On Wednesday 10 July 2002 1:00 am, j davis wrote:
Starband satellites claim they don't support real-time protocols
like telnet, ssh, ftp and so on.
What protocols qualify as non real-time ?
Antony.
On Wednesday 10 July 2002 1:14 pm, Ramin Alidousti wrote:
Starband satellites claim they don't support real-time protocols
like telnet, ssh, ftp and so on.
What protocols qualify as non real-time ?
I think what he meant was interactive, not real-time.
Well, that's what I guessed for
I am posting this message on behalf of Jeff Muntel [EMAIL PROTECTED] who
seems to be having some problems with his subscription to the list.
I must admit it sounds like a pretty unlikely possibility to me
-- Forwarded Message --
Is there any way to patch a Linux 2.0.x
On Wednesday 10 July 2002 2:54 pm, Mark Ayad wrote:
I have a problem with the following Firewall Script which works fine apart
from when I try to INTERNALLY connect to the webserver 192.168.0.3:80
using the public IP which if I'm right should be the same as $EXTIF. The
internal machine I'm
On Wednesday 10 July 2002 3:26 pm, Jan Humme wrote:
On Wednesday 10 July 2002 16:03, [EMAIL PROTECTED] wrote:
I believe it can only be fixed in the filter module somehow, as all
packets
travel through the filter module. You may insert a rule to the FORWARD
chain,
to block the
On Wednesday 10 July 2002 3:38 pm, Tom Eastep wrote:
[EMAIL PROTECTED] wrote:
This one looks a bit odd to me, even though I've written it myself, but I
think it should do the trick:
$IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j MASQUERADE
-i can't be used in the POSTROUTING
On Wednesday 10 July 2002 3:51 pm, Mark Ayad wrote:
Nice try but no luck
$IPTABLES -t nat -A POSTROUTING -o $INTIF -i $INTIF -j
can't use -i in POSTROUTING
Yup. Tom just pointed that out to me :-)
So I tried
$IPTABLES -t nat -A POSTROUTING -o $INTIF 192.168.0.0/24 -j MASQUERADE
No
Mark; here is your ruleset, with my comments:
$IPTABLES -P INPUT ACCEPT
With a default ACCEPT policy on INPUT, we can ignore any other rules in this
chain unless they DROP or REJECT packets.
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
With a default ACCEPT policy on OUTPUT, we can
On Wednesday 10 July 2002 4:49 pm, Jan Humme wrote:
On Wednesday 10 July 2002 16:43, Antony Stone wrote:
The mangle table might be your answer.
etc...
I don't get it: the source original addresses are only SNATted *after* the
FORWARD chain has already been filtered
On Wednesday 10 July 2002 5:53 pm, Jan Humme wrote:
On Wednesday 10 July 2002 17:55, Antony Stone wrote:
If the original poster doesn't know what addresses s/he wishes to block,
then I can't think of a netfilter rule which will help :-)
Harty-har-har.!
But I still don't
On Wednesday 10 July 2002 8:36 pm, Faruk Grozdanic wrote:
Hello,
I am trying to block broadcast IP traffic, that is IP traffic that has
255.255.255.255 in the destination field. I pushed a rule:
iptables -I FORWARD -i eth4 -d 255.255.255.255 -j DROP
and it did not filter these out.
On Tuesday 09 July 2002 6:03 am, caricand.jean-michel wrote:
I have a local network with 10.0.2.0 address and 255.255.254.0 netmask.
My firewall has IP 10.0.2.130 on eth0.
My station has IP 10.0.2.2.
I configured my firewall to drop the ping from the station with 1 rule:
# iptables
On Tuesday 09 July 2002 2:41 pm, Dotan Lior wrote:
Hello,
So far it works well. However, when I inspect the NAT table with iptables
-L -t nat -v -n -x, the bytes counter shows extremely low values. I've
transferred a 200Kb file via FTP on the windows client, but the counter was
less than 100
On Tuesday 09 July 2002 6:29 pm, Travis Crook wrote:
Hello,
I currently have two firewalls running. Both on Mandrake 8.1 running
iptables. I currently have two internet connections (one is a DSL line at
1Mb, the other is straight from an ISP at 2.5 Mb). I can get 700Kb speeds
On Tuesday 09 July 2002 6:57 pm, Travis Crook wrote:
The firewall on the DSL is an Athlon XP 1500+. The firewall on the ISP
line is a PII 333. I will check on the full/half duplex issue.
