Hi,
I have this configuration
Redhat 7.2 with iptables 1.2.4 (rh rpm)
eth0: internet - 202.188.x.x
eth1: DMZ - 192.168.100.1
eth2: Internal network - 192.168.1.1
I want to set the rule that accepts forwarding coming out from eth2 to eth1
(dmz).
/sbin/iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
--- langzi [EMAIL PROTECTED] wrote:
Hi,
I have this configuration
Redhat 7.2 with iptables 1.2.4 (rh rpm)
eth0: internet - 202.188.x.x
eth1: DMZ - 192.168.100.1
eth2: Internal network - 192.168.1.1
I want to set the rule that accepts forwarding coming out
from eth2 to eth1
(dmz).
On Mon, 27 May 2002, Stewart Thompson wrote:
Normally the iptables script runs after the interfaces have been brought up
by the system.
By that time blocking DHCP is kind of irrelevant. A default policy of drop
should block everything
all right, but it is kind of closing the barn door
Roar:
You are absolutely right. I just tried on one of my machines.
It still manages to get an IP and start up with ifup. I don't have an
explanation for it. Time for the Guruz to chime in.
Stu..
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On
On Tuesday 28 May 2002 7:49 am, langzi wrote:
Hi,
I want to set the rule that accept forwarding from eth2 to eth1 (dmz).
/sbin/iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
But, when I do iptables -L,
The rules show that it is from Source: Anywhere to Destination: Anywhere
This is
Hello, netfilters!
I read that the iptables rule order is important.
In Linux Firewalls 2nd edition written by Ziegler it is written like this.
1. blocking traffic rules must come before the rules allowing traffic to
specific service.
2. obviously, the FTP data channel rules must come near the
I thought this rule was forwarding all the packets to my windows2k machine.
iptables -t nat -A PREROUTING -s $internet -i eth0 -j DNAT --to $vpncomp
Do a specific rule would work better ?
Regards
High Speed [EMAIL PROTECTED] wrote:
You need to forward IP protocol type 47 to your internal VPN
On Tuesday 28 May 2002 10:27 am, Miky J wrote:
I thought this rule was forwarding all the packets to my windows2k machine.
iptables -t nat -A PREROUTING -s $internet -i eth0 -j DNAT --to
$vpncomp
This is a PREROUTING rule, not a FORWARDING rule.
You need to make sure you are FORWARDING
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of SB CH
Sent: May 28, 2002 2:21 AM
To: [EMAIL PROTECTED]
Subject: iptables rule order
Hello, netfilters!
I read that the iptables rule order is important.
In Linux Firewalls 2nd edition written by Ziegler
GEORGE GEORGALIS wrote:
I'm getting ready to put together a distro on a floppy (or cdrom)...
After poking around on the net I think this is the best place to start
http://leaf.sourceforge.net/devel/jnilo/
Anybody have comments or recommendations?
Not sure what you are trying to
Hi
I see all kind of postings about win32 VPN servers behind an iptables
firewall, so I suspect this will work.
Yesterday we already figured out my problem with the portmapping etc.
I need to be able to have multiple clients connecting to my MS-VPN box
through an iptables firewall. From the
True (Stewart), there's no security, but at the moment I'd like it to work first.
I put the rule
iptables -A FORWARD -p 47 -j ACCEPT
but it doesn't really change anything because I have tried with a default policy of ACCEPT. I forward all the packets to make sure that they reach my machine.
In
Dick Visser [EMAIL PROTECTED] wrote:
Hi I see all kind of postings about win32 VPN servers behind an iptables firewall, so I suspect this will work. Yesterday we already figured out my problem with the portmapping etc. I need to be able to have multiple clients connecting to my MS-VPN box through
Forwarding DHCP Discover and Request datagrams is the job of a BOOTP relay
agent, which will add the necessary information to the request for the DHCP
server to know which address to assign.
Niels
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Antony
I can understand your frustration. I am assuming you have other things working on
this firewall.
