Re: iptables question

Le 14/11/2016 à 00:48, deloptes a écrit : Pascal Hambourg wrote: Well then, all I can suggest is to run a packet capture and try to see what's going on. I guess you mean on the firewall? Yes.

Re: iptables question

Henning Follmann wrote: > Last time I chime in here. > I understand growth and chaos, believe me. However sometimes we need a > nudge or a kick in the but to clean up. Maybe this is your call.. It is kicking me and calling me since some time but I can not do this before next summer. I have to

Re: iptables question

On Mon, Nov 14, 2016 at 12:45:20AM +0100, deloptes wrote: > Henning wrote: > > > And usually there is no reason for two separate rfc1918 address ranges. > > Pick one matching your address space needs and design subnets. > > There is only one single reason for nat: you have more hosts than

Re: iptables question

deloptes wrote: > Igor Cicimov wrote: > >> Run tcpdump and check whats happening > > That is strange - I will look into this direction - let me know if you > have any ideas > > regards > > > tcpdump -vvv dst 10.0.0.7 > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size >

Re: iptables question

Igor Cicimov wrote: > Run tcpdump and check whats happening That is strange - I will look into this direction - let me know if you have any ideas regards tcpdump -vvv dst 10.0.0.7 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 08:07:11.591763 ARP, Ethernet

Re: iptables question

On 13 Nov 2016 11:20 am, "deloptes" wrote: > > Joe wrote: > > > On Sat, 12 Nov 2016 22:15:45 +0100 > > deloptes wrote: > > > >> Hi, > >> I need some help and I'll appreciate it. > >> > >> I have a firewall with iptables behind the modem. > >> on this

Re: iptables question

On 14 Nov 2016 12:50 am, "Pascal Hambourg" wrote: > > Le 13/11/2016 à 13:37, Joe a écrit : >>> >>> >>> PPTP rather falls into the "complex protocols" described below. >> >> >> Exactly so. You wouldn't believe how many routers of ten years ago or >> so didn't handle it

Re: iptables question

Pascal Hambourg wrote: > Well then, all I can suggest is to run a packet capture and try to see > what's going on. I guess you mean on the firewall? I am not even sure I can install tcpdump there, but I will try and ask again for help here for sure thanks

Re: iptables question

Henning wrote: > And usually there is no reason for two separate rfc1918 address ranges. > Pick one matching your address space needs and design subnets. > There is only one single reason for nat: you have more hosts than routable > ip addresses. I guess 10.0.0.0 meets even the biggest

Re: iptables question

> On Nov 13, 2016, at 5:19 PM, Pascal Hambourg wrote: > >> Le 13/11/2016 à 22:27, Henning a écrit : >> I followed this thread and i wonder if there is a sane reason why you do nat >> inside your network. Why don't you just route between different subnets i.e. >>

Re: iptables question

Le 13/11/2016 à 21:43, deloptes a écrit : Pascal Hambourg wrote: replace 10.0.0.1/32 with 10.0.0.0/24 it does not work You should double check that. I checked replaced 10.0.0.1/32 with 10.0.0.0/24. Just insert this rule and check whether it changes anything : iptables -I FORWARD -j

Re: iptables question

Le 13/11/2016 à 22:27, Henning a écrit : I followed this thread and i wonder if there is a sane reason why you do nat inside your network. Why don't you just route between different subnets i.e. 10.0.1.0/24 and 10.0.2.0/24 Probably because the modem and hosts in 10.0.0.0/24 don't know about

Re: iptables question

I followed this thread and i wonder if there is a sane reason why you do nat inside your network. Why don't you just route between different subnets i.e. 10.0.1.0/24 and 10.0.2.0/24 you still can have a firewall between those subnets -H

Re: iptables question

Pascal Hambourg wrote: >> replace 10.0.0.1/32 with 10.0.0.0/24 it does not work > > You should double check that. > I checked replaced 10.0.0.1/32 with 10.0.0.0/24. >>> This ruleset does not need improvements but a total rewrite. >> >> Yes I was thinking the same, I'll put it on the TODO. I

