Re: [Solved] iptables firewall and web sites not loading

2019-12-10 Thread Pascal Hambourg
On 10/12/2019 at 20:13, nektarios wrote: Pascal Hambourg wrote: Maybe a "MTU black hole" issue with PPPoE. Workarounds: - lower the MTU on the client side to 1492 - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router (...) The tip you gave me really did the job! I found this page i

[Solved] iptables firewall and web sites not loading

2019-12-10 Thread nektarios
On Tue, 10 Dec 2019 09:26:46 + Nektarios Katakis wrote: > On Tue, 10 Dec 2019 07:22:05 +0100 > Pascal Hambourg wrote: > > > On 10/12/2019 at 00:01, Nektarios Katakis wrote: > > > > > > I am running an iptables firewall on an openwrt router I've

Re: iptables firewall and web sites not loading

2019-12-10 Thread Nektarios Katakis
On Tue, 10 Dec 2019 07:22:05 +0100 Pascal Hambourg wrote: > On 10/12/2019 at 00:01, Nektarios Katakis wrote: > > > > I am running an iptables firewall on an openwrt router I've got. > > Which acts as Firewall/gateway and performs NATing for my internal > > netwo

Re: iptables firewall and web sites not loading

2019-12-09 Thread Pascal Hambourg
On 10/12/2019 at 00:01, Nektarios Katakis wrote: I am running an iptables firewall on an openwrt router I've got. Which acts as Firewall/gateway and performs NATing for my internal network - debian PCs and android phones. All good but specific web sites are not loading for the machines that

Re: iptables firewall and web sites not loading

2019-12-09 Thread john doe
On 12/10/2019 12:01 AM, Nektarios Katakis wrote: > Hello, > > I am running an iptables firewall on an openwrt router I've got. Which > acts as Firewall/gateway and performs NATing for my internal network - > debian PCs and android phones. > > All good but specific web sites ar

iptables firewall and web sites not loading

2019-12-09 Thread Nektarios Katakis
Hello, I am running an iptables firewall on an openwrt router I've got. Which acts as Firewall/gateway and performs NATing for my internal network - debian PCs and android phones. All good but specific web sites are not loading for the machines that are sitting behind the home router. When

Android gmail through ferm /iptables firewall

2016-05-20 Thread basti
Hello, I have router (debian) for LAN and an iptables firewall looks like Chain FORWARD (policy DROP) target prot opt source destination DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID DROP all -- 192.168.178.43 0.0.0.0/0 ACCEPT all

Re: iptables firewall

2014-07-31 Thread Mike McClain
On Wed, Jul 30, 2014 at 08:33:56PM +0200, Nemeth Gyorgy wrote: > On 2014-07-30 at 09:18, Joe wrote: > > Something else you might do now is to place temporary logging rules > > before your 'DROP' rules, to confirm whether it is indeed iptables > > which is blocking those packets. No logs, it's

Re: iptables firewall

2014-07-30 Thread Joe
On Wed, 30 Jul 2014 21:34:07 +0200 Pascal Hambourg wrote: > Joe wrote: > > > > Something else you might do now is to place temporary logging rules > > before your 'DROP' rules, to confirm whether it is indeed iptables > > which is blocking those packets. > > Or just run tcpdump while the por

Re: iptables firewall

2014-07-30 Thread Pascal Hambourg
Joe wrote: > > Something else you might do now is to place temporary logging rules > before your 'DROP' rules, to confirm whether it is indeed iptables > which is blocking those packets. Or just run tcpdump while the port scan is running. > No logs, it's somebody or something > else. And if y

Re: iptables firewall

2014-07-30 Thread Nemeth Gyorgy
On 2014-07-30 at 09:18, Joe wrote: > Something else you might do now is to place temporary logging rules > before your 'DROP' rules, to confirm whether it is indeed iptables > which is blocking those packets. No logs, it's somebody or something > else. Perhaps it is not needed. iptables -L -v

Re: iptables firewall

2014-07-30 Thread Nemeth Gyorgy
On 2014-07-30 at 17:33, Mike McClain wrote: >> And as someone else asked, why are you worried about this 'stealth'? As >> long as the bad packets don't get in, what does it matter? > > Why is there a DROP instruction in iptables as well as REJECT? To allow you to do what you want. e.g DROP c

Re: iptables firewall

2014-07-30 Thread Sven Hartge
Mike McClain wrote: > On Wed, Jul 30, 2014 at 08:18:51AM +0100, Joe wrote: >> And as someone else asked, why are you worried about this 'stealth'? >> As long as the bad packets don't get in, what does it matter? > Why is there a DROP instruction in iptables as well as REJECT? Sometimes you want