That's a hell of a difference, and could conceivably account for the
bandwidth. I'd say it depends on
On Tuesday 09 July 2002 7:25 pm, Martin Josefsson wrote:
On Tue, 2002-07-09 at 20:08, Antony Stone wrote:
On Tuesday 09 July 2002 6:57 pm, Travis Crook wrote:
The firewall on the DSL is an Athlon XP 1500+. The firewall on the ISP
line is a PII 333. I will check on the full/half
On Tuesday 09 July 2002 11:59 pm, Tim wrote:
Scenario: router eth0 to Fwall 192.168.2.2
Fwall eth0 from router 192.168.2.1
Fwall eth1 from DMZ 172.16.1.1
Fwall eth2 from LAN 192.168.1.1
My understanding of concepts of filtering and nat
Pinging
On Monday 08 July 2002 7:40 am, Tim wrote:
I'm pinging from INTERNAL = 192.168.1.4 and DMZ = 172.16.1.3 each one of
these machines has their own respective default gateway which are INTERNAL
= 192.168.1.11 and DMZ = 172.16.1.1
I agree the routing table looks a little odd in the sense (from
On Monday 08 July 2002 11:56 am, Rohan Almeida wrote:
Hi List,
How do I get the bandwidth usage of a particular IP address, on a m/c which
is performing NAT?
Can I use netstat? Or maybe iptables?
Is there any tool available?
I tried iptraf, but it's too informative for me. I just
On Monday 08 July 2002 3:46 pm, Lukas Ruf wrote:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
Don't forget:
iptables -F -t nat
iptables -F -t mangle
Antony.
but rtfm.
Always good advice :-)
On Mon, 08 Jul 2002, Denis JULIEN
On Monday 08 July 2002 3:56 pm, Antony Stone wrote:
On Monday 08 July 2002 3:46 pm, Lukas Ruf wrote:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
I'd prefer to see:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Then you add
On Monday 08 July 2002 5:23 pm, Tim wrote:
I don't quite understand why you have the line
172.16.0.0 * 255.255.255.0 eth1
in the table ?
I have no idea how this got here to begin with, I certainly did no
such configuration. (??)
Ah. In that case you can blame
On Monday 08 July 2002 5:32 pm, Jan Humme wrote:
What is the reason that iptables does not support default policies on
user-chains?
I suppose it's partly because there's not a lot of point (that I can see).
You can only call a user-defined chain from one of the built-in chains (or
from
On Monday 08 July 2002 5:34 pm, Jan Humme wrote:
On Monday 08 July 2002 17:22, Antony Stone wrote:
I'd prefer to see:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Then you add in the rules for the stuff you definitely know you want to
allow
On Monday 08 July 2002 8:51 pm, Big Daddy wrote:
It worked when I was using a Linksys router. However maybe they have
changed it since then. Do my rules look fine?
Well, I hope these are not your *only* rules ? I mean, like Stewart
suggested, what about the ESTABLISHED packets as well as
On Monday 08 July 2002 9:00 pm, Mike G. Hammonds wrote:
I'm running RH7.2 with iptables1.2.4-2
every time I start iptables I get the following error
Bad Argument 'LOG_LEVEL=notice [FAILED]
any ideas on how to fix this?
Use a numeric argument to --log-level instead
notice=5
So you would
for yourself by doing a grep
on the script for LOOPBACK and spot the line with the mistake ?
Antony.
-Original Message-
From: Antony Stone [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 4:18 PM
To: netfilter
Subject: Re: Bad Argument error
On Monday 08 July 2002 9:00 pm, Mike G
On Monday 08 July 2002 9:39 pm, Big Daddy wrote:
all,
I guess my ISP is blocking port 80. I configured the web server to use
port 8080 and configured my rules the same as before but used port 8080 and
it worked. thanks for all of the help!
Round of applause to Tom Eastep, I think :-)
On Monday 08 July 2002 9:43 pm, Patrick Petermair wrote:
Hi!
