Re: SNAT or MASQUERADE?
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2001.12.05 11:32:39+1000]:
> I didn't know you couldn't use DNAT if you used Masquerading. Are you sure?

think about it. masquerade is used when you have a single dynamic IP. if you had multiple IPs, then you don't have a dynamic IP connection, which means that you should be using SNAT.

and with a single IP, DNAT is less interesting. it is possible (and i do it), for instance, to redirect port 22004 to my machine .4, port 22, but even though that uses the DNAT chain, it's really just port forwarding or relaying...

-- 
martin; (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]

this week dragged past me so slowly; the days fell on their knees...
-- david bowie
Re: Searching for an appropriate iptables script
also sprach Gareth Bowker [EMAIL PROTECTED] [2002.02.07.1017 +0100]:
> If you're worried about missing stuff out, you could start with a firewall that defaults everything to DROP and go from there...

good point. any-any-any-DROP is what i call the base firewall. there is *no* argument for a firewall that's based on anything but this essential rule. there *should* also be a rule any-any-any-LOG right before.
iptables log-all and limits
hi,

my iptables config can be reduced to the following example, which lets ssh pass and drops everything else.

  iptables -P INPUT DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  iptables -A INPUT -j LOG

this works perfectly as i want it, but every now and then, i get portscanned, and my kern.log grows like 14Mb in size because of that LOG rule. using the limiting features of iptables, i can say

  iptables -A INPUT -j LOG -m limit --limit 5/minute --limit-burst 5

to make it show a max. of 5/minute with an initial burst of 5. however, this way, a lot of information will be lost. granted, portscans can only be limited that way, but i am wondering if there's a method to limit logs for a specific type of package (i.e. same destination socket) only? like commercial products (e.g. FW-1) do.

any clues?
Re: Blocking SMB
also sprach Charlie Grosvenor [EMAIL PROTECTED] [2002.02.26.1657 +0100]:
> I am trying to block smb going out of my network using the following rules.

why not also block it coming in? i'd leave out the -o ppp0 bit below. then there's nothing that can come in and nothing to go out.

> iptables -A FORWARD -o ppp0 -p tcp --dport 135 -j REJECT
> [others snipped]

why REJECT? just DROP them! also, port 136 is not a micro$oft port.

> For some reason this is not working as http://stealthtests.lockdowncorp.com is able to find out information about my computer using smb for example it gives me my username that i used to log into windows with.

this is what stealthtest does:

  fishbowl:~# tcpdump -i any -n host 216.41.20.17
  tcpdump: listening on any
  17:16:58.329572 216.41.20.17.137 > 217.162.222.147.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

(which i don't answer since this is a linux system), but the reply should not pass through your rules. why don't you run the above tcpdump line on the router/firewall and see what the stealthtests cause. post that here...

> How can i get the blocking of smb working? Is there a port that i should block that i haven't?

just blocking dports 135,137-139 tcp and udp in FORWARD, INPUT and OUTPUT should do the trick, actually... but you never know with this micro$oft crap...
Re: Firewall protects, so what directs?:(may be an easy workaround)
also sprach Pedro P Sacristan Sanz [EMAIL PROTECTED] [2002.03.20.0847 +0100]:
> If you don't want to change anything at this time, maybe you could use an easy workaround if you are now using SSH in your firewall and web server: if you use the -L option, you could start a SSH session from your firewall to your web server and forward every incoming connection to port 80 in the firewall to your web server...
>
>   your_firewall#ssh -L 80:10.10.0.10:80 [EMAIL PROTECTED]
>
> You only will have to be sure that you allow TCP port 22 from your firewall to your web server, and that your SSH configuration allows port forwarding (well, and maybe you should monitor your ssh tunnel: if it goes down, it stops working).

have a look at my package at [1] for the same functionality except for the encryption (you don't always need it, and unencrypted is way faster). it does provide bandwidth control as a nice goody on the side...

1. http://www.madduck.net/~madduck/debian/iprelay/
Re: Crashing Firewall
also sprach Urs Martini [EMAIL PROTECTED] [2002.10.08.0129 +0200]:
> I got a problem with my new set up firewall: it crashes after some time!

What crashes? What does it do?

> Now before I get into details - is there anyone who's willing to help myself fixing that problem _personally_?

Why? I'll help you, but I won't take it off the list.
Re: iptables -A or iptables -I?
also sprach Martin G.H. Minkler [EMAIL PROTECTED] [2004.10.19.1907 +0200]:
> The background to my question is a 1.4MB IP blacklist I have to block. I traverse so that only incoming NEW from $DEV_INET is passing that chain, but appending the ruleset (i.e. at boottime) takes roughly 30min. So I was wondering whether inserting might be quicker :-)

Inserting is almost never quicker than appending. In fact, I am having trouble coming up with a data structure where insertions are as quick as appendages, provided, of course, that the difference makes sense. After all, appendage is nothing but an insertion at n+1.

-- 
Please do not CC me when replying to lists; I read them!
 .''`.     martin f. krafft [EMAIL PROTECTED]
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: iptables -A or iptables -I?
also sprach Juan Carlos Inostroza [EMAIL PROTECTED] [2004.10.19.1940 +0200]:
> Knowing that to insert an element at the end of a list, in pseudocode:
>
> - create_new_element(n)
> - link_element(list, n)
>
> And inserting an element at the beginning of a list:
>
> - create_new_element(n)
> - newlist = create_new_list(number_of_elements(list+1))
> - link_element(newlist,n)
> - copy_elements(newlist,list,1,number_of_elements(n))

Uh, you should really read up on list/API design. This looks too much like Java or VB to me. Appending to an n-linked list requires modification of n pointers. Inserting to an n-linked list requires modification of 2n pointers.
Re: iptables -A or iptables -I?
also sprach Blars Blarson [EMAIL PROTECTED] [2004.10.19.2019 +0200]:
> He asked about inserting at the beginning vs appending. If I was designing this data structure, I'd most likely use a single linked list where inserting at the beginning would be faster for long lists. (The latter needs to traverse the list.)

If I am designing data structures to hold long lists, I most certainly keep a pointer to the last element somewhere. Of course, then, it doesn't matter whether you insert or append, as then you have to update 2 pointers anyway.
Re: iptables -A or iptables -I?
also sprach Juan Carlos Inostroza [EMAIL PROTECTED] [2004.10.19.2056 +0200]:
> > Inserting to an n-linked list requires modification of 2n pointers.
>
> Copying and Pasting elements from one list to other, yes (it's 2n+1, you're forgetting the inserted element).

I am talking about different things. If your insertion requires you to copy all elements, your implementation is wrong.
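To make the list argument in these replies concrete, here is an added Python model (not code from the thread) of a singly linked rule chain with and without a reference to the last node, counting link writes and traversal steps for -I (insert at the head) and -A (append). The rule strings are constructed; the figures are the model's own, not measurements of netfilter, whose iptables binary of that era fetched and replaced the whole table on every call regardless of -A or -I (which is why a large blacklist loads so much faster with iptables-restore).

```python
class Node:
    """One rule in the chain; `next` is the single forward link."""
    __slots__ = ("rule", "next")

    def __init__(self, rule):
        self.rule = rule
        self.next = None


class RuleChain:
    """Singly linked chain of rules.

    keep_tail=True keeps a reference to the last node (what the reply above
    argues any sane long-list implementation does); keep_tail=False models
    the naive list that has to walk to the end before appending.
    Every link assignment and every traversal step is counted so the cost
    of -I (insert) and -A (append) can be compared directly.
    """

    def __init__(self, keep_tail=True):
        self.head = None
        self.tail = None
        self.keep_tail = keep_tail
        self.length = 0
        self.link_writes = 0      # pointer modifications
        self.traversal_steps = 0  # nodes visited while looking for the end

    def insert(self, rule):
        """iptables -I: the new rule becomes the first one; O(1) either way."""
        node = Node(rule)
        node.next = self.head
        self.head = node
        self.link_writes += 2
        if self.keep_tail and self.tail is None:   # first node is also last
            self.tail = node
            self.link_writes += 1
        self.length += 1

    def append(self, rule):
        """iptables -A: the new rule becomes the last one; O(1) only with a tail."""
        node = Node(rule)
        if self.head is None:
            self.head = node
        else:
            last = self.tail if self.keep_tail else self._walk_to_end()
            last.next = node
        self.link_writes += 1
        if self.keep_tail:
            self.tail = node
            self.link_writes += 1
        self.length += 1

    def _walk_to_end(self):
        node = self.head
        while node.next is not None:
            node = node.next
            self.traversal_steps += 1
        return node

    def rules(self):
        """Rules in chain order, to check that both paths build the same chain."""
        out, node = [], self.head
        while node is not None:
            out.append(node.rule)
            node = node.next
        return out


def load_blacklist(n, method, keep_tail=True):
    """Load n constructed blacklist rules with 'insert' or 'append' and
    return (link_writes, traversal_steps)."""
    chain = RuleChain(keep_tail=keep_tail)
    op = chain.insert if method == "insert" else chain.append
    for i in range(n):
        op("-s 10.0.%d.%d -j DROP" % (i // 256, i % 256))   # constructed rule
    return chain.link_writes, chain.traversal_steps


if __name__ == "__main__":
    for method, tail in (("insert", True), ("append", True), ("append", False)):
        print(method, "tail" if tail else "no tail", load_blacklist(1000, method, tail))
```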
Re: iptables-save/restore with dynamic IP
also sprach Martin G.H. Minkler [EMAIL PROTECTED] [2004.10.21.1345 +0200]:
> > iptables-restore file
>
> Sorry, beginner's idiocy, copying stuff from a tutorial he read.

No reason to be sorry. It took me a while to learn this too...

> Although it is hardly imaginable that someone(tm) manages to spoof the interface match, I wanted my rules as tight as possible thus using interface _and_ DynIP ('$IPTABLES -A INPUT -p tcp -d $IP_INET -i $DEV_INET -m state --state NEW -j BLACKLIST') - it would naturally all be solved if I refrained from using variables and resorted to -i ppp0 instead.

Why do you want your rules to be as tight as possible? While I fundamentally agree with this approach, I don't really see an added value for limiting the destination address.

> But since I'm experimenting and learning, some non-pragmatical approaches may occur, especially since I want to keep the script as generic/cross-distro-usable as possible :-)

You do know that there are plenty of firewall scripts for iptables already, right?
Re: iptables-save/restore with dynamic IP
also sprach Martin G.H. Minkler [EMAIL PROTECTED] [2004.10.21.1532 +0200]:
> The basic idea was to double-latch things, if one criterion could be spoofed the other would still hold.

Uh, ANY always holds, so it does not matter if you leave out the destination address. FWIW, destination IPs *cannot* be spoofed.

Also, I am not sure you understand iptables correctly. If you specify two criteria in a rule, then they both have to hold. If you want to implement OR, you need two rules.

> setups in which a LAN and a gateway with just one NIC were sharing a

What's a gateway with just one NIC?
Re: iptables-save/restore with dynamic IP
also sprach [EMAIL PROTECTED] [EMAIL PROTECTED] [2004.10.21.1549 +0200]:
> The only time I've seen this done has been with PPPoE; the gateway talked PPPoE with the remote end, and communicated with the LAN via the same NIC. Not that secure, but got the network running.

Sounds horrible.
Re: port _redirection_ within single machine
also sprach Robert Vangel [EMAIL PROTECTED] [2004.08.19.0239 +0200]:
> It isn't iptables, but you could try the redir package.

also, the iproute package.
DNS replies not RELATED/ESTABLISHED?
I have a firewall which allows ESTABLISHED,RELATED packets on INPUT, and port 53/udp on OUTPUT. Now, if I query for a DNS name, the packet leaves the machine, but the reply is usually dropped:

  [INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42 LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=16468 LEN=48

Here are the relevant rules:

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix [INPUT]:
  -P INPUT DROP

I always have to add specific udp sport rules for all nameservers, which is a pain, and which should not be required. What am I doing wrong?

(Note that I get the same results with '-m state' instead of '-m ctstate').

Thanks,

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft [EMAIL PROTECTED]
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: DNS replies not RELATED/ESTABLISHED?
also sprach Blair Strang [EMAIL PROTECTED] [2005.03.15.1245 +0100]:
> I am guessing the problem is elsewhere. What does /proc/net/ip_conntrack say the kernel is expecting?

The UDP connection is not listed. Someone else told me in private mail that DNS is special, but I do not see anything special about the following:

  16:27:15.369276 217.233.52.92.62406 > 217.237.151.97.53: 21533+ A? debian.org. (28) (DF)
  16:27:15.424481 217.237.151.97.53 > 217.233.52.92.62406: 21533 1/0/0 A 192.25.206.10 (44)

The corresponding ip_conntrack entry:

  udp 17 27 src=217.233.52.92 dst=217.237.151.97 sport=62406 dport=53 packets=1 bytes=67 src=217.237.151.97 dst=217.233.52.92 sport=53 dport=62406 packets=1 bytes=115 mark=0 use=1

This looks all good and fine. Whenever I get log entries generated by iptables, it seems that they are some sort of spurious responses by the servers, or else iptables would let them through. Of course right now there aren't any. However, I have seen this for years and always wondered...

Maybe someone has a smart way to diagnose this? For now, I'll use

  -A INPUT -i ppp0 -p udp -m udp --sport 53 -j ULOG --ulog-prefix [DNS in]
  -A OUTPUT -o ppp0 -p udp -m udp --dport 53 -j ULOG --ulog-prefix [DNS out]
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i ppp0 -p udp -m udp --sport 53 -j ULOG --ulog-prefix [spurious DNS]

Let's see what that brings...
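The diagnosis asked for above can be mechanised: the added Python below (not code from the thread) parses a LOG target line and /proc/net/ip_conntrack entries and reports, for each dropped packet, whether any tracked connection's reply direction matches its 5-tuple. The first LOG line and the first conntrack entry are the ones quoted in this thread; the remaining sample lines are constructed so that both outcomes are exercised.

```python
import re

# Constructed sample input. LOG_LINES[0] and CONNTRACK_SNAPSHOT[0] are quoted
# from the thread; the other two lines are made up.
LOG_LINES = [
    "[INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42 LEN=68 "
    "TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=16468 LEN=48",
    "[INPUT]: IN=ppp0 OUT= MAC= SRC=217.237.151.97 DST=217.233.52.92 LEN=72 "
    "TOS=0x00 PREC=0x00 TTL=58 ID=4242 PROTO=UDP SPT=53 DPT=62406 LEN=52",
]
CONNTRACK_SNAPSHOT = [
    "udp      17 27 src=217.233.52.92 dst=217.237.151.97 sport=62406 dport=53 "
    "packets=1 bytes=67 src=217.237.151.97 dst=217.233.52.92 sport=53 "
    "dport=62406 packets=1 bytes=115 mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=217.233.52.92 dst=192.25.206.10 "
    "sport=40001 dport=80 packets=5 bytes=600 src=192.25.206.10 "
    "dst=217.233.52.92 sport=80 dport=40001 packets=4 bytes=3000 [ASSURED] "
    "mark=0 use=1",
]

KEY_VALUE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the (proto, src, dst, sport, dport) 5-tuple of a LOG target line."""
    fields = dict(KEY_VALUE.findall(line))   # LEN appears twice; last one wins, unused
    return (fields["PROTO"].lower(), fields["SRC"], fields["DST"],
            int(fields["SPT"]), int(fields["DPT"]))


def parse_conntrack_entry(line):
    """Parse one /proc/net/ip_conntrack line.

    src/dst/sport/dport appear twice: first for the original direction (the
    query), then for the direction conntrack expects the reply from. The
    third column is the number of seconds left before the entry expires.
    """
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])
    orig, reply = {}, {}
    for key, value in (t.split("=", 1) for t in tokens if "=" in t):
        if key in ("src", "dst", "sport", "dport"):
            (reply if key in orig else orig)[key] = value

    def as_tuple(d):
        return (proto, d["src"], d["dst"], int(d["sport"]), int(d["dport"]))

    return {"timeout": timeout, "orig": as_tuple(orig), "reply": as_tuple(reply)}


def diagnose(log_line, conntrack_lines):
    """Classify one logged (i.e. dropped) packet against a conntrack snapshot.

    ('tracked', seconds_left): an entry expects exactly this reply, so the
        packet should have been ESTABLISHED; a drop then points somewhere
        other than the state rule (or the snapshot postdates the drop).
    ('untracked', None): no entry expects this reply; it arrived after the UDP
        entry timed out or was never solicited, so it is NEW and hits the LOG.
    """
    packet = parse_log_line(log_line)
    for entry in map(parse_conntrack_entry, conntrack_lines):
        if entry["reply"] == packet:
            return ("tracked", entry["timeout"])
    return ("untracked", None)


def untracked_replies(log_lines, conntrack_lines):
    """Filter LOG lines down to the replies no conntrack entry accounts for."""
    return [l for l in log_lines if diagnose(l, conntrack_lines)[0] == "untracked"]


if __name__ == "__main__":
    for line in LOG_LINES:
        print(diagnose(line, CONNTRACK_SNAPSHOT), "<-", parse_log_line(line))
```

On a live box, feed it the LOG lines from kern.log and a snapshot of /proc/net/ip_conntrack taken at the same time; the ULOG rules above give the same data with less noise.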
Re: DNS replies not RELATED/ESTABLISHED?
also sprach Phil Dyer [EMAIL PROTECTED] [2005.03.15.1512 +0100]:
> for INPUT, lose the conntrack.
>
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

why?

Also, please do not CC me on replies.
Re: DNS replies not RELATED/ESTABLISHED?
also sprach Blair L Strang [EMAIL PROTECTED] [2005.03.15.2256 +0100]:
> Sorry I didn't understand from your original post that this was only happening occasionally.

Duh! It does only happen occasionally...

> Perhaps look into ip_conntrack_max?

I don't have such a file. ip_conntrack_expect is the only other one...
rewriting source and destination of local packets
I want to rewrite source and destination sockets of locally generated packets. Specifically, packets with the following pair

  1.2.3.4:12345 -> 8.7.6.5:80

should be rewritten as

  127.0.0.1:12345 -> 127.0.0.1:3128

Is it possible to achieve this with iptables? I can do the destination rewriting just fine (using REDIRECT in the OUTPUT chain), but to rewrite the source, I need to use SNAT (I think), which is only valid in POSTROUTING, and by that point in time it's too late.

Thanks for any inputs.
Re: rewriting source and destination of local packets
also sprach David Schmitt [EMAIL PROTECTED] [2005.03.23.1222 +0100]:
> try to fwmark the packages when REDIRECTing and use the mark on POSTROUTING to SNAT too.

As I said, POSTROUTING is too late.
Re: rewriting source and destination of local packets
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1301 +0100]:
> Knowing your motivation might be useful ... why do you want to do this?

Have squid transparently proxy connections made by the local machine... without having to configure every single HTTP client with proxy settings.
Re: rewriting source and destination of local packets
also sprach Igor Genibel [EMAIL PROTECTED] [2005.03.23.1533 +0100]:
> Using firehol + transparent_proxy directive is completely transparent here for me (no need to change anything on clients)

Does it also work for local connections on the squid machine itself? Try it:

  apt-get install libwww-perl
  HEAD debian.org | grep -q '^X-Cache' && echo works fine.

> Martin you should try firehol and then you will never do filtering rules without it :) It's amazing.

Not for me. I understand iptables and prefer to use it directly, rather than through a wizard for the same reason that I prefer Debian over other distros.
Re: rewriting source and destination of local packets
also sprach Igor Genibel [EMAIL PROTECTED] [2005.03.23.1615 +0100]:
> Yes, it doesn't work but I think it is quite normal for a normal use of a firewall/proxy where no user has to connect on and do http requests :)

I surely do not need a whole other layer for firewall building to set up transparent proxying for clients. Note that my question was about local packets in the first place.
Re: rewriting source and destination of local packets
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1602 +0100]:
> I don't quite understand why you want to change the *source* address too, in this situation. It seems like you're trying to SNAT the machine's interface IP address to 127.0.0.1? Why?

So I can restrict squid to source IP 127.0.0.1, rather than having to `http_access allow all`, which is surely not what I want.
Re: rewriting source and destination of local packets
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.23.1709 +0100]:
> acl thishost 1.2.3.4/255.255.255.255 (or whatever its public IP is - I don't have the

It's a dynamic IP. So short of script-editing squid.conf, iptables is the only way.
Re: rewriting source and destination of local packets
also sprach Raúl Alexis Betancort Santana [EMAIL PROTECTED] [2005.03.24.0948 +0100]:
> Are you trying to do transparent proxy on a router/gateway with dynamic ip on the public interface? Is your client's ip also dynamic?

local packets means: packets generated on the machine running squid itself. no clients involved.

Maybe this is clear: (nat table)

  -A OUTPUT -o world -p tcp --dport 80 -j redirect-local-squid
  -A redirect-local-squid -m owner --gid-owner 13 -j ACCEPT
  -A redirect-local-squid -p tcp -j REDIRECT --to-port 3128

This works. Problem is that the packets arriving at 3128 have the dynamic external IP as source, when they should have 127.0.0.1.
Re: rewriting source and destination of local packets
also sprach Phil Dyer [EMAIL PROTECTED] [2005.03.28.0041 +0200]:
> Martin, if/when you do find a solution, I hope you'll summarize to the list. I find this problem quite interesting...

Certainly.
Re: rewriting source and destination of local packets
also sprach David Mandelberg [EMAIL PROTECTED] [2005.03.27.1617 +0200]:
> What about allowing all connections with squid's acls and using iptables to limit it to localhost?

This is certainly the other possibility, but it's one I do not like a lot, maybe for aesthetic reasons...
Re: rewriting source and destination of local packets
also sprach Arnt Karlsen [EMAIL PROTECTED] [2005.03.27.0439 +0200]:
> ..a weird set of details from which I couldn't make out any kinda sense of your overall purpose, as in ok, you told me _how_ you wanna do it, but _what_ are you trying to do, and _why_?.
> [...]
> ..now we're talking. ;o) Communication strategy: Try explain _what_ you're trying to do, and _why_, like you would to some new date's sceptical grandma.

I think you should re-read this thread from the beginning.
Re: Stuck in a hell of routing :(
also sprach Werner Oswald [EMAIL PROTECTED] [2005.03.29.1659 +0200]:
> I try to have a URL based routing which then gets routed to 6 different Modems accessing the internet.

There is an iptables match target capable of inspecting content, and it would not be hard to extend it to be HTTP aware. Anyway... the squid approach is probably nicer.

> With this I was able to have URL based routing.

Do you need multiple squid instances? Are you sure you can't just set the outgoing interface? I don't have a squid here to test, but I seem to recall that it could do something like that from back when I played with policy-based routing... but don't waste your time researching this, I am everything but sure.

> the tcp_outgoing_address has been set to 192.168.x.100 for each squid instance so that the packages for the requests launched in different networks.

Uh, it's the destination address which determines which network a packet goes to. The source IP does not usually play a role.

> the second part is now a win2k3 system with all the modems connected and with routing enabled.

Urks.

> the idea is now that the requests coming from 192.168.10.100 are getting routed via modem A

This is easy to do with iproute and Linux 2.4/2.6. :)

> as each modem is in principle a 0.0.0.0 gateway, I get in trouble as only one is allowed.

Well, more are allowed, but the Windows TCP/IP stack will just end up toppling. I guess the solution is something akin to virtual circuits. Not sure if Windows understands that.

> this was an idea to get my 192.168.10.0 packages to the win2k3 system but this route is only valid for 192.168.10.x destinations so how could I also deliver 0.0.0.0 destined packages to 192.168.10.103 (win2k3) and 192.168.11.x sourced packages to 192.168.11.103 which are for 0.0.0.0 and so on.

This is your document: http://lartc.org/

You can either use iptables to mark packets and then create routing policies with /sbin/ip (from iproute), or use iproute's own filtering framework (should be enough).
Re: Stuck in a hell of routing :(
also sprach Elton Algera [EMAIL PROTECTED] [2005.03.29.1818 +0200]:
> I still don't get it. How can modems connected to the internet supply different rights to users? In other words, please tell us the functional problem...

I know that it's sometimes a good idea to make sure that the person is actually looking for the right answer, but I have been noticing a tendency here (and elsewhere) to always ask first about the motivations. To me, his motivations are clear. The six different lines are probably with different taxes, bandwidths, and/or volume restrictions, so URL-based arbitration is useful. AFAIK this is done by a number of companies.

Let's just get down to answering questions and asking about motivations when we're deadlocked and/or the question is inconsistent, okay?
answering questions, not asking new ones (was: Stuck in a hell of routing :()
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.29.2204 +0200]:
> It is helpful to those answering the (apparently unusual) query to know what problem is being addressed, since past history shows that often the poster is approaching the problem from the wrong angle, or may even be addressing the wrong problem!

Yes, and I have often fallen into that trap. However, at other times, I have not been able to disclose more information, or it would have not been worth the effort. At other times, it's just been plain impossible to convince others that I know pretty well what I need:

  http://lists.debian.org/debian-firewall/2005/03/msg00074.html

> If I post something strange or esoteric as a question, I feel obliged to at least *outline* what my motivations are, if only to pre-empt the sort of question that *I* would retort were I answering that same question.

Agreed. That, or the obvious counter questions should be pro-actively answered in the first post.

> I suppose we could answer the question but also query the poster's motives at the same time :-)

Yes, it is a great way to follow up some initial pointers with the "if you give more detail, so will I" line.
Re: answering questions, not asking new ones (was: Stuck in a hell of routing :()
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.29.2237 +0200]:
> > http://lists.debian.org/debian-firewall/2005/03/msg00074.html
>
> Yeah, that was me, wasn't it? ;-)

It's a small world, no? :)

-- 
martin f. krafft [EMAIL PROTECTED]

plan to be spontaneous tomorrow.
problem with recent match
[I sent this message to the netfilter list two days ago and have not received a reply yet. https://lists.netfilter.org/pipermail/netfilter/2006-March/065082.html ]

Hi,

I am somewhat baffled by a problem with a bunch of my machines. I use the following rules there to limit SSH brute force attacks:

  -A INPUT -p tcp -m tcp --dport 22 -j ssh-tarpit
  -A ssh-tarpit -m recent --name ssh_tarpit --set --rsource -j ssh-whitelist
  -A ssh-tarpit -m recent ! --update --seconds 60 --hitcount 8 --name ssh_tarpit -
  -A ssh-tarpit -j LOG --log-prefix "[SSH flood] "
  -A ssh-tarpit -p tcp -j TARPIT
  -A ssh-tarpit -j DROP
  -A ssh-whitelist -s 1.2.3.0/24 -j ACCEPT

This used to work, and I still have a machine or two where it works just as I want it: 8 connections per minute; if exceeded, you have to wait for a full minute before trying again (update instead of rcheck).

The problem now is that I cannot log in from anywhere anymore, except for the whitelisted hosts. If I check the kernel output on the machine, I see the "SSH flood" log entries generated by the LOG line even for the first connection attempt. I tried to

  echo clear > /proc/net/ipt_recent/ssh_tarpit

but the result is the same: even with an empty recent packets list, packets from non-whitelisted hosts are dropped by the SSH flood rules. The same ruleset works fine on another machine. If I run tcpdump filtered to port 22, I don't see any stray packets that could be interfering.

In fact, logged in via a whitelisted machine (.73), I can see this behaviour:

  gaia:~# tcpdump -n port 22 and not host 130.60.75.73
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
  gaia:~# tail -fn0 /var/log/kern.log
  gaia:~# echo clear > /proc/net/ipt_recent/ssh_tarpit
  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  0 /proc/net/ipt_recent/ssh_tarpit

  [now try to connect from a non-whitelisted machine]

  13:59:17.401234 IP 84.72.27.34.33657 > 130.60.75.60.22: S 1510041102:1510041102(0) win 5840 <mss 1460,sackOK,timestamp 350551978 0,nop,wscale 2>
  Mar  8 13:59:17 gaia kernel: [SSH flood] IN=eth0 OUT= MAC=00:0b:6a:f0:fd:6b:00:05:5e:46:0e:ff:08:00 SRC=84.72.27.34 DST=130.60.75.60 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=39332 DF PROTO=TCP SPT=33657 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
  gaia:~# wc -l /proc/net/ipt_recent/ssh_tarpit
  1 /proc/net/ipt_recent/ssh_tarpit
  gaia:~# cat /proc/net/ipt_recent/ssh_tarpit
  src=84.72.27.34 ttl: 56 last_seen: 3341207100 oldest_pkt: 1 last_pkts: 3341207100

What could be the reason for this behaviour, which I claim to be completely unexpected? ipt_recent knows about a single packet from that source, but it acts as if eight packets had come in within the last 60 seconds.

Any help appreciated. Thanks,

-- 
martin; (greetings from the heart of the sun.)

'oh, that was easy,' says Man, and for an encore goes on to prove that black is white and gets himself killed on the next zebra crossing.
 -- douglas adams, the hitchhiker's guide to the galaxy
Re: problem with recent match
also sprach Adam James [EMAIL PROTECTED] [2006.03.10.1448 +0100]:
> Sounds like you are experiencing the timer overflow bug in ipt_recent. On 32bit machines with HZ at 1000 (the default in 2.6), you'll hit the bug after ~25 days of uptime. This could explain why you're only seeing this on some of your machines.

Nice! I'll verify this one of these days. Can I forward your email to the netfilter list?

-- 
martin f. krafft [EMAIL PROTECTED]

the truth is rarely pure and never simple. modern life would be very tedious if it were either, and modern literature a complete impossibility!
 -- oscar wilde
Re: problem with recent match
also sprach Alexander Reelsen [EMAIL PROTECTED] [2006.03.10.1614 +0100]:
> Loosely following netfilter-devel, I think this is not necessary. The ipt_recent problems are known and being worked on.

Mh, I didn't find anything during a quick look, and since I like to answer my own questions on all mailing lists where I posted them, well... it's for history.

> Perhaps you could ask them why the module is still being distributed within the kernel tree, when submitted patches are rejected by the maintainers because it needs a complete rewrite? Patches which don't change any of the functionality (or proc file system entries) are currently rejected

wait, what? Has the netfilter team turned the "stable" concept around?

-- 
martin f. krafft [EMAIL PROTECTED]

vulgarity is simply the conduct of other people.
 -- oscar wilde
Re: problem with recent match
also sprach martin f krafft [EMAIL PROTECTED] [2006.03.10.1507 +0100]:
> > Sounds like you are experiencing the timer overflow bug in ipt_recent. On 32bit machines with HZ at 1000 (the default in 2.6), you'll hit the bug after ~25 days of uptime. This could explain why you're only seeing this on some of your machines.
>
> Nice! I'll verify this one of these days. Can I forward your email to the netfilter list?

I just rebooted one of the affected 32bit machines and the problem remains... so I guess there are other issues...

-- 
martin f. krafft [EMAIL PROTECTED]

alle vorurteile kommen aus den eingeweiden.
 - friedrich nietzsche
Re: problem with recent match
also sprach martin f krafft [EMAIL PROTECTED] [2006.03.13.1103 +0100]:
> I just rebooted one of the affected 32bit machines and the problem remains... so I guess there are other issues...

I sure feel silly now. The blog post mentions the first rollover after 5 minutes, so waiting for 5 minutes got me in. Sorry.

-- 
martin f. krafft [EMAIL PROTECTED]

i always choose my friends for their good looks and my enemies for their good intellects. man cannot be too careful in his choice of enemies.
 -- oscar wilde
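As an added illustration of the jiffies wrap the replies above point to (this is constructed code, not from the thread or from the netfilter tree, and the exact comparison in the 2006 ipt_recent module is not on the page), the model below runs a recent-style hitcount check with a wrap-unsafe and a wrap-safe comparison; it assumes one timestamp slot per counted hit and models the unsigned 32-bit wrap, the first of which falls about 5 minutes after boot, matching the rollover mentioned in the last reply:

```python
# Added example, not code from the thread or from the netfilter tree: a model of
# a 'recent'-style hitcount check showing how a 32-bit jiffies wrap can make one
# recorded packet look like eight. The actual comparison in the 2006 ipt_recent
# code is not on the page; this reproduces the class of bug the thread describes.
HZ = 1000                 # 2.6 default, as cited above
MASK = 0xFFFFFFFF         # unsigned long on the 32-bit machines discussed
WINDOW = 60               # --seconds 60
HITCOUNT = 8              # --hitcount 8
SLOTS = 8                 # assumed: one timestamp slot per counted hit
# Linux starts jiffies 300 s short of the wrap point, so the first wrap comes
# about 5 minutes after boot (the rollover the last reply mentions).
INITIAL_JIFFIES = (-300 * HZ) & MASK


def jiffies_after_boot(seconds):
    """Jiffies value `seconds` after boot, with 32-bit wrap-around."""
    return (INITIAL_JIFFIES + seconds * HZ) & MASK


def new_entry(stamp):
    """Per-source table entry: number of filled slots plus the timestamps."""
    return {"nstamps": 1, "last_pkts": [stamp] + [0] * (SLOTS - 1)}


def hits_naive(entry, now, seconds=WINDOW):
    """Buggy: 'deadline = stamp + window' wraps to a small number near the top
    of the range, and zeroed empty slots count as recent once `now` is small."""
    return sum(1 for t in entry["last_pkts"]
               if now <= ((t + seconds * HZ) & MASK))


def hits_safe(entry, now, seconds=WINDOW):
    """Wrap-safe: compare ages in modular arithmetic (the time_after() idiom)
    and look only at the slots that were actually filled."""
    stamps = entry["last_pkts"][:entry["nstamps"]]
    return sum(1 for t in stamps if ((now - t) & MASK) <= seconds * HZ)


def over_limit(entry, now, counter=hits_safe):
    """True when the source would fall through to the LOG/TARPIT rules."""
    return counter(entry, now) >= HITCOUNT


if __name__ == "__main__":
    for secs in (100, 299, 301):
        now = jiffies_after_boot(secs)
        entry = new_entry((now - 5 * HZ) & MASK)      # one packet, 5 s ago
        print(f"{secs:3d} s after boot: naive={hits_naive(entry, now)} "
              f"safe={hits_safe(entry, now)}")
```

Just after the wrap the naive check counts the seven empty slots as recent hits and the single real packet trips the limit, which is the symptom reported in the first post; just before the wrap it misses the real packet entirely.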
ssh connection survives reboot of stateful iptables router
I was surprised today to find an SSH connection from my LAN to the 'Net surviving a power cycle of my router -- a laptop running sarge with kernel 2.6 and iptables. I have the following two rules first thing in the FORWARD chain:

  -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -m conntrack --ctstate INVALID -j DROP

To me, this means that SYN packets may pass to the actual rules, and packets belonging to a connection known to the router are accepted. During the reboot, the router surely forgot about the existing connections, so why can the SSH connection persist? Is there some Linux magic going on?

-- 
martin f. krafft [EMAIL PROTECTED]

consciousness: that annoying time between naps.
Re: ssh connection survives reboot of stateful iptables router
also sprach Ralf Döblitz [EMAIL PROTECTED] [2006.07.04.0927 +0200]:
> After reboot the packets of your SSH connection were not known to belong to an established connection but fell through to your set of filter rules.

How? I load the DROP rules before the ACCEPT ones. I can't think of a way this would be possible.

> am sure that they were accepted there,

Yes, if they ever got there. Many people have rules like

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

I've done research and found that

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

is the same, meaning that the INVALID state matches all non-SYN packets at this point.

Still surprised,

-- 
martin f. krafft [EMAIL PROTECTED]

in a country where the sole employer is the state, opposition means death by slow starvation. the old principle: who does not work shall not eat, has been replaced by a new one: who does not obey shall not eat.
 -- leon trotsky, 1937
Re: ssh connection survives reboot of stateful iptables router
also sprach Rene Mayrhofer [EMAIL PROTECTED] [2006.07.04.1013 +0200]:
> That must be connection pickup. At http://iptables-tutorial.frozentux.net/iptables-tutorial.html search for "pickup".

Excellent pointer, and yet another reason why we should really be looking for alternatives to the Linux kernel.

> The default, without the tcp-window-tracking patch, is to have this behaviour, and is not changeable.

So what's the point of iptables and statefulness in the end? It keeps track of connections and lets packets belonging to established connections pass, but if there's an ACK packet that doesn't belong anywhere, iptables is kind enough to invite it to the club?

So then, if I run e.g. cups on 0.0.0.0 and used the firewall rules to make sure that no external clients can connect to it (say, because I was too lazy to modify cupsd.conf), an attacker just has to send an ACK packet to the socket, iptables will throw open the doors, and let the connection in?

Reminds me of Microsoft Bob, which would, after three invalid password entries, ask you whether you wanted to change your password.

Or is there some actual benefit I am overlooking? The FAQ does say it's after a failover only, but no mention of how long.

So, NetBSD... one step closer...

-- 
martin f. krafft [EMAIL PROTECTED]

i never travel without my diary. one should always have something sensational to read on the train.
 -- oscar wilde
Re: ssh connection survives reboot of stateful iptables router
also sprach Jozsef Kadlecsik [EMAIL PROTECTED] [2006.07.04.1130 +0200]:
> > is the same, meaning that the INVALID state matches all non-SYN packets at this point.
>
> That's plain false: the INVALID state does not match all non-SYN packets at that point. It's nowhere written or stated in any decent documentation.

Let me get this straight:

http://www.faqs.org/docs/iptables/userlandstates.html

  "The INVALID state means that the packet can not be identified or that it does not have any state."

From what I was told, a packet that is not ESTABLISHED or RELATED, but does not have the SYN bit set, cannot be identified and thus has no state. I seem to recall it was actually an iptables developer who told me that INVALID = ALL - (ESTABLISHED + RELATED + NEW).

-- 
martin f. krafft [EMAIL PROTECTED]

linux: because a pc is a terrible thing to waste
Re: ssh connection survives reboot of stateful iptables router
also sprach Jozsef Kadlecsik [EMAIL PROTECTED] [2006.07.04.1143 +0200]:
> That is false, because from connection tracking point of view a plain ACK packet which does not belong to any existing connections has got a state, which is NEW. That is why connection pickup can work.

Yeah, and so it's not INVALID. I did not know about connection tracking, but other than that, the following two are equivalent, no?

  accept ESTABLISHED,RELATED
  drop INVALID
  accept --dport 22
  drop

and

  accept ESTABLISHED,RELATED
  accept --dport 22 --syn
  drop

-- 
martin f. krafft [EMAIL PROTECTED]

if you have built castles in the air, your work need not be lost; that is where they should be. now put the foundations under them.
 -- henry david thoreau
Re: ssh connection survives reboot of stateful iptables router
also sprach Pascal Hambourg [EMAIL PROTECTED] [2006.07.04.1143 +0200]:
> >   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> >   -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
>
> I'd add a condition on state NEW in the second rule.

What's the difference between state NEW and --syn?

> This way of building rulesets, first blocking bad packets and then accepting good packets assuming that bad packets were already blocked, is wrong. What happens when, for any reason you might imagine, the rule which is supposed to block first is ineffective ? Your firewall has a hole. The right way is accepting the good packets first and then dropping the rest.

You are absolutely right. However, I wonder whether that hole you're mentioning doesn't already exist anyway, thanks to the feature of connection pickup.

> Actually, both rulesets are wrong. What you want is a combination that takes the best of each (state NEW *and* SYN flag) :
>
>   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -m conntrack --ctstate NEW -p tcp --syn --dport 22 -j ACCEPT

Okay. So a good way to do this would be:

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
  -A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
  -A open-tcp-ports --dport 22 -j ACCEPT
  ...

?

-- 
martin f. krafft [EMAIL PROTECTED]

"i don't think so," said rene descartes. just then, he vanished.
Re: ssh connection survives reboot of stateful iptables router
also sprach Pascal Hambourg [EMAIL PROTECTED] [2006.07.04.1222 +0200]:
> >   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> >   -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
> >   -A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
> >   -A open-tcp-ports --dport 22 -j ACCEPT
>
> Yes. You just need to add the protocol match (-p tcp) again, because the --dport match is valid only with TCP and UDP.

Right.

One other question before I go and try out what I learnt today: on the basis that it's not okay to drop bad packets before accepting good packets, the following would not be okay even though they're logically equivalent?

  accept ESTABLISHED,RELATED
  drop INVALID
  accept NEW --dport ssh --syn
  drop

and

  accept ESTABLISHED,RELATED
  drop INVALID
  drop ! NEW
  drop ! --syn
  accept --dport ssh
  drop

?

Thanks guys for your patience. ... and I thought I had moderately understood this stuff.

-- 
martin f. krafft [EMAIL PROTECTED]

an intellectual is someone who has found something more interesting than sex.
 -- edgar wallace
Re: ssh connection survives reboot of stateful iptables router
also sprach Pascal Hambourg [EMAIL PROTECTED] [2006.07.04.1505 +0200]:
> >   accept ESTABLISHED,RELATED
> >   drop INVALID
> >   drop ! NEW
> >   drop ! --syn
> >   accept --dport ssh
> >   drop
>
> Very bad ! The accept rule relies on previous drop rules.

I understand the fundamental issue very well. The things that can go wrong here are:

  - I accidentally delete or comment out one of the drop rules
  - "drop ! NEW" doesn't do the same as "!drop NEW" due to a bug
  - the universe folds in on itself

Are there any other ones I am overlooking?

-- 
martin f. krafft [EMAIL PROTECTED]

a cigarette a day will make you fly away.
Re: ssh connection survives reboot of stateful iptables router
also sprach Ralf Döblitz [EMAIL PROTECTED] [2006.07.05.0835 +0200]:
> > The things that can go wrong here are:
> >
> >   - I accidentally delete or comment out one of the drop rules
> >   - "drop ! NEW" doesn't do the same as "!drop NEW" due to a bug
> >   - the universe folds in on itself
> >
> > Are there any other ones I am overlooking?
>
> How about "One rule fails to load for obscure reasons." ?

iptables-restore, which is what I used, fortunately uses a transaction to commit new rules.

-- 
martin f. krafft [EMAIL PROTECTED]

the only real advantage to punk music is that nobody can whistle it.
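The rule orderings debated in this thread, as an added example that is not code from the thread: a first-match evaluator over the "accept good packets first" and "drop bad packets first" variants, with conntrack modelled as the replies describe it (a lone ACK with no tracked connection is NEW, not INVALID) and with the "one rule missing" failure mode from the last two messages simulated by deleting a rule. Packet dicts and the helper names are constructed for the example.

```python
# Added example, not code from the thread: a first-match evaluator for the rule
# orderings debated above, with conntrack behaving as the replies describe it
# (a lone ACK with no tracked connection is classified NEW, not INVALID).
# Packets are constructed dicts: protocol, destination port, SYN flag, ctstate.

def is_state(*states):
    return lambda p: p["state"] in states

def is_syn(p):
    return p["proto"] == "tcp" and p["syn"]

def to_port(port):
    return lambda p: p["proto"] == "tcp" and p["dport"] == port

def negate(match):
    return lambda p: not match(p)

# 1) accept the good packets first; everything else falls to the chain policy
ACCEPT_FIRST = [
    (is_state("ESTABLISHED", "RELATED"), "ACCEPT"),
    (is_state("INVALID"), "DROP"),
    (lambda p: is_state("NEW")(p) and is_syn(p) and to_port(22)(p), "ACCEPT"),
]

# 2) drop the bad packets first; the accept rule trusts the drops above it
DENY_FIRST = [
    (is_state("ESTABLISHED", "RELATED"), "ACCEPT"),
    (is_state("INVALID"), "DROP"),
    (negate(is_state("NEW")), "DROP"),
    (negate(is_syn), "DROP"),
    (to_port(22), "ACCEPT"),
]

# 3) "drop INVALID, then accept port 22": assumes non-SYN packets are INVALID
PICKUP_UNAWARE = [
    (is_state("ESTABLISHED", "RELATED"), "ACCEPT"),
    (is_state("INVALID"), "DROP"),
    (to_port(22), "ACCEPT"),
]

def evaluate(rules, pkt, policy="DROP"):
    """First matching rule wins; the chain policy applies if nothing matches."""
    for match, action in rules:
        if match(pkt):
            return action
    return policy

def without(rules, index):
    """Simulate one rule being commented out or failing to load."""
    return rules[:index] + rules[index + 1:]

# Constructed packets: a normal SSH SYN, a lone ACK to port 22 that conntrack
# picks up as NEW, and a SYN to a port that is not meant to be reachable.
SSH_SYN = {"proto": "tcp", "dport": 22, "syn": True, "state": "NEW"}
SSH_ACK = {"proto": "tcp", "dport": 22, "syn": False, "state": "NEW"}
CUPS_SYN = {"proto": "tcp", "dport": 631, "syn": True, "state": "NEW"}

if __name__ == "__main__":
    for name, rules in (("accept-first", ACCEPT_FIRST), ("deny-first", DENY_FIRST),
                        ("pickup-unaware", PICKUP_UNAWARE)):
        print(name, [evaluate(rules, p) for p in (SSH_SYN, SSH_ACK, CUPS_SYN)])
    # one drop rule missing from the deny-first set: the lone ACK now gets in
    print("deny-first minus 'drop ! --syn':", evaluate(without(DENY_FIRST, 3), SSH_ACK))
```

With every rule loaded both orderings give the same verdicts, but removing the "drop ! --syn" rule from the deny-first set lets the picked-up ACK through, while removing a drop rule from the accept-first set changes nothing because the accept rule carries its own conditions.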