Re: new to nft

2021-01-13 Thread Pascal Hambourg
On 13/01/2021 at 17:40, François Patte wrote: I begin to use nftables and wrote these rules: chain input { # handle 1     type filter hook input priority 0; policy drop;     ct state established,related accept # handle 4     ip saddr 192.168.1.0/24 accept # handle 5

Re: Mason Error

2016-05-22 Thread Pascal Hambourg
Ralph Sanchez wrote: > Mason is telling me my kernel doesn't support IPtable, Ipchains or the > third option...iptables is installed. Kernel version 3.16.?? (I > forget). Linux 2.6 and above does not support ipchains and ipfwadm. What does "iptables -L" report ?

Re: "ipfw fwd" command alternative in debian

2014-06-28 Thread Pascal Hambourg
Hello, M. V. wrote: > > I'm porting one of my FreeBSD programs into Debian. I wanted to > know if I can have an iptables rule (or use any other service) which > work exactly similar to "ipfw forward" command in FreeBSD. > "ipfw forward" just changes dst-port of the packet, and other > parame

Re: #How can I recover debian?

2014-05-16 Thread Pascal Hambourg
Hello, John ffitch wrote: > Sorry that this is off topic but I cannot find out where to ask What about the debian-user list ? -- To UNSUBSCRIBE, email to debian-firewall-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https

Re: Passive FTP problem with a change of IP address

2013-11-19 Thread Pascal Hambourg
Frédéric Massot wrote: > > I have not found EPSV setting in filezilla or in the ftp command line > (netkit-ftp). As an alternative to netkit-ftp, I use tnftp which supports extended passive and active modes. However the server software must also support them.

Re: Passive FTP problem with a change of IP address

2013-11-16 Thread Pascal Hambourg
Hello, Frédéric Massot wrote: > Hi, > > I have a firewall with iptables rules (kernel 3.10), until now I have > always been able to connect to FTP server in passive or active mode. > > Here are the rules I use: > > iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT >

Re: [iptables] drop or accept policy for outgoing connections.

2013-06-22 Thread Pascal Hambourg
Hello, Daniel Curtis wrote: > > I have a question about iptables and rules for OUTPUT > chain. If I have a typical desktop without any services > like SSH, Samba etc. it is better to use something like?; > > iptables -P DROP > iptables -A OUTPUT -o eth0 -j ACCEPT > > or it does not matter an

Re: iptables and INVALID packet filtering.

2013-05-08 Thread Pascal Hambourg
Matthew Babcock wrote: > On Thu, 2013-05-02 at 00:17 +0200, Pascal Hambourg wrote: >> Hello, >> >> Matthew Babcock wrote: >>> Please excuse the delayed response. >> No problem. >> >>> To answer your question, no I cannot, yet. >>>

Re: iptables and INVALID packet filtering.

2013-05-01 Thread Pascal Hambourg
Hello, Matthew Babcock wrote: > Please excuse the delayed response. No problem. > To answer your question, no I cannot, yet. > > However, I can demonstrate iptables following what the "state" be on UDP > packets using DNS. [...] > You should see as I do, that the UDP DNS request are logged

Re: iptables and INVALID packet filtering.

2013-04-05 Thread Pascal Hambourg
Matthew Babcock wrote: > > > I know iptables -A INPUT -m state --state INVALID -j DROP works well. > And it does pick out invalid (aka out of state) UDP packets. DNS is one > additional example. AFAIK, UDP packets cannot be in the INVALID state. Can you provide an example of a UDP DNS packet

Re: iptables and INVALID packet filtering.

2013-04-05 Thread Pascal Hambourg
Daniel Curtis wrote: > > So, it is better to use state module instead of conntrack, > when it comes to filter INVALID packets or it does not > matter, which module will be in use? What is your > opinion on this? It does not matter. The conntrack match has more options, but "-m conntrack --ctst

Re: iptables and INVALID packet filtering.

2013-04-04 Thread Pascal Hambourg
Hello, Daniel Curtis wrote: > > I would only ask about iptables (1.4.14-3.1) rule, which is responsible for > filtering INVALID packets. If I decide to use this rule; > >>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP Be aware that INVALID packets here means "packets in the INVAL

Re: Logging output UIDs.

2012-07-15 Thread Pascal Hambourg
[Reply CC'ed to the list] Sthu Deus wrote: > Good time of the day, Pascal. > > Thank You for Your time and important to me answer. > You wrote: > >> Is the UID missing for all packets or only for this one ? >> According to a quick test, it seems that the last ACK in a TCP >> connection does n

Re: Logging output UIDs.