I have found the following log entry in my firewall log (I'm running RedHat
7.3 with iptables for firewalling and masquerading):
Jul 8 22:25:11 wormhole kernel: IN=ppp0 OUT= MAC= SRC=207.171.169.16
DST=213.225.41.145 LEN=40
On Monday 08 July 2002 9:43 pm, Patrick Petermair wrote:
Btw: What do the ACK and RST flags mean? Where can I find some infos about
the existing flags?
http://www.faqs.org/rfcs/rfc793.html
Esp. figure 6 p 23
Antony.
of the variable $LOOPBACK either.
Does the error occur on that line of the script, or later on (try commenting
it out and see if the error goes away) ?
How do you run the script ?
Antony.
-Original Message-
From: Antony Stone [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 4:38 PM
it's going to do anyway when it falls off the end.
Antony.
-Original Message-
From: Antony Stone [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 09 July 2002 2:57 AM
To: [EMAIL PROTECTED]
Subject: Re: Why are default policies not possible for user-defined
chains?
On Monday 08 July 2002 5
On Tuesday 09 July 2002 12:49 am, Allen wrote:
On Monday 08 July 2002 11:43 am, Antony Stone wrote:
On Monday 08 July 2002 1:31 pm, Tsachi Sharfman wrote:
snips
However, a more serious problem is what do you possibly want to change in
the NAT rules for a connection which is currently
On Tuesday 09 July 2002 12:31 am, Joakim Axelsson wrote:
2002-07-08 12:43:01+0100, Antony Stone [EMAIL PROTECTED] -
If you are talking about TCP, then I do not believe this assumption is
valid, because only the very first packet of a connection contains the
SYN flag, and only the second
On Sunday 07 July 2002 4:26 pm, Remo Mattei wrote:
Antony Stone wrote:
Depends whether you're talking about putting netfilter onto the server
itself (in which case you filter the INPUT chain), or whether netfilter
is on a router between the servers and the Internet (in which case you
On Monday 08 July 2002 12:32 am, Tim wrote:
Hey ppl,
echo [--Setting Policies--]
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
Please set this one to DROP as well :-)
#
#
## Allow inside traffic to get to the DMZ and back
iptables -A FORWARD -i
On Sunday 07 July 2002 11:54 pm, Dennis Cardinale wrote:
When running a netfilter firewall, is there any reason to continue using
the hosts.deny and hosts.allow files, or is this just superfluous?
hosts.allow can still be useful to specify a command to run when a connection
comes in (eg to
On Monday 08 July 2002 12:24 am, George Vieira wrote:
I thought iptables and linux could block spoofed IPs anyway.. this is a
last resort..
How do you block a spoofed IP ? How do you know it's spoofed ?
Antony
On Monday 08 July 2002 12:33 am, Ed Street wrote:
Hello,
I've taken the hosts.deny file a bit further and wrote a hosts.trashcan
and a hosts.dnat.
The hosts.trashcan uses the time patch, it will reject any ip/netmask
from start_time to end_time on days.
The hosts.dnat file will setup a
On Monday 08 July 2002 12:36 am, George Vieira wrote:
spoofed as in local IP coming in from the internet..
I call that ingress filtering.
I regard spoofing as an incoming connection with a plausible but false source
address, typically used on Denial of Service attacks, either to disguise the
On Monday 08 July 2002 12:48 am, Ed Street wrote:
Hello,
Sure, attached is the hosts.trashcan file I am currently testing.
Interesting. How does your script handle resolving machine names to IP
addresses (as shown in several examples in your trashcan file) when one name
corresponds to
On Monday 08 July 2002 12:51 am, Jack Bowling wrote:
** Reply to message from Antony Stone [EMAIL PROTECTED] on Mon,
08 Jul 2002 00:04:34 +0100
hosts.allow can still be useful to specify a command to run when a
connection comes in (eg to provide some special logging ?), but these
files
]] On Behalf Of Antony Stone
Sent: Sunday, July 07, 2002 7:57 PM
To: [EMAIL PROTECTED]
Subject: Re: hosts.deny
On Monday 08 July 2002 12:48 am, Ed Street wrote:
Hello,
Sure, attached is the hosts.trashcan file I am currently testing.
Interesting. How does your script handle resolving
On Monday 08 July 2002 1:14 am, Martin Tomasek wrote:
I most commonly see it in port scans, and probes for http / sql holes.
You cannot use random spoofed IP addresses with a stateful protocol such as
tcp.
