...

> hello group, I have the following problem
>
> this rule
> iptables -t nat -A PREROUTING -d 192.168.1.2 -p tcp -s !212.91.161.0/24
> --dport 80 -j DNAT --to-destination 192.168.1.253:3128
> works when I write only it; the idea is that this is an IP from the peering
> which shouldn't go through the proxy, while all the others should
> and the problem comes once I list the whole peering after it, then
> the negation "!" doesn't work, and when I remove the negation it works
> anyone have an idea where the bug is
> 10x
>



Re: lug-bg: iptables problem

2003-11-25 Thread Stefan Stoilov
I've done it like this:

/usr/sbin/iptables -t nat -A PREROUTING -i eth1 -d ! free.dupnica.net -p tcp --dport 80 -j REDIRECT --to-port 3128

This is the way to bypass the proxy for specific IPs or networks.
My proxy is on the same machine.
i.e. everything, except what is listed after ! -d, gets redirected, and the
rest goes straight through.

The way you've done it, I think it won't work.



Stefan




Re: lug-bg: iptables problem

2003-11-26 Thread Elin
10x for the help everyone, I figured out the problem: as a single line it
works, but when I list the whole peering it becomes many lines, and that's
where the problem comes from, because already the first line says that
everyone except that IP should be sent to the proxy, i.e. the following
lines are never reached, because already the first line makes everything
different from ! 212.91.161.0/24 go to the proxy

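The bug Elin ran into is a rule-ordering one: each `-s ! net` rule on its own already matches every source outside that one network, so the first such rule DNATs everything and the later ones are never consulted. The usual fix is a dedicated chain where each excepted network RETURNs before a single unconditional DNAT. This is an added shell example, not from the thread; the chain name and the network list are assumptions, while the proxy and destination addresses are the ones from Elin's rule.

```shell
#!/bin/sh
# Added example, not code from the lug-bg thread.
# Generate nat rules that send web traffic to a transparent proxy except
# for a list of "peering" networks, without the negation pitfall: with
#   -s ! net1 ... -j DNAT
#   -s ! net2 ... -j DNAT
# the first rule already matches every source that is not net1, so net2
# is DNATed before its own rule is ever reached. One chain with one
# RETURN per exception and a final unconditional DNAT avoids that.

CHAIN=WEB_PROXY                  # assumed chain name
PROXY=192.168.1.253:3128         # proxy from the thread
WEB_DST=192.168.1.2              # destination from the thread

# proxy_bypass_rules FILE: print the iptables commands for the networks
# listed in FILE (one per line, '#' starts a comment). Nothing is
# executed; pipe the output into sh to apply it.
proxy_bypass_rules() {
    echo "iptables -t nat -N $CHAIN"
    while read -r net; do
        case "$net" in ''|'#'*) continue ;; esac
        # excepted sources leave the chain and are never DNATed
        echo "iptables -t nat -A $CHAIN -s $net -j RETURN"
    done < "$1"
    # everything that did not RETURN goes to the proxy
    echo "iptables -t nat -A $CHAIN -j DNAT --to-destination $PROXY"
    # hook the chain once from PREROUTING; no negation is needed any more
    echo "iptables -t nat -A PREROUTING -d $WEB_DST -p tcp --dport 80 -j $CHAIN"
}

# count_bypassed FILE: number of RETURN rules that would be generated,
# i.e. the number of excepted networks; useful as a sanity check against
# the length of the peering list before applying the rules.
count_bypassed() {
    proxy_bypass_rules "$1" | grep -c -- '-j RETURN'
}
```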



Re: lug-bg: iptables problem

2003-11-26 Thread Doncho N. Gunchev
On Tuesday 25 November 2003 10:48, Георги Акабалиев wrote:
> On 25.11.2003 11:53, Elin wrote:
> > iptables -t nat -A PREROUTING -d 192.168.1.2 -p tcp -s !212.91.161.0/24
> > --dport 80 -j DNAT --to-destination 192.168.1.253:3128
>
> What are these packets before routing that come from real IPs and go to
> a private network? In principle there shouldn't be any such thing!
>
> Gogo
Normal ones, internal network, I have similar ones too :) As long as the
router that handles them knows what to do with them there's no problem; the
problem is not letting them out of your own network. Say the guy has a client
with a real IP, but his squid has an internal IP: why waste a real one, and
moreover why should his squid be visible from outside?
We could (but only very theoretically) decide that in Bulgaria we'll use
10.0.0.0/8 for our own common needs. Then we could route it among all the
providers (for some of them this already exists), say. In such a scenario
these packets would have to be cut/masqueraded only at the points where
packets leave Bulgaria (well, that's a fantasy story by yours truly).

-- 
Regards,
  Doncho N. Gunchev




Re: lug-bg: iptables accounting

2004-01-06 Thread Velin Getov
Tosho Yankov wrote:
> Hello,
> I have a small problem with the accuracy of my traffic accounting.
> Here is the setup:
> proxy and accounting on one and the same machine, real IPs for all
> users. While I was still on ipchains everything was fine. I attached
> the counters to the input and output chains and everything was counted
> OK. After I moved to iptables, here is what I got:
> counters attached to the INPUT and OUTPUT chains:
> - only the proxy traffic is counted (nothing else)
Quite normal, since your proxy is on the same machine. The INPUT and OUTPUT
chains do not account for transit traffic, i.e. what passes through the
FORWARD chain is not counted on INPUT and OUTPUT.

> the counter attached only to the FORWARD chain
> - everything EXCEPT the proxy traffic is counted
Quite natural, given the above.

> the counter attached as follows
>  - inbound - INPUT + FORWARD (here I'm not sure whether I have to give
>  the forward rule -s my_net/my_mask)
>  - outbound - OUTPUT + FORWARD (again, whether -d my_net/my_mask has to
>  be specified)
When you sum the inbound traffic, specify the inbound interface. For
example, if eth0 is your interface towards the internet:

rule A
#iptables -I FORWARD -i eth0
This gives you everything that is inbound traffic from the internet to your
machine. Analogously, the outbound traffic is:

rule B
#iptables -I FORWARD -o eth0

>  so the things in brackets, since I'm not sure, are without source and
>  destination, and I get more traffic accounted than the real amount.
then you do the calculation:
inbound = INPUT + "rule A"
outbound = OUTPUT + "rule B"
>  I need help on how exactly to arrange the chains.
>  Thanks in advance.
I hope I understood you correctly
Good luck!
>  P.S. Solutions like ipac-ng or any additional software don't do the
>  job for me; I simply have a lot of interlinked scripts that do various
>  tasks, and I want to have an inbound and an outbound counter, and from
>  there I know what to do with them :)


--
Velin Getov
JDC, Telecomputer BG
--

Java Development Center, IIS Ltd.
G.M. Dimitrov blvd. bl.60 apt.79
Sofia, BG-1172
email:  [EMAIL PROTECTED]
phone:  +359(0)2-962-5581
fax:+359(0)2-720-531
--




Re: lug-bg: iptables accounting

2004-01-06 Thread Lyubomir Popov
let the users be on eth0 and the internet on eth1
to account the total outbound and inbound traffic for eth1:
iptables -N Accounting
iptables -A Accounting -o eth1 # upstream traffic
iptables -A Accounting -i eth1 # downstream traffic
iptables -A INPUT -i eth1 -j Accounting
iptables -A OUTPUT -o eth1 -j Accounting
iptables -A FORWARD -i eth1 -j Accounting
iptables -A FORWARD -o eth1 -j Accounting
to account for 1 IP (for example 192.168.1.33) you add:

iptables -A Accounting -s 192.168.1.33 # upstream traffic
iptables -A Accounting -d 192.168.1.33 # downstream traffic
iptables -A INPUT -i eth0 -s 192.168.1.33 -j Accounting
iptables -A OUTPUT -o eth0 -d 192.168.1.33 -j Accounting
iptables -A FORWARD -i eth0 -s 192.168.1.33 -j Accounting
iptables -A FORWARD -o eth0 -d 192.168.1.33 -j Accounting
it's important that these rules come first, since otherwise there will be unaccounted traffic

regards,
Lyubo




--
Best regards,
Lyubomir Popov aka zEAL
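An added example, not part of Lyubo's post or Tosho's scripts: a POSIX shell script that installs an accounting chain of the same shape and then reads the counters back from `iptables -nvx -L Accounting` output. Interface names, the host 192.168.1.33 and the counter sample are constructed; IPT defaults to `echo iptables`, so the script is a dry run unless it is run as root with IPT=iptables. Two design choices differ from the rules above on purpose: the chain is hooked with -I so it sits in front of any existing ACCEPT/DROP (Lyubo's "these rules must come first"), and a packet is jumped into Accounting exactly once, only from the eth1-side rules, so the per-host rules inside the chain can use plain -s/-d without a forwarded packet being counted twice.

```shell
#!/bin/sh
# Added example (not from the thread): an iptables accounting chain plus a
# parser for its counters. IPT defaults to "echo iptables" (dry run).
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth1}"               # assumed: internet side

# Create the chain and hook it in FRONT of INPUT/OUTPUT/FORWARD with -I, so no
# earlier ACCEPT/DROP can short-circuit the counters. Each packet crossing the
# WAN interface enters Accounting exactly once.
account_iface() {
    $IPT -N Accounting
    $IPT -A Accounting -o "$WAN_IF"          # total upstream
    $IPT -A Accounting -i "$WAN_IF"          # total downstream
    $IPT -I INPUT   1 -i "$WAN_IF" -j Accounting
    $IPT -I OUTPUT  1 -o "$WAN_IF" -j Accounting
    $IPT -I FORWARD 1 -i "$WAN_IF" -j Accounting
    $IPT -I FORWARD 2 -o "$WAN_IF" -j Accounting
}

# Per-host counters live in the same chain; -s/-d is enough because only
# WAN-side packets ever reach it.
account_host() {
    $IPT -A Accounting -s "$1"               # upstream for host $1
    $IPT -A Accounting -d "$1"               # downstream for host $1
}

# Constructed `iptables -nvx -L Accounting` output. The target column is empty
# for counting-only rules, which shifts the left-hand columns.
SAMPLE='Chain Accounting (4 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    9876543            all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   23456   87654321            all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
     100      60000            all  --  *      *       192.168.1.33         0.0.0.0/0
     200     180000            all  --  *      *       0.0.0.0/0            192.168.1.33'

# Sum bytes per direction from counter output on stdin. Columns are taken from
# the right (NF) because the empty target column shifts the others.
sum_counters() {
    awk -v wan="$WAN_IF" '
        $1 !~ /^[0-9]+$/ { next }                      # header lines
        { bytes = $2; in_if = $(NF-3); out_if = $(NF-2); src = $(NF-1); dst = $NF }
        src == "0.0.0.0/0" && dst == "0.0.0.0/0" && out_if == wan { up += bytes }
        src == "0.0.0.0/0" && dst == "0.0.0.0/0" && in_if  == wan { down += bytes }
        src != "0.0.0.0/0" { hup[src] += bytes }
        dst != "0.0.0.0/0" { hdown[dst] += bytes }
        END {
            printf "total up=%d down=%d\n", up, down
            for (h in hup) printf "host %s up=%d down=%d\n", h, hup[h], hdown[h] + 0
        }'
}

demo() { printf '%s\n' "$SAMPLE" | sum_counters; }

account_iface
account_host 192.168.1.33
demo
```

Read the live counters with `iptables -nvx -L Accounting | sum_counters` (the -x matters: without it the byte column is abbreviated with K/M suffixes); `iptables -Z Accounting` resets them after you have stored the totals.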




Re: lug-bg: iptables masquerade problem

2005-07-27 Thread Delian Krustev
On Wednesday 27 July 2005 15:08, Danail Petrov wrote:
> This worked for nearly a year, but these days one of the server's Ethernet
> cards burned out and was consequently replaced with a card of the same
> model.

For instance, your modules are loading in a different order, and what used to be
eth0 has become eth1 ..



Re: lug-bg: iptables masquerade problem

2005-07-27 Thread Danail Petrov

Delian Krustev wrote:

> On Wednesday 27 July 2005 15:08, Danail Petrov wrote:
>> This worked for nearly a year, but these days one of the server's Ethernet
>> cards burned out and was consequently replaced with a card of the same
>> model.
>
> For instance, your modules are loading in a different order, and what used to be
> eth0 has become eth1 ..

For instance, there's no point in writing superfluous things? :)

--
Danail Petrov
System Administrator
Internet Group
Stara Zagora
Bulgaria
AS21415
Phone : +359 42 601101 & 601112
Mobile: +359 888 289232
ICQ UIN: 989677





Re: lug-bg: iptables masquerade problem

2005-07-27 Thread Delian Krustev
On Wednesday 27 July 2005 16:30, Danail Petrov wrote:
> For instance, there's no point in writing superfluous things? :)

For instance, they are not superfluous at all. And, again for instance, look at
where the input interface is valid:

-i, --in-interface [!] name
   Name of an interface via which a packet is going to be received (only
   for packets entering the INPUT, FORWARD and PREROUTING chains). When
   the "!" argument is used before the interface name, the sense is
   inverted. If the interface name ends in a "+", then any interface
   which begins with this name will match. If this option is omitted,
   any interface name will match.



Re: lug-bg: iptables masquerade problem

2005-07-27 Thread Georgi Alexandrov

Danail Petrov wrote:

> Hello,
> a little while ago I ran into a very strange problem. Briefly, the setup:
>
> Linux (Debian sid), acting as a router that connects via pppoe and
> masquerades the internal network to the outside.
> The problem is that at some point iptables simply stopped masquerading. With
> tcpdump I can see that Linux does not masquerade the internal addresses, it
> just forwards them. I never managed to figure out why. The kernel was
> 2.4.26-x, now I've replaced it with 2.6.8 and the effect is the same. Here's
> some output:
>
> tcpdump:
> 13:53:11.974931 IP (tos 0x0, ttl 128, id 6533, offset 0, flags [none], length: 60) 192.168.0.147 > 212.5.145.17: icmp 40: echo request seq 2051
> 13:53:17.474713 IP (tos 0x0, ttl 128, id 6534, offset 0, flags [none], length: 60) 192.168.0.147 > 212.5.145.17: icmp 40: echo request seq 2307
>
> iptables:
> Chain POSTROUTING (policy ACCEPT 6 packets, 378 bytes)
>  pkts bytes target prot opt in   out source           destination
>     0     0 SNAT   all  --  eth1 *   192.168.0.0/24   ! 192.168.0.0/24 to:84.xx.xx.xx

For instance, "-d ! 192.168.0.0/24" is pointless in this case.

> sysctl:
> net.ipv4.conf.ppp0.mc_forwarding = 0
> net.ipv4.conf.ppp0.forwarding = 1
> net.ipv4.conf.eth1.mc_forwarding = 0
> net.ipv4.conf.eth1.forwarding = 1
> net.ipv4.conf.eth0.mc_forwarding = 0
> net.ipv4.conf.eth0.forwarding = 1
> net.ipv4.conf.lo.mc_forwarding = 0
> net.ipv4.conf.lo.forwarding = 1
> net.ipv4.conf.default.mc_forwarding = 0
> net.ipv4.conf.default.forwarding = 1
> net.ipv4.conf.all.mc_forwarding = 0
> net.ipv4.conf.all.forwarding = 1
> net.ipv4.ip_forward = 1
>
> /proc/net/ip_conntrack:
> icmp 1 24 src=192.168.0.147 dst=212.5.145.17 type=8 code=0 id=512 [UNREPLIED] src=212.5.145.17 dst=192.168.0.147 type=0 code=0 id=512 use=1
>
> Does anyone have an idea what this is about?!
> This worked for nearly a year, but these days one of the server's Ethernet
> cards burned out and was consequently replaced with a card of the same
> model. Right now, from the server, I have connectivity to the machines on
> the internal network, i.e. both LAN cards work. So why does Linux _NOT_
> masquerade the outgoing traffic and just forward it?






Re: lug-bg: iptables masquerade problem

2005-07-27 Thread Danail Petrov

Delian Krustev wrote:

> On Wednesday 27 July 2005 16:30, Danail Petrov wrote:
>> For instance, there's no point in writing superfluous things? :)
>
> For instance, they are not superfluous at all. And, again for instance, look at
> where the input interface is valid:
>
> -i, --in-interface [!] name
>    Name of an interface via which a packet is going to be received (only
>    for packets entering the INPUT, FORWARD and PREROUTING chains). When
>    the "!" argument is used before the interface name, the sense is
>    inverted. If the interface name ends in a "+", then any interface
>    which begins with this name will match. If this option is omitted,
>    any interface name will match.

OK, I don't want to start a flame war. But that's not the problem. As I said,
I have connectivity to all devices on both interfaces.

Any other suggestions?

P.S.
(that "-i eth1" was the very last thing I wrote in to try the masquerading;
normally I don't put it in)


--
Danail Petrov
System Administrator
Internet Group
Stara Zagora
Bulgaria
AS21415
Phone : +359 42 601101 & 601112
Mobile: +359 888 289232
ICQ UIN: 989677





Re: lug-bg: iptables masquerade problem

2005-07-27 Thread Danail Petrov

Georgi Alexandrov wrote:

> For instance, "-d ! 192.168.0.0/24" is pointless in this case.

For instance, it's just written that way. Do you think that's the problem? :)

P.S.
In this case it really makes no sense, but under other circumstances, if the
network is split into subnets (/30, /29), you wouldn't want to SNAT addresses
that should be reached simply by routing.

Other ideas?

--
Danail Petrov
System Administrator
Internet Group
Stara Zagora
Bulgaria
AS21415
Phone : +359 42 601101 & 601112
Mobile: +359 888 289232
ICQ UIN: 989677





RE: lug-bg: iptables masquerade problem

2005-07-27 Thread Georgi Sinapov
> iptables:
> Chain POSTROUTING (policy ACCEPT 6 packets, 378 bytes)
>  pkts bytes target prot opt in   out source           destination
>     0     0 SNAT   all  --  eth1 *   192.168.0.0/24   ! 192.168.0.0/24 to:84.xx.xx.xx

I have the following question: how did you manage to configure a POSTROUTING
rule with the -i option?

Best e-gards,
Georgi Sinapov




Re: lug-bg: iptables masquerade problem

2005-07-27 Thread Danail Petrov

Georgi Sinapov wrote:

>> iptables:
>> Chain POSTROUTING (policy ACCEPT 6 packets, 378 bytes)
>>  pkts bytes target prot opt in   out source           destination
>>     0     0 SNAT   all  --  eth1 *   192.168.0.0/24   ! 192.168.0.0/24 to:84.xx.xx.xx
>
> I have the following question: how did you manage to configure a POSTROUTING
> rule with the -i option?
>
> Best e-gards,
> Georgi Sinapov

Very good question; kill me, I can't tell you how that happened?!?!

Chain POSTROUTING (policy ACCEPT 74 packets, 4519 bytes)
 pkts bytes target prot opt in  out source           destination
    0     0 SNAT   all  --  *   *   192.168.0.0/24   0.0.0.0 to:84.xx.xx.xx

this is the rule at the moment
and still nothing ...

--
Danail Petrov
System Administrator
Internet Group
Stara Zagora
Bulgaria
AS21415
Phone : +359 42 601101 & 601112
Mobile: +359 888 289232
ICQ UIN: 989677





RE: lug-bg: iptables masquerade problem

2005-07-28 Thread Georgi Sinapov
> Chain POSTROUTING (policy ACCEPT 74 packets, 4519 bytes)
>  pkts bytes target prot opt in  out source           destination
>     0     0 SNAT   all  --  *   *   192.168.0.0/24   0.0.0.0 to:84.xx.xx.xx
>
> this is the rule at the moment
> and still nothing ...
>
Could you add a similar FORWARD rule, so we can see whether there are hits on
it?

Best e-gards,
Georgi Sinapov




Re: lug-bg: iptables masquerade problem

2005-07-28 Thread Danail Petrov

Georgi Sinapov wrote:

>> Chain POSTROUTING (policy ACCEPT 74 packets, 4519 bytes)
>>  pkts bytes target prot opt in  out source           destination
>>     0     0 SNAT   all  --  *   *   192.168.0.0/24   0.0.0.0 to:84.xx.xx.xx
>>
>> this is the rule at the moment
>> and still nothing ...
>
> Could you add a similar FORWARD rule, so we can see whether there are hits on
> it?
>
> Best e-gards,
> Georgi Sinapov

Yep,
on forward it counts

Chain FORWARD (policy ACCEPT 2349 packets, 144K bytes)
 pkts bytes target prot opt in  out source           destination
   15   870 ACCEPT all  --  *   *   192.168.0.0/24   0.0.0.0/0



--
Danail Petrov
System Administrator
Internet Group
Stara Zagora
Bulgaria
AS21415
Phone : +359 42 601101 & 601112
Mobile: +359 888 289232
ICQ UIN: 989677





RE: lug-bg: iptables masquerade problem

2005-07-29 Thread Georgi Sinapov

> Chain FORWARD (policy ACCEPT 2349 packets, 144K bytes)
>  pkts bytes target prot opt in  out source           destination
>    15   870 ACCEPT all  --  *   *   192.168.0.0/24   0.0.0.0/0
>
What does lsmod say?

Best e-gards,
Georgi Sinapov





Re: lug-bg: iptables masquerade problem

2005-07-29 Thread Danail Petrov

Georgi Sinapov wrote:

>> Chain FORWARD (policy ACCEPT 2349 packets, 144K bytes)
>>  pkts bytes target prot opt in  out source           destination
>>    15   870 ACCEPT all  --  *   *   192.168.0.0/24   0.0.0.0/0
>
> What does lsmod say?
>
> Best e-gards,
> Georgi Sinapov

Everything is fine there. But apparently the problem is either in the kernel
or in iptables (even though I updated both).

For now I'm using ipchains as a workaround :)

Apparently this will remain a mysterious and unsolved problem.

Thanks to everyone all the same.

--
Danail Petrov
System Administrator
Internet Group
Stara Zagora
Bulgaria
AS21415
Phone : +359 42 601101 & 601112
Mobile: +359 888 289232
ICQ UIN: 989677





Re: lug-bg: iptables masquerade problem

2005-07-31 Thread Dragomir Zhelev

Hi,
and despite everything, why don't you try without -d ! 192.168.0.0/24

that is, have only this in nat:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

I had the same (yes, exactly the same) problem.
Just try it! :)

-- 

=+==+==+==+==+==+==+==+==+==+==+==+=
Dragomir Zhelev

Network Administrator & IT Support
Varna,Bulgaria
[EMAIL PROTECTED]
=+==+==+==+==+==+==+==+==+==+==+==+=


Re: lug-bg: iptables masquerade problem

2005-07-31 Thread Danail Petrov

Dragomir Zhelev wrote:

> Hi,
> and despite everything, why don't you try without -d ! 192.168.0.0/24
>
> that is, have only this in nat:
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
>
> I had the same (yes, exactly the same) problem.
> Just try it! :)

well yes, I tried that too, but no ... it didn't work :)

--
Danail Petrov
System Administrator
Internet Group
Stara Zagora
Bulgaria
AS21415
Phone : +359 42 601101 & 601112
Mobile: +359 888 289232
ICQ UIN: 989677
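An added example, not from any message in this thread: a shell snippet that decides from the conntrack table whether a flow was NATed at all, which is the quickest check when `tcpdump` shows private source addresses leaving the box. Every conntrack entry carries two tuples, the original direction and the expected reply. With SNAT/MASQUERADE the reply tuple's dst is the public address; without NAT it is simply the original reversed, which is exactly what the `[UNREPLIED]` entry quoted earlier in the thread shows (reply dst=192.168.0.147 rather than the 84.x.x.x address), so the rule was never applied to that packet. The sample lines are constructed in the layout of the 2.4/2.6 `/proc/net/ip_conntrack` (the same tuple format `conntrack -L` prints); 84.1.2.3 is an assumed public address.

```shell
#!/bin/sh
# Added example, not from the thread: classify conntrack entries as NAT / NO-NAT.
# Constructed sample in the /proc/net/ip_conntrack layout (protocol is field 1;
# in the newer /proc/net/nf_conntrack it is field 3, "ipv4 2 icmp 1 ...").
# Line 1 mirrors the entry quoted in the thread, lines 2-3 show NATed flows.
SAMPLE='icmp     1 24 src=192.168.0.147 dst=212.5.145.17 type=8 code=0 id=512 [UNREPLIED] src=212.5.145.17 dst=192.168.0.147 type=0 code=0 id=512 use=1
icmp     1 29 src=192.168.0.147 dst=212.5.145.17 type=8 code=0 id=513 src=212.5.145.17 dst=84.1.2.3 type=0 code=0 id=513 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.22 dst=212.5.145.17 sport=40000 dport=80 src=212.5.145.17 dst=84.1.2.3 sport=80 dport=40000 [ASSURED] use=1'

# One line per entry: "<proto> <orig src>-><orig dst> NAT|NO-NAT".
# The first src=/dst= pair is the original tuple, the second the reply tuple;
# NAT was applied iff the reply tuple is not just the original reversed.
nat_status() {
    awk '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) } else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        status = (src[2] == dst[1] && dst[2] == src[1]) ? "NO-NAT" : "NAT"
        printf "%s %s->%s %s\n", $1, src[1], dst[1], status
    }'
}

# Flows that left unmasqueraded: private (RFC 1918) source, non-private
# destination, and no NAT. On a working masquerading box this prints nothing.
leaks() {
    nat_status | awk '
        $3 == "NO-NAT" &&
        $2 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ &&
        $2 !~ /->(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/'
}

demo() { printf '%s\n' "$SAMPLE" | nat_status; }
demo
printf '%s\n' "$SAMPLE" | leaks
```

On a live box: `cat /proc/net/ip_conntrack | leaks` (or `conntrack -L 2>/dev/null | leaks`). A non-empty result together with zero hits on the POSTROUTING rule, as in this thread, tells you the packets are bypassing the nat table rather than being mistranslated; the usual causes are the rule's match not fitting the packets (interface, source, an inverted -d) or a nat module that is not actually loaded for the kernel being booted.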





Re: lug-bg: iptables and ADSL

2003-12-04 Thread Peter Georgiev
On Thu, 4 Dec 2003 10:18:54 -
"Vasko Tomanov" <[EMAIL PROTECTED]> wrote:

> I have a server with an ADSL connection.. but the address I get from the
> ADSL changes every time the connection is restarted for whatever
> reason..
>
> in the definition of the IPTABLES rules I want to specify not a hard-coded
> IP with a mask but, for example, the IP of ppp0?
>
> how can I do this so that I don't have to fix iptables after every
> restart
>

Define the IP as a variable in the firewall script and set the variable's
value, for example like this:

IFCONFIG="/usr/sbin/ifconfig"
EXTIF="ppp0"
GREP="/bin/grep"
AWK="/bin/awk"
SED="/bin/sed"

# "inet addr:1.2.3.4" -> "1.2.3.4" (old-style ifconfig output)
IP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"

HTH Pesho




Re: lug-bg: iptables and ADSL

2003-12-04 Thread Hristo Erinin
Hello,

On Thu, 4 Dec 2003 10:18:54 -
"Vasko Tomanov" <[EMAIL PROTECTED]> wrote:

> in the definition of the IPTABLES rules I want to specify not a hard-coded
> IP with a mask but, for example, the IP of ppp0?
>
> how can I do this so that I don't have to fix iptables after every
> restart

RTFM.
iptables(8)
MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. 
It should only be used with dynamically assigned IP (dialup) 
connections:  if you have a static IP address, you should use the SNAT
target.  Masquerading is equivalent to specifying a mapping to the IP
address of the interface the packet is going out, but also has the
effect that connections are forgotten when the  interface  goes  down.
This  is  the correct behavior when the next dialup is unlikely to have
the same interface address (and hence any established connections are
lost anyway).

-- 
Best Regards,
Hristo Erinin
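An added example, not part of Pesho's or Hristo's replies: a POSIX shell snippet that pulls the external interface's IPv4 address from either the old `ifconfig` output the script above parses or from `ip -4 -o addr show`, and then does what the man page excerpt recommends: MASQUERADE on a ppp interface, where the address is not needed in the rule at all, and SNAT to the parsed address only when the link is static. The two command outputs and the address 84.1.2.3 are constructed; nothing is executed against the real system.

```shell
#!/bin/sh
# Added example, not from the thread: read the external interface's current
# IPv4 address from either ifconfig or `ip -4 -o addr` output, and emit a
# POSTROUTING rule that does not bake the address in on a dial-up link.
# Both outputs below are constructed; 84.1.2.3 is an assumed address.
EXTIF="${EXTIF:-ppp0}"
IFCONFIG_OUT='ppp0      Link encap:Point-to-Point Protocol
          inet addr:84.1.2.3  P-t-P:84.1.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'
IP_OUT='5: ppp0    inet 84.1.2.3 peer 84.1.2.1/32 scope global ppp0\       valid_lft forever preferred_lft forever'

# First IPv4 address in either format, read from stdin.
ext_ip() {
    awk '
        /inet addr:/  { sub(/.*inet addr:/, ""); sub(/ .*/, ""); print; exit }  # ifconfig
        $3 == "inet"  { sub(/\/.*/, "", $4); print $4; exit }                   # ip -o
    '
}

# MASQUERADE on ppp*/dynamic links (the kernel uses whatever address the
# interface has right now and forgets the connections when it goes down);
# SNAT only when the address is really static.
nat_rule() {
    iface="$1"; addr="$2"
    case "$iface" in
        ppp*) echo "iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE" ;;
        *)    echo "iptables -t nat -A POSTROUTING -o $iface -j SNAT --to-source $addr" ;;
    esac
}

demo() {
    a=$(printf '%s\n' "$IFCONFIG_OUT" | ext_ip)
    b=$(printf '%s\n' "$IP_OUT" | ext_ip)
    echo "ifconfig: $a  ip: $b"
    nat_rule "$EXTIF" "$a"        # -> MASQUERADE, no address needed
    nat_rule eth0 "$a"            # -> SNAT to the parsed address
}
demo
```

For filter rules that must refer to the external side, prefer `-i ppp0` / `-o ppp0` (or `ppp+`) over the address for the same reason: the interface name survives a reconnect, the address does not. Where the address really is required, run `ip -4 -o addr show dev "$EXTIF" | ext_ip` from the pppd ip-up hook so the rules are rebuilt on every new lease rather than at boot only.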





Re: lug-bg: IPtables question - urgent

2002-05-10 Thread Radoslav Kolev

Todor Belev wrote:

> Hello,
> I have the following question.
> On the external card I want to bring up 4 real IPs, and have the traffic
> arriving for them redirected to 4 internal - private - IPs.
> Could someone suggest the most suitable way to do this.
> Besides that, I SNAT the internal IPs with iptables to a single external
> IP in the following way.
> If I also do SNAT from the real to the private IP addresses, will that
> achieve it, or is there a more flexible way.
> Also, back in the day there was a trick with the -b option in ipchains;
> how can I achieve a bidirectional rule with iptables,
> i.e. have a one-to-one MAPping in both directions.
>
> thanks in advance
> todorin
>
Hi!
To redirect the traffic coming from outside to the internal IPs you need to
do DNAT, and from inside to outside SNAT.
Rado
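An added example, not from Rado's reply or Todor's setup: a dry-run script that builds the one-to-one mapping Todor asks for from a list of public/private pairs, DNAT in PREROUTING for the inbound direction and SNAT in POSTROUTING for the outbound one, which is what the ipchains "-b" rule amounted to. All addresses, the interface name and the shared address are hypothetical; IPT defaults to `echo iptables`, so it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread: one-to-one NAT for a list of
# public/private pairs, DNAT inbound and SNAT outbound. Dry run by default.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
SHARED_IP="${SHARED_IP:-198.51.100.1}"     # the one address the rest of the LAN uses
# constructed "public private" pairs
PAIRS='198.51.100.11 192.168.10.11
198.51.100.12 192.168.10.12
198.51.100.13 192.168.10.13
198.51.100.14 192.168.10.14'

one_to_one() {
    printf '%s\n' "$PAIRS" | while read -r pub priv; do
        [ -n "$priv" ] || continue
        # inbound: anything addressed to the public IP goes to the private host
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
        # outbound: the host leaves as its own public IP. Must precede the shared
        # SNAT below: the first matching nat rule wins for a connection.
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
        # nat only rewrites; the filter table still has to let the packets through
        $IPT -A FORWARD -i "$WAN_IF" -d "$priv" -m state --state NEW -j ACCEPT
    done
    # everything else in the LAN shares one address, as before
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$SHARED_IP"
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
one_to_one
```

The FORWARD rule as written exposes every port of the mapped host, which is what a one-to-one mapping normally means; add `-p tcp --dport ...` to it if only some services should be reachable. When the public and private addresses form aligned blocks, the NETMAP target (`-j NETMAP --to 192.168.10.0/30` in PREROUTING and the reverse in POSTROUTING) does the same mapping with two rules instead of a pair per host.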







Re: lug-bg: iptables and PREROUTING

2002-05-26 Thread George Danchev

On Sunday 26 May 2002 17:02, you wrote:
> Hello everyone.
>
> Recently I happened to configure a server for a friend, and was surprised
> to find out that his ISP has filtered port 21 and probably port 20 as well.
>
> So all the machines behind that server can't reach ftp.
>
> I thought a bit and decided to pass all ftp packets through another server
> on which I've started an ftp proxy on port 3128.
>
> Here's how I did it:
>
> iptables -A PREROUTING -t nat -p tcp -s local.net.addre.ss -d 0.0.0.0/0
> --dport 21 -j DNAT --to ftp.proxy.addre.ss:3128
>
>
> According to my expectations this should have worked, but the result is
> the following.
>
> C:\WINDOWS>ftp ftp.cdrom.com
> Connected to wcarchive.cdrom.com.
>
> And it dies there, after which it gives a timeout

it's trying to do an active ftp session; try passive, then the ftp client
initiates the connection, rather than, as with active, the server uploading to
the client, which in this case it can't reach because it's NATed.

> The interesting thing is that if I set this ftp proxy in the browser,
> everything works.

because the browser does a passive ftp session by default ;-)

> Am I missing something?

support for FTP connection tracking in the kernel of the NAT box.
[ftp conn track helper - built-in or module]
i.e. CONFIG_IP_NF_FTP

on NATed machines this (helpers) is required for FTP, DCC in IRC and some
other more special protocols at that high level. RealAudio?

-- 
Greets,
fr33zb1





Re: lug-bg: iptables and PREROUTING

2002-05-26 Thread zimage

On Sun, May 26, 2002 at 05:02:05PM +0300, Marian Popov wrote:
> 
> 
> Hello everyone.
> 
> Recently I happened to configure a server for a friend, and was surprised
> to find out that his ISP has filtered port 21 and probably port 20 as well.
> 
> So all the machines behind that server can't reach ftp.
> 
> I thought a bit and decided to pass all ftp packets through another server
> on which I've started an ftp proxy on port 3128.
> 
> Here's how I did it:
> 
> iptables -A PREROUTING -t nat -p tcp -s local.net.addre.ss -d 0.0.0.0/0 --dport 21 -j DNAT --to ftp.proxy.addre.ss:3128
> 
> 
> According to my expectations this should have worked, but the result is
> the following.
> 
> C:\WINDOWS>ftp ftp.cdrom.com
> Connected to wcarchive.cdrom.com.
> 
> And it dies there, after which it gives a timeout
> 
> The interesting thing is that if I set this ftp proxy in the browser,
> everything works.
> 
> Am I missing something?

Aha - when you tell the browser to use some proxy, it (the browser) already
knows it's dealing with a proxy and formats its requests in a special way. I
personally don't know of a way to run an FTP transparent proxy... not that it's
impossible to achieve (theoretically), but I don't know of anyone who has done
it.

-- 
Theodor Milkov   Administrator IP Networks
Davidov Electric Ltd.Phone: +359 (2) 730158
PGP: http://www.zimage.delbg.com/zimage.asc





Re: lug-bg: iptables and PREROUTING

2002-05-26 Thread Andrei Boyanov

Hi,


In reply to Marian Popov <[EMAIL PROTECTED]>:

> 
> 
> Hello everyone.
> 
> Recently I happened to configure a server for a friend, and was surprised
> to find out that his ISP has filtered port 21 and probably port 20 as
> well.
> 
> So all the machines behind that server can't reach ftp.
> 
> I thought a bit and decided to pass all ftp packets through another
> server on which I've started an ftp proxy on port 3128.
> 
> Here's how I did it:
> 
> iptables -A PREROUTING -t nat -p tcp -s local.net.addre.ss -d 0.0.0.0/0
> --dport 21 -j DNAT --to ftp.proxy.addre.ss:3128
> 
> 
> According to my expectations this should have worked, but the result is
> the following.
> 
> C:\WINDOWS>ftp ftp.cdrom.com
> Connected to wcarchive.cdrom.com.
> 
> And it dies there, after which it gives a timeout
> 
> The interesting thing is that if I set this ftp proxy in the browser,
> everything works.
> 
> Am I missing something?
> 



If your proxy is squid, it doesn't support transparent ftp proxying. It can
work as an ftp proxy over http, whatever that means. Web browsers open ftp
servers through a proxy using exactly that protocol.

For a transparent ftp proxy see http://frox.sourceforge.net/. I haven't tried
it though ...

One more thing: if the proxy is on a different machine from the one doing NAT,
you also need to add something like:


iptables -A POSTROUTING -t nat -p tcp -s local.net.addre.ss -d ftp.proxy.addre.ss -j SNAT --to router.addre.ss

so that the proxy machine knows to return the replies to the router rather
than directly to the client machine.



Andrei Boyanov
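An added example, not from any message in this thread: the complete rule set for transparently sending the LAN's FTP control connections to a proxy that lives on another machine, combining the conntrack helper George Danchev mentions with the return-path SNAT Andrei describes. Addresses, interface names and the proxy port are assumed; IPT and MODPROBE default to echo, so the script only prints what it would run. Module names are the nf_* ones of current kernels (ip_conntrack_ftp / ip_nat_ftp on 2.4); the raw-table CT rule is required on kernels from 4.7 on, where helpers are no longer attached to connections automatically.

```shell
#!/bin/sh
# Added example (not from the thread): transparent FTP redirect to an off-box
# proxy. Everything is a dry run unless IPT=iptables MODPROBE=modprobe.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"   # this box's address on the path to the proxy
PROXY_IP="${PROXY_IP:-10.9.8.7}"
PROXY_PORT="${PROXY_PORT:-3128}"

ftp_redirect() {
    # 1. FTP helper: parses PORT/PASV so the data connection is RELATED and gets NATed
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp
    # 2. kernels >= 4.7: bind the helper explicitly. Done in the raw table,
    #    i.e. before NAT, so --dport 21 still sees the original port.
    $IPT -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp
    # 3. redirect the control connection to the proxy
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 21 \
        -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    # 4. the proxy would answer the client directly, bypassing this box, so hide
    #    the client behind the router's address; replies then come back here
    #    and conntrack reverses the DNAT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" \
        -j SNAT --to-source "$ROUTER_IP"
    # 5. filter table: allow the redirected flow and whatever the helper marks RELATED
    $IPT -A FORWARD -s "$LAN_NET" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
ftp_redirect
```

If the proxy is reached over a dial-up interface with a changing address, replace the SNAT target in step 4 with `-j MASQUERADE`. Step 2 can be skipped on kernels older than 4.7, where loading the module was enough; on newer ones, without it the helper never sees the control channel and only the passive-mode workaround from the thread still works.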







Re: lug-bg: iptables and PREROUTING

2002-05-26 Thread Marian Popov


> If your proxy is squid, it doesn't support transparent ftp proxying. It can
> work as an ftp proxy over http, whatever that means. Web browsers open ftp
> servers through a proxy using exactly that protocol.
>
> For a transparent ftp proxy see http://frox.sourceforge.net/. I haven't
> tried it though ...
>
> One more thing: if the proxy is on a different machine from the one doing
> NAT, you also need to add something like:
>
>
> iptables -A POSTROUTING -t nat -p tcp -s local.net.addre.ss -d
> ftp.proxy.addre.ss -j SNAT --to router.addre.ss
>
> so that the proxy machine knows to return the replies to the router rather
> than directly to the client machine.
>

And what if I don't have access to the machine with the proxy? Is there any
way to do this at all, or not?

>
>
> Andrei Boyanov
>





Re: lug-bg: iptables and PREROUTING

2002-05-27 Thread Andrei Boyanov

On Sun, May 26, 2002 at 10:31:08PM +0300, Marian Popov wrote:
> 
> > If your proxy is squid, it doesn't support transparent ftp proxying. It
> > can work as an ftp proxy over http, whatever that means. Web browsers
> > open ftp servers through a proxy using exactly that protocol.
> >
> > For a transparent ftp proxy see http://frox.sourceforge.net/. I haven't
> > tried it though ...
> >
> > One more thing: if the proxy is on a different machine from the one
> > doing NAT, you also need to add something like:
> >
> >
> > iptables -A POSTROUTING -t nat -p tcp -s local.net.addre.ss -d
> > ftp.proxy.addre.ss -j SNAT --to router.addre.ss
> >
> > so that the proxy machine knows to return the replies to the router
> > rather than directly to the client machine.
> >
> 
> And what if I don't have access to the machine with the proxy? Is there
> any way to do this at all, or not?
> 


If you have no control over the external machine, you can probably only solve
the problem at the ftp client level, i.e. use an ftp client that can use an
http proxy. Under Linux, for example, lftp supports that.

The other way is to find an ftp proxy which in turn can use an http proxy via
ftp over http. I don't know whether one exists ...


Andrei





Re: lug-bg: iptables and PREROUTING

2002-05-29 Thread Hristo Genkov

On 26 05 2002 18:39, [EMAIL PROTECTED] wrote:
> On Sun, May 26, 2002 at 05:02:05PM +0300, Marian Popov wrote:
> > Hello everyone.
> >
> > Recently I happened to configure a server for a friend, and was
> > surprised to find out that his ISP has filtered port 21 and probably
> > port 20 as well.
> >
> > So all the machines behind that server can't reach ftp.
> >
> > I thought a bit and decided to pass all ftp packets through another
> > server on which I've started an ftp proxy on port 3128.
> >
> > Here's how I did it:
> >
> > iptables -A PREROUTING -t nat -p tcp -s local.net.addre.ss -d 0.0.0.0/0
> > --dport 21 -j DNAT --to ftp.proxy.addre.ss:3128
> >
> >
> > According to my expectations this should have worked, but the result is
> > the following.
> >
> > C:\WINDOWS>ftp ftp.cdrom.com
> > Connected to wcarchive.cdrom.com.
> >
> > And it dies there, after which it gives a timeout
> >
> > The interesting thing is that if I set this ftp proxy in the browser,
> > everything works.
> >
> > Am I missing something?
>
> Aha - when you tell the browser to use some proxy, it (the browser) already
> knows it's dealing with a proxy and formats its requests in a special way.
> I personally don't know of a way to run an FTP transparent proxy... not
> that it's impossible to achieve (theoretically), but I don't know of anyone
> who has done it.

frox - works great for me. With some exceptions, like audiogalaxy for example.
It supports a parent and whatever else you need.





Re: lug-bg: iptables and PREROUTING

2002-05-29 Thread Teodor Georgiev


- Original Message -
From: "Hristo Genkov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 29, 2002 1:49 PM
Subject: Re: lug-bg: iptables and PREROUTING


> On 26 05 2002 18:39, [EMAIL PROTECTED] wrote:
> > On Sun, May 26, 2002 at 05:02:05PM +0300, Marian Popov wrote:
> > > Hello everyone.
> > >
> > > Recently I happened to configure a server for a friend, and was
> > > surprised to find out that his ISP has filtered port 21 and probably
> > > port 20 as well.
> > >
> > > So all the machines behind that server can't reach ftp.
> > >
> > > I thought a bit and decided to pass all ftp packets through another
> > > server on which I've started an ftp proxy on port 3128.
> > >
> > > Here's how I did it:
> > >
> > > iptables -A PREROUTING -t nat -p tcp -s local.net.addre.ss -d 0.0.0.0/0
> > > --dport 21 -j DNAT --to ftp.proxy.addre.ss:3128
> > >
> > >
> > > According to my expectations this should have worked, but the result
> > > is the following.
> > >
> > > C:\WINDOWS>ftp ftp.cdrom.com
> > > Connected to wcarchive.cdrom.com.
> > >
> > > And it dies there, after which it gives a timeout
> > >
> > > The interesting thing is that if I set this ftp proxy in the browser,
> > > everything works.
> > >
> > > Am I missing something?
> >
> > Aha - when you tell the browser to use some proxy, it (the browser)
> > already knows it's dealing with a proxy and formats its requests in a
> > special way. I personally don't know of a way to run an FTP transparent
> > proxy... not that it's impossible to achieve (theoretically), but I
> > don't know of anyone who has done it.
>
> frox - works great for me. With some exceptions, like audiogalaxy for
> example. It supports a parent and whatever else you need.

and have you tested it on a 2.4.x kernel? :)








Re: lug-bg: IPTABLES i ethernet

2002-06-22 Thread Atanas Vlasakiev


Hi,
Well, why don't you list the MAC addresses of the corresponding IPs, for
example in /etc/ethers, and when you run arp -f it reads them from there and
sets them as permanent.
for example
192.168.1.1 00:50:BF:42:78:73
I think you'll manage from here :)
-=Atanas Vlasakiev=-
ICQ # 25942226

quoting Atanas Mavrov <[EMAIL PROTECTED]>:

> Hello
> I think this question has been asked, but I couldn't find it. So I'm
> asking you to help.
> So we have the following situation: slack 8.0, kernel 2.4.5 - this is a
> machine intended as a server. We have a network in which some machines
> must have access to the internet and others must not. So I have to
> restrict the machines by IP and by MAC address /not that it's very
> secure, but nothing better comes to mind/.
> If we assume we have a machine that must have internet, with IP x.x.x.x
> and MAC address y.y.y.y.y.y, I decided to do the following
> iptables -t nat -A POSTROUTING -s x.x.x.x -m mac --mac-source y.y.y.y.y.y -j MASQUERADE
> but as it turned out, mac and POSTROUTING cannot be used together.
> I decided to do the following, although I don't know how correct it is in
> my case /I experimented with the loopback address/:
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -j DROP
> and so I tried telnet 127.0.0.1 - it works. Then I decided to clear the
> rules and try the following
> iptables -A INPUT -s 127.0.0.1 -m mac --mac-source y.y.y.y.y.y -j ACCEPT
> iptables -A INPUT -j DROP
> but the result was that I had no connection to 127.0.0.1.
> I decided to try it another way too
> iptables -A INPUT -m mac mac-source -j ACCEPT
> iptables -A INPUT -j DROP
> again there was no expected result.
>
> So if anyone is willing to help, please tell me where I'm going wrong and
> how this restriction can be done
> Thanks
>





Re: lug-bg: IPTABLES i ethernet

2002-06-22 Thread Marian Popov

Az syshto polzvam takova ogranichenie i eto kak sym go napravil:
Imam si edin script v koito si opisvam ip adresite ot localnata mreja koito
shte
imat internet chrez MASQ. Davam ti primer s MASQ zashtoto vijdam che ti
takova
iskash da polzvash.

Eto go i scripta.

#!/bin/bash

ipt="/usr/sbin/iptables"


echo -en "Loading iptable_filter, \n"
/sbin/modprobe iptable_filter
echo -en "Loading ipt_REDIRECT, \n"
/sbin/modprobe ipt_REDIRECT
echo -en "Loading iptable_nat, \n"
/sbin/modprobe iptable_nat
echo -en "Loading ip_conntrack, \n"
/sbin/modprobe ip_conntrack
echo -en "Loading ip_conntrack_ftp, \n"
/sbin/modprobe ip_conntrack_ftp
echo -en "Loading ip_conntrack_irc, \n"
/sbin/modprobe ip_conntrack_irc
echo -en "Loading ip_nat_ftp, \n"
/sbin/modprobe ip_nat_ftp
echo -en "Loading iptable_mangle, \n"
/sbin/modprobe iptable_mangle
echo -en "Loading ip_tables, \n"
/sbin/modprobe ip_tables
echo -en "Loading ipt_state, \n"
/sbin/modprobe ipt_state
echo -en "Loading ipt_limit, \n"
/sbin/modprobe ipt_limit
echo -en "Loading ipt_LOG, \n"
/sbin/modprobe ipt_LOG
echo -en "Loading ipt_REJECT. \n"
/sbin/modprobe ipt_REJECT
echo -en "Finifhed loading modules. \n"

# Flush and Delete
$ipt -F; $ipt -X
$ipt -t nat -F; $ipt -t nat -X


# SNAT fake nets
fake_nets="10.0.0.10 10.0.0.20 10.0.0.30 10.0.0.31 10.0.0.55 10.0.0.100
   10.0.0.101 10.0.0.120 10.0.0.121 10.0.0.122 10.0.0.123 10.0.0.124
   10.0.0.125"
for fake_net in $fake_nets; do
 $ipt -t nat -A POSTROUTING -s $fake_net -j SNAT --to-source 212.116.159.97
done;

.
.
.

I taka nadolu prodyljava s razni drugi neshta no na teb shte ti triabva samo
tova.
Moje i da ne zarejdash vsichkite tia moduli tova e po tvoe jelanie.
Az gi zarejdam zashtoto gi izpolzvam.

Eto kakvo stava fakticheski:
Ako imash razdadeni 250 adresa ot mrejata 10.0.0.0/24 to samo tezi koito
opishesh
v gornite redove shte imat internet.
Do tuk s maskiraneto.

Sega da vidim fix-vaneto po MAC address

Znachi pravish si edin file niakyde naprimer s /etc/rc.d/rc.fixmac da
rechem,
v koito si opisvash MAC adresite na vsichki razdadeni ip adresi. Naprimer:

#!/bin/bash

arp="/sbin/arp -s"

$arp 10.0.0.10 00:60:1D:20:FB:58
$arp 10.0.0.20 00:02:2D:19:0D:06
.
.
.
# I stigame do tia deto ne iskame da imat net
$arp 10.0.0.3 44:44:44:44:44:44
$arp 10.0.0.200 44:44:44:44:44:44


Make the file executable and run it.

Then type arp -n in a console somewhere and you will see all the MAC addresses
you listed with flags CM,
while the ones you haven't listed have only flag C.


I hope I helped; if anything is unclear, write.


mano



- Original Message -
From: "Atanas Mavrov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 22, 2002 10:31 PM
Subject: lug-bg: IPTABLES i ethernet


> Hello
> I think this question has been asked before, but I could not find it. So I ask
> you to help.
> So we have the following situation: Slackware 8.0, kernel 2.4.5 - this is a machine
> designated as a server. We have a network in which some machines must have
> internet access and others must not. So I need to restrict the machines by IP
> and by MAC address /not that it is very secure, but nothing better comes to mind/.
> Assuming we have a machine that must have internet with IP x.x.x.x and MAC
> address y.y.y.y.y.y, I decided to do the following
> iptables -t nat -A POSTROUTING -s x.x.x.x -m mac --mac-source y.y.y.y.y.y -j
> MASQUERADE
> but as it turned out, mac and POSTROUTING cannot be used together.
> I decided to do the following, although I don't know how correct it is in my
> case /I experimented with the loopback address/:
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -j DROP
> and then I tried telnet 127.0.0.1 - it works. After that I decided to clear
> the rules and try the following
> iptables -A INPUT -s 127.0.0.1 -m mac --mac-source y.y.y.y.y.y -j ACCEPT
> iptables -A INPUT -j DROP
> but the result was that I had no connection to 127.0.0.1.
> I decided to try another way as well
> iptables -A INPUT -m mac mac-source -j ACCEPT
> iptables -A INPUT -j DROP
> again there was not the expected result.
>
> So if anyone is willing to help, please tell me where I am going wrong and how
> this restriction can be done
> Thanks
>


A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
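The pieces this thread circles around (per-host SNAT, static ARP pinning, and the MAC check that only works in FORWARD, not POSTROUTING) combined into one allowlist-driven script, as an added example that is not the script posted to the list. It assumes eth0 is the external interface; the public address and the two host entries are taken from the post, the rest is constructed.

```shell
#!/bin/sh
# Added example, not the list post's script. Builds the three things the
# thread combines (per-host SNAT, static ARP entries, MAC check) from one
# allowlist, so an address that is not listed is neither forwarded nor NATed.
# Assumptions: eth0 is the external interface; the public address and the
# two host entries come from the post, everything else is constructed.

EXT_IP="212.116.159.97"   # public address from the post
EXT_IF="eth0"             # assumed external interface
IPT="/usr/sbin/iptables"
ARP="/sbin/arp"

# Constructed allowlist, one "ip mac" pair per line.
ALLOWED_HOSTS="10.0.0.10 00:60:1D:20:FB:58
10.0.0.20 00:02:2D:19:0D:06"

# Executes a command, or prints it when IPT_DRY_RUN=1 (for review/testing).
run() {
  if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Rules for one allowed host. The MAC match has to live in FORWARD: by the
# time a packet reaches POSTROUTING the source MAC is no longer available,
# which is why the "-m mac" + MASQUERADE attempt in the question failed.
host_rules() {
  ip="$1"
  mac="$2"
  run "$IPT" -A FORWARD -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
  run "$IPT" -t nat -A POSTROUTING -s "$ip" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
  # Pin the IP to the MAC in the ARP cache (shows up with flags CM in "arp -n").
  run "$ARP" -s "$ip" "$mac"
}

# Default-deny FORWARD (korio's single DROP rule, expressed as the policy),
# allow replies, then one ACCEPT/SNAT/ARP triple per listed host.
apply_policy() {
  run "$IPT" -P FORWARD DROP
  run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  printf '%s\n' "$ALLOWED_HOSTS" | while read -r ip mac; do
    if [ -n "$ip" ] && [ -n "$mac" ]; then
      host_rules "$ip" "$mac"
    fi
  done
}

# Apply only when asked, so the file can also be sourced for its functions.
if [ "${IPT_APPLY:-0}" = "1" ]; then
  apply_policy
fi
```

Run it as `IPT_DRY_RUN=1 IPT_APPLY=1 sh rc.allowlist` to review the generated commands, then without IPT_DRY_RUN to apply them.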




Re: lug-bg: iptables MAC address

2003-01-09 Thread Атанас Мавров
I didn't quite understand the question, but if you are asking whether the rules that apply to
the INPUT and FORWARD chains affect the network address translation
/POSTROUTING and PREROUTING/, as far as I know they do.
The packets will first pass through the INPUT chain, then through FORWARD, and after that they
will be translated. I.e. if a given machine is blocked in INPUT or FORWARD, the
corresponding address will not be able to be translated.
Good luck.

On 09 01 2003 11:31, Denislav wrote:
> So, is it possible to filter the masquerading of certain addresses in some way by
> MAC address? I mean that the FORWARD and INPUT chains can be restricted by MAC
> address in iptables, and I tried it, but I am not very familiar with it, and
> that is why I am asking whether filtering one of these chains would affect the
> addresses that are being masqueraded, or whether the INPUT and FORWARD chains
> have nothing to do with the masquerading itself. Thanks in advance.





Re: lug-bg: iptables MAC address

2003-01-09 Thread Denislav
Yes, that was exactly my question, sorry for the lack of clarity. So, do the
rules that apply to INPUT and FORWARD affect the network address translation
in POSTROUTING and PREROUTING?

quoting Атанас Мавров <[EMAIL PROTECTED]>:

> I didn't quite understand the question, but if you are asking whether the rules that apply
> to
> the INPUT and FORWARD chains affect the network address translation
> /POSTROUTING and PREROUTING/, as far as I know they do.
> The packets will first pass through the INPUT chain, then through FORWARD, and after that
> they
> will be translated. I.e. if a given machine is blocked in INPUT or FORWARD,
> the
> corresponding address will not be able to be translated.
> Good luck.
> 






Re: lug-bg: iptables MAC address

2003-01-09 Thread Атанас Мавров
I am forwarding this mail from "korio" <[EMAIL PROTECTED]>, because the man did not look
at which address he was sending it to; I assume he meant to send it here :-)))

"Well, not exactly. That is how packets pass with ipchains (i.e. first through INPUT,
then through FORWARD). With iptables, if the packet is destined for another
machine, it goes directly to FORWARD without passing through INPUT. For reference:
http://www.linuxguruz.org/iptables/howto/iptables-HOWTO-5.html
Otherwise, hmf, an interesting way to restrict your internet. If you don't have a
proxy and everything is forwarded directly, in my opinion one DROP rule in the FORWARD
chain should do the job.
<[EMAIL PROTECTED]> wrote:
> I didn't quite understand the question, but if you are asking whether the rules that apply
> to INPUT and FORWARD chains affect the network address translation
> /POSTROUTING and PREROUTING/, as far as I know they do.
> The packets will first pass through the INPUT chain, then through FORWARD, and after that
> they will be translated. I.e. if a given machine is blocked in INPUT or FORWARD,
> the corresponding address will not be able to be translated.
> Good luck.
> 
> On 09 01 2003 11:31, Denislav wrote:
> > So, is it possible to filter the masquerading of certain addresses in some way by
> > MAC address? I mean that the FORWARD and INPUT chains can be restricted by MAC
> > address in iptables, and I tried it, but I am not very familiar with it, and
> > that is why I am asking whether filtering one of these chains would affect the
> > addresses that are being masqueraded, or whether the INPUT and FORWARD chains
> > have nothing to do with the masquerading itself. Thanks in advance.





Re: lug-bg: iptables SNAT --to pool ...

2004-09-17 Thread Danail Petrov
Here is some more info:
undertown:~# tcptraceroute -s 212.5.155.100 212.5.145.17
Selected device eth0, address 212.5.155.100, port 33065 for outgoing packets
Tracing the path to 212.5.145.17 on TCP port 80, 30 hops max
1  zora.inetg.bg (212.5.155.97)  0.436 ms  0.348 ms  0.321 ms
2  Suny-DS-ether2-to-Zora2.PPPoE-leased (212.116.134.13)  2.879 ms  2.347 ms  2.235 ms
3  rszl-ether-2-RadioLAN.inetg.bg (212.116.134.129)  2.626 ms  1.726 ms  1.689 ms
4  sz.inetg.bg (212.5.145.17) [open]  3.319 ms  1.704 ms  2.865 ms

undertown:~# tcptraceroute -s 212.5.155.101 212.5.145.17
Selected device eth0, address 212.5.155.101, port 33068 for outgoing packets
Tracing the path to 212.5.145.17 on TCP port 80, 30 hops max
1  zora.inetg.bg (212.5.155.97)  0.498 ms  0.344 ms  0.373 ms
2  Suny-DS-ether2-to-Zora2.PPPoE-leased (212.116.134.13)  2.509 ms  3.269 ms  1.676 ms
3  rszl-ether-2-RadioLAN.inetg.bg (212.116.134.129)  5.354 ms  2.436 ms  1.900 ms
4  sz.inetg.bg (212.5.145.17) [open]  5.223 ms  3.422 ms  3.447 ms

undertown:~# cat /proc/net/ip_conntrack |grep 212.5.155.101
udp  17 160 src=192.168.0.13 dst=212.5.145.17 sport=1027 dport=53 
src=212.5.145.17 dst=212.5.155.101 sport=53 dport=1027 [ASSURED] use=1
tcp  6 431995 ESTABLISHED src=192.168.0.103 dst=64.12.24.221 
sport=1888 dport=5190 src=64.12.24.221 dst=212.5.155.101 sport=5190 
dport=1888 [ASSURED] use=1
tcp  6 431999 ESTABLISHED src=192.168.0.136 dst=62.26.127.132 
sport=4310 dport=6667 src=62.26.127.132 dst=212.5.155.101 sport=6667 
dport=4310 [ASSURED] use=1
tcp  6 431998 ESTABLISHED src=192.168.0.110 dst=212.91.161.18 
sport=1646 dport=6667 src=212.91.161.18 dst=212.5.155.101 sport=6667 
dport=1646 [ASSURED] use=1
tcp  6 431896 ESTABLISHED src=192.168.0.103 dst=216.155.193.161 
sport=1897 dport=5050 src=216.155.193.161 dst=212.5.155.101 sport=5050 
dport=1897 [ASSURED] use=1
tcp  6 68 TIME_WAIT src=195.34.96.5 dst=212.5.155.101 sport=2320 
dport=80 src=212.5.155.101 dst=195.34.96.5 sport=80 dport=2320 [ASSURED] 
use=1
tcp  6 431985 ESTABLISHED src=192.168.0.128 dst=216.155.193.180 
sport=2101 dport=25 src=216.155.193.180 dst=212.5.155.101 sport=25 
dport=2101 use=1
tcp  6 431997 ESTABLISHED src=192.168.0.114 dst=194.12.225.69 
sport=1879 dport=6667 src=194.12.225.69 dst=212.5.155.101 sport=6667 
dport=1879 [ASSURED] use=1
(snip ...)

so ... there is traffic, there is everything ... only no web :):):)
I don't know whether the problem isn't in some iptables module,
and just now, while writing this email, I did an experiment: I removed
the rule that catches all TCP requests for ports 80,3128 and
redirects them to port 8080 (transparent proxying)

and everything started working ... but the question now is WHY
I thought it might have something to do with rp_tables, but ... that isn't it either ...
hm... very strange ... ??
What do you say?
Regards,
Данаил Петров




Re: lug-bg: iptables SNAT --to pool ...

2004-09-17 Thread Tsvetin Vasilev
Wait a minute
Is the transparent proxy on the same machine?
If yes, then the result is natural. The proxy simply goes out with the first address of
the network interface on the outside of the machine and naturally does not
pass through
the POSTROUTING chain of iptables.

good luck
Цеци






Re: lug-bg: iptables SNAT --to pool ...

2004-09-17 Thread Danail Petrov
Tsvetin Vasilev wrote:
Wait a minute
Is the transparent proxy on the same machine?
If yes, then the result is natural. The proxy simply goes out with the first
address of
the network interface on the outside of the machine and naturally does not
pass through
the POSTROUTING chain of iptables.

Yes,
I agree with you ... in theory that is how it is ... but this thing worked like that
for quite a while :)
how?

Regards,
Данаил Петров




Re: lug-bg: iptables SNAT --to pool ...

2004-09-18 Thread Danail Petrov
I still cannot solve this problem :)
here is some more info (in case anyone finds it interesting :))
undertown:~# iptables -t nat -I POSTROUTING -p tcp -d 212.5.145.42 --dport 80 -j SNAT --to 212.5.155.101

/I SNAT everything that goes out to IP 212.5.145.42:80 so that it goes out with
source address 212.5.155.101/

undertown:~# tcptraceroute 212.5.145.42 80
Selected device eth0, address 212.5.155.100, port 33414 for outgoing packets
Tracing the path to 212.5.145.42 on TCP port 80, 30 hops max
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
<snip>
(Something strange happens here, which I will describe a bit further down)

30 * * *
The same tcptrace goes through when I explicitly set the IP I want to go out with
undertown:~# tcptraceroute -s 212.5.155.101 212.5.145.42
Selected device eth0, address 212.5.155.101, port 33519 for outgoing packets
Tracing the path to 212.5.145.42 on TCP port 80, 30 hops max
1  zora.inetg.bg (212.5.155.97)  0.531 ms  0.350 ms  0.321 ms
2  Suny-DS-ether2-to-Zora2.PPPoE-leased (212.116.134.13)  2.188 ms  3.426 ms  1.858 ms
3  rszl-ether-2-RadioLAN.inetg.bg (212.116.134.129)  1.924 ms  1.734 ms  2.643 ms
4  big.inetg.bg (212.5.145.20)  9.340 ms  2.696 ms  3.170 ms
5  crew.inetg.bg (212.5.145.42) [open]  6.045 ms  2.721 ms  6.754 ms

so ... I was talking about the strange things that happen during the first
tcptraceroute. Here is what happens on the machine at the same moment ...

undertown:~# tethereal -i eth0 dst host 212.5.145.42 and src host 212.5.155.101
Capturing on eth0
 0.00 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
 3.006024 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
 6.007149 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
 9.007678 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
12.008212 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
15.008759 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
18.009313 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
21.009841 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
24.011898 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
27.012430 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
30.013497 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
33.014027 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
36.014575 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
--- from here on, after a TCP packet with the RST bit set is sent,
the machine 212.5.145.42 starts receiving ---
36.017318 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0
39.015101 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
39.018119 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0
42.015636 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
42.018897 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0

This is output from 212.5.145.42, and all the information starts to
appear after the first TCP-RST bit

 0.00 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
 0.003112 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0
 3.000455 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
 3.003957 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0
 6.000934 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
 6.003924 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0
 9.000905 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
 9.003998 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0
12.001539 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
12.004478 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0
15.000999 212.5.155.101 -> 212.5.145.42 TCP [TCP ZeroWindow] 33737 > 
www [SYN] Seq=0 Ack=0 Win=0 Len=0
15.003903 212.5.155.101 -> 212.5.145.42 TCP 33737 > www [RST] Seq=1 
Ack=0 Win=0 Len=0

At first I thought it was most likely something related to the
syn-cookie support in the kernel, but that is not it ...

undertown:~# cat /proc/net/ip_conntrack |egrep 212.5.155.101 |grep dport=80|head
tcp  6 92 TIME_WAIT src=192.168.0.23 dst=128.242.237.107 sport=1052 
dport=80 src=212.5.155.101 dst=192.1

Re: lug-bg: iptables SNAT --to pool ...

2004-09-19 Thread Danail Petrow
Just for info (for those who found it interesting), I will mention how I
solved the problem:

undertown:~# uname -a
Linux undertown 2.4.27 #2 Sun Sep 19 09:30:40 EDT 2004 i686 GNU/Linux
Best Regards,
Данаил Петров



