dp -s 192.168.1.0/24 -d 189.174.135.110
--dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
All the guides only use these two rules:
I'm just worried that they use 192.168.1.0/24 because normally I see a
lot of iptables blocking this IP range for security.
--- Original Message ---
On Sunday, December 26th, 2021 at 2:02 PM, Jörg Jellissen
wrote:
> Hello,
>
> I'm using nftables with wireguard and it runs perfectly.
>
> Don't fo
e most specific, secure and restrictive
iptables possible for a simple VPN connection on Debian. Could you
have a quick look if those are OK? Thanks so much!
VPN Server Port:1194
VPN Server IP: 189.174.135.110
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
#no fragmented packets
-A INPUT -f -j
Hello, I'm trying to make the most specific, secure and restrictive iptables
possible for a simple VPN connection on Debian. Could you have a quick look if
those are OK? Thanks so much!
VPN Server Port:1194
VPN Server IP: 189.174.135.110
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
On 2016-05-24 00:01, Ralph Sanchez wrote:
> Also, it seems if I only allow Related and Established on OUTPUT I
> cannot access the internet, 90 percent of packets get dropped when I
> try to connect to anything, but allowing new established allows
> connection...but also any software would be able
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source    destination
  140       DROP   all  --  *   *   0.0.0.0/0 0.0.0.0/0   ctstate INVALID
    0     0 DROP   icmp --  *   *   0.0.0.0/0 0.0.0.0/0   i
Also, it seems if I only allow Related and Established on OUTPUT I
cannot access the internet, 90 percent of packets get dropped when I
try to connect to anything, but allowing new established allows
connection...but also any software would be able to call home.
On Mon, May 23, 2016 at 5:28 PM, Ra
On 2016-05-23 23:28, Ralph Sanchez wrote:
> Thanks for the clarification : ) And you didn't confuse the two
> explicitly, but I wasn't sure if you were advising allow NEW,RELATED/
> NEW,ESTABLISHED or ESTABLISHED,RELATED on outbound packets, but now I
> know.
>
> I have read through quite a few ma
On 2016-05-23 22:32, Ralph Sanchez wrote:
> On Mon, May 23, 2016 at 4:13 PM, wrote:
>> On 2016-05-23 19:54, Ralph Sanchez wrote:
>>> Yes, this is a personal laptop. If you notice, I have default POLICY
>>> as DROP, which means if I don't accept on ports 80 and 443 I can't
>>> accept HTTPS and HTT
Thanks for the clarification : ) And you didn't confuse the two
explicitly, but I wasn't sure if you were advising allow NEW,RELATED/
NEW,ESTABLISHED or ESTABLISHED,RELATED on outbound packets, but now I
know.
I have read through quite a few manuals and online forums, although no
RFCs...I'm not re
On Mon, May 23, 2016 at 4:13 PM, wrote:
> On 2016-05-23 19:54, Ralph Sanchez wrote:
>> Yes, this is a personal laptop. If you notice, I have default POLICY
>> as DROP, which means if I don't accept on ports 80 and 443 I can't
>> accept HTTPS and HTTP, correct? I'm still learning how all this work
On 2016-05-23 19:54, Ralph Sanchez wrote:
> Yes, this is a personal laptop. If you notice, I have default POLICY
> as DROP, which means if I don't accept on ports 80 and 443 I can't
> accept HTTPS and HTTP, correct? I'm still learning how all this works,
> but that's what it seemed to me and was ex
-not-block-icmp
By the way, is this a non-server machine? If so, why do you care about
the ports 80 and 443?
On 2016-05-23 01:30, Ralph Sanchez wrote:
> Hello All, I have taken to writing this bash script to change my
> iptables rules. It seems the only issue I've found is that it see
I'm not saying knowing iptables is bad, but Shorewall is much
better than these kinds of things.
I think you may have some unlogged drops, that'd be the first
thing to check.
Ralph Sanchez wrote:
> Hello All, I have taken to writing this bash script to
> change my iptables
Hello All, I have taken to writing this bash script to change my
iptables rules. It seems the only issue I've found is that it seems to
not want to connect to certain websites at some moments and not
others, or generally but sometimes it lets it through without
changing anyt
Micky,
Let me understand what you want. Do you want some examples about the mangle
table, especially the command line that drops packets?
I usually drop packets with the filter table:
iptables -A INPUT -s "Source ip" -j DROP
All the best
2014-08-27 3:22 GMT-03:00 emmanuel segura
Hello,
Maybe you need to write in English.