Perhaps you could post a sanitized printout of iptables -v -L and your Kernel and
iptables version for the Group so they can see what is happening. Also, it has been my experience that tcpdump
Hi
Netfilter supports arbitrary netmasks for IP addresses which is more
powerful than just those IP/x (0 <= x <= 32) expressions.
For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
Are masks that cannot be expressed in the IP/x scheme (at least not in one
rule) used
* Thomas Heinz ([EMAIL PROTECTED]) wrote:
Netfilter supports arbitrary netmasks for IP addresses which is more
powerful than just those IP/x (0 <= x <= 32) expressions.
For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work
;-).
Are masks that cannot be expressed in the
On Tue, 28 May 2002, Thomas Heinz wrote:
Hi
Netfilter supports arbitrary netmasks for IP addresses which is more
powerful than just those IP/x (0 <= x <= 32) expressions.
For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
Are masks that cannot be expressed in
* Joost Remijn ([EMAIL PROTECTED]) wrote:
On Tue, 28 May 2002, Stephen Frost wrote:
* Thomas Heinz ([EMAIL PROTECTED]) wrote:
Netfilter supports arbitrary netmasks for IP addresses which is more
powerful than just those IP/x (0 <= x <= 32) expressions.
For example one could use
Hi Joost
You wrote:
But something like IP/255.255.255.192 is still valid and is probably used
quite a lot. At least I use it. It's easy to use a $NETMASK variable in
scripts for this.
IP/255.255.255.192 == IP/26
Thomas
On Tue, May 28, 2002 at 04:26:32PM +0100, Nick Drage wrote:
On Tue, May 28, 2002 at 07:17:38AM +0200, Raymond Leach wrote:
Neither active nor passive ftp is secure... both use (by default) plain text
passwords when authenticating.
Active ftp requires the least number of ports to be
On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
Roar:
You are absolutely right. I just tried on one of my machines.
It still manages to get an IP and start up with ifup. I don't have an
explanation for it. Time for the Guruz to chime in.
What is the rule that
On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
I'm on a local machine with interface eth0 down. I manually enter the
iptables policy DROP for all three normal chains, and then start up
interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and
ONBOOT=n).
In this
Hi All,
Why does this nmap scan show these ports filtered, not closed?
50420/tcp filtered unknown
50421/tcp filtered unknown
50422/tcp open unknown
50423/tcp filtered unknown
50424/tcp filtered unknown
On Tue, May 28, 2002 at 02:42:51PM -0400, George Georgalis wrote:
Hi All,
Why does this nmap scan show these ports filtered, not closed?
50420/tcp filtered unknown
50421/tcp filtered unknown
50422/tcp open unknown
hi,
cause you drop packets. nmap interprets this as filtered. the usual behavior
would be icmp port unreachable which causes nmap to show these ports
as closed.
try iptables -P INPUT REJECT
it is not always good to drop packets. Anyone will know there is most likely
a packetfilter in play.
so
On Tue, May 28, 2002 at 09:00:33PM +0200, Axel Christiansen wrote:
hi,
cause you drop packets. nmap interprets this as filtered. the usual behavior
would be icmp port unreachable which causes nmap to show these ports
as closed.
try iptables -P INPUT REJECT
it is not always good to
Quoting George Georgalis [EMAIL PROTECTED] at Tue, May 28, 2002 at 08:42:51 CEST
Hi All,
Why does this nmap scan show these ports filtered, not closed?
50420/tcp filtered unknown
50421/tcp filtered unknown
50422/tcp open unknown
1. A SYN-ACK response: this means the port is open and accepting connections
2. An ICMP 'port unreachable' meaning the port is closed and not accepting
connections.