Re: iptables question

Le 13/11/2016 à 20:40, deloptes a écrit : Pascal Hambourg wrote: Did you check the routing table on the firewall and the targets ? Do they have a route to all the 10.0.0.0/24 range ? the one I posted is on the firewall - firewall is the one I am trying to modify. The one you posted ? I

Re: iptables question

Pascal Hambourg wrote: > Le 13/11/2016 à 16:05, deloptes a écrit : >> >> These are the rules - a friend created this like 10y ago. I added few >> rules to forward ports from outside to the intranet and to be able to >> handle VPN. >> You can ignore 192.168.60.1 on eth2 - not used. > > IMO, this

Re: iptables question

Le 13/11/2016 à 16:05, deloptes a écrit : These are the rules - a friend created this like 10y ago. I added few rules to forward ports from outside to the intranet and to be able to handle VPN. You can ignore 192.168.60.1 on eth2 - not used. IMO, this ruleset is totally insane. However,

Re: iptables question

Michael Milliman wrote: > Again, posting the exact ruleset would be helpful. These are the rules - a friend created this like 10y ago. I added few rules to forward ports from outside to the intranet and to be able to handle VPN. You can ignore 192.168.60.1 on eth2 - not used. Another important

Re: iptables question

Le 13/11/2016 à 13:37, Joe a écrit : PPTP rather falls into the "complex protocols" described below. Exactly so. You wouldn't believe how many routers of ten years ago or so didn't handle it properly, at least with their initial firmware. But Why wouldn't I ? Knowing how NAT is tricky, I am

Re: iptables question

On Sun, 13 Nov 2016 11:29:48 +0100 Pascal Hambourg wrote: > Le 13/11/2016 à 11:09, Joe a écrit : > > Pascal Hambourg wrote: > > > >> Le 12/11/2016 à 23:32, Joe a écrit : > >>> > >>> The SNAT should not be an issue, it can handle all protocols

Re: iptables question

On 11/12/2016 06:19 PM, deloptes wrote: Joe wrote: On Sat, 12 Nov 2016 22:15:45 +0100 deloptes wrote: Hi, I need some help and I'll appreciate it. I have a firewall with iptables behind the modem. on this firewall I have eth0 with ip 10..1 to the modem ip:

Re: iptables question

Le 13/11/2016 à 11:09, Joe a écrit : Pascal Hambourg wrote: Le 12/11/2016 à 23:32, Joe a écrit : The SNAT should not be an issue, it can handle all protocols transparently No it cannot. NAT is not possible with some IP protocols. Plain IPSec (without NAT-T

Re: iptables question

On Sun, 13 Nov 2016 10:35:29 +0100 Pascal Hambourg wrote: > Le 12/11/2016 à 23:32, Joe a écrit : > > > > The SNAT should not be an issue, it can handle all protocols > > transparently > > No it cannot. NAT is not possible with some IP protocols. Plain IPSec > (without

Re: iptables question

Le 13/11/2016 à 01:19, deloptes a écrit : Yes, it is not working How is it not working ? What do you do and what happens ? From one computer ip 10..6 I can ssh to 10..7 and vv. That does not concern the firewall between the modem and the LAN. I also see that iptables forwards to the

Re: iptables question

Le 12/11/2016 à 23:32, Joe a écrit : The SNAT should not be an issue, it can handle all protocols transparently No it cannot. NAT is not possible with some IP protocols. Plain IPSec (without NAT-T encapsulation) is the first one that comes in mind. Also many complex protocols such as FTP

Re: iptables question

Joe wrote: > On Sat, 12 Nov 2016 22:15:45 +0100 > deloptes wrote: > >> Hi, >> I need some help and I'll appreciate it. >> >> I have a firewall with iptables behind the modem. >> on this firewall I have >> eth0 with ip 10..1 to the modem ip: 10..12 >> eth1

Re: iptables question

On Sat, 12 Nov 2016 22:15:45 +0100 deloptes wrote: > Hi, > I need some help and I'll appreciate it. > > I have a firewall with iptables behind the modem. > on this firewall I have > eth0 with ip 10..1 to the modem ip: 10..12 > eth1 with ip 192..1 to the

iptables question

Hi, I need some help and I'll appreciate it. I have a firewall with iptables behind the modem. on this firewall I have eth0 with ip 10..1 to the modem ip: 10..12 eth1 with ip 192..1 to the intranet iptables is doing SNAT from 192..1 to 10..1 I wonder how I can ssh from 192..NN