2014-08-27 0:24 GMT+02:00 Micky :
>
> Greetings colleagues, I'm new on this list. I'm looking for something that tells me about the
> iptables mangle table and how to set it to DROP by default, but I can't find
> anything.
> If anyone has something like this c
Greetings colleagues, I'm new on this list. I'm looking for something that tells me about the
iptables mangle table and how to set it to DROP by default, but I can't find anything.
If anyone has something like this I would be grateful. Cheers and thanks in advance
##--Micky
Hello everyone.
I do have a VPS running services for me, such as:
-email server
-web server
-openvpn for remote connection
-ssh
the available speed is 10Mbps
up to now the system is protected by iptables and allows only the aforementioned
services and blocks the brute force attackers.
I have
Hi, David. Thank you for correcting a rule for OUTPUT chain.
I mean that I forgot to add ... -P OUTPUT ... policy. I have only
one network device - router. Is that what you mean by writing
*network devices*?
So, according to your opinion, I have to use the second rule, right?
(iptables -P OUTPUT
Hello,
Daniel Curtis wrote:
>
> I have a question about iptables and rules for OUTPUT
> chain. If I have a typical desktop without any services
> like SSH, Samba etc. it is better to use something like?;
>
> iptables -P DROP
> iptables -A OUTPUT -o eth0 -j ACCEPT
>
Your first example should be:
iptables -P OUTPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
The difference between both is simply that in the first example you only
allow outbound traffic going through your eth0 device.
If you would have multiple network devices you would still be dropping
Hi
I have a question about iptables and rules for OUTPUT
chain. If I have a typical desktop without any services
like SSH, Samba etc. it is better to use something like?;
iptables -P DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
or it does not matter and it could be a simple one rule;
iptables -P
Matthew Babcock wrote:
> On Thu, 2013-05-02 at 00:17 +0200, Pascal Hambourg wrote:
>> Hello,
>>
>> Matthew Babcock wrote:
>>> Please excuse the delayed response.
>> No problem.
>>
>>> To answer your question, no I cannot, yet.
>>>
On Thu, 2013-05-02 at 00:17 +0200, Pascal Hambourg wrote:
> Hello,
>
> Matthew Babcock wrote:
> > Please excuse the delayed response.
>
> No problem.
>
> > To answer your question, no I cannot, yet.
> >
> > However, I can demonstrate ipt
Hello,
Matthew Babcock wrote:
> Please excuse the delayed response.
No problem.
> To answer your question, no I cannot, yet.
>
> However, I can demonstrate iptables following what the "state" is on UDP
> packets using DNS.
[...]
> You should see as I do, that th
Please excuse the delayed response.
To answer your question, no I cannot, yet.
However, I can demonstrate iptables following what the "state" is on UDP
packets using DNS.
Example, add this to your firewall and resolve a FQDN.
"iptables -I INPUT 1 -p udp -m state --state EST
Rainer's experience matches the rule. ;-)
From the iptables man page:
multiport — This module matches a set of source or destination ports. Up to
15 ports can be specified. A port range (port:port) counts as two ports. It
can only be used in conjunction with -p tcp or -p udp.
On Wed, Apr 10, 2013 at 06:37:46AM +0200, helpermn wrote:
I've got a Linux box sitting between different local networks. I'd
like
to set up access policies between each network so I thought about a
zone
based firewall.
Use Shorewall.
And what problem does this solve?
Bastian
It solves all
On Wed, Apr 10, 2013 at 06:37:46AM +0200, helpermn wrote:
> >I've got a Linux box sitting between different local networks. I'd
> >like
> >to set up access policies between each network so I thought about a
> >zone
> >based firewall.
> Use Shorewall.
And what problem does this solve?
Bastian
I've got a Linux box sitting between different local networks. I'd
like
to set up access policies between each network so I thought about a
zone
based firewall.
Use Shorewall.
--
helpermn
firewalls for each network.
> I prefer to specify the allowed stuff depending on egress first and
> ingress second, it is pretty easy to understand.
That's what I do usually but this box sits between many networks and
therefore has many interfaces. I
> Also you want to use ferm
> Have you considered using RETURN instead of ACCEPT ?
> Something like:
>
># Traffic coming from the zones.
>-A FORWARD -i eth0 ZONE_MRKT_OUT
>-A FORWARD -i eth1 ZONE_SRV_OUT
>
># Traffic to the zones.
