Hi, I'm getting unresolved symbols from the following under kernel
2.4.18, using iptables v. 1.2.5.
I ran the iptables installation per the INSTALL file, remade the kernel
and modules.
modprobe ip_tables
/lib/modules/2.4.18/kernel/net/ipv4/netfilter/ip_tables.o: unresolved symbol
Hello to all.
Do you think it's possible to make a BLOCK target that works like DROP, but
remembers the IP and denies any access for a configured time?
Ciao,
Piergiorgio Ghezzo [PJ]
Hi all,
I have a question which may have been asked before but I will ask it anyway!
When I start iptables I get the following messages:
ip_conntrack (1011 buckets, 8088 max)
What exactly does bucket mean? And does the 8088 max mean 8088 concurrent
stateful connections at one time! Can
Hi all,
I have iptables and freeswan VPN working in my lab but a very interesting
thing is happening and I'm not sure if someone else has seen this:
When I start my ipsec client from my Windows 2000 to my iptables server,
which is running NAT too, it works perfectly fine. It's when I log off my ipsec
On Wed, 2002-05-22 at 16:28, [EMAIL PROTECTED] wrote:
I'm using a 2.4.x series kernel, but due to time constraints lately, I'm
using the ipchains compatibility module and our old ipchains scripts.
Unfortunately, I have yet to find how to get active ftp connections
working through this. The
On Tuesday 21 May 2002 9:53 pm, [EMAIL PROTECTED] wrote:
Hello all,
this is my first time posting to this board. I am having trouble
with my iptables rules.
The problem I am having is that the internal private subnet
(192.168.1.0/24) on my network is unable to bring up sites that
have
On Fri, May 31, 2002 at 11:11:15PM +0200, Sascha Reissner wrote:
Two issues, first issue is a simple question:
[root] iptables -h
...
--check -C chain        Test this packet on chain
...
[root] iptables --check
iptables v1.2.6a: Unknown arg `--check'
What's up with
Hi All:
I am having some problems with WinMX through an iptables firewall.
It doesn't seem to like the way WinMX uses UDP packets. Is there a helper
module for this, or can anyone suggest some rules. WinMX is running on
multiple machines behind the firewall. So, I just can't forward the
Hi, I'm Luigi. Where can I find material on sk_buff?
Thank you
Good evening!
Currently I'm trying to set up an IPIP tunnel via two dialup routers.
Setup as follows:
host1 -- (DMZ) -- router1 -- (INTERNET-CLOUD) -- router2 -- (DMZ) -- host2
Between host1 and host2 I've established the IPIP tunnel. Both routers
are set up this way:
iptables -t nat -A
Hi
Does anyone know how to use arptables in 2.4.18 pre 19?
I successfully applied two modules into the RAM, and what now?
Is there any doc?
Tom
Harald, have you just come back from holiday or something, and approved a
whole load of postings to the list ???
It's as much as I can do to keep up reading them, let alone answering them as
well :-)
Antony.
It is fairly easy -
The redirect to squid is done in the PREROUTING chain and SNAT
is done in POSTROUTING...
So if it is port 80 it will get picked up first, otherwise it will be SNAT'ted in
the POSTROUTING chain:
iptables -t nat -A PREROUTING -i $INTERNAL_INTERFACE -p
Hello
I have constant troubles with nfs mounts on my masquerading
machine. Whenever I use iptables the nfs mounts on the
masquerading machines are destroyed after some time.
Setup consist of nfs server with public IP address and
several clients with private addresses behind masquerading
machine.
Does someone know MSN? One client asked me to put this shit
program to work through an iptables proxy. If someone knows the rules, send me a mail
please...
Luiz
I am trying to replace a Checkpoint firewall running on Nokia hardware.
Under the config for the Nokia box I can tell the box to arp for addresses
other than its own. How do I do this under Linux in a way so that iptables
can be used to translate the address to its ultimate destination behind
Hi there,
I set up a classical Linux firewall box with two private IP segments, one
for the intranet (192.168.1.0/24), the other one for the DMZ (10.0.0.0/8).
Please find my firewall scripts (I've deleted IP addresses for security
purposes but it's not very important to understand, isn't it? Sorry
Hi:
Below is my network topology ( n = 60 ):
internet --- linux box - PC1
ADSL(1024k) |
| PC2
|
| PCn
If the linux box only serves as a gateway,
Hi all,
I'm trying to find a Linux (kernel 2.4) software module that will allow me to
create a firewall cluster based on netfilter/iptables.