2012-07-14 Thread Pascal Hambourg
Hello, Sthu Deus wrote: > > I try to get UIDs of the processes that generate OUTPUT traffic: > > /sbin/iptables -A OUTPUT -j LOG --log-uid --log-prefix OUTPT-> > --log-level 2 > > But I do not get the UIDs: > > OUTPT->IN= OUT=br0 SRC= DST= LEN=52 TOS=0x00 > PREC=0x00 TTL=64 ID=0 DF

Re: Alternate route for port 80

2012-07-08 Thread Pascal Hambourg
Pascal Hambourg wrote: > > 2) You may need to disable/soften source validation on the VPN interface > (i.e. max(net.ipv4.conf.all.rp_filter,net.ipv4.conf.all.rp_filter)=0 or > 2, but not 1) in order to accept return traffic through the VPN. Typo. I meant max(net.ipv4.conf.a

Re: Alternate route for port 80

2012-07-08 Thread Pascal Hambourg
Hello, Onur Aslan wrote: > > I want to use my VPN for outgoing port 80 connections in my Debian router. > > tap0 is my virtual VPN device created by openvpn. > > Now, I want to use an alternate route for only port 80 outgoing > traffic. I create a table and set default gateway for this table

Re: iproute2 load balacing

2012-05-18 Thread Pascal Hambourg
Hello, ninn...@tin.it wrote: > I have doubts about the management of the multipath with iproute2. > > In particular, do not understand how is the distribution of traffic > between two gateways. > > Use this command > ip route add default scope global \ >nexthop via 192.168.1.1 dev eth1 we

Re: Iptables example for mail/web/opevpn server

2012-02-17 Thread Pascal Hambourg
Raven wrote: > > Given that it is a standalone server, do I really need nat and mangle > tables? It is good practice to reset tables which you do not use, because you don't always know the prior state. However you can skip this step if you can check in /proc/net/ip_tables_names that those tab

Re: Iptables example for mail/web/opevpn server

2012-02-16 Thread Pascal Hambourg
Raven wrote: > > I probably should have mentioned this earlier, but my predecessor left > me with a firewall script that, when launched, locks me out of the > server. > It seems all kosher to me, so I wonder why it's behaving like that: IMO it contains a number of inconsistencies and redundanc

Re: Iptables example for mail/web/opevpn server

2012-02-15 Thread Pascal Hambourg
Hello, Arturo Borrero Gonzalez wrote: > 2012/2/15 Raven : >> I need some help in designing a simple iptables ruleset for a small >> server I have recently set up. >> >> It's a VPS so the primary interface is venet0 with a public ip. The >> server also runs an openvpn daemon with a 172.16.0.0/24

Re: libipt_ROUTE.so missing in package xtables-addons-common in squeeze

2011-07-06 Thread Pascal Hambourg
Hello, Martin Steele wrote: > > I need to use the --tee function in iptables that comes with the ROUTE > module in order to clone copies of incoming packets and copy to another > host, but it seems that the functionality is missing from the iptables > (v. 1.4.8-3) and xtables-addons-common (v.

Re: ARP & RARP

2011-07-01 Thread Pascal Hambourg
Hello, jin&hitman&Barracuda wrote: > I was wondering, how can I Drop or Accept the Arp and Rarp packets with > IPtables? You cannot. ARP packets are not IP packets. The ethertype, protocol and packet format are different. > Is there any special command about Address Resolution Protocol? arpta

Re: iptables

2011-06-22 Thread Pascal Hambourg
Hello, Manu wrote: > > Hello, > I'm French, I'm sorry for my bad English. You'd better be sorry for posting HTML. > I'm a beginner debian user. > In my home network, I have a linux machine with debian6. > My debian has to do dhcp server with isc-server. > I have 2 network cards, eth0 = public

Re: Modify one PTR in existing bind9 setup?

2011-06-22 Thread Pascal Hambourg
Jean-Daniel FISCHER wrote: > > This is a crappy solution but you could try to add hardcoded routes > for these two IPs that send the traffic back toward your NTP server > into your router. At the same time you could tell your NTP server to > consider these two IPs as alias. It's a smart

Re: Modify one PTR in existing bind9 setup?