3. Nothing at all, which tells nmap that something is blocking access,
because a normal TCP/IP stack would respond with
But, you're right. The decision between DROP and REJECT is a very
tough one. Some two or three weeks ago we were pleading for DROP
for some valid reasons and now it seems that we have good reasons
for REJECT. But, still, I'd prefer the DROP. It's less expensive
and besides who cares that
On Tue, May 28, 2002 at 10:16:13PM +0200, Maciej Soltysiak wrote:
1. A SYN-ACK response: this means the port is open and accepting connections
2. An ICMP 'port unreachable' meaning the port is closed and not accepting
connections.
As Joe once pointed out: 'port unreachable' is not being
Hi Ramin:
The situation Roar was talking about was with a policy of drop all.
on all chains. I would think that would cover the rule before and any other
Equivalent rule wouldn't it?
Stu.
-Original Message-
From: Ramin Alidousti [mailto:[EMAIL PROTECTED]]
Sent: May
On Tue, May 28, 2002 at 10:38:45PM +0200, Maciej Soltysiak wrote:
On Tue, May 28, 2002 at 10:21:40PM +0200, Maciej Soltysiak wrote:
in my opinion, the only 100% sure place to put DROP is on a router, that
is only a router and does not have any ports open.
Why is that?
it makes
OK, so drop the ping probes as well ;-)
Nope, you didn't convince me.
Ok :)
If a router has no services on it then DROP/REJECT or even ACCEPT
doesn't make any difference. There is nothing to protect...
true, but some admins like it if traceroute shows * * *, so that's your way
to go.
-)
Thanks for the excellent description Evan.
-Original Message-
From: Evan Cofsky [mailto:[EMAIL PROTECTED]]
Sent: May 28, 2002 9:34 AM
To: Stewart Thompson; [EMAIL PROTECTED]
Subject: Re: Can't block DHCP with iptables?
Derrik Pates touched on this earlier in the thread, but I'll try and
On Tue, May 28, 2002 at 07:53:18PM +0100, Antony Stone wrote:
On Tuesday 28 May 2002 7:42 pm, George Georgalis wrote:
Also, I was wondering why a connect from the LAN port 50422 (to the
firewall) does nat to 192.168.0.1:22? It works from the internet
Er, I don't quite understand the
On Tue, May 28, 2002 at 04:26:35PM -0400, George Georgalis wrote:
No, I want the LAN and Internet connections to :50422 to NAT to
192.168.0.1:22 but this command from the LAN hangs...
ssh -p50422 [EMAIL PROTECTED]
and there is no connection recorded in the 192.168.0.1 log. I'm
at a loss.
On Tue, May 28, 2002 at 09:34:58PM +0100, Antony Stone wrote:
On Tuesday 28 May 2002 9:26 pm, George Georgalis wrote:
Also, I was wondering why a connect from the LAN port 50422 (to the
firewall) does nat to 192.168.0.1:22? It works from the internet
I want the LAN and Internet
On Tue, May 28, 2002 at 04:56:45PM -0400, George Georgalis wrote:
On Tue, May 28, 2002 at 09:34:58PM +0100, Antony Stone wrote:
On Tuesday 28 May 2002 9:26 pm, George Georgalis wrote:
Also, I was wondering why a connect from the LAN port 50422 (to the
firewall) does nat to
On Tue, May 28, 2002 at 04:50:05PM -0400, Ramin Alidousti wrote:
On Tue, May 28, 2002 at 01:17:32PM -0700, Stewart Thompson wrote:
Thanks for the excellent description Evan.
Yes. Truly, a very good explanation.
Seconded.
But I have one question:
You say, the default policy DROP
On Tue, May 28, 2002 at 09:00:33PM +0200, Axel Christiansen wrote:
hi,
cause you drop packets. nmap interprets this as filtered. the usual behavior
would be icmp port unreachable which causes nmap to show these ports
as closed.
The usual behaviour would be for a tcp RST to be sent back,
On Tue, May 28, 2002 at 03:10:12PM -0400, Ramin Alidousti wrote:
On Tue, May 28, 2002 at 09:00:33PM +0200, Axel Christiansen wrote:
snip
But, you're right. The decision between DROP and REJECT is a very
tough one. Some two or three weeks ago we were pleading for DROP
for some valid reasons
On Tuesday 28 May 2002 11:06 pm, Erik C Elmshauser wrote:
Hi, this is my first post to the list.