Not if you want the connection to succeed, you can't, no - but if you're just
trying
On Monday 08 July 2002 4:25 am, Tim wrote:
Well, it looks like my netfilter rules/commands are not forwarding even
though I have
## Routing packets (traffic) between INTERNAL and DMZ
echo 1 /proc/sys/net/ipv4/ip_forward
That really says
echo 1 /proc/sys/net/ipv4/ip_forward
or
echo 1
routing table ?
Antony.
- Original Message -
From: Antony Stone [EMAIL PROTECTED]
To: iptables-list [EMAIL PROTECTED]
Sent: Sunday, July 07, 2002 5:30 PM
Subject: Re: forwarding
On Monday 08 July 2002 4:25 am, Tim wrote:
Well, it looks like my netfilter rules/commands
confirmed-email-address list.
It came from IP address 202.102.242.178
Antony.
-- Forwarded Message --
Subject: How to find a firewall project example?
Date: Mon, 8 Jul 2002 9:10:48 +0800
From: GriefUseWeb=0 [EMAIL PROTECTED]
To: Antony Stone [EMAIL PROTECTED]
How to find
On Monday 08 July 2002 5:54 am, Tim wrote:
Antony,
INTERNAL IP = 192.168.1.0/24 -- range 1 thru 11
DMZ IP = 172.16.1.0/24 -- range 1 thru 5
The reason I believe I know it is not forwarding is that when I ping
from the DMZ I get a request time out
In fact I am fairly sure this is a
.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Antony Stone
Sent: Sunday, July 07, 2002 8:12 PM
To: [EMAIL PROTECTED]
Subject: Re: hosts.deny
On Monday 08 July 2002 1:01 am, Ed Street wrote:
Hello,
Dns lookups.
Well, yes, obviously the way
On Saturday 06 July 2002 12:39 pm, [EMAIL PROTECTED] wrote:
Hello,
the rule :
$PATH -A FORWARD -d 192.168.252.0/22 -p all -s 10.1.1.0/24 -j LOG
--log-level DEBUG --log-prefix FWlogDMZLAN :
When I do a
# iptables -L -v -n
I get this result
610 29280 LOG all -- * *
On Saturday 06 July 2002 9:58 pm, Patrick Petermair wrote:
Hi!
I've installed a firewall/gateway with RedHat 7.3 and iptables. I've set up
masquerading for my internal lan and some basic firewall rules.
Everything works fine (icq, ftp, http,...) but there is ONE homepage which
I cannot
On Saturday 06 July 2002 10:13 pm, John Adams wrote:
On Saturday 06 July 2002 04:58 pm, Patrick Petermair wrote:
Hi!
I've installed a firewall/gateway with RedHat 7.3 and iptables. I've set
up masquerading for my internal lan and some basic firewall rules.
Everything works fine (icq,
On Saturday 06 July 2002 11:03 pm, Patrick Petermair wrote:
On Saturday, 6 July 2002 23:35, Dennis Cardinale wrote:
You are right... he needs to change the dash (-) to a tilde (~).
Thnx, now it works (stupid me).
There is only one thing: I still get those log entries when accessing
this
On Saturday 06 July 2002 11:49 pm, Patrick Petermair wrote:
On Sunday, 7 July 2002 00:03, Antony Stone wrote:
What are the logging rules on your firewall ?
[ ... ]
#FWD: Allow all connections OUT and only existing and related ones IN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m
On Friday 05 July 2002 2:27 pm, Cygnus - Flirttown Coder wrote:
Scenario:
X number of clients (with 1 or more ips bound to a box)
behind Cisco Catalysts, behind Cisco 3600, behind Internet
Problem:
We want to move clients off our non-portable IP range and onto our ARIN
range.
Why ?
On Friday 05 July 2002 3:25 pm, Cygnus - Flirttown Coder wrote:
On Fri, 5 Jul 2002, Antony Stone wrote:
On Friday 05 July 2002 2:27 pm, Cygnus - Flirttown Coder wrote:
Scenario:
X number of clients (with 1 or more ips bound to a box)
behind Cisco Catalysts, behind Cisco 3600, behind
On Friday 05 July 2002 10:25 am, david wrote:
OK, I agree. In fact I am just trying.