>-A FORWARD -o eth0 ZONE_MRKT_IN
>-A FORWARD -o eth1 ZONE_SRV_IN
>
>
ty easy to understand. Also you want to use
ferm for iptables-based packet filters. A filter for your problem done
in my usual style would look like this:
domain (ip ip6) table filter chain FORWARD {
outerface $servers {
interface $marketing {
proto tcp dport 22 REJECT;
ACCEPT;
* [Tue, Apr 09, 2013 at 05:41:39PM +0200] Jimmy Thrasibule:
I can change the rule order but this will not solve the problem.
Another solution would be to mark the packet and then check the mark at
the end to decide on whether to accept or reject. But how about
performance on a large set of rul
| Servers |---
-
Marketing wants to reach a server. However, marketing is very large on
its outgoing traffic (allows everything); on the server side, however, we
would reject any SSH connection coming from marketing.
Here are the iptables rules I would go for:
# Zones creation.
-N ZONE_MRKT
-N MRKT
Hi
Because I have been using iptables (1.4.14-3.1) for only a few weeks,
I would like to ask about the ipv4options module. By default,
this module is not available, right? So, do I have to install
xtables-addons package? This package is the successor of
so-called *patch-o-matic* and provides extra mo
Hi Pascal
If it does not matter, I will leave it as is. I mean rule with
conntrack state module instead of state. Okay, thank you
for the answer.
Best regards.
Matthew Babcock wrote:
>
>
> I know iptables -A INPUT -m state --state INVALID -j DROP works well.
> And it does pick out invalid (aka out of state) UDP packets. DNS is one
> additional example.
AFAIK, UDP packets cannot be in the INVALID state. Can you provide an
example of a
t
"-m conntrack --ctstate INVALID" does exactly the same as "-m state
--state INVALID". The connection tracking is not performed by either
module, their purpose is just to match the state of the packet, not to
decide what state the packet is in.
> I know, that in e.g. iptabl
6, 7 hours of
computer use, there are about 40-50 logged events. Maybe
more. I don't know if it is something wrong.
I know, that in e.g. iptables v1.4.16.3, state module is obsolete.
But this is just an example;
$ ... INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
WARNING: The stat
there are other settings to switch for RP filtering.
> Sorry, but I do not understand how to drop "out of state"
> packets with the INVALID rules.
>
Like you had before
-A INPUT -conntrac
I know iptables -A INPUT -m state --state INVALID -j DROP works well. And it
does
Hi Matthew
How can I use Reverse Path filtering in the kernel? You
mean this option, right?; /proc/sys/net/ipv4/conf/*/rp_filter
Sorry, but I do not understand how to drop "out of state"
packets with the INVALID rules.
My logs:
Apr 5 17:18:18 t4 kernel: [13107.296065] INVALID OUT: IN=
OUT=eth0
1) it depends on what you are calling "invalid"
2) same as above
I suggest you start by using Reverse Path filtering in the kernel, not in
iptables, and drop "out of state" packets with the INVALID rules.
What is in your logs?
On Apr 5, 2013, at 8:02, Daniel Curtis wrot
Hi
Matthew and Pascal;
So, what should I do to take care of INVALID packets? What is
"the best" method? I mentioned, that this system is for testing
purposes now, but in log files (e.g. kern.log, syslog) I see a lot
of INVALID packets logged - for both input and output connections.
Best regard
On Apr 4, 2013, at 18:58, Pascal Hambourg wrote:
> Hello,
>
> Daniel Curtis wrote:
>>
>> I would only ask about iptables (1.4.14-3.1) rule, which is responsible for
>> filtering INVALID packets. If I decide to use this rule;
>>
>>>> iptabl
Hello,
Daniel Curtis wrote:
>
> I would only ask about iptables (1.4.14-3.1) rule, which is responsible for
> filtering INVALID packets. If I decide to use this rule;
>
>>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Be aware that INVALID packets here
Hi David;
Thank you and sorry, because I forgot to mention, that I talked
about IP address spoofing protection. Sorry again. So, it seems,
that I'm in the right direction if it's about filtering; INVALID and
spoofing. For now, I will be using;
> iptables -A INPUT -m conntrack --ct
from your host itself on interfaces not
connected to that network.
http://www.cyberciti.biz/tips/linux-iptables-8-how-to-avoid-spoofing-and-bad-addresses-attack.html
I find the above link useful to give you more details on how to block bad
address attacks.
But there might be a whole lot more
s to these two questions; INVALID and spoofing -
according to you, which solution is best, good? Frankly, you already
answered to question about INVALID packet filtering and
suggested, that the first rule is okay. So what about antispoof?
