masq through an eth alias
can I masquerade through eth0:1 ?

thanks,
petre
How accurate is iptables/netfilter Packet and byte counts??
Hi All,

*** First I'd like to apologise for polluting the list with discussion about outrageously excessive use of HTML in posts to this list. I'll think much more carefully about it in future, before posting. (ref thread: The posting of HTML format messages to this List) Also, I retract unconditionally the bit about 12 year old former WebTV users. Sorry Jesse Asher. ***

Now to the subject, quick question: If anyone has specific info about the accuracy of the byte counts that netfilter produces, for example, from the output of

iptables -xvn -L

I'd be very grateful. i.e. How accurate? Are these definitive counts, beyond doubt?

Thanks for reading, and I appreciate any information provided,

Cheers,
Michael
iptables : masq
Hi,

As I said earlier I am using Mdk Linux 8.2 with kernel 2.4.18. I am trying to shift from ipchains to iptables for the simple reason that I cannot connect to one particular ftp site where ip_masq_ftp was required in earlier versions of the kernel. Now this module is no longer available. So, I have to shift to iptables since connecting to that site is really imp. But I am having a problem. I read briefly the NAT and iptables HOWTOs and decided the rule,

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

My loaded modules by lsmod include,

ipt_MASQUERADE   1504   5 (autoclean)
iptable_mangle   2336   0 (autoclean) (unused)
iptable_nat     15988   1 (autoclean) [ipt_MASQUERADE]
ip_conntrack    15180   1 (autoclean) [ipt_MASQUERADE iptable_nat]
iptable_filter   1952   0 (autoclean)
ip_tables       11584   6 [ipt_MASQUERADE iptable_mangle iptable_nat iptable_filter]

But my problem is that in spite of giving the above command I have,

#iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

What is wrong now? Why isn't my rule listed? I even have 1 in /proc/sys/net/ipv4/ip_forward. Please do tell as early as possible or at least tell me how to get it working under ipchains.

Thanks a lot in advance and bye.
-Payal

p.s. I have some problems with my present email address, it would be great if you can cc the mail to payal99@cyberspace.org
Re: TCP delay, solved
Antony Stone [EMAIL PROTECTED] wrote:
> On Wednesday 12 June 2002 5:33 pm, Nathan Cassano wrote:
>> Well you learn something new every day. Today I learned inetd does ident checks on its clients.
>
> Yes, it's called tcpwrappers, and has been pretty standard on systems for I'd say about four years now :-)

That might not be true. Actually it depends on how the tcpwrappers are compiled. AFAIK the tcpwrappers are compiled with ident lookup by default but these are only done when you have a line like:

in.ftpd: [EMAIL PROTECTED]

in your hosts.access file. So in general the tcpwrappers do not do ident lookups.

>> This is annoying, is there a way you can turn this off inside inetd?
>
> Yes, it's the bit on each line of /etc/inetd.conf which says /usr/sbin/tcpd - it does an ident lookup and logs the access to syslog before handing the connection over to the real daemon. If you don't want this to happen then remove the /usr/sbin/tcpd from inetd.conf and just have the standard daemon listed there on its own.

This is very bad advice as the tcpwrappers are a standard security tool which shouldn't be disabled! And it won't help in the cases of telnet and ftp as they do their ident lookups themselves! The only way to go is to use iptables to reject those lookups.

Cheers,
Juri
--
Juri Haberland [EMAIL PROTECTED]
Re: iptables : masq
Use

#iptables -t nat -L

-Sathayn

----- Original Message -----
From: Payal [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 13, 2002 3:28 PM
Subject: iptables : masq
Netfilter and Linux bridge
I was wondering whether Netfilter can filter away packets handled by the Linux bridge. If the bridge forwards the packet to another port, the packet never goes through IP routing, so Netfilter should handle it inside the bridge.

Also, is it possible to apply rules to packets according to the protocol type in the Ethernet header (h_proto in struct ethhdr)? The man page says it is possible to apply rules according to source MAC, but says nothing about Ethernet protocol type.

Fabrizio Gennari
Philips Research Monza
via G.Casati 23, 20052 Monza (MI), Italy
tel. +39 039 2037816, fax +39 039 2037800
how to leave mangle table?
hi:

I try to set some rules in the mangle table. If rule 1 matches, rule 2 still seems to be checked. Can I leave the mangle table if rule 1 matches? e.g.: if rule 1 matches, then the rest of the rules are not checked, just like the filter table. Do I need to create a new chain to do this?

example:
rule1: iptables -t mangle -A PREROUTING -s 10.1.1.2 -j MARK --set-mark 1
rule2: iptables -t mangle -A PREROUTING -s 10.1.1.0/24 -j MARK --set-mark 2

Regards,
tbsky
Re: TCP delay, solved
On Thursday 13 June 2002 10:59 am, Juri Haberland wrote:

>>> This is annoying, is there a way you can turn this off inside inetd?
>>
>> Yes, it's the bit on each line of /etc/inetd.conf which says /usr/sbin/tcpd - it does an ident lookup and logs the access to syslog before handing the connection over to the real daemon. If you don't want this to happen then remove the /usr/sbin/tcpd from inetd.conf and just have the standard daemon listed there on its own.
>
> This is very bad advice as the tcpwrappers are a standard security tool which shouldn't be disabled!

I wasn't advocating this as good advice - I was simply answering the question "how do I do it". I don't regard eliminating tcpwrappers as a good idea, just for the record.

Mind you, I do also think that ident lookups are a bit of an anachronism which we could well do without in many situations these days, however I don't like having a firewall which automatically responds on port 113 to anyone who cares to probe it...

There's no satisfactory answer to this problem at present, I think.

Antony.
Re: migration to iptables
Hi

On Tuesday 11 June 2002 04:26, Payal wrote:
> Hi,
> Thanks for the mails.
>
> iptables -A POSTROUTING -o $EXT_IF -j MASQUERADE
> Warning: wierd character in interface `-j' (No aliases, :, ! or *).

Is it possible that EXT_IF is not set? This really looks like EXT_IF=. Try explicitly iptables -A POSTROUTING -o ppp0 -j MASQUERADE (or eth1 or whatever). But I think it should be iptables -t nat -A POSTROUTING -o . -j MASQUERADE. From info iptables:

   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain.

> Bad argument `MASQUERADE'
> Try `iptables -h' or 'iptables --help' for more information.
>
> Same problem.

Maybe you should have a look at man iptables.

> and this gave,
> iptables -A forward -j MASQUERADE
> iptables: No chain/target/match by that name

Correct. MASQUERADE is not valid there.

> My aim is very simple, I just wanted the equivalent command for
> ipchains -A forward -j MASQ
> in iptables.
> Thanks a lot in advance and eagerly waiting for the help.
> -Payal

greetings
Axel
splitting one network physically using linux box.
hi,

I have a *very* standard situation:

network: 10.1.1.97/27

small router                    10 PCs
---[ 10.1.1.97 / 27 ] ------- [ 10.1.1.98-108 ]

Now I want to create a firewall between the small router and the 10 PCs. The only problem is: nobody should change the configuration of the PCs. So the default gw still should be set to 10.1.1.97 on each PC. I did such a configuration:

--[ 10.1.1.97 / 27 ] --- eth0 [ linux box ] eth1 --- [ 10.1.1.98-108 ]

eth1 must have assigned IP 10.1.1.97 because I don't want to change the configuration of the PCs. eth0 can be set to one of the unused addresses from the 10.1.1.96 network (in my example 10.1.1.110). I have to set up the default gw for my linux box to 10.1.1.97. How to tell linux that it has to route packets through the external 10.1.1.97 rather than the local one? :)

I tried to do it in several ways:
1) ip ro add 10.1.1.97/32 dev eth0 - doesn't work because 10.1.1.97 exists in table local
2) ip ro del 10.1.1.97/32 table local - works fine for 1-2 minutes. After this short time the local table contains .97 again!

Any ideas how to solve this?

regards,
Daniel Rycaj
iptables, stateful checking using tcp sequence numbers
Hi All,

I hope somebody can assist me in finding information about this... Please consider the following argument:

Although the TCP sequence numbers may get sent to the log file (if logging is turned on for a rule), if it is not present in the state table (/proc/net/ip_conntrack), then it is not used to maintain state.

However, I cannot verify that Firewall-1 does this as well (although any good firewall should), and tests conducted on older versions of Firewall-1 indicate that it did not used to use sequence numbers as part of state verification (and may still not use them).

Can anybody PLEASE tell me:
1. if the sequence numbers are actually used in iptables to MAINTAIN the state of a connection, or if they are merely used to ESTABLISH connections, and thereafter ignored.
2. point me towards documentation confirming or denying this.

Thank you very much
Jacques Botha [EMAIL PROTECTED]
South Africa
is there Microsoft Messenger module which masq file transfers for netfilter?
Is there a Microsoft Messenger module which masqs file transfers for netfilter? Thanks a lot in advance! :)
Flag SYN not necessarily state NEW?
Good morning,

just wondering if the behavior I discovered yesterday on our iptables firewall is ok: I connect from Box A via SSH to Box B, where the firewall runs, and I get the state NEW on the first packet. Then - the first connection is still established - I connect AGAIN from Box A to Box B and do NOT get the state NEW anymore. (So obviously it's already accepted by the ESTABLISHED,RELATED -j ACCEPT rule.)

Is this behavior correct? Meaning that a (second, third, ...) connection to the firewall will never get the state NEW for the first packet when there IS already a connection to the same port, from the same host?

regards,
Chris
A question on netfilter behavior.
Hello,

I have a question on IPTables behavior in the following scenario. I have not subscribed to the netfilter list, so please CC me when answering.

First, I am using Linux kernel version 2.4.9, and IPTables v1.2. The scenario is the following: I have a private network, with 192.168.x.x addresses, and an ADSL connection to the outside. I have configured NAT like this:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       192.168.0.0/24
SNAT       all  --  192.168.0.0/24       0.0.0.0/0           to:10.131.80.34

Now, I am running a program which uses a TCP connection to a server. The TCP connection is from the private network to the Internet. Now, when I try to block this connection by denying all traffic from this machine's IP address to the outside world, the TCP connection is still there. I have put a DENY rule in both the INPUT chain and the PREROUTING chain.

Is this the way it should work? I think this could be a problem with normal firewall setups in some scenarios. If there is a malicious program connected from the inside network to the outside world, and the connection needs to be stopped at the firewall, this looks impossible with the current software.

Greetings,
- Tero Kilkanen
How to write filters for protocols over UDP/IP??
Hi,

I would like to know if we can write filters for protocols running over UDP/IP in netfilter. Any info in this regard will be useful.

thanks
amit.
ACCEPT ESTABLISHED doesn't work
Hi all,

I use the following rules (not only :-) in my fw script:

$IPTABLES -A INPUT -i $INTERNAL -m state --state INVALID -j DROP
$IPTABLES -A INPUT -i $INTERNAL -m state --state RELATED,ESTABLISHED -j ACCEPT

but when I try to connect to w98 using smbmount or smbclient it still drops returning packets. I think that they should be ESTABLISHED packets and should be accepted. Can you help me to find where the problem is?

Relevant syslog message:

May 9 13:22:02 fw kernel: Rule21:IN=eth0 OUT= MAC=00:02:1b:f1:50:26:00:50:fc:50:24:6c:08:00 SRC=192.168.1.72 DST=192.168.1.2 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=39856 PROTO=UDP SPT=137 DPT=32784 LEN=70

where 192.168.1.2 is the linuxbox from where I am trying to connect to the w98 computer with ip 192.168.1.72, and Rule21 is the last rule in the INPUT table:

$IPTABLES -A INPUT -j LOG --log-prefix=Rule21:

Default policy of the INPUT table is DROP. I am using Debian woody with 2.4.18 kernel and iptables v1.2.5

ucar
simple nat dilemma
Hello everyone,

Let me preface this by saying that I am seriously disappointed by my failure to figure out what I'm doing wrong here, and any admonitions I receive from ramin for being an idiot will be appreciated.

I've been using ipchains for over a year for simple packet filtering and am now setting up a simple nat gateway with iptables, but can't get it to work. I'm trying to get the nat machine (bulgakov) to make zamyatin look and feel like 207.224.76.204 for all external activity, inbound and outbound. Eventually I'll be trying to make olesha look and feel like 207.224.76.202, but one step at a time.

It's the classic setup:

bulgakov
  eth0: 207.224.76.201
  eth1: 10.1.1.1
zamyatin
  eth0: 10.1.1.107

I've got a 1 in /proc/sys/net/ipv4/ip_forward

As an aside, when I set up

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

everything works great, for what it's worth (obviously not useful for inbound connections). I am able to connect to the outside world and do whatever I want (ping, traceroute, ftp, www, whatever) and it looks like the connection is coming from 207.224.76.201. Of course, that's not what I'm trying to do so I flush the chain, follow trusty rusty, and add the following:

# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.107 -j SNAT --to-source 207.224.76.204

No dice. I think the packets must be getting nat'd on the way out, but the return packets aren't getting sent to the right place, so I add:

# iptables -t nat -A PREROUTING -d 207.224.76.204 -j DNAT --to-destination 10.1.1.107

Still nothing. I think maybe I need some explicit action on my FORWARD chain, so I add:

# iptables -t filter -A FORWARD -s 10.1.1.107 -j ACCEPT

and

# iptables -t filter -A FORWARD -d 207.224.76.204 -j ACCEPT

Alas, still no love. So, a plea for help to those more fluent. I know I must be missing something obvious.

Thanks!
patrick
Re: Security Advisory
On Wed, 8 May 2002 16:07:05 +0200 Harald Welte [EMAIL PROTECTED] wrote:

> Hi!
>
> Unfortunately there is a very unpopular announcement to be made on this
>
> Workarounds
> ===
>
> Filter out untracked local packets:
>
> iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

If I have default policy DROP for the OUTPUT chain am I ok, right?

Regards,
Pavlos
--
~~ I love having the feeling of being in control while I have the sensation of speed
The surfer of life ~~
Re[1] about ip fragmentation
> I use the DOS ping command. The -l option allows to specify the length of the icmp packets.
>
> iptables -A FORWARD ! -f -p icmp -j DROP
>
> should only drop the first fragment or the unfragmented packets
>
> Greg

I can confirm your finding.

iptables -A FORWARD -f -p icmp -j DROP

does not drop the second and further fragments of fragmented icmp packets. However,

iptables -A FORWARD ! -f -p icmp -j DROP

does work as predicted. Can someone shed some light on this behavior?

Ramin

PS. I don't know which ping implementation you're using but on my machine -l means "ping sends that many packets as fast as possible before ..." and -s specifies the number of data bytes to be sent.

On Thu, May 09, 2002 at 08:51:21AM +, gregory gilbert wrote:
> Hi
>
> I am a new user of iptables and I already have a problem: I have to configure a firewall with iptables commands. I have this first very simple rule:
>
> iptables -A FORWARD -f -p icmp -j DROP
>
> I think this rule should drop any 2nd, or 3rd and so on ... fragment of a ping command. But if I ping a computer and the icmp packet goes through my firewall, I can see some fragments after the firewall (I use tcpdump). It seems this rule is not applied. The fragmented packets are before and after my linux firewall.
>
> So I have a question: is there any ip defragmentation before the rules of the iptables are applied by the firewall? I mean, I wonder if some fragments are received by iptables, or if the defragmentation occurs before (it would be strange: the -f or ! -f flags exist ... so the defragmentation should occur after the iptables rules application). Or is there a mistake in my command? Or did I misunderstand something with iptables?
>
> In fact, if I just add the following command:
>
> iptables -A FORWARD -p icmp -j DROP
>
> all the packets are dropped (the first fragment, the second and so on ...). But if I just want to drop the 2nd, the 3rd ... fragments, I don't know which iptables rule to add.
>
> To ensure I have fragments, I ping this way: ping -l 2000 x.x.x.x and I can see the fragments with tcpdump.
>
> I really can't understand why my firewall does not behave the way I predicted. So could you help me?
>
> Greg
a discussion starter i hope.
I have been using iptables-netfilter for a while and wish to clarify in my mind for once how to do the following.

Scenario: An iptables firewall has 2 interfaces, which are a public and a private interface, for simplicity's sake. Behind the firewall a service runs which needs to be visible to the world at large; in this case let's start with an easy one, http, on port 80. No problems so far :)

Now behind the firewall are 2 separate servers, each running a web service and each running on port 80.

1) The question is, with only 1 real world address available to you, what suggestions do you guys have as to the configuration required to make both web servers available on the Internet? So that incoming port 80 requests on the firewall public interface go to the correct server.

2) The same as scenario 1) except you have 2 addresses available but only one external NIC.

3) Same as 2) except you have 2 NICs.

The reason for this is that I wish to understand if there is a path to this result. I realise there are probably many ways to skin this cat, and I have tried a few of them; some of you may already be doing this, but in my experience there seem to be a lot of pitfalls and consequently the issues I have faced seem to suggest the following: Some think it's possible, some don't, some wish it was possible, many just say this way, others suggest that way, many just give up.

All in all I would like to take this to the logical conclusion of getting it working in multiple scenarios securely and effectively.

yours
a.r.b.
H323 patch, 2.4.18 problem - read error: Is a directory
I am having trouble applying the H323 patch to the 2.4.18 kernel source. Is the H323 built into any development kernels at www.kernel.org?

I used the following process: [starting with working 2.4.18 kernel]

/usr/src
  freeswan-snap2002may7d -> /usr/local/src/freeswan-snap2002may7d/
  linux -> /usr/local/src/linux
  netfilter -> /usr/local/src/netfilter/

cd /usr/src
cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login
cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot co netfilter
cd netfilter/userspace/patch-o-matic
export KERNEL_DIR=/usr/src/linux
./runme
./runme newnat

Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
---
Testing... Need directory and patch.
The newnat/newnat newnat patch:
- Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?] t
Testing patch newnat...
patch: read error : Is a directory
Failed to patch copy of /usr/src/linux
- Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]

Any input would be appreciated. If someone has a patched 2.4.18 kernel in source, that would also be helpful (but the real solution would be better).

Best regards,
-=[ Wylie Swanson .:[ DataMaersk, Inc.
IP TABELS problems!
Hi

I use this script http://www.linuxguruz.org/iptables/scripts/rc.firewall_023.txt for my box as a firewall/router for my windows computer. And I have problems with MIRC/IRC. I tried all the options in the local info in the mirc options with no results. If I choose Lookup method Normal I can DCC CHAT/SEND to people inside my LAN but not with those outside! If I choose Lookup method Server I can DCC CHAT/SEND to people outside the LAN but not inside! I tried to add and remove the ip_nat_irc and ip_conntrack_irc with no better results! Anyone who might be able to help me and tell what's wrong?? I have set MIRC to use ports 1400-1500 for DCC.

Thanks in advance ...
Question!
Dear Rusty Russell,

I'm sorry. I don't speak English. I do not understand. I want you to expatiate to me on the following sentence.

(which would leave all but the hardiest souls confused, paranoid and seeking heavy weaponry)

The source of the above sentence is 1. Introduction of the Linux 2.4 Packet Filtering HOWTO. Now, I am translating the Linux 2.4 Packet Filtering HOWTO.
[Announcement]: IP Traffic Accounting with NetFilter + ULOG
Hi All,

I've sat down and written up some Traffic Accounting Software for some of my clients. I felt that it might be of some interest to those on this list. Here is an excerpt from my README file:

ulogd_ACCOUNT

---
1. What is it?
---

As part of my UAS software suite (Users Aren't Stupid), I have a Traffic Accounting module for use with Harald Welte's ulog netfilter target. (http://www.gnumonks.org/cgi-bin/cvsweb.cgi/ulog). I've been looking for a decent 2.4 Kernel traffic accounting module for a while and gave up and wrote my own.

This module has one fairly interesting feature. Most networks that I administrate are generally quite dynamic. That is, all the workstations on it are assigned their network details and IP Address via DHCP. As some of my clients wished to have accounting down to the workstation detail, I've made this particular module use a mixture of the IP and MAC. This means that if a workstation gets a new IP, it will still have traffic statistics applied correctly to it. If more than one IP has the same MAC, as when they are behind a router, then accounting will still work, but will only give totals for all addresses. This means I'm trusting the MAC rather than the IP, and I am using two tables, one to store MACs and one to store IPs, with a relationship of one MAC to many IPs.

NOTE: Both a MAC and IP _can_ be forged, but this is a topic for another discussion.

A quick description of HOW this module achieves this is as follows:

1. On each packet, determine if it is 'outgoing' or 'incoming'. (We're assuming that this is running on a router which the packets pass through). We can then determine whether to use the source IP (on outgoing packets) or destination IP (on incoming packets).

2. We then try to work out a MAC address, as follows:
   a) We check if we already have a cached entry that links the IP to a MAC; if so, we use it.
   b) Else if traffic is outgoing, then we will also have the source MAC address given to us. We cache the MAC and link this IP to it.
   c) Else if traffic is incoming then we store the traffic in a temp variable linked to the IP, and return. A future 'answer' will link this, and will also transfer the temp traffic counter to the MAC.

3. A few sanity checks are performed. i.e.:
   a) If traffic is outgoing, check that the MAC currently linked to the IP is correct. If not, fix up.

4. Traffic counters for the MAC are updated, and the cache times are touched to the current time.

Some notes:

* When a MAC cache expires, it is written to the log file, in the format:
  TIMESTAMP MACADDRESS TOTALTRAFFICFROM TOTALTRAFFICTO
* When a SIGHUP is caught, all MAC stats are written to the log file and the tables cleared.
* All memory allocation is cached so that performance is at optimum. Some sort of cleanup of the cached mallocs is probably useful to prevent Denial of Service.
* Written for performance, so not much double-checking is done.
* It would be fairly simple to write a web front-end that parses the file and links MAC to machine names.

---
2. How do I Compile it?
---

I've probably done things the wrong way, but I've copied the needed files from ulogd and included them with this. A future change may be to make a configuration script that determines the directory of a ulogd source and uses it.

To compile this, it should be as simple as doing the following:

1. Uncompress archive to some directory.
2. Compile it. Should be as simple as going 'make' in the directory. The makefile will install it in /usr/lib/ulogd
3. Edit /etc/ulogd.conf. There's an example in the example directory to get you started, but here's an example of a section:

   # Where to write the logfile
   dumpfile /var/log/ipacc/ipaccount.log
   # What is the external interface? (IE, gateway Interface)
   extif eth0
   # Enable Plugin
   plugin /usr/lib/ulogd/ulogd_ACCOUNT.so

4. In your forward chain, just jump to ULOG. For example, I have:

   iptables -A FORWARD -j ULOG --ulog-nlgroup 1 --ulog-cprange 20 \
       --ulog-qthreshold 50

5. Start ulogd.
6. Set up a cronjob to send a HUP to ulogd every day or every hour. That way you can have fairly recent statistics.

NOTE: I use a /var/log/ipacc directory so that the directory can be given a group write permission. This way a statistics parsing engine (ie: http://www.worldguard.com.au/projects/ipacc) can read and write securely to the directory.

---
3. TO DO
---

Probably
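The four-step IP-to-MAC accounting procedure described in the README above, modelled in Python as an added example (this is not the ulogd_ACCOUNT module's own C code; the external interface name, packet fields and the sample trace are constructed for illustration):

```python
"""Model of the IP/MAC traffic-accounting logic from the ulogd_ACCOUNT README.
Added example, not the module's own code; packet fields and trace are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EXTIF = "eth0"  # assumed external (gateway) interface, as in the ulogd.conf sample


@dataclass
class MacEntry:
    """Per-MAC counters: bytes sent by this MAC and bytes sent to it."""
    mac: str
    traffic_from: int = 0
    traffic_to: int = 0
    last_seen: float = 0.0


@dataclass
class Accounting:
    macs: Dict[str, MacEntry] = field(default_factory=dict)  # MAC table
    ip_to_mac: Dict[str, str] = field(default_factory=dict)  # IP table: many IPs -> one MAC
    pending: Dict[str, int] = field(default_factory=dict)    # inbound bytes for unlinked IPs
    log: List[str] = field(default_factory=list)             # TIMESTAMP MAC FROM TO lines

    def account(self, now: float, out_dev: str, src_ip: str, dst_ip: str,
                src_mac: str, length: int) -> None:
        # Step 1: direction. Leaving via the external interface means outgoing, so
        # the local host is the source; otherwise the local host is the destination.
        outgoing = out_dev == EXTIF
        ip = src_ip if outgoing else dst_ip
        # Step 2a: use the cached IP -> MAC link, if any.
        mac = self.ip_to_mac.get(ip)
        if outgoing:
            # Step 2b and sanity check 3a: outgoing packets carry the sender's MAC.
            # Cache it on first sight, and fix up the link if the cache disagrees.
            if mac != src_mac:
                self.ip_to_mac[ip] = src_mac
                mac = src_mac
            entry = self.macs.setdefault(mac, MacEntry(mac))
            entry.traffic_from += length
            # Inbound bytes parked before the link existed move to the MAC (step 2c).
            entry.traffic_to += self.pending.pop(ip, 0)
        else:
            if mac is None:
                # Step 2c: incoming for an unlinked IP; park the bytes and return.
                self.pending[ip] = self.pending.get(ip, 0) + length
                return
            entry = self.macs[mac]
            entry.traffic_to += length
        # Step 4: touch the cache time.
        entry.last_seen = now

    def expire(self, now: float, ttl: float) -> None:
        """Log and drop MAC entries idle longer than ttl, together with their IP links."""
        for mac in [m for m, e in self.macs.items() if now - e.last_seen > ttl]:
            e = self.macs.pop(mac)
            self.log.append(f"{int(now)} {mac} {e.traffic_from} {e.traffic_to}")
            for ip in [i for i, m in self.ip_to_mac.items() if m == mac]:
                del self.ip_to_mac[ip]

    def flush(self, now: float) -> None:
        """SIGHUP behaviour: write every MAC to the log and clear the tables."""
        self.expire(now, ttl=-1.0)  # a negative ttl makes every entry stale
        self.pending.clear()


def run_sample() -> Tuple[Dict[str, Tuple[int, int]], List[str], Dict[str, str]]:
    """Constructed trace: one DHCP client sends, gets a reply, receives traffic on a
    new IP before it has sent from it, then sends from that IP; then a HUP flush."""
    acc = Accounting()
    host = "00:11:22:33:44:55"
    acc.account(1.0, EXTIF, "10.0.0.5", "203.0.113.9", host, 100)                  # out from .5
    acc.account(2.0, "eth1", "203.0.113.9", "10.0.0.5", "00:aa:bb:cc:dd:ee", 400)  # reply to .5
    acc.account(3.0, "eth1", "203.0.113.9", "10.0.0.7", "00:aa:bb:cc:dd:ee", 50)   # inbound to unlinked .7
    acc.account(4.0, EXTIF, "10.0.0.7", "203.0.113.9", host, 30)                   # same MAC, new IP .7
    totals = {m: (e.traffic_from, e.traffic_to) for m, e in acc.macs.items()}
    acc.flush(5.0)
    return totals, acc.log, acc.ip_to_mac
```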
[Announcement]: Web Statistics Frontend for ulacc
Hi All,

I've sat down and written up some Traffic Accounting Software for some of my clients. This part of it is the Web Front End that they see. I thought this would be of interest to some of you.

If you prefer to see a working (sane chrooted) example, click through to: http://www.worldguard.com.au/cgi-bin/ipacc

Here is an excerpt from my README file:

ipacc

--- 1. What is it? ---

This piece of software has been designed to run with my Traffic Account Module written for ULOGd. Therefore I shall start off by giving a quote from its documentation:

  As part of my UAS software suite (Users Aren't Stupid), I have a Traffic Accounting module for use with Harald Welte's ulog netfilter target (http://www.gnumonks.org/cgi-bin/cvsweb.cgi/ulog). I've been looking for a decent 2.4 Kernel traffic accounting module for a while and gave up and wrote my own.

  This module has one fairly interesting feature. Most networks that I administrate are generally quite dynamic. That is, all the workstations on it are assigned their network details and IP Address via DHCP. As some of my clients wished to have accounting down to the workstation detail, I've made this particular module use a mixture of the IP and MAC. This means that if a workstation gets a new IP, it will still have traffic statistics applied correctly to it. If more than one IP has the same MAC, as when they are behind a router, then accounting will still work, but will only give totals for all addresses. This means I'm trusting the MAC rather than the IP, and I am using two tables, one to store MACs and one to store IPs, with a relationship of one MAC to many IPs.

  NOTE: Both a MAC and IP _can_ be forged, but this is a topic for another discussion.

  --8< Snip of Documentation on how it does this >8---

  * It would be fairly simple to write a web front-end that parses the file and links MAC to machine names.

ipacc is essentially the 'web front-end' that parses in the logfile and gives a user friendly report. There's not terribly much more to comment on it, apart from the fact that it's taken hours of work and I'm very pleased to FINALLY finish it.

--- 2. How do I Compile it? ---

Hopefully this is fairly simple. I'll just give some step-by-step instructions:

1. Uncompress archive to some directory.
2. Copy examples/ipacc.conf to /etc, and modify it.
3. Ensure ipaccount.log exists. Touch it if not. Did I mention that you should also have already set up my ulogd_ACCOUNT module?
4. Create a new group 'ipacc' and add the user the webserver runs under to it. On my system I added the following entry to my /etc/group:
       ipacc:x:22:httpd
5. Set relevant modes on the config file and logfile dir. On mine I went:
       chown root.root /etc/ipacc.conf
       chmod u=rw,g=r,o=r /etc/ipacc.conf
       chown root.ipacc /var/log/ipacc
       chmod u=rwx,g=rx,o= /var/log/ipacc
       chown root.root /var/log/ipacc/*
       chmod 644 /var/log/ipacc/*
6. Compile it. Should be as simple as going 'make' in the directory.
7. Copy the binary 'ipacc' to your cgi-bin directory. On my system it was /usr/shared/httpd/cgi-bin, and make sure the webserver has perms to run it. ie:
       install -o root -g ipacc -m 750 ipacc /usr/shared/httpd/cgi-bin
8. Copy the icons directory to your webserver icons directory, or set up your web server such that http://localhost/icons/ipacc/blah.jpg will read the picture. Make sure permissions are correctly set.

Done!

--- 3. ipacc.conf ---

The config file is fairly simple (I hope). It is based around having groups of options. For instance, if a company has 20 computers, and those 20 computers belong to 3 departments, it would make sense to create three groups, and stick the relevant computers into their relevant group. That way each department can pay for their internet usage.

There is also one 'special' group called 'GLOBAL'. This simply holds a few global variables for use in configuring the software. It can also hold 'default' values for some variables.

A typical options file will look like:

    group GLOBAL {
        # Comment - Global Options set here
    }

    group RD {
        # Custom group called RD
        host 00:43:21:59:22:0d "Hawk Eye"
        host 00:43:21:59:0d:16 "Eagle Eye"
    }

    group OTHER {
        # I like to put unknowns in their own group
        accept_unknown 1
    }

A list of all the current variables is as follows. A [G] means it can be set in the GLOBAL group. A [C] means it can be set in a custom group.
Trying to load balance a port redirection
Hi,

I'm trying to do a basic port redirect load balancing, here is what I tried:

    while true; do echo serv1 | nc -l -p 4001; done
    while true; do echo serv2 | nc -l -p 4002; done

    iptables -t nat -F PREROUTING
    iptables -t nat -I PREROUTING -p tcp --destination-port 1234 -j REDIRECT --to 4001-4002

But it doesn't work, I always get redirected to serv1. Note that it doesn't seem to work with DNAT --to my_extern_ip:4001-4002 either. May someone help me please?

-- Maxime
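An added example, not part of Maxime's post or the netfilter code: a user-space model of how the 2.4 NAT code fills a DNAT/REDIRECT port range, as I read tcp_unique_tuple() in ip_nat_proto_tcp.c. It walks the range from its lowest port and takes the first port whose reply tuple is not already held by a tracked connection. The range is therefore a collision-avoidance pool, not a balancer, which is why every fresh client lands on 4001. The client list and the address 203.0.113.1 (standing in for the firewall's own address that REDIRECT rewrites the destination to) are constructed for the example; the round_robin() function is only there to contrast what a balancer would produce.

```python
"""
Model of first-free-port selection from a NAT port range (2.4 netfilter
behaviour as read from tcp_unique_tuple), next to a round-robin chooser.
Constructed data only; nothing here talks to the kernel.
"""
from typing import List, Set, Tuple

Tuple4 = Tuple[str, int, str, int]   # (src_ip, sport, dst_ip, dport)


class NatTable:
    """Just enough of conntrack to answer 'is this reply tuple in use?'."""

    def __init__(self) -> None:
        self.reply_tuples: Set[Tuple4] = set()

    def unique_port(self, src: str, sport: int, new_dst: str,
                    lo: int, hi: int) -> int:
        """Lowest port in [lo, hi] whose reply tuple (server -> client)
        is not already owned by a tracked connection."""
        for port in range(lo, hi + 1):
            reply = (new_dst, port, src, sport)
            if reply not in self.reply_tuples:
                self.reply_tuples.add(reply)
                return port
        raise RuntimeError(f"no free port in {lo}-{hi} for {src}:{sport}")


def redirect_range(clients: List[Tuple[str, int]], lo: int = 4001,
                   hi: int = 4002, box_ip: str = "203.0.113.1") -> List[int]:
    """Port each new connection is redirected to under the first-free policy.
    Distinct clients never collide, so they all get `lo`."""
    table = NatTable()
    return [table.unique_port(ip, sport, box_ip, lo, hi) for ip, sport in clients]


def round_robin(clients: List[Tuple[str, int]], lo: int = 4001,
                hi: int = 4002) -> List[int]:
    """What the poster expected: alternate through the range per connection."""
    width = hi - lo + 1
    return [lo + i % width for i in range(len(clients))]


# Constructed: three different clients, then the first client again with the
# same source port (a second connection whose reply tuple would collide).
CLIENTS = [("192.0.2.10", 40000), ("192.0.2.11", 40000),
           ("192.0.2.12", 51234), ("192.0.2.10", 40000)]

if __name__ == "__main__":
    print("first-free:", redirect_range(CLIENTS))   # [4001, 4001, 4001, 4002]
    print("round-robin:", round_robin(CLIENTS))     # [4001, 4002, 4001, 4002]
```

The fourth entry is the only one that reaches 4002, and only because its reply tuple already exists; with a two-port range a third such collision exhausts the pool and the model raises, just as the kernel would fail to find a unique tuple.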
[Announcement]: IP Traffic Acocunting with NetFilter + ULOG
[To Moderator if Any]: My apologies on last emails. They had a typo in the return address. Resent with correct address.

Hi All,

I've sat down and written up some Traffic Accounting Software for some of my clients. I felt that it might be of some interest to those on this list.

Here is an excerpt from my README file:

ulogd_ACCOUNT

--- 1. What is it? ---

As part of my UAS software suite (Users Aren't Stupid), I have a Traffic Accounting module for use with Harald Welte's ulog netfilter target (http://www.gnumonks.org/cgi-bin/cvsweb.cgi/ulog). I've been looking for a decent 2.4 Kernel traffic accounting module for a while and gave up and wrote my own.

This module has one fairly interesting feature. Most networks that I administrate are generally quite dynamic. That is, all the workstations on it are assigned their network details and IP Address via DHCP. As some of my clients wished to have accounting down to the workstation detail, I've made this particular module use a mixture of the IP and MAC. This means that if a workstation gets a new IP, it will still have traffic statistics applied correctly to it. If more than one IP has the same MAC, as when they are behind a router, then accounting will still work, but will only give totals for all addresses. This means I'm trusting the MAC rather than the IP, and I am using two tables, one to store MACs and one to store IPs, with a relationship of one MAC to many IPs.

NOTE: Both a MAC and IP _can_ be forged, but this is a topic for another discussion.

A quick description of HOW this module achieves this is as follows:

1. On each packet, determine if it is 'outgoing' or 'incoming'. (We're assuming that this is running on a router which the packets pass through). We can then determine whether to use the source IP (on outgoing packets) or destination IP (on incoming packets).
2. We then try to work out a MAC address, as follows:
   a) We check if we already have a cached entry that links the IP to a MAC; if so, we use it.
   b) Else if traffic is outgoing, then we will also have the source MAC address given to us. We cache the MAC and link this IP to it.
   c) Else if traffic is incoming then we store the traffic in a temp variable linked to the IP, and return. A future 'answer' will link this, and will also transfer the temp traffic counter to the MAC.
3. A few sanity checks are performed. ie:
   a) If traffic is outgoing, check that the currently linked MAC to the IP is correct. If not, fix up.
4. Traffic counters for the MAC are updated, and the cache times are touched to current time.

Some notes:
 * When a MAC cache expires, it is written to the log file, in the format:
       TIMESTAMP MACADDRESS TOTALTRAFFICFROM TOTALTRAFFICTO
 * When a SIGHUP is caught, all MAC stats are written to the log file and the tables cleared.
 * All memory allocation is cached so that performance is at optimum. Some sort of cleanup of the cached mallocs is probably useful to prevent Denial of Service.
 * Written for performance, so not much double-checking is done.
 * It would be fairly simple to write a web front-end that parses the file and links MAC to machine names.

--- 2. How do I Compile it? ---

I've probably done things the wrong way, but I've copied the needed files from ulogd and included them with this. A future change may be to make a configuration script that determines the directory of a ulogd source and uses it.

To compile this, it should be as simple as doing the following:

1. Uncompress archive to some directory.
2. Compile it. Should be as simple as going 'make' in the directory. The makefile will install it in /usr/lib/ulogd
3. Edit /etc/ulogd.conf. There's an example in the example directory to get you started, but here's an example of a section:
       # Where to write the logfile
       dumpfile /var/log/ipacc/ipaccount.log
       # What is the external interface? (IE, gateway Interface)
       extif eth0
       # Enable Plugin
       plugin /usr/lib/ulogd/ulogd_ACCOUNT.so
4. In your forward chain, just jump to ULOG. For example, I have:
       iptables -A FORWARD -j ULOG --ulog-nlgroup 1 --ulog-cprange 20 \
           --ulog-qthreshold 50
5. Start ulogd.
6. Set up a cronjob to send a HUP to ulogd every day or every hour. That way you can have fairly recent statistics.

NOTE: I use a /var/log/ipacc directory so that the directory can be given a group write permission. This way a statistics parsing engine (ie: http://www.worldguard.com.au/projects/ipacc) can read and write securely to the directory.

--- 3. TO DO ---

Probably something, but I'm sure it can
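An added example, not code from the ulogd_ACCOUNT module or its author: a user-space model of the accounting algorithm the README describes (steps 1 to 4 and the expiry/SIGHUP notes), with the two tables, the IP-to-MAC cache and the "park incoming bytes until an outgoing packet reveals the MAC" rule. Everything about the packet representation is my assumption: a packet is (direction, LAN-side IP, LAN-side MAC or None, byte count), and the MAC is only known on outgoing packets because that is the only direction in which the router sees the workstation's Ethernet source. The traffic in demo() is constructed, and shows the feature the README is built around: one host renews its DHCP lease, changes IP, and is still charged to the same MAC.

```python
"""
Model of MAC-keyed traffic accounting with an IP->MAC cache.
Log line format follows the README: TIMESTAMP MACADDRESS TOTALTRAFFICFROM TOTALTRAFFICTO
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MacEntry:
    sent: int = 0        # TOTALTRAFFICFROM: bytes the host sent out
    received: int = 0    # TOTALTRAFFICTO: bytes delivered to the host
    last_seen: int = 0   # cache time, touched on every packet (step 4)


class Accountant:
    def __init__(self, cache_ttl: int) -> None:
        self.cache_ttl = cache_ttl
        self.macs: Dict[str, MacEntry] = {}      # table 1: one row per MAC
        self.ip_to_mac: Dict[str, str] = {}      # table 2: many IPs -> one MAC
        self.pending_in: Dict[str, int] = {}     # step 2c: bytes for IPs not yet linked
        self.log: List[str] = []

    def packet(self, now: int, direction: str, ip: str,
               mac: Optional[str], nbytes: int) -> None:
        linked = self.ip_to_mac.get(ip)
        if direction == "out":
            # Outgoing packets carry the workstation's MAC; trust it over the IP
            # (step 2b), and re-link if the cache disagrees (step 3a).
            if linked != mac:
                self.ip_to_mac[ip] = mac
            entry = self.macs.setdefault(mac, MacEntry())
            entry.sent += nbytes
            # Credit bytes that arrived before we knew the MAC (step 2c's 'answer').
            entry.received += self.pending_in.pop(ip, 0)
        else:
            if linked is None:
                self.pending_in[ip] = self.pending_in.get(ip, 0) + nbytes
                return
            entry = self.macs[linked]
            entry.received += nbytes
        entry.last_seen = now

    def expire(self, now: int) -> List[str]:
        """Write out and drop MAC entries whose cache time has run out."""
        return [self._flush(now, mac) for mac in list(self.macs)
                if now - self.macs[mac].last_seen >= self.cache_ttl]

    def hup(self, now: int) -> List[str]:
        """SIGHUP: dump every MAC to the log and clear both tables."""
        written = [self._flush(now, mac) for mac in list(self.macs)]
        self.ip_to_mac.clear()
        return written

    def _flush(self, now: int, mac: str) -> str:
        e = self.macs.pop(mac)
        self.ip_to_mac = {ip: m for ip, m in self.ip_to_mac.items() if m != mac}
        line = f"{now} {mac} {e.sent} {e.received}"
        self.log.append(line)
        return line


def demo() -> Accountant:
    """Constructed traffic: a reply arrives before the MAC is known, then the
    host gets a new DHCP address and keeps the same MAC."""
    acc = Accountant(cache_ttl=300)
    acc.packet(100, "in", "192.168.1.50", None, 500)    # parked: no MAC yet
    acc.packet(101, "out", "192.168.1.50", "00:43:21:59:22:0d", 60)
    acc.packet(102, "in", "192.168.1.50", None, 1400)
    acc.packet(200, "out", "192.168.1.77", "00:43:21:59:22:0d", 60)  # new lease
    acc.packet(201, "in", "192.168.1.77", None, 1000)
    return acc


if __name__ == "__main__":
    a = demo()
    for line in a.hup(300):
        print(line)      # 300 00:43:21:59:22:0d 120 2900
```

The README's own caveat applies unchanged: a host that forges its source MAC on outgoing packets rewrites the link in step 3a and is charged to someone else's row, so the log is only as trustworthy as the switch ports feeding the router.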
Viewing NAT current mappings.
Is it possible to view some sort of cache for the current mappings NAT is handling? Thanks Justin Schroeder Network Security Analyst Virginia Tech Transportation Institute [EMAIL PROTECTED] 540-231-1578
Tweaking netfilter timers
Greetings,

I apologise in case this is a question that you all are often faced with. Unfortunately, I'm unable to find the answer in any of the documentation. I'm trying to find out how to set masquerading NAT timeouts for tcp/udp/icmp sessions. Also, does anyone know of a script that displays NAT/MASQ entries from /proc/net/ip_conntrack in a more human friendly form than 'cat'? Just wanted to check before I cobble one together.

-George
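An added example that answers both Justin's question (where the current NAT mappings live) and George's (a friendlier view of /proc/net/ip_conntrack); it is not code from either post. It parses the 2.4 ip_conntrack line layout as I know it: protocol name, protocol number, seconds until the entry times out, an optional TCP state, the original tuple, an optional [UNREPLIED], the reply tuple, an optional [ASSURED], and use=N. A mapping is NAT whenever the reply tuple is not simply the original tuple reversed: a rewritten source shows up as reply dst != original src (SNAT/MASQUERADE), a rewritten destination as reply src != original dst (DNAT). The sample lines in SAMPLE are constructed; run the script with a path to read a real file instead.

```python
"""
Pretty-printer for 2.4-style /proc/net/ip_conntrack that flags NAT mappings.
Usage: python3 ct.py [/proc/net/ip_conntrack]
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample: a masqueraded web session, an untranslated local DNS
# lookup, an inbound DNAT to a mail server, and a masqueraded ping.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=198.51.100.7 sport=33201 dport=80 src=198.51.100.7 dst=203.0.113.1 sport=80 dport=33201 [ASSURED] use=1
udp      17 27 src=192.168.1.5 dst=192.168.1.1 sport=1025 dport=53 src=192.168.1.1 dst=192.168.1.5 sport=53 dport=1025 use=1
tcp      6 117 SYN_SENT src=203.0.113.9 dst=203.0.113.1 sport=40000 dport=25 [UNREPLIED] src=192.168.1.10 dst=203.0.113.9 sport=25 dport=40000 use=1
icmp     1 29 src=192.168.1.5 dst=198.51.100.1 type=8 code=0 id=1234 src=198.51.100.1 dst=203.0.113.1 type=0 code=0 id=1234 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    fields = line.split()
    if len(fields) < 4:
        return None
    proto, timeout = fields[0], int(fields[2])      # fields[1] is the protocol number
    rest = fields[3:]
    state = None
    if "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)                         # ESTABLISHED, SYN_SENT, ...
    flags = [f.strip("[]") for f in rest if f.startswith("[")]
    # Keys repeat: first occurrence belongs to the original tuple, second to the reply.
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for f in rest:
        for k, v in KV.findall(f):
            if k != "use":
                (reply if k in orig else orig)[k] = v
    return {"proto": proto, "timeout": timeout, "state": state,
            "flags": flags, "orig": orig, "reply": reply}


def nat_kind(entry: dict) -> str:
    o, r = entry["orig"], entry["reply"]
    snat = r["dst"] != o["src"]     # source rewritten on the way out
    dnat = r["src"] != o["dst"]     # destination rewritten on the way in
    return {(True, True): "SNAT+DNAT", (True, False): "SNAT",
            (False, True): "DNAT", (False, False): "none"}[(snat, dnat)]


def _endpoint(t: Dict[str, str], ip_key: str, port_key: str) -> str:
    return t[ip_key] + (":" + t[port_key] if port_key in t else "")


def describe(text: str) -> List[str]:
    """One line per translated entry: what the inside host sent, how it looks
    after translation, and how long conntrack will keep the mapping."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None or nat_kind(e) == "none":
            continue
        o, r = e["orig"], e["reply"]
        before = f"{_endpoint(o, 'src', 'sport')} -> {_endpoint(o, 'dst', 'dport')}"
        after = f"{_endpoint(r, 'dst', 'dport')} -> {_endpoint(r, 'src', 'sport')}"
        out.append(f"{e['proto']:<4} {before}  seen as {after}  "
                   f"[{nat_kind(e)}, {e['state'] or '-'}, {e['timeout']}s left]")
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(describe(text)))
```

The third column is the one George's timeout question is about: it counts down per entry, and watching it on a real table is the quickest way to see what value each protocol and TCP state is currently getting before looking for a knob to change it.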
Re: MS Windows domain logon via netfilter NAT
On Sun, May 12, 2002 at 01:29:09PM -0400, Kramer wrote:
> Windows client hosts on the NATed LAN can't find the NT4 Domain for logon. Therefore Network Neighborhood browsing doesn't work. Strangely direct UNC connections will work if logon credentials are not required.

In normal IP networks running Windows, the DC is found via the WINS service. WINS is the pre-Win2k version of DNS. WINS is used to map host and service names to IP addresses. AFAIK, there is currently no support for WINS in iptables/netfilter, thus the answer your Win client gets back points to the not-NATed address, which is unreachable. By directly specifying the machine you work around that problem (you manually do what the WINS service would have done otherwise).

ciao
Jörg
--
Joerg Mayer [EMAIL PROTECTED]
I found out that pro means instead of (as in proconsul). Now I know what proactive means.
Re: MS Windows domain logon via netfilter NAT
----- Original Message -----
From: Kramer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 12, 2002 7:29 PM
Subject: MS Windows domain logon via netfilter NAT

> I have gotten a RedHat 7.3 box operating as a router/filter to a private (192.168.132.0/24) with dhcp without too much trouble. One major problem remains that I can't find any info on. The fixes for the NAT public address reverse routing and the broadcast address fixes are already applied. Windows client hosts on the NATed LAN can't find the NT4 Domain for logon. Therefore Network Neighborhood browsing doesn't work. Strangely direct UNC connections will work if logon credentials are not required. I am sure I am not the first to run into this. Can anyone help?
> Jack Kramer
> University of Florida Fort Lauderdale

Windows usually builds its browse list via broadcasting. If the clients are not on the same network they need a domain master in each network that knows the other network. That cannot work if the domains are the same. Then set up fine routing and start a WINS server on a machine, and all other machines have to use WINS. Works fine here; I'm migrating a network to another IP range without interrupting client users ...

bye
Iced_tea
netfilter/iptables/NAT/DNS problems
Help!! I have no hair left! I have been over the HOWTO, most examples I can find, and I still can't get things working entirely correctly. I've looked in the archives, and that's gotten me about 95% of the way. But that last 5% is killing me.

    external net --- firewall/dns --- internal net

I'd like anything sourced from inside to be able to get outside. I'd like nothing outside to be able to get in, other than traffic that originated from inside. I'd like ssh to be accepted from only internal connections. I want all my internal network machines to use the DNS on the firewall. The DNS on the firewall is pointing to a real internet DNS server. I want all my machines to be NAT'ed going through the firewall out to the internet. I have a cable modem with a dynamically assigned IP address, and depending on what range I get assigned to, I may end up with different DNS servers. I'd like my internal machines to use the firewall as the DNS server, and have the firewall actually do the requesting out to the internet.

I can surf the internet from the linux firewall/dns box. I can get as far as being able to ping real ip addresses on the internet from any internal machine, but I can't ping DNS names of those same sites. Obviously, I don't quite have things set up correctly. Also, I can't get ssh to be accepted; PuTTY gives me an error that "Software caused connection abort". BTW, most internal machines are Windoze 2000 or XP. There are one or two crazy people that run linux on their desktop (me included...) But I'm not too concerned, because I think the problem is in how the iptables rules are accepting requests on port 53, right?

Please help! Thanks, Paul
RE: Patch-o-matic Error
I had this same problem, but everything is working fine now for me. You must first apply all pending patches, otherwise it will fail. (If a pending patch cannot be applied/fails at applying, that does not matter.) I suggest using 'make patch-o-matic' from userspace/. There are pre-requisite patches necessary for it to work properly. Hope this helps.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ing. CIP Alejandro Celi Mariátegui
Sent: Monday, May 13, 2002 11:41 PM
To: Netfilter
Subject: Patch-o-matic Error

Hi: I did all the steps about patch-o-matic in http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html but I have a problem with newnat; I get this error:

==
# ./runme newnat
Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
---
Testing... Need directory and patch.
The newnat/newnat newnat patch:
-
Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?] y
Testing patch newnat...
patch: read error : Is a directory
Failed to patch copy of /usr/src/linux
TEST FAILED: patch NOT applied.
[Press enter to continue]
==

Thank you for your help. Best regards, Alex
newbie problem? Compilation error:ll_proto.c:36: `ETH_P_ECHO' undeclared
Howdy,

I'm working on a thesis and I'm learning Linux as I go along. I tried to compile the 1.2.6a iptables at my RedHat machine with kernel 2.4.18. I get the following message when running make:

    gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -I../include-glibc -include ../include-glibc/glibc-bugs.h -I/usr/src/linux/include -I../include -DRESOLVE_HOSTNAMES -c -o ll_proto.o ll_proto.c
    ll_proto.c:36: `ETH_P_ECHO' undeclared here (not in a function)
    ll_proto.c:36: initializer element is not constant
    ll_proto.c:36: (near initialization for `llproto_names[1].id')
    make[1]: *** [ll_proto.o] Error 1
    make[1]: Leaving directory `/home/magnusvr/tmp/iproute2/lib'
    make: *** [all] Error 2

Any help is appreciated.

Thanks, Magnus von Rosen, Sweden. [EMAIL PROTECTED]
How to use apache redirect with Iptables
Hello All,

I configured iptables with 3 cards: external, LAN and DMZ. I have 2 http servers in the DMZ. Packets coming in to port 80 I DNAT to a web server in the DMZ. I try to do an Apache redirect from this web server (in the httpd.conf, the Redirect option: Redirect / http://192.168.1.3) to another web server in this segment but it is not working. Does anyone know how to do this?

Thanks in advance, Nir
Netfilter and Linux bridge
Hello. I was wondering whether Netfilter can filter away packets handled by Linux bridge. If the bridge forwards the packet to another port, the packet never goes through IP routing, so Netfilter should handle it inside the bridge. Also, is it possible to apply rules to packets according to the protocol type in Ethernet header (h_proto in struct ethhdr)? The man page says it is possible to apply rules according to source MAC, but says nothing about Ethernet protocol type. Fabrizio Gennari Philips Research Monza via G.Casati 23, 20052 Monza (MI), Italy tel. +39 039 2037816, fax +39 039 2037800
How do you specify an odd group of hosts?
I am wondering what is the best way to specify an odd group of hosts. For example, I want to allow management hosts access to 192.168.0.5. The management hosts are 192.168.1.4, 192.168.1.12, 192.168.1.96. As far as I can tell from the iptables docs you can only specify groups by netmask according to the following extract from the packet filtering HOWTO:

***
The third and fourth ways allow specification of a group of IP addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. These both specify any IP address from 199.95.207.0 to 199.95.207.255 inclusive; the digits after the `/' tell which parts of the IP address are significant. `/32' or `/255.255.255.255' is the default (match all of the IP address). To specify any IP address at all `/0' can be used, like so:
***

This will not work with odd hosts such as the management hosts above. Should I create a management chain where I list all the management hosts and accept the packet if it matches a management host and use this chain as the target? eg:

    # the user chain has to exist before FORWARD can jump to it
    iptables -N MNG_HOST
    iptables -A FORWARD -p tcp -d 192.168.0.5 --dport 22 -j MNG_HOST
    iptables -A MNG_HOST -s 192.168.1.4 -j ACCEPT
    iptables -A MNG_HOST -s 192.168.1.12 -j ACCEPT
    iptables -A MNG_HOST -s 192.168.1.96 -j ACCEPT
    # iptables has no DENY target (that was ipchains); DROP is the equivalent
    iptables -A MNG_HOST -j DROP

I think this could be a little cumbersome when dealing with large numbers of hosts. Maybe a comma separated list of source hosts would be good, or a way to group.

Adrian.

UTS CRICOS Provider Code: 00099F
DISCLAIMER
This email message and any accompanying attachments may contain confidential information. If you are not the intended recipient, do not read, use, disseminate, distribute or copy this message or attachments. If you have received this message in error, please notify the sender immediately and delete this message. Any views expressed in this message are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of the University of Technology Sydney.
Before opening any attachments, please check them for viruses and defects.
iptables problem when booting up
I built the iptables ruleset (/etc/sysconfig/iptables) in my RH7.2. It seems to work okay when booting my system as it shows when 'iptables -L -n' but some rules are not okay, I can't connect to the internet from my internal network even though the rule '-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT' is placed. The weird thing is that when I run 'service iptables restart' it restarts the firewall rules and the problem is fixed.
Port 25 forwarding:
Eugene:

I made a couple of changes to your script. I added the ip_conntrack module. I rewrote your forwarding rules near the end. I would recommend that you make all your default policies DROP, and then open up what you need to. Try those changes. If they don't work do an 'iptables -v -L -t nat' and 'iptables -v -L FORWARD'. Copy and paste them and send it to the group. The other thing to try is tcpdump. I usually use 'tcpdump -nvi eth0 port 25' and 'tcpdump -nvi eth1 port 25' on separate ssh windows; telnet should work fine as well. See if the packets are being DNAT'd and Forwarded. I am assuming everything else works ok, i.e. you can connect out via an internal machine etc, preferably the one in question. Let me know how you make out.

Stu.

    #!/bin/sh
    #/usr/sbin/firewall.sh

    ###Flushing###
    iptables -F
    iptables -t nat -F
    iptables -X
    iptables -Z

    ###Default policies###
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    ###Loading Iptables###
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack      #Added this module
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_ftp

    ###not too sure what this does###
    ### This is intended for antispoofing filtering
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    ### This one
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

    ###Enable NAT/MASQUERADING and IP forwarding###
    iptables -t nat -A POSTROUTING -s intip -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ###Disable response to ping### working
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    ###Transparent proxy###
    iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128

    ###Disable ICMP redirect acceptance###
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

    ###Disable response to broadcasts###
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    ###Don't accept source routed packets###
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

    ###Enable bad error message protection###
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    ###Log spoofed packets, source routed packets, redirect packets###
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

    ###INPUT Policies###
    iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 79 -j DROP
    iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 79 -j DROP
    iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 23 -j DROP
    iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 23 -j DROP
    iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 22 -j DROP
    iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 22 -j DROP
    iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 21 -j DROP
    iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 21 -j DROP
    iptables -A INPUT -p tcp -i eth0 -s 0/0 --dport 20 -j DROP

    ###Block e-mail password sender###
    iptables -A OUTPUT -p udp -o eth0 -s 0/0 --dport 25 -j DROP
    iptables -A INPUT -p udp -i eth0 -s 0/0 --dport 25 -j DROP

    ###Deny spoofed IPs###
    iptables -A INPUT -i eth0 -s intip -j DROP

    ###Port Forwarding Changes by Stu ###
    #Rule to DNAT incoming connections
    iptables -t nat -A PREROUTING -p tcp -i eth0 -d EXTIP \
        -s 0/0 --dport 25 -j DNAT --to intip
    #Rule to forward traffic destined to Internal Machine on Port 25
    iptables -A FORWARD -p tcp -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED \
        -d intip --dport 25 -j ACCEPT
    #Rule to allow traffic out from the Internal Network
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    # Original Rules Commented out
    # iptables -t nat -A PREROUTING -p tcp -d extip --dport 25 -j DNAT --to intip:port
    # iptables -A FORWARD -i eth0 -p tcp -d intip --dport 25 -j ACCEPT

    ###Allow all connections on the loopback device###
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
conntrack/nat w monolithic kernel: how to ftp to servers on portother than 21?
Hi,

consider the following: You want to connect to an ftp server running on, say, port 5432 from your internal LAN. Between is a Linux box with netfilter, masquerading or SNATing respectively the internal addresses. All works fine with ftp servers on port 21, but on port 5432 connection tracking does not work for the ftp protocol. I'm aware that I can do a

    modprobe ip_conntrack_ftp ports=21,5432
    modprobe ip_nat_ftp ports=21,5432

to solve this problem. But what if I have a monolithic kernel with all the netfilter code compiled into the Linux kernel? In this case there is no such thing as modprobe. Any idea how to pass these port arguments directly to the kernel, maybe a boot option I can pass to the kernel at boot time, or advice on what piece of the source code to change in what way (iptables 1.2.6a, linux 2.4.18) to make this work?

TIA, Rainer
NAT with specific IP Address
Hello all,

I need to do a complicated configuration of NAT with iptables. I have various Network Access Servers under Linux with PPP interfaces. Each time a client connects to one of these machines the final user will receive an IP like 10.10.x.x. Now, these NAS servers have a static default route to a specific server, another Linux server that will be able to perform all the NAT translation. The NAT server will have two interfaces, one with a public IP and one with a private IP. I had to route 2 class C networks to the NAT server. I have to configure NAT in a specific way.

    NAT-Server                              NAS 1
    OSPF                                    OSPF
    Eth1             Eth2      ---      Eth1             pppxy
    195.1.1.1/24     192.168.1.1/24     192.168.1.2/24   10.20.0.1
    195.100.100.0/24
    195.100.200.0/24

I have no problem running OSPF and routing all the traffic from ppp (10.20.0.1) connections to the NAT server 192.168.1.1. On the NAT and NAS servers an OSPFD daemon will run, because I will route each connected subnet automatically. Now, on the NAT machine I route the 2 class Cs, 195.100.100.0 and 195.100.200.0, both /24.

I want to configure a NAT that permits me to say: ppp from 10.20.0.1 to 10.20.0.254 and 10.20.1.1 to 10.20.1.254 has to NAT using external IP 195.100.100.1; ppp from 10.20.2.1 to 10.20.2.254 and 10.20.3.1 to 10.20.3.254 has to NAT using external IP 195.100.100.2, and so on. I have configured two CISCO 3640 routers that do that without problems but I have to use a Linux machine instead of them. Here is the router configuration that does it, so more people will understand better:

    ip nat pool rete10.20.0.0 195.100.100.1 195.100.100.1 prefix-length 24
    ip nat pool rete10.20.2.0 195.100.100.2 195.100.100.2 prefix-length 24
    ip nat inside source list nas-100-1 pool rete10.20.0.0 overload
    ip nat inside source list nas-100-2 pool rete10.20.2.0 overload
    ip access-list standard nas-100-1 permit 10.20.0.0 0.0.1.255
    ip access-list standard nas-100-2 permit 10.20.2.0 0.0.1.255

How can I tell iptables to use a specific IP address for NAT of other specific IP addresses? Will there be any trouble with the OSPF protocol over NAT?

Thanks in advance for any idea and suggestions!!

Simone Sestini
Plug IT s.p.a.
System and Network Administrator
Data Transmission Manager
Via G. Ferraris, 216 - 52100 Arezzo ITALY
Fax: +39 199 440088
Email: [EMAIL PROTECTED]
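An added example, not from Simone's post: a translation of the Cisco 'ip nat inside source list ... pool ... overload' lines into iptables SNAT rules. The Cisco access-list uses wildcard masks (0.0.1.255 means the low 9 bits are don't-care, i.e. a /23), so the example converts each wildcard to a CIDR prefix, refuses non-contiguous wildcards that have no CIDR equivalent, and emits one POSTROUTING rule per pool. SNAT rewrites many inside addresses to one public address with port translation, which is what 'overload' means on the router. The outgoing interface name eth1 is read off the diagram in the post (the 195.1.1.1/24 side) and is an assumption of mine; the pool table holds the addresses from the post.

```python
"""
Cisco NAT pool/access-list -> iptables SNAT rules (wildcard mask to CIDR).
"""
import ipaddress
from typing import List, Tuple


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco wildcard mask to a CIDR network. A wildcard is the
    inverse of a netmask, so 0.0.1.255 (low 9 bits set) is a /23. Wildcards
    whose set bits are not a contiguous low-order run cannot be expressed as
    a prefix and are rejected rather than silently widened."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"wildcard {wildcard} is not a contiguous low-order mask")
    prefix = 32 - wc.bit_length()
    # strict=True: complain if the address has host bits set for this prefix
    return ipaddress.IPv4Network((addr, prefix), strict=True)


# (access-list network, wildcard, pool address) as in the Cisco config
CISCO_POOLS: List[Tuple[str, str, str]] = [
    ("10.20.0.0", "0.0.1.255", "195.100.100.1"),
    ("10.20.2.0", "0.0.1.255", "195.100.100.2"),
]


def snat_rules(pools: List[Tuple[str, str, str]], out_if: str = "eth1") -> List[str]:
    """One POSTROUTING rule per pool. Matching on -o restricts the rewrite
    to traffic actually leaving through the public interface, so the OSPF
    exchange on the private side (eth2) is never translated."""
    rules = []
    for addr, wildcard, public in pools:
        net = wildcard_to_network(addr, wildcard)
        rules.append(f"iptables -t nat -A POSTROUTING -s {net} -o {out_if} "
                     f"-j SNAT --to-source {public}")
    return rules


if __name__ == "__main__":
    print("\n".join(snat_rules(CISCO_POOLS)))
```

The NAT box does not have to own 195.100.100.1 on an interface for this to work; it only has to receive the return packets addressed to it, and since the /24 is routed to the box via OSPF that holds. Run the script and paste the two printed rules into the firewall script on the NAT server.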
ftp problem ipchains unter kernel 2.4.18
I am still using ipchains, because I have experience with it and at the moment I want to solve other things first. I have switched to kernel 2.4.18. My firewall runs nicely, except for ftp. Under kernel 2.2.19 the module ip_masq_ftp was responsible for that. I can no longer find it under kernel 2.4.18. The ftp filters that come with it are all for iptables. What can I do, or how can this be solved?
Understanding iptables
I'm just trying to teach myself how to configure a firewall using iptables. This is my current script:

# Set up a default DROP policy for the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## SYN-FLOODING PROTECTION
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

## FRAGMENTS
# Log fragments just to see if we get any, and deny them too.
iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP

## SPOOFING
# Refuse spoofed packets pretending to be from your IP address.
iptables -A INPUT -i eth0 -s 192.168.1.4/27 -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
# Refuse packets claiming to be from a Class C private network.
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source
# address.
iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i eth0 -s 240.0.0.0/4 -j DROP
# Refuse packets claiming to be to the loopback interface.
iptables -A INPUT -i eth0 -d 127.0.0.1/27 -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i eth0 -d 192.168.1.31 -j DROP

## DNS server access (53)
# Allow UDP packets in for DNS client from nameservers.
iptables -A INPUT -i eth0 -p udp -s 205.152.16.20 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 205.152.0.5 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
iptables -A OUTPUT -o eth0 -p udp -d 205.152.16.20 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -d 205.152.0.5 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

## Web sites access (80,443)
# Allow www outbound to http. (80)
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow www outbound to https. (443)
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

## POP (110)
# Allow pop outbound.
iptables -A INPUT -i eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

## SMTP (25)
# Allow smtp outbound.
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

## NNTP (119)
# Allow news outbound.
iptables -A INPUT -i eth0 -p tcp --sport 119 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 119 -m state --state NEW,ESTABLISHED -j ACCEPT

## FTP (20,21,1024:65535)
# Allow ftp outbound. (21)
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# 1) Active ftp. (20)
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# 2) Passive ftp. (1024:65535)
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

## AUTH server (113)
# Reject ident probes
iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT

## TRACEROUTE
# Outgoing traceroute anywhere.
iptables -A OUTPUT -o eth0 -p udp --sport 32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT

## ICMP
# We accept icmp in if it is related to other connections (e.g a time
# exceeded (11) from a traceroute) or it is part of an established
# connection (e.g. an echo reply (0) from an echo-request (8)).
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# We always allow icmp out.
iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I'm on a workstation which has no services to offer. Everything is working great, but I want to add a few things like the ability to mount nfs shares, samba client, ssh out, ping out, and traceroute out. Can someone help me out? Also do I have do
Re: simple nat dilemma
On Thursday 09 May 2002 6:33 pm, patrick conlin wrote:

> Hello everyone, Let me preface this by saying that I am seriously disappointed by my failure to figure out what I'm doing wrong here, and any admonitions I receive from ramin for being an idiot will be appreciated.

Will you appreciate it as much if I call you an idiot first :-) ?

> I'm trying to get the nat machine (bulgakov) to make zamyatin look and feel like 207.224.76.204 for all external activity, inbound and outbound.

Have you applied the network address 207.224.76.204 to the external interface of the firewall, so that it receives packets for that address ? You either want to do:

ifconfig eth0:1 217.224.76.204 netmask w.x.y.z

or use the ip command from the iproute2 package if you have this on your system (can't quote you the syntax as I don't use it myself).

By the way, if this solves your problem, I don't think you were an idiot. If you've already done this, and the problem turns out to be something else, then I'll wait before deciding :-)

Antony.
Re: a discussion starter i hope.
On Thursday 09 May 2002 9:11 pm, alan barrow wrote:

> Now behind the firewall are 2 separate servers, each running a web service and each running on port 80.
>
> 1) The question is, with only 1 real world address available to you, what suggestions do you guys have as to the configuration required to make both web servers available on the Internet ? So that incoming port 80 requests on the firewall public interface go to the correct server.

Which is the correct server ? Are the two identical, and you want to do some sort of load balancing, or are they different, in which case what is the answer to the question which is the correct server for packets coming in to this address ?

> 2) The same as scenario 1) except you have 2 addresses available but only one external NIC.

No problem here - apply both external addresses to the NIC, have two translation rules forwarding packets from ExtAddrA to IntAddrA and ExtAddrB to IntAddrB.

> 3) Same as 2) except you have 2 NICs.

Easy. Take out one NIC and do what I suggested for question 2 above.

Antony.
Accuracy of packet counting?
I would be grateful for expert opinion on a simple matter: I am trying to reconcile the traffic charges of my ISP with my own counts. I have a plain 1500/256 bridged ADSL connection (i.e. no connection software or overhead) to eth0 on a lightly-loaded web/mail server. My traffic counter is simply this:

#iptables -L -n -v -x
Chain INPUT (policy ACCEPT 21095 packets, 2640498 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9639    1817610 ACCOUNTING all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 629 packets, 262264 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20654 packets, 5383330 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9957    4391462 ACCOUNTING all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain ACCOUNTING (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   19596    6209072 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

My question: Is there ANY reason to suppose that the ACCOUNTING total is not an accurate count of all IP traffic into and out of eth0? (The machine is a dual-Pentium Pro Linux box, daily traffic 20-30 MB average, ifconfig never reports any dropped packets).

TIA,
-- 
Best regards,
John Holman
Eastax WWW
Melbourne, Australia
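An added example (not from the post or from the netfilter project): a parser for the `iptables -L -n -v -x` output quoted above that totals the per-direction ACCOUNTING counters and cross-checks them against the ACCOUNTING chain's own RETURN counters. The sample input is the post's output, reflowed one rule per line; the comment in `accounting_summary` states the caveat that matters when comparing against an ISP's figures.

```python
import re

# Sample input: the `iptables -L -n -v -x` output quoted in the post above,
# reflowed one rule per line (the column layout is the one iptables prints).
SAMPLE = """\
Chain INPUT (policy ACCEPT 21095 packets, 2640498 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9639    1817610 ACCOUNTING all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 629 packets, 262264 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20654 packets, 5383330 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9957    4391462 ACCOUNTING all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain ACCOUNTING (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   19596    6209072 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# "Chain NAME (policy P n packets, m bytes)" for built-in chains,
# "Chain NAME (k references)" for user-defined ones.
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)"
)
# pkts bytes target prot opt in out source destination
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_counters(text):
    """Parse `iptables -L -n -v -x` output into
    {chain: {"policy": (pkts, bytes) or None, "rules": [rule dicts]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policy = (int(m.group(3)), int(m.group(4))) if m.group(2) else None
            current = chains[m.group(1)] = {"policy": policy, "rules": []}
            continue
        # Skip blank lines and the column header that follows each chain line.
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue
        r = RULE_RE.match(line)
        if r:
            pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = r.groups()
            current["rules"].append({
                "pkts": int(pkts), "bytes": int(nbytes), "target": target,
                "prot": prot, "in": in_if, "out": out_if, "src": src, "dst": dst,
            })
    return chains


def _totals(rules):
    return (sum(r["pkts"] for r in rules), sum(r["bytes"] for r in rules))


def accounting_summary(chains, iface="eth0", chain="ACCOUNTING"):
    """Per-direction totals of the rules that jump to `chain` on `iface`, cross-checked
    against that chain's single RETURN rule: every packet that enters the chain hits
    RETURN, so the two sums must agree or a rule was inserted/flushed between reads."""
    inbound = _totals([r for r in chains["INPUT"]["rules"]
                       if r["target"] == chain and r["in"] == iface])
    outbound = _totals([r for r in chains["OUTPUT"]["rules"]
                        if r["target"] == chain and r["out"] == iface])
    total = _totals([r for r in chains[chain]["rules"] if r["target"] == "RETURN"])
    consistent = (inbound[0] + outbound[0], inbound[1] + outbound[1]) == total
    # Caveat when reconciling with an ISP: these are IP-layer byte counts (IP header
    # plus payload) of packets that reached the rule. Link-layer framing (Ethernet,
    # PPP, ATM cells on ADSL) and packets discarded before this hook are not included.
    return {"in": inbound, "out": outbound, "total": total, "consistent": consistent}


if __name__ == "__main__":
    for key, value in accounting_summary(parse_counters(SAMPLE)).items():
        print(f"{key}: {value}")
```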
path of packets in the default chains
Sorry if this is someplace else but can't find the answer. There are 8 default tables INPUT, OUTPUT, FORWARD, nat/PREROUTING, nat/OUTPUT, nat/POSTROUTING, mangle/PREROUTING, mangle/OUTPUT. For a packet coming into an interface and going to leave another interface (not going to userspace), what tables does the packet traverse? Is it ethX - mangle/PREROUTING - nat/PREROUTING - route process - FORWARD - nat/POSTROUTING - ethZ? or are fewer items involved? What about for a packet going into userspace is it ethX - mangle/PREROUTING - nat/PREROUTING - route process - INPUT - userspace ? What about for a packet going from userspace - userspace - OUTPUT - mangle/OUTPUT - nat/POSTROUTING - ethZ? Thanks for the clarification in advance. Jay Brown
Masquerading on 2 ppp's
I haven't seen this addressed in any FAQ or HOWTO on netfilter.samba.org so I hope this is an appropriate place. I'd like to do Masquerading on to 2 different ppp interfaces. So when a packet reaches the gateway from the internal LAN (the first packet of its connection) the gateway should choose the least-used ppp (or pick one at random, whatever) and do NAT masquerading for the duration of that connection, sending all packets to the same ppp with the same source ip/port modification. Think of it as running 2 standard masquerading set-ups in parallel, transparent to the client LAN. The 2 ppp connections are standard ISP dialups, dynamically assigned IPs. Has anyone done this? Is it possible? Stupid? Thanks, Adam
DROP vs. REJECT vs. MIRROR
Hello all, Please pardon me if this is answered elsewhere. I have tried looking through all of the documentation, but I am still left wondering what are the advantages/disadvantages of the DROP, REJECT, and MIRROR targets? I know what they do, but I'm not quite certain as to what are some of the situations when I would want to use each. (I know that this may fall more under the heading of site policy. I'm more interested in examples of why people chose what they did.) I am especially interested in examples of the MIRROR target. I'll summarize if there is a large enough response. Thanks in advance. Sincerely, John Guthrie [EMAIL PROTECTED]
DCC send connections
Hello. I have a problem with dcc send in irc. I've read past posts on the lists and done everything they said but i can't figure out what goes wrong. I have a machine with a plain 56k pstn modem. My setup is the following.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-level warning --log-prefix "INPUT DROP: "
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/minute -j LOG --log-level warning --log-prefix "OUTPUT DROP: "

I have some other irrelevant rules too. I can dcc receive even without the ip_conntrack_irc and ip_nat_irc but i cannot dcc send. I have tried with ip_conntrack_irc and with ip_conntrack_irc/ip_nat_irc. I also passed ports=6667,6668 as a parameter.

P.S i have only one machine, that's why i am so confused why it isn't working. What i have seen in the logs is that i block for some reason the packets from the machine i am trying to send to, so i guess the connection tracking didn't work. Thank you for your time and excuse the size of my post.
ARP PROBLEMS -- PLEASE HELP
Hi, I have a problem with arp : The problem is : Adding arp lines manually to a Red hat 6.x/7.x machine - I have a Mac address and want to add it manually to the linux arp table. Thanks in advance, REALLY SORRY FOR THE BOTHER, Dov.
Re: Can iptables do this?
Hi, first of all thank you for your time.

Message quoted from Antony Stone [EMAIL PROTECTED]:

> On Monday 20 May 2002 1:03 pm, Eduardo GARCIA wrote:
>
>> For example my network is 1.2.3.0 and I want that a host with an IP address 10.9.8.7 can navigate. First of all, the host will send an arp request to find the MAC of its DNS server (I'll have to redirect it to my DNS), then it will look for its default gateway, etc (I can't work with mobile IP nor change any host configuration). Not any host is allowed to do this, only hosts with known MACs. Here comes (I believe) iptables
>
> Sounds like you want BOOTP / DHCP ?

No, this way the network configuration dynamically changes.

> I don't quite see where IPtables comes into this ?

I have to translate the ip of the host, but the problem comes when the host tries to find its DNS: it first has to send an ARP request that must be responded to by somebody on my network. Is it possible to mangle an arp request to change the dest ip?

> Antony.
can't access FTPs
Hello all, I'm having trouble allowing internal computers to access remote FTP sites on the net. The new version of CUTE FTP can seem to connect ok. But Internet Explorer gives an error "Invalid PORT command". And Bullet Proof FTP says it can't open the socket.

Also, one other question. Below is a section from my script. I wrote most of my script from scratch but added this from another one that I found. I notice that it slows down my internet a little. Any ideas why?

# ICMP Control and Status Messages
# Log and drop initial ICMP fragments
iptables -A INPUT --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT --fragment -p icmp -j DROP
iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP
iptables -A FORWARD --fragment -p icmp -j LOG --log-prefix "Fragmented forwarded ICMP: "
iptables -A FORWARD --fragment -p icmp -j DROP
iptables -A INPUT -p icmp --icmp-type source-quench -d $NETIP -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Don't log dropped outgoing ICMP error messages
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
iptables -A FORWARD -o $NETFACE -p icmp --icmp-type destination-unreachable -j DROP

thanks for any help. Mark.
ip_conntrack cleanup
Hello, I've been using ipt 1.2.6a for 2 months. There seems to be a problem in /proc/net/ip_conntrack. I have entries here that can't be cleared out. Example:

tcp 6 321156 ESTABLISHED src=63.218.135.142 dst=62.xx.x.44 sport=63920 dport=80 [UNREPLIED] src=192.168.101.2 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322238 ESTABLISHED src=63.218.135.142 dst=62.xx.x.45 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.45 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322374 ESTABLISHED src=63.218.135.142 dst=62.xx.x.46 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.46 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322240 ESTABLISHED src=63.218.135.142 dst=62.xx.x.45 sport=63921 dport=80 [UNREPLIED] src=62.xx.xx.45 dst=63.218.135.142 sport=80 dport=63921 use=1
tcp 6 322376 ESTABLISHED src=63.218.135.142 dst=62.xx.x.46 sport=63921 dport=80 [UNREPLIED] src=62.xx.xx.46 dst=63.218.135.142 sport=80 dport=63921 use=1
tcp 6 321842 ESTABLISHED src=63.218.135.142 dst=62.xx.x.47 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.47 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322390 ESTABLISHED src=63.218.135.142 dst=62.xx.x.48 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.48 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 321843 ESTABLISHED src=63.218.135.142 dst=62.xx.x.47 sport=63921 dport=80 [UNREPLIED] src=62.xx.xx.47 dst=63.218.135.142 sport=80 dport=63921 use=1
tcp 6 321930 ESTABLISHED src=63.218.135.142 dst=62.xx.x.49 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.49 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 321930 ESTABLISHED src=63.218.135.142 dst=62.xx.x.49 sport=63921 dport=80 [UNREPLIED] src=62.xx.xx.49 dst=63.218.135.142 sport=80 dport=63921 use=1
tcp 6 321960 ESTABLISHED src=63.218.135.142 dst=62.xx.x.51 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.51 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322328 ESTABLISHED src=63.218.135.142 dst=62.xx.x.52 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.52 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322036 ESTABLISHED src=63.218.135.142 dst=62.xx.x.53 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.53 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322096 ESTABLISHED src=63.218.135.142 dst=62.xx.x.54 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.54 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322036 ESTABLISHED src=63.218.135.142 dst=62.xx.x.53 sport=63921 dport=80 [UNREPLIED] src=62.xx.xx.53 dst=63.218.135.142 sport=80 dport=63921 use=1
tcp 6 321518 ESTABLISHED src=63.218.135.142 dst=62.xx.x.55 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.55 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322290 ESTABLISHED src=63.218.135.142 dst=62.xx.x.56 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.56 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322022 ESTABLISHED src=63.218.135.142 dst=62.xx.x.57 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.57 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322024 ESTABLISHED src=63.218.135.142 dst=62.xx.x.57 sport=63921 dport=80 [UNREPLIED] src=62.xx.xx.57 dst=63.218.135.142 sport=80 dport=63921 use=1
tcp 6 321565 ESTABLISHED src=63.218.135.142 dst=62.xx.x.58 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.58 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 321238 ESTABLISHED src=63.218.135.142 dst=62.xx.x.59 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.59 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 321342 ESTABLISHED src=63.218.135.142 dst=62.xx.x.60 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.60 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 321515 ESTABLISHED src=63.218.135.142 dst=62.xx.x.61 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.61 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322192 ESTABLISHED src=63.218.135.142 dst=62.xx.x.62 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.62 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 321516 ESTABLISHED src=63.218.135.142 dst=62.xx.x.61 sport=63921 dport=80 [UNREPLIED] src=62.xx.xx.61 dst=63.218.135.142 sport=80 dport=63921 use=1

Such a table can stay even 2 or 3 days. If I put DROP into INPUT or PREROUTING it doesn't change. Is this something suspicious? Maybe there's a setting which can be adjusted to stop such behavior? I can say that the kernel is patched with freeswan-1.97. Seems that the connection was initiated by 192.168.101.2.

Regards,
-- 
Wojciech Sobola
Unix System Engineer
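An added example (not the poster's code or netfilter's): a parser for /proc/net/ip_conntrack lines of the kind shown above, with detection logic that flags entries marked ESTABLISHED yet [UNREPLIED] and counts how many distinct destinations a single source has opened. The sample is the first three entries from the post plus one constructed, normally replied entry; the 3600 s threshold and the address 192.168.101.7 are my choices, not from the post.

```python
import re
from collections import defaultdict

# Sample input: three entries copied from the post above plus one constructed
# entry (last line) showing a normally tracked connection that has seen replies.
SAMPLE = """\
tcp 6 321156 ESTABLISHED src=63.218.135.142 dst=62.xx.x.44 sport=63920 dport=80 [UNREPLIED] src=192.168.101.2 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322238 ESTABLISHED src=63.218.135.142 dst=62.xx.x.45 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.45 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 322374 ESTABLISHED src=63.218.135.142 dst=62.xx.x.46 sport=63920 dport=80 [UNREPLIED] src=62.xx.xx.46 dst=63.218.135.142 sport=80 dport=63920 use=1
tcp 6 431999 ESTABLISHED src=192.168.101.7 dst=62.xx.x.44 sport=34512 dport=80 src=62.xx.x.44 dst=192.168.101.7 sport=80 dport=34512 [ASSURED] use=1
"""

KV_RE = re.compile(r"^(\w+)=(\S+)$")      # src=1.2.3.4, sport=80, use=1 ...
FLAG_RE = re.compile(r"^\[(\w+)\]$")      # [UNREPLIED], [ASSURED]


def parse_entry(line):
    """Parse one ip_conntrack line: proto, proto number, timeout, TCP state,
    original tuple, reply tuple, flags and the use count."""
    tok = line.split()
    proto, protonum, timeout = tok[0], int(tok[1]), int(tok[2])
    i, state = 3, None
    if proto == "tcp":              # only TCP entries carry a state word
        state, i = tok[3], 4
    orig, reply, flags, use = {}, {}, set(), None
    tup = orig
    for t in tok[i:]:
        f = FLAG_RE.match(t)
        if f:
            flags.add(f.group(1))
            continue
        m = KV_RE.match(t)
        if not m:
            continue
        k, v = m.groups()
        if k == "use":
            use = int(v)
            continue
        if k == "src" and tup is orig and "src" in orig:
            tup = reply             # the second src= starts the reply tuple
        tup[k] = v
    return {"proto": proto, "protonum": protonum, "timeout": timeout,
            "state": state, "orig": orig, "reply": reply, "flags": flags, "use": use}


def parse_table(text):
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def stale_unreplied(entries, min_timeout=3600):
    """Entries in ESTABLISHED state that have never seen a reply-direction packet
    yet still hold a long timer. This typically means the entry was created from a
    mid-stream (non-SYN) packet, so it sits in the table until the long ESTABLISHED
    timeout expires rather than the short one used for unanswered SYNs."""
    return [e for e in entries
            if e["state"] == "ESTABLISHED" and "UNREPLIED" in e["flags"]
            and e["timeout"] >= min_timeout]


def fan_out(entries):
    """Distinct destinations per original source among unreplied entries; one
    source touching many destinations on the same port is what stands out above."""
    seen = defaultdict(set)
    for e in entries:
        if "UNREPLIED" in e["flags"]:
            seen[e["orig"]["src"]].add(e["orig"]["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    table = parse_table(SAMPLE)
    for e in stale_unreplied(table):
        o = e["orig"]
        print(f"stale: {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} timeout={e['timeout']}")
    print(fan_out(table))
```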
Re: Masquerading on 2 ppp's
Although I didn't take a closer look at it, I guess that http://www.samag.com/documents/s=1824/sam0201h/0201h.htm (posted on the list a few days ago) is interesting for you...

Cheers, Uli

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adam Mitz
Sent: Monday, 20 May 2002 18:18
To: [EMAIL PROTECTED]
Subject: Masquerading on 2 ppp's
Re: can iptables do this?
On Tue, 21 May 2002, Antony Stone wrote:

> On Tuesday 21 May 2002 10:47 am, Eduardo GARCIA wrote:
>
>> For example my network is 1.2.3.0 and I want that a host with an IP from any unknown network (i. e. 10.9.8.7) can navigate.
>
> No way. You can't create a network which will allow a host with some arbitrary preset IP address (and gateway, and DNS...) to come along and plug into - for two reasons:

You can, at least one commercial device does just that - see www.nomadix.com for their usg (universal subscriber gateway). It seems to be some kind of answer to every arp request combined with nat - won't be easy, but it should be doable with iptables and some home-grown programs.

c'ya sven
-- 
The Internet treats censorship as a routing problem, and routes around it. (John Gilmore on http://www.cygnus.com/~gnu/)
icmp fragmentation
hi 2 all

introduction: my box (RedHat 7.0 with patches etc) was actively flooded by big ICMP packets without last fragments. ok, well, i had tried to log them by using an iptables -f -j LOG rule but no logs were generated! nevertheless, tcpdump was duly reporting fragmented icmp traffic.

problem: i think that due to the ip_conntrack module all fragmented packets need to be defragmented. but in my case, when there are no last fragments, the packets could not be defragmented and thus will never pass through the ip_conntrack module. so it's impossible to log or filter such packets. am i right ? and if it is, is there any way to log fragments with ip_conntrack loaded ?

StaX
Inline Technologies, SATD
...there are no wonders in our life... ...there is no life without wonders... so ...there is no life at all...
dscp match
Does the dscp match work in the recent iptables?

# uname -a
Linux router 2.4.17 #10 Tue Mar 26 01:26:47 EET 2002 i686 unknown
# iptables --version
iptables v1.2.7-20020520
# iptables -A INPUT -m dscp --dscp 0x20 -j ACCEPT
iptables: No chain/target/match by that name

The same happens with iptables 1.2.6a (from slackware-current). Please CC me on replies, I'm not on the list. Thanks.
Re: PPTP/GRE + Newnat Issues
I have received private emails regarding similar occurrences. Perhaps there is some weirdness about, since I am not alone on this? Additionally, if this is a problem with the module, should I move this conversation to the netfilter-devel list? Opinions?

--

Re: PPTP/GRE + Newnat Issues
Date: Thu, 13 Jun 2002 15:47:00 +0200
From: [EMAIL PROTECTED]
To: SoulBlazer [EMAIL PROTECTED]

same problems here, no solution known

greets

On June 12, 2002 07:53 pm, SoulBlazer wrote:

> Hey List, I've been having a problem getting PPTP/GRE (ms-vpn) sessions to work properly using netfilter cvs (06/12/2002) and a 2.4.19-pre10 kernel (please note I have tried the following with a vanilla 2.4.18 kernel as well, with the same results).
>
> After applying the newnat and pptp patches to my kernel I compile with the following:
>
> CONFIG_IP_NF_CT_PROTO_GRE=y
> CONFIG_IP_NF_PPTP=y
>
> (I also have standard iptables options allowing for nat enabled)
>
> After a recompile and reboot, I create the following rule for a winXP workstation on my LAN:
>
> iptables -t nat -A POSTROUTING -s 192.168.12.19 -j SNAT --to 64.119.104.135
>
> I then verify connectivity on the winXP box via the ping command and subsequent web browsing; all of which succeed. I then attempt to use the VPN adapter in Network places and it appears to work, however it gets stuck at 'Verifying username/password' (the l/p is correct btw).
>
> I go on the linux firewall and open up tcpdump, where I am getting the following:
>
> my.ext.addr.1081 > remote.vpn.server.1723: tcp 0 (DF)
> remote.vpn.server.1723 > my.ext.addr.1081: tcp 0
> my.ext.addr.1081 > remote.vpn.server.1723: tcp 156 (DF)
> remote.vpn.server.1723 > my.ext.addr.1081: tcp 156
> my.ext.addr.1081 > remote.vpn.server.1723: tcp 168 (DF)
> remote.vpn.server.1723 > my.ext.addr.1081: tcp 32
> remote.vpn.server > my.ext.addr: gre-proto-0x880B (gre encap)
> my.ext.addr > remote.vpn.server: icmp: my.ext.addr protocol 47 unreachable
>
> I have a feeling the pptp/gre support does not like being built in as opposed to modular, so I recompile them as modules and attempt again. With the same rules and the following loaded as modules:
>
> Module                  Size  Used by
> ip_nat_proto_gre        1248   0 (unused)
> ip_conntrack_pptp       2352   1 (autoclean)
> ip_nat_pptp             1712   0 (unused)
> ip_conntrack_proto_gre  1952   0 [ip_conntrack_pptp ip_nat_pptp]
>
> I again try to establish a vpn connection .. and again I get the same protocol 47 unreachable messages. Any ideas ?
Re: How to use apache redirect with Iptables
On Wednesday 15 May 2002 4:04 pm, Nir Cohen wrote:

> Hello All
>
> I configure Iptables with 3 cards: external, lan and dmz. I have 2 http servers in the dmz. Packets that come in to port 80 I am DNATing to a web server in the DMZ. I try to do an apache redirect from this web server (in the httpd.conf - redirect option Redirect / http://192.168.1.3) to another web server in this segment but it is not working.

You must make sure that the redirect points to the *public* address of the other webserver, otherwise people will be contacting PublicServerA, which redirects them to PrivateServerB, and they can't route to a private address, so it fails. If ServerA redirects them to PublicServerB then that is the second connection their browser will make and they will be able to connect.

Antony.
RE: a discussion starter i hope.
Hi Alan,

> Now behind the firewall are 2 separate servers, each running a web service and each running on port 80.
>
> 1) The question is, with only 1 real world address available to you, what suggestions do you guys have as to the configuration required to make both web servers available on the Internet ? So that incoming port 80 requests on the firewall public interface go to the correct server.

If you are solely interested in distributing http requests from a single access point I would suggest running apache as a reverse proxy on your firewall. This way http requests for different domains can be directed to different internal (or external) web servers. Optionally this could be done on layer 4 with DNAT, by rewriting the destination of packets and perhaps adding a user level program to direct packets, but I am less knowledgeable about the implementation of such a setup.

Here is a simple example of a reverse proxy apache configuration.

<VirtualHost *:80>
    DocumentRoot /usr/local/apache/htdocs/server.tld
    ServerName public.server.tld

    # Rewrite URL to back-end server URL
    RewriteEngine on
    RewriteLog logs/proxy_rewrite
    RewriteLogLevel 0
    RewriteRule ^/(.*)$ http://www1.server.internal/$1 [P]

    # Reverse Proxy the requested URL
    ProxyRequests on
    ProxyVia on
    ProxyPassReverse / http://www1.server.internal/
</VirtualHost>
dnat problem
hello all, this is my first time posting to this board. i am having trouble with my iptables rules. my configuration consists of a linux router as the main network gateway and firewall providing NAT and ipsec. i have compiled kernel 2.4.17 with freeS/WAN version 1.91. i have a source nat rule set up so my non-routable addresses can use the gateway to reach the internet. i did not use the MASQUERADE target. here is my Source nat rule:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to w.x.y.z

I also have some destination nat rules set up.

iptables -t nat -A PREROUTING -d w.x.y.a -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.48

There are about 5 additional dnat rules that are basically the same so I won't list them. the problem i am having is that the internal private subnet (192.168.1.0/24) on my network is unable to bring up sites that have been set up using dnat rules. external users have no problem viewing the sites i have set up dnat rules for. any help would be greatly appreciated. thanks

--- Ollie Gallardo
Re: can iptables do this?
Thank you all for your time, I'll have to squeeze hard my brain to solve it. Just one more question: I've heard that there is a Cisco system (just one machine that solves the whole problem?) that allows all that thing. Anybody knows it? Thanks again. Edu
Complex multi-homed/NAT setup
Hi, I have the following setup:

external_net_1 \
                firewall --- internal_net
external_net_2 /

the machine on the internal_net only has one IP address (in this case 193.72.186.6, could be e.g. 192.168.x.x), but must be reachable from the outside as: 62.2.159.14 and 194.38.85.209. The firewall has addresses 62.2.159.15, 194.38.85.206 and 193.72.186.15 (again, this one could have been 192.168.x.x).

[ http://www-internal.alphanet.ch/~schaefer/nf_firewall/firewall.eps for the graphical version ]

The machine on the internal_net cannot do any special tricks. She must receive all packets to 193.72.186.6 (the from can be an external address). Now, the firewall must remember what was the incoming address (62.2.159.14 or 194.38.85.209) and re-NAT it accordingly when it goes out, and send it on the correct outgoing interface.

So far I have problems making the SECOND thing work (ie it works for 62.2.159.14, but not for the other: the address is correctly NATed according to tcpdump -i external_net_2 -n, but does not ever reach the inside).

You can look at the scripts and graphics at: http://www-internal.alphanet.ch/~schaefer/nf_firewall/ if you have any idea or hint please do :) I will try to debug this more, but I wanted to know if what I wanted is at all possible. thanks for any idea.
DNAT and udp
hi, i'm trying to do some DNATing and i'm having some trouble. The particular problem exists only for a udp port. The port is 3283. It's for apple's remote desktop. i've got DNATs set up for appletalk and other protocols over tcp. They work fine. But when i try to connect to this port, i see the following logged.

May 23 12:41:31 one kernel: IN= OUT=eth0 SRC=192.168.0.4 DST=64.229.137.72 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=6476 PROTO=UDP SPT=3283 DPT=3283 LEN=46
May 23 12:41:41 one kernel: IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.181.3 LEN=33 TOS=0x00 PREC=0x00 TTL=63 ID=6486 PROTO=UDP SPT=3283 DPT=3283 LEN=13

My question is why do i see the 192.168.181.3 address, which is what is supposed to be DNATed. Obviously my machine cannot get to it. The logs for the other tcp ports show only the first line and the connection works. Anyway, here is the rule i have.

/sbin/iptables -A PREROUTING -t nat -i ppp0 -p udp --dport 3283 -j DNAT --to 192.168.181.3:3283

i appreciate any thoughts that anyone has.

~darcy w. christ
1000camels in a courtyard
Autoloading h323 module
Hi, I am trying to autoload via kmod some modules from iptables, specifically ip_conntrack_h323.o. I can load it manually, but to do it automatically I need to have the correct info. in my /etc/modules.rc file. If anyone else uses this method of module loading and can help me with my options I would be very grateful. The rest of iptables seems to load OK without any options in my modules.conf file which makes me think I might be using the module wrongly. I simply expect it to autoload when an h323 connection is made. In my rules I just use:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Someone please correct me if this is not the case. The modules which I have loaded are:

ipt_state
ip_conntrack
iptable_filter
ip_tables

I have checked the files in the source, the FAQ's and archives but can't find anything on how to do this. I also saw someone else with the same trouble, but their question went unanswered. Many thanks for any help, Jmc.
Current CVS version doesn't compile
iptables-1.2.6a-cvs020520:

cc -O2 -Wall -Wunused -I/usr/src/linux/include -Iinclude/ -DNETFILTER_VERSION=\"1.2.7\" -fPIC -o extensions/libipt_REJECT_sh.o -c extensions/libipt_REJECT.c
extensions/libipt_REJECT.c: In function `init':
extensions/libipt_REJECT.c:92: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c: In function `parse':
extensions/libipt_REJECT.c:128: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:143: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c: In function `print':
extensions/libipt_REJECT.c:173: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:174: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:174: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:174: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:174: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c: In function `save':
extensions/libipt_REJECT.c:189: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:190: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:190: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:190: structure has no member named `fake_source_address'
extensions/libipt_REJECT.c:190: structure has no member named `fake_source_address'
make: *** [extensions/libipt_REJECT_sh.o] Error 1

Taka
Weird behavior on simple -j MASQUERADE
Hi

I made a complex firewall script that had very strange problems. I took plenty of time trying to find out what was wrong until I found that even this simple script (that is said to be working in the NAT-HOWTO on the netfilter website) had the same problems:

# Begin script
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# End script

These are the strange behaviors:
- Can access some http websites (www.lemonde.fr www.google.com ...)
- Can't access some http websites (www.yahoo.fr www.meteo-france.fr ..)
- Some apps that were working under a firewall under ipchains (the roaring penguin ADSL firewall script) do not work any more.

I tried a simple telnet www.yahoo.fr 80 to see what was wrong, the connection was accepted, I typed GET and I received the HTML code up to the closing </html>, but it didn't close the connection as they did for the working website. A friend told me that it could be the websites with cookies that are involved in the problem.

My config:
Firewall:
Processor: 486 DX 33 (is it enough ?)
Connection type: ADSL (France telecom, modem ECI) on ppp0
Kernel: Linux 2.4.18 + patch-o-matic 1.2.6a
IPtable ver: 1.2.6a
LAN device: NE2000 (10BASET) compatible device on eth0
LAN computer: Linux or win2000, with bigger config than Firewall, connected on a 100 Mbits network device.
DNS are those of the provider or an internal DNS. (that doesn't change anything to my problems)

I would appreciate a quick help. I'm quite new to firewalls and iptables, so even if you haven't the solution, i'll be glad to learn more. Do not hesitate to answer if you have something in mind.

Valentin LAB
mail : vaab at wanadoo.fr
Web browser proxy settings
I am using iptables-1.2, kernel 2.4 and Squid-2.3.STABLE4 on Red Hat 7.1. A static IP a.b.c.d, an Aztech DSL router having a private IP 192.168.1.1, a gateway 192.168.1.7, squid running on eth0 192.168.1.7 and the external IP a.b.c.d on eth1. I want to set up nat in iptables and squid for a transparent proxy.

My problem is: I want to configure my private clients so that they can access the net without changing the proxy settings in their web browsers. Please give me details on how it can be done.

Eagerly awaiting your reply,
Parvatam Venkata Jagannadha Rao [EMAIL PROTECTED]
strange behaviour with DNAT
Hi,

I'm still having trouble trying to DNAT for UDP. Below is a tcpdump while trying to connect. I wanted to present this to the list and see if anyone knows why my server machine would be trying to communicate directly with the masq'd machine. To me, that is a problem since 192.168.1.3 is internal to another network and there is no way that H86.C247.tor.velocet.net can communicate directly with 192.168.1.3.

H86.C247.tor.velocet.net = server
HSE-Ottawa-ppp158027.sympatico.ca = client gateway (where the DNAT rule is)
192.168.1.3 = internal masq'd IP

[root@one root]# tcpdump | grep 3283
tcpdump: listening on eth0
13:08:06.727269 H86.C247.tor.velocet.net.3283 > HSE-Ottawa-ppp158027.sympatico.ca.3283: udp 38
13:08:06.769878 HSE-Ottawa-ppp158027.sympatico.ca.3283 > H86.C247.tor.velocet.net.3283: udp 8 (DF)
13:08:06.774276 H86.C247.tor.velocet.net.3283 > HSE-Ottawa-ppp158027.sympatico.ca.3283: udp 6
13:08:06.816271 HSE-Ottawa-ppp158027.sympatico.ca.3283 > H86.C247.tor.velocet.net.3283: udp 12 (DF)
13:08:06.825569 H86.C247.tor.velocet.net.3283 > HSE-Ottawa-ppp158027.sympatico.ca.3283: udp 72
13:08:06.874428 HSE-Ottawa-ppp158027.sympatico.ca.3283 > H86.C247.tor.velocet.net.3283: udp 62 (DF)
13:08:06.891537 H86.C247.tor.velocet.net.3283 > 192.168.1.3.3283: udp 5
13:08:08.499730 H86.C247.tor.velocet.net.3283 > 192.168.1.3.3283: udp 5
13:08:11.940161 H86.C247.tor.velocet.net.3283 > 192.168.1.3.3283: udp 5
13:08:17.115976 H86.C247.tor.velocet.net.3283 > 192.168.1.3.3283: udp 5

My rules for the DNAT are:

/sbin/iptables -I PREROUTING -t nat -p udp --dport 3283 -i ppp0 -j DNAT --to 192.168.1.3
/sbin/iptables -I FORWARD -p udp -d 192.168.1.3 --dport 3283 -j ACCEPT

Any thoughts on the problem?
[PATCH] ipchains bugs in 2.2/2.4/2.5 related to netlink calls
Hi there!

oom-loop fixes error handling after a netlink failure: it does not do a cleanup, and it makes every next call to ip_fw_check detect a loop and drop the packet.

nlma fixes a call to netlink_broadcast with GFP_KERNEL (passed to skb_clone) while we are in_interrupt() (caught by a BUG() in slab.c:1109).

The 2.4 patches apply to 2.5 too, tested on 2.5.15.

--
Best regards,
Alexander Atanasov

--- net/ipv4/netfilter/ipchains_core.c.orig Fri May 24 19:27:01 2002 +++ net/ipv4/netfilter/ipchains_core.c Fri May 24 19:31:24 2002 -723,6 +723,7 src_port, dst_port, count, tcpsyn)) { ret = FW_BLOCK; + cleanup(chain, 0, slot); goto out; } break; --- net/ipv4/netfilter/ipchains_core.c.orig Fri May 24 19:27:01 2002 +++ net/ipv4/netfilter/ipchains_core.c Fri May 24 19:27:34 2002 -549,7 +549,7 strcpy(outskb-data+sizeof(__u32)*2, rif); memcpy(outskb-data+sizeof(__u32)*2+IFNAMSIZ, ip, len-(sizeof(__u32)*2+IFNAMSIZ)); - netlink_broadcast(ipfwsk, outskb, 0, ~0, GFP_KERNEL); + netlink_broadcast(ipfwsk, outskb, 0, ~0, GFP_ATOMIC); } else { #endif --- net/ipv4/ip_fw.c.orig Fri May 24 19:33:52 2002 +++ net/ipv4/ip_fw.cFri May 24 19:34:18 2002 -747,6 +747,7 src_port, dst_port, count, tcpsyn)) { ret = FW_BLOCK; + cleanup(chain, 0, slot); goto out; } break;
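Review bot: the added `cleanup(chain, 0, slot);` before `goto out` in the FW_BLOCK path of the first ipchains_core.c hunk covers only the one exit visible there; the cover note says a netlink failure leaves state that makes every later ip_fw_check call detect a loop, so any other early `goto out` in the same function that skips cleanup would keep the same failure. Please confirm this is the only such exit, and add a one-line comment at the call saying that the slot was already claimed and must be released here, so the next reader does not remove it as redundant with the normal path.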
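Review bot: in the second hunk, changing `netlink_broadcast(ipfwsk, outskb, 0, ~0, GFP_KERNEL)` to GFP_ATOMIC is the right fix for the in_interrupt() BUG(), but GFP_ATOMIC allocations fail more readily under memory pressure and the return value of netlink_broadcast is still discarded in this hunk. Since the cover note says a netlink failure is exactly what triggers the loop-detection drop the first hunk addresses, either check the return value here or add a comment stating that failure is tolerated and handled by the FW_BLOCK path in the caller.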
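Review bot: the third hunk applies the same one-line `cleanup(chain, 0, slot);` addition to the 2.2 copy in net/ipv4/ip_fw.c, but the cover note only reports testing on 2.5.15; please state whether the 2.2 tree was at least built with this change, and note in the description that the identical fix now lives in two files so that later changes to the FW_BLOCK path are kept in sync.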
Re: How to drop traffic Kazza and AudioGalaxy Ports?
You have to block port 1214 on the FORWARD chain for Kazaa, and my guess would be to block the AudioGalaxy servers' IPs on the FORWARD chain, since AudioGalaxy just uses the standard HTTP port 80 and FTP port 2120 for transfers and the front end.

Carlos Horacio Silva Elizondo wrote:

Hello, does anybody know how to drop the ports of Kazaa and AudioGalaxy using iptables? I want to restrict the whole internal network from using these programs.

eth0 External Network
eth1 Internal Network

Running SuSE 7.3, kernel 2.4.-10

Thanks!

Informatica y Redes, S.A. de C.V.
Corregidora 711 y 714 Norte
Linares, N.L., CP.67700
Tels. (821) 2124600, 2127080, 2120198
www.linaresonline.com http://www.linaresonline.com/
Technology at Your Service!

--
Robert Botha
jabber: [EMAIL PROTECTED]
#include <witty_taglines.h>
void main() { printf("%s\n", witty()); }
Re: Weird behavior for -j MASQUERADE, please help ! :)
On Sat, May 25, 2002 at 04:39:18PM +0200, Valentin LAB wrote:

Well, I've found the solution. It's in the forgotten PPPoE manual for kernel mode in 2.4.x (I found it in Google's cache; it had disappeared from the referenced link). Fortunately, it is documented in the (recent) iptables manpage... It links to this page: http://www.hgfelger.de/mss/mss.html, which is quite interesting to read when you have an ADSL modem and you have problems like those mentioned above with the kernel-mode PPPoE driver. It tells you to add only one line to the firewall script:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

If this isn't magic, I'm a toaster :)) This works really fine for me now. Could somebody comment on this line for my education? (Or give a quick link to explain it, or give the state of the art on the TCPMSS target.)

Isn't the manpage explanation sufficient?

RV
--
Hervé Eychenne
WallFire project: http://www.wallfire.org/
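A Python model of what the rule above does, added here as an example (it is not part of Hervé's reply or of the netfilter sources): a PPPoE link carries at most 1492-byte IP packets (1500 minus the 8-byte PPPoE header). A LAN host advertising a 1460-byte MSS invites the remote end to send 1500-byte segments that do not fit, and if the ICMP fragmentation-needed message is lost or filtered, the transfer stalls after the first full-sized segment, which is the "page loads partway and hangs" symptom. The rule rewrites the MSS option on every SYN (SYN set, RST clear) forwarded by the router so that it never exceeds the path MTU minus the 40 bytes of IP and TCP headers. The packet bytes below are constructed for the example; the 1492 PMTU is an assumption for the PPPoE case, and the checksum fix-up the kernel target performs is left out.

```python
import struct

IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
PPPOE_PMTU = 1492     # assumed: Ethernet 1500 minus the 8-byte PPPoE header


def parse_tcp_options(opts):
    """Yield (kind, offset, data) for each option in a TCP option block."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            return
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        yield kind, i, opts[i + 2:i + length]
        i += length


def clamp_mss(tcp_header, pmtu):
    """Return a copy of tcp_header whose MSS option is at most pmtu - 40.

    Only segments with SYN set and RST clear are touched, mirroring the
    rule's "--tcp-flags SYN,RST SYN" match. The TCP checksum is not
    recomputed here; the kernel target does that."""
    if len(tcp_header) < 20:
        raise ValueError("short TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    flags = tcp_header[13]
    syn, rst = flags & 0x02, flags & 0x04
    if not syn or rst:
        return bytes(tcp_header)
    hdr = bytearray(tcp_header)
    limit = pmtu - IP_TCP_HEADERS
    for kind, off, data in parse_tcp_options(bytes(hdr[20:data_offset])):
        if kind == 2 and len(data) == 2:   # kind 2 = Maximum Segment Size
            mss = struct.unpack("!H", data)[0]
            if mss > limit:
                hdr[20 + off + 2:20 + off + 4] = struct.pack("!H", limit)
    return bytes(hdr)


def mss_of(tcp_header):
    """The MSS advertised in a segment, or None if the option is absent."""
    data_offset = (tcp_header[12] >> 4) * 4
    for kind, _, data in parse_tcp_options(bytes(tcp_header[20:data_offset])):
        if kind == 2:
            return struct.unpack("!H", data)[0]
    return None


def build_syn(mss, flags=0x02):
    """Constructed segment from port 40000 to 80 carrying MSS, NOP, NOP, SACK-permitted."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       data_offset << 4, flags, 65535, 0, 0) + opts


if __name__ == "__main__":
    syn = build_syn(1460)          # what a host on plain Ethernet advertises
    print(mss_of(syn), "->", mss_of(clamp_mss(syn, PPPOE_PMTU)))   # 1460 -> 1452
```

Because the clamp only touches SYNs, it costs nothing on the data path, and it fixes the problem for hosts on both sides of the router at once: the LAN host's advertised MSS is lowered on the way out, and the remote host's advertised MSS is lowered in its SYN/ACK on the way in.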
local NAT of connections conflicts with ftp conntrack?
I enabled local NATting of connections in the kernel so that I can do transparent proxying from the local host itself running squid, and I only use these two rules in the new OUTPUT chain of the nat table:

# transparent proxy for localhost
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

Now the problem that I have is that when the box itself tries to FTP to the outside world, it just hangs as soon as it does the PORT command. Then in syslog I see a couple of these messages:

ip_conntrack: max number of expected connections 1 of ftp reached for hidden ip-hidden ip, reusing

Is there any way I could configure iptables to not use FTP conntrack for the local NAT, or is this a bug? I'm using kernel 2.4.19-pre7 with the newnat patch applied and h323, but no other patches. iptables userspace 1.2.6a. My POSTROUTING chain of nat contains a typical SNAT setting to let my internal machines access the Internet. That machine running squid/iptables has direct access to the Internet and is also a machine that I use for working on. I provide access to my laptop from it on a 2nd interface. I have not tested with other plugins, so I'm wondering if it might do the same thing for IRC conntrack.

Thanks
Re: Accuracy of packet counting?
Harald Welte wrote:

On Fri, May 17, 2002 at 08:39:39AM +1000, John Holman wrote:

My question: Is there ANY reason to suppose that the ACCOUNTING total is not an accurate count of all IP traffic into and out of eth0?

Yes, since you only count locally-generated and locally-targeted traffic, not the traffic forwarded by your machine. Use your accounting rules in the mangle table (PREROUTING and POSTROUTING) to cover all traffic.

Thank you for that, Harald, it was a RTFM problem :( [I eventually managed to work out the reason for the discrepancies by myself, by checking against a detailed traffic report supplied by my ISP.]

--
Best regards,
John Holman
Eastax WWW
Melbourne, Australia
H323 patch, 2.4.18 problem - read error: Is a directory
I am having trouble applying the H323 patch to the 2.4.18 kernel source. Is H323 built into any development kernels at www.kernel.org? I used the following process:

[starting with a working 2.4.18 kernel]
/usr/src
  freeswan-snap2002may7d -> /usr/local/src/freeswan-snap2002may7d/
  linux -> /usr/local/src/linux
  netfilter -> /usr/local/src/netfilter/

cd /usr/src
cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login
cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot co netfilter
cd netfilter/userspace/patch-o-matic
export KERNEL_DIR=/usr/src/linux
./runme
./runme newnat

Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
---
Testing...
Need directory and patch.
The newnat/newnat newnat patch:
- Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?] t
Testing patch newnat...
patch: read error : Is a directory
Failed to patch copy of /usr/src/linux
- Do you want to apply this patch [N/y/t/f/a/r/b/w/v/q/?]

Any input would be appreciated. If someone has a patched 2.4.18 kernel in source, that would also be helpful (but the real solution would be better).

Best regards,
-=[ Wylie Swanson .:[ DataMaersk, Inc.
router on a floppy or cdrom...
I'm getting ready to put together a distro on a floppy (or CD-ROM)... After poking around on the net I think this is the best place to start: http://leaf.sourceforge.net/devel/jnilo/

Anybody have comments or recommendations?

// George
--
GEORGE GEORGALIS, System Admin/Architect   cell: 347-451-8229
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.           http://www.galis.org/george
starcraft problems
Hey, this is a general question about getting a bunch of Windows boxes behind a masqueraded connection to play StarCraft on Battle.net. Battle.net uses a few TCP connections along with UDP port 6112 for each machine. For some reason I am getting incredible lag behind my NAT/firewall (slightly insecure at this point). Here are my rules:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -j ACCEPT
iptables -A block -j DROP
iptables -A INPUT -j block
iptables -A FORWARD -i ! eth0 -j block
iptables -t nat -I POSTROUTING -s 10.0.0.13 -p udp --dport 6112 -j SNAT --to-source 12.253.91.68:9001
iptables -t nat -I POSTROUTING -s 10.0.0.13 -p udp --sport 6112 -j SNAT --to-source 12.253.91.68:9001
iptables -t nat -I PREROUTING -p udp -d 12.253.91.68 --dport 9001 -j DNAT --to-destination 10.0.0.13:6112
iptables -t nat -I PREROUTING -p udp -d 12.253.91.68 --sport 6112 -j DNAT --to-destination 10.0.0.13:6112

I am trying to get the stuff to work for one computer (10.0.0.13) and then I will generalize. I don't think the UDP stuff is getting routed correctly; I don't exactly know why. If you do offhand, that would be the best information. If not, then: does the masquerade rule mess up the SNAT and DNAT stuff? What tools can I use to see what the router is sending out (I am not sure the UDP packets are getting changed according to the rules)?

Thanks,
Chris
Needing some help to check iptables configuration
Hi there,

I did set up a classical Linux firewall box with two private IP segments, one for the intranet (192.168.1.0/24), the other one for the DMZ (10.0.0.0/8). Please find my firewall script below (I've deleted the IP addresses for security purposes, but that's not very important for understanding it, is it? Sorry for the French comments, nobody is perfect :) ):

___
# Firewall configuration

# Variables ###
# Local
LO_IFACE=lo
# Internet
NET_IFACE=eth1
IP_NET=*ip address of the box*
# Intranet
TRA_IFACE=eth0
IP_TRA=192.168.1.1
TRA_LAN=192.168.1.0/24
# DMZ
DMZ_IFACE=eth2
IP_DMZ=10.0.0.1
DMZ_LAN=10.0.0.0/8

# Flush the existing tables ###
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Allow passive FTP mode ###
/sbin/insmod -s ip_conntrack_ftp
/sbin/insmod -s ip_nat_ftp

# System options ###
# Enable forwarding (needed for NAT)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Ignore ICMP echo broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# The firewall no longer answers ping and traceroutes are no longer routed
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Do not accept source-routed packets (0 refuses them; 1 would accept them)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Protect against IP spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets carrying impossible addresses
echo 1 > /proc/sys/net/ipv4/conf/$NET_IFACE/log_martians

# Block all packets while the configuration is loading
# (except loopback) ###
iptables -A INPUT -i ! $LO_IFACE -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

# Create the chains ###
# ICMP chain
iptables -N ICMP
# Log-and-drop chain
iptables -N LOGDROP
# Intranet to Internet chain
iptables -N TRA_NET
# Internet to Intranet chain
iptables -N NET_TRA
# Intranet to DMZ chain
iptables -N TRA_DMZ
# DMZ to Intranet chain
iptables -N DMZ_TRA
# Internet to DMZ chain
iptables -N NET_DMZ
# DMZ to Internet chain
iptables -N DMZ_NET
# SSH client to firewall chain
iptables -N SSH_FW

# SSH access to the firewall from outside ###
iptables -A SSH_FW -p tcp --dport ssh -j ACCEPT
iptables -A SSH_FW -p udp --dport ssh -j ACCEPT

# ICMP chain rules ###
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -m limit --limit 15/minute -j LOG --log-prefix "Firewall_icmp: "
iptables -A ICMP -j DROP

# LOGDROP chain rules ###
iptables -A LOGDROP -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
iptables -A LOGDROP -j DROP

# TRA_NET chain rules (Intranet to Internet) ###
iptables -A TRA_NET -p icmp -j ICMP
iptables -A TRA_NET -p tcp --dport smtp -j ACCEPT      # smtp
iptables -A TRA_NET -p tcp --dport pop3 -j ACCEPT      # pop3
iptables -A TRA_NET -p tcp --dport http -j ACCEPT      # http
iptables -A TRA_NET -p udp --dport http -j ACCEPT      # http
iptables -A TRA_NET -p tcp --dport https -j ACCEPT     # https
iptables -A TRA_NET -p udp --dport https -j ACCEPT     # https
iptables -A TRA_NET -p tcp --dport ftp -j ACCEPT       # ftp
iptables -A TRA_NET -p udp --dport ftp -j ACCEPT       # ftp
iptables -A TRA_NET -p tcp --dport ftp-data -j ACCEPT  # ftp-data
iptables -A TRA_NET -p udp --dport ftp-data -j ACCEPT  # ftp-data
iptables -A TRA_NET -p tcp --dport domain -j ACCEPT    # dns
iptables -A TRA_NET -p udp --dport domain -j ACCEPT    # dns

# NET_TRA chain rules (Internet to Intranet) ###
# Log-and-drop rules
iptables -A NET_TRA -p tcp --tcp-flags ALL FIN,URG,PSH -j LOGDROP
iptables -A NET_TRA -p tcp --tcp-flags ALL ALL -j LOGDROP
iptables -A NET_TRA -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOGDROP
iptables -A NET_TRA -p tcp --tcp-flags ALL NONE -j LOGDROP
iptables -A NET_TRA -p tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP
iptables -A NET_TRA -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGDROP
iptables -A NET_TRA -p icmp -j LOGDROP

# TRA_DMZ chain rules (Intranet to DMZ) ###

# DMZ_TRA chain rules (DMZ to Intranet) ###
Re: Arbitrary Netmasks
Hi,

(removed netfilter-devel from the headers, this is not a development question)

Netfilter supports arbitrary netmasks for IP addresses, which is more powerful than just those IP/x (0 <= x <= 32) expressions. For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-). Are masks that cannot be expressed in the IP/x scheme (at least not in one rule) used in practice? Are they used at all in firewall rulesets?

They are used in practice. I have been using them with ipfwadm, and I am using them with iptables.

What I use them for is statistical multiplexing based on one or more of the low bits (but not the lowest!) of IP addresses. For example, I have a dual-processor system with two squid processes, and want to distribute a number of incoming clients evenly (and deterministically) over the two squid processes. For God-given reasons, under light load, the even client IPs are preferred over the odd client IPs. To get a good distribution for both light load and full load, I look at the second-lowest bit of the client IP address to determine where to REDIRECT to, like this:

iptables -t nat -A PREROUTING -s 0.0.0.0/0.0.0.2 -j REDIRECT --to-port 1234
iptables -t nat -A PREROUTING -s 0.0.0.2/0.0.0.2 -j REDIRECT --to-port 1235

Another real-world example I have seen in use in Cisco access-lists, where the noncontiguous mask works just like in iptables, is to pick out the same local IP in a range of subnets. Imagine you have a number of LANs with IP addresses 10.23.x.y/16, and y==1 is your default gateway in every LAN. Given 10.23.0.1/255.255.0.255, you have a single-rule expression for all gateways in my LANs, which is preferable (if you manage to keep to the scheme!) to a sequential list of rules, one per LAN.

best regards
Patrick
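An added example, not part of Patrick's reply: the address/mask test netfilter applies is a bitwise one, (packet & mask) == (rule & mask), so any 32-bit mask is legal even when it is not a prefix. The Python below reproduces the two REDIRECT rules and the 10.23.0.1/255.255.0.255 gateway match from the reply, plus a check for whether a mask could have been written as /n. Sample addresses are constructed; the squid ports 1234 and 1235 are the ones posted.

```python
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def mask_to_int(mask):
    """Accept a dotted mask (255.0.255.255) or a prefix length (24), as iptables does."""
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError("prefix length out of range")
        return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ip_to_int(mask)


def matches(packet_ip, rule):
    """netfilter's address test: (packet & mask) == (rule_addr & mask).

    rule is 'addr/mask' in iptables syntax; a bare address means /32."""
    addr, _, mask = rule.partition("/")
    m = mask_to_int(mask or "32")
    return (ip_to_int(packet_ip) & m) == (ip_to_int(addr) & m)


def is_contiguous(mask):
    """True when the mask could also have been written as /n."""
    inv = (~mask_to_int(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0            # the zero bits form one low-order run


def squid_port(client_ip):
    """The two PREROUTING rules from the reply: the second-lowest bit of the
    client address selects the squid instance (ports 1234 / 1235 as posted)."""
    if matches(client_ip, "0.0.0.0/0.0.0.2"):
        return 1234
    if matches(client_ip, "0.0.0.2/0.0.0.2"):
        return 1235
    raise AssertionError("one of the two rules always matches")


def default_gateways(hosts, rule="10.23.0.1/255.255.0.255"):
    """Single rule picking 10.23.z.1 in every 10.23.z.0/24 LAN."""
    return [h for h in hosts if matches(h, rule)]


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4"):
        print(ip, "->", squid_port(ip))
    print(default_gateways(["10.23.0.1", "10.23.5.1", "10.23.5.2", "10.24.0.1"]))
    print(is_contiguous("255.255.0.0"), is_contiguous("255.255.0.255"))
```

The bit test is why consecutive client addresses land on alternating pairs of instances (1234, 1234, 1235, 1235, ...) and why a single gateway rule can cover every subnet without listing them; the price is that such rules cannot be summarized by a routing-style prefix, so tools that only understand /n will misread them.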
Re: Can't block DHCP with iptables?
Derrik Pates touched on this earlier in the thread, but I'll try and clarify a bit.

The DHCP server of the ISC (Internet Software Consortium, http://www.isc.org) uses a different type of network access in Linux, so to speak. Normally, when programs need network access, they open up an Internet socket of the correct protocol (TCP/UDP), which gets any packets destined for it and can send packets after the kernel has applied all iptables rules to them. So if you have a policy of DROP/REJECT, or you have a rule that matches a packet to/from this socket that DROP/REJECTs it, the socket will not receive or be able to send that packet.

However, the ISC DHCP server uses an Internet socket of protocol Raw instead of TCP or UDP. This facility, naturally, is only available to root (uid 0, really), and receives packets before the iptables processing. It also receives all Internet packet headers as well, so it gets to do additional processing. But because raw sockets get packets before the iptables processing, the ISC DHCP server is able to obtain an IP address through DHCP.

More information (possibly not in a useful state) can be found in the man pages for socket, ip, tcp, udp, http://nodevice.com/sections/ManIndex/man1275.html, and, of course, the source code.

On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:

Roar: You are absolutely right. I just tried on one of my machines. It still manages to get an IP and start up with ifup. I don't have an explanation for it. Time for the Guruz to chime in.
Stu..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roar Bjørgum Rotvik
Sent: May 27, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't block DHCP with iptables?

On Mon, 27 May 2002, Stewart Thompson wrote:

Normally the iptables script runs after the interfaces have been brought up by the system. By that time blocking DHCP is kind of irrelevant. A default policy of DROP should block everything all right, but it is kind of closing the barn door after the horse has left. Why not just set up the interface so it doesn't make a DHCP request? If there are special circumstances, you will have to give us some more details of what you are trying to accomplish.

I can see I didn't explain well enough. I'm on a local machine with interface eth0 down. I manually enter the iptables policy DROP for all three normal chains, and then start up interface eth0 with 'ifup eth0' (eth0 is configured with DHCP and ONBOOT=n). In this scenario, the policy DROP exists before the DHCP client starts up, but still the DHCP client manages to assign a new IP address. ifconfig shows that eth0 has been assigned a new IP address. ping or any network traffic after that does not work, as expected. What I want to accomplish is to block all network traffic in/out up until a certain point, and that includes DHCP.

--
Roar Bjørgum Rotvik

--
In a display of perverse brilliance, Carl the repairman mistakes a room humidifier for a mid-range computer but manages to tie it into the network anyway.
-- The 5th Wave

Evan Cofsky, The UNIX Man, [EMAIL PROTECTED]
Re: Arbitrary Netmasks
On Tuesday 28 May 2002 15:18, Thomas Heinz wrote:

Netfilter supports arbitrary netmasks for IP addresses, which is more powerful than just those IP/x (0 <= x <= 32) expressions. For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work ;-).

Yes, this is the fastest method when matching filter expressions.

Are masks that cannot be expressed in the IP/x scheme (at least not in one rule) used in practice? Are they used at all in firewall rulesets?

Not in real-life networks, but such masks are useful in certain types of expressions, for example load balancing based on destination, or as wildcard matches for matching all your routers / servers / whatever, assuming you have a well-structured addressing scheme in your own networks.

Regards
Henrik
Re: Can't block DHCP with iptables?
Roar Bjørgum Rotvik [EMAIL PROTECTED] writes:

In this scenario, the policy DROP exists before the DHCP client starts up, but still the DHCP client manages to assign a new IP address. ifconfig shows that eth0 has been assigned a new IP address. ping or any network traffic after that does not work, as expected. What I want to accomplish is to block all network traffic in/out up until a certain point, and that includes DHCP.

iptables only deals with IP packets. DHCP clients don't use the IP stack, but use raw sockets to talk directly to the network interface. Very simplified, what you have is this:

eth0 ---+--- iptables  ---> IP stack
        |    filtering
        |
        +--- Raw socket ---> DHCP client

/Marcus
--
Marcus Sundberg [EMAIL PROTECTED]        | Firewalls with SIP NAT
Firewall Developer, Ingate Systems AB  | http://www.ingate.com/
Re: Arbitrary Netmasks
I've always wondered about the concept of using weird netmasks on private internal networks, just to thoroughly confuse anyone who actually breaks into them (obscurity isn't security by itself, but any little bit you can add on, and anything you can do that will break standard tools...). Never had a chance to actually implement it however :-)

I think this weird netmask could have a very simple explanation in bigger firms. Example: a firm with 2 floors and 4 subunits; each subunit has a router with 100 Mbit, and they were numbered serially when they were created.

1st floor   10.0.0.0/16   10.2.0.0/24
2nd floor   10.1.0.0/16   10.3.0.0/24

Now the 100 Mbit backbone is replaced with fibre optic and one router per floor, and the admin is too lazy to renumber 2 whole units. This is a simple example, but I think it comes from this direction: it is sometimes easier to use a weird netmask instead of two or more routing entries, and aggregation wasn't a choice because of the change time.

Cu
Thomas
Filtering in POSTROUTING
Hi all,

I am trying to use iptables as a firewall. Now I want to filter the packets which are masqueraded. In one of the tutorials it is written that filtering is not done in the POSTROUTING chain, since certain packets will bypass the chain. Then where do I filter the network traffic from the internal network to the outside?

regards
Blesson Paul
Re: which rule is right? HUH??
I noticed this message and a couple of others from this list when clearing out my spam folder. If you are writing in Latin script, why in the name of are you setting ks_c_5601-1987 as your charset?!? If you use a Korean charset no-one will see your messages. If you are Korean (this guy is in Canada), and assuming you want to send your message in English, please set a charset appropriate to the script you are using, that is, US-ASCII or ISO-8859-1.

Hi:

You are halfway there. Rule 1 is OK. However you need to change rule 2.

Rule 1 means: if a packet is received from the desired IP destined for the external IP for telnet, DNAT it to the internal telnet server address. However the packet is still sitting at the external interface.

Rule 2 means: if there is a packet from the desired IP to the internal telnet server, then forward it.

You will also need a rule to allow the internal traffic out if it isn't already in your script. I normally specify the interfaces in the rules as well. Try to make your rules as specific as possible. Set your default policy to DROP first thing. Then open up things as required with specific rules.

I removed the ip:23 from your DNAT rule. It is OK, but is only required if you are actually changing the destination port. Below 1024 iptables shouldn't change the destination port.

Stu.

1. PREROUTING chain
iptables -t nat -A PREROUTING -p tcp -s 10.0.0.1/24 --sport 1024:65535 -d 211.1.1.1 --dport 23 -j DNAT --to 192.168.1.2

2. FORWARD chain
iptables -A FORWARD -p tcp -s 10.0.0.1/24 --sport 1024:65535 -d 192.168.1.2 --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT

Which is right? Or are both right? Thanks a lot.
Re: DROP vs. REJECT vs. MIRROR
On Saturday 18 May 2002 6:11 am, John T. Guthrie wrote:

Hello all, please pardon me if this is answered elsewhere. I have tried looking through all of the documentation, but I am still left wondering what are the advantages/disadvantages of the DROP, REJECT, and MIRROR targets? I know what they do, but I'm not quite certain as to what are some of the situations when I would want to use each. (I know that this may fall more under the heading of site policy. I'm more interested in examples of why people chose what they did.) I am especially interested in examples of the MIRROR target.

Basically:

You DROP packets when you don't want the sender to get anything back (i.e. as far as they're concerned, there wasn't a machine waiting to receive them on that IP address). It's by far best if you can make sure you DROP *all* packets which are not being routed by your firewall (and of course you don't run any services *on* the firewall, do you :-) so that the machine is invisible on the net; if you DROP some, and ACCEPT or REJECT some, then a program such as nmap will know there's something there which is actively DROPping things.

You REJECT packets when you want the sender to get a connection reset, which will make their client respond much more quickly with "connection lost" or some such, i.e. you don't want them to be waiting around for a long time whilst the TCP connection times out.

My recommendation for choosing between these two is to DROP packets from the outside (people you don't know and don't have any incentive to be nice to), and REJECT packets coming from the inside (people on your local network who you presumably want to get a quick and efficient response that the connection cannot be made).

I've never used MIRROR, and although it can sound quite cool, you should be careful about using it, as it is pretty aggressive. Basically anything which comes in will be sent back to the source IP address, so someone port scanning you will actually end up port scanning themselves.
The main problem is when they port scan you with spoofed source addresses mixed in, and you end up scanning someone else's system, who may (a) not like it, or (b) block access from your network address/es. Like you, I'd be interested to hear of anyone using MIRROR for good reasons. Antony.
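A small Python model of what a SYN scanner learns from each of the three targets, added here as an example (it is not part of Antony's reply): DROP answers nothing, REJECT answers with a TCP RST (as modelled here, which is what --reject-with tcp-reset sends; the plain REJECT default is an ICMP port-unreachable, which nmap reports as filtered rather than closed but which still proves a host is there), and MIRROR swaps source and destination and sends the probe back to whatever address it claimed to come from. Addresses, ports and the firewall policies are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    src: str            # claimed source address (may be spoofed)
    dst: str
    dport: int


@dataclass(frozen=True)
class Reply:
    to: str             # address the firewall sends the reply to
    kind: str           # "SYN/ACK", "RST" or "PROBE" (the probe bounced back)


def firewall(policy, open_ports, probe):
    """policy maps a port to ACCEPT, DROP, REJECT or MIRROR; '*' is the default.

    ACCEPT hands the probe to the host, which answers SYN/ACK or RST itself;
    REJECT is modelled as --reject-with tcp-reset; DROP sends nothing."""
    target = policy.get(probe.dport, policy.get("*", "DROP"))
    if target == "ACCEPT":
        return Reply(probe.src, "SYN/ACK" if probe.dport in open_ports else "RST")
    if target == "REJECT":
        return Reply(probe.src, "RST")
    if target == "MIRROR":
        return Reply(probe.src, "PROBE")    # goes wherever src claims to be
    return None                             # DROP: nothing leaves the box


def scan(policy, open_ports, scanner, target, ports):
    """Classify each port the way a SYN scanner infers it from the answer."""
    states = {}
    for port in ports:
        reply = firewall(policy, open_ports, Probe(scanner, target, port))
        if reply is None:
            states[port] = "filtered"      # the scanner waits out a timeout
        elif reply.kind == "SYN/ACK":
            states[port] = "open"
        elif reply.kind == "RST":
            states[port] = "closed"        # answered at once
        else:
            states[port] = "reflected"     # MIRROR: the scanner scanned itself
    return states


def host_visible(states):
    """Any answer at all proves there is a live host behind the address."""
    return any(s != "filtered" for s in states.values())


def mirror_collateral(policy, spoofed_src, target, port):
    """Where a MIRROR reply to a probe with a forged source ends up."""
    reply = firewall(policy, set(), Probe(spoofed_src, target, port))
    return reply.to if reply else None


if __name__ == "__main__":
    ports = [22, 25, 80, 443]
    print(scan({"*": "DROP"}, set(), "198.51.100.7", "203.0.113.1", ports))
    print(scan({22: "ACCEPT", "*": "DROP"}, {22}, "198.51.100.7", "203.0.113.1", ports))
    print(scan({"*": "REJECT"}, set(), "192.168.1.5", "192.168.1.1", ports))
    print(mirror_collateral({"*": "MIRROR"}, "192.0.2.9", "203.0.113.1", 80))
```

The all-DROP policy is the only one under which every port reads the same and the host stays invisible; opening or rejecting even one port gives the scanner a reference answer against which the silent ports stand out. The last call shows the MIRROR hazard from the reply: a probe forged with 192.0.2.9 as its source is bounced to 192.0.2.9, not to the real scanner.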
Re: ip_conntrack cleanup
On Tuesday 21 May 2002 8:33 am, Wojciech Sobola wrote:

Hello, I've been using ipt 1.2.6a for 2 months. There seems to be a problem in /proc/net/ip_conntrack. I have chains here that can't be cleared out. Example:

tcp 6 321156 ESTABLISHED src=63.218.135.142 dst=62.xx.x.44 sport=63920 dport=80 [UNREPLIED] src=192.168.101.2 dst=63.218.135.142 sport=80 dport=63920 use=1

Such a table can stay even 2 or 3 days.

The standard TCP timeout on an ESTABLISHED connection is 5 days. I have no idea why this was once thought to be a good idea, but it is now in the standards. You could change it and recompile your kernel if you want, but this is the reason you are seeing these connections for 2 or 3 days: they're not even halfway to timing out yet :-)

Also, once a connection is in the conntrack table, you cannot get rid of it by doing anything at all to your netfilter rules. If you compiled modules you can remove and reinstall the ip_conntrack module, but if you use a monolithic kernel only a reboot will get these out of the table.

Antony.
A new documentation about Iptables HA with VRRP published (in english!)
Yes, finally published at: http://www.gnusec.com/resource/security-stuff/Guides%20and%20Documents/HAFirewallLinux-VRRP.pdf You can download it in Spanish... Regards, Sancho Lerena [EMAIL PROTECTED] GNU Security Networking http://www.gnusec.com
CVS built
Hello, I'm a newbie in netfilter hacking and I have to filter my packets with an external application. I think that I have to look around ip_queue. I have just checked out the CVS netfilter/usernamespace and netfilter/testsuite but I get an error building libipq. The error says: Francois : make Making dependencies: please wait... Something wrong... deleting dependencies. make: *** [/usr/src/linux/include/linux/netfilter_ipv4/ipt_dcsp.h] Error 1 I have a Linux 2.4.17 kernel source on a woody Debian Linux box. Any idea? Thanks in advance. François
Loose packets
Dear all, I have recently built a firewall for my home office. All seems well; it's fairly secure. One problem though: every time my Windows client sends a packet destined for my Linux box that is not destined for the Internet (say, for example, when I use PuTTY over SSH), PPPD dials up. I am pretty sure I need to set up a firewall rule to stop this, but I have tried several iptables rules, all to no avail. Any guidance is much appreciated. Ross
-m state ESTABLISHED, NEW etc...
Hi all, A TCP connection flows by this scenario. Can someone explain to me where the borders of the states ESTABLISHED and NEW lie?

1- SYN
2- SYN ACK
3- ACK connected
4- ACK
5- ACK
6- FIN
7- ACK
8- FIN
9- ACK closed

I think so: 1,2,3 NEW; 2,3,4,5,6,7,8,9 ESTABLISHED; 2,3,4,5,6,7,8,9 RELATED. Am I wrong? With these rules outgoing connections work, incoming connections do not work; this demonstrates 2,3,4,5,6,7,8,9 = ESTABLISHED:

iptables -A FORWARD -o eth_external -i eth_internal -p tcp -d x.x.x.x --dport x -j ACCEPT
iptables -A FORWARD -i eth_external -o eth_internal -p tcp -s x.x.x.x --sport x -m state --state ESTABLISHED -j ACCEPT
Re: sendto: Operation not permitted
On Thursday 30 May 2002 2:46 pm, [EMAIL PROTECTED] wrote: Antony, ever heard of TCP MTU Discovery? Er, yes, it's a mechanism whereby machines communicating by TCP find out the maximum size of packets which can be transmitted between them, across whatever underlying protocol connects them. Please read up on it and try again. What is the point you are trying to make? Antony.
Quick Question
Hello Everyone. I hope you all can help me, I'm sure you can (it seems like a pretty simple problem). I am setting up a Squid proxy server to run in transparent mode. To do this, I need to forward all port 80 and 443 traffic to Squid's port, 3128. Additionally, I would like all other traffic on all other ports to forward on to the router. I have found a script to forward port 80 to Squid (note: eth1 is my internal interface, eth0 is external):

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

I assume I can run the same line for 443:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128

However, what can I use to forward EVERYTHING that is not port 80 out of the eth0 interface, to our router (192.168.0.2)? I know it has something to do with --dport ! 80, but I can't figure it out. Thanks for your help. BTW, this is RedHat 7.2, if that makes any difference. Linux kernel 2.4.9-31. -mike
Mike Atlas, Senior System Engineer, Vista Innovation, 703.385.8362 (v), 703.385.3674 (f), www.vistainnovation.com
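What the transparent-proxy setup looks like in full, as an added example that is not from the thread or an answer posted to it. Two points it bakes in: REDIRECT of port 443 into Squid's http_port does not work, because that port speaks plain HTTP and the client is expecting a TLS handshake, so 443 is simply forwarded like everything else; and "everything that is not port 80" needs no nat rule at all, since packets that match nothing in PREROUTING are routed normally, which makes the missing piece a default route via the router plus permission in the FORWARD chain. Names assumed from Mike's post: eth1 internal, eth0 external, router 192.168.0.2, Squid on 3128; `ip` is the iproute2 tool. Setting IPT="echo iptables" IP="echo ip" gives a dry run.

```shell
#!/bin/sh
# Added example (not from the list thread): transparent Squid for HTTP only,
# everything else forwarded to the upstream router. Assumed: eth1 internal,
# eth0 external, router 192.168.0.2, Squid listening on 3128 on this box.
# IPT/IP are left unquoted so IPT="echo iptables" IP="echo ip" dry-runs.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
INT_IF="${INT_IF:-eth1}"
EXT_IF="${EXT_IF:-eth0}"
ROUTER="${ROUTER:-192.168.0.2}"
SQUID_PORT="${SQUID_PORT:-3128}"

setup_transparent_proxy() {
    # Intercept plain HTTP arriving from the LAN and hand it to Squid. This
    # happens before routing, so the client never notices the proxy.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

    # Deliberately no rule for 443: Squid's http_port cannot terminate TLS,
    # so a redirected HTTPS connection just fails in the browser. Leave it
    # (and all other ports) to the normal forwarding path.

    # Squid's own fetches originate locally and leave via OUTPUT/eth0, so
    # they are never caught by the PREROUTING rule above (no loop).

    # "Everything else to the router" is routing, not NAT: a default route,
    # plus FORWARD permission. ip_forward must also be 1 in
    # /proc/sys/net/ipv4/ip_forward for any of this to be forwarded.
    $IP route replace default via "$ROUTER" dev "$EXT_IF"
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Only touch the running system when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    setup_transparent_proxy
fi
```

Whether the firewall also needs `-t nat -A POSTROUTING -o eth0 -j MASQUERADE` depends on whether 192.168.0.2 already routes the LAN prefix; the post does not say, so it is left out here.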