Re: iptables firewall

2014-07-30 Thread Sven Hartge
Sven Hartge wrote: > If I try to connect to a system on (for example) IP 192.168.40.60 and > port 80 and there is no system with that IP, the router for the > network will tell me via an "ICMP host unreachable" package. Erm, please replace "package" with "packet" while reading, thanks. Grüße, S

Re: iptables firewall

2014-07-30 Thread Sven Hartge
Mike McClain wrote: > On Wed, Jul 30, 2014 at 01:09:24AM +0200, Pascal Hambourg wrote: > >> You can safely ignore that "stealth" FUD. > block:REJECT::Stealth:DROP > Why do you say it can be ignored? If I try to connect to a system on (for example) IP 192.168.40.60 and port 80 and there is no s

Re: iptables firewall

2014-07-30 Thread Mike McClain
On Wed, Jul 30, 2014 at 08:18:51AM +0100, Joe wrote: > Something else you might do now is to place temporary logging rules > before your 'DROP' rules, to confirm whether it is indeed iptables > which is blocking those packets. No logs, it's somebody or something > else. And if you have anything ot

Re: iptables firewall

2014-07-30 Thread Mike McClain
On Wed, Jul 30, 2014 at 01:09:24AM +0200, Pascal Hambourg wrote: > You can safely ignore that "stealth" FUD. block:REJECT::Stealth:DROP Why do you say it can be ignored? > Use iptables-save instead. I do. Thanks for your thoughts, Mike -- Who knows what evil lurks in the hearts of men? --

Re: iptables firewall

2014-07-30 Thread Mike McClain
On Tue, Jul 29, 2014 at 10:20:57PM +0100, Mark Carroll wrote: > > Use iptables --list-rules to check what rules are actually in force, > applying in what order. > > -- Mark I've been using iptables-save which gives nearly the same output but fails to explain why 2 online scanners show those ports

Re: iptables firewall

2014-07-30 Thread Mike McClain
On Tue, Jul 29, 2014 at 11:19:18PM +0200, Sven Hartge wrote: > > Maybe your ISP already filters those ports? > Now that's a thought I hadn't considered. If the ISP is REJECTing those ports that would explain the responses I'm seeing. Thanks I'll look into it. Mike -- Who knows what evil lurks in th

Re: iptables firewall

2014-07-30 Thread Joe
On Tue, 29 Jul 2014 14:04:23 -0700 Mike McClain wrote: > I've run into a difficulty with iptables in that both GRC.com and > PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but > not stealthed in spite of the fact that I have these statements in my > firewall script: > ipta

Re: iptables firewall

2014-07-29 Thread Pascal Hambourg
Mark Carroll wrote: > Mike McClain writes: > >> I've run into a difficulty with iptables in that both GRC.com and >> PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but >> not stealthed in spite of the fact that I have these statements in my >> firewall script: You can safe

Re: iptables firewall

2014-07-29 Thread Mark Carroll
Mike McClain writes: > I've run into a difficulty with iptables in that both GRC.com and > PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but > not stealthed in spite of the fact that I have these statements in my > firewall script: (snip) > Suggestions? Use iptables --list-r

Re: iptables firewall

2014-07-29 Thread Sven Hartge
Mike McClain wrote: > I've run into a difficulty with iptables in that both GRC.com and > PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but > not stealthed in spite of the fact that I have these statements in my > firewall script: >iptables -A INPUT -p udp --dport 137:13

iptables firewall

2014-07-29 Thread Mike McClain
I've run into a difficulty with iptables in that both GRC.com and PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but not stealthed in spite of the fact that I have these statements in my firewall script: iptables -A INPUT -p udp --dport 137:138 -j DROP iptables -A INPUT

Re: arno-iptables-firewall package question

2008-08-08 Thread chris
r. How can I correct that order after the >> package has been installed so arno-iptables-firewall runs just before >> the network connection gets brought up? > > Caveat: http://linuxgazette.net/114/keeling.html, and I no longer use it > (no need). I was using ppp at the time

Re: arno-iptables-firewall package question

2008-08-06 Thread s. keeling
Jude DaShiell <[EMAIL PROTECTED]>: > So far as I can tell, the firewall package is only installing itself after > the network has already come up. From what reading I've done, this is the > wrong order. How can I correct that order after the package has been > ins

Re: arno-iptables-firewall package question

2008-08-04 Thread chris
been installed so arno-iptables-firewall runs just before the > network connection gets brought up? How did you tell? What is the order in /etc/rcS.d/ ?

arno-iptables-firewall package question

2008-08-02 Thread Jude DaShiell
So far as I can tell, the firewall package is only installing itself after the network has already come up. From what reading I've done, this is the wrong order. How can I correct that order after the package has been installed so arno-iptables-firewall runs just before the ne