Re: IPTables question

Le 09/11/2013 23:06, Shawn Wilson a écrit : Redhat has something called firewalld which generates rules based on zones. I don't use it because using dbus to help manage rules scares me. But it's there and could be what you want. I use fwbuilder which helps to define elaborated rules ;

Re: IPTables question

Erwan David er...@rail.eu.org wrote: Le 09/11/2013 23:06, Shawn Wilson a écrit : Redhat has something called firewalld which generates rules based on zones. I don't use it because using dbus to help manage rules scares me. But it's there and could be what you want. I use fwbuilder which

IPTables question

Hi folks, In IPTables one can specify multiple addresses, and multiple ports, but is there anyway to specify multiple interfaces. For example, -m multiport --destination-port 22,25,80 Or-s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10 But is there anyway to specify both eth0

Re: IPTables question

On 11/09/2013 12:47 PM, Bill.M wrote: But is there anyway to specify both eth0 and wlan0 as equally valid interfaces on my laptop depending on whether it's in my dock or on the road? For example, -i wlan0,eth0 or -o wlan0,eth0 Is something like these possible? * You can avoid specifying any

Re: IPTables question

Redhat has something called firewalld which generates rules based on zones. I don't use it because using dbus to help manage rules scares me. But it's there and could be what you want. David F deb...@meta-dynamic.com wrote: On 11/09/2013 12:47 PM, Bill.M wrote: But is there anyway to specify

Re: IPTables question

Hello, Bill.M a écrit : In IPTables one can specify multiple addresses, and multiple ports, but is there anyway to specify multiple interfaces. For example, -m multiport --destination-port 22,25,80 Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10 In addition to David's

Re: IPTables question

Pascal Hambourg pas...@plouf.fr.eu.org wrote: Hello, Bill.M a écrit : In IPTables one can specify multiple addresses, and multiple ports, but is there anyway to specify multiple interfaces. For example, -m multiport --destination-port 22,25,80 Or -s 1.2.3.4,1.2.3.5,1.2.3.7

Re: IPTables question

Shawn Wilson a écrit : Pascal Hambourg pas...@plouf.fr.eu.org wrote: Unless recent change I am not aware of, you cannot specify an address range in -s or -d. You must use the iprange match instead (or ipset if your kernel supports it). Also, idk any way to match interface with ipset I

Firewall/iptables question

Hi all, I'm attempting to set up a simple firewall on a virtual server. I have the following: iptables --flush iptables -t nat --flush iptables -t mangle --flush iptables --policy INPUT DROP iptables --policy OUTPUT ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i venet0 -m state

Re: Firewall/iptables question

On 3 May 2011 16:21, Hilco Wijbenga hilco.wijbe...@gmail.com wrote: Hi all, I'm attempting to set up a simple firewall on a virtual server. I have the following: iptables --flush iptables -t nat --flush iptables -t mangle --flush iptables --policy INPUT DROP iptables --policy OUTPUT

Re: Firewall/iptables question

Hilco Wijbenga wrote at 2011-05-03 18:21 -0500: On a related note, the logging only logs the packet, but no timestamp. Is that configurable somewhere? /etc/rsyslog.conf I suppose? signature.asc Description: Digital signature

Iptables question

I asked about a modem dialin server problem. I saw no response, so, I rephrase it. The Linux box is connected to Internet on 141.209.169.x The dialin ppp (Linux end) ipaddr is 192.168.0.10 The dialing client gets ipaddr 192.168.0.11 How do I make iptables to forward form 192.168.x.x to

Re: Iptables question

For firewall relative question there's another, more specific, mail list: debian-firew...@lists.debian.org Anyway, if you are using ppp to connect to your ISP, the ppp0 interface should have a public IP address not a private one like 192.168.0.10. In order to enable kernel ipv4 fowarding you

RE: Iptables question

From: I Rattan [mailto:ratt...@cps.cmich.edu] Sent: Thursday, September 10, 2009 2:03 PM I asked about a modem dialin server problem. I saw no response, so, I rephrase it. The Linux box is connected to Internet on 141.209.169.x The dialin ppp (Linux end) ipaddr is 192.168.0.10 The

iptables question?