I have tested a simpler script:
# Standard default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
am here you have the output.
/etc/rc.d/init.d/iptables : command
a capital P
a space
INPUT in capitals
a space
DROP in capitals
enter.
If you really do get an error in response to this, your system is very sick.
Antony.
- Original Message -
From: Antony Stone [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 05, 2002 6:00 PM
Subject: Re
On Friday 05 July 2002 5:28 pm, Cygnus - Flirttown Coder wrote:
The address translation works like this:
iptables -A PREROUTING -d a.b.c.d -j DNAT --to w.x.y.z
ie any packets addressed to a.b.c.d are changed so that they go to
w.x.y.z instead.
so this is the only rule I need to
On Friday 05 July 2002 11:37 am, david wrote:
Antony;
#iptables -P INPUD DROP
iptables:Bad built in chain name
Okay, now type it with a 'T' next time.
Antony.
- Original Message -
From: Antony Stone [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 05, 2002 6:35 PM
) , maybe that is the reason
No, iptables works fine on SMP machines.
Antony.
- Original Message -
From: Joe Patterson [EMAIL PROTECTED]
To: david [EMAIL PROTECTED]; Antony Stone
[EMAIL PROTECTED] Cc: [EMAIL PROTECTED]
Sent: Friday, July 05, 2002 6:45 PM
Subject: RE: I need help
in the local directory were getting executed instead of the
ones in /sbin, /bin etc.
By the way, did you ever try the list of rules I posted in
http://lists.samba.org/pipermail/netfilter/2002-July/024548.html ?
Antony.
- Original Message -
From: Antony Stone [EMAIL PROTECTED]
To: [EMAIL
On Friday 05 July 2002 3:44 pm, david wrote:
Tony:
When I write these rules in the command line all is OK and the rules works
fine.
Good. This is progress.
But if I put the same rules in a script :
#!/bin/bash
# Standard default policies
iptables -P INPUT DROP
iptables -P FORWARD
On Thursday 04 July 2002 5:31 am, Orca J. wrote:
Hi
I want to both DENY and LOG in the same rule ? or ACCEPT and LOG , or
DENY and LOG
You can't put them both in the same rule, but you can create a user-defined
chain and jump to that:
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
On Thursday 04 July 2002 10:11 am, Manish K Arya wrote:
Hi all
I need some help regarding routing tables.
I want to ascertain whether my routing tables have been tampered with by some
user having the administrative rights, and I want to restore the default
values. Which are the routing files?
On Thursday 04 July 2002 2:16 pm, Denis JULIEN wrote:
Hi,
In order to validate the routing of my Red Hat Linux (7.2) I have to do an
echo 1 > /proc/sys/net/ipv4/ip_forward.
But every time that I restart the network service the ip_forward file
returns to the 0 value and my server does not
On Thursday 04 July 2002 3:06 pm, Stephan Viljoen wrote:
Firewall 2:
eth0 : 193.220.24.8
eth1 : 193.220.24.193
eth2 : 192.168.1.1
What are the netmasks on eth0 and eth1 ?
What's the routing table on this machine ?
Antony.
On Thursday 04 July 2002 3:06 pm, Stephan Viljoen wrote:
Firewall 1:
eth0 : 193.220.24.230 : uplink , Gateway : 193.220.24.193
eth1 : 10.0.0.1/16
echo "enabling forwarding.."
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat
Someone just posted this to me instead of the list.
Antony.
-- Forwarded Message --
Subject: RE: MSM Mesanger through a iptables firewall.
Date: Thu, 4 Jul 2002 15:27:56 +0100
From: [EMAIL PROTECTED]
To: Antony Stone [EMAIL PROTECTED]
might be me but what about the irc
On Thursday 04 July 2002 9:38 am, david wrote:
It was a mistake. What I do is
# service iptables save
after that I got a new file in /etc/sysconfig/iptables .
and then :
#/etc/rc.d/init.d/iptables restart 2salida8
And here you see all the errors.
What rules are you trying to set ?
Have
of machine
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# Allow replies etc back in again
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Antony.
- Original Message -
From: Antony Stone [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 04, 2002 4:53 PM
On Thursday 04 July 2002 6:59 pm, Ross Vandegrift wrote:
On Wed, Jul 03, 2002 at 08:12:22PM +0100, Antony Stone wrote:
What kernel source do you start from ?