I agree with Stephen, these netmasks are (as far as I can tell)
meaningless. Because of the way that you compute network addresses by
comparing a mask to an address the 255.255.0.128 mask just
On Tue, May 28, 2002 at 07:07:38PM -0400, George Georgalis wrote:
A nice benefit will be the ease of running an IDS on the firewall. (not
that it wouldn't be easily circumvented ...I'm using a configurable
switch so no help there)
A mention of dropping the route to LAN on internal machines,
On Tue, May 28, 2002 at 07:43:42PM -0400, Ramin Alidousti wrote:
On Tue, May 28, 2002 at 07:07:38PM -0400, George Georgalis wrote:
A nice benefit will be the ease of running an IDS on the firewall. (not
that it wouldn't be easily circumvented ...I'm using a configurable
switch so no help there)
On Mon, May 27, 2002 at 03:43:02PM +0200, Jean Bel wrote:
Hi,
The result of the command:
iptables -A INPUT -p TCP --state NEW ! --syn -j DROP
is
Out of memory: Killed process 5166 (iptables).
well, it seems like your system is out of memory. Nothing
I don't think so because it is the only iptables command which causes
this error and it takes a few times before sending this error message
even if it's the first iptables I launch. I think there is an infinite
loop which takes all the memory.
Did you try this command ?
Thanks
Jean Bel
On Tue, 28 May 2002, Jean Bel wrote:
I don't think so because it is the only iptables command which causes
this error and it takes a few times before sending this error message
even if it's the first iptables I launch. I think there is an infinite
loop which takes all the memory.
Did you try
Hi
Netfilter supports arbitrary netmasks for IP addresses which is more
powerful than just those IP/x (0 <= x <= 32) expressions.
For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).
Are masks that cannot be expressed in the IP/x scheme (at least not in one
rule) used
* Thomas Heinz ([EMAIL PROTECTED]) wrote:
Netfilter supports arbitrary netmasks for IP addresses which is more
powerful than just those IP/x (0 <= x <= 32) expressions.
For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work
;-).
Are masks that cannot be expressed in the
Hi
Does anybody know a free network traffic generator somewhere on the net?
greetz,
Andre Kleibeuker
When it comes to searching I have always found google to be very
helpful. Check it out for more options :
http://www.google.com/search?hl=en&q=network+traffic+generator+download
Cheers
Pradeep
On Tue, 28 May 2002, andre achternaam wrote:
Hi
Does anybody know a free network traffic
On Tue, 28 May 2002, Stephen Frost wrote:
* Thomas Heinz ([EMAIL PROTECTED]) wrote:
Netfilter supports arbitrary netmasks for IP addresses which is more
powerful than just those IP/x (0 <= x <= 32) expressions.
For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work
Hi Joost
You wrote:
But something like IP/255.255.255.192 is still valid and is probably used
quite a lot. At least I use it. It's easy to use a $NETMASK variable in
scripts for this.
IP/255.255.255.192 == IP/26
Thomas
Good day, Andre,
On Tue, 28 May 2002, andre achternaam wrote:
Does anybody know a free network traffic generator somewhere on the net?
http://www.stearns.org/rain/
http://www.stearns.org/sendip/
http://www.stearns.org/spak/
I'd start with spak.
Cheers,
http://www.stearns.org/rain/
http://www.stearns.org/sendip/
http://www.stearns.org/spak/
I'd start with spak.
Cheers,
I never accomplished compiling spak.
Good day, Maciej,
On Tue, 28 May 2002, Maciej Soltysiak wrote:
http://www.stearns.org/rain/
http://www.stearns.org/sendip/
http://www.stearns.org/spak/
I'd start with spak.
Cheers,
I never accomplished compiling spak.
The src rpm from which I compiled it