2011-06-22 Thread Pascal Hambourg
Hello, Michelle Konzack wrote: > > I have a hardware DSL/GSM Router where I can not change the settings for > the 2 NTP servers, because they are hardcoded. Hardcoded by IP address or host name ? > All I can do is to change the two NameServers to my and or > my internal server where I cou

Re: Help getting iptables REDIRECT to work

2010-10-21 Thread Pascal Hambourg
Hello, Julien Vehent wrote: > On Thu, 21 Oct 2010 01:33:13 +0100, Chris Haynes > wrote: >> $ sudo iptables -v -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT >> --to-port 8080 >> REDIRECT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80 redir >> ports 8080 >> iptables: No chain/tar

Re: Blocked route LAN to LAN

2010-08-23 Thread Pascal Hambourg
Makara wrote: > > Your advice > > iptables -I FORWARD -i eth0 -o eth0 -j DROP > > eth0 <<< WAN > eth1 <<< is LAN > > I think you are talking about > > iptables -I FORWARD -i eth1 -o eth1 -j DROP Yes, sorry for the mistake.

Re: Blocked route LAN to LAN

2010-08-21 Thread Pascal Hambourg
Hello, Makara wrote: > > Here is my network diagram > > > / LAN1 [10.101.189.0/24 ] > internet---[eth0]--{Linux}-[eth1] >

Re: DNAT: forwarding all ports to a host

2010-07-15 Thread Pascal Hambourg
Hello, green wrote: > > # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.2.10 > > But what effect does this have on ESTABLISHED,RELATED connections? Absolutely none. > Does this > interfere with, say, a reply from google.com:80 to network host 192.168.2.99? No. Onl

Re: some packets going out from the wrong interface

2010-03-26 Thread Pascal Hambourg
Hello, Jorge Salamero Sanz wrote: > > I've a firewall with two routers as a multigw scenario. load balancing works > but some packets go out from the wrong interface to the routers. > > routerA: 10.10.1.251 -> 10.10.1.1 > firewall: > 192.

Re: different firewall rules for different users

2010-03-03 Thread Pascal Hambourg
Philip wrote: > That sounds good. > I don't need to transparently proxy, because I have configured the > dansguardian proxy into the > browser that the children use. > So a group for adults that allows port 80 and 443 would work. > I just need to block packets except 8080 to the proxy. > > I

Re: different firewall rules for different users

2010-03-03 Thread Pascal Hambourg
Hello, Philip wrote: > > Is there an easy way to set up different rules for different users of a > desktop machine? > I have a small home network with different PCs for different purposes. > There is a general purpose Lenny desktop that the whole family uses. > It has a private IP address. >

Re: multiple interfaces and snat ?

2010-01-23 Thread Pascal Hambourg
Hello, Philip wrote: > > I have a VLANed network to which I would like to connect a commercial > vulnerability scanner. > The scanner is an appliance from a vendor which is not very configurable. > Therefore I have put a debian lenny firewall in front of the scanner. > The firewall has these i

Re: iptables bug with neighborhood discovery?

2009-11-12 Thread Pascal Hambourg
Hello, Alram Lechner wrote: > > I have been administering a Debian firewall for 2 years without problems. This > week, we want to activate IPv6 in testing mode. Our firewall scripts are > generated with fwbuilder. After I activated IPv6 on our firewall, I > ran into some troubles. The first

Re: Match owner

2009-10-21 Thread Pascal Hambourg
[Sent back on the list. Please pay attention to the recipient address.] Cory Oldford wrote: > Is the traffic originating from a process on the machine with the firewall? Of course. The OUTPUT chain sees only packets generated by local processes. This is why the "owner" match is valid only in t

Re: Match owner

2009-10-21 Thread Pascal Hambourg
Bjoern Meier wrote: > 2009/10/21 Pascal Hambourg > >>> If I set: >>> -A OUTPUT -d -m owner --uid-owner -j ACCEPT >>> >>> It fails and my logging shows, that the Rule will be ignored and goes to >> the >>> deny rule (last rule). >

Re: Match owner

2009-10-21 Thread Pascal Hambourg
Hello, Bjoern Meier wrote: > > If I set: > -A OUTPUT -d -m owner --uid-owner -j ACCEPT > > It fails and my logging shows, that the Rule will be ignored and goes to the > deny rule (last rule). How does it fail ? What is the error message ? > I also read that that match is disabled in newe