I start from a clean, bleeding edge tree in the 2.4 series. I usually
apply a few misc patches: Andrew Morton's lowlatency, any
On Thursday 04 July 2002 7:59 pm, Jan Humme wrote:
On Thursday 04 July 2002 20:51, Antony Stone wrote:
On Thursday 04 July 2002 7:48 pm, Jan Humme wrote:
On Thursday 04 July 2002 20:20, Antony Stone wrote:
# Redirect http requests to local proxy
iptables -A PREROUTING -t nat -p tcp
On Thursday 04 July 2002 9:04 pm, Paul Dunphy wrote:
Hi Everyone,
I'm new to stateful firewalls (can you tell?!), and I have a couple of
iptables-related questions:
Question 1:
Is there any reason to itemize the established connections
one by one, or can I simply allow all ESTABLISHED
On Wednesday 03 July 2002 7:13 am, David Gaston Rodriguez wrote:
Sorry! I wrote it badly. Here is the correction:
Hi! I am new to the list, I am from Argentina, this is my problem:
I have a small LAN with a server doing masquerading, I used the kernel
2.2.20 and did not have any problem, now i
On Wednesday 03 July 2002 10:18 am, George Vieira wrote:
Yes, the limitation is in all versions and it's not a netfilter problem.. it's
the design of PPTP, which was Microsoft's big stuff-up, from memory. The design
didn't allow multiple connections from the same source..
Use a Linux to Linux VPN and
On Wednesday 03 July 2002 10:28 am, George Vieira wrote:
All you really need is to POSTROUTE the workstations..
With PPPoE do this..
INTSN=192.168.1.0/24
IPTABLES=/sbin/iptables
EXTDEV=`adsl-status | grep "Link encap" | awk '{print $1}'`
$IPTABLES -A POSTROUTING -o $EXTDEV -t nat -s $INTSN
On Wednesday 03 July 2002 4:57 pm, Jörgen Danielsson wrote:
This is part of the rules
$PROG -t nat -A PREROUTING -p tcp -d ooo.ooo.*17.*54
--dport 25 -j DNAT --to iii.iii.iii.*15:25
Any packets coming in to ooo.oo.*17.*54 TCP port 25 get destination
translated to iii.iii.iii.*15 port 25.
On Wednesday 03 July 2002 5:39 pm, Jörgen Danielsson wrote:
Thanks for the reply
I asked the company earlier why they don't put it on
the 172 net they have as well; the explanation will be
a bit too long to get here, but the answer is that they
must have a real c-net behind the firewall
On Wednesday 03 July 2002 7:41 pm, Karina Gómez Salgado wrote:
The rules I'm using are these:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j ACCEPT -v
$IPTABLES -A OUTPUT -s
On Wednesday 03 July 2002 8:01 pm, Ross Vandegrift wrote:
I'd rather use IPSEC if I can only just compile my damn kernel right
for once.. (it's been a while)..
FreeS/WAN isn't difficult - it just takes a while, and you have to follow
the instructions carefully. I think the guides
On Wednesday 03 July 2002 10:27 pm, Karl Kopper wrote:
I am trying upgrade a long list of ipchains rules to iptables and am stuck.
On ipchains I was able to create ACCEPT rules in the forward chain that
would cause some packets (based usually on source IP address AND port
number) to simply
On Wednesday 03 July 2002 11:24 pm, Simon McLeod wrote:
I currently have a linux machine with a perm modem connection to the
net. I'm using iptables to port forward from this machine to other
machines in my private network. All is working fine.
I've now just installed ADSL in bridged mode
On Tuesday 02 July 2002 3:25 pm, Daniel Letkiewicz wrote:
Hi,
I'm wondering if there are some ideas to exchange stateful information
between two (or more) hosts (like in CheckPoint) to build an HA environment.
Try section 12 under:
On Tuesday 02 July 2002 9:13 pm, Jan Humme wrote:
Ain't this what masquerading is all about?
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Are you asking about the difference between MASQUERADE and SNAT ?
If so, the answer's not a lot, except:
1. MASQUERADE checks the address of
On Tuesday 02 July 2002 9:47 pm, Jan Humme wrote:
On Tuesday 02 July 2002 22:18, Antony Stone wrote:
On Tuesday 02 July 2002 9:13 pm, Jan Humme wrote:
Ain't this what masquerading is all about?
