Re: [gentoo-user] IPTables question... simple as possible for starters
On Dec 30, 2013 7:31 PM, shawn wilson <ag4ve...@gmail.com> wrote:
> Minor additions to what Pandu said...
>
> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pa...@poluan.info> wrote:
>> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
>>
>> The numbers within [brackets] are statistics/counters. Just replace them with [0:0], unless you really really really have a good reason to not start counting from 0...
>
> AFAIK, there's no reason this shouldn't always be set to 0. If you want to keep your counter do --noflush
>
>> NOTE: In that ServerFault posting, I suggested using the anti-attack rules in -t raw -A PREROUTING. This saves a great deal of processing, because the raw table is just that: raw, unadulterated, unanalyzed packets. The CPU assumes nothing, it merely tries to match well-known fields' values.
>
> And because nothing is assumed, you can't prepend a conntrack rule. I can't think of why you'd ever want those packets (and I should probably move at least those 4 masks to raw) but just an FYI - no processing means no processing.
>
> Also see nftables: http://netfilter.org/projects/nftables/

Very interesting... were they aiming for something similar to *BSD's pf firewall?

I personally prefer iptables-style firewall; no guessing about how a state machine will respond in strange situations. Especially since I greatly leverage ipset and '-m condition' (part of xtables-addons), which might or might not be fully supported by nftables.

Rgds,
--
Re: [gentoo-user] IPTables question... simple as possible for starters
On Tue, Dec 31, 2013 at 9:08 AM, Pandu Poluan <pa...@poluan.info> wrote:
> On Dec 30, 2013 7:31 PM, shawn wilson <ag4ve...@gmail.com> wrote:
>> Minor additions to what Pandu said...
>>
>> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pa...@poluan.info> wrote:
>>> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
>>>
>>> The numbers within [brackets] are statistics/counters. Just replace them with [0:0], unless you really really really have a good reason to not start counting from 0...
>>
>> AFAIK, there's no reason this shouldn't always be set to 0. If you want to keep your counter do --noflush
>>
>>> NOTE: In that ServerFault posting, I suggested using the anti-attack rules in -t raw -A PREROUTING. This saves a great deal of processing, because the raw table is just that: raw, unadulterated, unanalyzed packets. The CPU assumes nothing, it merely tries to match well-known fields' values.
>>
>> And because nothing is assumed, you can't prepend a conntrack rule. I can't think of why you'd ever want those packets (and I should probably move at least those 4 masks to raw) but just an FYI - no processing means no processing.
>>
>> Also see nftables: http://netfilter.org/projects/nftables/
>
> Very interesting... were they aiming for something similar to *BSD's pf firewall?

IDK (I think I remember reading that, but maybe I was just dreaming as I can't recall where), but that's sorta what it's looking like at this point.

> I personally prefer iptables-style firewall; no guessing about how a state machine will respond in strange situations. Especially since I greatly leverage ipset and '-m condition' (part of xtables-addons), which might or might not be fully supported by nftables.

pf is easier to learn. I use iptables much more, but if I need to do something with pf, it wouldn't take me very long to re-learn what's going on so that's sorta a plus for pf.

IIRC, nftables is supposed to be backward compatible. But, will x module work? I hope they didn't go and break stuff too much :)
Re: [gentoo-user] IPTables question... simple as possible for starters
On 2013-12-29 1:39 PM, shawn wilson <ag4ve...@gmail.com> wrote:
> On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
>> Hi all,
>>
>> Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. I'd like to start with something fairly simple:
>>
>> 1. Allow connections from anywhere ONLY to certain ports
>>    ie, for encrypted IMAP/SMTP connections from users
>>
>> 2. Allow connections from only certain IP addresses to certain ports
>>    ie, for limiting SSH access
>
> I'd reverse the order that #1 and #2 appear.

Well, I was just writing that as a general description. Looking in the rules

>> 3. DROP ALL other connection attempts
>>    ie, I don't want to see these disallowed attempts in the logs
>>
>> In order to keep my rules more manageable, I have a commented text file that I manually edit whenever modifying my rules, then I do an 'iptables-restore /path/to/iptables-rules' to update them.
>>
>> My first question is about a trick I learned some time ago (but don't remember where)...
>>
>> For the ports for which I want to allow only restricted access, I have something like:
>>
>> ###
>> # bgn exceptions blocks
>> ###
>> :f_22_I - [0:0]
>> :f_25_I - [0:0]
>> :f_22_O - [0:0]
>> :f_25_O - [0:0]
>>
>> Am I correct that the above are what are called 'chains' in iptables speak?
>
> That defines non-kernel chains but you still need to jump to them from INPUT/OUTPUT or whatever. So, something like:
>
> -A INPUT -m tcp -p tcp --dport 22 --sport 1024:65535 -j f_22_I

Well, yeah... I didn't post my entire ruleset... ;)

> ^ I just

>> And am I also correct that the above adds each rule to the named chain in order, and that the order is significant?
>
> Yep - like ACLs, rules are processed from top down. ACCEPT, REJECT, and DROP are end points when they match.

Good, thanks.

>> Then... assuming that I have all of the specific rules after these set up to allow just the traffic I want, and I wanted to add a final rule that just silently DROPped all other inbound connection attempts, it would be:
>>
>> -A INPUT -j DROP
>
> What you're looking for is the policy which are by default ACCEPT on all kernel rules and which you change in the save file with something like this:
>
> :INPUT DROP [0:0]
>
> And, just so that there's no confusion, you should state the policy of OUTPUT and FORWARD at the top of your save file along with INPUT - see the output of iptables-save as an example of what your file should look like.

Ok, well, maybe I should have posted my entire ruleset... I have this above where I define my chains:

#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#

Does it matter where this goes?

And then above that, I have something else that I've never understood:

*mangle
:PREROUTING ACCEPT [1378800222:449528056411]
:INPUT ACCEPT [1363738727:447358082301]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1221121261:1103241097263]
:POSTROUTING ACCEPT [1221116979:1103240864155]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

> Also, if you're creating a chain just to do the same thing with different addresses, look at using ipset. Then you just:
>
> ipset create ssh_in iphash
> ipset add ssh_in 1.2.3.4
>
> and then this works:
>
> -A INPUT -m set --match-set ssh_in src -j ACCEPT
>
> ipset has the same save/load type things as ipt (minor differences with how you handle reload, but google or ask if you want to know). The set needs to be in place before the ipt rule is added, so ipset comes first in your boot sequence.

Thanks, looks interesting and useful... So much to learn, so little time... ;)
Re: [gentoo-user] IPTables question... simple as possible for starters
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:

[-- LE SNIP --]

> Ok, well, maybe I should have posted my entire ruleset... I have this above where I define my chains:
>
> #
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> #
>
> Does it matter where this goes?

Yes. Chain declarations must come before the rules themselves.

> And then above that, I have something else that I've never understood:
>
> *mangle

Begin declaration of the mangle table.

> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]

The numbers within [brackets] are statistics/counters. Just replace them with [0:0], unless you really really really have a good reason to not start counting from 0...

The second word is the 'policy' of the chain, i.e., the default action taken if no rules match in the chain

> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

Alright, the `--tcp-flags` option takes two parameters: flags_to_check and expected_flags

These 4 rules collectively block 'well-known TCP Attacks', which I've listed here: http://serverfault.com/a/245713/15440

NOTE: In that ServerFault posting, I suggested using the anti-attack rules in -t raw -A PREROUTING. This saves a great deal of processing, because the raw table is just that: raw, unadulterated, unanalyzed packets. The CPU assumes nothing, it merely tries to match well-known fields' values.

You *do* have to make sure that you don't forget to compile kernel support for RAW tables ;-)

> COMMIT

End of mangle table declaration. Commit all chain definitions and chain rules in one atomic operation.

>> ipset create ssh_in iphash
>> ipset add ssh_in 1.2.3.4
>>
>> and then this works:
>>
>> -A INPUT -m set --match-set ssh_in src -j ACCEPT
>>
>> ipset has the same save/load type things as ipt (minor differences with how you handle reload, but google or ask if you want to know). The set needs to be in place before the ipt rule is added, so ipset comes first in your boot sequence.
>
> Thanks, looks interesting and useful... So much to learn, so little time... ;)

iptables is a powerful beast; learn it well, and you'll prosper :-)

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~

 • LOPSA Member #15248
 • Blog : http://pandu.poluan.info/blog/
 • Linked-In : http://id.linkedin.com/in/pepoluan
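Pandu's explanation of `--tcp-flags` (a set of flags to examine, then the flags that must be set among them) is easy to misread, so the following POSIX shell script models the match the way iptables evaluates it and runs the four DROP rules from the thread over sample flag combinations. It is an added example, not code from the thread: the flag bit values are the standard TCP header ones, the rule order is the one quoted above, and the list of sample packets is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a POSIX shell model of how
# `-m tcp --tcp-flags MASK COMP` decides a match, used to check the four
# DROP rules quoted above against sample flag combinations offline.
# Bit values are the standard TCP header flag bits.

flag_value() {
    case "$1" in
        FIN) echo 1 ;;   SYN) echo 2 ;;   RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;;  URG) echo 32 ;;  ECE) echo 64 ;;  CWR) echo 128 ;;
        ALL) echo 255 ;; NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# flags_to_bits "FIN,SYN,RST" -> 7 (comma-separated list, as iptables takes it)
flags_to_bits() {
    bits=0
    oldifs=$IFS
    IFS=,
    for f in $1; do
        v=$(flag_value "$f") || { IFS=$oldifs; return 1; }
        bits=$((bits | v))
    done
    IFS=$oldifs
    echo "$bits"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# iptables semantics: the packet matches when (packet & MASK) == COMP. Only the
# flags named in MASK are examined, and of those exactly the ones in COMP must
# be set. Returns 0 (true) on a match, 1 otherwise.
tcp_flags_match() {
    mask=$(flags_to_bits "$1") || return 2
    comp=$(flags_to_bits "$2") || return 2
    pkt=$(flags_to_bits "$3") || return 2
    [ $((pkt & mask)) -eq "$comp" ]
}

# Apply the four rules from the thread in their original order and report the
# first one that fires, or "pass" when the packet would continue down the chain.
classify() {
    if   tcp_flags_match FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG "$1"; then echo drop:xmas
    elif tcp_flags_match FIN,SYN,RST,PSH,ACK,URG NONE        "$1"; then echo drop:null
    elif tcp_flags_match SYN,RST SYN,RST                     "$1"; then echo drop:syn-rst
    elif tcp_flags_match FIN,SYN FIN,SYN                     "$1"; then echo drop:syn-fin
    else echo pass
    fi
}

# Constructed sample packets: the flag sets a normal TCP exchange produces,
# followed by the malformed combinations the rules exist to catch.
for pkt in SYN SYN,ACK ACK PSH,ACK FIN,ACK RST,ACK \
           NONE FIN,PSH,URG SYN,RST SYN,FIN FIN,PSH,URG,ACK; do
    printf '%-16s %s\n' "$pkt" "$(classify "$pkt")"
done
```

The last sample shows why the mask matters: FIN,PSH,URG together with ACK passes the first rule, because ACK is in the examined set but not in the expected set, so the rule only fires on the exact FIN/PSH/URG combination that never occurs in a legitimate connection. Everything a normal handshake, data transfer or teardown produces comes out as "pass".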
Re: [gentoo-user] IPTables question... simple as possible for starters
Minor additions to what Pandu said...

On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pa...@poluan.info> wrote:
> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
>
> The numbers within [brackets] are statistics/counters. Just replace them with [0:0], unless you really really really have a good reason to not start counting from 0...

AFAIK, there's no reason this shouldn't always be set to 0. If you want to keep your counter do --noflush

> NOTE: In that ServerFault posting, I suggested using the anti-attack rules in -t raw -A PREROUTING. This saves a great deal of processing, because the raw table is just that: raw, unadulterated, unanalyzed packets. The CPU assumes nothing, it merely tries to match well-known fields' values.

And because nothing is assumed, you can't prepend a conntrack rule. I can't think of why you'd ever want those packets (and I should probably move at least those 4 masks to raw) but just an FYI - no processing means no processing.

Also see nftables: http://netfilter.org/projects/nftables/
[gentoo-user] IPTables question... simple as possible for starters
Hi all,

Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. I'd like to start with something fairly simple:

1. Allow connections from anywhere ONLY to certain ports
   ie, for encrypted IMAP/SMTP connections from users

2. Allow connections from only certain IP addresses to certain ports
   ie, for limiting SSH access

3. DROP ALL other connection attempts
   ie, I don't want to see these disallowed attempts in the logs

In order to keep my rules more manageable, I have a commented text file that I manually edit whenever modifying my rules, then I do an 'iptables-restore /path/to/iptables-rules' to update them.

My first question is about a trick I learned some time ago (but don't remember where)...

For the ports for which I want to allow only restricted access, I have something like:

###
# bgn exceptions blocks
###
:f_22_I - [0:0]
:f_25_I - [0:0]
:f_22_O - [0:0]
:f_25_O - [0:0]

Am I correct that the above are what are called 'chains' in iptables speak?

#
### allow connections only from the following IP's
#
## SSH
#
# my local admin hosts
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
#
# external hosts
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT

And am I also correct that the above adds each rule to the named chain in order, and that the order is significant?

So, if I wanted to add a last rule to that chain that DROPs all other connection attempts, it would be just:

-A f_22_I -j DROP

?

Then... assuming that I have all of the specific rules after these set up to allow just the traffic I want, and I wanted to add a final rule that just silently DROPped all other inbound connection attempts, it would be:

-A INPUT -j DROP

?

Thanks...
Re: [gentoo-user] IPTables question... simple as possible for starters
On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
> Hi all,
>
> Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. I'd like to start with something fairly simple:
>
> 1. Allow connections from anywhere ONLY to certain ports
>    ie, for encrypted IMAP/SMTP connections from users
>
> 2. Allow connections from only certain IP addresses to certain ports
>    ie, for limiting SSH access

I'd reverse the order that #1 and #2 appear.

> 3. DROP ALL other connection attempts
>    ie, I don't want to see these disallowed attempts in the logs
>
> In order to keep my rules more manageable, I have a commented text file that I manually edit whenever modifying my rules, then I do an 'iptables-restore /path/to/iptables-rules' to update them.
>
> My first question is about a trick I learned some time ago (but don't remember where)...
>
> For the ports for which I want to allow only restricted access, I have something like:
>
> ###
> # bgn exceptions blocks
> ###
> :f_22_I - [0:0]
> :f_25_I - [0:0]
> :f_22_O - [0:0]
> :f_25_O - [0:0]
>
> Am I correct that the above are what are called 'chains' in iptables speak?

That defines non-kernel chains but you still need to jump to them from INPUT/OUTPUT or whatever. So, something like:

-A INPUT -m tcp -p tcp --dport 22 --sport 1024:65535 -j f_22_I

^ I just came up with something for the sport - it's possible there's a narrower default for your client.

> #
> ### allow connections only from the following IP's
> #
> ## SSH
> #
> # my local admin hosts
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
> #
> # external hosts
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
>
> And am I also correct that the above adds each rule to the named chain in order, and that the order is significant?

Yep - like ACLs, rules are processed from top down. ACCEPT, REJECT, and DROP are end points when they match.

> So, if I wanted to add a last rule to that chain that DROPs all other connection attempts, it would be just:
>
> -A f_22_I -j DROP

I would do this just because it simplifies my life when looking at stuff (and probably removes microseconds of processing from the kernel). Only do this if you limit what hits this jump though (with --dport or whatever). Otherwise, the default behavior is basically a -j RETURN.

> ?
>
> Then... assuming that I have all of the specific rules after these set up to allow just the traffic I want, and I wanted to add a final rule that just silently DROPped all other inbound connection attempts, it would be:
>
> -A INPUT -j DROP

What you're looking for is the policy which are by default ACCEPT on all kernel rules and which you change in the save file with something like this:

:INPUT DROP [0:0]

And, just so that there's no confusion, you should state the policy of OUTPUT and FORWARD at the top of your save file along with INPUT - see the output of iptables-save as an example of what your file should look like.

Also, if you're creating a chain just to do the same thing with different addresses, look at using ipset. Then you just:

ipset create ssh_in iphash
ipset add ssh_in 1.2.3.4

and then this works:

-A INPUT -m set --match-set ssh_in src -j ACCEPT

ipset has the same save/load type things as ipt (minor differences with how you handle reload, but google or ask if you want to know). The set needs to be in place before the ipt rule is added, so ipset comes first in your boot sequence.

> ?
>
> Thanks...
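The advice in this exchange (state the policy of every built-in chain at the top, declare user chains before any rule jumps to them, reset the counters to [0:0], jump from INPUT into the restricted chain, match the admin hosts with an ipset, and let the DROP policy be the catch-all) fits together into one iptables-restore file. The script below writes such a file and runs a small POSIX shell lint over it that flags the ordering and syntax mistakes this thread turns on; it also lints a deliberately broken file for contrast. It is an added example, not code from the thread or from the Gentoo handbook: the interface name eth0, the ipset name ssh_in (which must exist before the file is loaded), the choice of ports 993 and 465 for the encrypted IMAP/SMTP services, the LOG prefixes and the placeholder address 192.0.2.10 are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete iptables-restore file
# built from the pieces discussed above, plus a POSIX shell lint that catches
# chains declared after rules, jumps to undeclared chains, non-zero counters,
# missing built-in policies and a port match without a protocol.
# Assumptions: external interface eth0, admin hosts in an ipset named ssh_in
# that exists before the rules are loaded, 192.0.2.10 as a placeholder address.

write_ruleset() {
    cat <<'EOF'
# raw table: stateless flag checks, evaluated before conntrack sees the packet
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
*filter
# policies for all three built-in chains first; DROP on INPUT is the catch-all
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# user chains are declared before any rule jumps to them
:f_22_I - [0:0]
-A INPUT -i lo -j ACCEPT
# prefix and level belong on the LOG rule itself; the DROP is a separate rule
-A INPUT -i eth0 -m state --state INVALID -j LOG --log-prefix "(fw-invalid):" --log-level 7
-A INPUT -i eth0 -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# open to anyone: IMAPS and SMTPS (a port match always needs -p)
-A INPUT -p tcp -m multiport --dports 993,465 -m state --state NEW -j ACCEPT
# SSH: hand off to the restricted chain, which ends in a silent DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j f_22_I
-A f_22_I -m set --match-set ssh_in src -j ACCEPT
-A f_22_I -s 192.0.2.10 -j ACCEPT
-A f_22_I -j DROP
COMMIT
EOF
}

# A constructed ruleset carrying the mistakes the lint is meant to catch.
write_broken_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [1378800222:449528056411]
-A INPUT -s 192.0.2.10 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j f_22_I
:f_22_I - [0:0]
COMMIT
EOF
}

# lint_ruleset [FILE]: read an iptables-restore file (stdin by default), print
# one line per finding and exit 1 if there were any.
lint_ruleset() {
    awk '
        BEGIN {
            split("INPUT FORWARD OUTPUT", builtin, " ")
            split("ACCEPT DROP REJECT LOG RETURN DNAT SNAT MASQUERADE REDIRECT", t, " ")
            for (i in t) target_ok[t[i]] = 1
        }
        function fail(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        /^#/ || /^$/ { next }
        /^\*/ { table = substr($0, 2); rules[table] = 0; next }
        /^COMMIT$/ {
            if (table == "filter")
                for (i = 1; i <= 3; i++)
                    if (!(("filter:" builtin[i]) in policy)) fail("no explicit policy for " builtin[i])
            table = ""; next
        }
        table == "" { fail("line outside a table: " $0); next }
        /^:/ {
            name = substr($1, 2)
            if (rules[table]) fail("chain " name " declared after rules in *" table)
            chain[table ":" name] = 1
            if ($2 != "-") policy[table ":" name] = $2
            if ($3 != "[0:0]") fail("counters for " name " are " $3 ", expected [0:0]")
            next
        }
        /^-A / {
            rules[table] = 1
            if (!((table ":" $2) in chain)) fail("rule appended to undeclared chain " $2)
            proto = ""; target = ""; port = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i ~ /^--[ds]ports?$/) port = 1
            }
            if (port && proto !~ /^(tcp|udp|udplite|sctp|dccp)$/) fail("port match without -p: " $0)
            if (target != "" && !(target in target_ok) && !((table ":" target) in chain))
                fail("jump to undeclared chain " target)
            next
        }
        { fail("unrecognised line: " $0) }
        END { if (table != "") fail("table *" table " not closed with COMMIT"); exit bad + 0 }
    ' "$@"
}

# count_findings GENERATOR: number of lint findings for the ruleset it writes.
count_findings() {
    "$1" | lint_ruleset | wc -l | tr -d ' '
}

echo "good ruleset findings: $(count_findings write_ruleset)"
echo "broken ruleset findings: $(count_findings write_broken_ruleset)"
```

The broken file produces six findings: the non-zero counters, the `--dport` with no `-p`, the jump to f_22_I before its declaration, the declaration itself landing after rules, and the missing FORWARD and OUTPUT policies. Once the lint is quiet, `write_ruleset > /etc/iptables.rules` and `iptables-restore --test < /etc/iptables.rules` (as root) parse and build the ruleset without committing it; drop `--test` to load it, after the ipset has been created as shawn describes.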
Re: [gentoo-user] iptables question...
On 12/16/11 22:17, Tanstaafl wrote:
> Hi all,
>
> I was reading up on some iptables rules in the gentoo security handbook:
>
> http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable
>
> It mentions DROPing packets with an INVALID state. It sounded/sounds like a good idea, so I added the following rule:
>
> -A INPUT -i eth0 -m state --state INVALID -j LOG
>
> As suggested, I added this rule just ABOVE this one:
>
> -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I also changed the DROP action to LOG so I could see what it did if anything.
>
> Right after adding this rule, I started seeing lines like this in the log:
>
> Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
>
> What I don't understand is why it isn't using my LOG prefix that is used for everything else:
>
> -A INPUT -j LOG --log-prefix "(fw-drop):" --log-level 7
>
> Anyone?

Did you put the log-prefix rule before or after the LOG rule?

Or why didn't you put it in a 1liner, say:

-A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7 --log-prefix "(fw-drop):" --log-ip-options --log-tcp-options

--
Regards,
Re: [gentoo-user] iptables question...
On 2011-12-17 11:34 AM, Hari Purnama <h...@mapits.com> wrote:
> Did you put the log-prefix rule before or after the LOG rule?

After - the log prefix rule is last...

> Or why didn't you put it in a 1liner, say:
>
> -A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7 --log-prefix "(fw-drop):" --log-ip-options --log-tcp-options

Well, because I thought the log prefix rule applied to everything that comes before it...?
[gentoo-user] iptables question...
Hi all,

I was reading up on some iptables rules in the gentoo security handbook:

http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable

It mentions DROPing packets with an INVALID state. It sounded/sounds like a good idea, so I added the following rule:

-A INPUT -i eth0 -m state --state INVALID -j LOG

As suggested, I added this rule just ABOVE this one:

-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I also changed the DROP action to LOG so I could see what it did if anything.

Right after adding this rule, I started seeing lines like this in the log:

Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0

What I don't understand is why it isn't using my LOG prefix that is used for everything else:

-A INPUT -j LOG --log-prefix "(fw-drop):" --log-level 7

Anyone?
Re: [gentoo-user] IPtables question
On Wednesday, 31 January 2007, James Colby wrote:
> I have a small home server that I have connected to the internet through a linksys router and cable modem. The linksys router is currently forwarding all ssh traffic to my gentoo box. What I would
  ^

Take note, that forwarded traffic (it is DNAT-ed in Linksys) would appear on your host as originating from your router. Original source address is stripped by router's NAT. Ergo, you need source address filtering in your router.

--
Pawel Kraszewski
www.kraszewscy.net
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] IPtables question
Hi,

On Fri, 2 Feb 2007 09:45:53 +0100 Pawel Kraszewski <[EMAIL PROTECTED]> wrote:
> On Wednesday, 31 January 2007, James Colby wrote:
>> I have a small home server that I have connected to the internet through a linksys router and cable modem. The linksys router is currently forwarding all ssh traffic to my gentoo box. What I would
>   ^
>
> Take note, that forwarded traffic (it is DNAT-ed in Linksys) would appear on your host as originating from your router. Original source address is stripped by router's NAT.

Nope, just the target Address is rewritten (by routing). DNAT is Destination NAT! I.e. the target IP of the packet is rewritten. Since the Linksys is the default gateway, packets can keep their source IP address. Of course, the source MAC address will be rewritten to the router's -- but that's got nothing to do with NAT but routing instead.

-hwh
Re: [gentoo-user] IPtables question
On Friday, 2 February 2007, Hans-Werner Hilse wrote:
> Nope, just the target Address is rewritten (by routing). DNAT is Destination NAT! I.e. the target IP of the packet is rewritten. Since the Linksys is the default gateway, packets can keep their source IP address. Of course, the source MAC address will be rewritten to the router's -- but that's got nothing to do with NAT but routing instead.

Jeee, I'm terribly sorry. My only excuse is that it was written without the morning coffee... Of course SNAT rewrites source IP and DNAT destination IP, and port forwarding uses DNAT.

Once more, sorry for confusion - my mind was somehow floating around proxying not forwarding.

--
Pawel Kraszewski
www.kraszewscy.net
Re: [gentoo-user] IPtables question
On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
>> List members -
>>
>> I have a small home server that I have connected to the internet through a linksys router and cable modem. The linksys router is currently forwarding all ssh traffic to my gentoo box. What I would like to do is set up iptables to only allow ssh logins from a small number of internet hosts, and to reject and log all other ssh attempts. Can someone please help me out with this. All of the tutorials and documentation that I have found are setting up a fully functioning firewall / NAT / proxy, and I think that is a little overkill for my needs.
>
> If you don't want the whole iptables suite you might want to consider good ole hosts.allow/hosts.deny as an alternative. They work fine with sshd if you have tcpwrappers enabled.

It depends how secure you want your set up to be. I always suggest to disable passwd authentication and enable public key authentication, after you copy paste each client's public key in the file ~/.ssh/authorized_keys. Any passwd cracking attacks will simply fail. I would also suggest that you move your sshd port from 22 to a higher number. All/most of these bots scanning port 22 will now leave you alone. Finally, you can set up additional layers like allow/deny users, MAC addresses, etc. While you're at it, don't forget disabling root logins.

If you want to introduce diverse protection then iptables (and as previously suggested hosts.allow/hosts.deny) is an option. In your iptables script (or saved set of iptables rules) add something like:

iptables -A INPUT -i eth0 -p tcp -s client_ip_address -m tcp --dport 22 -d server_LAN_ip_address -j ACCEPT

Of course, I suggest that you change port 22 in the line above to a higher number 'free' port. Your final catch-all rule at the bottom of your iptables will drop any packets (on any port) from hosts other than the clients you specified in my line above.

Finally, you can repeat this in your router's firewall rules, assuming that you can specify WAN ip addresses (I know that you can in my hardware router, but don't know in yours).

If any one manages to break in to the server through such a sshd setup, then they bl**dy well deserve it!

HTH.
--
Regards,
Mick
Re: [gentoo-user] IPtables question
James Colby wrote:
> currently forwarding all ssh traffic to my gentoo box. What I would like to do is set up iptables to only allow ssh logins from a small number of internet hosts,

iptables -A INPUT -p tcp -s ip-address-of-known-host --dport 22 -j ACCEPT

> and to reject and log all other ssh attempts.

iptables -A INPUT -p tcp --dport 22 -j LOG
iptables -A INPUT -p tcp --dport 22 -j REJECT

Regards,
Norberto
[gentoo-user] iptables question
Hi,

I want to configure firewall such that network 192.168.1.0/24 can only access http server from server1 (192.168.0.2/24) and network 192.168.0.0/24 can not access http server. So I tried this:

# service iptables stop
# iptables -P INPUT DROP
# iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT

But this command sends error that Unknown arg: --dport

HOW CAN I ACHIEVE THIS?

ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF IPTABLES?

TnR
Hiren
Re: [gentoo-user] iptables question
On Tuesday 28 March 2006 07:38, Hiren Dave <[EMAIL PROTECTED]> wrote about '[gentoo-user] iptables question':
> # service iptables stop
> # iptables -P INPUT DROP
> # iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that Unknown arg: --dport
>
> HOW CAN I ACHIEVE THIS?

Raw IP doesn't have port numbers; You'll have to match on the TCP or UDP protocol to be able to match ports.

> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF IPTABLES?

Tldp is a good resource.

--
If there's one thing we've established over the years, it's that the vast majority of our users don't have the slightest clue what's best for them in terms of package stability.
-- Gentoo Developer Ciaran McCreesh
Re: [gentoo-user] iptables question
On 28 March 2006 15:38, Hiren Dave wrote:
> Hi,
>
> I want to configure firewall such that network 192.168.1.0/24 can only access http server from server1 (192.168.0.2/24) and network 192.168.0.0/24 can not access http server. So I tried this:
>
> # service iptables stop
> # iptables -P INPUT DROP
> # iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that Unknown arg: --dport
>
> HOW CAN I ACHIEVE THIS?

Iptables is right, that line is nonsense.

> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF IPTABLES?

I don't have the URL handy right now, but google for Iptables Tutorial 1.2.0.

Uwe
--
Why do consumers keep buying products they will live to curse?
Re: [gentoo-user] iptables question
On Tue, 28 Mar 2006 19:08:38 +0530 Hiren Dave <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I want to configure firewall such that network 192.168.1.0/24 can only access http server from server1 (192.168.0.2/24) and network 192.168.0.0/24 can not access http server. So I tried this:
>
> # service iptables stop
> # iptables -P INPUT DROP
> # iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that Unknown arg: --dport
>
> HOW CAN I ACHIEVE THIS?

Because you need to put in a protocol like -p tcp.

> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF IPTABLES?

http://www.google.com/search?q=iptables+howto
[gentoo-user] iptables question
somewhat offtopic, but since I need any help I can get:

how do I redirect traffic from outward facing interface (192.168.1.114:80) to loopback device (127.0.0.1:80) ?

my most obvious trick:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
    -j DNAT --to 127.0.0.1:80

and

echo 1 > /proc/sys/net/ipv4/ip_forward

didn't help. Machine which is opening connection is hanging there indefinitely... what did I miss?

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
Re: [gentoo-user] iptables question
Under the *nat rule,

-A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to 192.168.7.1:443

Under the *filter rules.

-A ADAMS-FW-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

On 1/20/06, Dmitry S. Makovey <[EMAIL PROTECTED]> wrote:
> somewhat offtopic, but since I need any help I can get:
>
> how do I redirect traffic from outward facing interface (192.168.1.114:80) to loopback device (127.0.0.1:80) ?
>
> my most obvious trick:
>
> iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
>     -j DNAT --to 127.0.0.1:80
>
> and
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> didn't help. Machine which is opening connection is hanging there indefinitely... what did I miss?
>
> --
> Dmitry Makovey
> Web Systems Administrator
> Athabasca University
> (780) 675-6245
Re: [gentoo-user] iptables question
On Friday 20 January 2006 13:49, Trenton Adams wrote:
> Under the *nat rule,
>
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to 192.168.7.1:443
>
> Under the *filter rules.
>
> -A ADAMS-FW-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

I tried similar combination as well to no avail. :(

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245