My knowledge of iptables is not good, but I started to use
INPUT vs PREROUTING.
>
> Rules in the INPUT chain are meant to filter traffic going to the host
> itself, whereas the PREROUTING chain is to filter traffic being routed through
> your host.
>
> How familiar are you with iptables?
>
> Regards,
>
> David
>
>
> 201
stion with INPUT vs PREROUTING.
Rules in the INPUT chain are meant to filter traffic going to the host
itself, whereas the PREROUTING chain is to filter traffic being routed through
your host.
How familiar are you with iptables?
Regards,
David
2013/4/4 Daniel Curtis
> Hi David.
>
> Shou
Hi David.
Should be fine? So, you are not 100 percent sure? Okay, just
kidding (but who knows?) ;-)
Listen David, I have one more question regarding antispoof.
As we know, typical rule can look, more or less, this way;
> iptables -A INPUT -s 0.0.0.0/8 -j DROP etc.
But recently I came acr
>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Should be fine if you want to drop any INVALID packets, both tcp and udp
Kind Regards,
David
2013/4/4 Daniel Curtis
> Hi
>
> I would only ask about iptables (1.4.14-3.1) rule, which is responsible
> for filtering I
Hi
I would only ask about iptables (1.4.14-3.1) rule, which is responsible for
filtering INVALID packets. If I decide to use this rule;
>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
That's an example. By using this rule, iptables will also check tcp and udp
protocols
On Fri, Nov 16, 2012 at 04:09:56PM +0300, Vladimir Budnev wrote:
> 2012/11/16 Stephan Balmer :
> >> OS: debian testing, kernel 3.2.0-3-686-pae
> >>
> >> iptables -t filter -A OUTPUT --protocol tcp --dport 80 --match string
> >> --algo bm --from 0 --t
Hi All,
A few weeks ago, I gave a presentation on Netfilter, iptables and some
advanced features at my company. I figured it would be of interest to this list.
If you have any comment, please reply here, or to me directly.
http://jve.linuxwall.info/blog/index.php?post/2012/08/01/Netfilter-and
es that those tables are not active.
>>> # Munin accounting stuff
>>> /sbin/iptables -A INPUT -d $INET_ADDRESS
>>> /sbin/iptables -A OUTPUT -s $INET_ADDRESS
>> If the address is correct, these two rules set the host wide open
>> inbound and outbound, so I do no
osher to me, so I wonder why it's behaving like that:
>
> IMO it contains a number of inconsistencies and redundancies.
>
Pascal, thank you for your exhaustive review.
As I previously said, I "inherited" this firewall script from the IT guy
that came before me.
I'm trying t
inconsistencies and redundancies.
> #!/bin/sh
> IPT="/sbin/iptables"
> # Internet Interface
> INET_IFACE="venet0"
> INET_ADDRESS="xxx.xxx.xxx.xxx"
> # OpenVPN
> OV="172.16.0.0/16"
>
> # Localhost Interface
> LO_IFACE="lo"
>
On 16/02/12 11:36, Raven wrote:
> I probably should have mentioned this earlier, but my predecessor left
> me with a firewall script that, when launched, locks me out of the
> server.
I would recommend having a look at Shorewall rather than wrestle with
iptables scripts.
use the file
On Wed, 2012-02-15 at 19:25 +0100, Arturo Borrero Gonzalez wrote:
> 2012/2/15 Raven :
> > Hi guys.
> > I need some help in designing a simple iptables ruleset for a small
> > server I have recently set up.
> >
> > It's a VPS so the primary interface is venet0
> ## flush old rules
> iptables -F
> # rules
> iptables -t filter -A INPUT -i venet0 -d your_public_ip \
> -p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
> -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t filter -A INPUT -i venet0 -d your_ip \
> -p u
Hello,
Arturo Borrero Gonzalez wrote:
> 2012/2/15 Raven :
>> I need some help in designing a simple iptables ruleset for a small
>> server I have recently set up.
>>
>> It's a VPS so the primary interface is venet0 with a public ip. The
>> server also ru
debian.org
Sent: Wednesday, February 15, 2012 12:25:12 PM GMT -06:00 US/Canada Central
Subject: Re: Iptables example for mail/web/opevpn server
2012/2/15 Raven :
> Hi guys.
> I need some help in designing a simple iptables ruleset for a small
> server I have recently set up.
>
2012/2/15 Raven :
> Hi guys.
> I need some help in designing a simple iptables ruleset for a small
> server I have recently set up.
