Something recent (perhaps this update to libnftnl) broke iptables.
Re-emerging it fixed the problem.
Fri Feb 11 07:45:54 2022 >>> net-libs/libnftnl-1.2.1
iptables started giving errors such as this:
/sbin/iptables -A BASE_INPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT
ERROR (2):
Sat, 15 Aug 2020 at 01:34, tastytea :
> Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the
> dependency “net” is satisfied if only one net.* service is started.
If I remember correctly, it happened sometimes that iptables loaded
after net.eth0 service even with
On 2020-08-14 22:17- Grant Edwards wrote:
> […]
> ### "rc-service iptables" vs. "/etc/init.d/iptables"
rc-service runs the same service scripts that are in /etc/init.d/, so
it's the same. However the manpage of rc-service(8) mentions that
“Service scripts could be in different places on
I read through the iptables wiki page this afternoon to refresh my
memory on how you save rules so they get loaded on startup.
https://wiki.gentoo.org/wiki/Iptables
There are some inconsistencies which I'm curious about.
### "rc-service iptables" vs. "/etc/init.d/iptables"
Most of the page's
On Wednesday, 24 October 2018 15:30:06 BST Peter Humphrey wrote:
> On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote:
> > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:
> > > Today's update of iptables to 1.8.1 failed here because I didn't have
> > > USE=nftables set. After
On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote:
> On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:
> > Today's update of iptables to 1.8.1 failed here because I didn't have
> > USE=nftables set. After setting that in package.use it was fine. Before
> > I submit a bug
On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:
> Today's update of iptables to 1.8.1 failed here because I didn't have
> USE=nftables set. After setting that in package.use it was fine. Before
> I submit a bug report, though, I'd like to understand one thing:
>
> $ grep nftables
Hello list,
Today's update of iptables to 1.8.1 failed here because I didn't have
USE=nftables set. After setting that in package.use it was fine. Before I
submit a bug report, though, I'd like to understand one thing:
$ grep nftables $(equery w iptables)
IUSE="conntrack ipv6 netlink nftables
"siefke_lis...@web.de" writes:
> Hello,
>
> I try to run iptables, block bad IPs and close the system.
>
> I want to run a firewall which blocks all INPUT, only ALLOW services I defined.
> Ipset I want to use to block spam IPs, make it sure awesome as ever set rules
> manually.
Hello,
On Thu, 24 Dec 2015 15:11:55 +0300 Andrew Savchenko wrote:
> ...
> It is a bit old and isn't an ultimate description of all
> iptables features (you have manuals for that), but will give you a
> good understanding of how packet flow works and how they should be
>
Hi,
On Tue, 22 Dec 2015 22:45:12 +0100 siefke_lis...@web.de wrote:
> I try to run iptables, block bad IPs and close the system.
>
> I want to run a firewall which blocks all INPUT, only ALLOW services I defined.
> Ipset I want to use to block spam IPs, make it sure awesome as ever set rules
> manually.
Hello,
I try to run iptables, block bad IPs and close the system.
I want to run a firewall which blocks all INPUT, only ALLOW services I defined.
Ipset I want to use to block spam IPs, make it sure awesome as ever set rules
manually.
I'm not so sure it is okay, I have tried and read but at the end often I kick
On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote:
On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
on my Android tablet I have installed a Gentoo rootfs.
I can start this by chrooting it after Android has booted.
Via xvnc I can connect from a running
Hi,
On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
on my Android tablet I have installed a Gentoo rootfs.
I can start this by chrooting it after Android has booted.
Via xvnc I can connect from a running Android to the also
running Gentoo Linux.
If I set up a firewall as root
Rich Freeman ri...@gentoo.org [15-08-15 13:04]:
On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote:
On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
on my Android tablet I have installed a Gentoo rootfs.
I can start this by chrooting it after Android
On Sat, Aug 15, 2015 at 7:45 AM, meino.cra...@gmx.de wrote:
Last chance: Installing a fully functional chrooted Linux, setup
some handcrafted iptables/ipset/sidmat stuff (which I still have
to do) and...get a Yes, network is shared on kernel level as answer
from this thread. :)
And I got
Hi,
on my Android tablet I have installed a Gentoo rootfs.
I can start this by chrooting it after Android has booted.
Via xvnc I can connect from a running Android to the also
running Gentoo Linux.
If I set up a firewall as root (the Android is rooted) while
I am in the chrooted Linux this
On Dec 30, 2013 7:31 PM, shawn wilson ag4ve...@gmail.com wrote:
Minor additions to what Pandu said...
On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
The numbers within [brackets] are
On Tue, Dec 31, 2013 at 9:08 AM, Pandu Poluan pa...@poluan.info wrote:
On Dec 30, 2013 7:31 PM, shawn wilson ag4ve...@gmail.com wrote:
Minor additions to what Pandu said...
On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl
On 2013-12-29 1:39 PM, shawn wilson ag4ve...@gmail.com wrote:
On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
Hi all,
Ok, I'm setting up a new server, and I'd like to rethink my iptables rules.
I'd like to start with something fairly simple:
1. Allow connections
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
[-- LE SNIP --]
Ok, well, maybe I should have posted my entire ruleset...
I have this above where I define my chains:
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#
Does it matter where
Minor additions to what Pandu said...
On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
The numbers within [brackets] are statistics/counters. Just replace
them with [0:0], unless you really really
Hi all,
Ok, I'm setting up a new server, and I'd like to rethink my iptables rules.
I'd like to start with something fairly simple:
1. Allow connections from anywhere ONLY to certain ports
i.e., for encrypted IMAP/SMTP connections from users
2. Allow connections from only certain IP addresses
On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
Hi all,
Ok, I'm setting up a new server, and I'd like to rethink my iptables rules.
I'd like to start with something fairly simple:
1. Allow connections from anywhere ONLY to certain ports
i.e., for encrypted
Hello Everyone,
We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking. I hope I am not in breach of mailing list
rules
Tuesday, 21 May 2013, 11:07 -04:00 from Nick Khamis sym...@gmail.com:
Hello Everyone,
We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
Looks like the packet never gets to the tcp chain. What is --syn?
It seems that way. I am not sure what --syn is actually. But even
if I comment it out it does not work. Also, for testing I changed the
SSH rule to allow bidirectional traffic until this is fixed:
-A TCP -p tcp -m tcp --dport
On 21/05/2013 17:07, Nick Khamis wrote:
Hello Everyone,
We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking.
Now
Hello Everyone,
Thank you so much for your responses. I agree Alan, total pain in the
neck!!! But it's a ticket that was passed down to me. We moved the
stateful firewalls inside the network, broken down to each department.
But as a first on site defense on our BGP router running Quagga, we
only
Hi Gentoo-users,
I noticed one thing on my server: during boot-up no message
about the firewall being started is printed on the console. I always
have to check manually if the iptables rules have been loaded.
Strange thing, when doing shutdown, I see messages I expect:
* Saving iptables state ...
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
Hi Gentoo-users,
I noticed one thing on my server: during boot-up no message
about the firewall being started is printed on the console. I always
have to check manually if the iptables rules have been loaded.
Strange thing, when doing shutdown, I see messages
On 29-Mar-13 19:43, Mick wrote:
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
Hi Gentoo-users,
I noticed one thing on my server: during boot-up no message
about the firewall being started is printed on the console. I always
have to check manually if the iptables rules have been loaded.
Strange thing, when
On Mar 30, 2013 1:27 AM, Jarry mr.ja...@gmail.com wrote:
Hi Gentoo-users,
I noticed one thing on my server: during boot-up no message
about the firewall being started is printed on the console. I always
have to check manually if the iptables rules have been loaded.
Strange thing, when doing shutdown, I
On Friday 29 Mar 2013 19:03:57 Jarry wrote:
On 29-Mar-13 19:43, Mick wrote:
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
Hi Gentoo-users,
I noticed one thing on my server: during boot-up no message
about the firewall being started is printed on the console. I always
have to check manually if
On Friday 29 Mar 2013 19:34:39 Mick wrote:
On Friday 29 Mar 2013 19:03:57 Jarry wrote:
On 29-Mar-13 19:43, Mick wrote:
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
Hi Gentoo-users,
I noticed one thing on my server: during boot-up no message
about the firewall being started is printed
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:
Why do wikis and the like suggest that iptables should be in default
rather than boot runlevel?
Why not? There's no need to start it especially early, as long as it is
running before the network comes up, and the init script takes care of
that.
On Friday 29 Mar 2013 20:37:20 Neil Bothwick wrote:
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:
Why do wikis and the like suggest that iptables should be in default
rather than boot runlevel?
Why not? There's no need to start it especially early, as long as it is
running before the
On Fri, 29 Mar 2013 23:29:39 +, Mick wrote:
Why do wikis and the like suggest that iptables should be in default
rather than boot runlevel?
Why not? There's no need to start it especially early, as long as it
is running before the network comes up, and the init script takes
On Sat, Jan 05, 2013 at 11:57:10AM +, Mick wrote
It will, but only partially. It seems that the list is long and it
is getting longer and longer! Check this out:
whois -h whois.radb.net -- '-i origin AS32934' | grep ^route
(as advised by
On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
On 12/30/2012 10:21 PM, Walter Dnes wrote:
[0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
[0:0] -A FECESBOOK -j DROP
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 169.254.0.0/16 -i
On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote:
On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
On 12/30/2012 10:21 PM, Walter Dnes wrote:
[0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
[0:0] -A FECESBOOK -j DROP
[0:0] -A INPUT -s
On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote
On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote:
The mere fact that you haven't manually typed in...
http://www.facebook.com/blah_blah_blah does not mean you're not
connecting to it.
But all that's
On Jan 4, 2013 8:33 PM, Walter Dnes waltd...@waltdnes.org wrote:
On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote
On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote:
The mere fact that you haven't manually typed in...
On 2013-01-02 7:14 PM, Mick michaelkintz...@gmail.com wrote:
On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
Oh, ok - so, if I don't have any rules that use the 'mangle' command,
then I can safely remove mangle support from my kernel and lose the
mangle table altogether?
Yes, I would
Hi all,
This has been bugging me for a while...
I've googled, and can't seem to find a definitive answer to this question...
Lots of references to the Mangle table, but nothing that really explains
what this table is or does, and when or why I would want/need it.
Currently, I have this in
On 01/02/13 08:38, Tanstaafl wrote:
Hi all,
This has been bugging me for a while...
I've googled, and can't seem to find a definitive answer to this
question...
Lots of references to the Mangle table, but nothing that really explains
what this table is or does, and when or why I would
On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
Hi all,
This has been bugging me for a while...
I've googled, and can't seem to find a definitive answer to this
question...
Lots of references to the Mangle table, but nothing that really explains
what this table is or does, and when
On 2013-01-02 2:01 PM, Mick michaelkintz...@gmail.com wrote:
If you have a look at 'man iptables-extensions' it gives some examples of
using -t mangle.
I haven't looked in Google recently, but there should be some examples there
too.
Oh, ok - so, if I don't have any rules that use the
On 12/30/12 22:21, Walter Dnes wrote:
OK, here is version 2. I had an excellent adventure along the way.
I'm doing the upgrade on our servers right now, and there's another
possible gotcha: the newer iptables (requiring conntrack) requires
NETFILTER_XT_MATCH_CONNTRACK support in the kernel.
On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
On 2013-01-02 2:01 PM, Mick michaelkintz...@gmail.com wrote:
If you have a look at 'man iptables-extensions' it gives some examples of
using -t mangle.
I haven't looked in Google recently, but there should be some examples
there too.
On Jan 3, 2013 1:57 AM, Michael Orlitzky mich...@orlitzky.com wrote:
On 01/02/13 08:38, Tanstaafl wrote:
Hi all,
This has been bugging me for a while...
I've googled, and can't seem to find a definitive answer to this
question...
Lots of references to the Mangle table, but
On Jan 3, 2013 4:40 AM, Michael Orlitzky mich...@orlitzky.com wrote:
On 12/30/12 22:21, Walter Dnes wrote:
OK, here is version 2. I had an excellent adventure along the way.
I'm doing the upgrade on our servers right now, and there's another
possible gotcha: the newer iptables
On 12/30/2012 10:21 PM, Walter Dnes wrote:
[0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
[0:0] -A FECESBOOK -j DROP
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m
On 12/29/2012 01:32 PM, Walter Dnes wrote:
Two questions I'm not sure about.
1) I run a desktop, and use passive ftp. Is there any need for me to
accept RELATED packets?
Probably not, I think the server needs it though.
2) Does a -j LOG return to the chain it was called from, or does
2) Does a -j LOG return to the chain it was called from, or does it do
an implicit DROP?
It returns to the spot where it was called from.
Yep, so you could create a new chain to drop and log;
/sbin/iptables -N logdrop
/sbin/iptables -A logdrop -j LOG --log-prefix 'DROP '
/sbin/iptables -A
OK, here is version 2. I had an excellent adventure along the way.
* At the very last line (COMMIT), iptables-restore said it failed, but
no clue whatsoever as to why.
* I copied the rules file to a scratch-file, and converted it to a bash
script that called iptables each time.
* This
Two questions I'm not sure about.
1) I run a desktop, and use passive ftp. Is there any need for me to
accept RELATED packets?
2) Does a -j LOG return to the chain it was called from, or does it do
an implicit DROP?
--
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I
On 29-Dec-12 19:32, Walter Dnes wrote:
1) I run a desktop, and use passive ftp. Is there any need for me to
accept RELATED packets?
No, but you must take care of related connections. Even passive
ftp opens command (>1023 - 21) and data (>1023 - >1023) channels.
BTW, icmp-error (i.e. host
On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote
On 12/27/2012 10:59 PM, Walter Dnes wrote:
Here's my revised Paranoia Plus ruleset. Any comments? Because I'm
behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
However, I do have a backup dialup
Walter Dnes wrote:
On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote
On 12/27/2012 10:59 PM, Walter Dnes wrote:
Here's my revised Paranoia Plus ruleset. Any comments? Because I'm
behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
However, I do have a
Michael Orlitzky mich...@orlitzky.com writes:
The 'conntrack' module is supposed to be a superset of 'state', so most
things should be compatible. You really have two warnings there; the
first is for the state -> conntrack switch, and the second is because
you're missing the --state flag in
On 12/27/12 06:28, Graham Murray wrote:
Michael Orlitzky mich...@orlitzky.com writes:
The 'conntrack' module is supposed to be a superset of 'state', so most
things should be compatible. You really have two warnings there; the
first is for the state -> conntrack switch, and the second is
Michael Orlitzky wrote:
My first -m state rule is,
iptables -A INPUT -p ALL -m state \
--state ESTABLISHED,RELATED -j ACCEPT
That was mine, too (you can omit -p in this case, can't you?).
And if what you say is true, I'd be in deep shit if it reset to,
iptables -A INPUT -p ALL -m
On 12/27/12 12:52, Matthias Hanft wrote:
Michael Orlitzky wrote:
My first -m state rule is,
iptables -A INPUT -p ALL -m state \
--state ESTABLISHED,RELATED -j ACCEPT
That was mine, too (you can omit -p in this case, can't you?).
Yeah, it just makes the indentation line up in my
On Thu, Dec 27, 2012 at 11:28:15AM +, Graham Murray wrote
The problem is not really the OP's fault. The problem is that if you
have tables with the form -m state --state XXX at the point you
upgrade, iptables-save (quite possibly called automatically by
/etc/init.d/iptables stop) will
On 12/27/2012 06:11 PM, Walter Dnes wrote:
On Thu, Dec 27, 2012 at 11:28:15AM +, Graham Murray wrote
The problem is not really the OP's fault. The problem is that if you
have tables with the form -m state --state XXX at the point you
upgrade, iptables-save (quite possibly called
On Thu, Dec 27, 2012 at 06:50:07PM -0500, Michael Orlitzky wrote
Once you've upgraded, you should be able to add all of your old --state
rules normally, albeit with a warning. The new iptables will translate
them to conntrack rules, and you can `/etc/init.d/iptables save` the result.
The
On 12/27/2012 10:59 PM, Walter Dnes wrote:
Here's my revised Paranoia Plus ruleset. Any comments? Because I'm
behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
However, I do have a backup dialup connection in case of problems, so
most of my rules don't specify the
I'm sure I made more than one typo, but the ALLOWED_ICMP below
definitely needs a dollar sign.
for ok_icmp in ALLOWED_ICMP; do
iptables -A ICMP_IN -p icmp --icmp-type ${ok_icmp} -j ACCEPT
done
Many years ago, I understood IPCHAINS, and the first versions of
IPTABLES. However, IPTABLES has followed the example of Larry Wall's
Practical Extraction and Reporting Language
and turned into a pseudo-OS that I barely comprehend. Some rules
that I added many years ago were designed to reject
On 12/26/2012 07:47 PM, Walter Dnes wrote:
Many years ago, I understood IPCHAINS, and the first versions of
IPTABLES. However, IPTABLES has followed the example of Larry Wall's
Practical Extraction and Reporting Language
and turned into a pseudo-OS that I barely comprehend. Some rules
On 12/16/11 22:17, Tanstaafl wrote:
Hi all,
I was reading up on some iptables rules in the gentoo security handbook:
http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable
It mentions DROPing packets with an INVALID state.
It sounded/sounds like a good
On 2011-12-17 11:34 AM, Hari Purnama h...@mapits.com wrote:
Did you put the log-prefix rule before or after the LOG rule?
After - the log prefix rule is last...
Or why didn't you put it in a one-liner, say:
-A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7
--log-prefix (fw-drop):
Hi all,
I was reading up on some iptables rules in the gentoo security handbook:
http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable
It mentions DROPing packets with an INVALID state.
It sounded/sounds like a good idea, so I added the following rule:
-A
Hello,
This is on a server box, and I am *not* doing NAT on it...
Do I even need the nat table? If not, I'd like to build the kernel
without NAT support, but if there's a good reason not to do that, I won't...
Thanks
--
Charles
Hi,
you can define a rule like this:
iptables -A FORWARD -s 192.168.235.43,192.168.235.46 -d 10.0.0.1,192.168.0.1 -j ACCEPT
it will create 4 rules.
Be sure to activate Networking support -> Networking options -> Network
packet filtering framework -> Core Netfilter Configuration -> iprange
address range
On Mon, 2010-04-05 at 19:32 +0200, Jarry wrote:
Hi
I'd like to ask if there is some way to include multiple discrete
hosts/IP's in --source and --destination options of iptables.
I'm trying to write firewall rules for my server, but it has
12 IP's from different segments (and maybe it
Jarry writes:
I'd like to ask if there is some way to include multiple discrete
hosts/IP's in --source and --destination options of iptables.
I'm trying to write firewall rules for my server, but it has
12 IP's from different segments (and maybe it gets a few more
later), and the script
Hi
I'd like to ask if there is some way to include multiple discrete
hosts/IP's in --source and --destination options of iptables.
I'm trying to write firewall rules for my server, but it has
12 IP's from different segments (and maybe it gets a few more
later), and the script grows up as I have
Hello,
Can anyone good with iptables give this script a once over? It is
working, but in a very inconsistent manner, sometimes it lets traffic in,
other times not. Two things it does not have are dhcp rules as this box gets
its address via dhcp and cifs rules, this machine mounts cifs
2009/7/17 Dave dave.meh...@gmail.com:
Hello,
Can anyone good with iptables give this script a once over? It is
working, but in a very inconsistent manner, sometimes it lets traffic in,
other times not. Two things it does not have are dhcp rules as this box gets
its address via dhcp
Hi Dave,
this one is rather informative:
http://www.novell.com/coolsolutions/feature/18139.html
Also, this one from gentoo (although for 2.4) is worth reading:
http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
HTH!
--
Regards,
Marco
On Thu, Jul 16, 2009 at 5:32 AM,
Maybe this thread could be helpful as well:
http://marc.info/?l=gentoo-user&m=124058693215810&w=2
--
Regards,
Marco
On Thu, Jul 16, 2009 at 10:41 AM, Marco listwo...@gmail.com wrote:
Hi Dave,
this one is rather informative:
http://www.novell.com/coolsolutions/feature/18139.html
Also, this
2009/7/16 Marco listwo...@gmail.com
Maybe this thread could be helpful as well:
http://marc.info/?l=gentoo-user&m=124058693215810&w=2
--
Regards,
Marco
On Thu, Jul 16, 2009 at 10:41 AM, Marco listwo...@gmail.com wrote:
Hi Dave,
this one is rather informative:
Alejandro wrote:
On Thu, Jul 16, 2009 at 5:32 AM, Dave dave.meh...@gmail.com
mailto:dave.meh...@gmail.com wrote:
Hello,
I'm looking for a guide for iptables specifically for
gentoo 2.6.
I was also wondering if anyone was using apf Advanced
Hello,
I'm looking for a guide for iptables specifically for gentoo 2.6.
I was also wondering if anyone was using apf Advanced Policy
Firewall on a gentoo 2008.0 2.6 machine?
Thanks.
Dave.
I was following this guide to set up a home filter: iptables, DansGuardian,
and Squid.
http://www.linux.com/articles/113733
In the past it worked, but when I try it now, e.g.:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables: No chain/target/match by that
Chuanwen Wu wrote:
I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1.
Is it all right?
I don't know, it depends on what your gw's IP is.
Let's say you have this setup:
GW: 192.168.1.1
Other PCs are: 192.168.1.2... 192.168.1.3... and so on.
On the GW you need:
2007/5/14, Norberto Bensa [EMAIL PROTECTED]:
Chuanwen Wu wrote:
I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1.
Is it all right?
I don't know, it depends on what your gw's IP is.
Let's say you have this setup:
GW: 192.168.1.1
Other PCs are: 192.168.1.2...
On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
Thank you! I think I have done what you meant.
Here is the information:
/etc/conf.d/net in the server
config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
routes_eth0=( "default gw 202.114.10.129" )
OK
config_eth1=(
Greetings all. Hope the weather in Beijing is pleasant, Mr Wu.
On Mon, 14 May 2007 11:58:34 -0300 (ART)
Norberto Bensa [EMAIL PROTECTED] wrote:
On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
Thank you! I think I have done what you meant.
Here is the information:
/etc/conf.d/net in
Thanks Norberto and Dan Farrell! I think I had a misunderstanding and made
some mistakes. I hope I have corrected it now.
/etc/conf.d/net in the server
config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
routes_eth0=( "default gw 202.114.10.129" )
config_eth1=( 192.168.1.1 netmask
On Tue, 15 May 2007 10:35:38 +0800
Chuanwen Wu [EMAIL PROTECTED] wrote:
Does it mean that eth1 (the interface in my subnet) receives the request
but doesn't forward it?
Perhaps you should attach the output of iptables -t nat -L -v;
iptables -L -v; so I can see the rules... while you're at it,
2007/5/15, Dan Farrell [EMAIL PROTECTED]:
On Tue, 15 May 2007 10:35:38 +0800
Chuanwen Wu [EMAIL PROTECTED] wrote:
Does it mean that eth1 (the interface in my subnet) receives the request
but doesn't forward it?
Perhaps you should attach the output of iptables -t nat -L -v;
iptables -L -v;
Hi, guys!
I use iptables to let the PCs in the subnet connect to the internet outside.
And I wrote a simple script, but it doesn't work:
#!/bin/sh
iptables -F
#Define packets from Internet server to Intranet
iptables -A FORWARD -d 198.168.1.0/24 -i eth0 -j ACCEPT
#Define packets from Intranet to
Hello Wu,
Instead of the commands you posted, you should use
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
Long explanation:
The first command enables the kernel to _forward_ packets from
2007/5/13, Fabio A Correa [EMAIL PROTECTED]:
Hello Wu,
Instead of the commands you posted, you should use
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
I have tried. But it still doesn't work.
Chuanwen Wu wrote:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
On Saturday 21 April 2007 20:34, Mark Shields wrote:
On 4/21/07, Dan Johansson [EMAIL PROTECTED] wrote:
On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
On 21 April 2007, Dan Johansson wrote:
After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
firewall won't start
After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall
won't start (shorewall).
Here's the error:
iptables: Invalid argument
ERROR: Command /sbin/iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT Failed
I'm getting the same error message when I try