- Is there any software to create a high availability firewall solution
based on Linux (netfilter)?
I would like to get something similar to the Nokia
Hi,
I would like to SNAT icmp fragmentation-needed messages that have source
address from private network range (RFC1918), I have tried something like:
iptables -t nat -I POSTROUTING -j SNAT --to real_address -p icmp \
--icmp-type fragmentation-needed -s 192.168.0.0/16
but it does not work.
Firstly, I would like to thank every one on this list, for either your
problems, or your solutions to various situations, which you have put down
literally, to help others, like myself, learn from your experiences.
I hope that this link will save a lot people a lot of time (not to mention
On Wed, Jun 05, 2002 at 09:53:03AM -0400, Ramin Alidousti wrote:
On Wed, Jun 05, 2002 at 01:27:41PM +, Francisco Alfonso Martinez Lopez wrote:
Hi everybody, how can I deny smurf attacks on my host? It's a single
connection to the Internet. Any possibility of denying smurf attacks on the
Hi,
The
ip6tables.c:502: `AI_CANONNAME' undeclared (first use in this function)
ip6tables.c:509: warning: implicit declaration of function `getaddrinfo'
ip6tables.c:527: warning: implicit declaration of function `freeaddrinfo'
ip6tables.c:540: `NI_MAXHOST' undeclared (first use in this
Hi,
I'm running a DNS server here and I'm not sure if the following rule is
enough to allow DNS queries from everywhere:
$IPTABLES -A INPUT -p udp --destination-port 53 -j ACCEPT
You should also allow TCP port 53. DNS uses both.
As I remember, when clients query the DNS Server
iptables NAT still does not have a conntrack to handle the embedded
netbios addresses for a NATed subnet. Basically you cannot use iptables
NAT if there are MS networking hosts on any NATed subnet. Is anyone
working on this now?
I am very puzzled by this because I find very few networks
Do the ip_conntrack h323 modules support more than one
connection at the same time??
Hi there,
I use the sample script given in Linux IP Masquerade HOWTO
(Section 3.4.1) for my Slackware box. I read from netfilter
homepage that it's better to start rc.firewall right after
the network is set up, so I start up the script in rc.inet2
before any network services.
I can ping the box
I've had no luck getting POP3/SMTP going through my RedHat 7.1 2.4
kernel iptables box. I have been able to set up incoming FTP connections
through my firewall, but no luck on the email. Here's my script... I've
pretty much added a lot of extra stuff hoping that something would work and I
Hi,
There is a netfilter/conntrack module in the 2.2
kernel but I cannot find it in the 2.4 kernel.
Where can I get more information about Real
Player NAT issues for netfilter. I cannot find
anything on the netfilter homepage.
MH
On Thursday 30 May 2002 00:10, Jorge# ./S wrote:
Any ebtables expert can help us solve this:
Can GRE packets be forwarded on a linux box using ebtables?
-- Forwarded Message --
Subject: Re: I can't vpn ! - ebtables can forward GRE?
Date: Thu, 30 May 2002 00:09:11 +0100
we cat the date upon starting the firewall script to a file .buttsave :)
A cronjob runs every minute which checks for the .buttsave file, if it's
present, it will flush the firewall.
So, directly after running the firewall script we have to rm the .buttsave
file.
The cron is called
Hello,
Hi! I just visited your site http://www.iptables.org/contact.html#list and
it really did help me a lot. Thanks!
But I still have some questions. Can you teach me how to configure a
subnetwork in kernel 2.4? I'm a newbie with Linux networking.
I want to set up a private network in my
I'm trying to determine if the following can be done. I've searched for a
solution but cannot find it... because most people are not forced to
attempt this.
Here is the scenario:
Site A 10.0.0.0/8
||
||
Core Router==Internet
||
||
Site B 10.0.0.0/8
My problem is that the
Is there a way, apart from rebooting, to flush the connections listed in
/proc/sys/ip_conntrack?
Stale UNREPLIED connections, that is...
TIA
Hi,
Thanks for the mail.
I could see the rules properly now.
[root]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere
On Thursday 09 May 2002 5:41 am, Tyler Kemp wrote:
Hey,
I recently installed linux on a spare box I had, in order to share my DSL
connection throughout the house. I've run into a problem with iptables.
The symptoms:
The linux box connects properly to my DSL service, and can see
Subject: RE: PPTP/GRE + Newnat Issues
Hi,
What happens if you explicitly allow the GRE protocol ?
iptables -A FORWARD -p 47 -j ACCEPT
It shouldn't be needed if you let through RELATED connections though...
