Log from #iptables at freenode 2006-07-29
[14:32]<wjjmmwjjmlnacnz>I once knew the complete time cycle of a tcp connection. I was asked the other day and didn't know a bit any more.
[14:34]<rlraxne>syn -> syn,ack -> ack ? :P
[14:35]<wjjmmwjjmlnacnz>yes
[14:35]<rlraxne>what do you think of my badtcp chain ?
[14:36]<wgzggac>I asked for help here yesterday... I have two machines, the first one with dsl on eth0, and eth1 connected with eth0 on the other... I'm trying to make the 2nd access internet with the other setup as gateway, but nothing seems to work...
[14:36]<wjjmmwjjmlnacnz>Apachez: I like it.
[14:37]<wjjmmwjjmlnacnz>Maybe add some of the rules I have.
[14:37]<wjjmmwjjmlnacnz>But I don't think you need the "-m state" (but I didn't go through the complete firewall)
[14:37]<wgzggac>the funny thing is, while watching with netwatch, I can see the packets from it on both eth1 and ppp0 on the gateway, but I don't get an answer...
[14:38]<wjjmmwjjmlnacnz>werneck: I don't get your goal?
[14:39]<wgzggac>WoodyWoodpecker: I want both machines to have internet access, but I tried some nat rules and nothing seems to work
[14:40]<wgzggac>WoodyWoodpecker: right now I'm using
[14:40]<wgzggac>iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
[14:40]<wgzggac>iptables --append FORWARD --in-interface eth1 -j ACCEPT
[14:43]<wjjmmwjjmlnacnz>Ok, on the router you have two ppp-devices, let's call them ppp{0,1}.
[14:43]<wjjmmwjjmlnacnz>You want to be able to use both connections on the router at the same time?
[14:44]<dnzjzdsvnz>WoodyWoodpecker: I assume it only has ppp0
[14:44]<wjjmmwjjmlnacnz>Let's not use the second computer for understanding.
[14:44]<wjjmmwjjmlnacnz>Oh
[14:44]<dnzjzdsvnz>yes :)
[14:44]<wjjmmwjjmlnacnz>You only have _one_ Internet device.
[14:44]<wjjmmwjjmlnacnz>Now I get you.
[14:44]<wjjmmwjjmlnacnz>ppp0 then.
[14:44]<wjjmmwjjmlnacnz>$IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
[14:44]<wjjmmwjjmlnacnz>IPT=/sbin/iptables
[14:44]<wgzggac>WoodyWoodpecker: yes....ppp0 (dsl modem) connected to eth0, and eth1 connected to eth0 on the other box
[14:45]<wjjmmwjjmlnacnz>$IPT -A FORWARD -j ACCEPT
[14:45]<wjjmmwjjmlnacnz>werneck: If you connect to the internet, you have a new device available, called ppp0 which runs on/over eth0.
[14:45]<wjjmmwjjmlnacnz>Call it however you want.
[14:45]<wgzggac>WoodyWoodpecker: yes, of course
[14:45]<wjjmmwjjmlnacnz>But you have to use ppp0.
[14:45]<dnzjzdsvnz>not eth0 on the router ;)
[14:46]<wjjmmwjjmlnacnz>No, you don't use eth0 anymore. Well not for access in the internet.
[14:46]<wjjmmwjjmlnacnz>$IPT -P INPUT DROP
[14:46]<wjjmmwjjmlnacnz>$IPT -P OUTPUT DROP
[14:46]<dnzjzdsvnz>also you have to allow forward both ways..not just one like you originally did ;)
[14:46]<wjjmmwjjmlnacnz>$IPT -P FORWARD DROP
[14:47]<wjjmmwjjmlnacnz>$IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
[14:47]<wgzggac>well... I'm not worried with firewalling yet... I just want to make it work
[14:47]<dnzjzdsvnz>WoodyWoodpecker: you're dropping forward :>
[14:48]<wjjmmwjjmlnacnz>Yes.
[14:48]<wjjmmwjjmlnacnz>Oh, I even wrote $IPT -A FORWARD -j ACCEPT
[14:48]<dnzjzdsvnz>;)
[14:48]<wgzggac>so... I'm supposed to use ppp0, not eth0 ?
[14:48]<dnzjzdsvnz>werneck: yeah
[14:48]<wgzggac>well... let me try... thanks
[14:49]<dnzjzdsvnz>and allow FORWARD both ways. basically what he said: $IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE, $IPT -A FORWARD -j ACCEPT
[14:49]<dnzjzdsvnz>if that works, do the firewalling.
[14:49]<wgzggac>ok
[14:49]<wjjmmwjjmlnacnz>Yes.
[14:49]<wjjmmwjjmlnacnz>You need SCT (Stateful Connection Tracking)
[14:49]<wjjmmwjjmlnacnz>Like
[14:49]<wjjmmwjjmlnacnz>$IPT -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[14:50]<wjjmmwjjmlnacnz>Then allow everything you need.
[14:50]<wjjmmwjjmlnacnz>Or even everything in the beginning.
[14:50]<wgzggac>great... it's working now...
[14:50]<wjjmmwjjmlnacnz> $IPT -A OUTPUT -o ppp0 -j ACCEPT
[14:51]<wgzggac>I think forwarding both ways was the point, because from watching on netwatch it seemed like packets were being forwarded from box2 to the internet, but not back to it... isn't it?
[14:52]<wjjmmwjjmlnacnz>Yes. As soon as you use -i or -o in the FORWARD chain you need SCT one way or the other, depending on how you used -i/-o.
[14:53]<wgzggac>ok...
[14:53]<rlraxne>WoodyWoodpecker: the thing is that I want to tighten up the security, that's why I don't use RELATED for example
[14:53]<rlraxne>also the state will make sure that there will be no leakage of the badtcp flags
[14:53]<wgzggac>thanks WoodyWoodpecker, DerJamster... let's do the firewalling now... thank you
[14:54]<rlraxne>for example, syn should only exist along with state=new
[14:54]<rlraxne>and ack should only exist with state=established and so on
[14:54]<wjjmmwjjmlnacnz>Apachez: related is only for ftp
[14:54]<rlraxne>and icmp
[14:54]<wjjmmwjjmlnacnz>http://wooledge.org/mywiki/FtpMustDie
[14:54]<rlraxne>as I found out this night when I ran the new rules :P
[14:54]<wjjmmwjjmlnacnz>icmp I do manually.
[14:54]<rlraxne>yeah i do that too now :P
[14:55]<rlraxne>the thing is that with "related" it can be all sorts of things, like if you accidentally use a conntrack helper and such
[14:55]<rlraxne>but since I don't use any conntrack helpers there is no need for related
[14:55]<wjjmmwjjmlnacnz>Apachez: If you don't use '' -m state '' you have '' NEW,ESTABLISHED,RELATED '' automatically, do you?
[14:55]<rlraxne>nope
[14:56]<wjjmmwjjmlnacnz>fu, really?
[14:56]<rlraxne>err
[14:56]<wjjmmwjjmlnacnz>You are really sure?
[14:56]<rlraxne>yes, if state is not mentioned then it's valid no matter what state
[14:56]<wjjmmwjjmlnacnz>I don't really know.
[14:56]<rlraxne>if you don't mention state that means that the packet can be in any state
[14:56]<wjjmmwjjmlnacnz>Ok, so you don't need it :D
[14:57]<rlraxne>yes I need it in badtcp
[14:57]<rlraxne>or how do you mean?
[14:57]<wjjmmwjjmlnacnz>Unfortunately, I don't understand english too well :-/
[14:58]<wjjmmwjjmlnacnz>You said if you don't use '' -m state '' at all, you have automatically '' -m state --state NEW,ESTABLISHED,RELATED ''.
[14:58]<wjjmmwjjmlnacnz>Well that is what I understood.
[14:59]<rlraxne>yes
[14:59]<rlraxne>if you have a rule such as
[14:59]<rlraxne>iptables -p tcp --dport 80 -j ACCEPT
[14:59]<rlraxne>that means that it doesn't matter if the packet is new, est or rel according to the statetable
[14:59]<rlraxne>you simply don't care which state it is with the above rule
[14:59]<rlraxne>however I don't know how INVALID is taken care of by iptables
[15:00]<rlraxne>but if you specify iptables -p tcp --dport 80 -m state --state NEW -j ACCEPT that means that the packet will only match if it is NEW according to the statetable
[15:00]<wjjmmwjjmlnacnz>I drop invalid before I do the rest.
[15:00]<rlraxne>if it is for example ESTABLISHED then it wont match
[15:00]<wjjmmwjjmlnacnz>Ok, so my statement is correct ?!
[15:00]<rlraxne>yeah I do that too
[15:00]<rlraxne>better safe than sorry :P
[15:00]<wjjmmwjjmlnacnz>:=)