Re: [Solved] iptables firewall and web sites not loading

2019-12-10 Thread Pascal Hambourg

On 10/12/2019 at 20:13, nektarios wrote:

> Pascal Hambourg wrote:
>
> > Maybe a "MTU black hole" issue with PPPoE.
> > Workarounds :
> > - lower the MTU on the client side to 1492
> > - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
>
> (...)
>
> The tip you gave me really did the job! I found this page on tldp.org
> describing the MTU issue
> http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html and then I
> simply ran the iptables command
> ```
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> ```
> and it was fixed!


Please note that
- It's a hack. It does not fix the actual issue (inbound packets bigger
than the PMTU are silently dropped).
- It works only for TCP.
- This rule works only for IPv4. If you have IPv6 connectivity, you must
add a similar ip6tables rule.
- It does not work inside VPNs and tunnels which hide the actual PMTU.
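A check for the black-hole pattern Pascal describes, as an added example that is not part of the thread: it parses the tcpdump lines nektarios posted (embedded below), reports whether the bytes missing from the server's stream are exactly full-sized segments while smaller ones got through, and computes the MSS that `--clamp-mss-to-pmtu` would write on a 1492-byte PPPoE link. The function names, verdict strings and the 40/60-byte header arithmetic are my own, not from the thread.

```python
"""Spot the MTU black-hole signature in a tcpdump capture (added example).

Parses tcpdump lines of the shape quoted in the thread and checks the classic
pattern: the handshake and small segments get through, but the server's first
data segment seen on the LAN starts well past relative seq 1 and the missing
span is a whole number of full-sized (MSS-sized) segments.  Also computes the
MSS that TCPMSS --clamp-mss-to-pmtu would write for a PPPoE link (MTU 1492).
"""
import re

# The capture nektarios posted (tcpdump -vvv piped through grep), one packet per line.
CAPTURE = """\
192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
"""

TCP_TIMESTAMP_BYTES = 12   # TS option plus two NOPs, carried in every segment once negotiated


def parse_packet(line):
    """Extract the fields this check needs from one tcpdump line."""
    head = re.match(r"^(\S+) > (\S+): Flags \[([^\]]*)\]", line)
    seq = re.search(r"seq (\d+)(?::(\d+))?", line)
    ack = re.search(r"\back (\d+)", line)          # \b keeps 'sackOK' / 'sack 1' from matching
    opts = re.search(r"options \[([^\]]*)\]", line)
    length = re.search(r"length (\d+)\s*$", line)
    if not (head and seq and length):
        raise ValueError("unrecognised tcpdump line: " + line)
    opt_text = opts.group(1) if opts else ""
    mss = re.search(r"\bmss (\d+)", opt_text)
    return {
        "src": head.group(1), "dst": head.group(2), "flags": head.group(3),
        "seq": int(seq.group(1)),
        "seq_end": int(seq.group(2)) if seq.group(2) else None,
        "ack": int(ack.group(1)) if ack else None,
        "mss": int(mss.group(1)) if mss else None,
        "timestamps": "TS val" in opt_text,
        "len": int(length.group(1)),
    }


def clamped_mss(pmtu, ipv6=False):
    """MSS that TCPMSS --clamp-mss-to-pmtu writes into a SYN: PMTU minus IP and TCP headers."""
    return pmtu - (60 if ipv6 else 40)


def segment_fits(payload, pmtu, timestamps=True, ipv6=False):
    """Would a segment carrying `payload` bytes fit into `pmtu` without fragmentation?"""
    overhead = (60 if ipv6 else 40) + (TCP_TIMESTAMP_BYTES if timestamps else 0)
    return payload + overhead <= pmtu


def analyze(capture_text):
    """Compare what the server sent with what the client acknowledged."""
    pkts = [parse_packet(l) for l in capture_text.splitlines() if l.strip()]
    syn = next(p for p in pkts if p["flags"] == "S")
    client, server = syn["src"], syn["dst"]
    synack = next(p for p in pkts if p["flags"] == "S." and p["src"] == server)
    if syn["mss"] is None:
        raise ValueError("client SYN carries no MSS option")
    mss = syn["mss"]                               # the server sizes its segments by the client's MSS
    ts = syn["timestamps"] and synack["timestamps"]
    full_payload = mss - (TCP_TIMESTAMP_BYTES if ts else 0)
    # After the handshake tcpdump prints sequence and ack numbers relative to the ISNs.
    post = [p for p in pkts if "S" not in p["flags"]]
    client_acked = max((p["ack"] for p in post if p["src"] == client and p["ack"]), default=1)
    server_data = [p for p in post if p["src"] == server and p["len"] > 0]
    result = {"mss": mss, "full_payload": full_payload, "client_acked": client_acked,
              "missing_bytes": 0, "missing_full_segments": 0, "largest_delivered": 0,
              "verdict": "no-server-data"}
    if not server_data:
        return result
    first = min(server_data, key=lambda p: p["seq"])
    missing = max(first["seq"] - client_acked, 0)  # bytes the server sent that never arrived
    largest = max(p["len"] for p in server_data)
    result.update(missing_bytes=missing, largest_delivered=largest,
                  missing_full_segments=missing // full_payload)
    if missing and missing % full_payload == 0 and largest < full_payload:
        result["verdict"] = "mtu-black-hole"       # exactly the full-size segments vanished
    elif missing:
        result["verdict"] = "loss-not-mss-aligned"  # some other kind of packet loss
    else:
        result["verdict"] = "no-gap"
    return result


if __name__ == "__main__":
    for key, value in analyze(CAPTURE).items():
        print(f"{key:22} {value}")
    print("MSS after --clamp-mss-to-pmtu on a 1492-byte PPPoE link:", clamped_mss(1492))
```

On the posted capture the 2896 missing bytes are two 1448-byte segments (1500-byte packets, which do not fit a 1492-byte PPPoE link) while the 771-byte segment arrived; with the clamp the server would send 1440-byte payloads, which do fit.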



[Solved] iptables firewall and web sites not loading

2019-12-10 Thread nektarios
On Tue, 10 Dec 2019 09:26:46 +
Nektarios Katakis  wrote:

> On Tue, 10 Dec 2019 07:22:05 +0100
> Pascal Hambourg  wrote:
> 
> > > On 10/12/2019 at 00:01, Nektarios Katakis wrote:
> > > 
> > > I am running an iptables firewall on an openwrt router I've got.
> > > Which acts as Firewall/gateway and performs NATing for my internal
> > > network - debian PCs and android phones.
> > > 
> > > All good but specific web sites are not loading for the machines
> > > that are sitting behind the home router.
> > > 
> > > When attempting on the browser (firefox but tried different ones)
> > > the browser stays at `Performing a TLS handshake to
> > > bitbucket.org`. wget has similar results:
> > > ```
> > > wget  https://bitbucket.org
> > > --2019-12-09 22:07:32--  https://bitbucket.org/
> > > Resolving bitbucket.org (bitbucket.org)... 18.205.93.0,
> > > 18.205.93.1, 18.205.93.2, ... Connecting to bitbucket.org
> > > (bitbucket.org)|18.205.93.0|:443... connected.
> > > ```
> > > When doing a tcpdump on the router side I can see some initial TCP
> > > session establishment and then nothing:
> > (...)  
> > > Of course doing a wget from the router itself works fine as it
> > > also works fine on my desktop if I do dynamic port-forwarding
> > > with eg. `ssh -D 1050 router` (and configure of course firefox to
> > > use it).
> > 
> > Maybe a "MTU black hole" issue with PPPoE.
> > Workarounds :
> > - lower the MTU on the client side to 1492
> > - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
> >   
> 
> Interesting. I'm not a network engineer and actually didn't think of
> that. I'll give it a shot and update.
> 
> Thanks.
> 

The tip you gave me really did the job! I found this page on tldp.org
describing the MTU issue
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html and then I
simply ran the iptables command
```
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```
and it was fixed!

Thanks again!

---
Nektarios Katakis



Re: iptables firewall and web sites not loading

2019-12-10 Thread Nektarios Katakis
On Tue, 10 Dec 2019 07:22:05 +0100
Pascal Hambourg  wrote:

> On 10/12/2019 at 00:01, Nektarios Katakis wrote:
> > 
> > I am running an iptables firewall on an openwrt router I've got.
> > Which acts as Firewall/gateway and performs NATing for my internal
> > network - debian PCs and android phones.
> > 
> > All good but specific web sites are not loading for the machines
> > that are sitting behind the home router.
> > 
> > When attempting on the browser (firefox but tried different ones)
> > the browser stays at `Performing a TLS handshake to bitbucket.org`.
> > wget has similar results:
> > ```
> > wget  https://bitbucket.org
> > --2019-12-09 22:07:32--  https://bitbucket.org/
> > Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1,
> > 18.205.93.2, ... Connecting to bitbucket.org
> > (bitbucket.org)|18.205.93.0|:443... connected.
> > ```
> > When doing a tcpdump on the router side I can see some initial TCP
> > session establishment and then nothing:  
> (...)
> > Of course doing a wget from the router itself works fine as it also
> > works fine on my desktop if I do dynamic port-forwarding with eg.
> > `ssh -D 1050 router` (and configure of course firefox to use it).  
> 
> Maybe a "MTU black hole" issue with PPPoE.
> Workarounds :
> - lower the MTU on the client side to 1492
> - add a "TCPMSS --clamp-to-pmtu" iptables rule on the router
> 

Interesting. I'm not a network engineer and actually didn't think of
that. I'll give it a shot and update.

Thanks.

-- 
Nektarios Katakis



Re: iptables firewall and web sites not loading

2019-12-09 Thread Pascal Hambourg

On 10/12/2019 at 00:01, Nektarios Katakis wrote:


> I am running an iptables firewall on an openwrt router I've got. Which
> acts as Firewall/gateway and performs NATing for my internal network -
> debian PCs and android phones.
>
> All good but specific web sites are not loading for the machines that
> are sitting behind the home router.
>
> When attempting on the browser (firefox but tried different ones) the
> browser stays at `Performing a TLS handshake to bitbucket.org`. wget has
> similar results:
> ```
> wget  https://bitbucket.org
> --2019-12-09 22:07:32--  https://bitbucket.org/
> Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1,
> 18.205.93.2, ... Connecting to bitbucket.org
> (bitbucket.org)|18.205.93.0|:443... connected.
> ```
> When doing a tcpdump on the router side I can see some initial TCP
> session establishment and then nothing:

(...)

> Of course doing a wget from the router itself works fine as it also
> works fine on my desktop if I do dynamic port-forwarding with eg. `ssh
> -D 1050 router` (and configure of course firefox to use it).


Maybe a "MTU black hole" issue with PPPoE.
Workarounds :
- lower the MTU on the client side to 1492
- add a "TCPMSS --clamp-to-pmtu" iptables rule on the router



Re: iptables firewall and web sites not loading

2019-12-09 Thread john doe
On 12/10/2019 12:01 AM, Nektarios Katakis wrote:
> Hello,
>
> I am running an iptables firewall on an openwrt router I've got. Which
> acts as Firewall/gateway and performs NATing for my internal network -
> debian PCs and android phones.
>
> All good but specific web sites are not loading for the machines that
> are sitting behind the home router.
>
> When attempting on the browser (firefox but tried different ones) the
> browser stays at `Performing a TLS handshake to bitbucket.org`. wget has
> similar results:
> ```
> wget  https://bitbucket.org
> --2019-12-09 22:07:32--  https://bitbucket.org/
> Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1,
> 18.205.93.2, ... Connecting to bitbucket.org
> (bitbucket.org)|18.205.93.0|:443... connected.
> ```
> When doing a tcpdump on the router side I can see some initial TCP
> session establishment and then nothing:
> ```
> tcpdump -vvvi br-lan port 443 | grep bitbucket.org
> tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
> 192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
> bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
> 192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
> 192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
> bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
> bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
> 192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
> ```
>
> Of course doing a wget from the router itself works fine as it also
> works fine on my desktop if I do dynamic port-forwarding with eg. `ssh
> -D 1050 router` (and configure of course firefox to use it).
>
> I'm not sure what might be wrong here tbh. Of course other (most) sites
> work fine without dynamic forwarding or anything.
>
> I am attaching the output of `iptables --list-rules` for whoever is
> patient enough to read.
>
> Any help would be appreciated.
>

Are you still seeing the error if you do:

$ /etc/init.d/firewall stop


WARNING: You will not have any firewall protection if you do that

Is the issue still manifesting itself if the configuration is reset to
factory default?


This is a Debian mailing list, you might be better off on the OpenWrt forum.

--
John Doe



iptables firewall and web sites not loading

2019-12-09 Thread Nektarios Katakis
Hello,

I am running an iptables firewall on an openwrt router I've got. Which
acts as Firewall/gateway and performs NATing for my internal network -
debian PCs and android phones.

All good but specific web sites are not loading for the machines that
are sitting behind the home router. 

When attempting on the browser (firefox but tried different ones) the
browser stays at `Performing a TLS handshake to bitbucket.org`. wget has
similar results: 
```
wget  https://bitbucket.org
--2019-12-09 22:07:32--  https://bitbucket.org/
Resolving bitbucket.org (bitbucket.org)... 18.205.93.0, 18.205.93.1,
18.205.93.2, ... Connecting to bitbucket.org
(bitbucket.org)|18.205.93.0|:443... connected.
```
When doing a tcpdump on the router side I can see some initial TCP
session establishment and then nothing:
```
tcpdump -vvvi br-lan port 443 | grep bitbucket.org
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
192.168.2.168.54440 > bitbucket.org.443: Flags [S], cksum 0xb3a3 (correct), seq 2816225641, win 29200, options [mss 1460,sackOK,TS val 15744661 ecr 0,nop,wscale 7], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [S.], cksum 0x5c8d (correct), seq 1149625734, ack 2816225642, win 26847, options [mss 1460,sackOK,TS val 4256708721 ecr 15744661,nop,wscale 7], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0xf33d (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 15744683 ecr 4256708721], length 0
192.168.2.168.54440 > bitbucket.org.443: Flags [P.], cksum 0x58a5 (correct), seq 1:221, ack 1, win 229, options [nop,nop,TS val 15744684 ecr 4256708721], length 220
bitbucket.org.443 > 192.168.2.168.54440: Flags [.], cksum 0xf211 (correct), seq 1, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 0
bitbucket.org.443 > 192.168.2.168.54440: Flags [P.], cksum 0x9998 (correct), seq 2897:3668, ack 221, win 219, options [nop,nop,TS val 4256708810 ecr 15744684], length 771
192.168.2.168.54440 > bitbucket.org.443: Flags [.], cksum 0x4e08 (correct), seq 221, ack 1, win 251, options [nop,nop,TS val 15744705 ecr 4256708810,nop,nop,sack 1 {2897:3668}], length 0
```

Of course doing a wget from the router itself works fine as it also
works fine on my desktop if I do dynamic port-forwarding with eg. `ssh
-D 1050 router` (and configure of course firefox to use it).

I'm not sure what might be wrong here tbh. Of course other (most) sites
work fine without dynamic forwarding or anything.

I am attaching the output of `iptables --list-rules` for whoever is
patient enough to read.

Any help would be appreciated.

-- 
Regards,
Nektarios Katakis

```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N forwarding_dmz_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_dmz_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_dmz_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_dmz_dest_ACCEPT
-N zone_dmz_forward
-N zone_dmz_input
-N zone_dmz_output
-N zone_dmz_src_ACCEPT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-dmz -m comment --comment "!fw3" -j zone_dmz_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-dmz -m comment --comment "!fw3" -j zone_dmz_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-dmz -m comment --comment "!fw3" -j zone_dmz_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-un
```

Android gmail through ferm /iptables firewall

2016-05-20 Thread basti
Hello,

I have a router (debian) for my LAN and the iptables firewall looks like

```
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       all  --  192.168.178.43       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     tcp  --  192.168.178.20       0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  192.168.178.22       0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  192.168.178.20       0.0.0.0/0            tcp dpt:465
ACCEPT     tcp  --  192.168.178.22       0.0.0.0/0            tcp dpt:465
ACCEPT     tcp  --  192.168.178.20       0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  192.168.178.22       0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  192.168.178.20       0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  192.168.178.22       0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  192.168.178.20       0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  192.168.178.22       0.0.0.0/0            tcp dpt:993
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993 reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
```

My PC has IP 192.168.178.20 and I can receive mails (gmail address) with
icedove.
My android phone has IP 192.168.178.22 and I *can't* receive mails with
the standard gmail program.

When I add ACCEPT all -- 192.168.178.22 0.0.0.0/0 it also works with the
gmail program.

What is wrong here? Does the gmail program use other ports? I have tried to
sniff with tcpdump but can't find any relevant traffic.

best regards,
basti



Re: iptables firewall

2014-07-31 Thread Mike McClain
On Wed, Jul 30, 2014 at 08:33:56PM +0200, Nemeth Gyorgy wrote:
> On 2014-07-30 09:18, Joe wrote:
> > Something else you might do now is to place temporary logging rules
> > before your 'DROP' rules, to confirm whether it is indeed iptables
> > which is blocking those packets. No logs, it's somebody or something
> > else.
>
> Perhaps it is not needed.
> iptables -L -v command shows the ruleset with packet counter. You can
> see whether the rule was used or not.

snip
Thank you that's useful to know.
Mike
--
It's not always polite to speak your mind.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140731161158.GA3644@playground



Re: iptables firewall

2014-07-30 Thread Joe
On Tue, 29 Jul 2014 14:04:23 -0700
Mike McClain mike.j...@nethere.com wrote:

> I've run into a difficulty with iptables in that both GRC.com and
> PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but
> not stealthed in spite of the fact that I have these statements in my
> firewall script:
> iptables -A INPUT -p udp --dport 137:138 -j DROP
> iptables -A INPUT -p tcp --dport 137:138 -j DROP
> iptables -A INPUT -p tcp --dport 139 -j DROP
> iptables -A INPUT -p tcp --dport 445 -j DROP
> iptables -A OUTPUT -p udp --dport 137:138 -j DROP
> iptables -A OUTPUT -p tcp --dport 137:138 -j DROP
> iptables -A OUTPUT -p tcp --dport 139 -j DROP
> iptables -A OUTPUT -p tcp --dport 445 -j DROP
>
> Both scans report all else stealthed.
> Suggestions?

Apart from the suggestions others have offered, why are you listing
these ports at all? Your iptables rules should block everything
everywhere by default, and only permit in what you want. And if you
are hoping to be invisible from the Net, as you imply, then you won't
be letting in anything at all except that which is related to previous
outward messages.

Something else you might do now is to place temporary logging rules
before your 'DROP' rules, to confirm whether it is indeed iptables
which is blocking those packets. No logs, it's somebody or something
else. And if you have anything other than just a bare modem between you
and the outside world, which is not really best practice, then the first
place to look is the Net router.

And as someone else asked, why are you worried about this 'stealth'? As
long as the bad packets don't get in, what does it matter?

-- 
Joe


-- 
Archive: https://lists.debian.org/20140730081851.70446...@jretrading.com



Re: iptables firewall

2014-07-30 Thread Mike McClain
On Tue, Jul 29, 2014 at 11:19:18PM +0200, Sven Hartge wrote:

> Maybe your ISP already filters those ports?

Now that's a thought I hadn't considered.
If the ISP is REJECTing those ports that would explain the responses
I'm seeing.
Thanks I'll look into it.
Mike
--
Who knows what evil lurks in the hearts of men?


-- 
Archive: https://lists.debian.org/20140730145828.GB14982@playground



Re: iptables firewall

2014-07-30 Thread Mike McClain
On Tue, Jul 29, 2014 at 10:20:57PM +0100, Mark Carroll wrote:

> Use iptables --list-rules to check what rules are actually in force,
> applying in what order.
>
> -- Mark

I've been using iptables-save which gives nearly the same output but
fails to explain why 2 online scanners show those ports blocked.
nmap reports the first 1024 ports filtered which is the same as
stealthed.
Thanks for the thought,
Mike
--
Who knows what evil lurks in the hearts of men?


-- 
Archive: https://lists.debian.org/20140730150546.GC14982@playground



Re: iptables firewall

2014-07-30 Thread Mike McClain
On Wed, Jul 30, 2014 at 01:09:24AM +0200, Pascal Hambourg wrote:

snip
> You can safely ignore that stealth FUD.

block:REJECT::Stealth:DROP
Why do you say it can be ignored?

snip
> Use iptables-save instead.

I do.
Thanks for your thoughts,
Mike
--
Who knows what evil lurks in the hearts of men?


-- 
Archive: https://lists.debian.org/20140730151532.GD14982@playground



Re: iptables firewall

2014-07-30 Thread Mike McClain
On Wed, Jul 30, 2014 at 08:18:51AM +0100, Joe wrote:
snip
> Something else you might do now is to place temporary logging rules
> before your 'DROP' rules, to confirm whether it is indeed iptables
> which is blocking those packets. No logs, it's somebody or something
> else. And if you have anything other than just a bare modem between you
> and the outside world, which is not really best practice, then the first
> place to look is the Net router.

The temporary logging rules are a good idea, I'll do that.

> And as someone else asked, why are you worried about this 'stealth'? As
> long as the bad packets don't get in, what does it matter?

Why is there a DROP instruction in iptables as well as REJECT?

If a hacker gets no response he's less likely to dig further.

Thanks for your thoughts.
Mike
--
Who knows what evil lurks in the hearts of men?


-- 
Archive: https://lists.debian.org/20140730153335.GE14982@playground



Re: iptables firewall

2014-07-30 Thread Sven Hartge
Mike McClain mike.j...@nethere.com wrote:
> On Wed, Jul 30, 2014 at 01:09:24AM +0200, Pascal Hambourg wrote:
>
> snip
> > You can safely ignore that stealth FUD.
>
> block:REJECT::Stealth:DROP
> Why do you say it can be ignored?

If I try to connect to a system on (for example) IP 192.168.40.60 and
port 80 and there is no system with that IP, the router for the network
will tell me via an ICMP host unreachable package.

When my request just vanishes and I get no response back, I will
suspect that there is indeed a device at that IP which tries to be in
stealth mode.

The only way to be really stealthy and hide one's network existence is to
configure the router _before_ your device to reject the packages with
the correct ICMP.

Doing it on the device you want to stealth is futile.

And it will increase the traffic you receive, because normal TCP stacks
will assume a lost package and retry sending it multiple times.

If your device just RSTs the connection or sends an ICMP admin
prohibited then the sending device will know what to do and stop trying
to resend.

Summary: DROP does not do what you think it does.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.


-- 
Archive: https://lists.debian.org/aasdo1h96...@mids.svenhartge.de



Re: iptables firewall

2014-07-30 Thread Sven Hartge
Sven Hartge s...@svenhartge.de wrote:

> If I try to connect to a system on (for example) IP 192.168.40.60 and
> port 80 and there is no system with that IP, the router for the
> network will tell me via an ICMP host unreachable package.

Erm, please replace package with packet while reading, thanks.

Regards,
Sven

-- 
Sigmentation fault. Core dumped.


-- 
Archive: https://lists.debian.org/basdoi596...@mids.svenhartge.de



Re: iptables firewall

2014-07-30 Thread Sven Hartge
Mike McClain mike.j...@nethere.com wrote:
> On Wed, Jul 30, 2014 at 08:18:51AM +0100, Joe wrote:
>
> > And as someone else asked, why are you worried about this 'stealth'?
> > As long as the bad packets don't get in, what does it matter?
>
> Why is there a DROP instruction in iptables as well as REJECT?

Sometimes you want to DROP packets, if you know what you are doing. For
example in combination with a rate limit. REJECT 3 packets every second,
DROP the rest, to counter any flooding attack but provide normal
operations for normal connection attempts.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.


-- 
Archive: https://lists.debian.org/casdolq96...@mids.svenhartge.de



Re: iptables firewall

2014-07-30 Thread Nemeth Gyorgy
On 2014-07-30 17:33, Mike McClain wrote:
> > And as someone else asked, why are you worried about this 'stealth'? As
> > long as the bad packets don't get in, what does it matter?
>
> Why is there a DROP instruction in iptables as well as REJECT?

To allow you to do what you want. e.g DROP can slow down portscans and
if your host does not reply to ping either sometimes it will not be
found by scanners.
 
> If a hacker gets no response he's less likely to dig further.

REJECT is actually a response :)


-- 
--- Friczy ---
'Death is not a bug, it's a feature'


-- 
Archive: https://lists.debian.org/53d93bb2.7020...@freemail.hu



Re: iptables firewall

2014-07-30 Thread Nemeth Gyorgy
On 2014-07-30 09:18, Joe wrote:
> Something else you might do now is to place temporary logging rules
> before your 'DROP' rules, to confirm whether it is indeed iptables
> which is blocking those packets. No logs, it's somebody or something
> else.

Perhaps it is not needed.
iptables -L -v command shows the ruleset with packet counter. You can
see whether the rule was used or not.


-- 
--- Friczy ---
'Death is not a bug, it's a feature'


-- 
Archive: https://lists.debian.org/53d93a94.5000...@freemail.hu
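Nemeth Gyorgy's counter check, written out as an added example that is not from the thread: take `iptables -L INPUT -v -n` before and after the external scan and compare the packet counters of the DROP rules covering the scanned ports. A counter that does not move means the probe never reached this host (or hit an earlier rule), which is what an upstream filter such as the ISP Sven Hartge mentions looks like from the inside. Both listings are constructed, with a tcp/23 rule added as a control whose counter does move; the verdict strings are my own.

```python
"""Did iptables drop the scanner's probes, or did they never arrive? (added example)

Takes two `iptables -L INPUT -v -n` listings, captured before and after an
external port scan, and compares the packet counters of the DROP rules that
cover the scanned ports.  A counter that does not move means the probe never
reached this host (or matched an earlier rule in the chain), which is what an
upstream filter at a router or the ISP looks like from the inside.
"""
import re

# Constructed listings.  The tcp/23 rule is a control whose counter does move.
SNAPSHOT_BEFORE = """\
Chain INPUT (policy ACCEPT 1034 packets, 251K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:138
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:137:138
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
   40  2400 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
"""

SNAPSHOT_AFTER = """\
Chain INPUT (policy ACCEPT 1201 packets, 290K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:138
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:137:138
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
   43  2580 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
"""

# The ports Mike's scans reported as "blocked, not stealthed", plus the control.
SCANNED = [("udp", 137), ("udp", 138), ("tcp", 137), ("tcp", 138),
           ("tcp", 139), ("tcp", 445), ("tcp", 23)]


def to_int(field):
    """iptables -v abbreviates large counters with decimal K/M/G; add -x to get exact values."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(field[:-1]) * mult[field[-1]] if field[-1] in mult else int(field)


def parse_rules(listing):
    """One dict per rule line of `iptables -L -v -n`; chain and column headers are skipped."""
    rules = []
    for line in listing.splitlines():
        cols = line.split(None, 9)   # pkts bytes target prot opt in out src dst [match text]
        if len(cols) < 9 or not cols[0].rstrip("KMG").isdigit():
            continue
        extra = cols[9] if len(cols) > 9 else ""
        ports = set()
        m = re.search(r"dpts?:(\d+)(?::(\d+))?", extra)   # dpt:139 or dpts:137:138
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            ports = set(range(lo, hi + 1))
        rules.append({"pkts": to_int(cols[0]), "target": cols[2], "proto": cols[3],
                      "ports": ports, "text": " ".join(cols[2:])})
    return rules


def probe_verdicts(before, after, probes):
    """Map 'proto/port' to what the DROP counters say happened to that probe."""
    pkts_before = {r["text"]: r["pkts"] for r in parse_rules(before)}
    verdicts = {}
    for rule in parse_rules(after):
        if rule["target"] != "DROP":
            continue
        delta = rule["pkts"] - pkts_before.get(rule["text"], 0)
        for proto, port in probes:
            if proto == rule["proto"] and port in rule["ports"]:
                verdicts[f"{proto}/{port}"] = "dropped-here" if delta > 0 else "never-reached-host"
    for proto, port in probes:
        verdicts.setdefault(f"{proto}/{port}", "no-drop-rule")
    return verdicts


if __name__ == "__main__":
    for probe, verdict in sorted(probe_verdicts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, SCANNED).items()):
        print(f"{probe:9} {verdict}")
```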



Re: iptables firewall

2014-07-30 Thread Pascal Hambourg
Joe wrote:
>
> Something else you might do now is to place temporary logging rules
> before your 'DROP' rules, to confirm whether it is indeed iptables
> which is blocking those packets.

Or just run tcpdump while the port scan is running.

> No logs, it's somebody or something
> else. And if you have anything other than just a bare modem between you
> and the outside world, which is not really best practice, then the first
> place to look is the Net router.
>
> And as someone else asked, why are you worried about this 'stealth'? As
> long as the bad packets don't get in, what does it matter?

He may have believed the claim by GRC et al. that not stealth=at risk.
But that's just some kind of security by obscurity, isn't it ?


-- 
Archive: https://lists.debian.org/53d948af.4090...@plouf.fr.eu.org



Re: iptables firewall

2014-07-30 Thread Joe
On Wed, 30 Jul 2014 21:34:07 +0200
Pascal Hambourg pas...@plouf.fr.eu.org wrote:

> Joe wrote:
> >
> > Something else you might do now is to place temporary logging rules
> > before your 'DROP' rules, to confirm whether it is indeed iptables
> > which is blocking those packets.
>
> Or just run tcpdump while the port scan is running.

I like iptables, it's simple, and it tells you exactly what you want to
know, in real time, without needing to wade through man pages.
 
> > No logs, it's somebody or something
> > else. And if you have anything other than just a bare modem between
> > you and the outside world, which is not really best practice, then
> > the first place to look is the Net router.
> >
> > And as someone else asked, why are you worried about this
> > 'stealth'? As long as the bad packets don't get in, what does it
> > matter?
>
> He may have believed the claim by GRC et al. that not stealth=at
> risk. But that's just some kind of security by obscurity, isn't it ?

On the whole, I think Mr Gibson knows what he is talking about, but
all the melodrama on his site is for the benefit of Windows users. If
you don't hugely exaggerate risks these days, nobody pays you any
attention. He may well have played a part in getting a firewall put
into XP, I don't think Microsoft was ever very bothered about home
users' security.

I'm not a security expert, but I read a bit now and then, and I think
if a competent Black Hat thinks there's a computer on a particular
address, he'll find it, and what OS it runs, and what its owner had for
breakfast... there's a lot more to life than well-formed TCP and UDP
packets, and everything incoming has to be handled by the networking
code, every protocol, every invalid packet, even when it pretends it's
not there. Iptables and suchlike will keep out the bots, and that's all
the small people need to do.

-- 
Joe


--
Archive: https://lists.debian.org/20140730212540.314e4...@jretrading.com



iptables firewall

2014-07-29 Thread Mike McClain
I've run into a difficulty with iptables in that both GRC.com and
PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but
not stealthed in spite of the fact that I have these statements in my
firewall script:
iptables -A INPUT -p udp --dport 137:138 -j DROP
iptables -A INPUT -p tcp --dport 137:138 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP
iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A OUTPUT -p udp --dport 137:138 -j DROP
iptables -A OUTPUT -p tcp --dport 137:138 -j DROP
iptables -A OUTPUT -p tcp --dport 139 -j DROP
iptables -A OUTPUT -p tcp --dport 445 -j DROP

Both scans report all else stealthed.
Suggestions?
THX,
Mike
--
No electrons were harmed in sending this message, some were inconvenienced.


-- 
Archive: https://lists.debian.org/20140729210423.GA25852@playground



Re: iptables firewall

2014-07-29 Thread Sven Hartge
Mike McClain mike.j...@nethere.com wrote:

> I've run into a difficulty with iptables in that both GRC.com and
> PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but
> not stealthed in spite of the fact that I have these statements in my
> firewall script:
>
> iptables -A INPUT -p udp --dport 137:138 -j DROP
> iptables -A INPUT -p tcp --dport 137:138 -j DROP
> iptables -A INPUT -p tcp --dport 139 -j DROP
> iptables -A INPUT -p tcp --dport 445 -j DROP
> iptables -A OUTPUT -p udp --dport 137:138 -j DROP
> iptables -A OUTPUT -p tcp --dport 137:138 -j DROP
> iptables -A OUTPUT -p tcp --dport 139 -j DROP
> iptables -A OUTPUT -p tcp --dport 445 -j DROP
>
> Both scans report all else stealthed.
> Suggestions?

Maybe your ISP already filters those ports?

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.


-- 
Archive: https://lists.debian.org/9asbo1196...@mids.svenhartge.de



Re: iptables firewall

2014-07-29 Thread Mark Carroll
Mike McClain mike.j...@nethere.com writes:

> I've run into a difficulty with iptables in that both GRC.com and
> PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but
> not stealthed in spite of the fact that I have these statements in my
> firewall script:
(snip)
> Suggestions?

Use iptables --list-rules to check what rules are actually in force,
applying in what order.

-- Mark


-- 
Archive: https://lists.debian.org/874mxzzwsm@ixod.org



Re: iptables firewall

2014-07-29 Thread Pascal Hambourg
Mark Carroll wrote:
> Mike McClain mike.j...@nethere.com writes:
>
> > I've run into a difficulty with iptables in that both GRC.com and
> > PCFlank.com's firewall scans show ports 137-139 and 445 as blocked but
> > not stealthed in spite of the fact that I have these statements in my
> > firewall script:

You can safely ignore that stealth FUD.

> Use iptables --list-rules to check what rules are actually in force,
> applying in what order.

Use iptables-save instead.



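The advice in this thread is to look at the rules as the kernel actually holds them (iptables --list-rules or iptables-save) rather than at the script, because within a chain the first matching rule wins and a later DROP never sees a packet an earlier rule already accepted. The following is an added example, not code from the thread: a POSIX shell function that walks an iptables-save dump and reports which rule in a chain is the first to match a new packet for a given protocol and port, or the chain policy when none does. The dump in SAMPLE_DUMP is constructed for illustration; in practice you would pipe the real `iptables-save` output into the function. Rules restricted to RELATED,ESTABLISHED state are skipped, since the first packet of an inbound connection never matches them.

```shell
#!/bin/sh
# Added example (not from the thread): find the first rule in a chain that
# matches a protocol/port, reading an iptables-save dump from stdin.
# In real use:   iptables-save | first_match INPUT tcp 445
set -f   # no pathname expansion while word-splitting rule lines ([0:0] is a glob)

# Constructed sample dump: note the ACCEPT for 445 that sits *before* the DROP.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:138 -j DROP
-A INPUT -p tcp -m tcp --dport 137:138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
COMMIT'

# port_in_range PORT SPEC : true if PORT is covered by SPEC ("139" or "137:138")
port_in_range() {
    case "$2" in
        *:*) [ "$1" -ge "${2%%:*}" ] && [ "$1" -le "${2##*:}" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# first_match CHAIN PROTO PORT : prints the target of the first matching rule
# in CHAIN, or "policy:<POLICY>" when no rule matches a new PROTO/PORT packet.
first_match() {
    chain=$1; proto=$2; port=$3; policy=unknown; found=""
    while IFS= read -r line; do
        case "$line" in
            ":$chain "*)
                set -- $line
                policy=$2 ;;
            "-A $chain "*)
                [ -n "$found" ] && continue
                set -- $line
                rproto=""; rport=""; states=""; target=""
                while [ $# -gt 0 ]; do
                    case "$1" in
                        -p)                rproto=$2; shift ;;
                        --dport)           rport=$2;  shift ;;
                        --ctstate|--state) states=$2; shift ;;
                        -j)                target=$2; shift ;;
                    esac
                    shift
                done
                # A state match without NEW can never see the first packet of
                # a connection, so such a rule is skipped for this question.
                case "$states" in ""|*NEW*) ;; *) continue ;; esac
                if [ -z "$rproto" ] || [ "$rproto" = "$proto" ]; then
                    if [ -z "$rport" ] || port_in_range "$port" "$rport"; then
                        found=$target
                    fi
                fi ;;
        esac
    done
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
    else
        printf 'policy:%s\n' "$policy"
    fi
}

# Demo on the sample: a scanner sees 445 as open although a DROP exists,
# because the earlier ACCEPT wins.
for p in 445 139 22; do
    printf 'INPUT tcp %s -> %s\n' "$p" "$(printf '%s\n' "$SAMPLE_DUMP" | first_match INPUT tcp "$p")"
done
```

The function only understands the simple `-p` / `--dport` / `-j` rules this thread deals with; interface, source and other matches are ignored, so treat its answer as "which rule is reached first", not as a full packet-path simulation.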


Re: Arno-Iptables-Firewall on Debian 7.1

2014-04-24 Thread Camaleón
On Tue, 22 Apr 2014 10:21:19 -0500, Richard Díaz Rodríguez wrote:

(don't forget to turn off HTML in your messages)

> Hi, I have arno-iptables-firewall installed and configured to do NAT
> for my LAN. I would like to make it so that all traffic destined for
> port 80 of the server where arno-iptables-firewall is installed gets
> sent to another server inside my LAN, and vice versa, all traffic
> coming from that server on port 80 gets sent out to the internet. I use
> Debian 7.1.

I'm quite bad at writing firewall rules, so rather than diving into
the pool without a float I'd recommend you review the official
documentation, for example:

http://rocky.eld.leidenuniv.nl/joomla/index.php?option=com_content&view=article&id=50&Itemid=81

Q: How can I forward port 21 and 25 to 192.168.0.5 and forward
port 5000-5010 to 192.168.0.6?

A: Use NAT_FORWARD_TCP and/or NAT_FORWARD_UDP variable(s) in this way:
NAT_FORWARD_TCP="21,25>192.168.0.5 5000:5010>192.168.0.6"
NAT_FORWARD_UDP="21,25>192.168.0.5 5000:5010>192.168.0.6"

I understand your case would be similar, since you want inbound
traffic addressed to port 80 of server1, where you have the firewall,
forwarded to another server2 on the internal network, and the outbound
port 80 traffic from server2 to go to the outbound gateway to the
Internet, which I take to be a modem or another router.

Regards,

-- 
Camaleón





Arno-Iptables-Firewall on Debian 7.1

2014-04-22 Thread Richard Díaz Rodríguez
Hi, I have arno-iptables-firewall installed and configured to do NAT for my
LAN. I would like to make it so that all traffic destined for port 80 of the
server where arno-iptables-firewall is installed gets sent to another server
inside my LAN, and vice versa, all traffic coming from that server on port 80
gets sent out to the internet. I use Debian 7.1.

Esp. Richard Díaz Rodríguez
Network and Systems Administrator
UEB Fibrocemento Sancti Spíritus, Cuba.
Work phone: (53)41-861603
www.LinuxCounter.net
Registered user #567498


RE: Deploying an IPtables/Firewall Server

2013-07-02 Thread Samuel .
Many thanks for the contributions, folks. Now I feel more comfortable
getting to work.

__
Samuel 
__

Date: Thu, 27 Jun 2013 08:09:05 -0300
Subject: RE: Deploying an IPtables/Firewall Server
From: d4n1h...@gmail.com
To: lista.debian.bra...@outlook.com
CC: debian-user-portuguese@lists.debian.org

Remember that a firewall is a concept and not a single tool; a firewall
encompasses port filtering, packet and content filtering, IDS, IPS and more.

What sysadmins usually do: change the default ports of services and monitor
and filter them, set up load balancing and failover if needed, block high
ports, restrict privileges and services.

Adopt the security policy of blocking everything and allowing only what is
necessary, because that way you implicitly block everything that is
unnecessary; it helps you sleep on weekends, lol.

On Jun 27, 2013 8:01 AM, d4n1h...@gmail.com wrote:

Always separate your services onto distinct servers (fw, proxy, VoIP, DNS,
DHCP, etc.), preferably physical ones, because that makes maintenance easier
and helps you avoid stopping every service when one fails or the host server
goes down. Create your network design (create VLANs, narrow the netmask if
needed, since that isolates the network and reduces broadcast traffic), and
use layers and levels of security (perimeter fw, DMZ, etc.); on the fw use at
least 2 physical NICs, add another if you use a DMZ, and add one for each
link if you use more than 1 link, because emulating NICs costs performance;
disable every service you will not use, filter all ports, monitor your assets
(zabbix, cacti) and create IDS policies (snort, suricata). In short, it is a
whole world to explore. Study, get certified. It matters; my LPI has helped
me a lot.

Happy studying ;-)

On Jun 26, 2013 9:16 PM, Samuel . lista.debian.bra...@outlook.com wrote:

Thanks to those who took a minute of their time to help me! I really am
looking for good security practices on Linux servers. I have a service with
only one network card running an IP telephony system (Asterisk) and I
urgently need to implement security policies.

__
Samuel 
__

 From: Samuel . lista.debian.bra...@outlook.com
 To: Lista Debian BR debian-user-portuguese@lists.debian.org
 Sent: Tuesday, 25 June 2013 23:50
 Subject: Deploying an IPtables/Firewall Server

Hello everyone! Could someone help me deploy a firewall server? Does anyone
have a PDF to send me about it? I understand that what to block depends on
my environment, but what do administrators usually block? Many thanks!

__
Samuel 
__

RE: Deploying an IPtables/Firewall Server

2013-06-27 Thread d4n1
Always separate your services onto distinct servers (fw, proxy, VoIP, DNS,
DHCP, etc.), preferably physical ones, because that makes maintenance easier
and helps you avoid stopping every service when one fails or the host server
goes down. Create your network design (create VLANs, narrow the netmask if
needed, since that isolates the network and reduces broadcast traffic), and
use layers and levels of security (perimeter fw, DMZ, etc.); on the fw use at
least 2 physical NICs, add another if you use a DMZ, and add one for each
link if you use more than 1 link, because emulating NICs costs performance;
disable every service you will not use, filter all ports, monitor your assets
(zabbix, cacti) and create IDS policies (snort, suricata). In short, it is a
whole world to explore. Study, get certified. It matters; my LPI has helped
me a lot.

Happy studying ;-)
On Jun 26, 2013 9:16 PM, Samuel . lista.debian.bra...@outlook.com wrote:

> Thanks to those who took a minute of their time to help me! I really am
> looking for good security practices on Linux servers. I have a service with
> only one network card running an IP telephony system (Asterisk) and I
> urgently need to implement security policies.
>
> __
> Samuel
> __
>
> *From:* Samuel . lista.debian.bra...@outlook.com
> *To:* Lista Debian BR debian-user-portuguese@lists.debian.org
> *Sent:* Tuesday, 25 June 2013 23:50
> *Subject:* Deploying an IPtables/Firewall Server
>
> Hello everyone! Could someone help me deploy a firewall server? Does anyone
> have a PDF to send me about it? I understand that what to block depends on
> my environment, but what do administrators usually block? Many thanks!
>
> __
> Samuel
> __

RE: Deploying an IPtables/Firewall Server

2013-06-27 Thread d4n1
Remember that a firewall is a concept and not a single tool; a firewall
encompasses port filtering, packet and content filtering, IDS, IPS and more.

What sysadmins usually do: change the default ports of services and monitor
and filter them, set up load balancing and failover if needed, block high
ports, restrict privileges and services.

Adopt the security policy of blocking everything and allowing only what is
necessary, because that way you implicitly block everything that is
unnecessary; it helps you sleep on weekends, lol.
On Jun 27, 2013 8:01 AM, d4n1h...@gmail.com wrote:

> Always separate your services onto distinct servers (fw, proxy, VoIP, DNS,
> DHCP, etc.), preferably physical ones, because that makes maintenance easier
> and helps you avoid stopping every service when one fails or the host server
> goes down. Create your network design (create VLANs, narrow the netmask if
> needed, since that isolates the network and reduces broadcast traffic), and
> use layers and levels of security (perimeter fw, DMZ, etc.); on the fw use at
> least 2 physical NICs, add another if you use a DMZ, and add one for each
> link if you use more than 1 link, because emulating NICs costs performance;
> disable every service you will not use, filter all ports, monitor your assets
> (zabbix, cacti) and create IDS policies (snort, suricata). In short, it is a
> whole world to explore. Study, get certified. It matters; my LPI has helped
> me a lot.
>
> Happy studying ;-)
> On Jun 26, 2013 9:16 PM, Samuel . lista.debian.bra...@outlook.com wrote:
>
>> Thanks to those who took a minute of their time to help me! I really am
>> looking for good security practices on Linux servers. I have a service with
>> only one network card running an IP telephony system (Asterisk) and I
>> urgently need to implement security policies.
>>
>> __
>> Samuel
>> __
>>
>> *From:* Samuel . lista.debian.bra...@outlook.com
>> *To:* Lista Debian BR debian-user-portuguese@lists.debian.org
>> *Sent:* Tuesday, 25 June 2013 23:50
>> *Subject:* Deploying an IPtables/Firewall Server
>>
>> Hello everyone! Could someone help me deploy a firewall server? Does anyone
>> have a PDF to send me about it? I understand that what to block depends on
>> my environment, but what do administrators usually block? Many thanks!
>>
>> __
>> Samuel
>> __

Re: Deploying an IPtables/Firewall Server

2013-06-26 Thread Ricardo César
Friend, there is a post on the subject that helped me a lot when I started;
you can use it to get some ideas, as I did:
http://portaltecinformatica.blogspot.com.br/2010/06/versao-10-estavel-do-manual-de.html

--®!©@®dø--

COMPUTER NETWORK TECHNOLOGY.
POSTGRADUATE STUDENT IN INFORMATION SYSTEMS
FREE OUT OF NECESSITY, LINUX BY CHOICE!
DON'T BE PRACTICAL, BE EFFICIENT!
USE THE FORCE, READ THE SOURCE!

 From: Samuel . lista.debian.bra...@outlook.com
To: Lista Debian BR debian-user-portuguese@lists.debian.org
Sent: Tuesday, 25 June 2013 23:50
Subject: Deploying an IPtables/Firewall Server

Hello everyone! Could someone help me deploy a firewall server? Does anyone
have a PDF to send me about it? I understand that what to block depends on
my environment, but what do administrators usually block? Many thanks!

__
Samuel 
__

Re: Deploying an IPtables/Firewall Server

2013-06-26 Thread paulo bruck
OK, if you want study material, there is one that to this day is, in my
opinion, the best for learning how to work with iptables:
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Now, if you want a Debian distro with an HTTPS interface for configuring a
firewall/proxy in a very easy way, and GPL3 to boot, there is this one:
http://www.protejasuarede.com.br/

Regards

On 26 June 2013 08:34, Ricardo César ricardo_...@yahoo.com wrote:

> Friend, there is a post on the subject that helped me a lot when I started;
> you can use it to get some ideas, as I did:
>
> http://portaltecinformatica.blogspot.com.br/2010/06/versao-10-estavel-do-manual-de.html
>
> --®!©@®dø--
> --
> COMPUTER NETWORK TECHNOLOGY.
> POSTGRADUATE STUDENT IN INFORMATION SYSTEMS
> FREE OUT OF NECESSITY, LINUX BY CHOICE!
> DON'T BE PRACTICAL, BE EFFICIENT!
> USE THE FORCE, READ THE SOURCE!
>
> *From:* Samuel . lista.debian.bra...@outlook.com
> *To:* Lista Debian BR debian-user-portuguese@lists.debian.org
> *Sent:* Tuesday, 25 June 2013 23:50
> *Subject:* Deploying an IPtables/Firewall Server
>
> Hello everyone! Could someone help me deploy a firewall server? Does anyone
> have a PDF to send me about it? I understand that what to block depends on
> my environment, but what do administrators usually block? Many thanks!
>
> __
> Samuel
> __

Re: Deploying an IPtables/Firewall Server

2013-06-26 Thread Ricardo César
As a ready-made solution there is also Pro-IS; I have seen it working in a
few places.
http://www.dualsolucoes.com.br/pro-is.asp

--®!©@®dø--

COMPUTER NETWORK TECHNOLOGY.
POSTGRADUATE STUDENT IN INFORMATION SYSTEMS
FREE OUT OF NECESSITY, LINUX BY CHOICE!
DON'T BE PRACTICAL, BE EFFICIENT!
USE THE FORCE, READ THE SOURCE!

 From: paulo bruck paulobru...@gmail.com
To: Lista Debian BR debian-user-portuguese@lists.debian.org
Sent: Wednesday, 26 June 2013 9:06
Subject: Re: Deploying an IPtables/Firewall Server

OK, if you want study material, there is one that to this day is, in my
opinion, the best for learning how to work with iptables:
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Now, if you want a Debian distro with an HTTPS interface for configuring a
firewall/proxy in a very easy way, and GPL3 to boot, there is this one:
http://www.protejasuarede.com.br/

Regards

On 26 June 2013 08:34, Ricardo César ricardo_...@yahoo.com wrote:

Friend, there is a post on the subject that helped me a lot when I started;
you can use it to get some ideas, as I did:
http://portaltecinformatica.blogspot.com.br/2010/06/versao-10-estavel-do-manual-de.html

--®!©@®dø--

COMPUTER NETWORK TECHNOLOGY.
POSTGRADUATE STUDENT IN INFORMATION SYSTEMS
FREE OUT OF NECESSITY, LINUX BY CHOICE!
DON'T BE PRACTICAL, BE EFFICIENT!
USE THE FORCE, READ THE SOURCE!

 From: Samuel . lista.debian.bra...@outlook.com
To: Lista Debian BR debian-user-portuguese@lists.debian.org
Sent: Tuesday, 25 June 2013 23:50
Subject: Deploying an IPtables/Firewall Server

Hello everyone! Could someone help me deploy a firewall server? Does anyone
have a PDF to send me about it? I understand that what to block depends on
my environment, but what do administrators usually block? Many thanks!

__
Samuel 
__

Re: Deploying an IPtables/Firewall Server

2013-06-26 Thread Rodolfo
There is also pfSense.

On 26 June 2013 08:55, Ricardo César ricardo_...@yahoo.com wrote:

> As a ready-made solution there is also Pro-IS; I have seen it working in a
> few places.
> http://www.dualsolucoes.com.br/pro-is.asp
>
> --®!©@®dø--
> --
> COMPUTER NETWORK TECHNOLOGY.
> POSTGRADUATE STUDENT IN INFORMATION SYSTEMS
> FREE OUT OF NECESSITY, LINUX BY CHOICE!
> DON'T BE PRACTICAL, BE EFFICIENT!
> USE THE FORCE, READ THE SOURCE!
>
> *From:* paulo bruck paulobru...@gmail.com
> *To:* Lista Debian BR debian-user-portuguese@lists.debian.org
> *Sent:* Wednesday, 26 June 2013 9:06
> *Subject:* Re: Deploying an IPtables/Firewall Server
>
> OK, if you want study material, there is one that to this day is, in my
> opinion, the best for learning how to work with iptables:
> http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
>
> Now, if you want a Debian distro with an HTTPS interface for configuring a
> firewall/proxy in a very easy way, and GPL3 to boot, there is this one:
> http://www.protejasuarede.com.br/
>
> Regards
>
> On 26 June 2013 08:34, Ricardo César ricardo_...@yahoo.com wrote:
>
> Friend, there is a post on the subject that helped me a lot when I started;
> you can use it to get some ideas, as I did:
>
> http://portaltecinformatica.blogspot.com.br/2010/06/versao-10-estavel-do-manual-de.html
>
> --®!©@®dø--
> --
> COMPUTER NETWORK TECHNOLOGY.
> POSTGRADUATE STUDENT IN INFORMATION SYSTEMS
> FREE OUT OF NECESSITY, LINUX BY CHOICE!
> DON'T BE PRACTICAL, BE EFFICIENT!
> USE THE FORCE, READ THE SOURCE!
>
> *From:* Samuel . lista.debian.bra...@outlook.com
> *To:* Lista Debian BR debian-user-portuguese@lists.debian.org
> *Sent:* Tuesday, 25 June 2013 23:50
> *Subject:* Deploying an IPtables/Firewall Server
>
> Hello everyone! Could someone help me deploy a firewall server? Does anyone
> have a PDF to send me about it? I understand that what to block depends on
> my environment, but what do administrators usually block? Many thanks!
>
> __
> Samuel
> __

Re: Deploying an IPtables/Firewall Server

2013-06-26 Thread André Nunes Batista
Hi,

I started playing with iptables recently. Besides the frozentux manual
(which I have not finished reading yet), I recommend these two links:

http://wiki.debian.org/iptables

and

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

-- 

Luther Blisset
GNUPG/PGP KEY: 6722CF80

I challenge you to play the game in which there is no loser but
everything is fun and worthwhile!

---BeginMessage---
OK, if you want study material, there is one that to this day is, in my
opinion, the best for learning how to work with iptables:
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Now, if you want a Debian distro with an HTTPS interface for configuring a
firewall/proxy in a very easy way, and GPL3 to boot, there is this one:
http://www.protejasuarede.com.br/

Regards

On 26 June 2013 08:34, Ricardo César ricardo_...@yahoo.com wrote:

> Friend, there is a post on the subject that helped me a lot when I started;
> you can use it to get some ideas, as I did:
>
> http://portaltecinformatica.blogspot.com.br/2010/06/versao-10-estavel-do-manual-de.html
>
> --®!©@®dø--
> --
> COMPUTER NETWORK TECHNOLOGY.
> POSTGRADUATE STUDENT IN INFORMATION SYSTEMS
> FREE OUT OF NECESSITY, LINUX BY CHOICE!
> DON'T BE PRACTICAL, BE EFFICIENT!
> USE THE FORCE, READ THE SOURCE!
>
> *From:* Samuel . lista.debian.bra...@outlook.com
> *To:* Lista Debian BR debian-user-portuguese@lists.debian.org
> *Sent:* Tuesday, 25 June 2013 23:50
> *Subject:* Deploying an IPtables/Firewall Server
>
> Hello everyone! Could someone help me deploy a firewall server? Does anyone
> have a PDF to send me about it? I understand that what to block depends on
> my environment, but what do administrators usually block? Many thanks!
>
> __
> Samuel
> __
---End Message---




RE: Deploying an IPtables/Firewall Server

2013-06-26 Thread Samuel .
Thanks to those who took a minute of their time to help me! I really am
looking for good security practices on Linux servers. I have a service with
only one network card running an IP telephony system (Asterisk) and I
urgently need to implement security policies.

__
Samuel 
__

 From: Samuel . lista.debian.bra...@outlook.com
 To: Lista Debian BR debian-user-portuguese@lists.debian.org
 Sent: Tuesday, 25 June 2013 23:50
 Subject: Deploying an IPtables/Firewall Server

Hello everyone! Could someone help me deploy a firewall server? Does anyone
have a PDF to send me about it? I understand that what to block depends on
my environment, but what do administrators usually block? Many thanks!

__
Samuel 
__

Deploying an IPtables/Firewall Server

2013-06-25 Thread Samuel .
Hello everyone! Could someone help me deploy a firewall server? Does anyone
have a PDF to send me about it? I understand that what to block depends on
my environment, but what do administrators usually block? Many thanks!

__
Samuel 
__

Re: Deploying an IPtables/Firewall Server

2013-06-25 Thread Daniel Lenharo
Could you give more details?

Are you going to use a proxy too?
What are your interfaces?

Connected via MOTOBLUR™

-Original Message-
From: Samuel . lista.debian.bra...@outlook.com
To: Lista Debian BR debian-user-portuguese@lists.debian.org
Sent: Wednesday, 26 June 2013 02:51:07 GMT+00:00
Subject: Deploying an IPtables/Firewall Server

Hello everyone! Could someone help me deploy a firewall server? Does anyone
have a PDF to send me about it? I understand that what to block depends on
my environment, but what do administrators usually block? Many thanks!

__
Samuel 
__


Re: iptables - firewall behaving strangely..

2009-08-11 Thread Fábio Tramasoli
Man,
could you please run iptables -vnL -t nat and paste the output?

Cheers

2009/8/11 Alexandre Lima lima...@gmail.com:
> Yes Fábio, I'm calling it from rc.local so it runs at boot. I can't tell
> you which runlevel, but it isn't via save/reload; it runs as if I were
> typing the commands in the shell...
>
> Look, in the log, if I set it to log INPUT or FORWARD, nothing shows up
> on port 3389...
> So I'm copying the iptables -v --list output to see if it helps you help me...
>
> Thanks for the help, cheers!
>
> concreto:~# iptables -v --list
> Chain INPUT (policy ACCEPT 465K packets, 324M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>    0     0 LOG        tcp  --  any    any     anywhere             anywhere
> tcp dpt:5042 LOG level warning prefix `Servico: Wincrash'
>    0     0 LOG        tcp  --  any    any     anywhere             anywhere
> tcp dpt:12345 LOG level warning prefix `Servico: BackOrifice'
>    0     0 LOG        tcp  --  any    any     anywhere             anywhere
> tcp dpt:12346 LOG level warning prefix `Servico: BackOrifice'
>    0     0 LOG        tcp  --  any    any     anywhere             anywhere
> tcp dpt:31337 LOG level warning prefix `Servico: BackOrifice'
>    4   228 DROP       tcp  --  eth0   any     anywhere             anywhere
> tcp dpt:www
>    1    48 DROP       tcp  --  eth0   any     anywhere             anywhere
> tcp dpt:3128
>    0     0 ACCEPT     tcp  --  any    any     192.168.2.0/24       anywhere
> tcp dpt:ssh
>  307K   50M ACCEPT     tcp  --  any    any     192.168.2.0/24       anywhere
> tcp dpt:3128
>    0     0 ACCEPT     tcp  --  any    any     192.168.2.0/24       anywhere
> tcp dpt:www
>    0     0 ACCEPT     tcp  --  any    any     192.168.2.0/24       anywhere
> tcp dpt:ftp
>    0     0 ACCEPT     tcp  --  any    any     192.168.2.0/24       anywhere
> tcp dpt:3389
>    0     0 ACCEPT     tcp  --  any    any     192.168.2.0/24       anywhere
> tcp dpt:9875
>    0     0 ACCEPT     tcp  --  any    any     192.168.2.0/24       anywhere
> tcp dpt:8017
>
> Chain FORWARD (policy ACCEPT 2555K packets, 1777M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  1284 63060 ACCEPT     tcp  --  any    any     anywhere             anywhere
> tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
>   12   480 ACCEPT     tcp  --  any    any     anywhere             anywhere
> tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
>    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
> icmp echo-request limit: avg 1/sec burst 5
>    0     0 REJECT     all  --  any    any     anywhere
> 216.35.208.0/24     reject-with icmp-port-unreachable
>    0     0 REJECT     all  --  any    any     anywhere
> 206.142.53.0/24     reject-with icmp-port-unreachable
>    3   144 REJECT     tcp  --  any    any     anywhere             anywhere
> tcp dpt:kazaa reject-with icmp-port-unreachable
>    0     0 REJECT     all  --  any    any     anywhere
> 213-248-112-0.customer.teliacarrier.com/24 reject-with icmp-port-unreachable
>    0     0 REJECT     tcp  --  any    any     anywhere             anywhere
> tcp dpt:kazaa reject-with icmp-port-unreachable
>    0     0 ACCEPT     tcp  --  any    any     anywhere
> cmt.caixa.gov.br    tcp dpt:www
>    0     0 ACCEPT     tcp  --  any    any     anywhere
> 192.168.2.0/24      tcp dpt:8017
> 18582   26M ACCEPT     tcp  --  any    any     anywhere             anywhere
> tcp dpt:smtp
> 10942  492K ACCEPT     tcp  --  any    any     anywhere             anywhere
> tcp dpt:pop3
>  1029 86802 ACCEPT     tcp  --  any    any     anywhere             anywhere
> tcp dpt:3389
>
> Chain OUTPUT (policy ACCEPT 934K packets, 434M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
> concreto:~#
>
> -Original Message-
> From: fabio.tramas...@gmail.com [mailto:fabio.tramas...@gmail.com] On behalf of
> Fábio Tramasoli
> Sent: Monday, 10 August 2009 22:10
> To: lima...@gmail.com
> Subject: Re: iptables - firewall behaving strangely..
>
> Man, is this script set to run at boot? In which runlevel, or are you
> using iptables-save/load on changes and at boot? Apart from that, do you
> have netfilter logs?
>
> That would make it easier to help :)
>
> Cheers
>
> 2009/8/10 Alexandre Lima lima...@gmail.com:
>> Folks, I set up a firewall with the script below. Something happened
>> that I had never seen... It simply behaves strangely... ignores the
>> rules... for example...
>>
>> A simple forward of port 3389 to a local machine: if I restart the
>> server, it works for a few seconds, and after that it no longer works.
>>
>> It gives the impression that when rc.local runs the firewall script it
>> loses the config and stops working. Or it must be a silly mistake of
>> mine in the script... can anyone help??
>>
>> Cheers!
>>
>> PS: Distro Debian, Kernel 2.6.26-17, iptables 1.4.2
>>
>> Here is the script:
>>
>> modprobe ip_nat_pptp
>> modprobe ip_conntrack_pptp
>> modprobe ip_nat_pptp
>> modprobe ip_gre
>>
>> INTERNET_IP=200.179.98.74
>> INTERNET_CLASS

iptables - firewall behaving strangely..

2009-08-10 Thread Alexandre Lima
Folks, I set up a firewall with the script below. Something happened that
I had never seen... It simply behaves strangely... ignores the rules... for
example...

A simple forward of port 3389 to a local machine: if I restart the server,
it works for a few seconds, and after that it no longer works.

It gives the impression that when rc.local runs the firewall script it
loses the config and stops working. Or it must be a silly mistake of mine
in the script... can anyone help??

Cheers!

PS: Distro Debian, Kernel 2.6.26-17, iptables 1.4.2

Here is the script:

modprobe ip_nat_pptp
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
modprobe ip_gre

INTERNET_IP=200.179.98.74
INTERNET_CLASS=200.179.98.72/255.255.255.248

INTERNAL_IP=192.168.2.1
INTERNAL_CLASS=192.168.2.0/24
INTERNET_ETH=eth0
INTERNAL_ETH=eth1

case $1 in start)

iptables -F
iptables -Z
iptables -t nat -F
iptables -t filter -P FORWARD ACCEPT

iptables -t nat -A POSTROUTING -s $INTERNAL_CLASS -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

# Block apache and squid from the internet
iptables -A INPUT -p tcp --dport 80 -i $INTERNET_ETH -j DROP
iptables -A INPUT -p tcp --dport 3128 -i $INTERNET_ETH -j DROP

# Allow access from the internal network
iptables -A INPUT -p tcp -s $INTERNAL_CLASS --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $INTERNAL_CLASS --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp -s $INTERNAL_CLASS --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s $INTERNAL_CLASS --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s $INTERNAL_CLASS --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp -s $INTERNAL_CLASS --dport 9875 -j ACCEPT
iptables -A INPUT -p tcp -s $INTERNAL_CLASS --dport 8017 -j ACCEPT
iptables -A FORWARD -d $INTERNAL_CLASS -p tcp --dport 8017 -j ACCEPT

# Email
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT

# Forward
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT

# Allow access for the Siagri VPN
echo "Liberando VPN SIAGRI [OK]"

VPNSERVER=200.163.51.83
iptables -t nat -A PREROUTING -p tcp --dport 1723 -j DNAT --to $VPNSERVER
iptables -t nat -A PREROUTING -p gre -j DNAT --to $VPNSERVER


# Redirects
iptables -t nat -A PREROUTING -i $INTERNET_ETH -p tcp --dport 9875 -j DNAT --to 192.168.2.5:9875
iptables -t nat -A PREROUTING -i $INTERNET_ETH -p tcp --dport 3389 -j DNAT --to 192.168.2.5:3389

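The script above flushes the tables and re-adds rules one by one from rc.local, and d4n1's advice earlier on this page is to block everything and allow only what is needed. The following is an added example, not the thread's script and not a diagnosis of the reported symptom: it generates the whole ruleset in iptables-save format so it can be checked and loaded in one step with iptables-restore. It uses DROP policies on INPUT and FORWARD, puts the conntrack rules first so replies and established sessions are never cut off, and for each port forward emits both the PREROUTING DNAT and the FORWARD accept that a DNAT needs once FORWARD no longer defaults to ACCEPT. The interface names, addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the thread's script: emit a complete ruleset in
# iptables-save format so it can be loaded atomically with iptables-restore
# instead of flushing and re-adding rules one by one at boot.
# All interface names, addresses and ports are constructed placeholders.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.2.0/24

# nat_forward PROTO PORT INTERNAL_IP : the PREROUTING DNAT line for one forward
nat_forward() {
    printf '%s\n' "-A PREROUTING -i $WAN_IF -p $1 --dport $2 -j DNAT --to-destination $3:$2"
}

# filter_forward PROTO PORT INTERNAL_IP : the FORWARD accept the DNAT needs.
# With a DROP policy on FORWARD, rewriting the destination alone is not enough;
# the filter table sees the packet with its already-rewritten destination.
filter_forward() {
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p $1 -d $3 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# gen_ruleset [PROTO:PORT:INTERNAL_IP ...] : prints the nat and filter tables.
# Policies default to DROP (allow only what is listed); existing connections
# are accepted first so replies and established sessions are never cut off.
gen_ruleset() {
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for spec in "$@"; do
        proto=${spec%%:*}; rest=${spec#*:}
        nat_forward "$proto" "${rest%%:*}" "${rest#*:}"
    done
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    for spec in "$@"; do
        proto=${spec%%:*}; rest=${spec#*:}
        filter_forward "$proto" "${rest%%:*}" "${rest#*:}"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (as root, with net.ipv4.ip_forward=1 set via sysctl):
#   gen_ruleset tcp:3389:192.168.2.5 tcp:9875:192.168.2.5 > /tmp/rules.v4
#   iptables-restore < /tmp/rules.v4
# iptables-restore parses the whole file before touching the kernel and swaps
# each table in one step, so there is no window with the old rules gone and
# the new ones not yet loaded.
gen_ruleset tcp:3389:192.168.2.5 tcp:9875:192.168.2.5
```

Keeping the generated file under /etc and loading it with iptables-restore at boot (on Debian, the iptables-persistent package does exactly that) also means `iptables-save` afterwards shows the same text you wrote, which makes the "what is actually in force" check from the other threads on this page a plain diff.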


Re: arno-iptables-firewall package question

2008-08-08 Thread chris
On Wed, 06 Aug 2008 04:42:15 +0200, s. keeling wrote:

> Jude DaShiell [EMAIL PROTECTED]:
>>  So far as I can tell, the firewall package is only installing itself
>>  after the network has already come up.  From what reading I've done,
>>  this is the wrong order.  How can I correct that order after the
>>  package has been installed so arno-iptables-firewall runs just before
>>  the network connection gets brought up?
>
> Caveat: http://linuxgazette.net/114/keeling.html, and I no longer use it
> (no need).  I was using ppp at the time I wrote that, and ppp provides
> ways to call it pre if-up, ...  I expect it's easy to do with ethN.
>
> However, I was also using the upstream tarball, not Debian's package.
> YMMV.

I've been using Debian's package for some time. I have a link in /etc/
rcS.d/ that starts it up before the network. I think I had to put that 
there myself.

Nice article by the way.





Re: arno-iptables-firewall package question

2008-08-06 Thread s. keeling
Jude DaShiell [EMAIL PROTECTED]:
> So far as I can tell, the firewall package is only installing itself after 
> the network has already come up.  From what reading I've done, this is the 
> wrong order.  How can I correct that order after the package has been 
> installed so arno-iptables-firewall runs just before the network 
> connection gets brought up?

Caveat: http://linuxgazette.net/114/keeling.html, and I no longer use
it (no need).  I was using ppp at the time I wrote that, and ppp
provides ways to call it pre if-up, ...  I expect it's easy to do with
ethN.

However, I was also using the upstream tarball, not Debian's package.
YMMV.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://blinkynet.net/comp/uip5.html  Linux Counter #80292
- -http://www.faqs.org/rfcs/rfc1855.htmlPlease, don't Cc: me.





Re: arno-iptables-firewall package question

2008-08-04 Thread chris
On Sat, 02 Aug 2008 04:36:59 -0400, Jude DaShiell wrote:

> So far as I can tell, the firewall package is only installing itself
> after the network has already come up.  From what reading I've done,
> this is the wrong order.  How can I correct that order after the package
> has been installed so arno-iptables-firewall runs just before the
> network connection gets brought up?

How did you tell? What is the order in /etc/rcS.d/ ?






arno-iptables-firewall package question

2008-08-02 Thread Jude DaShiell
So far as I can tell, the firewall package is only installing itself after 
the network has already come up.  From what reading I've done, this is the 
wrong order.  How can I correct that order after the package has been 
installed so arno-iptables-firewall runs just before the network 
connection gets brought up?








Re: Better iptables firewall

2007-08-30 Thread ndemou
On 8/30/07, Michael Pobega [EMAIL PROTECTED] wrote:
> [...]
> I'm hoping some seasoned Debian sysadmins out there can help me by
> advising me on how to better setup iptables...My current setup is:

You can find quite some info here:
Securing Debian howto
http://www.debian.org/doc/manuals/securing-debian-howto/





Re: Better iptables firewall

2007-08-30 Thread Douglas A. Tutty
On Thu, Aug 30, 2007 at 12:25:25AM -0400, Michael Pobega wrote:
 Currently I'm using iptables as my main firewall, and I'm having no
 trouble with it whatsoever. But lately (Since college has started) I've
 been connecting to a lot more networks, with more peers connected. I'm
 worried about somebody breaking through the security on my laptop and
 doing something malicious.
 
 I'm hoping some seasoned Debian sysadmins out there can help me by
 advising me on how to better setup iptables...My current setup is:
 
 
 # Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
 *filter
 :INPUT DROP [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [35639:3072343]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
 -A INPUT -p icmp -j DROP
 #-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
 #-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
 #-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
 COMMIT
 # Completed on Mon Jun 18 09:55:18 2007
 
 The commented rules are uncommented in my ruleset for home (I only have
 those ports forwarded on my home router, so opening them outside is a 
 potential security hazard)
 
 
It looks like you're allowing unlimited output which means that if
something does break into your system then they can use your system to
spit stuff out without you knowing.  Overall, it seems like very few
rules.

Personally, I use shorewall to set up my netfilter rules.  If nothing
else, you probably should install the shorewall-doc package since it
covers the subject very well.  Here are my relevant shorewall configs
with the preamble comments removed.  This box is my main box and also
acts as a firewall for the rest of the network.

Policy first:
###
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   REJECT  info
fw       net   REJECT  info
net      all   DROP    -
all      all   REJECT  info
#LAST LINE -- DO NOT REMOVE

Then the rules:
#
#ACTION         SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
#                                   PORT(S)  PORT(S)  DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNS/ACCEPT      loc     fw
DNS/ACCEPT      loc     net
DNS/ACCEPT      fw      net
DNS/ACCEPT      fw      loc
SSH/ACCEPT      loc     fw
SSH/ACCEPT      fw      loc
NTP/ACCEPT      fw      net
NTP/ACCEPT      fw      loc
NTP/ACCEPT      loc     fw
POP3/ACCEPT     fw      net
POP3/ACCEPT     fw      loc
POP3/ACCEPT     loc     fw
POP3S/ACCEPT    fw      net
POP3S/ACCEPT    fw      loc
POP3S/ACCEPT    loc     fw
SMTP/ACCEPT     loc     fw
SMTP/ACCEPT     fw      net
SMTP/ACCEPT     fw      loc
SMTPS/ACCEPT    loc     fw
SMTPS/ACCEPT    fw      net
SMTPS/ACCEPT    loc     fw
Syslog/ACCEPT   fw      loc
Syslog/ACCEPT   loc     fw
FTP/ACCEPT      loc     net
FTP/ACCEPT      fw      net
FTP/ACCEPT      fw      loc
Ping/ACCEPT     loc     net
Ping/ACCEPT     fw      net
Ping/ACCEPT     loc     fw
Ping/ACCEPT     fw      loc
HTTP/ACCEPT     fw      net
HTTP/ACCEPT     loc     net
HTTP/ACCEPT     fw      loc
HTTPS/ACCEPT    fw      net
HTTPS/ACCEPT    loc     net
HTTPS/ACCEPT    fw      loc
Rsync/ACCEPT    loc     net
Rsync/ACCEPT    loc     fw
Rsync/ACCEPT    fw      net
Rsync/ACCEPT    fw      loc
Trcrt/ACCEPT    loc     net
Trcrt/ACCEPT    fw      net
Trcrt/ACCEPT    loc     fw
Trcrt/ACCEPT    fw      loc
ACCEPT          fw      loc   tcp    printer
ACCEPT          loc     fw    tcp    printer
# for GnuPG (OpenPGP) to retrieve/send keys to key server
ACCEPT          fw      net   tcp    11371
ACCEPT          fw      net   udp    11371
ACCEPT          loc     net   tcp    11371
ACCEPT          loc     net   udp    11371
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE





Re: Better iptables firewall

2007-08-30 Thread John L Fjellstad
Michael Pobega [EMAIL PROTECTED] writes:

 # Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
 *filter
 :INPUT DROP [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [35639:3072343]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
 -A INPUT -p icmp -j DROP
 #-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
 #-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
 #-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
 COMMIT
 # Completed on Mon Jun 18 09:55:18 2007

I think the rules look fine

-- 
John L. Fjellstad
web: http://www.fjellstad.org/  Quis custodiet ipsos custodes





Better iptables firewall

2007-08-29 Thread Michael Pobega

Currently I'm using iptables as my main firewall, and I'm having no
trouble with it whatsoever. But lately (Since college has started) I've
been connecting to a lot more networks, with more peers connected. I'm
worried about somebody breaking through the security on my laptop and
doing something malicious.

I'm hoping some seasoned Debian sysadmins out there can help me by
advising me on how to better set up iptables...My current setup is:


# Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [35639:3072343]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP
#-A INPUT -p tcp -m tcp --dport 5030 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
COMMIT
# Completed on Mon Jun 18 09:55:18 2007

The commented rules are uncommented in my ruleset for home (I only have
those ports forwarded on my home router, so opening them outside is a 
potential security hazard)

-- 
If programmers deserve to be rewarded for creating innovative
programs, by the same token they deserve to be punished if they
restrict the use of these programs. 
 - Richard Stallman





Re: Iptables / Firewall / Webmin

2005-03-20 Thread Thomas Jahns
Martin Müller [EMAIL PROTECTED] writes:
 The firewall works (almost) the way I want it to, but when I try to look at the
 current policy on the console, it is not listed. An
 
  iptables -L
 
 gives the following result:
 
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination
 
 Chain FORWARD (policy ACCEPT)
 target prot opt source   destination
 
 Chain OUTPUT (policy ACCEPT)
 target prot opt source   destination
 
 
 An iptables -F has no effect either. The masquerading function still works.
 
 Doesn't the Webmin firewall configuration go through iptables?

iptables is called that because it sets up several tables that a packet has to
pass through; each of these tables in turn contains the chains shown above. By
default iptables uses the filter table. To see the settings for masquerading and
similar operations on the IP address, you have to select the nat table (so
'iptables -t nat -L' would be the command you are looking for).

Thomas Jahns
-- 
Computers are good at following instructions,
 but not at reading your mind.
D. E. Knuth, The TeXbook, Addison-Wesley 1984, 1986, 1996, p. 9



Iptables / Firewall / Webmin

2005-03-19 Thread Martin Müller
Hello!

I have a Sarge installation running here on which I am putting the rules
together with the Webmin firewall module.

The firewall works (almost) the way I want it to, but when I try to look at the
current policy on the console, it is not listed. An

 iptables -L

gives the following result:

Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination


An iptables -F has no effect either. The masquerading function still works.

Doesn't the Webmin firewall configuration go through iptables?


Many thanks for your answers!


Martin




Re: Iptables / Firewall / Webmin

2005-03-19 Thread Andreas Pakulat
On 19 Mar 2005 - 11:53:39, Martin Müller wrote:

Naughty boy, just hijacking someone else's thread. That is not done;
next time please write a new mail instead of replying to an existing one.

 The firewall works (almost) the way I want it to, but when I try to look at the
 current policy on the console, it is not listed. An
 
  iptables -L
 
 gives the following result:
 
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination
 
 Chain FORWARD (policy ACCEPT)
 target prot opt source   destination
 
 Chain OUTPUT (policy ACCEPT)
 target prot opt source   destination
 

You have not defined a firewall. Everything goes in, everything goes out... 

 An iptables -F has no effect either. The masquerading function still works.

Even if you use webmin, you should have some basic knowledge of how
iptables works. There is plenty of documentation on www.netfilter.org.
(You are looking at the wrong table above.)

Andreas

-- 
You will be awarded some great honor.


-- 
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail [EMAIL PROTECTED] (English)



Re: Iptables / Firewall / Webmin

2005-03-19 Thread Andreas Kretschmer
On 19.03.2005, at 11:53:39 +0100, Martin Müller wrote the following:
 Hello!
 
 I have a Sarge installation running here on which I am putting the rules
 together with the Webmin firewall module.

*gag*


 
 The firewall works (almost) the way I want it to, but when I try to look at the
 current policy on the console, it is not listed. An

Then it doesn't work the way you want it to.


 An iptables -F has no effect either. The masquerading function still works.
 
 Doesn't the Webmin firewall configuration go through iptables?

Yes it does, but what you are looking for is iptables-save to view the rules,
or iptables -L -n -t nat to display the NAT rules.

Or quite generally: man iptables.



Andreas
-- 
Andreas Kretschmer    (contact: see header)
Heynitz:  035242/47212,  D1: 0160/7141639
GnuPG-ID 0x3FFF606C http://wwwkeys.de.pgp.net
 ===Schollglas Unternehmensgruppe=== 





Re: iptables firewall and MSN messanger

2004-04-25 Thread ZgSTar



Hi, did you get it working? I'm still going crazy
about it.
Thanks a lot in advance and sorry for a private
mail.

Ziggy


Re: iptables firewall, help.

2004-03-02 Thread Roberto Sanchez
John Hedge wrote:
Brian,

You might like to take a look at www.shorewall.net. It helped me when I
was at a similar stage as it seems you may be.
I agree.  Shorewall has awesome documentation (like step-by-step)
for most common situations.
-Roberto




iptables firewall, help.

2004-03-01 Thread Brian Schmidt
I'm trying to make a good firewall/gateway iptables script. This is what 
I have so far, but I would love input and ideas, as well as some help 
with a few features.
Below is the script I've put together so far; hopefully this post could 
get a nice all-round firewall/gateway iptables script made for a home 
LAN, one that doesn't require too much knowledge to set up.
I'm hoping to get it working for a 2.6.3+ kernel with all iptables 
options enabled, without having to patch in any other stuff.

Features I'm looking for, that I would love help with:
* Send REJECT as default for non-opened ports rather than DROP.
* Logging mechanism for misc. attacks and portscans.
* Blocking of IP ranges
* Parsing of PeerGuardian file for easy blocking of IP ranges.
So far the script I've made (please correct any errors) supports:
* Opening ports with a simple FOR loop on a string (variable).
* Forwarding ports with a simple FOR loop on a string (variable).
* Denying IPs with a simple FOR loop on a string (variable).
Sincerely

Brian Schmidt

- Firewall-iptables.sh -
#!/bin/sh
# Executables
IPTABLES=/sbin/iptables

# LAN configuration
LAN_IP=10.0.0.1
LAN_IP_RANGE=10.0.0.0/24
LAN_BCAST_ADDRESS=10.0.0.255
LAN_IFACE=eth1

# Internet configuration
INET_IP=1.2.3.4
INET_IFACE=eth0

# WorkStation configuration
WS_IP=10.0.0.2
WS_MISC_RANGE=5200:5999

# Notebook configuration
NB_IP=10.0.0.3
NB_MISC_RANGE=6800:6999

# Various ports
PROFTPD_PASSIVE_RANGE=49900:5      # upper bound as it appears in the archived post
IRCD="6667:6669 7000"

# Ports to ACCEPT connections to from INET, syntax: "port port:range"
PORTS_ACCEPT="21 22 80 113 $WS_MISC_RANGE $NB_MISC_RANGE $PROFTPD_PASSIVE_RANGE"

# Ports to forward to LAN, syntax: "source_port>destination_ip,destination_port"
PORTS_FORWARD="$NB_MISC_RANGE>$NB_IP,$NB_MISC_RANGE $WS_MISC_RANGE>$WS_IP,$WS_MISC_RANGE"

# IP's to deny, both from LAN and INET, syntax: "10.0.0.5 192.168.10.32"
DENY_IPS=""

##  Don't edit anything below here unless you know what you are doing. ##
# Name of our custom block chain
BLOCKCHAIN=block

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Flush chains (a plain -F flushes every chain of the filter table)
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Check to see if our custom block chain exists; if not, create it
if ! $IPTABLES -L $BLOCKCHAIN -n > /dev/null 2>&1; then
    $IPTABLES -N $BLOCKCHAIN
fi

# Allow local traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic on established connections
$IPTABLES -A $BLOCKCHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections coming from the LAN
$IPTABLES -A $BLOCKCHAIN -m state --state NEW -i $LAN_IFACE -j ACCEPT

# Deny connections from AND to specific IP's (INPUT covers this host,
# FORWARD covers traffic routed to and from the LAN)
for i in $DENY_IPS; do
    $IPTABLES -A INPUT -s $i -j DROP
    $IPTABLES -A INPUT -d $i -j DROP
    $IPTABLES -A FORWARD -s $i -j DROP
    $IPTABLES -A FORWARD -d $i -j DROP
done

# Activate source NAT
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -j SNAT --to $INET_IP

# Log something. FIXME: Throttle how many log entries?
#$IPTABLES -A INPUT -p tcp -d $INET_IP --dport http -j ULOG --ulog-nlgroup 1

# Allow access to specific services from the Internet
for i in $PORTS_ACCEPT; do
    $IPTABLES -A INPUT -p tcp -d $INET_IP --dport $i -j ACCEPT
    $IPTABLES -A INPUT -p udp -d $INET_IP --dport $i -j ACCEPT
done

# Accept pings, but throttle them to max 10 packets per second, to avoid flooding.
$IPTABLES -A INPUT -p icmp -d $INET_IP --icmp-type 8 -m limit --limit 10/s -j ACCEPT

# Ignore invalid packets
$IPTABLES -t mangle -A PREROUTING -m state --state INVALID -j DROP

# Attach our custom block chain to INPUT and FORWARD chains
$IPTABLES -A INPUT -j $BLOCKCHAIN
$IPTABLES -A FORWARD -j $BLOCKCHAIN

# Optimize SSH for low delay and FTP for high throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Maximize-Throughput

# Forwards to machines on the LAN, entry syntax: source_port>destination_ip,destination_port
for i in $PORTS_FORWARD; do
    _SRC_PORT=`echo $i | awk -F '>' '{print $1}'`
    _DEST=`echo $i | awk -F '>' '{print $2}'`
    _DEST_IP=`echo $_DEST | awk -F ',' '{print $1}'`
    _DEST_PORT=`echo $_DEST | awk -F ',' '{print $2}' | sed 's/:/-/'`   # DNAT wants low-high
    $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
    $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
done
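An added example (not Brian's script and not code from the thread) for the "Blocking of IP ranges" and "Parsing of PeerGuardian file" items: it assumes the PeerGuardian p2p text format (`description:first_ip-last_ip`, `#` comments) and the `iprange` match Brian mentions in his earlier message, targets the script's `block` chain, and with IPTABLES=echo prints the rules so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example: turn a PeerGuardian p2p-format blocklist into "-m iprange" rules
# for the custom "block" chain. Dry-run by default (IPTABLES=echo prints the rules);
# set IPTABLES=/sbin/iptables and run as root to load them for real.
IPTABLES=${IPTABLES:-echo}
BLOCKCHAIN=${BLOCKCHAIN:-block}

# Constructed sample list (private and documentation ranges only, not a real blocklist).
SAMPLE_LIST='# constructed sample
Private test range:10.10.0.0-10.10.255.255
Documentation range:192.0.2.10-192.0.2.20
malformed line with no range
Single host:198.51.100.7-198.51.100.7'

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Emit a DROP rule for each direction of every well-formed range in list $1.
# Malformed lines are reported on stderr and skipped instead of aborting the load.
pg_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        range=${line##*:}            # text after the last ':' (descriptions may contain ':')
        first=${range%-*}
        last=${range#*-}
        if [ "$range" = "$first" ] || ! valid_ipv4 "$first" || ! valid_ipv4 "$last"; then
            echo "skipping malformed line: $line" >&2
            continue
        fi
        $IPTABLES -A "$BLOCKCHAIN" -m iprange --src-range "$first-$last" -j DROP
        $IPTABLES -A "$BLOCKCHAIN" -m iprange --dst-range "$first-$last" -j DROP
    done
}

pg_rules "$SAMPLE_LIST"
```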




Re: iptables firewall, help.

2004-03-01 Thread John Hedge
Brian,

You might like to take a look at www.shorewall.net. It helped me when I
was at a similar stage as it seems you may be.

Another idea is to join [EMAIL PROTECTED]

John






iptables firewall

2004-01-26 Thread Brian Schmidt
I'm trying to set up a proper firewall, and have a decent one set up so 
far..
A few things I'm missing though are the ability to allow/deny ipranges, 
so I have been looking around a bit, and saw that there was a module 
called iprange.
How do I install this with debian? Doesn't seem like there is an option 
to enable it when building a kernel, nor any deb package with it, and to 
be honest I'm quite a linux illiterate when it comes to patching 
something like iptables :(

Another thing with iptables I have been thinking of letting my firewall 
do, is to give a proper reply to connections on closed ports, rather 
than just dropping the connection.
Reason for this is that I run a few services for LAN only that I cannot 
simply bind to the LAN side. Also when people know my host is up and 
try to connect to a specific port, rather than having to time out 
their client would just get the standard (it's even in some RFC if I 
remember correctly) closed reply.

Hope someone is able to help on this one..

Sincerely

Brian Schmidt




Re: iptables firewall

2004-01-26 Thread Jerome BENOIT
Have you tried the `firehol' package available in testing?

hth,
Jerome






Re: iptables firewall

2004-01-26 Thread Adam Aube
On Monday 26 January 2004 10:11 am, Brian Schmidt wrote:
 Another thing with iptables I have been thinking of letting my firewall
 do, is to give a proper reply to connections on closed ports, rather
 than just dropping the connection.

Iptables comes with a REJECT target, used like this:

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

This will give the RFC-compliant closed port response for TCP and UDP.

If it gives an error and suggests you need to insmod, then support for 
REJECT is not enabled in your kernel.

Adam





Re: iptables firewall

2004-01-26 Thread Greg Folkert
A quick overview of the relevant Debian packages:
fwbuilder 1.1.1-0.1 Firewall administration tool GUI
fwbuilder-ipf 1.1.1-0.1 FreeBSD 4.4 ipf policy compiler
fwbuilder-ipt 1.1.1-0.1 Linux iptables policy compiler
fwbuilder-pf  1.1.1-0.1 OpenBSD pf policy compiler
libfwbuilder5 1.0.2-0.1 Firewall Builder API library
iptables  1.2.9-3   IP packet filter administration tools
kernel-image  2.4.24-1  Linux Kernel Image

FWBuilder == Very Nice, excellent, extended, workable Firewall Script
builder. Nice feature set, Nice wizard (that mostly works) gives you
something to start with... 

I'd be hard pressed to recommend anything else.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry




Re: iptables firewall

2004-01-26 Thread Brian Schmidt
Thanks for all the suggestions on firewalls, I will be looking at them, 
and that was exactly what I was looking for, thanks Adam :)

Sincerely

Brian Schmidt




iptables firewall question ?

2003-12-03 Thread David Selby
I have installed a simple firewall, personal home PC, dial up link, no 
ethernet. It consisted of ...

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
iptables -A INPUT -j block      # the archived copy reads "-J", which iptables does not accept
iptables -A FORWARD -j block
 using the /etc/init.d/iptables script.

In the kernel 2.4.19 I have ...

Y  Network dev support/Universal TUN/TAP device driver
   Enables user space I/F between kernel and iptables prog
Y  Networking options/Network packet filtering (replaces IP chains)
Y  For all the IP options that are needed
M  Networking options/IP netfilter config/IP tables support
M  For ALL the sub sections !!!
Y  Network device support/PPP BSD compress compression
Y  Network device support/PPP deflate compression
I now have cause for concern that this firewall may not be working.
I have discovered that /var/log/messages contains ...
Dec  3 18:44:08 debian kernel: 0: nvidia: loading NVIDIA Linux x86 
nvidia.o Kernel Modul
e  1.0-4349  Thu Mar 27 19:00:02 PST 2003
Dec  3 19:04:01 debian -- MARK --
Dec  3 19:24:01 debian -- MARK --
Dec  3 19:29:01 debian pppd[347]: pppd 2.4.1 started by ADT, uid 1003
Dec  3 19:29:01 debian pppd[347]: Using interface ppp0
Dec  3 19:29:01 debian pppd[347]: *kernel does not support PPP filtering*
Dec  3 19:29:01 debian pppd[347]: local  IP address 10.64.64.64
Dec  3 19:29:01 debian pppd[347]: remote IP address 10.112.112.112

Am I missing a kernel module? If so which one ?

Dave




RE: Setting up mail server behind iptables firewall

2003-08-14 Thread Daniel L. Miller
This is really getting frustrating - mainly because I don't really
understand what I'm doing.  Using a port scanner from an external
webserver, it shows that ports 25, 80, and 10025 are all closed.

What am I missing?

Here's the iptables dump from both my firewall and my internal server.

*** FIREWALL IPTABLES ***

 iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source           destination
    0     0 ACCEPT           all  --  lo   *    0.0.0.0/0        0.0.0.0/0
  903 84552 ACCEPT           all  --  eth0 *    192.168.69.0/24  0.0.0.0/0
    0     0 drop-and-log-it  all  --  eth1 *    192.168.69.0/24  0.0.0.0/0
    0     0 ACCEPT           all  --  eth1 *    0.0.0.0/0        67.106.235.126   state RELATED,ESTABLISHED
    0     0 ACCEPT           tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:25
    6   644 drop-and-log-it  all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source           destination
  619  290K ACCEPT           all  --  eth1 eth0 0.0.0.0/0        0.0.0.0/0        state RELATED,ESTABLISHED
  709 49179 ACCEPT           all  --  eth0 eth1 0.0.0.0/0        0.0.0.0/0
    0     0 ACCEPT           tcp  --  eth1 *    0.0.0.0/0        67.106.235.126   tcp dpt:25
    0     0 ACCEPT           tcp  --  eth1 *    0.0.0.0/0        67.106.235.126   tcp dpt:80
    0     0 ACCEPT           tcp  --  *    *    0.0.0.0/0        192.168.69.2     tcp dpt:25
    4   240 drop-and-log-it  all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source           destination
    0     0 ACCEPT           all  --  *    lo   0.0.0.0/0        0.0.0.0/0
    0     0 ACCEPT           all  --  *    eth0 67.106.235.126   192.168.69.0/24
  900  154K ACCEPT           all  --  *    eth0 192.168.69.0/24  192.168.69.0/24
    0     0 drop-and-log-it  all  --  *    eth1 0.0.0.0/0        192.168.69.0/24
    6   504 ACCEPT           all  --  *    eth1 67.106.235.126   0.0.0.0/0
    0     0 drop-and-log-it  all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain drop-and-log-it (5 references)
 pkts bytes target           prot opt in   out  source           destination
   10   884 REJECT           all  --  *    *    0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable

 iptables -n -v -t nat -L
Chain PREROUTING (policy ACCEPT 68 packets, 4258 bytes)
 pkts bytes target           prot opt in   out  source           destination
    2   120 DNAT             tcp  --  eth1 *    0.0.0.0/0        67.106.235.126   tcp dpt:25 to:192.168.0.2:25
    1    60 DNAT             tcp  --  eth1 *    0.0.0.0/0        67.106.235.126   tcp dpt:80 to:192.168.0.2:80
    1    60 DNAT             tcp  --  *    *    0.0.0.0/0        67.106.235.126   tcp dpt:10025 to:192.168.0.2:25

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source           destination
   49  2666 SNAT             all  --  *    eth1 0.0.0.0/0        0.0.0.0/0        to:67.106.235.126

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source           destination

*** INTERNAL SERVER IPTABLES ***

 iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source           destination
13961 2377K ACCEPT           all  --  lo   *    0.0.0.0/0        0.0.0.0/0
 1998  255K ACCEPT           all  --  eth0 *    192.168.0.0/24   0.0.0.0/0
    0     0 drop-and-log-it  all  --  eth1 *    192.168.0.0/24   0.0.0.0/0
 7474 2121K ACCEPT           all  --  eth1 *    0.0.0.0/0        192.168.69.2     state RELATED,ESTABLISHED
    0     0 ACCEPT           tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:25
    1    60 ACCEPT           tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:80
 2333  196K drop-and-log-it  all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source           destination
    0     0 ACCEPT           all  --  eth1 eth0 0.0.0.0/0        0.0.0.0/0        state RELATED,ESTABLISHED
    0     0 ACCEPT           all  --  eth0 eth1 0.0.0.0/0        0.0.0.0/0
    0     0 drop-and-log-it  all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source           destination
13961 2377K ACCEPT           all  --  *    lo   0.0.0.0/0        0.0.0.0/0
  116 11809 ACCEPT           all  --  *    eth0 192.168.69.2     192.168.0.0/24
 2318  709K ACCEPT           all  --  *    eth0 192.168.0.0/24   192.168.0.0/24
    0     0 drop-and-log-it  all  --  *    eth1 0.0.0.0/0        192.168.0.0/24
10229  840K ACCEPT           all  --  *    eth1 192.168.69.2     0.0.0.0/0
    0     0 
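An added example, not from the thread, that can be run against the dump above: the FORWARD chain is traversed after the nat PREROUTING DNAT, so it matches on the translated destination (192.168.0.2 here), while the FORWARD ACCEPT rules shown are for 67.106.235.126 and 192.168.69.2. The checker parses the two listings (samples constructed from the rules above with counters zeroed) and reports which DNAT targets have no FORWARD ACCEPT that could pass a new connection; FIXED_FORWARD_DUMP is a constructed chain that accepts the translated addresses, to show the check passing.

```shell
#!/bin/sh
# Added example: cross-check DNAT rules against the FORWARD chain. Input is
# "iptables -n -v -L" output with one rule per line. Samples below are constructed
# from the dump in the post above (packet and byte counters zeroed).
NAT_DUMP='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source     destination
    0     0 DNAT    tcp  --  eth1 *    0.0.0.0/0  67.106.235.126  tcp dpt:25 to:192.168.0.2:25
    0     0 DNAT    tcp  --  eth1 *    0.0.0.0/0  67.106.235.126  tcp dpt:80 to:192.168.0.2:80
    0     0 DNAT    tcp  --  *    *    0.0.0.0/0  67.106.235.126  tcp dpt:10025 to:192.168.0.2:25'

FORWARD_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in   out  source     destination
    0     0 ACCEPT           all  --  eth1 eth0 0.0.0.0/0  0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 ACCEPT           all  --  eth0 eth1 0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT           tcp  --  eth1 *    0.0.0.0/0  67.106.235.126  tcp dpt:25
    0     0 ACCEPT           tcp  --  eth1 *    0.0.0.0/0  67.106.235.126  tcp dpt:80
    0     0 ACCEPT           tcp  --  *    *    0.0.0.0/0  192.168.69.2    tcp dpt:25
    0     0 drop-and-log-it  all  --  *    *    0.0.0.0/0  0.0.0.0/0'

# Constructed FORWARD chain that accepts the post-DNAT destinations instead.
FIXED_FORWARD_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source     destination
    0     0 ACCEPT  all  --  eth1 eth0 0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 ACCEPT  tcp  --  *    eth0 0.0.0.0/0  192.168.0.2  tcp dpt:25
    0     0 ACCEPT  tcp  --  eth1 eth0 0.0.0.0/0  192.168.0.2  tcp dpt:80'

# check_dnat_reachability NAT_DUMP FORWARD_DUMP
# Prints one REACHABLE/UNREACHABLE line per DNAT rule. A target counts as reachable
# when some ACCEPT rule that is not a state RELATED,ESTABLISHED rule matches the
# DNAT rule's in-interface, protocol, translated address and translated port.
# Limitations: destinations are compared as exact address or 0.0.0.0/0 (no CIDR
# arithmetic), and rule order (an earlier DROP shadowing the ACCEPT) is ignored.
check_dnat_reachability() {
    {
        printf '%s\n' "$1" | sed 's/^/N /'
        printf '%s\n' "$2" | sed 's/^/F /'
    } | awk '
    $1 == "F" && $4 == "ACCEPT" {
        nfw++; fin[nfw] = $7; fprot[nfw] = $5; fdst[nfw] = $10; fdpt[nfw] = ""; fest[nfw] = 0
        for (i = 11; i <= NF; i++) {
            if ($i ~ /^dpt:/) fdpt[nfw] = substr($i, 5)
            if ($i ~ /ESTABLISHED/) fest[nfw] = 1   # state rule: never passes a NEW connection
        }
    }
    $1 == "N" && $4 == "DNAT" {
        ndn++; din[ndn] = $7; dprot[ndn] = $5; ddpt[ndn] = ""; dto[ndn] = ""
        for (i = 11; i <= NF; i++) {
            if ($i ~ /^dpt:/) ddpt[ndn] = substr($i, 5)
            if ($i ~ /^to:/)  dto[ndn] = substr($i, 4)
        }
    }
    END {
        for (d = 1; d <= ndn; d++) {
            n = split(dto[d], t, ":"); tip = t[1]; tport = (n > 1 ? t[2] : ddpt[d])
            ok = 0
            for (f = 1; f <= nfw; f++) {
                if (fest[f]) continue
                if (fin[f] != "*" && fin[f] != din[d]) continue
                if (fprot[f] != "all" && fprot[f] != dprot[d]) continue
                if (fdst[f] != "0.0.0.0/0" && fdst[f] != tip) continue
                if (fdpt[f] != "" && fdpt[f] != tport) continue
                ok = 1; break
            }
            printf "%s dpt:%s -> %s (in %s)\n", (ok ? "REACHABLE" : "UNREACHABLE"), ddpt[d], dto[d], din[d]
        }
    }'
}

check_dnat_reachability "$NAT_DUMP" "$FORWARD_DUMP"
```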

RE: Setting up mail server behind iptables firewall

2003-08-14 Thread Daniel L. Miller
  This is really getting frustrating - mainly because I don't really 
  understand what I'm doing.  Using a port scanner from an external 
  webserver, it shows that ports 25, 80, and 10025 are all closed.
  
  What am I missing?
  
  Here's the iptables dump from both my firewall and my 
 internal server.
  
  *** FIREWALL IPTABLES ***
  
   iptables -n -v -L
 
  Chain OUTPUT (policy DROP 0 packets, 0 bytes)
   pkts bytes target prot opt in out source
  destination 
  0 0 ACCEPT all  --  *  lo  0.0.0.0/0
  0.0.0.0/0  
  0 0 ACCEPT all  --  *  eth067.106.235.126
  192.168.69.0/24
 
 I _think_ the above rule is not necessary and maybe not 
 valid.. This is your internet ip address, is it not?  I 
 believe your intent here is to ACCEPT and pass email and 
 http?  I _believe_ you need to change the source to 0.0.0.0/0 
 - well, really - probably replace this line altogether and 
 substitute lines with source 0.0.0.0/0 and dports 25 and 80.  
 The source for a packet would be wherever it originated, and 
 not your email address.
Those output lines (and basically everything else that isn't port
specific) are from the IP-Masquerade HOWTO.  I'm not saying they're right
or wrong - but that's where I got 'em from.  I believe the intent is to
explicitly state what traffic is or is not acceptable to create a
minimal firewall.  So the output lines say that anything can go out on
eth1, and only packets intended for the 192.168.69.0 DMZ go on eth0.

That part has been working fine - unless it's interfering with my port
forwarding?  I still don't understand all the relationships of the
different chains - for example, what's the difference between prerouting
and forward, and if I have prerouting and forward enabled do I need to
have input or output enabled?

 From what I can gather, eth0 is your internal machine and 
 eth1 is your
 outside connection..
Correct.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Setting up mail server behind iptables firewall

2003-08-14 Thread David
On Thu, Aug 14, 2003 at 10:04:56AM -0700, Daniel L. Miller wrote:
 This is really getting frustrating - mainly because I don't really
 understand what I'm doing.  Using a port scanner from an external
 webserver, it shows that ports 25, 80, and 10025 are all closed.
 
 What am I missing?
 
 Here's the iptables dump from both my firewall and my internal server.
 
 *** FIREWALL IPTABLES ***
 
  iptables -n -v -L

 Chain OUTPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target prot opt in out source
 destination 
 0 0 ACCEPT all  --  *  lo  0.0.0.0/0
 0.0.0.0/0  
 0 0 ACCEPT all  --  *  eth067.106.235.126
 192.168.69.0/24

I _think_ the above rule is not necessary and maybe not valid.. This is
your internet ip address, is it not?  I believe your intent here is to
ACCEPT and pass email and http?  I _believe_ you need to change the source
to 0.0.0.0/0 - well, really - probably replace this line altogether and
substitute lines with source 0.0.0.0/0 and dports 25 and 80.  The source
for a packet would be wherever it originated, and not your email address.
From what I can gather, eth0 is your internal machine and eth1 is your
outside connection..

   900  154K ACCEPT all  --  *  eth0192.168.69.0/24
 192.168.69.0/24
 0 0 drop-and-log-it  all  --  *  eth10.0.0.0/0
 192.168.69.0/24
 6   504 ACCEPT all  --  *  eth167.106.235.126
 0.0.0.0/0  
 0 0 drop-and-log-it  all  --  *  *   0.0.0.0/0
 0.0.0.0/0  
 





Re: Setting up mail server behind iptables firewall

2003-08-14 Thread Michael West

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to
192.168.69.2:25

you mean --dport 25 don't you?





Setting up mail server behind iptables firewall

2003-08-14 Thread Daniel L. Miller
I'm sure this is covered SOMEWHERE - but I haven't found anything
obvious in the archives / howto's.

I currently have the following configuration:
  (please comment if you find this arrangement objectionable in itself!)

Internal LAN - 192.168.0.30 through 192.168.0.50
Dual-Homed Gateway (is that the right term?) - 
two NIC's - 192.168.0.1 and 192.168.69.2
Dual-Homed Firewall (again, whatcha call it?) - 
two NIC's - 192.168.69.1 and Internet Static IP

The gateway is set up with entries in the routing table and has
forwarding enabled.

I've setup iptables on the firewall with sourceNAT and a reject anything
from the outside that isn't the result of a connection.  Works fine.

(Actually, I've also had the same iptables script running on the gateway
server - probably overkill)

Postfix is running on the gateway server - works fine.

What do I need to set on the firewall/gateway to make my Postfix server
available to the internet?  I've tried:

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to
192.168.69.2:25

BTW - eth1 of the firewall (and gateway too) is the 
dangerous side (internet) - eth0 is the safe (internal).

And variations of the same - but no go.  What am I missing?

P.S.  How can I test this without an additional internet connection?  If
this is working, can I telnet from either the gateway or a LAN
workstation (assuming the gateway is forwarding for that workstation) to
the external static IP address and port?

Daniel


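The rule set Daniel is asking for, as an added example that is not part of the thread (it is neither Daniel's script nor the IP-Masquerade HOWTO's): a DNAT in nat/PREROUTING only rewrites the destination address; the rewritten packet then has to pass the filter FORWARD chain as a NEW connection from the outside interface to the inside, and a FORWARD chain that admits only RELATED,ESTABLISHED from eth1 to eth0 drops it there, so an external scanner still sees nothing. The interface names, the 192.168.69.2 target and the 192.168.0.0/16 inside range follow the layout in the post; the public address 203.0.113.10 (a documentation address), the dry runner and the apply argument are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): publish a TCP service that lives on a
# host behind a two-interface iptables firewall.
# Hypothetical values chosen to match the post: WAN side eth1, inside eth0,
# Postfix host 192.168.69.2, inside networks covered by 192.168.0.0/16
# (both the 192.168.69.0/24 segment and the 192.168.0.0/24 LAN behind the
# gateway).  EXT_IP is a placeholder; set it to the firewall's public address.
# Set IPT=dry to print the rules instead of loading them.
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth0}
INSIDE_NET=${INSIDE_NET:-192.168.0.0/16}
MAIL_HOST=${MAIL_HOST:-192.168.69.2}
EXT_IP=${EXT_IP:-203.0.113.10}

dry() { printf '%s\n' "$*"; }   # dry-run: prints one rule per line

# publish_tcp PORT
# The DNAT only changes the destination; the packet is then routed and hits
# the FORWARD chain as a NEW connection from the WAN to the inside, so a
# FORWARD chain that admits only RELATED,ESTABLISHED from eth1 to eth0 drops
# it.  Both rules are needed.  (-m state is the 2003-era match; the modern
# spelling is -m conntrack --ctstate.)
publish_tcp() {
  port=$1
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
    -j DNAT --to-destination "$MAIL_HOST:$port"
  $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$MAIL_HOST" --dport "$port" \
    -m state --state NEW -j ACCEPT
}

# hairpin_tcp PORT
# Lets an inside host test the published port via EXT_IP without a second
# internet connection.  Inside traffic arrives on eth0, so the WAN-only DNAT
# above never matches it; a second DNAT catches it, the FORWARD rule admits
# the eth0-to-eth0 hop, and the MASQUERADE forces the server's reply back
# through the firewall (otherwise the server answers the client directly from
# its private address and the client discards the unexpected reply).
hairpin_tcp() {
  port=$1
  $IPT -t nat -A PREROUTING -i "$DMZ_IF" -d "$EXT_IP" -p tcp --dport "$port" \
    -j DNAT --to-destination "$MAIL_HOST:$port"
  $IPT -A FORWARD -i "$DMZ_IF" -o "$DMZ_IF" -p tcp -d "$MAIL_HOST" --dport "$port" \
    -m state --state NEW -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$INSIDE_NET" -d "$MAIL_HOST" -p tcp --dport "$port" \
    -j MASQUERADE
}

# Usage: sh publish.sh apply           (loads the rules; needs root)
#        IPT=dry sh publish.sh apply   (prints what would be loaded)
if [ "${1:-}" = apply ]; then
  for p in 25 80; do
    publish_tcp "$p"
    hairpin_tcp "$p"
  done
fi
```

The hairpin pair answers the P.S.: after it, a LAN workstation can reach the service through the public address. The price is that, for those hairpinned connections only, the server sees the firewall's inside address instead of the client's (the mail log will show it). Connections that originate on the firewall box itself never traverse PREROUTING, so testing with telnet from the firewall would need a matching DNAT in nat/OUTPUT, which the example leaves out.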



Jay´s Iptables Firewall

2003-05-26 Thread Giacchetta, David
Would someone be so kind as to send me an address where I can download
this program
http://firewall-jay.sourceforge.net/download.php; from here I can't... 


David



Re: Jay´s Iptables Firewall

2003-05-26 Thread Rodolfo H . González
On Mon, 26 May 2003 11:52:17 -0300
Giacchetta, David [EMAIL PROTECTED] wrote:

Giacchetta,|Would someone be so kind as to send me an address where
I can download
Giacchetta,|this program
Giacchetta,|http://firewall-jay.sourceforge.net/download.php; from here
I can't... 
Giacchetta,|
Giacchetta,|
Giacchetta,|David


http://sourceforge.net/project/showfiles.php?group_id=67682&release_id=154358


The .deb, the .rpm and the .tar.gz are all around 75 kilobytes...
tiny.

I'll send it to you privately... if you can't get to it. Tell me which of
the 3 you want.
Good luck...
Rolfo.-


=  Rodolfo H. González - Pigüé (Bs.As.) ARG - Linux User #=  140699  =
=   !!! Linux, Karate, Rock'nBlues, and Ford... One heart only... !!!   =




RE: Jay´s Iptables Firewall

2003-05-26 Thread Giacchetta, David
Great...
Now I can download it.. Let's see how it works...

Thanks a lot.. Rodolfo

Giacchetta L. David
Information Technology
Soco-Ril S.A
Tel: 03489-438848 Ext:109 Fax: 03489-424602
Cel: 011-15-5639-9149
E-mail: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


-Original Message-
From: Rodolfo H.González [mailto:[EMAIL PROTECTED] 
Sent: Monday, 26 May 2003 05:41 p.m.
To: debian-user-spanish@lists.debian.org
Subject: Re: Jay´s Iptables Firewall


On Mon, 26 May 2003 11:52:17 -0300
Giacchetta, David [EMAIL PROTECTED] wrote:

Giacchetta,|Would someone be so kind as to send me an address where I
can download Giacchetta,|this program
Giacchetta,|http://firewall-jay.sourceforge.net/download.php; from here I
can't... 
Giacchetta,|
Giacchetta,|
Giacchetta,|David


http://sourceforge.net/project/showfiles.php?group_id=67682&release_id=154358


The .deb, the .rpm and the .tar.gz are all around 75 kilobytes...
tiny.

I'll send it to you privately... if you can't get to it. Tell me which of the 3 you want.
Good luck...
Rolfo.-


=  Rodolfo H. González - Pigüé (Bs.As.) ARG - Linux User #=  140699  =
=   !!! Linux, Karate, Rock'nBlues, and Ford... One heart only... !!!   =






iptables Firewall Script

2002-04-03 Thread Dieter Tremel

Hello debian-user-german,

  I am currently converting from SuSE 7.3 to debian/woody and it is
  real fun.
  One of the conveniences I miss is the SuSEfirewall2
  script, whose configuration I had almost mastered by the end.
  Since I just noticed that it is available on the net
  (http://www.suse.de/~marc/SuSEfirewall2-2.1.tar.gz) and usable,
  I wonder whether it also works under woody. Does anyone have
  experience with it? (By the way, the link shows V2.1 of 8 Dec 2001, while
  the relatively new SuSE 7.3 ships V1.7.)
  
  On our home server (AMD K6-II 300MHz), however, the script has proven
  to be a performance killer in ip-up at every connection setup.
  Is there a comparable alternative for all the people who don't
  know every RFC and the attack techniques of recent years
  by heart?
  
Many thanks
Dieter Tremel


--
To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl)




Re: iptables Firewall Script

2002-04-03 Thread Marcus Frings

Wednesday, April 3, 2002, 5:08:01 PM, Dieter Tremel wrote:
 
   Is there a comparable alternative for all the people who don't
   know every RFC and the attack techniques of recent years
   by heart?
  
For a quick start:
http://monmotha.mplug.org/firewall/index.php

Otherwise, nothing beats a script of your own which, being
self-written, you actually understand.

Regards,
Marcus
-- 
Fickle minds, pretentious attitudes
and ugly make-up on ugly faces...
The Goth Goose Of The Week: http://www.gothgoose.net






RE: iptables Firewall Script

2002-04-03 Thread Sebastian Wolfgarten

Hello Dieter,

the script should run under Debian as well;
some paths may still need adjusting.
Otherwise build one yourself, or have a
look at my script at www.wolfgarten.com,
it's quite okay too :-)

Regards
Sebastian







Iptables Firewall + HTTP

2002-02-06 Thread Alex Fernandes Rosa
Folks,

I have an internal network where the users need to use a proxy (squid) 
to access HTTP and FTP; it authenticates them and lets them through. Everything works 
normally, except that there are some sites that simply won't load at all 
when the firewall (iptables) is enabled. How can most sites 
load and others not, given that all of them connect on port 80 and none 
is blocked in my rules?

I have already combed through my firewall rules several times trying to find the possible 
problem, and nothing!

Does anyone have an idea of what might be happening?




Re: Iptables Firewall + HTTP

2002-02-06 Thread Henrique Pedroni Neto

 I have an internal network where the users need to use a proxy
(squid) to access HTTP and FTP; it authenticates them and lets them through. Everything
works normally, except that there are some sites that simply won't
load at all when the firewall (iptables) is enabled. How can most
sites load and others not, given that all of them connect on port 80
and none is blocked in my rules?

 I have already combed through my firewall rules several times trying to find the possible
problem, and nothing!

 Does anyone have an idea of what might be happening?


Squid itself, through its rules, can forbid access to sites.
Check whether there isn't one configured by default that can't be accessed.
The rule could look like this:

acl all src 0.0.0.0/0.0.0.0           - creates a chain called all whose
                                        value is any network
acl DeniedSites url_regex batepapo    - creates a chain called DeniedSites;
                                        in this case it forbids any URL that
                                        contains the word batepapo
http_access deny DeniedSites all      - forbids the sites in DeniedSites
                                        for all, which is the whole
                                        internal network

This makes other sites accessible, but not those that contain the word
batepapo in their URLs.

Hope this helps.

Henrique




Re: Iptables Firewall + HTTP

2002-02-06 Thread Alex Fernandes Rosa
Henrique,

Squid isn't blocking any site either. My analysis is that perhaps 
the web server tries to connect to some port on my server that 
is blocked. Is there any web server that does that?

On Wed, 6 Feb 2002 16:13:16 -0200
Henrique Pedroni Neto [EMAIL PROTECTED] wrote:

|
| I have an internal network where the users need to use a proxy
|(squid) to access HTTP and FTP; it authenticates them and lets them through. Everything
|works normally, except that there are some sites that simply won't
|load at all when the firewall (iptables) is enabled. How can most
|sites load and others not, given that all of them connect on port 80
|and none is blocked in my rules?
|
| I have already combed through my firewall rules several times trying to find the possible
|problem, and nothing!
|
| Does anyone have an idea of what might be happening?
|
|
|Squid itself, through its rules, can forbid access to sites.
|Check whether there isn't one configured by default that can't be accessed.
|The rule could look like this:
|
|acl all src 0.0.0.0/0.0.0.0           - creates a chain called all whose
|                                        value is any network
|acl DeniedSites url_regex batepapo    - creates a chain called DeniedSites;
|                                        in this case it forbids any URL that
|                                        contains the word batepapo
|http_access deny DeniedSites all      - forbids the sites in DeniedSites
|                                        for all, which is the whole
|                                        internal network
|
|This makes other sites accessible, but not those that contain the word
|batepapo in their URLs.
|
|Hope this helps.
|
|Henrique



Re: Iptables Firewall + HTTP

2002-02-06 Thread Alex Fernandes Rosa
https is working perfectly. And those sites don't use https.

I'm starting to think it could be a netfilter bug.

On Wed, 6 Feb 2002 16:16:21 -0200
Giuliano Cardozo Medalha [EMAIL PROTECTED] wrote:

|Sometimes you may be accessing secure sites
|
|In that case port 80 is no longer used
|
|It would be 443
|
|Giuliano
|
|
|On 6 Feb 2002, Alex Fernandes Rosa wrote:
|
|Folks,
|
|I have an internal network where the users need to use a proxy (squid)
|to access HTTP and FTP; it authenticates them and lets them through. Everything works
|normally, except that there are some sites that simply won't load at all
|when the firewall (iptables) is enabled. How can most
|sites load and others not, given that all of them connect on port 80 and
|none is blocked in my rules?
|
|I have already combed through my firewall rules several times trying to find the possible
|problem, and nothing!
|
|Does anyone have an idea of what might be happening?



Re: Iptables Firewall + HTTP

2002-02-06 Thread Henrique Pedroni Neto
 Henrique,

 Squid isn't blocking any site either. My analysis is that perhaps
the
 web server tries to connect to some port on my server that is
blocked. Is there any web server that does that?

In our firewall rules here at Anglo the basic principle used is to
close all ports and open the necessary ones. When we did that, some
sites wouldn't open precisely because they use certain ports that were closed,
such as 8080 (webcache): the site was www.algumacoisa.com:8080 and
it wouldn't load. I opened port 8080 and it started working. Check the ports
used by the sites you can't reach; use nmap or netstat -a to find
out; typing nmap ip.of.your.site shows which of your ports are
open.
If the site to be accessed is a secure site, the SSL port (443) has to
be open, otherwise it won't load.

Hope this helps.

Henrique
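The port check Henrique recommends, as an added example that is not from the thread: rather than scanning the remote site, have the default-deny egress rule log before it drops and read the destination ports out of the kernel log. The LOG prefix OUTDROP:, the interface eth1, the rule pair in the comment and the sample log lines are constructed for the example; the field names (DST=, PROTO=, DPT=) are the kernel LOG target's own format.

```shell
#!/bin/sh
# Added example (not from the thread): find out which destination ports a
# default-deny egress policy is silently eating, so that a site served on
# :8080 or :443 can be told apart from a real outage.
# Assumes the catch-all outbound rule on the proxy/firewall host logs before
# it drops, with a fixed prefix (hypothetical rule and prefix):
#   iptables -A OUTPUT -o eth1 -j LOG --log-prefix "OUTDROP: "
#   iptables -A OUTPUT -o eth1 -j DROP
# dropped_ports PREFIX   (log lines on stdin)
#   prints "COUNT PROTO DPT DST", most frequent first, for every logged drop
#   that carries a destination port; ICMP and other port-less entries are
#   skipped, as are lines that do not carry the prefix.
dropped_ports() {
  prefix=$1
  grep -F "$prefix" |
    sed -n 's/.*DST=\([^ ]*\).*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\2 \3 \1/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample in kernel LOG format (documentation-range addresses, not
# real traffic): two blocked attempts to a site on :8080, one to :443, one
# ICMP entry without a port, and one unrelated sshd line.
SAMPLE_LOG='Feb  6 16:13:16 proxy kernel: OUTDROP: IN= OUT=eth1 SRC=192.168.1.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40012 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  6 16:13:19 proxy kernel: OUTDROP: IN= OUT=eth1 SRC=192.168.1.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40013 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  6 16:14:02 proxy kernel: OUTDROP: IN= OUT=eth1 SRC=192.168.1.2 DST=198.51.100.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=40014 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  6 16:14:05 proxy kernel: OUTDROP: IN= OUT=eth1 SRC=192.168.1.2 DST=198.51.100.22 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb  6 16:14:09 proxy sshd[123]: Accepted publickey for admin from 192.168.1.9 port 50122 ssh2'

# report_sample: run the parser over the constructed sample.
# Expected:
#   2 TCP 8080 198.51.100.7
#   1 TCP 443 198.51.100.22
report_sample() {
  printf '%s\n' "$SAMPLE_LOG" | dropped_ports 'OUTDROP:'
}

# Real use: dropped_ports 'OUTDROP:' < /var/log/kern.log
report_sample
```

The counts make the missing port obvious (every retry of the browser or of Squid lands on the same DPT), which is the information a scan of the remote site gives only indirectly. Open the port with a rule placed before the LOG/DROP pair, and the line disappears from the report.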



iptables firewall and MSN messenger

2001-12-06 Thread Marek Cermak
Hello everybody
Is it possible to use MSN messenger's voice call over an iptables firewall?

I haven't found any module (something like ip_nat_ftp.o) for this purpose.

I use SNAT on a 2.4.x kernel, Debian/woody.

Thanks for your help.

Marek Cermak



Re: who has *arguably* the best iptables firewall script around here?

2001-08-29 Thread Wayne Topa

Subject: Re: who has *arguably* the best iptables firewall script 
around here?
Date: Tue, Aug 28, 2001 at 11:55:19PM +0200

In reply to:Cliff Sarginson

Quoting Cliff Sarginson([EMAIL PROTECTED]):
 On Tue, Aug 28, 2001 at 10:42:39PM +0200, thomas anderson wrote:
  Hello,
  
  If you think you do please tell us why and also kindly send me a copy too!
  :) 
  
 Well, mine seems ok, I do not run inetd when connected, which does
 not really lose me that much in practise. Nexus's only complaint
 about my setup is about lpd, and I do not know how to solve
 that yet.

Cliff
   This might be what you are looking for

$IPTABLES -A INPUT -i $IEXT -p tcp --dport 515 -j LOG --log-level NOTICE \
          --log-prefix "Printer-Attack-Rejected:"
$IPTABLES -A INPUT -i $IEXT -p tcp --dport 515 -j DROP
  ^^^ ppp0 in my case
-- 
Man is the best computer we can put aboard a spacecraft ... and the
only one that can be mass produced with unskilled labor.
-- Wernher von Braun
___



Re: who has *arguably* the best iptables firewall script around here?

2001-08-29 Thread Cliff Sarginson
On Wed, Aug 29, 2001 at 12:00:00AM -0400, Wayne Topa wrote:
 
   Subject: Re: who has *arguably* the best iptables firewall script 
 around here?
   Date: Tue, Aug 28, 2001 at 11:55:19PM +0200
 
 In reply to:Cliff Sarginson
 
 Quoting Cliff Sarginson([EMAIL PROTECTED]):
  On Tue, Aug 28, 2001 at 10:42:39PM +0200, thomas anderson wrote:
   Hello,
   
   If you think you do please tell us why and also kindly send me a copy too!
   :) 
   
  Well, mine seems ok, I do not run inetd when connected, which does
  not really lose me that much in practise. Nexus's only complaint
  about my setup is about lpd, and I do not know how to solve
  that yet.
 
 Cliff
This might be what you are looking for
 
 $IPTABLES -A INPUT -i $IEXT -p tcp --dport 515 -j LOG --log-level NOTICE \
           --log-prefix "Printer-Attack-Rejected:"
 $IPTABLES -A INPUT -i $IEXT -p tcp --dport 515 -j DROP
   ^^^ ppp0 in my case

Ah..an iptables expert..:)
I will try that.
I am hoping that iptables is the last incarnation of firewall syntax
in linux for a while, my learning capacity strains against my age.. lol
Cliff



Re: who has *arguably* the best iptables firewall script around here?

2001-08-29 Thread Wayne Topa
Cliff Sarginson([EMAIL PROTECTED]) is reported to have said:
  
  Cliff
 This might be what you are looking for
  
  $IPTABLES -A INPUT -i $IEXT -p tcp --dport 515 -j LOG --log-level NOTICE \
            --log-prefix "Printer-Attack-Rejected:"
  $IPTABLES -A INPUT -i $IEXT -p tcp --dport 515 -j DROP
^^^ ppp0 in my case
 
 Ah..an iptables expert..:)
 I will try that.
 I am hoping that iptables is the last incarnation of firewall syntax
 in linux for a while, my learning capacity strains against my age.. lol

Not an expert by any stretch.  Just an old man that tried to get the
dang thing to work, and finally did.
-- 
Real Programmers don't write in PL/I.  PL/I is for programmers who
can't decide whether to write in COBOL or FORTRAN.
___



who has *arguably* the best iptables firewall script around here?

2001-08-28 Thread thomas anderson
Hello,

If you think you do please tell us why and also kindly send me a copy too!
:) 

-- 
Sent through GMX FreeMail - http://www.gmx.net



Re: who has *arguably* the best iptables firewall script around here?

2001-08-28 Thread Cliff Sarginson
On Tue, Aug 28, 2001 at 10:42:39PM +0200, thomas anderson wrote:
 Hello,
 
 If you think you do please tell us why and also kindly send me a copy too!
 :) 
 
Well, mine seems ok, I do not run inetd when connected, which does
not really lose me that much in practise. Nexus's only complaint
about my setup is about lpd, and I do not know how to solve
that yet.
But i make no claims about it, it probably needs more testing
than I have had the time for.
I allow in SMTP and ssh.
Cliff



Re: who has *arguably* the best iptables firewall script around here?

2001-08-28 Thread Jason Healy
At 999056559s since epoch (08/28/01 16:42:39 -0400 UTC), thomas anderson wrote:
 
 If you think you do please tell us why

I do, for one good reason: I *understand* it.

Firewalls are one of those things where you really should have at least some
of an idea of how they work.  Who writes your firewall script doesn't really
matter if you have no idea how it actually works.

Each firewall script is unique and may serve different purposes. For
example, my script is designed for a machine that's sharing a cable modem
connection with other boxes on a private LAN (with bogus IP addresses).
That's useful for me.  However, it doesn't have a DMZ, and it doesn't
forward any ports to the internal machines.

I'm sure others will have other scripts that are good for other things
(single machines with no services; machines that run servers; permissive
firewalls that allow connections to the internal machines; etc).  Pick the
ones you like, study them well, and use them.

I personally read some good tutorials, borrowed a lot of stuff, and crafted
my own to fit my needs.  If you're interested in a
DHCP-cable-NAT-gateway-that-runs-services firewall script, drop me a line.

Jason

--
Jason Healy| [EMAIL PROTECTED]
LogN Systems   |   http://www.logn.net/



Re: iptables firewall help

2001-06-27 Thread Sebastiaan
Hello,

a couple of weeks ago I found this link on debian-firewall:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/adsl4linux/ADSL4Linux/ADSL4Linux/templates/firewall.iptables.devel?rev=HEAD&content-type=text/vnd.viewcvs-markup

It is a pretty good script. You have to set y or n for a list of services
you want to run. The rest of the script is very readable and the firewall
is pretty robust. It was originally designed for a Dutch ADSL line, but it
can easily be adapted to every kind of interface. And it handles dynamic
IPs. Put the script in /etc/ppp/ip-up.d (not sure about this); this
should start the script when dialed in.

Greetz,
Sebastiaan


On Tue, 26 Jun 2001, Matthew Garman wrote:

 
 I would like to upgrade my kernel from 2.2 to 2.4.  The main thing that
 concerns me is building a new iptables-based firewall (as opposed to
 ipchains).
 
 I was using the TrinityOS firewall for ipchains.  I read through it,
 somewhat, but basically accepted its security on blind faith.
 
 I figure that with the switch to 2.4 and iptables, now would be a good
 time to really learn how to write a good firewall script.
 
 So for starters, I'd like to have a good, secure, well-commented iptables
 firewall script that I could use and learn from.  Then I'd like to see
 some online documentation on firewall considerations.
 
 For the summer, I want a firewall that works with dynamic IP addresses so
 my dad and I can share a modem (standard, ultra-slow serial analog modem),
 running no services.
 
 Then, when I go back to school, I'll want to change the script so I can
 share a cablemodem with my roommates.  I'll also run a couple basic
 services at that time, such as a mailer, an SSH daemon, and probably
 Apache.
 
 If anyone can point me in the right direction to get started, I would be
 very appreciative :)
 
 Thanks!
 Matt
 
 -- 
 Matt Garman, [EMAIL PROTECTED]
 I'll tip my hat to the new constitution, Take a bow for the new revolution
  Smile and grin at the change all around, Pick up my guitar and play
  Just like yesterday, Then I'll get on my knees and pray...
 -- Pete Townshend/The Who, Won't Get Fooled Again
 
 
 



iptables firewall help

2001-06-26 Thread Matthew Garman

I would like to upgrade my kernel from 2.2 to 2.4.  The main thing that
concerns me is building a new iptables-based firewall (as opposed to
ipchains).

I was using the TrinityOS firewall for ipchains.  I read through it,
somewhat, but basically accepted its security on blind faith.

I figure that with the switch to 2.4 and iptables, now would be a good
time to really learn how to write a good firewall script.

So for starters, I'd like to have a good, secure, well-commented iptables
firewall script that I could use and learn from.  Then I'd like to see
some online documentation on firewall considerations.

For the summer, I want a firewall that works with dynamic IP addresses so
my dad and I can share a modem (standard, ultra-slow serial analog modem),
running no services.

Then, when I go back to school, I'll want to change the script so I can
share a cablemodem with my roommates.  I'll also run a couple basic
services at that time, such as a mailer, an SSH daemon, and probably
Apache.

If anyone can point me in the right direction to get started, I would be
very appreciative :)

Thanks!
Matt

-- 
Matt Garman, [EMAIL PROTECTED]
I'll tip my hat to the new constitution, Take a bow for the new revolution
 Smile and grin at the change all around, Pick up my guitar and play
 Just like yesterday, Then I'll get on my knees and pray...
-- Pete Townshend/The Who, Won't Get Fooled Again



Re: iptables firewall help

2001-06-26 Thread john
Matt,

I can't remember the exact URL, but somewhere in the IBM developer forums is a
really good tutorial on using iptables to create a firewall. It includes some
nice scripts, and is much clearer than Rusty's guides.

John P Foster
http://www.golden-orb.com


Matthew Garman wrote:

 I would like to upgrade my kernel from 2.2 to 2.4.  The main thing that
 concerns me is building a new iptables-based firewall (as opposed to
 ipchains).

 snip
 So for starters, I'd like to have a good, secure, well-commented iptables
 firewall script that I could use and learn from.  Then I'd like to see
 some online documentation on firewall considerations.
 snip
 If anyone can point me in the right direction to get started, I would be
 very appreciative :)

 Thanks!
 Matt

 --
 Matt Garman, [EMAIL PROTECTED]
 I'll tip my hat to the new constitution, Take a bow for the new revolution
  Smile and grin at the change all around, Pick up my guitar and play
  Just like yesterday, Then I'll get on my knees and pray...
 -- Pete Townshend/The Who, Won't Get Fooled Again
