From stefan.friedel at iwr.uni-heidelberg.de Mon Oct 2 10:00:13 2006
From: stefan.friedel at iwr.uni-heidelberg.de (Stefan Friedel)
Date: Mon Oct 2 10:36:42 2006
Subject: DNAT problem
Message-ID: <20061002080013.GB23849@woyzeck>

Good Morning,

I have a problem after switching from an old 2.4.x installation to 2.6.17.3. Scenario:

- computer pool with central server, central server visible in the internet
- several nodes, two of them access nodes, private network
- the two access nodes in the pool get all external ssh connections via a rule on the central server:

iptables -t nat -A PREROUTING -p tcp -i eth3 -d -j DNAT --dport 22 --to-destination -

This worked fine with 2.4.29 (server+nodes). But after switching to 2.6, round robin is no longer working: only the node is used. Changing the rule and using --to-destination --to-destination does not work at all: iptables is complaining about invalid arguments.

iptables on the server is v1.2.11, Debian sarge, 2.6.17.3

Any hint? Did I miss some changes in the behavior of netfilter/iptables?

Thanks and Regards,
Stefan Friedel

--
Zentrale Dienste - Interdisziplinäres Zentrum für Wissenschaftliches Rechnen der Universität Heidelberg - IWR - INF 368, 69120 Heidelberg
stefan.friedel@iwr.uni-heidelberg.de Tel +49 6221 54-8240 Fax -5224
IWR: www.iwr.uni-heidelberg.de HELICS: www.helics.uni-hd.de

From stefan.friedel at iwr.uni-heidelberg.de Mon Oct 2 10:15:07 2006
From: stefan.friedel at iwr.uni-heidelberg.de (Stefan Friedel)
Date: Mon Oct 2 10:51:30 2006
Subject: forget my last mail
Message-ID: <20061002081507.GC23849@woyzeck>

Sorry list, Google was not enough - I just found the thread in the list archive (multiple --to-destination no longer supported > 2.6.11).

Thanks,
Stefan Friedel

From pupilla at hotmail.com Mon Oct 2 10:25:01 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Mon Oct 2 11:01:29 2006
Subject: DNAT problem
In-Reply-To: <20061002080013.GB23849@woyzeck>

Stefan Friedel wrote:
> Good Morning,
> iptables on the server is v1.2.11, Debian sarge, 2.6.17.3

Upgrade to iptables 1.3.6.

> Any hint? Did I miss some changes in the behavior of netfilter/iptables?

The man page (from iptables 1.3.6) states:

In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.

Maybe the SAME target extension will help you.

From pascal.mail at plouf.fr.eu.org Mon Oct 2 12:42:29 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Mon Oct 2 13:18:51 2006
Subject: DNAT problem
Message-ID: <4520ED15.5090205@plouf.fr.eu.org>

Hello,

Marco Berizzi wrote:
>
> In Kernels up to 2.6.10 you can add several --to-destination options.
> For those kernels, if you specify more than one destination address,
> either via an address range or multiple --to-destination options, a
> simple round-robin (one after another in cycle) load balancing
> takes place between these addresses. Later Kernels (>= 2.6.11-rc1)
> don't have the ability to NAT to multiple ranges anymore.

OK, SNAT and DNAT do not support multiple --to any more in kernels above 2.6.10. But it is unclear to me whether they still support one IP address *range* (with round robin) or only one single IP address.

> Maybe the SAME target extension will help you.

The SAME target won't do round robin for the same source address. It will only do round robin for separate source addresses.

What about the BALANCE target? It's in the man page, but I had never heard of it.

From stefan.friedel at iwr.uni-heidelberg.de Mon Oct 2 14:01:37 2006
From: stefan.friedel at iwr.uni-heidelberg.de (Stefan Friedel)
Date: Mon Oct 2 14:38:05 2006
Subject: DNAT problem
In-Reply-To: <4520ED15.5090205@plouf.fr.eu.org>
References: <4520ED15.5090205@plouf.fr.eu.org>
Message-ID: <20061002120137.GD23849@woyzeck>

Hello,

> OK, SNAT and DNAT do not support multiple --to any more in kernels above
> 2.6.10. But it is unclear to me whether they still support one IP
> address *range* (with round robin) or only one single IP address.

The range is still accepted as an option for iptables 1.3.6, but it has no effect with 2.6.17.3 (so I assume that it is indeed the "NAT+round robin" capability which has gone in Kernels > 2.6.10/11). It doesn't matter if I use the SAME or the DNAT target in PREROUTING -

> The SAME target won't do round robin for the same source address. It
> will only do round robin for separate source addresses.
>
> What about the BALANCE target? It's in the man page, but I had never
> heard of it.

In iptables 1.3.6 BALANCE is not available (nor is it available in the 2.6.17.3 source). Obsolete? And I fear that it would not help, because the problem is the missing round robin/load balancing in the Kernel. Maybe LVS is a solution -

Thanks and Best Regards,
Stefan Friedel

From pupilla at hotmail.com Mon Oct 2 14:48:37 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Mon Oct 2 15:24:59 2006
Subject: DNAT problem
In-Reply-To: <4520ED15.5090205@plouf.fr.eu.org>

Pascal Hambourg wrote:
> The SAME target won't do round robin for the same source address. It will
> only do round robin for separate source addresses.

You could try with the nth match (it is called statistic match since 2.6.18, and you need iptables 1.3.6).

> What about the BALANCE target? It's in the man page, but I had never heard
> of it.

This is from ipt_SAME.c: "copied ipt_BALANCE.c to ipt_SAME.c and changed a few things."

From pupilla at hotmail.com Mon Oct 2 14:51:20 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Mon Oct 2 15:27:43 2006
Subject: DNAT problem
In-Reply-To: <20061002120137.GD23849@woyzeck>

Stefan Friedel wrote:
> Maybe LVS is a solution -

You may also try the nth match (called statistic on linux >= 2.6.18).

From pascal.mail at plouf.fr.eu.org Mon Oct 2 15:14:41 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Mon Oct 2 15:51:00 2006
Subject: DNAT problem
In-Reply-To: <20061002120137.GD23849@woyzeck>
References: <4520ED15.5090205@plouf.fr.eu.org> <20061002120137.GD23849@woyzeck>
Message-ID: <452110C1.2010203@plouf.fr.eu.org>

Stefan Friedel wrote:
>
>> OK, SNAT and DNAT do not support multiple --to any more in kernels above
>> 2.6.10. But it is unclear to me whether they still support one IP
>> address *range* (with round robin) or only one single IP address.
>
> The range is still accepted as an option for iptables 1.3.6, but it has no effect
> with 2.6.17.3 (so I assume that it is indeed the "NAT+round robin" capability
> which has gone in Kernels > 2.6.10/11). It doesn't matter if I use the SAME or
> the DNAT target in PREROUTING -

One question: did you test this from only one single source IP address or from several source IP addresses? SAME is designed to always give the same mapping to a given source address, and it seems that DNAT/SNAT do the same in kernels >= 2.6.11. I remember reading something about this in the kernel 2.6.11 changelog:

=======================================================================
[PATCH] Remove Randomness in Selecting NAT IP Address

We currently choose a "random" IP address to NAT to, where we have a range. Martin Josefsson pointed out that he uses the SAME target in iptables because changing IP addresses breaks Internet banking sites (among others) which assume the customer will be coming from a consistent IP address.

In fact, we spend a fair bit of effort trying to balance the number of connections we NAT to each IP address. We can come pretty damn close just hashing the source and destination IP addresses, and it has the consistency property which is so desirable, as well as being faster.
========================================================================

I believe that with this patch the SNAT and DNAT targets behave in a way like the SAME target and always use the same mapping in the --to range for a given source IP address. However, when a range is specified, different sources may use different mappings. But it won't be a dynamic round robin, just a static hash. However I believe that when there are many different source addresses it can achieve some kind of load balancing.

>> What about the BALANCE target? It's in the man page, but I had never
>> heard of it.
>
> In iptables 1.3.6 BALANCE is not available (nor is it available in the 2.6.17.3
> source). Obsolete? And I fear that it would not help, because the problem is
> the missing round robin/load balancing in the Kernel.

I don't think so. Each target has its own code.

From stefan.friedel at iwr.uni-heidelberg.de Mon Oct 2 16:18:00 2006
From: stefan.friedel at iwr.uni-heidelberg.de (Stefan Friedel)
Date: Mon Oct 2 16:54:32 2006
Subject: DNAT problem
In-Reply-To: <452110C1.2010203@plouf.fr.eu.org>
References: <4520ED15.5090205@plouf.fr.eu.org> <20061002120137.GD23849@woyzeck> <452110C1.2010203@plouf.fr.eu.org>
Message-ID: <20061002141800.GE23849@woyzeck>

Hello Pascal Hambourg,

> One question: did you test this from only one single source IP address
> or from several source IP addresses? SAME is designed to always give
> the same mapping to a given source address, and it seems that DNAT/SNAT
> do the same in kernels >= 2.6.11.

Ah, great. I had only tested a few (3 different source IPs, to be honest) accounts before with SAME. After your last mail I asked some colleagues to test: it is working indeed (obviously using some statistical method to choose the destination IP. The destination IP did not change until we opened ~10 connections from different source IPs...).

Thank you for your hint! And best regards,
Stefan Friedel

From joel at waveteq.com Mon Oct 2 18:54:59 2006
From: joel at waveteq.com (Joel Lindsay)
Date: Mon Oct 2 19:31:23 2006
Subject: Cant find
References: <4520ED15.5090205@plouf.fr.eu.org> <20061002120137.GD23849@woyzeck> <452110C1.2010203@plouf.fr.eu.org> <20061002141800.GE23849@woyzeck>
Message-ID: <009701c6e643$7f20ef60$4401a8c0@WINXPVIRUSMONITOR>

I keep getting the error:

iptables v1.2.11: Couldn't find target `MASQUERADE'

Using kernel 2.6.15-uc0 uclinux.

I have compiled the following, both as modules and statically:

- iptables support
- connection tracking support
- ip filter support
- reject target support
- full nat support
- masquerading support

The module ipt_MASQUERADE exists and is loaded, but I keep getting this error. I can't figure out why. Are there more dependencies on some other modules?

Joel Lindsay, B.Eng
Project Engineer
Waveteq Communications
(250) 766-9229

----- Original Message -----
From: "Stefan Friedel"
To: "Pascal Hambourg"
Cc:
Sent: Monday, October 02, 2006 7:18 AM
Subject: Re: DNAT problem

From zenith.of.perfection at gmail.com Mon Oct 2 20:21:37 2006
From: zenith.of.perfection at gmail.com (malvika joshi)
Date: Mon Oct 2 20:57:59 2006
Subject: interaction of iptables userspace tool with kernel
Message-ID: <9157ddef0610021121u74a7c30awd0deb1c5143b8cdc@mail.gmail.com>

I want to find all the possible means by which the iptables userspace program interacts with the kernel. I have found that it does so by means of setsockopt and getsockopt calls in the source code. But there is also a libipq library with the userspace program which uses netlink sockets. However, none of the functions of the libipq library are called from the source code. Is it safe to assume that the only means of interaction of the userspace program with the kernel is by means of setsockopt and getsockopt calls? If so, under what circumstances is libipq used?

From struggle at mail.nankai.edu.cn Tue Oct 3 03:43:17 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Tue Oct 3 04:21:42 2006
Subject: how to unblock connections coming from a NAT boxB
In-Reply-To: <359556648.06377@mail.nankai.edu.cn>
References: <359556648.06377@mail.nankai.edu.cn>
Message-ID: <359840032.09438@mail.nankai.edu.cn>

Vidya Ravipati wrote:
> I have a question regarding how to unblock the incoming connections
> from the source NAT box. If I have a source machine behind the NAT,
> how should I configure my iptables rules to unblock the connections
> coming from that particular host only.
> 1) How should I specify my rule to unblock only a particular host behind the source NAT only
> 2) How to unblock the particular host behind the particular NAT box
> (can allow the connections from other hosts behind the same NAT
> also)
>
> Thanks
>
> Vidya Sagar Ravipati

I am sorry, but I can't fully understand what your problem is. So I just guess the situation: you have a machine which is connected to the Internet and a LAN. You want to block some machines in your LAN from accessing the Internet and meanwhile allow some of them. Am I right?

From struggle at mail.nankai.edu.cn Tue Oct 3 03:46:36 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Tue Oct 3 04:24:37 2006
Subject: P-O-M: connrate for 2.6.14-4
In-Reply-To: <359584344.16978@mail.nankai.edu.cn>
References: <359584344.16978@mail.nankai.edu.cn>
Message-ID: <359840230.09436@mail.nankai.edu.cn>

Pablo Sanchez wrote:
> Hi,
>
> I'd like to get connrate installed on my 2.6.14-4 kernel. When I
> run P-O-M extra, it doesn't show up as an option. I've checked out
> revision 6677 of the P-O-M trunk:
>
> # svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
> Checked out revision 6677.
>
> Any ideas how to patch my kernel to get connrate implemented?

I think the patch document will tell you how to do it. Or you can man patch!

From pablo at blueoakdb.com Tue Oct 3 03:52:22 2006
From: pablo at blueoakdb.com (Pablo Sanchez)
Date: Tue Oct 3 04:28:48 2006
Subject: P-O-M: connrate for 2.6.14-4
In-Reply-To: <359840230.09436@mail.nankai.edu.cn>
Message-ID: <003901c6e68e$918561e0$0419a8c0@fly>

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Bo Yang
> Sent: Monday, October 02, 2006 9:47 PM
> Cc: netfilter@lists.netfilter.org
> Subject: Re: P-O-M: connrate for 2.6.14-4
>
> > Any ideas how to patch my kernel to get connrate implemented?
> I think the patch document will tell you how to do it.
> Or you can man patch!

Unfortunately, the document doesn't instruct. I think I'm going to try to emulate connrate. I'll see if I can pen some thoughts and run it by the list. Perhaps someone else may find it useful (or not).

Cheers,
-pablo

From struggle at mail.nankai.edu.cn Tue Oct 3 03:53:57 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Tue Oct 3 04:31:04 2006
Subject: Help with NAT and port translation
In-Reply-To: <359601254.21358@mail.nankai.edu.cn>
References: <900f379d0609300020u25d1ef89k912fb031cd72897c@mail.gmail.com> <359601254.21358@mail.nankai.edu.cn>
Message-ID: <359840672.09392@mail.nankai.edu.cn>

AkiL Muss? wrote:
> Hi all,
>
> I need some help setting up iptables with NAT and port translation.
>
> I need to redirect all traffic coming to 41.220.40.183:80 to
> 10.0.0.1:8080
>
> The netfilter HOWTO says that it's possible using the following
> rule, but it isn't working for me:
>
> iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:8080
>
> When I set up NAT using the same port (port 80 to 80), it works
> perfectly. The problem is when redirecting from port 80 to 8080.
>
> Note: 10.0.0.1 is a virtual machine created using Xen VMM
>
> My actual configuration is:
>
> # iptables -L -t nat -nv
> Chain PREROUTING (policy ACCEPT 1659 packets, 143K bytes)
>  pkts bytes target     prot opt in   out  source     destination
>     0     0 DNAT       tcp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   tcp dpt:80 to:10.0.0.1:8080
>
> Chain POSTROUTING (policy ACCEPT 28126 packets, 1747K bytes)
>  pkts bytes target     prot opt in   out  source     destination
> 17560 1110K MASQUERADE all  --  *    eth0 0.0.0.0/0  0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 45638 packets, 2854K bytes)
>  pkts bytes target     prot opt in   out  source     destination
>
> ##### ##### ##### ##### #####
>
> # iptables -L -nv
> Chain INPUT (policy ACCEPT 3470K packets, 374M bytes)
>  pkts bytes target     prot opt in   out  source     destination
>
> Chain FORWARD (policy ACCEPT 3212 packets, 1440K bytes)
>  pkts bytes target     prot opt in   out  source     destination
>     0     0 ACCEPT     all  --  *    *    10.0.0.1   0.0.0.0/0   PHYSDEV match --physdev-in vif5.0
>     0     0 ACCEPT     udp  --  *    *    0.0.0.0/0  0.0.0.0/0   PHYSDEV match --physdev-in vif5.0 udp spt:68 dpt:67
>     0     0 ACCEPT     all  --  *    *    10.0.0.2   0.0.0.0/0   PHYSDEV match --physdev-in vif6.0
>     0     0 ACCEPT     udp  --  *    *    0.0.0.0/0  0.0.0.0/0   PHYSDEV match --physdev-in vif6.0 udp spt:68 dpt:67
>
> Chain OUTPUT (policy ACCEPT 3465K packets, 353M bytes)
>  pkts bytes target     prot opt in   out  source     destination
>
> Thanks for any help...

I think there is nothing wrong in your iptables NAT rule. The bug may be present in other parts of your box. Do you use Xen on your box? Can you access 10.0.0.1:8080 directly?

From winanjaya at lippogeneral.com Tue Oct 3 05:02:08 2006
From: winanjaya at lippogeneral.com (Winanjaya)
Date: Tue Oct 3 05:34:55 2006
Subject: newbie - load balancing with iptables
Message-ID: <004b01c6e698$51107b90$580110ac@HO.lippogeneral.com>

Dear All,

I am very new to this. I am running squid with transparent proxy on my FC1, which is also the clients' gateway. My FC1 has 2 NICs, eth0 and eth1. How do I do load balancing? Internet browsing service should be taken on eth0, and other services such as port 25, 110, 21, 389, 53 etc. should be taken on eth1. Can I do this with iptables? Please help.

Thanks a lot in advance.

Regards,
Winanjaya

From Jason.Neurohr at uniqueworld.net Tue Oct 3 05:41:26 2006
From: Jason.Neurohr at uniqueworld.net (Jason Neurohr)
Date: Tue Oct 3 06:17:53 2006
Subject: PPTP ISSUE
Message-ID: <4D82EB5486E2904A912F7A3A2089B548015455CE@sydexch.sydney.uw.local>

Hello,

We are having a problem with a pptp connection from internal workstations to a remote pptp server through a linux firewall running iptables.

tcpdump on the firewall shows this:

[root@firewall ~]# tcpdump host 203.41.135.162
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:23:55.604900 IP ourip.1648 > 203.41.135.162.1723: S 3351021274:3351021274(0) win 65535
13:23:55.611369 IP 203.41.135.162.1723 > ourip.1648: S 3618448323:3618448323(0) ack 3351021275 win 8820
13:23:55.617619 IP ourip.1648 > 203.41.135.162.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
13:23:55.624110 IP 203.41.135.162.1723 > ourip.1648: P 1:157(156) ack 157 win 8820: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(100) FIRM_REV(1) [|pptp]
13:23:55.630607 IP ourip.1648 > 203.41.135.162.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CALL_SER_NUM(58240) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
13:23:55.636850 IP 203.41.135.162.1723 > ourip.1648: P 157:189(32) ack 325 win 8820: pptp CTRL_MSGTYPE=OCRP CALL_ID(0) PEER_CALL_ID(16384) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(3) PROC_DELAY(0) PHY_CHAN_ID(0)
13:23:55.638724 IP 203.41.135.162 > ourip: call 16384 seq 1 gre-ppp-payload
13:23:55.780617 IP ourip.1648 > 203.41.135.162.1723: . ack 189 win 65347
13:23:55.784488 IP ourip.1648 > 203.41.135.162.1723: P 325:349(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
13:23:55.871054 IP 203.41.135.162.1723 > ourip.1648: . ack 349 win 8820
13:23:58.986263 IP 203.41.135.162 > ourip: call 16384 seq 2 gre-ppp-payload
13:24:01.919107 IP 203.41.135.162 > ourip: call 16384 seq 3 gre-ppp-payload
13:24:04.851702 IP 203.41.135.162 > ourip: call 16384 seq 4 gre-ppp-payload
13:24:07.787543 IP 203.41.135.162 > ourip: call 16384 seq 5 gre-ppp-payload
13:24:10.988065 IP 203.41.135.162 > ourip: call 16384 seq 6 gre-ppp-payload
13:24:13.917661 IP 203.41.135.162 > ourip: call 16384 seq 7 gre-ppp-payload
13:24:16.849381 IP 203.41.135.162 > ourip: call 16384 seq 8 gre-ppp-payload
13:24:19.782475 IP 203.41.135.162 > ourip: call 16384 seq 9 gre-ppp-payload
13:24:22.981124 IP 203.41.135.162 > ourip: call 16384 seq 10 gre-ppp-payload
13:24:25.897355 IP 203.41.135.162.1723 > ourip.1648: P 189:337(148) ack 349 win 8820: pptp CTRL_MSGTYPE=CDN CALL_ID(0) RESULT_CODE(3) ERR_CODE(0) CAUSE_CODE(0) [|pptp]
13:24:25.903600 IP ourip.1648 > 203.41.135.162.1723: P 349:365(16) ack 337 win 65199: pptp CTRL_MSGTYPE=StopCCRQ REASON(1)
13:24:25.910471 IP 203.41.135.162.1723 > ourip.1648: P 337:353(16) ack 365 win 8820: pptp CTRL_MSGTYPE=StopCCRP RESULT_CODE(1) ERR_CODE(0)
13:24:25.910596 IP 203.41.135.162.1723 > ourip.1648: F 353:353(0) ack 365 win 8820
13:24:25.916715 IP ourip.1648 > 203.41.135.162.1723: F 365:365(0) ack 354 win 65183
13:24:25.921213 IP 203.41.135.162.1723 > ourip.1648: . ack 366 win 8820

25 packets captured
25 packets received by filter
0 packets dropped by kernel

Any help with this would be greatly appreciated.

Regards,
Jason Neurohr

Jason Neurohr | Network Engineer | PH 02 8001 7777 | https://www.whitehat.net.au

From gary at primeexalia.com Tue Oct 3 06:04:56 2006
From: gary at primeexalia.com (Gary W. Smith)
Date: Tue Oct 3 06:41:25 2006
Subject: PPTP ISSUE
In-Reply-To: <4D82EB5486E2904A912F7A3A2089B548015455CE@sydexch.sydney.uw.local>
Message-ID: <57F9959B46E0FA4D8BA88AEDFBE5829024EA0E@pxtbenexd01.pxt.primeexalia.com>

What kernel are you running? I believe that conntrack_pptpd was not supported directly in the kernel prior to 2.6.14 (or maybe even 2.6.16). If it's earlier than that, you will need to patch your kernel and recompile both the kernel and iptables (to match the kernel header changes).

Gary Wayne Smith

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Jason Neurohr
> Sent: Monday, October 02, 2006 8:41 PM
> To: netfilter@lists.netfilter.org
> Subject: PPTP ISSUE
>
> Hello,
>
> We are having a problem with a pptp connection from internal
> workstations to a remote pptp server through linux firewall running
> iptables.
>
> Tcp dump on the firewall shows this:
>
> [root@firewall ~]# tcpdump host 203.41.135.162
>
> Any help with this would be greatly appreciated.
>
> Regards
>
> Jason Neurohr

From mingching.tiew at redtone.com Tue Oct 3 12:40:55 2006
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Tue Oct 3 12:40:57 2006
Subject: ipset loading to/from file
Message-ID: <011501c6ff2f$49546010$0100a8c0@newlife>

Shell scripts are slow when they have to iterate over a huge amount of data. Is there a way to load ipset data to/from files (as a binary blob perhaps) so that it can be loaded quickly into memory when the system restarts?

Cheers.

From pupilla at hotmail.com Tue Oct 3 12:11:27 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Tue Oct 3 12:49:05 2006
Subject: DNAT problem
In-Reply-To: <4521C6A3.1040902@mail.nankai.edu.cn>

Bo Yang wrote:
> How to do the balancing using the nth match? Can you give an example?
> For example, I have a gateway 111.111.111.111 which is connected to my
> own LAN.
> And in the LAN, I have four machines 10.0.0.1 - 10.0.0.4 to share the ssh
> connections.
> Could you tell me how to balance the ssh flow?

I haven't exactly understood your question. However, this is an example:

# Only the first packet of a connection consults the nat table, so the nth
# counters count new connections. Each rule only sees what the rules above it
# let through: every 4th connection, then every 3rd of the rest, then every
# 2nd of the rest, and the last rule takes the remainder, so each node gets 1/4.
$IPTABLES -t nat -A PREROUTING -d 111.111.111.111 --protocol tcp --dport 22 -m statistic --mode nth --every 4 -j DNAT --to 10.0.0.1
$IPTABLES -t nat -A PREROUTING -d 111.111.111.111 --protocol tcp --dport 22 -m statistic --mode nth --every 3 -j DNAT --to 10.0.0.2
$IPTABLES -t nat -A PREROUTING -d 111.111.111.111 --protocol tcp --dport 22 -m statistic --mode nth --every 2 -j DNAT --to 10.0.0.3
$IPTABLES -t nat -A PREROUTING -d 111.111.111.111 --protocol tcp --dport 22 -j DNAT --to 10.0.0.4

From bclark at eccotours.co.za Tue Oct 3 12:34:49 2006
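The two behaviours this thread contrasts, the per-source static hash that Pascal describes for kernels >= 2.6.11 (the quoted changelog) and the nth-match DNAT chain in Marco's reply above, as an added Python model that is not from the list or from netfilter: it shows why a chain of three `--every 4` rules skews the shares while `--every 4`, `3`, `2` balances them, and why the hash gives one client a stable node but spreads many clients. SHA-256 stands in for the kernel's own hash (only the consistency property is modelled), and the gateway address, pool and client addresses are constructed.

```python
import hashlib
from collections import Counter

# Constructed values for this example: the gateway address and the pool of
# four ssh nodes from Bo Yang's question.
PUBLIC_IP = "111.111.111.111"
POOL = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def hash_select(src, dst, pool):
    """Model of the kernel >= 2.6.11 behaviour quoted from the changelog: the
    address is picked from the --to range by hashing source and destination,
    so one source always lands on the same node.  SHA-256 is an assumption
    for the model; only the consistency property matters, not the hash."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


class NthRule:
    """One '-m statistic --mode nth --every N -j DNAT --to TARGET' rule.  The
    counter advances once per packet that reaches the rule, and the rule
    matches one packet out of every N."""

    def __init__(self, every, target):
        self.every, self.target, self.count = every, target, 0

    def match(self):
        self.count = (self.count + 1) % self.every
        return self.count == 0


def run_chain(rules, catch_all, connections):
    """Push the first packet of each new connection through the nat
    PREROUTING rules in order (only a connection's first packet consults the
    nat table, so the nth counters effectively count connections) and tally
    which node each connection was DNATed to."""
    hits = Counter()
    for _ in range(connections):
        for rule in rules:
            if rule.match():
                hits[rule.target] += 1
                break
        else:
            hits[catch_all] += 1
    return dict(hits)


def naive_chain():
    """Three '--every 4' rules: each rule only sees what the rules above it
    let through, so the shares shrink (1/4, 3/16, 9/64) and the catch-all
    node gets the rest."""
    return [NthRule(4, POOL[0]), NthRule(4, POOL[1]), NthRule(4, POOL[2])]


def balanced_chain():
    """'--every 4', then '--every 3', then '--every 2': each rule takes an
    equal share of what is left, so all four nodes get 1/4."""
    return [NthRule(4, POOL[0]), NthRule(3, POOL[1]), NthRule(2, POOL[2])]


def hash_distribution(n_sources):
    """Spread of n_sources distinct clients (constructed 203.0.113.x
    addresses, so n_sources <= 256) over the pool under the hash model."""
    hits = Counter(hash_select(f"203.0.113.{i}", PUBLIC_IP, POOL)
                   for i in range(n_sources))
    return dict(hits)


if __name__ == "__main__":
    print("naive nth chain   :", run_chain(naive_chain(), POOL[3], 1200))
    print("balanced nth chain:", run_chain(balanced_chain(), POOL[3], 1200))
    print("static hash, 200 clients:", hash_distribution(200))
    client = "203.0.113.7"
    print("same client twice :", hash_select(client, PUBLIC_IP, POOL),
          hash_select(client, PUBLIC_IP, POOL))
```

The nth counters are per rule, which is why the `--every` values must descend; the hash model, by contrast, needs no state but cannot rebalance a single busy client.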
From: bclark at eccotours.co.za (Brent Clark) Date: Tue Oct 3 13:10:14 2006 Subject: Cant get transparent proxy to route out new ISP. Message-ID: <45223CC9.4050005@eccotours.co.za> Hi all Could someone please me with my current setup. I just got another DSL line and I have my routing and marking the packets etc so that I can decided the fate as to which ISP I would like to route my traffic out of etc. I managed to get squid to be used as a trasparent proxy, but im forced to use the default gw of the machine and for the likes of my I cant figure out to send traffic out the new ISP. So my question / request for help is, Would anyone please advise me as to how I can choose what ISP I can route my transparent proxy. I was thinking that maybe it is a POSTROUTING marking that I need to do, and the the routing tables will take care of the rest. Kinds Regards and thank you in advance. Brent Clark From angico at yahoo.com Tue Oct 3 14:36:39 2006 From: angico at yahoo.com (angico) Date: Tue Oct 3 15:13:08 2006 Subject: Cant find In-Reply-To: <009701c6e643$7f20ef60$4401a8c0@WINXPVIRUSMONITOR> Message-ID: <20061003123639.47431.qmail@web36810.mail.mud.yahoo.com> Try upgrading iptables. regards, angico. --- Joel Lindsay wrote: > Keep getting the error. > > iptables v1.2.11: Couldn't find target `MASQUERADE' > > Using kernel 2.6.15-uc0 uclinux. > > Have compiled as module and statically the following. > > iptables support > connection tracking support > ip filter support > reject target support > full nat support > masquerading support > > the module ipt_MASQUERADE exists and is loaded, but I keep getting > this > error. I cant figure out why?? > > Is there more dependencies on some other modules? > > > Joel Lindsay, B.Eng > Project Engineer > Waveteq Communications > (250) 766-9229 > ----- Original Message ----- 
> From: "Stefan Friedel"
> To: "Pascal Hambourg"
> Cc:
> Sent: Monday, October 02, 2006 7:18 AM
> Subject: Re: DNAT problem
>
>
>

From mohammadfarooq at tango-networks.com Tue Oct 3 16:45:32 2006
From: mohammadfarooq at tango-networks.com (Mohammad Farooq)
Date: Tue Oct 3 17:22:12 2006
Subject: Pleeeeeeeeeeease help me with u32 module
Message-ID: <1159886732.28977.156.camel@mfarooq-1.tango-networks.com>

Hi All,

I need help very badly. I want to use the u32 kernel module, which is unfortunately not part of the iptables core set. When I tried to compile this module with Red Hat Enterprise, which is using kernel 2.6.9, it failed with the following error:

net/ipv4/netfilter/ipt_u32.c:127: warning: "struct xt_match" declared inside parameter list
net/ipv4/netfilter/ipt_u32.c:127: warning: its scope is only this definition or declaration, which is probably not what you want
net/ipv4/netfilter/ipt_u32.c:210: warning: "struct xt_match" declared inside parameter list
net/ipv4/netfilter/ipt_u32.c:219: warning: initialization from incompatible pointer type
net/ipv4/netfilter/ipt_u32.c:220: error: unknown field `matchsize' specified in initializer
net/ipv4/netfilter/ipt_u32.c:220: warning: initialization makes pointer from integer without a cast
net/ipv4/netfilter/ipt_u32.c:221: warning: initialization from incompatible pointer type
make[3]: *** [net/ipv4/netfilter/ipt_u32.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2

I solved this compile error by adding the matchsize variable to the ipt_match structure in /usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h. Now I can compile without any compile error, but when I try to run the iptables command:

iptables -A INPUT -m u32 --u32 "2&0xffff=0x2" -j ACCEPT
iptables: Invalid argument

I get the "Invalid argument" error. I am stuck right now. I am not a kernel hacker and have no clue how to move forward. I would appreciate it if some kind soul could point me in the right direction.

Thanks in advance.

MF

From pupilla at hotmail.com Tue Oct 3 16:48:45 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Tue Oct 3 17:25:17 2006
Subject: DNAT problem
In-Reply-To: <45227670.8040702@mail.nankai.edu.cn>
Message-ID:

Bo Yang wrote:
>Thank you , I just want to know how to use the nth module ,
>so in your response , I know you load the module statistic but
>not the nth module , does this mean nth match belongs to the statistic
>module ?

Yes, nth match belongs to the statistic module since linux 2.6.18. However you must also upgrade to iptables 1.3.6

From lists at netdigix.com Tue Oct 3 17:19:03 2006
From: lists at netdigix.com (Nathan @ Netdigix Systems)
Date: Tue Oct 3 17:54:50 2006
Subject: newbie - load balancing with iptables
In-Reply-To: <004b01c6e698$51107b90$580110ac@HO.lippogeneral.com>
References: <004b01c6e698$51107b90$580110ac@HO.lippogeneral.com>
Message-ID: <1159888743.45227f674127f@mail.dreamtoy.net>

you should use keepalived or ultramonkey
otherwise check out http://www.netfilter.org/patch-o-matic/pom-extra.html

Quoting Winanjaya :
>
> Dear All,
>
> I am very new with this, I am running squid with transparent proxy on my
> FC1, it is also as client's gateway
> my FC1 has 2 NICs .. Eth0 and Eth1 .. how to load balancing? .. Internet
> browsing service should be taken on Eth0 and for other services such as port
> 25, 110, 21, 389, 53 etc .. should be taken on Eth1 ..
>
> Can I do this with iptables? .. please help
>
> Thanks a lot in advance
>
> Regards
> Winanjaya
>

thanks and best regards,
- Nathan -
http://www.netdigix.com

From mlist at c2h2.net Tue Oct 3 17:28:44 2006
From: mlist at c2h2.net (David Fletcher)
Date: Tue Oct 3 18:05:35 2006
Subject: GRE tunnel bound to bridged interface
Message-ID: <452281AC.7040809@c2h2.net>

Hi,

I have a very specific repeatable issue with a gre tunnel bound to a bridged interface.

Tunnel "tgre0" is bound to a source address on "br1"

tuxnix ~ # ip tunnel show tgre0
tgre0: gre/ip remote 72.25.98.XXX local 12.106.79.YYY ttl 64

tuxnix ~ # brctl show
bridge name bridge id STP enabled interfaces
br1 8000.000b824a311c no eth1 eth2
br0 8000.00065b6f4c82 no eth0 eth3 eth4
br2 8000.00022acb474a no eth5

The tunnel is built on br1. When I disable the bridge and put the 12.106.79.YYY address on the physical interface, this is what I see in the firewall debug:

Oct 3 07:55:02 tuxnix Shorewall:vpn2loc:ACCEPT:IN=tgre0 OUT=br2 PHYSOUT=eth5 SRC=10.2.1.6 DST=10.2.2.30 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=19 DF PROTO=ICMP TYPE=8 CODE=0 ID=22904 SEQ=20

This is the correct output - the packet is shown as coming IN on tgre0.

When I re-enable the bridge and look at the same output:

Oct 2 23:03:47 tuxnix Shorewall:net2loc:ACCEPT:IN=br1 OUT=br2 PHYSIN=eth1 PHYSOUT=eth5 SRC=10.2.1.6 DST=10.2.2.30 LEN=100 TOS=0x00 PREC=0x00 TTL=62 ID=625 PROTO=ICMP TYPE=8 CODE=0 ID=59 SEQ=3

As you can see, the input interface is incorrect. This is causing numerous issues (Shorewall detecting the wrong zone due to the wrong source interface, masquerading failing because of the wrong source interface, etc.), so I really need to get this fixed. Any help would be much appreciated.

Current kernel:

tuxnix ~ # uname -a
Linux tuxnix 2.6.14-rc1 #4 PREEMPT Thu Sep 28 16:38:03 PDT 2006 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

I have also tried 2.6.18 to see if that would resolve this issue. It did not.

tuxnix ~ # iptables -V
iptables v1.3.5

Bridge utils version: net-misc/bridge-utils-1.0.6-r3

--David
mlist@c2h2.net

From jengelh at linux01.gwdg.de Tue Oct 3 17:43:37 2006
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Tue Oct 3 18:20:30 2006 Subject: Pleeeeeeeeeeease help me with u32 module In-Reply-To: <1159886732.28977.156.camel@mfarooq-1.tango-networks.com> References: <1159886732.28977.156.camel@mfarooq-1.tango-networks.com> Message-ID: >Subject: Pleeeeeeeeeeease help me with u32 module ftp://ftp-1.gwdg.de/pub/linux/misc/suser-jengelh/kernel/linux-2.6.17-jen34/nf_u32.diff -`J' -- From alan.ezust at presinet.com Tue Oct 3 17:55:16 2006 From: alan.ezust at presinet.com (Alan Ezust) Date: Tue Oct 3 18:31:54 2006 Subject: patchomatic runme script bug - using backup files? In-Reply-To: <200609201525.39890.alan.ezust@presinet.com> References: <200609201525.39890.alan.ezust@presinet.com> Message-ID: <200610030855.16979.alan.ezust@presinet.com> Hi - I don't have commit access yet, so I'm hoping someone will apply this patch for me. This patch will prevent patchomatic from sucking up old backup files when it's applying patches. diff -u ../patch-o-matic-ng-trunk/Netfilter_POM.pm Netfilter_POM.pm --- ../patch-o-matic-ng-trunk/Netfilter_POM.pm 2006-10-03 08:21:19.000000000 -0700 +++ Netfilter_POM.pm 2006-10-03 08:46:41.000000000 -0700 
@@ -361,7 +361,7 @@ opendir(DIR, $dir) or croak "can't open directory $dir: $!"; # Don't miss .foo-test files! - my @dents = sort grep {!/^(\.\.?|CVS|\.svn)$/} readdir(DIR); + my @dents = sort grep {!/^(\.\.?|CVS|\.svn|#?.*~)$/} readdir(DIR); closedir(DIR); foreach my $dent (@dents) { my $fullpath = "$dir/$dent"; On Wednesday 20 September 2006 15:25, Alan Ezust wrote: > I just ran into this bug in runme script from patchomatic - I was writing a > patch file called linux-2.6.16.29.patch but there was a BACKUP file > called linux-2.6.16.29.patch~ and another one called linux-2.6.patch~ > and it seems to be finding the BACKUP files and using them in favor of the > actual patch files I am developing. Since the output doesn't tell me which > file it is reading, I couldn't tell what was wrong, and wasted quite a lot > of time looking at a file that wasn't even being read by runme. From alan.ezust at presinet.com Tue Oct 3 19:46:34 2006 From: alan.ezust at presinet.com (Alan Ezust) Date: Tue Oct 3 20:23:09 2006 Subject: patchomatic runme script bug - using backup files? In-Reply-To: <200610030855.16979.alan.ezust@presinet.com> References: <200609201525.39890.alan.ezust@presinet.com> <200610030855.16979.alan.ezust@presinet.com> Message-ID: <200610031046.34705.alan.ezust@presinet.com> Found another place which also needed to be patched. Here is the updated diff: diff -u ../patch-o-matic-ng-trunk/Netfilter_POM.pm Netfilter_POM.pm --- ../patch-o-matic-ng-trunk/Netfilter_POM.pm 2006-10-03 08:21:19.000000000 -0700 +++ Netfilter_POM.pm 2006-10-03 10:23:52.000000000 -0700 @@ -361,7 +361,7 @@ opendir(DIR, $dir) or croak "can't open directory $dir: $!"; # Don't miss .foo-test files! - my @dents = sort grep {!/^(\.\.?|CVS|\.svn)$/} readdir(DIR); + my @dents = sort grep {!/^(\.\.?|CVS|\.svn|#?.*~)$/} readdir(DIR); closedir(DIR); foreach my $dent (@dents) { my $fullpath = "$dir/$dent"; 
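Review bot: In the `@@ -361,7 +361,7 @@` hunk the new alternative `#?.*~` is partly redundant, because `.*` already absorbs a leading `#`, so `.*~` would say the same; what the pattern still lets through is the other common editor leftover, an Emacs autosave file named `#name#`, which ends in `#` rather than `~`. Suggest `{!/^(\.\.?|CVS|\.svn|.*~|#.*#)$/}`, and a word next to `# Don't miss .foo-test files!` saying that backup files are skipped on purpose, since that comment currently only documents what must not be skipped.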
@@ -486,7 +486,7 @@ # get list of source files that we'd need to copy opendir(PDIR, $patchdir) or croak "unable to open patchdir $patchdir: $!"; - my @dents = sort readdir(PDIR); + my @dents = sort grep {!/^(\.\.?|CVS|\.svn|#?.*~)$/} readdir(PDIR); closedir(PDIR); foreach my $pf (@dents) { @@ -494,7 +494,6 @@ my $ver; my $oldpwd; - next if $pf =~ /^(\.|CVS$)/; if ($pf =~ /\.patch/) { # Patch file of a project: On Tuesday 03 October 2006 08:55, Alan Ezust wrote: > Hi - I don't have commit access yet, so I'm hoping someone will apply this > patch for me. > > This patch will prevent patchomatic from sucking up old backup files when > it's applying patches. > From swifty at freemail.hu Wed Oct 4 10:03:37 2006 From: swifty at freemail.hu (=?ISO-8859-2?Q?G=E1sp=E1r_Lajos?=) Date: Wed Oct 4 10:40:21 2006 Subject: STRING module : Invalid argument Message-ID: <45236AD9.4090300@freemail.hu> Hi, Is there a bug in 2.6.18 kernel? I am using it with iptables v1.2.11 and the following command gives me error: fw1:~# iptables -A INPUT -j DROP -p tcp -m string --string "test" iptables: Invalid argument fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test" DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match "test" iptables: Invalid argument fw1:~# uname -a Linux fw1 2.6.18.06.275.16 #1 SMP Mon Oct 2 16:29:40 CEST 2006 i686 GNU/Linux fw1:~# iptables -V iptables v1.2.11 Any comments? From rob at sterenborg.info Wed Oct 4 11:45:17 2006 
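Review bot: The `@@ -494,7 +494,6 @@` hunk drops `next if $pf =~ /^(\.|CVS$)/;`, which skipped every entry beginning with a dot, while the grep introduced in the `@@ -486,7 +486,7 @@` hunk only excludes `.`, `..`, `CVS`, `.svn` and `~` backups; any other dotfile in $patchdir (an editor swap file, a `.foo-test` file) therefore now reaches the `if ($pf =~ /\.patch/)` branch and the code after it, which the old check never allowed. If that is intended it deserves a sentence in the patch description; if not, keep a `next if $pf =~ /^\./;` before the branch or fold `\..+` into the grep so both scans filter the same way.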
From: rob at sterenborg.info (Rob Sterenborg)
Date: Wed Oct 4 12:21:59 2006
Subject: STRING module : Invalid argument
In-Reply-To: <45236AD9.4090300@freemail.hu>
References: <45236AD9.4090300@freemail.hu>
Message-ID: <53842.193.173.147.3.1159955117.squirrel@webmail.sterenborg.info>

On Wed, October 4, 2006 10:03, Gáspár Lajos wrote:
> Hi,
>
>
> Is there a bug in 2.6.18 kernel?
> I am using it with iptables v1.2.11 and the following command gives me
> error:
>
>
> fw1:~# iptables -A INPUT -j DROP -p tcp -m string --string "test"
> iptables: Invalid argument
>
>
> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
> DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match "test"
> iptables: Invalid argument
>
>
> fw1:~# uname -a
> Linux fw1 2.6.18.06.275.16 #1 SMP Mon Oct 2 16:29:40 CEST 2006 i686
> GNU/Linux
>
>
> fw1:~# iptables -V
> iptables v1.2.11
>
> Any comments?

Yeah.
- You probably don't have the string module installed and/or loaded.
- Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather old (june 2004). Upgrade to a new iptables version: 1.3.6 is just released.

Grts,
Rob

From bclark at eccotours.co.za Wed Oct 4 12:06:33 2006
From: bclark at eccotours.co.za (Brent Clark)
Date: Wed Oct 4 12:41:59 2006
Subject: redirect all HTTP traffic
Message-ID: <452387A9.3010906@eccotours.co.za>

Hey all

I've been trying to redirect all HTTP traffic to my newly built proxy (squid).

But I can't seem to get it working.

This is what I have

$IPT -t nat -A PREROUTING -i eth1 -s 192.168.111.0/24 -p tcp --dport 80 -j DNAT --to 192.168.111.9:3128
$IPT -t nat -A POSTROUTING -o eth1 -s 192.168.111.0/24 -j SNAT --to 192.168.111.10

and

$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -i eth1 -o eth1 -p tcp --dport 80 -m state --state NEW -j ACCEPT

If anyone could assist, I would be most grateful.

Kind Regards
Brent Clark

From bclark at eccotours.co.za Wed Oct 4 12:15:42 2006
From: bclark at eccotours.co.za (Brent Clark)
Date: Wed Oct 4 12:51:09 2006
Subject: redirect all HTTP traffic
In-Reply-To: <452387A9.3010906@eccotours.co.za>
References: <452387A9.3010906@eccotours.co.za>
Message-ID: <452389CE.9060902@eccotours.co.za>

Brent Clark wrote:
> $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A FORWARD -i eth1 -o eth1 -p tcp --dport 80 -m state
> --state NEW -j ACCEPT

sorry my forward was wrong. Should have been 3128 as opposed to 80

Thanks
Brent

From pascal.mail at plouf.fr.eu.org Wed Oct 4 12:30:12 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Wed Oct 4 13:06:44 2006
Subject: redirect all HTTP traffic
In-Reply-To: <452387A9.3010906@eccotours.co.za>
References: <452387A9.3010906@eccotours.co.za>
Message-ID: <45238D34.8040104@plouf.fr.eu.org>

Hello,

Brent Clark wrote:
>
> Ive been trying to redirect all HTTP traffic to my newly built proxy
> (squid).
>
> But I cant seem to get it working.

Please elaborate. What's happening exactly ?

> This is what I have
>
> $IPT -t nat -A PREROUTING -i eth1 -s 192.168.111.0/24 -p tcp --dport 80
> -j DNAT --to 192.168.111.9:3128
> $IPT -t nat -A POSTROUTING -o eth1 -s 192.168.111.0/24 -j SNAT --to
> 192.168.111.10
>
> and
>
> $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A FORWARD -i eth1 -o eth1 -p tcp --dport 3128 -m state
> --state NEW -j ACCEPT

It seems that the proxy is in the same network as the clients. Does it use the same gateway too ? If so, you need to set a no-DNAT exception in PREROUTING for the proxy source address and a rule in FORWARD to allow NEW packets from the proxy to the outside.

From swifty at freemail.hu Wed Oct 4 12:56:32 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Wed Oct 4 13:33:19 2006
Subject: STRING module : Invalid argument
In-Reply-To: <53842.193.173.147.3.1159955117.squirrel@webmail.sterenborg.info>
References: <45236AD9.4090300@freemail.hu> <53842.193.173.147.3.1159955117.squirrel@webmail.sterenborg.info>
Message-ID: <45239360.6060304@freemail.hu>

Rob Sterenborg wrote:
> On Wed, October 4, 2006 10:03, Gáspár Lajos wrote:
>
>> Hi,
>>
>> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
>> DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match "test"
>> iptables: Invalid argument
>>
>>

Does it mean that it fails at insertion of the rule into the chain, doesn't it?

> - You probably don't have the string module installed and/or loaded.
> - Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather old
> (june 2004). Upgrade to a new iptables version: 1.3.6 is just released.
>
>

I have already tried it with the Debian backport of iptables (v1.3.x) ... Same results.

Right now I am recompiling the kernel and iptables + pom-ng.
Hope it helps... :)

> Grts,
> Rob
>
>
>
>
>

From bclark at eccotours.co.za Wed Oct 4 14:32:17 2006
From: bclark at eccotours.co.za (Brent Clark)
Date: Wed Oct 4 15:07:42 2006
Subject: redirect all HTTP traffic
In-Reply-To: <45238D34.8040104@plouf.fr.eu.org>
References: <452387A9.3010906@eccotours.co.za> <45238D34.8040104@plouf.fr.eu.org>
Message-ID: <4523A9D1.2060705@eccotours.co.za>

Pascal Hambourg wrote:
> Please elaborate. What's happening exactly ?

Hi Pascal

A big thanks for replying.

I actually got it working (which proved to be a solution I don't need). I specified the wrong port number.

Thanks again

Kind Regards
Brent Clark

From nfcan.x.jimlaur at dfgh.net Wed Oct 4 14:34:23 2006
From: nfcan.x.jimlaur at dfgh.net (Jim Laurino)
Date: Wed Oct 4 15:11:01 2006
Subject: redirect all HTTP traffic (nfcan: addressed to exclusive sender for this address)
In-Reply-To: <452387A9.3010906@eccotours.co.za> (from +nfcan+jimlaur+beeeb246f4.bclark#eccotours.co.za@spamgourmet.com on Wed, Oct 04, 2006 at 06:06:33 -0400)
References: <452387A9.3010906@eccotours.co.za>
Message-ID: <20061004123423.GA22147@salty>

On 2006.10.04 06:06, Brent Clark - bclark@eccotours.co.za wrote:
> Hey all
>
> Ive been trying to redirect all HTTP traffic to my newly built proxy
> (squid).
>
> But I cant seem to get it working.
>
> This is what I have
>
> $IPT -t nat -A PREROUTING -i eth1 -s 192.168.111.0/24 -p tcp --dport 80 -j
> DNAT --to 192.168.111.9:3128
> $IPT -t nat -A POSTROUTING -o eth1 -s 192.168.111.0/24 -j SNAT --to
> 192.168.111.10
>
> and
>
> $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A FORWARD -i eth1 -o eth1 -p tcp --dport 80 -m state --state
> NEW -j ACCEPT

The prerouting rule changed the destination port from 80 to 3128.
Try accepting new traffic on 3128 in the filter table.

--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.

From bclark at eccotours.co.za Wed Oct 4 15:02:42 2006
From: bclark at eccotours.co.za (Brent Clark)
Date: Wed Oct 4 15:38:07 2006
Subject: change routes for a transparenty proxy
Message-ID: <4523B0F2.1080009@eccotours.co.za>

Hey all

Would anyone know how to switch routes for a transparent proxy.

I am connected to 2 ISPs, but I would like to be able to chop and change which ISP I route HTTP out of. Would be great for redundancy, if one DSL line should go down.

Kind Regards
Brent Clark

From gabrix at gabrix.ath.cx Wed Oct 4 15:12:41 2006
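As an added illustration of Jim Laurino's point above (the FORWARD rule has to match the port as rewritten by the PREROUTING DNAT) and of Pascal Hambourg's earlier one (the proxy's own outbound connections need a no-DNAT exception and a FORWARD rule of their own), here is a small Python model of the nat PREROUTING, then filter FORWARD traversal of a NEW packet; it is not code from the thread or from the netfilter project. It assumes a FORWARD policy of DROP, ignores interfaces and connection state, and uses constructed addresses (the proxy 192.168.111.9 from Brent's rules, a client 192.168.111.20 and a web server 203.0.113.10).

```python
# Added example (not from the thread or the netfilter project): a model of
# how a NEW packet walks nat PREROUTING and then filter FORWARD, to show why
# FORWARD must match the post-DNAT port and why the proxy's own traffic needs
# a no-DNAT exception. Assumptions: FORWARD policy DROP, interfaces and
# conntrack state ignored, addresses below are constructed.
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                            # "DNAT" or "ACCEPT"
    src: Optional[str] = None              # -s host or CIDR
    dport: Optional[int] = None            # --dport
    to: Optional[Tuple[str, int]] = None   # DNAT --to ip:port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        return self.dport is None or pkt.dport == self.dport


def run_chain(chain: List[Rule], pkt: Packet, policy: str) -> Tuple[str, Packet]:
    """Walk a chain top to bottom; the first matching rule decides.
    DNAT rewrites destination address and port; ACCEPT stops the chain
    (in the nat table that means: no NAT for this packet)."""
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "DNAT":
            ip, port = rule.to
            return "DNAT", replace(pkt, dst=ip, dport=port)
        return "ACCEPT", pkt
    return policy, pkt


def forward_verdict(prerouting: List[Rule], forward: List[Rule],
                    pkt: Packet) -> Tuple[str, Packet]:
    """nat PREROUTING runs before routing, so filter FORWARD only ever sees
    the rewritten packet. Returns (FORWARD verdict, packet as forwarded)."""
    _, after_nat = run_chain(prerouting, pkt, "ACCEPT")  # nat policy: ACCEPT
    verdict, _ = run_chain(forward, after_nat, "DROP")   # assumed filter policy
    return verdict, after_nat


LAN, PROXY = "192.168.111.0/24", "192.168.111.9"
CLIENT, WEB = "192.168.111.20", "203.0.113.10"        # constructed hosts
DNAT_TO_PROXY = Rule("DNAT", src=LAN, dport=80, to=(PROXY, 3128))

# Brent's first version: FORWARD still looks for --dport 80.
BROKEN = ([DNAT_TO_PROXY], [Rule("ACCEPT", dport=80)])
# Jim's fix: FORWARD matches the rewritten port 3128.
FIXED = ([DNAT_TO_PROXY], [Rule("ACCEPT", dport=3128)])
# Pascal's additions: exempt the proxy from DNAT and let its NEW packets out.
WITH_EXCEPTION = ([Rule("ACCEPT", src=PROXY), DNAT_TO_PROXY],
                  [Rule("ACCEPT", dport=3128), Rule("ACCEPT", src=PROXY)])

CLIENT_REQUEST = Packet(CLIENT, WEB, 80)  # a LAN client opening http://WEB/
PROXY_REQUEST = Packet(PROXY, WEB, 80)    # squid fetching that page itself

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED),
                        ("with exception", WITH_EXCEPTION)):
        for pkt in (CLIENT_REQUEST, PROXY_REQUEST):
            print(f"{name:15} {pkt.src} -> {forward_verdict(*rules, pkt)}")
```

Without the exception the proxy's own request is DNATed back to the proxy itself (the forwarded packet ends up with `dst == src`), which is the loop Pascal's no-DNAT rule prevents.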
From: gabrix at gabrix.ath.cx (gabrix)
Date: Wed Oct 4 15:49:14 2006
Subject: iptables and hostnames.
Message-ID: <4523B349.20009@gabrix.ath.cx>

What is the reason why, if I use this iptables:

> # (APACHE)
> $IPT -A INPUT -p tcp -d x.gabrix.ath.cx --dport 80 -m state --state !
> INVALID -j ACCEPT
> $IPT -A INPUT -p tcp -d tor.gabrix.ath.cx --dport 443 -m state --state
> ! INVALID -j ACCEPT

the hostnames you see get resolved to their public IPs. This is on an inside LAN PC, but this doesn't happen on the gateway PC right before it, where iptables says it can't resolve the hostnames. Why is this? I have Debian sarge kernel 2.6 on all machines.

Thanks !

From jsullivan at opensourcedevel.com Wed Oct 4 17:02:38 2006
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed Oct 4 17:39:25 2006
Subject: iptables and hostnames.
In-Reply-To: <4523B349.20009@gabrix.ath.cx>
References: <4523B349.20009@gabrix.ath.cx>
Message-ID: <1159974158.3036.22.camel@localhost>

On Wed, 2006-10-04 at 15:12 +0200, gabrix wrote:
> What is the reason why if i use this iptables:
> > # (APACHE)
> > $IPT -A INPUT -p tcp -d x.gabrix.ath.cx --dport 80 -m state --state !
> > INVALID -j ACCEPT
> > $IPT -A INPUT -p tcp -d tor.gabrix.ath.cx --dport 443 -m state --state
> > ! INVALID -j ACCEPT
> the hostnames you see get resolved to their public ips.This is on an
> inside lan pc but this doesn't happen on the gateway pc right before it
> where iptables says it can't resolve the hostnames .Why this ?I have
> debian sarge kernel 2.6 on all machines.
> Thanks !

What is the DNS for the gateway? Have you allowed the gateway to send DNS in the OUTPUT chain? - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net

From t.munker at gmx.net Wed Oct 4 20:05:38 2006
From: t.munker at gmx.net (Thomas)
Date: Wed Oct 4 19:40:30 2006
Subject: POM, random, unclean, psd match and other
Message-ID: <4523F7F2.2040608@gmx.net>

hi,

in short form: where do I get random, unclean, psd for example to work in my 2.6.16.29 kernel?

I wanted to use some matches, but I am only getting the following message:

iptables: No chain/target/match by that name

for unclean and

iptables v1.3.6: Couldn't load match 'random':/usr/local/lib/iptables/libipt_random.so: cannot open shared object file: No such file or directory

for random, psd, osf, and others.

Because of this I checked netfilter.org and got the newest version (1.3.6) and checked my kernel for support of that match. But there is no option to enable in my kernel configuration. That is why I got pom from the ftp, patch-o-matic-ng-20061003, but that did give me the option to install those patches.

I looked at the iptables sources and saw that there is the C file for random (and so on), but no .o or .so file. Only unclean had them.

So here is my question again: how do I get random, psd and so on to work? I think it isn't in my kernel, and I have to get it in there, but how? patch-o-matic doesn't offer it!

Regards and thanks,
Thomas

From gabrix at gabrix.ath.cx Wed Oct 4 20:18:31 2006
From: gabrix at gabrix.ath.cx (gabrix)
Date: Wed Oct 4 20:55:00 2006
Subject: Patch o matic
Message-ID: <4523FAF7.1070503@gabrix.ath.cx>

I have a Debian sarge kernel 2.6. I got the patch-o-matic-ng, a kernel and iptables source ...

> root@argo:~# ls /usr/src/
> iptables-1.3.6 kernel-image-2.6.8_custom.1.0_i386.deb
> kernel-source-2.6.8 patch-o-matic-ng-20040621

I have placed all in the /usr/src/ dir as you can see, compiled the new kernel, installed the new kernel by dpkg -i, rebooted, no kernel panic, and I can't find the new ipt modules. Some got built like NOTRACK and TTL but no TARPIT or psd ...

> root@argo:~# lsmod | grep ipt
> ipt_ttl 2176 0
> ipt_NOTRACK 2304 0
> ipt_recent 10252 2
> ipt_REDIRECT 2432 2
> ipt_multiport 2304 4
> ipt_limit 2688 18
> ipt_owner 3712 2
> ipt_tos 1920 12
> ipt_MARK 2432 29
> ipt_ULOG 7592 95
> ipt_state 2304 12
> ipt_MASQUERADE 3968 1
> ipt_LOG 6272 0
> iptable_mangle 3072 1
> iptable_filter 3072 1
> iptable_nat 22692 5
> ipt_REDIRECT,ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE
> ip_conntrack 32908 9
> ipt_NOTRACK,ipt_REDIRECT,ip_nat_irc,ip_conntrack_irc,ip_nat_ftp,ip_conntrack_ftp,ipt_state,ipt_MASQUERADE,iptable_nat
> ip_tables 16896 16
> ipt_ttl,ipt_NOTRACK,ipt_recent,ipt_REDIRECT,ipt_multiport,ipt_limit,ipt_owner,ipt_tos,ipt_MARK,ipt_ULOG,ipt_state,ipt_MASQUERADE,ipt_LOG,iptable_mangle,iptable_filter,iptable_nat

where are they ?
> root@argo:~# ls /lib/modules/2.6.8-2-386/kernel/net/ipv4/netfilter/
> arptable_filter.ko ipfwadm.ko iptable_nat.ko
> ipt_ecn.ko ipt_mark.ko ipt_realm.ko ipt_TOS.ko
> arp_tables.ko ip_nat_amanda.ko iptable_raw.ko
> ipt_ECN.ko ipt_MARK.ko ipt_recent.ko ipt_ttl.ko
> arpt_mangle.ko ip_nat_ftp.ko ip_tables.ko
> ipt_esp.ko ipt_MASQUERADE.ko ipt_REDIRECT.ko ipt_ULOG.ko
> ipchains.ko ip_nat_irc.ko ipt_addrtype.ko
> ipt_helper.ko ipt_multiport.ko ipt_REJECT.ko
> ip_conntrack_amanda.ko ip_nat_snmp_basic.ko ipt_ah.ko
> ipt_iprange.ko ipt_NETMAP.ko ipt_SAME.ko
> ip_conntrack_ftp.ko ip_nat_tftp.ko ipt_CLASSIFY.ko
> ipt_length.ko ipt_NOTRACK.ko ipt_state.ko
> ip_conntrack_irc.ko ip_queue.ko ipt_conntrack.ko
> ipt_limit.ko ipt_owner.ko ipt_tcpmss.ko
> ip_conntrack.ko iptable_filter.ko ipt_dscp.ko
> ipt_LOG.ko ipt_physdev.ko ipt_TCPMSS.ko
> ip_conntrack_tftp.ko iptable_mangle.ko ipt_DSCP.ko
> ipt_mac.ko ipt_pkttype.ko ipt_tos.ko

Is this the right dir for iptables kernel modules? Are TARPIT and psd part of a chain of modules I missed to modprobe ?

Thanks !

From mohammadfarooq at tango-networks.com Thu Oct 5 01:01:26 2006
From: mohammadfarooq at tango-networks.com (Mohammad Farooq)
Date: Thu Oct 5 01:38:04 2006
Subject: Pleeeeeeeeeeease help me with u32 module
In-Reply-To:
References: <1159886732.28977.156.camel@mfarooq-1.tango-networks.com>
Message-ID: <1160002886.28977.169.camel@mfarooq-1.tango-networks.com>

On Tue, 2006-10-03 at 17:43 +0200, Jan Engelhardt wrote:
> >Subject: Pleeeeeeeeeeease help me with u32 module
>
> ftp://ftp-1.gwdg.de/pub/linux/misc/suser-jengelh/kernel/linux-2.6.17-jen34/nf_u32.diff
>
>
>
> -`J'

I'm new to adding modules to the kernel. I would appreciate it if you could explain it a little more?

Thanks.
MF

From rob at sterenborg.info Thu Oct 5 09:55:50 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Thu Oct 5 10:32:39 2006
Subject: Patch o matic
In-Reply-To: <4523FAF7.1070503@gabrix.ath.cx>
References: <4523FAF7.1070503@gabrix.ath.cx>
Message-ID: <58185.193.173.147.3.1160034950.squirrel@webmail.sterenborg.info>

On Wed, October 4, 2006 20:18, gabrix wrote:
> I have a debian sarge kernel 2.6 i got the patch-o-matic-ng , a kernel
> and iptables source ...
>
>> root@argo:~# ls /usr/src/
>> iptables-1.3.6 kernel-image-2.6.8_custom.1.0_i386.deb kernel-source-2.6.8
>> patch-o-matic-ng-20040621
>
> I have placed all in the /usr/src/ dir as you can see , compiled the new
> kernel , installed by dpkg -i the new kernel,rebooted,no kernel panic and i
> can't find the new ipt modules.Some got built like NOTRACK and TTL but no
> TARPIT or psd ...

[....]

>> root@argo:~# ls /lib/modules/2.6.8-2-386/kernel/net/ipv4/netfilter/
>> arptable_filter.ko ipfwadm.ko iptable_nat.ko ipt_ecn.ko
>> ipt_mark.ko ipt_realm.ko ipt_TOS.ko arp_tables.ko

[....]

> Is this the right dir for iptables kernel modules?

Only if that is the kernel version you are using.

You say that you built a kernel from source, patched the kernel and iptables using pom-ng:
- Did you really use 2.6.8? We are now at 2.6.18.
- Did you see a patch for TARPIT and psd when you ran pom-ng?
- You installed the kernel but are you sure you are running the version you installed (uname -r)?

> Is TARPIT and psd part of a chain of modules i missed to modprobe ?

Check your kernel .config file if you have the lines "CONFIG_IP_NF_TARGET_TARPIT=m" and "CONFIG_IP_NF_MATCH_PSD=m". If you can't find them, support for these is not available in your kernel.

Grts,
Rob

From pablo at netfilter.org Thu Oct 5 12:34:10 2006
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Thu Oct 5 13:03:58 2006
Subject: STRING module : Invalid argument
In-Reply-To: <45239360.6060304@freemail.hu>
References: <45236AD9.4090300@freemail.hu> <53842.193.173.147.3.1159955117.squirrel@webmail.sterenborg.info> <45239360.6060304@freemail.hu>
Message-ID: <4524DFA2.9030504@netfilter.org>

Gáspár Lajos wrote:
> Rob Sterenborg wrote:
>> On Wed, October 4, 2006 10:03, Gáspár Lajos wrote:
>>
>>> Hi,
>>>
>>> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
>>> DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match
>>> "test"
>>> iptables: Invalid argument
>>>
>>>
> Does it means that it fails at insertation of the rule into the chain,
> doesn't?

Yes

>> - You probably don't have the string module installed and/or loaded.
>> - Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather
>> old
>> (june 2004). Upgrade to a new iptables version: 1.3.6 is just released.
>>
>>
> I have already tried it with the Debian backport of iptables (v1.3.x)
> ... Same results.

Debian backport of iptables? What do you mean?

> Right now I am recompiling the kernel and iptables + pom-ng.
> Hope it helps... :)

The string match was introduced in kernel 2.6.16 if my mind serves well; the old version that was available in pom-ng was broken. You also need a recent iptables version to make it work, as Rob pointed out.

--
The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

From aoliva at it.uc3m.es Thu Oct 5 12:34:15 2006
From: aoliva at it.uc3m.es (aoliva)
Date: Thu Oct 5 13:11:17 2006
Subject: Packet change in OUTPUT mangle table and not being rerouted
Message-ID: <4524DFA7.7050806@it.uc3m.es>

Hi all,

I have been trying to change the src and dst address of a packet by jumping to the QUEUE target and modifying it via libipq (using the OUTPUT chain in the mangle table). Later this packet is accepted and I was expecting it to be rerouted through the correct interface, but it is not: it continues to be sent by the old interface.

Any help please?

Regards
Antonio

From pascal.mail at plouf.fr.eu.org Thu Oct 5 19:11:10 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Thu Oct 5 19:47:52 2006
Subject: Patch o matic
In-Reply-To: <4523FAF7.1070503@gabrix.ath.cx>
References: <4523FAF7.1070503@gabrix.ath.cx>
Message-ID: <45253CAE.8080600@plouf.fr.eu.org>

Hello,

gabrix wrote:
> I have a debian sarge kernel 2.6 i got the patch-o-matic-ng , a kernel
> and iptables source ...
>
>> root@argo:~# ls /usr/src/
>> iptables-1.3.6 kernel-image-2.6.8_custom.1.0_i386.deb
>> kernel-source-2.6.8 patch-o-matic-ng-20040621

Aw. This is a very old and broken patch-o-matic-ng that you have. There have been a lot of changes since then. You may want to look at more recent patch-o-matic-ng snapshots. Not too recent though, as some patches have been removed from more or less recent patch-o-matic-ng snapshots over time (some have been merged into recent kernels, some have just been removed).

> I have placed all in the /usr/src/ dir as you can see , compiled the new
> kernel , installed by dpkg -i the new kernel,rebooted,no kernel panic
> and i can't find the new ipt modules.Some got built like NOTRACK and TTL
> but no TARPIT or psd ...
>
>> root@argo:~# lsmod | grep ipt
>> ipt_ttl 2176 0
>> ipt_NOTRACK 2304 0
>> ipt_recent 10252 2
[...]

Well, AFAIK all the listed modules, including ipt_NOTRACK, are already included in the standard 2.6.8 kernel. I don't see ipt_TTL (TTL target) but only ipt_ttl (TTL match). Did you apply the patch-o-matic patches to the kernel source before compiling ? Are you running the new kernel ?

From dsung at lantronix.com Thu Oct 5 21:23:12 2006
From: dsung at lantronix.com (Danny Sung)
Date: Thu Oct 5 21:59:56 2006
Subject: getting original destination after UDP REDIRECT
Message-ID: <2F0FC2A92C0B154BB406D5E74CB3E6930336BD22@3putt.int.lantronix.com>

Is there a way to get the original destination address/port of a UDP packet that has been REDIRECTed? I'm looking for the equivalent to the SO_ORIGINAL_DST flag for TCP.

I've seen some talk about this on the list about a year ago, but couldn't find any resolution. I've tried the faqs and general web searches. Miquel van Smoorenburg's recvfromto() function looked promising, but didn't appear to work.

I'm running on a linux 2.6.12 kernel, btw.

Thanks,
Danny

From palczews at uiuc.edu Fri Oct 6 00:47:07 2006
From: palczews at uiuc.edu (Andrzej Palczewski)
Date: Fri Oct 6 01:24:06 2006
Subject: Netfilter Hooks with Queue
Message-ID: <010701c6e8d0$2fa5bb70$cd9a7e82@ASP.COM>

Good afternoon,

I am trying to measure the time between a packet entering a linux router's queue and leaving it. At which points in the Netfilter Packet flow (http://www.shorewall.net/images/Netfilter.png) should I place my hooks in order to hook the packet before it is queued by the kernel and hook it after it leaves?

From gabrix at gabrix.ath.cx Fri Oct 6 05:05:12 2006
From: gabrix at gabrix.ath.cx (gabrix)
Date: Fri Oct 6 05:41:43 2006
Subject: patch o matic modules
Message-ID: <4525C7E8.4010301@gabrix.ath.cx>

I will try to explain my POM modules problem in a better way. I have a Debian sarge kernel 2.6; these are the packages I got to compile POM into the kernel:

> root@argo:~# ls /usr/src/
> iptables-1.3.6 kernel-source-2.6.8 patch-o-matic-ng-20040621

This is the resulting .deb kernel after compiling:

> kernel-image-2.6.8_custom.1.0_i386.deb

This is the kernel installed:

> root@argo:~# uname -a
> Linux argo 2.6.8-2-386 #1 Tue Aug 16 12:46:35 UTC 2005 i686 GNU/Linux

The iptables POM modules are where they are supposed to be:

> root@argo:~# ls /lib/iptables/
> libip6t_ah.so libip6t_multiport.so libipt_CONNMARK.so
> libipt_LOG.so libipt_POOL.so libipt_TARPIT.so
> libip6t_condition.so libip6t_nth.so libipt_conntrack.so
> libipt_mac.so libipt_psd.so libipt_TCPLAG.so
> libip6t_dst.so libip6t_owner.so libipt_DNAT.so
> libipt_mark.so libipt_quota.so libipt_tcpmss.so
> libip6t_esp.so libip6t_policy.so libipt_dscp.so
> libipt_MARK.so libipt_random.so libipt_TCPMSS.so
> libip6t_eui64.so libip6t_random.so libipt_DSCP.so
> libipt_MASQUERADE.so libipt_realm.so libipt_tcp.so
> libip6t_frag.so libip6t_REJECT.so libipt_dstlimit.so
> libipt_MIRROR.so libipt_recent.so libipt_time.so
> libip6t_fuzzy.so libip6t_ROUTE.so libipt_ecn.so
> libipt_mport.so libipt_REDIRECT.so libipt_tos.so
> libip6t_hbh.so libip6t_rt.so libipt_ECN.so
> libipt_multiport.so libipt_REJECT.so libipt_TOS.so
> libip6t_hl.so libip6t_standard.so libipt_esp.so
> libipt_NETLINK.so libipt_ROUTE.so libipt_TRACE.so
> libip6t_HL.so libip6t_tcp.so libipt_fuzzy.so
> libipt_NETMAP.so libipt_rpc.so libipt_ttl.so
> libip6t_icmpv6.so libip6t_TRACE.so libipt_helper.so
> libipt_NOTRACK.so libipt_SAME.so libipt_TTL.so
> libip6t_ipv6header.so libip6t_udp.so libipt_icmp.so
> libipt_nth.so libipt_sctp.so libipt_u32.so
> libip6t_length.so libipt_addrtype.so libipt_IPMARK.so
> libipt_osf.so libipt_set.so
libipt_udp.so > libip6t_limit.so libipt_ah.so libipt_iprange.so > libipt_owner.so libipt_SET.so libipt_ULOG.so > libip6t_LOG.so libipt_CLASSIFY.so libipt_ipv4options.so > libipt_physdev.so libipt_SNAT.so libipt_unclean.so > libip6t_mac.so libipt_condition.so libipt_IPV4OPTSSTRIP.so > libipt_pkttype.so libipt_standard.so libipt_XOR.so > libip6t_mark.so libipt_connlimit.so libipt_length.so > libipt_policy.so libipt_state.so > libip6t_MARK.so libipt_connmark.so libipt_limit.so > libipt_pool.so libipt_string.so How do i load them in my iptables script ? many of the modules above are not present in the /lib/modules/2.6.8-2-386/kernel/net/ipv4/netfilter/ dir > root@argo:~# ls /lib/modules/2.6.8-2-386/kernel/net/ipv4/netfilter/ > arptable_filter.ko ip_nat_irc.ko > ipt_conntrack.ko ipt_mark.ko ipt_REJECT.ko > arp_tables.ko ip_nat_snmp_basic.ko > ipt_dscp.ko ipt_MARK.ko ipt_SAME.ko > arpt_mangle.ko ip_nat_tftp.ko > ipt_DSCP.ko ipt_MASQUERADE.ko ipt_state.ko > ipchains.ko ip_queue.ko > ipt_ecn.ko ipt_multiport.ko ipt_tcpmss.ko > ip_conntrack_amanda.ko iptable_filter.ko > ipt_ECN.ko ipt_NETMAP.ko ipt_TCPMSS.ko > ip_conntrack_ftp.ko iptable_mangle.ko > ipt_esp.ko ipt_NOTRACK.ko ipt_tos.ko > ip_conntrack_irc.ko iptable_nat.ko > ipt_helper.ko ipt_owner.ko ipt_TOS.ko > ip_conntrack.ko iptable_raw.ko > ipt_iprange.ko ipt_physdev.ko ipt_ttl.ko > ip_conntrack_tftp.ko ip_tables.ko > ipt_length.ko ipt_pkttype.ko ipt_ULOG.ko > ipfwadm.ko ipt_addrtype.ko > ipt_limit.ko ipt_realm.ko > ip_nat_amanda.ko ipt_ah.ko > ipt_LOG.ko ipt_recent.ko > ip_nat_ftp.ko ipt_CLASSIFY.ko ipt_mac.ko and this modules get loaded : > root@argo:~# modprobe ipt_TCPMSS > root@argo:~# modprobe ipt_SAME > root@argo:~# modprobe ipt_REJECT > root@argo:~# What's happening? Why modules are present in one dir and not in the orther ? What am i supposed to do to make POM happen ? thanks ! From wingback06 at yahoo.com Fri Oct 6 08:30:13 2006 
From: wingback06 at yahoo.com (Adhi Laksono) Date: Fri Oct 6 09:06:58 2006 Subject: Layer 7 Filter Message-ID: <20061006063013.80678.qmail@web31010.mail.mud.yahoo.com>

Hi all, I made a script using iptables with layer 7 filter support... My default policy is:

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

The rules in the filter table work fine, but the weird thing is, how come all the applications (ex. bittorrent) don't work?? I haven't written any rules for the application to DROP yet, and have tried to add

$IPTABLES -A LAN-Internet -s $NET_LAN -d 0/0 -m layer7 --l7proto bittorrent

And still, it won't work... Any help please???

Regards, Adhi

From kirusz at freemail.hu Fri Oct 6 09:10:24 2006 From: kirusz at freemail.hu (kiraly laszlo) Date: Fri Oct 6 09:47:11 2006 Subject: POM-NG missing patchlets Message-ID:

Hi list! I have some questions about POM-NG. Maybe I'm lame or blind, but: why aren't many modules like geoip, accounting etc. in the recent POM-NG version? These aren't in the kernel. Are these modules already useless? I need these modules. The only method that I found is searching the devel list to find some modules, adding them to the new POM-NG and then patching them to work with a recent kernel. I found only very old documentation about POM. :(

regards
--- kiru

From kadlec at blackhole.kfki.hu Fri Oct 6 09:19:50 2006
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik) Date: Fri Oct 6 09:56:39 2006 Subject: ipset on 2.4.18-14 In-Reply-To: References: <4516BEAE.3030708@mailinator.com> Message-ID:

On Sun, 24 Sep 2006, Jozsef Kadlecsik wrote:

> > I've been trying to add ipset support to a remote box running Redhat 8
> > with kernel 2.4.18-14 and am having build problems.

Sorry, I was blind: that is an old release from the 2.4 tree. You should really upgrade.

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary

From mysql.jorge at decimal.pt Fri Oct 6 20:41:58 2006
From: mysql.jorge at decimal.pt (Jorge Bastos) Date: Fri Oct 6 21:18:43 2006 Subject: Compiling 1.3.6 Message-ID: <00be01c6e977$1ba6bcd0$0101a8c0@pcjorge>

I was compiling the 1.3.6 version of iptables against my 2.6.19-rc1 kernel version and I get this (it also happens with the final 2.6.18). Is there some library that needs an upgrade or am I missing something? I already tried the latest svn version and the same happens.

Thanks, Jorge

Extensions found: IPv4:CLUSTERIP IPv4:connbytes IPv4:dccp IPv4:quota IPv4:recent IPv4:statistic IPv4:string IPv6:REJECT IPv6:ah IPv6:esp IPv6:frag IPv6:ipv6header IPv6:rt
cc -O2 -Wall -Wunused -I/usr/src/linux-2.6.18/include -Iinclude/ -DIPTABLES_VERSION=\"1.3.6\" -fPIC -o extensions/libipt_iprange_sh.o -c extensions/libipt_iprange.c
In file included from extensions/libipt_iprange.c:9:
/usr/src/linux-2.6.18/include/linux/netfilter_ipv4/ipt_iprange.h:11: error: expected specifier-qualifier-list before '__be32'
extensions/libipt_iprange.c: In function 'parse_iprange':
extensions/libipt_iprange.c:43: error: 'struct ipt_iprange' has no member named 'min_ip'
extensions/libipt_iprange.c:50: error: 'struct ipt_iprange' has no member named 'max_ip'
extensions/libipt_iprange.c:52: error: 'struct ipt_iprange' has no member named 'max_ip'
extensions/libipt_iprange.c:52: error: 'struct ipt_iprange' has no member named 'min_ip'
extensions/libipt_iprange.c: In function 'print_iprange':
extensions/libipt_iprange.c:116: error: 'const struct ipt_iprange' has no member named 'min_ip'
extensions/libipt_iprange.c:117: error: 'const struct ipt_iprange' has no member named 'max_ip'
make: *** [extensions/libipt_iprange_sh.o] Error 1

From clm_lists at mac.com Sat Oct 7 04:40:05 2006
From: clm_lists at mac.com (Colin Madere) Date: Sat Oct 7 05:17:02 2006 Subject: ulogd IP extension? Message-ID: <9DC2C4DA-12D8-43BC-B84E-2B0680402726@mac.com>

Hello list, Wondering if anyone knows of a ulogd extension that will log to an IP address. Want to pick up log messages via unicast or multicast, either will do.

Thanks, Colin

From pattonb at network1.ca Sat Oct 7 10:06:24 2006 From: pattonb at network1.ca (Blake Patton) Date: Sat Oct 7 10:43:11 2006 Subject: 2.4.33.3 kernel & pptp-conntrack-nat Message-ID: <45276000.1070506@network1.ca>

I am attempting to add the pptp-conntrack-nat from patch-o-matic and I receive the following error:

unable to find ladd slot in src usr/src/linux/net/ipv4/netfilter/Config.in

Do I need a 2.6 kernel?

From pascal.mail at plouf.fr.eu.org Sun Oct 8 12:13:34 2006 From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Sun Oct 8 12:50:33 2006 Subject: 2.4.33.3 kernel & pptp-conntrack-nat In-Reply-To: <45276000.1070506@network1.ca> References: <45276000.1070506@network1.ca> Message-ID: <4528CF4E.6060705@plouf.fr.eu.org>

Hello,

Blake Patton wrote:
> I am attempting to add the pptp-conntrack-nat from patch-o-matic and
> I receive the following error,
>
> unable to find ladd slot in src usr/src/linux/net/ipv4/netfilter/Config.in

I just tried to apply the pptp-conntrack-nat patch from the latest patch-o-matic-ng (20060511) which contains it on a 2.4.33.3 kernel tree and it worked. However it failed to restore Documentation/Configure.help when I tried to reverse the patch. What version of the patch-o-matic are you using?

From pablo at netfilter.org Mon Oct 9 00:21:43 2006
From: pablo at netfilter.org (Pablo Neira Ayuso) Date: Mon Oct 9 00:51:55 2006 Subject: Compiling 1.3.6 In-Reply-To: <00be01c6e977$1ba6bcd0$0101a8c0@pcjorge> References: <00be01c6e977$1ba6bcd0$0101a8c0@pcjorge> Message-ID: <452979F7.9090205@netfilter.org> Hi Patrick, Jorge Bastos wrote: > I was compiling the 1.3.6 version of iptables, agains my 2.6.19-rc1 > kernel version and i get this (it also happens with the final 2.6.18). > Is there some livrary that needs an upgrade or am i missing something? > I already tryed the svn last version and the same happens. min_ip and max_ip type has been changed from u_int32_t to __be32 that is not defined in userspace, this breaks iptables compilation. Attached a patch that recovers the use of u_int32_t. I'm not sure if this is the best fix so let me know what you think. -- The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris -------------- next part -------------- [PATCH] Fix iptables compilation with support for iprange iptables requires ipt_iprange.h that defines max_ip and min_ip as __be32 that is not defined in userspace. Reported by Jorge Bastos. Signed-off-by: Pablo Neira Ayuso Index: net-2.6/include/linux/netfilter_ipv4/ipt_iprange.h =================================================================== --- net-2.6.orig/include/linux/netfilter_ipv4/ipt_iprange.h 2006-10-09 00:15:42.000000000 +0200 +++ net-2.6/include/linux/netfilter_ipv4/ipt_iprange.h 2006-10-09 00:15:55.000000000 +0200 @@ -8,7 +8,7 @@ struct ipt_iprange { /* Inclusive: network order. */ - __be32 min_ip, max_ip; + u_int32_t min_ip, max_ip; }; struct ipt_iprange_info From pablo at netfilter.org Mon Oct 9 00:25:59 2006 
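Review bot: replacing `__be32 min_ip, max_ip;` with `u_int32_t min_ip, max_ip;` drops the endianness annotation that the comment directly above it (`/* Inclusive: network order. */`) describes, so sparse can no longer flag a host-order value being stored into these fields on the kernel side; if the goal is userspace compatibility, the kernel's exported plain type is `__u32`, not the BSD `u_int32_t`, and the annotated type could be kept with the annotation types made available to userspace instead. The commit message should also state that this reverts an earlier type change and why, rather than only that `__be32` is undefined in userspace.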
From: pablo at netfilter.org (Pablo Neira Ayuso) Date: Mon Oct 9 00:56:06 2006 Subject: 2.4.33.3 kernel & pptp-conntrack-nat In-Reply-To: <45276000.1070506@network1.ca> References: <45276000.1070506@network1.ca> Message-ID: <45297AF7.3020305@netfilter.org>

Blake Patton wrote:
> I am attempting to add the pptp-conntrack-nat from patch-o-matic and
> I receive the following error,
>
> unable to find ladd slot in src usr/src/linux/net/ipv4/netfilter/Config.in
>
>
> do I need a 2.6 kernel ?

AFAIK the pptp helper in pom-ng is outdated, so it is a good idea to use a recent kernel that already comes with it.

-- The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

From mohammadfarooq at tango-networks.com Mon Oct 9 16:51:20 2006 From: mohammadfarooq at tango-networks.com (Mohammad Farooq) Date: Mon Oct 9 17:28:35 2006 Subject: How to find out packet latency? Message-ID: <1160405480.28977.201.camel@mfarooq-1.tango-networks.com>

Hi all, I am using a Linux box as a router. Every IP packet which enters the box is forwarded to some IP address. I have iptables rules which perform this task. My question is, how can I find out the duration an IP packet took to go out of the box? Basically I need the time difference between when the packet entered the box and the time it left the box. I want to monitor the latency. If it crosses some threshold value, I may have to notify. Since the packets are switched at the kernel level, I am not sure how to get this information. I would appreciate it if someone could point me in the right direction.

Thanks in advance.
MF

From aoliva at it.uc3m.es Mon Oct 9 17:13:24 2006
From: aoliva at it.uc3m.es (aoliva) Date: Mon Oct 9 17:50:37 2006 Subject: How to find the chain which calls the match In-Reply-To: <1160405480.28977.201.camel@mfarooq-1.tango-networks.com> References: <1160405480.28977.201.camel@mfarooq-1.tango-networks.com> Message-ID: <452A6714.5030709@it.uc3m.es>

Hi all, I am writing a match for iptables and I would like it to have a different behaviour when it is called from different chains (e.g. different behaviour when called from INPUT than OUTPUT). Does anyone know how to check in the match which is the chain that is calling it?

Thanks in advance.
Antonio de la Oliva

From aoliva at it.uc3m.es Mon Oct 9 17:20:30 2006 From: aoliva at it.uc3m.es (aoliva) Date: Mon Oct 9 17:57:39 2006 Subject: How to find the chain which calls the match In-Reply-To: <452A6714.5030709@it.uc3m.es> References: <1160405480.28977.201.camel@mfarooq-1.tango-networks.com> <452A6714.5030709@it.uc3m.es> Message-ID: <452A68BE.8030605@it.uc3m.es>

Sorry if you receive multiple copies,

Hi all, I am writing a match for iptables and I would like it to have a different behaviour when it is called from different chains (e.g. different behaviour when called from INPUT than OUTPUT). Does anyone know how to check in the match which is the chain that is calling it?

Thanks in advance.
Antonio de la Oliva

From kaber at trash.net Mon Oct 9 17:23:01 2006
From: kaber at trash.net (Patrick McHardy) Date: Mon Oct 9 18:00:10 2006 Subject: Compiling 1.3.6 In-Reply-To: <452979F7.9090205@netfilter.org> References: <00be01c6e977$1ba6bcd0$0101a8c0@pcjorge> <452979F7.9090205@netfilter.org> Message-ID: <452A6955.6020100@trash.net> Pablo Neira Ayuso wrote: > min_ip and max_ip type has been changed from u_int32_t to __be32 that is > not defined in userspace, this breaks iptables compilation. Attached a > patch that recovers the use of u_int32_t. I'm not sure if this is the > best fix so let me know what you think. I think we should just define the endian-annotation types in userspace. Does this patch fix compilation? -------------- next part -------------- Index: include/iptables_common.h =================================================================== --- include/iptables_common.h (Revision 6660) +++ include/iptables_common.h (Arbeitskopie) @@ -42,4 +42,9 @@ extern void init_extensions(void); #endif +#define __be32 u_int32_t +#define __le32 u_int32_t +#define __be16 u_int16_t +#define __le16 u_int16_t + #endif /*_IPTABLES_COMMON_H*/ From pablo at netfilter.org Mon Oct 9 17:36:54 2006 
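Review bot: the four `#define __be32 u_int32_t` ... `#define __le16 u_int16_t` macros in iptables_common.h are unconditional, so any kernel header included after this one that typedefs `__be32` itself will have the macro substituted into its typedef and fail to compile; guard each with `#ifndef __be32` (and likewise for the others) or turn them into typedefs placed after the kernel types header is known to be included. A one-line comment saying these are userspace stand-ins for the kernel's sparse endian annotations would also help, since as written the block reads as if iptables owns these type names.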
From: pablo at netfilter.org (Pablo Neira Ayuso) Date: Mon Oct 9 18:12:30 2006 Subject: Compiling 1.3.6 In-Reply-To: <452A6955.6020100@trash.net> References: <00be01c6e977$1ba6bcd0$0101a8c0@pcjorge> <452979F7.9090205@netfilter.org> <452A6955.6020100@trash.net> Message-ID: <452A6C96.2070102@netfilter.org>

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>
>>min_ip and max_ip type has been changed from u_int32_t to __be32 that is
>>not defined in userspace, this breaks iptables compilation. Attached a
>>patch that recovers the use of u_int32_t. I'm not sure if this is the
>>best fix so let me know what you think.
>
>
> I think we should just define the endian-annotation types in userspace.
> Does this patch fix compilation?

But this breaks previous iptables versions with new kernels :(. An alternative can be exporting ipt_iprange.h to iptables/include, although this is also a hack.

-- The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

From pablo at netfilter.org Mon Oct 9 17:44:53 2006
From: pablo at netfilter.org (Pablo Neira Ayuso) Date: Mon Oct 9 18:20:33 2006 Subject: Compiling 1.3.6 In-Reply-To: <452A6C96.2070102@netfilter.org> References: <00be01c6e977$1ba6bcd0$0101a8c0@pcjorge> <452979F7.9090205@netfilter.org> <452A6955.6020100@trash.net> <452A6C96.2070102@netfilter.org> Message-ID: <452A6E75.2030700@netfilter.org>

Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>
>> Pablo Neira Ayuso wrote:
>>
>>> min_ip and max_ip type has been changed from u_int32_t to __be32 that is
>>> not defined in userspace, this breaks iptables compilation. Attached a
>>> patch that recovers the use of u_int32_t. I'm not sure if this is the
>>> best fix so let me know what you think.
>>
>>
>>
>> I think we should just define the endian-annotation types in userspace.
>> Does this patch fix compilation?
>
>
> But this breaks previous iptables version with new kernels :(. An
> alternative can be exporting ipt_iprange.h to iptables/include although
> this is also a hack.

Forget the alternative, it won't work either.

-- The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

From pupilla at hotmail.com Mon Oct 9 17:58:34 2006
From: pupilla at hotmail.com (Marco Berizzi) Date: Mon Oct 9 18:35:46 2006 Subject: Compiling 1.3.6 In-Reply-To: <452A6E75.2030700@netfilter.org> Message-ID:

Pablo Neira Ayuso wrote:
>Pablo Neira Ayuso wrote:
>>Patrick McHardy wrote:
>>
>>>Pablo Neira Ayuso wrote:
>>>
>>>>min_ip and max_ip type has been changed from u_int32_t to __be32 that is
>>>>not defined in userspace, this breaks iptables compilation.

I'm able to compile iptables 1.3.6 with 2.6.18 kernel headers without any errors. However iptables 1.3.6 + linux 2.6.19-rc1 kernel headers give me this error:

cc -O2 -Wall -Wunused -I/usr/src/linux/include -Iinclude/ -DIPTABLES_VERSION=\"1.3.6\" -fPIC -o extensions/libipt_iprange_sh.o -c extensions/libipt_iprange.c
In file included from extensions/libipt_iprange.c:9:
/usr/src/linux/include/linux/netfilter_ipv4/ipt_iprange.h:11: error: syntax error before "__be32"
/usr/src/linux/include/linux/netfilter_ipv4/ipt_iprange.h:11: warning: no semicolon at end of struct or union
/usr/src/linux/include/linux/netfilter_ipv4/ipt_iprange.h:16: error: field `src' has incomplete type
/usr/src/linux/include/linux/netfilter_ipv4/ipt_iprange.h:17: error: field `dst' has incomplete type
extensions/libipt_iprange.c: In function `parse_iprange':
extensions/libipt_iprange.c:43: error: dereferencing pointer to incomplete type
extensions/libipt_iprange.c:50: error: dereferencing pointer to incomplete type
extensions/libipt_iprange.c:52: error: dereferencing pointer to incomplete type
extensions/libipt_iprange.c:52: error: dereferencing pointer to incomplete type
extensions/libipt_iprange.c: In function `print_iprange':
extensions/libipt_iprange.c:116: error: dereferencing pointer to incomplete type
extensions/libipt_iprange.c:117: error: dereferencing pointer to incomplete type
make: *** [extensions/libipt_iprange_sh.o] Error 1

My env: Slackware Linux 11.0
Linux Calimero 2.6.19-rc1 #1 PREEMPT Thu Oct 5 15:26:06 CEST 2006 i686 pentium3 i386 GNU/Linux
Gnu C 3.4.6
Gnu make 3.81
binutils 2.15.92.0.2
util-linux 2.12r
mount 2.12r
module-init-tools 3.2.2
e2fsprogs 1.38
Linux C Library 2.3.6
Dynamic linker (ldd) 2.3.6
Linux C++ Library 6.0.3
Procps 3.2.7
Net-tools 1.60
Kbd 1.12
Sh-utils 5.97

From swifty at freemail.hu Mon Oct 9 17:58:19 2006 From: swifty at freemail.hu (Gáspár Lajos) Date: Mon Oct 9 18:35:49 2006 Subject: How to find the chain which calls the match In-Reply-To: <452A68BE.8030605@it.uc3m.es> References: <1160405480.28977.201.camel@mfarooq-1.tango-networks.com> <452A6714.5030709@it.uc3m.es> <452A68BE.8030605@it.uc3m.es> Message-ID: <452A719B.9080209@freemail.hu>

aoliva wrote:
> Sorry if you receives multiple copies,
>
> Hi all, I am writing a match for iptables and I would like it to have
> a different behaviour when it is called from different chains (e.g.
> different behaviour when called from INPUT than OUTPUT) anyone knows
> how to check in the match which is the chain that is calling it?
>
> Thanks in advance.
>
> Antonio de la Oliva
>

I DO NOT THINK THAT IT IS A GOOD IDEA TO USE IPTABLES THIS WAY, but anyway try this:

iptables -A INPUT -j MARK --set-mark 1
iptables -A INPUT -j mychain

iptables -A OUTPUT -j MARK --set-mark 2
iptables -A OUTPUT -j mychain

iptables -A FORWARD -j MARK --set-mark 3
iptables -A FORWARD -j mychain

iptables -A mybehaviour1 -j DROP

iptables -A mychain -j mybehaviour1 -m mark --mark 1 //INPUT
iptables -A mychain -j mybehaviour2 -m mark --mark 2 //OUTPUT
iptables -A mychain -j mybehaviour3 -m mark --mark 3 //FORWARD

Swifty

From kaber at trash.net Mon Oct 9 18:02:14 2006
From: kaber at trash.net (Patrick McHardy) Date: Mon Oct 9 18:39:26 2006 Subject: Compiling 1.3.6 In-Reply-To: <452A6C96.2070102@netfilter.org> References: <00be01c6e977$1ba6bcd0$0101a8c0@pcjorge> <452979F7.9090205@netfilter.org> <452A6955.6020100@trash.net> <452A6C96.2070102@netfilter.org> Message-ID: <452A7286.3080403@trash.net>

Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>
>> Pablo Neira Ayuso wrote:
>>
>>> min_ip and max_ip type has been changed from u_int32_t to __be32 that is
>>> not defined in userspace, this breaks iptables compilation. Attached a
>>> patch that recovers the use of u_int32_t. I'm not sure if this is the
>>> best fix so let me know what you think.
>>
>>
>>
>> I think we should just define the endian-annotation types in userspace.
>> Does this patch fix compilation?
>
>
> But this breaks previous iptables version with new kernels :(. An
> alternative can be exporting ipt_iprange.h to iptables/include although
> this is also a hack.

We should consider moving away from using the kernel headers directly. Breaking compilation of old iptables versions is not too bad IMO, old binaries will still work and someone compiling old iptables with a new kernel can just as well compile a new version. Unfortunately 1.3.6 won't compile with 2.6.19, so we might have to put out a new version soon.

From kaber at trash.net Mon Oct 9 18:02:49 2006
From: kaber at trash.net (Patrick McHardy) Date: Mon Oct 9 18:40:00 2006 Subject: Compiling 1.3.6 In-Reply-To: References: Message-ID: <452A72A9.4060800@trash.net> Marco Berizzi wrote: > Pablo Neira Ayuso wrote: > >> Pablo Neira Ayuso wrote: >> >>> Patrick McHardy wrote: >>> >>>> Pablo Neira Ayuso wrote: >>>> >>>>> min_ip and max_ip type has been changed from u_int32_t to __be32 >>>>> that is >>>>> not defined in userspace, this breaks iptables compilation. > > > I'm able to compile iptables 1.3.6 with 2.6.18 kernel > headers without any errors. > However iptables 1.3.6 + linux 2.6.19-rc1 kernel > headers give me this error: Does the patch I just sent fix it? From pupilla at hotmail.com Mon Oct 9 18:10:56 2006 From: pupilla at hotmail.com (Marco Berizzi) Date: Mon Oct 9 18:48:06 2006 Subject: Compiling 1.3.6 In-Reply-To: <452A72A9.4060800@trash.net> Message-ID: Patrick McHardy wrote: >Marco Berizzi wrote: > > Pablo Neira Ayuso wrote: > > > >> Pablo Neira Ayuso wrote: > >> > >>> Patrick McHardy wrote: > >>> > >>>> Pablo Neira Ayuso wrote: > >>>> > >>>>> min_ip and max_ip type has been changed from u_int32_t to __be32 > >>>>> that is > >>>>> not defined in userspace, this breaks iptables compilation. > > > > > > I'm able to compile iptables 1.3.6 with 2.6.18 kernel > > headers without any errors. > > However iptables 1.3.6 + linux 2.6.19-rc1 kernel > > headers give me this error: > >Does the patch I just sent fix it? Yes, now I'm able to compile iptables 1.3.6 with 2.6.19-rc1 kernel headers with your patch: Index: include/iptables_common.h =================================================================== --- include/iptables_common.h (Revision 6660) +++ include/iptables_common.h (Arbeitskopie) @@ -42,4 +42,9 @@ extern void init_extensions(void); #endif +#define __be32 u_int32_t +#define __le32 u_int32_t +#define __be16 u_int16_t +#define __le16 u_int16_t + #endif /*_IPTABLES_COMMON_H*/ From mohammadfarooq at tango-networks.com Mon Oct 9 18:28:41 2006 
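The userspace side of the type change discussed in this thread, as an added example that is neither the patches' code nor iptables' own: it carries the `#define __be32` shim over a copy of the `ipt_iprange` struct and implements an address-range parse and match (the hypothetical helpers `iprange_parse`, `iprange_contains` and `iprange_raw_compare_disagrees`, modelled on what libipt_iprange's parse_iprange does), showing why the network-order bounds must go through ntohl before being compared. It uses the C99 `uint32_t` where the patch writes `u_int32_t`.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace shim in the spirit of the iptables_common.h patch in this
 * thread: the kernel's endian-annotated __be32 becomes a plain 32-bit
 * integer outside the kernel (the patch spells it u_int32_t; uint32_t is
 * the C99 equivalent). Guarded so a later typedef cannot be clobbered. */
#ifndef __be32
#define __be32 uint32_t
#endif

/* Same layout as ipt_iprange.h: both bounds inclusive, network order. */
struct ipt_iprange {
    __be32 min_ip, max_ip;
};

/* Hypothetical helper: parse "a.b.c.d" or "a.b.c.d-e.f.g.h" into r.
 * Returns 0 on success, -1 on malformed input or an inverted range. */
int iprange_parse(const char *arg, struct ipt_iprange *r)
{
    char buf[64];
    char *dash;
    struct in_addr a;

    if (strlen(arg) >= sizeof(buf))
        return -1;
    strcpy(buf, arg);
    dash = strchr(buf, '-');
    if (dash)
        *dash = '\0';

    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    r->min_ip = a.s_addr;            /* inet_pton yields network order */

    if (dash) {
        if (inet_pton(AF_INET, dash + 1, &a) != 1)
            return -1;
        r->max_ip = a.s_addr;
    } else {
        r->max_ip = r->min_ip;       /* a single address is a range of one */
    }

    /* Bounds are compared in host order: comparing the raw network-order
     * words would order 10.0.0.9 after 10.0.1.2 on a little-endian host. */
    if (ntohl(r->min_ip) > ntohl(r->max_ip))
        return -1;
    return 0;
}

/* Hypothetical helper: 1 if the dotted-quad ip lies inside r (inclusive),
 * 0 if it does not, -1 if ip is not a valid IPv4 address. */
int iprange_contains(const struct ipt_iprange *r, const char *ip)
{
    struct in_addr a;
    uint32_t h;

    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    h = ntohl(a.s_addr);
    return h >= ntohl(r->min_ip) && h <= ntohl(r->max_ip);
}

/* Hypothetical helper: 1 if ordering the two bounds as raw network-order
 * words gives a different answer than ordering them in host order, i.e.
 * the mistake a missing ntohl would introduce on this machine. */
int iprange_raw_compare_disagrees(const struct ipt_iprange *r)
{
    int host_le = ntohl(r->min_ip) <= ntohl(r->max_ip);
    int raw_le = r->min_ip <= r->max_ip;
    return host_le != raw_le;
}

int main(void)
{
    struct ipt_iprange r;
    /* Constructed sample input, not taken from the thread. */
    const char *probes[] = { "10.0.0.1", "10.0.0.200", "10.0.1.5", NULL };
    int i;

    if (iprange_parse("10.0.0.1-10.0.0.255", &r) != 0) {
        fprintf(stderr, "bad range\n");
        return 1;
    }
    for (i = 0; probes[i]; i++)
        printf("%s in range: %d\n", probes[i], iprange_contains(&r, probes[i]));
    return 0;
}
```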
From: mohammadfarooq at tango-networks.com (Mohammad Farooq) Date: Mon Oct 9 19:05:55 2006 Subject: What time stamp represents in the ipq_packet_msg structure Message-ID: <1160411321.28977.207.camel@mfarooq-1.tango-networks.com>

Hi, is the time stamp in the ipq_packet_msg the time the packet entered the box, or the time QUEUE received the packet?

Thanks.
MF

From aoliva at it.uc3m.es Mon Oct 9 18:53:12 2006
From: aoliva at it.uc3m.es (aoliva) Date: Mon Oct 9 19:30:41 2006 Subject: How to find the chain which calls the match In-Reply-To: <452A719B.9080209@freemail.hu> References: <1160405480.28977.201.camel@mfarooq-1.tango-networks.com> <452A6714.5030709@it.uc3m.es> <452A68BE.8030605@it.uc3m.es> <452A719B.9080209@freemail.hu> Message-ID: <452A7E78.40709@it.uc3m.es>

Thank you very much for the answer, but I think this is not what I was trying. I mean how to know which is the calling chain from inside the code of the matching function.

Thank you very much for the help.

Regards
Antonio de la Oliva

Gáspár Lajos wrote:
> aoliva wrote:
>> Sorry if you receives multiple copies,
>>
>> Hi all, I am writing a match for iptables and I would like it to have
>> a different behaviour when it is called from different chains (e.g.
>> different behaviour when called from INPUT than OUTPUT) anyone knows
>> how to check in the match which is the chain that is calling it?
>>
>> Thanks in advance.
>>
>> Antonio de la Oliva
>>
>
> I DO NOT THINK THAT IT IS A GOOD IDEA OF USING IPTABLES THIS WAY,
> but anyway try this:
>
> iptables -A INPUT -j MARK --set-mark 1
> iptables -A INPUT -j mychain
>
> iptables -A OUTPUT -j MARK --set-mark 2
> iptables -A OUTPUT -j mychain
>
> iptables -A FORWARD -j MARK --set-mark 3
> iptables -A FORWARD -j mychain
>
> iptables -A mybehaviour1 -j DROP
>
> iptables -A mychain -j mybehaviour1 -m mark --mark 1 //INPUT
> iptables -A mychain -j mybehaviour2 -m mark --mark 2 //OUTPUT
> iptables -A mychain -j mybehaviour3 -m mark --mark 3 //FORWARD
>
>
>
> Swifty
>

From kaber at trash.net Mon Oct 9 19:23:31 2006
From: kaber at trash.net (Patrick McHardy) Date: Mon Oct 9 20:24:05 2006 Subject: Compiling 1.3.6 In-Reply-To: References: Message-ID: <452A8593.6030003@trash.net>

Marco Berizzi wrote:
> Patrick McHardy wrote:
>
>> Does the patch I just sent fix it?
>
>
> Yes, now I'm able to compile iptables 1.3.6 with 2.6.19-rc1
> kernel headers with your patch:

Thanks, I've committed it to SVN.

From mysql.jorge at decimal.pt Mon Oct 9 19:57:46 2006 From: mysql.jorge at decimal.pt (Jorge Bastos) Date: Mon Oct 9 20:37:54 2006 Subject: Compiling 1.3.6 References: <452A8593.6030003@trash.net> Message-ID: <002101c6ebcc$d62f7d10$0101a8c0@pcjorge>

Great! I'm going to try it.

Jorge

----- Original Message -----
From: "Patrick McHardy"
To: "Marco Berizzi"
Sent: Monday, October 09, 2006 6:23 PM
Subject: Re: Compiling 1.3.6

> Marco Berizzi wrote:
>> Patrick McHardy wrote:
>>
>>> Does the patch I just sent fix it?
>>
>>
>> Yes, now I'm able to compile iptables 1.3.6 with 2.6.19-rc1
>> kernel headers with your patch:
>
> Thanks, I've committed it to SVN.
>

From eric at inl.fr Mon Oct 9 22:03:59 2006
From: eric at inl.fr (Eric Leblond) Date: Mon Oct 9 22:41:07 2006 Subject: [Announce] pynetfilter_conntrack, a Python binding of libnetfilter_conntrack Message-ID: <1721.83.156.14.82.1160424239.squirrel@mail.inl.fr>

Hi,

INL development team is proud to announce the availability of pynetfilter_conntrack.

pynetfilter_conntrack is a Python binding of libnetfilter_conntrack. The binding is the file pynetfilter_conntrack.py and you also have a clone of the conntrack program: conntrack.py.

It provides a high level API for libnetfilter_conntrack. For example, you can display all TCP connections with destination port 22 by doing something like:

    nf = NetfilterConntrack(CONNTRACK)
    table = nf.create_table(IPV4)
    table = table.filter(6,dport=22)
    table.display()

The current release of pynetfilter_conntrack supports listing, modification and deletion of conntrack entries.

pynetfilter_conntrack has been developed by Victor Stinner aka Haypo. It is released under GPL by INL.

pynetfilter_conntrack : http://software.inl.fr/trac/trac.cgi/wiki/pynetfilter_conntrack
INL : http://www.inl.fr/

BR,
--
Eric Leblond
INL : http://www.inl.fr
NuFW, Now User Filtering Works (http://www.nufw.org)

From mohammadfarooq at tango-networks.com Mon Oct 9 23:55:08 2006 From: mohammadfarooq at tango-networks.com (Mohammad Farooq) Date: Tue Oct 10 00:32:17 2006 Subject: Is timestamp_sec in ipq_packet_msg_t used? Message-ID: <1160430908.28977.213.camel@mfarooq-1.tango-networks.com>

Hi all, I just wrote a test program which reads the packets from the QUEUE and accepts them. When I printed the timestamp_sec and timestamp_usec they are set to zero. Are these fields used? My iptables rule is:

iptables -A FORWARD -p udp -j QUEUE

Thanks.
MF

From holger.kinkelin at gmail.com Tue Oct 10 10:17:44 2006
From: holger.kinkelin at gmail.com (Holger Kinkelin) Date: Tue Oct 10 10:54:58 2006 Subject: How to create a transparent proxy with iptables and redirect incoming packets to another port? Message-ID:

Hello list!

I need to implement some sort of transparent proxy server for the sip protocol. (In case you don't know: sip uses udp and the standard port 5060).

Step 1: I redirect packets sent by the sip client (running on 192.168.0.21) to the server (192.168.0.31) to my proxy server app (running on 192.168.0.21, too) using the following rule:

iptables -A OUTPUT -t nat -p udp --sport 5060 -j DNAT --to-destination 192.168.0.21:5061

As you can imagine my proxy app listens on 5061 for these redirected packets. This part works well.

---

Step 2: Now I do "something magic" with the captured sip packets inside my proxy app and send the (unchanged) packets to the sip server. My idea was to send them out at port 5062 and redirect the packets using another iptables rule so that it looks as if the packets were sent on 5060. That rule looks as follows:

iptables -A POSTROUTING -t nat -p udp --sport 5062 -j SNAT --to-source 192.168.0.21:5060

This part works, too.

---

Step 3: Now I need to redirect the response packets coming IN from the SIP server to my proxy app. My idea was to open another port 5063 on the proxy and redirect the incoming packets to that port. But how? My rule

iptables -A INPUT -t nat -p udp --sport 5060 -j DNAT --to-destination 192.168.0.21:5063

was rejected, since DNAT won't work for INPUT. I tried PREROUTING, the rule was valid, but no packets are redirected to my proxy.

So my first question is: how can I redirect INCOMING packets to another port? And the second question is: is there a better way of doing this transparent proxy app?

Thanks for reading / answering!

Regards, Holger

From pascal.mail at plouf.fr.eu.org Tue Oct 10 11:24:08 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Tue Oct 10 12:01:20 2006 Subject: How to find the chain which calls the match In-Reply-To: <452A68BE.8030605@it.uc3m.es> References: <1160405480.28977.201.camel@mfarooq-1.tango-networks.com> <452A6714.5030709@it.uc3m.es> <452A68BE.8030605@it.uc3m.es> Message-ID: <452B66B8.3060805@plouf.fr.eu.org>

Hello,

aoliva wrote:
>
> Hi all, I am writing a match for iptables and I would like it to have a
> different behaviour when it is called from different chains (e.g.
> different behaviour when called from INPUT than OUTPUT) anyone knows how
> to check in the match which is the chain that is calling it?

I do not have the answer to your question, but you could look at the code of the NETMAP target, which does destination NAT in the PREROUTING chain and source NAT in the POSTROUTING chain. By the way, how does it behave in the OUTPUT chain?

From mingching.tiew at redtone.com Tue Oct 10 11:51:06 2006 From: mingching.tiew at redtone.com (Ming-Ching Tiew) Date: Tue Oct 10 12:28:53 2006 Subject: More question about ipset - protocol ? Message-ID: <011d01c6ec51$9b514ae0$0100a8c0@newlife>

I still have more questions about ipset. I noticed that in the portmap there is no mention of the protocol, whether it should be tcp or udp. Taking the example from the url:

http://ipset.netfilter.org/features.html

iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
iptables -A FORWARD -j DROP

You notice that the ipmap 'servers' binds to a portmap, but there is no mention of the protocol (whether it should be tcp or udp). Does it mean I have to specify the protocol in the iptables command? Shouldn't there be a way for the protocol to be mentioned in the binding somewhere?

Cheers.

From mohammadfarooq at tango-networks.com Tue Oct 10 16:41:58 2006
From: mohammadfarooq at tango-networks.com (Mohammad Farooq) Date: Tue Oct 10 17:19:22 2006 Subject: Pleeeeeeeease help: question about ip_queue Message-ID: <1160491318.4059.18.camel@mfarooq-1.tango-networks.com>

Hi,

I hope someone familiar with ip_queue can clarify the functioning of the ip_queue. I wrote a simple test program; all it does is read packets from the queue, hold a packet and accept it later. Here is the logic:

    read message from the ip_queue
    save message id
    read message from the ip_queue
    accept current message
    read message from the ip_queue
    accept current message
    read message from the ip_queue
    accept current message
    read message from the ip_queue
    accept current message
    read message from the ip_queue
    accept current message
    **accept saved message using the saved message id
    accept current message
    read message from the ip_queue
    accept current message

When I accept the saved message, it just disappears. My question is, can we hold packets and accept them sometime in the future? Thanks.

MF

Note: here are my iptables rules:

iptables -t nat -A PREROUTING -p udp -s 192.168.82.140 -d 192.168.75.51 --dport 7862 -j DNAT --to 192.168.82.140:7862
iptables -t nat -A POSTROUTING -p udp -s 192.168.82.140 -d 192.168.82.140 --dport 7862 -j SNAT --to 192.168.75.51:7862

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -p udp -j QUEUE

From aoliva at it.uc3m.es Tue Oct 10 17:36:44 2006
From: aoliva at it.uc3m.es (aoliva)
Date: Tue Oct 10 18:14:01 2006
Subject: Pleeeeeeeease help: question about ip_queue
In-Reply-To: <1160491318.4059.18.camel@mfarooq-1.tango-networks.com>
References: <1160491318.4059.18.camel@mfarooq-1.tango-networks.com>
Message-ID: <452BBE0C.2060402@it.uc3m.es>

Hi all,

I think you can do what you want by storing the message in the module, dropping the current one and after the specific time sending it again.

Regards
Antonio

Mohammad Farooq wrote:
> Hi,
>
> I hope someone familiar with ip_queue can clarify the functioning of the
> ip_queue. I wrote a simple test program, what all it does read packets
> from the queue, hold a packet and accept it later. Here is the logic:
>
> read message from the ip_queue
> save message id
> read message from the ip_queue
> accept current message
> read message from the ip_queue
> accept current message
> read message from the ip_queue
> accept current message
> read message from the ip_queue
> accept current message
> read message from the ip_queue
> accept current message
> **accept saved message using the saved message id
> accept current message
> read message from the ip_queue
> accept current message
>
> When I accept the saved message, it just disappears. My question is, can
> we hold packets and accept them sometimes in the future? Thanks.
>
> MF
>
> Note: here is my iptable rules:
> iptables -t nat -A PREROUTING -p udp -s 192.168.82.140 -d 192.168.75.51
> --dport 7862 -j DNAT --to 192.168.82.140:7862
> iptables -t nat -A POSTROUTING -p udp -s 192.168.82.140 -d
> 192.168.82.140 --dport 7862 -j SNAT --to 192.168.75.51:7862
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -A FORWARD -p udp -j QUEUE
>

From mohammadfarooq at tango-networks.com Tue Oct 10 18:26:45 2006
From: mohammadfarooq at tango-networks.com (Mohammad Farooq)
Date: Tue Oct 10 19:04:29 2006
Subject: Pleeeeeeeease help: question about ip_queue
In-Reply-To: <452BBE0C.2060402@it.uc3m.es>
References: <1160491318.4059.18.camel@mfarooq-1.tango-networks.com> <452BBE0C.2060402@it.uc3m.es>
Message-ID: <1160497605.4059.26.camel@mfarooq-1.tango-networks.com>

Hi Antonio,

Thanks for the reply. Pardon my ignorance, once I drop the current packet, how can I resend the saved packet through the ip_queue in the future? I don't see any API in libipq which allows that. Could you please elaborate. Thanks.

MF

On Tue, 2006-10-10 at 17:36 +0200, aoliva wrote:
> Hi all,
> I think you can do what you want by storing the message in the module,
> dropping the current one and after the specific time sending it again.
>
> Regards
> Antonio
>
> Mohammad Farooq wrote:
> > Hi,
> >
> > I hope someone familiar with ip_queue can clarify the functioning of the
> > ip_queue. I wrote a simple test program, what all it does read packets
> > from the queue, hold a packet and accept it later. Here is the logic:
> >
> > read message from the ip_queue
> > save message id
> > read message from the ip_queue
> > accept current message
> > read message from the ip_queue
> > accept current message
> > read message from the ip_queue
> > accept current message
> > read message from the ip_queue
> > accept current message
> > read message from the ip_queue
> > accept current message
> > **accept saved message using the saved message id
> > accept current message
> > read message from the ip_queue
> > accept current message
> >
> > When I accept the saved message, it just disappears. My question is, can
> > we hold packets and accept them sometimes in the future? Thanks.
> >
> > MF
> >
> > Note: here is my iptable rules:
> > iptables -t nat -A PREROUTING -p udp -s 192.168.82.140 -d 192.168.75.51
> > --dport 7862 -j DNAT --to 192.168.82.140:7862
> > iptables -t nat -A POSTROUTING -p udp -s 192.168.82.140 -d
> > 192.168.82.140 --dport 7862 -j SNAT --to 192.168.75.51:7862
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > iptables -A FORWARD -p udp -j QUEUE
> >

From mohammadfarooq at tango-networks.com Tue Oct 10 22:26:17 2006
From: mohammadfarooq at tango-networks.com (Mohammad Farooq)
Date: Tue Oct 10 23:03:54 2006
Subject: Pleeeeeeeease help: question about ip_queue
In-Reply-To: <1160497605.4059.26.camel@mfarooq-1.tango-networks.com>
References: <1160491318.4059.18.camel@mfarooq-1.tango-networks.com> <452BBE0C.2060402@it.uc3m.es> <1160497605.4059.26.camel@mfarooq-1.tango-networks.com>
Message-ID: <1160511977.4059.36.camel@mfarooq-1.tango-networks.com>

I have performed a different test. I read 5 messages from the queue and save the message ids of all five of them. Then I accepted all five messages in the order they were read. The first message reaches its destination and the other four are dropped. I would really appreciate it if someone could explain the inner workings of the ip_queue. Is this a bug in the ip_queue implementation? Thanks.

MF

On Tue, 2006-10-10 at 11:26 -0500, Mohammad Farooq wrote:
> Hi Antonio,
>
> Thanks for the reply. Pardon my ignorance, once I drop the current
> packet, how can I resend the the saved packet through the ip_queue in
> the future? I don't see any API in libipq which allows that. Could you
> please elaborate. Thanks.
>
> MF
>
> On Tue, 2006-10-10 at 17:36 +0200, aoliva wrote:
> > Hi all,
> > I think you can do what you want by storing the message in the module,
> > dropping the current one and after the specific time sending it again.
> >
> > Regards
> > Antonio
> >
> > Mohammad Farooq wrote:
> > > Hi,
> > >
> > > I hope someone familiar with ip_queue can clarify the functioning of the
> > > ip_queue. I wrote a simple test program, what all it does read packets
> > > from the queue, hold a packet and accept it later. Here is the logic:
> > >
> > > read message from the ip_queue
> > > save message id
> > > read message from the ip_queue
> > > accept current message
> > > read message from the ip_queue
> > > accept current message
> > > read message from the ip_queue
> > > accept current message
> > > read message from the ip_queue
> > > accept current message
> > > read message from the ip_queue
> > > accept current message
> > > **accept saved message using the saved message id
> > > accept current message
> > > read message from the ip_queue
> > > accept current message
> > >
> > > When I accept the saved message, it just disappears. My question is, can
> > > we hold packets and accept them sometimes in the future? Thanks.
> > >
> > > MF
> > >
> > > Note: here is my iptable rules:
> > > iptables -t nat -A PREROUTING -p udp -s 192.168.82.140 -d 192.168.75.51
> > > --dport 7862 -j DNAT --to 192.168.82.140:7862
> > > iptables -t nat -A POSTROUTING -p udp -s 192.168.82.140 -d
> > > 192.168.82.140 --dport 7862 -j SNAT --to 192.168.75.51:7862
> > >
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > iptables -A FORWARD -p udp -j QUEUE
> > >

From holger.kinkelin at gmail.com Wed Oct 11 10:09:46 2006
From: holger.kinkelin at gmail.com (Holger Kinkelin)
Date: Wed Oct 11 10:47:02 2006
Subject: Redirecting incoming packets to other port
Message-ID:

Hello everybody,

how can I redirect packets sent to my computer to another port?

I tried:

iptables -A PREROUTING -t nat -p udp --dport 5060 --sport 5060 -j DNAT --to-destination 192.168.0.21:5063

This rule is accepted but doesn't do anything. There are no other rules that could cause side effects.

Regards,
Holger

From kaber at trash.net Wed Oct 11 10:41:35 2006
From: kaber at trash.net (Patrick McHardy)
Date: Wed Oct 11 11:17:23 2006
Subject: [netfilter-core] linux-2.6.19-rc1 (commit ebf7a227) build failed
In-Reply-To: <200610110939.28328.toralf.foerster@gmx.de>
References: <200610110939.28328.toralf.foerster@gmx.de>
Message-ID: <452CAE3F.7040608@trash.net>

Toralf Förster wrote:
> net/built-in.o: In function `xt_connsecmark_init':
> xt_CONNSECMARK.c:(.init.text+0xed4): undefined reference to `need_conntrack'
> make: *** [.tmp_vmlinux1] Error 1

Thanks, fixed by this patch. BTW, please report non-critical bugs to netfilter-devel only. I know MAINTAINERS says to send them to coreteam@, I'm going to fix that.

-------------- next part --------------
[NETFILTER]: xt_CONNSECMARK: fix Kconfig dependencies CONNSECMARK needs conntrack, add missing dependency to fix linking error with CONNSECMARK=y and CONNTRACK=m. Reported by Toralf Förster . Signed-off-by: Patrick McHardy --- commit 0ab5046ab83e4f0e88c40922701b2bc365f6aa09 tree 4add4ff88904c63e7ff20872f2faff015bbcbc28 parent 889d786a9211434b29e402a501d01a590b072d31 author Patrick McHardy Wed, 11 Oct 2006 10:39:47 +0200 committer Patrick McHardy Wed, 11 Oct 2006 10:39:47 +0200 net/netfilter/Kconfig | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index ce94732..f619c65 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -209,7 +209,9 @@ config NETFILTER_XT_TARGET_SECMARK config NETFILTER_XT_TARGET_CONNSECMARK tristate '"CONNSECMARK" target support' - depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK) + depends on NETFILTER_XTABLES && \ + ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \ + (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK)) help The CONNSECMARK target copies security markings from packets to connections, and restores security markings from connections

From bclark at eccotours.co.za Wed Oct 11 10:48:28 2006
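Review bot: the commit message states the symptom (CONNSECMARK=y with CONNTRACK=m fails to link) but not why the old `depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK)` let that configuration through; if, as the failure suggests, the *_SECMARK symbols are bool options, they can be =y while the conntrack tristate they sit under is =m, and only naming NF_CONNTRACK / IP_NF_CONNTRACK directly in the dependency forces CONNSECMARK down to =m as well. One sentence saying so in the message would spare the next reader a trip through the Kconfig files. The hunk itself is consistent: both the nf_conntrack and the ip_conntrack branch now name their tristate, and the backslash continuations keep the expression readable.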
From: bclark at eccotours.co.za (Brent Clark)
Date: Wed Oct 11 11:24:09 2006
Subject: Redirecting incoming packets to other port
In-Reply-To:
References:
Message-ID: <452CAFDC.3070909@eccotours.co.za>

Holger Kinkelin wrote:
> Hello everybody
>
> how can I redirect packets sent to my computer to another port?
>
> I tried: iptables -A PREROUTING -t nat -p udp --dport 5060 --sport
> 5060 -j DNAT --to-destination 192.168.0.21:5063
>
> This rule is accepted but doesn't do anything. There are no other
> rules that could cause side effects.
>
> Regards,
> Holger

http://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html

HTH

Kind Regards
Brent Clark

From holger.kinkelin at gmail.com Wed Oct 11 11:44:14 2006
From: holger.kinkelin at gmail.com (Holger Kinkelin)
Date: Wed Oct 11 12:21:36 2006
Subject: Redirecting incoming packets to other port
In-Reply-To: <452CAFDC.3070909@eccotours.co.za>
References: <452CAFDC.3070909@eccotours.co.za>
Message-ID:

Hello,

no, this doesn't seem to work.

I can REDIRECT packets sent BY my computer, not packets sent TO it. Is there maybe another possibility?

Regards,
Holger

PS: Thanks to Brent for his reply

2006/10/11, Brent Clark :
> Holger Kinkelin wrote:
> > Hello everybody
> >
> > how can I redirect packets sent to my computer to another port?
> >
> > I tried: iptables -A PREROUTING -t nat -p udp --dport 5060 --sport
> > 5060 -j DNAT --to-destination 192.168.0.21:5063
> >
> > This rule is accepted but doesn't do anything. There are no other
> > rules that could cause side effects.
> >
> > Regards,
> > Holger
>
> http://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html
>
> HTH
>
> Kind Regards
> Brent Clark
>

From blancher at cartel-securite.fr Wed Oct 11 12:04:52 2006
From: blancher at cartel-securite.fr (Cedric Blancher)
Date: Wed Oct 11 12:42:24 2006
Subject: Redirecting incoming packets to other port
In-Reply-To:
References:
Message-ID: <1160561093.3906.17.camel@anduril.intranet.cartel-securite.net>

On Wednesday 11 October 2006 at 10:09 +0200, Holger Kinkelin wrote:
> I tried: iptables -A PREROUTING -t nat -p udp --dport 5060 --sport
> 5060 -j DNAT --to-destination 192.168.0.21:5063
> This rule is accepted but doesn't do anything. There are no other
> rules that could cause side effects.

Is your filtering ruleset consistent with this? I.e. are these packets allowed by a FORWARD or INPUT rule?

If you want to redirect traffic to your host, you can give the REDIRECT target a try.

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

From bclark at eccotours.co.za Wed Oct 11 12:08:13 2006
From: bclark at eccotours.co.za (Brent Clark)
Date: Wed Oct 11 12:43:51 2006
Subject: Redirecting incoming packets to other port
In-Reply-To:
References: <452CAFDC.3070909@eccotours.co.za>
Message-ID: <452CC28D.5020000@eccotours.co.za>

Holger Kinkelin wrote:
> Hello,
> no this doesn't seem to work.
>
> I can REDIRECT packets sent BY my computer, not packets sent TO it. Is
> there maybe another posibility?
>
> Regards,
> Holger
>
> PS: Thanks to Brent for his reply

Hi

Only a pleasure.

Let's take a working example. When you want to create a Transparent Proxy, traffic gets sent to port 80, to the site in question. You, on your firewall/router, redirect to port 3128, or whatever you choose to have squid run on.

So are you sure you have your service running on port 5053 as opposed to 5060? Is this really for SIP?

Brent

P.s. You may want to share your ruleset.

From mohammadfarooq at tango-networks.com Wed Oct 11 15:41:54 2006
From: mohammadfarooq at tango-networks.com (Mohammad Farooq)
Date: Wed Oct 11 16:19:16 2006
Subject: Redirecting incoming packets to other port
In-Reply-To:
References:
Message-ID: <1160574114.4059.54.camel@mfarooq-1.tango-networks.com>

On Wed, 2006-10-11 at 10:09 +0200, Holger Kinkelin wrote:
> Hello everybody
>
> how can I redirect packets sent to my computer to another port?
>
> I tried: iptables -A PREROUTING -t nat -p udp --dport 5060 --sport
> 5060 -j DNAT --to-destination 192.168.0.21:5063
>
> This rule is accepted but doesn't do anything. There are no other
> rules that could cause side effects.
>
> Regards,
> Holger
>

Make sure forwarding is turned on on your box. Execute the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

MF

From info at mail.apd-hp.de Wed Oct 11 15:49:22 2006
From: info at mail.apd-hp.de (info)
Date: Wed Oct 11 16:32:10 2006
Subject: iptables psd with kernel 2.6.18
Message-ID: <6407D8226F45114A973E9E4005AE9E5C165164@ns1.apd-hp.de>

Hello,

I've tried to compile iptables and kernel 2.6.18 with some extensions I'd used with a prior kernel, such as the string and psd matches. Now I'm getting a little confused about patch-o-matic-ng. A lot of the extensions I've seen before went out of patch-o-matic-ng (like string and psd) but they're described in base or extra.

I'm getting string working but psd doesn't work. I was looking at an old branch of the psd code which was ported to 2.6.11 but it doesn't work either. iptables prints out an "invalid size 0 != 12" on psd match.

Any hints? Thanks in advance for your help.

Best regards
Chris

From idgarad at gmail.com Wed Oct 11 15:57:50 2006
From: idgarad at gmail.com (Idgarad)
Date: Wed Oct 11 16:35:12 2006
Subject: Fwd: Critique of IPTables Firewall
In-Reply-To:
References:
Message-ID:

There are many guides on how to write a firewall script functionally, but form is disregarded. Is the following a decent, well written firewall (form, not function)? Is it clear and easy to follow? In the event that I get hit by a bus, would someone else with IPTables experience be able to pick up where I left off?

Has anyone from the Netfilter list thought about writing a Best-Practices guide not from the functional side, but rather the form side of writing IPTABLES scripts and what not?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall.sh
Type: application/x-sh
Size: 22601 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20061011/9cd2624c/firewall-0001.sh

From richard.wilson at eds.com Wed Oct 11 22:39:10 2006
From: richard.wilson at eds.com (Wilson, Richard E)
Date: Wed Oct 11 23:17:30 2006
Subject: Recurring ip_conntrack table overflow
Message-ID:

All,

I have a server that is frequently running out of slots in the ip_conntrack table and have been trying to determine how best to handle it. The ip_contrack_max sysctl parm is set to 65536 already (this server has 4GB of RAM) and the ip_conntrack slot count (determined by "cat /proc/net/ip_conntrack | wc -l") is both growing and decreasing. Apparently a "clean" disconnect frees a slot.

The server had to be rebooted this AM as the console was displaying a series of messages:

ip_conntrack: table full, dropping packet

After some research, I'd like to find out what my options are:

1. Can the ip_contrack_max parm be set higher than 65536? Is it desirable (how much RAM does each slot take)?

2. I found a reference to a timeout value in Linuxquestions.org:

/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

This appears to be the amount of time to keep an entry in the conntrack table, and defaults to 6 days... This parm doesn't exist on my server (running RH EL 3.2.3-54, kernel 2.4.21-47 and iptables 1.2.8). What would be involved in upgrading iptables to include this parm and would decreasing it to 1 or 2 days address the issue?

3. I also found a reference to a "NOTRACK" target that appears to make packets to which it applies not get put into the conntrack table. Could this be used to handle my loopback traffic? I currently have an ACCEPT rule for any traffic on the loopback (127.0.0.1) and out of 17,485 entries currently in my conntrack table, 6,216 have source and destination of 127.0.0.1 -- getting these out of the table would really help. (I have verified that this is legitimate traffic for this server.)

Where can I find more information about the NOTRACK target and how is it implemented (does NOTRACK DROP, REJECT or ACCEPT packets)?

Thanks in advance,

Richard Wilson
Richard dot wilson at eds dot com

From eric at inl.fr Wed Oct 11 23:04:50 2006
From: eric at inl.fr (Eric Leblond)
Date: Wed Oct 11 23:42:16 2006
Subject: Recurring ip_conntrack table overflow
In-Reply-To:
References:
Message-ID: <1160600690.24065.1.camel@localhost>

On Wednesday 11 October 2006 at 15:39 -0500, Wilson, Richard E wrote:
> All,
>
> I have a server that is frequently running out of slots in the
> ip_conntrack table and have been trying to determine how best to handle
> it. The ip_contrack_max sysctl parm is set to 65536 already (this
> server has 4GB of RAM) and the ip_conntrack slot count (determined by
> "cat /proc/net/ip_conntrack | wc -l") is both growing and decreasing.
> Apparently a "clean" disconnect frees a slot.
>
> The server had to be rebooted this AM as the console was displaying a
> series of messages:
>
> ip_conntrack: table full, dropping packet
>
> After some research, I'd like to find out what my options are:
>
> 1. Can the ip_contrack_max parm be set higher than 65536? Is it
> desirable (how much RAM does each slot take)?

I recommend reading this, it is really informative:
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt

This documents the way you can *greatly* improve the conntrack behaviour.

BR,

> 2. I found a reference to a timeout value in Linuxquestions.org:
>
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
>
> This appears to be the amount of time to keep an entry in the conntrack
> table, and defaults to 6 days... This parm doesn't exist on my server
> (running RH EL 3.2.3-54, kernel 2.4.21-47 and iptables 1.2.8) What
> would be involved in upgrading iptables to include this parm and would
> decreasing it to 1 or 2 days address the issue?
>
> 3. I also found a reference to a "NOTRACK" target that appears to make
> packets to which it applies not get put into the conntrack table. Could
> this be used to handle my loopback traffic? I currently have an ACCEPT
> rule for any traffic on the loopback (127.0.0.1) and out of 17,485
> entries currently in my conntrack table, 6,216 have source and
> destination of 127.0.0.1 -- getting these out of the table would really
> help. (I have verified that this is legitimate traffic for this server)
>
> Where can I find more information out about the NOTRACK target and how
> is it implemented (does NOTRACK DROP, REJECT or ACCEPT packets)?
>
> Thanks in advance,
>
> Richard Wilson
> Richard dot wilson at eds dot com
>
--
Eric Leblond
INL

From holger.kinkelin at gmail.com Thu Oct 12 08:47:54 2006
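A small parser for the /proc/net/ip_conntrack dump that Richard counts with wc -l, as an added example that is not part of the thread: it breaks the table down into the classes the questions above turn on (loopback entries, unreplied entries, ESTABLISHED entries with days of timeout left). The sample entries are constructed, and the rule generator assumes a kernel with the 2.6 raw table.

```python
"""Summarise an ip_conntrack table dump to see what is filling it.

Added example (not code from the list thread).  Parses the text format
of /proc/net/ip_conntrack as printed by 2.4-era kernels; the newer
/proc/net/nf_conntrack prefixes each line with the address family and
is not handled.  The sample lines are constructed, not from any server.
"""
import re
from collections import Counter

# Constructed sample of /proc/net/ip_conntrack output (fictional hosts).
SAMPLE_DUMP = """\
tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=45012 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=45012 [ASSURED] use=1
tcp      6 431850 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=45013 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=45013 [ASSURED] use=1
tcp      6 299000 ESTABLISHED src=10.1.2.3 dst=10.1.2.9 sport=51230 dport=22 src=10.1.2.9 dst=10.1.2.3 sport=22 dport=51230 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.1.2.3 dst=10.1.2.9 sport=51234 dport=80 src=10.1.2.9 dst=10.1.2.3 sport=80 dport=51234 [ASSURED] use=1
tcp      6 59 SYN_SENT src=10.1.2.3 dst=203.0.113.5 sport=51235 dport=25 [UNREPLIED] src=203.0.113.5 dst=10.1.2.3 sport=25 dport=51235 use=1
udp      17 29 src=10.1.2.3 dst=10.1.2.53 sport=40000 dport=53 [UNREPLIED] src=10.1.2.53 dst=10.1.2.3 sport=53 dport=40000 use=1
"""

# protocol name, protocol number, seconds until expiry, optional TCP state,
# then the original-direction tuple; the reply tuple and flags follow.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)

ONE_DAY = 86400


def parse_conntrack(text):
    """Return one dict per conntrack entry; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ttl"] = int(e["ttl"])
        e["unreplied"] = "[UNREPLIED]" in line
        e["assured"] = "[ASSURED]" in line
        entries.append(e)
    return entries


def summarise(entries, long_lived=ONE_DAY):
    """Count the entry classes that a tuning decision depends on."""
    loopback = sum(1 for e in entries
                   if e["src"].startswith("127.") and e["dst"].startswith("127."))
    unreplied = sum(1 for e in entries if e["unreplied"])
    # ESTABLISHED entries with more than `long_lived` seconds to go are the
    # ones a shorter ip_conntrack_tcp_timeout_established would expire sooner.
    long_established = sum(1 for e in entries
                           if e["state"] == "ESTABLISHED" and e["ttl"] > long_lived)
    return {
        "total": len(entries),
        "loopback": loopback,
        "unreplied": unreplied,
        "long_established": long_established,
        "by_state": Counter(e["state"] or e["proto"] for e in entries),
    }


def notrack_loopback_rules():
    """Raw-table rules that keep loopback traffic out of the table (2.6 syntax, assumed).

    NOTRACK neither accepts nor drops: the packet skips connection tracking
    and continues through the normal chains, where the existing loopback
    ACCEPT rule still decides its fate.
    """
    return [
        "iptables -t raw -A PREROUTING -i lo -j NOTRACK",
        "iptables -t raw -A OUTPUT -o lo -j NOTRACK",
    ]


if __name__ == "__main__":
    for key, value in summarise(parse_conntrack(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
    print("\n".join(notrack_loopback_rules()))
```

Run it against `cat /proc/net/ip_conntrack` output instead of SAMPLE_DUMP to see whether loopback, half-open or long-idle ESTABLISHED entries dominate, which is what decides between NOTRACK, a shorter established timeout, or simply a larger table.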
From: holger.kinkelin at gmail.com (Holger Kinkelin)
Date: Thu Oct 12 09:25:19 2006
Subject: Redirecting incoming packets to other port
In-Reply-To: <452CC28D.5020000@eccotours.co.za>
References: <452CAFDC.3070909@eccotours.co.za> <452CC28D.5020000@eccotours.co.za>
Message-ID:

Hi Brent, hi others

> Is this really for SIP.

Yes, it's definitely for SIP. I try to create some sort of transparent SIP proxy that I will use later for monitoring packets for a project / for my thesis. The thing I want to do is the following:

1. redirect traffic from the client to my proxy -->

iptables -A OUTPUT -t nat -p udp --dport 5060 --sport 5060 -j REDIRECT --to-ports 5061

The proxy waits on 5061 for this traffic, the packets do arrive. Step 1 is working.

2. Now the proxy collects some info from the packets and sends them (unchanged) out on 5062 to the server. I need a second rule that changes the source port from 5062 back to 5060 so that the SIP server doesn't notice the proxy -->

iptables -A POSTROUTING -t nat -p udp --dport 5060 --sport 5062 -j SNAT --to-source 192.168.0.21:5060

192.168.0.21 is the IP of the PC where the client and proxy are running on. That's working, too. The packets get sent to the server using the correct ports, the server accepts the packets and replies correctly.

BUT NOW I think the problem occurs! When the reply from the server arrives on the proxy computer, an "ICMP destination port unreachable" is sent back to the server. Why? I don't get this.

Has anybody an idea how to fix this problem or how to do the whole proxy differently?

Regards,
Holger

From njamil at gmail.com Thu Oct 12 12:08:36 2006
From: njamil at gmail.com (Noman Jamil)
Date: Thu Oct 12 12:45:58 2006
Subject: iptables XOR patch
Message-ID:

Hi all

How do I get iptables XOR patched into the kernel and get it working? I tried to compile version 1.3.5 and I can see the libipt_XOR.c and man file, but when I run make and make install I don't see XOR patched into the kernel? Any help will be appreciated.

--
Deceving Looks

From markus.marquardt at atosorigin.com Thu Oct 12 13:39:28 2006
From: markus.marquardt at atosorigin.com (Markus Marquardt)
Date: Thu Oct 12 14:16:54 2006
Subject: Something like next hop match
Message-ID: <452E2970.6090401@atosorigin.com>

Hello,

in my configuration there's a linux router which is dynamically learning routes via RIP from an ISDN router connected to the "outside" interface of the router. The internet gateway is also connected to that interface. For some reason I don't want the packets which travel through the ISDN router to get SNATted. Packets going out to the internet gateway must be SNATted.

Is there any way to match the packets which travel through the ISDN router by something like a next hop match in the POSTROUTING table? Some years ago there was a nexthop match patch, but it never made it into the netfilter project.

Any ideas?

Regards,
Markus

From bclark at eccotours.co.za Thu Oct 12 14:34:14 2006
From: bclark at eccotours.co.za (Brent Clark)
Date: Thu Oct 12 15:09:54 2006
Subject: -j ROUTE vs marking and then forwarding
Message-ID: <452E3646.6050804@eccotours.co.za>

Hi

I'm still in a state of uncertainty on this question, as I have not performed routing with -j ROUTE before, but getting a glimpse of ROUTE did make me wonder about efficiency / speed.

So my question is: would anyone know if there is a difference, or which is the faster, of just routing via -j ROUTE --oif as opposed to a) marking the packets (-j MARK --set-mark 0x1) and then b) using FORWARD.

Kind Regards
Brent Clark

From cummingspatrick at hotmail.com Fri Oct 13 05:08:19 2006
From: cummingspatrick at hotmail.com (Patrick Cummings)
Date: Fri Oct 13 05:45:54 2006
Subject: Can't get access to local servers using external IP
Message-ID:

Hi,

I've already posted this but it looks like it has been deleted or somehow was not sent.

I have set up a linux router for my network. Everything works well except one thing. It has three network connections. One is the Internet, another is a bridge of network cards that is the LAN and the last one is a separate network used as a SAN.

The problem is that I can't access the local servers with the external Internet IP. This worked before when I had my POS linksys router that I smashed into pieces after the linux router was set up because I hated it.

This creates some problems. For example, if I host something on my local webserver (192.168.0.2) and somebody links to it from a webpage on an external server and I click on it, I can't get access. However it would work if I was not on the LAN. So if I replace the IP address in the link with the one of my LAN it will work. However that's a real mess; if there is a page with like 50 pictures, the 50 pictures will load for everybody except the ones that are on the LAN, unless they were to click on each picture manually and edit the address so that it contains the LAN IP. Also I always need to log remotely into an outside computer to test if services are accessible with the internet IP.

If it can help, here are the scripts I use to configure iptables (they are extremely hard to read....sorry):

http://etherealnet.servehttp.com/patrick/iptables-start
http://etherealnet.servehttp.com/patrick/iptables-start.conf
http://etherealnet.servehttp.com/patrick/ifconfig

I run Debian GNU/Linux with 2.6.8 kernel. I wish there is a quick way to fix this since my previous crappy router did it so well.

From pabartur at gmail.com Fri Oct 13 05:09:41 2006
From: pabartur at gmail.com (Pablo Proaño)
Date: Fri Oct 13 05:47:12 2006
Subject: Last time a chain was used??
Message-ID: <298bd5800610122009w5f4c0cd1o89f2dba3ca58d865@mail.gmail.com>

Greetings:

Maybe someone can help me. I am developing an application for which it would be useful to know when an iptables rule was last used to filter or let through certain traffic (ACCEPT, DROP, REJECT).

For example, I have a rule like this configured in my firewall:

iptables -t filter -A INPUT -s 192.168.1.1/32 -j ACCEPT

and I want to know the last time (HH:MM:SS) it let traffic from the IP 192.168.1.1 through to the Internet.

From gobnat at optusnet.com.au Fri Oct 13 08:59:21 2006
From: gobnat at optusnet.com.au (Brendan S (Scratch User))
Date: Fri Oct 13 09:30:39 2006
Subject: Iptables and rate limiting per ip address
Message-ID: <452F3949.2050502@optusnet.com.au>

Hi

I am an iptables beginner. I want to set up my firewall to rate limit incoming packets based on a particular source IP address (but not any other IP).

I understand that there are dstlimit and hashlimit options for iptables. It is not clear to me whether these apply the same limit (x packets/sec) to each ip address (ie all IP addresses limited at x packets/sec) or whether their action can be applied to a single address (I suspect the former).

If it is the latter, can the hashlimit switch be limited by (eg) -s? Alternatively can I jump past the rule for other ip addresses?

Would either of these work?

...
-A src_limit -s ! -j ACCEPT
-A src_limit -m hashlimit --hashlimit 2/min --hashlimit-burst 10 --hashlimit-mode srcip,dstport --hashlimit-name per_src --hashlimit-htable-gcinterval 60000 --hashlimit-htable-expire 300000 -j ACCEPT
...

or

-A src_limit -s -m hashlimit --hashlimit 2/min --hashlimit-burst 10 --hashlimit-mode srcip,dstport --hashlimit-name per_src --hashlimit-htable-gcinterval 60000 --hashlimit-htable-expire 300000 -j ACCEPT

Thanks

Brendan

From swifty at freemail.hu Fri Oct 13 09:50:54 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Fri Oct 13 10:28:52 2006
Subject: Last time a chain was used??
In-Reply-To: <298bd5800610122009w5f4c0cd1o89f2dba3ca58d865@mail.gmail.com>
References: <298bd5800610122009w5f4c0cd1o89f2dba3ca58d865@mail.gmail.com>
Message-ID: <452F455E.1090002@freemail.hu>

Please use english if you want an answer ... :)

Thanx

Swifty

Pablo Proaño wrote:
> Greetings:
>
> Maybe someone can help me. I am developing an application for which it
> would be useful to know when an iptables rule was last used to filter
> or let through certain traffic.
>
> (ACCEPT, DROP, REJECT)
>
> For example, I have a rule like this configured in my firewall:
>
> iptables -t filter -A INPUT -s 192.168.1.1/32 -j ACCEPT
>
> and I want to know the last time (HH:MM:SS) it let traffic from the IP
> 192.168.1.1 through to the Internet.
>

From swifty at freemail.hu Fri Oct 13 10:01:52 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Fri Oct 13 10:39:46 2006
Subject: Iptables and rate limiting per ip address
In-Reply-To: <452F3949.2050502@optusnet.com.au>
References: <452F3949.2050502@optusnet.com.au>
Message-ID: <452F47F0.2040108@freemail.hu>

Brendan S (Scratch User) wrote:
> Hi
>
> I am an iptables beginner. I want to set up my firewall to rate limit incoming packets based on a particular source IP address (but not any other IP).
>
> I understand that there are dstlimit and hashlimit options for iptables. It is not clear to me whether these apply the same limit (x packets/sec) to each ip address (ie all IP addresses limited at x packets/sec) or whether their action can be applied to a single address (I suspect the former).
>
> If it is the latter, can the hashlimit switch be limited by (eg) -s? Alternatively can I jump past the rule for other ip addresses?
>

You can use the -s switch.

> Would either of these work?
> ...
> -A src_limit -s ! -j ACCEPT
> -A src_limit -m hashlimit --hashlimit 2/min --hashlimit-burst 10 --hashlimit-mode srcip,dstport --hashlimit-name per_src --hashlimit-htable-gcinterval 60000 --hashlimit-htable-expire 300000 -j ACCEPT
>

1. Accept EVERYTHING from EVERYONE except
2. Accept EVERYTHING ELSE (from ) if the hashlimit module permits

> ...
> or
>
> -A src_limit -s -m hashlimit --hashlimit 2/min --hashlimit-burst 10 --hashlimit-mode srcip,dstport --hashlimit-name per_src --hashlimit-htable-gcinterval 60000 --hashlimit-htable-expire 300000 -j ACCEPT
>

1. Accept from if the hashlimit module permits

> Thanks
>
> Brendan
>

Do not forget the DROP policy in the chain...

Swifty

From swifty at freemail.hu Fri Oct 13 10:34:09 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Fri Oct 13 11:11:59 2006
Subject: Fwd: Critique of IPTables Firewall
In-Reply-To:
References:
Message-ID: <452F4F81.5050200@freemail.hu>

Idgarad wrote:
> There are many guides on how to write a firewall script functionally,
> but form is disregarded. Is the following a decent, well written
> firewall (Form, not function)? It's is clear and easy to follow? In
> the event that I get hit by a bus would someone else with IPTables
> experience be able to pick up where I left off?

Hopefully an experienced firewall professional would understand it... :) Not because it is too complicated, but not everyone uses the same programming techniques and style.

> Has anyone from the Netfilter's list thought about writing a
> Best-Practices guide not from the functional side, but rather the form
> side of writing IPTABLES scripts and what not?

Well... I published my firewall script two months ago... ( https://lists.netfilter.org/pipermail/netfilter/2006-August/066404.html )

Let me quote Jan Engelhardt's reply:

"No one ever reads through that mess, really. There are so many scripts floating around, the number is just too outstanding, and it makes tired after a while. Jan Engelhardt"

Well... I think this is okay, but anyway I would be glad if a guide existed. So I am a bit interested ...

For example I would propose the following format:

iptables -t -j [filters]

table: mangle, nat, filter...
command: -A, -I, -P...
jump_target: ACCEPT, DROP ...
filters: -p tcp, -p tcp -s 192.168.0.1....

There could be other rules like separating the tables and so on...

Swifty

From xktnniuymlla at mailinator.com Fri Oct 13 20:24:45 2006
From: xktnniuymlla at mailinator.com (Mike Wright) Date: Fri Oct 13 21:02:01 2006 Subject: Last time a chain was used?? In-Reply-To: <298bd5800610122009w5f4c0cd1o89f2dba3ca58d865@mail.gmail.com> References: <298bd5800610122009w5f4c0cd1o89f2dba3ca58d865@mail.gmail.com> Message-ID: <452FD9ED.9070203@mailinator.com> Pablo Proaño wrote:
> Greetings:
>
> Maybe someone can help me. I am developing an application for which it would be useful to know when an iptables rule was last used to filter or let through certain traffic.
>
> (ACCEPT, DROP, REJECT)
>
> for example I have a rule like this configured on my firewall:
>
> iptables -t filter -A INPUT -s 192.168.1.1/32 -j ACCEPT
>
> and I want to know when was the last time (HH:MM:SS) that it let traffic from the IP 192.168.1.1 through to the Internet.
>
"man iptables" and look for LOG. Perhaps something like this:
iptables -N LOGGER
iptables -t filter -A INPUT -s 192.168.1.1/32 -j LOGGER
iptables -t filter -A LOGGER -j LOG
iptables -t filter -A LOGGER -j ACCEPT
You can look at the results in /var/log/messages. The most recent entries are at the end. (excuse my Spanish ;)

From bclark at eccotours.co.za Sat Oct 14 15:16:34 2006
From: bclark at eccotours.co.za (Brent Clark) Date: Sat Oct 14 16:33:51 2006 Subject: use of -m limit for Syn Flood protection Message-ID: <4530E332.4090306@eccotours.co.za> Hey all
In my continuous quest to understand TCP and netfilter / iptables more, I have started experimenting with rate limiting and different TCP flags. On my LAN I have a mail server and obviously ident requests are performed etc, so currently I'm trying this:
# we allow 4 TCP connects per second, no more
$IPT -N syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j LOG --log-level info --log-prefix '#### Syn Flood ####'
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j DROP
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp --syn -j syn-flood
so now I get this:
Oct 14 14:51:46 gate kernel: #### Syn Flood ####IN=eth1 OUT=eth0 SRC=192.168.111.11 DST=218.15.249.32 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23007 DF PROTO=TCP SPT=40108 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 14:51:49 gate kernel: #### Syn Flood ####IN=eth1 OUT=eth0 SRC=192.168.111.11 DST=218.15.249.32 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23008 DF PROTO=TCP SPT=40108 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 14:51:55 gate kernel: #### Syn Flood ####IN=eth1 OUT=eth0 SRC=192.168.111.11 DST=218.15.249.32 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23009 DF PROTO=TCP SPT=40108 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 14:52:07 gate kernel: #### Syn Flood ####IN=eth1 OUT=eth0 SRC=192.168.111.11 DST=218.15.249.32 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23010 DF PROTO=TCP SPT=40108 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
So my question is, have I maybe been too aggressive on the limit? I use the -j syn-flood for both FORWARD and INPUT.

From sujiannming at gmail.com Sat Oct 14 16:17:24 2006
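Pablo's question (when did a rule last fire?) and Brent's log lines above meet in one place: the kernel LOG target writes a syslog line per hit, so "last time the rule matched" is the newest line carrying that rule's --log-prefix (or, for a bare -j LOG, whatever SRC=/DPT= field identifies the rule). The following parser is an added example, not code from either post. The three "#### Syn Flood ####" lines are copied from Brent's message; the bare-LOG line and the sshd line are constructed, and the year (absent from syslog timestamps) is assumed to be 2006.

```python
import re
from datetime import datetime

# Sample syslog lines.  The "#### Syn Flood ####" lines are copied from
# Brent Clark's post in this thread; the last two are constructed: one hit
# of a bare "-j LOG" rule (no --log-prefix) and one non-netfilter line.
SAMPLE_LOG = """\
Oct 14 14:51:46 gate kernel: #### Syn Flood ####IN=eth1 OUT=eth0 SRC=192.168.111.11 DST=218.15.249.32 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23007 DF PROTO=TCP SPT=40108 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 14:51:49 gate kernel: #### Syn Flood ####IN=eth1 OUT=eth0 SRC=192.168.111.11 DST=218.15.249.32 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23008 DF PROTO=TCP SPT=40108 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 14:52:07 gate kernel: #### Syn Flood ####IN=eth1 OUT=eth0 SRC=192.168.111.11 DST=218.15.249.32 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23010 DF PROTO=TCP SPT=40108 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 15:00:01 gate kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.254 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 15:00:05 gate sshd[1234]: Accepted publickey for admin from 192.168.1.1 port 51000 ssh2
"""

# syslog timestamp, host, then the kernel message: an optional prefix glued
# to "IN=" (LOG emits --log-prefix verbatim, so a prefix without a trailing
# space runs straight into IN=), then key=value fields and bare flags.
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*)(?P<rest>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line, year):
    """Return a dict for a netfilter LOG line, or None for any other line."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    fields = dict(FIELD.findall(m.group("rest")))
    # Bare tokens such as DF, SYN, ACK carry no '='; collect them as flags.
    flags = {tok for tok in m.group("rest").split() if "=" not in tok}
    ts = " ".join(m.group("ts").split())  # collapse "Oct  4" style padding
    return {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "prefix": m.group("prefix").strip(),
        "in": m.group("in"),
        "out": m.group("out"),
        "flags": flags,
        **fields,
    }


def last_hit(log_text, year=2006, prefix=None, **match):
    """Most recent time a LOG rule fired, filtered by prefix and/or by any
    logged field (SRC=, DPT=, ...).  Returns None if nothing matched."""
    latest = None
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line, year)
        if rec is None:
            continue
        if prefix is not None and rec["prefix"] != prefix.strip():
            continue
        if any(rec.get(k) != v for k, v in match.items()):
            continue
        if latest is None or rec["time"] > latest:
            latest = rec["time"]
    return latest


if __name__ == "__main__":
    print(last_hit(SAMPLE_LOG, prefix="#### Syn Flood ####"))
    print(last_hit(SAMPLE_LOG, SRC="192.168.1.1"))
```

Give each LOG rule its own --log-prefix (with a trailing space) so the lookup does not have to fall back on SRC=/DPT= fields, and rate-limit the LOG rule itself so an attacker cannot turn the accounting into a log flood.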
From: sujiannming at gmail.com (Jiann-Ming Su) Date: Sat Oct 14 16:55:07 2006 Subject: use of -m limit for Syn Flood protection In-Reply-To: <4530E332.4090306@eccotours.co.za> References: <4530E332.4090306@eccotours.co.za> Message-ID: <561dc3260610140717i45c75303weaa16bf327bd1f6d@mail.gmail.com> On 10/14/06, Brent Clark wrote:
>
> # we allow 4 TCP connects per second, no more
> $IPT -N syn-flood
> $IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j LOG --log-level info --log-prefix '#### Syn Flood ####'
> $IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> $IPT -A syn-flood -j DROP
>
>
> So my question is, have I maybe been too aggressive on the limit.
>
If you're trying to limit the SYNs to 4/sec, then the --limit should be "--limit 4/s" along with the --limit-burst 4. Though, 4 SYNs per second is hardly a syn flood. Also, you may want to specify the destination port of the syn flood to give more granular control.
-- Jiann-Ming Su "I have to decide between two equally frightening options. If I wanted to do that, I'd vote." --Duckman "The system's broke, Hank. The election baby has peed in the bath water. You got to throw 'em both out." --Dale Gribble

From m at rtij.nl Sat Oct 14 18:34:45 2006
From: m at rtij.nl (Martijn Lievaart) Date: Sat Oct 14 19:12:48 2006 Subject: Can't get access to local servers using external IP In-Reply-To: References: Message-ID: <453111A5.8000603@rtij.nl> Patrick Cummings wrote:
> Hi,
> I've already posted this but it looks like it has been deleted or somehow was not sent.
>
> I have set up a linux router for my network. Everything works well except one thing.
> It has three network connections. One is the Internet, another is a bridge of network cards that is the LAN and the last one is a separate network used as a SAN.
>
> The problem is that I can't access the local servers with the external Internet IP.
> This worked before when I had my POS linksys router that I smashed into pieces after the linux router was set up because I hated it.
> This creates some problems. For example, if I host something on my local webserver (192.168.0.2) and somebody links to it from a webpage on an external server and I click on it I can't get access. However it would work if I was not on the LAN. So if I replace the IP address in the link with the one of my LAN it will work. However that's a real mess; if there is a page with like 50 pictures the 50 pictures will load for everybody except the ones that are on the LAN, except if they were to click on each picture manually and edit the address so that it contains the LAN IP.
> Also I always need to log in remotely to an outside computer to test if services are accessible with the internet IP.
>
Your workstation sends a packet to $public_ip, which gets DNATted to 192.168.0.2. The webserver sees a packet from $workstation so responds there. That return packet never traverses the firewall again, as $workstation is on the same local subnet. Your workstation is expecting a reply from $public_ip, so it ignores the return packet from 192.168.0.2.
There are several ways you can make this work.
1) When packets from $local_lan arrive destined for the webserver, not only DNAT them, but SNAT them as well to an IP of the firewall. The disadvantage is that the webserver logs will not accurately report the source address for these connections. This is probably what the linksys did.
2) Set up a DMZ, put the webserver in the DMZ. You need another NIC in the firewall, but it is a very clean solution.
3) Fake a DMZ, don't put another NIC in the server but configure two network segments on the same physical LAN. Dirty. Don't go there unless you understand perfectly what it does.
4) Use mod_proxy on the firewall instead of DNAT. I do this all the time and it works perfectly. As an added advantage, you can map multiple (probably internal) webservers to different paths on your public webserver.
5) Use DNAT on your workstation to translate $public_ip to 192.168.0.2 (for port 80 and 443). Obviously this doesn't scale, but may be the simplest solution.
6) Probably lots of other solutions I didn't think about.
HTH,
M4

From bclark at eccotours.co.za Sat Oct 14 18:45:41 2006
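Martijn's explanation of the asymmetric path, and his option 1 (DNAT plus SNAT, now usually called hairpin NAT), can be traced packet by packet. The model below is an added example, not code from the thread: it is a toy conntrack that records each new connection's original and expected-reply tuples and reverses the translation on the way back, which is what netfilter's nat table does. Only 192.168.0.2 comes from the thread; the public address 203.0.113.5, the firewall's LAN address 192.168.0.1 and the workstation 192.168.0.50 are assumed, and the iptables rules in the comments are the ones the model is imitating, not rules Patrick posted.

```python
"""Toy conntrack model of the hairpin-NAT problem from this thread.

Added example, not code from the post.  Only 192.168.0.2 comes from the
thread; the other addresses are assumed (RFC 1918 / RFC 5737 ranges).
"""

PUBLIC_IP = "203.0.113.5"      # assumed: firewall's Internet address
FW_LAN_IP = "192.168.0.1"      # assumed: firewall's LAN address
WEB_SERVER = "192.168.0.2"     # from the thread
WORKSTATION = "192.168.0.50"   # assumed: a LAN client
LAN_PREFIX = "192.168.0."      # assumed: 192.168.0.0/24


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Router:
    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}   # expected reply tuple -> original request packet

    def forward(self, pkt):
        """What the nat table does to a NEW packet: PREROUTING DNAT, then
        POSTROUTING SNAT (only when the hairpin rule is present)."""
        original = dict(pkt)
        # iptables -t nat -A PREROUTING -d 203.0.113.5 -p tcp --dport 80 \
        #     -j DNAT --to-destination 192.168.0.2
        if pkt["dst"] == PUBLIC_IP and pkt["dport"] == 80:
            pkt = dict(pkt, dst=WEB_SERVER)
        # Option 1 from the thread, hairpin SNAT for LAN-originated hits only:
        # iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2 \
        #     -p tcp --dport 80 -j SNAT --to-source 192.168.0.1
        if self.hairpin_snat and on_lan(pkt["src"]) and pkt["dst"] == WEB_SERVER:
            pkt = dict(pkt, src=FW_LAN_IP)
        reply_tuple = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        self.conntrack[reply_tuple] = original
        return pkt

    def reverse(self, reply):
        """Undo DNAT and SNAT on a reply that matches a tracked connection."""
        key = (reply["src"], reply["sport"], reply["dst"], reply["dport"])
        original = self.conntrack.get(key)
        if original is None:
            return None
        return dict(reply, src=original["dst"], sport=original["dport"],
                    dst=original["src"], dport=original["sport"])


def server_reply(request):
    """The web server answers whatever source address it saw."""
    return {"src": request["dst"], "sport": request["dport"],
            "dst": request["src"], "dport": request["sport"]}


def lan_client_via_public_ip(hairpin_snat):
    """Simulate one LAN workstation connecting to PUBLIC_IP:80.

    Returns (reply accepted by the workstation, source address the server
    logged, reply as the workstation saw it)."""
    router = Router(hairpin_snat)
    request = {"src": WORKSTATION, "sport": 40000, "dst": PUBLIC_IP, "dport": 80}
    as_delivered = router.forward(request)
    reply = server_reply(as_delivered)
    # A reply addressed to another host on the same subnet goes straight to
    # that host's MAC and never crosses the router; only a reply addressed
    # to the firewall itself is translated back.
    if reply["dst"] == FW_LAN_IP:
        reply = router.reverse(reply)
    # The client's socket is bound to (PUBLIC_IP, 80).  A segment from
    # 192.168.0.2:80 matches no socket, so the stack discards it (or answers
    # with RST): this is the "can't get access" symptom in the thread.
    accepted = (reply is not None and reply["src"] == PUBLIC_IP
                and reply["sport"] == 80 and reply["dst"] == WORKSTATION)
    return accepted, as_delivered["src"], reply


if __name__ == "__main__":
    print("without hairpin SNAT:", lan_client_via_public_ip(False))
    print("with hairpin SNAT:   ", lan_client_via_public_ip(True))
```

Two practical caveats when turning this into real rules: the DNAT rule must not be restricted with `-i $WAN_IF`, otherwise LAN packets (which arrive on the LAN interface) never reach it, and the FORWARD chain must allow traffic that enters and leaves on the same LAN interface. The second return value shows the cost Martijn mentions: with the hairpin SNAT the server logs 192.168.0.1 instead of the real client.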
From: bclark at eccotours.co.za (Brent Clark) Date: Sat Oct 14 19:23:22 2006 Subject: use of -m limit for Syn Flood protection In-Reply-To: <561dc3260610140717i45c75303weaa16bf327bd1f6d@mail.gmail.com> References: <4530E332.4090306@eccotours.co.za> <561dc3260610140717i45c75303weaa16bf327bd1f6d@mail.gmail.com> Message-ID: <45311435.20604@eccotours.co.za> Jiann-Ming Su wrote:
> If you're trying to limit the SYNs to 4/sec, then the --limit should be "--limit 4/s" along with the --limit-burst 4. Though, 4 SYNs per second is hardly a syn flood. Also, you may want to specify the destination port of the syn flood to give more granular control.
Hi Jiann
Thank you for your reply.
May I ask what you would consider a more realistic limit/value?
I currently have ports 25, 80 and 443 open. I would like to strive to get a respectable value that would cater for these ports.
Kind Regards
Brent Clark

From sujiannming at gmail.com Sat Oct 14 22:03:10 2006
From: sujiannming at gmail.com (Jiann-Ming Su) Date: Sat Oct 14 22:40:50 2006 Subject: use of -m limit for Syn Flood protection In-Reply-To: <45311435.20604@eccotours.co.za> References: <4530E332.4090306@eccotours.co.za> <561dc3260610140717i45c75303weaa16bf327bd1f6d@mail.gmail.com> <45311435.20604@eccotours.co.za> Message-ID: <561dc3260610141303u1d41bd43t2f8d59c1afa93d5f@mail.gmail.com> On 10/14/06, Brent Clark wrote:
>
> Thank you for your reply.
>
> May I ask what you would consider a more realistic limit /value.
>
> I currently have ports 25, 80 and 443 open. I would like to strive to get a respectable value that would cater for these ports.
>
>
Here's what we've used for the wild, wild west that is a residential hall network for a university:
-A FORWARD -i eth2 -p tcp -m tcp --tcp-flags SYN SYN -j FWD_SYN
-A FWD_SYN -p tcp -m tcp --tcp-flags FIN FIN -m limit --limit 10/min -j ULOG --ulog-prefix "iptables SYN/FIN attack"
-A FWD_SYN -p tcp -m tcp --tcp-flags FIN FIN -j DROP
-A FWD_SYN -p tcp -m tcp --dport 80 -m limit --limit 200/sec --limit-burst 400 -j ACCEPT
-A FWD_SYN -p tcp -m tcp --dport 135 -m limit --limit 50/sec --limit-burst 50 -j ACCEPT
-A FWD_SYN -p tcp -m tcp --dport 139 -m limit --limit 50/sec --limit-burst 50 -j ACCEPT
-A FWD_SYN -p tcp -m tcp --dport 443 -m limit --limit 50/sec --limit-burst 50 -j ACCEPT
-A FWD_SYN -p tcp -m tcp --dport 445 -m limit --limit 50/sec --limit-burst 50 -j ACCEPT
-A FWD_SYN -p tcp -m tcp --dport 80 -m limit --limit 1/sec -j ULOG --ulog-prefix "iptables syn limit (http): "
-A FWD_SYN -p tcp -m multiport --dports 135,139,443,445 -m limit --limit 10/min -j ULOG --ulog-prefix "iptables syn limit (MS): "
-A FWD_SYN -p tcp -m tcp -m multiport --dports 80,135,139,443,445 -j DROP
-A FWD_SYN -p tcp -m tcp -m limit --limit 100/sec --limit-burst 200 -j ACCEPT
-A FWD_SYN -p tcp -m tcp -m limit --limit 10/min -j ULOG --ulog-prefix "iptables syn limit: "
-A FWD_SYN -j DROP
-- Jiann-Ming Su "I have to decide between two equally 
frightening options. If I wanted to do that, I'd vote." --Duckman "The system's broke, Hank. The election baby has peed in the bath water. You got to throw 'em both out." --Dale Gribble

From grtruchet at gigared.com Sun Oct 15 01:55:14 2006
From: grtruchet at gigared.com (piraguasu) Date: Sun Oct 15 02:30:34 2006 Subject: Can't get access remote LAN through firewall Message-ID: <453178E2.5020602@gigared.com> Hi All
I have two LANs, both connected to the Internet through a proxy/firewall on Linux. One is my working LAN and the other is remote. I want to see internal machines of the remote LAN from any computer on my LAN; for this I set up a tunnel, and when the firewall is down on both LANs, all is OK.
When the firewall is up, my problem is forwarding between the tunnel device and the internal card (eth1); I can't get past the firewall, iptables rules don't work. Forwarding is enabled in the systems ("/proc/sys/net/ipv4/ip_forward = 1"). Why doesn't iptables FORWARD work? Who can help me?

From cummingspatrick at hotmail.com Sun Oct 15 05:08:43 2006
From: cummingspatrick at hotmail.com (Patrick Cummings) Date: Sun Oct 15 05:46:34 2006 Subject: Can't get access to local servers using external IP In-Reply-To: <453111A5.8000603@rtij.nl> Message-ID:
>Your workstation sends a packet to $public_ip, which gets DNATted to 192.168.0.2. The webserver sees a packet from $workstation so responds there. That return packet never traverses the firewall again, as $workstation is on the same local subnet. Your workstation is expecting a reply from $public_ip, so it ignores the return packet from 192.168.0.2.
>
>There are several ways you can make this work.
>
>1) When packets from $local_lan arrive destined for the webserver, not only DNAT them, but SNAT them as well to an IP of the firewall. The disadvantage is that the webserver logs will not accurately report the source address for these connections. This is probably what the linksys did.
>
>2) Set up a DMZ, put the webserver in the DMZ. You need another NIC in the firewall, but it is a very clean solution.
>
>3) Fake a DMZ, don't put another NIC in the server but configure two network segments on the same physical LAN. Dirty. Don't go there unless you understand perfectly what it does.
>
>4) Use mod_proxy on the firewall instead of DNAT. I do this all the time and it works perfectly. As an added advantage, you can map multiple (probably internal) webservers to different paths on your public webserver.
>
>5) Use DNAT on your workstation to translate $public_ip to 192.168.0.2 (for port 80 and 443). Obviously this doesn't scale, but may be the simplest solution.
>
>6) Probably lots of other solutions I didn't think about.
>
>HTH,
>M4
wow thanks a lot that makes perfect sense. I'm for sure going to do #1, as it seems the most secure and scalable. Thanks for your time really

From pascal.mail at plouf.fr.eu.org Sun Oct 15 14:24:31 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Sun Oct 15 15:02:22 2006 Subject: use of -m limit for Syn Flood protection In-Reply-To: <4530E332.4090306@eccotours.co.za> References: <4530E332.4090306@eccotours.co.za> Message-ID: <4532287F.2040407@plouf.fr.eu.org> Hello,
Brent Clark wrote:
>
> # we allow 4 TCP connects per second, no more
> $IPT -N syn-flood
> $IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j LOG --log-level info --log-prefix '#### Syn Flood ####'
> $IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> $IPT -A syn-flood -j DROP
This accepts only 1 packet per second after an initial 4-packet burst, and it logs *accepted* packets, not dropped ones. I am not sure this is what you want. You probably want something like this instead, assuming there is an ACCEPT rule later that matches these packets in the calling chain:
$IPT -N syn-flood
$IPT -A syn-flood -m limit --limit 4/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j LOG --log-level info \
    --log-prefix '#### Syn Flood ####'
$IPT -A syn-flood -j DROP
You may also want to set a rate limit in the LOG rule, not to prevent SYN flood but to prevent log flood. ;-)

From pascal.mail at plouf.fr.eu.org Sun Oct 15 14:54:24 2006
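Pascal's two points (--limit 1/s --limit-burst 4 passes four packets and then one per second, and a LOG rule placed before the limited RETURN, with its own separate bucket, logs the accepted packets rather than the dropped ones) and Brendan's per-source hashlimit question earlier in this section both come down to the same token bucket. The model below is an added example, not code from any post on the list: it is a simplified bucket (the real xt_limit/xt_hashlimit keep credits in jiffies-based units, but burst-as-bucket-size and rate-as-refill are the semantics that matter), and the traffic it feeds through the chains is constructed. The source addresses 192.0.2.10 and 192.0.2.20 are assumed.

```python
"""Token-bucket model of the `limit` and `hashlimit` matches.

Added example, not code from the list.  --limit-burst is the bucket size
(and the initial fill), --limit is the refill rate, and a rule carrying the
match matches only while a token is available.  hashlimit is the same
bucket, one per key (srcip, srcip+dstport, ...).
"""
from collections import defaultdict


class TokenBucket:
    """One `-m limit --limit RATE --limit-burst BURST` instance."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.capacity = burst
        self.tokens = float(burst)   # starts full: the first BURST packets match
        self.last = 0.0

    def match(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(rules, packets):
    """Traverse a user chain: LOG is non-terminating, RETURN/DROP end it.
    rules = [(matcher or None, target)]; returns a count per target."""
    counts = {"RETURN": 0, "DROP": 0, "LOG": 0}
    for pkt in packets:
        for matcher, target in rules:
            if matcher is not None and not matcher(pkt):
                continue
            counts[target] += 1
            if target != "LOG":
                break
    return counts


def syn_flood_chain(rate, burst, log_first):
    """Brent's original ordering (log_first=True): two independent limit
    buckets, LOG before RETURN.  Pascal's ordering (False): the limited
    RETURN first, then an unconditional LOG and DROP for the excess."""
    if log_first:
        log_bucket, ret_bucket = TokenBucket(rate, burst), TokenBucket(rate, burst)
        return [(lambda p: log_bucket.match(p["t"]), "LOG"),
                (lambda p: ret_bucket.match(p["t"]), "RETURN"),
                (None, "DROP")]
    ret_bucket = TokenBucket(rate, burst)
    return [(lambda p: ret_bucket.match(p["t"]), "RETURN"),
            (None, "LOG"),
            (None, "DROP")]


# Constructed traffic: five SYNs at t=0, three more one second later.
SYN_BURST = [{"t": 0.0}] * 5 + [{"t": 1.0}] * 3


def compare_syn_flood_rules():
    """(original 1/s burst 4, LOG first) vs (corrected 4/s burst 4, RETURN first)."""
    original = run_chain(syn_flood_chain(1, 4, True), SYN_BURST)
    corrected = run_chain(syn_flood_chain(4, 4, False), SYN_BURST)
    return original, corrected


def hashlimit(packets, rate_per_sec, burst, mode=("src", "dport")):
    """`-m hashlimit --hashlimit-mode srcip,dstport`: a bucket per key, so one
    noisy source exhausts only its own bucket.  Returns verdicts per source."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
    verdicts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for pkt in packets:
        key = tuple(pkt[f] for f in mode)
        ok = buckets[key].match(pkt["t"])
        verdicts[pkt["src"]]["ACCEPT" if ok else "DROP"] += 1
    return dict(verdicts)


# Constructed: a noisy and a quiet host (assumed addresses) hitting port 22
# within the same second.
HOSTS = ([{"t": 0.0, "src": "192.0.2.10", "dport": 22}] * 12
         + [{"t": 0.0, "src": "192.0.2.20", "dport": 22}] * 3)


if __name__ == "__main__":
    print(compare_syn_flood_rules())
    print(hashlimit(HOSTS, 2 / 60, 10))   # Brendan's --hashlimit 2/min --hashlimit-burst 10
```

With the original ordering every logged packet is also a returned (accepted) packet and the three dropped packets never appear in the log; with Pascal's ordering the one packet over the limit is the one that gets logged, and at t=1 the 4/s rate has refilled the bucket so the next three SYNs pass. In the hashlimit run the noisy host loses two packets while the quiet host loses none, which is the per-source behaviour Brendan was asking about.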
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Sun Oct 15 15:32:09 2006 Subject: Can't get access to local servers using external IP In-Reply-To: <453111A5.8000603@rtij.nl> References: <453111A5.8000603@rtij.nl> Message-ID: <45322F80.3090502@plouf.fr.eu.org> Hello,
Martijn Lievaart wrote:
>
> There are several ways you can make this work.
>
> 1) When packets from $local_lan arrive destined for the webserver, not only DNAT them, but SNAT them as well to an IP of the firewall. The disadvantage is that the webserver logs will not accurately report the source address for these connections. This is probably what the linksys did.
Hint: using NETMAP to do the source NAT, you can do a 1:1 mapping so you can retrieve the original source address.
[...]
> 6) Probably lots of other solutions I didn't think about.
If you access the server by name instead of by IP address:
7) Put the private address and the name in the /etc/hosts file of your workstations. Quick and dirty, does not scale.
8) Set up a "split DNS" server so the internal requests receive the private address and the external requests receive the public address.

From pascal.mail at plouf.fr.eu.org Sun Oct 15 15:13:15 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Sun Oct 15 15:51:01 2006 Subject: Can't get access remote LAN through firewall In-Reply-To: <453178E2.5020602@gigared.com> References: <453178E2.5020602@gigared.com> Message-ID: <453233EB.3080404@plouf.fr.eu.org> Hello,
piraguasu wrote:
>
> I have two LANs, both connected to the Internet through a proxy/firewall on Linux. One is my working LAN and the other is remote. I want to see internal machines of the remote LAN from any computer on my LAN; for this I set up a tunnel, and when the firewall is down on both LANs, all is OK.
>
> When the firewall is up, my problem is forwarding between the tunnel device and the internal card (eth1); I can't get past the firewall, iptables rules don't work.
Does the FORWARD chain contain rules which accept packets between the tunnel interface and the LAN interface in both directions? Something like:
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT

From kamash at gmail.com Sun Oct 15 16:43:55 2006
From: kamash at gmail.com (Kamal) Date: Sun Oct 15 17:21:42 2006 Subject: NAT POSTROUTING accounting Message-ID: <8a1be4700610150743t6c089bfcm7648174d88793c00@mail.gmail.com> I have the following 2 rules:
iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 192.168.0.1
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 192.168.0.2
How can I do accounting on the TOTAL number of packets & bytes that pass through both rules, since the packets & bytes that appear when listing the chain reflect the number of packets creating new connections & not all the packets that are NAT'ed? Also you can't add a chain in front of this chain since NAT POSTROUTING is the last chain in a packet traversal:
Chain POSTROUTING (policy ACCEPT 2593 packets, 1181K bytes)
 pkts bytes target prot opt in  out  source     destination
 2259  114K SNAT   tcp  --  *   eth0 0.0.0.0/0  0.0.0.0/0   tcp dpt:80 to:192.168.0.1
 223K   15M SNAT   all  --  *   eth0 0.0.0.0/0  0.0.0.0/0   to:192.168.0.2

From wakko at animx.eu.org Sun Oct 15 19:00:14 2006
From: wakko at animx.eu.org (Wakko Warner) Date: Sun Oct 15 19:48:05 2006 Subject: Confusion about MAC address in FORWARD chain (iptables) Message-ID: <20061015170014.GC402@animx.eu.org> Please keep me in CC.
I've read the man page for iptables and added -j LOG to attempt to log the failure I was seeing, with no success. I'm using the MAC match to control access from one ethernet card (being that it's connected directly to a wireless AP).
I have the following interfaces:
br0: enslaved eth0 and tap[01]
eth0: Local network
tap0: vpn to my other network
tap1: vpn for the laptop I use on wireless.
eth1: connected to the wireless ap.
ppp0: internet
I'm going to refer to IPs and MACs symbolically as I do not want the IPs to be known.
IFACE=eth1
# This sets up the rules for INPUT and FORWARDING for the wireless interface
# This is excerpts from my script that is called by ifupdown. I use insert
# instead of append so that these rules are guaranteed to be hit.
iptables -I INPUT 1 -j wireless-in -i "$IFACE"
iptables -I INPUT 2 -j DROP -i "$IFACE"
iptables -I FORWARD 1 -j wireless-in -i "$IFACE"
iptables -I FORWARD 2 -j DROP -i "$IFACE"
# wireless-in is supposed to only operate on packets coming from eth1
# This is why the forward rule above jumps to wireless-in with -i
# Anything coming from another interface to eth1 should be allowed.
# The for loop has a list of MAC addresses I'm willing to even consider
# listening to. If they don't match, I ignore them.
# IF_WAP_MAC contains 1 mac address for the WAP
# IF_CLIENT_MAC contains 1 mac address for the laptop
iptables -N wireless-in
for mac in $IF_WAP_MAC $IF_CLIENT_MAC; do
    iptables -A wireless-in -j wireless-ip -m mac --mac-source $mac
done
iptables -A wireless-in -j DROP
# This defines the packets I'm willing to accept. Basically, I want to
# allow ICMP (pings), the VPN port (obviously =), and port 80 so that I can
# configure the WAP. This machine does not have X and the WAP requires a
# java compatible browser so I need to access that port.
iptables -N wireless-ip
iptables -A wireless-ip -j ACCEPT -p icmp
iptables -A wireless-ip -j ACCEPT -p udp --dport vpnport
iptables -A wireless-ip -j DROP -m conntrack --ctstate NEW
iptables -A wireless-ip -j ACCEPT -m conntrack --ctstate ESTABLISHED \
    -p tcp --sport 80
NOTE: br0.x.x and eth1.x.x are representations of IP addresses, not VLAN interfaces, below. Also note that the network on br0 is not the same class B as eth1.
On the firewall machine, pinging eth1.1.2 works as expected. On a machine on the local LAN, pinging eth1.1.2 fails (source br0.2.1). The problem is the MAC source matching.
My understanding is (layer 2): laptop mac to firewall eth1 mac. This should be seen in the FORWARD chain since it is coming from eth1. Then from the firewall mac (br0) to the other machine's mac. I thought that the MAC address that the mac matching would see is the mac of the laptop. This confused me. I just decided to add the mac of br0 to the wireless-in (insert at the beginning) and everything is working. My problem is, I do not understand why. I could have added -I FORWARD 3 -j ACCEPT above, but I saw no reason to add this, and the ping packet did reach the laptop.
A tcpdump -eni eth1 icmp shows the MAC of the laptop and eth1 and also shows that echorq and echo packets are going to/coming from the laptop. So I figured the problem was with the input side of the FORWARD chain. Adding logging just before the DROP in wireless-in shows that packets were indeed getting dropped. Unfortunately, the logging does not log source/destination mac and I saw no way to enable that.
Here's another problem I ran into. Originally, I added the MAC of BR0 in the FORWARD chain instead of the wireless-in chain. This caused ALL blocking I had (DNAT'd packets) to be ignored. Basically the packet was -i ppp0 and -o br0 and the MAC source test of br0 caused it to accept all traffic.
Can anyone explain/comment on this? I'd like to understand why this happens.
-- Lab tests show that use of micro$oft causes cancer in lab animals Got Gas???

From negri at cs.unibo.it Sun Oct 15 19:15:23 2006
From: negri at cs.unibo.it (Alberto Negri) Date: Sun Oct 15 19:53:15 2006 Subject: hi all Message-ID: <20061015171523.3ac5ebe3@localhost> hi all,
I post here after speaking with people in the #iptables irc channel, in particular with "Taube". At the end of my problem explanation he suggested I use a script instead of the iptables-{save,restore} commands, but reading the iptables tutorial, in particular here: http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SAVEANDRESTORE I get the advice to use iptables-{save,restore} instead of a bash script... so now I thought to post here...
So now my problem: using iptables-{save,restore} on a gentoo box, iptables crashes at start up.
my error message (doing /etc/init.d/iptables start):
 * Caching service dependencies ... [ ok ]
 * Loading iptables state and starting firewall ...
/etc/init.d/iptables: line 57: 9820 Segmentation fault ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} <"${iptables_save}" [ !! ]
where my iptables rule file is (cat /etc/conf.d/iptables | grep -v ^$ | grep -v ^#):
IPTABLES_SAVE="/var/lib/iptables/firewall"
SAVE_RESTORE_OPTIONS="-c"
SAVE_ON_STOP="yes"
contents of firewall file (cat /var/lib/iptables/firewall) [I dropped some of my comments, starting with '#', before posting]: (Taube told me it is right... anyway I post it)
# Generated by iptables-save v1.3.5 on Sun Oct 8 18:08:12 2006
*raw
:PREROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT
# Completed on Sun Oct 8 18:08:12 2006
# Generated by iptables-save v1.3.5 on Sun Oct 8 18:08:12 2006
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Oct 8 18:08:12 2006
# Generated by iptables-save v1.3.5 on Sun Oct 8 18:08:12 2006
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT
# Completed on Sun Oct 8 18:08:12 2006
# Generated by iptables-save v1.3.5 on Sun Oct 8 18:08:12 2006
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:INBOUND -
:LOG_FILTER -
:LSI -
:LSO -
:OUTBOUND -
-A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2667 -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/min -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 193.70.192.25 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 193.70.192.25 -p udp -j ACCEPT
-A INPUT -s 212.48.4.15 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 212.48.4.15 -p udp -j ACCEPT
-A INPUT -s 62.211.69.150 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 62.211.69.150 -p udp -j ACCEPT
-A INPUT -s 62.101.80.80 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 62.101.80.80 -p udp -j ACCEPT
-A INPUT -s 130.136.1.110 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 130.136.1.110 -p udp -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -o ppp0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
-A OUTPUT -d 193.70.192.25 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 193.70.192.25 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 212.48.4.15 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 212.48.4.15 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 62.211.69.150 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 62.211.69.150 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 62.101.80.80 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 62.101.80.80 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 130.136.1.110 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 130.136.1.110 -p udp -m udp --dport 53 -j ACCEPT
-A OUTBOUND -j ACCEPT
COMMIT
# Completed on Sun Oct 8 18:08:12 2006
where those are DNS: 193.70.192.25 212.48.4.15 62.211.69.150 62.101.80.80 130.136.1.110
these are my gentoo configuration options (emerge --info):
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8
i686 AMD Athlon(tm) XP 1800+ Gentoo Base System version 1.12.5 Last Sync: Sun, 15 Oct 2006 10:30:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-mtune=athlon-xp -march=athlon-xp -O2 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-mtune=athlon-xp -march=athlon-xp -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache distlocks fixpackages metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="ftp://lug.mtu.edu/gentoo http://mirror.phy.olemiss.edu/mirror/gentoo http://mirror.mcs.anl.gov/pub/gentoo/ http://mirror.uni-c.dk/pub/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ ftp://trumpetti.atm.tut.fi/gentoo/ http://pandemonium.tiscali.de/pub/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ http://gentoo.intergenia.de ftp://files.gentoo.org http://files.gentoo.org ftp://ftp.ntua.gr/pub/linux/gentoo/ http://ftp.ntua.gr/pub/linux/gentoo/ ftp://ftp.uoi.gr/mirror/OS/gentoo/ http://ftp.uoi.gr/mirror/OS/gentoo/ http://ftp.physics.auth.gr/pub/mirrors/gentoo/ 
ftp://ftp.physics.auth.gr/pub/mirrors/gentoo/ ftp://mirror.scarlet-internet.nl/pub/gentoo http://mirror.gentoo.no/ http://darkstar.ist.utl.pt/gentoo/ ftp://darkstar.ist.utl.pt/pub/gentoo/ http://mirror.switch.ch/ftp/mirror/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/ ftp://ftp.solnet.ch/mirror/Gentoo http://gentoo.mirror.solnet.ch http://ftp.twaren.net/Linux/Gentoo/ ftp://ftp.twaren.net/Linux/Gentoo/ http://ftp.ncnu.edu.tw/Linux/Gentoo/ ftp://ftp.ncnu.edu.tw/Linux/Gentoo/ " LINGUAS="it" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/overlays/xgl-coffee /usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 3dnow 3dnowex X alsa arts cairo crypt cups dhcp elibc_glibc glitz gmp hal input_devices_keyboard input_devices_mouse kde kernel_linux linguas_it mmx mmxext mp3 mpeg2 mpeg4 nls nptl nvidia opengl pnp readline sse ssl userland_GNU video_cards_nvidia video_cards_vesa vorbis xmms" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS As into guide is written that iptables-{save,restore} tools are not sufficiently test as there are not sufficiently user that try them... i'm here :D I hope to give you some help to discover bugs(if it's not an error of mine ;) )...and i'm sorry if i make you lose your time. Thanks all in advance. Alberto -- Undergraduate student at Computer Science, University of Bologna. Icq number: 79465051 Web page: www.cs.unibo.it/~negri Gpg-id: 1024D/E96025D7 Fingerprint: 2C6A 3E88 05AB 5B21 82E8 4A80 C357 1E37 E960 25D7 From manish.jain at globallogic.com Sun Oct 15 19:23:18 2006 
From: manish.jain at globallogic.com (Manish Jain) Date: Sun Oct 15 20:00:39 2006 Subject: query regarding hashlimit using ipset src,dst tuple Message-ID: <001001c6f07e$9c290f80$0201a8c0@synapse.com> Hi,
I have a requirement as follows: say there are 2 source IPs, src1 and src2, and 2 destination IPs, dst1 and dst2. I need to limit src1->dst1 as well as src2->dst2 communication but want unlimited src2->dst1 communication.
I have an ipset KNOWN, which contains src1, src2, dst1, dst2. Now I write a rule as follows:
iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s --hashlimit-mode srcip,dstip --hashlimit-name foo -m set --set KNOWN src,dst -j ACCEPT
But this will limit the src2->dst1 communication as well, which I don't want.
1. Is there a way to add ip1,ip2 as a tuple in an ipset the way we can do for ip1%port?
2. Is there a mode which can help me do this, using a single iptables rule as above?
3. Is there a way to specify multiple ipsets in 1 iptables rule?
Thanks & Regards
Manish Jain

From m at rtij.nl Sun Oct 15 20:05:07 2006
From: m at rtij.nl (Martijn Lievaart) Date: Sun Oct 15 20:43:13 2006 Subject: Can't get access to local servers using external IP In-Reply-To: <45322F80.3090502@plouf.fr.eu.org> References: <453111A5.8000603@rtij.nl> <45322F80.3090502@plouf.fr.eu.org> Message-ID: <45327853.4070101@rtij.nl> Pascal Hambourg wrote:
> Hello,
>
> Martijn Lievaart wrote:
>
>> There are several ways you can make this work.
>>
>> 1) When packets from $local_lan arrive destined for the webserver, not only DNAT them, but SNAT them as well to an IP of the firewall. The disadvantage is that the webserver logs will not accurately report the source address for these connections. This is probably what the linksys did.
>
> Hint: using NETMAP to do the source NAT, you can do a 1:1 mapping so you can retrieve the original source address.
I thought about this, but the documentation on NETMAP is actually pretty bad, so I decided I would not advertise this route.
>
> [...]
>
>> 6) Probably lots of other solutions I didn't think about.
>
> If you access the server by name instead of by IP address:
>
> 7) Put the private address and the name in the /etc/hosts file of your workstations. Quick and dirty, does not scale.
>
> 8) Set up a "split DNS" server so the internal requests receive the private address and the external requests receive the public address.
>
I do that too, it may actually be the best advice from this list. A bitch to set up[1], but once it's working it works like a charm.
M4
[1] I don't exactly recall my troubles setting it up, it may have been just my situation.

From m at rtij.nl Sun Oct 15 20:09:43 2006
From: m at rtij.nl (Martijn Lievaart)
Date: Sun Oct 15 20:47:45 2006
Subject: NAT POSTROUTING accounting
In-Reply-To: <8a1be4700610150743t6c089bfcm7648174d88793c00@mail.gmail.com>
References: <8a1be4700610150743t6c089bfcm7648174d88793c00@mail.gmail.com>
Message-ID: <45327967.8080406@rtij.nl>

Kamal wrote:
> I have the following 2 rules:
>
>   iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 192.168.0.1
>   iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 192.168.0.2
>
> How can I do accounting on the TOTAL number of packets & bytes that pass
> through both rules, since the packets & bytes that appear when listing
> the chain reflect the number of packets creating new connections & not
> all the packets that are NAT'ed. Also you can't add a chain in front
> of this chain since NAT POSTROUTING is the last chain in a packet
> traversal:
>
> Chain POSTROUTING (policy ACCEPT 2593 packets, 1181K bytes)
>  pkts bytes target prot opt in out  source    destination
>  2259  114K SNAT   tcp  --  *  eth0 0.0.0.0/0 0.0.0.0/0   tcp dpt:80 to:192.168.0.1
>  223K   15M SNAT   all  --  *  eth0 0.0.0.0/0 0.0.0.0/0   to:192.168.0.2

Create a separate rule in FORWARD that jumps to an empty chain. Put this
rule before the -m state rule(s).

HTH,
M4

From pascal.mail at plouf.fr.eu.org Sun Oct 15 20:21:16 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Sun Oct 15 20:59:06 2006
Subject: Can't get access to local servers using external IP
In-Reply-To: <45327853.4070101@rtij.nl>
References: <453111A5.8000603@rtij.nl> <45322F80.3090502@plouf.fr.eu.org> <45327853.4070101@rtij.nl>
Message-ID: <45327C1C.1090507@plouf.fr.eu.org>

Martijn Lievaart wrote:
>
>> 8) Set up a "split DNS" server so the internal requests receive the
>> private address and the external request receive the public address.
>
> I do that too, it may actually be the best advice from this list.

Nooo, we're on a Netfilter/iptables list !

> A bitch to set up[1], but once it's working it works like a charm.

Well, it depends a lot on what you've got. If you have your own Bind9
authoritative DNS server for the name, you must set up "views". May be
heavy. If you have a DNS relay running dnsmasq, you just need to put the
name in the /etc/hosts file of the box running dnsmasq. Easy.

From montyree2 at yahoo.com Mon Oct 16 04:04:47 2006
From: montyree2 at yahoo.com (Monty Ree)
Date: Mon Oct 16 04:42:37 2006
Subject: How to disable ip_conntrack function?
Message-ID: <20061016020447.532.qmail@web56109.mail.re3.yahoo.com>

Hello..

As I know, connection tracking (conntrack) requires some memory at a busy
server. So I would like to disable the conntrack function to improve
performance.

And I disabled "state" match support (CONFIG_NETFILTER_XT_MATCH_STATE) at
the kernel menu. But I can see like below related conntrack. I just selected
only this menu.

  Netfilter Xtables support (required for ip_tables)
  Connection tracking (required for masq/NAT)
  FTP protocol support
  IP tables support (required for filtering/masq/NAT)
  Packet filtering
  REJECT target support
  Full NAT
  Packet mangling
  TOS target support

and the linux kernel is 2.6.17.

How can I disable the conntrack function? and what's the difference between
net.ipv4.ip_conntrack_max and net.ipv4.netfilter.ip_conntrack_max?

  # sysctl -a|grep conntrack
  net.ipv4.ip_conntrack_max = 365536
  net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
  net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
  net.ipv4.netfilter.ip_conntrack_tcp_loose = 3
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
  net.ipv4.netfilter.ip_conntrack_log_invalid = 0
  net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
  net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
  net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
  net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
  net.ipv4.netfilter.ip_conntrack_checksum = 1
  net.ipv4.netfilter.ip_conntrack_buckets = 8192
  net.ipv4.netfilter.ip_conntrack_count = 1790
  net.ipv4.netfilter.ip_conntrack_max = 365536

From struggle at mail.nankai.edu.cn Mon Oct 16 08:36:11 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Mon Oct 16 09:15:19 2006
Subject: query regarding hashlimit using ipset src,dst tuple
In-Reply-To: <360933340.11695@mail.nankai.edu.cn>
References: <360933340.11695@mail.nankai.edu.cn>
Message-ID: <360980823.25277@mail.nankai.edu.cn>

Manish Jain wrote:
> Hi,
>
> I have a requirement as follows -
>
> Say there are 2 source IPs - src1 and src2, and 2 destination IP - dst1,
> dst2.
> I need to limit src1->dst1 as well as src2-dst2 communication but want
> unlimited src2->dst1 communication.
> I have a ipset KNOWN, which contains src1, src2, dst1, dst2
>
> Now i write a rule as follows -
> iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s
> --hashlimit-mode srcipdstip --hashlimit-name foo -m set --set KNOWN
> src,dst -j ACCEPT
>
> But this will limit the src2->dst1 communication as well, which I dont want.
>
> 1. Is there a way to add ip1,ip2 as a tuple in a ipset the way we can do for
> ip1%port?

Yes, look at the ipset manual to find the binding.

> 2. Is there a mode which can help me do this, using a single iptable rule as
> above?

Maybe the following:

  ipset -N from ipmap --network 192.168.0.0/24
  ipset -A from src1
  ipset -A from src2
  ipset -N to ipmap --network 192.168.0.0/24
  ipset -A to dst1
  ipset -A to dst2
  ipset -B from default -b to
  iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s
    --hashlimit-mode srcipdstip --hashlimit-name foo -m set --set KNOWN src,dst -j ACCEPT

> 3. Is there a way to specify multiple ipsets in 1 iptable rule?

I think one set with its bindings can do everything for you ~

From struggle at mail.nankai.edu.cn Mon Oct 16 08:52:02 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Mon Oct 16 09:30:49 2006
Subject: More question about ipset - protocol ?
In-Reply-To: <360474234.15630@mail.nankai.edu.cn>
References: <360474234.15630@mail.nankai.edu.cn>
Message-ID: <360981767.23055@mail.nankai.edu.cn>

Ming-Ching Tiew wrote:
> I still have more questions with ipset, I noticed that in the
> portmap, there is no mention of protocol, whether it should be
> tcp or udp. Taking the example from the url :-
>
> http://ipset.netfilter.org/features.html
>
>   iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
>   iptables -A FORWARD -j DROP
>
> You notice that the ipmap 'server' binds to a portmap, but there is
> no mention of protocol ( whether it should be tcp or udp ).
>
> Does it mean I have to specify the protocol in the iptables
> command? Shouldn't there be a way for the protocol to be mentioned in the
> binding somewhere ?

IP and port can determine a packet, why do you need the protocol?

From kadlec at blackhole.kfki.hu Mon Oct 16 09:00:59 2006
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Mon Oct 16 09:38:49 2006
Subject: query regarding hashlimit using ipset src,dst tuple
In-Reply-To: <001001c6f07e$9c290f80$0201a8c0@synapse.com>
References: <001001c6f07e$9c290f80$0201a8c0@synapse.com>
Message-ID:

On Sun, 15 Oct 2006, Manish Jain wrote:

> Say there are 2 source IPs - src1 and src2, and 2 destination IP - dst1,
> dst2.
> I need to limit src1->dst1 as well as src2-dst2 communication but want
> unlimited src2->dst1 communication.
> I have a ipset KNOWN, which contains src1, src2, dst1, dst2

What type of set is it?

> Now i write a rule as follows -
> iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s
> --hashlimit-mode srcipdstip --hashlimit-name foo -m set --set KNOWN
> src,dst -j ACCEPT
>
> But this will limit the src2->dst1 communication as well, which I dont want.
>
> 1. Is there a way to add ip1,ip2 as a tuple in a ipset the way we can do for
> ip1%port?

No, such a type of set currently does not exist.

> 2. Is there a mode which can help me do this, using a single iptable rule as
> above?

I don't think so.

> 3. Is there a way to specify multiple ipsets in 1 iptable rule?

Yes, you can specify as many matches of the same kind as you want, but
please keep in mind that the matches are AND-ed.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

From temp02 at bluereef.com.au Mon Oct 16 09:23:30 2006
From: temp02 at bluereef.com.au (Andrew Hall)
Date: Mon Oct 16 10:01:05 2006
Subject: Conntrack entry removal with an iptables delete
Message-ID: <00e201c6f0f3$fd1fb2b0$6401a8c0@bluereef.local>

Is it possible to add an option to iptables to allow an IP conntrack entry
to be removed when a matching iptables (-D) delete or flush occurs?

In other words, can we implement say a '-B' option to clear any matching
conntrack entries before we remove the rule from the kernel?

From chaosbringer at gmx.de Mon Oct 16 09:55:57 2006
From: chaosbringer at gmx.de (Julian Hagenauer)
Date: Mon Oct 16 10:33:38 2006
Subject: Two identical ips connected
Message-ID: <20061016095557.058bbde3@vmm1.chaosbringer.de>

Hi,

is it somehow possible to attach two computers with the same ip to a
router, and let the router rewrite/masquerade the ip of one of those
computers with iptables, so that both could be accessed with different ips?
Can you give me some hints how this could be achieved?

thanks,
Julian

From retesh.chadha at gmail.com Mon Oct 16 10:54:31 2006
From: retesh.chadha at gmail.com (Retesh)
Date: Mon Oct 16 11:32:22 2006
Subject: query regarding hashlimit using ipset src,dst tuple
In-Reply-To:
References: <001001c6f07e$9c290f80$0201a8c0@synapse.com>
Message-ID:

Hi Jozsef

Can you let us know the way to AND 2 ipsets, with an example. It will
be really useful.

Thanks
Retesh Chadha

From kadlec at blackhole.kfki.hu Mon Oct 16 11:19:14 2006
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Mon Oct 16 11:57:01 2006
Subject: query regarding hashlimit using ipset src,dst tuple
In-Reply-To:
References: <001001c6f07e$9c290f80$0201a8c0@synapse.com>
Message-ID:

On Mon, 16 Oct 2006, Retesh wrote:

> Can you let us know the way to AND 2 ipsets, with an example. It will
> be really useful.

Let's assume a bunch of servers (the IP addresses stored in the set
'servers') and a bunch of clients (the IP addresses stored in 'clients')
and one wants to allow any listed client to access any listed server:

  iptables -A -m set --set clients src \
              -m set --set servers dst \
              -j ACCEPT

Or if you want to restrict the access to the given list of services on
the servers (port numbers are stored in 'services'), assuming the same
list of services on each server:

  iptables -A -m set --set clients src \
              -m set --set servers dst \
              -m set --set services dst \
              -j ACCEPT

Or if the lists of services are different on the servers, then one can
use an ipporthash type of set to store (server IP, service port) pairs
in 'server-service' and write:

  iptables -A -m set --set clients src \
              -m set --set server-service dst,dst \
              -j ACCEPT

Hope it helps,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

From rob at sterenborg.info Mon Oct 16 11:41:06 2006
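The three AND-ed rule shapes from Jozsef's reply, collected into one script, as an added example (not code from the thread or from the ipset project). It assumes the ipset 2.x command syntax used in this thread (ipset -N name type, ipset -A name member, ip%port for ipporthash members; current ipset releases use "ipset create" and "ipset add" instead), that the set-type options --from/--to and --network are as the ipset 2.x manual describes them, a hypothetical chain name ACCESS and constructed addresses. By default it only prints the commands, so the generated rules can be reviewed; IPTABLES=iptables IPSET=ipset applies them.

```shell
#!/bin/sh
# Added example: AND-ing several ipset matches in one iptables rule.
# Assumptions (not from the thread): ipset 2.x syntax, set-type options
# as in the ipset 2.x manual, chain ACCESS is hypothetical, addresses are
# constructed.  Commands are printed unless IPTABLES/IPSET are set.
IPTABLES="${IPTABLES:-echo iptables}"
IPSET="${IPSET:-echo ipset}"
CHAIN="${CHAIN:-ACCESS}"

# Constructed sample data.
CLIENTS="10.1.0.10 10.1.0.11"
SERVERS="192.0.2.10 192.0.2.11"
SERVICES="22 443"
SERVER_SERVICES="192.0.2.10%22 192.0.2.11%443"   # (server IP, port) pairs

# create_set NAME TYPE "TYPE-OPTIONS" MEMBER...
# Creates the set and adds every member.  $opts is left unquoted on
# purpose so that an empty option string adds no argument.
create_set() {
    name=$1; type=$2; opts=$3; shift 3
    $IPSET -N "$name" "$type" $opts
    for member in "$@"; do
        $IPSET -A "$name" "$member"
    done
}

# Rule bodies returned as text so they can be inspected before use.
# Every additional "-m set" is one more condition the same packet must
# satisfy: the matches are AND-ed, never OR-ed.
rule_clients_to_servers() {
    echo "-A $CHAIN -m set --set clients src -m set --set servers dst -j ACCEPT"
}
rule_clients_to_services() {          # same port list on every server
    echo "-A $CHAIN -m set --set clients src -m set --set servers dst -m set --set services dst -j ACCEPT"
}
rule_clients_to_server_service() {    # per-server port list
    echo "-A $CHAIN -m set --set clients src -m set --set server-service dst,dst -j ACCEPT"
}

# Build the sets, then append the three rules to the chain.
apply_rules() {
    create_set clients        iphash     ""                    $CLIENTS
    create_set servers        iphash     ""                    $SERVERS
    create_set services       portmap    "--from 1 --to 1024"  $SERVICES
    create_set server-service ipporthash "--network 192.0.2.0/24" $SERVER_SERVICES
    $IPTABLES $(rule_clients_to_servers)
    $IPTABLES $(rule_clients_to_services)
    $IPTABLES $(rule_clients_to_server_service)
}
```

Run it once without variables to see the exact ipset and iptables invocations it would issue; the third rule is the one to prefer when servers expose different ports, because an (IP, port) pair set cannot accidentally open port A on server B the way two independent sets do.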
From: rob at sterenborg.info (Rob Sterenborg)
Date: Mon Oct 16 12:19:07 2006
Subject: Two identical ips connected
In-Reply-To: <20061016095557.058bbde3@vmm1.chaosbringer.de>
References: <20061016095557.058bbde3@vmm1.chaosbringer.de>
Message-ID: <49542.193.173.147.3.1160991666.squirrel@webmail.sterenborg.info>

On Mon, October 16, 2006 09:55, Julian Hagenauer wrote:
> Hi,
> is it somehow possible to attach two computers with the same ip to a
> router, and let the router rewrite/masquerade the ip of one of those computers
> with iptables, so that both could be accessed with different ips?

I don't think you can.

> Can you give me some hints how this could be achieved?

If your packet would make it to the router and the router had this configuration:
- eth0: 192.168.1.0/24
- eth1: 192.168.1.0/24
the router cannot distinguish the subnets.

But you'd not even get that far.
When you send a packet from a client to the server and this server has the
same IP as the client (thus src and dst IP are the same), then the packet
wouldn't even make it to the router: it would be sent to itself.

Grts,
Rob

From chaosbringer at gmx.de Mon Oct 16 12:02:11 2006
From: chaosbringer at gmx.de (Julian Hagenauer)
Date: Mon Oct 16 12:39:56 2006
Subject: Two identical ips connected
In-Reply-To: <49542.193.173.147.3.1160991666.squirrel@webmail.sterenborg.info>
References: <20061016095557.058bbde3@vmm1.chaosbringer.de> <49542.193.173.147.3.1160991666.squirrel@webmail.sterenborg.info>
Message-ID: <20061016120211.6ab1d49b@vmm1.chaosbringer.de>

Hi

> If your packet would make it to the router and the router had this configuration:
> - eth0: 192.168.1.0/24
> - eth1: 192.168.1.0/24
> the router cannot distinguish the subnets.

Why so complicated.
eth0: 192.168.1.4
eth1: 192.168.1.4
(Host-based routing) would be enough. Sure the router can not distinguish
between the IPs, but it could distinguish between the MACs, so would it be
possible to do masquerading based on MAC addresses?

> But you'd not even get that far.
> When you send a packet from a client to the server and this server has the
> same IP as the client (thus src and dst IP are the same), then the packet
> wouldn't even make it to the router: it would be sent to itself.

Mhm, I don't understand that. Let me explain my setup in greater detail:

  Server1---------|
                  |
                  |
                  |
  Server2-------Router-------Client
                  |
                  |
                  DB

I want Server1 and Server2 to have the same IP, although only Server1 should
be accessible for clients. The reason for that is that I want to do some
kind of load-balancing. The problem is that both servers need permanent
access to the db, so the router should somehow translate/masquerade the ip
of Server2, so that both servers can access the db at the same time.

I know it sounds weird :-)

Sincerely,
Julian

From negri at cs.unibo.it Mon Oct 16 13:02:01 2006
From: negri at cs.unibo.it (Alberto Negri)
Date: Mon Oct 16 13:40:02 2006
Subject: hi all
In-Reply-To: <20061015171523.3ac5ebe3@localhost>
References: <20061015171523.3ac5ebe3@localhost>
Message-ID: <20061016110201.58e06085@localhost>

On Sun, 15 Oct 2006 17:15:23 +0000
Alberto Negri wrote:

any suggestions? am I on the wrong mailing list? ping :)

Alberto

> hi all,
>
> I post here after speaking with people in the #iptables irc channel,
> in particular with "Taube". At the end of my problem explanation
> he suggested me to use a script instead of the iptables-{save,restore}
> commands, but reading the iptables tutorial, in particular here:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SAVEANDRESTORE
> I get the advice to use iptables-{save,restore} instead of a bash script... now I
> thought to post here...
> So now my problem:
>
> Using iptables-{save,restore} on a gentoo box iptables crashes at start up.
> my error message (doing /etc/init.d/iptables start):
>
>  * Caching service dependencies ...                               [ ok ]
>  * Loading iptables state and starting firewall ...
> /etc/init.d/iptables: line 57:  9820 Segmentation fault      ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} <"${iptables_save}"
>                                                                   [ !! ]
>
> where my iptables rule file is (cat /etc/conf.d/iptables| grep -v ^$ | grep -v ^#):
>
> IPTABLES_SAVE="/var/lib/iptables/firewall"
> SAVE_RESTORE_OPTIONS="-c"
> SAVE_ON_STOP="yes"
>
> contents of the firewall file (cat /var/lib/iptables/firewall) [I dropped some of my comments, starting with
> '#', before posting]:
> (Taube told me it is right... anyway I post it)
>
> # Generated by iptables-save v1.3.5 on Sun Oct 8 18:08:12 2006
> *raw
> :PREROUTING ACCEPT
> :OUTPUT ACCEPT
> COMMIT
> # Completed on Sun Oct 8 18:08:12 2006
> # Generated by iptables-save v1.3.5 on Sun Oct 8 18:08:12 2006
> *nat
> :PREROUTING ACCEPT
> :POSTROUTING ACCEPT
> :OUTPUT ACCEPT
> -A POSTROUTING -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Sun Oct 8 18:08:12 2006
> # Generated by iptables-save v1.3.5 on Sun Oct 8 18:08:12 2006
> *mangle
> :PREROUTING ACCEPT
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
> :POSTROUTING ACCEPT
> COMMIT
> # Completed on Sun Oct 8 18:08:12 2006
> # Generated by iptables-save v1.3.5 on Sun Oct 8 18:08:12 2006
> *filter
> :INPUT DROP
> :FORWARD DROP
> :OUTPUT DROP
> :INBOUND -
> :LOG_FILTER -
> :LSI -
> :LSO -
> :OUTBOUND -
> -A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 2667 -j ACCEPT
> -A INPUT -p icmp -m limit --limit 10/min -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 193.70.192.25 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -s 193.70.192.25 -p udp -j ACCEPT
> -A INPUT -s 212.48.4.15 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -s 212.48.4.15 -p udp -j ACCEPT
> -A INPUT -s 62.211.69.150 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -s 62.211.69.150 -p udp -j ACCEPT
> -A INPUT -s 62.101.80.80 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -s 62.101.80.80 -p udp -j ACCEPT
> -A INPUT -s 130.136.1.110 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -s 130.136.1.110 -p udp -j ACCEPT
> -A FORWARD -j ACCEPT
> -A OUTPUT -o ppp0 -j OUTBOUND
> -A OUTPUT -o eth1 -j OUTBOUND
> -A OUTPUT -d 193.70.192.25 -p tcp -m tcp --dport 53 -j ACCEPT
> -A OUTPUT -d 193.70.192.25 -p udp -m udp --dport 53 -j ACCEPT
> -A OUTPUT -d 212.48.4.15 -p tcp -m tcp --dport 53 -j ACCEPT
> -A OUTPUT -d 212.48.4.15 -p udp -m udp --dport 53 -j ACCEPT
> -A OUTPUT -d 62.211.69.150 -p tcp -m tcp --dport 53 -j ACCEPT
> -A OUTPUT -d 62.211.69.150 -p udp -m udp --dport 53 -j ACCEPT
> -A OUTPUT -d 62.101.80.80 -p tcp -m tcp --dport 53 -j ACCEPT
> -A OUTPUT -d 62.101.80.80 -p udp -m udp --dport 53 -j ACCEPT
> -A OUTPUT -d 130.136.1.110 -p tcp -m tcp --dport 53 -j ACCEPT
> -A OUTPUT -d 130.136.1.110 -p udp -m udp --dport 53 -j ACCEPT
> -A OUTBOUND -j ACCEPT
> COMMIT
> # Completed on Sun Oct 8 18:08:12 2006
>
> where those are DNS:
> 193.70.192.25
> 212.48.4.15
> 62.211.69.150
> 62.101.80.80
> 130.136.1.110
>
> these are my gentoo configuration options (emerge --info):
>
> Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
> =================================================================
> System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 1800+
> Gentoo Base System version 1.12.5
> Last Sync: Sun, 15 Oct 2006 10:30:01 +0000
> distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
> ccache version 2.3 [enabled]
> app-admin/eselect-compiler: [Not Present]
> dev-java/java-config: 1.3.7, 2.0.30
> dev-lang/python: 2.4.3-r4
> dev-python/pycrypto: 2.0.1-r5
> dev-util/ccache: 2.3
> dev-util/confcache: [Not Present]
> sys-apps/sandbox: 1.2.17
> sys-devel/autoconf: 2.13, 2.59-r7
> sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
> sys-devel/binutils: 2.16.1-r3
> sys-devel/gcc-config: 1.3.13-r4
> sys-devel/libtool: 1.5.22
> virtual/os-headers: 2.6.17-r1
> ACCEPT_KEYWORDS="x86"
> AUTOCLEAN="yes"
> CBUILD="i686-pc-linux-gnu"
> CFLAGS="-mtune=athlon-xp -march=athlon-xp -O2 -pipe"
> CHOST="i686-pc-linux-gnu"
> CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
> CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
> CXXFLAGS="-mtune=athlon-xp -march=athlon-xp -O2 -pipe"
> DISTDIR="/usr/portage/distfiles"
> FEATURES="autoconfig ccache distlocks fixpackages metadata-transfer sandbox sfperms strict"
> GENTOO_MIRRORS="ftp://lug.mtu.edu/gentoo http://mirror.phy.olemiss.edu/mirror/gentoo http://mirror.mcs.anl.gov/pub/gentoo/ http://mirror.uni-c.dk/pub/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ ftp://trumpetti.atm.tut.fi/gentoo/ http://pandemonium.tiscali.de/pub/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ http://gentoo.intergenia.de ftp://files.gentoo.org http://files.gentoo.org ftp://ftp.ntua.gr/pub/linux/gentoo/ http://ftp.ntua.gr/pub/linux/gentoo/ ftp://ftp.uoi.gr/mirror/OS/gentoo/ http://ftp.uoi.gr/mirror/OS/gentoo/ http://ftp.physics.auth.gr/pub/mirrors/gentoo/ ftp://ftp.physics.auth.gr/pub/mirrors/gentoo/ ftp://mirror.scarlet-internet.nl/pub/gentoo http://mirror.gentoo.no/ http://darkstar.ist.utl.pt/gentoo/ ftp://darkstar.ist.utl.pt/pub/gentoo/ http://mirror.switch.ch/ftp/mirror/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/ ftp://ftp.solnet.ch/mirror/Gentoo http://gentoo.mirror.solnet.ch http://ftp.twaren.net/Linux/Gentoo/ ftp://ftp.twaren.net/Linux/Gentoo/ http://ftp.ncnu.edu.tw/Linux/Gentoo/ ftp://ftp.ncnu.edu.tw/Linux/Gentoo/ "
> LINGUAS="it"
> MAKEOPTS="-j2"
> PKGDIR="/usr/portage/packages"
> PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
> PORTAGE_TMPDIR="/var/tmp"
> PORTDIR="/usr/portage"
> PORTDIR_OVERLAY="/usr/local/overlays/xgl-coffee /usr/local/portage"
> SYNC="rsync://rsync.gentoo.org/gentoo-portage"
> USE="x86 3dnow 3dnowex X alsa arts cairo crypt cups dhcp elibc_glibc glitz gmp hal input_devices_keyboard input_devices_mouse kde kernel_linux linguas_it mmx mmxext mp3 mpeg2 mpeg4 nls nptl nvidia opengl pnp readline sse ssl userland_GNU video_cards_nvidia video_cards_vesa vorbis xmms"
> Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
>
> As in the guide it is written that the iptables-{save,restore} tools are not
> sufficiently tested as there are not sufficiently many users that try them...
> I'm here :D
> I hope to give you some help to discover bugs (if it's not an error of mine ;) )... and I'm sorry if I
> make you lose your time.
> Thanks all in advance.
> Alberto
>
> --
> Undergraduate student at Computer Science, University of Bologna.
> Icq number: 79465051
> Web page: www.cs.unibo.it/~negri
> Gpg-id: 1024D/E96025D7
> Fingerprint: 2C6A 3E88 05AB 5B21 82E8 4A80 C357 1E37 E960 25D7

--
Undergraduate student at Computer Science, University of Bologna.
Icq number: 79465051
Web page: www.cs.unibo.it/~negri
Gpg-id: 1024D/E96025D7
Fingerprint: 2C6A 3E88 05AB 5B21 82E8 4A80 C357 1E37 E960 25D7

From swifty at freemail.hu Mon Oct 16 13:04:33 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Mon Oct 16 13:42:50 2006
Subject: Two identical ips connected
In-Reply-To: <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
References: <20061016095557.058bbde3@vmm1.chaosbringer.de> <49542.193.173.147.3.1160991666.squirrel@webmail.sterenborg.info> <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
Message-ID: <45336741.5060508@freemail.hu>

Julian Hagenauer wrote:
> Hi
>
>> If your packet would make it to the router and the router had this configuration:
>> - eth0: 192.168.1.0/24
>> - eth1: 192.168.1.0/24
>> the router cannot distinguish the subnets.
>
> Why so complicated.
> eth0: 192.168.1.4
> eth1: 192.168.1.4

You can not assign the same ip to both servers. How would the router route
the packets??? If the servers are on the SAME PHYSICAL network then you get
an IP collision and they would deny to talk to the net... (Try this with 2
Winsucks computers... :) ) The routing is based on IP and not on MAC !!!

> (Host-based routing) would be enough. Sure the router can not distinguish
> between the IPs, but it could distinguish between the MACs, so would it be
> possible to do masquerading based on MAC addresses?
>
>> But you'd not even get that far.
>> When you send a packet from a client to the server and this server has the
>> same IP as the client (thus src and dst IP are the same), then the packet
>> wouldn't even make it to the router: it would be sent to itself.
>
> Mhm, I don't understand that. Let me explain my setup in greater detail:
>
>   Server1---------|
>                   |
>                   |
>                   |
>   Server2-------Router-------Client
>                   |
>                   |
>                   DB

Well, for this scenario you can set up some load-balancing...

1. With DNS-balancing. This is not that list ... :)
2. With iptables balancing. iptables man pages:

"
BALANCE
    This allows you to DNAT connections in a round-robin way over a given
    range of destination addresses.

    --to-destination ipaddr-ipaddr
        Address range to round-robin over.
"

"
DNAT
    This target is only valid in the nat table, in the PREROUTING and
    OUTPUT chains, and user-defined chains which are only called from
    those chains. It specifies that the destination address of the packet
    should be modified (and all future packets in this connection will
    also be mangled), and rules should cease being examined. It takes one
    type of option:

    --to-destination [ipaddr][-ipaddr][:port-port]
        which can specify a single new destination IP address, an
        inclusive range of IP addresses, and optionally, a port range
        (which is only valid if the rule also specifies -p tcp or -p udp).
        If no port range is specified, then the destination port will
        never be modified. If no IP address is specified then only the
        destination port will be modified.

        In Kernels up to 2.6.10 you can add several --to-destination
        options. For those kernels, if you specify more than one
        destination address, either via an address range or multiple
        --to-destination options, a simple round-robin (one after another
        in cycle) load balancing takes place between these addresses.
        Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to
        multiple ranges anymore.
"

Let's assume these settings:

  c  (client)          192.168.1.52
  s  (virtual server)  192.168.1.4
  s1 (server)          10.0.0.1
  s2 (server)          10.0.0.2

  s1---------\
             |
             |
             |
  s2-------Router-------c
             |
             |
             DB

  iptables -t nat -A PREROUTING -j BALANCE -d 192.168.1.4 --to-destination 10.0.0.1-10.0.0.2
  iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.1 --to-source 192.168.1.4
  iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.2 --to-source 192.168.1.4

Maybe this script is useful... But maybe not... :)
You did not tell us what kind of services will be on the servers...
Unfortunately with ftp these rules are not working... :)

> I want Server1 and Server2 to have the same IP, although only Server1 should
> be accessible for clients. The reason for that is that I want to do some
> kind of load-balancing. The problem is that both servers need permanent
> access to the db, so the router should somehow translate/masquerade the ip
> of Server2, so that both servers can access the db at the same time.
>
> I know it sounds weird :-)

Just a little bit... :)

> Sincerely,
> Julian

Swifty

From rob at sterenborg.info Mon Oct 16 13:57:39 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Mon Oct 16 14:35:43 2006
Subject: hi all
In-Reply-To: <20061016110201.58e06085@localhost>
References: <20061015171523.3ac5ebe3@localhost> <20061016110201.58e06085@localhost>
Message-ID: <58531.193.173.147.3.1160999859.squirrel@webmail.sterenborg.info>

On Mon, October 16, 2006 13:02, Alberto Negri wrote:
> On Sun, 15 Oct 2006 17:15:23 +0000
> Alberto Negri wrote:
>
> any suggestions? am I on the wrong mailing list? ping :)
>
> Alberto
>
>> hi all,
>>
>> I post here after speaking with people in the #iptables irc channel, in particular
>> with "Taube". At the end of my problem explanation he suggested me to use a
>> script instead of the iptables-{save,restore} commands, but reading the iptables
>> tutorial, in particular here:
>> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SAVEANDRESTORE
>> I get the advice to use iptables-{save,restore} instead of a bash
>> script... now I thought to post here... So now my problem:
>>
>> Using iptables-{save,restore} on a gentoo box iptables crashes at start up.
>> my error message (doing /etc/init.d/iptables start):

[Snip lots of info]

I thought that the main benefit of these scripts was speed when
saving/restoring rules (someone please correct me if I'm wrong). I don't
think your ruleset is big enough to notice the difference.

If you're having trouble using iptables-[save|restore] then you can create
your own script: it's just a matter of preference.

Gr,
Rob

From kamash at gmail.com Mon Oct 16 14:00:13 2006
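Gáspár's BALANCE rules in the "Two identical ips connected" reply above rely on a patch-o-matic target that a stock kernel does not carry, and the quoted man page confirms that plain DNAT stopped round-robinning at 2.6.11. The script below is an added example, not code from the thread: it produces the same round-robin with the statistic match (-m statistic --mode nth), which mainline kernels have carried since 2.6.18, and it narrows Gáspár's SNAT rules to the client-facing interface so that the servers' own connections to the DB keep their real source addresses. The VIP, backend addresses and the interface name eth0 are constructed; IPTABLES=iptables applies the rules, otherwise they are only printed.

```shell
#!/bin/sh
# Added example: round-robin DNAT to several backends with the statistic
# match instead of the out-of-tree BALANCE target.  Assumptions (not from
# the thread): VIP, backends and interface names are constructed;
# xt_statistic is available (mainline since 2.6.18).  Commands are printed
# unless IPTABLES=iptables is set.
IPTABLES="${IPTABLES:-echo iptables}"
VIP="${VIP:-192.168.1.4}"               # address the clients connect to
CLIENT_IF="${CLIENT_IF:-eth0}"          # interface facing the clients
BACKENDS="${BACKENDS:-10.0.0.1 10.0.0.2}"

# lb_rules VIP BACKEND...
# Emit one PREROUTING DNAT rule per backend.  The nat table only sees the
# first packet of a connection, so "nth" counts new connections, not
# packets.  Each statistic match keeps its own counter, so rule i (0-based)
# of n takes every (n-i)-th connection that reaches it: rule 0 takes 1/n of
# all connections, rule 1 takes 1/(n-1) of the remaining (n-1)/n, and so
# on, leaving each backend exactly 1/n.  The last rule needs no match
# because it receives whatever is left.
lb_rules() {
    vip=$1; shift
    n=$#; i=0
    for backend in "$@"; do
        if [ $((i + 1)) -lt "$n" ]; then
            echo "-t nat -A PREROUTING -i $CLIENT_IF -d $vip -m statistic --mode nth --every $((n - i)) --packet 0 -j DNAT --to-destination $backend"
        else
            echo "-t nat -A PREROUTING -i $CLIENT_IF -d $vip -j DNAT --to-destination $backend"
        fi
        i=$((i + 1))
    done
}

# snat_rules VIP BACKEND...
# Present the backends as the VIP only on the client side.  Replies to
# DNATed connections are reversed by conntrack without any rule; this SNAT
# covers connections the backends open towards clients themselves.  Tying
# it to the client interface keeps the backends' DB traffic under their
# real addresses, so the DB logs still tell the two servers apart.
snat_rules() {
    vip=$1; shift
    for backend in "$@"; do
        echo "-t nat -A POSTROUTING -o $CLIENT_IF -s $backend -j SNAT --to-source $vip"
    done
}

# apply: run every generated rule through $IPTABLES.
apply() {
    { lb_rules "$VIP" $BACKENDS; snat_rules "$VIP" $BACKENDS; } |
    while IFS= read -r rule; do
        $IPTABLES $rule
    done
}
```

The generalisation beyond Gáspár's two servers is deliberate: lb_rules works for any number of backends, which is where hand-written nth rules usually go wrong (the --every value must shrink by one per rule, not stay at n). Like the BALANCE rules, this distributes new connections only; an already-established session stays on the backend conntrack mapped it to.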
From: kamash at gmail.com (Kamal)
Date: Mon Oct 16 14:38:09 2006
Subject: NAT POSTROUTING accounting
In-Reply-To: <45327967.8080406@rtij.nl>
References: <8a1be4700610150743t6c089bfcm7648174d88793c00@mail.gmail.com> <45327967.8080406@rtij.nl>
Message-ID: <8a1be4700610160500r3bee8e52taa1e7f0c4765eb8c@mail.gmail.com>

On 10/15/06, Martijn Lievaart wrote:
> Create a separate rule in FORWARD that jumps to an empty chain. Put this
> rule before the -m state rule(s).

I will try to guess that by FORWARD you mean the filter FORWARD chain
(as opposed to mangle FORWARD), & the empty chain that you're referring
to is a user-defined chain, but I didn't get what you mean by "the -m
state rule" since in my example I didn't use the state module.

But in any case, doesn't the FORWARD chain only account for forwarded
packets through the machine? What about locally generated packets?

Thanks

From negri at cs.unibo.it Mon Oct 16 14:24:58 2006
From: negri at cs.unibo.it (Alberto Negri)
Date: Mon Oct 16 15:02:57 2006
Subject: hi all
In-Reply-To: <58531.193.173.147.3.1160999859.squirrel@webmail.sterenborg.info>
References: <20061015171523.3ac5ebe3@localhost> <20061016110201.58e06085@localhost> <58531.193.173.147.3.1160999859.squirrel@webmail.sterenborg.info>
Message-ID: <20061016122458.56980859@localhost>

On Mon, 16 Oct 2006 13:57:39 +0200 (CEST)
"Rob Sterenborg" wrote:

LOG_LEVEL=1 :D

The most difficult thing when speaking with expert linux users is setting
the right log_level :D (when you don't post info, others say to you: "post
some details... how do you think we can help you without them?", when you
post too many details...)

Anyway thanks for your reply, Rob! ;)

So will debugging of those tools be neglected?

Thanks all, in particular Rob

Al

P.S.: the point was not to make my firewall work... the point is
understanding why those tools do not work. ;) but if that does not
interest the netfilter mailing list...

P.P.S.: sorry for my bad english :P

> On Mon, October 16, 2006 13:02, Alberto Negri wrote:
> > On Sun, 15 Oct 2006 17:15:23 +0000
> > Alberto Negri wrote:
> >
> > any suggestions? am I on the wrong mailing list? ping :)
> >
> > Alberto
> >
> >> hi all,
> >>
> >> I post here after speaking with people in the #iptables irc channel, in particular
> >> with "Taube". At the end of my problem explanation he suggested me to use a
> >> script instead of the iptables-{save,restore} commands, but reading the iptables
> >> tutorial, in particular here:
> >> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SAVEANDRESTORE
> >> I get the advice to use iptables-{save,restore} instead of a bash
> >> script... now I thought to post here... So now my problem:
> >>
> >> Using iptables-{save,restore} on a gentoo box iptables crashes at start up.
> >> my error message (doing /etc/init.d/iptables start):
>
> [Snip lots of info]
>
> I thought that the main benefit of these scripts was speed when
> saving/restoring rules (someone please correct me if I'm wrong). I don't think
> your ruleset is big enough to notice the difference.
>
> If you're having trouble using iptables-[save|restore] then you can create
> your own script: it's just a matter of preference.
>
> Gr,
> Rob

--
Undergraduate student at Computer Science, University of Bologna.
Icq number: 79465051
Web page: www.cs.unibo.it/~negri
Gpg-id: 1024D/E96025D7
Fingerprint: 2C6A 3E88 05AB 5B21 82E8 4A80 C357 1E37 E960 25D7

From swifty at freemail.hu Mon Oct 16 14:28:52 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Mon Oct 16 15:07:12 2006
Subject: NAT POSTROUTING accounting
In-Reply-To: <8a1be4700610160500r3bee8e52taa1e7f0c4765eb8c@mail.gmail.com>
References: <8a1be4700610150743t6c089bfcm7648174d88793c00@mail.gmail.com> <45327967.8080406@rtij.nl> <8a1be4700610160500r3bee8e52taa1e7f0c4765eb8c@mail.gmail.com>
Message-ID: <45337B04.4040808@freemail.hu>

Kamal wrote:
> On 10/15/06, Martijn Lievaart wrote:
>
>> Create a separate rule in FORWARD that jumps to an empty chain. Put this
>> rule before the -m state rule(s).
>
> I will try to guess that by FORWARD you mean the filter FORWARD chain
> (as opposed to mangle FORWARD), & the empty chain that you're
> referring to is a user-defined chain,
> but I didn't get what you mean by "the -m state rule" since in my
> example I didn't use the state module.
>
> But in any case, doesn't the FORWARD chain only account for forwarded
> packets through the machine? What about locally generated packets?
>
> Thanks

Maybe you can use the mangle POSTROUTING chain...

Swifty

From rob at sterenborg.info Mon Oct 16 14:51:57 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Mon Oct 16 15:30:02 2006
Subject: hi all
In-Reply-To: <20061016122458.56980859@localhost>
References: <20061015171523.3ac5ebe3@localhost> <20061016110201.58e06085@localhost> <58531.193.173.147.3.1160999859.squirrel@webmail.sterenborg.info> <20061016122458.56980859@localhost>
Message-ID: <65468.193.173.147.3.1161003117.squirrel@webmail.sterenborg.info>

On Mon, October 16, 2006 14:24, Alberto Negri wrote:
> LOG_LEVEL=1 :D
>
> The most difficult thing when speaking with expert Linux users is setting the right
> log_level :D (when you don't post info, others tell you: "post some
> details... how do you think we can help you without them?"; when you post too
> many details...) Anyway, thanks for your reply, Rob! ;)

In fact I wasn't really helping you, and for my answer the information was not relevant; also, your problem didn't go away (yet?). :-)

I was responding to what people suggested, and I suggest that if you're having a problem using iptables-[save|restore] you can write a script that works for you.

> So debugging of those tools will be neglected?

I don't know if it is. (Can't imagine, but this is a user list; not developer.)

> P.S.: the point was not to make my firewall work... the point is
> understanding why those tools do not work. ;) But if that does not interest
> the netfilter mailing list...

Well, I'm not using it, so no: I'm not really that interested. But others may be. ;-)

The latest version of iptables is 1.3.6. Since you're using 1.3.5, the latest version may solve your problem with iptables-[save|restore].

Grts,
Rob

From kamash at gmail.com Mon Oct 16 15:22:50 2006
From: kamash at gmail.com (Kamal)
Date: Mon Oct 16 16:01:22 2006
Subject: NAT POSTROUTING accounting
In-Reply-To: <45337B04.4040808@freemail.hu>
References: <8a1be4700610150743t6c089bfcm7648174d88793c00@mail.gmail.com> <45327967.8080406@rtij.nl> <8a1be4700610160500r3bee8e52taa1e7f0c4765eb8c@mail.gmail.com> <45337B04.4040808@freemail.hu>
Message-ID: <8a1be4700610160622q533ac28di9ab37f5735ddd554@mail.gmail.com>

This is one way, but isn't there a more graceful way other than putting duplicate entries in nat POSTROUTING & mangle POSTROUTING?

Thanks

On 10/16/06, Gáspár Lajos wrote:
> Kamal wrote:
> > On 10/15/06, Martijn Lievaart wrote:
> >
> >> Create a separate rule in FORWARD that jumps to an empty chain. Put this
> >> rule before the -m state rule(s).
> >
> > I will try to guess that by FORWARD you mean the filter FORWARD chain
> > (as opposed to mangle FORWARD), & that the empty chain you're
> > referring to is a user-defined chain,
> > but I didn't get what you mean by "the -m state rule" since in my
> > example I didn't use the state module.
> >
> > But in any case, doesn't the FORWARD chain only account for packets
> > forwarded through the machine? What about locally generated packets?
> >
> > Thanks
> >
>
> Maybe you can use the mangle POSTROUTING chain...
>
> Swifty
>

From swifty at freemail.hu Mon Oct 16 16:03:20 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Mon Oct 16 16:41:28 2006
Subject: NAT POSTROUTING accounting
In-Reply-To: <8a1be4700610160622q533ac28di9ab37f5735ddd554@mail.gmail.com>
References: <8a1be4700610150743t6c089bfcm7648174d88793c00@mail.gmail.com> <45327967.8080406@rtij.nl> <8a1be4700610160500r3bee8e52taa1e7f0c4765eb8c@mail.gmail.com> <45337B04.4040808@freemail.hu> <8a1be4700610160622q533ac28di9ab37f5735ddd554@mail.gmail.com>
Message-ID: <45339128.4010609@freemail.hu>

Kamal wrote:
> This is one way, but isn't there a more graceful way other than
> putting duplicate entries in nat POSTROUTING & mangle POSTROUTING?
>
> Thanks
>

Hmm... I do not understand you clearly... What do you mean by "more graceful"...? :)

1. You may make some changes to the packets... (SNAT/DNAT, etc...)
2.a. You have to mark or identify the packets you want to count in other chains... (MARK target or direct rules)
2.b. You can use the mangle POSTROUTING chain for counting specified packets because this is the "last" chain BEFORE every packet leaves the system. (I know that there is a "raw" table...)

So... How do you want to do it "more gracefully"?

Swifty

From lists at netdigix.com Mon Oct 16 16:48:17 2006
From: lists at netdigix.com (Nathan @ Netdigix Systems)
Date: Mon Oct 16 17:24:09 2006
Subject: Two identical ips connected
In-Reply-To: <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
References: <20061016095557.058bbde3@vmm1.chaosbringer.de> <49542.193.173.147.3.1160991666.squirrel@webmail.sterenborg.info> <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
Message-ID: <1161010097.45339bb107dc6@mail.dreamtoy.net>

Pretty sure that will not work. If you want to do some sort of failover or load balancing you should look at Keepalived or Ultramonkey.

Quoting Julian Hagenauer :

> Hi
>
> > If your packet would make it to the router and the router had this
> > configuration:
> > - eth0: 192.168.1.0/24
> > - eth1: 192.168.1.0/24
> > the router cannot distinguish the subnets.
>
> Why so complicated.
> eth0: 192.168.1.4
> eth1: 192.168.1.4
>
> (Host-based routing) would be enough. Sure, the router cannot distinguish
> between the IPs, but it could distinguish between the MACs, so would it be
> possible to do masquerading based on MAC addresses?
>
> > But you'd not even get that far.
> > When you send a packet from a client to the server and this server has the
> > same IP as the client (thus src and dst IP are the same), then the packet
> > wouldn't even make it to the router: it would be sent to itself.
>
> Mhm, I don't understand that. Let me explain my setup in greater detail:
>
>   Server1---------|
>                   |
>                   |
>                   |
>   Server2-------Router-------Client
>                   |
>                   |
>                   DB
>
> I want Server1 and Server2 to have the same IP, although only Server1
> should be accessible for clients.
> The reason for that is that I want to do some kind of load balancing.
> The problem is that both servers need permanent access to the DB, so the
> router should somehow translate/masquerade the IP of Server2, so that
> both servers can access the DB at the same time.
>
> I know it sounds weird :-)
>
> Sincerely,
> Julian

thanks,
-Nathan
-http://www.netdigix.net

From bclark at eccotours.co.za Mon Oct 16 17:29:28 2006
From: bclark at eccotours.co.za (Brent Clark)
Date: Mon Oct 16 18:07:20 2006
Subject: trying different TCP flags for extra protections (probally false sense of security)
Message-ID: <4533A558.9090701@eccotours.co.za>

Hey all

I have added some extra checking to my ruleset. Would anyone care to please look over them?

The INPUT, FORWARD and OUTPUT policies are all set to DROP.

I've been googling for examples and reading Oskar Andreasson's iptables document, but I'm still worried that I'm doing something wrong.

# Limit 12 connections per second (burst to 24)
$IPT -N syn-flood
$IPT -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
$IPT -A syn-flood -j LOG --log-level info --log-prefix '#### Syn Flood ####'
$IPT -A syn-flood -j DROP

$IPT -N bad_tcp_packets
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### NULL Scan ####'
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/ACK Scan ####'
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Checking for naughty packets
$IPT -A FORWARD -p tcp --syn -j syn-flood
$IPT -A FORWARD -p tcp -j bad_tcp_packets

$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Checking for naughty packets
$IPT -A INPUT -p tcp --syn -j syn-flood
$IPT -A INPUT -p tcp -j bad_tcp_packets

Thank you in advance.

Kind Regards
Brent Clark

From m at rtij.nl Mon Oct 16 19:08:41 2006
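The `--tcp-flags MASK COMP` semantics behind the scan rules in the ruleset above, as an added example that is not code from the post: it walks the bad_tcp_packets chain in the posted order for every flag combination and a constructed conntrack state, so you can see which rule fires first and which rules never get a chance to fire.

```python
"""Model of how iptables' --tcp-flags MASK COMP test works, replayed over
the bad_tcp_packets chain posted above.  Added example, not code from the
post: the rule list is transcribed from it; the packets and the conntrack
states are constructed here."""

# TCP control-field flag bits.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# iptables' keyword ALL covers exactly these six flags.
ALL = sum(FLAG_BITS.values())


def parse_flags(spec):
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def tcp_flags_match(mask, comp, packet_flags):
    """--tcp-flags MASK COMP holds when, looking only at the bits named in
    MASK, exactly the bits named in COMP are set.  Flags outside MASK are
    ignored: 'ALL FIN,URG,PSH' is an exact test, while 'SYN,FIN SYN,FIN'
    also matches SYN+FIN+PSH, SYN+FIN+URG+ACK, and so on."""
    return (packet_flags & parse_flags(mask)) == parse_flags(comp)


# The --tcp-flags tests from the posted chain, in rule order.  Each LOG/DROP
# pair uses the same test, so one entry stands for both rules.
FLAG_RULES = [
    ("Stealth Scan", "SYN,ACK,FIN,RST", "RST"),
    ("XMAS Scan", "ALL", "FIN,URG,PSH"),
    ("NULL Scan", "ALL", "NONE"),
    ("SYN/RST Scan", "SYN,RST", "SYN,RST"),
    ("SYN/FIN Scan", "SYN,FIN", "SYN,FIN"),
]


def classify(packet_flags, ct_state):
    """Walk bad_tcp_packets in the posted order for a packet with the given
    flags and conntrack state ('NEW' or 'INVALID'; ESTABLISHED/RELATED
    traffic is accepted before the jump, so the chain never sees it).
    Returns the log prefix of the first rule that fires, or None."""
    # '--syn' is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN'.
    is_syn = tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags)
    if ct_state == "NEW" and not is_syn:
        return "New not syn"
    for prefix, mask, comp in FLAG_RULES:
        if tcp_flags_match(mask, comp, packet_flags):
            return prefix
    if ct_state == "NEW" and tcp_flags_match("SYN,ACK", "SYN,ACK", packet_flags):
        return "SYN/ACK Scan"
    return None


def coverage(ct_state):
    """Count, over all 64 flag combinations, which rule fires first.  For
    NEW packets the 'New not syn' rule already catches every combination
    the later scan rules test for, so those rules only ever log INVALID
    packets, and the SYN/ACK REJECT rule can never fire at all."""
    counts = {}
    for bits in range(ALL + 1):
        prefix = classify(bits, ct_state) or "unmatched"
        counts[prefix] = counts.get(prefix, 0) + 1
    return counts


if __name__ == "__main__":
    for state in ("NEW", "INVALID"):
        print(state, coverage(state))
```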
From: m at rtij.nl (Martijn Lievaart)
Date: Mon Oct 16 19:46:54 2006
Subject: Two identical ips connected
In-Reply-To: <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
References: <20061016095557.058bbde3@vmm1.chaosbringer.de> <49542.193.173.147.3.1160991666.squirrel@webmail.sterenborg.info> <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
Message-ID: <4533BC99.6010800@rtij.nl>

Julian Hagenauer wrote:

>Hi
>
>>If your packet would make it to the router and the router had this configuration:
>>- eth0: 192.168.1.0/24
>>- eth1: 192.168.1.0/24
>>the router cannot distinguish the subnets.
>>
>
>Why so complicated.
>eth0: 192.168.1.4
>eth1: 192.168.1.4
>
>(Host-based routing) would be enough. Sure, the router cannot distinguish between the IPs, but it could distinguish between the MACs, so would it be possible to do masquerading based on MAC addresses?
>
>>But you'd not even get that far.
>>When you send a packet from a client to the server and this server has the same IP
>>as the client (thus src and dst IP are the same), then the packet wouldn't
>>even make it to the router: it would be sent to itself.
>>
>
>Mhm, I don't understand that. Let me explain my setup in greater detail:
>
>  Server1---------|
>                  |
>                  |
>                  |
>  Server2-------Router-------Client
>                  |
>                  |
>                  DB
>
>I want Server1 and Server2 to have the same IP, although only Server1 should be accessible for clients.
>The reason for that is that I want to do some kind of load balancing.
>The problem is that both servers need permanent access to the DB, so the router should somehow translate/masquerade the IP of Server2, so that both servers can access the DB at the same time.
>

Give both servers their own IP. Give one of the servers also the IP the clients use to access the server. When that server fails, assign that IP to the second server (also as secondary!) instead.

M4

From negri at cs.unibo.it Mon Oct 16 19:26:46 2006
From: negri at cs.unibo.it (Alberto Negri)
Date: Mon Oct 16 20:04:48 2006
Subject: hi all
In-Reply-To: <65468.193.173.147.3.1161003117.squirrel@webmail.sterenborg.info>
References: <20061015171523.3ac5ebe3@localhost> <20061016110201.58e06085@localhost> <58531.193.173.147.3.1160999859.squirrel@webmail.sterenborg.info> <20061016122458.56980859@localhost> <65468.193.173.147.3.1161003117.squirrel@webmail.sterenborg.info>
Message-ID: <20061016172646.2b82a25d@localhost>

On Mon, 16 Oct 2006 14:51:57 +0200 (CEST) "Rob Sterenborg" wrote:

> In fact I wasn't really helping you, and for my answer the information was not
> relevant; also, your problem didn't go away (yet?). :-)
> I was responding to what people suggested, and I suggest that if you're having
> a problem using iptables-[save|restore] you can write a script that works for
> you.

Really, I have no problem... as you suggested (the same suggestion as Taube's), I wrote a script. I was interested in helping the netfilter community... as in "I have a bug" (not sure ;) ).

> > So debugging of those tools will be neglected?
>
> I don't know if it is. (Can't imagine, but this is a user list; not developer.)

You're right... but before spamming the devel ML, I decided to spam here :D Hearing from some expert users is always better ;)

> > P.S.: the point was not to make my firewall work... the point is
> > understanding why those tools do not work. ;) But if that does not interest
> > the netfilter mailing list...
>
> Well, I'm not using it, so no: I'm not really that interested. But others may
> be. ;-)
> The latest version of iptables is 1.3.6. Since you're using 1.3.5, the latest
> version may solve your problem with iptables-[save|restore].

Ok... but before that I'll look at the changelog ;)

Do you think that this problem could be interesting for developers? Is there some way to let some devel see it before posting (and probably spamming) on the devel mailing list?

> Grts,
> Rob

thanks and bye
Alberto

From kamash at gmail.com Mon Oct 16 19:40:25 2006
From: kamash at gmail.com (Kamal)
Date: Mon Oct 16 20:18:22 2006
Subject: NAT POSTROUTING accounting
In-Reply-To: <45339128.4010609@freemail.hu>
References: <8a1be4700610150743t6c089bfcm7648174d88793c00@mail.gmail.com> <45327967.8080406@rtij.nl> <8a1be4700610160500r3bee8e52taa1e7f0c4765eb8c@mail.gmail.com> <45337B04.4040808@freemail.hu> <8a1be4700610160622q533ac28di9ab37f5735ddd554@mail.gmail.com> <45339128.4010609@freemail.hu>
Message-ID: <8a1be4700610161040g70d38874gf3d9fb1fe629d84@mail.gmail.com>

On 10/16/06, Gáspár Lajos wrote:

mangle POSTROUTING comes before nat POSTROUTING, so nat POSTROUTING is the last chain in a packet's traversal, as per:
http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg

So replying to your email:

> 1. You may make some changes to the packets... (SNAT/DNAT, etc...)

How would SNAT or DNAT help in accounting?

> 2.a. You have to mark or identify the packets you want to count in other
> chains... (MARK target or direct rules)

Since nat POSTROUTING is the last chain, I wouldn't be able to mark it after the packet is SNATted.

> 2.b. You can use the mangle POSTROUTING chain for counting specified
> packets because this is the "last" chain BEFORE every packet leaves the
> system.
> (I know that there is a "raw" table...)

As I said, POSTROUTING mangle comes before POSTROUTING nat.

If it were after it, then I would have the following:

iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 192.168.0.1
iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to 192.168.0.1
iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 443 -j SNAT --to 192.168.0.1
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 192.168.0.2

then I would have added

iptables -t mangle -I POSTROUTING -o eth0 -s 192.168.0.1 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -s 192.168.0.2 -j ACCEPT

which would have been a nice solution.

But since mangle POSTROUTING is before nat POSTROUTING, the above wouldn't work & I would have to add a statement in mangle POSTROUTING for every nat rule:

iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 443 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -j ACCEPT

And that's what I meant by "not very graceful".

Thanks

From sterickson at gmail.com Mon Oct 16 20:35:34 2006
From: sterickson at gmail.com (Shaun T. Erickson)
Date: Mon Oct 16 21:13:31 2006
Subject: Iptables & ftp (no natting or forwarding)
Message-ID: <92da24e00610161135v47ea20d3s45bcba52563239c5@mail.gmail.com>

I just installed an ftp server on a server, here at work, that's using iptables as a host-based firewall. I don't know if the ftp client will be able to do passive mode or not, yet.

How do I configure iptables to allow active or passive ftp connections, while poking the least amount of holes in the firewall?

--
-ste

From sterickson at gmail.com Mon Oct 16 22:06:38 2006
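A small model of the traversal order Kamal describes in the NAT accounting message above (mangle POSTROUTING before nat POSTROUTING), as an added example rather than code from the thread. It replays his nat and mangle rules with constructed packets to show that mangle counters keyed on the SNAT addresses never increment, and also what `-I` (insert at the head) does to the order of his four SNAT rules compared with `-A`.

```python
"""Toy model of POSTROUTING traversal (mangle first, then nat) used to
replay the rule set from the NAT accounting thread.  Added example, not
code from the thread; the packets are constructed here, and every packet is
treated as the first of its connection so that the nat chain sees all of
them (on a real box nat only sees the first packet of each connection)."""


class Chain:
    """A chain with iptables' first-match semantics and per-rule counters."""

    def __init__(self):
        self.rules = []  # each rule: [match_dict, target, packet_counter]

    def insert(self, match, target):
        """iptables -I: the new rule goes to the HEAD of the chain."""
        self.rules.insert(0, [match, target, 0])

    def append(self, match, target):
        """iptables -A: the new rule goes to the TAIL of the chain."""
        self.rules.append([match, target, 0])

    def run(self, pkt):
        """Return the target of the first rule whose criteria all hold
        (None when the packet falls off the end of the chain)."""
        for rule in self.rules:
            match, target, _ = rule
            if all(pkt.get(key) == value for key, value in match.items()):
                rule[2] += 1
                return target
        return None

    def counters(self):
        return [(match, count) for match, _, count in self.rules]


def postrouting(mangle, nat, pkt):
    """Traverse mangle POSTROUTING, then nat POSTROUTING, and return the
    packet as it leaves the box (src rewritten if an SNAT rule fired).
    The mangle rules see the packet BEFORE the SNAT rewrite."""
    mangle.run(pkt)
    target = nat.run(pkt)
    if target and target.startswith("SNAT:"):
        pkt = dict(pkt, src=target[len("SNAT:"):])
    return pkt


def build(add):
    """Build the posted rules.  `add` is Chain.insert (-I, as in the post)
    or Chain.append (-A); the rules are issued in the posted order."""
    mangle, nat = Chain(), Chain()
    for dport in (80, 25, 443):
        add(nat, {"out": "eth0", "proto": "tcp", "dport": dport}, "SNAT:192.168.0.1")
    add(nat, {"out": "eth0"}, "SNAT:192.168.0.2")
    # The accounting rules the post hoped to use in mangle POSTROUTING.
    add(mangle, {"out": "eth0", "src": "192.168.0.1"}, "ACCEPT")
    add(mangle, {"out": "eth0", "src": "192.168.0.2"}, "ACCEPT")
    return mangle, nat


def replay(add):
    """Send constructed LAN packets through both chains; return the source
    address each leaves with and the two mangle accounting counters."""
    packets = [  # constructed sample traffic from the private side
        {"out": "eth0", "proto": "tcp", "src": "10.0.0.5", "dport": 80},
        {"out": "eth0", "proto": "tcp", "src": "10.0.0.5", "dport": 25},
        {"out": "eth0", "proto": "tcp", "src": "10.0.0.6", "dport": 22},
        {"out": "eth0", "proto": "udp", "src": "10.0.0.7", "dport": 53},
    ]
    mangle, nat = build(add)
    sources = [postrouting(mangle, nat, p)["src"] for p in packets]
    return sources, [count for _, count in mangle.counters()]


if __name__ == "__main__":
    print("-A:", replay(Chain.append))
    print("-I:", replay(Chain.insert))
```

With `-A` the port-specific rules win for ports 80/25/443; with `-I` the catch-all inserted last ends up first and every packet leaves as 192.168.0.2, while in both cases the mangle counters stay at zero because they run before the rewrite.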
From: sterickson at gmail.com (Shaun T. Erickson)
Date: Mon Oct 16 22:44:34 2006
Subject: Iptables & ftp (no natting or forwarding)
In-Reply-To: <5.1.0.14.2.20061016144543.020d1678@129.6.16.94>
References: <5.1.0.14.2.20061016144543.020d1678@129.6.16.94>
Message-ID: <92da24e00610161306i18236db0k625771c2ea82541@mail.gmail.com>

On 10/16/06, Joe Matusiewicz wrote:
> At 02:35 PM 10/16/2006, Shaun T. Erickson wrote:
>
> >How do I configure iptables to allow active or passive ftp
> >connections, while poking the least amount of holes in the firewall?
>
> Loading these two modules got passive ftp to work for me:
>
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp

Thanks. It turns out all I had to do was open up tcp port 21 and load the ip_conntrack_ftp module, and then it just worked in both active and passive modes.

-ste

From dufresne at sysinfo.com Mon Oct 16 22:35:08 2006
From: dufresne at sysinfo.com (R. DuFresne)
Date: Mon Oct 16 23:11:56 2006
Subject: how to write different ip sources on a single rule
In-Reply-To:
References:
Message-ID:

On Thu, 28 Sep 2006, Burak Ozgoren wrote:

>> On Thu, September 28, 2006 13:35, Burak Ozgoren wrote:
>>> Hi,
>>>
>>> I know I can write the source IP within an IP range or with a network mask. For
>>> example: 192.168.0.5-192.168.0.15 or 192.168.0.0/24
>>>
>>> Can I write it for single IPs? Like 192.168.0.5 and 192.168.0.9
>>
>> You can use the second notation (192.168.0.0/24), but for the first you need
>> the iprange match.
>>
>> http://www.netfilter.org/projects/patch-o-matic/pom-base.html#pom-base-iprange
>>
>> Grts,
>> Rob
>
> I know about range and mask, but need a rule like, for example:
>
> Accept port 22 connections from 192.168.0.5, 10.10.60.163, 212.12.X.X
>
> Now I am writing 3 different rules for these.

Well, yes and no, it depends upon how you write your iptables script: is it a flat file of rule, rule, rule... or a more dynamic script? Yeppers, an iptables script can contain most any bash-ish convention, like:

gdhosts="192.168.0.5 10.10.60.163 212.12.X.X"
for h in $gdhosts
do
    ...
done

This will result in 3 rules, but certainly has the ability to grow and shrink as needed, and is likely far easier to read, especially with some comments in the script to keep you in the original mindset...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins

From m at rtij.nl Mon Oct 16 23:26:33 2006
From: m at rtij.nl (Martijn Lievaart)
Date: Tue Oct 17 00:04:48 2006
Subject: hi all
In-Reply-To: <20061016172646.2b82a25d@localhost>
References: <20061015171523.3ac5ebe3@localhost> <20061016110201.58e06085@localhost> <58531.193.173.147.3.1160999859.squirrel@webmail.sterenborg.info> <20061016122458.56980859@localhost> <65468.193.173.147.3.1161003117.squirrel@webmail.sterenborg.info> <20061016172646.2b82a25d@localhost>
Message-ID: <4533F909.4090002@rtij.nl>

Alberto Negri wrote:

>Ok... but before that I'll look at the changelog ;)
>
>Do you think that this problem could be interesting for developers?
>Is there some way to let some devel see it before posting (and probably spamming) on the devel
>mailing list?
>

By all means, post it to the netfilter-devel list, but after you tried 1.3.6. If it is a real bug, and it's still there, that is the fastest way of getting it solved. Apart from fixing it yourself, that is.

M4

From dlang at digitalinsight.com Tue Oct 17 02:34:11 2006
From: dlang at digitalinsight.com (David Lang)
Date: Tue Oct 17 03:11:05 2006
Subject: Two identical ips connected
In-Reply-To: <20061016095557.058bbde3@vmm1.chaosbringer.de>
References: <20061016095557.058bbde3@vmm1.chaosbringer.de>
Message-ID:

On Mon, 16 Oct 2006, Julian Hagenauer wrote:

> Hi,
> is it somehow possible to attach two computers with the same IP
> to a router, and let the router rewrite/masquerade the IP of one of
> those computers with iptables, so that both could be accessed with different IPs?
>
> Can you give me some hints how this could be achieved?
>

You can't do it with one router, but you could with two routers:

machineA 10.0.0.1
   |   machineB Natted as 10.0.0.2 by router1 (from the 192.168.1.2 that
   |   router2 makes it)
router1
   |   machine A Natted as 192.168.1.1 (by router1)
   |   machine B Natted as 192.168.1.2 (by router2)
router2
   |   machineA Natted as 10.0.0.2 by router2 (from the 192.168.1.1 that
   |   router2 makes it)
machineB 10.0.0.1

Each machine would see the other as 10.0.0.2.

Very ugly, but if you can't do anything else, this approach can work.

David Lang

From retesh.chadha at gmail.com Tue Oct 17 08:05:30 2006
From: retesh.chadha at gmail.com (Retesh)
Date: Tue Oct 17 08:43:24 2006
Subject: performance impact by increasing number of ipsets
Message-ID:

Hi

I want to increase the number of IPsets in a system to a high number, say 50000 (default is 255). What will be the impact on performance?

Has someone tried this, or can someone explain the implementation of the ipsets, so that I can estimate the impact on the kernel?

Thanks & Regards
Retesh Chadha

From retesh.chadha at gmail.com Tue Oct 17 08:09:35 2006
From: retesh.chadha at gmail.com (Retesh)
Date: Tue Oct 17 08:47:34 2006
Subject: work on ip%ip ipset
Message-ID:

Hi

Currently, is there any work going on for developing an IPSet like ipiphash containing a pair of IPs as ip1%ip2, similar to ipporthash as ip%port? This can be useful in cases when srcip as well as dstip need to be stored as a tuple in a single ipset.

Thanks & Regards
Retesh Chadha

From kadlec at blackhole.kfki.hu Tue Oct 17 10:00:00 2006
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Tue Oct 17 10:37:52 2006
Subject: performance impact by increasing number of ipsets
In-Reply-To:
References:
Message-ID:

On Tue, 17 Oct 2006, Retesh wrote:

> I want to increase the number of IPsets in a system to a high number,
> say 50000 (default is 255). What will be the impact on performance?

No problem - the sets are referred to by index in netfilter (i.e. in the iptables rules). The set *creation* in such a high number can take a while, however.

> Has someone tried this, or can someone explain the implementation of the
> ipsets, so that I can estimate the impact on the kernel?

I haven't heard about such an extreme setup. But if such a high number of sets is really required, I'd investigate other solutions like nf-hipac, which might easily be a better solution.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

From kadlec at blackhole.kfki.hu Tue Oct 17 10:09:31 2006
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Tue Oct 17 10:47:22 2006
Subject: work on ip%ip ipset
In-Reply-To:
References:
Message-ID:

On Tue, 17 Oct 2006, Retesh wrote:

> Currently, is there any work going on for developing an IPSet like
> ipiphash containing a pair of IPs as ip1%ip2, similar to ipporthash
> as ip%port?

ipset is in maintenance mode: only bugfixes and minor (backward-compatible) changes are accepted/added to the code.

nfset is under development (alas, with a huge gap in the active work), focusing on the following features:

- netlink kernel-user interface instead of [sg]etopt
- "binding" is dropped as a dead-end and new set types like the one you mentioned will be introduced: ip-ip pairs, etc.
- IPv6 address support

Best regards,
Jozsef

From gregory.machin at gmail.com Tue Oct 17 10:37:01 2006
From: gregory.machin at gmail.com (Gregory Machin)
Date: Tue Oct 17 11:14:56 2006
Subject: looking for the developer of webcbq or help ..
Message-ID: <30200a940610170137g3f3e7272gada79d3bb0e97356@mail.gmail.com>

Hi

I'm looking for the developer of webcbq. I'm trying to get it to work on fc5_64 but I have hit a wall: there are some errors and I can't see why the variables are not being populated... I think it was written in PHP 3 because I have had to change a lot of the syntax of the code to get it halfway working... here are the errors:

Notice: Undefined variable: nuevoPadre in /var/www/html/webcbq/parents.php on line 38
Notice: Undefined variable: borrarRegla in /var/www/html/webcbq/parents.php on line 53
Notice: Undefined variable: modificarRegla in /var/www/html/webcbq/parents.php on line 67
Notice: Undefined variable: cambiarNombre in /var/www/html/webcbq/parents.php on line 76
Notice: Undefined variable: nuevaRegla in /var/www/html/webcbq/children.php on line 38
Notice: Undefined variable: borrarRegla in /var/www/html/webcbq/children.php on line 51
Notice: Undefined variable: modificarRegla in /var/www/html/webcbq/children.php on line 63
Notice: Undefined variable: cambiarNombre in /var/www/html/webcbq/children.php on line 72

Many thanks

--
Gregory Machin
gregory.machin@gmail.com
www.linuxpro.co.za

From retesh.chadha at gmail.com Tue Oct 17 10:45:27 2006
From: retesh.chadha at gmail.com (Retesh)
Date: Tue Oct 17 11:23:28 2006
Subject: work on ip%ip ipset
In-Reply-To:
References:
Message-ID:

Hi Jozsef

When is the nfset implementation expected to be released?

Thanks & Regards
Retesh Chadha

From aoliva at it.uc3m.es Tue Oct 17 10:56:57 2006
From: aoliva at it.uc3m.es (aoliva)
Date: Tue Oct 17 11:34:55 2006
Subject: How to know inside a match which chain is calling
Message-ID: <45349AD9.5030804@it.uc3m.es>

Hi all,

I would like to know a way, when programming a match function, of knowing which chain is calling the match.

Thanks in advance
Antonio de la Oliva

From kadlec at blackhole.kfki.hu Tue Oct 17 11:07:15 2006
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Tue Oct 17 11:45:08 2006
Subject: work on ip%ip ipset
In-Reply-To:
References:
Message-ID:

On Tue, 17 Oct 2006, Retesh wrote:

> When is the nfset implementation expected to be released?

I expect it to be released in the first quarter of 2007.

Best regards,
Jozsef

From anisha.chandrasekaran at wipro.com Tue Oct 17 11:19:06 2006
From: anisha.chandrasekaran at wipro.com (anisha.chandrasekaran@wipro.com)
Date: Tue Oct 17 11:57:06 2006
Subject: How to know inside a match which chain is calling
Message-ID: <2FEE63312285CF428A8480B07AC1C359036187D0@CHN-SNR-MBX01.wipro.com>

Can you be a little more specific on what you have asked?

Is it that you want to know how to develop a new match??? Something like a "state" or "conntrack" that has already been developed?

Regards,
Anisha Chandrasekaran
Email : anisha.chandrasekaran@wipro.com

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of aoliva
Sent: Tuesday, October 17, 2006 2:27 PM
To: netfilter@lists.netfilter.org
Subject: How to know inside a match which chain is calling

Hi all,

I would like to know a way, when programming a match function, of knowing which chain is calling the match.

Thanks in advance
Antonio de la Oliva

From aoliva at it.uc3m.es Tue Oct 17 13:16:06 2006
From: aoliva at it.uc3m.es (aoliva) Date: Tue Oct 17 13:54:05 2006 Subject: How to know inside a match which chain is calling In-Reply-To: <2FEE63312285CF428A8480B07AC1C359036187D0@CHN-SNR-MBX01.wipro.com> References: <2FEE63312285CF428A8480B07AC1C359036187D0@CHN-SNR-MBX01.wipro.com> Message-ID: <4534BB76.7060500@it.uc3m.es> Dear Anisha, Sorry for being unspecific. I have implemented a match, this match is called in the chains OUTPUT and INPUT. I would like to know a way of accessing an structure or calling a function or something similar in order to be able of doing a switch inside the match changing the behaviour if the match is called from OUTPUT or INPUT. Thank you very much Regards Antonio anisha.chandrasekaran@wipro.com wrote: > Can you be a little more specific on what you have asked. > > Is it that you want to know how to develop a new match??? Something like > a "state" or "conntrack" that has already been developed > > > Regards, > > Anisha Chandrasekaran > Email : anisha.chandrasekaran@wipro.com > > > > -----Original Message----- 
> From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of aoliva > Sent: Tuesday, October 17, 2006 2:27 PM > To: netfilter@lists.netfilter.org > Subject: How to know inside a match which chain is calling > > Hi all, I would like to know a way of programing in a match function a > way of knowing which is the chain which is calling the match. > > Thanks in advance > Antonio de la Oliva > > > > The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. > > WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. > > www.wipro.com > > From anisha.chandrasekaran at wipro.com Tue Oct 17 13:23:24 2006 From: anisha.chandrasekaran at wipro.com (anisha.chandrasekaran@wipro.com) Date: Tue Oct 17 14:01:29 2006 Subject: How to know inside a match which chain is calling Message-ID: <2FEE63312285CF428A8480B07AC1C35903618919@CHN-SNR-MBX01.wipro.com> Dear Antonio, No sorries please. I jus wanted to get more clear on your doubt. Did you refer to the ipt_state or ipt_conntrack files for idea? They involve number of structure and functional references. Is that what you were looking for or am I taking you in a wrong direction? Regards, Anisha Chandrasekaran Email : anisha.chandrasekaran@wipro.com -----Original Message----- 
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of aoliva Sent: Tuesday, October 17, 2006 4:46 PM Cc: netfilter@lists.netfilter.org Subject: Re: How to know inside a match which chain is calling Dear Anisha, Sorry for being unspecific. I have implemented a match; this match is called in the chains OUTPUT and INPUT. I would like to know a way of accessing a structure or calling a function or something similar in order to be able to do a switch inside the match, changing the behaviour if the match is called from OUTPUT or INPUT. Thank you very much. Regards, Antonio anisha.chandrasekaran@wipro.com wrote: > Can you be a little more specific on what you have asked? > > Is it that you want to know how to develop a new match? Something like > a "state" or "conntrack" that has already been developed? > > > Regards, > > Anisha Chandrasekaran > Email : anisha.chandrasekaran@wipro.com > > > > -----Original Message----- 
> From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of aoliva > Sent: Tuesday, October 17, 2006 2:27 PM > To: netfilter@lists.netfilter.org > Subject: How to know inside a match which chain is calling > > Hi all, I would like to know a way of programming in a match function a > way of knowing which chain is calling the match. > > Thanks in advance > Antonio de la Oliva From kadlec at blackhole.kfki.hu Tue Oct 17 13:54:24 2006 
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik) Date: Tue Oct 17 14:32:23 2006 Subject: How to know inside a match which chain is calling In-Reply-To: <4534BB76.7060500@it.uc3m.es> References: <2FEE63312285CF428A8480B07AC1C359036187D0@CHN-SNR-MBX01.wipro.com> <4534BB76.7060500@it.uc3m.es> Message-ID: On Tue, 17 Oct 2006, aoliva wrote: > Sorry for being unspecific. I have implemented a match; this match is called > in the chains OUTPUT and INPUT. I would like to know a way of accessing a > structure or calling a function or something similar in order to be able to > do a switch inside the match, changing the behaviour if the match is called > from OUTPUT or INPUT. You can't figure out the calling chain in a match: netfilter does not provide the data. You have to pass the info as a command line option. Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary From aoliva at it.uc3m.es Tue Oct 17 14:21:14 2006 
From: aoliva at it.uc3m.es (aoliva) Date: Tue Oct 17 14:59:15 2006 Subject: How to know inside a match which chain is calling In-Reply-To: References: <2FEE63312285CF428A8480B07AC1C359036187D0@CHN-SNR-MBX01.wipro.com> <4534BB76.7060500@it.uc3m.es> Message-ID: <4534CABA.8030608@it.uc3m.es> Thanks for the answers. I have not read ipt_state or conntrack, but if Jozsef is saying it is not possible I will provide the info through the command line. Thanks a lot to all. Regards, Antonio Jozsef Kadlecsik wrote: > On Tue, 17 Oct 2006, aoliva wrote: > > >> Sorry for being unspecific. I have implemented a match; this match is called >> in the chains OUTPUT and INPUT. I would like to know a way of accessing a >> structure or calling a function or something similar in order to be able to >> do a switch inside the match, changing the behaviour if the match is called >> from OUTPUT or INPUT. >> > > You can't figure out the calling chain in a match: netfilter does not > provide the data. You have to pass the info as a command line option. > > Best regards, > Jozsef > - > E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt > Address : KFKI Research Institute for Particle and Nuclear Physics > H-1525 Budapest 114, POB. 49, Hungary > > From ashutosh.naik at gmail.com Tue Oct 17 16:32:11 2006 
From: ashutosh.naik at gmail.com (Ashutosh Naik) Date: Tue Oct 17 17:10:13 2006 Subject: Kphone not opening a secondary SIP direct connection In-Reply-To: <81083a450610130319v12fb5585vf64f95ff64734933@mail.gmail.com> References: <81083a450610130319v12fb5585vf64f95ff64734933@mail.gmail.com> Message-ID: <81083a450610170732r6390dfa3l31703ad4c3083cdc@mail.gmail.com> Hi guys, I am using kphone 4.2 in my setup, where I am connecting to the internet behind a router. What I observe is that my kphone client is unable to establish a secondary direct connection with the other user's SIP client. I think SIP allows a secondary direct connection, and netfilter ALGs have also been written to allow this (ip_conntrack_sip.c and ip_nat_sip.c). Please let me know if this is a kphone client issue (the client is not initiating a secondary connection) or it is something else. Kindly CC me on the replies. Regards Ashutosh From grtruchet at gigared.com Tue Oct 17 20:41:03 2006 
From: grtruchet at gigared.com (piraguasu) Date: Tue Oct 17 21:24:51 2006 Subject: Can't get access remote LAN through firewall In-Reply-To: <453233EB.3080404@plouf.fr.eu.org> References: <453178E2.5020602@gigared.com> <453233EB.3080404@plouf.fr.eu.org> Message-ID: <453523BF.3020902@gigared.com> Pascal Hambourg wrote: > Hello, > > >> >> I have two LANs, both connected to the Internet through a proxy/firewall on >> Linux. One is my working LAN and the other is remote. I want to see the internal >> machines of the remote LAN from any computer on my LAN; for this I set up >> a tunnel, and when the firewall is down in both LANs, all is OK. >> >> When the firewall is up, my problem is forwarding between the tunnel device >> and the internal card (eth1): I can't get past the firewall, the iptables >> rules don't work. > > Does the FORWARD chain contain rules which accept packets between the > tunnel interface and the LAN interface in both directions? > > Something like: > iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT > iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT > > Hi Pascal, Yes, the rules are: # # On my LAN iptables -A FORWARD -i eth1 -s $MY_LAN -d $REMOTE_LAN -o tun0 -j ACCEPT iptables -A FORWARD -i tun0 -s $REMOTE_LAN -d $MY_LAN -o eth1 -j ACCEPT # # On remote LAN iptables -A FORWARD -i eth1 -s $REMOTE_LAN -d $MY_LAN -o tun0 -j ACCEPT iptables -A FORWARD -i tun0 -s $MY_LAN -d $REMOTE_LAN -o eth1 -j ACCEPT The packets can't gain access to the tunnel, tcpdump tells me. If you have any ideas, they are welcome. Thank you Gerardo From richard.wilson at eds.com Tue Oct 17 23:46:54 2006 
From: richard.wilson at eds.com (Wilson, Richard E) Date: Wed Oct 18 00:25:23 2006 Subject: Ip_conntrack enhancement idea Message-ID: All, I am having some issues with servers that run caching DNS and iptables -- the ip_conntrack table overflows resulting in dropped packets. I am wondering what the value is in tracking connections whose source and destination are both 127.0.0.1 -- would it be possible to flag such packets so that no ip_conntrack table entry gets created for them at all? For my servers this can represent a third of the total tracked connections (ip_conntrack_max is set at 65536 on systems with 2GB of RAM). I know this can be addressed other ways -- I am working to get the server upgraded from its current kernel (2.4.21) to something newer so that I can change the default ip_conntrack timeout value (I don't really want to increase the ip_conntrack_max), but thought I should bring this up. Perhaps in other situations it's desirable to track localhost connections, but I can't think of a good reason why. Thanks, Richard Wilson richard dot wilson at eds dot com From eric at inl.fr Wed Oct 18 00:07:56 2006 
From: eric at inl.fr (Eric Leblond) Date: Wed Oct 18 00:46:08 2006 Subject: Ip_conntrack enhancement idea In-Reply-To: References: Message-ID: <1161122877.4002.30.camel@localhost.localdomain> On Tuesday 17 October 2006 at 16:46 -0500, Wilson, Richard E wrote: > All, > > I am having some issues with servers that run caching DNS and iptables > -- the ip_conntrack table overflows resulting in dropped packets. I am > wondering what the value is in tracking connections whose source and > destination are both 127.0.0.1 -- would it be possible to flag such > packets so that no ip_conntrack table entry gets created for them at > all? For my servers this can represent a third of the total tracked > connections (ip_conntrack_max is set at 65536 on systems with 2GB of > RAM). As I said in a previous mail, you really can increase this value. The default conntrack table size is computed for a firewalling server and has to be increased when the server is used as a gateway. > > I know this can be addressed other ways -- I am working to get the > server upgraded from its current kernel (2.4.21) to something newer so > that I can change the default ip_conntrack timeout value (I don't really > want to increase the ip_conntrack_max), but thought I should bring this > up. Perhaps in other situations it's desirable to track localhost > connections, but I can't think of a good reason why. You can use the NOTRACK target to do so. BR, > > Thanks, > > Richard Wilson > > richard dot wilson at eds dot com > > From richard.wilson at eds.com Wed Oct 18 00:15:07 2006 From: richard.wilson at eds.com (Wilson, Richard E) Date: Wed Oct 18 00:54:28 2006 Subject: Ip_conntrack enhancement idea In-Reply-To: <1161122877.4002.30.camel@localhost.localdomain> Message-ID: Eric, Thanks, I've been trying to find out more information on NOTRACK -- do you know what kernel revision it came with? Rich -----Original Message----- 
From: Eric Leblond [mailto:eric@inl.fr] Sent: Tuesday, October 17, 2006 3:08 PM To: Wilson, Richard E Cc: netfilter@lists.netfilter.org Subject: Re: Ip_conntrack enhancement idea On Tuesday 17 October 2006 at 16:46 -0500, Wilson, Richard E wrote: > All, > > I am having some issues with servers that run caching DNS and iptables > -- the ip_conntrack table overflows resulting in dropped packets. I am > wondering what the value is in tracking connections whose source and > destination are both 127.0.0.1 -- would it be possible to flag such > packets so that no ip_conntrack table entry gets created for them at > all? For my servers this can represent a third of the total tracked > connections (ip_conntrack_max is set at 65536 on systems with 2GB of > RAM). As I said in a previous mail, you really can increase this value. The default conntrack table size is computed for a firewalling server and has to be increased when the server is used as a gateway. > > I know this can be addressed other ways -- I am working to get the > server upgraded from its current kernel (2.4.21) to something newer so > that I can change the default ip_conntrack timeout value (I don't really > want to increase the ip_conntrack_max), but thought I should bring this > up. Perhaps in other situations it's desirable to track localhost > connections, but I can't think of a good reason why. You can use the NOTRACK target to do so. BR, > > Thanks, > > Richard Wilson > > richard dot wilson at eds dot com > > From siqhamo at newlunar.co.za Wed Oct 18 06:49:00 2006 
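As an added example for Eric's NOTRACK suggestion (this is not code posted by anyone in the thread): the script below exempts loopback traffic from connection tracking with the raw table's NOTRACK target, and includes a small helper that counts how many entries of a /proc/net/ip_conntrack dump are 127.0.0.1 to 127.0.0.1, so the share Richard mentions can be measured before and after the rules go in. It assumes a kernel that has the raw table (2.6.6 or later, or a raw-patched 2.4; a stock 2.4.21 does not) and an iptables whose state match knows UNTRACKED. The conntrack lines embedded in sample_conntrack are constructed, not captured from a real host, and DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread: keep loopback traffic out of the
# conntrack table with the raw table's NOTRACK target.  Assumes a kernel
# with the raw table (2.6.6+, or a raw-patched 2.4) and an iptables whose
# state match accepts UNTRACKED (1.3.x).
#
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them (root).
IPT=${IPT:-iptables}

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# The raw table is traversed before connection tracking, so packets hitting
# NOTRACK there never get a conntrack entry allocated at all.
notrack_loopback() {
    run -t raw -A PREROUTING -i lo -j NOTRACK
    run -t raw -A OUTPUT -o lo -j NOTRACK
    # Exempted packets reach the filter table in state UNTRACKED.  A stateful
    # ruleset that only accepts NEW/ESTABLISHED/RELATED would drop them, so
    # accept them explicitly on lo.
    run -A INPUT -i lo -m state --state UNTRACKED -j ACCEPT
    run -A OUTPUT -o lo -m state --state UNTRACKED -j ACCEPT
}

# Count entries in a /proc/net/ip_conntrack dump whose original tuple is
# 127.0.0.1 -> 127.0.0.1 (the ones the rules above remove), and the total,
# so the share can be compared before and after applying the rules.
count_loopback_flows() {
    grep -c 'src=127\.0\.0\.1 dst=127\.0\.0\.1' "$1" || true
}

count_all_flows() {
    grep -c 'src=' "$1" || true
}

# Constructed sample in the /proc/net/ip_conntrack line format of 2.4/2.6
# kernels; not captured from a real host.
sample_conntrack() {
    cat <<'EOF'
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=32769 dport=53 packets=1 bytes=60 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=32769 packets=1 bytes=124 use=1
udp      17 17 src=127.0.0.1 dst=127.0.0.1 sport=32770 dport=53 packets=1 bytes=58 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=32770 packets=1 bytes=96 use=1
udp      17 25 src=192.0.2.10 dst=192.0.2.1 sport=1025 dport=53 packets=1 bytes=61 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=1025 packets=1 bytes=130 use=1
tcp      6 431996 ESTABLISHED src=192.0.2.11 dst=192.0.2.1 sport=41022 dport=22 packets=44 bytes=5123 src=192.0.2.1 dst=192.0.2.11 sport=22 dport=41022 packets=38 bytes=6911 [ASSURED] use=1
udp      17 12 src=192.0.2.1 dst=198.51.100.53 sport=32771 dport=53 packets=1 bytes=70 src=198.51.100.53 dst=192.0.2.1 sport=53 dport=32771 packets=1 bytes=210 use=1
EOF
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    sample_conntrack > "$tmp"
    echo "loopback flows: $(count_loopback_flows "$tmp") of $(count_all_flows "$tmp")"
    rm -f "$tmp"
    notrack_loopback
fi
```

Run it as `sh notrack.sh demo` to see the count on the sample and the rules it would add; on a live box, `count_loopback_flows /proc/net/ip_conntrack` gives the real figure. The two ACCEPT rules matter: without them a ruleset that drops everything not NEW/ESTABLISHED/RELATED silently breaks the very localhost DNS traffic you just stopped tracking.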
From: siqhamo at newlunar.co.za (Siqhamo Sifo) Date: Wed Oct 18 07:35:12 2006 Subject: Kphone not opening a secondary SIP direct connection In-Reply-To: <20061017221442.1B6351538A8@comm.newlunar.co.za> References: <20061017221442.1B6351538A8@comm.newlunar.co.za> Message-ID: <32809.196.211.143.85.1161146940.squirrel@196.211.143.82> > Hi guys, > > I am using kphone 4.2 in my setup, where I am connecting to the > internet behind a router. What I observe is that my kphone client is > unable to establish a secondary direct connection with the other > user's SIP client. > > I think SIP allows a secondary direct connection, and netfilter ALGs > have also been written to allow this (ip_conntrack_sip.c and > ip_nat_sip.c). > > Please let me know if this is a kphone client issue (the client is > not initiating a secondary connection) or it is something else. > > Kindly CC me on the replies. > > Regards > Ashutosh > Hi, the problem may not be with your phone; it might be with the ip_conntrack and ip_nat_sip modules, but before I get into that you need to elaborate more on your setup. See, the thing is, in some cases these do work and in some they don't, e.g. DNAT. For more info see my bug report https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=503 . From cschen at asiaa.sinica.edu.tw Wed Oct 18 07:33:15 2006 From: cschen at asiaa.sinica.edu.tw (Joshua, C.S. Chen) Date: Wed Oct 18 08:11:27 2006 Subject: outgoing skype ports Message-ID: <4535BC9B.1010605@asiaa.sinica.edu.tw> Hi folks, I am maintaining a small office fw/gw using iptables, and the rules are: only open outgoing connections for (destination) ports 80 and 443, and statefully allow returned/concerned sessions. Now we want to allow skype traffic. My question is: what port(s) should be opened (outgoing) to use skype? Thanks in advance Cheers Joshua From techsafe.sec at gmail.com Wed Oct 18 15:34:15 2006 
From: techsafe.sec at gmail.com (TechSafe Seguranca) Date: Wed Oct 18 16:12:28 2006 Subject: Teste Message-ID: <50c841770610180634oc99f567ua0c39529a8b9983d@mail.gmail.com> Test -- ______________________________ TechSafe Your security under our protection From robert at leblancnet.us Wed Oct 18 16:13:10 2006 From: robert at leblancnet.us (Robert LeBlanc) Date: Wed Oct 18 16:51:25 2006 Subject: IPtables and bridge interface Message-ID: Hi all, I'm having a problem with my new gateway set-up and I'm not sure where to start with the troubleshooting. I set up a gateway with two NICs in bridge mode to allow my public IP addresses to pass straight through, and then set up two virtual addresses on the bridge interface to NAT the remainder of the machines on my network but still keep them in differing collision domains. The problem that I see is that Internet connectivity is sporadic at best. The connection will stay up for a minute or so, then go down for 5-60 seconds and then come back up. The odd thing is that machines with public addresses never see this problem, only the ones behind the NAT. I am running Debian Etch with kernel Linux debian 2.6.16-2-686 #1 Fri Aug 18 19:01:49 UTC 2006 i686 GNU/Linux I've also tried the 2.6.17-2-686 kernel with the same results. My iptables script is pretty bare: #! /bin/bash modprobe ip_conntrack_ftp iptables_nat iptables_mangle ip_nat_ftp echo "1" > /proc/sys/net/ipv4/ip_forward iptables -t nat -F iptables --out-interface br0 -t nat -A POSTROUTING -s 192.168.1.0/22 -j SNAT --to EXTERNALIP I had two iptables rules before, one for each subnet, but combined them into one rule to see if that would help, but no luck. Can anyone point me to how to get debug information from iptables or what I might try to remedy this problem? Thank you, Robert LeBlanc From tomslists at sandquisttech.net Thu Oct 19 03:28:37 2006 
From: tomslists at sandquisttech.net (Thomas Sandquist) Date: Thu Oct 19 04:22:14 2006 Subject: Ipt_random module questions Message-ID: <2025.209.160.56.254.1161222147.squirrel@www.toms-games.com> Hello, I'm trying to find out if the ipt_random module can be compiled into the 2.6 kernels. A few years ago (back in the day of kernel 2.4) I patched and compiled this module into the kernel and used it in a load balancing script (shotgunning cable modems). I'm interested in doing this with a new box running FC5 (currently kernel 2.6.18) but have found very little information on it. I finally figured out how to get POM again (I think I got the right version anyway... it's now POM-NG, however the release date was in 2004) and found the random source there, but the info note says it only works on kernels below 2.6.0. Do I just have too old a version of the POM package, or is the random module really only available in the 2.4 kernel? If it's not available in the 2.6 kernel, are there any alternative modules that I should be looking into (perhaps the nth module, although I haven't really read up on it yet)? Any help would be appreciated. It was great shotgunning cable modems with this setup a few years ago and it would be even cooler if I could get this working on a more modern distro (I am open to distros other than Fedora if someone knows of one that might be better for my routing purposes). Thanks, Thomas Sandquist From wakko at animx.eu.org Thu Oct 19 04:11:40 2006 
From: wakko at animx.eu.org (Wakko Warner) Date: Thu Oct 19 05:00:09 2006 Subject: recent match and DNAT. Message-ID: <20061019021140.GA16667@animx.eu.org> Is it possible to use the recent match and dnat to dynamically forward incoming packets destined for a specific port (ident in this case) to the machine that initiated the connection? Or is anything like this possible at all? -- Lab tests show that use of micro$oft causes cancer in lab animals Got Gas??? From netfilter at rlworkman.net Thu Oct 19 04:51:26 2006 From: netfilter at rlworkman.net (Robby Workman) Date: Thu Oct 19 05:29:55 2006 Subject: recent match and DNAT. In-Reply-To: <20061019021140.GA16667@animx.eu.org> References: <20061019021140.GA16667@animx.eu.org> Message-ID: <4536E82E.8040207@rlworkman.net> Wakko Warner wrote: > Is it possible to use the recent match and dnat to dynamically forward > incoming packets destined for a specific port (ident in this case) to the > machine that initiated the connection? Or is anything like this possible at > all? There may very well be a way to do it, but if there is, I can't seem to find it, and I know of at least one other person who's messed with it. Best I can tell, midentd on the gateway is going to be your best option. You might find this useful as well - I wrote it up quite some time ago, but coupled with midentd, I think you'll have a workable solution. http://howtos.rlworkman.net/irc-identd RW From tarak at ossindia.com Thu Oct 19 07:08:59 2006 
From: tarak at ossindia.com (tarak@ossindia.com) Date: Thu Oct 19 07:36:24 2006 Subject: IPTABLES Message-ID: hello experts, I have a problem in iptables; I want to customize the firewall. Through iptables I want to run a shell script which will keep a watch on each and every IP address in my organization: how much data is being downloaded and uploaded from those IP addresses, separately. Is this possible to do? If so, please tell me how to do it. Thanks in advance Regards, Tarak Ranjan From pupilla at hotmail.com Thu Oct 19 10:13:18 2006 From: pupilla at hotmail.com (Marco Berizzi) Date: Thu Oct 19 10:51:31 2006 Subject: Ipt_random module questions In-Reply-To: <2025.209.160.56.254.1161222147.squirrel@www.toms-games.com> Message-ID: Thomas Sandquist wrote: >box running FC5 (currently kernel 2.6.18) but have found 2.6.18 has a module called statistic match. You must upgrade to iptables 1.3.6. From ged at jubileegroup.co.uk Thu Oct 19 11:35:04 2006 
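As an added example following Marco's pointer (not code from the thread or from the iptables project): on a 2.6.18 kernel with iptables 1.3.6, the statistic match in random mode does the per-connection coin toss that ipt_random did for Thomas's cable-modem shotgunning on 2.4. The draw alone is not enough, so the script also stores the decision in the conntrack mark with CONNMARK, so every later packet of the connection takes the same uplink, and selects the routing table by fwmark with per-uplink SNAT; those parts are the usual companions of such a setup, not something Marco's reply says. Every interface name, address, table number and the PROB split is an assumption for illustration, and DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread: spread new outbound connections
# over two uplinks with the statistic match, which on 2.6.18 / iptables 1.3.6
# replaces the 2.4-era ipt_random.  Every address, interface name and routing
# table number below is an assumption for illustration.
#
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them (root).
LAN_IF=${LAN_IF:-eth0};   LAN_NET=${LAN_NET:-192.168.0.0/24}
WAN1_IF=${WAN1_IF:-eth1}; WAN1_IP=${WAN1_IP:-198.51.100.10}; WAN1_GW=${WAN1_GW:-198.51.100.1}
WAN2_IF=${WAN2_IF:-eth2}; WAN2_IP=${WAN2_IP:-203.0.113.10};  WAN2_GW=${WAN2_GW:-203.0.113.1}
PROB=${PROB:-0.5}                  # share of new connections sent via WAN2
IPT=${IPT:-iptables}; IP=${IP:-ip}

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# --probability only accepts 0..1; reject anything else before touching rules.
valid_probability() {
    awk -v p="$1" 'BEGIN {
        if (p ~ /^[0-9]*\.?[0-9]+$/ && p >= 0 && p <= 1) exit 0
        exit 1
    }'
}

balance_rules() {
    valid_probability "$PROB" || { echo "PROB must be between 0 and 1, got '$PROB'" >&2; return 1; }

    # 1. Packets of connections already assigned get their stored mark back.
    run "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # 2. Connections without a stored mark yet (first packet; -m connmark
    #    --mark 0 also keeps a retransmitted SYN from being re-rolled): mark 1
    #    (WAN1), then move a PROB share of them to mark 2 (WAN2).  This random
    #    draw is the job ipt_random did on 2.4.
    run "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -m connmark --mark 0 -j MARK --set-mark 1
    run "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -m connmark --mark 0 -m statistic --mode random --probability "$PROB" \
        -j MARK --set-mark 2
    # 3. Store the decision in the conntrack entry so the whole connection
    #    keeps using the same uplink.
    run "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -m connmark --mark 0 -j CONNMARK --save-mark
    # 4. Source NAT per uplink, so replies come back on the interface used.
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN1_IF" -j SNAT --to-source "$WAN1_IP"
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN2_IF" -j SNAT --to-source "$WAN2_IP"
    # 5. Policy routing: the firewall mark selects the routing table.
    run "$IP" route add default via "$WAN1_GW" dev "$WAN1_IF" table 101
    run "$IP" route add default via "$WAN2_GW" dev "$WAN2_IF" table 102
    run "$IP" rule add fwmark 1 table 101
    run "$IP" rule add fwmark 2 table 102
}

if [ "${1:-}" = demo ]; then
    balance_rules
fi
```

`sh balance.sh demo` prints the rule set; `DRY_RUN=0 PROB=0.3 sh balance.sh demo` applies it with 30% of new connections on the second modem. The ordering is deliberate: restore first, decide only when the connection has no mark yet, save last, otherwise a retransmitted SYN or an ESTABLISHED packet could be re-rolled onto the other uplink and the connection would break.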
From: ged at jubileegroup.co.uk (G.W. Haywood) Date: Thu Oct 19 12:13:27 2006 Subject: Two identical ips connected In-Reply-To: <200610160944.k9G9iEZi013530@mail3.jubileegroup.co.uk> References: <200610160944.k9G9iEZi013530@mail3.jubileegroup.co.uk> Message-ID: Hi there, On Mon, 16 Oct 2006 netfilter-request@lists.netfilter.org wrote: > On Mon, October 16, 2006 09:55, Julian Hagenauer wrote: > > > > is it possible somehow possible to attach two computers with the same ip > > I don't think you can. You can, but you don't want to. It's one of many techniques used by criminals to breach security. You have to use some means of flooding one of the machines' interfaces with so much traffic that it can't respond as it should to IP traffic, then 'steal' packets to which it would otherwise respond before it has a chance to do so. You aren't thinking of becoming a criminal, are you? -- 73, Ged. From pascal.mail at plouf.fr.eu.org Thu Oct 19 11:46:21 2006 
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Thu Oct 19 12:24:36 2006 Subject: Can't get access remote LAN through firewall In-Reply-To: <453523BF.3020902@gigared.com> References: <453178E2.5020602@gigared.com> <453233EB.3080404@plouf.fr.eu.org> <453523BF.3020902@gigared.com> Message-ID: <4537496D.7010707@plouf.fr.eu.org> piraguasu wrote: > # > # On my LAN > > iptables -A FORWARD -i eth1 -s $MY_LAN -d $REMOTE_LAN -o tun0 -j ACCEPT > iptables -A FORWARD -i tun0 -s $REMOTE_LAN -d $MY_LAN -o eth1 -j ACCEPT > > # > # On remote LAN > > iptables -A FORWARD -i eth1 -s $REMOTE_LAN -d $MY_LAN -o tun0 -j ACCEPT > iptables -A FORWARD -i tun0 -s $MY_LAN -d $REMOTE_LAN -o eth1 -j ACCEPT What happens if you remove the -s and -d options? No SNAT/MASQUERADE on the tunnel? Could it be that the tunnel packets are dropped on the WAN interface? What kind of tunnel protocol is it? > The packets can't gain access to the tunnel, tcpdump tells me. Can you explain this please? My tcpdump only shows packets which enter and leave a network interface; it does not tell anything about getting access or not. From pascal.mail at plouf.fr.eu.org Thu Oct 19 12:12:51 2006 From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Thu Oct 19 12:51:01 2006 Subject: Ip_conntrack enhancement idea In-Reply-To: References: Message-ID: <45374FA3.7010006@plouf.fr.eu.org> Hello, Wilson, Richard E wrote: > > Thanks, I've been trying to find out more information on NOTRACK -- do > you know what kernel revision it came with? According to the kernel changelogs, the 'raw' table, which contains the NOTRACK target, was included in kernel version 2.6.6. However, the related 'raw' patch for 2.4 kernels is in patch-o-matic-ng snapshots up to patch-o-matic-ng-20050918. The 'raw' patch for 2.6 kernels was in the patch-o-matic-ng-20040621 release but removed in later snapshots, probably due to its inclusion into the 2.6 kernel tree. From szocske at gmail.com Thu Oct 19 12:03:41 2006 
From: szocske at gmail.com (Gabor Szokoli) Date: Thu Oct 19 12:51:54 2006 Subject: Managed proxy between private network Message-ID: Hi There, I am new and have some questions: We have a linux box (complete control) connected to multiple private networks with possibly overlapping IP addressing. Its role is to dynamically create and tear down individual port forwardings between them. Our basic idea was to create conntrack entries from the controlling application. Having imagined conntrack to be like Cisco Express Forwarding, I was surprised to find out the conntrack lists do not contain the incoming and outgoing interfaces, only IP addresses which are then routed via the normal path. Sadly, IP address based routing makes no sense between the independent private networks which are reusing the same IP addresses. We see two paths, both quite rickety: - Modify the conntrack module to contain the incoming and outgoing interfaces (practically merging the route cache functionality into conntrack; may even have performance benefits). - Use connmark to paint flows intended for each interface, and act on it with policy routing. Determining the incoming interface might be made unnecessary by assigning the incoming forwarded ports uniquely across interfaces, but we would prefer to avoid this. I promised a question so here it is :-) How would you guys do this? Must be able to handle thousands of flows busy with tiny packets (upside: no fragmentation), so we have a superstitious affinity to conntrack. Any of the patches we should look at? Sidenote: We tried to make linux forward more packets by throwing more CPUs at it, but have learned a huge conservative lock prevents parallelism in network processing. Does anyone here know about any plans on improving linux networking performance on SMP? From wakko at animx.eu.org Thu Oct 19 12:48:09 2006 
From: wakko at animx.eu.org (Wakko Warner) Date: Thu Oct 19 13:36:45 2006 Subject: recent match and DNAT. In-Reply-To: <4536E82E.8040207@rlworkman.net> References: <20061019021140.GA16667@animx.eu.org> <4536E82E.8040207@rlworkman.net> Message-ID: <20061019104809.GA18016@animx.eu.org> Robby Workman wrote: > Wakko Warner wrote: > >Is it possible to use the recent match and dnat to dynamically forward > >incoming packets destined for a specific port (ident in this case) to the > >machine that initiated the connection? Or is anything like this possible > >at > >all? > > There may very well be a way to do it, but if there is, I can't > seem to find it, and I know of at least one other person who's > messed with it. Best I can tell, midentd on the gateway is going > to be your best option. > You might find this useful as well - I wrote it up quite some > time ago, but coupled with midentd, I think you'll have a > workable solution. > http://howtos.rlworkman.net/irc-identd I was looking for a pure netfilter way of doing it. But it's no big deal really, I have ident forwarded to one machine which is most likely to be the source of the outgoing packets anyway. -- Lab tests show that use of micro$oft causes cancer in lab animals Got Gas??? From jnhefner at gmail.com Thu Oct 19 16:28:47 2006 From: jnhefner at gmail.com (Jeremy) Date: Thu Oct 19 17:07:00 2006 Subject: Netbios over NAT Message-ID: Has anyone been able to hack netfilter in order to get it to work with Netbios over NAT? I've been searching online and I read some posts from 2002 that said it didn't, but I was wondering if anyone has written anything for it recently to allow those types of connections? From jsullivan at opensourcedevel.com Thu Oct 19 17:38:52 2006 
From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Thu Oct 19 18:17:17 2006 Subject: Netbios over NAT In-Reply-To: References: Message-ID: <1161272332.3212.12.camel@localhost> On Thu, 2006-10-19 at 10:28 -0400, Jeremy wrote: > Has anyone been able to hack netfilter in order to get it to work with > Netbios over NAT? I've been searching online and I read some posts > from 2002 that said it didn't, but I was wondering if anyone has > written anything for it recently to allow those types of connections? As far as I know, most NetBIOS functionality works across NAT except for browsing (and perhaps name registration). That seems to embed the IP address in the upper layer data. We had an interest in partially sponsoring this addition which is apparently near trivial. In the ISCS network security management project, we have a feature to map one network to another address to help resolve internal IP address conflicts. It's not a perfect solution but it helps in a pinch. The failure of browsing working across the NAT is one of its major shortcomings. Patrick McHardy was interested in writing the helper but we never found full sponsorship. If I recall, it was only around an US$800 job. I do not believe anyone else has added this functionality. It's one of the very few areas where I have found iptables falling short of the major commercial firewalls many of whom have a NetBIOS NAT helper - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@opensourcedevel.com If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net From oan at frozentux.net Thu Oct 19 18:20:19 2006 
From: oan at frozentux.net (Oskar Andreasson)
Date: Thu Oct 19 18:58:30 2006
Subject: [rfc][update]iptables-tutorial 1.2.2
Message-ID: <1161274820.22792.91.camel@LAPTOP4.MSHOME>

Hi All,

Thought I'd make a small update on the iptables-tutorial since it's now been longer than I originally anticipated for this release. I'm still waiting for the first copy of the book to arrive, hence the delay.

I still have a few things to add to get up to 2.6.18 standards, but I've got (hopefully) 1-2 weeks before my personal deadline for the project.

Would anyone care to give any suggestions on things that are either more important than the ones in the listed TODO, or that you believe should be included?

Also, the book will be 'perfect bound' hard-cover, 9x6", and right now is closing in on 400 pages, and that's where I hope it will stop for now :-). The page count can go up/down pending any layout changes however. It will run at 33-35 USD + shipping per copy.

Sidenote, the current French translation seems to be done directly from the chunky html source, as noted in the TODO. Would anyone be willing to make a change of this? Also, basically all the translations need to be updated if anyone feels inclined...

The current changelog looks as follows:

1.2.2
* Added SCTP match.
* Added addrtype match.
* Added link to policy routing using linux by Matthew G. Marsh.
* Added some internal links for better cross linking.
* Added comment match.
* Added hashlimit match.
* Added new --cmd-owner to owner match.
* Added realm match.
* Added important.gif image sign.
* Fixed --limit-burst, bad explanation.
* Fixed s/package/packet/ in MARK target. ("G.W. Haywood")
* Added raw table in traversing_of_tables_and_chains.sgml
* Updated tables_traverse.gif with raw table and switched fonts.
* Added UNTRACKED and new untracked connections section in statemachine.sgml.
* Removed internal catalogs etc, living off of local ones instead.
* Added SCTP characteristics section to tcp_ip_repetition.sgml
* Added all images for the SCTP chapters.
* Remade all header images from the tcp_ip_repetition.sgml chapter.
* Added SCTP headers section in the tcp_ip_repetition.sgml chapter.

My TODO for the tutorial looks like this:

* nf-log??
* Add all new targets in 2.6 kernel and iptables-1.3.6.
  -- CLUSTERIP
  -- CONNMARK
  -- CONNSECMARK?
  -- SECMARK?
  -- NOTRACK
  -- NFQUEUE?
* Remake flow images (Basically all images except header images).
* Add section about VPN and iptables (ie, private incoming traffic to netfilter box with public iface and vpn iface on top). including routing. nat'ed ipsec, openvpn. filtering ipsec, openvpn.
* French translation needs to be done in DocBook SGML, please? Should fix problem with wrong charset encoding.
* Improve explanation of chain traversal. Add explanation of user defined chains.
* Create index.

-- 
Oskar Andreasson
http://www.frozentux.net
mail/sip: oan@frozentux.net
icq: 33147668
msn: allostra@hotmail.com

From robert at leblancnet.us Thu Oct 19 19:06:44 2006
From: robert at leblancnet.us (Robert LeBlanc)
Date: Thu Oct 19 19:45:03 2006
Subject: IPtables and bridge interface

Anyone with ideas how to troubleshoot this problem? I'm up for anything, it's getting really annoying.

Robert LeBlanc
BioAg Computer Support
Brigham Young University
(801)422-1882
leblanc@byu.edu

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Robert LeBlanc
> Sent: Wednesday, October 18, 2006 8:13 AM
> To: netfilter@lists.netfilter.org
> Subject: IPtables and bridge interface
>
> Hi all,
> I'm having a problem with my new gateway set-up and I'm not sure where to start with the troubleshooting. I set up a gateway with two NICs in bridge mode to allow for my public IP addresses to pass straight through and then set up two virtual addresses on the bridge interface to NAT the remainder of the machines on my network, but still keep them in differing collision domains. The problem that I see is that Internet connectivity is sporadic at best. The connection will stay up for a minute or so, then go down for 5-60 seconds and then come back up. The odd thing is that machines with public addresses never see this problem, only the ones behind the NAT. I am running Debian Etch with kernel
>
> Linux debian 2.6.16-2-686 #1 Fri Aug 18 19:01:49 UTC 2006 i686 GNU/Linux
>
> I've also tried the 2.6.17-2-686 kernel with the same results. My iptables script is pretty bare:
>
> #! /bin/bash
>
> # modprobe loads one module per call (further words are module parameters),
> # so each module gets its own line; the NAT/mangle modules are named iptable_*
> modprobe ip_conntrack_ftp
> modprobe iptable_nat
> modprobe iptable_mangle
> modprobe ip_nat_ftp
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -F
>
> iptables --out-interface br0 -t nat -A POSTROUTING -s 192.168.1.0/22 -j SNAT --to EXTERNALIP
>
> I had two iptables rules before, one for each subnet, but combined them into one rule to see if that would help, but no luck. Can anyone point me to how to get debug information from iptables or what I might try to remedy this problem?
>
> Thank you,
> Robert LeBlanc

From pascal.mail at plouf.fr.eu.org Thu Oct 19 19:14:53 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Thu Oct 19 19:53:07 2006
Subject: Netbios over NAT
In-Reply-To: <1161272332.3212.12.camel@localhost>
References: <1161272332.3212.12.camel@localhost>
Message-ID: <4537B28D.4020708@plouf.fr.eu.org>

Hello,

John A. Sullivan III wrote:
>
> As far as I know, most NetBIOS functionality works across NAT except for
> browsing (and perhaps name registration).

Isn't it because these functionalities use IP broadcasts?

From techsafe.sec at gmail.com Thu Oct 19 19:27:42 2006
From: techsafe.sec at gmail.com (TechSafe Seguranca)
Date: Thu Oct 19 20:05:58 2006
Subject: Check-List
Message-ID: <50c841770610191027p688d5e59r699e30b843083de6@mail.gmail.com>

Is there some check-list of vulnerabilities that must be prevented in a firewall?

Kind regards

-- 
______________________________
TechSafe
Your security under our protection

From jsullivan at opensourcedevel.com Thu Oct 19 19:52:12 2006
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu Oct 19 20:30:32 2006
Subject: Netbios over NAT
In-Reply-To: <4537B28D.4020708@plouf.fr.eu.org>
References: <1161272332.3212.12.camel@localhost> <4537B28D.4020708@plouf.fr.eu.org>
Message-ID: <1161280332.3212.28.camel@localhost>

On Thu, 2006-10-19 at 19:14 +0200, Pascal Hambourg wrote:
> Hello,
>
> John A. Sullivan III wrote:
> >
> > As far as I know, most NetBIOS functionality works across NAT except for
> > browsing (and perhaps name registration).
>
> Isn't it because these functionalities use IP broadcasts?
>
No, they can be configured to use unicast packets and a WINS. However, even with unicast packets and WINS, it breaks when NAT is applied - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net

From 1100100 at gmail.com Thu Oct 19 20:25:02 2006
From: 1100100 at gmail.com (Mike)
Date: Thu Oct 19 21:04:31 2006
Subject: NAT PREROUTING vs. filter FORWARD
Message-ID: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com>

I'm having difficulty with clients connecting to a game I'm hosting over the internet.
So I'm wondering if my PREROUTING rule is conflicting with my FORWARD rule.

If I have these prerouting rules:

$IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT --to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT --to-destination 192.168.170.6

Then I should not have to worry about these FORWARD rules interfering with the prerouted data getting to the server at 192.168.170.6 ---

$IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

Am I right or wrong?
If wrong, is the only way then to change the FORWARD rule to -j ACCEPT and leave out the ESTABLISHED,RELATED requirement?

Thanks for your time and assistance.

Mike

On 10/19/06, tarak@ossindia.com wrote:
> hello experts,
>
> i have a problem in iptables, i want to customize the firewall. through iptables i want to run a shell script which will keep a watch on each and every ip address in my organization, that how much amount of data is downloading and uploading from those ip addresses...... separately.. is this possible to do,,,, if so please tell me how to do...
>
> thanks in advance
>
> Regards,
> Tarak Ranjan
>
>

From 1100100 at gmail.com Thu Oct 19 20:27:36 2006
From: 1100100 at gmail.com (Mike)
Date: Thu Oct 19 21:05:55 2006
Subject: NAT PREROUTING vs. filter FORWARD
In-Reply-To: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com>
References: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com>
Message-ID: <8ca422820610191127y233a4bfdn289ce63fd18d391d@mail.gmail.com>

Sorry for the quoted text from another thread. Accidentally copied it and did not realize before I hit Send. :-(

From jasbir.k at gmail.com Fri Oct 20 07:32:14 2006
From: jasbir.k at gmail.com (Jasbir Khehra)
Date: Fri Oct 20 08:13:31 2006
Subject: NAT PREROUTING vs. filter FORWARD
In-Reply-To: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com>
References: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com>
Message-ID: <45385F5E.5070408@gmail.com>

Mike wrote:
> I'm having difficulty with clients connecting to a game I'm hosting
> over the internet.
> So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> rule.
>
>
> Then I should not have to worry about these FORWARD rules interfering
> with the prerouted data getting to the server at 192.168.170.6 ---
>
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> Am I right or wrong?
> If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> and leave out the ESTABLISHED,RELATED requirement?

You are just missing out on the rule to accept NEW state connections on your game ports:

$IPTABLES -t filter -A FORWARD -i ppp0 -m state --state NEW -p tcp -m multiport --dports 34297,34397,34447 -j ACCEPT

Same rule for udp connections.

>
> Thanks for your time and assistance.
>
> Mike

HTH,
Jasbir

From struggle at mail.nankai.edu.cn Thu Oct 19 09:29:39 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Fri Oct 20 10:09:19 2006
Subject: Need help !
Message-ID: <361329646.25736@mail.nankai.edu.cn>

Hi, everybody,

I have been on the list for a month. Every time I see your questions and answers, I just want to reproduce your environment and trouble, and then solve it. But your troubles almost always occur in very complicated environments, such as two routers with four LANs and a PPP interface, etc. How can I simulate such a condition? I have thought about doing it using VMWare, but I need many VMs, and my system can't afford such a load! Is there any software to achieve such a task?

Thank you!

From eray.aslan at caf.com.tr Fri Oct 20 10:59:25 2006
From: eray.aslan at caf.com.tr (Eray Aslan)
Date: Fri Oct 20 11:37:47 2006
Subject: [rfc][update]iptables-tutorial 1.2.2
In-Reply-To: <1161274820.22792.91.camel@LAPTOP4.MSHOME>
References: <1161274820.22792.91.camel@LAPTOP4.MSHOME>
Message-ID: <1682.10.0.0.24.1161334765.squirrel@mail.caf.com.tr>

On Thu, October 19, 2006 7:20 pm, Oskar Andreasson wrote:
> Hi All,
>
> Thought I'd make a small update on the iptables-tutorial since it's now
> been longer than I originally anticipated for this release. I'm still
> waiting for the first copy of the book to arrive, hence the delay.
>
> I still have a few things to add to get up to 2.6.18 standards, but I
> got (hopefully) 1-2 weeks before my personal deadline for the project.
>
> Would anyone care to give any suggestions on things that are either more
> important than the ones in the listed TODO, or that you believe should
> be included?

[snip]

Some mention and appropriate links/addresses for l7-filter and p2p addons would be nice.

-- 
Eray

From 1100100 at gmail.com Fri Oct 20 15:36:13 2006
From: 1100100 at gmail.com (Mike)
Date: Fri Oct 20 16:14:34 2006
Subject: NAT PREROUTING vs. filter FORWARD
In-Reply-To: <45385F5E.5070408@gmail.com>
References: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com> <45385F5E.5070408@gmail.com>
Message-ID: <8ca422820610200636h1e5d9d18m9db6155896ce6141@mail.gmail.com>

Thank you Jasbir!
I forgot about the NEW option. I will try later today and see if it makes success.
I appreciate your help.

Mike

On 10/20/06, Jasbir Khehra wrote:
> Mike wrote:
>
> > I'm having difficulty with clients connecting to a game I'm hosting
> > over the internet.
> > So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> > rule.
> >
> >
> > Then I should not have to worry about these FORWARD rules interfering
> > with the prerouted data getting to the server at 192.168.170.6 ---
> >
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> >
> > Am I right or wrong?
> > If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> > and leave out the ESTABLISHED,RELATED requirement?
>
> You just missing out on the rule to accept NEW state connections on your
> game ports
> $IPTABLES -t filter -A FORWARD -i ppp0 -m state --state NEW -p tcp -m
> multiport --dports 34297,34397,34447 -j ACCEPT
> Same rule for udp connections.
>
> >
> > Thanks for your time and assistance.
> >
> > Mike
>
> HTH,
> Jasbir
>

From m at rtij.nl Fri Oct 20 17:14:21 2006
From: m at rtij.nl (Martijn Lievaart)
Date: Fri Oct 20 17:52:46 2006
Subject: NAT PREROUTING vs. filter FORWARD
In-Reply-To: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com>
References: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com>
Message-ID: <50997.2001:888:19e1::53.1161357261.squirrel@dexter>

> I'm having difficulty with clients connecting to a game I'm hosting
> over the internet.
> So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> rule.
>
> If I have these prerouting rules:
>
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
>
> Then I should not have to worry about these FORWARD rules interfering
> with the prerouted data getting to the server at 192.168.170.6 ---
>
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> Am I right or wrong?
> If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> and leave out the ESTABLISHED,RELATED requirement?

You have to ACCEPT these packets in your forward chain. What I generally do (but I generate this with a script) is to duplicate the rules in PREROUTING, once with -j MARK and once with -j DNAT. In FORWARD I then use --mark to accept those DNATted connections all in one rule.

HTH,
M4

From m at rtij.nl Fri Oct 20 17:20:58 2006
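Added example, not code from this thread: a POSIX sh script that generates, in iptables-restore syntax, the two fixes proposed above, Jasbir's "accept NEW on the game ports in FORWARD" and Martijn's "duplicate the PREROUTING rules once with MARK and once with DNAT, then match the mark in FORWARD". It assumes ppp0, 192.168.170.6 and the three ports from Mike's message; the mark value 0x10 is chosen here. The MARK rules go into the mangle table, the only table where that target is accepted, and the DNAT rules into nat.

```sh
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# forwards a list of ports to one internal host. A DNAT in PREROUTING does
# not make the packet ESTABLISHED; the first packet of each forwarded
# connection is NEW in FORWARD and must be accepted there explicitly.
#
# Assumed values (from Mike's message; the mark is picked for this example):
WAN_IF="ppp0"
GAME_HOST="192.168.170.6"
GAME_PORTS="34297 34397 34447"
FWD_MARK="0x10"

# Print one rule per (port, protocol) pair. kind=mark sets the fwmark
# (mangle table); kind=dnat rewrites the destination (nat table).
gen_port_rules() {
    kind="$1"
    for port in $GAME_PORTS; do
        for proto in tcp udp; do
            match="-A PREROUTING -i $WAN_IF -p $proto --dport $port"
            if [ "$kind" = "mark" ]; then
                printf '%s\n' "$match -j MARK --set-mark $FWD_MARK"
            else
                printf '%s\n' "$match -j DNAT --to-destination $GAME_HOST"
            fi
        done
    done
}

# Full iptables-restore input: replies are accepted first, then a single
# FORWARD rule accepts NEW connections that carry the forwarding mark and,
# after DNAT, are addressed to the game host.
gen_ruleset() {
    printf '%s\n' '*mangle' ':PREROUTING ACCEPT [0:0]'
    gen_port_rules mark
    printf '%s\n' 'COMMIT' '*nat' ':PREROUTING ACCEPT [0:0]'
    gen_port_rules dnat
    printf '%s\n' 'COMMIT' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN_IF -d $GAME_HOST -m mark --mark $FWD_MARK -m state --state NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Number of -A rules emitted: 6 MARK + 6 DNAT + 2 FORWARD = 14.
rule_count() {
    gen_ruleset | grep -c '^-A '
}

# Usage: gen_ruleset | iptables-restore
# This replaces the mangle, nat and filter tables, so merge the output
# with your own INPUT/OUTPUT/POSTROUTING rules before loading it.
```

Whichever of the two approaches you take, the point is the same: the FORWARD chain sees the already-DNATted packet with conntrack state NEW, so an ESTABLISHED,RELATED-only rule can never let the first packet through.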
From: m at rtij.nl (Martijn Lievaart)
Date: Fri Oct 20 17:59:22 2006
Subject: Managed proxy between private network
Message-ID: <51013.2001:888:19e1::53.1161357658.squirrel@dexter>

> Hi There,
>
> I am new and have some questions:
>
> We have a linux box (complete control) connected to multiple private
> networks with possibly overlapping IP addressing. Its role is to
> dynamically create and tear down individual port forwardings between
> them.
> Our basic idea was to create conntrack entries from the controlling
> application.
> Having imagined conntrack to be like Cisco Express Forwarding, I was
> surprised to find out the conntrack lists do not contain the incoming
> and outgoing interfaces, only IP addresses which are then routed via

Normally you don't care what interface the IP is on. Think loadbalancing, redundant path setups, etc. That is a feature!

> the normal path. Sadly, IP address based routing makes no sense
> between the independent private networks which are reusing the same
> IP addresses.

Ciscos can do stuff that netfilter cannot and vice versa. Conntrack and overlapping IP addresses are mutually incompatible. Netfilter assumes a somewhat sane network.

What you can do is use a linux box per interface and connect all those to a backbone. You can then map all overlapping subnets to some free subnet and get it all to work fairly easily. You can possibly even do this in different UMLs, so you need only one physical box.

HTH,
M4

From 1100100 at gmail.com Fri Oct 20 19:04:31 2006
From: 1100100 at gmail.com (Mike)
Date: Fri Oct 20 19:42:52 2006
Subject: NAT PREROUTING vs. filter FORWARD
In-Reply-To: <4429765974127559812@unknownmsgid>
References: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com> <4429765974127559812@unknownmsgid>
Message-ID: <8ca422820610201004w4fe2091bnbdb4fbba7a0b5b6@mail.gmail.com>

Martijn,
The script idea sounds quite clever and efficient!
I would be very interested to see your method by script, if it is not a security risk, etc.
Thank you very much for your response and idea.

Mike

On 10/20/06, Martijn Lievaart wrote:
>
> > I'm having difficulty with clients connecting to a game I'm hosting
> > over the internet.
> > So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> > rule.
> >
> > If I have these prerouting rules:
> >
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> >
> > Then I should not have to worry about these FORWARD rules interfering
> > with the prerouted data getting to the server at 192.168.170.6 ---
> >
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> >
> > Am I right or wrong?
> > If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> > and leave out the ESTABLISHED,RELATED requirement?
>
> You have to ACCEPT these packets in your forward chain. What I generally
> do (but I generate this with a script) is to duplicate the rules in
> PREROUTING, once with -j MARK and once with -j DNAT, In FORWARD I then use
> --mark to accept those DNATted connections all in one rule.
>
> HTH,
> M4
>
>

From public at thesofa.de Fri Oct 20 19:28:57 2006
From: public at thesofa.de (Alexander Hachmann)
Date: Fri Oct 20 20:07:45 2006
Subject: Problem With reading data through JNetFilter

Hello there,

I am trying to modify my firewall over Linux and am using JNetFilter with libiptc.so version 1.3.5. When I try to run a small program to simply print out the chains that exist, I receive the error below. I have no clue what this could mean. I can create chains without any problem, but when I run the following method, I receive this error. Even the test.sh that is included in JNetFilter does not work.

    package jnetfilter;          // the stack trace below names the class jnetfilter.Test

    import java.util.Iterator;

    public class Test {
        public static void main(String[] args) {
            try {
                Table table = new Table("filter");   // variable name must match the one used below
                Iterator it = table.iterator();
                Chain c;
                while (it.hasNext()) {
                    c = (Chain) it.next();
                    System.out.println(c.getName());
                }
            } catch (Exception e) {
                e.printStackTrace();   // report the failure rather than swallowing it silently
            }
        }
    }

Has anyone an idea what the problem is and how I can fix this?

Thanks,
Alexander

#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# SIGSEGV (0xb) at pc=0x45bf3a20, pid=2854, tid=16384
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0_08-b03 mixed mode, sharing)
# Problematic frame:
# C [libiptc.so+0x1a20]
#

--------------- T H R E A D ---------------

Current thread (0x0805bf38): JavaThread "main" [_thread_in_native, id=2854]

siginfo:si_signo=11, si_errno=0, si_code=1, si_addr=0x00b5042a

Registers:
EAX=0x00b5042a, EBX=0x45bf9ec8, ECX=0x00000000, EDX=0x080ca5a8
ESP=0xbfffd884, EBP=0xbfffd884, ESI=0x00b5042a, EDI=0x0805bf38
EIP=0x45bf3a20, CR2=0x00b5042a, EFLAGS=0x00010206

Top of Stack: (sp=0xbfffd884)
0xbfffd884: bfffd894 45bf3a6e 45bf15e0 69a0b600
0xbfffd894: bfffd8c4 45bef051 bfffd8b8 00000000
0xbfffd8a4: 00000000 45bef038 4397fe88 bfffd928
0xbfffd8b4: 69a0b600 080ca5a8 0805bf38 69a0b600
0xbfffd8c4: bfffd8f4 4397a4db 0805bff8 bfffd8fc
0xbfffd8d4: 080ca5a8 bfffd8d8 69a0b600 bfffd904
0xbfffd8e4: 69a0e8d0 00000000 69a0b600 bfffd904
0xbfffd8f4: bfffd928 43974a64 69a0d2e0 43978653

Instructions: (pc=0x45bf3a20)
0x45bf3a10: 89 81 78 00 00 00 5d c3 55 89 e5 89 c2 8b 40 0c
0x45bf3a20:
8b 08 8d 42 04 39 c1 74 05 89 4a 0c 5d c3 c7 42

Stack: [0xbfe01000,0xc0000000), sp=0xbfffd884, free space=2034k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [libiptc.so+0x1a20]
C [libiptc.so+0x1a6e] iptc_first_chain+0x37
C [libIPTables.so+0x2051] Java_jnetfilter_IPTableControl_firstChain+0x25
j jnetfilter.IPTableControl.firstChain(I)Ljava/lang/String;+0
j jnetfilter.ChainIterator.hasNext()Z+32
j jnetfilter.Test.main([Ljava/lang/String;)V+28
v ~StubRoutines::call_stub
V [libjvm.so+0x17a75c]
V [libjvm.so+0x28afd8]
V [libjvm.so+0x17a58f]
V [libjvm.so+0x1a4e32]
V [libjvm.so+0x196042]
C [java+0x1873]
C [libc.so.6+0x15e36] __libc_start_main+0xc6

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j jnetfilter.IPTableControl.firstChain(I)Ljava/lang/String;+0
j jnetfilter.ChainIterator.hasNext()Z+32
j jnetfilter.Test.main([Ljava/lang/String;)V+28
v ~StubRoutines::call_stub

--------------- P R O C E S S ---------------

Java Threads: ( => current thread )
0x080a6fc8 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=2861]
0x080a5a98 JavaThread "CompilerThread0" daemon [_thread_blocked, id=2860]
0x080a4bb0 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=2859]
0x0809dfa0 JavaThread "Finalizer" daemon [_thread_blocked, id=2858]
0x0809d308 JavaThread "Reference Handler" daemon [_thread_blocked, id=2857]
=>0x0805bf38 JavaThread "main" [_thread_in_native, id=2854]

Other Threads:
0x080987f8 VMThread [id=2856]
0x080a8470 WatcherThread [id=2862]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
def new generation total 576K, used 221K [0x65a00000, 0x65aa0000, 0x65ee0000)
eden space 512K, 43% used [0x65a00000, 0x65a37700, 0x65a80000)
from space 64K, 0% used [0x65a80000, 0x65a80000, 0x65a90000)
to space 64K, 0% used [0x65a90000, 0x65a90000, 0x65aa0000)
tenured generation total 1408K, used 0K [0x65ee0000, 0x66040000, 0x69a00000)
the space 1408K, 0% used [0x65ee0000,
0x65ee0000, 0x65ee0200, 0x66040000) compacting perm gen total 8192K, used 61K [0x69a00000, 0x6a200000, 0x6da00000) the space 8192K, 0% used [0x69a00000, 0x69a0f4b8, 0x69a0f600, 0x6a200000) ro space 8192K, 68% used [0x6da00000, 0x6df7eaf8, 0x6df7ec00, 0x6e200000) rw space 12288K, 48% used [0x6e200000, 0x6e7c9d78, 0x6e7c9e00, 0x6ee00000) Dynamic libraries: 08048000-08057000 r-xp 00000000 08:01 792612 /www/htdocs/jdk1.5.0_08/bin/java 08057000-08059000 rw-p 0000e000 08:01 792612 /www/htdocs/jdk1.5.0_08/bin/java 08059000-081a7000 rwxp 00000000 00:00 0 40000000-40016000 r-xp 00000000 08:01 711067 /lib/ld-2.3.2.so 40016000-40017000 rw-p 00015000 08:01 711067 /lib/ld-2.3.2.so 40017000-40018000 rw-p 00000000 00:00 0 40018000-40019000 r--p 00000000 00:00 0 40019000-4001a000 rw-p 00000000 00:00 0 4001a000-4001c000 r--s 00000000 08:01 775791 /www/htdocs/jdk1.5.0_08/jre/lib/ext/dnsns.jar 4001c000-40029000 r-xp 00000000 08:01 711087 /lib/libpthread-0.10.so 40029000-4002b000 rw-p 0000c000 08:01 711087 /lib/libpthread-0.10.so 4002b000-4006d000 rw-p 00000000 00:00 0 4006d000-4006f000 r-xp 00000000 08:01 711076 /lib/libdl-2.3.2.so 4006f000-40070000 rw-p 00002000 08:01 711076 /lib/libdl-2.3.2.so 40070000-40071000 rw-p 00000000 00:00 0 40071000-40199000 r-xp 00000000 08:01 711074 /lib/libc-2.3.2.so 40199000-401a1000 rw-p 00127000 08:01 711074 /lib/libc-2.3.2.so 401a1000-401a4000 rw-p 00000000 00:00 0 401a4000-40510000 r-xp 00000000 08:01 744175 /www/htdocs/jdk1.5.0_08/jre/lib/i386/client/libjvm.so 40510000-4052f000 rw-p 0036b000 08:01 744175 /www/htdocs/jdk1.5.0_08/jre/lib/i386/client/libjvm.so 4052f000-40945000 rw-p 00000000 00:00 0 40945000-40966000 r-xp 00000000 08:01 711077 /lib/libm-2.3.2.so 40966000-40967000 rw-p 00020000 08:01 711077 /lib/libm-2.3.2.so 40967000-4096d000 r-xp 00000000 08:01 744169 /www/htdocs/jdk1.5.0_08/jre/lib/i386/native_threads/libhpi.so 4096d000-4096e000 rw-p 00006000 08:01 744169 /www/htdocs/jdk1.5.0_08/jre/lib/i386/native_threads/libhpi.so 
40972000-40984000 r-xp 00000000 08:01 711079 /lib/libnsl-2.3.2.so 40984000-40985000 rw-p 00011000 08:01 711079 /lib/libnsl-2.3.2.so 40985000-40987000 rw-p 00000000 00:00 0 40987000-4098e000 r-xp 00000000 08:01 711080 /lib/libnss_compat-2.3.2.so 4098e000-4098f000 rw-p 00006000 08:01 711080 /lib/libnss_compat-2.3.2.so 4098f000-40997000 r-xp 00000000 08:01 711084 /lib/libnss_nis-2.3.2.so 40997000-40998000 rw-p 00007000 08:01 711084 /lib/libnss_nis-2.3.2.so 40998000-409a0000 r-xp 00000000 08:01 711082 /lib/libnss_files-2.3.2.so 409a0000-409a1000 rw-p 00008000 08:01 711082 /lib/libnss_files-2.3.2.so 409a1000-409a9000 rw-s 00000000 08:01 113909 /tmp/hsperfdata_root/2854 409a9000-409b4000 r-xp 00000000 08:01 744181 /www/htdocs/jdk1.5.0_08/jre/lib/i386/libverify.so 409b4000-409b5000 rw-p 0000b000 08:01 744181 /www/htdocs/jdk1.5.0_08/jre/lib/i386/libverify.so 409b5000-409d6000 r-xp 00000000 08:01 744182 /www/htdocs/jdk1.5.0_08/jre/lib/i386/libjava.so 409d6000-409d8000 rw-p 00020000 08:01 744182 /www/htdocs/jdk1.5.0_08/jre/lib/i386/libjava.so 409d8000-409e7000 r-xp 00000000 08:01 744184 /www/htdocs/jdk1.5.0_08/jre/lib/i386/libzip.so 409e7000-409e9000 rw-p 0000e000 08:01 744184 /www/htdocs/jdk1.5.0_08/jre/lib/i386/libzip.so 409e9000-42fff000 r--s 00000000 08:01 744286 /www/htdocs/jdk1.5.0_08/jre/lib/rt.jar 42fff000-43068000 rw-p 00000000 00:00 0 43068000-430ed000 r--s 00000000 08:01 744267 /www/htdocs/jdk1.5.0_08/jre/lib/jsse.jar 430ed000-43102000 r--s 00000000 08:01 744220 /www/htdocs/jdk1.5.0_08/jre/lib/jce.jar 43102000-43972000 r--s 00000000 08:01 744270 /www/htdocs/jdk1.5.0_08/jre/lib/charsets.jar 43972000-45a88000 rwxp 00028000 00:00 0 45a88000-45ad7000 r--p 00000000 08:01 339571 /usr/lib/locale/locale-archive 45ad7000-45afe000 r--s 00000000 08:01 775768 /www/htdocs/jdk1.5.0_08/jre/lib/ext/sunjce_provider.jar 45afe000-45b29000 r--s 00000000 08:01 775790 /www/htdocs/jdk1.5.0_08/jre/lib/ext/sunpkcs11.jar 45b29000-45bed000 r--s 00000000 08:01 776457 
/www/htdocs/jdk1.5.0_08/jre/lib/ext/localedata.jar 45bed000-45bf1000 r-xp 00000000 08:01 130082 /root/JavaTest/JNetFilter/c/lib/libIPTables.so 45bf1000-45bf2000 rw-p 00003000 08:01 130082 /root/JavaTest/JNetFilter/c/lib/libIPTables.so 45bf2000-45bf9000 r-xp 00000000 08:01 712041 /lib/libiptc.so.0.0 45bf9000-45bfa000 rw-p 00006000 08:01 712041 /lib/libiptc.so.0.0 65a00000-6da00000 rwxp 22156000 00:00 0 6da00000-6df7f000 r--s 00001000 08:01 744269 /www/htdocs/jdk1.5.0_08/jre/lib/i386/client/classes.jsa 6df7f000-6e200000 rwxp 2a6d5000 00:00 0 6e200000-6e7ca000 rw-p 00580000 08:01 744269 /www/htdocs/jdk1.5.0_08/jre/lib/i386/client/classes.jsa 6e7ca000-6ee00000 rwxp 2af20000 00:00 0 6ee00000-6eed0000 rw-p 00b4a000 08:01 744269 /www/htdocs/jdk1.5.0_08/jre/lib/i386/client/classes.jsa 6eed0000-6f200000 rwxp 2b626000 00:00 0 6f200000-6f204000 r-xs 00c1a000 08:01 744269 /www/htdocs/jdk1.5.0_08/jre/lib/i386/client/classes.jsa 6f204000-6f600000 rwxp 2b95a000 00:00 0 bea00000-bea01000 ---p 00000000 00:00 0 bea01000-bec00000 rwxp 00001000 00:00 0 bec01000-bec04000 ---p 00003000 00:00 0 bec04000-bee00000 rwxp 00006000 00:00 0 bee00000-bee04000 ---p 00000000 00:00 0 bee04000-bf000000 rwxp 00004000 00:00 0 bf001000-bf004000 ---p 00003000 00:00 0 bf004000-bf200000 rwxp 00006000 00:00 0 bf201000-bf204000 ---p 00003000 00:00 0 bf204000-bf400000 rwxp 00006000 00:00 0 bf401000-bf404000 ---p 00003000 00:00 0 bf404000-bf600000 rwxp 00006000 00:00 0 bf600000-bf601000 ---p 00000000 00:00 0 bf601000-bf800000 rwxp 00001000 00:00 0 bfe01000-bfe04000 ---p 00000000 00:00 0 bfe04000-c0000000 rwxp ffe05000 00:00 0 VM Arguments: java_command: jnetfilter.Test Launcher Type: SUN_STANDARD Environment Variables: JAVA_HOME=/www/htdocs/jdk1.5.0_08/ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X 11 LD_LIBRARY_PATH=/www/htdocs/jdk1.5.0_08/jre/lib/i386/client:/www/htdocs/jdk1 .5.0_08/jre/lib/i386:/www/htdocs/jdk1.5.0_08/jre/../lib/i386:../../c/lib:/us r/local/lib: 
SHELL=/bin/bash

Signal Handlers:
SIGSEGV: [libjvm.so+0x325bd0], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004
SIGBUS: [libjvm.so+0x325bd0], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004
SIGFPE: [libjvm.so+0x28a010], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004
SIGPIPE: [libjvm.so+0x28a010], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004
SIGILL: [libjvm.so+0x28a010], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004
SIGUSR1: SIG_DFL, sa_mask[0]=0x00000000, sa_flags=0x00000000
SIGUSR2: [libjvm.so+0x28c460], sa_mask[0]=0x80000000, sa_flags=0x14000004
SIGHUP: [libjvm.so+0x28be90], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004
SIGINT: [libjvm.so+0x28be90], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004
SIGQUIT: [libjvm.so+0x28be90], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004
SIGTERM: [libjvm.so+0x28be90], sa_mask[0]=0xfffbfeff, sa_flags=0x14000004

--------------- S Y S T E M ---------------

OS:3.1
uname:Linux 2.4.27-2-386 #1 Wed Aug 17 09:33:35 UTC 2005 i686
libc:glibc 2.3.2 linuxthreads-0.10 (fixed stack)
rlimit: STACK 2044k, CORE 0k, NPROC infinity, NOFILE 1024, AS infinity
load average:0.01 0.02 0.00

CPU:total 1 (cores per cpu 2, threads per core 1) family 15 model 72 stepping 2, cmov, cx8, fxsr, mmx, sse, sse2, sse3, mmxext, 3dnowext, 3dnow

Memory: 4k page, physical 200316k(13088k free), swap 377488k(377488k free)

vm_info: Java HotSpot(TM) Client VM (1.5.0_08-b03) for linux-x86, built on Jun 28 2006 01:40:21 by java_re with gcc 3.2.1-7a (J2SE release)

From wingback06 at yahoo.com Sat Oct 21 08:06:51 2006
From: wingback06 at yahoo.com (Adhi Laksono)
Date: Sat Oct 21 08:45:15 2006
Subject: Why is my 443 port blocked
Message-ID: <20061021060651.60312.qmail@web31001.mail.mud.yahoo.com>

Hello everyone,

I made a script for my firewall, one of the rules is

$IPTABLES -A LAN-Internet -p tcp -s $NET_LSN -d 0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A LAN-Internet -p tcp -s 0/0 --sport 443 -d $NET_LAN -m state --state ESTABLISHED -j ACCEPT

with my default policy DROP..

I can open http://www.yahoo.com, but how come I can't open mail.yahoo.com???

In my log list, it says that the packet for port 443 is blocked, and sometimes port 80 is blocked too??? What's wrong with my firewall??? Why isn't it stable...

From rob at sterenborg.info Sat Oct 21 08:27:31 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Sat Oct 21 09:06:07 2006
Subject: Why is my 443 port blocked
In-Reply-To: <20061021060651.60312.qmail@web31001.mail.mud.yahoo.com>
Message-ID: <000f01c6f4d9$fd188140$0101000a@tanjian>

> I made a script for my firewall, one of the rules is
>
> $IPTABLES -A LAN-Internet -p tcp -s $NET_LSN -d 0/0
> --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> $IPTABLES -A LAN-Internet -p tcp -s 0/0 --sport 443 -d
> $NET_LAN -m state --state ESTABLISHED -j ACCEPT
>
> with my default policy DROP..
>
> I can open http://www.yahoo.com, but how come I can't
> open the mail.yahoo.com???
>
> In my log list, it says that the packet for port 443
> is blocked, and sometimes port 80 is blocked to???
> what's wrong with my firewall??? why isn't it
> stable...

Try this:

$ipt -A LAN-Internet -m state --state RELATED,ESTABLISHED \
  -j ACCEPT
$ipt -A LAN-Internet -m state --state NEW -s $NET_LAN \
  -m multiport -p tcp --dports 80,443 -j ACCEPT

Why not have the RELATED,ESTABLISHED rule in your FORWARD chain? This rule will match most traffic so you want it to be one of the first rules to be checked.

Gr,
Rob

From m at rtij.nl Sat Oct 21 08:46:31 2006
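Added example, not from this thread: a POSIX sh/awk check for the ordering Rob describes, run over two constructed iptables-save excerpts. The first is shaped like the original pair of per-port rules (no generic RELATED,ESTABLISHED accept at all), the second like Rob's suggestion (generic state rule first, one NEW rule for the allowed ports). The chain name LAN-Internet and the 192.168.1.0/24 network are assumed values for the sample data. It reads an iptables-save dump on stdin, so it can be pointed at a live box with "iptables-save | check_chain LAN-Internet".

```sh
#!/bin/sh
# Added example (not from the thread): verify that a chain accepts
# RELATED,ESTABLISHED traffic with one generic rule that precedes any
# rule admitting NEW connections. Sample dumps are constructed here.

# Before: two per-port rules, no generic state rule at all.
RULES_BEFORE='*filter
:FORWARD DROP [0:0]
:LAN-Internet - [0:0]
-A FORWARD -s 192.168.1.0/24 -j LAN-Internet
-A LAN-Internet -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A LAN-Internet -d 192.168.1.0/24 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
COMMIT'

# After: generic state rule first, then one NEW rule for the allowed ports.
RULES_AFTER='*filter
:FORWARD DROP [0:0]
:LAN-Internet - [0:0]
-A FORWARD -s 192.168.1.0/24 -j LAN-Internet
-A LAN-Internet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN-Internet -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
COMMIT'

# Reads a dump on stdin and prints "<rules> <generic> <first_new>" for chain $1:
#   rules     - number of -A rules in the chain
#   generic   - 1-based position of the first protocol/port-agnostic
#               RELATED,ESTABLISHED accept rule, or 0 if there is none
#   first_new - 1-based position of the first rule matching state NEW, or 0
chain_state_summary() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if (!generic && $0 ~ /--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT/ &&
                $0 !~ /-p |--dport|--sport/)
                generic = n
            if (!first_new && $0 ~ /--state [A-Z,]*NEW/)
                first_new = n
        }
        END { printf "%d %d %d\n", n, generic + 0, first_new + 0 }'
}

# Verdict for chain $1: prints "ok" and returns 0 when the generic rule
# exists and comes before every NEW rule; otherwise prints the reason
# and returns 1.
check_chain() {
    summary=$(chain_state_summary "$1")
    set -- $summary
    if [ "$2" -eq 0 ]; then
        echo "no generic RELATED,ESTABLISHED rule in chain"
        return 1
    elif [ "$3" -ne 0 ] && [ "$3" -lt "$2" ]; then
        echo "NEW rule at position $3 precedes generic state rule at $2"
        return 1
    fi
    echo ok
}

# Usage: printf '%s\n' "$RULES_AFTER" | check_chain LAN-Internet
```

A chain whose only ESTABLISHED rules are tied to particular ports is what produces the sporadic blocking described above: every flow on a port without its own pair of rules falls through to the DROP policy, and the return half of a flow whose reply arrives before conntrack has classified it gets logged as blocked.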
From: m at rtij.nl (Martijn Lievaart)
Date: Sat Oct 21 09:25:13 2006
Subject: NAT PREROUTING vs. filter FORWARD
In-Reply-To: <8ca422820610201004w4fe2091bnbdb4fbba7a0b5b6@mail.gmail.com>
References: <8ca422820610191125k16f58f03t3ce33bd4e1d22c28@mail.gmail.com> <4429765974127559812@unknownmsgid> <8ca422820610201004w4fe2091bnbdb4fbba7a0b5b6@mail.gmail.com>
Message-ID: <4539C247.9020803@rtij.nl>

Mike wrote:
> Martijn,
> The script idea sounds quite clever and efficient!
> I would be very interested to see your method by script, if it is not
> a security risk, etc.
> Thank you very much for your response and idea.

It is pretty efficient. I write my firewall rules in perl. The loader executes this script and pipes the output into iptables-restore. It is not in a stage that I want to release it to the world yet, however.

M4

From struggle at mail.nankai.edu.cn Fri Oct 20 09:10:46 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Sat Oct 21 09:50:44 2006
Subject: Some simulator ?
Message-ID: <361414896.21252@mail.nankai.edu.cn>

Hi,
Everybody, I am on the list for a month. Every time I saw your questions and answers, I just wanted to reproduce your environment and trouble, and then solve it. But your troubles almost always occur in a very complicated environment such as two routers with four LANs and a PPP interface, etc.

How can I simulate such a condition? Is there any software to achieve such a task?

Thank you!

From wingback06 at yahoo.com Sat Oct 21 09:58:55 2006
From: wingback06 at yahoo.com (Adhi Laksono)
Date: Sat Oct 21 10:37:19 2006
Subject: Why is my 443 port blocked
In-Reply-To: <000f01c6f4d9$fd188140$0101000a@tanjian>
Message-ID: <20061021075856.75119.qmail@web31012.mail.mud.yahoo.com>

OK, thank you very much for the help... I will try it...

Can I write the rules like this too:

$IPTABLES -A LAN-Internet -p tcp -s $NET_LSN -d 0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A LAN-Internet -p tcp -s 0/0 --sport 443 -d $NET_LAN -m state --state RELATED,ESTABLISHED -j ACCEPT

It's the same, right??? Or is it different???

Oh yeah... I have a task in my campus to make a firewall with a default policy ACCEPT, but I still don't know which ports to block... Can you help me with this, or is there any reference that I can read... My block script is this:

dropport="137:138 5050"

#this is my rule
for ports in $dropport;do
$IPTABLES -A LAN-Internet -p tcp -s 0/0 -d $NET_LAN --dport $ports -j DROPLOG
$IPTABLES -A LAN-Internet -p udp -s 0/0 -d $NET_LAN --dport $ports -j DROPLOG
done;

DROPLOG is my LOG chain with DROP policy... Is this script safe??? Well, it's easy to block ports though; I can just add the ports I like to block in the "dropport" variable...

Regards,
Adhi

--- Rob Sterenborg wrote:
> > I made a script for my firewall, one of the rules is
> >
> > $IPTABLES -A LAN-Internet -p tcp -s $NET_LSN -d 0/0
> > --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> > $IPTABLES -A LAN-Internet -p tcp -s 0/0 --sport 443 -d
> > $NET_LAN -m state --state ESTABLISHED -j ACCEPT
> >
> > with my default policy DROP..
> >
> > I can open http://www.yahoo.com, but how come I can't
> > open the mail.yahoo.com???
> >
> > In my log list, it says that the packet for port 443
> > is blocked, and sometimes port 80 is blocked too???
> > what's wrong with my firewall??? why isn't it
> > stable...
>
> Try this:
>
> $ipt -A LAN-Internet -m state --state RELATED,ESTABLISHED \
>   -j ACCEPT
> $ipt -A LAN-Internet -m state --state NEW -s $NET_LAN \
>   -m multiport -p tcp --dports 80,443 -j ACCEPT
>
> Why not have the RELATED,ESTABLISHED rule in your FORWARD chain? This
> rule will match most traffic so you want it to be one of the first rules
> to be checked.
>
> Gr,
> Rob

From rob at sterenborg.info Sat Oct 21 10:16:58 2006
From: rob at sterenborg.info (Rob Sterenborg)
Date: Sat Oct 21 10:55:37 2006
Subject: Why is my 443 port blocked
In-Reply-To: <20061021074630.14729.qmail@web31005.mail.mud.yahoo.com>
Message-ID: <001301c6f4e9$47280440$0101000a@tanjian>

Adhi Laksono wrote:
> OK, thank you very much for the help... I will try
> it...
>
> Can I write the rules like this too :
>
> $IPTABLES -A LAN-Internet -p tcp -s $NET_LSN -d 0/0
> --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A LAN-Internet -p tcp -s 0/0 --sport 443 -d
> $NET_LAN -m state --state RELATED,ESTABLISHED -j
> ACCEPT
>
> It's the same right??? or it's different???

[quote from previous post:]
>> $ipt -A LAN-Internet -m state --state RELATED,ESTABLISHED \
>>   -j ACCEPT
>> $ipt -A LAN-Internet -m state --state NEW -s $NET_LAN \
>>   -m multiport -p tcp --dports 80,443 -j ACCEPT

As you can see: no, the rules are not the same and do not act the same (well, they might, but they might not). You only need to match packets in state NEW (optionally you can also use --syn when matching tcp packets). After that, packets in a connection that is validated by such a rule are either ESTABLISHED or RELATED.

There's no need to specify -d 0/0. If you omit it, it is assumed.

What is the reason you're using a user defined chain "LAN-Internet"? It doesn't sound like your ruleset is that complex. Also, you don't show the rest of your ruleset. It may be irrelevant, but rules in it could also be preventing the rules you show from working.

> Oh yeah... I have a task in my campus to make a
> firewall with a default policy ACCEPT, but I still
> don't know which port to block... can you help me with
> this,

I'm sorry but I can't because you don't specify what has to be firewalled.

> or is there any reference that I can read...
> my block script is this :
>
> dropport="137:138 5050"
>
> #this is my rule
> for ports in $dropport;do
> $IPTABLES -A LAN-Internet -p tcp -s 0/0 -d $NET_LAN
> --dport $ports -j DROPLOG
> $IPTABLES -A LAN-Internet -p udp -s 0/0 -d $NET_LAN
> --dport $ports -j DROPLOG
> done;

Here you don't specify a state where in previous rules you do. Perhaps you want to be consistent in this throughout the script, but that's your call..

There's no need to specify -s 0/0; you don't specify -d 0/0 either (so it is assumed). Personally I think it just clutters the line to be executed with useless information.

> DROPLOG is my LOG chain with DROP policy... Is this
> script safe??? well, it's easy to block port though, I
> can just add the ports I like to block in the
> "dropport" variable...

I don't consider it safe: you only block the specified tcp and udp ports. All other traffic is allowed and IMHO a firewall should block everything that I don't specifically allow. But again: I don't know what it is you need to achieve.

If you have to make a firewall with policy set to ACCEPT, why not make the **last** rule in a chain a DROP rule:

$ipt -P -j ACCEPT
$ipt ...
$ipt -A -j DROP

Here you have an ACCEPT policy but the ruleset will act the same way when doing this:

$ipt -P -j DROP
$ipt ...

Gr,
Rob

> --- Rob Sterenborg wrote:
>
>>> I made a script for my firewall, one of the rules is
>>>
>>> $IPTABLES -A LAN-Internet -p tcp -s $NET_LSN -d 0/0
>>> --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
>>>
>>> $IPTABLES -A LAN-Internet -p tcp -s 0/0 --sport 443 -d
>>> $NET_LAN -m state --state ESTABLISHED -j ACCEPT
>>>
>>> with my default policy DROP..
>>>
>>> I can open http://www.yahoo.com, but how come I can't open the
>>> mail.yahoo.com???
>>>
>>> In my log list, it says that the packet for port 443
>>> is blocked, and sometimes port 80 is blocked too???
>>> what's wrong with my firewall??? why isn't it
>>> stable...
>>
>> Try this:
>>
>> $ipt -A LAN-Internet -m state --state RELATED,ESTABLISHED \
>>   -j ACCEPT
>> $ipt -A LAN-Internet -m state --state NEW -s $NET_LAN \
>>   -m multiport -p tcp --dports 80,443 -j ACCEPT
>>
>> Why not have the RELATED,ESTABLISHED rule in your FORWARD chain? This
>> rule will match most traffic so you want it to be one of the first rules
>> to be checked.
>>
>> Gr,
>> Rob

From jasbir.k at gmail.com Sat Oct 21 12:58:54 2006
From: jasbir.k at gmail.com (Jasbir Khehra)
Date: Sat Oct 21 13:40:45 2006
Subject: Need help !
In-Reply-To: <361329646.25736@mail.nankai.edu.cn>
References: <361329646.25736@mail.nankai.edu.cn>
Message-ID: <4539FD6E.2050709@gmail.com>

Bo Yang wrote:
> Hi,
> Everybody, I am on the list for a month. Every time I saw your questions and
> answers, I just wanted to reproduce your environment and trouble, and then
> solve it. But your troubles almost always occur in a very complicated
> environment such as two routers with four LANs and a PPP interface, etc.
>
> How can I simulate such a condition?
> I have thought about doing it using VMWare, but I need many VMs, and my
> system can't afford such a load!
> Is there any software to achieve such a task?
>
> Thank you!

netkit >> netkit.org

HTH
-Jasbir

From struggle at mail.nankai.edu.cn Fri Oct 20 13:11:04 2006
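The two points Rob makes in the "Why is my 443 port blocked" thread above, as an added shell example (this is not code from the thread or from any poster): the RELATED,ESTABLISHED rule goes first and the port rule matches only NEW, and a FORWARD policy of ACCEPT closed by a final DROP behaves like a policy of DROP. The script emits the LAN-Internet ruleset in iptables-restore format so it can be read and syntax-checked before it is loaded, and carries the two checks a practitioner wants before loading: that the ESTABLISHED rule precedes every NEW rule, and that nothing can fall out of the chain into an ACCEPT policy. The interface names eth0/eth1, the prefix 192.168.1.0/24 and the chain layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Emit the stateful LAN-Internet
# ruleset as iptables-restore input so it can be reviewed before loading,
# and check the two properties Rob asks for. Interface names, the LAN
# prefix and the chain layout are assumptions for illustration.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
NET_LAN="${NET_LAN:-192.168.1.0/24}"

# rule WORDS...: print one iptables-restore line.
rule() { printf '%s\n' "$*"; }

# gen_ruleset POLICY (DROP or ACCEPT): print the complete *filter table.
# With policy ACCEPT the user chain is closed by a LOG + DROP pair, which
# behaves exactly like policy DROP but also logs what fell through.
gen_ruleset() {
    policy="$1"
    case "$policy" in
        DROP|ACCEPT) ;;
        *) printf 'gen_ruleset: policy must be DROP or ACCEPT, got "%s"\n' "$policy" >&2; return 1 ;;
    esac
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ":FORWARD $policy [0:0]"
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':LAN-Internet - [0:0]'
    # Both directions between LAN and Internet go through the user chain.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j LAN-Internet
    rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j LAN-Internet
    # First: everything conntrack already knows. It matches the bulk of the
    # packets and needs no port, protocol or direction, so the separate
    # "--sport 443 ... ESTABLISHED" reply rule from the original script goes.
    rule -A LAN-Internet -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Only the first packet of a connection is checked against the port list,
    # and only from the LAN side. -s alone can be spoofed from the outside,
    # so it is paired with the inbound interface. (-m state is what the thread
    # uses; newer iptables spells it -m conntrack --ctstate.)
    rule -A LAN-Internet -i "$LAN_IF" -s "$NET_LAN" -p tcp -m state --state NEW \
         -m multiport --dports 80,443 -j ACCEPT
    if [ "$policy" = ACCEPT ]; then
        rule -A LAN-Internet -j LOG --log-prefix '"LAN-Internet DROP "'
        rule -A LAN-Internet -j DROP
    fi
    rule COMMIT
}

# established_first RULESET: succeed if, within LAN-Internet, the
# RELATED,ESTABLISHED rule comes before every NEW rule.
established_first() {
    printf '%s\n' "$1" | awk '
        /^-A LAN-Internet/ {
            n++
            if (!est && /RELATED,ESTABLISHED/) est = n
            if (!new && /--state NEW/) new = n
        }
        END { exit !(est && (!new || est < new)) }'
}

# chain_closed RULESET: succeed if nothing can fall out of LAN-Internet into
# an ACCEPT policy: either FORWARD's policy is DROP or the chain ends in DROP.
chain_closed() {
    printf '%s\n' "$1" | awk '
        /^:FORWARD DROP/ { pol_drop = 1 }
        /^-A LAN-Internet/ { last = $0 }
        END { exit !(pol_drop || last ~ /-j DROP$/) }'
}

# load_ruleset RULESET: parse-only check first (still needs root), then load
# the whole table atomically.
load_ruleset() {
    printf '%s\n' "$1" | iptables-restore --test &&
    printf '%s\n' "$1" | iptables-restore
}

# Usage: sh lan-internet.sh --print ACCEPT | less
if [ "${1:-}" = --print ]; then
    gen_ruleset "${2:-DROP}"
fi
```

`iptables-restore --test` only parses and builds the ruleset without committing it, which is the cheapest way to catch a typo before it replaces the live table. One thing the original rules missed is that matching `-s $NET_LAN` alone is not enough on a forwarding box: a packet arriving on the WAN side carrying a LAN source address would match it too, which is why the NEW rule here also requires `-i eth1`.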
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Sat Oct 21 13:50:29 2006
Subject: Need help !
In-Reply-To: <361428794.18279@mail.nankai.edu.cn>
References: <361329646.25736@mail.nankai.edu.cn> <361428794.18279@mail.nankai.edu.cn>
Message-ID: <361429304.03341@mail.nankai.edu.cn>

Jasbir Khehra :
Thank you! I am downloading it now! And I have taken a look at the introduction; good tools. But I also want to know, does netkit have the ability to let my VMWare machine be a node in the virtual network? I have read the introduction and found it may not!

From linux at shadypond.com Sun Oct 22 03:05:15 2006
From: linux at shadypond.com (Pollywog)
Date: Sun Oct 22 03:43:44 2006
Subject: installing ipsets
Message-ID: <200610220105.15805.linux@shadypond.com>

I am running Debian Sarge and I have just installed iptables following the instructions at http://ipset.netfilter.org/ This documentation does not say whether I need to remove the iptables package provided by Debian, but I would guess this is necessary. It appears the iptables version I downloaded from the ipsets homepage is a newer version of iptables than what is present in Debian Sarge but if I remove the Debian iptables package, I will need to put a dummy package in its place so as not to cause shorewall to be removed.

Does the old package need to be removed?

thanks

From m at rtij.nl Sun Oct 22 12:45:42 2006
From: m at rtij.nl (Martijn Lievaart) Date: Sun Oct 22 13:24:38 2006 Subject: installing ipsets In-Reply-To: <200610220105.15805.linux@shadypond.com> References: <200610220105.15805.linux@shadypond.com> Message-ID: <453B4BD6.8080003@rtij.nl> Pollywog wrote: >I am running Debian Sarge and I have just installed iptables following the >instructions at http://ipset.netfilter.org/ This documentation does not say >whether I need to remove the iptables package provided by Debian, but I would >guess this is necessary. It appears the iptables version I downloaded from >the ipsets homepage is a newer version of iptables than what is present in >Debian Sarge but if I remove the Debian iptables package, I will need to put >a dummy package in its place so as not to cause shorewall to be removed. > >Does the old package need to be removed? > > You can install the new package next to the old one (f.i. in /usr/local) but I would look at packaging the new version. As you have the old package, this should be relatively trivial. M4 From lists at netdigix.com Sun Oct 22 20:49:14 2006 
From: lists at netdigix.com (Nathan)
Date: Sun Oct 22 21:25:32 2006
Subject: Need help !
In-Reply-To: <4539FD6E.2050709@gmail.com>
References: <361329646.25736@mail.nankai.edu.cn> <4539FD6E.2050709@gmail.com>
Message-ID: <1161542954.453bbd2a1b3f6@mail.dreamtoy.net>

Try Xen or V-Server

Quoting Jasbir Khehra :
> Bo Yang wrote:
> > Hi,
> > Everybody, I am on the list for a month. Every time I saw your questions
> > and answers, I just wanted to reproduce your environment and trouble, and
> > then solve it. But your troubles almost always occur in a very complicated
> > environment such as two routers with four LANs and a PPP interface, etc.
> >
> > How can I simulate such a condition?
> > I have thought about doing it using VMWare, but I need many VMs, and my
> > system can't afford such a load!
> > Is there any software to achieve such a task?
> >
> > Thank you!
>
> netkit >> netkit.org
> HTH
> -Jasbir

Thanks
- Nathan - http://www.linuxcare.ca

From wakko at animx.eu.org Mon Oct 23 03:20:29 2006
From: wakko at animx.eu.org (Wakko Warner)
Date: Mon Oct 23 04:09:52 2006
Subject: mac match and FORWARD chain
Message-ID: <20061023012029.GA32086@animx.eu.org>

Keep me in CC.

I'd like to request that the mac match not be allowed in the FORWARD chain as it does not function the way that some may think.

The tests I've performed indicate that the match will match the MAC address of the transmitting interface (not what one would expect if attempting to allow based on the mac address of the sender and blocking all other packets).

I'd like to hear comments about this. If it is not feasible to do this, I'd recommend adding text to the man page so that others do not fall into the same problem I did.

I have already worked around this problem in my setup.

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???

From struggle at mail.nankai.edu.cn Mon Oct 23 03:46:51 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Mon Oct 23 04:26:25 2006
Subject: mac match and FORWARD chain
In-Reply-To: <361567501.01771@mail.nankai.edu.cn>
References: <361567501.01771@mail.nankai.edu.cn>
Message-ID: <361568247.28633@mail.nankai.edu.cn>

Wakko Warner :
> Keep me in CC.
>
> I'd like to request that the mac match not be allowed in the FORWARD chain
> as it does not function the way that some may think.
>
> The tests I've performed indicate that the match will match the MAC address
> of the transmitting interface (not what one would expect if attempting to
> allow based on the mac address of the sender and blocking all other packets)
>
> I'd like to hear comments about this. If it is not feasible to do this, I'd
> recommend adding text to the man page so that others do not fall into the
> same problem I did.
>
> I have already worked around this problem in my setup.

The MAC address is a link-layer concept, so how do you get the packet sender's MAC if the packet is routed to your box through some other routers?

From per at computer.org Mon Oct 23 11:08:10 2006
From: per at computer.org (Per Jessen)
Date: Mon Oct 23 11:46:52 2006
Subject: tarpitting?
Message-ID:

I'm using iptables 1.3.6 on a SUSE 10.1 box with 2.6.16 - and I just cannot get tarpitting to work.

# iptables -A INPUT -p tcp -m tcp --dport 135 -j TARPIT
iptables: No chain/target/match by that name

Can someone guide me in the right direction, please?

When I asked this on another mailing list it was suggested I need to install/run patch-o-matic to get the latest kernel-patches, but when I tried that nothing got applied.

Per Jessen, Zurich

From rob at sterenborg.info Mon Oct 23 11:44:05 2006
From: rob at sterenborg.info (Rob Sterenborg) Date: Mon Oct 23 12:22:50 2006 Subject: tarpitting? In-Reply-To: References: Message-ID: <62608.193.173.147.3.1161596645.squirrel@webmail.sterenborg.info> On Mon, October 23, 2006 11:08, Per Jessen wrote: > I'm using iptables 1.3.6 on a SUSE 10.1 box with 2.6.16 - and I just > cannot get tarpitting to work. > > # iptables -A INPUT -p tcp -m tcp --dport 135 -j TARPIT > iptables: No chain/target/match by that name > > > Can someone guide me in the right direction, please? > > > When I asked this on another mailing list it was suggested I need to > install/run patch-o-matic to get the latest kernel-patches, but when I tried > that nothing got applied. I don't know exactly what you've tried and if TARPIT is already in kernel 2.6.16, but, if you want to patch your kernel then do it like this: KERNEL_DIR=/path/to/kernel_src \ IPTABLES_DIR=/path/to/iptables_src \ ./runme extra Next, you have to configure your kernel for the TARPIT extension and compile/install it. Grts, Rob From iler.ml at gmail.com Mon Oct 23 12:08:38 2006 From: iler.ml at gmail.com (Yakov Lerner) Date: Mon Oct 23 12:47:22 2006 Subject: psd Message-ID: I'm sorry I must be missing something totally obvious. I patch-o-matic-ng-20060921 and iptables-1.3.6.tar.bz2 picked kernel 2.6.18 and, but in none of them I can [not] see kernel-part of psd module. I see that psd exists somewhere for 2.6 but why I can't find it ? It is builtin in 2.4, but for 2.6, I'd like to find exactly from where download it (the kernel part). Thanks Yakov From wakko at animx.eu.org Mon Oct 23 12:50:43 2006 
From: wakko at animx.eu.org (Wakko Warner)
Date: Mon Oct 23 13:40:12 2006
Subject: mac match and FORWARD chain
In-Reply-To: <453C1F0B.4010707@mail.nankai.edu.cn>
References: <361567501.01771@mail.nankai.edu.cn> <453C1F0B.4010707@mail.nankai.edu.cn>
Message-ID: <20061023105043.GA1104@animx.eu.org>

Bo Yang wrote:
> > I'd like to request that the mac match not be allowed in the FORWARD chain
> > as it does not function the way that some may think.
> >
> > The tests I've performed indicate that the match will match the MAC address
> > of the transmitting interface (not what one would expect if attempting to
> > allow based on the mac address of the sender and blocking all other packets)
> >
> > I'd like to hear comments about this. If it is not feasible to do this, I'd
> > recommend adding text to the man page so that others do not fall into the
> > same problem I did.
> >
> > I have already worked around this problem in my setup.
> The MAC address is a link-layer concept, so how do
> you get the packet sender's MAC if the packet is routed to your
> box through some other routers?

I understand. However, the machine I was using for this was directly connected to both systems. There were no other routers.

Take this for instance:

Box A -> (eth1)firewall/router(eth0) -> Box B

firewall/router does not trust eth1 and uses MAC addresses to allow access, so it does this:

-I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
-I FORWARD -j DROP -i eth1

firewall/router knows the mac of both box a and b (obviously, box a doesn't know box b's mac and vice versa). Consider the above the only rules in the firewall and box A and B have no rules at all.

Box A pings Box B and fails. The reason is the mac test above is seeing the MAC of eth0, not of Box A.

This is what I'm referring to and I had to add a MARK rule in PREROUTING to mark packets that I want to allow and then allow in the forward chain based upon the mark.
From struggle at mail.nankai.edu.cn Mon Oct 23 13:30:35 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Mon Oct 23 14:10:28 2006
Subject: mac match and FORWARD chain
In-Reply-To: <361601544.29487@mail.nankai.edu.cn>
References: <361567501.01771@mail.nankai.edu.cn> <453C1F0B.4010707@mail.nankai.edu.cn> <361601544.29487@mail.nankai.edu.cn>
Message-ID: <361603279.29770@mail.nankai.edu.cn>

Wakko Warner :
> Bo Yang wrote:
>>> I'd like to request that the mac match not be allowed in the FORWARD chain
>>> as it does not function the way that some may think.
>>>
>>> The tests I've performed indicate that the match will match the MAC address
>>> of the transmitting interface (not what one would expect if attempting to
>>> allow based on the mac address of the sender and blocking all other packets)
>>>
>>> I'd like to hear comments about this. If it is not feasible to do this, I'd
>>> recommend adding text to the man page so that others do not fall into the
>>> same problem I did.
>>>
>>> I have already worked around this problem in my setup.
>> The MAC address is a link-layer concept, so how do
>> you get the packet sender's MAC if the packet is routed to your
>> box through some other routers?
>
> I understand. However, the machine I was using for this was directly
> connected to both systems. There were no other routers.
>
> Take this for instance:
>
> Box A -> (eth1)firewall/router(eth0) -> Box B
>
> firewall/router does not trust eth1 and uses MAC addresses to allow access,
> so it does this:
> -I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
> -I FORWARD -j DROP -i eth1
>
> firewall/router knows the mac of both box a and b (obviously, box a doesn't
> know box b's mac and vice versa). Consider the above the only rules in the
> firewall and box A and B have no rules at all.
>
> Box A pings Box B and fails. The reason is the mac test above is seeing the
> MAC of eth0, not of Box A.
>
> This is what I'm referring to and I had to add a MARK rule in PREROUTING to
> mark packets that I want to allow and then allow in the forward chain based
> upon the mark.
>

I think when the packet is in the FORWARD chain, the routing must already have affected the packet, so that is the reason why you see the eth0 MAC in the rule. You can just add a rule in the PREROUTING chain in the mangle table, and DROP the packets you don't want there. Why must you mark it first, and then drop it in another chain?

From afshinlamei at gmail.com Mon Oct 23 13:55:39 2006
From: afshinlamei at gmail.com (afshin lamei)
Date: Mon Oct 23 14:34:16 2006
Subject: time match for kernel 2.6
Message-ID: <3115d56e0610230455v5c36e9oc5619ddd5bb18778@mail.gmail.com>

hi,
is there any port of time match for kernel 2.6?

regards,
afshin

From m at rtij.nl Mon Oct 23 16:48:59 2006
From: m at rtij.nl (Martijn Lievaart)
Date: Mon Oct 23 17:27:38 2006
Subject: Some simulator ?
In-Reply-To: <45387676.7090001@mail.nankai.edu.cn>
References: <45387676.7090001@mail.nankai.edu.cn>
Message-ID: <55259.2001:888:19e1::53.1161614939.squirrel@dexter>

> Hi,
> Everybody, I am on the list for a month. Every time I saw your questions and
> answers, I just wanted to reproduce your environment and trouble, and then
> solve it. But your troubles almost always occur in a very complicated
> environment such as two routers with four LANs and a PPP interface, etc.
>
> How can I simulate such a condition?
> Is there any software to achieve such a task?

I usually approach this using VMware or UML.

M4

From facubarrera at gmail.com Mon Oct 23 17:45:52 2006
From: facubarrera at gmail.com (Facundo Barrera)
Date: Mon Oct 23 18:24:34 2006
Subject: Blocking MSN
Message-ID:

Hi list:
I need to block MSN for certain IPs of my LAN. I'm using iptables on Slackware Linux; please can you help me, or send me any link to read about it.

Thanks.

--
Facundo Agustin Barrera
IT Management.
Buenos Aires - Argentina.

From tdotreppe at gmail.com Mon Oct 23 17:48:33 2006
From: tdotreppe at gmail.com (Thomas d'Otreppe)
Date: Mon Oct 23 18:27:17 2006
Subject: Blocking MSN
In-Reply-To:
References:
Message-ID: <78a2adce0610230848n74f54f71s5efe7c4582212d2b@mail.gmail.com>

You should have a look at Layer-7: l7-filter.sourceforge.net

Thomas

2006/10/23, Facundo Barrera :
> Hi list:
> I need to block MSN for certain IPs of my LAN. I'm using
> iptables on Slackware Linux; please can you help me, or send me any link
> to read about it.
>
> Thanks.
>
> --
> Facundo Agustin Barrera
> IT Management.
> Buenos Aires - Argentina.

From pablo at blueoakdb.com Mon Oct 23 17:52:20 2006
From: pablo at blueoakdb.com (Pablo Sanchez)
Date: Mon Oct 23 18:31:07 2006
Subject: Blocking MSN
In-Reply-To:
Message-ID: <008401c6f6bb$39ad1700$0419a8c0@fly>

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of > Facundo Barrera > Sent: Monday, October 23, 2006 11:46 AM > To: netfilter@lists.netfilter.org > Subject: Blocking MSN > > Hi list: > I need to block MSN to certain IP's of my LAN, i'm using > iptables on Slackware linux, please can u help me, or send me any link > to read about it. Hi, MSN is devious as it'll use different ports if you block the port it typically uses. What you'll want to do is use L7 (layer 7) filtering in order to identify MSN and block it. This will require you have the kernel sources for your kernel and to patch it as well as iptables. It sounds difficult but it's not. Cheers, --- Pablo Sanchez - Blueoak Database Engineering, Inc Ph: 819.459.1926 Toll free: 888.459.1926 Cell: 819.918.9731 Pgr: pablo_p@blueoakdb.com Fax: 603.720.7723 (US) From wakko at animx.eu.org Mon Oct 23 18:24:35 2006 
From: wakko at animx.eu.org (Wakko Warner)
Date: Mon Oct 23 19:14:09 2006
Subject: mac match and FORWARD chain
In-Reply-To: <453CA7DB.5000509@mail.nankai.edu.cn>
References: <361567501.01771@mail.nankai.edu.cn> <453C1F0B.4010707@mail.nankai.edu.cn> <361601544.29487@mail.nankai.edu.cn> <453CA7DB.5000509@mail.nankai.edu.cn>
Message-ID: <20061023162435.GA2441@animx.eu.org>

Bo Yang wrote:
> Wakko Warner :
> > Bo Yang wrote:
> >> The MAC address is a link-layer concept, so how do
> >> you get the packet sender's MAC if the packet is routed to your
> >> box through some other routers?
> >
> > I understand. However, the machine I was using for this was directly
> > connected to both systems. There were no other routers.
> >
> > Take this for instance:
> >
> > Box A -> (eth1)firewall/router(eth0) -> Box B
> >
> > firewall/router does not trust eth1 and uses MAC addresses to allow access,
> > so it does this:
> > -I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
> > -I FORWARD -j DROP -i eth1
> >
> > firewall/router knows the mac of both box a and b (obviously, box a doesn't
> > know box b's mac and vice versa). Consider the above the only rules in the
> > firewall and box A and B have no rules at all.
> >
> > Box A pings Box B and fails. The reason is the mac test above is seeing the
> > MAC of eth0, not of Box A.
> >
> > This is what I'm referring to and I had to add a MARK rule in PREROUTING to
> > mark packets that I want to allow and then allow in the forward chain based
> > upon the mark.
> >
> I think when the packet is in the FORWARD chain, the routing must
> already have affected the packet, so that
> is the reason why you see the eth0 MAC in the rule.

Yes, and the reason I wanted to request that it not be allowed to match in the FORWARD chain (or have a note in the man page about this).

> You can just add a rule in the PREROUTING chain in the mangle table,
> and DROP the packets you don't
> want there.
> Why must you mark it first, and then drop it in another
> chain?

Actually, I was tinkering and using MARK was the first thing that came to mind. After thinking about it, I think the best place would be in nat/PREROUTING (since nat is already loaded on the firewall machine). I do not need mangle at all if I'm not marking. At the time, I didn't think the filtering place should be in the mangle or nat tables; after all, that is what the filter table is for =)

In the nat/PREROUTING chain, are all incoming packets passed through this or just the initial packets?

In my current setup, I have br0 (eth0 and some vpns) that are routed through ppp0 to get to the internet. eth1 is connected to a wireless ap and I do not want ANY access from anything on that network except ICMP, VPN, and the web/snmp port to the WAP (I need a GUI browser to configure the thing and the firewall has no GUI installed which is why I am using forwarding). On eth1, I only allow specific MACs to be able to connect at all.

I do appreciate the idea to block in the prerouting chain instead of marking then blocking.

From alan.ezust at presinet.com Mon Oct 23 20:19:12 2006
From: alan.ezust at presinet.com (Alan Ezust)
Date: Mon Oct 23 20:59:22 2006
Subject: understanding how conntrack works
Message-ID: <200610231119.13034.alan.ezust@presinet.com>

Greetings all,

I'm exploring the kernel source trying to understand better how the conntrack facility works. I had a couple of questions which I hope someone more familiar with the code can answer...

Q: Where in the code does a table entry get added to the conntrack table? nf_conntrack_put doesn't seem to contain much code related to that.

Q: Where in the code are the conntrack data lines being written, and using what mechanism? (kprintf? procfs?) I did some ctags jumping and keep coming to the nf_conntrack_put function, which I expected to contain the code. Instead it only contains a
// ip_conntrack.h:
static inline void
ip_conntrack_put(struct ip_conntrack *ct)
{
	IP_NF_ASSERT(ct);
	nf_conntrack_put(&ct->ct_general);
}

// skbuff.h:
#ifdef CONFIG_NETFILTER
static inline void nf_conntrack_put(struct nf_conntrack *nfct)
{
	if (nfct && atomic_dec_and_test(&nfct->use))
		nfct->destroy(nfct);
}
The "destroy" call is an indirect function call, which appears to be a call (most of the time) to nf_conntrack_core.c:541
static void destroy_conntrack(struct nf_conntrack *nfct)
I hope the table updating and kprintf lines are not embedded within the destroy code?

Q: What is "master"? It seems that conntrack data has a concept called "master". When a connection is "destroyed", a call to the "master" destroy is also made. What is the relationship between the nf_conntrack and the master of an nf_conntrack (appears to be a tree or a linked list)? It seems to be an ownership relationship.

From mikepb at hoplite.org Mon Oct 23 21:34:29 2006
From: mikepb at hoplite.org (Michael P. Brininstool)
Date: Mon Oct 23 22:13:29 2006
Subject: mac match and FORWARD chain
In-Reply-To: <20061023162435.GA2441@animx.eu.org>
Message-ID: <00f901c6f6da$45b04080$c84f949b@nasw.ds.army.mil>

I think you are doing this the hard way. This is what I do and it works just fine (MACs altered, I control eth[0134] via physical access security i.e. locked room):

===============================================
-A FORWARD -i eth2 -j macchk
...
===============================================
-A macchk -m mac --mac-source 00:xx:xx:xx:8F:FD -j RETURN
...
-A macchk -m mac --mac-source 00:xx:xx:xx:8C:B6 -j RETURN
-A macchk -j logmac
===============================================
-A logmac -j LOG --log-prefix "PACKET_FROM_MAC_DROPPED "
-A logmac -j DROP
===============================================

Remove first line of FORWARD (shown above) to remove the restrictions.

I have a program generate macchk whenever the database of allowed machines changes. It does this by removing the reference to macchk in the FORWARD chain, flushing the macchk chain, rebuilding it (with the logmac reference on the end), and re-inserting the reference to macchk at the beginning of FORWARD.
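Michael's macchk rebuild, as an added shell example that is not code from the thread or from any poster. It keeps his chain layout (RETURN per allowed MAC, LOG then DROP for everything else) but differs from his delete-flush-rebuild-insert sequence in one respect: the new chain is staged under a temporary name and the FORWARD jump is swapped over before the old chain is removed, so there is no interval during a rebuild in which frames from unlisted MACs are forwarded. Every allow-list entry is validated before a single iptables command runs, so a malformed or hostile line in the database cannot smuggle extra options into a rule. The interface eth2, the chain names and the embedded allow-list are constructed for illustration; with DRY_RUN=1 the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuild a MAC allow-list chain like
# Michael's "macchk" without a window in which frames from unlisted MACs are
# forwarded, and refuse to touch the firewall if the allow-list is malformed.
# Interface name, chain names and the sample allow-list are assumptions.
UNTRUSTED_IF="${UNTRUSTED_IF:-eth2}"
IPT="${IPT:-iptables}"

# Constructed sample allow-list (one MAC per line, '#' starts a comment).
SAMPLE_ALLOWLIST='# lab machines behind eth2
00:11:22:33:8f:fd
00:11:22:33:8c:b6   # second host
'

# ipt ARGS...: run iptables, or print the command line when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s' "$IPT"; printf ' %s' "$@"; printf '\n'
    else
        "$IPT" "$@"
    fi
}

# valid_mac MAC: succeeds only for six colon-separated hex octets. Anything
# else (including a stray "-j ACCEPT" appended to a line) is rejected.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# parse_allowlist TEXT: print the validated MACs one per line. Fails, printing
# nothing, if any entry is malformed, so a bad list never reaches iptables.
parse_allowlist() {
    macs=""
    while IFS= read -r line; do
        mac=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$mac" ] && continue
        if ! valid_mac "$mac"; then
            printf 'parse_allowlist: rejected entry: %s\n' "$line" >&2
            return 1
        fi
        macs="$macs$mac
"
    done <<EOF
$1
EOF
    printf '%s' "$macs"
}

# rebuild_macchk TEXT: stage the new chain under a temporary name, move the
# FORWARD jump to it, then retire the old chain and rename. At every step a
# macchk jump for $UNTRUSTED_IF is in place, unlike delete-flush-rebuild-insert.
rebuild_macchk() {
    macs=$(parse_allowlist "$1") || return 1
    ipt -N macchk_new
    printf '%s\n' "$macs" | while IFS= read -r mac; do
        [ -n "$mac" ] && ipt -A macchk_new -m mac --mac-source "$mac" -j RETURN
    done
    ipt -A macchk_new -j LOG --log-prefix 'PACKET_FROM_MAC_DROPPED '
    ipt -A macchk_new -j DROP
    ipt -I FORWARD 1 -i "$UNTRUSTED_IF" -j macchk_new             # new check is live
    ipt -D FORWARD -i "$UNTRUSTED_IF" -j macchk 2>/dev/null || true  # old one retired (absent on first run)
    ipt -F macchk 2>/dev/null || true
    ipt -X macchk 2>/dev/null || true
    ipt -E macchk_new macchk                                      # -E renames the chain in place
}
```

Two facts from the iptables(8) man page that bear on the questions raised earlier in this thread: `-m mac --mac-source` compares the source address of the received Ethernet frame and only makes sense for packets that entered on an Ethernet device and are in PREROUTING, INPUT or FORWARD, so it can only ever identify a directly attached sender (Bo Yang's point about routed packets); and the nat table is consulted for the first packet of a connection only, so filtering of every packet belongs in the filter table, as Michael's ruleset does, not in nat/PREROUTING.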
From scoth at bigfoot.com Mon Oct 23 22:09:14 2006
From: scoth at bigfoot.com (Scot Harkins)
Date: Mon Oct 23 22:48:00 2006
Subject: Fwd UDP packets to multiple destinations
Message-ID: <013301c6f6df$1d4922b0$640fa8c0@harkinshome>

Howdy,

I am looking for a way to set up a simple trap forwarder that doesn't mess with the packets. I want to have SNMP traps in UDP coming into one destination and use perhaps iptables to distribute the traps to multiple servers. I am about to experiment with a few things involving the netfilter tools, starting with iptables.

Has this problem already been licked? Can you point me to the solution?

Thanks!

sh
--
Scot Harkins (KA5KDU)
Greenbank, WA
360-544-8750
877-303-4656
scoth@bigfoot.com
http://www.bigfoot.com/~scoth

From netfilter-list at kromo.org Mon Oct 23 23:31:57 2006
From: netfilter-list at kromo.org (Victor Toni)
Date: Tue Oct 24 00:10:41 2006
Subject: Howto access modem behind router
Message-ID: <453D34CD.904@kromo.org>

Hello,

I have one of these modems which is a router by itself. The modem is configured to work in bridged mode. Connected to the modem is a router which connects via pppoe via the modem with my ISP.

            |<---------- PPPOE link ------------->|
            |                                     |
  ISP ======= bridged ================= WRT ========= PCs
              modem                     |
            |              |            |
            |<- 169.254.1.x ->|         |<-- 192.168.1.x -->>

The modem has a web interface and telnet which I would like to connect to from within the LAN, but this doesn't seem to work. I tried the instructions from:

http://www.dd-wrt.com/wiki/index.php/Access_To_Modem_Configuration

but this makes the modem only available from the router and not from the LAN. I currently have some trouble with my connection and would like to use a tool to monitor the modem's error status, but this fails due to the configuration.

The modem has the static IP 169.254.1.1 and the router has the static IPs 169.254.1.100 and 192.168.1.1. I can ping "169.254.1.100" from any LAN machine on 192.168.1.0/24 but that's it.
Any help is very much appreciated.

Kindest regards,
Victor

From wakko at animx.eu.org Tue Oct 24 00:59:00 2006
From: wakko at animx.eu.org (Wakko Warner)
Date: Tue Oct 24 01:48:37 2006
Subject: mac match and FORWARD chain
In-Reply-To: <00f901c6f6da$45b04080$c84f949b@nasw.ds.army.mil>
References: <20061023162435.GA2441@animx.eu.org> <00f901c6f6da$45b04080$c84f949b@nasw.ds.army.mil>
Message-ID: <20061023225900.GB2441@animx.eu.org>

Michael P. Brininstool wrote:
> I think you are doing this the hard way. This is what I do and it works
> just fine
> (MACs altered, I control eth[0134] via physical access security, i.e. a locked
> room):
>
> ===============================================
> -A FORWARD -i eth2 -j macchk
> ...
> ===============================================
> -A macchk -m mac --mac-source 00:xx:xx:xx:8F:FD -j RETURN
> ...
> -A macchk -m mac --mac-source 00:xx:xx:xx:8C:B6 -j RETURN
> -A macchk -j logmac
> ===============================================
> -A logmac -j LOG --log-prefix "PACKET_FROM_MAC_DROPPED "
> -A logmac -j DROP
> ===============================================
>
> Remove the first line of FORWARD (shown above) to remove the restrictions.
>
> I have a program generate macchk whenever the database of allowed machines
> changes. It does this by removing the reference to macchk in the FORWARD
> chain, flushing the macchk chain, rebuilding it (with the logmac reference
> on the end), and re-inserting the reference to macchk at the beginning of
> FORWARD.

I tried something almost exactly the same, except it was in the filter table. It simply did not work, and the MAC source that was actually tested was that of the outgoing interface (verified when I added a rule testing the MAC of the outgoing interface). I want it blocked both incoming to the local machine and being routed, depending on what is used. There is no locked room per se.
In the filter table: I first test the incoming interface in both FORWARD and INPUT; if it's eth1, jump to the MAC testing chain. In that chain, if the MAC is an allowed one, jump to the IP testing chain; if that packet is allowed, accept. The next line of FORWARD and INPUT is a jump to DROP (testing for eth1 again). That is exactly what I want. Your example is more permissive than mine.

Instead of using filter/INPUT and filter/FORWARD, either nat/PREROUTING or mangle/PREROUTING with the same rules should handle what I want w/o testing in both INPUT and FORWARD, since at the PREROUTING stage it has not determined where the packet will be going. I just do not know if nat/PREROUTING is traversed every time a packet comes in, or if it is only traversed on the initial packet of a connection (probably doesn't matter though).

From vwf at vulkor.net Tue Oct 24 09:46:55 2006
From: vwf at vulkor.net (vwf)
Date: Tue Oct 24 10:25:38 2006
Subject: how to filter on application? (cmd-owner)
Message-ID: <20061024074655.GA4996@trane.vulkor.net>

Hello,

Some time ago --cmd-owner went silently. I think a firewall must be able to filter on the originating application: I do not want an application running on Wine to connect to an unknown server somewhere. I disallow all outgoing connections by default and only allow connections for some selected applications. Now --cmd-owner has gone, can anyone tell me how to do this?
(in detail, please)

Thank you

From struggle at mail.nankai.edu.cn Tue Oct 24 10:02:55 2006
From: struggle at mail.nankai.edu.cn (Bo Yang)
Date: Tue Oct 24 10:43:00 2006
Subject: mac match and FORWARD chain
In-Reply-To: <361621573.16343@mail.nankai.edu.cn>
References: <361567501.01771@mail.nankai.edu.cn> <453C1F0B.4010707@mail.nankai.edu.cn> <361601544.29487@mail.nankai.edu.cn> <453CA7DB.5000509@mail.nankai.edu.cn> <361621573.16343@mail.nankai.edu.cn>
Message-ID: <361677217.01086@mail.nankai.edu.cn>

Wakko Warner wrote:
> Bo Yang wrote:
>> Wakko Warner wrote:
>>> Bo Yang wrote:
>>>> MAC address is some concept in the link layer, so how do
>>>> you get the packet sender's MAC if the packet is routed to your
>>>> box through some other routers?
>>> I understand. However, the machine I was using for this was directly
>>> connected to both systems. There were no other routers.
>>>
>>> Take this for instance:
>>>
>>> Box A -> (eth1)firewall/router(eth0) -> Box B
>>>
>>> firewall/router does not trust eth1 and uses MAC addresses to allow access,
>>> so it does this:
>>> -I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
>>> -I FORWARD -j DROP -i eth1
>>>
>>> firewall/router knows the MAC of both box A and B (obviously, box A doesn't
>>> know box B's MAC and vice versa). Consider the above the only rules in the
>>> firewall and box A and B have no rules at all.
>>>
>>> Box A pings Box B and fails. The reason is the MAC test above is seeing the
>>> MAC of eth0, not of Box A.
>>>
>>> This is what I'm referring to and I had to add a MARK rule in PREROUTING to
>>> mark packets that I want to allow and then allow in the forward chain based
>>> upon the mark.
>>>
>> I think when the packet is in the FORWARD chain, the routing must
>> already have affected the packet, so that
>> is the reason why you see the eth0 MAC in the rule.
>
> Yes, and the reason I wanted to request that it not be allowed to match in
> the FORWARD chain (or have a note in the man page about this)
>
>> You can just add a rule in the PREROUTING chain in the mangle table,
>> and DROP the packet you don't
>> want there. Why must you mark it first, and then drop it in another
>> chain?
>
> Actually, I was tinkering and using MARK was the first thing that came to
> mind. After thinking about it, I think the best place would be in
> nat/PREROUTING (since nat is already loaded on the firewall machine). I do
> not need mangle at all if I'm not marking. At the time, I didn't think the
> filtering place should be in the mangle or nat tables; after all, that is
> what the filter table is for =)
>
> In the nat/PREROUTING chain, are all incoming packets passed through this or
> just the initial packets?

Yes, I think so.

> In my current setup, I have br0 (eth0 and some
> vpns) that are routed through ppp0 to get to the internet. eth1 is
> connected to a wireless AP and I do not want ANY access from anything on
> that network except ICMP, VPN, and the web/snmp port to the WAP (I need a GUI
> browser to configure the thing and the firewall has no GUI installed, which
> is why I am using forwarding). On eth1, I only allow specific MACs to
> be able to connect at all.
>
> I do appreciate the idea to block in the prerouting chain instead of marking
> then blocking.

It is up to you!
From pascal.mail at plouf.fr.eu.org Tue Oct 24 12:21:51 2006
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Tue Oct 24 13:00:37 2006
Subject: mac match and FORWARD chain
In-Reply-To: <20061023105043.GA1104@animx.eu.org>
References: <361567501.01771@mail.nankai.edu.cn> <453C1F0B.4010707@mail.nankai.edu.cn> <20061023105043.GA1104@animx.eu.org>
Message-ID: <453DE93F.3000704@plouf.fr.eu.org>

Hello,

Wakko Warner wrote:
>
> Box A -> (eth1)firewall/router(eth0) -> Box B
>
> firewall/router does not trust eth1 and uses MAC addresses to allow access,
> so it does this:
> -I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
> -I FORWARD -j DROP -i eth1

If the firewall does not trust what is beyond eth1, MAC filtering is pointless: a MAC address can be easily sniffed and spoofed.

> firewall/router knows the MAC of both box A and B (obviously, box A doesn't
> know box B's MAC and vice versa). Consider the above the only rules in the
> firewall and box A and B have no rules at all.
>
> Box A pings Box B and fails. The reason is the MAC test above is seeing the
> MAC of eth0, not of Box A.

There must be a bug in your specific setup/kernel/iptables/whatever. On my box, the FORWARD chain sees the correct MAC source address. Besides, I don't see how iptables could see the outgoing MAC source address, which AFAIK is added at the link layer, after the packet has left Netfilter.

> This is what I'm referring to and I had to add a MARK rule in PREROUTING to
> mark packets that I want to allow and then allow in the forward chain based
> upon the mark.

About your idea of doing this in the nat table PREROUTING chain: it won't work because the nat chains see only the initial packet of a connection.
*Don't you ever use the nat table chains for anything else than NAT*

From benny+usenet at amorsen.dk Tue Oct 24 12:30:27 2006
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Tue Oct 24 13:09:37 2006
Subject: mac match and FORWARD chain
References: <361567501.01771@mail.nankai.edu.cn> <453C1F0B.4010707@mail.nankai.edu.cn> <20061023105043.GA1104@animx.eu.org> <453DE93F.3000704@plouf.fr.eu.org>
Message-ID:

>>>>> "PH" == Pascal Hambourg writes:

PH> Hello,
PH> Wakko Warner wrote:
>> Box A -> (eth1)firewall/router(eth0) -> Box B firewall/router does
>> not trust eth1 and uses MAC addresses to allow access, so it does
>> this: -I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC -I FORWARD
>> -j DROP -i eth1

PH> If the firewall does not trust what is beyond eth1, MAC filtering
PH> is pointless : a MAC address can be easily sniffed and spoofed.

Unless the switches use MAC-address-based security... Of course these days you can let the switches sniff DHCP and enforce IPs as well.

/Benny

From wakko at animx.eu.org Tue Oct 24 12:23:08 2006
From: wakko at animx.eu.org (Wakko Warner)
Date: Tue Oct 24 13:12:51 2006
Subject: mac match and FORWARD chain
In-Reply-To: <453DE93F.3000704@plouf.fr.eu.org>
References: <361567501.01771@mail.nankai.edu.cn> <453C1F0B.4010707@mail.nankai.edu.cn> <20061023105043.GA1104@animx.eu.org> <453DE93F.3000704@plouf.fr.eu.org>
Message-ID: <20061024102308.GA6433@animx.eu.org>

Pascal Hambourg wrote:
> Wakko Warner wrote:
> >Box A -> (eth1)firewall/router(eth0) -> Box B
> >
> >firewall/router does not trust eth1 and uses MAC addresses to allow access,
> >so it does this:
> >-I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
> >-I FORWARD -j DROP -i eth1
>
> If the firewall does not trust what is beyond eth1, MAC filtering is
> pointless : a MAC address can be easily sniffed and spoofed.

I'm quite well aware of that. The likelihood is quite low, plus doing MAC filtering was only the first step.
Coming from that interface, I only allow ICMP and a VPN port.

> >firewall/router knows the MAC of both box A and B (obviously, box A doesn't
> >know box B's MAC and vice versa). Consider the above the only rules in the
> >firewall and box A and B have no rules at all.
> >
> >Box A pings Box B and fails. The reason is the MAC test above is seeing
> >the
> >MAC of eth0, not of Box A.
>
> There must be a bug in your specific setup/kernel/iptables/whatever. On
> my box, the FORWARD chain sees the correct MAC source address.
> Besides, I don't see how iptables could see the outgoing MAC source
> address which AFAIK is added at the link layer, after the packet has
> left Netfilter.

As I explained in the other emails, the MAC test was using the MAC of the outgoing interface when the packet was forwarded. The kernel is 2.6.8-3-generic from debian (which seems to be the only 2.6 kernel I can run on that machine for some reason; all newer self-compiled kernels crash on that machine within an hour w/o any explanation).

> >This is what I'm referring to and I had to add a MARK rule in PREROUTING to
> >mark packets that I want to allow and then allow in the forward chain based
> >upon the mark.
>
> About your idea of doing this in the nat table PREROUTING chain : it
> won't work because the nat chains see only the initial packet of a
> connection.

I was using mangle/PREROUTING to do the MARK target, since that's the only place it'll work.

> *Don't you ever use the nat table chains for anything else than NAT*

Sometimes you have to, esp. if you do not want specific packets to be nat'd

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???

From laforge at netfilter.org Tue Oct 24 13:35:51 2006
From: laforge at netfilter.org (Harald Welte)
Date: Tue Oct 24 14:15:11 2006
Subject: Daily svn snapshots now working again (was Re: patch-o-matic-ng stopped ?)
In-Reply-To: <1265.85.68.10.218.1161688632.squirrel@www.on-fire.net>
References: <1265.85.68.10.218.1161688632.squirrel@www.on-fire.net>
Message-ID: <20061024113551.GN6045@sunbeam.de.gnumonks.org>

On Tue, Oct 24, 2006 at 01:17:12PM +0200, Wilfried BARNAVON wrote:
> I was used to test new linux kernels with
> experimental patches for netfilter, and - oh surprise !- the last month
> patch-o-matic-ng archives are more and more little, and finally with a
> null content !

You can find the current patch-o-matic-ng repository at
http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/

> What happens ? Is this the end of a centralized and structured
> iptables development ? Is there a break in the development team ?

patch-o-matic[-ng] always was a collection of various contributions from people around the net, not a form of centralized and structured development.

> Is there a secret replacement of netfilter that justifies this
> carelessness ?

Nobody is careless. You just seem to be the first person to report that problem to me.

> Just a bug in the patch-o-matic-ng "tar-gz" generator ?

Exactly. It's fixed now, please use the
ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20061024.tar.bz2
snapshot that I just created.

Cheers,
--
- Harald Welte                                 http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
 architectural error that shows how much experimentation was going
 on while IP was being designed."                    -- Paul Vixie

From jcpelaez at gmail.com Tue Oct 24 15:54:41 2006
From: jcpelaez at gmail.com (Juan Carlos Peláez Mendoza)
Date: Tue Oct 24 16:33:30 2006
Subject: Blocking SMTP Worm
In-Reply-To: <19fb1ac90610240653x69cc1951g9766d7c809ddecef@mail.gmail.com>
References: <19fb1ac90610240653x69cc1951g9766d7c809ddecef@mail.gmail.com>
Message-ID: <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com>

Hi list,

My IP address has been listed in the RBLs too many times. I installed MailScanner + Spamassassin + Clamavmodule + FProt on my linux box and set up the iptables rules allowing only smtp, pop and ssh traffic, but when I watch the traffic with tcpdump I see this strange behavior:

17:14:42.255867 IP 192.168.0.92.2802 > Static-IP-cr2001181.cable.net.co.smtp: S 396792405:396792405(0) win 16384
17:14:43.457612 IP 192.168.0.92.2803 > Static-IP-cr2001181.cable.net.co.smtp: S 760094736:760094736(0) win 16384
17:14:46.512975 IP 192.168.0.92.2804 > Static-IP-cr2001181.cable.net.co.smtp: S 804817506:804817506(0) win 16384
17:14:49.466442 IP 192.168.0.92.2804 > Static-IP-cr2001181.cable.net.co.smtp: S 804817506:804817506(0) win 16384
17:14:50.118528 IP 192.168.0.92.2805 > mailgw2.diveo.net.co.smtp: S 2079962326:2079962326(0) win 16384
17:14:53.071734 IP 192.168.0.92.2805 > mailgw2.diveo.net.co.smtp: S 2079962326:2079962326(0) win 16384

I looked at the traffic today and am still getting that result after blocking the traffic for the 192.168.0.92 address:

08:40:10.664379 IP 192.168.0.92.2728 > emt200-31-197-53.emtelco.com.smtp: S 3599806789:3599806789(0) win 16384
08:40:16.683771 IP 192.168.0.92.2728 > emt200-31-197-53.emtelco.com.smtp: S 3599806789:3599806789(0) win 16384
08:40:20.731636 IP 192.168.0.92.2731 > bbvaganadero.telefonica.net.co.smtp: S 4026584844:4026584844(0) win 16384
08:40:23.706369 IP 192.168.0.92.2731 > bbvaganadero.telefonica.net.co.smtp: S 4026584844:4026584844(0) win 16384

What can I do to stop and block this worm???

Here are my basic rules for iptables.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack_irc

iptables --table nat --flush

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Blocking 192.168.0.92 SMTP traffic
iptables -A FORWARD -p tcp --dport 25 -s 192.168.0.92 -j DROP

iptables -A FORWARD -i eth1 -j ACCEPT

echo "Enrutamiento Activado..."

# Blocking IP 218.55.23.50
iptables -A INPUT -s 218.55.23.50 -j DROP

# Blocking IP 201.160.33.60
iptables -A INPUT -s 201.160.33.60 -j DROP

iptables -A INPUT -s 192.168.0.92 -j DROP
iptables -A FORWARD -p tcp --dport 25 -j DROP

# Allow inbound traffic to the SMTP, POP and SSH ports
iptables -A INPUT -p tcp --dport 25 -s 192.168.0.0/24 -d PRIVATE_IP -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 0/0 -d PUBLIC_IP --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 25 -s 192.168.0.0/24 -d 0/0 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.0/24 --sport 25 -i eth0 -j DROP

iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 3306 -j REJECT

# Drop packets leaving the LAN on port 25
iptables -A FORWARD -p tcp --dport 25 -j DROP

Can anybody help me with this???
Thanks,

Juan Carlos Peláez Mendoza

From swifty at freemail.hu Tue Oct 24 16:04:52 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Tue Oct 24 16:44:01 2006
Subject: Blocking SMTP Worm
In-Reply-To: <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com>
References: <19fb1ac90610240653x69cc1951g9766d7c809ddecef@mail.gmail.com> <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com>
Message-ID: <453E1D84.6080803@freemail.hu>

Juan Carlos Peláez Mendoza wrote:
> Hi list,
>
> My IP address has been listed in the RBLs too many times. I
> installed MailScanner + Spamassassin + Clamavmodule + FProt on my linux box
> and set up the iptables rules allowing only smtp, pop and ssh
> traffic, but when I watch the traffic with tcpdump I see this strange
> behavior:
>
> 17:14:42.255867 IP 192.168.0.92.2802 > Static-IP-cr2001181.cable.net.co.smtp: S 396792405:396792405(0) win 16384
> 17:14:43.457612 IP 192.168.0.92.2803 > Static-IP-cr2001181.cable.net.co.smtp: S 760094736:760094736(0) win 16384
> 17:14:46.512975 IP 192.168.0.92.2804 > Static-IP-cr2001181.cable.net.co.smtp: S 804817506:804817506(0) win 16384
> 17:14:49.466442 IP 192.168.0.92.2804 > Static-IP-cr2001181.cable.net.co.smtp: S 804817506:804817506(0) win 16384
> 17:14:50.118528 IP 192.168.0.92.2805 > mailgw2.diveo.net.co.smtp: S 2079962326:2079962326(0) win 16384
> 17:14:53.071734 IP 192.168.0.92.2805 > mailgw2.diveo.net.co.smtp: S 2079962326:2079962326(0) win 16384
>
> I looked at the traffic today and am still getting that result after blocking
> the traffic for the 192.168.0.92 address:
>
> 08:40:10.664379 IP 192.168.0.92.2728 > emt200-31-197-53.emtelco.com.smtp: S 3599806789:3599806789(0) win 16384
> 08:40:16.683771 IP 192.168.0.92.2728 > emt200-31-197-53.emtelco.com.smtp: S 3599806789:3599806789(0) win 16384
> 08:40:20.731636 IP 192.168.0.92.2731 > bbvaganadero.telefonica.net.co.smtp: S 4026584844:4026584844(0) win 16384
> 08:40:23.706369 IP 192.168.0.92.2731 > bbvaganadero.telefonica.net.co.smtp: S 4026584844:4026584844(0) win 16384
>
> What can I do to stop and block this worm???
>
> Here are my basic rules for iptables.
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables --flush
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> modprobe ip_conntrack_irc
>
> iptables --table nat --flush
>
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>
> # Blocking 192.168.0.92 SMTP traffic
> iptables -A FORWARD -p tcp --dport 25 -s 192.168.0.92 -j DROP
>
> iptables -A FORWARD -i eth1 -j ACCEPT
>
> echo "Enrutamiento Activado..."
>
> # Blocking IP 218.55.23.50
> iptables -A INPUT -s 218.55.23.50 -j DROP
>
> # Blocking IP 201.160.33.60
> iptables -A INPUT -s 201.160.33.60 -j DROP
>
> iptables -A INPUT -s 192.168.0.92 -j DROP
> iptables -A FORWARD -p tcp --dport 25 -j DROP
>
> # Allow inbound traffic to the SMTP, POP and SSH ports
> iptables -A INPUT -p tcp --dport 25 -s 192.168.0.0/24 -d PRIVATE_IP -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s 0/0 -d PUBLIC_IP --dport 25 -j ACCEPT
> iptables -t filter -A INPUT -p tcp --dport 25 -s 192.168.0.0/24 -d 0/0 -j DROP
> iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.0/24 --sport 25 -i eth0 -j DROP
>
> iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 110 -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 3306 -j REJECT
>
> # Drop packets leaving the LAN on port 25
> iptables -A FORWARD -p tcp --dport 25 -j DROP
>
> Can anybody help me with this???
>

Have you tried this command???

iptables -vnL

> Thanks,
>
> Juan Carlos Peláez Mendoza

From jcpelaez at gmail.com Tue Oct 24 16:19:07 2006
From: jcpelaez at gmail.com (Juan Carlos Peláez Mendoza)
Date: Tue Oct 24 16:58:30 2006
Subject: Blocking SMTP Worm
In-Reply-To: <453E1D84.6080803@freemail.hu>
References: <19fb1ac90610240653x69cc1951g9766d7c809ddecef@mail.gmail.com> <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com> <453E1D84.6080803@freemail.hu>
Message-ID: <19fb1ac90610240719p75fc3580mc45c621cfb616502@mail.gmail.com>

I got this:

Chain FORWARD (policy ACCEPT 59M packets, 20G bytes)
 pkts bytes target     prot opt in     out     source               destination
18236  876K DROP       tcp  --  *      *       192.168.0.92         0.0.0.0/0           tcp dpt:25
3317K 2826M ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 6671K packets, 733M bytes)
 pkts bytes target     prot opt in     out     source               destination
 3084  207K DROP       all  --  *      *       192.168.0.92         0.0.0.0/0

Does this mean that my rule is working?? Because the traffic is still passing through both NICs.

Thanks,

Juan Carlos Pelaez Mendoza

On 10/24/06, Gáspár Lajos wrote:
> Juan Carlos Peláez Mendoza wrote:
> > Hi list,
> >
> > My IP address has been listed in the RBLs too many times. I
> > installed MailScanner + Spamassassin + Clamavmodule + FProt on my linux box
> > and set up the iptables rules allowing only smtp, pop and ssh
> > traffic, but when I watch the traffic with tcpdump I see this strange
> > behavior:
> >
> > 17:14:42.255867 IP 192.168.0.92.2802 > Static-IP-cr2001181.cable.net.co.smtp: S 396792405:396792405(0) win 16384
> > 17:14:43.457612 IP 192.168.0.92.2803 > Static-IP-cr2001181.cable.net.co.smtp: S 760094736:760094736(0) win 16384
> > 17:14:46.512975 IP 192.168.0.92.2804 > Static-IP-cr2001181.cable.net.co.smtp: S 804817506:804817506(0) win 16384
> > 17:14:49.466442 IP 192.168.0.92.2804 > Static-IP-cr2001181.cable.net.co.smtp: S 804817506:804817506(0) win 16384
> > 17:14:50.118528 IP 192.168.0.92.2805 > mailgw2.diveo.net.co.smtp: S 2079962326:2079962326(0) win 16384
> > 17:14:53.071734 IP 192.168.0.92.2805 > mailgw2.diveo.net.co.smtp: S 2079962326:2079962326(0) win 16384
> >
> > I looked at the traffic today and am still getting that result after blocking
> > the traffic for the 192.168.0.92 address:
> >
> > 08:40:10.664379 IP 192.168.0.92.2728 > emt200-31-197-53.emtelco.com.smtp: S 3599806789:3599806789(0) win 16384
> > 08:40:16.683771 IP 192.168.0.92.2728 > emt200-31-197-53.emtelco.com.smtp: S 3599806789:3599806789(0) win 16384
> > 08:40:20.731636 IP 192.168.0.92.2731 > bbvaganadero.telefonica.net.co.smtp: S 4026584844:4026584844(0) win 16384
> > 08:40:23.706369 IP 192.168.0.92.2731 > bbvaganadero.telefonica.net.co.smtp: S 4026584844:4026584844(0) win 16384
> >
> > What can I do to stop and block this worm???
> >
> > Here are my basic rules for iptables.
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > iptables --flush
> > modprobe ip_conntrack
> > modprobe ip_conntrack_ftp
> > modprobe ip_nat_ftp
> > modprobe ip_conntrack_irc
> >
> > iptables --table nat --flush
> >
> > iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> > iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> >
> > # Blocking 192.168.0.92 SMTP traffic
> > iptables -A FORWARD -p tcp --dport 25 -s 192.168.0.92 -j DROP
> >
> > iptables -A FORWARD -i eth1 -j ACCEPT
> >
> > echo "Enrutamiento Activado..."
> >
> > # Blocking IP 218.55.23.50
> > iptables -A INPUT -s 218.55.23.50 -j DROP
> >
> > # Blocking IP 201.160.33.60
> > iptables -A INPUT -s 201.160.33.60 -j DROP
> >
> > iptables -A INPUT -s 192.168.0.92 -j DROP
> > iptables -A FORWARD -p tcp --dport 25 -j DROP
> >
> > # Allow inbound traffic to the SMTP, POP and SSH ports
> > iptables -A INPUT -p tcp --dport 25 -s 192.168.0.0/24 -d PRIVATE_IP -j ACCEPT
> > iptables -t filter -A INPUT -p tcp -s 0/0 -d PUBLIC_IP --dport 25 -j ACCEPT
> > iptables -t filter -A INPUT -p tcp --dport 25 -s 192.168.0.0/24 -d 0/0 -j DROP
> > iptables -A INPUT -p tcp -s 0/0 -d 192.168.0.0/24 --sport 25 -i eth0 -j DROP
> >
> > iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 110 -j ACCEPT
> > iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
> > iptables -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 3306 -j REJECT
> >
> > # Drop packets leaving the LAN on port 25
> > iptables -A FORWARD -p tcp --dport 25 -j DROP
> >
> > Can anybody help me with this???
> >
> Have you tried this command???
>
> iptables -vnL
>
> > Thanks,
> >
> > Juan Carlos Peláez Mendoza
>

--
________________________________________________
"Hope has died in me."
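The question the counters answer is exactly the one asked above. A capture with tcpdump on the interface the LAN host is attached to shows the SYNs whether or not a FORWARD rule drops them, because the packet socket taps the frame before netfilter runs; what shows that the rule is taking effect is its packet counter (or a capture on the outbound interface, where dropped packets never appear). The following is an added example, not from the thread, that reads "iptables -vnL" output and lists every DROP rule with a non-zero counter so the check can be scripted. The sample output it parses is constructed to match the counters posted in the thread, with one extra zero-count rule added to show the negative case.

```shell
#!/bin/sh
# Added example (not from the thread): read "iptables -vnL" output and
# report every DROP rule whose packet counter is non-zero. The counters
# are the authoritative check that a rule matches; a packet capture on
# the interface the packets arrive on still shows them, because tcpdump
# taps the frame before netfilter sees it.

# Reads "iptables -vnL" text on stdin. Prints one line per DROP rule that
# has matched at least one packet:
#   CHAIN PKTS SOURCE DESTINATION [match specifics]
# Exit status 0 if at least one such rule was found, 1 otherwise, so the
# function can double as a yes/no check in a script.
matched_drops() {
    awk '
        /^Chain /               { chain = $2; next }    # "Chain FORWARD (policy ...)"
        $1 == "pkts" || NF == 0 { next }                # column header / blank line
        $3 == "DROP" && $1 != "0" {
            # Fields 1-9 are fixed (pkts bytes target prot opt in out src dst);
            # anything after that is the match description, e.g. "tcp dpt:25".
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s %s %s %s%s\n", chain, $1, $8, $9, extra
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample modelled on the counters posted in the thread, plus a
# DROP rule that has never matched (the 218.55.23.50 line) for contrast.
sample_counters() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 59M packets, 20G bytes)
 pkts bytes target     prot opt in     out     source               destination
18236  876K DROP       tcp  --  *      *       192.168.0.92         0.0.0.0/0           tcp dpt:25
3317K 2826M ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 6671K packets, 733M bytes)
 pkts bytes target     prot opt in     out     source               destination
 3084  207K DROP       all  --  *      *       192.168.0.92         0.0.0.0/0
    0     0 DROP       all  --  *      *       218.55.23.50         0.0.0.0/0
EOF
}

# Live usage (root): iptables -vnL | matched_drops
# Add -x to iptables to get exact counts instead of the K/M/G suffixes.
```

Run against the sample, the function reports the FORWARD rule (18236 packets, tcp dpt:25) and the INPUT rule (3084 packets) and stays silent about the zero-count rule. Rising counts on the FORWARD DROP while the capture keeps showing SYNs from 192.168.0.92 means the gateway is doing its job and the problem is the infected host behind it, which is what needs cleaning.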
From tomslists at sandquisttech.net Tue Oct 24 18:53:51 2006
From: tomslists at sandquisttech.net (Tommy Sandquist)
Date: Wed Oct 25 22:40:53 2006
Subject: Ipt_random module questions
In-Reply-To:
References:
Message-ID: <453E451F.1000900@sandquisttech.net>

Thanks for the help!

Do you know where I can find more information on this statistic match module in 2.6.18? I compiled iptables 1.3.6 and installed it and am now able to add the module to my command line, but there is very poor documentation on this module's use and capabilities. The syntax in iptables didn't help me a whole lot either. I tried using this module in random mode and am assuming from the error I was getting earlier that I must use a decimal for the probability, but then I get errors about chain, target, or match not existing when I try to jump from that table to my packet marking table (for iproute2 to use). Any additional information or sites you can provide with information would be of great value.

Also, probably not for this discussion, but does anyone know the proper way to rebuild the iptables 1.3.6 tarball into an rpm file? I seriously doubt my issues are related to this but just thought I'd ask since the binary package is a little cleaner on the package based systems.

Thanks for all the help so far.

Tom

From alan.ezust at presinet.com Wed Oct 25 18:02:27 2006
From: alan.ezust at presinet.com (Alan Ezust)
Date: Wed Oct 25 22:44:03 2006
Subject: understanding how conntrack works
In-Reply-To: <2FEE63312285CF428A8480B07AC1C35903657F21@CHN-SNR-MBX01.wipro.com>
References: <2FEE63312285CF428A8480B07AC1C35903657F21@CHN-SNR-MBX01.wipro.com>
Message-ID: <200610250902.27939.alan.ezust@presinet.com>

On Tuesday 24 October 2006 20:14, anisha.chandrasekaran@wipro.com wrote:
> Hello all,
> Alan, I just read your below mail regarding the conntrack facility.
> I am sorry that I am not able to help you with an answer to your query.
> I am actually writing this mail to ask you if you could help me know > what are the structures that store conntrack details, i.e, if I want to > drop a particular connection that is established which structure entry I > should be parsing and deleting?????? After some searching, I came across these parts of the code: nfct_create_conntrack (libnetfilter_conntrack.c:951) This code creates a struct nfct_conntrack. Then there is the nf_conntrack_tuple (linux/include/net/netfilter/nf_conntrack_tuple.h:64) which contains "the information to distinguish a connection") I *think* this is the right place in the code. I hope someone else will correct me if this answer is wrong or incomplete :-) From anisha.chandrasekaran at wipro.com Wed Oct 25 05:14:27 2006 From: anisha.chandrasekaran at wipro.com (anisha.chandrasekaran@wipro.com) Date: Wed Oct 25 22:47:19 2006 Subject: understanding how conntrack works Message-ID: <2FEE63312285CF428A8480B07AC1C35903657F21@CHN-SNR-MBX01.wipro.com> Hello all, Alan, I jus read your below mail regarding the conntrack facility. I am sorry that I am not able to help you with an answer to your query. I am actually writing this mail to ask you if you could help me know what are the structures that store conntrack details, i.e, if I want to drop a particular connection that is established which structure entry I should be parsing and deleting?????? Since I am also doing an analysis on the kernel code for conntrack facility I thought you may be able to help me out... Regards, Anisha Chandrasekaran Email : anisha.chandrasekaran@wipro.com -----Original Message----- From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Alan Ezust Sent: Monday, October 23, 2006 11:49 PM To: netfilter@lists.netfilter.org Subject: understanding how conntrack works Greetings all, I'm exploring the kernel source trying to understand better how the conntrack facility works. 
I had a couple of questions which I hope someone more familiar with the code can answer...

Q: Where in the code does a table entry get added to the conntrack table? nf_conntrack_put doesn't seem to contain much code related to that.

Q: Where in the code are the conntrack data lines being written, and using what mechanism? (kprintf? procfs?)

I did some ctags jumping and keep coming to the nf_conntrack_put function, which I expected to contain the code. Instead it only contains a
// ip_conntrack.h:
static inline void
ip_conntrack_put(struct ip_conntrack *ct)
{
	IP_NF_ASSERT(ct);
	nf_conntrack_put(&ct->ct_general);
}

// skbuff.h:
#ifdef CONFIG_NETFILTER
static inline void nf_conntrack_put(struct nf_conntrack *nfct)
{
	if (nfct && atomic_dec_and_test(&nfct->use))
		nfct->destroy(nfct);
}
The "destroy" call is an indirect function call, which appears to be a call (most of the time) to nf_conntrack_core.c:541
static void destroy_conntrack(struct nf_conntrack *nfct)
I hope the table updating and kprintf lines are not embedded within the destroy code?

Q: What is "master"? It seems that conntrack data has a concept called "master". When a connection is "destroyed", a call to the "master" destroy is also made. What is the relationship between the nf_conntrack and the master of an nf_conntrack (appears to be a tree or a linked list)? It seems to be an ownership relationship.

From edspremolla at antel.com.uy Wed Oct 25 16:21:23 2006
From: edspremolla at antel.com.uy (Eduardo Spremolla)
Date: Wed Oct 25 22:49:37 2006
Subject: outgoing skype ports
In-Reply-To: <4535BC9B.1010605@asiaa.sinica.edu.tw>
References: <4535BC9B.1010605@asiaa.sinica.edu.tw>
Message-ID: <1161786083.21404.3.camel@fly.in.iantel.com.uy>

Take a look here: http://www.skype.com/help/guides/firewall.html

On Wed, 2006-10-18 at 13:33 +0800, Joshua, C.S. Chen wrote:
> Hi folks,
> I am maintaining a small office fw/gw using iptables. And the rules are:
> only open outgoing connections for port (destination port) 80 and 443,
> and stateful allowing returned/concerned sessions.
> Now we want to allow skype traffic. My question is:
> What port(s) should be opened (outgoing) to use skype?
>
> Thanks in advance
>
> Cheers
> Joshua
>
-- 
Ing.
Eduardo Spremolla
Applied Development Manager (Gerente de Desarrollo Aplicado)
Antel Uruguay

From techsafe.sec at gmail.com Wed Oct 25 12:01:06 2006
From: techsafe.sec at gmail.com (TechSafe Seguranca)
Date: Wed Oct 25 22:59:18 2006
Subject: Blocking MSN
In-Reply-To: <008401c6f6bb$39ad1700$0419a8c0@fly>
References: <008401c6f6bb$39ad1700$0419a8c0@fly>
Message-ID: <50c841770610250301p5ce1ac6pd2ab20bb3b8a8a92@mail.gmail.com>

If your iptables is compiled with patch-o-matic, it is enough to block the string "gateway.dll".
iptables -A INPUT -m string --string 'gateway.dll' -j DROP

Regards,
-- 
______________________________
TechSafe
Your security under our protection

From pupilla at hotmail.com Wed Oct 25 09:08:16 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Wed Oct 25 23:00:37 2006
Subject: Ipt_random module questions
In-Reply-To: <453E451F.1000900@sandquisttech.net>

Tommy Sandquist wrote:
>Thanks for the help! Do you know where I can find more information on this
>statistic match module in 2.6.18. I compiled IPTables 1.3.6

http://www.netfilter.org/projects/patch-o-matic/pom-base.html#pom-base-random

From iler.ml at gmail.com Wed Oct 25 08:46:49 2006
From: iler.ml at gmail.com (Yakov Lerner)
Date: Wed Oct 25 23:30:20 2006
Subject: psd

On 10/23/06, Yakov Lerner wrote:
> I'm sorry, I must be missing something totally obvious.
> I picked patch-o-matic-ng-20060921, iptables-1.3.6.tar.bz2
> and kernel 2.6.18, but in none of them can I
> see the kernel part of the psd module.
>
> I see that psd exists somewhere for 2.6, but why can't I
> find it? It is built in in 2.4, but for 2.6 I'd like to find exactly
> where to download it from (the kernel part).

I see that psd was removed from patch-o-matic-ng on 2006-05-12. Before 2006-05-12, psd was in patch-o-matic. After 2006-05-11, psd is not in patch-o-matic anymore. Does anybody know the reason it was removed?
Yakov

From jcpelaez at gmail.com Tue Oct 24 21:53:36 2006
From: jcpelaez at gmail.com (Juan Carlos Peláez Mendoza)
Date: Thu Oct 26 01:37:04 2006
Subject: Blocking SMTP Worm
In-Reply-To: <9e12c5a529145622a46a6cbe5fc05e4b@former03.de>
References: <19fb1ac90610240653x69cc1951g9766d7c809ddecef@mail.gmail.com> <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com> <453E1D84.6080803@freemail.hu> <19fb1ac90610240719p75fc3580mc45c621cfb616502@mail.gmail.com> <9e12c5a529145622a46a6cbe5fc05e4b@former03.de>
Message-ID: <19fb1ac90610241253u1bc73507u42f133845f60e3cc@mail.gmail.com>

Baltasar,

I think what you say is right: the traffic that tcpdump shows is from before the filters and rules are applied. The IP that I mentioned is now blocked, but other IPs are beginning to send traffic through the interface. How can I stop the traffic to my LAN but not to my Linux box? Because this is my mail server and it is the only one that I want to send traffic on this port.

14:51:55.442934 IP 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp > 192.168.0.163.4115: P 168:192(24) ack 168 win 17353
14:51:55.443055 IP 192.168.0.163.4115 > 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp: . ack 192 win 65344
14:51:55.659325 IP 192.168.0.163.4115 > 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp: P 168:190(22) ack 192 win 65344
14:51:56.554482 IP 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp > 192.168.0.163.4115: P 192:210(18) ack 190 win 17331
14:51:56.665159 IP 192.168.0.163.4115 > 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp: . ack 210 win 65326

Thanks,

Juan Carlos Peláez Mendoza

On 10/24/06, former03 | Baltasar Cevc wrote:
> Hi Juan,
>
> On 24.10.2006, at 16:19, Juan Carlos Peláez Mendoza wrote:
> > Chain FORWARD (policy ACCEPT 59M packets, 20G bytes)
> >  pkts bytes target prot opt in   out source       destination
> > 18236  876K DROP   tcp  --  *    *   192.168.0.92 0.0.0.0/0    tcp dpt:25
> > 3317K 2826M ACCEPT all  --  eth1 *   0.0.0.0/0    0.0.0.0/0
> >
> > Chain INPUT (policy ACCEPT 6671K packets, 733M bytes)
> >  pkts bytes target prot opt in   out source       destination
> >  3084  207K DROP   all  --  *    *   192.168.0.92 0.0.0.0/0
> >
> > Does this mean that my rule is working?? Because the traffic is still
> > passing through both NICs.
> Well, it does mean that these rules are active and x packets/bytes (the
> two first figures on each line) have matched, thus have been
> dropped/accepted. I think tcpdump shows the traffic before filtering is
> done, but I'm not sure.
>
> Baltasar
>
> Baltasar Cevc
>
> _____ former 03 gmbh
> _____ infanteriestraße 19 haus 6 eg
> _____ D-80797 muenchen
>
> _____ http://www.former03.de
>
> --
________________________________________________
"Hope has died in me."

From netfilter-list at kromo.org Tue Oct 24 20:05:51 2006
From: netfilter-list at kromo.org (Victor Toni)
Date: Thu Oct 26 02:05:04 2006
Subject: Howto access modem behind router
In-Reply-To: <453D34CD.904@kromo.org>
References: <453D34CD.904@kromo.org>
Message-ID: <453E55FF.7000705@kromo.org>

Victor Toni wrote:
> Hello,
>
> I have one of these modems which is a router by itself. The modem is
> configured to work in bridged mode.
> Connected to the modem is a router which connects via pppoe via the
> modem with my ISP.
>
>      |<---------- PPPOE link ------------->|
>      |                                     |    |======
> ISP ======= bridged ================= WRT ========= PCs
>             modem                      |    |======
>      |                 |                |
>      |<- 169.254.1.x ->|                |<-- 192.168.1.x -->>
>
>
> The modem has a web interface and telnet which I would like to
> connect to from within the LAN, but this doesn't seem to work.
> I tried the instructions from:
> http://www.dd-wrt.com/wiki/index.php/Access_To_Modem_Configuration
> but this makes the modem only available from the router and not from the
> LAN.
> I currently have some trouble with my connection and would like to use a
> tool to monitor the modem's error status, but this fails due to the
> configuration.
> The modem has the static IP 169.254.1.1 and the router has the static
> IPs 169.254.1.100 and 192.168.1.1.
> I can ping "169.254.1.100" from any LAN machine on 192.168.1.0/24 but
> that's it.
>
> Any help is very much appreciated.
> Is there any additional information I could provide?

I have really no clue about iptables so I would rather have my firewall open or NAT not working anymore after my experiments.

Victor

From laforge at netfilter.org Wed Oct 25 23:11:03 2006
From: laforge at netfilter.org (Harald Welte)
Date: Thu Oct 26 05:21:23 2006
Subject: [ADMINISTRATIVE] netfilter.org service downtime
Message-ID: <20061025211103.GG6264@sunbeam.de.gnumonks.org>

Hi!

As some of you have noticed already, there was a downtime for about 24 hours in delivery of netfilter.org mails, including all mailing lists. Also, bugzilla.netfilter.org is down for the same period of time.

=== This service outage was brought to you by Gentoo updates ===

Mail delivery is now up and running again; bugzilla will take some more time.

I'm really sorry, but apparently every time you update gentoo packages for security reasons on ppc64, it results in major breakage :(

For years I have wanted to migrate to debian/ppc32 on that ppc64 box, but that is likely to take at least two full days, and I'm a bit short in time at the moment.
Sorry for any inconvenience caused.

-- 
- Harald Welte                       http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed."                    -- Paul Vixie

From szocske at gmail.com Thu Oct 26 09:04:48 2006
From: szocske at gmail.com (Gabor Szokoli)
Date: Thu Oct 26 09:43:47 2006
Subject: understanding how conntrack works
In-Reply-To: <2FEE63312285CF428A8480B07AC1C35903657F21@CHN-SNR-MBX01.wipro.com>
References: <2FEE63312285CF428A8480B07AC1C35903657F21@CHN-SNR-MBX01.wipro.com>

On 10/25/06, anisha.chandrasekaran@wipro.com
> [...]
> what are the structures that store conntrack details, i.e., if I want to
> drop a particular connection that is established, which structure entry
> should I be parsing and deleting?

Hi!

I have no idea, but if I were you, I'd look at the source of the conntrack command line utility, which does just that. Google code search for a string literal from its usage notes:

http://www.google.com/codesearch?q=+%22Tool+to+manipulate+conntrack+and+expectations%22+show:RD63OKff6uI:4Aj5uJ7HKoA:cv34qD7QSD4&sa=N&cd=2&ct=rc&cs_p=http://ftp.netfilter.org/pub/conntrack/conntrack-1.00beta2.tar.bz2&cs_f=conntrack-1.00beta2/src/conntrack.c#a0

There, links to libnetfilter_conntrack, you continue :-)

Hope it helps:

Gabor Szokoli

From tarak at ossindia.com Thu Oct 26 09:31:57 2006
From: tarak at ossindia.com (tarak@ossindia.com)
Date: Thu Oct 26 10:20:52 2006
Subject: firewall configuration

> hi all,
>
> i have a problem in iptables, i want to customize the
> firewall.
> through iptables i want to run a shell script which will keep a
> watch on each and every ip address in my organization, that is, how much
> data is downloaded and uploaded from those ip addresses... separately.
> is this possible to do? if so, please tell me how to do it...
>
> thanks in advance
>
> Regards,
> Tarak Ranjan

From nicolm at gmail.com Thu Oct 26 11:23:30 2006
From: nicolm at gmail.com (Marco Nicoloso)
Date: Thu Oct 26 12:02:30 2006
Subject: Cannot go out the firewall

Hello,

I am trying to set up a firewall via iptables on a Debian Sarge with kernel 2.6.8. There are many problems because I have a DNS server on a Windows machine in the internal network. For now I want to keep this configuration because installing a DNS cache on my Linux server would be very difficult for me.

Clients and DNS server cannot resolve any name. Worse, clients of the internal network cannot connect to any of the ports specified in the script. I don't know what to do; I read many, many sample self-explained configurations and it seems to me that I have done everything correctly but, actually, that's not true.

I post my script. Help me, please.

Thanks in advance

M.
Nicoloso

eth0 is the public IP interface
eth1 is the private LAN interface

#!/bin/bash

## RESET THE RULES ##
iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X
iptables -t mangle -X
iptables -t nat -X

## FILTER TABLE ##
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Create new chains
# Chain for int->ext
iptables -N laninet
# Chain for ext->int
iptables -N inetlan

# Hand FORWARD traffic to the chains
iptables -A FORWARD -i eth1 -o eth0 -j laninet
iptables -A FORWARD -i eth0 -o eth1 -j inetlan

# Fragments and invalid packets
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Internal network traffic
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

## FILTER TABLE - INPUT ##
# Accept packets of existing connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Drop all packets that do not belong in the chains
iptables -A laninet -s ! 192.168.7.0/24 -j DROP
iptables -A inetlan -s 192.168.7.0/24 -j DROP

# Accept incoming traffic on the client ports
# Accept connections for P2P clients
#iptables -A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --dport 4668 -j ACCEPT
#iptables -A INPUT -i ppp0 -p udp --dport 18745 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
#iptables -A FORWARD -s 192.168.7.33 -j ACCEPT
#iptables -A OUTPUT -o eth0 -d pop.narod.ru -j ACCEPT
#iptables -A OUTPUT -o eth0 -d smtp.narod.ru -j ACCEPT

# Enabling some of the ICMP packets
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Forward
iptables -A laninet -d 0/0 -j ACCEPT
#iptables -A laninet -p tcp --dport 110 -j ACCEPT
#iptables -A laninet -p tcp --dport 25 -j ACCEPT
#iptables -A laninet -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A laninet -p tcp -j REJECT --reject-with tcp-reset
iptables -A inetlan -p tcp --sport 53 -j ACCEPT
iptables -A inetlan -p udp --sport 53 -j ACCEPT
iptables -A inetlan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A inetlan -p tcp -j REJECT --reject-with tcp-reset

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to 81.xx.xxx.xxx

From 
balazs.fulop at initon.com Thu Oct 26 11:27:45 2006
From: balazs.fulop at initon.com (Balazs Fulop)
Date: Thu Oct 26 12:06:05 2006
Subject: multiple uplinks masquerading
Message-ID: <45407F91.2030201@initon.com>

Dear List!

I am a system administrator at an IT company. We have recently subscribed to a PPPoE Internet connection besides the one we are currently using. I thought it would be a good idea to use them in parallel, as described in the LARTC HOWTO (http://lartc.org/howto/lartc.rpdb.multiple-links.html). I have set up the two pppoe connections as described there and created the following two rules in my iptables setup:

-t nat -A POSTROUTING -o ppp0 -j MASQUERADE
-t nat -A POSTROUTING -o ppp1 -j MASQUERADE

It worked more or less. In most cases the HTTP downloads were faster; however, we had strange experiences. Sometimes SSH didn't seem to work at all. The SSH client asked for a password, but after that it hung. FTP never worked, but I suspect that it will never work because it uses two ports (control, data), and my links are weighted 1 - 1.

Important versions:
Linux 2.6.17.11-grsec
iproute2-ss041019
iptables v1.3.5

Could you please tell me if I did anything wrong? Please answer to the sender address, I am not on the list.

Thanks in advance.
Fülöp Balázs

From swifty at freemail.hu Thu Oct 26 11:27:50 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Thu Oct 26 12:08:02 2006
Subject: Blocking SMTP Worm
In-Reply-To: <19fb1ac90610241253u1bc73507u42f133845f60e3cc@mail.gmail.com>
References: <19fb1ac90610240653x69cc1951g9766d7c809ddecef@mail.gmail.com> <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com> <453E1D84.6080803@freemail.hu> <19fb1ac90610240719p75fc3580mc45c621cfb616502@mail.gmail.com> <9e12c5a529145622a46a6cbe5fc05e4b@former03.de> <19fb1ac90610241253u1bc73507u42f133845f60e3cc@mail.gmail.com>
Message-ID: <45407F96.8090000@freemail.hu>

Juan Carlos Peláez Mendoza wrote:
> Baltasar,
>
> I think what you say is right, the traffic that the tcpdump shows is
> before applying the filters and rules. The IP that I mentioned is
> now blocked, but other IPs are beginning to send traffic through
> the interface,
>
> how can I stop the traffic to my LAN but not to my linux box,
> because this is my Mail Server and is the only one that I want to send
> traffic at this port???
>

iptables -A FORWARD -j DROP -p tcp --dport 25

This will drop every smtp traffic that goes through your box! Remember: This is the FORWARD chain! It is not the nicest solution... :)

Take a look at my script! :)
https://lists.netfilter.org/pipermail/netfilter/2006-August/066404.html

Swifty

> 14:51:55.442934 IP 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp > 192.168.0.163.4115: P 168:192(24) ack 168 win 17353
> 14:51:55.443055 IP 192.168.0.163.4115 > 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp: . ack 192 win 65344
> 14:51:55.659325 IP 192.168.0.163.4115 > 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp: P 168:190(22) ack 192 win 65344
> 14:51:56.554482 IP 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp > 192.168.0.163.4115: P 192:210(18) ack 190 win 17331
> 14:51:56.665159 IP 192.168.0.163.4115 > 61-64-104-223-adsl-tai.STATIC.so-net.net.tw.smtp: . ack 210 win 65326
>
>
> Thanks,
>
>
> Juan Carlos Peláez Mendoza
>

From balazs.fulop at initon.com Thu Oct 26 11:30:43 2006
From: balazs.fulop at initon.com (Balazs Fulop)
Date: Thu Oct 26 12:09:22 2006
Subject: multiple uplinks masquerading
Message-ID: <45408043.2080403@initon.com>

I am on the list now. Sorry for causing too much traffic.

From usenet06 at philpem.me.uk Thu Oct 26 11:08:38 2006
From: usenet06 at philpem.me.uk (Philip Pemberton)
Date: Thu Oct 26 12:19:12 2006
Subject: NATing on a single interface?

Hi,

I've got an ADSL router with a built-in firewall. It's a nice little box, the ADSL front-end is solid (and ADSL2+ compatible, which is nice). Only problem is, it has a maximum of 16 firewall port-forward rules and no support for time-based firewalling.

What I'd like to do is make the router forward packets onto my firewall box, then have iptables deal with NATing and stuff like that. At the moment, the network looks like this:

ADSL ---SpeedtouchUSB@ppp0---> FIREWALL ---eth0---> Other machines

What I want is something more like:

             10.1.0.2   10.1.0.1   10.0.0.1          10.0.0.0/16
ADSL Router ----------> Firewall ------(nat)-----> LAN

ADSL Router: 10.1.0.2/16
Firewall:    10.0.0.1/16 and 10.1.0.1/16
LAN:         10.0.0.0/16

Ordinarily I'd fit another NIC into the firewall, then use Arno's IPtables script to do the NATing from eth0 (external) to eth1 (internal). Problem is, the firewall server can't take another NIC - it's only got one onboard and no facility to add another (the server is a Linksys NSLU2 - an embedded server, in other words) unless I add a USB adapter, which would be a bit less than ideal for LAN routing (I hear the USB adapters are quite slow and prone to packet loss).
So what I'd like to do is have the DSL router forwarding to the firewall server, then have the firewall server do NATing and firewalling for the entire LAN subnet, all on a single interface. Is this doable, or do I really need to add another Ethernet interface?

I've read a few IPtables HOWTOs and I just don't understand how it's all supposed to work (which is why I used the Arno script in the first place)...

Thanks.
-- 
Phil.                      | (\_/)   This is Bunny. Copy and paste Bunny
usenet06@philpem.me.uk     | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/  | (")_(") world domination.
If mail bounces, replace "06" with the last two digits of the current year.

From swifty at freemail.hu Thu Oct 26 11:41:31 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Thu Oct 26 12:21:13 2006
Subject: Cannot go out the firewall
Message-ID: <454082CB.4070805@freemail.hu>

Marco Nicoloso wrote:
> Hello,
> ...
>
> Help me, please.

Would you please post the output of these commands?

iptables -vnL
iptables -vnL -t nat
iptables -vnL -t mangle

Thanx

Swifty

From nicolm at gmail.com Thu Oct 26 11:55:39 2006
From: nicolm at gmail.com (Marco Nicoloso)
Date: Thu Oct 26 12:34:38 2006
Subject: Cannot go out the firewall
In-Reply-To: <454082CB.4070805@freemail.hu>
References: <454082CB.4070805@freemail.hu>

2006/10/26, Gáspár Lajos:
> Would you please post the output of these commands?
Immediately

> iptables -vnL

    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    8   528 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:53
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 laninet    all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 inetlan    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    5   540 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain inetlan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.7.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset

Chain laninet (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      !192.168.7.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

> iptables -vnL -t nat
iptables: Table does not exist (do you need to insmod?)

> iptables -vnL -t mangle
iptables: Table does not exist (do you need to insmod?)

But modules iptable_nat and iptable_mangle (although, I think, iptable_mangle is not necessary for me) are loaded. Do I need to create table nat, or is it built-in?

> Thanx
>
> Swifty
>
>

From don at bowenvale.co.nz Thu Oct 26 11:48:43 2006
From: don at bowenvale.co.nz (Don Gould)
Date: Thu Oct 26 12:37:56 2006
Subject: IPTables script problem...
Message-ID: <4540847B.8080407@bowenvale.co.nz>

Can anyone tell me why this isn't working? If I add the ip to the filter manually from the cmd line then it works; if I try to do it in the script it doesn't.

From below...

iptables -A traffic_in -d $3 >> /home/shared/dhcpconnect.log
iptables -A traffic_out -s $3 >> /home/shared/dhcpconnect.log

doesn't seem to add the IP, but...

iptables -A traffic_out -s 192.168.3.151

will work just fine...

Chain traffic_in (4 references)
 pkts bytes target     prot opt in     out     source               destination
 7707 4745K            all  --  *      *       0.0.0.0/0            192.168.2.148
  678  529K            all  --  *      *       0.0.0.0/0            192.168.2.136

Chain traffic_out (3 references)
 pkts bytes target     prot opt in     out     source               destination
 7402 1328K            all  --  *      *       192.168.2.148        0.0.0.0/0
  582 95736            all  --  *      *       192.168.2.136        0.0.0.0/0
    0     0            all  --  *      *       192.168.3.151        0.0.0.0/0

As you can see, I only added 151 to one filter manually. It should have been added automatically when the script was next called by dnsmasq.

====

And now for the offending script...
[root@bowenvale shared]# cat dhcp.src
#!/bin/sh
nowdate=$(date)
# echo $nowdate, $0, $1, $2, $3 >> /home/shared/dhcpconnect.log

echo $nowdate, $2, $3 >> /home/shared/dhcpconnect.log

echo "Start" >> /home/shared/dhcpconnect.log

mysql -h bowenvale -u oncs -pbutterfly -e "INSERT INTO oncs.tblSessionRequest (MACAddress, IPAddress) VALUES('$2', '$3 ');" &> /home/shared/dhcpconnect.log

echo "Done - database log" >> /home/shared/dhcpconnect.log

# Now we start the data accounting bit using IP tables...
# Make sure the iptables rules exist! This should return errors because these rules should always already exist.
iptables -N traffic_in >> /home/shared/dhcpconnect.log
iptables -N traffic_out >> /home/shared/dhcpconnect.log

echo $nowdate, $2, $3 >> /home/shared/dhcpconnect.log

echo "Done - rule create" >> /home/shared/dhcpconnect.log

# Create Rule for IP to count the data.
iptables -A traffic_in -d $3 >> /home/shared/dhcpconnect.log
iptables -A traffic_out -s $3 >> /home/shared/dhcpconnect.log

echo "Done - counter add" >> /home/shared/dhcpconnect.log

#add chains as target to FORWARD rule - after the first time, this should always be already done.
iptables -I FORWARD 1 -j traffic_in >> /home/shared/dhcpconnect.log
iptables -I FORWARD 2 -j traffic_out >> /home/shared/dhcpconnect.log

echo "Done forward rule add" >> /home/shared/dhcpconnect.log

echo "Done", $2, $3 >> /home/shared/dhcpconnect.log
[root@bowenvale shared]#

Cheers

Don
-- 
Don Gould
www.thinkdesignprint.co.nz - www.tcn.bowenvale.co.nz - www.bowenvale.co.nz - www.hearingbooks.co.nz - www.buxtonsquare.co.nz - SkypeMe: ThinkDesignPrint - Good ideas: www.solarking.co.nz

From swifty at freemail.hu Thu Oct 26 12:15:03 2006
From: swifty at freemail.hu (Gáspár Lajos)
Date: Thu Oct 26 12:54:40 2006
Subject: Cannot go out the firewall
References: <454082CB.4070805@freemail.hu>
Message-ID: <45408AA7.5050106@freemail.hu>

Marco Nicoloso wrote:
>> iptables -vnL
>
> 0 0 DROP all -f * * 0.0.0.0/0
> 0.0.0.0/0 ...

hmmm... Something is wrong with your kernel or iptables... Or you just entered these commands right after your firewall script... The packet counts in the chains should mostly be more than 0! :)

>> iptables -vnL -t nat
> iptables: Table does not exist (do you need to insmod?)

Well... You need it. In this command:

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to 81.xx.xxx.xxx

Try this in the head of your script:

modprobe ip_conntrack >/dev/null 2>/dev/null
modprobe ip_conntrack_ftp >/dev/null 2>/dev/null
modprobe ip_conntrack_irc >/dev/null 2>/dev/null
modprobe ip_nat >/dev/null 2>/dev/null
modprobe ip_nat_ftp >/dev/null 2>/dev/null
modprobe ip_nat_irc >/dev/null 2>/dev/null
modprobe iptable_filter >/dev/null 2>/dev/null
modprobe iptable_mangle >/dev/null 2>/dev/null
modprobe iptable_nat >/dev/null 2>/dev/null

>> iptables -vnL -t mangle
> iptables: Table does not exist (do you need to insmod?)
>

Not now :) Maybe later... :)

> But modules iptable_nat and iptable_mangle (although, I think,
> iptable_mangle is not necessary for me) are loaded.
>

Are you sure?
> Do I need to create table nat, or it is built-in? > It is built-in, but should be loaded if you compiled as a module in you kernel. From "man iptables": If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there. Swifty From swifty at freemail.hu Thu Oct 26 14:06:51 2006 From: swifty at freemail.hu (=?ISO-8859-1?Q?G=E1sp=E1r_Lajos?=) Date: Thu Oct 26 14:46:15 2006 Subject: IPTables script problem... In-Reply-To: <4540847B.8080407@bowenvale.co.nz> References: <4540847B.8080407@bowenvale.co.nz> Message-ID: <4540A4DB.6080001@freemail.hu> Don Gould ?rta: > Can anyone tell me why this isn't working? > ... > > [root@bowenvale shared]# cat dhcp.src > #!/bin/sh For debug try this: #!/bin/bash -x > nowdate=$(date) > # echo $nowdate, $0, $1, $2, $3 >> /home/shared/dhcpconnect.log > > echo $nowdate, $2, $3 >> /home/shared/dhcpconnect.log > > echo "Start" >> /home/shared/dhcpconnect.log > > mysql -h bowenvale -u oncs -pbutterfly -e "INSERT INTO > oncs.tblSessionRequest (MACAddress, IPAddress) VALUES('$2', '$3 > ');" &> /home/shared/dhcpconnect.log hmm... You mean: &>>/home ??? > echo "Done - database log" >> /home/shared/dhcpconnect.log > > # Now we start the data accounting bit using IP tables... > # Make sure the iptables rules exist! This should return errors because > these rules should always already exist. > iptables -N traffic_in >> /home/shared/dhcpconnect.log > iptables -N traffic_out >> /home/shared/dhcpconnect.log > > echo $nowdate, $2, $3 >> /home/shared/dhcpconnect.log > > echo "Done - rule create" >> /home/shared/dhcpconnect.log > > # Create Rule for IP to count the data. > iptables -A traffic_in -d $3 >> /home/shared/dhcpconnect.log > iptables -A traffic_out -s $3 >> /home/shared/dhcpconnect.log > > echo "Done - counter add" >> /home/shared/dhcpconnect.log > > #add chains as target to FORWARD rule - after the first time, this > should always be already done. 
> iptables -I FORWARD 1 -j traffic_in >> /home/shared/dhcpconnect.log
> iptables -I FORWARD 2 -j traffic_out >> /home/shared/dhcpconnect.log
>
>
> echo "Done forward rule add" >> /home/shared/dhcpconnect.log
>
> echo "Done", $2, $3 >> /home/shared/dhcpconnect.log
>

What is in dhcpconnect.log ??? :)
Could you post it? :)

Swifty

From dufresne at sysinfo.com Thu Oct 26 17:47:23 2006
From: dufresne at sysinfo.com (R. DuFresne)
Date: Thu Oct 26 18:24:38 2006
Subject: Two identical ips connected
In-Reply-To: <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
References: <20061016095557.058bbde3@vmm1.chaosbringer.de> <49542.193.173.147.3.1160991666.squirrel@webmail.sterenborg.info> <20061016120211.6ab1d49b@vmm1.chaosbringer.de>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 16 Oct 2006, Julian Hagenauer wrote:

> Hi
>
>> If your packet would make it to the router and the router had this configuration:
>> - eth0: 192.168.1.0/24
>> - eth1: 192.168.1.0/24
>> the router cannot distinguish the subnets.
>>
>
> Why so complicated.
> eth0: 192.168.1.4
> eth1: 192.168.1.4
>
> (Host-based routing) would be enough. Sure, the router cannot distinguish between the IPs, but it could distinguish between the MACs, so would it be possible to do masquerading based on MAC addresses?
>
>> But you'd not even get that far.
>> When you send a packet from a client to the server and this server has the same IP
>> as the client (thus src and dst IP are the same), then the packet wouldn't
>> even make it to the router: it would be sent to itself.
>
> Mhm, I don't understand that. Let me explain my setup in greater detail:
>
> Server1---------|
>                 |
>                 |
>                 |
> Server2-------Router-------Client
>                 |
>                 |
>                 DB
>
> I want Server1 and Server2 to have the same IP, although only Server1 should be accessible for clients.
> The reason for that is that I want to do some kind of load balancing.
> The problem is that both servers need permanent access to the DB, so the router should somehow translate/masquerade the IP of Server2, so that both servers can access the DB at the same time.

The VIP goes on the load balancer, and the servers behind it have distinct IPs; then your setup would work. But you are going to have to obtain or set up a server in front of the two servers to do the load balancing to those servers behind it.

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFQNiOst+vzJSwZikRAqyCAJ0bGx/8bMaxjyb/ISS5cKWWJbcGzACfQb0H
aMXNMR0g+jdCUe9IGQ+HBlM=
=KJJA
-----END PGP SIGNATURE-----

From rnicholsNOSPAM at comcast.net Thu Oct 26 17:45:08 2006
From: rnicholsNOSPAM at comcast.net (Robert Nichols)
Date: Thu Oct 26 18:25:24 2006
Subject: NATing on a single interface?
In-Reply-To:
References:
Message-ID:

Philip Pemberton wrote:
> So what I'd like to do is have the DSL router forwarding to the
> firewall server, then have the firewall server do NATing and firewalling
> for the entire LAN subnet, all on a single interface. Is this doable, or
> do I really need to add another Ethernet interface?

There's no reason a forwarded packet can't go back out the same interface on which it arrived. There's an obvious compromise in security when you have both sides of the firewall on the same physical network, but if you trust your own machines and just want to protect against external attacks you should be OK as long as the DSL router forwards packets to the firewall machine only.

--
Bob Nichols
Yes, "NOSPAM" is really part of my email address.
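The single-interface forwarding Bob describes, worked through as an added example that is not part of the thread: a one-armed rule set for a firewall whose only interface, eth0, is shared with the LAN hosts and the DSL router, where the firewall is the LAN's default gateway and the DSL router port-forwards the published ports to the firewall only (his precondition). The addresses (10.1.0.1 firewall, 10.1.0.2 DSL router, 10.1.0.0/24 LAN, 10.1.0.10 internal server), the ports and the script itself are assumptions for illustration. It also covers two things the reply does not spell out: the kernel sends an ICMP redirect when it forwards a packet back out the interface it arrived on, which would tell LAN hosts to go to the DSL router directly and bypass the firewall, so redirects are switched off; and because replies on a shared segment can reach a LAN host without passing the firewall, outbound and hairpinned flows are source-NATed to the firewall's address so conntrack sees both directions. The script prints the commands by default and only executes them with APPLY=1.

```shell
#!/bin/sh
# One-armed firewall: LAN hosts, the DSL router and the firewall share one
# segment on eth0, and the firewall is the LAN's default gateway. Every
# address and port here is an assumption for illustration only.
IFACE=${IFACE:-eth0}
FW_IP=${FW_IP:-10.1.0.1}          # the firewall's only address
DSL_IP=${DSL_IP:-10.1.0.2}        # DSL router, next hop to the Internet
LAN=${LAN:-10.1.0.0/24}
DMZ_HOST=${DMZ_HOST:-10.1.0.10}   # internal server published to the outside
PUB_PORTS=${PUB_PORTS:-"80 443"}  # TCP ports the DSL router forwards to FW_IP

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}             # 1 = print the commands, 0 = execute them

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

onearm_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # A packet forwarded out the interface it arrived on makes the kernel
    # send an ICMP redirect, which tells the LAN host to use the DSL router
    # directly and walk around the firewall. Turn that off, both ways.
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w net.ipv4.conf.$IFACE.send_redirects=0
    run sysctl -w net.ipv4.conf.$IFACE.accept_redirects=0

    run $IPT -P FORWARD DROP
    run $IPT -F FORWARD
    run $IPT -t nat -F PREROUTING
    run $IPT -t nat -F POSTROUTING

    run $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound: LAN host -> firewall -> DSL router, all on eth0. Source-NAT
    # to the firewall's own address so the router's replies come back via the
    # firewall; without it the replies go straight to the LAN host, conntrack
    # sees only one direction and the ESTABLISHED rule never matches.
    run $IPT -A FORWARD -i $IFACE -o $IFACE -s $LAN ! -d $LAN -m conntrack --ctstate NEW -j ACCEPT
    run $IPT -t nat -A POSTROUTING -o $IFACE -s $LAN ! -d $LAN -j SNAT --to-source $FW_IP

    # Inbound: the DSL router forwards to FW_IP only. DNAT the published ports
    # to the internal server and forward nothing else towards it: the FORWARD
    # rule only accepts connections that our own DNAT rule created.
    for p in $PUB_PORTS; do
        run $IPT -t nat -A PREROUTING -i $IFACE -d $FW_IP -p tcp --dport $p -j DNAT --to-destination $DMZ_HOST
        run $IPT -A FORWARD -i $IFACE -o $IFACE -d $DMZ_HOST -p tcp --dport $p -m conntrack --ctstate DNAT -j ACCEPT
    done

    # Hairpin: a LAN host that reaches the service via FW_IP is DNATed too,
    # but the server would answer it directly on the shared segment. SNAT
    # those flows as well so the reply also returns through the firewall.
    run $IPT -t nat -A POSTROUTING -o $IFACE -s $LAN -d $DMZ_HOST -j SNAT --to-source $FW_IP
}

# "sh onearm.sh" prints the commands; "APPLY=1 sh onearm.sh" (as root) runs them.
if [ "${APPLY:-0}" = 1 ]; then
    DRY_RUN=0
fi
onearm_rules
```

Review the printed commands first, then apply as root and confirm with iptables -vnL FORWARD and iptables -t nat -vnL. The internal server's default gateway has to be the firewall as well, otherwise its replies to outside clients take the direct path to the DSL router and never get un-DNATed. The ctstate DNAT rule is what keeps the shared segment from becoming a second door: only connections the firewall itself rewrote are forwarded towards the internal server.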
From baltasar.cevc at former03.de Thu Oct 26 17:53:01 2006
From: baltasar.cevc at former03.de (former03 | Baltasar Cevc)
Date: Thu Oct 26 18:32:16 2006
Subject: Howto access modem behind router
In-Reply-To: <453E55FF.7000705@kromo.org>
References: <453D34CD.904@kromo.org> <453E55FF.7000705@kromo.org>
Message-ID:

Victor,

On 24.10.2006, at 20:05, Victor Toni wrote:
> Victor Toni wrote:
>> Hello,
>>
>> I have one of these modems which is a router by itself. The modem is
>> configured to work in bridged mode.
>> Connected to the modem is a router which connects via pppoe via the
>> modem with my ISP.
>>
>> |<---------- PPPOE link ------------->|
>> |                                     |             |======
>> ISP ======= bridged ================= WRT ========= PCs
>>             modem  |                 |   |          |======
>>                    |                 |   |
>>                    |<- 169.254.1.x ->|   |<-- 192.168.1.x -->>
>>
>>
>>
>> The modem has a web interface and telnet which I would like to
>> connect to from within the LAN but this doesn't seem to work.
>> I have currently some trouble with my connection and would like to
>> use a
>> tool to monitor the modem's error status but this fails due to the
>> configuration.
>> The modem has the static IP 169.254.1.1 and the router has the static
>> IPs 169.254.1.100 and 192.168.1.1.
>> I can ping "169.254.1.100" from any LAN machine on 192.168.1.0/24 but
>> that's it.

You should provide the relevant rulesets (iptables -L -v; iptables -L -v -t nat). If you can ping the modem from a client in the LAN, the routing seems to be working, as well as the NAT (if needed). You'll probably have to add some rule to the forwarding filter; but that's impossible to tell without knowing your current setup.

While I don't think that's the problem, just a little warning: the IPs on the modem segment are from the linklocal net, and are not meant to be routed - see RFC 3927: "[...]valid for communication with other devices connected to the same physical (or logical) link".
Baltasar

_____ former 03 gmbh _____ infanteriestraße 19 haus 6 eg _____ 80797 muenchen _____ baltasar.cevc@former03.de _____ www.former03.de _____ fon 0941.206.6952 _____ fax 089.322112.11 _____ mobil 0176.232.20.822

From netfilter-list at kromo.org Thu Oct 26 18:20:00 2006
From: netfilter-list at kromo.org (Victor Toni)
Date: Thu Oct 26 18:59:05 2006
Subject: Howto access modem behind router
In-Reply-To:
References: <453D34CD.904@kromo.org> <453E55FF.7000705@kromo.org>
Message-ID: <4540E030.1070404@kromo.org>

former03 | Baltasar Cevc wrote:
> On 24.10.2006, at 20:05, Victor Toni wrote:
>> Victor Toni wrote:
>>> I have one of these modems which is a router by itself. The modem is
>>> configured to work in bridged mode.
>>> Connected to the modem is a router which connects via pppoe via the
>>> modem with my ISP.
>>>
>>> |<---------- PPPOE link ------------->|
>>> |                                     |             |======
>>> ISP ======= bridged ================= WRT ========= PCs
>>>             modem  |                 |   |          |======
>>>                    |                 |   |
>>>                    |<- 169.254.1.x ->|   |<-- 192.168.1.x -->>
>>>
>>>
>>>
>>> The modem has a web interface and telnet which I would like to
>>> connect to from within the LAN but this doesn't seem to work.

Based on the article above I tried this:

/usr/sbin/iptables -I POSTROUTING -t nat -o vlan1 -d 169.254.0.0/16 -j MASQUERADE

(as you seem to speak German, here is the German article which uses the (seemingly) same config
http://wiki.mhilfe.de/index.php/Modem_%C3%BCber_Router_auslesen )

>>> I have currently some trouble with my connection and would like to
>>> use a
>>> tool to monitor the modem's error status but this fails due to the
>>> configuration.
>>> The modem has the static IP 169.254.1.1 and the router has the static
>>> IPs 169.254.1.100 and 192.168.1.1.
>>> I can ping "169.254.1.100" from any LAN machine on 192.168.1.0/24 but
>>> that's it.
>
> You should provide the relevant rulesets (iptables -L -v;
> iptables -L -v -t nat).
If you can ping the modem from a client > in the LAN, the routing seems to be working, as well as the > NAT (if needed). > You'll probably have to add some rule to the forwarding filter; but > that's impossible to tell without knowing your current setup. > > While I don't think that's the problem, just a little warning: the > IPs on the modem segment are from the linklocal net, and are not > meant to be routed - see RFC 3927: "[...]valid for communication > with other devices connected to the same physical (or logical) link". It seems that people got this to work with a config similar to mine although I don't know exactly where it doesn't get through. I can ping the modem from the router (WRT) but not from any other machine. It can see the packet count go up in the router when I try to ping the router from a LAN machine but that's it. Below are the rulesets. Thanks for your response. Victor -------------------------------------------------------------------------------------------------------------- ~ # iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 51 4649 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520 0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520 16 1101 DROP icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 2 64 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW 3 324 logaccept all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW 181 13713 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT 47 -- * ppp0 192.168.1.0/24 0.0.0.0/0 0 0 ACCEPT tcp -- * ppp0 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0 0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 772 37084 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 
tcpmss match 1453:65535 TCPMSS set 1452 38579 10M lan2wan all -- br0 * 0.0.0.0/0 0.0.0.0/0 73474 31M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 191 9339 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.13 tcp dpt:4662 51 3578 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.13 udp dpt:4672 0 0 TRIGGER all -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0 4695 366K trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0 4695 366K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 54 packets, 11482 bytes) pkts bytes target prot opt in out source destination Chain advgrp_1 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_10 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_2 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_3 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_4 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_5 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_6 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_7 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_8 (0 references) pkts bytes target prot opt in out source destination Chain advgrp_9 (0 references) pkts bytes target prot opt in out source destination Chain grp_1 (0 references) pkts bytes target prot opt in out source destination Chain grp_10 (0 references) pkts bytes target prot opt in out source destination Chain grp_2 (0 references) pkts bytes target prot opt in out source destination Chain grp_3 (0 references) pkts bytes target prot opt in out source destination Chain grp_4 (0 references) pkts bytes target prot opt in out source destination Chain grp_5 (0 references) pkts bytes target prot opt in out source destination Chain grp_6 (0 references) pkts bytes target prot opt 
in out source destination Chain grp_7 (0 references) pkts bytes target prot opt in out source destination Chain grp_8 (0 references) pkts bytes target prot opt in out source destination Chain grp_9 (0 references) pkts bytes target prot opt in out source destination Chain lan2wan (1 references) pkts bytes target prot opt in out source destination Chain logaccept (1 references) pkts bytes target prot opt in out source destination 3 324 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain logdrop (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain logreject (0 references) pkts bytes target prot opt in out source destination 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset Chain trigger_out (1 references) pkts bytes target prot opt in out source destination -------------------------------------------------------------------------------------------------------------- ~ # iptables -nvL -t nat Chain PREROUTING (policy ACCEPT 5306 packets, 370K bytes) pkts bytes target prot opt in out source destination 0 0 DNAT icmp -- * * 0.0.0.0/0 84.62.187.36 to:192.168.1.1 290 14143 DNAT tcp -- * * 0.0.0.0/0 84.62.187.36 tcp dpt:4662 to:192.168.1.13:4662 127 8421 DNAT udp -- * * 0.0.0.0/0 84.62.187.36 udp dpt:4672 to:192.168.1.13:4672 301 24403 TRIGGER all -- * * 0.0.0.0/0 84.62.187.36 TRIGGER type:dnat match:0 relate:0 Chain POSTROUTING (policy ACCEPT 417 packets, 22564 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * vlan1 0.0.0.0/0 169.254.0.0/16 5002 346K MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24 Chain OUTPUT (policy ACCEPT 9 packets, 583 bytes) pkts bytes target prot opt in out source destination From nicolm at gmail.com Thu Oct 26 19:37:08 2006 From: nicolm at gmail.com (Marco Nicoloso) Date: Thu Oct 26 20:16:11 2006 Subject: Cannot go out the 
firewall
In-Reply-To: <45408AA7.5050106@freemail.hu>
References: <454082CB.4070805@freemail.hu> <45408AA7.5050106@freemail.hu>
Message-ID:

2006/10/26, Gáspár Lajos :
> Marco Nicoloso wrote:
>>> iptables -vnL
>>
>> 0 0 DROP all -f * * 0.0.0.0/0 0.0.0.0/0
>> ...
>
> hmmm...
>
> Something wrong with your kernel or iptables...
> Or you just entered these commands right after your firewall script...
> The counts of packets in the chains should be mostly more than 0 ! :)
>
>>> iptables -vnL -t nat
>> iptables: Table does not exist (do you need to insmod?)
> Well...
> You need it.
>
> In this command:
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to
> 81.xx.xxx.xxx
>
> Try this in the head of your script:
>
> modprobe ip_conntrack >/dev/null 2>/dev/null
> modprobe ip_conntrack_ftp >/dev/null 2>/dev/null
> modprobe ip_conntrack_irc >/dev/null 2>/dev/null
> modprobe ip_nat >/dev/null 2>/dev/null
> modprobe ip_nat_ftp >/dev/null 2>/dev/null
> modprobe ip_nat_irc >/dev/null 2>/dev/null
> modprobe iptable_filter >/dev/null 2>/dev/null
> modprobe iptable_mangle >/dev/null 2>/dev/null
> modprobe iptable_nat >/dev/null 2>/dev/null
>

I found out that module ip_nat isn't found; this is likely the cause of the problem. Which kernel option enables it?

Thank you very much.

Dosto

From vwf at vulkor.net Thu Oct 26 20:53:57 2006
From: vwf at vulkor.net (vwf)
Date: Thu Oct 26 21:32:59 2006
Subject: how to filter on applications?
Message-ID: <20061026185357.GA4832@trane.vulkor.net>

Hello,

I want to filter outgoing traffic based on the originating application. How do I do this? Please tell me iptables can do this. If not, how can I lock down my system?

Thanks.

From lists at addictz.org Thu Oct 26 21:25:22 2006
From: lists at addictz.org (Mike)
Date: Thu Oct 26 22:04:29 2006
Subject: how to filter on applications?
In-Reply-To: <20061026185357.GA4832@trane.vulkor.net>
References: <20061026185357.GA4832@trane.vulkor.net>
Message-ID: <46522.136.1.1.154.1161890722.squirrel@mail.addictz.org>

vwf wrote:
> Hello,
>
> I want to filter outgoing traffic based on the originating application.
> How do I do this? Please tell me iptables can do this. If not, how can I
> lock down my system?
>
> Thanks.
>

http://l7-filter.sourceforge.net/

From allan.comar at gmail.com Thu Oct 26 21:35:51 2006
From: allan.comar at gmail.com (Allan Spagnol Comar)
Date: Thu Oct 26 22:14:51 2006
Subject: Block smtp traffic
Message-ID: <1cc2dc830610261235q7d678544r7dc62711bbea43d9@mail.gmail.com>

Hi list, this is my first post.

I have an internet gateway on which I want to block all traffic sent to SMTP ports (25 tcp). I have done this:

iptables -A FORWARD -i eth1 -p tcp --dport 25 -j DROP

and I cannot make this rule work; my users can still connect to port 25.... I tried changing from DROP to REJECT and still have the same problem. Where can I look to make this work?

thanks, Allan

--
An application asked: "Requires Windows 9x, NT4 or better", so I've installed Linux

From dromano at vmware.com Thu Oct 26 21:44:10 2006
From: dromano at vmware.com (Darryl Romano)
Date: Thu Oct 26 22:23:16 2006
Subject: Block smtp traffic
Message-ID: <882A4B7A51024043B9E5EA13382DF2110151572A@PA-EXCH03.vmware.com>

If the server that you are running this rule on is the same server as your SMTP, then you should change the rule to -A INPUT.
Regards,

Darryl Romano, VCP, RHCE
VMware Technical Support
1-877-4-VMWARE
1-877-486-9273
Use our Knowledge Base to search for Troubleshooting information: http://www.vmware.com/kb
VMware Community Access: http://www.vmware.com/community/index.jspa

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Allan Spagnol Comar
Sent: Thursday, October 26, 2006 3:36 PM
To: netfilter@lists.netfilter.org
Subject: Block smtp traffic

Hi list, this is my first post.

I have an internet gateway on which I want to block all traffic sent to SMTP ports (25 tcp). I have done this:
iptables -A FORWARD -i eth1 -p tcp --dport 25 -j DROP

and I cannot make this rule work; my users can still connect to port 25.... I tried changing from DROP to REJECT and still have the same problem. Where can I look to make this work?

thanks, Allan

--
An application asked: "Requires Windows 9x, NT4 or better", so I've installed Linux

From pablo at blueoakdb.com Thu Oct 26 21:49:43 2006
From: pablo at blueoakdb.com (Pablo Sanchez)
Date: Thu Oct 26 22:28:55 2006
Subject: Block smtp traffic
In-Reply-To: <1cc2dc830610261235q7d678544r7dc62711bbea43d9@mail.gmail.com>
Message-ID: <010301c6f937$e22daec0$0419a8c0@fly>

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Allan Spagnol Comar
> Sent: Thursday, October 26, 2006 3:36 PM
> To: netfilter@lists.netfilter.org
> Subject: Block smtp traffic
>
> Hi list, this is my first post.
>
> I have an internet gateway on which I want to block all traffic sent to SMTP
> ports (25 tcp). I have done this:
> iptables -A FORWARD -i eth1 -p tcp --dport 25 -j DROP
>
> and I cannot make this rule work; my users can still connect to port
> 25.... I tried changing from DROP to REJECT and still have the same problem.
> Where can I look to make this work?
Think of iptables as being a huge if-then check per rule until a DROP/RETURN/ACCEPT/QUEUE is encountered - the man page does an excellent job of describing this in paragraph one of 'TARGETS':

    if rule #1 applies _and_ DROP/RETURN/ACCEPT/QUEUE, stop
    if rule #2 applies _and_ DROP/RETURN/ACCEPT/QUEUE, stop
    ...
    if rule #N applies or not and we've run out of things to do, apply the POLICY as our 'DEFAULT'

This means that given you're A(ppending) your rule, you probably have another rule preceding the rule above which is ACCEPT'ing the packet somehow. Move the above rule up the chain. You might even put it at the very beginning as a test:

    iptables -I FORWARD ....

I hope that helps.

---
Pablo Sanchez - Blueoak Database Engineering, Inc
Ph: 819.459.1926 Toll free: 888.459.1926
Cell: 819.918.9731 Pgr: pablo_p@blueoakdb.com
Fax: 603.720.7723 (US)

From gabrix at gabrix.ath.cx Thu Oct 26 22:29:14 2006
From: gabrix at gabrix.ath.cx (gabrix)
Date: Thu Oct 26 23:08:24 2006
Subject: my script !
Message-ID: <45411A9A.6080509@gabrix.ath.cx>

I would like your opinion on my firewall script. I will also list all services available on each machine in the LAN and how the LAN is configured... keep tight !!!
my lan :

[router-netgear]
|
|
|
[Linuxbox-2eth__firewall_debian_sarge3.1kernel 2.6]
|
|
|
[switch8ports]
|
|
|
[1debianbox_courier-pop-popssl-postfix-webserver] [2debianbox_samba_nfs_proftpd_ircd_webserver] [3windows_emule]

firewall on linuxbox:

> #!/bin/bash -x
>
>
> # LOAD MODULES
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> modprobe ip_conntrack_irc
> modprobe ip_nat_irc
>
> # SOME VARIABLES TO START WITH
> NET1=192.168.0.0/16
> NET2=192.168.0.0/30
> NET3=192.168.1.0/29
> NET4=192.168.1.0/24
> ROUT=192.168.0.1/32
> ARG0=192.168.0.2/32
> ARG1=192.168.1.1/32
> WWW=192.168.1.4/32
> MAIL=192.168.1.6/32
> MAC=192.168.0.3/32
> DNS1=85.37.17.11/32
> DNS2=85.38.28.69/32
> IPT=/sbin/iptables
> IF0=eth0
> IF1=eth1
>
> # FLUSH
> echo "0" > /proc/sys/net/ipv4/ip_forward
>
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P OUTPUT ACCEPT
> $IPT -t mangle -P PREROUTING ACCEPT
> $IPT -t mangle -P POSTROUTING ACCEPT
> $IPT -t mangle -P INPUT ACCEPT
> $IPT -t mangle -P OUTPUT ACCEPT
> $IPT -t mangle -P FORWARD ACCEPT
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
>
> # DEFAULTS
> $IPT -P INPUT DROP
> $IPT -P OUTPUT DROP
> $IPT -P FORWARD DROP
> $IPT -t mangle -P PREROUTING ACCEPT
> $IPT -t mangle -P OUTPUT ACCEPT
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P OUTPUT ACCEPT
>
>
> # FREE_LOCALHOST
> $IPT -A INPUT -j ACCEPT -i lo
> $IPT -A INPUT -j ULOG --ulog-prefix "LOCAL_SPOOF:" -i ! lo -s 127.0.0.1/255.0.0.0
> $IPT -A INPUT -j DROP -i !
lo -s 127.0.0.1/255.0.0.0 > $IPT -A OUTPUT -j ACCEPT -o lo > > > # LAN eth0 > $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT > $IPT -A INPUT -i $IF0 -s $NET2 -j ACCEPT > $IPT -A INPUT -i $IF0 -s $MAC -j ACCEPT > $IPT -A INPUT -i $IF0 -s $NET1 -j ULOG --ulog-prefix " ### ETH0__SPOOF:" > $IPT -A INPUT -i $IF0 -s $NET1 -j DROP > > # LAN eth1 > $IPT -A INPUT -i eth1 -s 192.168.1.0/29 -j ACCEPT > > ## > WW=135,136,137,138,139,445 > $IPT -t nat -I PREROUTING -p tcp -i $IF0 -d $ARG0 -m multiport --dport > $WW -j DROP > $IPT -t nat -I PREROUTING -p udp -i $IF0 -d $ARG0 -m multiport --dport > $WW -j DROP > > # MSSQL > $IPT -t nat -I PREROUTING -i $IF0 -p tcp --dport 1433:1434 -m limit -j > ULOG --ulog-prefix "Firewalled packet: MSSQL " > $IPT -t nat -I PREROUTING -i $IF0 -p tcp --dport 1433:1434 -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 1433:1434 -m limit -j > ULOG --ulog-prefix "Firewalled packet: MSSQL " > $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 1433:1434 -j DROP > > # Traceroutes depend on finding a rejected port. 
DROP the ones it uses > $IPT -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j ULOG > --ulog-prefix "TRACEROUTE_UDP:" > $IPT -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j DROP > > > # GNUTELLA NETWORK > $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 6346:6348 -d $NET2 -j > DROP > > # PORTS_BLACK_LIST > PBL=1024,1025,1026,1027,33058,34120,40193 > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m multiport > --dports $PBL -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p udp -d $NET2 -m multiport > --dports $PBL -j DROP > > # UDP Traceroute > $IPT -t nat -I PREROUTING -i $IF0 -p udp -d 192.168.0.0/16 --dport > 33434:33523 -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p udp -d 192.168.0.0/16 --dport > 33434:33523 -j ULOG --ulog-prefix "UDP_TRACEROUTES :" > > > #-----------------------------------------------------------------------------------# > # ICMP > TYPES # > #-----------------------------------------------------------------------------------# > # > # > # 0 = Echo Reply, what gets sent back after a type 8 is received > here # > # 3 = Destination Unreachable (inbound) or Fragmentation Needed > (out) [RFC792] # > # 4 = Source Quench tells sending IP to slow down its rate to > destination # > # 5 = Redirect > [RFC792] # > # 6 = Alternate Host > Address # > # 8 = Echo Request used for pinging hosts, but see the note > above # > # 9 = Router Advertisement > [RFC1256] # > # 10 = Router Selection > [RFC1256] # > # 11 = Time Exceeded used for traceroute (TTL) or sometimes frag > packets # > # 12 = Parameter Problem is some error or weirdness detected in > header # > # 13 = Timestamp > [RFC792] # > # 14 = Timestamp Reply > [RFC792] # > # 15 = Information Request > [RFC792] # > # 16 = Information Reply > [RFC792] # > # 17 = Address Mask Request > [RFC950] # > # 18 = Address Mask Reply > [RFC950] # > # 30 = Traceroute > [RFC1393] # > # > # > #-----------------------------------------------------------------------------------# > > # ICMP > $IPT -t nat 
-I PREROUTING -i $IF0 -p icmp -d $NET1 -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p icmp --icmp-type 0 -m limit > --limit 3/s -d $NET1 -j ACCEPT > $IPT -t nat -I PREROUTING -i $IF0 -p icmp --icmp-type 3 -m limit > --limit 3/s -d $NET1 -j ACCEPT > > # CHECK_FLAGS > $IPT -t nat -I PREROUTING -i $IF0 -f -d $NET2 -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -f -d $NET2 -j ULOG --ulog-prefix > "FRAGMENTS:" > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m state --state > INVALID -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m state --state > INVALID -j ULOG --ulog-prefix "INVALID_FLAGS:" > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL > FIN,URG,PSH -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL > FIN,URG,PSH -m limit --limit 3/s -j ULOG --ulog-prefix "NMAP-XMAS_SCAN:" > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,RST > SYN,RST -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,RST > SYN,RST -m limit --limit 3/s -j ULOG --ulog-prefix "SYN/RST_SCAN: " > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,FIN > SYN,FIN -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,FIN > SYN,FIN -m limit --limit 3/s -j ULOG --ulog-prefix "SYN/FIN_SCAN: " > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN > -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN > -m limit --limit 3/s -j ULOG --ulog-prefix "FIN_SCAN:" > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL ALL > -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL ALL > -m limit --limit 3/s -j ULOG --ulog-prefix "ALL/ALL__SCAN : " > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL NONE > -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL NONE > -m limit --limit 3/s -j ULOG --ulog-prefix "NULL_SCAN: " > > > # _____________ANTISPOOF > > cat 
/home/gabrix/bogon-bn-nonagg.txt |\ > egrep -ve > "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\ > |^124\.|^125\.|^126\.|^189\.| ^190\.)"|while read s; do > $IPT -t nat -I PREROUTING -i $IF0 -s $s -j DROP > $IPT -t nat -I PREROUTING -i $IF0 -s $s -j ULOG --ulog-prefix > 'BOGON_SPOOF:' > done > > # Make laptop get into LAN > #echo > "-----------------------------------------------------------------------------------------------------" > #$IPT -t nat -A PREROUTING -i eth0 -p ALL -s 192.168.0.3/32 -d > 192.168.1.0/24 -j DNAT --to-dest 192.168.1.1 > > > # PREROUTING DNAT ################################# -------------------- > > # HTTP & HTTPS per .... www.gabrix.ath.cx > /sbin/iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 80 -d > 192.168.0.2/32 -j DNAT --to 192.168.1.4:80 > /sbin/iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 443 -d > 192.168.0.2/32 -j DNAT --to 192.168.1.4:443 > # HTTP ... per .... mail.gabrix.ath.cx > $IPT -t nat -A PREROUTING -p tcp -i $IF0 --dport 80 -m state --state > NEW -d 192.168.0.2/32 -j DNAT --to 192.168.1.6:80 > $IPT -t nat -A PREROUTING -p tcp -i $IF0 --dport 443 -m state --state > NEW -d 192.168.0.2/32 -j DNAT --to 192.168.1.6:443 > > > > # SMTP > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 25 > -j DNAT --to 192.168.1.6:25 > > > # INN > #$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.2/32 --dport > 119 -j DNAT --to 192.168.1.4:119 > > > # IRCD > IRC=6664:6669 > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport > $IRC -j DNAT --to 192.168.1.4:6664-6669 > $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport > 32768 -j DNAT --to 192.168.1.4:32768 > > > # FTP > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 20 > -j DNAT --to 192.168.1.4:20 > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 21 > -j DNAT --to 192.168.1.4:21 > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport > 60000:65535 -m 
state --state ESTABLISHED,RELATED -j DNAT --to > 192.168.1.4:60000-65534 > > > # POP-SSL > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 995 > -j DNAT --to 192.168.1.6:995 > $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport 995 > -j DNAT --to 192.168.1.6:995 > > > # TIM --- DNS > $IPT -t nat -A PREROUTING -p ALL -i $IF0 -s $DNS1 -d $ARG0 -j DNAT > --to 192.168.1.6 > $IPT -t nat -A PREROUTING -p ALL -i $IF0 -s $DNS2 -d $ARG0 -j DNAT > --to 192.168.1.6 > > # PROXY > #$IPT -t nat -I PREROUTING -i $IF1 -p tcp -s $NET3 --dport 80 -j DNAT > --to 192.168.1.1:8888 > > # EMULE > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport > 18744 -j DNAT --to 192.168.1.2:18744 > $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport > 57692 -j DNAT --to 192.168.1.2:57692 > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport > 4711 -j DNAT --to 192.168.1.2:4711 > $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport > 4672 -j DNAT --to 192.168.1.2:4672 > $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport > 4661:4662 -j DNAT --to 192.168.1.2:4661-4662 > > ########################################################################################## > # INPUT ARGO > SERVICES # > ########################################################################################## > # I want broadcats to reach only machines in lan and avoid packets to > go out in the internet and other #machines > > # BROADCASTS > # ETH0 > $IPT -A INPUT -i $IF0 -d 255.255.255.255/32 -j ULOG --ulog-prefix > "NET_BROADCASTS:" > $IPT -A INPUT -i $IF0 -d 255.255.255.255/32 -j DROP > > # ETH1 > $IPT -A INPUT -i $IF1 -j ACCEPT -s 192.168.1.0/29 -d 192.168.1.255/29 > $IPT -A INPUT -i $IF1 -j ULOG --ulog-prefix "LAN_BROADCASTS:" -s > 192.168.1.0/29 -d 192.168.1.255/32 > $IPT -A INPUT -i $IF1 -j DROP -s 192.168.1.0/29 -d 192.168.1.255/32 > > $IPT -A INPUT -i $IF1 -j ACCEPT -s 192.168.1.0/29 -d 255.255.255.255/29 > $IPT 
-A INPUT -i $IF1 -j ULOG --ulog-prefix "LAN_NBIOS_BROADCASTS:" -s > 192.168.1.0/29 -d 255.255.255.255/32 > $IPT -A INPUT -i $IF1 -j DROP -s 192.168.1.0/29 -d 255.255.255.255/32 > > # MULTICASTS > $IPT -A INPUT -i $IF0 -j DROP -m state --state NEW -d 224.0.0.0/4 -p ! 6 > > # INPUT ARGO_SERVICES ----------------------------------------- > # TOR > $IPT -t nat -A PREROUTING -i $IF0 -p tcp --dport 22 -j REDIRECT > --to-port 9090 > $IPT -t nat -A PREROUTING -i $IF0 -p tcp --dport 110 -j REDIRECT > --to-port 9091 > $IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --dport 9090 -j ACCEPT > $IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --dport 9091 -j ACCEPT > > > # Accetto SSH e prevengo bruteforces > $IPT -A INPUT -i eth0 -p tcp --dport 666 -d 192.168.0.2/32 -m recent > --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG > --ulog-prefix "SSH_BRUTEFORCE:" > $IPT -A INPUT -i eth0 -p tcp --dport 666 -d 192.168.0.2/32 -m state > --state NEW -m recent --set --name SSH -j ACCEPT > > > # TIM_DNS > $IPT -A INPUT -i eth0 -s $DNS1 -d $ARG0 -j ACCEPT > $IPT -A INPUT -i eth0 -s $DNS2 -d $ARG0 -j ACCEPT > > # DROP Anything else > $IPT -A INPUT -i $IF0 -p tcp --dport 1:65535 -d $ARG0 -j ULOG > --ulog-prefix "TCP:" > $IPT -A INPUT -i $IF0 -p tcp --dport 1:65535 -d $ARG0 -j DROP > $IPT -A INPUT -i $IF0 -p udp --dport 1:65535 -d $ARG0 -j ULOG > --ulog-prefix "UDP:" > $IPT -A INPUT -i $IF0 -p udp --dport 1:65535 -d $ARG0 -j DROP > $IPT -A INPUT -i $IF0 -p ALL -d $ARG0 -j ULOG --ulog-prefix "#######| > STOP_ALL_ |######:" > $IPT -A INPUT -i $IF0 -p ALL -d $ARG0 -j DROP > > > # FORWARD > # > > # 192.168.0.0 NETWORK > $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -s 192.168.0.3 -d 192.168.1.0/29 -j ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -s $ARG0 -d $NET3 -j ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -s $ROUT -d $NET3 -j ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -s $NET1 -d $NET4 -j ULOG > --ulog-prefix "Forward_SPOOF:" > $IPT -A FORWARD 
-i eth0 -o eth1 -s $NET1 -d $NET4 -j DROP > > # LAN > $IPT -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT > > > # # Services FORWARD--------> > > # TIM DNS > $IPT -A FORWARD -s $DNS1 -d 192.168.1.0/24 -j ACCEPT > $IPT -A FORWARD -s $DNS2 -d 192.168.1.0/24 -j ACCEPT > > > # FTP > $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 20 -j ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 21 -j ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport > 60000:65534 -j ACCEPT > > > # INN > #$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 119 -d 192.168.1.4 -j > ACCEPT > > > # SMTP > $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -d 192.168.1.6 -j ACCEPT > > > # IRCD > IRC=6665:6669 > $IPT -A FORWARD -i eth0 -p tcp --dport $IRC -d 192.168.1.4/32 -j ACCEPT > $IPT -A FORWARD -i eth0 -p udp --dport 32768 -d 192.168.1.4/32 -j ACCEPT > > > # HTTP > $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.4 -j ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -d 192.168.1.4 -j > ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.6 -j ACCEPT > $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -d 192.168.1.6 -j > ACCEPT > > > # POP SSL > $IPT -A FORWARD -i eth0 -p tcp --dport 995 -d 192.168.1.6 -j ACCEPT > $IPT -A FORWARD -i eth0 -p udp --dport 995 -d 192.168.1.6 -j ACCEPT > > # EMULE > $IPT -A FORWARD -p tcp -i $IF0 --dport 18744 -d 192.168.1.2 -j ACCEPT > $IPT -A FORWARD -p udp -i $IF0 --dport 57692 -d 192.168.1.2 -j ACCEPT > $IPT -A FORWARD -p tcp -i $IF0 --dport 4711 -d 192.168.1.2 -j ACCEPT > $IPT -A FORWARD -p udp -i $IF0 --dport 4672 -d 192.168.1.2 -j ACCEPT > $IPT -A FORWARD -p tcp -i $IF0 --dport 4661:4662 -d 192.168.1.2 -j ACCEPT > > # OUTPUT > $IPT -A OUTPUT -o eth0 -s 192.168.0.2/32 -j ACCEPT > $IPT -A OUTPUT -j ACCEPT -o eth1 -d 192.168.1.0/24 > $IPT -A OUTPUT -s 192.168.0.0/16 -j ACCEPT > $IPT -A OUTPUT -s 192.168.1.0/24 -j ACCEPT > > $IPT -A OUTPUT -p icmp --icmp-type 
time-exceeded -j DROP > $IPT -A OUTPUT -p icmp --icmp-type 0 -j DROP > > # MASQUERADE > $IPT -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE > > echo "1" > /proc/sys/net/ipv4/ip_forward > If you have question just ask .... thanks !!! From usenet06 at philpem.me.uk Thu Oct 26 22:44:06 2006 From: usenet06 at philpem.me.uk (Philip Pemberton) Date: Thu Oct 26 23:23:30 2006 Subject: NATing on a single interface? In-Reply-To: References: Message-ID: Robert Nichols wrote: > There's no reason a forwarded packet can't go back out the same > interface on which it arrived. There's an obvious compromise in > security when you have both sides of the firewall on the same I do trust my own machines, basically because they're mine - I'm very obsessive about keeping the OS and virus scanners up to date. > physical network, but if you trust your own machines and just > want to protect against external attacks you should be OK as > long as the DSL router forwards packets to the firewall machine > only. It appears to be mangling the packets - e.g. an inbound packet from 12.34.56.78 to 98.76.54.32 (PPP_IP) gets its destination IP changed to the DMZ address (e.g. 10.0.0.1 for my server). Return packets are sent to the source (e.g. 12.34.56.78 in the example) using the DSL router (10.1.0.2) as the gateway. What I need to figure out is how to actually set up the firewall. I did find a nice IPTables tutorial, but it's 357 pages long! Guess I'd better stop procrastinating and start reading.... Thanks. -- Phil. | (\_/) This is Bunny. Copy and paste Bunny usenet06@philpem.me.uk | (='.'=) into your signature to help him gain http://www.philpem.me.uk/ | (")_(") world domination. If mail bounces, replace "06" with the last two digits of the current year. From don at bowenvale.co.nz Fri Oct 27 01:12:01 2006 From: don at bowenvale.co.nz (Don Gould) Date: Fri Oct 27 01:51:16 2006 Subject: IPTables script problem... 
In-Reply-To: <4540A4DB.6080001@freemail.hu> References: <4540847B.8080407@bowenvale.co.nz> <4540A4DB.6080001@freemail.hu> Message-ID: <454140C1.6010201@bowenvale.co.nz> Thanks :) With help from a few others I found the answer... you need sudo to do this. See: www.tcn.bowenvale.co.nz - my web site, if you're interested in following the progress. What I'm working on will be GPL Cheers Don Gáspár Lajos wrote: > Don Gould wrote: >> Can anyone tell me why this isn't working? >> > ... >> >> [root@bowenvale shared]# cat dhcp.src >> #!/bin/sh > For debug try this: > > #!/bin/bash -x > >> nowdate=$(date) >> # echo $nowdate, $0, $1, $2, $3 >> /home/shared/dhcpconnect.log >> >> echo $nowdate, $2, $3 >> /home/shared/dhcpconnect.log >> >> echo "Start" >> /home/shared/dhcpconnect.log >> >> mysql -h bowenvale -u oncs -pbutterfly -e "INSERT INTO >> oncs.tblSessionRequest (MACAddress, IPAddress) VALUES('$2', '$3 >> ');" &> /home/shared/dhcpconnect.log > hmm... > You mean: > &>>/home > ??? >> echo "Done - database log" >> /home/shared/dhcpconnect.log >> >> # Now we start the data accounting bit using IP tables... >> # Make sure the iptables rules exist! This should return errors because >> these rules should always already exist. >> iptables -N traffic_in >> /home/shared/dhcpconnect.log >> iptables -N traffic_out >> /home/shared/dhcpconnect.log >> >> echo $nowdate, $2, $3 >> /home/shared/dhcpconnect.log >> >> echo "Done - rule create" >> /home/shared/dhcpconnect.log >> >> # Create Rule for IP to count the data. >> iptables -A traffic_in -d $3 >> /home/shared/dhcpconnect.log >> iptables -A traffic_out -s $3 >> /home/shared/dhcpconnect.log >> >> echo "Done - counter add" >> /home/shared/dhcpconnect.log >> >> #add chains as target to FORWARD rule - after the first time, this >> should always be already done. 
>> iptables -I FORWARD 1 -j traffic_in >> /home/shared/dhcpconnect.log >> iptables -I FORWARD 2 -j traffic_out >> /home/shared/dhcpconnect.log >> >> >> echo "Done forward rule add" >> /home/shared/dhcpconnect.log >> >> echo "Done", $2, $3 >> /home/shared/dhcpconnect.log >> > What is in dhcpconnect.log ??? :) > Could you post it? :) > > Swifty -- Don Gould www.thinkdesignprint.co.nz - www.tcn.bowenvale.co.nz - www.bowenvale.co.nz - www.hearingbooks.co.nz - www.buxtonsquare.co.nz - SkypeMe: ThinkDesignPrint - Good ideas: www.solarking.co.nz From rnicholsNOSPAM at comcast.net Fri Oct 27 01:52:44 2006 From: rnicholsNOSPAM at comcast.net (Robert Nichols) Date: Fri Oct 27 02:31:59 2006 Subject: NATing on a single interface? In-Reply-To: References: Message-ID: Philip Pemberton wrote: > It appears to be mangling the packets - e.g. an inbound packet from > 12.34.56.78 to 98.76.54.32 (PPP_IP) gets its destination IP changed to > the DMZ address (e.g. 10.0.0.1 for my server). Return packets are sent > to the source (e.g. 12.34.56.78 in the example) using the DSL router > (10.1.0.2) as the gateway. > > What I need to figure out is how to actually set up the firewall. I > > did find a nice IPTables tutorial, but it's 357 pages long! Guess I'd > better stop procrastinating and start reading.... If your other machines are set up to use the DSL router as the default route, of course that's where the return packets will go. You have two choices: 1. (Preferable) Set up the default route on your other machines so that they use the firewall machine as their gateway to the outside world. 2. SNAT the forwarded packets so that they appear to come from the firewall machine. This really screws up logging on your other machines (all traffic will appear to originate on the firewall machine), so you probably don't want to do it that way. If that's Oskar Andreasson's tutorial you've got, you'll find you really don't need to read through the whole thing. 
The section on the DNAT target is what you need right now. -- Bob Nichols Yes, "NOSPAM" is really part of my email address. From swifty at freemail.hu Fri Oct 27 09:42:19 2006 From: swifty at freemail.hu (Gáspár Lajos) Date: Fri Oct 27 10:21:40 2006 Subject: my script ! In-Reply-To: <45411A9A.6080509@gabrix.ath.cx> References: <45411A9A.6080509@gabrix.ath.cx> Message-ID: <4541B85B.5060409@freemail.hu> Interesting... :) Take a look at my script also... :) Swifty gabrix wrote: > I would like your opinion on my firewall script. I will also list all > services available on each machine in lan and how lan is configured... > keep tight !!! > my lan : > ... >> #!/bin/bash -x >> >> >> #LOAD MODULES >> modprobe ip_conntrack_ftp >> modprobe ip_nat_ftp >> modprobe ip_conntrack_irc >> modprobe ip_nat_irc >> >> # SOME VARIABLES TO START WITH >> NET1=192.168.0.0/16 >> NET2=192.168.0.0/30 >> NET3=192.168.1.0/29 >> NET4=192.168.1.0/24 >> ROUT=192.168.0.1/32 >> ARG0=192.168.0.2/32 >> ARG1=192.168.1.1/32 >> WWW=192.168.1.4/32 >> MAIL=192.168.6/32 >> MAC=192.168.0.3/32 >> DNS1=85.37.17.11/32 >> DNS2=85.38.28.69/32 >> IPT=/sbin/iptables >> IF0=eth0 >> IF1=eth1 >> >> # FLUSH >> echo "0" > /proc/sys/net/ipv4/ip_forward >> >> $IPT -P INPUT ACCEPT >> $IPT -P FORWARD ACCEPT >> $IPT -P OUTPUT ACCEPT >> Policy: ACCEPT >> $IPT -t nat -P PREROUTING ACCEPT >> $IPT -t nat -P POSTROUTING ACCEPT >> $IPT -t nat -P OUTPUT ACCEPT >> $IPT -t mangle -P PREROUTING ACCEPT >> $IPT -t mangle -P POSTROUTING ACCEPT >> $IPT -t mangle -P INPUT ACCEPT >> $IPT -t mangle -P OUTPUT ACCEPT >> $IPT -t mangle -P FORWARD ACCEPT Default policy is always ACCEPT.... >> $IPT -F >> $IPT -t nat -F >> $IPT -t mangle -F >> $IPT -X >> $IPT -t nat -X >> $IPT -t mangle -X >> >> # DEFAULTS >> $IPT -P INPUT DROP >> $IPT -P OUTPUT DROP >> $IPT -P FORWARD DROP >> Policy: DROP Why ACCEPT before, and DROP now? 
>> $IPT -t mangle -P PREROUTING ACCEPT >> $IPT -t mangle -P OUTPUT ACCEPT >> $IPT -t nat -P PREROUTING ACCEPT >> $IPT -t nat -P POSTROUTING ACCEPT >> $IPT -t nat -P OUTPUT ACCEPT >> >> >> Default policy >> # FREE_LOCALHOST >> $IPT -A INPUT -j ACCEPT -i lo >> $IPT -A INPUT -j ULOG --ulog-prefix "LOCAL_SPOOF:" -i ! lo -s >> 127.0.0.1/255.0.0.0 >> $IPT -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0 >> $IPT -A OUTPUT -j ACCEPT -o lo >> >> >> # LAN eth0 >> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT >> $IPT -A INPUT -i $IF0 -s $NET2 -j ACCEPT >> $IPT -A INPUT -i $IF0 -s $MAC -j ACCEPT >> $IPT -A INPUT -i $IF0 -s $NET1 -j ULOG --ulog-prefix " ### ETH0__SPOOF:" >> $IPT -A INPUT -i $IF0 -s $NET1 -j DROP >> >> # LAN eth1 >> $IPT -A INPUT -i eth1 -s 192.168.1.0/29 -j ACCEPT >> >> ## >> WW=135,136,137,138,139,445 >> $IPT -t nat -I PREROUTING -p tcp -i $IF0 -d $ARG0 -m multiport --dport >> $WW -j DROP >> $IPT -t nat -I PREROUTING -p udp -i $IF0 -d $ARG0 -m multiport --dport >> $WW -j DROP >> >> # MSSQL >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp --dport 1433:1434 -m limit -j >> ULOG --ulog-prefix "Firewalled packet: MSSQL " >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp --dport 1433:1434 -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 1433:1434 -m limit -j >> ULOG --ulog-prefix "Firewalled packet: MSSQL " >> $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 1433:1434 -j DROP >> >> # Traceroutes depend on finding a rejected port. 
DROP the ones it uses >> $IPT -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j ULOG >> --ulog-prefix "TRACEROUTE_UDP:" >> $IPT -t nat -I PREROUTING -i eth0 -p udp --dport 33434:33523 -j DROP >> >> >> # GNUTELLA NETWORK >> $IPT -t nat -I PREROUTING -i $IF0 -p udp --dport 6346:6348 -d $NET2 -j >> DROP >> >> # PORTS_BLACK_LIST >> PBL=1024,1025,1026,1027,33058,34120,40193 >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m multiport >> --dports $PBL -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p udp -d $NET2 -m multiport >> --dports $PBL -j DROP >> >> # UDP Traceroute >> $IPT -t nat -I PREROUTING -i $IF0 -p udp -d 192.168.0.0/16 --dport >> 33434:33523 -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p udp -d 192.168.0.0/16 --dport >> 33434:33523 -j ULOG --ulog-prefix "UDP_TRACEROUTES :" >> >> >> #-----------------------------------------------------------------------------------# >> # ICMP >> TYPES # >> #-----------------------------------------------------------------------------------# >> # >> # >> # 0 = Echo Reply, what gets sent back after a type 8 is received >> here # >> # 3 = Destination Unreachable (inbound) or Fragmentation Needed >> (out) [RFC792] # >> # 4 = Source Quench tells sending IP to slow down its rate to >> destination # >> # 5 = Redirect >> [RFC792] # >> # 6 = Alternate Host >> Address # >> # 8 = Echo Request used for pinging hosts, but see the note >> above # >> # 9 = Router Advertisement >> [RFC1256] # >> # 10 = Router Selection >> [RFC1256] # >> # 11 = Time Exceeded used for traceroute (TTL) or sometimes frag >> packets # >> # 12 = Parameter Problem is some error or weirdness detected in >> header # >> # 13 = Timestamp >> [RFC792] # >> # 14 = Timestamp Reply >> [RFC792] # >> # 15 = Information Request >> [RFC792] # >> # 16 = Information Reply >> [RFC792] # >> # 17 = Address Mask Request >> [RFC950] # >> # 18 = Address Mask Reply >> [RFC950] # >> # 30 = Traceroute >> [RFC1393] # >> # >> # >> 
#-----------------------------------------------------------------------------------# >> >> # ICMP >> $IPT -t nat -I PREROUTING -i $IF0 -p icmp -d $NET1 -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p icmp --icmp-type 0 -m limit >> --limit 3/s -d $NET1 -j ACCEPT >> $IPT -t nat -I PREROUTING -i $IF0 -p icmp --icmp-type 3 -m limit >> --limit 3/s -d $NET1 -j ACCEPT >> >> # CHECK_FLAGS >> $IPT -t nat -I PREROUTING -i $IF0 -f -d $NET2 -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -f -d $NET2 -j ULOG --ulog-prefix >> "FRAGMENTS:" >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m state --state >> INVALID -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 -m state --state >> INVALID -j ULOG --ulog-prefix "INVALID_FLAGS:" >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL >> FIN,URG,PSH -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL >> FIN,URG,PSH -m limit --limit 3/s -j ULOG --ulog-prefix "NMAP-XMAS_SCAN:" >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,RST >> SYN,RST -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,RST >> SYN,RST -m limit --limit 3/s -j ULOG --ulog-prefix "SYN/RST_SCAN: " >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,FIN >> SYN,FIN -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags SYN,FIN >> SYN,FIN -m limit --limit 3/s -j ULOG --ulog-prefix "SYN/FIN_SCAN: " >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN >> -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL FIN >> -m limit --limit 3/s -j ULOG --ulog-prefix "FIN_SCAN:" >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL ALL >> -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL ALL >> -m limit --limit 3/s -j ULOG --ulog-prefix "ALL/ALL__SCAN : " >> $IPT -t nat -I PREROUTING -i $IF0 -p tcp -d $NET2 --tcp-flags ALL NONE >> -j DROP >> $IPT -t nat -I PREROUTING 
-i $IF0 -p tcp -d $NET2 --tcp-flags ALL NONE >> -m limit --limit 3/s -j ULOG --ulog-prefix "NULL_SCAN: " >> >> >> # _____________ANTISPOOF >> >> cat /home/gabrix/bogon-bn-nonagg.txt |\ >> egrep -ve >> "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.\ >> |^124\.|^125\.|^126\.|^189\.| ^190\.)"|while read s; do >> $IPT -t nat -I PREROUTING -i $IF0 -s $s -j DROP >> $IPT -t nat -I PREROUTING -i $IF0 -s $s -j ULOG --ulog-prefix >> 'BOGON_SPOOF:' >> done >> >> # Make laptop get into LAN >> #echo >> "-----------------------------------------------------------------------------------------------------" >> #$IPT -t nat -A PREROUTING -i eth0 -p ALL -s 192.168.0.3/32 -d >> 192.168.1.0/24 -j DNAT --to-dest 192.168.1.1 >> >> >> # PREROUTING DNAT ################################# -------------------- > >> # HTTP & HTTPS for .... www.gabrix.ath.cx >> /sbin/iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 80 -d >> 192.168.0.2/32 -j DNAT --to 192.168.1.4:80 >> /sbin/iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 443 -d >> 192.168.0.2/32 -j DNAT --to 192.168.1.4:443 >> # HTTP ... for .... 
mail.gabrix.ath.cx >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 --dport 80 -m state --state >> NEW -d 192.168.0.2/32 -j DNAT --to 192.168.1.6:80 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 --dport 443 -m state --state >> NEW -d 192.168.0.2/32 -j DNAT --to 192.168.1.6:443 >> >> >> >> # SMTP >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 25 >> -j DNAT --to 192.168.1.6:25 >> >> >> # INN >> #$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.2/32 --dport >> 119 -j DNAT --to 192.168.1.4:119 >> >> >> # IRCD >> IRC=6664:6669 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport >> $IRC -j DNAT --to 192.168.1.4:6664-6669 >> $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport >> 32768 -j DNAT --to 192.168.1.4:32768 >> >> >> # FTP >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 20 >> -j DNAT --to 192.168.1.4:20 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 21 >> -j DNAT --to 192.168.1.4:21 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport >> 60000:65535 -m state --state ESTABLISHED,RELATED -j DNAT --to >> 192.168.1.4:60000-65534 >> >> >> # POP-SSL >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport 995 >> -j DNAT --to 192.168.1.6:995 >> $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport 995 >> -j DNAT --to 192.168.1.6:995 >> >> >> # TIM --- DNS >> $IPT -t nat -A PREROUTING -p ALL -i $IF0 -s $DNS1 -d $ARG0 -j DNAT >> --to 192.168.1.6 >> $IPT -t nat -A PREROUTING -p ALL -i $IF0 -s $DNS2 -d $ARG0 -j DNAT >> --to 192.168.1.6 >> >> # PROXY >> #$IPT -t nat -I PREROUTING -i $IF1 -p tcp -s $NET3 --dport 80 -j DNAT >> --to 192.168.1.1:8888 >> >> # EMULE >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport >> 18744 -j DNAT --to 192.168.1.2:18744 >> $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport >> 57692 -j DNAT --to 192.168.1.2:57692 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 
--dport >> 4711 -j DNAT --to 192.168.1.2:4711 >> $IPT -t nat -A PREROUTING -p udp -i $IF0 -d 192.168.0.2/32 --dport >> 4672 -j DNAT --to 192.168.1.2:4672 >> $IPT -t nat -A PREROUTING -p tcp -i $IF0 -d 192.168.0.2/32 --dport >> 4661:4662 -j DNAT --to 192.168.1.2:4661-4662 >> >> ########################################################################################## >> # INPUT ARGO >> SERVICES # >> ########################################################################################## >> # I want broadcats to reach only machines in lan and avoid packets to >> go out in the internet and other #machines >> >> # BROADCASTS >> # ETH0 >> $IPT -A INPUT -i $IF0 -d 255.255.255.255/32 -j ULOG --ulog-prefix >> "NET_BROADCASTS:" >> $IPT -A INPUT -i $IF0 -d 255.255.255.255/32 -j DROP >> >> # ETH1 >> $IPT -A INPUT -i $IF1 -j ACCEPT -s 192.168.1.0/29 -d 192.168.1.255/29 >> $IPT -A INPUT -i $IF1 -j ULOG --ulog-prefix "LAN_BROADCASTS:" -s >> 192.168.1.0/29 -d 192.168.1.255/32 >> $IPT -A INPUT -i $IF1 -j DROP -s 192.168.1.0/29 -d 192.168.1.255/32 >> >> $IPT -A INPUT -i $IF1 -j ACCEPT -s 192.168.1.0/29 -d 255.255.255.255/29 >> $IPT -A INPUT -i $IF1 -j ULOG --ulog-prefix "LAN_NBIOS_BROADCASTS:" -s >> 192.168.1.0/29 -d 255.255.255.255/32 >> $IPT -A INPUT -i $IF1 -j DROP -s 192.168.1.0/29 -d 255.255.255.255/32 >> >> # MULTICASTS >> $IPT -A INPUT -i $IF0 -j DROP -m state --state NEW -d 224.0.0.0/4 -p ! 
6 >> >> # INPUT ARGO_SERVICES ----------------------------------------- >> # TOR >> $IPT -t nat -A PREROUTING -i $IF0 -p tcp --dport 22 -j REDIRECT >> --to-port 9090 >> $IPT -t nat -A PREROUTING -i $IF0 -p tcp --dport 110 -j REDIRECT >> --to-port 9091 >> $IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --dport 9090 -j ACCEPT >> $IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --dport 9091 -j ACCEPT >> >> >> # Accept SSH and prevent brute force attempts >> $IPT -A INPUT -i eth0 -p tcp --dport 666 -d 192.168.0.2/32 -m recent >> --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG >> --ulog-prefix "SSH_BRUTEFORCE:" >> $IPT -A INPUT -i eth0 -p tcp --dport 666 -d 192.168.0.2/32 -m state >> --state NEW -m recent --set --name SSH -j ACCEPT >> >> >> # TIM_DNS >> $IPT -A INPUT -i eth0 -s $DNS1 -d $ARG0 -j ACCEPT >> $IPT -A INPUT -i eth0 -s $DNS2 -d $ARG0 -j ACCEPT >> >> # DROP Anything else >> $IPT -A INPUT -i $IF0 -p tcp --dport 1:65535 -d $ARG0 -j ULOG >> --ulog-prefix "TCP:" >> $IPT -A INPUT -i $IF0 -p tcp --dport 1:65535 -d $ARG0 -j DROP >> $IPT -A INPUT -i $IF0 -p udp --dport 1:65535 -d $ARG0 -j ULOG >> --ulog-prefix "UDP:" >> $IPT -A INPUT -i $IF0 -p udp --dport 1:65535 -d $ARG0 -j DROP >> $IPT -A INPUT -i $IF0 -p ALL -d $ARG0 -j ULOG --ulog-prefix "#######| >> STOP_ALL_ |######:" >> $IPT -A INPUT -i $IF0 -p ALL -d $ARG0 -j DROP >> >> >> # FORWARD >> # >> >> # 192.168.0.0 NETWORK >> $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -s 192.168.0.3 -d 192.168.1.0/29 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -s $ARG0 -d $NET3 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -s $ROUT -d $NET3 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -s $NET1 -d $NET4 -j ULOG >> --ulog-prefix "Forward_SPOOF:" >> $IPT -A FORWARD -i eth0 -o eth1 -s $NET1 -d $NET4 -j DROP >> >> # LAN >> $IPT -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT >> >> >> # # Services FORWARD--------> >> >> # TIM DNS >> $IPT -A FORWARD -s $DNS1 -d 192.168.1.0/24 -j 
ACCEPT >> $IPT -A FORWARD -s $DNS2 -d 192.168.1.0/24 -j ACCEPT >> >> >> # FTP >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 20 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 21 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport >> 60000:65534 -j ACCEPT >> >> >> # INN >> #$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 119 -d 192.168.1.4 -j >> ACCEPT >> >> >> # SMTP >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -d 192.168.1.6 -j ACCEPT >> >> >> # IRCD >> IRC=6665:6669 >> $IPT -A FORWARD -i eth0 -p tcp --dport $IRC -d 192.168.1.4/32 -j ACCEPT >> $IPT -A FORWARD -i eth0 -p udp --dport 32768 -d 192.168.1.4/32 -j ACCEPT >> >> >> # HTTP >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.4 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -d 192.168.1.4 -j >> ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.6 -j ACCEPT >> $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -d 192.168.1.6 -j >> ACCEPT >> >> >> # POP SSL >> $IPT -A FORWARD -i eth0 -p tcp --dport 995 -d 192.168.1.6 -j ACCEPT >> $IPT -A FORWARD -i eth0 -p udp --dport 995 -d 192.168.1.6 -j ACCEPT >> >> # EMULE >> $IPT -A FORWARD -p tcp -i $IF0 --dport 18744 -d 192.168.1.2 -j ACCEPT >> $IPT -A FORWARD -p udp -i $IF0 --dport 57692 -d 192.168.1.2 -j ACCEPT >> $IPT -A FORWARD -p tcp -i $IF0 --dport 4711 -d 192.168.1.2 -j ACCEPT >> $IPT -A FORWARD -p udp -i $IF0 --dport 4672 -d 192.168.1.2 -j ACCEPT >> $IPT -A FORWARD -p tcp -i $IF0 --dport 4661:4662 -d 192.168.1.2 -j ACCEPT >> >> # OUTPUT >> $IPT -A OUTPUT -o eth0 -s 192.168.0.2/32 -j ACCEPT >> $IPT -A OUTPUT -j ACCEPT -o eth1 -d 192.168.1.0/24 >> $IPT -A OUTPUT -s 192.168.0.0/16 -j ACCEPT >> $IPT -A OUTPUT -s 192.168.1.0/24 -j ACCEPT >> >> $IPT -A OUTPUT -p icmp --icmp-type time-exceeded -j DROP >> $IPT -A OUTPUT -p icmp --icmp-type 0 -j DROP >> >> # MASQUERADE >> $IPT -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE >> >> 
echo "1" > /proc/sys/net/ipv4/ip_forward >> >> > If you have questions just ask .... thanks !!! > > > I do not really believe that this is the best form of a script but if you understand your script (and hopefully you do :D ) then this is good... :) I prefer scripts much like the output of "iptables -vnL" Swifty From vwf at vulkor.net Fri Oct 27 10:22:01 2006 From: vwf at vulkor.net (vwf) Date: Fri Oct 27 11:01:07 2006 Subject: how to filter on applications? In-Reply-To: <46522.136.1.1.154.1161890722.squirrel@mail.addictz.org> References: <20061026185357.GA4832@trane.vulkor.net> <46522.136.1.1.154.1161890722.squirrel@mail.addictz.org> Message-ID: <20061027082201.GA4298@trane.vulkor.net> On Thu, Oct 26, 2006 at 03:25:22PM -0400, Mike wrote: > vwf wrote: > > Hello, > > > > I want to filter outgoing traffic based on the originating application. > > How do I do this? Please tell me iptables can do this. If not, how can I > > lock down my system? > http://l7-filter.sourceforge.net/ This filters on protocol, not on application. From swifty at freemail.hu Fri Oct 27 10:27:00 2006 From: swifty at freemail.hu (Gáspár Lajos) Date: Fri Oct 27 11:06:39 2006 Subject: how to filter on applications? In-Reply-To: <20061027082201.GA4298@trane.vulkor.net> References: <20061026185357.GA4832@trane.vulkor.net> <46522.136.1.1.154.1161890722.squirrel@mail.addictz.org> <20061027082201.GA4298@trane.vulkor.net> Message-ID: <4541C2D4.1030903@freemail.hu> vwf wrote: > On Thu, Oct 26, 2006 at 03:25:22PM -0400, Mike wrote: > >> vwf wrote: >> >>> Hello, >>> >>> I want to filter outgoing traffic based on the originating application. >>> How do I do this? Please tell me iptables can do this. If not, how can I >>> lock down my system? >>> > > >> http://l7-filter.sourceforge.net/ >> > > This filters on protocol, not on application. > > Yes! Because APPLICATIONS use PROTOCOLS to communicate with.... What do you not understand? 
Swifty From swifty at freemail.hu Fri Oct 27 10:53:33 2006 From: swifty at freemail.hu (Gáspár Lajos) Date: Fri Oct 27 11:32:56 2006 Subject: how to filter on applications? In-Reply-To: <20061027083635.GA4518@trane.vulkor.net> References: <20061026185357.GA4832@trane.vulkor.net> <46522.136.1.1.154.1161890722.squirrel@mail.addictz.org> <20061027082201.GA4298@trane.vulkor.net> <4541C2D4.1030903@freemail.hu> <20061027083635.GA4518@trane.vulkor.net> Message-ID: <4541C90D.3050000@freemail.hu> vwf wrote: > On Fri, Oct 27, 2006 at 10:27:00AM +0200, Gáspár Lajos wrote: > >> vwf wrote: >> >>> On Thu, Oct 26, 2006 at 03:25:22PM -0400, Mike wrote: >>> >>> >>>> vwf wrote: >>>> >>>> >>>>> Hello, >>>>> >>>>> I want to filter outgoing traffic based on the originating application. >>>>> How do I do this? Please tell me iptables can do this. If not, how can I >>>>> lock down my system? >>>>> >>>>> >>> >>> >>>> http://l7-filter.sourceforge.net/ >>>> >>>> >>> This filters on protocol, not on application. >>> >>> >>> >> Yes! Because APPLICATIONS use PROTOCOLS to communicate with.... >> >> What do you not understand? >> > > My question was how to filter on application. Filtering on protocol does > not suffice. > > Okay... You want to filter on APPLICATION... Let me assume that you have a firewall and some clients. You want to block some traffic originating from your clients depending on the application. If an application talks to another party then it uses a "language" that both understand. This is the PROTOCOL. In netfilter/iptables you can analyse the packets. Where are they coming from and where are they going... If you want to know the content of this pipe then you have to use some layer 7 filtering mechanism... http://en.wikipedia.org/wiki/OSI_model BUT if I did not understand you correctly then please send me an exact question... 
Thanx Swifty From usenet06 at philpem.me.uk Fri Oct 27 11:09:39 2006 From: usenet06 at philpem.me.uk (Philip Pemberton) Date: Fri Oct 27 11:49:20 2006 Subject: NATing on a single interface? In-Reply-To: References: Message-ID: Robert Nichols wrote: > If your other machines are set up to use the DSL router as the default > route, of course that's where the return packets will go. You have > two choices: > > 1. (Preferable) Set up the default route on your other machines so > that they use the firewall machine as their gateway to the outside > world. Which is what's happening now. DNSMasq (lightweight DHCP/DNS server) allocates IP addresses based on /etc/ethers and /etc/hosts, and tells those machines to use 10.0.0.1 as the gateway. 10.0.0.1 (the firewall server) forwards those onto their eventual destination, and handles masquerading in the opposite direction, so that one or more LAN-based machines can access the Internet using only one public IP address. > 2. SNAT the forwarded packets so that they appear to come from the > firewall machine. This really screws up logging on your other > machines (all traffic will appear to originate on the firewall > machine), so you probably don't want to do it that way. Based on > If that's Oskar Andreasson's tutorial you've got, you'll find you Yep. > really don't need to read through the whole thing. The section on > the DNAT target is what you need right now. Well, I've read the chapter on TCP/IP, now I'm just skimming through the stuff on DNAT and Masquerading. Problem with DNAT is that it seems to be more of a port-forwarding system rather than allowing more than one machine to access the Internet from one public IP. I think I'll spend tonight playing around with firewall rules and routing tables. No doubt I'll take some flak from the rest of the family in the process ("why can't you just use the old modem?" 
and stuff like that) I was going to use "Arno's IPTables Firewall" to do this, but it doesn't seem to support single-NIC NAT routing. Guess I'll have to write my own firewall script.. in at the deep end, as always :) Thanks. -- Phil. | (\_/) This is Bunny. Copy and paste Bunny usenet06@philpem.me.uk | (='.'=) into your signature to help him gain http://www.philpem.me.uk/ | (")_(") world domination. If mail bounces, replace "06" with the last two digits of the current year. From bclark at eccotours.co.za Fri Oct 27 11:45:54 2006 From: bclark at eccotours.co.za (Brent Clark) Date: Fri Oct 27 12:24:11 2006 Subject: why DROP in PREROUTING Message-ID: <4541D552.2070802@eccotours.co.za> Hi all Would you please help me understand as to why you would do some dropping in the PREROUTING as opposed to the filter of INPUT or FORWARD (e.g.) I've been browsing a few sites and I see sites like iptablesrocks.org etc all have rules like so A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags 
SYN,RST SYN,RST -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP Just something I was thinking. Kind Regards Brent Clark From swifty at freemail.hu Fri Oct 27 11:59:58 2006 From: swifty at freemail.hu (Gáspár Lajos) Date: Fri Oct 27 12:39:22 2006 Subject: why DROP in PREROUTING In-Reply-To: <4541D552.2070802@eccotours.co.za> References: <4541D552.2070802@eccotours.co.za> Message-ID: <4541D89E.1080507@freemail.hu> Brent Clark wrote: > Hi all > > Would you please help me understand as to why you would do some dropping > in the PREROUTING as opposed to the filter of INPUT or FORWARD (e.g.) > It is not really nice, BUT... the reason is: You can filter all of these packets at one point no matter where they are coming from and going to.... > I've been browsing a few sites and I see sites like iptablesrocks.org > etc all have rules like so > > A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG > FIN,PSH,URG -j DROP ... > -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP > > Just something I was thinking. > > Kind Regards > Brent Clark > > Swifty From szocske at gmail.com Fri Oct 27 12:37:00 2006 From: szocske at gmail.com (Gabor Szokoli) Date: Fri Oct 27 13:16:09 2006 Subject: how to filter on applications? In-Reply-To: <4541C90D.3050000@freemail.hu> References: <20061026185357.GA4832@trane.vulkor.net> <46522.136.1.1.154.1161890722.squirrel@mail.addictz.org> <20061027082201.GA4298@trane.vulkor.net> <4541C2D4.1030903@freemail.hu> <20061027083635.GA4518@trane.vulkor.net> <4541C90D.3050000@freemail.hu> Message-ID: On 10/27/06, Gáspár Lajos wrote: > BUT if I did not understand you correctly then please send me an exact > question... I might be able to mediate before this escalates... I think vwf assumes the firewall is on the same host as the applications, no forwarding takes place. 
In this case it is not an unreasonable expectation to be able to write iptables rules matching the name of the executable whose process instance owns the socket: so called "personal firewall" applications on some other operating system do this all the time. Google-lee-goo: http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-ownercmd Szocske From vwf at vulkor.net Fri Oct 27 13:04:42 2006 From: vwf at vulkor.net (vwf) Date: Fri Oct 27 13:43:48 2006 Subject: how to filter on applications? In-Reply-To: References: <20061026185357.GA4832@trane.vulkor.net> <46522.136.1.1.154.1161890722.squirrel@mail.addictz.org> <20061027082201.GA4298@trane.vulkor.net> <4541C2D4.1030903@freemail.hu> <20061027083635.GA4518@trane.vulkor.net> <4541C90D.3050000@freemail.hu> Message-ID: <20061027110442.GA6607@trane.vulkor.net> On Fri, Oct 27, 2006 at 12:37:00PM +0200, Gabor Szokoli wrote: > On 10/27/06, Gáspár Lajos wrote: > >BUT if I did not understand you correctly then please send me an exact > >question... > > I might be able to mediate before this escalates... > I think vwf assumes the firewall is on the same host as the > applications, no forwarding takes place. > In this case it is not an unreasonable expectation to be able to write > iptables rules matching the name of the executable whose process > instance owns the socket: so called "personal firewall" applications > on some other operating system do this all the time. > > Google-lee-goo: > http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-ownercmd Thank you. Your assumptions are right. I filter on application on the workstation, and on port/destination on the router. Iptables lost --cmd-owner, so new kernels were pretty useless to me, but they seem to be reintroduced for ip6tables. Is there a "howto" to rewrite an iptables firewall-ruleset to ip6tables (or a good introduction for ip6tables)?
From netdev at sc-software.com Fri Oct 27 13:27:44 2006 From: netdev at sc-software.com (netdev@sc-software.com) Date: Fri Oct 27 14:02:23 2006 Subject: ethernet mac filter configuration (fwd) Message-ID: What, if any, user space command is available/recommended for adding/deleting MAC addresses and masks to hardware based ARC/CAM/MAC address filter memory on chip. I've done a driver for a new 10/100 MAC/PHY combo (currently running on ARM) that has on chip memory and logic for this kind of filtration. I'm aware of the kernel multicast support and I've tied my set_multicast_list() function to needed chip interface but can't find a standard user space command to instantiate the list with MAC addresses/masks. Thnx v much, johnh . =========================================================== John Heil South Coast Software Custom firmware, device drivers and board bring up services Ph: 1-714-774-6952 Fx: 1-714-774-7053 www.sc-software.com email: johnhscs@sc-software.com =========================================================== From pablo at blueoakdb.com Fri Oct 27 14:54:19 2006 From: pablo at blueoakdb.com (Pablo Sanchez) Date: Fri Oct 27 15:33:33 2006 Subject: how to filter on applications? In-Reply-To: <20061027110442.GA6607@trane.vulkor.net> Message-ID: <013001c6f9c7$049aa690$0419a8c0@fly> > -----Original Message----- > From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of vwf > Sent: Friday, October 27, 2006 7:05 AM > To: Netfilter IPtableMailinglist > Subject: Re: how to filter on applications? > > Thank you. Your assumptions are right. I filter on application on the > workstation, and on port/destination on the router. I find this e-mail list generally very courteous. English is a difficult language and it's not the primary language for a lot of people on this list. In my opinion what is important is to strive to understand what the poster is trying to say. 
Posters should strive to put as much detail as possible in their post to cut down on the 'discovery cycle.' Make it clear; don't leave anything to be assumed (if you can help it). Provide diagrams if possible (emacs' picture-mode works very well! ;) Now, back to filtering... --- Pablo Sanchez - Blueoak Database Engineering, Inc Ph: 819.459.1926 Toll free: 888.459.1926 Cell: 819.918.9731 Pgr: pablo_p@blueoakdb.com Fax: 603.720.7723 (US) From rnicholsNOSPAM at comcast.net Fri Oct 27 16:40:11 2006 From: rnicholsNOSPAM at comcast.net (Robert Nichols) Date: Fri Oct 27 17:27:24 2006 Subject: NATing on a single interface? In-Reply-To: References: Message-ID: Philip Pemberton wrote: > Well, I've read the chapter on TCP/IP, now I'm just skimming through the > stuff on DNAT and Masquerading. Problem with DNAT is that it seems to be > more of a port-forwarding system rather than allowing more than one > machine to access the Internet from one public IP. Well, you started out saying that your router's limitation of "a maximum of 16 firewall port-forward rules" was a problem, so I jumped to the conclusion that you were trying to do port forwarding. -- Bob Nichols Yes, "NOSPAM" is really part of my email address. From jsosic at jsosic.homeunix.org Fri Oct 27 16:52:56 2006 From: jsosic at jsosic.homeunix.org (Jakov Sosic) Date: Fri Oct 27 17:32:05 2006 Subject: why DROP in PREROUTING In-Reply-To: <4541D89E.1080507@freemail.hu> References: <4541D552.2070802@eccotours.co.za> <4541D89E.1080507@freemail.hu> Message-ID: <20061027165256.57d2e6d3@localhost> On Fri, 27 Oct 2006 11:59:58 +0200 Gáspár Lajos wrote: > You can filter all of these packets at one point no matter where they > are coming from and going to.... Oscar is against it in his tutorial, he even says a reason. If I remember correctly, it's because only the first packet hits that rule, and others get the same action without further checking, and that's not a good idea to do.
-- | Jakov Sosic | ICQ: 28410271 | PGP: 0x244F89CA | | http://jsosic.homeunix.org | jsosic@jsosic.homeunix.org | -- From usenet06 at philpem.me.uk Fri Oct 27 21:33:59 2006 From: usenet06 at philpem.me.uk (Philip Pemberton) Date: Fri Oct 27 22:31:46 2006 Subject: Port forwarding fun (was NATing on a single interface?) In-Reply-To: References: Message-ID: Robert Nichols wrote: > Well, you started out saying that your router's limitation of "a > maximum of 16 firewall port-forward rules" was a problem, so I > jumped to the conclusion that you were trying to do port forwarding. What I've done is set my router's DMZ option to "10.1.0.1". In other words, everything my router receives is forwarded on to 10.1.0.1 -- the firewall box. The firewall box is doing a pretty good job of handling the IP masquerading, but I'm having trouble getting port-forwarding to work. What I want to do is forward port 99 inbound to port 80 on 10.0.0.8. I've added a rule to do this (search for 'DNAT') but although it seems to accept the connection, I get a Receive Timeout error on the client machine, and the GRC ShieldsUp port scanner reports the port as 'stealthed' (i.e. machine is silently dropping packets). The weird thing is, the target machine isn't even receiving the SYN, and I can't figure out why. If I change the DNAT rule to forward to 10.0.0.1:80 (the firewall box's HTTP server), the rule works fine. If I change the IP to 10.0.0.8, it doesn't. I'm not seeing anything in syslog from my LOG rules either... 
Here's my firewall script: --8<-- cut here --8<--
#!/bin/sh
##############################################################################
# Simple single-NIC IPTables firewall script
# Philip Pemberton -- http://www.philpem.me.uk/
# Rev: 2006-10-27 20:13 BST
#
# Based on Arno's IPtables Firewall Script ()
# and Brandon Hutchinson's Multi-Homed IPTables Firewall
# ()
##############################################################################
# TODO list:
# - Get port forwarding working
# - Allow pf to be configured eg. "1020>10.0.0.18" fwds port 1020 to
#   10.0.0.18; "1234>10.0.0.92:80" fwds port 1234 to port 80 on 10.0.0.92
# - Coloured stdout log messages - headings white, "firewall up" green, etc.
# - Easier configuration!
# - Better documentation!

# Path to IPTables
IPT=/sbin/iptables

# TCP/UDP ports to open
OPEN_TCP="http https ssh"
OPEN_UDP=""

##############################################################################

echo "======================================================================="
echo "= IPTables firewall starting"
echo "======================================================================="

echo "Attempting to flush all rules in the filter table"
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush

# Accept packets from local loopback
echo "Accepting packets from local loopback"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Set default policy to DROP
echo "Setting default policy to DROP"
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT 2>/dev/null
$IPT -t nat -P OUTPUT ACCEPT 2>/dev/null
$IPT -t nat -P POSTROUTING ACCEPT 2>/dev/null
$IPT -t mangle -P OUTPUT ACCEPT 2>/dev/null
$IPT -t mangle -P PREROUTING ACCEPT 2>/dev/null

# Enable some IPv4 tweaks
echo "Enabling some IPv4 security tweaks:"
echo " Activating IP forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " Enabling broadcast echo protection"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " Disabling source-routed packets"
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > $f
done
echo " Enabling TCP SYN cookie protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo " Disabling ICMP Redirect acceptance"
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > $f
done
echo " Disabling sending of ICMP Redirect messages"
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > $f
done
echo " Enabling RP_Filter anti-spoof protection"
# Drop spoofed packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > $f
done
echo " Logging packets with impossible addresses (martians)"
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 1 > $f
done

echo "Dropping packets with invalid TCP state combinations"
# First list of TCP state flags lists the bits to be tested
# Second list of TCP state flags lists the bits that must be set to match test
#####
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is set without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is set without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is set without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# Allow forwarding and masquerading on local net
echo "Allowing forwarding and masquerading on local net"
$IPT -t nat -A POSTROUTING -s 10.0.0.0/16 -d ! 10.0.0.0/16 -j MASQUERADE
$IPT -A FORWARD -i eth0 -o eth0 -s 10.0.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth0 -d 10.0.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Also accept broadcast traffic for the global broadcast address (for DHCP)
echo "Accepting packets from the global broadcast address"
$IPT -A INPUT -i eth0 -d 255.255.255.255 -j ACCEPT

# Accept packets from the local LAN subnet
echo "Accepting packets from the local LAN subnet"
$IPT -A INPUT -i eth0 -s 10.0.0.0/16 -j ACCEPT
$IPT -A OUTPUT -o eth0 -d 10.0.0.0/16 -j ACCEPT
# TODO: use these instead? would these be better? need to rtfm...
#$IPT -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow packets to go out to the gateway
echo "Allowing outbound packets to gateway"
$IPT -A INPUT -i eth0 -d 10.1.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o eth0 -s 10.1.0.0/16 -j ACCEPT
$IPT -A OUTPUT -o eth0 -s 10.0.0.0/16 -j ACCEPT

# Open some TCP ports
echo -n "Opening TCP ports: "
for i in $OPEN_TCP; do
  echo -n "$i "
  $IPT -A INPUT -i eth0 -p tcp --dport $i -j ACCEPT
done
echo "[done]"

# Open some UDP ports
echo -n "Opening UDP ports: "
for i in $OPEN_UDP; do
  echo -n "$i "
  $IPT -A INPUT -i eth0 -p udp --dport $i -j ACCEPT
done
echo "[done]"

# Forward some ports
echo "Forwarding port 99 to 10.0.0.8:80"
$IPT -t nat -A PREROUTING -p tcp -m tcp --dport 99 -j DNAT --to-destination 10.0.0.8:80

##############################################################################
# BIG FAT WARNING:
# All IPTables rules MUST be added BEFORE the two logging rules, otherwise
# you'll get "packet dropped" entries in syslog. Oh, and the packets will
# get dropped too.
##############################################################################
# LOG rules stolen from Arno's IPTables Firewall Script, which can be
# downloaded from http://rocky.leidenuniv.nl/
echo "Logging dropped packets"
$IPT -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "Dropped INPUT packet: " --log-level 7
$IPT -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7

# Let the user know the firewall is running
echo "=== Firewall is up and running ==="
# end of firewall-script
--8<-- cut here --8<-- Can anyone see anything obviously wrong with this? Thanks. -- Phil. | (\_/) This is Bunny. Copy and paste Bunny usenet06@philpem.me.uk | (='.'=) into your signature to help him gain http://www.philpem.me.uk/ | (")_(") world domination. If mail bounces, replace "06" with the last two digits of the current year. From usenet06 at philpem.me.uk Fri Oct 27 22:26:11 2006 From: usenet06 at philpem.me.uk (Philip Pemberton) Date: Fri Oct 27 23:10:40 2006 Subject: Port forwarding fun (was NATing on a single interface?) In-Reply-To: References: Message-ID: > # Forward some ports > echo "Forwarding port 99 to 10.0.0.8:80" > $IPT -t nat -A PREROUTING -p tcp -m tcp --dport 99 -j DNAT > --to-destination 10.0.0.8:80 Oh $CURSE. Forgot the FORWARD rule: $IPT -A FORWARD -p tcp -d 10.0.0.8 --dport 80 -j ACCEPT Now it works, and I'm a happy bunny once more. I would appreciate some constructive criticism relating to my iptables script though - possible security/style improvements, etc. Spotted that on . Found on the second page of results from a Google search for 'iptables DNAT port-forward'. Thanks. -- Phil. | (\_/) This is Bunny. Copy and paste Bunny usenet06@philpem.me.uk | (='.'=) into your signature to help him gain http://www.philpem.me.uk/ | (")_(") world domination. If mail bounces, replace "06" with the last two digits of the current year.
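As an added example (not Phil's script, not a list member's code), here is one way to implement the "PORT>HOST[:PORT]" syntax from the script's TODO list so that each entry produces both rules a DNAT forward needs: the nat PREROUTING rewrite and the filter FORWARD accept that the thread found was missing. IPT defaults to a dry-run printer, and the interface name eth0 is an assumption carried over from the single-NIC script.

```shell
#!/bin/sh
# Added example, not part of the original firewall script. Expands forward
# specs such as "1020>10.0.0.18" or "1234>10.0.0.92:80" (the syntax from the
# TODO list) into the PAIR of rules a DNAT forward needs. By default the
# rules are printed; set IPT=/sbin/iptables and run as root to load them.
dryrun() { printf '%s\n' "$*"; }
IPT="${IPT:-dryrun}"
EXT_IF="${EXT_IF:-eth0}"      # assumed: the script's single NIC

# is_port VALUE: true when VALUE is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 VALUE: true when VALUE is a dotted quad with octets 0..255
is_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# parse_pf SPEC: prints "EXTPORT HOST INTPORT" for a valid spec, otherwise
# reports the problem on stderr and returns 1. INTPORT defaults to EXTPORT.
parse_pf() {
    spec=$1
    case "$spec" in
        *">"*) ;;
        *) echo "parse_pf: missing '>' in '$spec'" >&2; return 1 ;;
    esac
    extport=${spec%%>*}
    target=${spec#*>}
    case "$target" in
        *:*) host=${target%%:*}; intport=${target#*:} ;;
        *)   host=$target;       intport=$extport ;;
    esac
    is_port "$extport" || { echo "parse_pf: bad external port '$extport'" >&2; return 1; }
    is_port "$intport" || { echo "parse_pf: bad internal port '$intport'" >&2; return 1; }
    is_ipv4 "$host"    || { echo "parse_pf: bad host '$host'" >&2; return 1; }
    echo "$extport $host $intport"
}

# add_pf SPEC: prints (IPT=dryrun) or installs both rules for one forward.
# DNAT in nat/PREROUTING only rewrites the destination; the rewritten packet
# is then routed through the filter FORWARD chain, whose default policy is
# DROP, so it needs an explicit ACCEPT (the rule the thread found missing).
# Replies from HOST are covered by the script's existing FORWARD rule for
# -s 10.0.0.0/16 with ESTABLISHED,RELATED.
add_pf() {
    parsed=$(parse_pf "$1") || return 1
    set -- $parsed
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    "$IPT" -A FORWARD -i "$EXT_IF" -p tcp -d "$2" --dport "$3" -j ACCEPT
}

# Usage: sh pf.sh "99>10.0.0.8:80" "1020>10.0.0.18"
# A bad spec is reported and skipped; the others are still processed.
for spec in "$@"; do
    add_pf "$spec" || echo "skipped: $spec" >&2
done
```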
From iler.ml at gmail.com Fri Oct 27 23:42:44 2006 From: iler.ml at gmail.com (Yakov Lerner) Date: Sat Oct 28 00:21:53 2006 Subject: 2.4 vs 2.6 in linux routers ? Message-ID: I'd like to collect some estimates about 2.4 vs 2.6 share in [small] linux routers in 2006. My own estimate is that definite majority is 2.4 (I'd say >75% are 2.4), in small linux routers in 2006. Can anyone offer his estimates ? And if 2.4 is indeed more used than 2.6, then why ? Which factors make 2.4 or 2.6 more attractive for small linux router (128-256 mb RAM) ? Yakov Lerner P.S. If this is off-topic in this list, can anyone suggest better forum ? From ingsiong at daltron.com.pg Sat Oct 28 00:20:40 2006 From: ingsiong at daltron.com.pg (Lawrence - Daltron) Date: Sat Oct 28 01:00:27 2006 Subject: How to block Chikka chatting References: Message-ID: <009101c6fa16$23191a30$7700000a@comservwinxp> Hi, Can anyone advise me how to block chikka chatting at the firewall ? thanks in advance. Lawrence Tang =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Scanned with Copfilter Version 0.83beta2 (ProxSMTP 1.3.91) AntiVirus: ClamAV 0.88.3/2126 - Fri Oct 27 23:48:55 2006 by Markus Madlener @ http://www.copfilter.org From rob at sterenborg.info Sun Oct 29 11:23:34 2006 From: rob at sterenborg.info (Rob Sterenborg) Date: Sun Oct 29 12:03:04 2006 Subject: How to block Chikka chatting In-Reply-To: <009101c6fa16$23191a30$7700000a@comservwinxp> Message-ID: <000b01c6fb44$4bc09ce0$0101000a@tanjian> > Hi, > Can anyone advise me how to block chikka chatting at the firewall ? > thanks in advance. What have you tried already? This post seems to allow Chikka. If that works then it shouldn't be too hard to rework the rule for iptables to block Chikka.
http://lists.freebsd.org/pipermail/freebsd-net/2003-October/001578.html This list has a posting with hints about blocking Chikka servers: http://www.freelists.org/archives/isalist/02-2006/ To be short: use a packet sniffer to see where a Chikka client connects to and block that. Grts, Rob From kaleb_tuimala at sanityloss.com Mon Oct 30 03:57:25 2006 From: kaleb_tuimala at sanityloss.com (Kaleb D. Tuimala) Date: Mon Oct 30 04:36:51 2006 Subject: (no subject) Message-ID: <13521.69.129.144.25.1162177045.squirrel@www.sanityloss.com> I am new to Linux. I am using Open Suse 10.0. Currently iptables 1.3.3 is installed. I want to patch that up to 1.3.6. The problem I am having is that I have no idea how to install the incremental patches from iptables 1.3.3 - 1.3.6. How do I successfully do this? If anyone could give me detailed instructions on how to use the patches I would greatly appreciate it. -- Kaleb From kaleb_tuimala at sanityloss.com Mon Oct 30 03:58:11 2006 From: kaleb_tuimala at sanityloss.com (Kaleb D. Tuimala) Date: Mon Oct 30 04:37:36 2006 Subject: How to apply iptables patches... Message-ID: <13529.69.129.144.25.1162177091.squirrel@www.sanityloss.com> I am new to Linux. I am using Open Suse 10.0. Currently iptables 1.3.3 is installed. I want to patch that up to 1.3.6. The problem I am having is that I have no idea how to install the incremental patches from iptables 1.3.3 - 1.3.6. How do I successfully do this? If anyone could give me detailed instructions on how to use the patches I would greatly appreciate it. -- Kaleb From swifty at freemail.hu Mon Oct 30 10:40:04 2006 From: swifty at freemail.hu (Gáspár Lajos) Date: Mon Oct 30 11:19:54 2006 Subject: how to filter on applications? In-Reply-To: <013001c6f9c7$049aa690$0419a8c0@fly> References: <013001c6f9c7$049aa690$0419a8c0@fly> Message-ID: <4545C874.1040803@freemail.hu> Hi all, Let me apologize for my posts in this thread. Sorry if I was rude. I did not want to be.
As Pablo Sanchez wrote, English is sometimes very difficult to understand. This list is mostly read by sysops/sysadms. (I think.) They/we create iptables rules for a whole network. Simply I just wanted to help vwf and assumed things. That was bad. In the future I will not send any comment if I do not fully understand the question. Again, let me apologize. Swifty From azez at ufomechanic.net Mon Oct 30 14:09:57 2006 From: azez at ufomechanic.net (Amin Azez) Date: Mon Oct 30 14:50:06 2006 Subject: 2.4 vs 2.6 in linux routers ? In-Reply-To: References: Message-ID: <4545F9A5.7040301@ufomechanic.net> * Yakov Lerner wrote, On 27/10/06 22:42: > I'd like to collect some estimates about 2.4 vs 2.6 share > in [small] linux routers in 2006. > > My own estimate is that definite majority is 2.4 (I'd say >75% are 2.4), > in small linux routers in 2006. Can anyone offer his estimates ? > And if 2.4 is indeed more used than 2.6, then why ? Which factors make > 2.4 or 2.6 more attractive for small linux router (128-256 mb RAM) ? Upgrading router software must be performed by the customer and is a headache. The requirement for customers to upgrade router software usually relates to a customer support nightmare. So... when the software is working pretty well, vendors who weigh this headache and nightmare against the benefit of updating, the benefit - you can imagine - must be pretty great. Consider also how often a new router model line is released? How many base models of the routers you looked at for 2006 were totally new in 2006 and not extensions of 2005/2004 models? Sam From benny+usenet at amorsen.dk Mon Oct 30 15:03:11 2006 From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Mon Oct 30 15:46:38 2006 Subject: 2.4 vs 2.6 in linux routers ? References: Message-ID: >>>>> "YL" == Yakov Lerner writes: YL> Which factors make 2.4 or 2.6 more attractive for small linux YL> router (128-256 mb RAM) ? Many vendors use proprietary kernel modules which are unavailable for 2.6.
/Benny From cozzi at nd.edu Mon Oct 30 17:02:43 2006 From: cozzi at nd.edu (Marc Cozzi) Date: Mon Oct 30 17:48:21 2006 Subject: Packet mangle and re-directing Message-ID: I am using RH ESr4 configured as a bridge device with two Ethernet cards. Bridging and IPTABLES works well for filtering and blocking. No NAT is being used on this box. I'm not sure I understand the IPTABLES mangle interaction with NAT or forwarding. What I would like to do is the following: an unregistered user plugs their laptop into the Ethernet and their MAC address is not recognized by the IPTABLES filter rules, they try to open any default web page outside of the controlled area, the destination address: port 80, should be re-directed. Redirect them to a local web page clearly informing them what needs to be done in order to use their laptop on the local LANs and who to see. Is this possible? Thanks for any help, --marco From nathaniel.d.hall at gmail.com Mon Oct 30 17:36:48 2006 From: nathaniel.d.hall at gmail.com (Nathaniel Hall) Date: Mon Oct 30 18:16:18 2006 Subject: Change Source Message-ID: <45462A20.3040504@gmail.com> Is there any way to change the source address of an outbound ICMP packet? Here is why I am asking. Instead of dropping packets I reject them with ICMP host unreachable packets. If I were to try to initiate a connection to my firewall's outside IP I would get a host unreachable from the same IP address as the firewall. I would like to be able to change this address to be the gateway at my ISP. That will lessen the chances of recon and mess with a few heads. Is there any way?
-- Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA From wakko at animx.eu.org Mon Oct 30 18:38:07 2006 From: wakko at animx.eu.org (Wakko Warner) Date: Mon Oct 30 19:08:13 2006 Subject: Change Source In-Reply-To: <45462A20.3040504@gmail.com> References: <45462A20.3040504@gmail.com> Message-ID: <20061030173807.GA16619@animx.eu.org> Nathaniel Hall wrote: > Is there any way to change the source address of an outbound ICMP packet? > > Here is why I am asking. Instead of dropping packets I reject them with ICMP host unreachable > packets. If I were to try to initiate a connection to my firewall's outside IP I would get a host > unreachable from the same IP address as the firewall. I would like to be able to change this > address to be the gateway at my ISP. That will lessen the chances of recon and mess with a few > heads. Is there any way? I did this once, but for some reason it won't work with my current machine (Using an older kernel if that matters). Background: I have a range of IPs. I route the ones I am using to the proper interface and anything else gets icmp-network-unreachable. To do this I just did: iptables -I FORWARD -i internetif -o internetif -j REJECT ... In the nat/POSTROUTING chain I look for icmp-network-unreachable and -j SNAT it to the address I want. Unfortunately, it does this for all icmp-network-unreachable. I know of no way, other than the u32 patch, to determine what the original connection was. Be aware that your provider may not allow you to spoof the ip address and may just drop the packets that you altered. -- Lab tests show that use of micro$oft causes cancer in lab animals Got Gas??? From frnkblk at iname.com Tue Oct 31 04:53:27 2006 From: frnkblk at iname.com (Frank Bulk) Date: Tue Oct 31 05:33:00 2006 Subject: Some packets leaving Ethernet interface include a source port value of 1 Message-ID: I googled around and I found this addressed in two different threads, but I'm too dense to know how to resolve this in my configuration.
http://marc.theaimsgroup.com/?l=netfilter&m=114303032503010&w=2 http://lists.netfilter.org/pipermail/netfilter/2004-March/051044.html I have two DHCP servers, one with IP address a.b.c.22 and the other with a.b.c.23. These are set up in redundant form, such that if one fails, the other takes over. The master and floating IP address, much like VRRP, is a.b.c.24. My DHCP relays point to this IP address. The DHCP response packets have been given a rule to replace their source address from the .22 or .23 to the correct .24. When the DHCP relay was using a UDP src/dst port of 68/67 we had no problems, with just some of the DHCP Acks using a source port of 1. That's not great, but the big problem started when our DHCP relay started using a UDP src/dst port of 67/67. Now most DHCP Offers and Acks have a source port of 1. The NAT table has this rule: -A POSTROUTING -s a.b.c.22 -p udp -m udp --sport 67 -j SNAT --to-source a.b.c.24 And here's the output of iptables-save: # Generated by iptables-save v1.2.11 on Mon Oct 30 21:51:38 2006 *nat :PREROUTING ACCEPT [692:279420] :POSTROUTING ACCEPT [1696:186148] :OUTPUT ACCEPT [2070:309673] -A POSTROUTING -s a.b.c.22 -o eth0 -p udp -m udp --sport 67 -j SNAT --to-source a.b.c.24 COMMIT # Completed on Mon Oct 30 21:51:38 2006 Here's the relevant portion of my ifconfig: server1:~# ifconfig -a eth0 Link encap:Ethernet HWaddr 00:E0:81:64:B2:B1 inet addr:a.b.c.22 Bcast:a.b.c.255 Mask:255.255.255.0 inet6 addr: fe80::2e0:81ff:fe64:b2b1/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:790809 errors:0 dropped:0 overruns:0 frame:0 TX packets:263333 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:89577696 (85.4 Mb) TX bytes:71876862 (68.5 Mb) Interrupt:20 Base address:0x7000 eth0:0 Link encap:Ethernet HWaddr 00:E0:81:64:B2:B1 inet addr:a.b.c.24 Bcast:199.120.69.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:20 Base address:0x7000 Any ideas how to rewrite 
the POSTROUTING rule so that this works correctly? Regards, Frank From chenggh04 at st.lzu.edu.cn Tue Oct 31 05:35:49 2006 From: chenggh04 at st.lzu.edu.cn (chenggh04@st.lzu.edu.cn) Date: Tue Oct 31 06:51:23 2006 Subject: Does anyone have the tool which could be used for protocol transmission? Message-ID: <362269349.29086@st.lzu.edu.cn> Hi, everyone: Now I have a project. In this project I have to transmit the TCP protocol into UDP protocol. The basic structure is like this: 1 tcp 2 udp 3 tcp 4 MyProject 1 tcp 4 in common In common when the 1 and 4 communicate with each other they use tcp/ip protocol. But in my project because of some reasons I have to add 2 proxies in this line such as 2 and 3 based on udp protocol. I want to know if you have the better resolution or good protocol transmission tool? Best wishes. Thank you. cheng From manish.jain at globallogic.com Tue Oct 31 10:58:31 2006 From: manish.jain at globallogic.com (Manish Jain) Date: Tue Oct 31 12:23:51 2006 Subject: maximum tuple support of hashlimit In-Reply-To: <453B4BD6.8080003@rtij.nl> Message-ID: <002101c6fcd3$1ef3a1e0$6f00a8c0@synapse.com> Hello Friends, I am using hashlimit with hashlimit-mode as srcip-dstip. My expectation is to have hashlimit for source-ip and destination ip tuple. My question is, how many tuples can hashlimit manage at any instance of time? Best Regards, Manish Jain From xpisar at fi.muni.cz Tue Oct 31 13:21:21 2006 From: xpisar at fi.muni.cz (Petr Pisar) Date: Tue Oct 31 15:19:52 2006 Subject: Does anyone have the tool which could be used for protocol transmission? References: <362269349.29086@st.lzu.edu.cn> Message-ID: On 2006-10-31, wrote: > Hi, everyone: > Now I have a project. In this project I have to transmit the TCP > protocol into UDP protocol. [...] > I want to know if you have the better resolution or good protocol > transmission tool? There exists a protocol called AYIYA [http://www.sixxs.net/tools/ayiya/], but it does more things like authentication.
-- Petr From pablo at blueoakdb.com Tue Oct 31 14:58:19 2006 From: pablo at blueoakdb.com (Pablo Sanchez) Date: Tue Oct 31 15:38:00 2006 Subject: maximum tuple support of hashlimit In-Reply-To: <002101c6fcd3$1ef3a1e0$6f00a8c0@synapse.com> Message-ID: <013301c6fcf4$9f019a60$0419a8c0@fly> > -----Original Message----- > From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of > Manish Jain > Sent: Tuesday, October 31, 2006 4:59 AM > To: netfilter@lists.netfilter.org > Subject: maximum tuple support of hashlimit > > Hello Friends, > > I am using hashlimit with hashlimit-mode as srcip-dstip. My > expectation is > to have hashlimit for source-ip and destination ip tuple. > > My question is, how many tuple, hashlimit can manage at any > instance of > time? Hi, I'm not entirely sure about your question. The 'man iptables' shows for 'hashlimit' the following two tunable parameters which may address your question(?): --hashlimit-htable-size num The number of buckets of the hash table --hashlimit-htable-max num Maximum entries in the hash Cheers, --- Pablo Sanchez - Blueoak Database Engineering, Inc Ph: 819.459.1926 Toll free: 888.459.1926 Cell: 819.918.9731 Pgr: pablo_p@blueoakdb.com Fax: 603.720.7723 (US) From ged at jubileegroup.co.uk Tue Oct 31 16:15:50 2006 From: ged at jubileegroup.co.uk (G.W. Haywood) Date: Tue Oct 31 16:55:37 2006 Subject: Does anyone have the tool which could be used for protocol transmission? In-Reply-To: <200610311402.k9VE1neX001537@mail3.jubileegroup.co.uk> References: <200610311402.k9VE1neX001537@mail3.jubileegroup.co.uk> Message-ID: Hi there, On Tue, 31 Oct 2006 chenggh04@st.lzu.edu.cn wrote: > Now I have a project. In this project I have to transmit the TCP > protocol into UDP protocol. [...] I want to know if you have the better > resolution or good protocol transmisson tool? I think your .edu establishment is trying to get you to think about it. 
If you truly want to encapsulate TCP in UDP then you're going to have to find out what TCP does that UDP doesn't do. There's no substitute for reading the documentation here, you can easily find what you need on the Web using Google (even in China:). Then you're going to have to come up with some code which can take a TCP connection and transmit/receive/maintain all the data, status etc. associated with it over some medium (I guess it doesn't matter what the medium is?) using UDP so that your code makes up for what UDP lacks. (Hint: TCP is intended to be a 'reliable' protocol, UDP is not.) OpenVPN for example can do this, it might help you to look at that project. I think this is well Off Topic for the netfilter List. 73, Ged. From dufresne at sysinfo.com Tue Oct 31 20:54:11 2006 From: dufresne at sysinfo.com (R. DuFresne) Date: Tue Oct 31 21:36:32 2006 Subject: Blocking SMTP Worm In-Reply-To: <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com> References: <19fb1ac90610240653x69cc1951g9766d7c809ddecef@mail.gmail.com> <19fb1ac90610240654x44bdd20em7e04b21469739a10@mail.gmail.com> Message-ID: On Tue, 24 Oct 2006, Juan Carlos Peláez Mendoza wrote: > Hi list, > > My IP Address has been listed in the RBL's too many times, I > installed into my linux box MailScanner + Spamassassin + Clamavmodule > + FProt, I set up the iptables rules allowing only smtp, pop and ssh > traffic, but when I see the traffic with tcpdump I see this strange > behavior: > [SNIP] > > What can I do to stop and block this worm??? > Wipe out the OS on 192.168.0.92, reinstall from scratch and apply all patches and updates prior to exposing to the internet. That should clear up the spam worm.
Thanks, Ron DuFresne - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 ...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins From alan.ezust at presinet.com Tue Oct 31 23:38:00 2006 From: alan.ezust at presinet.com (Alan Ezust) Date: Wed Nov 1 00:17:52 2006 Subject: iptables: Unknown error 4294967295 In-Reply-To: <200609260041.k8Q0fikT014394@toshiba.co.jp> References: <20060926000301.GC10112@fmp.com> <200609260041.k8Q0fikT014394@toshiba.co.jp> Message-ID: <200610311438.05556.alan.ezust@presinet.com> I was getting this too, and my problem was related to the fact that my kernel was configured with CONFIG_NETFILTER_NETLINK=m. I changed that to a "y" and my UNKNOWN ERROR went away. And yes, I was loading the module at the right time in my /etc/modules, but that didn't seem to make a difference to netfilter. On Monday 25 September 2006 17:41, Yasuyuki KOZAKAI wrote: > Hello, > > From: Lindsay Haisley > Date: Mon, 25 Sep 2006 19:03:01 -0500 > > > When I execute the following: > > > > iptables -t nat -I PREROUTING -s 10.8.0.1 -i tap0 -j SNAT --to-source > > 216.110.12.105 > > > > ... I'm getting the error: > > > > iptables: Unknown error 4294967295 > > > > (4294967295 = an unsigned representation of a signed long int of -1) > > > > Running this under strace shows the following: > > > > > > mmap2(NULL, 7648, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = > > 0xb7fbb000 > > mmap2(0xb7fbc000, 4096, PROT_READ|PROT_WRITE, > > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xb7fbc000 close(3) > > = 0 > > socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3 > > getsockopt(3, SOL_IP, 0x40 /* IP_???
*/, > > "nat\0\1\0\0\0\335g\21\300\0\0\0\0\224\313F\300\1\0\0\0"..., [84]) = 0 > > getsockopt(3, SOL_IP, 0x41 /* IP_??? */, > > "nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [656]) = 0 > > setsockopt(3, SOL_IP, 0x40 /* IP_??? */, > > "nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 876) = -1 > > EINVAL (Invalid argument) write(2, "iptables: Unknown error 42949672"..., > > 35iptables: Unknown error 4294967295 ) = 35 > > exit_group(1) = ? > > Process 10231 detached > > > > Apparently the error is originating in a malformed socket option call. > > What's happening here, and how can I fix it? I'm running kernel > > 2.6.17-gentoo-r4, iptables v1.3.5. > > > > I have about every possible kernel netfilter capability compiled as a > > module, or built into the kernel. > > Is your iptables a 32bit binary and do you run it on a 64bit kernel ? > And did syslog output anything ? > > -- Yasuyuki Kozakai -- Alan Ezust www.presinet.com Presinet, inc alan.ezust@presinet.com Victoria, BC,Canada