On Sun, 21 Apr 2002 18:34:58 +0200 (CEST)
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> wrote:
> http://www.linuxguruz.org/iptables/
I've found that shorewall (now apt-gettable) makes a very nice iptables
framework/wrapper.
--
J C Lawrence
-(*)Satan, os
On Sun, 21 Apr 2002, Jussi Ekholm wrote:
[snip]
> Thank you, I'll take a look at them. But, I'd still need some help
> concerning the DROP chain -- I've read the Packet-filtering-HOWTO,
> and eyed all related HOWTOs from LDP (actually, the Debian package
> doc-linux-html), but *still* I'm unable
Sami Dalouche <[EMAIL PROTECTED]> wrote:
> Here's a set of rules to replace ipmasq's ones..
Thank you, I'll take a look at them. But, I'd still need some help
concerning the DROP chain -- I've read the Packet-filtering-HOWTO,
and eyed all related HOWTOs from LDP (actually, the Debian package
doc-
* Quoting Mathias Palm ([EMAIL PROTECTED]):
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Sorry, I don't get that. The manpage says:
>
> ...ESTABLISHED meaning that the
> packet is associated with a connection which has
> seen packets in both directions...
>
Peter Cordes wrote:
> On Wed, Apr 17, 2002 at 01:09:27PM +0200, Martin Peikert wrote:
>>First, you should set your policy to DROP. The way you configured your
>>filter with a policy set to ACCEPT would let all traffic pass through.
>
> No it doesn't; It would block new connections, because it re
On Thu, Sep 20, 2001 at 05:05:11AM +0200, Mathias Palm wrote:
> ...
>
> >
> > I use the connection-tracking support, so I can drop everything except
> > traffic related to a connection I opened. This is what I use (NAT stuff
> > omitted):
> >
> > iptables -t filter -P FORWARD ACCEPT
> >
...
>
> I use the connection-tracking support, so I can drop everything except
> traffic related to a connection I opened. This is what I use (NAT stuff
> omitted):
>
> iptables -t filter -P FORWARD ACCEPT
> iptables -t filter -P INPUT DROP
> iptables -t filter -P OUTPUT ACCE
On Wed, Apr 17, 2002 at 01:09:27PM +0200, Martin Peikert wrote:
> Jussi Ekholm wrote:
> >I was just wondering, if some experienced iptables users could give me,
> >at least some, opinions about my iptables rules. It is supposed to close
> >all the other ports, but leave 1050, and 8080 open. He
Jussi Ekholm wrote:
Michal Melewski <[EMAIL PROTECTED]> wrote:
Lars Roland Kristiansen wrote:
I am no iptables guru, I just want to close all except from
ssh(port 22), pop3(port 110) and imap(port143). Is there an
easy way to do this.
Sure it is easy...
I was just wondering, if so
" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, April 17, 2002 11:45 AM
Subject: Re: Iptables config
rules-v0.1.tar.bz2
Description: Binary data
Michal Melewski <[EMAIL PROTECTED]> wrote:
> Lars Roland Kristiansen wrote:
>> I am no iptables guru, I just want to close all except from
>> ssh(port 22), pop3(port 110) and imap(port143). Is there an
>> easy way to do this.
>
> Sure it is easy...
I was just wondering, if some experienced
On Mon, Apr 15, 2002 at 07:58:00PM +0200, Mathias Palm wrote:
> ...
> Looking at all these, people might say more about smtp-packages going
> astry
s/package/packet/g
--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)
"The gods confound the man who first found out how
I'd say it might very well work correctly, but the table nat is not
made for package filtering but for address translation
(nat--network address translation) which is used for masquerading and
portforwarding. If you only want a filtering firewall you might very well
save yourself the effort to comp
As mentioned in some other mail, always use iptables -F INPUT first to
avoid piling up rules like in your case. You defined three rules and
there shouldn't be more (it's not a Windows machine after all).
A couple more questions. What is your net set up: Are 192.168.2.2 and
xxx.yyy.zzz.com (the ip
blished
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
-Original Message-
From: Marcin Bednarz [SMTP:[EMAIL PROTECTED]]
Sent: Sunday, 14 April 2002 09:15
To: Lars Roland Kristiansen
Cc:
Subject: Re: Iptab
On Sun, Apr 14, 2002 at 12:28:16PM +0200, Lars Roland Kristiansen wrote:
> When using the following rules
>
> -
> iptables -P INPUT ACCEPT
>
> iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 25,110,22 -i eth0 -j
> AC
When using the following rules
-
iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 25,110,22 -i eth0 -j
ACCEPT
-
i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> "Peter" == Peter Cordes <[EMAIL PROTECTED]> writes:
Peter> If you set INPUT policy to DROP, doesn't that drop everything,
Peter> not just incoming SYN packets? If you want to be able to
Peter> establish any connections from the machine to anyw
Hello.