Is it possible to restrict access by user-id under iptables firewall? If so, pointers to the info/example will be appreciated. -ishwar -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: iptables question?

On 2009-08-26 10:36 (-0400), I. Rattan wrote: Is it possible to restrict access by user-id under iptables firewall? If so, pointers to the info/example will be appreciated. Does man iptables qualify as a pointer? In owner module there is --uid-owner option. -- To UNSUBSCRIBE, email to

Re: iptables question

On Mon,12.Jan.09, 14:50:48, Paul Cartwright wrote: I used to be able to ssh to my desktop, then.. I couldn't ( sounds like my K3B issue:). I noticed someone else with a message about iptables, and I basically copied his script: # iptables -I INPUT -p tcp -m state --state NEW --dport 22 -i

iptables question

I used to be able to ssh to my desktop, then.. I couldn't ( sounds like my K3B issue:). I noticed someone else with a message about iptables, and I basically copied his script: # iptables -I INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT except changed it to my ssh port 22. Now

Re: iptables question

On Sat, 03 Jan 2009 20:49:35 -0500, Napoleon wrote: Justin Piszcz wrote: On Thu, 1 Jan 2009, Napoleon wrote: I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go

Re: iptables question

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Koh Choon Lin wrote: Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). How can you not know how to delete? (No, seriously, I'm not trying to be

Re: iptables question

Justin Piszcz wrote: On Thu, 1 Jan 2009, Napoleon wrote: I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary

POP (was Re: iptables question)

On 01/03/09 19:49, Napoleon wrote: [snip] I also tried to find the support forums for qpopper, but the only ones I found hadn't had a post in over 2 years. So maybe I need to change pop3 servers. Unless you are running an ISP, you should really ditch POP and move your mail to an IMAP

Re: iptables question

On Saturday 2009 January 03 19:49:35 Napoleon wrote: I also tried to find the support forums for qpopper, but the only ones I found hadn't had a post in over 2 years. So maybe I need to change pop3 servers. I've recently had good luck with dovecot, which handles a pop3 and pop3s. I'll also

Re: iptables question

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Boyd Stephen Smith Jr. wrote: I've recently had good luck with dovecot, which handles a pop3 and pop3s. I'll also echo Ron's suggestion to move to IMAP, if possible, which is how I set up dovecot. Dovecot also does SASL authentication for

Re: iptables question

ghe writes: Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). Heh. My user (my wife) has about 150MB (text only) in /var/mail. Some of it is 20 years old. -- John Hasler -- To

Re: iptables question

On 01/03/09 21:58, ghe wrote: [snip] Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). How can you not know how to delete? (No, seriously, I'm not trying to be sarcastic...) -- Ron

iptables question

Be careful with IMAP, though. One of my users has well over 500MB of mail on my server that she apparently doesn't know how to delete (I know, I know). How can you not know how to delete? (No, seriously, I'm not trying to be sarcastic...) Maybe they are trying to take after Gmail --

iptables question

I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds or even thousands a

Re: iptables question

Napoleon a écrit : I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my system (hundreds

Re: iptables question

On Thu, 1 Jan 2009, Napoleon wrote: I'll admit I'm still pretty green at a lot of this (lots of experience in computers, little in Linux) and don't understand everything. But I'm trying to learn, so please go easy on me :-) I've been having a problem with dictionary hacker attempts on my

Re: iptables question

Here is how I implemented it, coincidentially today :) # Allow already established traffic $IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT # No more than 2 connection attempts per 2 # minutes to prevent brute force attacks # log blocked

Re: iptables question

On Thu, Jan 1, 2009 at 5:44 PM, David Schmidt davew...@gmx.at wrote: Here is how I implemented it, coincidentially today :) # Allow already established traffic $IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT # No more than 2 connection attempts per 2