Regards,
Filip
-Original Message-
From: SoulBlazer [mailto:[EMAIL
On Thursday 16 May 2002 12:26 am, Julio Gruskin - PWeb ONline! wrote:
I built the iptables ruleset (/etc/sysconfig/iptables) in my RH7.2. It
seems to work okay when booting my system as it shows when 'iptables -L -n'
but some rules are not okay, I can't connect to the internet from my
On Thursday 16 May 2002 12:12 am, Adrian Hobbs wrote:
I am wondering what is the best way to specify an odd group of hosts. For
example, I want to allow management hosts access to 192.168.0.5. The
management hosts are 192.168.1.4, 192.168.1.12, 192.168.1.96.
eg:
iptables -A FORWARD -p tcp -d
Hi,
After fiddling with iptables a lot and with a looot of help from list I
finally managed to get it working.
I did,
# modprobe iptable_nat
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Now my client machines can ping and browse the network.
On Monday 10 June 2002 10:12 pm, Felix D. Cat wrote:
I've had no luck getting POP3/SMTP going through my RedHat 7.1 2.4
kernel iptables box. I have been able to set up incoming FTP connections
through my firewall, but no luck on the email. Here's my script...
#for POP3 and SMTP mail
On Monday 03 June 2002 5:11 pm, Craig Smith wrote:
I am trying to replace a Checkpoint firewall running on Nokia hardware.
Under the config for the Nokia box I can tell the box to arp for addresses
other than its own. How do I do this under Linux in a way so that
iptables can be used to
After limit-burst has been reached, how do I
manually completely recharge it? The following did NOT work:
iptables -F
iptables -X
-- Bob Simon, TNE Services Delivery Mgr.
UNO Tech Park, 504-304-0299
My default policy in this test environment is ACCEPT for all chains and
tables (should this matter?).
(~)# : iptables -t nat -L -nv |grep policy
Chain PREROUTING (policy ACCEPT 17915 packets, 2673K bytes)
Chain POSTROUTING (policy ACCEPT 9 packets, 471 bytes)
Chain OUTPUT (policy ACCEPT 9
On Thursday 13 June 2002 7:55 pm, [EMAIL PROTECTED] wrote:
Hi:
I use SNAT for the LAN (192.168.10.0/24) to the DMZ (172.16.10.0/24),
but I found that this way the LAN PCs will become only one IP to the DMZ server.
So I think if I can bind another IP (eg: 192.168.10.2) to the firewall,
and use DNAT for the LAN
This is what I did ... write a script! You could have several parts,
one for accepted hosts, etc... I actually had certain ports that I had a
bunch of eggdrops allowed access on... listed the rules for the ports
and added the IPs to the first line ...
for i in a.b.c.d e.f.g.h i.j.k.l
do
On Tue, 28 May 2002, Stephen Frost wrote:
* Thomas Heinz ([EMAIL PROTECTED]) wrote:
Netfilter supports arbitrary netmasks for IP addresses which is more
powerful than just those IP/x (0 <= x <= 32) expressions.
For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work
Hi Joost
You wrote:
But something like IP/255.255.255.192 is still valid and is probably used
quite a lot. At least i use it. It's easy to use a $NETMASK variable in
scripts for this.
IP/255.255.255.192 == IP/26
Thomas
I usually use:
iptables -A FORWARD -s 0.0.0.255/0.0.0.255 -j DROP
iptables -A FORWARD -d 0.0.0.255/0.0.0.255 -j DROP
iptables -A FORWARD -s 0.0.0.0/0.0.0.255 -j DROP
iptables -A FORWARD -d 0.0.0.0/0.0.0.255 -j DROP
to stop routing of broadcasted packets. This works assuming you only have 256
Which is not generally a valid thing to assume.. the .255 and/or .0
address may be in use on larger networks, especially if addresses are
assigned dynamically using a large DHCP scope..
On Tuesday 28 May 2002 16:07, Filipe Almeida wrote:
I usually use:
iptables -A FORWARD -s
True.
I attach interface (-i/-o) matches so I will only filter my networks. I
wrote those lines off the top of my head so I forgot the -i/-o.
At 20:45 28-05-2002 +0200, Henrik Nordstrom wrote:
Which is not generally a valid thing to assume.. the .255 and/or .0
address may be in use on larger
Hi Eric,
I was hoping to have a SNAT rule for each incoming interface in the
PREROUTING chain on the core router, but you can't do SNAT in PREROUTING with
iptables.
