RE: HTTP Port forwarding issues

2002-07-08 Thread Stewart Thompson
Try changing your NEW statement to NEW, ESTABLISHED, RELATED and see if that helps your situation. Stu -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Big Daddy Sent: July 8, 2002 12:38 PM To: [EMAIL PROTECTED] Subject: HTTP Port

RE: HTTP Port forwarding issues

2002-07-08 Thread Stewart Thompson
Perhaps you should publish your entire rule set. Trying to help you with piecemeal rules is pretty tough. The order of the rules is important. Logging is also useful as recommended in an earlier post. What does a TCPDUMP show for port 80 on the External and Internal Interfaces? Also, what are you

RE: Spam: How to find a firewall project example?

2002-07-07 Thread Stewart Thompson
Hi Antony: Nothing like that has come through here. You must just be lucky. :) Stu.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Antony Stone Sent: July 7, 2002 6:23 PM To: netfilter Subject: Spam: How to find a firewall project

RE: Linksys v. Netfilter

2002-06-22 Thread Stewart Thompson
Hmmm. I don't know, but I would think it would be like comparing apples to oranges. I have, and continue to use both. The Linksys is quick and easy to set up, and can be looked after by someone with a reasonable amount of knowledge. It is great for small offices and homes where there are only a

RE: Current NAT Connections

2002-06-20 Thread Stewart Thompson
Nevin: Have you looked at iptstate? It shows real time connection information similar to top. Stu -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Nevin Swan Sent: June 20, 2002 4:18 PM To: NetFilter IPtables (E-mail) Subject: Current NAT

RE: invert problem with multiport

2002-06-18 Thread Stewart Thompson
Hi Christoph: I am still running iptables 1.24. However, in that version I don't think it supported the ! negation on multiport. Later versions may have added that capability. Perhaps one of the members of the list has a more definitive answer. Stu... -Original

Port 25 forwarding:

2002-06-13 Thread Stewart Thompson
Eugene: I made a couple of changes to your script. I added the ip_conntrack module. I rewrote your forwarding rules near the end. I would recommend that you make all your default policies drop, and then open up what you need to. Try those changes. If they don't work do an iptables -v -L

WinMX:

2002-06-13 Thread Stewart Thompson
Hi All: I am having some problems with WinMX through an iptables firewall. It doesn't seem to like the way WinMX uses UDP packets. Is there a helper module for this, or can anyone suggest some rules. WinMX is running on multiple machines behind the firewall. So, I just can't forward the

RE: Lowest spec processor that netfilter will run on

2002-06-07 Thread Stewart Thompson
Hi: I have set up iptables firewalls for several personal LANs with anywhere from 2 to 10 computers on them. Some were on ADSL and some were on ADSL. I have used Pentium 100s with 48 MB of 72-pin RAM to 486DX2-100 with 48 MB of 72-pin RAM, and even a 486DX2-66 with 24 MB of RAM.

WinMX:

2002-06-05 Thread Stewart Thompson
Hi All: I am having some problems with WinMX through an iptables firewall. It doesn't seem to like the way WinMX uses UDP packets. Is there a helper module for this, or can anyone suggest some rules. WinMX is running on multiple machines behind the firewall. So, I just can't forward the

RE: which rule is right?

2002-05-29 Thread Stewart Thompson
Hi: You are halfway there. Rule 1 is ok. However you need to change rule 2. Rule 1 means: if a packet is received from the desired ip destined for the external ip for telnet, DNAT it to the internal telnet server address. However the packet is still sitting at the

RE: Can't block DHCP with iptables?

2002-05-28 Thread Stewart Thompson
]]On Behalf Of Roar Bjørgum Rotvik Sent: May 27, 2002 11:58 PM To: [EMAIL PROTECTED] Subject: RE: Can't block DHCP with iptables? On Mon, 27 May 2002, Stewart Thompson wrote: Normally the iptables script runs after the interfaces have been brought up by the system. By that time blocking DHCP

RE: iptables rule order

2002-05-28 Thread Stewart Thompson
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of SB CH Sent: May 28, 2002 2:21 AM To: [EMAIL PROTECTED] Subject: iptables rule order Hello, netfilters! I read that the iptables rule order is important. In linux firewalls 2nd edition written by ziegler

RE: I can't vpn !

2002-05-28 Thread Stewart Thompson
I can understand your frustration. I am assuming you have other things working on this firewall. Perhaps you could post a sanitized printout of iptables -v -L and your Kernel and iptables version for the Group so they can see what is happening. Also, it has been my experience that tcpdump

RE: Can't block DHCP with iptables?

2002-05-28 Thread Stewart Thompson
28, 2002 10:21 AM To: Stewart Thompson Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Can't block DHCP with iptables? On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote: Roar: You are absolutely right. I just tried on one of my machines. It still manages to get an ip

RE: Can't block DHCP with iptables?