Re: Route without masquerade

2009-09-23 Thread Pascal Hambourg
Hello, Jonis Maurin Ceará wrote: > > I'm trying to get my Debian to route without masquerading, but didn't > work :( > > Eth0: 192.168.0.0/24 > Eth1: 10.165.50.0/24 > > ipv4_forward enabled, routes are OK but didn't work :( > > hesrv-lx01:/etc/dhcp3# route -n > Kernel IP routing table >

Re: NAT

2009-08-12 Thread Pascal Hambourg
Ivan Shmakov wrote: > Pascal Hambourg writes: > >> [...] although IPv6 NAT could be a helpful quick and dirty hack >> in some situations (e. g. source NAT to work around some flaws in >> the source address selection). > > Couldn't ip(8) be used

Re: NAT

2009-08-12 Thread Pascal Hambourg
Ivan Shmakov wrote: > > Somehow, I thought that DNAT will solve the problem the most > straightforward way. I was wrong, it was proxy_arp that made > the day. Agreed. > (Yes, one may use a bridge, too Yup. > Anyway, IPv4 seems to die slowly. The Internet Service P

Re: /etc/init.d/iptables

2009-08-11 Thread Pascal Hambourg
Ivan Shmakov wrote: > > Strangely, I cannot find where these directories are documented. > Could you provide a pointer, please? The 'interfaces' manpage contains some information about /etc/network/if-*.d directories and exported variables. There are also some examples in /usr/shar

Re: /etc/init.d/iptables

2009-08-11 Thread Pascal Hambourg
Ivan Shmakov wrote: > Pascal Hambourg writes: > >> Indeed. My opinion is that only interface-specific action such as >> creating interface-specific firewall rules should be performed in >> /etc/network/if-*.d/ scripts, > > Huh? Why one might need to

Re: /etc/init.d/iptables

2009-08-11 Thread Pascal Hambourg
Ivan Shmakov wrote: > >>> I do know that /etc/init.d/iptables was removed sometime around >>> Sarge. What I do not know is the reasoning for such a change. > >> Maybe because the maintainer did not like it nor recommend its use ? > > Yes, I know it. The question is, why? Was it an in

Re: /etc/init.d/iptables

2009-08-11 Thread Pascal Hambourg
Ivan Shmakov wrote: > Jonathan Yu writes: >> >> I apparently used /etc/network/if-pre-up.d (I can't remember the >> reasoning why, but I guess it's useful to make sure you load the >> rules prior to bringing the interfaces up, which means the rules will >> be there once network connectivity is

Re: /etc/init.d/iptables

2009-08-11 Thread Pascal Hambourg
Hello, Ivan Shmakov wrote: > I do know that /etc/init.d/iptables was removed sometime around > Sarge. What I do not know is the reasoning for such a change. Maybe because the maintainer did not like it nor recommend its use ? The file /etc/default/iptables in the iptables package

Re: Building network

2009-08-06 Thread Pascal Hambourg
Hello, Jack Knowlton wrote: {Debian} ppp0: bridge interface (PPPoE via eth0) ppp0 is a PPP(oE) interface, not a bridge interface. eth1: LAN with public IP interface (xxx.xxx.xxx.153) eth2: LAN with private IP interface (10.0.1.2) {server2} eth0: LAN with public IP (in /29 subnet) eth1:

Re: recent/hitcount broken in Lenny?

2009-04-25 Thread Pascal Hambourg
Guillaume Tamboise wrote: Yep, very good explanation and your fix works just fine. Note that it means that until now the "offending" rule would never match and thus was ineffective. 2 hours and 17 minutes to get an explanation and a fix, impressive, thank you! You were lucky : I don't

Re: recent/hitcount broken in Lenny?

2009-04-25 Thread Pascal Hambourg
Hello, Guillaume Tamboise wrote: I used to rate limit the number of incoming HTTP connections in Etch, using these iptables statements: iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state

Re: Router does not more work under Lenny

2009-04-24 Thread Pascal Hambourg
Milan P. Stanic wrote: Your internal IP addresses are from non-routable (private) IP range Private addresses are /routable/. They are just not (at least, not supposed to be) /routed/ over the public internet.

Re: Router does not more work under Lenny

2009-04-24 Thread Pascal Hambourg
Hello, Michelle Konzack wrote: No IPT rules. It seems that your internal network uses private addresses, so masquerading/SNAT is required. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Re: Netfilter Version

2008-11-30 Thread Pascal Hambourg
Hello, daniel wrote: How can I know Netfilter's version on my Debian Etch? AFAIK there is no such version. Netfilter is a part of the kernel. What do you mean exactly ?