Re: Better iptables firewall

2007-08-30 Thread John L Fjellstad
Michael Pobega <[EMAIL PROTECTED]> writes: > # Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007 > *filter > :INPUT DROP [0:0] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [35639:3072343] > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > -A INPUT -i lo -j ACCEPT > -A INPUT -p icm

Re: Better iptables firewall

2007-08-30 Thread Douglas A. Tutty
On Thu, Aug 30, 2007 at 12:25:25AM -0400, Michael Pobega wrote: > Currently I'm using iptables as my main firewall, and I'm having no > trouble with it whatsoever. But lately (Since college has started) I've > been connecting to a lot more networks, with more peers connected. I'm > worried about so

Re: Better iptables firewall

2007-08-30 Thread ndemou
On 8/30/07, Michael Pobega <[EMAIL PROTECTED]> wrote: > [...] > I'm hoping some seasoned Debian sysadmins out there can help me by > advising me on how to better setup iptables...My current setup is: quite some info you can find here Securing Debian howto http://www.debian.org/doc/manuals/securing

Better iptables firewall

2007-08-29 Thread Michael Pobega
Currently I'm using iptables as my main firewall, and I'm having no trouble with it whatsoever. But lately (Since college has started) I've been connecting to a lot more networks, with more peers connected. I'm worried about somebody breaking through t

Re: iptables firewall and MSN messanger

2004-04-25 Thread ZgSTar
Hi, did you get it working? I'm still going crazy about it. Thanks a lot in advance and sorry for a private mail. Ziggy

Re: iptables firewall, help.

2004-03-02 Thread Roberto Sanchez
John Hedge wrote: Brian, You might like to take a look at www.shorewall.net. It helped me when I was at a similar stage as it seems you may be. I agree. Shorewall has awesome documentation (like step-by-step) for most common situations. -Roberto

Re: iptables firewall, help.

2004-03-01 Thread John Hedge
Brian, You might like to take a look at www.shorewall.net. It helped me when I was at a similar stage as it seems you may be. Another idea is to join [EMAIL PROTECTED] John On Tue, 2004-03-02 at 17:53, Brian Schmidt wrote: > I'm trying to make a good firewall/gateway iptables script, this is

iptables firewall, help.

2004-03-01 Thread Brian Schmidt
I'm trying to make a good firewall/gateway iptables script, this is what I have so far but I would love input and ideas, as well as some help with a few features. Below is the script I've put together so far, hopefully this post could get a nice allround firewall/gateway iptables script made for

Re: iptables firewall

2004-01-26 Thread Brian Schmidt
Thanks for all the suggestions on firewalls, I will be looking at them, and that was exactly what I was looking for, thanks Adam :) Sincerely Brian Schmidt

Re: iptables firewall

2004-01-26 Thread Greg Folkert
On Mon, 2004-01-26 at 10:11, Brian Schmidt wrote: > I'm trying to set up a proper firewall, and have a decent one set up so > far.. > A few things I'm missing though are the ability to allow/deny ipranges, > so I have been looking around a bit, and saw that there was a module > called iprange. >

Re: iptables firewall

2004-01-26 Thread Adam Aube
On Monday 26 January 2004 10:11 am, Brian Schmidt wrote: > Another thing with iptables I have been thinking of letting my firewall > do, is to give a proper reply to connections on closed ports, rather > than just dropping the connection. Iptables comes with a REJECT target, used like this: iptab

Re: iptables firewall

2004-01-26 Thread Jerome BENOIT
Have you tried the `firehol' package available in testing ? hth, Jerome Brian Schmidt wrote: I'm trying to set up a proper firewall, and have a decent one set up so far.. A few things I'm missing though are the ability to allow/deny ipranges, so I have been looking around a bit, and saw that there

iptables firewall

2004-01-26 Thread Brian Schmidt
I'm trying to set up a proper firewall, and have a decent one set up so far.. A few things I'm missing though are the ability to allow/deny ipranges, so I have been looking around a bit, and saw that there was a module called iprange. How do I install this with debian? Doesn't seem like there is

iptables firewall question ?

2003-12-03 Thread David Selby
I have installed a simple firewall, personal home PC, dial up link, no ethernet. It consisted of ... iptables -N block iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT iptables -A block -j DROP iptables -A INPUT -J block i

Setting up mail server behind iptables firewall

2003-08-14 Thread Daniel L. Miller
I'm sure this is covered SOMEWHERE - but I haven't found anything obvious in the archives / howto's. I currently have the following configuration: (please comment if you find this arrangement objectionable in itself!) Internal LAN - 192.168.0.30 through 192.168.0.50 Dual-Homed Gateway (is that

Re: Setting up mail server behind iptables firewall

2003-08-14 Thread Michael West
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.69.2:25 you mean --dport 25 don't you?

