Re: [newbie] Ipchains help

2002-08-02 Thread Xecut1on
thanks man i appreciate it


Re: [newbie] Ipchains help

2002-07-30 Thread daRcmaTTeR

[EMAIL PROTECTED] wrote:
> Hi I was wondering if there is a rule I can set to drop *all* icmp? if
> so how would I add the rule?

try something like this:

ipchains -A input -p icmp -s 0/0 -j DENY

or

ipchains -A input -p icmp -i $INTERFACE -j DENY

$INTERFACE = your outer interface:
   if you're using a dialup connection, $INTERFACE = ppp0
   if you're using a DSL or CABLE connection, $INTERFACE = eth0 or eth1,
   whichever applies...

Mark




Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



[newbie] Ipchains help

2002-07-29 Thread Xecut1on
Hi I was wondering if there is a rule I can set to drop *all* icmp? if so how would I add the rule?


[newbie] ipchains question

2002-07-16 Thread freeman

I need to enable a port on ipchains, but I cannot find how
to do it. Any ideas, please let me know. The port is 6901.

Thanx in advance 

Mike





Re: [newbie] ipchains and Mandrake

2002-04-06 Thread Payal Rathod

Hi,
the problem was that Mandrake did not install ipchains
during its installation during expert mode, select
individual packages and medium security. It didn't
have any check box for ipchains at all. ipchains didn't
figure in list of packages. I had to install it
thru' rpm on CD and then when I ran ipchains -A
forward -j MASQ it said protocol: protocol not found.
I am sure ipchains was not in the list for packages
during install, as me and a friend were on lookout for
it.
thanks and bye.
-Payal
--- Gerald Waugh [EMAIL PROTECTED] wrote:
> On Saturday 06 April 2002 01:34 am, Payal Rathod wrote:
> > Hi,
> > Thanks for the mails. But I can use ipchains properly
> > with Mandrake 7.0, 7.1, 7.2, 8.1, 8.2 without any
> > kernel recompiling, then why not with 8.0?
> > has anybody faced such a problem with 8.0?
> > Thanks and bye.
>
> Please restate the problem, and yes you should be able to
> use ipchains on 8.X, although it is recommended to use
> iptables on 2.4x kernels
>
> --
> Gerald Waugh : Registered Linux user # 255245
> http://www.frontstreetnetworks.com
> Front Street Networks LLC - ph. 203.785.0699
> 229 Front Street, Ste. #C, New Haven, CT, United States of America
> 4:46am up 15 days, 13:11, 3 users, load average: 0.83, 1.00, 1.19
 




Re: [newbie] ipchains and Mandrake

2002-04-06 Thread Gerald Waugh

On Saturday 06 April 2002 09:48 am, Payal Rathod wrote:
> Hi,
> the problem was that Mandrake did not install ipchains
> during its installation during expert mode, select
> individual packages and medium security. It didn't
> have any check box for ipchains at all. ipchains didn't
> figure in list of packages. I had to install it
> thru' rpm on CD and then when I ran ipchains -A
> forward -j MASQ it said protocol: protocol not found.
> I am sure ipchains was not in the list for packages
> during install, as me and a friend were on lookout for
> it.

## Masquerading

## Modules to help certain services

/sbin/depmod -a > /dev/null 2>&1
/sbin/modprobe ip_masq_ftp > /dev/null 2>&1
/sbin/modprobe ip_masq_raudio > /dev/null 2>&1
/sbin/modprobe ip_masq_irc > /dev/null 2>&1
/sbin/modprobe ip_masq_icq > /dev/null 2>&1
/sbin/modprobe ip_masq_quake > /dev/null 2>&1
/sbin/modprobe ip_masq_user > /dev/null 2>&1
/sbin/modprobe ip_masq_vdolive > /dev/null 2>&1

## Masquerading firewall timeouts: tcp conns 8hrs, tcp after fin pkt 60s, udp 10min
$IPCHAINS -M -S 14400 60 600

## Set up kernel to enable IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

## Set up kernel to handle dynamic IP masquerading
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr

-- 
Gerald Waugh : Registered Linux user # 255245
http://www.frontstreetnetworks.com
Front Street Networks LLC - ph. 203.785.0699
229 Front Street, Ste. #C, New Haven, CT, United States of America
11:55am up 15 days, 20:20, 3 users, load average: 0.77, 0.93, 1.08






[newbie] ipchains and Mandrake

2002-04-05 Thread Payal Rathod

Hello all,
Me and my friend have installed Mandrake 8.0 3 times
and all the times we found out that
ipchains was not getting installed at all. 2nd and 3rd
time anticipating this problem we were
on lookout for ipchains package to be ticked. We
install in expert mode with security level
to medium and option select individual packages ON.
We had to install it from source and then we found
that the kernel did not have
masquerading support built in cos' when we gave
ipchains -A forward -j MASQ we had an error
Protocol: no such protocol
Is this a known problem with Mandrake 8.0?
Thanks and bye.
-Payal




Re: [newbie] ipchains and Mandrake

2002-04-05 Thread Brian Parish

ipchains is the old stuff - iptables is used now.

HTH
Brian

On Sat, 2002-04-06 at 12:45, Payal Rathod wrote:
> Hello all,
> Me and my friend have installed Mandrake 8.0 3 times
> and all the times we found out that
> ipchains was not getting installed at all. 2nd and 3rd
> time anticipating this problem we were
> on lookout for ipchains package to be ticked. We
> install in expert mode with security level
> to medium and option select individual packages ON.
> We had to install it from source and then we found
> that the kernel did not have
> masquerading support built in cos' when we gave
> ipchains -A forward -j MASQ we had an error
> Protocol: no such protocol
> Is this a known problem with Mandrake 8.0?
> Thanks and bye.
> -Payal








Re: [newbie] ipchains and Mandrake

2002-04-05 Thread jeff

unless i'm wrong, the new kernels don't have 'built-in'
support for ipchains. which isn't to say you can't use
ipchains with the new 2.4 kernels...but you'll probably
need to build a new kernel with ipchains support or try
loading ipchains as a module.

and, i would recommend that you get acquainted with
netfilter...which uses iptables.

shane chen has some decent (slightly outdated) stuff at:
www.knowplace.org - he wrote some nice how-to's on
building iptables firewalls. it's a good start.

good luck and if you want to try, load ipchains as a
module and see what you get - i'm not sure what will
happen since i'm a big debian user.

as root, modprobe ipchains ; insmod ipchains

-jeff







Re: [newbie] ipchains and Mandrake

2002-04-05 Thread Gerald Waugh

On Friday 05 April 2002 09:57 pm, Brian Parish wrote:
> ipchains is the old stuff - iptables is used now.


does 8.0 have a 2.4 kernel, if not then ipchains is what he needs!

-- 
Gerald Waugh : Registered Linux user # 255245
http://www.frontstreetnetworks.com
Front Street Networks LLC - ph. 203.785.0699
229 Front Street, Ste. #C, New Haven, CT, United States of America
10:16pm up 15 days, 6:41, 3 users, load average: 1.29, 1.24, 1.39






Re: [newbie] ipchains and Mandrake

2002-04-05 Thread Payal Rathod

Hi,
Thanks for the mails. But I can use ipchains properly
with Mandrake 7.0, 7.1, 7.2, 8.1, 8.2 without any
kernel recompiling, then why not with 8.0?
has anybody faced such a  problem with 8.0?
Thanks and bye.
-Payal
--- Gerald Waugh [EMAIL PROTECTED] wrote:
> On Friday 05 April 2002 09:57 pm, Brian Parish wrote:
> > ipchains is the old stuff - iptables is used now.
>
> does 8.0 have a 2.4 kernel, if not then ipchains is
> what he needs!
>
> --
> Gerald Waugh : Registered Linux user # 255245
> http://www.frontstreetnetworks.com
> Front Street Networks LLC - ph. 203.785.0699
> 229 Front Street, Ste. #C, New Haven, CT, United States of America
> 10:16pm up 15 days, 6:41, 3 users, load average: 1.29, 1.24, 1.39
 




[newbie] ipchains-fw configuration

2001-11-19 Thread Michael Dannhorn

Hi,

I have to re-configure for a remote access vpn.

Authentication seems to work so far over udp port xx.
But I can't send data over 'IP protocol 50 bi-directional'.

How is the ipchains syntax to open 'IP protocol 50 bi-directional'
in my firewall rules?

Thanx for your help!

--

ciao
Michael

*** So long, and thanks for all the fish ... ***

---







[newbie] ipchains? iptables? iproute2?

2001-09-25 Thread Kevin Fonner

I setup sharing my internet connection under Mandrake Control Center on 
MDK 8.  It installed ipchains, iptables, and iproute2?  Are all these 
programs used for the internet sharing or does it install some of these 
for a just in case scenario?  What are they all supposed to do?

Thanks,
Kevin







Re: [newbie] ipchains? iptables? iproute2?

2001-09-25 Thread Michael D. Viron

iproute2 is the way for kernel 2.4.x to handle IP source routing. (See docs
at http://www.linuxgrill.com/iproute2-toc.html for information)

ipchains and iptables are roughly equivalent to one another in that they
both have the same end result -- configuring a firewall.  ipchains is the
firewalling utility from the 2.2.x kernels (although still supported  under
2.4.x), while iptables is the kernel 2.4.x replacement for ipchains.

Michael

--
Michael Viron
Registered Linux User #81978
Senior Systems  Administration Consultant
Web Spinners, University of West Florida

At 08:55 PM 09/25/2001 -0400, you wrote:
> I setup sharing my internet connection under Mandrake Control Center on
> MDK 8.  It installed ipchains, iptables, and iproute2?  Are all these
> programs used for the internet sharing or does it install some of these
> for a just in case scenario?  What are they all supposed to do?
>
> Thanks,
> Kevin



Re: [newbie] ipchains vs. iptables

2001-08-08 Thread jennifer


--- civileme [EMAIL PROTECTED] wrote:
> On Tuesday 07 August 2001 22:20, jen wrote:
> > L's and G's,
> >
> > This is my first time setting up InteractiveBastille and I must admit, It
> > is a little nerve-racking to not know exactly what you're doing. While I do
> > understand the premises of services, ports and basic TCP/IP-acks-denies and
> > so-forth, I do not understand why most of these questions advise me that if
> > I use Iptables, I should not worry about most of these settings.
> >
> > I did choose the I want to spend an hour learning my system option But
> > half of the questions tell me I don't need to worry if I'm using iptables.
> > Would someone be kind enough to tell me smiles or tell me where I might
> > go to better understand the differences in the kernels. I never have dealt
> > with anything other than 2.4.X (mandrake 8.0)
> >
> > as always, thanks in advance.
> >
> > j
>
> OK the difference in ipchains and iptables besides some obvious syntax in the rules
> is that iptables is _stateful_ while ipchains is not.  And it looks like we got there with
> it just in time for people to start using it.
>
> What does stateful mean?  It means that sending a packet changes the state of the
> engine handling packets.
>
> There are many ways to crack a TCP connection or to put intruder packets into a
> system.  Most of them require the attacking system to have raw socket capability.
>
> With raw sockets, a machine can claim its packets are from any IP address and
> are of any protocol.  It can also malform the packets sent for various purposes,
> as is done with the famed tear drop, bonk, ping of death: and nestea
> attacks to knock a computer off the internet..
>
> Until recently, the easily compromised systems did not have raw socket capability,
> but now, this October, there will be WinXP with full raw socket capability and the
> famous nonexistent Microsoft security.  Script kiddies will be recruiting new
> soldiers by compromising these systems, and their attacks will be extraordinarily
> potent.
>
> The windows machines recruited in the past could basically send pings and huge
> UDP packets to attack other machines, but now they can come in saying, Hi, I'm
> the packet from your best friend's machine, right in the middle of a trusted
> dialogue.  Or, here is the nameservice information you requested, (return address
> is in fact that of your nameserver).
>
> With ipchains, you have NO defense against such rogue packets--they come through
> and try to do whatever it is they came to accomplish (not very much on a linux
> system, but if you are using your linux to protect a network of windows machines...)
>
> With iptables, the answer is, I beg your pardon, there was no dialogue?  or Sorry,
> I have all answers I was looking for from nameservices  In either case the rogue
> packet is dropped on the floor.
>
> With kernel 2.4.3 there is an iptables hole regarding ftp packets at the moment.  We
> are testing a kernel update which should plug this hole.
>
> Civileme

*

Thank You...this is good information and will help me
know where to look for more info.

Aren't you supposed to be on Vacation?

va·ca·tion (v-kshn, v-)
n. 
A period of time devoted to pleasure, rest, or
relaxation, especially one with pay granted to an
employee. 

A holiday. 
A fixed period of holidays, especially one during
which a school, court, or business suspends
activities. 
Archaic. The act or an instance of vacating. 

Thanks again!
 




=
Jennifer
Registered Linux User #221463 
Yahoo IM: jlynn2k
#include knowledge.h
void ignorance (it offers no value)
*/A freely given answer can offer enlightment to those who ask valid questions
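
The stateless/stateful distinction discussed in the quoted reply above, as an added Python example that is not part of the original thread and is not netfilter code. It is a toy model: the `Packet`, `stateless_inbound` and `StatefulFilter` names, the addresses and the ports are all constructed for illustration, and the stateless rules stand in for the usual "allow anything that looks like a reply" rules of a per-packet filter.

```python
from dataclasses import dataclass

# Constructed addresses (documentation ranges) and ports, for illustration only.
LAN_HOST = "192.168.1.10"
RESOLVER = "203.0.113.53"
FRIEND = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags carried by the packet


def stateless_inbound(pkt):
    """Judge each inbound packet on its own header fields, with no memory."""
    # "Let DNS answers in": anything from UDP source port 53 to a high port.
    if pkt.proto == "udp" and pkt.sport == 53 and pkt.dport >= 1024:
        return "ACCEPT"
    # "Let TCP replies in": anything to a high port that is not a bare SYN.
    bare_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
    if pkt.proto == "tcp" and pkt.dport >= 1024 and not bare_syn:
        return "ACCEPT"
    return "DENY"


class StatefulFilter:
    """Remember what the inside host sent; admit only matching replies.

    Simplification: flows are keyed on the 5-tuple only and never expire.
    Real connection tracking also applies timeouts and per-protocol state.
    """

    def __init__(self):
        # (proto, local addr, local port, remote addr, remote port)
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if key in self.flows else "DROP"


def run_demo():
    """Return {case: (stateless verdict, stateful verdict)} for sample packets."""
    fw = StatefulFilter()
    # The inside host has sent exactly one DNS query and opened no TCP connection.
    fw.outbound(Packet("udp", LAN_HOST, 40000, RESOLVER, 53))
    ack = frozenset({"ACK"})
    syn = frozenset({"SYN"})
    cases = {
        # Genuine answer to the query above.
        "dns_reply_to_real_query": Packet("udp", RESOLVER, 53, LAN_HOST, 40000),
        # Claims to be the nameserver, but nothing was asked from port 40001.
        "dns_reply_nobody_asked_for": Packet("udp", RESOLVER, 53, LAN_HOST, 40001),
        # Claims to be mid-conversation with a friend; no such connection exists.
        "tcp_ack_without_connection": Packet("tcp", FRIEND, 80, LAN_HOST, 41000, ack),
        # New inbound connection attempt: both filters refuse it.
        "tcp_syn_to_high_port": Packet("tcp", FRIEND, 1234, LAN_HOST, 41000, syn),
    }
    return {name: (stateless_inbound(p), fw.inbound(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:28} stateless={stateless:6} stateful={stateful}")
```

The two middle cases are the ones the reply describes: the per-packet rules admit them because the headers look like replies, while the flow table has no record of a matching request.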





Re: [newbie] IPchains is missing....

2001-06-18 Thread Tom Brinkman


 On Sunday 17 June 2001 09:22 pm, s wrote:
 Well, naw, but it's cool he switched.  I was just mentioning it
 because Tom said Steve was unwise to use windows for a server.
 -s


   No, I said I lack faith in any security expert who would choose the
 most insecure server available, Winblows.


 On Sunday 17 June 2001 05:53 pm, you wrote:
  s wrote:
   He has recently moved his site and ngs to a unix server (after
   the recent DoS attacks).  So I guess he's catching on.  :-)
 
  Can Linux protect him from a DoS attack?
 
  Randy Kramer


  Ya know I was gonna drop out of this because it's no longer on topic
 for this list, but search just now at  http://www.netcraft.com/whats/  
 shows that www.grc.com (ShieldsUP)
The site www.grc.com is running Microsoft-IIS/5.0 on Windows 2000.
 just as his site currently says Gibson is in his warning message that
 his scan could be inaccurate 'cause his Windoze server is buggy..

   The only reason this topic is pertinent is that after I gave the
 simple instructions for configuring an iptables firewall, I recommended
 that it be test scanned to verify it. Granted I implied the Gibson's
 site isn't the best, and that Secure Design's was better, more
 comprehensive and more accurate. I still believe SD is _much_ better,
 YMMV.  BTW, www.sdesign.com reports
The site www.sdesign.com is running Apache/1.3.6 (Unix) on Linux.

    To answer Randy, very little can be done to protect a site before a
 DoS begins, but much can be done during and after.  FWIW, both sites
 were DoS'd. Gibson's Windoze server was down and out for several days
 after the attack was over. SecureDesign's Apache/Linux was only down
 during the attack for a few hours. You may want to Google 'Denial of
 Service' for more info.
-- 
Tom Brinkman  [EMAIL PROTECTED] Galveston Bay




Re: [newbie] IPchains is missing....

2001-06-17 Thread Ross Slade

On Sat, 16 Jun 2001, Tom Brinkman wrote:

> On Saturday 16 June 2001 03:52 pm, root wrote:

> ipchains has been improved (long ago).  2.4.x kernels have iptables
> support. Check to make sure iptables is installed (updated,
> iptables-1.2.2-2mdk), and then run DrakConf as root and answer the few,

Is iptable's command format compatible with ipchains? Should my 'old' firewall
work with just name changes (ie. ipchains changed to iptables where
appropriate)

-Ross

-- 
http://bunyip.apana.org.au [ICQ No.9391313]
  {For email change borg to org}

Waste not, get your budget cut next year.





Re: [newbie] IPchains is missing....

2001-06-17 Thread Tom Brinkman

On Sunday 17 June 2001 02:32 am, Ross Slade wrote:

> > ipchains has been improved (long ago).  2.4.x kernels have
> > iptables support. Check to make sure iptables is installed
> > (updated, iptables-1.2.2-2mdk), and then run DrakConf as root and
> > answer the few,
>
> Is iptable's command format compatible with ipchains?

Completely different from what I can tell

> Should my 'old'
> firewall work with just name changes (ie. ipchains changed to
> iptables where appropriate)
>
> -Ross

   Nope.  Easiest thing, at least for me, is to su to root in a 
terminal and type 'DrakConf' (w/o the 's of course). Then under 
'Security' / 'Firewalling' answer the questions.  If you have a desktop 
system with a single connection to the Net, the default answers are 
already chosen for you.  Presto!, you have a very secure Bastille (LM) 
firewall ;

   Now if ya wanna make it more interesting and difficult ;  then type
'InteractiveBastille' in a term and you'll get the same type setup, 
just a heck'of'a lot more details, choices, explanations, and chances 
to really screw things up ;~

   If for some reason you havt'a use ipchains, you can, but AFAIK 
you'll have to compile a kernel and enable (Y)  ipchains ... 2,2,x 
style support during the config.  This is what I was doin with 2.4.x 
kernels with 7.2 (until 8.0 came along :)

  Whatever, when you believe you've got it right, then try scans:

https://grc.com/x/ne.dll?bh0bkyd2  [probly not worth the time since 
this 'expert' got hacked and shut down a few weeks ago.  So much for 
their security ; ]

http://www.sdesign.com/securitytest/  [a basic scan and a more 
comprehensive full scan, but they also got DoD'd a few weeks ago. AFAIK 
tho, this is the only scan that checks all 60,000 ports. Email address 
required, you're sent a report. Scan takes up to an hour]

http://scan.sygatetech.com  [variety of scans, but the 'quick' scan is 
probly all you need to do.  Everything should report 'blocked'  They 
escaped being hacked BTW ;) ] 

-- 
Tom Brinkman  [EMAIL PROTECTED] Galveston Bay
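
Why renaming `ipchains` to `iptables` is not enough, as an added Python example that is not part of the original thread or of either tool. The `translate` function is hypothetical and handles only simple `-A` rules using `-p`, `-s`, `-d`, `-i`, `-j`, `-y` and `-l`; the sample interface, network and port values are taken from questions elsewhere on this page.

```python
import shlex

# Built-in chain names became upper case; two targets were renamed.
BUILTIN_CHAINS = {"input": "INPUT", "output": "OUTPUT", "forward": "FORWARD"}
TARGETS = {"DENY": "DROP", "MASQ": "MASQUERADE"}


def translate(rule):
    """Translate one simple 'ipchains -A ...' rule into iptables rule(s).

    Returns a list because an ipchains rule with -l (log) becomes two
    iptables rules. Raises ValueError for anything outside the subset above.
    """
    tok = shlex.split(rule)
    if len(tok) < 3 or tok[:2] != ["ipchains", "-A"]:
        raise ValueError("only 'ipchains -A <chain> ...' rules are handled")
    if "!" in tok:
        raise ValueError("negated matches are not handled")
    old_chain = tok[2]
    proto = iface = target = None
    matches, log, ports, syn = [], False, False, False
    i = 3
    while i < len(tok):
        opt = tok[i]
        if opt in ("-p", "-i", "-j", "-s", "-d"):
            if i + 1 >= len(tok):
                raise ValueError(f"{opt} needs a value")
            val = tok[i + 1]
            i += 2
            if opt == "-p":
                proto = val
            elif opt == "-i":
                iface = val
            elif opt == "-j":
                target = val
            else:
                matches += [opt, val]
                # ipchains writes the port directly after the address;
                # iptables wants an explicit --sport / --dport.
                if i < len(tok) and not tok[i].startswith("-"):
                    matches += ["--sport" if opt == "-s" else "--dport", tok[i]]
                    ports = True
                    i += 1
        elif opt == "-y":
            matches.append("--syn")      # -y became --syn
            syn = True
            i += 1
        elif opt == "-l":
            log = True                   # logging became a separate LOG rule
            i += 1
        else:
            raise ValueError(f"unhandled option {opt}")

    if ports and proto not in ("tcp", "udp"):
        raise ValueError("port matches need -p tcp or -p udp")
    if syn and proto != "tcp":
        raise ValueError("-y needs -p tcp")
    if iface and old_chain not in BUILTIN_CHAINS:
        raise ValueError("-i in a user-defined chain is ambiguous")

    if target == "MASQ":
        if old_chain != "forward":
            raise ValueError("MASQ is only valid in the forward chain")
        # Masquerading moved to the nat table; the filter FORWARD chain
        # must separately allow the forwarded traffic.
        head = ["iptables", "-t", "nat", "-A", "POSTROUTING"]
    else:
        head = ["iptables", "-A", BUILTIN_CHAINS.get(old_chain, old_chain)]
    if proto:
        head += ["-p", proto]            # must precede --sport/--dport/--syn
    if iface:
        # In ipchains, -i on output/forward named the outgoing interface.
        head += ["-i" if old_chain == "input" else "-o", iface]
    head += matches

    rules = []
    if log:
        rules.append(" ".join(head + ["-j", "LOG"]))
    if target:
        rules.append(" ".join(head + ["-j", TARGETS.get(target, target)]))
    return rules


if __name__ == "__main__":
    for old in (
        "ipchains -A input -p icmp -i ppp0 -j DENY",
        "ipchains -A forward -i ppp0 -s 192.168.1.0/24 -j MASQ",
        "ipchains -A input -p tcp -y -d 0/0 6901 -l -j DENY",
    ):
        print(old)
        for new in translate(old):
            print("   ", new)
```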




Re: [newbie] IPchains is missing....

2001-06-17 Thread Sridhar Dhanapalan

On Sun, 17 Jun 2001 18:59, Tom Brinkman wrote:
>   Whatever, when you believe you've got it right, then try scans:
>
> https://grc.com/x/ne.dll?bh0bkyd2  [probly not worth the time since
> this 'expert' got hacked and shut down a few weeks ago.  So much for
> their security ; ]

Steve Gibson (the owner and maintainer of grc.com) did not get hacked 
-- he was the victim of a denial of service (DoS) attack. There is 
very little defence against these attacks. If you actually read his 
(very detailed yet very simple to understand) articles, you will see 
that he did everything humanly possible and more to end the attack. 
Sites like The Register have labelled this guy as nuts -- it is 
obvious that they had not read his lengthy accounts or recognised the 
great work he has done over the years. After reading his articles, I 
can say that he is an extremely resourceful and clever guy and I 
really feel sorry for how he has been attacked from all sides (the 
media included). It was he who realised that WinXP's full raw UNIX 
sockets support was both unnecessary and a major threat to the 
stability of the Internet. It was he who managed to modify a SubSeven 
trojan to lead him to its creator. This man is an unspoken genius.

I suggest you actually try reviewing Steve Gibson's work 
(http://grc.com/) before criticising him.

-- 
Sridhar Dhanapalan.
There are two major products that come from Berkeley:
LSD and UNIX. We don't believe this to be a coincidence.
-- Jeremy S. Anderson




Re: [newbie] IPchains is missing....

2001-06-17 Thread Lanman

I totally agree ! He also found some major bugs and spyware in Netscape 
Navigator, which they denied, then threatened to sue Steve, until he proved 
it. At this point, the folks from Netscape quietly apologised, and fixed the 
holes, etc with Netscape 4.76 !

Anyone who criticizes Steve is either not aware of all the facts, or an idiot.

Dan LaBine




Re: [newbie] IPchains is missing....

2001-06-17 Thread s

He has recently moved his site and ngs to a unix server (after the recent DoS 
attacks).  So I guess he's catching on.  :-)
-s

On Sunday 17 June 2001 10:52 am, you wrote:

> Personally, I lack faith in any security 'expert' that chooses to
> run his site on the most insecure server available, Windoze. As always,
> YMMV





Re: [newbie] IPchains is missing....

2001-06-17 Thread s

Well, naw, but it's cool he switched.  I was just mentioning it because Tom 
said Steve was unwise to use windows for a server.
-s

On Sunday 17 June 2001 05:53 pm, you wrote:
> s wrote:
> > He has recently moved his site and ngs to a unix server (after the recent
> > DoS attacks).  So I guess he's catching on.  :-)
>
> Can Linux protect him from a DoS attack?
>
> Randy Kramer





Re: [newbie] IPchains is missing....

2001-06-17 Thread Randy Kramer

s wrote:
> He has recently moved his site and ngs to a unix server (after the recent DoS
> attacks).  So I guess he's catching on.  :-)

Can Linux protect him from a DoS attack?

Randy Kramer




Re: [newbie] IPchains is missing....

2001-06-17 Thread s

Well, actually he thinks it might help.  Something about better filters since 
he has the attacker's ip addys (and the hijacked machines they used), in 
addition to a something similar to portsentry's methodology.  I don't 
remember all the details, but it's on his site and in his ngs.  However, it 
was a decision that came directly and indirectly (he's had problems with 
win2kp for a long time) from the aftermath of the attack.  Last I heard, the 
attackers were planning some mega-attack in the near future.  I guess we'll 
see.
-s

On Sunday 17 June 2001 09:29 pm, you wrote:
> s,
>
> Thanks for the response!
>
> Randy Kramer






Re: [newbie] IPchains is missing....

2001-06-16 Thread chamster


The 2.4 kernel uses iptables, no?

Steve

On Sat, Jun 16, 2001 at 03:52:20PM -0500, root wrote:
 
> Where the heck is the ipchains command... Using an install of LM8.0 on
> medium security. Looked in /usr/sbin and all over the place but seems to
> be afk...
 
 




Re: [newbie] IPchains is missing....

2001-06-16 Thread Jeff


--- root [EMAIL PROTECTED] wrote:
 
> Where the heck is the ipchains command... Using an install of LM8.0 on
> medium security. Looked in /usr/sbin and all over the place but seems to
> be afk...

After 'modprobe ipchains'  it's in /sbin/ipchains for
me.  I'm using a pretty stock 8.0 install.  iptables
is the standard for 2.4 though. Its website is at
http://netfilter.samba.org/ I'm pretty sure ipchains
will be around for quite awhile though. 






Re: [newbie] IPchains is missing....

2001-06-16 Thread Tom Brinkman

On Saturday 16 June 2001 03:52 pm, root wrote:
> Where the heck is the ipchains command... Using an install of LM8.0
> on medium security. Looked in /usr/sbin and all over the place but
> seems to be afk...

   ipchains has been improved (long ago).  2.4.x kernels have iptables 
support. Check to make sure iptables is installed (updated, 
iptables-1.2.2-2mdk), and then run DrakConf as root and answer the few, 
simple questions in 'Security - Firewalling'. This will set up a secure 
firewall for you.
-- 
Tom Brinkman  [EMAIL PROTECTED] Galveston Bay




Re: [newbie] IPChains Rules help

2001-06-04 Thread Jeff


--- Jon Doe [EMAIL PROTECTED] wrote:
> My firewall won't allow me to connect to my news server or ICQ, can someone
> help me out with rules I can add to let news and ICQ connect?

I'm assuming you're still using kernel 2.x with
IPChains, but if I'm wrong you may have better luck
with IP Tables and kernel 2.4.x.  A great tutorial
that had my icq up and running quickly came from
Mandrakeuser.org.  It's for IPChains:
http://www.mandrakeuser.org/docs/connect/cipc.html
this tutorial won't get the best firewall running but
it will show you how to get your ICQ working with
IPChains.  But if you're using MDK 8.0 and kernel 2.4
you may want to try IP Tables for your firewall.
http://pinehead.com/articles.php?view=371
http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html
http://netfilter.samba.org/unreliable-guides/

These are great links for ip tables tutorials and
explanations.  IP Tables doesn't have all the
available modules yet but it is definitely the future
of firewalling in linux (at least that's what I've
read)
If you can't find what you need maybe posting your
script rules to the list would help and someone could
point out the problem.  Good Luck.






[newbie] IPChains Rules help

2001-06-04 Thread Jon Doe

My firewall won't allow me to connect to my news server or ICQ, can someone 
help me out with rules I can add to let news and ICQ connect?




Re: [newbie] ipchains/iptables in 8.0

2001-05-25 Thread Jeff

Ok I have a bit of an answer to my question :) 
http://antarctica.penguincomputing.com/~netfilter/unreliable-guides/NAT-HOWTO/index.html
Well I found a really super small thing in this how to
that got the connection sharing up but I just wonder
if everything will work.  I still don't see the modules
for things like quake, ftp, irc, etc.  Ok now same
boat basically.  I still can't access some things. 
For example like when trying to get an ftp site I get
an error (many different ftp sites not just one, I
can't get to even one from the windows box).  Here's
the script from the NAT how-to:

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

All I did was copy it though so I'm not familiar with
iptables yet.  I'll keep reading and hopefully some
one can tell me where the modules are (or even one
hackish one that 'does it all').





[newbie] ipchains/iptables in 8.0

2001-05-24 Thread Jeff

I normally share my connection with my windows machine
using ipchains and a few modules.  I went to attempt
this in 8.0 after the connection sharing wizard
didn't give me the functionality I needed.  The
windows box can now surf the web but I cannot transfer
files in icq, aim, or use things like Net Meeting.  I
figured since ipchains was still in the stock kernel
the modules that I used to use would be too, but after
a look in /proc/sys/net/ipv4/ I found them gone.  Is
there a better way to do this with iptables?  I have
no clue how to configure it or where to start but I
would really like to give the windows box access to all
the things I want to use.  If anyone can guide me in
the right direction I would appreciate it.
Jeff  





[newbie] ipchains

2001-05-14 Thread Clarence Donath

I've moved from Red Hat 7.1 to Mandrake 8.0 out of frustration with trying to
get masquerading to ppp to work.

With Mandrake, ppp started to work, but then all of a sudden it stopped working
completely upon connection with the message 'serial line is looped back'.  I
read a recent post on this, and will play with the chat script to see if I can
get around this.

Another problem I have is ipchains.  It doesn't install by default even though
I installed every package?

I ran the 'connection sharing' tool, I saw it install ipchains, but the tool
sets up my gateway for DHCP for the clients.  I don't want that.  I have static
IP addresses for my clients in the 192.168.1 range.  Also I noted that the tool
changed my eth0 address from 192.168.1.1 to 192.168.0.1!  That's odd!

Finally, I tried to configure ipchains myself as I had it with Red Hat 6.0
previously, but on every ipchains command I run, it dies with the message
'protocol not available'.

What I want to do is set up a manual ppp connection from this machine, have it
masquerade for my internal network, then I'll add ipchains rules later to block
the services I don't want exposed to the Internet.

Does anyone have any suggestions for the best route to take to get to this
point?

Best Regards,
Clarence Donath




Re: [newbie] ipchains

2001-05-14 Thread Paul Cox

On Monday, May 14, 2001, Clarence Donath wrote:

> Another problem I have is ipchains.  It doesn't install by default even though
> I installed every package?

I don't know about the other problems, but if you're using the 2.4.3
kernel with Mandrake 8.0, it uses iptables instead of ipchains.

-- 
[EMAIL PROTECTED], ICQ#: 25370820, OpenPGP key at www.keyserver.net
1024D/39F0BBF4 2024 B7CB 10BF 6BE7 2ECE  E0FD 1360 0181 39F0 BBF4

Current Linux uptime: 9 days 2 hours 3 minutes.




Re: [newbie] ipchains n pmfirewall

2001-04-02 Thread T-Bond

Hi
Go to Mandrakeuser.org and click on connectivity. There is a nice how-to on
IP Masquerading there. I followed that one and it is working great. Don't
bother with PMfirewall. It's no good anyway.
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 01, 2001 1:14 PM
Subject: [newbie] ipchains n pmfirewall


 hi
 i have checked
http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.php3
and used the documentation to install pmfirewall. i'm connected throught
 adsl modem and to get into outer web i have to ouse the isp's site
(login1.telia.com) to log on else i have no connection at all. during
configuration i even added login.telia.com as a "friendly" net which can
 get in.
 the installation (after second time) ended with : "can not creat normal
file "/usr/man/man8/pmfirewal.8.bz2" : file or folder does not exist.
 now when i run netscape or anyother browser it just reloads in an endless
loop and never loads the page.
 is there anything i can do or not to do in order to get online ?
 where can i find the logs about intruders/bad packages that been sent to
me?
 i even need to know how to block ip ranges i.e 194.165.8.0 - 194.165.9.255
since many abusers from that ip range tried to hack me n their admin says as
long as they pay for account he won't move a finger.
 plz feel free to send me all your thought and suggestions or i have to
read
 ipchains-howto all over again without understanding it.
 thanks







Re: [newbie] ipchains n pmfirewall

2001-04-02 Thread ZeynalBandari

sorry that i forgot to mention , all i want is to protect one single 
machine from constant daily attacks , not a private network. 
tnx anyway :) 

[EMAIL PROTECTED] wrote:

 Hi
 Go to Mandrakeuser.org and click on connectivity. There is a nice how-to on
 IP Masqueradin there. I followed that one and it is working great. Don't
 bother with PMfirewall. It's no good anyway.
 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, April 01, 2001 1:14 PM
 Subject: [newbie] ipchains n pmfirewall
 
 
  hi
  i have checked
 http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.php3
 and used the documentation to install pmfirewall. i'm connected throught
  adsl modem and to get into outer web i have to ouse the isp's site
 (login1.telia.com) to log on else i have no connection at all. during
 configuration i even added login.telia.com as a "friendly" net which can
  get in.
  the installation (after second time) ended with : "can not creat normal
 file "/usr/man/man8/pmfirewal.8.bz2" : file or folder does not exist.
  now when i run netscape or anyother browser it just reloads in an endless
 loop and never loads the page.
  is there anything i can do or not to do in order to get online ?
  where can i find the logs about intruders/bad packages that been sent to
 me?
  i even need to know how to block ip ranges i.e 194.165.8.0 - 194.165.9.255
 since many abusers from that ip range tried to hack me n their admin says as
 long as they pay for account he won't move a finger.
  plz feel free to send me all your thought and suggestions or i have to
 read
  ipchains-howto all over again without understanding it.
  thanks
 
 
 
 
 




RE: [newbie] ipchains n pmfirewall

2001-04-02 Thread Franki


pmfirewall is ok for that,,

I use it, but found I had to add alot of new rules myself, but my machine
has about 6 virtual domains, so I had an unusual situation, but for single
machines using client apps instead of servers, it would probably be fine,
and the install script does do most of the work for you.

Frank Hauptle
/ /  _
---/ /  (_)__  __   __
--/ /__/ / _ \/ // /\ \/ /
-//_/_//_/\_,_/ /_/\_\
Gshop  Network Payment Solutions.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 3 April 2001 5:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] ipchains n pmfirewall


sorry that i forgot to mention , all i want is to protect one single
machine from constant daily attacks , not a private network.
tnx anyway :)

[EMAIL PROTECTED] wrote:

 Hi
 Go to Mandrakeuser.org and click on connectivity. There is a nice how-to
on
 IP Masqueradin there. I followed that one and it is working great. Don't
 bother with PMfirewall. It's no good anyway.
 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, April 01, 2001 1:14 PM
 Subject: [newbie] ipchains n pmfirewall


  hi
  i have checked

http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.php3
 and used the documentation to install pmfirewall. i'm connected throught
  adsl modem and to get into outer web i have to ouse the isp's site
 (login1.telia.com) to log on else i have no connection at all. during
 configuration i even added login.telia.com as a "friendly" net which can
  get in.
  the installation (after second time) ended with : "can not creat normal
 file "/usr/man/man8/pmfirewal.8.bz2" : file or folder does not exist.
  now when i run netscape or anyother browser it just reloads in an
endless
 loop and never loads the page.
  is there anything i can do or not to do in order to get online ?
  where can i find the logs about intruders/bad packages that been sent to
 me?
  i even need to know how to block ip ranges i.e 194.165.8.0 -
194.165.9.255
 since many abusers from that ip range tried to hack me n their admin says
as
 long as they pay for account he won't move a finger.
  plz feel free to send me all your thought and suggestions or i have to
 read
  ipchains-howto all over again without understanding it.
  thanks
 
 








Re: [newbie] ipchains n pmfirewall

2001-04-02 Thread Dennis Myers

On Monday 02 April 2001 04:16 pm, you wrote:
 sorry that i forgot to mention , all i want is to protect one single
 machine from constant daily attacks , not a private network.
 tnx anyway :)

 [EMAIL PROTECTED] wrote:
  Hi
  Go to Mandrakeuser.org and click on connectivity. There is a nice how-to
  on IP Masqueradin there. I followed that one and it is working great.
  Don't bother with PMfirewall. It's no good anyway.
  - Original Message -
  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Sunday, April 01, 2001 1:14 PM
  Subject: [newbie] ipchains n pmfirewall
 
   hi
   i have checked
 
  http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.ph
 p3 and used the documentation to install pmfirewall. i'm connected
  throught
 
   adsl modem and to get into outer web i have to ouse the isp's site
 
  (login1.telia.com) to log on else i have no connection at all. during
  configuration i even added login.telia.com as a "friendly" net which can
 
   get in.
   the installation (after second time) ended with : "can not creat normal
 
  file "/usr/man/man8/pmfirewal.8.bz2" : file or folder does not exist.
 
   now when i run netscape or anyother browser it just reloads in an
   endless
 
  loop and never loads the page.
 
   is there anything i can do or not to do in order to get online ?
   where can i find the logs about intruders/bad packages that been sent
   to
 
  me?
 
   i even need to know how to block ip ranges i.e 194.165.8.0 -
   194.165.9.255
 
  since many abusers from that ip range tried to hack me n their admin says
  as long as they pay for account he won't move a finger.
 
   plz feel free to send me all your thought and suggestions or i have to
 
  read
 
   ipchains-howto all over again without understanding it.
   thanks

Hi, just thought I would jump in here and let you know that I have downloaded
the last beta of the firewall program "Bastille" and it is very easy to
install and seems to work like a charm. You can find the link at the Mandrake
home page or just go here  http://www.bastille-linux.org.  They are near a
final release but the current beta seems to run well on my system.  Shields on
max,
-- 
Dennis M. registered Linux user # 180842




[newbie] ipchains n pmfirewall

2001-04-01 Thread ZeynalBandari

hi
i have checked
http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.php3 and used
the documentation to install pmfirewall. i'm connected through
adsl modem and to get into outer web i have to use the isp's site (login1.telia.com)
to log on else i have no connection at all. during configuration i even added
login.telia.com as a "friendly" net which can
get in.
the installation (after second time) ended with : "can not creat normal file
"/usr/man/man8/pmfirewal.8.bz2" : file or folder does not exist.
now when i run netscape or any other browser it just reloads in an endless loop and
never loads the page.
is there anything i can do or not to do in order to get online ?
where can i find the logs about intruders/bad packages that been sent to me?
i even need to know how to block ip ranges i.e 194.165.8.0 - 194.165.9.255 since many
abusers from that ip range tried to hack me n their admin says as long as they pay for
account he won't move a finger.
plz feel free to send me all your thoughts and suggestions or i have to read
ipchains-howto all over again without understanding it.
thanks
__
Get your own FREE, personal Netscape Webmail account today at 
http://webmail.netscape.com/
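
For the question above about blocking 194.165.8.0 - 194.165.9.255 and seeing what was dropped: ipchains matches a source as address/mask, so a range has to be written as CIDR blocks, and the -l flag makes the kernel log each matching packet. The script below is an added example, not part of the original post; the function names are illustrative, and it goes beyond the one range asked about by covering any inclusive IPv4 range.

```shell
#!/bin/sh
# Added example: cover an inclusive IPv4 range with the fewest CIDR blocks
# and print one logging ipchains DENY rule per block. Nothing is executed;
# the rules are only printed so they can be reviewed before use.

# ip_to_int A.B.C.D -> the address as an integer.
# Always called inside $(...), so the IFS change stays in that subshell.
ip_to_int() {
    IFS=.
    set -- $1            # split the dotted quad into $1..$4
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs FIRST LAST -> one CIDR block per line, lowest first
range_to_cidrs() {
    start=$(ip_to_int "$1")
    end=$(ip_to_int "$2")
    [ "$start" -le "$end" ] || {
        echo "range_to_cidrs: first address is above last address" >&2
        return 1
    }
    while [ "$start" -le "$end" ]; do
        # Grow the block while it stays aligned on $start and inside the range.
        size=1
        bits=32
        while [ "$bits" -gt 0 ] \
              && [ $(( start % (size * 2) )) -eq 0 ] \
              && [ $(( start + size * 2 - 1 )) -le "$end" ]; do
            size=$(( size * 2 ))
            bits=$(( bits - 1 ))
        done
        echo "$(int_to_ip "$start")/$bits"
        start=$(( start + size ))
    done
}

# deny_rules FIRST LAST -> ipchains commands that drop and log the range
deny_rules() {
    range_to_cidrs "$1" "$2" | while read -r cidr; do
        echo "ipchains -A input -s $cidr -j DENY -l"
    done
}

# The range from the post collapses to a single /23.
deny_rules 194.165.8.0 194.165.9.255
```

Packets matched by a rule carrying -l are reported through the kernel log, so they show up wherever syslog on the machine writes kernel messages.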




[newbie] ipchains

2001-01-29 Thread Allan Parreno


Hello guys,

I have this config in my ipchain both eth0 and eth1 has a public
ip. Is it correct? I want all traffic from 192.168.100.0/24 will pass thru
eth0 and 192.168.101.0/24 will also pass thru eth1.

thanks in advance.

/sbin/ifconfig eth0:0 192.168.100.1 netmask 255.255.255.0 up
/sbin/route add -net 192.168.100.0 netmask 255.255.255.0 dev eth0:0
/sbin/ifconfig eth1:0 192.168.101.1 netmask 255.255.255.0 up
/sbin/route add -net 192.168.101.0 netmask 255.255.255.0 dev eth1:0

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.100.0/24 -d 0/0 -j MASQ
/sbin/ipchains -A forward -j MASQ -s 192.168.100.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -s 192.168.101.0/24 -d 0/0 -j MASQ
/sbin/ipchains -A forward -j MASQ -s 192.168.101.0/24 -d 0.0.0.0/0

/sbin/depmod -a > /dev/null 2>&1
/sbin/modprobe ip_masq_ftp > /dev/null 2>&1
/sbin/modprobe ip_masq_raudio > /dev/null 2>&1
/sbin/modprobe ip_masq_irc > /dev/null 2>&1
/sbin/modprobe ip_masq_icq > /dev/null 2>&1
/sbin/modprobe ip_masq_quake > /dev/null 2>&1
/sbin/modprobe ip_masq_user > /dev/null 2>&1
/sbin/modprobe ip_masq_vdolive > /dev/null 2>&1
/sbin/modprobe ip_masq_cuseeme > /dev/null 2>&1

echo 1 > /proc/sys/net/ipv4/ip_forward


- - - - - - - - - - - - - - - -
a l l a n  t. p a r r e n o
OneVirtual Internet - Iloilo
--
Make the first effort to work toward greatness.  You will learn a lot as
you go, and perfect your approach. The important thing now is to get
started and keep going.






[newbie] IPCHAINS/MASQ/ROUTING Help!

2000-11-26 Thread Melvin C. Etheridge

OK,

I setup my linux box using the "Home-Network-Howto" and everything is
working great using ipchains and ipmasq.  I'm using 2 nic cards, one
with a public addy and one with a private addy.

What I need to do is pass several of my public ip's thru the linux box
to servers on my private network.  The servers have to have the public
ip assigned to them.

Thanks,

Mel





Re: [newbie] IPCHAINS/MASQ/ROUTING Help!

2000-11-26 Thread Paul

On Sun, 26 Nov 2000, Melvin C. Etheridge wrote:

I setup my linux box using the "Home-Network-Howto" and everything is
working great using ipchains and ipmasq.  I'm using 2 nic cards, one
with a public addy and one with a private addy.

What I need to do is pass several of my public ip's thru the linux box
to servers on my private network.  The servers have to have the public
ip assigned to them.

Have a look at http://mandrakeuser.org and search for masquerading. It is
in the PPP section. You should get your machines running with the info
there, it worked for me too :)

Paul

-- 
No matter what scientists say about her,
she is still our beautiful moon.
(anonymous senryu)

http://nlpagan.net - ICQ 147208 - Registered Linux User 174403
 Linux Mandrake 7.2 - Pine 4.30





Re: [newbie] ipchains

2000-11-06 Thread Daniel J. Ferris

bascule wrote:
 
 hi dan, i've been deleting mail today so your message appears orphaned
 but i think you are replying to a mail i sent and i would like to
 thankyou for replying, you are right, i was confused initially about the
 transient nature of ipchains rules and needing to run the commands each
 boot,
 
 bascule
 
Yep ;-)

Dan




Re: [newbie] ipchains

2000-11-04 Thread bascule

thank you mark,

is there a simliar prog that you know of that might help me set up the
routing from my other machines so that i can access the internet from
them? simply setting up masquerading doesn't seem to do the trick, i
think this is to do with 'default gateways' but i confess the concept of
gateways confuses me

bascule

Mark Weaver wrote:
 
 Actually, as far as I've been able to assertain it doesn't matter where
 the actual "rules" are kept, however the executable script must be in
 root's path and must be executable by root. One of the easiest ways to
 learn about ipchains and how they work is to install and then study
 PMfirewall from pointman.org. Get this firewall setup and running and
 you will soon see how ipchains operates. It really takes the mystery out
 of ipchains.
 
 --
 Mark

   i am currently reading up about ipchains but i can find no info about
   where the rules/scripts are kept, all i can deduce is that one creates a
   script of any name and runs it at boot up - or whenever, is that right?
  
   bascule
  





Re: [newbie] ipchains

2000-11-04 Thread Eddie Torres

On Sat, 04 Nov 2000, you wrote:
 thank you mark,
 
 is there a simliar prog that you know of that might help me set up the
 routing from my other machines so that i can access the internet from
 them? simply setting up masquerading doesn't seem to do the trick, i
 think this is to do with 'default gateways' but i confess the concept of
 gateways confuses me
 
 bascule
 
 Mark Weaver wrote:
  
  Actually, as far as I've been able to assertain it doesn't matter where
  the actual "rules" are kept, however the executable script must be in
  root's path and must be executable by root. One of the easiest ways to
  learn about ipchains and how they work is to install and then study
  PMfirewall from pointman.org. Get this firewall setup and running and
  you will soon see how ipchains operates. It really takes the mystery out
  of ipchains.
  
  --
  Mark
 
i am currently reading up about ipchains but i can find no info about
where the rules/scripts are kept, all i can deduce is that one creates a
script of any name and runs it at boot up - or whenever, is that right?
   
bascule
   
 

Bascule,
  
   PMfirewall will setup IP Masq for you also.  You should only need this
program.

-- 
Eddie Torres
www.veloct.net




Re: [newbie] ipchains

2000-11-04 Thread Daniel J. Ferris

I use ipchains on 2 linux boxes I have here at home (no pmfirewall). There
is a pair of scripts, one called ipchains-save, the other
ipchains-restore.

If you write a bunch of firewall rulesets and you are happy, you can just
do something similar to:

ipchains-save > /etc/firewall

Then in one of the startup scripts, you can do this:

ipchains-restore < /etc/firewall

The actual ipchains rulesets are part of the Linux kernel, and exist in
the memory of the computer, so they will go away if you set them up and
then reboot or shutdown.  I had a bit of confusion about this myself when
I first started playing with ipchains, so it is understandable.

The two scripts, ipchains-save and ipchains-restore will parse the
firewall rulesets and determine which options you used when you set them
up.  Then they write the command line options to the standard output,
which you then redirect into a file.

Dan





Re: [newbie] ipchains

2000-11-03 Thread Marsden MacRae

bascule wrote:
 
 i am currently reading up about ipchains but i can find no info about
 where the rules/scripts are kept, all i can deduce is that one creates a
 script of any name and runs it at boot up - or whenever, is that right?
 
 bascule

My ipchains is stored in /sbin

Marsden




Re: [newbie] ipchains

2000-11-03 Thread Mark Weaver

Actually, as far as I've been able to ascertain it doesn't matter where
the actual "rules" are kept, however the executable script must be in
root's path and must be executable by root. One of the easiest ways to
learn about ipchains and how they work is to install and then study
PMfirewall from pointman.org. Get this firewall setup and running and
you will soon see how ipchains operates. It really takes the mystery out
of ipchains.

-- 
Mark

Larry is NOT a cucumber...he's a stinkin pickle...
WITH WARTS!

  registered linux user # 182496
=/\= PINE 4.21 =/\=
**

Surprisingly on Sat, 4 Nov 2000 stephen had this to say!

 no that is incorrect 
 you might need to read in the ipchains or firewall how to 
 stephen 
 
 - Original Message - 
 From: "bascule" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Saturday, November 04, 2000 11:02 AM
 Subject: [newbie] ipchains
 
 
  i am currently reading up about ipchains but i can find no info about
  where the rules/scripts are kept, all i can deduce is that one creates a
  script of any name and runs it at boot up - or whenever, is that right?
  
  bascule
  
  
 
 
 





[newbie] ipchains / pmfirewall problem, and Re: OT American politics

2000-09-30 Thread Renaud OLGIATI

On Sat, 30 Sep 2000, [EMAIL PROTECTED] wrote:
 Oh, if it were as simple as that to get away from U.S. politics.  -Gary-
 
 In a message dated 9/30/2000 2:27:29 PM Eastern Daylight Time, 
 [EMAIL PROTECTED] writes:
 
  I'm thinking about moving to Canada.

I moved to the depth of Darkest Paraguay, and I still receive all kinds of
US-politics related rubbish.

The flip side of easy communications I suppose.

Now, to come back on topic, I have installed pmfirewall.

Since then, the only way I can get an answer to ping 192.168.1.2 (other
machine on my LAN) is to do an ipchains -F; otherwise ping does not receive
any packets.

Which port I have blocked by mistake ?

TIA,

Ron the Frog, on the sunny banks of the Paraguay River
Going to Summer Time tommorrow, newspaper advised us
today to set our clocks and watches forward by 24 hours..
-- 
 
  Any sufficiently advanced technology
  is indistinguishable from magic.
   -- Arthur C. Clarke
 
  ---  http://personales.conexion.com.py/~rolgiati  ---
 




[newbie] ipchains and ssh

2000-09-27 Thread george . f . workman


Hello,

My first post on the newbie list...

I have been struggling for some time to get SSH to work on my Linux box
(2.2.13-4mdk : Mandrake 6.1).
I believe I finally have it up and running, because I am able to create a
SSH connection from/to the machine itself.

What I can't seem to manage is to make a SSH connection from an external
machine (I work in DC, Linux box is at home in OH).   I am trying using
FiSSH and I repeatedly get "Failed to Connect to Host."

Now, I do have a firewall up, and it is a pretty basic one in order to
provide IP-Masquerading (which works!), so I thought
maybe my problem was simply that the firewall wasn't letting the connection
to port 22.  So, after extensive research I felt
that what I needed to add was a couple rules to allow the connection in,
and I tried to add something like this (and other
similar variations):

ipchains -A input -p tcp -s xxx.xxx.com -d yyy.yyy.yyy.yyy 22 -j ACCEPT
ipchains -A output -p tcp -d xxx.xxx.com -d yyy.yyy.yyy.yyy 22 -j ACCEPT

But it isn't working - and I think my problem lies with xxx.xxx.com and
yyy.yyy.yyy.yyy (the source and destination addresses).

1.  I don't exactly know the source IP address for where I'm at, so is it
acceptable to use xxx.xxx.com instead?
2.  I have a variable IP - so how the heck do I populate yyy.yyy.yyy.yyy
with my current IP address if I don't even know it?

For #2 - I've seen some people use $IPADDR which is all well and good, but
I don't know how to populate that variable without simply hardcoding and
that just presents the same problem again.

In addition, I typed in the ipchains commands (both above) at the command
prompt and used what my IP address is currently and I still couldn't
connect to it remotely via SSH.  So now my entire solution has been
undermined.

Any suggestions?

Thanks,
George





Re: [newbie] ipchains and ssh

2000-09-27 Thread Daniel J. Ferris

At 08:11 AM 9/27/00 -0500, you wrote:

Hello,

My first post on the newbie list...

I have been struggling for some time to get SSH to work on my Linux box
(2.2.13-4mdk : Mandrake 6.1).
I believe I finally have it up and running, because I am able to create a
SSH connection from/to the machine itself.

What I can't seem to manage is to make a SSH connection from an external
machine (I work in DC, Linux box is at home in OH).   I am trying using
FiSSH and I repeatedly get "Failed to Connect to Host."

Now, I do have a firewall up, and it is a pretty basic one in order to
provide IP-Masquerading (which works!), so I thought
maybe my problem was simply that the firewall wasn't letting the connection
to port 22.  So, after extensive research I felt
that what I needed to add was a couple rules to allow the connection in,
and I tried to add something like this (and other
similar variations):

ipchains -A input -p tcp -s xxx.xxx.com -d yyy.yyy.yyy.yyy 22 -j ACCEPT
ipchains -A output -p tcp -d xxx.xxx.com -d yyy.yyy.yyy.yyy 22 -j ACCEPT

But it isn't working - and I think my problem lies with xxx.xxx.com and
yyy.yyy.yyy.yyy (the source and destination addresses).

1.  I don't exactly know the source IP address for where I'm at, so is it
acceptable to use xxx.xxx.com instead?
2.  I have a variable IP - so how the heck do I populate yyy.yyy.yyy.yyy
with my current IP address if I don't even know it?

For #2 - I've seen some people use $IPADDR which is all well and good, but
I don't know how to populate that variable without simply hardcoding and
that just presents the same problem again.

In addition, I typed in the ipchains commands (both above) at the command
prompt and used what my IP address is currently and I still couldn't
connect to it remotely via SSH.So now my entire solution has been
undermined.

Any suggestions?

Thanks,
George



I have the exact same setup as you do (almost) and ssh works from anywhere.

I just did this

ipchains -A input -p tcp -d xxx.xxx.xxx.xxx 22 -j ACCEPT

If you are really concerned about the source address, try using the ip 
address instead of the hostname/DNS name, because it may resolve to 
something unexpected.

As you can see, in my example, I wasn't concerned with the source 
address.  Only the destination address and port number.

Dan
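
For the variable-IP question in this thread (how to fill in $IPADDR without hard-coding it), an added example that is not part of any post: read the current address from ifconfig output each time the interface comes up and build the port 22 rule shown above from it. The function names, the ppp0 interface name and the sample ifconfig text are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example: derive the firewall's current address from ifconfig output
# instead of hard-coding it, then print the matching ipchains rule.

# Constructed sample of `ifconfig ppp0` output (documentation addresses).
SAMPLE_PPP0='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Read ifconfig output on stdin and print the interface's IPv4 address.
# Accepts both the older "inet addr:A.B.C.D" and the newer "inet A.B.C.D"
# layouts; "inet6" lines do not match because of the space after "inet".
inet_addr_from_ifconfig() {
    sed -n 's/^.*inet \(addr:\)\{0,1\}\([0-9][0-9.]*\).*$/\2/p' | head -n 1
}

# Succeed only for a dotted quad with four octets in 0..255, so that an
# empty or garbled value never ends up inside a firewall rule.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    rest=$1.
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read ifconfig output on stdin and print the rule that accepts inbound SSH
# to whatever address the interface holds right now.
ssh_accept_rule() {
    addr=$(inet_addr_from_ifconfig)
    is_ipv4 "$addr" || {
        echo "ssh_accept_rule: no IPv4 address found (is the link up?)" >&2
        return 1
    }
    echo "ipchains -A input -p tcp -d $addr 22 -j ACCEPT"
}

# On a live system (interface name is an assumption):
#   IPADDR=$(ifconfig ppp0 | inet_addr_from_ifconfig)
#   ifconfig ppp0 | ssh_accept_rule
printf '%s\n' "$SAMPLE_PPP0" | ssh_accept_rule
```

A rule built this way matches only the address that was current when it was generated, so the script has to run again whenever the address changes.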





Re: [newbie] ipchains and ssh

2000-09-27 Thread george . f . workman



Dan,

I took out the source address and I'm still not able to connect.  In your
example, I assume you have a genuine
IP address in place of xxx.xxx.xxx.xxx.  Do you have a static IP then?

Of course, I'm also starting to wonder if I'm barking up the wrong tree
here and maybe I have something else wrong elsewhere.   Any generic ideas
on what to check to make sure ssh works?  And if I can get out the server
here with
telnet, I should be able to get out with ssh also, right?

Thanks,
George



"Daniel J. Ferris" [EMAIL PROTECTED] (Mailed by:
[EMAIL PROTECTED])
09/28/2000 08:58 AM CST
Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:
Subject:  Re: [newbie] ipchains and ssh


At 08:11 AM 9/27/00 -0500, you wrote:

Hello,

My first post on the newbie list...

I have been struggling for some time to get SSH to work on my Linux box
(2.2.13-4mdk : Mandrake 6.1).
I believe I finally have it up and running, because I am able to create a
SSH connection from/to the machine itself.

What I can't seem to manage is to make a SSH connection from an external
machine (I work in DC, Linux box is at home in OH).   I am trying using
FiSSH and I repeatedly get "Failed to Connect to Host."

Now, I do have a firewall up, and it is a pretty basic one in order to
provide IP-Masquerading (which works!), so I thought
maybe my problem was simply that the firewall wasn't letting the
connection
to port 22.  So, after extensive research I felt
that what I needed to add was a couple rules to allow the connection in,
and I tried to add something like this (and other
similar variations):

ipchains -A input -p tcp -s xxx.xxx.com -d yyy.yyy.yyy.yyy 22 -j ACCEPT
ipchains -A output -p tcp -d xxx.xxx.com -d yyy.yyy.yyy.yyy 22 -j ACCEPT

But it isn't working - and I think my problem lies with xxx.xxx.com and
yyy.yyy.yyy.yyy (the source and destination addresses).

1.  I don't exactly know the source IP address for where I'm at, so is it
acceptable to use xxx.xxx.com instead?
2.  I have a variable IP - so how the heck do I populate yyy.yyy.yyy.yyy
with my current IP address if I don't even know it?

For #2 - I've seen some people use $IPADDR which is all well and good, but
I don't know how to populate that variable without simply hardcoding and
that just presents the same problem again.

In addition, I typed in the ipchains commands (both above) at the command
prompt and used what my IP address is currently and I still couldn't
connect to it remotely via SSH.So now my entire solution has been
undermined.

Any suggestions?

Thanks,
George



I have the exact same setup as you do (almost) and ssh works from anywhere.

I just did this

ipchains -A input -p tcp -d xxx.xxx.xxx.xxx 22 -j ACCEPT

If you are really concerned about the source address, try using the ip
address instead of the hostname/DNS name, because it may resolve to
something unexpected.

As you can see, in my example, I wasn't concerned with the source
address.  Only the destination address and port number.

Dan







RE: [newbie] ipchains

2000-09-15 Thread Yacketta,Ronald J

would not a virtual nic work here?
eth0:1, eth0:2 etc..??


=-Original Message-
=From: Adrian Wildey [mailto:[EMAIL PROTECTED]]
=Sent: Friday, September 15, 2000 4:01 PM
=To: [EMAIL PROTECTED]
=Subject: [newbie] ipchains
=
=
=Hi,
=
=I am currently setting up ipchains with masquerading server to replace
=our existing Novell BorderManager firewall. I have got the filters and
=masquerading working but there is one issue I can't find any 
=info on :-(
=
=BorderManager allows multiple IP address to be assigned to the public
=NIC eg 123.1.1.1, 123.1.1.2, 123.1.2.3 etc.
=A static translation can be set up so that 123.1.1.2 points to private
=address 192.4.5.6 (email server) and 123 1.1.3 points to 
=192.4.5.9 (web
=server) whilst  masquerading is done on 123.1.1.1. This allows the
=public servers to be kept on the private LAN and not in a DMZ.
=My question is can IPCHAINS do the same
=
=Regards
=Adrian Wildey
=




Re: [newbie] Ipchains - i have a question...

2000-08-16 Thread root

with ipchains i would like to take all incoming traffic on port 21 and send it
to a particular machine on my network. my linux box is mandrake 7.1 and i have 2
nic's in it. PMFirewall is installed and working smoothly, no problems there.

anyone know the syntax? i was reading through but its a lot to take in for a
newb like me.

ipchains -A input -s $REMOTENET -d $OUTERNET 21 -j ACCEPT

well this didn't exactly work, i'm not sure what $OUTERNET is in comparison to
$REMOTENET well, can anyone help please? and yes i am about to try to join
pmfirewall list but this is still ipchains stuff...

thanks


On Tue, 08 Aug 2000, you wrote:
 
 Hi Kelly...
 
 You will need a dialer program like kppp to dial your modem.  You use ipchains to 
prevent users-hackers- (outside of your network) from using your resources through 
your dialup connection.
 
 Best of luck!
 
 Steve Weltman
   - Original Message - 
   From: Kelly 
   To: [EMAIL PROTECTED] 
   Sent: Sunday, August 06, 2000 1:06 PM
   Subject: [newbie] Ipchains
 
 
   Is there a way to make ipchains dial (modem) on demand?
   I want to set up a server to dial and log into my isp when ever we open a browser 
or email.
   Thanks
   kelly
 
   Visit my web site
   Kelly's Vikings page
   http://www.mnsports.addr.com
 







[newbie] IPChains

2000-08-10 Thread C Nielsen

With Mandrake 7.1 I see Ipchains is started with the other startup items now.
The question I have is where do the rules get put and does it get read when the
chains are loaded?

C Nielsen




Re: [newbie] Ipchains

2000-08-10 Thread Greg Stewart



ipchains doesn't do the dialing... pppd does.

You can try to add the following lines to your /etc/ppp/options file if the
kernel compiled on your system supports demand dial (it probably does):

# To set the daemon for demand dialing
demand
# To satisfy an IP address until DHCP assigns one
:10.0.0.0
# To set a default time-out to close connection on inactivity
idle 500 # in seconds = 5 minutes

This caused problems on my home LAN when the masqued machines attempted to
open the connection (authentication failed, for some reason and I haven't had
the time to figure out why)...But triggering the connection from the firewall
was successful without a glitch.

There's also the diald daemon, which I believe takes the place of a firewall &
sets ipchains & masquerading as well as listens for outgoing packets and
manages them. The only thing was, it seemed a bit fidgety to install, so I
didn't bother with it.

--Greg



  - Original Message -
  From: Kelly
  To: [EMAIL PROTECTED]
  Sent: Sunday, August 06, 2000 1:06 AM
  Subject: [newbie] Ipchains

  Is there a way to make ipchains dial (modem) on demand?
  I want to set up a server to dial and log into my isp when ever we open a
  browser or email.
  Thanks
  kelly

  Visit my web site
  Kelly's Vikings page
  http://www.mnsports.addr.com


Re: [newbie] Ipchains

2000-08-10 Thread Steve Weltman



Hi Kelly...

You will need a dialer program like kppp to dial your modem. You use ipchains
to prevent users-hackers- (outside of your network) from using your resources
through your dialup connection.

Best of luck!

Steve Weltman

  - Original Message -
  From: Kelly
  To: [EMAIL PROTECTED]
  Sent: Sunday, August 06, 2000 1:06 PM
  Subject: [newbie] Ipchains

  Is there a way to make ipchains dial (modem) on demand?
  I want to set up a server to dial and log into my isp when ever we open a
  browser or email.
  Thanks
  kelly

  Visit my web site
  Kelly's Vikings page
  http://www.mnsports.addr.com


[newbie] IpChains for confused Newbie :)

2000-05-11 Thread James McLaughlin

I just went through exactly what you are going through now. First thing to
do is check out this whoop ass page on LinuxNewbie.org

http://www.linuxnewbie.org/nhf/intel/network/ipchains2.html

The template that they give is your basic rc.firewall file and I have seen
umpteen times on linux boxes since then.  Weird thing is ...there is already
a rc.firewall installed on my linux Box with this text in it.
interlude

###
# Mandrake-Security : if you remove this comment, remove the next line too.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

#
I was wondering if anyone knew exactly what that did since we are on the
subject.
/interlude

They give you a simple break down to get it working.  If you don't feel like
farting around with another "walk-through" (although its damn good) try
typing this at the command prompt for generic purposes...just to see if you
can get it working with your machine as is.

# echo "1" > /proc/sys/net/ipv4/ip_forward  ---This will enable IP forwarding.
# ipchains -P forward DENY  -- ?
# ipchains -A forward -s 192.168.0.0/24 -j MASQ --- ?

This will not make the ipchains perm but its good for testing the concept
and to see if your machine is capable as is...instead of having to recompile
and all that

Although I do not fully understand all of the options that can be applied
with IP chains...I have been working on this for about 3 weeks, and finally
got it working on Monday.  Its all I have been working on since then.


I am guessing that your "router/gateway/firewall/buffass linux box" is
sitting at 192.168.0.1 and you have assigned fake IP's to your Win98 boxes
like 192.168.0.2+

If you have any more questions about this feel free to pass them back..I am
still working with it, and it would be great to have a few more people
working on it with me...like that whole OPen Source thing we hear about all
the time...
hehehhhe


Kat


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 11, 2000 9:23 AM
To: [EMAIL PROTECTED]
Subject: [newbie] ip chains (newbie confusion)


I have been setting up a samba server with adsl connected
to several win98 boxes.  I was told that to share the dsl
connection all I had to do was set up IP chains.  I then
downloaded the current ip chains howto and am now completely
lost.  I read the first 4 chapters right up to where you set
up the win98 boxes.  Do I have to recompile the Kernel (I
have never done this before); I am running mandrake 7.02.
I was assuming that the IP chains was already built in.  Is
there an easy way to set it up?  I don't mind recompiling but
could use any suggestions or help that anyone could put
forward.

Thanx in advance

Mike







Re: [[newbie] IPCHAINS/MASQ/FORWARDING]

2000-03-26 Thread Jaguar

Mike Fieschko [EMAIL PROTECTED] wrote:
  "Jaguar" == Jaguar  [EMAIL PROTECTED] writes:
 
 Jaguar I wrote to the list a few days ago, asking for some
 Jaguar help...the _ONLY_ reply I got was, RTFM...well I have
 Jaguar RTFM's till I am more confused.  I wanted to know if in
 Jaguar MDK7.02, IPV4 is compiled in the default install kernel,
 Jaguar or if I have to recompile with IPV4 enabled???  How
 
 [snip]
 
 Is there a directory
 
 /proc/sys/net/ipv4
 
 on your box?  If yes, what's in it?  What are the files' contents?
 
 Have you checked what the defaults are when you try to compile a
 kernel?
 

yes there is a /proc/sys/net/ipv4
it has DIRS for /conf  /neigh /route, and a buncha other files
no I didn't compile a kernel 

 There are many options for IP, and experimental support for IPv6.
 
 What specifically are you looking for with IPv4

I want to share my cable modem with 3 other Win boxes and use Linux as a
firewall/proxy

 
 Jaguar I have run the /proc/(something's??)/ip_chains, and got
 Jaguar PERMISSION DENIED and yes as ROOT.
 
 I don't understand this.  What command did you run?  Doing 
 
 'find /proc/ -name ip_chains' on my machine returns no matches.  Were
 you doing
 
 'echo 1 > /proc/sys/net/ipv4/ip_forward'  ?

yes
it gave a PERMISSION DENIED

 
 -- 
 Mike Fieschko, West Orange, NJ, USA
 X-Mailer: VM 6.75 under 21.1.8 XEmacs and random-sig.el
 Kernel 2.2.15-0.16mdk
 http://www.viconet.com/fieschko/home.htm
 Mar 26 St Margaret Clitherow
 "It is terrible to contemplate how few politicians are hanged." -
 [G.K. Chesterton, in The Cleveland Press, 3/1/21]



Get your own FREE, personal Netscape WebMail account today at 
http://webmail.netscape.com.




Re: [[newbie] IPCHAINS/MASQ/FORWARDING]

2000-03-26 Thread Mike Fieschko

 "Jaguar" == Jaguar  [EMAIL PROTECTED] writes:

[snip]

Jaguar yes there is a /proc/sys/net/ipv4 it has DIRS for /conf
Jaguar /neigh /route, and a buncha other files no I didn't
Jaguar compile a kernel

 There are many options for IP, and experimental support for
 IPv6.
 
 What specifically are you looking for with IPv4

Jaguar I want to share my cable modem with 3 other Win boxes and
Jaguar use Linux as a firewall/proxy

There ought to be a how-to on this, because so many people with high
speed connections ask about it.

You need to set up ip masquerading, as you already know.  You need the
MS Win boxes to be talking tcp/ip, as you know.

For cable modem sharing:
http://www.cablemodeminfo.com/cablesharing.html

(I found that site from among the matches returned by
http://www.google.com/linux , searching on "cable modem sharing".)

Take a look at http://www.enteract.com/~lspitz/linux.html (the
Preparing your linux box for the Internet site [security]) and the
ipchains-howto, which ought to be on your box.  I have some links to
scripts and other things at
http://www.viconet.com/fieschko/linux_security.htm.

Unless the modules are already loaded, you'll need to modprobe them:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe ip_masq_autofw
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_mfw
/sbin/modprobe ip_masq_portfw
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_vdolive

(This is probably excessive.)

Jaguar I have run the /proc/(something's??)/ip_chains, and got
Jaguar PERMISSION DENIED and yes as ROOT.
  I don't understand this.  What command did you run?  Doing
 
 'find /proc/ -name ip_chains' on my machine returns no matches.
 Were you doing
 
 'echo 1 > /proc/sys/net/ipv4/ip_forward' ?

Jaguar yes it gave a PERMISSION DENIED

Bizarre.  On my box /proc/sys/net/ipv4/ip_forward is owned by root in
group root, and for ip masquerading, I have to do 'echo 1 >
/proc/sys/net/ipv4/ip_forward' as root, and it works.  If I do it as
non-root, I get 'bash: /proc/sys/net/ipv4/ip_forward: Permission
denied'

-- 
Mike Fieschko, West Orange, NJ, USA
X-Mailer: VM 6.75 under 21.1.8 XEmacs and random-sig.el
Kernel 2.2.15-0.17mdk
http://www.viconet.com/fieschko/home.htm
Mar 27 St John Damascene
"Blasphemy is an artistic effect, because blasphemy depends upon a
philosophic conviction.  Blasphemy depends upon belief and is fading
with it.  If any one doubts this, let him sit down seriously and try
to think blasphemous thoughts about Thor.  I think his family will
find him at the end of the day in a state of some exhaustion."
[G.K. Chesterton, in Heretics]




[newbie] IPCHAINS/MASQ/FORWARDING

2000-03-25 Thread Mike Fieschko

 "Jaguar" == Jaguar  [EMAIL PROTECTED] writes:

Jaguar I wrote to the list a few days ago, asking for some
Jaguar help...the _ONLY_ reply I got was, RTFM...well I have
Jaguar RTFM's till I am more confused.  I wanted to know if in
Jaguar MDK7.02, IPV4 is compiled in the default install kernel,
Jaguar or if I have to recompile with IPV4 enabled???  How

[snip]

Is there a directory

/proc/sys/net/ipv4

on your box?  If yes, what's in it?  What are the files' contents?

Have you checked what the defaults are when you try to compile a
kernel?

There are many options for IP, and experimental support for IPv6.

What specifically are you looking for with IPv4

Jaguar I have run the /proc/(something's??)/ip_chains, and got
Jaguar PERMISSION DENIED and yes as ROOT.

I don't understand this.  What command did you run?  Doing 

'find /proc/ -name ip_chains' on my machine returns no matches.  Were
you doing

'echo 1 > /proc/sys/net/ipv4/ip_forward'  ?

-- 
Mike Fieschko, West Orange, NJ, USA
X-Mailer: VM 6.75 under 21.1.8 XEmacs and random-sig.el
Kernel 2.2.15-0.16mdk
http://www.viconet.com/fieschko/home.htm
Mar 26 St Margaret Clitherow
"It is terrible to contemplate how few politicians are hanged." -
[G.K. Chesterton, in The Cleveland Press, 3/1/21]




[newbie] IPCHAINS/MASQ/FORWARDING

2000-03-24 Thread Jaguar

I wrote to the list a few days ago, asking for some help...the _ONLY_ reply I
got was, RTFM...well I have RTFM's till I am more confused.  I wanted to know
if in MDK7.02, IPV4 is compiled in the default install kernel, or if I have to
recompile with IPV4 enabled??? 
How pucking hard is it to tell me yes or no???  
I have run the /proc/(something's??)/ip_chains, and got PERMISSION DENIED ,
and yes as ROOT.
Is there a HOWTO posted on installing/setting up IPCHAINS for sharing a cable
modem over a network?
Jaguar






Re: [newbie] IPCHAINS/MASQ/FORWARDING

2000-03-24 Thread BryanMoorehead



Hi,

Here is the VERY END of my /etc/rc.d/rc.local  entry that handles this..


/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward



If you are getting permission denied, make sure ROOT has RW . You may need
to actually create the file first by??

touch /proc/sys/net/ipv4/ip_forward


I too, am using my cable modem for shared access.  It may possibly be that you
need to change perms on ipchains.  This worked
without modification on all my prev. Mandrake installs, but I know for whatever
reason, no two setups are ever the same!!


Hope this helps!


Bryan







Jaguar [EMAIL PROTECTED] on 03/24/2000 10:52:38 AM

Please respond to [EMAIL PROTECTED]

To:   Linux Newbie [EMAIL PROTECTED]
cc:(bcc: Bryan Moorehead/Link/Allied Holdings)
Subject:  [newbie] IPCHAINS/MASQ/FORWARDING




I wrote to the list a few days ago, asking for some help...the _ONLY_ reply I
got was, RTFM...well I have RTFM's till I am more confused.  I wanted to know
if in MDK7.02, IPV4 is compiled in the default install kernel, or if I have to
recompile with IPV4 enabled???
How pucking hard is it to tell me yes or no???
I have run the /proc/(something's??)/ip_chains, and got PERMISSION DENIED ,
and yes as ROOT.
Is there a HOWTO posted on installing/setting up IPCHAINS for sharing a cable
modem over a network?
Jaguar












[newbie] ipchains inaccurate byte report?

2000-02-12 Thread Alek

Hello,
I'm masquerading some friends of mine to get them on the internet over my
modem. I use ipchains command to make the chains. Everything works ok
except for the:
ipchains -L -v command which returns about 20 times smaller values for
their transfers than in reality. If I have an overall bytes in of
4.000.000 (as shown in the kppp dialer), I get 200.000 bytes from the
ipchains even if I don't transfer a byte. So all my transfer should be
theirs. Has anybody noticed that or am I doing something wrong?
Alek



[newbie] ipchains and ip_fw.c

1999-11-20 Thread James Lewis

On the ipchains home page, there is an alert regarding fragmented packets
and ipchains.

I need to know if this bug affects Mandrake 6.0 (2.2.9) - as there is a
patch supplied for 2.2.10 but not 2.2.9

Any help appreciated.

James Lewis
[EMAIL PROTECTED]



[newbie] IPCHAINS

1999-10-08 Thread Lambert, Stephen : CO IR

I am trying to only allow 10 users httpd & telnet access to my company web
server(Linux-Mandrake 6.0 with Apache).
Right now the whole company has access to my web server. I tried to lock the
server down with httpd.conf, but gave up when I couldn't get it to work at
the ip level(it works no problem at the subnet level, however I need to lock
out some users at the same subnet level).
 
I have decided that ipchains may be my best option.

The web server ip =204.130.236.101
Example users = say 10.999.999.999 httpd
10.888.888.888 telnet
204.666.666.666 httpd
204.555.555.555 telnet 


I just installed the rpm for ipchains. The file /proc/net/ip_fwchains is
empty.
And ipchains is setup as: 
Chain input(policy ACCEPT)
Chain forward(policy ACCEPT)
Chain output(policy ACCEPT)

Questions:
1.) Is the first step to add the following lines to file
/proc/net/ip_fwchains? :
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y

2.) How do I first deny all telnet and httpd traffic? Assuming that a rule
for denying is the first step!

3.) How does one go about only allowing 10 users to telnet & httpd? With
separate rules for telnet vs httpd? There will be more httpd users in
future.
Thanks for getting me started!



[newbie] Ipchains

1999-10-06 Thread Hugh Semmler

Hi I have a question, How do I check to make sure my firewall is loaded
and running when I start my box up? I know this is a dumb question, but
I can't think of the answer

TIA
Hugh




 --
The objective of all dedicated employees should be to thoroughly
analyze all situations, anticipate all problems prior to their
occurrence, have answers for these problems, and move swiftly to solve
these problems when called upon.

However, When you are up to your ass in alligators it is difficult to
remind yourself your initial objective was to drain the swamp.



Re: [newbie] Ipchains

1999-10-06 Thread Civileme

Hugh Semmler wrote:

Well, it depends on your firewall...

If you are using ipchains, try

ipchains -L

in a console or an xterm or even as part of an initscript

also, test the file

/proc/net/sys/ipv4/ip_forward  which should contain a "1"

unless you are using an interface-specific activation file instead, then
test that one.

If you were really ambitious, you might even write a short Perl or Python
or tcl script to do that for you and call it from an initscript.

Civileme






 Hi I have a question, How do I check to make sure my firewall is loaded
 and running when I start my box up? I know this is a dumb question, but
 I can't think of the answer

 TIA
 Hugh

  --
 The objective of all dedicated employees should be to thoroughly
 analyze all situations, anticipate all problems prior to their
 occurrence, have answers for these problems, and move swiftly to solve
 these problems when called upon.

 However, When you are up to your ass in alligators it is difficult to
 remind yourself your initial objective was to drain the swamp.
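
The boot-time check suggested in the reply above, written in shell rather than Perl, Python or tcl, and covering the settings from the masquerading messages on this page (forward policy DENY, a MASQ rule, ip_forward, and the rp_filter line from rc.firewall). This is an added example, not code from any post in the thread; the function names and the sample listing are constructed, and the /proc paths are the ones written in the rc.firewall and ip_forward commands quoted elsewhere on this page.

```shell
#!/bin/sh
# Added example (not from the thread). Live use from an initscript:
#   f=$(mktemp) && ipchains -L -n > "$f"
#   check_gateway "$f" /proc/sys/net/ipv4/ip_forward \
#                 /proc/sys/net/ipv4/conf/all/rp_filter

# Print the forward chain's policy from `ipchains -L -n` text on stdin.
forward_policy() {
    sed -n 's/^Chain forward *(policy \([A-Z]*\)).*/\1/p'
}

# Count MASQ rules inside the forward chain only (not input/output).
masq_rule_count() {
    awk '/^Chain /              { in_fwd = ($2 ~ /^forward/) }
         in_fwd && $1 == "MASQ" { n++ }
         END                    { print n + 0 }'
}

# check_gateway LISTING IP_FORWARD RP_FILTER   (three file paths)
# Prints one line per problem; returns 0 only when nothing is wrong.
check_gateway() {
    rc=0
    policy=$(forward_policy < "$1")
    [ "$policy" = "DENY" ] ||
        { echo "forward policy is '${policy:-unknown}', expected DENY"; rc=1; }
    [ "$(masq_rule_count < "$1")" -gt 0 ] ||
        { echo "no MASQ rule in the forward chain"; rc=1; }
    # Without ip_forward=1 the kernel does not route the LAN's packets.
    [ "$(cat "$2" 2>/dev/null)" = "1" ] || { echo "ip_forward is not 1"; rc=1; }
    # rp_filter=1 drops packets whose source address is not routable back
    # through the interface they arrived on (spoofed-source protection).
    [ "$(cat "$3" 2>/dev/null)" = "1" ] || { echo "rp_filter is not 1"; rc=1; }
    return "$rc"
}

# Constructed sample in the layout `ipchains -L -n` prints.
SAMPLE_LISTING='Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT):'

# Demo on constructed files: forwarding on, rp_filter off.
d=$(mktemp -d)
printf '%s\n' "$SAMPLE_LISTING" > "$d/listing"
echo 1 > "$d/ip_forward"; echo 0 > "$d/rp_filter"
check_gateway "$d/listing" "$d/ip_forward" "$d/rp_filter" || echo "gateway NOT ready"
rm -rf "$d"
```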



[newbie] ipchains question.

1999-07-27 Thread Beacham Tim P

I have installed LM as firewall for a company that was using NT proxy.
All IP from the private network routes out fine except they can no longer
receive exchange email from internet senders.   The exchange server is on a
private IP number (192.168.0.2) behind the firewall as it was with the proxy
server before.   I am not familiar with Exchange server (and I do not expect
anyone here to be...) but is this just a port forwarding thing for SMTP
traffic??? If so, how does one port forward with ipchains? I assume
that I would forward the smtp port to my NT server right?

Thanks!
---
Beach ¤ [EMAIL PROTECTED]
No, try not.. do, or do not.. there is no try.   -Yoda