Re: Is connlimit available in etch? Will it be available in future?

2008-10-20 Thread Pascal Hambourg
Nick Y Kuzminyh wrote: It seems that "connlimit" doesn't work even on kernel etch-n-half. (though error output in etch-n-half is quite different from that in default 2.6.18-6 kernel) [...] 4) iptables command: frya:/home/nick# iptables -t filter -A INPUT -p tcp --syn --dport 23 -m

Re: blocking brute force attempts using iptables

2008-10-18 Thread Pascal Hambourg
Stephen Vaughan wrote: okay, so using this rule: $IPTABLES -A INPUT -p tcp --dport 21 -j FTP2 spits out this error: iptables: Too many levels of symbolic links I guess it's because there is a potential loop FTP2 -> FTPNEW -> FTP2.

Re: blocking brute force attempts using iptables

2008-10-17 Thread Pascal Hambourg
Stephen Vaughan wrote: I don't follow... that is not my entire ruleset, but everything for the brute force is there.. No it's not. In order to be effective, user-defined chains have to be called by another rule from a built-in chain (INPUT, OUTPUT, FORWARD...), and I do not see such a rule

Re: Is connlimit available in etch? Will it be available in future?

2008-10-17 Thread Pascal Hambourg
Hello, Nick Y Kuzminyh wrote: Dear Professionals, Huh ? Can you please explain me: * is "connlimit" module available in etch? The connlimit match support was included in the mainline kernel since version 2.6.23, so it is not available in the default 2.6.18 kernels included in Debian e

Re: blocking brute force attempts using iptables

2008-10-17 Thread Pascal Hambourg
Hello, Stephen Vaughan wrote: I have a ruleset which works for blocking brute force attempts on port 21, but I'm not sure how to open port 21 without excluding the rules, ie: # default $IPTABLES -P INPUT DROP # when this rule is enabled it doesn't go any further since it's a match, so how do

Re: iptables filtering ports under nat

2008-10-17 Thread Pascal Hambourg
Hello, Luis Rondon Paz wrote: /sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5 -o $EXT_IF -j MASQUERADE how can I DROP ALL TRAFFIC FROM IP 12.16.2.5 ??? except port 80 to one external ip ? how can I do that /sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5 -d EXTERNALONEHOSTONLY -o $E

Re: Policy routing on local packets

2008-09-24 Thread Pascal Hambourg
Gerardo Castillo Alvarado wrote: Andreas Onderka wrote: iptables -t nat -A POSTROUTING -p tcp -o --sport 25 -j SNAT --to-source Don't forget that the SNAT target is for static ip. Otherwise, you should use MASQUERADE if you are on a dynamic IP address. Irrelevant. MASQUERADE does n

Re: Policy routing on local packets

2008-09-24 Thread Pascal Hambourg
Hello, Jason Voorhees wrote: I have a linux box with multiple ip addresses: eth0 -> IP1 eth0:0 -> IP2 eth0:1 -> IP3 eth0:2 -> IP4 All outgoing traffic is using IP1 as source address. But now I want to use a different IP address (IP1, IP2, IP3 or IP4) as the source address for all smtp ou

Re: DNAT TCP 12345 -> 22

2008-03-21 Thread Pascal Hambourg
Hello, Frédéric Massot wrote: I have servers with public IP addresses in a DMZ behind a firewall. The firewall has two network interfaces, one connected to the DMZ, the other to the ISP router. From local network, I can access the server via SSH on port 22/TCP. What local network ? I

Re: problems with (perhaps) IPMASQ

2008-01-23 Thread Pascal Hambourg
Hello, Carlos Enrique Carleos Artime wrote: [EMAIL PROTECTED]:~$ ping 192.168.2.1 PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data. ping: sendmsg: Operation not permitted ping: sendmsg: Operation not permitted Does anybody know where the problem is? This message means that iptables

Re: dante block(2)

2008-01-04 Thread Pascal Hambourg
Michael Vogt wrote: 87.180.112.175 is not part of 87.180.0.0/24 [87.180.0.0-87.180.0.255]. Ah Thanks, I thought the 0 is something like an asterisk. No, the wildcard is specified by the prefix length /24, meaning that only the first 24 bits (3 octets) are significant. What must I writ

Re: dante block(2)

2008-01-04 Thread Pascal Hambourg
Hello, Michael Vogt wrote: Hi. I'm trying to set up a dante-proxy-server, But dante always closes the connection without any visible error (firefox shows a white page). In the log are many of these errors: Dec 25 20:48:43 danted[5372]: block(2): tcp/accept [: 87.180.112.175.50663 -> 62.75.