2002-05-28 Thread Stewart Thompson
Thanks for the excellent description Evan. -Original Message- From: Evan Cofsky [mailto:[EMAIL PROTECTED]] Sent: May 28, 2002 9:34 AM To: Stewart Thompson; [EMAIL PROTECTED] Subject: Re: Can't block DHCP with iptables? Derrik Pates touched on this earlier in the thread, but I'll try

RE: Type of Service bits

2002-05-27 Thread Stewart Thompson
Julz: According to the man page tos is only valid in the mangle table. Try: iptables -t mangle -A OUTPUT -p tcp -d 0.0.0.0/0 --destination-port 22 -j TOS \ --set-tos Minimize-Delay Stu. -Original Message- From: [EMAIL PROTECTED]

RE: Can't block DHCP with iptables?

2002-05-27 Thread Stewart Thompson
Roar: Normally the iptables script runs after the interfaces have been brought up by the system. By that time blocking DHCP is kind of irrelevant. A default policy of drop should block everything all right, but it is kind of closing the barn door after the horse has left. Why not just

RE: Newbie question

2002-05-15 Thread Stewart Thompson
Ken: Try it with the adjustments below. Also make sure you have a rule to allow the machine to get back out from the Internal Network to the Internet. Also if there are other rules in your script, make sure the packet isn't dropped by a preceding rule before it reaches your DNAT

RE: Security Advisory

2002-05-09 Thread Stewart Thompson
Harald: Does this apply to all versions of Kernels and iptables? Or did it creep in on an upgrade or patch along the way. For example, I am running kernel 2.4.9-31 and iptables 1.24 which is the last version released by Redhat. Does it go that far back? Regards, Stu...

RE: (no subject)

2002-05-09 Thread Stewart Thompson
Tyler: I think most people on the list would recommend a drop all Policy on all chains, and then open up what is required to achieve your goals. After all, the whole purpose of a firewall is to give your system as much as possible. Ramin: My version of the syn rule allows 5/s

RE: (no subject)

2002-05-09 Thread Stewart Thompson
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Stewart Thompson Sent: May 9, 2002 5:08 PM To: Tyler Kemp; Ramin Alidousti Cc: [EMAIL PROTECTED] Subject: RE: (no subject) Tyler: I think most people on the list would recommend a drop all Policy

RE: (no subject)

2002-05-09 Thread Stewart Thompson
compromising security. Hope that helps. Stu.. -Original Message- From: Ramin Alidousti [mailto:[EMAIL PROTECTED]] Sent: May 9, 2002 5:34 PM To: Stewart Thompson Cc: Tyler Kemp; [EMAIL PROTECTED] Subject: Re: (no subject) On Thu, May 09, 2002 at 05:08:09PM -0700, Stewart Thompson

RE: www.lansrus.net Update

2002-04-30 Thread Stewart Thompson
I happen to be Norwegian myself, and this is absolutely hilarious. :-D Arne On Mon, 2002-04-29 at 17:15, Tony Earnshaw wrote: man, 2002-04-29 kl. 20:05 skrev Stewart Thompson: Maybe your cats should set up a consulting business. :) RE: www.lansrus.net Update Thing is, I have

RE: how to route 2 ethernets ?

2002-04-30 Thread Stewart Thompson
Carlos: Every situation has different requirements. There are a number of examples here. http://www.linuxguruz.org/iptables/ Check out the multilingual netfilter documentation page. http://netfilter.samba.org/documentation/index.html HTML Man Pages.

RE: Adding workstation to PDC

2002-04-29 Thread Stewart Thompson
I think you are in the wrong list. This is the iptables list. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Black Sent: April 29, 2002 6:59 AM To: netfilter Subject: Adding workstation to PDC Use current CVS version as of 4/29/02 Trying to

RE: R: ERROR: invalid mask `root' specified

2002-04-29 Thread Stewart Thompson
You could also try putting set -xv at the beginning of your script. This gives you a lot of output though. I usually just put marker echo commands so that I have a reference as to where I am in the script. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of

RE: www.lansrus.net Update

2002-04-29 Thread Stewart Thompson
Hi Tony: Maybe your cats should set up a consulting business. :) Stu. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tony Earnshaw Sent: April 29, 2002 10:37 AM To: hard__ware Cc: [EMAIL PROTECTED] Subject: Re: www.lansrus.net Update

RE: www.lansrus.net Update

2002-04-29 Thread Stewart Thompson
Huh? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tony Earnshaw Sent: April 29, 2002 2:16 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: www.lansrus.net Update man, 2002-04-29 kl. 20:05 skrev Stewart Thompson: Maybe your

RE: DNS Based Routing

2002-04-29 Thread Stewart Thompson
Chris: Wouldn't multiple IPs on the External Interface with corresponding DNS entries be a much more effective way to deal with this? Then each server could have an associated DNAT and FORWARD rule. Just a thought. I don't know what your limitations are. Stu. -Original