>
> It's a VPS so the primary interface is venet0 with a public ip. The
> server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
Hi guys.
I need some help in designing a simple iptables ruleset for a small
server I have recently set up.
It's a VPS so the primary interface is venet0 with a public ip. The
server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
There is obviously no need for NAT or packet forwa
Thank you again
- Original Message -
From: Eden Caldas
To: Javier Charne
Cc: debian-firewall@lists.debian.org
Sent: Wednesday, June 22, 2011 10:53 PM
Subject: Re: iptables
Since it's a dsl maybe the interface is ppp0 ? Check if this interface comes
up when you di
Manu,
You need to enable Packet forwarding and NAT. Considering your network
architecture these commands may do the trick:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -A FORWARD -s 10.20.30.0/24 -d 0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
If you
cesspoint Wifi : 10.20.30.3
> NAS server : 10.20.30.4
> MAO PC: 10.20.30.5
> laptop : 10.20.30.6
> IP phone : 10.20.30.7, 10.20.30.8, 10.20.30.9
> I can connect to lan machines but not to wan.
>
> cat /proc/sys/net/ipv4/ip_forward is 1
>
> What are routes I have to c
NAS server : 10.20.30.4
> MAO PC: 10.20.30.5
> laptop : 10.20.30.6
> IP phone : 10.20.30.7, 10.20.30.8, 10.20.30.9
> I can connect to lan machines but not to wan.
>
> cat /proc/sys/net/ipv4/ip_forward is 1
>
> What are routes I have to create with route command ?
> How can
.5
laptop : 10.20.30.6
IP phone : 10.20.30.7, 10.20.30.8, 10.20.30.9
I can connect to lan machines but not to wan.
cat /proc/sys/net/ipv4/ip_forward is 1
What are routes I have to create with route command ?
How can I route port 80 to 10.20.30.1 with iptables ?
thank you for your help !
Manu:
Check
lobally.
next three steps are iptables rules:
iptables -A FORWARD -i eth0 -o eth1 -m state --state
RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Next step is to configure the DHCP-server to propagate the IP
addresses to
ward is 1
>
> What are routes I have to create with route command ?
> How can I route port 80 to 10.20.30.1 with iptables ?
> thank you for your help !
>
> --
>
> KIND REGARDS
> Manu
>
> WEBSITES
> My official website (Manu-dpk.n
forward is 1
>
> What are routes I have to create with route command ?
Probably none. But maybe you missed the masquerading.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> How can I route port 80 to 10.20.30.1 with iptables ?
If you mean port forwarding of connections com
> cat /proc/sys/net/ipv4/ip_forward is 1
>
> What are routes I have to create with route command ?
Normally you shouldn't have to create any for that kind of setup.
Please post the output of "iptables -nL" and "iptables -t nat -nL".
> How can I routed 80 p
: 10.20.30.7, 10.20.30.8, 10.20.30.9
I can connect to lan machines but not to wan.
cat /proc/sys/net/ipv4/ip_forward is 1
What are routes I have to create with route command ?
How can I route port 80 to 10.20.30.1 with iptables
thank you Remzi
2011/4/1 Remzi AKYÜZ
> iptables -A INPUT -j allow
> iptables -A INPUT -j LOG --log-prefix="Dropped :"
>
> iptables -N allow
> iptables -A allow -p tcp -m multiport --dports http,https,domain -m
> conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEP
example;
iptables -A INPUT -j allow
iptables -A INPUT -j LOG --log-prefix="Dropped :"
iptables -N allow
iptables -A allow -p tcp -m multiport --dports http,https,domain -m
conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A allow -p udp --dport 63
iptables -P INPUT
hi,
2011/4/1 Flavio A. Reis :
> Hello,
> friends, can you log everything that iptables is blocking without logging
> the ACCEPT rules?
> Example:
> My Firewall has only opened the ports (80, 443, 53).
> Can you log all other connection attempts?
> Thanks
> att
sure.
- Set
Hello,
friends, can you log everything that iptables is blocking without logging
the ACCEPT rules?
Example:
My Firewall has only opened the ports (80, 443, 53).
Can you log all other connection attempts?
Thanks
att
2011/1/10 Sthu Deus :
> Good day.
>
>
> I want my iptables statistics, like the one I see w/
>
> /sbin/iptables -nvL
>
> survive reboot so that the new info is just added to the accumulated
> info. How can I achieve this?
iptables-save -c
"man iptables-save"
Good day.