Re: hallo pleae help me. :)

2007-12-16 Thread Pascal Hambourg
Hello, Alexandr Shurigin wrote: debian:/lib# iptables -A INPUT -p tcp --syn --dport 3128 -m connlimit ! --connlimit-above 5 -j ACCEPT iptables: No chain/target/match by that name debian:/lib# modprobe ipt_connlimit FATAL: Module ipt_connlimit not found. [...] how to install connlimit modu

Re: Módulo MAC

2007-12-11 Thread Pascal Hambourg
Hello, ThEcHaCaL wrote: Hello list, I am implementing a firewall on kernel 2.6.18-4-686 and noticed that the ipt_mac module is not loaded; doesn't this module come in the package by default? Automatically translated by Google (I hope it is accurate) : Hello list, I am implementing a firewall in

Re: routing problem

2007-12-04 Thread Pascal Hambourg
Hello, Alexandr Shurigin wrote: ok example ethernet ip / gateway 87.224.234.XX / 87.224.234.1(metric 10) pppoe example ip(every reconnect are different ip and gateways) = 212.122.43.12 / 212.122.43.6(metric 1) i want allow users be available to work with 87.224.234.XX . similar problem with t

Re: policy routing problem

2007-11-29 Thread Pascal Hambourg
Alexandr Shurigin wrote: YEAH Big thanks YOU. all works fine!!! You're welcome. :-) 2007/11/29, Pascal Hambourg <[EMAIL PROTECTED]>: Try the following quick fix : ip route add 192.168.1.0/24 dev eth2 table ETH1 ip route add 192.168.1.0/

Re: policy routing problem

2007-11-29 Thread Pascal Hambourg
Hello, Alexandr Shurigin wrote: ip route add 87.224.167.g1 dev eth1 table ETH1 ip route add default via 87.224.167.g1 dev eth1 table ETH1 ip route add 212.49.121.g2 dev eth3 table ETH3 ip route add default via 212.49.121.g2 dev eth3 table ETH3 iptables -t mangle -A OUTPUT -m owner --uid-own

Re: only 8 fixed IP's but 42 physical servers (routing with iptables)

2007-11-19 Thread Pascal Hambourg
Hello, Michelle Konzack wrote: I have a client with a SDSL 3.5 Mbit and only 8 fixed IP's. Do you mean a /29 IP subnet ? +---+ ISP 12port|D R| nerim.net---SDSL---SWITCH---NIC1-|E O|-NIC2-192.168.0.0/255.255.255.192

Re: Multi port firewall

2007-10-30 Thread Pascal Hambourg
Hello, Andy Simpkins wrote: eth0 and eth1 will therefore share the same subnet. Preferably not if you want to avoid trouble and dirty hacks. How do I configure my firewall/router to route to these boxes correctly? If you want the same subnet on two interfaces, you'd better bridge them

Re: Port 80 Open

2007-10-29 Thread Pascal Hambourg
Hello, Ansgar -59cobalt- Wiechers wrote: On 2007-10-27 Telly Williams wrote: -A INPUT -s 127.0.0.1 -i lo -j ACCEPT -A INPUT -s XX.XXX.XXX.XXX -i lo -j ACCEPT No other source address than 127.0.0.1/8 is supposed to appear at the loopback interface. Wrong. Any local address, including th

Re: Default Policy = DROP. Help-me

2007-10-27 Thread Pascal Hambourg
[This message seems to have been silently discarded, so I try to send it again] Hello, Ansgar -59cobalt- Wiechers wrote: On 2007-10-24 Yuri Rodrigues wrote: I usually browse the Internet, get ssh servers for my network and get my ssh server when I am in a remote location. But can not acce

Re: arp_proxy does not work with static DHCP/PERM arp ?

2007-10-01 Thread Pascal Hambourg
Wojciech Ziniewicz wrote: 2007/9/30, Pascal Hambourg : My guess is that the client checks that the offered IP address is not already in use by issuing an ARP request and expecting no reply. When the router has proxy_arp enabled, it replies to the ARP request so the client believes the IP

Re: arp_proxy does not work with static DHCP/PERM arp ?