RE: Circumventing IPTables

2002-04-29 Thread Stewart Thompson
Chris: The information you give is a little sketchy for any of us to give you a good answer. In general the order of the rules is important. If the packet traverses a rule which accepts it before it reaches your ban rule, it will make it through every time. Review your rules

RE: DNAT and Forwarding FTP to internal Server

2002-04-28 Thread Stewart Thompson
Chasper: If you want outside machines to be able to establish ftp connections, you will have to add NEW to your forward rule as well. Something like: $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 21 -j DNAT --to $FTPSERVER $IPTABLES -A FORWARD -p tcp -i $EXTIF -o

RE: DNAT problem

2002-04-27 Thread Stewart Thompson
Erik: It would be useful to see the rules you are actually using. Do you have a Forward rule to match the prerouting DNAT rule? The latest Redhat 7.2 Kernel is 2.4.9-31 and iptables is 1.2.4. It wouldn't hurt to upgrade. Stu -Original Message- From: [EMAIL PROTECTED]

IGMP Packets:

2002-04-26 Thread Stewart Thompson
Hi All: In reviewing my Firewall Logs, I see lots of IGMP dropped packets. These are from recognized servers from my ISP, Name Servers etc. I have been seeing lots of bad things about ICMP packets, and they seem to be related. Does anyone have any comment regarding security risks

IGMP Packets - Addendum:

2002-04-26 Thread Stewart Thompson
Hi All: In reviewing my Firewall Logs, I see lots of IGMP dropped packets. These are from recognized servers from my ISP, Name Servers etc. I have been seeing lots of bad things about ICMP packets, and they seem to be related. Does anyone have any comment regarding security risks

RE: IGMP Packets - Addendum:

2002-04-26 Thread Stewart Thompson
Thanks for the Reply. -Original Message- From: Ramin Alidousti [mailto:[EMAIL PROTECTED]] Sent: April 26, 2002 1:48 PM To: Stewart Thompson Cc: [EMAIL PROTECTED] Subject: Re: IGMP Packets - Addendum: On Fri, Apr 26, 2002 at 01:25:20PM -0700, Stewart Thompson wrote: Hi All

RE: newbie search how to read the log generated by the LOG command...

2002-04-24 Thread Stewart Thompson
It depends on how your system is set up. With Redhat 7.2 with loglevel set to info, they are logged to /var/log/messages. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Cellule Internet EAI Sent: April 24, 2002 12:35 AM To: [EMAIL PROTECTED]

RE: Forwarding some ports...

2002-04-24 Thread Stewart Thompson
I think the syntax is --dport 2090:2098. You can forward to a range of contiguous IP addresses. But I don't think you can forward to a bunch of non-contiguous IP addresses. Check the man pages. Unless you specifically tell it to, iptables shouldn't change the destination port. So if you don't

Traceroute and Tracert:

2002-04-23 Thread Stewart Thompson
Hi All: Can anyone tell me the rules to allow Linux Traceroute, and DOS tracert from inside the firewall. The default policy is to drop all. I am not sure of the exact ports and protocols to open up. Using Redhat 7.20 Kernel 2.4.9 and iptables 1.24. Thanks. Stu...

RE: logging allowed ports

2002-04-16 Thread Stewart Thompson
Hi Mark: One way of approaching it is to set up user defined chains to handle all the different situations you want to log. Then send the matches to them. Each one could also have a different log prefix and log level at your discretion. Stu.. -Original Message- From:

RE: IPV4 Reference:

2002-04-16 Thread Stewart Thompson
Hi Maciek: I am running Redhat 7.2 with Kernel 2.4.9-31. I should have mentioned that, although I thought the question was general enough. I don't seem to have that path, although I have found some documentation under /usr/share/doc. What documentation I have found keeps

RE: DNAT hints

2002-04-10 Thread Stewart Thompson
Jeffrey: Are you trying to use port 22 for both? How are the rules going to differentiate between where you really want to go? Have you tried setting up a different port for one of them? Say port forwarded to port 22 on the internal machine. Something along the lines of the

RE: iptables on a PDC

2002-04-10 Thread Stewart Thompson
Brian: On your Firewall Machine something like this should work. $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $ANYWHERE -j ACCEPT On your client machine something like this to allow outputting Connections to the PDC. $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

RE:

2002-04-10 Thread Stewart Thompson
Ron: I think there should be a link from this site to a sample script. http://www.linuxguruz.org/iptables/ Stu. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron Sent: April 10, 2002 7:05 PM To: [EMAIL PROTECTED] Subject: Re:

RE: Little help with outbound connections?

2002-04-09 Thread Stewart Thompson
Hi Mike: If I understand you correctly, there are several machines with connections to the Internet as well as the Internal LAN. Thus an external PPP0 or Ethernet and an Ethernet card on the Internal LAN. Assuming the above assumptions are correct. This is the line I have in my firewall