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
1. MASQUERADE checks
On Tuesday 02 July 2002 9:51 pm, Ben wrote:
On Tue, 2 Jul 2002, Jan Humme wrote:
No, I just wanted to point out that masquerading provides an easy way to
get the desired results.
It does, true, but the howto recommends not using MASQ for static IPs. If
I had just done what told me what
On Monday 01 July 2002 12:20 am, angela cearns wrote:
hello group,
I want to check if there is any way I can measure the # of
packets after the iptables acted on them, i.e. after dropping the
packets. I use ethereal; it gives me all the packets before the
iptables have acted on them?
What do
On Monday 01 July 2002 12:45 am, Dan Crooks wrote:
I have two internet connections, one DSL and one Cable. I want to run both
connections to one machine using separate NICs. Can I apply the same
rules to both interfaces? I can't see a problem with incoming connections
but not sure about
On Sunday 30 June 2002 3:37 pm, Luigi Cartuccia wrote:
Hi to all, I'm Luigi. I have a recompile problem. I have linux-2.4.7 and I
must recompile linux-2.4.3. On the desktop PC I have no problem, but in my
laptop PC (Compaq Armada 1590DT pentium 166M) after recompiling, I choose
linux-2.4.3 and:
On Saturday 29 June 2002 7:21 pm, Tim wrote:
Hi everyone,
On my firewall box, as mentioned previously, I have
three NICs. On PCI slot 1: video card; PCI slot 2: 1st NIC; PCI slot 3: 2nd
NIC; PCI slot 4: 3rd NIC. Now, eth0 would be the 1st NIC on slot 2 ? Is
this correct ? I need to
On Saturday 29 June 2002 9:19 pm, Axel Christiansen wrote:
hi,
how can one capture packets before
netfilter throws them away.
What do you mean by 'capture' ?
If you mean send them to a user application, have you tried the ULOG target ?
Antony.
On Saturday 29 June 2002 9:56 pm, ganesh kumar godavari wrote:
hello group,
I have attached my shell code to limit the ping-icmp and
tcp-syn and tcp-portscan protection. I need some help in this
matter.
I am not able to limit the incoming tcp-syn packets and port scan
packets done
demonstrates the problem, and we'll see what we can do.
Antony.
-Original Message-
From: Antony Stone [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 26 June 2002 7:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Iptables forwarding
On Wednesday 26 June 2002 8:41 am, Loc Huynh wrote:
Hi
On Thursday 27 June 2002 1:49 pm, Mika Ullgren wrote:
Thank you all for answering on such short notice...
I have read each one of your answers.
I changed the -I to -A in the script to append the rules.
Now when I connect to either http://192.168.64.59 or
http://192.168.64.75 I get the
On Thursday 27 June 2002 2:49 pm, Mika Ullgren wrote:
Yes I did. Sorry I forgot to mention that... If I use DNAT exactly the
same thing happens as with REDIRECT.
Any other ideas?
Here's a bit of a daft idea, but you never know.
Try using DNAT to a completely different address (which
On Thursday 27 June 2002 1:49 pm, Mika Ullgren wrote:
Now when I connect to either http://192.168.64.59 or
http://192.168.64.75 I get the same DocumentRoot. But when I go to
http://192.168.64.75:8443 (eth0:0) I get the other DocumentRoot. So it
seems there is something strange in the
On Thursday 27 June 2002 7:27 pm, Ramin Alidousti wrote:
Hi,
Does anyone have a good solution to catch the third (ACK) packet
in a tcp connection setup?
Is the --ctstatus connection tracking extension any use ? The value
SEEN_REPLY will tell you when the second packet's come in, and
On Thursday 27 June 2002 8:10 pm, Joe Patterson wrote:
catching the third packet is easy. The hard part is to both catch the
third packet and *not* catch all of the rest of the ack packets.
There are some distinguishing characteristics... it is the first packet
sent by the client that is
On Thursday 27 June 2002 8:44 pm, Patrick Schaaf wrote:
There are some distinguishing characteristics... it is the first packet
sent by the client that is in state ESTABLISHED. it should have ACK
set and no other flags. the tcp data length should be zero.
Isn't that in itself a