Assuming that the question relates to this posting:
http://www.geocrawler.com/archives/3/2489/2001/12/0/7433332/
On Sun, Jan 06, 2002 at 10:50:38AM +0000, richard wrote:
> Hi
> will this work
> /sbin/iptables -A INPUT -p 93 -i eth1 -j ACCEPT
This command ACCEPTs all IP protocol 93 traffic (yes, that's IPIP)
which comes in on interface eth1. However, in the context of an
addition to /sbin/bastille-netfilter, it sits where it's labelled
"custom rules", and I'd be tempted to write it as:
${IPTABLES} -A PUB_IN -p ipip -i eth1 -j ACCEPT
Adding it to PUB_IN rather than INPUT seems to me to be a better
fit with Bastille's logic.
Whether this is sufficient for your specific task I couldn't tell you.
I'm not personally familiar with the details of IPIP. And unfortunately
I couldn't quite follow your description of your network.
From there on in, assuming that IPIP is decoded properly, yes, should
just be coming out of tunl0 or bpq0 or whatever interfaces you've set
up. Add rules to allow traffic between networks as appropriate. These
go in the spot commented "If you have networks that route traffic..."
An example might be to just let everything run transparently between an
encrypted link and the internal network.
${IPTABLES} -A FORWARD -i tunl0 -d 44.131.90.0/24 -j ACCEPT
${IPTABLES} -A FORWARD -i eth0 -o tunl0 -j ACCEPT
(This is assuming that eth0 is the physical interface of the "internal"
network, and that tunl0 is on eth1, your "outside" interface. The
destination shown is meant to be an "internal" network. And it assumes
you *do* want to let everything through like this.)
If you haven't already done so, turn on packet logging for what's
being blocked (set LOG_FAILURES="Y") and add rules to let thru what's
being blocked.
I realize I've gone fast thru that. Email me directly if you get
stuck on the details. Or if you think I've got something wrong, also
tell me. I'm skimming through this one and I may well have made a
mistake.
> I have been asking for help on both lists for 2 weeks, it seems that
> unless your face fits, it's a very private club
It's also about how and when you ask. The guys with the real clue on
bastille-linux-discuss have been busy getting a new release locked down,
and then a bunch of the world closed down for a holiday season. Unless
a question is pretty clear about the set-up, what's been put where
exactly, and what information has been gathered so far, it'll all look
too hard and no-one will bother.
Not so much "private club" but "small pool of people to draw upon",
none of whom get paid to do this.
> bg Richard
> system now hacked as I can't put a firewall up without destroying the ip
> tunnel.
> Strange that after I put my inet address as an example of what I was
> trying to do, I had 2 people ftp'd in and played
Doesn't seem strange to me, actually. Seems like *exactly* the sort of
thing to expect. Using a real address in the examples, especially when
it's being publicly identified as a vulnerable set-up, is just asking
for trouble. Sorry, but the world's a nasty place.
Stil
--
: Stilgherrian, Director of Operations, prussia.net
: Internet infrastructure services focussing on the essentials
: http://www.prussia.net/
: ARBN BN97858688, ABN 15 148 757 893
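The rule set discussed in the reply above, written out as an added example that is not part of the original mail or of Bastille itself. It emits the custom-rules and routing-section lines as a reviewable list before anything is loaded (the default IPTABLES value only echoes; set it to the real binary to apply). Interface names, the 44.131.90.0/24 network and the peer address are assumptions taken from the thread or constructed as placeholders; the only addition beyond the mail's rules is restricting the accepted encapsulated traffic to the one tunnel peer and logging what the tunnel would otherwise drop.

```shell
#!/bin/sh
# Added example (not from the original mail or from Bastille): print the
# Bastille-style custom rules for an IPIP tunnel so they can be reviewed
# before they are applied.
# Hypothetical layout: eth1 is the outside interface, eth0 the inside one,
# tunl0 the decapsulated tunnel, 44.131.90.0/24 the internal network.
# TUNNEL_PEER is a placeholder (RFC 5737 documentation address).
# With the default IPTABLES value the rules are only echoed.

IPTABLES="${IPTABLES:-echo /sbin/iptables}"
OUTSIDE_IF="eth1"
INSIDE_IF="eth0"
TUNNEL_IF="tunl0"
INTERNAL_NET="44.131.90.0/24"
TUNNEL_PEER="${TUNNEL_PEER:-192.0.2.1}"

# IP protocol number in the outer header. The Linux ipip module behind
# tunl0 uses protocol 4 ("ipencap" in /etc/protocols); in that file 93 is
# ax.25 and 94 is the older KA9Q "ipip" name. Giving the number directly
# avoids depending on how a particular /etc/protocols spells the name.
TUNNEL_PROTO=4

# Resolve a protocol name through /etc/protocols, so "-p <name>" can be
# checked against the number the kernel actually uses on this host.
proto_number() {
    awk -v name="$1" '!/^#/ && $1 == name { print $2; exit }' /etc/protocols 2>/dev/null
}

# Print the rule set. Only the peer's encapsulated packets are accepted on
# the outside interface; anything else in PUB_IN falls through to
# Bastille's own logging and DROP rules.
ipip_rules() {
    # "custom rules" section: accept tunnel packets from the known peer only.
    ${IPTABLES} -A PUB_IN -p ${TUNNEL_PROTO} -s ${TUNNEL_PEER} -i ${OUTSIDE_IF} -j ACCEPT
    # "If you have networks that route traffic..." section: decapsulated
    # traffic may reach the internal network, and the internal network may
    # send into the tunnel. Both directions are pinned to their interfaces.
    ${IPTABLES} -A FORWARD -i ${TUNNEL_IF} -o ${INSIDE_IF} -d ${INTERNAL_NET} -j ACCEPT
    ${IPTABLES} -A FORWARD -i ${INSIDE_IF} -o ${TUNNEL_IF} -s ${INTERNAL_NET} -j ACCEPT
    # Log and drop whatever else arrives through the tunnel, which is the
    # same visibility LOG_FAILURES="Y" gives you for the other chains.
    ${IPTABLES} -A FORWARD -i ${TUNNEL_IF} -j LOG --log-prefix "tunl0-drop: "
    ${IPTABLES} -A FORWARD -i ${TUNNEL_IF} -j DROP
}

ipip_rules
```

Run it once as-is to read the rules, compare `proto_number ipip` and `proto_number ipencap` with the number the kernel expects, and only then rerun with `IPTABLES=/sbin/iptables` from the matching spots in /sbin/bastille-netfilter.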