From varun_saa at vsnl.net Fri Jul 1 18:16:58 2005
From: varun_saa at vsnl.net (varun_saa@vsnl.net)
Date: Fri Jul 1 18:31:35 2005
Subject: MAC filter group if IPs
Message-ID: <421bd79421c0b2.421c0b2421bd79@vsnl.net>

Hello,
I would like to implement MAC filtering.
Is there a way to write a rule that will allow or disallow a set of IPs?
Say one rule to allow a set of IPs,
and another rule to disallow a set of IPs.

Thanks

Varun

From jengelh at linux01.gwdg.de Fri Jul 1 18:21:35 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Fri Jul 1 18:36:05 2005
Subject: MAC filter group if IPs
In-Reply-To: <421bd79421c0b2.421c0b2421bd79@vsnl.net>
References: <421bd79421c0b2.421c0b2421bd79@vsnl.net>
Message-ID:

>Hello,
> I would like to implement MAC filtering.
>Is there a way to write a rule that will allow or
>disallow a set of IPs?
>Say one rule to allow a set of IPs,
>And another rule to disallow a set of IPs.

MAC is not the same as IP.

Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de

From lopsch at lopsch.com Fri Jul 1 19:07:51 2005
From: lopsch at lopsch.com (Daniel Lopes)
Date: Fri Jul 1 19:15:59 2005
Subject: MAC filter group if IPs
In-Reply-To: <421bd79421c0b2.421c0b2421bd79@vsnl.net>
References: <421bd79421c0b2.421c0b2421bd79@vsnl.net>
Message-ID: <42C57867.3080806@lopsch.com>

varun_saa@vsnl.net wrote:
> Hello,
> I would like to implement MAC filtering.
> Is there a way to write a rule that will allow or
> disallow a set of IPs?
> Say one rule to allow a set of IPs,
> And another rule to disallow a set of IPs.
>
> Thanks
>
> Varun
>
>

Have a look at IPSet.

From gary at primeexalia.com Fri Jul 1 19:12:25 2005
From: gary at primeexalia.com (Gary W. Smith)
Date: Fri Jul 1 19:26:59 2005
Subject: FTP and IPSEC
Message-ID: <57F9959B46E0FA4D8BA88AEDFBE582909ED0@pxtbenexd01.pxt.primeexalia.com>

Any ideas?

________________________________
From: netfilter-bounces@lists.netfilter.org on behalf of Gary W. Smith
Sent: Tue 6/28/2005 10:06 AM
To: netfilter@lists.netfilter.org
Subject: FTP and IPSEC

This is a follow-up to a former problem, but unrelated. I have two networks connected via IPSEC. On each side of the network I have client servers that have SNAT/DNAT to the internet. Everything seems to work well under IPSEC except ftp. Here is what I found.

From location A, a workstation without a static external IP address on the 10.0.10.x can FTP anywhere on the net without problems but CANNOT ftp to a machine at location B using its internal 10.0.50.x IP. This same workstation CAN ftp without restriction to its external alias for the same machine at location B using its external IP 199.199.199.x.

If I remove ip_nat_ftp and ip_conntrack_ftp it seems to work fine. But the problem is now that we cannot ftp externally from that location. Both locations have ip_nat_ftp loaded but it doesn't seem to matter.

When we had a pptp connection between the two locations we didn't have this problem. It only seems to happen with IPSEC.

Is there a workaround for this, or is there a way to tell ip_nat_ftp to ignore a particular IP range?

Gary Smith

From edvin.seferovic at kolp.at Fri Jul 1 19:40:15 2005
From: edvin.seferovic at kolp.at (Seferovic Edvin)
Date: Fri Jul 1 19:54:52 2005
Subject: Configurationrequest for firewall with temporary ppp0-interface
In-Reply-To: <42C3BA1B.6070004@my-mail.ch>
Message-ID:

Well, if you are using NAT then you can say that ppp+ should be NATed to your external interface.. shouldn't be too complicated? :)
pppd brings up a new interface and adds a route to it, so you don't have to worry about this.

Regards,
Edvin Seferovic

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Ruprecht Helms
Sent: Thursday, 30 June 2005 11:24
To: netfilter@lists.netfilter.org
Subject: Configurationrequest for firewall with temporary ppp0-interface

Hi,

I have the problem that I need some rules for a temporary ppp0 interface. This interface is only active when the admin has made a dial-up on the server and has activated a ppp daemon.

While the ppp0 interface is up, connections should be possible completely in both directions and through to the clients. But this should only be allowed for connections via ppp0.

Connections via the normal isdn0 should be protected by the normal firewall rules (iptables).

How do I have to configure this?

Regards,
Ruprecht

------------------------------------------------------------------------------------------
Ruprecht Helms IT-Service & Softwareentwicklung
Tel./Fax +49[0]7621 16 99 16
Web: htp://www.rheyn.de

From christoph.georgi at web.de Fri Jul 1 02:43:21 2005
From: christoph.georgi at web.de (Christoph Georgi)
Date: Fri Jul 1 20:42:06 2005
Subject: Configurationrequest for firewall with temporary ppp0-interface
In-Reply-To: <42C3BA1B.6070004@my-mail.ch>
References: <42C3BA1B.6070004@my-mail.ch>
Message-ID: <42C491A9.8070301@web.de>

Just create rules specifying ppp0 as incoming and outgoing interface (-i and -o), e.g.

$IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -i ppp0 -j ACCEPT

christoph

Ruprecht Helms wrote:
> Hi,
>
> I have the problem that I need some rules for a temporary ppp0 interface.
> This interface is only active when the admin has made a dial-up on the
> server and has activated a ppp daemon.
>
> While the ppp0 interface is up, connections should be possible
> completely in both directions and through to the clients. But this should
> only be allowed for connections via ppp0.
>
> Connections via the normal isdn0 should be protected by the normal
> firewall rules (iptables).
>
> How do I have to configure this?
>
> Regards,
> Ruprecht
>
> ------------------------------------------------------------------------------------------
>
> Ruprecht Helms IT-Service & Softwareentwicklung
>
> Tel./Fax +49[0]7621 16 99 16
> Web: htp://www.rheyn.de
>

-- 
Christoph Georgi
-----------------------------
email. christoph.georgi@web.de
fon. +64 (0)9 815 8259
registered linux user #380268
ubuntu 5.04 (ubuntu.com)

From rob0 at gmx.co.uk Fri Jul 1 20:37:16 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Fri Jul 1 20:51:45 2005
Subject: multiple gateways in linux
In-Reply-To: <20050630114101.35127.qmail@web53110.mail.yahoo.com>
References: <20050630114101.35127.qmail@web53110.mail.yahoo.com>
Message-ID: <200507011337.16923.rob0@gmx.co.uk>

On Thursday 30 June 2005 06:41, umar draz wrote:
> i have 2 DSL connections from different companies. i
> attached both DSL modems to my Linux machine with
> different ethernet.

http://www.ssi.bg/~ja/
http://www.ssi.bg/~ja/nano.txt

-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

From marius.mertens at gmx.de Fri Jul 1 21:07:21 2005
From: marius.mertens at gmx.de (Marius Mertens)
Date: Fri Jul 1 21:21:40 2005
Subject: NEW "SSH Brute Force " ruleset (20050628.0)
References: <42C0F7E4.4060805@riverviewtech.net>
Message-ID: <004801c57e70$1fad3890$4206a8c0@loki>

Hi everybody,

On Tuesday, June 28, 2005 9:10 AM, Taylor, Grant wrote:
> [...]
> One point of interest would be the use of the "--rttl" option on the
> recent matches. I have not tested such tests but plan to do so in
> the future. Please reply to the mail list with your experiences.
> As always any comments and / or suggestions are most welcome and
> appreciated.

Definitely a very nice piece of work!

Though I personally do not use the longer banning times, since just banning them for a minute has proven long enough to make them move on to the next host, I do like the "stacked chains". My use for a second level is to log only the first DROP, so the DROPs won't flood my logs.

Speaking of flooding: does anybody know how long IPs are stored in the recent list until they are removed again?

The requested "any comments / suggestions" section:

Maybe also put a time limit on the whitelist, since IPs added there will most likely be dynamic ones; otherwise they would probably have been added to another, permanent whitelist.

Possibly strange ideas:

If a certain IP makes it to a certain level of blacklisting, drop everything --state NEW from them, not just ssh (dropping also established things might allow a too powerful and easy DoS).

Add a host to a special whitelist after doing something special, like connecting to a certain port, which would lower the risk of a DoS (they can still try, but you can override it).

I haven't used the --rttl option either, but I did monitor the TTLs of dropped brute-force attempts. Most different hosts also had different TTLs, but packets from a single attacker never had different ones, so adding that option should (at least at the moment) not result in significantly more successful connection attempts than without.
Marius

From dufresne at sysinfo.com Fri Jul 1 21:34:10 2005
From: dufresne at sysinfo.com (R. DuFresne)
Date: Fri Jul 1 21:43:45 2005
Subject: [Announce] Nulog 1.1.0 is available
In-Reply-To: <1120136387.4696.54.camel@localhost.localdomain>
References: <1120136387.4696.54.camel@localhost.localdomain>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Considering the history of php, and many php applications and their bi-weekly appearance in the various sec lists for newly discovered vulns, how safe is this application and would one want to place it on or near their main security device?

thanks,

Ron DuFresne

On Thu, 30 Jun 2005, Eric Leblond wrote:

> Hi,
>
> INL is proud to announce the availability of Nulog 1.1.0.
>
> Nulog, previously known as ulog-php, is a firewall log analysis
> interface written in php. Netfilter is able to log selected packets
> directly in a database like MySQL or PostgreSQL. Nulog uses this feature
> to display security events in real-time on a user-friendly interface.
>
> It now integrates deeply with NuFW user activity logging and can now
> cope with multiple logging tables. Thus, a single NuFW interface can
> now be used to manage multiple firewalls or a set of archive tables.
>
> Nulog is, of course, released under the GPL licence.
>
> Nulog : http://www.inl.fr/article.php3?id_article=36
> NuFW : http://www.nufw.org/
>
> BR,
> --
> Eric Leblond
>
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCxZq2st+vzJSwZikRAo+SAKCsXdWrA4PSRutH26tymiYg4HiOrwCaAsuB
ThBRuEY7+ONTB1aobNeP0ps=
=QY3F
-----END PGP SIGNATURE-----

From marcus at lanhelp.com.br Fri Jul 1 22:31:17 2005
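Returning to the SSH brute-force thread above, as an added example that is not part of Marius's post or of Grant Taylor's ruleset he is commenting on: a two-level limiter on the `recent` match in the "stacked chains" style, where the packet that triggers a ban is the only one that gets logged. The interface, port, thresholds, list names and chain names are my assumptions; the output is iptables-restore input so it can be read before it is loaded.

```sh
#!/bin/sh
# Added example, not from the thread: SSH brute-force limiting with the
# "recent" match, built as stacked chains so that only the FIRST packet of a
# ban is logged. Output is iptables-restore format; load it with
#   ssh_limit_rules | iptables-restore -n     (-n keeps the other chains)
# Assumed values (mine): WAN interface eth0, tcp/22, 4 new connections per
# 60 s tolerated, 5-minute ban.
WAN_IF=${WAN_IF:-eth0}
SSH_PORT=${SSH_PORT:-22}
HITS=${HITS:-4}
WINDOW=${WINDOW:-60}
BAN=${BAN:-300}

# ip_pkt_list_tot (module parameter, default 20) bounds how many timestamps
# the recent match keeps per address; a --hitcount above it can never match,
# so refuse such a value instead of silently installing a dead rule.
check_hitcount() {
    [ "$1" -ge 1 ] && [ "$1" -le "${IP_PKT_LIST_TOT:-20}" ]
}

ssh_limit_rules() {
    check_hitcount "$HITS" || { echo "HITS=$HITS exceeds ip_pkt_list_tot" >&2; return 1; }
    cat <<EOF
*filter
:SSH_IN - [0:0]
:SSH_NEWBAN - [0:0]
:SSH_BANNED - [0:0]
# level 0: only NEW SSH connections arriving from the outside enter the limiter
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_IN
# level 1: already banned? --rcheck does not refresh the timestamp, so the
# ban lasts exactly $BAN s from the moment it was set
-A SSH_IN -m recent --name SSH_BAN --rcheck --seconds $BAN -j SSH_BANNED
# record this attempt (non-terminating rule), then count attempts in the window
-A SSH_IN -m recent --name SSH_ATTEMPT --set
-A SSH_IN -m recent --name SSH_ATTEMPT --update --seconds $WINDOW --hitcount $HITS -j SSH_NEWBAN
-A SSH_IN -j ACCEPT
# level 2a: the packet that starts a ban is the only one that gets logged
-A SSH_NEWBAN -m recent --name SSH_BAN --set
-A SSH_NEWBAN -m limit --limit 6/min -j LOG --log-prefix "ssh-ban: "
-A SSH_NEWBAN -j DROP
# level 2b: everything else from a banned address is dropped silently
-A SSH_BANNED -j DROP
COMMIT
EOF
}

# Number of rules emitted; a quick sanity check after editing the chains.
ssh_limit_rule_count() {
    ssh_limit_rules | grep -c '^-A '
}
```

On Marius's question of how long addresses stay in a recent list: as far as I know the module does not expire entries on a timer. `--seconds` is evaluated at match time, and an address remains listed until the list is full and it is the oldest entry (ip_list_tot, default 100 per list) or it is removed by hand through the list's /proc entry. That is why the ban above keys on `--rcheck --seconds` rather than on mere presence in the list, and why it uses `--rcheck` instead of `--update` there: `--update` would refresh the timestamp on every dropped attempt and keep a persistent attacker banned for as long as it keeps trying, which may or may not be what you want.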
From: marcus at lanhelp.com.br (marcus)
Date: Fri Jul 1 22:45:52 2005
Subject: mangle squid packets
Message-ID: <42C5A815.8040301@lanhelp.com.br>

Hi,

I've managed to get a 3-gateway linux router working using this mangle rule to mark incoming packets from the local net:

iptables -A PREROUTING -t mangle -s 10.0.0.0/8 -d 0/0 -j MARK --set-mark 3

Works great. But I can't do the same with squid activated. I'm using transparent proxy:

iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 3128

I don't know what mangle rule I need to mark squid transparent packets. I have tried all of the following (one at a time):

iptables -A PREROUTING -t mangle -s 10.0.0.0/8 -d 0/0 -j MARK --set-mark 3
iptables -A PREROUTING -t mangle -s 127.0.0.1 -d 0/0 -j MARK --set-mark 3
iptables -A PREROUTING -t mangle -p tcp --dport 80 -j MARK --set-mark 3
iptables -A PREROUTING -t mangle -p tcp --dport 3128 -j MARK --set-mark 3

Any ideas??

Thanks.

-- 
Regards,
Marcus Leandro
Support / Consulting
marcus@lanhelp.com.br

From qs.tahmeed at gmail.com Fri Jul 1 07:47:17 2005
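An added explanation and example, not from Marcus's message: the mangle PREROUTING rules have no effect on the proxied traffic because after REDIRECT the client's packet is delivered to Squid on the router itself, and Squid's own connection to the origin server starts on the router, so it passes mangle OUTPUT and never sees PREROUTING. Locally generated packets are re-routed after mangle OUTPUT when their mark has changed, so a mark set there does steer them through an `ip rule ... fwmark` entry. The interface, subnet, Squid user and port below are my assumptions.

```sh
#!/bin/sh
# Added example, not from the posting. Shows where the two halves of a
# transparently proxied connection are seen by netfilter and therefore where
# a MARK for policy routing has to be placed. Assumed values (mine):
# LAN interface eth0, LAN 10.0.0.0/8, Squid listening on 3128 as user
# "squid", mark 3 selecting routing table 3 ("ip rule add fwmark 3 table 3").
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.0.0.0/8}
SQUID_PORT=${SQUID_PORT:-3128}
SQUID_USER=${SQUID_USER:-squid}
MARK=${MARK:-3}

# Which mangle chain a packet of the given origin traverses on this router:
#   forwarded : arrives on one interface, leaves on another -> PREROUTING
#   local     : generated by a process on the router itself -> OUTPUT
# A transparently proxied request has one of each: the client's leg
# (forwarded until REDIRECT steals it) and Squid's own upstream leg.
mark_chain_for() {
    case $1 in
        forwarded) echo PREROUTING ;;
        local)     echo OUTPUT ;;
        *) echo "unknown packet origin: $1" >&2; return 1 ;;
    esac
}

# Load with: squid_mark_rules | iptables-restore -n
squid_mark_rules() {
    cat <<EOF
*nat
# client -> Squid: the packet hits nat PREROUTING, is redirected and is then
# delivered locally, so it never reaches FORWARD or POSTROUTING
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
COMMIT
*mangle
# traffic the router merely forwards (everything except the redirected port 80)
-A $(mark_chain_for forwarded) -i $LAN_IF -s $LAN_NET -j MARK --set-mark $MARK
# Squid -> origin server: generated locally, so mangle OUTPUT is the only
# place it can be marked; match on the owning user rather than on ports so
# Squid's HTTPS and FTP fetches are covered too
-A $(mark_chain_for local) -m owner --uid-owner $SQUID_USER -j MARK --set-mark $MARK
COMMIT
EOF
}
```

The `owner` match is only available in OUTPUT (and POSTROUTING), which is consistent with the point above: the upstream leg belongs to a local process and is classified by who owns the socket, not by where it came in. Any traffic the router forwards without redirecting keeps being marked by the PREROUTING rule exactly as before.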
From: qs.tahmeed at gmail.com (tahmeed)
Date: Fri Jul 1 23:16:02 2005
Subject: A replacement for rp_filter with iptables (config help needed)
In-Reply-To: <42C37413.3010504@networker.co.nz>
References: <42C37413.3010504@networker.co.nz>
Message-ID:

hi,

i am not an expert in iptables - actually am studying it -

one thing - what rules did you set for the new chains MYSQL & SPOOF? unless & until you set up rules for any NEW chains you create, it's not going to work.

On 6/30/05, Simon wrote:
> Hi There,
>
> We are debian sarge with two ethernet cards.. To get eth1 (on a separate
> subnet) working correctly, i've had to change
> /proc/sys/net/ipv4/conf/eth1/rp_filter to 0. Now i need a simple
> solution to protect against spoofing attacks on this interface... I have
> an example setup, but i want to make sure i have it correct.. can
> someone confirm for me?...
>
> Note, this was a small script to block the mysql port on the server, but
> then enable it for certain time/ip dynamically by adding/removing chains.
>
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -N MYSQL
> iptables -N SPOOF
> iptables -A INPUT -p tcp --dport 3306 -j MYSQL
> iptables -A SPOOF -i eth1 -j SPOOF
> iptables -A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset
>
> Is this correct - or have i got it ALL wrong.
>
> Thanks
>
> Simon
>

-- 
Happy! If not now never

From gary at primeexalia.com Fri Jul 1 00:56:12 2005
From: gary at primeexalia.com (Gary W. Smith)
Date: Fri Jul 1 23:18:15 2005
Subject: Crazy portmap request
Message-ID: <57F9959B46E0FA4D8BA88AEDFBE58290741D@pxtbenexd01.pxt.primeexalia.com>

Hello,

I have a new challenge of trying to map some IPs to a single IP but with a static port. Here is a sample.

Given 1 externally public IP, I need to publish an entire internal class C subnet worth of machines using their internal static IP addresses but mapping them to different ports. Each workstation has a TCP process running on a fixed port. For all intents and purposes let's say it's SMTP. What I need to do, using the single static IP address, is map out a single port for each server behind it. So, given 10.99.0.x we want something like this:

10.99.0.1:25 = 199.199.80.41:30001
10.99.0.2:25 = 199.199.80.41:30002
...
10.99.0.250:25 = 199.199.80.41:30250

Is there a simple way to do this? Currently we have a pre/post routing line per entry. Is there a better way?

Thanks,

Gary Smith

From jsullivan at opensourcedevel.com Fri Jul 1 23:55:20 2005
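As an added example that is not part of Gary's message: the per-host rule is still needed (DNAT cannot compute a destination from the port), but it can be generated from a loop and loaded in one iptables-restore transaction instead of 250 separate iptables invocations, and a single POSTROUTING rule covers the whole subnet. The addresses and the port-numbering scheme are taken from his example; the interface name is my assumption, and the FORWARD chain is assumed to allow the translated connections.

```sh
#!/bin/sh
# Added example, not from the posting: generate one DNAT rule per internal
# host from a loop and load them atomically with iptables-restore.
# Assumed values (mine): external address 199.199.80.41 on eth0, internal
# subnet 10.99.0.0/24, service port 25, external port = 30000 + last octet.
EXT_IP=${EXT_IP:-199.199.80.41}
EXT_IF=${EXT_IF:-eth0}
INT_PREFIX=${INT_PREFIX:-10.99.0}
SVC_PORT=${SVC_PORT:-25}
PORT_BASE=${PORT_BASE:-30000}

# External port for the host whose last octet is $1 (1..254 inside the /24).
ext_port() {
    [ "$1" -ge 1 ] && [ "$1" -le 254 ] || { echo "host octet out of range: $1" >&2; return 1; }
    echo $(( PORT_BASE + $1 ))
}

# One DNAT rule: EXT_IP:ext_port -> INT_PREFIX.N:SVC_PORT. The reverse
# translation of the replies is done by conntrack, so no rule is needed for it.
dnat_rule() {
    port=$(ext_port "$1") || return 1
    echo "-A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $port -j DNAT --to-destination $INT_PREFIX.$1:$SVC_PORT"
}

# Complete nat table for hosts $1..$2 (default 1..250) as iptables-restore
# input. One SNAT rule serves all outbound traffic from the subnet; per-host
# POSTROUTING entries are only needed if hosts must leave with distinct
# source addresses, which a single external IP cannot offer anyway.
nat_table() {
    first=${1:-1}; last=${2:-250}
    echo '*nat'
    i=$first
    while [ "$i" -le "$last" ]; do
        dnat_rule "$i" || return 1
        i=$((i + 1))
    done
    echo "-A POSTROUTING -o $EXT_IF -s $INT_PREFIX.0/24 -j SNAT --to-source $EXT_IP"
    echo 'COMMIT'
}

# Usage: nat_table | iptables-restore -n    (-n leaves the other tables alone)
```

Because all 250 rules land in one `*nat ... COMMIT` block, the kernel table is replaced in a single step; with a loop over `iptables -t nat -A ...` there is a window during which only part of the mapping exists. The FORWARD chain still has to accept traffic to `10.99.0.0/24` port 25 (for example `-d 10.99.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT`), since DNAT only rewrites the destination, it does not authorize the connection.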
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat Jul 2 00:11:02 2005
Subject: A replacement for rp_filter with iptables (config help needed)
In-Reply-To:
References: <42C37413.3010504@networker.co.nz>
Message-ID: <1120254920.3544.2.camel@localhost>

In our default configuration for the ISCS network security management project (http://iscs.sourceforge.net), we generate rules to protect against spoofing from both the outside and the inside (to ensure we are good Internet citizens!). Although the rules are automatically generated, they tend to look something like this:

iptables -t mangle -A PREROUTING -i ! eth1 -s 2xx.xx.xxx.224/255.255.255.240 -j DROP
iptables -t mangle -A PREROUTING -i eth1 -m ttl --ttl 1 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -j ProtectionMangleSpoof
iptables -t mangle -A ProtectionMangleSpoof -i eth0 -j DROP
iptables -t mangle -A PREROUTING -i ! eth0 -s 10.6.0.0/255.255.0.0 -j DROP
iptables -t mangle -A PREROUTING -i ! eth0 -s 10.7.0.0/255.255.0.0 -j DROP
iptables -t mangle -I ProtectionMangleSpoof 1 -i eth0 -s 10.6.0.0/255.255.0.0 -j RETURN
iptables -t mangle -I ProtectionMangleSpoof 1 -i eth0 -s 10.7.0.0/255.255.0.0 -j RETURN

Where eth0 is the private interface and eth1 is the Internet interface. Hope that helps - John

On Fri, 2005-07-01 at 11:47 +0600, tahmeed wrote:
> hi,
>
> i am not an expert in iptables - actually am studying it -
>
> one thing - what rules did you set for the new chains MYSQL & SPOOF -
> unless & until you set up rules for any NEW chains you create - it's not
> going to work.
>
>
>
> On 6/30/05, Simon wrote:
> > Hi There,
> >
> > We are debian sarge with two ethernet cards.. To get eth1 (on a separate
> > subnet) working correctly, i've had to change
> > /proc/sys/net/ipv4/conf/eth1/rp_filter to 0. Now i need a simple
> > solution to protect against spoofing attacks on this interface... I have
> > an example setup, but i want to make sure i have it correct.. can
> > someone confirm for me?...
> >
> > Note, this was a small script to block the mysql port on the server, but
> > then enable it for certain time/ip dynamically by adding/removing chains.
> >
> > iptables -F
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -N MYSQL
> > iptables -N SPOOF
> > iptables -A INPUT -p tcp --dport 3306 -j MYSQL
> > iptables -A SPOOF -i eth1 -j SPOOF
> > iptables -A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset
> >
> > Is this correct - or have i got it ALL wrong.
> >
> > Thanks
> >
> > Simon
> >
> >
>

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

From kadlec at blackhole.kfki.hu Sat Jul 2 00:10:29 2005
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Sat Jul 2 00:26:13 2005
Subject: A replacement for rp_filter with iptables (config help needed)
In-Reply-To: <1120254920.3544.2.camel@localhost>
References: <42C37413.3010504@networker.co.nz> <1120254920.3544.2.camel@localhost>
Message-ID:

Hi,

On Fri, 1 Jul 2005, John A. Sullivan III wrote:

> In our default configuration for the ISCS network security management
> project (http://iscs.sourceforge.net), we generate rules to protect
> against spoofing from both the outside and the inside (to ensure we are
> good Internet citizens!). Although the rules are automatically
> generated, they tend to look something like this:
>
> iptables -t mangle -A PREROUTING -i ! eth1 -s
> 2xx.xx.xxx.224/255.255.255.240 -j DROP

If you support 2.6.x kernels, I'd suggest using the raw table instead: thus the unnecessary load on conntrack can be avoided.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

From codeslinger at gmail.com Sat Jul 2 01:22:20 2005
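As an added example that is not from John's or Jozsef's messages: the same anti-spoofing logic as the ISCS-generated rules above, placed in the raw table as Jozsef suggests so that spoofed packets are dropped before the connection-tracking hook sees them, plus a small shell model of the rules so the policy can be checked on sample (interface, source) pairs without a kernel. Interface names and private prefixes follow John's example; 203.0.113.224/28 is a documentation prefix standing in for the masked public block, and a 2.6 kernel with iptable_raw is assumed.

```sh
#!/bin/sh
# Added example, not from the thread: anti-spoofing in the raw table, which
# runs before conntrack, so dropped packets never cost a conntrack entry.
# Assumed values (mine): eth1 faces the Internet, eth0 the private side,
# one public /28 and two private /16s.
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
PUBLIC_NET=${PUBLIC_NET:-203.0.113.224/28}
LAN_NETS=${LAN_NETS:-"10.6.0.0/16 10.7.0.0/16"}

# Emit the raw table as iptables-restore input:  antispoof_raw_rules | iptables-restore -n
antispoof_raw_rules() {
    echo '*raw'
    echo ':SPOOF_LAN - [0:0]'
    # Our own public prefix and loopback can never legitimately arrive from outside
    echo "-A PREROUTING -i $WAN_IF -s $PUBLIC_NET -j DROP"
    echo "-A PREROUTING -s 127.0.0.0/8 -j DROP"
    # Private prefixes may only enter on the private interface ...
    for net in $LAN_NETS; do
        echo "-A PREROUTING ! -i $LAN_IF -s $net -j DROP"
    done
    # ... and on the private interface nothing BUT those prefixes may appear
    echo "-A PREROUTING -i $LAN_IF -j SPOOF_LAN"
    for net in $LAN_NETS; do
        echo "-A SPOOF_LAN -s $net -j RETURN"
    done
    echo '-A SPOOF_LAN -j DROP'
    echo 'COMMIT'
}

# Dotted quad -> integer, for prefix comparisons.
ip2int() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> true if ADDR lies inside the prefix.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Shell model of the chain above: would_pass IFACE SRC -> 0 if the packet
# survives PREROUTING, 1 if one of the rules drops it. Kept in step with
# antispoof_raw_rules by hand; it exists so the policy can be reasoned about.
would_pass() {
    ifc=$1; src=$2
    in_cidr "$src" 127.0.0.0/8 && return 1
    [ "$ifc" = "$WAN_IF" ] && in_cidr "$src" "$PUBLIC_NET" && return 1
    for net in $LAN_NETS; do
        [ "$ifc" != "$LAN_IF" ] && in_cidr "$src" "$net" && return 1
    done
    if [ "$ifc" = "$LAN_IF" ]; then
        for net in $LAN_NETS; do in_cidr "$src" "$net" && return 0; done
        return 1
    fi
    return 0
}
```

The raw table is the right place for this only on 2.6 kernels with iptable_raw; on 2.4 the mangle table, as in John's rules, is the earliest available hook. Dropping in raw means the offending packet is never tracked, which is the load saving Jozsef refers to, but it also means nothing later in the stack (including conntrack-based logging) sees it, so add a LOG rule in front of the DROPs while the rules are being tuned.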
From: codeslinger at gmail.com (Tobias DiPasquale) Date: Sat Jul 2 01:38:08 2005 Subject: CLUSTERIP problems In-Reply-To: <20050630163535.GA11138@packetconsulting.pl> References: <20050628194026.GA2010@packetconsulting.pl> <20050630163535.GA11138@packetconsulting.pl> Message-ID: <876ef97a050701162247540075@mail.gmail.com> On 6/30/05, Piotr Chytla wrote: > On Tue, Jun 28, 2005 at 09:40:26PM +0200, Piotr Chytla wrote: > > I've problem with CLUSTERIP from 2.6.12 kernel, both nodes run debian > > sarge on 2.6.12. > > > > > [..] > > On the first machine I have in logs only this : > > > > hash=1 ct_hash=1 not responsible > > > > ARP mangling patch for 2.6.12 is applied : > > > > http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=2643 > > > Problem was in wrong header file ipt_CLUSTERIP.h that is diffrent > between iptables tree and 2.6.12 kernel . > > It seems that in struct ipt_clusterip_tgt_info, *config pointer > was moved up. > > First file ipt_CLUSTERIP.h.20050630 is from iptables tree second > one from 2.6.12 kernel. > > --- ipt_CLUSTERIP.h.20050630 2005-03-07 15:00:35.000000000 +0100 > +++ ipt_CLUSTERIP.h 2005-06-17 21:48:29.000000000 +0200 > @@ -18,6 +18,7 @@ > struct ipt_clusterip_tgt_info { > > u_int32_t flags; > + struct clusterip_config *config; > > /* only relevant for new ones */ > u_int8_t clustermac[6]; > @@ -26,12 +27,6 @@ > u_int16_t local_nodes[CLUSTERIP_MAX_NODES]; > enum clusterip_hashmode hash_mode; > u_int32_t hash_initval; > - > -#ifdef KERNEL_64_USERSPACE_32 > - u_int64_t config; > -#else > - struct clusterip_config *config; > -#endif > }; > > #endif /*_IPT_CLUSTERIP_H_target*/ You should have used the reverse of this. The header with *config at the bottom and the #ifdef KERNEL_64_USERSPACE_32 is the one to use with the kernel and iptables, both. -- [ Tobias DiPasquale ] 0x636f6465736c696e67657240676d61696c2e636f6d From gary at primeexalia.com Sat Jul 2 03:53:35 2005 
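Review bot: the second hunk (`@@ -26,12 +27,6 @@`) removes the `#ifdef KERNEL_64_USERSPACE_32` / `u_int64_t config;` / `#else` / `struct clusterip_config *config;` / `#endif` block, and the first hunk re-adds a bare `struct clusterip_config *config;` directly after `flags`. That `#ifdef` is what keeps `struct ipt_clusterip_tgt_info` the same size when a 32-bit iptables talks to a 64-bit kernel: with a bare pointer the field is 4 bytes on one side and 8 on the other. Moving it to the front additionally shifts the offsets of `clustermac`, `num_total_nodes`, `num_local_nodes`, `local_nodes`, `hash_mode` and `hash_initval` for every build, so kernel and userspace no longer agree on the layout, which fits the "not responsible" result reported earlier in the thread. As Tobias says, keep the layout with the `#ifdef` block at the end and build iptables against the same copy of the header the running kernel was built with.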
From: gary at primeexalia.com (Gary W. Smith)
Date: Sat Jul 2 04:08:07 2005
Subject: Is anyone else getting these.
Message-ID: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com>

I have verified my IPs are not on relays.ordb.org. I'm wondering if they blacklisted netfilter.org?

FW: Undeliverable: [SPAM] - Crazy portmap request - Sending mail server found on relays.ordb.org

-----Original Message-----
From: System administrator [mailto:postmaster@echtzeit.com]
Sent: Friday, July 01, 2005 2:11 PM
To: Gary W. Smith
Subject: Undeliverable: [SPAM] - Crazy portmap request - Sending mail server found on relays.ordb.org

Your message

  To:      netfilter@lists.netfilter.org
  Subject: [SPAM] - Crazy portmap request - Sending mail server found on relays.ordb.org
  Sent:    Fri, 1 Jul 2005 00:56:12 +0200

did not reach the following recipient(s):

  phergenhahn@echtzeit.de on Fri, 1 Jul 2005 23:11:28 +0200
    The recipient's name was not recognized.
    The MTS-ID of the original message is: c=de;a= ;p=echtzeit gmbh ? ;l=EZMXS0507012111NLNP7YNT
    MSEXCH:IMS:Echtzeit GmbH & Co. KG:ECHTZEIT:EZMXS 0 (000C05A6) Unknown recipient

-------------- next part --------------
An embedded message was scrubbed...
From: "Gary W. Smith"
Subject: [SPAM] - Crazy portmap request - Sending mail server found on relays.ordb.org
Date: Thu, 30 Jun 2005 15:56:12 -0700
Size: 1825
Url: /pipermail/netfilter/attachments/20050701/692d4e94/attachment.mht

From dleangen at canada.com Sat Jul 2 04:53:12 2005
From: dleangen at canada.com (David Leangen)
Date: Sat Jul 2 05:08:01 2005
Subject: /etc/sysconfig/iptables does not load on reboot
Message-ID:

Hello!

On FC3, my file /etc/sysconfig/iptables is not being loaded on reboot. For some reason, my iptables is being loaded with some kind of default values.

I thought that the file /etc/sysconfig/iptables was supposed to be loaded via iptables-restore (and indeed this appears to be so according to the startup script in /etc/rc.d/init.d/iptables). Is there something that I am not understanding correctly?

Thank you!

From varun_saa at vsnl.net Sat Jul 2 05:47:14 2005
From: varun_saa at vsnl.net (varun_saa@vsnl.net)
Date: Sat Jul 2 06:01:44 2005
Subject: MAC filter group if IPs
Message-ID: <42309da42319e7.42319e742309da@vsnl.net>

----- Original Message -----
From: Jan Engelhardt
Date: Friday, July 1, 2005 9:51 pm
Subject: Re: MAC filter group if IPs

> >Hello,
> > I would like to implement MAC filtering.
> >Is there a way to write a rule that will allow or
> >disallow a set of IPs?
> >Say one rule to allow a set of IPs,
> >And another rule to disallow a set of IPs.
>
> MAC is not the same as IP.
>
>
> Jan Engelhardt
>

Sorry, I meant:
Say one rule to allow a set of MAC addresses
And another rule to disallow a set of MAC addresses

Varun

From varun_saa at vsnl.net Sat Jul 2 05:50:46 2005
From: varun_saa at vsnl.net (varun_saa@vsnl.net)
Date: Sat Jul 2 06:05:14 2005
Subject: MAC filter group if IPs
Message-ID: <4245a994244da0.4244da04245a99@vsnl.net>

----- Original Message -----
From: Daniel Lopes
Date: Friday, July 1, 2005 10:37 pm
Subject: Re: MAC filter group if IPs

> varun_saa@vsnl.net wrote:
> > Hello,
> > I would like to implement MAC filtering.
> > Is there a way to write a rule that will allow or
> > disallow a set of IPs?
> > Say one rule to allow a set of IPs,
> > And another rule to disallow a set of IPs.
> >
> > Thanks
> >
> > Varun
> >
> >
> >
> Have a look at IPSet.

Sorry, I meant:
Say one rule to allow a set of MAC addresses
And another rule to disallow a set of MAC addresses

Varun

From qs.tahmeed at gmail.com Sat Jul 2 07:44:08 2005
From: qs.tahmeed at gmail.com (tahmeed)
Date: Sat Jul 2 07:58:37 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
References:
Message-ID:

hello David,

after you configure iptables - directly or via a script - issue

iptables-save > /etc/sysconfig/iptables

then your conf will be saved in the mentioned file & be available while restarting the service or on reboot.

else the system will use the default conf that has been set up during the installation of the system.
and

"iptables-restore" :: resets the conf to the system default, which means you lose the conf you just did.

thanks.

On 7/2/05, David Leangen wrote:
>
> Hello!
>
> On FC3, my file /etc/sysconfig/iptables is not being loaded on reboot. For
> some reason, my iptables is being loaded with some kind of default values.
>
> I thought that the file /etc/sysconfig/iptables was supposed to be loaded
> via iptables-restore (and indeed this appears to be so according to the
> startup script in /etc/rc.d/init.d/iptables). Is there something that I am
> not understanding correctly?
>
>
> Thank you!
>
>

-- 
Happy! If not now never

From rob at sterenborg.info Sat Jul 2 07:49:20 2005
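Back to Varun's MAC filtering question, as an added example that is not part of the thread: the `mac` match takes one address per rule, so "one rule per set" is done by putting the per-address rules in a chain of their own and referencing that chain with a single rule (ipset, Daniel's suggestion, has MAC-capable set types that let the per-address rules collapse into one). The LAN interface and the sample addresses are my assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: allow one set of MAC addresses and
# drop another with the "mac" match, generated as iptables-restore input.
# Assumed values (mine): LAN interface eth0 and the sample addresses below.
LAN_IF=${LAN_IF:-eth0}
ALLOW_MACS=${ALLOW_MACS:-"00:11:22:33:44:55 00:11:22:33:44:66"}
DENY_MACS=${DENY_MACS:-"00:de:ad:be:ef:01"}

# Accept only the xx:xx:xx:xx:xx:xx form iptables takes; reject anything else
# (Cisco dotted form, missing octets, stray characters) before it reaches iptables.
mac_ok() {
    hh='[0-9a-fA-F][0-9a-fA-F]'
    case $1 in
        $hh:$hh:$hh:$hh:$hh:$hh) return 0 ;;
        *) return 1 ;;
    esac
}

# Load with: mac_filter_rules | iptables-restore -n
mac_filter_rules() {
    for m in $DENY_MACS $ALLOW_MACS; do
        mac_ok "$m" || { echo "bad MAC address: $m" >&2; return 1; }
    done
    echo '*filter'
    echo ':MACFILTER - [0:0]'
    # Deny list first, so an address present in both lists is blocked
    for m in $DENY_MACS; do
        echo "-A MACFILTER -m mac --mac-source $m -j DROP"
    done
    for m in $ALLOW_MACS; do
        echo "-A MACFILTER -m mac --mac-source $m -j RETURN"
    done
    # Unknown hardware addresses are dropped; remove this line for a pure deny list
    echo '-A MACFILTER -j DROP'
    # The mac match only works where the link-layer header is still available:
    # PREROUTING, INPUT and FORWARD, never OUTPUT or POSTROUTING. One rule per
    # chain references the whole set.
    echo "-A INPUT -i $LAN_IF -j MACFILTER"
    echo "-A FORWARD -i $LAN_IF -j MACFILTER"
    echo 'COMMIT'
}
```

Two caveats a practitioner should keep in mind. The address matched is that of the last hop: behind a router every packet carries the router's MAC, so the filter is only meaningful on the directly attached segment. And a host can set its own MAC address freely, so this is a convenience filter against accidental or casual access, not authentication; pair it with IP-level rules or 802.1X if that matters.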
From: rob at sterenborg.info (Rob Sterenborg)
Date: Sat Jul 2 08:03:52 2005
Subject: Is anyone else getting these.
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com>
Message-ID: <20050702054820.DE59E8EDCEB@smtp.sterenborg.info>

netfilter-bounces@lists.netfilter.org <> scribbled on :

> I have verified my IPs are not on relays.ordb.org. I'm
> wondering if they blacklisted netfilter.org?

Last time I checked I'm not, and netfilter.org wasn't either. A few days ago there was a post about this; even their postmaster@... seems to refuse email. Maybe phergenhahn@echtzeit.de can be removed from the list??

Gr,
Rob

> FW: Undeliverable: [SPAM] - Crazy portmap request - Sending
> mail server found on relays.ordb.org
>
> -----Original Message-----
> From: System administrator [mailto:postmaster@echtzeit.com]
> Sent: Friday, July 01, 2005 2:11 PM
> To: Gary W. Smith
> Subject: Undeliverable: [SPAM] - Crazy portmap request -
> Sending mail server found on relays.ordb.org
>
> Your message
>
> To: netfilter@lists.netfilter.org
> Subject: [SPAM] - Crazy portmap request - Sending mail
> server found on relays.ordb.org
> Sent: Fri, 1 Jul 2005 00:56:12 +0200
>
> did not reach the following recipient(s):
>
> phergenhahn@echtzeit.de on Fri, 1 Jul 2005 23:11:28 +0200
> The recipient's name was not recognized.
> The MTS-ID of the original message is: c=de;a=
> ;p=echtzeit gmbh ? ;l=EZMXS0507012111NLNP7YNT
> MSEXCH:IMS:Echtzeit GmbH & Co. KG:ECHTZEIT:EZMXS 0
> (000C05A6) Unknown recipient

From dleangen at canada.com Sat Jul 2 07:49:32 2005
From: dleangen at canada.com (David Leangen)
Date: Sat Jul 2 08:04:16 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
Message-ID:

Dear Tahmeed,

Thank you. But that's exactly what I'm doing.

I am absolutely positive that the correct script is saved to /etc/sysconfig/iptables. I tried with all of the following:

- iptables-save
- service iptables save

If I use 'iptables-restore /etc/sysconfig/iptables' after reboot, then the correct script gets loaded (which also shows that the correct values are in /etc/sysconfig/iptables).

My init script IS indeed getting run at system startup.

So, what I can't figure out is why the script in /etc/sysconfig/iptables is not being loaded at system startup.

Any ideas?

Thank you!!

> -----Original Message-----
> From: tahmeed [mailto:qs.tahmeed@gmail.com]
> Sent: 2 July 2005 14:44
> To: dleangen@canada.com
> Cc: netfilter@lists.netfilter.org
> Subject: Re: /etc/sysconfig/iptables does not load on reboot
>
>
> hello David,
>
> after you configure iptables - directly or via a script - issue
>
> iptables-save > /etc/sysconfig/iptables
>
> then your conf will be saved in the mentioned file & be available while
> restarting the service or on reboot.
>
> else the system will use the default conf that has been set up during
> the installation of the system.
> and
>
> "iptables-restore" :: resets the conf to the system default, which
> means you lose the conf you just did.
>
> thanks.
>
> On 7/2/05, David Leangen wrote:
> >
> > Hello!
> >
> > On FC3, my file /etc/sysconfig/iptables is not being loaded on
> > reboot. For some reason, my iptables is being loaded with some kind of
> > default values.
> >
> > I thought that the file /etc/sysconfig/iptables was supposed to
> > be loaded via iptables-restore (and indeed this appears to be so according to the
> > startup script in /etc/rc.d/init.d/iptables). Is there
> > something that I am not understanding correctly?
> >
> >
> > Thank you!
> >
> >
>
>
> --
> Happy! If not now never

From dleangen at canada.com Sat Jul 2 08:32:35 2005
From: dleangen at canada.com (David Leangen)
Date: Sat Jul 2 08:47:18 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
Message-ID:

Thanks for the follow-up!

[root@sannomiya ~]# chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

My /etc/rc.d/init.d/iptables script is the default script installed with FC3.

Cheers,
Dave

> -----Original Message-----
> From: Alexey Toptygin [mailto:alexeyt@freeshell.org]
> Sent: 2 July 2005 15:03
> To: David Leangen
> Subject: RE: /etc/sysconfig/iptables does not load on reboot
>
>
> On Sat, 2 Jul 2005, David Leangen wrote:
>
> > If I use 'iptables-restore /etc/sysconfig/iptables' after
> > reboot, then the correct script gets loaded (which also shows that the correct
> > values are in /etc/sysconfig/iptables).
> >
> > My init script IS indeed getting run at system startup.
>
> Are you sure? What does "chkconfig --list iptables" say?
>
> Alexey

From dleangen at canada.com Sat Jul 2 08:43:23 2005
From: dleangen at canada.com (David Leangen)
Date: Sat Jul 2 08:58:03 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
Message-ID:

> Well, in that case, I have no idea. Did you check the startup logs?
> Does the system display [ OK ] on the iptables line when booting?

Yep, the system displays [ OK ] and I don't see anything of interest in the logs. That's exactly why I can't figure this out. If at least there were some info in the logs, that would at least point me in some direction. Unless, of course, I'm looking in the wrong place...

Cheers,
Dave

> -----Original Message-----
> From: Alexey Toptygin [mailto:alexeyt@freeshell.org]
> Sent: 2 July 2005 15:39
> To: David Leangen
> Subject: RE: /etc/sysconfig/iptables does not load on reboot
>
>
> On Sat, 2 Jul 2005, David Leangen wrote:
>
> > [root@sannomiya ~]# chkconfig --list iptables
> > iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
> >
> > My /etc/rc.d/init.d/iptables script is the default script installed with
> > FC3.
>
> Well, in that case, I have no idea. Did you check the startup logs? Does
> the system display [ OK ] on the iptables line when booting?
>
> Alexey

From qs.tahmeed at gmail.com Sat Jul 2 09:35:22 2005
From: qs.tahmeed at gmail.com (tahmeed)
Date: Sat Jul 2 09:49:52 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
References:
Message-ID:

hello,

this is what you should see if iptables starts up successfully during reboot - at least

Jul 2 13:00:45 gizmo rc: Starting iptables: succeeded

and maybe it's due to some core-level problems, not due to any misconfiguration or things like that. maybe the problem lies in the package.

if it's possible, please download a fresh package of iptables from

www.netfilter.org

regards........

On 7/2/05, David Leangen wrote:
>
> > Well, in that case, I have no idea. Did you check the startup logs?
> > Does the system display [ OK ] on the iptables line when booting?
>
> Yep, the system displays [ OK ] and I don't see anything of interest in the
> logs. That's exactly why I can't figure this out. If at least there were
> some info in the logs, that would at least point me in some direction.
> Unless, of course, I'm looking in the wrong place...
>
>
> Cheers,
> Dave
>
>
>
>
> > -----Original Message-----
> > From: Alexey Toptygin [mailto:alexeyt@freeshell.org]
> > Sent: 2 July 2005 15:39
> > To: David Leangen
> > Subject: RE: /etc/sysconfig/iptables does not load on reboot
> >
> >
> > On Sat, 2 Jul 2005, David Leangen wrote:
> >
> > > [root@sannomiya ~]# chkconfig --list iptables
> > > iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
> > >
> > > My /etc/rc.d/init.d/iptables script is the default script installed
> > > with FC3.
> >
> > Well, in that case, I have no idea. Did you check the startup logs? Does
> > the system display [ OK ] on the iptables line when booting?
> >
> > Alexey
>
>

-- 
Happy! If not now never

From dleangen at canada.com Sat Jul 2 09:53:36 2005
From: dleangen at canada.com (David Leangen) Date: Sat Jul 2 10:08:21 2005 Subject: /etc/sysconfig/iptables does not load on reboot In-Reply-To: Message-ID: Thanks again for the follow up... > and may be its due some core level probs not due to any > misconfiguration or sort of things like that. may be the problem > lies in the package. Sounds like this may be a good guess. I installed a second FC3 system, and I'm not having that problem at all. Everything is working just fine on the second system, including the default iptables installation. I really can't figure out why it works on one machine, but not the other... I'll try a fresh install and see what happens. Thanks again for the advice. Cheers, Dave > -----Original Message----- > From: tahmeed [mailto:qs.tahmeed@gmail.com] > Sent: 2 July 2005 16:35 > To: dleangen@canada.com > Cc: netfilter@lists.netfilter.org > Subject: Re: /etc/sysconfig/iptables does not load on reboot > > > hello, > > this is what u should see if iptables starts up successfully during > reboot - at least > > Jul 2 13:00:45 gizmo rc: Starting iptables: succeeded > > and may be its due some core level probs not due to any > misconfiguration or sort of things like that. may be the problem lies > in the package. > > if its possible pls download a fresh package of iptables from > > www.netfilter.org > > regards........ > > > On 7/2/05, David Leangen wrote: > > > > > Well, in that case, I have no idea. Did you check the startup logs? > > > Does the system display [ OK ] on the iptables line when booting? > > > > Yep, the system displays [ OK ] and I don't see anything of > interest in the > > logs. That's exactly why I can't figure this out. If at least there were > > some info in the logs, that would at least point me in some direction. > > Unless, of course, I'm looking in the wrong place... > > > > > > Cheers, > > Dave > > > > > > > > > > > -----Original Message----- 
> > > From: Alexey Toptygin [mailto:alexeyt@freeshell.org] > > > Sent: 2 July 2005 15:39 > > > To: David Leangen > > > Subject: RE: /etc/sysconfig/iptables does not load on reboot > > > > > > > > > On Sat, 2 Jul 2005, David Leangen wrote: > > > > > > > [root@sannomiya ~]# chkconfig --list iptables > > > > iptables 0:off 1:off 2:on 3:on 4:on > 5:on 6:off > > > > > > > > My /etc/rc.d/init.d/iptables script is the default script installed > > with > > > > FC3. > > > > > > Well, in that case, I have no idea. Did you check the startup > logs? Does > > > the system display [ OK ] on the iptables line when booting? > > > > > > Alexey > > > > > > > > > -- > Happy! If not now never From navneetkc at gmail.com Sat Jul 2 10:35:06 2005 From: navneetkc at gmail.com (Navneet Choudhary) Date: Sat Jul 2 10:49:35 2005 Subject: /etc/sysconfig/iptables does not load on reboot In-Reply-To: References: Message-ID: <1dceb01205070201357817da8d@mail.gmail.com> On 7/2/05, David Leangen wrote: > > Thanks again for the follow up... > > > and may be its due some core level probs not due to any > > misconfiguration or sort of things like that. may be the problem > > lies in the package. > > Sounds like this may be a good guess. I installed a second FC3 system, and > I'm not having that problem at all. Everything is working just fine on the > second system, including the default iptables installation. I really can't > figure out why it works on one machine, but not the other... Hey, if want to debug further! Why don't you call your iptables rule via /etc/rc.local eg. vi /etc/rc.local iptables-restore < /root/firewall [Your own iptables rule set which you wants to inforce on your system] lets see whats happen now? > I'll try a fresh install and see what happens. > > > Thanks again for the advice. > > > Cheers, > Dave > > > > > -----Original Message----- 
> > From: tahmeed [mailto:qs.tahmeed@gmail.com] > > Sent: 2 July 2005 16:35 > > To: dleangen@canada.com > > Cc: netfilter@lists.netfilter.org > > Subject: Re: /etc/sysconfig/iptables does not load on reboot > > > > > > hello, > > > > this is what u should see if iptables starts up successfully during > > reboot - at least > > > > Jul 2 13:00:45 gizmo rc: Starting iptables: succeeded > > > > and may be its due some core level probs not due to any > > misconfiguration or sort of things like that. may be the problem lies > > in the package. > > > > if its possible pls download a fresh package of iptables from > > > > www.netfilter.org > > > > regards........ > > > > > > On 7/2/05, David Leangen wrote: > > > > > > > Well, in that case, I have no idea. Did you check the startup logs? > > > > Does the system display [ OK ] on the iptables line when booting? > > > > > > Yep, the system displays [ OK ] and I don't see anything of > > interest in the > > > logs. That's exactly why I can't figure this out. If at least there > were > > > some info in the logs, that would at least point me in some direction. > > > Unless, of course, I'm looking in the wrong place... > > > > > > > > > Cheers, > > > Dave > > > > > > > > > > > > > > > > -----Original Message----- 
> > > > From: Alexey Toptygin [mailto:alexeyt@freeshell.org] > > > > Sent: 2 July 2005 15:39 > > > > To: David Leangen > > > > Subject: RE: /etc/sysconfig/iptables does not load on reboot > > > > > > > > > > > > On Sat, 2 Jul 2005, David Leangen wrote: > > > > > > > > > [root@sannomiya ~]# chkconfig --list iptables > > > > > iptables 0:off 1:off 2:on 3:on 4:on > > 5:on 6:off > > > > > > > > > > My /etc/rc.d/init.d/iptables script is the default script installed > > > with > > > > > FC3. > > > > > > > > Well, in that case, I have no idea. Did you check the startup > > logs? Does > > > > the system display [ OK ] on the iptables line when booting? > > > > > > > > Alexey > > > > > > > > > > > > > > > -- > > Happy! If not now never > > > From rob0 at gmx.co.uk Sat Jul 2 10:39:58 2005 From: rob0 at gmx.co.uk (/dev/rob0) Date: Sat Jul 2 10:54:34 2005 Subject: /etc/sysconfig/iptables does not load on reboot In-Reply-To: References: Message-ID: <200507020339.58492.rob0@gmx.co.uk> On Saturday 02 July 2005 01:43, David Leangen wrote: > some direction. Unless, of course, I'm looking in the wrong place... FWIW you are *asking* in the wrong place. This is an OS problem, not a netfilter / iptables issue. RH/FC and such like to hide information from the user. You can add some shell code to your startup scripts which redirect more verbose output to files. In this case maybe some echo commands to show which file is being fed to iptables-restore. -- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header From dleangen at canada.com Sat Jul 2 10:49:02 2005 
From: dleangen at canada.com (David Leangen) Date: Sat Jul 2 11:03:41 2005 Subject: /etc/sysconfig/iptables does not load on reboot In-Reply-To: <1dceb01205070201357817da8d@mail.gmail.com> Message-ID: > Hey, if want to debug further! > Why don't you call your iptables rule via /etc/rc.local When I do: $ iptables-restore /etc/sysconfig/iptables Everything is fine. It's only on system startup that it's not working. Cheers, Dave From dleangen at canada.com Sat Jul 2 10:49:24 2005 From: dleangen at canada.com (David Leangen) Date: Sat Jul 2 11:04:09 2005 Subject: /etc/sysconfig/iptables does not load on reboot In-Reply-To: <200507020339.58492.rob0@gmx.co.uk> Message-ID: Ah, good point! Thanks!! > -----Original Message----- > From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of /dev/rob0 > Sent: 2 July 2005 17:40 > To: netfilter@lists.netfilter.org > Subject: Re: /etc/sysconfig/iptables does not load on reboot > > > On Saturday 02 July 2005 01:43, David Leangen wrote: > > some direction. Unless, of course, I'm looking in the wrong place... > > FWIW you are *asking* in the wrong place. This is an OS problem, not a > netfilter / iptables issue. > > RH/FC and such like to hide information from the user. You can add some > shell code to your startup scripts which redirect more verbose output > to files. In this case maybe some echo commands to show which file is > being fed to iptables-restore. > -- > mail to this address is discarded unless "/dev/rob0" > or "not-spam" is in Subject: header > From rob0 at gmx.co.uk Sat Jul 2 11:16:26 2005 
From: rob0 at gmx.co.uk (/dev/rob0) Date: Sat Jul 2 11:31:00 2005 Subject: Is anyone else getting these. In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com> References: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com> Message-ID: <42C65B6A.8010503@gmx.co.uk> Gary W. Smith wrote: > I have verified my IP's not to on relays.ordb.org. I'm wondering if > they blacklisted netfilter.org? Vishnu.netfilter.org is not listed in any public block lists TTBOMK. > FW: Unzustellbar: [SPAM] - Crazy portmap request - Sending mail server found > on relays.ordb.org > > -----Original Message----- 
> From: Systemadministrator [mailto:postmaster@echtzeit.com]
> Sent: Friday, July 01, 2005 2:11 PM
> To: Gary W. Smith
> Subject: Unzustellbar: [SPAM] - Crazy portmap request - Sending mail server found on relays.ordb.org
>
> Your message
>
> To: netfilter@lists.netfilter.org
> Subject: [SPAM] - Crazy portmap request - Sending mail server found on
> relays.ordb.org
> Sent: Fri, 1 Jul 2005 00:56:12 +0200
>
> did not reach the following recipient(s):
>
> phergenhahn@echtzeit.de on Fri, 1 Jul 2005 23:11:28 +0200

I got one and looked at the headers. I thought perhaps their braindead Microsoft software was reading the Received: lines and finding something. If so I don't know what it is. More likely, it simply has a faulty test for relays.ordb.org. In Unix terms, something like /bin/true is checking. It always returns a positive result.

$ host 62.96.59.178
178.59.96.62.in-addr.arpa domain name pointer h-62.96.59.178.host.de.colt.net.
$ host h-62.96.59.178.host.de.colt.net.
Host h-62.96.59.178.host.de.colt.net not found: 3(NXDOMAIN)

They don't even have proper rDNS set up. Not surprising. This one would be a good candidate for spam blacklisting, and in due time it will be listed in the more aggressive RBL's.
-- 
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From curby.public at gmail.com Sat Jul 2 19:13:41 2005
From: curby.public at gmail.com (curby .)
Date: Sat Jul 2 19:28:14 2005
Subject: NEW "SSH Brute Force " ruleset (20050628.0)
In-Reply-To: <004801c57e70$1fad3890$4206a8c0@loki>
References: <42C0F7E4.4060805@riverviewtech.net> <004801c57e70$1fad3890$4206a8c0@loki>
Message-ID: <5d2f379105070210137e0af6ca@mail.gmail.com>

On 7/1/05, Marius Mertens wrote:
> Add a host to a special whitelist after doing something special, like
> connecting to a certain port, which would lower the risk of a DOS (they can
> still try, but you can override it)

I've been considering this too. It's actually a simple form of port knocking that can be implemented exclusively in iptables (without the need of extra tools). The primary goal of port knocking is to foil port scans, but it could be applicable here.

To protect against DoS, is there any easy way of requiring that three packets be transferred in an SSH connection before it triggers a recent update? Since someone spoofing source IPs to DoS would be unlikely to continue the connection with the server, such DoS attacks might be foiled more effectively this way than using rttl (which the attacker can just exhaustively try all values for).

From qs.tahmeed at gmail.com Sat Jul 2 22:03:41 2005
From: qs.tahmeed at gmail.com (tahmeed)
Date: Sat Jul 2 22:18:18 2005
Subject: /dev/rob0
In-Reply-To: <42C65B6A.8010503@gmx.co.uk>
References: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com> <42C65B6A.8010503@gmx.co.uk>
Message-ID:

hi! it seems that u r talking about the SPAM warning or in other words returned mail from a specific address. if so i would like to mention that every time i post to netfilter one such message arrives within a few mins. i wonder what they have done in their conf........
-- 
Happy! If not now never

From bassman0 at gmail.com Sat Jul 2 22:24:08 2005
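As an added example (not part of curby's post or of the ruleset under discussion), the two ideas above written as iptables rules: a knock-port whitelist bypasses the recent-match limiter, and a source is only counted once its connection has carried three client packets, done here with the connbytes match (which needs conntrack accounting). The chain name SSH_GUARD, the list names, the knock port 40022 and IPT defaulting to echo (print instead of load) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: SSH rate limiting with the recent match,
# a knock-port whitelist (Marius' idea) and "count a source only after three
# packets" (curby's question), the last via the connbytes match, which needs
# conntrack accounting enabled. Chain/list names and the knock port are
# assumptions made for this example.
IPT="${IPT:-echo}"                   # IPT=iptables (as root) loads the rules; echo just prints them
SSH_PORT="${SSH_PORT:-22}"
KNOCK_PORT="${KNOCK_PORT:-40022}"    # hypothetical knock port, closed to everything else

ssh_guard_rules() {
    # Separate chain so the SSH logic can be flushed and reloaded on its own.
    "$IPT" -N SSH_GUARD
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_GUARD

    # Knock: a new connection to the knock port records the source in "sshok"
    # and is dropped anyway, so the port still looks closed to a scan.
    "$IPT" -A INPUT -p tcp --dport "$KNOCK_PORT" -m state --state NEW \
        -m recent --name sshok --set -j DROP

    # Sources that knocked within the last hour bypass the limiter entirely.
    "$IPT" -A SSH_GUARD -m recent --name sshok --rcheck --seconds 3600 -j ACCEPT

    # Everyone else: a source with 4 or more "sshnew" entries within 60 s is
    # dropped. --rttl also requires the packet TTL to match the recorded one,
    # which makes spoofed SYNs harder (not impossible) to use for a DoS.
    "$IPT" -A SSH_GUARD -m recent --name sshnew --update --seconds 60 --hitcount 4 --rttl -j DROP
    "$IPT" -A SSH_GUARD -j ACCEPT

    # Record a source in "sshnew" only on the 3rd client packet of a
    # connection (SYN, ACK, first data), so a spoofed SYN never creates an
    # entry. This rule has no target: it only updates the list and falls
    # through. Put it before any general ESTABLISHED ACCEPT rule in INPUT.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state ESTABLISHED \
        -m connbytes --connbytes 3:3 --connbytes-dir original --connbytes-mode packets \
        -m recent --name sshnew --set
}

ssh_guard_rules
```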
From: bassman0 at gmail.com (Erik Weber)
Date: Sat Jul 2 22:38:43 2005
Subject: patch-o-matic'd TTL, but it's not there
Message-ID:

Dear Netfilter List,

I used patch-o-matic-ng apparently successfully to add the 'TTL' patch (compiled & installed new kernel, modules, and iptables) and yet when I give the command:

iptables -t mangle -A PREROUTING -i eth1 -j TTL --ttl-set 64

I receive the response:

iptables: No chain/target/match by that name

There are no additional instructions to follow on the Patch-o-matic HOWTO, so I wonder what could be missing? I have verified that the apparently patched kernel is the one I am running and patch-o-matic does not complain.

-Erik Weber
Geek

From laforge at netfilter.org Sun Jul 3 09:16:59 2005
From: laforge at netfilter.org (Harald Welte)
Date: Sun Jul 3 09:31:44 2005
Subject: [ADMIN] people.netfilter.org down
Message-ID: <20050703071659.GK3186@sunbeam.de.gnumonks.org>

Hi!

Due to stupid experimentation with mmio_test [1], I've managed to crash durga.netfilter.org (which runs people.netfilter.org) on a Sunday (where no staff is present at the hosting ISP). I expect it to be down until some point on Monday (tomorrow). Sorry.

All this just caused because I was too lazy to re-install the Sun Blade 1000 I have in my office. Will not happen again.

Cheers,
Harald

[1] https://svn.gnumonks.org/trunk/mmio_test
-- 
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie

From jengelh at linux01.gwdg.de Sun Jul 3 15:56:48 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sun Jul 3 16:11:31 2005
Subject: Configurationrequest for firewall with temporary ppp0-interface
In-Reply-To: <42C3BA1B.6070004@my-mail.ch>
References: <42C3BA1B.6070004@my-mail.ch>
Message-ID:

> Hi,
>
> I've the problem that I need some rules for a temporary ppp0 interface.
> This interface is only active when the admin has made a dial-up on the server
> and has activated a ppp-daemon.

Maybe it's been said, or not: You can have iptables rules for devices even if they do not exist or are turned off (à la "ip link set down")

Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de

From jengelh at linux01.gwdg.de Sun Jul 3 16:02:34 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sun Jul 3 16:17:12 2005
Subject: Crazy portmap request
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290741D@pxtbenexd01.pxt.primeexalia.com>
References: <57F9959B46E0FA4D8BA88AEDFBE58290741D@pxtbenexd01.pxt.primeexalia.com>
Message-ID:

>Hello,
>
>I have a new challenge of trying to map some IP's to a single IP but
>with a static port. Here is a sample.

You can't do that (at least at the same time). This is because: What if the client-in-the-office makes two requests at the same time to the same service? (Classic example: SMB file sharing) Then you would have two distinct packets having the same single-IP-with-static-port on the source side, and IP-PORT on the destination side, e.g.

client:1024 -> fileserver:137
client:1025 -> fileserver:137

gets mapped to

router:1999 -> fileserver:137
router:1999 -> fileserver:137

and as you know, the uniqueness of a TCP connection is defined by the uniqueness of the tuple (srcip,srcport,dstip,dstport)

>Each workstation has a TCP processing running on a fixed port. For all
>intents and purposes let's say it's SMTP. What I need to do, using the
>single static IP address is map out a single port for each server behind
>it.
>
>So, given 10.99.0.x it we want something like this
>
>10.99.0.1:25 = 199.199.80.41:30001
>10.99.0.2:25 = 199.199.80.41:30002
>...
>10.99.0.250:25 = 199.199.80.41:30250
>
>Is there a simple way to do this? Currently we have a pre/post routing
>line per entry. Is there a better way?

Maybe I did not quite understand, but my first guess is -see above-.

For everything else, if it's only one connection at the same time,

-t nat -A POSTROUTING -s 10.99.0.1 -p tcp --sport 25 -j SNAT --to-source 199.199.80.41:30001

Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de

From jengelh at linux01.gwdg.de Sun Jul 3 16:03:28 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sun Jul 3 16:18:13 2005
Subject: A replacement for rp_filter with iptables (config help needed)
In-Reply-To:
References: <42C37413.3010504@networker.co.nz> <1120254920.3544.2.camel@localhost>
Message-ID:

>> iptables -t mangle -A PREROUTING -i ! eth1 -s
>> 2xx.xx.xxx.224/255.255.255.240 -j DROP
>
>If you support 2.6.x kernels, I'd suggest to use the raw table instead:
>thus the unnecessary load on conntrack could be avoided.
>

Why use this sort of replacement for rp_filter anyway? What's bad with rp_filter? (Apart from the problem with asymmetric routing, as is mentioned in net/ipv4/*.)

Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de

From jengelh at linux01.gwdg.de Sun Jul 3 16:08:26 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sun Jul 3 16:23:05 2005
Subject: Is anyone else getting these.
In-Reply-To: <42C65B6A.8010503@gmx.co.uk>
References: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com> <42C65B6A.8010503@gmx.co.uk>
Message-ID:

>> I have verified my IP's not to on relays.ordb.org. I'm wondering if
>> they blacklisted netfilter.org?

No. I even get that SPAM report if I write personally to that address, or anything-you-have-not-imagined-yet.

>> phergenhahn@echtzeit.de on Fri, 1 Jul 2005 23:11:28 +0200
>
> I got one and looked at the headers. I thought perhaps their braindead
> Microsoft software was reading the Received: lines and finding something. If so
> I don't know what it is.

IIRC I read 'unknown user' account somewhere. Anyway, action should be taken.

Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de

From gary at primeexalia.com Sun Jul 3 19:56:13 2005
From: gary at primeexalia.com (Gary W. Smith)
Date: Sun Jul 3 20:11:16 2005
Subject: Crazy portmap request
In-Reply-To:
Message-ID:

I understand what you are saying for the purposes of outgoing connections. What I am looking for is SNAT the external interface so I can connect to a single, set port, on all 200 machines from an external workstation. Basically, I'm at home right now and I should be able to walk 200 different ports on the one static IP address and be able to access each of the 200 different machines at the remote office.

This is a simplified example. The reality is, there are some 100+ servers running different SOAP objects via a particular port on the end servers that we need to have accessible from an external address. We have a limited number of static IP's and don't really want to waste 100 of them on individual servers.

It works with the rules individually, but it ends up being about 800 rules in the file. I was just hoping to trim it down a little.

On 7/3/05 7:02 AM, "Jan Engelhardt" wrote:

>> Hello,
>>
>> I have a new challenge of trying to map some IP's to a single IP but
>> with a static port. Here is a sample.
>
> You can't do that (at least at the same time). This is because:
> What if the client-in-the-office makes two requests at the same time to the
> same service? (Classic example: SMB file sharing) Then you would have two
> distinct packets having the same single-IP-with-static-port on the source
> side, and IP-PORT on the destination side, e.g.
>
> client:1024 -> fileserver:137
> client:1025 -> fileserver:137
>
> gets mapped to
>
> router:1999 -> fileserver:137
> router:1999 -> fileserver:137
>
> and as you know, the uniqueness of a TCP connection is defined by the
> uniqueness of the tuple (srcip,srcport,dstip,dstport)
>
>> Each workstation has a TCP processing running on a fixed port. For all
>> intents and purposes let's say it's SMTP. What I need to do, using the
>> single static IP address is map out a single port for each server behind
>> it.
>>
>> So, given 10.99.0.x it we want something like this
>>
>> 10.99.0.1:25 = 199.199.80.41:30001
>> 10.99.0.2:25 = 199.199.80.41:30002
>> ...
>> 10.99.0.250:25 = 199.199.80.41:30250
>>
>> Is there a simple way to do this? Currently we have a pre/post routing
>> line per entry. Is there a better way?
>
> Maybe I did not quite understand, but my first guess is -see above-.
>
> For everything else, if it's only one connection at the same time,
> -t nat -A POSTROUTING -s 10.99.0.1 -p tcp --sport 25 -j SNAT
> --to-source 199.199.80.41:30001
>
>
>
> Jan Engelhardt
> -- 
> | Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
> | Am Fassberg, 37077 Goettingen, www.gwdg.de

From eric at inl.fr Sun Jul 3 23:43:15 2005
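An added example, not code from the thread: a loop that generates the inbound side of Gary's mapping (199.199.80.41:3000N to 10.99.0.N:25) as DNAT rules, one per host as Jan's tuple argument requires, so the 250 lines need not be written by hand. The address and port values are the thread's sample numbers; the FORWARD rules and IPT defaulting to echo (print instead of load) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one DNAT rule per internal host, generated
# in a loop. iptables has no arithmetic, and (srcip,srcport,dstip,dstport) must
# stay unique per connection, so a single rule cannot express "port 3000N maps
# to host N"; the loop only keeps the rule file short and consistent.
IPT="${IPT:-echo}"            # IPT=iptables (as root) to load the rules; echo prints them
EXT_IP="199.199.80.41"        # the thread's sample static address
INT_NET="10.99.0"             # the thread's sample internal /24
SVC_PORT=25                   # the fixed service port on every host
PORT_BASE=30000               # external port = PORT_BASE + host number

# External port that reaches host N.
port_for_host() {
    echo $((PORT_BASE + $1))
}

# Emit/load one DNAT rule per host N in [first, last]:
#   tcp to EXT_IP:(PORT_BASE+N) is rewritten to INT_NET.N:SVC_PORT
# Fails (returns 1) for host numbers outside the usable 1..254 of the /24.
gen_dnat_rules() {
    first="$1"
    last="$2"
    if [ "$first" -lt 1 ] || [ "$last" -gt 254 ] || [ "$first" -gt "$last" ]; then
        echo "host range must lie within 1..254" >&2
        return 1
    fi
    n="$first"
    while [ "$n" -le "$last" ]; do
        "$IPT" -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport "$(port_for_host "$n")" \
            -j DNAT --to-destination "$INT_NET.$n:$SVC_PORT"
        n=$((n + 1))
    done
}

# Rewritten packets still traverse FORWARD; admit only the mapped service
# port towards the internal net, and the replies, rather than opening it up.
gen_forward_rules() {
    "$IPT" -A FORWARD -d "$INT_NET.0/24" -p tcp --dport "$SVC_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -s "$INT_NET.0/24" -p tcp --sport "$SVC_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

gen_dnat_rules 1 250
gen_forward_rules
```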
From: eric at inl.fr (Eric Leblond)
Date: Sun Jul 3 23:58:09 2005
Subject: [Announce] Nulog 1.1.0 is available
In-Reply-To:
References: <1120136387.4696.54.camel@localhost.localdomain>
Message-ID: <1120426995.8058.14.camel@localhost.localdomain>

On Friday 01 July 2005 at 15:34 -0400, R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> considering the history of php, and many php applications and their
> bi-weekly appearance in the various sec lists for newly discovered vulns,
> how safe is this application and would one want to place it on or near
> their main security device?

This application has existed for some years now and we have proceeded to some code audits and have carefully checked user entries to avoid SQL injection or other problems.

The other point is that this application does not have to be available for everyone as it contains private information. Thus, it can be protected from "bad people" by authentication or other means. To be simple, access has to be restricted to admins.

Another point is that permissions on the MySQL database should and can be carefully set to have only read-only permission on the table containing the ulogd/NuFW logs. These restricted permissions can ensure that the logged data can not be corrupted. Furthermore, in the case of an Ulogd installation, the logged packets can be duplicated in syslog, thus any hypothetical data corruption is harmless.

Finally, as ulogd can log on a database running on a separate host, your firewall is safe as there is no server running on it.

BR,
-- 
Eric Leblond

From andrex at alumni.utexas.net Mon Jul 4 06:39:35 2005
From: andrex at alumni.utexas.net (Andrew Schulman)
Date: Mon Jul 4 06:54:36 2005
Subject: patch-o-matic'd TTL, but it's not there
References:
Message-ID:

> I used patch-o-matic-ng apparently successfully to add the 'TTL' patch
> (compiled & installed new kernel, modules, and iptables) and yet when
> I give the command:
>
> iptables -t mangle -A PREROUTING -i eth1 -j TTL --ttl-set 64
>
> I receive the response:
>
> iptables: No chain/target/match by that name

This has happened to me in other cases for two different reasons:

(1) My version of iptables didn't support the new target. You may need a more recent iptables.

(2) I didn't include all of the necessary other options. For example, -j TARPIT didn't work if I didn't also specify -p tcp.

Unfortunately you get the same error message (the one you cited) in both cases, although it's not very descriptive in the second case.

From waruiinu at gmail.com Mon Jul 4 09:31:05 2005
From: waruiinu at gmail.com (George Alexandru Dragoi)
Date: Mon Jul 4 09:45:53 2005
Subject: patch-o-matic'd TTL, but it's not there
In-Reply-To:
References:
Message-ID: <3063e5050704003167d5528c@mail.gmail.com>

I think you should specify the full path to the new iptables binary.

From kadlec at blackhole.kfki.hu Mon Jul 4 09:39:16 2005
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Mon Jul 4 09:53:55 2005
Subject: A replacement for rp_filter with iptables (config help needed)
In-Reply-To:
References: <42C37413.3010504@networker.co.nz> <1120254920.3544.2.camel@localhost>
Message-ID:

On Sun, 3 Jul 2005, Jan Engelhardt wrote:

> >> iptables -t mangle -A PREROUTING -i ! eth1 -s
> >> 2xx.xx.xxx.224/255.255.255.240 -j DROP
> >
> >If you support 2.6.x kernels, I'd suggest to use the raw table instead:
> >thus the unnecessary load on conntrack could be avoided.
>
> Why use this sort of replacement for rp_filter anyway? What's bad with
> rp_filter? (Apart from the problem with asymmetric routing, as is mentioned
> in net/ipv4/*.)

Thus one can disable rp_filter and collect the logs together with all the "other" firewall log entries.

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary

From harmuth at mnemon.de Mon Jul 4 11:09:21 2005
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Mon Jul 4 11:25:10 2005
Subject: Is anyone else getting these.
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com>
References: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com>
Message-ID: <42C8FCC1.7030204@mnemon.de>

Gary W. Smith wrote:
> I have verified my IP's not to on relays.ordb.org. I'm wondering if they blacklisted netfilter.org?
>
>
>
> FW: Unzustellbar: [SPAM] - Crazy portmap request - Sending mail server found
> on relays.ordb.org
>
> -----Original Message-----
> From: Systemadministrator [mailto:postmaster@echtzeit.com]
> Sent: Friday, July 01, 2005 2:11 PM
> To: Gary W. Smith
> Subject: Unzustellbar: [SPAM] - Crazy portmap request - Sending mail server found on relays.ordb.org
>
> Your message
>
> To: netfilter@lists.netfilter.org
> Subject: [SPAM] - Crazy portmap request - Sending mail server found on
> relays.ordb.org
> Sent: Fri, 1 Jul 2005 00:56:12 +0200
>
> did not reach the following recipient(s):
>
> phergenhahn@echtzeit.de on Fri, 1 Jul 2005 23:11:28 +0200
> Der Name des Empfängers wurde nicht erkannt.

I suppose that everyone posting to the list gets this mail - at least I get it every time. Like Jason already posted, adding

:0
* From.*postmaster@echtzeit.com
/dev/null

to my .procmailrc solved this and makes me feel better :)

Have a nice time,
Joerg

From umar_draz at yahoo.com Mon Jul 4 12:39:08 2005
From: umar_draz at yahoo.com (umar draz)
Date: Mon Jul 4 12:53:56 2005
Subject: help me
Message-ID: <20050704103908.15589.qmail@web53106.mail.yahoo.com>

hi dear members!

i have one interface card in my linux machine

now i attach DSL modem with this interface now i want block all incoming traffic.

but i want i can access every thing.

how i can do it

regards

Umar Draz

From christoph.georgi at web.de Mon Jul 4 12:47:15 2005
From: christoph.georgi at web.de (Christoph Georgi)
Date: Mon Jul 4 13:04:43 2005
Subject: help me
In-Reply-To: <20050704103908.15589.qmail@web53106.mail.yahoo.com>
References: <20050704103908.15589.qmail@web53106.mail.yahoo.com>
Message-ID: <42C913B3.8010202@web.de>

make the default policy of the incoming chain (input) drop, but allow established and related traffic, and allow all outgoing traffic by setting the default policy to allow for the output chain (although it's advised to specify the outgoing traffic further..)

# drops all traffic
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# allow established and related incoming traffic
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

christoph

umar draz wrote:
> hi dear members!
>
> i have one interface card in my linux machine
>
> now i attach DSL modem with this interface now i
> want block all incoming traffic.
>
> but i want i can access every thing.
>
> how i can do it
>
> regards
>
> Umar Draz
>

-- 
Christoph Georgi
-----------------------------
email. christoph.georgi@web.de
fon. +64 (0)9 815 8259
registered linux user #380268
ubuntu 5.04 (ubuntu.com)

From dleangen at canada.com Mon Jul 4 13:13:25 2005
From: dleangen at canada.com (David Leangen)
Date: Mon Jul 4 13:28:25 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
Message-ID:

Hello!

> > RH/FC and such like to hide information from the user. You can add
> > some shell code to your startup scripts which redirect more verbose
> > output to files. In this case maybe some echo commands to show
> > which file is being fed to iptables-restore.

Well, I did a little more digging. Although I see more and more what's going on, I'm understanding less and less.

I have two machines on which I freshly installed FC3, in exactly the same way, with minimal packages. Since I installed FC3 exactly the same way, it should behave the same way on both systems, right? Well, not so. That's the first point I do not understand.

On one machine ("goodhost"), everything works exactly as expected.

On the misbehaving machine, however, ("badhost"), I noticed that contrary to what I mentioned in my previous posts, /etc/sysconfig/iptables does indeed appear to get loaded at system startup.

However, IT DOES NOT GET LOADED THE SAME WAY!!

Why is that? Why would the same file not get loaded the same way on startup as it does when running iptables-restore afterward? And why does it work on one machine, but not on another with the same installation? I've tried on a few different firewall rules files, and the same thing always seems to happen. I even tried with the default RedHat firewall rules. The diff of 'iptables -L' between the two (firewall loaded at startup vs. firewall loaded afterward with iptables-restore) is below.

Any ideas about this very strange situation? Any help would be most appreciated!

< RH-Firewall-1-INPUT all -- anywhere anywhere
---
> DROP tcp -- anywhere anywhere tcp dpts:0:1023
> DROP udp -- anywhere anywhere udp dpts:0:1023
> DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
> DROP icmp -- anywhere anywhere icmp echo-request
5c8
< Chain FORWARD (policy ACCEPT)
---
> Chain FORWARD (policy DROP)
7d9
< RH-Firewall-1-INPUT all -- anywhere anywhere
12c14
< Chain RH-Firewall-1-INPUT (2 references)
---
> Chain RH-Firewall-1-INPUT (0 references)

From chaitanya at rocsys.com Mon Jul 4 13:37:18 2005
From: chaitanya at rocsys.com (krishna chaitanya)
Date: Mon Jul 4 13:45:05 2005
Subject: newbie to netfilters
Message-ID: <1120477039.11255.8.camel@Krishna>

Hi,

I am a newbie to netfilters. Can any one help me in understanding what the int (*okfn)(struct sk_buff *) function pointer does in the hook function of netfilters.

Thanks in Advance

From chaitanya at rocsys.com Mon Jul 4 14:57:52 2005
From: chaitanya at rocsys.com (krishna chaitanya)
Date: Mon Jul 4 15:05:44 2005
Subject: newbie to netfilters
In-Reply-To: <200507040828.j5UDblrl003631@rocsys.com>
References: <200507040828.j5UDblrl003631@rocsys.com>
Message-ID: <1120481873.935.4.camel@Krishna>

Hi,

I am a newbie to netfilters. I want some help in understanding the necessity of the "int (*okfn)(struct sk_buff *)" function pointer in the netfilter hook function.

Thanks in advance

From rob0 at gmx.co.uk Mon Jul 4 15:39:02 2005
From: rob0 at gmx.co.uk (/dev/rob0) Date: Mon Jul 4 15:53:56 2005 Subject: /etc/sysconfig/iptables does not load on reboot In-Reply-To: References: Message-ID: <200507040839.02705.rob0@gmx.co.uk> On Monday 04 July 2005 06:13, David Leangen wrote: > > > add some shell code to your startup scripts which redirect more > > > verbose output to files. In this case maybe some echo commands to > > > show which file is being fed to iptables-restore. > > Well, I did little more digging. Although I see more and more what's > going on, I'm understanding less and less. > > I have two machines on which I freshly installed FC3, in the exaclty > the same way, with minimal packages. Since I installed FC3 exactly > the same way, it should behave the same way on both systems, right? > Well, not so. That's the first point I do not understand. Same kernel? > On one machine ("goodhost"), everything works exactly as expected. > > On the misbehaving machine, however, ("badhost"), I noticed that > contrary to what I mentioned in my previous posts, > /etc/sysconfig/iptables does indeed appear to get loaded at system > startup. > > However, IT DOES NOT GET LOADED THE SAME WAY!! Please define that. > Why is that? Why would the same file not get loaded the same way on > startup as it does when running iptables-restore afterward? And why A custom kernel on the badhost might explain it, at least in part. > does it work on one machine, but not on another with the same > installation? I've tried on a few different firewall rules files, and > the same thing always seems to happen. I even tried with the default > RedHat firewall rules. The diff of 'iptables-L' between the two > (firewall loaded at startup vs. firewall loaded afterward with > iptables-restore) is below. > > Any ideas about this very strange situation? Any help would be most > appreciated! 1. It's hard to glean useful information out of iptables -L, even with -v. 
It's harder when filtered through diff(1) and when we don't have the
original iptables-restore file to see. If you want help you should post:
a. The complete but uncommented iptables-restore file
b. iptables-save(8) output after the boot, but before ..
c. iptables-save(8) output after manual restoring.
d. Bank and credit card account information, mother's maiden name.
e. Debugging output as described below.
f. What have you changed from default? Kernel? Patch-o-matic?

> < RH-Firewall-1-INPUT  all  --  anywhere  anywhere
> ---
> > DROP  tcp  --  anywhere  anywhere  tcp dpts:0:1023

2. This looks like one of those useless RH default firewalls, in the
style of ipchains. Get a real firewall script to generate your rules. It
is a waste of time to fix this one. (But it's possible the same problem
would exist with a better firewall.)

3. My guess is that the --protocol match extensions, tcp, udp and icmp,
are failing to load at boot. Something which differs between your login
environment and the environment of init(8) enables the automatic loading
of netfilter modules.

4. Shell debugging code. Redirect both stdout and stderr of the
iptables-restore(8) command at boot time to a file. Read the files. Your
stderr file will probably tell you what went wrong. It wouldn't hurt to
put in a "set > /root/init-env" too.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From rob0 at gmx.co.uk Mon Jul 4 15:45:27 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 4 15:59:54 2005
Subject: help me
In-Reply-To: <42C913B3.8010202@web.de>
References: <20050704103908.15589.qmail@web53106.mail.yahoo.com> <42C913B3.8010202@web.de>
Message-ID: <200507040845.27832.rob0@gmx.co.uk>

On Monday 04 July 2005 05:47, Christoph Georgi wrote:
> make the default policy of the incoming chain (input) drop, but allow
> established and related traffic, and allow all outgoing traffic by
> setting the default policy to allow for the output chain (although
> it's advised to specify the outgoing traffic further..)

Why, and by whom, is that advised?

> umar draz wrote:
> > [snip]
> > how i can do it

All this is clearly described in the Packet Filtering HOWTO. Or you can
use one of many ready-made scripts without bothering to learn how
firewalls work.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From viriketo at gmail.com Mon Jul 4 16:15:30 2005
From: viriketo at gmail.com (Lluís Batlle)
Date: Mon Jul 4 16:30:15 2005
Subject: Problem with routing decisions, and multihop
Message-ID: <45219fb00507040715442f52cf@mail.gmail.com>

Hi! I have many problems getting this thing to work. There's a host with two network interfaces, where there are two routers to Internet in two separated networks. The host uses multihop routing for deciding to which router to send the packets... but the routing decision is wrongly made. Some packets with the source address of one NIC go to the other network.

I have a host with three NICs in it:
eth0 - LAN, 192.168.0.0/20
eth1 192.168.16.1 - subnetwork 192.168.16.0/28, with a router (192.168.16.2) to internet
eth2 192.168.17.1 - subnetwork 192.168.17.0/28, with another router (192.168.17.2) to internet

The routing rules are:
0:     from all lookup local
50:    from all lookup main
201:   from 192.168.17.0/28 iif eth2 lookup 201
202:   from 192.168.16.0/28 iif eth1 lookup 202
222:   from all lookup 222
32766: from all lookup main
32767: from all lookup default

The table 'main':
192.168.17.0/28 dev eth2 proto kernel scope link src 192.168.17.1
192.168.16.0/28 dev eth1 proto kernel scope link src 192.168.16.1
192.168.0.0/20 dev eth0 proto kernel scope link src 192.168.1.2

The table '201':
default via 192.168.17.2 dev eth2 proto static src 192.168.17.1
prohibit default proto static metric 1

The table '202':
default via 192.168.16.2 dev eth1 proto static src 192.168.16.1
prohibit default proto static metric 1

The table '222', where there is the multihop gateway specification:
default equalize
        nexthop via 192.168.16.2 dev eth1 weight 1
        nexthop via 192.168.17.2 dev eth2 weight 1

I've added the following packet LOG lines into the 'mangle' table, for knowing when the "WRONG INTERFACE" decision is being made:

Chain POSTROUTING (policy ACCEPT 329K packets, 93M bytes)
 pkts bytes target  prot opt in   out  source        destination
    2    80 LOG     all  --  any  eth1 192.168.17.1  anywhere      LOG level warning ip-options prefix `WRONG IFACE: '
    0     0 LOG     all  --  any  eth2 192.168.16.1  anywhere      LOG level warning ip-options prefix `WRONG IFACE: '

(Don't look at the counters; right now, for getting good internet access, I'm not using multihop)

So, this often appears in the kernel log, especially with 'ftp' and 'ssh' connections (and rarely with www connections):

Jul 4 15:50:14 thecrow WRONG IFACE: IN= OUT=eth2 SRC=192.168.16.1 DST=216.165.191.52 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=9582 DF PROTO=TCP SPT=56528 DPT=6667 WINDOW=18824 RES=0x00 ACK PSH URGP=0
Jul 4 16:01:29 thecrow WRONG IFACE: IN= OUT=eth1 SRC=192.168.17.1 DST=130.206.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=66 DF PROTO=TCP SPT=33820 DPT=21 WINDOW=0 RES=0x00 RST URGP=0

Even though, when I use 'tcpdump' for catching the wrong packets (that is: tcpdump -i eth1 host 192.168.17.1 _or_ tcpdump -i eth2 host 192.168.16.1), the result is that _A LOT MORE PACKETS_ are BADLY ROUTED than are sent to the LOG target.

My conclusion: iptables 'matching' doesn't work; nor does the route decision part.

I absolutely don't know what more to do... I'm running iptables v1.2.11, and kernel 2.6.11-gentoo-r11. Exactly the same happened with kernel 2.4.28-gentoo. :(

I even attach the scripts I use for doing the routing and the NAT for the LAN.

Please, help!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: masquerading.multi-eth
Type: application/octet-stream
Size: 3879 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20050704/0536b628/masquerading-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: routing.multi-eth
Type: application/octet-stream
Size: 1538 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20050704/0536b628/routing-0001.obj

From dleangen at canada.com Mon Jul 4 16:17:09 2005
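Lluís's LOG rules in mangle POSTROUTING flag a packet when it leaves on an interface whose address is not the packet's source address. The following is an added example, not code from the thread or its attachments: it applies the same check to kernel log lines after the fact, so a whole syslog can be audited and compared with what tcpdump saw on the wire. The interface/address map is an argument; the sample input is the three lines posted in this thread plus two constructed ones (a correctly routed packet and a forwarded LAN packet, which is not the host's own source and therefore not counted).

```sh
#!/bin/sh
# Added example: detect locally generated packets that left on an interface
# whose address is not their source address, from netfilter LOG output.
# Not part of the original thread; iface=addr map is supplied by the caller.

# Print the log lines whose SRC= is one of this host's own addresses but not
# the address of the OUT= interface.  $1 = "eth1=a.b.c.d eth2=e.f.g.h ..."
# Log lines are read from stdin.
mismatched_egress() {
    awk -v map="$1" '
        BEGIN {
            n = split(map, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                addr[kv[1]] = kv[2]   # interface -> its address
                own[kv[2]] = 1        # addresses that belong to this host
            }
        }
        {
            out = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^OUT=/) out = substr($i, 5)
                else if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if ((src in own) && (out in addr) && addr[out] != src) print
        }'
}

# Summarise the mismatches per egress interface as "iface count" lines.
mismatch_summary() {
    mismatched_egress "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^OUT=/) c[substr($i, 5)]++ }
        END { for (k in c) print k, c[k] }' | sort
}

# Sample input: the three lines from the thread, then two constructed lines.
sample_log() {
    cat <<'EOF'
Jul 4 15:50:14 thecrow WRONG IFACE: IN= OUT=eth2 SRC=192.168.16.1 DST=216.165.191.52 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=9582 DF PROTO=TCP SPT=56528 DPT=6667 WINDOW=18824 RES=0x00 ACK PSH URGP=0
Jul 4 16:01:29 thecrow WRONG IFACE: IN= OUT=eth1 SRC=192.168.17.1 DST=130.206.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=66 DF PROTO=TCP SPT=33820 DPT=21 WINDOW=0 RES=0x00 RST URGP=0
Jul 4 16:19:25 thecrow WRONG IFACE: IN= OUT=eth1 SRC=192.168.17.1 DST=130.206.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43245 DF PROTO=TCP SPT=49828 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 4 16:20:00 thecrow OK IFACE: IN= OUT=eth1 SRC=192.168.16.1 DST=130.206.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43246 DF PROTO=TCP SPT=49829 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 4 16:20:01 thecrow OK IFACE: IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=130.206.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Usage: grep 'IFACE' /var/log/messages | mismatch_summary "eth1=192.168.16.1 eth2=192.168.17.1"
```

Run against the real log with `dmesg` or `/var/log/messages` as input. A packet caught by this check will be dropped by any upstream router doing reverse-path checks, which is why it looks like a spoofed source from the far side.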
From: dleangen at canada.com (David Leangen)
Date: Mon Jul 4 16:32:02 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To: <200507040839.02705.rob0@gmx.co.uk>
Message-ID:

Thanks for all the helpful hints!

> Same kernel?

goodhost=2.6.9-1.667smp
badhost=2.6.9-1.667

Not sure what the "smp" is. I will try loading on badhost the version with the same kernel as on goodhost and see if that fixes the problem.

> > However, IT DOES NOT GET LOADED THE SAME WAY!!
>
> Please define that.

I just meant that the output from 'iptables -L' does not show the same thing. The rules are correctly applied when running 'iptables-restore' later on, but not all the rules are correctly applied at startup.

> If you want help you should post:
> a. The complete but uncommented iptables-restore file
> b. iptables-save(8) output after the boot, but before ..
> c. iptables-save(8) output after manual restoring.
> d. Bank and credit card account information, mother's maiden name.
> e. Debugging output as described below.
> f. What have you changed from default? Kernel? Patch-o-matic?

Now that you've helped me to realise that I'm not using the same kernel, I'll try that first, and if the problem persists go on to all your other helpful suggestions. My only problem is that I won't have physical access to the server again until later this week.

Here is my credit card info:
Visa - 5515 2363 5124 1234 exp 04/06
Mother's maiden name: Ima Galible

Just let me know if you need my social security number, too. For security reasons, I'd rather mail that to you privately.

Thanks again! :-)

From viriketo at gmail.com Mon Jul 4 16:21:49 2005
From: viriketo at gmail.com (Lluis Batle)
Date: Mon Jul 4 16:36:36 2005
Subject: Problem with routing decisions, and multihop
In-Reply-To: <45219fb00507040715442f52cf@mail.gmail.com>
References: <45219fb00507040715442f52cf@mail.gmail.com>
Message-ID: <45219fb0050704072120d198ff@mail.gmail.com>

Hi! I have many problems getting this thing to work. There's a host with two network interfaces, where there are two routers to Internet in two separated networks. The host uses multihop routing for deciding to which router to send the packets... but the routing decision is wrongly made. Some packets with the source address of one NIC go to the other network.

I have a host with three NICs in it:
eth0 - LAN, 192.168.0.0/20
eth1 192.168.16.1 - subnetwork 192.168.16.0/28, with a router (192.168.16.2) to internet
eth2 192.168.17.1 - subnetwork 192.168.17.0/28, with another router (192.168.17.2) to internet

The routing rules are:
0:     from all lookup local
50:    from all lookup main
201:   from 192.168.17.0/28 iif eth2 lookup 201
202:   from 192.168.16.0/28 iif eth1 lookup 202
222:   from all lookup 222
32766: from all lookup main
32767: from all lookup default

The table 'main':
192.168.17.0/28 dev eth2 proto kernel scope link src 192.168.17.1
192.168.16.0/28 dev eth1 proto kernel scope link src 192.168.16.1
192.168.0.0/20 dev eth0 proto kernel scope link src 192.168.1.2

The table '201':
default via 192.168.17.2 dev eth2 proto static src 192.168.17.1
prohibit default proto static metric 1

The table '202':
default via 192.168.16.2 dev eth1 proto static src 192.168.16.1
prohibit default proto static metric 1

The table '222', where there is the multihop gateway specification:
default equalize
        nexthop via 192.168.16.2 dev eth1 weight 1
        nexthop via 192.168.17.2 dev eth2 weight 1

I've added the following packet LOG lines into the 'mangle' table, for knowing when the "WRONG INTERFACE" decision is being made:

Chain POSTROUTING (policy ACCEPT 329K packets, 93M bytes)
 pkts bytes target  prot opt in   out  source        destination
    2    80 LOG     all  --  any  eth1 192.168.17.1  anywhere      LOG level warning ip-options prefix `WRONG IFACE: '
    0     0 LOG     all  --  any  eth2 192.168.16.1  anywhere      LOG level warning ip-options prefix `WRONG IFACE: '

(Don't look at the counters; right now, for getting good internet access, I'm not using multihop)

So, this often appears in the kernel log, especially with 'ftp' and 'ssh' connections (and rarely with www connections):

Jul 4 15:50:14 thecrow WRONG IFACE: IN= OUT=eth2 SRC=192.168.16.1 DST=216.165.191.52 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=9582 DF PROTO=TCP SPT=56528 DPT=6667 WINDOW=18824 RES=0x00 ACK PSH URGP=0
Jul 4 16:01:29 thecrow WRONG IFACE: IN= OUT=eth1 SRC=192.168.17.1 DST=130.206.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=66 DF PROTO=TCP SPT=33820 DPT=21 WINDOW=0 RES=0x00 RST URGP=0

Even though, when I use 'tcpdump' for catching the wrong packets (that is: tcpdump -i eth1 host 192.168.17.1 _or_ tcpdump -i eth2 host 192.168.16.1), the result is that _A LOT MORE PACKETS_ are BADLY ROUTED than are sent to the LOG target.

My conclusion: iptables 'matching' doesn't work; nor does the route decision part.

I absolutely don't know what more to do... I'm running iptables v1.2.11, and kernel 2.6.11-gentoo-r11. Exactly the same happened with kernel 2.4.28-gentoo. :(

I even attach the scripts I use for doing the routing and the NAT for the LAN.

Please, help!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: masquerading.multi-eth
Type: application/octet-stream
Size: 3879 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20050704/bf55498e/masquerading.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: routing.multi-eth
Type: application/octet-stream
Size: 1538 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20050704/bf55498e/routing.obj

From jsassojr at nycap.rr.com Mon Jul 4 16:25:14 2005
From: jsassojr at nycap.rr.com (John Sasso)
Date: Mon Jul 4 16:40:06 2005
Subject: Problem w/ iptables on FC3
Message-ID: <1120487114.7207.10.camel@localhost.localdomain>

I am desperately trying to get the version of iptables that comes default on Fedora Core 3 to work, even with a simple configuration. The version of iptables is 1.2.11. The simple script is shown below, followed by the 'iptables -L' output and interface configuration. My system is single-homed, and starting off simple I am trying to allow outgoing pings. After running the script, when I try to ping anything I get:

ping: sendmsg: Operation not permitted

What is going on here? I've followed closely the guidelines given in several books on iptables and a variety of online docs, but to no avail. Is this a bug?

--john

--------------------------------------------
# Initialize all the chains by removing all the rules tied to them
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Now that the chains have been initialized, remove the user-defined
# chains. We will recreate them afterwards
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# If a packet does not match any of the built-in chains, then the policy
# should be to drop it.
# If the firewall has only one interface, the FORWARD policy is not necessary.
# However, defining a FORWARD policy is a precaution for future use.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -o eth0 -s 192.168.50.100 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth0 -d 192.168.50.100 -p icmp --icmp-type echo-reply -j ACCEPT
--------------------------------------------

--------------------------------------------
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             192.168.50.100      icmp echo-reply

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  192.168.50.100       anywhere            icmp echo-request
--------------------------------------------

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:20:78:07:BE:45
          inet addr:192.168.50.100  Bcast:192.168.50.255  Mask:255.255.255.0
          inet6 addr: fe80::220:78ff:fe07:be45/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:25140 (24.5 KiB)  TX bytes:14039 (13.7 KiB)
          Interrupt:11 Base address:0x2000

From viriketo at gmail.com Mon Jul 4 16:32:47 2005
From: viriketo at gmail.com (Lluis Batle)
Date: Mon Jul 4 16:47:34 2005
Subject: Problem with routing decisions, and multihop
In-Reply-To: <45219fb00507040715442f52cf@mail.gmail.com>
References: <45219fb00507040715442f52cf@mail.gmail.com>
Message-ID: <45219fb00507040732192b77e0@mail.gmail.com>

Hi! I have many problems getting this thing to work. There's a host with two network interfaces, where there are two routers to Internet in two separated networks. The host uses multihop routing for deciding to which router to send the packets... but the routing decision is wrongly made. Some packets with the source address of one NIC go to the other network.

I have a host with three NICs in it:
eth0 - LAN, 192.168.0.0/20
eth1 192.168.16.1 - subnetwork 192.168.16.0/28, with a router (192.168.16.2) to internet
eth2 192.168.17.1 - subnetwork 192.168.17.0/28, with another router (192.168.17.2) to internet

The routing rules are:
0:     from all lookup local
50:    from all lookup main
201:   from 192.168.17.0/28 iif eth2 lookup 201
202:   from 192.168.16.0/28 iif eth1 lookup 202
222:   from all lookup 222
32766: from all lookup main
32767: from all lookup default

The table 'main':
192.168.17.0/28 dev eth2 proto kernel scope link src 192.168.17.1
192.168.16.0/28 dev eth1 proto kernel scope link src 192.168.16.1
192.168.0.0/20 dev eth0 proto kernel scope link src 192.168.1.2

The table '201':
default via 192.168.17.2 dev eth2 proto static src 192.168.17.1
prohibit default proto static metric 1

The table '202':
default via 192.168.16.2 dev eth1 proto static src 192.168.16.1
prohibit default proto static metric 1

The table '222', where there is the multihop gateway specification:
default equalize
        nexthop via 192.168.16.2 dev eth1 weight 1
        nexthop via 192.168.17.2 dev eth2 weight 1

I've added the following packet LOG lines into the 'mangle' table, for knowing when the "WRONG INTERFACE" decision is being made:

Chain POSTROUTING (policy ACCEPT 329K packets, 93M bytes)
 pkts bytes target  prot opt in   out  source        destination
    2    80 LOG     all  --  any  eth1 192.168.17.1  anywhere      LOG level warning ip-options prefix `WRONG IFACE: '
    0     0 LOG     all  --  any  eth2 192.168.16.1  anywhere      LOG level warning ip-options prefix `WRONG IFACE: '

(Don't look at the counters; right now, for getting good internet access, I'm not using multihop)

So, this often appears in the kernel log, especially with 'ftp' and 'ssh' connections (and rarely with www connections):

Jul 4 15:50:14 thecrow WRONG IFACE: IN= OUT=eth2 SRC=192.168.16.1 DST=216.165.191.52 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=9582 DF PROTO=TCP SPT=56528 DPT=6667 WINDOW=18824 RES=0x00 ACK PSH URGP=0
Jul 4 16:01:29 thecrow WRONG IFACE: IN= OUT=eth1 SRC=192.168.17.1 DST=130.206.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=66 DF PROTO=TCP SPT=33820 DPT=21 WINDOW=0 RES=0x00 RST URGP=0

Even though, when I use 'tcpdump' for catching the wrong packets (that is: tcpdump -i eth1 host 192.168.17.1 _or_ tcpdump -i eth2 host 192.168.16.1), the result is that _A LOT MORE PACKETS_ are BADLY ROUTED than are sent to the LOG target.

My conclusion: iptables 'matching' doesn't work; nor does the route decision part.

I absolutely don't know what more to do... I'm running iptables v1.2.11, and kernel 2.6.11-gentoo-r11. Exactly the same happened with kernel 2.4.28-gentoo. :(

For example, here is a test. I want to ftp to "ftp.rediris.es". I look at which the route would be:

# ip route get 130.206.1.5
130.206.1.5 via 192.168.17.2 dev eth2 src 192.168.17.1
    cache mtu 1500 advmss 1460 metric 10 64

I try the ftp:

# ftp ftp.rediris.es

And in the kernel log appears:

Jul 4 16:19:25 thecrow WRONG IFACE: IN= OUT=eth1 SRC=192.168.17.1 DST=130.206.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43245 DF PROTO=TCP SPT=49828 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

Please, help... I'm desperate.

From rob0 at gmx.co.uk Mon Jul 4 16:37:25 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 4 16:51:52 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
References:
Message-ID: <200507040937.25404.rob0@gmx.co.uk>

On Monday 04 July 2005 09:17, David Leangen wrote:
> Thanks for all the helpful hints!
>
> > Same kernel?
>
> goodhost=2.6.9-1.667smp
> badhost=2.6.9-1.667
>
> Not sure what the "smp" is.

Probably "symmetric multi-processor", a kernel enabled for multiple CPUs. It could be that you have found a Fedora bug.

> I will try loading on badhost the version with the same kernel on
> goodhost and see if that fixes the problem.

If badhost only has one CPU it's wasteful to have SMP support, but as implied above, it could be a kernel configuration bug relating to the non-SMP kernel.

> Now that you've helped me to realise that I'm not using the same
> kernel, I'll try that first, and if the problem persists go on to all
> your other helpful suggestions. My only problem is that I won't have

I'm sticking to my guess. The rules which did not load (if I read it correctly from the diff) all used --protocol extensions. I know little of netfilter / iptables internals. I don't know where those extensions load from ... [WHAM] ouch, I was just hit by an inspiration.

Firewall loads before mount -a; probably at that point only the root filesystem is mounted. If the match extensions are on /usr, we can't get to them. I bet badhost has a separate /usr partition and goodhost has /usr on the rootfs. If so, yes, this is an OS bug. And don't just write set to a file, do "mount > /root/firewall-mounted-fs" too. (I hope /root isn't a symlink or otherwise on a different FS.)

> Mother's maiden name: Ima Galible

:)
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From rob0 at gmx.co.uk Mon Jul 4 16:49:36 2005
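/dev/rob0's two suggestions, capturing stdout, stderr, the environment and the mount table around the boot-time iptables-restore, and the guess that the --protocol and --match extensions cannot be found at that point, can be turned into a check that runs before the rules are loaded. The following is an added example, not code from the thread: `needed_extensions` lists the libipt_*.so shared objects a rules file in iptables-save format will cause iptables 1.2.x to load, `missing_extensions` reports which of them are absent from a given library directory, and `restore_with_evidence` is the wrapper an init script would call. The library directory is an assumption (iptables 1.2.x installs its extensions under /lib/iptables or /usr/lib/iptables depending on the build); the sample rules file is constructed in the style of the Fedora Core 3 default.

```sh
#!/bin/sh
# Added example, not from the thread. Checks which iptables extension
# libraries a rules file needs and records evidence around iptables-restore.
# Assumes the extension directory is passed in (e.g. /lib/iptables).

# Print the libipt_*.so names implied by a rules file (iptables-save format).
# "-p tcp", "-m state" and "-j LOG" each load an extension; the built-in
# verdicts ACCEPT, DROP, RETURN and QUEUE and user-defined chains do not.
needed_extensions() {
    grep -v '^[#*:]' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if (prev == "-m" || prev == "--match")
                    print "libipt_" $i ".so"
                else if ((prev == "-p" || prev == "--protocol") && $i != "all")
                    print "libipt_" $i ".so"
                else if ((prev == "-j" || prev == "--jump") && $i ~ /^[A-Z]+$/ && $i != "ACCEPT" && $i != "DROP" && $i != "RETURN" && $i != "QUEUE")
                    print "libipt_" $i ".so"
                prev = $i
            }
        }' | sort -u
}

# Print the needed extensions that are missing from library directory $2.
# Run this from the init script: if /usr is not mounted yet, the list will
# not be empty and explains an iptables-restore failure at boot.
missing_extensions() {
    for so in $(needed_extensions "$1"); do
        [ -e "$2/$so" ] || echo "$so"
    done
}

# What to run instead of a bare iptables-restore: keep the environment, the
# mount table and both output streams for later reading.
# $1 = rules file, $2 = directory on the root filesystem (e.g. /root).
# Returns iptables-restore's exit status.
restore_with_evidence() {
    set   > "$2/init-env"
    mount > "$2/firewall-mounted-fs"
    iptables-restore < "$1" > "$2/restore.out" 2> "$2/restore.err"
}

# Constructed sample rules in the style of the FC3 default firewall.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage: missing_extensions /etc/sysconfig/iptables /lib/iptables
```

If `missing_extensions` prints anything when run from the init script but nothing from a login shell, the extensions live on a filesystem that is not mounted yet, which is exactly the difference between the two environments that rob0 is pointing at.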
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 4 17:04:03 2005
Subject: Problem w/ iptables on FC3
In-Reply-To: <1120487114.7207.10.camel@localhost.localdomain>
References: <1120487114.7207.10.camel@localhost.localdomain>
Message-ID: <200507040949.36383.rob0@gmx.co.uk>

On Monday 04 July 2005 09:25, John Sasso wrote:
> avail. Is this a bug?

Not likely.

> iptables --policy OUTPUT DROP

Don't do this. How do you think it will help? Do you have untrusted local shell users? If so, you are doomed anyway. They will find an opening, get root, and get out as they wish. If it's just you on the machine, OUTPUT filtering is silly. Use self-control, not netfilter.

iptables -P OUTPUT ACCEPT

For the return packets, go stateful. An example is posted in the thread earlier today, Subject: help me. It's also given and explained in the Packet Filtering HOWTO.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From viric at vicerveza.homeunix.net Mon Jul 4 16:52:45 2005
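The "stateful" ruleset rob0 points John to, and that Christoph Georgi describes in the "help me" thread (INPUT policy DROP, return traffic admitted by connection tracking, OUTPUT left at ACCEPT), as an added example in iptables-restore format rather than the thread's own scripts. `stateful_ruleset` prints the ruleset for a single-homed host; `apply_ruleset` feeds it to iptables-restore, which only commits a table once every line has parsed, so a typo does not leave a half-loaded firewall. Interface, address and the inbound TCP ports are arguments chosen by the caller, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: a stateful single-host ruleset in
# iptables-restore format. Interface, address and ports are caller-supplied.

# Print the ruleset. $1 = interface, $2 = its address, remaining arguments =
# TCP ports on which new inbound connections are accepted (may be none).
# Return packets for anything the host initiates (ping replies, DNS answers,
# TCP data) match ESTABLISHED or RELATED, so OUTPUT needs no per-protocol rule.
stateful_ruleset() {
    iface="$1"; addr="$2"; shift 2
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -i $iface -d $addr -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -i $iface -m state --state INVALID -j DROP"
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -d $addr -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what the policy is about to drop, rate-limited so the log cannot be flooded.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "' \
        'COMMIT'
}

# Load the ruleset atomically. Nothing is changed if any line fails to parse.
apply_ruleset() {
    stateful_ruleset "$@" | iptables-restore
}

# Usage: apply_ruleset eth0 192.168.50.100 22
```

With OUTPUT at ACCEPT, John's `ping` sends its echo-request freely and the echo-reply comes back as ESTABLISHED (ICMP echo is tracked as a connection by ip_conntrack), so neither of his explicit ICMP rules is needed.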
From: viric at vicerveza.homeunix.net (Lluís Batlle i Rossell)
Date: Mon Jul 4 17:07:31 2005
Subject: Problem with routing decisions, and multihop
Message-ID: <20050704145245.GB10315@vicerveza>

Hi! I have many problems getting this thing to work. There's a host with two network interfaces, where there are two routers to Internet in two separated networks. The host uses multihop routing for deciding to which router to send the packets... but the routing decision is wrongly made. Some packets with the source address of one NIC go to the other network.

I have a host with three NICs in it:
eth0 - LAN, 192.168.0.0/20
eth1 192.168.16.1 - subnetwork 192.168.16.0/28, with a router (192.168.16.2) to internet
eth2 192.168.17.1 - subnetwork 192.168.17.0/28, with another router (192.168.17.2) to internet

The routing rules are:
0:     from all lookup local
50:    from all lookup main
201:   from 192.168.17.0/28 iif eth2 lookup 201
202:   from 192.168.16.0/28 iif eth1 lookup 202
222:   from all lookup 222
32766: from all lookup main
32767: from all lookup default

The table 'main':
192.168.17.0/28 dev eth2 proto kernel scope link src 192.168.17.1
192.168.16.0/28 dev eth1 proto kernel scope link src 192.168.16.1
192.168.0.0/20 dev eth0 proto kernel scope link src 192.168.1.2

The table '201':
default via 192.168.17.2 dev eth2 proto static src 192.168.17.1
prohibit default proto static metric 1

The table '202':
default via 192.168.16.2 dev eth1 proto static src 192.168.16.1
prohibit default proto static metric 1

The table '222', where there is the multihop gateway specification:
default equalize
        nexthop via 192.168.16.2 dev eth1 weight 1
        nexthop via 192.168.17.2 dev eth2 weight 1

I've added the following packet LOG lines into the 'mangle' table, for knowing when the "WRONG INTERFACE" decision is being made:

Chain POSTROUTING (policy ACCEPT 329K packets, 93M bytes)
 pkts bytes target  prot opt in   out  source        destination
    2    80 LOG     all  --  any  eth1 192.168.17.1  anywhere      LOG level warning ip-options prefix `WRONG IFACE: '
    0     0 LOG     all  --  any  eth2 192.168.16.1  anywhere      LOG level warning ip-options prefix `WRONG IFACE: '

(Don't look at the counters; right now, for getting good internet access, I'm not using multihop)

So, this often appears in the kernel log, especially with 'ftp' and 'ssh' connections (and rarely with www connections):

Jul 4 15:50:14 thecrow WRONG IFACE: IN= OUT=eth2 SRC=192.168.16.1 DST=216.165.191.52 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=9582 DF PROTO=TCP SPT=56528 DPT=6667 WINDOW=18824 RES=0x00 ACK PSH URGP=0
Jul 4 16:01:29 thecrow WRONG IFACE: IN= OUT=eth1 SRC=192.168.17.1 DST=130.206.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=66 DF PROTO=TCP SPT=33820 DPT=21 WINDOW=0 RES=0x00 RST URGP=0

Even though, when I use 'tcpdump' for catching the wrong packets (that is: tcpdump -i eth1 host 192.168.17.1 _or_ tcpdump -i eth2 host 192.168.16.1), the result is that _A LOT MORE PACKETS_ are BADLY ROUTED than are sent to the LOG target.

My conclusion: iptables 'matching' doesn't work; nor does the route decision part.

I absolutely don't know what more to do... I'm running iptables v1.2.11, and kernel 2.6.11-gentoo-r11. Exactly the same happened with kernel 2.4.28-gentoo. :(

For example, here is a test. I want to ftp to "ftp.rediris.es". I look at which the route would be:

# ip route get 130.206.1.5
130.206.1.5 via 192.168.17.2 dev eth2 src 192.168.17.1
    cache mtu 1500 advmss 1460 metric 10 64

I try the ftp:

# ftp ftp.rediris.es

And in the kernel log appears:

Jul 4 16:19:25 thecrow WRONG IFACE: IN= OUT=eth1 SRC=192.168.17.1 DST=130.206.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43245 DF PROTO=TCP SPT=49828 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

Please, help... I'm desperate.

--
In its laws, society makes its mightiest collective effort to impose
predictability upon human behavior.
- S. I. Hayakawa, "Language in thought and action"

From dleangen at canada.com Mon Jul 4 16:54:57 2005
From: dleangen at canada.com (David Leangen)
Date: Mon Jul 4 17:09:47 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To: <200507040937.25404.rob0@gmx.co.uk>
Message-ID:

> Firewall loads before mount -a; probably at that point only the
> root filesystem is mounted. If the match extensions are on /usr,
> we can't get to them. I bet badhost has a separate /usr partition
> and goodhost has /usr on the rootfs.

Well, it's true that /usr is mounted on a different partition, but this is the case for both goodhost and badhost.

Indeed, this is how I mounted my partitions on badhost:

Filesystem    Mounted on
/dev/hda2     /
/dev/hda1     /boot
/dev/hda8     /home
/dev/hda6     /tmp
/dev/hda3     /usr
/dev/hda7     /var

And this is goodhost:

/dev/sda2     /
/dev/sda1     /boot
/dev/sda3     /data
/dev/sda5     /home
/dev/sda8     /tmp
/dev/sda7     /usr
/dev/sda9     /var
/dev/sda10    /var/lib/pgsql

> If so, yes, this is an OS bug. And don't just write set to a file,
> do "mount > /root/firewall-mounted-fs" too. (I hope /root isn't a
> symlink or otherwise on a different FS.)

Sorry, I don't follow this last bit...

Thanks so much for helping me through this!!! :-)

From rob0 at gmx.co.uk Mon Jul 4 17:07:06 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 4 17:21:34 2005
Subject: Problem with routing decisions, and multihop
In-Reply-To: <45219fb00507040732192b77e0@mail.gmail.com>
References: <45219fb00507040715442f52cf@mail.gmail.com> <45219fb00507040732192b77e0@mail.gmail.com>
Message-ID: <200507041007.06513.rob0@gmx.co.uk>

On Monday 04 July 2005 09:32, Lluis Batle wrote:
> I have many problems getting this thing to work. There's a host with
> two network interfaces, where there are two routers to Internet in
> two separated networks. The host uses multihop routing for deciding
> to which router send the packets... but the routing decision is wrong

Does your kernel have the routes patch by Julian Anastasov?
http://www.ssi.bg/~ja/

> Please, help... I'm desperate.

You'll be more likely to get help on the LARTC mailing list.

Why RFC 1918 addresses on these interfaces? Do you have extra router equipment between you and the Internet?

Are multiple "ip route get ip.add.re.ss" commands in sequence showing routes out the same interface?
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From rob0 at gmx.co.uk Mon Jul 4 17:10:13 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 4 17:24:39 2005
Subject: Problem with routing decisions, and multihop
In-Reply-To: <200507041007.06513.rob0@gmx.co.uk>
References: <45219fb00507040715442f52cf@mail.gmail.com> <45219fb00507040732192b77e0@mail.gmail.com> <200507041007.06513.rob0@gmx.co.uk>
Message-ID: <200507041010.13653.rob0@gmx.co.uk>

On Monday 04 July 2005 10:07, I wrote:
> Are multiple "ip route get ip.add.re.ss" commands in sequence showing
> routes out the same interface?

for X in `seq 10` ; do /sbin/ip route get $X.$X.$X.$X ; done
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From laforge at netfilter.org Mon Jul 4 17:14:26 2005
From: laforge at netfilter.org (Harald Welte)
Date: Mon Jul 4 17:29:16 2005
Subject: [ADMIN] people.netfilter.org down
In-Reply-To: <20050703071659.GK3186@sunbeam.de.gnumonks.org>
References: <20050703071659.GK3186@sunbeam.de.gnumonks.org>
Message-ID: <20050704151426.GA20465@sunbeam.de.gnumonks.org>

On Sun, Jul 03, 2005 at 09:16:59AM +0200, Harald Welte wrote:
> Due to stupid experimentation with mmio_test [1], I've managed to crash
> durga.netfilter.org (which runs people.netfilter.org) on a Sunday (where
> no staff is present at the hosting ISP). I expect it to be down until
> some point on Monday (tomorrow).

The machine is up and running again. If something isn't working as expected, please contact me.

--
- Harald Welte                            http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed."                     -- Paul Vixie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20050704/63c78ec8/attachment.bin

From viriketo at gmail.com Mon Jul 4 17:32:40 2005
From: viriketo at gmail.com (Lluis Batle)
Date: Mon Jul 4 17:47:28 2005
Subject: Problem with routing decisions, and multihop
In-Reply-To: <45219fb005070408323197bfa4@mail.gmail.com>
References: <45219fb00507040715442f52cf@mail.gmail.com> <45219fb00507040732192b77e0@mail.gmail.com> <200507041007.06513.rob0@gmx.co.uk> <200507041010.13653.rob0@gmx.co.uk> <45219fb005070408323197bfa4@mail.gmail.com>
Message-ID: <45219fb0050704083253774af5@mail.gmail.com>

No, everything is right in its output:

1.1.1.1 via 192.168.16.2 dev eth1 src 192.168.16.1
    cache mtu 1500 advmss 1460 metric 10 64
2.2.2.2 via 192.168.17.2 dev eth2 src 192.168.17.1
    cache mtu 1500 advmss 1460 metric 10 64
3.3.3.3 via 192.168.16.2 dev eth1 src 192.168.16.1
    cache mtu 1500 advmss 1460 metric 10 64
4.4.4.4 via 192.168.17.2 dev eth2 src 192.168.17.1
    cache mtu 1500 advmss 1460 metric 10 64
5.5.5.5 via 192.168.16.2 dev eth1 src 192.168.16.1
    cache mtu 1500 advmss 1460 metric 10 64
6.6.6.6 via 192.168.17.2 dev eth2 src 192.168.17.1
    cache mtu 1500 advmss 1460 metric 10 64
7.7.7.7 via 192.168.16.2 dev eth1 src 192.168.16.1
    cache mtu 1500 advmss 1460 metric 10 64
8.8.8.8 via 192.168.17.2 dev eth2 src 192.168.17.1
    cache mtu 1500 advmss 1460 metric 10 64
9.9.9.9 via 192.168.16.2 dev eth1 src 192.168.16.1
    cache mtu 1500 advmss 1460 metric 10 64
10.10.10.10 via 192.168.17.2 dev eth2 src 192.168.17.1
    cache mtu 1500 advmss 1460 metric 10 64

About the 16.x and 17.x addresses... yes, there are other routers, which make NAT (192.168.16.2 and 192.168.17.2) to internet.

On 7/4/05, /dev/rob0 wrote:
> On Monday 04 July 2005 10:07, I wrote:
> > Are multiple "ip route get ip.add.re.ss" commands in sequence showing
> > routes out the same interface?
>
> for X in `seq 10` ; do /sbin/ip route get $X.$X.$X.$X ; done
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
>
>

From rob0 at gmx.co.uk Mon Jul 4 18:33:35 2005
From: rob0 at gmx.co.uk (/dev/rob0) Date: Mon Jul 4 18:48:03 2005 Subject: Problem with routing decisions, and multihop In-Reply-To: <45219fb0050704083253774af5@mail.gmail.com> References: <45219fb00507040715442f52cf@mail.gmail.com> <45219fb005070408323197bfa4@mail.gmail.com> <45219fb0050704083253774af5@mail.gmail.com> Message-ID: <200507041133.35774.rob0@gmx.co.uk> > On 7/4/05, /dev/rob0 wrote: > > On Monday 04 July 2005 10:07, I wrote: > > > Are multiple "ip route get ip.add.re.ss" commands in sequence > > > showing routes out the same interface? > > > > for X in `seq 10` ; do /sbin/ip route get $X.$X.$X.$X ; done On Monday 04 July 2005 10:32, Lluis Batle wrote: > No, everything is right in its output: > 1.1.1.1 via 192.168.16.2 dev eth1 src 192.168.16.1 > cache mtu 1500 advmss 1460 metric10 64 > 2.2.2.2 via 192.168.17.2 dev eth2 src 192.168.17.1 > cache mtu 1500 advmss 1460 metric10 64 >>="masquerading.multi-eth" (misnamed: it does no masquerading) >>NE1=192.168.16.0/28 >>NE2=192.168.17.0/28 Let's see, those are .0-.15 on the last quad. >>NLOCAL=192.168.0.0/20 And this is 0.0 through 15.255 ... IOW, wrong, excluding both $NE1 and $NE2. Try 192.168.16.0/23. It would not hurt for you to brush up on TCP/IP and subnetting basics. 
>> $IPTABLES -t nat -F PREROUTING
>> $IPTABLES -t nat -F POSTROUTING
>> $IPTABLES -t nat -F OUTPUT
>> $IPTABLES -t filter -F INPUT
>> $IPTABLES -t filter -F FORWARD
>> $IPTABLES -t filter -F OUTPUT
>> $IPTABLES -t filter -F keep_state >&/dev/null
>> $IPTABLES -t filter -X keep_state >&/dev/null
>> $IPTABLES -t nat -F keep_state >&/dev/null
>> $IPTABLES -t nat -X keep_state >&/dev/null

Could be rewritten as:
iptables -F ; iptables -X ; iptables -t nat -F ; iptables -t nat -X

>> $IPTABLES -t filter -N keep_state
>> $IPTABLES -t filter -A keep_state -m state \
>>     --state RELATED,ESTABLISHED -j ACCEPT
>> $IPTABLES -t filter -A keep_state -j RETURN
>>
>> $IPTABLES -t nat -N keep_state
>> $IPTABLES -t nat -A keep_state -m state \
>>     --state RELATED,ESTABLISHED -j ACCEPT
>> $IPTABLES -t nat -A keep_state -j RETURN

1. IMO it's confusing to give chains the same name in different tables.
2. The RETURN rules are pointless. That's what happens at the end of a
chain, anyway.
3. --state in -t nat? Is that possible? Does it work? Does it break
anything?

> About the 16.x and 17.x addresses... yes, there are other routers,
> which make NAT (192.168.16.2 and 192.168.17.2) to internet.

This seems odd to me. I prefer to use external IP directly, for many
reasons. It also eliminates other potential points of failure.

It's even more odd considering that you're doing DNAT on the
already-NAT'ed Linux machine. Why not do the DNAT in the external
routers? Also, those DNAT rules refer to other RFC 1918 netblocks.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From viriketo at gmail.com Mon Jul 4 18:54:50 2005
From: viriketo at gmail.com (Lluís Batlle)
Date: Mon Jul 4 19:09:40 2005
Subject: Problem with routing decisions, and multihop
In-Reply-To: <200507041133.35774.rob0@gmx.co.uk>
References: <45219fb00507040715442f52cf@mail.gmail.com> <45219fb005070408323197bfa4@mail.gmail.com> <45219fb0050704083253774af5@mail.gmail.com> <200507041133.35774.rob0@gmx.co.uk>
Message-ID: <45219fb005070409543f229ddd@mail.gmail.com>

Thanks :) I answer between lines...

On 7/4/05, /dev/rob0 wrote:
> >>="masquerading.multi-eth" (misnamed: it does no masquerading)
Ok. I tried with MASQUERADE, but by now I use SNAT.
>
> >>NE1=192.168.16.0/28
> >>NE2=192.168.17.0/28
>
> Let's see, those are .0-.15 on the last quad.
>
> >>NLOCAL=192.168.0.0/20
>
> And this is 0.0 through 15.255 ... IOW, wrong, excluding both $NE1 and
> $NE2. Try 192.168.16.0/23. It would not hurt for you to brush up on
> TCP/IP and subnetting basics.
Oh. Is it wrong? I don't understand what's "IOW". Where should I try
your proposed subnet? Why?
>
> >> $IPTABLES -t nat -F PREROUTING
> >> $IPTABLES -t nat -F POSTROUTING
> >> $IPTABLES -t nat -F OUTPUT
> >> $IPTABLES -t filter -F INPUT
> >> $IPTABLES -t filter -F FORWARD
> >> $IPTABLES -t filter -F OUTPUT
> >> $IPTABLES -t filter -F keep_state >&/dev/null
> >> $IPTABLES -t filter -X keep_state >&/dev/null
> >> $IPTABLES -t nat -F keep_state >&/dev/null
> >> $IPTABLES -t nat -X keep_state >&/dev/null
>
> Could be rewritten as:
> iptables -F ; iptables -X ; iptables -t nat -F ; iptables -t nat -X
Ok :)
>
> >> $IPTABLES -t filter -N keep_state
> >> $IPTABLES -t filter -A keep_state -m state \
> >>     --state RELATED,ESTABLISHED -j ACCEPT
> >> $IPTABLES -t filter -A keep_state -j RETURN
> >>
> >> $IPTABLES -t nat -N keep_state
> >> $IPTABLES -t nat -A keep_state -m state \
> >>     --state RELATED,ESTABLISHED -j ACCEPT
> >> $IPTABLES -t nat -A keep_state -j RETURN
>
> 1. IMO it's confusing to give chains the same name in different tables.
I agree...
but by now does that matter?
> 2. The RETURN rules are pointless. That's what happens at the end of a
> chain, anyway.
Ok. That's what I thought
> 3. --state in -t nat? Is that possible? Does it work? Does it break
> anything?
It seems it's possible. I get no error from those commands. Anyway,
I've thought that happens double application of that rule, through
filter and nat tables. I've removed everything about 'keep_state' in
the nat table. Everything is still working badly. Even from the
computer itself (local processes). Routing doesn't work, even without
any "NAT"-related chain/rule.
>
> > About the 16.x and 17.x addresses... yes, there are other routers,
> > which make NAT (192.168.16.2 and 192.168.17.2) to internet.
>
> This seems odd to me. I prefer to use external IP directly, for many
> reasons. It also eliminates other potential points of failure.
I agree :) but it's hard for me to configure the routers, so they give
to me the public addresses. I think that double-NAT should not break
anything. :)
>
> It's even more odd considering that you're doing DNAT on the already-
> NAT'ed Linux machine. Why not do the DNAT in the external routers?
> Also, those DNAT rules refer to other RFC 1918 netblocks.
mmm I've never read RFC 1918. :) I'll take a look at it. Thanks!

- I finish the working time in a few minutes. Tomorrow morning I'll keep
on with this.

From matt at darcy.demon.co.uk Mon Jul 4 19:07:27 2005
From: matt at darcy.demon.co.uk (matt)
Date: Mon Jul 4 19:22:37 2005
Subject: [Announce] Nulog 1.1.0 is available
In-Reply-To: <1120426995.8058.14.camel@localhost.localdomain>
Message-ID:

The Nulog 1.1.0 release has a bug. The mysql dumpfile does not contain
the conntrack_ulog table.

This has been reported to the nulog email account.

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Eric Leblond
Sent: 03 July 2005 22:43
To: R. DuFresne
Cc: netfilter@lists.netfilter.org
Subject: Re: [Announce] Nulog 1.1.0 is available

On Friday 01 July 2005 at 15:34 -0400, R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> considering the history of php, and many php applications and their
> bi-weekly appearance in the various sec lists for newly discovered vulns,
> how safe is this application and would one want to place it on or near
> their main security device?

This application has existed for some years now and we have proceeded to
some code audits and have carefully checked user entries to avoid SQL
injection or other problems.

The other point is that this application does not have to be available
for everyone as it contains private information. Thus, it can be
protected from "bad people" by authentication or other means. To be
simple, access has to be restricted to admins.

Another point is that permissions on the MySQL database should and can
be carefully set to have only read-only permission on the table
containing the ulogd/NuFW logs. These restricted permissions can assure
that the logged data can not be corrupted. Furthermore, in the case of
an Ulogd installation, the logged packets can be duplicated in syslog,
thus any hypothetical data corruption is harmless.

Finally, as ulogd can log on a database running on a separate host, your
firewall is safe as there is no server running on it.

BR,
--
Eric Leblond

From rob0 at gmx.co.uk Mon Jul 4 20:06:08 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 4 20:20:38 2005
Subject: Problem with routing decisions, and multihop
In-Reply-To: <45219fb005070409543f229ddd@mail.gmail.com>
References: <45219fb00507040715442f52cf@mail.gmail.com> <200507041133.35774.rob0@gmx.co.uk> <45219fb005070409543f229ddd@mail.gmail.com>
Message-ID: <200507041306.08626.rob0@gmx.co.uk>

On Monday 04 July 2005 11:54, Lluís Batlle wrote:
> Thanks :) I answer between lines...

Thank you.

> On 7/4/05, /dev/rob0 wrote:
> > >>="masquerading.multi-eth" (misnamed: it does no masquerading)
>
> Ok. I tried with MASQUERADE, but by now I use SNAT.

Right. MASQUERADE will not work with multiple routing.

> > >>NE1=192.168.16.0/28
> > >>NE2=192.168.17.0/28
> >
> > Let's see, those are .0-.15 on the last quad.
> >
> > >>NLOCAL=192.168.0.0/20
> >
> > And this is 0.0 through 15.255 ... IOW, wrong, excluding both $NE1
> > and $NE2. Try 192.168.16.0/23. It would not hurt for you to brush
> > up on TCP/IP and subnetting basics.
>
> Oh. Is it wrong? I don't understand what's "IOW". Where should I try
> your proposed subnet? why?

IOW="in other words", a common Internet shorthand.

192.168.0.0/20, set as $NLOCAL in your iptables script, excludes your
IP addresses and networks. No packet hitting the rules which refer to
that value will match, so the rules are ignored.

The rules to which I am referring:
$IPTABLES -t nat -A POSTROUTING -o eth1 -s $NLOCAL -j SNAT --to $IPE1
$IPTABLES -t nat -A POSTROUTING -o eth2 -s $NLOCAL -j SNAT --to $IPE2
Your SNAT rules.

Change "NLOCAL=192.168.0.0/20" to "NLOCAL=192.168.0.0/16", or as
previously suggested, "NLOCAL=192.168.16.0/23". I suppose you could
even omit the source specification altogether:
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to $IPE1
$IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to $IPE2

> > 1. IMO it's confusing to give chains the same name in different
> > tables.
>
> I agree... but by now does that matter?

Simply a point of style.
You can give chains any names you wish, no matter how confusing they
might be in context:

### Kids, don't try this at home. Professional stunt driver on a
### closed track.
iptables -N InputLogDrop
iptables -N ForwardAllow
iptables -A InputLogDrop -j ACCEPT
iptables -A FORWARD -j InputLogDrop
iptables -A ForwardAllow -j LOG
iptables -A ForwardAllow -p tcp -j REJECT
iptables -A ForwardAllow -j DROP
iptables -A INPUT -j ForwardAllow
### For my next trick, I will campaign to be elected Prime Minister.
### Thank you for your support in the polls.

> > 3. --state in -t nat? Is that possible? Does it work? Does it break
> > anything?
>
> It seems it's possible. I get no error from those commands. Anyway,

Perhaps it doesn't break anything, but I have read here that only
packets of --state NEW hit the -t nat PREROUTING chain. I don't know
about the relationship between connection tracking and NAT.

> I've thought that happens double application of that rule, through
> filter and nat tables. I've removed everything about 'keep_state' in
> the nat table. Everything is still working badly. Even from the

Likely because of NLOCAL in your script. If that's not the case it's
beyond my limited understanding, and once again I'll suggest you take
it to LARTC. Some people in LARTC know more about this than I do.

> > already-NAT'ed Linux machine. Why not do the DNAT in the external
> > routers? Also, those DNAT rules refer to other RFC 1918 netblocks.
>
> mmm I've never read RFC 1918. :) I'll take a look at it.

"RFC 1918 netblocks" is simply another form of shorthand to refer to
IPv4 ranges which are reserved for private use, namely 10.0.0.0/8,
172.16.0.0/12, and 192.168.0.0/16. I rarely read RFCs myself (but I
must confess to a fondness for RFC 1149. :) )
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From gtaylor at riverviewtech.net Mon Jul 4 20:30:03 2005
From: gtaylor at riverviewtech.net (Taylor, Grant)
Date: Mon Jul 4 20:45:01 2005
Subject: Is anyone else getting these.
In-Reply-To: <42C8FCC1.7030204@mnemon.de>
References: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com> <42C8FCC1.7030204@mnemon.de>
Message-ID: <42C9802B.3000503@riverviewtech.net>

Yes, such a client side filter will prevent end users (us) from seeing
such emails. But being the email administrator (postmaster) that I am I
feel that such a solution is a patch and a poor one at that. Why don't
we resolve the real problem, that being to remove the problem email
address from the mail list.

Grant. . . .

> I suppose that everyone posting to the list gets this mail - at least I
> get it every time. Like Jason already posted, adding
>
> :0
> * From.*postmaster@echtzeit.com
> /dev/null
>
> to my .procmailrc solved this and makes me feel better :)
>
> Have a nice time,
>
> Joerg

From jsassojr at nycap.rr.com Mon Jul 4 20:36:03 2005
From: jsassojr at nycap.rr.com (John Sasso Jr)
Date: Mon Jul 4 20:51:43 2005
Subject: Problem w/ iptables on FC3
In-Reply-To: <200507040949.36383.rob0@gmx.co.uk>
Message-ID: <001701c580c7$3c53cfa0$644ba8c0@sassoj>

Thank-you for the helpful response!

I'm curious - for the sample configuration I gave in my original
posting, why would:

iptables -A OUTPUT -o eth0 -s 192.168.50.100 -p icmp --icmp-type echo-request -j ACCEPT

fail to permit a packet originating from my system out? I understand
what "iptables -P OUTPUT ACCEPT" does, and I am not arguing the logic
behind using that instead for my situation, but I'm wondering if packet
filtering operates differently for traffic originated by a firewall as
opposed to traversing a firewall. I looked through the Packet Filtering
HOWTO, as well as Ziegler's "Linux Firewalls" book but could not find an
answer.

Thanks!
--john

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of /dev/rob0
> Sent: Monday, July 04, 2005 10:50 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: Problem w/ iptables on FC3
>
>
> On Monday 04 July 2005 09:25, John Sasso wrote:
> > avail. Is this a bug?
>
> Not likely.
>
> > iptables --policy OUTPUT DROP
>
> Don't do this. How do you think it will help? Do you have untrusted
> local shell users? If so, you are doomed anyway. They will find an
> opening, get root, and get out as they wish. If it's just you on the
> machine, OUTPUT filtering is silly. Use self-control, not netfilter.
>
> iptables -P OUTPUT ACCEPT
>
> For the return packets, go stateful. An example is posted in the thread
> earlier today, Subject: help me. It's also given and explained in the
> Packet Filtering HOWTO.
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
>
>

From jengelh at linux01.gwdg.de Mon Jul 4 21:17:04 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 4 21:31:53 2005
Subject: Implicit SNAT gone
Message-ID:

Hi,

In ip_nat_rule.c (and my syslog! apparently) I see:

/* Before 2.6.11 we did implicit source NAT if required. Warn about change. */
printk("NAT: no longer support implicit source local NAT\n");
printk("NAT: packet src %u.%u.%u.%u -> dst %u.%u.%u.%u\n",
       NIPQUAD(srcip), NIPQUAD(dstip));

So, how do I get the feature back with 2.6.12 logic?
(Or do I have to forwardport that feature?)

Jan Engelhardt
--

From rob0 at gmx.co.uk Mon Jul 4 21:32:59 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 4 21:47:33 2005
Subject: Problem w/ iptables on FC3
In-Reply-To: <001701c580c7$3c53cfa0$644ba8c0@sassoj>
References: <001701c580c7$3c53cfa0$644ba8c0@sassoj>
Message-ID: <200507041432.59605.rob0@gmx.co.uk>

On Monday 04 July 2005 13:36, John Sasso Jr wrote:
> I'm curious - for the sample configuration I gave in my original
> posting, why would:
>
> iptables -A OUTPUT -o eth0 -s 192.168.50.100 -p icmp --icmp-type
> echo-request -j ACCEPT
>
> fail to permit a packet originating from my system out? I understand

Try inserting a LOG rule ahead of that ...
iptables -I OUTPUT -o eth0 -j LOG
and watch your kernel logs while trying to ping. Check the counters,
with "iptables -vnL". Are they incremented for each ping sent? If so,
they matched the rule, if not, they didn't. Maybe the replies aren't
matching. Repeat the above steps for INPUT. Soon enough you will find
out why it didn't work. Or not.

Actually I bet you will find that no pings were sent. What do you have
for "ls -l `which ping`"? Is it SUID?

$ v `which ping`
-rws--x--x  1 root bin 29232 2004-11-03 22:55 /bin/ping
   ^ That little "s" there is necessary for non-root users.

> what "iptables -P OUTPUT ACCEPT" does, and I am not arguing the logic
> behind using that instead for my situation, but I'm wondering if
> packet filtering operates differently for traffic originated by a
> firewall as opposed to traversing a firewall.

OUTPUT is the chain that sees the packets which originated on the
firewall machine. Packet matching follows the same principle in all
tables and chains.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From viriketo at gmail.com Tue Jul 5 07:52:52 2005
From: viriketo at gmail.com (Lluís Batlle)
Date: Tue Jul 5 08:07:44 2005
Subject: Problem with routing decisions, and multihop
In-Reply-To: <200507041306.08626.rob0@gmx.co.uk>
References: <45219fb00507040715442f52cf@mail.gmail.com> <200507041133.35774.rob0@gmx.co.uk> <45219fb005070409543f229ddd@mail.gmail.com> <200507041306.08626.rob0@gmx.co.uk>
Message-ID: <45219fb00507042252343deced@mail.gmail.com>

Again between lines...

On 7/4/05, /dev/rob0 wrote:
> On Monday 04 July 2005 11:54, Lluís Batlle wrote:
> > > >>NE1=192.168.16.0/28
> > > >>NE2=192.168.17.0/28
> > >
> > > Let's see, those are .0-.15 on the last quad.
> > >
> > > >>NLOCAL=192.168.0.0/20
> > >
> > > And this is 0.0 through 15.255 ... IOW, wrong, excluding both $NE1
> > > and $NE2. Try 192.168.16.0/23. It would not hurt for you to brush
> > > up on TCP/IP and subnetting basics.
> >
> > Oh. Is it wrong? I don't understand what's "IOW". Where should I try
> > your proposed subnet? why?
>
> IOW="in other words", a common Internet shorthand.
>
> 192.168.0.0/20, set as $NLOCAL in your iptables script, excludes your
> IP addresses and networks. No packet hitting the rules which refer to
> that value will match, so the rules are ignored.
Why? In the LAN (eth0, 192.168.0.0/20) there are many computers... if I
change it to 192.168.0.0/16, eth1 and eth2 _won't_ be apart
subnetworks! It's important for them to be excluded. IOW, there must be
no intersection between the networks of the different NICs.
>
> The rules to which I am referring:
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s $NLOCAL -j SNAT --to $IPE1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -s $NLOCAL -j SNAT --to $IPE2
> Your SNAT rules.
>
> Change "NLOCAL=192.168.0.0/20" to "NLOCAL=192.168.0.0/16", or as
> previously suggested, "NLOCAL=192.168.16.0/23".
> I suppose you could
> even omit the source specification altogether:
> $IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to $IPE1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to $IPE2
Will, that way, the kernel maintain connection-tables for SNAT even for
local connections?

> ### Kids, don't try this at home. Professional stunt driver on a
> ### closed track.
> iptables -N InputLogDrop
> iptables -N ForwardAllow
> iptables -A InputLogDrop -j ACCEPT
> iptables -A FORWARD -j InputLogDrop
> iptables -A ForwardAllow -j LOG
> iptables -A ForwardAllow -p tcp -j REJECT
> iptables -A ForwardAllow -j DROP
> iptables -A INPUT -j ForwardAllow
> ### For my next trick, I will campaign to be elected Prime Minister.
> ### Thank you for your support in the polls.
:)))

> Perhaps it doesn't break anything, but I have read here that only
> packets of --state NEW hit the -t nat PREROUTING chain. I don't know
> about the relationship between connection tracking and NAT.
Can you give a link about that?
>
> "RFC 1918 netblocks" is simply another form of shorthand to refer to
> IPv4 ranges which are reserved for private use, namely 10.0.0.0/8,
> 172.16.0.0/12, and 192.168.0.0/16. I rarely read RFCs myself (but I
> must confess to a fondness for RFC 1149. :) )
Hahaha :)

From hidden at balabit.hu Tue Jul 5 09:22:13 2005
From: hidden at balabit.hu (KOVACS Krisztian)
Date: Tue Jul 5 09:37:08 2005
Subject: Implicit SNAT gone
In-Reply-To:
References:
Message-ID: <1120548134.5268.4.camel@nienna.balabit>

Hi,

On 2005-07-04, Monday, at 21:17, Jan Engelhardt wrote:
> In ip_nat_rule.c (and my syslog! apparently) I see:
>
> /* Before 2.6.11 we did implicit source NAT if required. Warn about change. */
> printk("NAT: no longer support implicit source local NAT\n");
> printk("NAT: packet src %u.%u.%u.%u -> dst %u.%u.%u.%u\n",
>        NIPQUAD(srcip), NIPQUAD(dstip));
>
> So, how do I get the feature back with 2.6.12 logic?
> (Or do I have to forwardport that feature?)

Forward porting that "feature" is nearly impossible without backing out
all the NAT-related changes. However, you can usually solve the problem
itself instead of reintroducing such tricks. Why exactly do you need
this feature?

--
Regards,
Krisztian Kovacs

From viriketo at gmail.com Tue Jul 5 09:46:29 2005
From: viriketo at gmail.com (Lluís Batlle)
Date: Tue Jul 5 10:01:23 2005
Subject: Problem with routing decisions, and multihop (solved)
In-Reply-To: <45219fb00507042252343deced@mail.gmail.com>
References: <45219fb00507040715442f52cf@mail.gmail.com> <200507041133.35774.rob0@gmx.co.uk> <45219fb005070409543f229ddd@mail.gmail.com> <200507041306.08626.rob0@gmx.co.uk> <45219fb00507042252343deced@mail.gmail.com>
Message-ID: <45219fb005070500469fee3c9@mail.gmail.com>

Argh. Stupid me..............

The tables 201 and 202, which decide the route for packets with an
already defined source address, were in the rules that way:

The routing rules are:
0:      from all lookup local
50:     from all lookup main
201:    from 192.168.17.0/28 iif eth2 lookup 201
202:    from 192.168.16.0/28 iif eth1 lookup 202
222:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

Look at the terrible "iif ethx"!!!!!!!!!

The packets were routed _at random_ by the 'equalizing routing
decision', even if with decided address. Argh.

Solution: there should not be "iif ethx" in the routing rule matching

Now it works. Even though, I'd prefer to get Julian's patches working.
When I try them, all packets go to the same interface (the first hop).
I'll keep on working...

Always, always, there is the deadly "user fault". :)))

Thanks for your support!

From harmuth at mnemon.de Tue Jul 5 10:59:46 2005
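The rule-selection behaviour Lluís found, as an added example that is not part of the list thread and not kernel code: a small Python model of policy-routing rule selection, run over the `ip rule` output he posted. It models only the from/iif/lookup selectors (not the contents of the tables), and treats locally generated packets as arriving on "lo", which is how ip-rule(8) documents the loopback iif selector; the sample packets are constructed.

```python
"""Model of Linux policy-routing rule selection (constructed example)."""
from __future__ import annotations

import ipaddress

# Rule set exactly as posted in the thread (output of `ip rule`).
RULES_WITH_IIF = """\
0:      from all lookup local
50:     from all lookup main
201:    from 192.168.17.0/28 iif eth2 lookup 201
202:    from 192.168.16.0/28 iif eth1 lookup 202
222:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default
"""

# The corrected set: the same rules without the "iif ethX" selectors.
RULES_FIXED = RULES_WITH_IIF.replace(" iif eth2", "").replace(" iif eth1", "")


def parse_rules(text: str) -> list[dict]:
    """Parse `ip rule` lines into dicts with prio, src, iif and table.
    Only the from / iif / lookup keywords are modelled."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        rule = {"prio": int(tok[0].rstrip(":")), "src": None, "iif": None, "table": None}
        for key, val in zip(tok[1::2], tok[2::2]):
            if key == "from":
                rule["src"] = None if val == "all" else ipaddress.ip_network(val, strict=False)
            elif key == "iif":
                rule["iif"] = val
            elif key == "lookup":
                rule["table"] = val
            else:
                raise ValueError(f"unsupported selector {key!r}")
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])


def lookup_chain(rules: list[dict], src: str, iif: str) -> list[str]:
    """Tables consulted, in order, for a packet with source `src` that came
    in on `iif`. Locally generated packets are modelled with iif "lo"
    (ip-rule(8): a loopback iif selects packets originating on this host).
    Route contents are not modelled, only which rules match."""
    addr = ipaddress.ip_address(src)
    chain = []
    for r in rules:
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["iif"] is not None and r["iif"] != iif:
            continue
        chain.append(r["table"])
    return chain


def first_uplink_table(rules: list[dict], src: str, iif: str) -> str | None:
    """First table other than local/main/default the packet reaches: in
    this setup either a per-uplink table (201/202) or the equalising
    multipath table 222 that picks the uplink "at random"."""
    for table in lookup_chain(rules, src, iif):
        if table not in ("local", "main", "default"):
            return table
    return None


if __name__ == "__main__":
    # Constructed sample packets: the firewall's own eth2 address (local
    # origin), a host on the eth2 network, and a LAN host behind eth0.
    packets = [("192.168.17.1", "lo"), ("192.168.17.5", "eth2"), ("192.168.3.7", "eth0")]
    for label, text in (("with iif", RULES_WITH_IIF), ("fixed", RULES_FIXED)):
        rules = parse_rules(text)
        for src, iif in packets:
            table = first_uplink_table(rules, src, iif)
            print(f"{label:9} src={src:13} iif={iif:4} -> table {table}")
```

With the posted rules a packet already bound to 192.168.17.1 that did not arrive on eth2 never reaches table 201 and falls through to 222; with the selector removed it reaches 201 first.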
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Tue Jul 5 11:15:25 2005
Subject: Is anyone else getting these.
In-Reply-To: <42C9802B.3000503@riverviewtech.net>
References: <57F9959B46E0FA4D8BA88AEDFBE58290741F@pxtbenexd01.pxt.primeexalia.com> <42C8FCC1.7030204@mnemon.de> <42C9802B.3000503@riverviewtech.net>
Message-ID: <42CA4C02.8090404@mnemon.de>

Taylor, Grant wrote:
> Yes, such a client side filter will prevent end users (us) from seeing
> such emails. But being the email administrator (postmaster) that I am I
> feel that such a solution is a patch and a poor one at that. Why don't
> we resolve the real problem, that being to remove the problem email
> address from the mail list.

I agree, but unfortunately I'm not in the position to do this and thus
just have to "live" with it...

Have a nice time,

Joerg

>
> Grant. . . .
>
>
>> I suppose that everyone posting to the list gets this mail - at least I
>> get it every time. Like Jason already posted, adding
>>
>> :0
>> * From.*postmaster@echtzeit.com
>> /dev/null
>>
>> to my .procmailrc solved this and makes me feel better :)
>>
>> Have a nice time,
>>
>> Joerg
>
>

From rob at sterenborg.info Tue Jul 5 12:53:06 2005
From: rob at sterenborg.info (Rob Sterenborg)
Date: Tue Jul 5 13:10:41 2005
Subject: Is anyone else getting these.
In-Reply-To: <42CA4C02.8090404@mnemon.de>
Message-ID: <20050705105442.926388EDCEB@smtp.sterenborg.info>

> > Yes, such a client side filter will prevent end users (us) from seeing
> > such emails. But being the email administrator (postmaster) that I am
> > I feel that such a solution is a patch and a poor one at that. Why
> > don't we resolve the real problem, that being to remove the problem
> > email address from the mail list.
>
> I agree, but unfortunately I'm not in the position to do this
> and thus just have to "live" with it...

Is there no listmaster we can reach ?
Maybe postmaster@netfilter.org or netfilter-request@lists.netfilter.org ?

Gr,
Rob

From jengelh at linux01.gwdg.de Tue Jul 5 13:20:33 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jul 5 13:35:57 2005
Subject: Implicit SNAT gone
In-Reply-To: <1120548134.5268.4.camel@nienna.balabit>
References: <1120548134.5268.4.camel@nienna.balabit>
Message-ID:

>> In ip_nat_rule.c (and my syslog! apparently) I see:
>>
>> /* Before 2.6.11 we did implicit source NAT if required. Warn about change. */
>> printk("NAT: no longer support implicit source local NAT\n");
>> printk("NAT: packet src %u.%u.%u.%u -> dst %u.%u.%u.%u\n",
>>        NIPQUAD(srcip), NIPQUAD(dstip));
>>
>> So, how do I get the feature back with 2.6.12 logic?
>> (Or do I have to forwardport that feature?)
>
> Forward porting that "feature" is nearly impossible without backing
>out all the NAT-related changes. However, you can usually solve the
>problem itself instead of reintroducing such tricks. Why exactly do you
>need this feature?

telnet 127.0.0.1 1234 should redirect to a different host. Previously,
this was possible using
iptables -t nat -A OUTPUT -j DNAT -p tcp --dport 1234 --to-dest 192.168.17.2:1234

Jan Engelhardt
--

From jengelh at linux01.gwdg.de Tue Jul 5 13:21:27 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jul 5 13:36:27 2005
Subject: Is anyone else getting these.
In-Reply-To: <20050705105442.926388EDCEB@smtp.sterenborg.info>
References: <20050705105442.926388EDCEB@smtp.sterenborg.info>
Message-ID:

>Is there no listmaster we can reach ?
>Maybe postmaster@netfilter.org or netfilter-request@lists.netfilter.org

I did not get any responses from netfilter-owner@lists.netfilter.org
yet; and I was told that Harald Welte is responsible for list
management..

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From jengelh at linux01.gwdg.de Tue Jul 5 13:44:08 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jul 5 13:59:06 2005
Subject: multiple gateways in linux
In-Reply-To: <200507011337.16923.rob0@gmx.co.uk>
References: <20050630114101.35127.qmail@web53110.mail.yahoo.com> <200507011337.16923.rob0@gmx.co.uk>
Message-ID:

>> i have 2 DSL connections from different companies. i
>> attached both DSL modem in my Linux Machine with
>> different ethernet.
>
>http://www.ssi.bg/~ja/
>http://www.ssi.bg/~ja/nano.txt

Using -j ROUTE, it's a lot simpler. At least in theory, as I have not
yet tried ROUTE.

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From jengelh at linux01.gwdg.de Tue Jul 5 13:49:46 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jul 5 14:04:47 2005
Subject: mangle squid packets
In-Reply-To: <42C5A815.8040301@lanhelp.com.br>
References: <42C5A815.8040301@lanhelp.com.br>
Message-ID:

>I don't know what mangle rule I need to mark squid transparent packets, I
>have tried all the following (One at a time):

Because Squid practically starts a new connection, you need special help
from squid itself to mark outgoing packets based on incoming ones. This
is done by TPROXY, a netfilter module from Balabit.com. Unfortunately,
they do not have a version for 2.6.11 and up yet.

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From latze at iam.unibe.ch Mon Jul 4 16:09:30 2005
From: latze at iam.unibe.ch (Carolin Latze)
Date: Tue Jul 5 14:11:05 2005
Subject: Using the userlevel queue via the iptables command
Message-ID: <42C9431A.1050800@iam.unibe.ch>

Hello everybody,

I want to modify every packet which is addressed to a host, which is
generated by this host and which is forwarded by this host using libipq.
First of all I set a hook for the outgoing packets:

iptables -A OUTPUT -o wlan0 -j QUEUE

With that hook, I can modify the outgoing packets (I have already tested
it successfully). Afterwards I also wanted to filter the incoming packets
(addressed to this host):

iptables -A INPUT -i wlan0 -j QUEUE

But these packets never pass my program. I have only one program in the
userspace, which has one handle to the userlevel queue. Is there any
possibility to have different handles, or do I only have the possibility
to filter either incoming traffic or outgoing traffic?

Regards,
Carolin

From bclark at eccotours.dyndns.org Tue Jul 5 14:13:39 2005
From: bclark at eccotours.dyndns.org (Brent Clark)
Date: Tue Jul 5 14:22:33 2005
Subject: (no subject)
Message-ID: <42CA7973.302@eccotours.dyndns.org>

Hi List

I seem to have a problem whereby if I type the following commands, I get
the following output

gate:~# netstat-nat
Proto NATed Address                 Foreign Address                 State
gate:~#

or when I use conntrack-viewer.pl

gate:~# conntrack-viewer.pl
Active Connections according to /proc/net/ip_conntrack
Proto Source Address   Remote Address   Service   State   Masq   Name Resolution
Use of uninitialized value in getservbyport at /usr/sbin/conntrack-viewer.pl line 114.
Use of uninitialized value in getservbyport at /usr/sbin/conntrack-viewer.pl line 115.
Use of uninitialized value in length at /usr/sbin/conntrack-viewer.pl line 128.

if I use iptstate (this seems to work)

IPTables - State Top
Version: 1.3       Sort: SrcIP       s to change sorting
Source                 Destination            Proto  State        TTL
192.168.111.10,1114    192.168.111.11,53      udp                 0:01:33
192.168.111.10,1118    192.168.111.11,53      udp                 0:01:06
192.168.111.11,51146   213.133.106.29,35520   tcp    ESTABLISHED  98:43:17

I had a brief look at the /dev/net/ip_conntrack, and all seems fine there.

If anyone has any tips or advice, it would be most appreciated.

Kind Regards
Brent Clark

From jengelh at linux01.gwdg.de Tue Jul 5 15:01:35 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jul 5 15:16:32 2005
Subject: Crazy portmap request
In-Reply-To:
References:
Message-ID:

>Basically, I'm at home right now and I should be able to walk 200 different
>ports on the one static IP address and be able to access each of the 200
>different machines at the remote office. This is a simplified example.

So you've got a "frontend" node with a ton of DNAT entries. Fine.

>It works with the rules individually, but it ends up being about 800 rules
>in the file. I was just hoping to trim it down a little.

You could possibly write yourself an enhanced DNAT that operates the way
you want, i.e.

dstaddr = 123.45.67.89
dstport = 8000-9000
DNAT to:
dstaddr = 10.0.0.[s-port]
dstport = 7000

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From hidden at balabit.hu Tue Jul 5 15:56:34 2005
From: hidden at balabit.hu (KOVACS Krisztian)
Date: Tue Jul 5 16:11:29 2005
Subject: Implicit SNAT gone
In-Reply-To:
References: <1120548134.5268.4.camel@nienna.balabit>
Message-ID: <1120571795.5268.11.camel@nienna.balabit>

Hi,

On 2005-07-05, Tuesday, at 13:20, Jan Engelhardt wrote:
> >> In ip_nat_rule.c (and my syslog! apparently) I see:
> >>
> >> /* Before 2.6.11 we did implicit source NAT if required. Warn about change. */
> >> printk("NAT: no longer support implicit source local NAT\n");
> >> printk("NAT: packet src %u.%u.%u.%u -> dst %u.%u.%u.%u\n",
> >>        NIPQUAD(srcip), NIPQUAD(dstip));
> >>
> >> So, how do I get the feature back with 2.6.12 logic?
> >> (Or do I have to forwardport that feature?)
> >
> > Forward porting that "feature" is nearly impossible without backing
> >out all the NAT-related changes. However, you can usually solve the
> >problem itself instead of reintroducing such tricks. Why exactly do you
> >need this feature?
>
> telnet 127.0.0.1 1234 should redirect to a different host. Previously, this
> was possible using iptables -t nat -A OUTPUT -j DNAT -p tcp --dport 1234
> --to-dest 192.168.17.2:1234

OK, I see, but what's the point in redirecting a local connection? Why
can't you simply telnet to the real destination instead of doing such
tricks?

--
Regards,
Krisztian Kovacs

From carlos.cruells at betybyte.com Tue Jul 5 16:50:32 2005
From: carlos.cruells at betybyte.com (Carlos Cruells)
Date: Tue Jul 5 17:04:06 2005
Subject: Outgoing NAT problem.
Message-ID: <19b901c58170$e51cd740$1e0c0a0a@betybyte.local>

Regards from Madrid, Spain.

I am configuring an Iptables firewall on the office, but I have problems
with the navigation from LAN to Internet.

My configuration is the next:

- eth0 --> LAN Interface
- eth1 --> WAN Interface

I enter the next command:

iptables -t nat -A POSTROUTING -s 10.10.12.30 -o eth1 -j SNAT --to 62.93.44.116

The configuration results:

=====================================================
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.10.12.30          anywhere            to:62.93.44.116
=====================================================
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
=====================================================
IP_forward --> 1
=====================================================

All policies are in ACCEPT position, but it doesn't work.
/proc/sys/net/ipv4/ip_forward = 1

When I do a simple ping test from LAN --> Internet, it fails, but if I
repeat the same test from firewall, it does ok.

IP_LAN -------(ping)--------> IP www.cisco.com = Not OK
Firewall -------(ping)--------> IP www.cisco.com = OK

Can anybody help me?

P.S.: I know it. My English is not very good. :D

From rob0 at gmx.co.uk Tue Jul 5 17:00:47 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Tue Jul 5 17:15:58 2005
Subject: Outgoing NAT problem.
In-Reply-To: <19b901c58170$e51cd740$1e0c0a0a@betybyte.local>
References: <19b901c58170$e51cd740$1e0c0a0a@betybyte.local>
Message-ID: <200507051000.47435.rob0@gmx.co.uk>

On Tuesday 05 July 2005 09:50, Carlos Cruells wrote:
> iptables -t nat -A POSTROUTING -s 10.10.12.30 -o eth1 -j SNAT --to
> 62.93.44.116

If a packet has a source IP of 10.10.12.30 and is routed out the eth1 interface, rewrite the source IP to 62.93.44.116.

> When i do a simple ping test from LAN --> Internet, it fails, but if

Don't do it from anywhere on the LAN. Only do it from 10.10.12.30. It won't work from any other IP. Perhaps you wanted to use a different source specification, like "-s 10.10.12.0/24" or "-s 10.0.0.0/8"?

> i repeat the same test from firewall, it does ok.
>
> IP_LAN -------(ping)--------> IP www.cisco.com = Not OK
> Firewall -------(ping)--------> IP www.cisco.com = OK

DNS might also be a factor. Only the firewall machine and 10.10.12.30 would be able to get out to any external resolvers with that rule.

--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

From carlos.cruells at betybyte.com Tue Jul 5 17:16:31 2005
From: carlos.cruells at betybyte.com (Carlos Cruells)
Date: Tue Jul 5 17:30:44 2005
Subject: Outgoing NAT problem.
References: <19b901c58170$e51cd740$1e0c0a0a@betybyte.local> <200507051000.47435.rob0@gmx.co.uk>
Message-ID: <19f501c58174$9d4177b0$1e0c0a0a@betybyte.local>

Yes, sorry, the source IP from which I do my tests is "10.10.12.30", of course.

You wrote...

> If a packet has a source IP of 10.10.12.30 and is routed out the eth1
> interface, rewrite the source IP to 62.93.44.116.

...but it doesn't work and I don't know why. :(

It is correct, isn't it? --> iptables -t nat -A POSTROUTING -s 10.10.12.30 -o eth1 -j SNAT --to 62.93.44.116

Regards.

----- Original Message -----
From: "/dev/rob0" To: Sent: Tuesday, July 05, 2005 5:00 PM Subject: Re: Outgoing NAT problem. > On Tuesday 05 July 2005 09:50, Carlos Cruells wrote: >> iptables -t nat -A POSTROUTING -s 10.10.12.30 -o eth1 -j SNAT --to >> 62.93.44.116 > > If a packet has a source IP of 10.10.12.30 and is routed out the eth1 > interface, rewrite the source IP to 62.93.44.116. > >> When i do a simple ping test from LAN --> Internet, it fails, but if > > Don't do it from anywhere on the LAN. Only do it from 10.10.12.30. It > won't work from any other IP. Perhaps you wanted to use a different > source specification, like "-s 10.10.12.0/24" or "-s 10.0.0.0/8"? > >> i repeat the same test from firewall, it does ok. >> >> IP_LAN -------(ping)--------> IP www.cisco.com = Not OK >> Firewall -------(ping)--------> IP www.cisco.com = OK > > DNS might also be a factor. Only the firewall machine and 10.10.12.30 > would be able to get out to any external resolvers with that rule. > -- > mail to this address is discarded unless "/dev/rob0" > or "not-spam" is in Subject: header > > From viriketo at gmail.com Tue Jul 5 17:16:23 2005 
From: viriketo at gmail.com (Lluís Batlle)
Date: Tue Jul 5 17:31:20 2005
Subject: Wrong behaviour in policy routing
In-Reply-To: <45219fb005070508021de1a7c2@mail.gmail.com>
References: <45219fb005070508021de1a7c2@mail.gmail.com>
Message-ID: <45219fb005070508163261595c@mail.gmail.com>

Hi!

I get this strange behaviour... I don't know how some packets get into the wrong rules. My rules are these:

0: from all lookup local
50: from all lookup main
201: from 192.168.17.0/28 lookup 201
202: from 192.168.16.0/28 lookup 202
222: from all lookup 222
32766: from all lookup main
32767: from all lookup default

Table main has:
192.168.17.0/28 dev eth2 proto kernel scope link src 192.168.17.1
192.168.16.0/28 dev eth1 proto kernel scope link src 192.168.16.1
192.168.0.0/20 dev eth0 proto kernel scope link src 192.168.1.2

Table 201:
default via 192.168.17.2 dev eth2 proto static src 192.168.17.1
prohibit default proto static metric 1

Table 202:
default via 192.168.16.2 dev eth1 proto static src 192.168.16.1
prohibit default proto static metric 1

The problem: even so, some packets with source address 192.168.16.1 go out through interface eth2, and some with source address 192.168.17.1 go out through interface eth1. Only some. It happens only with packets of NAT connections maintained by the connection tracker (already ESTABLISHED/RELATED).

AFAIK, the source address for SNAT is set in the PREROUTING chain of the "nat" table. That is, _BEFORE_ taking the routing decision. Isn't it?

So, the only rules I have in my iptables are:

iptables -t nat -I POSTROUTING -o eth1 -s 192.168.0.0/20 -j SNAT --to 192.168.16.1
iptables -t nat -I POSTROUTING -o eth2 -s 192.168.0.0/20 -j SNAT --to 192.168.17.1

... which set the IP for packets that start a new connection to an Internet host. Those rules, as they are in the nat/POSTROUTING chain, can match only when the state is NEW (i.e. for TCP connections). And my problems appear when the connections are already set up.
Here I show tcpdump output for an ssh connection from internal 192.168.4.9 to external 93.Red-80-32-214.pooles.rima-tde.net:

listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
16:55:45.928819 IP 192.168.16.1.33919 > 93.Red-80-32-214.pooles.rima-tde.net.ssh: P 3748099314:3748099362(48) ack 3121813679 win 10800

I cannot understand how a packet from 16.1 can go through eth2 with that routing policy. In fact the problem appears only in 'long' connections with low data flow (ssh, ftp), especially after the password login. With http connections from browsers, everything's fine. Strange.

I don't know when _exactly_ the routing decisions are made. AFAIK, it's somewhere between nat/PREROUTING and nat/POSTROUTING. But it seems the route rule applied to the conntrack'ed packets is wrong.

Thanks in advance...
-Lluís

From lunz at falooley.org Tue Jul 5 17:46:07 2005
From: lunz at falooley.org (Jason Lunz)
Date: Tue Jul 5 18:03:28 2005
Subject: REDIRECT changes DST address of the packet
References: <20050630072934.80040.qmail@web60815.mail.yahoo.com>
Message-ID:

mesg2nari@yahoo.com said:
> I am new to this mailing list, sorry if I ask anything wrong.
>
> My question is: if I use the REDIRECT action in a PREROUTING rule, is it
> going to change the TCP packet's DST address?
>
> If I lose the original DST address, how can I persist that value in that
> packet?

I think you're looking for the SO_ORIGINAL_DST sockopt.

Jason

From askarali at gmail.com Tue Jul 5 20:18:16 2005
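The SO_ORIGINAL_DST lookup Jason points at, as an added example (not code from the thread or from netfilter). After `-j REDIRECT` the packet's destination really is rewritten, so the only copy of where the client was going lives in conntrack; a transparent proxy recovers it with getsockopt(SOL_IP, SO_ORIGINAL_DST) on the accepted socket, which returns a struct sockaddr_in. The option value 80 comes from <linux/netfilter_ipv4.h>; original_dst() needs a real redirected connection on a Linux host, while parse_sockaddr_in() is exercised offline with a constructed buffer. should_forward() is an added guard of my own, not something the thread discusses.

```python
"""Recover the pre-REDIRECT destination of an accepted TCP connection."""
import ipaddress
import socket
import struct

SO_ORIGINAL_DST = 80                       # <linux/netfilter_ipv4.h>
SOL_IP = getattr(socket, "SOL_IP", 0)      # 0 on Linux; attribute absent on other OSes
AF_INET = int(socket.AF_INET)


def parse_sockaddr_in(buf):
    """Unpack struct sockaddr_in: sa_family (host order), sin_port (network
    order), sin_addr (4 bytes), then 8 bytes of zero padding."""
    if len(buf) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(buf))
    (family,) = struct.unpack("=H", buf[0:2])
    if family != AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack("!H", buf[2:4])
    return socket.inet_ntoa(buf[4:8]), port


def build_sockaddr_in(ip, port):
    """Constructed test vector: the 16 bytes the kernel hands back for ip:port."""
    return (struct.pack("=H", AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\x00" * 8)


def original_dst(conn):
    """(ip, port) the client actually dialled, for a socket returned by accept()
    on a REDIRECTed listener. Raises OSError when conntrack has no entry."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def should_forward(ip, port):
    """Added policy guard: never relay to the proxy host itself, to link-local
    targets (e.g. cloud metadata) or to 0.0.0.0, so a client cannot use the
    redirect as a pivot to addresses it could not reach directly."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return False
    return 0 < port < 65536


def serve(listen_port=3128):
    """Minimal transparent-proxy accept loop; runs only on a Linux host with a
    matching `-t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", listen_port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        with conn:
            ip, port = original_dst(conn)
            if not should_forward(ip, port):
                continue           # client aimed at a forbidden target: drop it
            # ... connect to (ip, port) and relay bytes in both directions here ...


if __name__ == "__main__":
    serve()
```

The family check matters: on a dual-stack listener an IPv6-mapped client has no IPv4 conntrack entry and the call fails with ENOENT, so treat the error as "not redirected" rather than as a connection to a guessed target.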
From: askarali at gmail.com (Askar)
Date: Tue Jul 5 20:33:21 2005
Subject: mangle squid packets
In-Reply-To:
References: <42C5A815.8040301@lanhelp.com.br>
Message-ID:

Before marking squid packets you have to define a route with the "ip" iproute2 command; more info can be found on www.lartc.org. Below is an example of iproute + iptables for your firewall machine.

echo 112 squid.out >> /etc/iproute2/rt_tables
ip rule add fwmark 3 table squid.out
ip route add default via xxx.xxx.xxx.xx dev eth0 table squid.out
ip route flush cache
# replace xxx.xxx.xx with squid server ip

##### here is iptables part
iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 -j MARK --set-mark 3

regards
Askar

hope this helps

On 7/5/05, Jan Engelhardt wrote:
>
> >I dont know what mangle rule I need to mark squid transparent packets, I
> >have tried all the following (One at a time):
>
> Because Squid practically starts a new connection, you need special help
> from squid itself to mark outgoing packets based on incoming ones.
>
> This is done by TPROXY, a netfilter module from Balabit.com.
> Unfortunately, they do not have a version for 2.6.11 and up yet.
>
>
>
> Jan Engelhardt
> --
> | Alphagate Systems, http://alphagate.hopto.org/
>
>

--
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams

From jengelh at linux01.gwdg.de Tue Jul 5 22:32:39 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jul 5 22:48:35 2005
Subject: mangle squid packets
In-Reply-To:
References: <42C5A815.8040301@lanhelp.com.br>
Message-ID:

>Before marking squid packets you have to define a route with the "ip"
>iproute2 command; more info can be found on www.lartc.org. Below is
>an example of iproute + iptables for your firewall machine.

As for my part, I (plan to) go with an ebtables solution, which does not involve all the bothering with routing. Of course, you need to know etherbridges :)

From glaucius at gmail.com Wed Jul 6 03:57:23 2005
From: glaucius at gmail.com (Glaucius Djalma Pereira Junior)
Date: Wed Jul 6 04:12:22 2005
Subject: TOS target and IPSEC
Message-ID:

hi guys

I was reading about the TOS target in the mangle table, and all the documentation or papers talk about using TOS with --dport or --sport (OUTPUT and INPUT), so I would like to know whether TOS works with IPSEC destination ports, and what exactly those ports would be?

thanks

best regards !!!

--
Glaucius Djalma Pereira Junior
glaucius@gmail.com

From viriketo at gmail.com Wed Jul 6 10:57:40 2005
From: viriketo at gmail.com (Lluís Batlle)
Date: Wed Jul 6 11:12:38 2005
Subject: About routing, nat, the FORWARD chain, and a bit of Julian's patches
Message-ID: <45219fb005070601577205f256@mail.gmail.com>

Hi!

I'm still trying to solve the problem about which I already posted in these lists... I've been trying to understand where packet routing and NAT are being done. The schemes are quite clear when it's about the _first_ packet of a NAT connection (when it enters the NAT table). But it isn't that clear about the packets NAT'ed by the connection tracker.

Concretely, about TCP connections, I've noticed that:

1. _No_ packet matches any chain of the 'nat' table unless it's a SYN TCP packet (start of connection). The rest of the packets don't match any chain of the 'nat' table.

2. The routing is done _before_ applying the rules of the FORWARD chain. So, logging NAT connections (already made) shows that the packets already have an output device. Example: "iptables -A FORWARD -j LOG -o eth2", with example result:

Jul 6 10:18:29 thecrow IN=eth0 OUT=eth2 SRC=192.168.4.20 DST=62.57.136.215 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=46487 DF PROTO=TCP SPT=33967 DPT=80 WINDOW=63712 RES=0x00 ACK URGP=0

3. The NAT applied by the connection tracker (not by the 'nat' table) is done _after_ the FORWARD chain of the filter table. I SNAT all connection-starting packets (table nat, chain POSTROUTING) to 192.168.16.1/24 or 192.168.17.1/24, and you can see in the last example that the source address is still that of the LAN (192.168.4.4/20).

4. I can say the same as in the third point about the FORWARD chain of the 'mangle' table.

So.... I don't know how people do "multihop routing + NAT" without Julian's patches. It's obvious that:

1. The connection tracker doesn't keep information about the devices involved in the connection.

2. The routing policy database is asked BEFORE the FORWARD or POSTROUTING chains.
In fact, that's why the 'nat'/POSTROUTING chains know to which IP to change the source address (that is, according to the output device selected by, for instance, the 'equalize' of a multihop route).

Can someone clarify how people do that kind of multihop routing + NAT without any patch? I've read that some people do that. IMO, those configurations don't work fine.

Can someone suggest any patch, in order to get routing _after_ the connection tracking NAT is made?

Am I wrong in something?

Thanks in advance!

From viriketo at gmail.com Wed Jul 6 11:17:49 2005
From: viriketo at gmail.com (Lluís Batlle)
Date: Wed Jul 6 11:32:49 2005
Subject: More on conntrack + NAT + mangle/nat tables
Message-ID: <45219fb00507060217450a89ee@mail.gmail.com>

I already understood that a packet enters chains in the 'nat' table only if it is the _first_ packet of a connection. In that case, we may do SNAT in the POSTROUTING chain of the 'nat' table.

So, the packets arrive at the POSTROUTING chain of the 'mangle' table with the source IP address changed (if the rules of the 'nat' table say so).

BUT, for the rest of the packets (not the first ones) of a connection, packets enter the POSTROUTING chain of the 'mangle' table _without_ a changed source IP address.

Is this the expected behaviour of netfilter/conntrack? To me, it's quite strange.

- I'm learning about the whole netfilter/policy router these days :) So I write a lot about that which sounds strange to me. I hope I'm not annoying the list.

Thanks a lot.
- Lluís

From harmuth at mnemon.de Wed Jul 6 12:09:22 2005
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Wed Jul 6 12:25:27 2005
Subject: More on conntrack + NAT + mangle/nat tables
In-Reply-To: <45219fb00507060217450a89ee@mail.gmail.com>
References: <45219fb00507060217450a89ee@mail.gmail.com>
Message-ID: <42CBADD2.8040106@mnemon.de>

Lluís Batlle wrote:
> I already understood that a packet enters chains in the 'nat' table
> only if it is the _first_ packet of a connection. In that case, we may
> do SNAT in the POSTROUTING chain of the 'nat' table.
> So, the packets arrive at the POSTROUTING chain of the 'mangle' table
> with the source IP address changed (if the rules of the 'nat' table
> say so).

No. According to the picture found at

http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html

packet flow is:

... --> [mangle:POSTROUTING] --> [nat:POSTROUTING]

So, all packets arrive in mangle:POSTROUTING with their source address unchanged. DNAT - if configured - is already applied to the packet.

If I'm telling old stories now, forget it, but you can modify this script to fit your needs:

http://iptables-tutorial.frozentux.net/scripts/rc.test-iptables.txt

Following the log (and /proc/net/ip_conntrack) you see the packet flow in detail. And you see when [S|D]NAT is applied.

> - I'm learning about the whole netfilter/policy router these days :)
> So I write a lot about that which sounds strange to me. I hope I'm
> not annoying the list.

I can only speak for myself - no, you aren't :)

Have a nice time,

Joerg

From viriketo at gmail.com Wed Jul 6 12:20:49 2005
From: viriketo at gmail.com (Lluís Batlle)
Date: Wed Jul 6 12:35:50 2005
Subject: More on conntrack + NAT + mangle/nat tables
In-Reply-To: <42CBADD2.8040106@mnemon.de>
References: <45219fb00507060217450a89ee@mail.gmail.com> <42CBADD2.8040106@mnemon.de>
Message-ID: <45219fb0050706032038dca0e8@mail.gmail.com>

Oh, my fault. :) I misread the diagram :)

Everything is fine, then, about the nat + mangle tables. So, I think conntrack NAT happens after the mangle POSTROUTING chain. So, after routing.

Thanks :)

On 7/6/05, Jörg Harmuth wrote:
> packet flow is:
>
> ... --> [mangle:POSTROUTING] --> [nat:POSTROUTING]
>
> So, all packets arrive in mangle:POSTROUTING with their source address
> unchanged. DNAT - if configured - is already applied to the packet.
>
> If I'm telling old stories now, forget it, but you can modify this
> script to fit your needs:
>
> http://iptables-tutorial.frozentux.net/scripts/rc.test-iptables.txt
>
> Following the log (and /proc/net/ip_conntrack) you see the packet flow
> in detail. And you see when [S|D]NAT is applied.

From bclark at eccotours.dyndns.org Wed Jul 6 13:19:51 2005
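The forward-path order the two threads above converge on (Carlos's single-host SNAT, and Lluís's policy routing with conntrack'ed packets), as an added model that is not code from the list or from netfilter. It walks one forwarded IPv4 packet through PREROUTING -> routing decision -> FORWARD -> mangle:POSTROUTING -> nat:POSTROUTING, consults the nat table only for the first packet of a connection and lets conntrack replay that decision afterwards, and takes the routing decision (including `ip rule from ...` matches) on the source address as it stands at that moment, i.e. before SNAT. Interfaces, prefixes and rules are the ones posted; Lluís's table 222 is not shown in his post, so its content here is an assumption, and the Internet destinations are constructed. Nothing below talks to a kernel.

```python
"""Where routing, the nat table and conntrack NAT sit on the forward path."""
from ipaddress import ip_address, ip_network


class Conntrack:
    """Remembers, per original 5-tuple, what nat:POSTROUTING decided."""

    def __init__(self):
        self.snat = {}              # (src, sport, dst, dport) -> new src, or None

    @staticmethod
    def key(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def route(src, dst, rules, tables):
    """Policy routing: walk `ip rule` entries in order; the first table that
    holds a route for dst decides the output device.
    rules:  [(from_net or None, table)]    tables: {table: [(dst_net, dev)]}"""
    for from_net, table in rules:
        if from_net is not None and ip_address(src) not in ip_network(from_net):
            continue
        for dst_net, dev in tables[table]:
            if ip_address(dst) in ip_network(dst_net):
                return dev
    return None


def nat_postrouting_rules(pkt, outdev, snat_rules):
    """`-o DEV -s NET -j SNAT --to IP`: the first matching rule wins, as in iptables."""
    for dev, net, to in snat_rules:
        if dev == outdev and ip_address(pkt["src"]) in ip_network(net):
            return to
    return None


def forward(pkt, ct, rules, tables, snat_rules):
    """Push one packet through the hooks; return [(hook, src seen there, outdev)]."""
    trace = [("PREROUTING", pkt["src"], None)]
    outdev = route(pkt["src"], pkt["dst"], rules, tables)   # decided on the LAN source
    trace.append(("route", pkt["src"], outdev))
    trace.append(("FORWARD", pkt["src"], outdev))            # filter and mangle FORWARD
    trace.append(("mangle:POSTROUTING", pkt["src"], outdev))  # still untranslated
    key = ct.key(pkt)
    if key not in ct.snat:                                   # NEW: the nat table is consulted
        ct.snat[key] = nat_postrouting_rules(pkt, outdev, snat_rules)
    new_src = ct.snat[key] or pkt["src"]                     # later packets: conntrack replays
    trace.append(("nat:POSTROUTING", new_src, outdev))
    return trace


def lluis_setup():
    """Rules, tables and SNAT rules from Lluís's posts; table 222 is assumed."""
    rules = [(None, "main"), ("192.168.17.0/28", "201"),
             ("192.168.16.0/28", "202"), (None, "222")]
    tables = {
        "main": [("192.168.17.0/28", "eth2"), ("192.168.16.0/28", "eth1"),
                 ("192.168.0.0/20", "eth0")],
        "201": [("0.0.0.0/0", "eth2")],
        "202": [("0.0.0.0/0", "eth1")],
        "222": [("0.0.0.0/0", "eth1")],    # assumption: a plain default via eth1
    }
    snat = [("eth1", "192.168.0.0/20", "192.168.16.1"),
            ("eth2", "192.168.0.0/20", "192.168.17.1")]
    return rules, tables, snat


def carlos_setup():
    """Carlos's single rule: only 10.10.12.30 is translated on the way out eth1."""
    rules = [(None, "main")]
    tables = {"main": [("10.10.12.0/24", "eth0"), ("0.0.0.0/0", "eth1")]}
    snat = [("eth1", "10.10.12.30/32", "62.93.44.116")]
    return rules, tables, snat
```

Read off the traces: in Lluís's setup a forwarded packet still carries its 192.168.x LAN source when the rule database is walked, so rules 201/202 (`from 192.168.17.0/28`, `from 192.168.16.0/28`) can only ever match traffic the router itself originates, and the `from all lookup 222` rule decides for forwarded traffic; SNAT then picks the address for whichever device that rule chose. In Carlos's setup any LAN host other than 10.10.12.30 leaves eth1 with its private source untouched, which is rob0's point.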
From: bclark at eccotours.dyndns.org (Brent Clark)
Date: Wed Jul 6 13:29:33 2005
Subject: cant ping fw
Message-ID: <42CBBE57.5060802@eccotours.dyndns.org>

Hi list

I'm so close to pulling my hair out on this.

I have a webserver with the following ruleset (default policy of drop):

$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -d 217.199.186.255 -j DROP
$IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -N SSH_Brute_Force
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
$IPT -A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT
$IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT
$IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
$IPT -A SSH_Brute_Force -p tcp -j DROP

$IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
$IPT -t filter -A INPUT -p tcp -m multiport --dport 135,137,139 -j DROP
$IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
$IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -j DROP

and for the life of me I can't work out why I can't ping the machine; even localhost does not return anything.

Kind Regards
Brent Clark

From gneamob at yahoo.com Wed Jul 6 13:22:00 2005
From: gneamob at yahoo.com (Scott)
Date: Wed Jul 6 13:37:07 2005
Subject: cant ping fw
In-Reply-To: <42CBBE57.5060802@eccotours.dyndns.org>
Message-ID: <20050706112200.28316.qmail@web54310.mail.yahoo.com>

Brent,

Have you tried specifying an interface or address range explicitly? Such as....

$IPT -t filter -A INPUT -i lo -p icmp --icmp-type echo-request -j ACCEPT

or....

$IPT -t filter -A INPUT -d 127.0.0.0/255.0.0.0 -p icmp --icmp-type echo-request -j ACCEPT

perhaps even combining those..

good luck!
-Scott

--- Brent Clark wrote:
> Hi list
>
> I'm so close to pulling my hair out on this.
>
> I have a webserver with the following ruleset
> (default policy of drop):
>
[snip]
> $IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> #$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
> $IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -j DROP
>
> and for the life of me I can't work out why I can't ping the machine;
> even localhost does not return anything

From harmuth at mnemon.de Wed Jul 6 13:37:25 2005
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Wed Jul 6 13:55:26 2005
Subject: cant ping fw
In-Reply-To: <42CBBE57.5060802@eccotours.dyndns.org>
References: <42CBBE57.5060802@eccotours.dyndns.org>
Message-ID: <42CBC275.2090003@mnemon.de>

Brent Clark wrote:
> Hi list
>
> I'm so close to pulling my hair out on this.
>
> I have a webserver with the following ruleset (default policy of drop):
>
> $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -m state --state INVALID -j DROP
> $IPT -t filter -A INPUT -d 217.199.186.255 -j DROP
> $IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
> #$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
> $IPT -N SSH_Brute_Force
> $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
> $IPT -A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT
> $IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT
> $IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
> $IPT -A SSH_Brute_Force -p tcp -j DROP
>
> $IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
> $IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
> $IPT -t filter -A INPUT -p tcp -m multiport --dport 135,137,139 -j DROP
> $IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -t filter -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> #$IPT -t filter -A INPUT -p icmp --icmp-type ! echo-request -j LOG
> $IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
> $IPT -t filter -A INPUT -j DROP
>
> and for the life of me I can't work out why I can't ping the machine;
> even localhost does not return anything

Is this really the complete rule set? No rules in OUTPUT and FORWARD, but policy set to DROP? Anyway.

There is no rule for lo. Add

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

and for echo reply add

$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

This should work.

Have a nice time,

Joerg

From bclark at eccotours.dyndns.org Wed Jul 6 14:04:09 2005
From: bclark at eccotours.dyndns.org (Brent Clark)
Date: Wed Jul 6 14:13:54 2005
Subject: cant ping fw
In-Reply-To: <42CBC275.2090003@mnemon.de>
References: <42CBBE57.5060802@eccotours.dyndns.org> <42CBC275.2090003@mnemon.de>
Message-ID: <42CBC8B9.8090605@eccotours.dyndns.org>

Jörg Harmuth wrote:
> Is this really the complete rule set? No rules in OUTPUT and FORWARD,
> but policy set to DROP? Anyway.
> There is no rule for lo. Add
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
> and for echo reply add
> $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
> This should work.
> Have a nice time,
> Joerg

Hi Joerg

here is my OUTPUT

$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A OUTPUT -m state --state NEW -j ACCEPT
$IPT -t filter -A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -j DROP

and for my lo

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

From keseruk at freemail.hu Tue Jul 5 20:00:44 2005
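What the SSH_Brute_Force chain in Brent's ruleset actually admits, as an added replay model (not code from the thread, and not the xt_recent module itself). The INPUT rule does `--set` on the source and then jumps, so the attempt being judged already counts as a hit when `! --rcheck --seconds 60 --hitcount 3` runs; the chain therefore lets two NEW SSH connections per source through and logs and drops the third that falls inside any 60-second window, while the single whitelisted host is accepted before the check. Hit counting follows the module's semantics (a stamp counts while now - stamp < seconds, and at most ip_pkt_list_tot stamps, 20 by default, are kept per address). The attacker addresses below are constructed from the RFC 5737 documentation ranges; the whitelisted host is the one in the posted ruleset.

```python
"""Replay Brent's `-m recent` SSH rate limit over constructed connection attempts."""
from collections import defaultdict, deque

PKT_LIST_TOT = 20                 # xt_recent default: stamps kept per source address
WHITELIST = {"196.36.10.114"}     # `-A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT`


class RecentList:
    """One named `recent` list, keyed by source address (--rsource)."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """--set: add this packet's timestamp for src (oldest stamp falls off)."""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true if src is listed and at
        least N of its stamps are younger than S seconds."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t < seconds)
        return hits >= hitcount


def ssh_input(recent, src, now, seconds=60, hitcount=3):
    """Verdict for one NEW tcp/22 packet, following the posted chain order."""
    recent.set(src, now)      # INPUT: -m recent --name SSH --set --rsource -j SSH_Brute_Force
    if src in WHITELIST:      # SSH_Brute_Force rule 1: trusted host, always accepted
        return "ACCEPT"
    if not recent.rcheck(src, now, seconds, hitcount):   # rule 2: ! --rcheck ... -j ACCEPT
        return "ACCEPT"
    return "DROP"             # rules 3 and 4: LOG "SSH Brute Force Attempt: " then DROP


def replay(events):
    """events: [(seconds_since_start, src)] in arrival order -> list of verdicts."""
    recent = RecentList()
    return [ssh_input(recent, src, t) for t, src in events]


def admitted_per_window(seconds=60, hitcount=3):
    """How many NEW connections one source gets inside a window before drops start."""
    recent = RecentList()
    n = 0
    while ssh_input(recent, "203.0.113.5", n, seconds, hitcount) == "ACCEPT":
        n += 1
    return n
```

Two caveats a practitioner should read off the model before copying the ruleset: the `-p tcp -j DROP` at the end of the chain is a silent drop for the third attempt, so a legitimate user who opens three sessions in a minute is locked out with no reset, and the stamp window slides, so the lockout lasts until fewer than three stamps remain inside the last 60 seconds rather than "60 seconds after the third try".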
From: keseruk at freemail.hu (Keserű Kornél)
Date: Wed Jul 6 14:18:01 2005
Subject: SNAT rule in the POSTROUTING chain ignored?
Message-ID:

Dear List members,

I'm using iptables to rewrite the source address of UDP packets sent out from a Debian machine. I use iptables 1.2.11. For this purpose I set up one single rule in the nat table in the POSTROUTING chain.

I have a Java application which sends UDP packets to another machine. With this application the rewriting of the source address works fine. But I have another, C application that sends UDP from the same IP address and port (as the Java application did) and in this case the source address is not rewritten. How is it possible?

I tried to debug things in /var/log/kern.log and I found that some debug lines appear when the Java application sends something, but nothing appears when the C application sends.

Do you have any idea why iptables cannot work for packets of the C application although it works for a Java application?

Thank you for your help in advance.

Best regards,
Kornel Keseru

From andy at roweboat.net Wed Jul 6 04:17:52 2005
From: andy at roweboat.net (Andy Rowe)
Date: Wed Jul 6 14:18:04 2005
Subject: cvs password
Message-ID: <001401c581d0$ea21ee00$0a00a8c0@rowehost.com>

I cannot get the cvs password " cvs " listed at http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-2.html

When I run the commands below, which are listed at the website address above, I get a connection refused. Am I doing something wrong?

cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace netfilter/patch-o-matic

any help you can offer would be great,

andy
andy@roweboat.net

From echo29 at gmail.com Wed Jul 6 12:48:06 2005
From: echo29 at gmail.com (Dennis Eng)
Date: Wed Jul 6 14:18:05 2005
Subject: What version of linux?
Message-ID: <4c25221d05070603482ee3dbee@mail.gmail.com>

hi there,

I would like to ask whether I can use netfilter on linux 2.6.5. The website states that netfilter can be implemented in linux 2.6.XX, but when I click on the download, it is all for linux 2.4.XX. I cannot find a netfilter that works in linux 2.6.XX.

Thanks for answering my Q in advance!!

Regards,
Dennis

From gneamob at yahoo.com Wed Jul 6 14:16:25 2005
From: gneamob at yahoo.com (Scott)
Date: Wed Jul 6 14:31:26 2005
Subject: cvs password
In-Reply-To: <001401c581d0$ea21ee00$0a00a8c0@rowehost.com>
Message-ID: <20050706121626.24915.qmail@web54304.mail.yahoo.com>

I get the same error. You're doing nothing wrong. The CVS server is not functional right now; someone will likely have it back up soon, I hope.

--- Andy Rowe wrote:
> I cannot get the cvs password " cvs " listed at
> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-2.html
>
> When I run the commands below, which are listed at the
> website address above, I
> get a connection refused. Am I doing something
> wrong?
>
> cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
> cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace
> netfilter/patch-o-matic
>
>
> any help you can offer would be great,
>
> andy
> andy@roweboat.net

From gneamob at yahoo.com Wed Jul 6 14:27:20 2005
From: gneamob at yahoo.com (Scott)
Date: Wed Jul 6 14:42:27 2005
Subject: Netfilter uses SVN, not CVS anymore (was Re: cvs password)
In-Reply-To: <20050706121626.24915.qmail@web54304.mail.yahoo.com>
Message-ID: <20050706122720.5233.qmail@web54303.mail.yahoo.com>

Sorry for that quick reply. I went and dug at the site a bit and discovered that they're no longer using CVS, but SVN (SubVersioN).

http://www.netfilter.org/downloads.html#svn

--- Scott wrote:
> I get the same error. You're doing nothing wrong.
> The CVS server is not functional right now; someone
> will likely have it back up soon, I hope.
>
> --- Andy Rowe wrote:
>
> > I cannot get the cvs password " cvs " listed at
> >
> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-2.html
> >
> > When I run the commands below, which are listed at
> the
> > website address above, I
> > get a connection refused. Am I doing something
> > wrong?
> >
> > cvs -d
> :pserver:cvs@pserver.netfilter.org:/cvspublic
> > login
> > cvs -d
> :pserver:cvs@pserver.netfilter.org:/cvspublic
> > co netfilter/userspace
> > netfilter/patch-o-matic
> >
> >
> > any help you can offer would be great,
> >
> > andy
> > andy@roweboat.net

From haegar at sdinet.de Wed Jul 6 14:27:40 2005
From: haegar at sdinet.de (Sven-Haegar Koch) Date: Wed Jul 6 14:42:49 2005 Subject: cvs password In-Reply-To: <001401c581d0$ea21ee00$0a00a8c0@rowehost.com> References: <001401c581d0$ea21ee00$0a00a8c0@rowehost.com> Message-ID: On Tue, 5 Jul 2005, Andy Rowe wrote: > i can not get the cvs password " cvs " listed at > http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-2.html > > when i run the commands below wich are listed at the website address above i > get a connection refused. Am i doing something wrong? > > cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login > cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace > netfilter/patch-o-matic The docs are outdated. CVS has been replaced by subversion, the pserver has been shut down. Current docs: http://www.netfilter.org/downloads.html#svn c'ya sven -- The Internet treats censorship as a routing problem, and routes around it. (John Gilmore on http://www.cygnus.com/~gnu/) From harmuth at mnemon.de Wed Jul 6 14:29:12 2005 
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Wed Jul 6 14:45:46 2005
Subject: cant ping fw
In-Reply-To: <42CBC8B9.8090605@eccotours.dyndns.org>
References: <42CBBE57.5060802@eccotours.dyndns.org> <42CBC275.2090003@mnemon.de> <42CBC8B9.8090605@eccotours.dyndns.org>
Message-ID: <42CBCE98.2050004@mnemon.de>

Hi Brent,

Brent Clark wrote:
> here is my OUTPUT
>
> $IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A OUTPUT -m state --state INVALID -j LOG --log-prefix
> "INVALID output: " --log-tcp-options --log-ip-options
> $IPT -t filter -A OUTPUT -m state --state INVALID -j DROP
> $IPT -t filter -A OUTPUT -m state --state NEW -j ACCEPT
> $IPT -t filter -A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: "
> --log-tcp-options --log-ip-options
> $IPT -t filter -A OUTPUT -j DROP
>
> and for my lo
>
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT

Looking closer at your rules, I see these possibilities:

1.) For some reason echo-requests are considered INVALID. This should show up in your logs.
2.) You ping 217.199.186.255 :)
3.) Your client doesn't find the fw.
4.) /proc/sys/net/ipv4/icmp_echo_ignore_all is set to 1

Echo-replies are in state ESTABLISHED, so there is no problem with your OUTPUT chain.

I don't know the real reason, but I have a feeling that 4.) is the best bet.

HTH and have a nice time,

Joerg

From bclark at eccotours.dyndns.org Wed Jul 6 14:43:22 2005
From: bclark at eccotours.dyndns.org (Brent Clark)
Date: Wed Jul 6 14:53:10 2005
Subject: cant ping fw
In-Reply-To: <42CBCE98.2050004@mnemon.de>
References: <42CBBE57.5060802@eccotours.dyndns.org> <42CBC275.2090003@mnemon.de> <42CBC8B9.8090605@eccotours.dyndns.org> <42CBCE98.2050004@mnemon.de>
Message-ID: <42CBD1EA.2020500@eccotours.dyndns.org>

Jörg Harmuth wrote:
> Hi Brent,
> 4.) /proc/sys/net/ipv4/icmp_echo_ignore_all is set to 1

AAHH, you the man

[root@ns root]# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
1
[root@ns root]#

oops

thanks for this

Brent

From hidden at balabit.hu Wed Jul 6 15:05:38 2005
From: hidden at balabit.hu (KOVACS Krisztian)
Date: Wed Jul 6 15:20:39 2005
Subject: SNAT rule in the POSTROUTING chain ignored?
In-Reply-To:
References:
Message-ID: <1120655138.5642.15.camel@nienna.balabit>

Hi,

On Tuesday 2005-07-05 at 20:00, Keserű Kornél wrote:
> I tried to debug things in /var/log/kern.log and I found that some
> debug lines appear when the Java application sends something, but
> nothing appears when the C application sends.
> Do you have any idea why iptables cannot work for packets of the C
> application although it works for a Java application?
> Thank you for your help in advance.

Could you please tell us what those debug lines are? Probably that would help a lot.

--
Regards,
Krisztian Kovacs

From hidden at balabit.hu Wed Jul 6 16:07:35 2005
From: hidden at balabit.hu (KOVACS Krisztian)
Date: Wed Jul 6 16:22:36 2005
Subject: SNAT rule in the POSTROUTING chain ignored?
In-Reply-To: References: Message-ID: <1120658855.5642.24.camel@nienna.balabit>

Hi,

On 2005-07-06 (Wednesday) at 15.37, Keserű Kornél wrote:
> When I send packet with the problematic application, no lines appear in
> kern.log.
[...]
> My SNAT rule looks like this:
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- anywhere anywhere to:10.10.2.222
>
> So I think, the rule is general enough. I tried to filter on interface,
> source address, protocol, etc. but no effect...
>
> Can an application somehow specify that iptables shouldn't have any
> effect on its outgoing packets?

No, unless it runs as root, uses PF_PACKET sockets and does full packet assembly "by hand". If you don't have access to the source code you could try using strace to find out what kind of sockets the given application opens.

--
Regards,
Krisztian Kovacs

From bryan.christ at hp.com Wed Jul 6 16:24:21 2005
From: bryan.christ at hp.com (Christ, Bryan)
Date: Wed Jul 6 16:39:27 2005
Subject: What version of linux?
Message-ID:

Netfilter is already in the 2.6.x kernel. If you do a "make menuconfig" you will see it under Device Drivers -> Networking Support -> Networking Options -> Network Packet Filtering

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Dennis Eng
Sent: Wednesday, July 06, 2005 5:48 AM
To: netfilter@lists.netfilter.org
Subject: What version of linux?

hi there,

I would like to ask whether I can use netfilter on Linux 2.6.5. Though the website states that netfilter can be implemented in Linux 2.6.XX versions, when I click on the download, it is all for Linux 2.4.XX. I cannot find a netfilter that works in Linux 2.6.XX.

Thanks for answering my Q in advance!!

Regards,
Dennis

From rob0 at gmx.co.uk Wed Jul 6 16:56:28 2005
From: rob0 at gmx.co.uk (/dev/rob0) Date: Wed Jul 6 17:11:34 2005 Subject: What version of linux? In-Reply-To: <4c25221d05070603482ee3dbee@mail.gmail.com> References: <4c25221d05070603482ee3dbee@mail.gmail.com> Message-ID: <200507060956.28982.rob0@gmx.co.uk> On Wednesday 06 July 2005 05:48, Dennis Eng wrote: > i would like to ask whether can i use netfilter on linux 2.6.5 . I don't know why not. > Though from the website, it state that netfilter can be implemented What Website is that? > in linux 2.6.XX version but when i click on the download, it all for What download? > linux 2.4.XX. I cannot find nettfilter that work in linux 2.6.XX. I've got numerous 2.6.x kernels using netfilter. -- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header From curby.public at gmail.com Wed Jul 6 21:54:55 2005 
From: curby.public at gmail.com (curby .)
Date: Wed Jul 6 22:10:02 2005
Subject: Defeating NMAP Null scans (and Nessus scans).
In-Reply-To: References: Message-ID: <5d2f37910507061254293f83de@mail.gmail.com>

On 6/23/05, Jan Engelhardt wrote:
> Read closely. It uses -m random to switch between REJECT/DROP.
> Try that rulesets and then nmap yourself with "nmap -r localhost -p 1-2500".
> Count the time, and compare to a pure DROP based approach.
> (iptables -F; iptables -P INPUT DROP; nothing more)

There's a good chance that TARPIT and not REJECT is the thing slowing down scans. You might want to check replacing TARPIT with DROP/REJECT; I think you'll see non-TARPIT scans take the same amount of time regardless of whether the firewall uses DROP or REJECT. I didn't test this though.

Here are some rules I've used when testing out ways to catch nmap scans. If anyone knows what the SYN,RST SYN,RST match is for, please let me know.

# Xmas scan, caught nmap v3.00
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP || die 05 81

# Generic Xmas scan, haven't checked if nmap triggers this
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP || die 05 83

# Null scan, nmap v3.00
# Null scan is caught by INVALID match above, so this is commented out
#$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP || die 05 85

# Misc scan - everyone tests for this, but what scan does it match?
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP || die 05 87

# FIN scan, nmap v3.0 sends ACK,FIN FIN
# SYN,FIN SYN,FIN does not match nmap
# FIN FIN gets false positives when using SSH TARPIT
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state --state NEW -j DROP || die 05 89

From harmuth at mnemon.de Thu Jul 7 09:13:35 2005
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Thu Jul 7 09:35:33 2005
Subject: Defeating NMAP Null scans (and Nessus scans).
In-Reply-To: <5d2f37910507061254293f83de@mail.gmail.com>
References: <5d2f37910507061254293f83de@mail.gmail.com>
Message-ID: <42CCD61F.4000701@mnemon.de>

curby . wrote:

[SNIP]
> Here are some rules I've used when testing out ways to catch nmap
> scans. If anyone knows what the SYN,RST SYN,RST match is for, please
> let me know.
>
[SNIP]
> # Misc scan - everyone tests for this, but what scan does it match?
> $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j
> DROP || die 05 87
>

"--tcp-flags SYN,RST SYN,RST" means "watch TCP flags SYN and RST and match if, out of the watched flags, SYN and RST are set". Ok, you knew that already :)

According to RFC793 sending a SYN means "hey guy, I wanna talk to you, let's SYNchronize our sequence numbers". The only flag that is allowed to be sent along with a SYN is ACK, and this only in the 2nd packet of the 3-way-handshake. Sending RST means "oops, there's something wrong, ReSeT the connection".

So, sending SYN in conjunction with RST means that a connection shall be opened and aborted at the same time. This is

1.) A violation of RFC793
2.) Absolutely senseless in terms of a real connection

Thus, chances are good that someone is scanning you. Hum, cold coffee too.

nmap doesn't generate this scan, and in fact I don't know which scanner does. But it is possible to generate these packets with packet injection tools like nemesis. So it is possible that these packets come to your firewall (although they shouldn't) and you don't want them to pass. That's why I probe for this.

Have a nice time,
Joerg

From jengelh at linux01.gwdg.de Thu Jul 7 12:49:56 2005
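As an added illustration, not code from either post, the Python below models the `--tcp-flags MASK COMP` semantics Joerg describes and runs the posted rule list over a constructed set of flag combinations. The flag bit values are the RFC 793 header bits; `RULES` transcribes the rules from curby's message in the order they were chained, and the labels are assumed names for the nmap scan types the comments mention.

```python
"""Model of iptables' `--tcp-flags MASK COMP` semantics, applied to the scan
signatures from the thread.  Added illustration, not code from the posts.
Flag bit values are the RFC 793 header bits; RULES transcribes the posted
rules in order; SAMPLE_PACKETS is a constructed set of flag combinations."""

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_BITS = 0x3F  # FIN,SYN,RST,PSH,ACK,URG: what iptables calls ALL


def flags_to_bits(spec):
    """Turn an iptables flag list ('SYN,RST', 'ALL', 'NONE') into a bitmask."""
    spec = spec.upper()
    if spec == "ALL":
        return ALL_BITS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAGS[name]
    return bits


def tcp_flags_match(mask, comp, packet_flags):
    """iptables semantics: consider only the bits named in MASK, and match
    when, within those bits, exactly the bits named in COMP are set."""
    return (packet_flags & flags_to_bits(mask)) == flags_to_bits(comp)


# (mask, comp, label), in the order the poster chained them.
RULES = [
    ("ALL",     "FIN,URG,PSH", "xmas (nmap -sX)"),
    ("ALL",     "ALL",         "generic xmas, every flag set"),
    ("ALL",     "NONE",        "null scan (nmap -sN)"),
    ("SYN,RST", "SYN,RST",     "SYN+RST, RFC 793 violation"),
    ("ACK,FIN", "FIN",         "fin scan (nmap -sF)"),
]


def classify(packet_flags):
    """Label of the first rule that fires for this flag byte, else None."""
    for mask, comp, label in RULES:
        if tcp_flags_match(mask, comp, packet_flags):
            return label
    return None


def classify_named(spec):
    """Same as classify() but takes 'SYN,ACK'-style text."""
    return classify(flags_to_bits(spec))


# Constructed inputs: legitimate handshake/teardown segments next to scan probes.
SAMPLE_PACKETS = ["SYN", "SYN,ACK", "ACK", "FIN,ACK", "NONE", "FIN",
                  "FIN,PSH,URG", "ALL", "SYN,RST", "SYN,FIN"]

if __name__ == "__main__":
    for spec in SAMPLE_PACKETS:
        print(f"{spec:12} -> {classify_named(spec)}")
```

The mask is what makes the last rule usable: with `ACK,FIN FIN` only the ACK and FIN bits are compared, so a normal close (FIN+ACK) passes while a bare FIN, or SYN+FIN, is caught; a plain `FIN FIN` rule would also fire on every ordinary FIN+ACK, which is the false positive curby's comment mentions.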
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Thu Jul 7 13:05:12 2005 Subject: SNAT rule in the POSTROUTING chain ignored? In-Reply-To: References: Message-ID: >and in this case the source address is not rewritten. How is it possible? >I tried to debug the things in /var/log/kern.log and I found, that some >debug lines appear when the java application sends something, but >nothing appears when the C application sends. >[...] You could look at the entry counters (`iptables -L -t nat -v`) and check which counters are [not] increasing. Jan Engelhardt -- From keseruk at freemail.hu Wed Jul 6 15:37:07 2005 
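Jan's suggestion to watch the per-rule counters can be scripted. As an added example that is not from the thread, the Python below parses two `iptables -t nat -vnxL` snapshots and reports which rules, and which chain policies, counted packets in between. The `BEFORE`/`AFTER` listings are constructed in the format iptables prints (the same layout appears later on this page in the chain-name thread); in real use they would be captured before and after the application sends.

```python
"""Diff the per-rule and per-policy counters of two `iptables -t nat -vnxL`
snapshots to see which nat rules a test packet actually traversed.  Added
example, not from the thread.  BEFORE and AFTER are constructed listings in
the format iptables prints; in real use capture them with
`iptables -t nat -vnxL > before.txt`, run the application, and capture again."""

import re

CHAIN = re.compile(r"^Chain (\S+) \((.*)\)")
POLICY = re.compile(r"policy (\S+) (\d+) packets, (\d+) bytes")
# pkts bytes target prot opt in out source destination [extra match/target text]
RULE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_counters(listing):
    """Map (chain, index) -> (pkts, bytes, text).  Index 0 is the chain policy;
    rules are numbered from 1 in listing order (the order -L shows them)."""
    counters, chain, index = {}, None, 0
    for line in listing.splitlines():
        m = CHAIN.match(line)
        if m:
            chain, index = m.group(1), 0
            p = POLICY.match(m.group(2))
            if p:  # built-in chains carry policy counters; user chains show references
                counters[(chain, 0)] = (int(p.group(2)), int(p.group(3)), "policy " + p.group(1))
            continue
        if chain is None or not line.strip() or line.strip().startswith("pkts"):
            continue
        m = RULE.match(line)
        if m:
            index += 1
            counters[(chain, index)] = (int(m.group(1)), int(m.group(2)), " ".join(m.groups()[2:]))
    return counters


def rules_hit(before, after):
    """[(chain, index, delta_pkts, text)] for every counter that grew."""
    b, a = parse_counters(before), parse_counters(after)
    hits = []
    for key, (pkts, _, text) in a.items():
        prev = b.get(key, (0, 0, text))[0]
        if pkts > prev:
            hits.append((key[0], key[1], pkts - prev, text))
    return hits


# Constructed listing; only the numbers differ between the two snapshots.
LISTING = """\
Chain PREROUTING (policy ACCEPT {pre_pkts} packets, {pre_bytes} bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.10.2.5:8080

Chain POSTROUTING (policy ACCEPT 3 packets, 200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
{snat_pkts:>8} {snat_bytes:>10} SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:10.10.2.222

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""
BEFORE = LISTING.format(pre_pkts=12, pre_bytes=900, snat_pkts=41, snat_bytes=3055)
# After the application sent two datagrams and one reply came back in.
AFTER = LISTING.format(pre_pkts=13, pre_bytes=939, snat_pkts=43, snat_bytes=3133)

if __name__ == "__main__":
    for chain, index, delta, text in rules_hit(BEFORE, AFTER):
        print(f"{chain} #{index}: +{delta} pkts  {text}")
```

Two caveats when reading the result: a rule with no target (a bare match with no `-j`) shifts the text columns by one, though its counters are still read correctly; and the nat table is consulted only for the first packet of a connection, so packets belonging to a UDP flow that conntrack already knows are never counted against a nat rule. Test with a fresh source port or a flow that has not been seen before.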
From: keseruk at freemail.hu (Keserű Kornél)
Date: Thu Jul 7 14:06:38 2005
Subject: SNAT rule in the POSTROUTING chain ignored?
In-Reply-To: <1120655138.5642.15.camel@nienna.balabit>
Message-ID:

Hello,

when I send packets with the java program, lines like the following one appear in the kern.log, and iptables rules have the expected effect.

Jul 5 18:59:48 localhost kernel: IN= OUT=eth0 SRC=10.10.2.122 DST=10.10.2.28 LEN=39 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=19

When I send packets with the problematic application, no lines appear in kern.log.

In the meantime I developed another C application that sends UDP packets from the same IP and port (5060) and it works as well. But I cannot understand why iptables doesn't have any effect on the packets of the other C application (developed by other people). The problematic application sends SIP (UDP) messages, while my application sends only dummy UDP packets. But I think this is the only difference.

My SNAT rule looks like this:

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:10.10.2.222

So I think the rule is general enough. I tried to filter on interface, source address, protocol, etc. but no effect...

Can an application somehow specify that iptables shouldn't have any effect on its outgoing packets?

Bye,
Kornel Keseru

KOVACS Krisztian wrote:
>
> Hi,
>
> On 2005-07-05 (Tuesday) at 20.00, Keserű Kornél wrote:
> > I tried to debug the things in /var/log/kern.log and I found, that some
> > debug lines appear when the java application sends something, but
> > nothing appears when the C application sends.
> > Do you have any idea why iptables can not work for packets of the C
> > application although it works for a java application?
> > Thank you for your help in advance.
>
> Could you please tell us what those debug lines are? Probably that
> would help a lot.
>
> --
> Regards,
> Krisztian Kovacs
>

From varun_saa at vsnl.net Thu Jul 7 14:04:29 2005
From: varun_saa at vsnl.net (varun_saa@vsnl.net)
Date: Thu Jul 7 14:26:33 2005
Subject: block traffic between two subnets
Message-ID: <478753d47892be.47892be478753d@vsnl.net>

Hello,
I have two subnets:

eth1 192.168.0.0/24
eth2 192.168.21.0/24

I would like to block all traffic between eth1 and eth2.

How to write a rule?

Thanks
Varun

From jengelh at linux01.gwdg.de Thu Jul 7 14:27:12 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu Jul 7 14:42:24 2005
Subject: block traffic between two subnets
In-Reply-To: <478753d47892be.47892be478753d@vsnl.net>
References: <478753d47892be.47892be478753d@vsnl.net>
Message-ID:

>Hello,
> I have two subnets:
>
>eth1 192.168.0.0/24
>eth2 192.168.21.0/24
>
>I would like to block all traffic between eth1 and eth2.
>
>How to write a rule?

iptables -A INPUT -j REJECT -i eth1 -o eth2
iptables -A INPUT -j REJECT -i eth2 -o eth1

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From jengelh at linux01.gwdg.de Thu Jul 7 14:29:19 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu Jul 7 14:44:26 2005
Subject: block traffic between two subnets
In-Reply-To: References: <478753d47892be.47892be478753d@vsnl.net>
Message-ID:

>>eth1 192.168.0.0/24
>>eth2 192.168.21.0/24
>>I would like to block all traffic between eth1 and eth2.
>>How to write a rule?
>
>iptables -A INPUT -j REJECT -i eth1 -o eth2
>iptables -A INPUT -j REJECT -i eth2 -o eth1

Should have been -A FORWARD ...

From primero at fastwebnet.it Thu Jul 7 18:43:38 2005
From: primero at fastwebnet.it (Francesco Ciocchetti)
Date: Thu Jul 7 19:00:17 2005
Subject: Developing with libiptc ... little problem with matches
Message-ID: <42CD5BBA.6070800@fastwebnet.it>

Hi all ML.

I'm coding a little app, just for fun, that uses the libiptc API to interact with Netfilter. I'm writing now my functions to insert new rules in netfilter tables but I'm experiencing a problem I've not been able to solve by myself yet.

I've got a structure that represents my firewall rule; it is a very simple structure derived from libdnet:

    struct fw_rule {
        char        fw_device[INTF_NAME_LEN]; /* interface name NOTE device=chain!!!!! */
        uint8_t     fw_op;                    /* operation ALLOW/BLOCK */
        uint8_t     fw_dir;                   /* direction USELESS REMOVED!!!!!! */
        uint8_t     fw_proto;                 /* IP protocol */
        struct addr fw_src;                   /* src address / net */
        struct addr fw_dst;                   /* dst address / net */
        uint16_t    fw_sport[2];              /* range / ICMP type */
        uint16_t    fw_dport[2];              /* range / ICMP code */
    };

I'm in big trouble while trying to convert my rule to an ipt_entry struct when I arrive at creating the 'match structure'. Here is a part of my code:

    /* tcp udp Match */
    pr = getprotobynumber(fr->fw_proto);
    if ((pr->p_proto == IP_PROTO_TCP) || (pr->p_proto == IP_PROTO_UDP)) {
        size_t size;
        char port_string[16];           /* holds "port" or "lo:hi"; an uninitialised char * here would crash strcpy() */
        char *port_argv = port_string;  /* parse() wants a char ** */

        m = find_match(pr->p_name, TRY_LOAD, &matches);
        if (!m) {
            fprintf(stderr, "iptables: match '%s' not found\n", pr->p_name);
            exit(1);                    /* without this, m->size below dereferences NULL */
        }
        printf("%i", m->size);
        size = IPT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
        if ((m->m = calloc(1, size)) == NULL) {
            fprintf(stderr, "iptables: calloc failed\n");
            exit(1);
        }
        m->m->u.match_size = size;
        strcpy(m->m->u.user.name, m->name);
        m->init(m->m, &e->nfcache);

        /* sport (1): parse() expects the textual "port" or "lo:hi" form,
           so format the numbers instead of copying raw uint16_t bytes as a string */
        if (fr->fw_sport[0] == fr->fw_sport[1])
            snprintf(port_string, sizeof port_string, "%u", fr->fw_sport[0]);
        else
            snprintf(port_string, sizeof port_string, "%u:%u", fr->fw_sport[0], fr->fw_sport[1]);
        for (matchp = matches; matchp; matchp = matchp->next) {
            if (matchp->match->parse(1, &port_argv, 0, &matchp->match->mflags,
                                     e, &e->nfcache, &matchp->match->m))
                break;
        }
        m = matchp ? matchp->match : NULL;

        /* dport (2): same as above with option id 2 */
        if (fr->fw_dport[0] == fr->fw_dport[1])
            snprintf(port_string, sizeof port_string, "%u", fr->fw_dport[0]);
        else
            snprintf(port_string, sizeof port_string, "%u:%u", fr->fw_dport[0], fr->fw_dport[1]);
        for (matchp = matches; matchp; matchp = matchp->next) {
            if (matchp->match->parse(2, &port_argv, 0, &matchp->match->mflags,
                                     e, &e->nfcache, &matchp->match->m))
                break;
        }
        m = matchp ? matchp->match : NULL;

        for (matchp = matches; matchp; matchp = matchp->next)
            matchp->match->final_check(matchp->match->mflags);
    }

My problem resides here:

    m = find_match(pr->p_name, TRY_LOAD, &matches);

When the program reaches this instruction I get a not so nice Segmentation Fault.

So I started to try to understand what was happening. I copied the "find_match" function from iptables.c to my program and what I discovered is that in

    for (ptr = iptables_matches; ptr; ptr = ptr->next) {
        if (strcmp(name, ptr->name) == 0)
            break;
    }

I get no "ptr" ... I think I should register or init the "iptables extensions" at the start of my program to populate the linked list referred to by iptables_matches, but I really don't know how to do it. Then I think that even passing the TRY_LOAD arg the extensions are maybe not loaded ... how should I do such a thing?

I hope I've been clear and given enough info. Any help will be REALLY REALLY appreciated :)

Bye
Francesco

I'm sorry for both my English and my code ... neither of them is my 'Natural Language' ;)

From jeff.rasmussen at gmail.com Thu Jul 7 20:18:32 2005
From: jeff.rasmussen at gmail.com (Jeff Rasmussen)
Date: Thu Jul 7 20:45:57 2005
Subject: FTP and IPSEC
References: <57F9959B46E0FA4D8BA88AEDFBE582909ED0@pxtbenexd01.pxt.primeexalia.com>
Message-ID:

Gary W. Smith primeexalia.com> writes:

>
> Any ideas?
>
> ________________________________
>
> From: netfilter-bounces lists.netfilter.org on behalf of Gary W. Smith
> Sent: Tue 6/28/2005 10:06 AM
> To: netfilter lists.netfilter.org
> Subject: FTP and IPSEC
>
> This is a follow up to a former problem, but unrelated.
>
> I have two networks connected via IPSEC. On each side of the network I have client servers that have
> SNAT/DNAT to the internet. Everything seems to work well under IPSEC except ftp. Here is what I found.
>
> From location A, a workstation without a static external IP address on the 10.0.10.x can FTP anywhere on
> the net without problems but CANNOT ftp to a machine at location B using its internal 10.0.50.x IP. This
> same workstation CAN ftp without restriction to its external alias for the same machine at location B
> using its external IP 199.199.199.x
>
> If I remove ip_nat_ftp and ip_conntrack_ftp it seems to work fine. But the problem is now that we cannot ftp
> externally from that location. Both locations have ip_nat_ftp loaded but it doesn't seem to matter.
>
> When we had a pptp connection between the two locations we didn't have this problem. It only seems to happen
> with IPSEC.
>
> Is there a workaround for this or is there a way to tell ip_nat_ftp to ignore a particular IP range?
>
> Gary Smith
>

I'm seeing this same problem under the new Debian Sarge release. I've upgraded from Debian Woody to Sarge and now am using a 2.6.8 kernel with Openswan and Shorewall. The VPN tunnel works great for all other traffic except ftp. I keep getting the error messages below.

kernel: FTP_NAT: partial packet 2087393185/21 in 787/863
kernel: FTP_NAT: partial packet 2087393185/21 in 788/844
kernel: FTP_NAT: partial packet 2087393185/21 in 789/849
kernel: FTP_NAT: partial packet 2087393185/21 in 790/838

I have both ip_ftp_nat and ip_conntrack_ftp loaded. I am using one-to-one NAT (same as before) to translate the foreign network to a local ip address. I can log into the ftp server but when I try to list the directory it fails in either active or passive modes. The last communication with the ftp server requests the active ports to use.

I've seen two links on the web, one that says that there is a conflict between IPSEC and iptables. The other that had a firewall rule on the other end of the tunnel that was preventing the connection.

http://lists.shorewall.net/pipermail/shorewall-users/2004-June/012969.html
http://msgs.securepoint.com/cgi-bin/get/netfilter-0506/123.html

I'll try taking out the modules ip_ftp_nat and ip_conntrack_ftp to see if that has the same behavior.

Jeff Rasmussen
GPG public key 0x9686C12F

From jeff.rasmussen at gmail.com Thu Jul 7 20:42:58 2005
From: jeff.rasmussen at gmail.com (Jeff Rasmussen)
Date: Thu Jul 7 20:59:05 2005
Subject: FTP and IPSEC
References: <57F9959B46E0FA4D8BA88AEDFBE582909ED0@pxtbenexd01.pxt.primeexalia.com>
Message-ID:

Jeff Rasmussen gmail.com> writes:

I was able to recreate your same behavior by removing the modules mentioned above. It looks like the modules ip_ftp_nat and ip_conntrack_ftp cannot differentiate between the vpn traffic and the public Internet traffic going through the same interface. However, the only side-effect will be that I won't be able to use my server as an ftp client through NAT. I can live with that.

Is this something that should be reported as a bug?

Jeff Rasmussen
GPG public key 0x9686C12F

From dmorris at metaloft.com Thu Jul 7 21:56:16 2005
From: dmorris at metaloft.com (Dirk Morris)
Date: Thu Jul 7 22:11:36 2005
Subject: REDIRECT in 2.6.12.2 not working
Message-ID: <42CD88E0.3050209@metaloft.com>

I tried this on the devel list, but didn't get much response, so I'll try here.

I've been using REDIRECT to transparently capture TCP traffic (like squid), but after upgrading to 2.6.12.2 I'm running into some issues.

My understanding is (in anything from 2.4.x up to 2.6.8.1) the SYN came in (from alice) and was redirected to whatever port (on eve), the SYN/ACK was sent back from that port and it matches conntrack which 'fixes' the packet to look like it was coming from the original destination (bob). This works great in 2.4.x and the early 2.6 (<2.6.8.1). I haven't tried 2.6.9 - 2.6.11 because we were having some reset problems under load, but now we are trying 2.6.12.2.

Here is the 2.6.8.1 output (which is expected):

setup: [alice] <----> [eve] <----> [bob]
all tcpdumps are on the alice <----> eve segment. eve is a bridge. (maybe that's why no one else has experienced this?)

[dmorris @ eve] ~ # uname -a
Linux cartman 2.6.8.1 #1 SMP Fri Apr 29 18:35:22 PDT 2005 i686 GNU/Linux

[dmorris @ alice] ~ # s tcpdump "not port 22 or icmp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
06:27:28.053491 arp who-has bob tell alice
06:27:28.053635 arp reply bob is-at 00:13:20:3d:a7:74
06:27:28.053640 IP alice.33026 > bob.echo: S 1284341781:1284341781(0) win 5840
06:27:28.070878 arp who-has bob tell eve
06:27:28.071684 IP bob.echo > alice.33026: S 1135117817:1135117817(0) ack 1284341782 win 5792
06:27:28.071700 IP alice.33026 > bob.echo: . ack 1 win 5840

[dmorris @ eve] ~ # s cat /proc/net/ip_conntrack | grep "port=7"
tcp 6 431996 ESTABLISHED src=192.168.2.1 dst=192.168.2.3 sport=33030 dport=7 src=192.168.2.2 dst=192.168.2.1 sport=9500 dport=33030 [ASSURED] use=1

Now in 2.6.12.2 the SYN/ACK doesn't seem to get "fixed", and so all connections are immediately reset:

[dmorris @ eve] ~ # uname -a
Linux cartman 2.6.12.2 #1 SMP Sun Jul 3 17:21:45 PDT 2005 i686 GNU/Linux

[dmorris @ alice] ~ # s tcpdump "not port 22 or icmp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
06:16:00.981041 arp who-has bob tell alice
06:16:00.981117 arp reply bob is-at 00:13:20:3d:a7:74
06:16:00.981122 IP alice.33022 > bob.echo: S 574776601:574776601(0) win 5840
06:16:00.983896 arp who-has bob tell eve
06:16:00.984228 IP eve.9500 > alice.33022: S 551400716:551400716(0) ack 574776602 win 5792
06:16:00.984249 IP alice.33022 > eve.9500: R 574776602:574776602(0) win 0

[dmorris @ cartman] ~ # s cat /proc/net/ip_conntrack | grep "port=7"
tcp 6 58 SYN_RECV src=192.168.2.1 dst=192.168.2.3 sport=33028 dport=7 packets=1 bytes=60 src=192.168.2.2 dst=192.168.2.1 sport=9500 dport=33028 packets=1 bytes=56 use=1

notice how the syn/ack comes from eve instead of bob, and it only matches 1 packet (the SYN I assume). I suspect the syn/ack isn't matching in the conntrack table for some reason?

I tried again with a simple iptables rule redirecting to netcat listening on port 1234 with a vanilla kernel, and it also happens, so it should be easy to reproduce:

eve: iptables -t nat -A PREROUTING -p tcp --destination-port 1234 -j REDIRECT --to-port 1234
eve: netcat -l -p 1234
alice: telnet bob 1234 (doesn't connect, tcpdump shows packet from eve coming back)

Any ideas?

Thanks,
-Dirk

more info:

[dmorris @ cartman] ~ # s iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            MARK match !0x1000000/0x1000000 redir ports 9500-9627

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[dmorris @ cartman] ~ # s cat /proc/net/ip_conntrack | grep "port=7"
tcp 6 58 SYN_RECV src=192.168.2.1 dst=192.168.2.3 sport=33028 dport=7 packets=1 bytes=60 src=192.168.2.2 dst=192.168.2.1 sport=9500 dport=33028 packets=1 bytes=56 mark=0 use=1

From vishamr2000 at gmail.com Fri Jul 8 07:34:20 2005
From: vishamr2000 at gmail.com (Visham Ramsurrun)
Date: Fri Jul 8 07:49:36 2005
Subject: Starting a fw
Message-ID: <9927912d0507072234673f1aa0@mail.gmail.com>

Hi to all,

I was once told that in order to start a firewall automatically when a machine boots, we must make sure that the init process calls the script by making a symbolic link to that file in the /etc/rc.d/rcX.d directories.

I have found that there is a file called S08iptables (kernel 2.4.20-8) containing startup commands for the iptables service. Do I delete it and then put the symbolic link to my script there, or just leave it?

Let's say I have a firewall script called fw.sh with the following rules in it:

#!/bin/bash
IPT=/sbin/iptables

$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

$IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-request -j ACCEPT

$IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-reply -j ACCEPT

What steps (where to create symbolic links, at which runlevel, etc) should I take in order to have this script started automatically when the PC boots up? How can I make sure that it is this firewall script that is running and all packets are being checked against these rules?

Thx in advance..

Warm regards,
Visham

From vangelr at rfgt.net Fri Jul 8 07:47:16 2005
From: vangelr at rfgt.net (Robert Vangel)
Date: Fri Jul 8 08:02:39 2005
Subject: Starting a fw
In-Reply-To: <9927912d0507072234673f1aa0@mail.gmail.com>
References: <9927912d0507072234673f1aa0@mail.gmail.com>
Message-ID: <42CE1364.9020006@rfgt.net>

Visham Ramsurrun wrote:
> Hi to all,
>
> I was once told that in order to start a firewall automatically when a
> machine boots, we must make sure that the init process calls the
> script by making a symbolic link to that file in the /etc/rc.d/rcX.d
> directories.
>
> I have found that there is a file called S08iptables (kernel 2.4.20-8)
> containing startup commands for the iptables service. Do I delete it and
> then put the symbolic link to my script there, or just leave it?

Leave that. You can use this to do your firewalling.

>
> Let's say I have a firewall script called fw.sh with the following rules in it:
>
> #!/bin/bash
> IPT=/sbin/iptables
>
> $IPT -F
> $IPT -X
> $IPT -P INPUT DROP
> $IPT -P OUTPUT DROP
> $IPT -P FORWARD DROP
>
> $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24
> -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-request -j ACCEPT
>
> $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24
> -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-reply -j ACCEPT
>
> What steps (where to create symbolic links, at which runlevel, etc)
> should I take in order to have this script started automatically
> when the PC boots up? How can I make sure that it is this firewall script
> that is running and all packets are being checked against these rules?
>
> Thx in advance..
>
> Warm regards,
> Visham
>

What distro? I am going to take a stab at it and choose RH/Fedora. I am also going to take a stab at it (I don't use Fedora) and say that the default runlevel is 4?

If my memory serves me well (I hope it does), the file we need to look at is /etc/sysconfig/iptables. The contents of this file match the output of an `iptables-save'.
Basically what the init script does is `iptables-restore < /etc/sysconfig/iptables'. All you need to do is edit the /etc/sysconfig/iptables file to match your needs and then restart the iptables service.

That said, if you aren't using RH or Fedora... I'm probably way off

From mesg2nari at yahoo.com Fri Jul 8 08:00:46 2005
From: mesg2nari at yahoo.com (Venkata Narayana)
Date: Fri Jul 8 08:16:01 2005
Subject: Starting a fw
In-Reply-To: <42CE1364.9020006@rfgt.net>
Message-ID: <20050708060046.80653.qmail@web60820.mail.yahoo.com>

> Visham Ramsurrun wrote:
> > Hi to all,
> >
> > I was once told that in order to start a firewall automatically when a
> > machine boots, we must make sure that the init process calls the
> > script by making a symbolic link to that file in the /etc/rc.d/rcX.d
> > directories.
> >
> > I have found that there is a file called S08iptables (kernel 2.4.20-8)
> > containing startup commands for the iptables service. Do I delete it and
> > then put the symbolic link to my script there, or just leave it?
>
> Leave that. You can use this to do your firewalling.
>
> >
> > Let's say I have a firewall script called fw.sh with the following rules in it:
> >
> > #!/bin/bash
> > IPT=/sbin/iptables
> >
> > $IPT -F
> > $IPT -X
> > $IPT -P INPUT DROP
> > $IPT -P OUTPUT DROP
> > $IPT -P FORWARD DROP
> >
> > $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24
> > -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-request -j ACCEPT
> >
> > $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24
> > -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-reply -j ACCEPT
> >
> > What steps (where to create symbolic links, at which runlevel, etc)
> > should I take in order to have this script started automatically
> > when the PC boots up? How can I make sure that it is this firewall script
> > that is running and all packets are being checked against these rules?
> >
> > Thx in advance..
> >
> > Warm regards,
> > Visham
> >

Option 1: You can do it by adding the stuff to the rc.local script in your Red Hat based distributions. There you just call your fw.sh file.

Option 2: Use the chkconfig tool to make it an init script.

Option 3: Create an SXXXXXXX link to the fw.sh file in the appropriate run-levels. Mostly for runlevel 3.

Thanks,
Venkat.

From rob0 at gmx.co.uk Fri Jul 8 15:12:08 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Fri Jul 8 15:27:27 2005
Subject: Starting a fw
In-Reply-To: <9927912d0507072234673f1aa0@mail.gmail.com>
References: <9927912d0507072234673f1aa0@mail.gmail.com>
Message-ID: <42CE7BA8.30704@gmx.co.uk>

Visham Ramsurrun wrote:
> I was once told that in order to start a firewall automatically when a
> machine boots, we must make sure that the init process calls the
> script by making a symbolic link to that file in the /etc/rc.d/rcX.d
> directories.

This is not an iptables / netfilter issue. Different distros do this in different ways. Take this up in your distro's documentation or an appropriate forum.

That said ... I agree with what Robert told you.

> Let's say I have a firewall script called fw.sh with the following rules in it:

This IS a netfilter issue.

> $IPT -F
> $IPT -X
> $IPT -P INPUT DROP
> $IPT -P OUTPUT DROP
> $IPT -P FORWARD DROP
>
> $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24
> -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-request -j ACCEPT
>
> $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24
> -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-reply -j ACCEPT

You are only planning to relay pings on your eth0 subnet, 192.168.10.0/24. All INPUT and OUTPUT packets are dropped, including loopback. This machine won't be performing any useful network service. I strongly suspect that your FORWARD rules will never be hit. Are other machines on 192.168.10.0/24 (eth0) routing through this one somehow?

--
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

From dreher at interage.com.br Fri Jul 8 21:00:23 2005
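rob0's two observations (loopback is dropped by the DROP policies with no `lo` rule, and the FORWARD rules enter and leave on the same interface) can be checked mechanically before the script is installed at boot. As an added example that is not part of the thread, the Python below parses the posted fw.sh (retyped as `SCRIPT`, with the icmp types spelled `echo-request`/`echo-reply`) and reports both issues. It is a static lint of the script text; it only understands the `$IPT -P` and `$IPT -A` forms used there and does not query the live ruleset.

```python
"""Static lint for a small iptables shell script.  Added example, not from the
thread.  It only understands the `$IPT -P CHAIN POLICY` and `$IPT -A CHAIN ...`
lines used in the posted fw.sh (copied below as SCRIPT, a constructed input)."""

import shlex

SCRIPT = r"""#!/bin/bash
IPT=/sbin/iptables

$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

$IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-reply -j ACCEPT
"""

IPTABLES_WORDS = ("$IPT", "iptables", "/sbin/iptables")


def parse_script(text):
    """Return (policies, rules).  policies: chain -> policy target.
    rules: list of {chain, in, out, target} for each -A line, in order."""
    policies, rules = {}, []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)   # drops '#!' and '#' lines
        if len(words) < 2 or words[0] not in IPTABLES_WORDS:
            continue
        args = words[1:]
        if args[0] == "-P" and len(args) >= 3:
            policies[args[1]] = args[2]
        elif args[0] == "-A" and len(args) >= 2:
            rule = {"chain": args[1], "in": None, "out": None, "target": None}
            for opt, key in (("-i", "in"), ("-o", "out"), ("-j", "target")):
                if opt in args and args.index(opt) + 1 < len(args):
                    rule[key] = args[args.index(opt) + 1]
            rules.append(rule)
    return policies, rules


def lint(text):
    """List of human-readable findings; empty when neither problem is present."""
    policies, rules = parse_script(text)
    findings = []
    # 1. DROP policy on INPUT/OUTPUT with no ACCEPT for the loopback interface:
    #    anything the box talks to on 127.0.0.1 silently breaks.
    for chain, key, flag in (("INPUT", "in", "-i"), ("OUTPUT", "out", "-o")):
        if policies.get(chain) == "DROP" and not any(
                r["chain"] == chain and r[key] == "lo" and r["target"] == "ACCEPT"
                for r in rules):
            findings.append(f"{chain}: policy DROP but no '{flag} lo -j ACCEPT' rule")
    # 2. FORWARD rules that enter and leave on the same interface only fire if
    #    hosts on that subnet route through this box; usually they never match.
    for n, r in enumerate(rules, 1):
        if r["chain"] == "FORWARD" and r["in"] is not None and r["in"] == r["out"]:
            findings.append(f"FORWARD rule {n}: -i {r['in']} and -o {r['out']} are the same interface")
    return findings


if __name__ == "__main__":
    for finding in lint(SCRIPT):
        print(finding)
```

Appending `$IPT -A INPUT -i lo -j ACCEPT` and `$IPT -A OUTPUT -o lo -j ACCEPT` to the script clears the first two findings; the FORWARD ones remain until the rules are rewritten for whatever the box actually routes between. To confirm what is loaded after boot, compare the output of `iptables -vnL` against the script rather than trusting the rc symlink.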
From: dreher at interage.com.br (Rafael Dreher)
Date: Fri Jul 8 21:15:43 2005
Subject: Unable to add rule on Chain with 28 characters.
Message-ID: <42CECD47.5050003@interage.com.br>

Hi,

I'm trying to add a rule on a user-defined chain, on the NAT table, with 28 characters. The chain has been added without any problem, but when I add the rule, iptables says that it's unable to find the chain. If I reduce the chain to 25 characters, it works.

I'm trying to migrate a set of rules from iptables-1.2.11 to 1.3.1, and I don't want to rewrite the rules.

Can someone help me?

My iptables version: 1.3.1
My kernel version: 2.4.31
POM-Patches: CLASSIFY SAME comment NETMAP iprange quota time IPMARK ROUTE account h323-conntrack-nat ipp2p l7-filter-pom-1.4 mms-conntrack-nat msnp-conntrack-nat pptp-conntrack-nat quake3-conntrack-nat string mport

Thanks in advance.

--
Rafael Dreher

-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify

From opie at 817west.com Fri Jul 8 21:50:49 2005
From: opie at 817west.com (Jason Opperisano)
Date: Fri Jul 8 22:08:26 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To: <42CECD47.5050003@interage.com.br>
References: <42CECD47.5050003@interage.com.br>
Message-ID: <20050708195049.GA7221@bender.817west.com>

On Fri, Jul 08, 2005 at 04:00:23PM -0300, Rafael Dreher wrote:
> Hi,
>
> I'm trying to add a rule on a user-defined chain, on the NAT table, with 28
> characters.

my guess is you're leaving out the '-t nat' as custom chains only exist in the table they're created in:

# iptables -t nat -N GqKOJUpUAOboDEbYcaVUCDqprFy
# iptables -t nat -A GqKOJUpUAOboDEbYcaVUCDqprFy -j ACCEPT
# iptables -t nat -A PREROUTING -j GqKOJUpUAOboDEbYcaVUCDqprFy
# iptables -t nat -vnxL
Chain GqKOJUpUAOboDEbYcaVUCDqprFy (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       1         78 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1         78 GqKOJUpUAOboDEbYcaVUCDqprFy  all  --  *      *       0.0.0.0/0            0.0.0.0/0
<--- snip --->

# iptables -V && uname -r
iptables v1.3.1
2.6.11.4-21.7-default

i also tested this on:

# iptables -V && uname -r
iptables v1.2.11
2.4.27-2-386

alas--i have no 2.4 + 1.3.1 combo i can test on; so i cannot say there isn't some weird interaction between those two that causes your issue to crop up.

-j

--
"Brian: Whose leg do I have to hump to get a dry martini around here?"
--Family Guy

From dreher at interage.com.br Fri Jul 8 22:01:03 2005
From: dreher at interage.com.br (Rafael Dreher)
Date: Fri Jul 8 22:16:23 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To: <20050708195049.GA7221@bender.817west.com>
References: <42CECD47.5050003@interage.com.br> <20050708195049.GA7221@bender.817west.com>
Message-ID: <42CEDB7F.3060609@interage.com.br>

>> Hi,
>>
>> I'm trying to add a rule on a user-defined chain, on the NAT table, with 28
>> characters.
>
> my guess is you're leaving out the '-t nat' as custom chains only exist
> in the table they're created in:

Hi, again.

I guess no. :)

[root@ward] [16:55:58]
[~]# iptables -t nat -N ecommerce-internet@POSTROUTING

[root@ward] [16:56:01]
[~]# iptables -t nat -A POSTROUTING -j ecommerce-internet@POSTROUTING
iptables: No chain/target/match by that name

[root@ward] [16:56:19]
[~]#

Am I crazy? :)

This chain has 30 characters... the max.. if I reduce it to 28, it's added without any problem.

Thanks

--
Rafael Dreher

-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify

From rkemp at ip3.com Fri Jul 8 22:10:57 2005
From: rkemp at ip3.com (Royce Kemp)
Date: Fri Jul 8 22:25:53 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To: <42CEDB7F.3060609@interage.com.br>
References: <42CECD47.5050003@interage.com.br> <20050708195049.GA7221@bender.817west.com> <42CEDB7F.3060609@interage.com.br>
Message-ID: <6.0.1.1.2.20050708131029.01f2b9a8@insight.ip3.com>

I have run into this problem as well. Learn to stick to 28 characters.

-r

At 01:01 PM 7/8/2005, Rafael Dreher wrote:
>>> Hi,
>>>
>>> I'm trying to add a rule on a user-defined chain, on the NAT table, with
>>> 28 characters.
>>
>> my guess is you're leaving out the '-t nat' as custom chains only exist
>> in the table they're created in:
>
> Hi, again.
>
> I guess no. :)
>
> [root@ward] [16:55:58]
> [~]# iptables -t nat -N ecommerce-internet@POSTROUTING
>
> [root@ward] [16:56:01]
> [~]# iptables -t nat -A POSTROUTING -j ecommerce-internet@POSTROUTING
> iptables: No chain/target/match by that name
>
> [root@ward] [16:56:19]
> [~]#
>
> Am I crazy? :)
>
> This chain has 30 characters... the max.. if I reduce it to 28, it's added
> without any problem.
>
> Thanks
>
> --
> Rafael Dreher
>
> -:: Red Hat Certified Engineer ::-
> -:: Nr: 807303498507617 ::-
> http://www.redhat.com/training/certification/verify

From opie at 817west.com Fri Jul 8 22:09:38 2005
From: opie at 817west.com (Jason Opperisano)
Date: Fri Jul 8 22:27:13 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To: <42CEDB7F.3060609@interage.com.br>
References: <42CECD47.5050003@interage.com.br> <20050708195049.GA7221@bender.817west.com> <42CEDB7F.3060609@interage.com.br>
Message-ID: <20050708200937.GA7325@bender.817west.com>

On Fri, Jul 08, 2005 at 05:01:03PM -0300, Rafael Dreher wrote:
> >> Hi,
> >>
> >> I'm trying to add a rule on a user-defined chain, on the NAT table, with
> >> 28 characters.
> >
> > my guess is you're leaving out the '-t nat' as custom chains only exist
> > in the table they're created in:
>
> Hi, again.
>
> I guess no. :)

provide more info next time and i won't have to guess. :-D

> [root@ward] [16:55:58]
> [~]# iptables -t nat -N ecommerce-internet@POSTROUTING
>
> [root@ward] [16:56:01]
> [~]# iptables -t nat -A POSTROUTING -j ecommerce-internet@POSTROUTING
> iptables: No chain/target/match by that name
>
> [root@ward] [16:56:19]
> [~]#
>
> Am I crazy? :)
>
> This chain has 30 characters... the max.. if I reduce it to 28, it's added
> without any problem.

(note: your OP said the error was with the 28 char chain)

it looks like 29 characters is the max:

30 char chain name:

# iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKWB
# iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKWB
iptables: No chain/target/match by that name

29 char chain name:

# iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKW
# iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKW
#

-j

--
"Peter: This party couldn't be better if Jesus was here.
Jesus: For my next miracle, I will turn water... into FUNK."
--Family Guy

From opie at 817west.com Fri Jul 8 22:11:57 2005
From: opie at 817west.com (Jason Opperisano)
Date: Fri Jul 8 22:29:31 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To: <20050708200937.GA7325@bender.817west.com>
References: <42CECD47.5050003@interage.com.br> <20050708195049.GA7221@bender.817west.com> <42CEDB7F.3060609@interage.com.br> <20050708200937.GA7325@bender.817west.com>
Message-ID: <20050708201157.GA7361@bender.817west.com>

On Fri, Jul 08, 2005 at 04:09:37PM -0400, Jason Opperisano wrote:
> it looks like 29 characters is the max:
>
> 30 char chain name:
>
> # iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKWB
> # iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKWB
> iptables: No chain/target/match by that name
>
> 29 char chain name:
>
> # iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKW
> # iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKW
> #

stupid off-by-one math. subtract 1 from everything i said...

-j

--
"Peter: Hey, Brian. If cops are pigs, does that make you a Snausage?
Brian: Clever, Peter. Did you stay up all night writing that?
Peter: No, I got to bed around two, two-thirty."
--Family Guy

From changwilly at gmail.com Fri Jul 8 23:18:33 2005
From: changwilly at gmail.com (Willy Chang)
Date: Fri Jul 8 23:33:51 2005
Subject: dhcrelay still responds dropped inbound offer packets from iptables
Message-ID: <673fb82305070814186036ce2f@mail.gmail.com>

Folks,

I am running a dhcrelay service and using iptables to be a firewall to block packets from the dhcp server on the inbound side, eth0, of my Linux. The reason to do this is to avoid generating duplicated packets from my machine to the dhcp client on the same subnet.

For some reason, I am unable to block these packets. I have a simple rule setting below to simply block all incoming UDP packets, which should block dhcp packets as well.

iptables -A INPUT -p UDP -i eth0 -j DROP

dhcp clients are still able to receive duplicated packets, one from the dhcp server and another from my machine while the dhcp relay agent is relaying packets.

Has anyone seen this before? Any comments or suggestions are welcome.

Thanks,
Willy

From nfcan.x.jimlaur at dfgh.net Fri Jul 8 23:37:49 2005
From: nfcan.x.jimlaur at dfgh.net (Jim Laurino)
Date: Fri Jul 8 23:53:15 2005
Subject: dhcrelay still responds dropped inbound offer packets from iptables (nfcan: addressed to exclusive sender for this address)
In-Reply-To: <673fb82305070814186036ce2f@mail.gmail.com> (from +nfcan+jimlaur+7a8d75f853.changwilly#gmail.com@spamgourmet.com on Fri, Jul 08, 2005 at 17:18:33 -0400)
References: <673fb82305070814186036ce2f@mail.gmail.com>
Message-ID: <20050708213749.GC17745@salty>

On 2005.07.08 17:18, Willy Chang - changwilly@gmail.com wrote:
> Folks,
>
> I am running a dhcrelay service and using iptables to be a
> firewall to block packets from dhcp server on the inbound side, eth0,
> of my Linux. The reason to do this is to avoid generating duplicated
> packets from my machine to dhcp client on the same subnet.
> For some reasons, I am unable to block these packets. I have a
> simple rule setting below to simply block all incoming UDP packets
> where it should block dhcp packets as well.
>
> iptables -A INPUT -p UDP -i eth0 -j DROP

I see two things to comment on.

First, if you add (-A) a rule like this at the end, the packets in question might have already been accepted by an earlier rule. For a case like this, you might want to insert at the top (-I) instead.

Second, INPUT affects filtering of packets bound for the firewall host itself. FORWARD rules affect packets bound for other hosts. I think those are the packets you are trying to block.

--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list. Only mail from the listserver reaches this address.

From daniel at dgd.no-ip.com Sat Jul 9 05:36:18 2005
From: daniel at dgd.no-ip.com (Daniel)
Date: Sat Jul 9 05:54:53 2005
Subject: ipt_recent entries appearing without matching rules
Message-ID: <42CF4632.10009@dgd.no-ip.com>

I'm having a strange problem with -m recent: my iptables setup uses 4 ipt_recent entries, and I have noticed that sometimes when an address is added to one of the chains, it appears on the /proc/net/ipt_recent/* list for the other entries.

I am using Debian unstable, kernel 2.6.11-686-smp and iptables v1.3.1

The relevant rules are:

-A INPUT -m recent --update --hitcount 2 --name BANME --rsource --seconds 3600 -j DROP
-A INPUT -m recent -p tcp --dport 22 --rcheck --name SSHGO --rsource --seconds 300 -j loga
-A INPUT -m recent -p tcp --dport 22 --rcheck --name SSHOPEN --rsource -j loga
-A INPUT -m recent -p tcp --dport 12349 --set --name SSHGO --rsource -j logd
-A INPUT -m recent -p tcp --dport 12342 --set --name SSHOPEN --rsource -j logd
-A INPUT -m recent -p tcp --dport 22 --set --name SSHTRY --rsource -j logd
#more rules to allow access to services etc.
-A INPUT -m recent --set --name BANME --rsource -j DROP
-A loga -j ULOG --ulog-qthreshold 1 --ulog-prefix A
-A loga -j ACCEPT
-A logd -j ULOG --ulog-qthreshold 1 --ulog-prefix D
-A logd -j DROP

$ cat /proc/net/ipt_recent/BANME
src=192.228.79.200 ttl: 51 last_seen: 754299 oldest_pkt: 4 last_pkts: 4294710297, 4294722481, 4294722488, 754299
src=192.228.79.203 ttl: 51 last_seen: 4294722473 oldest_pkt: 2 last_pkts: 4294710304, 4294722473
src=200.37.124.195 ttl: 110 last_seen: 870857 oldest_pkt: 3 last_pkts: 861797, 864823, 870857

$ cat /proc/net/ipt_recent/SSHGO
src=200.37.124.195 ttl: 110 last_seen: 861797 oldest_pkt: 1 last_pkts: 861797
src=60.213.3.18 ttl: 110 last_seen: 3510943 oldest_pkt: 1 last_pkts: 3510943

$ sudo iptables -vL
 pkts bytes target     prot opt in     out     source               destination
...
    6  1668 DROP       all  --  any    any     anywhere             anywhere             recent: UPDATE seconds: 3600 hit_count: 2 name: BANME side: source
    0     0 loga       tcp  --  any    any     anywhere             anywhere             recent: CHECK seconds: 300 name: SSHGO side: source tcp dpt:ssh
    0     0 loga       tcp  --  any    any     anywhere             anywhere             recent: CHECK name: SSHOPEN side: source tcp dpt:ssh
    0     0 logd       tcp  --  any    any     anywhere             anywhere             recent: SET name: SSHGO side: source tcp dpt:12349
    0     0 logd       tcp  --  any    any     anywhere             anywhere             recent: SET name: SSHOPEN side: source tcp dpt:12342
    1    48 logd       tcp  --  any    any     anywhere             anywhere             recent: SET name: SSHTRY side: source tcp dpt:ssh
...
    3   706 DROP       all  --  any    any     anywhere             anywhere             recent: SET name: BANME side: source

- Daniel

From jengelh at linux01.gwdg.de Sat Jul 9 12:23:00 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jul 9 12:38:25 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To: <20050708200937.GA7325@bender.817west.com>
References: <42CECD47.5050003@interage.com.br> <20050708195049.GA7221@bender.817west.com> <42CEDB7F.3060609@interage.com.br> <20050708200937.GA7325@bender.817west.com>
Message-ID:

>> This chain has 30 characters... the max.. if I reduce it to 28, it's added
>> without any problem.
>
> (note: your OP said the error was with the 28 char chain)
>
> it looks like 29 characters is the max:

It's documented:

    --log-prefix prefix
        Prefix log messages with the specified prefix; up to 29 letters long,
        and useful for distinguishing messages in the logs.

So I guess there are more places with the 30 limit (read: 1 for the '\0' char).

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From jengelh at linux01.gwdg.de Sat Jul 9 12:30:59 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jul 9 12:46:27 2005
Subject: Defeating NMAP Null scans (and Nessus scans).
In-Reply-To: <5d2f37910507061254293f83de@mail.gmail.com>
References: <5d2f37910507061254293f83de@mail.gmail.com>
Message-ID:

> There's a good chance that TARPIT and not REJECT is the thing slowing
> down scans. You might want to check replacing TARPIT with
> DROP/REJECT; I think you'll see nonTARPIT scans take the same amount

Not at all:

shanghai:~ # iptables -I INPUT -p tcp -j TARPIT
shanghai:~ # nmap lo -p 1-512 -sF -v -v -r -T Insane

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-09 12:24 CEST
Initiating FIN Scan against localhost (127.0.0.1) [512 ports] at 12:24
The FIN Scan took 7.30s to scan 512 total ports.
Host localhost (127.0.0.1) appears to be up ... good.
All 512 scanned ports on localhost (127.0.0.1) are: open|filtered

Nmap finished: 1 IP address (1 host up) scanned in 7.441 seconds
               Raw packets sent: 1026 (41KB) | Rcvd: 1026 (41KB)

shanghai:~ # iptables -D INPUT 1    # remove tarpit
shanghai:~ # !nmap
[...]
Nmap finished: 1 IP address (1 host up) scanned in 116.691 seconds
               Raw packets sent: 2411 (96.4KB) | Rcvd: 2900 (130KB)

> of time regardless of whether the firewall uses DROP or REJECT. I
> didn't test this though.
>
> Here are some rules I've used when testing out ways to catch nmap
> scans. If anyone knows what the SYN,RST SYN,RST match is for, please
> let me know.[...]

Mine, and it's basically just one (or two, depending on how you look at it) rules for all non-RFC-compliant scans/connections:

...
allow -m state --state ESTABLISHED,RELATED
...
HANDLE_PORTSCAN;
...

function HANDLE_PORTSCAN() {
    iptables -N scan_chk;
    # ACK,RST: rfc 793 page 65
==> iptables -A scan_chk -j RETURN -p tcp --tcp-flags ALL ACK,RST;
    iptables -A scan_chk -j REJECT --reject-with host-unreach -m random \
        --average 10;
    iptables -A scan_chk -j DROP;
==> iptables -A INPUT -j scan_chk -p tcp ! --syn -m state --state INVALID;
}

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From dleangen at canada.com Sat Jul 9 18:20:07 2005
From: dleangen at canada.com (David Leangen)
Date: Sat Jul 9 18:35:57 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
Message-ID:

Thanks again for all the support so far...

>> Firewall loads before mount -a; probably at that point only the
>> root filesystem is mounted. If the match extensions are on /usr,
>> we can't get to them. I bet badhost has a separate /usr partition
>> and goodhost has /usr on the rootfs.

Actually, I don't believe this is the case.

Also, I don't believe (no 100% confirmation) that the kernel version makes a difference, so I doubt this is a kernel bug, at least the way you suggested.

After a lot of playing around, I was finally able to figure out when the problem occurs.

As long as I do not set up an ADSL connection using adsl-setup, everything works fine. However, after having set up my connection, that's when my firewall goes wack. The same is true whether or not the cable is actually plugged in. This happens after having run adsl-setup.

Any ideas why setting up an ADSL connection would cause problems? Any ideas how to work around this?

Again, thank you for all the help!!!

Dave

From curby.public at gmail.com Sun Jul 10 04:40:09 2005
From: curby.public at gmail.com (curby .)
Date: Sun Jul 10 04:55:38 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To:
References:
Message-ID: <5d2f37910507091940101bfd5a@mail.gmail.com>

On 7/9/05, David Leangen wrote:
> This happens after having run adsl-setup.

What is adsl-setup doing for you? Are you using an internal dsl modem, or is it external/usb or external/cat5? Especially if you use a network cable to connect to an external DSL modem, you should be able to configure your network card directly using ifconfig or /etc/sysconfig thus getting rid of the need for adsl-setup at all.

That said, it would be nice to figure out why this is causing a conflict. Perhaps Fedora experts would understand what exactly adsl-setup is doing, and/or why it would be conflicting with the reload of iptables rules.

From dleangen at canada.com Sun Jul 10 12:06:41 2005
From: dleangen at canada.com (David Leangen)
Date: Sun Jul 10 12:22:32 2005
Subject: /etc/sysconfig/iptables does not load on reboot
In-Reply-To: <5d2f37910507091940101bfd5a@mail.gmail.com>
Message-ID:

Hi!

Thanks for the follow-up.

> What is adsl-setup doing for you? Are you using an internal dsl modem,
> or is it external/usb or external/cat5? Especially if you use a
> network cable to connect to an external DSL modem, you should be able
> to configure your network card directly using ifconfig or
> /etc/sysconfig thus getting rid of the need for adsl-setup at all.

Ok, thanks! Your suggestion to look directly at the config script allowed the solution to jump out at me. I simply never thought to look at my ppp0 device.

I looked into this further and found that the adsl-* scripts, depending on the configuration, actually add some junk to iptables.

The file /etc/sysconfig/network-scripts/ppp0 looks something like this:

USERCTL=no
BOOTPROTO=dialup
NAME=DSLppp0
DEVICE=ppp0
TYPE=xDSL
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=MASQUERADE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
DEFROUTE=yes
SYNCHRONOUS=no
ETH=eth0
PROVIDER=DSLppp0
USER=memyselfandi@somewhere
PEERDNS=no
DEMAND=no

If the entry "FIREWALL" is anything other than "NONE", then, when the related script (don't know which one) is invoked at runtime, it "interferes" with the firewall by adding some extra stuff. I didn't realise this before.

Once again, by loading with 'iptables-restore /etc/sysconfig/iptables', the extra stuff is not added. That's essentially why my firewall at boot time and the one I really wanted were different.

Problem solved!

Thank you all so much for your help through this. :-D

From rafael at interage.com.br Fri Jul 8 20:53:21 2005
From: rafael at interage.com.br (Rafael Dreher)
Date: Sun Jul 10 16:51:49 2005
Subject: Unable to add rule on Chain with 28 characters
Message-ID: <42CECBA1.7090306@interage.com.br>

Hi,

I'm trying to add a rule on a user-defined chain, on the NAT table, with 28 characters.

The chain has been added without any problem, but when I add the rule, iptables says that it's unable to find the chain.

If I reduce the chain to 25 characters, it works. I'm trying to migrate a set of rules from iptables-1.2.11 to 1.3.1, and I don't want to rewrite the rules.

Can someone help me?

My iptables version: 1.3.1
My kernel version: 2.4.31
POM-Patches: CLASSIFY SAME comment NETMAP iprange quota time IPMARK ROUTE account h323-conntrack-nat ipp2p l7-filter-pom-1.4 mms-conntrack-nat msnp-conntrack-nat pptp-conntrack-nat quake3-conntrack-nat string mport

Thanks in advance.

--
Rafael Dreher

-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify

From coreteam at netfilter.org Sun Jul 10 17:05:48 2005
From: coreteam at netfilter.org (Netfilter Core Team)
Date: Sun Jul 10 17:21:23 2005
Subject: [ANNOUNCE] Release of iptables-1.3.2
Message-ID: <20050710150548.GK20465@sunbeam.de.gnumonks.org>

Skipped content of type multipart/mixed

From laforge at netfilter.org Mon Jul 11 09:32:47 2005
From: laforge at netfilter.org (Harald Welte)
Date: Mon Jul 11 09:48:23 2005
Subject: dhcrelay still responds dropped inbound offer packets from iptables
In-Reply-To: <673fb82305070814186036ce2f@mail.gmail.com>
References: <673fb82305070814186036ce2f@mail.gmail.com>
Message-ID: <20050711073247.GD15121@sunbeam.de.gnumonks.org>

On Fri, Jul 08, 2005 at 05:18:33PM -0400, Willy Chang wrote:
> Folks,
>
> I am running a dhcrelay service and using iptables to be a
> firewall to block packets from dhcp server on the inbound side, eth0,
> of my Linux. The reason to do this is to avoid generating duplicated
> packets from my machine to dhcp client on the same subnet.
> For some reasons, I am unable to block these packets. I have a
> simple rule setting below to simply block all incoming UDP packets
> where it should block dhcp packets as well.

iptables works in the IP stack. Applications using PACKET sockets don't use the IP stack and therefore are not affected by iptables.

My guess is that dhcrelay uses PACKET sockets.

--
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

From laforge at netfilter.org Mon Jul 11 09:36:01 2005
From: laforge at netfilter.org (Harald Welte)
Date: Mon Jul 11 09:51:37 2005
Subject: removing entries from conntrack table
In-Reply-To:
References:
Message-ID: <20050711073601.GE15121@sunbeam.de.gnumonks.org>

On Tue, Jun 28, 2005 at 05:16:18PM +0200, massiblue@libero.it wrote:
> so i need a way to
> _selectively_ delete
> conntrack entries!

ctnetlink from pom-ng and the 'conntrack' program are your friends.

--
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

From laforge at netfilter.org Mon Jul 11 09:37:31 2005
From: laforge at netfilter.org (Harald Welte)
Date: Mon Jul 11 09:53:05 2005
Subject: How to get Patch-o-matic
In-Reply-To:
References:
Message-ID: <20050711073731.GF15121@sunbeam.de.gnumonks.org>

On Sun, Jun 26, 2005 at 07:06:29PM -0700, Erik Weber wrote:
> Dear List,
>
> Neither the cvs nor the svn access to the patch-o-matic archives
> work with the commands/passwords supplied on the netfilter.org site.
> How can I get it really? I run Mandrake 9.2 and need the TTL patch
> (stinking ISPs).

for svn you don't even need a password! it's svn-over-webdav-over-http(s).

Which URL did you try (that failed)?

--
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

From laforge at netfilter.org Mon Jul 11 09:38:19 2005
From: laforge at netfilter.org (Harald Welte)
Date: Mon Jul 11 09:53:54 2005
Subject: Broadcast Traffic Control!!!
In-Reply-To:
References:
Message-ID: <20050711073819.GG15121@sunbeam.de.gnumonks.org>

On Sun, Jun 26, 2005 at 03:22:44AM +0600, tahmeed wrote:
> is it possible to filter BC packets using IPTABLES or in any other methods.

ARP packets are not IP packets. Therefore you need to use arptables, not iptables.

--
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

From laforge at netfilter.org Mon Jul 11 09:38:40 2005
From: laforge at netfilter.org (Harald Welte)
Date: Mon Jul 11 09:54:18 2005
Subject: packet shping
In-Reply-To: <20050625050845.19498.qmail@web53107.mail.yahoo.com>
References: <20050625050845.19498.qmail@web53107.mail.yahoo.com>
Message-ID: <20050711073840.GH15121@sunbeam.de.gnumonks.org>

On Fri, Jun 24, 2005 at 10:08:45PM -0700, umar draz wrote:
> Hi Dear Members!
>
> i have a 5MB up and 5MB down internet link attached
> with my linux machine which is working as a router.
>
> now i want 128/128 bandwidth on my client through my
> linux router so please help how i can do it with
> iptables

This is off-topic. Please see http://www.lartc.org/

--
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

From laforge at netfilter.org Mon Jul 11 09:40:36 2005
From: laforge at netfilter.org (Harald Welte)
Date: Mon Jul 11 09:56:10 2005
Subject: netfilter on ia64
In-Reply-To: <200506230707.56224.mueller@rz.uni-karlsruhe.de>
References: <200506230707.56224.mueller@rz.uni-karlsruhe.de>
Message-ID: <20050711074036.GI15121@sunbeam.de.gnumonks.org>

On Thu, Jun 23, 2005 at 07:07:55AM +0200, Matthias Mueller wrote:
> Hi,
>
> I'm currently setting up a natting router (simple setup: 1:1 for about 25
> host, routing the other traffic, no filters) and got an itanium 2 box for
> that job.

ouch, ia64 is probably the most expensive overkill you can get for a firewall.

I personally don't have any ia64 experience. But since iptables works fine on x86_64 and ppc64, I don't think ia64 should have any problems.

--
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

From laforge at netfilter.org Mon Jul 11 09:42:07 2005
From: laforge at netfilter.org (Harald Welte)
Date: Mon Jul 11 09:57:41 2005
Subject: Fragments and connection tracking
In-Reply-To: <1119465338.5378.4.camel@jasiiitosh.nexusmgmt.com>
References: <1119465338.5378.4.camel@jasiiitosh.nexusmgmt.com>
Message-ID: <20050711074206.GJ15121@sunbeam.de.gnumonks.org>

On Wed, Jun 22, 2005 at 02:35:37PM -0400, John A. Sullivan III wrote:
> We are working to use an iptables based VPN for a client where the
> certificates do not fit into a single packet. Thus we have a
> fragmentation problem. We normally drop all fragments on the Internet
> interfaces in our rule sets. We are a little hesitant to stop doing so.
>
> Does connection tracking make it safe to do so or does it make it more
> dangerous? I understand that connection tracking will reassemble the
> fragments. If someone is trying to attack by sending lots of non-head
> fragments, will connection tracking drop those as invalid or will this
> produce a denial of service attack as connection tracking tries to match
> a flood of fragments without first fragments? Thanks - John

Connection tracking just uses the normal ip_defrag() code, so it would behave exactly like the fragment cache of a linux end host.

And no, conntrack cannot make fragment-based attacks safe. IP fragmentation on the open internet is a serious flaw and introduces many security risks. Please see my signature ;)

--
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie

From vangelr at rfgt.net Mon Jul 11 09:35:15 2005
From: vangelr at rfgt.net (Robert Vangel)
Date: Mon Jul 11 10:10:47 2005
Subject: Starting a fw
In-Reply-To: <9927912d05071022336896dbb@mail.gmail.com>
References: <9927912d0507072234673f1aa0@mail.gmail.com> <9927912d05071022336896dbb@mail.gmail.com>
Message-ID: <42D22133.3020909@rfgt.net>

Please try to keep the discussion on-list. Thanks.

Visham Ramsurrun wrote:
> Hi Robert,
>
> First of, many thx for the reply..
>
>> What distro? I am going to take a stab at it and choose RH/Fedora. I am also going to take a stab at it (I don't use Fedora) and say that default runlevel is 4?
>
> Yes, i'm using Red Hat 9 with an upgraded kernel of 2.6.11.7
>
>> If my memory serves me well (I hope it does), the file we need to look at is /etc/sysconfig/iptables. The contents of this file match the output of a `iptables-save'. Basically what the init script does is `iptables-restore < /etc/sysconfig/iptables'.
>
>> All you need to do is edit the /etc/sysconfig/iptables file to match your needs and then restart the iptables service.
>
> Do I delete the lines that are written in the file and then paste the
> contents of my firewall script?

You don't just paste the contents line for line. It needs to be changed a little.

Take a look at http://zilla.id.au/netfilter/iptables & http://zilla.id.au/netfilter/shell

The first file is what I call `iptables syntax'. It is the file outputted by running `iptables-save' and can be read by using `iptables-restore < file'

The second is simply a shell script, executing iptables each time and appending each rule.

Hopefully the two files above will help you in converting your shell script into the iptables syntax one to put in /etc/sysconfig/iptables.

> Hope to hear from you soon..
>
> Warm regards,
> Visham
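An added example of the conversion Robert describes, written for this thread and not taken from his files or from zilla.id.au: a shell function that turns a script of plain `iptables ...` commands into iptables-save syntax for `iptables-restore`. It assumes each rule sits on its own line beginning with `iptables` (optionally with a full path), that no argument contains quoted spaces, and it only converts -t, -P, -N and -A; anything else (-I, -D, -R) is reported on stderr rather than guessed at. The function name and the sample rules are constructed for the example.

```shell
# Convert a shell script of "iptables ..." commands into iptables-save text.
# Example code for this thread, not the files Robert refers to.
# Reads the script from the file given as $1 (or stdin) and writes
# iptables-save syntax to stdout.
script_to_iptables_save() {
    awk '
    BEGIN {
        # Built-in chains per table, in the order iptables-save lists them.
        builtin["filter"] = "INPUT FORWARD OUTPUT"
        builtin["nat"]    = "PREROUTING POSTROUTING OUTPUT"
        builtin["mangle"] = "PREROUTING INPUT FORWARD OUTPUT POSTROUTING"
        order = "filter nat mangle"
    }
    # Only lines that invoke iptables (optionally with a full path) are rules.
    /^[ \t]*(\/sbin\/|\/usr\/sbin\/)?iptables[ \t]/ {
        table = "filter"; rule = ""
        # Pull out "-t TABLE" wherever it appears; keep every other token verbatim.
        for (i = 2; i <= NF; i++) {
            if ($i == "-t" || $i == "--table") { table = $(i + 1); i++; continue }
            rule = rule (rule == "" ? "" : " ") $i
        }
        split(rule, a, " ")
        if (a[1] == "-P" || a[1] == "--policy") {
            policy[table, a[2]] = a[3]; seen[table] = 1
        } else if (a[1] == "-N" || a[1] == "--new-chain") {
            user[table] = user[table] " " a[2]; seen[table] = 1
        } else if (a[1] == "-A" || a[1] == "--append") {
            rules[table] = rules[table] rule "\n"; seen[table] = 1
        } else if (a[1] == "-F" || a[1] == "-X" || a[1] == "-Z") {
            # Flush, delete-chain and zero are implicit in a fresh iptables-restore.
        } else {
            # -I, -D, -R etc. depend on rule ordering at run time; report, do not guess.
            print "# not converted: " $0 > "/dev/stderr"
        }
    }
    END {
        n = split(order, tables, " ")
        for (k = 1; k <= n; k++) {
            t = tables[k]
            if (!(t in seen)) continue
            print "*" t
            # Built-in chains first, with their policy (ACCEPT unless -P said otherwise),
            # then user chains with "-" as policy, then the rules, then COMMIT.
            m = split(builtin[t], ch, " ")
            for (j = 1; j <= m; j++) {
                p = ((t, ch[j]) in policy) ? policy[t, ch[j]] : "ACCEPT"
                print ":" ch[j] " " p " [0:0]"
            }
            m = split(user[t], ch, " ")
            for (j = 1; j <= m; j++) print ":" ch[j] " - [0:0]"
            printf("%s", rules[t])
            print "COMMIT"
        }
    }' "${1:-/dev/stdin}"
}

# Constructed sample script, converted when this file is run directly.
printf '%s\n' \
    'iptables -P INPUT DROP' \
    'iptables -N badguys' \
    'iptables -A badguys -j DROP' \
    'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    'iptables -A INPUT -p tcp --dport 22 -j ACCEPT' \
    'iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE' \
    | script_to_iptables_save
```

Check the result with `iptables-restore --test` (where available) or load it on a test box before writing it to /etc/sysconfig/iptables.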
From jsullivan at opensourcedevel.com Mon Jul 11 12:57:38 2005
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon Jul 11 13:13:25 2005
Subject: Unable to add rule on Chain with 28 characters
In-Reply-To: <42CECBA1.7090306@interage.com.br>
References: <42CECBA1.7090306@interage.com.br>
Message-ID: <1121079458.3045.6.camel@localhost>

On Fri, 2005-07-08 at 15:53 -0300, Rafael Dreher wrote:
> Hi,
>
> I'm trying to add a rule on a user-defined chain, on the NAT table, with 28 characters.
>
> The chain has been added without any problem, but when I add the rule, iptables says that it's unable to find the chain.
>
> If I reduce the chain to 25 characters, it works. I'm trying to migrate a set of rules from iptables-1.2.11 to 1.3.1,
> and I don't want to rewrite the rules.
>
> Can someone help me?

I don't have a direct solution for you. From what I recall, the chain name length is hard-coded at 32 characters. That bit us on the ISCS network security management project (http://iscs.sourceforge.net) where we had very long names due to the hierarchical structure of groups and the inheritance model. We switched to automatically generating chain names based upon incrementing numbers. I do not know if the size of the name field has changed with subsequent iptables versions. Wish I could be of more help - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

From jengelh at linux01.gwdg.de Mon Jul 11 13:14:40 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 11 13:30:18 2005
Subject: dhcrelay still responds dropped inbound offer packets from iptables
In-Reply-To: <20050711073247.GD15121@sunbeam.de.gnumonks.org>
References: <673fb82305070814186036ce2f@mail.gmail.com> <20050711073247.GD15121@sunbeam.de.gnumonks.org>
Message-ID:

> My guess is that dhcrelay uses PACKET sockets.

About everything with DHCP from ISC uses AF_PACKET, as far as I can see. And I guess it's not only ISC. Simply because DHCP needs to play with "normally unroutable" addresses like 0.0.0.0 and 255.255.255.255. In the earlier days, one could poke on the kernel's routing tables, today this is not as easy anymore and we're all better off using PACKET sockets.

Er, this does not help the problem. Dang. Surprisingly, however, despite PACKET bypassing the firewall, I was able to drop incoming dhcp packets and dhcpd got nothing...

Jan Engelhardt
--

From jengelh at linux01.gwdg.de Mon Jul 11 13:15:43 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 11 13:31:21 2005
Subject: Broadcast Traffic Control!!!
In-Reply-To: <20050711073819.GG15121@sunbeam.de.gnumonks.org>
References: <20050711073819.GG15121@sunbeam.de.gnumonks.org>
Message-ID:

>> is it possible to filter BC packets using IPTABLES or in any other methods.
>
> ARP packets are not IP packets. Therefore you need to use arptables,
> not iptables.

Or ebtables while you're at fun with bridges. :)

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From dreher at interage.com.br Mon Jul 11 15:11:54 2005
From: dreher at interage.com.br (Rafael Dreher)
Date: Mon Jul 11 15:27:44 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To: <6.0.1.1.2.20050708131029.01f2b9a8@insight.ip3.com>
References: <42CECD47.5050003@interage.com.br> <20050708195049.GA7221@bender.817west.com> <42CEDB7F.3060609@interage.com.br> <6.0.1.1.2.20050708131029.01f2b9a8@insight.ip3.com>
Message-ID: <42D2701A.4030205@interage.com.br>

So, that's a BUG.
Why does iptables let me add a chain with 30 characters, if I can't use this chain?

[root@ward] [10:07:54]
[~]#iptables -t nat -N 123456789012345678901234567890

[root@ward] [10:08:05]
[~]#iptables -t nat -A POSTROUTING -j 123456789012345678901234567890
iptables: No chain/target/match by that name

Hey, gurus, can anyone help me? :)

Thanks

Royce Kemp wrote:
> I have run into this problem as well. Learn to stick to 28 characters.
>
> -r
>
> At 01:01 PM 7/8/2005, Rafael Dreher wrote:
>
>>>> Hi,
>>>>
>>>> I'm trying to add a rule on a user-defined chain, on the NAT table,
>>>> with 28 characters.
>>>
>>> my guess is you're leaving out the '-t nat' as custom chains only exist
>>> in the table they're created in:
>>
>> Hi, again.
>>
>> I guess no. :)
>>
>> [root@ward] [16:55:58]
>> [~]#iptables -t nat -N ecommerce-internet@POSTROUTING
>>
>> [root@ward] [16:56:01]
>> [~]#iptables -t nat -A POSTROUTING -j ecommerce-internet@POSTROUTING
>> iptables: No chain/target/match by that name
>>
>> [root@ward] [16:56:19]
>> [~]#
>>
>> Am I crazy? :)
>>
>> This chain has 30 characters... the max.. if I reduce it to 28, it's
>> added without any problem.
>>
>> Thanks
>>
>> --
>> Rafael Dreher
>>
>> -:: Red Hat Certified Engineer ::-
>> -:: Nr: 807303498507617 ::-
>> http://www.redhat.com/training/certification/verify

--
Rafael Dreher
-:: Interage Integradora ::-
-:: Pesquisa e Desenvolvimento ::-
-:: www.gatepro.com.br || www.interage.com.br ::-
-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify

From jengelh at linux01.gwdg.de Mon Jul 11 15:15:53 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 11 15:31:37 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To: <42D2701A.4030205@interage.com.br>
References: <42CECD47.5050003@interage.com.br> <20050708195049.GA7221@bender.817west.com> <42CEDB7F.3060609@interage.com.br> <6.0.1.1.2.20050708131029.01f2b9a8@insight.ip3.com> <42D2701A.4030205@interage.com.br>
Message-ID:

> So, that's a BUG.
> Why does iptables let me add a chain with 30 characters, if I can't use this chain?
>
> [root@ward] [10:07:54]
> [~]#iptables -t nat -N 123456789012345678901234567890
>
> [root@ward] [10:08:05]
> [~]#iptables -t nat -A POSTROUTING -j 123456789012345678901234567890
> iptables: No chain/target/match by that name

Try
iptables -t nat -N 123456789012345678901234567890
iptables -t nat -A POSTROUTING -j 1234567890123456789012345678

(Maybe add a '9' to the last.) If that's the case, then this is not really a bug, but some code silently truncates the -N request.

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From dreher at interage.com.br Mon Jul 11 15:22:34 2005
From: dreher at interage.com.br (Rafael Dreher)
Date: Mon Jul 11 15:38:36 2005
Subject: Unable to add rule on Chain with 28 characters.
In-Reply-To:
References: <42CECD47.5050003@interage.com.br> <20050708195049.GA7221@bender.817west.com> <42CEDB7F.3060609@interage.com.br> <6.0.1.1.2.20050708131029.01f2b9a8@insight.ip3.com> <42D2701A.4030205@interage.com.br>
Message-ID: <42D2729A.2050509@interage.com.br>

No, that's not the case. I'm still thinking that's a bug.

[root@ward] [10:18:30]
[~]#iptables -t nat -N 123456789012345678901234567890

[root@ward] [10:18:38]
[~]#iptables -t nat -A POSTROUTING -j 1234567890123456789012345678
iptables v1.3.2: Couldn't load target `1234567890123456789012345678':/usr/local/lib/iptables/libipt_1234567890123456789012345678.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

[root@ward] [10:18:41]
[~]#

Any idea?

Thanks

Jan Engelhardt wrote:
>> So, that's a BUG.
>> Why does iptables let me add a chain with 30 characters, if I can't use this chain?
>>
>> [root@ward] [10:07:54]
>> [~]#iptables -t nat -N 123456789012345678901234567890
>>
>> [root@ward] [10:08:05]
>> [~]#iptables -t nat -A POSTROUTING -j 123456789012345678901234567890
>> iptables: No chain/target/match by that name
>
> Try
> iptables -t nat -N 123456789012345678901234567890
> iptables -t nat -A POSTROUTING -j 1234567890123456789012345678
>
> (Maybe add a '9' to the last.) If that's the case, then this is not really a
> bug, but some code silently truncates the -N request.
>
> Jan Engelhardt

--
Rafael Dreher
-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify

From azeem81 at msn.com Mon Jul 11 16:58:15 2005
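The chain-name thread above ends without a fix, but John Sullivan's workaround (generate short chain names from a counter and keep the long logical name elsewhere) is easy to script. The following is an added example, not code from the thread or from ISCS: it rejects chain names longer than the 28 characters the thread found to work in practice and otherwise maps the long name to a generated one. The 28-character limit, the mapping file and the c_NNNN naming scheme are assumptions; by default the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example: keep iptables chain names within a safe length by mapping long
# logical names to short generated ones. Assumptions: MAX_CHAIN_LEN of 28 (the
# value the thread found empirically), a "logical short" mapping file, and
# dry-run output unless IPTABLES=iptables is set in the environment.

MAX_CHAIN_LEN=28
MAPFILE=${MAPFILE:-$(mktemp)}        # one "logical-name short-name" pair per line
IPTABLES=${IPTABLES:-echo iptables}  # dry run by default

# Returns 0 if NAME fits the length limit and uses only characters that are
# safe to pass through shell and iptables-save without quoting.
chain_name_ok() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le "$MAX_CHAIN_LEN" ] || return 1
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9_.@-]+$'
}

# Prints the generated short name for LOGICAL; allocates the next c_NNNN on
# first use so the same logical name always maps to the same chain.
short_chain() {
    logical=$1
    existing=$(awk -v k="$logical" '$1 == k { print $2; exit }' "$MAPFILE")
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
        return 0
    fi
    n=$(awk 'END { print NR }' "$MAPFILE")
    n=$((n + 1))
    short=$(printf 'c_%04d' "$n")
    printf '%s %s\n' "$logical" "$short" >> "$MAPFILE"
    printf '%s\n' "$short"
}

# Creates the chain for LOGICAL in TABLE, using the logical name when it fits
# and a generated name otherwise, and prints the name actually used.
add_chain() {
    table=$1
    logical=$2
    if chain_name_ok "$logical"; then
        name=$logical
    else
        name=$(short_chain "$logical")
    fi
    $IPTABLES -t "$table" -N "$name" >&2
    printf '%s\n' "$name"
}

# Example use (the long name is the one from the thread):
# add_chain nat ecommerce-internet@POSTROUTING   -> prints c_0001
```

When rules are later written by hand, `grep` the mapping file for the logical name to find the chain to use with `-j`; the mapping file is the only place the long name survives, so keep it next to the rule set.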
From: azeem81 at msn.com (azeem ahmad)
Date: Mon Jul 11 17:13:53 2005
Subject: MAC SOURCE
Message-ID:

hi list
here is a script that i want to use to block unauthorized MACs on my network. but the problem is that its not blocking all other MACs that r not specified in the script. plz help me out n tell wots the reason of this
########################################################
iptables -A INPUT -m mac --mac-source $MAC -j ACCEPT
iptables -A FORWARD -m mac --mac-source $MAC -j ACCEPT
iptables -A INPUT -m mac --mac-source ! 11:22:33:44:55:66 -j DROP
iptables -A FORWARD -m mac --mac-source ! 11:22:33:44:55:66 -j DROP
iptables -t nat -A POSTROUTING -i eth1 -j MASQUERADE
###################################################
even now it is MASQUERADING all the macs that r not specified in the script.
waiting for ur response
Regards
Azeem

From opie at 817west.com Mon Jul 11 17:05:44 2005
From: opie at 817west.com (Jason Opperisano)
Date: Mon Jul 11 17:24:09 2005
Subject: MAC SOURCE
In-Reply-To:
References:
Message-ID: <20050711150544.GA16345@bender.817west.com>

On Mon, Jul 11, 2005 at 07:58:15PM +0500, azeem ahmad wrote:
> hi list
> here is a script that i want to use to block unauthorized MACs on my
> network. but the problem is that its not blocking all other MACs that r
> not specified in the script. plz help me out n telll wots the reaon of this
> ########################################################
> iptables -A INPUT -m mac --mac-source $MAC -j ACCEPT
> iptables -A FORWARD -m mac --mac-source $MAC -j ACCEPT
> iptables -A INPUT -m mac --mac-source ! 11:22:33:44:55:66 -j DROP
> iptables -A FORWARD -m mac --mac-source ! 11:22:33:44:55:66 -j DROP
> iptables -t nat -A POSTROUTING -i eth1 -j MASQUERADE
> ###################################################
> even now it is MASQUERADING all the macs that r not specified in the script.
> waiting for ur response
> Regards

i would do it this way:

iptables -N check_mac
iptables -A check_mac -m mac --mac-source $MAC1 -j RETURN
iptables -A check_mac -m mac --mac-source $MAC2 -j RETURN
# iptables -A check_mac -j LOG --log-prefix "INVALID MAC: "
iptables -A check_mac -j DROP

iptables -A INPUT -j check_mac
iptables -A FORWARD -j check_mac

and then put your regular filter rules in INPUT and FORWARD after the jump to check_mac; as only packets with either $MAC1 or $MAC2 will ever make it out of the check_mac chain.

-j

--
"Lois: I'm sorry that Stewie ruined your books. Here, I brought you some of Peter's.
 Brian: "Mr. T" by Mr. T. "T and Me" by George Poppard. "For The Last Time, I'm Not Mr. T" by Ving Rhames."
 --Family Guy

From jengelh at linux01.gwdg.de Mon Jul 11 17:00:31 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 11 17:26:21 2005
Subject: MAC SOURCE
In-Reply-To:
References:
Message-ID:

> hi list
> here is a script that i want to use to block unauthorized MACs on my network.
> but the problem is that its not blocking all other MACs that r not specified
> in the script. plz help me out n telll wots the reaon of this

you did not tell iptables to drop "all others". 11:22:33:44:55:66 is just _one_ MAC. Note that it's enough to say

iptables -P INPUT DROP
iptables -A INPUT -j ACCEPT -m mac --mac-source $MAC

(and the same for FORWARD)

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From payal-netfilter at scriptkitchen.com Mon Jul 11 17:18:30 2005
From: payal-netfilter at scriptkitchen.com (Payal Rathod)
Date: Mon Jul 11 17:34:08 2005
Subject: dnatting
Message-ID: <20050711151830.GA26670@tranquility.scriptkitchen.com>

Hi,
I have a rule on my friend's broadband connection to redirect traffic from outside to an internal machine like,

iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
--to-destination 192.168.10.10:80

But she complained that people from inside the network cannot do http://1.2.3.4 in their browser and see the site. Is she correct? What is wrong with my rule because I can see the site from outside?

Thanks in advance.
With warm regards,
-Payal

From jengelh at linux01.gwdg.de Mon Jul 11 17:20:43 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 11 17:36:23 2005
Subject: dnatting
In-Reply-To: <20050711151830.GA26670@tranquility.scriptkitchen.com>
References: <20050711151830.GA26670@tranquility.scriptkitchen.com>
Message-ID:

> Hi,
> I have a rule on my friend's broadband connection to redirect traffic
> from outside to an internal machine like,
>
> iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> --to-destination 192.168.10.10:80
>
> But she complained that people from inside the network cannot do
> http://1.2.3.4 in their browser and see the site. Is she correct?
> What is wrong with my rule because I can see the site from outside?

The packet must pass the machine the DNAT rule is on to make the dnat effective.

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From gneamob at yahoo.com Mon Jul 11 17:24:29 2005
From: gneamob at yahoo.com (Scott)
Date: Mon Jul 11 17:40:07 2005
Subject: dnatting
In-Reply-To: <20050711151830.GA26670@tranquility.scriptkitchen.com>
Message-ID: <20050711152429.77154.qmail@web54306.mail.yahoo.com>

You may need to install, additionally, a web proxy, such as squid and tell iptables to use it as a transparent proxy for all internal machines, like this:

# DNAT (and -i) are only valid in PREROUTING, not POSTROUTING
iptables -t nat -A PREROUTING -s 192.168.10.0/255.255.255.0 -i ethX -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.1:3128

where ethX is the interface on the internal network.

-Scott

--- Payal Rathod wrote:
> Hi,
> I have a rule on my friend's broadband connection to
> redirect traffic
> from outside to an internal machine like,
>
> iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp
> --dport 80 -j DNAT \
> --to-destination 192.168.10.10:80
>
> But she complained that people from inside the
> network cannot do
> http://1.2.3.4 in their browser and see the site. Is
> she correct?
> What is wrong with my rule because I can see the
> site from outside?
>
> Thanks in advance.
> With warm regards,
> -Payal

From azeem81 at msn.com Mon Jul 11 17:28:07 2005
From: azeem81 at msn.com (azeem ahmad)
Date: Mon Jul 11 17:43:45 2005
Subject: MAC SOURCE
In-Reply-To: <20050711150544.GA16345@bender.817west.com>
Message-ID:
> From: Jason Opperisano
> To: netfilter@lists.netfilter.org
> Subject: Re: MAC SOURCE
> Date: Mon, 11 Jul 2005 11:05:44 -0400
>
> On Mon, Jul 11, 2005 at 07:58:15PM +0500, azeem ahmad wrote:
>> hi list
>> here is a script that i want to use to block unauthorized MACs on my
>> network. but the problem is that its not blocking all other MACs that r
>> not specified in the script. plz help me out n telll wots the reaon of this
>> ########################################################
>> iptables -A INPUT -m mac --mac-source $MAC -j ACCEPT
>> iptables -A FORWARD -m mac --mac-source $MAC -j ACCEPT
>> iptables -A INPUT -m mac --mac-source ! 11:22:33:44:55:66 -j DROP
>> iptables -A FORWARD -m mac --mac-source ! 11:22:33:44:55:66 -j DROP
>> iptables -t nat -A POSTROUTING -i eth1 -j MASQUERADE
>> ###################################################
>> even now it is MASQUERADING all the macs that r not specified in the script.
>> waiting for ur response
>> Regards
>
> i would do it this way:
>
> iptables -N check_mac
> iptables -A check_mac -m mac --mac-source $MAC1 -j RETURN
> iptables -A check_mac -m mac --mac-source $MAC2 -j RETURN
> # iptables -A check_mac -j LOG --log-prefix "INVALID MAC: "
> iptables -A check_mac -j DROP
>
> iptables -A INPUT -j check_mac
> iptables -A FORWARD -j check_mac
>
> and then put your regular filter rules in INPUT and FORWARD after the
> jump to check_mac; as only packets with either $MAC1 or $MAC2 will ever
> make it out of the check_mac chain.
>
> -j
>
> --
> "Lois: I'm sorry that Stewie ruined your books. Here, I brought
> you some of Peter's.
> Brian: "Mr. T" by Mr. T. "T and Me" by George Poppard. "For The Last
> Time, I'm Not Mr. T" by Ving Rhames."
> --Family Guy

thanx a lot
can u explain this rule set in some details
Regards
Azeem
From gopalsachin at gmail.com Mon Jul 11 19:45:51 2005
From: gopalsachin at gmail.com (Sachin)
Date: Mon Jul 11 20:01:57 2005
Subject: Icons Freeze on debian, connected online.
Message-ID: <7833b03c050711104546009611@mail.gmail.com>

Hi Everybody

I am new to IPTABLES and recently put my debian sarge online with firestarter as the firewall. As soon as i connect the desktop icons are inaccessible and freeze as if SLEEP mode is activated. If i am logging to virtual terminal lot of output starts on the screen and it seems somebody is scanning me. As i am a newbie i am not able to decrypt what's going on in the background. I am posting the output of the dmesg which also flows down on the virtual terminal when i login. Is there a way to stop it. I assume the icons freeze because of this and so i cannot browse the local file system once online.

Snip --

IN=ppp0 OUT= MAC= SRC=83.88.20.210 DST=220.226.22.163 LEN=168 TOS=0x00 PREC=0x00 TTL=242 ID=30185 PROTO=ICMP TYPE=11 CODE=0 [SRC=220.226.22.163 DST=158.36.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=5 ID=36362 PROTO=UDP SPT=36179 DPT=33617 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=146.188.8.145 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=220.226.22.163 DST=80.97.24.3 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=36370 PROTO=UDP SPT=36179 DPT=33625 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=195.249.1.154 DST=220.226.22.163 LEN=168 TOS=0x00 PREC=0x00 TTL=244 ID=5797 PROTO=ICMP TYPE=11 CODE=0 [SRC=220.226.22.163 DST=194.71.11.70 LEN=40 TOS=0x00 PREC=0x00 TTL=5 ID=36382 PROTO=UDP SPT=36179 DPT=33637 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=163.13.240.201 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=15028 PROTO=ICMP TYPE=3 CODE=3 [SRC=220.226.22.163 DST=163.13.240.201 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=36391 PROTO=UDP SPT=36179 DPT=33646 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=140.109.251.49 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0xC0 TTL=248 ID=1622 PROTO=ICMP TYPE=11 CODE=0 [SRC=220.226.22.163 DST=140.112.30.75 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=36392 PROTO=UDP SPT=36179 DPT=33647 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=62.221.40.170 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0x00 TTL=239 ID=13510 PROTO=ICMP TYPE=11 CODE=0 [SRC=220.226.22.163 DST=213.186.192.209 LEN=40 TOS=0x14 PREC=0x20 TTL=1 ID=36401 PROTO=UDP SPT=36179 DPT=33656 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=140.127.160.194 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0xC0 TTL=244 ID=32707 PROTO=ICMP TYPE=11 CODE=0 [SRC=220.226.22.163 DST=140.127.220.114 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=36397 PROTO=UDP SPT=36179 DPT=33652 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=220.226.36.161 DST=220.226.22.163 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7263 DF PROTO=TCP SPT=2260 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=220.226.36.161 DST=220.226.22.163 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7801 DF PROTO=TCP SPT=2260 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=194.12.255.250 DST=220.226.22.163 LEN=68 TOS=0x00 PREC=0x00 TTL=49 ID=30663 PROTO=ICMP TYPE=3 CODE=3 [SRC=220.226.22.163 DST=194.12.255.250 LEN=40 TOS=0x00 PREC=0x20 TTL=1 ID=36263 PROTO=UDP SPT=36179 DPT=33518 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=220.226.11.73 DST=220.226.22.163 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=9949 DF PROTO=TCP SPT=1984 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=220.226.11.73 DST=220.226.22.163 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=10094 DF PROTO=TCP SPT=1984 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=130.239.18.142 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0x00 TTL=235 ID=4538 PROTO=ICMP TYPE=3 CODE=3 [SRC=220.226.22.163 DST=130.239.18.142 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=36187 PROTO=UDP SPT=36179 DPT=33442 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=203.127.221.98 DST=220.226.22.163 LEN=68 TOS=0x00 PREC=0xC0 TTL=53 ID=34365 PROTO=ICMP TYPE=3 CODE=3 [SRC=220.226.22.163 DST=203.127.221.98 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=36193 PROTO=UDP SPT=36179 DPT=33448 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=130.239.18.142 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0x00 TTL=235 ID=56644 PROTO=ICMP TYPE=3 CODE=3 [SRC=220.226.22.163 DST=130.239.18.142 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=36407 PROTO=UDP SPT=36179 DPT=33662 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=220.226.7.193 DST=220.226.22.163 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=24030 DF PROTO=TCP SPT=2492 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0

---

Thanks for your time and patience
Sachin

From payal-netfilter at scriptkitchen.com Mon Jul 11 20:21:58 2005
From: payal-netfilter at scriptkitchen.com (Payal Rathod)
Date: Mon Jul 11 20:37:37 2005
Subject: dnatting
In-Reply-To:
References: <20050711151830.GA26670@tranquility.scriptkitchen.com>
Message-ID: <20050711182158.GA31027@tranquility.scriptkitchen.com>

On Mon, Jul 11, 2005 at 05:20:43PM +0200, Jan Engelhardt wrote:
>
>> Hi,
>> I have a rule on my friend's broadband connection to redirect traffic
>> from outside to an internal machine like,
>>
>> iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
>> --to-destination 192.168.10.10:80
>>
>> But she complained that people from inside the network cannot do
>> http://1.2.3.4 in their browser and see the site. Is she correct?
>> What is wrong with my rule because I can see the site from outside?
>
> The packet must pass the machine the DNAT rule is on to make the dnat
> effective.
>

So what do I do exactly?

With warm regards,
-Payal

From jengelh at linux01.gwdg.de Mon Jul 11 20:37:02 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 11 20:52:39 2005
Subject: [OT] Re: rp_filtering
In-Reply-To: <1121106844.5236.16.camel@anduril.intranet.cartel-securite.net>
References: <1121105149.5236.5.camel@anduril.intranet.cartel-securite.net> <1121106844.5236.16.camel@anduril.intranet.cartel-securite.net>
Message-ID:

>> Whoops, meant srcip=192.168.222.34
>
> This won't be possible as well, because in this case, rp_filtering will
> work. This source is routed via eth0, so no packet sourced from this IP
> will not be allowed on ippp0.

Ok I messed it all up, no one's seen anything, all go home. Everything's fine.

From opie at 817west.com Mon Jul 11 20:35:32 2005
From: opie at 817west.com (Jason Opperisano)
Date: Mon Jul 11 20:53:49 2005
Subject: MAC SOURCE
In-Reply-To:
References: <20050711150544.GA16345@bender.817west.com>
Message-ID: <20050711183532.GA17128@bender.817west.com>

On Mon, Jul 11, 2005 at 08:28:07PM +0500, azeem ahmad wrote:
> thanx a lot
> can u explain this rule set in some details

sure:

# create a new user-defined chain called "check_mac" in the filter
# table
iptables -N check_mac

# append a rule to the "check_mac" chain that returns packets from
# $MAC1 to the calling chain (where we jumped from)
iptables -A check_mac -m mac --mac-source $MAC1 -j RETURN

# append a rule to the "check_mac" chain that returns packets from
# $MAC2 to the calling chain (where we jumped from)
iptables -A check_mac -m mac --mac-source $MAC2 -j RETURN

# a commented-out rule that would log all other packets that are about
# to get DROP-ed by the rule that comes afterwards
# iptables -A check_mac -j LOG --log-prefix "INVALID MAC: "

# drop any packet that makes it to this rule
iptables -A check_mac -j DROP

# jump to the check_mac chain from the INPUT chain. packets that hit
# the RETURN target in check_mac will come back to INPUT to traverse
# the remaining rules in INPUT
iptables -A INPUT -j check_mac

# jump to the check_mac chain from the FORWARD chain. packets that hit
# the RETURN target in check_mac will come back to FORWARD to traverse
# the remaining rules in FORWARD
iptables -A FORWARD -j check_mac

-j

--
"Meg: Guess what I am.
 Stewie: Hmm, let me see. The end result of a drunken backseat grope-fest and a damaged prophylactic?"
 --Family Guy

From rob0 at gmx.co.uk Mon Jul 11 20:38:39 2005
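Jason's check_mac chain and Jan's policy-DROP variant both depend on every MAC in the list being spelled correctly: a mistyped address silently becomes one more station that is dropped, and with `!` on a single address (the original script) every other station is let through. The script below is an added example, not azeem's script or Jason's rules: it validates each address before emitting anything, builds the check_mac allowlist chain, rate-limits the LOG rule so a chatty unknown station cannot fill the log, and confines the jump to the LAN interface. The MAC addresses are constructed samples; LAN_IF=eth1 is an assumption, and by default the commands are only printed. Bear in mind what --mac-source can and cannot do: it only sees the MAC of the last hop on the directly attached segment, and a station can set its own MAC, so this is an inventory control, not authentication.

```shell
#!/bin/sh
# Added example: build the check_mac allowlist chain from a validated list of
# MAC addresses. Assumptions: LAN_IF is the internal interface, IPTABLES
# defaults to a dry run (prints the commands); set IPTABLES=iptables to apply.

IPTABLES=${IPTABLES:-echo iptables}
LAN_IF=${LAN_IF:-eth1}

# Returns 0 if MAC is six colon-separated hex octets (either case).
mac_valid() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emits the rules for the allowlist chain. Every MAC given as an argument
# is checked first, so a typo aborts the whole thing instead of loading a
# partial rule set that quietly locks out one station.
build_check_mac() {
    [ $# -gt 0 ] || { echo "no MACs given" >&2; return 1; }
    for mac in "$@"; do
        mac_valid "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    $IPTABLES -N check_mac
    for mac in "$@"; do
        # known station: return to the calling chain and continue filtering
        $IPTABLES -A check_mac -m mac --mac-source "$mac" -j RETURN
    done
    # everything else: log (rate limited) and drop
    $IPTABLES -A check_mac -m limit --limit 5/min -j LOG --log-prefix "INVALID MAC: "
    $IPTABLES -A check_mac -j DROP
    # only traffic arriving on the LAN side carries a meaningful source MAC;
    # the rest of INPUT/FORWARD goes after these two jumps
    $IPTABLES -A INPUT -i "$LAN_IF" -j check_mac
    $IPTABLES -A FORWARD -i "$LAN_IF" -j check_mac
}

# Number of iptables commands the chain needs for the given MACs
# (1 for -N, one RETURN per MAC, LOG, DROP, and the two jumps).
rule_count() {
    build_check_mac "$@" | grep -c '^iptables'
}

# Example with two constructed sample addresses:
# build_check_mac 00:11:22:33:44:55 00:11:22:33:44:66
```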
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 11 20:54:27 2005
Subject: dnatting
In-Reply-To:
References: <20050711151830.GA26670@tranquility.scriptkitchen.com>
Message-ID: <42D2BCAF.4040906@gmx.co.uk>

Jan Engelhardt wrote:
>> I have a rule on my friend's broadband connection to redirect traffic
>> from outside to an internal machine like,
>
>> iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
>> --to-destination 192.168.10.10:80
>>
>> But she complained that people from inside the network cannot do
>> http://1.2.3.4 in their browser and see the site. Is she correct?
>> What is wrong with my rule because I can see the site from outside?
>
> The packet must pass the machine the DNAT rule is on to make the dnat
> effective.

And then there should be a filter table rule to ACCEPT those packets, or at least nothing to DROP or otherwise not accept them. With a typical (Packet-Filtering-HOWTO-inspired) firewall with default DROP policy in FORWARD, you need a corresponding ACCEPT rule in FORWARD for every DNAT. In crafting such rules remember that the destination has already been rewritten in nat/PREROUTING.

The Web proxy suggestion has me puzzled. :)
--
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

From jengelh at linux01.gwdg.de Mon Jul 11 20:42:26 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 11 20:58:09 2005
Subject: dnatting
In-Reply-To: <42D2BCAF.4040906@gmx.co.uk>
References: <20050711151830.GA26670@tranquility.scriptkitchen.com> <42D2BCAF.4040906@gmx.co.uk>
Message-ID:

> The Web proxy suggestion has me puzzled. :)

"me2", because given that 1.2.3.4 is a valid internet-wide IP (e.g. ppp0), 10.x.y.z is the local net (eth0) and a client is 10.0.0.1 on eth0, there should not be any problem to connect from 10.0.0.1 to 1.2.3.4:80 and get it DNAT'ed. Or do you mean that `telnet 127.0.0.1 80` on the DNAT-rulebox itself does not work [anymore]?

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From opie at 817west.com Mon Jul 11 20:45:20 2005
From: opie at 817west.com (Jason Opperisano)
Date: Mon Jul 11 21:03:35 2005
Subject: dnatting
In-Reply-To: <20050711151830.GA26670@tranquility.scriptkitchen.com>
References: <20050711151830.GA26670@tranquility.scriptkitchen.com>
Message-ID: <20050711184520.GA17202@bender.817west.com>

On Mon, Jul 11, 2005 at 11:18:30AM -0400, Payal Rathod wrote:
> Hi,
> I have a rule on my friend's broadband connection to redirect traffic
> from outside to an internal machine like,
>
> iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> --to-destination 192.168.10.10:80
>
> But she complained that people from inside the network cannot do
> http://1.2.3.4 in their browser and see the site. Is she correct?
> What is wrong with my rule because I can see the site from outside?

1) client; say 192.168.10.100, sends TCP SYN to 1.2.3.4
2) iptables machine receives packet destined for 1.2.3.4, DNAT's it to 192.168.10.10 and forwards the packet out the internal interface
3) 192.168.10.10 receives TCP SYN from 192.168.10.100 and replies directly to 192.168.10.100 with a SYN/ACK
4) client; 192.168.10.100, receives SYN/ACK from 192.168.10.10 and discards it, as it matches no connection in the SYN_SENT state (recall that our SYN was sent to 1.2.3.4).

that's the why. the proper way to avoid this is to have people on the inside connect to 192.168.10.10. i will leave all the half-assed work-arounds and kludges as an exercise for the reader and other posters.

-j

--
"Peter: This party couldn't be better if Jesus was here.
 Jesus: For my next miracle, I will turn water... into FUNK."
 --Family Guy

From innocent.evil at inbox.com Mon Jul 11 20:54:09 2005
From: innocent.evil at inbox.com (Innocent Evil)
Date: Mon Jul 11 21:09:53 2005
Subject: size of recent blacklist
Message-ID: <41DFFDDA1C6.000004DBinnocent.evil@inbox.com>

Hello,

Currently, I don't see my recent blacklist grow to more than 100. Was it coded this way? If so, would you please suggest how to increase this size..

Also, I have a 'feature request'. It would be nicer to be able to see the blacklist by a command like:

iptables -m recent --blacklist

Thanks

From rob0 at gmx.co.uk Mon Jul 11 20:54:32 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Jul 11 21:10:20 2005
Subject: Icons Freeze on debian, connected online.
In-Reply-To: <7833b03c050711104546009611@mail.gmail.com>
References: <7833b03c050711104546009611@mail.gmail.com>
Message-ID: <42D2C068.1000404@gmx.co.uk>

Sachin wrote:
> I am new to IPTABLES and recently put my debian sarge online with
> firestarter as the firewall. As soon as i connect the desktop icons
> are inaccesible and freeze as if SLEEP mode is activated.

"Firestarter" tells me nothing. Is there a firestarter help forum? Try asking there.

There's probably something dreadfully wrong in your iptables rules. I would have to see them (hint: iptables-save(8)) to know what it is, although I do have a theory.

> If i am logging to virtual terminal lot of output starts on the
> screen and it seems somebody is scanning me.

Why do you think that somebody is scanning you?

> As i am a newbie i am not able to decrypt whats
> goin on the background.

And this is precisely why you should not jump to conclusions about being scanned or attacked. Newbie paranoia is not good. When you see something you don't understand, think, "Here is something I don't understand," not "Oh no! Something terrible is happening!!" Then look it up and find out what it is.

> I am posting the output of the dmesg which also flows
> down on the virtual terminal when i login. Is there a way to stop it.

My theory: rampant LOG rules. Delete all LOG rules. Only use LOG for specific purposes, and generally in conjunction with -m limit.

> I assume the icons freeze because of this and so i cannot browse the
> local file system once online.

It is quite reasonable to think that LOG rules could bring a system to a crawl.

> Snip --
>
> IN=ppp0 OUT= MAC= SRC=83.88.20.210 DST=220.226.22.163 LEN=168 TOS=0x00
> PREC=0x00 TTL=242 ID=30185 PROTO=ICMP TYPE=11 CODE=0

Now, let's work on understanding these. IN= gives the name of the incoming interface, if appropriate. OUT=, outgoing. SRC=, the source IP, DST=, destination. After that you'll usually be most interested in PROTO and in this case being ICMP, it's a type 11.

http://www.faqs.org/docs/iptables/icmptypes.html

> [SRC=220.226.22.163 DST=158.36.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=5
> ID=36362 PROTO=UDP SPT=36179 DPT=33617 LEN=20 ]

Here's the UDP packet that generated the ICMP one. SPT=, source port, DPT=, destination port. (Those also apply to PROTO=TCP.) I'd have to look it up to be sure, but I think that might be a traceroute.

You are getting a lot of ICMP 11's. Here's a type 3:

> IN=ppp0 OUT= MAC= SRC=163.13.240.201 DST=220.226.22.163 LEN=56
> TOS=0x00 PREC=0x00 TTL=54 ID=15028 PROTO=ICMP TYPE=3 CODE=3
> [SRC=220.226.22.163 DST=163.13.240.201 LEN=40 TOS=0x00 PREC=0x00 TTL=1
> ID=36391 PROTO=UDP SPT=36179 DPT=33646 LEN=20 ]

And here's a TCP SYN packet:

> IN=ppp0 OUT= MAC= SRC=220.226.36.161 DST=220.226.22.163 LEN=48
> TOS=0x00 PREC=0x00 TTL=123 ID=7263 DF PROTO=TCP SPT=2260 DPT=1433
> WINDOW=16384 RES=0x00 SYN URGP=0

I bet if you delete your LOG rules all will be well. Why would you want to have logs you cannot interpret?

Again, and I've said this on this list before, I rarely use LOG. When I am looking for something in particular I turn them on. I don't care about logging what I've dropped, in most cases. Why bother? (Yes, yes, I know that there might be cases in which it's worth the bother. In those cases you'd have some kind of monitoring software, though.)
--
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

From jengelh at linux01.gwdg.de Mon Jul 11 20:54:48 2005
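rob0's walk through the IN=/SRC=/PROTO= fields is exactly what a small parser does for you, and his advice to pair LOG with -m limit is the other half of keeping a log readable. The script below is an added example (not rob0's or Sachin's): it folds iptables LOG lines into one line per protocol and ICMP type or destination port with the sources seen, so the post's flood reads as a handful of traceroute replies and a couple of SYNs to 1433 and 139, and it emits a rate-limited LOG rule. The lines in SAMPLE_LOG are six of the records from Sachin's post; the limit values in the rule are an assumption.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output and emit a rate-limited LOG
# rule. SAMPLE_LOG holds six records copied from the post above; IPTABLES
# defaults to a dry run (prints the command).

IPTABLES=${IPTABLES:-echo iptables}

SAMPLE_LOG='IN=ppp0 OUT= MAC= SRC=83.88.20.210 DST=220.226.22.163 LEN=168 TOS=0x00 PREC=0x00 TTL=242 ID=30185 PROTO=ICMP TYPE=11 CODE=0 [SRC=220.226.22.163 DST=158.36.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=5 ID=36362 PROTO=UDP SPT=36179 DPT=33617 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=146.188.8.145 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=220.226.22.163 DST=80.97.24.3 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=36370 PROTO=UDP SPT=36179 DPT=33625 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=163.13.240.201 DST=220.226.22.163 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=15028 PROTO=ICMP TYPE=3 CODE=3 [SRC=220.226.22.163 DST=163.13.240.201 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=36391 PROTO=UDP SPT=36179 DPT=33646 LEN=20 ]
IN=ppp0 OUT= MAC= SRC=220.226.36.161 DST=220.226.22.163 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7263 DF PROTO=TCP SPT=2260 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=220.226.36.161 DST=220.226.22.163 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7801 DF PROTO=TCP SPT=2260 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=220.226.11.73 DST=220.226.22.163 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=9949 DF PROTO=TCP SPT=1984 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0'

# Reads LOG lines on stdin and prints "KEY count src..." per distinct
# traffic class, most frequent first. KEY is ICMP/typeN for ICMP and
# PROTO/dptN for everything with a destination port.
summarize_log() {
    awk '
    {
        for (k in f) delete f[k]
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            # The part in [ ] is the header of the packet that triggered an
            # ICMP error; keeping the first value of each key keeps the outer
            # packet and ignores the embedded one.
            if (!(k in f)) f[k] = v
        }
        if (f["PROTO"] == "ICMP")    key = "ICMP/type" f["TYPE"]
        else if (f["PROTO"] != "")   key = f["PROTO"] "/dpt" f["DPT"]
        else next
        count[key]++
        if (!((key, f["SRC"]) in seen)) {
            seen[key, f["SRC"]] = 1
            src[key] = src[key] " " f["SRC"]
        }
    }
    END { for (k in count) printf "%s %d%s\n", k, count[k], src[k] }
    ' | sort -k2,2nr -k1,1
}

# Emits a LOG rule for CHAIN that fires at most 5 times a minute (burst 10),
# so a flood like the one above cannot fill dmesg or stall the console.
limited_log_rule() {
    chain=$1
    prefix=$2
    $IPTABLES -A "$chain" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$prefix"
}

# Example: printf '%s\n' "$SAMPLE_LOG" | summarize_log
# prints ICMP/type11 and TCP/dpt1433 with 2 hits each, then the two
# single-hit classes, each followed by the source addresses seen.
```

Feed it `dmesg | grep 'IN=ppp0'` or the kernel log file instead of SAMPLE_LOG; the same first-key-wins trick also keeps the outer DST and LEN when an ICMP error carries an embedded header.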
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 11 21:10:30 2005
Subject: dnatting
In-Reply-To: <20050711184520.GA17202@bender.817west.com>
References: <20050711151830.GA26670@tranquility.scriptkitchen.com> <20050711184520.GA17202@bender.817west.com>
Message-ID:

> 4) client; 192.168.10.100, receives SYN/ACK from 192.168.10.10 and
>    discards it, as it matches no connection in the SYN_SENT state
>    (recall that our SYN was sent to 1.2.3.4).

Now I get the point of problem. Well, there was *once* implicit SNAT in netfilter (at least in conjunction with IP_NF_NAT_LOCAL)

> that the why. the proper way to avoid this is to have people on the
> inside connect to 192.168.10.10.

From george.john at ch.easynet.net Mon Jul 11 20:47:14 2005
From: george.john at ch.easynet.net (george.john@ch.easynet.net)
Date: Mon Jul 11 21:10:49 2005
Subject: George John out of office
Message-ID: <20050711184714.70933.qmail@mx2.mail.ch.easynet.net>

Hello!

Please be informed that I am on holidays during the coming weeks and I will be back in the office only on 8th of August 2005.

You can reach our customer care team through e-mail: support@ch.easynet.net or via tel No. 0848 000 884

During my holidays Mr. Di Cicco will be backing me up and you can reach him via e-mail: vito.dicicco@ch.easynet.net

With best regards
George K. John
Network & support Engineer
Easynet AG
Hardturmstrasse 135
8005 Zurich

From gary at primeexalia.com Mon Jul 11 21:09:44 2005
From: gary at primeexalia.com (Gary W. Smith) Date: Mon Jul 11 21:25:25 2005 Subject: dnatting Message-ID: <57F9959B46E0FA4D8BA88AEDFBE58290742C@pxtbenexd01.pxt.primeexalia.com>

Payal,

You need to add a second simple entry:

Look at the entries below. I'm mapping an entire IP but this would be simple to just do a single port. The second POSTROUTING line is what made everything work for my typical firewalls.

# Completed on Mon Jul 11 10:58:27 2005
# Generated by iptables-save v1.2.11 on Mon Jul 11 10:58:27 2005
*nat
:PREROUTING ACCEPT [2547:176804]
:POSTROUTING ACCEPT [633:40896]
:OUTPUT ACCEPT [40:4518]
-A PREROUTING -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50

-A POSTROUTING -s 10.94.16.50 -o eth0 -j SNAT --to-source 81.45.25.50
-A POSTROUTING -s 10.94.16.50 -d 10.94.16.0/255.255.255.0 -j SNAT --to-source 81.45.25.50

-A POSTROUTING -o eth0 -p ! ipv6-crypt -j SNAT --to-source 81.45.25.50
-A OUTPUT -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50
COMMIT
# Completed on Mon Jul 11 10:58:27 2005

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Payal Rathod
> Sent: Monday, July 11, 2005 8:19 AM
> To: Netfilter ML
> Subject: dnatting
>
> Hi,
> I have a rule on my friend's broadband connection to redirect traffic
> from outside to an internal machine like,
>
> iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> --to-destination 192.168.10.10:80
>
> But she complained that people from inside the network cannot do
> http://1.2.3.4 in their browser and see the site. Is she correct?
> What is wrong with my rule because I can see the site from outside?
>
> Thanks in advance.
> With warm regards,
> -Payal

From s_lojic at hotmail.com Mon Jul 11 21:37:31 2005
From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Mon Jul 11 21:53:10 2005 Subject: DNS and NAT Message-ID:

Does DNS work with iptables NAT or do I need some kind of ALG to get DNS answers translated?

I am using Mandrake Linux 10.0. I have two way NAT going on and I am trying to get DNS requests through the NAT. I got FTP, HTTP and SMTP working through the NAT, but DNS is not working properly, DNS answer is not getting translated. Source and Destination addresses in DNS message are properly translated, but the actual answer (the ip address embedded in the message) is not translated.

Thanks

From opie at 817west.com Mon Jul 11 21:41:13 2005
From: opie at 817west.com (Jason Opperisano) Date: Mon Jul 11 21:59:52 2005 Subject: DNS and NAT In-Reply-To: References: Message-ID: <20050711194113.GA17435@bender.817west.com> On Mon, Jul 11, 2005 at 12:37:31PM -0700, Suzana Lojic-Skoric wrote: > Does DNS work with iptables NAT or I need some kind of ALG to get DNS > answers translated? > > I am using Mandrake Linux 10.0. I have two way NAT going on and I am trying > to get DNS requests through the NAT. I got FTP, HTTP and SMTP working > through the NAT, but DNS is not working properly, DNS answer is not getting > translated. nor should it be. > Source and Destination addresses in DNS message are properly > translated, but the actual answer (the ip address embedded in the message) > is not translated. which is exactly how it's supposed to work. how the $%#@ is iptables supposed to know what to rewrite the answer to? if you are using BIND, look into the functionality offered by "views." -j -- "Peter: You know, I oughta just give you some beer. Goes straight through you. Stewie: Wonderful. And while we're at it, we can light up a doobie and watch porn. Peter: Eh... yeah?" --Family Guy From s_lojic at hotmail.com Mon Jul 11 22:33:34 2005 From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Mon Jul 11 22:49:12 2005 Subject: DNS and NAT In-Reply-To: <20050711194113.GA17435@bender.817west.com> Message-ID: OK, thanks I was not sure what is the proper behavior regarding iptables and DNS. If answer is not translated then how do I get DNS to work with two way NAT? My internal network does not understand any of the ip addresses that belong to outside. So if the request for a page that is sent from internal network comes back from outside with an answer (ip address) that is not getting translated then I can't resolve the page since my internal network doesn't understand it and can't route to it. Is there a way around this problem? How do I get DNS to work in the type of environment I described? Thanks 
From opie at 817west.com Mon Jul 11 22:44:21 2005
From: opie at 817west.com (Jason Opperisano) Date: Mon Jul 11 23:02:42 2005 Subject: DNS and NAT In-Reply-To: References: <20050711194113.GA17435@bender.817west.com> Message-ID: <20050711204421.GA17661@bender.817west.com> On Mon, Jul 11, 2005 at 01:33:34PM -0700, Suzana Lojic-Skoric wrote: > OK, thanks I was not sure what is the proper behavior regarding iptables > and DNS. > > If answer is not translated then how do I get DNS to work with two way NAT? > My internal network does not understand any of the ip addresses that belong > to outside. So if the request for a page that is sent from internal network > comes back from outside with an answer (ip address) that is not getting > translated then I can't resolve the page since my internal network doesn't > understand it and can't route to it. > Is there a way around this problem? How do I get DNS to work in the type of > environment I described? with what is called "split DNS." essentially: requests from the internal network get internal IP's as responses, requests from the outside networks get external IP's as responses. like i said in my first reply; with BIND, this is accomplished through the use of "views." i am not familiar with how other DNS servers handle this. a more complete explanation of BIND views and an example of using views for split DNS can be found at: http://www.zytrax.com/books/dns/ch7/view.html -j -- "Chris: Dad, what's the blowhole for? Peter: I'll tell you what it's not for. And when I do, you'll understand why I can never go back to Sea World." --Family Guy From rob0 at gmx.co.uk Mon Jul 11 23:25:20 2005 
From: rob0 at gmx.co.uk (/dev/rob0) Date: Mon Jul 11 23:41:01 2005 Subject: DNS and NAT In-Reply-To: References: Message-ID: <42D2E3C0.1030405@gmx.co.uk> Please don't top-post. Thank you. Suzana Lojic-Skoric wrote: > OK, thanks I was not sure what is the proper behavior regarding > iptables and DNS. The usual situation is that clients are NAT'ed out, like what you're describing. > If answer is not translated then how do I get DNS to work with two way NAT? What does not work? Two-way NAT is fine. You go on to say you're not really talking about two-way NAT: > My internal network does not understand any of the ip addresses that > belong to outside. So if the request for a page that is sent from > internal network comes back from outside with an answer (ip address) > that is not getting translated then I can't resolve the page since my > internal network doesn't understand it and can't route to it. Clients need to have a default route through the NAT gateway, which does SNAT or MASQUERADE. How is it two-way if the clients can't route out? > Is there a way around this problem? How do I get DNS to work in the type > of environment I described? If you don't want to allow NAT clients out for some reason, you might check into running proxy servers, such as squid for HTTP/FTP. Only the services you are proxying can be used by internal clients. SOCKS proxy servers can handle multiple protocols, but I don't know anything more about it than just that fact. Proxy servers are a good choice in some circumstances; you maintain maximum control over what clients can and cannot do (unless users have shell access to the proxy server, perhaps.) But proxying is far more resource-intensive than NAT. -- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header From jengelh at linux01.gwdg.de Mon Jul 11 23:36:57 2005 
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon Jul 11 23:52:36 2005 Subject: DNS and NAT In-Reply-To: <42D2E3C0.1030405@gmx.co.uk> References: <42D2E3C0.1030405@gmx.co.uk> Message-ID:

> Proxy servers are a good choice in some circumstances; you maintain maximum
> control over what clients can and cannot do (unless users have shell access to
> the proxy server, perhaps.) But proxying is far more resource-intensive than
> NAT.

Not hard either. Just catch any non-squid packets and redir them to lo. In iptables words:

-A OUTPUT -j DNAT -p tcp --dport {80|3128} --to-dest 127.0.0.1:80 \
   -m owner ! --uid-owner squid

{80,3128} depending on whether you want transparent(80) proxying or intercepted(3128) proxying. Since squid usually listens on an unprivileged port (3128), the socket creation can be deferred until after the setuid from root to squid; therefore, the socket belongs to "squid" and thus, --uid-owner can match.

Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/

From dufresne at sysinfo.com Tue Jul 12 06:05:49 2005
From: dufresne at sysinfo.com (R. DuFresne) Date: Tue Jul 12 06:15:46 2005 Subject: DNS and NAT In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 11 Jul 2005, Suzana Lojic-Skoric wrote: > OK, thanks I was not sure what is the proper behavior regarding iptables and > DNS. > > If answer is not translated then how do I get DNS to work with two way NAT? > My internal network does not understand any of the ip addresses that belong > to outside. So if the request for a page that is sent from internal network > comes back from outside with an answer (ip address) that is not getting > translated then I can't resolve the page since my internal network doesn't > understand it and can't route to it. > Is there a way around this problem? How do I get DNS to work in the type of > environment I described? You could always just push /etc/hosts files out with the inside addresses there, if you have troubles with DNS setup. Slow, crude, yet effective. The poorman's way... Thanks, Ron DuFresne - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 ...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFC00Ghst+vzJSwZikRAiPtAKCN0xJK03V94Z/tqhLH2BH/0j6EhACgvJna jvGcXe/gClTpOpIyXwzwP+4= =1FJ3 -----END PGP SIGNATURE----- From payal-netfilter at scriptkitchen.com Tue Jul 12 09:34:07 2005 
From: payal-netfilter at scriptkitchen.com (Payal Rathod) Date: Tue Jul 12 09:49:51 2005 Subject: dnatting In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290742C@pxtbenexd01.pxt.primeexalia.com> References: <57F9959B46E0FA4D8BA88AEDFBE58290742C@pxtbenexd01.pxt.primeexalia.com> Message-ID: <20050712073407.GA30567@tranquility.scriptkitchen.com> On Mon, Jul 11, 2005 at 12:09:44PM -0700, Gary W. Smith wrote: > Payal, > > You need to add a second simple entry: [...] Thanks this solved it. Thanks again. Now I am curious why Jason didn't suggest this. With warm regards, -Payal > > Look at the entries below. I'm mapping an entire IP but this would be > simple to just to a single port. The second POSTROUTING line is what > made everything work for my typical firewalls. > > # Completed on Mon Jul 11 10:58:27 2005 > # Generated by iptables-save v1.2.11 on Mon Jul 11 10:58:27 2005 > *nat > :PREROUTING ACCEPT [2547:176804] > :POSTROUTING ACCEPT [633:40896] > :OUTPUT ACCEPT [40:4518] > -A PREROUTING -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50 > > -A POSTROUTING -s 10.94.16.50 -o eth0 -j SNAT --to-source 81.45.25.50 > -A POSTROUTING -s 10.94.16.50 -d 10.94.16.0/255.255.255.0 -j SNAT > --to-source 81.45.25.50 > > -A POSTROUTING -o eth0 -p ! ipv6-crypt -j SNAT --to-source 81.45.25.50 > -A OUTPUT -d 81.45.25.50 -j DNAT --to-destination 10.94.16.50 > COMMIT > # Completed on Mon Jul 11 10:58:27 2005 > > > > -----Original Message----- 
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> > bounces@lists.netfilter.org] On Behalf Of Payal Rathod
> > Sent: Monday, July 11, 2005 8:19 AM
> > To: Netfilter ML
> > Subject: dnatting
> >
> > Hi,
> > I have a rule on my friend's broadband connection to redirect traffic
> > from outside to an internal machine like,
> >
> > iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> > --to-destination 192.168.10.10:80
> >
> > But she complained that people from inside the network cannot do
> > http://1.2.3.4 in their browser and see the site. Is she correct?
> > What is wrong with my rule because I can see the site from outside?
> >
> > Thanks in advance.
> > With warm regards,
> > -Payal

From afshinlamei at gmail.com Tue Jul 12 12:26:07 2005
From: afshinlamei at gmail.com (afshin lamei) Date: Tue Jul 12 12:42:57 2005 Subject: mport or multiport? Message-ID: <3115d56e05071203266e32e178@mail.gmail.com>

Dear all,

"iptables -A INPUT -p tcp -m mport --ports 20:23,80 -j DROP " from patch-o-matic is perfect, but what is that: Source port or Destination port? I know that with "multiport" i can determine source and dest ports, but it is not so good because it doesn't accept ranges (eg: 20:50).

From blancher at cartel-securite.fr Tue Jul 12 12:47:29 2005
From: blancher at cartel-securite.fr (Cedric Blancher) Date: Tue Jul 12 13:03:41 2005 Subject: mport or multiport? In-Reply-To: <3115d56e05071203266e32e178@mail.gmail.com> References: <3115d56e05071203266e32e178@mail.gmail.com> Message-ID: <1121165249.5328.34.camel@anduril.intranet.cartel-securite.net>

On Tuesday 12 July 2005 at 14:56 +0430, afshin lamei wrote:
> "iptables -A INPUT -p tcp -m mport --ports 20:23,80 -j DROP " from
> patch-o-matic is perfect, but what is that: Source port or Destination
> port?

Sorry, but RTFM :)

$ iptables --version
iptables v1.3.1
$ man iptables
[...]
   mport
       This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

       --source-ports port[,port[,port...]]
              Match if the source port is one of the given ports. The flag --sports is a convenient alias for this option.

       --destination-ports port[,port[,port...]]
              Match if the destination port is one of the given ports. The flag --dports is a convenient alias for this option.

       --ports port[,port[,port...]]
              Match if the both the source and destination ports are equal to each other and to one of the given ports.

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

From opie at 817west.com Tue Jul 12 13:59:18 2005
From: opie at 817west.com (Jason Opperisano) Date: Tue Jul 12 14:17:53 2005 Subject: dnatting In-Reply-To: <20050712073407.GA30567@tranquility.scriptkitchen.com> References: <57F9959B46E0FA4D8BA88AEDFBE58290742C@pxtbenexd01.pxt.primeexalia.com> <20050712073407.GA30567@tranquility.scriptkitchen.com> Message-ID: <20050712115918.GA19792@bender.817west.com>

On Tue, Jul 12, 2005 at 03:34:07AM -0400, Payal Rathod wrote:
> Thanks this solved it. Thanks again.
> Now I am curious why Jason didn't suggest this.

no need for curiosity--re-read the last sentence of my post.

-j

-- 
"Peter: At least they don't put their feminine ointments next to the
  mustard, Lois. That was the worst hot dog I ever ate."
        --Family Guy

From jengelh at linux01.gwdg.de Tue Jul 12 14:48:12 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jul 12 15:03:57 2005 Subject: mport or multiport? In-Reply-To: <1121165249.5328.34.camel@anduril.intranet.cartel-securite.net> References: <3115d56e05071203266e32e178@mail.gmail.com> <1121165249.5328.34.camel@anduril.intranet.cartel-securite.net> Message-ID:

> --ports port[,port[,port...]]
> Match if the both the source and destination ports are
> equal to each other and to one of the given ports.

There are few daemons which bind to the port number they are listening on. BIND could be configured to use a fixed port (e.g. 53) as the source port, and thus would be a possible use for --ports, because most destination ports for dns are 53, _too_.

From payal-netfilter at scriptkitchen.com Tue Jul 12 14:50:01 2005
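To make the three mport options concrete, here is an added Python model (not iptables' or patch-o-matic's own code) that applies the semantics from the man page excerpt Cedric quoted, including ranges like 20:23 and Jan's 53-to-53 case for --ports, to a few constructed packets. Packet names and port numbers are my own sample data; the 15-port limit from the man page is not enforced here.

```python
# Constructed sample packets (not from the thread): (name, source port, destination port).
SAMPLE_PACKETS = [
    {"name": "client to web",   "sport": 40000, "dport": 80},
    {"name": "sshd reply",      "sport": 22,    "dport": 40000},
    {"name": "dns 53->53",      "sport": 53,    "dport": 53},
    {"name": "resolver query",  "sport": 40000, "dport": 53},
]


def parse_ports(spec):
    """Turn '20:23,80' into [(20, 23), (80, 80)]; a bare port is a range of one."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if ":" in part:
            lo, hi = (int(x) for x in part.split(":", 1))
        else:
            lo = hi = int(part)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((lo, hi))
    return ranges


def in_set(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def mport_match(pkt, option, spec):
    """Apply one mport option to a packet exactly as the man page describes it."""
    ranges = parse_ports(spec)
    if option in ("--source-ports", "--sports"):
        return in_set(pkt["sport"], ranges)
    if option in ("--destination-ports", "--dports"):
        return in_set(pkt["dport"], ranges)
    if option == "--ports":
        # Both ports must be equal to each other AND be in the set: only symmetric
        # traffic such as a DNS server talking 53->53 qualifies.
        return pkt["sport"] == pkt["dport"] and in_set(pkt["sport"], ranges)
    raise ValueError(f"unknown mport option {option}")


def matching(option, spec):
    """Names of the sample packets a rule with this option/spec would match."""
    return [p["name"] for p in SAMPLE_PACKETS if mport_match(p, option, spec)]


if __name__ == "__main__":
    for option in ("--sports", "--dports", "--ports"):
        print(option, "20:23,80 ->", matching(option, "20:23,80"))
    print("--ports 53 ->", matching("--ports", "53"))
```

The point the model makes is the one afshin's rule misses: `--ports 20:23,80` on INPUT drops almost nothing, because an inbound client connection to port 80 has an ephemeral source port. `--dports` is what blocks inbound connections to those services.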
From: payal-netfilter at scriptkitchen.com (Payal Rathod) Date: Tue Jul 12 15:05:45 2005 Subject: dnatting In-Reply-To: <20050712115918.GA19792@bender.817west.com> References: <57F9959B46E0FA4D8BA88AEDFBE58290742C@pxtbenexd01.pxt.primeexalia.com> <20050712073407.GA30567@tranquility.scriptkitchen.com> <20050712115918.GA19792@bender.817west.com> Message-ID: <20050712125001.GA2921@tranquility.scriptkitchen.com>

On Tue, Jul 12, 2005 at 07:59:18AM -0400, Jason Opperisano wrote:
> On Tue, Jul 12, 2005 at 03:34:07AM -0400, Payal Rathod wrote:
> > Thanks this solved it. Thanks again.
> > Now I am curious why Jason didn't suggest this.
>
> no need for curiosity--re-read the last sentence of my post.

I had already done that and was wondering why the solution posted is not agreed upon by. Why do you call it half-baked?
Payal

> -j
>
> --
> "Peter: At least they don't put their feminine ointments next to the
> mustard, Lois. That was the worst hot dog I ever ate."
> --Family Guy

From gary at primeexalia.com Tue Jul 12 16:05:32 2005
From: gary at primeexalia.com (Gary W. Smith) Date: Tue Jul 12 16:21:17 2005 Subject: dnatting Message-ID: <57F9959B46E0FA4D8BA88AEDFBE58290742D@pxtbenexd01.pxt.primeexalia.com>

Not sure. Multiple people keep telling me this isn't necessary but I found that if I don't use these entries then accesses from other local machines on the same network become unreliable. Adding the extra line solves that problem.

> -----Original Message-----
From nolivier at alphalink.fr Tue Jul 12 18:20:25 2005
From: nolivier at alphalink.fr (Nicolas Olivier) Date: Tue Jul 12 18:36:12 2005 Subject: ip_conntrack_ftp trouble with active connection Message-ID: <42D3EDC9.1060201@alphalink.fr>

Hi,

I previously posted a message related to this trouble, but I think the architecture was kind of weird, and so I tried to simplify it.

So I've got a machine with two interfaces.
- eth0: 10.10.50.1 network 10.10.50.0/24
- eth1: 10.0.44.99 network 10.0.44.0/24
- the default gateway for this machine is 10.0.44.1

An OpenVPN daemon is running on this machine, and the only peer connected for the moment arrives with the IP 172.16.0.1. All the traffic from this peer is routed via the gateway 10.10.50.4 (routes are isolated via: "ip rule add from 172.16.0.1 lookup table 1" and "ip route add default via 10.10.50.4 table 1"). The machine 10.10.50.4 does its own stuff, and then sends back some traffic masqueraded. Finally, the traffic is sent to the default gateway 10.0.44.1.

The problem is for ftp connections from the OpenVPN peer:
- with passive ftp connections: works like a charm
- with active ftp connections: the first attempt fails, but entries are created in ip_conntrack table and on the second attempt the connection succeeds

Here is the output for an active ftp connection:

First attempt:
tcp 6 117 TIME_WAIT src=10.10.50.4 dst=192.168.0.1 sport=37241 dport=21 src=192.168.0.1 dst=10.0.44.99 sport=21 dport=37241 [ASSURED] use=1 mark=0
tcp 6 117 TIME_WAIT src=172.16.0.1 dst=192.168.0.1 sport=37241 dport=21 src=192.168.0.1 dst=172.16.0.1 sport=21 dport=37241 [ASSURED] use=1 mark=0

EXPECTING:
- use=1 proto=6 src=192.168.0.1 dst=172.16.0.1 sport=0 dport=37242

The ftp client (lftp) waits 30s and tries a second attempt, which succeeds:
tcp 6 87 TIME_WAIT src=10.10.50.4 dst=192.168.0.1 sport=37241 dport=21 src=192.168.0.1 dst=10.0.44.99 sport=21 dport=37241 [ASSURED] use=1 mark=0
tcp 6 431997 ESTABLISHED src=10.10.50.4 dst=192.168.0.1 sport=37243 dport=21 src=192.168.0.1 dst=10.0.44.99 sport=21 dport=37243 [ASSURED] use=2 mark=0
tcp 6 117 TIME_WAIT src=172.16.0.1 dst=192.168.0.1 sport=37244 dport=32803 src=192.168.0.1 dst=172.16.0.1 sport=32803 dport=37244 [ASSURED] use=1 mark=0
tcp 6 431997 ESTABLISHED src=172.16.0.1 dst=192.168.0.1 sport=37243 dport=21 src=192.168.0.1 dst=172.16.0.1 sport=21 dport=37243 [ASSURED] use=2 mark=0
tcp 6 117 TIME_WAIT src=10.10.50.4 dst=192.168.0.1 sport=37244 dport=32803 src=192.168.0.1 dst=10.0.44.99 sport=32803 dport=37244 [ASSURED] use=1 mark=0
tcp 6 87 TIME_WAIT src=172.16.0.1 dst=192.168.0.1 sport=37241 dport=21 src=192.168.0.1 dst=172.16.0.1 sport=21 dport=37241 [ASSURED] use=1 mark=0

EXPECTING:
- use=1 proto=6 src=192.168.0.1 dst=172.16.0.1 sport=0 dport=37242

If anyone has an advice, it would be greatly appreciated.

Sincerely,
Nicolas Olivier

From Netfilter at SCampbell.net Tue Jul 12 23:03:12 2005
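Reading a /proc/net/ip_conntrack dump like Nicolas's is easier once the two tuples on each line are separated: the first src/dst/sport/dport group is the original direction, the second is the reply direction, and any difference between them is NAT. The added Python below (my own reading aid, not netfilter code, and not a diagnosis of the thread's problem) parses the two control-connection entries and the EXPECTING line from the first attempt above, classifies each entry as SNAT, DNAT or untranslated, and lists which client addresses the ftp server at 192.168.0.1 actually sees.

```python
# Sample input: the two control-connection entries and the expectation from the
# "First attempt" dump quoted above.
CONNTRACK_LINES = [
    "tcp 6 117 TIME_WAIT src=10.10.50.4 dst=192.168.0.1 sport=37241 dport=21 "
    "src=192.168.0.1 dst=10.0.44.99 sport=21 dport=37241 [ASSURED] use=1 mark=0",
    "tcp 6 117 TIME_WAIT src=172.16.0.1 dst=192.168.0.1 sport=37241 dport=21 "
    "src=192.168.0.1 dst=172.16.0.1 sport=21 dport=37241 [ASSURED] use=1 mark=0",
]
EXPECT_LINE = "- use=1 proto=6 src=192.168.0.1 dst=172.16.0.1 sport=0 dport=37242"

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack_line(line):
    """Split one ip_conntrack line into original and reply tuples plus the trailing fields."""
    parts = line.split()
    entry = {"proto": parts[0], "timeout": int(parts[2]), "state": None,
             "orig": {}, "reply": {}, "flags": []}
    rest = parts[3:]
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)  # tcp lines carry a state column; udp lines do not
    for tok in rest:
        if tok.startswith("["):
            entry["flags"].append(tok.strip("[]"))
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key in TUPLE_KEYS:
                # First src/dst/sport/dport group = original direction, second = reply direction.
                side = entry["orig"] if key not in entry["orig"] else entry["reply"]
                side[key] = value
            else:
                entry[key] = value  # use=, mark=, ...
    return entry


def nat_kind(entry):
    """A reply tuple that does not simply mirror the original tuple means NAT happened."""
    o, r = entry["orig"], entry["reply"]
    kinds = []
    if (r["dst"], r["dport"]) != (o["src"], o["sport"]):
        kinds.append("SNAT")  # source rewritten on the way out (SNAT/MASQUERADE)
    if (r["src"], r["sport"]) != (o["dst"], o["dport"]):
        kinds.append("DNAT")  # destination rewritten on the way in
    return "+".join(kinds) or "none"


def parse_expectation(line):
    """An EXPECTING line names the related (data) connection the ftp helper will accept."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def peer_addresses_seen_by_server(entries, server):
    """Client addresses the server talks to, taken from the reply tuples of its control connections."""
    return sorted({e["reply"]["dst"] for e in entries if e["orig"]["dst"] == server})


if __name__ == "__main__":
    entries = [parse_conntrack_line(l) for l in CONNTRACK_LINES]
    for e in entries:
        print(e["state"], e["orig"]["src"], "->", e["orig"]["dst"], "NAT:", nat_kind(e))
    print("expectation dst:", parse_expectation(EXPECT_LINE)["dst"])
    print("server sees clients as:", peer_addresses_seen_by_server(entries, "192.168.0.1"))
```

Run on the dump, the entry originating from 10.10.50.4 is marked SNAT (its reply tuple points at 10.0.44.99, the masqueraded eth1 address), the entry from 172.16.0.1 is untranslated, and the expectation is keyed on 172.16.0.1:37242, the pre-NAT address, which is a useful thing to see side by side when asking why a data connection from the server never matches it.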
From: Netfilter at SCampbell.net (Steven M Campbell) Date: Tue Jul 12 23:19:00 2005 Subject: dnatting In-Reply-To: <20050712125001.GA2921@tranquility.scriptkitchen.com> References: <57F9959B46E0FA4D8BA88AEDFBE58290742C@pxtbenexd01.pxt.primeexalia.com> <20050712073407.GA30567@tranquility.scriptkitchen.com> <20050712115918.GA19792@bender.817west.com> <20050712125001.GA2921@tranquility.scriptkitchen.com> Message-ID: <42D43010.3050406@SCampbell.net>

Payal Rathod wrote:
>On Tue, Jul 12, 2005 at 07:59:18AM -0400, Jason Opperisano wrote:
>>On Tue, Jul 12, 2005 at 03:34:07AM -0400, Payal Rathod wrote:
>>>Thanks this solved it. Thanks again.
>>>Now I am curious why Jason didn't suggest this.
>>
>>no need for curiosity--re-read the last sentence of my post.
>
>I had already done that and was wondering why the solution posted is
>not agreed upon by. Why do you call it half-baked?
>Payal

I'll jump in :)

What we have done here is natted the connections in both directions. If you could imagine walking from your living room to your bedroom by going out the garage and coming back in the front door first you start to feel the silliness of this datapath. Here's a few issues this technique raises:

* Increased utilization of the firewall
The firewall has to handle all the traffic which would normally just be switched internally, this makes the connection slower for the user and may impact other users as it uses resources on the firewall. This is also true of the network path in general, for instance: Say you put a gigabit card into the server, if your firewall only has a 100mb card then your server really cannot use the GB card to any capacity, in fact it is limited to whatever bandwidth is left on the firewall interface. You spend good money on switches and network design, utilize them.

* Dependency on the firewall to reach local traffic
Turn off your firewall and your users can't reach this server! Maintenance becomes an issue.
* Masquerading of the source computer
If you have a problem with a user it will be more fun tracking it because the source IP address will now always appear to be the firewall and, if this is after the fact, the connection may be long gone from the connection table leaving you unable to trace the problem. Also, you can't use any IP-based permissions on the server as, again, everyone will appear to be from the firewall.

* Increased firewall rule complexity
Every time another server is added in this fashion you need to maintain firewall rules, add lots of servers and it becomes real messy really fast. One of the keys to having a secure firewall is having clean rules, the more cruft that gets in there the more likely a mistake will be made creating a hole in your firewall system.

So, having put a few of these negatives forth allow me to suggest an alternative. Split DNS, with split dns you will create a name, for example theserver.myplace.com and have a split view of it, that is, folks on the inside will get the inside address and folks on the outside will get the outside address. No special routing is then required and you can use the server internally without any of the above issues. I totally agree with Jason in suggesting that you investigate your name server rather than doing this bi-directional NAT.

From gary at primeexalia.com Wed Jul 13 01:19:59 2005
From: gary at primeexalia.com (Gary W. Smith) Date: Wed Jul 13 01:35:46 2005 Subject: dnatting Message-ID: <57F9959B46E0FA4D8BA88AEDFBE58290742E@pxtbenexd01.pxt.primeexalia.com>

I agree with everything that has been said BUT I must also interject. A lot of small businesses and many home users who get one or two IP's usually don't have a second DNS floating around. For larger organizations I would definitely use the split DNS. We do that at a couple locations when we can. As for this case, I think it's completely acceptable. Since this does indeed work I think it should be documented as a viable solution (which I think is in the fine print on one of the docs that I read before).

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Steven M Campbell
> Sent: Tuesday, July 12, 2005 2:03 PM
> To: Netfilter ML
> Subject: Re: dnatting
>
> So, having put a few of these negative forth allow me to suggest an
> alternative. Split DNS, with split dns you will create a name, for
> example theserver.myplace.com and have a split view of it, that is,
> folks on the inside will get the inside address and folks on the outside
> will get the outside address. No special routing is then required and
> you can use the server internally without any of the above issues. I
> totally agree with Jason in suggesting that you investigate your name
> server rather than doing this bi-directional NAT.

From fajarpri at arinet.org Wed Jul 13 04:52:46 2005
From: fajarpri at arinet.org (Fajar Priyanto) Date: Wed Jul 13 05:08:52 2005 Subject: rules for skype In-Reply-To: <1115106657.14622.62.camel@jasiiitosh.nexusmgmt.com> References: <20050502150901.DAEF39E9F4@dd6816.kasserver.com> <002401c54fb0$33cdc950$2604a8c0@ndchunk> <1115106657.14622.62.camel@jasiiitosh.nexusmgmt.com> Message-ID: <200507130952.46615.fajarpri@arinet.org>

On Tuesday 03 May 2005 14:50, John A. Sullivan III wrote:
> On Tue, 2005-05-03 at 15:17 +0800, Victor Yeo wrote:
> > > - Use *tc* to choke the skype traffic. I have a list of apps to allow
> > > through the network. The rest go into a default pipe of 2 Kbps. This
> > > deteriorates the performance of the application. I think text chatting

I've blocked tcp 443, but it seems that skype can go through tcp 80?
http://www.skype.com/help/guides/firewall.html
This is really annoying and unethical, don't you think?

-- 
Fajar Priyanto | Reg'd Linux User #327841 | http://linux2.arinet.org
Ubuntu Hoary 5.0.4
public key: https://www.arinet.org/fajar-pub.key

From donaldm314 at gmail.com Wed Jul 13 05:21:43 2005
From: donaldm314 at gmail.com (Donald Murray) Date: Wed Jul 13 05:37:29 2005 Subject: dnatting In-Reply-To: <20050711184520.GA17202@bender.817west.com> References: <20050711151830.GA26670@tranquility.scriptkitchen.com> <20050711184520.GA17202@bender.817west.com> Message-ID: <12984bb0050712202131980c46@mail.gmail.com>

On 7/11/05, Jason Opperisano wrote:
> On Mon, Jul 11, 2005 at 11:18:30AM -0400, Payal Rathod wrote:
> > Hi,
> > I have a rule on my friend's broadband connection to redirect traffic
> > from outside to an internal machine like,
> >
> > iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \
> > --to-destination 192.168.10.10:80
> >
> > But she complained that people from inside the network cannot do
> > http://1.2.3.4 in their browser and see the site. Is she correct?
> > What is wrong with my rule because I can see the site from outside?
>
> 1) client; say 192.168.10.100, sends TCP SYN to 1.2.3.4
>
> 2) iptables machine receives packet destined for 1.2.3.4, DNAT's it to
> 192.168.10.10 and forwards the packet out the internal interface
>
> 3) 192.168.10.10 receives TCP SYN from 192.168.10.100 and replies
> directly to 192.168.10.100 with a SYN/ACK
>
> 4) client; 192.168.10.100, receives SYN/ACK from 192.168.10.10 and
> discards it, as it matches no connection in the SYN_SENT state
> (recall that our SYN was sent to 1.2.3.4).
>
> that the why. the proper way to avoid this is to have people on the
> inside connect to 192.168.10.10. i will leave all the half-assed
> work-arounds and kludges as an exercise for the reader and other
> posters.
>
> -j
>
> --
> "Peter: This party couldn't be better if Jesus was here.
> Jesus: For my next miracle, I will turn water... into FUNK."
> --Family Guy

Because the destination server is on the same subnet, users on the inside could indeed connect directly to that machine. Alternatively this could be handled via DNS.

However, if the destination server is inside a DMZ, the firewall needs to DNAT in PREROUTING and SNAT in POSTROUTING. The DNAT gets traffic to the DMZ, the SNAT allows it back. Something like:

iptables --table nat -A PREROUTING -p tcp -i $LAN_INTERFACE --dport http \
    -d $INTERNET_IP -j DNAT --to-destination $DMZ_HTTP_IP
iptables --table nat -A POSTROUTING -d $DMZ_HTTP_IP -s $LAN_IP_RANGE \
    -p tcp --dport http -j SNAT --to-source $LAN_IP

From brainbugnj at yahoo.com Wed Jul 13 05:35:50 2005
From: brainbugnj at yahoo.com (Steve Turner) Date: Wed Jul 13 05:51:30 2005 Subject: DNAT and TCP RST Message-ID: Here are my issues: I want to be able to take a request from the internet thru the linksys router which has 192.168.1.161 setup as its DMZ. Then from 192.168.1.161:8000 use DNAT to send over to 192.168.1.172:80. As a test I have a 3rd internal machine so we can rule out the linksys - 192.168.1.163; all tests conducted behind linksys.
Chart:
                 Internet
                    |
        Linksys DMZ defined 192.168.1.161
        |               |               |
  |192.168.1.161| |192.168.1.172| |192.168.1.163|
All machines default gateway set 192.168.1.1. All static IPs. 192.168.1.161, 172 - RH9 with kernel 2.4. 192.168.1.163 - Mac OSX. 192.168.1.161 has the below PREROUTING line:
/sbin/iptables -t nat -A PREROUTING -p tcp -d 192.168.1.161 --dport 81 -j DNAT --to 192.168.1.172:81
192.168.1.161 TCPDUMP shows:
20:29:31.597999 192.168.1.163.56063 > 192.168.1.161.8000: S 1238979630:1238979630(0) win 65535 (DF) [tos 0x10]
20:29:31.598485 192.168.1.163.56063 > 192.168.1.172.81: S 1238979630:1238979630(0) win 65535 (DF) [tos 0x10]
So the request is being mangled by 192.168.1.161 as requested.
192.168.1.172 TCPDUMP shows:
20:30:23.713734 192.168.1.163.56179 > 192.168.1.172.81: S 2663332042:2663332042(0) win 65535 (DF) [tos 0x10]
20:30:23.713784 192.168.1.172.81 > 192.168.1.163.56179: S 3973936785:3973936785(0) ack 2663332043 win 5792 (DF)
20:30:23.716981 192.168.1.163.56179 > 192.168.1.172.81: R 2663332043:2663332043(0) win 0 (DF)
It appears that the request is arriving - 192.168.1.172 is responding (SYN/ACK) then origin 192.168.1.163 is sending back a RST. From opie at 817west.com Wed Jul 13 06:48:48 2005 
From: opie at 817west.com (Jason Opperisano) Date: Wed Jul 13 07:07:28 2005 Subject: dnatting In-Reply-To: <12984bb0050712202131980c46@mail.gmail.com> References: <20050711151830.GA26670@tranquility.scriptkitchen.com> <20050711184520.GA17202@bender.817west.com> <12984bb0050712202131980c46@mail.gmail.com> Message-ID: <20050713044848.GA22255@bender.817west.com> On Tue, Jul 12, 2005 at 09:21:43PM -0600, Donald Murray wrote: > Because the destination server is on the same subnet, users on the inside > could indeed connect directly to that machine. Alternatively this could be > handled via DNS. > > > However, if the destination server is inside a DMZ, the firewall needs > to DNAT in > PREROUTING and SNAT in POSTROUTING. The DNAT gets traffic to > the DMZ, the SNAT allows it back. Something like: no--it doesn't. if by "the destination server is inside a DMZ" you mean the web server is on a different layer3 subnet than the client, routed through the firewall. you are applying the half-assed SNAT solution where it's not even needed. this is worse than the SNAT for the OP's scenario; at least there the SNAT serves to create some semblance of functionality. NAT is the duct tape of networking; if you can route, route. -j -- "Peter: I'm going to microwave a bagel and have sex with it. Quagmire: Butter's in the fridge." --Family Guy From opie at 817west.com Wed Jul 13 06:54:33 2005 
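The failure Jason walks through in steps 1 to 4 above, and the two remedies argued over in this thread (Donald's extra SNAT in POSTROUTING versus Jason's "if you can route, route", i.e. handing internal clients the internal address through split DNS), as an added Python model that is not code from the list. 1.2.3.4, 192.168.10.10 and 192.168.10.100 are the thread's own addresses; the firewall's LAN address 192.168.10.1, the /24 prefix and the client port 40000 are assumptions. The model tracks only what the argument needs: the 4-tuple the client's SYN_SENT socket will accept, and whether a packet crosses the firewall at all.

```python
"""Why a lone DNAT rule fails for a client on the server's own subnet,
and what the two remedies from the thread change. Added example, not code
from the list. 1.2.3.4, 192.168.10.10 and 192.168.10.100 are the thread's;
the firewall LAN address 192.168.10.1 and client port 40000 are assumed."""
from dataclasses import dataclass

INTERNET_IP = "1.2.3.4"       # public address the DNAT rule matches on
SERVER = "192.168.10.10"      # internal web server (DNAT target)
CLIENT = "192.168.10.100"     # internal client on the same /24 as the server
FW_LAN = "192.168.10.1"       # assumed: firewall's inside address, the LAN default gateway
LAN_PREFIX = "192.168.10."    # assumed: the /24 shared by client and server
CLIENT_PORT = 40000           # assumed ephemeral source port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Firewall:
    """nat table: PREROUTING DNAT of INTERNET_IP:80 to SERVER:80 and, optionally,
    POSTROUTING SNAT of LAN clients to FW_LAN (Donald's second rule)."""

    def __init__(self, snat_lan_clients: bool):
        self.snat_lan_clients = snat_lan_clients
        self.conntrack = {}   # expected reply tuple -> (original dst, original src)

    def route(self, pkt: Packet) -> Packet:
        if pkt.dst == INTERNET_IP and pkt.dport == 80 and pkt.syn and not pkt.ack:
            dst = SERVER                                                            # DNAT
            src = FW_LAN if self.snat_lan_clients and on_lan(pkt.src) else pkt.src  # SNAT
            # conntrack remembers the reply direction so both translations can be undone
            self.conntrack[(dst, pkt.dport, src, pkt.sport)] = (pkt.dst, pkt.src)
            return Packet(src, pkt.sport, dst, pkt.dport, pkt.syn, pkt.ack)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:                                                   # reply: un-NAT
            orig_dst, orig_src = self.conntrack[key]
            return Packet(orig_dst, pkt.sport, orig_src, pkt.dport, pkt.syn, pkt.ack)
        return pkt


def send(pkt: Packet, fw: Firewall) -> Packet:
    """Deliver one packet. Hosts on the shared subnet reach each other directly,
    so the firewall never sees the packet; anything else goes to the gateway."""
    if on_lan(pkt.dst) and pkt.dst != FW_LAN:
        return pkt
    return fw.route(pkt)


def attempt(target: str, fw: Firewall):
    """Client opens TCP to target:80. Returns (outcome, source address the server saw)."""
    syn = Packet(CLIENT, CLIENT_PORT, target, 80, syn=True, ack=False)
    at_server = send(syn, fw)
    # The server answers whatever source address the SYN carried (step 3).
    synack = Packet(SERVER, 80, at_server.src, at_server.sport, syn=True, ack=True)
    at_client = send(synack, fw)
    # Step 4: the SYN_SENT socket only matches the exact 4-tuple it used.
    expected = (target, 80, CLIENT, CLIENT_PORT)
    got = (at_client.src, at_client.sport, at_client.dst, at_client.dport)
    return ("ESTABLISHED" if got == expected else "DISCARDED"), at_server.src


def resolve(client_ip: str, split_dns: bool) -> str:
    """Split DNS: LAN clients get the inside answer, everyone else the public one."""
    return SERVER if split_dns and on_lan(client_ip) else INTERNET_IP


if __name__ == "__main__":
    print("DNAT only  :", attempt(INTERNET_IP, Firewall(snat_lan_clients=False)))
    print("DNAT + SNAT:", attempt(INTERNET_IP, Firewall(snat_lan_clients=True)))
    print("split DNS  :", attempt(resolve(CLIENT, True), Firewall(snat_lan_clients=False)))
```

The second value returned by attempt is the point Steven and Jason keep making against the SNAT kludge: once LAN clients are SNATed to the firewall's address, the web server's logs and access controls see every internal user as 192.168.10.1, whereas the split-DNS path keeps the real client address and never touches the nat table.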
From: opie at 817west.com (Jason Opperisano) Date: Wed Jul 13 07:13:09 2005 Subject: DNAT and TCP RST In-Reply-To: <20050713033311.F099D885@mail.817west.com> References: <20050713033311.F099D885@mail.817west.com> Message-ID: <20050713045433.GA22311@bender.817west.com> On Tue, Jul 12, 2005 at 08:35:50PM -0700, Steve Turner wrote: > Here is my issues: <-- snip the whole damn post --> please read the "dnatting" thread from monday, 7/11 through today. i admit that sometimes expecting people to search the archives before posting a question might be too much to ask, but this is ridiculous. i am in hell. -j -- "Peter: No, no, no. It's "step right, step LEFT." Are you TRYING to piss off the volcano?" --Family Guy From Chandra.Vempali at infineon.com Wed Jul 13 11:05:28 2005 
From: Chandra.Vempali at infineon.com (Chandra.Vempali@infineon.com) Date: Wed Jul 13 11:22:14 2005 Subject: Ip_conntrack_ftp with PASSIVE FTP does not work Message-ID: <04EE7AD0450F7B498BA216312943A1A102937F25@blrse201.ap.infineon.com> Hi all, For me, ip_conntrack_ftp does not work for PASSIVE ftp. In the firewall rules, I blocked everything and put the following rules, iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT And when I try to ftp, the control channel goes through the firewall, but the data channel fails to pass through. Is there anything else I should add to the firewall rules to allow ftp data through the firewall? Any help will be highly appreciated. Regards, Chandra From mingching.tiew at redtone.com Wed Jul 13 11:36:53 2005 
From: mingching.tiew at redtone.com (Ming-Ching Tiew) Date: Wed Jul 13 11:55:44 2005 Subject: h323 over nat firewall - queries Message-ID: <054501c5878e$676f7270$1280a8c0@newlife> I have a case where I have H323 VoIP equipment located behind a Linux nat-box running ip_h323_nat and ip_conntrack_h323. We have various combinations of traffic and some of them are deemed successful and with some of them I experience some weird problems such as not being able to hear the voice and/or choppy voice. Upon troubleshooting and narrowing down the problem, I suspect that the modules might have some limitation and so I am posting here to see if anyone can enlighten me on this subject. I remember certain conntrack modules only allow one client to be behind nat, so I am asking :- If I have one H323 VoIP equipment going to multiple H323 counterparts on the internet at the same time, via the Linux nat conntrack module, is it going to work correctly? ie I have one source private IP, but going to multiple destination public IPs via the H323 conntrack module, is this a supported configuration? How about the case where I have multiple source (private) IPs going to multiple destination public IPs, is it able to work? Appreciate your input. From harmuth at mnemon.de Wed Jul 13 11:38:36 2005 
From: harmuth at mnemon.de (Jörg Harmuth) Date: Wed Jul 13 11:56:18 2005 Subject: Ip_conntrack_ftp with PASSIVE FTP does not work In-Reply-To: <04EE7AD0450F7B498BA216312943A1A102937F25@blrse201.ap.infineon.com> References: <04EE7AD0450F7B498BA216312943A1A102937F25@blrse201.ap.infineon.com> Message-ID: <42D4E11C.2080100@mnemon.de> Chandra.Vempali@infineon.com wrote: > Hi all, > > For me, ip_conntrack_ftp does not work for PASSIVE ftp. > > In the firewall rules, I blocked everything and put the following rules, > iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j > ACCEPT > iptables -A OUTPUT -p tcp --dport 21 -m state --state > NEW,ESTABLISHED,RELATED -j ACCEPT > And when I try to ftp, the control channel goes through the firewall, but > the data channel fails to pass through. So, your firewall connects to the FTP server, why not. First of all make sure that ip_conntrack_ftp is compiled into the kernel or as a module. If compiled as a module, make sure it is loaded. As your firewall connects to the FTP server and your OUTPUT policy seems to be DROP or REJECT, you need rules like these: iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --dport 21 --syn -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT Hmm, many people, including myself, think that filtering in OUTPUT is pointless. More troublesome than useful. If you decide to set OUTPUT policy to ACCEPT, you don't need the first two rules. Up to you. Have a nice time, Joerg From Chandra.Vempali at infineon.com Wed Jul 13 12:00:37 2005 
From: Chandra.Vempali at infineon.com (Chandra.Vempali@infineon.com) Date: Wed Jul 13 12:18:34 2005 Subject: Ip_conntrack_ftp with PASSIVE FTP does not work Message-ID: <04EE7AD0450F7B498BA216312943A1A102937F40@blrse201.ap.infineon.com> Hi Thanks for your reply. My ip_conntrack_ftp module gets loaded properly. If I keep a rule like "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" it means that traffic is allowed to pass through for all ports, which should not be done for security reasons. As for passive FTP, I added two rules to allow traffic through only port 21. iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT So, control messages go through the firewall successfully. But for the data, now both server and client work on random ports. The ip_conntrack_ftp module should read this PASSIVE port from the FTP message and then it should create an expectation. In my case, it is creating an expectation too. But when data starts flowing, the firewall does not allow it even though it is an expectation. Any help will be highly appreciated ... Chandra P.S : I guess there is some patch for this problem. Can anybody please point me to such a patch and how to get it -----Original Message----- 
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jörg Harmuth Sent: Wednesday, July 13, 2005 3:09 PM To: netfilter@lists.netfilter.org Subject: Re: Ip_conntrack_ftp with PASSIVE FTP does not work Chandra.Vempali@infineon.com wrote: > Hi all, > > For me, ip_conntrack_ftp does not work for PASSIVE ftp. > > In the firewall rules, I blocked everything and put the following > rules, iptables -A INPUT -p tcp --sport 21 -m state --state > ESTABLISHED,NEW -j ACCEPT iptables -A OUTPUT -p tcp --dport 21 -m > state --state NEW,ESTABLISHED,RELATED -j ACCEPT > And when I try to ftp, the control channel goes through the firewall, but > the data channel fails to pass through. So, your firewall connects to the FTP server, why not. First of all make sure that ip_conntrack_ftp is compiled into the kernel or as a module. If compiled as a module, make sure it is loaded. As your firewall connects to the FTP server and your OUTPUT policy seems to be DROP or REJECT, you need rules like these: iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --dport 21 --syn -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT Hmm, many people, including myself, think that filtering in OUTPUT is pointless. More troublesome than useful. If you decide to set OUTPUT policy to ACCEPT, you don't need the first two rules. Up to you. Have a nice time, Joerg From jengelh at linux01.gwdg.de Wed Jul 13 12:14:51 2005 
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed Jul 13 12:30:41 2005 Subject: Ip_conntrack_ftp with PASSIVE FTP does not work In-Reply-To: <42D4E11C.2080100@mnemon.de> References: <04EE7AD0450F7B498BA216312943A1A102937F25@blrse201.ap.infineon.com> <42D4E11C.2080100@mnemon.de> Message-ID: >> iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j >> ACCEPT >> iptables -A OUTPUT -p tcp --dport 21 -m state --state >> NEW,ESTABLISHED,RELATED -j ACCEPT If using passive ftp, the host you are connecting to does not necessarily send from port 21. >Hmm, many people, including myself, think that filtering in OUTPUT is >pointless. More troublesome than useful. If you decide to set OUTPUT >policy to ACCEPT, you don't need the first two rules. Up to you. Not at all. Because certain things can not happen in certain environments, e.g. I read/write mail by logging into a mail server via SSH / no sendmail running, I can exclude certain things. In netfilter parlance: -P OUTPUT ACCEPT (same for FORWARD, btw) -A OUTPUT -j REJECT -p tcp --dport 25 This stops users that also have access to my machine from spamming smtp servers, should they find an open one. Jan Engelhardt -- From jengelh at linux01.gwdg.de Wed Jul 13 12:39:46 2005 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed Jul 13 12:55:38 2005 Subject: dnatting In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290742E@pxtbenexd01.pxt.primeexalia.com> References: <57F9959B46E0FA4D8BA88AEDFBE58290742E@pxtbenexd01.pxt.primeexalia.com> Message-ID: >I agree with everything that has been said BUT I must also interject. A >lot of small business and many home users who get one or two IP's usually >don't have a second DNS floating around. It is required to have two [external] DNS servers. Jan Engelhardt -- | Alphagate Systems, http://alphagate.hopto.org/ From lopsch at lopsch.com Wed Jul 13 12:53:56 2005 
From: lopsch at lopsch.com (Daniel Lopes) Date: Wed Jul 13 13:03:55 2005 Subject: rules for skype In-Reply-To: <200507130952.46615.fajarpri@arinet.org> References: <20050502150901.DAEF39E9F4@dd6816.kasserver.com> <002401c54fb0$33cdc950$2604a8c0@ndchunk> <1115106657.14622.62.camel@jasiiitosh.nexusmgmt.com> <200507130952.46615.fajarpri@arinet.org> Message-ID: <42D4F2C4.9020706@lopsch.com> Fajar Priyanto wrote: > On Tuesday 03 May 2005 14:50, John A. Sullivan III wrote: > >>On Tue, 2005-05-03 at 15:17 +0800, Victor Yeo wrote: >> >>>>- Use *tc* to choke the skype traffic. I have a list of apps to allow >>>>through the network. The rest go into a default pipe of 2 Kbps. This >>>>deteriorates the performance of the application. I think text chatting > > > I've blocked tcp 443, but it seems that skype can go through tcp 80? > http://www.skype.com/help/guides/firewall.html > > This is really annoying and unethical, don't you think? You can send all port 80 traffic through a proxy like Squid; this should prevent Skype from getting through port 80. From liyasmm at gmail.com Wed Jul 13 12:52:36 2005 From: liyasmm at gmail.com (liyas_m m) Date: Wed Jul 13 13:08:26 2005 Subject: firewall ignore the rule Message-ID: <2452665f0507130352544ab556@mail.gmail.com> I have iptables 1.2.7 installed on my firewall. The problem is when I try to block traffic from a certain address, it just does not work e.g iptables -A INPUT -s 10.5.33.22 -j DROP but when I run iptraf, there is still traffic sent from the source address Any idea why? From liyasmm at gmail.com Wed Jul 13 12:53:07 2005 
From: liyasmm at gmail.com (liyas_m m) Date: Wed Jul 13 13:09:01 2005 Subject: firewall just ignore the rule Message-ID: <2452665f05071303531a55fbf@mail.gmail.com> I have iptables 1.2.7 installed on my firewall. The problem is when I try to block traffic from a certain address, it just does not work e.g iptables -A INPUT -s 10.5.33.22 -j DROP but when I run iptraf, there is still traffic sent from the source address Any idea why? From jengelh at linux01.gwdg.de Wed Jul 13 12:54:19 2005 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed Jul 13 13:10:10 2005 Subject: firewall ignore the rule In-Reply-To: <2452665f0507130352544ab556@mail.gmail.com> References: <2452665f0507130352544ab556@mail.gmail.com> Message-ID: >iptables -A INPUT -s 10.5.33.22 -j DROP Make sure that traffic is not ACCEPTed before. >but when i run iptraf , there are still traffic sent from the source address >Any idea why? Iptraf bypasses netfilter and so sees _all_ packets. Jan Engelhardt -- | Alphagate Systems, http://alphagate.hopto.org/ From blancher at cartel-securite.fr Wed Jul 13 13:08:15 2005 From: blancher at cartel-securite.fr (Cedric Blancher) Date: Wed Jul 13 13:24:15 2005 Subject: firewall ignore the rule In-Reply-To: <2452665f0507130352544ab556@mail.gmail.com> References: <2452665f0507130352544ab556@mail.gmail.com> Message-ID: <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> On Wednesday 13 July 2005 at 18:52 +0800, liyas_m m wrote: > The problem is when i try to block traffic from certain address , it > just does not work > e.g > iptables -A INPUT -s 10.5.33.22 -j DROP If you work on routed traffic, then you have to put this rule on the FORWARD chain : iptables -A FORWARD -s 10.5.33.22 -j DROP -- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread! From harmuth at mnemon.de Wed Jul 13 13:38:48 2005 
From: harmuth at mnemon.de (Jörg Harmuth) Date: Wed Jul 13 13:56:15 2005 Subject: Ip_conntrack_ftp with PASSIVE FTP does not work In-Reply-To: <04EE7AD0450F7B498BA216312943A1A102937F40@blrse201.ap.infineon.com> References: <04EE7AD0450F7B498BA216312943A1A102937F40@blrse201.ap.infineon.com> Message-ID: <42D4FD48.5050100@mnemon.de> Chandra.Vempali@infineon.com wrote: > My ip_conntrack_ftp module gets loaded properly. > > If I keep a rule like "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" > It means that traffic is allowed to pass through for all ports which should not be done for security reasons. No, it means that any packet on any port with any protocol that is in state ESTABLISHED or RELATED is allowed to pass. Not *all* packets. Especially SYN packets (in state NEW) don't hit this rule. So, if you set policy to DROP and allow no NEW packets, no communication can be established at all. On the other hand, if you allow NEW packets to a certain port, of course you also want the ESTABLISHED packets and sometimes the RELATED packets (in case of FTP). So, I don't think this is a security risk. If I'm wrong, somebody correct me, please. > As for passive FTP, I added two rules to allow traffic thru only 21 port. > iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j ACCEPT > iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT As Jan pointed out, when using passive FTP the source port is not necessarily 21 - commonly both sides use high ports. I think the reason is that your rules are "bound" to port 21, where no RELATED connection can be established. Thus the rule doesn't match and you hit the DROP policy. Give iptables -I [IN | OUT]PUT [-p tcp] -m state \ --state RELATED,ESTABLISHED -j ACCEPT a chance for testing. I would bet it works. Have a nice time, Joerg From opie at 817west.com Wed Jul 13 16:40:43 2005 
From: opie at 817west.com (Jason Opperisano) Date: Wed Jul 13 16:59:24 2005 Subject: Ip_conntrack_ftp with PASSIVE FTP does not work In-Reply-To: <04EE7AD0450F7B498BA216312943A1A102937F40@blrse201.ap.infineon.com> References: <04EE7AD0450F7B498BA216312943A1A102937F40@blrse201.ap.infineon.com> Message-ID: <20050713144042.GA23898@bender.817west.com> On Wed, Jul 13, 2005 at 03:30:37PM +0530, Chandra.Vempali@infineon.com wrote: > Hi > Thanks for your reply. > > My ip_conntrack_ftp module gets loaded properly. > > If I keep a rule like "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" > It means that traffic is allowed to pass through for all ports which should not be done for security reasons. that's not what it means at all, but your rules as written make no sense whatsoever, so something's going to have to change. > As for passive FTP, I added two rules to allow traffic thru only 21 port. > iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j ACCEPT the only src port tcp 21 traffic are the replies from the server to the client on the control channel connection. these packets will never be NEW. so let's go with: iptables -A INPUT -p tcp --sport 21 \ -m state --state ESTABLISHED -j ACCEPT > iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT > > So, control messages go through the firewall successfully. dst port 21 traffic will never be related to anything, they will only be NEW or ESTABLISHED: iptables -A OUTPUT -p tcp --dport 21 \ -m state --state NEW,ESTABLISHED -j ACCEPT > But for the data, now both server and client work on random ports. > ip_conntrack_ftp module should read this PASSIVE port from FTP message and then it should create an expectation. it does, and it marks those packets as RELATED, which you have not allowed in your rules, because you do not trust the conntrack mechanism because you are smarter than it. > In my case, it is creating an expectation too. 
But when data starts flowing, the firewall does not allow it > even though it is an expectation. the "proper" solution to this is just to use the conntrack functionality as it was intended: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT but for whatever reason; this is not acceptable to you, so let's HIPPA them up a bit: # allow packets related to FTP connections in iptables -A INPUT -p tcp --dport 1024: -m helper --helper ftp \ -m state --state RELATED -j ACCEPT # allow packets related to FTP connections out iptables -A OUTPUT -p tcp --dport 1024: -m helper --helper ftp \ -m state --state RELATED -j ACCEPT iptables -A OUTPUT -p tcp --dport 20 -m helper --helper ftp \ -m state --state RELATED -j ACCEPT those rules give the appearance of more security. if you think that the conntrack mechanism in netfilter actually works--they offer no security and simply create administrative and computational overhead. HTH... -j -- "Stewie: Baby needs to suck ash. Baby needs to suck ash. Not ass, you pervert. Save it for the interns." --Family Guy From rob0 at gmx.co.uk Wed Jul 13 16:45:50 2005 
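The expectation mechanism Jörg and Jason describe, as an added Python example that is not code from the list: it parses the two control-channel messages ip_conntrack_ftp inspects (the server's 227 reply for passive mode, the client's PORT command for active mode), derives the data connection the helper will expect, marks a data SYN that matches it RELATED, and runs that SYN through three rule sets from this thread: the OP's port-21-bound rules, the plain RELATED,ESTABLISHED rules, and Jason's helper-bound variant. The hosts 10.0.0.5 and 203.0.113.7, the port numbers and the FTP lines are constructed; the rule matcher is a deliberate simplification (chain, state, ports and helper only, DROP policy).

```python
"""FTP helper expectations versus port-21-bound rules. Added example, not
code from the list; hosts, ports and FTP messages are constructed."""
import re

CLIENT = "10.0.0.5"       # constructed: the firewall host acting as FTP client
SERVER = "203.0.113.7"    # constructed: remote FTP server

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 tuple FTP uses; port is p1*256+p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host/port tuple has a field above 255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def expectation(line, client=CLIENT, server=SERVER):
    """The data connection the helper expects after this control line: (src, dst, dport)."""
    m = PASV_RE.match(line)
    if m:                     # passive: the client will connect to the advertised server socket
        ip, port = _hostport(m.groups())
        return (client, ip, port)
    m = PORT_RE.match(line)
    if m:                     # active: the server connects from port 20 to the advertised client socket
        ip, port = _hostport(m.groups())
        return (server, ip, port)
    return None               # any other line creates no expectation


def classify(pkt, exp):
    """Conntrack state of a data-channel SYN: RELATED (via the ftp helper) if it
    matches the expectation, otherwise NEW."""
    if exp and (pkt["src"], pkt["dst"], pkt["dport"]) == exp:
        return "RELATED", "ftp"
    return "NEW", None


def rule(chain, states, sport=None, dport=None, dport_min=None, helper=None):
    return dict(chain=chain, states=set(states), sport=sport, dport=dport,
                dport_min=dport_min, helper=helper)


def verdict(rules, chain, pkt, state, helper):
    """First matching ACCEPT rule wins; otherwise the chain's DROP policy applies."""
    for r in rules:
        if r["chain"] != chain or state not in r["states"]:
            continue
        if r["sport"] is not None and pkt["sport"] != r["sport"]:
            continue
        if r["dport"] is not None and pkt["dport"] != r["dport"]:
            continue
        if r["dport_min"] is not None and pkt["dport"] < r["dport_min"]:   # --dport 1024:
            continue
        if r["helper"] is not None and helper != r["helper"]:             # -m helper --helper ftp
            continue
        return "ACCEPT"
    return "DROP"


# The OP's rules: everything is tied to port 21, so a data channel can never match.
OP_RULES = [
    rule("INPUT", ["ESTABLISHED", "NEW"], sport=21),
    rule("OUTPUT", ["NEW", "ESTABLISHED", "RELATED"], dport=21),
]
# Plain conntrack use, as Joerg and Jason both suggest.
RELATED_RULES = [
    rule("INPUT", ["ESTABLISHED", "RELATED"]),
    rule("OUTPUT", ["ESTABLISHED", "RELATED"]),
]
# Jason's tightened variant: RELATED only through the ftp helper, high ports (or port 20 out).
HELPER_RULES = [
    rule("INPUT", ["ESTABLISHED"], sport=21),
    rule("OUTPUT", ["NEW", "ESTABLISHED"], dport=21),
    rule("INPUT", ["RELATED"], dport_min=1024, helper="ftp"),
    rule("OUTPUT", ["RELATED"], dport_min=1024, helper="ftp"),
    rule("OUTPUT", ["RELATED"], dport=20, helper="ftp"),
]


def data_channel_verdicts(control_line):
    """Run the data SYN implied by control_line through all three rule sets."""
    src, dst, dport = expectation(control_line)
    chain = "INPUT" if src == SERVER else "OUTPUT"   # who opens the data connection
    sport = 20 if src == SERVER else 40001           # active mode: server port 20; else constructed
    pkt = dict(src=src, sport=sport, dst=dst, dport=dport)
    state, helper = classify(pkt, exp=(src, dst, dport))
    return {name: verdict(rs, chain, pkt, state, helper)
            for name, rs in (("op", OP_RULES), ("related", RELATED_RULES), ("helper", HELPER_RULES))}


if __name__ == "__main__":
    print(data_channel_verdicts("227 Entering Passive Mode (203,0,113,7,195,80)."))
    print(data_channel_verdicts("PORT 10,0,0,5,200,10"))
```

The last assertion in the test below is Jörg's point in the reply before this one: a RELATED,ESTABLISHED rule passes nothing the helper or an existing connection has not vouched for, so an unsolicited SYN to a high port still hits the DROP policy.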
From: rob0 at gmx.co.uk (/dev/rob0) Date: Wed Jul 13 17:01:44 2005 Subject: OUTPUT filtering (was: Re: Ip_conntrack_ftp ...) In-Reply-To: References: <04EE7AD0450F7B498BA216312943A1A102937F25@blrse201.ap.infineon.com> <42D4E11C.2080100@mnemon.de> Message-ID: <42D5291E.7090308@gmx.co.uk> Jan Engelhardt wrote: >>Hmm, many people, including myself, think, that filtering in OUTPUT is >>pointless. More troublesome than usefull. If you decide to set OUTPUT >>policy to ACCEPT, you don't need the first two rules. Up to you. > > Not at all. Because certains things can not happen in certain environments, > e.g. I read/write mail by logging into a mail server via SSH / no sendmail > running, I can exclude certain things. In netfilter parlance: > > -P OUTPUT ACCEPT (same for FORWARD, btw) > -A OUTPUT -j REJECT -p tcp --dport 25 > > This stops users that also have access to my machine to not spam smtp servers, > should they find an open one. (Be sure you also restrict access to any sendmail(1)-style mail injection binary in that case, if there's an MTA running.) True, you have illustrated one example of sane OUTPUT filtering. The OP's use of OUTPUT filtering was not in this category. Note that OUTPUT filtering only controls non-root users. A root user can disable or bypass it. If you have local shell users who cannot be trusted, and if you didn't already understand all this, chances are those users already have rooted you. :) I agree with Joerg above. I don't think you have contradicted his general point. Netfilters should: 1. Learn to walk before they try to run Rule of thumb: if you need to post here to try to get explanations of what your rules are doing, you're not ready for OUTPUT filters. 2. Only experiment with carefully-crafted OUTPUT rules 3. Generally not attempt "iptables -P OUTPUT DROP" (see #1.) -- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header From Netfilter at SCampbell.net Wed Jul 13 16:50:08 2005 
From: Netfilter at SCampbell.net (Steven M Campbell) Date: Wed Jul 13 17:06:00 2005 Subject: dnatting In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290742E@pxtbenexd01.pxt.primeexalia.com> References: <57F9959B46E0FA4D8BA88AEDFBE58290742E@pxtbenexd01.pxt.primeexalia.com> Message-ID: <42D52A20.3090709@SCampbell.net> Gary W. Smith wrote: >I agree with everything that has been said BUT I must also interject. A >lot of small business and many home users who get one or two IP's usually >don't have a second DNS floating around. For larger organizations I >would definitely use the split DNS. We do that at a couple locations >when we can. > Split DNS can be implemented on a single DNS server, check your DNS server's manual. The basics are that you create views of your domain structure based on the ip address of the requester, if they are inside (for instance 10.0.0.0/8) you give them the inside answers, otherwise you give them the outside answers. You should not need multiple DNS servers although you should have multiple servers for other reasons. >As for this case, I think it's completely acceptable. > >Since this does indeed work I think it should be documented as a viable >solution (which I think it's in the fine print on one of the docs that I >read before). > > FWIW from me I would not accept the answer 'it works so it must be okay', that's been the downfall of soooo very many computer projects I cannot even begin to count them (a particularly bad attitude for programmers). We'll certainly not argue (and we aren't), it's your network and your rules. My advice is use split DNS from the experience that I used to do the sort of thing that you are doing here and I found out that it was a bad idea and only created trouble later and I don't like trouble, especially if it can be pinned on me! From gary at primeexalia.com Wed Jul 13 18:28:05 2005 
From: gary at primeexalia.com (Gary W. Smith) Date: Wed Jul 13 18:43:58 2005 Subject: dnatting Message-ID: <57F9959B46E0FA4D8BA88AEDFBE582907432@pxtbenexd01.pxt.primeexalia.com> I still don't agree with your statement. For people who have single IP's that need simple DNAT/SNAT'ing for the scenario provided (which was a single port mapped) your process would be overkill and just as cumbersome as adding an additional rule to iptables. Gary > -----Original Message----- > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter- > bounces@lists.netfilter.org] On Behalf Of Steven M Campbell > Sent: Wednesday, July 13, 2005 7:50 AM > Cc: Netfilter ML > Subject: Re: dnatting > FWIW from me I would not accept the answer 'it works so it must be > okay', that's been the downfall of soooo very many computer projects I > cannot even begin to count them (a particularly bad attitude for > programmers). We'll certainly not argue (and we aren't), it's your > network and your rules. My advice is use split DNS from the experience > that I used to do the sort of thing that you are doing here and I found > out that it was a bad idea and only created trouble later and I don't > like trouble, especially if it can be pinned on me! > From Netfilter at SCampbell.net Wed Jul 13 18:40:52 2005 From: Netfilter at SCampbell.net (Steven M Campbell) Date: Wed Jul 13 18:56:35 2005 Subject: dnatting In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE582907432@pxtbenexd01.pxt.primeexalia.com> References: <57F9959B46E0FA4D8BA88AEDFBE582907432@pxtbenexd01.pxt.primeexalia.com> Message-ID: <42D54414.1090702@SCampbell.net> Gary W. Smith wrote: >I still don't agree with your statement. For people who have single >IP's that need simple DNAT/SNAT'ing for the scenario provided (which was >a single port mapped) your process would be overkill and just as >cumbersome as adding an additional rule to iptables. > > Okay, you have my advice, your network your rules. From donaldm314 at gmail.com Wed Jul 13 18:33:48 2005 
From: donaldm314 at gmail.com (Donald Murray) Date: Wed Jul 13 19:12:06 2005 Subject: dnatting In-Reply-To: <42D52A20.3090709@SCampbell.net> References: <57F9959B46E0FA4D8BA88AEDFBE58290742E@pxtbenexd01.pxt.primeexalia.com> <42D52A20.3090709@SCampbell.net> Message-ID: <12984bb00507130933624dd6e4@mail.gmail.com> On 7/13/05, Steven M Campbell wrote: > Gary W. Smith wrote: > >I agree with everything that has been said BUT I must also interject. A > >lot of small business and many home users who get one or two IP's usually > >don't have a second DNS floating around. For larger organizations I > >would definitely use the split DNS. We do that at a couple locations > >when we can. > > > Split DNS can be implemented on a single DNS server, check your DNS > server's manual. The basics are that you create views of your domain > structure based on the ip address of the requester, if they are inside > (for instance 10.0.0.0/8) you give them the inside answers, otherwise > you give them the outside answers. You should not need multiple DNS > servers although you should have multiple servers for other reasons. > > >As for this case, I think it's completely acceptable. > > > >Since this does indeed work I think it should be documented as a viable > >solution (which I think it's in the fine print on one of the docs that I > >read before). > > > > > FWIW from me I would not accept the answer 'it works so it must be > okay', that's been the downfall of soooo very many computer projects I > cannot even begin to count them (a particularly bad attitude for > programmers). We'll certainly not argue (and we aren't), it's your > network and your rules. My advice is use split DNS from the experience > that I used to do the sort of thing that you are doing here and I found > out that it was a bad idea and only created trouble later and I don't > like trouble, especially if it can be pinned on me! > > > Almost finished a piece of humble pie here. 
If the webserver is on the internal LAN, split DNS should resolve differently for internal versus external users. Because the internal users receive an IP for the internal LAN, the firewall is bypassed. No DNAT or SNAT duct tape required. If the webserver is in a DMZ... split DNS should again resolve differently for internal vs external users. Because the internal users receive an IP on a different subnet, their webserver traffic is routed through the firewall. Again, no DNAT/SNAT duct tape required. Does this sound correct? From s_lojic at hotmail.com Wed Jul 13 19:10:34 2005 From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Wed Jul 13 19:26:28 2005 Subject: DNS and NAT Message-ID: 
>From: /dev/rob0 >To: netfilter@lists.netfilter.org >Subject: Re: DNS and NAT >Date: Mon, 11 Jul 2005 16:25:20 -0500 > >Please don't top-post. Thank you. > >Suzana Lojic-Skoric wrote: >>OK, thanks I was not sure what is the proper behavior regarding >>iptables and DNS. > >The usual situation is that clients are NAT'ed out, like what you're >describing. > >>If answer is not translated then how do I get DNS to work with two way >>NAT? > >What does not work? Two-way NAT is fine. You go on to say you're not really >talking about two-way NAT: > >>My internal network does not understand any of the ip addresses that >>belong to outside. So if the request for a page that is sent from internal >>network comes back from outside with an answer (ip address) that is not >>getting translated then I can't resolve the page since my internal network >>doesn't understand it and can't route to it. > >Clients need to have a default route through the NAT gateway, which does >SNAT or MASQUERADE. How is it two-way if the clients can't route out? > I have an internal network that has one set of addresses and an outside network that has a different set of addresses. I am using NAT for the sole purpose of translation. Both inside and outside networks have DNS servers, mail servers,.... Both networks need to talk to each other, send mail and request web pages... I have control of the inside network but not the outside network. When the client from outside sends a DNS query to the inside network I guess I can implement split DNS as Jason Opperisano suggested and get it working that way. The outside world will get a web page from the external view and will have an answer with the global outside address, the inside world will get an answer from the internal view with the inside global ip. The problem is I don't understand how it is supposed to work when the client is inside and sending a request for a page whose server happens to be outside... 
I have a default route through the NAT, so when a client on the inside network sends a DNS query it goes out through the NAT; in my case both source and destination get translated and forwarded to the outside DNS server. (I have to translate the destination as well because the clients on the internal network send a request to an internal DNS server with the internal IP address as destination. So the request gets forwarded to the outside world through the NAT and is both SNAT-ed and DNAT-ed.) When the answer comes back to the NAT, the outside source and destination IP get translated back to the internal addresses, but the actual IP that resolves the requested page is embedded in the message, and it does not get translated (it is an outside IP). When the client gets the answer, it processes it, gets the outside IP from the message and tries to talk to it. But this is an outside IP and inside clients can't route to it.

I am trying to understand how this is supposed to work. I can't quite use the wisdom from masquerade because masquerade is simpler: masquerade messages are only SNAT-ed, meaning only the source address is translated, and when the request comes back it is then DNAT-ed to the internal network, meaning the destination is translated so the message can find your machine. But you don't care that google.com resolved as 216.239.39.99 because your NAT is one-way NAT, in that you can talk to 216.239.39.99. In my case, I have to translate 216.239.39.99 to something else (for example 10.1.1.1) so that the inside network can talk to it. And then on the exit through the nat 10.1.1.1 will be translated back to 216.239.39.99. The problem is I have no way of translating 216.239.39.99 to 10.1.1.1 because iptables NAT does not inspect the payload of the DNS answer and does not translate it. ... and this is how iptables is supposed to work.

I have both DNAT and SNAT happening both ways, when the message goes out and comes back in.
All messages on the inside network must have both source and destination from the inside IP address range. Also I can't advertise my inside addresses to the outside world.

>>Is there a way around this problem? How do I get DNS to work in the type
>>of environment I described?
>
>If you don't want to allow NAT clients out for some reason, you might check
>into running proxy servers, such as squid for HTTP/FTP. Only the services
>you are proxying can be used by internal clients. SOCKS proxy servers can
>handle multiple protocols, but I don't know anything more about it than
>just that fact.
>
>Proxy servers are a good choice in some circumstances; you maintain maximum
>control over what clients can and cannot do (unless users have shell access
>to the proxy server, perhaps.) But proxying is far more resource-intensive
>than NAT.
>--
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
>

From dufresne at sysinfo.com Wed Jul 13 23:15:16 2005
From: dufresne at sysinfo.com (R. DuFresne)
Date: Wed Jul 13 23:25:34 2005
Subject: Ip_conntrack_ftp with PASSIVE FTP does not work
In-Reply-To: <04EE7AD0450F7B498BA216312943A1A102937F40@blrse201.ap.infineon.com>
References: <04EE7AD0450F7B498BA216312943A1A102937F40@blrse201.ap.infineon.com>
Message-ID:

On Wed, 13 Jul 2005 Chandra.Vempali@infineon.com wrote:

> Hi
> Thanks for your reply.
>
> My ip_conntrack_ftp module gets loaded properly.
>
> If I keep a rule like "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
> It means that traffic is allowed to pass through for all ports which should not be done for security reasons.

No, it means that traffic that is started from the FW is allowed back to the FW from whatever system the fw was trying to communicate with to begin with. If you require something more secure than this, then there should be no network card in the system to begin with.

>
> As for passive FTP, I added two rules to allow traffic thru only 21 port.
> iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>

NEW is the problem you thought you were avoiding in the first comment; it should not be required. Not unless something totally insecure like allowing folks to ftp to the fw from outside. The rules provided in the prior post which you are commenting on here would require that the fw box initiate the ftp; here you are trying to do something less secure and allow anyone to ftp to the fw. Certainly it is highly unlikely you intend to allow that. rtfm might help; the concepts of NEW, ESTABLISHED and RELATED seem to have you confuzzled.
Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins

From dufresne at sysinfo.com Wed Jul 13 23:19:29 2005
From: dufresne at sysinfo.com (R. DuFresne)
Date: Wed Jul 13 23:29:47 2005
Subject: dnatting
In-Reply-To:
References: <57F9959B46E0FA4D8BA88AEDFBE58290742E@pxtbenexd01.pxt.primeexalia.com>
Message-ID:

On Wed, 13 Jul 2005, Jan Engelhardt wrote:

>
>> I agree with everything that has been said BUT I must also interject. A
>> lot small business and many home users who get one or two IP's usually
>> don't have a second DNS floating around.
>
> It is required to have two [external] DNS servers.
>

Since when have requirements ever gotten in the way of *progress* or *production*? More like best practices, or recommendations, but requirements? On the internet? One might have assumed there were requirements when the internet was closed and tightly controlled, but not in the public openness of this day...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins

From jinhyung at gmail.com Thu Jul 14 00:24:28 2005
From: jinhyung at gmail.com (JinHyung Park)
Date: Thu Jul 14 00:41:15 2005
Subject: I wanna make a new target like SNAT..
Message-ID: <9b2a1cff05071315243f973f68@mail.gmail.com>

hi..
i want to make a new target that works like SNAT, but M:N SNAT..
i mean, there are 50 computers and each has a private ip like 192.168.0.x..
10 computers need a specific ip of my 50 real ip.
so, i want those computers to be given IPs from a given range, and the other computers follow another iptables rule.
for example, i have 1.1.1.1~1.1.1.50 ip, and 1.1.1.1~1.1.1.10 are special IPs..
and my 50 computers have a private network, 192.168.0.1~192.168.0.50,
some computers that need a specific IP assigned ( range 1.1.1.1~1.1.1.10 ) and another 40 computers just follow other iptables rules..
(like,
iptables -t nat -A POSTROUTING -d 192.168.0.1-192.168.0.50 -j NEWTARGET --to 1.1.1.1-1.1.1.10
and, if all 1.1.1.1-1.1.1.10 are used, other private computers follow another rule.. )
i checked ipt_NETMAP.c, just my thought, make a new target like NETMAP with an idea like an ip pool, but i don't know how to pass to the next rule if all 1.1.1.1-1.1.1.10 are used. if there is no IP, just return NF_ACCEPT ? ;;
do I make sense?
please help me...

--
-----------------------------
+82-10-3161-0419 (Korea,South)
jinhyung@gmail.com
-----------------------------

From opie at 817west.com Thu Jul 14 01:20:42 2005
From: opie at 817west.com (Jason Opperisano)
Date: Thu Jul 14 01:39:31 2005
Subject: I wanna make a new target like SNAT..
In-Reply-To: <9b2a1cff05071315243f973f68@mail.gmail.com>
References: <9b2a1cff05071315243f973f68@mail.gmail.com>
Message-ID: <20050713232042.GA25550@bender.817west.com>

On Thu, Jul 14, 2005 at 07:24:28AM +0900, JinHyung Park wrote:
> hi..
> i want to make a new target that works like SNAT, but M:N SNAT..
> i mean, there are 50 computers and each has a private ip like 192.168.0.x..
> 10 computers need a specific ip of my 50 real ip.
> so, i want those computers to be given IPs from a given range, and the other computers
> follow another iptables rule.
> for example, i have 1.1.1.1~1.1.1.50 ip, and 1.1.1.1~1.1.1.10 are special
> IPs..
> and my 50 computers have a private network, 192.168.0.1~192.168.0.50,
> some computers that need a specific IP assigned ( range 1.1.1.1~1.1.1.10 ) and
> another 40 computers just follow other iptables rules..
> (like,
> iptables -t nat -A POSTROUTING -d 192.168.0.1-192.168.0.50 -j NEWTARGET --to
> 1.1.1.1-1.1.1.10
> and, if all 1.1.1.1-1.1.1.10 are used, other private computers follow
> another rule.. )
> i checked ipt_NETMAP.c, just my thought, make a new target like NETMAP with
> an idea like an ip pool, but i don't know how to pass to the next rule if all
> 1.1.1.1-1.1.1.10 are used. if there is no IP, just return NF_ACCEPT ? ;;
> do I make sense?
> please help me...
i am surely unclear on what you're trying to do, but if the situation is that 192.168.0.1 - 192.168.0.10 need to be statically mapped to 1.1.1.1 - 1.1.1.10, and the rest of the network should be mapped to the remaining pool of public addresses, 1.1.1.11 - 1.1.1.50, you could just use SNAT rules:

# one-to-one mappings for .1 - .10
for i in `seq 1 10`; do
  iptables -t nat -A POSTROUTING -s 192.168.0.${i} \
    -j SNAT --to-source 1.1.1.${i}
done

# SNAT pool for remaining IP's
iptables -t nat -A POSTROUTING \
  -m iprange --src-range 192.168.0.11-192.168.0.254 \
  -j SNAT --to-source 1.1.1.11-1.1.1.50

i'm sure i've missed the point, but who knows--maybe not.

-j

--
"Stewie: Now look here...Jo-LENE. I have an army to raise and I must
get to Managua at once. I require a window seat and an in-flight Happy
Meal. BUT NO PICKLES. OH, GOD HELP YOU IF I FIND PICKLES."
--Family Guy

From liyasmm at gmail.com Thu Jul 14 03:55:23 2005
From: liyasmm at gmail.com (liyas_m m)
Date: Thu Jul 14 04:11:18 2005
Subject: firewall ignore the rule
In-Reply-To: <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net>
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net>
Message-ID: <2452665f05071318551f788f42@mail.gmail.com>

i have done that and checked with ethereal..still that source address is not blocked. It is still broadcasting ARP packets..a lot.

On 7/13/05, Cedric Blancher wrote:
> On Wednesday 13 July 2005 at 18:52 +0800, liyas_m m wrote:
> > The problem is when i try to block traffic from certain address , it
> > just does not work
> > e.g
> > iptables -A INPUT -s 10.5.33.22 -j DROP
>
> If you work on routed traffic, then you have to put this rule on the
> FORWARD chain:
>
> iptables -A FORWARD -s 10.5.33.22 -j DROP
>
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
>

From opie at 817west.com Thu Jul 14 04:01:55 2005
From: opie at 817west.com (Jason Opperisano)
Date: Thu Jul 14 04:20:49 2005
Subject: firewall ignore the rule
In-Reply-To: <2452665f05071318551f788f42@mail.gmail.com>
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com>
Message-ID: <20050714020155.GA26028@bender.817west.com>

On Thu, Jul 14, 2005 at 09:55:23AM +0800, liyas_m m wrote:
> i have done that and checked with ethereal..still that source address
> is not blocked. It is still broadcasting ARP packets..a lot.

iptables/netfilter operates at layer 3. therefore, packets generated or received at layer 2 cannot be blocked with iptables/netfilter. ethereal/iptraf operate at the BPF layer (layer 2), and arp packets are layer 2 as well.

iptables/netfilter is not at fault; you have an invalid testing methodology.

-j

--
"Peter: Brian, there's a message in my Alpha Bits. It says "OOOOOO".
Brian: Peter, those are Cheerios."
--Family Guy

From liyasmm at gmail.com Thu Jul 14 04:10:30 2005
From: liyasmm at gmail.com (liyas_m m)
Date: Thu Jul 14 04:26:24 2005
Subject: firewall ignore the rule
In-Reply-To: <20050714020155.GA26028@bender.817west.com>
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com> <20050714020155.GA26028@bender.817west.com>
Message-ID: <2452665f0507131910300b00de@mail.gmail.com>

so how do i block that source from transmitting/broadcasting packets?

On 7/14/05, Jason Opperisano wrote:
> On Thu, Jul 14, 2005 at 09:55:23AM +0800, liyas_m m wrote:
> > i have done that and checked with ethereal..still that source address
> > is not blocked. It is still broadcasting ARP packets..a lot.
>
> iptables/netfilter operates at layer 3. therefore, packets generated or
> received at layer 2 cannot be blocked with iptables/netfilter.
> ethereal/iptraf operate at the BPF layer (layer 2), and arp packets are
> layer 2 as well.
>
> iptables/netfilter is not at fault; you have an invalid testing
> methodology.
>
> -j
>
> --
> "Peter: Brian, there's a message in my Alpha Bits. It says "OOOOOO".
> Brian: Peter, those are Cheerios."
> --Family Guy
>
>

From opie at 817west.com Thu Jul 14 04:10:32 2005
From: opie at 817west.com (Jason Opperisano)
Date: Thu Jul 14 04:29:20 2005
Subject: firewall ignore the rule
In-Reply-To: <2452665f0507131910300b00de@mail.gmail.com>
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com> <20050714020155.GA26028@bender.817west.com> <2452665f0507131910300b00de@mail.gmail.com>
Message-ID: <20050714021032.GA26090@bender.817west.com>

On Thu, Jul 14, 2005 at 10:10:30AM +0800, liyas_m m wrote:
> so how do i block that source from transmitting/broadcasting packets?

use something that operates at layer 2. arptables and ebtables come to mind.

-j

--
"Stewie: What the hell is this?
Lois: Stewie that's tuna salad.
Stewie: Really? I could have sworn it was cat food."
--Family Guy

From liyasmm at gmail.com Thu Jul 14 04:19:19 2005
From: liyasmm at gmail.com (liyas_m m)
Date: Thu Jul 14 04:35:13 2005
Subject: firewall ignore the rule
In-Reply-To: <20050714021032.GA26090@bender.817west.com>
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com> <20050714020155.GA26028@bender.817west.com> <2452665f0507131910300b00de@mail.gmail.com> <20050714021032.GA26090@bender.817west.com>
Message-ID: <2452665f0507131919823198c@mail.gmail.com>

u mean blocking the MAC address also does not do any good. hmm i thought iptables was that powerful.

On 7/14/05, Jason Opperisano wrote:
> On Thu, Jul 14, 2005 at 10:10:30AM +0800, liyas_m m wrote:
> > so how do i block that source from transmitting/broadcasting packets?
>
> use something that operates at layer 2. arptables and ebtables come to
> mind.
>
> -j
>
> --
> "Stewie: What the hell is this?
> Lois: Stewie that's tuna salad.
> Stewie: Really? I could have sworn it was cat food."
> --Family Guy
>
>

From opie at 817west.com Thu Jul 14 04:24:09 2005
From: opie at 817west.com (Jason Opperisano)
Date: Thu Jul 14 04:42:58 2005
Subject: firewall ignore the rule
In-Reply-To: <2452665f0507131919823198c@mail.gmail.com>
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com> <20050714020155.GA26028@bender.817west.com> <2452665f0507131910300b00de@mail.gmail.com> <20050714021032.GA26090@bender.817west.com> <2452665f0507131919823198c@mail.gmail.com>
Message-ID: <20050714022409.GA26148@bender.817west.com>

On Thu, Jul 14, 2005 at 10:19:19AM +0800, liyas_m m wrote:
> u mean blocking the MAC address also does not do any good. hmm i
> thought iptables was that powerful.

it is that powerful. you are currently incapable of comprehending its power.

-j

--
"Quagmire: Don't look at me like that. Fat chicks need love too... but
they got to pay."
--Family Guy

From ishwar at pali.cps.cmich.edu Thu Jul 14 04:39:57 2005
From: ishwar at pali.cps.cmich.edu (Ishwar Rattan)
Date: Thu Jul 14 04:58:06 2005
Subject: firewall ignore the rule
In-Reply-To: <20050714022409.GA26148@bender.817west.com>
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com> <20050714020155.GA26028@bender.817west.com> <2452665f0507131910300b00de@mail.gmail.com> <20050714021032.GA26090@bender.817west.com> <2452665f0507131919823198c@mail.gmail.com> <20050714022409.GA26148@bender.817west.com>
Message-ID:

On Wed, 13 Jul 2005, Jason Opperisano wrote:

> On Thu, Jul 14, 2005 at 10:19:19AM +0800, liyas_m m wrote:
> > u mean blocking the MAC address also does not do any good. hmm i
> > thought iptables was that powerful.
>
> it is that powerful. you are currently incapable of comprehending its
> power.

I like the response. My suggestion would have been to rewrite the tcp/ip stack and block them at layer 1 :-)

-ishwar

From opie at 817west.com Thu Jul 14 04:45:06 2005
From: opie at 817west.com (Jason Opperisano)
Date: Thu Jul 14 05:03:55 2005
Subject: firewall ignore the rule
In-Reply-To:
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com> <20050714020155.GA26028@bender.817west.com> <2452665f0507131910300b00de@mail.gmail.com> <20050714021032.GA26090@bender.817west.com> <2452665f0507131919823198c@mail.gmail.com> <20050714022409.GA26148@bender.817west.com>
Message-ID: <20050714024506.GA26226@bender.817west.com>

On Wed, Jul 13, 2005 at 10:39:57PM -0400, Ishwar Rattan wrote:
> I like the response. My suggestion would have been to rewrite the tcp/ip
> stack and block them at layer 1 :-)

layer 1 filtering is simplest of all: unplug the cable.

-j

--
"Peter: Chris, everything I say is a lie. Except that. And that. And
that. And that. And that. And that. And that. And that."
--Family Guy

From jinhyung at gmail.com Thu Jul 14 06:26:01 2005
From: jinhyung at gmail.com (JinHyung Park)
Date: Thu Jul 14 06:42:49 2005
Subject: I wanna make a new target like SNAT..
In-Reply-To: <20050713232042.GA25550@bender.817west.com>
References: <9b2a1cff05071315243f973f68@mail.gmail.com> <20050713232042.GA25550@bender.817west.com>
Message-ID: <9b2a1cff050713212669b7d0e2@mail.gmail.com>

first, thank you for your answer :)
sorry for my poor English....
ok.. explain again..

i'm administrator of our school's computer lab. i have 50 static real ips, and i have 50 computers.. but some server that we need only allows connections from 10 static ips. so, i wanna use SNAT, so that any 10 seats can use that server.
is it clear?

for example,

# SNAT pool for remaining IP's
iptables -t nat -A POSTROUTING \
  -m iprange --src-range 192.168.0.1-192.168.0.50 \
  -j SNAT --to-source 1.1.1.1-1.1.1.10

and the rest of the 40 private ips ( any ip, it can be 192.168.0.1, 192.168.0.8, 192.168.0.13-192.168.0.50 ) need to be mapped 1:1 to 1.1.1.10-1.1.1.50..

but i heard the iprange match module just *matches* that rule, so.. it could NAT another private ip to 1.1.1.1:1000 although 1.1.1.1 is already connected to 192.168.0.1... ( port nat.. )

could you help me?

i made a new target module similar to the NETMAP target; that module works like this:

iptables -t nat -A POSTROUTING -d 192.168.0.1-192.168.0.50 -j SNAT --to 1.1.1.1-1.1.1.10

but i don't know how to move the packets to the next rule after all static ips are used.. if all 1.1.1.1-1.1.1.10 are connected from 10 ips of 192.168.0.1-192.168.0.50, another ip's packets are dropped..

sorry again for my poor English..

2005/7/14, Jason Opperisano :
>
> On Thu, Jul 14, 2005 at 07:24:28AM +0900, JinHyung Park wrote:
> > hi..
> > i want to make a new target that works like SNAT, but M:N SNAT..
> > i mean, there are 50 computers and each has a private ip like
> 192.168.0.x..
> > 10 computers need a specific ip of my 50 real ip.
> > so, i want those computers to be given IPs from a given range, and the other computers
> > follow another iptables rule.
> > for example, i have 1.1.1.1~1.1.1.50 ip, and 1.1.1.1~1.1.1.10 are special
> > IPs..
> > and my 50 computers have a private network, 192.168.0.1~192.168.0.50,
> > some computers that need a specific IP assigned ( range 1.1.1.1~1.1.1.10 )
> and
> > another 40 computers just follow other iptables rules..
> > (like,
> > iptables -t nat -A POSTROUTING -d 192.168.0.1-192.168.0.50 -j NEWTARGET
> --to
> > 1.1.1.1-1.1.1.10
> > and, if all 1.1.1.1-1.1.1.10 are used, other private computers follow
> > another rule.. )
> > i checked ipt_NETMAP.c, just my thought, make a new target like NETMAP
> with
> > an idea like an ip pool, but i don't know how to pass to the next rule if all
> > 1.1.1.1-1.1.1.10 are used. if there is no IP, just return NF_ACCEPT ? ;;
> > do I make sense?
> > please help me...
>
> i am surely unclear on what you're trying to do, but if the situation is
> that 192.168.0.1 - 192.168.0.10 need to be statically mapped to
> 1.1.1.1 - 1.1.1.10, and the rest of the network should be mapped to the
> remaining pool of public addresses, 1.1.1.11 - 1.1.1.50, you could just
> use SNAT rules:
>
> # one-to-one mappings for .1 - .10
> for i in `seq 1 10`; do
>   iptables -t nat -A POSTROUTING -s 192.168.0.${i} \
>     -j SNAT --to-source 1.1.1.${i}
> done
>
> # SNAT pool for remaining IP's
> iptables -t nat -A POSTROUTING \
>   -m iprange --src-range 192.168.0.11-192.168.0.254 \
>   -j SNAT --to-source 1.1.1.11-1.1.1.50
>
> i'm sure i've missed the point, but who knows--maybe not.
>
> -j
>
> --
> "Stewie: Now look here...Jo-LENE. I have an army to raise and I must
> get to Managua at once. I require a window seat and an in-flight Happy
> Meal. BUT NO PICKLES. OH, GOD HELP YOU IF I FIND PICKLES."
> --Family Guy
>
>

--
-----------------------------
+82-10-3161-0419 (Korea,South)
jinhyung@gmail.com
-----------------------------

From mingching.tiew at redtone.com Thu Jul 14 09:47:57 2005
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Thu Jul 14 10:04:06 2005
Subject: h323 over nat firewall - queries
Message-ID: <016601c58848$5ab54860$1280a8c0@newlife>

From: "Ming-Ching Tiew"
>
> I have a case where I have H323 VoIP equipment located behind a
> Linux nat-box running ip_h323_nat and ip_conntrack_h323.
>
> We have various combinations of traffic and some of them are deemed
> successful and with some of them I experience some weird problems
> such as not being able to hear the voice and/or choppy voice.
>
> Upon troubleshooting and narrowing down the problem, I suspect
> that the modules might have some limitation and so I am posting
> here to see if anyone can enlighten me on this subject.
>
> I remember certain conntrack modules only allow one client to be
> behind nat, so I am asking :-
>
> If I have one H323 VoIP equipment going to multiple H323 counterparts
> on the internet at the same time, via the Linux nat conntrack
> module, is it going to work correctly ? ie I have one source private
> IP, but going to multiple destination public IPs via the H323 conntrack
> module, is this a supported configuration ?
>

I did not get any comments on this ?

Upon further checking I found the 2.6 kernel has a different source from the 2.4 kernel and my problem was seen on the 2.4 kernel. By any chance, has this "suspected limitation" been fixed in the 2.6 kernel ?

Is it worthwhile testing it on the 2.6 kernel ?

From kadlec at blackhole.kfki.hu Thu Jul 14 09:59:10 2005
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Thu Jul 14 10:15:07 2005
Subject: h323 over nat firewall - queries
In-Reply-To: <016601c58848$5ab54860$1280a8c0@newlife>
References: <016601c58848$5ab54860$1280a8c0@newlife>
Message-ID:

On Thu, 14 Jul 2005, Ming-Ching Tiew wrote:

> > I have a case where I have H323 VoIP equipment located behind a
> > Linux nat-box running ip_h323_nat and ip_conntrack_h323.
> >
> > We have various combinations of traffic and some of them are deemed
> > successful and with some of them I experience some weird problems
> > such as not being able to hear the voice and/or choppy voice.
> >
> > Upon troubleshooting and narrowing down the problem, I suspect
> > that the modules might have some limitation and so I am posting
> > here to see if anyone can enlighten me on this subject.
> >
> > I remember certain conntrack modules only allow one client to be
> > behind nat, so I am asking :-
> >
> > If I have one H323 VoIP equipment going to multiple H323 counterparts
> > on the internet at the same time, via the Linux nat conntrack
> > module, is it going to work correctly ? ie I have one source private
> > IP, but going to multiple destination public IPs via the H323 conntrack
> > module, is this a supported configuration ?
>
> I did not get any comments on this ?
>
> Upon further checking I found the 2.6 kernel has a different source
> from the 2.4 kernel and my problem was seen on the 2.4 kernel. By any
> chance, has this "suspected limitation" been fixed in the 2.6 kernel ?
>
> Is it worthwhile testing it on the 2.6 kernel ?

Definitely yes. The H.323 support was completely rewritten - actually, truly implemented - by Max Kellermann in the 2.6 tree. You should give it a try.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

From jengelh at linux01.gwdg.de Thu Jul 14 11:40:35 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu Jul 14 11:56:38 2005
Subject: firewall ignore the rule
In-Reply-To: <2452665f0507131919823198c@mail.gmail.com>
References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com> <20050714020155.GA26028@bender.817west.com> <2452665f0507131910300b00de@mail.gmail.com> <20050714021032.GA26090@bender.817west.com> <2452665f0507131919823198c@mail.gmail.com>
Message-ID:

>u mean blocking the MAC address also does not do any good. hmm i
>thought iptables was that powerful.

There is a reason it's called _IP_tables. What iptables can do for you is block *IP* packets with certain MAC addresses.

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From zhangseven at gmail.com Thu Jul 14 12:38:24 2005
From: zhangseven at gmail.com (Steven Zhang)
Date: Thu Jul 14 12:55:27 2005
Subject: match for connection lasting time
Message-ID:

Hi, all:

I got an idea to distinguish the different connections by their lasting time (mostly for TCP), eg. which connections have lasted for more than one minute, or even more than one hour? I think this may be useful in some cases. Is there an existing match for this? Or is it possible to do this with netfilter?

Thanks in advance.

Best regards,
Steven Zhang

From SCampbell at Analysts.com Wed Jul 13 18:39:55 2005
From: SCampbell at Analysts.com (Steven M Campbell)
Date: Thu Jul 14 14:18:28 2005
Subject: dnatting
In-Reply-To: <12984bb00507130933624dd6e4@mail.gmail.com>
References: <57F9959B46E0FA4D8BA88AEDFBE58290742E@pxtbenexd01.pxt.primeexalia.com> <42D52A20.3090709@SCampbell.net> <12984bb00507130933624dd6e4@mail.gmail.com>
Message-ID: <42D543DB.6050002@Analysts.com>

Donald Murray wrote:

>If the webserver is on the internal LAN, split DNS should resolve
>differently for internal versus external users. Because the internal
>users receive an IP for the internal LAN, the firewall is bypassed. No
>DNAT or SNAT duct tape required.
>
>If the webserver is in a DMZ... split DNS should again resolve
>differently for internal vs external users. Because the internal users
>receive an IP on a different subnet, their webserver traffic is routed
>through the firewall. Again, no DNAT/SNAT duct tape required.
>
>Does this sound correct?
>

I concur.

From siegbert.laukas at laukas.com Thu Jul 14 10:52:32 2005
From: siegbert.laukas at laukas.com (Siegbert Laukas)
Date: Thu Jul 14 14:18:34 2005
Subject: Couldn't load match `stealth':/usr/local/lib/iptables/libipt_stealth.so
Message-ID: <42D627D0.6050503@laukas.com>

My system runs with IPTABLES 1.3.x. I have also installed the newest GRSECURITY patch which enables the stealth kernel module.

In /lib/modules/2.6.11.xx/.. the stealth .ko module exists. Also, with modprobe ipt_stealth the stealth module loads.

When running the command "iptables -A INPUT -p tcp -m stealth -j DROP" I receive the following error message:

"iptables v1.3.2: Couldn't load match 'stealth':/usr/local/lib/iptables/libipt_stealth.so: cannot open shared object file: No such file or directory"

Does anyone know some information ???

Thanks
Siegbert Laukas

From harmuth at mnemon.de Thu Jul 14 15:29:37 2005
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Thu Jul 14 15:46:24 2005
Subject: DNS and NAT
In-Reply-To:
References:
Message-ID: <42D668C1.4060801@mnemon.de>

Suzana Lojic-Skoric wrote:

> I have an internal network that has one set of addresses and an outside
> network that has
> a different set of addresses. I am using NAT for the sole purpose of
> translation. Both the inside and outside network have DNS servers, mail
> servers,.... Both networks need to talk to each other, send mail and
> request web pages... I have control of the inside network but not the
> outside ntw.
>
> When the client from outside sends a DNS query to the inside ntw I guess
> I can implement split DNS as Jason Opperisano suggested and get it
> working that way. The outside world will get a web page from the external
> view and will have an answer with the global outside address; the inside world
> will get an answer from the internal view with the inside global ip.
>
> The problem is I don't understand how it is supposed to work when the
> client is inside and sending a request for a page whose server happens
> to be outside...
> I have a default route through the NAT, so when a client on the inside
> network
> sends a DNS query it goes out through the NAT; in my case both source
> and destination get translated and forwarded to the outside DNS server. (I
> have to translate the destination as well because the clients on the
> internal network send a request to an internal DNS server with the
> internal IP address as destination. So the request gets forwarded to the
> outside world through the NAT and is both SNAT-ed and DNAT-ed.) When the
> answer comes back to the NAT, the outside source and destination IP get
> translated back to the internal addresses, but the actual IP that
> resolves the requested page is embedded in the message, and it does not
> get translated (it is an outside IP). When the client gets the answer, it
> processes it, gets the outside IP from the message and tries to talk to it.
> But this is an outside IP and inside clients can't route to it.
>
> I am trying to understand how this is supposed to work. I can't quite
> use the wisdom from masquerade because masquerade is simpler: masquerade
> messages are only SNAT-ed, meaning only the source address is translated, and
> when the request comes back it is then DNAT-ed to the internal network,
> meaning the destination is translated so the message can find your machine.
> But you don't care that google.com resolved as 216.239.39.99 because
> your NAT is one-way NAT, in that you can talk to 216.239.39.99. In my case, I
> have to translate 216.239.39.99 to something else (for example
> 10.1.1.1) so that the inside network can talk to it. And then on the
> exit through the nat 10.1.1.1 will be translated back to 216.239.39.99.
> The problem is I have no way of translating 216.239.39.99 to
> 10.1.1.1 because iptables NAT does not inspect the payload of the DNS
> answer and does not translate it. ... and this is how iptables is
> supposed to work.

If I understand everything correctly, your problem is something like "How can my clients find google.com? My clients have non-routable addresses (RFC1918), so they cannot talk to routable addresses".

Your scenario: Client starts a DNS request for google.com to the internal DNS. This box returns 216.239.39.99 to the client and the client doesn't know how to get there. Right?

Hmm, your client already knows how to get to 216.239.39.99, because he has a default route to the nat box (as you said above). The nat box receives something like

src=10.0.0.1 dst=216.239.39.99 spt=22222 dpt=80

This is not local to the nat box, so - if /proc/sys/net/ipv4/ip_forward is set to 1 - the nat box will forward the packet to its default gateway, say via ppp0. If you applied MASQUERADE to ppp0, the source address is rewritten to the (internet) address of ppp0 and the packet reaches google.
The return packet from google hits your nat box and the connection tracking code automatically "retranslates" (this time the destination address) to 10.0.0.1 and the packet reaches your client. That's all. Add a rule like iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE and everything is as described. As /dev/rob0 pointed out, if you don't want your clients to talk with google directly, use proxies. Sorry if I missed the point. Joerg From lopsch at lopsch.com Thu Jul 14 15:45:27 2005 From: lopsch at lopsch.com (Daniel Lopes) Date: Thu Jul 14 15:55:14 2005 Subject: Couldn't load match `stealth':/usr/local/lib/iptables/libipt_stealth.so In-Reply-To: <42D627D0.6050503@laukas.com> References: <42D627D0.6050503@laukas.com> Message-ID: <42D66C77.2040709@lopsch.com> Siegbert Laukas wrote: > My system runs iptables 1.3.x. I have also installed the newest > grsecurity patch, which enables the stealth kernel module. > > In /lib/modules/2.6.11.xx/.. the stealth .ko module exists. > Also, with modprobe ipt_stealth the stealth module loads. > > When running the command "iptables -A INPUT -p tcp -m stealth -j DROP" I > receive the following error message: > > "iptables v1.3.2: Couldn't load match > 'stealth':/usr/local/lib/iptables/libipt_stealth.so: cannot open shared > object file: No such file or directory" > > Does anyone have any information? > > Thanks > Siegbert Laukas > > > I think you will need the iptables patch as well. It can be found on the grsecurity homepage. From voyager123bg at gmail.com Thu Jul 14 17:03:03 2005 
From: voyager123bg at gmail.com (Nikolai Alexandrov) Date: Thu Jul 14 17:15:55 2005 Subject: firewall ignore the rule In-Reply-To: References: <2452665f0507130352544ab556@mail.gmail.com> <1121252895.11584.6.camel@anduril.intranet.cartel-securite.net> <2452665f05071318551f788f42@mail.gmail.com> <20050714020155.GA26028@bender.817west.com> <2452665f0507131910300b00de@mail.gmail.com> <20050714021032.GA26090@bender.817west.com> <2452665f0507131919823198c@mail.gmail.com> <20050714022409.GA26148@bender.817west.com> Message-ID: <42D67EA7.6070604@gmail.com> You might want to look at this project: http://arpstar.sourceforge.net/. Ishwar Rattan wrote: >On Wed, 13 Jul 2005, Jason Opperisano wrote: > > > >>On Thu, Jul 14, 2005 at 10:19:19AM +0800, liyas_m m wrote: >> >> >>>You mean blocking the MAC address also does not do any good? Hmm, I >>>thought iptables was that powerful. >>> >>> >>It is that powerful. You are currently incapable of comprehending its >>power. >> >> > >I like the response. My suggestion would have been to rewrite the TCP/IP >stack and block them at layer 1 :-) > >-ishwar > > > > From george.john at ch.easynet.net Thu Jul 14 16:52:06 2005 From: george.john at ch.easynet.net (george.john@ch.easynet.net) Date: Thu Jul 14 17:16:50 2005 Subject: George John out of office Message-ID: <20050714145206.35068.qmail@mx2.mail.ch.easynet.net> Hello! Please be informed that I am on holidays during the coming weeks and I will be back in the office only on 8th of August 2005. You can reach our customer care team through e-mail: support@ch.easynet.net or via tel. no. 0848 000 884 During my holidays Mr. Di Cicco will be backing me up and you can reach him via e-mail: vito.dicicco@ch.easynet.net With best regards George K. John Network & support Engineer Easynet AG Hardturmstrasse 135 8005 Zurich From curby.public at gmail.com Thu Jul 14 17:17:51 2005 
From: curby.public at gmail.com (curby .) Date: Thu Jul 14 17:34:42 2005 Subject: size of recent blacklist In-Reply-To: <41DFFDDA1C6.000004DBinnocent.evil@inbox.com> References: <41DFFDDA1C6.000004DBinnocent.evil@inbox.com> Message-ID: <5d2f379105071408175d0318a5@mail.gmail.com> On 7/11/05, Innocent Evil wrote: > Also, I have 'feature request' > It would be nicer to able to see the blacklist by a command like: > iptables -m recent --blacklist On some Linuxes, to display the members of recent list RLIST, you can run cat /proc/net/ipt_recent/RLIST From azez at ufomechanic.net Thu Jul 14 14:20:46 2005 From: azez at ufomechanic.net (Amin Azez) Date: Thu Jul 14 17:36:45 2005 Subject: OUTPUT filtering In-Reply-To: <42D5291E.7090308@gmx.co.uk> References: <04EE7AD0450F7B498BA216312943A1A102937F25@blrse201.ap.infineon.com> <42D4E11C.2080100@mnemon.de> <42D5291E.7090308@gmx.co.uk> Message-ID: <42D6589E.5090707@ufomechanic.net> /dev/rob0 wrote: > Note that OUTPUT filtering only controls non-root users. A root user can > disable or bypass it. If you have local shell users who cannot be > trusted, and if you didn't already understand all this, chances are > those users already have rooted you. :) Quite so, but output filtering can also be applied to a firewall/router/bridge with no user accounts. Amin From curby.public at gmail.com Thu Jul 14 17:42:28 2005 
From: curby.public at gmail.com (curby .) Date: Thu Jul 14 17:59:08 2005 Subject: dnatting In-Reply-To: <20050711151830.GA26670@tranquility.scriptkitchen.com> References: <20050711151830.GA26670@tranquility.scriptkitchen.com> Message-ID: <5d2f379105071408426a506986@mail.gmail.com> On 7/11/05, Payal Rathod wrote: > Hi, > I have a rule on my friend's broadband connection to redirect traffic > from outside to an internal machine like, > > iptables -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 80 -j DNAT \ > --to-destination 192.168.10.10:80 > > But she complained that people from inside the network cannot do > http://1.2.3.4 in their browser and see the site. Is she correct? > What is wrong with my rule because I can see the site from outside? The problem is only the initial SYN will go through the expected route. 1) Client 192.168.10.53 > Server 1.2.3.4 2) Router 192.168.10.1 DNATs packet to 192.168.10.10 3) Server 192.168.10.10 sees request from 192.168.10.53 4) Server sends response to 192.168.10.53 5) Client expects response from 1.2.3.4, receives from 192.168.10.10, drops it Instead you want 1) Client 192.168.10.53 > Server 1.2.3.4 2) Router DNATs packet to 192.168.10.10, SNATs packet to 192.168.10.1 3) Server sees request from 192.168.10.1 4) Server sends response to 192.168.10.1 5) Router uses SNAT to relay response to 192.168.10.53 6) Client gets expected response from 1.2.3.4 See here for implementation details: http://netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html From curby.public at gmail.com Thu Jul 14 17:49:12 2005 
From: curby.public at gmail.com (curby .) Date: Thu Jul 14 18:05:50 2005 Subject: dnatting In-Reply-To: <5d2f379105071408426a506986@mail.gmail.com> References: <20050711151830.GA26670@tranquility.scriptkitchen.com> <5d2f379105071408426a506986@mail.gmail.com> Message-ID: <5d2f3791050714084935dc1d83@mail.gmail.com> On 7/14/05, curby . wrote: [snip] > See here for implementation details: > http://netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html Boy, how embarrassing. This has already been discussed to death. =P Re: DNAT+SNAT vs DNS: depends on your network. It's been mentioned that some people don't even have a DNS server... From s_lojic at hotmail.com Thu Jul 14 17:50:18 2005 From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Thu Jul 14 18:06:25 2005 Subject: DNS and NAT In-Reply-To: <42D668C1.4060801@mnemon.de> Message-ID: 
>From: Jörg Harmuth >To: netfilter@lists.netfilter.org >Subject: Re: DNS and NAT >Date: Thu, 14 Jul 2005 15:29:37 +0200 > >Suzana Lojic-Skoric wrote: > > > I have an internal network that has one set of addresses and an outside > > network that has > > a different set of addresses. I am using NAT for the sole purpose of > > translation. Both the inside and outside network have DNS servers, mail > > servers,.... Both networks need to talk to each other, send mail and > > request web pages... I have control of the inside network but not the > > outside ntw. > > > > When the client from outside sends a DNS query to the inside ntw I guess > > I can implement split DNS as Jason Opperisano suggested and get it > > working that way. The outside world will get a web page from the external > > view and will have an answer with the global outside address, the inside world > > will get an answer from the internal view with the inside global IP. > > > > The problem is I don't understand how it is supposed to work when the > > client is inside and sending a request for a page whose server happens > > to be outside... > > I have a default route through the NAT, so when a client on the inside > > network > > sends a DNS query it goes out through the NAT, in my case both source > > and destination get translated and forwarded to the outside DNS server. (I > > have to translate the destination as well because the clients on the > > internal network send a request to an internal DNS server with the > > internal IP address as destination. So the request gets forwarded to the > > outside world through the NAT and is both SNAT-ed and DNAT-ed.) When the > > answer comes back to the NAT, the outside source and destination IP get > > translated back to the internal addresses, but the actual IP that > > resolves the requested page is embedded in the message, and it does not > > get translated (it is an outside IP). When the client gets the answer, it > > processes it, gets the outside IP from the message and tries to talk to it. 
> > But this is an outside IP and inside clients can't route to it. > > > > I am trying to understand how this is supposed to work. I can't quite > > use the wisdom from masquerade because masquerade is simpler, masquerade > > messages are only SNAT-ed, meaning only the source address is translated and > > when the request comes back it is then DNAT-ed to the internal network, > > meaning the destination is translated so the message can find your machine. > > But you don't care that google.com resolved as 216.239.39.99 because > > your NAT is a one-way NAT and you can talk to 216.239.39.99. In my case, I > > have to translate the 216.239.39.99 to something else (for example > > 10.1.1.1) so that the inside network can talk to it. And then on the > > exit through the NAT 10.1.1.1 will be translated back to 216.239.39.99. > > The problem is I have no way of translating the 216.239.39.99 to > > 10.1.1.1 because iptables NAT does not inspect the payload of the DNS > > answer and does not translate it. ... and this is how iptables is > > supposed to work. > >If I understand everything correctly, your problem is something like >"How can my clients find google.com? My clients have non-routable >addresses (RFC1918), so they cannot talk to routable addresses". Your >scenario: Client starts a DNS request for google.com to the internal DNS. This >box returns 216.239.39.99 to the client and the client doesn't know how >to get there. Right? > >Hmm, your client already knows how to get to 216.239.39.99, because it >has a default route to the nat box (as you said above). The nat box >receives something like > >src=10.0.0.1 dst=216.239.39.99 spt=22222 dpt=80 > >This is not local to the nat box, so - if /proc/sys/net/ipv4/ip_forward >is set to 1 - the nat box will forward the packet to its default >gateway, say via ppp0. If you applied MASQUERADE to ppp0, the source >address is rewritten to the (internet) address of ppp0 and the packet >reaches google. 
> >The return packet from google hits your nat box and the connection >tracking code automatically "retranslates" (this time the destination >address) to 10.0.0.1 and the packet reaches your client. That's all. A >rule like > >iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE > >and everything is as described. > Yes, you are right, but the problem is that between my inside client and the NAT gateway I have a machine that drops everything that is not 10.x.x.x. I know, I know, it is insane... but my job is to find a solution for DNS in such a network. So basically, my inside network can only route 10.x.x.x and everything else is dropped. >As /dev/rob0 pointed out, if you don't want your clients to talk with >google directly use proxies. > I'll check out the proxy idea. Thanks for your input. Suzana >Sorry, if I missed the point. > >Joerg > > > _________________________________________________________________ Powerful Parental Controls Let your child discover the best the Internet has to offer. http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines Start enjoying all the benefits of MSN® Premium right now and get the first two months FREE*. From harmuth at mnemon.de Thu Jul 14 17:56:21 2005 
From: harmuth at mnemon.de (Jörg Harmuth) Date: Thu Jul 14 18:16:32 2005 Subject: OUTPUT filtering In-Reply-To: <42D6589E.5090707@ufomechanic.net> References: <04EE7AD0450F7B498BA216312943A1A102937F25@blrse201.ap.infineon.com> <42D4E11C.2080100@mnemon.de> <42D5291E.7090308@gmx.co.uk> <42D6589E.5090707@ufomechanic.net> Message-ID: <42D68B25.6010305@mnemon.de> Amin Azez wrote: > Quite so, but output filtering can also be applied to a > firewall/router/bridge with no user accounts. Definitely this is true. But why would you want to apply output filtering to a firewall, ..., without any user account? I can't see the point in this, if we are talking about general output filtering like having a DROP policy in OUTPUT. Only locally generated packets go through OUTPUT and most likely you want this traffic (proxies, ...). Given that there is no config error, if there is unwanted traffic on the box - let's say IRC - chances are best that the box is compromised and, as there is no user account, the intruder has root privileges. So he is perfectly able to circumvent any filtering. So, output filtering didn't help. Of course there are good reasons for single OUTPUT rules - this list helped me to remember identd, which caused a response delay of about 30s - but this is not general. Maybe I'm missing important views, but I can't see that output filtering makes sense. Have a nice time, Joerg From primero at fastwebnet.it Thu Jul 14 18:00:59 2005 
From: primero at fastwebnet.it (primero) Date: Thu Jul 14 18:17:14 2005 Subject: DNS and NAT In-Reply-To: References: Message-ID: <42D68C3B.30002@fastwebnet.it> Suzana Lojic-Skoric wrote: >> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE >> >> and everything is as described. >> > Yes, you are right, but the problem is that between my inside client and > the NAT gateway I have a machine that drops everything that is not > 10.x.x.x. I know, I know, it is insane... but my job is to find a > solution for DNS in such a network. > > So basically, my inside network can only route 10.x.x.x and everything > else is dropped. > >> As /dev/rob0 pointed out, if you don't want your clients to talk with >> google directly use proxies. >> > > I'll check out the proxy idea. Thanks for your input. > > Suzana > You could use a proxy, but this would not solve your problem of 'having a machine that drops everything that is not 10.x.x.x' ... even with a proxy you would need at least that machine to be able to access the public Internet. Maybe I missed the point ... but if you cannot access anything else than 10.x.x.x because something between the clients and the default gateway would drop it, I don't see any escape other than configuring the proxy on your NAT device, because it should have no problem accessing the public Internet. Bye Francesco From alex at milivojevic.org Thu Jul 14 19:21:09 2005 
From: alex at milivojevic.org (Aleksandar Milivojevic) Date: Thu Jul 14 19:37:36 2005 Subject: Netfilter and IPSec interaction Message-ID: <20050714122109.bl71ded9gkkoc0c4@www.milivojevic.org> I'm writing a set of firewall rules for an IPSec based VPN, and have a couple of questions. I know that packets are supposed to go through the Netfilter tables twice (as received from the wire, and then as output by the IPSec module). However, what I noticed is that this seems to be true only for incoming packets. The outgoing packets seem to go through the Netfilter tables only once. For example, I've placed a bunch of LOG rules in every chain of the filter and mangle tables, logging all icmp and esp protocol packets. I've placed them as the very first rules in each chain, so basically they should log everything that goes on. I've observed this when pinging a host on the remote network (over the IPSec tunnel): Sending ICMP ping, only one pass:
mangle PREROUTING   cleartext icmp packet
FORWARD             cleartext icmp packet
filter FORWARD      cleartext icmp packet
mangle POSTROUTING  encrypted esp packet
Basically the packet went through the Netfilter tables only once, with IPSec kicking in somewhere between filter's FORWARD and mangle's POSTROUTING chains. I would expect the encrypted packet to also go through filter's and mangle's OUTPUT chains. After all, the esp packet is locally generated. But it never got there, it just went straight to mangle's POSTROUTING chain and hopped onto the wire. On the other hand, the return packet was handled as expected (this part included more as reference): Receiving ICMP pong, first pass:
mangle PREROUTING   encrypted esp packet
INPUT               encrypted esp packet
filter INPUT        encrypted esp packet
IPSec kicks in, and we have a second pass:
mangle PREROUTING   cleartext icmp packet
FORWARD             cleartext icmp packet
filter FORWARD      cleartext icmp packet
mangle POSTROUTING  cleartext icmp packet
So, my question is, is something going wrong here, or is this asymmetry by design? 
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From porterde at hendrix.edu Thu Jul 14 20:25:31 2005 From: porterde at hendrix.edu (Don Porter) Date: Thu Jul 14 20:41:29 2005 Subject: Delay rejecting packets on OUTPUT chain Message-ID: <1121365531.3241.13.camel@augustine> I have iptables configured with a policy of DROP on the OUTPUT chain, followed by various ACCEPT rules, and then I append a REJECT extension on the chain. I have a simple test application that tries to open a TCP socket to another machine. This application runs in a few tenths of a second when the OUTPUT chain is configured to ACCEPT, even if the packet is rejected on the other machine's INPUT chain. If I DROP and REJECT the traffic on the OUTPUT chain, however, it consistently takes about 3 seconds to run (and, obviously, even longer without the REJECT). So why is it that it takes so much longer for the test to fail when the packet is rejected on the box than when it goes across the wire and back? Any insights/advice on this would be greatly appreciated. Don Porter From cmmorales at mail.com Thu Jul 14 20:40:51 2005 From: cmmorales at mail.com (Morales Carlos) Date: Thu Jul 14 20:56:54 2005 Subject: Doubt about forwarding. Please, Help me! Message-ID: <20050714184051.CE18E6F027@ws1-5.us4.outblaze.com> Hello. I have a firewall blocking all the traffic from the Internet to my local network, but I need to let an external host (extHOST) access port 8888 (for example) of an internal host (intHOST). Is this correct? The external LAN adapter is eth1. /sbin/iptables -t nat -A PORTFW -p tcp -i eth1 -s extHOST --dport 8888 -j DNAT --to-destination intHOST:8888 Thanks, please email me at cmmorales@mail.com Carlos -- ___________________________________________________________ Sign-up for Ads Free at Mail.com http://promo.mail.com/adsfreejump.htm From primero at fastwebnet.it Thu Jul 14 20:46:51 2005 
From: primero at fastwebnet.it (Francesco Ciocchetti) Date: Thu Jul 14 21:05:18 2005 Subject: Doubt about forwarding. Please, Help me! In-Reply-To: <20050714184051.CE18E6F027@ws1-5.us4.outblaze.com> References: <20050714184051.CE18E6F027@ws1-5.us4.outblaze.com> Message-ID: <42D6B31B.9010902@fastwebnet.it> Morales Carlos wrote: >Hello. I have a firewall blocking all the traffic from the Internet to my local network, but I need to let an external host (extHOST) access port 8888 (for example) of an internal host (intHOST). Is this correct? The external LAN adapter is eth1. > > /sbin/iptables -t nat -A PORTFW -p tcp -i eth1 -s extHOST --dport 8888 -j DNAT --to-destination intHOST:8888 > >Thanks, please email me at cmmorales@mail.com >Carlos > > > > > > As long as there is a jump to PORTFW in the PREROUTING chain of the nat table it is ok. What you need is a DNAT in the nat table's PREROUTING chain, and a rule to allow traffic to the DNATted destination port 8888 in the filter table's FORWARD chain. Bye Francesco From cmmorales at mail.com Thu Jul 14 21:11:00 2005 From: cmmorales at mail.com (Morales Carlos) Date: Thu Jul 14 21:26:59 2005 Subject: Doubt about forwarding. Please, Help me! Message-ID: <20050714191101.230C61F50B1@ws1-2.us4.outblaze.com> Thank you Francesco, could you write the lines for that? I'm just beginning with netfilter. I'm LOST. Thanks a lot. Carlos From eduardao at gmail.com Thu Jul 14 21:17:21 2005 From: eduardao at gmail.com (Marcos Eduardo Nunes) Date: Thu Jul 14 21:34:04 2005 Subject: off-toppic file too big Message-ID: <2658c3fc050714121726b7af82@mail.gmail.com> Hi... I get this message on my server: "ls: store.log: Value too large for defined data type" followed by "total 0" ... I can't delete the file... What can I do? Eduardo From glaucius at gmail.com Thu Jul 14 21:20:20 2005 
From: glaucius at gmail.com (Glaucius Djalma Pereira Junior) Date: Thu Jul 14 21:36:20 2005 Subject: Doubt about forwarding. Please, Help me! In-Reply-To: <20050714191101.230C61F50B1@ws1-2.us4.outblaze.com> References: <20050714191101.230C61F50B1@ws1-2.us4.outblaze.com> Message-ID: iptables -t nat -A PREROUTING -p tcp --dport 8888 -i eth1 -d EXT_IP -j DNAT --to INT_IP and the rule to allow the packet back iptables -t nat -A POSTROUTING -s INT_IP -p tcp --sport 8888 -j SNAT --to EXT_IP Simple, with these two rules you can redirect the port to your internal host. best regards -- Glaucius Djalma Pereira Junior glaucius@gmail.com From sbasurtoj at yahoo.com Thu Jul 14 21:50:26 2005 
From: sbasurtoj at yahoo.com (Sergio Basurto Juarez) Date: Thu Jul 14 22:06:26 2005 Subject: Doubt about forwarding. Please, Help me! In-Reply-To: <20050714184051.CE18E6F027@ws1-5.us4.outblaze.com> Message-ID: <20050714195026.4628.qmail@web33004.mail.mud.yahoo.com> --- Morales Carlos wrote: > Hello. I have a firewall blocking all the traffic > from the Internet to my local network, but I need to > let an external host (extHOST) access port > 8888 (for example) of an internal host (intHOST). Is > this correct? The external LAN adapter is eth1. > > /sbin/iptables -t nat -A PORTFW -p tcp -i eth1 -s > extHOST --dport 8888 -j DNAT --to-destination > intHOST:8888 > > Thanks, please email me at cmmorales@mail.com > Carlos > Your iptables rule is good; if you are new to iptables, maybe it is better to insert your rule in the chain PREROUTING, so the rule becomes: iptables -t nat -A PREROUTING -p tcp -i eth1 -s extHOST --dport 8888 -j DNAT --to intHOST:8888 Also remember to enable ip_forwarding with echo "1" > /proc/sys/net/ipv4/ip_forward Besides, you must have a couple of rules in the FORWARD chain like: # Letting go the traffic from your net to anywhere iptables -I FORWARD -s $INTNET -d $UNIVERSE -j ACCEPT # Now just letting in only the related traffic to a # connection that begins from your net. iptables -A FORWARD -s $UNIVERSE -d $INTNET -m state \ --state ESTABLISHED,RELATED -j ACCEPT # Finally deny anything else. iptables -A FORWARD -j DROP I don't think you have to DNAT the output traffic. I hope this helps. Regards. -- Sergio Basurto J. If I have seen further it is by standing on the shoulders of giants. (Isaac Newton) -- __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From s_lojic at hotmail.com Thu Jul 14 22:33:32 2005 
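The three threads above (Jörg's MASQUERADE explanation in "DNS and NAT", curby's step list in "dnatting", and the port-forward rules in "Doubt about forwarding") all come down to one mechanism: the nat table rewrites the first packet of a connection, and connection tracking reverses that rewrite on the replies. The following is an added example, not code from any of the posters: a toy model of a NAT box with DNAT, an optional hairpin SNAT, MASQUERADE and a conntrack table, run through the four cases the threads discuss. Addresses are the ones used in the threads (1.2.3.4, 192.168.10.0/24, 216.239.39.99); the external client 203.0.113.5, the port numbers and the "switch delivers LAN-to-LAN packets without the router" rule are assumptions of the model.

```python
"""Toy model of netfilter NAT plus connection tracking (added example, not code
from the thread). It shows why a DNAT-only port forward fails for a LAN client
("hairpin"), why an extra SNAT fixes it, and how conntrack reverse-translates
the replies of MASQUERADEd and port-forwarded flows with no extra rule.
Addresses follow the thread; 203.0.113.5 and the port numbers are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LAN_PREFIX = "192.168.10."
Key = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> Key:
        return (self.src, self.sport, self.dst, self.dport)

    def reply(self) -> "Packet":
        """The packet the receiver sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


@dataclass
class NatBox:
    """dnat models nat/PREROUTING DNAT rules keyed by (dst, dport); hairpin_snat
    models an extra nat/POSTROUTING SNAT for LAN->LAN forwarded traffic;
    MASQUERADE applies to anything leaving toward the internet. conntrack maps
    the reply tuple the box will see to the reply the original sender expects."""
    ext_ip: str = "1.2.3.4"
    lan_ip: str = "192.168.10.1"
    dnat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    hairpin_snat: bool = False
    conntrack: Dict[Key, Packet] = field(default_factory=dict)

    def handle(self, pkt: Packet) -> Packet:
        # Reply direction: conntrack undoes every translation at once.
        if pkt.key() in self.conntrack:
            return self.conntrack[pkt.key()]
        # Original direction, nat/PREROUTING: DNAT by (dst, dport).
        dst, dport = self.dnat.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
        # nat/POSTROUTING: SNAT a hairpinned LAN->LAN flow only if that rule
        # exists; MASQUERADE LAN->internet flows.
        src = pkt.src
        if on_lan(pkt.src) and on_lan(dst):
            if self.hairpin_snat:
                src = self.lan_ip
        elif on_lan(pkt.src):
            src = self.ext_ip
        out = Packet(src, pkt.sport, dst, dport)
        self.conntrack[out.reply().key()] = pkt.reply()
        return out


def deliver(pkt: Packet, box: NatBox) -> Packet:
    """Two LAN hosts talk directly over the switch, so the router never sees
    that packet; anything addressed to the router or the internet crosses it."""
    if on_lan(pkt.src) and on_lan(pkt.dst) and pkt.dst != box.lan_ip:
        return pkt
    return box.handle(pkt)


def roundtrip(box: NatBox, request: Packet, trace: Optional[List[str]] = None) -> str:
    """Send request, let the server answer, report whether the client's socket
    accepts the answer: it must come from the address and port the client sent to."""
    log = trace if trace is not None else []
    log.append(f"client sends   {request}")
    at_server = deliver(request, box)
    log.append(f"server sees    {at_server}")
    reply = at_server.reply()
    log.append(f"server replies {reply}")
    at_client = deliver(reply, box)
    log.append(f"client sees    {at_client}")
    return "accepted" if at_client == request.reply() else "dropped"


PORT_FORWARD = {("1.2.3.4", 80): ("192.168.10.10", 80)}  # the thread's DNAT rule


def hairpin(with_snat: bool, trace: Optional[List[str]] = None) -> str:
    """LAN client browses to the public address of the forwarded server."""
    box = NatBox(dnat=dict(PORT_FORWARD), hairpin_snat=with_snat)
    return roundtrip(box, Packet("192.168.10.53", 40001, "1.2.3.4", 80), trace)


def port_forward_from_internet(trace: Optional[List[str]] = None) -> str:
    """External client uses the same forward; no SNAT rule is needed for the reply."""
    box = NatBox(dnat=dict(PORT_FORWARD))
    return roundtrip(box, Packet("203.0.113.5", 50000, "1.2.3.4", 80), trace)


def masquerade(trace: Optional[List[str]] = None) -> str:
    """LAN client talks to an internet host through MASQUERADE."""
    return roundtrip(NatBox(), Packet("192.168.10.53", 40002, "216.239.39.99", 80), trace)


if __name__ == "__main__":
    cases = (("hairpin, DNAT only", lambda t: hairpin(False, t)),
             ("hairpin, DNAT + SNAT", lambda t: hairpin(True, t)),
             ("port forward from internet", port_forward_from_internet),
             ("masquerade", masquerade))
    for name, fn in cases:
        t: List[str] = []
        print(f"{name}: {fn(t)}")
        print("\n".join("  " + line for line in t))
```

The DNAT-only hairpin is dropped because the server's reply goes straight across the switch to the client, never reaching the router's conntrack table, so the client sees a reply from 192.168.10.10 for a connection it opened to 1.2.3.4. With the extra SNAT the server answers the router instead, and one conntrack lookup puts both the source (1.2.3.4) and the destination (192.168.10.53) back. The external port forward and the MASQUERADE case need no second rule at all, which is Sergio's point about not translating the return traffic by hand.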
From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Thu Jul 14 23:07:27 2005 Subject: DNS and NAT In-Reply-To: <42D68C3B.30002@fastwebnet.it> Message-ID: 
>From: primero >To: Suzana Lojic-Skoric >CC: harmuth@mnemon.de, netfilter@lists.netfilter.org >Subject: Re: DNS and NAT >Date: Thu, 14 Jul 2005 18:00:59 +0200 > >Suzana Lojic-Skoric wrote: > >>>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE >>> >>>and everything is as described. >>> >>Yes, you are right, but the problem is that between my inside client and the >>NAT gateway I have a machine that drops everything that is not 10.x.x.x. I >>know, I know, it is insane... but my job is to find a solution for DNS in >>such a network. >> >>So basically, my inside network can only route 10.x.x.x and everything >>else is dropped. >> >>>As /dev/rob0 pointed out, if you don't want your clients to talk with >>>google directly use proxies. >>> >> >>I'll check out the proxy idea. Thanks for your input. >> >>Suzana >> >You could use a proxy, but this would not solve your problem of 'having a >machine that drops everything that is not 10.x.x.x' ... even with a proxy >you would need at least that machine to be able to access the public >Internet. > >Maybe I missed the point ... but if you cannot access anything else than >10.x.x.x because something between the clients and the default gateway would drop it, I >don't see any escape other than configuring the proxy on your NAT device, >because it should have no problem accessing the public Internet. > >Bye >Francesco I don't think a proxy can help because it is just caching the web pages, it does not change the IP addresses. I'll check if tunneling can help; if not, then I'll have to change iptables to inspect the DNS answer and replace the IP in the payload. Thanks for the help, Suzana _________________________________________________________________ Take advantage of powerful junk e-mail filters built on patented Microsoft® SmartScreen Technology. 
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines Start enjoying all the benefits of MSN® Premium right now and get the first two months FREE*. From opie at 817west.com Fri Jul 15 00:59:26 2005 From: opie at 817west.com (Jason Opperisano) Date: Fri Jul 15 01:18:32 2005 Subject: off-toppic file too big In-Reply-To: <2658c3fc050714121726b7af82@mail.gmail.com> References: <2658c3fc050714121726b7af82@mail.gmail.com> Message-ID: <20050714225926.GA30194@bender.817west.com> On Thu, Jul 14, 2005 at 04:17:21PM -0300, Marcos Eduardo Nunes wrote: > Hi... > > I have this message at my server: "ls: store.log: Valor muito extenso > para o tipo de dados definido total 0" ... I can't delete the file... > what could I do??? stab in the dark: cat /dev/null > store.log rm store.log -j -- "Joe Swanson: You can't just come over here and annex my pool! Peter: Oh yeah? Well, according to paragraph 7, sentence 3, word 8 of the Geneva Convention..."the." So, tough luck, Swanson." --Family Guy From jengelh at linux01.gwdg.de Fri Jul 15 09:56:33 2005 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Fri Jul 15 10:12:41 2005 Subject: off-toppic file too big In-Reply-To: <20050714225926.GA30194@bender.817west.com> References: <2658c3fc050714121726b7af82@mail.gmail.com> <20050714225926.GA30194@bender.817west.com> Message-ID: >stab in the dark: > > cat /dev/null > store.log /dev/zero... > rm store.log Jan Engelhardt -- | Alphagate Systems, http://alphagate.hopto.org/ From harmuth at mnemon.de Fri Jul 15 10:53:17 2005 
From: harmuth at mnemon.de (Jörg Harmuth) Date: Fri Jul 15 11:16:48 2005 Subject: DNS and NAT In-Reply-To: References: Message-ID: <42D7797D.2050203@mnemon.de> Suzana Lojic-Skoric wrote: > I don't think a proxy can help because it is just caching the web pages, > it does not change the IP addresses. I'll check if tunneling can help; > if not, then I'll have to change iptables to inspect the DNS answer and > replace the IP in the payload. No. Introducing a proxy at the right location is much more than just caching web sites. It means significant changes to at least the IP headers. Whether a proxy helps you or not depends totally on where you place the proxy. If you place it on the nat box (like primero said) or between this nasty dropping box and the nat box, everything is probably fine. The requests will then go to 10.x.x.x and the answers will originate from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the *data* part of the 4th packet - not in the headers (headers are src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't scan the packets' payload for proxy requests and the like and drop them, everything should work. If, on the other side, it is only possible to place the proxy between the clients and this nasty dropping box, you're out of luck and a proxy does not help at all. But as far as I understood - and you provided information - you have access to the nat box. So, this should not be the case. BTW, would you please be so kind as to provide sufficient information about your problem in the first posting (introducing this nasty box changes the whole situation)? This way people who want to help you do not have to feel like the "Oracle of Delphi" ;) Thanks. Have a nice time, Joerg From revelation75214 at yahoo.com Fri Jul 15 04:33:49 2005 
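Suzana's fallback in the message above, inspecting each DNS answer and replacing the public IP in the payload with something the 10/8-only network can route, is a DNS ALG ("DNS doctoring"); it does not need to live inside iptables. The following is an added example, not code from the thread: a userspace rewriter that parses a DNS response, swaps every A record's rdata for a placeholder from 10.1.1.0/24, remembers the placeholder-to-real mapping, and emits the nat-table rules the NAT box would need so that traffic to a placeholder is DNATed to the real host (conntrack handles the replies, as Jörg described). The answer it processes is constructed inline; the pool, the rule text and all function names are assumptions of this example.

```python
"""Minimal DNS 'doctoring' forwarder (added example, not code from the thread):
rewrite A records in a response to 10.1.1.0/24 placeholders, keep the map, and
print the DNAT rules the NAT box needs. The sample message is constructed here;
the pool and the rule text are assumptions."""
import socket
import struct
from typing import Dict, List, Tuple

POOL = "10.1.1."          # placeholder pool routable inside the 10/8-only network
TYPE_A, CLASS_IN = 1, 1


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels: List[str] = []
    end, jumped, hops = off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def walk_rrs(msg: bytes) -> List[Tuple[str, int, int, int, int]]:
    """(name, type, class, rdata offset, rdlength) for every RR after the question."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE, QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rrs.append((name, rtype, rclass, off, rdlen))
        off += rdlen
    return rrs


def a_records(msg: bytes) -> List[Tuple[str, str]]:
    return [(name, socket.inet_ntoa(msg[o:o + 4]))
            for name, t, c, o, n in walk_rrs(msg) if (t, c, n) == (TYPE_A, CLASS_IN, 4)]


class Doctor:
    def __init__(self) -> None:
        self.real_to_fake: Dict[str, str] = {}
        self.fake_to_real: Dict[str, str] = {}

    def placeholder(self, real: str) -> str:
        """One placeholder per real address, reused when the same address recurs."""
        if real not in self.real_to_fake:
            n = len(self.real_to_fake) + 1
            if n > 254:
                raise RuntimeError("placeholder pool exhausted")
            fake = f"{POOL}{n}"
            self.real_to_fake[real] = fake
            self.fake_to_real[fake] = real
        return self.real_to_fake[real]

    def rewrite(self, msg: bytes) -> bytes:
        """Rewrite A rdata in place (4 bytes for 4 bytes, so no offset or length
        elsewhere in the message changes). Queries (QR bit clear) pass untouched."""
        if not struct.unpack_from("!H", msg, 2)[0] & 0x8000:
            return msg
        out = bytearray(msg)
        for _name, t, c, o, n in walk_rrs(msg):
            if (t, c, n) != (TYPE_A, CLASS_IN, 4):
                continue
            real = socket.inet_ntoa(msg[o:o + 4])
            if real.startswith("10."):                  # already reachable inside
                continue
            out[o:o + 4] = socket.inet_aton(self.placeholder(real))
        return bytes(out)

    def nat_rules(self) -> List[str]:
        """Rules for the NAT box: placeholder -> real host; conntrack reverses them."""
        rules = [f"iptables -t nat -A PREROUTING -d {fake} -j DNAT --to-destination {real}"
                 for fake, real in self.fake_to_real.items()]
        rules.append("iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE")
        return rules


def build_answer(name: str, addrs: List[str], flags: int = 0x8180) -> bytes:
    """Constructed DNS message: one A question and one A RR per address, with the
    RR names compressed as a pointer to the question name at offset 12."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    for a in addrs:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + socket.inet_aton(a)
    return msg


if __name__ == "__main__":
    doc = Doctor()
    answer = build_answer("google.com", ["216.239.39.99", "216.239.37.99"])
    print(a_records(doc.rewrite(answer)))
    print("\n".join(doc.nat_rules()))
```

Two practical constraints go with this: the DNAT rule for a placeholder must be installed on the NAT box before the client opens its connection (the forwarder should add it synchronously when it hands out a new placeholder), and the mapping must outlive the TTL the client caches, so a pool of 254 addresses is only enough for a handful of destinations. It also depends on the NAT box itself reaching the public Internet, which is the same requirement primero pointed out for the proxy.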
From: revelation75214 at yahoo.com (Juan Palacios) Date: Fri Jul 15 14:14:15 2005 Subject: Firewall For XANDROS OC Message-ID: <20050715023349.87338.qmail@web34010.mail.mud.yahoo.com> Hello, I am looking for a simple firewall for Xandros Open Circulation that doesn't require programming, DOS, etc. Just a firewall that's easy to install that will work on Xandros Open Circulation. A point-and-click interface like SYGATE, ZONE ALARM, etc. Sorry to bother the iptables guys, but I figured that you guys would know best. I mean, if you can handle iptables I'm sure you guys can handle an interface-type firewall with a GUI. Thanks. From jsullivan at opensourcedevel.com Fri Jul 15 14:30:24 2005 
From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Fri Jul 15 14:46:39 2005 Subject: Firewall For XANDROS OC In-Reply-To: <20050715023349.87338.qmail@web34010.mail.mud.yahoo.com> References: <20050715023349.87338.qmail@web34010.mail.mud.yahoo.com> Message-ID: <1121430624.3017.12.camel@localhost> On Thu, 2005-07-14 at 19:33 -0700, Juan Palacios wrote: > Hello, > > I am looking for a simple firewall for xandros > open circulation that doesn't require programming, > dos, ect.. > Just a firewall that's easy to install that will work > on xandros open circulation. Point and click interface > like SYGATE, ZONE ALARM, ECT..sorry to bother the ip > tables guys but i figured that you guys would know > best. I mean if you can handle ip tables im sure you > guys can handle a interface type firewall with gui. You can search the mailing list archives for similar discussion. I am aware of fwbuilder (http://www/fwbuilder.org) which is a very powerful rule creator. There was another php based project discussed on this list a while ago but I've forgotten its name. Many seemed to like it because of its simplicity. Unlike fwbuilder, it gave direct control over the rule creation process. On the other extreme and yet unfinished is ISCS (http://iscs.sourceforge.net) which isn't a rule configurator at all. It looks at the entire environment, user authentication, access control, VPN, routing, PKI, creates device specific rule sets without conflict for each of the subsystems and automatically distributes them to the end devices. Hope this helps - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@opensourcedevel.com Financially sustainable open source development http://www.opensourcedevel.com From gtaylor at riverviewtech.net Fri Jul 15 16:55:12 2005 
From: gtaylor at riverviewtech.net (Taylor, Grant) Date: Fri Jul 15 17:15:18 2005 Subject: Netfilter and IPSec interaction In-Reply-To: <20050714122109.bl71ded9gkkoc0c4@www.milivojevic.org> References: <20050714122109.bl71ded9gkkoc0c4@www.milivojevic.org> Message-ID: <42D7CE50.1000904@riverviewtech.net> Aleksandar Milivojevic wrote: > I'm writing a set of firewall rules for an IPSec based VPN, and have a couple of > questions. > > I know that packets are supposed to go through the Netfilter tables twice (as > received from the wire, and then as output by the IPSec module). However, what I > noticed is that this seems to be true only for incoming packets. The outgoing > packets seem to go through the Netfilter tables only once. What kernel are you running, and have you applied the four Patch-o-Matic (NG) IPSec patches that are meant to address this very issue? Word to the wise, I've had problems applying said patches such that I had to edit the info file inside of the /patchlets/ipsec-0-/ directory and remove the dependencies on other patches. I've found that patch 01 would not apply because it was looking for a different patch that does not exist, as it has already been applied to the 2.6.10 and 2.6.12.2 (others unknown) kernel. Once patch 01 has been applied, 02 and 03 should go ok, but 04 does not see that 03 has been applied. If you remove the dependency (or require word, whatever) on patch 03, then patch 04 will (test and) apply cleanly to a kernel with patches 01, 02, and 03 already in place. Has anyone else experienced such problems with applying the IPSec-0x patches? Grant. . . . From ghenry at suretecsystems.com Fri Jul 15 17:11:51 2005 
From: ghenry at suretecsystems.com (Gavin Henry) Date: Fri Jul 15 17:29:20 2005 Subject: Firewall For XANDROS OC In-Reply-To: <1121430624.3017.12.camel@localhost> References: <20050715023349.87338.qmail@web34010.mail.mud.yahoo.com> <1121430624.3017.12.camel@localhost> Message-ID: <35386.193.195.148.66.1121440311.squirrel@webmail.suretecsystems.com> > On Thu, 2005-07-14 at 19:33 -0700, Juan Palacios wrote: >> Hello, >> >> I am looking for a simple firewall for xandros >> open circulation that doesn't require programming, >> dos, etc. >> Just a firewall that's easy to install that will work >> on xandros open circulation. Point and click interface >> like SYGATE, ZONE ALARM, ETC. Sorry to bother the ip >> tables guys but I figured that you guys would know >> best. I mean if you can handle ip tables I'm sure you >> guys can handle an interface type firewall with a gui. > > You can search the mail list archives for similar discussion. I am > aware of fwbuilder (http://www.fwbuilder.org) which is a very powerful > rule creator. There was another php based project discussed on this > list a while ago but I've forgotten its name. Many seemed to like it > because of its simplicity. Unlike fwbuilder, it gave direct control over > the rule creation process. On the other extreme and yet unfinished is > ISCS (http://iscs.sourceforge.net) which isn't a rule configurator at > all. It looks at the entire environment, user authentication, access > control, VPN, routing, PKI, creates device specific rule sets without > conflict for each of the subsystems and automatically distributes them > to the end devices. Firestarter is similar to Zone Alarm in most respects: http://www.fs-security.com/ > > Hope this helps - John > -- > John A. Sullivan III > Open Source Development Corporation > +1 207-985-7880 > jsullivan@opensourcedevel.com > > Financially sustainable open source development > http://www.opensourcedevel.com > > > From s_lojic at hotmail.com Fri Jul 15 18:30:57 2005
From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Fri Jul 15 18:47:03 2005 Subject: DNS and NAT In-Reply-To: <42D7797D.2050203@mnemon.de> Message-ID: 
>From: Jörg Harmuth >To: netfilter@lists.netfilter.org >Subject: Re: DNS and NAT >Date: Fri, 15 Jul 2005 10:53:17 +0200 > >Suzana Lojic-Skoric schrieb: > > > I don't think proxy can help because it is just caching the web pages, > > it does not change the IP addresses. I'll check if tunneling can help, > > if not then I'll have to change iptables to inspect DNS answer and > > replace the IP in the payload. > >No. Introducing a proxy at the right location is much more than just >caching web sites. It means significant changes, at least to the IP >headers. > >Whether a proxy helps you or not depends totally on where you place the >proxy. If you place it on the nat box (like primero said) or between >this nasty dropping box and the nat box, everything is probably fine. >The requests will then go to 10.x.x.x and the answers will originate >from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the >*data* part of the 4th packet - not in the headers (headers are >src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't >scan the packets' payload for proxy requests and the like and drops them, >everything should work. I can put the proxy on the NAT machine. As I said, right now just with the NAT, if I send a DNS request for google.com from the client 10.0.0.1 behind the nasty dropping box, it will go out through the nasty dropping box and the NAT gateway. NAT will change its 10.x.x.x source and destination from 10.x.x.x to some outside addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, its source and destination get translated back to 10.x.x.x and 10.0.0.1 destination, and the google address 216.239.39.99 is within the *data* part. This goes fine through the nasty dropping box back to the client 10.0.0.1. Client then takes the answer from the data part of the message, which is 216.239.39.99 and tries to contact it. It sends an HTTP message to destination 216.239.39.99.
This gets dropped on the nasty dropping box since it is not 10.x.x.x (This is what's happening when you type in www.google.com in the browser on the client 10.0.0.1). So the DNS request and answer can get through the internal network, but what I need is to somehow replace the 216.239.39.99 that is embedded in the DNS *data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is actually 216.239.39.99 to be able to translate it for outside. Do you still think proxy can help? > >If, on the other side, it is only possible to place the proxy between >the clients and this nasty dropping box, you're out of luck and a proxy >helps nothing at all. But as far as I understood - and you provided >information - you have access to the nat box. So, this should not be the >case. > >BTW, would you please be so kind and provide sufficient information >about your problem in the first posting (introducing this nasty box >changes the whole situation) ? This way people who want to help you do >not have to feel like the "Oracle of Delphi" ;) Thanks. I'll do it next time :) I was afraid it would be too long for anybody to read it. Thanks for your help. Suzana > >Have a nice time, > >Joerg > > _________________________________________________________________ Take advantage of powerful junk e-mail filters built on patented Microsoft® SmartScreen Technology. http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines Start enjoying all the benefits of MSN® Premium right now and get the first two months FREE*. From dufresne at sysinfo.com Fri Jul 15 18:45:10 2005
From: dufresne at sysinfo.com (R. DuFresne) Date: Fri Jul 15 18:55:21 2005 Subject: DNS and NAT In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Has anyone checked to see if besides pre/post routing rules this person has added the ip add majik to make NAT more seamless, I'm of course assuming a 1:1 NAT setup for a network rather than masq. And if they are using masq, perhaps a 1:1 NAT setup would quell their troubles so that it's IP based NAT rather than port based PNAT that is working against em...? Thanks, Ron DuFresne On Fri, 15 Jul 2005, Suzana Lojic-Skoric wrote:
> > >> From: Jörg Harmuth >> To: netfilter@lists.netfilter.org >> Subject: Re: DNS and NAT >> Date: Fri, 15 Jul 2005 10:53:17 +0200 >> >> Suzana Lojic-Skoric schrieb: >> >> > I don't think proxy can help because it is just caching the web pages, >> > it does not change the IP addresses. I'll check if tunneling can help, >> > if not then I'll have to change iptables to inspect DNS answer and >> > replace the IP in the payload. >> >> No. Introducing a proxy at the right location is much more than just >> caching web sites. It means significant changes, at least to the IP >> headers. >> >> Whether a proxy helps you or not depends totally on where you place the >> proxy. If you place it on the nat box (like primero said) or between >> this nasty dropping box and the nat box, everything is probably fine. >> The requests will then go to 10.x.x.x and the answers will originate >> from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the >> *data* part of the 4th packet - not in the headers (headers are >> src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't >> scan the packets' payload for proxy requests and the like and drops them, >> everything should work. > > I can put the proxy on the NAT machine. > As I said, right now just with the NAT, if I send a DNS request for > google.com from the client 10.0.0.1 behind the nasty dropping box, it will go > out through the nasty dropping box and the NAT gateway. NAT will change its > 10.x.x.x source and destination from 10.x.x.x to some outside addresses e.g. > 150.x.x.x. The DNS answer comes back to NAT, its source and destination get > translated back to 10.x.x.x and 10.0.0.1 destination, and the google address > 216.239.39.99 is within the *data* part. This goes fine through the nasty > dropping box back to the client 10.0.0.1. Client then takes the answer from > the data part of the message, which is 216.239.39.99 and tries to contact it.
> It sends an HTTP message to destination 216.239.39.99. This gets dropped on > the nasty dropping box since it is not 10.x.x.x (This is what's happening > when you type in www.google.com in the browser on the client 10.0.0.1). > So the DNS request and answer can get through the internal network, but what > I need is to somehow replace the 216.239.39.99 that is embedded in the DNS > *data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is actually > 216.239.39.99 to be able to translate it for outside. > > Do you still think proxy can help? >> >> If, on the other side, it is only possible to place the proxy between >> the clients and this nasty dropping box, you're out of luck and a proxy >> helps nothing at all. But as far as I understood - and you provided >> information - you have access to the nat box. So, this should not be the >> case. >> >> BTW, would you please be so kind and provide sufficient information >> about your problem in the first posting (introducing this nasty box >> changes the whole situation) ? This way people who want to help you do >> not have to feel like the "Oracle of Delphi" ;) Thanks. > > I'll do it next time :) I was afraid it would be too long for anybody to read > it. Thanks for your help. > > Suzana > >> >> Have a nice time, >> >> Joerg >> >> > > - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 ...We waste time looking for the perfect lover instead of creating the perfect love.
-Tom Robbins -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFC1+gast+vzJSwZikRAoIFAKCcx6voNEBSZNMlpZjTJIftXWUplwCcCV4K ETadeRA1YWhhsaNAASuZCsk= =PbUZ -----END PGP SIGNATURE----- From s_lojic at hotmail.com Fri Jul 15 19:04:26 2005 From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Fri Jul 15 19:20:37 2005 Subject: DNS and NAT In-Reply-To: Message-ID: >From: "R. DuFresne" >To: Suzana Lojic-Skoric >CC: harmuth@mnemon.de, netfilter@lists.netfilter.org >Subject: Re: DNS and NAT >Date: Fri, 15 Jul 2005 12:45:10 -0400 (EDT) > >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > > > >Has anyone checked to see if besides pre/post routing rules this person has >added the ip add majik to make NAT more seamless, I'm of course assuming a >1:1 NAT setup for a network rather than masq. And if they are using masq, >perhaps a 1:1 NAT setup would quell their troubles so that it's IP based >NAT rather than port based PNAT that is working against em...? > I have implemented PNAT in the inbound direction, meaning incoming traffic (from outside to the NAT box) is port forwarded to the appropriate servers inside. Why would PNAT work against me? Thanks, Suzana >Thanks, > >Ron DuFresne > > >On Fri, 15 Jul 2005, Suzana Lojic-Skoric wrote:
> >> >> >>>From: Jörg Harmuth >>>To: netfilter@lists.netfilter.org >>>Subject: Re: DNS and NAT >>>Date: Fri, 15 Jul 2005 10:53:17 +0200 >>> >>>Suzana Lojic-Skoric schrieb: >>> >>> > I don't think proxy can help because it is just caching the web pages, >>> > it does not change the IP addresses. I'll check if tunneling can help, >>> > if not then I'll have to change iptables to inspect DNS answer and >>> > replace the IP in the payload. >>> >>>No. Introducing a proxy at the right location is much more than just >>>caching web sites. It means significant changes, at least to the IP >>>headers. >>> >>>Whether a proxy helps you or not depends totally on where you place the >>>proxy. If you place it on the nat box (like primero said) or between >>>this nasty dropping box and the nat box, everything is probably fine. >>>The requests will then go to 10.x.x.x and the answers will originate >>>from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the >>>*data* part of the 4th packet - not in the headers (headers are >>>src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't >>>scan the packets' payload for proxy requests and the like and drops them, >>>everything should work. >> >>I can put the proxy on the NAT machine. >>As I said, right now just with the NAT, if I send a DNS request for >>google.com from the client 10.0.0.1 behind the nasty dropping box, it will >>go out through the nasty dropping box and the NAT gateway. NAT will change >>its 10.x.x.x source and destination from 10.x.x.x to some outside >>addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, its source >>and destination get translated back to 10.x.x.x and 10.0.0.1 destination, >>and the google address 216.239.39.99 is within the *data* part. This goes >>fine through the nasty dropping box back to the client 10.0.0.1. Client >>then takes the answer from the data part of the message, which is >>216.239.39.99 and tries to contact it.
It sends an HTTP message to >>destination 216.239.39.99. This gets dropped on the nasty dropping box >>since it is not 10.x.x.x (This is what's happening when you type in >>www.google.com in the browser on the client 10.0.0.1). >>So the DNS request and answer can get through the internal network, but >>what I need is to somehow replace the 216.239.39.99 that is embedded in >>the DNS *data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is >>actually 216.239.39.99 to be able to translate it for outside. >> >>Do you still think proxy can help? >>> >>>If, on the other side, it is only possible to place the proxy between >>>the clients and this nasty dropping box, you're out of luck and a proxy >>>helps nothing at all. But as far as I understood - and you provided >>>information - you have access to the nat box. So, this should not be the >>>case. >>> >>>BTW, would you please be so kind and provide sufficient information >>>about your problem in the first posting (introducing this nasty box >>>changes the whole situation) ? This way people who want to help you do >>>not have to feel like the "Oracle of Delphi" ;) Thanks. >> >>I'll do it next time :) I was afraid it would be too long for anybody to >>read it. Thanks for your help. >> >>Suzana >> >>> >>>Have a nice time, >>> >>>Joerg >>> >>> >> >> > >- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > admin & senior security consultant: sysinfo.com > http://sysinfo.com >Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 > >...We waste time looking for the perfect lover >instead of creating the perfect love.
> > -Tom Robbins >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.2.4 (GNU/Linux) > >iD8DBQFC1+gast+vzJSwZikRAoIFAKCcx6voNEBSZNMlpZjTJIftXWUplwCcCV4K >ETadeRA1YWhhsaNAASuZCsk= >=PbUZ >-----END PGP SIGNATURE----- From eduardao at gmail.com Fri Jul 15 19:38:12 2005 From: eduardao at gmail.com (Marcos Eduardo Nunes) Date: Fri Jul 15 19:54:22 2005 Subject: off-toppic file too big In-Reply-To: <20050714225926.GA30194@bender.817west.com> References: <2658c3fc050714121726b7af82@mail.gmail.com> <20050714225926.GA30194@bender.817west.com> Message-ID: <2658c3fc050715103849eb5400@mail.gmail.com> Thanks!!! So simple, so quick! Best regards, Eduardo :-)) On 7/14/05, Jason Opperisano wrote: > On Thu, Jul 14, 2005 at 04:17:21PM -0300, Marcos Eduardo Nunes wrote: > > Hi... > > > > I have this message at my server: "ls: store.log: Valor muito extenso > > para o tipo de dados definido total 0" ... I can't delete the file... > > what could I do??? > > stab in the dark: > > cat /dev/null > store.log > rm store.log > > -j > > -- > "Joe Swanson: You can't just come over here and annex my pool! > Peter: Oh yeah? Well, according to paragraph 7, sentence 3, word 8 of > the Geneva Convention..."the." So, tough luck, Swanson." > --Family Guy > > > From netfilter at tecnopolis.ca Fri Jul 15 20:36:11 2005
From: netfilter at tecnopolis.ca (Trevor Cordes) Date: Fri Jul 15 20:52:19 2005 Subject: SegFault on flush + IPSec and Nat on 2.6.10 fails In-Reply-To: References: Message-ID: <20050715183611.GB22834@pog.tecnopolis.ca> On Wed, Mar 02, 2005 at 05:21:16PM -0600, Robert Borger wrote: > > 2) I have two IPSec gateways with private subnets behind them. > Both the local gateway and the subnet behind it need secure > access to the subnet behind the remote gateway. I have > verified that the masquerading is working correctly without IPSec. > > The IPSec configuration creates a tunnel between the local > gateway and the subnet behind the remote gateway. > With IPSec active, packets from the local subnet to the remote subnet > are nated, encrypted, and sent out the tunnel. The return ping > packet comes back through the tunnel and is decrypted but doesn't > appear to be de-nated and routed on to the local subnet. It appears > to be destined for the address of the tunnel at the local gateway. > The gateway itself communicates with the remote subnet as intended. This is a known bug. NAT with native linux 2.6 IPSEC is broken/non-existent. There is a patch for 2.6.10, and maybe 2.6.11, that allows NAT to work with native IPSEC. I am using this patch successfully with 2.6.10 on many machines. However, I'm getting clobbered by another bug, probably the conntrack limit bug in 2.6.10. I have not yet gotten a working 2.6.11 NAT/IPSEC patch. I am unsure of the status of this situation and its resolution. I have put some good RH bugzilla bugs up for this stuff and anyone interested should CC to it and make some noise. The comments made there are also very interesting as to why the patches aren't in the mainstream kernel yet. ipsec/nat bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374 possible conntrack bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159181 From primero at fastwebnet.it Fri Jul 15 20:52:18 2005
From: primero at fastwebnet.it (Francesco Ciocchetti) Date: Fri Jul 15 21:11:08 2005 Subject: DNS and NAT In-Reply-To: References: Message-ID: <42D805E2.4050004@fastwebnet.it> Suzana Lojic-Skoric wrote: 
> > >> From: Jörg Harmuth >> To: netfilter@lists.netfilter.org >> Subject: Re: DNS and NAT >> Date: Fri, 15 Jul 2005 10:53:17 +0200 >> >> Suzana Lojic-Skoric schrieb: >> >> > I don't think proxy can help because it is just caching the web pages, >> > it does not change the IP addresses. I'll check if tunneling can help, >> > if not then I'll have to change iptables to inspect DNS answer and >> > replace the IP in the payload. >> >> No. Introducing a proxy at the right location is much more than just >> caching web sites. It means significant changes, at least to the IP >> headers. >> >> Whether a proxy helps you or not depends totally on where you place the >> proxy. If you place it on the nat box (like primero said) or between >> this nasty dropping box and the nat box, everything is probably fine. >> The requests will then go to 10.x.x.x and the answers will originate >> from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the >> *data* part of the 4th packet - not in the headers (headers are >> src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't >> scan the packets' payload for proxy requests and the like and drops them, >> everything should work. > > > I can put the proxy on the NAT machine. > As I said, right now just with the NAT, if I send a DNS request for > google.com from the client 10.0.0.1 behind the nasty dropping box, > it will go out through the nasty dropping box and the NAT gateway. NAT > will change its 10.x.x.x source and destination from 10.x.x.x to some > outside addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, > its source and destination get translated back to 10.x.x.x and > 10.0.0.1 destination, and the google address 216.239.39.99 is within > the *data* part. This goes fine through the nasty dropping box back to > the client 10.0.0.1. Client then takes the answer from the data part > of the message, which is 216.239.39.99 and tries to contact it.
It > sends an HTTP message to destination 216.239.39.99. This gets dropped > on the nasty dropping box since it is not 10.x.x.x (This is what's > happening when you type in www.google.com in the browser on the client > 10.0.0.1). > So the DNS request and answer can get through the internal network, > but what I need is to somehow replace the 216.239.39.99 that is > embedded in the DNS *data* with 10.z.z.z. Also my NAT needs to know > that 10.z.z.z is actually 216.239.39.99 to be able to translate it > for outside. > > Do you still think proxy can help? > with a *standard proxy* configured on the browser of client 10.0.0.1 your request for 216.239.39.99 will be in the payload of the proxy request that has the IP address of your proxy machine in the destination address field of the network layer ... it should be good for your nasty dropping box. From there the HTTP request will be managed by your proxy which will answer to your client with a connection completely inside the 10.x.x.x network. bye From s_lojic at hotmail.com Fri Jul 15 21:10:26 2005 From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Fri Jul 15 21:26:32 2005 Subject: DNS and NAT In-Reply-To: <42D805E2.4050004@fastwebnet.it> Message-ID: Thank you, Suzana >From: Francesco Ciocchetti >To: netfilter@lists.netfilter.org >Subject: Re: DNS and NAT >Date: Fri, 15 Jul 2005 20:52:18 +0200 > >Suzana Lojic-Skoric wrote:
> >> >> >>>From: Jörg Harmuth >>>To: netfilter@lists.netfilter.org >>>Subject: Re: DNS and NAT >>>Date: Fri, 15 Jul 2005 10:53:17 +0200 >>> >>>Suzana Lojic-Skoric schrieb: >>> >>> > I don't think proxy can help because it is just caching the web pages, >>> > it does not change the IP addresses. I'll check if tunneling can help, >>> > if not then I'll have to change iptables to inspect DNS answer and >>> > replace the IP in the payload. >>> >>>No. Introducing a proxy at the right location is much more than just >>>caching web sites. It means significant changes, at least to the IP >>>headers. >>> >>>Whether a proxy helps you or not depends totally on where you place the >>>proxy. If you place it on the nat box (like primero said) or between >>>this nasty dropping box and the nat box, everything is probably fine. >>>The requests will then go to 10.x.x.x and the answers will originate >>>from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the >>>*data* part of the 4th packet - not in the headers (headers are >>>src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't >>>scan the packets' payload for proxy requests and the like and drops them, >>>everything should work. >> >> >>I can put the proxy on the NAT machine. >>As I said, right now just with the NAT, if I send a DNS request for >>google.com from the client 10.0.0.1 behind the nasty dropping box, it will >>go out through the nasty dropping box and the NAT gateway. NAT will change >>its 10.x.x.x source and destination from 10.x.x.x to some outside >>addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, its source >>and destination get translated back to 10.x.x.x and 10.0.0.1 destination, >>and the google address 216.239.39.99 is within the *data* part. This goes >>fine through the nasty dropping box back to the client 10.0.0.1. Client >>then takes the answer from the data part of the message, which is >>216.239.39.99 and tries to contact it.
It sends an HTTP message to >>destination 216.239.39.99. This gets dropped on the nasty dropping box >>since it is not 10.x.x.x (This is what's happening when you type in >>www.google.com in the browser on the client 10.0.0.1). >>So the DNS request and answer can get through the internal network, but >>what I need is to somehow replace the 216.239.39.99 that is embedded in >>the DNS *data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is >>actually 216.239.39.99 to be able to translate it for outside. >> >>Do you still think proxy can help? >> >with a *standard proxy* configured on the browser of client 10.0.0.1 your >request for 216.239.39.99 will be in the payload of the proxy request that >has the IP address of your proxy machine in the destination address field >of the network layer ... it should be good for your nasty dropping box. >From there the HTTP request will be managed by your proxy which will >answer to your client with a connection completely inside the 10.x.x.x >network. > > >bye > > From netfilter at tecnopolis.ca Fri Jul 15 21:36:10 2005
From: netfilter at tecnopolis.ca (Trevor Cordes) Date: Fri Jul 15 21:52:23 2005 Subject: SNAT and IPSEC In-Reply-To: <1113329293.29536.13.camel@fly.in.iantel.com.uy> References: <1113329293.29536.13.camel@fly.in.iantel.com.uy> Message-ID: <20050715193610.GA24658@pog.tecnopolis.ca> NAT works great over IPSEC with the patches mentioned in previous replies. However, the patches only apply (AFAIK) to 2.6.10 or below. See my RH bugzilla entry and make some noise: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374 I've been using NAT over IPSEC with those patches with 2.6.10 for ages now and it works great, mostly. I sure wish a solution would be found to get this functionality in the mainstream netfilter/kernel code! Everyone who needs this should CC themselves to that bugzilla so we can get enough voices behind the effort. From s_lojic at hotmail.com Fri Jul 15 21:51:44 2005 From: s_lojic at hotmail.com (Suzana Lojic-Skoric) Date: Fri Jul 15 22:07:53 2005 Subject: DNS and NAT In-Reply-To: <42D805E2.4050004@fastwebnet.it> Message-ID: >From: Francesco Ciocchetti >To: netfilter@lists.netfilter.org >Subject: Re: DNS and NAT >Date: Fri, 15 Jul 2005 20:52:18 +0200 > >Suzana Lojic-Skoric wrote: 
> >> >> >>>From: Jörg Harmuth >>>To: netfilter@lists.netfilter.org >>>Subject: Re: DNS and NAT >>>Date: Fri, 15 Jul 2005 10:53:17 +0200 >>> >>>Suzana Lojic-Skoric schrieb: >>> >>> > I don't think proxy can help because it is just caching the web pages, >>> > it does not change the IP addresses. I'll check if tunneling can help, >>> > if not then I'll have to change iptables to inspect DNS answer and >>> > replace the IP in the payload. >>> >>>No. Introducing a proxy at the right location is much more than just >>>caching web sites. It means significant changes, at least to the IP >>>headers. >>> >>>Whether a proxy helps you or not depends totally on where you place the >>>proxy. If you place it on the nat box (like primero said) or between >>>this nasty dropping box and the nat box, everything is probably fine. >>>The requests will then go to 10.x.x.x and the answers will originate >>>from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the >>>*data* part of the 4th packet - not in the headers (headers are >>>src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't >>>scan the packets' payload for proxy requests and the like and drops them, >>>everything should work. >> >> >>I can put the proxy on the NAT machine. >>As I said, right now just with the NAT, if I send a DNS request for >>google.com from the client 10.0.0.1 behind the nasty dropping box, it will >>go out through the nasty dropping box and the NAT gateway. NAT will change >>its 10.x.x.x source and destination from 10.x.x.x to some outside >>addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, its source >>and destination get translated back to 10.x.x.x and 10.0.0.1 destination, >>and the google address 216.239.39.99 is within the *data* part. This goes >>fine through the nasty dropping box back to the client 10.0.0.1. Client >>then takes the answer from the data part of the message, which is >>216.239.39.99 and tries to contact it.
It sends an HTTP message to >>destination 216.239.39.99. This gets dropped on the nasty dropping box >>since it is not 10.x.x.x (This is what's happening when you type in >>www.google.com in the browser on the client 10.0.0.1). >>So the DNS request and answer can get through the internal network, but >>what I need is to somehow replace the 216.239.39.99 that is embedded in >>the DNS *data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is >>actually 216.239.39.99 to be able to translate it for outside. >> >>Do you still think proxy can help? >> >with a *standard proxy* configured on the browser of client 10.0.0.1 your >request for 216.239.39.99 will be in the payload of the proxy request that >has the IP address of your proxy machine in the destination address field >of the network layer ... it should be good for your nasty dropping box. >From there the HTTP request will be managed by your proxy which will >answer to your client with a connection completely inside the 10.x.x.x >network. > > >bye > Do you know if split DNS installed on the NAT gateway would do the trick too? Thanks, Suzana > _________________________________________________________________ Take charge with a pop-up guard built on patented Microsoft® SmartScreen Technology. http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines Start enjoying all the benefits of MSN® Premium right now and get the first two months FREE*. From netfilter at tecnopolis.ca Sat Jul 16 19:34:03 2005
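The DNS-rewriting idea raised in the "DNS and NAT" thread above (replace the public address carried in the *data* part of the DNS answer with a 10.z.z.z alias, and have the NAT box remember which real address the alias stands for) is shown below as an added example. It is not code from any poster on the list; the 10.200.0.0/24 alias pool is a hypothetical choice, and the DNS reply it works on is constructed in the block rather than captured from the wire.

```python
"""DNS answer rewriting ("DNS doctoring") as a NAT-side helper.

The rewriter parses a DNS reply, replaces every IN A rdata with an address
from a private pool, and keeps the alias -> real-address mapping the NAT box
needs to DNAT a client's later connection to 10.z.z.z back to the real host.
"""
import ipaddress
import struct

A_RECORD = 1
CLASS_IN = 1


def encode_name(name):
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, addresses, txid=0x1234, ttl=300):
    """Build a minimal DNS reply with one A record per address.

    Constructed sample standing in for the reply an upstream resolver would
    return to the NAT box; it is not a captured packet.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_RECORD, CLASS_IN)
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer back to the name in the question
        answers += struct.pack("!HHHIH", 0xC00C, A_RECORD, CLASS_IN, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_records(msg):
    """List the IN A addresses in a DNS message, in answer-section order."""
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    found = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            found.append(str(ipaddress.IPv4Address(bytes(msg[off:off + 4]))))
        off += rdlen
    return found


class DnsDoctor:
    """Rewrite A records in DNS replies to aliases from a private pool."""

    def __init__(self, pool="10.200.0.0/24"):  # hypothetical 10.z.z.z range
        self._free = ipaddress.ip_network(pool).hosts()
        self.public_to_private = {}
        self.private_to_public = {}

    def _alias_for(self, public):
        """Reuse an existing alias for a public address, or allocate one."""
        if public not in self.public_to_private:
            private = str(next(self._free))  # StopIteration once the pool is used up
            self.public_to_private[public] = private
            self.private_to_public[private] = public
        return self.public_to_private[public]

    def rewrite(self, msg):
        """Return a copy of msg with every IN A rdata replaced by its alias."""
        buf = bytearray(msg)
        _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(buf, off) + 4
        for _ in range(an):
            off = skip_name(buf, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
                public = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
                buf[off:off + 4] = ipaddress.IPv4Address(self._alias_for(public)).packed
            off += rdlen
        return bytes(buf)

    def real_address(self, private):
        """The address the NAT box should DNAT an alias to; None if never handed out."""
        return self.private_to_public.get(private)
```

Because an A record's rdata is always four bytes, the rewritten reply has the same length as the original, so only the UDP checksum would need recomputing on a real packet; the mapping must also outlive the record's TTL, since clients cache the alias. Split DNS, which Suzana asks about, is the static form of the same idea: an internal zone hands out the 10.z.z.z addresses directly and the NAT box carries a fixed alias table instead of allocating one per answer.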
From: netfilter at tecnopolis.ca (Trevor Cordes) Date: Sat Jul 16 20:05:32 2005 Subject: Netfilter and IPSec interaction In-Reply-To: <20050714122109.bl71ded9gkkoc0c4@www.milivojevic.org> References: <20050714122109.bl71ded9gkkoc0c4@www.milivojevic.org> Message-ID: <20050716173403.GA16509@pog.tecnopolis.ca> On Thu, Jul 14, 2005 at 12:21:09PM -0500, Aleksandar Milivojevic wrote: > I'm writing a set of firewall rules for an IPSec based VPN, and have a couple of > questions. > > I know that packets are supposed to go through Netfilter tables twice (as > received from the wire, and then as output by the IPSec module). However, what I > noticed is that this seems to be true only for incoming packets. The outgoing > packets seem to go through Netfilter tables only once. It drove me batty when I first ran into it... you are not alone. > So, my question is, is something going wrong here, or is this asymmetry by > design? No, it's a serious shortcoming of the design of the NAT/IPSEC code and needs to be addressed in the mainstream kernel yet no one AFAIK knows how to do it cleanly yet. See my RH bugzilla post and make some noise: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374 Grant's post gives an excellent summary. As per his hints, I'm going to try to get the ipsec/nat patches into the latest FC3 kernel (2.6.12) and see if I can get that working. My old patched 2.6.10 is getting long in the tooth and another old 2.6.10 mem leak bug is killing me once in a while. I'll report back. (Grant, are you for sure saying you got the patches to go into 2.6.12 and compile?) From jengelh at linux01.gwdg.de Sat Jul 16 23:21:36 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat Jul 16 23:37:48 2005
Subject: Zeroing chain counters
Message-ID:

Hi,

iptables -Z zeroes all rule counters, but how do I zero the chain counters
Chain INPUT (policy DROP 68946 packets, 3380061 bytes)?

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/

From: lopsch at lopsch.com (Daniel Lopes)
Date: Sun Jul 17 00:11:05 2005
Subject: Zeroing chain counters
In-Reply-To:
References:
Message-ID: <42D97EB5.30601@lopsch.com>

Jan Engelhardt wrote:
> Hi,
>
> iptables -Z zeroes all rule counters, but how do I zero the chain counters
> Chain INPUT (policy DROP 68946 packets, 3380061 bytes)?
>
> Jan Engelhardt

iptables -t filter -Z INPUT

From: jma at agile.dk (Jan Andersen)
Date: Sun Jul 17 12:47:54 2005
Subject: Martian source with 2 external interfaces
Message-ID: <20050717103025.A66F3B1B@agile.dk>

Hi

I have a setup with 3 interfaces, one for the LAN, one for a cable-modem and one for DSL.

What I want (and need) is to have both external interfaces running at the same time.

When I only have my LAN and one of the external interfaces running then everything is working just fine. But when I turn on both interfaces at the same time my machine is generating a huge amount of martian-source errors in the log. I even tried to turn off the firewall, but without luck.

Why is this happening, and how do I solve this problem?

Regards
Jan Andersen
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sun Jul 17 12:48:01 2005
Subject: Zeroing chain counters
In-Reply-To: <42D97EB5.30601@lopsch.com>
References: <42D97EB5.30601@lopsch.com>
Message-ID:

>> iptables -Z zeroes all rule counters, but how do I zero the chain counters
>> Chain INPUT (policy DROP 68946 packets, 3380061 bytes)?
>
> iptables -t filter -Z INPUT

No...

Jan Engelhardt
--

From: afshinlamei at gmail.com (afshin lamei)
Date: Sun Jul 17 14:04:54 2005
Subject: upgrade iptables
Message-ID: <3115d56e0507170448626b208d@mail.gmail.com>

hi all,
2 questions:
is there any patched source of iptables (with p-o-m), which i can just compile and use?
how can i upgrade from iptables 1.2.8 to 1.2.9, 1.3, ... etc? there is a patch named patch-iptables-1.2.8-1.2.9, can i apply it on an installed 1.2.8 one?
regards
afshin

From: rob0 at gmx.co.uk (/dev/rob0)
Date: Sun Jul 17 15:07:10 2005
Subject: Martian source with 2 external interfaces
In-Reply-To: <20050717103025.A66F3B1B@agile.dk>
References: <20050717103025.A66F3B1B@agile.dk>
Message-ID: <42DA5426.10108@gmx.co.uk>

Jan Andersen wrote:
> What I want (and need) is to have both external interfaces running at the
> same time.

http://www.ssi.bg/~ja/nano.txt
--
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
From: waruiinu at gmail.com (George Alexandru Dragoi)
Date: Sun Jul 17 15:13:34 2005
Subject: Martian source with 2 external interfaces
In-Reply-To: <20050717103025.A66F3B1B@agile.dk>
References: <20050717103025.A66F3B1B@agile.dk>
Message-ID: <3063e505071705576be41f03@mail.gmail.com>

for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
    echo 0 > $i
done

And you are done :). I believe you have the problem because some packets go out on one interface and come back on the other, a common thing with asymmetric routing. I doubt you have hundreds of thousands of routes, so you must use some complicated setup for your load balancing to get those errors.

On 7/17/05, Jan Andersen wrote:
> Hi
>
> I have a setup with 3 interfaces, one for the LAN, one for a cable-modem and
> one for DSL.
>
> What I want (and need) is to have both external interfaces running at the
> same time.
>
> When I only have my LAN and one of the external interfaces running then everything is
> working just fine. But when I turn on both interfaces at the same time my
> machine is generating a huge amount of martian-source errors in the log. I
> even tried to turn off the firewall, but without luck.
>
> Why is this happening, and how do I solve this problem?
>
> Regards
>
> Jan Andersen
>
--
Bla bla
From: alex at milivojevic.org (Aleksandar Milivojevic)
Date: Mon Jul 18 05:40:31 2005
Subject: Netfilter and IPSec interaction
In-Reply-To: <20050714122109.bl71ded9gkkoc0c4@www.milivojevic.org>
References: <20050714122109.bl71ded9gkkoc0c4@www.milivojevic.org>
Message-ID: <42DB20CE.5040401@milivojevic.org>

Aleksandar Milivojevic wrote:
> I'm writing a set of firewall rules for an IPSec based VPN, and have a couple of
> questions.
>
> I know that packets are supposed to go through Netfilter tables twice (as
> received from the wire, and then as output by the IPSec module). However, what I
> noticed is that this seems to be true only for incoming packets. The outgoing
> packets seem to go through Netfilter tables only once.

Thanks to everybody who replied on the list and off-list. I'll just write a short summary.

Apparently, this is a known problem and it has been discussed on Netfilter's development lists. There are some patches that solve it, but they are not going to get into the mainstream kernel since the approach taken in them is problematic (and according to some sources, those patches are abandoned and not maintained anymore). I wasn't able to find why the approach is problematic, but apparently the answer to that question is buried somewhere in the archives of Netfilter's development list.

Seems that the correct approach to solve the problem still needs to be found (and once found and implemented will become part of the mainstream kernel).
From: afshinlamei at gmail.com (afshin lamei)
Date: Mon Jul 18 07:57:44 2005
Subject: how to upgrade an installed iptables?
Message-ID: <3115d56e0507172241b07d0bf@mail.gmail.com>

hi all,
2 questions:
is there any patched source of iptables (with p-o-m), which i can just compile and use?
how can i upgrade from iptables 1.2.8 to 1.2.9, 1.3, ... etc? there is a patch named patch-iptables-1.2.8-1.2.9, can i apply it on an installed 1.2.8 one?
regards
afshin

From: sadus at swiftbin.net (Sadus .)
Date: Mon Jul 18 11:35:05 2005
Subject: DNATing Windows File Sharing
Message-ID: <1121674536.1554.16.camel@sadusbox.hostname>

Hello,
I would like to enable the right ports and DNAT the requests for File Sharing on an internal windows box. The win2k3 has Active Directory enabled and i want users to type \\domainname.com which will popup a user/pass dialog and let them access the file server.

I did the following, but it doesn't seem to work:

iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 139 --to 192.168.1.2:139

assuming "139" is NetBios

thanks
--
Sadus .
Swiftbin.net
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 18 11:37:16 2005
Subject: DNATing Windows File Sharing
In-Reply-To: <1121674536.1554.16.camel@sadusbox.hostname>
References: <1121674536.1554.16.camel@sadusbox.hostname>
Message-ID:

> Hello,
> I would like to enable the right ports and DNAT the requests for File
> Sharing on an internal windows box. The win2k3 has Active Directory
> enabled and i want users to type \\domainname.com which will popup a
> user/pass dialog and let them access the file server.
>
> I did the following, but it doesn't seem to work:
> iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 139 --to
> 192.168.1.2:139
> assuming "139" is NetBios

Also try 445 instead of 139.

Then, if that still does not work, you maybe need to forward UDP 137.

Jan Engelhardt
--
From: voyager123bg at gmail.com (Nikolai Alexandrov)
Date: Mon Jul 18 12:06:25 2005
Subject: how to upgrade an installed iptables?
In-Reply-To: <3115d56e0507172241b07d0bf@mail.gmail.com>
References: <3115d56e0507172241b07d0bf@mail.gmail.com>
Message-ID: <42DB782B.4090802@gmail.com>

afshin lamei wrote:
> hi all,
> 2 questions:
> is there any patched source of iptables (with p-o-m), which i can just
> compile and use?
>

Nope. p-o-m is a separate patchset, which in order to use you must have the sources of both the kernel and iptables. It then does its magic (patching the source :)), and you then need to recompile the kernel modules/iptables.

> how can i upgrade from iptables 1.2.8 to 1.2.9, 1.3, ... etc? there is
> a patch named patch-iptables-1.2.8-1.2.9, can i apply it on an
> installed 1.2.8 one?
> regards
> afshin
>

Gee, I've no idea. I always get the newest (stable) source, build a package from it, and install... :) works pretty well.

Basically... yes. Patches usually contain some bugfixes/new features, so this may be the case... :) yet I dunno if you could dl patch 1.3.2 (for example) and apply it over the 1.2.8 source, resulting in 1.3.2... I think in order to get this source updated, you have to apply them one by one, till you get where you want to... (again, this might not be the case. I never did it that way).
From: vangelr at rfgt.net (Robert Vangel)
Date: Mon Jul 18 12:07:00 2005
Subject: DNATing Windows File Sharing
In-Reply-To:
References: <1121674536.1554.16.camel@sadusbox.hostname>
Message-ID: <42DB7B5D.1090506@rfgt.net>

Jan Engelhardt wrote:
>> Hello,
>> I would like to enable the right ports and DNAT the requests for File
>> Sharing on an internal windows box. The win2k3 has Active Directory
>> enabled and i want users to type \\domainname.com which will popup a
>> user/pass dialog and let them access the file server.
>>
>> I did the following, but it doesn't seem to work:
>> iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 139 --to
>> 192.168.1.2:139
>> assuming "139" is NetBios
>
> Also try 445 instead of 139.
>
> Then, if that still does not work, you maybe need to forward UDP 137.
>
> Jan Engelhardt

All of the ports for windows file sharing, if you want to call it that, are:

135/tcp, 137/udp, 138/tcp, 139/udp, 139/tcp, 445/tcp

Some of them are for RPC things so you might not actually want them open, but I don't know which specific one(s) they are.
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Mon Jul 18 12:36:55 2005
Subject: how to upgrade an installed iptables?
In-Reply-To: <3115d56e0507172241b07d0bf@mail.gmail.com>
References: <3115d56e0507172241b07d0bf@mail.gmail.com>
Message-ID: <42DB811B.7060404@mnemon.de>

afshin lamei wrote:
> how can i upgrade from iptables 1.2.8 to 1.2.9, 1.3, ... etc? there is
> a patch named patch-iptables-1.2.8-1.2.9, can i apply it on an
> installed 1.2.8 one?

I did it with 1.3.1->1.3.2 and it worked well. If you decide to compile your own iptables, you should take care of the paths. E.g. debian has /sbin/iptables and the sources from netfilter.org install in /usr/local/sbin. If you don't want this, edit the Makefile and change the vars PREFIX, LIBDIR, ..., to fit your needs.

Have a nice time,
Joerg

From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 18 13:25:30 2005
Subject: DNATing Windows File Sharing
In-Reply-To: <42DB7B5D.1090506@rfgt.net>
References: <1121674536.1554.16.camel@sadusbox.hostname> <42DB7B5D.1090506@rfgt.net>
Message-ID:

> All of the ports for windows file sharing you want to call it are..
>
> 135/tcp, 137/udp, 138/tcp, 139/udp, 139/tcp, 445/tcp
>
> Some of them are for RPC things so you might not actually want them
> open, but I don't know which specific one(s) they are.

epmap           135/tcp   # DCE endpoint resolution
epmap           135/udp   # DCE endpoint resolution
netbios-ns      137/tcp   # NETBIOS Name Service
netbios-ns      137/udp   # NETBIOS Name Service
netbios-dgm     138/tcp   # NETBIOS Datagram Service
netbios-dgm     138/udp   # NETBIOS Datagram Service
netbios-ssn     139/tcp   # NETBIOS Session Service
netbios-ssn     139/udp   # NETBIOS Session Service
microsoft-ds    445/tcp   # Microsoft-DS
microsoft-ds    445/udp   # Microsoft-DS

I have never seen epmap on my network, so 135 does not belong to it. 138 traffic is also rare.

Jan Engelhardt
--
From: trevor at tecnopolis.ca (Trevor Cordes)
Date: Mon Jul 18 14:13:28 2005
Subject: Using SNAT through a 26sec tunnel
In-Reply-To: <00cb01c52eaf$b0981ac0$5001010a@bluereef.local>
References: <00cb01c52eaf$b0981ac0$5001010a@bluereef.local>
Message-ID: <20050715191803.GC22834@pog.tecnopolis.ca>

On Tue, Mar 22, 2005 at 06:20:56PM +1100, Andrew Hall wrote:
> Hello,
>
> I need some clarification on native 26sec packet processing in relation to
> NAT with Netfilter, and I'm hoping someone can enlighten me once and for
> all.

AFAIK SNAT (and DNAT) with 26sec is broken without patches and patches might not be readily available above 2.6.10. See my RH bugzilla and make some noise:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374
From: george_esperanza at yahoo.com (George Esperanza)
Date: Mon Jul 18 14:13:30 2005
Subject: Port Forwarding Problem
Message-ID: <20050718051737.46295.qmail@web31512.mail.mud.yahoo.com>

Hello everyone!

I have just installed a Slackware Linux 10.1 as my firewall and my Internet gateway and i have a Web server inside my private Network. I'm trying to test if i can forward all incoming http requests to my Web server. I've found a simple script and modified it to work for my IP settings, but it's not working. I've been searching this for almost 2 days now and still can't make it work. I have Slackware 9.0 with iptables scripts (running at home) that has forwarding rules which are working perfectly. I tried that script too in Slackware 10.1 but still not working.

Please help...

George

Here's my script:

#!/bin/sh

# The rules below reference $IPT, so the path variable must be named IPT
# (an empty $IPT makes every rule line fail with "command not found").
IPT="/usr/sbin/iptables"

/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# eth0 - internal network
# eth1 - external network (with static IP)
$IPT -A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport \
    --dport 80,443 -o eth1 -j ACCEPT
$IPT -A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport \
    --dport 80,443 -o eth1 -i eth0 -j ACCEPT
# DNATed web requests arrive on eth1 for the internal server and are
# forwarded to eth0; with a DROP policy they need their own accept rule.
$IPT -A FORWARD -i eth1 -o eth0 -d 192.168.0.10 -p tcp --dport 80 \
    -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o eth1 -j LOG
$IPT -A FORWARD -j LOG

$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to X.X.X.X
$IPT -t nat -A PREROUTING -i eth1 -p tcp -d X.X.X.X --dport 80 -j DNAT \
    --to 192.168.0.10:80

From: Christian.Andretzky at MB.TU-Chemnitz.DE (Christian Andretzky)
Date: Mon Jul 18 14:13:32 2005
Subject: Newbe problem with rpc filtering
Message-ID: <42DB8AB6.9080008@MB.TU-Chemnitz.DE>

Hi,

I'm more or less new with packet filtering and have a problem getting my iptables running with the extensions for rpc filtering under SuSE 9.3. As far as I could see they have installed iptables 1.3.1 and the patch-o-matic extensions for rpc too (the newer one, which supports the syntax '-m rpc --rpcs [list, of, services]').

But unfortunately I cannot get it running.

If I use '-m rpc --rpcs list, of, services' then I get the response 'Bad argument xxx' for the second parameter in the list of services.

If I use '-m rpc --rpcs xxx' (with only one parameter) or '-m rpc' with no '--rpcs' parameter (fallback to old record_rpc style) I get the message 'iptables: No chain/target/match by that name'.

Is there anybody who can help me to fix that problem?

TIA,
Christian

P.S. Please answer to my personal address because I'm not subscribed to the list.
From: fatihturkmen99 at yahoo.com (Fatih TURKMEN)
Date: Mon Jul 18 15:37:36 2005
Subject: ssh connection is not allowed in NAT, SUSE 9.2
Message-ID: <20050718132109.88338.qmail@web50210.mail.yahoo.com>

Hi everybody,

I am trying to create a small NAT network on SUSE 9.2 computers. I don't know what is missing in my iptables policy but I have added three rules for SNAT:

1) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2) iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
3) iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

I stopped firewalls on local computers, and installed ssh server/client on all computers. I can ssh to local machines from locals. But I can't ssh to the nat server. Also I can only ping one computer from the NAT Server.

When I try to ssh to local clients from the NAT server I get either "No route to host" or "Connection refused" although I stopped firewalls on locals and set the NAT server as the default gateway for local clients.

Any ideas? What is missing?

Thanks in advance.
Fatih TURKMEN

From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 18 16:21:23 2005
Subject: RST packets
Message-ID:

Hi,

a simple question, though I could not clearly read it from the TCP RFC... do RST packets always have ACK set?

Jan Engelhardt
--
From: rob at sterenborg.info (Rob Sterenborg)
Date: Mon Jul 18 16:30:32 2005
Subject: RST packets
In-Reply-To:
References:
Message-ID: <3544.217.166.67.34.1121695973.squirrel@217.166.67.34>

> Hi,
>
> a simple question, though I could not clearly read it from the TCP RFC...
> do RST packets always have ACK set?

It seems that isn't so: (http://www.knowplace.org/netfilter/ip_overview.html)

    Resetting a connection

    The four-way handshake is not the only way to tear down an established
    TCP connection. Sometimes, if either host needs to tear down the
    connection quickly (timeout, port or host unreachable, etc.), a RST
    (Reset) packet is sent. Note that since a RST packet is not necessarily
    always part of a TCP connection, it can be sent by itself. RST packets
    that are part of a TCP connection are usually accompanied by the ACK
    flag as well. Note that RST packets are not acknowledged.

Gr,
Rob

From: eric at inl.fr (Eric Leblond)
Date: Mon Jul 18 17:40:20 2005
Subject: [Announce] Nulog 1.1.0 is available
Message-ID: <1121700222.27293.20.camel@localhost.localdomain>

On Monday, 04 July 2005 at 18:07 +0100, matt wrote:
> The Nulog 1.1.0 release has a bug.
>
> The mysql dumpfile does not contain the conntrack_ulog table.
>
> This has been reported to the nulog email account.

Hi,

This is related to the default values of variables that are badly set (or at least badly documented). Set

$conntrack_enabled="no";
$actif_and_passif=0;

in include/config.inc

PS: sorry for the delay, I did not see this e-mail till today.

BR,
--
Eric Leblond
From: dufresne at sysinfo.com (R. DuFresne)
Date: Mon Jul 18 18:49:27 2005
Subject: RST packets
In-Reply-To:
References:
Message-ID:

On Mon, 18 Jul 2005, Jan Engelhardt wrote:
> Hi,
>
> a simple question, though I could not clearly read it from the TCP RFC...
> do RST packets always have ACK set?
>

Past discussions on this, if I recall, have stated that the RFC is unclear on whether they should or should not, and thus it is implementation specific. In other words prepare for both.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins
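Ron's advice above (prepare for both forms of RST) as an added example, not code from the list or from the netfilter project: a POSIX shell snippet that decodes the flags octet of a captured TCP header and derives the iptables --tcp-flags expression that matches exactly that combination. The two sample headers are constructed; the ports and sequence numbers in them are arbitrary.

```shell
#!/bin/sh
# Added example (not from the list posts). Decodes the TCP flags octet of a
# header given as a hex string, and builds the iptables --tcp-flags match
# for it. Sample headers below are constructed, not captured traffic.

# tcp_flags <hex TCP header> -> comma-separated names of the set flags.
# The flags octet is byte 13 (0-based) of the header, i.e. hex chars 27-28.
tcp_flags() {
    octet=$(printf '%s' "$1" | cut -c27-28)
    val=$((0x$octet))
    out=""
    for pair in 1:FIN 2:SYN 4:RST 8:PSH 16:ACK 32:URG; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $((val & bit)) -ne 0 ]; then
            out="$out$name,"
        fi
    done
    printf '%s\n' "${out%,}"
}

# exact_flags_rule <hex TCP header> -> iptables match hitting exactly this
# flag combination: examine all six flags (mask), require the decoded set.
exact_flags_rule() {
    set_flags=$(tcp_flags "$1")
    printf '%s FIN,SYN,RST,PSH,ACK,URG %s\n' '--tcp-flags' "${set_flags:-NONE}"
}

# Constructed 20-byte headers: sport 22, dport 49153, seq 0, ack 0x12345678,
# data offset 5 (0x50), then the flags octet, window/checksum/urgent zero.
HDR_PREFIX=0016c0010000000012345678
HDR_SUFFIX=000000000000
RST_ONLY="${HDR_PREFIX}5004${HDR_SUFFIX}"   # a bare RST (no ACK)
RST_ACK="${HDR_PREFIX}5014${HDR_SUFFIX}"    # RST with ACK, the common form
SYN_ACK="${HDR_PREFIX}5012${HDR_SUFFIX}"    # second step of the handshake

for h in "$RST_ONLY" "$RST_ACK" "$SYN_ACK"; do
    printf '%s  flags=%s  match: %s\n' "$h" "$(tcp_flags "$h")" "$(exact_flags_rule "$h")"
done
```

Because the exact match for RST_ONLY and RST_ACK differ, a rule meant to catch resets in either form should examine only the RST bit (`--tcp-flags RST RST`) rather than requiring ACK as well.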
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Mon Jul 18 20:43:54 2005
Subject: RST packets
In-Reply-To:
References:
Message-ID:

Hi,

On Mon, 18 Jul 2005, Jan Engelhardt wrote:
> a simple question, though I could not clearly read it from the TCP RFC...
> do RST packets always have ACK set?

No, see RFC793 page 64:

  SEGMENT ARRIVES
  ...
    If the state is LISTEN then

      first check for an RST

        An incoming RST should be ignored.  Return.

      second check for an ACK

        Any acknowledgment is bad if it arrives on a connection still in
        the LISTEN state.  An acceptable reset segment should be formed
        for any arriving ACK-bearing segment.  The RST should be
        formatted as follows:

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

From: rcarlson at kitchenandassociates.com (Rob Carlson)
Date: Mon Jul 18 20:59:36 2005
Subject: IPset ports question.
Message-ID: <42DBF833.9020505@kitchenandassociates.com>

Is there a way to bind an IPSet hash to a port, and if so, what is the syntax?

I had a rule for a CIDR block that I bound to a port set and then was able to reject incoming traffic from that CIDR block addressed to specific ports and that worked very well.

Now I would like to be able to take an iphash and a nethash (currently blocking all traffic) and reject traffic from the hashed addresses going specifically to port 22 and 25 only.

Thanks for any help.
--
Rob Carlson, Systems and Network Administrator
Kitchen & Associates Architectural Services, PA
Architecture - Planning - Interior Design
856.854.1880
From: opie at 817west.com (Jason Opperisano)
Date: Mon Jul 18 23:32:38 2005
Subject: DNATing Windows File Sharing
In-Reply-To:
References: <1121674536.1554.16.camel@sadusbox.hostname> <42DB7B5D.1090506@rfgt.net>
Message-ID: <20050718211235.GA11303@bender.817west.com>

On Mon, Jul 18, 2005 at 01:09:01PM +0200, Jan Engelhardt wrote:
> epmap           135/tcp   # DCE endpoint resolution
> epmap           135/udp   # DCE endpoint resolution
> netbios-ns      137/tcp   # NETBIOS Name Service
> netbios-ns      137/udp   # NETBIOS Name Service
> netbios-dgm     138/tcp   # NETBIOS Datagram Service
> netbios-dgm     138/udp   # NETBIOS Datagram Service
> netbios-ssn     139/tcp   # NETBIOS Session Service
> netbios-ssn     139/udp   # NETBIOS Session Service
> microsoft-ds    445/tcp   # Microsoft-DS
> microsoft-ds    445/udp   # Microsoft-DS

quoting a services file like it's an RFC is not a great way to write firewall rules. just because a port has been reserved for a service, doesn't mean it's actually used. the obvious example here would be HTTP:

http   80/tcp   www www-http   #World Wide Web HTTP
http   80/udp   www www-http   #World Wide Web HTTP

now, we're not all going to run out and open up UDP port 80 so that our web servers function, are we?

the safest way to write firewall rules, is by dropping and logging the traffic or by using tcpdump to discover the ports and protocols one by one.

that being said, in my experience, the ports used by "windows file sharing" are:

TCP 139
TCP 445
UDP 137
UDP 138

that being said, i've also noticed that NAT-ing a windows file server doesn't always work--depending on your network topology.

-j
--
"Susan Sarandon: I'm Susan Sarandon. Most of you know me as Tim Robbins' mother, but actually I'm his wife!"
--Family Guy
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon Jul 18 23:58:19 2005
Subject: DNATing Windows File Sharing
In-Reply-To: <20050718211235.GA11303@bender.817west.com>
References: <1121674536.1554.16.camel@sadusbox.hostname> <42DB7B5D.1090506@rfgt.net> <20050718211235.GA11303@bender.817west.com>
Message-ID:

> quoting a services file like it's an RFC is not a great way to write
> firewall rules. just because a port has been reserved for a service,
> doesn't mean it's actually used. the obvious example here would be

So it looks like Win98 does not use 135. If you are not happy with the results, use -m layer7 and go from there. _That's_ safe, across udp, tcp and the whole port range. :)

> that being said, i've also noticed that NAT-ing a windows file server
> doesn't always work--depending on your network topology.

No, I think because it uses broadcasts which ... are normally not propagated across networks unless you utilize userspace proxies. I have recently turned a friend's network(s) into a bridged one to overcome this problem. (Or to evade it, depending on the viewpoint.)
From: hendry at soltecsoftware.com.au (Kai Hendry)
Date: Tue Jul 19 04:13:47 2005
Subject: DNAT
Message-ID: <42DC5EF2.8060002@soltecsoftware.com.au>

I have three machines:

192.168.0.1
192.168.0.3
192.168.0.9

On 9 there is a service running on port 1199 that I want clients (at 3) to use from 1.

With SSH I can get this working from 1 with clients at 1 with:

ssh -L 1199:localhost:1199 192.168.0.9

Though telnet localhost 1199 only works, not telnet 192.168.0.1 1199

Anyway, I don't need encryption. DNAT is what I've been told I need so:

http://netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

$ cat i.sh
sudo /sbin/iptables -t nat -F
# This alone doesn't work
sudo /sbin/iptables -t nat -A PREROUTING -p tcp --dport 1199 -i eth0 -j DNAT --to 192.168.0.9:1199
# I suspect something is wrong here:
sudo /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 1199 -j SNAT --to 192.168.0.1:1199
sudo /sbin/iptables -t nat -vnxL --line-numbers

It just does not work when from 3:

$ telnet 192.168.0.1 1199
Trying 192.168.0.1...

Packets do show up:

SOLTEC-HDSVR$ sudo /sbin/iptables -t nat -vnxL --line-numbers
Chain PREROUTING (policy ACCEPT 6494 packets, 466878 bytes)
num   pkts  bytes  target  prot  opt  in    out  source     destination
1        4    240  DNAT    tcp   --   eth0  *    0.0.0.0/0  0.0.0.0/0    tcp dpt:1199 to:192.168.0.9:1199

Chain POSTROUTING (policy ACCEPT 2102 packets, 388967 bytes)
num   pkts  bytes  target  prot  opt  in    out  source     destination

Chain OUTPUT (policy ACCEPT 2102 packets, 388967 bytes)
num   pkts  bytes  target  prot  opt  in    out  source     destination

Though from 1 not at all:

$ telnet 192.168.0.1 1199
Trying 192.168.0.1...
telnet: Unable to connect to remote host: Connection refused

What am I doing wrong?
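The DNAT problems in this thread and in the "DNATing Windows File Sharing" thread above share the same missing pieces, so here is one added example for both (not code from the posters or from the netfilter project): a POSIX shell helper that emits every rule a port forward needs on a Linux gateway. The interface name, addresses and subnet are assumed sample values, not the posters' real ones. It goes beyond the posts in two ways: it adds an OUTPUT-chain DNAT, because connections made on the gateway itself (the telnet from host 1 above) never traverse PREROUTING, and a POSTROUTING SNAT for clients on the same subnet as the real server, whose replies would otherwise go straight back to the client and bypass the gateway. Note the SNAT rewrites only the source address, not the source port.

```shell
#!/bin/sh
# Added example (not from the list posts): emit the full rule set a DNAT port
# forward needs. Interface, addresses and subnet below are sample values.
# With DRY_RUN=1 (the default here) the iptables commands are printed
# instead of executed, so the output can be reviewed before it is applied.

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# forward_service <in-iface> <gateway-ip> <real-server-ip> <lan-subnet> <proto>:<port> ...
forward_service() {
    in_if=$1; gw_ip=$2; srv=$3; lan=$4
    shift 4
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        # 1. Rewrite the destination of packets arriving from the network.
        run -t nat -A PREROUTING -i "$in_if" -p "$proto" -d "$gw_ip" --dport "$port" \
            -j DNAT --to-destination "$srv:$port"
        # 2. Locally generated connections skip PREROUTING; nat OUTPUT catches them.
        run -t nat -A OUTPUT -p "$proto" -d "$gw_ip" --dport "$port" \
            -j DNAT --to-destination "$srv:$port"
        # 3. The rewritten packets are forwarded; a DROP policy on FORWARD would
        #    silently discard them without a matching accept.
        run -A FORWARD -p "$proto" -d "$srv" --dport "$port" -m state --state NEW -j ACCEPT
        # 4. Hairpin case: a client on the server's own subnet would get the reply
        #    directly from the server and drop it as unknown. Source-NAT those
        #    flows to the gateway address (address only, no port).
        run -t nat -A POSTROUTING -s "$lan" -d "$srv" -p "$proto" --dport "$port" \
            -j SNAT --to-source "$gw_ip"
    done
    # Return traffic for everything accepted above.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sample call: the Windows file sharing ports from the thread above, forwarded
# from a gateway at 192.168.0.1 to a file server at 192.168.0.9 (sample values).
forward_service eth0 192.168.0.1 192.168.0.9 192.168.0.0/24 tcp:139 tcp:445 udp:137 udp:138
```

Run it with DRY_RUN=1 first and read the printed commands; for the single service in this thread the call would be `forward_service eth0 192.168.0.1 192.168.0.9 192.168.0.0/24 tcp:1199`. Forwarding also needs net.ipv4.ip_forward set to 1 on the gateway.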
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Tue Jul 19 10:59:23 2005
Subject: IPset ports question.
In-Reply-To: <42DBF833.9020505@kitchenandassociates.com>
References: <42DBF833.9020505@kitchenandassociates.com>
Message-ID:

Hi Rob,

On Mon, 18 Jul 2005, Rob Carlson wrote:
> Is there a way to bind an IPSet hash to a port,
> and if so, what is the syntax?

The syntax is the same in all cases:

ipset -B -b

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
From: harmuth at mnemon.de (Jörg Harmuth)
Date: Tue Jul 19 11:27:10 2005
Subject: ssh connection is not allowed in NAT, SUSE 9.2
In-Reply-To: <20050718132109.88338.qmail@web50210.mail.yahoo.com>
References: <20050718132109.88338.qmail@web50210.mail.yahoo.com>
Message-ID: <42DCC29E.5000603@mnemon.de>

Fatih TURKMEN wrote:
> Hi everybody,
> I am trying to create a small NAT network on SUSE 9.2
> computers. I don't know what is missing in my iptables
> policy but I have added three rules for SNAT:
>
> 1) iptables -t nat -A POSTROUTING -o eth0 -j
> MASQUERADE
> 2) iptables -A FORWARD -i eth0 -o eth1 -m state
> --state RELATED,ESTABLISHED -j ACCEPT
> 3) iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> I stopped firewalls on local computers, and installed
> ssh server/client on all computers. I can ssh to local
> machines from locals. But I can't ssh to the nat
> server. Also I can only ping one computer from the NAT
> Server.
> When I try to ssh to local clients from the NAT server I
> get either "No route to host" or "Connection refused"
> although I stopped firewalls on locals and set the NAT
> server as the default gateway for local clients.

Would you mind providing the full ruleset of your nat box? Preferably the output of iptables-save? A description of your network layout could be helpful too (networks, NICs, ...). As there is "No route to host" the routing table could give some enlightenment. There are at least two interfaces, so - is ip-forwarding enabled? What does

netstat -tulpn | grep ':22'

give on the respective boxes? When trying to connect via SSH to no avail, what does

tcpdump -ni

give (try reducing other traffic)?

Questions over questions :)

Have a nice time,
Joerg
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Tue Jul 19 11:42:35 2005
Subject: ipt_random
Message-ID: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife>

It seems that the random patch for patch-o-matic for the 2.6 kernel existed a long time ago but it is still not inside the latest patch-o-matic snapshot. May I know why?

Cheers

From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue Jul 19 12:34:19 2005
Subject: ipt_random
In-Reply-To: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife>
References: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife>
Message-ID:

> It seems that the random patch for patch-o-matic for 2.6 kernel
> existed long time ago but it is still not inside the latest patch-o-matic
> snapshot. May I know why ?

12:16 linux01:~ > tar -xvjf patch-o-matic-ng-20050718.tar.bz2 | grep random
patch-o-matic-ng-20050718/patchlets/random/
patch-o-matic-ng-20050718/patchlets/random/linux/include/linux/netfilter_ipv4/ipt_random.h
(output reduced)

It's there...

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
From: dufresne at sysinfo.com (R. DuFresne) Date: Tue Jul 19 17:09:40 2005 Subject: ssh connection is not allowed in NAT, SUSE 9.2 In-Reply-To: <42DCC29E.5000603@mnemon.de> References: <20050718132109.88338.qmail@web50210.mail.yahoo.com> <42DCC29E.5000603@mnemon.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 and tpcd is not getting in the way, correct? Thanks, Ron DuFresne On Tue, 19 Jul 2005, J?rg Harmuth wrote: > Fatih TURKMEN schrieb: >> Hi everybody, >> I am trying to create small NAT network on SUSE 9.2 >> computers.I don't know what is missing in my iptables >> policy but I have added three rules for SNAT: >> >> 1) iptables -t nat -A POSTROUTING -o eth0 -j >> MASQUERADE >> 2) iptables -A FORWARD -i eth0 -o eth1 -m state >> --state RELATEd,ESTABLISHED -j ACCEPT >> 3) iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT >> >> I stopped firewalls on local computers, and installed >> ssh server/client on all computers.I can ssh to local >> machines from locals.But I can't ssh to nat >> server.Also I can only ping one computer from NAT >> Server. >> When I try to ssh to local clients from NAT server I >> got either "No route to host" or "Connection refused" >> although I stopped firewalls on locals and set the NAT >> server as the default gateway for local clients. > > Would you mind to provide the full ruleset of your nat box ? Preferably > the output of iptables-save ? A description of your network layout could > be helpfull too (networks, NICs,...). As there is "No route to host" the > routing table could give some enlightment. There are at least two > interfaces, so - is ip-forwarding enabled ? What does > > netstat -tulpn | grep ':22' > > give on the respective boxes ? When trying to connect via SSH to no > avail, what does > > tcpdump -ni > > give (try reducing other traffic) ? 
> Questions over questions :) > > Have a nice time, > > Joerg > > -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 ...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins From keseruk at freemail.hu Tue Jul 19 19:23:41 2005 From: keseruk at freemail.hu (Keserű Kornél) Date: Tue Jul 19 19:40:16 2005 Subject: iptables and udp socket Message-ID: Dear List members, I'm quite new to netfilter/iptables, I have been using it for some weeks. I would like to ask if it may lead to non-deterministic behaviour of iptables when a UDP socket is opened on an IP:port while in parallel iptables rules (NAT) are set up that forward all incoming packets received on that IP:port to a different destination. So I just want to use the socket for sending out packets, while incoming packets should be forwarded to another destination. But sometimes the packets are received on the socket, sometimes they are forwarded. So iptables doesn't always have the expected effect. I use Debian with iptables 1.2.11. What is your opinion? Best regards, Kornel Keseru From schachti at rbw.goe.net Tue Jul 19 20:07:59 2005
From: schachti at rbw.goe.net (Michael Schachtebeck) Date: Tue Jul 19 20:24:41 2005 Subject: limit extension Message-ID: <42DD417F.4090804@rbw.goe.net> Hi, I'm trying to redirect some people on my router once a day to a local apache to show them a status page. I'm using the following iptables rule to redirect them: /sbin/iptables -t nat -I PREROUTING -p tcp -s $IP -i $LAN_DEV --sport 1024: --dport 80 --syn -m limit --limit 1/d --limit-burst 1 -j REDIRECT --to-port 5000 At first, I thought everything was fine: I got redirected when trying to open the first page in my browser, and after that, I could surf normally without being redirected. But after about 30 minutes, I got redirected again, and iptables -t nat -vnL PREROUTING said that the rule had matched twice. What am I doing wrong? Why was I redirected a second time? In my opinion, the second redirection should not have happened then, but 1 day (24 hours) later... Any hint is welcome... Michael. -- PGP Public Key: http://www.num.math.uni-goettingen.de/schachte/key.asc Key fingerprint: C474 8B85 17C0 0232 E439 0FBF 2451 E452 293C D798 From rcarlson at kitchenandassociates.com Tue Jul 19 21:13:40 2005
From: rcarlson at kitchenandassociates.com (Rob Carlson) Date: Tue Jul 19 21:30:28 2005 Subject: IPset ports question. In-Reply-To: References: <42DBF833.9020505@kitchenandassociates.com> Message-ID: <42DD50E4.9090800@kitchenandassociates.com> Jozsef, Somehow I'm still blocking all traffic from the iphash entries after binding the hash to the port (port 80, for instance). For background purposes, this is how I am blocking traffic with the iphash: iptables -A testset -m set --set testset src -j LTREJECT iptables -I FORWARD 2 -i eth1 -j testset iptables -I INPUT 2 -i eth1 -j testset This works fine for blocking all traffic. However since I now want specifically to only drop port 22 and port 25 entries (that is most of the nuisance traffic) and allow port 80 for example, I did the following: ipset -N ports portmap --from 1 --to 1024 ipset -A ports 22 ipset -A ports 25 ipset -B testset :default: -b ports Now, if I run "ipset -n -L testset", I get the following Name: testset Type: iphash References: 1 Default binding: ports Header: hashsize: 1024 probes: 8 resize: 50 Members: Bindings: In order to test what I have, I added to the hash an address of an external machine (that I can always reach) to see if I could access the web page, but _not_ the ssh port. However, when the address is in the hash, _all_ ports still seem to be blocked-- i.e. no web access OR ssh. Removing the address from the hash fixes this. In order to see if something was cached and blocking the address I tried removing the iptables entry for testset and re-added it. The result is the same. Is there something in the order of what I am doing that causes the LTREJECT to affect traffic to all ports, and not just the ports that I bound to the iphash? Thanks, Rob. Jozsef Kadlecsik wrote: > Hi Rob, > > On Mon, 18 Jul 2005, Rob Carlson wrote: > > >>Is there a way to bind an IPSet hash to a port, >>and if so, what is the syntax? 
> > > The syntax is the same in all cases: > > ipset -B -b > > Best regards, > Jozsef > - > E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt > Address : KFKI Research Institute for Particle and Nuclear Physics > H-1525 Budapest 114, POB. 49, Hungary > > -- Rob Carlson, Systems and Network Administrator Kitchen & Associates Architectural Services, PA Architecture - Planning - Interior Design 856.854.1880 From kadlec at blackhole.kfki.hu Tue Jul 19 22:09:28 2005 From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik) Date: Tue Jul 19 22:26:00 2005 Subject: IPset ports question. In-Reply-To: <42DD50E4.9090800@kitchenandassociates.com> References: <42DBF833.9020505@kitchenandassociates.com> <42DD50E4.9090800@kitchenandassociates.com> Message-ID: Hi Rob, On Tue, 19 Jul 2005, Rob Carlson wrote: > iptables -A testset -m set --set testset src -j > LTREJECT > iptables -I FORWARD 2 -i eth1 -j testset > iptables -I INPUT 2 -i eth1 -j testset > > This works fine for blocking all traffic. However > since I now want specifically to only drop port 22 > and port 25 entries (that is most of the nuisance > traffic) and allow port 80 for example, I did the > following: > > ipset -N ports portmap --from 1 --to 1024 > ipset -A ports 22 > ipset -A ports 25 > ipset -B testset :default: -b ports You missed to replace the iptables command above with the one which instruct the SET target to follow bindings. What you need is iptables -A testset -m set --set testset src,dst -j LTREJECT Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary From jengelh at linux01.gwdg.de Tue Jul 19 22:13:21 2005 
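The difference between `--set testset src` and `--set testset src,dst` that Jozsef points to is the whole story of Rob's problem, so here is an added example (not code from the thread, from ipset or from netfilter) that models how ipset 2.x evaluated the `-m set` match: the named set is tested with the first flag; only if that matched and a second flag was given is the matched element's binding (its own, else the set's `:default:` binding) followed, and the bound set tested with the second flag. With a single flag the bindings are never consulted, which is why every port was rejected. The set and chain names come from the thread; the addresses, ports and function names are constructed for the illustration.

```python
# Added example: a model of ipset 2.x "set match" evaluation with bindings.
# Written after the loop in ip_set_testip_kernel() as described in the thread's
# resolution; set names come from the thread, IPs/ports are constructed.

class IPHash:
    """iphash set: members are IP addresses (kept as strings here)."""
    kind = "ip"

    def __init__(self):
        self.members = set()

    def add(self, ip):
        self.members.add(ip)

    def test(self, ip):
        return ip in self.members


class PortMap:
    """portmap set: members are ports inside the range given at creation."""
    kind = "port"

    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
        self.members = set()

    def add(self, port):
        if not self.lo <= port <= self.hi:
            raise ValueError("port %d outside %d-%d" % (port, self.lo, self.hi))
        self.members.add(port)

    def test(self, port):
        return port in self.members


class IPSet:
    """Holds the sets plus their bindings, as the ipset kernel module did."""

    def __init__(self):
        self.sets = {}
        self.bindings = {}   # set name -> {element or ":default:": bound set name}

    def create(self, name, set_obj):             # ipset -N NAME TYPE
        self.sets[name] = set_obj
        self.bindings[name] = {}

    def add(self, name, value):                  # ipset -A NAME VALUE
        self.sets[name].add(value)

    def bind(self, name, element, target):       # ipset -B NAME ELEMENT -b TARGET
        self.bindings[name][element] = target

    def follow_binding(self, name, element):
        table = self.bindings[name]
        return table.get(element, table.get(":default:"))

    @staticmethod
    def packet_value(set_obj, flag, pkt):
        """Which packet field a flag selects depends on the set's type."""
        if set_obj.kind == "ip":
            return pkt["src"] if flag == "src" else pkt["dst"]
        return pkt["sport"] if flag == "src" else pkt["dport"]

    def match(self, name, flags, pkt):
        """Evaluate '-m set --set NAME flag[,flag]' against one packet."""
        for i, flag in enumerate(flags):
            set_obj = self.sets[name]
            value = self.packet_value(set_obj, flag, pkt)
            if not set_obj.test(value):
                return False                    # element not in this set: no match
            if i + 1 == len(flags):
                return True                     # no more flags: bindings are ignored
            bound = self.follow_binding(name, value)
            if bound is None:
                return True                     # nothing to follow: the match stands
            name = bound                        # test the bound set with the next flag
        return True


def build_testset():
    """Reproduce the thread's configuration: iphash 'testset' bound to 'ports'."""
    ipset = IPSet()
    ipset.create("testset", IPHash())
    ipset.create("ports", PortMap(1, 1024))
    ipset.add("ports", 22)
    ipset.add("ports", 25)
    ipset.bind("testset", ":default:", "ports")
    ipset.add("testset", "192.0.2.10")           # constructed nuisance host
    return ipset


def verdicts(ipset, flags):
    """LTREJECT would fire wherever this returns True; one packet per port."""
    out = {}
    for dport in (22, 25, 80):
        pkt = {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40000, "dport": dport}
        out[dport] = ipset.match("testset", flags, pkt)
    return out


if __name__ == "__main__":
    s = build_testset()
    print("--set testset src    :", verdicts(s, ["src"]))         # every port rejected
    print("--set testset src,dst:", verdicts(s, ["src", "dst"]))  # only 22 and 25
```

The same model also shows why Rob's ordering experiments could not help: the binding is only reached through the second flag, so re-adding the chain with `--set testset src` keeps rejecting port 80 no matter what is bound.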
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Jul 19 22:29:56 2005 Subject: limit extension In-Reply-To: <42DD417F.4090804@rbw.goe.net> References: <42DD417F.4090804@rbw.goe.net> Message-ID: >I'm using the following iptables rule to redirect them: > >/sbin/iptables -t nat -I PREROUTING -p tcp -s $IP -i $LAN_DEV --sport >1024: --dport 80 --syn -m limit --limit 1/d --limit-burst 1 -j REDIRECT >--to-port 5000 You could use dstlimit with --dstlimit-mode srcip-dstip and probably save some rules. With dstlimit, you also get an overview of which connections are currently limited, and their burst status, in /proc/net/ipt_dstlimit/DSTLIMIT_NAME It's because I think some burst math allows a second packet to sneak in. >What am I doing wrong? Why was I redirected a second time? In my opinion, >the second redirection should not have happened then, but 1 day (24 >hours) later... Jan Engelhardt -- | Alphagate Systems, http://alphagate.hopto.org/ From info at jannic.dk Tue Jul 19 22:31:54 2005
From: info at jannic.dk (Jannic S. Jensen) Date: Tue Jul 19 22:48:31 2005 Subject: Lacking support for icmp : "--icmp-type" Message-ID: <6D811849-6963-4B65-A647-1FCF25A6E07B@jannic.dk> Hi list I'm having some troubles getting iptables working with icmp support. The following: --- root@fw ~# iptables -N AllowICMPs root@fw ~# iptables -A AllowICMPs -p icmp --icmp-type fragmentation-needed -j ACCEPT --- Results in: --- root@fw ~# iptables -N AllowICMPs root@fw ~# iptables -A AllowICMPs -p icmp --icmp-type fragmentation-needed -j ACCEPT iptables v1.3.2: Unknown arg `--icmp-type' Try `iptables -h' or 'iptables --help' for more information. --- iptables is running on the Trustix 3.0 distribution using the Shorewall firewall. I've tried compiling iptables from source and using the rpm from Trustix. The RPM is version 1.3.1 of iptables and the source is the latest - 1.3.2. The kernel is 2.6.12 from Trustix. I've been trying both the Shorewall mailing list and the Trustix mailing list but no success yet :(. It seems like there is no support for icmp in iptables. --- iptables -p icmp --help --- gives no indication of icmp support. libipt_icmp.so is installed on the system though. Any hints? Thanks. Best regards /Jannic From rcarlson at kitchenandassociates.com Tue Jul 19 22:58:15 2005
From: rcarlson at kitchenandassociates.com (Rob Carlson) Date: Tue Jul 19 23:14:53 2005 Subject: IPset ports question. In-Reply-To: References: <42DBF833.9020505@kitchenandassociates.com> <42DD50E4.9090800@kitchenandassociates.com> Message-ID: <42DD6967.3050700@kitchenandassociates.com> That did it. Thanks again, Jozsef Jozsef Kadlecsik wrote: > Hi Rob, > > On Tue, 19 Jul 2005, Rob Carlson wrote: > > >>iptables -A testset -m set --set testset src -j >>LTREJECT >>iptables -I FORWARD 2 -i eth1 -j testset >>iptables -I INPUT 2 -i eth1 -j testset >> >>This works fine for blocking all traffic. However >>since I now want specifically to only drop port 22 >>and port 25 entries (that is most of the nuisance >>traffic) and allow port 80 for example, I did the >>following: >> >>ipset -N ports portmap --from 1 --to 1024 >>ipset -A ports 22 >>ipset -A ports 25 >>ipset -B testset :default: -b ports > > > You missed to replace the iptables command above with the one > which instruct the SET target to follow bindings. What you need is > > iptables -A testset -m set --set testset src,dst -j LTREJECT > > Best regards, > Jozsef > - > E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt > Address : KFKI Research Institute for Particle and Nuclear Physics > H-1525 Budapest 114, POB. 49, Hungary > > -- Rob Carlson, Systems and Network Administrator Kitchen & Associates Architectural Services, PA Architecture - Planning - Interior Design 856.854.1880 From schachti at rbw.goe.net Tue Jul 19 23:01:21 2005
From: schachti at rbw.goe.net (Michael Schachtebeck) Date: Tue Jul 19 23:17:57 2005 Subject: limit extension In-Reply-To: References: <42DD417F.4090804@rbw.goe.net> Message-ID: <42DD6A21.3090301@rbw.goe.net> Hi. On 07/19/2005 10:13 PM Jan Engelhardt wrote: > You could use dstlimit with --dstlimit-mode srcip-dstip > and probably save some rules. > > With dstlimit, you also get an overview of which connections are currently > limited, and their burst status, in /proc/net/ipt_dstlimit/DSTLIMIT_NAME > It's because I think some burst math allows a second packet to sneak in. Won't I have the same problem with it? According to http://www.netfilter.org/patch-o-matic/pom-obsolete.html#pom-obsolete-dstlimit, it's deprecated by hashlimit, but on http://www.netfilter.org/patch-o-matic/pom-submitted.html#pom-submitted-hashlimit, I can't find any information on how to use it in my case... Do you know where to look for it or do you have an example for how to redirect a single host or a bunch of hosts once a day to the local apache when trying to make their first http connection, similar to /sbin/iptables -t nat -I PREROUTING -p tcp -s $IP -i $LAN_DEV --sport 1024: --dport 80 --syn -m limit --limit 1/d --limit-burst 1 -j REDIRECT --to-port 5000 Michael -- PGP Public Key: http://www.num.math.uni-goettingen.de/schachte/key.asc Key fingerprint: C474 8B85 17C0 0232 E439 0FBF 2451 E452 293C D798 From mingching.tiew at redtone.com Wed Jul 20 03:17:36 2005 From: mingching.tiew at redtone.com (Ming-Ching Tiew) Date: Wed Jul 20 03:34:36 2005 Subject: ipt_random References: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife> Message-ID: <034901c58cc8$d0828650$1280a8c0@newlife> 
From: "Jan Engelhardt" > > >It seems that the random patch for patch-o-matic for the 2.6 kernel > >existed a long time ago but it is still not inside the latest patch-o-matic > >snapshot. May I know why? > > 12:16 linux01:~ > tar -xvjf patch-o-matic-ng-20050718.tar.bz2 | grep random > patch-o-matic-ng-20050718/patchlets/random/ > patch-o-matic-ng-20050718/patchlets/random/linux/include/linux/netfilter_ipv4/ipt_random.h That's a 2.4 kernel patch. I am referring to the 2.6 kernel. Cheers. From postmaster at modular-infotech.com Wed Jul 20 08:22:06 2005 From: postmaster at modular-infotech.com (SWAPNIL) Date: Wed Jul 20 08:40:10 2005 Subject: help for iptables Message-ID: Dear All, Please find the link of my network for your reference. http://downloadftp.modular-infotech.com/common/share/network.gif My client1 PC and client 2 PC will be connected to the internet using a proxy, and only the client 2 PC will be connected to one remote server or domain or IP using iptables. From a remote location anyone can connect to my local web server through my global DNS server, e.g. someone must first connect to my global DNS server to resolve the host name; then he will get routed to my local router, and the router will connect that remote user to my local webserver on any protocol and any port. Also I would like to track each connection session with my webserver. What should I do in such a scenario? Please help me, otherwise my job will be in trouble. Basically I am new to Linux. I have tried a lot of iptables rules, but I can't achieve the final target. Swapnil K. System Group Modular Infotech Pvt. Ltd. 26 Electronic Co-operative Estate, Pune Satara Road, Pune. 411 009. Maharashtra. INDIA. Ph: +91-20-24226612 Ext. 206. Fax: +91-20-24225896. E-mail: postmaster@modular-infotech.com Website: www.modular-infotech.com From jengelh at linux01.gwdg.de Wed Jul 20 08:25:12 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed Jul 20 09:06:12 2005 Subject: limit extension In-Reply-To: <42DD6A21.3090301@rbw.goe.net> References: <42DD417F.4090804@rbw.goe.net> <42DD6A21.3090301@rbw.goe.net> Message-ID: >> You could use dstlimit with --dstlimit-mode srcip-dstip >> and probably save some rules. >> >> With dstlimit, you also get an overview of which connections are currently >> limited, and their burst status, in /proc/net/ipt_dstlimit/DSTLIMIT_NAME >> It's because I think some burst math allows a second packet to sneak in. > >Won't I have the same problem with it? Probably, but it helps to diagnose the problem thanks to procfs. >http://www.netfilter.org/patch-o-matic/pom-obsolete.html#pom-obsolete-dstlimit, >it's deprecated by hashlimit, but on According to the hashlimit POMng help file and netfilter website |The idea is to have something like 'limit', but either per |destination-ip or per (destip,destport) tuple. it does not look like it can handle (srcip,dstip) tuples. Though, the codebase has flags for SIP, SPT, DIP and DPT, so I guess it maybe can. Someone enlighten me? >/sbin/iptables -t nat -I PREROUTING -p tcp -s $IP -i $LAN_DEV --sport >1024: --dport 80 --syn -m limit --limit 1/d --limit-burst 1 -j REDIRECT >--to-port 5000 -m dstlimit --dstlimit 1/d --dstlimit-burst 1 --dstlimit-mode srcip-dstip --dstlimit-name trafficcontrol Jan Engelhardt -- From jengelh at linux01.gwdg.de Wed Jul 20 08:25:16 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed Jul 20 09:17:53 2005 Subject: ipt_random In-Reply-To: <034901c58cc8$d0828650$1280a8c0@newlife> References: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife> <034901c58cc8$d0828650$1280a8c0@newlife> Message-ID: >> >It seems that the random patch for patch-o-matic for the 2.6 kernel >> >existed a long time ago but it is still not inside the latest patch-o-matic >> >snapshot. May I know why? >> >> 12:16 linux01:~ > tar -xvjf patch-o-matic-ng-20050718.tar.bz2 | grep random >> patch-o-matic-ng-20050718/patchlets/random/ >> patch-o-matic-ng-20050718/patchlets/random/linux/include/linux/netfilter_ipv4/ipt_random.h > >That's a 2.4 kernel patch. I am referring to the 2.6 kernel. 07:11 linux01:../random/linux > l net/ipv4/netfilter/ total 24 drwxr-xr-x 2 jengelh users 4096 2005-07-19 23:55 . drwxr-xr-x 3 jengelh users 4096 2005-07-19 23:55 .. -rw-r--r-- 1 jengelh users 172 2003-12-18 19:28 Config.in.ladd -rw-r--r-- 1 jengelh users 2236 2003-12-18 19:28 ipt_random.c -rw-r--r-- 1 jengelh users 326 2004-05-06 15:27 Kconfig.ladd -rw-r--r-- 1 jengelh users 93 2003-12-18 19:28 Makefile.ladd 07:11 linux01:../random/linux > pwd /home/jengelh/patch-o-matic-ng-20050719/patchlets/random/linux Given that there is Kconfig, this patch _is_ also for 2.6. Jan Engelhardt -- From mingching.tiew at redtone.com Wed Jul 20 09:08:43 2005 From: mingching.tiew at redtone.com (Ming-Ching Tiew) Date: Wed Jul 20 09:26:04 2005 Subject: ipt_random References: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife><034901c58cc8$d0828650$1280a8c0@newlife> Message-ID: <058a01c58cf9$dd3d88f0$1280a8c0@newlife> 
From: "Jan Engelhardt" > > 07:11 linux01:../random/linux > l net/ipv4/netfilter/ > total 24 > drwxr-xr-x 2 jengelh users 4096 2005-07-19 23:55 . > drwxr-xr-x 3 jengelh users 4096 2005-07-19 23:55 .. > -rw-r--r-- 1 jengelh users 172 2003-12-18 19:28 Config.in.ladd > -rw-r--r-- 1 jengelh users 2236 2003-12-18 19:28 ipt_random.c > -rw-r--r-- 1 jengelh users 326 2004-05-06 15:27 Kconfig.ladd > -rw-r--r-- 1 jengelh users 93 2003-12-18 19:28 Makefile.ladd > 07:11 linux01:../random/linux > pwd > /home/jengelh/patch-o-matic-ng-20050719/patchlets/random/linux > > Given that there is Kconfig, this patch _is_ also for 2.6. > Too bad that's not how the patch-o-matic scripts are written. It will not patch the kernel source if it does not follow a certain directory structure. That's how the patch-o-matic 'runme --batch' behaves, if what I have tried is correct. From jengelh at linux01.gwdg.de Wed Jul 20 09:54:13 2005 From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed Jul 20 10:10:54 2005 Subject: ipt_random In-Reply-To: <058a01c58cf9$dd3d88f0$1280a8c0@newlife> References: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife><034901c58cc8$d0828650$1280a8c0@newlife> <058a01c58cf9$dd3d88f0$1280a8c0@newlife> Message-ID: >Too bad that's not how the patch-o-matic scripts are written. It will not >patch the kernel source if it does not follow a certain directory structure. > >That's how the patch-o-matic 'runme --batch' behaves, if what I have >tried is correct. I usually don't use runme, because I'm almost sure it creates reject files nonetheless given the kernel I use. So I copy the files and merge the *.ladd files by hand. Voilà. Note that I do use ipt_random actively, so it definitely works on 2.6.x. Jan Engelhardt -- From mingching.tiew at redtone.com Wed Jul 20 10:15:54 2005
From: mingching.tiew at redtone.com (Ming-Ching Tiew) Date: Wed Jul 20 10:33:01 2005 Subject: ipt_random References: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife><034901c58cc8$d0828650$1280a8c0@newlife> <058a01c58cf9$dd3d88f0$1280a8c0@newlife> Message-ID: <061001c58d03$3fdeee00$1280a8c0@newlife> From: "Jan Engelhardt" > > >Too bad that's not how the patch-o-matic scripts are written. It will not > >patch the kernel source if it does not follow a certain directory structure. > > > >That's how the patch-o-matic 'runme --batch' behaves, if what I have > >tried is correct. > > I usually don't use runme, because I'm almost sure it creates reject files > nonetheless given the kernel I use. So I copy the files and merge the *.ladd > files by hand. Voilà. Note that I do use ipt_random actively, so it > definitely works on 2.6.x. > If you have a small amount of work you could copy here and there. As soon as you have a few patches to apply, it becomes very laborious and error-prone. That's the whole purpose of 'runme'. On the contrary, I use 'runme' as it guarantees me a certain minimum repeatable quality. Anyway, thanks for letting me know about the quality of ipt_random.c on the 2.6 kernel. I actually found another patch, https://lists.netfilter.org/pipermail/netfilter-devel/2004-November/017491.html Cheers. From kadlec at blackhole.kfki.hu Wed Jul 20 10:32:10 2005
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik) Date: Wed Jul 20 10:48:48 2005 Subject: ipt_random In-Reply-To: <058a01c58cf9$dd3d88f0$1280a8c0@newlife> References: <02ed01c58c43$cd9c7ed0$1280a8c0@newlife><034901c58cc8$d0828650$1280a8c0@newlife> <058a01c58cf9$dd3d88f0$1280a8c0@newlife> Message-ID: On Wed, 20 Jul 2005, Ming-Ching Tiew wrote: > > Given that there is Kconfig, this patch _is_ also for 2.6. > > Too bad that's not how the patch-o-matic scripts are written. It will not > patch the kernel source if it does not follow a certain directory structure. Actually, it's not the directory structure but the info file which prevents the patch from showing up and being offered for 2.6 kernels. I've added the missing 2.6 port to the svn tree. Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary From kadlec at blackhole.kfki.hu Wed Jul 20 11:40:35 2005 From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik) Date: Wed Jul 20 11:57:10 2005 Subject: [ANNOUNCE] ipset 2.2.2 released Message-ID: Hi, I'm happy to announce the new version of ipset. The bugs fixed in this release are - Jiffies rollover bug in ip_set_iptree reported and fixed by Rob Nielsen - Compiler warning in the non-SMP case (Marcus Sundberg) - slab cache names shrunk in order to be compatible with 2.4.* (Marcus Sundberg) New features such as the negated set feature or new API elements for better external module support were postponed to the next release. You can download the new version from http://ipset.netfilter.org/. Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary From postmaster at modular-infotech.com Wed Jul 20 07:47:55 2005
From: postmaster at modular-infotech.com (SWAPNIL) Date: Wed Jul 20 14:08:57 2005 Subject: help for IPTABLES Message-ID: Dear All, Please find the link of my network for your reference. http://downloadftp.modular-infotech.com/common/share/network.gif My client1 PC and client 2 PC will be connected to the internet using a proxy, and only the client 2 PC will be connected to one remote server or domain or IP using iptables. From a remote location anyone can connect to my local web server through my global DNS server, e.g. someone must first connect to my global DNS server to resolve the host name; then he will get routed to my local router, and the router will connect that remote user to my local webserver on any protocol and any port. Also I would like to track each connection session with my webserver. What should I do in such a scenario? Please help me, otherwise my job will be in trouble. Basically I am new to Linux. I have tried a lot of iptables rules, but I can't achieve the final target. Swapnil K. System Group Modular Infotech Pvt. Ltd. 26 Electronic Co-operative Estate, Pune Satara Road, Pune. 411 009. Maharashtra. INDIA. Ph: +91-20-24226612 Ext. 206. Fax: +91-20-24225896. E-mail: postmaster@modular-infotech.com Website: www.modular-infotech.com From schachti at rbw.goe.net Wed Jul 20 16:15:44 2005
From: schachti at rbw.goe.net (Michael Schachtebeck) Date: Wed Jul 20 16:32:31 2005 Subject: limit extension In-Reply-To: <42DD417F.4090804@rbw.goe.net> References: <42DD417F.4090804@rbw.goe.net> Message-ID: <42DE5C90.70603@rbw.goe.net> On 07/19/2005 08:07 PM Michael Schachtebeck wrote: > /sbin/iptables -t nat -I PREROUTING -p tcp -s $IP -i $LAN_DEV --sport > 1024: --dport 80 --syn -m limit --limit 1/d --limit-burst 1 -j REDIRECT > --to-port 5000 > > At first, I thought everything was fine: I got redirected when trying to > open the first page in my browser, and after that, I could surf normally > without being redirected. But after about 30 minutes, I got redirected > again, and iptables -t nat -vnL PREROUTING said that the rule had > matched twice. As I could not test the rules that Jan has suggested in his answer to my postings (it's a production machine and I couldn't reboot it with a patched kernel so far), I did some more testing and discovered a very strange behaviour which I believe to be indeed a bug: - I added the above rule to the firewall, got redirected exactly once, and could surf the web for about 40 minutes without being redirected again. - A cron job deleted some rules from the PREROUTING chain and added some new rules to the PREROUTING chain. - I got redirected again (exactly once), directly after the cron job had modified the PREROUTING chain. - I could surf the web for exactly 60 minutes without being redirected again. - The cron job ran again. - I got redirected again (exactly once), directly after the cron job had modified the PREROUTING chain. - I ran the cron job manually. - I got redirected again (exactly once) and could surf the web normally after that. - I ran the cron job manually again. - I got redirected again (exactly once). - ... (I repeated it some times, same result) - I could surf the web for about one hour without being redirected, until... you guess it, until the cron job ran again and modified the PREROUTING chain. 
The cron job did not touch the rule above I am using to do the redirection, it only deleted some other rules in the PREROUTING chain and added some new rules to the PREROUTING chain. So this seems to be a bug in the kernel's iptables implementation, right? I'm using a 2.6.12.2 vanilla kernel and iptables 1.2.11 (gentoo package net-firewall/iptables-1.2.11-r3). Cheers, Michael. -- PGP Public Key: http://www.num.math.uni-goettingen.de/schachte/key.asc Key fingerprint: C474 8B85 17C0 0232 E439 0FBF 2451 E452 293C D798 From schuster.sven at gmx.de Wed Jul 20 17:01:18 2005 
From: schuster.sven at gmx.de (Sven Schuster) Date: Wed Jul 20 17:18:03 2005 Subject: limit extension In-Reply-To: <42DE5C90.70603@rbw.goe.net> References: <42DD417F.4090804@rbw.goe.net> <42DE5C90.70603@rbw.goe.net> Message-ID: <20050720150118.GB15339@zion.homelinux.com> Hi Michael, On Wed, Jul 20, 2005 at 04:15:44PM +0200, Michael Schachtebeck told us: > As I could not test the rules that Jan has suggested in his answer to my > postings (it's a production machine and I couldn't reboot it with a > patched kernel so far), I did some more testing and discovered a very > strange behaviour which I believe to be indeed a bug: ... > So this seems to be a bug in the kernel's iptables implementation, right? I think this is "expected behaviour" and it behaves like that because of the implementation of netfilter. AFAIK, when you add, delete or replace an iptables rule, at first the current rules are "downloaded" from the kernel, the changes are made in user space, then the ruleset is "uploaded" again to the kernel. When uploading, I think that all the internal data structures for the matches are deleted and then allocated freshly. That's why you see this behaviour in your testing. When your cronjob runs (or you run it manually) all the data structures get deleted and newly allocated, thus the limit rule matches again. Of course, anybody feel free to correct me if I'm wrong :-) Regards, Sven > > I'm using a 2.6.12.2 vanilla kernel and iptables 1.2.11 (gentoo package > net-firewall/iptables-1.2.11-r3). > > Cheers, > > Michael. -- Linux zion 2.6.13-rc3-mm1 #6 PREEMPT Mon Jul 18 19:42:52 CEST 2005 i686 athlon i386 GNU/Linux 16:59:48 up 1 day, 21:12, 1 user, load average: 0.49, 0.21, 0.07 From schachti at rbw.goe.net Wed Jul 20 17:03:51 2005
From: schachti at rbw.goe.net (Michael Schachtebeck) Date: Wed Jul 20 17:20:30 2005 Subject: limit extension In-Reply-To: <20050720150118.GB15339@zion.homelinux.com> References: <42DD417F.4090804@rbw.goe.net> <42DE5C90.70603@rbw.goe.net> <20050720150118.GB15339@zion.homelinux.com> Message-ID: <42DE67D7.5040804@rbw.goe.net> On 07/20/2005 04:45 PM Sven Schuster wrote: > AFAIK, when you add, delete or replace an iptables rule, at first the > current rules are "downloaded" from the kernel, the changes are made in > user space, then the ruleset is "uploaded" again to the kernel. > When uploading, I think that all the internal data structures for > the matches are deleted and then allocated freshly. That's why you > see this behaviour in your testing. When your cronjob runs (or you > run it manually) all the data structures get deleted and newly > allocated, thus the limit rule matches again. But on the other hand, the counter correctly shows the number of packets that matched the rule; iptables -t nat -vnL PREROUTING says: 9 540 REDIRECT tcp -- eth1 * 10.10.10.69 0.0.0.0/0 tcp spts:1024:65535 dpt:80 flags:0x16/0x02 limit: avg 1/day burst 1 redir ports 5000 So it would be very strange if the rules were extracted to user space, rewritten/modified, "uploaded" to the kernel with the correct counters for the remaining rules, and then the rules do not look at these counters. ;-) Why then save and restore the counters, if they are not used by the rules? Michael. -- PGP Public Key: http://www.num.math.uni-goettingen.de/schachte/key.asc Key fingerprint: C474 8B85 17C0 0232 E439 0FBF 2451 E452 293C D798 From hidden at balabit.hu Wed Jul 20 16:36:05 2005
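Sven's explanation is the right one, and Michael's counter objection does not contradict it: the packet/byte counters are carried back and forth by iptables on every change, but the limit match's token bucket lives in the rule's match data and is reinitialised by the kernel each time the table is replaced. The following added example (not code from the thread, from iptables or from the kernel) models the ipt_limit bucket of the 2.6.12-era kernel as the editor reads ipt_limit.c and libipt_limit.c: a rate such as `1/d` becomes a cost in credits, the bucket starts full with `burst` times that cost, earns a fixed number of credits per jiffy, and a packet matches when the bucket holds at least one cost. Two things in it are assumptions rather than facts from the thread: HZ = 1000 (the tick rate of Michael's kernel is not stated), and that a table replacement re-runs the match's checkentry() for every rule (which is what refills the bucket). All function names are the editor's. u32 wraparound of the credit counter after very long idle periods is not modelled.

```python
# Added example: a model of the ipt_limit token bucket and of what a
# ruleset replacement does to it. Written by the editor after the 2.6.12
# ipt_limit.c / libipt_limit.c logic; HZ and the reload behaviour are
# assumptions stated in the lead-in. Time is in jiffies.

HZ = 1000                                   # assumption
IPT_LIMIT_SCALE = 10000
U32 = 0xFFFFFFFF
MAX_CPJ = U32 // (HZ * 60 * 60 * 24)        # "precision saver" in ipt_limit.c


def pow2_below32(n):
    """Largest power of two not above n (the POW2_BELOW32 macro)."""
    p = 1
    while p * 2 <= n:
        p *= 2
    return p


CREDITS_PER_JIFFY = pow2_below32(MAX_CPJ)


def parse_rate(text):
    """libipt_limit's parse_rate: '3/hour' -> IPT_LIMIT_SCALE * 3600 / 3."""
    units = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
    count, _, unit = text.partition("/")
    count = int(count)
    if count == 0:
        raise ValueError("bad rate %r" % text)
    mult = 1
    if unit:
        for name, seconds in units.items():
            if name.startswith(unit.lower()):
                mult = seconds
                break
        else:
            raise ValueError("bad unit in %r" % text)
    if count // mult > IPT_LIMIT_SCALE:
        raise ValueError("Rate too fast %r" % text)
    return IPT_LIMIT_SCALE * mult // count


def user2credits(user):
    """Convert a userspace rate value into bucket credits (u32 arithmetic)."""
    user &= U32
    if user > U32 // (HZ * CREDITS_PER_JIFFY):      # multiplying would overflow
        return ((user // IPT_LIMIT_SCALE) * HZ * CREDITS_PER_JIFFY) & U32
    return ((user * HZ * CREDITS_PER_JIFFY) // IPT_LIMIT_SCALE) & U32


class LimitMatch:
    """One '-m limit --limit AVG --limit-burst BURST' rule instance."""

    def __init__(self, avg, burst, now):
        self.avg, self.burst = parse_rate(avg), burst
        self.checkentry(now)

    def checkentry(self, now):
        """Runs whenever the rule is loaded into the kernel: bucket starts full."""
        if self.burst == 0 or user2credits(self.avg * self.burst) < user2credits(self.avg):
            raise ValueError("Overflow in ipt_limit, try lower")
        self.prev = now
        self.credit = user2credits(self.avg * self.burst)
        self.credit_cap = self.credit
        self.cost = user2credits(self.avg)

    def match(self, now):
        """Called per packet; True means the rule's target (here REDIRECT) fires."""
        self.credit = min(self.credit + (now - self.prev) * CREDITS_PER_JIFFY,
                          self.credit_cap)
        self.prev = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def once_a_day_without_reload():
    """The thread's rule (1/d, burst 1) left alone: results at t=0, +30 min,
    one jiffy short of a day, and exactly one day."""
    m = LimitMatch("1/d", 1, now=0)
    minute, day = 60 * HZ, 86400 * HZ
    return [m.match(0), m.match(30 * minute), m.match(day - 1), m.match(day)]


def once_a_day_with_reload():
    """Same rule, but the table is replaced 40 minutes in (the cron job)."""
    m = LimitMatch("1/d", 1, now=0)
    minute = 60 * HZ
    first = m.match(0)
    second = m.match(30 * minute)
    m.checkentry(40 * minute)          # any iptables -I/-D on the table re-checks the rule
    third = m.match(40 * minute + 1)
    return [first, second, third]


if __name__ == "__main__":
    print("credits per jiffy:", CREDITS_PER_JIFFY)
    print("no reload  :", once_a_day_without_reload())
    print("with reload:", once_a_day_with_reload())
```

Under these constants the bucket for `1/d --limit-burst 1` refills only after a full day of jiffies, so the burst arithmetic itself does not let a second SYN through; the extra redirect appears exactly when the ruleset is rewritten, which matches the cron-job timeline in the thread. The practical consequence for anyone using `limit` (or any stateful match whose state sits in the rule) as a once-per-period gate: every `iptables -I`/`-D` on that table, by any script, resets the gate, so a captive redirect like this one needs state that survives table replacement.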
From: hidden at balabit.hu (KOVACS Krisztian) Date: Wed Jul 20 17:21:21 2005 Subject: iptables and udp socket In-Reply-To: References: Message-ID: <1121870165.4056.21.camel@nienna.balabit> Hi Kornel, On Tuesday, 2005-07-19 at 19:23, Keserű Kornél wrote: > I'm quite new to netfilter/iptables, I have been using it for some weeks. > I would like to ask if it may lead to non-deterministic behaviour of iptables > when a UDP socket is opened on an IP:port while in parallel iptables > rules (NAT) are set up that forward all incoming packets received on > that IP:port to a different destination. So I just want to use the socket > for sending out packets, while incoming packets should be > forwarded to another destination. But sometimes the packets are > received on the socket, sometimes they are forwarded. So iptables > doesn't always have the expected effect. This probably derives from the internals of Netfilter connection tracking and NAT. In Netfilter, the NAT subsystem is completely based on the conntrack subsystem. That is, when a packet belonging to a currently unknown connection is detected, the conntrack system creates a new connection. Later the NAT subsystem determines the mapping to be applied to that connection by looking up the appropriate iptables table/chain. The final mapping is then stored in the conntrack entry. Now imagine t