From rayed at saudi.net.sa Tue May 1 08:30:22 2007
From: rayed at saudi.net.sa (Rayed)
Date: Tue May 1 09:30:48 2007
Subject: Forking inside netfilter queue
References: <4635EC8E.4090905@saudi.net.sa>
Message-ID: <4636DE7E.80600@saudi.net.sa>

Thanks Jan for the reply.

I know how preforking works (almost); what I want to know is whether multiple
processes can access the same queue API without breaking anything.

Jan Engelhardt wrote:
> On Apr 30 2007 16:18, Rayed wrote:
>
>> I am building a netfilter queue application that implements a simple
>> HTTP filter.
>>
>> It basically will capture the packet, extract the URL, and issue a
>> MySQL lookup to see if the address is permitted or blocked.
>>
>> My only fear is that the address lookup will block the traffic until I
>> get the lookup reply, so I am thinking of using a preforking model to
>> fork 10-20 processes to handle the same queue.
>>
>> Has anyone done multi-process handling of the queue, is it even doable?
>>
>
> See Apache, it uses preforking. But perhaps threading is much simpler
> and equally fast.
>
>
> Jan
>

From jengelh at linux01.gwdg.de Tue May 1 10:32:19 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue May 1 11:32:31 2007
Subject: Forking inside netfilter queue
In-Reply-To: <4636DE7E.80600@saudi.net.sa>
References: <4635EC8E.4090905@saudi.net.sa> <4636DE7E.80600@saudi.net.sa>

On May 1 2007 09:30, Rayed wrote:
>
> Thanks Jan for the reply.
>
> I know how preforking works (almost); what I want to know is whether
> multiple processes can access the same queue API without breaking anything.

Well, you should be aware that calling ipq_read() [or whatever it's called
now] in a thread may return a packet that does not actually belong to the
connection you created a certain thread for. Maybe you even need to
pthread_mutex_* around calls to ipq_*; I am not sure if libipq (or whatever
we use now) does that by itself.

Jan
--
From joel at waveteq.com Tue May 1 20:27:04 2007
From: joel at waveteq.com (Joel Lindsay)
Date: Tue May 1 21:27:04 2007
Subject: Can't get --dport to work
References: <4635EC8E.4090905@saudi.net.sa><4636DE7E.80600@saudi.net.sa>
Message-ID: <006b01c78c1e$515f5c20$aa64a8c0@JOELDESKTOP>

Hi,

At one time I had this working. I could match on the ports and deny http
traffic from certain interfaces. Now I get an error message and I am not
sure what is causing it. Can anyone help?

# iptables -A OUTPUT -i ath0 -p tcp --dport 80 -j ACCEPT
iptables v1.3.6-20061129: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.

Thanks,

Joel Lindsay, B.Eng
Project Engineer
From michael.heimpold at s2000.tu-chemnitz.de Tue May 1 21:32:41 2007
From: michael.heimpold at s2000.tu-chemnitz.de (Michael Heimpold)
Date: Tue May 1 23:04:36 2007
Subject: ip_conntrack crashes box with kernel 2.6.13.1
Message-ID: <001f01c78c27$7e4f7c20$0108a8c0@kerker>

Hi,

we (some guys at the German IP-Phone-Forum http://www.ip-phone-forum.de)
have some trouble with the ip_conntrack kernel module on the AVM Fritz!Boxes
(embedded DSL/WLAN/VoIP devices, very popular in Germany). The (newest)
firmwares of these boxes run with kernel version 2.6.13.1 (mipsel platform,
32 MB RAM).

The problem is that the box crashes or reboots (probably triggered by the
internal watchdog) as soon as the ip_conntrack module is simply loaded via
modprobe/insmod. There is no need for creating any rule with iptables;
loading the module is sufficient and the box hangs after exactly 3 hours
(+-5min).

Firstly, we suspected a low-on-memory condition, so I studied the source
code. I found out that the hashsize is calculated upon a wrong value (256
buckets should be normal for 32 MB RAM, the module uses 2816 buckets). But
also when limiting the hashsize via module parameter the problem still
exists.

I don't know enough about the netfilter internals, but I wonder what happens
after 3h. There should still be enough free memory (some guys already tried
adding swap space).

The fun has just begun: unloading the ip_conntrack module after 2 hours via
cron, re-loading it etc., and the crash/reboot doesn't occur.

We also enabled some additional printk in the module for debugging, but
dmesg/syslog/console doesn't give any useful approach for tracking down the
problem...

You can read the following forum thread, which contains some additional info
(in German, sorry): http://www.ip-phone-forum.de/showthread.php?t=134683

Any hints?

Thanks,
Michael

PS: sorry for my poor English
From ksivakumar at packetmotion.com Tue May 1 22:28:36 2007
From: ksivakumar at packetmotion.com (Krishnamoorthy (Siva) Sivakumar)
Date: Tue May 1 23:28:37 2007
Subject: Can't get --dport to work
In-Reply-To: <006b01c78c1e$515f5c20$aa64a8c0@JOELDESKTOP>
References: <4635EC8E.4090905@saudi.net.sa><4636DE7E.80600@saudi.net.sa> <006b01c78c1e$515f5c20$aa64a8c0@JOELDESKTOP>

I don't know why it complains about the --dport option. However, I don't see
how the -i ath0 option is compatible with the OUTPUT chain.

Siva

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Joel Lindsay
Sent: Tuesday, May 01, 2007 11:27 AM
To: netfilter@lists.netfilter.org
Subject: Can't get --dport to work

Hi,

At one time I had this working. I could match on the ports and deny http
traffic from certain interfaces. Now I get an error message and I am not
sure what is causing it. Can anyone help?

# iptables -A OUTPUT -i ath0 -p tcp --dport 80 -j ACCEPT
iptables v1.3.6-20061129: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.

Thanks,

Joel Lindsay, B.Eng
Project Engineer

From takhtaei at amnafzar.com Wed May 2 08:23:22 2007
From: takhtaei at amnafzar.com (Bahamin Takhtaei)
Date: Wed May 2 09:27:55 2007
Subject: Question about running nf_queue
Message-ID: <46382E5A.9060201@amnafzar.com>

Hi,

I installed libnfnetlink_0.0.16 and libnetfilter-queue_0.0.12; now please
tell me how I can use nf_queue instead of ip_queue?
From eric at inl.fr Wed May 2 08:55:42 2007
From: eric at inl.fr (Eric Leblond)
Date: Wed May 2 09:55:45 2007
Subject: Question about running nf_queue
In-Reply-To: <46382E5A.9060201@amnafzar.com>
References: <46382E5A.9060201@amnafzar.com>
Message-ID: <1178088942.861.19.camel@localhost>

Hi,

On Wednesday 02 May 2007 at 10:53 +0430, Bahamin Takhtaei wrote:
> Hi,
> I installed libnfnetlink_0.0.16 and libnetfilter-queue_0.0.12;
> now please tell me how I can use nf_queue instead of ip_queue?

The API has changed and you need to use a modified version of the software
you use. Thus look at the configure options to see if nf_queue support is
already available.

If you are interested in porting the software, you can have a look at
nfqnl_test.c in the libnetfilter_queue source or at the NuFW code. You can
find doxygen documentation of the more interesting fields related to this
subject here:
http://docs.nufw.org/doxygen/trunk/html/packetsrv_8c-source.html

Best regards,
--
Eric Leblond
INL
From omasnjak at gmail.com Wed May 2 14:00:51 2007
From: omasnjak at gmail.com (Elvir Kuric)
Date: Wed May 2 15:00:53 2007
Subject: Port forwarding question
In-Reply-To: <4636295F.7040202@gmail.com>
References: <4636295F.7040202@gmail.com>
Message-ID: <1814bfe70705020500m24c58888y4bb9fcb595cfafa2@mail.gmail.com>

Hi all,

maybe you can try this

iptables -t nat -A PREROUTING -p tcp --dport 10000 -i ppp0 -m iprange \
  --dst-range 192.168.0.2-192.168.0.254 \
  -j DNAT --to-destination 192.168.0.2-192.168.0.254

or check
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#IPRANGEMATCH

Regards
Elvir Kuric

On 4/30/07, David wrote:
> Hi all - first post, should be a simple question but google and the docs
> are not helping
>
> I want to forward port 10000 from internal hosts to the internet and it
> works with:
>
> iptables -t nat -A PREROUTING -p tcp --dport 10000 -i ppp0 -j DNAT --to 192.168.0.2
>
> for the host with ip 192.168.0.2, but how do I forward it for a range of
> hosts, ie 192.168.0.2-192.168.0.254
>
> I try
>
> iptables -t nat -A PREROUTING -p tcp --dport 10000 -i ppp0 -j DNAT --to
> 192.168.0.2-192.168.0.254
>
> but it does not work for any other hosts
>
> iptables -L -v -t nat
> gives the range, but does not actually forward the port in any apps
> tcp dpt:10000 to:192.168.0.2-192.168.0.254
>
> How do I forward the range of ports?
> TIA,
> David
>
> ==============================================
> Running gentoo 2.16.18.4, iptables 1.3.5
>
From omasnjak at gmail.com Wed May 2 14:05:32 2007
From: omasnjak at gmail.com (Elvir Kuric)
Date: Wed May 2 15:05:33 2007
Subject: my DNAT not working...help
In-Reply-To: <001a01c78b35$77917f20$648045ac@Sneak>
References: <001a01c78b35$77917f20$648045ac@Sneak>
Message-ID: <1814bfe70705020505g735a96cal7bfe355faa10aef1@mail.gmail.com>

Hi,

maybe try

route add default gw 10.x.x.x ....

what is the default gateway for the 10.22.200.25 host (or for that network)
..... please copy/paste route -n on host 10.22.200.25

Regards
Elvir Kuric

On 4/30/07, sneak@ipnoc.co.za wrote:
> Hi my DNAT is no longer working?
>
> This used to work on kernel 2.6.10 FC3; I am now running kernel 2.6.18 on
> CentOS5 due to hardware upgrade
>
> These are my nat rules ..
>
> iptables -t nat -A POSTROUTING -o eth1 -s 10.22.200.25 -j SNAT --to 172.15.0.15
> iptables -t nat -A PREROUTING -i eth1 -d 172.15.0.15 -j DNAT --to 10.22.200.25
>
> I can see my traffic getting natted to 172.15.0.15 through a tcpdump, but
> not back to 10.22.200.25
> any ideas?
>
>
From linux4michelle at freenet.de Wed May 2 19:18:59 2007
From: linux4michelle at freenet.de (Michelle Konzack)
Date: Wed May 2 20:23:17 2007
Subject: Wireless Login Page
In-Reply-To: <1177785807.3828.227.camel@ws1.walco02.com>
References: <1177772620.3828.176.camel@ws1.walco02.com> <46338845.1020605@lopsch.com> <1177785807.3828.227.camel@ws1.walco02.com>
Message-ID: <20070502171859.GG1894@freenet.de>

Hello Kirk and *,

On 2007-04-28 11:43:27, Kirk Wallace wrote:
> I was using 192.168.21.2 just to test whether httpd would respond to any
> IP address sent on the 192.168.21.0/24 address space.
>
> I envision that a person would boot their wireless laptop and scan for
> hotspots. They would see my hotspot and connect. Then my DHCP server
> would give the laptop an IP address, subnet mask, gateway address, DNS1
> and DNS2. Then the user would start firefox and try to open a link to
> anywhere.com, but I have FORWARD denied to all but logged in users
> (which have a tunnel IP address on another subnet). At this point, I
> want the anywhere.com request to invoke the httpd on the wireless router
> to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd
> are on the same PC.

This is exactly what I want to do too. But once the $CLIENT has gotten its
DHCP IP address, then ANY connections (any ports except DNS and DHCP) must
be blocked until the user has once started a web browser and authenticated.

I was thinking that if the $USER opens a connection plus auth, the
connection will be dropped for example 5 minutes after the last traffic
going over the interface with the specified MAC/IP.

I have not found any examples of how to do this. Would you like to share
your config? And especially how you have set up your "first-connect" page
to auth?

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack    Apt. 917                ICQ #328449886
50, rue de Soultz   MSN LinuxMichi
0033/6/61925193     67100 Strasbourg/France  IRC #Debian (irc.icq.com)

From pascal.mail at plouf.fr.eu.org Wed May 2 19:47:36 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Wed May 2 20:48:22 2007
Subject: SIP conntrack question
In-Reply-To: <3931e0d50704301448u354ae3afo81e155e6ecfff09d@mail.gmail.com>
References: <3931e0d50704301448u354ae3afo81e155e6ecfff09d@mail.gmail.com>
Message-ID: <4638CEB8.3020404@plouf.fr.eu.org>

Hello,

Sanjoy Dey wrote:
>
> I am trying to find out whether the SIP connection tracking module
> that was introduced in 2.6.18 works even if SIP runs on ports OTHER
> THAN 5060.

"modinfo ip_conntrack_sip" will tell you about the optional "ports"
parameter which takes a comma-separated port list.

> Would the helper module listen on all ports for a SIP/SDP
> header to find out which ports to open up for RTP or RTCP?

No. It watches only the port list (up to 8 ports) provided in the "ports"
parameter. By default, it watches only port 5060. Note that if you want to
watch port 5060 and some other ports, you must explicitly put 5060 in the
list.
From frozenspot at gmail.com Thu May 3 01:06:05 2007
From: frozenspot at gmail.com (fender)
Date: Thu May 3 02:06:17 2007
Subject: [ANNOUNCE] new match extension about Port Knocking and SPA
Message-ID: <7e36c7130705021606kcbae516g1e34adabd3b441f@mail.gmail.com>

Hi,

We hope that this project can be added to the p-o-m, as netfilter
experimental part.

(*) Abstract

The PortKnockO Project implements Port Knocking and SPA (Simple Packet
Authentication) in kernel space, as a netfilter match extension. For
instance, this can be used to avoid brute force attacks to ssh or ftp
services.

It allows you to send messages from the kernel module to a user
application. For instance, this would make it possible to start up an
application (such as a web server) after a peer has knocked the ports
specified in a port knocking rule.

Pros:
+ You can configure Port Knocking or SPA rules with the iptables syntax.
+ It does not require any daemons running in background.
+ You do not need to know a new syntax depending on an application.
+ The netfilter module can send messages to a user application through
  netlink sockets.

(*) Status

This project is in beta version and it is still under development.

(*) You can check the source code out here:

svn checkout svn://svn.berlios.de/portknocko/trunk

(*) More information at http://portknocko.berlios.de/

Any feedback is welcome!

Regards,
--
J. Federico Hernandez

Attachment: pknock-0.3.tar.gz (application/x-gzip, 20648 bytes)
/pipermail/netfilter/attachments/20070503/c5b7267f/pknock-0.3.tar-0001.bin
From alan.ezust at presinet.com Thu May 3 01:56:43 2007
From: alan.ezust at presinet.com (Alan Ezust)
Date: Thu May 3 02:56:53 2007
Subject: missing DESTROY events in conntrack -e output?
Message-ID: <200705021656.45401.alan.ezust@presinet.com>

I was just wondering, has anyone else observed that conntrack -e (running
in events mode) sometimes shows me DESTROY events and sometimes does not,
even for TCP protocol packets. Why would this be?

From kaber at trash.net Thu May 3 13:01:36 2007
From: kaber at trash.net (Patrick McHardy)
Date: Thu May 3 14:03:46 2007
Subject: [ANNOUNCE] new match extension about Port Knocking and SPA
In-Reply-To: <7e36c7130705021606kcbae516g1e34adabd3b441f@mail.gmail.com>
References: <7e36c7130705021606kcbae516g1e34adabd3b441f@mail.gmail.com>
Message-ID: <4639C110.6000407@trash.net>

fender wrote:
> We hope that this project can be added to the p-o-m, as netfilter
> experimental part.

We don't add entirely externally developed things to pom anymore, but we
could add an external repository to the sources.list.

From alex at hackgod.org Thu May 3 17:25:30 2007
From: alex at hackgod.org (Alex)
Date: Thu May 3 18:25:51 2007
Subject: Forking inside netfilter queue
References: <4635EC8E.4090905@saudi.net.sa>
Message-ID: <002901c78d97$4f60f1c0$0a00080a@rhea>

Unless there are a real lot of these addresses that are permitted, and they
change rapidly, then I'd expect it would be a better design to get all the
valid URIs from the MySQL query on init and store them in a linked list.

Also, people already do this type of thing with an HTTP proxy like squid
before the HTTPd.

----- Original Message -----
From: "Rayed"
Sent: Monday, April 30, 2007 2:18 PM
Subject: Forking inside netfilter queue

> Hi,
>
> I am building a netfilter queue application that implements a simple HTTP
> filter.
>
> It basically will capture the packet, extract the URL, and issue a MySQL
> lookup to see if the address is permitted or blocked.
>
> My only fear is that the address lookup will block the traffic until I
> get the lookup reply, so I am thinking of using a preforking model to
> fork 10-20 processes to handle the same queue.
>
> Has anyone done multi-process handling of the queue, is it even doable?
>
> Rayed
>
>

From rayed at saudi.net.sa Thu May 3 21:20:55 2007
From: rayed at saudi.net.sa (Rayed Alrashed)
Date: Thu May 3 19:21:09 2007
Subject: Forking inside netfilter queue
In-Reply-To: <002901c78d97$4f60f1c0$0a00080a@rhea>
References: <4635EC8E.4090905@saudi.net.sa> <002901c78d97$4f60f1c0$0a00080a@rhea>
Message-ID: <463A3617.7050702@saudi.net.sa>

> Unless there are a real lot of these addresses that are permitted, and
> they change rapidly, then I'd expect it would be a better design to
> get all the valid URIs from the MySQL query on init and store them in
> a linked list.

I am afraid this is not an option, because my final goal is to integrate my
application with an external vendor database using the vendor's own API.

> Also, people already do this type of thing with an HTTP proxy like
> squid before the HTTPd.

I've tested HTTP proxy before, but the overhead is very big, and I couldn't
get the proxy to handle high loads.

Another problem with proxy servers is using the proxy's own IP for outgoing
requests; unfortunately using the same IP for many requests triggers many
IDSes to block the proxy IP.

What I am trying to do is a light weight HTTP filter, by searching for HTTP
requests in packets traveling on the wire, with minimal TCP reassembly to
find HTTP requests spanning more than one packet.
From andres at paglayan.com Thu May 3 18:44:11 2007
From: andres at paglayan.com (Andres Paglayan)
Date: Thu May 3 19:44:35 2007
Subject: Proxy arping
Message-ID: <4BE2588D-6B2F-4D89-A5DC-149A048545D6@paglayan.com>

Hi,

how can I properly set proxy arping in a one to one mapped nat?

I have a router with 192.168.1.0 on one side (our lan eth0) and
192.168.50.0 on the other (other lan eth2), plus an internet gateway (eth3)

this is the routing table

root@ipcop:~/scripts # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    *               255.255.255.0   U     0      0        0 eth2
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
65.19.28.0      *               255.255.255.0   U     0      0        0 eth3
172.22.0.0      *               255.255.254.0   U     0      0        0 eth2
172.16.2.0      *               255.255.254.0   U     0      0        0 eth2
172.16.0.0      *               255.255.254.0   U     0      0        0 eth2
default         65.19.28.1      0.0.0.0         UG    0      0        0 eth3

at the 50.0 side, I am routing traffic to other subnets as well, ie
172.16.2.0/23

For the applications we are running, instead of regular natting, I am using
the NETMAP target of iptables, which instead of making the packets appear as
going out from 192.168.50.1 maps them to addresses in 50.0/24, i.e. when a
packet goes from 192.168.1.5 to 172.16.2.34 traversing the 192.168.50.1
device, the router mangles it and makes it appear as going out from
192.168.50.5 and then translates back.

everything goes fabulous, but I am having a problem with arping: arp
questions addressed to 192.168.50.0/24 are not reaching my router's device.

I have been reading and experimenting with this a bunch,
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp (and on eth0)
on the proper device is set, but still not proxy arping.

is there anybody with experience on this proxy arp issue?

Thanks,

Andres
From alex at hackgod.org Thu May 3 19:48:20 2007
From: alex at hackgod.org (Alex)
Date: Thu May 3 20:48:29 2007
Subject: Forking inside netfilter queue
In-Reply-To: <463A3617.7050702@saudi.net.sa>
References: <4635EC8E.4090905@saudi.net.sa> <002901c78d97$4f60f1c0$0a00080a@rhea> <463A3617.7050702@saudi.net.sa>
Message-ID: <13098.213.106.233.77.1178214500.squirrel@xeentech.com>

If you were to do this with the queue lib, then you'd actually have to
either let the client establish the connection OR fake that the connection
was established, before the HTTP request you want to rule on is sent.

Also keep in mind that the servers/clients might want to do a Keep-alive or
long lived HTTP session, with multiple HTTP requests. Keeping track of
that, from an NFNetlink/Queue based interface would be hectic.

>
>> Unless there are a real lot of these addresses that are permitted, and
>> they change rapidly, then I'd expect it would be a better design to
>> get all the valid URIs from the MySQL query on init and store them in
>> a linked list.
> I am afraid this is not an option, because my final goal is to integrate my
> application with an external vendor database using the vendor's own API.
>
>
>> Also, people already do this type of thing with an HTTP proxy like
>> squid before the HTTPd.
>
> I've tested HTTP proxy before, but the overhead is very big, and I
> couldn't get the proxy to handle high loads.
>
> Another problem with proxy servers is using the proxy's own IP for
> outgoing requests; unfortunately using the same IP for many requests
> triggers many IDSes to block the proxy IP.
>
> What I am trying to do is a light weight HTTP filter, by searching for
> HTTP requests in packets traveling on the wire, with minimal TCP
> reassembly to find HTTP requests spanning more than one packet.
>
From alan.ezust at presinet.com Thu May 3 19:51:51 2007
From: alan.ezust at presinet.com (Alan Ezust)
Date: Thu May 3 20:52:04 2007
Subject: conntrack -e filter by ethernet addr?
In-Reply-To: <200705021656.45401.alan.ezust@presinet.com>
References: <200705021656.45401.alan.ezust@presinet.com>
Message-ID: <200705031051.53718.alan.ezust@presinet.com>

First, please ignore my previous message about the missing conntrack
destroy events. I was distracted by another problem that was causing me
grief and looking in the wrong place.

I had another question about conntrack - is there an easy way to tell
conntrack -e to only report conntrack entries for one ethernet address?

Alternately, I see that I can supply a src_mask and a dest_mask, but I'm
not sure how to specify inverse masks there. For example, I want to specify
that conntrack -e shows me the entries with src or dest which are not in
the ranges of 127.127.0.1/24 and 192.168.1.0/24. Can I specify multiple
inverse masks?

On Wednesday 02 May 2007 16:56, Alan Ezust wrote:
> I was just wondering, has anyone else observed that conntrack -e (running
> in events mode) sometimes shows me DESTROY events and sometimes does not,
> even for TCP protocol packets. Why would this be?

--
Alan Ezust                  www.presinet.com
Presinet, inc               alan.ezust@presinet.com
Victoria, BC, Canada
From jengelh at linux01.gwdg.de Thu May 3 20:12:14 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu May 3 21:12:43 2007
Subject: Proxy arping
In-Reply-To: <4BE2588D-6B2F-4D89-A5DC-149A048545D6@paglayan.com>
References: <4BE2588D-6B2F-4D89-A5DC-149A048545D6@paglayan.com>

On May 3 2007 10:44, Andres Paglayan wrote:
>
> Hi,
>
> how can I properly set proxy arping in a one to one mapped nat?
>
> I have a router with 192.168.1.0 on one side (our lan eth0) and
> 192.168.50.0 on the other (other lan eth2), plus an internet
> gateway (eth3)
>
> this is the routing table
>
> root@ipcop:~/scripts # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.50.0    *               255.255.255.0   U     0      0        0 eth2
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
> 65.19.28.0      *               255.255.255.0   U     0      0        0 eth3
> 172.22.0.0      *               255.255.254.0   U     0      0        0 eth2
> 172.16.2.0      *               255.255.254.0   U     0      0        0 eth2
> 172.16.0.0      *               255.255.254.0   U     0      0        0 eth2
> default         65.19.28.1      0.0.0.0         UG    0      0        0 eth3
>
>
> at the 50.0 side, I am routing traffic to other subnets as well, ie
> 172.16.2.0/23
>
> For the applications we are running, instead of regular natting,
> I am using the NETMAP target of iptables,
> which instead of making the packets appear as going out from 192.168.50.1
> maps them to addresses in 50.0/24
> i.e. when a packet goes from 192.168.1.5 to 172.16.2.34 traversing the
> 192.168.50.1 device
> the router mangles it and makes it appear as going out from 192.168.50.5
> and then translates back
>
> everything goes fabulous, but I am having a problem with arping,
> arp questions addressed to 192.168.50.0/24 are not reaching my router's device,
>
> I have been reading and experimenting with this a bunch,
> echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp (and on eth0)
> on the proper device is set, but still not proxy arping,
>
>
> is there anybody with experience on this proxy arp issue?

If you can't get arpd running, try arp faking:

brctl addbr br0;
brctl addif br0 eth0 eth2;
ebtables -t broute -P BROUTING DROP;
ebtables -t broute -A BROUTING -p arp --arp-opcode request -j ACCEPT;
ebtables -t nat -A PREROUTING -i eth0 -p arp --arp-opcode request \
    -j arpreply --arpreply-mac `cat /sys/class/net/eth0/address` \
    --arpreply-target DROP;
# repeat last command for eth2

Assume now that 192.168.1.5 contacts 172.16.2.34; it will send out "arp
who-has 172.16.2.34". The router will then reply "arp 172.16.2.34 is at
AA:BB:CC:DD:EE:FF" -- however the MAC address reported back to .1.5 is not
the one of .2.34, but the one of the eth0 card. This makes sure that packets
for .2.34 do actually get routed to the router. The router then asks for
.2.34 itself (arp replies by ebtables do NOT end up in the arp cache,
thankfully) and should forward it.

BTW, why would you need NETMAP?

Jan
--
From rayed at saudi.net.sa Thu May 3 20:39:48 2007
From: rayed at saudi.net.sa (Rayed Alrashed)
Date: Thu May 3 21:40:01 2007
Subject: Forking inside netfilter queue
In-Reply-To: <13098.213.106.233.77.1178214500.squirrel@xeentech.com>
References: <4635EC8E.4090905@saudi.net.sa> <002901c78d97$4f60f1c0$0a00080a@rhea> <463A3617.7050702@saudi.net.sa> <13098.213.106.233.77.1178214500.squirrel@xeentech.com>
Message-ID: <463A2C74.90401@saudi.net.sa>

>
> If you were to do this with the queue lib, then you'd actually have to
> either let the client establish the connection OR fake that the connection
> was established, before the HTTP request you want to rule on is sent.
>

Of course! I want my application to be totally transparent to the client.
The client will use a regular browser without any proxy, and I won't inspect
TCP handshaking packets, only packets that look like HTTP requests.

> Also keep in mind that the servers/clients might want to do a Keep-alive or
> long lived HTTP session, with multiple HTTP requests. Keeping track of
> that, from an NFNetlink/Queue based interface would be hectic.
>

According to my tests and observations, most HTTP requests reside in a
single packet; for requests that span more than one packet, I'll start
tracking the session when I get a packet that looks like the beginning of an
HTTP request, and stop when I get the "Host" header.

For example:

3rd Packet: "GET /ver_long_uri\r\n"
It looks like the start of an HTTP request. Start tracking.

4th Packet: "Host: ad-ware.domain\r\n\r\n"
I have URI+HOST. Stop tracking.

In this case I won't have to keep track of the whole TCP session, only what
I need to get URI and HOST. This will allow me to process more packets with
minimal session tracking.
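The "start tracking at a request line, stop at the Host header" scheme Rayed describes above, written out as an added example (it is not code from this thread or from any project mentioned in it): one tracker per flow is fed the TCP payload of each queued packet; it buffers from a segment that begins with an HTTP method token until the Host header line is complete, reports the URI and host, and then resets itself so the next request on a keep-alive connection (Alex's concern) is caught too. The struct and function names, the method list, the 2 KiB header limit and the payloads in main() are all constructed for this illustration.

```c
/* Added example (not code from the thread): per-flow HTTP request tracking
 * over TCP payload chunks, from a request-line start to the Host header. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TRACK_BUFSZ 2048                 /* constructed limit for one request's headers */

struct http_tracker {
    char buf[TRACK_BUFSZ]; size_t len;
    int tracking;                        /* 1 between a request start and its Host header */
    char uri[512], host[256];            /* filled in when tracker_feed() returns 1 */
};

static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", NULL };

void tracker_init(struct http_tracker *t) { memset(t, 0, sizeof *t); }

/* Does this payload start like an HTTP request line? */
static int looks_like_request(const char *p, size_t n)
{
    for (int i = 0; methods[i]; i++) {
        size_t m = strlen(methods[i]);
        if (n >= m && memcmp(p, methods[i], m) == 0) return 1;
    }
    return 0;
}

static const char *find_crlf(const char *p, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++)
        if (p[i] == '\r' && p[i + 1] == '\n') return p + i;
    return NULL;
}

/* Case-insensitive prefix test; caller guarantees s has strlen(lower) bytes. */
static int has_prefix_ci(const char *s, const char *lower)
{
    for (; *lower; s++, lower++)
        if (tolower((unsigned char)*s) != *lower) return 0;
    return 1;
}

/* 1 = uri+host extracted, 0 = need more bytes, -1 = give up on this request. */
static int try_parse(struct http_tracker *t)
{
    const char *p = t->buf, *end = t->buf + t->len;
    const char *eol = find_crlf(p, t->len);
    if (!eol) return 0;                                   /* request line incomplete */
    const char *sp1 = memchr(p, ' ', (size_t)(eol - p));
    if (!sp1) return -1;
    const char *sp2 = memchr(sp1 + 1, ' ', (size_t)(eol - sp1 - 1));
    const char *uri_end = sp2 ? sp2 : eol;               /* tolerate a missing HTTP-version */
    size_t ulen = (size_t)(uri_end - (sp1 + 1));
    if (ulen == 0 || ulen >= sizeof t->uri) return -1;
    for (const char *line = eol + 2; line < end; ) {
        const char *le = find_crlf(line, (size_t)(end - line));
        if (!le) return 0;                                /* header line incomplete */
        if (le == line) return -1;                        /* blank line: headers ended, no Host */
        if ((size_t)(le - line) >= 5 && has_prefix_ci(line, "host:")) {
            const char *v = line + 5;
            while (v < le && (*v == ' ' || *v == '\t')) v++;
            size_t hlen = (size_t)(le - v);
            if (hlen == 0 || hlen >= sizeof t->host) return -1;
            memcpy(t->uri, sp1 + 1, ulen); t->uri[ulen] = '\0';
            memcpy(t->host, v, hlen);      t->host[hlen] = '\0';
            return 1;
        }
        line = le + 2;
    }
    return 0;
}

/* Feed one TCP payload chunk of a flow. Returns 1 when t->uri/t->host are ready,
 * 0 when nothing can be decided yet (or the chunk is not a request start), and
 * -1 when tracking was abandoned. The tracker resets after 1 or -1, so the next
 * request on a keep-alive connection is picked up again. */
int tracker_feed(struct http_tracker *t, const char *payload, size_t n)
{
    if (!t->tracking) {
        if (!looks_like_request(payload, n)) return 0;
        t->tracking = 1; t->len = 0;
    }
    if (t->len + n > sizeof t->buf) {                    /* oversized headers: stop tracking */
        t->tracking = 0; t->len = 0;
        return -1;
    }
    memcpy(t->buf + t->len, payload, n);
    t->len += n;
    int r = try_parse(t);
    if (r != 0) { t->tracking = 0; t->len = 0; }
    return r;
}

int main(void)
{   /* constructed payloads: the thread's two-packet case, then a keep-alive follow-up */
    const char *chunks[] = { "GET /ver_long_uri\r\n", "Host: ad-ware.domain\r\n\r\n",
                             "GET /next HTTP/1.1\r\nHost: example.invalid\r\n\r\n" };
    struct http_tracker t; tracker_init(&t);
    for (size_t i = 0; i < 3; i++)
        if (tracker_feed(&t, chunks[i], strlen(chunks[i])) == 1)
            printf("request: host=%s uri=%s\n", t.host, t.uri);
    return 0;
}
```

Whatever tracker_feed() returns, the caller still owes the kernel a verdict for that packet; the -1 case (a blank line before any Host header, as an HTTP/1.0 client may send, or headers larger than the buffer) is where a filter has to decide explicitly whether unknown-host requests pass or drop. As in the post, detection only fires on a segment that begins with a method token, so this is the minimal-reassembly trade-off Rayed chose, not a full TCP stream reassembler.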
From ethy.brito at inexo.com.br Thu May 3 20:45:20 2007
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Thu May 3 21:52:18 2007
Subject: conntrack and SIP
Message-ID: <20070503154520.70b8d52a@pulsar.inexo.com.br>

Hello

I have these two SIP clients behind two linux NATs. They both connect to the
same server.

On client 1 I have:

udp 17 174 src=192.168.0.201 dst=X.X.X.X sport=5060 dport=5060 src=X.X.X.X dst=Y.Y.Y.Y sport=5060 dport=5060 [ASSURED] use=1

Note that the sport and dport were not changed from in and out.

But on client 2:

udp 17 171 src=10.172.40.118 dst=X.X.X.X sport=5060 dport=5060 src=X.X.X.X dst=Z.Z.Z.Z sport=5060 dport=1024 [ASSURED] use=1

What could cause the change in dport?? I have no SNAT or DNAT rules in any
of them.

Is there a way to copy the client 1 behavior to client 2?

Client 1 is iptables version 1.3.3 and kernel 2.4.33
Client 2 is iptables version 1.3.5 and kernel 2.4.33.3

--
Ethy H. Brito            InterNexo Ltda.
+55 (12) 3797-6860       S.J.Campos - Brasil
ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
From m at rtij.nl Thu May 3 21:31:41 2007
From: m at rtij.nl (Martijn Lievaart)
Date: Thu May 3 22:32:54 2007
Subject: Proxy arping
In-Reply-To: <4BE2588D-6B2F-4D89-A5DC-149A048545D6@paglayan.com>
References: <4BE2588D-6B2F-4D89-A5DC-149A048545D6@paglayan.com>
Message-ID: <463A389D.8050206@rtij.nl>

Andres Paglayan wrote:
> Hi,
>
> how can I properly set proxy arping in a one to one mapped nat?
>
> I have a router with 192.168.1.0 on one side (our lan eth0) and
> 192.168.50.0 on the other (other lan eth2),
> plus an internet gateway (eth3)
>
> this is the routing table
>
> root@ipcop:~/scripts # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.50.0    *               255.255.255.0   U     0      0        0 eth2
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
> 65.19.28.0      *               255.255.255.0   U     0      0        0 eth3
> 172.22.0.0      *               255.255.254.0   U     0      0        0 eth2
> 172.16.2.0      *               255.255.254.0   U     0      0        0 eth2
> 172.16.0.0      *               255.255.254.0   U     0      0        0 eth2
> default         65.19.28.1      0.0.0.0         UG    0      0        0 eth3
>
>
> at the 50.0 side, I am routing traffic to other subnets as well, ie
> 172.16.2.0/23
>
> For the applications we are running, instead of regular natting,
> I am using the NETMAP target of iptables,
> which instead of making the packets appear as going out from 192.168.50.1
> maps them to addresses in 50.0/24
> i.e. when a packet goes from 192.168.1.5 to 172.16.2.34 traversing the
> 192.168.50.1 device
> the router mangles it and makes it appear as going out from
> 192.168.50.5 and then translates back
>
> everything goes fabulous, but I am having a problem with arping,
> arp questions addressed to 192.168.50.0/24 are not reaching my
> router's device,
>
> I have been reading and experimenting with this a bunch,
> echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp (and on eth0)
> on the proper device is set, but still not proxy arping,
>
>
> is there anybody with experience on this proxy arp issue?

The usual way is to add static arp entries.

# (untested code)
for i in `seq 2 254`
do
    arp -Ds 192.168.50.$i eth2 pub
done

HTH,
M4

From jengelh at linux01.gwdg.de Thu May 3 22:03:14 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu May 3 23:04:20 2007
Subject: Proxy arping
In-Reply-To: <463A389D.8050206@rtij.nl>
References: <4BE2588D-6B2F-4D89-A5DC-149A048545D6@paglayan.com> <463A389D.8050206@rtij.nl>

On May 3 2007 21:31, Martijn Lievaart wrote:
>
> The usual way is to add static arp entries.

Do that for a /16 and you're smelling the boundaries.

> # (untested code)
> for i in `seq 2 254`
> do
>     arp -Ds 192.168.50.$i eth2 pub
> done
>
> HTH,
> M4
>

Jan
--
From: cas12 at xentech.co.uk (cas12@xentech.co.uk)
Date: Fri May 4 00:26:42 2007
Subject: SIP and NAT conntrack or RTP streams
Message-ID:

Hi,

I'm having a problem with what I thought should be a simple SIP setup.

I have a system NATing a number of other systems, one of which is a VOIP phone. The UDP port 5060 stuff all works fine, but one of the RTP streams doesn't seem to get through the NAT/firewall.

What's interesting is that both the VOIP providers I've checked against seem to end up with the in and out RTP streams having different addresses. The audio RTP stream from the phone to the VOIP gateway goes to the same address as the port 5060 connection and uses the port numbers in the SIP INVITE. The return audio RTP data comes on the same ports but from a different IP address. I see the same behavior with soft and hard phones. If I move the phone to the outside (so it doesn't go through the NAT and firewall), it's all OK, so the VOIP service is not the problem.

Testing with an incoming call to the VOIP phone:

If I look at the /proc/net/nf_conntrack and nf_conntrack_expect files, I see the 5060 control connection OK. The INVITE arrives, the phone rings and an expect gets set for the outbound (i.e. phone to server) RTP stream to the same address as the port 5060 SIP connection, even though the INVITE o= and c= fields have the 'other' IP address.

172 l3proto = 2 proto=17 src= dst= sport=0 dport=18986

When I answer the phone, the expect entry is converted to a conntrack entry and packets flow outbound OK, but the conntrack remains [UNREPLIED], which seems reasonable. Inbound packets (which don't match that conntrack entry since they are from a different address) hit the outside of the NAT gateway and are dropped on the floor.

It seems like only one of the needed 2 expect entries is being created.

For inbound and outbound forwarding there are -m state --state RELATED,ESTABLISHED -j ACCEPT rules set up, and other services seem to get out OK.
As a test, I tried to use "conntrack -I" to manually set up another entry for the second stream. It did seem to match OK and counts the packets, but the packets still get dropped on the floor, so I presume I'm missing some magic to get the packets 'un-NATed'. Anyone got some examples for using "conntrack -I" to set up a NAT stream?

This is FC6 with the 2.6.20 kernel. Anyone seen similar problems?

Cheers
Clive

From mailinglists at lucassen.org Fri May 4 11:54:03 2007
From: mailinglists at lucassen.org (richard lucassen)
Date: Fri May 4 13:17:03 2007
Subject: conntrack: Operation failed: invalid parameters
Message-ID: <20070504115403.0f5c023d.mailinglists@lucassen.org>

When using the 2.6.16.x branch (which is still maintained) I get an error using conntrack:

# conntrack -L
Operation failed: invalid parameters

When using kernel 2.6.20.7 there's no problem. I'd like to use the kernel 2.6.16.x branch, but I cannot find the patch which resolves the above mentioned problem. Does anyone know which patch to apply to 2.6.16.x?

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From dardiration at yahoo.fr Fri May 4 13:09:27 2007
From: dardiration at yahoo.fr (Darmoul Ramzi)
Date: Fri May 4 20:16:16 2007
Subject: libipt_time.so
Message-ID: <683717.39696.qm@web26303.mail.ukl.yahoo.com>

I use Fedora 6.
I try to use iptables -m time but I have a problem with libipt_time.so.

Please help me, I am preparing a QoS project.

Best Regards

Darmoul Ramzi

From pandolphe at pandolphe-vision.net Fri May 4 21:03:21 2007
From: pandolphe at pandolphe-vision.net (Benjamin RIOU)
Date: Fri May 4 22:03:42 2007
Subject: libipt_time.so
In-Reply-To: <683717.39696.qm@web26303.mail.ukl.yahoo.com>
References: <683717.39696.qm@web26303.mail.ukl.yahoo.com>
Message-ID: <28c01a080705041203p74de7f41la760c91bae059c7b@mail.gmail.com>

On 04/05/07, Darmoul Ramzi wrote:
> I use Fedora 6
> I try to use iptables -m time but I have a problem with libipt_time.so.
>
> Please help me, I am preparing a QoS project.
>
> Best Regards
>
> Darmoul Ramzi
>

Hi.

This module isn't in the kernel by default. You have to download patch-o-matic and patch your kernel in order to have this function added.

As I think you're French, I explained how to do it in French (I'm unable to do that in English :D)

++
Ben

Hi,

The module is not in the kernel by default. You have to: download patch-o-matic from the netfilter site, patch your kernel sources, and recompile your kernel.

1) Get a recent patch-o-matic-ng archive (not the ones that are 46 bytes, they are empty).
2) Unpack the archive.
3) Run "./runme --download" to download the connlimit patch.
4) Run "./runme connlimit" to apply the connlimit patch to the kernel sources.
5) Configure the kernel to enable the connlimit match, built in or as a module.
6) Build and install the kernel.

I'm in the middle of doing this myself right now, actually.

If you don't want to bother, there is still cron to change your rules...

++
Ben

From kwallace at wallacecompany.com Fri May 4 21:35:08 2007
From: kwallace at wallacecompany.com (Kirk Wallace)
Date: Fri May 4 22:35:32 2007
Subject: Wireless Login Page
Message-ID: <1178307309.2896.63.camel@ws1.walco02.com>

On Wed, 2007-05-02 at 19:18 +0200, Michelle Konzack wrote:
> Hello Kirk and *,
>
> On 2007-04-28 11:43:27, Kirk Wallace wrote:
> > I was using 192.168.21.2 just to test whether httpd would respond to any
> > IP address sent on the 192.168.21.0/24 address space.
> >
> > I envision that a person would boot their wireless laptop and scan for
> > hotspots. They would see my hotspot and connect. Then my DHCP server
> > would give the laptop an IP address, subnet mask, gateway address, DNS1
> > and DNS2. Then the user would start firefox and try to open a link to
> > anywhere.com, but I have FORWARD denied to all but logged in users
> > (which have a tunnel IP address on another subnet). At this point, I
> > want the anywhere.com request to invoke the httpd on the wireless router
> > to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd
> > are on the same PC.
>
> This is exactly what I want to do too.
>
> But if the $CLIENT has gotten its DHCP IP address, then ANY
> connections (any ports except DNS and DHCP) must be blocked
> until the user has once started a web browser and authenticated.

If the above comment relates to restricting the wireless client's access to providing only a login, I do that by setting the policy for INPUT and OUTPUT to ACCEPT, then FORWARD to DROP. Then I add a rule to FORWARD to allow forwarding of the tunnel traffic. Users cannot get to the Internet without first logging in and being assigned a tunnel IP address. The wireless clients have access to all the open ports running locally on the wireless router.

> I was thinking that if the $USER opens a connection plus auth,
> the connection will be dropped for example 5 minutes after the
> last traffic going over the interface with the specified MAC/IP.

Currently, I allow my clients a full time connection.
In fact I have set them all up with an OpenWRT router with pptpd and a five minute ping from cron to keep the connection alive. I use the ifconfig data to record the tunnel traffic (ppp0, ppp1, ...) then cross reference this with the Radius data in order to bill based on a user's data volume.

> I have not found any examples of how to do this.
>
> Would you like to share your config?
>
> And especially how you have set up your "first-connect" page to auth?

Well, that's my problem, I don't have an authorization page yet. Currently, I have to pre-configure a client's router or PC to log in using pptp. I would like to have a client cruise for hotspots and if they find mine, then be able to connect themselves. My first goal is to just figure out how to get an opening page on a person's screen, after they have found my hotspot. After selecting my ssid, I am assuming that the client would have their PC set up to get the connection settings from DHCP. Then I am assuming that they would recognize that they have a valid connection and try to browse the Internet. At this point, I want the wireless router to detect the http request and reply to that request with my opening page instead. The more I am learning about this, the more I think that iptables is just part of the solution, but I don't yet know enough to realize what I need to know.

Below is my iptables related configuration so far.

~~~~~~~~~~
root@ls:~# cat /etc/rc.d/rc.local
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local setup commands in here:

# Fix iwconfig mode problem called from rc.wireless 20060927 KW
/usr/bin/wlanconfig ath0 destroy
/usr/bin/wlanconfig ath0 create wlandev wifi0 wlanmode Master
# rc.wireless seems to have a problem with essid and channel too 20060927 KW
/sbin/iwconfig ath0 essid walco04 channel 10

# Todo - make these autoload as normal rc files do
/etc/rc.d/rc.wlvpn_iptab
/etc/rc.d/rc.pptpd
/etc/rc.d/rc.radiusd
/etc/rc.d/rc.dhcpd
~~~~~~~~~~~~~~~
root@ls:~# cat /etc/rc.d/rc.wlvpn_iptab
#!/bin/sh
#
# wlvpn_iptab.sh - 20060926 KW
# Set IP tables to forward only wireless VPN traffic

wlvpn_iptab_start() {
  /usr/sbin/iptables -F
  /usr/sbin/iptables -t nat -F
  /usr/sbin/iptables -P INPUT ACCEPT
  /usr/sbin/iptables -P OUTPUT ACCEPT
  /usr/sbin/iptables -P FORWARD DROP
  /usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
  /usr/sbin/iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT
  /usr/sbin/iptables --table nat --append POSTROUTING \
    --out-interface eth0 --jump SNAT --to-source 192.168.12.7
  # Only the pptp tunnel subnet is forwarded; everything else stays
  # on the FORWARD DROP policy
  /usr/sbin/iptables -A FORWARD -s 192.168.123.0/24 -d 0/0 -j ACCEPT
  /usr/sbin/iptables -A FORWARD -s 0/0 -d 192.168.123.0/24 -j ACCEPT
}

# Stop VPN forwarding:
wlvpn_iptab_stop() {
  /usr/sbin/iptables -F
  /usr/sbin/iptables -t nat -F
  /usr/sbin/iptables -P INPUT ACCEPT
  /usr/sbin/iptables -P OUTPUT ACCEPT
  /usr/sbin/iptables -P FORWARD ACCEPT
  /usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
  /usr/sbin/iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT
  /usr/sbin/iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
}

# Restart IP packet forwarding:
wlvpn_iptab_restart() {
  wlvpn_iptab_stop
  sleep 1
  wlvpn_iptab_start
}

case "$1" in
'start')
  wlvpn_iptab_start
  ;;
'stop')
  wlvpn_iptab_stop
  ;;
'restart')
  wlvpn_iptab_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions. This may change to a 'usage' error someday.
  wlvpn_iptab_start
esac

> Greetings
> Michelle Konzack
> Systemadministrator
> Tamay Dogan Network
> Debian GNU/Linux Consultant
>

From tommy at svearike.sytes.net Fri May 4 22:01:21 2007
From: tommy at svearike.sytes.net (Tommy W)
Date: Fri May 4 23:01:47 2007
Subject: Simulating a "bad" connection.
Message-ID: <200705042201.21985.tommy@svearike.sytes.net>

Hi,
I was just wondering if someone knows of a good way to simulate a "bad" network?
I want high latency AND/OR high packet loss.

I was thinking along the lines of
iptables -I INPUT -m random --average 90 -j DROP

but then I get libipt_random.so doesn't exist.
I see that it is not included, how do you get it?

kernel: 2.6.16-rc5
iptables: 1.3.4

or is there some other more simple solution?

Thanks in advance
/Tommy

From jengelh at linux01.gwdg.de Fri May 4 23:05:08 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat May 5 00:05:46 2007
Subject: libipt_time.so
In-Reply-To: <683717.39696.qm@web26303.mail.ukl.yahoo.com>
References: <683717.39696.qm@web26303.mail.ukl.yahoo.com>
Message-ID:

On May 4 2007 11:09, Darmoul Ramzi wrote:
>
> I use Fedora 6
> I try to use iptables -m time but I have a problem with libipt_time.so.
>
> Please help me, I am preparing a QoS project.
>
> Best Regards
>
> Darmoul Ramzi
>

Unfortunately we cannot help you since you do not tell us what the problem is.

Jan
--

From jengelh at linux01.gwdg.de Fri May 4 23:11:29 2007
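For Kirk's "Wireless Login Page" question above (getting an opening page in front of a client that has only DHCP), the piece iptables can do is a REDIRECT of unauthenticated clients' port 80 traffic to the router's own httpd. The script below is an added example and not Kirk's configuration; it reuses his names (ath0, the 192.168.21.0/24 client range, the 192.168.123.0/24 pptp tunnel subnet) and assumes the login page is served on port 80 of the router. The allow/revoke functions are for Michelle's "drop after 5 minutes idle" model; with Kirk's pptp model they are not needed, because tunnelled traffic re-enters PREROUTING on a pppN interface and never hits an -i ath0 rule.

```shell
#!/bin/sh
# Captive-portal rules for the "Wireless Login Page" thread. Added
# example, not Kirk's script. Assumed names: wireless interface ath0,
# wireless clients in 192.168.21.0/24, pptp tunnel addresses in
# 192.168.123.0/24 (both appear in the thread), the router's httpd on
# port 80. Run as root; IPT=echo turns it into a dry run (used by the
# tests).
set -eu
IPT=${IPT:-iptables}
WLAN=${WLAN:-ath0}
CLIENTS=${CLIENTS:-192.168.21.0/24}
TUNNEL=${TUNNEL:-192.168.123.0/24}
PORTAL_PORT=${PORTAL_PORT:-80}

portal_setup() {
    # Same policy as rc.wlvpn_iptab: forward nothing except the tunnel
    # subnet. Encapsulated pptp traffic never matches the redirect
    # below, because after decapsulation it re-enters PREROUTING on
    # pppN, not on ath0.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -s "$TUNNEL" -j ACCEPT
    $IPT -A FORWARD -d "$TUNNEL" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Own nat chain so single clients can be exempted later.
    $IPT -t nat -N portal 2>/dev/null || $IPT -t nat -F portal
    $IPT -t nat -A PREROUTING -i "$WLAN" -s "$CLIENTS" -p tcp --dport 80 -j portal

    # Anything that reaches the end of the chain is an unauthenticated
    # client: its web request is redirected to the router's own httpd,
    # which serves the login page. Only port 80 is redirected; doing the
    # same to 443 just produces certificate warnings. DNS must keep
    # working (INPUT policy ACCEPT does that here), or the browser never
    # sends the HTTP request at all.
    $IPT -t nat -A portal -j REDIRECT --to-ports "$PORTAL_PORT"
}

# Called by the login handler once a client has authenticated: a RETURN
# at the top of the chain exempts that IP/MAC pair from the redirect.
# Caveat: both values are trivially spoofed on an open WLAN, which is
# why the thread keeps Internet access behind the pptp tunnel instead
# of trusting this exemption alone.
portal_allow() {
    $IPT -t nat -I portal 1 -s "$1" -m mac --mac-source "$2" -j RETURN
}

# Inverse of portal_allow, e.g. from a cron job implementing the
# "drop after 5 minutes idle" idea.
portal_revoke() {
    $IPT -t nat -D portal -s "$1" -m mac --mac-source "$2" -j RETURN
}

# Usage: sh portal.sh setup | allow IP MAC | revoke IP MAC
case "${1:-}" in
    setup)  portal_setup ;;
    allow)  portal_allow "$2" "$3" ;;
    revoke) portal_revoke "$2" "$3" ;;
esac
```

The redirect only produces a page if the router's httpd answers for any Host: header, which is what Kirk's earlier 192.168.21.2 test was checking.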
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Sat May 5 00:12:04 2007
Subject: Simulating a "bad" connection.
In-Reply-To: <200705042201.21985.tommy@svearike.sytes.net>
References: <200705042201.21985.tommy@svearike.sytes.net>
Message-ID:

On May 4 2007 22:01, Tommy W wrote:
> Hi,
> I was just wondering if someone knows of a good way to simulate a "bad"
> network?
> I want high latency AND/OR high packet loss.
>
> I was thinking along the lines of
> iptables -I INPUT -m random --average 90 -j DROP
>
> but then I get libipt_random.so doesn't exist.

-m statistic --mode random

It might not exist yet either.

> I see that it is not included, how do you get it?
>
> kernel: 2.6.16-rc5
> iptables: 1.3.4
>
> or is there some other more simple solution?
>
> Thanks in advance
> /Tommy
>

Jan
--

From tommy at svearike.sytes.net Fri May 4 23:42:26 2007
From: tommy at svearike.sytes.net (Tommy W)
Date: Sat May 5 00:42:49 2007
Subject: Simulating a "bad" connection.
In-Reply-To:
References: <200705042201.21985.tommy@svearike.sytes.net>
Message-ID: <200705042342.26764.tommy@svearike.sytes.net>

On Friday 04 May 2007 23:11, you wrote:
> On May 4 2007 22:01, Tommy W wrote:
> > Hi,
> > I was just wondering if someone knows of a good way to simulate a "bad"
> > network?
> > I want high latency AND/OR high packet loss.
> >
> > I was thinking along the lines of
> > iptables -I INPUT -m random --average 90 -j DROP
> >
> > but then I get libipt_random.so doesn't exist.
>
> -m statistic --mode random
>
> It might not exist yet either.

Thanks for the tip, although I did not have that either :\

Is it included in a newer version of netfilter/iptables?

/Tommy

From pascal.mail at plouf.fr.eu.org Fri May 4 23:55:40 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Sat May 5 00:56:29 2007
Subject: Simulating a "bad" connection.
In-Reply-To:
References: <200705042201.21985.tommy@svearike.sytes.net>
Message-ID: <463BABDC.6000106@plouf.fr.eu.org>

Hello,

Jan Engelhardt wrote:
>
> -m statistic --mode random
>
> It might not exist yet either.

Indeed. The 'statistic' match was included in kernel 2.6.18 and requires iptables >= 1.3.6.

>> kernel: 2.6.16-rc5
>> iptables: 1.3.4

The 'random' match is supported by iptables 1.3.4, but not by the standard kernel. It needs to be patched with the 'connlimit' patch which used to be included in the patch-o-matic-ng snapshots until patch-o-matic-ng-20060511. Unfortunately such old snapshots are not available on the Netfilter main server any more. They may still be available in some archives or mirrors out there. I think I kept a copy.

From pascal.mail at plouf.fr.eu.org Fri May 4 23:58:06 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Sat May 5 00:58:24 2007
Subject: Simulating a "bad" connection.
In-Reply-To: <463BABDC.6000106@plouf.fr.eu.org>
References: <200705042201.21985.tommy@svearike.sytes.net> <463BABDC.6000106@plouf.fr.eu.org>
Message-ID: <463BAC6E.8010909@plouf.fr.eu.org>

Pascal Hambourg wrote:
>
> The 'random' match is supported by iptables 1.3.4, but not by the
> standard kernel. It needs to be patched with the 'connlimit' patch

Dunno why I wrote 'connlimit'. I meant the 'random' patch of course.

From jsullivan at opensourcedevel.com Sat May 5 03:40:18 2007
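Both the libipt_time.so thread and the libipt_random.so thread above are the same diagnosis: a match extension needs a userspace plugin shipped with the iptables version installed and a kernel module (or built-in) of the same name, and the error message tells you which half is missing. The checker below is an added example, not something from the list; it assumes the iptables 1.3.x layout of plugins in /lib/iptables (1.4 and later also use libxt_*.so, which it accepts too) and that modules are listed in modules.dep. The LIBDIR and MODDIR variables exist only so the check can be pointed at test directories.

```shell
#!/bin/sh
# Check whether an iptables match extension (time, random, statistic...)
# is usable on this box. "libipt_NAME.so doesn't exist" means the
# userspace plugin is missing from the installed iptables; an error when
# the rule is loaded ("No chain/target/match by that name") means the
# kernel side (ipt_NAME / xt_NAME) is missing.
# Added example for the libipt_time / libipt_random threads; not code
# from the list. LIBDIR and MODDIR let tests point at fake directories.
set -eu

# Userspace side: the plugin iptables dlopen()s for "-m NAME".
# iptables 1.3.x keeps them in /lib/iptables (1.4+ also uses libxt_*).
have_userspace_match() {
    name=$1
    libdir=${LIBDIR:-/lib/iptables}
    [ -f "$libdir/libipt_$name.so" ] || [ -f "$libdir/libxt_$name.so" ]
}

# Kernel side: look for the module in modules.dep. A match compiled in
# (=y rather than =m) does not appear there, so also accept
# modules.builtin where the kernel provides it.
have_kernel_match() {
    name=$1
    moddir=${MODDIR:-/lib/modules/$(uname -r)}
    grep -qE "/(ipt|xt)_$name\.ko" "$moddir/modules.dep" 2>/dev/null ||
      grep -qE "/(ipt|xt)_$name\.ko" "$moddir/modules.builtin" 2>/dev/null
}

# Report both sides; returns 0 only when the match is fully usable.
check_match() {
    name=$1
    rc=0
    if have_userspace_match "$name"; then
        echo "$name: userspace plugin libipt_$name.so present"
    else
        echo "$name: userspace plugin missing (iptables too old, or built without it)"
        rc=1
    fi
    if have_kernel_match "$name"; then
        echo "$name: kernel module ipt_$name/xt_$name present"
    else
        echo "$name: kernel support missing (needs patch-o-matic-ng or a newer kernel)"
        rc=1
    fi
    return $rc
}

# Usage: sh chkmatch.sh time random statistic
for m in "$@"; do
    check_match "$m" || :
done
```

Run against the versions in the thread (iptables 1.3.4, kernel 2.6.16-rc5) this would report random as present in userspace but missing in the kernel, and statistic as missing on both sides, which is exactly Pascal's answer.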
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat May 5 04:40:40 2007
Subject: [OT] iptables and 802.1x authenticator
Message-ID: <1178329218.8026.0.camel@localhost>

Hello, all. Does anyone know of an open source Linux 802.1x authenticator? I see XSupplicant for the supplicant and FreeRADIUS for the authentication server but I can't seem to find an authenticator.

We've been toying with combining iptables with the ISCS network management project (http://iscs.sourceforge.net) and 802.1x. If we can do what we think we can do, the results should be quite stunning. We should be able to create true, perimeterless network security. That means we can stop LAN based worms dead in their tracks, foil ARP poisoning attacks and other nefarious activities -- all without end point clients (not that we have anything against end point clients).

I'm in the prototype building stage and hence the need for a testbed 802.1x implementation. So, if you can kindly point me in the right direction, I'd greatly appreciate it. Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

From blancher at cartel-securite.fr Sat May 5 08:48:09 2007
From: blancher at cartel-securite.fr (Cedric Blancher)
Date: Sat May 5 09:50:35 2007
Subject: [OT] iptables and 802.1x authenticator
In-Reply-To: <1178329218.8026.0.camel@localhost>
References: <1178329218.8026.0.camel@localhost>
Message-ID: <1178347689.2956.4.camel@localhost>

On Friday 04 May 2007 at 21:40 -0400, John A. Sullivan III wrote:
> Hello, all. Does anyone know of an open source Linux 802.1x
> authenticator? I see XSupplicant for the supplicant and FreeRADIUS for
> the authentication server but I can't seem to find an authenticator.

See hostapd: http://hostap.epitest.fi/hostapd/

I have never seen it implemented on wired networks... But it's the only 802.1x authenticator I know of.

--
http://sid.rstack.org/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

From jwinius at umrk.to Sat May 5 17:07:23 2007
From: jwinius at umrk.to (Jaap Winius)
Date: Sat May 5 18:07:56 2007
Subject: Advanced routing problem
Message-ID: <1178377643.463c9daba4959@www.umrk.to>

Hi all,

After having configured my first iptables firewall, it looks as though I've already found something it can't handle. Well, I hope not...

All was fine until a secondary external interface was added. I was hoping that I could configure the firewall to allow remote users to use either external interface to access a Windows server on a private net behind the firewall using VNC.

At first I couldn't access the firewall via the secondary external interface at all, because the firewall was routing its responses out its default route -- the primary external interface -- and the ISP was dropping those packets (hot potato routing). However, after installing the advanced routing package (iproute), I configured a second default route and solved that problem.

I then set out to adjust the firewall, thinking that all I'd need to do would be to duplicate some rules to accommodate the new interface (see rules below). However, that didn't work because, despite my efforts, the firewall loses track of where the packets come from and sends them out the primary external interface anyway.

Is there a way around this behavior (advanced DNAT or something), or is the only solution to use a public IP address for the server?

Any hints towards a solution would be appreciated.

Cheers,

Jaap Winius
The Netherlands

======================
# 192.168.13.2 is the Windows server.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5900 \
    -j DNAT --to-destination 192.168.13.2
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 5900 \
    -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.13.2 -i eth0 -o eth1 -p tcp \
    -m tcp --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.13.2 -i eth1 -o eth0 -p tcp \
    -m tcp --sport 5900 -m state --state ESTABLISHED -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 \
    -j DNAT --to-destination 192.168.13.2
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 1723 \
    -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.13.2 -i eth0 -o eth1 -p tcp \
    -m tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.13.2 -i eth1 -o eth0 -p tcp \
    -m tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p 47 \
    -j DNAT --to-destination 192.168.13.2
iptables -t filter -A FORWARD -d 192.168.13.2 -i eth0 -o eth1 -p 47 \
    -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.13.2 -i eth1 -o eth0 -p 47 \
    -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.13.2 -o eth0 -p 47 \
    -j MASQUERADE
======================

From scott at unixheads.com Sat May 5 17:15:49 2007
From: scott at unixheads.com (Scott)
Date: Sat May 5 18:16:21 2007
Subject: Rules review
Message-ID: <463C9FA5.4020203@unixheads.com>

I wanted to see if it would be proper to post my rules to this list to get comments on them. I am a bit rusty on IPTables :-)

Thanks!

Scott

From jsullivan at opensourcedevel.com Sat May 5 17:23:21 2007
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat May 5 18:23:48 2007
Subject: [OT] iptables and 802.1x authenticator
In-Reply-To: <1178347689.2956.4.camel@localhost>
References: <1178329218.8026.0.camel@localhost> <1178347689.2956.4.camel@localhost>
Message-ID: <1178378601.6574.3.camel@localhost>

On Sat, 2007-05-05 at 08:48 +0200, Cedric Blancher wrote:
> On Friday 04 May 2007 at 21:40 -0400, John A. Sullivan III wrote:
> > Hello, all. Does anyone know of an open source Linux 802.1x
> > authenticator? I see XSupplicant for the supplicant and FreeRADIUS for
> > the authentication server but I can't seem to find an authenticator.
>
> See hostapd: http://hostap.epitest.fi/hostapd/
>
> I have never seen it implemented on wired networks... But it's the only
> 802.1x authenticator I know of.
>
>

Thank you, Cedric. I looked at hostap but must have been brain cramping! Now I just need to see if we can create iptables rules based upon what the authentication server returns through the authenticator. If anyone has experience in doing that, please let me know. Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

From blancher at cartel-securite.fr Sat May 5 17:31:24 2007
From: blancher at cartel-securite.fr (Cedric Blancher)
Date: Sat May 5 18:32:22 2007
Subject: [OT] iptables and 802.1x authenticator
In-Reply-To: <1178378601.6574.3.camel@localhost>
References: <1178329218.8026.0.camel@localhost> <1178347689.2956.4.camel@localhost> <1178378601.6574.3.camel@localhost>
Message-ID: <1178379084.6720.11.camel@localhost>

On Saturday 05 May 2007 at 11:23 -0400, John A. Sullivan III wrote:
> Thank you, Cedric.

You're welcome.

> Now I just need to see if we can create iptables rules based upon what
> the authentication server returns through the authenticator. If anyone
> has experience in doing that, please let me know.

That would be great. You have to configure your RADIUS in order to push specific attributes linked to user identity, group, whatever, to the authenticator, which then does whatever is needed. I played a bit with the usual VLAN assignment on switches and access points. Each user is thus assigned a dedicated VLAN based on his identity when authenticated. Works great; it would be nice to have this in hostapd...

--
http://sid.rstack.org/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

From m at rtij.nl Sat May 5 17:47:36 2007
From: m at rtij.nl (Martijn Lievaart)
Date: Sat May 5 18:48:58 2007
Subject: Advanced routing problem
In-Reply-To: <1178377643.463c9daba4959@www.umrk.to>
References: <1178377643.463c9daba4959@www.umrk.to>
Message-ID: <463CA718.4060509@rtij.nl>

Jaap Winius wrote:
> Hi all,
>

Ha Jaap,

> After having configured my first iptables firewall, it looks as though
> I've already found something it can't handle. Well, I hope not...
>
> All was fine until a secondary external interface was added. I was
> hoping that I could configure the firewall to allow remote users to use
> either external interface to access a Windows server on a private net
> behind the firewall using VNC.
>
> At first I couldn't access the firewall via the secondary external
> interface at all, because the firewall was routing its responses out
> its default route -- the primary external interface -- and the ISP was
> dropping those packets (hot potato routing). However, after installing
> the advanced routing package (iproute), I configured a second default
> route and solved that problem.
>

That's strange. That means you have some very funny routing. You'd better explain how your routing is set up. Also post the output of 'ip ro'.

M4

From m at rtij.nl Sat May 5 17:51:44 2007
From: m at rtij.nl (Martijn Lievaart)
Date: Sat May 5 18:52:08 2007
Subject: Rules review
In-Reply-To: <463C9FA5.4020203@unixheads.com>
References: <463C9FA5.4020203@unixheads.com>
Message-ID: <463CA810.8020804@rtij.nl>

Scott wrote:
> I wanted to see if it would be proper to post my rules to this list to
> get comments on them. I am a bit rusty on IPTables :-)

Well, yes and no. If your ruleset is a mess without comments, it probably will not be reviewed. If it is large, make doubly sure it is readable.

Otherwise, as long as such requests don't swamp the list (which they don't) it's fine with me (others may disagree). As an added bonus, discussing rulesets may give all mailing list participants additional insights on how to set up rulesets, so I welcome such reviews once in a while.

HTH,
M4

From lists at andyfurniss.entadsl.com Sat May 5 21:07:28 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat May 5 22:07:38 2007
Subject: Simulating a "bad" connection.
In-Reply-To: <200705042201.21985.tommy@svearike.sytes.net>
References: <200705042201.21985.tommy@svearike.sytes.net>
Message-ID: <463CD5F0.8090904@andyfurniss.entadsl.com>

Tommy W wrote:
> Hi,
> I was just wondering if someone knows of a good way to simulate a "bad"
> network?
> I want high latency AND/OR high packet loss.
>
> I was thinking along the lines of
> iptables -I INPUT -m random --average 90 -j DROP
>
> but then I get libipt_random.so doesn't exist.
> I see that it is not included, how do you get it?
>
> kernel: 2.6.16-rc5
> iptables: 1.3.4
>
> or is there some other more simple solution?
>
> Thanks in advance
> /Tommy
>
>

http://linux-net.osdl.org/index.php/Netem

Is in kernel.

Andy.

From jwinius at umrk.to Sat May 5 21:12:13 2007
From: jwinius at umrk.to (Jaap Winius)
Date: Sat May 5 22:12:36 2007
Subject: Advanced routing problem
In-Reply-To: <463CA718.4060509@rtij.nl>
References: <1178377643.463c9daba4959@www.umrk.to> <463CA718.4060509@rtij.nl>
Message-ID: <1178392333.463cd70d4571a@www.umrk.to>

Quoting Martijn Lievaart:

(nice website, interesting hobby)

> That's strange. That means you have some very funny routing. You'd
> better explain how your routing is set up. Also post the output of
> 'ip ro'.

Here's the output from 'ip ro':

196.190.250.17 dev ppp0  proto kernel  scope link  src 63.58.236.234
88.215.195.176/29 dev eth0  proto kernel  scope link  src 88.215.195.178
63.58.50.0/25 via 63.58.236.234 dev ppp0  scope link
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.14.0/24 dev eth2  proto kernel  scope link  src 192.168.14.1
192.168.13.0/24 dev eth1  proto kernel  scope link  src 192.168.13.1
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.100
default via 88.215.195.177 dev eth0

The route to 63.58.50.0/25 is to make some of that ISP's servers available, including an SMTP relay that would not be accessible any other way.

The second routing table, secnet, has only one line:

default via 63.58.236.234 dev ppp0

The output of 'ip rule' looks like this:

0:      from all lookup local
1000:   from 63.58.236.234 lookup secnet
32766:  from all lookup main
32767:  from all lookup default

Interfaces:

eth0 -- Primary external interface.
        address 88.215.195.178
        netmask 255.255.255.248
        gateway 88.215.195.177

eth0:0 -- Priv. net behind the prim. external interface's ADSL modem.
        address 192.168.1.1
        netmask 255.255.255.0

eth0:1 -- Priv. net behind the sec. external interface's ADSL modem.
        address 10.0.0.100
        netmask 255.0.0.0

eth1 -- Internal segment (UTP)
        address 192.168.13.1
        netmask 255.255.255.0

eth2 -- Internal segment (wireless)
        address 192.168.14.1
        netmask 255.255.255.0

ppp0 -- Secondary external interface.
        address 63.58.236.234
        netmask 255.255.255.255
        P-t-P: 196.190.250.17

A diagram of the network:

                The Internet
                /          \
               /            \
              |              |
          Sec. ADSL      Prim. ADSL
            modem-----------modem
                           /  |
                          /   | eth0
                   ttyS0 /    |
              -------------Firewall-------------
              | eth1                     eth2 |
              |                               |
       Ethernet switch------Workstation   Wireless
              |                            Access
        Windows Server                      Point

The secondary ADSL modem has only one Ethernet interface, while the firewall (a little Soekris box) has only one interface available for Internet connectivity. However, the primary ADSL modem has a built-in Ethernet switch, and since the secondary Internet connection uses PPtP anyway, I connected it to the primary ADSL modem's switch so that I could get to it from the firewall.

The secondary ADSL modem is part of a cheap-o consumer subscription that the client did not want to part with. It was there before I became responsible for the system, so I thought I might be able to put it to good use this way -- it gives the remote users an alternative access route in case the primary external interface goes down.

The primary ADSL modem is part of a business subscription. The ISP doesn't allow its clients to fiddle with the modem's configuration, so I wouldn't have recommended it, but this subscription had been requested by the client before I arrived on the scene. Anyway, I fixed the situation by asking for a public IP address for the firewall and was given 87.215.195.176/29, which allows me to bypass their modem.

Did I leave anything out? If so, just ask and I'll post it ASAP.

Thanks very much for your help!

Cheers,

Jaap

From tommy at svearike.sytes.net Sun May 6 13:00:29 2007
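The "Advanced routing problem" thread above ends with Jaap's routing tables, and those tables show why the replies leave through eth0: the `from 63.58.236.234 lookup secnet` rule only matches packets whose source is the ppp0 address, but a reply from the Windows server is routed while its source is still 192.168.13.2 (the reverse DNAT happens after the routing decision), so it falls through to the main table and its default via eth0. The usual answer is to remember on the connection which uplink it arrived on and to route replies by that mark. The script below is an added example and not Jaap's rules; it uses his interface names, server address and the secnet table, and assumes CONNMARK and CONFIG_IP_ROUTE_FWMARK are available in the kernel.

```shell
#!/bin/sh
# Reply routing for DNAT through two uplinks, for the "Advanced routing
# problem" thread. Added example, not Jaap's rules. Uses the names from
# the thread: eth0 (primary uplink, default route), ppp0 (secondary
# uplink, routing table "secnet"), eth1 (server segment), 192.168.13.2
# (the Windows server). Assumes the kernel has CONNMARK and
# CONFIG_IP_ROUTE_FWMARK, and that table secnet already holds
# "default via 63.58.236.234 dev ppp0". Run as root; IPT=echo and
# IP=echo make it a dry run (used by the tests).
set -eu
IPT=${IPT:-iptables}
IP=${IP:-ip}
SERVER=192.168.13.2
SECMARK=2          # fwmark for connections that entered via ppp0

# The route lookup for a reply from the server happens before the
# reverse DNAT, so the packet still has source 192.168.13.2 at that
# point and "from 63.58.236.234 lookup secnet" never matches it.
# A mark stored on the connection and restored onto every packet
# survives that.
policy_routing() {
    $IP rule add fwmark $SECMARK lookup secnet priority 900
    $IP route flush cache
}

mark_by_ingress() {
    # new connections arriving on ppp0 get the mark stored in conntrack
    $IPT -t mangle -A PREROUTING -i ppp0 -m state --state NEW \
         -j CONNMARK --set-mark $SECMARK
    # every packet from the server side gets its connection's mark back
    # before routing; for eth0 connections that is mark 0 = main table
    $IPT -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
}

# Forward one TCP port from both uplinks to the server (same pattern as
# the original post, now for both interfaces).
publish_tcp() {
    port=$1
    for ext in eth0 ppp0; do
        $IPT -t nat -A PREROUTING -i $ext -p tcp --dport "$port" \
             -j DNAT --to-destination $SERVER
        $IPT -A FORWARD -i $ext -o eth1 -d $SERVER -p tcp --dport "$port" \
             -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A FORWARD -i eth1 -o $ext -s $SERVER -p tcp --sport "$port" \
             -m state --state ESTABLISHED -j ACCEPT
    done
}

# GRE for PPTP, same shape but without ports.
publish_gre() {
    for ext in eth0 ppp0; do
        $IPT -t nat -A PREROUTING -i $ext -p 47 -j DNAT --to-destination $SERVER
        $IPT -A FORWARD -i $ext -o eth1 -d $SERVER -p 47 -j ACCEPT
        $IPT -A FORWARD -i eth1 -o $ext -s $SERVER -p 47 -j ACCEPT
    done
}

# Usage: sh dualwan-dnat.sh apply
if [ "${1:-}" = apply ]; then
    policy_routing
    mark_by_ingress
    publish_tcp 5900     # VNC
    publish_tcp 1723     # PPTP control
    publish_gre
fi
```

A quick check after applying: `conntrack -L` (or /proc/net/ip_conntrack) shows `mark=2` on connections that came in via ppp0, and `ip rule` lists the fwmark rule ahead of the existing `from 63.58.236.234` one.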
From: tommy at svearike.sytes.net (Tommy W)
Date: Sun May 6 14:03:19 2007
Subject: Simulating a "bad" connection.
In-Reply-To: <463CD5F0.8090904@andyfurniss.entadsl.com>
References: <200705042201.21985.tommy@svearike.sytes.net> <463CD5F0.8090904@andyfurniss.entadsl.com>
Message-ID: <200705061300.29733.tommy@svearike.sytes.net>

On Saturday 05 May 2007 21:07, Andy Furniss wrote:
> Tommy W wrote:
> > Hi,
> > I was just wondering if someone knows of a good way to simulate a "bad"
> > network?
> > I want high latency AND/OR high packet loss.
> >
> > I was thinking along the lines of
> > iptables -I INPUT -m random --average 90 -j DROP
> >
> > but then I get libipt_random.so doesn't exist.
> > I see that it is not included, how do you get it?
> >
> > kernel: 2.6.16-rc5
> > iptables: 1.3.4
> >
> > or is there some other more simple solution?
> >
> > Thanks in advance
> > /Tommy
>
> http://linux-net.osdl.org/index.php/Netem
>
> Is in kernel.

Thanks, this looks a lot like what I'm looking for, and that it's already included in my kernel is a real plus.

/Tommy

From ethy.brito at inexo.com.br Sun May 6 16:54:26 2007
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Sun May 6 17:52:06 2007
Subject: Fw: conntrack and SIP
Message-ID: <20070506115426.79246333@babalu.inexo.com.br>

Hello

I posted this a few days ago and got no answers.
Can anyone point me in some direction?

Regards

Ethy

Begin forwarded message:

Date: Thu, 3 May 2007 15:45:20 -0300
From: "Ethy H. Brito"
To: netfilter@lists.netfilter.org
Subject: conntrack and SIP

Hello

I have these two SIP clients behind two Linux NATs. They both connect to the same server.

On client 1 I have:

udp      17 174 src=192.168.0.201 dst=X.X.X.X sport=5060 dport=5060 src=X.X.X.X dst=Y.Y.Y.Y sport=5060 dport=5060 [ASSURED] use=1

Note that the sport and dport were not changed between in and out.

But on client 2:

udp      17 171 src=10.172.40.118 dst=X.X.X.X sport=5060 dport=5060 src=X.X.X.X dst=Z.Z.Z.Z sport=5060 dport=1024 [ASSURED] use=1

What could cause the change in dport?? I have no SNAT or DNAT rules in either of them.

Is there a way to copy the client 1 behavior to client 2?

Client 1 is iptables version 1.3.3 and kernel 2.4.33
Client 2 is iptables version 1.3.5 and kernel 2.4.33.3

--
Ethy H. Brito                                   /"\
InterNexo Ltda.                                 \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3797-6860                               X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil                             / \

From pablo at netfilter.org Mon May 7 02:39:22 2007
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon May 7 03:38:01 2007
Subject: [ANNOUNCE] Netfilter Workshop 2007 in Karlsruhe, Germany
Message-ID: <463E753A.4060300@netfilter.org>

= Overview =

Following the latest successful workshop in Sevilla, Andalusia, Spain in September 2005, we are happy to announce the next edition in the workshop series. This year the event will be hosted in Karlsruhe, Germany from October 11th to 14th, 2007. For more information, please visit the official website of the workshop [1].

= Attendance =

The attendance is free but requires an invitation. You may consider attending if you are involved in any aspect of the Netfilter development. Please send us an email to coreteam@netfilter.org before July 7th, 2007 (strict deadline). We have a very limited number of invitations!

= Call for Participants =

Are you involved in any awesome third party Netfilter related project? If your answer is yes then you have a chance to come and show us your project during the workshop days. In case you are interested, please send us a fast abstract before July 7th, 2007 (strict deadline) to coreteam@netfilter.org in LaTeX, DocBook or ODT format. The abstract must have 1000 words maximum, providing an introduction, targets, solution proposed and experimental results if any. You must also provide the source code under a GPL-compatible free software license. The source code requirement is mandatory.

The program committee will select two candidates from all applications received whose travel and accommodation expenses will be funded by our sponsors.

Pablo, on behalf of the Netfilter core team

[1] http://workshop.netfilter.org/2007/

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

From pablo at netfilter.org Mon May 7 02:47:04 2007
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Mon May 7 03:45:26 2007
Subject: [ANNOUNCE] Netfilter Workshop 2007 in Karlsruhe, Germany
In-Reply-To: <463E753A.4060300@netfilter.org>
References: <463E753A.4060300@netfilter.org>
Message-ID: <463E7708.5020002@netfilter.org>

Pablo Neira Ayuso wrote:
> = Overview =
>
> Following the latest successful workshop in Sevilla, Andalusia, Spain
> in September 2005, we are happy to announce the next edition in the
> workshop series. This year the event will be hosted in Karlsruhe,
> Germany from October 11th to 14th, 2007. For more information, please
> visit the official website of the workshop [1].

Wrong dates, sorry. I meant from September 11th to 14th, 2007.

[1] http://workshop.netfilter.org/2007/

From Pieter.DeWit at vodacom.co.za Mon May 7 17:54:37 2007
From: Pieter.DeWit at vodacom.co.za (Pieter De Wit)
Date: Mon May 7 18:55:12 2007
Subject: DNAT and local hosts

Hello Guys,

I have the following setup:

C1 --.
     |
     |-FW--- internet
     |
C2 --'

Ok - for this email, I will give C1 192.168.0.10 and C2 192.168.0.11. The Firewall (FW) has two ethernet connections, eth0 and eth1. eth1 is connected to an ADSL modem in bridged mode, which creates ppp0. Let's say for this email, ppp0 gets 1.2.3.4.

Now, all connections are routed out via FW:ppp0 and are NAT'ed. There is a rule that allows connections to ppp0 on port 1234 and DNATs them to C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection refused" since there is no "server" listening on the firewall's ppp0, port 1234.

How can I solve this? I need FW to DNAT "local/C2" connections back to C1.

Thanks,

Pieter

"This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp"

From jengelh at linux01.gwdg.de Mon May 7 18:01:53 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Mon May 7 19:02:46 2007
Subject: DNAT and local hosts

On May 7 2007 17:54, Pieter De Wit wrote:
>
> Now, all connections are routed out via FW:ppp0 and are NAT'ed. There is
> a rule that allows connections to ppp0 on port 1234 and DNATs them to
> C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
> refused" since there is no "server" listening on the firewall's
> ppp0, port 1234.

*BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.

Jan
-- 

From Pieter.DeWit at vodacom.co.za Mon May 7 21:54:43 2007
From: Pieter.DeWit at vodacom.co.za (Pieter De Wit)
Date: Mon May 7 22:56:29 2007
Subject: DNAT and local hosts

*BEEP* *BUZZ* I know - but it's for a closed source app that I need to do this - and it takes the address from the server, the protocol doesn't carry it :)

-----Original Message-----
From: Jan Engelhardt [mailto:jengelh@linux01.gwdg.de]
Sent: Mon 2007/05/07 18:01
To: Pieter De Wit
Cc: netfilter@lists.netfilter.org
Subject: Re: DNAT and local hosts

On May 7 2007 17:54, Pieter De Wit wrote:
>
> Now, all connections are routed out via FW:ppp0 and are NAT'ed. There is
> a rule that allows connections to ppp0 on port 1234 and DNATs them to
> C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
> refused" since there is no "server" listening on the firewall's
> ppp0, port 1234.

*BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.

Jan
-- 

From spoons at rchq.co.za Tue May 8 08:05:05 2007
From: spoons at rchq.co.za (Ray Leach)
Date: Tue May 8 09:06:41 2007
Subject: DNAT and local hosts
Message-ID: <46401311.2000507@rchq.co.za>

Pieter De Wit wrote:
> *BEEP* *BUZZ* I know - but it's for a closed source app that I need to do this - and it takes the address from the server, the protocol doesn't carry it :)
>
> -----Original Message-----
> From: Jan Engelhardt [mailto:jengelh@linux01.gwdg.de]
> Sent: Mon 2007/05/07 18:01
> To: Pieter De Wit
> Cc: netfilter@lists.netfilter.org
> Subject: Re: DNAT and local hosts
>
> On May 7 2007 17:54, Pieter De Wit wrote:
>> Now, all connections are routed out via FW:ppp0 and are NAT'ed. There is
>> a rule that allows connections to ppp0 on port 1234 and DNATs them to
>> C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
>> refused" since there is no "server" listening on the firewall's
>> ppp0, port 1234.
>
> *BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.
>
> Jan

There is no routing between C1 and C2, so your firewall never sees the traffic between the 2.

Put C1 and C2 on two separate physical networks and connect them through the firewall to get routing to happen, then you can use iptables to do NATing between them.

Else put two interfaces into your firewall, give each interface an IP address in the same subnet, configure bridging between the two, put C1 on the end of one interface and C2 on the other if, then look into ebtables.

From Pieter.DeWit at vodacom.co.za Tue May 8 08:09:52 2007
From: Pieter.DeWit at vodacom.co.za (Pieter De Wit)
Date: Tue May 8 09:10:52 2007
Subject: DNAT and local hosts
In-Reply-To: <46401311.2000507@rchq.co.za>
References: <46401311.2000507@rchq.co.za>

Thought so - the other way is to run portfwd and use it to forward the port "back to C1" - it would have helped if they had an input chain on -t nat :)

Thanks anyway

-----Original Message-----
From: Ray Leach [mailto:spoons@rchq.co.za]
Sent: 2007/05/08 08:05
To: Pieter De Wit
Cc: Jan Engelhardt; netfilter@lists.netfilter.org
Subject: Re: DNAT and local hosts

Pieter De Wit wrote:
> *BEEP* *BUZZ* I know - but it's for a closed source app that I need to
> do this - and it takes the address from the server, the protocol
> doesn't carry it :)
>
> -----Original Message-----
> From: Jan Engelhardt [mailto:jengelh@linux01.gwdg.de]
> Sent: Mon 2007/05/07 18:01
> To: Pieter De Wit
> Cc: netfilter@lists.netfilter.org
> Subject: Re: DNAT and local hosts
>
> On May 7 2007 17:54, Pieter De Wit wrote:
>> Now, all connections are routed out via FW:ppp0 and are NAT'ed. There
>> is a rule that allows connections to ppp0 on port 1234 and DNATs
>> them to C1. When C2 makes a connection to 1.2.3.4:1234 it fails with
>> "Connection refused" since there is no "server" listening on the
>> firewall's ppp0, port 1234.
>
> *BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.
>
> Jan

There is no routing between C1 and C2, so your firewall never sees the traffic between the 2.

Put C1 and C2 on two separate physical networks and connect them through the firewall to get routing to happen, then you can use iptables to do NATing between them.

Else put two interfaces into your firewall, give each interface an IP address in the same subnet, configure bridging between the two, put C1 on the end of one interface and C2 on the other if, then look into ebtables.

From spoons at rchq.co.za Tue May 8 08:36:11 2007
From: spoons at rchq.co.za (Ray Leach)
Date: Tue May 8 09:37:50 2007
Subject: DNAT and local hosts
References: <46401311.2000507@rchq.co.za>
Message-ID: <46401A5B.6060205@rchq.co.za>

Pieter De Wit wrote:
> Thought so - the other way is to run portfwd and use it to forward the
> port "back to C1" - it would have helped if they had an input chain on
> -t nat :)
>
> Thanks anyway
>
> -----Original Message-----
> From: Ray Leach [mailto:spoons@rchq.co.za]
> Sent: 2007/05/08 08:05
> To: Pieter De Wit
> Cc: Jan Engelhardt; netfilter@lists.netfilter.org
> Subject: Re: DNAT and local hosts
>
> Pieter De Wit wrote:
>> *BEEP* *BUZZ* I know - but it's for a closed source app that I need to
>> do this - and it takes the address from the server, the protocol
>> doesn't carry it :)
>>
>> -----Original Message-----
>> From: Jan Engelhardt [mailto:jengelh@linux01.gwdg.de]
>> Sent: Mon 2007/05/07 18:01
>> To: Pieter De Wit
>> Cc: netfilter@lists.netfilter.org
>> Subject: Re: DNAT and local hosts
>>
>> On May 7 2007 17:54, Pieter De Wit wrote:
>>> Now, all connections are routed out via FW:ppp0 and are NAT'ed. There
>>> is a rule that allows connections to ppp0 on port 1234 and DNATs
>>> them to C1. When C2 makes a connection to 1.2.3.4:1234 it fails with
>>> "Connection refused" since there is no "server" listening on the
>>> firewall's ppp0, port 1234.
>>
>> *BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.
>>
>> Jan
>
> There is no routing between C1 and C2, so your firewall never sees the
> traffic between the 2.
>
> Put C1 and C2 on two separate physical networks and connect them through
> the firewall to get routing to happen, then you can use iptables to do
> NATing between them.
>
> Else put two interfaces into your firewall, give each interface an IP
> address in the same subnet, configure bridging between the two, put C1
> on the end of one interface and C2 on the other if, then look into
> ebtables.

INPUT on -t nat wouldn't help you here since the destination is not the firewall ...

From Pieter.DeWit at vodacom.co.za Tue May 8 08:38:37 2007
From: Pieter.DeWit at vodacom.co.za (Pieter De Wit)
Date: Tue May 8 09:41:08 2007
Subject: DNAT and local hosts
In-Reply-To: <46401A5B.6060205@rchq.co.za>
References: <46401311.2000507@rchq.co.za> <46401A5B.6060205@rchq.co.za>

It is... the destination is the ppp0 interface...

*snip*
INPUT on -t nat wouldn't help you here since the destination is not the firewall ...

From michael.ransburg at gmail.com Tue May 8 09:00:47 2007
From: michael.ransburg at gmail.com (Michael Ransburg)
Date: Tue May 8 10:01:28 2007
Subject: Handling queued packets?
Message-ID: <22b256140705080000g2da19b53ifdc18b5b1a91807b@mail.gmail.com>

Hi all,

I'm currently going through the netfilter documentation and I'm particularly interested in queuing packets in order to handle them in userspace. A few initial questions on this:

1) The docs frequently mention redirect.c as an example for handling the packets in userspace, which should be available in the test suite on CVS. I checked out all the modules from SVN but redirect.c seems not to be part of them. Can anyone give me a hint on this? Was redirect.c renamed to something else?

2) Will the packets which are received by the userspace application be defragmented already?

Any additional pointers to information on queuing packets and handling them in userspace would be very much appreciated.

Thanks so far,
Michael

-- 
icq: 71772353 | skype: daneel1409 | msn: mike@unfolded.com

From pascal.mail at plouf.fr.eu.org Tue May 8 10:34:30 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Tue May 8 11:35:11 2007
Subject: DNAT and local hosts
Message-ID: <46403616.60103@plouf.fr.eu.org>

Hello,

Pieter De Wit wrote:
>
> C1 --.
>      |
>      |-FW--- internet
>      |
> C2 --'
>
> Ok - for this email, I will give C1 192.168.0.10 and C2 192.168.0.11.
> The Firewall (FW) has two ethernet connections, eth0 and eth1. eth1 is
> connected to an ADSL modem in bridged mode, which creates ppp0. Let's say for
> this email, ppp0 gets 1.2.3.4.
>
> Now, all connections are routed out via FW:ppp0 and are NAT'ed. There is
> a rule that allows connections to ppp0 on port 1234 and DNATs them to
> C1. When C2 makes a connection to 1.2.3.4:1234 it fails with "Connection
> refused" since there is no "server" listening on the firewall's
> ppp0, port 1234.
>
> How can I solve this? I need FW to DNAT "local/C2" connections back to
> C1.

Here is the FGA (Frequently Given Answer) to your FAQ (Frequently Asked Question).

1) NAT the incoming connections on the LAN interface based on the destination address and port.
If ppp0 gets a different address at each PPP session, this rule must be created at the beginning (and deleted at the end) of the PPP session, for instance using the /etc/ppp/ip-up and /etc/ppp/ip-down scripts:

iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -p tcp --dport 1234 \
  -j DNAT --to-destination 192.168.0.10

2) Allow forwarded traffic from LAN to LAN, if blocked by default:

iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT

3) NAT or MASQUERADE the source address of the redirected connections, so the replies from C1 are routed back to the firewall and can be properly un-DNATed before they reach C2:

iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.10 \
  -p tcp --dport 1234 -j SNAT --to-source

or:

iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.10 \
  -p tcp --dport 1234 -j MASQUERADE

Note that if C2 runs Linux too, an alternative is to create a single DNAT rule on it in order to divert locally generated traffic sent to 1.2.3.4:1234:

iptables -t nat -A OUTPUT -d 1.2.3.4 -p tcp --dport 1234 \
  -j DNAT --to-destination 192.168.0.10

Note: there is no INPUT chain in the 'nat' table because it is traversed after the routing decision, so it is too late to change the destination.

From jsullivan at opensourcedevelopmentcorp.com Sat May 5 03:22:21 2007
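Pascal Hambourg's three-step answer above maps directly onto the /etc/ppp/ip-up and ip-down hooks he mentions. The script below is an added example, not code from the thread or from the netfilter project: the variable names LAN_IF, LAN_NET, SERVER, PORT and IPT are its own assumptions, it takes the MASQUERADE variant of step 3 (the SNAT address was never given in the thread) together with the "-s 192.168.0.0/24" restriction from Pascal's follow-up, and it narrows the FORWARD rule of step 2 to the redirected port rather than accepting all LAN-to-LAN traffic.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin-NAT rules for Pascal Hambourg's
# answer, installed from /etc/ppp/ip-up and removed again from /etc/ppp/ip-down.
# Assumed names: LAN_IF, LAN_NET, SERVER, PORT and IPT are this script's own.
set -eu

LAN_IF=${LAN_IF:-eth0}                # LAN side of the firewall
LAN_NET=${LAN_NET:-192.168.0.0/24}    # only LAN clients get masqueraded
SERVER=${SERVER:-192.168.0.10}        # C1, the DNAT target
PORT=${PORT:-1234}
IPT=${IPT:-iptables}                  # IPT=echo gives a dry run

# hairpin_rules ACTION WAN_IP
#   ACTION is -A (ip-up) or -D (ip-down); WAN_IP is the address ppp0 just got.
hairpin_rules() {
    action=$1
    wan_ip=$2
    # 1) LAN clients talking to the public address are redirected to C1.
    $IPT -t nat "$action" PREROUTING -i "$LAN_IF" -d "$wan_ip" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER"
    # 2) Let the redirected connection be forwarded back out the LAN interface
    #    (narrowed to the one port instead of a blanket LAN-to-LAN accept).
    $IPT "$action" FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER" \
        -p tcp --dport "$PORT" -j ACCEPT
    # 3) Masquerade only LAN sources so C1's replies return via the firewall
    #    and get un-DNATed; external clients keep their real source address.
    $IPT -t nat "$action" POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
        -p tcp --dport "$PORT" -j MASQUERADE
}

# pppd runs ip-up/ip-down as: ifname tty speed local-ip remote-ip ipparam,
# so the freshly negotiated public address is $4.  Nothing is applied when
# the script is sourced without arguments (e.g. for a dry run).
if [ "$#" -ge 4 ]; then
    case $0 in
        *ip-down) hairpin_rules -D "$4" ;;
        *)        hairpin_rules -A "$4" ;;
    esac
fi
```

Run it once with IPT=echo to see the exact rules before letting pppd invoke it; the ip-down path deletes precisely the rules ip-up added, so a renegotiated address never leaves a stale DNAT behind.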
From: jsullivan at opensourcedevelopmentcorp.com (John A. Sullivan III)
Date: Tue May 8 11:38:03 2007
Subject: [OT] iptables and 802.1x authenticator
Message-ID: <1178328141.7512.7.camel@localhost>

Hello, all. Does anyone know of an open source Linux 802.1x authenticator? I see XSupplicant for the supplicant and FreeRADIUS for the authentication server but I can't seem to find an authenticator.

We've been toying with combining iptables with the ISCS network management project (http://iscs.sourceforge.net) and 802.1x. If we can do what we think we can do, the results should be quite stunning. We should be able to create true, perimeterless network security. That means we can stop LAN based worms dead in their tracks, foil ARP poisoning attacks and other nefarious activities -- all without end point clients (not that we have anything against end point clients).

I'm in the prototype building stage and hence the need for a testbed 802.1x implementation. So, if you can kindly point me in the right direction, I'd greatly appreciate it. Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
From jengelh at linux01.gwdg.de Tue May 8 10:39:40 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue May 8 11:41:21 2007
Subject: DNAT and local hosts
References: <46401311.2000507@rchq.co.za> <46401A5B.6060205@rchq.co.za>

On May 8 2007 08:38, Pieter De Wit wrote:
>
> It is... the destination is the ppp0 interface...

But *only* for the first packet.

> *snip*
>
> INPUT on -t nat wouldn't help you here since the destination is not the
> firewall ...

Jan
-- 

From jengelh at linux01.gwdg.de Tue May 8 10:43:00 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue May 8 11:44:52 2007
Subject: DNAT and local hosts
In-Reply-To: <46401311.2000507@rchq.co.za>
References: <46401311.2000507@rchq.co.za>

On May 8 2007 08:05, Ray Leach wrote:
>> On May 7 2007 17:54, Pieter De Wit wrote:
>>> Now, all connections are routed out via FW:ppp0 and are NAT'ed. There
>>> is a rule that allows connections to ppp0 on port 1234 and DNATs them to
>>> C1. When C2 makes a connection to 1.2.3.4:1234 it fails with
>>> "Connection refused" since there is no "server" listening on the firewall's
>>> ppp0, port 1234.
>>
>> *BEEP* *BUZZ* *ERROR*. You have a direct connection between C1 and C2.
>
> There is no routing between C1 and C2, so your firewall never sees the traffic
> between the 2.
>
> Put C1 and C2 on two separate physical networks and connect them through the
> firewall to get routing to happen, then you can use iptables to do NATing
> between them.
>
> Else put two interfaces into your firewall, give each interface an IP address
> in the same subnet, configure bridging between the two, put C1 on the end of
> one interface and C2 on the other if, then look into ebtables.

Else always route to the gateway. As in...

@client:
* unconfigure the main interface
* redo it with `ip a a 192.168.2.100/32 peer 192.168.2.1`
  (the server keeps using 192.168.2.1/24)

(assuming 192.168.1.100 <-> 192.168.1.1/192.168.2.1 <-> 192.168.2.100)

Jan
-- 

From pascal.mail at plouf.fr.eu.org Tue May 8 11:03:34 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Tue May 8 12:04:15 2007
Subject: DNAT and local hosts
In-Reply-To: <46403616.60103@plouf.fr.eu.org>
References: <46403616.60103@plouf.fr.eu.org>
Message-ID: <46403CE6.5010700@plouf.fr.eu.org>

Pascal Hambourg wrote:
>
> 3) NAT or MASQUERADE the source address of the redirected connections,
> so the replies from C1 are routed back to the firewall and can be
> properly un-DNATed before they reach C2:
>
> iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.10 \
>   -p tcp --dport 1234 -j SNAT --to-source

Oops, I forgot "-s 192.168.0.0/24" in order to avoid unnecessarily hiding the source address of external connections to C2.

> or:
>
> iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.10 \
>   -p tcp --dport 1234 -j MASQUERADE

Same here.

From vishamr at gmail.com Tue May 8 12:45:20 2007
From: vishamr at gmail.com (Ramsurrun Visham)
Date: Tue May 8 13:46:01 2007
Subject: Unable to see entries in ip_conntrack file!!
Message-ID: <802220ef0705080345u7ac7890eq8e3f3435a8ca268e@mail.gmail.com>

Hi to all,

I'm trying to see the connections established on a firewall by looking at the contents of the file ip_conntrack by using this command:

cat /proc/net/ip_conntrack

The rules used on the firewall are:

iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.10.0/24 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I have chosen all the modules related to connection tracking in my 2.6.20.4 kernel on the firewall machine. I'm using iptables 1.3.7 and Fedora Core 5.

What might be going wrong?

Warm regards,
Visham

From jwinius at umrk.to Tue May 8 14:14:39 2007
From: jwinius at umrk.to (Jaap Winius)
Date: Tue May 8 15:15:32 2007
Subject: Advanced routing problem -- solution
In-Reply-To: <1178392333.463cd70d4571a@www.umrk.to>
References: <1178377643.463c9daba4959@www.umrk.to> <463CA718.4060509@rtij.nl> <1178392333.463cd70d4571a@www.umrk.to>
Message-ID: <1178626479.464069af18f07@www.umrk.to>

Hi all,

To recap, my problem was that I have a Windows server on a private net behind a firewall and a NAT that I want to make accessible to the world outside through two different Internet connections simultaneously. Usually, this is not possible because you have to make a choice with your default gateway. I discovered how to make a second default gateway by using advanced routing (iproute), which made it possible for me to ssh to the firewall via the second Internet connection. However, if requests via this connection were then forwarded on to the server, its responses were still being routed out the main default gateway, after which they would be dropped by the ISP.

The first step towards a solution was to define a second network, 192.168.15.0/24, on the UTP segment that the server was attached to. Luckily, Windows Server 2003 allows you to bind additional IP addresses to its interfaces. In this case, only the server and the firewall (via eth1) have addresses on this network.

The next step in my plan didn't work out. I wanted to use the firewall to mark certain packets coming in (into eth1) from this new network segment. I thought that this would do the trick:

iptables -t mangle -A PREROUTING -s 192.168.15.2 -i eth1 \
  -p tcp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -s 192.168.15.2 -i eth1 \
  -p 47 -j MARK --set-mark 0x1

(192.168.15.2 is the server). These marked packets would then be caught by iproute and routed according to my secondary routing table:

ip rule add fwmark 0x1 table secnet prio 990

I hoped that this would send them out via my secondary Internet gateway (ppp0), but it didn't work.
In theory, this kind of configuration will allow you to route your traffic by protocol (http via one gateway, smtp via another, etc.).

Anyway, the second half of my eventual solution had nothing to do with netfilter and everything to do with iproute. It's simple. Since all of the packets moving from 192.168.15.0/24 into the firewall are responses to requests that arrived via the secondary Internet connection (and should be sent back that way) anyway, I could use this one routing rule:

ip rule add from 192.168.15.0/24 lookup secnet prio 990

This may be less precise than marking the packets (perhaps also matching the protocol and state), but in my case this second approach will do and is probably more efficient.

Cheers,

Jaap

From hdemir at metu.edu.tr Tue May 8 13:23:19 2007
From: hdemir at metu.edu.tr (husnu demir)
Date: Tue May 8 18:18:23 2007
Subject: IPset and IPv6 support
Message-ID: <20070508112319.GA2953330@metu.edu.tr>

Hi,

Is there any thought on the IPv6 support?

hdemir.

From kadlec at blackhole.kfki.hu Tue May 8 20:59:33 2007
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Tue May 8 22:00:22 2007
Subject: IPset and IPv6 support
In-Reply-To: <20070508112319.GA2953330@metu.edu.tr>
References: <20070508112319.GA2953330@metu.edu.tr>

On Tue, 8 May 2007, husnu demir wrote:
> Is there any thought on the IPv6 support?

Yep, it's on my TODO list. At last it seems I'm going to have time to proceed...

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

From pascal.mail at plouf.fr.eu.org Tue May 8 21:26:13 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Tue May 8 22:27:03 2007
Subject: 'tcpmss' match for ip6tables ?
Message-ID: <4640CED5.7050301@plouf.fr.eu.org>

Hello,

I see with great pleasure that the 'TCPMSS' target for IPv6 has been added in the latest kernel and will be supported by the next ip6tables release. This will be useful for some people I know who have MTU trouble with PPPoE connections.

Now my question: are there similar plans for the 'tcpmss' match? I do not see support for it in the next ip6tables, although the kernel part has been moved to xtables.

From linuxsemi at gmail.com Tue May 8 22:17:54 2007
From: linuxsemi at gmail.com (semi linux)
Date: Tue May 8 23:18:40 2007
Subject: Two NICs, same network...

I've got an odd problem where I've got two NICs on the same network and I want all traffic to one IP to go out one interface and all other traffic to use the second interface. I'm going to try and simplify my actual setup, because a lot of it makes no difference to this post...

I know this has to be an iptables sort of setup since the routing table can only make a difference on different networks and not based on looking for a specific IP address.

The question is:

eth0 IP: 10.1.1.1
eth1 IP: 10.1.1.2

target: 10.1.1.3

(these IPs are just examples, there are no hard-fast rules surrounding the other possibilities)

How do I make sure this goes out eth1 instead of eth0? Do I use the mangle rule with the physdev module?

I feel like I'm overlooking something or forgetting my basic network ideas here...

- Gareth

From rgrimsha at syr.edu Tue May 8 22:25:21 2007
From: rgrimsha at syr.edu (Randall C Grimshaw)
Date: Tue May 8 23:26:13 2007
Subject: IPset included in distro
References: <20070508112319.GA2953330@metu.edu.tr>
Message-ID: <47A63D8907C4DE419BE33AEA2DF95BB31FBBAB@SUEXCL-02.ad.syr.edu>

Does anyone know of a mainstream distribution that does not require a custom kernel to use IPset? Is devil-linux approaching that class?

References: <20070508112319.GA2953330@metu.edu.tr> <47A63D8907C4DE419BE33AEA2DF95BB31FBBAB@SUEXCL-02.ad.syr.edu>
Message-ID: <1178656268.20039.1.camel@localhost>

Hi,

On Tuesday 08 May 2007 at 16:25 -0400, Randall C Grimshaw wrote:
> Does anyone know of a mainstream distribution that does not require a
> custom kernel to use IPset?

Mandriva is using Ipset for some of its tools: http://www.mandriva.com/

> Is devil-linux approaching that class?

I don't know.

BR,
-- 
Eric Leblond
INL

From david.lang at digitalinsight.com Tue May 8 21:56:21 2007
From: david.lang at digitalinsight.com (David Lang)
Date: Tue May 8 23:35:00 2007
Subject: Two NICs, same network...

On Tue, 8 May 2007, semi linux wrote:
> I've got an odd problem where I've got two NICs on the same network
> and I want all traffic to one IP to go out one interface and all other
> traffic to use the second interface. I'm going to try and simplify my
> actual setup, because a lot of it makes no difference to this post...
>
> I know this has to be an iptables sort of setup since the routing table
> can only make a difference on different networks and not based on
> looking for a specific IP address.
>
> The question is:
>
> eth0 IP: 10.1.1.1
> eth1 IP: 10.1.1.2
>
> target: 10.1.1.3
>
> (these IPs are just examples, there are no hard-fast rules surrounding
> the other possibilities)
>
> How do I make sure this goes out eth1 instead of eth0? Do I use the
> mangle rule with the physdev module?
>
> I feel like I'm overlooking something or forgetting my basic network
> ideas here...

You haven't quite given enough info here.

If you have target2 10.1.1.4 and you want all traffic to target to go out eth0 and all traffic to target2 to go out eth1, then you would want to start out with defining host routes (the routing table _can_ look at specific hosts, not just networks).

In addition, I believe that you will need to play around with arp filtering to make sure that each NIC only responds to arp requests for its IP addresses.

If you really only have one remote IP address and two local addresses and you want all communications between the target and 10.1.1.1 to use eth0 while all communications between the target and 10.1.1.2 to use eth1, things get more complicated.

You would need to look into packet/connection tagging and iptables routing decisions.

Rather than try and go into that right now, why don't you try to be a little clearer about exactly what you are trying to do.

David Lang

From linuxsemi at gmail.com Tue May 8 23:02:19 2007
From: linuxsemi at gmail.com (semi linux)
Date: Wed May 9 00:03:10 2007
Subject: Two NICs, same network...

On 5/8/07, David Lang wrote:
> On Tue, 8 May 2007, semi linux wrote:
>
> > I've got an odd problem where I've got two NICs on the same network
> > and I want all traffic to one IP to go out one interface and all other
> > traffic to use the second interface. I'm going to try and simplify my
> > actual setup, because a lot of it makes no difference to this post...
> >
> > I know this has to be an iptables sort of setup since the routing table
> > can only make a difference on different networks and not based on
> > looking for a specific IP address.
> >
> > The question is:
> >
> > eth0 IP: 10.1.1.1
> > eth1 IP: 10.1.1.2
> >
> > target: 10.1.1.3
> >
> > (these IPs are just examples, there are no hard-fast rules surrounding
> > the other possibilities)
> >
> > How do I make sure this goes out eth1 instead of eth0? Do I use the
> > mangle rule with the physdev module?
> >
> > I feel like I'm overlooking something or forgetting my basic network
> > ideas here...
>
> You haven't quite given enough info here.
>
> If you have target2 10.1.1.4 and you want all traffic to target to go out eth0
> and all traffic to target2 to go out eth1, then you would want to start out with
> defining host routes (the routing table _can_ look at specific hosts, not just
> networks).
>
> In addition, I believe that you will need to play around with arp filtering to
> make sure that each NIC only responds to arp requests for its IP addresses.
>
> If you really only have one remote IP address and two local addresses and you
> want all communications between the target and 10.1.1.1 to use eth0 while
> all communications between the target and 10.1.1.2 to use eth1, things get more
> complicated.
>
> You would need to look into packet/connection tagging and iptables routing
> decisions.
>
> Rather than try and go into that right now, why don't you try to be a little
> clearer about exactly what you are trying to do.
>
> David Lang

Ok... you asked for the whole thing, here it is (forget my previous example):

eth0 - 10.1.1.1
eth1 - N/A
eth2 - N/A
br0 (eth1, eth2) - 10.1.1.2
target - 10.1.1.3

The bridge (br0) is set up using brctl and seems to work w/o problem... The eth1 and eth2 IP addresses really don't matter since they are both referenced via the bridge and are set to something invalid. 10.1.1.3 is connected via cross-over cable to the eth2 port. br0 and eth0 are connected to my network on the same subnet.

What I'd like:
- all packets (from the network or local) where destination=10.1.1.3 to be routed to eth2.
- otherwise, all traffic from the network to use eth0 for I/O.

Basically, I want to specify that ONLY traffic for 10.1.1.3 is to use eth2.

From david.lang at digitalinsight.com Tue May 8 22:29:37 2007
From: david.lang at digitalinsight.com (David Lang) Date: Wed May 9 00:08:15 2007 Subject: Two NICs, same network... In-Reply-To: References: Message-ID:

On Tue, 8 May 2007, semi linux wrote:
> Ok... you asked for the whole thing, here it is (forget my previous example):
>
> eth0 - 10.1.1.1
> eth1 - N/A
> eth2 - N/A
> br0 (eth1, eth2) - 10.1.1.2
> target - 10.1.1.3
>
> The bridge (br0) is set up using brctl and seems to work w/o problem... The eth1 and eth2 IP addresses really don't matter since they are both referenced via the bridge and are set to something invalid. 10.1.1.3 is connected via cross-over cable to the eth2 port. br0 and eth0 are connected to my network on the same subnet.
>
> What I'd like:
> - all packets (from the network or local) where destination=10.1.1.3 to be routed to eth2.
> - otherwise, all traffic from the network to use eth0 for I/O.
>
> Basically, I want to specify that ONLY traffic for 10.1.1.3 is to use eth2.

I may be missing something, but this seems trivial.

Define br0 to include eth0 and add 10.1.1.1 to the bridge (br0:0 for example); then the normal bridging code will limit traffic out eth2 to stuff destined for 10.1.1.3 or stuff that the bridging code doesn't know where it goes.

If this isn't good enough you can use iptables to put additional filters on the bridge port (search for bridge + iptables and you should find lots of documentation on how to do this).

David Lang

From netfilter at bserved.nl Tue May 8 23:16:03 2007
From: netfilter at bserved.nl (Bas Verhoeven) Date: Wed May 9 00:24:27 2007 Subject: iptables NAT routing issues Message-ID: <4640E893.1010206@bserved.nl>

Hello,

We're having some problems with iptables, have been playing ~3 hours with this and I need some advice.

We want to 'forward' port 80 from one IP to another IP (other server), mainly to protect the webserver. One could say that you could use basic port forwarding for this, but as far as I know this also breaks the source IP for apache logs, etc. So we decided that we needed NATing.

On the 'outbound' server we're doing DNAT to the webserver, which seems to work fine (can see the packets in tcpdump on web), and on the webserver we do SNAT back to the 'original' (outbound server) IP the user connected to. The last part does not work though, the webserver still uses its own outgoing IP, and not the IP we specified. If I telnet to some host however, using the webserver source IP, it DOES rewrite the source address (and fails to connect, of course).

Tried various iptables commands on the servers:

OUTBOUND SERVER:

iptables -t nat -A PREROUTING -p tcp --dport 80 -d -j DNAT --to-destination :80

Note: We didn't touch this as it seems to work fine.

WEBSERVER:

Tried various, from the detailed:

iptables -t nat -A POSTROUTING -s -p tcp --sport 80 -j SNAT --to-source :80 -o eth0

To the 'should-be-catching-it-all':

iptables -t nat -A POSTROUTING -s -j SNAT --to-source

None of those seem to do the thing we want to do though.

Some advice would be very welcome.

Cheers,
Bas Verhoeven

From jengelh at linux01.gwdg.de Wed May 9 00:25:37 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed May 9 01:26:51 2007 Subject: iptables NAT routing issues In-Reply-To: <4640E893.1010206@bserved.nl> References: <4640E893.1010206@bserved.nl> Message-ID:

On May 8 2007 23:16, Bas Verhoeven wrote:
>
> OUTBOUND SERVER:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d -j DNAT --to-destination :80
>
> Note: We didn't touch this as it seems to work fine.
>
> WEBSERVER:

You do not need any rules here. The outbound server will do the translation in both directions.

> Tried various, from the detailed:
> iptables -t nat -A POSTROUTING -s -p tcp --sport 80 -j SNAT --to-source :80 -o eth0
>
> To the 'should-be-catching-it-all':
> iptables -t nat -A POSTROUTING -s -j SNAT --to-source
>
> None of those seem to do the thing we want to do though.
>
> Some advice would be very welcome.
>
> Cheers,
> Bas Verhoeven

Jan
--

From pascal.mail at plouf.fr.eu.org Wed May 9 00:33:52 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Wed May 9 01:34:39 2007 Subject: iptables NAT routing issues In-Reply-To: References: <4640E893.1010206@bserved.nl> Message-ID: <4640FAD0.9050301@plouf.fr.eu.org>

Hello,

Jan Engelhardt wrote:
> On May 8 2007 23:16, Bas Verhoeven wrote:
>
>> OUTBOUND SERVER:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -d -j DNAT --to-destination :80
>>
>> Note: We didn't touch this as it seems to work fine.
>>
>> WEBSERVER:
>
> You do not need any rules here. The outbound server will do the translation in both directions.

Assuming that the outbound server is the default gateway for the web server and receives the return traffic, of course.

From max at rfc2324.org Wed May 9 00:37:36 2007
From: max at rfc2324.org (Maximilian Wilhelm) Date: Wed May 9 01:38:22 2007 Subject: iptables NAT routing issues In-Reply-To: <4640E893.1010206@bserved.nl> References: <4640E893.1010206@bserved.nl> Message-ID: <20070508223736.GC23200@outback.rfc2324.org>

On Tuesday, 8 May, Bas Verhoeven typed the following:

Hi!

> We're having some problems with iptables, have been playing ~3 hours with this and I need some advice.
> We want to 'forward' port 80 from one IP to another IP (other server), mainly to protect the webserver. One could say that you could use basic port forwarding for this, but as far as I know this also breaks the source IP for apache logs, etc. So we decided that we needed NATing.
[...]
> OUTBOUND SERVER:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d -j DNAT --to-destination :80

That's fine. This will also make netfilter take care of the reply packets.

> Note: We didn't touch this as it seems to work fine.
>
> WEBSERVER:
[...]

There are no NAT rules needed here. All you have to accomplish is that the reply packets from WEBSERVER to $client are routed via OUTBOUND SERVER. I guess that's just true by the network architecture, e.g.

client network / inet <---> OUTBOUND SERVER <-> WEBSERVER

HTH

Ciao
Max
--
Follow the white penguin.

From jengelh at linux01.gwdg.de Wed May 9 00:37:59 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed May 9 01:39:15 2007 Subject: iptables NAT routing issues In-Reply-To: <4640FAD0.9050301@plouf.fr.eu.org> References: <4640E893.1010206@bserved.nl> <4640FAD0.9050301@plouf.fr.eu.org> Message-ID:

On May 9 2007 00:33, Pascal Hambourg wrote:
> Jan Engelhardt wrote:
>> On May 8 2007 23:16, Bas Verhoeven wrote:
>>
>> > OUTBOUND SERVER:
>> >
>> > iptables -t nat -A PREROUTING -p tcp --dport 80 -d -j DNAT --to-destination :80
>> >
>> > Note: We didn't touch this as it seems to work fine.
>> >
>> > WEBSERVER:
>>
>> You do not need any rules here. The outbound server will do the translation in both directions.
>
> Assuming that the outbound server is the default gateway for the web server and receives the return traffic, of course.

You'd be kinda screwed if that was not the case. Because the 'nat' table is only consulted for NEW connections afaics, the reply packets do _not_ get SNATed, since the _first_ packet was the TCP SYN, which makes the connection ESTABLISHED when input processing is done.

Jan
--

From scramatte at zensoluciones.com Wed May 9 00:39:12 2007
From: scramatte at zensoluciones.com (Sébastien CRAMATTE) Date: Wed May 9 01:39:38 2007 Subject: Two NICs, same network... In-Reply-To: References: Message-ID: <4640FC10.4090808@zensoluciones.com>

Why do you not investigate channel bonding?

semi linux wrote:
> On 5/8/07, David Lang wrote:
>> On Tue, 8 May 2007, semi linux wrote:
>>
>> > I've got an odd problem where I've got two NICs on the same network and I want all traffic to one IP to go out one interface and all other traffic to use the second interface. I'm going to try and simplify my actual setup, because a lot of it makes no difference to this post...
>> >
>> > I know this has to be an iptables sort of setup since the routing table can only make a difference on different networks and not based on looking for a specific IP address.
>> >
>> > The question is:
>> >
>> > eth0 IP: 10.1.1.1
>> > eth1 IP: 10.1.1.2
>> >
>> > target: 10.1.1.3
>> >
>> > (these IPs are just examples, there are no hard-fast rules surrounding the other possibilities)
>> >
>> > How do I make sure this goes out eth1 instead of eth0? Do I use the mangle rule with the physdev module?
>> >
>> > I feel like I'm overlooking something or forgetting my basic network ideas here...
>>
>> You haven't quite given enough info here.
>>
>> If you have target2 10.1.1.4 and you want all traffic to target to go out eth0 and all traffic to target2 to go out eth1, then you would want to start out with defining host routes (the routing table _can_ look at specific hosts, not just networks).
>>
>> In addition, I believe that you will need to play around with arp filtering to make sure that each NIC only responds to arp requests for its IP addresses.
>>
>> If you really only have one remote IP address and two local addresses and you want all communications between the target and 10.1.1.1 to use eth0 while all communications between the target and 10.1.1.2 to use eth1, things get more complicated.
>>
>> You would need to look into packet/connection tagging and iptables routing decisions.
>>
>> Rather than try and go into that right now, why don't you try to be a little clearer about exactly what you are trying to do.
>>
>> David Lang
>
> Ok... you asked for the whole thing, here it is (forget my previous example):
>
> eth0 - 10.1.1.1
> eth1 - N/A
> eth2 - N/A
> br0 (eth1, eth2) - 10.1.1.2
> target - 10.1.1.3
>
> The bridge (br0) is set up using brctl and seems to work w/o problem... The eth1 and eth2 IP addresses really don't matter since they are both referenced via the bridge and are set to something invalid. 10.1.1.3 is connected via cross-over cable to the eth2 port. br0 and eth0 are connected to my network on the same subnet.
>
> What I'd like:
> - all packets (from the network or local) where destination=10.1.1.3 to be routed to eth2.
> - otherwise, all traffic from the network to use eth0 for I/O.
>
> Basically, I want to specify that ONLY traffic for 10.1.1.3 is to use eth2.

--
ZEN SOLUCIONES - Be in XForms take your "Concentré"
Sébastien CRAMATTE
Plaza Sandoval, 5, piso 4b
30004 Murcia - ESPAÑA
Mobile : +34 627 66 52 83
Landline : +34 968 29 29 65
E-mail : scramatte@zensoluciones.com
Site : www.zensoluciones.com
Skype : scramatte
Msn : scramatte@hotmail.com
Jabber: scramatte@jabber.org
--
CONCENTRÉ xml enterprise grade framework http://concentre.zensoluciones.com
--
This e-mail is privileged and may contain confidential information intended only for the person(s) named above. If you receive this e-mail in error, please notify the sender immediately and delete it. E-mail and internet transmissions cannot guarantee privacy, integrity or correct reception. The sender will not be liable for any damages resulting.

From netfilter at bserved.nl Wed May 9 00:46:01 2007
From: netfilter at bserved.nl (Bas Verhoeven) Date: Wed May 9 01:46:27 2007 Subject: iptables NAT routing issues In-Reply-To: References: <4640E893.1010206@bserved.nl> <4640FAD0.9050301@plouf.fr.eu.org> Message-ID: <4640FDA9.5000706@bserved.nl>

Jan Engelhardt wrote:
>
>> Assuming that the outbound server is the default gateway for the web server and receives the return traffic, of course.
>
> You'd be kinda screwed if that was not the case. Because the 'nat' table is only consulted for NEW connections afaics, the reply packets do _not_ get SNATed, since the _first_ packet was the TCP SYN, which makes the connection ESTABLISHED when input processing is done.

The webserver has its own gateway, and that's not the outer box. You seem to be describing the exact problem I'm seeing in tcpdump; new connections get SNATed, 'forwarded' connections do not.

Is there really no solution for this?

Bas

From max at rfc2324.org Wed May 9 00:48:06 2007
From: max at rfc2324.org (Maximilian Wilhelm) Date: Wed May 9 01:48:51 2007 Subject: iptables NAT routing issues In-Reply-To: <4640FDA9.5000706@bserved.nl> References: <4640E893.1010206@bserved.nl> <4640FAD0.9050301@plouf.fr.eu.org> <4640FDA9.5000706@bserved.nl> Message-ID: <20070508224806.GD23200@outback.rfc2324.org>

On Wednesday, 9 May, Bas Verhoeven typed the following:

> Jan Engelhardt wrote:
> >
> >> Assuming that the outbound server is the default gateway for the web server and receives the return traffic, of course.
> >
> > You'd be kinda screwed if that was not the case. Because the 'nat' table is only consulted for NEW connections afaics, the reply packets do _not_ get SNATed, since the _first_ packet was the TCP SYN, which makes the connection ESTABLISHED when input processing is done.

> The webserver has its own gateway, and that's not the outer box. You seem to be describing the exact problem I'm seeing in tcpdump; new connections get SNATed, 'forwarded' connections do not.

> Is there really no solution for this?

The solution is to use OUTBOUND SERVER as default gateway or do the DNATing on the gateway.

Or stop DNATing and use "normal" rules to only allow traffic to WEBSERVER 80/tcp and reject the remaining traffic.

Ciao
Max
--
Follow the white penguin.

From pascal.mail at plouf.fr.eu.org Wed May 9 01:03:54 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Wed May 9 02:04:39 2007 Subject: iptables NAT routing issues In-Reply-To: <4640FDA9.5000706@bserved.nl> References: <4640E893.1010206@bserved.nl> <4640FAD0.9050301@plouf.fr.eu.org> <4640FDA9.5000706@bserved.nl> Message-ID: <464101DA.4070102@plouf.fr.eu.org>

Bas Verhoeven wrote:
>>
>>> Assuming that the outbound server is the default gateway for the web server and receives the return traffic, of course.
>>
>> You'd be kinda screwed if that was not the case.
>
> The webserver has its own gateway, and that's not the outer box.

Don't look further. Here is why it does not work.

> Is there really no solution for this?

Use the outer box as a gateway, if it is in the same network. You do not have to use it as the default gateway for all traffic but at least for the HTTP return traffic. This could be done with iptables and advanced routing on the web server, for instance using the source port 80 to MARK packets or using CONNMARK/connmark.

You could try to use the NOTRACK target on the web server in order to prevent the incoming SYN packets from creating a new connection, so the replies could be SNATed. But I would not bet a euro-cent on such a dirty method. If someone asks who suggested it, don't say it's me. ;-)

From omasnjak at gmail.com Wed May 9 12:27:48 2007
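Pascal's "MARK on source port 80" variant, worked out as an added example (this is not code from the thread or from any of its participants). It is run on WEBSERVER and makes only the replies of the web service take the path back through OUTBOUND SERVER, so the box holding the DNAT conntrack entry sees both directions of every connection (Jan's point above) while all other traffic keeps WEBSERVER's own default gateway; no nat rule is needed on WEBSERVER at all. Everything concrete is an assumption: OUTBOUND SERVER's inside address is 192.0.2.1, reached from WEBSERVER over eth0, and routing table 100 and fwmark 0x1 are unused.

```shell
#!/bin/sh
# Added example (not code from the thread): on WEBSERVER, send the replies of
# the web service back through OUTBOUND SERVER so that the DNAT box sees both
# directions of every connection, while all other traffic keeps WEBSERVER's
# own default gateway. Assumptions: OUTBOUND SERVER's inside address is
# 192.0.2.1, reached over eth0; routing table 100 and fwmark 0x1 are unused.
# Run with no arguments to print the commands; "up" and "down" apply them.

: "${DRY_RUN:=1}"

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = gateway (OUTBOUND SERVER), $2 = interface towards it,
# $3 = local TCP port whose replies must take that path.
setup_return_path() {
    gw=$1; dev=$2; port=$3
    # 1. Mark locally generated packets that are replies from the service.
    #    mangle/OUTPUT runs before the final routing decision for local
    #    packets, and a changed mark triggers a re-route, so the rule in
    #    step 2 is honoured for these packets only.
    run iptables -t mangle -A OUTPUT -p tcp --sport "$port" -j MARK --set-mark 0x1
    # 2. Marked packets consult table 100 instead of the main table.
    run ip rule add fwmark 0x1 lookup 100 priority 100
    # 3. Table 100 sends everything to the NAT box, even clients that the
    #    main table would reach through WEBSERVER's own gateway.
    run ip route add default via "$gw" dev "$dev" table 100
    run ip route flush cache
}

# Undo in reverse order.
teardown_return_path() {
    gw=$1; dev=$2; port=$3
    run ip route del default via "$gw" dev "$dev" table 100
    run ip rule del fwmark 0x1 lookup 100 priority 100
    run iptables -t mangle -D OUTPUT -p tcp --sport "$port" -j MARK --set-mark 0x1
}

case "${1:-show}" in
    show) setup_return_path 192.0.2.1 eth0 80 ;;
    up)   DRY_RUN=0; setup_return_path 192.0.2.1 eth0 80 ;;
    down) DRY_RUN=0; teardown_return_path 192.0.2.1 eth0 80 ;;
    *)    echo "usage: $0 show|up|down" >&2; exit 2 ;;
esac
```

Check it with `ip route get 203.0.113.5 mark 0x1` on WEBSERVER (it should report the default via 192.0.2.1) and with `tcpdump -ni <inside-if> 'tcp src port 80'` on OUTBOUND SERVER, whose conntrack then reverses the DNAT on those replies. The `--sport 80` match also sends replies to clients that reached WEBSERVER directly through OUTBOUND SERVER; if direct port-80 access is meant to be blocked anyway, as Max suggests, that is harmless, otherwise the CONNMARK form Pascal mentions is the tool: set a connection mark in mangle/PREROUTING only for connections arriving from OUTBOUND SERVER (for instance `-m mac --mac-source`) and `-j CONNMARK --restore-mark` in mangle/OUTPUT instead of matching on the port.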
From: omasnjak at gmail.com (Elvir Kuric) Date: Wed May 9 13:28:36 2007 Subject: IPset included in distro In-Reply-To: <47A63D8907C4DE419BE33AEA2DF95BB31FBBAB@SUEXCL-02.ad.syr.edu> References: <20070508112319.GA2953330@metu.edu.tr> <47A63D8907C4DE419BE33AEA2DF95BB31FBBAB@SUEXCL-02.ad.syr.edu> Message-ID: <1814bfe70705090327n2ef7e7eel7613b2254206a128@mail.gmail.com>

Maybe try this, http://packages.debian.org/unstable/net/ipset ....

Regards

PS: Debian is a mainstream distribution, isn't it?

Elvir Kuric

On 5/8/07, Randall C Grimshaw wrote:
>
> Does anyone know of a mainstream distribution that does not require a custom kernel to use IPset? Is devil-linux approaching that class?
>

From mark at alpha2.com Wed May 9 15:27:30 2007
From: mark at alpha2.com (Mark L. Wise) Date: Wed May 9 16:28:33 2007 Subject: Two NICs, same network... In-Reply-To: References: Message-ID: <4641CC42.2000005@alpha2.com>

Is this not a routing issue?

route add -host 10.1.1.3 dev eth2

This would route all traffic to 10.1.1.3 to eth2

Mark

semi linux wrote:
> On 5/8/07, David Lang wrote:
>> On Tue, 8 May 2007, semi linux wrote:
>>
>> > I've got an odd problem where I've got two NICs on the same network and I want all traffic to one IP to go out one interface and all other traffic to use the second interface. I'm going to try and simplify my actual setup, because a lot of it makes no difference to this post...
>> >
>> > I know this has to be an iptables sort of setup since the routing table can only make a difference on different networks and not based on looking for a specific IP address.
>> >
>> > The question is:
>> >
>> > eth0 IP: 10.1.1.1
>> > eth1 IP: 10.1.1.2
>> >
>> > target: 10.1.1.3
>> >
>> > (these IPs are just examples, there are no hard-fast rules surrounding the other possibilities)
>> >
>> > How do I make sure this goes out eth1 instead of eth0? Do I use the mangle rule with the physdev module?
>> >
>> > I feel like I'm overlooking something or forgetting my basic network ideas here...
>>
>> You haven't quite given enough info here.
>>
>> If you have target2 10.1.1.4 and you want all traffic to target to go out eth0 and all traffic to target2 to go out eth1, then you would want to start out with defining host routes (the routing table _can_ look at specific hosts, not just networks).
>>
>> In addition, I believe that you will need to play around with arp filtering to make sure that each NIC only responds to arp requests for its IP addresses.
>> >> if you really only have one remote IP address and two local addresses >> and you >> want all communications between the target and 10.1.1.1 to use eth0 >> while >> all communications between the target and 10.1.1.2 to use eth1 things >> get more >> complicated >> >> you would need to look into packet/connection tagging and iptables >> routeing >> decisions. >> >> rather then try and go into that right now why don't you try to be a >> little >> clearer about exactly what you are trying to do. >> >> David Lang >> > > Ok... you asked for the whole thing, here it is (forget my previous > example): > > eth0 - 10.1.1.1 > eth1 - N/A > eth2 - N/A > br0 (eth1, eth2) - 10.1.1.2 > target - 10.1.1.3 > > The bridge (br0) is setup using brctl and seems to work w/o problem... > The eth1 and eth2 IP addresses really don't matter since they are both > referenced via the bridge and are set to something invalid. 10.1.1.3 > is connected via cross-over cable to eth2 port. br0 and eth0 are > connected to my network on the same subnet. > > What I'd like: > - all packets (from the network or local) where destination=10.1.1.3 > to be routed to eth2. > - otherwise, all traffic from the network to use eth0 for I/O. > > Basically, I want to specify that ONLY traffic for 10.1.1.3 is to use > eth2. > -- Mark L. Wise Alpha II Service, Inc. 1312 Epworth Ave Reynoldsburg, Ohio 43068-2116 USA Office: (614) 868-5033 Fax: (614) 868-1060 Email: mark@alpha2.com WEB: www.alpha2.com From vishamr at gmail.com Wed May 9 16:54:27 2007 
From: vishamr at gmail.com (Ramsurrun Visham) Date: Wed May 9 17:55:18 2007 Subject: Problem with connection tracking in IPtables!! Message-ID: <802220ef0705090754q7b242fefvee61ea00ee58277e@mail.gmail.com>

Hi to all,

I am using Fedora Core 5 with an upgraded kernel of 2.6.20.4. I installed iptables-1.3.7 on it. However, I am not able to use connection tracking. I checked all the items in Networking options related to connection tracking and iptables. However, when I boot into my 2.6.20.4 kernel and issue the command "service iptables start", I get this:

[root@localhost ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: raw mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]

[root@localhost ~]# locate ip_conntrack_netbios
/lib/modules/2.6.15-1.2054_FC5smp/kernel/net/ipv4/netfilter/ip_conntrack_netbios_ns.ko
/usr/src/linux-2.6.20.4/net/ipv4/netfilter/ip_conntrack_netbios_ns.c
[root@localhost ~]#

It seems that connection tracking is not being activated. How can I solve this problem?

Warm regards,
Visham

From brent at air2data.com Thu May 10 07:14:09 2007
From: brent at air2data.com (Brent Wilkinson) Date: Thu May 10 08:16:33 2007 Subject: Wireless Login Page In-Reply-To: <1178307309.2896.63.camel@ws1.walco02.com> References: <1178307309.2896.63.camel@ws1.walco02.com> Message-ID: <000001c792c2$0b7adae0$227090a0$@com>

Sorry, just noticed this. From what it sounds like, you are describing a captive portal. I have set up a few systems that do this.

Basically how it works is you let them get an IP address from the DHCP server. Once they have this IP address they then open up a website. What the captive portal does is redirect the HTTP packets to your server (your firewall also needs to rewrite the header IP address they are requesting so your web server likes it). I would be happy to forward a working rc.firewall file with it already preset up. The ones I have allow a person to visit certain pages like my web page and the hotel's web page but don't allow them to visit anything else.

Now if you want to get more complicated, like charging them for a certain amount of time and then cutting them off after that time expires, you need to use APs that support RADIUS and use a RADIUS server for timing, or use what's called NoCat.

Thanks
Brent
Air2Data.com

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Kirk Wallace
Sent: Friday, May 04, 2007 1:35 PM
To: netfilter@lists.netfilter.org
Subject: Re: Wireless Login Page

On Wed, 2007-05-02 at 19:18 +0200, Michelle Konzack wrote:
> Hello Kirk and *,
>
> On 2007-04-28 11:43:27, Kirk Wallace wrote:
> > I was using 192.168.21.2 just to test whether httpd would respond to any IP address sent on the 192.168.21.0/24 address space.
> >
> > I envision that a person would boot their wireless laptop and scan for hotspots. They would see my hotspot and connect. Then my DHCP server would give the laptop an IP address, subnet mask, gateway address, DNS1 and DNS2. Then the user would start firefox and try to open a link to anywhere.com, but I have FORWARD denied to all but logged in users (which have a tunnel IP address on another subnet). At this point, I want the anywhere.com request to invoke the httpd on the wireless router to reply with a login page. Currently dhcpd, httpd, radiusd and pptpd are on the same PC.
>
> This is exactly what I want to do too.
>
> But if the $CLIENT has gotten its DHCP IP address, then ANY connections (any ports except DNS and DHCP) must be blocked until the user has once started a web browser and authenticated.

If the above comment relates to restricting the wireless client's access to providing only a login, I do that by setting the policy for INPUT and OUTPUT to ACCEPT, then FORWARD to DROP. Then I add a rule to FORWARD to allow forwarding of the tunnel traffic. Users cannot get to the Internet without first logging in and being assigned a tunnel IP address. The wireless clients have access to all the open ports running locally on the wireless router.

> I was thinking that if the $USER opens a connection plus auth, the connection will be dropped for example 5 minutes after the last traffic going over the interface with the specified MAC/IP.
Currently, I allow my clients a full-time connection. In fact I have set them all up with an OpenWRT router with pptpd and a five-minute ping from cron to keep the connection alive. I use the ifconfig data to record the tunnel traffic (ppp0, ppp1, ...) then cross-reference this with the RADIUS data in order to bill based on a user's data volume.

> I have not found any examples how to do this.
>
> Would you like to share your config?
>
> And especially how you have set up your "first-connect" page to auth?

Well, that's my problem, I don't have an authorization page yet. Currently, I have to pre-configure a client's router or PC to log in using pptp. I would like to have a client cruise for hotspots and if they find mine, then be able to connect themselves. My first goal is to just figure out how to get an opening page on a person's screen, after they have found my hotspot. After selecting my ssid, I am assuming that the client would have their PC set up to get the connection settings from DHCP. Then I am assuming that they would recognize that they have a valid connection and try to browse the Internet. At this point, I want the wireless router to detect the http request and reply to that request with my opening page instead. The more I am learning about this, the more I think that iptables is just part of the solution, but I don't yet know enough to realize what I need to know.

Below is my iptables related configuration so far.

~~~~~~~~~~
root@ls:~# cat /etc/rc.d/rc.local
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local setup commands in here:

# Fix iwconfig mode problem called from rc.wireless 20060927 KW
/usr/bin/wlanconfig ath0 destroy
/usr/bin/wlanconfig ath0 create wlandev wifi0 wlanmode Master

# rc.wireless seems to have a problem with essid and channel too 20060927 KW
/sbin/iwconfig ath0 essid walco04 channel 10

# Todo - make these autoload as normal rc files do
/etc/rc.d/rc.wlvpn_iptab
/etc/rc.d/rc.pptpd
/etc/rc.d/rc.radiusd
/etc/rc.d/rc.dhcpd
~~~~~~~~~~~~~~~
root@ls:~# cat /etc/rc.d/rc.wlvpn_iptab
#!/bin/sh
#
# wlvpn_iptab.sh - 20060926 KW
# Set IP tables to forward only wireless VPN traffic

wlvpn_iptab_start() {
  # Flush both tables; accept everything locally, forward nothing by default
  /usr/sbin/iptables -F
  /usr/sbin/iptables -t nat -F
  /usr/sbin/iptables -P INPUT ACCEPT
  /usr/sbin/iptables -P OUTPUT ACCEPT
  /usr/sbin/iptables -P FORWARD DROP
  /usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
  /usr/sbin/iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT
  # Source-NAT everything leaving the uplink to the router's address
  /usr/sbin/iptables --table nat --append POSTROUTING \
    --out-interface eth0 --jump SNAT --to-source 192.168.12.7
  # Only the VPN tunnel subnet is forwarded, in both directions
  /usr/sbin/iptables -A FORWARD -s 192.168.123.0/24 -d 0/0 -j ACCEPT
  /usr/sbin/iptables -A FORWARD -s 0/0 -d 192.168.123.0/24 -j ACCEPT
}

# Stop VPN forwarding:
wlvpn_iptab_stop() {
  /usr/sbin/iptables -F
  /usr/sbin/iptables -t nat -F
  /usr/sbin/iptables -P INPUT ACCEPT
  /usr/sbin/iptables -P OUTPUT ACCEPT
  /usr/sbin/iptables -P FORWARD ACCEPT
  /usr/sbin/iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT
  /usr/sbin/iptables -A OUTPUT -s 0/0 -d 0/0 -j ACCEPT
  /usr/sbin/iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
}

# Restart IP packet forwarding:
wlvpn_iptab_restart() {
  wlvpn_iptab_stop
  sleep 1
  wlvpn_iptab_start
}

case "$1" in
  'start')
    wlvpn_iptab_start
    ;;
  'stop')
    wlvpn_iptab_stop
    ;;
  'restart')
    wlvpn_iptab_restart
    ;;
  *)
    # Default is "start", for backwards compatibility with previous
    # Slackware versions. This may change to a 'usage' error someday.
    wlvpn_iptab_start
esac

> Greetings
> Michelle Konzack
> Systemadministrator
> Tamay Dogan Network
> Debian GNU/Linux Consultant
>
>

From gopinath.u at gmail.com Thu May 10 07:28:35 2007
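Brent's description and Kirk's rc.wlvpn_iptab, combined into an added example ruleset (this is neither Kirk's file nor Brent's rc.firewall). It keeps Kirk's structure (INPUT/OUTPUT ACCEPT, FORWARD DROP, only the tunnel subnet forwarded and SNATed) and adds the two things Brent describes: a REDIRECT that lands every port-80 request from a not-yet-authenticated client on the router's own httpd, and a whitelist on the wireless interface so that such a client can reach only DHCP, DNS, the login page and the PPTP login itself. Interface and subnet names are taken from Kirk's post (ath0, eth0, 192.168.12.7, 192.168.21.0/24 for hotspot clients, 192.168.123.0/24 for tunnel addresses); the portal port and the PPTP ports are assumptions.

```shell
#!/bin/sh
# Added example, not Kirk's rc.wlvpn_iptab or Brent's rc.firewall: a minimal
# captive-portal ruleset of the kind Brent describes. Unauthenticated wireless
# clients get DHCP, DNS and the login page (their port-80 requests are
# REDIRECTed to the router's own httpd) and nothing is forwarded for them;
# clients that logged in over PPTP hold a tunnel address and are forwarded
# and source-NATed. Interface and subnet names follow Kirk's post (ath0, eth0,
# 192.168.12.7, 192.168.21.0/24, 192.168.123.0/24); the portal port and the
# PPTP details are assumptions. No arguments prints the rules; "start"/"stop"
# apply them.

: "${DRY_RUN:=1}"
WLAN=ath0                    # wireless interface (hotspot clients)
WAN=eth0                     # uplink
WAN_IP=192.168.12.7          # address used for SNAT on the uplink
HOTSPOT_NET=192.168.21.0/24  # range handed out by dhcpd before login
VPN_NET=192.168.123.0/24     # tunnel addresses handed out by pptpd after login
PORTAL_PORT=80               # local httpd serving the login page

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

portal_start() {
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT ACCEPT; ipt -P OUTPUT ACCEPT;  ipt -P FORWARD DROP

    # Local services a client may reach before logging in; everything else
    # arriving on the wireless side is dropped. The PPTP control channel
    # (tcp/1723) and GRE carry the login session itself.
    ipt -N HOTSPOT_IN
    ipt -A HOTSPOT_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A HOTSPOT_IN -p udp --dport 67 -j ACCEPT                # DHCP
    ipt -A HOTSPOT_IN -p udp --dport 53 -j ACCEPT                # DNS
    ipt -A HOTSPOT_IN -p tcp --dport 53 -j ACCEPT
    ipt -A HOTSPOT_IN -p tcp --dport "$PORTAL_PORT" -j ACCEPT    # login page
    ipt -A HOTSPOT_IN -p tcp --dport 1723 -j ACCEPT              # PPTP
    ipt -A HOTSPOT_IN -p gre -j ACCEPT
    ipt -A HOTSPOT_IN -j DROP
    ipt -A INPUT -i "$WLAN" -j HOTSPOT_IN

    # Any port-80 request from a not-yet-authenticated address lands on the
    # local httpd, which must answer with the login page whatever Host: it
    # sees. Tunnel addresses never match this rule, so logged-in users browse
    # normally.
    ipt -t nat -A PREROUTING -i "$WLAN" -s "$HOTSPOT_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"

    # Only tunnel addresses are forwarded; their replies come back via conntrack.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$VPN_NET" -o "$WAN" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN" -j SNAT --to-source "$WAN_IP"
}

portal_stop() {
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P FORWARD ACCEPT
}

case "${1:-show}" in
    show)  portal_start ;;
    start) DRY_RUN=0; portal_start ;;
    stop)  DRY_RUN=0; portal_stop ;;
    *)     echo "usage: $0 show|start|stop" >&2; exit 2 ;;
esac
```

The httpd behind PORTAL_PORT has to serve the login page for any Host: header, since the browser asked for anywhere.com, not for the router. HTTPS cannot be captured this way (the client expects a certificate for the name it asked for), so tcp/443 is simply left to the FORWARD policy and the browser's plain-HTTP attempt is what reaches the portal; likewise the INPUT policy is still ACCEPT for the other interfaces, exactly as in Kirk's file, so tighten that separately if the router is reachable from the uplink.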
From: gopinath.u at gmail.com (Gopinath) Date: Thu May 10 08:29:29 2007 Subject: Default deny rule Message-ID:

Good day everyone,

I am very new to this list. I am running FC3 and want to convert my server to act as a firewall which does static NAT. I had set up everything and it works fine in simulation. But the only thing is I am not able to make restrictions in the FORWARD chain. The basic functionality of a firewall, the DEFAULT DENY FUNCTIONALITY, is missing in my firewall. I tried to make it by applying a DROP policy to the FORWARD chain and also appending a default DROP rule to the end of the FORWARD chain. But when I do so, all the packets get dropped at the firewall. I have pasted my firewall script below. I have enabled the ip_conntrack and iptable_nat modules during bootup.

OS: Fedora Core 3
IPtables Version: v1.2.11

# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*filter
:INPUT ACCEPT [364:57615]
:FORWARD ACCEPT [1:52]
:OUTPUT ACCEPT [211:18044]
-A INPUT -s 10.44.x.x -p icmp -j ACCEPT
-A INPUT -s 10.44.x.x -p icmp -j ACCEPT
-A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Apr 27 08:16:21 2007
# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*nat
:PREROUTING ACCEPT [289:55706]
:POSTROUTING ACCEPT [77:6468]
:OUTPUT ACCEPT [77:6468]
-A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
-A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
-A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
-A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
COMMIT
# Completed on Fri Apr 27 08:16:21 2007

Output of iptables -nv -L

Chain INPUT (policy ACCEPT 73 packets, 13040 bytes)
 pkts bytes target prot opt in   out  source     destination
  501 30228 ACCEPT icmp --  *    *    10.44.x.x  0.0.0.0/0
 8648  576K ACCEPT tcp  --  *    *    10.44.x.x  0.0.0.0/0   tcp dpt:22
52464 9344K ACCEPT all  --  *    *    0.0.0.0/0  0.0.0.0/0   state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 68 packets, 5648 bytes)
 pkts bytes target prot opt in   out  source     destination
    0     0 ACCEPT tcp  --  eth0 eth1 0.0.0.0/0  10.44.x.x   state NEW
    0     0 ACCEPT tcp  --  eth0 eth1 0.0.0.0/0  10.44.x.x   state NEW
    0     0 ACCEPT all  --  *    eth0 0.0.0.0/0  0.0.0.0/0   state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT all  --  eth0 *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 10236 packets, 1175K bytes)
 pkts bytes target prot opt in   out  source     destination

Any help would be highly appreciated.

Thanks & Regards,
Gopinath.U

From bipindas.k at ditro.com Thu May 10 07:44:01 2007
From: bipindas.k at ditro.com (BipinDas) Date: Thu May 10 08:44:59 2007 Subject: Two internet connection in a gateway server howto. Message-ID: <4642B121.30308@ditro.com>

Dear List,

I do have a gateway server with two NICs and one internet connection. One network card has the public IP of the internet connection and the other a private IP on the local LAN. I have managed this with IP forwarding and iptables rules. This machine is running Debian sarge.

Now the company would like to take another internet connection for redundancy, and I would like to terminate this connection on this same machine. Is it possible? How can I do this? Please help.

Please forgive me if I made a wrong post here.

Faithfully
BipinDas K.

From yasuyuki.kozakai at toshiba.co.jp Thu May 10 08:33:43 2007
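For Gopinath's "Default deny rule" question above, an added example of a FORWARD chain that denies by default without killing the traffic that is supposed to pass (this is not his ruleset; it only keeps his shape of a two-NIC static-NAT box). The order matters: the conntrack rule for ESTABLISHED,RELATED comes first so that replies in both directions pass whatever the policy is, then explicit NEW rules for the published services (matching the private address, because PREROUTING has already rewritten the destination by the time FORWARD runs), then a rate-limited LOG so the DROP policy can be explained from the log instead of guessed at. All addresses are assumptions, since his are elided: eth0 outside with public 198.51.100.10, eth1 inside, server 10.44.0.10 publishing tcp/80 and tcp/443.

```shell
#!/bin/sh
# Added example, not Gopinath's ruleset: a default-deny FORWARD chain for a
# two-NIC static-NAT firewall like his. Addresses are assumptions (his are
# elided): eth0 is the outside with public 198.51.100.10, eth1 the inside,
# and the server behind the DNAT is 10.44.0.10 publishing tcp/80 and tcp/443.
# No arguments prints the rules; "start"/"stop" apply them.

: "${DRY_RUN:=1}"
OUT_IF=eth0; IN_IF=eth1
PUB_IP=198.51.100.10; SRV_IP=10.44.0.10
SRV_PORTS="80 443"

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

fw_start() {
    run sysctl -q -w net.ipv4.ip_forward=1
    ipt -F; ipt -t nat -F; ipt -X
    # Default deny: a forwarded packet that matches no rule below is dropped.
    ipt -P FORWARD DROP

    # Static NAT. PREROUTING rewrites the destination before FORWARD is
    # consulted, so FORWARD rules must match the private address (as in the
    # original ruleset), and POSTROUTING rewrites the source on the way out.
    ipt -t nat -A PREROUTING -i "$OUT_IF" -d "$PUB_IP" -j DNAT --to-destination "$SRV_IP"
    ipt -t nat -A POSTROUTING -o "$OUT_IF" -s "$SRV_IP" -j SNAT --to-source "$PUB_IP"

    # 1. Whatever conntrack already knows passes first, in both directions.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. New connections: only the published services from outside to the
    #    server, plus echo-request so a ping-based test does not fall through
    #    to the policy...
    for p in $SRV_PORTS; do
        ipt -A FORWARD -i "$OUT_IF" -o "$IN_IF" -d "$SRV_IP" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    ipt -A FORWARD -i "$OUT_IF" -o "$IN_IF" -d "$SRV_IP" -p icmp --icmp-type echo-request \
        -m state --state NEW -j ACCEPT
    #    ...and anything the inside initiates towards the outside.
    ipt -A FORWARD -i "$IN_IF" -o "$OUT_IF" -m state --state NEW -j ACCEPT
    # 3. Log (rate-limited) what is about to hit the DROP policy, so the
    #    counters on the policy line can be explained from the syslog.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:"
}

fw_stop() {
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P FORWARD ACCEPT
}

case "${1:-show}" in
    show)  fw_start ;;
    start) DRY_RUN=0; fw_start ;;
    stop)  DRY_RUN=0; fw_stop ;;
    *)     echo "usage: $0 show|start|stop" >&2; exit 2 ;;
esac
```

After `DRY_RUN=0 ./fw.sh start`, `iptables -nvL FORWARD` shows on which rule each packet was accepted; a counter that only grows on the policy line (as in the listing above, where every FORWARD rule sits at 0 while the policy accepted 68 packets) means no rule matched, and under a DROP policy that is precisely the traffic not yet allowed, which the FWD-DROP log lines then name by protocol, port and interface.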
From: yasuyuki.kozakai at toshiba.co.jp (Yasuyuki KOZAKAI)
Date: Thu May 10 09:34:44 2007
Subject: Problem with connection tracking in IPtables!!
In-Reply-To: <802220ef0705090754q7b242fefvee61ea00ee58277e@mail.gmail.com>
References: <802220ef0705090754q7b242fefvee61ea00ee58277e@mail.gmail.com>
Message-ID: <200705100633.l4A6XiPv022314@toshiba.co.jp>

From: "Ramsurrun Visham"
Date: Wed, 9 May 2007 18:54:27 +0400

> Hi to all,
>
> I am using Fedora Core 5 with an upgraded kernel of 2.6.20.4. I
> installed iptables-1.3.7 on it. However, I am not able to use
> connection tracking. I checked all the items in Networking options
> related to connection tracking and iptables. However, when I boot in
> my 2.6.20.4 kernel, and issue the command "service iptables start", I
> get this:
>
> [root@localhost ~]# service iptables start
> Flushing firewall rules: [ OK ]
> Setting chains to policy ACCEPT: raw mangle filter [ OK ]
> Unloading iptables modules: [ OK ]
> Applying iptables firewall rules: [ OK ]
> Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]
>
> [root@localhost ~]# locate ip_conntrack_netbios
> /lib/modules/2.6.15-1.2054_FC5smp/kernel/net/ipv4/netfilter/ip_conntrack_netbios_ns.ko
> /usr/src/linux-2.6.20.4/net/ipv4/netfilter/ip_conntrack_netbios_ns.c
> [root@localhost ~]#
>
> It seems that connection tracking is not being activated. How can I
> solve this problem?

Did you really install the kernel modules for 2.6.20.4 with 'make modules_install'?
And please check that NF_CONNTRACK_NETBIOS_NS or IP_NF_NETBIOS_NS is set in your .config.

-- 
Yasuyuki Kozakai

From safecode at naver.com Thu May 10 09:10:08 2007
From: safecode at naver.com (???)
Date: Thu May 10 10:11:07 2007
Subject: delete NAT conntrack entry.
Message-ID: <000a01c792d2$3e07e240$8f0ba8c0@swparkt1>

Hello

We have some problems with NAT.
We want to relay UDP packets from one host to another host using SNAT and DNAT.

iptables -t nat -A PREROUTING -p udp -d PACKET.RELAY.HOST.IP --dport 10000 -j DNAT --to-destination TO.OTHER.HOST.IP:10000
iptables -t nat -A POSTROUTING -p udp -d TO.OTHER.HOST.IP --dport 10000 -j SNAT --to-source PACKET.RELAY.HOST.IP:10000

It works well. But after removing the rules, packets are still transferred. I can find the conntrack entry in /proc/net/stat/ip_conntrack.
We know that libnfnetlink and libnetfilter_conntrack with kernel 2.6 can delete conntrack entries from userspace. But we use Redhat linux 2.4.21-32.EL.
How can I delete a specified conntrack entry in kernel 2.4 without kernel code?

Cheers,
Seongwoo Park

From nlbhat at gmail.com Thu May 10 10:12:10 2007
From: nlbhat at gmail.com (Nandan Bhat)
Date: Thu May 10 11:13:19 2007
Subject: Problem with connection tracking in IPtables!!
Message-ID: <4642D3DA.7060801@gmail.com>

Dear Visham,

I faced a problem with iptables after upgrading to a recent kernel. However, the original Fedora install booted just fine. I went through some online forums and found somebody suggesting that I

1. comment out all my iptables rules (/etc/sysconfig/iptables);
2. uncomment/enable one rule;
3. restart iptables;
4. look for a failure message.

One subsequent rule showed that I had "-m state" specified, but no kernel module compiled for it. I just ran "make menuconfig" again, went through all the options under Networking -> Netfilter configuration and enabled all modules (just to be safe). Enable specific modules according to your requirements.

I am not sure if this solves your problem; it solved mine.

Nandan

From jengelh at linux01.gwdg.de Thu May 10 11:52:51 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu May 10 12:54:10 2007
Subject: delete NAT conntrack entry.
In-Reply-To: <000a01c792d2$3e07e240$8f0ba8c0@swparkt1>
References: <000a01c792d2$3e07e240$8f0ba8c0@swparkt1>

On May 10 2007 16:10, ??? wrote:

>We have some problems with nat.
>We want to relay "udp packet" from a host to other host using SNAT, DNAT.
>
>iptables -t nat -A PREROUTING -p udp -d PACKET.RELAY.HOST.IP --dport 10000
>-j DNAT --to-destination TO.OTHER.HOST.IP:10000
>iptables -t nat -A POSTROUTING -p udp -d TO.OTHER.HOST.IP --dport 10000 -j
>SNAT --to-source PACKET.RELAY.HOST.IP:10000
>
>It works well. But after removing the rules, packet still transferred. I can
>find the conntrack entry in /proc/net/stat/ip_conntrack.
>We know libnfnetlink & libnetfilter_conntrack with kernel 2.6 can delete
>conntrack entries from userspace. But we use Redhat linux 2.4.21-32.EL.
>How can I delete specified conntrack entry in kernel 2.4 without kernel code
>??

I suppose that the reason that "conntrack" (the userspace tool to monitor/delete conntrack entries) was written is because there was no prior way to do it from userland. (In short: you are toast with 2.4)

Or wait for the UDP connection tracking timeout to happen.

Jan
-- 

From wakko at animx.eu.org Thu May 10 13:14:03 2007
From: wakko at animx.eu.org (Wakko Warner)
Date: Thu May 10 14:17:14 2007
Subject: delete NAT conntrack entry.
References: <000a01c792d2$3e07e240$8f0ba8c0@swparkt1>
Message-ID: <20070510111403.GA27624@animx.eu.org>

Jan Engelhardt wrote:
>
> On May 10 2007 16:10, ??? wrote:
> >We have some problems with nat.
> >We want to relay "udp packet" from a host to other host using SNAT, DNAT.
> >
> >iptables -t nat -A PREROUTING -p udp -d PACKET.RELAY.HOST.IP --dport 10000
> >-j DNAT --to-destination TO.OTHER.HOST.IP:10000
> >iptables -t nat -A POSTROUTING -p udp -d TO.OTHER.HOST.IP --dport 10000 -j
> >SNAT --to-source PACKET.RELAY.HOST.IP:10000
> >
> >It works well. But after removing the rules, packet still transferred. I can
> >find the conntrack entry in /proc/net/stat/ip_conntrack.
> >We know libnfnetlink & libnetfilter_conntrack with kernel 2.6 can delete
> >conntrack entries from userspace. But we use Redhat linux 2.4.21-32.EL.
> >How can I delete specified conntrack entry in kernel 2.4 without kernel code
> >??
>
> I suppose that the reason that "conntrack" (the userspace tool to
> monitor/delete conntrack entries) was written is because there was no
> prior way to do it from userland. (In short: you are toast with 2.4)
>
> Or wait for the UDP connection tracking timeout to happen.

Sometimes this may not be possible if the traffic doesn't stop long enough for it to time out. I wish I had known about conntrack when I had this problem occur. I just set the UDP timeout to 1 second (fortunately, that worked).

If it were possible that when a rule like that is deleted, all active conntrack entries that this rule causes would be removed.

-- 
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???

From ethy.brito at inexo.com.br Thu May 10 13:46:35 2007
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Thu May 10 14:47:43 2007
Subject: Fw: conntrack and SIP
Message-ID: <20070510084635.13d3a1f3@pulsar.inexo.com.br>

Hi again

Guys, please help with this. I already simulated the same NAT condition in the lab and it works flawlessly.
Why is this particular Linux NAT changing port 5060?

Regards

Begin forwarded message:

Date: Thu, 3 May 2007 15:45:20 -0300
From: "Ethy H. Brito"
To: netfilter@lists.netfilter.org
Subject: conntrack and SIP

Hello

I have these two SIP clients behind two Linux NATs. They both connect to the same server.

On client 1 I have:

udp 17 174 src=192.168.0.201 dst=X.X.X.X sport=5060 dport=5060 src=X.X.X.X dst=Y.Y.Y.Y sport=5060 dport=5060 [ASSURED] use=1

Note that the sport and dport were not changed between in and out.

But on client 2:

udp 17 171 src=10.172.40.118 dst=X.X.X.X sport=5060 dport=5060 src=X.X.X.X dst=Z.Z.Z.Z sport=5060 dport=1024 [ASSURED] use=1

What could cause the change in dport? I have no SNAT or DNAT rules in either of them.
Is there a way to copy the client 1 behavior to client 2?

Client 1 is iptables version 1.3.3 and kernel 2.4.33
Client 2 is iptables version 1.3.5 and kernel 2.4.33.3

-- 
Ethy H. Brito               /"\
InterNexo Ltda.             \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3797-6860           X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil         / \

From jengelh at linux01.gwdg.de Thu May 10 14:48:19 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu May 10 15:50:24 2007
Subject: delete NAT conntrack entry.
In-Reply-To: <20070510111403.GA27624@animx.eu.org>
References: <000a01c792d2$3e07e240$8f0ba8c0@swparkt1> <20070510111403.GA27624@animx.eu.org>

On May 10 2007 07:14, Wakko Warner wrote:
>
>If it were possible that when a rule like that is deleted, all
>active conntrack entries that this rule causes would be removed.

Problem 1: We would have to record in a ct entry what rule caused the ct to come alive. What if we have an empty ruleset? Conntracking still runs even when no iptables rules are in position.

Problem 2: If I wanted to move a rule inside a chain, deleting/reinserting it would kill the ct entry and - given some ruleset* (there are many more that would apply) - stops all connections immediately.

-P INPUT DROP
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --syn -j ACCEPT

Jan
-- 

From michael.ransburg at gmail.com Thu May 10 14:51:45 2007
From: michael.ransburg at gmail.com (Michael Ransburg)
Date: Thu May 10 15:52:42 2007
Subject: Filter a TCP stream based on a text appearing in the initial IP packet of the stream
Message-ID: <22b256140705100551q3a67e680nb184c23f4966cb1d@mail.gmail.com>

Hi all,

let's say someone is downloading a website using http/tcp/ip. This website is very large, i.e., there will be many IP packets in this TCP stream. I know that there is a certain phrase at the top of the website, let's say "foobar", which will therefore be part of the first IP packet of this TCP stream.

I know that I can use the string match mechanism to match this first IP packet and drop it.

However, is it also possible to drop _all_ IP packets belonging to this TCP stream (i.e., also the remainder of the website) _if_ the first packet includes the phrase "foobar"?

So what I want to say in a rule is:
If the first (or simply "a") IP packet of a TCP stream contains a given phrase, then please filter (match) all IP packets which belong to this TCP stream.

Can this be done using iptables / netfilter?

Thanks,
Michael

-- 
icq: 71772353 | skype: daneel1409 | msn: mike@unfolded.com

From jengelh at linux01.gwdg.de Thu May 10 16:15:06 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu May 10 17:16:17 2007
Subject: Filter a TCP stream based on a text appearing in the initial IP packet of the stream
In-Reply-To: <22b256140705100551q3a67e680nb184c23f4966cb1d@mail.gmail.com>
References: <22b256140705100551q3a67e680nb184c23f4966cb1d@mail.gmail.com>

On May 10 2007 14:51, Michael Ransburg wrote:
> of the stream
>
> Hi all,
>
> let's say someone is downloading a website using http/tcp/ip. This
> website is very large, i.e., there will be many IP packets in this TCP
> stream. I know that there is a certain phrase at the top of the
> website, let's say "foobar", which will therefore be part of the first
> IP packet of this TCP stream.

The first return packet is not guaranteed to carry the first byte of the HTML page. If the HTTP header is "big enough" and the MTU is "small enough", then it is likely that the packet is split before foobar.

Also see http://l7-filter.sourceforge.net/FAQ#usage

> I know that I can use the string match mechanism to match this first
> IP packet and drop it.
>
> However, is it also possible to drop _all_ IP packets belonging to this
> TCP stream (i.e., also the remainder of the website) _if_ the first
> packet includes the phrase "foobar"?
>
> So what I want to say in a rule is:
> If the first (or simply "a") IP packet of a TCP stream contains a
> given phrase, then please filter (match) all IP packets which belong
> to this TCP stream.
>
> Can this be done using iptables / netfilter?

-m string --string foobar -j CONNMARK --set-mark 1
-m connmark --mark 1 -j DROP/REJECT/whatever.

Jan
-- 

From netfilter at bserved.nl Thu May 10 16:21:56 2007
From: netfilter at bserved.nl (Bas Verhoeven)
Date: Thu May 10 17:22:38 2007
Subject: iptables NAT routing issues
In-Reply-To: <464101DA.4070102@plouf.fr.eu.org>
References: <4640E893.1010206@bserved.nl> <4640FAD0.9050301@plouf.fr.eu.org> <4640FDA9.5000706@bserved.nl> <464101DA.4070102@plouf.fr.eu.org>
Message-ID: <46432A84.2010409@bserved.nl>

Pascal Hambourg wrote:
> Use the outer box as a gateway, if it is in the same network. You do
> not have to use it as the default gateway for all traffic but at least
> for the HTTP return traffic. This could be done with iptables and
> advanced routing on the web server, for instance using the source port
> 80 to MARK packets or using CONNMARK/connmark.

I wasn't aware of that option, it seems to work fine ;-) Thanks.

> You could try to use the NOTRACK target on the web server in order to
> prevent the incoming SYN packets from creating a new connection, so
> the replies could be SNATed. But I would not bet a euro-cent on such a
> dirty method. If someone asks who suggested it, don't say it's me. ;-)

From wakko at animx.eu.org Thu May 10 18:16:55 2007
From: wakko at animx.eu.org (Wakko Warner)
Date: Thu May 10 19:19:31 2007
Subject: delete NAT conntrack entry.
References: <000a01c792d2$3e07e240$8f0ba8c0@swparkt1> <20070510111403.GA27624@animx.eu.org>
Message-ID: <20070510161655.GA29151@animx.eu.org>

Jan Engelhardt wrote:
> On May 10 2007 07:14, Wakko Warner wrote:
> >
> >If it were possible that when a rule like that is deleted, all
> >active conntrack entries that this rule causes would be removed.
>
> Problem 1: We would have to record in a ct entry what rule caused
> the ct to come alive. What if we have an empty ruleset? Conntracking
> still runs even when no iptables rules are in position.

I figured something like that would be required. I do realize that conntrack tracks connections regardless of iptables rules.

> Problem 2: If I wanted to move a rule inside a chain,
> deleting/reinserting it would kill the ct entry and - given some
> ruleset* (there are many more that would apply) - stops all
> connections immediately.
>
> -P INPUT DROP
> -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j ACCEPT

I understood this before I wrote it. How often does one move things around in their firewall (after the experimental stage)?

-- 
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???

From joel.bertrand at systella.fr Wed May 9 21:58:04 2007
From: joel.bertrand at systella.fr (BERTRAND Joël)
Date: Thu May 10 19:44:09 2007
Subject: [2.6.21 linux kernel] NAT on sparc64
Message-ID: <464227CC.6000704@systella.fr>

Hello,

I have used NAT with success for a long time. Yesterday, I built a 2.6.21.1 linux kernel because a very important bug (sbus iommu) was fixed in this release. Before, I used a patched 2.6.20.4 kernel that worked fine. My iptables script is:

# Generated by iptables-save v1.2.11 on Sat Jan 22 20:25:31 2005
*filter
#
#
#===============================================================================
# By default, everything is rejected except on the loopback interface
#===============================================================================
#
:INPUT DROP [28:3300]
:FORWARD DROP [0:0]
:OUTPUT DROP [27:3120]
[0:0] -A INPUT -i lo -j ACCEPT
#
#
#===============================================================================
# Everything coming from the LAN is accepted.
#===============================================================================
#
[0:0] -A INPUT -i eth0 -j ACCEPT
#
#
#===============================================================================
# Protocols arriving on the WAN interface rayleigh.
# ftp, ssh, smtp, http, ntp, https, imaps, pop3s, cvs, jabber
#===============================================================================
#
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 5222 -j ACCEPT
[0:0] -A INPUT -i eth1 -p icmp -j ACCEPT
#
#
#===============================================================================
# Protocols arriving on the WAN interface newton.
# ssh, ntp, smtp
#===============================================================================
#
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth2 -p icmp -j ACCEPT
#
#
#===============================================================================
# Unconditional accepts
#===============================================================================
#
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
#
#
#===============================================================================
# Forwarding from the LAN to the WAN interface rayleigh (default route).
# ftp, ssh, http, pop3, nntp, https, imaps, pop3s, openvpn, cvs,
# 3000:3001 (jcollab)
#===============================================================================
#
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 43 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 119 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 993 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 1194 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 1194 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3000:3001 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5900 -j ACCEPT
#
#
#===============================================================================
# From the WAN interface rayleigh to the machines in the /29.
# ssh
#===============================================================================
#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#
#
#===============================================================================
# From the WAN interface rayleigh to lebegue.
# 3000:3001 (jcollab), mysql
#===============================================================================
#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 80 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 3000:3001 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 3306 -j ACCEPT
#
#
#===============================================================================
# From the WAN interface rayleigh to fermat.
# smtp, http
#===============================================================================
#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.83 --dport 25 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.83 --dport 80 -j ACCEPT
#
#
#===============================================================================
# From fermat to the WAN interface newton.
# smtp
#===============================================================================
#
[0:0] -A FORWARD -i eth0 -o eth2 -p tcp -m tcp -s 192.168.0.83 --dport 25 -j ACCEPT
#
#
#===============================================================================
# From fermat to the WAN interface rayleigh.
# smtp
#===============================================================================
#
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp -s 192.168.0.83 --dport 3307 -j ACCEPT
#
#
#===============================================================================
# Unconditional forwarding
#===============================================================================
#
[0:0] -A FORWARD -p icmp -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -m state --state INVALID -j DROP
#
#
#===============================================================================
# Permitted output on the LAN and loopback interfaces
#===============================================================================
#
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -o eth0 -j ACCEPT
#
#
#===============================================================================
# Permitted output on the WAN interface rayleigh
# ftp, ssh, telnet, smtp, whois, domain, http, pop3, nntp, ntp, https, cvs
# 3000:3001 (jcollab), mysql, 8080 (servlet jcollab)
#===============================================================================
#
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 43 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 119 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 554 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3000 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3001 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ACCEPT
#
#
#===============================================================================
# Permitted output on the WAN interface newton
# telnet, ntp
#===============================================================================
#
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p icmp -j ACCEPT
[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -m state --state INVALID -j DROP
COMMIT
# Completed on Sat Jan 22 20:25:31 2005
# Generated by iptables-save v1.2.11 on Sat Jan 22 20:25:31 2005
*nat
:PREROUTING ACCEPT [2:156]
:POSTROUTING ACCEPT [4:377]
:OUTPUT ACCEPT [0:0]
#
#
#===============================================================================
# NAT for everything coming from the LAN interface
#===============================================================================
#
[0:0] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#
#
#===============================================================================
# Force routing of packets from fermat to destination port 25
# via the WAN interface newton
#===============================================================================
#
[0:0] -A PREROUTING -s 192.168.0.83 -p tcp -m tcp --dport 25 -j MARK --set-mark 1
COMMIT
# Completed on Sat Jan 22 20:25:31 2005

This server runs as a firewall/advanced router. eth0 is the LAN interface (192.168.0.0/24) and eth1 and eth2 are WAN interfaces. With the 2.6.20.4 kernel, all rules worked fine. With 2.6.21.1 all but the NAT rules work. Workstations on the LAN cannot access the WAN. I haven't seen any regression in NAT support. All required conntrack modules are loaded and iptables -L -t nat returns:

Root rayleigh:[/var/lib/iptables] > iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0   --  localnet/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Any idea to solve this trouble?

Thanks in advance,

JKB

From gcho at nalgo.co.jp Thu May 10 10:27:28 2007
From: gcho at nalgo.co.jp (gcho)
Date: Thu May 10 19:44:16 2007
Subject: how to return a packet back to netfilter
Message-ID: <20070510171309.61A0.GCHO@nalgo.co.jp>

Hello all,

Using NF_STOLEN, I kept an IP packet in my hook function on NF_IP_PRE_ROUTING. How can I return the stolen packet to NF_IP_LOCAL_IN or NF_IP_FORWARD after another packet that I need has arrived at NF_IP_PRE_ROUTING?

Faithfully
chou.genpou

From pascal.mail at plouf.fr.eu.org Thu May 10 21:31:10 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Thu May 10 22:32:39 2007
Subject: iptables NAT routing issues
In-Reply-To: <46432A84.2010409@bserved.nl>
References: <4640E893.1010206@bserved.nl> <4640FAD0.9050301@plouf.fr.eu.org> <4640FDA9.5000706@bserved.nl> <464101DA.4070102@plouf.fr.eu.org> <46432A84.2010409@bserved.nl>
Message-ID: <464372FE.1070802@plouf.fr.eu.org>

Bas Verhoeven wrote:
>
>> Use the outer box as a gateway, if it is in the same network. You do
>> not have to use it as the default gateway for all traffic but at least
>> for the HTTP return traffic. This could be done with iptables and
>> advanced routing on the web server, for instance using the source port
>> 80 to MARK packets or using CONNMARK/connmark.
>
> I wasn't aware of that option, it seems to work fine ;-)

Which option did you choose?

> Thanks.

You're welcome.

From pascal.mail at plouf.fr.eu.org Thu May 10 21:51:40 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Thu May 10 22:52:36 2007
Subject: Filter a TCP stream based on a text appearing in the initial IP packet of the stream
References: <22b256140705100551q3a67e680nb184c23f4966cb1d@mail.gmail.com>
Message-ID: <464377CC.7000502@plouf.fr.eu.org>

Hello,

Jan Engelhardt wrote:
> On May 10 2007 14:51, Michael Ransburg wrote:
>>
>>let's say someone is downloading a website using http/tcp/ip. This
>>website is very large, i.e., there will be many IP packets in this TCP
>>stream.

There may even be many different TCP connections.

>>I know that there is a certain phrase at the top of the
>>website, let's say "foobar", which will therefore be part of the first
>>IP packet of this TCP stream.

Do you mean the page title enclosed in the <title> tag, which most browsers conveniently display in the title bar?
No, it is not part of the first IP packet. The first packets in a TCP stream are SYN packets used for synchronisation, which contain no TCP data.

> The first return packet is not guaranteed to carry the first byte of the HTML
> page.

Don't you mean "the first return packet *is* guaranteed *not to* carry the first byte of the HTML page", or "the first return TCP *segment* is not guaranteed to carry the first byte of the HTML page"? ;-)

> If the HTTP header is "big enough"

And/or the HTML header contents before the <title> tag is big enough.

> and the MTU is "small enough",
> then it is likely that the packet is split before foobar.

[...]

>>So what I want to say in a rule is:
>>If the first (or simply "a") IP packet of a TCP stream contains a
>>given phrase, then please filter (match) all IP packets which belong
>>to this TCP stream.
>>
>>Can this be done using iptables / netfilter?
>
> -m string --string foobar -j CONNMARK --set-mark 1
> -m connmark --mark 1 -j DROP/REJECT/whatever.

Does this work if the string is split in two consecutive segments?

From netfilter at bserved.nl Thu May 10 22:06:00 2007
From: netfilter at bserved.nl (Bas Verhoeven)
Date: Thu May 10 23:06:39 2007
Subject: iptables NAT routing issues
In-Reply-To: <464372FE.1070802@plouf.fr.eu.org>
References: <4640E893.1010206@bserved.nl> <Pine.LNX.4.61.0705090024450.2342@yvahk01.tjqt.qr> <4640FAD0.9050301@plouf.fr.eu.org> <Pine.LNX.4.61.0705090036060.2342@yvahk01.tjqt.qr> <4640FDA9.5000706@bserved.nl> <464101DA.4070102@plouf.fr.eu.org> <46432A84.2010409@bserved.nl> <464372FE.1070802@plouf.fr.eu.org>
Message-ID: <46437B28.5000805@bserved.nl>

Pascal Hambourg wrote:
> Which option did you choose ?

We still have the outbound server DNAT-ing connections to the webserver's IP, that worked fine.

On the webserver we now mark all outgoing web packets:

# iptables -t mangle -A OUTPUT -s <webserver_inner_ip> -p tcp --sport 80 -j MARK --set-mark 2

And we use iproute2 to forward them back to the outbound server:

# ip rule add fwmark 2 pref 10 table web.out
# ip route add default via <outbound_box_ip> dev eth0 table web.out

Couldn't test with CONNMARK, as the box doesn't ship with that, but MARK works great for now.

I did test your last option too, but that just didn't work and sounded very hacky-ish, not something we could rely on, even if it worked.

From jengelh at linux01.gwdg.de Thu May 10 23:25:51 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Fri May 11 00:27:12 2007
Subject: Filter a TCP stream based on a text appearing in the initial IP packet of the stream
In-Reply-To: <464377CC.7000502@plouf.fr.eu.org>
References: <22b256140705100551q3a67e680nb184c23f4966cb1d@mail.gmail.com> <Pine.LNX.4.61.0705101611360.32349@yvahk01.tjqt.qr> <464377CC.7000502@plouf.fr.eu.org>
Message-ID: <Pine.LNX.4.61.0705102321570.6426@yvahk01.tjqt.qr>

On May 10 2007 21:51, Pascal Hambourg wrote:
>> > I know that there is a certain phrase at the top of the
>> > website, let's say "foobar", which will therefore be part of the first
>> > IP packet of this TCP stream.
>
> Do you mean the page title enclosed in the <title> tag, which most browsers
> conveniently display in the title bar ?
> No, it is not part of the first IP packet. The first packets in a TCP stream
> are SYN packets used for synchronisation, which contain no TCP data.

Well. One may match by l7 or similar, and filter by it. But NAT operations need to happen on the very first packet. That said, magically -A OUTPUT -m layer7 --l7proto http never worked for me, i.e. the counters just did not increase.

>> The first return packet is not guaranteed to carry the first byte
>> of the HTML page.
>
> Don't you mean "the first return packet *is* guaranteed *not to* carry the
> first byte of the HTML page", or "the first return TCP *segment* is not
> guaranteed to carry the first byte of the HTML page" ? ;-)

"The packet that contains the first byte of the HTTP reply may not necessarily carry the first byte(s) of the HTML/XML/etc. data."

>> -m string --string foobar -j CONNMARK --set-mark 1
>> -m connmark --mark 1 -j DROP/REJECT/whatever.
>
> Does this work if the string is split in two consecutive segments ?

I suppose not, hence l7 exists (also because it can do regexp).

Jan
-- 

From pascal.mail at plouf.fr.eu.org Fri May 11 00:14:07 2007
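To make Jan's two-rule string/CONNMARK approach and Pascal's split-segment question concrete, here is an added Python simulation (not code from this thread or from netfilter) of the two rules applied to constructed TCP exchanges. The mini connection tracker, the addresses and the HTTP segments are all constructed for the example, and --algo bm is added because iptables requires it for -m string.

```python
"""Simulation of the two-rule string/CONNMARK filter (constructed example,
not code from the thread or from netfilter)."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen by a netfilter hook (assumed: TCP only)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def conn_key(p: Packet) -> Tuple[Endpoint, Endpoint]:
    """Direction-independent key, so both halves of a connection share one
    conntrack entry (a real conntrack tuple also carries the protocol)."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class StringConnmarkFilter:
    """Models Jan's two rules, evaluated in order for every packet:
         -m string --algo bm --string foobar -j CONNMARK --set-mark 1
         -m connmark --mark 1 -j DROP
    CONNMARK is a non-terminating target, so rule 2 is still consulted for
    the packet that set the mark, which is why that packet is dropped too."""

    def __init__(self, needle: bytes, mark: int = 1) -> None:
        self.needle = needle
        self.mark = mark
        self.connmarks: Dict[Tuple[Endpoint, Endpoint], int] = {}

    def handle(self, p: Packet) -> str:
        key = conn_key(p)
        # Rule 1: -m string looks at this packet only; it cannot see bytes
        # that arrived in an earlier segment of the same connection.
        if self.needle in p.payload:
            self.connmarks[key] = self.mark
        # Rule 2: -m connmark compares the mark stored on the conntrack entry.
        if self.connmarks.get(key) == self.mark:
            return "DROP"
        return "ACCEPT"


def run(f: StringConnmarkFilter, packets: List[Packet]) -> List[str]:
    return [f.handle(p) for p in packets]


# Constructed sample endpoints (documentation address ranges).
CLIENT_IP = "192.0.2.10"
SERVER: Endpoint = ("198.51.100.20", 80)


def http_exchange(cport: int, reply_segments: List[bytes]) -> List[Packet]:
    """Constructed exchange: SYN, SYN-ACK (no data, as Pascal notes), the
    client's GET, then the server's reply split into the given segments."""
    def c2s(data: bytes = b"") -> Packet:
        return Packet(CLIENT_IP, cport, SERVER[0], SERVER[1], data)

    def s2c(data: bytes = b"") -> Packet:
        return Packet(SERVER[0], SERVER[1], CLIENT_IP, cport, data)

    return [c2s(), s2c(), c2s(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")] + [
        s2c(seg) for seg in reply_segments
    ]


def demo() -> Dict[str, List[str]]:
    """Two connections through one filter: in the first the phrase sits
    inside one segment, in the second the MTU splits it across two."""
    f = StringConnmarkFilter(b"foobar")
    whole = http_exchange(40001, [
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>foobar</title>",
        b"<body>...the rest of a very large page...</body></html>",
    ])
    split = http_exchange(40002, [
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>foo",
        b"bar</title><body>...the rest of a very large page...</body></html>",
    ])
    return {"whole": run(f, whole), "split": run(f, split)}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The "whole" connection is dropped from the matching segment onward, while the "split" connection passes entirely, which is the per-packet limitation that stream reassembly (l7-filter, as Jan mentions) exists to address.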
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Fri May 11 01:15:07 2007
Subject: iptables NAT routing issues
In-Reply-To: <46437B28.5000805@bserved.nl>
References: <4640E893.1010206@bserved.nl> <Pine.LNX.4.61.0705090024450.2342@yvahk01.tjqt.qr> <4640FAD0.9050301@plouf.fr.eu.org> <Pine.LNX.4.61.0705090036060.2342@yvahk01.tjqt.qr> <4640FDA9.5000706@bserved.nl> <464101DA.4070102@plouf.fr.eu.org> <46432A84.2010409@bserved.nl> <464372FE.1070802@plouf.fr.eu.org> <46437B28.5000805@bserved.nl>
Message-ID: <4643992F.4050001@plouf.fr.eu.org>

Bas Verhoeven wrote:
>
>> Which option did you choose ?
[...]
> On the webserver we now mark all outgoing web packets:
[...]
> And we use iproute2 to forward them back to the outbound server:
[...]

Ok. You seem to know how to use advanced routing, I am a bit surprised you said you "weren't aware of that option".

> Couldn't test with CONNMARK, as the box doesn't ship with that, but MARK
> works great for now.

The 'CONNMARK' target and the 'connmark' match were included in kernel 2.6.10. Earlier kernel versions had to be patched with patch-o-matic-ng.

> I did test your last option too, but that just didn't work and sounded
> very hacky-ish, not something we could rely on, even if it worked.

Huh, what last option? I don't know what you're talking about. ;-)

From andres at paglayan.com Fri May 11 01:01:59 2007
From: andres at paglayan.com (Andres Paglayan)
Date: Fri May 11 02:03:04 2007
Subject: NAT "triangulation" and already opened nat port not reachable
Message-ID: <96B053D2-93A1-4B81-96B1-B56DC2AF7121@paglayan.com>

Hi,

Sorry to post only problems; after this saga I am in, I might become someone
able to post solutions as well. With infinite thanks to Jan Engelhardt, who
has been helping beyond any imaginable point and getting me closer to the
solution.

I have a subnet which needs to connect to several other subnets through a
T1. For some reason, at the other end, a request I initiate to a machine at
172.16.2.34 generates a response from 172.16.1.49 as well, which in turn
needs to traverse the NAT, thus the "triangulation". I tried one-to-one NAT
with proxy ARP and it would fail as well. Could it be a hardware problem? As
a hint, when I replaced my ipcop by a cheapo DSL router, the NATting to the
other subnets worked just fine.

A dump from the ipcop box shows the following. I set a rule to allow
whatever from 172.16.1.49:

root@ipcop:~ # iptables -I CUSTOMINPUT -s 172.16.1.49 -j ACCEPT

Now I dump the relevant (in my opinion) part:

root@ipcop:~ # tcpdump -i eth2 | grep '172.16'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 68 bytes

(here goes the first request)
16:47:06.068643 IP 192.168.50.1.qsm-proxy > 172.16.2.34.ms-sql-m: UDP, length 7
(now this machine gets in the middle)
16:47:06.072886 IP 172.16.1.49.ms-sql-m > 192.168.50.1.qsm-proxy: UDP, length 120
16:47:06.073061 arp who-has 172.16.1.49 tell 192.168.50.1
16:47:06.073511 arp reply 172.16.1.49 is-at 00:18:18:c4:96:50 (oui Unknown)
(since I gave permission to 172.16.1.49 to do whatever, then why is the
already opened port qsm-proxy unreachable?)
16:47:06.073541 IP 192.168.50.1 > 172.16.1.49: ICMP 192.168.50.1 udp port qsm-proxy unreachable, length 156
(three more times until it fails)
16:47:09.958188 IP 192.168.50.1.vchat > 172.16.2.34.ms-sql-m: UDP, length 7
16:47:09.962465 IP 172.16.1.49.ms-sql-m > 192.168.50.1.vchat: UDP, length 120
16:47:09.962550 IP 192.168.50.1 > 172.16.1.49: ICMP 192.168.50.1 udp port vchat unreachable, length 156
16:47:11.060699 arp who-has 172.16.2.34 tell 192.168.50.1
16:47:11.061148 arp reply 172.16.2.34 is-at 00:18:18:c4:96:50 (oui Unknown)
16:47:13.943012 IP 192.168.50.1.tripwire > 172.16.2.34.ms-sql-m: UDP, length 7
16:47:13.947216 IP 172.16.1.49.ms-sql-m > 192.168.50.1.tripwire: UDP, length 120
16:47:13.947293 IP 192.168.50.1 > 172.16.1.49: ICMP 192.168.50.1 udp port tripwire unreachable, length 156
16:47:18.130143 IP 192.168.50.1.indigo-server > 172.16.2.34.ms-sql-m: UDP, length 7
16:47:18.134375 IP 172.16.1.49.ms-sql-m > 192.168.50.1.indigo-server: UDP, length 120
16:47:18.134457 IP 192.168.50.1 > 172.16.1.49: ICMP 192.168.50.1 udp port indigo-server unreachable, length 156
2469 packets captured
2491 packets received by filter
0 packets dropped by kernel

From swifty at freemail.hu Fri May 11 12:09:08 2007
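The capture above shows the pattern a stateful firewall cannot correlate: the request goes to 172.16.2.34 but the datagram that comes back is from 172.16.1.49, so the reply belongs to a different 5-tuple than the flow conntrack recorded. The following is an added example (not code from the thread) that replays tcpdump text lines and flags such "triangular" replies; the sample lines are copied from the message and the local address 192.168.50.1 is taken from it.

```python
import re
from collections import namedtuple

# Sample lines copied from the tcpdump output in the message above (ARP lines
# are kept to show that they are ignored).
CAPTURE = """\
16:47:06.068643 IP 192.168.50.1.qsm-proxy > 172.16.2.34.ms-sql-m: UDP, length 7
16:47:06.072886 IP 172.16.1.49.ms-sql-m > 192.168.50.1.qsm-proxy: UDP, length 120
16:47:06.073061 arp who-has 172.16.1.49 tell 192.168.50.1
16:47:06.073511 arp reply 172.16.1.49 is-at 00:18:18:c4:96:50 (oui Unknown)
16:47:06.073541 IP 192.168.50.1 > 172.16.1.49: ICMP 192.168.50.1 udp port qsm-proxy unreachable, length 156
16:47:09.958188 IP 192.168.50.1.vchat > 172.16.2.34.ms-sql-m: UDP, length 7
16:47:09.962465 IP 172.16.1.49.ms-sql-m > 192.168.50.1.vchat: UDP, length 120
16:47:09.962550 IP 192.168.50.1 > 172.16.1.49: ICMP 192.168.50.1 udp port vchat unreachable, length 156
"""

# tcpdump prints "host.port" with the port as a number or a service name; the
# address is anchored as four dotted numbers so the last dot is the separator.
UDP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): UDP, length (?P<len>\d+)$"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\S+) > (?P<dip>\S+): ICMP \S+ udp port "
    r"(?P<port>\S+) unreachable"
)

Finding = namedtuple("Finding", "ts kind local expected_peer actual_peer")


def analyse(capture, local_ip):
    """Replay a tcpdump text capture and classify each inbound UDP packet.

    Outgoing datagrams from local_ip are remembered by (local ip, local port).
    An inbound datagram whose source differs from the peer the local host
    sent to is 'triangular': connection tracking keys flows on the full
    5-tuple, so such a packet is a NEW flow to it, never ESTABLISHED.
    """
    outstanding = {}   # (local_ip, local_port) -> (peer_ip, peer_port)
    findings = []
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            f = m.groupdict()
            if f["sip"] == local_ip:
                outstanding[(f["sip"], f["sport"])] = (f["dip"], f["dport"])
                continue
            expected = outstanding.get((f["dip"], f["dport"]))
            actual = (f["sip"], f["sport"])
            if expected is None:
                kind = "unsolicited"
            elif expected == actual:
                kind = "reply"
            else:
                kind = "triangular"
            findings.append(Finding(f["ts"], kind, f["dip"] + ":" + f["dport"],
                                    expected, actual))
            continue
        m = ICMP_RE.match(line)
        if m and m.group("sip") == local_ip:
            # The local host itself refusing the datagram with port unreachable.
            findings.append(Finding(m.group("ts"), "icmp-unreach",
                                    local_ip + ":" + m.group("port"),
                                    None, (m.group("dip"), None)))
    return findings


def triangular_peers(capture, local_ip):
    """Set of (address sent to, address that answered) pairs flagged triangular."""
    return {(f.expected_peer[0], f.actual_peer[0])
            for f in analyse(capture, local_ip) if f.kind == "triangular"}


if __name__ == "__main__":
    for f in analyse(CAPTURE, "192.168.50.1"):
        print(f.ts, f.kind, f.local, "expected", f.expected_peer, "got", f.actual_peer)
```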
From: swifty at freemail.hu (Gáspár Lajos)
Date: Fri May 11 13:10:21 2007
Subject: Default deny rule
In-Reply-To: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com>
References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com>
Message-ID: <464440C4.7000605@freemail.hu>

Gopinath wrote:
> Good day everyone,
> I am very new to this list. I am running FC3 and want to convert my
> server to act as firewall, which does static NAT. I had setup
> everything and works fine in simulation. But the only thing is i am
> not able to make restriction in the FORWARD chain. The basic
> functionality of firewall, the DEFAULT DENYING FUNCTIONALITY is
> missing in my firewall. I tried to make it by applying DROP policy to
> the FORWARD chain & also appending a default DROP rule to the end of
> the FORWARD chain. But when i do so, all the packets were getting
> dropped at the firewall. I have pasted my firewall script below. I
> have enabled ip_conntrack & iptable_nat modules during bootup.
>
> OS: Fedora Core 3
> IPtables Version: v1.2.11

It is kind of old... :D

> # Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
> *filter
> :INPUT ACCEPT [364:57615]
> :FORWARD ACCEPT [1:52]
> :OUTPUT ACCEPT [211:18044]

The DEFAULT DENYING FUNCTIONALITY is achieved by using these commands:

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

> -A INPUT -s 10.44.x.x -p icmp -j ACCEPT
> -A INPUT -s 10.44.x.x -p icmp -j ACCEPT
> -A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.1.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
> -A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
> -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Fri Apr 27 08:16:21 2007
> # Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
> *nat
> :PREROUTING ACCEPT [289:55706]
> :POSTROUTING ACCEPT [77:6468]
> :OUTPUT ACCEPT [77:6468]
> -A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
> -A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
> -A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
> -A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
> COMMIT
> # Completed on Fri Apr 27 08:16:21 2007
>
> Output of iptables -nv -L
>
> Chain INPUT (policy ACCEPT 73 packets, 13040 bytes)
>
> pkts bytes target prot opt in out source destination
> 501 30228 ACCEPT icmp -- * * 10.44.x.x 0.0.0.0/0
> 8648 576K ACCEPT tcp -- * * 10.44.x.x 0.0.0.0/0 tcp dpt:22
> 52464 9344K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
>
> Chain FORWARD (policy ACCEPT 68 packets, 5648 bytes)
>
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
> 0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
> 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

There is no packet that matches your rules....
What are these destinations : 10.44.x.x ???
Do you mean 10.44.0.0/16 ???

fw1:~# whois 10.44.0.0
...
NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

>
> Chain OUTPUT (policy ACCEPT 10236 packets, 1175K bytes)
> pkts bytes target prot opt in out source destination
>
> Any help would be highly appreciated.
>
> Thanks & Regards,
> Gopinath.U
>

From swifty at freemail.hu Fri May 11 12:14:15 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Fri May 11 13:15:31 2007
Subject: Policy targets...
Message-ID: <464441F7.3050808@freemail.hu>

Hi all,

I was reading the iptables manual because I needed the correct arguments of
the policy (-P) command. Here it is:

   -P, --policy chain target
          Set the policy for the chain to the given target. See the section
          TARGETS for the legal targets. Only built-in (non-user-defined)
          chains can have policies, and neither built-in nor user-defined
          chains can be policy targets.

So I checked the TARGETS.

TARGETS
       A firewall rule specifies criteria for a packet, and a target. If the
       packet does not match, the next rule in the chain is then examined; if
       it does match, then the next rule is specified by the value of the
       target, which can be the name of a user-defined chain or one of the
       special values ACCEPT, DROP, QUEUE, or RETURN.

My question is: What is the difference between the ACCEPT and the RETURN
target in policy ??? :D

Thanx.

Swifty

From pedro.pandre at gmail.com Fri May 11 12:21:34 2007
From: pedro.pandre at gmail.com (Pedro Gonçalves)
Date: Fri May 11 13:23:28 2007
Subject: Policy targets...
In-Reply-To: <464441F7.3050808@freemail.hu>
References: <464441F7.3050808@freemail.hu>
Message-ID: <464443AE.5020904@gmail.com>

Gáspár Lajos wrote:
> Hi all,
>
> I was reading the iptables manual because I needed the correct
> arguments of the policy (-P) command.
> Here it is:
>
>    -P, --policy chain target
>           Set the policy for the chain to the given target. See
>           the section TARGETS for the legal targets. Only built-in
>           (non-user-defined) chains can have policies, and neither
>           built-in nor user-defined chains can be policy targets.
>
> So I checked the TARGETS.
>
> TARGETS
>        A firewall rule specifies criteria for a packet, and a target.
>        If the packet does not match, the next rule in the chain is then
>        examined; if it does match, then the next rule is specified by
>        the value of the target, which can be the name of a user-defined
>        chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.
>
> My question is: What is the difference between the ACCEPT and the
> RETURN target in policy ??? :D

in http://node1.yo-linux.com/cgi-bin/man2html?cgi_command=iptables :

TARGETS
       (...)
       *ACCEPT means to let the packet through.* DROP means to drop the
       packet on the floor. QUEUE means to pass the packet to userspace (if
       supported by the kernel). *RETURN means stop traversing this chain
       and resume at the next rule in the previous (calling) chain. If the
       end of a built-in chain is reached or a rule in a built-in chain with
       target RETURN is matched, the target specified by the chain policy
       determines the fate of the packet.*

Best Regards
pandre

From swifty at freemail.hu Fri May 11 12:34:45 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Fri May 11 13:35:55 2007
Subject: Policy targets...
In-Reply-To: <464443AE.5020904@gmail.com>
References: <464441F7.3050808@freemail.hu> <464443AE.5020904@gmail.com>
Message-ID: <464446C5.8090301@freemail.hu>

Pedro Gonçalves wrote:
>
>        *ACCEPT means to let the packet through.* DROP means to drop the
>        packet on the floor. QUEUE means to pass the packet to userspace
>        (if supported by the kernel). *RETURN means stop traversing this
>        chain and resume at the next rule in the previous (calling) chain.
>        If the end of a built-in chain is reached or a rule in a built-in
>        chain with target RETURN is matched, the target specified by the
>        chain policy determines the fate of the packet.*
>

Thanx for the answer but my question was what happens when the CHAIN POLICY
is RETURN... :D
(The packet will be returned to the sender ??? :D [Don't take it seriously,
just kidding.])

iptables -t nat -P PREROUTING ACCEPT
vs.
iptables -t nat -P PREROUTING RETURN

> Best Regards
> pandre

From vishamr at gmail.com Fri May 11 12:43:19 2007
From: vishamr at gmail.com (Ramsurrun Visham)
Date: Fri May 11 13:44:21 2007
Subject: Problem with connection tracking in IPtables!!
Message-ID: <802220ef0705110343w38864b3ew9194a49ffa3ab9fb@mail.gmail.com>

Hi to all,

I am unable to see the contents of the ip_conntrack file. I have built the
iptables modules into my 2.6.20.4 kernel itself. Is that what might be
causing this problem? Should I select the options as modules?

Warm regards,
Visham

From swifty at freemail.hu Fri May 11 13:03:20 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Fri May 11 14:04:28 2007
Subject: Policy targets...
In-Reply-To: <46444B26.6010206@gmail.com>
References: <464441F7.3050808@freemail.hu> <464443AE.5020904@gmail.com> <464446C5.8090301@freemail.hu> <46444B26.6010206@gmail.com>
Message-ID: <46444D78.7040809@freemail.hu>

Pedro Gonçalves wrote:
>> Thanx for the answer but my question was what happens when the
>> CHAIN POLICY is RETURN...
> Sorry, I didn't understand that in your original email.

No problem... :D

> I don't think that "RETURN" is a valid policy target, I think that
> only "ACCEPT" or "DROP" may be used as policy targets.
> At least, I've never used that target nor seen anyone using it,
> but maybe someone in the list can provide more info.

I tried and it gives me an error:

fw1:~# iptables -t nat -P PREROUTING RETURN
iptables: Bad policy name

So you won ! Maybe someone should fix the manual....

> Best Regards
> pandre

Thanx anyway... :D

Swifty

From sven at clue.co.za Fri May 11 14:29:56 2007
From: sven at clue.co.za (Sven Agnew)
Date: Fri May 11 15:31:23 2007
Subject: persistent packet marking for use in VPN creation.
Message-ID: <464461C4.7090602@clue.co.za>

Hi all,

I am trying to set up a Windows road warrior VPN connection to a Gentoo
Linux server running Linux Openswan U2.4.7/K2.6.18-gentoo-r6 (netkey).

I know that an option to persist encrypted packet marks across
de-capsulation used to exist and that this feature has now gone away (or so
I am told).

Could anyone tell me if there is a way to cause encrypted packets to be
marked and then, after de-capsulation, have the mark persist onto the
de-capsulated packet?
If this is not possible, could anyone suggest another way to produce the
results of getting a Windows VPN connection to a Linux server using Openswan?

Any suggestions would be welcome.

Thanks for your time,
Sven

From gcarter at aesgi.com Fri May 11 17:18:43 2007
From: gcarter at aesgi.com (Gregory Carter)
Date: Fri May 11 18:20:43 2007
Subject: persistent packet marking for use in VPN creation.
In-Reply-To: <464461C4.7090602@clue.co.za>
References: <464461C4.7090602@clue.co.za>
Message-ID: <46448953.50807@aesgi.com>

Could you explain why the destination would be interested in your VPN's
packet markings?

I mean, Windows doesn't have any software I am aware of that would be
interested in your markings under Linux, so what is the point in this
persistence you require?

What are you trying to accomplish through persistence?

-gc

Sven Agnew wrote:
> Hi all,
>
> I am trying to set up a windows Road warrior VPN connection to a
> Gentoo Linux server running Linux Openswan U2.4.7/K2.6.18-gentoo-r6
> (netkey).
>
> I know that an option to persist encrypted packet marks across
> de-capsulation used to exist and that this feature has now gone away (
> or so I am told ).
>
> Could anyone tell me if there is a way to cause encrypted packets to
> be marked and then, after de-capsulation, have the mark persist onto
> the de-capsulated packet?
> If this is not possible, could anyone suggest another way to produce
> the results of getting a Windows VPN connection to a Linux server
> using Openswan?
>
> Any suggestions would be welcome.
>
> Thanks for your time,
> Sven
>

From higuti.sam at gmail.com Fri May 11 19:53:18 2007
From: higuti.sam at gmail.com (Stephan Higuti)
Date: Fri May 11 20:54:27 2007
Subject: Firewall L7
In-Reply-To: <6bb85d880704191258r4b3638adye6669cee42b16485@mail.gmail.com>
References: <3da957060704180538m12ec86edr2536867007a8d05@mail.gmail.com> <462612C7.3090504@solutti.com.br> <3da957060704191115v62303fdh838beab7328ed331@mail.gmail.com> <6bb85d880704191258r4b3638adye6669cee42b16485@mail.gmail.com>
Message-ID: <3da957060705111053o72da3957q7887879d7e9cc87d@mail.gmail.com>

Thanks for help guys! It works!

Just another question.... What do I do to let a free IP behind my Bridge
firewall (L7)? I need an IP that can access all.......

Best Regards
Stephan

On 4/19/07, Juan León <debjuanca@gmail.com> wrote:
>
> Hi Stephan, with my experience firewalling, you can try using these rules
> with yours.
>
> Let's take a close look at your rules.
>
>
> #iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm
>
> Maybe this line is associated with gmail, I suggest you use a proxy to match
> strings like orkut.
> Read Oscar Andreasson's paragraph.
>
> "For example, if we use a string match and match for a specific string
> inside the packet, lets say get /index.html. Will that work? Normally, yes.
> However, if the packet size is very small, it will not. The reason is that
> iptables is built to work on a per packet basis, which means that if the
> string is split into several separate packets, iptables will not see that
> whole string. For this reason, you are much, much better off using a proxy
> of some sort for filtering in the application layer"
>
>
> For hotmail you can add this line just above every FORWARD line, see
> "-I", the same with your mail.server.com
>
> #iptables -I FORWARD -d www.hotmail.com -j ACCEPT
> #iptables -I FORWARD -d mail.server.com -j ACCEPT
>
>
> Hope this helps.
>
>
>
> 2007/4/19, Stephan Higuti <higuti.sam@gmail.com>:
> > My rulez....
> >
> > ## Flushing the IPTABLES rules
> > iptables -F
> > iptables -t nat -F
> > iptables -t mangle -F
> >
> > ## Enabling packet forwarding ##
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > ## Loading IPTABLES modules ##
> > modprobe iptable_nat
> > modprobe ip_nat_ftp
> > modprobe ip_conntrack
> > modprobe ipt_conntrack
> > modprobe ip_conntrack_ftp
> > modprobe ip_tables
> > modprobe ipt_LOG
> > modprobe ipt_limit
> > modprobe ipt_REJECT
> > modprobe ipt_layer7
> >
> > # Creating NAT for the whole network.
> > #iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
> >
> > ## Enabling Layer 7 rules
> > # Blocking Skype-to-Skype
> > iptables -A FORWARD -m layer7 --l7proto skypetoskype -j DROP
> >
> > # Blocking SkypeOut
> > iptables -A FORWARD -m layer7 --l7proto skypeout -j DROP
> >
> > # Blocking Messenger
> > #iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
> > #iptables -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
> > iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
> >
> > # Blocking the goddamn ORKUT by string using the bm algorithm (km can
> > # also be used)
> > iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm
> >
> > # Blocking torrents
> > iptables -t filter -A FORWARD -m layer7 --l7proto bittorrent -j DROP
> >
> > # Switching to stateful
> > #iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> >
> > These rules are blockin' gmail, hotmail and my mail server.....
> > But its just a few rulez....
> > Some wrong?
> >
> > Cheers
> >
> > Stephan
> >
> > --
> > ---------------------------------------------------------------------
> > Stephan Higuti
> > MSN: higutisam@hotmail.com
> > Email: higuti.sam@gmail.com
> > ---------------------------------------------------------------------
> >
>
>

--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------

From kakster7 at sbcglobal.net Sat May 12 03:55:25 2007
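Both this thread's "-m string" rule and Jan Engelhardt's earlier "Filter a TCP stream" reply run into the same limit: the string match inspects one packet at a time, so a string that straddles a segment boundary is never seen. The following added example (not from either thread) emulates the per-packet match beside a stream-aware match and shows how little state the latter needs; the sample HTTP request and the split offsets are constructed.

```python
# Added example: per-packet string matching versus matching across TCP
# segment boundaries. Segments are byte strings in arrival order.

def per_packet_match(segments, needle):
    """Emulate iptables -m string: each segment is inspected on its own.
    Returns the indices of the segments in which the needle occurs."""
    return [i for i, seg in enumerate(segments) if needle in seg]


def stream_match(segments, needle):
    """Match across segment boundaries by carrying the last len(needle)-1
    bytes of what was seen so far into the next segment. This assumes the
    segments arrive in order and do not overlap (a full reassembler has to
    handle retransmissions and reordering as well). Returns the index of the
    segment in which the match completes, or None."""
    keep = max(len(needle) - 1, 0)
    carry = b""
    for i, seg in enumerate(segments):
        window = carry + seg
        if needle in window:
            return i
        # Keep just enough tail bytes for a needle that started in this
        # segment to be completed by the next one (keep == 0 keeps nothing).
        carry = window[-keep:] if keep else b""
    return None


def split_at(data, *cuts):
    """Cut a byte string into consecutive segments at the given offsets."""
    bounds = (0,) + tuple(cuts) + (len(data),)
    return [data[a:b] for a, b in zip(bounds, bounds[1:])]


# Constructed sample request; the Host header carries the string the rule
# in the thread looks for.
REQUEST = (b"GET / HTTP/1.1\r\n"
           b"Host: www.orkut.com\r\n"
           b"User-Agent: example\r\n\r\n")

# The whole request in one segment, and the same bytes cut so that the
# needle is split as "...www.ork" | "ut.com...".
WHOLE_SEGMENTS = [REQUEST]
SPLIT_SEGMENTS = split_at(REQUEST, REQUEST.index(b"orkut") + 3)

if __name__ == "__main__":
    print("per-packet, whole:", per_packet_match(WHOLE_SEGMENTS, b"orkut"))
    print("per-packet, split:", per_packet_match(SPLIT_SEGMENTS, b"orkut"))
    print("stream, split:    ", stream_match(SPLIT_SEGMENTS, b"orkut"))
```

The per-packet matcher finds the string only in the unsplit case, while the stream matcher finds it in the second segment of the split case; small segments (the "packet size is very small" case in the quoted paragraph) make the split more likely, not less.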
From: kakster7 at sbcglobal.net (Nicholas Kline)
Date: Sat May 12 04:56:35 2007
Subject: Questions about DHCP firewall rules
Message-ID: <729129.22320.qm@web83819.mail.sp1.yahoo.com>

Greetings,

I am in the process of learning Netfilter/IPtables. I plan on using
Netfilter/IPtables to protect my Linux desktop computers and servers. We're
talking host-based firewalls, not one firewall protecting all of the
desktops and servers.

I have a basic question I am hoping someone on this mailing list can answer.
I am a little confused about configuring Netfilter/IPtables on a Linux
desktop computer. Specifically, this situation:

a Linux desktop computer that is configured to use DHCP
and configured to use the following rule:

$IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s $IP_LOCAL -j DROP

I would like to include the previous rule as part of a standard rule set.

From how I understand this situation, the firewall would have to be able to
automatically detect when the computer's IP address changes, right? Manually
inputting the computer's IP address each time it changes would get really
old.

I'm using several books as references for learning Netfilter/IPtables and
they discuss implementing "dynamic firewall scripts". In this case, a
dynamic firewall script that recognizes when the computer's IP address
changes.

So, my questions are:

1.) If I am using a computer that is configured to obtain its IP address
through DHCP, what firewall rules do I need to set up?

2.) Additionally, how do I configure the firewall to automatically detect
changes in the computer's network configuration (IP address change, etc.)?

Thank you for your time,

*Nick*

From snelius at tsu.ru Sat May 12 06:03:52 2007
From: snelius at tsu.ru (Anatoly Y.)
Date: Sat May 12 07:05:53 2007
Subject: Questions about DHCP firewall rules
In-Reply-To: <729129.22320.qm@web83819.mail.sp1.yahoo.com>
References: <729129.22320.qm@web83819.mail.sp1.yahoo.com>
Message-ID: <46453CA8.3010101@tsu.ru>

Timestamp: Sat 12 May 2007, 11:03 +0700 (NOVT)

Nicholas Kline wrote:
> Greetings,
>
> I am in the process of learning Netfilter/IPtables. I
> plan on using Netfilter/IPtables to protect my Linux
> desktop computers and servers. We're talking
> host-based firewalls, not one firewall protecting all
> of the desktops and servers.
>
> I have a basic question I am hoping someone on this
> mailing list can answer. I am a little confused about
> configuring Netfilter/IPtables on a Linux desktop
> computer. Specifically, this situation:
>
> a linux desktop computer that is configured to use
> DHCP
> and configured to use the following rule:
>
> $IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix
> "Spoofed source IP"
> $IPTABLES -A INPUT -s $IP_LOCAL -j DROP
>
> I would like to include the previous rule as part of a
> standard rule set.
>
> From how I understand this situation, the firewall
> would have to be able to automatically detect when the
> computers IP address changes, right? Manually
> inputting the computers IP address each time it
> changes would get really old.
>
> I'm using several books as references for learning
> Netfilter/IPtables and they discuss implementing
> "dynamic firewall scripts". In this case, a dynamic
> firewall script that recognizes when the computers IP
> address changes.
>
> So, my questions are:
>
> 1.) If I am using a computer that is configured to
> obtain its IP address through DHCP, what firewall
> rules do I need to setup?
>
> 2.) Additionally, how do I configure the firewall to
> automatically detect changes in the computers network
> configuration (IP address change, etc.)?

Use the full prefix of all fake networks (or only yours).

-A INPUT -s 192.168.0.0/16 -j LOG ....

for example.

--
Anatoly Y. aka Snelius | AY254-RIPE

From gopinath.u at gmail.com Mon May 14 08:02:03 2007
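For the second question in the thread (re-applying the per-address anti-spoof rule when the lease changes), one way to drive it from the DHCP client is a hook that computes the rule delta for each lease event. The following is an added example, not from the thread: it relies on the environment dhclient-script(8) exports to its exit hooks (reason, interface, old_ip_address, new_ip_address); restricting the rule to the DHCP interface with -i is my addition, so that the host's own traffic, which arrives over lo with the same source address, is not dropped.

```python
# Added example: plan the anti-spoof rule update for one DHCP lease event.
# Meant to be invoked from a dhclient exit hook (e.g. a script under
# /etc/dhcp/dhclient-exit-hooks.d/, an assumed location), which sources the
# variables used in main() below.
import os
import subprocess

LOG_PREFIX = "Spoofed source IP"
# Lease events after which the interface holds a (possibly new) address.
ADDRESS_SET = {"BOUND", "RENEW", "REBIND", "REBOOT"}
# Lease events after which the old address is no longer ours.
ADDRESS_LOST = {"EXPIRE", "FAIL", "RELEASE", "STOP"}


def antispoof_rules(iface, ip):
    """The LOG and DROP rules from the question, as iptables argument lists,
    restricted to the DHCP interface so that traffic looped back over lo
    (which also carries our own address as source) is left alone."""
    base = ["-i", iface, "-s", ip]
    return [base + ["-j", "LOG", "--log-prefix", LOG_PREFIX],
            base + ["-j", "DROP"]]


def plan_update(reason, iface, old_ip, new_ip, chain="INPUT"):
    """Return the iptables argument lists to run for one lease event.

    Old rules are deleted (-D, exact match) before the new ones are inserted
    (-I) so the chain never accumulates stale copies; when the address is
    unchanged (a RENEW of the same lease) nothing is emitted, which keeps the
    hook idempotent.
    """
    cmds = []
    if reason in ADDRESS_SET:
        if old_ip and old_ip != new_ip:
            cmds += [["-D", chain] + r for r in antispoof_rules(iface, old_ip)]
        if new_ip and old_ip != new_ip:
            # Insert DROP first, then LOG, so LOG ends up above DROP at the top.
            for r in reversed(antispoof_rules(iface, new_ip)):
                cmds.append(["-I", chain, "1"] + r)
    elif reason in ADDRESS_LOST and old_ip:
        cmds += [["-D", chain] + r for r in antispoof_rules(iface, old_ip)]
    return cmds


def main():
    env = os.environ
    cmds = plan_update(env.get("reason", ""), env.get("interface", ""),
                       env.get("old_ip_address"), env.get("new_ip_address"))
    for argv in cmds:
        subprocess.run(["iptables"] + argv, check=True)


if __name__ == "__main__":
    main()
```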
From: gopinath.u at gmail.com (Gopinath)
Date: Mon May 14 09:03:42 2007
Subject: Default deny rule
In-Reply-To: <464440C4.7000605@freemail.hu>
References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu>
Message-ID: <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com>

Please find the correct IP details below...

Is it necessary to upgrade my kernel and iptables to achieve NAT and
Default deny functionality ?

# vi /etc/iptables.conf
# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*filter
:INPUT ACCEPT [364:57615]
:FORWARD ACCEPT [1:52]
:OUTPUT ACCEPT [211:18044]
-A INPUT -s 10.44.20.70 -p icmp -j ACCEPT
-A INPUT -s 10.44.2.140 -p icmp -j ACCEPT
-A INPUT -s 10.44.2.140 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.44.20.70 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.0.246 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.2.10.240 -d 10.44.2.140 -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -s 10.2.10.240 -d 10.44.2.100 -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Apr 27 08:16:21 2007
# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*nat
:PREROUTING ACCEPT [289:55706]
:POSTROUTING ACCEPT [77:6468]
:OUTPUT ACCEPT [77:6468]
-A PREROUTING -d 10.1.60.240 -i eth0 -j DNAT --to-destination 10.44.2.100
-A PREROUTING -d 10.1.60.245 -i eth0 -j DNAT --to-destination 10.44.2.140
-A POSTROUTING -s 10.44.2.100 -o eth0 -j SNAT --to-source 10.1.60.240
-A POSTROUTING -s 10.44.2.140 -o eth0 -j SNAT --to-source 10.1.60.245
COMMIT
# Completed on Fri Apr 27 08:16:21 2007

# iptables -nv -L
Chain INPUT (policy ACCEPT 100 packets, 14882 bytes)
 pkts bytes target prot opt in  out source      destination
    0     0 ACCEPT icmp --  *   *   10.44.20.70 0.0.0.0/0
    0     0 ACCEPT icmp --  *   *   10.44.2.140 0.0.0.0/0
    0     0 ACCEPT tcp  --  *   *   10.44.2.140 0.0.0.0/0   tcp dpt:22
  356 24672 ACCEPT tcp  --  *   *   10.44.20.70 0.0.0.0/0   tcp dpt:22
    0     0 ACCEPT tcp  --  *   *   10.1.0.246  0.0.0.0/0   tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source      destination
    0     0 ACCEPT tcp  -- eth0 eth1 10.2.10.240 10.44.2.140 state NEW
    0     0 ACCEPT tcp  -- eth0 eth1 10.2.10.240 10.44.2.100 state NEW
    0     0 ACCEPT all  --  *   eth0 0.0.0.0/0   0.0.0.0/0   state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT all  -- eth0  *   0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 302 packets, 34150 bytes)
 pkts bytes target prot opt in  out source      destination

Regards,
Gopinath.U

On 5/11/07, Gáspár Lajos <swifty@freemail.hu> wrote:
> Gopinath wrote:
> > Good day everyone,
> > I am very new to this list. I am running FC3 and want to convert my
> > server to act as firewall, which does static NAT. I had setup
> > everything and works fine in simulation. But the only thing is i am
> > not able to make restriction in the FORWARD chain. The basic
> > functionality of firewall, the DEFAULT DENYING FUNCTIONALITY is
> > missing in my firewall. I tried to make it by applying DROP policy to
> > the FORWARD chain & also appending a default DROP rule to the end of
> > the FORWARD chain. But when i do so, all the packets were getting
> > dropped at the firewall. I have pasted my firewall script below. I
> > have enabled ip_conntrack & iptable_nat modules during bootup.
> >
> > OS: Fedora Core 3
> > IPtables Version: v1.2.11
> It is kind of old... :D
> > # Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
> > *filter
> > :INPUT ACCEPT [364:57615]
> > :FORWARD ACCEPT [1:52]
> > :OUTPUT ACCEPT [211:18044]
> The DEFAULT DENYING FUNCTIONALITY is achieved by using these commands:
> iptables -t filter -P INPUT DROP
> iptables -t filter -P FORWARD DROP
> iptables -t filter -P OUTPUT DROP
> > -A INPUT -s 10.44.x.x -p icmp -j ACCEPT
> > -A INPUT -s 10.44.x.x -p icmp -j ACCEPT
> > -A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> > -A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> > -A INPUT -s 10.1.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> > -A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
> > -A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
> > -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> > -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > COMMIT
> > # Completed on Fri Apr 27 08:16:21 2007
> > # Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
> > *nat
> > :PREROUTING ACCEPT [289:55706]
> > :POSTROUTING ACCEPT [77:6468]
> > :OUTPUT ACCEPT [77:6468]
> > -A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
> > -A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
> > -A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
> > -A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
> > COMMIT
> > # Completed on Fri Apr 27 08:16:21 2007
> >
> > Output of iptables -nv -L
> >
> > Chain INPUT (policy ACCEPT 73 packets, 13040 bytes)
> >
> > pkts bytes target prot opt in out source destination
> > 501 30228 ACCEPT icmp -- * * 10.44.x.x 0.0.0.0/0
> > 8648 576K ACCEPT tcp -- * * 10.44.x.x 0.0.0.0/0 tcp dpt:22
> > 52464 9344K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> >
> > Chain FORWARD (policy ACCEPT 68 packets, 5648 bytes)
> >
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
> > 0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
> > 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> > 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> There is no packet that matches your rules....
> What are these destinations : 10.44.x.x ???
> Do you mean 10.44.0.0/16 ???
>
> fw1:~# whois 10.44.0.0
> ...
> NetRange: 10.0.0.0 - 10.255.255.255
> CIDR: 10.0.0.0/8
> NetName: RESERVED-10
> NetHandle: NET-10-0-0-0-1
> Parent:
> NetType: IANA Special Use
> NameServer: BLACKHOLE-1.IANA.ORG
> NameServer: BLACKHOLE-2.IANA.ORG
> Comment: This block is reserved for special purposes.
> Comment: Please see RFC 1918 for additional information.
> Comment:
> RegDate:
> Updated: 2002-09-12
>
> >
> > Chain OUTPUT (policy ACCEPT 10236 packets, 1175K bytes)
> > pkts bytes target prot opt in out source destination
> >
> > Any help would be highly appreciated.
> >
> > Thanks & Regards,
> > Gopinath.U
> >
>

From thomas at fragstein.de Mon May 14 12:43:18 2007
From: thomas at fragstein.de (Thomas Fragstein) Date: Mon May 14 13:44:54 2007 Subject: netfilter load sharing Message-ID: <46483D46.6040308@fragstein.de> Hi List, i have two questions. first: how i can see how many cpu load ist generate by netfilter (iptables) second: on my linux box i have seen 20-30% of one cpu is using by system. it is possible that netfilter can share the load over any cores (multicore cpu) best thanks Thomas From lokeshnb at intoto.com Mon May 14 13:52:24 2007 From: lokeshnb at intoto.com (Lokesh) Date: Mon May 14 14:49:04 2007 Subject: Async processing using NetFilters Message-ID: <200705141147.l4EBlAbV017164@brahma.intotoind.com> Sorry for sending this again. anybody can please give me a clue ? >X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 >Date: Thu, 19 Apr 2007 13:05:15 +0530 >To: netfilter@lists.netfilter.org 
>From: Lokesh <lokeshnb@intoto.com> >X-Virus-Scanned: by Intoto Anti-X 1.0; Thu, 19 Apr 2007 13:00:54 +0530 >X-Spam-Scanned: by Intoto Anti-X 1.0; Thu, 19 Apr 2007 13:00:54 +0530 >X-Spam-RefID: str=0001.0A090208.46271AAD.00D3,ss=1,fgs=0 >X-Virus-Scanned: by Intoto Anti-X 1.0; Thu, 19 Apr 2007 13:00:49 +0530 >X-Spam-Scanned: by Intoto Anti-X 1.0; Thu, 19 Apr 2007 13:00:49 +0530 >X-Spam-RefID: str=0001.0A090208.46271AA8.00DA,ss=1,fgs=0 >X-Scanned-By: MIMEDefang 2.41 >Subject: Async processing using NetFilters >X-Virus-Scanned: by Intoto Anti-X 1.0; > Thu, 19 Apr 2007 13:26:37 +0530 >X-Spam-Scanned: by Intoto Anti-X 1.0; > Thu, 19 Apr 2007 13:26:37 +0530 >X-Spam-RefID: str=0001.0A090204.462720B5.0025:SCGMAF58662,ss=1,fgs=0 >X-BeenThere: netfilter@lists.netfilter.org >X-Mailman-Version: 2.1.5 >List-Id: General discussion and user questions <netfilter.lists.netfilter.org> >List-Unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, > <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe> >List-Archive: </pipermail/netfilter> >List-Post: <mailto:netfilter@lists.netfilter.org> >List-Help: <mailto:netfilter-request@lists.netfilter.org?subject=help> >List-Subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, > <mailto:netfilter-request@lists.netfilter.org?subject=subscribe> >Sender: netfilter-bounces@lists.netfilter.org > >Hi All, >I'm using Linux RedHat 9 kernel version 2.4.20-8 >I want to do some asynchronous processing of packets in my kernel >module that is registered as >Netfilter Hook. I tried to make use of NF_QUEUE but found that only >one call back function per >protocol family (PF) is provided and already some module (probably >NET_LINK socket interface) >is making use of it for PF_INET. Is there any way to use NF_QUEUE >facility without disturbing >NET_LINK ? why per hook registration of call back function of >NF_QUEUE is not provided? 
>How do I proceed if someone has to do async processing of packets, so that packets can be queued to a crypto hardware processing unit and safely reinjected back into the kernel later, so that the other registered hooks can get the packets?
>Any help is highly appreciated.
>Thanks
>-Lokesh.
>
>********************************************************************************
>This email message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential, proprietary and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please immediately notify the sender by reply email and destroy all copies of the original message. Thank you.
>Intoto Inc.

From yasuyuki.kozakai at toshiba.co.jp Mon May 14 14:03:17 2007
From: yasuyuki.kozakai at toshiba.co.jp (Yasuyuki KOZAKAI) Date: Mon May 14 15:04:45 2007 Subject: Problem with connection tracking in IPtables!! In-Reply-To: <802220ef0705110343w38864b3ew9194a49ffa3ab9fb@mail.gmail.com> References: <802220ef0705110343w38864b3ew9194a49ffa3ab9fb@mail.gmail.com> Message-ID: <200705141203.l4EC3IEv028786@toshiba.co.jp>
From: "Ramsurrun Visham" <vishamr@gmail.com> Date: Fri, 11 May 2007 14:43:19 +0400
> Hi to all,
>
> I am unable to see the contents of the ip_conntrack file. I have built the iptables modules into my 2.6.20.4 kernel itself. Is that what might be causing this problem? Should I select the options as modules?

AFAIK from your .config in the previous mail, you are using nf_conntrack, not ip_conntrack. nf_conntrack is the new module. But it is compatible with ip_conntrack if you also load nf_conntrack_ipv4. Don't worry.

Regards,
--
Yasuyuki Kozakai

From swifty at freemail.hu Mon May 14 14:33:17 2007
From: swifty at freemail.hu (Gáspár Lajos) Date: Mon May 14 15:34:58 2007 Subject: Default deny rule In-Reply-To: <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu> <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> Message-ID: <4648570D.4040308@freemail.hu>

Gopinath wrote:
> Please find the correct IP details below... Is it necessary to upgrade my kernel and iptables to achieve NAT and Default deny functionality?

Not necessary but suggested... At least you should upgrade your iptables to 1.3.7.

Now I comment on your rules... :D

> :INPUT ACCEPT [364:57615]
> :FORWARD ACCEPT [1:52]
> :OUTPUT ACCEPT [211:18044]

If there is no matching rule then EVERYTHING is ACCEPTED, because your 3 policies above are set to ACCEPT. In DEFAULT DENY mode you should set these policies to DROP, as mentioned in my previous mail:

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

> -A INPUT -s 10.44.20.70 -p icmp -j ACCEPT
> -A INPUT -s 10.44.2.140 -p icmp -j ACCEPT

Here you enable 2 IPs to use ICMP (ping) on your host.

> -A INPUT -s 10.44.2.140 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.44.20.70 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.1.0.246 -p tcp -m tcp --dport 22 -j ACCEPT

The above 3 IPs are enabled to SSH to your host. BUT IF YOU DO NOT SET THE DEFAULT POLICY TO DROP THEN THESE RULES ARE MEANINGLESS!!!

> -A FORWARD -s 10.2.10.240 -d 10.44.2.140 -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
> -A FORWARD -s 10.2.10.240 -d 10.44.2.100 -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT

10.2.10.240 can create NEW connections to 10.44.2.100 and 10.44.2.140...
10.2.10.240 should be on eth0
10.44.2.100 should be on eth1
10.44.2.140 should be on eth1

> -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

ANY host that sends ANY (NEW,RELATED,ESTABLISHED) packets through eth0 (not only to 10.2.10.240) is ACCEPTED.

> -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

ANY host that sends RELATED or ESTABLISHED packets from eth0 (not only from 10.2.10.240) is ACCEPTED.

AGAIN, IF YOU DO NOT SET THE DEFAULT POLICY TO DROP THEN THESE RULES ARE MEANINGLESS!!!

> *nat
> :PREROUTING ACCEPT [289:55706]
> :POSTROUTING ACCEPT [77:6468]
> :OUTPUT ACCEPT [77:6468]

These ACCEPTs are ok.

> -A PREROUTING -d 10.1.60.240 -i eth0 -j DNAT --to-destination 10.44.2.100
> -A PREROUTING -d 10.1.60.245 -i eth0 -j DNAT --to-destination 10.44.2.140

Anything that comes from eth0 and would go to 10.1.60.240 should go to 10.44.2.100.
Anything that comes from eth0 and would go to 10.1.60.245 should go to 10.44.2.140.

> -A POSTROUTING -s 10.44.2.100 -o eth0 -j SNAT --to-source 10.1.60.240
> -A POSTROUTING -s 10.44.2.140 -o eth0 -j SNAT --to-source 10.1.60.245

Anything that goes out on eth0 and comes from 10.44.2.100 should appear as if it came from 10.1.60.240.
Anything that goes out on eth0 and comes from 10.44.2.140 should appear as if it came from 10.1.60.245.

Maybe you do not need these last two rules at all, because a DNAT rule simply does the reverse SNAT in most cases.

> # iptables -nv -L
>
> Chain INPUT (policy ACCEPT 100 packets, 14882 bytes)

You had 100 packets that did not match ANY rule in the INPUT chain.

> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT icmp -- * * 10.44.20.70 0.0.0.0/0
> 0 0 ACCEPT icmp -- * * 10.44.2.140 0.0.0.0/0
> 0 0 ACCEPT tcp -- * * 10.44.2.140 0.0.0.0/0 tcp dpt:22
> 356 24672 ACCEPT tcp -- * * 10.44.20.70 0.0.0.0/0 tcp dpt:22
> 0 0 ACCEPT tcp -- * * 10.1.0.246 0.0.0.0/0 tcp dpt:22

No connection, no ping yet ???

>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth0 eth1 10.2.10.240 10.44.2.140 state NEW
> 0 0 ACCEPT tcp -- eth0 eth1 10.2.10.240 10.44.2.100 state NEW
> 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>

No NAT yet ???

> Chain OUTPUT (policy ACCEPT 302 packets, 34150 bytes)
> pkts bytes target prot opt in out source destination
>

Just 302 packets that went out, and no rule. Btw. maybe you do not want to filter your outgoing traffic. In that case you should leave your OUTPUT policy as ACCEPT.

> Regards,
> Gopinath.U

I think that you want something else than what you did in your rules. I would restart the whole project from the ground up.

!!! Please describe the connected networks and the target of the firewalling. !!!

Here is a core script that may help you:
(A bit long but can be useful. And of course not working in its current state...
:D )

#!/bin/bash
echo "Setting up FIREWALL rules:"

core_set="/proc/sys/net/core"
ip_set="/proc/sys/net/ipv4"
echo 0 > $ip_set/conf/all/rp_filter
echo 1 > $ip_set/conf/all/proxy_arp
echo 1 > $ip_set/icmp_echo_ignore_broadcasts
echo 1 > $ip_set/ip_forward
echo 32768 > $ip_set/netfilter/ip_conntrack_max
echo 1 > $ip_set/tcp_abort_on_overflow
echo 10 > $ip_set/tcp_fin_timeout
echo 1 > $ip_set/tcp_rfc1337
echo 1 > $ip_set/tcp_sack
echo 2 > $ip_set/tcp_synack_retries
echo 1 > $ip_set/tcp_syncookies
echo 16384 16384 16384 > $ip_set/tcp_wmem
echo 16384 > $core_set/rmem_default
echo 16384 > $core_set/wmem_default
echo 16384 > $core_set/wmem_max
sysctl -w net.ipv4.tcp_ecn=0 >/dev/null 2>/dev/null

modprobe ip_conntrack >/dev/null 2>/dev/null
modprobe ip_nat >/dev/null 2>/dev/null
modprobe iptable_nat >/dev/null 2>/dev/null

# flush, delete and zero the chain in $subchain of table $table
# (with $subchain empty this acts on the whole table)
clean_subchain() {
  $table -F $subchain >/dev/null 2>/dev/null
  $table -X $subchain >/dev/null 2>/dev/null
  $table -Z $subchain >/dev/null 2>/dev/null
}

# create a fresh user-defined chain and leave its name in $subchain
create_subchain() {
  subchain=$1
  clean_subchain
  $table -N $subchain
}

clean_table() {
  subchain=""
  clean_subchain
}

table="iptables -t nat"
clean_table

chain="PREROUTING"
$table -P $chain ACCEPT
create_subchain "DNAT_of_eth0"
$table -A $chain -j $subchain -i eth0
$table -A $subchain -j DNAT -d 10.1.60.240 --to-destination 10.44.2.100
$table -A $subchain -j DNAT -d 10.1.60.245 --to-destination 10.44.2.140

chain="POSTROUTING"
$table -P $chain ACCEPT

chain="OUTPUT"
$table -P $chain ACCEPT

table="iptables -t filter"
clean_table

create_subchain "send_reject"
$table -A $subchain -j REJECT -p tcp --reject-with tcp-reset
$table -A $subchain -j REJECT --reject-with icmp-admin-prohibited
$table -A $subchain -j DROP

create_subchain "log_invalid"
$table -A $subchain -j LOG --log-prefix "INVALID: " --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options
$table -A $subchain -j send_reject

create_subchain "con_icmp"
$table -A $subchain -j RETURN -p icmp --icmp-type echo-reply
$table -A $subchain -j RETURN -p icmp --icmp-type destination-unreachable
$table -A $subchain -j RETURN -p icmp --icmp-type source-quench
$table -A $subchain -j RETURN -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name icmp --hashlimit 1/s --hashlimit-mode srcip
$table -A $subchain -j RETURN -p icmp --icmp-type time-exceeded
$table -A $subchain -j DROP -p icmp

create_subchain "con_udp"
#TODO

create_subchain "con_tcp"
$table -A $subchain -j RETURN -p tcp --syn -m conntrack --ctstate NEW
$table -A $subchain -j RETURN -m conntrack --ctstatus EXPECTED
$table -A $subchain -j log_invalid

# "connected" ACCEPTs tracked traffic and RETURNs everything that is a
# legitimate start of a new connection; the rest is logged and rejected
create_subchain "connected"
$table -A $subchain -j ACCEPT -m conntrack --ctstate ESTABLISHED
$table -A $subchain -j ACCEPT -m conntrack --ctstate RELATED
$table -A $subchain -j RETURN -i lo -o lo
$table -A $subchain -j con_icmp -p icmp
$table -A $subchain -j RETURN -p icmp
$table -A $subchain -j con_udp -p udp
$table -A $subchain -j RETURN -p udp
$table -A $subchain -j con_tcp -p tcp
$table -A $subchain -j RETURN -p tcp

chain="INPUT"
$table -P $chain DROP
$table -A $chain -j connected

create_subchain "ICMP_ok"
$table -A $chain -j $subchain -p icmp
# (fixed: the ACCEPT lines below lacked "-A $subchain", so iptables would
#  have refused them with "no command specified")
$table -A $subchain -j ACCEPT -s 10.44.20.70
$table -A $subchain -j ACCEPT -s 10.44.2.140

create_subchain "SSH_ok"
$table -A $chain -j $subchain -p tcp --dport 22
$table -A $subchain -j ACCEPT -s 10.1.0.246
$table -A $subchain -j ACCEPT -s 10.44.2.140
$table -A $subchain -j ACCEPT -s 10.44.20.70

chain="FORWARD"
$table -P $chain DROP
$table -A $chain -j connected

# (fixed: was "create_chain", which is not defined anywhere in the script)
create_subchain "enable_DNAT_to_eth1"
$table -A $chain -j $subchain -o eth1
$table -A $subchain -j ACCEPT -d 10.44.2.100
$table -A $subchain -j ACCEPT -d 10.44.2.140

chain="OUTPUT"
$table -P $chain ACCEPT

echo "done."

Swifty

From denismpa at gmail.com Mon May 14 14:43:50 2007
From: denismpa at gmail.com (Denis) Date: Mon May 14 15:45:16 2007 Subject: Two internet connection in a gateway server howto. In-Reply-To: <4642B121.30308@ditro.com> References: <4642B121.30308@ditro.com> Message-ID: <e9aeeef80705140543m26923580xafbde16351798149@mail.gmail.com>

You can manage that using iptables fwmark and iproute2.

Denis Anjos.

2007/5/10, BipinDas <bipindas.k@ditro.com>:
> Dear List,
>
> I have a gateway server with two NICs and one internet connection. One network card has the public IP of the internet connection and the other a private IP on the local LAN. I have managed this with IP forwarding and iptables rules. This machine is running Debian sarge. Now the company would like to get another internet connection for redundancy, and I would like to terminate this connection on the same machine. Is it possible? How can I do this? Please help.
> Please forgive me if I made a wrong post here.
>
> Faithfully
> BipinDas K.

From sumit_malik1 at yahoo.com Sun May 13 22:30:41 2007
From: sumit_malik1 at yahoo.com (Sumit Malik) Date: Mon May 14 16:44:19 2007 Subject: 12 interface FTP server - Possible routing problem - Please help Message-ID: <535519.69724.qm@web31508.mail.mud.yahoo.com>

Hello,

I have proFTPd set up on an Ubuntu server with 12 network interfaces, each one connected to a separate DSL line. The server binds to the 12 interfaces fine but has trouble taking connections on the 11 other than the first interface.

- Each DSL line has a dynamic IP and is mapped to a DynDNS name.
- Each interface is behind a NAT in the DSL router. (An incoming connection is able to get to the server, so the incoming NAT is working fine.)
- All relevant ports are opened for FTP on each router and forwarded to the appropriate internal IP.
- Each interface in proFTPd is set up to use a DNS service to look up the interface IP for PASV transfers. Each interface has a different DNS name.
- All interfaces are visible and enabled in the interface list.
- Each of the interfaces has an internal IP of 192.168.n.11 and the router has an IP of 192.168.n.1.
- The server is running Ubuntu Server 6.10 with no firewall software.

With the routes below I am able to ftp to each interface independently and get directory listings. I am also able to upload data from the client to each of the 12 interfaces.

ip route add 192.168.2.0/24 dev eth2 src 192.168.2.11 table r2
ip route add 192.168.3.0/24 dev eth3 src 192.168.3.11 table r3
...
ip route add 192.168.12.0/24 dev eth12 src 192.168.12.11 table r12
ip rule add from 192.168.2.11 table r2
ip rule add from 192.168.3.11 table r3
...
ip rule add from 192.168.12.11 table r12
ip route add default via 192.168.2.1 table r2
ip route add default via 192.168.3.1 table r3
...
ip route add default via 192.168.12.1 table r12

The strange part is that I am actually able to download in ASCII mode but not in binary mode from any of the interfaces other than the default interface (eth1).

I also tried loading ip_conntrack and ip_conntrack_ftp but that did not work.

I also added the following iptables entries but they didn't help either.

iptables -A INPUT -i eth2 -p tcp --sport 1024: --dport 1024: -d 192.168.2.11 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth2 -p tcp --sport 1024: --dport 1024: -s 192.168.2.11 -m state --state ESTABLISHED -j ACCEPT

So now I am able to do the following using PASSIVE mode:
- Upload from Client -> Server in ASCII and BINARY mode
- Download from Server -> Client in ASCII mode only

I have also tried several ftp clients.

Any ideas why BINARY mode is not working for downloads?

Thanks for your help in advance.

Regards,
-Sumit

From higuti.sam at gmail.com Mon May 14 19:17:59 2007
From: higuti.sam at gmail.com (Stephan Higuti) Date: Mon May 14 20:19:25 2007 Subject: Firewall L7 In-Reply-To: <4644CC76.80502@zensoluciones.com> References: <3da957060704180538m12ec86edr2536867007a8d05@mail.gmail.com> <462612C7.3090504@solutti.com.br> <3da957060704191115v62303fdh838beab7328ed331@mail.gmail.com> <6bb85d880704191258r4b3638adye6669cee42b16485@mail.gmail.com> <3da957060705111053o72da3957q7887879d7e9cc87d@mail.gmail.com> <4644CC76.80502@zensoluciones.com> Message-ID: <3da957060705141017x700eee6bq7c1781f0b4756c39@mail.gmail.com>

Thanks guys!

My block rule isn't working!
I'm using this rule to block the MSN protocol...

iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP

Any idea?

Best Regards

Stephan

---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------

From fernando at intrace.com.br Mon May 14 20:13:39 2007
From: fernando at intrace.com.br (Fernando R. Durso) Date: Mon May 14 21:16:26 2007 Subject: Firewall L7 In-Reply-To: <3da957060705141017x700eee6bq7c1781f0b4756c39@mail.gmail.com> References: <3da957060704180538m12ec86edr2536867007a8d05@mail.gmail.com> <462612C7.3090504@solutti.com.br> <3da957060704191115v62303fdh838beab7328ed331@mail.gmail.com> <6bb85d880704191258r4b3638adye6669cee42b16485@mail.gmail.com> <3da957060705111053o72da3957q7887879d7e9cc87d@mail.gmail.com> <4644CC76.80502@zensoluciones.com> <3da957060705141017x700eee6bq7c1781f0b4756c39@mail.gmail.com> Message-ID: <4648A6D3.4090307@intrace.com.br>

Do an ls /lib/iptables/ or /usr/lib/iptables (or wherever your iptables libs are) and look for libipt_layer7.so. If you don't find it, it's because your kernel and/or iptables compilation has failed....

By the way, you can remove the "-t filter".

Stephan Higuti wrote:
> Thanks guys!
>
> My block rule isn't working!
> I'm using this rule to block the MSN protocol...
>
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
>
> Any idea?
>
> Best Regards
>
> Stephan
>
> ---------------------------------------------------------------------
> Stephan Higuti
> MSN: higutisam@hotmail.com
> Email: higuti.sam@gmail.com
> ---------------------------------------------------------------------

From jengelh at linux01.gwdg.de Mon May 14 21:53:09 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon May 14 22:55:29 2007 Subject: netfilter load sharing In-Reply-To: <46483D46.6040308@fragstein.de> References: <46483D46.6040308@fragstein.de> Message-ID: <Pine.LNX.4.61.0705142151340.9570@yvahk01.tjqt.qr>

On May 14 2007 12:43, Thomas Fragstein wrote:
>
> Hi List,
>
> I have two questions.
>
> First: how can I see how much CPU load is generated by netfilter (iptables)?
>
> Second: on my Linux box I have seen 20-30% of one CPU being used by "system". Is it possible for netfilter to share the load across the cores (multicore CPU)?

I believe that on incoming packets, the CPU handling the network card interrupt will also serve the iptables and routing logic, and on output, the processor the program runs on that sent a packet. Not sure, though. CC/FWD to nf-dev, maybe they know.

Jan
--

From jengelh at linux01.gwdg.de Mon May 14 22:03:33 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Mon May 14 23:05:47 2007 Subject: Firewall L7 In-Reply-To: <3da957060705141017x700eee6bq7c1781f0b4756c39@mail.gmail.com> References: <3da957060704180538m12ec86edr2536867007a8d05@mail.gmail.com> <462612C7.3090504@solutti.com.br> <3da957060704191115v62303fdh838beab7328ed331@mail.gmail.com> <6bb85d880704191258r4b3638adye6669cee42b16485@mail.gmail.com> <3da957060705111053o72da3957q7887879d7e9cc87d@mail.gmail.com> <4644CC76.80502@zensoluciones.com> <3da957060705141017x700eee6bq7c1781f0b4756c39@mail.gmail.com> Message-ID: <Pine.LNX.4.61.0705142203150.9570@yvahk01.tjqt.qr>

On May 14 2007 14:17, Stephan Higuti wrote:
>
> My block rule isn't working!

That is _not_ a precise error description.

> I'm using this rule to block the MSN protocol...
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP

Jan
--

From swifty at freemail.hu Tue May 15 11:03:19 2007
From: swifty at freemail.hu (Gáspár Lajos) Date: Tue May 15 12:05:02 2007 Subject: Policy targets... In-Reply-To: <46488357.90209@vlsmaps.com> References: <464441F7.3050808@freemail.hu> <464443AE.5020904@gmail.com> <464446C5.8090301@freemail.hu> <46444B26.6010206@gmail.com> <46444D78.7040809@freemail.hu> <46488357.90209@vlsmaps.com> Message-ID: <46497757.7090100@freemail.hu>

jwlargent wrote:
...
>> fw1:~# iptables -t nat -P PREROUTING RETURN
>> iptables: Bad policy name
>>
>> So you won !
>> Maybe someone should fix the manual....
>>
>
> Maybe you should just read the manual, RETURN is not a policy for the nat table.
>

Believe me... I read it many times... :D

> - From the man page:
>
> nat:
>     This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
>

Yeah... That is right.... But wait a minute... I am talking about the DEFAULT POLICY and you are talking about BUILT-IN CHAINS !!!

iptables -t nat -A PREROUTING -j RETURN != iptables -t nat -P PREROUTING RETURN

The first works, the second does not...

I think that it is a bit confusing to use ACCEPT as a policy target and as a rule target. (In nat/mangle/raw ACCEPT means CONTINUE. In filter it means OK, LET IT THROUGH.) That is why I tried to use RETURN in the policy.

From the man page:

-P, --policy chain target
    Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

TARGETS
    A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

    ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

> --
> Jeff Largent
> System Administrator
> Visual Lease Services Inc.
> http://www.vlsmaps.com
> (405) 379-5280

From xpisar at fi.muni.cz Tue May 15 13:13:24 2007
From: xpisar at fi.muni.cz (Petr Pisar) Date: Tue May 15 14:15:16 2007 Subject: Policy targets... References: <464441F7.3050808@freemail.hu> Message-ID: <slrnf4j5ek.ic3.xpisar@album.ics.muni.cz>

On 2007-05-11, Gáspár Lajos <swifty@freemail.hu> wrote:
> Hi all,
>
> I was reading the iptables manual because I needed the correct arguments of the policy (-P) command.
> Here it is:
>
> -P, --policy chain target
>     Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.
>
> So I checked the TARGETS.
>
> TARGETS
>     A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.
>
> My question is: What is the difference between the ACCEPT and the RETURN target in a policy ??? :D
>

I think this is a misunderstanding in the man page. If you read the TARGETS section carefully you can see there is nothing about policy, even though the -P paragraph refers to it. My opinion is that only ACCEPT and DROP are valid policies. I don't know where I have this idea from, but I'm pretty sure that other targets make no sense in the policy context.

--
Petr

From paolo at mapasainformatica.com Tue May 15 14:35:47 2007
From: paolo at mapasainformatica.com (MAPASA Informatica - Assistenza Tecnica) Date: Tue May 15 14:35:50 2007 Subject: time /date server Message-ID: <466155ED.4000408@mapasainformatica.com>

Your server has a time/date error. Please correct this.

From nofast at welnowiec.net Tue May 15 16:24:05 2007
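An added example, not code from any post in this archive, that serves two of the threads above: Swifty's point in "Default deny rule" that ACCEPT rules decide nothing while the built-in policy is still ACCEPT, and the "Policy targets..." exchange about what RETURN does at the end of a built-in chain versus a user-defined one. It is a small Python model of iptables filter-table traversal that implements the man-page sentence both sides quote: a matched RETURN in a built-in chain, or running off its end, hands the packet to that chain's policy, while running off (or RETURNing from) a user-defined chain resumes at the next rule of the calling chain. The hosts and ports are Gopinath's posted INPUT rules; the `pkt()` helper, the chain names and the packets themselves are constructed for the example, and the model only accepts ACCEPT/DROP as policies, which is the behaviour Swifty's "Bad policy name" output shows.

```python
"""Toy model of iptables filter-table traversal (added example, not list code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
Match = Callable[[Packet], bool]


@dataclass
class Rule:
    match: Match
    target: str                    # ACCEPT, DROP, RETURN or a user-defined chain


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None   # only built-in chains carry a policy


class FilterTable:
    BUILTIN = ("INPUT", "FORWARD", "OUTPUT")

    def __init__(self) -> None:
        # a freshly loaded filter table: every built-in policy starts as ACCEPT
        self.chains = {n: Chain(n, policy="ACCEPT") for n in self.BUILTIN}

    def new_chain(self, name: str) -> None:                         # iptables -N
        if name in self.chains:
            raise ValueError("Chain already exists")
        self.chains[name] = Chain(name)

    def append(self, chain: str, match: Match, target: str) -> None:  # iptables -A
        if target not in ("ACCEPT", "DROP", "RETURN") and target not in self.chains:
            raise ValueError("No chain/target/match by that name")
        self.chains[chain].rules.append(Rule(match, target))

    def set_policy(self, chain: str, policy: str) -> None:          # iptables -P
        if chain not in self.BUILTIN:
            raise ValueError("Only built-in chains can have policies")
        if policy not in ("ACCEPT", "DROP"):      # 'iptables -P INPUT RETURN' is refused
            raise ValueError("Bad policy name")
        self.chains[chain].policy = policy

    def verdict(self, chain_name: str, pkt: Packet) -> Optional[str]:
        """Walk one chain. Returns ACCEPT/DROP, or None when a user-defined
        chain ends without a verdict (the caller continues with its next rule)."""
        chain = self.chains[chain_name]
        for rule in chain.rules:
            if not rule.match(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                break                               # leave this chain now
            sub = self.verdict(rule.target, pkt)    # jump into a user-defined chain
            if sub is not None:
                return sub
        return chain.policy     # built-in: policy decides; user-defined: None


# match helpers standing in for -s, -p and -p tcp --dport
def src(ip: str) -> Match:
    return lambda p: p["src"] == ip

def proto(name: str) -> Match:
    return lambda p: p["proto"] == name

def tcp_dport(port: int) -> Match:
    return lambda p: p["proto"] == "tcp" and p["dport"] == port

def all_of(*ms: Match) -> Match:
    return lambda p: all(m(p) for m in ms)

def any_packet(p: Packet) -> bool:
    return True

def pkt(src_ip: str, proto_name: str = "tcp", dport: int = 22) -> Packet:
    """Constructed packet carrying only the fields the matches above inspect."""
    return {"src": src_ip, "proto": proto_name, "dport": dport}


def gopinath_input(default_deny: bool) -> FilterTable:
    """Gopinath's INPUT rules, with the policy as posted (ACCEPT) or set to DROP."""
    t = FilterTable()
    t.set_policy("INPUT", "DROP" if default_deny else "ACCEPT")
    for ip in ("10.44.20.70", "10.44.2.140"):
        t.append("INPUT", all_of(src(ip), proto("icmp")), "ACCEPT")
    for ip in ("10.44.2.140", "10.44.20.70", "10.1.0.246"):
        t.append("INPUT", all_of(src(ip), tcp_dport(22)), "ACCEPT")
    return t


def return_demo(policy: str) -> FilterTable:
    """An SSH_ok subchain in the style of Swifty's script: RETURN inside it resumes
    in INPUT, whose own RETURN rule then hands the packet to the policy."""
    t = FilterTable()
    t.set_policy("INPUT", policy)
    t.new_chain("SSH_ok")
    t.append("INPUT", tcp_dport(22), "SSH_ok")
    t.append("SSH_ok", src("10.1.0.246"), "ACCEPT")
    t.append("SSH_ok", any_packet, "RETURN")       # back to INPUT, next rule
    t.append("INPUT", any_packet, "RETURN")        # RETURN in a built-in chain -> policy
    return t


if __name__ == "__main__":
    for deny in (False, True):
        t = gopinath_input(deny)
        print("INPUT policy", t.chains["INPUT"].policy,
              "| ssh from 10.44.20.70:", t.verdict("INPUT", pkt("10.44.20.70")),
              "| ssh from 10.9.9.9:", t.verdict("INPUT", pkt("10.9.9.9")))
```

Running it prints the same SSH attempt from an unlisted host being accepted under the posted ruleset and dropped once the policy is DROP, which is the whole of Swifty's "these rules are meaningless" remark; `return_demo` shows that the verdict for a packet that RETURNs out of `SSH_ok` is whatever the INPUT policy says, not RETURN itself, which is why `-P` refuses it.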
From: nofast at welnowiec.net (Łukasz Nierychło) Date: Tue May 15 17:25:38 2007 Subject: IPSET iptree problem Message-ID: <op.tsdgyfm7343eys@comnetlap2.biuro.lan>

Hello everyone,

I would like to ask you to help me with the ipset tool, because it works differently from what I expect when I use the "timeout" parameter. Look:

(this is OK without "--timeout")

[root@rt ~]# ipset -N ts1 iptree
[root@rt ~]# ipset -A ts1 10.10.10.10
[root@rt ~]# ipset -T ts1 10.10.10.10
10.10.10.10 is in set ts1.
[root@rt ~]# ipset -T ts1 10.10.10.1
10.10.10.1 is NOT in set ts1.
[root@rt ~]# ipset -T ts1 10.10.10.255
10.10.10.255 is NOT in set ts1.

My question is what I did wrong here ("--timeout" is used):

[root@rt ~]# ipset -N ts2 iptree --timeout 100
[root@rt ~]# ipset -A ts2 20.20.20.20
[root@rt ~]# ipset -T ts2 20.20.20.20
20.20.20.20 is in set ts2.
[root@rt ~]# ipset -T ts2 20.20.20.1
20.20.20.1 is in set ts2.
[root@rt ~]# ipset -T ts2 20.20.20.254
20.20.20.254 is in set ts2.
[root@rt ~]# ipset -T ts2 20.20.1.1
20.20.1.1 is NOT in set ts2.

If I use "timeout" then ipset test returns true for all IPs in the subnet 20.20.20.0/24. Shouldn't this work the same way (as without "timeout")? Is this ok?

my linux = kernel-2.6.21.1 + set patch (pom-ng-20070513) + ipset-20070514

Help me please
Łukasz Nierychło

From pakar at imperialnet.org Tue May 15 19:55:54 2007
From: pakar at imperialnet.org (patric) Date: Tue May 15 20:57:36 2007 Subject: SPAM(6.2) mini-hack for country-based filter. Message-ID: <4649F42A.7010700@imperialnet.org>

Hi,

Just wanted to drop a note about a minimalistic, and ugly :), userspace app that enables country-based filtering instead of the kernel module that's out there. I preferred this way since I don't like kernel modules doing user-space access in this specific way, and it should carry less risk of crashes if there are any bugs in the code. The worst that could happen is that the app crashes and needs to be restarted.

http://bladerunner.mine.nu/CJ

And, it's a work in progress so there are a few loose ends currently in the source, but at least it works.. Feel free to submit any patches..

Enjoy,
Patric

From roger38 at mdve.net Wed May 16 00:16:56 2007
From: roger38 at mdve.net (Roger Venable) Date: Wed May 16 01:18:28 2007 Subject: Unexpected UDP behavior using ipt_recent Message-ID: <38854.69.212.124.222.1179267416.squirrel@www.mdve.net>

Hello,

I have a problem with UDP traffic and use of the 'recent' module.

I've recently modified my firewall script to use the ipt_recent module to help block SSH dictionary attacks, as well as attacks on certain trigger ports targeted by vulnerability scanning scripts. An excerpt of my firewall script appears below. Notice that I am using two ipt_recent lists, one for SSH and one for 'scram' ports used in vulnerability scans.

One of the ports I watch is UDP 1434, a Microsoft SQL Server port targeted by the SQL Slammer worm. When iptables detects a new connection to that port, it adds the source IP to the 'scram' list, and a rule near the top (just after allowing established/related) eliminates further traffic from that source IP until timeout.

However, if I don't specify "-p tcp" in that enforcement rule just after established/related, it appears that all UDP traffic (even from source IPs not in the list) is dropped by those enforcement rules. I'm expecting that traffic on UDP 1434 hits the trigger, further traffic from that source IP gets blocked by the 'scram' enforcement rule, and all other UDP traffic (like NTP) passes through to the rest of the rules. What is happening is that all UDP traffic is dropped.

What can I do to make this work? I think it's more to do with UDP connection states rather than a bug, but I'm not sure how or if I can structure this to operate like I want. (Previously I was using a ulogd custom plugin to dynamically add mangle table rules, and a forked thread to clear them after timeout. It was goofy, but it worked.)

I don't think the use of more than one list has anything to do with this, but I thought I should include it for completeness. I know I'm using the new re-written ipt_recent.c module, I've checked it.
Is this a bug or am I missing something silly?

Thanks very much in advance for your assistance, all constructive comments are appreciated.

--Roger Venable
--Ann Arbor, Michigan

Kernel: Linux 2.6.18.8-0.1-default #1 SMP Fri Mar 2 13:51:59 UTC 2007 i686 athlon i386 GNU/Linux
iptables: v1.3.6

# some rules not pertaining to this example were cut
# (and IP addresses changed to protect the innocent)

# default drop
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# accept established / related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SCRAM rules
# if '-p tcp' not specified here, all UDP traffic gets dropped
# even from source addresses that are not in a 'recent' list
iptables -A INPUT -i eth0 -p tcp -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -i eth0 -p tcp -m recent --update --seconds 3600 --name SCRAM -j DROP

# <SNIP> more rules...

# SSH
# dictionary attacks get lost
#
iptables -N In_RULE_13
iptables -A INPUT -i eth0 -p tcp -m tcp -d 192.168.1.68 --dport 22 -j In_RULE_13
iptables -A INPUT -i eth0 -p tcp -m tcp -d 192.168.1.69 --dport 22 -j In_RULE_13
iptables -A In_RULE_13 -j ULOG --ulog-nlgroup 1 --ulog-prefix "SSH RECENT " --ulog-qthreshold 1
iptables -A In_RULE_13 -m recent --name SSH --set -j ACCEPT

# <SNIP> more rules...

# scan triggers
# when trigger ports hit by script kiddies, add to 'scram' recent table
#
iptables -N In_RULE_30
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 1023:1029 -j In_RULE_30
iptables -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 1433,3128,1761,12345,2967,37,5900 -j In_RULE_30
iptables -A INPUT -i eth0 -p udp -m udp --dport 1025:1029 -j In_RULE_30
iptables -A INPUT -i eth0 -p udp -m udp -m multiport --dports 1434,500 -j In_RULE_30
iptables -A In_RULE_30 -j ULOG --ulog-nlgroup 1 --ulog-prefix "SCRAM " --ulog-qthreshold 1
iptables -A In_RULE_30 -m recent --name SCRAM --set -j DROP

# <SNIP> more rules...
# Here accept other UDP traffic, like NTP on UDP 123

# So, Grim, you reap around here, do you?
iptables -N RULE_36
iptables -A OUTPUT -j RULE_36
iptables -A INPUT -j RULE_36
iptables -A RULE_36 -j ULOG --ulog-nlgroup 1 --ulog-prefix "DEATH " --ulog-qthreshold 1
iptables -A RULE_36 -j DROP
# 601

From glenn at webcat.no Wed May 16 11:23:48 2007
From: glenn at webcat.no (Glenn Terjesen) Date: Wed May 16 12:25:24 2007 Subject: is it possible to block ip packets that contains experimental tcp options ? Message-ID: <1179307428.4102.55.camel@bathory.webcat.no>

Hello,
I've got an iptables firewall filtering our servers.

Is it possible to block TCP packets that contain experimental TCP options?

AND is it smart to do so?

--
Mvh Glenn Terjesen @ Webcat AS
Tlf: +47 37 02 20 20
E-post: support@webcat.no

From cozzi at nd.edu Wed May 16 14:18:32 2007
From: cozzi at nd.edu (Marc Cozzi) Date: Wed May 16 15:21:29 2007 Subject: is it possible to block ip packets that contains experimental tcp options ? Message-ID: <F163413C9250D211A55C0060979D5280016AB33A@hertz.rad.nd.edu>

Glenn,

Not sure what you mean by "experimental"; however, there are some combinations of flags that should never occur on the network. These can be trapped with rules similar to the following.

iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP

--marc

> -----Original Message-----
> From: Glenn Terjesen [mailto:glenn@webcat.no]
> Sent: Wednesday, May 16, 2007 5:24 AM
> To: netfilter@lists.netfilter.org
> Subject: is it possible to block ip packets that contains experimental tcp options ?
>
> Hello,
> I've got an iptables firewall filtering our servers.
>
> Is it possible to block TCP packets that contain experimental TCP options?
>
> AND is it smart to do so?
>
> --
> Mvh Glenn Terjesen @ Webcat AS
> Tlf: +47 37 02 20 20
> E-post: support@webcat.no

From vasanthakumar at iitb.ac.in Wed May 16 15:07:01 2007
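An added example, not code from Glenn's or Marc's messages, that makes both halves of this exchange concrete: it parses a raw TCP header and reports (a) the flag combinations Marc's two `--tcp-flags` rules catch (iptables' `ALL` stands for the six flags SYN,ACK,FIN,RST,URG,PSH, so `ALL ALL` is the "xmas" pattern and `ALL NONE` the "null" pattern) and (b) the TCP options a segment carries, marking option kinds 253 and 254, which RFC 4727 reserves for experimental use and which is the closest concrete reading of Glenn's "experimental TCP options". The sample headers are constructed in the block; the experimental option's payload is made up for the example. iptables' own tcp match can test for a given option kind directly with `-p tcp --tcp-option 253`, so the parser below is for seeing what such a rule would match, not a replacement for it.

```python
"""Parse a TCP header: bogus flag combinations and option kinds (added example)."""
import struct
from typing import Dict, List, Tuple

# the six flags that iptables' --tcp-flags "ALL" expands to
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_MASK = 0x3F
EXPERIMENTAL_KINDS = (253, 254)          # RFC 4727 experimental option kinds


def parse_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the options area: EOL (0) ends it, NOP (1) is a single byte,
    everything else is kind, length, data with length covering all three."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option at offset %d" % i)
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        out.append((kind, blob[i + 2:i + length]))
        i += length
    return out


def flag_anomalies(flags: int) -> List[str]:
    """Name combinations that never occur in legitimate traffic.
    The first two are exactly Marc's --tcp-flags ALL ALL / ALL NONE rules."""
    f = flags & ALL_MASK
    issues: List[str] = []
    if f == ALL_MASK:
        issues.append("ALL")             # every flag set ("xmas" scan)
    if f == 0:
        issues.append("NONE")            # no flag set ("null" scan)
    if f & 0x03 == 0x03:
        issues.append("SYN+FIN")
    if f & 0x06 == 0x06:
        issues.append("SYN+RST")
    return issues


def analyze_tcp_header(raw: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte header plus options and classify the segment."""
    if len(raw) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(raw):
        raise ValueError("bad data offset %d" % data_offset)
    flags = off_flags & 0x01FF           # nine flag bits, NS included
    kinds = [k for k, _ in parse_options(raw[20:data_offset])]
    return {
        "sport": sport,
        "dport": dport,
        "flags": sorted(n for n, b in FLAG_BITS.items() if flags & b),
        "anomalies": flag_anomalies(flags),
        "option_kinds": kinds,
        "experimental": [k for k in kinds if k in EXPERIMENTAL_KINDS],
    }


def build_tcp_header(sport: int, dport: int, flags: int, options: bytes = b"") -> bytes:
    """Constructed segment for testing: zero seq/ack/checksum, options padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (data_offset << 12) | flags, 65535, 0, 0)
    return fixed + options


SYN = FLAG_BITS["SYN"]
MSS_1460 = b"\x02\x04\x05\xb4"                    # kind 2, len 4, MSS 1460
EXP_253 = b"\xfd\x06\x00\x01\x00\x00"              # kind 253, len 6, constructed payload

SAMPLES = {                                       # all constructed for this example
    "normal SYN":   build_tcp_header(40000, 80, SYN, MSS_1460),
    "xmas":         build_tcp_header(40000, 80, ALL_MASK),
    "null":         build_tcp_header(40000, 80, 0),
    "experimental": build_tcp_header(40000, 80, SYN, MSS_1460 + EXP_253),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze_tcp_header(raw))
```

The parser rejects malformed option lengths rather than guessing, which is the same posture a firewall takes with `--state INVALID`; and note that the flag checks only look at the six classic bits, so a segment with only ECE/CWR set still counts as "NONE", exactly as iptables' `ALL NONE` would treat it.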
From: vasanthakumar at iitb.ac.in (Vasantha Kumar Puttappa)
Date: Wed May 16 16:09:06 2007
Subject: Packets lost
Message-ID: <3388.10.107.26.27.1179320821.squirrel@gpo.iitb.ac.in>

Hi All,
Please somebody guide me here.

I am tracking all udp packets (in particular, SIP based UDP packets) that go through iptables using the LOG mechanism. I use the following command:

iptables -A INPUT -p udp -j LOG --log-level 4

In addition, I also run 'Ethereal' to make sure that all the packets captured go through iptables as well.

Here is the problem. Sometimes, a random number of packets does not go through iptables and they are completely lost. Although, I can see those packets in Ethereal.

I tried increasing the backlog queue and ip_queue length, but still no use. I am using Netgear's wireless network card (WG511, made in taiwan).

Somebody please guide me. How do I find out the cause of this?

Regards
Vasanth

From swifty at freemail.hu Wed May 16 16:48:09 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Wed May 16 17:50:16 2007
Subject: Packets lost
In-Reply-To: <3388.10.107.26.27.1179320821.squirrel@gpo.iitb.ac.in>
References: <3388.10.107.26.27.1179320821.squirrel@gpo.iitb.ac.in>
Message-ID: <464B19A9.700@freemail.hu>

Vasantha Kumar Puttappa írta:
> Hi All,
> Please somebody guide me here.
>
> I am tracking all udp packets (in particular, SIP based UDP packets)that
> goes through iptables using LOG mechanism.
> I use the following command,
> iptables -A INPUT -p udp -j LOG --log-level-4.
>
Maybe you also need the following rule:

iptables -A FORWARD -p udp -j LOG --log-level 4

> In addition, i also run 'Ethereal' to make sure that all the packets
> captured goes through iptables as well.
>
Ethereal sees the packets BEFORE iptables.
So maybe some of your rules drop the packet.

> Here is the problem,
> Sometimes, a random number of packets doesnot go through IPtables and
> they are completely lost. Although, I can see those packets in Ethereal.
>
> I tried increasing the backlog queue and ip_queue length, but still no use.
> I am using Netgear's wireless network card (WG511, made in taiwan).
>
>
> Somebody please guide me. How do I findout the cause of this.
>
> Regards
> Vasanth
>
Swifty

From jengelh at linux01.gwdg.de Wed May 16 20:04:29 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Wed May 16 21:06:23 2007 Subject: is it possible to block ip packets that contains experimental tcp options ? In-Reply-To: <F163413C9250D211A55C0060979D5280016AB33A@hertz.rad.nd.edu> References: <F163413C9250D211A55C0060979D5280016AB33A@hertz.rad.nd.edu> Message-ID: <Pine.LNX.4.61.0705162002420.9019@yvahk01.tjqt.qr> On May 16 2007 08:18, Marc Cozzi wrote: > >Not sure what you mean by "experimental" however, there are >some conditions of flags that should never occur on the >network. These can be trapped with rules similar to the following. > >iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP >iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP >iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP Uhm, I think it is valid for a packet to carry no flags at all. (Regular data packet without TCP Selective ACK) Check up on http://jengelh.hopto.org/p/chaostables/ to see how to block evil stuff. Jan -- From steelhoof at gmail.com Wed May 16 20:35:10 2007 
From: steelhoof at gmail.com (Bill Ries-Knight)
Date: Wed May 16 21:36:50 2007
Subject: Looking for a how-to type battle plan for 2 physical subnets and an openvpn tunnel.
Message-ID: <bf0ca81a0705161135y12499869yc93ea9043eec44bc@mail.gmail.com>

ok, I have a solution issue...

We just had a server cracked (fc4, built by my predecessor)

The server acts as a firewall, VPN Server, content filtering system, samba server for files and ssh tunnel to the network.

There are 3 nics covering 2 physical subnets, school administration/teachers and computer lab for the students, each with their own NIC and the gateway to the internet on the third. Openvpn provides a tun interface with a third subnet to manage.

Software we are running is iptables for the firewall, Openvpn for the vpn tunnel between physical sites, samba and clamav/squid/dansguardian for content filtering and openssh for remote access.

I am using Debian Etch for the server.

Is there anyone with a reference on how to manage this one?

I can get the old firewall rules into place, but adding ipmasq munges it all up. Without ipmasq there is no name based browsing at all.

At various times I can get the vpn happy, but no browsing. If I try to bring both physical subnets into play, it munges. I have issues with name based internet browsing, or a few minutes later, I have issues with the ip address based access. Ie: I can ping out, but not name browse.. a bit later I cannot even ping out.

I am really lost here.

Help!
Please.

--
--
Bill Ries-Knight
Stockton, CA

Respect the process, Vote.

From pakar at imperialnet.org Wed May 16 22:30:00 2007
From: pakar at imperialnet.org (patric) Date: Wed May 16 23:32:02 2007 Subject: SPAM(6.0) Re: Looking for a how-to type battle plan for 2 physical subnets and an openvpn tunnel. In-Reply-To: <bf0ca81a0705161135y12499869yc93ea9043eec44bc@mail.gmail.com> References: <bf0ca81a0705161135y12499869yc93ea9043eec44bc@mail.gmail.com> Message-ID: <464B69C8.4080005@imperialnet.org> Hi, That sounds like a simple setup with the Shorewall script (http://www.shorewall.net/) It might be hard compared to the more simpler firewall-scripts out there, but it's much easier to configure when having more than 2 interfaces. What you do with shorewall is edit the interfaces file and configure the interfaces you have and set any options you want for them, edit the masq file to setup the masquerading and then rules file to setup and incoming connections and then the policy file to setup the default permissions between the networks... Best regards, Patric Ps. I hope my mail-host has resolved the issue with their mail-server now so i don't get the SPAM() in the title :) Bill Ries-Knight wrote: > ok, I have a solution issue... > > We just had a server cracked (fc4, built by my predecessor) > > The server acts as a firewall, VPN Server, content filtering system, > samba server for files and ssh tunnel to the network. > > There are 3 nics covering 2 physical subnets , school > administration/teachers and computer lab for the sudents, each with > thier own NIC and the gateway to the internet on the third. Openvpn > provides a tun interface with a third subnet to manage. > > Software we are running is iptables for the firewall, Openvpn for the > vpn tunnel between physical sites, samba and clamav/squid/dansguardian > for content filtering and openssh for remote access. > > I am using Debia Etch for the server. > > Is there anyone with a reference on how to manage this one? > > I can get the old firewall rules into place, but adding ipmasq munges > it all up. 
Without ipmasq there is no name based browsing at all. > > At various times I can get the vpn happy, but no browsing. if I try > to bring both physical subnets into play, it munges. I have issues > with name based internet browsing, or a few minutes later, I have > issues with the ip address based access. Ie: I can ping out, but not > name browse.. a bit later I cannot even ping out. > > I am really lost here. > > Help! > Please. > From kakster7 at sbcglobal.net Wed May 16 22:37:37 2007 
From: kakster7 at sbcglobal.net (Nicholas Kline)
Date: Wed May 16 23:39:20 2007
Subject: Questions about DHCP firewall rules
Message-ID: <461550.70641.qm@web83807.mail.sp1.yahoo.com>

Questions about DHCP firewall rules

Greetings,

I am in the process of learning Netfilter/IPtables. I plan on using Netfilter/IPtables to protect my Linux desktop computers and servers. We're talking host-based firewalls, not one firewall protecting all of the desktops and servers.

I have a basic question I am hoping someone on this mailing list can answer. I am a little confused about configuring Netfilter/IPtables on a Linux desktop computer. Specifically, this situation:

a linux desktop computer that is configured to use DHCP and configured to use the following rule:

$IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s $IP_LOCAL -j DROP

I would like to include the previous rule as part of a standard rule set.

From how I understand this situation, the firewall would have to be able to automatically detect when the computer's IP address changes, right? Manually inputting the computer's IP address each time it changes would get really old.

I'm using several books as references for learning Netfilter/IPtables and they discuss implementing "dynamic firewall scripts". In this case, a dynamic firewall script that recognizes when the computer's IP address changes.

So, my questions are:

1.) If I am using a computer that is configured to obtain its IP address through DHCP, what firewall rules do I need to setup?

2.) Additionally, how do I configure the firewall to automatically detect changes in the computer's network configuration (IP address change, etc.)?

Thank you for your time,

*Nick*

From kbah at linuxmail.org Thu May 17 01:00:58 2007
From: kbah at linuxmail.org (k bah)
Date: Thu May 17 02:02:44 2007
Subject: Match specific netbios flag?
Message-ID: <20070516230058.CB1692477C@ws5-3.us4.outblaze.com>

Hi,

I'm using kernel 2.6.17, iptables 1.3.5.

Is there a way to match specific netbios ns flags? I did not find any on the iptables man page.

I'm trying to log it like this:

-A INPUT -s 10.1.1.15 -i eth1 -p udp -m string --string "elease" --algo bm --to 65535 -j LOG --log-prefix "received release from 015"

where 10.1.1.1 is the machine with iptables, the internal net router. 10.1.1.15 is Windows XP.

I would like to match it with a flag, not a string, to be more secure (netbios ns flag 0x3010).

The packet captured with wireshark is:
-------------
...
11164 11877.336283 10.1.1.15 10.1.1.255 NBNS Release NB HT015<20>
...
NetBIOS Name Service
    Transaction ID: 0x808f
    Flags: 0x3010 (Release)
        0... .... .... .... = Response: Message is a query
        .011 0... .... .... = Opcode: Release (6)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...1 .... = Broadcast: Broadcast packet
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        HT015<20>: type NB, class IN
            Name: HT015<20> (Server service)
            Type: NB
            Class: IN
    Additional records
        HT015<20>: type NB, class IN
            Name: HT015<20> (Server service)
            Type: NB
            Class: IN
            Time to live: 0 time
            Data length: 6
            Flags: 0x0 (B-node, unique)
                0... .... .... .... = Unique name
                .00. .... .... .... = B-node
            Addr: 10.1.1.15
-------------

I want to know when that host went offline by turning the computer off, or because of some physical failure, as a broken cable, or disconnected cable on the switch.

thanks,

kbah

--
Powered by Outblaze

From kbah at linuxmail.org Thu May 17 01:14:36 2007
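The flag layout in the Wireshark dump above can be matched on the wire without the string match, by masking the QR and opcode bits of the second 16-bit word of the NBNS header. The Python below is an added example, not code from the thread or from netfilter: it rebuilds the captured Release datagram from the values in the dump (constructed bytes, not a capture), parses the NBNS header the way Wireshark displays it, and evaluates the iptables `-m u32` expression `0>>22&0x3C@8&0xF800=0x3000` step by step so the rule can be checked offline. The u32 match needs the xt_u32 extension, which was merged into the mainline kernel after the 2.6.17 / iptables 1.3.5 combination in the post (it lived in patch-o-matic before that), so on that exact setup the string match remains the only option.

```python
"""Parse NetBIOS Name Service (NBNS, UDP 137) headers and match an opcode
the way an iptables u32 rule would.

Added example, not from the thread.  The packet built below mirrors the
Wireshark dump in the post (txid 0x808f, flags 0x3010 = Release, question
HT015<20>, address 10.1.1.15); it is constructed, not captured.
"""
import socket
import struct

NBNS_OPCODE_QUERY, NBNS_OPCODE_RELEASE = 0, 6


def encode_nb_name(name, suffix):
    """First-level encoding: 15 space-padded chars + suffix byte, every
    nibble mapped to 'A'..'P', wrapped as one 32-byte label with no scope."""
    raw = name.encode("ascii").ljust(15, b" ") + bytes([suffix])
    enc = bytes(v for c in raw for v in ((c >> 4) + 0x41, (c & 0xF) + 0x41))
    return bytes([32]) + enc + b"\x00"


def decode_nb_name(payload, off):
    """Inverse of encode_nb_name(); returns (name, suffix, next_offset)."""
    if payload[off] != 32:
        raise ValueError("expected a 32-byte first-level encoded name")
    enc = payload[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], off + 34


def parse_nbns(payload):
    """Header fields (flags split as in the dump) plus the question section."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    hdr = {"txid": txid, "flags": flags,
           "qr": flags >> 15,                  # 0 = request, 1 = response
           "opcode": (flags >> 11) & 0xF,      # 6 = Release
           "nm_flags": (flags >> 4) & 0x7F,    # AA, TC, RD, RA, 0, 0, B
           "broadcast": bool(flags & 0x0010),  # the B bit, set in the dump
           "rcode": flags & 0xF,
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
           "questions": []}
    off = 12
    for _ in range(qd):
        name, suffix, off = decode_nb_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        hdr["questions"].append((name, suffix, qtype, qclass))
    return hdr


def build_release_packet(name="HT015", addr="10.1.1.15", txid=0x808F, flags=0x3010):
    """IPv4 + UDP + NBNS name-release datagram (checksums left at zero)."""
    question = encode_nb_name(name, 0x20) + struct.pack("!HH", 0x0020, 1)  # type NB, class IN
    # Additional RR: pointer to the question name, NB/IN, TTL 0, rdlength 6:
    # NB flags 0x0000 (B-node, unique) followed by the address.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 0x0020, 1, 0, 6) + b"\x00\x00" + socket.inet_aton(addr)
    nbns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1) + question + rr
    udp = struct.pack("!HHHH", 137, 137, 8 + len(nbns), 0) + nbns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(addr), socket.inet_aton("10.1.1.255"))
    return ip + udp


def u32_opcode_expr(opcode):
    """iptables -m u32 expression for 'request with this opcode': IHL*4 from
    byte 0, skip the 8-byte UDP header, mask QR+opcode of the flags word."""
    return "0>>22&0x3C@8&0xF800=0x%04X" % (opcode << 11)


def u32_matches_opcode(ip_packet, opcode):
    """Evaluate u32_opcode_expr() on a raw IPv4 packet, one u32 step at a
    time.  In a rule, pair it with -p udp --dport 137 so only NBNS is seen."""
    first_word = struct.unpack("!I", ip_packet[:4])[0]
    off = ((first_word >> 22) & 0x3C) + 8                     # IHL*4, then @8
    word = struct.unpack("!I", ip_packet[off:off + 4])[0]    # txid(16) | flags(16)
    return (word & 0xF800) == (opcode << 11)


if __name__ == "__main__":
    pkt = build_release_packet()
    print(parse_nbns(pkt[28:]))
    print(u32_opcode_expr(NBNS_OPCODE_RELEASE), u32_matches_opcode(pkt, NBNS_OPCODE_RELEASE))
```

On a kernel that has the match, the rule from the post becomes `iptables -A INPUT -i eth1 -s 10.1.1.15 -p udp --dport 137 -m u32 --u32 "0>>22&0x3C@8&0xF800=0x3000" -j LOG --log-prefix "received release from 015 "`; the 0xF800 mask covers QR and the opcode, so responses (QR=1) and plain name queries (opcode 0) do not fire it. One caveat for the stated goal: a name release is only sent on an orderly shutdown, so a pulled cable or a power failure produces no packet at all, which is why the reply suggesting active monitoring still applies.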
From: kbah at linuxmail.org (k bah)
Date: Thu May 17 02:16:16 2007
Subject: UDP packets are not being forwarded to pc on the local net.
Message-ID: <20070516231436.19B8CCA0A4@ws5-11.us4.outblaze.com>

My machine is the network router, and a friend is using Winxp, her ip address is 10.1.1.15. My machine is 10.1.1.1. Ip forwarding is set correctly, that and other machines can browse the web, use IM clients, etc.

eth0 is internet
eth1 is local network

My main problem is that udp packets are not being sent to 10.1.1.15. She can connect to the ed2k server, www.amule.org/testport.php shows a Success message when I try it from 10.1.1.1 or 10.1.1.15 with port 41001. TCP ed2k port for 10.1.1.15 is 41001, udp are 10.1.1.2 and 10.1.1.4. When I sniff the network, no udp is showing, and the big problem: *no downloads or uploads*, even with highid.

Some of these rules are redundant, but I'm testing so don't mind if things are "being said" on the rules twice.

What's wrong:(?)

-------
*raw
:PREROUTING ACCEPT [3135966:1535838293]
:OUTPUT ACCEPT [2940578:1198730628]
COMMIT
*mangle
:PREROUTING ACCEPT [3135989:1535842939]
:INPUT ACCEPT [2997535:1491703469]
:FORWARD ACCEPT [138406:44126734]
:OUTPUT ACCEPT [2940592:1198731862]
:POSTROUTING ACCEPT [3078998:1242858596]
COMMIT
*filter
:INPUT ACCEPT [2709921:1398713255]
:FORWARD ACCEPT [138406:44126734]
:OUTPUT ACCEPT [2940578:1198730628]
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 41001 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41002 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41004 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41004 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41004 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41002 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [56355:4155510]
:POSTROUTING ACCEPT [427517:15872653]
:OUTPUT ACCEPT [427469:15869989]
-A PREROUTING -i eth0 -p udp -m udp --dport 41002 -j DNAT --to-destination 10.1.1.15:41002
-A PREROUTING -i eth0 -p tcp -m tcp --dport 41001 -j DNAT --to-destination 10.1.1.15:41001
-A PREROUTING -i eth0 -p udp -m udp --dport 41002 -j DNAT --to-destination 10.1.1.15:41002
-A PREROUTING -i eth0 -p udp -m udp --dport 41004 -j DNAT --to-destination 10.1.1.15:41004
-A POSTROUTING -s 10.1.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
-------

thanks,

kbah

--
Powered by Outblaze

From davila at nicaraguaopensource.com Thu May 17 02:14:48 2007
From: davila at nicaraguaopensource.com (Jorge Davila)
Date: Thu May 17 03:11:28 2007
Subject: Match specific netbios flag?
In-Reply-To: <20070516230058.CB1692477C@ws5-3.us4.outblaze.com>
References: <20070516230058.CB1692477C@ws5-3.us4.outblaze.com>
Message-ID: <web-14761470@bk3.webmaillogin.com>

Maybe you should try something different instead of iptables.

For logging the connection/disconnection, the configuration of the logging in the smb configuration file is enough.

If you really want monitoring, maybe you want to use Nagios.

Hope this helps,

Jorge Dávila.

On Thu, 17 May 2007 07:00:58 +0800 "k bah" <kbah@linuxmail.org> wrote:
>
> Hi,
>
> I'm using kernel 2.6.17, iptables 1.3.5.
>
> Is there a way to match specific netbios ns flags? I did not find any on
> the iptables man page.
>
> I'm trying to log it like this:
>
> -A INPUT -s 10.1.1.15 -i eth1 -p udp -m string --string "elease" --algo bm
> --to 65535 -j LOG --log-prefix "received release from 015"
>
> where 10.1.1.1 is the machine with iptables, the internal net router.
> 10.1.1.15 is Windows XP.
>
> I would like to match it with a flag, not a string, to be more secure
> (netbios ns flag 0x3010)
>
> the packet captured with wireshark is:
> -------------
> ...
> 11164 11877.336283 10.1.1.15 10.1.1.255 NBNS Release NB HT015<20>
> ...
> NetBIOS Name Service
>     Transaction ID: 0x808f
>     Flags: 0x3010 (Release)
>         0... .... .... .... = Response: Message is a query
>         .011 0... .... .... = Opcode: Release (6)
>         .... ..0. .... .... = Truncated: Message is not truncated
>         .... ...0 .... .... = Recursion desired: Don't do query recursively
>         .... .... ...1 .... = Broadcast: Broadcast packet
>     Questions: 1
>     Answer RRs: 0
>     Authority RRs: 0
>     Additional RRs: 1
>     Queries
>         HT015<20>: type NB, class IN
>             Name: HT015<20> (Server service)
>             Type: NB
>             Class: IN
>     Additional records
>         HT015<20>: type NB, class IN
>             Name: HT015<20> (Server service)
>             Type: NB
>             Class: IN
>             Time to live: 0 time
>             Data length: 6
>             Flags: 0x0 (B-node, unique)
>                 0... .... .... .... = Unique name
>                 .00. .... .... .... = B-node
>             Addr: 10.1.1.15
> -------------
>
> I want to know when that host went offline by turning the computer off, or
> because of some physical failure, as a broken cable, or disconnected cable
> on the switch.
>
> thanks,
>
> kbah
>
> --
> Powered by Outblaze
>
>

Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com

From davila at nicaraguaopensource.com Thu May 17 02:53:20 2007
From: davila at nicaraguaopensource.com (Jorge Davila) Date: Thu May 17 03:49:55 2007 Subject: Looking for a how-to type battle plan for 2 physical subnets and an openvpn tunnel. In-Reply-To: <bf0ca81a0705161135y12499869yc93ea9043eec44bc@mail.gmail.com> References: <bf0ca81a0705161135y12499869yc93ea9043eec44bc@mail.gmail.com> Message-ID: <web-14764344@bk3.webmaillogin.com> My approach to this: Internet ! ! +-----+ ! ! ! ! eth0 tun0 ! ! ! ??? ! +--eth1 (administration/teachers) ! ! + eth2 (lab) Sorry for don't put in the diagram the allowed access for the roadwarriors. -> "Without ipmasq there is no name based browsing at all" and "VPN happy but no browsing" The OpenVPN client configuration is telling to the clients use another DNS servers than the configured in the gateways? If the answer is true, your firewall rules takes in consideration that kind of traffic? Are you speaking about local network navigation using WINS or DNS resolution browsing the Internet? To figure out better the situation you must put the result of: ip r ip a iptables -L -nvx And, additionally you must ask about the OpenVPN issues in the OpenVPN mailing list. May this help you, Jorge. On Wed, 16 May 2007 11:35:10 -0700 "Bill Ries-Knight" <steelhoof@gmail.com> wrote: > ok, I have a solution issue... > > We just had a server cracked (fc4, built by my predecessor) > > The server acts as a firewall, VPN Server, content filtering system, > samba server for files and ssh tunnel to the network. > > There are 3 nics covering 2 physical subnets , school > administration/teachers and computer lab for the sudents, each with > thier own NIC and the gateway to the internet on the third. Openvpn > provides a tun interface with a third subnet to manage. > > Software we are running is iptables for the firewall, Openvpn for the > vpn tunnel between physical sites, samba and clamav/squid/dansguardian > for content filtering and openssh for remote access. > > I am using Debia Etch for the server. 
>
> Is there anyone with a reference on how to manage this one?
>
> I can get the old firewall rules into place, but adding ipmasq munges
> it all up. Without ipmasq there is no name based browsing at all.
>
> At various times I can get the vpn happy, but no browsing. if I try
> to bring both physical subnets into play, it munges. I have issues
> with name based internet browsing, or a few minutes later, I have
> issues with the ip address based access. Ie: I can ping out, but not
> name browse.. a bit later I cannot even ping out.
>
> I am really lost here.
>
> Help!
> Please.
>
> --
> --
> Bill Ries-Knight
> Stockton, CA
>
> Respect the process, Vote.
>
>

Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com

From kbah at linuxmail.org Thu May 17 03:43:39 2007
From: kbah at linuxmail.org (k bah)
Date: Thu May 17 04:45:21 2007
Subject: Match specific netbios flag?
Message-ID: <20070517014341.1F84E2477C@ws5-3.us4.outblaze.com>

> ----- Original Message -----
> From: "Jorge Davila" <davila@nicaraguaopensource.com>
> To: "k bah" <kbah@linuxmail.org>, netfilter@lists.netfilter.org
> Subject: Re: Match specific netbios flag?
> Date: Wed, 16 May 2007 18:14:48 -0600
>
>
> May you must try something different instead of iptables.
>
> For loggin the connection/disconnection is enough the configuration
> of the loggin in the smb configuration file.

No samba running here.

>
> If you really want monitoring may you want use Nagios.

I'll take a look, thanks. The logging will also be for statistics purposes; since our network was set up a few weeks ago I want to keep track of things while it's not stable.

As I didn't find any netbios name service flags in the iptables manual (there are tcp flags), I asked. Didn't find documentation on ip_conntrack_netbios_ns either, but I gave this one a brief search.

thanks!

--
Powered by Outblaze

From vasanthakumar at iitb.ac.in Thu May 17 08:54:43 2007
From: vasanthakumar at iitb.ac.in (Vasantha Kumar Puttappa)
Date: Thu May 17 09:56:53 2007
Subject: Packets lost
In-Reply-To: <464B19A9.700@freemail.hu>
References: <3388.10.107.26.27.1179320821.squirrel@gpo.iitb.ac.in> <464B19A9.700@freemail.hu>
Message-ID: <1845.10.107.26.27.1179384883.squirrel@gpo.iitb.ac.in>

Hi Lajos,

Thanks for responding so fast. I did try adding the forward rule, but still packets are missing.

Let me give you more insight into what I am trying to do. I have a virtual network interface and 2 physical network interfaces (one Ethernet based, and the other 802.11 based). The virtual network interface dynamically binds to any one of the above physical interfaces for packet transmission. The issue of packet loss occurs **only** during link switching.

I feel that the following issues might be the possible reasons for the packet loss.

1. Due to missing soft_IRQ interrupt for packets and hence packet loss (I have no proof to back this)
2. Due to incompatible wireless device driver.

Any thoughts on this?

> Vasantha Kumar Puttappa írta:
>> Hi All,
>> Please somebody guide me here.
>>
>> I am tracking all udp packets (in particular, SIP based UDP packets)that
>> goes through iptables using LOG mechanism.
>> I use the following command,
>> iptables -A INPUT -p udp -j LOG --log-level-4.
>>
> Maybe you also need the following rule:
> iptables -A FORWARD -p udp -j LOG --log-level-4
>> In addition, i also run 'Ethereal' to make sure that all the packets
>> captured goes through iptables as well.
>>
> Ethereal sees the packets BEFORE iptables.
> So maybe some of your rules drops the packet.
>> Here is the problem,
>> Sometimes, a random number of packets doesnot go through IPtables and
>> they are completely lost. Although, I can see those packets in Ethereal.
>>
>> I tried increasing the backlog queue and ip_queue length, but still no
>> use.
>> I am using Netgear's wireless network card (WG511, made in taiwan).
>>
>>
>> Somebody please guide me.
How do I findout the cause of this. >> >> Regards >> Vasanth >> > Swifty > > From omasnjak at gmail.com Thu May 17 10:09:21 2007 
From: omasnjak at gmail.com (Elvir Kuric)
Date: Thu May 17 11:11:04 2007
Subject: Questions about DHCP firewall rules
In-Reply-To: <461550.70641.qm@web83807.mail.sp1.yahoo.com>
References: <461550.70641.qm@web83807.mail.sp1.yahoo.com>
Message-ID: <1814bfe70705170109w3676d645nb51c01413fd0e57@mail.gmail.com>

Hi all,

On 5/16/07, Nicholas Kline <kakster7@sbcglobal.net> wrote:
> Questions about DHCP firewall rules
>
> Greetings,
>
> I am in the process of learning Netfilter/IPtables. I
> plan on using Netfilter/IPtables to protect my Linux
> desktop computers and servers. We're talking
> host-based firewalls, not one firewall protecting all
> of the desktops and servers.
>
> I have a basic question I am hoping someone on this
> mailing list can answer. I am a little confused about
> configuring Netfilter/IPtables on a Linux desktop
> computer. Specifically, this situation:
>
> a linux desktop computer that is configured to use
> DHCP and configured to use the following rule:
>
> $IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix
> "Spoofed source IP"
> $IPTABLES -A INPUT -s $IP_LOCAL -j DROP
>
> I would like to include the previous rule as part of a
> standard rule set.
>
> From how I understand this situation, the firewall
> would have to be able to automatically detect when the
> computers IP address changes, right? Manually
> inputting the computers IP address each time it
> changes would get really old.
>
> I'm using several books as references for learning
> Netfilter/IPtables and they discuss implementing
> "dynamic firewall scripts". In this case, a dynamic
> firewall script that recognizes when the computers IP
> address changes.
>
> So, my questions are:
>
> 1.) If I am using a computer that is configured to
> obtain its IP address through DHCP, what firewall
> rules do I need to setup?

So, you need to allow the DHCP ports that the client uses to send a request to the server and the server uses to send an offer to the client. I do not know what the configuration of your network is, but in case you are implementing an iptables firewall on the client then it should look like

iptables -A INPUT -p udp --dport 68 -j ACCEPT

This will accept all messages in the INPUT chain that are destined to port 67 (the port that is used by the dhcp server to send replies to clients). DHCP uses udp as transport protocol. In the OUTPUT chain you probably will not have any restriction, but in case you have, the server accepts dhcp requests on port 67.

> 2.) Additionally, how do I configure the firewall to
> automatically detect changes in the computers network
> configuration (IP address change, etc.)?
>

For this I think you can take that information from the DHCP server or make some kind of logging on the iptables firewall, ... take a look at http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Regards

Elvir Kuric

> Thank you for your time,
>
> *Nick*
>

From nokiairc at gmail.com Thu May 17 16:41:16 2007
From: nokiairc at gmail.com (TheNokia)
Date: Thu May 17 17:43:01 2007
Subject: iptables doesn't keep chain list after reboot
Message-ID: <b6d73fa90705170741o690baad4u9b37ff8b51cf530a@mail.gmail.com>

Hi,

iptables doesn't keep the chain list after rebooting. I need to recreate all of them.

Is there something to do?

Thanks.

From jpb at entel.ca Thu May 17 17:00:01 2007
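For the second of Nick's DHCP questions above (refreshing the anti-spoof rule when the lease changes), the natural hook on a dhclient-based desktop is the client's own exit hook, which runs on every lease event with the old and new address at hand. The script below is an added example, not code from the thread: it assumes ISC dhclient, which exports `reason`, `interface`, `new_ip_address` and `old_ip_address` in the environment of its hook scripts, and assumes it is invoked from a file in /etc/dhcp/dhclient-exit-hooks.d/ (that path and the /sbin/iptables location are assumptions, as is the choice to run it as a separate Python program rather than inline shell). `plan()` computes the rule changes as data so they can be tested without root; `apply()` executes them.

```python
"""Refresh a host firewall's anti-spoof rule when DHCP changes the address.

Added example, not code from the thread.  Assumes an ISC dhclient exit hook
(e.g. /etc/dhcp/dhclient-exit-hooks.d/antispoof containing
`python3 /usr/local/sbin/antispoof-refresh.py`) so that dhclient's
reason / interface / new_ip_address / old_ip_address variables are in
the environment.  All paths below are assumptions.
"""
import os
import subprocess

IPTABLES = "/sbin/iptables"   # assumed location; adjust for the distribution
REFRESH_REASONS = {"BOUND", "RENEW", "REBIND", "REBOOT"}
DROP_REASONS = {"EXPIRE", "FAIL", "RELEASE", "STOP"}


def antispoof_rules(iface, ip):
    """The two rules from the question, in chain order (LOG first, then DROP).

    Pinning them to the interface keeps loopback traffic from our own
    address (which also carries -s <ip>) out of the spoof log."""
    base = ["-i", iface, "-s", ip]
    return [base + ["-j", "LOG", "--log-prefix", "Spoofed source IP "],
            base + ["-j", "DROP"]]


def plan(env):
    """Turn the hook's environment into a list of iptables argument lists.

    Returns [] when nothing changed, so a RENEW that keeps the address
    does not pile up duplicate rules in INPUT."""
    reason = env.get("reason", "")
    iface = env.get("interface") or None
    new_ip = env.get("new_ip_address") or None
    old_ip = env.get("old_ip_address") or None
    if iface is None:
        return []
    cmds = []
    # Lease lost or address changed: remove the rules for the old address.
    if old_ip and (reason in DROP_REASONS or old_ip != new_ip):
        cmds += [["-D", "INPUT"] + r for r in antispoof_rules(iface, old_ip)]
    # New or changed address: install at the top of INPUT.  Inserting at
    # position 1 reverses the order, so feed the rules in reverse to end
    # up with LOG before DROP.
    if new_ip and reason in REFRESH_REASONS and new_ip != old_ip:
        cmds += [["-I", "INPUT", "1"] + r
                 for r in reversed(antispoof_rules(iface, new_ip))]
    return cmds


def apply(cmds, run=subprocess.run):
    """Execute the plan; a failed -D (rule already gone) is not fatal."""
    for args in cmds:
        run([IPTABLES] + args, check=False)


if __name__ == "__main__":
    apply(plan(os.environ))
```

Because `plan()` yields nothing for a RENEW that keeps the address, the INPUT chain does not accumulate duplicates across lease renewals, and because the deletes reference the old address explicitly, the rule set follows the address rather than being flushed and rebuilt. The same hook is also a reasonable place to reload a saved base rule set with `iptables-restore` on BOUND when the interface can come up before the firewall script has run.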
From: jpb at entel.ca (Paul Blondé)
Date: Thu May 17 18:02:16 2007
Subject: iptables doesn't keep chain list after reboot
In-Reply-To: <b6d73fa90705170741o690baad4u9b37ff8b51cf530a@mail.gmail.com>
Message-ID: <001801c79894$0b0fe000$5a05a8c0@nisgaa.net>

This is to keep you from making a mistake and not being able to get back into your server. One reboot, and everything is back to the way it was before the change. Of course, you can take other measures to regain access without having to take your server down, but this is a last-ditch method in case you didn't take any other precautions.

Once you have a rule set that you are confident with, you have to make it a part of your server's startup sequence, much like a personal firewall automatically makes itself a part of your Windows startup.

You will find all this and more here: http://www.iptablesrocks.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of TheNokia
> Sent: Thursday, May 17, 2007 7:41 AM
> To: netfilter@lists.netfilter.org
> Subject: iptables doesn't keep chain list after reboot
>
>
> Hi,
>
> iptables doesn't keep chan list after rebooting. I need to recreate
> all of them.
>
> Is there something to do?
>
> Thanks.
>

From pandolphe at pandolphe-vision.net Thu May 17 17:00:50 2007
From: pandolphe at pandolphe-vision.net (Benjamin RIOU)
Date: Thu May 17 18:02:41 2007
Subject: iptables doesn't keep chain list after reboot
In-Reply-To: <b6d73fa90705170741o690baad4u9b37ff8b51cf530a@mail.gmail.com>
References: <b6d73fa90705170741o690baad4u9b37ff8b51cf530a@mail.gmail.com>
Message-ID: <28c01a080705170800h1904d631p14d88cd8aa46599f@mail.gmail.com>

> Is there something to do?
>

Hi.

You can use iptables-save to save your iptables configuration, and use iptables-restore to restore it. You can add this command to your /etc/rc.local to see them restored at every boot.

++
Ben

From jpb at entel.ca Thu May 17 17:08:34 2007
From: jpb at entel.ca (Paul Blondé)
Date: Thu May 17 18:10:19 2007
Subject: is it possible to block ip packets that contains experimentaltcp options ?
In-Reply-To: <F163413C9250D211A55C0060979D5280016AB33A@hertz.rad.nd.edu>
Message-ID: <001901c79895$3d5d1d10$5a05a8c0@nisgaa.net>

I assume that LOG-AND-DROP is your own chain, crafted so that you can perform both functions with a single entry?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Marc Cozzi
> Sent: Wednesday, May 16, 2007 5:19 AM
> To: netfilter@lists.netfilter.org
> Subject: RE: is it possible to block ip packets that contains
> experimentaltcp options ?
>
>
>
> Glenn,
>
> Not sure what you mean by "experimental" however, there are
> some conditions of flags that should never occur on the
> network. These can be trapped with rules similar to the following.
>
> iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
> iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
> iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
>
> --marc
>
>
> > -----Original Message-----
> > From: Glenn Terjesen [mailto:glenn@webcat.no] > > Sent: Wednesday, May 16, 2007 5:24 AM > > To: netfilter@lists.netfilter.org > > Subject: is it possible to block ip packets that contains > > experimental tcp options ? > > > > Hello, > > got a iptables firewall filtering our servers. > > > > Is it possible to block tcp packets that contains > > experimental tcp options ? > > > > AND is it smart to do so ? > > > > > > -- > > Mvh Glenn Terjesen @ Webcat AS > > Tlf: +47 37 02 20 20 > > E-post: support@webcat.no > > > From ssussman at starentnetworks.com Mon May 14 23:24:49 2007 
From: ssussman at starentnetworks.com (Sussman, Scott) Date: Thu May 17 19:58:44 2007 Subject: connection refused trying to bind AF_INET to AF_NETLINK/NETFILTER socket Message-ID: <7CCD07160348804497EF29E9EA5560D702233BA1@exchtewks2.starentnetworks.com> Hi, I am trying to use the NETFILTER libraries to read from iptable queues. I am running linux 2.6.15 and have super-user priv's. But when I try to run the sample program from netfilter (nfq_test.c) it complains that the connection was refused during the unbind, bind, or create_queue routines. I verified that the socket gets created correctly but then I get: melty4:/localdisk/stargen# ./a.out opening library handle Socket: 3 unbinding nfnetlink_queue as nf_queue handler for AF_INET sendmsg on socket: 3 nfnl_talk: sendmsg(netlink) Connection refused error during nfq_unbind_pf() Any help would be greatly appreciated. thanks, Scott "This email message and any attachments are confidential information of Starent Networks, Corp. The information transmitted may not be used to create or change any contractual obligations of Starent Networks, Corp. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this e-mail and its attachments by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please notify the sender immediately -- by replying to this message or by sending an email to postmaster@starentnetworks.com -- and destroy all copies of this message and any attachments without reading or disclosing their contents. Thank you." From smith.not.western at gmail.com Thu May 17 02:56:54 2007 
From: smith.not.western at gmail.com (Mike C) Date: Thu May 17 19:58:47 2007 Subject: TCP RST vulnerability - handling question Message-ID: <bd0eabd0705161756q79024a91y74a132e34616c7fa@mail.gmail.com> Hi, I am using an iptables 1.3.5 based setup and wonder if there are any tools or techniques available to prevent or mitigate the TCP RST spoofing issue (http://osvdb.org/displayvuln.php?osvdb_id=4030) I see elsewhere there has been suggestions of only accepting the RST if the sequence id is 1 more than the current, or providing some sort of challenge response (http://tools.ietf.org/html/draft-ietf-tcpm-tcpsecure-02#section-2.2). I don't believe netfilter uses either of these, so I am interested in hearing other peoples approaches to it. Regards, Mike From cozzi at nd.edu Thu May 17 19:18:02 2007 From: cozzi at nd.edu (Marc Cozzi) Date: Thu May 17 20:20:52 2007 Subject: is it possible to block ip packets that contains experimental tcp options ? Message-ID: <F163413C9250D211A55C0060979D5280016AB361@hertz.rad.nd.edu> Paul, I believe that's correct. Although I'm still not Sure what was originally meant by "experimental tcp options". -marc > -----Original Message----- > From: Paul Blond? [mailto:jpb@entel.ca] > Sent: Thursday, May 17, 2007 11:09 AM > To: netfilter@lists.netfilter.org > Subject: RE: is it possible to block ip packets that contains > experimentaltcp options ? > > I assume that LOG-AND-DROP is your own chain, crafted so that > you can perform both functions with a single entry? > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Paul Blond? > > > > > -----Original Message----- 
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Marc Cozzi
> > Sent: Wednesday, May 16, 2007 5:19 AM
> > To: netfilter@lists.netfilter.org
> > Subject: RE: is it possible to block ip packets that contains experimentaltcp options ?
> >
> > Glenn,
> >
> > Not sure what you mean by "experimental" however, there are some conditions of flags that should never occur on the network. These can be trapped with rules similar to the following.
> >
> > iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
> > iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
> > iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
> >
> > --marc
> >
> > > -----Original Message-----
> > > From: Glenn Terjesen [mailto:glenn@webcat.no]
> > > Sent: Wednesday, May 16, 2007 5:24 AM
> > > To: netfilter@lists.netfilter.org
> > > Subject: is it possible to block ip packets that contains experimental tcp options ?
> > >
> > > Hello,
> > > got a iptables firewall filtering our servers.
> > >
> > > Is it possible to block tcp packets that contains experimental tcp options ?
> > >
> > > AND is it smart to do so ?
> > >
> > > --
> > > Mvh Glenn Terjesen @ Webcat AS
> > > Tlf: +47 37 02 20 20
> > > E-post: support@webcat.no

From jpb at entel.ca Thu May 17 19:25:06 2007
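Added example (editor's code, not from any poster in this thread): a model of how iptables evaluates `-p tcp --tcp-flags MASK COMP`, applied to the two flag rules Marc quoted above (`ALL ALL` and `ALL NONE`). The sample flag combinations are constructed; the point it shows is that those two rules only catch the two extremes, so a segment such as SYN+FIN passes them and needs its own mask/comp pair.

```python
"""Semantics of iptables `--tcp-flags MASK COMP` (added example, not iptables code).

A rule matches when, looking only at the flags named in MASK, exactly the
flags named in COMP are set. Flags outside MASK are ignored.
"""

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
ALIASES = {"ALL": set(TCP_FLAGS), "NONE": set()}


def flag_set(spec):
    """Expand an iptables flag list such as 'SYN,ACK', 'ALL' or 'NONE'."""
    if spec in ALIASES:
        return set(ALIASES[spec])
    flags = set(spec.split(","))
    unknown = flags - set(TCP_FLAGS)
    if unknown:
        raise ValueError("unknown TCP flag(s): %s" % ",".join(sorted(unknown)))
    return flags


def tcp_flags_match(pkt_flags, mask, comp):
    """True when (pkt_flags & MASK) == COMP, i.e. the --tcp-flags match."""
    mask_set, comp_set = flag_set(mask), flag_set(comp)
    if not comp_set <= mask_set:
        raise ValueError("COMP must be a subset of MASK")
    return (set(pkt_flags) & mask_set) == comp_set


# The two flag rules from the thread, as (MASK, COMP) pairs, in rule order.
BOGUS_FLAG_RULES = [("ALL", "ALL"), ("ALL", "NONE")]


def first_matching_rule(pkt_flags, rules=BOGUS_FLAG_RULES):
    """Index of the first rule that fires for this flag set, or None if none does."""
    for i, (mask, comp) in enumerate(rules):
        if tcp_flags_match(pkt_flags, mask, comp):
            return i
    return None


def demo():
    """Constructed flag sets run against the two rules."""
    samples = {
        "xmas-all": set(TCP_FLAGS),    # every flag set: caught by ALL ALL
        "null": set(),                 # no flag set: caught by ALL NONE
        "syn": {"SYN"},                # ordinary connection open: passes
        "syn-fin": {"SYN", "FIN"},     # never legitimate, but not caught here
    }
    return {name: first_matching_rule(flags) for name, flags in samples.items()}


if __name__ == "__main__":
    print(demo())
```

A rule that does catch the SYN+FIN case is `--tcp-flags SYN,FIN SYN,FIN`; `tcp_flags_match({"SYN", "ACK"}, "SYN,FIN,RST", "SYN")` is true because ACK is outside the mask, which is the part of the syntax people most often misread.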
From: jpb at entel.ca (Paul Blondé)
Date: Thu May 17 20:26:50 2007
Subject: is it possible to block ip packets that contains experimentaltcp options ?
In-Reply-To: <F163413C9250D211A55C0060979D5280016AB361@hertz.rad.nd.edu>
Message-ID: <000001c798a8$50246a80$5a05a8c0@nisgaa.net>

I would guess this refers to the following: http://www.psc.edu/networking/projects/sack/

or, more generally, the options discussed here: http://www.snort.org/archive-3-186.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé
Web Programmer
enTel Communications Inc
jpb@entel.ca
250.633.5151
866.633.2644

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Marc Cozzi
> Sent: Thursday, May 17, 2007 10:18 AM
> To: netfilter@lists.netfilter.org
> Subject: RE: is it possible to block ip packets that contains experimentaltcp options ?
>
> Paul,
>
> I believe that's correct. Although I'm still not sure what was originally meant by "experimental tcp options".
>
> -marc
>
> [...]

From jpb at entel.ca Thu May 17 19:41:20 2007
From: jpb at entel.ca (Paul Blondé)
Date: Thu May 17 20:43:04 2007
Subject: TCP RST vulnerability - handling question
In-Reply-To: <bd0eabd0705161756q79024a91y74a132e34616c7fa@mail.gmail.com>
Message-ID: <000101c798aa$94b39d90$5a05a8c0@nisgaa.net>

From what I can tell, using IPSec mitigates this vulnerability, but if you can grok this article better than I you may be able to tighten your security even further: http://www.cert.org/advisories/CA-2001-09.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé
Web Programmer
enTel Communications Inc
jpb@entel.ca
250.633.5151
866.633.2644

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Mike C
> Sent: Wednesday, May 16, 2007 5:57 PM
> To: netfilter@lists.netfilter.org
> Subject: TCP RST vulnerability - handling question
>
> Hi,
>
> I am using an iptables 1.3.5 based setup and wonder if there are any
> tools or techniques available to prevent or mitigate the TCP RST
> spoofing issue (http://osvdb.org/displayvuln.php?osvdb_id=4030)
>
> I see elsewhere there has been suggestions of only accepting the RST
> if the sequence id is 1 more than the current, or providing some sort
> of challenge response
> (http://tools.ietf.org/html/draft-ietf-tcpm-tcpsecure-02#section-2.2).
> I don't believe netfilter uses either of these, so I am interested in
> hearing other peoples approaches to it.
>
> Regards,
>
> Mike

From kbah at linuxmail.org Thu May 17 22:29:23 2007
From: kbah at linuxmail.org (k bah)
Date: Thu May 17 23:31:18 2007
Subject: [solved?] Re: UDP packets are not being forwarded to pc on the local net.
Message-ID: <20070517202923.397C32477C@ws5-3.us4.outblaze.com>

> ----- Original Message -----
> From: jwlargent <jwlargent@vlsmaps.com>
> To: "k bah" <kbah@linuxmail.org>
> Subject: Re: UDP packets are not being forwarded to pc on the local net.
> Date: Thu, 17 May 2007 09:48:11 -0500
>
> I would suggest you start with just a basic NAT setup and then once that is working add the additional rules you need.
>
> Minimal NAT setup
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The initial setup was like this. Everything was allowed, since it didn't work I started to explicitly allow some traffic.

> iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
>
> and don't forget to turn on forwarding in the kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward

Ok, I read some more and this is my setup a little more clear:
(eth0 - router netcard to internet; eth1 router netcard to internal net)

----------
*raw
:PREROUTING ACCEPT
:OUTPUT ACCEPT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -i eth1 -p udp -m udp -j ACCEPT   # *so the p2p client can send udp out? *
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state RELATED -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 41001 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41002 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41002 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41004 -j ACCEPT
-A FORWARD -p udp -m udp --sport 41002 -j LOG --log-prefix "H015 -t fwd udp41002 sport"
-A FORWARD -p udp -m udp --dport 41002 -j LOG --log-prefix "H015 -t fwd udp41002 dport"
-A FORWARD -p udp -m udp --sport 41004 -j LOG --log-prefix "H015 -t fwd udp41004 sport"
-A FORWARD -p udp -m udp --dport 41004 -j LOG --log-prefix "H015 -t fwd udp41004 dport"
-A FORWARD -p tcp -m tcp --dport 41001 -j LOG --log-prefix "H015 -t fwd tcp41001 dport"
-A FORWARD -p tcp -m tcp --sport 41001 -j LOG --log-prefix "H015 -t fwd tcp41001 sport"
-A OUTPUT -p udp -m udp --sport 41002 -j LOG --log-prefix " H015 -t out udp41002 sport"
-A OUTPUT -p udp -m udp --dport 41002 -j LOG --log-prefix " H015 -t out udp41002 dport"
-A OUTPUT -p udp -m udp --sport 41004 -j LOG --log-prefix " H015 -t out udp41004 sport"
-A OUTPUT -p udp -m udp --dport 41004 -j LOG --log-prefix " H015 -t out udp41004 dport"
-A OUTPUT -o eth0 -p udp -m udp -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp -j ACCEPT
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 41001 -j LOG --log-prefix "H015 -t:nat:prerouting 01dpt"
-A PREROUTING -i eth0 -p udp -m udp --dport 41002 -j LOG --log-prefix "H015 -t:nat:prerouting 02dpt"
-A PREROUTING -i eth0 -p udp -m udp --dport 41004 -j LOG --log-prefix "H015 -t:nat:prerouting 04dpt"
-A PREROUTING -i eth0 -p tcp -m tcp --dport 41001 -j DNAT --to-destination 10.1.1.15:41001
-A PREROUTING -i eth0 -p udp -m udp --dport 41002 -j DNAT --to-destination 10.1.1.15:41002
-A PREROUTING -i eth0 -p udp -m udp --dport 41004 -j DNAT --to-destination 10.1.1.15:41004
-A POSTROUTING -s 10.1.1.0/255.255.255.0 -o eth0 -j MASQUERADE
----------

I sent packets from a shell outside my network on the internet (to my router ip address on the internet, 201.x, not 10.1.1.1, of course):

----- tcp port 41001 -----
PACKET GOT TO MY NETWORK ROUTER
H015 -t:nat:prerouting 01 dpt IN=eth0 OUT= MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=) SRC=87.227.31.20 DST=201.OK.OK.=) LEN=60 TOS=0x00 PREC=0x20 TTL=42 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN URGP=0

PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE THE NET
H015 -t fwd tcp41001 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=60 TOS=0x00 PREC=0x20 TTL=41 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN URGP=0

MACHINE INSIDE MY NETWORK SENDING REPLY TO INTERNET MACHINE WHERE THE PACKET ORIGINATED
H015 -t fwd tcp41001 sport IN=eth1 OUT=eth0 SRC=10.1.1.15 DST=87.227.31.20 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20293 PROTO=TCP SPT=41001 DPT=38631 WINDOW=0 RES=0x00 ACK RST URGP=0
----- tcp port 41001 -----

----- udp port 41002 -----
PACKET GOT TO NETWORK ROUTER
H015 -t:nat:prerouting 02 dpt IN=eth0 OUT= MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=) SRC=87.227.31.20 DST=201.OK.OK.=) LEN=54 TOS=0x00 PREC=0x20 TTL=42 ID=55587 DF PROTO=UDP SPT=53050 DPT=41002 LEN=34

PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE THE NET
H015 -t fwd udp41002 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=55587 DF PROTO=UDP SPT=53050 DPT=41002 LEN=34
----- udp port 41002 -----

----- udp port 41004 -----
PACKET GOT TO NETWORK ROUTER
H015 -t:nat:prerouting 04 dpt IN=eth0 OUT= MAC=ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:ok:=) SRC=87.227.31.20 DST=201.OK.OK.=) LEN=54 TOS=0x00 PREC=0x20 TTL=42 ID=61379 DF PROTO=UDP SPT=53050 DPT=41004 LEN=34

PACKET INSIDE MY NETWORK BEING FORWARDED TO MACHINE INSIDE THE NET
H015 -t fwd udp41004 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=61379 DF PROTO=UDP SPT=53050 DPT=41004 LEN=34
----- udp port 41004 -----

now check item 3.2 from http://www.stearns.org/iptables/netfilter-hacking-HOWTO.txt if it shows weird here (the ascii illustration showing packet flow):

----ascii----
--->PRE------>[ROUTE]--->FWD---------->POST------>
    Conntrack    |       Filter   ^    NAT (Src)
    Mangle       |                |    Conntrack
    NAT (Dst)    |             [ROUTE]
    (QDisc)      v                |
                IN Filter       OUT Conntrack
                 | Conntrack     ^ Mangle
                 |               | NAT (Dst)
                 v               | Filter
----ascii----

I disabled WinXP firewall on the machine inside the network, and checked it again after reboot. Now I think the problem is not with packet forwarding, I think it's with the p2p client OR maybe the p2p client is not able to send out stuff?

Anyone agrees with me?

thanks for your time

From smith.not.western at gmail.com Fri May 18 01:34:58 2007
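Added example (editor's code, not from k bah or any other poster): a parser for kernel LOG lines of the kind posted above that pairs each nat/PREROUTING entry with the FORWARD entry for the same packet (same SRC, SPT, PROTO and IP ID, which DNAT leaves unchanged) and confirms that DST was rewritten to the inside host, then reports what the inside host answered. SAMPLE_LOG is constructed from the thread's own lines, with the router's public address replaced by the documentation address 203.0.113.5 and the MAC= field dropped.

```python
"""Confirming DNAT from netfilter LOG output (added example, not netfilter code)."""
import re

# Constructed from the thread: PREROUTING entry, the same packet in FORWARD
# after DNAT (TTL decremented, DST rewritten), then the inside host's answer.
SAMPLE_LOG = """\
H015 -t:nat:prerouting 01 dpt IN=eth0 OUT= SRC=87.227.31.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x20 TTL=42 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN URGP=0
H015 -t fwd tcp41001 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=60 TOS=0x00 PREC=0x20 TTL=41 ID=20327 DF PROTO=TCP SPT=38631 DPT=41001 WINDOW=5840 RES=0x00 SYN URGP=0
H015 -t fwd tcp41001 sport IN=eth1 OUT=eth0 SRC=10.1.1.15 DST=87.227.31.20 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=20293 PROTO=TCP SPT=41001 DPT=38631 WINDOW=0 RES=0x00 ACK RST URGP=0
H015 -t:nat:prerouting 02 dpt IN=eth0 OUT= SRC=87.227.31.20 DST=203.0.113.5 LEN=54 TOS=0x00 PREC=0x20 TTL=42 ID=55587 DF PROTO=UDP SPT=53050 DPT=41002 LEN=34
H015 -t fwd udp41002 dport IN=eth0 OUT=eth1 SRC=87.227.31.20 DST=10.1.1.15 LEN=54 TOS=0x00 PREC=0x20 TTL=41 ID=55587 D PROTO=UDP SPT=53050 DPT=41002 LEN=34
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ..., ..., 'flags': set()}."""
    prefix, sep, rest = line.partition(" IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields = {"prefix": prefix.strip(), "flags": set()}
    for tok in ("IN=" + rest).split():
        m = KV_RE.fullmatch(tok)
        if m:
            # UDP lines carry LEN= twice (IP and UDP); keep the first (IP) one.
            fields.setdefault(m.group(1), m.group(2))
        elif tok in TCP_FLAGS or tok == "DF":
            fields["flags"].add(tok)
    return fields


def check_dnat(lines, inside_host):
    """Pair PREROUTING and FORWARD entries per packet; return [(IP ID, status)]."""
    pre, fwd = {}, {}
    for line in lines:
        if not line.strip():
            continue
        f = parse_log_line(line)
        key = (f["SRC"], f["SPT"], f["PROTO"], f["ID"])
        if "prerouting" in f["prefix"]:
            pre[key] = f
        elif "fwd" in f["prefix"] and f["IN"] == "eth0":
            fwd[key] = f
    results = []
    for key, p in pre.items():
        f = fwd.get(key)
        if f is None:
            status = "not forwarded"
        elif f["DST"] == inside_host and f["OUT"] == "eth1":
            status = "dnat ok"
        else:
            status = "dnat missing"
        results.append((key[3], status))
    return results


def inside_replies(lines):
    """What the inside host sent back: (SRC, SPT, TCP flags) for IN=eth1 lines."""
    out = []
    for line in lines:
        if " IN=eth1 " in line:
            f = parse_log_line(line)
            out.append((f["SRC"], f["SPT"], " ".join(sorted(f["flags"] - {"DF"}))))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(check_dnat(lines, "10.1.1.15"))
    print(inside_replies(lines))
```

Run on the thread's data this reports "dnat ok" for both the TCP and the UDP probe, and the one reply it finds from 10.1.1.15 carries ACK RST: a reset in answer to the forwarded SYN means nothing on the inside host accepted the connection on 41001, which is consistent with k bah's own conclusion that the forwarding is fine and the p2p client is the thing to look at.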
From: smith.not.western at gmail.com (Mike C)
Date: Fri May 18 02:36:44 2007
Subject: TCP RST vulnerability - handling question
In-Reply-To: <bd0eabd0705161756q79024a91y74a132e34616c7fa@mail.gmail.com>
References: <bd0eabd0705161756q79024a91y74a132e34616c7fa@mail.gmail.com>
Message-ID: <bd0eabd0705171634wc4b54k8fa75afe3992adfa@mail.gmail.com>

On 5/17/07, Mike C <smith.not.western@gmail.com> wrote:
> I am using an iptables 1.3.5 based setup and wonder if there are any
> tools or techniques available to prevent or mitigate the TCP RST
> spoofing issue (http://osvdb.org/displayvuln.php?osvdb_id=4030)

I just realised that I posted the wrong issue. The one I am referring to is where a third party sends a RST with a sequence number less than the current window, which is still treated as a valid RST by the end point.

From http://www.securityfocus.com/archive/1/361009 - "the 4.4BSD stack from which NetBSD's stack is derived, did not even check that a RST's sequence number was inside the window. RSTs anywhere to the left of the window were treated as valid."

I should outline my situation a bit more. I have a firewall that I want to prevent passing illegal RST packets to an inside host. In my case the host is patched against this issue, but this may not always be the case, so I need to stop the invalid resets from traversing the firewall in the first place.

Regards,

Mike

From kadlec at blackhole.kfki.hu Fri May 18 08:54:29 2007
From: kadlec at blackhole.kfki.hu (Jozsef Kadlecsik)
Date: Fri May 18 09:57:09 2007
Subject: TCP RST vulnerability - handling question
In-Reply-To: <bd0eabd0705171634wc4b54k8fa75afe3992adfa@mail.gmail.com>
References: <bd0eabd0705161756q79024a91y74a132e34616c7fa@mail.gmail.com> <bd0eabd0705171634wc4b54k8fa75afe3992adfa@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0705180852160.12211@blackhole.kfki.hu>

On Fri, 18 May 2007, Mike C wrote:

> On 5/17/07, Mike C <smith.not.western@gmail.com> wrote:
>> I am using an iptables 1.3.5 based setup and wonder if there are any
>> tools or techniques available to prevent or mitigate the TCP RST
>> spoofing issue (http://osvdb.org/displayvuln.php?osvdb_id=4030)
>
> I just realised that I posted the wrong issue. The one I am referring
> to is where a third party sends a RST with a sequence number less than
> the current window, which is still treated as a valid RST by the end
> point.
[...]
> I should outline my situation a bit more. I have a firewall that I
> want to prevent passing illegal RST packets to an inside host. In my
> case the host is patched against this issue, but this may not always
> be the case, so need to stop the invalid resets from traversing the
> firewall in the first place.

Any recent kernel from the 2.6 series comes with TCP window tracking in netfilter, which makes sure that the RST segment is in the window. Nothing is needed besides enabling connection tracking.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

From Michal.Filka at sitronicsts.com Fri May 18 12:09:05 2007
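Added example (editor's code, not netfilter's): a simplified model of the check Jozsef refers to. Connection tracking knows, per direction, the next sequence number the receiver expects and the window it advertised; a RST whose sequence number falls outside that window is INVALID (and so can be dropped with `-m state --state INVALID -j DROP`), which is exactly the "left of the window" RST from the 4.4BSD quote in Mike's message. The block also models the stricter end-host rule from the tcpsecure draft Mike cited (later RFC 5961): only an exact-match RST resets, an in-window RST draws a challenge ACK. Real conntrack TCP tracking is more elaborate (window scaling, both directions' bounds); the class, names and sample numbers here are constructed.

```python
"""Sequence-number window check for TCP RST segments (added example, not netfilter code)."""

MOD = 1 << 32            # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test, modulo 2**32: rcv_nxt <= seq < rcv_nxt + rcv_wnd."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd


def where_is(seq, rcv_nxt, rcv_wnd):
    """Locate seq relative to the receive window: 'in-window', 'left' or 'right'."""
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "in-window"
    # Offsets of less than half the sequence space count as 'ahead of' rcv_nxt.
    return "right" if (seq - rcv_nxt) % MOD < MOD // 2 else "left"


class TrackedTcp:
    """Minimal per-connection state: for each direction, the next sequence number
    the *receiver* expects and the window it last advertised.
    Direction 0 = original (client -> server), 1 = reply (server -> client)."""

    def __init__(self, client_isn, server_isn, client_wnd, server_wnd):
        self.rcv_nxt = [client_isn + 1, server_isn + 1]   # expected by server, by client
        self.rcv_wnd = [server_wnd, client_wnd]           # advertised by server, by client

    def data(self, direction, seq, length):
        """Record a data segment; out-of-window data is INVALID and changes nothing."""
        if not in_window(seq, self.rcv_nxt[direction], self.rcv_wnd[direction]):
            return "INVALID"
        self.rcv_nxt[direction] = (seq + length) % MOD
        return "ESTABLISHED"

    def rst(self, direction, seq):
        """conntrack-style verdict on a RST: in-window closes the connection,
        anything else is INVALID (droppable with --state INVALID)."""
        if in_window(seq, self.rcv_nxt[direction], self.rcv_wnd[direction]):
            return "CLOSE"
        return "INVALID"


def tcpsecure_rst_action(seq, rcv_nxt, rcv_wnd):
    """End-host rule from draft-ietf-tcpm-tcpsecure sec. 2.2 (RFC 5961): exact
    match resets, in-window gets a challenge ACK, everything else is dropped."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def demo():
    """Constructed walk-through with a 5840-byte server window."""
    ct = TrackedTcp(client_isn=1000, server_isn=5000, client_wnd=65535, server_wnd=5840)
    ct.data(0, 1001, 100)                  # client sent 100 bytes; server now expects 1101
    left = ct.rst(0, 900)                  # left of the window (the 4.4BSD case): INVALID
    right = ct.rst(0, 1101 + 5840)         # first byte past the window edge: INVALID
    inside = ct.rst(0, 1101 + 4000)        # a guess inside the window: conntrack lets it CLOSE
    host = tcpsecure_rst_action(1101 + 4000, 1101, 5840)   # the end host only challenges it
    return left, right, inside, host


if __name__ == "__main__":
    print(demo())
```

The last two lines of `demo()` are the point for a firewall operator: window tracking stops the blind off-window resets Mike asked about, but an attacker who lands inside the window is only stopped by the end host's challenge-ACK rule, so the firewall check complements host patching rather than replacing it.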
From: Michal.Filka at sitronicsts.com (Filka Michal)
Date: Fri May 18 13:11:48 2007
Subject: problem when compiling lbnfnetlink
Message-ID: <2DD3CA89774593478BC28081C7392595BC8A1F@exalfa.stromtelecom.cz>

Hi all,

I have been trying to compile the libnfnetlink library. I did autoconf, ./configure and make

The result of make was

src/Makefile.am:9: Libtool library used but `LIBTOOL' is undefined
src/Makefile.am:9: The usual way to define `LIBTOOL' is to add `AC_PROG_LIBTOOL'
src/Makefile.am:9: to `configure.in' and run `aclocal' and `autoconf' again.
src/Makefile.am:9: If `AC_PROG_LIBTOOL' is in `configure.in', make sure
src/Makefile.am:9: its definition is in aclocal's search path.
make[1]: *** [Makefile.in] Error 1

I'm not so experienced in automake, so I invite any help ... I suppose that it is a configuration problem.

Current configuration:
Debian 2.6.20
automake 1.10
aclocal 1.10

trying to compile libnfnetlink-0.0.16

thanks for any suggestions,

Michal Filka

From eric at inl.fr Fri May 18 12:15:00 2007
From: eric at inl.fr (Eric Leblond)
Date: Fri May 18 13:16:52 2007
Subject: problem when compiling lbnfnetlink
In-Reply-To: <2DD3CA89774593478BC28081C7392595BC8A1F@exalfa.stromtelecom.cz>
References: <2DD3CA89774593478BC28081C7392595BC8A1F@exalfa.stromtelecom.cz>
Message-ID: <58870.194.167.180.10.1179483300.squirrel@mail.inl.fr>

Hi,

> I'm not so experienced in automake, so I invite any help ... I suppose
> that it is configuration problem.
>
> Current configuration:
> Debian 2.6.20
> automake 1.10
> aclocal 1.10

Have you "libtool" installed ?

> trying to compile libnfnetlink-0.0.16
>
> thanks for any suggestions,
>
> Michal Filka

From tiron_adrian at yahoo.com Fri May 18 19:46:07 2007
From: tiron_adrian at yahoo.com (Tiron Adrian)
Date: Fri May 18 20:47:59 2007
Subject: iptables and poptop
Message-ID: <274713.44426.qm@web58309.mail.re3.yahoo.com>

Hello,

Can somebody please explain to me how I should set up forwarding (as I understood) with iptables for the poptop server to work? I've read a little on forums about this but I didn't understand much. Also if you could explain in detail so I could understand (not just so it works for me) it would be great.

Thank you.

From altitude at funkware.com Sat May 19 00:36:19 2007
From: altitude at funkware.com (Alex Tang)
Date: Sat May 19 01:38:22 2007
Subject: redirect 127.0.0.1:25 -> 127.0.0.1:2000
Message-ID: <464E2A63.3020903@funkware.com>

Hi folks.

I'm using a nat PREROUTING rule to forward all connections from port 25 to port 2000. This works fine for all addresses except for localhost.

the rule I'm using is: "-A PREROUTING -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2000" (CentOS4, kernel 2.6.9-55, iptables-1.2.11)

For example, on my machine: foobar.example.com

If I telnet from any machine other than foobar.example.com to foobar.example.com:25, the connection is redirected properly to foobar.example.com:2000.
However, if I telnet from foobar.example.com to localhost:25, I get a connection refused.
Telnetting from foobar.example.com to localhost:2000 works fine (as expected)

Telnetting from foobar.example.com to foobar.example.com:25 also does not work.

I know that you can't do prerouting from localhost -> some.other.host (or vice versa), but I thought localhost->localhost would work.

Am I screwing up the rule? Should I add another rule? Or am I just SOL.

Thanks.

...alex...

From altitude at funkware.com Sat May 19 00:42:44 2007
From: altitude at funkware.com (Alex Tang)
Date: Sat May 19 01:44:48 2007
Subject: redirect 127.0.0.1:25 -> 127.0.0.1:2000
In-Reply-To: <464E2A63.3020903@funkware.com>
References: <464E2A63.3020903@funkware.com>
Message-ID: <464E2BE4.1060606@funkware.com>

In looking through the mail archive, i see this post:

Alex Tang wrote:
> Hi folks.
>
> I'm using a nat PREROUTING rule to forward all connections from port
> 25 to port 2000. This works fine for all addresses except for localhost.
[...]

From altitude at funkware.com Sat May 19 00:46:04 2007
From: altitude at funkware.com (Alex Tang)
Date: Sat May 19 01:48:04 2007
Subject: redirect 127.0.0.1:25 -> 127.0.0.1:2000
In-Reply-To: <464E2A63.3020903@funkware.com>
References: <464E2A63.3020903@funkware.com>
Message-ID: <464E2CAC.8060702@funkware.com>

ARGH. Sorry about my premature previous post...lemme try this again...

Hi again,

In looking through the mail archive, I see this thread, http://lists.netfilter.org/pipermail/netfilter/2004-November/057098.html which answered my question.

I verified that the kernel had IP_NF_NAT_LOCAL set to y, and I see that I was missing the "iptables -t nat -A OUTPUT" line.

Everything works now. Whoohoo!

Thanks.

...alex...

Alex Tang wrote:
> Hi folks.
>
> I'm using a nat PREROUTING rule to forward all connections from port
> 25 to port 2000. This works fine for all addresses except for localhost.
>
> the rule i'm using is: "-A PREROUTING -p tcp -m tcp --dport 25 -j
> REDIRECT --to-ports 2000" (CentOS4, kernel 2.6.9-55, iptables-1.2.11)
[...]

From wlperry at williamperry.com Sun May 20 04:53:55 2007
From: wlperry at williamperry.com (William Perry)
Date: Sun May 20 05:55:56 2007
Subject: no connection
Message-ID: <464FB843.5030605@williamperry.com>

I am using the following iptables script:

# eth0 is the Local network
# eth1 is the External network
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#allow traffic from the firewall to go out
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow all connections to the local network
-A INPUT -i eth0 -s 123.123.123.0/24 -j ACCEPT
-A OUTPUT -o eth0 -d 123.123.123.0/24 -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow connections to my ISP's DNS servers
-A OUTPUT -d 206.13.31.12 -m state --state NEW -p udp --dport 53 -o eth1 -j ACCEPT
-A FORWARD -d 206.13.31.12 -m state --state NEW -p udp --dport 53 -i eth0 -o eth1 -j ACCEPT
-A OUTPUT -d 206.13.28.12 -m state --state NEW -p udp --dport 53 -o eth1 -j ACCEPT
-A FORWARD -d 206.13.28.12 -m state --state NEW -p udp --dport 53 -i eth0 -o eth1 -j ACCEPT
# allow outgoing connections to web servers
-A OUTPUT -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http -o eth1 -i eth0 -j ACCEPT
-A OUTPUT -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport https -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport https -o eth1 -i eth0 -j ACCEPT
# allow outgoing connections ntp
-A OUTPUT -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 123 -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 123 -o eth1 -i eth0 -j ACCEPT
# Log all other attempts to out-going connection
-A OUTPUT -o eth1 -j LOG --log-level info --log-prefix "[ATTEMPTED] "
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-level info --log-prefix "[FWD-] "
-A FORWARD -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth1 -j SNAT --to 71.133.232.116
#port forward port 80
-A PREROUTING -d 71.133.232.116 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.123.123.2:80
COMMIT
#----

I was expecting the firewall (external ip 71.133.232.116) to send the packets to the web server (123.123.123.2), but it appears that the packets are not going anywhere.

Test: use a machine whose gateway is not 71.133.232.116 and execute:
wget http://71.133.232.116/

1. On the log file of the firewall, I see a log record indicating that the "[FWD-]" log was hit.
2. On the web server, I see no record in the access log file.
3. No response is received to the wget command.

Isn't the prerouting command enough to get the packets to go? What do I need to do to get iptables to actually send the packet?

--
William Perry

From mrjk600 at gmail.com Sun May 20 07:28:23 2007
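Added example (editor's code, not from William or from iptables): a first-match walk of the FORWARD and nat parts of the ruleset above for the wget SYN, following the path from the packet-flow diagram quoted earlier in this archive (nat PREROUTING, routing, filter FORWARD, nat POSTROUTING). It understands only the options that script uses. RULESET is the relevant part of the posted script; the client address 198.51.100.7 and the `route()` table (123.123.123.0/24 behind eth0, per the script's comments) are constructed.

```python
"""First-match walk of an iptables-save ruleset for one inbound packet
(added example, not iptables code)."""
import ipaddress
import shlex

# FORWARD and nat portion of the script posted in the thread.
RULESET = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 206.13.31.12 -m state --state NEW -p udp --dport 53 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport http -o eth1 -i eth0 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-level info --log-prefix "[FWD-] "
-A FORWARD -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth1 -j SNAT --to 71.133.232.116
-A PREROUTING -d 71.133.232.116 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 123.123.123.2:80
COMMIT
"""

SERVICES = {"http": 80, "https": 443}      # service names the script uses


def in_net(addr, spec):
    """Address membership for the forms the script uses: '0/0', host, CIDR."""
    if spec in ("0/0", "0.0.0.0/0"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


# One predicate per supported match option: (packet, option value) -> bool.
CHECKS = {
    "-i": lambda p, v: p["in"] == v,
    "-o": lambda p, v: p["out"] == v,
    "-p": lambda p, v: p["proto"] == v,
    "-s": lambda p, v: in_net(p["src"], v),
    "-d": lambda p, v: in_net(p["dst"], v),
    "--dport": lambda p, v: p["dport"] == int(SERVICES.get(v, v)),
    "--state": lambda p, v: p["state"] in v.split(","),
}


def parse_rule(line):
    """Split one '-A CHAIN ...' line into chain, match options and target."""
    toks = shlex.split(line)               # keeps "[FWD-] " as a single token
    rule = {"chain": toks[1], "match": {}, "target": None, "args": []}
    i = 2
    while i < len(toks):
        if toks[i] == "-j":
            rule["target"], rule["args"] = toks[i + 1], toks[i + 2:]
            break
        if toks[i] != "-m":                # '-m mod' only loads a module
            if toks[i] not in CHECKS:
                raise ValueError("unsupported option %r" % toks[i])
            rule["match"][toks[i]] = toks[i + 1]
        i += 2
    return rule


def parse_ruleset(text):
    """Return ({table: [rules]}, {(table, chain): policy})."""
    rules, policies, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            rules[table] = []
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            rules[table].append(parse_rule(line))
    return rules, policies


def walk(rules, policies, table, chain, pkt):
    """First terminating match wins; LOG matches but does not terminate."""
    hits = []
    for rule in rules.get(table, []):
        if rule["chain"] == chain and all(CHECKS[o](pkt, v) for o, v in rule["match"].items()):
            hits.append(rule)
            if rule["target"] != "LOG":
                return rule["target"], hits
    return policies.get((table, chain), "ACCEPT"), hits


def route(dst):
    """Constructed routing table: 123.123.123.0/24 is behind eth0, all else via eth1."""
    return "eth0" if in_net(dst, "123.123.123.0/24") else "eth1"


def trace_inbound(text, pkt):
    """nat PREROUTING -> routing -> filter FORWARD -> nat POSTROUTING for a packet
    arriving on eth1 that is destined for another host."""
    rules, policies = parse_ruleset(text)
    pkt = dict(pkt, out="")                # no output interface before routing
    pre, hits = walk(rules, policies, "nat", "PREROUTING", pkt)
    if pre == "DNAT":                      # --to-destination ip[:port]
        pkt["dst"] = hits[-1]["args"][-1].split(":")[0]
    pkt["out"] = route(pkt["dst"])
    fwd, fwd_hits = walk(rules, policies, "filter", "FORWARD", pkt)
    post = walk(rules, policies, "nat", "POSTROUTING", pkt)[0] if fwd == "ACCEPT" else None
    logged = [r["args"][r["args"].index("--log-prefix") + 1] for r in fwd_hits if r["target"] == "LOG"]
    return {"prerouting": pre, "dst_after_nat": pkt["dst"], "out_iface": pkt["out"],
            "forward": fwd, "logged": logged, "postrouting": post}


# Constructed: the wget SYN from an outside client, as it arrives on eth1.
CLIENT_SYN = {"in": "eth1", "proto": "tcp", "src": "198.51.100.7", "sport": 40001,
              "dst": "71.133.232.116", "dport": 80, "state": "NEW"}

if __name__ == "__main__":
    print(trace_inbound(RULESET, CLIENT_SYN))
```

The walk reproduces observation 1 in the post: after DNAT the packet matches nothing in FORWARD until the `[FWD-] ` LOG rule, and the very next rule (`-o eth0 -j ACCEPT`) accepts it, so this ruleset forwards the request to 123.123.123.2 as far as netfilter is concerned; whatever stops it is outside these chains. Being able to say that much from a rule walk, before touching tcpdump, is the value of the exercise.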
From: mrjk600 at gmail.com (Jonny K)
Date: Sun May 20 08:30:26 2007
Subject: Help with DOS attack
In-Reply-To: <cce02b410705192222s38bc0562g47aef08eba4e7@mail.gmail.com>
References: <cce02b410705192222s38bc0562g47aef08eba4e7@mail.gmail.com>
Message-ID: <cce02b410705192228r42bf262aj2e5367ef3db02d74@mail.gmail.com>

> it looks like someone dos attack my server
> any ideas how i can handle it ?
>
> (i allready sysctl and change the backlog queue to 4096 insted of 1024 and i mange SYN timeout to 9 sec)
>
> any other ideas ?
>
> here is my netstat outputs
>
> [root@MYHOST ~]# netstat -an | grep SYN_REC | wc
>     372    2232   33108
> [root@MYHOST ~]#
>
> Ip:
>     496709034 total packets received
>     0 forwarded
>     0 incoming packets discarded
>     496547054 incoming packets delivered
>     389034562 requests sent out
>     55 fragments dropped after timeout
>     499 reassemblies required
>     54 packets reassembled ok
>     55 packet reassembles failed
>     2 fragments received ok
> Icmp:
>     17083 ICMP messages received
>     25 input ICMP message failed.
>     ICMP input histogram:
>         destination unreachable: 11255
>         timeout in transit: 1579
>         source quenches: 353
>         echo requests: 3880
>         echo replies: 16
>     24339 ICMP messages sent
>     0 ICMP messages failed
>     ICMP output histogram:
>         destination unreachable: 20459
>         echo replies: 3880
> Tcp:
>     33725 active connections openings
>     38693945 passive connection openings
>     312156 failed connection attempts
>     521243 connection resets received
>     3 connections established
>     495811236 segments received
>     388303537 segments send out
>     14565173 segments retransmited
>     10279 bad segments received.
>     136512 resets sent
> Udp:
>     718164 packets received
>     571 packets to unknown port received.
>     0 packet receive errors
>     720360 packets sent
> TcpExt:
>     421 SYN cookies sent
>     99 SYN cookies received
>     43807 invalid SYN cookies received
>     1188232 resets received for embryonic SYN_RECV sockets
>     14 packets pruned from receive queue because of socket buffer overrun
>     221 ICMP packets dropped because they were out-of-window
>     71 ICMP packets dropped because socket was locked
>     34829434 TCP sockets finished time wait in fast timer
>     2 time wait sockets recycled by time stamp
>     15358 packets rejects in established connections because of timestamp
>     256833 delayed acks sent
>     2653 delayed acks further delayed because of locked socket
>     Quick ack mode was activated 119773 times
>     74580 times the listen queue of a socket overflowed
>     74580 SYNs to LISTEN sockets ignored
>     39205589 packets directly queued to recvmsg prequeue.
>     8376974 packets directly received from backlog
>     2265096902 packets directly received from prequeue
>     806823 packets header predicted
>     36687371 packets header predicted and directly queued to user
>     238781476 acknowledgments not containing data received
>     125709890 predicted acknowledgments
>     29275 times recovered from packet loss due to fast retransmit
>     1927589 times recovered from packet loss due to SACK data
>     1362 bad SACKs received
>     Detected reordering 6628 times using FACK
>     Detected reordering 4312 times using SACK
>     Detected reordering 4875 times using reno fast retransmit
>     Detected reordering 11976 times using time stamp
>     6435 congestion windows fully recovered
>     66640 congestion windows partially recovered using Hoe heuristic
>     TCPDSACKUndo: 957
>     16664 congestion windows recovered after partial ack
>     4188573 TCP data loss events
>     TCPLostRetransmit: 1192
>     5491 timeouts after reno fast retransmit
>     260050 timeouts after SACK recovery
>     200153 timeouts in loss state
>     6505780 fast retransmits
>     695080 forward retransmits
>     4881678 retransmits in slow start
>     1084146 other TCP timeouts
>     TCPRenoRecoveryFail: 14786
>     306771 sack retransmits failed
>     2225 times receiver scheduled too late for direct processing
>     294 packets collapsed in receive queue due to low socket buffer
>     121753 DSACKs sent for old packets
>     64 DSACKs sent for out of order packets
>     1007539 DSACKs received
>     1099 DSACKs for out of order packets received
>     10295 connections reset due to unexpected data
>     102 connections reset due to early user close
>     64688 connections aborted due to timeout

From Joris at familiedobbelsteen.nl Sun May 20 14:04:50 2007
From: Joris at familiedobbelsteen.nl (Joris Dobbelsteen)
Date: Sun May 20 15:05:00 2007
Subject: Help with DOS attack
References: <cce02b410705192222s38bc0562g47aef08eba4e7@mail.gmail.com> <cce02b410705192228r42bf262aj2e5367ef3db02d74@mail.gmail.com>
Message-ID: <73427AD314CC364C8DF0FFF9C4D693FF037B34@nehemiah.joris2k.local>

Two things you probably want to do:

1) Enable Syn cookies (disables use of the TCP backlog). It's used in most systems to reduce the effects of a SYN flooding attack.

2) Contact your ISP. They can usually help you with such problems. In general they are not happy with attacks directed to their networks.

- Joris

>-----Original Message-----
>From: netfilter-bounces@lists.netfilter.org >[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jonny K >Sent: zondag 20 mei 2007 7:28 >To: netfilter@lists.netfilter.org >Subject: Re: Help with DOS attack > >> it looks like someone dos attack my server any ideas how i >can handle >> it ? >> >> (i allready sysctl and change the backlog queue to 4096 >insted of 1024 and i mange SYN timeout to 9 sec) >> >> any other ideas ? >> >> >> here is my netstat outputs >> >> >> [root@MYHOST ~]# netstat -an | grep SYN_REC | wc >> 372 2232 33108 >> [root@MYHOST ~]# >> >> >> >> >> Ip: >> 496709034 total packets received >> 0 forwarded >> >> 0 incoming packets discarded >> 496547054 incoming packets delivered >> 389034562 requests sent out >> 55 fragments dropped after timeout >> 499 reassemblies required >> 54 packets reassembled ok >> >> 55 packet reassembles failed >> 2 fragments received ok >> Icmp: >> 17083 ICMP messages received >> 25 input ICMP message failed. >> ICMP input histogram: >> destination unreachable: 11255 >> >> timeout in transit: 1579 >> source quenches: 353 >> echo requests: 3880 >> echo replies: 16 >> 24339 ICMP messages sent >> 0 ICMP messages failed >> ICMP output histogram: >> destination unreachable: 20459 >> >> echo replies: 3880 >> Tcp: >> 33725 active connections openings >> 38693945 passive connection openings >> 312156 failed connection attempts >> 521243 connection resets received >> 3 connections established >> >> 495811236 segments received >> 388303537 segments send out >> 14565173 segments retransmited >> 10279 bad segments received. >> 136512 resets sent >> Udp: >> 718164 packets received >> 571 packets to unknown port received. 
>> >> 0 packet receive errors >> 720360 packets sent >> TcpExt: >> 421 SYN cookies sent >> 99 SYN cookies received >> 43807 invalid SYN cookies received >> 1188232 resets received for embryonic SYN_RECV sockets >> >> 14 packets pruned from receive queue because of socket >buffer overrun >> 221 ICMP packets dropped because they were out-of-window >> 71 ICMP packets dropped because socket was locked >> 34829434 TCP sockets finished time wait in fast timer >> >> 2 time wait sockets recycled by time stamp >> 15358 packets rejects in established connections because >of timestamp >> 256833 delayed acks sent >> 2653 delayed acks further delayed because of locked socket >> >> Quick ack mode was activated 119773 times >> 74580 times the listen queue of a socket overflowed >> 74580 SYNs to LISTEN sockets ignored >> 39205589 packets directly queued to recvmsg prequeue. >> 8376974 packets directly received from backlog >> >> 2265096902 packets directly received from prequeue >> 806823 packets header predicted >> 36687371 packets header predicted and directly queued to user >> 238781476 acknowledgments not containing data received >> >> 125709890 predicted acknowledgments >> 29275 times recovered from packet loss due to fast retransmit >> 1927589 times recovered from packet loss due to SACK data >> 1362 bad SACKs received >> Detected reordering 6628 times using FACK >> >> Detected reordering 4312 times using SACK >> Detected reordering 4875 times using reno fast retransmit >> Detected reordering 11976 times using time stamp >> 6435 congestion windows fully recovered >> >> 66640 congestion windows partially recovered using Hoe heuristic >> TCPDSACKUndo: 957 >> 16664 congestion windows recovered after partial ack >> 4188573 TCP data loss events >> TCPLostRetransmit: 1192 >> >> 5491 timeouts after reno fast retransmit >> 260050 timeouts after SACK recovery >> 200153 timeouts in loss state >> 6505780 fast retransmits >> 695080 forward retransmits >> 4881678 retransmits in slow 
start >> >> 1084146 other TCP timeouts >> TCPRenoRecoveryFail: 14786 >> 306771 sack retransmits failed >> 2225 times receiver scheduled too late for direct processing >> 294 packets collapsed in receive queue due to low socket buffer >> >> 121753 DSACKs sent for old packets >> 64 DSACKs sent for out of order packets >> 1007539 DSACKs received >> 1099 DSACKs for out of order packets received >> 10295 connections reset due to unexpected data >> >> 102 connections reset due to early user close >> 64688 connections aborted due to timeout >> >> > > From tiron_adrian at yahoo.com Fri May 18 19:38:28 2007 From: tiron_adrian at yahoo.com (Tiron Adrian) Date: Sun May 20 20:53:53 2007 Subject: pptp and iptables Message-ID: <785505.87708.qm@web58312.mail.re3.yahoo.com> Hello, Can somebody please explain me how should i set up forwarding (as i understood) with iptables for the poptopserver to work?I've read a little on forums about this but i didn't understand much. Also if you could explain in detail so i could understand(not just to work for me) it would be great. Thank you. ____________________________________________________________________________________Yahoo! oneSearch: Finally, mobile search that gives answers, not web links. http://mobile.yahoo.com/mobileweb/onesearch?refer=1ONXIC From cbernstein at cbernstein.com Sat May 19 05:15:32 2007 
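The counters Jonny K pasted above can be read mechanically instead of eyeballed. The following Python is an added example for this thread (not code from Joris, Jonny or anyone else on the list): it parses `netstat -s` style output and reports the handful of Tcp/TcpExt counters that separate a SYN flood from a listener that simply is not calling accept() fast enough. The sample text is a constructed excerpt reusing Jonny's numbers; the thresholds (`min_drops`, `max_embryonic_pct`) are assumptions, not kernel defaults.

```python
"""Pull SYN-flood indicators out of `netstat -s` counters.

Added example for the "Help with DOS attack" thread; not code from any poster.
SAMPLE_NETSTAT_S is a constructed excerpt that reuses the counter values Jonny K
posted; the thresholds (min_drops, max_embryonic_pct) are assumptions, not
kernel defaults.
"""
import re

SAMPLE_NETSTAT_S = """\
Tcp:
    33725 active connections openings
    38693945 passive connection openings
    312156 failed connection attempts
TcpExt:
    421 SYN cookies sent
    99 SYN cookies received
    43807 invalid SYN cookies received
    1188232 resets received for embryonic SYN_RECV sockets
    74580 times the listen queue of a socket overflowed
    74580 SYNs to LISTEN sockets ignored
"""

# "<count> <description>" lines; section headers such as "Tcp:" start in column 0.
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_counters(text, sections=("Tcp", "TcpExt")):
    """Map each counter description under the chosen sections to its integer value."""
    counters, section = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            section = line[:-1]
            continue
        m = COUNTER_RE.match(line)
        if m and section in sections:
            counters[m.group(2)] = int(m.group(1))
    return counters


def syn_flood_indicators(counters, min_drops=1000, max_embryonic_pct=1.0):
    """Return human-readable findings; an empty list means nothing stood out."""
    get = counters.get
    ignored = get("SYNs to LISTEN sockets ignored", 0)                   # ListenDrops
    overflow = get("times the listen queue of a socket overflowed", 0)   # ListenOverflows
    cookies_sent = get("SYN cookies sent", 0)
    cookies_bad = get("invalid SYN cookies received", 0)
    embryonic = get("resets received for embryonic SYN_RECV sockets", 0)
    passive = get("passive connection openings", 0)
    findings = []

    if ignored >= min_drops:
        if ignored == overflow:
            # ListenOverflows is counted when the accept queue is full as the
            # handshake completes; equal counters mean every drop was of that kind.
            why = ("every drop happened because the accept queue was full when the "
                   "handshake completed; SYN cookies do not relieve that, accept() speed does")
        else:
            why = "the extra drops happened earlier in the handshake (SYN queue full or memory pressure)"
        findings.append(f"{ignored} SYNs dropped, listen queue overflowed {overflow} times: {why}")
        if cookies_sent * 10 < ignored:
            findings.append(f"only {cookies_sent} SYN cookies sent for {ignored} dropped SYNs: "
                            "check that net.ipv4.tcp_syncookies=1 is really in effect")
    if cookies_bad > cookies_sent:
        # SyncookiesFailed counts bare ACKs that matched no request entry and no valid cookie.
        findings.append(f"{cookies_bad} invalid SYN cookies received vs {cookies_sent} sent: "
                        "bare ACKs are arriving for handshakes this host has no record of")
    if passive:
        pct = 100.0 * embryonic / passive
        if pct > max_embryonic_pct:
            findings.append(f"{embryonic} half-open connections were reset "
                            f"({pct:.1f}% of passive opens): consistent with spoofed sources "
                            "answering the SYN/ACK with RST")
    return findings


if __name__ == "__main__":
    for finding in syn_flood_indicators(parse_counters(SAMPLE_NETSTAT_S)):
        print("-", finding)
```

On Jonny's numbers the two listen counters are equal (74580 each), which is the signature of a full accept queue rather than a full SYN queue, so enabling SYN cookies on its own is not expected to change much; that matches his later remark that tcp_syncookies was already 1 while the box was down.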
From: cbernstein at cbernstein.com (Craig Bernstein)
Date: Sun May 20 20:54:07 2007
Subject: Logging NAT Translations
Message-ID: <ae1f24730705182015j533102bah985e9ad0e905cd2a@mail.gmail.com>

I can't believe this isn't a FAQ; I apologize if I missed something in my searches.

Is there a way to log connections along with all of their NAT translation data?

I am using a Debian (Sarge) system to SNAT guest users from private address space to the Internet, and I need to keep a record that includes both their internal and external addresses. Simply logging before the SNAT rule leaves out the external address, leaving me only with the original RFC1918 source address.

/proc/net/ip_conntrack has the information I need, but no way to send it to the log at the beginning and/or end of the session.

There HAS to be an easy way to do this! Right?

Thank you...

-- 
...Craig

From mrjk600 at gmail.com Sun May 20 20:02:08 2007
From: mrjk600 at gmail.com (Jonny K)
Date: Sun May 20 21:04:13 2007
Subject: Help with DOS attack
In-Reply-To: <73427AD314CC364C8DF0FFF9C4D693FF037B34@nehemiah.joris2k.local>
References: <cce02b410705192222s38bc0562g47aef08eba4e7@mail.gmail.com> <cce02b410705192228r42bf262aj2e5367ef3db02d74@mail.gmail.com> <73427AD314CC364C8DF0FFF9C4D693FF037B34@nehemiah.joris2k.local>
Message-ID: <cce02b410705201102yd7e5854r419a977deb5df14f@mail.gmail.com>

Well, I realize that my system is down at 6am while tcp_syncookies was 1. Anything else?

On 5/20/07, Joris Dobbelsteen <Joris@familiedobbelsteen.nl> wrote:
> Two things you probably want to do:
>
> 1)
> Enable SYN cookies (disables use of the TCP backlog). It's used in most
> systems to reduce the effects of a SYN flooding attack.
>
> 2)
> Contact your ISP. They can usually help you with such problems. In
> general they are not happy with attacks directed to their networks.
>
> - Joris
>
> >-----Original Message-----
> >From: netfilter-bounces@lists.netfilter.org
> >[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jonny K
> >Sent: Sunday 20 May 2007 7:28
> >To: netfilter@lists.netfilter.org
> >Subject: Re: Help with DOS attack
> >
> >> it looks like someone dos attack my server any ideas how i
> >can handle
> >> it ?
> >>
> >> (i already sysctl and change the backlog queue to 4096
> >instead of 1024 and i mange SYN timeout to 9 sec)
> >>
> >> any other ideas ?
> >>
> >>
> >> here is my netstat outputs
> >>
> >>
> >> [root@MYHOST ~]# netstat -an | grep SYN_REC | wc
> >> 372 2232 33108
> >> [root@MYHOST ~]#
> >>
> >>
> >>
> >>
> >> Ip:
> >> 496709034 total packets received
> >> 0 forwarded
> >>
> >> 0 incoming packets discarded
> >> 496547054 incoming packets delivered
> >> 389034562 requests sent out
> >> 55 fragments dropped after timeout
> >> 499 reassemblies required
> >> 54 packets reassembled ok
> >>
> >> 55 packet reassembles failed
> >> 2 fragments received ok
> >> Icmp:
> >> 17083 ICMP messages received
> >> 25 input ICMP message failed.
> >> ICMP input histogram:
> >> destination unreachable: 11255
> >>
> >> timeout in transit: 1579
> >> source quenches: 353
> >> echo requests: 3880
> >> echo replies: 16
> >> 24339 ICMP messages sent
> >> 0 ICMP messages failed
> >> ICMP output histogram:
> >> destination unreachable: 20459
> >>
> >> echo replies: 3880
> >> Tcp:
> >> 33725 active connections openings
> >> 38693945 passive connection openings
> >> 312156 failed connection attempts
> >> 521243 connection resets received
> >> 3 connections established
> >>
> >> 495811236 segments received
> >> 388303537 segments send out
> >> 14565173 segments retransmited
> >> 10279 bad segments received.
> >> 136512 resets sent
> >> Udp:
> >> 718164 packets received
> >> 571 packets to unknown port received.
> >>
> >> 0 packet receive errors
> >> 720360 packets sent
> >> TcpExt:
> >> 421 SYN cookies sent
> >> 99 SYN cookies received
> >> 43807 invalid SYN cookies received
> >> 1188232 resets received for embryonic SYN_RECV sockets
> >>
> >> 14 packets pruned from receive queue because of socket
> >buffer overrun
> >> 221 ICMP packets dropped because they were out-of-window
> >> 71 ICMP packets dropped because socket was locked
> >> 34829434 TCP sockets finished time wait in fast timer
> >>
> >> 2 time wait sockets recycled by time stamp
> >> 15358 packets rejects in established connections because
> >of timestamp
> >> 256833 delayed acks sent
> >> 2653 delayed acks further delayed because of locked socket
> >>
> >> Quick ack mode was activated 119773 times
> >> 74580 times the listen queue of a socket overflowed
> >> 74580 SYNs to LISTEN sockets ignored
> >> 39205589 packets directly queued to recvmsg prequeue.
> >> 8376974 packets directly received from backlog
> >>
> >> 2265096902 packets directly received from prequeue
> >> 806823 packets header predicted
> >> 36687371 packets header predicted and directly queued to user
> >> 238781476 acknowledgments not containing data received
> >>
> >> 125709890 predicted acknowledgments
> >> 29275 times recovered from packet loss due to fast retransmit
> >> 1927589 times recovered from packet loss due to SACK data
> >> 1362 bad SACKs received
> >> Detected reordering 6628 times using FACK
> >>
> >> Detected reordering 4312 times using SACK
> >> Detected reordering 4875 times using reno fast retransmit
> >> Detected reordering 11976 times using time stamp
> >> 6435 congestion windows fully recovered
> >>
> >> 66640 congestion windows partially recovered using Hoe heuristic
> >> TCPDSACKUndo: 957
> >> 16664 congestion windows recovered after partial ack
> >> 4188573 TCP data loss events
> >> TCPLostRetransmit: 1192
> >>
> >> 5491 timeouts after reno fast retransmit
> >> 260050 time

outs after SACK recovery
> >> 200153 timeouts in loss state
> >> 6505780 fast retransmits
> >> 695080 forward retransmits
> >> 4881678 retransmits in slow start
> >>
> >> 1084146 other TCP timeouts
> >> TCPRenoRecoveryFail: 14786
> >> 306771 sack retransmits failed
> >> 2225 times receiver scheduled too late for direct processing
> >> 294 packets collapsed in receive queue due to low socket buffer
> >>
> >> 121753 DSACKs sent for old packets
> >> 64 DSACKs sent for out of order packets
> >> 1007539 DSACKs received
> >> 1099 DSACKs for out of order packets received
> >> 10295 connections reset due to unexpected data
> >>
> >> 102 connections reset due to early user close
> >> 64688 connections aborted due to timeout
> >>
> >>
> >
> >
> >

From xpisar at fi.muni.cz Sun May 20 21:23:35 2007
From: xpisar at fi.muni.cz (Petr Pisar)
Date: Sun May 20 22:26:57 2007
Subject: Logging NAT Translations
References: <ae1f24730705182015j533102bah985e9ad0e905cd2a@mail.gmail.com>
Message-ID: <slrnf5181o.lhk.xpisar@album.ics.muni.cz>

On 2007-05-19, Craig Bernstein <cbernstein@cbernstein.com> wrote:
>
> Is there a way to log connections along with all of their NAT
> translation data?
> [...]
> /proc/net/ip_conntrack has the information I need, but no way to send
> it to the log it at the beginning and/or end of the session.
>
You can use the tool "conntrack", which can log conntrack events like creating a new connection or destroying an old one almost in real time.

-- Petr

From glenn at webcat.no Mon May 21 13:32:14 2007
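To make Petr's suggestion concrete for Craig's question: the following is an added example (not Craig's or Petr's code, and not part of conntrack-tools) that turns a stream of conntrack events into the record Craig asked for, namely the guest's internal address, the SNAT address and the remote peer, at the start and end of every translated flow. The event lines are constructed in the shape of `conntrack -E -o timestamp` output; spacing differs between versions, so the parser keys on the `src=`/`dst=`/`sport=`/`dport=` tuples rather than on columns. Addresses are from the documentation ranges.

```python
"""Turn conntrack events into a NAT translation log.

Added example for the "Logging NAT Translations" thread (Craig's question and
Petr's "conntrack" suggestion); not code from either of them or from
conntrack-tools.  SAMPLE_EVENTS is constructed in the shape of
`conntrack -E -o timestamp` output (layout varies by version); the addresses
are documentation ranges.
"""
import re

SAMPLE_EVENTS = """\
[1179765250.100000]     [NEW] tcp      6 120 SYN_SENT src=192.168.10.23 dst=203.0.113.80 sport=51234 dport=80 [UNREPLIED] src=203.0.113.80 dst=198.51.100.7 sport=80 dport=51234
[1179765250.300000]  [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.10.23 dst=203.0.113.80 sport=51234 dport=80 src=203.0.113.80 dst=198.51.100.7 sport=80 dport=51234 [ASSURED]
[1179765251.000000]     [NEW] udp      17 30 src=198.51.100.7 dst=203.0.113.53 sport=40001 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.7 sport=53 dport=40001
[1179765290.500000] [DESTROY] tcp      6 src=192.168.10.23 dst=203.0.113.80 sport=51234 dport=80 packets=12 bytes=1840 src=203.0.113.80 dst=198.51.100.7 sport=80 dport=51234 packets=10 bytes=9211 [ASSURED]
"""

TS_RE = re.compile(r"^\[(\d+(?:\.\d+)?)\]")
EVENT_RE = re.compile(r"\[(NEW|UPDATE|DESTROY)\]\s+(\w+)\s+\d+\s+(.*)$")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_event(line):
    """Return the event as a dict, or None for lines that do not carry two 4-tuples."""
    ev = EVENT_RE.search(line)
    if not ev:
        return None
    tuples = TUPLE_RE.findall(ev.group(3))
    if len(tuples) != 2:          # e.g. ICMP entries carry type/code, not ports
        return None
    ts = TS_RE.match(line)
    (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
    return {
        "ts": float(ts.group(1)) if ts else None,
        "event": ev.group(1),
        "proto": ev.group(2),
        # original direction: the guest's own source address and port
        "internal": f"{osrc}:{osport}",
        # reply direction: replies are addressed to the SNAT address and port
        "external": f"{rdst}:{rdport}",
        "remote": f"{odst}:{odport}",
        # a translated flow gets its replies at an address/port other than it sent from
        "natted": (osrc, osport) != (rdst, rdport),
    }


def nat_log(text):
    """One record per NEW and DESTROY event of a translated flow, in arrival order."""
    records = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and ev["natted"] and ev["event"] in ("NEW", "DESTROY"):
            records.append(ev)
    return records


def format_record(ev):
    """Syslog-style line carrying both sides of the translation."""
    verb = "start" if ev["event"] == "NEW" else "end"
    return (f"nat {verb} {ev['proto']} {ev['internal']} -> {ev['external']} "
            f"-> {ev['remote']} ts={ev['ts']}")


if __name__ == "__main__":
    for ev in nat_log(SAMPLE_EVENTS):
        print(format_record(ev))
```

Feeding `nat_log` the text of a live `conntrack -E` stream gives both tuples at session start and end without polling /proc/net/ip_conntrack; the router's own untranslated traffic (the UDP DNS lookup in the sample) is filtered out by the `natted` test.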
From: glenn at webcat.no (Glenn Terjesen)
Date: Mon May 21 14:34:27 2007
Subject: is it possible to block ip packets that contains experimental tcp options ?
In-Reply-To: <F163413C9250D211A55C0060979D5280016AB361@hertz.rad.nd.edu>
References: <F163413C9250D211A55C0060979D5280016AB361@hertz.rad.nd.edu>
Message-ID: <1179747134.32083.19.camel@bathory.webcat.no>

Hi,

What I meant with "experimental tcp options" is that my IDS (snort) kept logging these "experimental tcp options":

#
code 76
length 8
data 01019DEDBEF00005

I know this ain't a snort list, but my servers don't serve any services that require this kind of traffic.

So I was wondering if iptables has any way of blocking these.

These two magic lines fixed it all:

iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

Thanks a lot for the help.

On Thu, 2007-05-17 at 13:18 -0400, Marc Cozzi wrote:
> Paul,
>
> I believe that's correct. Although I'm still not
> sure what was originally meant by "experimental tcp options".
>
> -marc
>
> > -----Original Message-----
> > From: Paul Blond? [mailto:jpb@entel.ca]
> > Sent: Thursday, May 17, 2007 11:09 AM
> > To: netfilter@lists.netfilter.org
> > Subject: RE: is it possible to block ip packets that contains
> > experimentaltcp options ?
> >
> > I assume that LOG-AND-DROP is your own chain, crafted so that
> > you can perform both functions with a single entry?
> >
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Paul Blond?
> >
> >
> >
> > > -----Original Message-----
> > > From: netfilter-bounces@lists.netfilter.org
> > > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> > Marc Cozzi
> > > Sent: Wednesday, May 16, 2007 5:19 AM
> > > To: netfilter@lists.netfilter.org
> > > Subject: RE: is it possible to block ip packets that contains
> > > experimentaltcp options ?
> > >
> > >
> > >
> > > Glenn,
> > >
> > > Not sure what you mean by "experimental" however, there are some
> > > conditions of flags that should never occur on the network.
> > These can
> > > be trapped with rules similar to the following.
> > >
> > > iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
> > > iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
> > > iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
> > >
> > > --marc
> > >
> > >
> > > > -----Original Message-----
> > > > From: Glenn Terjesen [mailto:glenn@webcat.no]
> > > > Sent: Wednesday, May 16, 2007 5:24 AM
> > > > To: netfilter@lists.netfilter.org
> > > > Subject: is it possible to block ip packets that contains
> > > > experimental tcp options ?
> > > >
> > > > Hello,
> > > > got an iptables firewall filtering our servers.
> > > >
> > > > Is it possible to block tcp packets that contains
> > experimental tcp
> > > > options ?
> > > >
> > > > AND is it smart to do so ?
> > > >
> > > >
> > > > --
> > > > Kind regards, Glenn Terjesen @ Webcat AS
> > > > Tel: +47 37 02 20 20
> > > > E-mail: support@webcat.no
> > > >
> > > >
> > >
> >
-- 
Kind regards, Glenn Terjesen @ Webcat AS
Tel: +47 37 02 20 20
E-mail: support@webcat.no

From pakar at imperialnet.org Mon May 21 13:46:05 2007
From: pakar at imperialnet.org (patric)
Date: Mon May 21 14:55:02 2007
Subject: mini-hack for country-based filter.
In-Reply-To: <4649F42A.7010700@imperialnet.org>
References: <4649F42A.7010700@imperialnet.org>
Message-ID: <4651867D.1030901@imperialnet.org>

Replying to my own topic just to see if the spam-filter for this mailing list has been fixed. Ignore this...

patric wrote:
> Hi,
>
>
> Just wanted to drop a note about a minimalistic, and ugly :), userspace
> app that enables country-based filtering instead of the kernel-module
> that's out there. I preferred this way since I don't like kernel-modules
> doing user-space access in this specific way, and it should cause less
> risk of crashes if there are any bugs in the code. The worst that could
> happen is that the app crashes and needs to be restarted.
>
>
> http://bladerunner.mine.nu/CJ
>
>
> And, it's a work in progress so there are a few loose ends currently in
> the source, but at least it works.. Feel free to submit any patches..
>
>
> Enjoy,
>
> Patric
>
>
>

From glenn at webcat.no Mon May 21 13:55:44 2007
From: glenn at webcat.no (Glenn Terjesen)
Date: Mon May 21 14:57:55 2007
Subject: is it possible to block ip packets that contains experimental tcp options ?
In-Reply-To: <1179747134.32083.19.camel@bathory.webcat.no>
References: <F163413C9250D211A55C0060979D5280016AB361@hertz.rad.nd.edu> <1179747134.32083.19.camel@bathory.webcat.no>
Message-ID: <1179748544.32083.25.camel@bathory.webcat.no>

Was a little too fast there..

iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

did not fix it.. I'm gonna take a look at Paul Blond?'s suggestion and just ignore the traffic I suppose..

On Mon, 2007-05-21 at 13:32 +0200, Glenn Terjesen wrote:
> Hi,
> What I meant with "experimental tcp options" is that my IDS (snort)
> kept logging these "experimental tcp options"
>
> #
> code 76
> length 8
> data 01019DEDBEF00005
>
> I know this ain't a snort list, but my servers don't serve any services
> that require this kind of traffic.
>
> So I was wondering if iptables has any way of blocking these.
>
> These two magic lines fixed it all
> iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
>
>
> Thanks a lot for the help.
>
>
> On Thu, 2007-05-17 at 13:18 -0400, Marc Cozzi wrote:
> > Paul,
> >
> > I believe that's correct. Although I'm still not
> > sure what was originally meant by "experimental tcp options".
> >
> > -marc
> >
> > > -----Original Message-----
> > > From: Paul Blond? [mailto:jpb@entel.ca]
> > > Sent: Thursday, May 17, 2007 11:09 AM
> > > To: netfilter@lists.netfilter.org
> > > Subject: RE: is it possible to block ip packets that contains
> > > experimentaltcp options ?
> > >
> > > I assume that LOG-AND-DROP is your own chain, crafted so that
> > > you can perform both functions with a single entry?
> > >
> > >
> > >
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > Paul Blond?
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: netfilter-bounces@lists.netfilter.org
> > > > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> > > Marc Cozzi
> > > > Sent: Wednesday, May 16, 2007 5:19 AM
> > > > To: netfilter@lists.netfilter.org
> > > > Subject: RE: is it possible to block ip packets that contains
> > > > experimentaltcp options ?
> > > >
> > > >
> > > >
> > > > Glenn,
> > > >
> > > > Not sure what you mean by "experimental" however, there are some
> > > > conditions of flags that should never occur on the network.
> > > These can
> > > > be trapped with rules similar to the following.
> > > >
> > > > iptables -A BLOCKED -m state --state INVALID -j LOG-AND-DROP
> > > > iptables -A BLOCKED -p tcp --tcp-flags ALL ALL -j LOG-AND-DROP
> > > > iptables -A BLOCKED -p tcp --tcp-flags ALL NONE -j LOG-AND-DROP
> > > >
> > > > --marc
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Glenn Terjesen [mailto:glenn@webcat.no]
> > > > > Sent: Wednesday, May 16, 2007 5:24 AM
> > > > > To: netfilter@lists.netfilter.org
> > > > > Subject: is it possible to block ip packets that contains
> > > > > experimental tcp options ?
> > > > >
> > > > > Hello,
> > > > > got an iptables firewall filtering our servers.
> > > > >
> > > > > Is it possible to block tcp packets that contains
> > > experimental tcp
> > > > > options ?
> > > > >
> > > > > AND is it smart to do so ?
> > > > >
> > > > >
> > > > > --
> > > > > Kind regards, Glenn Terjesen @ Webcat AS
> > > > > Tel: +47 37 02 20 20
> > > > > E-mail: support@webcat.no
> > > > >
> > > > >
> > > >
> > >
> >
>

From rgrover1 at gmail.com Mon May 21 06:05:10 2007
From: rgrover1 at gmail.com (Rohit Grover)
Date: Mon May 21 18:28:22 2007
Subject: using packet filtering to discover TCP end-to-end latency
Message-ID: <C4794891-5098-4238-BC18-2D54D2CB9859@gmail.com>

Hello,

I need to discover the TCP end-to-end latency between web clients and servers transparently (i.e. without altering the clients or the servers in any way). I have squid running as a proxy server on a Linux box, sitting between the clients and the servers. I can have the clients change their proxy settings to have requests pass through squid.

Squid can measure latencies between itself and the web servers. The problem is to measure the network latency when squid tries to forward the server responses back to clients. Can packet filtering help me with this? Can I, for example, filter for the client ACK of the last bit of data sent from squid back to the client?

Also, I still need to devise a solution to measure the network latency experienced by the client's SYN sent to the squid box.

Any ideas?

thanks in advance,
Rohit Grover.

From swifty at freemail.hu Mon May 21 18:13:01 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Mon May 21 19:16:03 2007
Subject: Policy targets...
In-Reply-To: <slrnf4j5ek.ic3.xpisar@album.ics.muni.cz>
References: <464441F7.3050808@freemail.hu> <slrnf4j5ek.ic3.xpisar@album.ics.muni.cz>
Message-ID: <4651C50D.7080605@freemail.hu>

Hi!

Petr Pisar wrote:
> On 2007-05-11, Gáspár Lajos <swifty@freemail.hu> wrote:
>
>> Hi all,
>>
>> I was reading the iptables manual because I needed the correct arguments
>> of the policy (-P) command.
>> Here it is:
>>
>> -P, --policy chain target
>> Set the policy for the chain to the given target. See the
>> section TARGETS for the legal targets. Only built-in (non-user-defined)
>> chains can
>> have policies, and neither built-in nor user-defined
>> chains can be policy targets.
>>
>> So I checked the TARGETS.
>>
>> TARGETS
>> A firewall rule specifies criteria for a packet, and a target.
>> If the packet does not match, the next rule in the chain is the
>> examined; if it does
>> match, then the next rule is specified by the value of the
>> target, which can be the name of a user-defined chain or one of the
>> special values ACCEPT,
>> DROP, QUEUE, or RETURN.
>>
>> My question is: What is the difference between the ACCEPT and the RETURN
>> target in policy ??? :D
>>
>>
> I think this is a misunderstanding in the man page. If you read the TARGETS
> section carefully you could see there is nothing about policy even if the -P
> paragraph refers to it.
>
Okay. That is right. There is nothing about policy in the TARGETS section. But there is no "POLICYTARGETS" section! :D

> My opinion is ACCEPT and DROP only are valid policies. I don't know
> where I have this idea from but I'm pretty sure that other targets make
> no sense in a policy context.
>
> -- Petr

I agree! I was just curious. :D

Swifty

From swifty at freemail.hu Mon May 21 17:59:39 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Mon May 21 19:35:13 2007
Subject: Packets lost
In-Reply-To: <1845.10.107.26.27.1179384883.squirrel@gpo.iitb.ac.in>
References: <3388.10.107.26.27.1179320821.squirrel@gpo.iitb.ac.in> <464B19A9.700@freemail.hu> <1845.10.107.26.27.1179384883.squirrel@gpo.iitb.ac.in>
Message-ID: <4651C1EB.8090004@freemail.hu>

Vasantha Kumar Puttappa wrote:
> Hi Lajos,
> Thanks for responding so fast. I did try adding the forward rule, but
> still packets are missing.
> Let me give you more insight into what I am trying to do.
> I have a virtual network interface and 2 physical network interfaces (one
> Ethernet based, and the other 802.11 based). The virtual network interface
> dynamically binds to any one of the above physical interfaces for packet
> transmission. The issue of packet loss occurs **only** during link
> switching.
>
What is this "link switching" really? What about routing and source addresses?

> I feel that the following issues might be the possible reasons for the
> packet loss.
>
> 1. Due to missing soft_IRQ interrupt for packets and hence packet loss (I
> have no proof to back this)
> 2. Due to incompatible wireless device driver.
>
>
> Any thoughts on this ?
>
What if you use a bridge on those three and the condition extension of iptables?

Swifty

From swifty at freemail.hu Mon May 21 18:03:58 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Mon May 21 19:35:25 2007
Subject: Default deny rule
In-Reply-To: <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com>
References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu> <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> <4648570D.4040308@freemail.hu> <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com>
Message-ID: <4651C2EE.2080803@freemail.hu>

Hi,

Gopinath wrote:
> Hi,
>
> My objective is to replace my existing firewall with a Linux firewall.
> We have point to point connectivity through VSAT with one of our
> customers. The only major thing which the firewall needs to do is STATIC
> NAT. As you may see, since this is a point to point connectivity all the
> IPs employed are Private IPs. While checking the f/w in simulation
> mode, things were working fine (except default denying). I already
> tried to achieve DEFAULT DENY by changing the default behaviour of the
> FORWARD policy to DROP by issuing the command "iptables -P FORWARD
> DROP". But when I do this all the traffic gets dropped.

So if EVERYTHING is dropped then your rules do not get hit by the traffic. (Your rules are wrong.) Try to capture the traffic. Maybe you can find the problem.

>
> Again I tried by appending a policy in the forward chain (last rule) to

(policy is always the last rule... :D )

> drop all the packets by default. But even this didn't work out. Hope
> you can understand my requirement & how I do the NATTing from my
> previous mail.
>
> Even though I have worked a bit with iptables before, I am a beginner
> in building a Linux firewall with iptables :-)
>
> Cheers :)
> Gopinath.U

Swifty

From prieheck at iwu.edu Mon May 21 18:34:10 2007
From: prieheck at iwu.edu (Pat Riehecky)
Date: Mon May 21 19:36:39 2007
Subject: Conntrack rule timeout problem
Message-ID: <1179765250.12001.18.camel@thales.lan>

I seem to be capturing way more packets than I intend (or even expect!). I am running squid and have the firewall rules below running on it. For some reason I am capturing hundreds of packets that I don't think should be caught. I have increased the timeouts in /proc/ (via sysctl) to fix this, but no dice.

Anyone have any idea why the sample packet below would be captured? It is getting picked up by either the

-A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate INVALID -j DROP

but sometimes the

-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

The packet looks to have been requested by squid, it is coming on port 80...

I also seem to be having the same behavior on the squid side where the FIN/ACK packets are being caught by the conntrack rule...

I know I have something wrong, just what exactly is eluding me...

Any help would be helpful!

--- sample capture A ---
IN=eth0 OUT= MAC=00:0a:e9:6b:9e:ba:00:10:80:ec:37:5f:08:00 SRC=199.239.137.245 DST=XXX.YYY.ZZZ.AAA LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=620 DF PROTO=TCP SPT=80 DPT=60338 WINDOW=37260 RES=0x00 ACK URGP=0

--- sample capture B ---
IN=eth0 OUT= MAC=00:0a:a9:60:9e:ba:00:10:80:ec:37:5f:08:00 SRC=222.28.249.164 DST=XXX.YYY.ZZZ.AAA LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=34912 DF PROTO=TCP SPT=1802 DPT=3128 WINDOW=65535 RES=0x00 ACK FIN URGP=0

--- sysctl.conf ---
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=0
net.ipv4.netfilter.ip_conntrack_udp_timeout = 20
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 95
net.ipv4.netfilter.ip_conntrack_generic_timeout=650
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close=20
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=180

--- rules ---
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 4/sec --limit-burst 9 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 255.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -s 0.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -s 192.168.0.0/255.255.0.0 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 9/sec --limit-burst 15 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -j DROP

From pascal.mail at plouf.fr.eu.org Mon May 21 20:27:15 2007
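Pat's two captures can be decoded rather than guessed at. The following is an added example (not Pat's code and not iptables output): it parses iptables LOG lines into fields plus flag sets, applies the same `--syn` test the tcp match uses (SYN set, ACK/RST/FIN clear), and states what a non-SYN segment landing in a `--state NEW` rule implies, namely that conntrack had no entry for that flow when the segment arrived. The two log lines are the ones from his message, with the DST he masked left as is.

```python
"""Explain why a logged TCP segment was classified NEW without a SYN.

Added example for Pat Riehecky's "Conntrack rule timeout problem" message; not
his code and not output of iptables.  CAPTURE_A and CAPTURE_B are the two log
lines from his message (he masked DST himself).  The `--syn` semantics are
those of the iptables tcp match: SYN set, ACK/RST/FIN clear.
"""
TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
IP_FLAG_NAMES = {"DF", "MF", "CE"}

CAPTURE_A = ("IN=eth0 OUT= MAC=00:0a:e9:6b:9e:ba:00:10:80:ec:37:5f:08:00 "
             "SRC=199.239.137.245 DST=XXX.YYY.ZZZ.AAA LEN=64 TOS=0x00 PREC=0x00 "
             "TTL=56 ID=620 DF PROTO=TCP SPT=80 DPT=60338 WINDOW=37260 RES=0x00 ACK URGP=0")
CAPTURE_B = ("IN=eth0 OUT= MAC=00:0a:a9:60:9e:ba:00:10:80:ec:37:5f:08:00 "
             "SRC=222.28.249.164 DST=XXX.YYY.ZZZ.AAA LEN=40 TOS=0x00 PREC=0x00 "
             "TTL=109 ID=34912 DF PROTO=TCP SPT=1802 DPT=3128 WINDOW=65535 RES=0x00 ACK FIN URGP=0")


def parse_log_line(line):
    """Split an iptables LOG line into KEY=VALUE fields plus the bare flag tokens."""
    pkt = {"tcp_flags": set(), "ip_flags": set()}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)   # "OUT=" yields an empty value
            pkt[key] = value
        elif token in TCP_FLAG_NAMES:
            pkt["tcp_flags"].add(token)
        elif token in IP_FLAG_NAMES:
            pkt["ip_flags"].add(token)
    return pkt


def is_syn(pkt):
    """iptables `--syn`: SYN set and ACK, RST, FIN all clear."""
    flags = pkt["tcp_flags"]
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})


def explain(pkt):
    """What a non-SYN segment hitting a `--state NEW` rule tells you about conntrack."""
    if pkt.get("PROTO") != "TCP":
        return "not TCP"
    flags = pkt["tcp_flags"]
    if is_syn(pkt):
        return "SYN: a genuine connection attempt, NEW is the expected state"
    if "RST" in flags:
        return "RST for a flow conntrack does not track: a late reset, dropping it is harmless"
    if "FIN" in flags:
        return ("FIN/ACK for a flow conntrack no longer tracks: its entry expired or was "
                "never created, so the close is classified NEW and dropped")
    return ("mid-stream ACK for a flow conntrack does not track: its entry expired or "
            "was never created, so the segment is classified NEW and dropped")


def summarize(lines):
    """(src:spt -> dst:dpt, explanation) for each log line."""
    out = []
    for line in lines:
        pkt = parse_log_line(line)
        flow = f"{pkt.get('SRC')}:{pkt.get('SPT')} -> {pkt.get('DST')}:{pkt.get('DPT')}"
        out.append((flow, explain(pkt)))
    return out


if __name__ == "__main__":
    for flow, why in summarize([CAPTURE_A, CAPTURE_B]):
        print(flow, "|", why)
```

Capture A is a server-to-squid ACK (source port 80 to local ephemeral port 60338) and capture B is a client closing its proxy session (FIN/ACK to 3128); both are legitimate tail-end traffic whose conntrack entry was already gone. A distinct `--log-prefix` on each of the two DROP rules would show which one fired, since the LOG line itself does not say.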
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Mon May 21 21:30:05 2007
Subject: is it possible to block ip packets that contains experimental tcp options ?
In-Reply-To: <1179747134.32083.19.camel@bathory.webcat.no>
References: <F163413C9250D211A55C0060979D5280016AB361@hertz.rad.nd.edu> <1179747134.32083.19.camel@bathory.webcat.no>
Message-ID: <4651E483.9000204@plouf.fr.eu.org>

Hello,

Glenn Terjesen wrote:
> What I meant with "experimental tcp options" is that my IDS (snort)
> kept logging these "experimental tcp options"
>
> #
> code 76
> length 8
> data 01019DEDBEF00005
>
> I know this ain't a snort list, but my servers don't serve any services
> that require this kind of traffic.
>
> So I was wondering if iptables has any way of blocking these.

If you have a black list of options you want to drop (or a white list of allowed options), what about the "--tcp-option" option of the "tcp" match?

> These two magic lines fixed it all
> iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

I wonder how these rules could drop packets according to TCP options. TCP flag combinations are not TCP options.

From nokiairc at gmail.com Mon May 21 21:12:20 2007
From: nokiairc at gmail.com (TheNokia)
Date: Mon May 21 22:14:34 2007
Subject: iptables doesn't keep chain list after reboot
Message-ID: <b6d73fa90705211212g3cd8464lf48e380a9256a79d@mail.gmail.com>

Ok, both of you tell me to put it in /etc/rc.local, but can you give me an example? I don't want to do something wrong.

From MuziniM at losrios.edu Mon May 21 21:50:59 2007
From: MuziniM at losrios.edu (Muzinich, Mike)
Date: Mon May 21 22:53:16 2007
Subject: URL Logging
In-Reply-To: <922E6125ECDCDB4F9F1B845B7DE99ECA015CCFCE@do-exch04.do.ad.losrios.edu>
Message-ID: <922E6125ECDCDB4F9F1B845B7DE99ECA015CCFCF@do-exch04.do.ad.losrios.edu>

Is anyone aware of a non-proxy product i.e. Squid that will log full URL information for HTTP requests that is meant to be run as a daemon on a Linux router/firewall? I don't believe there is an elegant way to do this with IPTABLES.

From altitude at funkware.com Tue May 22 02:30:34 2007
From: altitude at funkware.com (Alex Tang)
Date: Tue May 22 03:33:08 2007
Subject: ip_conntrack table full after upgrade from RHEL3 (2.4/1.2.8) to RHEL4U4 (2.6.9/1.2.11)
Message-ID: <465239AA.9020007@funkware.com>

Hi folks.

I've been having a problem on a machine that does a high volume of sendmail traffic. The machine gets approx 50,000 connections per hour to port 25.

The machine was upgraded from a RHEL3 based system (kernel rpm 2.4.21-47.EL and iptables rpm 1.2.8-12.3) to a RHEL4 based system (kernel rpm 2.6.9-55.EL and iptables rpm 1.2.11-3.1.RHEL4).

Since the upgrade has occurred, the conntrack table fills up relatively fast (within one day). The max size is 65536 (as per /proc/sys/net/ipv4/netfilter/ip_conntrack_max).

I've been searching through the archives, FAQ, etc. and have found the usual standard answer is to increase the ip_conntrack_max. However, I'm concerned for a couple of reasons that this may not be the proper answer.

In particular, I have another machine which is still running the RHEL3 (kernel 2.4.21-47.EL/iptables 1.2.8-12.3), that gets more connections per hour (80,000 vs. 50,000), and there are only about 9000 entries in the ip_conntrack table on that machine.

The problem with the conntrack table filling up fast started as soon as we did the upgrade.

Also, on the machine that is currently experiencing problems, most (98%) of the connections are in the ESTABLISHED state, however the majority of these connections are not seen when doing a "netstat".

I admit that I do not fully understand the details of the iptables implementation, but it seems that the connection close is not being "seen" by the conntrack code and connections that have already gone away are still in the ip_conntrack table, and we have to wait for these connections to "timeout" before they are expired from the conntrack table.

I could of course increase the max size of the table, or decrease /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established, but it seems that would only mask the problem, not actually fix it.

Is this a known issue in iptables? Or am I going down the wrong path?

Thanks for your help.

...alex...

From glenn at webcat.no Tue May 22 10:58:24 2007
From: glenn at webcat.no (Glenn Terjesen)
Date: Tue May 22 12:00:39 2007
Subject: is it possible to block ip packets that contains experimental tcp options ?
In-Reply-To: <4651E483.9000204@plouf.fr.eu.org>
References: <F163413C9250D211A55C0060979D5280016AB361@hertz.rad.nd.edu> <1179747134.32083.19.camel@bathory.webcat.no> <4651E483.9000204@plouf.fr.eu.org>
Message-ID: <1179824305.32083.69.camel@bathory.webcat.no>

Thanks a lot Pascal,

iptables -A FORWARD -p tcp --tcp-option 76 -j REJECT

seems to be working.

On Mon, 2007-05-21 at 20:27 +0200, Pascal Hambourg wrote:
> Hello,
>
> Glenn Terjesen wrote:
> > What I meant with "experimental tcp options" is that my IDS (snort)
> > kept logging these "experimental tcp options"
> >
> > #
> > code 76
> > length 8
> > data 01019DEDBEF00005
> >
> > I know this ain't a snort list, but my servers don't serve any services
> > that require this kind of traffic.
> >
> > So I was wondering if iptables has any way of blocking these.
>
> If you have a black list of options you want to drop (or a white list of
> allowed options), what about the "--tcp-option" option of the "tcp" match?
>
> > These two magic lines fixed it all
> > iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> > iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
>
> I wonder how these rules could drop packets according to TCP options.
> TCP flag combinations are not TCP options.
>
>
-- 
Kind regards, Glenn Terjesen @ Webcat AS
Tel: +47 37 02 20 20
E-mail: support@webcat.no

From pascal.mail at plouf.fr.eu.org Tue May 22 11:59:28 2007
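Pascal's distinction between TCP flags and TCP options, which Glenn's `--tcp-option 76` rule finally relies on, is easy to check in code. The following is an added example (mine, not from Pascal, Glenn or iptables): it walks a TCP options field the way the kernel does, then evaluates the three rules from this thread against a plain SYN that carries a kind-76 option. The two `--tcp-flags` rules do not match it; `--tcp-option 76` does. The options bytes are constructed; the kind and length (76, 8) are the ones Glenn's Snort log reported, and the six data bytes are placeholders.

```python
"""Match TCP segments by option kind, the way `-m tcp --tcp-option` does.

Added example for this thread, not code from any poster or from iptables.
SAMPLE_OPTIONS is constructed: a typical SYN's MSS, SACK-permitted, timestamp,
NOP and window-scale options, followed by a kind-76 option.  Kind 76 and
length 8 come from Glenn's Snort log; the six data bytes are placeholders.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG   # what iptables calls ALL
NONE = 0                                 # what iptables calls NONE

SAMPLE_OPTIONS = bytes.fromhex(
    "020405b4"              # kind 2 MSS, len 4, 1460
    "0402"                  # kind 4 SACK permitted, len 2
    "080a0011223300000000"  # kind 8 timestamps, len 10
    "01"                    # kind 1 NOP
    "030307"                # kind 3 window scale, len 3, shift 7
    "4c089dedbef00005"      # kind 76, len 8, six placeholder data bytes
)


def parse_tcp_options(opts):
    """Return [(kind, data), ...] for a TCP options field.

    Kinds 0 (end of list) and 1 (NOP) are single bytes; every other kind
    carries a length byte that counts the kind and length bytes too (RFC 793).
    """
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def has_tcp_option(opts, kind):
    """The `--tcp-option <kind>` test: does any option of this kind appear?"""
    return any(k == kind for k, _ in parse_tcp_options(opts))


def tcp_flags_match(flags, mask, comp):
    """The `--tcp-flags <mask> <comp>` test: of the bits in mask, exactly comp are set."""
    return (flags & mask) == comp


def rule_hits(flags, opts):
    """Which of the three rules discussed in the thread would match this segment."""
    return {
        "--tcp-flags ALL ALL": tcp_flags_match(flags, ALL, ALL),
        "--tcp-flags ALL NONE": tcp_flags_match(flags, ALL, NONE),
        "--tcp-option 76": has_tcp_option(opts, 76),
    }


if __name__ == "__main__":
    for kind, data in parse_tcp_options(SAMPLE_OPTIONS):
        print(f"kind {kind:3d} data {data.hex()}")
    print(rule_hits(SYN, SAMPLE_OPTIONS))
```

The flag rules only ever look at the six control bits in the TCP header, so a well-formed SYN (flags 0x02) sails past both of them whatever options it carries; the option match is the one that inspects the variable part of the header.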
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Tue May 22 13:01:46 2007 Subject: ip_conntrack table full after upgrade from RHEL3 (2.4/1.2.8) to RHEL4U4 (2.6.9/1.2.11) In-Reply-To: <465239AA.9020007@funkware.com> References: <465239AA.9020007@funkware.com> Message-ID: <4652BF00.2080501@plouf.fr.eu.org> Hello, Alex Tang wrote: > > I've been having a problem on a machine that does a high volume of > sendmail traffic. The machine gets approx 50,000 connections per hour > to port 25. > The machine was upgraded from a RHEL3 based system (kernel rpm > 2.4.21-47.EL and iptables rpm 1.2.8-12.3) to a RHEL4 based system > (kernel rpm 2.6.9-55.EL and iptables rpm 1.2.11-3.1.RHEL4). You should really consider upgrading to something more recent, because kernel 2.6.9 and iptables 1.2.11 are *badly* outdated. > Since the upgrade has occurred, the conntrack table fills up relatively > fast (within one day). The max size is 65536 (as per > /proc/sys/net/ipv4/netfilter/ip_conntrack_max). > > I've been searching through the archives, faq, etc and have found the > usual standard answer is to increase the ip_conntrack_max. However, I'm > concerned for a couple of reasons that this may not be the proper answer. > > In particular, i have another machine which is still running the RHEL3 > (kernel 2.4.21-47.EL/iptables 1.2.8-12.3), that gets more connections > per hour (80,000 vs. 50,000), and there are only about 9000 entries in > the ip_conntrack table on that machine. > > The problem with the conntrack table filling up fast started as soon as > we did the upgrade. > > Also, on the machine that is currently experiencing problems, most (98%) > of the connections are in the ESTABLISHED state, however the majority of > these connections are not seen when doing a "netstat".
> > I admit that I do not fully understand the details of the iptables > implementation, but it seems that the connection close is not being > "seen" by the conntrack code and connections that have already gone away > are still in the ip_conntrack table, and we have to wait for these > connections to "timeout" before they are expired from the conntrack table. And the default timeout for established TCP connections is 5 days, so it takes a looong time. A noticeable difference between kernel 2.6.9 and earlier versions is the TCP window tracking, which was added in 2.6.9. It adds TCP sequence number checking to the connection tracking, so any TCP packet with an out-of-window sequence number is tagged INVALID. If the TCP window tracking considers that the FIN packet sequence numbers are out-of-window for whatever reason, this may be the reason why the 2.6.9 kernel connection tracking keeps old connections. You may add LOG iptables rules to track TCP FIN packets states. > I could of course, increase the max size of the table, or decrease the > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established, but > it seems that would only mask the problem, not actually fix it. I agree. You could also decrease the value of /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established to something much shorter than 5 days but again this would only mask the problem. Try to set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1. This setting makes TCP window tracking more liberal, so only out-of-window TCP RST packets are tagged INVALID. Note that later kernel versions provided some bugfixes for the TCP window tracking that may fix this issue. From andang76 at gmail.com Tue May 22 12:30:11 2007
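An added example, not code from the thread: a small Python script that does the reconciliation Alex describes by hand, listing conntrack entries in ESTABLISHED that no longer correspond to any local socket. It parses the 2.6-era /proc/net/ip_conntrack line format and `netstat -tn` output; both inputs below are constructed samples, and the 5.5% leak figure in the usage is an assumed illustration, not a measurement from the thread. On a real host you would feed it the output of `cat /proc/net/ip_conntrack` and `netstat -tn`. The comparison is only meaningful on a box that terminates the connections itself, as a mail server does; on a forwarding firewall conntrack legitimately holds flows that no local socket owns.

```python
"""Reconcile ip_conntrack entries against the local TCP socket table.

Added example for this thread, not code from it. Assumes the 2.6.9-era
/proc/net/ip_conntrack line layout and `netstat -tn` columns; the two
samples below are constructed, with RFC 5737 documentation addresses.
"""
import re
from collections import Counter

TCP_ESTABLISHED_TIMEOUT_DEFAULT = 5 * 24 * 3600  # 432000 s, the "5 days" from the thread

# Constructed sample of /proc/net/ip_conntrack. Format per line:
# proto protonum timeout [tcp-state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] use=N
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=40001 dport=25 src=203.0.113.5 dst=192.0.2.10 sport=25 dport=40001 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=192.0.2.11 dst=203.0.113.5 sport=40002 dport=25 src=203.0.113.5 dst=192.0.2.11 sport=25 dport=40002 [ASSURED] use=1
tcp      6 431900 ESTABLISHED src=192.0.2.13 dst=203.0.113.5 sport=40004 dport=25 src=203.0.113.5 dst=192.0.2.13 sport=25 dport=40004 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=192.0.2.12 dst=203.0.113.5 sport=40003 dport=25 src=203.0.113.5 dst=192.0.2.12 sport=25 dport=40003 [ASSURED] use=1
tcp      6 59 SYN_SENT src=192.0.2.14 dst=203.0.113.5 sport=40005 dport=25 [UNREPLIED] src=203.0.113.5 dst=192.0.2.14 sport=25 dport=40005 use=1
udp      17 29 src=192.0.2.20 dst=203.0.113.5 sport=53000 dport=53 src=203.0.113.5 dst=192.0.2.20 sport=53 dport=53000 use=1
"""

# Constructed sample of `netstat -tn` on the same host (only two of the
# three ESTABLISHED conntrack flows still have a socket).
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.5:25          192.0.2.10:40001        ESTABLISHED
tcp        0      0 203.0.113.5:25          192.0.2.12:40003        TIME_WAIT
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """Return one dict per conntrack line: proto, remaining timeout, TCP state, flow key."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto, timeout = fields[0], int(fields[2])
        # Only TCP lines carry a state word before the first tuple.
        state = fields[3] if proto == "tcp" else None
        orig = {}
        for key, value in _KV.findall(line):
            # The first src/dst/sport/dport quartet is the original direction.
            if key in ("src", "dst", "sport", "dport") and key not in orig:
                orig[key] = value
        entries.append({
            "proto": proto,
            "timeout": timeout,
            "state": state,
            "assured": "[ASSURED]" in line,
            # Direction-independent key so it can be matched against a socket.
            "flow": frozenset({(orig["src"], orig["sport"]), (orig["dst"], orig["dport"])}),
        })
    return entries


def parse_netstat(text):
    """Return the set of TCP flow keys that still have a socket on this host."""
    sockets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        local_host, local_port = fields[3].rsplit(":", 1)
        remote_host, remote_port = fields[4].rsplit(":", 1)
        sockets.add(frozenset({(local_host, local_port), (remote_host, remote_port)}))
    return sockets


def reconcile(conntrack_text, netstat_text):
    """Count TCP conntrack entries by state and find ESTABLISHED ones with no socket."""
    tcp = [e for e in parse_conntrack(conntrack_text) if e["proto"] == "tcp"]
    sockets = parse_netstat(netstat_text)
    stale = [e for e in tcp if e["state"] == "ESTABLISHED" and e["flow"] not in sockets]
    return {
        "tcp_entries": len(tcp),
        "by_state": Counter(e["state"] for e in tcp),
        "stale_established": stale,
        "stale_fraction": len(stale) / len(tcp) if tcp else 0.0,
        # A stale entry stays until its own countdown expires; report the longest.
        "max_stale_timeout_s": max((e["timeout"] for e in stale), default=0),
    }


def hours_to_fill(conn_per_hour, leak_fraction, max_entries):
    """Hours until a table of max_entries fills if leak_fraction of new connections
    are never released by conntrack. With the 5-day default timeout a leaked entry
    outlives the fill time, so the table fills at the leak rate, not the connection rate."""
    leaked_per_hour = conn_per_hour * leak_fraction
    if leaked_per_hour <= 0:
        return float("inf")
    return max_entries / leaked_per_hour


if __name__ == "__main__":
    result = reconcile(CONNTRACK_SAMPLE, NETSTAT_SAMPLE)
    print("TCP conntrack entries by state:", dict(result["by_state"]))
    print("ESTABLISHED entries with no local socket:", len(result["stale_established"]))
    for entry in result["stale_established"]:
        print("  ", sorted(entry["flow"]), "expires in %d s" % entry["timeout"])
    # Assumed 5.5%% leak: enough to hit 65536 within a day at 50,000 connections/hour.
    print("hours to fill 65536 at 50000 conn/h with a 5.5%% leak: %.1f" % hours_to_fill(50000, 0.055, 65536))
```

The point of hours_to_fill() is that raising ip_conntrack_max only buys time: a leak of a few percent at 50,000 connections per hour fills 65536 entries within a day, and a leaked entry sits there for up to 5 days. To see which FIN/RST packets window tracking is rejecting, log what the state match flags as INVALID before it is dropped, e.g. iptables -A INPUT -p tcp -m state --state INVALID -j LOG --log-prefix "ct-invalid: " (the LOG approach Pascal suggests; the prefix is my choice), then compare the logged sequence numbers with the entries this script reports as stale.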
From: andang76 at gmail.com (Andrea) Date: Tue May 22 13:32:28 2007 Subject: problems applying ipset patch Message-ID: <4652C633.902@gmail.com> hi, this is my first post here. [don't know if I have to use the developer mailing list, sorry if i'm wrong]. I've tried to apply the ipset patch in my CentOS 4.4 distribution, without success. I've followed instructions here http://www.howtoforge.com/kernel_compilation_centos_p2?s=aabdb730a09fa747d00f2b9a3ff431cc& (CentOS Kernel Compile) and here http://ipset.netfilter.org/install.html (ipset patch apply). The patch is applied successfully, but when I try to recompile, I obtain these errors (after a long list of compiled files): ... LD .tmp_vmlinux1 net/built-in.o(.init.text+0x16f1): In function `ipt_ipset_init': net/ipv4/netfilter/ipt_set.c:133: undefined reference to `xt_register_match' net/built-in.o(.init.text+0x1700): In function `ipt_SET_init': net/ipv4/netfilter/ipt_SET.c:151: undefined reference to `xt_register_target' net/built-in.o(.exit.text+0x41): In function `ipt_ipset_fini': net/ipv4/netfilter/ipt_set.c:138: undefined reference to `xt_unregister_match' net/built-in.o(.exit.text+0x50): In function `ipt_SET_fini': net/ipv4/netfilter/ipt_SET.c:156: undefined reference to `xt_unregister_target' make: *** [.tmp_vmlinux1] Error 1 I've tried twice, using two combinations of kernel (downloaded from www.kernel.org) and patch-o-matic (downloaded first time from http://ipset.netfilter.org/, second from patch-o-matic snapshots). I've applied only the ipset patch (launching only the ./runme set command, just as explained on the ipset site). Maybe I need to apply other patches from patch-o-matic? Thanks for the help From Michal.Filka at sitronicsts.com Tue May 22 14:35:54 2007
From: Michal.Filka at sitronicsts.com (Filka Michal) Date: Tue May 22 15:39:08 2007 Subject: simple question Message-ID: <2DD3CA89774593478BC28081C7392595BEC225@exalfa.stromtelecom.cz> Hi, Can anyone tell me what exactly means an update event. Of course, I have an idea, but I need to confirm it. So, does it mean that "state" attribute changed (E.g. connection state, counter, ... ), or is it related to a "configuration" attribute? Thanks, Michal Filka From lcguy229 at yahoo.com Tue May 22 16:28:08 2007 From: lcguy229 at yahoo.com (Jon Tim) Date: Tue May 22 17:30:30 2007 Subject: Bridge Transparent Proxy Message-ID: <915989.4708.qm@web38509.mail.mud.yahoo.com> HI Expert, Please allow me to ask bridge transparent proxy. I have public IP address 203.X.X.X and I used Bridge between Wireless LAN access point and HUB. So, all IP are in 203.X.X.X with same subnet mask 255.255.255.0. Internet----------> eth0------>bridge<------eth1<--------WirelessAP Bridge is working well with 2 NICs. My question is I would like to forward only port 80 and 443 from eth1 to eth0 and would like to log http traffic pass through bridge. Please let me know which command to type in iptables. Best regards, Jon ____________________________________________________________________________________Get the Yahoo! toolbar and be alerted to new email wherever you're surfing. http://new.toolbar.yahoo.com/toolbar/features/mail/index.php From robert at leblancnet.us Tue May 22 16:35:50 2007
From: robert at leblancnet.us (Robert LeBlanc) Date: Tue May 22 17:38:07 2007 Subject: Bridge Transparent Proxy In-Reply-To: <915989.4708.qm@web38509.mail.mud.yahoo.com> Message-ID: <C2785BE6.1C244%robert@leblancnet.us> You will need to look at ebtables. Bridging will bypass iptables. Ebtables is much like iptables, but there are some subtle differences that may choke you up. Haven't worked much with it though. Robert On 5/22/07 8:28 AM, "Jon Tim" <lcguy229@yahoo.com> wrote: > HI Expert, > > Please allow me to ask bridge transparent proxy. > > I have public IP address 203.X.X.X and I used Bridge > between Wireless LAN access point and HUB. So, all IP > are in 203.X.X.X with same subnet mask 255.255.255.0. > > Internet----------> > eth0------>bridge<------eth1<--------WirelessAP > > Bridge is working well with 2 NICs. > > My question is I would like to forward only port 80 > and 443 from eth1 to eth0 and would like to log http > traffic pass through bridge. > > Please let me know which command to type in iptables. > > Best regards, > Jon > > > > ______________________________________________________________________________ > ______Get the Yahoo! toolbar and be alerted to new email wherever you're > surfing. > http://new.toolbar.yahoo.com/toolbar/features/mail/index.php > Robert LeBlanc BioAg Computer Support Brigham Young University leblanc@byu.edu (801)422-1882 From jpb at entel.ca Tue May 22 17:46:04 2007
From: jpb at entel.ca (Paul Blondé) Date: Tue May 22 18:48:31 2007 Subject: iptables doesn't keep chain list after reboot In-Reply-To: <b6d73fa90705211212g3cd8464lf48e380a9256a79d@mail.gmail.com> Message-ID: <000a01c79c88$4e494b20$5a05a8c0@nisgaa.net> I recommend you read the site iptablesrocks.org very carefully while you are making changes to your iptables firewall, as you can easily lock yourself out of your own computer with netfilter. If you had, as I suggested before, you would have found these instructions: (assuming you made a file called primary_firewall in the home directory of the root user, as the instructions on the site indicate) copy the firewall file somewhere useful: cp /root/primary_firewall /etc/sysconfig/iptables edit /etc/rc.local with your favourite text editor: emacs /etc/rc.local (or vi, vim, xemacs, whatever) add the following line: /sbin/insmod ip_conntrack_ftp I had to use a different method because the server I "inherited" from the person who set it up was really messed up, but it should work on your average Linux box. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Paul Blondé Web Programmer enTel Communications Inc jpb@entel.ca 250.633.5151 866.633.2644 > -----Original Message----- > From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of TheNokia > Sent: Monday, May 21, 2007 12:12 PM > To: netfilter@lists.netfilter.org > Subject: iptables doesn't keep chain list after reboot > > > Ok, both of you tell me to put in /etc/rc.local but can you > give me an example ? > > I don't want to do something wrong. > From pascal.mail at plouf.fr.eu.org Tue May 22 18:06:12 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Tue May 22 19:08:32 2007 Subject: Bridge Transparent Proxy In-Reply-To: <C2785BE6.1C244%robert@leblancnet.us> References: <C2785BE6.1C244%robert@leblancnet.us> Message-ID: <465314F4.1060007@plouf.fr.eu.org> Hello, Robert LeBlanc wrote: > You will need to look at ebtables. Bridging will bypass iptables. Bridged IPv4 packets traverse the iptables chains if the kernel was compiled with Netfilter bridge support (CONFIG_BRIDGE_NETFILTER=y). It allows finer filtering than ebtables, for instance accepting only outgoing HTTP/HTTPS connections and related ICMP messages in both directions thanks to connection tracking, e.g. : iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m physdev --physdev-in eth1 -m state --state NEW \ -p tcp -m multiport --dports 80,443 -j ACCEPT From gtaylor at riverviewtech.net Tue May 22 18:09:28 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue May 22 19:10:23 2007 Subject: Bridge Transparent Proxy In-Reply-To: <C2785BE6.1C244%robert@leblancnet.us> References: <C2785BE6.1C244%robert@leblancnet.us> Message-ID: <465315B8.1070304@riverviewtech.net> On 05/22/07 09:35, Robert LeBlanc wrote: > You will need to look at ebtables. Bridging will bypass iptables. Ebtables > is much like iptables, but there are some subtle differences that may choke > you up. Haven't worked much with it though. You can configure the kernel to apply IPTables Net Filters (Layer 3) to EBTables bridged (Layer 2) traffic. To quote the (2.6.8.1) kernel source: """ CONFIG_BRIDGE_NETFILTER - Enabling this option will let arptables resp. iptables see bridged ARP resp. IP traffic. If you want a bridging firewall, you probably want this option enabled. Enabling or disabling this option doesn't enable or disable ebtables. """ Grant. . . . From jpb at entel.ca Tue May 22 18:10:13 2007
From: jpb at entel.ca (Paul Blondé) Date: Tue May 22 19:12:36 2007 Subject: ip_conntrack table full after upgrade from RHEL3 (2.4/1.2.8) to RHEL4U4 (2.6.9/1.2.11) In-Reply-To: <4652BF00.2080501@plouf.fr.eu.org> Message-ID: <000b01c79c8b$adc478b0$5a05a8c0@nisgaa.net> Note that since RHEL is the enterprise Linux version from RedHat, you should probably keep your updates fairly close to theirs. The focus of enterprise releases of Linux is stability and security, so you would be better off updating to RHEL5 than RHEL4 at this time. This will also ensure that you get at least a reasonably recent version of netfilter/iptables, although it wouldn't hurt to update that further if it is not the latest. There is also a good list of PREROUTING filters for a number of purposes at the iptablesrocks.org site, I have used their "general web server firewall" configuration virtually unchanged with much success. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Paul Blondé > -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of > Pascal Hambourg > Sent: Tuesday, May 22, 2007 2:59 AM > To: netfilter@lists.netfilter.org > Subject: Re: ip_conntrack table full after upgrade from RHEL3 > (2.4/1.2.8) to RHEL4U4 (2.6.9/1.2.11) > > > Hello, > > Alex Tang wrote: > > > > I've been having a problem on a machine that does a high volume of > > sendmail traffic. The machine gets approx 50,000 > connections per hour > > to port 25. > > The machine was upgraded from a RHEL3 based system (kernel rpm > > 2.4.21-47.EL and iptables rpm 1.2.8-12.3) to a RHEL4 based system > > (kernel rpm 2.6.9-55.EL and iptables rpm 1.2.11-3.1.RHEL4). > > You should really consider upgrading to something more > recent, because > kernel 2.6.9 and iptables 1.2.11 are *badly* outdated. > > > Since the upgrade has occurred, the conntrack table fills > up relatively > > fast (within one day). The max size is 65536 (as per > > /proc/sys/net/ipv4/netfilter/ip_conntrack_max). > > > > I've been searching through the archives, faq, etc and have > found the > > usual standard answer is to increase the ip_conntrack_max. > However, I'm > > concerned for a couple of reasons that this may not be the > proper answer. > > > > In particular, i have another machine which is still > running the RHEL3 > > (kernel 2.4.21-47.EL/iptables 1.2.8-12.3), that gets more > connections > > per hour (80,000 vs. 50,000), and there are only about 9000 > entries in > > the ip_conntrack table on that machine. > > > > The problem with the conntrack table filling up fast > started as soon as > > we did the upgrade. > > > > Also, on the machine that is currently experiencing > problems, most (98%) > > of the connections are in the ESTABLISHED state, however > the majority of > > these connections are not seen when doing a "netstat".
> > > > I admit that I do not fully understand the details of the iptables > > implementation, but it seems that the connection close is not being > > "seen" by the conntrack code and connections that have > already gone away > > are still in the ip_conntrack table, and we have to wait for these > > connections to "timeout" before they are expired from the > conntrack table. > > And the default timeout for established TCP connections is 5 > days, so it > takes a looong time. > > A noticeable difference between kernel 2.6.9 and earlier > versions is the > TCP window tracking, which was added in 2.6.9. It adds TCP sequence > number checking to the connection tracking, so any TCP packet with an > out-of-window sequence number is tagged INVALID. If the TCP window > tracking considers that the FIN packet sequence numbers are > out-of-window for whatever reason, this may be the reason why > the 2.6.9 > kernel connection tracking keeps old connections. You may add LOG > iptables rules to track TCP FIN packets states. > > > I could of course, increase the max size of the table, or > decrease the > > > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_establis > hed, but > > it seems that would only mask the problem, not actually fix it. > > I agree. You could also decrease the value of > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established to > something much shorter than 5 days but again this would only mask the > problem. > > Try to set > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to > 1. This setting makes TCP window tracking more liberal, so only > out-of-window TCP RST packets are tagged INVALID. > > Note that later kernel versions provided some bugfixes for the TCP > window tracking that may fix this issue. > > From pablo at netfilter.org Tue May 22 19:00:01 2007
From: pablo at netfilter.org (Pablo Neira Ayuso) Date: Tue May 22 20:02:28 2007 Subject: [ANNOUNCE] Release libnfnetlink_conntrack Message-ID: <46532191.3050705@netfilter.org> Hi! The netfilter project proudly presents libnetfilter_conntrack-0.0.75 libnetfilter_conntrack is a userspace library providing a programming interface (API) to the in-kernel connection tracking state table. You can download it from: http://www.netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-0.0.75.tar.bz2 Happy tracking, Pablo (on behalf of the Netfilter Project) -- The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris -------------- next part -------------- libnetfilter_conntrack 0.0.75 ====================================================================== Changes from 0.0.50: - Fix inconsistency in the status flags bits [Pablo Neira] - Fix icmp_id setter and documentation [Phil Dibowitz] - Fix compilation with old glibc versions [Thomas Jarosch] - Fix inconsistency in the behaviour of nfct_set_attr with ATTR_STATUS [Pablo Neira] - Relax checks in the NAT detector functions [Pablo Neira] - Fix wrong documentation in nfct_get_attr_u[*] [Pablo Neira] - introduce new expectation API [Pablo Neira] - fix wrong port display in the XML output [Morten Isaksen] - use ntohs instead of htons in snprintf_default.c [Pablo Neira] - introduce examples files under utils/, remove old deprecated API test file [Pablo Neira] From robert at leblancnet.us Tue May 22 19:07:18 2007
From: robert at leblancnet.us (Robert LeBlanc) Date: Tue May 22 20:09:49 2007 Subject: Bridge Transparent Proxy In-Reply-To: <465315B8.1070304@riverviewtech.net> Message-ID: <C2787F66.1C272%robert@leblancnet.us> On 5/22/07 10:09 AM, "Grant Taylor" <gtaylor@riverviewtech.net> wrote: > On 05/22/07 09:35, Robert LeBlanc wrote: >> You will need to look at ebtables. Bridging will bypass iptables. Ebtables >> is much like iptables, but there are some subtle differences that may choke >> you up. Haven't worked much with it though. > > You can configure the kernel to apply IPTables Net Filters (Layer 3) to > EBTables bridged (Layer 2) traffic. > > To quote the (2.6.8.1) kernel source: > """ > CONFIG_BRIDGE_NETFILTER - Enabling this option will let arptables resp. > iptables see bridged ARP resp. IP traffic. If you want a bridging > firewall, you probably want this option enabled. > > Enabling or disabling this option doesn't enable or disable ebtables. > """ > > > > > Grant. . . . > Thanks, I wasn't aware of this option as I haven't done much with bridging since I had lots of trouble with trying to bridge and NAT on the same network (to allow the same physical network after my linux gateway to carry my public network and the NATed private network). I will have to look into it again, this option may have been a cause of some of my issues. Robert LeBlanc BioAg Computer Support Brigham Young University leblanc@byu.edu (801)422-1882 From gtaylor at riverviewtech.net Tue May 22 20:30:28 2007
From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue May 22 21:31:05 2007 Subject: Bridge Transparent Proxy In-Reply-To: <C2787F66.1C272%robert@leblancnet.us> References: <C2787F66.1C272%robert@leblancnet.us> Message-ID: <465336C4.5060600@riverviewtech.net> On 05/22/07 12:07, Robert LeBlanc wrote: > Thanks, I wasn't aware of this option as I haven't done much with > bridging since I had lots of trouble with trying to bridge and NAT on > the same network (use allow the same physical network after my linux > gateway to carry my public network and the NATed private network). I > will have to look into it again, this option may have been a cause of > some of my issues. *nod* Bridging Routers can be interesting critters to work with. Brouters are usually used to allow globally routable systems IP addresses to be used in front of and behind a firewall (of sorts). I.e. a small block of IP addresses that the brouter uses for its external IP address as well as internal public servers use IP addresses from to be directly accessible from the net without any sort of NAT. (INet) --- (Cable / DSL modem) --- (BRouter) --- (Server(s) --- (Workstation(s)) To pull this off usually you bridge the internal and external NICs together and multi home the bridge interface for your internal and external IP addresses. I.e. bri0 = A.B.C.D and bri0:1 = 192.168.144.254 are your IP addresses. In this case, you only bridge traffic to / from the A.B.C.x network and route any thing else. You can even serve DHCP on the internal LAN without a problem. In this scenario, you can use either EBTables or IPTables to do your filtering. The only thing you need to remember is to not bridge (DROP in the brouting table / BROUTE chain) any internal traffic and force it to be routed. Another way to say it is to only bridge traffic to / from your globally routable IP addresses. Remember that you will need to pass some ARP traffic too. Grant. . . .
From pascal.mail at plouf.fr.eu.org Tue May 22 20:36:50 2007 From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg) Date: Tue May 22 21:39:41 2007 Subject: Bridge Transparent Proxy In-Reply-To: <465336C4.5060600@riverviewtech.net> References: <C2787F66.1C272%robert@leblancnet.us> <465336C4.5060600@riverviewtech.net> Message-ID: <46533842.9080404@plouf.fr.eu.org> Grant Taylor wrote: > > Brouters are usually used to allow globally routable systems IP > addresses to be used in front of and behind a firewall (of sorts). I.e. > a small block of IP addresses that the brouter uses for its external IP > address as well as internal public servers use IP addresses from to be > directly accessible from the net without any sort of NAT. I'm curious : why is a bridge needed for this ? Doesn't a simple router do the job as well ? From robert at leblancnet.us Tue May 22 20:39:16 2007
From: robert at leblancnet.us (Robert LeBlanc) Date: Tue May 22 21:41:32 2007 Subject: Bridge Transparent Proxy In-Reply-To: <465336C4.5060600@riverviewtech.net> Message-ID: <C27894F4.1C28B%robert@leblancnet.us> On 5/22/07 12:30 PM, "Grant Taylor" <gtaylor@riverviewtech.net> wrote: > On 05/22/07 12:07, Robert LeBlanc wrote: >> Thanks, I wasn't aware of this option as I haven't done much with >> bridging since I had lots of trouble with trying to bridge and NAT on >> the same network (use allow the same physical network after my linux >> gateway to carry my public network and the NATed private network). I >> will have to look into it again, this option may have been a cause of >> some of my issues. > > *nod* Bridging Routers can be interesting critters to work with. > > Brouters are usually used to allow globally routable systems IP > addresses to be used in front of and behind a firewall (of sorts). I.e. > a small block of IP addresses that the brouter uses for its external IP > address as well as internal public servers use IP addresses from to be > directly accessible from the net without any sort of NAT. > > (INet) --- (Cable / DSL modem) --- (BRouter) --- (Server(s) > --- (Workstation(s)) > > To pull this off usually you bridge the internal and external NICs > together and multi home the bridge interface for your internal and > external IP addresses. I.e. bri0 = A.B.C.D and bri0:1 = 192.168.144.254 > are your IP addresses. > > In this case, you only bridge traffic to / from the A.B.C.x network and > route any thing else. You can even serve DHCP on the internal LAN without a problem. > > In this scenario, you can use either EBTables or IPTables to do your > filtering. The only thing you need to remember is to not bridge (DROP > in the brouting table / BROUTE chain) any internal traffic and force it > to be routed. Another way to say it is to only bridge traffic to / from > your globally routable IP addresses.
Remember that you will need to > pass some ARP traffic too. > > > > > Grant. . . . > That is what I did, I think there was a slight mis-configuration and my NAT was dropping traffic like crazy. It would only happen after a period of time though, no error messages that I could see. I had three separate internal nets and the 192.168.1.x would not work, but 192.168.2.x would more than the other one. I never did try out 192.168.3.x because I had so many issues with the first two. I'll have to look into it again someday. I just moved my servers out in front of my gateway for the time being. Robert LeBlanc BioAg Computer Support Brigham Young University leblanc@byu.edu (801)422-1882 From gtaylor at riverviewtech.net Tue May 22 20:51:04 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue May 22 21:51:43 2007 Subject: Bridge Transparent Proxy In-Reply-To: <46533842.9080404@plouf.fr.eu.org> References: <C2787F66.1C272%robert@leblancnet.us> <465336C4.5060600@riverviewtech.net> <46533842.9080404@plouf.fr.eu.org> Message-ID: <46533B98.9030706@riverviewtech.net> On 05/22/07 13:36, Pascal Hambourg wrote: > I'm curious : why is a bridge needed for this ? Doesn't a simple router > do the job as well ? No. Let me re-layout the network including IP addresses. (INet [A.B.C.Z]) --- (BRouter [A.B.C.D]) --- ([A.B.C.E] Server(s) [192.168.144.254] --- ([192.168.144.1-100]) Here you can see that you have the same subnet of A.B.C.x on both sides of the bridging router. There is no good (read easy) way to have the same subnet on multiple sides of a router short of double natting which in and of itself is not easy to do on a singular box. So what you do is bridge the A.B.C.x traffic to both networks and route the other subnet(s) as needed. Does this help? Grant. . . . From jpb at entel.ca Tue May 22 21:26:07 2007
From: jpb at entel.ca (Paul Blondé) Date: Tue May 22 22:28:35 2007 Subject: NAT addresses - RFC or tradition? In-Reply-To: <46533B98.9030706@riverviewtech.net> Message-ID: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net> I've noticed that a lot of people use the 192.168.X.X subnet for internal networks, is this (and the less-used 10-series) a requirement of some RFC, or a recommendation that has become tradition? We are using a completely different subnet, something similar to (for example) 42.127.129.X to further obfuscate the internal network from outside. This, and many other examples, produces a class-A subnet mask (some produce a class-B) when entered in WinXP's TCP/IP dialog, although the actual mask we use with it is class-C. Is this a no-no? Will it break our server's IPTables when communicating with it? Am I in for a lot of trouble? The addresses don't seem to cause any problems, but I don't want this to jump up and bite us in the bottom sometime down the road. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Paul Blondé From ramoni at databras.com.br Tue May 22 21:46:25 2007
From: ramoni at databras.com.br (Andre Guimarães) Date: Tue May 22 22:49:15 2007 Subject: NAT addresses - RFC or tradition? In-Reply-To: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net> References: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net> Message-ID: <200705221646.25925.ramoni@databras.com.br> It's quite simple. You're using public IPs in your internal networks. Some of these IPs may exist and have an owner and maybe even a web site. You'll be in trouble in the day you wish to access one of these IPs on the internet because you won't reach them because you have them on your network and so won't route the packets to the internet. The IP's in fact, don't have anything different, so you can use them and iptables will not have any problems. It's just a route problem, that as you chose to use these IP's, you won't be able to reach these real public IP's in the internet. Sorry for the bad English. On Tuesday 22 May 2007 16:26, Paul Blondé wrote: > I've noticed that a lot of people use the 192.168.X.X subnet for internal > networks, is this (and the less-used 10-series) a requirement of some RFC, > or a recommendation that has become tradition? > > We are using a completely different subnet, something similar to (for > example) 42.127.129.X to further obfuscate the internal network from > outside. This, and many other examples, produces a class-A subnet mask > (some produce a class-B) when entered in WinXP's TCP/IP dialog, although > the actual mask we use with it is class-C. > > Is this a no-no? Will it break our server's IPTables when communicating > with it? Am I in for a lot of trouble? The addresses don't seem to cause > any problems, but I don't want this to jump up and bite us in the bottom > sometime down the road. > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Paul Blondé -- André
Guimarães Databras Informática Matriz RJ - 55 (21) 2518-2363 Filial ES - 55 (27) 3233-0098 http://www.databras.com.br From tkevans at tkevans.com Tue May 22 21:57:07 2007 From: tkevans at tkevans.com (Tim Evans) Date: Tue May 22 22:59:44 2007 Subject: NAT addresses - RFC or tradition? In-Reply-To: <200705221646.25925.ramoni@databras.com.br> References: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net> <200705221646.25925.ramoni@databras.com.br> Message-ID: <20070522195618.M46626@tkevans.com> On Tue, 22 May 2007 16:46:25 -0300, Andre Guimarães wrote > It's quite simple. > You're using public IPs in your internal networks. > Some of these IPs may exist and have an owner and maybe even a web site. > You'll be in trouble in the day you wish to access one of these IPs > on the internet because you won't reach them because you have them > on your network and so won't route the packets to the internet. In other words, the RFC addresses are specifically for use in internal networks, since they are guaranteed not to be used on the public internet, and not routed to by any public internet router. -- Tim Evans, TKEvans.com, Inc. | 5 Chestnut Court tkevans@tkevans.com | Owings Mills, MD 21117 http://www.tkevans.com/ | 443-394-3864 http://www.come-here.com/News/ | From marius-iulian.corici at fokus.fraunhofer.de Tue May 22 22:02:35 2007
From: marius-iulian.corici at fokus.fraunhofer.de (Marius-Iulian Corici)
Date: Tue May 22 23:05:08 2007
Subject: NAT addresses - RFC or tradition?
In-Reply-To: <20070522195618.M46626@tkevans.com>
References: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net> <200705221646.25925.ramoni@databras.com.br> <20070522195618.M46626@tkevans.com>
Message-ID: <46534C5B.7020303@fokus.fraunhofer.de>

rfc 1918

Tim Evans wrote:
> On Tue, 22 May 2007 16:46:25 -0300, Andre Guimarães wrote
>
>> It's quite simple.
>> You're using public IPs in your internal networks.
>> Some of these IPs may exist and have an owner and maybe even a web site.
>> You'll be in trouble on the day you wish to access one of these IPs
>> on the internet because you won't reach them because you have them
>> on your network and so won't route the packets to the internet.
>>
>
> In other words, the RFC addresses are specifically for use in internal
> networks, since they are guaranteed not to be used on the public internet, and
> not routed to by any public internet router.
> --
> Tim Evans, TKEvans.com, Inc.   | 5 Chestnut Court
> tkevans@tkevans.com            | Owings Mills, MD 21117
> http://www.tkevans.com/        | 443-394-3864
> http://www.come-here.com/News/ |
>
>

From leolistas at solutti.com.br Tue May 22 22:02:52 2007
From: leolistas at solutti.com.br (Leonardo Rodrigues Magalhães)
Date: Tue May 22 23:05:36 2007
Subject: NAT addresses - RFC or tradition?
In-Reply-To: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net>
References: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net>
Message-ID: <46534C6C.3050706@solutti.com.br>

Paul Blondé wrote:
> I've noticed that a lot of people use the 192.168.X.X subnet for internal
> networks, is this (and the less-used 10-series) a requirement of some RFC,
> or a recommendation that has become tradition?
>
> We are using a completely different subnet, something similar to (for
> example) 42.127.129.X to further obfuscate the internal network from
> outside. This, and many other examples, produces a class-A subnet mask (some
> produce a class-B) when entered in WinXP's TCP/IP dialog, although the
> actual mask we use with it is class-C.
>
> Is this a no-no? Will it break our server's IPTables when communicating with
> it? Am I in for a lot of trouble? The addresses don't seem to cause any
> problems, but I don't want this to jump up and bite us in the bottom
> sometime down the road.
>

Yes, those 'reserved' IP addresses are declared by RFC 1918. Please check:

http://tools.ietf.org/html/rfc1918
http://en.wikipedia.org/wiki/Private_network

Your network will work with no problems, except if you had to access some far-far-far away network which uses your local addresses, which should never be used as local ones.

--
Sincerely,

Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it: gertrudes@solutti.com.br
My SPAMTRAP, do not email it

From jengelh at linux01.gwdg.de Tue May 22 22:09:56 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue May 22 23:12:33 2007
Subject: Logging NAT Translations
In-Reply-To: <ae1f24730705182015j533102bah985e9ad0e905cd2a@mail.gmail.com>
References: <ae1f24730705182015j533102bah985e9ad0e905cd2a@mail.gmail.com>
Message-ID: <Pine.LNX.4.61.0705222208440.4452@yvahk01.tjqt.qr>

On May 18 2007 20:15, Craig Bernstein wrote:
>
> I can't believe this isn't a FAQ; I apologize if I missed something in
> my searches.
>
> Is there a way to log connections along with all of their NAT translation
> data?

iptables -t nat -N yes_do_me_1
iptables -t nat -A yes_do_me_1 -j LOG ...
iptables -t nat -A yes_do_me_1 -j SNAT ...
iptables -t nat -A POSTROUTING -s 134.76.0.0/16 -d whatever -p tcp -j yes_do_me_1

Or you could use `conntrack -E`... or conntrack -L for a momentary state.

>
> I am using a Debian (Sarge) system to SNAT guest users from private
> address space to the Internet, and I need to keep a record that
> includes both their internal and external addresses.
>
> Simply logging before the SNAT rule leaves out the external address,
> leaving me only with the original RFC1918 source address.
> /proc/net/ip_conntrack has the information I need, but no way to send
> it to the log at the beginning and/or end of the session.
>
> There HAS to be an easy way to do this! Right?
>
> Thank you...
>
> --
> ...Craig
>
>

Jan
--

From gtaylor at riverviewtech.net Tue May 22 22:22:50 2007
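Following Jan's second suggestion (conntrack -E) for the "Logging NAT Translations" question above, here is an added example, not code from the thread, that turns the event stream into one accounting line per session carrying both the internal and the external address. The LOG target placed before SNAT can only record the pre-translation source, but a conntrack event carries both tuples, and the reply tuple's dst is the address the internet side saw. The event line layout used in the constructed sample is the conntrack-tools format as I know it; treat it as an assumption and compare it with the `conntrack -E` output of your own version.

```shell
#!/bin/sh
# Added example (not from the list thread): per-session NAT accounting
# from `conntrack -E`. Line layout of the events is an assumption based
# on conntrack-tools; check it against your version's output.

# nat_session_log: reads conntrack -E output on stdin and prints one line
# for every NEW and DESTROY event (start and end of a session)
nat_session_log() {
    awk '
    {
        ev = $1; sub(/^\[/, "", ev); sub(/\]$/, "", ev)   # "[NEW]" -> "NEW"
        if (ev != "NEW" && ev != "DESTROY") next
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   dst[n] = kv[2]
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        # tuple 1 is the original direction (pre-NAT guest address);
        # tuple 2 is the reply direction, whose dst is the post-SNAT address
        printf "%s %s internal=%s:%s external=%s:%s remote=%s:%s\n", ev, $2, src[1], sport[1], dst[2], dport[2], dst[1], dport[1]
    }'
}

# Constructed sample: three events of one guest session. Addresses are
# documentation ranges (RFC 1918 guest, TEST-NET public side), not real hosts.
sample_events() {
    cat <<'EOF'
    [NEW] tcp      6 120 SYN_SENT src=192.168.144.10 dst=198.51.100.20 sport=51234 dport=80 [UNREPLIED] src=198.51.100.20 dst=203.0.113.5 sport=80 dport=51234
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.144.10 dst=198.51.100.20 sport=51234 dport=80 src=198.51.100.20 dst=203.0.113.5 sport=80 dport=51234 [ASSURED]
[DESTROY] tcp      6 src=192.168.144.10 dst=198.51.100.20 sport=51234 dport=80 src=198.51.100.20 dst=203.0.113.5 sport=80 dport=51234 [ASSURED]
EOF
}

# Offline demo over the constructed sample
demo() {
    sample_events | nat_session_log
}

# Live use (root):  conntrack -E | nat_session_log | logger -t natlog
# Demo:             sh natlog.sh demo
case "${1:-}" in
    demo) demo ;;
esac
```

Each NEW line is the start of a session and each DESTROY line its end, which is exactly the pair Craig asked for; piping the output through logger keeps it in syslog next to the LOG-target lines.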
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue May 22 23:23:30 2007
Subject: NAT addresses - RFC or tradition?
In-Reply-To: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net>
References: <001c01c79ca7$0c1717e0$5a05a8c0@nisgaa.net>
Message-ID: <4653511A.5020205@riverviewtech.net>

On 05/22/07 14:26, Paul Blondé wrote:
> I've noticed that a lot of people use the 192.168.X.X subnet for
> internal networks, is this (and the less-used 10-series) a
> requirement of some RFC, or a recommendation that has become
> tradition?

10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255 are reserved for private (read internal) use and guaranteed to not be globally routable. As others have stated, you can use any address you want, though you run the risk of being in conflict with some subnet somewhere. Granted it is VERY unlikely that you will affect anyone other than yourself, as the world will route to the other subnet, not you.

Please reference RFC 3330 - "Special-Use IPv4 Addresses" (http://www.rfc-editor.org/rfc/rfc3330.txt) for more information on these and other reserved subnets.

> We are using a completely different subnet, something similar to (for
> example) 42.127.129.X to further obfuscate the internal network from
> outside. This, and many other examples, produces a class-A subnet
> mask (some produce a class-B) when entered in WinXP's TCP/IP dialog,
> although the actual mask we use with it is class-C.

*nod*

> Is this a no-no? Will it break our server's IPTables when
> communicating with it? Am I in for a lot of trouble? The addresses
> don't seem to cause any problems, but I don't want this to jump up
> and bite us in the bottom sometime down the road.

Well, the 42.x.y.z is not too bad as far as conflicting with someone else, seeing as how IANA has it "Reserved". Take a look at the "Internet Protocol v4 Address Space" page (http://www.iana.org/assignments/ipv4-address-space) on IANA's web site for more information.

Grant. . . .
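As an added example for the thread above (not code from any of the posters), the following script checks an address against the three RFC 1918 blocks Grant lists and shows the classful default prefix that a legacy dialog such as the WinXP one derives from the first octet, which is why 42.127.129.x is offered a class-A (/8) mask while the network is really a /24. Only the RFC 1918 blocks are classified; the further special-use ranges of RFC 3330 are not encoded here.

```shell
#!/bin/sh
# Added example, not from the list thread: RFC 1918 classification and the
# classful (pre-CIDR) default prefix for an IPv4 address.

# ip_to_int A.B.C.D -> the address as a 32-bit unsigned integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NETWORK/PREFIX -> exit 0 when ADDR lies inside the block
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    size=$(( 1 << (32 - ${2#*/}) ))
    [ "$addr" -ge "$net" ] && [ "$addr" -lt $(( net + size )) ]
}

# address_class ADDR -> prints "rfc1918" for 10/8, 172.16/12 and 192.168/16,
# otherwise "public" (RFC 3330 special-use blocks are not distinguished)
address_class() {
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$1" "$block"; then
            echo rfc1918
            return 0
        fi
    done
    echo public
}

# classful_prefix ADDR -> prefix length implied by the classful default mask:
# /8 for class A (0-127), /16 for class B (128-191), /24 for class C (192-223)
classful_prefix() {
    first=${1%%.*}
    if [ "$first" -lt 128 ]; then echo 8
    elif [ "$first" -lt 192 ]; then echo 16
    elif [ "$first" -lt 224 ]; then echo 24
    else echo none
    fi
}

# check_lan ADDR PREFIX -> one-line verdict for a LAN address and the prefix
# length actually in use, e.g. check_lan 42.127.129.10 24
check_lan() {
    class=$(address_class "$1")
    default=$(classful_prefix "$1")
    verdict="$1/$2 is $class"
    if [ "$class" = public ]; then
        verdict="$verdict: the real $1/$2 on the internet becomes unreachable from this LAN"
    fi
    if [ "$default" != "$2" ]; then
        verdict="$verdict; classful default mask would be /$default, so set /$2 explicitly"
    fi
    echo "$verdict"
}

# Usage: sh rfc1918_check.sh 192.168.1.10/24 42.127.129.10/24
for arg in "$@"; do
    check_lan "${arg%/*}" "${arg#*/}"
done
```

The verdict line makes both consequences from the thread visible at once: a public block used internally shadows the real owner's hosts, and a first octet below 128 makes classful tools default to /8 unless the /24 is entered explicitly.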
From jengelh at linux01.gwdg.de Tue May 22 22:26:00 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue May 22 23:28:35 2007
Subject: URL Logging
In-Reply-To: <922E6125ECDCDB4F9F1B845B7DE99ECA015CCFCF@do-exch04.do.ad.losrios.edu>
References: <922E6125ECDCDB4F9F1B845B7DE99ECA015CCFCF@do-exch04.do.ad.losrios.edu>
Message-ID: <Pine.LNX.4.61.0705222225350.4452@yvahk01.tjqt.qr>

On May 21 2007 12:50, Muzinich, Mike wrote:
>
> Is anyone aware of a non-proxy product i.e. Squid that will log full
> URL information for HTTP requests that is meant to be run as a
> daemon on a Linux router/firewall?? I don't believe there is an
> elegant way to do this with IPTABLES.

_What_ can't squid do for you?

Jan
--

From xpisar at fi.muni.cz Tue May 22 23:39:58 2007
From: xpisar at fi.muni.cz (Petr Pisar)
Date: Wed May 23 00:42:47 2007
Subject: Bridge Transparent Proxy
References: <C2787F66.1C272%robert@leblancnet.us> <465336C4.5060600@riverviewtech.net> <46533842.9080404@plouf.fr.eu.org> <46533B98.9030706@riverviewtech.net>
Message-ID: <slrnf56ope.emr.xpisar@album.ics.muni.cz>

On 2007-05-22, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 05/22/07 13:36, Pascal Hambourg wrote:
>> I'm curious : why is a bridge needed for this ? Doesn't a simple router
>> do the job as well ?
>
> No.
>
> Let me re-layout the network including IP addresses.
>
> (INet [A.B.C.Z]) --- (BRouter [A.B.C.D]) --- ([A.B.C.E] Server(s)
>                                  [192.168.144.254] --- ([192.168.144.1-100])
>
> Here you can see that you have the same subnet of A.B.C.x on both sides
> of the bridging router. There is no good (read easy) way to have the
> same subnet on multiple sides of a router short of double natting which
> in and of itself is not easy to do on a singular box.
>
> So what you do is bridge the A.B.C.x traffic to both networks and route
> the other subnet(s) as needed.
>

Or you switch on arp proxy on the public interface of router ;)

--
Petr

From pascal.mail at plouf.fr.eu.org Wed May 23 00:07:43 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Wed May 23 01:10:02 2007
Subject: Bridge Transparent Proxy
In-Reply-To: <46533B98.9030706@riverviewtech.net>
References: <C2787F66.1C272%robert@leblancnet.us> <465336C4.5060600@riverviewtech.net> <46533842.9080404@plouf.fr.eu.org> <46533B98.9030706@riverviewtech.net>
Message-ID: <465369AF.2060107@plouf.fr.eu.org>

Grant Taylor wrote:
>
> Let me re-layout the network including IP addresses.
>
> (INet [A.B.C.Z]) --- (BRouter [A.B.C.D]) --- ([A.B.C.E] Server(s)
>                                  [192.168.144.254] --- ([192.168.144.1-100])
>
> Here you can see that you have the same subnet of A.B.C.x on both sides
> of the bridging router.

Now I see. But wouldn't it be worth subnetting A.B.C.x ?

> There is no good (read easy) way to have the
> same subnet on multiple sides of a router

Do you mean that ARP proxy would not be a good way ? Ok, I guess it would disrupt IP broadcasts a bit...

> short of double natting which
> in and of itself is not easy to do on a singular box.

Anyway NAT is evil. Don't use it unless you can't avoid it.

From gtaylor at riverviewtech.net Wed May 23 02:25:56 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed May 23 03:28:25 2007
Subject: Bridge Transparent Proxy
In-Reply-To: <465369AF.2060107@plouf.fr.eu.org>
References: <C2787F66.1C272%robert@leblancnet.us> <465336C4.5060600@riverviewtech.net> <46533842.9080404@plouf.fr.eu.org> <46533B98.9030706@riverviewtech.net> <465369AF.2060107@plouf.fr.eu.org>
Message-ID: <46538A14.608@riverviewtech.net>

On 5/22/2007 5:07 PM, Pascal Hambourg wrote:
> Now I see. But wouldn't it be worth subnetting A.B.C.x ?

If you have the option, yes. However, that is seldom an option, even less so without the provider's support. Consider a cable modem / DSL install where you get 4 IP addresses, having nothing to do with subnets. I.e. .62, .63, .64, and .65. You cannot do any viable subnetting with this. Even if you can viably do subnetting, you have to have the provider configure the remaining IPs available via the IP facing them. It has been my experience that it is much easier to do BRouting in these cases.

> Do you mean that ARP proxy would not be a good way ? Ok, I guess it
> would disrupt IP broadcasts a bit...

I have never actually used ARP proxy, so I can't say for sure. However, when I have read about ARP proxying in the past, it never sat very well with me. It always seemed like it solved part of the problem but caused others.

> Anyway NAT is evil. Don't use it unless you can't avoid it.

I'll have to disagree with you on that statement. Now if you amend it a bit, I can live with it. "NATing in the wrong locations is evil." NAT in and of itself is a good tool to use. However it is not the end-all, be-all tool that some would like it to be. NATing a private network out to a single IP on the internet for outbound internet access is very good. If you want to start having some inbound internet access it is not as good for very long.

Grant. . . .

From Michal.Filka at sitronicsts.com Wed May 23 07:33:41 2007
From: Michal.Filka at sitronicsts.com (Filka Michal)
Date: Wed May 23 08:36:01 2007
Subject: simple question
In-Reply-To: <da3a2a260705221120x3216601doee80f297904493a0@mail.gmail.com>
References: <2DD3CA89774593478BC28081C7392595BEC225@exalfa.stromtelecom.cz> <da3a2a260705221120x3216601doee80f297904493a0@mail.gmail.com>
Message-ID: <2DD3CA89774593478BC28081C7392595BEC47B@exalfa.stromtelecom.cz>

I would like to somehow use conntrack's events for very simple synchronization of two connection tracking tables. So, I need to know what should be the reason for particular events. As far as I know there are NEW, UPDATE and DESTROY events available. In the case of the UPDATE event I'm not sure when it occurs ...

So, when is the UPDATE event issued?

Thanks,
Michal Filka

>
> I'm assuming that "update" originates from the idea of a database
> trigger. A trigger is an action performed after another action occurs.
> For example, when entering a new record, you could call a procedure to
> error check the formatting of the entry. Another example might be to
> add a record to a log table which logs the activity which occurs after
> a record is updated.
>
> I'd imagine that what you are talking about (update) is an event
> similar to a trigger. This means that the answer would depend on what
> the trigger is set for. Maybe it is when state is updated, or maybe it
> is when the configuration is updated. Maybe both.
>
> I have no idea to what you are referring or asking about, so beyond
> what I have detailed above, I cannot give you an answer.
>
> Sorry.
>
> On 5/22/07, Filka Michal <Michal.Filka@sitronicsts.com> wrote:
> > Hi,
> >
> > Can anyone tell me what exactly an update event means. Of course, I have
> > an idea, but I need to confirm it.
> >
> > So, does it mean that a "state" attribute changed (e.g. connection state,
> > counter, ... ), or is it related to a "configuration" attribute?
> >
> > Thanks,
> >
> > Michal Filka
> >
> >
> >
> >
>
> --
> I thought about building you a boat to survive the river of tears I'm
> crying for you, but the world's smallest violins just aren't a
> reliable source of lumber, and that cross you're nailing yourself to
> seems buoyant enough anyways - Dr Gregory House, M.D.

From lcguy229 at yahoo.com Wed May 23 07:56:55 2007
From: lcguy229 at yahoo.com (Jon Tim)
Date: Wed May 23 08:59:17 2007
Subject: Bridge Transparent Proxy
In-Reply-To: <465314F4.1060007@plouf.fr.eu.org>
Message-ID: <390179.89889.qm@web38509.mail.mud.yahoo.com>

Hello,

Many thanks for all the replies to my Bridge Transparent Proxy post.

But, please let me know more about how to enable "netfilter Bridge Support" in the kernel. Can I add a line "CONFIG_BRIDGE_NETFILTER=y" in /etc/sysctl.conf?

And, in the second iptables command what are physdev and physdev-in? Does this mean physdev = eth0 and physdev-in = eth1?

Sorry for my question. I am a newbie in iptables and don't understand very well.

My other question is, do I need to use a NAT command in iptables? As I have all public addresses, why do I have to use NAT to redirect?

Jon.

--- Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:

> Hello,
>
> Robert LeBlanc wrote:
> > You will need to look at ebtables. Bridging will bypass iptables.
>
> Bridged IPv4 packets traverse the iptables chains if the kernel was
> compiled with Netfilter bridge support (CONFIG_BRIDGE_NETFILTER=y). It
> allows finer filtering than ebtables, for instance accepting only
> outgoing HTTP/HTTPS connections and related ICMP messages in both
> directions thanks to connection tracking, e.g. :
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m physdev --physdev-in eth1 -m state --state NEW \
>     -p tcp -m multiport --dports 80,443 -j ACCEPT
>

From jengelh at linux01.gwdg.de Wed May 23 09:43:48 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Wed May 23 10:46:32 2007
Subject: redirect 127.0.0.1:25 -> 127.0.0.1:2000
In-Reply-To: <464E2CAC.8060702@funkware.com>
References: <464E2A63.3020903@funkware.com> <464E2CAC.8060702@funkware.com>
Message-ID: <Pine.LNX.4.61.0705230943120.4452@yvahk01.tjqt.qr>

On May 18 2007 15:46, Alex Tang wrote:
>
> which answered my question.
> I verified that the kernel had IP_NF_NAT_LOCAL set to y, and I see that I was
> missing the "iptables -t nat -A OUTPUT" line. Everything works now. Whoohoo!

IP_NF_NAT_LOCAL is removed in later kernels, so don't even think about starting to use it. You will be perfectly fine when not having that enabled, -A OUTPUT does it all.

Jan
--

From trellmor at freewlan.info Wed May 23 11:22:16 2007
From: trellmor at freewlan.info (trellmor@freewlan.info)
Date: Wed May 23 12:24:32 2007
Subject: Rules to block traffic form an interface to a netblock
Message-ID: <20070523092216.A3B1320A8CB7@server11.web4a.de>

Hello!

I tried to create a rule to block all traffic from an interface (ath1) to a netblock (192.168.0.0/16).

The device is a WLAN router and the ath1 interface is unencrypted, allowing visitors to login. But I want to restrict access to my private LAN (192.168.0.0/16). The router performs NAT between ath1 and ath0. So forwarded packets need to reach the next hop (192.168.0.1), allowing visitors to access the internet. The router itself (and other interfaces on the router) should still be able to reach 192.168.0.0/16.

I tried to come up with a rule for that, but my solutions don't seem to work. I hope someone can give me a solution for this problem, or at least an idea how to solve it.

--
Yours truly
Daniel Triendl
trellmor@freewlan.info
http://dani.tac-ops.net

From swifty at freemail.hu Wed May 23 14:47:29 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Wed May 23 16:08:16 2007
Subject: Conntrack rule timeout problem
In-Reply-To: <1179765250.12001.18.camel@thales.lan>
References: <1179765250.12001.18.camel@thales.lan>
Message-ID: <465437E1.9030600@freemail.hu>

Hi,

Pat Riehecky wrote:
> I seem to be capturing way more packets than I intend (or even expect!).
> I am running squid and have the firewall rules below running on it. For
> some reason I am capturing hundreds of packets that I don't think should
> be caught.
>

Maybe someone is scanning you....

> I have increased the timeouts in /proc/ (via sysctl) to fix this, but no
> dice. Anyone have any idea why the sample packet below would be
> captured? It is getting picked up by either the
> -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate INVALID -j DROP
> but sometimes the
> -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
>

Take a look at nmap...

> The packet looks to have been requested by squid, it is coming on port
> 80... I also seem to be having the same behavior on the squid side
> where the FIN/ACK packets are being caught by the conntrack rule...
>
> I know I have something wrong, just what exactly is eluding me...
>
> Any help would be helpful!
>

Swifty

From swifty at freemail.hu Wed May 23 15:39:49 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Wed May 23 16:42:54 2007
Subject: Bridge Transparent Proxy
In-Reply-To: <390179.89889.qm@web38509.mail.mud.yahoo.com>
References: <390179.89889.qm@web38509.mail.mud.yahoo.com>
Message-ID: <46544425.1080101@freemail.hu>

Jon Tim wrote:
> Hello,
>
> Many thanks for all the replies to my Bridge Transparent
> Proxy post.
>
> But, please let me know more about how to enable "netfilter
> Bridge Support" in the kernel. Can I add a line
> "CONFIG_BRIDGE_NETFILTER=y" in /etc/sysctl.conf?
>
>

No. This is an option in your kernel config. Search the net about building a kernel.

> And, in the second iptables command what are physdev
> and physdev-in? Does this mean physdev = eth0 and
> physdev-in = eth1?
>

man iptables

-m physdev => iptables will use the physdev module (-m)
--physdev-in eth1 => the incoming (physical) device is eth1

> Sorry for my question. I am a newbie in iptables and
> don't understand very well.
>
> My other question is, do I need to use a NAT command
> in iptables? As I have all public addresses, why do I
> have to use NAT to redirect?
>

NAT and REDIRECT are mainly there to support a firewalled network or to change the source/destination of a connection.

> Jon.
>
>

Swifty

From prieheck at iwu.edu Wed May 23 15:42:11 2007
From: prieheck at iwu.edu (Pat Riehecky)
Date: Wed May 23 16:44:32 2007
Subject: Conntrack rule timeout problem
In-Reply-To: <465437E1.9030600@freemail.hu>
References: <1179765250.12001.18.camel@thales.lan> <465437E1.9030600@freemail.hu>
Message-ID: <1179927731.28690.16.camel@thales.lan>

On Wed, 2007-05-23 at 14:47 +0200, Gáspár Lajos wrote:
> Hi,
>
> Pat Riehecky wrote:
> > I seem to be capturing way more packets than I intend (or even expect!).
> > I am running squid and have the firewall rules below running on it. For
> > some reason I am capturing hundreds of packets that I don't think should
> > be caught.
> >
>
> Maybe someone is scanning you....
>
> > I have increased the timeouts in /proc/ (via sysctl) to fix this, but no
> > dice. Anyone have any idea why the sample packet below would be
> > captured? It is getting picked up by either the
> > -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate INVALID -j DROP
> > but sometimes the
> > -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
> >
>
> Take a look at nmap...
>
> > The packet looks to have been requested by squid, it is coming on port
> > 80... I also seem to be having the same behavior on the squid side
> > where the FIN/ACK packets are being caught by the conntrack rule...
> >
> > I know I have something wrong, just what exactly is eluding me...
> >
> > Any help would be helpful!
> >
>
> Swifty
>

I am about 90% certain that I am not being scanned, as a bunch of the dropped packets are coming from places like the New York Times, Microsoft, and Google. Admittedly they could be spoofed IP addresses, but the packets are all coming from 80 or 443 and they are all destined for TCP ports in the ephemeral range. Additionally, in my squid logs I have a corresponding entry requesting data from that server.

All evidence I have points to some sort of conntrack timeout. Occasionally I can find the IP addresses in the output from iptstate, but...

Thanks for the ideas, any chance for more theories?
Pat

From michael.ransburg at gmail.com Wed May 23 17:58:04 2007
From: michael.ransburg at gmail.com (Michael Ransburg)
Date: Wed May 23 19:00:30 2007
Subject: Queued packet in user space: network order or host order?
Message-ID: <22b256140705230858u125619f4kdcdcca6f424a9ed1@mail.gmail.com>

Hi all,

I'm using ip_queue to process packets in user space. It seems that these packets are already in host order when I process them - is this correct? Does the network order --> host order conversion happen before any packets are queued for userspace handling?

Many thanks,
Michael

--
icq: 71772353 | skype: daneel1409 | msn: mike@unfolded.com

From swifty at freemail.hu Wed May 23 18:27:55 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Wed May 23 19:31:03 2007
Subject: Conntrack rule timeout problem
In-Reply-To: <1179927731.28690.16.camel@thales.lan>
References: <1179765250.12001.18.camel@thales.lan> <465437E1.9030600@freemail.hu> <1179927731.28690.16.camel@thales.lan>
Message-ID: <46546B8B.9040705@freemail.hu>

Pat Riehecky wrote:
> I am about 90% certain that I am not being scanned, as a bunch of the
> dropped packets are coming from places like the New York Times,
> Microsoft, and Google. Admittedly they could be spoofed IP addresses,
> but the packets are all coming from 80 or 443 and they are all destined
> for TCP ports in the ephemeral range. Additionally, in my squid logs I
> have a corresponding entry requesting data from that server.
>
>

Well... Read this:

http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=10640&mode=thread&order=0&thold=0

The interesting part starts at *"Camouflaging your ip address"...*

> All evidence I have points to some sort of conntrack timeout.
> Occasionally I can find the IP addresses in the output from iptstate,
> but...
>
> Thanks for the ideas, any chance for more theories?
> Pat
>

Swifty

From m at rtij.nl Mon May 21 19:25:05 2007
From: m at rtij.nl (Martijn Lievaart)
Date: Wed May 23 21:33:49 2007
Subject: using packet filtering to discover TCP end-to-end latency
In-Reply-To: <C4794891-5098-4238-BC18-2D54D2CB9859@gmail.com>
References: <C4794891-5098-4238-BC18-2D54D2CB9859@gmail.com>
Message-ID: <4651D5F1.2080701@rtij.nl>

Rohit Grover wrote:
> Hello,
>
> I need to discover the TCP end-to-end latency between web clients and
> servers transparently (i.e. without altering the clients or the
> servers in any way). I have squid running as a proxy server on a linux
> box, sitting between the clients and the servers. I can have the
> clients change their proxy settings to have requests pass through
> squid. Squid can measure latencies between itself and the web servers.
> The problem is to measure the network latency when squid tries to
> forward the server responses back to clients.
>
> Can packet filtering help me with this? Can I, for example, filter for
> the client ACK of the last bit of data sent from squid back to the
> client?
>
> Also, I still need to devise a solution to measure network latency
> experienced by the client's SYN sent to the squid box. Any ideas?
>

I would hire a packeteer for this. Expensive, but it is perfect for this job.

Otherwise, capture with wireshark (formerly Ethereal), export to csv, write a small program. (I don't think wireshark has a plugin for exactly this).

I would NOT do this with packet filtering unless I need (near) realtime analysis. And even then.

HTH,
M4

From pablo at netfilter.org Wed May 23 21:41:45 2007
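The "small program" Martijn suggests for the latency question, as an added example that is not code from the thread: an awk filter over a capture exported to CSV. The column layout (time,src,dst,sport,dport,flags,seq,ack,len with relative sequence numbers and flags written as letters) is an assumption made for this example; a tshark export gives you the same fields, but its tcp.flags column is hexadecimal and would need mapping to S/SA/A/PA first. From the proxy's vantage point two client-side figures are derived: the handshake RTT (proxy sends SYN/ACK, client's ACK arrives) and the latency of the ACK covering the last data segment squid sent, which is the measurement Rohit asked for. Delayed ACKs, retransmissions and sequence wrap are not handled.

```shell
#!/bin/sh
# Added example, not from the list thread: client-side TCP latency from a
# CSV packet export, seen from the proxy host. CSV layout is an assumption:
#   time,src,dst,sport,dport,flags,seq,ack,len   (relative seq/ack numbers,
#   flags as letters such as S, SA, A, PA)

# tcp_client_latency PROXY_PORT   (CSV on stdin, one result line per client)
tcp_client_latency() {
    awk -F, -v pport="$1" '
    NR == 1 && $1 == "time" { next }              # skip the header row
    {
        t = $1 + 0; flags = $6; seq = $7 + 0; ack = $8 + 0; len = $9 + 0
        if ($4 == pport)      { from_proxy = 1; key = $3 ":" $5 }   # proxy -> client
        else if ($5 == pport) { from_proxy = 0; key = $2 ":" $4 }   # client -> proxy
        else next
        if (from_proxy) {
            # remember when the SYN/ACK left and where the last data burst ends
            if (flags == "SA") synack[key] = t
            if (len > 0) { last_data[key] = t; data_end[key] = seq + len }
        } else {
            # first client segment after the SYN/ACK completes the handshake
            if ((key in synack) && !(key in hs_rtt) && flags != "S")
                hs_rtt[key] = t - synack[key]
            # an ACK covering the whole burst gives the response ACK latency
            if ((key in data_end) && ack >= data_end[key]) {
                ack_lat[key] = t - last_data[key]
                delete data_end[key]
            }
        }
    }
    END {
        for (k in hs_rtt) {
            lat = (k in ack_lat) ? sprintf("%.3f", ack_lat[k]) : "n/a"
            printf "%s handshake_rtt=%.3f response_ack_latency=%s\n", k, hs_rtt[k], lat
        }
    }' | sort
}

# Constructed sample: one client talking to squid on port 3128. The client
# ACKs the SYN/ACK after 40 ms and the last of a 1500-byte response after 35 ms.
sample_capture() {
    cat <<'EOF'
time,src,dst,sport,dport,flags,seq,ack,len
0.000000,192.168.144.10,192.168.144.254,51234,3128,S,0,0,0
0.000100,192.168.144.254,192.168.144.10,3128,51234,SA,0,1,0
0.040100,192.168.144.10,192.168.144.254,51234,3128,A,1,1,0
0.040300,192.168.144.10,192.168.144.254,51234,3128,PA,1,1,120
0.200000,192.168.144.254,192.168.144.10,3128,51234,PA,1,121,1000
0.200200,192.168.144.254,192.168.144.10,3128,51234,PA,1001,121,500
0.235200,192.168.144.10,192.168.144.254,51234,3128,A,121,1501,0
EOF
}

# Demo:  sh tcp_latency.sh demo
# Real capture:  sh tcp_latency.sh 3128 < export.csv
case "${1:-}" in
    demo) sample_capture | tcp_client_latency 3128 ;;
    [0-9]*) tcp_client_latency "$1" ;;
esac
```

Because everything is keyed on the client socket, the same filter handles a whole capture with many clients; squid's own timing for the server side then completes the end-to-end picture.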
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Wed May 23 22:44:15 2007
Subject: [ANNOUNCE] Release conntrack-tools 0.9.3
Message-ID: <465498F9.8000804@netfilter.org>

Hi!

The netfilter project proudly presents conntrack-tools-0.9.3

The userspace daemon conntrackd covers the specific aspects of stateful Linux firewalls to enable high availability solutions, and can be used as statistics collector of the firewall use as well. The daemon is highly configurable and easily extensible. On the other hand, the command line conntrack provides an interface to add, delete and update flow entries, list current active flows and flush the complete connection tracking table.

You can download it from:

http://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-0.9.3.tar.bz2

Enjoy,
Pablo (on behalf of the Netfilter Project)

--
The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

-------------- next part --------------
version 0.9.3
-------------

= conntrackd =
o fix commit of confirmed expectations (reported by Nishit Shah)
o fix double increment of counters in cache_update_force() (Niko Tyni)
o nl_dump_handler must return NFCT_CB_CONTINUE (Niko Tyni)
o initialize buffer in nl_event_handler() and nl_dump_handler() (Niko Tyni)
o CacheCommit value can be set via conntrackd.conf for the NACK approach
o fix leaks in the hashtable/cache flush path (Niko Tyni)
o fix leak if a connection already exists in the cache (Niko Tyni)
o introduce a new header that encapsulates netlink messages
o remove all '_entry' tail from all functions in cache.c
o split cache.c: move cache iterators to file cache_iterators.c
o fix inconsistencies in the cache API related to counters
o cleanup 'usage' message
o fix typo in examples/sync/nack/node1/conntrackd.conf
o introduce message checksumming as described in RFC1071 (enabled by default)
o major cleanups in the synchronization code
o just warn once that the maximum netlink socket buffer has been reached
o fix ignore conntrack entries by IP and introduce ignore pool abstraction layer
o introduce netlink socket buffer overrun handler
o constification of hash, compare and hashtable_test functions in hash.c
o introduce ACKnowledgement mechanisms to reduce the size of the resend queue
o remove OK messages at startup since they provide useless data
o fix compilation warning in mcast.c: recvfrom takes socklen_t not size_t
o add a lock per buffer: makes buffer code thread safe
o introduce 'Replicate' clause to explicitly set states to be replicated
o kill cache feature abuse: introduce nicer cache hooks for sync algorithms
o fix oversized buffer allocated in the stack in the cache functions
o add support to dump internal/external cache in XML format '-x'
o add script for keepalived fault state (eg. unplugged cable/link down)

= conntrack =
o port conntrack to the new libnetfilter_conntrack API
o introduce '--output xml,extended,timestamp' option for '-L', '-G' and '-E'
o deprecated '--id'
o replace '-a' by '--src-nat' and '--dst-nat'
o use positive logic in error handling
o remove sctp support until it is fully supported in the kernel side
o update conntrack manpage
o update test.sh file in examples/cli/
o several fixes for the output of usage messages

From m at rtij.nl Mon May 21 22:57:21 2007
From: m at rtij.nl (Martijn Lievaart)
Date: Wed May 23 22:49:33 2007
Subject: URL Logging
In-Reply-To: <922E6125ECDCDB4F9F1B845B7DE99ECA015CCFCF@do-exch04.do.ad.losrios.edu>
References: <922E6125ECDCDB4F9F1B845B7DE99ECA015CCFCF@do-exch04.do.ad.losrios.edu>
Message-ID: <465207B1.50209@rtij.nl>

Muzinich, Mike wrote:
> Is anyone aware of a non-proxy product i.e. Squid that will log full URL information for HTTP requests that is meant to be run as a daemon on a Linux router/firewall? I don't believe there is an elegant way to do this with IPTABLES.
>
>

Run tethereal on the ports you're interested in, grep the output for the http commands you're interested in and postprocess the output to show only the information you want.

HTH,
M4

From prieheck at iwu.edu Thu May 24 16:16:53 2007
From: prieheck at iwu.edu (Pat Riehecky)
Date: Thu May 24 17:20:03 2007
Subject: Conntrack rule timeout problem
In-Reply-To: <46546B8B.9040705@freemail.hu>
References: <1179765250.12001.18.camel@thales.lan> <465437E1.9030600@freemail.hu> <1179927731.28690.16.camel@thales.lan> <46546B8B.9040705@freemail.hu>
Message-ID: <1180016213.6265.41.camel@thales.lan>

That is an excellent article!

I attempted to simplify the oddities I am seeing to avoid being overly complex, but it seems that was in error....

Here is a packet that was caught on its way out of my server; it cannot be part of a FORWARD chain as my FORWARD chain looks like this:

:FORWARD DROP [0:0]
-A FORWARD -j LOG --log-prefix "Default DROP (FORWARD): "
-A FORWARD -j DROP

Simply put, the answer to any forward is "NO".

The packet is:

Default DROP (OUTPUT): IN= OUT=eth0 SRC=192.168.12.74 DST=66.28.242.99 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=13688 DF PROTO=TCP SPT=60155 DPT=80 WINDOW=5840 RES=0x00 ACK FIN URGP=0

It tries for a while and then gives up. This feels identical to the input scenario. The last packet seems to not be getting through as RELATED/ESTABLISHED.

After studying the flow with iptstate (a bit poorly, but it was a start) this seems to occur when a connection is closed - but not when all connections are closed. This leads me to believe that it has to be related to conntrack.

Is my reasoning on this flawed?

Pat

On Wed, 2007-05-23 at 18:27 +0200, Gáspár Lajos wrote:
> Pat Riehecky wrote:
> > I am about 90% certain that I am not being scanned, as a bunch of the
> > dropped packets are coming from places like the New York Times,
> > Microsoft, and Google. Admittedly they could be spoofed IP addresses,
> > but the packets are all coming from 80 or 443 and they are all destined
> > for TCP ports in the ephemeral range. Additionally, in my squid logs I
> > have a corresponding entry requesting data from that server.
> >
> >
>
> Well... Read this:
>
> http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=10640&mode=thread&order=0&thold=0
>
> The interesting part starts at *"Camouflaging your ip address"...*
>
> > All evidence I have points to some sort of conntrack timeout.
> > Occasionally I can find the IP addresses in the output from iptstate,
> > but...
> >
> > Thanks for the ideas, any chance for more theories?
> > Pat
> >
>
> Swifty
>

From pharlow at skld.com Thu May 24 18:31:56 2007
From: pharlow at skld.com (Paul Harlow)
Date: Thu May 24 19:30:20 2007
Subject: Dynamic kernel module load
Message-ID: <9875566032E2AE41ADB6D9CF037D312652F8F2@skyline.skld.net>

Hi all,

Fedora 5 patched, i386 SMP

I am looking for info on how to dynamically load a particular kernel module when I restart IPTables. I have firewalling rules in place for FTP traffic (both passive and active); however, when I restart IPTables I notice that the module ip_conntrack_ftp does not load, I have to load it manually. This presents a problem if someone other than myself has to reload firewall rules on this machine but isn't aware of the FTP rules/needs.

Will adding the line "ip_conntrack_ftp" to the modules.conf file solve this problem and leave the particular module in permanently?

Paul Harlow
System and Network Administrator
SKLD Information Services LLC
9540 E. Jewell Ave. Suite A
Denver, CO 80247
303.695.3861 - desk
303.913.2804 - cell

From jengelh at linux01.gwdg.de Thu May 24 18:35:44 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Thu May 24 19:38:32 2007 Subject: Dynamic kernel module load In-Reply-To: <9875566032E2AE41ADB6D9CF037D312652F8F2@skyline.skld.net> References: <9875566032E2AE41ADB6D9CF037D312652F8F2@skyline.skld.net> Message-ID: <Pine.LNX.4.61.0705241833220.31549@yvahk01.tjqt.qr> On May 24 2007 10:31, Paul Harlow wrote: >Hi all, > >Fedora 5 patched, i386 SMP > >I am looking for info on how to dynamically load a particular kernel >module when I restart IPTables. I have firewalling rules in place for FTP >traffic (both passive and active) however when I restart IPTables I >notice that the module ip_conntrack_ftp does not load, I have to load it >manually. That is because your ruleset only depends [as in: symbols] on iptable_filter, ip_conntrack and such, but not ip_conntrack_ftp. >This presents a problem if someone other than myself has to >reload firewall rules on this machine but isn't aware of the FTP >rules/needs. > >Will adding the line "ip_conntrack_ftp" to the modules.conf file solve >this problem and leave the particular module in permanently? Adding it to /etc/sysconfig/kernel variable MODULES_LOADED_ON_BOOT (opensuse; YMMV) will do that, yes. (modprobe.conf? I do not think that is the right place.) Until someone manually rmmods it (,yes). Jan -- From jengelh at linux01.gwdg.de Thu May 24 18:37:50 2007 
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Thu May 24 19:40:35 2007
Subject: Rules to block traffic from an interface to a netblock
In-Reply-To: <20070523092216.A3B1320A8CB7@server11.web4a.de>
References: <20070523092216.A3B1320A8CB7@server11.web4a.de>
Message-ID: <Pine.LNX.4.61.0705241836500.31549@yvahk01.tjqt.qr>

On May 23 2007 11:22, trellmor@freewlan.info wrote:
>
>Hello!
>
>I tried to create a rule to block all traffic from an interface (ath1) to
>a netblock (192.168.0.0/16).

-i ath1 -d 192.168.0.0/16 ...

>The device is a WLAN router and the ath1 interface is unencrypted,
>allowing visitors to log in. But I want to restrict access to my private
>LAN (192.168.0.0/16). The router performs NAT between the ath1 and the
>ath0. So forwarded packets need to reach the next hop (192.168.0.1),
>allowing visitors to access the internet. The router itself (and other
>interfaces on the router) should still be able to reach 192.168.0.0/16.
>
>I tried to come up with a rule for that, but my solutions don't seem
>to work. I hope anyone can give me a solution for this problem, or at
>least an idea how to solve it.

Jan
--

From m at rtij.nl Thu May 24 19:08:55 2007
From: m at rtij.nl (Martijn Lievaart)
Date: Thu May 24 20:11:04 2007
Subject: Dynamic kernel module load
In-Reply-To: <9875566032E2AE41ADB6D9CF037D312652F8F2@skyline.skld.net>
References: <9875566032E2AE41ADB6D9CF037D312652F8F2@skyline.skld.net>
Message-ID: <4655C6A7.2050303@rtij.nl>

Paul Harlow wrote:
> Hi all,
>
> Fedora 5 patched, i386 SMP
>
> I am looking for info on how to dynamically load a particular kernel module when I restart IPTables. I have firewalling rules in place for FTP traffic (both passive and active) however when I restart IPTables I notice that the module ip_conntrack_ftp does not load, I have to load it manually. This presents a problem if someone other than myself has to reload firewall rules on this machine but isn't aware of the FTP rules/needs.
>
> Will adding the line "ip_conntrack_ftp" to the modules.conf file solve this problem and leave the particular module in permanently?
>

Patch /etc/sysconfig/iptables-config, mine looks like:

# Additional iptables modules (nat helper)
# Default: -empty-
IPTABLES_MODULES="ip_conntrack_ftp"

(snip)

HTH,
M4

From jpb at entel.ca Thu May 24 19:10:23 2007
From: jpb at entel.ca (Paul Blondé)
Date: Thu May 24 20:13:01 2007
Subject: Dynamic kernel module load
In-Reply-To: <9875566032E2AE41ADB6D9CF037D312652F8F2@skyline.skld.net>
Message-ID: <000901c79e26$6a5dda70$5a05a8c0@nisgaa.net>

You will either want to add the loading of ip_conntrack_ftp to /etc/rc.local (see http://iptablesrocks.org), or insert a line into /etc/sysconfig/iptables-config (or wherever you keep your iptables configuration file) like this:

IPTABLES_MODULES="ip_conntrack_ftp"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé

From linuxsemi at gmail.com Thu May 24 22:12:37 2007
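Jan's point is the one to keep in mind: the kernel autoloads only what the ruleset's matches and targets reference, so a helper that nothing in the ruleset names has to be listed explicitly, which is what IPTABLES_MODULES does. The script below is an added example, not from the thread: a check to run after a restart that the FTP helper really is loaded before the RELATED rule for FTP data is relied on, and a generator for the iptables-config line. Both module spellings are accepted (ip_conntrack_ftp as on Paul's box, nf_conntrack_ftp on later kernels); the /proc/modules excerpt is constructed.

```shell
#!/bin/sh
# Added example: verify the FTP conntrack helper after "service iptables
# restart", and print the sysconfig line that makes the init script load it.
set -eu

# Exit 0 if either spelling of the FTP helper appears in the given
# /proc/modules text (the module name is the first column).
ftp_helper_loaded() {
    printf '%s\n' "$1" | awk '
        $1 == "ip_conntrack_ftp" || $1 == "nf_conntrack_ftp" { found = 1 }
        END { exit !found }'
}

# The /etc/sysconfig/iptables-config line: a space-separated module list,
# loaded on every restart. Add ip_nat_ftp when FTP is also NATed.
iptables_config_line() {
    printf 'IPTABLES_MODULES="%s"\n' "$*"
}

# Constructed /proc/modules excerpt: name size refcount users state address.
SAMPLE_MODULES='ip_conntrack_ftp 12345 0 - Live 0xf8a00000
ip_conntrack 54321 1 ip_conntrack_ftp, Live 0xf89f0000
iptable_filter 3456 1 - Live 0xf89e0000'

# On a live box: ftp_helper_loaded "$(cat /proc/modules)"
if ftp_helper_loaded "$SAMPLE_MODULES"; then
    echo "ftp helper loaded"
else
    echo "ftp helper missing; add to /etc/sysconfig/iptables-config:" >&2
    iptables_config_line ip_conntrack_ftp ip_nat_ftp >&2
fi
```

Two caveats a practitioner should attach to this. The helper parses untrusted FTP control traffic to open the data connection, so it is worth keeping the `--state RELATED` accept as narrow as the ruleset allows. And on current kernels the automatic attachment of helpers to connections is no longer the default: the helper has to be requested explicitly with the CT target (`-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`), so a ruleset ported forward from this era silently loses FTP data connections unless that rule is added.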
From: linuxsemi at gmail.com (semi linux)
Date: Thu May 24 23:15:09 2007
Subject: Two NICs, same network...
In-Reply-To: <4641CC42.2000005@alpha2.com>
References: <e53321d30705081317w3d7e6f5bsb38161f155c883da@mail.gmail.com> <Pine.LNX.4.63.0705081251200.20281@qynat.qvtvafvgr.pbz> <e53321d30705081402n2fa7e3c5pcd0ed7baeecebef4@mail.gmail.com> <4641CC42.2000005@alpha2.com>
Message-ID: <e53321d30705241312l6aee149bp3557f72476940bc@mail.gmail.com>

Sorry for the latent reply on this one guys - I got pulled off this project and after this thread progressed I had a lot of test cases and scenarios to work my way through. While I haven't finished testing and I'm not sure I adequately explained the situation I think I have found a workable resolution.

Adding ETH0 to the bridge just got really complicated and messy. Packets started to be routed to all kinds of places in different network scenarios and it wasn't the right answer to the problem although it did show quite a bit of promise initially. With this approach, we also lost the ability to fine-tune the bridge routing and left it up to the STP and other bridge algorithms.

Channel bonding is nice, but also not what we were after. It worked but in certain deployment scenarios we would need eth0 to be on different network(s) from the rest of the machine and the setup of this would be on a case-by-case basis. This is a little too hands-on for the guys who would be deploying the solution ;-)

Finally, we looked into modifying our default routing table. I _think_ this is going to be our end solution. I have devised a set of tests and hopefully it will expose any and all bugs that might come from this solution. Preliminary tests suggest that this will work well and can be easily adapted to suit our installations.

Thanks for all the help and suggestions guys! I knew this was possible but I didn't figure on there being 2-3 workable solutions. Means to an end, I guess.

Thanks!
- Gareth

On 5/9/07, Mark L. Wise <mark@alpha2.com> wrote:
> Is this not a routing issue?
>
> route add -host 10.1.1.3 gw <eth2 ethernet address> eth2
>
> This would route all traffic to 10.1.1.3 to eth2
>
> Mark
>
>
> semi linux wrote:
> > On 5/8/07, David Lang <david.lang@digitalinsight.com> wrote:
> >> On Tue, 8 May 2007, semi linux wrote:
> >>
> >> > I've got an odd problem where I've got two NICs on the same network
> >> > and I want all traffic to one IP to go out one interface and all other
> >> > traffic to use the second interface. I'm going to try and simplify my
> >> > actual setup, because a lot of it makes no difference to this post...
> >> >
> >> > I know this has to be an iptables sort of setup since the routing table
> >> > can only make a difference on different networks and not based on
> >> > looking for a specific IP address.
> >> >
> >> > The question is:
> >> >
> >> > eth0 IP: 10.1.1.1
> >> > eth1 IP: 10.1.1.2
> >> >
> >> > target: 10.1.1.3
> >> >
> >> > (these IPs are just examples, there are no hard-fast rules surrounding
> >> > the other possibilities)
> >> >
> >> > How do I make sure this goes out eth1 instead of eth0? Do I use the
> >> > mangle rule with the physdev module?
> >> >
> >> > I feel like I'm overlooking something or forgetting my basic network
> >> > ideas here...
> >>
> >> you haven't quite given enough info here
> >>
> >> if you have target2 10.1.1.4 and you want all traffic to target to go
> >> out eth0 and all traffic to target2 to go out eth1 then you would want to
> >> start out with defining host routes (the routing table _can_ look at
> >> specific hosts, not just networks)
> >>
> >> in addition, I believe that you will need to play around with arp
> >> filtering to make sure that each NIC only responds to arp requests for
> >> its IP addresses.
> >>
> >> if you really only have one remote IP address and two local addresses
> >> and you want all communications between the target and 10.1.1.1 to use
> >> eth0 while all communications between the target and 10.1.1.2 to use
> >> eth1 things get more complicated
> >>
> >> you would need to look into packet/connection tagging and iptables
> >> routing decisions.
> >>
> >> rather than try and go into that right now why don't you try to be a
> >> little clearer about exactly what you are trying to do.
> >>
> >> David Lang
> >>
> >
> > Ok... you asked for the whole thing, here it is (forget my previous
> > example):
> >
> > eth0 - 10.1.1.1
> > eth1 - N/A
> > eth2 - N/A
> > br0 (eth1, eth2) - 10.1.1.2
> > target - 10.1.1.3
> >
> > The bridge (br0) is setup using brctl and seems to work w/o problem...
> > The eth1 and eth2 IP addresses really don't matter since they are both
> > referenced via the bridge and are set to something invalid. 10.1.1.3
> > is connected via cross-over cable to eth2 port. br0 and eth0 are
> > connected to my network on the same subnet.
> >
> > What I'd like:
> > - all packets (from the network or local) where destination=10.1.1.3
> > to be routed to eth2.
> > - otherwise, all traffic from the network to use eth0 for I/O.
> >
> > Basically, I want to specify that ONLY traffic for 10.1.1.3 is to use
> > eth2.
> >
>
> --
> Mark L. Wise
>
> Alpha II Service, Inc.
> 1312 Epworth Ave
> Reynoldsburg, Ohio 43068-2116
> USA
>
> Office: (614) 868-5033
> Fax: (614) 868-1060
> Email: mark@alpha2.com
> WEB: www.alpha2.com
>
>

From jweber at amsuper.com Sat May 26 00:17:27 2007
From: jweber at amsuper.com (Jeff Weber)
Date: Sat May 26 01:20:21 2007
Subject: DNAT rule requires extra firewall pinhole
Message-ID: <200705251717.27252.jweber@amsuper.com>

I've setup DNAT on gateway such that external clients connecting to TCP port $SCADA_PORT on the gateway are actually connected to the node $MCB_IP on a private network. Here's my rule:

$IPTABLES -t nat -A PREROUTING -p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT \
    -i $DAS_SCADA_IF -j DNAT --to $MCB_IP:$SCADA_PORT

The gateway knows how to forward packets between the internal and external interfaces. The above rule works fine.

I've added a firewall rule to block external requests to forward through the gateway:

$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP

The trouble is, I just found out that the above firewall rule is not compatible with my DNAT rule. That is, DNAT rewrites the destination IP [as it should] to the $MCB_IP, then forwards the packet, which then encounters the new firewall rule, and is dropped. So I preceded the above firewall rule with another rule:

$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF -s $SCADANET -d $MCB_IP \
    --dport $SCADA_PORT -j ACCEPT

which enables the DNAT to work again. However, a side effect is that now external nodes on $SCADANET can forward port=$SCADA_PORT to IP=$MCB_IP directly through the firewall. Granted this is a small pinhole, but I'd like to plug it if possible.

I would think that it should be possible to prevent all external nodes from forwarding through the firewall, and to prevent external hosts from directly "seeing" an internal node on the private net.

Any suggestions?

TIA,
Jeff

From jengelh at linux01.gwdg.de Sat May 26 15:44:04 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt) Date: Sat May 26 16:47:13 2007 Subject: DNAT rule requires extra firewall pinhole In-Reply-To: <200705251717.27252.jweber@amsuper.com> References: <200705251717.27252.jweber@amsuper.com> Message-ID: <Pine.LNX.4.61.0705261542250.7344@yvahk01.tjqt.qr> On May 25 2007 17:17, Jeff Weber wrote: > >I've added a firewall rule to block external requests to forward through the >gateway: > >$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP Well that sounds a little broken, because the first packet of a TCP connection _is_ SYN. So you might want -p tcp ! -d destaddr ! --dport destport --syn -j DROP here... Alternatively ... -p tcp --syn -m conntrack --ctstate DNAT -j ACCEPT -p tcp --syn -j DROP Jan -- From pascal.mail at plouf.fr.eu.org Sat May 26 16:52:31 2007 
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Sat May 26 17:55:17 2007
Subject: DNAT rule requires extra firewall pinhole
In-Reply-To: <200705251717.27252.jweber@amsuper.com>
References: <200705251717.27252.jweber@amsuper.com>
Message-ID: <465849AF.7080207@plouf.fr.eu.org>

Hello,

Jeff Weber wrote:
> I've setup DNAT on gateway such that external clients connecting to TCP port
> $SCADA_PORT on the gateway are actually connected to the node $MCB_IP on a
> private network. Here's my rule:
>
> $IPTABLES -t nat -A PREROUTING -p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT \
> -i $DAS_SCADA_IF -j DNAT --to $MCB_IP:$SCADA_PORT
>
> I've added a firewall rule to block external requests to forward through the
> gateway:
>
> $IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP
>
> The trouble is, I just found out that the above firewall rule is not
> compatible with my DNAT rule.

Indeed. The TCP SYN packet arrives on $DAS_SCADA_IF, so it matches the rule.

> That is, DNAT rewrites the destination IP [as
> it should] to the $MCB_IP, then forwards the packet, which then encounters
> the new firewall rule, and is dropped.

Actually DNAT only rewrites the destination and does nothing more. It is the routing decision which forwards the packet.

> So I preceded the above firewall rule with another rule:
> $IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF -s $SCADANET -d $MCB_IP \
> --dport $SCADA_PORT -j ACCEPT
>
> which enables the DNAT to work again. However, a side effect is that now
> external nodes on $SCADANET can forward port=$SCADA_PORT to IP=$MCB_IP
> directly through the firewall.

Yes, this is a known side effect. Like you I used to worry about it but not any more now, considering that accesses via either the internal or the external address have exactly the same effects. Besides, one has to know about the internal address in order to use it, so why hide it?

> Granted this is a small pinhole, but I'd like
> to plug it if possible.
> I would think that it should be possible to prevent
> all external nodes from forwarding through the firewall, and to prevent
> external hosts from directly "seeing" an internal node on the private net.

I can think of the following options:

- Drop packets which match "-d $MCB_IP" in the mangle/PREROUTING chain. The mangle table is not the preferred way for filtering (you cannot use REJECT there) but it works. Do not use the nat table for filtering.

- MARK packets which match "-p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT" in mangle/PREROUTING, then DNAT the marked packets in the nat/PREROUTING chain and ACCEPT them in the filter/FORWARD table before the DROP rule. Or MARK the packets which do not match, don't DNAT them and DROP/REJECT them.

- In the filter/FORWARD chain, ACCEPT only packets matching "-m conntrack --ctstate DNAT --ctorigdst $DAS_SCADA_IP", that is with the external original destination address.

From andrex at alumni.utexas.net Mon May 28 13:20:57 2007
From: andrex at alumni.utexas.net (Andrew Schulman)
Date: Mon May 28 14:24:03 2007
Subject: iptables 1.3.7 doesn't properly test for condition patch
Message-ID: <bgel53lion8nqn77p455vughf1071fgple@4ax.com>

I have kernel 2.6.21, iptables 1.3.7, and pom-ng 20070527. I run

./runme --download --batch condition

and the patch applies successfully. But when I build iptables, the condition extension isn't included. This is because iptables-1.3.7/extensions/.condition-test tests for the existence of

$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h

But the condition patch doesn't create that file any more; it now creates

$KERNEL_DIR/include/linux/netfilter/xt_condition.h

I guess that .condition-test needs to check for the kernel version that it's being built against before deciding which header file it wants to look for.

Thanks,
Andrew.

From gopinath.u at gmail.com Mon May 28 15:45:11 2007
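Jan's `--ctstate DNAT` and Pascal's third option in the DNAT pinhole thread above are the same idea: admit a forwarded SYN only if conntrack translated it and the destination before translation was the gateway's public address. A SYN sent straight to the private address has original destination $MCB_IP and no DNAT flag, so it fails that match, which is exactly the pinhole Jeff wants closed. The ruleset below is an added example and not the thread's own; variable names are Jeff's, the addresses and port are constructed placeholders, and the commands are printed unless `IPTABLES` is pointed at the real binary.

```shell
#!/bin/sh
# Added example: FORWARD policy for Jeff's DNAT that keys on the original
# destination. Dry-run by default: set IPTABLES=iptables to apply as root.
set -eu

DAS_SCADA_IF=${DAS_SCADA_IF:-eth0}
DAS_SCADA_IP=${DAS_SCADA_IP:-198.51.100.10}   # gateway's public address (constructed)
MCB_IP=${MCB_IP:-10.0.0.20}                    # node on the private net (constructed)
SCADA_PORT=${SCADA_PORT:-20000}                # constructed
SCADANET=${SCADANET:-198.51.100.0/24}          # constructed

IPTABLES=${IPTABLES:-"echo iptables"}
ipt() { $IPTABLES "$@"; }

ruleset() {
    # Translate only what arrives on the external interface for the public
    # address; nothing else is ever DNATed.
    ipt -t nat -A PREROUTING -i "$DAS_SCADA_IF" -p tcp -d "$DAS_SCADA_IP" \
        --dport "$SCADA_PORT" -j DNAT --to-destination "$MCB_IP:$SCADA_PORT"

    # Replies and later packets of flows already admitted.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections from outside pass only if conntrack performed a DNAT
    # on them and the destination before that DNAT was our public address.
    # -d/--dport see the post-NAT values, --ctorigdst the pre-NAT one.
    ipt -A FORWARD -i "$DAS_SCADA_IF" -p tcp --syn -s "$SCADANET" \
        -m conntrack --ctstate DNAT --ctorigdst "$DAS_SCADA_IP" \
        -d "$MCB_IP" --dport "$SCADA_PORT" -j ACCEPT

    # Everything else new from outside: log, then drop.
    ipt -A FORWARD -i "$DAS_SCADA_IF" -p tcp --syn -j LOG --log-prefix "FWD drop: "
    ipt -A FORWARD -i "$DAS_SCADA_IF" -p tcp --syn -j DROP
}

# Number of commands a dry run emits, for checking the generated policy.
rule_count() { ruleset | grep -c '^iptables '; }

ruleset
```

Order matters: the DNAT-qualified ACCEPT has to precede the blanket `--syn -j DROP`, which is what Jeff's original pair got right and what this keeps while removing the `-d $MCB_IP` accept that let direct connections through.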
From: gopinath.u at gmail.com (Gopinath)
Date: Mon May 28 16:48:11 2007
Subject: Default deny rule
In-Reply-To: <4651C2EE.2080803@freemail.hu>
References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu> <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> <4648570D.4040308@freemail.hu> <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com> <4651C2EE.2080803@freemail.hu>
Message-ID: <d2af4f000705280645j74a57571j65bb21ab0bfcee40@mail.gmail.com>

Hi Lajos,

Thanks for your suggestion. I had upgraded my OS to Fedora 6, and also enabled the logging option for the DROP packets. Now the default denying functionality is working fine.

But this time I face another problem, i.e., I have applied static NAT on my firewall. In my simulation setup I am able to connect to the other end (INTERNAL) machine using the NAT IP assigned, from the EXTERNAL machine, as well as through the actual IP of the machine (INTERNAL). This spoils my purpose for NATting. I don't know why this happens. I suspect that there could be some problem with my NAT module. Please suggest... Is there any need to upgrade my kernel to add further support?

Regards,
Gopinath. U

On 5/21/07, Gáspár Lajos <swifty@freemail.hu> wrote:
> Hi,
>
> Gopinath wrote:
> > Hi,
> >
> > My objective is to replace my existing firewall with a Linux firewall.
> > We have point to point connectivity through VSAT with one of our
> > customers. The only major thing which the firewall needs to do is STATIC
> > NAT. As you may see, since this is a point to point connectivity all the
> > IPs employed are private IPs. While checking the f/w in simulation
> > mode, things were working fine (except default denying). I already
> > tried to achieve DEFAULT DENY by changing the default behavi�our of the
> > FORWARD policy to DROP by issuing the command "iptables -P FORWARD
> > DROP". But when I do this all the traffic was getting dropped. So
> If EVERYTHING is dropped then your rules do not get hit by the traffic.
> (Your rules are wrong.)
> Try to capture the traffic. Maybe you can find the problem.
>
> > again I tried by appending a policy in the forward chain (last rule) to
> (policy is always the last rule... :D )
> > drop all the packets by default. But even this didn't work out. Hope
> > you can understand my requirement & how I do the NATting from my
> > previous mail.
> >
> > Even though I have worked a bit with iptables before, I am a beginner
> > in building a linux firewall with iptables :-)
> >
> > Cheers :)
> > Gopinath.U
>
> Swifty
>

From mark at renton.name Mon May 28 19:46:50 2007
From: mark at renton.name (Ernest Davnis)
Date: Mon May 28 20:50:21 2007
Subject: -m owner and INPUT chain
Message-ID: <20070528174650.GA50672@diabolo.evga.ru>

Hi,

I've got a problem which I can't solve with the help of Linux. The problem is this: there's a server with many shell accounts, and I have to check what incoming/outgoing traffic these users generate.

No problem with outgoing traffic:

iptables -D OUTPUT -m owner --uid-owner 500 -p all -j ACCEPT

but it's said in man iptables:

   owner
       This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

It means that I can't use the owner module for the INPUT chain. I've also found a patch:

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/branches/patch-o-matic-ng/linux-2.6.11/owner-socketlookup/

but I can't make it work on linux kernel 2.6.20+, as there's a difference in tcp.h, udp.h etc. or anything else that I don't know.

Using FreeBSD to solve such a problem is the following:

# ipfw add ip from any to me in uid 500
# ipfw add ip from me to any out uid 500

Can I make something similar on Linux?

--
BRGDS.
Ernest Davnis.

From fernando at intrace.com.br Mon May 28 21:14:45 2007
From: fernando at intrace.com.br (Fernando R. Durso)
Date: Mon May 28 22:21:27 2007
Subject: -m owner and INPUT chain
In-Reply-To: <20070528174650.GA50672@diabolo.evga.ru>
References: <20070528174650.GA50672@diabolo.evga.ru>
Message-ID: <465B2A25.7030502@intrace.com.br>

Have you tried "iptables -D OUTPUT -o lo -m owner --uid-owner 500 -p all -j ACCEPT"? I mean specifying the output interface as lo with -o lo?

Ernest Davnis wrote:
> Hi,
>
> I've got a problem which I can't solve with the help of Linux. The
> problem is this:
> there's a server with many shell accounts, I have to check what
> incoming/outgoing traffic these users generate.
> No problem with outgoing traffic:
>
> iptables -D OUTPUT -m owner --uid-owner 500 -p all -j ACCEPT
> but it's said in man iptables:
>
> owner
> This module attempts to match various characteristics of the
> packet creator, for locally-generated packets.
> It is only valid in the OUTPUT chain, and even this
> some packets (such as ICMP ping responses) may have no
> owner, and hence never match.
>
> It means that I can't use the owner module for the INPUT chain.
> I've also found a patch:
> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/branches/patch-o-matic-ng/linux-2.6.11/owner-socketlookup/
> but I can't make it work on linux kernel 2.6.20+, as there's a
> difference in tcp.h, udp.h etc. or anything else that
> I don't know.
>
> Using FreeBSD to solve such a problem is the following:
> # ipfw add ip from any to me in uid 500
> # ipfw add ip from me to any out uid 500
>
> Can I make something similar on Linux?
>
>

From faperea at gmail.com Fri May 25 18:41:01 2007
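The man page Ernest quotes is right that `-m owner` works only in OUTPUT, and `-o lo` does not change that. The usual way to get per-user accounting of incoming traffic on Linux without the socket-lookup patch is to carry the identity on the connection: tag it with CONNMARK in OUTPUT, where the owner is known, and match the connection mark in INPUT. The script below is an added example, not from the thread; the UIDs and mark values are constructed, and the commands are printed unless `IPTABLES` is pointed at the real binary.

```shell
#!/bin/sh
# Added example: per-user traffic accounting in both directions via CONNMARK.
# Dry-run by default: set IPTABLES=iptables to apply as root.
set -eu

IPTABLES=${IPTABLES:-"echo iptables"}
ipt() { $IPTABLES "$@"; }

# uid:mark pairs (constructed). Marks must be unique per user and must not
# collide with marks used for anything else, such as policy routing.
USERS=${USERS:-"500:500 501:501"}

per_user_rules() {
    uid=$1; mark=$2
    # Copy the user's identity onto the connection from the first packet
    # the user sends on it; CONNMARK lives in the mangle table.
    ipt -t mangle -A OUTPUT -m owner --uid-owner "$uid" -j CONNMARK --set-mark "$mark"
    # Empty per-user chains: the byte/packet counters of the jump rules are
    # the accounting, read with "iptables -L INPUT -v -n -x" (and OUTPUT).
    ipt -N "acct_out_$uid"
    ipt -N "acct_in_$uid"
    ipt -A OUTPUT -m owner --uid-owner "$uid" -j "acct_out_$uid"
    # Incoming packets of a connection tagged above. For a connection the
    # remote side opened, packets that arrive before the user's process has
    # answered are not yet attributed; everything after the first reply is.
    ipt -A INPUT -m connmark --mark "$mark" -j "acct_in_$uid"
}

ruleset() {
    for pair in $USERS; do
        per_user_rules "${pair%%:*}" "${pair##*:}"
    done
}

# Number of commands a dry run emits, for checking the generated policy.
rule_count() { ruleset | grep -c '^iptables '; }

ruleset
```

This gives the ipfw-style "in uid 500" view for everything the user's own processes initiate, and nearly so for connections to their daemons. It needs conntrack loaded, and a user who can open raw sockets can still send packets with no owner, as the man page warns.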
From: faperea at gmail.com (Francisco Perea)
Date: Tue May 29 13:00:40 2007
Subject: Newbies questions compiling uClinux-dist-20070130 with m68k-uclinux-tools-20061214
In-Reply-To: <6bc01b0f0705241228w3e37e968if4ea3c7fe5c261d0@mail.gmail.com>
References: <6bc01b0f0705241228w3e37e968if4ea3c7fe5c261d0@mail.gmail.com>
Message-ID: <6bc01b0f0705250941q445d1099m33d066d1272e2fe9@mail.gmail.com>

Hi,

I'm a newbie in Linux land. I'm trying to build a small router for GPRS applications and I downloaded the last version of uClinux (uClinux-dist-20070130) and m68k-tools (m68k-uclinux-tools-20061214) for a M5272C3 EVB. It compiles fine for default options, but when I set routing functions, the linker stage for libnfnetlink doesn't work. Here is its output:

make[5]: Entering directory `/uClinux-dist/lib/libnfnetlink/build/src'
/bin/sh ../libtool --mode=link ucfront-gcc m68k-elf-gcc -m5307 -DCONFIG_COLDFIRE -fPIC -Wall -O2 -g -fomit-frame-pointer -pipe -fno-common -fno-builtin -Wall -DEMBED -msep-data -Dlinux -D__linux__ -Dunix -D__uClinux__ -Wl,--fatal-warnings -Wl,-elf2flt -Wl,-move-rodata -msep-data -Wl,--fatal-warnings -Wl,-elf2flt -Wl,-move-rodata -msep-data -o libnfnetlink.la -rpath /lib -Wc,-nostartfiles libnfnetlink.lo
rm -fr .libs/libnfnetlink.so.0.0.0.elf .libs/libnfnetlink.so.0.0.0.elf2flt
ucfront-gcc m68k-elf-gcc -m5307 -DCONFIG_COLDFIRE -shared .libs/libnfnetlink.o -m5307 -msep-data -Wl,--fatal-warnings -Wl,-elf2flt -Wl,-move-rodata -msep-data -Wl,--fatal-warnings -Wl,-elf2flt -Wl,-move-rodata -msep-data -nostartfiles -Wl,-soname -Wl,libnfnetlink.so.0 -o .libs/libnfnetlink.so.0.0.0
/usr/local/lib/gcc/m68k-uclinux/4.1.1/../../../../m68k-uclinux/bin/ld.real: warning: cannot find entry symbol _start; defaulting to 00000000
.libs/libnfnetlink.so.0.0.0.elf2flt: In function `__uClibc_start_main':
: undefined reference to `main'
collect2: ld returned 1 exit status
make[5]: *** [libnfnetlink.la] Error 1
make[5]: Leaving directory `/uClinux-dist/lib/libnfnetlink/build/src'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/uClinux-dist/lib/libnfnetlink/build'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/uClinux-dist/lib/libnfnetlink'
make[2]: *** [libnfnetlink] Error 2
make[2]: Leaving directory `/uClinux-dist/lib'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/uClinux-dist/lib'
make: *** [subdirs] Error 1
[root@localhost uClinux-dist]#

It didn't work for kernel 2.4 or kernel 2.6.

I also compiled my own version of the tools just to see if that solves the problem, but it doesn't. I guess the whole problem is a symbolic link to tell the compiler where to search for uClibc libraries. But the problem is where to put the symbolic link?

I also have tried switching from uClibc to uC-lib, and the kernel and libraries stages compile fine, but user apps won't compile. By the way, isn't uC-lib too old for user apps now?

I also changed user to root; it isn't the best practice, but I have to try! ;)

--
Francisco Perea
Ing. Electricista

From dummy at sapmail.pg.com Mon May 28 04:21:36 2007
From: dummy at sapmail.pg.com (dummy@sapmail.pg.com)
Date: Tue May 29 13:00:54 2007
Subject: Port forwarding without masquerading..???
Message-ID: <3143.67.190.128.248.1180318896.squirrel@webmail.usermail.com>

All,

I am changing data centers and want to forward traffic hitting server A to server B in another data center. I was using masquerading and it was working fine, however a problem has popped its ugly head. Server B needs to know the IP address of the client connecting to it. If it gets forwarded through server A, the IP address of server A is what is given. I tried to make this work without masquerading but I break the port forwarding. I've also Googled myself silly.

Any thoughts?

TIA,
Q

From unclejamil at gmail.com Tue May 29 05:25:56 2007
From: unclejamil at gmail.com (jamil egdemir)
Date: Tue May 29 13:01:04 2007
Subject: T1 router and multiple public ips
Message-ID: <5009b2270705282025q2a2243b6u7e4d3e1d7dcbd0c@mail.gmail.com>

Hi,

I have a T1 router that provides me with two public IPs: 13.47.77.2 and 13.47.77.3. There are two Linux boxes (each with two Ethernet cards) acting as the gateways to a 192.168.1.0 network sitting behind each public IP. My question is how do I get a browser on 192.168.1.30 sitting behind 13.47.77.2 to reach a web server on 192.168.1.2 sitting behind 13.47.77.3.

Usually I use something like the following rule to forward ports from outside IPs to internal IPs on the 192.168.1.0 networks:

'/sbin/iptables -t nat -A PREROUTING -p tcp --dport $MYPORT -j DNAT --to 192.168.1.2:80'

so.. all my previous NATting experience was for trying to let machines on the outside communicate with my networks behind the 13.47.77.2 and 13.47.77.3 public IPs.. the iptables command above works great for that.

Let's say the hostname (eth0-ip, eth1-ip) of the first gateway is floyd1 (13.47.77.2, 192.168.1.1) and the hostname (eth0-ip, eth1-ip) of the 2nd gateway is floyd2 (13.47.77.3, 192.168.1.1), and I'm trying to make a browser on 192.168.1.30 behind floyd1 talk to the web server on 192.168.1.2 behind floyd2 that is listening on port 80. The default gateways are currently set to 13.47.77.1 on both floyd1 and floyd2.

What are the iptables commands that I need to make this thing fly? I feel like I should have a pair of iptables commands on each gateway to do the job. One of them being a -j DNAT and the other being a -j SNAT to handle both directions..

I'm also wondering what is the 'best practice' for this situation where you have a T1 router with networks sitting behind each public IP that need to talk to each other..

--
-jamil
-------------------------------------------------------------
Jamil Egdemir
unclejamil@gmail.com
AIM: unclejamil
YahooMessenger: uncle_jamil
http://grad.physics.sunysb.edu/~jamil
(631) 338-3170 (cell)
-------------------------------------------------------------

From andrex at alumni.utexas.net Tue May 29 12:11:46 2007
From: andrex at alumni.utexas.net (Andrew Schulman)
Date: Tue May 29 13:15:23 2007
Subject: time match: build errors with kernel 2.6.21
Message-ID: <osun53dmddsubdnjb6492ceq4buai332pk@4ax.com>

I'm trying to build kernel 2.6.21 with the time match patch. The build fails as follows:

  CC [M]  net/ipv4/netfilter/ipt_time.o
net/ipv4/netfilter/ipt_time.c: In function 'init':
net/ipv4/netfilter/ipt_time.c:142: warning: implicit declaration of function 'ipt_register_match'
net/ipv4/netfilter/ipt_time.c: In function 'fini':
net/ipv4/netfilter/ipt_time.c:147: warning: implicit declaration of function 'ipt_unregister_match'
<snip>
  Building modules, stage 2.
  MODPOST 253 modules
WARNING: "ipt_register_match" [net/ipv4/netfilter/ipt_time.ko] undefined!
WARNING: "ipt_unregister_match" [net/ipv4/netfilter/ipt_time.ko] undefined!
make[2]: *** [__modpost] Error 1

Any help would be appreciated.

Thanks,
Andrew.

From andrex at alumni.utexas.net Tue May 29 12:18:19 2007
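For Jamil's T1 router question above: because both LANs are 192.168.1.0/24, the browser at 192.168.1.30 cannot address 192.168.1.2 across the link (that address is local on its own side), so it has to open http://13.47.77.3/ and let the two gateways translate. Only one DNAT is needed on floyd2 for that direction; the SNAT is the ordinary one floyd1 already does for all outbound traffic. The rule Jamil pastes has no `-i` or `-d`, which matters when $MYPORT is 80: PREROUTING also sees packets arriving from the LAN side, so every outbound web connection from floyd2's own LAN would be redirected to 192.168.1.2. The script below is an added example, not from the thread; interface names, the private prefix and the 13.47.77.x addresses are the post's, and SNAT instead of MASQUERADE is my choice because the public addresses are static. Commands are printed unless `IPTABLES` is pointed at the real binary.

```shell
#!/bin/sh
# Added example: rules for Jamil's two gateways, floyd1 and floyd2.
# Dry-run by default: set IPTABLES=iptables to apply as root.
set -eu

IPTABLES=${IPTABLES:-"echo iptables"}
ipt() { $IPTABLES "$@"; }

LAN=192.168.1.0/24
EXT_IF=eth0
INT_IF=eth1

# Common to both gateways: NAT the LAN behind the given public address.
nat_gateway() {
    pub=$1
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$pub"
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
}

floyd1_rules() { nat_gateway 13.47.77.2; }

floyd2_rules() {
    nat_gateway 13.47.77.3
    # Publish 192.168.1.2:80 on the public address only. -i and -d keep the
    # rule from also catching port-80 connections floyd2's own LAN sends out.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d 13.47.77.3 -p tcp --dport 80 \
        -j DNAT --to-destination 192.168.1.2:80
    # Admit only the connections the DNAT rule translated.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d 192.168.1.2 --dport 80 \
        -m conntrack --ctstate DNAT -j ACCEPT
}

rules_for() {
    case $1 in
        floyd1) floyd1_rules ;;
        floyd2) floyd2_rules ;;
        *) echo "unknown gateway: $1" >&2; return 1 ;;
    esac
}

# Packet path for the browser: 192.168.1.30 -> floyd1 SNAT -> 13.47.77.2
# -> T1 router -> floyd2 DNAT -> 192.168.1.2. Replies retrace it via
# floyd2's default route and floyd1's conntrack entry.
rules_for "${1:-floyd2}"
```

A second SNAT on floyd2 becomes necessary only for the hairpin case (a client on floyd2's own LAN reaching the server through 13.47.77.3), which is not the path Jamil asks about.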
From: andrex at alumni.utexas.net (Andrew Schulman)
Date: Tue May 29 13:21:54 2007
Subject: condition match: incompatible pointer types
Message-ID: <53vn53ta7s8173jvsiamu2daldv782pq5l@4ax.com>

I'm building kernel 2.6.21 with the condition patch. The build succeeds, but there are some suspicious-looking errors:

  CC [M]  net/netfilter/xt_condition.o
net/netfilter/xt_condition.c:259: warning: initialization from incompatible pointer type
net/netfilter/xt_condition.c:260: warning: initialization from incompatible pointer type
net/netfilter/xt_condition.c:269: warning: initialization from incompatible pointer type
net/netfilter/xt_condition.c:270: warning: initialization from incompatible pointer type

These correspond to the checkentry and destroy fields of condition_match and condition6_match.

Thanks,
Andrew.

From andrex at alumni.utexas.net Tue May 29 12:34:37 2007
From: andrex at alumni.utexas.net (Andrew Schulman) Date: Tue May 29 13:37:58 2007 Subject: iptables 1.3.7 doesn't properly test for condition patch References: <bgel53lion8nqn77p455vughf1071fgple@4ax.com> Message-ID: <jb0o53l444mih7lnb29k4uba93jhsbfb3d@4ax.com> > I have kernel 2.6.21, iptables 1.3.7, and pom-ng 20070527. I run > > ./runme --download --batch condition > > and the patch applies successfully. But when I build iptables, the > condition extension isn't included. This is because > iptables-1.3.7/extensions/.condition-test tests for the existence of > > $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h > > But the condition patch doesn't create that file any more; it now creates > > $KERNEL_DIR/include/linux/netfilter/xt_condition.h For the archive, Massimilano Hofer sent me the attached patch, which solves the problem. It seems that this patch should be merged into iptables. Andrew. diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test iptables-1.3.5-20060922.new/extensions/.condition-test --- iptables-1.3.5-20060922.orig/extensions/.condition-test 2002-11-02 16:00:15.000000000 +0100 +++ iptables-1.3.5-20060922.new/extensions/.condition-test 2006-09-26 12:56:01.000000000 +0200 @@ -1,3 +1,5 @@ #!/bin/sh # True if condition is applied. -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition +( [ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] || + [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) && + echo condition diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test6 iptables-1.3.5-20060922.new/extensions/.condition-test6 --- iptables-1.3.5-20060922.orig/extensions/.condition-test6 2003-02-25 12:54:56.000000000 +0100 +++ iptables-1.3.5-20060922.new/extensions/.condition-test6 2006-09-26 12:55:23.000000000 +0200 
@@ -1,3 +1,5 @@ #!/bin/sh # True if condition6 is applied. -[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition +( [ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] || + [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) && + echo condition diff -Nru iptables-1.3.5-20060922.orig/extensions/libip6t_condition.c iptables-1.3.5-20060922.new/extensions/libip6t_condition.c --- iptables-1.3.5-20060922.orig/extensions/libip6t_condition.c 2005-02-14 14:13:04.000000000 +0100 +++ iptables-1.3.5-20060922.new/extensions/libip6t_condition.c 2006-09-26 13:04:09.000000000 +0200 @@ -6,7 +6,14 @@ #include <ip6tables.h> #include<linux/netfilter_ipv6/ip6_tables.h> + +#ifndef _X_TABLES_H #include<linux/netfilter_ipv6/ip6t_condition.h> +#define condition_info condition6_info +#define CONDITION_NAME_LEN CONDITION6_NAME_LEN +#else +#include<linux/netfilter/xt_condition.h> +#endif static void @@ -29,8 +36,12 @@ const struct ip6t_entry *entry, unsigned int *nfcache, struct ip6t_entry_match **match) { - struct condition6_info *info = - (struct condition6_info *) (*match)->data; + static const char * const forbidden_names[]={ "", ".", ".." }; + const char *name; + int i; + + struct condition_info *info = + (struct condition_info *) (*match)->data; if (c == 'X') { if (*flags) 
@@ -39,12 +50,26 @@ check_inverse(optarg, &invert, &optind, 0); - if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN) - strcpy(info->name, argv[optind - 1]); - else + name = argv[optind - 1]; + /* We don't want a '/' in a proc file name. */ + for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++) + if (name[i] == '/') + exit_error(PARAMETER_PROBLEM, + "Can't have a '/' in a condition name"); + + /* We can't handle file names longer than CONDITION_NAME_LEN and */ + /* we want a NULL terminated string. */ + if (i == CONDITION_NAME_LEN) exit_error(PARAMETER_PROBLEM, "File name too long"); + /* We don't want certain reserved names. */ + for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++) + if(strcmp(name, forbidden_names[i])==0) + exit_error(PARAMETER_PROBLEM, + "Forbidden condition name"); + + strcpy(info->name, name); info->invert = invert; *flags = 1; return 1; @@ -67,8 +92,8 @@ print(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match, int numeric) { - const struct condition6_info *info = - (const struct condition6_info *) match->data; + const struct condition_info *info = + (const struct condition_info *) match->data; printf("condition %s%s ", (info->invert) ? "!" : "", info->name); } @@ -78,8 +103,8 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match) { - const struct condition6_info *info = - (const struct condition6_info *) match->data; + const struct condition_info *info = + (const struct condition_info *) match->data; printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name); } 
@@ -88,8 +113,8 @@ static struct ip6tables_match condition = { .name = "condition", .version = IPTABLES_VERSION, - .size = IP6T_ALIGN(sizeof(struct condition6_info)), - .userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)), + .size = IP6T_ALIGN(sizeof(struct condition_info)), + .userspacesize = IP6T_ALIGN(sizeof(struct condition_info)), .help = &help, .parse = &parse, .final_check = &final_check, diff -Nru iptables-1.3.5-20060922.orig/extensions/libip6t_condition.man iptables-1.3.5-20060922.new/extensions/libip6t_condition.man --- iptables-1.3.5-20060922.orig/extensions/libip6t_condition.man 2006-01-30 09:50:09.000000000 +0100 +++ iptables-1.3.5-20060922.new/extensions/libip6t_condition.man 2006-09-26 09:31:40.000000000 +0200 @@ -1,4 +1,4 @@ This matches if a specific /proc filename is '0' or '1'. .TP .BR "--condition " "[!] \fIfilename" -Match on boolean value stored in /proc/net/ip6t_condition/filename file +Match on boolean value stored in /proc/net/nf_condition/filename file diff -Nru iptables-1.3.5-20060922.orig/extensions/libipt_condition.c iptables-1.3.5-20060922.new/extensions/libipt_condition.c --- iptables-1.3.5-20060922.orig/extensions/libipt_condition.c 2005-02-14 14:13:04.000000000 +0100 +++ iptables-1.3.5-20060922.new/extensions/libipt_condition.c 2006-09-26 12:01:57.000000000 +0200 @@ -6,7 +6,12 @@ #include <iptables.h> #include<linux/netfilter_ipv4/ip_tables.h> + +#ifndef _X_TABLES_H #include<linux/netfilter_ipv4/ipt_condition.h> +#else +#include<linux/netfilter/xt_condition.h> +#endif static void @@ -29,6 +34,10 @@ const struct ipt_entry *entry, unsigned int *nfcache, struct ipt_entry_match **match) { + static const char * const forbidden_names[]={ "", ".", ".." }; + const char *name; + int i; + struct condition_info *info = (struct condition_info *) (*match)->data; 
@@ -39,12 +48,26 @@ check_inverse(optarg, &invert, &optind, 0); - if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN) - strcpy(info->name, argv[optind - 1]); - else + name = argv[optind - 1]; + /* We don't want a '/' in a proc file name. */ + for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++) + if (name[i] == '/') + exit_error(PARAMETER_PROBLEM, + "Can't have a '/' in a condition name"); + + /* We can't handle file names longer than CONDITION_NAME_LEN and */ + /* we want a NULL terminated string. */ + if (i == CONDITION_NAME_LEN) exit_error(PARAMETER_PROBLEM, "File name too long"); + /* We don't want certain reserved names. */ + for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++) + if(strcmp(name, forbidden_names[i])==0) + exit_error(PARAMETER_PROBLEM, + "Forbidden condition name"); + + strcpy(info->name, name); info->invert = invert; *flags = 1; return 1; diff -Nru iptables-1.3.5-20060922.orig/extensions/libipt_condition.man iptables-1.3.5-20060922.new/extensions/libipt_condition.man --- iptables-1.3.5-20060922.orig/extensions/libipt_condition.man 2006-01-30 09:50:09.000000000 +0100 +++ iptables-1.3.5-20060922.new/extensions/libipt_condition.man 2006-09-26 09:31:42.000000000 +0200 @@ -1,4 +1,4 @@ This matches if a specific /proc filename is '0' or '1'. .TP .BI "--condition " "[!] \fIfilename\fP" -Match on boolean value stored in /proc/net/ipt_condition/filename file +Match on boolean value stored in /proc/net/nf_condition/filename file From eric at inl.fr Tue May 29 14:49:03 2007 
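Review bot: `$KERNEL_DIR` is expanded unquoted in both `-f` tests of the `.condition-test` and `.condition-test6` hunks, so a kernel directory path containing whitespace splits into several words and `[` fails with a syntax error instead of reporting whether the header exists; quote it, e.g. `[ -f "$KERNEL_DIR/include/linux/netfilter/xt_condition.h" ]`. The `( ... )` grouping also forks a subshell for no benefit; `{ [ -f ... ] || [ -f ... ]; } && echo condition` or a single `[ -f ... -o -f ... ]` test does the same without it.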
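Review bot: in the `#include` hunks of `libip6t_condition.c` and `libipt_condition.c`, selecting the header with `#ifndef _X_TABLES_H` ties the build to the include-guard name of `linux/netfilter/x_tables.h`, which is an internal detail and is only defined here if `ip6_tables.h`/`ip_tables.h` happened to include that header first; a renamed guard silently falls back to the legacy `ipt_condition.h`/`ip6t_condition.h`. Prefer an explicit define derived from the `.condition-test` result (or a build-time header check), and add a comment on `#define condition_info condition6_info`, which rewrites a struct tag for the remainder of the translation unit.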
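Review bot: in both `parse` hunks the loop `for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)` compares the `int` index `i` with a `size_t`, which draws a sign-compare warning; use `size_t` for that loop or an `ARRAY_SIZE`-style macro. The length check is sound (a name of exactly `CONDITION_NAME_LEN` characters is rejected, so the `strcpy` always leaves room for the terminator), but the `'/'` scan stops at `CONDITION_NAME_LEN`, so an over-long name with a slash beyond that point is reported as "File name too long" rather than as containing a slash, and the message could state the limit. The validation code is duplicated byte for byte between the IPv4 and IPv6 files; a shared helper would keep the two from drifting.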
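Review bot: the `libip6t_condition.man` and `libipt_condition.man` hunks unconditionally document `/proc/net/nf_condition/filename`, but the C changes still build against the legacy `ipt_condition.h`/`ip6t_condition.h` headers when `_X_TABLES_H` is not defined, and in that configuration the files live under the old `/proc/net/ipt_condition` and `/proc/net/ip6t_condition` paths; the man pages should mention both locations or say which kernel module each applies to.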
From: eric at inl.fr (Eric Leblond)
Date: Tue May 29 15:53:37 2007
Subject: [Announce] NuFW 2.2 is available
Message-ID: <1180442943.26407.5.camel@localhost.localdomain>

Hi,

NuFW Core team is proud to announce the availability of NuFW 2.2.0, first release of the new stable branch 2.2.

NuFW fully integrates with Netfilter and Iptables and adds authentication capabilities. Its algorithm allows authenticated filtering even on multiuser computers.

The set of new features is quite impressive:
 * Full IPv6 support
 * Advanced marking policy for QoS and routing:
   * per user
   * per application
   * per OS name
 * Command mode for nuauth:
   * Display connected users
   * Disconnect selected users
   * List connected nufw firewalls
   * Change debug level and debug areas
 * Backward compatibility with NuFW 2.0
 * Protocol improvements:
   * Network interface information is available
   * Connection accounting

NuFW : http://www.nufw.org/
NuFW 2.2, what's in the .2 ? : http://www.nufw.org/NuFW-2-2-what-s-in-the-2.html

Best regards,
--
Eric Leblond <eric@inl.fr>
From swifty at freemail.hu Tue May 29 15:04:32 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Tue May 29 16:08:49 2007
Subject: Default deny rule
In-Reply-To: <d2af4f000705280645j74a57571j65bb21ab0bfcee40@mail.gmail.com>
References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu> <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> <4648570D.4040308@freemail.hu> <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com> <4651C2EE.2080803@freemail.hu> <d2af4f000705280645j74a57571j65bb21ab0bfcee40@mail.gmail.com>
Message-ID: <465C24E0.8010001@freemail.hu>

Hi Gopinath,

> Hi Lajos,
>
> Thanks for your suggestion.
>
> I had upgraded my OS to Fedora 6, and also enabled the logging option for
> the DROP packets. Now the default deny functionality is working
> fine. But this time I face another problem, i.e., I have applied static
> NAT on my firewall. In my simulation setup I am able to connect to the
> other end (INTERNAL) machine using the NAT IP assigned, from the
> EXTERNAL machine, as well as through the actual IP of the
> machine (INTERNAL). This spoils my purpose for NATing. I don't know why
> this happens. I suspect that there could be some problem with my NAT
> module. Please suggest...

I think that this is not a NATing but a routing problem.
I do not know your current script but maybe there is an accept that allows this state.
I would add the following option to the ACCEPT rule in the FORWARD chain:

-m conntrack --ctstate DNAT

>
> Is there any need to upgrade my kernel to add further support?
>
I do not think so but it is good to have an up-to-date system.

> Regards,
> Gopinath. U

Swifty
From gopinath.u at gmail.com Tue May 29 16:44:44 2007
From: gopinath.u at gmail.com (Gopinath)
Date: Tue May 29 17:47:51 2007
Subject: Default deny rule
In-Reply-To: <465C24E0.8010001@freemail.hu>
References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu> <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> <4648570D.4040308@freemail.hu> <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com> <4651C2EE.2080803@freemail.hu> <d2af4f000705280645j74a57571j65bb21ab0bfcee40@mail.gmail.com> <465C24E0.8010001@freemail.hu>
Message-ID: <d2af4f000705290744i4518ae7bu11b1fb7e2eb14a68@mail.gmail.com>

Thank you very much Lajos !!!!!!!!!!!!!!!

It is working fine now after adding the line "-m conntrack --ctstate DNAT" in the ACCEPT statement of the FORWARD chain as you've said in the previous mail.

Could you please explain how it works after adding the line "-m conntrack --ctstate DNAT" in the ACCEPT stmt of the FORWARD chain? I'm very eager to know this :-)

Regards,
Gopinath.U

I have also upgraded my iptables to version 1.3.7

On 5/29/07, Gáspár Lajos <swifty@freemail.hu> wrote:
> Hi Gopinath,
> > Hi Lajos,
> >
> > Thanks for your suggestion.
> >
> > I had upgraded my OS to Fedora 6, and also enabled the logging option for
> > the DROP packets. Now the default deny functionality is working
> > fine. But this time I face another problem, i.e., I have applied static
> > NAT on my firewall. In my simulation setup I am able to connect to the
> > other end (INTERNAL) machine using the NAT IP assigned, from the
> > EXTERNAL machine, as well as through the actual IP of the
> > machine (INTERNAL). This spoils my purpose for NATing. I don't know why
> > this happens. I suspect that there could be some problem with my NAT
> > module. Please suggest...
> I think that this is not a NATing but a routing problem.
> I do not know your current script but maybe there is an accept that
> allows this state.
> I would add the following option to the ACCEPT rule in the FORWARD chain:
>
> -m conntrack --ctstate DNAT
>
> >
> > Is there any need to upgrade my kernel to add further support ?
> >
> I do not think so but it is good to have an up-to-date system.
> > Regards,
> > Gopinath. U
>
> Swifty
>
From dufresne at sysinfo.com Tue May 29 17:33:11 2007
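Gopinath asks above why "-m conntrack --ctstate DNAT" closes the hole. The following is an added example, not code from anyone in the thread: the loose FORWARD rule Lajos suspects, beside the corrected chain, showing why a connection sent straight to the internal address is no longer forwarded. Interface names and addresses are assumed placeholders, and every rule is issued through $IPT so that setting IPT=echo dry-runs the script.

```shell
#!/bin/sh
# Added example, not from the thread: a FORWARD chain that admits
# external traffic to an internal host only through its static NAT
# address. Interface names and addresses are constructed placeholders.
IPT="${IPT:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"                   # towards the EXTERNAL machine
INT_IF="${INT_IF:-eth1}"                   # towards the INTERNAL machine
NAT_IP="${NAT_IP:-203.0.113.10}"           # public address mapped to the host
INTERNAL_IP="${INTERNAL_IP:-192.168.1.2}"  # the host's real address

# Static NAT as the thread describes it: anything arriving from outside
# for NAT_IP is rewritten to INTERNAL_IP before the routing decision,
# and the host's own outbound traffic is rewritten to NAT_IP.
static_nat_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$NAT_IP" \
        -j DNAT --to-destination "$INTERNAL_IP"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INTERNAL_IP" \
        -j SNAT --to-source "$NAT_IP"
}

# The loose form that lets the real address leak: every packet from
# outside is forwarded whether or not it passed the DNAT rule, so a
# connection addressed directly to INTERNAL_IP is forwarded as well.
loose_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
}

# The corrected chain. Conntrack tags a connection with the DNAT state
# when its first packet was rewritten in nat PREROUTING; a packet
# addressed directly to INTERNAL_IP never matched that rule, carries no
# DNAT state, and falls through to the logged DROP policy.
strict_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INTERNAL_IP" \
        -m conntrack --ctstate DNAT -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INTERNAL_IP" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
}

# Install the NAT rules and the corrected chain when run as "apply".
if [ "${1:-}" = apply ]; then
    static_nat_rules
    strict_forward_rules
fi
```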
From: dufresne at sysinfo.com (R. DuFresne)
Date: Tue May 29 18:33:38 2007
Subject: Looking for a how-to type battle plan for 2 physical subnets and an openvpn tunnel.
In-Reply-To: <bf0ca81a0705161135y12499869yc93ea9043eec44bc@mail.gmail.com>
References: <bf0ca81a0705161135y12499869yc93ea9043eec44bc@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0705291126290.8300@darkstar.sysinfo.com>

On Wed, 16 May 2007, Bill Ries-Knight wrote:

> ok, I have a solution issue...
>
> We just had a server cracked (fc4, built by my predecessor)
>
> The server acts as a firewall, VPN server, content filtering system,
> samba server for files and ssh tunnel to the network.
>
> There are 3 NICs covering 2 physical subnets, school
> administration/teachers and computer lab for the students, each with
> their own NIC and the gateway to the internet on the third. Openvpn
> provides a tun interface with a third subnet to manage.
>
> Software we are running is iptables for the firewall, Openvpn for the
> vpn tunnel between physical sites, samba and clamav/squid/dansguardian
> for content filtering and openssh for remote access.
>
> I am using Debian Etch for the server.
>
> Is there anyone with a reference on how to manage this one?
>
> I can get the old firewall rules into place, but adding ipmasq munges
> it all up. Without ipmasq there is no name based browsing at all.
>
> At various times I can get the vpn happy, but no browsing. If I try
> to bring both physical subnets into play, it munges. I have issues
> with name based internet browsing, or a few minutes later, I have
> issues with the ip address based access. I.e.: I can ping out, but not
> name browse.. a bit later I cannot even ping out.
>
> I am really lost here.
>

First off, a firewall is a security device. And should be a dedicated device for that purpose only. Perhaps the open vpn might reside here, but all the rest belongs on different secured systems. Especially samba!
I'd at this point look at a project to divide all these services to their own secured systems, and redo the firewall, perhaps with the vpn tunneling application as its own dedicated system. Anything less, and you are likely to be facing the same issue of trying to recover hacked/cracked servers in the near future again.

As for samba services, they should either be stopped at the inside perimeter of the network, or if really required outside the network then only provided in a secure tunnel. This is ancient knowledge in the security realm.

The point here is; there is no quick fix for this setup. Once a system is hacked as you state yours has been, you face a total remake of the system(s) involved. And in this case, since the setup was dubious to begin with, you have a major project now at hand.

thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
From jpb at entel.ca Tue May 29 17:39:02 2007
From: jpb at entel.ca (Paul Blondé)
Date: Tue May 29 18:42:12 2007
Subject: T1 router and multiple public ips
In-Reply-To: <5009b2270705282025q2a2243b6u7e4d3e1d7dcbd0c@mail.gmail.com>
Message-ID: <001801c7a207$7b734090$5a05a8c0@nisgaa.net>

Shouldn't the T1 router be configured to handle the traffic between the two public IPs? Or are the gateways able to talk to one another from the "inside"? Are your gateways both using the same segment? I would have floyd1 using 192.168.10.x and floyd2 using 192.168.11.x or something like that so you could do the following:

Set up hosts files on the gateways to point traffic directed to each other's networks at each other (or on each machine, but that's a pain unless you insert in each user's startup script a command to copy the hosts file from a file server), so for example if you have a domain "www.floyd1sapacheserver.com" that points to the public IP 13.47.77.2, you would have an entry in the hosts file of floyd2 point to 192.168.10.x, and the reverse applies to "www.floyd2siisserver.com", you would have an entry in the hosts file of floyd1 that pointed to 192.168.11.x, at least that's what I would try.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul Blondé

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> jamil egdemir
> Sent: Monday, May 28, 2007 8:26 PM
> To: netfilter@lists.netfilter.org
> Subject: T1 router and multiple public ips
>
>
> Hi,
>
> I have a T1 router that provides me with two public ips: 13.47.77.2
> and 13.47.77.3. There are two linux boxes, (each with two Ethernet
> cards) acting as the gateways to a 192.168.1.0 network sitting behind
> each public ip. My question is how do I get a browser on 192.168.1.30
> sitting behind 13.47.77.2 to reach a web server on 192.168.1.2 sitting
> behind 13.47.77.3.
>
> Usually I use something like the following rule to forward ports from
> outside ips to internal ips on the 192.168.1.0 networks:
>
> '/sbin/iptables -t nat -A PREROUTING -p tcp --dport $MYPORT
> -j DNAT --to 192.168.1.2:80'
>
> so.. all my previous natting experience was for trying to let machines
> on the outside communicate with my networks behind the 13.47.77.2 and
> 13.47.77.3 public ips.. the iptables command above works great for
> that.
>
> let's say the hostname(eth0-ip, eth1-ip) of the first gateway are
> floyd1(13.47.77.2, 192.168.1.1) and the hostname(eth0-ip, eth1-ip) of
> the 2nd gateway floyd2(13.47.77.3, 192.168.1.1) and I'm trying to make
> a browser on 192.168.1.30 behind floyd1 talk to the web server on
> 192.168.1.2 behind floyd2 that is listening on port 80. The default
> gateways are currently set to 13.47.77.1 on both floyd1 and floyd2.
>
> What are the iptables commands that I need to make this thing fly? I
> feel like I should have a pair of iptables commands on each gateway to
> do the job. One of them being a -j DNAT and the other being a -j SNAT
> to handle both directions..
>
> I'm also wondering what is the 'best practice' for this situation
> where you have a T1 router with networks sitting behind each public ip
> that need to talk to each other..
>
>
> --
> -jamil
>
> -------------------------------------------------------------
> Jamil Egdemir
> unclejamil@gmail.com
> AIM: unclejamil
> YahooMessenger: uncle_jamil
> http://grad.physics.sunysb.edu/~jamil
> (631) 338-3170 (cell)
> -------------------------------------------------------------
>
From neil at JAMMConsulting.com Tue May 29 19:31:23 2007
From: neil at JAMMConsulting.com (Neil Aggarwal)
Date: Tue May 29 20:34:29 2007
Subject: NAT rules for VPN only allowing one user?
Message-ID: <000c01c7a217$2e0ab670$dededede@neilhp>

Hello:

I have a Linux machine acting as a firewall for my network.

I have a couple of remote users that need access to the internal network, so I put a Linksys RV042 VPN Router on my internal switch.

On the Linux box, I set these iptables rules (Line breaks added for readability):

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ETH0_IP
  --sport 1024: --dport 1723
  -j DNAT --to $LINKSYS_VPN_IP:1723
/sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
  -p tcp --sport 1024: --dport 1723
  -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1
  -d $LINKSYS_VPN_IP -p tcp --dport 1723
  -j SNAT --to-source $ETH1_IP

/sbin/iptables -t nat -A PREROUTING -p gre -i eth0
  -j DNAT --to $LINKSYS_VPN_IP
/sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
  -p gre -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP
  -p gre -j SNAT --to-source $ETH1_IP

/sbin/iptables -t nat -A PREROUTING -s $LINKSYS_VPN_IP -d $ETH1_IP
  -p gre -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP
  -p gre -j ACCEPT

Either one of my remote users can connect to the VPN using the Windows XP VPN client. But, if one of them is connected and the other tries to connect, the second person gets to the verifying username and password screen and then gets an Error 619 that they are not able to connect.

I think somehow the existing connection is mis-routing the login for the second connection.

Any ideas what could be going on?

Thanks,
Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.
From pascal.mail at plouf.fr.eu.org Tue May 29 19:53:20 2007
From: pascal.mail at plouf.fr.eu.org (Pascal Hambourg)
Date: Tue May 29 20:56:51 2007
Subject: Port forwarding without masquerading..???
In-Reply-To: <3143.67.190.128.248.1180318896.squirrel@webmail.usermail.com>
References: <3143.67.190.128.248.1180318896.squirrel@webmail.usermail.com>
Message-ID: <465C6890.9000106@plouf.fr.eu.org>

Hello,

dummy@sapmail.pg.com wrote:
>
> I am changing data centers and want to forward traffic hitting server A to
> Server B in another data center. I was using masquerading and it was
> working fine, however a problem has popped its ugly head. Server B needs
> to know the IP address of the client connecting to it. If it gets
> forwarded through Server A, the IP address of Server A is what is given.
>
> I tried to make this work without masquerading but I break the port
> forwarding.

The reply packets *must* go back to the forwarding box (A) by any means in order for the DNAT to work properly. Masquerading on box A was an easy way to achieve this, but the drawback is it hides the real source address. Another problem may be that some router or firewall in the path between box A and box B drops forwarded packets with a "foreign" source address.

The only workaround I can think of when box A and box B are not in the same network is some tunnel or VPN between them and advanced routing on box B set up so it sends the reply packets of forwarded connections back to box A through the tunnel/VPN. This way, intermediate routers do not see foreign source addresses and box B sends the reply traffic back to box A regardless of the destination address. The advanced routing rule may be based on the destination address (if the traffic is forwarded to a specific address such as a private tunnel address), the protocol, the destination port or a connection mark.
From jengelh at linux01.gwdg.de Tue May 29 20:12:40 2007
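The connection-mark variant Pascal mentions, worked through as an added example that is not code from the thread: on box B, connections whose first packet arrived through the tunnel are CONNMARKed, and replies carrying that mark are routed back into the tunnel instead of toward the default gateway. The tunnel interface, peer address, mark value and table number are assumed placeholders, and every command goes through $IPT, $IP or $SYSCTL so the script can be dry-run with those set to echo.

```shell
#!/bin/sh
# Added example, not from the thread: reply routing on box B for
# connections DNATed by box A and carried over a tunnel. All values
# below are constructed placeholders.
TUN_IF="${TUN_IF:-tun0}"            # tunnel interface towards box A
TUN_PEER="${TUN_PEER:-10.8.0.1}"    # box A's address inside the tunnel
FWMARK="${FWMARK:-0x1}"             # connection mark meaning "came via tunnel"
RT_TABLE="${RT_TABLE:-100}"         # routing table consulted for marked replies
IPT="${IPT:-/sbin/iptables}"
IP="${IP:-/sbin/ip}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# Mark every connection whose first packet entered through the tunnel,
# then copy the connection mark back onto each locally generated packet
# so that the routing decision can see it. The kernel re-routes a local
# packet when the mangle OUTPUT hook changes its mark.
mark_tunnel_connections() {
    $IPT -t mangle -A PREROUTING -i "$TUN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$FWMARK"
    $IPT -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Policy routing: marked packets consult RT_TABLE, whose only route is a
# default via the tunnel peer, so replies return to box A whatever the
# client's real address is. Unmarked traffic keeps using the main table.
route_marked_replies() {
    $IP rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    $IP route add default via "$TUN_PEER" dev "$TUN_IF" table "$RT_TABLE"
}

# Strict reverse-path filtering would discard the forwarded packets,
# because their source addresses are not routed through TUN_IF. The
# effective setting is the larger of "all" and the per-interface value,
# so both are switched to loose mode (2): the source only has to be
# reachable through some interface.
relax_rp_filter() {
    $SYSCTL -w net.ipv4.conf.all.rp_filter=2
    $SYSCTL -w "net.ipv4.conf.$TUN_IF.rp_filter=2"
}

# Install everything when run as "apply".
if [ "${1:-}" = apply ]; then
    mark_tunnel_connections
    route_marked_replies
    relax_rp_filter
fi
```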
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue May 29 21:16:08 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <000c01c7a217$2e0ab670$dededede@neilhp>
References: <000c01c7a217$2e0ab670$dededede@neilhp>
Message-ID: <Pine.LNX.4.61.0705292011230.11140@yvahk01.tjqt.qr>

On May 29 2007 12:31, Neil Aggarwal wrote:

>/sbin/iptables -t nat -A POSTROUTING -o eth1
> -d $LINKSYS_VPN_IP -p tcp --dport 1723
> -j SNAT --to-source $ETH1_IP

This is redundant.

>Either one of my remote users can connect to the VPN using
>the Windows XP VPN client. But, if one of them is connected
>and the other tries to connect, the second person gets to
>the verifying username and password screen and then
>gets an Error 619 that they are not able to connect.
>
>I think somehow the existing connection is mis-routing
>the login for the second connection.
>
>Any ideas what could be going on?

Use the holy tcpdump.

Jan
--
From mmckeay at stillsecure.com Tue May 29 18:51:46 2007
From: mmckeay at stillsecure.com (Martin McKeay)
Date: Wed May 30 09:31:01 2007
Subject: Looking for feedback on our GUI
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3029374C1@webmail.latis.com>

My name is Martin McKeay and I've been lurking on the list for a little while. I'm the Product Evangelist for Cobia and I've been working at StillSecure for about 3 months now. A large part of my job is outreach and getting feedback from the community. We think we've come up with an exciting product in Cobia, our unified network platform, but we'd like to get some feedback from the people who are the experts on Iptables so we can make it better.

One of the first modules we've created is a web interface for Iptables. We're very proud of the GUI; it's easy to use whether you're a new user or an expert. What I'd like to know is if we've missed anything; is there a feature in Iptables that we've missed or not implemented as well as we could have? Or have we done something that's confusing or poorly documented? Or could we just be doing it better?

Cobia comes as an ISO or a VMWare image and can be downloaded at http://cobia.stillsecure.com/?q=node/16. Cobia is free to download, and our existing modules are based on open source projects like Iptables. We have partners who are working on creating additional modules, but it's the firewall module that I'd like some feedback on.

Please give it a try and let me know what you think, either on the list, in the Cobia forums or by contacting me directly.

Thanks,
Martin

Martin McKeay, CISSP, GSNA
Product Evangelist
StillSecure
martin@stillsecure.com <mailto:mmckeay@stillsecure.com>
707-495-7926
http://cobia.stillsecure.com/mckeay
From jengelh at linux01.gwdg.de Tue May 29 22:33:21 2007
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Wed May 30 13:14:19 2007
Subject: iptables 1.3.7 doesn't properly test for condition patch
In-Reply-To: <jb0o53l444mih7lnb29k4uba93jhsbfb3d@4ax.com>
References: <bgel53lion8nqn77p455vughf1071fgple@4ax.com> <jb0o53l444mih7lnb29k4uba93jhsbfb3d@4ax.com>
Message-ID: <Pine.LNX.4.61.0705292230480.11140@yvahk01.tjqt.qr>

cc nf-dev

On May 29 2007 06:34, Andrew Schulman wrote:
>
>For the archive, Massimilano Hofer sent me the attached patch, which solves
>the problem. It seems that this patch should be merged into iptables.
>
>Andrew.
>
>diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test iptables-1.3.5-20060922.new/extensions/.condition-test
>--- iptables-1.3.5-20060922.orig/extensions/.condition-test 2002-11-02 16:00:15.000000000 +0100
>+++ iptables-1.3.5-20060922.new/extensions/.condition-test 2006-09-26 12:56:01.000000000 +0200
>@@ -1,3 +1,5 @@
> #!/bin/sh
> # True if condition is applied.
>-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
>+( [ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] ||
>+ [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) &&
>+ echo condition

While it is valid, why not use one '[ ]' test instead of two?

[ -f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h" -o \
  -f "$KERNEL_DIR/include/linux/netfilter/xt_condition.h" ] && \
  echo condition;

Of course, the common prefix can be merged, i.e.:

S="$KERNEL_DIR/include/linux";
[ -f "$S/netfilter_ipv4/ipt_condition.h" -o -f "$S/netfilter/xt_condition.h" ] ...

Jan
--
From neil at JAMMConsulting.com Wed May 30 07:17:14 2007
From: neil at JAMMConsulting.com (Neil Aggarwal)
Date: Wed May 30 13:25:46 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <Pine.LNX.4.61.0705292011230.11140@yvahk01.tjqt.qr>
Message-ID: <000001c7a279$c93477f0$dededede@neilhp>

Jan:

Actually, I need the SNAT rule to make my remote users look like they are coming from the local network.

For some reason, the Linksys does not respond to the connection unless I have that.

Thanks,
Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jan Engelhardt
Sent: Tuesday, May 29, 2007 1:13 PM
To: Neil Aggarwal
Cc: netfilter@lists.netfilter.org
Subject: Re: NAT rules for VPN only allowing one user?

On May 29 2007 12:31, Neil Aggarwal wrote:

>/sbin/iptables -t nat -A POSTROUTING -o eth1
> -d $LINKSYS_VPN_IP -p tcp --dport 1723
> -j SNAT --to-source $ETH1_IP

This is redundant.

>Either one of my remote users can connect to the VPN using
>the Windows XP VPN client. But, if one of them is connected
>and the other tries to connect, the second person gets to
>the verifying username and password screen and then
>gets an Error 619 that they are not able to connect.
>
>I think somehow the existing connection is mis-routing
>the login for the second connection.
>
>Any ideas what could be going on?

Use the holy tcpdump.

Jan
--
From michael.gale at pason.com Wed May 30 16:37:07 2007
From: michael.gale at pason.com (Michael Gale)
Date: Wed May 30 17:40:27 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <000001c7a279$c93477f0$dededede@neilhp>
References: <000001c7a279$c93477f0$dededede@neilhp>
Message-ID: <465D8C13.6010904@pason.com>

Hey,

This sounds like a problem on the VPN gateway device. You should remove the rule:

"/sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP -p tcp --dport 1723 -j SNAT --to-source $ETH1_IP"

and resolve that issue. What is most likely currently happening: your VPN router is only set up for, or only supports, 1 VPN connection per IP address, so a second connection would overwrite the first one.

Michael

Neil Aggarwal wrote:
> Jan:
>
> Actually, I need the SNAT rule to make my remote
> users look like they are coming from the local network.
>
> For some reason, the Linksys does not respond to the
> connection unless I have that.
>
> Thanks,
> Neil
>
> --
> Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
> FREE! Eliminate junk email and reclaim your inbox.
> Visit http://www.spammilter.com for details.
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jan Engelhardt
> Sent: Tuesday, May 29, 2007 1:13 PM
> To: Neil Aggarwal
> Cc: netfilter@lists.netfilter.org
> Subject: Re: NAT rules for VPN only allowing one user?
>
> On May 29 2007 12:31, Neil Aggarwal wrote:
>
>> /sbin/iptables -t nat -A POSTROUTING -o eth1
>> -d $LINKSYS_VPN_IP -p tcp --dport 1723
>> -j SNAT --to-source $ETH1_IP
>
> This is redundant.
>
>> Either one of my remote users can connect to the VPN using
>> the Windows XP VPN client. But, if one of them is connected
>> and the other tries to connect, the second person gets to
>> the verifying username and password screen and then
>> gets an Error 619 that they are not able to connect.
>>
>> I think somehow the existing connection is mis-routing
>> the login for the second connection.
>>
>> Any ideas what could be going on?
>
> Use the holy tcpdump.
>
>
> Jan

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
From mmckeay at stillsecure.com Wed May 30 17:16:30 2007
From: mmckeay at stillsecure.com (Martin McKeay)
Date: Wed May 30 18:19:47 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <465D8C13.6010904@pason.com>
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F3029377CC@webmail.latis.com>

So this is a limitation of the Linksys router, correct? What are the real requirements for user connections? Linksys has the BEFVP41, that supports up to 50 VPN connections. Maybe an upgrade to this box is in order. It's on Amazon for $99.

What router are you using right now? If it's a WRT54 series wireless router, there might even be an image you can flash it with to do what you want right now.

Martin

Martin McKeay, CISSP, GSNA
Product Evangelist
StillSecure
martin@stillsecure.com
707-495-7926
http://cobia.stillsecure.com/mckeay

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Michael Gale
Sent: Wednesday, May 30, 2007 8:37 AM
To: Neil Aggarwal
Cc: netfilter@lists.netfilter.org
Subject: Re: NAT rules for VPN only allowing one user?

Hey,

This sounds like a problem on the VPN gateway device. You should remove the rule:

"/sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP -p tcp --dport 1723 -j SNAT --to-source $ETH1_IP"

and resolve that issue. What is most likely currently happening: your VPN router is only set up for, or only supports, 1 VPN connection per IP address, so a second connection would overwrite the first one.

Michael

Neil Aggarwal wrote:
> Jan:
>
> Actually, I need the SNAT rule to make my remote users look like they
> are coming from the local network.
>
> For some reason, the Linksys does not respond to the connection unless
> I have that.
>
> Thanks,
> Neil
>
> --
> Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com FREE! Eliminate
> junk email and reclaim your inbox.
> Visit http://www.spammilter.com for details.
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jan
> Engelhardt
> Sent: Tuesday, May 29, 2007 1:13 PM
> To: Neil Aggarwal
> Cc: netfilter@lists.netfilter.org
> Subject: Re: NAT rules for VPN only allowing one user?
>
> On May 29 2007 12:31, Neil Aggarwal wrote:
>
>> /sbin/iptables -t nat -A POSTROUTING -o eth1
>> -d $LINKSYS_VPN_IP -p tcp --dport 1723
>> -j SNAT --to-source $ETH1_IP
>
> This is redundant.
>
>> Either one of my remote users can connect to the VPN using the
>> Windows XP VPN client. But, if one of them is connected and the
>> other tries to connect, the second person gets to the verifying
>> username and password screen and then gets an Error 619 that they are
>> not able to connect.
>>
>> I think somehow the existing connection is mis-routing the login for
>> the second connection.
>>
>> Any ideas what could be going on?
>
> Use the holy tcpdump.
>
>
> Jan

--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
From pablo at netfilter.org Wed May 30 17:25:44 2007
From: pablo at netfilter.org (Pablo Neira Ayuso)
Date: Wed May 30 18:28:45 2007
Subject: iptables 1.3.7 doesn't properly test for condition patch
In-Reply-To: <Pine.LNX.4.61.0705292230480.11140@yvahk01.tjqt.qr>
References: <bgel53lion8nqn77p455vughf1071fgple@4ax.com> <jb0o53l444mih7lnb29k4uba93jhsbfb3d@4ax.com> <Pine.LNX.4.61.0705292230480.11140@yvahk01.tjqt.qr>
Message-ID: <465D9778.1090005@netfilter.org>

Jan Engelhardt wrote:
> cc nf-dev
>
> On May 29 2007 06:34, Andrew Schulman wrote:
>> For the archive, Massimilano Hofer sent me the attached patch, which solves
>> the problem. It seems that this patch should be merged into iptables.

I don't find this patch in the archives; did it get lost, or was it never posted to netfilter-devel? Massimiliano?

--
The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

From neil at JAMMConsulting.com Wed May 30 17:28:20 2007
From: neil at JAMMConsulting.com (Neil Aggarwal)
Date: Wed May 30 18:31:37 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <5C9E8CCEEB81ED498AC0C3B0054704F3029377CC@webmail.latis.com>
Message-ID: <000c01c7a2cf$279080a0$dededede@neilhp>

Martin:

I am using a LinkSys RV042. Since my remote users are using the Microsoft XP VPN client, I set up the PPTP server on the router.

I will have to investigate.

Thanks,
Neil

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Martin McKeay
Sent: Wednesday, May 30, 2007 10:17 AM
To: netfilter@lists.netfilter.org
Subject: RE: NAT rules for VPN only allowing one user?

So this is a limitation of the Linksys router, correct? What are the real requirements for user connections? Linksys has the BEFVP41, that supports up to 50 VPN connections. Maybe an upgrade to this box is in order. It's on Amazon for $99.

What router are you using right now? If it's a WRT54 series wireless router, there might even be an image you can flash it with to do what you want right now.

Martin

Martin McKeay, CISSP, GSNA
Product Evangelist
StillSecure
martin@stillsecure.com
707-495-7926
http://cobia.stillsecure.com/mckeay

From mmckeay at stillsecure.com Wed May 30 18:12:13 2007
From: mmckeay at stillsecure.com (Martin McKeay)
Date: Wed May 30 19:15:26 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <000001c7a2ce$6d4a5860$dededede@neilhp>
Message-ID: <5C9E8CCEEB81ED498AC0C3B0054704F302937827@webmail.latis.com>

I took a quick look at the user guide but didn't see a lot of information on the VPN. Does Linksys have a forum or mailing list that addresses this? Maybe someone there's run into a similar problem.

Martin McKeay, CISSP, GSNA
Cobia Product Evangelist
StillSecure
martin@stillsecure.com
707-495-7926
http://www.cobiablog.com

________________________________
From: Neil Aggarwal [mailto:neil@JAMMConsulting.com]
Sent: Wednesday, May 30, 2007 9:23 AM
To: Martin McKeay; netfilter@lists.netfilter.org
Subject: RE: NAT rules for VPN only allowing one user?

Martin:

I am using the LinkSys RV042:
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1123638171618&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=7161822279B01

Neil

From m at rtij.nl Wed May 30 23:06:37 2007
From: m at rtij.nl (Martijn Lievaart)
Date: Thu May 31 02:22:54 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <000c01c7a217$2e0ab670$dededede@neilhp>
References: <000c01c7a217$2e0ab670$dededede@neilhp>
Message-ID: <465DE75D.5070006@rtij.nl>

Neil Aggarwal wrote:
> Hello:
>
> I have a Linux machine acting as a firewall for my
> network. I have a couple of remote users that need
> access to the internal network, so I put a Linksys
> RV042 VPN Router on my internal switch.
>
> On the Linux box, I set these iptables rules (Line breaks
> added for readability):
>
> /sbin/iptables -t nat -A PREROUTING -p tcp
>     -i eth0 -d $ETH0_IP
>     --sport 1024: --dport 1723
>     -j DNAT --to $LINKSYS_VPN_IP:1723
> /sbin/iptables -A FORWARD -i eth0 -o eth1
>     -d $LINKSYS_VPN_IP -p tcp
>     --sport 1024: --dport 1723
>     -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth1
>     -d $LINKSYS_VPN_IP -p tcp --dport 1723
>     -j SNAT --to-source $ETH1_IP
> /sbin/iptables -t nat -A PREROUTING -p gre -i eth0
>     -j DNAT --to $LINKSYS_VPN_IP
> /sbin/iptables -A FORWARD -i eth0 -o eth1
>     -d $LINKSYS_VPN_IP -p gre -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth1
>     -d $LINKSYS_VPN_IP -p gre -j SNAT --to-source $ETH1_IP
> /sbin/iptables -t nat -A PREROUTING -s $LINKSYS_VPN_IP
>     -d $ETH1_IP -p gre -j ACCEPT
> /sbin/iptables -A FORWARD -i eth1 -o eth0
>     -s $LINKSYS_VPN_IP -p gre -j ACCEPT
>
> Either one of my remote users can connect to the VPN using
> the Windows XP VPN client. But, if one of them is connected
> and the other tries to connect, the second person gets to
> the verifying username and password screen and then
> gets an Error 619 that they are not able to connect.
>
> I think somehow the existing connection is mis-routing
> the login for the second connection.
>

IIRC, for this to work a helper must be loaded to fixup the GRE stream. And older implementations only allowed one connection. I might be totally off on this one, but maybe a newer kernel will fix your problem.

You might ask in the netfilter-devel list where there is more expertise on this.

HTH,
M4

From gcarter at aesgi.com Thu May 31 02:24:11 2007
From: gcarter at aesgi.com (Gregory Carter)
Date: Thu May 31 03:27:50 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <465DE75D.5070006@rtij.nl>
References: <000c01c7a217$2e0ab670$dededede@neilhp> <465DE75D.5070006@rtij.nl>
Message-ID: <465E15AB.2070305@aesgi.com>

That is correct. Please use the latest in stream kernel for your distro, or build the latest one from kernel.org.

-gc

Martijn Lievaart wrote:
> IIRC, for this to work a helper must be loaded to fixup the GRE
> stream. And older implementations only allowed one connection. I might
> be totally off on this one, but maybe a newer kernel will fix your
> problem.
>
> You might ask in the netfilter-devel list where there is more
> expertise on this.
>
> HTH,
> M4
>

From neil at JAMMConsulting.com Thu May 31 03:07:55 2007
From: neil at JAMMConsulting.com (Neil Aggarwal)
Date: Thu May 31 04:11:14 2007
Subject: NAT rules for VPN only allowing one user?
In-Reply-To: <465E15AB.2070305@aesgi.com>
Message-ID: <000001c7a320$1fb1b790$dededede@neilhp>

Gregory:

I originally installed CentOS 4.4; I have done some yum updates since the install. I just ran another yum update and it tells me there is a 2.6.9-55.EL kernel available. I started the update just now.

Will that kernel have the fix for the GRE stream in it?

Thanks,
Neil

From gopinath.u at gmail.com Thu May 31 07:11:23 2007
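The thread above ends with "a helper must be loaded to fixup the GRE stream". The script below is an added example, not code from any of the posters: it loads the netfilter PPTP conntrack/NAT helper (module names nf_nat_pptp / ip_nat_pptp are from the kernel, not from the thread) and forwards only the TCP/1723 control channel, leaving the GRE call to the helper's expectation instead of separate GRE DNAT/SNAT rules. Interface names and addresses are placeholders; set IPT=echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): publish an inside PPTP server through
# a Linux firewall with the PPTP helper loaded, so several remote clients can
# be tracked at once.  Placeholders below are NOT values from the thread.
# IPT=echo prints the rules instead of applying them.

IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"                   # outside interface
LAN_IF="${LAN_IF:-eth1}"                   # inside interface
WAN_IP="${WAN_IP:-192.0.2.1}"              # outside address (TEST-NET placeholder)
PPTP_SERVER="${PPTP_SERVER:-192.168.1.2}"  # inside PPTP server (placeholder)

# Load the PPTP helper.  Newer kernels name the modules nf_conntrack_pptp /
# nf_nat_pptp; older ones used ip_conntrack_pptp / ip_nat_pptp.  The NAT
# module pulls in the conntrack module.  Returns 1 if neither loads.
load_pptp_helper() {
    modprobe nf_nat_pptp 2>/dev/null || modprobe ip_nat_pptp 2>/dev/null || return 1
    grep -q pptp /proc/modules
}

# Forwarding rules.  Only the control channel needs an explicit DNAT: the
# helper watches the PPTP call setup on TCP/1723, registers an expectation
# for the GRE call, and NATs the GRE call IDs itself.  No SNAT toward the
# inside server is used, so the server sees each remote client's real
# address instead of one shared firewall address.
pptp_forward_rules() {
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 1723 \
        -j DNAT --to-destination "$PPTP_SERVER"
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$PPTP_SERVER" -p tcp --dport 1723 \
        -m state --state NEW -j ACCEPT
    # The GRE call is RELATED to the control connection on its first packet
    # (in either direction, the helper expects both) and ESTABLISHED after.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$PPTP_SERVER" -p gre \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PPTP_SERVER" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Number of rules the function emits (dry run), handy for checking a change.
count_pptp_rules() {
    ( IPT=echo; pptp_forward_rules ) | wc -l | tr -d ' '
}

# Typical use: load_pptp_helper && pptp_forward_rules
```

After applying, `conntrack -L -p gre` (or `cat /proc/net/ip_conntrack` on old kernels) should show one GRE entry per remote client rather than one shared entry.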
From: gopinath.u at gmail.com (Gopinath)
Date: Thu May 31 08:14:37 2007
Subject: Default deny rule
In-Reply-To: <465D5103.3000507@freemail.hu>
References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu> <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> <4648570D.4040308@freemail.hu> <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com> <4651C2EE.2080803@freemail.hu> <d2af4f000705280645j74a57571j65bb21ab0bfcee40@mail.gmail.com> <465C24E0.8010001@freemail.hu> <d2af4f000705290744i4518ae7bu11b1fb7e2eb14a68@mail.gmail.com> <465D5103.3000507@freemail.hu>
Message-ID: <d2af4f000705302211k2c7309fy7045fca769717dd4@mail.gmail.com>

Hi Lajos,

That's a good explanation. I got the point :-)

Thanks & Regards,
Gopinath.U

On 5/30/07, Gáspár Lajos <swifty@freemail.hu> wrote:
> Gopinath wrote:
>> Thank you very much Lajos !!!!!!!!!!!!!!!
>>
>> It is working fine now after adding the line "-m conntrack --ctstate
>> DNAT" in the ACCEPT statement of the FORWARD chain as you've said in
>> previous mail.
>>
>> Could you please explain how it works after adding the line "-m
>> conntrack --ctstate DNAT" in the ACCEPT stmt of FORWARD chain ? I'm
>> very eager to know this :-)
>
> Okay... :D
>
> I have attached an image that shows the route of the packet.
>
> In the PREROUTING nat table the destination address gets DNATed IF the
> client wants to talk to the EXTERNAL address.
> But if the INTERNAL address is used at a new connection then this rule
> does not get hit !!! (No DNAT!!!)
>
> In the FORWARD filter table you were accepting EVERY connection that has
> an INTERNAL destination address.
> If you use the conntrack module then ONLY the DNATed packets get
> accepted!!!
>
>> Regards,
>> Gopinath.U
>>
>> I have also upgraded my iptables to version 1.3.7
>
> Good to hear... :D
>
> Swifty
>
From bilal.amna at yahoo.com Thu May 31 13:18:01 2007
From: bilal.amna at yahoo.com (amna bilal)
Date: Thu May 31 14:21:21 2007
Subject: Need to get source and destination IP?
Message-ID: <731014.57000.qm@web57411.mail.re1.yahoo.com>

Hi,

I would like to know if there is any way of getting the source and the destination IP of the packet when it has been sent off to the userspace queue by iptables, i.e. is there any way of determining the source and destination IP of the packet in userspace? I mean, can I access it in userspace somehow? Any other way besides the logs.

Thanks,
Amna Bilal

From bgs at bgs.hu Thu May 31 18:19:14 2007
From: bgs at bgs.hu (Bgs)
Date: Thu May 31 19:22:31 2007
Subject: syn DDoS attack solution
Message-ID: <465EF582.4070904@bgs.hu>

Hi all,

We recently got under a low traffic botnet DDoS attack. All attacker nodes opened a single tcp session (just SYN part) and then did nothing. This rules out rate limiting solutions and syncookie doesn't help either. (Thousands of attacking nodes).

I'd like to know your thoughts about two possible approaches in solving this:

- syn proxy: already used for example by Cisco. The router handles the first part of the connection and only routes packets to the client if the connection seems good. (Good against single/spoofed incoming SYNs but may be used to wait for the first packet with actual data as well).
- Implement a conntrack solution that gives a timestamp to the connection. Then this timestamp could be used to drop the connection if no data arrives within a configured time limit (good for open inactive connections only). Of course appropriate close toward the local client has to be done as well.

What's your opinion?

Bye
Bgs

From dufresne at sysinfo.com Thu May 31 21:57:27 2007
From: dufresne at sysinfo.com (R. DuFresne)
Date: Thu May 31 22:57:54 2007
Subject: syn DDoS attack solution
In-Reply-To: <465EF582.4070904@bgs.hu>
References: <465EF582.4070904@bgs.hu>
Message-ID: <Pine.LNX.4.64.0705311556240.17506@darkstar.sysinfo.com>

On Thu, 31 May 2007, Bgs wrote:
>
> Hi all,
>
> We recently got under a low traffic botnet DDoS attack. All attacker nodes
> opened a single tcp session (just SYN part) and then did nothing. This rules
> out rate limiting solutions and syncookie doesn't help either. (Thousands of
> attacking nodes).
>
> What's your opinion?
>

That your knowledge of TCP/IP is poor.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins <Still Life With Woodpecker>

From kilroy at WasHere.COM Thu May 31 22:08:01 2007
From: kilroy at WasHere.COM (Ric Messier)
Date: Thu May 31 23:11:59 2007
Subject: syn DDoS attack solution
In-Reply-To: <465EF582.4070904@bgs.hu>
References: <465EF582.4070904@bgs.hu>
Message-ID: <015e01c7a3bf$64fbe7e0$2ef3b7a0$@COM>

Bgs writes:
>
> We recently got under a low traffic botnet DDoS attack. All attacker
> nodes opened a single tcp session (just SYN part) and then did nothing.
> This rules out rate limiting solutions and syncookie doesn't help
> either. (Thousands of attacking nodes).
>

This is simply a SYN flood attack. It may or may not be a botnet (though saying botnet makes it sound sexier :-) ). A decent SYN flood attack tool would randomize the source address anyway.

You should try reading the following as a starting point:

http://www.securityfocus.com/infocus/1729

Your second suggestion has been implemented in the TCP/IP stack forever. The article above gives guidance on how to tune it in a Linux implementation.

Ric

From chris at castellan.net Thu May 31 22:17:12 2007
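Ric's point is that half-open connections already have a bounded lifetime in the Linux stack. The script below is an added example, not code from either poster: it counts SYN-RECV sockets per local port from `ss -tan` style output (the sample is constructed), flags ports over a threshold, and prints the sysctl knobs that govern syncookies, the SYN backlog and how many SYN-ACK retransmissions a half-open socket gets before it is dropped.

```shell
#!/bin/sh
# Added example (not from the thread).  Constructed sample of `ss -tan`
# output: one listener, four half-open (SYN-RECV) sockets, one established.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:80                 *:*
SYN-RECV   0      0      192.0.2.10:80        198.51.100.7:40211
SYN-RECV   0      0      192.0.2.10:80        198.51.100.9:51002
SYN-RECV   0      0      192.0.2.10:80        203.0.113.4:33120
ESTAB      0      0      192.0.2.10:80        203.0.113.5:44411
SYN-RECV   0      0      192.0.2.10:443       203.0.113.6:50111'

# half_open_per_port: reads ss output on stdin, prints "port count" for
# every local port that has SYN-RECV sockets, lowest port first.
# The port is the last colon-separated field of the local address, which
# also works for bracketed IPv6 addresses.
half_open_per_port() {
    awk '$1 == "SYN-RECV" { n = split($4, a, ":"); c[a[n]]++ }
         END { for (p in c) print p, c[p] }' | sort -n
}

# flag_ports THRESHOLD: prints the ports whose half-open count is at or
# above THRESHOLD; exit status 0 if any port was flagged, 1 otherwise.
# Per-source counting is pointless against one SYN per node, as the
# original post says; the per-port total is what fills the backlog.
flag_ports() {
    half_open_per_port | awk -v t="$1" '$2 >= t { print $1; f = 1 }
                                        END { if (f) exit 0; exit 1 }'
}

# The stack settings that implement the "drop it if nothing arrives" idea:
#  tcp_synack_retries  - SYN-ACK retransmissions before a half-open socket
#                        is discarded (about 1 minute at the default of 5)
#  tcp_max_syn_backlog - how many half-open sockets a listener may hold
#  tcp_syncookies      - once the backlog is full, answer SYNs statelessly
#                        instead of keeping an entry per SYN
# Plus conntrack's own SYN_RECV timeout, if nf_conntrack is loaded.
show_syn_tunables() {
    sysctl net.ipv4.tcp_synack_retries net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_syncookies
    sysctl net.netfilter.nf_conntrack_tcp_timeout_syn_recv 2>/dev/null
}

# Live use: ss -tan | flag_ports 200 && show_syn_tunables
```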
From: chris at castellan.net (Chris Willis)
Date: Thu May 31 23:21:04 2007
Subject: Enabling internal connections to transparently connect via external IP address
Message-ID: <BBC99700C9F0FA49A9C6E005863D603107A19C1920@MULTAN.castellan.net>

Environment:
- Windows XP laptop machine, part of domain acme.int, IP 192.168.1.150
- Windows 2003 Server running Exchange 2003 (exchange.acme.int, 192.168.1.10)
- External Domain: acme.com (T1 line, firewall external IP & MX record mail.acme.com 60.60.60.60)
- Firewall: PC running Fedora Core 6, IPTables, using FWBuilder to create a ruleset, 2 NICs (eth0 192.168.1.1, eth1 60.60.60.60)

Problem: when a laptop user (works in office and remotely) goes to https://mail.acme.com, it works fine from the outside, but not from the inside.

Goal: when an internal (192.168.1.X) client goes to https://mail.acme.com, the firewall should accept the packets, route them to the exchange box, and then route return packets back to the client.

This works just fine on a netscreen firewall I tested with at the client site (same IP addresses as linux box above).

Chris Willis

From swifty at freemail.hu Wed May 30 12:25:07 2007
From: swifty at freemail.hu (Gáspár Lajos)
Date: Fri Jun 1 19:05:00 2007
Subject: Default deny rule
In-Reply-To: <d2af4f000705290744i4518ae7bu11b1fb7e2eb14a68@mail.gmail.com>
References: <d2af4f000705092228x3746eb10u9b81264581a57e46@mail.gmail.com> <464440C4.7000605@freemail.hu> <d2af4f000705132302t3d8b2c8eo6158406d02af9f91@mail.gmail.com> <4648570D.4040308@freemail.hu> <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com> <4651C2EE.2080803@freemail.hu> <d2af4f000705280645j74a57571j65bb21ab0bfcee40@mail.gmail.com> <465C24E0.8010001@freemail.hu> <d2af4f000705290744i4518ae7bu11b1fb7e2eb14a68@mail.gmail.com>
Message-ID: <465D5103.3000507@freemail.hu>

Gopinath wrote:
> Thank you very much Lajos !!!!!!!!!!!!!!!
>
> It is working fine now after adding the line "-m conntrack --ctstate
> DNAT" in the ACCEPT statement of the FORWARD chain as you've said in
> previous mail.
>
> Could you please explain how it works after adding the line "-m
> conntrack --ctstate DNAT" in the ACCEPT stmt of FORWARD chain ? I'm
> very eager to know this :-)
>

Okay... :D

I have attached an image that shows the route of the packet.

In the PREROUTING nat table the destination address gets DNATed IF the client wants to talk to the EXTERNAL address.
But if the INTERNAL address is used at a new connection then this rule does not get hit !!! (No DNAT!!!)

In the FORWARD filter table you were accepting EVERY connection that has an INTERNAL destination address.
If you use the conntrack module then ONLY the DNATed packets get accepted!!!

> Regards,
> Gopinath.U
>
> I have also upgraded my iptables to version 1.3.7

Good to hear... :D

Swifty
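Lajos's explanation above (FORWARD should accept only connections that actually went through the DNAT rule) and Chris Willis's question earlier (inside clients reaching the server through the external address) are two sides of the same rule set. The script below is an added example, not code from either poster: it shows the weak FORWARD rule beside the `--ctstate DNAT` form, and adds the "hairpin" DNAT plus SNAT for inside clients. Addresses and interfaces are the ones in Chris Willis's message, overridable through the environment; set IPT=echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): publish an inside server and accept
# it in FORWARD only when the connection was DNATed, plus hairpin NAT for
# inside clients that use the external address.  IPT=echo prints the rules.

IPT="${IPT:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth1}"; EXT_IP="${EXT_IP:-60.60.60.60}"
INT_IF="${INT_IF:-eth0}"; INT_IP="${INT_IP:-192.168.1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER="${SERVER:-192.168.1.10}"; PORT="${PORT:-443}"

# Weak form from the "Default deny rule" thread: every connection addressed
# to the server is forwarded, including ones that never hit the DNAT rule
# (a client that talks to the internal address directly).
forward_rule_weak() {
    "$IPT" -A FORWARD -d "$SERVER" -p tcp --dport "$PORT" -j ACCEPT
}

# Corrected form: only connections whose conntrack entry carries the DNAT
# flag are accepted, i.e. only those that came in via the published address.
forward_rule_dnat_only() {
    "$IPT" -A FORWARD -d "$SERVER" -p tcp --dport "$PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

publish_rules() {
    # 1. DNAT for clients on the outside.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER"
    # 2. DNAT for inside clients that use the external address (Chris
    #    Willis's case); PREROUTING sees them because the firewall is the
    #    LAN's gateway for 60.60.60.60.
    "$IPT" -t nat -A PREROUTING -i "$INT_IF" -s "$LAN_NET" -d "$EXT_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER"
    # 3. Hairpin: rewrite the source of those inside connections to the
    #    firewall's LAN address.  Otherwise the server answers the client
    #    directly on the LAN, the firewall never sees the reply, cannot undo
    #    the DNAT, and the client drops a reply from an address it did not
    #    connect to.
    "$IPT" -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN_NET" -d "$SERVER" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$INT_IP"
    # 4. Forward only DNATed connections, plus replies to them.
    forward_rule_dnat_only
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run helpers for checking a rule change before applying it.
count_publish_rules()  { ( IPT=echo; publish_rules ) | wc -l | tr -d ' '; }
dnat_only_rule_count() { ( IPT=echo; publish_rules ) | grep -c -- '--ctstate DNAT'; }
```

Note that the hairpin SNAT hides the real client address from the server's logs for inside clients only; outside clients still appear with their own source address.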