From myhapwcforever at gmail.com Sat Apr 1 06:28:53 2006
From: myhapwcforever at gmail.com (ludi)
Date: Sat Apr 1 06:44:34 2006
Subject: ip_conntrack_ftp and non-standard ports
In-Reply-To: <9151ac2a0603301310q19746224yb8d43d26f31a31f6@mail.gmail.com>
References: <442B68CB.10005@palaver.net> <9151ac2a0603301310q19746224yb8d43d26f31a31f6@mail.gmail.com>
Message-ID:

I was also told to edit the source of the module.

On 3/31/06, Filip Sneppe wrote:
> On 3/30/06, Brian Capouch wrote:
> > I hope this isn't a FAQ. I've looked around and googled around, and so
> > far, it seems from what I've found that such a thing can be done. What
> > I don't know is just how to tell iptables to do it.
>
> This is done when loading the ip_conntrack_ftp and ip_nat_ftp kernel modules,
> e.g.
>
> modprobe ip_conntrack_ftp ports=21,2021,3021
> modprobe ip_nat_ftp ports=21,2021,3021
>
> (see "modinfo ip_conntrack_ftp")
>
> > I hope someone might provide a pointer.
>
> Hope this helps...
>
> Regards,
> Filip
>

From samueldg at arcoscom.com Sat Apr 1 08:21:07 2006
From: samueldg at arcoscom.com (Samuel Díaz García)
Date: Sat Apr 1 08:36:52 2006
Subject: iptables: Unknown error 4294967295
In-Reply-To: <442CAEC6.2040808@arcoscom.com>
References: <442CAEC6.2040808@arcoscom.com>
Message-ID: <442E1BD3.8030700@arcoscom.com>

Any idea at least?

Samuel Díaz García wrote:
> With:
> iptables 1.3.5
> linux 2.6.16.1 and 2.6.16-git8
> today's pom-ng
>
> I'm having problems with some matches:
> connlimit
> ipp2p 0.8.1_rc1
>
> When compiling, I can see many "signed/unsigned comparison warnings"
> (don't remember exactly the warning).
>
> In dmesg I see things like:
>
> Mar 31 05:18:04 fraile kernel: [17180340.932000] ip_tables: connlimit match: invalid size 0 != 16
> Mar 31 05:54:00 fraile kernel: [17182487.628000] ip_tables: ipp2p match: invalid size 0 != 8
> Mar 31 05:54:00 fraile kernel: [17182487.668000] ip_tables: layer7 match: invalid size 0 != 8452
>
> Any help/patch/suggestion?
>
> Thanks
> -- Samuel Díaz García

From samueldg at arcoscom.com Sat Apr 1 08:21:33 2006
From: samueldg at arcoscom.com (Samuel Díaz García)
Date: Sat Apr 1 08:37:19 2006
Subject: kernel panic
In-Reply-To: <442CB08F.9000406@arcoscom.com>
References: <442CB08F.9000406@arcoscom.com>
Message-ID: <442E1BED.40107@arcoscom.com>

Any idea at least?

Samuel Díaz García wrote:
> Iptables 1.3.5
> kernel 2.6.15.6
>
> Any help?
>
> Mar 30 00:31:01 fraile kernel: [17181150.312000] ip_nat_pptp version 3.0 unloaded
> Mar 30 00:31:01 fraile kernel: [17181150.492000] ctnetlink: unregistering from nfnetlink.
> Mar 30 00:31:01 fraile kernel: [17181150.524000] ip_conntrack_pptp version 3.1 unloaded
> Mar 30 00:31:01 fraile kernel: [17181150.688000] ctnetlink v0.90: registering with nfnetlink.
> Mar 30 00:31:01 fraile kernel: [17181150.688000] Unable to handle kernel paging request at virtual address e0c76e54
> Mar 30 00:31:01 fraile kernel: [17181150.688000] printing eip:
> Mar 30 00:31:01 fraile kernel: [17181150.688000] c012a309
> Mar 30 00:31:01 fraile kernel: [17181150.688000] *pde = 1c9ac067
> Mar 30 00:31:01 fraile kernel: [17181150.688000] Oops: 0000 [#1]
> Mar 30 00:31:01 fraile kernel: [17181150.688000] Modules linked in: ip_conntrack_netlink ip_conntrack_netbios_ns ip_conntrack_irc ip_conntrack_h323 ip_conntrack_ftp ip_conntrack_amanda ipt_ipp2p parport_pc lp parport ipt_mac ipt_connlimit iptable_filter ipt_MASQUERADE iptable_nat ip_nat ipt_layer7 ipt_state ipt_MARK ipt_mark ipt_CONNMARK ip_conntrack nfnetlink ipt_comment iptable_mangle ip_tables police autofs4 it87 hwmon_vid hwmon eeprom i2c_isa bluetooth sunrpc dm_mod video thermal processor fan container button battery ac ohci_hcd shpchp i2c_sis630 i2c_sis96x i2c_core snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc sis900 8139too 3c59x mii floppy ext3 jbd aacraid sd_mod scsi_mod
> Mar 30 00:31:01 fraile kernel:
[17181150.688000] CPU: 0
> Mar 30 00:31:01 fraile kernel: [17181150.688000] EIP: 0060:[] Tainted: GF VLI
> Mar 30 00:31:01 fraile kernel: [17181150.688000] EFLAGS: 00010282 (2.6.15.6-ArcosCom)
> Mar 30 00:31:01 fraile kernel: [17181150.688000] EIP is at notifier_chain_register+0x19/0x50
> Mar 30 00:31:01 fraile kernel: [17181150.688000] eax: e0c76e4c ebx: e0c114c0 ecx: ffffffff edx: 00000000
> Mar 30 00:31:01 fraile kernel: [17181150.688000] esi: e0c40e4c edi: 0805e218 ebp: d174e000 esp: d174ff8c
> Mar 30 00:31:02 fraile kernel: [17181150.688000] ds: 007b es: 007b ss: 0068
> Mar 30 00:31:02 fraile kernel: [17181150.688000] Process modprobe (pid: 4432, threadinfo=d174e000 task=d363f570)
> Mar 30 00:31:02 fraile kernel: [17181150.688000] Stack: 00000000 0805e1f8 e0c2a05c e0c3f4c4 e0c2a0db e0c40f00 c0138a87 b7e9c008
> Mar 30 00:31:02 fraile kernel: [17181150.688000] 0805e1f8 b7e9c008 0805e1f8 c0103055 b7e9c008 00034380 0805e1f8 0805e1f8
> Mar 30 00:31:02 fraile kernel: [17181150.688000] 0805e218 bfd130b8 ffffffda 0000007b 0000007b 00000080 ffffe410 00000073
> Mar 30 00:31:02 fraile kernel: [17181150.688000] Call Trace:
> Mar 30 00:31:02 fraile kernel: [17181150.688000] [] ctnetlink_init+0x5c/0xdb [ip_conntrack_netlink]
> Mar 30 00:31:02 fraile kernel: [17181150.688000] [] sys_init_module+0xc7/0x1d0
> Mar 30 00:31:02 fraile kernel: [17181150.688000] [] syscall_call+0x7/0xb
> Mar 30 00:31:03 fraile kernel: [17181150.688000] Code: 00 e8 5c 54 24 00 b8 fe fd ff ff c3 90 90 90 90 90 90 56 89 d6 53 89 c3 b8 18 3c 3d c0 e8 70 6b 24 00 8b 03 85 c0 74 1a 8b 56 08 <3b> 50 08 7f 12 89 f6 8d 58 04 8b 40 04 85 c0 74 06 39 50 08 7d
> Mar 30 00:31:03 fraile kernel: [17181150.688000] ip_conntrack_pptp version 3.1 loaded
> Mar 30 00:31:03 fraile kernel: [17181150.840000] ip_nat_pptp version 3.0 loaded
> Mar 30 00:31:30 fraile kernel: [17181179.176000] ip_nat_pptp version 3.0 unloaded
> Mar 30 00:31:30 fraile kernel: [17181179.388000]
ip_conntrack_pptp version 3.1 unloaded
> Mar 30 00:31:30 fraile kernel: [17181179.556000] ip_conntrack_pptp version 3.1 loaded
>
> -- Samuel Díaz García

From alexandre.rouillac at gmail.com Sat Apr 1 10:44:59 2006
From: alexandre.rouillac at gmail.com (Alexandre Rouillac)
Date: Sat Apr 1 11:00:32 2006
Subject: iptables -A INPUT -j LOG does not log anything
Message-ID: <442E3D8B.9060804@gmail.com>

Hi all,

I set my iptables with policy "-P INPUT DROP" and my last line of the INPUT chain to "-A INPUT -j LOG". So every packet not matching my INPUT rules will be LOGged and DROPped.

My problem is that iptables does not log anything to my syslog file. I checked the syslogd configuration (Debian default):

*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

I checked the counters of the INPUT chain:

20 3 144 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4

But nothing in my logfiles (syslog, messages, kern.log).

Can someone help?

Best Regards,
Alexandre

From carlos.pastorino at gmail.com Sat Apr 1 22:46:12 2006
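An added check and example for Alexandre Rouillac's question above; this is editor's code, not part of the thread. The LOG target writes its records with printk at the rule's --log-level, so they land in the kernel ring buffer first and only then go through klogd/syslogd to a file. With the rule counters rising as shown, `dmesg | grep 'IN='` splits the problem in two: records present in dmesg but missing from kern.log point at klogd/syslogd, records missing from dmesg point at the rule or its module. Once records do arrive, the POSIX sh/awk script below counts LOG records and summarises them by source address and destination port, the usual first pass over a DROP log. The SAMPLE_LOG lines are constructed (documentation address ranges), not taken from anyone's host.

```shell
#!/bin/sh
# Added example, not from the thread: count and summarise iptables LOG
# records in syslog-format text read from stdin. Lines that lack the
# IN=/SRC= fields written by the LOG target are ignored. SAMPLE_LOG is
# constructed for this example; the addresses are documentation ranges.

SAMPLE_LOG='Apr  1 10:44:59 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 10:45:01 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  1 10:45:03 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Apr  1 10:45:04 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Apr  1 10:45:05 fw syslogd 1.4.1#18: restart.'

# log_records < text -> number of LOG records (0 when there are none)
log_records() {
    grep -c 'kernel: .*IN=.*SRC='
}

# log_summary < text -> "SRC DPT COUNT" lines, highest count first;
# DPT is "-" for protocols without ports (ICMP).
log_summary() {
    awk '
    /kernel: .*IN=.*SRC=/ {
        src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") count[src " " dpt]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2
}

# On a live host:   log_summary < /var/log/kern.log
# or, bypassing syslogd entirely:   dmesg | log_summary
```

Running `dmesg | log_summary` is the quickest way to prove the kernel side works when the files stay empty; if that shows records, the `kern.*` line in syslog.conf is fine and the thing to check is whether klogd is running and feeding syslogd.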
From: carlos.pastorino at gmail.com (Carlos Pastorino)
Date: Sat Apr 1 23:01:59 2006
Subject: It seems I've found why conntrack blocks some packets
In-Reply-To: <442D2C8F.1020505@SCampbell.net>
References: <57F9959B46E0FA4D8BA88AEDFBE582901674BC@pxtbenexd01.pxt.primeexalia.com> <442D2C8F.1020505@SCampbell.net>
Message-ID:

Hi Steven,

> Unfortunately, you've needed to obscure the actual ip address (I understand) but I can't match the 'customerip' and 'webserverip' to the ${variables} above because I don't know the actual values for any of them.

Well, the customerip is from some unknown Internet user. So it's an external IP, and its connection comes in via $INET_IFACE. The webserverip is in my DMZ, so it matches $DMZ_RANGE or $DMZ_WEBSERVER.

> Try to walk through the rules in your forward chain using the ip addresses you've captured and identify the rule you believe should allow these ack packets to go out.

Well, it's actually the ACK packets that should come in, and the rule that must match them is the ESTABLISHED,RELATED rule. And it actually does match for more than 3,000 connections a day. But, for 200 or so of them, this odd behavior occurs.

Your next e-mail may have shed some light. I'll comment on it.

Regards.

From carlos.pastorino at gmail.com Sat Apr 1 22:59:43 2006
From: carlos.pastorino at gmail.com (Carlos Pastorino)
Date: Sat Apr 1 23:15:32 2006
Subject: It seems I've found why conntrack blocks some packets
In-Reply-To: <442D320E.7070301@SCampbell.net>
References: <57F9959B46E0FA4D8BA88AEDFBE582901674BC@pxtbenexd01.pxt.primeexalia.com> <442D2C8F.1020505@SCampbell.net> <442D320E.7070301@SCampbell.net>
Message-ID:

Now, commenting on this message: I actually didn't know that the conntrack table had a limit. Learning something every day. I will check its value on Monday, during peak time.

Another thought: if the ACKs that are being blocked are for some reason malformed, wouldn't they be blocked as well by the last rule?

> One other thought to this, if I were to presume the ${variables} and ...ip's then I would presume that the RELATED rules should allow these ack's to go through. The only reason I know of for them not to (again, assuming all the addressing is really ok) would be that the conntrack table has filled up.
>
> To see the maximum connections that can be tracked:
>
> # cat /proc/sys/net/ipv4/ip_conntrack_max
> 32760
>
> To see how many you are using at a given moment
>
> # wc -l /proc/net/ip_conntrack
> 16 /proc/net/ip_conntrack
>
>
> This is from my house and there really isn't all that much going on, I would expect far larger counts, you may need to up ip_conntrack_max. This is really out in the SWAG arena because I can't see the details of your installation.
>

From filip.sneppe at gmail.com Sat Apr 1 23:42:15 2006
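An added example, editor's code rather than Steven M Campbell's or Carlos Pastorino's, that turns the two checks quoted above (ip_conntrack_max against `wc -l /proc/net/ip_conntrack`) into something that can run from cron. It adds two things the raw count does not give: a breakdown of the table by protocol and TCP state, so a table full of SYN_SENT, TIME_WAIT or [UNREPLIED] entries can be told apart from genuine load, and a count of the kernel's own "ip_conntrack: table full, dropping packet." messages, which is the definitive sign that the limit was hit. The sample table uses the 2.6 /proc/net/ip_conntrack line layout with constructed entries, the sample log lines are constructed too, and the 80% warning threshold is a choice for the example, not a kernel value.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks on the conntrack table:
# how full it is, what is in it, and whether the kernel has already started
# dropping for lack of room. The sample table and log lines are constructed.

WARN_PCT=80   # alert threshold; a choice for this example, not a kernel value

# conntrack_usage MAX USED -> prints "USED/MAX (PCT%)"; returns 1 when PCT >= WARN_PCT
conntrack_usage() {
    max=$1; used=$2
    pct=$((used * 100 / max))
    echo "$used/$max ($pct%)"
    [ "$pct" -lt "$WARN_PCT" ]
}

# conntrack_states < table -> "proto[/state][(unreplied)] count" lines.
# A table that is mostly SYN_SENT, TIME_WAIT or [UNREPLIED] entries is
# filling up with connections that never completed or never closed
# cleanly, which is a timeout question rather than a capacity one.
conntrack_states() {
    awk '{
        key = $1
        if ($1 == "tcp") key = $1 "/" $4
        if ($0 ~ /\[UNREPLIED\]/) key = key "(unreplied)"
        n[key]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# table_full_events < kernel log -> number of "table full" drops logged
table_full_events() {
    grep -c 'ip_conntrack: table full, dropping packet'
}

SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40123 dport=80 src=203.0.113.5 dst=198.51.100.2 sport=80 dport=40123 [ASSURED] use=1
tcp      6 431200 ESTABLISHED src=192.168.1.11 dst=203.0.113.9 sport=40124 dport=443 src=203.0.113.9 dst=198.51.100.2 sport=443 dport=40124 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.5 sport=40100 dport=80 src=203.0.113.5 dst=198.51.100.2 sport=80 dport=40100 [ASSURED] use=1
tcp      6 50 SYN_SENT src=192.168.1.12 dst=203.0.113.77 sport=40200 dport=25 [UNREPLIED] src=203.0.113.77 dst=198.51.100.2 sport=25 dport=40200 use=1
udp      17 20 src=192.168.1.11 dst=192.168.1.1 sport=53001 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.11 sport=53 dport=53001 use=1
icmp     1 29 src=192.168.1.10 dst=203.0.113.5 type=8 code=0 id=512 src=203.0.113.5 dst=198.51.100.2 type=0 code=0 id=512 use=1'

SAMPLE_KLOG='Apr  1 12:00:01 fw kernel: ip_conntrack: table full, dropping packet.
Apr  1 12:00:01 fw kernel: ip_conntrack: table full, dropping packet.
Apr  1 12:00:05 fw kernel: eth0: link up'

# On a live host (the same numbers the thread reads by hand):
#   conntrack_usage "$(cat /proc/sys/net/ipv4/ip_conntrack_max)" "$(wc -l < /proc/net/ip_conntrack)"
#   conntrack_states < /proc/net/ip_conntrack
#   table_full_events < /var/log/kern.log
```

The return status of conntrack_usage is what a cron wrapper should key on; the state breakdown is what decides whether the fix is a larger ip_conntrack_max or shorter timeouts for the states that dominate.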
From: filip.sneppe at gmail.com (Filip Sneppe)
Date: Sat Apr 1 23:58:02 2006
Subject: ip_conntrack_ftp and non-standard ports
In-Reply-To:
References: <442B68CB.10005@palaver.net> <9151ac2a0603301310q19746224yb8d43d26f31a31f6@mail.gmail.com>
Message-ID: <9151ac2a0604011342k4175a1f4o53fc9393b5e447cb@mail.gmail.com>

On 4/1/06, ludi wrote:
> I was also told to edit the source of the module.
>

No, that's not needed (not for any of the conntrack/nat modules I know of).

Regards,
Filip

From Netfilter at SCampbell.net Sun Apr 2 06:08:51 2006
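An added example for the ports= discussion above; this is editor's code, not Filip Sneppe's and not the netfilter project's. It validates a comma-separated list of FTP control ports against the limits the helper imposes and prints the modprobe lines together with the filter rules the helper is normally paired with: NEW connections accepted only on the listed control ports, and the data channel accepted as RELATED because the helper creates the expectation from the PORT/PASV exchange it parses. Assumptions: the 2.6-era module names used in the thread, the 8-entry ports array of the conntrack helper (MAX_PORTS in ip_conntrack_ftp.c), and an FTP server on the firewall host itself, hence the INPUT chain. Whether ip_nat_ftp still honours its own ports= argument differs between kernel generations, so run the `modinfo` check the reply points at before trusting it.

```shell
#!/bin/sh
# Added example, not from the thread. Check a comma-separated list of FTP
# control ports and print the commands that load the helper for them.
# Assumptions: 2.6-era module names (ip_conntrack_ftp, ip_nat_ftp), the
# helper's 8-entry ports[] array (MAX_PORTS in ip_conntrack_ftp.c), and
# an FTP server on the firewall host itself (INPUT chain).
# Nothing is executed; review the output, then pipe it to sh on the box.

MAX_FTP_PORTS=8

# split_ports "21,2021,3021" -> one port per line
split_ports() {
    printf '%s\n' "$1" | tr ',' '\n'
}

# valid_port_list LIST -> 0 if every entry is an integer in 1..65535 and
# there are 1..MAX_FTP_PORTS of them; otherwise a message on stderr and 1.
valid_port_list() {
    count=0
    for p in $(split_ports "$1"); do
        case $p in
            *[!0-9]*) echo "not a port number: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        count=$((count + 1))
    done
    if [ "$count" -lt 1 ] || [ "$count" -gt "$MAX_FTP_PORTS" ]; then
        echo "need 1..$MAX_FTP_PORTS ports, got $count" >&2; return 1
    fi
    return 0
}

# ftp_helper_plan LIST -> modprobe lines plus the filter rules that let the
# control channel in on the listed ports only and the data channel in as
# RELATED (the helper creates that expectation from PORT/PASV in the stream).
ftp_helper_plan() {
    ports=$1
    valid_port_list "$ports" || return 1
    echo "modprobe ip_conntrack_ftp ports=$ports"
    echo "modprobe ip_nat_ftp ports=$ports"
    for p in $(split_ports "$ports"); do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# usage, after reading the output once:   ftp_helper_plan 21,2021,3021 | sh
```

Keeping the port list to the ports an FTP daemon really listens on matters: every port in it makes the helper parse that stream for PORT/PASV commands and open RELATED expectations from whatever it finds there, so the list is the attack surface of the RELATED rule.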
From: Netfilter at SCampbell.net (Steven M Campbell)
Date: Sun Apr 2 06:24:37 2006
Subject: It seems I've found why conntrack blocks some packets
In-Reply-To:
References: <57F9959B46E0FA4D8BA88AEDFBE582901674BC@pxtbenexd01.pxt.primeexalia.com> <442D2C8F.1020505@SCampbell.net> <442D320E.7070301@SCampbell.net>
Message-ID: <442F4E53.9060501@SCampbell.net>

Carlos Pastorino wrote:
> Now, commenting on this message: I actually didn't know that the
> conntrack table had a limit. Learning something every day. I will
> check its value on Monday, during peak time.

A related thought to this, I wonder how many connections are not being closed nicely and then have to hang around in the conntrack table. If you find that you are approaching the limits then you might want to look into the various connection tracking timings.

> Another thought: if the ACKs that are being blocked are for some
> reason malformed, wouldn't they be blocked as well by the last rule?

The last rule is a log-only rule:

$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD blocked: "

It's the one generating the log messages we see, therefore we are actually falling off the table and taking the default policy which is 'DROP' ($IPTABLES -P FORWARD DROP)

Also, there really isn't that much to the syn-ack packets, kinda hard to malform them too much.

>
>> One other thought to this, if I were to presume the ${variables} and ...ip's then I would presume that the RELATED rules should allow these ack's to go through. The only reason I know of for them not to (again, assuming all the addressing is really ok) would be that the conntrack table has filled up.
>>
>> To see the maximum connections that can be tracked:
>>
>> # cat /proc/sys/net/ipv4/ip_conntrack_max
>> 32760
>>
>> To see how many you are using at a given moment
>>
>> # wc -l /proc/net/ip_conntrack
>> 16 /proc/net/ip_conntrack
>>
>>
>> This is from my house and there really isn't all that much going on, I would expect far larger counts, you may need to up ip_conntrack_max. This is really out in the SWAG arena because I can't see the details of your installation.
>>
>>
>

From kbukhari at gmail.com Sun Apr 2 15:28:30 2006
From: kbukhari at gmail.com (Kashif Ali Bukhari)
Date: Sun Apr 2 15:44:25 2006
Subject: Real ip's behind Firewall
In-Reply-To: <3da957060603300530o74205fe9g2067b6c61152da5@mail.gmail.com>
References: <3da957060603300530o74205fe9g2067b6c61152da5@mail.gmail.com>
Message-ID:

You can use bridging on your firewall; it is also known as a transparent firewall.

On 3/30/06, Stephan Higuti wrote:
> Hello guys.
> Let me explain my situation:
> I have an Internet connection coming into a switch. In this switch, I
> have my "Firewall" and some other servers that use real IPs, so
> the firewall doesn't protect the other servers, because the servers
> aren't behind it.
> I need to change this, making a real firewall in front of the servers.
> I want to know:
> Can I put some servers using real IPs behind my firewall using iptables?
> If yes, how can I do this?
>
> Sorry for my bad English!
>
> Thanks
>
> Cheers
>
> Stephan
>
>

--
Syed Kashif Ali Bukhari
+92-300-4295604
Network Engineer
Beaconhouse IT Services, Lahore Pakistan

From sven at hin.de Sun Apr 2 17:34:59 2006
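An added example of the bridging setup Kashif Ali Bukhari suggests above; this is editor's code, not his and not from the thread. It builds a two-port bridge on the firewall and filters the bridged traffic with iptables, so the servers keep their public addresses and the firewall has no address of its own on the path. Everything named is an assumption for the example: eth0 towards the Internet, eth1 towards the servers, br0 for the bridge, 203.0.113.0/28 for the server block, TCP 80 and 443 as the published services. It needs bridge-utils (brctl), iproute2 (ip) and a kernel with bridge netfilter, which is what hands bridged IPv4 frames to iptables' FORWARD chain; the physdev match is what tells "came in from the Internet port" from "came in from the server port" once both sit on one bridge. With DRY_RUN=1 the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread: a two-NIC Linux box as a bridging
# ("transparent") firewall, so the servers keep their public addresses and
# the firewall has no address of its own on the path. Assumed names: eth0
# towards the Internet, eth1 towards the servers, br0 for the bridge,
# 203.0.113.0/28 for the server block, TCP 80 and 443 as the published
# services. Needs bridge-utils (brctl), iproute2 (ip), and a kernel with
# bridge netfilter, which hands bridged IPv4 frames to iptables. Set
# DRY_RUN=1 to print the commands instead of running them.

OUTSIDE=eth0
INSIDE=eth1
BRIDGE=br0
SERVERS=203.0.113.0/28
SERVICES="80 443"
: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Build the bridge. No address is assigned to br0 or its member ports, so
# the firewall is not a hop and cannot be addressed from either side;
# manage it over a third interface.
bridge_up() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$OUTSIDE"
    run brctl addif "$BRIDGE" "$INSIDE"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BRIDGE" up
    # bridged IPv4 frames traverse iptables only with this switched on
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
    else
        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    fi
}

# Bridged traffic crosses the FORWARD chain, so the policy lives there.
# physdev names the physical port a frame came in on, which is what
# distinguishes "from the Internet" from "from the servers" on one bridge.
bridge_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $SERVICES; do
        run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" \
            -d "$SERVERS" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # anything the servers themselves initiate may leave
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" -s "$SERVERS" \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "bridge drop: "
}

# as root on the firewall:   bridge_up && bridge_rules
# to review first:           DRY_RUN=1 sh -c '. ./this.sh; bridge_up; bridge_rules'
```

Because the policy is DROP and the allow rules are keyed on the inbound physical port, a frame that arrives on the server side claiming an Internet source address still only gets the server-side rules; that is the property a transparent firewall adds over the switch the servers were hanging off before.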
From: sven at hin.de (sven@hin.de)
Date: Sun Apr 2 17:50:56 2006
Subject: Update Iptables in order to use String-Match
Message-ID: <442FEF23.5040400@hin.de>

Hi List!

I am running Linux 2.4.32 and an older version of iptables. I'd like to use String-Match. I tried to update with some versions of p-o-m. Nothing helped. I also compiled iptables 1.3.5 successfully.

What went wrong?

From rob at sterenborg.info Sun Apr 2 19:12:45 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Sun Apr 2 19:28:21 2006
Subject: Update Iptables in order to use String-Match
In-Reply-To: <442FEF23.5040400@hin.de>
Message-ID: <001501c65678$a8c561d0$0101000a@sterenborg.info>

> Hi List!
>
> I am running Linux 2.4.32 and an older version of iptables.
> I'd like to use String-Match. I tried to update with some versions of
> p-o-m. Nothing helped. I also compiled iptables 1.3.5 successfully.
>
> What went wrong?

Dunno.. The crystal ball is a bit cloudy today. Any error messages?

You have "updated some versions of p-o-m". What do you mean by that? What have you done exactly?

Have you:
- untarred the kernel,
- untarred POM,
- untarred iptables,
- patched both the kernel and iptables with POM,
- compiled and installed the kernel and modules,
- compiled and installed iptables?

Gr,
Rob

From sven at hin.de Sun Apr 2 20:07:34 2006
From: sven at hin.de (sven@hin.de)
Date: Sun Apr 2 20:23:33 2006
Subject: Update Iptables in order to use String-Match
In-Reply-To: <001501c65678$a8c561d0$0101000a@sterenborg.info>
References: <001501c65678$a8c561d0$0101000a@sterenborg.info>
Message-ID: <443012E6.3050204@hin.de>

Rob Sterenborg wrote:
> Dunno.. The crystal ball is a bit cloudy today. Any error messages?

Oh, I've forgotten:

linux:/usr/local/lib/iptables # iptables -m string -h
iptables: match `string' v1.3.3 (I'm v1.3.5)

> You have "updated some versions of p-o-m". What do you mean by that?
> What have you done exactly?
>
> Have you:
> - untarred the kernel,
> - untarred POM,
> - untarred iptables,

all yes

> - patched both the kernel and iptables with POM,

yes, but it doesn't add string-match

> - compiled and installed the kernel and modules,

yes, but no string-match module seen in kernel menuconfig

> - compiled and installed iptables?

yes

From rob at sterenborg.info Sun Apr 2 22:23:46 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Sun Apr 2 22:40:56 2006
Subject: Update Iptables in order to use String-Match
In-Reply-To: <443012E6.3050204@hin.de>
Message-ID: <001701c65693$58272720$0101000a@sterenborg.info>

>> Dunno.. The crystal ball is a bit cloudy today. Any error messages?
>
> Oh, I've forgotten:
>
> linux:/usr/local/lib/iptables # iptables -m string -h
> iptables: match `string' v1.3.3 (I'm v1.3.5)

So your iptables isn't installed, or is installed in a different path than the original.

>> You have "updated some versions of p-o-m". What do you mean by that?
>> What have you done exactly?
>>
>> Have you:
>> - untarred the kernel,
>> - untarred POM,
>> - untarred iptables,
> all yes
>
>> - patched both the kernel and iptables with POM,
> yes, but it doesn't add string-match

So that's where things go wrong: if it doesn't show up, you couldn't have patched the kernel for it.

The string match is in the Extra repository. Did you run POM with "./runme extra"?
http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-string

>> - compiled and installed the kernel and modules,
> yes, but no string-match module seen in kernel menuconfig

See above.

>> - compiled and installed iptables?
> yes

I think not completely. What does "iptables -V" say? (Mine says: "iptables v1.3.5-2006xxxx")

Gr,
Rob

From sven at hin.de Sun Apr 2 23:41:24 2006
From: sven at hin.de (sven@hin.de)
Date: Sun Apr 2 23:57:23 2006
Subject: Update Iptables in order to use String-Match
In-Reply-To: <001701c65693$58272720$0101000a@sterenborg.info>
References: <001701c65693$58272720$0101000a@sterenborg.info>
Message-ID: <44304504.7010808@hin.de>

Rob Sterenborg wrote:
> So your iptables isn't installed, or is installed in a different path than
> the original.

hmm bad... how do I correct this?

> So that's where things go wrong: if it doesn't show up, you couldn't
> have patched the kernel for it.
>
> The string match is in the Extra repository. Did you run POM with
> "./runme extra"?
> http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-string

hmm no, I will do this now...

> I think not completely.
> What does "iptables -V" say? (Mine says: "iptables v1.3.5-2006xxxx")

iptables v1.3.5

From rob at sterenborg.info Mon Apr 3 00:31:31 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Mon Apr 3 00:47:09 2006
Subject: Update Iptables in order to use String-Match
In-Reply-To: <44304504.7010808@hin.de>
Message-ID: <001b01c656a5$314bc680$0101000a@sterenborg.info>

>> So your iptables isn't installed, or is installed in a different path
>> than the original.
> hmm bad... how do I correct this?

>> iptables: match `string' v1.3.3 (I'm v1.3.5)

The last part between the brackets, I suppose iptables wrote it? (I think I got confused there.)
If this is true, you have the string match from 1.3.3 installed (if you already had it, why build a new kernel/iptables?) and are using iptables 1.3.5. (That means you have iptables-1.3.5 installed but didn't install string match 1.3.5, which would be true, reading below.)

>> The string match is in the Extra repository. Did you run POM with
>> "./runme extra"?
>
> hmm no, I will do this now...

I think that will solve your problem.
(Remember to also recompile iptables..)

Gr,
Rob

From sven at hin.de Mon Apr 3 00:36:10 2006
From: sven at hin.de (sven@hin.de)
Date: Mon Apr 3 00:52:10 2006
Subject: Update Iptables in order to use String-Match
In-Reply-To: <001b01c656a5$314bc680$0101000a@sterenborg.info>
References: <001b01c656a5$314bc680$0101000a@sterenborg.info>
Message-ID: <443051DA.5090700@hin.de>

Rob Sterenborg wrote:
> The last part between the brackets, I suppose iptables wrote it? (I
> think I got confused there.)
> If this is true, you have the string match from 1.3.3 installed (if you
> already had it, why build a new kernel/iptables?) and are using
> iptables 1.3.5. (That means you have iptables-1.3.5 installed but didn't
> install string match 1.3.5, which would be true, reading below.)

When I used String-Match with hex, I got a segfault.

> I think that will solve your problem.
> (Remember to also recompile iptables..)

I will do...

From laforge at netfilter.org Mon Apr 3 09:23:51 2006
From: laforge at netfilter.org (Harald Welte)
Date: Mon Apr 3 09:40:23 2006
Subject: [ADM] netfilter.org scheduled downtime
Message-ID: <20060403072351.GA19925@sunbeam.de.gnumonks.org>

Hi!

Starting at 10am GMT today, April 1st 2006 netfilter.org/gnumonks.org will experience a multi-hour administrative downtime.

All machines ({vishnu,lakshmi,durga}.netfilter.org, ganesha.gnumonks.org) will be moved to a different rack for thermal reasons. In addition, one new machine will be placed (parvati.netfilter.org) next to them in the new rack.

For www access, I suggest using one of our many mirrors, reachable under their individual www.CCTLD.netfilter.org or as a round-robin dns record mirror.netfilter.org.

svn, bugzilla, mailinglists and other services will be unreachable, sorry.

--
- Harald Welte                  http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie

From sven at hin.de Mon Apr 3 15:07:59 2006
From: sven at hin.de (sven@hin.de)
Date: Mon Apr 3 19:59:45 2006
Subject: Update Iptables in order to use String-Match
In-Reply-To: <001b01c656a5$314bc680$0101000a@sterenborg.info>
References: <001b01c656a5$314bc680$0101000a@sterenborg.info>
Message-ID: <44311E2F.20907@hin.de>

Rob Sterenborg wrote:
> The last part between the brackets, I suppose iptables wrote it? (I
> think I got confused there.)
> If this is true, you have the string match from 1.3.3 installed (if you
> already had it, why build a new kernel/iptables?) and are using
> iptables 1.3.5. (That means you have iptables-1.3.5 installed but didn't
> install string match 1.3.5, which would be true, reading below.)
>
>>> The string match is in the Extra repository. Did you run POM with
>>> "./runme extra"?
>> hmm no, I will do this now...
>
> I think that will solve your problem.
> (Remember to also recompile iptables..)

The latest version of POM does not contain String-match! I found it in a version from 2004, is that right?

From emailwastefilter-listnetfilter at yahoo.com Mon Apr 3 11:45:23 2006
From: emailwastefilter-listnetfilter at yahoo.com (Johnny Casey)
Date: Mon Apr 3 21:01:24 2006
Subject: Lost packets - strange problem
In-Reply-To:
References: <1143483717.776638.226080@u72g2000cwu.googlegroups.com>
Message-ID: <4430EEB3.7040700@yahoo.com>

Martín Ferrari wrote:
> (x-posted in linux-net mailing list)
>
> Hi!
>
> I'm having a very strange problem. I have already tested a *lot* of
> things before asking, and I still have no clue of what's happening.
>
> I have 6 linux boxes acting as firewalls/routers. They have been using
> similar configurations and netfilter rules for 4 years, when I
> installed the first of these. Some of them route more than 10 Mbps
> between interfaces, 50000+ connections tracked with netfilter, traffic
> shaping, NAT, and stuff, and they don't even blink.
>
> BUT, two of them started giving headaches, they don't have the highest
> usage, but they lose packets (in any interface) up to 80%, sometimes
> softirqd eats all the cpu, and you cannot even connect to the boxes.
> This does not happen from the very first day, and not all the time!
>
> The NICs are mostly 3c905* (a mix of them), also some e100 and 3c940
> (sk98lin). The troublesome computers have 3c905 and 3c940, but I do
> not find any pattern on hardware.

I think the 3c940s are the problem. I have a desktop box which works for a while and then the interface degrades for no apparent reason. No errors appear in the log, or in ifconfig. Bringing down the interface, removing the module works, but not reliably. Sometimes I just reboot. This started happening around kernel 2.6.14-2.6.15 or some such. Maybe we can track it down? The hard to test bit is that it takes a while before the problem starts.

> Also, the error count is 0 in the internet interface of the host which
> fails the most.

same here.

...

> Any help would be greatly appreciated!
>
> --
> Martín Ferrari

Maybe we can try narrowing the kernel search.
Unfortunately I'm also using the Promise-SATA-PATA git from jgarzik...

HTH,
Johnny

From alex at samad.com.au Tue Apr 4 02:24:01 2006
From: alex at samad.com.au (Alexander Samad)
Date: Tue Apr 4 02:40:08 2006
Subject: Multi default gateway and 2.4.30
Message-ID: <20060404002401.GE7733@hufpuf.lan1.hme1.samad.com.au>

Hi

I have just moved my firewall from a 2.6 Debian machine to a 2.4.30 OpenWrt (Linksys WRT54GS) box. I originally had this working with 2 ISPs, 1 cable, 1 ADSL and dyndns.

Now that I have moved to 2.4.30 I am having problems. Everything else is working fine except when I DNAT packets from the firewall to an internal address, i.e. my web browser is inside so I DNAT from the external IP to the internal web server.

Now I am getting time outs. Upon investigation, what is happening is that packets are coming in, getting DNAT'ed, the web server is returning them, they get un-DNAT'ed, but a new call to the routing table is made and it seems to bypass the ip rules I have. All traffic that terminates on the external IP is okay and doesn't suffer from the problem.

I remember reading about patches for iproute and the kernel but I haven't kept up to date with those since I started using 2.6.

Am I missing a patch??

Thanks

From rob at sterenborg.info Tue Apr 4 07:52:13 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Tue Apr 4 08:08:25 2006
Subject: Update Iptables in order to use String-Match
In-Reply-To: <44311E2F.20907@hin.de>
Message-ID: <000e01c657ab$ed115cc0$0101000a@sterenborg.info>

>> The last part between the brackets, I suppose iptables wrote it? (I
>> think I got confused there.) If this is true, you have the string
>> match from 1.3.3 installed (if you already had it, why build a new
>> kernel/iptables?) and are using iptables 1.3.5. (That means you
>> have iptables-1.3.5 installed but didn't install string match 1.3.5
>> which would be true, reading below.)
>>
>>>> The string match is in the Extra repository. Did you run POM with
>>>> "./runme extra"?
>>> hmm no, I will do this now...
>>
>> I think that will solve your problem.
>> (Remember to also recompile iptables..)
>
> The latest version of POM does not contain String-match!
> I found it in a version from 2004, is that right?

Hm. I never used it so I never noticed; it indeed appears to be dropped or something.

If you really need it (we don't know what you actually want to do, so maybe there's another/better way), maybe you can use an old POM for just the string match, and a recent POM for the rest.. But I'm not sure if that's such a good idea or even if that will break something: it's up to you.

Gr,
Rob

From thierry.itty at besancon.org Tue Apr 4 10:13:54 2006
From: thierry.itty at besancon.org (thierry itty)
Date: Tue Apr 4 10:30:10 2006
Subject: iptables and patch-o-matic compilation errors with fedora core 4
In-Reply-To: <1142344100.2610.3.camel@davila.nicaraguaopensource.com>
References: <44169348.7070408@besancon.org> <1142344100.2610.3.camel@davila.nicaraguaopensource.com>
Message-ID: <44322AC2.7070503@besancon.org>

Hello Jorge and all

To make it short, we upgraded the system to the latest fc4 versions. The last fc4 kernel (2.6.15 1833) includes the pptp patch; we could recompile it for the h323 patch. We did not need to recompile iptables, so it's now working.

Jorge Davila wrote:
>uhm ... I was fighting with the same problem some weeks ago.
>
>My solution was a vanilla kernel and use gcc 3.3 with iptables 1.3.5.
>This for fc4.
>
>Hope this helps.
>
>Jorge.
>
>On Tue, 14-03-2006 at 10:56 +0100, thierry itty wrote:
>
>
>>Hello
>>I've an "out-of-the-box" fedora core 4 (standard i686 on either amd or
>>pentium)
>>I want to apply gre and pptp patches to netfilter
>>
>>I install the kernel sources and rebuild the binaries :
>>
>>rpm -Uvh kernel-2.6.11-1.1369_FC4.src.rpm
>>rpmbuild -bp --target=i686 /usr/src/redhat/SPECS/kernel-2.6.spec
>>cd /usr/src/redhat/BUILD/kernel-2.6.11-1/linux-2.6.11-1
>>cp configs/kernel-2.6.11-1.i686.config ./.config
>>make menuconfig (just to check)
>>make
>>
>>the kernel builds ok (with some warnings here and there but nothing
>>unusual...)
>>I make it visible :
>>ln -s /usr/src/redhat/BUILD/kernel-2.6.11-1/linux-2.6.11-1 /usr/src/linux
>>
>>I install the iptables sources
>>rpm -Uvh iptables-1.3.0-2.src.rpm
>>rpmbuild -bp --target=i686 /usr/src/redhat/SPECS/iptables.spec
>>
>>when i compile
>>cd /usr/src/redhat/BUILD/iptables-1.3.0
>>make
>>
>>I get the following error several times
>>/usr/src/linux/include/linux/config.h:6:2 error : #error including
>>kernel header in userspace; use the glibc headers instead!
>>
>>After googling a while, I see that some people have solved this by just
>>removing the test that triggers the error in
>>/usr/src/linux/include/linux/config.h (file which is brought by the
>>kernel source package installation + prep by the symlink made just
>>before, which should thus be "the right one"), this test reads
>>#if !defined (__KERNEL__) && !defined(__KERNGLUE__)
>>#error including kernel header in userspace; use the glibc headers instead!
>>#endif
>>
>>I really don't see where's my error, and I wonder whether this is the
>>right way for recompiling FC4 packages...
>>
>>Actually, I do need to do this because we have to handle several pptp
>>vpns going through this machine, and i have to apply pptp and h323
>>helpers patches from patch-o-matic
>>
>>If I do as I saw (modify the config.h source to remove the test),
>>iptables compiles but we are unable to handle pptp vpns (we were used to
>>do that with 2.4 kernels and it works fine), modprobe and rmmod go in
>>endless loops, and so on...
>>
>>With a little more googling, I saw that userspace applications (iptables
>>in this case) should not use kernel headers, but glibc ones instead,
>>hence the error, and since the 2.6 kernel releases, this looks more like
>>a must than a should. So, another solution I found was to remove the
>>"-I$(KERNEL_DIR)/include" from iptables' Makefile...
>>
>>Doing so, iptables begins to compile, but stops quickly after a
>>"linux/netfilter_ipv4/ipt_CLUSTERIP.h" missing file error
>>I see that the include files iptables uses this way are provided by
>>glibc-kernheaders-2.4.-9.1.94, standard version for FC4, but those files
>>look three years old and obviously recent netfilter stuff isn't present
>>within (to say nothing about the remainder), making the compile abort
>>
>>Some more googling, until I find a post which says that to compile
>>iptables without using the kernel headers I have to install
>>"linux-libc-headers" that are a brand of userspace kernel headers.
Ok,
>>let's give it a try : I restore iptables' original makefile (with
>>-I$(KERNEL_DIR)/include) and export a KERNEL_DIR environment variable
>>set to the directory where I untarred linux-libc-headers, and (after a
>>make clean) I start a new make.
>>Fine, iptables compiles successfully
>>
>>But now comes the big question : when I'll apply pptp and h323 patches
>>from p-o-m, I can direct KERNEL_DIR to either the true kernel source
>>directory or to this new "headers only" directory, but obviously not
>>both. So I'll get either the kernel sources patched, which is necessary
>>to build a patched kernel, or I'll get the headers patched, which is
>>necessary to build iptables, but how will I be able to build both ???
>>
>>So to conclude and make it short, is there anybody out there who has
>>successfully applied pptp and h323 patches on an out-of-the-box fedora
>>core 4, and how did he do that ?
>>Should I upgrade to a 2.6.15 kernel ? vanilla or fc4 flavour ?
>>
>>many thanks in advance
>>
>>
>>
>>

From kritek at gmail.com Mon Apr 3 20:04:13 2006
From: kritek at gmail.com (R Dicaire)
Date: Tue Apr 4 14:29:52 2006
Subject: 2.4.32 and libip6t_REJECT
Message-ID:

Hi... I'm trying to get the ipv6 REJECT target match into the 2.4.32 kernel and iptables 1.3.5. According to the netfilter web site that target is part of the POM base, but I see no such patch in patch-o-matic-ng-20060402... Is this even possible to achieve?

Thanks

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u

From carlos.pastorino at gmail.com Tue Apr 4 14:36:24 2006
From carlos.pastorino at gmail.com Tue Apr 4 14:36:24 2006
From: carlos.pastorino at gmail.com (Carlos Pastorino)
Date: Tue Apr 4 14:52:32 2006
Subject: It seems I've found why conntrack blocks some packets
In-Reply-To: <442F4E53.9060501@SCampbell.net>
References: <57F9959B46E0FA4D8BA88AEDFBE582901674BC@pxtbenexd01.pxt.primeexalia.com> <442D2C8F.1020505@SCampbell.net> <442D320E.7070301@SCampbell.net> <442F4E53.9060501@SCampbell.net>
Message-ID:

Hi Steven,

> To see how many you are using at a given moment
>
> # wc -l /proc/net/ip_conntrack
> 16 /proc/net/ip_conntrack

I checked the conntrack table. I set up a cron job to look at it every
minute, for 24 hours. You'll be surprised: the top number, around peak
time, is:

255 /proc/net/ip_conntrack

So, it can't be the limit on the conntrack table.

I've found another clue though. When I first configured this firewall, I
enabled rp_filter, with the command below:

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

And I've found this text on the Internet about it:

"If instead you decide to enable forwarding, you will also be able to
modify the rp_filter setting; something which is often misunderstood by
network administrators. The rp_filter can reject incoming packets if
their source address doesn't match the network interface that they're
arriving on, which helps to prevent IP spoofing. Turning this on,
however, has its consequences: If your host has several IP addresses on
different interfaces, or if your single interface has multiple IP
addresses on it, you'll find that your kernel may end up rejecting valid
traffic. It's also important to note that even if you do not enable the
rp_filter, protection against broadcast spoofing is always on. Also, the
protection it provides is only against spoofed internal addresses;
external addresses can still be spoofed. By default, it is disabled."

And that's what's been happening: The firewall has been rejecting a few
valid packets. I'll disable it and see what happens, and then I'll let
you know.

By the way, do you keep rp_filter enabled or disabled?

From clist at uah.es Tue Apr 4 14:46:00 2006
From: clist at uah.es (Clist)
Date: Tue Apr 4 15:02:09 2006
Subject: ipset command ipporthash abnormal behavior
Message-ID: <200604041446.01536.clist@uah.es>

Hi

I have ipset 2.2.8

All commands using iphash run fine, but all commands for the other sets
return an error (ipporthash, nethash etc.).

Example: The set clients does not exist, so it is ok to create one.

Shell command:

ipset -N clients ipporthash --from 192.168.153.206 --to 192.168.153.207 --hashsize 1024 --probes 4 --resize 50 || echo "failure .."

it prints: "failure .."

But the set got created!! This is confusing and makes my script run badly.
If the command ran successfully, why does it return an error code != 0 to
the OS??

--
---------------------------------------------
Clister UAH
---------------------------------------------
From alexandre.rouillac at gmail.com Tue Apr 4 16:02:06 2006
From: alexandre.rouillac at gmail.com (Alexandre Rouillac)
Date: Tue Apr 4 16:18:19 2006
Subject: iptables -A INPUT -j LOG does not log anything
In-Reply-To: <442E3D8B.9060804@gmail.com>
References: <442E3D8B.9060804@gmail.com>
Message-ID: <44327C5E.4050800@gmail.com>

The dmesg command gives the DROPped packets.

Can someone help?

Thanks for your help.

Alexandre Rouillac wrote:
> Hi all,
>
> I set my iptables with policy "-P INPUT DROP" and the last line of my INPUT
> chain to "-A INPUT -j LOG".
>
> So every packet not matching my INPUT rules will be LOGged and DROPped.
>
> My problem is that iptables does not log anything to my syslog file.
>
> I checked the syslogd configuration (debian default):
>
> *.*;auth,authpriv.none -/var/log/syslog
>
> kern.* -/var/log/kern.log
>
> *.=info;*.=notice;*.=warn;\
> auth,authpriv.none;\
> cron,daemon.none;\
> mail,news.none -/var/log/messages
>
>
> I checked the counters of the INPUT chain:
> 20 3 144 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
>
> But nothing in my logfiles (syslog, messages, kern.log).
>
> Can someone help?
>
> Best Regards,
> Alexandre
From cookie at iacookie.net Tue Apr 4 19:50:52 2006
From: cookie at iacookie.net (cookie)
Date: Tue Apr 4 20:07:07 2006
Subject: Odd Behavior patch-o-matic-ng-20060403 and 2.6.17-rc1
Message-ID:

Hello-

After trying out 2.6.17-rc1 patched with patch-o-matic-ng-20060403

ipp2p
TARPIT
u32
ipv4options
fuzzy

I find that when I try to use any of the above I get an error:

iptables: Unknown error 4294967295

The kernel log offers me this as additional info:

Apr 4 13:47:51 localhost kernel: ip_tables: fuzzy match: invalid size 0 != 32
Apr 4 13:47:51 localhost kernel: ip_tables: ipv4options match: invalid size 0 != 4
Apr 4 13:47:52 localhost kernel: ip_tables: u32 match: invalid size 0 != 2028
Apr 4 13:47:52 localhost kernel: ip_tables: ipp2p match: invalid size 0 != 8

Tarpit seems to work fine though.

Below is a copy of the compile if it helps.

Thanks
Brian

net/ipv4/netfilter/ipt_ipp2p.c:841: warning: initialization from incompatible pointer type
net/ipv4/netfilter/ipt_ipp2p.c:842: warning: initialization from incompatible pointer type
net/ipv4/netfilter/ipt_fuzzy.c:169: warning: initialization from incompatible pointer type
net/ipv4/netfilter/ipt_fuzzy.c:170: warning: initialization from incompatible pointer type
net/ipv4/netfilter/ipt_u32.c:217: warning: initialization from incompatible pointer type
net/ipv4/netfilter/ipt_u32.c:218: warning: initialization from incompatible pointer type
net/ipv4/netfilter/ipt_ipv4options.c:157: warning: initialization from incompatible pointer type
From andykras at hotmail.com Tue Apr 4 23:12:06 2006
From: andykras at hotmail.com (Andrew Kraslavsky)
Date: Tue Apr 4 23:28:23 2006
Subject: DNAT/port forward to PPTP server does not work
Message-ID:

Howdy,

Summary: Am I doing something wrong or does iptables not support having a
PPTP server behind the firewall where DNAT/port forwarding is required?

I am unable to get PPTP clients to successfully connect to my PPTP server
that resides behind my iptables/netfilter firewall. As a test, I tried the
reverse - having a PPTP client behind the firewall connect to an external
PPTP server - and that works fine. So this...

WAN PPTP client -> DNAT -> LAN PPTP server

...is no good but this...

LAN PPTP client -> SNAT -> WAN PPTP server

...works.

For the failed DNAT/port forward case, what I see in network traces taken
on both the WAN and LAN sides is that the call ID of the server in GRE
packets from the WAN PPTP client is valid on the WAN side but erroneously
shows up as 0 on the LAN side to the PPTP server. The PPTP server does not
send any replies and I am guessing that the bad call ID is the reason.

The relevant rules I am using for PPTP/GRE to (try to) allow PPTP clients
to connect to the PPTP server behind the firewall:

iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1723 -j DNAT --to $PPTPSERVER
iptables -t nat -A PREROUTING -i $EXTIF -p 47 -j DNAT --to $PPTPSERVER
iptables -t filter -A FORWARD -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -t filter -A FORWARD -i $EXTIF -o $LANIF -d $PPTPSERVER -p tcp --dport 1723 -j ACCEPT
iptables -t filter -A FORWARD -i $EXTIF -o $LANIF -d $PPTPSERVER -p 47 -j ACCEPT

$EXTIF is the name of the interface from which PPTP clients are trying to
connect through the firewall to the PPTP server on $LANIF, the interface
to the local network. $PPTPSERVER is the IP address of the PPTP server
that resides on the local network.

Versions:
o Kernel 2.4.20
o ip_conntrack_pptp, ip_nat_pptp, ip_conntrack_proto_gre, ip_nat_proto_gre
  are all loaded; their source says they are rev 1.11.

Miscellaneous observations:
o A "TODO" comment at the top of ip_nat_pptp.c says: "Support other NAT
  scenarios than SNAT of PNS".
o I added the DNAT rule for GRE above to see if it helped. Initially I was
  using only a DNAT rule for TCP port 1723 as that is what the example given
  in the text for the PPTP patch on the netfilter site said, to wit:
  "The GRE connection is marked as RELATED to the TCP session on port 1723,
  so all you need is something like
  iptables -j ACCEPT -m state --state RELATED,ESTABLISHED
  iptables -j ACCEPT -d my_pptp_server -p tcp --dport 1723 -m state --state NEW"
o Under "limitations" in that same verbiage appears the warning, "can only
  NAT connections from PNS to PAC" but I am not clear on how PNS and PAC map
  to PPTP clients and servers (are PNS and client equivalent?).

Thank you,
- Andrew

From beunlovable at gmail.com Wed Apr 5 14:56:10 2006
From: beunlovable at gmail.com (David Vogt)
Date: Wed Apr 5 15:12:23 2006
Subject: [libnetfilter_queue]
Message-ID: <859616420604050556t39a5e7eeled57a3e25ed5d10a@mail.gmail.com>

Dear all,

I would like to send different packets to different userland applications
using libnetfilter_queue. As far as I understand, different queues can be
distinguished using some kind of queue number. What does the appropriate
iptables command look like that sends packets to a specific queue?

David
From eric at inl.fr Wed Apr 5 16:44:01 2006
From: eric at inl.fr (Eric Leblond)
Date: Wed Apr 5 17:03:42 2006
Subject: [libnetfilter_queue]
In-Reply-To: <859616420604050556t39a5e7eeled57a3e25ed5d10a@mail.gmail.com>
References: <859616420604050556t39a5e7eeled57a3e25ed5d10a@mail.gmail.com>
Message-ID: <1144248241.4406.11.camel@localhost.localdomain>

On Wednesday 05 April 2006 at 14:56 +0200, David Vogt wrote:
> Dear all,
>
> I would like to send different packets to different userland
> applications using libnetfilter_queue. As far as I understand,
> different queues can be distinguished using some kind of queue number.
> What does the appropriate iptables command look like that sends packets
> to a specific queue?

This is:

iptables -A .... -j NFQUEUE --queue-num $ID

BR,
--
Éric Leblond, eleblond@inl.fr
Telephone: 01 44 89 46 39, Fax: 01 44 89 45 01
INL, http://www.inl.fr

From Netfilter at SCampbell.net Wed Apr 5 16:55:22 2006
From: Netfilter at SCampbell.net (Steven M Campbell)
Date: Wed Apr 5 17:11:40 2006
Subject: It seems I've found why conntrack blocks some packets
In-Reply-To:
References: <57F9959B46E0FA4D8BA88AEDFBE582901674BC@pxtbenexd01.pxt.primeexalia.com> <442D2C8F.1020505@SCampbell.net> <442D320E.7070301@SCampbell.net> <442F4E53.9060501@SCampbell.net>
Message-ID: <4433DA5A.8050908@SCampbell.net>

Carlos Pastorino wrote:
>
> By the way, do you keep rp_filter enabled or disabled?
>

Enabled, but I'm originally a network geek by trade so my network is very
clean with regards to where subnets are, so reverse path filters work for me.
From mail at davidvogt.de Wed Apr 5 17:03:19 2006
From: mail at davidvogt.de (David Vogt)
Date: Wed Apr 5 17:19:33 2006
Subject: [libnetfilter_queue]
In-Reply-To: <1144248241.4406.11.camel@localhost.localdomain>
References: <859616420604050556t39a5e7eeled57a3e25ed5d10a@mail.gmail.com> <1144248241.4406.11.camel@localhost.localdomain>
Message-ID: <859616420604050803s7e4fb7bcv27db8ba810861624@mail.gmail.com>

2006/4/5, Eric Leblond :
> This is:
>
> iptables -A .... -j NFQUEUE --queue-num $ID

That was pretty much exactly what I am looking for. Thanks, Eric.
From jan.ml at denouden.info Wed Apr 5 17:51:02 2006
From: jan.ml at denouden.info (Jan den Ouden (ml))
Date: Wed Apr 5 18:06:56 2006
Subject: bad tcp checksum
Message-ID: <4433E766.9080409@denouden.info>

Hi,

I'm seeing a strange problem with kernel 2.6.12 Xen domain0 with all
netfilter options compiled in. I'm trying to do port forwarding to an
internal machine from an internet gateway box.

What works ok is forwarding from gateway:143 to internalmachine:143.

But when I forward from gateway:1000 to internalmachine:143 I get bad TCP
checksums on the return packets. These packets are ignored on the client
machine on the external internet.

Iptables rules:

*nat
-A PREROUTING -d 213.84.168.6 -i ppp0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.50.3:143
-A PREROUTING -d 213.84.168.6 -i ppp0 -p tcp -m tcp --dport 1001 -j DNAT --to-destination 192.168.50.3:143
-A POSTROUTING -s 192.168.50.0/255.255.255.0 -o ppp0 -j SNAT --to 213.84.168.6

Example trace from client machine:

root@host2:/home/jan# tcpdump -vvv -r trace
reading from file trace, link-type EN10MB (Ethernet)
12:08:37.271198 IP (tos 0x10, ttl 64, id 48778, offset 0, flags [DF], proto: TCP (6), length: 60) host2.denouden.info.32784 > vdmheen.nl.1001: S, cksum 0xc616 (correct), 3872473067:3872473067(0) win 5840
12:08:37.304060 IP (tos 0x40, ttl 54, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) vdmheen.nl.1001 > host2.denouden.info.32784: S, cksum 0xff8a (correct), 2453556454:2453556454(0) ack 3872473068 win 5792
12:08:37.304101 IP (tos 0x10, ttl 64, id 48779, offset 0, flags [DF], proto: TCP (6), length: 52) host2.denouden.info.32784 > vdmheen.nl.1001: ., cksum 0x2e1e (correct), 1:1(0) ack 1 win 5840
12:08:37.349163 IP (tos 0x40, ttl 54, id 43987, offset 0, flags [DF], proto: TCP (6), length: 209) vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc246 (incorrect (-> 0xbeec), 1:158(157) ack 1 win 1448
12:08:37.574322 IP (tos 0x40, ttl 54, id 43989, offset 0, flags [DF], proto: TCP (6), length: 209) vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc22f (incorrect (-> 0xbed5), 1:158(157) ack 1 win 1448
12:08:38.034079 IP (tos 0x40, ttl 54, id 43991, offset 0, flags [DF], proto: TCP (6), length: 209) vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc201 (incorrect (-> 0xbea7), 1:158(157) ack 1 win 1448
12:08:38.953738 IP (tos 0x40, ttl 54, id 43993, offset 0, flags [DF], proto: TCP (6), length: 209) vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc1a5 (incorrect (-> 0xbe4b), 1:158(157) ack 1 win 1448
12:08:40.794190 IP (tos 0x40, ttl 54, id 43995, offset 0, flags [DF], proto: TCP (6), length: 209) vdmheen.nl.1001 > host2.denouden.info.32784: P, cksum 0xc0ed (incorrect (-> 0xbd93), 1:158(157) ack 1 win 1448

Does anybody have any idea what's wrong here? I've tried to search on
Google for an answer, but I couldn't find any people with similar problems.

Thanks,
Jan
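The "cksum 0xc246 (incorrect (-> 0xbeec)" notes in the trace above are tcpdump recomputing the TCP checksum over the IPv4 pseudo-header plus segment and finding that the field on the wire disagrees. The following is an added example, not part of Jan's post, that performs the same check in Python over a constructed IPv4/TCP packet, and also builds the pattern Linux leaves behind when checksum completion is handed to the NIC (CHECKSUM_PARTIAL) and nothing finishes it before the packet goes out; the addresses, ports and payload are made up, not taken from the trace.

```python
import struct
from typing import Dict, Union

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# gateway's public address and the external client; not the hosts in the trace.
GATEWAY = "203.0.113.6"
CLIENT = "198.51.100.20"
# Constructed payload, roughly what the IMAP server behind the DNAT would send.
PAYLOAD = b"* OK [CAPABILITY IMAP4rev1] constructed IMAP greeting\r\n"


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (RFC 793)."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Correct TCP checksum; the checksum field itself (bytes 16-17) counts as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + zeroed
    return (~ones_complement_sum(covered)) & 0xFFFF


def offload_placeholder(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """What the checksum field holds when Linux leaves completion to the NIC
    (CHECKSUM_PARTIAL): the folded pseudo-header sum, not a real checksum.
    If no hardware or virtual backend finishes it, this is what hits the wire."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)))


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                 fill_checksum: bool = True) -> bytes:
    """Constructed IPv4+TCP packet (PSH/ACK, no options). fill_checksum=False
    models the offloading case: the field carries only the placeholder."""
    src_b, dst_b = ip_to_bytes(src), ip_to_bytes(dst)
    seg = struct.pack("!HHIIBBHHH", sport, dport, 2453556455, 3872473068,
                      5 << 4, 0x18, 1448, 0, 0) + payload
    ck = tcp_checksum(src_b, dst_b, seg) if fill_checksum else offload_placeholder(src_b, dst_b, seg)
    seg = seg[:16] + struct.pack("!H", ck) + seg[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x40, 20 + len(seg), 43987, 0x4000, 54, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + seg


def verify(packet: bytes) -> Dict[str, Union[int, bool]]:
    """Recompute the TCP checksum the way tcpdump -vvv does and compare with the field."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    src, dst, seg = packet[12:16], packet[16:20], packet[ihl:total_len]
    seen = struct.unpack("!H", seg[16:18])[0]
    expected = tcp_checksum(src, dst, seg)
    return {"seen": seen, "expected": expected, "correct": seen == expected}


def tcpdump_style(result: Dict[str, Union[int, bool]]) -> str:
    """Render the verdict in the style of the trace's 'cksum ... (incorrect (-> ...))'."""
    if result["correct"]:
        return "cksum 0x%04x (correct)" % result["seen"]
    return "cksum 0x%04x (incorrect -> 0x%04x)" % (result["seen"], result["expected"])


if __name__ == "__main__":
    for offloaded in (False, True):
        pkt = build_packet(GATEWAY, CLIENT, 1001, 32784, PAYLOAD, fill_checksum=not offloaded)
        print("offloaded" if offloaded else "completed", tcpdump_style(verify(pkt)))
```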
From teastep at shorewall.net Wed Apr 5 18:20:30 2006
From: teastep at shorewall.net (Tom Eastep)
Date: Wed Apr 5 18:36:49 2006
Subject: bad tcp checksum
In-Reply-To: <4433E766.9080409@denouden.info>
References: <4433E766.9080409@denouden.info>
Message-ID: <200604050920.31151.teastep@shorewall.net>

On Wednesday 05 April 2006 08:51, Jan den Ouden (ml) wrote:
> Hi,
>
> I'm seeing a strange problem with kernel 2.6.12 Xen domain0 with all
> netfilter options compiled in. I'm trying to do port forwarding to an
> internal machine from an internet gateway box.
>
> What works ok is forwarding from gateway:143 to internalmachine:143.
>
> But when I forward from gateway:1000 to internalmachine:143 I get bad
> TCP checksums on the return packets. These packets are ignored on the
> client machine on the external internet.
>

I suggest that you search the Xen-users list archives -- this issue has been
discussed ad nauseam.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
From casey at phantombsd.org Wed Apr 5 18:44:14 2006
From: casey at phantombsd.org (Casey Scott)
Date: Wed Apr 5 19:00:27 2006
Subject: Throttling NAT interface
Message-ID: <16990133.211144255454469.JavaMail.root@tomcat.phantombsd.org>

The gist of what I need to do is restrict the rate of off-network traffic
coming in through a host. The host is providing basic NAT to an internal
network. I have gotten pretty close to what I need to do with iptables and
tc. The problem is that when an interface is throttled with tc, the source
of the traffic doesn't matter. I don't want to throttle local traffic, just
traffic coming through the machine from a WAN.

The next step was to add another NIC to the machine. Something like this:

eth0:
eth1:
eth2:

The problem is that even if traffic destined to be routed off network comes
into eth2, which is throttled via tc, the return traffic comes back through
eth0. Since tc (tbf filter) just controls the transmitting of an interface,
I need to force the NAT traffic to use eth2. Traffic that is meant to stay
local can use eth0.

Is it possible to do something like this? How can I get this host to use
only eth2 for NAT even though both eth0 and eth2 are in the same network?
eth0 is not throttled, which is why local traffic needs to use it.

TIA,
Casey
From jan.ml at denouden.info Wed Apr 5 19:18:23 2006
From: jan.ml at denouden.info (Jan den Ouden)
Date: Wed Apr 5 19:34:43 2006
Subject: bad tcp checksum
In-Reply-To: <200604050920.31151.teastep@shorewall.net>
References: <4433E766.9080409@denouden.info> <200604050920.31151.teastep@shorewall.net>
Message-ID: <4433FBDF.2070701@denouden.info>

Yes, you're right, the solution is to use ethtool in the domU domain to
disable checksum offloading. I didn't expect it was related to Xen, so
that's why I asked here. Thanks for the pointer.

Jan

Tom Eastep wrote:
> I suggest that you search the Xen-users list archives -- this issue has been
> discussed ad nauseam.
>
> -Tom

From undertacker at areanetworking.it Wed Apr 5 19:22:25 2006
From: undertacker at areanetworking.it (Undertacker)
Date: Wed Apr 5 19:37:09 2006
Subject: ip6tables flow diagram
Message-ID: <4433FCD1.6060307@areanetworking.it>

Dear All

I'm trying to configure my ip6tables. To understand better how it works I
need an ip6tables flow scheme. I tried to search for it on google but
without success. Can you please tell me if you have or know where to find a
flow diagram?

Best Regards
Under
From rgrimsha at syr.edu Wed Apr 5 19:27:48 2006
From: rgrimsha at syr.edu (Randy Grimshaw)
Date: Wed Apr 5 19:44:35 2006
Subject: Throttling NAT interface
Message-ID:

Our throttle is really in the other direction but the idea may work for you.

iptables [traffic pattern spec] -m limit --limit 40/second --limit-burst 60 -j LEVEL2

LEVEL2 is a user defined chain that specifies other restrictions or, in your
case, NAT translations. The point is that you can match the traffic patterns
that you need before applying the limit match.

Hope this is helpful.
From casey at phantombsd.org Wed Apr 5 19:35:26 2006
From: casey at phantombsd.org (Casey Scott)
Date: Wed Apr 5 19:51:40 2006
Subject: Throttling NAT interface
Message-ID: <6440356.271144258526830.JavaMail.root@tomcat.phantombsd.org>

Thanks for the response. Will using iptables in that manner cause the
firewall to just drop the packets that arrived after the limit has been
reached? I don't want to have to drop packets that have already used up
bandwidth getting to the machine, and make matters worse by requiring the
packets to be sent again.

Thanks,
Casey
From rgrimsha at syr.edu Wed Apr 5 20:11:16 2006
From: rgrimsha at syr.edu (Randy Grimshaw)
Date: Wed Apr 5 20:27:59 2006
Subject: Throttling NAT interface
Message-ID:

I hope this isn't evasive, but I am still learning this stuff too. The
packets that don't match - i.e. exceed the threshold - will continue down
the chain. You can do a lot of different things with those packets as you
need. You can probably match the behavior of tc if that is what you want.
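The limit match in Randy's rule ("--limit 40/second --limit-burst 60") is a token bucket that starts full, and, as Randy says, a packet that finds the bucket empty simply does not match and continues to the next rule. The simulation below is an added example, not code from anyone in this thread; it reproduces the xt_limit credit scheme (one packet costs 1 s / rate in credits, the bucket holds burst such costs, and elapsed time refills it) and runs a constructed arrival pattern through "-m limit ... -j LEVEL2" to show how many packets jump to LEVEL2 and how many fall through.

```python
from typing import Dict, List, Tuple

CREDITS_PER_SEC = 1_000_000  # one credit per microsecond of elapsed time


class LimitMatch:
    """Token bucket with the semantics of iptables' limit match (xt_limit).

    One matching packet costs (1 s / rate) credits, the bucket holds `burst`
    such costs, starts full, and is refilled by the time elapsed since the
    previous packet was seen. A packet that finds too little credit does NOT
    match, so it falls through to whatever rule follows in the chain.
    """

    def __init__(self, rate_per_sec: int, burst: int) -> None:
        self.cost = CREDITS_PER_SEC // rate_per_sec   # --limit 40/second -> 25000 credits
        self.cap = self.cost * burst                 # --limit-burst 60 -> room for 60 packets
        self.credit = self.cap                       # the bucket starts full
        self.prev_us = 0

    def matches(self, now_us: int) -> bool:
        self.credit = min(self.cap, self.credit + (now_us - self.prev_us))
        self.prev_us = now_us
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def run_chain(limit: LimitMatch, arrivals_us: List[int]) -> Tuple[int, int]:
    """Feed packet arrival times (microseconds) through
        -m limit --limit R --limit-burst B -j LEVEL2
    and return (jumped_to_LEVEL2, fell_through_to_next_rule)."""
    matched = sum(1 for t in arrivals_us if limit.matches(t))
    return matched, len(arrivals_us) - matched


def constructed_arrivals() -> List[Tuple[str, List[int]]]:
    """Constructed arrival pattern, not captured traffic. Times are microseconds."""
    return [
        ("100 packets in one burst at t=0", [0] * 100),
        ("100 more packets one second later", [1_000_000] * 100),
        ("10 packets after a 2 s pause", [3_000_000] * 10),
        ("80 packets at exactly 40 pkt/s", [4_000_000 + 25_000 * i for i in range(80)]),
        ("200 packets at 80 pkt/s", [6_000_000 + 12_500 * i for i in range(200)]),
    ]


def demo(rate_per_sec: int = 40, burst: int = 60) -> Dict[str, Tuple[int, int]]:
    """Run every phase through one shared bucket: the rule keeps its state across packets."""
    limit = LimitMatch(rate_per_sec, burst)
    return {name: run_chain(limit, times) for name, times in constructed_arrivals()}


if __name__ == "__main__":
    for name, (to_level2, excess) in demo().items():
        print(f"{name}: {to_level2} -> LEVEL2, {excess} continue down the chain")
```

The second number of each phase is what Casey's question concerns: the limit rule itself drops nothing, and those packets meet whatever rule follows it.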
From: casey at phantombsd.org (Casey Scott)
Date: Wed Apr 5 20:33:58 2006
Subject: Throttling NAT interface
Message-ID: <19459423.301144261061585.JavaMail.root@tomcat.phantombsd.org>

Do you think that REJECTing such packets will cause the sending device to reduce its transmitting speed?

Casey

----- Original Message -----
From: Randy Grimshaw
To: casey@phantombsd.org
Cc: netfilter@lists.netfilter.org
Sent: Wednesday, April 5, 2006 11:11:16 AM GMT-0800
Subject: Re: Throttling NAT interface

I hope this isn't evasive, but I am still learning this stuff too. The packets that don't match - i.e. exceed the threshold - will continue down the chain. You can do a lot of different things with those packets as you need. You can probably match the behavior of tc if that is what you want.

<>>> Casey Scott 4/5/2006 1:35 PM >>>
Thanks for the response. Will using iptables in that manner cause the firewall to just drop the packets that arrived after the limit has been reached? I don't want to have to drop packets that have already used up bandwidth getting to the machine, and make matters worse by requiring the packets to be sent again.

Thanks,
Casey

----- Original Message -----
From: Randy Grimshaw
To: netfilter@lists.netfilter.org, casey@phantombsd.org
Sent: Wednesday, April 5, 2006 10:27:48 AM GMT-0800
Subject: Re: Throttling NAT interface

Our throttle is really in the other direction but the idea may work for you.

iptables [traffic pattern spec] -m limit --limit 40/second --limit-burst 60 -j LEVEL2

LEVEL2 is a user defined chain that specifies other restrictions or in your case NAT translations. The point is that you can match the traffic patterns that you need before applying the limit match.

hope this is helpful.

<>>> Casey Scott 4/5/2006 12:44 PM >>>
The gist of what I need to do is restrict the rate of off-network traffic coming in through a host. The host is providing basic NAT to an internal network. I have gotten pretty close to what I need to do with iptables and tc. The problem is that when an interface is throttled with tc, the source of the traffic doesn't matter. I don't want to throttle local traffic, just traffic coming through the machine from a WAN.

The next step was to add another NIC to the machine. Something like this:

eth0:
eth1:
eth2:

The problem is that even if traffic destined to be routed off network comes into eth2, which is throttled via tc, the return traffic comes back through eth0. Since tc (tbf filter) just controls the transmitting of an interface, I need to force the NAT traffic to use eth2. Traffic that is meant to stay local can use eth0. Is it possible to do something like this? How can I force this host to use only eth2 for NAT even though both eth0 and eth2 are in the same network? eth0 is not throttled, which is why local traffic needs to use it.

TIA,
Casey

From robert at leblancnet.us Wed Apr 5 20:18:50 2006
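As an added illustration, not code from the thread or from netfilter, here is a small model of the limit match in Randy's rule (`-m limit --limit 40/second --limit-burst 60 -j LEVEL2`) that makes concrete what "packets that don't match continue down the chain" means for Casey's question: the match only decides which packets jump to LEVEL2; packets over the threshold are neither dropped nor rejected by it, and a later rule or the chain policy decides their fate. The token-bucket model (a full bucket of `burst` tokens, refilled at `rate` per second) is an assumption about the match's behaviour, and the traffic pattern spec and LEVEL2 contents are left out, as they are in the thread.

```c
#include <stdio.h>

/* Token-bucket model of the iptables "limit" match (assumed behaviour,
 * not netfilter's xt_limit source): --limit sets the refill rate,
 * --limit-burst the bucket size, and the bucket starts full. */
struct limit_bucket {
    double rate;      /* tokens added per second (--limit) */
    double burst;     /* bucket capacity (--limit-burst) */
    double tokens;    /* tokens currently available */
    double last_time; /* time of the last refill, in seconds */
};

void limit_init(struct limit_bucket *b, double rate, double burst)
{
    b->rate = rate;
    b->burst = burst;
    b->tokens = burst;    /* a fresh rule starts with a full bucket */
    b->last_time = 0.0;
}

/* Returns 1 if a packet arriving at `now` matches (and consumes a token),
 * 0 if the rule does not match and the packet moves on to the next rule. */
int limit_match(struct limit_bucket *b, double now)
{
    double elapsed = now - b->last_time;
    if (elapsed > 0.0) {
        b->tokens += elapsed * b->rate;
        if (b->tokens > b->burst)
            b->tokens = b->burst;
        b->last_time = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return 1;
    }
    return 0;
}

/* Outcome counters for the two-way split the rule produces:
 * matched packets jump to the user chain LEVEL2, the rest fall through
 * to whatever rule (or policy) follows in the chain. */
struct chain_stats {
    unsigned int to_level2;
    unsigned int fell_through;
};

/* Feed `count` packets that all arrive at time `now` through the rule. */
void run_burst(struct limit_bucket *b, double now, unsigned int count,
               struct chain_stats *s)
{
    unsigned int i;
    for (i = 0; i < count; i++) {
        if (limit_match(b, now))
            s->to_level2++;
        else
            s->fell_through++;
    }
}

int main(void)
{
    struct limit_bucket b;
    struct chain_stats s = {0, 0};

    limit_init(&b, 40.0, 60.0);          /* --limit 40/second --limit-burst 60 */

    /* Constructed traffic: 100 packets at once, then 30 more half a second later. */
    run_burst(&b, 0.0, 100, &s);         /* 60 match (burst), 40 fall through */
    printf("t=0.0s  to LEVEL2=%u  fell through=%u\n", s.to_level2, s.fell_through);
    run_burst(&b, 0.5, 30, &s);          /* 20 tokens refilled: 20 match, 10 fall through */
    printf("t=0.5s  to LEVEL2=%u  fell through=%u\n", s.to_level2, s.fell_through);
    return 0;
}
```

Whether the fall-through packets are dropped, rejected or accepted depends entirely on the rules after this one; the limit match itself only steers the first 60 (then 40 per second) into LEVEL2.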
From: robert at leblancnet.us (Robert LeBlanc)
Date: Wed Apr 5 20:34:02 2006
Subject: CLUSTERIP refuses to answer ARP
Message-ID:

I just compiled a 2.6.16.1 kernel and installed iptables 1.3.5 and CLUSTERIP is still not responding to ARP requests. Am I missing something here?

iptables -A INPUT -i eth1 -d 192.168.0.10 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:23:45:67:89:AB --total-nodes 2 --local-node 1
echo "+2" > /proc/net/ipt_CLUSTERIP/192.168.0.10

Robert LeBlanc

From admin at sosi.sk Wed Apr 5 22:54:50 2006
From: admin at sosi.sk (Admin on sosi.sk)
Date: Wed Apr 5 23:11:05 2006
Subject: Netfilter problem..
References: <20060405173107.74543229166@sosi.sk>
Message-ID: <004001c658f3$2e8b34d0$2001a8c0@sosi>

Hi all,

I have interfaces:
eth0 - WAN
eth1 - LAN
eth2 - free
ath0 - Atheros AP

Then I have made a bridge br0 (192.168.1.1) from ath0 (0.0.0.0) and eth1 (0.0.0.0) because I want the wired and wireless network in one address range 192.168.1.0 - 192.168.1.255, and I run the dhcp server over bridge br0. Over eth1 (wired network) all works fine. I cannot obtain an IP address from dhcp over the wifi interface ath0, and I get this message in tcpdump -vv -i br0:

-------------------------------------------------------------------------------
br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth1][br0] head:c35d23e0, raw:c35d23fe, data:c35d23fe
-------------------------------------------------------------------------------

/var/log/messages
-------------------------------------------------------------------------------
Apr 4 22:38:23 sosiba kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:4c:67:66:d6:08:00 SRC=195.46.67.248 DST=255.255.255.255 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=40800 PROTO=UDP SPT=164 DPT=164 LEN=108
Apr 4 22:43:54 sosiba kernel: br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth1][br0] head:c2af95e0, raw:c2af95fe, data:c2af95fe
Apr 4 22:44:05 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=540 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 4 22:44:05 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:05 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:10 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=541 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 4 22:44:10 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:10 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:19 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=542 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 4 22:44:19 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:19 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
-------------------------------------------------------------------------------

my iptables settings
-------------------------------------------------------------------------------
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*mangle
:PREROUTING ACCEPT [1043684:865001650]
:INPUT ACCEPT [1041756:864643520]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [892707:425469139]
:POSTROUTING ACCEPT [892775:425458561]
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
-A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
-A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
-A PREROUTING -s 10.0.0.0/8 -i eth0 -j DROP
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn_flood - [0:0]
-A INPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP packets
-A INPUT -p icmp -m icmp -i eth0 --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp -m limit -i eth0 --icmp-type echo-request --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 113 -j REJECT
-A INPUT -p tcp -m tcp -m multiport -i eth0 -j ACCEPT --dports 4662,4663,4711
-A INPUT -p udp -m udp -i eth0 --dport 4672 -j ACCEPT
# sshd
-A INPUT -p tcp -m tcp -s 217.75.72.98 -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 62.152.224.131 -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 195.46.69.224/29 -i eth0 --dport 22 -j ACCEPT
# Let this through on eth0
-A INPUT -p tcp -m tcp -m multiport -i eth0 -j ACCEPT --dports 20,21,80,443,901,10000
# Let this through on eth1, eth2
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A OUTPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A OUTPUT -p udp -m udp -m multiport -j LOG --sports 67,68
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.1 -j ACCEPT
-A OUTPUT -s 192.168.2.1 -j ACCEPT
-A OUTPUT -s 195.46.69.228 -j ACCEPT
-A OUTPUT -m limit --limit 3/hour --limit-burst 5 -j LOG
-A FORWARD -m state -i br0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A syn_flood -m limit --limit 1/s --limit-burst 5 -j RETURN
-A syn_flood -j DROP
# Let this through on eth1
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A INPUT -p tcp -i eth0 -j syn_flood --syn
# log DoS
-A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG
# Kill everything else!
-A INPUT -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m udp -m multiport -j LOG --dports 67,68
-A FORWARD -p udp -m udp -m multiport -j LOG --sports 67,68
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
-------------------------------------------------------------------------------

I am running kernel-2.6.12-17mdk. Please, what could be wrong?

Robert.

From frankabel at tesla.cujae.edu.cu Thu Apr 6 03:38:55 2006
From: frankabel at tesla.cujae.edu.cu (Frank Abel Cancio Bello)
Date: Thu Apr 6 04:00:19 2006
Subject: About doc of libnetfilter_queue
Message-ID: <200604052138.57149.frankabel@tesla.cujae.edu.cu>

Hi all!

The question is: where can I read libnetfilter_queue documentation? I have seen on the Internet some references to "Brad Fisher's documentation of libnetfilter_queue"; where is this doc?

Salute
Frank Abel
__________________________________________
XIII Scientific Convention of Engineering and Architecture
28 November to 1 December 2006
Cujae, Havana, Cuba
http://www.cujae.edu.cu/eventos/convencion

From mike.auty at gmail.com Thu Apr 6 05:25:27 2006
From: mike.auty at gmail.com (Mike Auty)
Date: Thu Apr 6 05:41:46 2006
Subject: libnetfilter_queue conditions required to rewrite packets...
Message-ID: <44348A27.60602@gmail.com>

Hi,

I apologize if this is a bit of a daft question, but looking through all the documentation I've managed to locate it's never made explicit, and the list archives are rather difficult to use when looking for specific information.

I'm trying to make use of the libnetfilter_queue module to intelligently mangle certain packets on their way through certain points in iptables. I think I've got all the code working correctly, and I believe I'm modifying the packet and using a pointer to the modified packet in the nfq_set_verdict call with the new packet length; however from all the tests I've run, the original packet is continuing on, and the new payload seems to be ignored.

Are there special conditions under which packet modification will work, or should it work under all circumstances? I've read several things which might help narrow the problem. In one example (for libipq as it turns out), they have a test so that rewriting only happens if the packet's come in from hook 0 (which is PREROUTING). Does this mean that packet modification can only be done in certain chains (for example, PREROUTING and OUTPUT only)? Must the NFQUEUE target be in the mangle table rather than the filter table to perform payload rewriting? I've tried both and I still seem not to be sending out the modified data.

I'd also read somewhere that the kernel might silently ignore packets if their checksums had not been calculated correctly. Does this mean invalid packets can't be sent using this method? Would nfq_set_verdict fail if that were the case?

Finally, if the packet contents can be modified no matter where the hook is, does anyone have any ideas how I could further debug the problem? The last thing I know is I'm passing the right data to the nfq_set_verdict call and I'm getting back a positive response, but the data received always appears to be the original data sent. Is there some way to track what's going on further inside the netlink?

Any light anyone can shed on this would be greatly appreciated. Thanks very much...

Mike 5:)

From beunlovable at gmail.com Thu Apr 6 08:30:43 2006
From: beunlovable at gmail.com (David Vogt)
Date: Thu Apr 6 08:47:04 2006
Subject: libnetfilter_queue conditions required to rewrite packets...
In-Reply-To: <44348A27.60602@gmail.com>
References: <44348A27.60602@gmail.com>
Message-ID: <859616420604052330gc251080q95738ef1d112b465@mail.gmail.com>

2006/4/6, Mike Auty :
> from all the tests I've run, the original packet is continuing on, and
> the new payload seems to be ignored.

Same here, just ported a libipq application (which was working fine) to libnetfilter_queue and encountered the same problem. I will post to the list once I find out anything. Any advice would be highly appreciated.

David

From eric at inl.fr Thu Apr 6 08:51:30 2006
From: eric at inl.fr (Eric Leblond)
Date: Thu Apr 6 09:07:30 2006
Subject: About doc of libnetfilter_queue
In-Reply-To: <200604052138.57149.frankabel@tesla.cujae.edu.cu>
References: <200604052138.57149.frankabel@tesla.cujae.edu.cu>
Message-ID: <4434BA72.8080300@inl.fr>

Frank Abel Cancio Bello wrote:
> Hi all!
>
> The question is: where can I read libnetfilter_queue documentation?
>
> I have seen on the Internet some references to "Brad Fisher's documentation of
> libnetfilter_queue"; where is this doc?

Maybe there : http://archives.free.net.ph/message/20060208.171235.186dce08.en.html

BR,
--
Eric Leblond

From kadlec at blackhole.kfki.hu Thu Apr 6 11:54:00 2006
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik) Date: Thu Apr 6 12:09:27 2006 Subject: ipset command ipporthash anormal behavior In-Reply-To: <200604041446.01536.clist@uah.es> References: <200604041446.01536.clist@uah.es> Message-ID: Hi, On Tue, 4 Apr 2006, Clist wrote: > ipset -N clients ipporthash --from 192.168.153.206 --to 192.168.153.207 > --hashsize 1024 --probes 4 --resize 50 || echo "failure .." > > it prints : > > "failure .." > > But the set got created!!. > > This is confusing and make my script run bad, if the commnad ran sucessfully, > > Why it returns error code !=0 to the OS?? That's a small bug: the set specific parse function returns 1 when it could parse the command line successfully and this return value is not erased later, but used as the final return value of the ipset command. There'll be a new release somewhere in this month: until then you can use the attached patch. Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary -------------- next part -------------- diff -urN ipset-2.2.8/ipset.c ipset-2.2.9/ipset.c --- ipset-2.2.8/ipset.c 2005-11-24 10:08:57.000000000 +0100 +++ ipset-2.2.9/ipset.c 2006-04-06 11:51:28.000000000 +0200 @@ -2099,7 +2099,8 @@ exit_error(PARAMETER_PROBLEM, "Unknown arg `%s'", argv[optind - 1]); - + + res = 0; } DP("next arg"); From eddy.linux at yahoo.com Thu Apr 6 12:27:36 2006 
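Review bot: the added `res = 0;` clears the stale success value left by the set-specific parse function, which matches the bug described above, but it is placed unconditionally at the end of the block after the `exit_error(PARAMETER_PROBLEM, "Unknown arg ...")` call, so any non-zero `res` that a later branch in this block sets on purpose would be discarded by the same line. A sturdier fix is to make the set-type parser return 0 on success so ipset's final return value does not depend on this reset, or at least to add a one-line comment saying why `res` is cleared here; the replaced `-` line is whitespace only, which is a harmless cleanup.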
From: eddy.linux at yahoo.com (Eddy Kvetny)
Date: Thu Apr 6 12:44:56 2006
Subject: Huge impact of the conntrack mechanism on routing performance (30% with a single conntrack entry)
Message-ID: <20060406102736.72495.qmail@web38411.mail.mud.yahoo.com>

Netfilter gurus,

Could someone shed light on a pretty strange problem of a huge impact of the conntrack mechanism on routing performance?

The configuration is as follows:
- the ARM9E-based (500Mhz) board with Linux 2.6.12
- 2 GbE interfaces connected to the traffic generator tool (Smartbit)
- Smartbit injects UDP packets to the device via the 1st network interface, then the device routes these packets back to Smartbit via the 2nd interface

When only plain routing without any netfilter stuff (conntrack, NAT, filter modules) is done, 40K packets per second are processed and returned to Smartbit, giving about 485Mbps throughput (40000 packets x 8 bit x 1518 byte/packet).

Right after "insmod ip_conntrack.ko" the throughput drastically falls to 28 kpps (-12 kpps or -30% !!!). I know that the "conntrack" mechanism has some overhead but 30% still seems to be too much, especially when in my case there is only 1 connection in the conntrack table, and as far as I know most of the "conntrack" processing is done for the 1st packet of each connection only. Then this connection is put in the "conntrack" hash table and it is supposed to be very quickly found for successive packets belonging to the same connection.

After "insmod iptable_filter.ko" throughput is 25 kpps (-3 kpps) and after "insmod iptable_nat.ko" (NAT mechanism) throughput is 23 kpps (-2 kpps). Insertion of additional modules (like ipt_state.ko, ip_conntrack_ftp.ko etc.) and configuring rules for firewall/NAT (not talking about hundreds or more rules) has no significant impact on throughput.

So, I am wondering whether there is some logical explanation for this huge impact of the conntrack mechanism on routing performance. I would appreciate any information in this regard.

Thanks in advance

Regards,
Eddy

P.S. I found a couple of similar observations on the Internet

>From http://lwn.net/Articles/103858/
.......
13.3. Netfilter benchmarking by HW
.....
Lose 30% of performance (850kpps to 500kpps)
...
Initial rate (forwarding only) 800kpps
insmod ip_conntrack -200 kpps
load IPtable (even empty) 25%
oprofile (non-halted) everything in ip_tables (3%)
static compiling makes 5% difference
full test (nat, mangle, filter, ip_conntrack): down to 350kpps
....................
================================================
>From http://lkml.org/lkml/2004/9/8/235
.................................................
I'm sure others here have far better examples, but one post to the netfilter-devel list last December provided an example of a firewall that could process 580kpps with netfilter/conntrack turned off. Granted, the post noted that adding netfilter brought that down to 450kpps, and adding conntrack on top of that brought it down to 295kpps, but all three of those numbers are well over the claimed 100kpps.
..................................................

From frankabel at tesla.cujae.edu.cu Thu Apr 6 14:22:10 2006
From: frankabel at tesla.cujae.edu.cu (Frank Abel Cancio Bello)
Date: Thu Apr 6 14:41:50 2006
Subject: About doc of libnetfilter_queue
In-Reply-To: <4434BA72.8080300@inl.fr>
References: <200604052138.57149.frankabel@tesla.cujae.edu.cu> <4434BA72.8080300@inl.fr>
Message-ID: <200604060822.12116.frankabel@tesla.cujae.edu.cu>

Thanks Eric! and Thanks Brad!

I followed the thread at https://lists.netfilter.org/pipermail/netfilter-devel/2006-February/023490.html

Brad says "so I have updated my notes since I sent the previous message" and later "If anyone is interested, I'll be glad to send them a copy"

So can anybody send me these updates?

Thanks in advance

Salute
Frank Abel

On Thursday 06 April 2006 2:51 am, you wrote:
> Frank Abel Cancio Bello wrote:
> > Hi all!
> >
> > The question is: where can I read libnetfilter_queue documentation?
> >
> > I have seen on the Internet some references to "Brad Fisher's documentation of
> > libnetfilter_queue"; where is this doc?
>
> Maybe there :
> http://archives.free.net.ph/message/20060208.171235.186dce08.en.html
>
> BR,
> --
> Eric Leblond

__________________________________________
XIII Scientific Convention of Engineering and Architecture
28 November to 1 December 2006
Cujae, Havana, Cuba
http://www.cujae.edu.cu/eventos/convencion

From sergiomdgomes at gmail.com Thu Apr 6 15:28:10 2006
From: sergiomdgomes at gmail.com (Sérgio Gomes)
Date: Thu Apr 6 15:44:34 2006
Subject: Adding a routing header to IPv6 TCP packets
Message-ID: <200604061428.10350.sergiomdgomes@gmail.com>

Hello everyone,

I have a machine running kernel 2.6, with an Apache webserver. It's connected to a small test network that only uses IPv6. Now, what I'd like to do is add the optional IPv6 Routing Header to all TCP packets being sent from Apache, because I need to set up one compulsory hop the route must have. Is this at all possible with netfilter/iptables, and if so, how do I do it? The alternative, hacking the Apache source, is a bit intimidating...

Thanks,
Sérgio Gomes

From carlos.pastorino at gmail.com Thu Apr 6 20:33:01 2006
From: carlos.pastorino at gmail.com (Carlos Pastorino)
Date: Thu Apr 6 20:49:24 2006
Subject: It seems I've found why conntrack blocks some packets
In-Reply-To: <4433DA5A.8050908@SCampbell.net>
References: <57F9959B46E0FA4D8BA88AEDFBE582901674BC@pxtbenexd01.pxt.primeexalia.com> <442D2C8F.1020505@SCampbell.net> <442D320E.7070301@SCampbell.net> <442F4E53.9060501@SCampbell.net> <4433DA5A.8050908@SCampbell.net>
Message-ID:

Well, disabling it didn't work. I'll enable it back. I'm sorta giving up on this. Thanks a lot for your attention and help.

Regards.

On 4/5/06, Steven M Campbell wrote:
> Carlos Pastorino wrote:
> >
> > By the way, do you keep rp_filter enabled or disabled?
> >
> enabled but I'm originally a network geek by trade so my network is very clean with regards to where subnets are so reverse path filters work for me.
>

From mjclark1 at gmail.com Fri Apr 7 00:32:57 2006
From: mjclark1 at gmail.com (Matthew Clark)
Date: Fri Apr 7 00:49:19 2006
Subject: Routing directed broadcast
Message-ID: <780c228e0604061532va42dac9qcba87516672ae045@mail.gmail.com>

Hi List,

I am wondering if there is any way to route directed broadcast packets through a linux box using iptables. So far I have tried (through a friend's suggestion) to mark the packet in the mangle table of the PREROUTING chain, change the packet to be a packet that will route and then change it back to a broadcast on the OUTPUT chain. i.e.

Broadcasting to 10.200.172.255
Packets are coming in to eth0 (10.14.172.250/24)
Packets need to go out eth1 (10.200.172.250/24)

Have tried

iptables -t mangle -A PREROUTING -i eth0 -d 10.200.172.255 -j MARK --set-mark 0x10
iptables -t nat -A PREROUTING -i eth0 -d 10.200.172.255 -j DNAT --to-dest 10.200.172.254
iptables -v -t nat -A OUTPUT -d 10.200.172.254 --match mark --mark 0x10 -j DNAT --to-dest 10.200.172.255

But the problem I find is that whilst matching in the mangle table

Chain PREROUTING (policy ACCEPT 246K packets, 35M bytes)
 pkts bytes target  prot opt in   out  source     destination
79687   19M MARK    all  --  eth0 *    0.0.0.0/0  10.200.172.255  MARK set 0x10

The packets don't make it to the nat table

Chain PREROUTING (policy ACCEPT 9014 packets, 567K bytes)
 pkts bytes target  prot opt in   out  source     destination
    0     0 DNAT    all  --  eth0 *    0.0.0.0/0  10.200.172.255  to:10.200.172.254

Why are the packets not making it to the nat PREROUTING chain? Is there a better way of doing this?

Thanks in advance,
Matt.

Apologies if this email arrived twice, but I received an email saying my first post failed because my source email address was not from a subscribed member (rectified).

From marcio at ciasc.gov.br Fri Apr 7 12:18:14 2006
From: marcio at ciasc.gov.br (Márcio Magnus dos Santos)
Date: Fri Apr 7 12:34:43 2006
Subject: PREROUTING problem
Message-ID: <007201c65a2c$9513ee10$0201a8c0@COSTAO>

Hi,

I have a DNAT problem. Can somebody help me? I have used iptables since 2002. But now with fedora 5 and iptables v1.3.5 only the PREROUTING rules (DNAT) do not function; these rules were copied from a Fedora 4 with iptables v1.3.0 where everything functioned.

Márcio

From casey at phantombsd.org Wed Apr 5 17:22:43 2006
From: casey at phantombsd.org (Casey Scott)
Date: Fri Apr 7 14:16:58 2006
Subject: Throttling NAT interface
Message-ID: <11059611.61144250563153.JavaMail.root@tomcat.phantombsd.org>

The gist of what I need to do is restrict the rate of off-network traffic coming in through a host. The host is providing basic NAT to an internal network. I have gotten pretty close to what I need to do with iptables and tc. The problem is that when an interface is throttled with tc, the source of the traffic doesn't matter. I don't want to throttle local traffic, just traffic coming through the machine from a WAN.

The next step was to add another NIC to the machine. Something like this:

eth0:
eth1:
eth2:

The problem is that even if traffic destined to be routed off network comes into eth2, which is throttled via tc, the return traffic comes back through eth0. Since tc (tbf filter) just controls the transmitting of an interface, I need to force the NAT traffic to use eth2. Traffic that is meant to stay local can use eth0. Is it possible to do something like this? How can I force this host to use only eth2 for NAT even though both eth0 and eth2 are in the same network? eth0 is not throttled, which is why local traffic needs to use it.

TIA,
Casey

From mjclark1 at gmail.com Thu Apr 6 08:44:34 2006
From: mjclark1 at gmail.com (Matthew Clark)
Date: Fri Apr 7 14:17:02 2006
Subject: Routing directed broadcast
Message-ID: <780c228e0604052344u60f9321k790e1313a54e016b@mail.gmail.com>

Hi List,

I am wondering if there is any way to route directed broadcast packets through a linux box using iptables. So far I have tried (through a friend's suggestion) to mark the packet in the mangle table of the PREROUTING chain, change the packet to be a packet that will route and then change it back to a broadcast on the OUTPUT chain. i.e.

Broadcasting to 10.200.172.255
Packets are coming in to eth0 (10.14.172.250/24)
Packets need to go out eth1 (10.200.172.250/24)

Have tried

iptables -t mangle -A PREROUTING -i eth0 -d 10.200.172.255 -j MARK --set-mark 0x10
iptables -t nat -A PREROUTING -i eth0 -d 10.200.172.255 -j DNAT --to-dest 10.200.172.254
iptables -v -t nat -A OUTPUT -d 10.200.172.254 --match mark --mark 0x10 -j DNAT --to-dest 10.200.172.255

But the problem I find is that whilst matching in the mangle table

Chain PREROUTING (policy ACCEPT 246K packets, 35M bytes)
 pkts bytes target  prot opt in   out  source     destination
79687   19M MARK    all  --  eth0 *    0.0.0.0/0  10.200.172.255  MARK set 0x10

The packets don't make it to the nat table

Chain PREROUTING (policy ACCEPT 9014 packets, 567K bytes)
 pkts bytes target  prot opt in   out  source     destination
    0     0 DNAT    all  --  eth0 *    0.0.0.0/0  10.200.172.255  to:10.200.172.254

Why are the packets not making it to the nat PREROUTING chain? Is there a better way of doing this?

Thanks in advance,
Matt.

From vasudevan at multitech.co.in Fri Apr 7 06:39:08 2006
From: vasudevan at multitech.co.in (vasudevan@multitech.co.in)
Date: Fri Apr 7 14:17:06 2006
Subject: please ...Clarify me Regarding "PPTP PASS THRU" with 4 modules Loaded
Message-ID: <33434.192.168.51.71.1144384748.squirrel@192.168.10.1>

Hi,

Can you please tell me how these loaded modules help with "PPTP PASS THROUGH"? The modules are stated below. Can you please explain the usage of these modules in connection tracking and NAT support for PPTP?

The loaded modules are as follows:
ip_conntrack_proto_gre
ip_conntrack_pptp
ip_nat_proto_gre
ip_nat_pptp

Thanks in advance,
Vasudevan N.

From beunlovable at gmail.com Fri Apr 7 15:55:41 2006
From: beunlovable at gmail.com (David Vogt)
Date: Fri Apr 7 16:12:08 2006
Subject: libnetfilter_queue conditions required to rewrite packets...
In-Reply-To: <859616420604052330gc251080q95738ef1d112b465@mail.gmail.com>
References: <44348A27.60602@gmail.com> <859616420604052330gc251080q95738ef1d112b465@mail.gmail.com>
Message-ID: <859616420604070655n35ced2eau5c6968f5d2e3f029@mail.gmail.com>

For testing purposes I simply rewrote the nfq_test.c application in libnetfilter_queue/utils, such that the reinjected packet should have the ttl field modified.

1) receive original payload and length with nfq_get_payload
2) modify payload
3) call nfq_set_verdict(qh, id, NF_ACCEPT, len, modified_payload)

I tried to find a place where things go wrong, but as far as I can see, everything looks fine all the way down to the actual sendmsg call on the netlink socket (i.e. nfnl_sendiov() in libnfnetlink.c).

On the "receiver" side I checked nfqnl_recv_verdict(), which is part of the nfnetlink_queue module (linux-2.6.16/net/netfilter/nfnetlink_queue.c). The check

if (nfqa[NFQA_PAYLOAD-1]) {
    // call nfqnl_mangle
}

fails. However, a raw dump of the skb that nfqnl_recv_verdict() operates on reveals that the payload IS there, WITH the modifications that have been applied.

I haven't gained enough insight into the *nfqa[] stuff yet, so any help would be appreciated. Maybe I'm looking for a solution in all the wrong places. What do I do wrong?

David

From bernd.wellhoefer at email.de Fri Apr 7 16:39:43 2006
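As an added example (not code from this thread, from nfq_test.c or from libnetfilter_queue), here is step 2 above done carefully for the TTL rewrite David describes, together with the checksum point Mike raised earlier in the thread: a TTL change without recomputing the IPv4 header checksum produces a packet that no longer verifies, so a reinjected packet that "looks right" in the verdict can still be discarded or ignored further on. It assumes the buffer handed back by nfq_get_payload() starts at the IPv4 header (as it does for a packet queued from an iptables hook); the sample packet is constructed, and the verdict call itself is only shown in a comment.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_MIN_HDR 20

/* RFC 1071 one's-complement checksum over `len` bytes of header. When the
 * header's own checksum field is zero this yields the value to store; when
 * the stored checksum is included, a valid header yields 0. */
uint16_t ip_header_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (i < len)                    /* odd trailing byte, padded with zero */
        sum += (uint32_t)hdr[i] << 8;
    while (sum >> 16)               /* fold carries back into 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header length in bytes, or 0 if the buffer is not a plausible IPv4 packet. */
static size_t ip_hdr_len(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (len < IP_MIN_HDR || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IP_MIN_HDR || ihl > len)
        return 0;
    return ihl;
}

/* Returns 1 if the IPv4 header checksum verifies, 0 otherwise. */
int ip_header_ok(const uint8_t *pkt, size_t len)
{
    size_t ihl = ip_hdr_len(pkt, len);
    return ihl != 0 && ip_header_checksum(pkt, ihl) == 0;
}

/* Set the TTL in place and refresh the header checksum so the packet stays
 * valid. Returns 0 on success, -1 if the buffer is not an IPv4 packet. */
int ip_set_ttl(uint8_t *pkt, size_t len, uint8_t ttl)
{
    size_t ihl = ip_hdr_len(pkt, len);
    uint16_t csum;
    if (ihl == 0)
        return -1;
    pkt[8] = ttl;                   /* TTL is byte 8 of the IPv4 header */
    pkt[10] = 0;                    /* zero the checksum field before summing */
    pkt[11] = 0;
    csum = ip_header_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(csum >> 8);
    pkt[11] = (uint8_t)(csum & 0xff);
    return 0;
}

/* Constructed sample standing in for what nfq_get_payload() returns:
 * a 20-byte IPv4 header (UDP, 10.0.0.1 -> 10.0.0.2, TTL 64, valid checksum)
 * followed by 8 bytes of payload the IP checksum does not cover.
 * Returns the packet length, or 0 if `cap` is too small. */
size_t sample_packet(uint8_t *buf, size_t cap)
{
    static const uint8_t pkt[28] = {
        0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00,
        0x40, 0x11, 0x66, 0xce, 0x0a, 0x00, 0x00, 0x01,
        0x0a, 0x00, 0x00, 0x02,
        0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00
    };
    if (cap < sizeof pkt)
        return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

int main(void)
{
    uint8_t pkt[64];
    size_t len = sample_packet(pkt, sizeof pkt);

    printf("original: ttl=%u checksum ok=%d\n", pkt[8], ip_header_ok(pkt, len));
    pkt[8] = 63;                    /* naive edit: TTL changed, checksum stale */
    printf("naive:    ttl=%u checksum ok=%d\n", pkt[8], ip_header_ok(pkt, len));
    ip_set_ttl(pkt, len, 63);       /* proper edit: checksum refreshed */
    printf("fixed:    ttl=%u checksum ok=%d\n", pkt[8], ip_header_ok(pkt, len));
    /* In the real program this buffer and `len` would now go to
     * nfq_set_verdict(qh, id, NF_ACCEPT, len, pkt) as in step 3 above. */
    return 0;
}
```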
From: bernd.wellhoefer at email.de (Bernhard Wellhöfer)
Date: Fri Apr 7 16:56:14 2006
Subject: Routing port 80 to 8080 for one of two IPs
Message-ID: <003501c65a51$1c709970$73ffa8c0@gaiagroup.local>

Hello,

my Linux machine has one physical interface eth0 and additionally one logical interface eth0:1 :

$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:50:BA:EE:B4:35
          inet addr:192.168.255.25  Bcast:192.168.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34819 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33864 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5948119 (5.6 MiB)  TX bytes:3104279 (2.9 MiB)
          Interrupt:10 Base address:0xb400

eth0:1    Link encap:Ethernet  HWaddr 00:50:BA:EE:B4:35
          inet addr:192.168.255.81  Bcast:192.168.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0xb400

I have a Java program serving as web server that binds itself to port 8080 for the logical interface eth0:1 - since I do not want to start the Java web server as root. Therefore I want to add the right iptables rule to redirect port 80 to port 8080 for eth0:1. It is important that port 80 for eth0 is not redirected.

What is the correct rule here? I tried

/sbin/iptables -t nat -I PREROUTING -p tcp --dst 192.168.255.81 --dport 80 -j REDIRECT --to-port 8080

and

/sbin/iptables -t nat -I PREROUTING -p tcp -i eth0:1 --dport 80 -j REDIRECT --to-port 8080

(results in a warning) but without success.

Who can help me here?

Thanks in advance,
Bernd

From mike.auty at gmail.com Sat Apr 8 03:50:00 2006
From: mike.auty at gmail.com (Mike Auty)
Date: Sat Apr 8 04:06:32 2006
Subject: libnetfilter_queue conditions required to rewrite packets...
In-Reply-To: <859616420604070655n35ced2eau5c6968f5d2e3f029@mail.gmail.com>
References: <44348A27.60602@gmail.com> <859616420604052330gc251080q95738ef1d112b465@mail.gmail.com> <859616420604070655n35ced2eau5c6968f5d2e3f029@mail.gmail.com>
Message-ID: <443716C8.3060409@gmail.com>

Looks as though the code in the subversion repository's quite different, so I've checked out a copy of that and I'm gonna give it a test when I next get a chance. It requires >=libnfnetlink-0.0.16, so that's also gonna have to be built from subversion. The changes include incrementing the size of the structure to include the size of the payload, and also the structure holding the payload is defined outside the conditional statement. These, I think, should mean the packet's better formed and hopefully will do the actual mangling... I'm not sure how far away those packages are from becoming releases, but it seems they have some definite enhancements in them...

Mike 5:)

From mlist at ratel.ru Sat Apr 8 10:21:21 2006
From: mlist at ratel.ru (vlad f halilow)
Date: Sat Apr 8 10:37:54 2006
Subject: iptables and mac filtering
Message-ID: <44377281.60706@ratel.ru>

Hi there. Please help with a strange issue. I have debian woody with 2.6.12 kernel + iptables 1.3.3 (unstable) under vmware workstation. I try to block connection to my PPPoE server (rp-pppoe) by mac-address of client, something like

#iptables -I INPUT -m mac --mac-source blablag -j DROP

The inserted line is shown by iptables -L -v -n but does not block any IP-less requests from the address specified. Ping or any IP protocols are blocked successfully, but pppoe discovery, exchange and traffic pass the filter without any problem with no rule counter increment. How can I fix this thing? Or what do I do wrong?

From rnicholsNOSPAM at comcast.net Sat Apr 8 18:14:44 2006
From: rnicholsNOSPAM at comcast.net (Robert Nichols)
Date: Sat Apr 8 18:31:27 2006
Subject: iptables and mac filtering
In-Reply-To: <44377281.60706@ratel.ru>
References: <44377281.60706@ratel.ru>
Message-ID: 

vlad f halilow wrote:
>
> Hi there. Please help with a strange issue. I have debian woody with
> 2.6.12 kernel + iptables 1.3.3 (unstable) under vmware workstation. I
> try to block connection to my PPPoE server (rp-pppoe) by mac-address of
> client, something like
>
> #iptables -I INPUT -m mac --mac-source blablag -j DROP
>
> The inserted line is shown by iptables -L -v -n but does not block any
> IP-less requests from the address specified. Ping or any IP protocols are
> blocked successfully, but pppoe discovery, exchange and traffic pass the
> filter without any problem, with no rule counter increment. How can I
> fix this thing? Or what do I do wrong?

You said it yourself. These are IP-less requests. They never make it up to the protocol levels where iptables operates. Yes, iptables can match on MAC addresses, but if the packet is handled entirely at the Data Link layer (MAC sublevel), iptables will never see it.

-- 
Bob Nichols
Yes, "NOSPAM" is really part of my email address.

From mailinglists at lucassen.org Sat Apr 8 19:40:58 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Sat Apr 8 19:57:31 2006
Subject: NATed packets only enter the default routing table
Message-ID: <20060408194058.71fa3e09.mailinglists@lucassen.org>

(copy from lartc mailinglist)

I set up this config:

  +------+
 -+ ISP1 +--+
  +------+  |   +-------+
            +--+ linux |
  +------+  |   +-------+
 -+ ISP2 +--+
  +------+

No problem. Standard setup with two ISP's. Both routed subnets. Default gateway is ISP1. No magic here.

Now I put a server behind the Linux box. I want the server to be reachable on an /extra/ IP in the routed subnet of ISP2.

  +------+
 -+ ISP1 +--+
  +------+  |   +-------+   +-----------------+
            +--+ linux +--+ server 10.0.0.2 |
  +------+  |   +-------+   +-----------------+
 -+ ISP2 +--+
  +------+

router ISP2:                          1.2.3.1/24
dev ISP2:                             eth1
Linux box eth1:                       1.2.3.2/24
external ip ISP2 for server 10.0.0.2: 1.2.3.3

arp -s 1.2.3.3 aa:bb:cc:dd:ee:ff pub
ip route add 1.2.3.3 via 10.0.0.2
iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.3 -j DNAT --to 10.0.0.2

When pinging 1.2.3.3, the packets get in through eth1 (ok), but the replies are following the default routing table through eth0 (wrong).

Even a

ip rule add from 1.2.3.3 lookup table_eth1

doesn't change this behaviour. It is working ok when I add the address 1.2.3.3 directly to eth1 (without NAT):

ip a a 1.2.3.3 dev eth1

Why is this?

R.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From jeroen at elebaut.com Sun Apr 9 15:56:02 2006
From: jeroen at elebaut.com (Jeroen Elebaut)
Date: Sun Apr 9 16:12:43 2006
Subject: NATed packets only enter the default routing table
In-Reply-To: <20060408194058.71fa3e09.mailinglists@lucassen.org>
References: <20060408194058.71fa3e09.mailinglists@lucassen.org>
Message-ID: <200604091556.02586.jeroen@elebaut.com>

Hi,

i had a similar problem with our setup. The problem is i think that the routing decision on the linux box is made before the address in the packet is changed back to 1.2.3.3. So it doesn't use the source policy routing entry. I solved this by using the connmark module from iptables and then do routing based on the mark. The following should work in your setup:

iptables -t mangle -I PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -I PREROUTING -i eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1

ip rule add fwmark 1 lookup eth1_up

This will route everything that entered via eth1 back via eth1.

Greetings,
jeroen

From vherva at vianova.fi Sun Apr 9 09:43:13 2006
From: vherva at vianova.fi (Ville Herva)
Date: Sun Apr 9 17:10:44 2006
Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
In-Reply-To: <44388908.6070602@trash.net>
References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net>
Message-ID: <20060409074313.GZ15954@vianova.fi>

On Sun, Apr 09, 2006 at 06:09:44AM +0200, you [Patrick McHardy] wrote:
> Ville Herva wrote:
> > I upgraded from 2.6.15-rc7 to 2.6.17-rc1. rc1 seems nice other than that
> > iptables stopped working:
> >
> > failed iptables v1.3.5: can't initialize iptables table filter: iptables
> > who? (do you need to insmod?)
> > Perhaps iptables or your kernel needs to be upgraded.
> >
> > iptables is compiled in the kernel, not a module:
> > CONFIG_NETFILTER=y
> >
> > I can even do "modprobe iptable_nat" successfully (iptable_nat is module),
> > but iptables refuses to work. iptables is of version iptables-1.3.5-1.2.
> >
> > The kernel config is copied with make oldconfig from 2.6.15-rc7 (which
> > worked), not much else has changed. I just booted back to 2.6.15-rc7 and
> > verified it works. Any ideas?
>
> Most likely you didn't enable the new xtables options. Please post your
> full config.

The full .config is here
http://www.iki.fi/v/tmp/2.6.17-rc1.config

I indeed do not have xfilter enabled (I was unaware that such a thing had been introduced :):

--8<-----------------------------------------------------------------------
...
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
# CONFIG_NETFILTER_XTABLES is not set

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_QUEUE is not set
...
--8<-----------------------------------------------------------------------

I'll try building a new kernel with CONFIG_NETFILTER_XTABLES enabled and report back.

Thanks!

-- v --
v@iki.fi

From vherva at vianova.fi Sun Apr 9 16:44:16 2006
From: vherva at vianova.fi (Ville Herva)
Date: Sun Apr 9 17:10:45 2006
Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
In-Reply-To: <20060409074313.GZ15954@vianova.fi>
References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi>
Message-ID: <20060409144416.GO1686@vianova.fi>

On Sun, Apr 09, 2006 at 10:43:13AM +0300, you [Ville Herva] wrote:
> > Most likely you didn't enable the new xtables options. Please post your
> > full config.
>
> The full .config is here
> http://www.iki.fi/v/tmp/2.6.17-rc1.config

Now "iptables -L" works, but I still get

> iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
iptables: Unknown error 4294967295

from about half of the iptables rules.

My current config is here:
http://www.iki.fi/v/tmp/2.6.17-rc1.config.new

The following modules are loaded:

iptable_nat             6948  1
ip_nat                 14860  1 iptable_nat
ip_conntrack           43188  2 iptable_nat,ip_nat
ipt_REJECT              4704  0
iptable_filter          2784  0

and

CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y

are compiled in statically.

I just realized
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
should probably be set. I'm building a new kernel now...

-- v --
v@iki.fi

From vherva at vianova.fi Sun Apr 9 16:45:35 2006
From: vherva at vianova.fi (Ville Herva)
Date: Sun Apr 9 17:10:47 2006
Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
In-Reply-To: <20060409144416.GO1686@vianova.fi>
References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi>
Message-ID: <20060409144534.GN29797@vianova.fi>

On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
> I just realized
> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
> should probably be set. I'm building a new kernel now...

Ok, that seems to do it.

Thanks for the help, and sorry for the noise. I hope not too many people hit the same glitch while upgrading...

-- v --
v@iki.fi

From ps.m at gmx.net Fri Apr 7 18:28:35 2006
From: ps.m at gmx.net (Peter S. Mazinger)
Date: Sun Apr 9 17:13:16 2006
Subject: iptables-1.3.4/5 and 2.4.32
Message-ID: 

Hello!

I am running 2.4.32 kernel w/ pom patches applied (tried the last pom-ng that has the 2.4 related files, also combined this w/ the newer pom-ng by replacing the old files w/ the new ones). Independently of the pom-ng version, if I use iptables-1.3.3 my rules (mainly NAT and some incoming filters) work, but iptables-1.3.4 and 1.3.5 work only for about 10 minutes, then the firewall begins to drop packets weirdly, nothing shows up in the logs and the natting breaks within 15 minutes (forward chain does not forward anymore), the input/output chains work.

I haven't found any related messages, but it seems that the newer iptables concentrate on 2.6 series, even pom was stripped to add only what is missing from 2.6. Should this be interpreted as "2.4 is not supported anymore, stick w/ 1.3.3"?

Thanks, Peter

P.S. Please CC me.

-- 
Peter S. Mazinger ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2

From davem at davemloft.net Fri Apr 7 23:28:29 2006
From: davem at davemloft.net (David S. Miller)
Date: Sun Apr 9 17:13:18 2006
Subject: Huge impact of the conntrack mechanism on routing performance (30% with a single conntrack entry)
In-Reply-To: <20060405140305.9637.qmail@web33801.mail.mud.yahoo.com>
References: <20060405140305.9637.qmail@web33801.mail.mud.yahoo.com>
Message-ID: <20060407.142829.87870703.davem@davemloft.net>

From: Eddy Kvetny
Date: Wed, 5 Apr 2006 07:03:05 -0700 (PDT)

> Right after "insmod ip_conntrack.ko" the throughput
> drastically falls to 28 kpps (-12 kpps or -30% !!!).

Yes, this is pretty much what the cost of netfilter is for a router.

This has been known and well understood for a long time, and solutions to this problem are not easy which is why there hasn't been any progress in this area to date.

From xsov at mail.ru Sat Apr 8 11:39:39 2006
From: xsov at mail.ru (Oleg)
Date: Sun Apr 9 17:13:20 2006
Subject: iptables and mac filtering
In-Reply-To: <44377281.60706@ratel.ru>
References: <44377281.60706@ratel.ru>
Message-ID: <200604081339.40244.xsov@mail.ru>

> The inserted line is shown by iptables -L -v -n but does not block any
> IP-less requests from the address specified. Ping or any IP protocols are
> blocked successfully, but pppoe discovery, exchange and traffic pass the
> filter without any problem, with no rule counter increment. How can I
> fix this thing? Or what do I do wrong?

IPTables is an IP filtering tool; you should look at arptables for any layer 3 protocol MAC filtering.

-- 
Best regards,
Oleg

From mailinglists at lucassen.org Sat Apr 8 17:07:24 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Sun Apr 9 17:13:22 2006
Subject: NATed packets only enter the default routing table
Message-ID: <20060408170724.4fd8a877.mailinglists@lucassen.org>

(copy from lartc mailinglist)

I set up this config:

  +------+
 -+ ISP1 +--+
  +------+  |   +-------+
            +--+ linux |
  +------+  |   +-------+
 -+ ISP2 +--+
  +------+

No problem. Standard setup with two ISP's. Both routed subnets. Default gateway is ISP1. No magic here.

Now I put a server behind the Linux box. I want the server to be reachable on an /extra/ IP in the routed subnet of ISP2.

  +------+
 -+ ISP1 +--+
  +------+  |   +-------+   +-----------------+
            +--+ linux +--+ server 10.0.0.2 |
  +------+  |   +-------+   +-----------------+
 -+ ISP2 +--+
  +------+

router ISP2:                          1.2.3.1/24
dev ISP2:                             eth1
Linux box eth1:                       1.2.3.2/24
external ip ISP2 for server 10.0.0.2: 1.2.3.3

arp -s 1.2.3.3 aa:bb:cc:dd:ee:ff pub
ip route add 1.2.3.3 via 10.0.0.2
iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.3 -j DNAT --to 10.0.0.2

When pinging 1.2.3.3, the packets get in through eth1 (ok), but the replies are following the default routing table through eth0 (wrong).

Even a

ip rule add from 1.2.3.3 lookup table_eth1

doesn't change this behaviour. It is working ok when I add the address 1.2.3.3 directly to eth1 (without NAT):

ip a a 1.2.3.3 dev eth1

Why is this?

R.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From clan at dominationtime.com Sun Apr 9 06:34:37 2006
From: clan at dominationtime.com (clan@dominationtime.com)
Date: Sun Apr 9 17:13:23 2006
Subject: Redirecting packets based on source+destination ip's
Message-ID: <4840.68.94.225.167.1144557277.squirrel@webmail.dominationtime.com>

I have been trying to find a way with iptables to redirect a packet created on a server to be sent to 1.1.1.1 instead of 2.2.2.2 but only if the packet is coming from 3.3.3.3. With the help of linuxquestions.org I have gotten to the point of using DNAT where the packet redirects, but the determining factor is destination address. Not source. Since this is a shared server (each user has a different ip) it would be nice to only redirect certain ip's, but leave the others alone.

In case I didn't make it understandable what I want to do, here is what I am trying to accomplish. I rent a server for running a battlefield 2 server. This is of course shared, so there are other battlefield instances running next to mine albeit on different ip's. I want to run a stats program that requires redirecting bf2web.gamespy.com to 212.77.171.103 so that when my server sends out stats they go to ABR instead of EA. The usual way of doing this is with a hosts file, but that affects all ip's on the server, and causes some pretty big problems with the other servers on the machine.

Here is what the guy at linuxquestions.org gave me to work with:

iptables -t nat -A PREROUTING -t nat -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 2.2.2.2

To make it work I had to change PREROUTING to OUTPUT. So is there a way for that to only affect certain source ip's?

Thank you so much,
Fourthbean

From babyangel at skydsl.com.ph Sun Apr 9 08:48:55 2006
From: babyangel at skydsl.com.ph (Dexter)
Date: Sun Apr 9 17:13:30 2006
Subject: iptables setting problem
Message-ID: <4438AE57.6060706@skydsl.com.ph>

Dear Sir,

I encounter the problem of setting the iptables. I manually set

eth0 210.21.47.32 netmask 255.255.255.0 gateway 210.21.47.1

and

eth1 192.168.1.1 netmask 255.255.255.0

and the setting of the Lan computer is

192.168.1.2 255.255.255.0 192.168.1.1

From the computer in the Lan I can ping both the address of eth0 and eth1, but I can not ping the default gateway that the ISP assigned to me. I did the following:

iptables -A FORWARD -i eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

but it didn't work, then I did the following:

iptables -t nat -A PREROUTING -d $210.21.47.32/24 -i eth0 -j DNAT --to-destination 192.168.1.0
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source $210.21.47.32

but it still didn't work. Something is wrong with my setting.

Thanks.

Best Regards,
Dexter Co

From kaber at trash.net Sun Apr 9 18:37:47 2006
From: kaber at trash.net (Patrick McHardy)
Date: Sun Apr 9 18:57:01 2006
Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
In-Reply-To: <87psjqg2nt.fsf@hades.wkstn.nix>
References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi> <20060409144534.GN29797@vianova.fi> <87psjqg2nt.fsf@hades.wkstn.nix>
Message-ID: <4439385B.6010908@trash.net>

Nix wrote:
> On 9 Apr 2006, Ville Herva yowled:
>
>>On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>>
>>>I just realized
>>># CONFIG_NETFILTER_XT_MATCH_STATE is not set
>>>should probably be set. I'm building a new kernel now...
>>
>>Ok, that seems to do it.
>>
>>Thanks for the help, and sorry for the noise. I hope not too many people hit
>>the same glitch while upgrading...
>
>
> I certainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.

But it does show you all the new options. Admittedly, it would have been better to automatically select the new options when needed, but probably not worth changing it now, it has been like this for two releases I think.

> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.

It's a unification of the matches and targets that are address family independent.

From mailinglists at lucassen.org Sun Apr 9 20:30:58 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Sun Apr 9 20:47:39 2006
Subject: NATed packets only enter the default routing table
In-Reply-To: <200604091556.02586.jeroen@elebaut.com>
References: <20060408194058.71fa3e09.mailinglists@lucassen.org> <200604091556.02586.jeroen@elebaut.com>
Message-ID: <20060409203058.6e375d70.mailinglists@lucassen.org>

On Sun, 9 Apr 2006 15:56:02 +0200
Jeroen Elebaut wrote:

> i had a similar problem with our setup. The problem is i think that
> the routing decision on the linux box is made before the address in
> the packet is changed back to 1.2.3.3. So it doesn't use the source
> policy routing entry. I solved this by using the connmark module from
> iptables and then do routing based on the mark. The following should
> work in your setup:
>
> iptables -t mangle -I PREROUTING -m conntrack --ctstate
> ESTABLISHED,RELATED -j CONNMARK --restore-mark
> iptables -t mangle -I PREROUTING -i eth1 -m conntrack --ctstate NEW
> -j CONNMARK --set-mark 1
>
> ip rule add fwmark 1 lookup eth1_up

I already found out this:

iptables -t mangle -A PREROUTING -i eth1 -d 192.168.201.3 \
  -j CONNMARK --set-mark 1

iptables -t mangle -A PREROUTING -i eth2 -s 10.0.2.1 \
  -j CONNMARK --restore-mark

> This will route everything that entered via eth1 back via eth1.

And indeed that was the solution. Thnx!

R.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From alex at samad.com.au Mon Apr 10 00:00:23 2006
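The DNAT plus CONNMARK setup from this thread (Richard's question and Jeroen's answer), as one added example script that is not from any of the posters. The run() dry-run wrapper, the routing table number, the argument names and the MAC argument for the proxy ARP entry are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.  Why "ip rule add from 1.2.3.3" does
# not help: the server's replies still carry source 10.0.0.2 when the
# routing decision is made; the reverse NAT to 1.2.3.3 happens afterwards in
# POSTROUTING.  A connection mark restored in mangle PREROUTING, however, is
# visible to the routing decision, so the rule keys on the mark instead.
#
# Assumption: commands go through run(), which records instead of executing
# when DRY_RUN=1, so the generated rule set can be inspected first.
DRY_RUN=${DRY_RUN:-0}
RECORDED=""

run() {
    if [ "$DRY_RUN" = 1 ]; then
        RECORDED="$RECORDED$*
"
    else
        "$@"
    fi
}

# setup_return_routing WANDEV GATEWAY PUBLIC_IP SERVER_IP MARK TABLE MAC
#   WANDEV    interface towards ISP2 (eth1 in the thread)
#   GATEWAY   ISP2's router (1.2.3.1)
#   PUBLIC_IP extra address in ISP2's subnet (1.2.3.3)
#   SERVER_IP the server behind the box (10.0.0.2)
#   MARK      connection mark value, TABLE routing table name (eth1_up)
#   MAC       address to publish for PUBLIC_IP via proxy ARP (placeholder)
setup_return_routing() {
    wandev=$1 gw=$2 pub=$3 srv=$4 mark=$5 table=$6 mac=$7

    # Separate routing table whose only default route points at ISP2, and a
    # policy rule that sends marked packets there.
    run ip route replace default via "$gw" dev "$wandev" table "$table"
    run ip rule add fwmark "$mark" lookup "$table"

    # Make the box answer ARP for the extra address, route it to the server
    # and rewrite the destination on the way in (the poster's three lines).
    run arp -s "$pub" "$mac" pub
    run ip route replace "$pub" via "$srv"
    run iptables -t nat -A PREROUTING -i "$wandev" -d "$pub" \
        -j DNAT --to-destination "$srv"

    # mangle PREROUTING runs before nat PREROUTING, so -d still sees the
    # public address here.  New connections arriving on the WAN device get
    # the connection mark ...
    run iptables -t mangle -A PREROUTING -i "$wandev" -d "$pub" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"
    # ... and every later packet of the same connection, including the
    # server's replies coming in from the LAN side, gets it copied back onto
    # the packet before the routing decision.
    run iptables -t mangle -A PREROUTING -m conntrack \
        --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}
```

The table name must exist in /etc/iproute2/rt_tables (or be given as a number) before `ip route ... table` accepts it.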
From: alex at samad.com.au (Alexander Samad)
Date: Mon Apr 10 00:17:11 2006
Subject: NATed packets only enter the default routing table
In-Reply-To: <20060409203058.6e375d70.mailinglists@lucassen.org>
References: <20060408194058.71fa3e09.mailinglists@lucassen.org> <200604091556.02586.jeroen@elebaut.com> <20060409203058.6e375d70.mailinglists@lucassen.org>
Message-ID: <20060409220023.GG7764@hufpuf.lan1.hme1.samad.com.au>

On Sun, Apr 09, 2006 at 08:30:58PM +0200, richard lucassen wrote:
> On Sun, 9 Apr 2006 15:56:02 +0200
> Jeroen Elebaut wrote:
>
> > i had a similar problem with our setup. The problem is i think that
> > the routing decision on the linux box is made before the address in
> > the packet is changed back to 1.2.3.3. So it doesn't use the source
> > policy routing entry. I solved this by using the connmark module from
> > iptables and then do routing based on the mark. The following should
> > work in your setup:
> >
> > iptables -t mangle -I PREROUTING -m conntrack --ctstate
> > ESTABLISHED,RELATED -j CONNMARK --restore-mark
> > iptables -t mangle -I PREROUTING -i eth1 -m conntrack --ctstate NEW
> > -j CONNMARK --set-mark 1
> >
> > ip rule add fwmark 1 lookup eth1_up
>
> I already found out this:
>
> iptables -t mangle -A PREROUTING -i eth1 -d 192.168.201.3 \
>   -j CONNMARK --set-mark 1
>
> iptables -t mangle -A PREROUTING -i eth2 -s 10.0.2.1 \
>   -j CONNMARK --restore-mark
>
> > This will route everything that entered via eth1 back via eth1.
>
> And indeed that was the solution. Thnx!
>
> R.

Are the kernel patches from here http://www.ssi.bg/~ja/ the ones that fix this problem as well?

> --
> ___________________________________________________________________
> It is better to remain silent and be thought a fool, than to speak
> aloud and remove all doubt.
>
> +------------------------------------------------------------------+
> | Richard Lucassen, Utrecht                                        |
> | Public key and email address:                                    |
> | http://www.lucassen.org/mail-pubkey.html                         |
> +------------------------------------------------------------------+

From isaiah at medcol.mw Mon Apr 10 09:19:14 2006
From: isaiah at medcol.mw (Isaiah Makwakwa)
Date: Mon Apr 10 09:39:08 2006
Subject: IP masquerade + squid problem
Message-ID: <51851.192.168.2.7.1144653554.squirrel@mail2.medcol.mw>

Dear list,

I have a problem with my squid + ip masquerading setup. My box has two interfaces, one internal, one external. I masquerade all internal traffic on this box which also runs squid proxy. When my iptables runs, and I point my client to the proxy on this box I do not seem to get anywhere even though the squid box accepts and logs a request. When I go direct I can get the page.

My gut feeling is that the squid box does get the request, processes it but due to some natting problem fails to identify the client which made the request.

Could anyone help to arrest the rot?

Regards,
Isaiah, Malawi

-- 
Linux System/Network Administrator,
College of Medicine,
P/Bag 360, Chichiri,
Blantyre 3.

From phelios at naver.com Mon Apr 10 09:34:33 2006
From: phelios at naver.com (=?utf-8?B?IuyLoOyEne2YhCI=?=)
Date: Mon Apr 10 09:51:22 2006
Subject: I have some problem on CentOS 4.3(kernel:2.6.9-34)
Message-ID: <443A0A89.000001.26468@i4j049>

I have installed a bridge firewall in my office. I want to use string match filtering, but I can't apply patch-o-matic-ng to my kernel. Kernel 2.6.x can't do that?

Sorry for my poor English...

------------------------------------------------------------------------
NAVER :: Korea's No.1 search portal www.naver.com

From mailings at netzwerk.cc Mon Apr 10 10:57:20 2006
From: mailings at netzwerk.cc (Mailings'AT'netzwerk.cc)
Date: Mon Apr 10 11:14:08 2006
Subject: iptables match bits per second
Message-ID: <443A1DF0.70704@netzwerk.cc>

Hi list,

I am searching for an iptables target/match to account/measure the bits per second on two different lines. I've got 2 WAN connections with traffic shaping. Now I need to differentiate how much the network load is on line a, so I can switch to line b if it is above xx mbit/s.

I've got kernel 2.6.14.4 with iptables 1.2.11.

I found "iptables connbyte", but it is only for 2.4 kernels. I found "iptables connrate", which is exactly what I need, but it is only designed for kernel <= 2.6.5? (I got rejects in ip_conntrack_standalone.c). It seems like the code in kernel 2.6.14 and in the diff is on an absolutely different base.

Does anybody have an idea how I could measure the bytes?

Thanks

From realoneone at gmail.com Mon Apr 10 13:23:33 2006
From: realoneone at gmail.com (Real Oneone)
Date: Mon Apr 10 13:40:20 2006
Subject: kernel crashed after sending a packet with my own wrapping iphdr
Message-ID: <84d7d9cf0604100423g54a98026u30dc76dfa2d7b338@mail.gmail.com>

Hi!

I'm using Fedora Core 4 with the default kernel version of 2.6.11-1. I simply want to wrap certain ip packets with a new iphdr, and then send it out. So, I decided to plug a hook function at NF_IP_POST_ROUTING with the priority of NF_IP_PRI_FILTER-1. What I did in the hook function is:

1. check if it is an ip packet
2. 'copy_and_expand' the skbuff
3. 'skb_set_owner_w' for the new skbuff
4. move the older iphdr and data to the new skbuff, of course I moved two copies of the iphdr
5. 'kfree' the older skbuff and set the pointer once pointing to it to the new skbuff
6. set the members of the new iphdr and do 'ip_send_check' for it
7. 'ip_select_ident' for the new skbuff
8. return NF_ACCEPT

Then I'm confused what's wrong? I've been trapped by these errors for over a week and I'll be really thankful if you could point out some possible reasons for my stupid error.

Here is the main code:

(The kernel crashed on the time of a ping command, I can't get those error msgs logged even when I killed klogd and 'cat /proc/kmsg > logfile', so what I can show you of the error msg is the function stack printed on the screen telling 'delay_pmtmr ... __delay... panic... die... do_page_fault... recalc_task_prio... __delay... qdisc_restart... do_page_fault... error_code... force_sog_specific ...')

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <net/ip.h>
#include <net/sock.h>

static int ip_pkt_encapsulate(struct sk_buff **pskb);

/* The hook receives a pointer to the skb pointer so that the buffer can be
 * replaced: netfilter carries on with whatever *pskb points at afterwards. */
static unsigned int kernel_hook_out(unsigned int hooknum,
                                    struct sk_buff **pskb,
                                    const struct net_device *in,
                                    const struct net_device *out,
                                    int (*okfn)(struct sk_buff *))
{
    struct iphdr *iph = (*pskb)->nh.iph;

    if (iph == NULL)
        return NF_ACCEPT;

    /* On allocation failure the original skb is left untouched; NF_DROP
     * makes netfilter free it, so it must not be freed here as well. */
    if (ip_pkt_encapsulate(pskb) < 0)
        return NF_DROP;

    return NF_ACCEPT;
}

/* hook option */
static struct nf_hook_ops kernel_ops[] = {
    {
        .hook     = kernel_hook_out,
#ifdef KERNEL26
        .owner    = THIS_MODULE,
#endif
        .pf       = PF_INET,
        .hooknum  = NF_IP_POST_ROUTING,
        .priority = NF_IP_PRI_FILTER - 1,
    },
};

/* Replace *pskb with a copy that carries a second (outer) IP header in
 * front of the original one.  The earlier version assigned the new buffer
 * to a local variable only, after kfree_skb(), so the caller went on
 * transmitting a freed skb: a use-after-free that is the likely cause of the
 * page fault under qdisc_restart in the trace above. */
static int ip_pkt_encapsulate(struct sk_buff **pskb)
{
    struct sk_buff *skb = *pskb;
    struct iphdr *iph;          /* old iph and new outer iph */
    struct iphdr *iiph;         /* new inner iph */
    struct sk_buff *nskb;       /* new socket buffer */
    unsigned int hlen;

    iph  = skb->nh.iph;
    hlen = iph->ihl << 2;

    /* room for one more header at the tail; the payload is shifted below */
    nskb = skb_copy_expand(skb, skb_headroom(skb),
                           skb_tailroom(skb) + hlen, GFP_ATOMIC);
    if (nskb == NULL)
        return -1;

    /* Set old owner */
    if (skb->sk != NULL)
        skb_set_owner_w(nskb, skb->sk);

    skb_put(nskb, hlen);

    /* Move the IP header, and make a copy at the front of the data part */
    memcpy(nskb->data, skb->data, hlen);
    memcpy(nskb->data + hlen, skb->data, hlen);

    /* Move the data */
    memcpy(nskb->data + 2 * hlen, skb->data + hlen, skb->len - hlen);

    /* Hand the new buffer to the caller, then release the old one */
    *pskb = nskb;
    kfree_skb(skb);
    skb = nskb;

    /* Update pointers: outer header at the front, inner header behind it.
     * The transport header moved by one header length too; keeping h.raw
     * correct matters if a NIC still has to fill in the transport checksum
     * (ip_summed == CHECKSUM_HW), because it is computed from h.raw. */
    iph  = skb->nh.iph = (struct iphdr *)skb->data;
    iiph = (struct iphdr *)(skb->data + hlen);
    skb->h.raw = skb->data + 2 * hlen;

    ip_send_check(iiph);

    iph->tot_len  = htons(ntohs(iph->tot_len) + hlen);
    iph->protocol = 17;
    ip_send_check(iph);

    if (skb->nh.iph->id == 0) {
        ip_select_ident(skb->nh.iph, skb->dst, NULL);
        printk(KERN_EMERG "skb->nh.iph->id == 0\n");
    }

    return 0;
}

static int __init kernel_hook_init(void)
{
    return nf_register_hook(&kernel_ops[0]);
}

static void __exit kernel_hook_exit(void)
{
    nf_unregister_hook(&kernel_ops[0]);
}

module_init(kernel_hook_init);
module_exit(kernel_hook_exit);
MODULE_LICENSE("GPL");

Thanks again for reading over this code!

Gu, Xinxing

From nix at esperi.org.uk Sun Apr 9 18:00:06 2006
From: nix at esperi.org.uk (Nix)
Date: Mon Apr 10 14:12:06 2006
Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
In-Reply-To: <20060409144534.GN29797@vianova.fi> (Ville Herva's message of "9 Apr 2006 15:47:23 +0100")
References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi> <20060409144534.GN29797@vianova.fi>
Message-ID: <87psjqg2nt.fsf@hades.wkstn.nix>

On 9 Apr 2006, Ville Herva yowled:
> On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>> I just realized
>> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
>> should probably be set. I'm building a new kernel now...
>
> Ok, that seems to do it.
>
> Thanks for the help, and sorry for the noise. I hope not too many people hit
> the same glitch while upgrading...

I certainly did. A simple `make oldconfig' ends up zapping pretty much all the old iptables CONFIG_ options, so you end up with not much of iptables or netfilter left.

I must admit not quite understanding why the xtables stuff is needed: I thought that was needed for userspace connection tracking, which while it sounds cool isn't something I'm using yet.

-- 
`On a scale of 1-10, X's "brokenness rating" is 1.1, but that's only
because bringing Windows into the picture rescaled "brokenness" by
a factor of 10.' --- Peter da Silva

From andre at tomt.net Sun Apr 9 18:23:42 2006
From: andre at tomt.net (Andre Tomt)
Date: Mon Apr 10 14:12:07 2006
Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
In-Reply-To: <87psjqg2nt.fsf@hades.wkstn.nix>
References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi> <20060409144534.GN29797@vianova.fi> <87psjqg2nt.fsf@hades.wkstn.nix>
Message-ID: <4439350E.4060306@tomt.net>

Nix wrote:
> I certainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.
>
> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.
>

Being bitten by such issues in the past, I always diff the old and the new config and look for anything suspicious going down.

-- 
André Tomt

From nix at esperi.org.uk Sun Apr 9 18:53:54 2006
From: nix at esperi.org.uk (Nix)
Date: Mon Apr 10 14:12:09 2006
Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
In-Reply-To: <4439385B.6010908@trash.net> (Patrick McHardy's message of "Sun, 09 Apr 2006 18:37:47 +0200")
References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi> <20060409144534.GN29797@vianova.fi> <87psjqg2nt.fsf@hades.wkstn.nix> <4439385B.6010908@trash.net>
Message-ID: <87hd52g065.fsf@hades.wkstn.nix>

On Sun, 09 Apr 2006, Patrick McHardy murmured woefully:
> Nix wrote:
>>>Thanks for the help, and sorry for the noise. I hope not too many people hit
>>>the same glitch while upgrading...
>>
>>
>> I certainly did. A simple `make oldconfig' ends up zapping pretty much
>> all the old iptables CONFIG_ options, so you end up with not much of
>> iptables or netfilter left.
>
> But it does show you all the new options. Admittedly, it would
> have been better to automatically select the new options when
> needed, but probably not worth changing it now, it has been
> like this for two releases I think.

Oh, yes, it did, and I thought they were userspace-matching related and left them off. The real problem is that oldconfig doesn't mention when options you *had* enabled disappear.

>> I must admit not quite understanding why the xtables stuff is needed:
>> I thought that was needed for userspace connection tracking, which
>> while it sounds cool isn't something I'm using yet.
>
> It's a unification of the matches and targets that are address family
> independent.

Ah, hence the ipv6-matching stuff turning up in 2.6.16. I see.

-- 
`On a scale of 1-10, X's "brokenness rating" is 1.1, but that's only
because bringing Windows into the picture rescaled "brokenness" by
a factor of 10.' --- Peter da Silva

From vherva at vianova.fi Sun Apr 9 19:10:28 2006
From: vherva at vianova.fi (Ville Herva)
Date: Mon Apr 10 14:12:10 2006
Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
In-Reply-To: <87hd52g065.fsf@hades.wkstn.nix>
References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi> <20060409144534.GN29797@vianova.fi> <87psjqg2nt.fsf@hades.wkstn.nix> <4439385B.6010908@trash.net> <87hd52g065.fsf@hades.wkstn.nix>
Message-ID: <20060409171028.GC15954@vianova.fi>

On Sun, Apr 09, 2006 at 05:53:54PM +0100, you [Nix] wrote:
> On Sun, 09 Apr 2006, Patrick McHardy murmured woefully:
> >> I certainly did. A simple `make oldconfig' ends up zapping pretty much
> >> all the old iptables CONFIG_ options, so you end up with not much of
> >> iptables or netfilter left.
> >
> > But it does show you all the new options. Admittedly, it would
> > have been better to automatically select the new options when
> > needed, but probably not worth changing it now, it has been
> > like this for two releases I think.
>
> Oh, yes, it did, and I thought they were userspace-matching related and
> left them off. The real problem is that oldconfig doesn't mention when
> options you *had* enabled disappear.

Likewise for me.

Perhaps iptables could point to a document or a webpage (in case the kernel is newer than the userspace iptables, and has introduced new requirements) that lists the kernel options that need to be enabled, instead of saying

failed iptables v1.3.5: can't initialize iptables table filter: iptables who? (do you need to insmod?)

Such verbosity might not be unixy, but during Old Unix times, thousands of people weren't following -rc kernels...

-- v --
v@iki.fi

From james.harper at bendigoit.com.au Mon Apr 10 06:18:55 2006
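An added example (not from this thread) of the old-versus-new config comparison André suggests, aimed at exactly the gap Nix describes: it lists symbols that were enabled before `make oldconfig` and are gone or unset afterwards, and tries to find a renamed counterpart. The two config fragments are constructed samples modelled on the rename of the state match in this thread, not copies of Ville's files.

```shell
#!/bin/sh
# Added example, not from the thread.  "make oldconfig" asks about new
# options but stays silent about old ones that no longer exist.  Comparing
# the set of enabled symbols before and after shows what was lost.

# lost_options OLD_CONFIG NEW_CONFIG
# Prints one CONFIG_ symbol per line: set to y or m in OLD, but absent or
# "is not set" in NEW.
lost_options() {
    old_on=$(mktemp) new_on=$(mktemp)
    sed -n 's/^\(CONFIG_[A-Z0-9_]*\)=[ym]$/\1/p' "$1" | sort -u > "$old_on"
    sed -n 's/^\(CONFIG_[A-Z0-9_]*\)=[ym]$/\1/p' "$2" | sort -u > "$new_on"
    comm -23 "$old_on" "$new_on"
    rm -f "$old_on" "$new_on"
}

# suggest_renames OLD_CONFIG NEW_CONFIG
# For every lost CONFIG_IP_NF_* symbol, look in NEW for a symbol ending in
# the same MATCH_x / TARGET_x suffix (the xtables move turned
# IP_NF_MATCH_STATE into NETFILTER_XT_MATCH_STATE) and report its state.
suggest_renames() {
    lost_options "$1" "$2" | while read -r sym; do
        suffix=${sym#CONFIG_IP_NF_}
        if [ "$suffix" = "$sym" ]; then
            echo "$sym: lost, no rename heuristic"
            continue
        fi
        hit=$(grep -o "CONFIG_[A-Z0-9_]*_$suffix[= ]" "$2" | head -n 1)
        hit=${hit%?}
        if [ -z "$hit" ]; then
            echo "$sym: lost, no renamed counterpart found"
        elif grep -q "^# $hit is not set" "$2"; then
            echo "$sym -> $hit (not set)"
        else
            echo "$sym -> $hit (enabled)"
        fi
    done
}

# Constructed sample: a pre-2.6.16 style config ...
OLD_SAMPLE='CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_MATCH_LIMIT is not set'

# ... and the same config after oldconfig against a kernel with xtables:
# the state match now lives under a new name that defaulted to off, and
# the old symbol has simply vanished.
NEW_SAMPLE='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_TARGET_REJECT=m'

# demo: writes the samples to temporary files and prints the report
demo() {
    o=$(mktemp) n=$(mktemp)
    printf '%s\n' "$OLD_SAMPLE" > "$o"
    printf '%s\n' "$NEW_SAMPLE" > "$n"
    suggest_renames "$o" "$n"
    rm -f "$o" "$n"
}
```

For real files run `suggest_renames /boot/config-old .config` after `make oldconfig` and before building.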
From: james.harper at bendigoit.com.au (James Harper) Date: Mon Apr 10 14:12:12 2006 Subject: MAC address SNAT Message-ID:

I am trying to find a way of doing virtual MAC addresses under Linux, and it
occurred to me that it could be done with netfilter based on the following
pieces of the puzzle:

1. a way of responding to arp requests with the new MAC address (arptables to
   mangle the MAC address in the arp response)
2. a way of accepting packets with the different MAC address (promisc mode on
   the interface)
3. a way of SNAT-ing the MAC address in outgoing packets (the missing piece)

In fact, #3 almost wouldn't be required if hosts on the network didn't mind ip
packets coming at them with a different MAC address to what was in their arp
tables. Unfortunately the device I'm trying to talk to uses the source MAC
address on the arp-reply packet, not the MAC address in the packet itself.
Clearly my device is broken, but I'm stuck with it.

I originally thought ebtables might be able to do what I want, but I'm not
using a bridge and it can't SNAT OUTPUT packets anyway.

Could a SNAT MAC address target be written for iptables, or does iptables
'finish' too early in the packet traversal for the MAC address to be decided
on yet?

Suggestions?

Thanks

James

From b52 at entrap.de Mon Apr 10 14:01:16 2006
From: b52 at entrap.de (b52@entrap.de) Date: Mon Apr 10 14:18:04 2006 Subject: recent module Message-ID: <52994.212.77.162.22.1144670476.squirrel@www.entrap.de>

Hi folks,

maybe somebody could give me some advice with the iptables recent module.

I need a list of 100 ip addresses which have special rights as long as the
last packet of this ip was received within the last 300 seconds.

If this source ip is not in that list and the list is not full, include this
ip in that list.
If this source ip is not in that list and the list is full, redirect that
connection.
If this source ip is in that list and the last packet is less than 300 seconds
ago, update the timestamp in the list.
If this source ip is in that list and the last packet is more than 300 seconds
ago, treat it as if it is not in the list.

I thought this would be simple, but the list will be completely filled at some
point with connections older than 300 seconds. How can I tell recent to forget
an entry or overwrite it if the timestamp is more than 300 seconds old?

There is an example at the programmer's page
http://www.snowman.net/projects/ipt_recent/ which confuses me even more:

Example #3:
# iptables -A FORWARD -d 192.168.1.1/32 -p tcp --dport 25 -m recent --set --rsource --name SMTP_RELAY_IN -j ACCEPT
# iptables -A FORWARD -d 192.168.1.1/32 -p tcp --dport 113 -m recent --rcheck --rsource --seconds 15 --name SMTP_RELAY_OUT -j ACCEPT

If I use these rules the list will be filled after some time, because I never
remove entries out of that list..

Any help would be appreciated.

Thanks,
b52

From lists at steffen-heil.de Mon Apr 10 14:10:53 2006
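As an added example (not from b52's post or from the ipt_recent project), the following models the recent match's list semantics so the behaviour asked about above can be traced: --set, --rcheck and --update with --seconds, and the fixed table size (ip_list_tot, default 100). It assumes, as I understand xt_recent, that adding an address to a full table silently drops the least recently seen entry, and it expresses the wanted policy as an --update --seconds 300 rule followed by a --set rule; a "list is full" condition is not something the match exposes, so the redirect case is not expressible this way.

```python
"""Toy model of the iptables 'recent' match list (added example, not kernel code).

Assumption (labelled): when the table is full, the least recently seen entry
is evicted to make room, so stale entries do not block new addresses.
"""
from collections import OrderedDict

LIST_TOT = 100   # kernel default for ip_list_tot
WINDOW = 300     # b52's "seen within the last 300 seconds"


class RecentTable:
    """One named list; entries are kept oldest-first so the head is the victim."""

    def __init__(self, size=LIST_TOT):
        self.size = size
        self.entries = OrderedDict()   # ip -> timestamp of the last --set/--update hit

    def _touch(self, ip, now):
        if ip in self.entries:
            del self.entries[ip]              # re-insert at the tail (most recent)
        elif len(self.entries) >= self.size:
            self.entries.popitem(last=False)  # full: drop the oldest entry silently
        self.entries[ip] = now

    def set(self, ip, now):
        """-m recent --set: add the address, or refresh it if already present."""
        self._touch(ip, now)
        return True

    def rcheck(self, ip, now, seconds=None):
        """-m recent --rcheck [--seconds N]: match if present (and fresh); no refresh."""
        if ip not in self.entries:
            return False
        return seconds is None or now - self.entries[ip] <= seconds

    def update(self, ip, now, seconds=None):
        """-m recent --update [--seconds N]: like --rcheck, but refresh the stamp on a hit."""
        if not self.rcheck(ip, now, seconds):
            return False
        self._touch(ip, now)
        return True


def classify(table, ip, now, window=WINDOW):
    """The policy as two rules in order:
       1. -m recent --update --seconds 300 --name PRIV -j ACCEPT  (known and fresh)
       2. -m recent --set --name PRIV -j ACCEPT                   (unknown or stale)
    Returns a label saying which rule fired and whether an eviction happened."""
    if table.update(ip, now, window):
        return "refreshed"
    evicted = len(table.entries) >= table.size and ip not in table.entries
    table.set(ip, now)
    return "added-evicting-oldest" if evicted else "added"


if __name__ == "__main__":
    t = RecentTable(size=3)               # small table to make eviction visible
    for i, ip in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
        t.set(ip, i)                      # constructed timestamps 0, 1, 2
    print(classify(t, "10.0.0.2", 200))   # refreshed
    print(classify(t, "10.0.0.9", 1000))  # added-evicting-oldest (10.0.0.1 goes)
    print(classify(t, "10.0.0.3", 1000))  # added: stale entry re-set, no eviction
```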
From: lists at steffen-heil.de (Steffen Heil) Date: Mon Apr 10 14:27:35 2006 Subject: complex bridge and nat problem Message-ID: <00b101c65c97$d1224920$0b4613ac@shs1>

Hi

I have problems with nat. My rather complex setup is as follows:

I use a server (running xen), which has two bridges in one linux kernel:

physical eth0 (renamed to peth0) is connected to the first bridge (xenbr0).
veth0 (renamed to eth0) is connected to the first bridge (xenbr0).

I call this first bridge the gateway-bridge, it has no ip address.

I call this domain (=VM) my gateway. It has a public ip and is connected to
xenbr0, which is connected to the physical ethernet card, which is connected
to my ISP's router...

Then I have another bridge (xenbr1), which has an ip-address of its own in my
$clientnet. The client domain (=VM) has a virtual network interface which is
connected to that bridge.

So my bridge setup is as:

bridge name   bridge id           STP enabled   interfaces
xenbr0        8000.feffffffffff   no            peth0   == physical interface
                                                vif0.0  == gateway's eth0
xenbr1        8000.feffffffffff   no            vif22.0 == client's eth0

Finally I have the following SNAT rule (ip4_forward is enabled.)

Chain POSTROUTING (policy ACCEPT 113K packets, 18M bytes)
 pkts bytes target  prot opt in   out   source          destination
   23  1380 SNAT    all  --  *    eth0  $clientnet/24   0.0.0.0/0     to:$gateway

This somehow works:

If I try to reach my outside ssh server (by ip), I get:

GI = Gateway Interface [tcpdump -nni peth0 host $server]
GB = Gateway Bridge    [tcpdump -nni xenbr0 host $server]
CI = Client Interface  [tcpdump -nni vif22.0 host $server]
CB = Client Bridge     [tcpdump -nni xenbr1 host $server]
SI = Server            [tcpdump -nni eth0 host $gateway]

CI> 11:40:00.770005 IP $client.2958 > $server.22: S 3227338208:3227338208(0) win 5840
CB> 11:40:00.770250 IP $client.2958 > $server.22: S 3227338208:3227338208(0) win 5840
GB> 11:40:00.770416 IP $gateway.2958 > $server.22: S 3227338208:3227338208(0) win 5840
GI> 11:40:00.770571 IP $gateway.2958 > $server.22: S 3227338208:3227338208(0) win 5840
SI> 13:40:01.108827 IP $gateway.2958 > $server.22: S 3227338208:3227338208(0) win 5840
SI> 13:40:01.108863 IP $server.22 > $gateway.2958: S 1070006580:1070006580(0) ack 3227338209 win 5792
GI> 11:40:00.779428 IP $server.22 > $gateway.2958: S 1070006580:1070006580(0) ack 3227338209 win 5792

So the client sends the SYN, the client bridge passes this to the gateway, the
gateway does SNAT and forwards it to the gateway bridge, the gateway bridge
sends this through the physical interface. The ssh-Server responds with SYN
ACK, and this arrives at the gateway's physical interface. However, it doesn't
make it to the first bridge.

I would expect it at least to reach the gateway bridge and then the gateway.
I even hoped SNAT would do its job, rewrite the address and forward it to the
client over the client bridge. But it DOES NEVER reach the gateway bridge.

Can someone tell me why packets that were SNATed earlier don't make it up to
the gateway bridge? The gateway itself (and other domains connected to the
gateway bridge) work just fine.
Regards,
Steffen

From ian.t7 at hotmail.co.uk Mon Apr 10 15:19:03 2006
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull) Date: Mon Apr 10 15:35:56 2006 Subject: patch-o-matic ROUTE Message-ID:

Hi folks,

can I request some help please. I would like to know if the patch-o-matic
ROUTE -tee function works and if so could someone please tell me how/when I
apply the patch. I mean how does one tell the Kernel make to include just this
one extra patch?

Sorry if this has been explained earlier. I attempted to search the mailing
list archives but couldn't find a search capability.

Thanks,
Ian t

From aleksander at krediidiinfo.ee Mon Apr 10 16:04:13 2006
From: aleksander at krediidiinfo.ee (Aleksander) Date: Mon Apr 10 16:21:01 2006 Subject: Redirecting packets based on source+destination ip's In-Reply-To: <4840.68.94.225.167.1144557277.squirrel@webmail.dominationtime.com> References: <4840.68.94.225.167.1144557277.squirrel@webmail.dominationtime.com> Message-ID: <443A65DD.6050607@krediidiinfo.ee>

clan@dominationtime.com wrote:
> To make it work I had to change PREROUTING to OUTPUT. So is there a way
> for that to only affect certain source ip's?

If the packet originated from localhost, then OUTPUT is correct. -s is source
and -d is destination ip.

iptables -t nat -A OUTPUT -s 3.3.3.3 -d 1.1.1.1 -p tcp -m tcp --dport 80 -j DNAT --to 2.2.2.2

Should work for you. Remove your previously inserted rule first though.

Please read the manual page of iptables and/or
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

HTH,
Alex

From mailings at netzwerk.cc Mon Apr 10 17:04:25 2006
From: mailings at netzwerk.cc (Mailings'AT'netzwerk.cc) Date: Mon Apr 10 17:21:15 2006 Subject: patch-o-matic ROUTE In-Reply-To: References: Message-ID: <443A73F9.6050508@netzwerk.cc>

Ian stuart Turnbull wrote:
> Hi folks,
> can I request some help please. I would like to know if the
> patch-o-matic ROUTE -tee function works and if so could someone please
> tell me how/when I apply the patch. I mean how does one tell the Kernel
> make to include just this one extra patch?
> Sorry if this has been explained earlier. I attempted to search the
> mailing list archives but couldn't find a search capability.
> Thanks,
> Ian t

Hey dude :),

take a look at the pom2patch file in your patch-o-matic directory.

I think you have to call it like "pom2patch kernel-source patch"

you should get a normal kernel diff file.

cheers

From peter.marshall at caris.com Mon Apr 10 18:38:05 2006
From: peter.marshall at caris.com (Peter Marshall) Date: Mon Apr 10 18:54:08 2006 Subject: Skype Message-ID: <443A89ED.1090800@caris.com>

I keep getting articles on my desk, and reading news posts about how *bad*
skype is. I just wanted to hear what everyone here thinks of skype. Do any of
you allow it on your network ?

Thanks

Peter

From nathaniel.d.hall at gmail.com Mon Apr 10 20:02:12 2006
From: nathaniel.d.hall at gmail.com (Nathaniel Hall) Date: Mon Apr 10 20:18:54 2006 Subject: Change outbound ICMP source Message-ID: <443A9DA4.30801@gmail.com> I have been trying to figure out how to change the source IP address of an ICMP packet that originates from the firewall. Here is my application. Instead of dropping a packet I reject it with ICMP host unreachable messages. I would like to make it appear that the firewall isn't there, so I would like to change the source IP address to be that of our upstream router. How would I go about doing this? -- Nathaniel Hall, GSEC GCFW GCIA From rob at sterenborg.info Mon Apr 10 20:43:35 2006 
From: rob at sterenborg.info (Rob Sterenborg) Date: Mon Apr 10 21:00:26 2006 Subject: IP masquerade + squid problem In-Reply-To: <51851.192.168.2.7.1144653554.squirrel@mail2.medcol.mw> Message-ID: <000c01c65cce$ad299640$0101000a@sterenborg.info>

> Dear list,
>
> I have a problem with my squid + ip masquerading setup. My box has two
> interfaces one internal one external. I masquerade all internal traffic
> on this box which also runs squid proxy.
>
> When my iptables runs, and I point my client to the proxy on this box
> I do not seem to get anywhere even though the squid box accepts and
> logs a request.

So your INPUT rules seem to be fine for your LAN.

> When I go direct I can get the page.
>
> My gut feeling is that the squid box does get the request,
> processes but due to some nating problem fails to identify the client
> which made the request. Could anyone help to arrest the rot?

Well, you could start by adding iptables LOG rules to see what happens.

- Does squid actually try to perform the request (try a tcpdump or something) ?
- Is the request getting through your (OUTPUT) rules (hence the logging) ?
- Is the reply being allowed ?
- What have you looked at / what have you tried ?
- Maybe some rules we need to look at ?

If you don't have any logging yet, add a rule to the bottom of your OUTPUT
ruleset saying something like :

$ipt -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "_ipt_OUTPUT: "

and see if it's logging http requests from squid. If it is and your OUTPUT
policy is DROP, the requests are most likely not getting out of your box. But
since you didn't tell much about your setup and what you tried, that's only a
wild guess.

Gr,
Rob

From mh+netfilter at zugschlus.de Mon Apr 10 22:01:22 2006
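As an added example (not Rob's code), here is the check his LOG rule enables: pull the kernel log lines carrying the "_ipt_OUTPUT: " prefix apart and list the TCP packets squid is sending out of the external interface towards web ports. The sample log lines, interface names and addresses are constructed here; the assumption that squid listens on 3128 is mine, not the original poster's setup.

```python
"""Parse netfilter LOG output and pick out squid's outbound HTTP fetches.

The LOG target writes "KEY=VALUE" fields plus bare flag words (DF, SYN, ACK, ...)
after the prefix given with --log-prefix. Added example, not from the post.
"""
import re

PREFIX = "_ipt_OUTPUT: "                      # exactly the prefix in Rob's rule
_FIELD = re.compile(r"(\w+)=(\S*)")           # IN= may legitimately be empty
_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CE"}


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a 'FLAGS' set, or None when
    the line was not produced by our LOG rule."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(PREFIX):]
    rec = dict(_FIELD.findall(body))          # a repeated key (UDP LEN) keeps the last value
    rec["FLAGS"] = {tok for tok in body.split() if tok in _FLAGS}
    return rec


def squid_outbound(lines, ext_if, http_ports=("80", "443")):
    """Return (src, dst, dpt, is_syn) for TCP packets leaving via ext_if towards a
    web port. If these show up but the OUTPUT policy is DROP, the proxy's own
    requests are being logged on their way to the floor."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if rec.get("OUT") == ext_if and rec.get("DPT") in http_ports:
            hits.append((rec["SRC"], rec["DST"], rec["DPT"], "SYN" in rec["FLAGS"]))
    return hits


SAMPLE = [  # constructed kernel log excerpt; eth1 is the assumed external interface
    "Apr 10 20:01:02 gw kernel: _ipt_OUTPUT: IN= OUT=eth1 SRC=203.0.113.10 DST=198.51.100.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=33000 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    # squid (assumed on 3128) answering a LAN client: internal interface, not a hit
    "Apr 10 20:01:02 gw kernel: _ipt_OUTPUT: IN= OUT=eth0 SRC=10.0.0.1 DST=10.0.0.5 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=3128 DPT=1043 "
    "WINDOW=5792 RES=0x00 ACK URGP=0",
    # a DNS lookup: UDP, so skipped
    "Apr 10 20:01:03 gw kernel: _ipt_OUTPUT: IN= OUT=eth1 SRC=203.0.113.10 DST=198.51.100.53 "
    "LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=4244 DF PROTO=UDP SPT=40000 DPT=53 LEN=48",
    "Apr 10 20:01:03 gw kernel: eth1: link up",   # unrelated kernel message
]

if __name__ == "__main__":
    for hit in squid_outbound(SAMPLE, "eth1"):
        print("outbound web request:", hit)
```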
From: mh+netfilter at zugschlus.de (Marc Haber) Date: Mon Apr 10 22:18:09 2006 Subject: Skype In-Reply-To: <443A89ED.1090800@caris.com> References: <443A89ED.1090800@caris.com> Message-ID: <20060410200122.GA15786@torres.l21.ma.zugschlus.de> On Mon, Apr 10, 2006 at 01:38:05PM -0300, Peter Marshall wrote: > I keep getting articles on my desk, and reading news posts about how > *bad* skype is. I just wanted to here what everyone here thinks of > skype. Do any pf you allow it on your network ? One customer of mine, a multinational enterprise with like 11K employees in Germany alone, has completely banned Skype from the network. I don't know what happened, but judging from the grade people go ballistic if you even dare to mention "VoIP" or "Softphone", it was something really really bad. Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 From dufresne at sysinfo.com Mon Apr 10 22:05:31 2006 
From: dufresne at sysinfo.com (R. DuFresne) Date: Mon Apr 10 22:18:21 2006 Subject: Change outbound ICMP source In-Reply-To: <443A9DA4.30801@gmail.com> References: <443A9DA4.30801@gmail.com> Message-ID:

On Mon, 10 Apr 2006, Nathaniel Hall wrote:

> I have been trying to figure out how to change the source IP address of an
> ICMP packet that originates from the firewall. Here is my application.
>
> Instead of dropping a packet I reject it with ICMP host unreachable messages.
> I would like to make it appear that the firewall isn't there, so I would like
> to change the source IP address to be that of our upstream router. How would
> I go about doing this?
>
>

by blocking the ICMP's at that upstream router.

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins

From nathaniel.d.hall at gmail.com Mon Apr 10 22:18:18 2006
From: nathaniel.d.hall at gmail.com (Nathaniel Hall) Date: Mon Apr 10 22:35:05 2006 Subject: Change outbound ICMP source In-Reply-To: References: <443A9DA4.30801@gmail.com> Message-ID: <443ABD8A.7080002@gmail.com> R. DuFresne wrote: > On Mon, 10 Apr 2006, Nathaniel Hall wrote: > >> I have been trying to figure out how to change the source IP address of an >> ICMP packet that originates from the firewall. Here is my application. >> >> Instead of dropping a packet I reject it with ICMP host unreachable messages. >> I would like to make it appear that the firewall isn't there, so I would like to >> change the source IP address to be that of our upstream router. How would >> I go about doing this? > > by blocking the ICMP's at that upstream router. That doesn't achieve what I want. If a TCP connection is rejected at the firewall, then blocking ICMP at the upstream router will block the host-unreachable from going out, not make it seem as if the router is the source. -- Nathaniel Hall, GSEC GCFW GCIA From bealach at gmail.com Mon Apr 10 22:39:58 2006 From: bealach at gmail.com (Bealach Na Bo) Date: Mon Apr 10 22:56:45 2006 Subject: IPinIP ipencap with iptables Message-ID: Hello folks, I'm new to iptables and have got most things to work on my Debian FW machine using iptables. What I'm really struggling with is finding the iptables equivalent of my current ipfw rules for IPinIP. These are very simple in ipfw and allow me to connect to my work machine. # Allow bi-directional IPinIP traffic ipfw add 300 allow ipencap from 192.168.0.0/24 to 193.0.252.50 ipfw add 301 allow ipencap from 192.168.0.0/24 to 193.0.252.52 ipfw add 310 allow ipencap from 193.0.252.50 to 192.168.0.0/24 ipfw add 311 allow ipencap from 193.0.252.52 to 192.168.0.0/24 Any help would be very much appreciated. Regards, Bealach From sven at hin.de Tue Apr 11 00:12:33 2006 
From: sven at hin.de (sven@hin.de) Date: Tue Apr 11 00:32:07 2006 Subject: Change outbound ICMP source In-Reply-To: <443ABD8A.7080002@gmail.com> References: <443A9DA4.30801@gmail.com> <443ABD8A.7080002@gmail.com> Message-ID: <443AD851.1050006@hin.de>

> That doesn't achieve what I want. If a TCP connection is rejected at
> the firewall, then blocking ICMP at the upstream router will block the
> host-unreachable from going out, not make it seem as if the router is
> the source.

You want to do SNAT?

From nathaniel.d.hall at gmail.com Tue Apr 11 00:20:35 2006
From: nathaniel.d.hall at gmail.com (Nathaniel Hall) Date: Tue Apr 11 00:37:30 2006 Subject: Change outbound ICMP source In-Reply-To: <443AD851.1050006@hin.de> References: <443A9DA4.30801@gmail.com> <443ABD8A.7080002@gmail.com> <443AD851.1050006@hin.de> Message-ID: <443ADA33.4010304@gmail.com>

sven@hin.de wrote:
>> That doesn't achieve what I want. If a TCP connection is rejected at
>> the firewall, then blocking ICMP at the upstream router will block the
>> host-unreachable from going out, not make it seem as if the router is
>> the source.
>
> You want to do SNAT?

Yes, but it isn't SNAT because it isn't being routed. It would be on the
OUTPUT chain since it is originating from the firewall.

-- 
Nathaniel Hall, GSEC GCFW GCIA

From spyderlinuxadm at itelefonica.com.br Tue Apr 11 05:18:41 2006
From: spyderlinuxadm at itelefonica.com.br (Rodrigo) Date: Tue Apr 11 05:35:33 2006 Subject: blocked dhcpd Message-ID: <443B2011.1080504@itelefonica.com.br>

I configured the server with dhcp to bind MACs to the IPs that I determined.
OK, when I bring up a workstation to test dhcp it does not get the IP; it only
gets the IP when I open up the firewall, leaving its rules as ACCEPT. Leaving
the policy as DROP for INPUT and FORWARD it does not work, that is, the
firewall is blocking it. How to do it? Would anyone have some rule?

From laforge at netfilter.org Tue Apr 11 11:03:56 2006
From: laforge at netfilter.org (Harald Welte) Date: Tue Apr 11 11:30:30 2006 Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter In-Reply-To: <4439385B.6010908@trash.net> References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi> <20060409144534.GN29797@vianova.fi> <87psjqg2nt.fsf@hades.wkstn.nix> <4439385B.6010908@trash.net> Message-ID: <20060411090356.GJ5167@rama.linbit>

On Sun, Apr 09, 2006 at 06:37:47PM +0200, Patrick McHardy wrote:
> But it does show you all the new options. Admittedly, it would
> have been better to automatically select the new options when
> needed,

I spent a long time trying to do this with Kconfig, including suggestions from
Rusty, but couldn't get it to work at all.

-- 
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie

From calvin.hubble at gmail.com Tue Apr 11 11:16:49 2006
From: calvin.hubble at gmail.com (Calvin Hubble) Date: Tue Apr 11 11:33:43 2006 Subject: libipq, packet mangling and checksum calculations Message-ID: <3f0dd8f80604110216v7b2f858r4cb352211b6670be@mail.gmail.com>

I am having issues with libipq and checksum calculations, I apologize if this
has been explored space.

I am using libipq along with iptables to mangle incoming/outgoing packets in
an attempt to write a watered-down user-level nat. For an outgoing packet I
change the source address and recalculate both the IP and TCP checksums.

Now here is the weird thing, I don't seem to have a problem with connection
startup (SYN/SYN-ACK/ACK). I am tcpdumping on my outgoing link and see no
errors. When I send an outgoing packet with actual data (i.e. an HTTP
request), then tcpdump keeps telling me I have a bad checksum. For example :

[bad tcp cksum 2072 (->768d)!]

However, I verified my checksum calculation as well as the value inside the
payload which I pass back to the kernel using ipq_set_verdict and in all cases
the checksum value I have is correctly set at 0x768d (in this case).

What is going on here? Again, this is only for TCP checksum calculations on
data packets, I do not see this issue with IP checksums or TCP
syn/syn-ack/ack packets.

Thank you for the help.

-Calvin

From eric at inl.fr Tue Apr 11 11:52:25 2006
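The arithmetic behind Calvin's question above, as an added example (not his libipq code): the IPv4 header checksum covers only the header, but the TCP checksum covers a pseudo-header that includes the source address, so a source rewrite invalidates both, and a full recompute can be cross-checked against the RFC 1624 incremental update. The packet bytes, addresses and ports are constructed here.

```python
"""IPv4 and TCP checksum handling for a user-level source rewrite (added example)."""
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20


def ones_complement_sum(data):
    """16-bit one's-complement sum of data, folded into 16 bits (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def ip_checksum(ip_hdr):
    """IPv4 header checksum, computed with its own checksum field (bytes 10..11) zeroed."""
    return checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])


def tcp_checksum(src, dst, segment):
    """TCP checksum over the pseudo-header (src, dst, 0, proto 6, TCP length) and the
    segment with its checksum field (bytes 16..17 of the TCP header) zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def incremental_update(old_csum, old_words, new_words):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied per replaced 16-bit word."""
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(struct.unpack("!%dH" % (len(old_words) // 2), old_words),
                        struct.unpack("!%dH" % (len(new_words) // 2), new_words)):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def build_packet(src, dst, sport, dport, payload, flags=0x18):
    """Minimal IPv4+TCP packet (no options, PSH/ACK by default) with both checksums set."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                      (TCP_HDR_LEN // 4) << 4, flags, 5840, 0, 0) + payload
    seg = seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(seg), 0x1234,
                      0x4000, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + seg


def verify(packet):
    """Return (ip_ok, tcp_ok): a correct checksum makes the folded sum come out 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, seg = packet[:ihl], packet[ihl:]
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return (ones_complement_sum(ip_hdr) == 0xFFFF,
            ones_complement_sum(pseudo + seg) == 0xFFFF)


def rewrite_source(packet, new_src, fix_tcp=True):
    """SNAT-style source rewrite. With fix_tcp=False only the IP checksum is repaired,
    which is exactly what tcpdump then reports as 'bad tcp cksum'."""
    ihl = (packet[0] & 0x0F) * 4
    old_src = packet[12:16]
    hdr = packet[:12] + new_src + packet[16:ihl]
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    seg = packet[ihl:]
    if fix_tcp:
        old_tcs = struct.unpack("!H", seg[16:18])[0]
        # Only the two source-address words changed, so the old checksum suffices.
        new_tcs = incremental_update(old_tcs, old_src, new_src)
        seg = seg[:16] + struct.pack("!H", new_tcs) + seg[18:]
    return hdr + seg


if __name__ == "__main__":
    # Constructed addresses: LAN client, web server, and the address we rewrite to.
    src, dst, nat = bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10])
    pkt = build_packet(src, dst, 34567, 80, b"GET / HTTP/1.0\r\n\r\n")
    print("original     :", verify(pkt))
    print("rewritten    :", verify(rewrite_source(pkt, nat)))
    print("ip-only fix  :", verify(rewrite_source(pkt, nat, fix_tcp=False)))
```

If the capture runs on the sending host itself, tcpdump can also flag outgoing checksums as bad when the NIC fills them in after the capture point (checksum offload); a capture taken on another machine settles that.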
From: eric at inl.fr (Eric Leblond) Date: Tue Apr 11 12:12:59 2006 Subject: Nuface 1.0, firewall configuration interface Message-ID: <1144749145.21344.11.camel@localhost.localdomain>

Hi,

INL is proud to announce the availability of the Nuface 1.0 branch (latest
release 1.0.3).

Nuface is an intuitive firewall configuration interface for EdenWall/NuFW as
well as for Netfilter. It lets you use high level objects, agglomerate objects
into ACLs, and deals with generating Netfilter rules as well as LDAP Acls for
NuFW.

Nuface uses an XML abstraction of filtering rules, as well as an XML
definition of the network topology. This leads to automatic anti-spoofing
rules (ie, the web interface does not show the notion of physical network
interface to the admins, but deals with it internally).

Nuface is distributed under the terms of the GPL v2 license.

You can test nuface at the Nuface demo site : https://nuface.inl.fr/
Of course you won't be able to generate or apply firewall rules on this demo.

Happy filtering to all,

-- 
Eric Leblond for the INL development team

From mailings at netzwerk.cc Tue Apr 11 12:37:15 2006
From: mailings at netzwerk.cc (mailings@netzwerk.cc) Date: Tue Apr 11 12:50:28 2006 Subject: patch-o-matic ROUTE In-Reply-To: References: <443A73F9.6050508@netzwerk.cc> Message-ID: <3295.212.185.171.7.1144751835.squirrel@web.tansas.de>

> Hmmm! I can't find a patch-o-matic directory. I use Mandriva Linux
> vanilla.
> Do I therefore have to install everything in patch-o-matic to get this
> directory?
> Sorry to appear thick & stupid, but I am in this area.
> Thanks
>
>>From: "Mailings'AT'netzwerk.cc"
>>To: Ian stuart Turnbull
>>CC: netfilter@lists.netfilter.org
>>Subject: Re: patch-o-matic ROUTE
>>Date: Mon, 10 Apr 2006 17:04:25 +0200
>>
>>Ian stuart Turnbull wrote:
>>>Hi folks,
>>>can I request some help please. I would like to know if the
>>> patch-o-matic
>>>ROUTE -tee function works and if so could someone please tell me
>>> how/when
>>>I apply the patch. I mean how does one tell the Kernel make to include
>>>just this one extra patch?
>>>Sorry if this has been explained earlier. I attempted to search the
>>>mailing list archives but couldn't find a search capability.
>>>Thanks,
>>>Ian t
>>
>>Hey dude :),
>>
>>take a look at the pom2patch file in your patch-o-matic directory.
>>
>>i think you have to call it like "pom2patch kernel-source patch"
>>
>>you should get a normal kernel diff file.
>>
>>cheers
>

Hey, please always reply to the list too.

sorry don't know what you mean.

take a look at a patch-o-matic snapshot on www.netfilter.org

good luck

From mike.auty at gmail.com Tue Apr 11 12:58:57 2006
From: mike.auty at gmail.com (Mike Auty) Date: Tue Apr 11 13:15:50 2006 Subject: libnetfilter_queue conditions required to rewrite packets... In-Reply-To: <859616420604070655n35ced2eau5c6968f5d2e3f029@mail.gmail.com> References: <44348A27.60602@gmail.com> <859616420604052330gc251080q95738ef1d112b465@mail.gmail.com> <859616420604070655n35ced2eau5c6968f5d2e3f029@mail.gmail.com> Message-ID: <443B8BF1.2090907@gmail.com>

Ok,

So yesterday I needed to use a small program to rewrite packets flowing
through my transparent bridge. I started using an ipq implementation and
after a bit of jiggery pokery fixing up all the checksums, it seemed to be
working a treat. I then knocked up an nfqueue implementation using the code
I'd been writing that did exactly the same job, and using the subversion
copies of libnetfilter_queue (0.0.12) and libnfnetlink (0.0.16), I did manage
to mangle the packets successfully...

I still don't seem to be able to send out packets with a broken checksum, but
I haven't yet verified whether that's the target end dropping them or the
linux kernel killing them before they get on the wire.

I hope this helps...

Mike 5:)

From syrius.ml at no-log.org Tue Apr 11 12:55:43 2006
From: syrius.ml at no-log.org (syrius.ml@no-log.org) Date: Tue Apr 11 13:17:02 2006 Subject: NF_CONNTRACK & NAT Message-ID: <874q10mlk1.873bgkmlk1@871ww4mlk1.message.id>

Hi there,

I've realized I can't use NF_CONNTRACK and NAT.

Am I doing something wrong or is it a known limitation ?

I'd like to be able to use NF_CONNTRACK (for ipv6 & ipv4) and being able to
use nat for ipv4. is there a solution ?

Cheers

-- 

From Stuart.Flowers at bmw.de Tue Apr 11 12:01:58 2006
From: Stuart.Flowers at bmw.de (Stuart Flowers) Date: Tue Apr 11 14:17:29 2006 Subject: Is Netfilter the correct tool for filtering out problem packets Message-ID:

Hello,

We have the following problem:

Our WebApplication occasionally sends 1 Byte packets, containing just a "v",
as part of the response to an http request. Unfortunately our load balancer
(F5 BigIP) reacts to this unexpected "v" by closing the http1.1 Pipes, and the
user sees an error message (generated by the apache Webservers that sit in
front of the BigIP).

Naturally we are trying to stop the application generating these problematic
"v"s (which it should only use to communicate between its own processes
across the 6 Application servers), but in the meantime we thought that we
could perhaps filter them out, before the BigIP sees them.

So the question. Is NetFilter the right place to do this filtering ???

Rule would have to be something like:

If Destination is BigIP and PacketSize = 1 Byte and PacketContent is a "v"
then dump the packet.

The whole communication is done in https, if that makes any difference.

                                                      <-"v"
 ---------    -------    --------    -------    ------------
| Browser |->| Load  |->| Apache |->| Load  |->|Application |
|         |  | Bal 1 |  |  x 2   |  | Bal 2 |  |(Linux x 6) |
 ---------    -------    --------    -------    ------------

Thanks in anticipation

Stuart

------------------------------------------
BMW Group
Stuart Flowers
TG-40
Telefon: +49-89-382-28572
Fax: +49-89-382-49166
mailto: Stuart.Flowers@bmw.de
Url: http://www.bmwgroup.com
------------------------------------------

From jengelh at linux01.gwdg.de Tue Apr 11 13:27:36 2006
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Apr 11 14:17:31 2006 Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter In-Reply-To: <4439350E.4060306@tomt.net> References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi> <20060409144534.GN29797@vianova.fi> <87psjqg2nt.fsf@hades.wkstn.nix> <4439350E.4060306@tomt.net> Message-ID:

>
> Being bitten by such issues in the past, I always diff the old and the new
> config and look for anything suspicious going down.
>

My way:

gzip -cd /proc/config.gz >.config
make

The configurator will stop at any new config option, which includes xtables.
:)

Jan Engelhardt
-- 

From mail at davidvogt.de Tue Apr 11 16:49:36 2006
From: mail at davidvogt.de (David Vogt) Date: Tue Apr 11 17:06:31 2006 Subject: libnetfilter_queue conditions required to rewrite packets... In-Reply-To: <443B8BF1.2090907@gmail.com> References: <44348A27.60602@gmail.com> <859616420604052330gc251080q95738ef1d112b465@mail.gmail.com> <859616420604070655n35ced2eau5c6968f5d2e3f029@mail.gmail.com> <443B8BF1.2090907@gmail.com> Message-ID: <859616420604110749g158d9c56x98c1a87112a4a341@mail.gmail.com> 2006/4/11, Mike Auty : > Ok, > So yesterday I needed to use a small program to rewrite packets flowing > through my transparent bridge. I started using the an ipq > implementation and after a bit of jiggery pokery fixing up all the > checksums, it seemed to be working a treat. I then knocked up an > nfqueue implementation using the code I'd been writing that did exactly > the same job, and using the the subversion copies of libnetfilter_queue > (0.0.12) and libnfnetlink (0.0.16), I did manage to mangle the packets > successfully... That's good news. I took a holiday this week, so I haven't been working on this issue anymore, but will try to check if the subversion copies solve my problems as well. Thank you very much! David From mvolaski at aecom.yu.edu Tue Apr 11 19:14:30 2006 From: mvolaski at aecom.yu.edu (Maurice Volaski) Date: Tue Apr 11 19:32:04 2006 Subject: iptables is complaining with bogus unknown error 18446744073709551615 In-Reply-To: <200604111452.k3BEpxdo019103@mailgw.aecom.yu.edu> References: <200604111452.k3BEpxdo019103@mailgw.aecom.yu.edu> Message-ID: I just incorporated kernel 2.6.16.1 into my Gentoo system. The firewall script no longer functions properly. Standard iptables calls return iptables: unknown error 18446744073709551615 Posted in bugzilla as https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467 -- Maurice Volaski, mvolaski@aecom.yu.edu Computing Support, Rose F. Kennedy Center Albert Einstein College of Medicine of Yeshiva University From mvolaski at aecom.yu.edu Tue Apr 11 21:13:12 2006 
From: mvolaski at aecom.yu.edu (Maurice Volaski) Date: Tue Apr 11 21:30:11 2006 Subject: iptables is complaining with bogus unknown error 18446744073709551615 In-Reply-To: <876ef97a0604111146m742d75f0gb8240e82ba7426f1@mail.gmail.com> References: <200604111452.k3BEpxdo019103@mailgw.aecom.yu.edu> <876ef97a0604111146m742d75f0gb8240e82ba7426f1@mail.gmail.com> Message-ID:

Thank you for your reply.

>On 4/11/06, Maurice Volaski wrote:
>> I just incorporated kernel 2.6.16.1 into my Gentoo system.
>>
>> The firewall script no longer functions properly. Standard iptables
>> calls return
>> iptables: unknown error 18446744073709551615
>>
>> Posted in bugzilla as
>> https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467
>
>Lemme guess: AMD64, right? 18446744073709551615 is -1 being cast as an
>unsigned long on a 64-bit platform.

Correct.

>We can't really assist you however if you don't provide some
>information on the firewall rules used, modules loaded, kernel
>configuration, etc. Thanks.
>

Examples of rules that give the error are

1) iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT
2) iptables -A INPUT -i bond0 -s 129.98.90.101/32 -p tcp --dport 497 -j ACCEPT
3) iptables -A INPUT -i bond0 -s 129.98.90.227/32 -p tcp --dport 22 -j ACCEPT

Example of a rule that does not give the error:

1) iptables -A INPUT -i bond0 -p ICMP --icmp-type echo-request -s 129.98.90.13/32 -j ACCEPT

The computer is using IPv4 and not IPv6, which has not been compiled into the kernel. iptables is version 1.3.5.

Kernel configuration related to iptables follows:

CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_TARGET_REJECT is not set
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_ARPTABLES=m
# CONFIG_IP_NF_ARPFILTER is not set
# CONFIG_IP_NF_ARP_MANGLE is not set
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

lsmod shows

xt_state                4480  0
ipt_LOG                 8512  0
ip_conntrack_ftp        9424  0
ip_conntrack           52412  2 xt_state,ip_conntrack_ftp
nfnetlink               7624  1 ip_conntrack
iptable_filter          5120  0
ip_tables              13720  1 iptable_filter
x_tables               13704  3 xt_state,ipt_LOG,ip_tables

--
Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

From davidsen at tmr.com Tue Apr 11 21:10:02 2006
From: davidsen at tmr.com (Bill Davidsen) Date: Tue Apr 11 23:49:10 2006 Subject: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter In-Reply-To: <87psjqg2nt.fsf@hades.wkstn.nix> References: <20060408200915.GN1686@vianova.fi> <44388908.6070602@trash.net> <20060409074313.GZ15954@vianova.fi> <20060409144416.GO1686@vianova.fi> <20060409144534.GN29797@vianova.fi> <87psjqg2nt.fsf@hades.wkstn.nix> Message-ID: <443BFF0A.7050303@tmr.com>

Nix wrote:
> On 9 Apr 2006, Ville Herva yowled:
>> On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>>> I just realized
>>> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
>>> should probably be set. I'm building a new kernel now...
>> Ok, that seems to do it.
>>
>> Thanks for the help, and sorry for the noise. I hope not too many people hit
>> the same glitch while upgrading...
>
> I certainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.
>
> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.
>

I think the root of the problem is that "make oldconfig" doesn't give any warning when options are removed. So there's no warning that iptables is gone, because the help for the new options doesn't tell you "replaces XXXX" even if you ask for help.

Suggestion: how hard would it be to have some extra value like y/n/m which says print the help even though the option is gone? That would be a reasonable thing to do for a version or two after things go away, and certainly lower cost than having testers ask questions, rebuild kernels, or just go away mad.

From jesseg at nikola.com Wed Apr 12 07:46:29 2006
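The check Jan Engelhardt and Bill Davidsen describe in this thread (diff the running kernel's config against the one `make oldconfig` produced, and look for what went away) as an editor's added example rather than anything posted to the list. The file names and the kernel source directory are assumptions; the functions only need two plain-text .config files. They list every option that was =y or =m in the old config but is absent or "is not set" in the new one, which is how the silent loss of the old CONFIG_IP_NF_* entries shows up before the firewall script starts failing:

```shell
#!/bin/sh
# Editor's example, not code from the thread. Lists kernel config options that
# were enabled (=y or =m) in OLD but are missing or "is not set" in NEW.
# Assumed workflow on the firewall host (paths are placeholders):
#   gzip -cd /proc/config.gz > old.config
#   cp old.config linux-2.6.17-rc1/.config
#   (cd linux-2.6.17-rc1 && make oldconfig)      # answer the new prompts
#   dropped_options old.config linux-2.6.17-rc1/.config
#   dropped_options old.config linux-2.6.17-rc1/.config | grep -E 'NETFILTER|_NF_'

# Symbol names of all enabled options in a config file, sorted in C collation
# so that comm(1) below sees both lists in the same order.
enabled_options() {
    grep -E '^CONFIG_[A-Za-z0-9_]+=(y|m)$' "$1" | cut -d= -f1 | LC_ALL=C sort -u
}

# Symbols enabled in $1 but not in $2, one per line. Only the name is compared,
# so an option that merely moved from =m to =y is not reported; a real loss is.
dropped_options() {
    t=${TMPDIR:-/tmp}/dropped_options.$$
    enabled_options "$1" > "$t.old"
    enabled_options "$2" > "$t.new"
    LC_ALL=C comm -23 "$t.old" "$t.new"
    rm -f "$t.old" "$t.new"
}

# For a build script: fail (exit 1) when anything was dropped, and print the
# list on stderr so it does not drown in the compiler output.
check_no_dropped_options() {
    lost=$(dropped_options "$1" "$2")
    [ -z "$lost" ] && return 0
    printf 'options dropped by oldconfig:\n%s\n' "$lost" >&2
    return 1
}
```

Run it before `make` rather than after booting: a missing match or target module is cheap to notice in the list and expensive to notice as a firewall script that aborts half way through loading.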
From: jesseg at nikola.com (Jesse Gordon) Date: Wed Apr 12 08:03:42 2006 Subject: Strange need to reboot to clear iptables of ESP rule or lack thereof? Message-ID: <096b01c65df4$720d5e80$5e00800a@printserver>

I have a Cisco PIX 501 vpn endpoint appliance sitting behind a natting (linux 2.4.26) iptables (v1.3.3) and I have two remote offices happily connecting to my PIX vpn endpoint. I just forward the correct UDP ports in, and it all works.

Today I tried to add a third, but found that instead of forwarding packets like before, my iptables box would just reply to the remote office with this:

icmp 104: Jesse's_Public_Ip protocol 50 unreachable

(According to TCPDUMP on a separate host running as a packet analyzer on a "hub".)(Span on a fancy switch, actually.)

I found that in addition to forwarding UDP ports 50,500, and a few others, in order to make this third VPN client work, I had to also forward ESP:

iptables -t nat -A PREROUTING -p ESP -i eth1 -d Iptables_Box_Public_IP -j DNAT --to 10.x.x.4

Then the packets are correctly forwarded.

But here's what I don't understand: My firewall script is just a simple bash script -- really a list of iptables commands like the one shown above. It is started from /etc/rc.d/rc.local (A bash script which gets run as root once on every startup.)

If I put the above mentioned ESP rule in my firewall script and reboot, then it takes effect and works. But if I just type the rule at the command line as root, it enters into iptables without error -- but the packets are still refused with "protocol 50 unreachable."

And if I boot with the ESP rule in my startup script, then the packets are forwarded, and manually removing the ESP rule doesn't seem to stop the packets from being forwarded.

I did this experiment with the ESP rule as the last command in the script. I cannot understand why it makes a difference whether the ESP rule is added as the last rule in my bootup script, or a few seconds later by my keying it in on the console.
In other words, if the ESP rule was in the script at boot, then the system works as it should regardless of whether I leave or remove the rule from the running iptables. But if the rule is not in the script at bootup, then the packets are rejected with "protocol 50 unreachable" regardless of whether the ESP rule is manually added to the running iptables or not. I seem to have to reboot to change it.

My firewall script does flush everything empty before setting up any rules:

iptables -F
iptables -Z
iptables -X
iptables -F -t nat
iptables -Z -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -Z -t mangle
iptables -X -t mangle

And after those commands, iptables-save shows it as having no rules at all.

I would be most grateful for any comments on the topic!

Thanks very much,

Jesse Gordon
Nikola Engineering Inc.
224 W. Washington St. Suite 104
Sequim, WA 98382-3371
Tel (360)582-1051
Fax (360)582-1104

From isaiah at medcol.mw Wed Apr 12 10:33:11 2006
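An editor's added example, not Jesse Gordon's firewall script and not code from Rob Sterenborg's reply to Isaiah Makwakwa further down; every address, the interface name and the internal endpoint are placeholders. It covers two things the thread talks around. First, the rules an IPsec peer behind NAT needs: ESP is IP protocol 50, not a UDP port, so it gets `-p esp` rather than a port number, next to IKE on UDP 500 and NAT-T on UDP 4500, each with a DNAT rule and FORWARD rules in both directions. Second, the load order Rob recommends: policies to DROP before the flush, so a reload never leaves the box open for the moment between "flushed" and "rules back". The reboot puzzle is conntrack behaviour rather than an iptables bug: the nat table is consulted only for the first packet of a flow, and the resulting binding (a null binding, if no rule matched) is stored in the conntrack entry and reused for every later packet. ESP has no ports, so all ESP from one peer to the public address is one flow; once the peer has been retrying against a box without the DNAT rule, that entry exists with a null binding, is refreshed by each retry, and a DNAT rule added afterwards is never evaluated for it. Flushing rules does not flush conntrack; the entry disappears when it idles out (600 seconds for the generic protocol tracker) or when ip_conntrack is unloaded, which is what the reboot did. show_esp_conntrack lists such entries so the pinned binding can be seen instead of guessed at:

```shell
#!/bin/sh
# Editor's example, not Jesse Gordon's script. All values are placeholders.
# IPT defaults to a dry-run printer so the functions can be read and tested
# without root; set IPT=iptables and FORWARD_SWITCH=/proc/sys/net/ipv4/ip_forward
# on a real gateway.
dry_run() { printf '%s\n' "$*"; }
IPT=${IPT:-dry_run}
FORWARD_SWITCH=${FORWARD_SWITCH:-/dev/null}

# Rules that forward one IPsec peer to an internal endpoint.
# ESP is IP protocol 50 (a protocol, not a port); IKE is UDP 500; NAT-T is
# UDP 4500. Each needs a DNAT rule plus FORWARD rules in both directions.
#   $1 public address, $2 internal endpoint, $3 external interface
ipsec_forward_rules() {
    pub=$1; int=$2; ext=$3
    for match in "-p esp" "-p udp --dport 500" "-p udp --dport 4500"; do
        # $match is deliberately unquoted: it expands to several arguments.
        $IPT -t nat -A PREROUTING -i "$ext" -d "$pub" $match -j DNAT --to-destination "$int"
        $IPT -A FORWARD -i "$ext" -d "$int" $match -j ACCEPT
        $IPT -A FORWARD -o "$ext" -s "$int" $match -j ACCEPT
    done
}

# Reload without a window where everything is open: stop forwarding, set DROP
# policies, then flush, then load, then re-enable forwarding. Flushing first
# (as the original script does) leaves the box wide open for a moment if the
# chain policies are still ACCEPT.
load_firewall() {
    pub=$1; int=$2; ext=$3
    echo 0 > "$FORWARD_SWITCH"
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    for table in filter nat mangle; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
        $IPT -t "$table" -Z
    done
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipsec_forward_rules "$pub" "$int" "$ext"
    $IPT -t nat -A POSTROUTING -o "$ext" -j MASQUERADE
    echo 1 > "$FORWARD_SWITCH"
}

# List conntrack entries for protocol 50 so a pinned null binding can be seen.
# The generic tracker prints them as "unknown  50 <timeout> src=... dst=..."
# (2.4: /proc/net/ip_conntrack; later 2.6 kernels: /proc/net/nf_conntrack,
# where the line starts with "ipv4     2 unknown  50").
show_esp_conntrack() {
    table=${1:-/proc/net/ip_conntrack}
    [ -r "$table" ] || { echo "cannot read $table" >&2; return 1; }
    grep -E '(^|ipv4 +2 +)unknown +50 ' "$table"
}
```

When a new DNAT rule for a portless protocol appears to do nothing, run show_esp_conntrack first: an existing entry for the peer means the rule will not be consulted until that entry is gone, and no amount of re-running the rule script changes that.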
From: isaiah at medcol.mw (Isaiah Makwakwa) Date: Wed Apr 12 10:53:32 2006 Subject: IP masquerade + squid problem In-Reply-To: <000c01c65cce$ad299640$0101000a@sterenborg.info> References: <51851.192.168.2.7.1144653554.squirrel@mail2.medcol.mw> <000c01c65cce$ad299640$0101000a@sterenborg.info> Message-ID: <2853.192.168.2.224.1144830791.squirrel@mail2.medcol.mw>

Hie Rob et al,

Sorry that I could be dumping my whole file to the list but here is my iptables script.

Everything else works apart from the fact that at first I could not access my external website also on the same machine and squid could not be accessible. I solved the external website by configuring view in my DNS but it seems there is no easy way for the squid box.

Regards,

Isaiah.

>> Dear list,
>>
>> I have a problem with my squid + ip masquerading setup. My box has two
>> interfaces one internal one external. I masquerade all internal traffic
>> on this box which also runs squid proxy.
>>
>> When my iptables runs, and I point my client to the proxy on this box
>> I do not seem to get anywhere even though the squid box accepts and
>> logs a request.
>
> So your INPUT rules seem to be fine for your LAN.
>
>> When I go direct I can get the page.
>>
>> My gut feeling is that the squid box does get the request,
>> processes but due to some nating problem fails to identify the client
>> which made the request. Could anyone help to arrest the rot?
>
> Well, you could start by adding iptables LOG rules to see what happens.
> - Does squid actually try to perform the request (try a tcpdump or
> something) ?
> - Is the request getting through your (OUTPUT) rules (hence the logging) ?
> - Is the reply being allowed ?
> - What have you looked at / what have you tried ?
> - Maybe some rules we need to look at ?
>
> If you don't have any logging yet, add a rule to the bottom of your
> OUTPUT ruleset saying something like :
> $ipt -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "_ipt_OUTPUT: "
> and see if it's logging http requests from squid. If it is and your
> OUTPUT policy is DROP, the requests are most likely not getting out of
> your box.
> But since you didn't tell much about your setup and what you tried,
> that's only a wild guess.
>
>
> Gr,
> Rob

--
Linux System/Network Administrator,
College of Medicine,
P/Bag 360, Chichiri,
Blantyre 3.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables
Type: application/octet-stream
Size: 2676 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20060412/3f8d5460/iptables.obj

From rob at sterenborg.info Wed Apr 12 12:03:09 2006
From: rob at sterenborg.info (Rob Sterenborg) Date: Wed Apr 12 12:14:43 2006 Subject: IP masquerade + squid problem In-Reply-To: <2853.192.168.2.224.1144830791.squirrel@mail2.medcol.mw> References: <51851.192.168.2.7.1144653554.squirrel@mail2.medcol.mw> <000c01c65cce$ad299640$0101000a@sterenborg.info> <2853.192.168.2.224.1144830791.squirrel@mail2.medcol.mw> Message-ID: <64653.193.173.147.3.1144836189.squirrel@webmail.sterenborg.info>

On Wed, April 12, 2006 10:33, Isaiah Makwakwa wrote:
> Hie Rob et al,
>
> Sorry that I could be dumping my whole file to the list but here is my
> iptables script.
>
> Everything else works apart from the fact that at first I could not access
> my external website also on the same machine and squid could not be
> accessible. I solved the external website by configuring view in my DNS
> but it seems there is no easy way for the squid box.

You don't provide logging information of where packets in fact are or are not going, but I'll give it a try.

> # Flush all rules
> $IPTABLES -A INPUT -j DROP
> $IPTABLES -A OUTPUT -j DROP
> $IPTABLES -A FORWARD -j DROP

This is not flushing. In fact, I don't see any flushing rules at all. "$IPTABLES -F ..." is flushing.

> # Remove the complete blocks
> $IPTABLES -D INPUT 1
> $IPTABLES -D OUTPUT 1
> $IPTABLES -D FORWARD 1

Sooo... Why not this :

# Stop forwarding until rules are setup.
#
echo 0 > /proc/sys/net/ipv4/ip_forward

# Drop everything you don't want to allow.
# (Which is what you want to do, looking at your rules)
#
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP

# Flush the chains.
#
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD

Now you're ready to add rules to your liking without anything getting through unintended.

# Allow forwarding.
#
echo 1 > /proc/sys/net/ipv4/ip_forward

> #$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j ACCEPT
> #$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3033 -j ACCEPT

Packets for squid are directed to the firewall box so they are not NATed and you don't need these rules. (They are commented out I see ; just delete them.)

> $IPTABLES -A FORWARD -s 127.0.0.1 -j local-fwd
...
> $IPTABLES -A local-fwd -p tcp --dport 110 -j ACCEPT
> $IPTABLES -A local-fwd -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A local-fwd -p tcp --dport 21 -j ACCEPT
> $IPTABLES -A local-fwd -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A local-fwd -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A local-fwd -p udp --dport 53 -j ACCEPT

I can't imagine forwarding packets with source IP 127.0.0.1 to be correct. Are you trying to forward from the internet to your LAN ? Or... What ?

> $IPTABLES -A local -p tcp --dport 3128 -j ACCEPT
> $IPTABLES -A local -p tcp --dport 3033 -j ACCEPT

Is this to be squid's ICP port ? IMO you don't really need it for basic web proxying.

> $IPTABLES -A local -p tcp --dport 8080 -j ACCEPT

What port is your squid listening on (default 3128) ? Just open up that one.

> $IPTABLES -A ext -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A ext -p udp --dport 53 -j ACCEPT

Are external DNS servers setting up connections to you ? Normally your box sends a DNS request and the server answers. That answer would be accepted by a RELATED,ESTABLISHED rule.

> # Allow OUTPUT from local Machine & local net
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -d 127.0.0.1 -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -o $INTIF -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -o $EXTIF -j ACCEPT

You are allowing everything out. Why not flush the OUTPUT chain, set its policy to ACCEPT and be done with it ?

$ipt -F OUTPUT
$ipt -P OUTPUT ACCEPT

The above probably doesn't solve your problem, but I wouldn't write it this way.
Maybe you can add logging rules that might show where packets are or are not going.

Gr,
Rob

From pommnitz at yahoo.com Tue Apr 11 17:23:21 2006
From: pommnitz at yahoo.com (Joerg Pommnitz) Date: Wed Apr 12 14:00:52 2006 Subject: How to catch packets to the broadcast address (aka dhcp requests)? Message-ID: <20060411152321.77514.qmail@web51410.mail.yahoo.com>

Hello all,

I'm seriously puzzled by the behaviour of iptables in plain Linux-2.6.12. I have the following rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
HiMoNN-ACL-ath0  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
HiMoNN-ACL-ath0  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain HiMoNN-ACL-ath0 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Every incoming packet should be unconditionally dropped by the rule in chain HiMoNN-ACL-ath0. Unfortunately this is not what I see. External devices are still able to obtain IP addresses. DHCP requests (e.g. broadcast addressed packets) are not blocked. What am I doing wrong? This should be straight forward but proves itself to be a hard nut to crack.

Just in case you wonder: The HiMoNN-ACL-ath0 chain is supposed to hold a white list of MAC addresses that are allowed in. If there is a better way to do this, I would like to learn about it.

Just in case it helps, here is the iptables-save output that creates the above rules:

# Generated by iptables-save v1.2.11 on Tue Apr 11 17:11:01 2006
*filter
:INPUT ACCEPT [434:49608]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [740:64416]
:HiMoNN-ACL-ath0 - [0:0]
-A INPUT -i ath0 -j HiMoNN-ACL-ath0
-A FORWARD -i ath0 -j HiMoNN-ACL-ath0
-A HiMoNN-ACL-ath0 -j DROP
COMMIT
# Completed on Tue Apr 11 17:11:01 2006

--
Thanks in advance and kind regards
Joerg

From mwinkler at netuxsolutions.com Tue Apr 11 23:07:59 2006
From: mwinkler at netuxsolutions.com (Matthew Winkler) Date: Wed Apr 12 14:00:54 2006 Subject: Information Message-ID:

I was given this email address as the most likely contact for getting help with an IPTables problem. I am attempting to set up a linux router with eth0, ppp0, and ppp1. eth0 is the internal nic and ppp0 and ppp1 are both external internet connections. I have the local network set up in the 192.168.1.x fashion with the router at 192.168.1.1 and the 6 computers within the network from 192.168.1.100 through 192.168.1.105. I would like to route all outbound traffic from 192.168.1.100, 192.168.1.101, and 192.168.1.102 through ppp0 and all other outbound traffic through ppp1. All of the guides I have found to this point walk me through steps and configuration settings that end up with one of two possibilities. The first is that all outbound traffic is still being routed through only 1 of the two connections and the second is the problem that I may not be able to get any data to get outside the network. I hope that this message has found a person who will be able to help me and I also hope that you are able to send me some information back regarding this issue. If this email address is not correct, please forward this or let me know who I should be getting in touch with.

Thank you,

Matt Winkler
Netux Solutions LLC

From laforge at netfilter.org Wed Apr 12 15:10:09 2006
From: laforge at netfilter.org (Harald Welte) Date: Wed Apr 12 15:27:12 2006 Subject: Could you please update the Netfilter Extensions HOWTO ? In-Reply-To: References: Message-ID: <20060412131009.GF31616@sunbeam.de.gnumonks.org>

On Wed, Apr 12, 2006 at 02:34:54PM +0200, Ing. BcA. Ivan Dolezal wrote:
> this may sound stupid but could you please update the Netfilter
> Extensions HOWTO? It says something about using CVS which doesn't work. I
> found somewhere in a mailing list that I should use Subversion. When I
> downloaded the stuff, I was confused by more patch-o-matics. It all made
> me quite disgusted...
>
> I do appreciate your work, but its usefulness goes down with smoothness
> of usage.

The extensions HOWTO (which was contributed to netfilter.org) was abandoned by its original author, as it seems.

A volunteer project lives from contributions by volunteers. The netfilter core team is mostly busy with development tasks and with keeping the project running. There's no time left for any kind of documentation, I fear. We don't even have a webmaster - the core developers themselves are taking care of that (involuntarily). The only non-technical project member we have is Travis, our listmaster.

> Did you guys think of transferring docs to wiki?

A wiki needs somebody who takes care of the maintenance. Otherwise you get problems with inaccurate information, spam and the like. So whether a wiki or old-style HOWTOS: Somebody needs to take care.

Unless we see more people volunteering in the area of documentation, I don't think this is going to change, sorry.

Cheers,
--
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie

From laforge at netfilter.org Wed Apr 12 16:34:27 2006
From: laforge at netfilter.org (Harald Welte) Date: Wed Apr 12 16:51:27 2006 Subject: Could you please update the Netfilter Extensions HOWTO ? In-Reply-To: References: <20060412131009.GF31616@sunbeam.de.gnumonks.org> Message-ID: <20060412143427.GK31616@sunbeam.de.gnumonks.org>

On Wed, Apr 12, 2006 at 03:39:57PM +0200, Ing. BcA. Ivan Dolezal wrote:
> Do you think there is something that a total non-developer can do for the
> documentation project (in exchange for the prestigious e-mail
> @netfilter.org) ?

well, documentation can actually be written by any user who has managed to successfully use the particular to-be-documented software. So every (power-)user is a potential candidate for writing/maintaining/updating documentation.

Patches against the XML/SGML master documents in the 'documentation' subtree of svn.netfilter.org are _always_ welcome.

--
- Harald Welte http://netfilter.org/

From kaber at trash.net Wed Apr 12 17:41:44 2006
From: kaber at trash.net (Patrick McHardy) Date: Wed Apr 12 18:01:24 2006 Subject: 2.6.17rc1 PANIC related to IP masquerading In-Reply-To: <20060412152703.GD3405@ranger.ah.taprogge.wh> References: <20060412152703.GD3405@ranger.ah.taprogge.wh> Message-ID: <443D1FB8.6020504@trash.net> jlt_lk@shamrock.dyndns.org wrote: > Kernel 2.6.17-rc1 panics as soon as IP packets are forwarded using the > below config. ICMP packets seem to be forwarded fine. > > A photograph of the panic can be found at: > http://shamrock.dyndns.org/~ln/kernel/2.6.17rc1_panic.jpg . This is already fixed in Linus' current tree by this patch. -------------- next part -------------- commit 8bf4b8a1083694d5aac292f92705ddd3aec29be6 tree a8bbf0bb32b7e286659eae12326c54671430560f parent 67644726317a8274be4a3d0ef85b9ccebaa90304 author Herbert Xu Wed, 05 Apr 2006 02:51:05 -0700 committer David S. Miller Mon, 10 Apr 2006 12:25:22 -0700 [IPSEC]: Check x->encap before dereferencing it We need to dereference x->encap before dereferencing it for encap_type. If it's absent then the encap_type is zero. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller net/ipv4/xfrm4_input.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c index e1b8f4b..7a0b952 100644 --- a/net/ipv4/xfrm4_input.c +++ b/net/ipv4/xfrm4_input.c @@ -90,7 +90,7 @@ int xfrm4_rcv_encap(struct sk_buff *skb, if (unlikely(x->km.state != XFRM_STATE_VALID)) goto drop_unlock; - if (x->encap->encap_type != encap_type) + if ((x->encap ? x->encap->encap_type : 0) != encap_type) goto drop_unlock; if (x->props.replay_window && xfrm_replay_check(x, seq)) From ian.t7 at hotmail.co.uk Wed Apr 12 17:44:20 2006 
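Review bot: The hunk is correct for the NULL case but leaves the meaning of the 0 undocumented, and the commit message contradicts its own subject: the body says "We need to dereference x->encap before dereferencing it", which should read "check x->encap before dereferencing it", as the subject line does. What the change actually encodes is that an SA without an encap template is treated as encap_type 0, so a packet that reaches xfrm4_rcv_encap with a nonzero encap_type against such an SA is now dropped at drop_unlock instead of dereferencing a NULL pointer; one sentence saying so belongs in the message. Stylistically the ternary buried inside the comparison is dense; a named local before the if, along the lines of `int sa_encap = x->encap ? x->encap->encap_type : 0;` followed by `if (sa_encap != encap_type)`, would read more easily and give the 0 a name.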
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull) Date: Wed Apr 12 18:03:06 2006 Subject: patch-o-matic no password for the samba.org ftp using cvs Message-ID:

I'm sorry if this is not the correct place to post.

http://www.collaborium.org/onsite/benin/docs/services/NETFILTER_RELATED/netfilter-extensions/netfilter-extensions-HOWTO-2.html

the above HOWTO says to use cvs to get the latest patch-o-matic tree. Unfortunately it now requires a user password. Can anyone tell me where else I can get the p-o-m or the password please

thanks

From robert at leblancnet.us Wed Apr 12 19:10:21 2006
From: robert at leblancnet.us (Robert LeBlanc) Date: Wed Apr 12 19:26:01 2006 Subject: SNAT will not work for Linux clients when using an alias as the gateway address Message-ID:

I am working on a project to build a failover gateway system. I have heartbeat installed to ipfailover the gateway address eth1:0: 10.0.0.1 and it works great. Windows and Mac machines are able to get through the gateway and receive responses like they should. Linux machines on the other hand, don't seem to get a response back from the gateway. It's really odd as I am using DHCP for all the machines. If I set the Linux gateway to the actual address of the gateway (eth1: 10.0.0.251) it works fine, but if that machine goes down, the Linux computer can no longer get through to the rest of the network. Please help as we have to present this project tomorrow and it's the last problem to overcome.

Thank you,
Robert LeBlanc

From rob at sterenborg.info Wed Apr 12 21:58:12 2006
From: rob at sterenborg.info (Rob Sterenborg) Date: Wed Apr 12 22:15:15 2006 Subject: patch-o-matic no password for the samba.org ftp using cvs In-Reply-To: Message-ID: <001201c65e6b$6ea0c760$0101000a@sterenborg.info> > I'm sorry if this is not the correct place to post. > > http://www.collaborium.org/onsite/benin/docs/services/NETFILTE > R_RELATED/netfilter-extensions/netfilter-extensions-HOWTO-2.html > > the above HOWTO says to use cvs to get the latest patch-o-matic tree. > Unfortunately it now requires a user password. Can anyone > tell me where else I can get the p-o-m or the password please ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ I had a quick look at the HOWTO and it's not really up-to-date I think. POM has been followed up by POM-ng. Further, the HOWTO talks about "make patch-o-matic" and AFAIK that's not in use anymore. You can now patch the kernel and iptables source like this : KERNEL_DIR="/path/to/kernel_src" \ IPTABLES_DIR="path/to/iptables_src" \ ./runme Gr, Rob From Jason.Sigurdur at aspenview.org Wed Apr 12 22:51:29 2006 
From: Jason.Sigurdur at aspenview.org (Jason Sigurdur) Date: Wed Apr 12 23:08:34 2006 Subject: routing question Message-ID: <648A21EA469E3848922D9860785CD5EF23D496@aspen-mail01.aspenview.org>

I have the following scenario:

Two subnets, two ipsec vpn servers using openswan.

Vpn server 1 192.168.10.1, 10.10.1.1
Vpn Server 2 192.168.30.1, 10.30.1.1

I can ping 192.168.10.1 -> 30.1, but cannot ping 10.10.1.1 -> 10.30/16, but can ping from 10.30.1.10 {any system not the vpn box} to 10.10.1.1.

Is this how the SA dictates the vpn or is it a routing thing? I noticed that if I ping from 10.10.1.1 to a 10.30/16 address, the packets are sent over the ipsecX but with 192.168.10.1 as a source address. Should I see this? I thought the SA would only tunnel 10.10/16 <-> 10.30/16 traffic. Is there a way I can allow for the vpn systems to use their internal source address?

Thx
jason

conn S1toS16
    left=192.168.10.1
    leftnexthop=192.168.10.254
    leftsubnet=10.10.0.0/16
    right=192.168.30.1
    rightnexthop=192.168.30.254
    rightsubnet=10.30.0.0/16
    auto=start

From jlt_lk at shamrock.dyndns.org Wed Apr 12 17:27:03 2006
From: jlt_lk at shamrock.dyndns.org (jlt_lk@shamrock.dyndns.org) Date: Thu Apr 13 14:19:26 2006 Subject: 2.6.17rc1 PANIC related to IP masquerading Message-ID: <20060412152703.GD3405@ranger.ah.taprogge.wh>

Hello.

Kernel 2.6.17-rc1 panics as soon as IP packets are forwarded using the below config. ICMP packets seem to be forwarded fine.

A photograph of the panic can be found at: http://shamrock.dyndns.org/~ln/kernel/2.6.17rc1_panic.jpg .

Best Regards
Jens Taprogge

-------------- next part --------------
A non-text attachment was scrubbed...
Name: config-2.6.17-rc1.gz
Type: application/octet-stream
Size: 11071 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20060412/d641c3d5/config-2.6.17-rc1-0001.obj

From robb.bossley at gmail.com Thu Apr 13 16:43:33 2006
From: robb.bossley at gmail.com (Robb Bossley) Date: Thu Apr 13 17:00:44 2006 Subject: Could you please update the Netfilter Extensions HOWTO ? In-Reply-To: <20060412143427.GK31616@sunbeam.de.gnumonks.org> References: <20060412131009.GF31616@sunbeam.de.gnumonks.org> <20060412143427.GK31616@sunbeam.de.gnumonks.org> Message-ID: <5c6851530604130743r1b09c42fwdba43759cb031964@mail.gmail.com> I would be willing to help some. I am no expert at programming, but I usually can figure things out with a little time and effort. (And I use netfilter with a couple of extensions.) Just point me in the right direction and I would be glad to help as I get time. Robb Bossley On 4/12/06, Harald Welte wrote: > > Do you think there is something that a total non-developer can do for the > > documentatiton project (in exchange for the prestigious e-mail > > @netfilter.org) ? > > well, documentation can actually be written by any user who has managed > to successfully use the particular to-be-documented software. From mvolaski at aecom.yu.edu Fri Apr 14 01:19:27 2006 
From: mvolaski at aecom.yu.edu (Maurice Volaski) Date: Fri Apr 14 01:36:30 2006 Subject: iptables is complaining with bogus unknown error 18446744073709551615 Message-ID:

Some more info, the buggy netfilter in 2.6.16.1 is also present in 2.6.17-rc1.

Here's the tail end of output from strace on executing

iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT

in 2.6.17-rc1:

open("/lib64/iptables/libipt_standard.so", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \4\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=3112, ...}) = 0
mmap(NULL, 1050528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2ac9564a1000
mprotect(0x2ac9564a2000, 1044480, PROT_NONE) = 0
mmap(0x2ac9565a1000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x2ac9565a1000
close(3) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\377\0\0\0\0\0\0\0\0(\235v\361\0\201\377\377\241"..., [84]) = 0
getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "filter\0\0\200\336(V\311*\0\0M\215@\0\0\0\0\0\1\0\0\0\0"..., [672]) = 0
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 928) = -1 ENOENT (No such file or directory)
write(2, "iptables: Unknown error 18446744"..., 45iptables: Unknown error 18446744073709551615
) = 45
exit_group(1) = ?

--
Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

From diegolacerda at gmail.com Fri Apr 14 01:41:58 2006
From: diegolacerda at gmail.com (Diego Lacerda) Date: Fri Apr 14 01:59:06 2006 Subject: Fixup protocol Message-ID:

Hi people,

Can someone help me?

I'm searching for a solution about the Cisco PIX fixup protocol (application inspection) in Linux OS. This solution ensures the secure use of applications and services, by enabling Adaptive Security Algorithm.

Best regards,
Diego Lacerda.

From rob at sterenborg.info Fri Apr 14 08:18:58 2006
From: rob at sterenborg.info (Rob Sterenborg) Date: Fri Apr 14 08:36:11 2006 Subject: Fixup protocol In-Reply-To: Message-ID: <001a01c65f8b$50f7d570$0101000a@sterenborg.info>

> Hi people,
>
> Can someone help me?
>
> I'm searching for a solution about the Cisco PIX fixup protocol
> (application inspection) in Linux OS.

The only PIX fixup results I have seen were for smtp and those are not so good. The PIX smtp fixup is considered quite brain-dead by many (it doesn't speak ESMTP), so I don't know if using it is such a good idea. (The other fixups may be better, though.)

Anyway, you want to configure Cisco PIX fixup in Linux or what ? AFAIK this is a PIX solution only.

Gr,
Rob

From arik.funke at gmx.de Fri Apr 14 12:42:28 2006
From: arik.funke at gmx.de (Arik Funke) Date: Fri Apr 14 12:59:59 2006 Subject: Probes on Ports 6446,24976 Message-ID: <443F7C94.6020604@gmx.de>

Hello,

I am finding a LOT of probes on the ports 6446 and 24976. I have looked around a bit but cannot find out what they are looking for on my net. Can anybody enlighten me?

Cheers,
Arik

From xsov at mail.ru Fri Apr 14 06:14:24 2006
From: xsov at mail.ru (Oleg)
Date: Fri Apr 14 14:21:35 2006
Subject: Fixup protocol
In-Reply-To:
References:
Message-ID: <200604140814.24600.xsov@mail.ru>

> I'm searching for solution about the Cisco PIX fixup protocol
> (application inspection) in Linux OS.
> This solution ensures the secure use of applications and services, by
> enabling Adaptative Security Algorithm.

Take a look at the unclean module, it supports TCP, UDP, ICMP, IP.

--
Best regards,
Oleg

From diegolacerda at gmail.com Fri Apr 14 16:40:50 2006
From: diegolacerda at gmail.com (Diego Lacerda)
Date: Fri Apr 14 16:58:03 2006
Subject: Fixup protocol
Message-ID:

>> Hi people,
>>
>> Someone can help me?
>>
>> I'm searching for solution about the Cisco PIX fixup protocol
>> (application inspection) in Linux OS.

> The only PIX fixup results I have seen were for smtp and those are not
> so good. The PIX smtp fixup is considered quite brain-dead by many (it
> doesn't speak ESMTP), so I don't know if using it is such a good idea.
> (The other fixup's may be better, though.)
> Anyway, you want to configure Cisco PIX fixup in Linux or what ? AFAIK
> this is a PIX solution only.

I want to configure something similar to Cisco PIX fixup in Linux.

Thanks,
Diego Lacerda.

From izghitu at gmail.com Sat Apr 15 10:57:46 2006
From: izghitu at gmail.com (o omida parasita)
Date: Sat Apr 15 11:15:06 2006
Subject: Problem with iptables/geoip
Message-ID: <948a6d890604150157o41fae766l3c344ef5bcef7e26@mail.gmail.com>

Hello,

I compiled iptables successfully with geoip support using the guide from here:
http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-1.html

The problem is when I do the following for example:

iptables -A INPUT -m geoip ! --src-cc CA -j DROP

I receive the following error:

iptables: Unknown error 4294967295

I did all this on FC4 with a 2.6 kernel

Please help

Thank you

From gary at primeexalia.com Sat Apr 15 19:34:00 2006
From: gary at primeexalia.com (Gary W. Smith)
Date: Sat Apr 15 19:51:21 2006
Subject: Restrict based on time of day
Message-ID: <57F9959B46E0FA4D8BA88AEDFBE5829016756E@pxtbenexd01.pxt.primeexalia.com>

Hello,

I was asked today by a client if we can configure the firewall to restrict outgoing traffic between certain time frames from certain IP's. Basically they have had issues with people using the system inappropriately after hours. We have policy restrictions in place that prevent people from logging into the domain after hours but they have their own laptops which causes a problem.

We have a set of servers that will need access so we don't want to block everything. The network is segmented into two subnets, one for servers and the other for workstations. We just want to block the workstations from going out.

Is there a module for doing this?

Gary Smith

From gtaylor at riverviewtech.net Sat Apr 15 19:52:24 2006
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sat Apr 15 20:21:37 2006
Subject: Restrict based on time of day
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE5829016756E@pxtbenexd01.pxt.primeexalia.com>
References: <57F9959B46E0FA4D8BA88AEDFBE5829016756E@pxtbenexd01.pxt.primeexalia.com>
Message-ID: <444132D8.5080908@riverviewtech.net>

> I was asked today by a client if we can configure the firewall to
> restrict outgoing traffic between certain time frames from certain IP's.
> Basically they have had issues with people using the system in
> appropriately after hours. We have policy restrictions in place that
> prevent people from logging into the domain after hours but they have
> their own laptops which causes a problem.

Gary, this could easily be done with the IPTables "Time" match. Take a look at "http://www.netfilter.org/projects/patch-o-matic/pom-base.html#pom-base-time", I think you will find it very interesting and helpful.

Grant. . . .

From gary at primeexalia.com Sat Apr 15 20:59:37 2006
From: gary at primeexalia.com (Gary W. Smith)
Date: Sat Apr 15 21:17:00 2006
Subject: Restrict based on time of day
Message-ID: <57F9959B46E0FA4D8BA88AEDFBE5829016756F@pxtbenexd01.pxt.primeexalia.com>

Does this one require a kernel recompile or can you link it externally?

> -----Original Message-----
> From: Grant Taylor [mailto:gtaylor@riverviewtech.net]
> Sent: Saturday, April 15, 2006 10:52 AM
> To: Gary W. Smith
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Restrict based on time of day
>
> > I was asked today by a client if we can configure the firewall to
> > restrict outgoing traffic between certain time frames from certain IP's.
> > Basically they have had issues with people using the system in
> > appropriately after hours. We have policy restrictions in place that
> > prevent people from logging into the domain after hours but they have
> > their own laptops which causes a problem.
>
> Gary, this could easily be done with the IPTables "Time" match. Take a
> look at "http://www.netfilter.org/projects/patch-o-matic/pom-
> base.html#pom-base-time", I think you will find it very interesting and
> help full.
>
> Grant. . . .

From bigone at qon.lao.net Sun Apr 16 19:09:25 2006
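The rule set Gary is asking about, written out as an added example (it is not Gary's or Grant's configuration, and it uses the xt_time match that later became part of mainline iptables, with --timestart/--timestop/--weekdays/--kerneltz, rather than the 2006 patch-o-matic "time" module Grant links to). The subnet 192.168.10.0/24 for the workstations and eth0 as the Internet uplink are assumptions made for the example; the server subnet never enters the chain because only workstation sources are matched. The rules are printed for review by default and executed with the argument "apply".

```shell
#!/bin/sh
# Added example for the "restrict based on time of day" thread; not the
# posters' configuration.  Assumed (constructed) layout: workstations on
# 192.168.10.0/24, servers on a separate subnet, Internet uplink on eth0.
IPT=${IPT:-iptables}
WORKSTATIONS=${WORKSTATIONS:-192.168.10.0/24}
WAN_IF=${WAN_IF:-eth0}
WEEKDAYS=Mon,Tue,Wed,Thu,Fri

# Emit the rules on stdout so they can be reviewed (or diffed against the
# running ruleset) before being applied.
afterhours_rules() {
    # One chain holds the action, so switching REJECT to DROP, or changing
    # the log rate, is a single edit.
    echo "$IPT -N AFTERHOURS"
    # Rate-limited LOG first: after-hours attempts leave a trail in syslog
    # without a chatty laptop flooding the log.  The trailing space in the
    # prefix keeps it from being glued to the IN= field.
    echo "$IPT -A AFTERHOURS -m limit --limit 5/min -j LOG --log-prefix \"AFTERHOURS \""
    # REJECT rather than DROP: users see an immediate failure instead of
    # timeouts, and the admin-prohibited code says why.
    echo "$IPT -A AFTERHOURS -j REJECT --reject-with icmp-admin-prohibited"
    # Three windows, each a non-wrapping range.  --kerneltz makes the match
    # use the kernel's local time zone; without it xt_time compares against
    # UTC, which silently shifts the window by the zone offset.
    # Only workstation sources leaving via the uplink are affected, so the
    # server subnet and LAN-internal traffic are untouched.
    common="-A FORWARD -s $WORKSTATIONS -o $WAN_IF -m time --kerneltz"
    echo "$IPT $common --weekdays $WEEKDAYS --timestart 18:00 --timestop 23:59:59 -j AFTERHOURS"
    echo "$IPT $common --weekdays $WEEKDAYS --timestart 00:00 --timestop 07:00 -j AFTERHOURS"
    echo "$IPT $common --weekdays Sat,Sun -j AFTERHOURS"
}

# Print for review by default; "sh script apply" executes the commands.
if [ "${1:-}" = "apply" ]; then
    afterhours_rules | sh -e
else
    afterhours_rules
fi
```

Matching on all packets rather than only NEW connections means a session that is open at 18:00 is cut at 18:00, which is what "restrict outgoing traffic between certain time frames" asks for; add `-m state --state NEW` to the three FORWARD rules if existing sessions should be allowed to finish.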
From: bigone at qon.lao.net (big one)
Date: Sun Apr 16 19:26:56 2006
Subject: TCPFlags Option Error
Message-ID: <20060416100925.9B4B33F0@resin04.mta.everyone.net>

Hi,

I had installed new kernel 2.6.16.5 on Debian knoppix 3.4 with all IP Tables kernel options enabled. The setup is one interface: one PC with one external ethernet modem.

I use: Shorewall 3.0.6, IPTables: 1.3.5

Everything is ok, except TCPFlags option at /etc/shorewall/interfaces:

#ZONE INTERFACE BROADCAST OPTIONS
#net eth0 detect norfc1918,routefilter,dhcp,blacklist
net eth0 detect norfc1918,routefilter,dhcp,blacklist,tcpflags

If I delete tcpflags, the shorewall started successfully.

If I use tcpflags options: (from trace / debug output):

+ run_iptables -A logflags -j REJECT --reject-with tcp-reset
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ '[' -f /tmp/shorewall.SaCWSI/iprange ']'
+ /sbin/iptables -A logflags -j REJECT --reject-with tcp-reset
iptables: Unknown error 4294967295
+ '[' -z '' ']'
+ error_message 'ERROR: Command "/sbin/iptables -A' logflags -j REJECT --reject-with 'tcp-reset" Failed'
+ echo ' ERROR: Command "/sbin/iptables -A' logflags -j REJECT --reject-with 'tcp-reset" Failed'
ERROR: Command "/sbin/iptables -A logflags -j REJECT --reject-with tcp-reset" Failed
+ stop_firewall
+ '[' -n /var/lib/shorewall/shorewall.JIpwiX ']'
+ rm -f /var/lib/shorewall/shorewall.JIpwiX
+ set +x

How to solve this problem?

Thank you

From smokefat at gmail.com Mon Apr 17 04:05:16 2006
From: smokefat at gmail.com (BTP)
Date: Mon Apr 17 04:22:52 2006
Subject: iptables, eth0, snort, ARP packets problem
Message-ID: <42ad30bb0604161905m2d8450c3p941f5e8c93550ada@mail.gmail.com>

Hello,

I have this strange problem that I can't figure out, and I'm not an expert in this area yet so I was wondering if someone could shed some light on this for me.

I am hooked up to a cable modem, whose activity light is always flashing and turns out to be sending my directly hooked up laptop ARP packets, averaging 11Kb/s (who-has xxx.xxx.xxx.xxx tell xxx.xxx.xxx.xxx) - whether connected or not. In Windows XP Pro when I run snort, I can log this incoming stream all the time.

On my Linux system, it is possible to also receive this stream (and snort logs it into the database for me as "BAD-TRAFFIC" - loopback) or not to receive this stream, depending on the _order_ in which I invoke snort, eth0 (the only interface), and iptables.

[start snort]
[ifup eth0]
[invoke iptables firewall rules] **

** As soon as I invoke iptables, snort begins to record all this traffic as alerts into my database.

[ifup eth0]
[start snort]
[invoke iptables firewall rules]

The preceding order of commands does NOT make snort log all this traffic log to the database.

After my hard drive is going crazy filling up the database, it does not matter if I play around with bringing up/down my interface eth0 or changing the rules in iptables (I just set all Policies to accept, as I don't know how to unload the whole program modules from memory). However, running 'ifconfig' will display as my eth0 and lo interfaces to be constantly receiving approximately 11Kb/s. Sometimes if eth0 is down, lo receives all the traffic. Sometimes they both do, and sometimes just eth0.

I have been experimenting for a while, but dealing with three variables and constantly rebooting to notice changes is time consuming.

Why am I getting this constant flow of ARP packets? But more importantly, what is the order in which iptables and snort see traffic?? They're both hooked up to the same interface and I'm just using iptables as a firewall. I believe snort does not rely on iptables/netfilter's behaviour in order to see traffic unless snort is running with the 'inline' option, which isn't the case here. Although, I am confused. Is there something I should know about how snort and iptables behave in relation to each other and the order of bringing up the interface??

Thanks
Bart

From gtaylor at riverviewtech.net Mon Apr 17 05:21:01 2006
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Apr 17 05:50:40 2006
Subject: Restrict based on time of day
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE5829016756F@pxtbenexd01.pxt.primeexalia.com>
References: <57F9959B46E0FA4D8BA88AEDFBE5829016756F@pxtbenexd01.pxt.primeexalia.com>
Message-ID: <4443099D.5020702@riverviewtech.net>

> Does this one require a kernel recompile or can you link it externally?

Well, I always recompile my kernel. I suppose you could compile it in as a module. That is if there are not other internal structures that change when you introduce the new feature. Are you opposed to recompiling the kernel? If so, can I ask why?

Grant. . . .

From higuti.sam at gmail.com Mon Apr 17 14:25:52 2006
From: higuti.sam at gmail.com (Stephan Higuti)
Date: Mon Apr 17 14:43:24 2006
Subject: Let Real Ip's behind Firewall
Message-ID: <3da957060604170525q177719cfy3f3347f3061cf411@mail.gmail.com>

Hello guys,

Anybody have an idea of how i can let my servers with real ip's behind of my firewall running iptables?
Use i forward?
Can i do this?

Cheers

Stephan

From nunesb at gmail.com Mon Apr 17 15:13:33 2006
From: nunesb at gmail.com (Bruno Nunes)
Date: Mon Apr 17 15:31:07 2006
Subject: same ip to multiple hostnames block
Message-ID: <52837e3e0604170613v2a6903fey50f0e983e5a04924@mail.gmail.com>

Hi,

I have:

intranet.xxxxxxxxxxx.com -> ip A
zeus.xxxxxxxxxxx.com. -> ip A

both are redirections made with iptables to make ip A (local) accessed by world wide. When someone tries to access zeus or intranet by the hostname the host machine running IIS knows which website the user is trying to access.

my problem is:

how to block intranet.xxxxxxxx.com to be accessed by worldwide if it has the same ip as zeus.xxxxxxx.com? can i block by hostnames instead of an ip address??

thanks

From dashnu at gmail.com Mon Apr 17 15:17:18 2006
From: dashnu at gmail.com (Brett Curtis)
Date: Mon Apr 17 15:34:54 2006
Subject: Let Real Ip's behind Firewall
In-Reply-To: <3da957060604170525q177719cfy3f3347f3061cf411@mail.gmail.com>
References: <3da957060604170525q177719cfy3f3347f3061cf411@mail.gmail.com>
Message-ID: <735664E7-68FB-4F5D-8B24-79947815D435@gmail.com>

If I understand what you are asking you can use iproute to set up your nic for multiple external ips. Then use prerouting..

/sbin/iptables -t nat -A PREROUTING -d -p tcp --dport 25 \
 -j DNAT --to-destination :25

Brett

On Apr 17, 2006, at 8:25 AM, Stephan Higuti wrote:

> Hello guys,
>
> Anybody have an idea of how i can let my servers with real ip's behind
> of my firewall running iptables?
> Use i forward?
> Can i do this?
>
> Cheers
>
> Stephan
>

From lhotskyb at grc.nia.nih.gov Mon Apr 17 17:41:44 2006
From: lhotskyb at grc.nia.nih.gov (Brad Lhotsky)
Date: Mon Apr 17 17:59:21 2006
Subject: same ip to multiple hostnames block
In-Reply-To: <52837e3e0604170613v2a6903fey50f0e983e5a04924@mail.gmail.com>
References: <52837e3e0604170613v2a6903fey50f0e983e5a04924@mail.gmail.com>
Message-ID: <4443B738.8030102@grc.nia.nih.gov>

That sounds like you're doing something similar to Apache's Name Based Virtual Hosting on the IIS Server. I've never run IIS, so I have no idea. But this is not a Network level issue, it's a web server issue.

Apache would have something like this:

ServerName zeus.xxxxxxxxxx.com
DocumentRoot /www/zeus/html
Order deny,allow
Allow from all

ServerName intranet.xxxxxxxxx.com
DocumentRoot /www/intranet/html
Order deny,allow
Deny from all
Allow from 1.2.3.0/24 # OUR LOCAL SUBNET

So not a Layer 3 or 4 decision here. This is a Layer 7 issue.

Bruno Nunes wrote:
> Hi,
>
> I have:
>
> intranet.xxxxxxxxxxx.com -> ip A
> zeus.xxxxxxxxxxx.com. -> ip A
>
> both are redirections made with iptables to make ip A (local) accessed
> by world wide. When someone tries to access zeus or intranet by the
> hostname the host machine running IIS knows which website the user is
> trying to access.
>
> my problem is:
>
> how to block intranet.xxxxxxxx.com to be accessed by worldwide if it
> has the same ip as zeus.xxxxxxx.com? can i block by hostnames instead
> of an ip address??
>
> thanks

--
Brad Lhotsky
NCTS Computer Specialist
Phone: 410.558.8006

From gary at primeexalia.com Mon Apr 17 18:09:45 2006
From: gary at primeexalia.com (Gary W. Smith)
Date: Mon Apr 17 18:27:25 2006
Subject: Restrict based on time of day
Message-ID: <57F9959B46E0FA4D8BA88AEDFBE58290167572@pxtbenexd01.pxt.primeexalia.com>

I also recompile the kernel on many of my boxes but this isn't my box nor my configuration and I don't want to break anything in their environment at this time. Overall, I'm just gathering information for them so I can propose their options.

> -----Original Message-----
> From: Grant Taylor [mailto:gtaylor@riverviewtech.net]
> Sent: Sunday, April 16, 2006 8:21 PM
> To: Gary W. Smith
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Restrict based on time of day
>
> > Does this one require a kernel recompile or can you link it externally?
>
> Well, I always recompile my kernel. I suppose you could compile it in as
> a module. That is if there are not other internal structures that change
> when you introduce the new feature. Are you opposed to recompiling the
> kernel? If so, can I ask why?
>
> Grant. . . .

From michael at grife.net Tue Apr 18 06:02:06 2006
From: michael at grife.net (michael@grife.net)
Date: Tue Apr 18 05:19:43 2006
Subject: SNAT/MASQ question
Message-ID:

Hi,

At the moment I use MASQ to share my DSL connection. I've switched ISPs recently and now have a static IP address (my old ISP only gave out dynamic ones)

Is there any advantage in updating my firewall to use SNAT now?

regards,
Michael
michael@grife.net

From dallas.clarke at elgas.com.au Tue Apr 18 07:48:41 2006
From: dallas.clarke at elgas.com.au (Dallas Clarke)
Date: Tue Apr 18 14:08:54 2006
Subject: udp clients
Message-ID: <44447DB9.4080409@elgas.com.au>

Hello All,

I am running a udp client behind an iptables firewall, I can open a socket, send from the socket, but I can only receive one packet back from the server - all other packets are blocked.

Is this the standard way netfilter works, have I configured something wrong (straight out of the box fedora core 5).

This is a real problem for me since I can't expect every user to drop their firewall so they can use our client software.

Thanks

Dallas.

From standel at info.ucl.ac.be Tue Apr 18 13:58:22 2006
From: standel at info.ucl.ac.be (Sebastien Tandel)
Date: Tue Apr 18 14:16:34 2006
Subject: udp clients
In-Reply-To: <44447DB9.4080409@elgas.com.au>
References: <44447DB9.4080409@elgas.com.au>
Message-ID: <4444D45E.604@info.ucl.ac.be>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Can you give some more precision? What's the physical network configuration? how are the network interfaces configured?

then

iptables -L -v -n
iptables -t nat -v -n
route -n

thx

Dallas Clarke wrote:
> Hello All,
>
> I am running a udp client behind an iptables firewall, I can open a
> socket, send from the socket, but I can only receive one packet back
> from the server - all other packets are blocked.
>
> Is this the standard way netfilter works, have I configured something
> wrong (straight out of the box fedora core 5).
>
> This is a real problem from me since I can't expect every user to drop
> their firewall so they can use our client software.
>
> Thanks
>
> Dallas.
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFERNRew76McB8jGxkRAnsLAJ0eiuyMB+gfnDtQknHuuregF4yKHgCfZRtt
BhSwQ6TuK5s/5wEVcNIwj5k=
=st47
-----END PGP SIGNATURE-----

From michael at grife.net Tue Apr 18 15:02:31 2006
From: michael at grife.net (michael@grife.net)
Date: Tue Apr 18 14:20:15 2006
Subject: udp clients
In-Reply-To: <44447DB9.4080409@elgas.com.au>
References: <44447DB9.4080409@elgas.com.au>
Message-ID:

Hi,

> Is this the standard way netfilter works, have I configured something wrong

How have you configured the firewall? Something like the output of "iptables -L" from the command line is good.

Michael
michael@grife.net

From netfilter at schuetter.org Tue Apr 18 20:58:11 2006
From: netfilter at schuetter.org (Jörg Schütter)
Date: Tue Apr 18 21:15:53 2006
Subject: connection tracking of ipv6
Message-ID: <20060418205811.70fa7908@pluto.priv.schuetter.org>

Hi

I'm still having problems with connection tracking of ipv6. It looks like none of the packets is detected as a part of an established connection.
Can someone please show me what I'm doing wrong.

lsmod | grep -E '(ip6_|ip_|xp_|ip_|x_|iptable|ip6table)'
ip6table_filter 1984 1
ip6_tables 9880 1 ip6table_filter
iptable_filter 2112 1
ip_tables 8792 1 iptable_filter
ip_conntrack 39352 2 xt_state,xt_conntrack
nfnetlink 4440 1 ip_conntrack
x_tables 8388 6 ipt_REJECT,xt_tcpudp,ip6_tables,ip_tables,xt_state,xt_conntrack

ip6tables -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    4   596 ACCEPT all lo * ::/0 ::/0
    0     0 ACCEPT icmpv6 sixxs * ::/0 ::/0
    0     0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
    0     0 DROP tcp sixxs * ::/0 ::/0 tcp dpts:1:1024
   78 42071 ACCEPT tcp sixxs * ::/0 ::/0 tcp dpts:1025:65535
    3   384 ACCEPT all eth2 * ::/0 ::/0

uname -a
Linux pluto 2.6.16.7-0 #1 Tue Apr 18 15:49:36 CEST 2006 i686 GNU/Linux

Jörg

--
Jörg Schütter http://www.schuetter.org/joerg
joerg@schuetter.org http://www.lug-untermain.de/

From mlody at elpec.com Thu Apr 20 08:38:14 2006
From: mlody at elpec.com (robee)
Date: Thu Apr 20 08:55:55 2006
Subject: packets logging
Message-ID: <002d01c66445$01dd28f0$0e01050a@CyberAdmin>

when i use -j LOG target, netfilter writes so many information to syslog. what can i use to write only IN and OUT interface, SRC and DST host?

robee

From yasuyuki.kozakai at toshiba.co.jp Thu Apr 20 10:27:33 2006
From: yasuyuki.kozakai at toshiba.co.jp (Yasuyuki KOZAKAI)
Date: Thu Apr 20 10:45:29 2006
Subject: connection tracking of ipv6
In-Reply-To: <20060418205811.70fa7908@pluto.priv.schuetter.org>
References: <20060418205811.70fa7908@pluto.priv.schuetter.org>
Message-ID: <200604200827.k3K8RY3g019153@toshiba.co.jp>

From: Jörg Schütter
Date: Tue, 18 Apr 2006 20:58:11 +0200

> I'm still having problems with connection tracking of ipv6. It
> looks like none of the packets is detected as a port of a
> established connection.
> Can someone please show me what I'm doing wrong.
>
> lsmod | grep -E '(ip6_|ip_|xp_|ip_|x_|iptable|ip6table)'
> ip6table_filter 1984 1
> ip6_tables 9880 1 ip6table_filter
> iptable_filter 2112 1
> ip_tables 8792 1 iptable_filter
> ip_conntrack 39352 2 xt_state,xt_conntrack
> nfnetlink 4440 1 ip_conntrack
> x_tables 8388 6 ipt_REJECT,xt_tcpudp,ip6_tables,ip_tables,xt_state,xt_conntrack

Please build and use nf_conntrack and nf_conntrack_ipv6 instead of ip_conntrack. You need to say n on IP_NF_CONNTRACK and say y or m on NF_CONNTRACK and NF_CONNTRACK_IPV6. And please note that nf_conntrack has not supported IPv4 NAT yet, though.

--
Yasuyuki Kozakai

From beunlovable at gmail.com Thu Apr 20 14:56:52 2006
From: beunlovable at gmail.com (David Vogt)
Date: Thu Apr 20 15:14:48 2006
Subject: libnetfilter_queue conditions required to rewrite packets...
In-Reply-To: <443B8BF1.2090907@gmail.com>
References: <44348A27.60602@gmail.com> <859616420604052330gc251080q95738ef1d112b465@mail.gmail.com> <859616420604070655n35ced2eau5c6968f5d2e3f029@mail.gmail.com> <443B8BF1.2090907@gmail.com>
Message-ID: <859616420604200556x6e9011beyda90d65d93c2be88@mail.gmail.com>

2006/4/11, Mike Auty :
> Ok,
> So yesterday I needed to use a small program to rewrite packets flowing
> through my transparent bridge. I started using an ipq
> implementation and after a bit of jiggery pokery fixing up all the
> checksums, it seemed to be working a treat. I then knocked up an
> nfqueue implementation using the code I'd been writing that did exactly
> the same job, and using the subversion copies of libnetfilter_queue
> (0.0.12) and libnfnetlink (0.0.16), I did manage to mangle the packets
> successfully...

For the sake of completeness. After Amin Azez helped me (thanks again) to compile the current library version from the svn trunk and installing them, I gave it a quick shot and my application seems to work fine as well.

Thank you as well, Mike.

David

From casey at phantombsd.org Thu Apr 20 17:13:15 2006
From: casey at phantombsd.org (Casey Scott)
Date: Thu Apr 20 17:31:12 2006
Subject: iptables throttle via tc
Message-ID: <4435274.01145545995631.JavaMail.root@tomcat.phantombsd.org>

Is it possible for iptables to use a TC tbf bucket to throttle a connection? I have a machine with 2 NICs being used as a gateway for an internal network. I'd like to throttle the rate the internal interface will send packets into the local network that originated off network (Internet). I don't want to use iptables to drop the packets because bandwidth is still consumed by the dropped packets.

Regards,
Casey

From matmailinglist at gmail.com Thu Apr 20 18:14:00 2006
From: matmailinglist at gmail.com (Matthieu N)
Date: Thu Apr 20 18:32:01 2006
Subject: ipsec policy match support
Message-ID: <4447B348.1090604@gmail.com>

Hi,

Could you give me the best way to verify if my configuration is "policy match" ready?

My OS is Debian:
Kernel is 2.6.16 (unstable arg...)
own compiled iptables 1.3.5

--> my shorewall still displays "Your kernel and/or iptables does not support policy match: ipsec" :-(

thanks a lot!

Matthieu

ps: sorry for my english

From mariounixuser at yahoo.com.mx Thu Apr 20 22:47:08 2006
From: mariounixuser at yahoo.com.mx (Mario)
Date: Thu Apr 20 21:49:01 2006
Subject: packets logging
In-Reply-To: <002d01c66445$01dd28f0$0e01050a@CyberAdmin>
References: <002d01c66445$01dd28f0$0e01050a@CyberAdmin>
Message-ID: <4447F34C.6030500@yahoo.com.mx>

robee wrote:
> when i use -j LOG target, netfilter writes so many information to
> syslog. what can i use to write only IN and OUT interface, SRC and DST
> host?
>
> robee
>

$myLoglevel=info
...
iptables -A _____ -i $intif -s $Src -o $outif -d $Dest ________ -j LOG --log-prefix "xxxxxxx" --log-level $myLoglevel

and a little change in syslog.conf... like:

kern.=info /var/log/kern.info.log
....

From casey at phantombsd.org Thu Apr 20 20:59:34 2006
From: casey at phantombsd.org (Casey Scott)
Date: Fri Apr 21 06:27:50 2006
Subject: iptables throttle via tc cont.
Message-ID: <7838526.31145559574402.JavaMail.root@tomcat.phantombsd.org>

After working some more on my original post, I've come up with this. It doesn't work, though I think it should. I am trying to throttle incoming connections from the Internet. Since tc filters work on transmit, the best place to restrict seems to be from eth1 to eth0 (FORWARD). That way, the restriction imposed on the transmit of eth1 won't apply to a connection from the internal network going out (like a file upload).

The box in question has eth0 in an internal network and eth1 on the WAN link.

iptables -t mangle -A FORWARD -i eth0 -j MARK --set-mark 1
iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 2

tc qdisc del dev eth0 root 2>/dev/null
tc qdisc add dev eth0 root handle 1:0 htb default 1
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2kbit
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 2 fw classid 1:1

Though I see packets being caught by the iptables rules, they never seem to get the tc filters applied to them.

Thanks,
Casey

From casey at phantombsd.org Fri Apr 21 06:16:50 2006
From: casey at phantombsd.org (Casey Scott)
Date: Fri Apr 21 06:34:49 2006
Subject: iptables throttle via tc cont.
Message-ID: <13823905.31145593010041.JavaMail.root@tomcat.phantombsd.org>

For the mailing list record. This works:

Iptables:
-A FORWARD -s 192.168.1.0/24 -j MARK --set-mark 3
-A POSTROUTING -s ! 192.168.1.0/24 -d 192.168.1.0/24 -j MARK --set-mark 4

TC:
tc qdisc add dev eth0 root handle 11: cbq bandwidth 100Mbit avpkt 1000 mpu 64
tc class add dev eth0 parent 11:0 classid 11:1 cbq rate 2000kbit weight 15kbit allot 1514 prio 1 avpkt 1000 bounded
tc filter add dev eth0 parent 11:0 protocol ip handle 4 fw flowid 11:1

tc qdisc add dev eth1 root handle 10: cbq bandwidth 10Mbit avpkt 1000 mpu 64
tc class add dev eth1 parent 10:0 classid 10:1 cbq rate 500kbit weight 2kbit allot 1514 prio 1 avpkt 1000 bounded
tc filter add dev eth1 parent 10:0 protocol ip handle 3 fw flowid 10:1

This configuration restricts downloads on internal clients to 2000KB, and uploads to 500KB while not affecting the host.

Casey

----- Original Message -----
From: Casey Scott
To: netfilter@lists.netfilter.org
Sent: Thursday, April 20, 2006 11:59:34 AM GMT-0800
Subject: iptables throttle via tc cont.

After working some more on my original post, I've come up with this. It doesn't work, though I think it should. I am trying to throttle incoming connections from the Internet. Since tc filters work on transmit, the best place to restrict seems to be from eth1 to eth0 (FORWARD). That way, the restriction imposed on the transmit of eth1 won't apply to a connection from the internal network going out (like a file upload).

The box in question has eth0 in an internal network and eth1 on the WAN link.

iptables -t mangle -A FORWARD -i eth0 -j MARK --set-mark 1
iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 2

tc qdisc del dev eth0 root 2>/dev/null
tc qdisc add dev eth0 root handle 1:0 htb default 1
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2kbit
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 2 fw classid 1:1

Though I see packets being caught by the iptables rules, they never seem to get the tc filters applied to them.

Thanks,
Casey

From mvolaski at aecom.yu.edu Fri Apr 21 08:21:17 2006
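The fw-mark shaper from the thread, rewritten as an added example (it is not Casey's posted configuration). The reason the first attempt did nothing is worth stating: a root qdisc shapes what its device transmits, and the filter for mark 1 was attached to eth0 while mark 1 was set on packets that enter eth0 and leave through eth1, so eth0's qdisc never saw them, and the download mark (2) was sent to the uncapped class. The working version below puts each filter on the device the marked packets leave through, sets both marks in the mangle FORWARD chain so the gateway's own traffic stays unshaped, and uses HTB with ceil = rate instead of the bounded CBQ classes in the thread. The layout (eth0 LAN with 192.168.1.0/24, eth1 WAN, 2000kbit down, 500kbit up, 100mbit and 10mbit link speeds) is taken from the thread and assumed here; the commands are printed for review by default and run with the argument "apply".

```shell
#!/bin/sh
# Added example for the "iptables throttle via tc" thread; not Casey's
# posted configuration.  Assumed layout (from the thread): eth0 on the
# internal 192.168.1.0/24 network, eth1 on the WAN link.
IPT=${IPT:-iptables}
TC=${TC:-tc}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DOWN_RATE=${DOWN_RATE:-2000kbit}
UP_RATE=${UP_RATE:-500kbit}
MARK_UP=3      # LAN -> WAN, transmitted by WAN_IF
MARK_DOWN=4    # WAN -> LAN, transmitted by LAN_IF

mark_rules() {
    # MARK is a mangle-table target.  FORWARD sees only routed traffic, so
    # connections the gateway itself makes are never marked or shaped.
    echo "$IPT -t mangle -A FORWARD -s $LAN_NET ! -d $LAN_NET -j MARK --set-mark $MARK_UP"
    echo "$IPT -t mangle -A FORWARD ! -s $LAN_NET -d $LAN_NET -j MARK --set-mark $MARK_DOWN"
}

# A root qdisc shapes what the device transmits, so the fw filter for a mark
# must sit on the device the marked packets leave through: downloads leave
# through LAN_IF, uploads through WAN_IF.
shape_device() {
    dev=$1; mark=$2; rate=$3; link=$4
    echo "$TC qdisc del dev $dev root 2>/dev/null || true"
    # Unmarked traffic falls into class 1:10 at link speed; marked traffic is
    # pinned to 1:20 with ceil = rate so it cannot borrow from the parent.
    echo "$TC qdisc add dev $dev root handle 1: htb default 10"
    echo "$TC class add dev $dev parent 1: classid 1:1 htb rate $link"
    echo "$TC class add dev $dev parent 1:1 classid 1:10 htb rate $link"
    echo "$TC class add dev $dev parent 1:1 classid 1:20 htb rate $rate ceil $rate"
    echo "$TC filter add dev $dev parent 1: protocol ip prio 1 handle $mark fw flowid 1:20"
}

shaper_cmds() {
    mark_rules
    shape_device "$LAN_IF" "$MARK_DOWN" "$DOWN_RATE" 100mbit
    shape_device "$WAN_IF" "$MARK_UP" "$UP_RATE" 10mbit
}

# Print for review by default; "sh script apply" executes the commands.
if [ "${1:-}" = "apply" ]; then
    shaper_cmds | sh -e
else
    shaper_cmds
fi
```

To confirm the marks reach the right qdisc, `tc -s class show dev eth0` should show the byte counters of class 1:20 growing during a download from the Internet and those of eth1's 1:20 growing during an upload; if only 1:10 moves, the filter is on the wrong device for that mark.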
From: mvolaski at aecom.yu.edu (Maurice Volaski)
Date: Fri Apr 21 08:39:15 2006
Subject: iptables is complaining with bogus unknown error 18446744073709551615
Message-ID:

At least since 2.6.1.16.1, many calls to iptables no longer function at least under 64-bit x86, presumably due to a bug in the netfilter kernel code. The problem is still present in 2.6.17-rc2.

The error from iptables is

iptables: unknown error 18446744073709551615

Examples of rules that give the error are

1) iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT
2) iptables -A INPUT -i bond0 -s 129.98.90.101/32 -p tcp --dport 497 -j ACCEPT
3) iptables -A INPUT -i bond0 -s 129.98.90.227/32 -p tcp --dport 22 -j ACCEPT

Example of a rule that does not give the error:

1) iptables -A INPUT -i bond0 -p ICMP --icmp-type echo-request -s 129.98.90.13/32 -j ACCEPT

The computer is using IPv4 and not IPv6, which has not been compiled into the kernel. iptables is version 1.3.5.

Kernel configuration related to iptables follows:

CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_TARGET_REJECT is not set
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

lsmod shows

xt_state 4928 0
ipt_LOG 8960 0
ip_conntrack_ftp 10000 0
ip_conntrack 57880 2 xt_state,ip_conntrack_ftp
nfnetlink 8520 1 ip_conntrack
iptable_filter 5440 0
ip_tables 22168 1 iptable_filter
x_tables 17800 3 xt_state,ipt_LOG,ip_tables

This issue has been posted to netfilter bugzilla as https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467 and to kernel bugzilla as http://bugzilla.kernel.org/show_bug.cgi?id=6420

--
Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

From mlody at elpec.com Fri Apr 21 08:34:09 2006
From: mlody at elpec.com (robee)
Date: Fri Apr 21 08:51:55 2006
Subject: packets logging
References: <002d01c66445$01dd28f0$0e01050a@CyberAdmin> <4447F34C.6030500@yahoo.com.mx>
Message-ID: <000d01c6650d$99afe6e0$0e01050a@CyberAdmin>

----- Original Message -----
From: "Mario"
To: "robee"
Cc:
Sent: Thursday, April 20, 2006 10:47 PM
Subject: Re: packets logging

> robee wrote:
>> when i use -j LOG target, netfilter writes so many information to syslog.
>> what can i use to write only IN and OUT interface, SRC and DST host?
>> robee
>
> $myLoglevel=info
> ...
> iptables -A _____ -i $intif -s $Src -o $outif -d $Dest ________ -j
> LOG --log-prefix "xxxxxxx" --log-level $myLoglevel
>
> and a little change in syslog.conf... like:
> kern.=info /var/log/kern.info.log
> ....

my rules look like this:

iptables -I FORWARD -p tcp -i ! eth0 --dport 80 -m state --state NEW -j LOG --log-prefix HTTP_ --log-level info

and i get something like this in /var/log/kernel

Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57962 DF PROTO=TCP SPT=3636 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

but i want only this:

Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29

any suggestion?

robee

From rob at sterenborg.info Fri Apr 21 09:22:15 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Fri Apr 21 09:33:57 2006
Subject: packets loging
In-Reply-To: <000d01c6650d$99afe6e0$0e01050a@CyberAdmin>
References: <002d01c66445$01dd28f0$0e01050a@CyberAdmin> <4447F34C.6030500@yahoo.com.mx> <000d01c6650d$99afe6e0$0e01050a@CyberAdmin>
Message-ID: <60102.193.173.147.3.1145604135.squirrel@webmail.sterenborg.info>

On Fri, April 21, 2006 08:34, robee wrote:
> my rule looks like this:
> iptables -I FORWARD -p tcp -i ! eth0 --dport 80 -m state --state NEW -j LOG --log-prefix HTTP_ --log-level info
>
> and i get something like this in /var/log/kernel:
> Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57962 DF PROTO=TCP SPT=3636 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
>
> but i want only this:
> Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29
>
> any suggestion?

AFAIK that isn't possible.
Why would you want to anyway?

Gr,
Rob

From mlody at elpec.com Fri Apr 21 09:36:06 2006
From: mlody at elpec.com (robee)
Date: Fri Apr 21 09:53:52 2006
Subject: packets loging
References: <002d01c66445$01dd28f0$0e01050a@CyberAdmin> <4447F34C.6030500@yahoo.com.mx> <000d01c6650d$99afe6e0$0e01050a@CyberAdmin> <60102.193.173.147.3.1145604135.squirrel@webmail.sterenborg.info>
Message-ID: <002801c66516$40ff0ae0$0e01050a@CyberAdmin>

----- Original Message -----
From: "Rob Sterenborg"
To:
Sent: Friday, April 21, 2006 9:22 AM
Subject: Re: packets loging

> On Fri, April 21, 2006 08:34, robee wrote:
>> my rule looks like this:
>> iptables -I FORWARD -p tcp -i ! eth0 --dport 80 -m state --state NEW -j LOG --log-prefix HTTP_ --log-level info
>> and i get something like this in /var/log/kernel:
>> Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57962 DF PROTO=TCP SPT=3636 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
>> but i want only this:
>> Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29
>> any suggestion?
> AFAIK that isn't possible.
> Why would you want to anyway?
> Gr,
> Rob

less data to write, less disk load

robee

From rob at sterenborg.info Fri Apr 21 09:57:38 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Fri Apr 21 10:09:13 2006
Subject: packets loging
In-Reply-To: <002801c66516$40ff0ae0$0e01050a@CyberAdmin>
References: <002d01c66445$01dd28f0$0e01050a@CyberAdmin> <4447F34C.6030500@yahoo.com.mx> <000d01c6650d$99afe6e0$0e01050a@CyberAdmin> <60102.193.173.147.3.1145604135.squirrel@webmail.sterenborg.info> <002801c66516$40ff0ae0$0e01050a@CyberAdmin>
Message-ID: <51316.193.173.147.3.1145606258.squirrel@webmail.sterenborg.info>

On Fri, April 21, 2006 09:36, robee wrote:
>>> but i want only this:
>>> Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29
>>> any suggestion?
>> AFAIK that isn't possible.
>> Why would you want to anyway?
>> Gr,
>> Rob
>
> less data to write, less disk load

It must be a really busy box if this is going to hog your disk space|IO.
If you use the limit match ("-m limit --limit 1/sec" or something) your logging will also be less.

Gr,
Rob

From mlody at elpec.com Fri Apr 21 10:52:45 2006
From: mlody at elpec.com (robee)
Date: Fri Apr 21 11:10:28 2006
Subject: packets loging
References: <002d01c66445$01dd28f0$0e01050a@CyberAdmin> <4447F34C.6030500@yahoo.com.mx> <000d01c6650d$99afe6e0$0e01050a@CyberAdmin> <60102.193.173.147.3.1145604135.squirrel@webmail.sterenborg.info> <002801c66516$40ff0ae0$0e01050a@CyberAdmin> <51316.193.173.147.3.1145606258.squirrel@webmail.sterenborg.info>
Message-ID: <004401c66520$f6286880$0e01050a@CyberAdmin>

----- Original Message -----
From: "Rob Sterenborg"
To:
Sent: Friday, April 21, 2006 9:57 AM
Subject: Re: packets loging

> On Fri, April 21, 2006 09:36, robee wrote:
>>>> but i want only this:
>>>> Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29
>>>> any suggestion?
>>> AFAIK that isn't possible.
>>> Why would you want to anyway?
>>> Gr,
>>> Rob
>> less data to write, less disk load
> It must be a really busy box if this is going to hog your disk space|IO.
> If you use the limit match ("-m limit --limit 1/sec" or something) your logging will also be less.
> Gr,
> Rob

disk space is not a problem, but disk usage increased 10 times while logging dstport 80 only. it is a gateway for a large network.

When i use the limit module, is it possible that the logging system misses some significant connection? or does it have an influence on a particular destination host? ex: a log like:

Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 ...
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=82.140.223.12 ...
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=112.212.123.2 ...
Apr 21 04:09:21 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 ...
Apr 21 04:09:22 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 ...
Apr 21 04:09:23 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 ...
Apr 21 04:09:24 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 ...

turns to:

Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 ...
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=82.140.223.12 ...
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=112.212.123.2 ...

robee

From ayqazi at gmail.com Fri Apr 21 11:24:40 2006
From: ayqazi at gmail.com (Asfand Yar Qazi)
Date: Fri Apr 21 11:42:39 2006
Subject: Check my firewall please?
Message-ID: <79328ea80604210224ja7c5bffl1c56a97ae13374c6@mail.gmail.com>

Sorry if you get so many of these posts, but I'd be grateful if you could check my firewall/NAT rules on my box which now acts as an ADSL router:

#!/bin/bash

MYADDR=89.145.208.16

function pppnat()
{
    # Source NAT on ppp0 - change source address of packets sent
    # out to the address on interface ppp0

    # The following iptables command should only be used to change
    # the source IP for dynamically allocated IP addresses, as it
    # forgets existing connections if the link goes down.
    # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE || klear

    iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to ${MYADDR}

    # Port-forward 22 onto big (so ssh works).
    iptables -t nat -A PREROUTING -p tcp --dport 22 -i ppp0 \
        -j DNAT --to 10.0.0.1

    # Port-forward 12003 onto suhaib (so azureus works properly).
    iptables -t nat -A PREROUTING -p tcp --dport 12003 -i ppp0 \
        -j DNAT --to 10.0.0.3
}

function pppfilter()
{
    iptables -N pppfilter || klear

    # Accept connections that do not originate from ppp0
    iptables -A pppfilter -m state --state NEW -i ! ppp0 -j ACCEPT || klear

    # Accept packets from ppp0 for connections that already exist
    iptables -A pppfilter -m state --state ESTABLISHED,RELATED \
        -j ACCEPT || klear

    # Log NEW ssh connect attempts from ppp0
    iptables -A pppfilter -p tcp --dport 22 \
        -m state --state NEW \
        -i ppp0 \
        -j LOG --log-prefix="[ssh] " || klear

    # Accept ssh packets from ppp0
    # TODO: only accept ssh packets from work IP
    iptables -A pppfilter -p tcp --dport 22 -j ACCEPT || klear

    # Log all new connection attempts
    # Not needed really, is it?...
    # iptables -A pppfilter -m state --state NEW \
    #     -m limit --limit 10/minute -i ppp0 \
    #     -j LOG --log-prefix="[block addr] " || klear

    # Reject everything not already accepted
    iptables -A pppfilter -j REJECT || klear

    # Jump to that chain from INPUT and FORWARD chains.
    iptables -A INPUT -j pppfilter || klear
    iptables -A FORWARD -j pppfilter || klear
}

pppnat
pppfilter

From rob at sterenborg.info Fri Apr 21 13:15:46 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Fri Apr 21 13:27:27 2006
Subject: packets loging
In-Reply-To: <004401c66520$f6286880$0e01050a@CyberAdmin>
References: <002d01c66445$01dd28f0$0e01050a@CyberAdmin> <4447F34C.6030500@yahoo.com.mx> <000d01c6650d$99afe6e0$0e01050a@CyberAdmin> <60102.193.173.147.3.1145604135.squirrel@webmail.sterenborg.info> <002801c66516$40ff0ae0$0e01050a@CyberAdmin> <51316.193.173.147.3.1145606258.squirrel@webmail.sterenborg.info> <004401c66520$f6286880$0e01050a@CyberAdmin>
Message-ID: <52345.193.173.147.3.1145618146.squirrel@webmail.sterenborg.info>

On Fri, April 21, 2006 10:52, robee wrote:
> disk space is not a problem, but disk usage increased 10 times while logging
> dstport 80 only. it is a gateway for a large network.

If it's so large, maybe you can set up a log server and do remote logging. (Have you also looked at ULOG?)
To me, logging *all* packets to dport 80 seems to be overkill, but that's up to you.

> When i use the limit module, is it possible that the logging system misses some
> significant connection?

Yes, you *will* miss packets when limiting LOG (as you have a busy network).
I think the most important packet is the first one in a connection, so you can also choose to just log the NEW packets:

$ipt -A INPUT -m state --state NEW -p tcp --dport 80 \
    -j LOG --log-level <...> --log-prefix "<...>"

Gr,
Rob

From laforge at netfilter.org Fri Apr 21 13:15:30 2006
From: laforge at netfilter.org (Harald Welte)
Date: Fri Apr 21 14:20:26 2006
Subject: iptables is complaining with bogus unknown error 18446744073709551615
Message-ID: <20060421111530.GE5286@rama>

Hi Maurice.

Didn't you report this bug already to bugzilla.netfilter.org (and maybe even to the bugme.osdl.org)? Reporting a bug in three distinct places, even though it has been replied to at one place, is not really going to use developer resources efficiently, don't you think?

On Fri, Apr 21, 2006 at 02:21:17AM -0400, Maurice Volaski wrote:
> At least since 2.6.1.16.1, many calls to iptables no longer function at least under 64-bit x86,
> presumably due to a bug in the netfilter kernel code.

It probably was since 2.6.16 then; that was when the x_tables patches were merged, the code most likely to have affected any such incompatibility of the binary interface. It was tested thoroughly, especially on x86_64, which is my main development platform.

However, your problem seems to be something different. I suspect that all rules with '-p tcp' or '-p udp' don't work, whereas others do. You seem to be missing the xt_tcpudp.ko module, which implements that feature in 2.6.17-rcX kernels.

Please refer to https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467

-- 
- Harald Welte                           http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
 architectural error that shows how much experimentation was going
 on while IP was being designed."                    -- Paul Vixie

From tony at games-master.co.uk Fri Apr 21 14:31:35 2006
From: tony at games-master.co.uk (Tony)
Date: Fri Apr 21 14:49:38 2006
Subject: Allow traffic through a server using iptables.
Message-ID: <200604211228.k3LCSXBP006402@main.games-master.co.uk>

I need some advice on allowing traffic to just pass through a server. The traffic is all web traffic from users connected to our network.

What we have is a Cisco 7204 terminating DSL connections, and we force all web traffic to our squid proxy server. The proxy server has the following iptables entries to forward port 80 to the squid port 3128.

/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/sbin/iptables -A PREROUTING -t nat -p tcp -s 192.168.1.0/20 --dport 80 -j DNAT --to :3128

Requests from the Cisco come in on eth0, and we have another IP address on eth1 that Squid listens on. This all works fine and users can browse the web. However, because of a couple of problems with some web sites (some that use NTLM authentication, which squid can't handle, so the site fails, and some gaming sites), some users need to bypass the proxy.

Now I could do this via the Cisco by adding an entry for each IP address that needs to be forwarded to squid and not adding one for those that don't. However, that would be a lot of config to put on the router and would create a lot of load, as each packet would have to be inspected to see if it matches an IP address in the access-list, whereas at the moment it doesn't care what the source IP address is and just forwards all web traffic to the squid server.

The best way to do this is on the squid server using iptables, but my knowledge of iptables is limited and I can't find out how to do this. How do I tell iptables that an IP address should just be passed through the server and not sent to squid? Currently, if I take an IP address out of the ip rule for forwarding to squid, the web requests from that IP address just fail, since the server doesn't run web and doesn't know that it should just be forwarded out onto the Internet.

Thanks
Tony

From mvolaski at aecom.yu.edu Fri Apr 21 16:22:27 2006
From: mvolaski at aecom.yu.edu (Maurice Volaski)
Date: Fri Apr 21 16:40:30 2006
Subject: iptables is complaining with bogus unknown error 18446744073709551615
In-Reply-To: <20060421111530.GE5286@rama>
References: <20060421111530.GE5286@rama>

Thank you for your reply.

>Hi Maurice.
>
>Didn't you report this bug already to bugzilla.netfilter.org (and maybe
>even to the bugme.osdl.org)? Reporting a bug in three distinct places,
>even though it has been replied to at one place, is not really going to
>use developer resources efficiently, don't you think?

Sorry to post it multiple times. Actually, two places: netfilter and then kernel bugzilla. I made the second report after it appeared there would be no feedback to the first one and another kernel revision had been issued with the problem still evident. (The first feedback on the netfilter report crossed in the mail with the kernel report.)

>However, your problem seems to be something different. I suspect that
>all rules with '-p tcp' or '-p udp' don't work, whereas others do. You
>seem to be missing the xt_tcpudp.ko module, which implements that
>feature in 2.6.17-rcX kernels.

Yep, that's it. How could one know that there is such a module called xt_tcpudp.ko, especially since there is no corresponding config option? Wouldn't up-to-date and complete documentation explain how to set up the kernel config and indicate which modules should be loaded?

On the other hand, shouldn't this module be loading automatically?

-- 
Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

From rabbtux at gmail.com Fri Apr 21 21:01:31 2006
From: rabbtux at gmail.com (rabbtux rabbtux)
Date: Fri Apr 21 21:19:32 2006
Subject: one rule to create per IP connlimits?
Message-ID: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com>

All,

Is there any way I could create a rule that would create a tcp connection limit (say 20) for traffic from say 10.10.2.96/27 that would apply to each of the 32 IPs? That is, each address, 10.10.2.96-127, would be limited to 20 connections? Or do I need to make up one iptables rule per address?

It sure would be nice if I could do this with one rule per address block, as I have several hundred addresses to limit!

Thanks in advance - marshall

From kbukhari at gmail.com Fri Apr 21 21:18:48 2006
From: kbukhari at gmail.com (Kashif Ali Bukhari)
Date: Fri Apr 21 21:36:53 2006
Subject: Check my firewall please?
In-Reply-To: <79328ea80604210224ja7c5bffl1c56a97ae13374c6@mail.gmail.com>
References: <79328ea80604210224ja7c5bffl1c56a97ae13374c6@mail.gmail.com>

it's cool (i think)
what's wrong in your point of view?

On 4/21/06, Asfand Yar Qazi wrote:
> Sorry if you get so many of these posts, but I'd be grateful if you
> could check my firewall/NAT rules on my box which now acts as an ADSL
> router:
>
> #!/bin/bash
>
> MYADDR=89.145.208.16
>
> function pppnat()
> {
>     # Source NAT on ppp0 - change source address of packets sent
>     # out to the address on interface ppp0
>
>     # The following iptables command should only be used to change
>     # the source IP for dynamically allocated IP addresses, as it
>     # forgets existing connections if the link goes down.
>     # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE || klear
>
>     iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to ${MYADDR}
>
>     # Port-forward 22 onto big (so ssh works).
>     iptables -t nat -A PREROUTING -p tcp --dport 22 -i ppp0 \
>         -j DNAT --to 10.0.0.1
>
>     # Port-forward 12003 onto suhaib (so azureus works properly).
>     iptables -t nat -A PREROUTING -p tcp --dport 12003 -i ppp0 \
>         -j DNAT --to 10.0.0.3
> }
>
> function pppfilter()
> {
>     iptables -N pppfilter || klear
>
>     # Accept connections that do not originate from ppp0
>     iptables -A pppfilter -m state --state NEW -i ! ppp0 -j ACCEPT || klear
>
>     # Accept packets from ppp0 for connections that already exist
>     iptables -A pppfilter -m state --state ESTABLISHED,RELATED \
>         -j ACCEPT || klear
>
>     # Log NEW ssh connect attempts from ppp0
>     iptables -A pppfilter -p tcp --dport 22 \
>         -m state --state NEW \
>         -i ppp0 \
>         -j LOG --log-prefix="[ssh] " || klear
>
>     # Accept ssh packets from ppp0
>     # TODO: only accept ssh packets from work IP
>     iptables -A pppfilter -p tcp --dport 22 -j ACCEPT || klear
>
>     # Log all new connection attempts
>     # Not needed really, is it?...
>     # iptables -A pppfilter -m state --state NEW \
>     #     -m limit --limit 10/minute -i ppp0 \
>     #     -j LOG --log-prefix="[block addr] " || klear
>
>     # Reject everything not already accepted
>     iptables -A pppfilter -j REJECT || klear
>
>     # Jump to that chain from INPUT and FORWARD chains.
>     iptables -A INPUT -j pppfilter || klear
>     iptables -A FORWARD -j pppfilter || klear
> }
>
> pppnat
> pppfilter
>

-- 
Syed Kashif Ali Bukhari
+92-300-4295604
Network Engineer
Beaconhouse IT Services, Lahore Pakistan

From pommnitz at yahoo.com Thu Apr 20 13:42:14 2006
From: pommnitz at yahoo.com (Joerg Pommnitz)
Date: Fri Apr 21 22:48:12 2006
Subject: DHCP-Daemon bypasses Linux iptables
Message-ID: <20060420114214.85156.qmail@web51410.mail.yahoo.com>

Hello all,
I was seriously puzzled why iptables could not stop dhcp requests from reaching ISC dhcpd. Now I found the reason: instead of listening on a UDP socket, dhcpd installs an LPF similar to tcpdump or ethereal. This bypasses the protection from the firewall. What can I do to regain that protection?

-- 
Regards
Joerg

From nick.warne at gmail.com Fri Apr 21 20:26:31 2006
From: nick.warne at gmail.com (Nick Warne)
Date: Fri Apr 21 22:48:13 2006
Subject: iptables is complaining with bogus unknown error 18446744073709551615
References: <20060421111530.GE5286@rama>
Message-ID: <7c3341450604211126g7e431307q251f9ea49c0ebf91@mail.gmail.com>

I also ask the same - this 'config' problem/option has been posted on the list previously, I believe.

I was about to update my gateway box to 2.6.16.9 this weekend, and I do not build modules on that - so what do I need to do to ensure this xt_tcpudp is built in? Is '> make oldconfig' enough to pull this in?

Nick

On 21/04/06, Maurice Volaski wrote:
> Thank you for your reply.
>
> >Hi Maurice.
> >
> >Didn't you report this bug already to bugzilla.netfilter.org (and maybe
> >even to the bugme.osdl.org)? Reporting a bug in three distinct places,
> >even though it has been replied to at one place, is not really going to
> >use developer resources efficiently, don't you think?
>
> Sorry to post it multiple times. Actually, two places: netfilter and
> then kernel bugzilla. I made the second report after it appeared
> there would be no feedback to the first one and another kernel
> revision had been issued with the problem still evident. (The first
> feedback on the netfilter report crossed in the mail with the kernel
> report.)
>
> >However, your problem seems to be something different. I suspect that
> >all rules with '-p tcp' or '-p udp' don't work, whereas others do. You
> >seem to be missing the xt_tcpudp.ko module, which implements that
> >feature in 2.6.17-rcX kernels.
>
> Yep, that's it. How could one know that there is such a module called
> xt_tcpudp.ko, especially since there is no corresponding config
> option? Wouldn't up-to-date and complete documentation explain how to
> set up the kernel config and indicate which modules should be loaded?
>
> On the other hand, shouldn't this module be loading automatically?
> --
>
> Maurice Volaski, mvolaski@aecom.yu.edu
> Computing Support, Rose F. Kennedy Center
> Albert Einstein College of Medicine of Yeshiva University

From codeslinger at gmail.com Sat Apr 22 00:44:25 2006
From: codeslinger at gmail.com (Toby DiPasquale)
Date: Sat Apr 22 01:02:27 2006
Subject: one rule to create per IP connlimits?
In-Reply-To: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com>
References: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com>
Message-ID: <876ef97a0604211544m5d0731f2o1b9607c975e669ed@mail.gmail.com>

On 4/21/06, rabbtux rabbtux wrote:
> All,
>
> Is there any way I could create a rule that would create a tcp
> connection limit (say 20) for traffic from say 10.10.2.96/27 that
> would apply to each of the 32 IPs? That is, each address,
> 10.10.2.96-127, would be limited to 20 connections? Or do I need to
> make up one iptables rule per address?

One rule per address.

> It sure would be nice if I could do this with one rule per address
> block, as I have several hundred addresses to limit!

Sure would.

-- 
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d

From mlody at elpec.com Sat Apr 22 12:10:35 2006
From: mlody at elpec.com (robee)
Date: Sat Apr 22 12:28:28 2006
Subject: one rule to create per IP connlimits?
References: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com>
Message-ID: <006201c665f5$00205670$0e01050a@CyberAdmin>

----- Original Message -----
From: "rabbtux rabbtux"
To:
Sent: Friday, April 21, 2006 9:01 PM
Subject: one rule to create per IP connlimits?

> All,
> Is there any way I could create a rule that would create a tcp
> connection limit (say 20) for traffic from say 10.10.2.96/27 that
> would apply to each of the 32 IPs? That is, each address,
> 10.10.2.96-127, would be limited to 20 connections? Or do I need to
> make up one iptables rule per address?
> It sure would be nice if I could do this with one rule per address
> block, as I have several hundred addresses to limit!
> Thanks in advance - marshall

maybe this way:

iptables -I FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit --connlimit-above 20 -j REJECT

or

iptables -I FORWARD -p tcp --syn -m iprange --src-range 10.10.2.96-10.10.2.127 -m connlimit --connlimit-above 20 -j REJECT

robee

From codeslinger at gmail.com Sat Apr 22 15:15:01 2006
From: codeslinger at gmail.com (Toby DiPasquale)
Date: Sat Apr 22 15:33:10 2006
Subject: one rule to create per IP connlimits?
In-Reply-To: <006201c665f5$00205670$0e01050a@CyberAdmin>
References: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com> <006201c665f5$00205670$0e01050a@CyberAdmin>
Message-ID: <876ef97a0604220615g530bd141uffe611fec9759a8e@mail.gmail.com>

On 4/22/06, robee wrote:
> maybe this way:
>
> iptables -I FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit --connlimit-above 20 -j REJECT
>
> or
>
> iptables -I FORWARD -p tcp --syn -m iprange --src-range 10.10.2.96-10.10.2.127 -m connlimit --connlimit-above 20 -j REJECT

Those both still allow one IP to use up all the connections, leaving none for the others.

To do this, the connlimit module would have to keep track of individual conntracks, not just aggregate numbers. It doesn't right now, but it could be made to do so.

-- 
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d

From vnulllists at pcnet.com.pl Sat Apr 22 15:47:31 2006
From: vnulllists at pcnet.com.pl (Jakub Wartak)
Date: Sat Apr 22 16:03:50 2006
Subject: packets loging
In-Reply-To: <002d01c66445$01dd28f0$0e01050a@CyberAdmin>
References: <002d01c66445$01dd28f0$0e01050a@CyberAdmin>
Message-ID: <200604221547.31612.vnulllists@pcnet.com.pl>

On Thursday, 20 April 2006 08:38, robee wrote:
> when i use -j LOG target, netfilter writes so much information to syslog.
> what can i use to write only IN and OUT interface, SRC and DST host?

Get a syslog-ng up && running. Create a filter to match only the entries you are interested in (iptables --log-prefix "something-unique" + a filter { } definition in syslog-ng.conf). Try to catch this "prefix" and direct it into a pipe (you can feed some SQL backend with it, or write a small daemon/script that will read this pipe line by line and extract the information that you want to store / are interested in).

And also try NOT to log netfilter messages into the info messages / kernel log and so on (performance reasons). This can be achieved by using "not match(somestring)" in the log {} section.

-- 
Jakub Wartak -vnull
The abstract sexuality of Konstanty's chelicerae.
http://vnull.pcnet.com.pl/

From mlody at elpec.com Sat Apr 22 17:35:24 2006
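For robee's question (keep only the interfaces and the SRC/DST hosts) together with Jakub's suggestion of a pipe fed by syslog-ng and read line by line, here is an added example of that reader script; it is not code from any message in the thread. It assumes the default LOG field layout (IN= ... OUT= ... SRC= ... DST= ... LEN= ...) and that the --log-prefix may be glued to IN= when the prefix has no trailing space, as in HTTP_IN=eth2. The sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Reader for a syslog-ng pipe (or a tail -f of the kernel log) that trims
# netfilter LOG lines down to the prefix/IN=, OUT=, SRC= and DST= fields.
# Assumes the default LOG field order; the sample input below is constructed.

# trim_nf_log: filter stdin to stdout.
# Everything up to and including the field that carries IN= is kept (timestamp,
# host, "kernel:" and the --log-prefix, which is glued to IN= when the prefix has
# no trailing space, e.g. "HTTP_IN=eth2"); after that only OUT=, SRC= and DST=
# survive and the line ends at DST=. Lines without an IN= field (other kernel
# messages) are passed through unchanged so nothing unrelated is lost.
trim_nf_log() {
    awk '
    {
        n = 0; seen_in = 0
        for (i = 1; i <= NF; i++) {
            if (!seen_in) {
                out[++n] = $i
                if ($i ~ /IN=/) seen_in = 1
            } else if ($i ~ /^(OUT|SRC|DST)=/) {
                out[++n] = $i
                if ($i ~ /^DST=/) break
            }
        }
        if (!seen_in) { print; next }
        line = out[1]
        for (i = 2; i <= n; i++) line = line " " out[i]
        print line
    }'
}

# Constructed sample (not captured from a real system): the HTTP_ line from the
# thread, one unrelated kernel message, and an "[ssh] " prefixed line whose
# prefix is a separate field and whose OUT= is empty (a packet for the box itself).
SAMPLE_LOG='Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 DST=213.54.82.29 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57962 DF PROTO=TCP SPT=3636 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 21 04:09:21 master kernel: eth0: link is up
Apr 21 04:09:22 master kernel: [ssh] IN=ppp0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40312 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# trim_sample: run the filter over the constructed sample.
trim_sample() {
    printf '%s\n' "$SAMPLE_LOG" | trim_nf_log
}

trim_sample
```

Run it as `tail -f /var/log/kernel | trim_nf_log >> /var/log/http.log`, or as the program that reads the pipe syslog-ng writes the prefixed entries to. Note what this does and does not save: the kernel still formats the full LOG line and syslog still receives it; only what reaches the disk shrinks, which is the cost robee was measuring.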
From: mlody at elpec.com (robee)
Date: Sat Apr 22 17:53:37 2006
Subject: one rule to create per IP connlimits?
In-Reply-To: <876ef97a0604220615g530bd141uffe611fec9759a8e@mail.gmail.com>
References: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com> <006201c665f5$00205670$0e01050a@CyberAdmin> <876ef97a0604220615g530bd141uffe611fec9759a8e@mail.gmail.com>
Message-ID: <1145720124.2502.2.camel@robee.mars.cyberbajt.pl>

On Sat, 22-04-2006 at 09:15 -0400, Toby DiPasquale wrote:
> On 4/22/06, robee wrote:
> > maybe this way:
> >
> > iptables -I FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit --connlimit-above 20 -j REJECT
> >
> > or
> >
> > iptables -I FORWARD -p tcp --syn -m iprange --src-range 10.10.2.96-10.10.2.127 -m connlimit --connlimit-above 20 -j REJECT
>
> Those both still allow one IP to use up all the connections, leaving
> none for the others.
>
> To do this, the connlimit module would have to keep track of
> individual conntracks, not just aggregate numbers. It doesn't right
> now, but it could be made to do so.
>
> --
> Toby DiPasquale
> 0x636f6465736c696e67657240676d61696c2e636f6d

do you mean it should be an individual rule for each IP separately?

robee

From codeslinger at gmail.com Sat Apr 22 20:48:34 2006
From: codeslinger at gmail.com (Toby DiPasquale)
Date: Sat Apr 22 21:06:44 2006
Subject: one rule to create per IP connlimits?
In-Reply-To: <1145720124.2502.2.camel@robee.mars.cyberbajt.pl>
References: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com> <006201c665f5$00205670$0e01050a@CyberAdmin> <876ef97a0604220615g530bd141uffe611fec9759a8e@mail.gmail.com> <1145720124.2502.2.camel@robee.mars.cyberbajt.pl>
Message-ID: <876ef97a0604221148t6d68337ex3862a3a641d68674@mail.gmail.com>

On 4/22/06, robee wrote:
> do you mean it should be an individual rule for each IP separately?

Yes, that's right. So, instead of this:

iptables -A FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit --connlimit-above 20 -j REJECT

which will not do what you want, you'd instead use something like this:

for i in `seq 97 126`; do
    iptables -A FORWARD \
        -p tcp --syn \
        -s 10.10.2.${i} \
        -m connlimit --connlimit-above 20 \
        -j REJECT
done

-- 
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d

From ayqazi at gmail.com Sun Apr 23 13:51:39 2006
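An added example for the connlimit thread that ends above (it is not code from any of the messages): Toby's per-address loop generalised to any prefix length. The shell below expands a CIDR block into one connlimit rule per usable host address, skipping the network and broadcast addresses the way the `seq 97 126` loop does for a /27, and prints the rules so they can be reviewed before they are installed. The chain name (FORWARD) and the REJECT target are taken from the messages above; the rest is assumed.

```shell
#!/bin/sh
# Expand a CIDR block into one per-host connlimit rule (generalisation of
# the seq loop above). Rules are printed, not applied; apply_connlimit
# pipes them into sh for the case where you have checked them and are root.

# ip2int: dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip: 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# connlimit_rules CIDR LIMIT [CHAIN]
# Prints one rule per usable host address of CIDR. For prefixes shorter than
# /31 the network and broadcast addresses are skipped (for 10.10.2.96/27 that
# gives .97-.126, the same range as the loop above); /31 and /32 use every
# address. The block is normalised first, so 10.10.2.100/27 means the same as
# 10.10.2.96/27.
connlimit_rules() {
    cidr=$1
    limit=$2
    chain=${3:-FORWARD}
    net=${cidr%/*}
    plen=${cidr#*/}
    size=$(( 1 << (32 - plen) ))
    first=$(( $(ip2int "$net") & (4294967295 - (size - 1)) ))
    last=$(( first + size - 1 ))
    if [ "$plen" -lt 31 ]; then
        first=$(( first + 1 ))
        last=$(( last - 1 ))
    fi
    i=$first
    while [ "$i" -le "$last" ]; do
        printf 'iptables -A %s -p tcp --syn -s %s -m connlimit --connlimit-above %s -j REJECT\n' \
            "$chain" "$(int2ip "$i")" "$limit"
        i=$(( i + 1 ))
    done
}

# apply_connlimit CIDR LIMIT [CHAIN]: install the generated rules (needs root
# and the connlimit match); stops at the first rule iptables rejects.
apply_connlimit() {
    connlimit_rules "$@" | sh -e
}

connlimit_rules 10.10.2.96/27 20
```

With several hundred addresses this produces several hundred rules that every SYN in FORWARD walks in order, so put the generated rules in their own chain that only SYNs from the block jump to. Before expanding per host at all, it is worth checking the installed connlimit match for a `--connlimit-mask` option: it groups source addresses by prefix length, and with a /32 mask each source address is counted on its own, which may give the per-IP behaviour in a single rule.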
From: ayqazi at gmail.com (Asfand Yar Qazi)
Date: Sun Apr 23 14:09:52 2006
Subject: Adaptive stealthing/unstealthing of port 113
Message-ID: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>

Hi,

On Steve Gibson's site, I had a few interesting things to read about the ZoneAlarm firewall:

(quote)
Even after many years, the (free) ZoneAlarm personal firewall from Zone Labs is the only personal firewall to "adaptively" stealth port 113. Unlike any other firewall or NAT router (any of which could also do the same) this allows port 113 to be stealthed to any passing Internet scanners or probes, but "unstealthed" for any valid IDENT connection attempts originating from remote servers with which the user's computer is attempting to connect. (Since this could easily be done by any personal firewall or even NAT routers, I am hopeful that this feature might yet appear in other products.)

"Adaptive Stealthing" means that when a TCP SYN packet arrives to request a connection to your machine's port 113, ZoneAlarm checks, on the fly, to see whether your machine currently has any sort of "relationship" with the remote machine (such as a pending outgoing connection attempt). If so, the remote machine is considered to be "friendly" and its IDENT request packet is allowed to pass through ZoneAlarm's firewall. But if the IDENT originating machine is not known to ZoneAlarm as a "friendly" machine, the connection requesting packet is dropped and discarded, rendering port 113 stealth to all unknown port scanners. It's very slick.
(end quote)

I wanna do it on my ADSL firewall! How can I do this? I realise I could just write a custom module in C, but you guys probably know of a way to do it with the existing tools.

Thanks

From johndecot at yahoo.com Sun Apr 23 16:19:29 2006
From: johndecot at yahoo.com (john decot)
Date: Sun Apr 23 16:37:43 2006
Subject: how to filter
Message-ID: <20060423141929.41864.qmail@web37707.mail.mud.yahoo.com>

Hi all,

i wish anyone could help me with filtering syn-flood for the forward packets. i have used iptables with limit:

$IPTABLES -N syn-flood
$IPTABLES -A FORWARD -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

i have faced a problem with surfing when there are lots of subscribers. when i increased the limit rule, then again it gives a problem during a smaller number of subscribers.

Could anyone help me out of this sort of problem?

Any help will be appreciated.

Rgrds,
John

From 1w4y.m4rt4 at gmail.com Sun Apr 23 16:49:12 2006
From: 1w4y.m4rt4 at gmail.com (I Wayan Marta S)
Date: Sun Apr 23 17:07:27 2006
Subject: fin flood
Message-ID: <544b37590604230749l5e64b48aq9bcc02dadf1945e0@mail.gmail.com>

Anyone, how to block a fin flood action?

From lukas at tank.eu.org Sun Apr 23 17:04:34 2006
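For John's SYN-flood rules and Wayan's FIN-flood question above, an added example that is not from either message. The global `limit` in John's rules has one token bucket shared by every subscriber, so a burst from one client throttles all of them, and raising the rate just makes the bucket useless when few are online; the `hashlimit` match keeps a separate bucket per source address, so only the source that floods is slowed. Stray FIN packets are handled by two rules: FIN without ACK never occurs in a legitimate session and is dropped by flag, and FINs that belong to no tracked connection are INVALID to conntrack and dropped as such. The rate and burst are placeholder values to tune; `--hashlimit` is the option spelling of the hashlimit match of that era (newer iptables documents it as `--hashlimit-upto`), and the rules are printed rather than installed.

```shell
#!/bin/sh
# Per-source SYN rate limiting with hashlimit, plus stray-FIN handling.
# Assumptions: chain FORWARD as in the question, placeholder rate/burst,
# rules are printed (apply_synflood installs them; needs root).
IPT=iptables

# synflood_rules [RATE] [BURST]
# Compare with the original:
#   $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
# where the single limit bucket is shared by everyone behind the gateway.
# With --hashlimit-mode srcip the bucket is per source address, so the
# allowance applies to each client on its own.
synflood_rules() {
    rate=${1:-10/s}
    burst=${2:-20}
    cat <<EOF
$IPT -N syn-flood
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -A FORWARD -p tcp --syn -j syn-flood
$IPT -A syn-flood -m hashlimit --hashlimit $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name synflood -j RETURN
$IPT -A syn-flood -m limit --limit 5/min -j LOG --log-prefix "synflood: "
$IPT -A syn-flood -j DROP
EOF
}
# Rule by rule:
#  - INVALID drops packets conntrack cannot attach to any connection; a FIN
#    (or RST) for a connection that was never tracked, the typical "FIN
#    flood" packet, lands here;
#  - --tcp-flags FIN,ACK FIN examines the FIN and ACK bits and matches FIN set
#    with ACK clear, a combination a real TCP peer never sends;
#  - SYNs over the per-source allowance are logged (itself limited so the log
#    cannot become the flood) and dropped; everything else RETURNs to FORWARD.

# apply_synflood [RATE] [BURST]: install the rules.
apply_synflood() {
    synflood_rules "$@" | sh -e
}

synflood_rules
```

The defaults of 10 SYNs per second with a burst of 20 per client are only a starting point: a browser opening a page fetches from many hosts at once, so the per-client burst must be high enough for that, while the rate keeps one client from holding the bucket empty for the rest.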
From: lukas at tank.eu.org (lukas@tank.eu.org)
Date: Sun Apr 23 17:23:41 2006
Subject: Not NATed packets
Message-ID:

Hi there

I have a strange problem with NAT. I have kernel 2.6.14.7-5 and iptables-1.3.3-6@2.6.14.7_5 and I use nat to share my home network on one public ip. The NAT configuration is simple, but some packets are not NATed - on my public interface packets with the source address of my internal (NATed) network appear and I have no clue what is wrong.

I tried:
- to use SNAT instead of MASQUERADE
- different network cards
- different PC
- different kernel
- many different iptables configurations

Does anyone have an idea what can be wrong?

tcpdump -i eth0 -n -vvv |grep 10.10.10
16:30:39.015880 IP (tos 0x0, ttl 127, id 28594, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F, cksum 0x1623 (correct), 3885889894:3885889894(0) ack 3151418643 win 65535
16:32:14.987691 IP (tos 0x0, ttl 127, id 55701, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F, cksum 0x1623 (correct), 0:0(0) ack 1 win 65535
16:34:14.996658 IP (tos 0x0, ttl 127, id 6582, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F, cksum 0x1623 (correct), 0:0(0) ack 1 win 65535
16:36:50.209347 IP (tos 0x0, ttl 127, id 29938, offset 0, flags [DF], proto: TCP (6), length: 612) 10.10.10.104.3779 > 62.195.80.212.6881: FP 4211640358:4211640930(572) ack 4076174940 win 65467
16:41:02.531491 IP (tos 0x0, ttl 127, id 12374, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.106.1224 > 217.96.89.139.80: R, cksum 0x7e36 (correct), 1532046053:1532046053(0) ack 3047309971 win 0
17:03:00.361901 IP (tos 0x0, ttl 127, id 28252, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.106.1044 > 64.152.73.140.80: R, cksum 0x6dba (correct), 2101015522:2101015522(0) ack 3552965504 win 0
17:08:21.299312 IP (tos 0x0, ttl 127, id 23907, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.4201 > 62.43.9.255.8601: F, cksum 0x13b8 (correct), 3283228993:3283228993(0) ack 1610246617 win 65535
17:23:05.771272 IP (tos 0x0, ttl 127, id 54404, offset 0, flags [DF], proto: TCP (6), length: 612) 10.10.10.104.4388 > 80.224.86.144.11510: FP 2712689086:2712689658(572) ack 3966653462 win 65467
17:41:30.080404 IP (tos 0x0, ttl 127, id 35623, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.4593 > 83.20.178.58.6881: F, cksum 0x8e61 (correct), 545571229:545571229(0) ack 4264072226 win 65467
17:43:30.086802 IP (tos 0x0, ttl 127, id 40899, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.4593 > 83.20.178.58.6881: F, cksum 0x8e61 (correct), 0:0(0) ack 1 win 65467
17:57:20.784291 IP (tos 0x0, ttl 127, id 12161, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.4836 > 81.232.66.10.27015: F, cksum 0x0f8a (correct), 1396937025:1396937025(0) ack 1135013016 win 65535
18:31:54.537480 IP (tos 0x0, ttl 127, id 39418, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.1324 > 81.232.66.10.27015: F, cksum 0xd48a (correct), 1916158042:1916158042(0) ack 1661945819 win 65535
18:51:11.680846 IP (tos 0x0, ttl 127, id 4651, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.112.1035 > 208.174.60.61.80: R, cksum 0xec56 (correct), 877644103:877644103(0) win 0
18:51:11.680908 IP (tos 0x0, ttl 127, id 4652, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.112.1036 > 208.175.188.61.80: R, cksum 0xef09 (correct), 885278103:885278103(0) win 0
18:53:16.394703 IP (tos 0x0, ttl 127, id 33468, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.1566 > 80.224.86.144.11510: F, cksum 0x99b3 (correct), 3140707125:3140707125(0) ack 2527136685 win 65467
19:32:18.666316 IP (tos 0x0, ttl 127, id 13515, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.2041 > 84.77.24.199.4663: F, cksum 0xf208 (correct), 248022218:248022218(0) ack 2303565438 win 65535
19:33:33.908501 IP (tos 0x0, ttl 127, id 17092, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.2041 > 84.77.24.199.4663: F, cksum 0xf208 (correct), 0:0(0) ack 1 win 65535
03:54:45.613606 IP (tos 0x0, ttl 63, id 23506, offset 0, flags [DF], proto: TCP (6), length: 52) 10.10.10.2.2770 > 217.149.246.5.21: R, cksum 0xe969 (correct), 3284961714:3284961714(0) ack 4025764409 win 1989
03:54:45.614335 IP (tos 0x0, ttl 63, id 27118, offset 0, flags [DF], proto: TCP (6), length: 52) 10.10.10.2.2208 > 217.153.11.26.2121: R, cksum 0x1c13 (correct), 2275106033:2275106033(0) ack 1233749439 win 1728
10:57:22.429824 IP (tos 0x0, ttl 127, id 2151, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.110.1180 > 212.191.130.194.80: R, cksum 0x1aad (correct), 4150758452:4150758452(0) ack 3914748052 win 0
11:08:30.449915 IP (tos 0x0, ttl 127, id 3167, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.110.1223 > 213.251.163.98.80: R, cksum 0xf015 (correct), 3114778154:3114778154(0) ack 666642057 win 0
11:08:30.450689 IP (tos 0x0, ttl 127, id 3168, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.110.1257 > 213.251.163.213.80: R, cksum 0x2dd7 (correct), 769668751:769668751(0) ack 3053022552 win 0
11:08:30.469383 IP (tos 0x0, ttl 127, id 3169, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.110.1222 > 213.251.163.213.80: R, cksum 0x0c96 (correct), 1485272056:1485272056(0) ack 3014076670 win 0
11:08:30.470110 IP (tos 0x0, ttl 127, id 3170, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.110.1224 > 213.251.163.213.80: R, cksum 0x3d03 (correct), 2078528536:2078528536(0) ack 3018683596 win 0
11:08:30.470767 IP (tos 0x0, ttl 127, id 3171, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.110.1226 > 213.251.163.213.80: R, cksum 0x6073 (correct), 4121342605:4121342605(0) ack 3017472308 win 0
11:08:30.471835 IP (tos 0x0, ttl 127, id 3172, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.110.1220 > 213.251.134.64.80: R, cksum 0x2fcf (correct), 2946854746:2946854746(0) ack 1919357468 win 0
11:08:30.472480 IP (tos 0x0, ttl 127, id 3173, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.110.1225 > 213.251.134.64.80: R, cksum 0xed5c (correct), 1448158471:1448158471(0) ack 1917843528 win 0

Network conf:

ip r
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.1
200.200.200.0/24 dev eth0 proto kernel scope link src 200.200.200.200
default via 200.200.200.10 dev eth0 onlink

My iptables configuration is:

iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A INPUT -p udp -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A INPUT -p icmp -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
modprobe ipt_state
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j DROP
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p udp --dport 21 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -i eth1 -s 10.10.10.2 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p udp --dport 25 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p icmp -i eth0 -d 200.200.200.200 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -i eth1 -d 10.10.10.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -i eth1 -d 10.10.10.1 -j ACCEPT
iptables -A INPUT -p udp --dport 25 -i eth1 -d 10.10.10.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -i eth1 -d 10.10.10.1 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i eth1 -d 10.10.10.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -i eth1 -d 10.10.10.1 -j ACCEPT
iptables -A INPUT -p udp --dport 110 -i eth1 -d 10.10.10.1 -j ACCEPT
iptables -A INPUT -p icmp -i eth1 -d 10.10.10.1 -j ACCEPT
iptables -A FORWARD -s 10.10.10.2 -j ACCEPT
iptables -A FORWARD -s 10.10.10.103 -j ACCEPT
iptables -A FORWARD -s 10.10.10.104 -m mac --mac-source 00:04:00:b3:3d:b2 -j ACCEPT
iptables -A FORWARD -s 10.10.10.105 -m mac --mac-source 00:40:00:8e:2c:8c -j ACCEPT
iptables -A FORWARD -s 10.10.10.106 -m mac --mac-source 00:0a:00:04:c2:bc -j ACCEPT
iptables -A FORWARD -s 10.10.10.107 -m mac --mac-source 00:4f:00:13:70:7a -j ACCEPT
iptables -A FORWARD -s 10.10.10.108 -m mac --mac-source 00:40:00:6d:ea:34 -j ACCEPT
iptables -A FORWARD -s 10.10.10.109 -m mac --mac-source 00:40:00:cf:16:9c -j ACCEPT
iptables -A FORWARD -s 10.10.10.110 -m mac --mac-source 00:4F:00:60:72:4E -j ACCEPT
iptables -A FORWARD -s 10.10.10.111 -j ACCEPT
iptables -A FORWARD -s 10.10.10.112 -m mac --mac-source 00:10:00:A2:98:1F -j ACCEPT
iptables -A FORWARD -d 10.10.10.2 -j ACCEPT
iptables -A FORWARD -d 10.10.10.103 -j ACCEPT
iptables -A FORWARD -d 10.10.10.104 -j ACCEPT
iptables -A FORWARD -d 10.10.10.105 -j ACCEPT
iptables -A FORWARD -d 10.10.10.106 -j ACCEPT
iptables -A FORWARD -d 10.10.10.107 -j ACCEPT
iptables -A FORWARD -d 10.10.10.108 -j ACCEPT
iptables -A FORWARD -d 10.10.10.109 -j ACCEPT
iptables -A FORWARD -d 10.10.10.110 -j ACCEPT
iptables -A FORWARD -d 10.10.10.111 -j ACCEPT
iptables -A FORWARD -d 10.10.10.112 -j ACCEPT

Please Help
Lukas

From cbrenton at chrisbrenton.org Sun Apr 23 17:19:44 2006
From: cbrenton at chrisbrenton.org (Chris Brenton)
Date: Sun Apr 23 17:48:31 2006
Subject: Adaptive stealthing/unstealthing of port 113
In-Reply-To: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>
References: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>
Message-ID: <1145805584.7476.355.camel@siren.chrisbrenton.org>

On Sun, 2006-04-23 at 11:51 +0000, Asfand Yar Qazi wrote:
>
> "Adaptive Stealthing" means that when a TCP SYN packet arrives to
> request a connection to your machine's port 113, ZoneAlarm checks, on
> the fly, to see whether your machine currently has any sort of
> "relationship" with the remote machine
>
> I wanna do it on my ADSL firewall!

IMHO IDENT is pretty much a dead protocol. Kind of dumb to trust the connecting system to give you an honest answer about the owner of an application. I rarely see TCP/113 anymore, but in the rare cases where I do, rejecting with a TCP reset keeps the original connection from getting stalled.

I know this does not really answer your question, just trying to save you some work in an effort that's not really needed.

HTH,
Chris

From gregoriandres at yahoo.com.ar Sun Apr 23 19:42:28 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Sun Apr 23 20:00:36 2006
Subject: ip_conntrack_sip
Message-ID:

Hi

Has somebody tried IP_CONNTRACK_SIP? What I want is to MARK or CONNMARK voip (SIP and RTF) traffic in order to put it in a highest class in my HTB tree.

best regards
Andres

From netfilter at rlworkman.net Sun Apr 23 20:11:26 2006
From: netfilter at rlworkman.net (Robby Workman)
Date: Sun Apr 23 20:29:47 2006
Subject: Adaptive stealthing/unstealthing of port 113
In-Reply-To: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>
References: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>
Message-ID: <444BC34E.3040407@rlworkman.net>

Asfand Yar Qazi wrote:
>
> I wanna do [Adaptive Stealthing] on my ADSL firewall!
>
> How can I do this? I realise I could just write a custom module in C,
> but you guys probably know of a way to do it with the existing tools.

Well, I'm far from an expert on this, and I'm aware of at least one other individual who's been (casually) working on doing something along those lines, but here's what I've worked up:

It's (relatively) trivial to do this on a box that's directly connected to the internet with something like this:

> # Put an entry in /proc/net/ipt_recent/IDENT with the destination address of
> # outgoing SYN packets to SMTP (25 & 587) and IRC (6660:6670 & 7000)
> # Adjust port numbers as needed
> iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 -m multiport --dports 25,587,6660:6670,7000 \
>   --syn -m state --state NEW -m recent --set --rdest --name IDENT -j ACCEPT
>
> # Check incoming traffic on port 113 to see if the source address matches the
> # one recorded on outgoing requests, and that it arrives within ten seconds
> # If so, accept it; otherwise, hit next rule and progress toward chain POLICY
> iptables -A INPUT -i eth0 -p tcp --dport 113 -m state --state NEW --syn -m recent \
>   --rcheck --rsource --seconds 10 --name IDENT -j ACCEPT

That would essentially open port 113 for ten seconds, but only for the address to which a packet was sent that might require it to be opened.

To do this on a firewall/gateway, I'm just about convinced that there's not a (good) way to do it without coding a (or adding to an existing) helper module. I know someone on this list has done some preliminary work on one, but I don't know if he wants it made public, so I'll let him decide whether to make himself known.

Anyway, to do this without a helper module, you could use a combination of the above rules and midentd (or some other identd daemon that behaves similarly).

With all that said, I do wonder this: why are you so insistent upon having the illusion of stealth?

RW
--
http://rlworkman.net

From 526715 at celes.unizar.es Sun Apr 23 20:24:35 2006
From: 526715 at celes.unizar.es (Jorge Salamero Sanz)
Date: Sun Apr 23 20:43:22 2006
Subject: howto monitor marked packets
Message-ID: <200604232024.36068.526715@celes.unizar.es>

Hi all,

I'm debugging some policy routing stuff based on marks made with iptables. How can I monitor which packets are marked? Maybe I could add some -j LOG, but is there any app where I could see them in real time?

Thank you in advance.

From petr.pisar at atlas.cz Sun Apr 23 22:35:13 2006
From: petr.pisar at atlas.cz (Petr Pisar)
Date: Sun Apr 23 22:58:33 2006
Subject: Not NATed packets
In-Reply-To:
References:
Message-ID:

lukas@tank.eu.org wrote:
> I have strange problem with NAT.
Me too.

> I have kernel 2.6.14.7-5 and iptables-1.3.3-6@2.6.14.7_5 and I use nat
Tested with 2.6.11 and 2.6.16.4.

> NAT configuration is simple but some packets are not NATed - on my
> public interface packets with source address of my internal (NATed)
> network appears and i have no clue what is wrong.
I have very simple rules too. nat/PREROUTING is empty and nat/POSTROUTING contains only one rule with MASQUERADE target on the interface with the public IP (policies are ACCEPT). I don't use the ROUTE target anywhere.

> 16:30:39.015880 IP (tos 0x0, ttl 127, id 28594, offset 0, flags [DF],
> proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F,
> cksum 0x1623 (correct), 3885889894:3885889894(0) ack 3151418643 win 65535
Exactly. I can see only FIN packets which are not translated. After looking into the conntrack table, I think MASQ ignores FIN packets that are missing in the conntrack table (Is it INVALID or NEW state?).

Counters show very strange behaviour too. These strange packets are not loggable after the MASQ rule. It seems like a bug.

--
Petr

From c-d.hailfinger.devel.2006 at gmx.net Mon Apr 24 02:54:18 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Mon Apr 24 03:13:17 2006
Subject: Adaptive stealthing/unstealthing of port 113
In-Reply-To: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>
References: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>
Message-ID: <444C21BA.90800@gmx.net>

Hi,

Asfand Yar Qazi schrieb:
>
> "Adaptive Stealthing" means that when a TCP SYN packet arrives to
> request a connection to your machine's port 113, ZoneAlarm checks, on
> the fly, to see whether your machine currently has any sort of
> "relationship" with the remote machine (such as a pending outgoing
> connection attempt).
>
> I wanna do it on my ADSL firewall!

Why? Just don't drop connects to port 113 but reject them with RST instead. "Adaptive stealthing" is just crap. If your machine is active on the net, it can be detected (there are exceptions, but they do NOT apply to ADSL connections and for sophisticated attackers these exceptions almost always don't apply). If your machine is switched off, you do not care. So "adaptive stealthing" gives you two chances in bullshit bingo, but not anything useful.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From c-d.hailfinger.devel.2006 at gmx.net Mon Apr 24 03:41:16 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Mon Apr 24 04:00:10 2006
Subject: one rule to create per IP connlimits?
In-Reply-To: <876ef97a0604220615g530bd141uffe611fec9759a8e@mail.gmail.com>
References: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com> <006201c665f5$00205670$0e01050a@CyberAdmin> <876ef97a0604220615g530bd141uffe611fec9759a8e@mail.gmail.com>
Message-ID: <444C2CBC.7010804@gmx.net>

Hi,

Toby DiPasquale schrieb:
> To do this, the connlimit module would have to keep track of
> individual conntracks, not just aggregate numbers. It doesn't right
> now, but it could be made to do so.

Do you have any plans to change that? If not, do you know if anybody is maintaining connlimit right now? I'd like a combination of hashlimit and connlimit which also works for UDP so I can limit the number of simultaneous connections per IP to avoid overflowing the conntrack table of upstream firewalls.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From isp at cgscomm.net Mon Apr 24 06:36:36 2006
From: isp at cgscomm.net (isp@cgscomm.net)
Date: Mon Apr 24 06:55:11 2006
Subject: about detecting different TTL value
Message-ID: <1161.202.22.193.97.1145853396.squirrel@202.22.193.97>

Hello,

I am new here. I am working in an ISP. I would like to know how I can prevent a user from using multiple computers with a single internet connection? I have searched on the web and found nothing.

I think it is only possible by detecting different TTL values that come from the same IP address. And I didn't get anything from the web. I would like to know whether it is possible to do with IPTABLES?

Please someone help me on this matter.

Thanks.

Hasan Syed Jowhor.

From rcs at malibyte.net Mon Apr 24 07:15:57 2006
From: rcs at malibyte.net (Bob Sully)
Date: Mon Apr 24 07:34:35 2006
Subject: about detecting different TTL value
In-Reply-To: <1161.202.22.193.97.1145853396.squirrel@202.22.193.97>
References: <1161.202.22.193.97.1145853396.squirrel@202.22.193.97>
Message-ID: <32804.192.168.1.3.1145855757.squirrel@www.malibyte.net>

This isn't an answer to your question...it's another question. Sorry if it's off-topic.

WHY would you want to do this??? If I had a choice between your ISP and another, I certainly would NOT choose yours, given the fact that you are trying to limit use in this way. Someone should enlighten your employer.

Just my $0.02 USD worth (= 1.4 Taka)

Bob

isp@cgscomm.net wrote:
> Hello,
>
> I am new here. I am working in an ISP. I like to know that how can I
> prevent user to use multiple computer with single internet connection? I
> have searched on the web and found nothing.
>
> I think it is only possible by detecting different TTL value that comes
> from same IP address. And I didn't get any thing from the web. I like to
> know that is it possible to do with IPTABLES?
>
> Please someone help me on this matter.
>
> Thanks.
>
> Hasand Syed Jowhor.

--
________________________________________
Bob Sully - Simi Valley, California, USA
http://www.malibyte.net
http://www.malibyte.com

From curby.public at gmail.com Mon Apr 24 11:44:46 2006
From: curby.public at gmail.com (Curby)
Date: Mon Apr 24 12:03:04 2006
Subject: about detecting different TTL value
In-Reply-To: <1161.202.22.193.97.1145853396.squirrel@202.22.193.97>
References: <1161.202.22.193.97.1145853396.squirrel@202.22.193.97>
Message-ID: <5d2f37910604240244r3aa5980ere262fa2e766a42c8@mail.gmail.com>

On 4/23/06, isp@cgscomm.net wrote:
> Hello,
>
> I am new here. I am working in an ISP. I like to know that how can I
> prevent user to use multiple computer with single internet connection? I
> have searched on the web and found nothing.
>
> I think it is only possible by detecting different TTL value that comes
> from same IP address. And I didn't get any thing from the web. I like to
> know that is it possible to do with IPTABLES?

It is possible but a flawed solution for several reasons:

1) You can use an iptables patch to mangle/reset the TTL of all outgoing packets (even those of NATed machines), rendering such a check useless.

2) Your subscribers could spoof packets with varying TTL values to get other subscribers in trouble.

3) There are cases where a single computer would send outgoing packets with varying TTL values: traceroutes, sensitive/custom protocols, etc.

Regarding the "problem" itself, remember that increasingly, more and more households will have wireless laptops in addition to desktop computers, separate computers for children, networked gaming consoles, etc. IMHO it would be preferable to adjust your pricing so you are profitable instead of cutting off an ever-growing demographic of multi-machine households.

--Curby

From lukas at tank.eu.org Mon Apr 24 11:55:34 2006
From: lukas at tank.eu.org (lukas@tank.eu.org)
Date: Mon Apr 24 12:15:01 2006
Subject: Not NATed packets
In-Reply-To:
References:
Message-ID:

> lukas@tank.eu.org wrote:
>> I have strange problem with NAT.
> Me too.
>
>> I have kernel 2.6.14.7-5 and iptables-1.3.3-6@2.6.14.7_5 and I use nat
> Tested with 2.6.11 and 2.6.16.4.
>
>> NAT configuration is simple but some packets are not NATed - on my
>> public interface packets with source address of my internal (NATed)
>> network appears and i have no clue what is wrong.
> I have very simple rules too. nat/PREROUTING is empty and
> nat/POSTROUTING contains only one rule with MASQUERADE target on
> interface with public IP (Policies are ACCEPT). I don't use ROUTE target
> anywhere.
>
>> 16:30:39.015880 IP (tos 0x0, ttl 127, id 28594, offset 0, flags [DF],
>> proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F,
>> cksum 0x1623 (correct), 3885889894:3885889894(0) ack 3151418643 win 65535
> Exactly. I can see only FIN packets which are not translated. After
> looking into conntrack table, I think MASQ ignores FIN packets that are
> missing in conntrack table (Is it INVALID or NEW state?).
>
> Very strange behaviour have counters too. These strange packets are not
> loggable after MASQ rule. It seems like a bug.

I tested it also on kernel 2.4.32-6 and it's bad too.

From alessandro.suardi at gmail.com Sat Apr 22 02:05:12 2006
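The symptom in this thread (private source addresses on the public interface, all of them FIN or RST) can be checked mechanically from a capture. The script below is an added example, not code from the thread: it parses `tcpdump -vvv` summary lines, picks out packets whose source is still inside the internal network, and summarises their TCP flags. The sample lines are taken from the capture quoted above plus one constructed, correctly masqueraded packet; the parser's field layout is an assumption matched to that tcpdump output format.

```python
"""Find packets on the outside interface that still carry an internal (RFC 1918)
source address, i.e. packets that left the NAT box untranslated, and summarise
their TCP flags. Added example, not code from the mailing-list thread. SAMPLE
holds lines from the capture posted in the thread plus one constructed line
with a properly masqueraded source (200.200.200.200, the public IP in the thread)."""
import ipaddress
import re
from collections import Counter

# One `tcpdump -n -vvv` TCP summary line (assumed layout), e.g.
# 16:30:39.015880 IP (tos 0x0, ttl 127, ..., length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F, cksum ...
# The flags field is followed by "," in most lines and by " " in the "FP ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+).*?\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[A-Z.]+)[, ]"
)


def parse(line):
    """Return a dict with ts, ttl, src, sport, dst, dport, flags, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("ttl", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt


def untranslated(lines, internal_net):
    """Packets captured on the outside interface whose source address is still
    inside internal_net: these bypassed the MASQUERADE rule."""
    net = ipaddress.ip_network(internal_net)
    return [p for p in map(parse, lines) if p and ipaddress.ip_address(p["src"]) in net]


def flag_summary(packets):
    """Count leaked packets by TCP flags. No 'S' among them means the leaks are
    all tail-of-connection packets (FIN/RST) that no longer have a conntrack
    entry, which is exactly what the thread observes."""
    return Counter(p["flags"] for p in packets)


def masquerade_failed_on_syn(packets):
    """True only if a connection-opening packet itself escaped translation."""
    return any("S" in p["flags"] for p in packets)


SAMPLE = """\
16:30:39.015880 IP (tos 0x0, ttl 127, id 28594, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F, cksum 0x1623 (correct), 3885889894:3885889894(0) ack 3151418643 win 65535
16:41:02.531491 IP (tos 0x0, ttl 127, id 12374, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.106.1224 > 217.96.89.139.80: R, cksum 0x7e36 (correct), 1532046053:1532046053(0) ack 3047309971 win 0
17:23:05.771272 IP (tos 0x0, ttl 127, id 54404, offset 0, flags [DF], proto: TCP (6), length: 612) 10.10.10.104.4388 > 80.224.86.144.11510: FP 2712689086:2712689658(572) ack 3966653462 win 65467
16:30:40.000000 IP (tos 0x0, ttl 126, id 1, offset 0, flags [DF], proto: TCP (6), length: 60) 200.200.200.200.1025 > 83.29.48.50.6881: S, cksum 0x1a2b (correct), 1:1(0) win 65535
""".splitlines()   # last line is constructed: a normally masqueraded SYN

if __name__ == "__main__":
    leaked = untranslated(SAMPLE, "10.10.10.0/24")
    print(f"{len(leaked)} of {len(SAMPLE)} packets left untranslated")
    print("by flags:", dict(flag_summary(leaked)))
    print("any SYN escaped NAT:", masquerade_failed_on_syn(leaked))
```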
From: alessandro.suardi at gmail.com (Alessandro Suardi)
Date: Mon Apr 24 14:23:04 2006
Subject: iptables is complaining with bogus unknown error 18446744073709551615
In-Reply-To: <7c3341450604211126g7e431307q251f9ea49c0ebf91@mail.gmail.com>
References: <20060421111530.GE5286@rama> <7c3341450604211126g7e431307q251f9ea49c0ebf91@mail.gmail.com>
Message-ID: <5a4c581d0604211705k6fa253at658fe8c321f1bc13@mail.gmail.com>

On 4/21/06, Nick Warne wrote:
> I also ask the same - this 'config' problem/option has been posted on
> the list previously, I believe.
>
> I was about to update my gateway box to 2.6.16.9 this weekend, and I
> do not build modules on that - so what do I need to do to ensure this
> xt_tcpudp is built in?
>
> Is '> make oldconfig' enough to pull this in?
>
> Nick

Hmm, let's see:

[asuardi@donkey src]$ grep tcpudp linux-2.6.17-rc1-git4/net/netfilter/Makefile
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o

OK, I recall configuring this a while ago when still using FC3, as I was bitten too by iptables complaining with the bogus error code which I eventually tracked back to the XTABLES stuff (no - make oldconfig didn't do it for me and I had to go through the config options by hand enabling what I thought was useful). That was since...

[asuardi@donkey src]$ grep -i XTABLES /fc3/usr/src/.config-2.6.1[0-7]*
/fc3/usr/src/.config-2.6.15-git10:CONFIG_NETFILTER_XTABLES=m
/fc3/usr/src/.config-2.6.15-git11:CONFIG_NETFILTER_XTABLES=m
/fc3/usr/src/.config-2.6.16-rc1-git4:CONFIG_NETFILTER_XTABLES=m
/fc3/usr/src/.config-2.6.16-rc2-git7:CONFIG_NETFILTER_XTABLES=m

And without any special tricks, my bittorrent box (which also has peerguardian running) loads xt_tcpudp automatically, as it should be...

[asuardi@donkey src]$ lsmod
Module                  Size  Used by
xt_tcpudp               3200  0
iptable_filter          3072  1
ip_tables              13960  1 iptable_filter
x_tables               14468  2 xt_tcpudp,ip_tables
sd_mod                 18000  2
usb_storage            35588  1
scsi_mod              101064  2 sd_mod,usb_storage
floppy                 58052  0
ehci_hcd               30984  0
uhci_hcd               22792  0
psmouse                38280  0
parport_pc             28644  0
parport                26496  1 parport_pc
8139too                25920  0
8139cp                 21824  0

> On 21/04/06, Maurice Volaski wrote:
> > Thank you for your reply.
> >
> > >Hi Maurice.
> > >
> > >Didn't you report this bug already to bugzilla.netfilter.org (and maybe
> > >eben to the bugme.osdl.org)? Reporting a bug in three distinct places,
> > >even though it has been replied to at one place is not really going to
> > >use developer resources efficiently, don't you think?
> >
> > Sorry, to post it multiple times. Actually, two places netfilter and
> > then kernel bugzilla. I made the second report after it appeared
> > there'd would be no feedback to the first one and another kernel
> > revision had been issued with the problem still evident. (The first
> > feedback on the netfilter report crossed in the mail with the kernel
> > report.)
> >
> > >However, your problem seems to be something different. I suspect that
> > >all rules with '-p tcp' or '-p udp' don't work, whereas others do. You
> > >seem to be missing the xt_tcpudp.ko module, which implements that
> > >feature in 2.6.17-rcX kernels.
> >
> > Yep, that's it. How could one know that there is such a module called
> > xt_tcpudp.ko, especially since there is no corresponding config
> > option? Wouldn't up-to-date and complete documentation explain how to
> > set up the kernel config and indicate which modules should be loaded?
> >
> > On the other hand, shouldn't this module be loading automatically?

--alessandro

"Dreamer ? Each one of us is a dreamer. We just push it down deep because we are repeatedly told that we are not allowed to dream in real life" (Reinhold Ziegler)

From m at rtij.nl Sun Apr 23 14:13:26 2006
From: m at rtij.nl (Martijn Lievaart)
Date: Mon Apr 24 14:23:06 2006
Subject: Adaptive stealthing/unstealthing of port 113
In-Reply-To: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>
References: <79328ea80604230451w61a266f3w59da83ef8dce2540@mail.gmail.com>
Message-ID: <444B6F66.1020404@rtij.nl>

Asfand Yar Qazi wrote:
> Hi,
>
> On Steve Gibson's site, I had a few interesting things to read about
> the ZoneAlarm firewall:
>
> (quote)
> Even after many years, the (free) ZoneAlarm personal firewall from
> Zone Labs is the only personal firewall to "adaptively" stealth port
> 113. Unlike any other firewall or NAT router (any of which could also
> do the same) this allows port 113 to be stealthed to any passing
> Internet scanners or probes, but "unstealthed" for any valid IDENT
> connection attempts originating from remote servers with which the
> user's computer is attempting to connect. (Since this could easily be
> done by any personal firewall or even NAT routers, I am hopeful that
> this feature might yet appear in other products.)
>
> "Adaptive Stealthing" means that when a TCP SYN packet arrives to
> request a connection to your machine's port 113, ZoneAlarm checks, on
> the fly, to see whether your machine currently has any sort of
> "relationship" with the remote machine (such as a pending outgoing
> connection attempt). If so, the remote machine is considered to be
> "friendly" and its IDENT request packet is allowed to pass through
> ZoneAlarm's firewall. But if the IDENT originating machine is not
> known to ZoneAlarm as a "friendly" machine, the connection requesting
> packet is dropped and discarded, rendering port 113 stealth to all
> unknown port scanners. It's very slick.
> (end quote)
>
> I wanna do it on my ADSL firewall!
>
> How can I do this? I realise I could just write a custom module in C,
> but you guys probably know of a way to do it with the existing tools.

I use the recent module for this.
-A FORWARD -i ppp0 -p tcp -m tcp --dport 113 -j AUTHHACK
-A FORWARD -o ppp0 -p tcp -m tcp ! --dport 113 -j TCPOUT
-A AUTHHACK -j ULOG --ulog-prefix "Checking auth/recent : "
-A AUTHHACK -m recent --rcheck --seconds 100 --name tcpout --rsource -j RJAUTH
-A RJ -p tcp -j REJECT --reject-with tcp-reset
-A RJ -j REJECT --reject-with icmp-port-unreachable
-A RJAUTH -j ULOG --ulog-prefix "Reject auth: "
-A RJAUTH -j RJ
-A TCPOUT -j ULOG --ulog-prefix "Add to tcpout: "
-A TCPOUT -m recent --set --name tcpout --rdest

Note that many (ftp) servers with multiple ip addresses (common on webservers that offer ftp for uploading content) send the ident request from a different ip than the one the ftp session is going out to, so it does not work as often as you would like.

(Also note that the RJ chain above is generic; we know in this case it is tcp so we could have rejected directly with a tcp-reset).

M4

From m at rtij.nl Sun Apr 23 14:17:32 2006
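Both recent-based rule sets in this thread (Robby's, which records only SMTP and IRC destinations for ten seconds, and Martijn's, which records every outbound TCP destination for 100 seconds and rejects with a reset) reduce to the same two operations on a named address list: `--set --rdest` on the way out and `--rcheck --rsource --seconds N` on the inbound port-113 SYN. The following is an added model of that logic, not code from either poster; it replays a constructed sequence of SYNs (documentation addresses 198.51.100.x and 203.0.113.x) and reproduces the caveat about an ident request arriving from a different address than the one contacted.

```python
"""Model of the `recent`-based adaptive ident rules from the thread:
an outbound SYN adds its destination to a named list (--set --rdest), and an
inbound SYN to port 113 is accepted only if its source was added within the
last N seconds (--rcheck --rsource --seconds N). Added example, not code
from the thread; packets and addresses below are constructed."""
from collections import namedtuple

# direction is "out" (our side -> internet) or "in"; only TCP SYNs are modelled
Syn = namedtuple("Syn", "t direction src dst dport")


class RecentList:
    """One named list as kept in /proc/net/ipt_recent/<name>: address -> last --set time."""
    def __init__(self):
        self.seen = {}

    def set(self, addr, now):
        self.seen[addr] = now

    def rcheck(self, addr, now, seconds):
        return addr in self.seen and now - self.seen[addr] <= seconds


# Robby's trigger ports: --dports 25,587,6660:6670,7000
ROBBY_PORTS = {25, 587, *range(6660, 6671), 7000}


def ident_verdicts(syns, trigger_ports=ROBBY_PORTS, window=10, miss="DROP"):
    """Replay SYNs through the two rules.

    trigger_ports=None models Martijn's variant, which records the destination of
    every outbound TCP connection except ident itself (`! --dport 113 -j TCPOUT`).
    `miss` is the verdict for an unsolicited port-113 SYN: falling through to a
    DROP policy (Robby) or REJECT --reject-with tcp-reset (Martijn).
    Returns (t, src, verdict) for each inbound port-113 SYN."""
    ident = RecentList()
    verdicts = []
    for s in sorted(syns, key=lambda s: s.t):
        if s.direction == "out":
            tracked = (s.dport != 113) if trigger_ports is None else (s.dport in trigger_ports)
            if tracked:
                ident.set(s.dst, s.t)                 # -m recent --set --rdest --name IDENT
        elif s.direction == "in" and s.dport == 113:
            ok = ident.rcheck(s.src, s.t, window)     # -m recent --rcheck --rsource --seconds N
            verdicts.append((s.t, s.src, "ACCEPT" if ok else miss))
    return verdicts


SAMPLE = [  # constructed timeline; 10.0.0.5 is our host behind the firewall
    Syn(0,  "out", "10.0.0.5",      "198.51.100.25", 25),   # we connect to a mail server
    Syn(2,  "in",  "198.51.100.25", "10.0.0.5",      113),  # its ident query comes back
    Syn(30, "in",  "198.51.100.25", "10.0.0.5",      113),  # same server, much later
    Syn(40, "out", "10.0.0.5",      "198.51.100.80", 21),   # ftp upload to a multi-IP host
    Syn(41, "in",  "198.51.100.81", "10.0.0.5",      113),  # ident from a *different* address
    Syn(50, "in",  "203.0.113.9",   "10.0.0.5",      113),  # unsolicited probe
]

if __name__ == "__main__":
    print("Robby's rules (SMTP/IRC only, 10 s):")
    for t, src, v in ident_verdicts(SAMPLE):
        print(f"  t={t:>3} {src:<15} {v}")
    print("Martijn's rules (any outbound TCP, 100 s, tcp-reset):")
    for t, src, v in ident_verdicts(SAMPLE, trigger_ports=None, window=100, miss="REJECT tcp-reset"):
        print(f"  t={t:>3} {src:<15} {v}")
```

Under both rule sets the ident request from 198.51.100.81 is refused because only 198.51.100.80 was ever recorded, which is the multi-address server case Martijn warns about.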
From: m at rtij.nl (Martijn Lievaart)
Date: Mon Apr 24 14:23:08 2006
Subject: Allow traffic through a server using iptables.
In-Reply-To: <200604211228.k3LCSXBP006402@main.games-master.co.uk>
References: <200604211228.k3LCSXBP006402@main.games-master.co.uk>
Message-ID: <444B705C.9050709@rtij.nl>

Tony wrote:
> The best way to do this is on the squid server using iptables, but my
> knowledge of iptables is limited and I can't find out how to do this.
> How do I tell iptables that IP address should just be passed through the
> server and not sent to squid?
> Currently if I take an IP address out of the ip rule for forwarding to squid
> the web requests from that IP address just fail since the server doesn't run
> web and doesn't know that it should just forwarded out into the Internet.

Maybe something like:

/sbin/iptables -A PREROUTING -t nat -p tcp -s 192.168.1.0/20 --dport 80 -j SQUID
/sbin/iptables -A SQUID -d -j RETURN
/sbin/iptables -A SQUID -d -j RETURN
/sbin/iptables -A SQUID -d -j RETURN
/sbin/iptables -A SQUID -j DNAT --to :3128

does what you want?

M4

From skarda at uni-freiburg.de Mon Apr 24 14:59:29 2006
From: skarda at uni-freiburg.de (Martin Skarda)
Date: Mon Apr 24 15:17:51 2006
Subject: DHCP-Daemon bypasses Linux iptables
In-Reply-To: <20060420114214.85156.qmail@web51410.mail.yahoo.com>
References: <20060420114214.85156.qmail@web51410.mail.yahoo.com>
Message-ID:

Hi Joerg,

you could try to bind your dhcpd on a pseudo bridge interface and filter with ebtables. The syntax is quite the same as the usage of iptables...

kind regards,
Martin

On Thu, 20 Apr 2006, Joerg Pommnitz wrote:
> Hello all,
> I was seriously puzzled why iptables could not stop dhcp requests from reaching ISC dhcpd. Now I found the reason: instead of listening on a UDP socket dhcpd installs a LPF similar to tcpdump or ethereal. This bypasses the protection from the firewall. What can I do to regain that protection?
>
> --
> Regards
> Joerg

From codeslinger at gmail.com Mon Apr 24 15:20:31 2006
From: codeslinger at gmail.com (Toby DiPasquale)
Date: Mon Apr 24 15:38:52 2006
Subject: one rule to create per IP connlimits?
In-Reply-To: <444C2CBC.7010804@gmx.net>
References: <5cc9c8f90604211201keda9583yf0026180cbfe9a75@mail.gmail.com> <006201c665f5$00205670$0e01050a@CyberAdmin> <876ef97a0604220615g530bd141uffe611fec9759a8e@mail.gmail.com> <444C2CBC.7010804@gmx.net>
Message-ID: <876ef97a0604240620y66c868bfk6fc51c8e03704882@mail.gmail.com>

On 4/23/06, Carl-Daniel Hailfinger wrote:
> Do you have any plans to change that?

OK, so apparently I was wrong. I just checked the source code and this is in fact what connlimit does now. It keeps a hash of conntrack entries and counts them up when it gets fired. Therefore, the original rule proposed by robee would in fact work as rabbtux thought:

iptables -A FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit --connlimit-above 20 -j REJECT

What this is really saying is: If the IP is between 10.10.2.97 and 10.10.2.126 and we find more than 20 connections from this IP right now in our internal table, jump to the REJECT target. You can specify the --connlimit-mask option to tell it to limit based on something more than a /32, but if you don't specify, /32 is the default. The rule should still probably be used with "-j REJECT --reject-with tcp-reset", though.

Here's the information on the usage of the rule from netfilter.org:

This adds an iptables match which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
  --connlimit-mask 24 -j REJECT

> I'd like a combination of hashlimit and connlimit which also works
> for UDP so I can limit the number of simultaneous connections per
> IP to avoid overflowing the conntrack table of upstream firewalls.

connlimit was designed with TCP in mind and will refuse to be loaded with anything other than -p tcp. This is because it wants to make sure you're using --syn to only operate on the first packet of a connection, and also b/c it will dump some conntrack entries in its hashtable if the TCP state indicates that the connection is terminated.

As well, I'm not so sure the combination of the two would be a good idea. I think you'd want the connlimit rules fronting for the hashlimit rules. Having both in one module makes changes to the ruleset more coarse-grained, which could potentially lead to requiring bigger changes to do what you want to do later on down the road.

Sorry about my initial confusion on this whole thing: I was thinking of a different, older *limit rule.

--
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d

From andrex at alumni.utexas.net Mon Apr 24 17:40:48 2006
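To make the connlimit semantics in Toby's message concrete, here is an added model (not the module's code) of how `--connlimit-above` and `--connlimit-mask` decide the verdict for the FORWARD rule quoted above. The conntrack table is constructed; counting only already-tracked connections and firing on strictly more than the limit follows the wording in the message and is an assumption about the module's exact arithmetic.

```python
"""Model of the connlimit match as described in the thread: count the
connections already tracked from a source, grouped by --connlimit-mask, and
match when that count is above --connlimit-above. Added example, not the
module's code. The conntrack entries are constructed; the counting convention
(existing entries only, strictly greater than the limit) is an assumption
taken from the wording of the message above."""
import ipaddress


def mask_group(addr, mask_bits):
    """--connlimit-mask grouping: 32 means per host, 24 per class C sized network."""
    return ipaddress.ip_network(f"{addr}/{mask_bits}", strict=False)


def tracked_from(conntrack, src, mask_bits):
    """Number of tracked TCP connections whose source falls in src's masked group."""
    group = mask_group(src, mask_bits)
    return sum(1 for c in conntrack
               if c["proto"] == "tcp" and ipaddress.ip_address(c["src"]) in group)


def connlimit_above(conntrack, src, limit, mask_bits=32, inverse=False):
    """`-m connlimit [!] --connlimit-above <limit> --connlimit-mask <mask_bits>`"""
    matched = tracked_from(conntrack, src, mask_bits) > limit
    return matched != inverse          # "!" flips the match


def forward_syn_verdict(conntrack, src, src_net="10.10.2.96/27", limit=20, mask_bits=32):
    """The rule discussed in the thread:
    iptables -A FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit --connlimit-above 20 -j REJECT
    Returns "REJECT" when the rule fires and None when the SYN falls through."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(src_net):
        return None                    # -s does not match, rule is skipped
    return "REJECT" if connlimit_above(conntrack, src, limit, mask_bits) else None


def fake_conntrack(counts):
    """Constructed conntrack table: {source address: number of open TCP connections}."""
    return [{"src": s, "proto": "tcp"} for s, n in counts.items() for _ in range(n)]


# Constructed state: one host over the limit, one well under it, and one host
# in the same /24 but outside the rule's -s 10.10.2.96/27 range.
CT = fake_conntrack({"10.10.2.100": 21, "10.10.2.101": 5, "10.10.2.50": 10})

if __name__ == "__main__":
    for host in ("10.10.2.100", "10.10.2.101", "10.10.2.50"):
        print(f"{host}: /32 -> {forward_syn_verdict(CT, host)}, "
              f"/24 -> {forward_syn_verdict(CT, host, mask_bits=24)}")
```

Note that with `--connlimit-mask 24` the quiet host 10.10.2.101 is rejected too, because the whole 10.10.2.0/24 group (36 tracked connections) is counted against it.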
From: andrex at alumni.utexas.net (Andrew Schulman)
Date: Mon Apr 24 18:00:53 2006
Subject: condition patch with kernel 2.6.16

I've been successfully using the condition patch with 2.6-series kernels, up through kernel 2.6.15. It was simple to make it work: I just removed the line 'Requires: linux < 2.6.0' from the condition/info file, and then the patch applied and worked just fine.

Now I'm trying to do the same with kernel 2.6.16, and the patch fails:

# ./runme --kernel-path=/usr/src/linux --iptables-path=/usr/src/netfilter/iptables-1.3.1 --batch condition
unable to find ladd slot in src /tmp/pom-6145/net/ipv6/netfilter/Makefile (./patchlets/condition/linux/./net/ipv6/netfilter/Makefile.ladd)

Obviously something has changed, but I don't know what. Can someone suggest a fix?

The condition patch seems like a very important and useful one, and simple in principle. 2.6 kernels have been in production use for well over a year. Is "condition" ever going to be definitively ported to 2.6?

Thanks,
Andrew.
From: max at nucleus.it (Massimiliano Hofer)
Date: Mon Apr 24 18:41:43 2006
Subject: condition patch with kernel 2.6.16
Message-ID: <200604241823.02998.max@nucleus.it>

On Monday 24 April 2006 5:40 pm, Andrew Schulman wrote:
> I've been successfully using the condition patch with 2.6-series kernels,
> up through kernel 2.6.15. It was simple to make it work: I just removed
> the line 'Requires: linux < 2.6.0' from the condition/info file, and then
> the patch applied and worked just fine.

I did too and it worked, but on closer inspection of the code I saw that it worked by chance.

> Now I'm trying to do the same with kernel 2.6.16, and the patch fails:
>
> # ./runme --kernel-path=/usr/src/linux
> --iptables-path=/usr/src/netfilter/iptables-1.3.1 --batch condition

2.6.16 needs some minor changes on a few function declarations; anyway, I just finished a more extensive rework of the code so that it's really supposed to work for 2.6. Stephane (the original author) told me he never had the time to update it and was glad to hand it down to someone else.

> The condition patch seems like a very important and useful one, and simple
> in principle. 2.6 kernels have been in production use for well over a
> year. Is "condition" ever going to be definitively ported to 2.6?

There are different views on its usefulness. I agree with you, but other people think that influencing packet filtering from /proc is a hack. I can see their argument, but think the alternatives are worse. Anyway this is mostly subjective, so I don't want to start a flame war or blame anyone.

I'll set up a repository in a few days and it will be linked as an external project. Meanwhile I'll send a copy of my latest patch to you privately. You are encouraged to test it.

--
Saluti,
Massimiliano Hofer
Nucleus
From: andrex at alumni.utexas.net (Andrew Schulman)
Date: Mon Apr 24 18:57:35 2006
Subject: condition patch with kernel 2.6.16
References: <200604241823.02998.max@nucleus.it>

> On Monday 24 April 2006 5:40 pm, Andrew Schulman wrote:
>
> > I've been successfully using the condition patch with 2.6-series kernels,
> > up through kernel 2.6.15. It was simple to make it work: I just removed
> > the line 'Requires: linux < 2.6.0' from the condition/info file, and then
> > the patch applied and worked just fine.
>
> I did too and it worked, but on closer inspection of the code I saw that it
> worked by chance.

OK, that's good to know.

> > Now I'm trying to do the same with kernel 2.6.16, and the patch fails:
> >
> > # ./runme --kernel-path=/usr/src/linux
> > --iptables-path=/usr/src/netfilter/iptables-1.3.1 --batch condition
>
> 2.6.16 needs some minor changes on a few function declarations, anyway I just
> finished a more extensive rework of the code so that it's really supposed to
> work for 2.6. Stephane (the original author) told me he never had the time to
> update it and was glad to hand it down to someone else.

OK, that's very good. I'll be glad to test it. I need to upgrade to kernel 2.6.16 to try to solve some other problems, and right now the condition patch is holding me back. I could rewrite my firewall without it, but I'd rather just have a working condition patch.

> > The condition patch seems like a very important and useful one, and simple
> > in principle. 2.6 kernels have been in production use for well over a
> > year. Is "condition" ever going to be definitively ported to 2.6?
>
> There are different views on its usefulness. I agree with you, but other
> people think that influencing packet filtering from /proc is a hack.
> I can see their argument, but think the alternatives are worse.

Well, I wasn't aware of that argument. I think the condition functionality is sensible and useful. When a condition value changes, I have a choice of either (1) cleaning out and rebuilding my whole firewall; (2) finding and changing the specific affected iptables rules; or (3) changing a value in /proc/net/ipt_condition. Of these I find (3) to be the most convenient and natural.

Thanks,
Andrew.
From: dsylvesteriii at yahoo.com (Davis Sylvester)
Date: Mon Apr 24 20:40:49 2006
Subject: DNAT Problems
Message-ID: <20060424182225.9464.qmail@web54710.mail.yahoo.com>

Greetings All:

I have what I think is a simple firewall configuration. All our hosts reside on the internal side of our network and we punch holes to allow access to servers that provide internet-based content (i.e. Web servers, e-mail servers, and Database server).

For some reason my firewall was working fine until a reboot and now none of the DNAT is working. The most important thing is that the e-mail server is not receiving mail; it sends just fine. Also no one can access squirrel mail; again, it works fine internally.

Here is my configuration; any help is appreciated. Thanks in advance, IPTABLES Gurus.

------------------------------------------------------
# Generated by iptables-save v1.3.4 on Sat Apr 8 02:03:03 2006
*raw
:PREROUTING ACCEPT [69187:15784837]
:OUTPUT ACCEPT [46891:5730774]
COMMIT
# Completed on Sat Apr 8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr 8 02:03:03 2006
*nat
:PREROUTING ACCEPT [6384:872118]
:POSTROUTING ACCEPT [156:10133]
:OUTPUT ACCEPT [1681:126170]
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 143 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.200 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.150.200
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Sat Apr 8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr 8 02:03:03 2006
*mangle
:PREROUTING ACCEPT [69187:15784837]
:INPUT ACCEPT [48202:5793791]
:FORWARD ACCEPT [18360:9358860]
:OUTPUT ACCEPT [46891:5730774]
:POSTROUTING ACCEPT [65251:15089634]
COMMIT
# Completed on Sat Apr 8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr 8 02:03:03 2006
*filter
:INPUT ACCEPT [5310:385325]
:FORWARD ACCEPT [2955:564452]
:OUTPUT ACCEPT [43086:5176570]
:openvpn - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 220.193.98.15 -j DROP
-A INPUT -s 82.127.9.42 -j DROP
-A INPUT -s 82.226.217.40 -j DROP
-A INPUT -s 207.212.29.73 -j DROP
-A INPUT -s 213.154.72.195 -j DROP
-A INPUT -s 221.169.125.102 -j DROP
-A INPUT -s 218.202.223.238 -j DROP
-A INPUT -s 213.175.92.222 -j DROP
-A INPUT -s 210.228.173.152 -j DROP
-A INPUT -s 219.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 220.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 221.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 210.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 211.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 218.0.0.0/255.0.0.0 -j DROP
-A FORWARD -i tun0 -j openvpn
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.150.200 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From: ivan.gustin at pu.t-com.hr (Ivan Gustin)
Date: Mon Apr 24 21:42:00 2006
Subject: Rerouting remote users to VPN channel
Message-ID: <444D25BA.6040505@pu.t-com.hr>

Hi,

I have one specific routing situation that I still can't handle, so I am asking for some help.

I have a Linux server, one eth interface and 2 DSL links. One DSL is a VPN link to another site's Web Intranet application. The VPN link itself is realised via a DSL line and a CISCO router. Local users can work with that application. The other DSL is the Internet gateway for local users, and the incoming channel for accessing the server from outside (there is a Siemens DSL router).

I want to provide that external remote users can connect to that server from the Internet and use that Intranet application via the other DSL and the VPN channel.

Route table:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.30.9    192.168.93.65   255.255.255.255 UGH   0      0        0 eth0
192.168.93.64   0.0.0.0         255.255.255.192 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.93.122  0.0.0.0         UG    0      0        0 eth0

...93.64/26 is LAN,
...93.65 is VPN gateway to Intranet Web server on another site,
...93.122 is Internet gateway,
...30.9 is Intranet Web server with The Application on remote site.

Local users can go to the Internet and to the Intranet app on the remote site, and that works fine. I need rules so that Internet users coming from a public IP using http://mysite.dyndns.biz:myport through ...93.122 can go to http://192.168.30.9:80. I successfully set up forwarding on the DSL router so incoming packets come to the server on port 'myport' (I can't reroute/rewrite packets on the DSL router itself).

I tried with one PREROUTING rule, but I can't rewrite both source and destination address, so obviously I need two rules?

Thanks to anyone for any help,
GI
From: marcoshack at gmail.com (Marcos Hack)
Date: Mon Apr 24 22:22:40 2006
Subject: DNAT Problems
In-Reply-To: <20060424182225.9464.qmail@web54710.mail.yahoo.com>
References: <20060424182225.9464.qmail@web54710.mail.yahoo.com>
Message-ID: <842e837b0604241304k7a7952a2r4a8cee046b0d90bb@mail.gmail.com>

nat PREROUTING is ok. filter FORWARD is ok. Well, the rules sound good to me.

You said that all was working fine before a reboot. Did you install some hardware in this machine? Were all interfaces (eth0, eth1) correctly configured after the reboot?

And try to follow the traffic using tcpdump on interfaces eth0 and eth1.

On 4/24/06, Davis Sylvester wrote:
>
> For some reason my firewall was working fine until a
> reboot and now none of the DNAT is working. The most
> important thing is that the e-mail server is not
> receiving mail, it sends just fine. Also no one can
> access squirrel mail, again works fine internally.
>
> *nat
> :PREROUTING ACCEPT [6384:872118]
> :POSTROUTING ACCEPT [156:10133]
> :OUTPUT ACCEPT [1681:126170]
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp
> --sport 1024:65535 --dport 25 -j DNAT --to-destination
> 192.168.150.20
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp
> --sport 1024:65535 --dport 110 -j DNAT
> --to-destination 192.168.150.20
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp
> --sport 1024:65535 --dport 143 -j DNAT
> --to-destination 192.168.150.20
> -A PREROUTING -d 1.1.1.200 -i eth1 -p tcp -m tcp
> --sport 1024:65535 --dport 80 -j DNAT --to-destination
> 192.168.150.200
>
> :FORWARD ACCEPT [2955:564452]
> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m
> tcp --sport 1024:65535 --dport 25 -m state --state NEW
> -j ACCEPT
> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m
> tcp --sport 1024:65535 --dport 110 -m state --state
> NEW -j ACCEPT
> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m
> tcp --sport 1024:65535 --dport 143 -m state --state
> NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -d 192.168.150.200 -i eth1 -o eth0 -p tcp
> -m tcp --sport 1024:65535 --dport 80 -m state --state
> NEW -j ACCEPT
From: mbarclay at openfbo.com (Matt Barclay)
Date: Tue Apr 25 09:48:06 2006
Subject: DNAT Problems
In-Reply-To: <20060424182225.9464.qmail@web54710.mail.yahoo.com>
References: <20060424182225.9464.qmail@web54710.mail.yahoo.com>

Hi Davis,

Are the packet counters on any of the NAT rules incrementing? Try running:

watch -d -n 1 iptables -L -vnt nat

Then try making connections to the webserver from outside your network. You should see the packet counters increasing when you make the connection.

Also, it doesn't look like you are dropping packets anywhere in your firewall (other than those INPUT rules). Usually, you set the filter::INPUT and FORWARD policies to DROP and use rules in those chains to allow traffic that meets your security requirements. Set policies with the command:

iptables -P INPUT DROP
iptables -P FORWARD DROP

Don't make this change yet! Figure out the DNAT problem first.

If the counters aren't increasing, try inserting a more generic rule like:

iptables -t nat -A PREROUTING -d 1.1.1.25

(Notice no -j TARGET; it's just a packet counting rule.) If that matches, make it more complex:

iptables -t nat -A PREROUTING -d 1.1.1.25 -p tcp --dport 25

And so on...

Good Luck!
Matt

On 4/24/06, Davis Sylvester wrote:
> Greeting All:
>
> I have what I think is a simple firewall
> configuration. All our hosts reside on the internal
> side of our network and we punch holes to allow access
> to servers that provide internet-based content (i.e.
> Web servers, e-mail servers, and Database server).
>
> For some reason my firewall was working fine until a
> reboot and now none of the DNAT is working. The most
> important thing is that the e-mail server is not
> receiving mail, it sends just fine. Also no one can
> access squirrel mail, again works fine internally.
>
> Here is my configuration any help is appreciated.
> Thanks in advance IPTABLES Gurus.
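Matt's procedure of watching the nat counters, with a target-less counting rule appended as a control, done as an added Python example (not from the thread): it parses two `iptables -L -vnt nat` listings the way `watch -d` shows them and reports which rules moved and which are still at zero. The two snapshots are constructed, with counter values made up for the example; the rule lines follow Davis's DNAT rules plus Matt's counting rule, which iptables lists with an empty target column.

```python
import re

# Constructed sample: two `iptables -L -vnt nat` snapshots a few seconds
# apart.  Rules 1-3 are Davis's DNAT rules, rule 4 is Matt's target-less
# counting rule (empty target column).  Counter values are made up.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 6384 packets, 872118 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:25 to:192.168.150.20
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:110 to:192.168.150.20
   12   720 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.200            tcp spts:1024:65535 dpt:80 to:192.168.150.200
    0     0            all  --  *      *       0.0.0.0/0            1.1.1.25

Chain POSTROUTING (policy ACCEPT 156 packets, 10133 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1390  110K MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
"""
AFTER = """\
Chain PREROUTING (policy ACCEPT 6390 packets, 872478 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:25 to:192.168.150.20
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:110 to:192.168.150.20
   15   900 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.200            tcp spts:1024:65535 dpt:80 to:192.168.150.200
    3   180            all  --  *      *       0.0.0.0/0            1.1.1.25

Chain POSTROUTING (policy ACCEPT 158 packets, 10253 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1402  111K MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# target is \S* because a rule added without -j prints an empty target column.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S*)\s+"
    r"(?P<prot>all|tcp|udp|icmp|\d+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")


def to_int(s):
    """iptables -v abbreviates large counters (12K, 3M) unless -x is given."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)


def parse_listing(text):
    """Return {(chain, position): rule fields} for every rule in a -vn listing."""
    rules, chain, pos = {}, None, 0
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, pos = m.group(1), 0
            continue
        if chain is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pos += 1
        fields = m.groupdict()
        fields["pkts"], fields["bytes"] = to_int(fields["pkts"]), to_int(fields["bytes"])
        rules[(chain, pos)] = fields
    return rules


def counter_delta(before_text, after_text):
    """What `watch -d` highlights: rules whose packet counter moved between
    the two snapshots, plus the rules still sitting at zero."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    moved = {k: after[k]["pkts"] - before[k]["pkts"]
             for k in after if k in before and after[k]["pkts"] != before[k]["pkts"]}
    idle = [k for k in after if after[k]["pkts"] == 0]
    return moved, idle


if __name__ == "__main__":
    moved, idle = counter_delta(BEFORE, AFTER)
    for (chain, pos), delta in moved.items():
        r = parse_listing(AFTER)[(chain, pos)]
        print(f"{chain}:{pos} {r['target'] or '(count only)'} -> {r['dst']} +{delta} pkts")
    for chain, pos in idle:
        print(f"{chain}:{pos} still 0 packets")
```

In the sample the counting rule for 1.1.1.25 moves while the dport 25 and 110 DNAT rules stay at zero, which is the "generic rule matches, specific rule does not" outcome Matt describes: packets for 1.1.1.25 reach PREROUTING but miss the narrower match.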
From: mbarclay at openfbo.com (Matt Barclay)
Date: Tue Apr 25 10:14:37 2006
Subject: Rerouting remote users to VPN channel
In-Reply-To: <444D25BA.6040505@pu.t-com.hr>
References: <444D25BA.6040505@pu.t-com.hr>

Hi Ivan,

Yes, you need SNAT and DNAT rules. Something like this ought to work (note: this should be on your Internet Gateway's Firewall, otherwise you have to forward port 80 traffic from the Gateway to your linux server. You are running linux on your internet gateway, right? ;)

iptables -t mangle -A PREROUTING -d -p tcp --dport 80 -j MARK --set-mark 80
iptables -t nat -A PREROUTING -m mark --mark 80 -j DNAT --to 192.168.30.9
iptables -A FORWARD -m mark --mark 80 -j ACCEPT
iptables -t nat -A POSTROUTING -m mark --mark 80 -j SNAT --to

assumes the internet gateway has a route to 192.168.30.9

If you have to run this on a different linux machine, replace with

If this doesn't work or doesn't make sense, be sure to post a network diagram in your email.

Good Luck,
Matt

On 4/24/06, Ivan Gustin wrote:
> Hi,
>
> I have one specific routing situation that I still can't handle, so I am
> asking for some help.
>
> I have Linux server, one eth interface and 2 DSL links. One DSL is VPN
> link to another site's Web Intranet application. VPN link itself is
> realised via DSL line and CISCO router. Local users can work with that
> application. Another DSL is Internet gateway for local users, and
> incomming channel for accessing server from outside (there is Siemens
> DSL router).
>
> I want to provide that external remote users can connect to that server
> from Internet and use that Intranet application via another DSL and VPN
> channel.
From: ivan.gustin at pu.t-com.hr (Ivan Gustin)
Date: Tue Apr 25 10:39:36 2006
Subject: Rerouting remote users to VPN channel
References: <444D25BA.6040505@pu.t-com.hr>
Message-ID: <444DDBF3.6050500@pu.t-com.hr>

Matt Barclay:
> Yes, you need SNAT and DNAT rules. Something like this ought to work

Thank you, Matt, for answering.

> iptables -t mangle -A PREROUTING -d -p tcp --dport 80
> -j MARK --set-mark 80
> iptables -t nat -A PREROUTING -m mark --mark 80 -j DNAT --to 192.168.30.9
> iptables -A FORWARD -m mark --mark 80 -j ACCEPT
> iptables -t nat -A POSTROUTING -m mark --mark 80 -j SNAT --to
>

Yes, I set up something like this a few hours ago, and it worked. But, unfortunately, the Intranet Web application uses absolute private IP addresses, so that can't work. The application starts, but when the user clicks on some option the connection hangs trying to open http://192.168.30.9/.... :-(

I can't change the third-party Web app. I don't see any other solution but setting up a VPN so users have private routeable IP addresses.

Thanks anyway.
GI
From: christophe.thiebaud at francetelecom.com (THIEBAUD Christophe ROSI/DPS)
Date: Tue Apr 25 11:04:13 2006
Subject: Use case NetFilter
Message-ID: <64B84B6DA4DD894EB9D0ABA9F1C1F14EF7FEFF@PUEXCBJ0.nanterre.francetelecom.fr>

Hi,

I have a question about using NetFilter.

Here is a part of my configuration:

...
iptables -A INPUT -m state --state NEW -j LOG --log-prefix "NEW SSH : "
iptables -A INPUT -m state --state ESTABLISHED -j LOG --log-prefix "ESTABLISHED SSH : "
iptables -A INPUT -d $IPADDR_ADMIN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s $IPADDR_ADMIN -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
...

When I send this kind of packet (with the Ftester tools):

1 - 10.170.225.0:1025 > 10.64.19.212:22 AP TCP 0

I have this trace:

Apr 25 09:46:39 unzs148 kernel: NEW SSH input : IN=eth0 OUT= MAC=00:0d:60:9a:30:9a:00:0d:60:d5:1a:f0:08:00 SRC=10.170.225.0 DST=10.64.19.212 LEN=55 TOS=0x00 PREC=0x00 TTL=200 ID=1 DF PROTO=TCP SPT=1025 DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0

And the packet has passed the FW !!!

The FW sees the packet as a "new connection" (state NEW), and I have never sent a packet with the SYN flag !!!

I'm surprised by this result. Is my configuration wrong?

Thank you. Best regards.

Christophe Thiébaud
France Telecom ROSI/DPS/IEP
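Conntrack classifies a TCP packet that matches no existing entry as NEW even when SYN is not set (it can pick up a connection mid-stream), which is how an ACK/PSH packet reaches a rule accepting --state NEW. The parser below is an added example for this archive, not code from the thread: it reads kernel LOG lines of the format in the trace above and flags NEW-prefixed TCP entries whose flags lack SYN. The first sample line is the trace Christophe posted; the second, a normal SYN, is constructed.

```python
import re

# Sample log: line 1 is the trace from the thread (ACK PSH, no SYN); line 2 is
# a constructed entry for an ordinary connection start (SYN only).
SAMPLE_LOG = """\
Apr 25 09:46:39 unzs148 kernel: NEW SSH input : IN=eth0 OUT= MAC=00:0d:60:9a:30:9a:00:0d:60:d5:1a:f0:08:00 SRC=10.170.225.0 DST=10.64.19.212 LEN=55 TOS=0x00 PREC=0x00 TTL=200 ID=1 DF PROTO=TCP SPT=1025 DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Apr 25 09:47:02 unzs148 kernel: NEW SSH input : IN=eth0 OUT= MAC=00:0d:60:9a:30:9a:00:0d:60:d5:1a:f0:08:00 SRC=10.170.225.7 DST=10.64.19.212 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=33012 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Bare tokens the LOG target emits for TCP flags (IP-level DF/MF also appear
# bare and are kept in the same set, which does no harm here).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_log_line(line):
    """Split one kernel LOG line into its --log-prefix text, the KEY=VALUE
    fields and the bare flag tokens.  Returns None for non-LOG lines."""
    m = re.search(r"kernel: (?:\[[^\]]*\] )?(.*?)(IN=.*)$", line)
    if not m:
        return None
    prefix, rest = m.group(1).strip(), m.group(2)
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:                 # OUT= has an empty value; keep it
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return {"prefix": prefix, "fields": fields, "flags": flags}


def tcp_flags(entry):
    return entry["flags"] & TCP_FLAGS


def new_without_syn(log_text):
    """Entries logged by a --state NEW rule (prefix contains NEW, as in the
    thread's --log-prefix) for TCP packets that carry no SYN: a mid-stream
    packet conntrack picked up as a new connection."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if not entry or "NEW" not in entry["prefix"]:
            continue
        if entry["fields"].get("PROTO") != "TCP":
            continue
        if "SYN" not in entry["flags"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in new_without_syn(SAMPLE_LOG):
        f = e["fields"]
        print(f"NEW without SYN: {f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']} "
              f"flags={sorted(tcp_flags(e))}")
```

A ruleset that only wants real connection starts to count as NEW usually drops TCP packets that are NEW but not --syn ahead of the accept rule (`-p tcp ! --syn -m state --state NEW -j DROP`).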
From: rob at sterenborg.info (Rob Sterenborg)
Date: Tue Apr 25 11:54:08 2006
Subject: Use case NetFilter
In-Reply-To: <64B84B6DA4DD894EB9D0ABA9F1C1F14EF7FEFF@PUEXCBJ0.nanterre.francetelecom.fr>
References: <64B84B6DA4DD894EB9D0ABA9F1C1F14EF7FEFF@PUEXCBJ0.nanterre.francetelecom.fr>
Message-ID: <64777.193.173.147.3.1145958141.squirrel@webmail.sterenborg.info>

On Tue, April 25, 2006 10:45, THIEBAUD Christophe ROSI/DPS wrote:
> Hi,
>
> I have a question about NetFilter using.
>
> Here a part of my configuration :
> ...
> iptables -A INPUT -m state --state NEW -j LOG --log-prefix "NEW SSH : "

Your logging rule is wrong. This is not NEW SSH. This is NEW SSH:

$ipt -A INPUT -m state --state NEW -p tcp --dport 22 \
    -j LOG --log-prefix "NEW SSH : "

> iptables -A INPUT -m state --state ESTABLISHED -j LOG --log-prefix
> "ESTABLISHED SSH : "

This rule is not ESTABLISHED SSH. Add "-p tcp --dport 22" to the rule.

> iptables -A INPUT -d $IPADDR_ADMIN -p tcp --dport 22 -m state --state
> NEW,ESTABLISHED -j ACCEPT

What is $IPADDR_ADMIN ?

> iptables -A OUTPUT -s $IPADDR_ADMIN -p tcp --sport
> 22 -m state --state ESTABLISHED -j ACCEPT ...

What is $IPADDR_ADMIN ? If $IPADDR_ADMIN is the IP address of your admin workstation, you have reversed the -d and -s parameters in both rules above.

> When I send this kind of packet (avec Ftester tools) :
>
> 1 - 10.170.225.0:1025 > 10.64.19.212:22 AP TCP 0
>
> I have this trace :
>
> Apr 25 09:46:39 unzs148 kernel: NEW SSH input : IN=eth0 OUT=
> MAC=00:0d:60:9a:30:9a:00:0d:60:d5:1a:f0:08:00 SRC=10.170.225.0
> DST=10.64.19.212 LEN=55 TOS=0x00 PREC=0x00 TTL=200 ID=1 DF PROTO=TCP SPT=1025
> DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0
>
> And the packet have passed the FW !!!
>
> The FW see the packet as a "new connection" (state NEW), and I have never
> send packek with SYN flag !!!

Your logging will give a false result because it logs MUCH more than (I think) you want it to. And, again, if my presumption is correct, I think you have reversed -d and -s in the INPUT and OUTPUT chain. In the INPUT chain, you want to accept with *source ip* (-s) and in the OUTPUT chain, you want to accept with *destination ip* (-d).

Gr,
Rob

From: s.ravi at phoenixlogin.com (Ravi Kumar)
Date: Tue Apr 25 13:39:42 2006
Subject: IPTABLES and outlook express
Message-ID: <444E0628.3070002@phoenixlogin.com>

Hi GUYS,

Please help me set up iptables to access pop and smtp (outlook express) when going through a squid proxy server.

--
Warm Regards,
Ravi Kumar. S
Sr. Systems & Network Administrator
Phoenix Login Solutions Pvt Ltd.
55/c, 1st Floor, 40th Cross, 8th Block, Jayanagar, Bangalore 560 082 INDIA
Ph: +91(80) 26538658 / 26637369
Fax: +91(80) 26537212
Mobile: +91 9886047708
E-mail: s.ravi@phoenixlogin.com
Web: http://www.phoenixlogin.com

From: pmwecowski at mediatrix.com (Pierre-Marie Wecowski)
Date: Tue Apr 25 14:02:39 2006
Subject: Netfilter journey of a locally generated packet?
Message-ID: <6C7A33B8773A2E4C9BDF935D13FA3E71630D4D@MAIL1.mediatrix.com>

Hi,

Is there an exact and complete diagram of a packet's journey inside netfilter?

I have found something strange that may require some explanation:

I am running Linux 2.6.11 on a device with two network interfaces. When I generate locally (local process) a packet (UDP for instance) with a source address of one interface and a destination address of the other, the packet goes through the PREROUTING chain in the mangle table but not in the nat table.

Is there a reason behind this behaviour?

Thank you.

Pierre-Marie Wecowski
Software Designer
Mediatrix Telecom
From: rob at sterenborg.info (Rob Sterenborg)
Date: Tue Apr 25 14:17:00 2006
Subject: IPTABLES and outlook express
In-Reply-To: <444E0628.3070002@phoenixlogin.com>
References: <444E0628.3070002@phoenixlogin.com>
Message-ID: <51025.193.173.147.3.1145966715.squirrel@webmail.sterenborg.info>

On Tue, April 25, 2006 13:21, Ravi Kumar wrote:
> Hi GUYS,
>
> Please help me setup iptables to access pop and smtp ( outlook express)
> when going through squid proxy server.

When using smtp and pop I don't think you'll be using Squid. And if you would, this would be the wrong mailing list for asking support.

You fail to say what your setup is and what you have tried already, but I guess you need this:

$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -p tcp --dport 25 -j ACCEPT
$ipt -A FORWARD -m state --state NEW -p tcp --dport 110 -j ACCEPT

You can read up on Netfilter at:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Gr,
Rob
From: rob at sterenborg.info (Rob Sterenborg)
Date: Tue Apr 25 14:19:19 2006
Subject: Netfilter journey of a locally generated packet?
In-Reply-To: <6C7A33B8773A2E4C9BDF935D13FA3E71630D4D@MAIL1.mediatrix.com>
References: <6C7A33B8773A2E4C9BDF935D13FA3E71630D4D@MAIL1.mediatrix.com>
Message-ID: <61019.193.173.147.3.1145966854.squirrel@webmail.sterenborg.info>

On Mon, April 24, 2006 20:43, Pierre-Marie Wecowski wrote:
> Hi,
>
> Is there an exact and complete diagram of a packet journey inside
> netfilter?
>
> I have found something strange that may require some explanation:
>
> I am running Linux 2.6.11 on a device with two network interfaces.
>
> When I generate locally (local process) a packet (UDP for instance) with
> a source address of one interface and a destination address of the
> other, the packet go through PREROUTING chain in the mangle table but
> not in the nat table.
>
> Is there a reason behind this behaviour?

Because the IP is not NAT-ed, just routed ??

Gr,
Rob
From: t.luettgert at pressestimmen.de (Torsten Luettgert)
Date: Tue Apr 25 16:27:01 2006
Subject: problems with accounting via ULOG
Message-ID: <1145974227.8032.9.camel@scaramouche.combox.de>

Hello,

I want to set up traffic accounting with ulog-acctd and the ULOG target. The server I'm using has 2 interfaces; eth1 is connected to the mirror port of the master switch. I put eth1 promisc up without an address, and packets are streaming in all right. But they don't arrive at any netfilter hook (except for multicasts and broadcasts), so I can't queue them to the accounting daemon.

Searching the docs, I found that "promisc receives" don't enter the netfilter system at all. I could now bind the nets I want to account to eth1, but then my box wouldn't be able to talk to those hosts, and that'd be a bad thing(tm), especially because it's the name server :-P

Any advice, anyone? I'm feeling quite screwed up right now.

Thanks in advance,
Torsten

From: Josh at NetworkMedics.Com (Joshua C. Clark)
Date: Tue Apr 25 16:30:02 2006
Subject: How do I get off the list
Message-ID: <40378.65.220.104.16.1145974292.squirrel@webmail.networkmedics.com>

I love the help but there are way too many emails to keep up with..

From: rob at sterenborg.info (Rob Sterenborg)
Date: Tue Apr 25 16:50:24 2006
Subject: How do I get off the list
In-Reply-To: <40378.65.220.104.16.1145974292.squirrel@webmail.networkmedics.com>
References: <40378.65.220.104.16.1145974292.squirrel@webmail.networkmedics.com>
Message-ID: <64733.193.173.147.3.1145975917.squirrel@webmail.sterenborg.info>

On Tue, April 25, 2006 16:11, Joshua C. Clark wrote:
> I love the help but there are way to many emails to keep up with..

Nah, this list is not high volume..

Looking in the mail headers I see 2 ways to unsubscribe:
...
List-Unsubscribe: ,
...

Gr,
Rob
From: netfilter at laotseu.org (Alex 'LaoTseu' DE DOMMELIN)
Date: Tue Apr 25 21:58:13 2006
Subject: Iptables and ActiveX
Message-ID: <20060425193750.GB16312@localhost.localdomain>

Hi.

I've got some problems with a web based application using some ActiveX and iptables. My app is in a DMZ and should be accessible through port 81. It works well (I see the login page, 100% HTML) but the next page, which contains ActiveX, doesn't work. There's no log about something blocked by the firewall.

Any idea or hint ?

Thanks.
Alex

--
DE DOMMELIN Alexandre
Key Fingerprint = E5CE 70D2 CAD6 3146 68D4 53FD 17DE 15BA FC73 63E4
LRU : #405714

From: rob at sterenborg.info (Rob Sterenborg)
Date: Tue Apr 25 22:20:05 2006
Subject: Iptables and ActiveX
In-Reply-To: <20060425193750.GB16312@localhost.localdomain>
Message-ID: <001901c668a3$0ab882a0$0101000a@sterenborg.info>

> Hi.
>
> I've got some problems with a web based application using some
> ActiveX and iptables. My app is in a DMZ and should be accessible
> through the port 81.
> It works well (is see the login page, 100% HTML) but the next
> page which
> contains activeX doesn't work.
> There's no log about something blocked by the firewall.
>
> Any idea or hint ?

I'm pretty sure that iptables is not causing your ActiveX control to fail, as an ActiveX control only runs on Windows and iptables/netfilter only on Linux. Unless it uses some network connection that you didn't add a rule for to allow it.

Gr,
Rob
From: philip at trans.net (Philip Westphal) Date: Wed Apr 26 11:01:50 2006 Subject: FORWARD-chain packets go through INPUT-chain ? Message-ID: <444F32A3.7050900@trans.net>

Hi everybody,

i think my problem is quite simple, but i'm a little bit under pressure, and google didn't help. i have a firewall machine, with ip6tables running on it, and behind this firewall there is a webserver with apache2 running. the network looks like this:

 ______________________________________________________________________________________________
| LAPTOP                                                                                      |
| ipv6-addr: 2001:4100:1:1:204:dff:fe2b:4f1e/64   gw: 2001:4100:1:1:207:8dff:fef0:a900/64     |
 ----------------------------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
 ______________________________________|_____|_______________________________
| fasteth0/0 ipv6-addr: 2001:4100:1:1:207:8dff:fef0:a900/64                  |
| CISCO                                                                      |
| fasteth1/0 ipv6-addr: 2001:4200:2:1:231:b5ff:fe67:8900/64                  |
 ----------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
 ______________________________________|_____|____________________________________________________
| eth0 ipv6-addr: 2001:4200:2:1:20b:4eff:fe5e:c69d/64   gw: 2001:4200:2:1:231:b5ff:fe67:8900     |
| FIREWALL                                                                                       |
| eth1 ipv6-addr: 2001:4200:3:1:203:75ff:fee8:3275/64   + route 2001:4200:3:1::/48 -> eth1       |
 -------------------------------------------------------------------------------------------------
                                       |     |
                                       |     |
                                       |     |
 ______________________________________|_____|___________________________________________________
| eth0 ipv6-addr: 2001:4200:3:1:204:b4ff:fec7:faa4/64   gw: 2001:4200:3:1:203:75ff:fee8:3275    |
| APACHE                                                                                        |
 ------------------------------------------------------------------------------------------------

routing is fine, without ip6tables everything works.

my problem is, that packets from the LAPTOP to the APACHE (and vice-versa) go through all 3 chains INPUT, OUTPUT and FORWARD. if i don't make any rules, i have to set all 3 chains to ACCEPT to get packets through. if i have INPUT and OUTPUT on drop (FORWARD is all the time on ACCEPT), i need to allow especially packets to or from port 80 or icmpv6 on the INPUT and OUTPUT chain. when i set one of these both chains to DROP, without any special rule, nothing works, not the http-request or even the icmpv6.

i thought all the time that the INPUT and OUTPUT chains are just for packets which are for or from the local machine. could it be that the firewall treats packets like this, because the APACHE is in the same net on a connected interface? when i allow packets to the APACHE in the INPUT chain (let's assume the firewall routes packets through this chain because itself is in the same net) (default policy is drop) and set the OUTPUT and FORWARD chains to ACCEPT, it still doesn't work.

as i understand the http://netfilter.org/documentation/HOWTO/de/packet-filtering-HOWTO-6.html normally packets which are not destined to the machine itself just go through the FORWARD-chain. it's also under point #3 in this howto:

  If forwarding is enabled, and the packet is destined for another network interface (if you have another one), then the packet goes rightwards on our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.

If you have ANY questions about the net, or the routing tables on special machines, please ask. I don't get it, any idea, HOWTO-link, explanation, or solution *g* would be very nice. i'm willing to RTFM, but i don't know where this man is.

Thanks in advance.
Philip

From kadlec at blackhole.kfki.hu Wed Apr 26 11:34:20 2006
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik) Date: Wed Apr 26 11:51:55 2006 Subject: FORWARD-chain packets go through INPUT-chain ? In-Reply-To: <444F32A3.7050900@trans.net> References: <444F32A3.7050900@trans.net> Message-ID:

On Wed, 26 Apr 2006, Philip Westphal wrote:

> i think my problem is quite simple, but i'm a little bit under pressure,
> and google didn't help. i have a firewall machine, with ip6tables
> running on it, and behind this firewall there is a webserver with
> apache2 running. the network looks like this:
[...]
> my problem is, that packets from the LAPTOP to the APACHE (and
> vice-versa) go through all 3 chains INPUT, OUTPUT and FORWARD. if i
> don't make any rules, i have to set all 3 chains to ACCEPT to get
> packets through. if i have INPUT and OUTPUT on drop (FORWARD is all the
> time on ACCEPT), i need to allow especially packets to or from port 80
> or icmpv6 on the INPUT and OUTPUT chain.

IPv6 is not just IPv4 with bumped up address space: ARP is replaced by ND (Neighbour Discovery), which is performed over ICMPv6. So if you block ICMPv6 completely in INPUT/OUTPUT, you actually disable IPv6.

Have a look at the IETF draft 'Best Current Practice for Filtering ICMPv6 Messages in Firewalls': http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-bcp-01.txt

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary

From stratism at gmail.com Tue Apr 25 15:14:59 2006
From: stratism at gmail.com (Stratos Margaritis) Date: Wed Apr 26 13:54:07 2006 Subject: Why is this not working??? Message-ID: <200604251615.03991.stratism@gmail.com>

Can someone help me find out why this rule does not work?

*filter
:INPUT DROP [1803:271102]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
-A FORWARD -p tcp -i eth0 -s xxx.xxx.xxx.xxx/28 -o eth1 -d yyy.yyy.yyy.yyy -j ACCEPT
-A FORWARD -j LOG

Where xxx.xxx.xxx.xxx is a real network that should be allowed to contact the server yyy.yyy.yyy.yyy both of which are having real IP's.

--
Stratos
stratism@gmail.com

From samueldg at arcoscom.com Wed Apr 26 13:42:26 2006
From: samueldg at arcoscom.com (Samuel Díaz García) Date: Wed Apr 26 14:01:00 2006 Subject: Why is this not working??? In-Reply-To: <200604251615.03991.stratism@gmail.com> References: <200604251615.03991.stratism@gmail.com> Message-ID: <52275.195.55.244.106.1146051746.squirrel@www.arcoscom.com>

Perhaps you need something like:

-A FORWARD -m state --state RELATED,ESTABLISHED \
   -j ACCEPT
-A FORWARD -m state --state NEW \
   -p tcp \
   -i eth0 -s xxx.xxx.xxx.xxx/28 \
   -o eth1 -d yyy.yyy.yyy.yyy \
   -j ACCEPT

? Take care in the "FORWARD" chain and the "-m state" in the second rule.

--
Samuel Díaz García
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg@arcoscom.com
msn: samueldg@arcoscom.com
Tlfn.: 956 70 13 15
Fax: 956 70 34 83

On Tue, 25 April 2006, 15:14, Stratos Margaritis wrote:
> Can someone help me find out why this rule does not work?
>
> *filter
> :INPUT DROP [1803:271102]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
> -A FORWARD -p tcp -i eth0 -s xxx.xxx.xxx.xxx/28 -o eth1 -d yyy.yyy.yyy.yyy -j ACCEPT
> -A FORWARD -j LOG
>
> Where xxx.xxx.xxx.xxx is a real network that should be allowed to contact the
> server yyy.yyy.yyy.yyy both of which are having real IP's.
>
>
> --
> Stratos
> stratism@gmail.com
>

From rob at sterenborg.info Wed Apr 26 13:49:33 2006
From: rob at sterenborg.info (Rob Sterenborg) Date: Wed Apr 26 14:01:20 2006 Subject: Why is this not working??? In-Reply-To: <200604251615.03991.stratism@gmail.com> References: <200604251615.03991.stratism@gmail.com> Message-ID: <64056.193.173.147.3.1146052173.squirrel@webmail.sterenborg.info>

On Tue, April 25, 2006 15:14, Stratos Margaritis wrote:
> Can someone help me find out why this rule does not work?
>
> *filter
> :INPUT DROP [1803:271102]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
> -A FORWARD -p tcp -i eth0 -s xxx.xxx.xxx.xxx/28 -o eth1 -d yyy.yyy.yyy.yyy -j ACCEPT
> -A FORWARD -j LOG
>
> Where xxx.xxx.xxx.xxx is a real network that should be allowed to contact the
> server yyy.yyy.yyy.yyy both of which are having real IP's.

And exactly *what* is not working ? Error messages ?

AFAICS you set OUTPUT to drop but you don't allow ESTABLISHED and RELATED connections out.

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Gr,
Rob

From blancher at cartel-securite.fr Wed Apr 26 13:44:09 2006
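Samuel's and Rob's replies above point at the same mechanism: with every policy at DROP, each reply packet needs a RELATED,ESTABLISHED rule in the chain it traverses, and the posted ruleset has none in OUTPUT and none in FORWARD. The following toy model of filter-table traversal is an added example, not code from the list; the addresses and the eth0/eth1 layout are constructed stand-ins for the poster's xxx.xxx.xxx.xxx/28 and yyy.yyy.yyy.yyy, and it returns the verdicts for a client's SYN and the server's SYN-ACK under the ruleset as posted and with the two suggested state rules added.

```python
"""Toy model of the netfilter filter table: chain traversal, default policy and
the state match with a minimal connection tracker. Added example, not code from
the list, used to trace the ruleset posted in this thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed addresses standing in for the poster's xxx.xxx.xxx.xxx/28 and
# yyy.yyy.yyy.yyy; assumption: the firewall routes between eth0 and eth1.
ALLOWED_NET = "198.51.100.16/28"
CLIENT = "198.51.100.17"   # a host inside the allowed /28
SERVER = "203.0.113.10"    # the server behind eth1
FIREWALL = "203.0.113.1"   # the firewall's own address
ADMIN = "192.0.2.5"        # a host sshing to the firewall itself


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_if: Optional[str]   # None for locally generated packets
    out_if: Optional[str]  # None for locally delivered packets


@dataclass
class Rule:
    """One -A line; None means the match is not specified."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: Optional[Set[str]] = None


def flow_key(p: Packet) -> Tuple:
    """Both directions of a flow map to the same conntrack key."""
    return (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))


def matches(r: Rule, p: Packet, state: str) -> bool:
    """Every match the rule specifies must agree with the packet."""
    if r.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(r.src):
        return False
    if r.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(r.dst):
        return False
    if r.states is not None and state not in r.states:
        return False
    return all(getattr(r, f) is None or getattr(r, f) == getattr(p, f)
               for f in ("proto", "dport", "in_if", "out_if"))


def walk(chain: Tuple[List[Rule], str], p: Packet, state: str) -> str:
    """First terminating match wins; LOG is non-terminating; else the policy."""
    rules, policy = chain
    for r in rules:
        if r.target in ("ACCEPT", "DROP", "REJECT") and matches(r, p, state):
            return r.target
    return policy


def filter_packet(ruleset: dict, p: Packet, flows: Set[Tuple]) -> str:
    """Pick INPUT/OUTPUT/FORWARD by the packet's relation to the firewall;
    an accepted packet confirms its flow so later packets are ESTABLISHED."""
    chain = "INPUT" if p.dst == FIREWALL else "OUTPUT" if p.src == FIREWALL else "FORWARD"
    state = "ESTABLISHED" if flow_key(p) in flows else "NEW"
    verdict = walk(ruleset[chain], p, state)
    if verdict == "ACCEPT":
        flows.add(flow_key(p))
    return verdict


EST = {"RELATED", "ESTABLISHED"}
INPUT = [Rule("ACCEPT", states=EST), Rule("ACCEPT", proto="tcp", dport=22),
         Rule("REJECT", proto="tcp")]
FWD = [Rule("ACCEPT", proto="tcp", in_if="eth0", src=ALLOWED_NET,
            out_if="eth1", dst=SERVER), Rule("LOG")]
# As posted: no OUTPUT rules at all, no state rule in FORWARD, policies DROP.
ORIGINAL = {"INPUT": (INPUT, "DROP"), "FORWARD": (FWD, "DROP"), "OUTPUT": ([], "DROP")}
# With the RELATED,ESTABLISHED rules Samuel and Rob suggest, first in each chain.
FIXED = {"INPUT": (INPUT, "DROP"),
         "FORWARD": ([Rule("ACCEPT", states=EST)] + FWD, "DROP"),
         "OUTPUT": ([Rule("ACCEPT", states=EST)], "DROP")}


def forwarded_ssh(ruleset: dict) -> List[str]:
    """Client SYN through the firewall to the server, then the server's SYN-ACK."""
    flows: Set[Tuple] = set()
    syn = Packet(CLIENT, SERVER, "tcp", 40000, 22, "eth0", "eth1")
    synack = Packet(SERVER, CLIENT, "tcp", 22, 40000, "eth1", "eth0")
    return [filter_packet(ruleset, syn, flows), filter_packet(ruleset, synack, flows)]


def local_ssh(ruleset: dict) -> List[str]:
    """SYN to the firewall's own sshd (INPUT), then its reply (OUTPUT)."""
    flows: Set[Tuple] = set()
    syn = Packet(ADMIN, FIREWALL, "tcp", 40001, 22, "eth0", None)
    synack = Packet(FIREWALL, ADMIN, "tcp", 22, 40001, None, "eth0")
    return [filter_packet(ruleset, syn, flows), filter_packet(ruleset, synack, flows)]
```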
From: blancher at cartel-securite.fr (Cedric Blancher) Date: Wed Apr 26 14:02:57 2006 Subject: Why is this not working??? In-Reply-To: <200604251615.03991.stratism@gmail.com> References: <200604251615.03991.stratism@gmail.com> Message-ID: <1146051849.5244.38.camel@anduril.intranet.cartel-securite.net>

1. You have INPUT rules, but no OUTPUT ones for returning packets.
2. You have a FORWARD rule in one way, but nothing on the other.

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

From realoneone at gmail.com Wed Apr 26 14:37:03 2006
From: realoneone at gmail.com (Real Oneone) Date: Wed Apr 26 14:55:35 2006 Subject: How to re-send out the packets captured by my hook function at NF_IP_PRE_ROUTING Message-ID: <84d7d9cf0604260537v54db80fdoadbd3cc6785f3122@mail.gmail.com>

Hi,

I tried to capture all the packets at NF_IP_PRE_ROUTING, made some changes to some of them, and invoked skb->dev->hard_start_xmit to send them out directly. However, the kernel crashed before I could get any printked information.

If you have any idea of how to send the received packets out, please tell me.

Thank you in advance.

Best regards,
Gu, Xinxing

From debsec at tucows.com Wed Apr 26 14:57:26 2006
From: debsec at tucows.com (Aj Mirani) Date: Wed Apr 26 15:16:47 2006 Subject: Why is this not working??? In-Reply-To: <200604251615.03991.stratism@gmail.com> References: <200604251615.03991.stratism@gmail.com> Message-ID: <20060426125726.GI5568@orbitor.ops.internal.tucows.com>

Why not put something like this into your INPUT chain:

-A INPUT -p tcp -m tcp --dport 22 -s xxx.xxx.xxx.xxx/28 -d yyy.yyy.yyy.yyy -j ACCEPT

Also for your line:

-A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

This is a server wide limit not a per host limit which depending on what you're trying to prevent may not be the best way to do it. If you are trying to prevent a syn attack but still want the server to respond to legitimate requests try something like this:

-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --set --name SYNATTACK --rsource
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 20 --hitcount 10 --name SYNATTACK --rsource -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT

This dynamically puts hosts on a 'blacklist' who are trying to connect too fast (more than 10 times in a 20 second period). With the use of --update it will keep them blacklisted as long as they continue to send packets too fast.

On Tue, Apr 25, 2006 at 04:14:59PM +0300, Stratos Margaritis wrote:
> Can someone help me find out why this rule does not work?
>
> *filter
> :INPUT DROP [1803:271102]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
> -A FORWARD -p tcp -i eth0 -s xxx.xxx.xxx.xxx/28 -o eth1 -d yyy.yyy.yyy.yyy -j ACCEPT
> -A FORWARD -j LOG
>
> Where xxx.xxx.xxx.xxx is a real network that should be allowed to contact the
> server yyy.yyy.yyy.yyy both of which are having real IP's.
>
>
> --
> Stratos
> stratism@gmail.com

--
Aj Mirani
Network Operations
Tucows.com Inc

From dleske at uvic.ca Wed Apr 26 19:33:51 2006
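To see what Aj's three recent rules above do to one source over time, here is an added model (not the list's code) of the recent match as those rules use it: --set records a stamp for every SYN, --update matches once at least --hitcount stamps fall inside --seconds and then records another stamp, and the module's default of 20 stamps kept per address is assumed. The traffic it replays is constructed: one host bursting, then sending every 2 s, then going quiet, beside a host sending a few spaced SYNs.

```python
"""Model of the iptables 'recent' match as used in the three SYN rules above,
to see which SYNs the chain drops over time. Added example, not code from the
list; it follows xt_recent semantics (a match needs at least --hitcount stamps
inside --seconds, and --update records the current packet on a match)."""
from collections import defaultdict, deque
from typing import Dict, List

LIST_TOT = 20   # assumed module default: stamps kept per listed address


class RecentTable:
    """One --name list keyed by source address (--rsource)."""

    def __init__(self) -> None:
        self.stamps: Dict[str, deque] = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, src: str, now: float) -> None:
        """--set: add the address if needed and record this packet's time."""
        self.stamps[src].append(now)

    def update(self, src: str, now: float, seconds: float, hitcount: int) -> bool:
        """--update --seconds S --hitcount H: true if the address is listed with
        at least H stamps in the last S seconds; then also record this packet."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.stamps[src].append(now)
        return True


def syn_verdict(table: RecentTable, src: str, now: float,
                seconds: float = 20, hitcount: int = 10) -> str:
    """Walk the three rules for one packet with SYN set and RST,ACK clear."""
    table.set(src, now)                        # rule 1: --set, no -j, falls through
    if table.update(src, now, seconds, hitcount):
        return "DROP"                          # rule 2: --update ... -j DROP
    return "ACCEPT"                            # rule 3: plain -j ACCEPT


def replay(events: List[tuple]) -> Dict[str, List[str]]:
    """events: (time, src) pairs in time order; returns verdicts per source."""
    table = RecentTable()
    out: Dict[str, List[str]] = defaultdict(list)
    for now, src in events:
        out[src].append(syn_verdict(table, src, now))
    return dict(out)


def scenario() -> Dict[str, List[str]]:
    """Constructed traffic: one host bursts 12 SYNs in about a second, keeps
    sending every 2 s, then goes quiet; a second host sends a few spaced SYNs."""
    bad, good = "198.51.100.9", "192.0.2.44"   # constructed addresses
    events = [(0.1 * i, bad) for i in range(12)]            # burst
    events += [(3 + 2 * k, bad) for k in range(20)]         # steady, still too fast
    events += [(70.0, bad)]                                 # after 29 s of silence
    events += [(5.0 + 15 * j, good) for j in range(4)]      # well-behaved host
    return replay(sorted(events))
```

The burst host is accepted nine times and dropped from the tenth SYN on; it stays dropped while it keeps sending every 2 s and is accepted again once no stamps remain inside the 20 s window.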
From: dleske at uvic.ca (Drew Leske) Date: Wed Apr 26 19:53:45 2006 Subject: Login load balancing Message-ID: <444FAEFF.1040100@uvic.ca>

Hi all,

I'm looking for a solution (and I'm not afraid of devving one if necessary) to load-balance SSH logins over several mostly identical systems. So far the closest I have come is a solution using iptables, but I'm not sure it will work, and I may well be overlooking some other solution. Any ideas would be appreciated. My research has so far turned up little.

We have several systems that are, from a user's perspective, identical. Their home directories are network mounted, libraries are synchronised, and so on, so they don't really care which system they log in to. Their work on these systems can be quite intensive and may consume quite a few resources, but must remain interactive (so a batch system running on a cluster won't do it).

For the users it's a guessing game as to which of the machines they should log in to at any point. They may log in to the first and find it's heavily loaded, and so log in to another, until they find the best. A second difficulty with this is the users have to be aware of which machines are available--and they are named, due to historical reasons, using a non-contiguous numbering scheme.

So instead of the users logging in to bob3, bob6 or bob8, I'd like for them to be able to simply log in to "bob" and be directed to the least-loaded machine.

Round-robining on the switch won't do it, because if one of the systems is absolutely pinned, every Nth login will still wind up there.

Determining which machines are least loaded will not be a problem. The metrics may be gathered using SNMP or some other means from the participating hosts. The problem is entirely in the redirection from 'bob' to 'bob3', 'bob6', 'bob8'.

Logins are exclusively through SSH.
There is no need, and I don't anticipate one (which means there will be some fantastic new request coming in tomorrow) to support other protocols in this manner. The only half-solution I have come up with so far is to define a 'director' box with the 'bob' alias, and then periodically grab load metrics from the participating hosts, determine of the 'bob's which is the least loaded, and then *cough* update a DNAT rule to redirect requests coming in for 'bob' to the least-loaded 'bobX'. The last part feels horky, and I'm not even sure it will work, since later packets coming in may be DNAT'ed to a different machine. Also, the director then routes all the packets for logins to all the boxes. I can't see any way to redirect the initial connection that won't cause all sorts of problems with the client's firewalls. Any ideas? Thanks, Drew. -- Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel) From mailings at netzwerk.cc Wed Apr 26 20:03:52 2006 
From: mailings at netzwerk.cc (Mailings'AT'netzwerk.cc) Date: Wed Apr 26 20:22:43 2006 Subject: Login load balancing In-Reply-To: <444FAEFF.1040100@uvic.ca> References: <444FAEFF.1040100@uvic.ca> Message-ID: <444FB608.10009@netzwerk.cc> Drew Leske wrote: > Hi all, > > I'm looking for a solution (and I'm not afraid of devving one if necessary) > to load-balance SSH logins over several mostly identical systems. So far > the closest I have come is a solution using iptables, but I'm not sure it > will work, and I may well be overlooking some other solution. Any ideas > would be appreciated. My research has so far turned up little. > > We have several systems that are, from a user's perspective, identical. > Their home directories are network mounted, libraries are synchronised, and > so on, so they don't really care which system they log in to. Their work on > these systems can be quite intensive and may consume quite a few resources, > but must remain interactive (so a batch system running on a cluster won't do > it). > > For the users it's a guessing game as to which of the machines they should > log in to at any point. They may log in to the first and find it's heavily > loaded, and so log in to another, until they find the best. A second > difficulty with this is the users have be aware of which machines are > available--and they are named, due to historical reasons, using a > non-contiguous numbering scheme. > > So instead of the users logging in to bob3, bob6 or bob8, I'd like for them > to be able to simply log in to "bob" and be directed to the least-loaded > machine. > > Round-robining on the switch won't do it, because if one of the systems is > absolutely pinned, every Nth login will still wind up there. > > Determining which machines are least loaded will not be a problem. The > metrics may be gathered using SNMP or some other means from the > participating hosts. The problem is entirely in the redirection from 'bob' > to 'bob3', 'bob6', 'bob8'. 
>
> Logins are exclusively through SSH. There is no need, and I don't
> anticipate one (which means there will be some fantastic new request coming
> in tomorrow) to support other protocols in this manner.
>
> The only half-solution I have come up with so far is to define a 'director'
> box with the 'bob' alias, and then periodically grab load metrics from the
> participating hosts, determine of the 'bob's which is the least loaded, and
> then *cough* update a DNAT rule to redirect requests coming in for 'bob' to
> the least-loaded 'bobX'.
>
> The last part feels horky, and I'm not even sure it will work, since later
> packets coming in may be DNAT'ed to a different machine. Also, the director
> then routes all the packets for logins to all the boxes. I can't see any
> way to redirect the initial connection that won't cause all sorts of
> problems with the client's firewalls.
>
> Any ideas?
>
> Thanks,
> Drew.
>

Hi Drew,

maybe you should take a look at the "iptables random" target. Something like

iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \
   -m random --average $[100/$howmuchserveryouvegot] \
   -j DNAT --to $server1
iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \
   -m random --average $[100/$howmuchserveryouvegot] \
   -j DNAT --to $server2
...

Only one idea, but remember "the last rule should really match" ;-)

Hope this is the right syntax.

Best
Sven

From pablo at blueoakdb.com Wed Apr 26 20:20:36 2006
From: pablo at blueoakdb.com (Pablo Sanchez) Date: Wed Apr 26 20:39:18 2006 Subject: Login load balancing In-Reply-To: <444FAEFF.1040100@uvic.ca> Message-ID: <017e01c6695e$1e77d550$0419a8c0@fly>

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Drew Leske > Sent: Wednesday, April 26, 2006 1:34 PM > To: netfilter@lists.netfilter.org > Subject: Login load balancing > > The only half-solution I have come up with so far is to define a 'director' > box with the 'bob' alias, and then periodically grab load metrics from the > participating hosts, determine of the 'bob's which is the least loaded, and > then *cough* update a DNAT rule to redirect requests coming in for 'bob' to > the least-loaded 'bobX'. Hi Drew, I believe the above is what you'll want to implement. As your research has probably already shown, the load balancers in the market are for HTTP. A good load balancer will need to communicate with the backend clients so it has data on load and other metrics necessary for it to make a decision on which server to serve. You could use wget to fetch metrics from all the servers (include a timestamp so you know when your data is stale) and have the director consider this information when it punches down new IPTABLEs rules. Cheers, -pablo From dleske at uvic.ca Wed Apr 26 20:27:51 2006 
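Sven's random-match cascade earlier in this thread hands each rule only the connections the rules before it did not take, so giving every rule the same --average does not give every server the same share, which is what his "the last rule should really match" remark is about. The calculation below is an added example, not the list's code; it treats --average simply as the probability that a rule matches a connection reaching it, and shows both the split that equal values produce and the per-rule values that even it out, with the last rule matching unconditionally.

```python
"""Share of new SSH connections each DNAT target gets from a cascade of
'-m random --average P' PREROUTING rules evaluated in order, as in Sven's
suggestion. Added example, not code from the list."""
from fractions import Fraction
from typing import List, Optional


def target_shares(averages: List[Optional[int]]) -> List[Fraction]:
    """averages[k] is rule k's --average percentage, or None for a rule without
    -m random (it takes everything that reaches it). Returns the fraction of
    connections DNATed by each rule; a rule only sees what earlier ones let pass."""
    remaining = Fraction(1)
    shares = []
    for avg in averages:
        p = Fraction(1) if avg is None else Fraction(avg, 100)
        shares.append(remaining * p)
        remaining -= remaining * p
    return shares


def fallthrough(averages: List[Optional[int]]) -> Fraction:
    """Fraction of connections no rule matched: these are not DNATed at all."""
    return Fraction(1) - sum(target_shares(averages))


def even_averages(n: int) -> List[Optional[int]]:
    """Percentages that spread connections evenly over n targets: rule k must
    take 1/(n-k) of what reaches it, and the last rule matches unconditionally."""
    return [round(100 / (n - k)) for k in range(n - 1)] + [None]
```

With three servers, three rules at --average 33 leave about 30% of logins untouched, while 33, 50 and an unconditional last rule split them almost exactly in thirds.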
From: dleske at uvic.ca (Drew Leske) Date: Wed Apr 26 20:47:44 2006 Subject: Login load balancing In-Reply-To: <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> References: <444FAEFF.1040100@uvic.ca> <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> Message-ID: <444FBBA7.2020501@uvic.ca> >> I'm looking for a solution (and I'm not afraid of devving one if necessary) >> to load-balance SSH logins over several mostly identical systems. > > This sounds like a job for LVS. Have a look at > http://www.linuxvirtualserver.org/ Thanks Sebastian. I should have mentioned however that I have looked at this and I'd like to avoid it. I'm not afraid of compiling my own kernel or software, but here at work we avoid using anything but our distribution's standard kernel package. If it comes down to the choice between using LVS and not providing the load-balancing service at all, I will probably have to choose the latter. -- Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel) From dleske at uvic.ca Wed Apr 26 20:40:10 2006 
From: dleske at uvic.ca (Drew Leske) Date: Wed Apr 26 21:00:05 2006 Subject: Login load balancing In-Reply-To: <017e01c6695e$1e77d550$0419a8c0@fly> References: <017e01c6695e$1e77d550$0419a8c0@fly> Message-ID: <444FBE8A.7080803@uvic.ca> Hi Pablo, Pablo Sanchez wrote: >> The only half-solution I have come up with so far is to define a 'director' >> box with the 'bob' alias, and then periodically grab load metrics from the >> participating hosts, determine of the 'bob's which is the least loaded, and >> then *cough* update a DNAT rule to redirect requests coming in for 'bob' to >> the least-loaded 'bobX'. > > I believe the above is what you'll want to implement. As your research has > probably already shown, the load balancers in the market are for HTTP. A > good load balancer will need to communicate with the backend clients so it > has data on load and other metrics necessary for it to make a decision on > which server to serve. You're right about load-balancing HTTP. Everybody and their dog wants to load-balance HTTP for some reason. ;) But my dog insists on load-balancing SSH. I have also found something called LVS, but as I've mentioned in another post this is unsuitable for us. Grabbing the load data as I've said is no problem--the default SNMP daemon provides CPU load I believe by default, and it's no problem at all to provide for additional information. This part is trivial since I've already implemented SNMP elsewhere. > You could use wget to fetch metrics from all the servers (include a > timestamp so you know when your data is stale) and have the director > consider this information when it punches down new IPTABLEs rules. SNMP would be faster and more lightweight I believe; wget implies I'd have either an HTTP or FTP service running on each of those machines. Plus, these connections would be subject to TCP timeouts, so if one of the machines is down, my metric-gathering script would take forever timing out on it. SNMP fails a lot faster. 
Also, there'd be quite a bit less parsing to do of the results. Thanks for your response! Drew. -- Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel) From thomasinaz at gmail.com Wed Apr 26 21:37:45 2006 
From: thomasinaz at gmail.com (Tom Hurst) Date: Wed Apr 26 21:56:23 2006 Subject: unwanted rule showing in various chains Message-ID: <3cea46bd0604261237h18efa3ebr989526a378d29876@mail.gmail.com>

Hello,

I'm having some trouble setting up my tables the way I would like them. What I'm trying to do is;

1) allow ssh into the router on the $WAN interface
2) allow vnc in to various internal machines
3) allow http, https, ftp, and dns (to the ISP Name Servers) out in a stateful manner from all internal PC's
4) allow ssh from the router to select internal PC's
5) block everything else.

I believe it to be almost complete but there are rules in various places to "ACCEPT all from anywhere" and I don't know what's causing them. Any help would be greatly appreciated.

Thank you,
Tom

##################################################
iptables -L

Chain INPUT (policy DROP)
target          prot opt source               destination
DROP            all  --  anywhere             anywhere            state INVALID
ACCEPT          all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP            tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule      all  --  anywhere             anywhere
ACCEPT          all  --  anywhere             anywhere
DROP            udp  --  anywhere             anywhere
DROP            icmp --  anywhere             anywhere
DROP            gre  --  anywhere             anywhere
DROP            all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target          prot opt source               destination
DROP            all  --  anywhere             anywhere            state INVALID
TCPMSS          tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT          all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule all  --  anywhere             anywhere
ACCEPT          all  --  anywhere             anywhere
ACCEPT          all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target          prot opt source               destination
DROP            all  --  anywhere             anywhere            state INVALID
ACCEPT          all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule     all  --  anywhere             anywhere
DROP            icmp --  anywhere             anywhere
DROP            gre  --  anywhere             anywhere
DROP            udp  --  anywhere             anywhere
DROP            all  --  anywhere             anywhere

Chain forwarding_rule (1 references)
target          prot opt source               destination
ACCEPT          tcp  --  anywhere             192.168.5.170       tcp dpt:5900

Chain input_rule (1 references)
target          prot opt source               destination
ACCEPT          tcp  --  anywhere             anywhere            tcp dpt:22
ACCEPT          tcp  --  anywhere             anywhere            tcp dpt:5900
DROP            icmp -f  anywhere             anywhere
DROP            icmp --  anywhere             anywhere            icmp echo-request
ACCEPT          icmp --  anywhere             anywhere            icmp time-exceeded

Chain output_rule (1 references)
target          prot opt source               destination
ACCEPT          udp  --  (ISP DNS Server)     anywhere            udp spt:53 state NEW,ESTABLISHED
ACCEPT          udp  --  (ISP DNS Server)     anywhere            udp spt:53 state NEW,ESTABLISHED
ACCEPT          tcp  --  anywhere             anywhere            tcp dpt:80 state NEW,ESTABLISHED
ACCEPT          tcp  --  anywhere             anywhere            tcp dpt:443 state NEW,ESTABLISHED

##################################################
/etc/init.d/S45firewall

#!/bin/sh
## Please make changes in /etc/firewall.user

. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
### (connections with the router as destination)

  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule

  # allow
  iptables -A INPUT -i \! $WAN -j ACCEPT       # allow from lan/wifi interfaces
  iptables -A INPUT -p icmp -j DROP            # allow ICMP
  iptables -A INPUT -p gre -j DROP             # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j DROP
  iptables -A INPUT -j DROP
  iptables -P INPUT DROP

### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j DROP
  iptables -A OUTPUT -j DROP
  iptables -P OUTPUT DROP

### FORWARDING
### (connections routed through the router)

  # base case
  iptables -P FORWARD DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP
  iptables -P FORWARD DROP

### MASQ
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

######################################################
USER RULES /etc/firewall

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
WIFI=$(nvram get wifi_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

######PREROUTING#######
#Allow SSH on the WAN interface
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
#Allow VNC on WAN interface
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 5900 -j ACCEPT
#QOS For FTP
iptables -A prerouting_rule -t mangle -p tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -A prerouting_rule -t mangle -p tcp --sport 20 -j TOS --set-tos Maximize-Throughput
#VNC
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 5900 -j DNAT --to (Internal PC):5900

#######INPUT#######
#######(connections with the router as destination)
#Allow SSH on the WAN interface
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
#Allow VNC on WAN interface
iptables -A input_rule -i $WAN -p tcp --dport 5900 -j ACCEPT
# Allow all LAN traffic to router"
#iptables -A input_rule -i br0 -s $LAN -m state --state NEW -j ACCEPT

# icmp_packets
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
iptables -A input_rule -i $WAN --fragment -p ICMP -j DROP

# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
iptables -A input_rule -i $WAN -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
iptables -A input_rule -i $WAN -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#Default INPUT Drop
#iptables -P INPUT DROP

#######OUTPUT#######
#######(connections with the router as source)
#########TEST##############
#Allow DNS
iptables -A output_rule --source (ISP DNS Server) -p udp --source-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A output_rule --source (ISP DNS Server) -p udp --source-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
## http
iptables -A output_rule -o $WAN -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
## https
iptables -A output_rule -o $WAN -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#########TEST##############

#######FORWARDING#######
#######(connections routed thru the router)
#VNC
iptables -A forwarding_rule -i $WAN -p tcp --dport 5900 -d (Internal PC) -j ACCEPT
#Default FORWARD Drop
#iptables -P FORWARD DROP

From c-d.hailfinger.devel.2006 at gmx.net Wed Apr 26 23:37:57 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger) Date: Wed Apr 26 23:57:36 2006 Subject: Login load balancing In-Reply-To: <444FAEFF.1040100@uvic.ca> References: <444FAEFF.1040100@uvic.ca> Message-ID: <444FE835.2010007@gmx.net>

Hi Drew,

what about using a DNS CNAME for bob to bob[368]? If you set the TTL low enough and update your DNS server with the latest data from your SNMP agents continuously, you will achieve exactly what you want without any iptables trickery.
Such a solution is running here and it works fine.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From dleske at uvic.ca Wed Apr 26 23:56:35 2006
From: dleske at uvic.ca (Drew Leske)
Date: Thu Apr 27 00:16:33 2006
Subject: Login load balancing
In-Reply-To: <444FE835.2010007@gmx.net>
References: <444FAEFF.1040100@uvic.ca> <444FE835.2010007@gmx.net>
Message-ID: <444FEC93.6070101@uvic.ca>

Hi Carl,

Carl-Daniel Hailfinger wrote:
> what about using a DNS CNAME for bob to bob[368]? If you set the
> TTL low enough and update your DNS server with the latest data
> from your SNMP agents continuously, you will achieve exactly what
> you want without any iptables trickery.
> Such a solution is running here and it works fine.

That's an interesting solution. I like it. Unfortunately we don't control the DNS--another group here has responsibility for that. I'll chat with them and see if they have provision for remote updates.

Thanks,
Drew.
-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From jesseg at nikola.com Thu Apr 27 02:18:06 2006
From: jesseg at nikola.com (Jesse Gordon)
Date: Thu Apr 27 02:36:49 2006
Subject: IP port over 65535 ?!
Message-ID: <013701c66990$0e9cc500$5e00800a@printserver>

I sometimes see a port number like this in Tcpdump:

10.0.0.76.2049 > 64.x.x.5.796094310: reply ERR 394
64.7.197.5.791752241 > 10.0.0.76.2049: 1460 proc-170106..

Ever seen anything like this? I'm a small natting ISP -- all of the above looks good except that port number of 791752241..

Thanks!

-Jesse Gordon
Nikola Engineering Inc.
224 W. Washington St. Suite 104
Sequim, WA 98382-3371
Tel (360)582-1051
Fax (360)582-1104

From mvolaski at aecom.yu.edu Thu Apr 27 03:12:38 2006
From: mvolaski at aecom.yu.edu (Maurice Volaski)
Date: Thu Apr 27 03:30:57 2006
Subject: iptables is complaining with bogus unknown error 18446744073709551615
In-Reply-To: <200604210738.k3L7cBGO010103@mailgw.aecom.yu.edu>
References: <200604210738.k3L7cBGO010103@mailgw.aecom.yu.edu>
Message-ID:

Automatic kernel module loading! That is an option and it's off by default. When it's off, attempts to load kernel modules are ignored internally, and that's why iptables was failing. It tried to load xt_tcpudp, but was ignored by the kernel.

>
>At least since 2.6.1.16.1, many calls to iptables no longer function
>at least under 64-bit x86, presumably due to a bug in the netfilter
>kernel code.
>
>The problem is still present in 2.6.17-rc2.
>
>The error from iptables is
>iptables: unknown error 18446744073709551615
>
>Examples of rules that give the error are
>
>1) iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT
>2) iptables -A INPUT -i bond0 -s 129.98.90.101/32 -p tcp --dport 497 -j ACCEPT
>3) iptables -A INPUT -i bond0 -s 129.98.90.227/32 -p tcp --dport 22 -j ACCEPT
>
>Example of a rule that does not give the error:
>1) iptables -A INPUT -i bond0 -p ICMP --icmp-type echo-request -s
>129.98.90.13/32 -j ACCEPT
>
>The computer is using IPv4 and not IPv6, which has not been compiled into the
>kernel.
>
>iptables is version 1.3.5.
>
>Kernel configuration related to iptables follows:
>
>lsmod shows
>xt_state 4928 0
>ipt_LOG 8960 0
>ip_conntrack_ftp 10000 0
>ip_conntrack 57880 2 xt_state,ip_conntrack_ftp
>nfnetlink 8520 1 ip_conntrack
>iptable_filter 5440 0
>ip_tables 22168 1 iptable_filter
>x_tables 17800 3 xt_state,ipt_LOG,ip_tables
>

-- 
Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

From admin at ntt.lt Thu Apr 27 09:51:23 2006
From: admin at ntt.lt (Antanas Masevicius)
Date: Thu Apr 27 10:10:03 2006
Subject: asymmetric port translation?
Message-ID: <004c01c669cf$60e9a730$2c00a8c0@Elfas>

Hello,

while trying to run a SIP client under Linux NAT I see the following ip_conntrack table:

udp 17 174 src=192.168.10.10 dst=84.12.0.18 sport=5060 dport=5060 packets=1551 bytes=1075989 src=84.12.0.18 dst=84.12.134.21 sport=5060 dport=5060 packets=3665 bytes=1067143 [ASSURED] mark=0 use=1
udp 17 173 src=192.168.10.10 dst=84.12.0.18 sport=23192 dport=36048 packets=168 bytes=10220 src=84.12.0.18 dst=84.12.134.21 sport=36048 dport=1024 packets=114 bytes=8810 [ASSURED] mark=0 use=1
udp 17 27 src=84.12.0.18 dst=84.12.134.21 sport=36048 dport=23192 packets=40 bytes=2610 [UNREPLIED] src=84.12.134.21 dst=84.12.0.18 sport=23192 dport=36048 packets=0 bytes=0 mark=0 use=1

sport 5060 gets mapped to sport 5060 on outgoing IP 84.12.134.21, but in the next line sport 23192 gets mapped to port 1024; later, when my rtpproxy 84.12.0.18 tries to send to 23192, it gets UNREPLIED.

my box:
linux version: 2.6.16.9
iptables v1.2.11

natting is performed with:
iptables -A POSTROUTING -s 192.168.10.0/24 -d 0/0 -p all -t nat -j SNAT --to-source 84.12.134.21

is it normal PAT behaviour? I am not sure, but it seems that older versions of linux/iptables didn't expose such behaviour. Is there a workaround for such a thing? Maybe it is related to the usage of higher ports - strange that 5060 always gets mapped correctly. This box isn't loaded so there is no port shortage.

regards,
Antanas Masevicius

From arnt at c2i.net Thu Apr 27 12:16:19 2006
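A small parser for the ip_conntrack entries in Antanas's mail above, added here as an example (not code from the mail or from the netfilter project): it flags outbound SNAT flows whose source port did not survive translation and inbound UNREPLIED entries that matched no mapping. SNAT_IP is the --to-source address from his POSTROUTING rule and the three conntrack lines he posted are used as the sample input.

```python
"""Parse ip_conntrack entries and flag SNAT source-port rewrites.

Added example, not code from the original mail. SNAT_IP is the
--to-source address from the POSTROUTING rule in the mail; the sample
is the ip_conntrack output Antanas posted, one entry per line.
"""
from dataclasses import dataclass, field

SNAT_IP = "84.12.134.21"
TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")

CONNTRACK_SAMPLE = """\
udp 17 174 src=192.168.10.10 dst=84.12.0.18 sport=5060 dport=5060 packets=1551 bytes=1075989 src=84.12.0.18 dst=84.12.134.21 sport=5060 dport=5060 packets=3665 bytes=1067143 [ASSURED] mark=0 use=1
udp 17 173 src=192.168.10.10 dst=84.12.0.18 sport=23192 dport=36048 packets=168 bytes=10220 src=84.12.0.18 dst=84.12.134.21 sport=36048 dport=1024 packets=114 bytes=8810 [ASSURED] mark=0 use=1
udp 17 27 src=84.12.0.18 dst=84.12.134.21 sport=36048 dport=23192 packets=40 bytes=2610 [UNREPLIED] src=84.12.134.21 dst=84.12.0.18 sport=23192 dport=36048 packets=0 bytes=0 mark=0 use=1
"""


@dataclass
class Entry:
    proto: str
    timeout: int
    orig: dict = field(default_factory=dict)   # direction that created the entry
    reply: dict = field(default_factory=dict)  # what the peer sends back to us
    flags: set = field(default_factory=set)    # ASSURED, UNREPLIED, ...


def parse_entry(line: str) -> Entry:
    """Parse one /proc/net/ip_conntrack line (2.6-era layout)."""
    tokens = line.split()
    entry = Entry(proto=tokens[0], timeout=int(tokens[2]))
    current = entry.orig
    for tok in tokens[3:]:
        if tok.startswith("["):
            entry.flags.add(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key not in TUPLE_KEYS:
            continue  # mark=, use= and similar per-entry fields are not needed here
        # The six tuple keys appear twice; the second "src" starts the reply tuple.
        if key in current and current is entry.orig:
            current = entry.reply
        current[key] = int(value) if value.isdigit() else value
    return entry


def parse_conntrack(text: str) -> list:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def port_rewrites(text: str, snat_ip: str = SNAT_IP) -> list:
    """(inside host, inside sport, port the peer sees) for every SNAT flow
    whose source port did not survive translation."""
    hits = []
    for e in parse_conntrack(text):
        o, r = e.orig, e.reply
        # Outbound SNAT flow: the peer replies to snat_ip, and the port it
        # replies to (reply dport) is the translated source port.
        if r.get("dst") == snat_ip and o["src"] != snat_ip and r["dport"] != o["sport"]:
            hits.append((o["src"], o["sport"], r["dport"]))
    return hits


def unmapped_inbound(text: str, snat_ip: str = SNAT_IP) -> list:
    """(peer, peer sport, port on snat_ip) for packets that reached the NAT box
    but matched no existing mapping, so nothing forwarded them inside."""
    return [(e.orig["src"], e.orig["sport"], e.orig["dport"])
            for e in parse_conntrack(text)
            if "UNREPLIED" in e.flags and e.orig["dst"] == snat_ip]


if __name__ == "__main__":
    for inside, sport, mapped in port_rewrites(CONNTRACK_SAMPLE):
        print(f"{inside}:{sport} leaves as {SNAT_IP}:{mapped} (source port rewritten)")
    for peer, psport, dport in unmapped_inbound(CONNTRACK_SAMPLE):
        print(f"{peer}:{psport} -> {SNAT_IP}:{dport} has no mapping (UNREPLIED)")
```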
From: arnt at c2i.net (Arnt Karlsen)
Date: Thu Apr 27 12:34:58 2006
Subject: Login load balancing
In-Reply-To: <444FBBA7.2020501@uvic.ca>
References: <444FAEFF.1040100@uvic.ca> <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> <444FBBA7.2020501@uvic.ca>
Message-ID: <20060427121619.3e2bf426.arnt@c2i.net>

On Wed, 26 Apr 2006 11:27:51 -0700, Drew wrote in message <444FBBA7.2020501@uvic.ca>:

> >> I'm looking for a solution (and I'm not afraid of devving one if
> >> necessary) to load-balance SSH logins over several mostly identical
> >> systems.
> >
> > This sounds like a job for LVS. Have a look at
> > http://www.linuxvirtualserver.org/
>
> Thanks Sebastian. I should have mentioned however that I have looked
> at this and I'd like to avoid it. I'm not afraid of compiling my own
> kernel or software, but here at work we avoid using anything but our
> distribution's standard kernel package. If it comes down to the
> choice between using LVS and not providing the load-balancing service
> at all, I will probably have to choose the latter.

..check out sdm and sdm-terminal, if you wanna provide X logins over ssh, the user sees a menu to choose from and you should be able to "pile up the good boxes" on top of that menu listing:

arnt@a45:~ $ apt-cache search sdm
bsdmainutils - collection of more utilities from FreeBSD
bsdutils - Basic utilities from 4.4BSD-Lite
cfv - versatile file checksum creator and verifier
sdm - Secure Display Manager - secure remote access to X11
sdm-terminal - Secure Display Manager - terminal files
turqstat - Fidonet and Usenet statistics program
xturqstat - Fidonet and Usenet statistics program for X
arnt@a45:~ $ apt-cache show sdm sdm-terminal
Package: sdm
Priority: optional
Section: x11
Installed-Size: 124
Maintainer: Jonas Smedegaard
Architecture: all
Version: 0.4.0b-3
Depends: openssh-server | ssh | ssh-server, dash, xbase-clients, x11-common | xfree86-common
Recommends: xdialog
Suggests: wmanager, selectwm, icewm | x-window-manager, xterm | x-terminal-emulator
Filename: pool/main/s/sdm/sdm_0.4.0b-3_all.deb
Size: 14108
MD5sum: 0fdab9298ea0f4e42426d67ccb31b9c4
Description: Secure Display Manager - secure remote access to X11
 sdm is an X11 display manager similar to xdm, gdm and kdm, but unlike
 those it wraps the X11 traffic within an ssh tunnel to provide a secure
 login mechanism for remote X sessions. sdm provides access only through
 SSH, not locally. It is technically possible to access an sdm server
 from same host, but probably a waste of CPU power.
 .
 This package should be installed on any server acting as SDM server.
 .
 Homepage: http://www.lessdisks.net/
Tag: interface::daemon, interface::x11, role::sw:server, use::login, x11::display-manager

Package: sdm-terminal
Priority: optional
Section: x11
Installed-Size: 108
Maintainer: Jonas Smedegaard
Architecture: all
Source: sdm
Version: 0.4.0b-3
Depends: openssh-client | ssh | ssh-client, dash, xserver-xorg | xserver-xfree86 | xserver, xbase-clients
Recommends: xdialog
Filename: pool/main/s/sdm/sdm-terminal_0.4.0b-3_all.deb
Size: 13692
MD5sum: 93ad42913ddf30c04da3a2a4c239c49d
Description: Secure Display Manager - terminal files
 sdm is an X11 display manager similar to xdm, gdm and kdm, but unlike
 those it wraps the X11 traffic within an ssh tunnel to provide a secure
 login mechanism for remote X sessions. sdm provides access only through
 SSH, not locally. It is technically possible to access an sdm server
 from same host, but probably a waste of CPU power.
 .
 This package contains helper files for a terminal to connect to an sdm
 server, and should be installed on any computer accessing an sdm server.
 .
 Homepage: http://www.lessdisks.net/
Tag: admin::login, role::content:data, security::authentication, use::login, x11::display-manager
arnt@a45:~ $

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.

From michael at grife.net Thu Apr 27 12:31:45 2006
From: michael at grife.net (michael@grife.net)
Date: Thu Apr 27 12:50:28 2006
Subject: Login load balancing
In-Reply-To: <444FEC93.6070101@uvic.ca>
References: <444FAEFF.1040100@uvic.ca> <444FE835.2010007@gmx.net> <444FEC93.6070101@uvic.ca>
Message-ID:

On Wed, 26 Apr 2006, Drew Leske wrote:

> Unfortunately we don't control the DNS--another group here has
> responsibility for that. I'll chat with them and see if they have provision
> for remote updates.

There is another possibility you could consider. Instead of having them enable remote updates, get them to delegate a new zone for you.

All you would need to do then is set up some bind servers. You would then have direct access to update the A records.

-- 
Michael
michael@grife.net

From stratism at gmail.com Thu Apr 27 09:13:15 2006
From: stratism at gmail.com (Stratos Margaritis)
Date: Thu Apr 27 14:16:04 2006
Subject: Why is this not working???
In-Reply-To: <20060426125726.GI5568@orbitor.ops.internal.tucows.com>
References: <200604251615.03991.stratism@gmail.com> <20060426125726.GI5568@orbitor.ops.internal.tucows.com>
Message-ID: <200604271013.18777.stratism@gmail.com>

Well I am trying to forward packets from the outside world to some machines inside. All machines have real IPs and when I use:

-A FORWARD -j ACCEPT

everything works fine. But what I want to do is to also filter packets as well as who has access to my internal machines.

On Wed 26 Apr 2006 15:57, Aj Mirani wrote:
> Why not put something like this into your INPUT chain:
>
> -A INPUT -p tcp -m tcp --dport 22 -s xxx.xxx.xxx.xxx/28 -d yyy.yyy.yyy.yyy -j ACCEPT
>
> Also for your line:
> -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
>
> This is a server wide limit not a per host limit which depending on what
> you're trying to prevent may not be the best way to do it.
>
> If you are trying to prevent a syn attack but still want the server to
> respond to legitimate requests try something like this:
>
> -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --set --name SYNATTACK --rsource
> -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 20 --hitcount 10 --name SYNATTACK --rsource -j DROP
> -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>
> This dynamically puts hosts on a 'blacklist' who are trying to connect
> too fast (more than 10 times in a 20 second period.) With the use of
> --update it will keep them blacklisted as long as they continue to send
> packets too fast.
>
> On Tue, Apr 25, 2006 at 04:14:59PM +0300, Stratos Margaritis wrote:
> > Can someone help me find out why this rule does not work?
> >
> > *filter
> >
> > :INPUT DROP [1803:271102]
> > :FORWARD DROP [0:0]
> > :OUTPUT DROP [0:0]
> >
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> > -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
> > -A FORWARD -p tcp -i eth0 -s xxx.xxx.xxx.xxx/28 -o eth1 -d yyy.yyy.yyy.yyy -j ACCEPT
> > -A FORWARD -j LOG
> >
> > Where xxx.xxx.xxx.xxx is a real network that should be allowed to contact
> > the server yyy.yyy.yyy.yyy, both of which have real IPs.
> >
> > --
> > Stratos
> > stratism@gmail.com

-- 
Stratos
stratism@gmail.com

From laforge at netfilter.org Thu Apr 27 15:51:19 2006
From: laforge at netfilter.org (Harald Welte)
Date: Thu Apr 27 16:27:39 2006
Subject: iptables is complaining with bogus unknown error 18446744073709551615
In-Reply-To:
References: <200604210738.k3L7cBGO010103@mailgw.aecom.yu.edu>
Message-ID: <20060427135119.GB5177@rama>

On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:

> Automatic kernel module loading! That is an option and it's off by
> default. When it's off, attempts to load kernel modules are ignored
> internally, and that's why iptables was failing. It tried to load
> xt_tcpudp, but was ignored by the kernel.

What do you mean by "it's an option" and "is off by default"? I would claim that any major linux distribution that I've seen in the last ten years has support for module auto loading (enabled by default).

There are many userspace programs that try to autoload modules, such as device-mapper, ipsec, etc. If you disable module autoloading, it's your own responsibility to load modules manually.

So the only thing that I really consider a bug is that bogus error message of iptables. This has been fixed in SVN, case closed.

-- 
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie

From debsec at tucows.com Thu Apr 27 16:30:27 2006
From: debsec at tucows.com (Aj Mirani)
Date: Thu Apr 27 16:49:45 2006
Subject: Why is this not working???
In-Reply-To: <200604271013.18777.stratism@gmail.com>
References: <200604251615.03991.stratism@gmail.com> <20060426125726.GI5568@orbitor.ops.internal.tucows.com> <200604271013.18777.stratism@gmail.com>
Message-ID: <20060427143027.GS5568@orbitor.ops.internal.tucows.com>

Ah, I see... I believe what you need to do is put these rules in the PREROUTING chain. Something like:

iptables -t nat -A PREROUTING -p tcp -s xxx.xxx.xxx.xxx/28 -d yyy.yyy.yyy.yyy -j ACCEPT

Check out this iptables flow chart - it should help clear things up a little about how packets traverse the different chains:

http://cs.senecac.on.ca/~selmys/subjects/sec830-051/iptables.gif

-aj

On Thu, Apr 27, 2006 at 10:13:15AM +0300, Stratos Margaritis wrote:
> Well I am trying to forward packets from the outside world to some machines
> inside. All machines have real IPs and when I use:
> -A FORWARD -j ACCEPT
> everything works fine. But what I want to do is to also filter packets as well
> as who has access to my internal machines.
>
> On Wed 26 Apr 2006 15:57, Aj Mirani wrote:
> > Why not put something like this into your INPUT chain:
> >
> > -A INPUT -p tcp -m tcp --dport 22 -s xxx.xxx.xxx.xxx/28 -d yyy.yyy.yyy.yyy -j ACCEPT
> >
> > Also for your line:
> > -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
> >
> > This is a server wide limit not a per host limit which depending on what
> > you're trying to prevent may not be the best way to do it.
> >
> > If you are trying to prevent a syn attack but still want the server to
> > respond to legitimate requests try something like this:
> > -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --set --name SYNATTACK --rsource
> > -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m recent --update --seconds 20 --hitcount 10 --name SYNATTACK --rsource -j DROP
> > -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> >
> > This dynamically puts hosts on a 'blacklist' who are trying to connect
> > too fast (more than 10 times in a 20 second period.) With the use of
> > --update it will keep them blacklisted as long as they continue to send
> > packets too fast.
> >
> > On Tue, Apr 25, 2006 at 04:14:59PM +0300, Stratos Margaritis wrote:
> > > Can someone help me find out why this rule does not work?
> > >
> > > *filter
> > >
> > > :INPUT DROP [1803:271102]
> > > :FORWARD DROP [0:0]
> > > :OUTPUT DROP [0:0]
> > >
> > > -A INPUT -i lo -j ACCEPT
> > > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> > > -A INPUT -p icmp -j ACCEPT
> > > -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> > > -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
> > > -A FORWARD -p tcp -i eth0 -s xxx.xxx.xxx.xxx/28 -o eth1 -d yyy.yyy.yyy.yyy -j ACCEPT
> > > -A FORWARD -j LOG
> > >
> > > Where xxx.xxx.xxx.xxx is a real network that should be allowed to contact
> > > the server yyy.yyy.yyy.yyy, both of which have real IPs.
> > >
> > > --
> > > Stratos
> > > stratism@gmail.com
>
> --
> Stratos
> stratism@gmail.com

-- 
Aj Mirani
Network Operations
Tucows.com Inc

From mvolaski at aecom.yu.edu Thu Apr 27 17:41:40 2006
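To see how the three `-m recent` rules quoted in the thread above behave over time, here is an added model (not Aj's code, nor the netfilter project's) of xt_recent's per-address timestamp list: --set always records a stamp, --update records one only when the --seconds/--hitcount check matches, and the kernel keeps the last 20 stamps per address by default (ip_pkt_list_tot). The two hosts and their SYN arrival times are constructed for the example.

```python
"""Model of the three `-m recent` SYN rules (added example, not from the mail).

Each address in the "SYNATTACK" list carries up to PKT_LIST_TOT arrival
stamps (xt_recent's ip_pkt_list_tot default).  --set always appends a
stamp; --update appends one only when the --seconds/--hitcount check
matches, which is what keeps a fast sender blacklisted.
"""
from collections import defaultdict, deque

PKT_LIST_TOT = 20                    # stamps kept per address (kernel default)
SECONDS, HITCOUNT = 20, 10           # from the --update rule in the mail

# Constructed hosts (RFC 5737 documentation addresses), not from the mail.
FLOODER, CLIENT = "203.0.113.5", "198.51.100.7"


class RecentList:
    """One `-m recent --name` table keyed by source address (--rsource)."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # --set: create the entry if needed and record this packet's time.
        self.stamps[src].append(now)

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        # --update --seconds S --hitcount N: match if the address is known and
        # at least N stamps are younger than S seconds (strict compare, as in
        # the kernel); on a match, refresh the entry with another stamp.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t < seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def run_syn_chain(events):
    """Push (time, src) SYN arrivals through the three rules in order.

    Rule 1 (--set) has no -j, so every SYN falls through to rule 2; rule 2
    DROPs when --update matches; rule 3 ACCEPTs whatever is left.
    """
    table = RecentList()
    verdicts = []
    for now, src in sorted(events):
        table.set(src, now)
        verdict = "DROP" if table.update(src, now) else "ACCEPT"
        verdicts.append((now, src, verdict))
    return verdicts


def sample_events():
    # Flooder: 12 SYNs within 1.1 s, then one SYN every 2 s until t=59.
    events = [(i / 10, FLOODER) for i in range(12)]
    events += [(float(t), FLOODER) for t in range(3, 60, 2)]
    # Well-behaved client: two SYNs half a minute apart.
    events += [(0.5, CLIENT), (30.0, CLIENT)]
    return events


def summarize(verdicts):
    """Return {src: (accepted, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for _, src, verdict in verdicts:
        counts[src][0 if verdict == "ACCEPT" else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


if __name__ == "__main__":
    results = run_syn_chain(sample_events())
    for src, (ok, dropped) in summarize(results).items():
        print(f"{src}: {ok} accepted, {dropped} dropped")
```

The flooder's tenth SYN inside the window is the first one dropped, and because every later SYN still adds a stamp (via --set, and again via the matching --update) it stays blocked for as long as it keeps sending every two seconds, while the client's two SYNs pass.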
From: mvolaski at aecom.yu.edu (Maurice Volaski)
Date: Thu Apr 27 17:59:58 2006
Subject: iptables is complaining with bogus unknown error 18446744073709551615
In-Reply-To: <20060427135119.GB5177@rama>
References: <200604210738.k3L7cBGO010103@mailgw.aecom.yu.edu> <20060427135119.GB5177@rama>
Message-ID:

>On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
>> Automatic kernel module loading! That is an option and it's off by
>> default. When it's off, attempts to load kernel modules are ignored
>> internally, and that's why iptables was failing. It tried to load
>> xt_tcpudp, but was ignored by the kernel.
>
>What do you mean by "it's an option" and "is off by default". I would
>claim that any major linux distribution that I've seen in the last ten
>years has support for module auto loading (enabled by default).
>

Distribution vendors are free to change it to whatever they want, I guess, but it's OFF by default in the official kernel (.config).

-- 
Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

From dleske at uvic.ca Thu Apr 27 19:34:52 2006
From: dleske at uvic.ca (Drew Leske)
Date: Thu Apr 27 19:55:05 2006
Subject: Login load balancing
In-Reply-To: <20060427121619.3e2bf426.arnt@c2i.net>
References: <444FAEFF.1040100@uvic.ca> <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> <444FBBA7.2020501@uvic.ca> <20060427121619.3e2bf426.arnt@c2i.net>
Message-ID: <445100BC.1080907@uvic.ca>

> ..check out sdm and sdm-terminal, if you wanna provide X logins over
> ssh, the user sees a menu to choose from and you should be able to
> "pile up the good boxes" on top of that menu listing:

Interesting, and I might find this useful elsewhere, but for this issue I need to support console logins as well.

Thanks though!
Drew.
-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From dleske at uvic.ca Thu Apr 27 19:37:58 2006
From: dleske at uvic.ca (Drew Leske)
Date: Thu Apr 27 19:58:25 2006
Subject: Login load balancing
In-Reply-To:
References: <444FAEFF.1040100@uvic.ca> <444FE835.2010007@gmx.net> <444FEC93.6070101@uvic.ca>
Message-ID: <44510176.7020108@uvic.ca>

michael@grife.net wrote:
> On Wed, 26 Apr 2006, Drew Leske wrote:
>
>> Unfortunately we don't control the DNS--another group here has
>> responsibility for that. I'll chat with them and see if they have
>> provision
>> for remote updates.
>
> There is another possibility you could consider. Instead of having them
> enable remote updates, get them to delegate a new zone for you.
>
> All you would need to do then is setup some bind servers. You would then
> have direct access to update the A records.

I considered that, but then I'm implementing a service provided by experts in another group. (I provide a BIND server internally for our cluster, but not one with public access.) This is, shall we say, "discouraged" (for good reason--it's one more thing to be an expert in and we've already got experts elsewhere).

Thanks!
Drew.
-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From dleske at uvic.ca Thu Apr 27 19:42:17 2006
From: dleske at uvic.ca (Drew Leske)
Date: Thu Apr 27 20:02:17 2006
Subject: Login load balancing
In-Reply-To: <444FAEFF.1040100@uvic.ca>
References: <444FAEFF.1040100@uvic.ca>
Message-ID: <44510279.5040409@uvic.ca>

A big thanks to everybody who took the time to consider my problem and especially to those who responded. I got a lot of great suggestions. I'll see what I come up with and if I find one that works using iptables I'll let you all know--it just might be useful to somebody else as well.

Cheers,
Drew.

Drew Leske wrote:
> Hi all,
>
> I'm looking for a solution (and I'm not afraid of devving one if necessary)
> to load-balance SSH logins over several mostly identical systems. So far
> the closest I have come is a solution using iptables, but I'm not sure it
> will work, and I may well be overlooking some other solution. Any ideas
> would be appreciated. My research has so far turned up little.
>
> We have several systems that are, from a user's perspective, identical.
> Their home directories are network mounted, libraries are synchronised, and
> so on, so they don't really care which system they log in to. Their work on
> these systems can be quite intensive and may consume quite a few resources,
> but must remain interactive (so a batch system running on a cluster won't do
> it).
>
> For the users it's a guessing game as to which of the machines they should
> log in to at any point. They may log in to the first and find it's heavily
> loaded, and so log in to another, until they find the best. A second
> difficulty with this is the users have be aware of which machines are
> available--and they are named, due to historical reasons, using a
> non-contiguous numbering scheme.
>
> So instead of the users logging in to bob3, bob6 or bob8, I'd like for them
> to be able to simply log in to "bob" and be directed to the least-loaded
> machine.
>
> Round-robining on the switch won't do it, because if one of the systems is
> absolutely pinned, every Nth login will still wind up there.
>
> Determining which machines are least loaded will not be a problem. The
> metrics may be gathered using SNMP or some other means from the
> participating hosts. The problem is entirely in the redirection from 'bob'
> to 'bob3', 'bob6', 'bob8'.
>
> Logins are exclusively through SSH. There is no need, and I don't
> anticipate one (which means there will be some fantastic new request coming
> in tomorrow) to support other protocols in this manner.
>
> The only half-solution I have come up with so far is to define a 'director'
> box with the 'bob' alias, and then periodically grab load metrics from the
> participating hosts, determine of the 'bob's which is the least loaded, and
> then *cough* update a DNAT rule to redirect requests coming in for 'bob' to
> the least-loaded 'bobX'.
>
> The last part feels horky, and I'm not even sure it will work, since later
> packets coming in may be DNAT'ed to a different machine. Also, the director
> then routes all the packets for logins to all the boxes. I can't see any
> way to redirect the initial connection that won't cause all sorts of
> problems with the client's firewalls.
>
> Any ideas?
>
> Thanks,
> Drew.
>

-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From laforge at netfilter.org Thu Apr 27 21:24:30 2006
From: laforge at netfilter.org (Harald Welte)
Date: Thu Apr 27 21:50:23 2006
Subject: CONFIG_KMOD in x86_64/defconfig (was Re: iptables is complaining with bogus unknown error 18446744073709551615)
In-Reply-To:
References: <200604210738.k3L7cBGO010103@mailgw.aecom.yu.edu> <20060427135119.GB5177@rama>
Message-ID: <20060427192430.GE21823@rama>

On Thu, Apr 27, 2006 at 11:41:40AM -0400, Maurice Volaski wrote:

> >On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
> >> Automatic kernel module loading! That is an option and it's off by
> >> default. When it's off, attempts to load kernel modules are ignored
> >> internally, and that's why iptables was failing. It tried to load
> >> xt_tcpudp, but was ignored by the kernel.
> >What do you mean by "it's an option" and "is off by default". I would
> >claim that any major linux distribution that I've seen in the last ten
> >years has support for module auto loading (enabled by default).
>
> Distribution vendors are free to change it to whatever they want, I guess, but it's OFF by
> default in the official kernel (.config).

apparently architecture-specific:

grep KMOD arch/i386/defconfig
CONFIG_KMOD=y

grep KMOD arch/x86_64/defconfig
CONFIG_KMOD is not set

don't know why x86_64 turns it off by default. the help message says 'if unsure, say Y' (which makes sense!)

-- 
- Harald Welte http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie

From mvolaski at aecom.yu.edu Thu Apr 27 22:00:30 2006
From: mvolaski at aecom.yu.edu (Maurice Volaski)
Date: Thu Apr 27 22:18:46 2006
Subject: CONFIG_KMOD in x86_64/defconfig (was Re: iptables is complaining with bogus unknown error 18446744073709551615)
In-Reply-To: <20060427192430.GE21823@rama>
References: <200604210738.k3L7cBGO010103@mailgw.aecom.yu.edu> <20060427135119.GB5177@rama> <20060427192430.GE21823@rama>
Message-ID:

>On Thu, Apr 27, 2006 at 11:41:40AM -0400, Maurice Volaski wrote:
>> >On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
>> >> Automatic kernel module loading! That is an option and it's off by
>> >> default. When it's off, attempts to load kernel modules are ignored
>> >> internally, and that's why iptables was failing. It tried to load
>> >> xt_tcpudp, but was ignored by the kernel.
>> >What do you mean by "it's an option" and "is off by default". I would
>> >claim that any major linux distribution that I've seen in the last ten
>> >years has support for module auto loading (enabled by default).
>>
>> Distribution vendors are free to change it to whatever they want,
>> I guess, but it's OFF by
>> default in the official kernel (.config).
>
>apparently architecture-specific:
>
>grep KMOD arch/i386/defconfig
>CONFIG_KMOD=y
>
>grep KMOD arch/x86_64/defconfig
>CONFIG_KMOD is not set
>
>don't know why x86_64 turns it off by default. the help message says

A typo, perhaps? If so, won't be for much longer:

http://bugzilla.kernel.org/show_bug.cgi?id=6451

-- 
Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

From netdenizen at gmail.com Thu Apr 27 22:50:50 2006
From: netdenizen at gmail.com (denizen)
Date: Thu Apr 27 23:09:33 2006
Subject: SNAT or MASQ or both?
Message-ID:

I'm creating a gateway that has dynamic addresses for most of the internal machines. I'm using masquerading successfully but my question is this... I have some machines for which I want to use static internal addresses... do I need to set up an SNAT rule for these machines or is masquerading adequate? A brief sentence in a how-to made me think maybe masquerading wasn't the right way to go for these machines... but I'm not sure.

Thanks in advance.

Dennis

From rob at sterenborg.info Fri Apr 28 00:37:15 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Fri Apr 28 00:56:03 2006
Subject: SNAT or MASQ or both?
In-Reply-To:
Message-ID: <001901c66a4b$22a02590$0101000a@sterenborg.info>

netfilter-bounces@lists.netfilter.org scribbled on Thursday, 27 April 2006 22:51:

> I'm creating a gateway that has dynamic addresses for most of the
> internal machines. I'm using masquerading successfully but my
> question is this...i have some machines for which I want to use static
> internal addresses...do i need to setup an snat rule for these
> machines or is masquerading adequate? A brief sentence in a how-to
> made me think maybe masquerading wasn't the right way to go for these
> machines...but i'm not sure.

That's about *external* dynamic IP addresses, not internal. Use SNAT if you have a static external IP (and are not using a ppp adapter for your internet connection, if I remember correctly).

Gr,
Rob

From phil at pricom.com.au Fri Apr 28 02:50:03 2006
From: phil at pricom.com.au (Philip Rhoades)
Date: Fri Apr 28 03:08:50 2006
Subject: IP drop question
Message-ID: <1146185403.29318.7.camel@prix.pricom.com.au>

People,

My config does not appear to be dropping unauthorised IPs - in my logwatch file I am still getting lines like:

Failed logins from:
211.238.253.248: 54 times

Illegal users from:
202.110.131.27: 1 time
211.238.253.248: 164 times

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user administrator : 1 time(s)

My config is this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -j LOG --log-prefix "ssh connect:"
-A INPUT -p tcp -m tcp -s 149.171.173.169 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 203.166.81.114 --dport 22 -j ACCEPT
# -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 --syn -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 --syn -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p udp -m udp -s 149.171.173.169 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 203.166.81.114 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
-A INPUT -j LOG --log-level alert
-A INPUT -j LOG --log-prefix "Dropped: "
COMMIT

Can someone point out what I am doing wrong?

Thanks,

Phil.
-- 
Philip Rhoades

Pricom Pty Limited (ACN 003 252 275 ABN 91 003 252 275)
GPO Box 3411
Sydney NSW 2001
Australia
Mobile: +61:(0)411-185-652
Fax: +61:(0)2-8221-9599
E-mail: phil@pricom.com.au

From sergey at fidoman.ru Fri Apr 28 10:47:02 2006
From: sergey at fidoman.ru (Sergey Dorofeev)
Date: Fri Apr 28 11:05:58 2006
Subject: iptablet DNAT rule
Message-ID: <009701c66aa0$51f6fad0$151010ac@prodo.ru>

Hello.

I cannot understand the logic of such a rule. 172.16.16.1 has the rule:

[0:0] -A PREROUTING -d 172.16.16.1 -p udp -m udp --dport 6400:6419 -j DNAT --to-destination 172.16.16.14:6400

But only some packets pass through it:

(172.16.16.1)
12:14:33.197569 IP 172.31.255.10.59130 > 172.16.16.1.6409: UDP, length: 8    -- this packet rejected
12:14:33.197613 IP 172.16.16.1 > 172.31.255.10: icmp 204: 172.16.16.1 udp port 6409 unreachable
12:14:33.416206 IP 172.31.255.1.51908 > 172.16.16.1.6400: UDP, length: 1464
12:14:33.427087 IP 172.31.255.14.53870 > 172.16.16.1.6413: UDP, length: 312
12:14:36.619363 IP 172.31.255.9.51978 > 172.16.16.1.6409: UDP, length: 6    -- and this passed

(172.16.16.14)
12:18:35.349735 IP 172.31.255.7.49988 > 172.16.16.14.6400: UDP, length: 120
12:18:36.973405 IP 172.31.255.1.51908 > 172.16.16.14.6400: UDP, length: 1464
12:18:37.171828 IP 172.31.255.9.51978 > 172.16.16.14.6400: UDP, length: 1128
12:18:38.215781 IP 172.31.255.3.55501 > 172.16.16.14.6400: UDP, length: 360
12:18:39.549072 IP 172.31.255.8.50953 > 172.16.16.14.6400: UDP, length: 72
12:18:42.405602 IP 172.31.255.4.49547 > 172.16.16.14.6400: UDP, length: 408
12:18:42.973790 IP 172.31.255.1.51908 > 172.16.16.14.6400: UDP, length: 1464
12:18:43.392740 IP 172.31.255.12.52400 > 172.16.16.14.6400: UDP, length: 456
12:18:44.974014 IP 172.31.255.1.51908 > 172.16.16.14.6400: UDP, length: 1464
12:18:44.984748 IP 172.31.255.14.53870 > 172.16.16.14.6400: UDP, length: 312
12:18:48.177249 IP 172.31.255.9.51978 > 172.16.16.14.6400: UDP, length:    -- here it is

What's wrong?

# uname -a
Linux gw.prodo.ru 2.6.16.5 #5 SMP Fri Apr 21 15:32:34 MSD 2006 i686 GNU/Linux
# iptables -V
iptables v1.3.5

From arnt at c2i.net Fri Apr 28 12:00:05 2006
From: arnt at c2i.net (Arnt Karlsen)
Date: Fri Apr 28 12:19:53 2006
Subject: Login load balancing
In-Reply-To: <445100BC.1080907@uvic.ca>
References: <444FAEFF.1040100@uvic.ca> <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> <444FBBA7.2020501@uvic.ca> <20060427121619.3e2bf426.arnt@c2i.net> <445100BC.1080907@uvic.ca>
Message-ID: <20060428120005.4d940e7b.arnt@c2i.net>

On Thu, 27 Apr 2006 10:34:52 -0700, Drew wrote in message
<445100BC.1080907@uvic.ca>:

> > ..check out sdm and sdm-terminal, if you wanna provide X logins over
> > ssh, the user sees a menu to choose from and you should be able to
> > "pile up the good boxes" on top of that menu listing:
>
> Interesting, and I might find this useful elsewhere, but for this
> issue I need to support console logins as well.

..and this can't? At the very least you should be able to offer console
logins from the sdm-terminal X menu, and then there's offering a console
menu from /etc/inittab instead of /bin/bash or whatever you guys use.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: best case, worst case, and just in case.

From sertys at supportivo.org Fri Apr 28 12:36:50 2006
From: sertys at supportivo.org (Daniel Ivanov)
Date: Fri Apr 28 12:55:07 2006
Subject: Login load balancing
In-Reply-To: <444FB608.10009@netzwerk.cc>
References: <444FAEFF.1040100@uvic.ca> <444FB608.10009@netzwerk.cc>
Message-ID: <4451F042.70103@supportivo.org>

The last one is not the best solution, because of the fact that you rely
on randomness. I would suggest you take a more comprehensive approach.

As the machines are snmp enabled, you just have to write a custom daemon,
receiving on port 22 (ssh) as a front-end, and check which machine is most
idle and dnat the user there. For the DNAT to be able to work, you would
have to send an RST packet back to the ssh client and wait for it to
reconnect to the already DNAT-ted machine. That would be a working
solution. As long as you don't wanna have millions of rules on the
redirecting machine, you just have to "count" the active logins (use
pam_script for example) and remove the rules as soon as the last shell
quits. You would like to have all simultaneous logins on the same machine,
so you'll have to check on a new login if the user is still there and put
it on the same machine.

Just think about the RST packet, cause I think it's not the most elegant
solution as long as the user will get a "Connection closed by remote site"
msg.

Mailings'AT'netzwerk.cc wrote:
> Drew Leske wrote:
>
>> Hi all,
>>
>> I'm looking for a solution (and I'm not afraid of devving one if
>> necessary) to load-balance SSH logins over several mostly identical
>> systems. So far the closest I have come is a solution using iptables,
>> but I'm not sure it will work, and I may well be overlooking some other
>> solution. Any ideas would be appreciated. My research has so far
>> turned up little.
>>
>> We have several systems that are, from a user's perspective, identical.
>> Their home directories are network mounted, libraries are synchronised,
>> and so on, so they don't really care which system they log in to. Their
>> work on these systems can be quite intensive and may consume quite a
>> few resources, but must remain interactive (so a batch system running
>> on a cluster won't do it).
>>
>> For the users it's a guessing game as to which of the machines they
>> should log in to at any point. They may log in to the first and find
>> it's heavily loaded, and so log in to another, until they find the
>> best. A second difficulty with this is the users have to be aware of
>> which machines are available--and they are named, due to historical
>> reasons, using a non-contiguous numbering scheme.
>>
>> So instead of the users logging in to bob3, bob6 or bob8, I'd like for
>> them to be able to simply log in to "bob" and be directed to the
>> least-loaded machine.
>>
>> Round-robining on the switch won't do it, because if one of the systems
>> is absolutely pinned, every Nth login will still wind up there.
>>
>> Determining which machines are least loaded will not be a problem. The
>> metrics may be gathered using SNMP or some other means from the
>> participating hosts. The problem is entirely in the redirection from
>> 'bob' to 'bob3', 'bob6', 'bob8'.
>>
>> Logins are exclusively through SSH. There is no need, and I don't
>> anticipate one (which means there will be some fantastic new request
>> coming in tomorrow) to support other protocols in this manner.
>>
>> The only half-solution I have come up with so far is to define a
>> 'director' box with the 'bob' alias, and then periodically grab load
>> metrics from the participating hosts, determine of the 'bob's which is
>> the least loaded, and then *cough* update a DNAT rule to redirect
>> requests coming in for 'bob' to the least-loaded 'bobX'.
>>
>> The last part feels horky, and I'm not even sure it will work, since
>> later packets coming in may be DNAT'ed to a different machine. Also,
>> the director then routes all the packets for logins to all the boxes.
>> I can't see any way to redirect the initial connection that won't
>> cause all sorts of problems with the client's firewalls.
>>
>> Any ideas?
>>
>> Thanks,
>> Drew.
>>
> Hi Drew,
>
> maybe you should take a look on the "iptables random" target.
>
> Something like
>
> iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \
>    -m random --average $[100/$howmuchserveryouvegot] \
>    -j DNAT --to $server1
>
> iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \
>    -m random --average $[100/$howmuchserveryouvegot] \
>    -j DNAT --to $server2
>
> ...
>
> Only one idea, but remember "the last rule should really match" ;-)
>
> Hope this is the right syntax.
>
> Best
>
> Sven
>

From angico at yahoo.com Fri Apr 28 12:56:09 2006
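The director scheme Drew sketches above (poll load periodically, point one DNAT rule at the least-loaded bobN), as an added example that is not code from anyone in the thread. Host names, the 192.0.2.x addresses and the load samples are constructed stand-ins for an SNMP poll; the rule text follows Sven's DNAT suggestion but keeps a single rule that is replaced in place instead of a random split.

```python
"""Director-side target selection for a periodically updated SSH DNAT rule.
Added example; HOST_IPS, the samples and the poll interval are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

HOST_IPS = {"bob3": "192.0.2.3", "bob6": "192.0.2.6", "bob8": "192.0.2.8"}


@dataclass(frozen=True)
class Sample:
    host: str
    load: float      # 1-minute load average reported by the host
    taken_at: float  # epoch seconds when the poll ran


def choose_target(samples: Iterable[Sample], current: Optional[str],
                  now: float, max_age: float = 900.0,
                  margin: float = 0.5) -> Optional[str]:
    """Least-loaded host, with two guards a periodic poller needs.

    A host whose newest sample is older than max_age is treated as down and
    never chosen, so a crashed bobN stops receiving logins.  The current
    target is kept unless another host beats it by at least `margin`, so the
    rule does not flap between two nearly idle hosts.  None means no host
    reported recently: leave the existing rule alone."""
    newest: Dict[str, Sample] = {}
    for s in samples:
        if s.host not in newest or s.taken_at > newest[s.host].taken_at:
            newest[s.host] = s
    fresh = {h: s for h, s in newest.items() if now - s.taken_at <= max_age}
    if not fresh:
        return None
    best = min(fresh.values(), key=lambda s: (s.load, s.host))
    if current in fresh and fresh[current].load - best.load < margin:
        return current
    return best.host


def dnat_command(host: str, have_rule: bool, iface: str = "eth0") -> str:
    """iptables command that installs (-A) or replaces in place (-R) the
    single PREROUTING redirect for port 22.  Replacing keeps exactly one
    rule; conntrack already holds the mapping for connections in flight, so
    only logins that start after the change go to the new host."""
    verb = "-R PREROUTING 1" if have_rule else "-A PREROUTING"
    return ("iptables -t nat %s -i %s -p tcp --dport 22 "
            "-j DNAT --to-destination %s:22" % (verb, iface, HOST_IPS[host]))


def reconcile(samples: Iterable[Sample], current: Optional[str],
              now: float) -> Tuple[Optional[str], Optional[str]]:
    """One poll cycle: (target after this cycle, command to run or None
    when nothing changes)."""
    target = choose_target(samples, current, now)
    if target is None or target == current:
        return current, None
    return target, dnat_command(target, have_rule=current is not None)


# Constructed poll results for one cycle (bob6 is the idle one).
NOW = 1146300000.0
POLL = [
    Sample("bob3", 4.2, NOW - 60),
    Sample("bob6", 1.1, NOW - 60),
    Sample("bob8", 1.3, NOW - 60),
]
```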
From: angico at yahoo.com (angico)
Date: Fri Apr 28 13:14:58 2006
Subject: IP drop question
In-Reply-To: <1146185403.29318.7.camel@prix.pricom.com.au>
Message-ID: <20060428105609.56120.qmail@web36808.mail.mud.yahoo.com>

If I understand it well, it doesn't make sense to have your INPUT policy
set to DROP if you have matches that say -j ACCEPT if -i eth0 and eth1
(unless you have other interfaces that actually connect you to the
outside world and eth0/1 are tied to your intranet).

regards,
angico.

--- Philip Rhoades wrote:

> People,
>
> My config does not appear to be dropping unauthorised IPs - in my
> logwatch file I am still getting lines like:
>
> Failed logins from:
>    211.238.253.248: 54 times
>
> Illegal users from:
>    202.110.131.27: 1 time
>    211.238.253.248: 164 times
>
> **Unmatched Entries**
> pam_succeed_if(sshd:auth): error retrieving information about user
> administrator : 1 time(s)
>
> My config is this:
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> # -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -j LOG --log-prefix "ssh connect:"
> -A INPUT -p tcp -m tcp -s 149.171.173.169 --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp -s 203.166.81.114 --dport 22 -j ACCEPT
> # -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 --syn -j ACCEPT
> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 --syn -j ACCEPT
> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 --syn -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -p udp -m udp -s 149.171.173.169 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p udp -m udp -s 203.166.81.114 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p tcp -m tcp --syn -j REJECT
> -A INPUT -p udp -m udp -j REJECT
> -A INPUT -j LOG --log-level alert
> -A INPUT -j LOG --log-prefix "Dropped: "
> COMMIT
>
>
> Can someone point out what I am doing wrong?
>
> Thanks,
>
> Phil.
> -- 
> Philip Rhoades
>
> Pricom Pty Limited (ACN 003 252 275 ABN 91 003 252 275)
> GPO Box 3411
> Sydney NSW 2001
> Australia
> Mobile: +61:(0)411-185-652
> Fax: +61:(0)2-8221-9599
> E-mail: phil@pricom.com.au
>

From jpabuyer at tecnoera.com Fri Apr 28 16:12:12 2006
From: jpabuyer at tecnoera.com (Juan Pablo Abuyeres)
Date: Fri Apr 28 16:31:09 2006
Subject: to SMP or not to SMP?
Message-ID: <1146233532.7235.277.camel@blackbird.tecnoera.com>

Hi guys,

I've been using an old single processor / linux 2.4 iptables based
firewall for a few years.

Now it's time to upgrade that machine, so I am wondering, would it be of
real benefit if I put in a two-processor system for a firewall? This
machine is going to have 4 NICs, it's going to do routing (lots of
routes) and firewalling (iptables). I don't know if these kinds of tasks
take advantage of a multiple-processor architecture. Please enlighten me :)

Thank you!

From dleske at uvic.ca Fri Apr 28 18:32:49 2006
From: dleske at uvic.ca (Drew Leske)
Date: Fri Apr 28 18:53:01 2006
Subject: IP drop question
In-Reply-To: <1146185403.29318.7.camel@prix.pricom.com.au>
References: <1146185403.29318.7.camel@prix.pricom.com.au>
Message-ID: <445243B1.3080904@uvic.ca>

Hi Philip,

> My config does not appear to be dropping unauthorised IPs - in my
> logwatch file I am still getting lines like:
>
> Failed logins from:
>    211.238.253.248: 54 times
>
> Illegal users from:
>    202.110.131.27: 1 time
>    211.238.253.248: 164 times

I'm not familiar with logwatch. Are these SSH, telnet, other? I assume
SSH, because new telnet connections are allowed in with this rule:

> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 --syn -j ACCEPT

Going through the iptables you provided, let's say with 211.238.253.248,
coming in on a new connection for SSH on port 22, the first rule matched
would be this one (assuming eth0 and/or eth1 are external interfaces):

> -A INPUT -i eth0 -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT

So they'd get through.

As an aside, I'd recommend you 'tail -f /var/log/messages' or wherever
you've got your kernel messages going in a separate window while you tune
your iptables configuration. This will allow you to catch these attempts
and make rules for them faster than waiting to see them show up in a log
the next day.

Cheers,
Drew.

> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> # -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -j LOG --log-prefix "ssh connect:"
> -A INPUT -p tcp -m tcp -s 149.171.173.169 --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp -s 203.166.81.114 --dport 22 -j ACCEPT
> # -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 --syn -j ACCEPT
> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 --syn -j ACCEPT
> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 --syn -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -p udp -m udp -s 149.171.173.169 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p udp -m udp -s 203.166.81.114 --sport 53 -d 0/0 -j ACCEPT
> -A INPUT -p tcp -m tcp --syn -j REJECT
> -A INPUT -p udp -m udp -j REJECT
> -A INPUT -j LOG --log-level alert
> -A INPUT -j LOG --log-prefix "Dropped: "
> COMMIT

-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From dleske at uvic.ca Fri Apr 28 18:37:49 2006
From: dleske at uvic.ca (Drew Leske)
Date: Fri Apr 28 18:58:02 2006
Subject: Login load balancing
In-Reply-To: <20060428120005.4d940e7b.arnt@c2i.net>
References: <444FAEFF.1040100@uvic.ca> <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> <444FBBA7.2020501@uvic.ca> <20060427121619.3e2bf426.arnt@c2i.net> <445100BC.1080907@uvic.ca> <20060428120005.4d940e7b.arnt@c2i.net>
Message-ID: <445244DD.8040100@uvic.ca>

Arnt Karlsen wrote:
> On Thu, 27 Apr 2006 10:34:52 -0700, Drew wrote in message
> <445100BC.1080907@uvic.ca>:
>
>>> ..check out sdm and sdm-terminal, if you wanna provide X logins over
>>> ssh, the user sees a menu to choose from and you should be able to
>>> "pile up the good boxes" on top of that menu listing:
>> Interesting, and I might find this useful elsewhere, but for this
>> issue I need to support console logins as well.
>
> ..and this can't? At the very least you should be able to offer console
> logins from the sdm-terminal X menu, and then there's offering a console
> menu from /etc/inittab instead of /bin/bash or whatever you guys use.

I'm not sure I understand, but you seem to be suggesting a way by which I
could use a console window in X. As a base case, I have to support
somebody connecting with a vt100 and a 9600 baud modem. This solution
needs to be completely independent of X.

Thanks,
Drew.

-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From dleske at uvic.ca Fri Apr 28 18:54:33 2006
From: dleske at uvic.ca (Drew Leske)
Date: Fri Apr 28 19:14:41 2006
Subject: Login load balancing
In-Reply-To: <4451F042.70103@supportivo.org>
References: <444FAEFF.1040100@uvic.ca> <444FB608.10009@netzwerk.cc> <4451F042.70103@supportivo.org>
Message-ID: <445248C9.5010402@uvic.ca>

Hi Daniel,

> The last one is not the best solution, because of the fact that you rely
> on randomness. I would suggest you take a more comprehensive approach.

Agreed. If I had enough users and enough nodes, randomness would approach
other methods for effectiveness, but that's not the case here.

> As the machines are snmp enabled, you just have to write a custom
> daemon, receiving on port 22 (ssh) as a front-end and check which
> machine is most idle and dnat the user there, for the DNAT to be able to

Slight aside: I don't want to check the load at time of login, because
that would significantly slow down the login process. The load checking
would be done periodically--say every 5 or 15 minutes or so--and the
results would force a change to the DNAT rule.

> work, you would have to send an RST packet back to the ssh client and
> wait for it to reconnect to the already DNAT-ted machine. That would be
> a working solution. As long as you don't wanna have millions of rules on
> the redirecting machine, you just have to "count" the active logins (use
> pam_script for example) and remove the rules as long as the last shell
> quits. You would like to have all simultaneous logins on the same
> machine, so you'll have to check on a new login if the user is still
> there and put it on the same machine. Just think about the RST packet,
> cause I think it's not the most elegant solution as long as the user
> will get a "Connection closed by remote site" msg.

I've considered that (keeping all logins together on the same head node).
My feelings on that are:

(0) The users should not actually need to have multiple logins on the
    same real host. If their environment is not consistent across the
    hosts, there is another problem.
(1) Once the user logs in and is redirected, they have the option to
    'manually' log in to that node for subsequent sessions.
(2) Tracking user logins so I can make this automatic for them is
    desirable, however, it would be non-trivial to implement robustly.
(3) So, that would be 'version 2'! :)

>> Hi Drew,
>>
>> maybe you should take a look on the "iptables random" target.
>>
>> Something like
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \
>>    -m random --average $[100/$howmuchserveryouvegot] \
>>    -j DNAT --to $server1
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \
>>    -m random --average $[100/$howmuchserveryouvegot] \
>>    -j DNAT --to $server2
>>
>> ...
>>
>> Only one idea, but remember "the last rule should really match" ;-)
>>
>> Hope this is the right syntax.
>>
>> Best
>>
>> Sven

-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From rob at sterenborg.info Fri Apr 28 19:06:22 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Fri Apr 28 19:25:11 2006
Subject: IP drop question
In-Reply-To: <445243B1.3080904@uvic.ca>
Message-ID: <000901c66ae6$13a76e40$0101000a@sterenborg.info>

>> My config does not appear to be dropping unauthorised IPs - in my
>> logwatch file I am still getting lines like:
>>
>> Failed logins from:
>>    211.238.253.248: 54 times
>>
>> Illegal users from:
>>    202.110.131.27: 1 time
>>    211.238.253.248: 164 times
>
> I'm not familiar with logwatch. Are these SSH, telnet, other? I
> assume SSH, because new telnet connections are allowed in with
> this rule:
>
>> -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 --syn -j ACCEPT

Huh..? Not to nitpick or anything, but dport 25 is smtp and dport 23 is
telnet. IMHO this rule will not allow telnet.

Gr,
Rob

From dleske at uvic.ca Fri Apr 28 19:46:06 2006
From: dleske at uvic.ca (Drew Leske)
Date: Fri Apr 28 20:06:11 2006
Subject: IP drop question
In-Reply-To: <000901c66ae6$13a76e40$0101000a@sterenborg.info>
References: <000901c66ae6$13a76e40$0101000a@sterenborg.info>
Message-ID: <445254DE.6000805@uvic.ca>

> Huh..? Not to nitpick or anything, but dport 25 is smtp and dport 23 is
> telnet. IMHO this rule will not allow telnet.

Hah--you're right. I thought something was off as I typed that.

Chrs,
Drew.

-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From arnt at c2i.net Fri Apr 28 20:23:56 2006
From: arnt at c2i.net (Arnt Karlsen)
Date: Fri Apr 28 20:43:38 2006
Subject: Login load balancing
In-Reply-To: <445244DD.8040100@uvic.ca>
References: <444FAEFF.1040100@uvic.ca> <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> <444FBBA7.2020501@uvic.ca> <20060427121619.3e2bf426.arnt@c2i.net> <445100BC.1080907@uvic.ca> <20060428120005.4d940e7b.arnt@c2i.net> <445244DD.8040100@uvic.ca>
Message-ID: <20060428202356.5c09239b.arnt@c2i.net>

On Fri, 28 Apr 2006 09:37:49 -0700, Drew wrote in message
<445244DD.8040100@uvic.ca>:

> Arnt Karlsen wrote:
> > On Thu, 27 Apr 2006 10:34:52 -0700, Drew wrote in message
> > <445100BC.1080907@uvic.ca>:
> >
> >>> ..check out sdm and sdm-terminal, if you wanna provide X logins over
> >>> ssh, the user sees a menu to choose from and you should be able to
> >>> "pile up the good boxes" on top of that menu listing:
> >> Interesting, and I might find this useful elsewhere, but for this
> >> issue I need to support console logins as well.
> >
> > ..and this can't? At the very least you should be able to offer
> > console logins from the sdm-terminal X menu, and then there's
> > offering a console menu from /etc/inittab instead of /bin/bash or
> > whatever you guys use.
>
> I'm not sure I understand, but you seem to be suggesting a way by
> which I could use a console window in X. As a base case, I have to
> support somebody connecting with a vt100 and a 9600 baud modem. This
> solution needs to be completely independent of X.

..yup, and I was thinking of the various ttys, on which again you offer
a shell menu to choose from, instead of the usual shell prompt, any tty
(except mingetty or fgetty) should do this for you, a few quick ideas:

arnt@a45:~ $ apt-cache search tty |grep tty
a2ps - GNU a2ps - 'Anything to PostScript' converter and pretty-printer
bibclean - pretty-printer for BibTeX databases
boxshade - [Biology] Pretty-printing of multiple sequence alignments
brltty - Access software for a blind person using a soft braille terminal
brltty-flite - Access software for a blind person using a soft braille terminal
brltty-x11 - Access software for a blind person using a soft braille terminal
detachtty - Attach/detach from interactive processes across the network
discus - Pretty version of df(1) command.
dvi2tty - Previewing dvi-files on text-only devices
enscript - Converts ASCII text to Postscript, HTML, RTF or Pretty-Print
eskuel - A pretty PHP administration tool for MySQL databases
fbgetty - A console getty with and without frame buffer capability
fgetty - very small, efficient, console-only getty and login
fillets-ng - puzzle game about witty fish saving the world sokoban-style
fvwm-crystal - Pretty Desktop Environment based on fvwm
hztty - Translates GB, Big5, zW/HZ Chinese encodings in a tty session
kitty - a Qt/KDE based RSS podcast and video aggregator
libemail-mime-contenttype-perl - Parse a MIME Content-Type Header
libio-pty-perl - Perl module for pseudo tty IO
libio-stty-perl - Interface to secure pseudo ttys
libmlrisctools-smlnj - Library for parsing and pretty printing SML code
libmodem-vgetty-perl - Perl module for interfacing with vgetty (Modem::Vgetty)
libpty-ruby - pseudo tty interface for Ruby
libpty-ruby1.6 - pseudo tty interface for Ruby 1.6.x
libterm-query-perl - Subroutines that handle simple tty-based UI
libxml-filter-reindent-perl - Perl module for reformatting whitespace for pretty printing XML
linuxvnc - VNC server to monitor a tty
lyskom-tty-client - TTY client for LysKOM
mgetty - Smart Modem getty replacement
mgetty-docs - Documentation Package for mgetty
mgetty-fax - Faxing tools for mgetty
mgetty-pvftools - Programs for listening and manipulating pvf and rmd files
mgetty-viewfax - Program for displaying Group-3 Fax files under X
mgetty-voice - Voicemail handler for mgetty
mingetty - Console-only getty
mp - pretty-printer for email messages and other text files
muttprint - Pretty printing of mails
owl - A curses-based tty Zephyr client.
pretzel - Prettyprinter generator for noweb
putty - Telnet/SSH client for X
putty-tools - command-line tools for SSH, SCP, and SFTP
rungetty - minimal console getty that can run any process
trueprint - pretty printing of source code
ttv - tty TV application
ttyd - Remote Modem Utility for Unix
ttylog - serial port logger
ttyrec - A tty recorder
ttysnoop - TTY Snoop - allows you to spy on telnet+serial connections
zope-atcontenttypes - archetypes-based replacement for Plone/CMF types
arnt@a45:~ $

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: best case, worst case, and just in case.

From gnychis at cmu.edu Fri Apr 28 20:29:57 2006
From: gnychis at cmu.edu (George P Nychis)
Date: Fri Apr 28 20:48:45 2006
Subject: getting random and average to accept decimals?
Message-ID: <33064.128.2.140.234.1146248997.squirrel@128.2.140.234>

Hi,

I need a very high precision loss model, and right now it seems as though
--average can only accept integer numbers.

I would for example like to introduce .01% packet loss, .1% packet loss,
1% packet loss, 1.5% packet loss ... except it seems as though out of that
set, I would only be able to do 1% packet loss.

lanthanum-ini ~ # iptables -A FORWARD -p all -m random --average .25 -j DROP
iptables v1.3.5: bad --average `.25', must be between 1 and 99
Try `iptables -h' or 'iptables --help' for more information.

Is there any way I can get higher precision?

Thanks!
George

From dleske at uvic.ca Fri Apr 28 20:36:47 2006
From: dleske at uvic.ca (Drew Leske)
Date: Fri Apr 28 20:57:00 2006
Subject: Login load balancing
In-Reply-To: <20060428202356.5c09239b.arnt@c2i.net>
References: <444FAEFF.1040100@uvic.ca> <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> <444FBBA7.2020501@uvic.ca> <20060427121619.3e2bf426.arnt@c2i.net> <445100BC.1080907@uvic.ca> <20060428120005.4d940e7b.arnt@c2i.net> <445244DD.8040100@uvic.ca> <20060428202356.5c09239b.arnt@c2i.net>
Message-ID: <445260BF.5010406@uvic.ca>

Arnt Karlsen wrote:
>> I'm not sure I understand, but you seem to be suggesting a way by
>> which I could use a console window in X. As a base case, I have to
>> support somebody connecting with a vt100 and a 9600 baud modem. This
>> solution needs to be completely independent of X.
>
> ..yup, and I was thinking of the various ttys, on which again you offer
> a shell menu to choose from, instead of the usual shell prompt, any tty
> (except mingetty or fgetty) should do this for you, a few quick ideas:
> arnt@a45:~ $ apt-cache search tty |grep tty
> [...]

Okay, so what you're talking about now has nothing to do with
sdm-terminal, and is just a script run when users log in to the director,
which will give the user a menu and then shunt them off through ssh or
some other means to one of the participating hosts. I wouldn't bother
with the menu, though, because that defeats the 'load-balancing' part of
it (unless I put the latest load figures in the menu and let the user
choose).

This solution requires login access to the director host. Not necessarily
a show-stopper, but it's a drawback.

Thanks for your input,
Drew.

-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
dleske@uvic.ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

From laforge at netfilter.org Sat Apr 29 00:50:03 2006
From: laforge at netfilter.org (Harald Welte)
Date: Sat Apr 29 01:07:45 2006
Subject: linux/iptables + smp question
In-Reply-To: <44520085.3030909@tecnoera.com>
References: <44520085.3030909@tecnoera.com>
Message-ID: <20060428225003.GF5598@rama>

On Fri, Apr 28, 2006 at 07:46:13AM -0400, Juan Pablo Abuyeres wrote:
> Hi guys,

Hi,

please follow up to the netfilter mailinglist, since this is not a kernel
[development] question.

> I've been using an old single processor / linux 2.4 iptables based
> firewall for a few years.
>
> Now it's time to upgrade that machine, so, I am wondering, would it be
> of real benefit if I put a two-processor system for a firewall? This
> machine is going to have 4 NICs, it's going to make routing (lots of
> routes), and firewall (iptables). I don't know if these kind of tasks
> take advantage from a multiple-processor architecture. Please enlighten
> me :)

some notes:

1) the 2.6 network stack scales better on smp
2) iptables and routing both scale very well on smp systems, if you use
   multiple interfaces and distribute the interrupts over multiple cpus
3) connection tracking inherently scales less well on SMP systems

-- 
- Harald Welte                                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

From gnychis at cmu.edu Sat Apr 29 04:16:06 2006
From: gnychis at cmu.edu (George Nychis)
Date: Sat Apr 29 04:34:53 2006
Subject: getting random and average to accept decimals?
In-Reply-To: <33064.128.2.140.234.1146248997.squirrel@128.2.140.234>
References: <33064.128.2.140.234.1146248997.squirrel@128.2.140.234>
Message-ID: <4452CC66.40402@cmu.edu>

Daniel made a really helpful suggestion on #iptables to solve my problem:

iptables -N CENTAPKT; iptables -A INPUT -m random --average 1 -j CENTAPKT; iptables -A CENTAPKT -m random --average 1 -j DROP

yey, 0.01% packet loss :)

George P Nychis wrote:
> Hi,
>
> I need a very high precision loss model, and right now it seems as
> though --average can only accept integer numbers.
>
> I would for example like to introduce .01% packet loss, .1% packet
> loss, 1% packet loss, 1.5% packet loss ... except it seems as though
> out of that set, I would only be able to do 1% packet loss.
>
> lanthanum-ini ~ # iptables -A FORWARD -p all -m random --average .25 -j DROP
> iptables v1.3.5: bad --average `.25', must be between 1 and 99
> Try `iptables -h' or 'iptables --help' for more information.
>
> Is there any way I can get higher precision?
>
> Thanks!
> George
>
>

From petr.pisar at atlas.cz Sat Apr 29 20:44:53 2006
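The CENTAPKT trick above generalised, as an added example that is not George's or Daniel's code: each `-m random --average` stage is an independent per-packet draw, so a chain of n stages with integer averages a_1..a_n drops prod(a_i)/100^(n-1) percent of packets, which reaches the .25% and 1.5% rates from the original question. The LOSS chain names are constructed.

```python
"""Plan a chain of -m random --average stages for a loss rate finer than 1%.
Added example; chain names are constructed."""
from fractions import Fraction
from itertools import combinations_with_replacement
from typing import List, Optional, Sequence, Tuple


def effective_loss_percent(averages: Sequence[int]) -> Fraction:
    """Exact loss in percent for a chain of --average values (1..99 each)."""
    if not averages:
        raise ValueError("empty chain")
    prod = 1
    for a in averages:
        if not 1 <= a <= 99:
            raise ValueError("--average must be between 1 and 99, got %r" % a)
        prod *= a
    return Fraction(prod, 100 ** (len(averages) - 1))


def plan_chain(target_percent, max_depth: int = 3) -> Tuple[int, ...]:
    """Shortest chain of integer averages whose loss equals target_percent.

    Floats are read through their decimal repr, so 0.01 means exactly 1/100.
    The first exact chain in (depth, lexicographic) order is returned; if no
    chain up to max_depth is exact, the closest one found is returned."""
    if isinstance(target_percent, float):
        target = Fraction(repr(target_percent))
    else:
        target = Fraction(target_percent)
    if not 0 < target < 100:
        raise ValueError("target must lie strictly between 0 and 100 percent")
    best: Optional[Tuple[int, ...]] = None
    best_err: Optional[Fraction] = None
    for depth in range(1, max_depth + 1):
        for combo in combinations_with_replacement(range(1, 100), depth):
            err = abs(effective_loss_percent(combo) - target)
            if err == 0:
                return combo
            if best_err is None or err < best_err:
                best, best_err = combo, err
    return best


def iptables_commands(averages: Sequence[int], chain: str = "FORWARD",
                      prefix: str = "LOSS") -> List[str]:
    """Commands realising the chain: every stage but the last jumps into a
    user chain with probability a_i/100 (a non-match just falls back to the
    calling chain), and the last stage drops with probability a_n/100."""
    cmds: List[str] = []
    current = chain
    for i, a in enumerate(averages):
        if i == len(averages) - 1:
            cmds.append("iptables -A %s -m random --average %d -j DROP" % (current, a))
        else:
            nxt = "%s%d" % (prefix, i + 1)
            cmds.append("iptables -N %s" % nxt)
            cmds.append("iptables -A %s -m random --average %d -j %s" % (current, a, nxt))
            current = nxt
    return cmds
```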
From: petr.pisar at atlas.cz (Petr Pisar)
Date: Sat Apr 29 21:04:06 2006
Subject: Not NATed packets
In-Reply-To:
References:
Message-ID:

Petr Pisar wrote:
> lukas@tank.eu.org wrote:
>
>> NAT configuration is simple but some packets are not NATed - on my
>> public interface packets with source address of my internal (NATed)
>> network appear and I have no clue what is wrong.
>
>> 16:30:39.015880 IP (tos 0x0, ttl 127, id 28594, offset 0, flags [DF],
>> proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F,
>> cksum 0x1623 (correct), 3885889894:3885889894(0) ack 3151418643 win 65535
>
> Exactly. I can see only FIN packets which are not translated. After
> looking into the conntrack table, I think MASQ ignores FIN packets that
> are missing in the conntrack table (Is it INVALID or NEW state?).
>

So, I'm able to reproduce this bug. Simply send an untracked FIN packet
from an intranet station to the Internet:

$ hping2 -c 1 -F 1.2.3.4
HPING 1.2.3.4 (eth1 1.2.3.4): F set, 40 headers + 0 data bytes

--- 1.2.3.4 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

And dump traffic on your gateway:

$ tcpdump -i ppp0 -n net 192.168.0.0/24
tcpdump: listening on ppp0
20:30:36.304397 192.168.0.2.1039 > 1.2.3.4.0: F 2063212909:2063212909(0) win 512

> Very strange behaviour have counters too. These strange packets are not
> loggable after MASQ rule. It seems like a bug.
>

Here is my POSTROUTING chain (ppp0 is the public interface):

Chain POSTROUTING (policy ACCEPT 783 packets, 126K bytes)
 pkts bytes target     prot opt in     out     source               destination
  897 54437 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 2 level 4 prefix `PRE'
 4531  365K MASQUERADE all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
   38  2258 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 2 level 4 prefix `POST'

and after doing this exercise I can't see any change on the counters in
the POSTROUTING chain. Naturally I can't see anything in the kernel log
(as you can see, I log everything before MASQ and after that). It seems
these magic packets are completely bypassing the POSTROUTING chain.

I found out too that TCP traffic goes inside this chain only with the
first SYN packet. After that, the packets are there but I don't see them
anymore. Is it normal?

-- 
Petr

From petr.pisar at atlas.cz Sat Apr 29 21:15:23 2006
From: petr.pisar at atlas.cz (Petr Pisar)
Date: Sat Apr 29 21:34:29 2006
Subject: Not NATed packets
In-Reply-To:
References:
Message-ID:

lukas@tank.eu.org wrote:
> NAT configuration is simple but some packets are not NATed - on my
> public interface packets with source address of my internal (NATed)
> network appear and I have no clue what is wrong.
>
> tcpdump -i eth0 -n -vvv |grep 10.10.10
> 16:30:39.015880 IP (tos 0x0, ttl 127, id 28594, offset 0, flags [DF],
> proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F,
> cksum 0x1623 (correct), 3885889894:3885889894(0) ack 3151418643 win 65535

So, I have one workaround. These magic packets are INVALID from the state
module's point of view. Therefore these rules

    5   200 LOG        all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 2 level 4 prefix `FWD-INVALID'
    1    40 REJECT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           state INVALID reject-with icmp-admin-prohibited

where ppp0 is the NATing device, can log and discard these packets.

I'm not sure if any INVALID packet can also be considered a healthy
packet. Can you see any false positives? (I know that these packets can
occur when an interface with a dynamically assigned address changes its
IP address during an established TCP connection, but then we are not able
to repair this state [i.e. close the connection on both sides with the
proper source IP] either. Therefore we can consider the following packets
as really invalid.)

-- 
Petr

From dave at dtracorp.com Sun Apr 30 07:03:12 2006
From: dave at dtracorp.com (dave)
Date: Sun Apr 30 07:22:14 2006
Subject: fc4 iptables blocking yum and smtp (postfix)
Message-ID: <44544510.5020907@dtracorp.com>

hi all

ok, I know this is an iptables issue, because both yum and smtp work when I turn iptables off

I don't really have any idea when it comes to server level stuff, so I really need someone to help me out here

I have been told that it has something to do with ESTABLISHED,RELATED settings that I need to add (but don't know what I need to do)

my iptables listed below

thanks
dave

[code]
# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,10000
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 20,21,25,80,110,143,443,993,995,3306
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 53,123
#-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# Localhost traffic
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Tue Apr 11 23:20:05 2006
# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [247924:148337622]
:OUTPUT ACCEPT [203797:85733410]
:POSTROUTING ACCEPT [203797:85733410]
:PREROUTING ACCEPT [273515:151663480]
COMMIT
# Completed on Tue Apr 11 23:20:05 2006
# Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
*nat
:OUTPUT ACCEPT [3330:227736]
:POSTROUTING ACCEPT [3330:227736]
:PREROUTING ACCEPT [41038:5544645]
COMMIT
# Completed on Tue Apr 11 23:20:05 2006
[/code]

--
http://dtracorp.com

From alex at zoomnet.ro Sun Apr 30 07:36:48 2006
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Sun Apr 30 07:55:51 2006
Subject: fc4 iptables blocking yum and smtp (postfix)
In-Reply-To: <44544510.5020907@dtracorp.com>
References: <44544510.5020907@dtracorp.com>
Message-ID: <44544CF0.20404@zoomnet.ro>

dave wrote:
> hi all
>
> ok, i know this is an iptables issue, because both yum and smtp work
> when i turn iptables off
>
> i don't really have any idea when it comes to server level stuff, so i
> really need someone to help me out here
>
> i have been told that it has something to do with ESTABLISHED,RELATED
> settings that i need to add (but don't know what i need to do)
>
> my iptables listed below
>
> thanks
> dave
>
> [code]
> # Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,10000
> -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports
> 20,21,25,80,110,143,443,993,995,3306
> -A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 53,123
> #-A INPUT -p udp -m udp --sport 53 -j ACCEPT
> # Localhost traffic
> -A INPUT -i lo -j ACCEPT
> COMMIT
> # Completed on Tue Apr 11 23:20:05 2006
> # Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
> *mangle
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [247924:148337622]
> :OUTPUT ACCEPT [203797:85733410]
> :POSTROUTING ACCEPT [203797:85733410]
> :PREROUTING ACCEPT [273515:151663480]
> COMMIT
> # Completed on Tue Apr 11 23:20:05 2006
> # Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
> *nat
> :OUTPUT ACCEPT [3330:227736]
> :POSTROUTING ACCEPT [3330:227736]
> :PREROUTING ACCEPT [41038:5544645]
> COMMIT
> # Completed on Tue Apr 11 23:20:05 2006
> [/code]
>

Try adding

-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --sports 22,10000
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --sports 20,21,25,80,110,143,443,993,995,3306

From dave at dtracorp.com Sun Apr 30 08:03:51 2006
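The ruleset in this thread has a DROP policy on INPUT but no rule admitting replies to connections the host itself opens, which is why yum and outbound SMTP stall; the suggested --sports rules let the replies in, but a remote sender can choose its source port, so a conntrack state rule is the check a reviewer would ask for. The linter below is an added example, not code from the thread: it parses an iptables-save filter table and flags both conditions. The rulesets are constructed from the posting (filter table only), and the finding texts and function names are this example's own.

```python
"""Lint an iptables-save filter table for an INPUT chain that drops replies.
Added example, not from the thread. POSTED is the ruleset from the posting
(filter table only), WORKAROUND adds the suggested --sports rule, FIXED adds
a conntrack state rule; all three are constructed here.
"""
import re
import shlex

STATE_RE = re.compile(r"--(?:state|ctstate)\s+(\S+)")

POSTED = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,10000
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 20,21,25,80,110,143,443,993,995,3306
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 53,123
-A INPUT -i lo -j ACCEPT
COMMIT
"""
# Source-port workaround from the thread, appended before COMMIT.
WORKAROUND = POSTED.replace("COMMIT", "-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --sports 22,10000\nCOMMIT")
# Conntrack-based fix: accept replies to connections this host opened.
FIXED = POSTED.replace(":OUTPUT ACCEPT [0:0]\n",
                       ":OUTPUT ACCEPT [0:0]\n-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n")

def parse_filter(dump):
    """Return ({chain: policy}, [rule token lists]) for the *filter table."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules

def target(rule):
    return rule[rule.index("-j") + 1] if "-j" in rule else None

def accepts_replies(rule):
    """True for an ACCEPT rule whose state match includes ESTABLISHED."""
    m = STATE_RE.search(" ".join(rule))
    return bool(m) and "ESTABLISHED" in m.group(1).split(",") and target(rule) == "ACCEPT"

def lint_input(dump):
    """Findings for the INPUT chain; an empty list means nothing flagged."""
    policies, rules = parse_filter(dump)
    inp = [r for r in rules if r[1] == "INPUT"]
    findings = []
    if policies.get("INPUT") == "DROP" and not any(accepts_replies(r) for r in inp):
        findings.append("INPUT DROP without an ESTABLISHED,RELATED ACCEPT rule: replies to "
                        "outbound connections (yum, SMTP) are dropped; add "
                        "'-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'")
    for r in inp:
        if target(r) == "ACCEPT" and ("--sport" in r or "--sports" in r):
            findings.append("source-port ACCEPT " + " ".join(r) + ": the remote side picks "
                            "its source port, so this admits unsolicited packets")
    return findings
```

Running `lint_input` over the three rulesets gives one finding for POSTED, two for WORKAROUND and none for FIXED.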
From: dave at dtracorp.com (dave)
Date: Sun Apr 30 08:22:53 2006
Subject: fc4 iptables blocking yum and smtp (postfix)
In-Reply-To: <44544CF0.20404@zoomnet.ro>
References: <44544510.5020907@dtracorp.com> <44544CF0.20404@zoomnet.ro>
Message-ID: <44545347.6000206@dtracorp.com>

Alexandru Dragoi wrote:
> dave wrote:
>
>> hi all
>>
>> ok, i know this is an iptables issue, because both yum and smtp work
>> when i turn iptables off
>>
>> i don't really have any idea when it comes to server level stuff, so i
>> really need someone to help me out here
>>
>> i have been told that it has something to do with ESTABLISHED,RELATED
>> settings that i need to add (but don't know what i need to do)
>>
>> my iptables listed below
>>
>> thanks
>> dave
>>
>> [code]
>> # Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
>> *filter
>> :FORWARD ACCEPT [0:0]
>> :INPUT DROP [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,10000
>> -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports
>> 20,21,25,80,110,143,443,993,995,3306
>> -A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 53,123
>> #-A INPUT -p udp -m udp --sport 53 -j ACCEPT
>> # Localhost traffic
>> -A INPUT -i lo -j ACCEPT
>> COMMIT
>> # Completed on Tue Apr 11 23:20:05 2006
>> # Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
>> *mangle
>> :FORWARD ACCEPT [0:0]
>> :INPUT ACCEPT [247924:148337622]
>> :OUTPUT ACCEPT [203797:85733410]
>> :POSTROUTING ACCEPT [203797:85733410]
>> :PREROUTING ACCEPT [273515:151663480]
>> COMMIT
>> # Completed on Tue Apr 11 23:20:05 2006
>> # Generated by iptables-save v1.3.0 on Tue Apr 11 23:20:05 2006
>> *nat
>> :OUTPUT ACCEPT [3330:227736]
>> :POSTROUTING ACCEPT [3330:227736]
>> :PREROUTING ACCEPT [41038:5544645]
>> COMMIT
>> # Completed on Tue Apr 11 23:20:05 2006
>> [/code]
>>
>
> Try adding
> -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --sports 22,10000
> -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --sports
> 20,21,25,80,110,143,443,993,995,3306
>

thanks, that seems to have done the trick

From arnt at c2i.net Sun Apr 30 11:51:04 2006
From: arnt at c2i.net (Arnt Karlsen)
Date: Sun Apr 30 12:10:55 2006
Subject: Login load balancing
In-Reply-To: <445260BF.5010406@uvic.ca>
References: <444FAEFF.1040100@uvic.ca> <1146073387.24375.74.camel@sehe-c4.berlin.teles.de> <444FBBA7.2020501@uvic.ca> <20060427121619.3e2bf426.arnt@c2i.net> <445100BC.1080907@uvic.ca> <20060428120005.4d940e7b.arnt@c2i.net> <445244DD.8040100@uvic.ca> <20060428202356.5c09239b.arnt@c2i.net> <445260BF.5010406@uvic.ca>
Message-ID: <20060430115104.5506e3d3.arnt@c2i.net>

On Fri, 28 Apr 2006 11:36:47 -0700, Drew wrote in message <445260BF.5010406@uvic.ca>:

> Arnt Karlsen wrote:
> >> I'm not sure I understand, but you seem to be suggesting a way by
> >> which I could use a console window in X. As a base case, I have to
> >> support somebody connecting with a vt100 and a 9600 baud modem. This
> >> solution needs to be completely independent of X.
> >
> > ..yup, and I was thinking of the various ttys, on which again you
> > offer a shell menu to choose from, instead of the usual shell
> > prompt, any tty (except mingetty or fgetty) should do this for you,
> > a few quick ideas: arnt@a45:~ $ apt-cache search tty |grep tty
> > [...]
>
> Okay, so what you're talking about now has nothing to do with
> sdm-terminal,

..yes and no, it can remain as an alternative on the console login menu and vice versa.

> and is just a script run when users log in

..yup.

> to the director

..no need, just have each box fetch the menu text du jour from it.

> , which will
> give the user a menu and then shunt them off through ssh or some other
> means to one of the participating hosts.
>
> I wouldn't bother with the menu, though, because that defeats the
> 'load-balancing' part of it (unless I put the latest load figures in
> the menu and let the user choose).
>
> This solution requires login access to the director host. Not
> necessarily a show-stopper, but it's a drawback.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: best case, worst case, and just in case.

From cmould at cwjamaica.com Sat Apr 29 18:31:02 2006
From: cmould at cwjamaica.com (cmould)
Date: Sun Apr 30 16:50:51 2006
Subject: interruption in natted return http traffic
Message-ID: <445394C6.6060303@cwjamaica.com>

Help:

I have a strange problem and I am not finding answers using Google. I have set up a gateway on my network using Mandrake 10.1. I am running squid, iptables, and portsentry.

The problem is this: About once a week users on the network cannot get any response from an http request. After many hours of diagnostics, what I know is this.

1) http requests are leaving the gateway but not being returned.
2) https requests are leaving the gateway and are being returned. Works as expected.
3) SSH traffic works as expected.
4) If I reboot the server the problem goes away.
5) After approximately 8-9 hours behavior returns to normal with http traffic.

I am not seeing evidence of ip_conntrack table overflows. The traffic is not being blocked in the firewall.

Has anyone experienced this behavior? What is the problem, and where can I look?

From tony at games-master.co.uk Sun Apr 30 20:34:19 2006
From: tony at games-master.co.uk (Tony)
Date: Sun Apr 30 20:53:23 2006
Subject: Redirecting web traffic out of eth1
Message-ID: <200604301830.k3UIUgqs025150@main.games-master.co.uk>

We are currently running a squid server which proxies requests that get sent to it from our Cisco router. The Cisco router terminates an L2TP tunnel and our users connect over this tunnel. We don't need to proxy all web traffic, so each user that needs to be proxied is assigned a policy map via a RADIUS attribute. The policy map sends all web requests to our squid server, and the squid server has the following iptables entries to forward the port 80 requests to squid on port 3128.

###############
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/sbin/iptables -A PREROUTING -t nat -p tcp -s 10.0.0.0/20 --dport 80 -j DNAT --to 192.168.0.4:3128
###############

This all works fine and has been for a while now, and all users on 10.0.0.0/20 get forwarded to squid. However, since we added another subnet on a different interface on the Cisco we've had some issues. If a user is being proxied via a policy map they can't browse any web sites on the second subnet. The natural route to the second subnet from the squid server is out of the server, through a switch, onto the Cisco and into the interface the second subnet is on.

L2tp-tunnel---switch---cisco--switch--second-subnet
                 |
                 |
               squid

However the request never even reaches the web server on the second subnet. I've run tcpdump on the web server and it shows no traffic coming in. A tcpdump on the squid server just shows the request trying to be made to the web server. It seems that the Cisco is just sending the port 80 traffic back to squid, although no interface on the router has the redirect policy map assigned to it, other than the per-user virtual interfaces. And besides, the access list the policy map uses has a rule to deny web requests from the squid IP address.

So I thought the solution was to connect eth1 on the squid server to the switch on the second subnet, thus giving the natural route out through eth1, bypassing the Cisco. This I did, and from a command prompt a traceroute to the second subnet goes out through eth1. A printout of the route table shows a route for the subnet out through eth1 also.

L2tp-tunnel---switch---cisco--switch--second-subnet
                 |                |
                 |                |
               Squid---------------

However I'm still getting the same problem. Any user with the policy map assigned still cannot view web sites on the second subnet. It seems that squid isn't sending this traffic via eth1; again I ran tcpdump on the squid server and the web server on the second subnet and got the same results.

Is there a way with iptables to force any web traffic for the second subnet, 10.1.1.0/24, out through eth1 before the squid redirect rules?

#####
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/sbin/iptables -A PREROUTING -t nat -p tcp -s 10.0.0.0/20 --dport 80 -j DNAT --to 192.168.0.4:3128
####

I thought that since I'm already doing some POSTROUTING/MASQUERADING out through eth0, it wasn't possible. I'm not an expert with iptables so I'm seeking some advice and help.

Thanks
Tony

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From kelly at cliffhanger.com Sun Apr 30 23:15:31 2006
From: kelly at cliffhanger.com (kelly@cliffhanger.com)
Date: Mon May 1 04:35:14 2006
Subject: Is there a way....
In-Reply-To:
References:
Message-ID: <20060430211531.GH23121@Knoppix>

This link may have an answer. I haven't read the entire thing, but it talks about netfilter and the iproute2 utility.

http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH08.web.html

It's an online copy of a book (I have the hard copy). It's a very good book.

Policy Routing With Linux - Online Edition by Matthew G. Marsh
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html

--
kelly
http://home1.gte.net/res0psau/index.html#Hang-Gliding-Stuff

Quoting David Sims :

Hi,

I want to use Linux to do NAT between some 192.168.x.x addresses in a routed network on one side and a single 10.0.0.x/24 on the other side. I want to do one-to-one NAT but in a dynamic way... such that a calling address is NATed into the next available 10.0.0.x/24.... in a round robin sort of way...

Is there a way to do this using NETFILTER?? If not NETFILTER, then how??

This sort of thing is common in many-to-one NAT (port-address translation)... but I need each call to come from a separate NATed IP address to support my application (TN3270 session)... It's OK to reuse addresses after a call (session) is complete, but each session needs to come from its own fixed (for the duration of the session) IP address....

The exact application that I am trying to support is connecting to an IBM mainframe from random hosts in a routed network via an Attachmate gateway where calling addresses are mapped into terminal sessions on a 1:1 basis.... Port address translation won't work because all calls appear to emanate from the single IP address.... I need to do 1:1 NAT but only on a temporary basis where once a call is complete the NAT address can be used by another caller...

Clues? Suggestions? Examples?

TIA,
Dave

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc