Re: [SLUG] iptables & netfilter TCP timeouts

2010-05-03 Thread Martin Visser
I haven't done a heck of a lot in anger with tuning iptables/netfilter based firewalls. I know that on a Cisco ASA (formerly known as PIX) firewall the default TCP established time-out is 1 hour and half-closed (which I think is FIN wait) is 10 minutes. These timers/counters are always a compromise

[SLUG] iptables & netfilter TCP timeouts

2010-05-03 Thread Kyle
I've been investigating some delays in my net connection recently and have become aware of the std tcp timeouts set in sysctl by netfilter's conntrack module. Namely; ip_conntrack_tcp_timeout_established 5 days ip_conntrack_tcp_timeout_fin_wait 2 min's ip_conntrack_tcp_time

Re: [SLUG] Iptables / Bridged

2009-11-14 Thread Grant Parnell
Andrew Hendrik Bootsma wrote: > Hi Guys; > > I recently setup a server with a main ip of x.x.x.x and a subnet which I > have bridged to an internal qtap0 adapter. > My current iptables setup however blocks all traffic of the subnet, and > when I allow the subnet; > iptables -I FORWARD -s 213.133.12

[SLUG] Iptables / Bridged

2009-11-14 Thread Andrew Hendrik Bootsma
Hi Guys; I recently setup a server with a main ip of x.x.x.x and a subnet which I have bridged to an internal qtap0 adapter. My current iptables setup however blocks all traffic of the subnet, and when I allow the subnet; iptables -I FORWARD -s 213.133.127.0/29 -j ACCEPT iptables -I INPUT -s 213.

Re: [SLUG] IPTables

2009-11-11 Thread Kyle
Rick, it dawned on me at 04:30 this morning (don't ask) that you probably want to tighten this up even more (and simplify it too) by doing the following; iptables -A INPUT -i ethX -s -m multiport -p tcp --dport www,ssh -j ACCEPT iptables -A INPUT -j DROP iptables -A OUTPUT -o ethX -d -j ACCE

Re: [SLUG] IPTables

2009-11-10 Thread Kyle
Rick, I do. I don't know whether it makes any difference or not you're using the multiport keyword (I would imagine not), but I use three '-m' statements on one line as in; -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT With

Re: [SLUG] IPTables

2009-11-10 Thread Dean Hamstead
also, not syncing the clock makes date stamps in logs almost entirely unreliable. Also very true unless maybe his server is a virtual one on top of a platform which provides an accurate clock. Or an external clock, perhaps GPS or some other solution for time sync. Dean -- http://fragfest.com

Re: [SLUG] IPTables

2009-11-10 Thread Amos Shapira
2009/11/11 Dean Hamstead : > sshd for example, will stall for quite an annoying amount of time trying to > do a reverse lookup. unless you dont actually have name servers configured > at all. Correct. Though specifically with sshd you can turn off reverse-dns lookup with "UseDNS no" in /etc/ssh/ss

Re: [SLUG] IPTables

2009-11-10 Thread Sonia Hamilton
On Tue, 10 Nov 2009 18:06:50 +1000, "Rick Phillips" said: > I am not very good at IPTables and was seeking opinions as to whether > this formula would work to fully block a connection from computer A to B > but allow ssh and web only from B to A. The tables would reside on A. In addition to rate

Re: [SLUG] IPTables

2009-11-10 Thread r...@greyheads.net
Kyle apologies for the top posting - mail2web is a bit dumb at this. Do you mean that the script should look like this iptables -A INPUT -m state --state NEW -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -j

Re: [SLUG] IPTables

2009-11-10 Thread Nicholas Jefferson
You can also allow ping requests and limit the rate and packet size, which gives you the niceties of being able to determine some level of connectivity, whilst reducing scope for abuse. You can rate limit by source IP address with the "recent" module. For example the following rules limit new

Re: [SLUG] IPTables

2009-11-10 Thread Dean Hamstead
Even though dns may not be 'turned on', almost everything tcpip related wants dns look ups. sshd for example, will stall for quite an annoying amount of time trying to do a reverse lookup. unless you don't actually have name servers configured at all. also, not syncing the clock makes date sta

Re: [SLUG] IPTables

2009-11-10 Thread Kyle
No guarantees, as I'd have to think about it a bit more, but I would think you might want to add '-m state --state NEW' to the first rule otherwise the 2nd rule is irrelevant. The 2nd rule will presently allow ALL established connections from anywhere that managed to get in to the machine

Re: [SLUG] IPTables

2009-11-10 Thread Rick Phillips
HI Dean > You most likely want to allow outbound dns and the subsequent reply > > Keep in mind that blocking outbound usually requires a few more > allowances than just the basic service you plan the box to provide. > > NTP also springs to mind, so that you can keep the clock in sync. > > You c

Re: [SLUG] IPTables

2009-11-10 Thread Dean Hamstead
You most likely want to allow outbound dns and the subsequent reply Keep in mind that blocking outbound usually requires a few more allowances than just the basic service you plan the box to provide. NTP also springs to mind, so that you can keep the clock in sync. You can also allow ping req

[SLUG] IPTables

2009-11-10 Thread Rick Phillips
I am not very good at IPTables and was seeking opinions as to whether this formula would work to fully block a connection from computer A to B but allow ssh and web only from B to A. The tables would reside on A. iptables -A INPUT -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT iptables -A
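Worked example added by the editor (not code from anyone in the thread): the ruleset the replies above converge on, as a script that prints an iptables-restore file for host A. The interface name and B's address are arguments; 192.0.2.10 in the usage line is a documentation address, not a real host. `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread and tests the same connection-tracking state. It puts Kyle's point in one place: the RELATED,ESTABLISHED rule only passes packets of connections that some NEW rule already admitted, so the NEW rule is what must be restricted to B and to ssh/www. ssh also gets the per-source brake from the recent module, ping is rate-limited instead of dropped, and OUTPUT is policy DROP with the DNS and NTP allowances Dean mentioned.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for host A.
#   usage: sh hostA-fw.sh eth0 192.0.2.10 | iptables-restore
# $1 = interface facing B, $2 = B's address (both placeholders; 192.0.2.10 is
# a documentation address, not a real host).
gen_rules() {
    ifc="$1"
    peer="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local services and the resolver library break without it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections that a NEW rule below already admitted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ssh brake per source address: the 4th NEW connection inside 60 s is dropped
-A INPUT -i $ifc -s $peer -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
-A INPUT -i $ifc -s $peer -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
# only B, only ssh/www, only connection openers; without --ctstate NEW this
# line would pass any TCP segment to those ports and make the brake above moot
-A INPUT -i $ifc -s $peer -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited echo-request so reachability can still be checked
-A INPUT -i $ifc -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 5 -j ACCEPT
# A may open nothing towards B; replies to B's sessions were allowed above
-A OUTPUT -o $ifc -d $peer -j DROP
# A's own housekeeping: DNS (udp and tcp) and NTP
-A OUTPUT -o $ifc -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $ifc -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# count_rules IFC PEER CHAIN: number of -A lines the generated set has for CHAIN
count_rules() {
    gen_rules "$1" "$2" | grep -c "^-A $3 "
}

if [ $# -ge 2 ]; then
    gen_rules "$1" "$2"
fi
```

iptables-restore swaps the whole table in atomically, so a script that dies halfway never leaves the box half open, and `iptables-save` afterwards shows exactly what the kernel holds rather than what the script meant.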

RE: [SLUG] iptables DNAT broadcast packets

2009-08-13 Thread Troy Rollo
Set up an ethernet tunnel interface (not an IP tunnel!) between the two systems and bridge the physical interface to the tunneled interface. The remote end will need an IP address on the local network. Trying to NAT a broadcast address seems to me to be asking for trouble. Note that by doing thi

Re: [SLUG] iptables DNAT broadcast packets

2009-08-13 Thread Jake Anderson
On 14/08/09 12:04, Tony Sceats wrote: Hi Sluggers, I have a strange requirement to redirect UDP packets sent to 255.255.255.255, forwarding them to another machine in a remote network... yes, this is borked - there is an application sending data to 255.255.255.255, not multicast or unicast, but

[SLUG] iptables DNAT broadcast packets

2009-08-13 Thread Tony Sceats
Hi Sluggers, I have a strange requirement to redirect UDP packets sent to 255.255.255.255, forwarding them to another machine in a remote network... yes, this is borked - there is an application sending data to 255.255.255.255, not multicast or unicast, but broadcasting UDP packets, and I'm in no

Re: [SLUG] iptables error msg

2009-07-23 Thread Rodolfo Martínez
Hi Adam, You are using an undefined variable on the lines below - ## FROM INTRANET ## $IPTABLES -A INPUT -p ALL -i $INTERNAL_DEVICE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INTERNAL_DEVICE -j ACCEPT - INTERNAL_DEVICE variable is not defined, it is commented at the

Re: [SLUG] iptables error msg

2009-07-23 Thread Daniel Pittman
Adam Bogacki writes: >> Setting up IPtables rules Using intrapositioned negation (`--option ! >> this`) is deprecated in favor of extrapositioned (`! --option this`). Bad >> argument `ACCEPT' Try `iptables -h' or 'iptables --help' for more >> information. Bad argument `ACCEPT' Try `iptables -h'

[SLUG] iptables error msg

2009-07-23 Thread Adam Bogacki
Hi, I keep getting Setting up IPtables rules Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`). Bad argument `ACCEPT' Try `iptables -h' or 'iptables --help' for more information. Bad argument `ACCEPT' Try `iptables -h' or 'iptables

Re: [SLUG] iptables default policy

2007-09-10 Thread Amos Shapira
On 10/09/2007, Alex Samad <[EMAIL PROTECTED]> wrote: > > iptables -P INPUT REJECT > iptables: Bad policy name This complies with what I understand from the man page of iptables 1.3.6(Debian Etch): -P, --policy chain target Set the policy for the chain to the given target. See the section TARGE

Re: [SLUG] iptables default policy

2007-09-10 Thread Amos Shapira
On 10/09/2007, Mark Chandler <[EMAIL PROTECTED]> wrote: > > Odd. My recollection was also that REJECT could be used in a policy. > However, it seems clear from the man pages and searching around that > ACCEPT, DROP, QUEUE, and RETURN are the only options. There are extended > targets that include R

Re: [SLUG] iptables default policy

2007-09-10 Thread Mark Chandler
Alex Samad wrote: On Mon, Sep 10, 2007 at 02:42:48PM +1000, Jamie Wilkinson wrote: This one time, at band camp, Alex Samad wrote: Hi I am just going through my firewall setup and I notice I can no longer do iptables -P INPUT REJECT when did this happen ? I could have sworn that is

Re: [SLUG] iptables default policy

2007-09-10 Thread Alex Samad
On Mon, Sep 10, 2007 at 02:42:48PM +1000, Jamie Wilkinson wrote: > This one time, at band camp, Alex Samad wrote: > >Hi > > > >I am just going through my firewall setup and I notice I can no longer do > >iptables -P INPUT REJECT > > > >when did this happen ? I could have sworn that is what I used

Re: [SLUG] iptables default policy

2007-09-09 Thread Jamie Wilkinson
This one time, at band camp, Alex Samad wrote: >Hi > >I am just going through my firewall setup and I notice I can no longer do >iptables -P INPUT REJECT > >when did this happen ? I could have sworn that is what I used to use as a >default, yes I know I can drop and add a -A -j REJECT News to m

[SLUG] iptables default policy

2007-09-09 Thread Alex Samad
Hi I am just going through my firewall setup and I notice I can no longer do iptables -P INPUT REJECT when did this happen ? I could have sworn that is what I used to use as a default, yes I know I can drop and add a -A -j REJECT Alex signature.asc Description: Digital signature -- SLUG -

Re: [SLUG] IPTABLES rule change to allow interface with AD

2007-01-19 Thread Phil Scarratt
[EMAIL PROTECTED] wrote: We have a server running in a DMZ servicing intranet and extranet. In the past we have blocked all traffic originating on the server from the two internal networks we run (eth1 and eth2) but have accepted traffic coming from the networks outside of the server. Eth0 is t

[SLUG] IPTABLES rule change to allow interface with AD

2007-01-18 Thread [EMAIL PROTECTED]
We have a server running in a DMZ servicing intranet and extranet. In the past we have blocked all traffic originating on the server from the two internal networks we run (eth1 and eth2) but have accepted traffic coming from the networks outside of the server. Eth0 is the direct connection to the

Re: [SLUG] Iptables

2006-02-21 Thread jam
On Wednesday 22 February 2006 02:39, [EMAIL PROTECTED] wrote: > > Hi sluggers, > > > > I'm quite ashamed to say it, but for a couple of years now all my > > firewalling and routing has been done using either webmin or > > firestarter. I have no idea how to use iptables! I find I just don't > > feel

Re: [SLUG] Iptables

2006-02-20 Thread David Kempe
tuxta2 wrote: Hi sluggers, I'm quite ashamed to say it, but for a couple of years now all my firewalling and routing has been done using either webmin or firestarter. I have no idea how to use iptables! I find I just don't feel totally in control when using gui front end and have now decided t

[SLUG] Iptables

2006-02-20 Thread tuxta2
Hi sluggers, I'm quite ashamed to say it, but for a couple of years now all my firewalling and routing has been done using either webmin or firestarter. I have no idea how to use iptables! I find I just don't feel totally in control when using gui front end and have now decided to learn how to

Re: [SLUG] iptables weirdness

2005-04-05 Thread Howard Lowndes
Grant Parnell wrote: On Tue, 5 Apr 2005, Howard Lowndes wrote: I've just upgraded a box (hardware & software) from RH 7.1 with an early 2.4.x kernel to FC3 with the latest 2.6.x kernel, but most of the config files I have brought over from the old box including the iptables rules sets, and it'

Re: [SLUG] iptables weirdness

2005-04-05 Thread Grant Parnell
On Tue, 5 Apr 2005, Howard Lowndes wrote: > I've just upgraded a box (hardware & software) from RH 7.1 with an early > 2.4.x kernel to FC3 with the latest 2.6.x kernel, but most of the config > files I have brought over from the old box including the iptables rules > sets, and it's these that a

Re: [SLUG] iptables weirdness

2005-04-05 Thread mlh
Howard, I'd have to see the rest of your rules, but here's an excerpt from my fc3 box for incoming ssh. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT i.e. you still need the 2nd rule. Actual

[SLUG] iptables weirdness

2005-04-05 Thread Howard Lowndes
I've just upgraded a box (hardware & software) from RH 7.1 with an early 2.4.x kernel to FC3 with the latest 2.6.x kernel, but most of the config files I have brought over from the old box including the iptables rules sets, and it's these that are giving me grief. The box acts as a gateway filt

[SLUG] iptables SNAT not working

2004-12-13 Thread Howard Lowndes
Just a couple of lines from my iptables rule set: iptables -A FORWARD -p UDP -s 192.168.254.17 --dport 4569 -i eth2 -o ppp0 -j ACCEPT iptables -t nat -A POSTROUTING -p UDP -s 192.168.254.17 --dport 4569 -o ppp0 -j SNAT --to-source 218.214.47.111 Can anyone think of any obvious reason why the

Re: [SLUG] Iptables / proxy server madness

2004-05-05 Thread Peter Rundle
Robert Collins wrote: [snip] If everything is fine until the second CR, then you probably have a MTU issue. See man iptables and put a MSS clamp rule in as they describe. Bingo! Thanks so much Rob this was exactly the problem. :-) For the curious, the relevant man iptables info is, TCPMSS

[SLUG] SLUG] Iptables / proxy server madness

2004-05-03 Thread Roger Salisbury
I would suggest put DNS by hand (not automatic detection) on client machine. Any IP DNS should do. EG Try Telstra's primary 61.9.192.14 & Try Telstra's secondary 61.9.192.15 Cheers Roger Sluggers, I'm hoping that someone can shed some light on this problem, otherwise I

[SLUG] Iptables / proxy server madness

2004-05-03 Thread Peter Rundle
Sluggers, I'm hoping that someone can shed some light on this problem, otherwise I must be going mad. I have two linux boxen, one of which is an internet gateway masquerading for the other using iptables. When I try to access a web site using Mozilla from the masqueraded box it fails miserably

Re: [SLUG] Iptables / proxy server madness

2004-05-03 Thread Robert Collins
On Tue, 2004-05-04 at 09:30, Peter Rundle wrote: > Sluggers, > > I'm hoping that someone can shed some light on this problem, otherwise I must be > going mad. > > I have two linux boxen, one of which is an internet gateway masquerading for the > other > using iptables. When I try to access a w

Re: [SLUG] Iptables / proxy server madness

2004-05-03 Thread Greg Cockburn
Also, Something that has tripped me up in the past when telneting to port 80 is transparent proxies. But using http 1.1 and not just typing GET, will work. Good luck, Greg. On Tue, 4 May 2004 10:09 am, Robert Collins wrote: > On Tue, 2004-05-04 at 09:30, Peter Rundle wrote: > > Sluggers, > > >

Re: [SLUG] iptables - filtering not working.

2004-05-03 Thread Robert Collins
On Mon, 2004-05-03 at 20:52, Ken Foskey wrote: > Here are the rules, I want to stop port 80 being accepted from any > network except squid on this machine. This is not working. > > I think I have a drop all INPUT for port 80 and it is not dropping. get rid of the INPUT drop rule. You need a FORW

[SLUG] iptables - filtering not working.

2004-05-03 Thread Ken Foskey
Here are the rules, I want to stop port 80 being accepted from any network except squid on this machine. This is not working. I think I have a drop all INPUT for port 80 and it is not dropping. Help... gateway:~# iptables -L INPUT Chain INPUT (policy DROP) target prot opt source

Re: [SLUG] IPtables DNAT question

2004-02-19 Thread Peter Rundle
Alexander Samad wrote: Why not something different and reverse proxy ? Because that means installing and configuring software such as squid or apache on the gateway, where as if I can do it with iptables that's a whole bunch less configuration I have to do. Also if I can figure this out with

Re: [SLUG] IPtables DNAT question

2004-02-19 Thread Robert Collins
On Fri, 2004-02-20 at 10:43, Alexander Samad wrote: > Why not something differnt and reverse proxy ? Because I was answering the question. If we were talking reverse proxy, I'd be pimping squid, naturally. Rob -- GPG key available at: . signature.asc De

Re: [SLUG] IPtables DNAT question

2004-02-19 Thread Alexander Samad
Why not something different and reverse proxy ? On Fri, Feb 20, 2004 at 09:54:40AM +1100, Robert Collins wrote: > On Fri, 2004-02-20 at 09:49, Phil Scarratt wrote: > > Peter Rundle wrote: > > > Sluggers, > > > > > > I'm D'nating access to my web server via my Linux Gateway with this > > > stateme

Re: [SLUG] IPtables DNAT question

2004-02-19 Thread Robert Collins
On Fri, 2004-02-20 at 09:49, Phil Scarratt wrote: > Peter Rundle wrote: > > Sluggers, > > > > I'm D'nating access to my web server via my Linux Gateway with this > > statement. > > > >iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to > > 172.16.0.148 > > > > This works g

Re: [SLUG] IPtables DNAT question

2004-02-19 Thread Phil Scarratt
Peter Rundle wrote: Sluggers, I'm D'nating access to my web server via my Linux Gateway with this statement. iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 172.16.0.148 This works great as long as the default gateway on the web server (172.16.0.148) points to the Linu

[SLUG] IPtables DNAT question

2004-02-19 Thread Peter Rundle
Sluggers, I'm D'nating access to my web server via my Linux Gateway with this statement. iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 172.16.0.148 This works great as long as the default gateway on the web server (172.16.0.148) points to the Linux Gateway. However,

Re: [SLUG] iptables (debian)

2003-12-21 Thread James Gray
Andrew Cowie wrote: On Sat, 2003-12-20 at 22:26, Daniel Bush wrote: am wondering if the LOG facility of iptables and syslogd are the problem. Have also disabled any '(x)console/tty' items from /etc/syslog.conf ) It's always possible you missed something... In any case, I always found on my Deb

Re: [SLUG] iptables (debian)

2003-12-21 Thread Daniel Bush
Hi Rene, That's bang on the money! And for a bonus, you've told me how to get a separate firewall log file without having to do too much extra work. You've seriously made my day. Thanks. My thanks also goes to Andrew and Julian for helpful extras in earlier posts. Cheers, Daniel. On 18:37 21-1

Re: [SLUG] iptables (debian)

2003-12-21 Thread Rene Cunningham
On Sun, Dec 21, 2003 at 02:26:40PM +1100, Daniel Bush wrote: > example (iptables 'seems' to print this both to tty and > /var/log/messages... ) > - > IN=ppp0 OUT= MAC= SRC=63.154.36.125 DST=203.206.0.244 LEN=48 > TOS=0x00 PREC=0x00 TTL=110 ID=12283 DF PROTO=TCP SPT=3830 DPT=135 > WIND

RE: [SLUG] iptables (debian)

2003-12-20 Thread Julian Melville
> It doesn't just print to any tty; it assiduously finds the one I'm > currently on and prints to that (ie the one currently on-screen > locally). It doesn't seem to happen when I log in remotely but still, > this is starting to get me down. I've noticed this with the Shorewall firewall. It was d

Re: [SLUG] iptables (debian)

2003-12-20 Thread Andrew Cowie
On Sat, 2003-12-20 at 22:26, Daniel Bush wrote: > am wondering if the LOG facility of iptables and syslogd are the > problem. Have also disabled any '(x)console/tty' items from /etc/syslog.conf ) It's always possible you missed something... In any case, I always found on my Debian systems that t

[SLUG] iptables (debian)

2003-12-20 Thread Daniel Bush
Hi, Just recently tried out debian on one of my old machines in place of a redhat system I had been using for the past year. But I am having trouble with an iptables firewall script which keeps insisting on spraying stuff to my terminal (tty1,2,3...) even though its being syslogged into /var/log/m

Re: [SLUG] IPtables Script

2003-10-15 Thread Grant Parnell
On Wed, 15 Oct 2003, Robert Collins wrote: > On Wed, 2003-10-15 at 15:08, Craig Mead wrote: > > G'day, > > 1 - force it to come up on ppp0 > > unit 0 in the ppp config. Oh nice! BUT that's not in the current release of pppd (2.4.1) but is in the new beta version (2.4.2b3). Thanks for alerting

Fw: [SLUG] IPtables Script

2003-10-14 Thread Craig Mead
- Original Message - From: "Robert Collins" <[EMAIL PROTECTED]> To: "Craig Mead" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, October 15, 2003 3:11 PM Subject: Re: [SLUG] IPtables Script > 2 - set a var. @ the top of the script so

Re: [SLUG] IPtables Script

2003-10-14 Thread scott
[EMAIL PROTECTED] wrote on 15-10-2003 03:08:16 PM: > G'day, > > Got an iptables script which shares the DSL out over the network. Thanks to > the joys of being on Telstra the connections been up and down quite > regularly lately. > > Problem is the script is (well, was) based around ppp0 > > W

Re: [SLUG] IPtables Script

2003-10-14 Thread Robert Collins
On Wed, 2003-10-15 at 15:08, Craig Mead wrote: > G'day, > 1 - force it to come up on ppp0 unit 0 in the ppp config. > 2 - set a var. @ the top of the script so its just one change per down or use ppp+ in the iptables script, which will match all ppp interfaces. And doesn't need to be bounced on

[SLUG] IPtables Script

2003-10-14 Thread Craig Mead
G'day, Got an iptables script which shares the DSL out over the network. Thanks to the joys of being on Telstra the connections been up and down quite regularly lately. Problem is the script is (well, was) based around ppp0 When the connection goes down it usually doesn't come back up as ppp0, i

Re: [SLUG] IPTABLES/RH8

2003-01-22 Thread Adam Hewitt
I guess it helps when I look at the info I am posting about...the HOWTO is actually the IP-MASQ HOWTO, which does talk about iptables, and although it is called the IP-MASQ howto, it is very easy to work out from the info how to turn off MASQ if you don't need it. Adam. On Thu, 2003-01-23 at 15:41

Re: [SLUG] IPTABLES/RH8

2003-01-22 Thread mlh
On Thu, Jan 23, 2003 at 01:29:42PM +1100, Peter Vogel wrote: > I am trying to configure a firewall for my new Redhat 8 installation, > operating as a masquerading internet gateway. > > I have tried various IPTABLES scripts I have found on the net, but they > generate lots of errors when I try to

RE: [SLUG] IPTABLES/RH8

2003-01-22 Thread Jon Biddell
Robert Collins Sent: Thursday, 23 January 2003 1:39 PM To: Peter Vogel Cc: [EMAIL PROTECTED] Subject: Re: [SLUG] IPTABLES/RH8 On Thu, 2003-01-23 at 13:29, Peter Vogel wrote: > I am trying to configure a firewall for my new Redhat 8 installation, > operating as a masquerading internet gateway.

Re: [SLUG] IPTABLES/RH8

2003-01-22 Thread Graeme Robinson
On 23 Jan 2003, Adam Hewitt wrote: > Hi Peter, > > Have a look at the HOWTO (firewall iirc) under the documentation section > at linux.org, you can cut and paste that script and it will work and you > will learn nuts and bolts while you are reading through the > documentation... this howto appe

Re: [SLUG] IPTABLES/RH8

2003-01-22 Thread Adam Hewitt
Hi Peter, Have a look at the HOWTO (firewall iirc) under the documentation section at linux.org, you can cut and paste that script and it will work and you will learn nuts and bolts while you are reading through the documentation... Adam. On Thu, 2003-01-23 at 13:29, Peter Vogel wrote: > I am t

Re: [SLUG] IPTABLES/RH8

2003-01-22 Thread Erik de Castro Lopo
Hi Peter, On Thu, 23 Jan 2003 13:29:42 +1100 Peter Vogel <[EMAIL PROTECTED]> wrote: > I am trying to configure a firewall for my new Redhat 8 installation, > operating as a masquerading internet gateway. > > I have tried various IPTABLES scripts I have found on the net, but they > generate lots

Re: [SLUG] IPTABLES/RH8

2003-01-22 Thread Robert Collins
On Thu, 2003-01-23 at 13:29, Peter Vogel wrote: > I am trying to configure a firewall for my new Redhat 8 installation, > operating as a masquerading internet gateway. You might try firestarter - it's quite nice. (If you don't want to get down to the metal, that is) Rob -- GPG key available at:

[SLUG] IPTABLES/RH8

2003-01-22 Thread Peter Vogel
I am trying to configure a firewall for my new Redhat 8 installation, operating as a masquerading internet gateway. I have tried various IPTABLES scripts I have found on the net, but they generate lots of errors when I try to run them; some examples: Unkown arg --sport --state Command not found

RE: [SLUG] Iptables - UDP Frag?

2003-01-09 Thread MacFarlane, Jarrod
Thanks for the info! I think I will follow your last two suggestions. Cheers, Jarrod chesty wrote: > I think its safer to tell the kernel to always reassemble fragments, > therefore iptables will never see fragments. > Its done automatically if you load a NAT or connection > tracking module,

Re: [SLUG] Iptables - UDP Frag?

2003-01-09 Thread chesty
On Fri, Jan 10, 2003 at 09:22:15AM +1100, MacFarlane, Jarrod wrote: > Jan 10 08:57:58 firewall kernel: __FORWARD_DROP__IN=eth1 OUT=eth2 > SRC=10.1.1.72 DST=10.2.0.11 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=11435 > FRAG:185 PROTO=UDP > Wondering what it is, and how I can allow it? If a packet is bi

[SLUG] Iptables - UDP Frag?

2003-01-09 Thread MacFarlane, Jarrod
Hi all, I'm having the following show up in my internal firewall logs. Jan 10 08:57:58 firewall kernel: __FORWARD_DROP__IN=eth1 OUT=eth2 SRC=10.1.1.72 DST=10.2.0.11 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=11435 FRAG:185 PROTO=UDP Wondering what it is, and how I can allow it? I've allowed tcp/udp
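Both LOG lines quoted on this page (the ppp0 one from the "iptables (debian)" thread and Jarrod's __FORWARD_DROP__ line above) have the same shape: a syslog prefix, an optional --log-prefix, then key=value tokens with a few bare flags such as DF and SYN, and FRAG:offset on non-first fragments. The script below is an added example by the editor, not from any poster, that parses that format with awk and summarises it. The sample log is constructed: the first line is the debian-thread line continued past its truncation with plausible TCP fields, the second is Jarrod's line as quoted, the third is invented. Note what the fragment line lacks: no SPT or DPT at all, because only the first fragment carries the UDP header. That is why a port-based ACCEPT never matched it and why chesty's advice to let the kernel reassemble first (which loading NAT or connection tracking does automatically) fixes it.

```shell
#!/bin/sh
# Added example: turn netfilter LOG lines into columns and summarise them.
# SAMPLE_LOG is constructed for this example: line 1 is the debian-thread line
# completed with plausible TCP fields, line 2 is the UDP fragment line from the
# thread above, line 3 is invented (ICMP echo with a --log-prefix).
SAMPLE_LOG='Dec 21 14:20:01 gw kernel: IN=ppp0 OUT= MAC= SRC=63.154.36.125 DST=203.206.0.244 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12283 DF PROTO=TCP SPT=3830 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 08:57:58 firewall kernel: __FORWARD_DROP__IN=eth1 OUT=eth2 SRC=10.1.1.72 DST=10.2.0.11 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=11435 FRAG:185 PROTO=UDP
Jan 10 09:01:13 firewall kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.72 DST=10.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1'

# parse_nf_log: stdin -> one tab-separated row per LOG line:
#   prefix  in  out  src  dst  proto  dpt  frag   ("-" where absent)
parse_nf_log() {
    awk '
    {
        split("", kv); prefix = ""; frag = ""; seen = 0
        for (i = 1; i <= NF; i++) {
            t = $i
            eq = index(t, "=")
            if (eq > 0) {
                k = substr(t, 1, eq - 1); v = substr(t, eq + 1)
                # a --log-prefix written without a trailing space glues itself to IN=
                if (k != "IN" && k ~ /IN$/) { prefix = substr(k, 1, length(k) - 2); k = "IN" }
                if (k == "IN") seen = 1
                if (seen && !(k in kv)) kv[k] = v   # first ID= is the IP id, not the ICMP echo id
            } else if (t ~ /^FRAG:/) {
                frag = substr(t, 6)                 # fragment offset: no L4 header in this packet
            } else if (!seen && t ~ /:$/ && t != "kernel:") {
                prefix = substr(t, 1, length(t) - 1)
            }
        }
        if (!seen) next                             # not a netfilter LOG line
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", (prefix == "" ? "-" : prefix), kv["IN"],
            (kv["OUT"] == "" ? "-" : kv["OUT"]), kv["SRC"], kv["DST"], kv["PROTO"],
            ("DPT" in kv ? kv["DPT"] : "-"), (frag == "" ? "-" : frag)
    }'
}

# frag_count: how many logged packets were non-first fragments (no port to match on)
frag_count() {
    parse_nf_log | awk -v FS='\t' '$8 != "-" { n++ } END { print n + 0 }'
}

# hits_by_source: logged packets per SRC, busiest first, as "addr count"
hits_by_source() {
    parse_nf_log | cut -f4 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# usage on a real box:  grep 'IN=' /var/log/messages | hits_by_source | head
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | parse_nf_log
fi
```

Run it as `sh nflog.sh demo` to see the three rows; on a live box feed it `/var/log/messages` (or the separate kern.* file the debian thread ends up with) and the per-source counts tell you whether one host is behind most of the drops before you touch a single rule.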

Re: [SLUG] iptables ip-address format question...

2002-11-18 Thread Andy Eager
[EMAIL PROTECTED] wrote: G'day all... When creating my iptables firewall rules, if I specify an address as 192.168.0.0 will that match all 192.168.*.* addresses? No, you'd want 192.168.0.0/16 for that Andy -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slu

Re: [SLUG] iptables ip-address format question...

2002-11-18 Thread Tim White
No, but 192.168.0.0/16 will (or 192.168.0.0/24 for 192.168.0.*) Tim White On Tue, 2002-11-19 at 14:05, [EMAIL PROTECTED] wrote: > G'day all... > > When creating my iptables firewall rules, if I specify an address as > 192.168.0.0 will that match all 192.168.*.* addresses? > > Thanks... > >

Re: [SLUG] iptables ip-address format question...

2002-11-18 Thread Matthew Palmer
On Tue, 19 Nov 2002 [EMAIL PROTECTED] wrote: > When creating my iptables firewall rules, if I specify an address as > 192.168.0.0 will that match all 192.168.*.* addresses? No, that'll match the IP address 192.168.0.0 (it isn't necessarily a network address, you know). You'd be wanting 192.168.

[SLUG] iptables ip-address format question...

2002-11-18 Thread mkraus
G'day all... When creating my iptables firewall rules, if I specify an address as 192.168.0.0 will that match all 192.168.*.* addresses? Thanks... Mike --- Michael S. E. Kraus Administration Capital Holdings Group (NSW) Pty Ltd [EMAIL PROTECTED] phone (02) 9955 8000 fax (02) 9955 8144 -- SLUG
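A small added example (the editor's, not from the thread) that does the arithmetic behind the three answers: an iptables address without a mask is /32, so `-s 192.168.0.0` matches exactly one host, while /16 and /24 (or the dotted form such as /255.255.0.0, which iptables also accepts) are what cover 192.168.*.* and 192.168.0.*. `iptables -S` prints the bare form back as 192.168.0.0/32, which is the quickest way to catch the mistake in an existing ruleset.

```shell
#!/bin/sh
# Added example: does ADDRESS fall inside NET[/LEN or /DOTTED-MASK] the way
# iptables -s/-d would match it?  Pure POSIX sh arithmetic, no external tools.

# ip2int: dotted quad -> unsigned 32-bit value (subshell keeps the IFS change local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDRESS NET[/LEN]: exit 0 if ADDRESS is covered by NET
in_cidr() {
    net=${2%/*}
    len=${2#*/}
    case "$len" in
        "$2") mask=4294967295 ;;                                  # no "/" at all: /32, one host
        *.*)  mask=$(ip2int "$len") ;;                            # dotted mask, e.g. /255.255.0.0
        0)    mask=0 ;;                                           # /0: everything
        *)    mask=$(( (4294967295 << (32 - len)) & 4294967295 )) ;;
    esac
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# usage: sh in_cidr.sh 192.168.5.7 192.168.0.0/16 && echo covered
if [ $# -eq 2 ]; then
    in_cidr "$1" "$2"
fi
```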

Re: [SLUG] iptables problems

2002-11-12 Thread Crossfire
Matt M was once rumoured to have said: > At 17:31 11/11/2002, you wrote: > >I'm having a hard time deciphering iptables rules. Would any of these > >rules cause a "sendto: operation not permitted" error? > > Short answer: Probably not. [much snipped] Gah, I can't trust anybody on this list to a

Re: [SLUG] iptables problems

2002-11-11 Thread Howard Lowndes
On Mon, 11 Nov 2002, Rob B wrote: > I'm having a hard time deciphering iptables rules. Would any of these > rules cause a "sendto: operation not permitted" error? Look at /proc/sys/net/ipv4/ip_forward It should be = 1 if you are doing forwarding. Also look at your routing table - route -n You

Re: [SLUG] iptables problems

2002-11-10 Thread Matt M
At 17:31 11/11/2002, you wrote: I'm having a hard time deciphering iptables rules. Would any of these rules cause a "sendto: operation not permitted" error? Short answer: Probably not. Long answer: Yes, but only if your IP is in the range 10.0.0.0/24, and if it was, well, you wouldn't be able

[SLUG] iptables problems

2002-11-10 Thread Rob B
I'm having a hard time deciphering iptables rules. Would any of these rules cause a "sendto: operation not permitted" error? bunbun:~# iptables --list Chain INPUT (policy DROP) target prot opt source destination ipac_inall -- anywhere anywhere ACCEPT all

Re: [SLUG] iptables / ipchains - Which suits me best?

2002-08-02 Thread Kevin Saenz
Really iptables is native for kernel 2.4, ipchains is perfect under kernel 2.2 I have tried running my ipchains rules under redhat 7.1 and found that it would not run. So I upgraded my firewall rules to iptables based. If you are a little lazy :) have a look at guarddog it requires KDE and from w

RE: [SLUG] iptables / ipchains - Which suits me best?

2002-08-01 Thread Marty Richards
> > I'm looking to share my dialup Internet connection on a soon to be > > Redhat 7.3 machine, with two clients behind it on a private > IP range. [snip] > > Works for me also. > > - Netmeeting (nice, but not essential) Netmeeting was a broken protocol last I looked (~18 mths ago), embeddi

Re: [SLUG] iptables / ipchains - Which suits me best?

2002-08-01 Thread michael
> I'm looking to share my dialup Internet connection on a soon to be > Redhat 7.3 machine, with two clients behind it on a private IP range. Excellent, I've been doing this for a few years on and off, depending on when I have a permanent or dynamic circuit to the net.> > It has been about 3 years

[SLUG] iptables / ipchains - Which suits me best?

2002-08-01 Thread sarahb_123
I'm looking to share my dialup Internet connection on a soon to be Redhat 7.3 machine, with two clients behind it on a private IP range. It has been about 3 years since I last did this, and I remember at the time there was fiddling that was required to get things like IRC and ICQ to work, spec

Re: [SLUG] IPTABLES help needed

2002-07-29 Thread Peter Rundle
Hi Bernhard, Sorry don't have an answer for you but would be very interested in any you got. > What do I need to do to get the return packet to go out on the > correct interface? Yeah, run into this issue many a time, "asymmetric routing". Perhaps you can re-write the source address to be the ip

[SLUG] IPTABLES help needed

2002-07-28 Thread Bernhard Lüder
Hi, I want to make this short. So the situation is: A gateway Linux box with 3 interfaces. 1 to a DSL link (Default route) 2 to a ISDN link 3 LAN A web server on the LAN. Its default route is via

[SLUG] IPTables and routing

2002-07-08 Thread Richard Hayes
Dear list, I have a Linux box acting as a NAT router with a number of ethernet ports. Each port uses the accounting features of IPTables but the masquerading is interfering with accounting functions. Should I use IProute2 and ignore the masquerading? The example in the Advanced Routing Howto

[SLUG] IPTables modules .gz??

2002-07-03 Thread Richard Hayes
Dear list, I am trying to install some IPTables rules on Mandrake 8.2. I have an sample rule set and tried to modify it and install it. 1. Using iptables -L I get the following error " insmod error caused by incorrect modules parameters 2. iptables can't initiate iptables 'filter' After d

Re: [SLUG] iptables: newbie question

2002-06-24 Thread Russell Davie
Thanks for all the great suggestions, especially like ntsysv I found its a Mandrake distro thing, which has its own quirks. Mdk has a different directory system to what the ipchains compile and as a result it doesn't get started. I found this by installing iptables-ipv6-1.2.6a-1mdk.i586.rpm

Re: [SLUG] iptables: newbie question

2002-06-22 Thread Antony Clarke
Shouldn't post this late. I meant < 1.2.6. :( Antony Clarke wrote: > Apparently some issues with > 1.2.6 and the 2.4.18 as the iptables had > bugging turned on by default. I know you are using 1.2.6, however I > would download the latest version and compile it to see if this fixes > it. Is t

Re: [SLUG] iptables: newbie question

2002-06-22 Thread Antony Clarke
Apparently some issues with > 1.2.6 and the 2.4.18 as the iptables had bugging turned on by default. I know you are using 1.2.6, however I would download the latest version and compile it to see if this fixes it. Is the source you are talking about from the install cd-rom or a newer download.

[SLUG] iptables: newbie question

2002-06-21 Thread Russell Davie
Hi, I'm having few challenges getting iptables up and running. please help! The kernel can't seem to see iptables when it's called and replies with The kernel is 2.4.18, iptables is 1.2.6a, iptables has been compiled from source, and kernel recompiled to include iptables and netfilter as per ins

Re: [SLUG] iptables DNAT help required

2002-03-24 Thread Peter Rundle
Oops, Ignore that last question, I forgot to re-enable forwarding. Doh! But hey I love it when it's that easy. Cheers Pete -- SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug

Re: [SLUG] iptables DNAT help required

2002-03-24 Thread Peter Rundle
> > >s/POSTROUTING/PREROUTING/ > >DNAT has to be applied before a routing decision is made so the >packets can be routed correctly. > Hmmm, ok that makes sense. 'spose I should send a mail to the author and let him know that his webpage is wrong (uh hmm "incorrect" :-) Anyways the rule sticks n

Re: [SLUG] iptables DNAT help required

2002-03-24 Thread Daniel Stone
On Sun, Mar 24, 2002 at 07:12:52PM +1100, Crossfire wrote: > Peter Rundle was once rumoured to have said: > > # iptables -t nat -A POSTROUTING -p tcp -s 0/0 --dport 80 -j DNAT --to > > 192.168.1.99 > > iptables: Invalid argument > > > > Cluesticks? > > s/POSTROUTING/PREROUTING/ > > DNAT has to

Re: [SLUG] iptables DNAT help required

2002-03-23 Thread Crossfire
Peter Rundle was once rumoured to have said: > Sluggers, > > I'm playing around with DNAT on iptables but whenever I try to put > the rule in I just get an error "Invalid argument". I've looked at a > number of examples on the net and they all seem to be doing the same > thing that I am. Does any

[SLUG] iptables DNAT help required

2002-03-23 Thread Peter Rundle
Sluggers, I'm playing around with DNAT on iptables but whenever I try to put the rule in I just get an error "Invalid argument". I've looked at a number of examples on the net and they all seem to be doing the same thing that I am. Does anyone know if there is a version problem? I've got kerne
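An added, editor-written gateway ruleset that ties the DNAT threads together: this one, where DNAT in POSTROUTING gives "Invalid argument" and the fix is PREROUTING, and the 2004 "IPtables DNAT question", where the web server's default gateway is not the Linux box so its replies never come back through it. It also carries the ppp+ wildcard from the "IPtables Script" thread and the TCPMSS clamp from "Iptables / proxy server madness". Nothing here is a poster's script. 172.16.0.148 is the web server from the 2004 thread; 172.16.0.1 as the gateway's LAN address, eth1 as the LAN side and the 192.168.1.99 in the bad-rule check are placeholders. The small linter at the end encodes the rule iptables itself enforces for the usual cases: DNAT and REDIRECT only in PREROUTING or OUTPUT, SNAT and MASQUERADE only in POSTROUTING.

```shell
#!/bin/sh
# Added example: nat + mangle + filter tables for a small masquerading gateway
# with one port-forward, emitted as an iptables-restore file.
#   usage: sh gateway.sh 'ppp+' eth1 172.16.0.1 172.16.0.148 | iptables-restore
#          echo 1 > /proc/sys/net/ipv4/ip_forward     # forgotten in one thread above
# $1 internet side (ppp+ matches whichever unit pppd comes up on), $2 LAN side,
# $3 the gateway's own LAN address (assumed placeholder), $4 the web server.
gen_gateway() {
    wan="$1"; lan="$2"; lanip="$3"; web="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT happens before the routing decision, hence PREROUTING; in POSTROUTING it is rejected
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web
# web server's default route is not this box: rewrite the source as well, so its
# replies come back here.  The cost is that its logs only ever show $lanip as the client.
-A POSTROUTING -o $lan -p tcp -d $web --dport 80 -j SNAT --to-source $lanip
# LAN out to the internet; MASQUERADE rather than SNAT because the ppp address changes
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PPPoE MTU problem: clamp the MSS on every forwarded SYN to the path MTU
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT for the box itself is out of scope here; lock it down separately
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
# FORWARD sees the already-rewritten destination, so match the web server, not the public address
-A FORWARD -i $wan -o $lan -p tcp -d $web --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# nat_chain_ok TARGET CHAIN: 0 if the nat table accepts that target in that chain
nat_chain_ok() {
    case "$1:$2" in
        DNAT:PREROUTING|DNAT:OUTPUT|REDIRECT:PREROUTING|REDIRECT:OUTPUT) return 0 ;;
        SNAT:POSTROUTING|MASQUERADE:POSTROUTING) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_nat: read a restore file on stdin, report nat rules that cannot load
lint_nat() {
    table=""; rc=0
    while IFS= read -r line; do
        case "$line" in
            \**) table="${line#\*}" ;;
            -A*) [ "$table" = nat ] || continue
                 set -- $line
                 chain="$2"; tgt=""
                 while [ $# -gt 0 ]; do
                     [ "$1" = "-j" ] && tgt="$2"
                     shift
                 done
                 if [ -n "$tgt" ] && ! nat_chain_ok "$tgt" "$chain"; then
                     echo "bad: $tgt cannot be used in $chain"
                     rc=1
                 fi ;;
        esac
    done
    return $rc
}

if [ $# -eq 4 ]; then
    gen_gateway "$1" "$2" "$3" "$4" | lint_nat >/dev/null && gen_gateway "$1" "$2" "$3" "$4"
fi
```

If the client address matters to the web server (logs, access control), skip the SNAT line and instead give the web server a route back through the gateway for the addresses it serves; the SNAT form is the one that works without touching the server.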

Re: [SLUG] iptables help required

2002-03-22 Thread Jon Biddell
At 12:57 22/03/02 +1100, Kevin Saenz wrote: >Peter, > >Firstly don't try by trial and error. Someone has already gone thru the >same trouble as yourself. I would suggest that you go to freshmeat.net >and do a search for iptables, there is a tutorial there I think it's >boingworld.com or something

Re: [SLUG] iptables accounting

2002-03-21 Thread Jean-Francois Dive
In fact, instead of logging each packet, you should simply use the 2 counters associated with each rule. So, for example: Chain FORWARD (policy ACCEPT 2408 packets, 1136110 bytes) pkts bytes target prot opt in out source destination 0