Re: Setting up mail server behind iptables firewall

2003-08-14 Thread David
On Thu, Aug 14, 2003 at 10:04:56AM -0700, Daniel L. Miller wrote: > This is really getting frustrating - mainly because I don't really > understand what I'm doing. Using a port scanner from an external > webserver, it shows that ports 25, 80, and 10025 are all closed. > > What am I missing? > >

RE: Setting up mail server behind iptables firewall

2003-08-14 Thread Daniel L. Miller
> > This is really getting frustrating - mainly because I don't really > > understand what I'm doing. Using a port scanner from an external > > webserver, it shows that ports 25, 80, and 10025 are all closed. > > > > What am I missing? > > > > Here's the iptables dump from both my firewall and

RE: Setting up mail server behind iptables firewall

2003-08-14 Thread Daniel L. Miller
This is really getting frustrating - mainly because I don't really understand what I'm doing. Using a port scanner from an external webserver, it shows that ports 25, 80, and 10025 are all closed. What am I missing? Here's the iptables dump from both my firewall and my internal server. *** FIRE

iptables firewall and MSN messanger

2001-12-06 Thread Marek Cermak
Hello everybody Is it possible to use MSN Messenger's voice call over iptables firewall ? I haven't found any module (stg like ip_nat_ftp.o) for this purpose. I use SNAT on 2.4.x kernel, Debian/woody. Thanks for your help. Marek Cermak

Re: who has *arguably* the best iptables firewall script around here?

2001-08-29 Thread Wayne Topa
Cliff Sarginson([EMAIL PROTECTED]) is reported to have said: > > > > Cliff > >This might be what you are looking for > > > > $IPTABLES -A INPUT -i $IEXT -p tcp --dport 515 -j LOG --log-level NOTICE > > --log-prefix "Printer-Attack-Rejected:" > > $IPTABLES -A INPUT -i $IEXT -p tcp --dport 515

Re: who has *arguably* the best iptables firewall script around here?

2001-08-29 Thread Cliff Sarginson
On Wed, Aug 29, 2001 at 12:00:00AM -0400, Wayne Topa wrote: > > Subject: Re: who has *arguably* the best iptables firewall script > around here? > Date: Tue, Aug 28, 2001 at 11:55:19PM +0200 > > In reply to:Cliff Sarginson > > Quoting Cliff Sarginson([EMAIL

Re: who has *arguably* the best iptables firewall script around here?

2001-08-28 Thread Wayne Topa
Subject: Re: who has *arguably* the best iptables firewall script around here? Date: Tue, Aug 28, 2001 at 11:55:19PM +0200 In reply to:Cliff Sarginson Quoting Cliff Sarginson([EMAIL PROTECTED]): > On Tue, Aug 28, 2001 at 10:42:39PM +0200, thomas anderson wrote: > &

Re: who has *arguably* the best iptables firewall script around here?

2001-08-28 Thread Jason Healy
At 999056559s since epoch (08/28/01 16:42:39 -0400 UTC), thomas anderson wrote: > > If you think you do please tell us why I do, for one good reason: I *understand* it. Firewalls are one of those things where you really should have at least some of an idea of how they work. Who writes your fire

Re: who has *arguably* the best iptables firewall script around here?

2001-08-28 Thread Cliff Sarginson
On Tue, Aug 28, 2001 at 10:42:39PM +0200, thomas anderson wrote: > Hello, > > If you think you do please tell us why and also kindly send me a copy too! > :) > Well, mine seems ok, I do not run inetd when connected, which does not really lose me that much in practice. Nexus's only complaint abou

who has *arguably* the best iptables firewall script around here?

2001-08-28 Thread thomas anderson
Hello, If you think you do please tell us why and also kindly send me a copy too! :) -- Sent through GMX FreeMail - http://www.gmx.net

Re: iptables firewall help

2001-06-27 Thread Sebastiaan
arters, I'd like to have a good, secure, well-commented iptables > firewall script that I could use and learn from. Then I'd like to see > some online documentation on firewall considerations. > > For the summer, I want a firewall that works with dynamic IP addresses so > my

Re: iptables firewall help

2001-06-26 Thread john
> I would like to upgrade my kernel from 2.2 to 2.4. The main thing that > concerns me is building a new iptables-based firewall (as opposed to > ipchains). > > > So for starters, I'd like to have a good, secure, well-commented iptables > firewall script that I could use a

iptables firewall help

2001-06-26 Thread Matthew Garman
that with the switch to 2.4 and iptables, now would be a good time to really learn how to write a good firewall script. So for starters, I'd like to have a good, secure, well-commented iptables firewall script that I could use and learn from. Then I'd like to see some online documentation o