I want my iptables statistics, like the one I see w/
/sbin/iptables -nvL
survive reboot so that the new info is just added to the accumulated
info. How can I achieve this?
And another question - OT: when necessary, how can I reset the
statistics? - The accumulated info? - I can
y a 'firewall' question, I expect the experts on
> iptables are on this list.
...
> I'm trying to get the following iptables command to work (response shown
> on lines 2 & 3):
> $ sudo iptables -v -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT
> --to-por
Chris,
I use something along the lines of the following to do a transparent proxy
via squid.
# Squid redirect
iptables -t nat -A PREROUTING -i bond0 -p tcp --src 192.168.0.0/16 \
--dport 80 -j DNAT --to 192.168.1.1:3128
# Don't think you need this one, it never sees a
On Thu, 21 Oct 2010 11:55:53 +0200, Pascal Hambourg
wrote:
> Hello,
>
> Julien Vehent wrote:
>> On Thu, 21 Oct 2010 01:33:13 +0100, Chris Haynes
>> wrote:
>>> $ sudo iptables -v -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT
>>> --to-port 8080
>
Hello,
Julien Vehent wrote:
> On Thu, 21 Oct 2010 01:33:13 +0100, Chris Haynes
> wrote:
>> $ sudo iptables -v -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT
>> --to-port 8080
>> REDIRECT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80 redir
>>
On Thu, 21 Oct 2010 01:33:13 +0100, Chris Haynes
wrote:
> $ sudo iptables -v -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT
> --to-port 8080
> REDIRECT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80 redir
> ports 8080
> iptables: No chain/target/match by that nam
* [Thu, Oct 21, 2010 at 01:33:13AM +0100] Chris Haynes:
Although not strictly a 'firewall' question, I expect the experts on
iptables are on this list.
Not an expert, anyway...
I have Debian lenny.
$ uname -r
2.6.32.21-m64-mb1
It isn't from a Debian package, is it?
$ s
Although not strictly a 'firewall' question, I expect the experts on
iptables are on this list.
I have Debian lenny.
$ uname -r
2.6.32.21-m64-mb1
I'm trying to get the following iptables command to work (response shown
on lines 2 & 3):
$ sudo iptables -v -A PREROUTING -t na
green wrote at 2010-06-20 12:54 -0600:
> Huang, Tao wrote at 2010-06-20 09:42 -0600:
> > On Sun, Jun 20, 2010 at 10:07 PM, green wrote:
> > > However, iptables scripts usually begin with a flush, and then it takes
> > > time to
> > > add all those rules
Huang, Tao wrote at 2010-06-20 09:42 -0600:
> On Sun, Jun 20, 2010 at 10:07 PM, green wrote:
> > However, iptables scripts usually begin with a flush, and then it takes
> > time to
> > add all those rules, plus some possible interruption to traffic meanwhile.
> >
On Sun, Jun 20, 2010 at 10:07 PM, green wrote:
> I am working on setting up a firewall on a server/router (see
> http://wiki.debian.org/green/Router ). I have considered several different
> firewall packages, but am more comfortable just running iptables in a shell
> script.
I am working on setting up a firewall on a server/router (see
http://wiki.debian.org/green/Router ). I have considered several different
firewall packages, but am more comfortable just running iptables in a shell
script.
However, iptables scripts usually begin with a flush, and then it takes
Alram
The majority of ICMPv6 types including 135 are not stateful, therefore you
must place rules to accept packets in both directions before you test for
state INVALID.
Ping type 128 is one that is stateful, that is why it works.
Steven.
Hello,
Alram Lechner wrote:
>
> I have been administering a Debian firewall for 2 years without problems. This
> week, we want to activate IPv6 in testing mode. Our firewall scripts are
> generated with fwbuilder. After I activated IPv6 on our firewall, I
> ran into some troubles. The first
Dear Debian admins,
Because I don't know which is the better list, I sent this mail to the
firewall and IPv6 mailing lists - I hope this is OK.
I have been administering a Debian firewall for 2 years without problems. This
week, we want to activate IPv6 in testing mode. Our firewall scripts are
generat
o anything unless
explicitly asked for. In particular:
+ it doesn't try to load the configuration if the respective
files do not exist; it merely issues a message saying that
it has no iptables configuration to load;
+ it doesn't try to lo
ot; is not always enough. An example is a PPP server which
> accepts multiple clients simultaneously and gives each one a
> different address. A script in /etc/ppp/ip-up.d/ can use the
> interface name and the remote address to block IP spoofing by clients
> :
> iptables -