2007-09-30 Thread Pascal Hambourg
Hello, Wojciech Ziniewicz wrote: Yesterday after starting using arp_proxy I've received many lines like this (in syslog) : Sep 30 21:15:28 beta dhcpd: DHCPDISCOVER from 00:17:08:49:22:80 via eth1 Sep 30 21:15:28 beta dhcpd: DHCPOFFER on 10.100.1.21 to 00:17:08:49:22:80 via eth1 Sep 30 21:15:

Re: NAT problems

2007-09-13 Thread Pascal Hambourg
Carlos Pasqualini wrote: this is what I'm looking for documentation about do you know where the new nf_nat framework is documented?? I want to learn just about it I'm afraid there is not much documentation. Anyway there is not so much to say about it. The primary goal was to add connection

Re: NAT problems

2007-09-12 Thread Pascal Hambourg
Hello, Carlos Pasqualini - SETI Soluciones Informáticas wrote: I'm working with debian since potato, I had a lot of firewalls but... now with lenny I execute my script and it didn't work well (or it didn't work at all ough!) what changed from kernel 2.6.18 / iptables 1.3.6 to kernel 2.6.2

Re: Iptables and FTP problem

2007-09-02 Thread Pascal Hambourg
Mahdi Rahimi wrote: my Rules for passive FTP look like this and work without problem but I want my LAN to work in active ftp. ###control connection $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A FORWA

Re: Iptables and FTP problem

2007-09-01 Thread Pascal Hambourg
Hello, Mahdi Rahimi wrote: My NAT(PREROUTING) and Filter table default Policy is DROP. Bad idea. The nat table is not intended for filtering. Just leave the nat table chains default policies to ACCEPT, and do the filtering in the filter table chains. hello I have problem in our client

Re: droping internal network icmp usign forward

2006-10-15 Thread Pascal Hambourg
Hello, luis wrote: hi there any advice to drop icmp using forward? example iptables -A FORWARD -s 10.30.0.0/24 -d $mylan(10.30.146.4/24) -p icmp -j DROP is that ok? Well, it drops ICMP packets which hit the rule and match the source and destination address conditions. However it won't

Re: Port Forward by MAC

2006-10-15 Thread Pascal Hambourg
Hello, George P Boutwell wrote: I know it's an odd request, but is it possible to port forward based on MAC address instead of by IP address? What do you mean by "port forward" ? DNAT ?

Re: iptables rules : two in one

2006-10-01 Thread Pascal Hambourg
Franck Joncourt wrote: Andrey Kozlov wrote: with use connection tracking you can define common rules for ongoing traffic on top of your rule set: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT and then add

Re: iptables rules : two in one

2006-09-30 Thread Pascal Hambourg
franck wrote: [merge rules] It is not that important, I just wondered whether it was possible or not. My file would have been easier to read, that is it. If you want a file easier to read, my advice is that you group rules which have common matches into user-defined chains. For instance :

Re: iptables rules : two in one

2006-09-30 Thread Pascal Hambourg
Hello, franck wrote: I have got some iptables rules such as : Code: iptables -A OUTPUT -o eth0 -p tcp -d pop.mail.yahoo.co.uk --dport 110 --sport $UNPRIVPORTS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp -d pop.1and1.fr --dport 110 -

Re: Public IP's with 1:1 mapping does not map all ports or passive ftp does not work [long]

2006-09-20 Thread Pascal Hambourg
Hello, Wojciech Ziniewicz wrote: I give my customers public ips with SNAT/DNAT (we call it 1:1) ip mapping. When A client with lan ip 10.100.1.123 has public ip 217.17.x.123 he can use all the apps he wants (apps that demand public ip or forwarded port) so everything seems to be okay... No

Re: IP affinity with netfilter and NAT

2006-09-11 Thread Pascal Hambourg
Hello, Pablo wrote: Is there any secret to configure IP affinity with netfilter when I do SNAT with a pool of public IPs so not every new connection from the same host gets a different source IP ?? You can use the SAME target for this purpose. Description here : http://www.netf

Re: physical mac address

2006-08-27 Thread Pascal Hambourg
Micha wrote: | ip route list table local spits out: broadcast 192.168.1.0 dev eth0 proto kernel scope link src 192.168.1.2 broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 local 192.168.1.2 dev eth0 proto kernel scope host src 192.168.1.2 broadcast 192.168.