The problem lies in routing NAT'ed traffic back to its respective
device. If the devices have the same IP address there
Subject: RE: newbie problem? Compilation error: ll_proto.c:36: `ETH_P_ECHO' undeclared
Hi,
Has anyone already answered this ?
Actually you are trying to compile iproute2, which is not netfilter/
iptables related.
However, your compile error can be fixed by commenting out line
36 of
Although the TCP sequence numbers may get sent to the log file (if
logging is turned on for a rule), if it is not present in the state table
(/proc/net/ip_conntrack), then it is not used to maintain state.
However, I cannot verify that Firewall-1 does this as well (although any
good firewall
On Wed, 29 May 2002, Blesson Paul wrote:
Hi all
I am trying to use iptables as a firewall. Now I want to filter the
packets which are masqueraded. In one of the tutorials, it is written
that filtering is not done in the POSTROUTING chain since certain packets will
bypass
Hi,
Can anyone tell me if this is possible? We upgraded our internet access from ISDN
(small ISP) to broadband (Telstra). We had a static IP of eg: 210.20.20.20 from our
small ISP on the ISDN; with the new cable connection we get a DHCP IP address, which
makes it hard for mail routing. Ok, the big
Hello,
On Friday 24 May 2002 10:39, Takuya Satoh wrote:
iptables-1.2.6a-cvs020520:
cc -O2 -Wall -Wunused -I/usr/src/linux/include -Iinclude/
-DNETFILTER_VERSION=\"1.2.7\" -fPIC -o extensions/libipt_REJECT_sh.o -c
extensions/libipt_REJECT.c
extensions/libipt_REJECT.c: In function `init':
On Sunday 02 June 2002 22:10, Luigi Cartuccia wrote:
Hi, I'm Luigi. Where can I find material on sk_buff?
Thank you
Hello,
Harald has written a document probably describing what you need :
http://www.gnumonks.org/ftp/pub/doc/skb-doc.html
Have a nice day,
Fabrice.
--
Fabrice MARIE
Senior RD
On Tuesday 11 June 2002 23:36, Alistair Tonner wrote:
Hi folks:
I suspect this should be directed to a specific developer, but
I felt that it should
be tossed out there for general review.
I've just been playing with 1.2.6a and kernel 2.4.18 and have
been applying and poking at
different
On Thursday 23 May 2002 12:51, Marc SCHAEFER wrote:
Hi,
I have the following setup:
external_net_1 \
firewall internal_net
external_net_2 /
the machine on the internal_net only has one IP address (in this case
193.72.186.6, could be e.g.
Hello list,
I have a user process using libipq. It stores packets coming in through
target -j QUEUE, delays them for a while, and sends them out via verdict
NF_ACCEPT. That works fine.
But when I quit the process normally (using ipq_destroy_handle()) and not
all packets have been sent out again, I
On Thu, 13 Jun 2002, [ISO-8859-15] Tassilo Schütz wrote:
Hello list,
I would like to know if I have to do anything else before quitting my
user process? Is there maybe a flush_queue() call or term_queue() call?
I thought about it because of Queue flushing and Queue terminate in
On Wednesday 12 June 2002 21:02, Martin Josefsson wrote:
It adds a new parameter to ip_ct_refresh called force, if set to
non-zero a timer update will be forced.
Hmm.. this may be a little hard to enforce at all times..
Why don't you make the filter simply filter out any timer updates that
On Thu, 13 Jun 2002, Henrik Nordstrom wrote:
On Thursday 13 June 2002 13:50, James Morris wrote:
Nothing to worry about, there is currently no way for the ip_queue
module to know that the user process has exited (unless another
process starts using the queue).
The kernel module also
On Wed, Jun 12, 2002 at 03:57:12PM +0200, Maciej Soltysiak wrote:
Hello,
as suggested by Jozsef, I moved my IP unused bit check to the Unclean
module.
Here is the patch to the netfilter root directory.
thanks, applied.
Regards,
Maciej Soltysiak
--
Live long and prosper
- Harald Welte /
On Tue, Jun 11, 2002 at 02:49:40PM +0200, Cédric de Launois wrote:
Hi,
Here is the patch against the current CVS tree to include the new
target 'ROUTE'. The patches have been tested, they work fine for me.
Doing
patch -p0 < ROUTE.cvs.patch
in the same directory as netfilter/ should