I wrote :
>
> # change of politics to drop
> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP
>
> #add ssh server (allow incoming)
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
>
> #add pop3 and imap
> iptables -t nat -A P
On Fri, Apr 12, 2002 at 11:37:09AM +0200, Michal Melewski wrote:
> On Fri, Apr 12, 2002 at 11:17:38AM +0200, Lars Roland Kristiansen wrote:
> > Hi - I have just installed a mailserver with postfix and wu-imap/pop3
> > now I just want to have iptables running. I am no iptables guru, I just
> > want
>
>>Here is where I am now - if I don't run iptables it all works - for some
>>reason closing all the ports and setting the default policy to deny doesn't
>>seem to work (if I then after set smtp, pop3 ssh to allow). But setting
>>the default policy to allow and then using nmap to detect what port
On Fri, Apr 12, 2002 at 04:05:54PM +0200, Lars Roland Kristiansen wrote:
> Here is where I am now - if I don't run iptables it all works - for some
> reason closing all the ports and setting the default policy to deny doesn't
> seem to work (if I then after set smtp, pop3 ssh to allow). But setting
>
Sorry!
I cannot see this :)
Normally we use the smtp protocol not imap!
Thanks.
> True, but the necessary ports are 22, 110 and 143. Port 25 is for smtp
> which Lars didn't want to open.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL
Here is where I am now - if I don't run iptables it all works - for some
reason closing all the ports and setting the default policy to deny doesn't
seem to work (if I then after set smtp, pop3 ssh to allow). But setting
the default policy to allow and then using nmap to detect what ports that
are o
> well, it's better to replace DROP by ACCEPT in this last line if you want to
> accept the packets ;)
Damm ;)
Sure you are right; sorry , my fault.
I was a bit sleepy while writing this
--
Michael "carstein" Melewski | "One day, he said, in a taped segment
[EMAIL PROTECTED]
Henrique Pedroni Neto wrote:
Hi - I have just installed a mailserver with postfix and wu-imap/pop3
now I just want to have iptables running. I am no iptables guru, I just
want to close all except from ssh(port 22), pop3(port 110) and
imap(port143). Is there an easy way to do this.
iptabl
On Fri, 12-04-2002 at 13:25, Lars Roland Kristiansen wrote:
> # SMTP
> iptables -I INPUT -p tcp -s 0/0 --dport 25 -i eth0 -j ACCEPT
> # SSH
> iptables -I INPUT -p tcp -s 0/0 --dport 22 -i eth0 -j ACCEPT
> # POP#
> iptables -I INPUT -p tcp -s 0/0 --dport 110 -i eth0 -j ACCEPT
>
> I can connec
> Hi - I have just installed a mailserver with postfix and wu-imap/pop3
> now I just want to have iptables running. I am no iptables guru, I just
> want to close all except from ssh(port 22), pop3(port 110) and
> imap(port143). Is there an easy way to do this.
>Sure it is easy...
>iptables -
Laurent Luyckx <[EMAIL PROTECTED]> writes:
[snip]
> > i get "cant conect to smtp service" when trying to mail
>
> try by rejecting port 113 requests with :
>
> iptables -I INPUT -p tcp -s 0/0 --dport 113 -i eth0 -j REJECT
If you're going to use -j REJECT for a TCP packet, you really ought to u
In reply to Lars Roland Kristiansen <[EMAIL PROTECTED]>:
> Thanks for the quick response
>
> I have put this in my /etc/default/iptables file
>
> # Deny ALL
> iptables -P INPUT DROP
>
> # Allow these services
>
> # SMTP
> iptables -I INPUT -p tcp -s 0/0 --dport 25 -i eth0 -j ACCEPT
> # SSH
> i
On Fri, 2002-04-12 at 13:27, VERBEEK, Francois wrote:
> BTW if you plan to use --dport you need rather a line like
>
> iptables -A INPUT -p tcp -s 0/0 -m tcp --dport 22 -i $dev -j ACCEPT
-m tcp is not needed. See manpage:
MATCH EXTENSIONS
iptables can use extended packet matching modules.
-security@lists.debian.org
Subject:Re: Iptables config
<< File: SMIME.txt >>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Thanks for the quick response
I have put this in my /etc/default/iptables file
# Deny ALL
iptables -P INPUT DROP
# Allow these services
# SMTP
iptables -I INPUT -p tcp -s 0/0 --dport 25 -i eth0 -j ACCEPT
# SSH
iptables -I INPUT -p tcp -s 0/0 --dport 22 -i eth0 -j ACCEPT
# POP#
iptables -I INPUT
In reply to Michal Melewski <[EMAIL PROTECTED]>:
> On Fri, Apr 12, 2002 at 11:17:38AM +0200, Lars Roland Kristiansen
> wrote:
> > Hi - I have just installed a mailserver with postfix and
> wu-imap/pop3
> > now I just want to have iptables running. I am no iptables guru, I
> just
> > want to clos
Hello
I will try to help you.
> Hi - I have just installed a mailserver with postfix and wu-imap/pop3
> now I just want to have iptables running. I am no iptables guru, I just
> want to close all except from ssh(port 22), pop3(port 110) and
> imap(port143). Is there an easy way to do this.
On Fri, Apr 12, 2002 at 11:17:38AM +0200, Lars Roland Kristiansen wrote:
> Hi - I have just installed a mailserver with postfix and wu-imap/pop3
> now I just want to have iptables running. I am no iptables guru, I just
> want to close all except from ssh(port 22), pop3(port 110) and
> imap(port143