Re: physical mac address

2006-08-24 Thread Pascal Hambourg
Hello, Micha wrote: Am I right that locally generated traffic never has a MAC address (besides 00:00:00:00:00:00:00:00:00:00:00:00:08:00 ) even for traffic from/to the own 'external' IP, that is, the physical NIC attached to the gateway (like, eth0=192.168.1.2) ? It never can be sniffed, f

Re: iproute2, alternative tables, no default route: routing trouble for localhost

2006-08-21 Thread Pascal Hambourg
Pokotilenko Kostik wrote: # ip rule add dev lo table Servers Solved my problem! I've spent 3 days searching for the answer. I'll make more testing tomorrow. So, correct me if I'm wrong: even if the local sending application wouldn't explicitly specify source IP address it will in any way be

Re: iptables MARK + ip rule fwmark

2006-08-21 Thread Pascal Hambourg
Hello, Pokotilenko Kostik wrote: Where should I set iptables MARK, so that I can then use them for route decision in ip rule fwmark? In the mangle PREROUTING chain for input routing, and in the mangle OUTPUT chain for output routing (locally generated packets).

Re: Change MTU for forwarded packets

2006-08-18 Thread Pascal Hambourg
George Borisov wrote: Pascal Hambourg wrote: Yes, if the firewall is a router (not a bridge). You just set the desired MTU on the output interface. This confuses me a little. If by outgoing you mean the external interface on my firewall Yes, that's what I mean. then why did cha

Re: iproute2, alternative tables, no default route: routing trouble for localhost

2006-08-18 Thread Pascal Hambourg
Hello, Pokotilenko Kostik wrote: 1. There are 3 servers and a router with 2 PPPoE connections (let's call them: ppp0, ppp1). 2. There are several groups of Inet-clients to be served (Servers, Clients and Club). 3. The task is: - to route Club through the ppp1; - to Servers and Clients throug

Re: Change MTU for forwarded packets

2006-08-18 Thread Pascal Hambourg
Hello, George Borisov wrote: Is there a way of forcing an MTU size for forwarded traffic on the firewall? Yes, if the firewall is a router (not a bridge). You just set the desired MTU on the output interface. I have tried playing with TCPMSS in iptables, but I haven't managed to get it

Re: iptables -j ROUTE

2006-08-11 Thread Pascal Hambourg
Pokotilenko Kostik wrote: So I guess iptables version is 1.2.11 which includes support for the ROUTE target (but not for the --tee option). My "man iptables" says: === ROUTE This is used to explicitly override the core network stack's routing

Re: iptables -j ROUTE

2006-08-08 Thread Pascal Hambourg
Hello, Pokotilenko Kostik wrote: I'm trying to settle routing with iptables. I have a router with 2 Inet connections, and I need routing decision upon source IP. # iptables -A PREROUTING -t mangle -s 10.0.0.0/8 -j ROUTE --oif eth0 iptables: No chain/target/match by that name # So, what's w

Re: SCSI

2006-07-20 Thread Pascal Hambourg
Hello, Varady Zoltan wrote: I know why I can't see the hda1 Off topic. The debian-firewall list deals only with firewall issues on Debian.

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread Pascal Hambourg
martin f krafft wrote: on the basis that it's not okay to drop bad packets before accepting good packets, the following would not be okay even though they're logically equivalent? I want to make things clear : dropping packets first is not bad ; what is bad is accepting packets with the as

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread Pascal Hambourg
martin f krafft wrote: What's the difference between state NEW and --syn? NEW is based on the packet state as seen by the connection tracking system. --syn is based on the value of TCP flags in the packet header. So NEW and --syn must be considered independent, even though the TCP conntr

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread Pascal Hambourg
Hello, martin f krafft wrote: Many people have rules like -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT I'd add a condition on state NEW in the second rule. I've done research and found that -A INPUT -m conntrack -

Re: iptables by mac

2006-06-10 Thread Pascal Hambourg
Hello, Daniel Givens wrote: I would like to do using FORWARD example iptables -A FORWARD -s -m ! 00:0F:EA:91:04:08 -d 0.0.0.0/0 -p tcp --dport 3128 -j DROP I want to set this rule to avoid the computer being cloned I think using mac & iptables I can solve this right ? What do you mean by

Re: How to kill DNAT'ed connection

2006-06-01 Thread Pascal Hambourg
Pokotilenko Kostik wrote: When the client disconnects, the rules are deleted and new connections are being rejected. But the problem is that existing DNAT'ed connections continue to operate. That's the normal behaviour of NAT. That has raised a question: How to kill DNAT'ed connection?