Re: etch - iptables question

Hi Ann, On 6/13/07, ann kok [EMAIL PROTECTED] wrote I just install new debian. but it seems nothing iptable in the default installation how can I install? I have used Guarddog to config my iptables. It's very easy to use and it will take only about 15 - 30 mins reading the manual and

etch - iptables question

Hi all I just install new debian. but it seems nothing iptable in the default installation how can I install? and how can I install new kernel? can you show me steps? Thank you Got a little couch

Re: etch - iptables question

On Wed, 2007-06-13 at 15:47 -0700, ann kok wrote: Hi all I just install new debian. but it seems nothing iptable in the default installation how can I install? 1) you can use a pre-written script like this one: http://www.hermann-uwe.de/files/fw_laptop Getting it going is discussed

OT iptables question

I'm updating a RH ipchains packet filter script from the dim past to iptables on Debian stable. I noticed that when I specified the network the host is on (by IP/mask), the iptables listing called it localnet. So I tried using localnet in the rule, and iptables seems to take it, and the chain

Re: OT iptables question

Glenn English wrote: I'm updating a RH ipchains packet filter script from the dim past to iptables on Debian stable. I noticed that when I specified the network the host is on (by IP/mask), the iptables listing called it localnet. So I tried using localnet in the rule, and iptables seems to

Re: iptables question: no chain/target/match by that name...

On Mon, Apr 05, 2004 at 02:08:35PM -0500, hugo vanwoerkom wrote: I'm trying it now with multiport + eject enabled in netfilter. Check REJECT in /proc/net/ip_tables_targets and check for multiport in /proc/net/ip_tables_matches. Using either loaded netfilter modules or built in netfilter

Re: iptables question: no chain/target/match by that name...

On Mon, Apr 05, 2004 at 12:09:31PM -0500, hugo vanwoerkom wrote: + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT [ ... ] + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT Now I know nothing of iptables, but why can he do

iptables question: no chain/target/match by that name...

Hi World! The lokkit question yesterday by Faheem Mitha prompted me to install lokkit on Sarge. As Dircha pointed out: it don't work. All lokkit does is create a little iptables script that sits in /etc/default/lokkit. Then upon boot lokkit in /etc/init.d executes that script. As Dircha

Re: iptables question: no chain/target/match by that name...

hugo vanwoerkom wrote: Hi World! The lokkit question yesterday by Faheem Mitha prompted me to install lokkit on Sarge. As Dircha pointed out: it don't work. All lokkit does is create a little iptables script that sits in /etc/default/lokkit. Then upon boot lokkit in /etc/init.d executes that

iptables question

I have a box that I use for routing, it's running sid, with ipmaq on it. It works fine for the most part. For a while I had an internal axis webcam that was port forwarded. I use to put in the following at the command prompt iptables -t nat -A PREROUTING -j DNAT --proto tcp --dport

pop3vscan iptables question

I'd like to use pop3vscan to run clamscan. I added the following iptables rule: # /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 8110 I then went through the procedures in /etc/default/iptables so that the rule would remain after rebooting, but that doesn't

IPTABLES QUESTION

I´m using Debian 3.0r1 with kernel 2.4.19 as a iptables firewall I have internal webservers that I need to publish as Internet Sites For this manipulation I´m using Apache ProxyPass. The site works perfectly under apache.. even when the internal host is an ISS. 1. How can I do it without

Re: successful server installation, iptables question

Firstly: iptables is the firewalling system built into the 2.4 kernel. ipchains is the system from 2.2 (and an unsupported legacy option in 2.4). iptables is better in nearly every way, so use it if you can. On Mon, Oct 28, 2002 at 07:18:39PM +, Alan Chandler wrote: On Monday 28 October

successful server installation, iptables question

Hi, i successfuly installed my new debian server instead of the suse 7.2 that was on it. It was a lot easier to install and i knew what i was doing or at least i thought i was :-) I have installed the ipmasq package to share my internet connection. All works ok. However, how does one customize

Re: successful server installation, iptables question

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Monday 28 October 2002 12:01 pm, [EMAIL PROTECTED] wrote: Hi, i successfuly installed my new debian server instead of the suse 7.2 that was on it. It was a lot easier to install and i knew what i was doing or at least i thought i was :-) I