Log from #iptables at freenode 2006-07-29
[15:01]<rlraxne>so that is why i have specified the state in my badtcp
[15:01]<wjjmmwjjmlnacnz>mom
[15:01]<wjjmmwjjmlnacnz>'/j #bfa
[15:01]<rlraxne>because a packet which has only SYN set cannot be something else than a new connection which starts with the tcp handshake where the first packet is a syn
[15:02]<wjjmmwjjmlnacnz>Please join Apachez
[15:03]<wjjmmwjjmlnacnz>Apachez: ^^
[15:23]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/ http://iownmydvds.org/ .")
[17:22]<nnndjzn>should "iptables -F" clear my iptables rules? because i can't seem to deactivate the rules without rebooting the machine
[17:22]<nnndjzn>which makes debugging a bit of a pain...
[17:24]<wgzggac>WoodyWoodpecker: well... seems like there's still something wrong here... seems like the forwarding doesn't work very well, for instance, with HTTP sometimes I can't access something from it (timeout ) but it works from the gateway machine
[17:25]<wjjmmwjjmlnacnz>eeeyore: iptables -F only flushes your filter table.
[17:25]<nnndjzn>they are only filter rules i think
[17:25]<wjjmmwjjmlnacnz>werneck: What kernel version? '' uname -r ''
[17:25]<wjjmmwjjmlnacnz>eeeyore: You think?
[17:25]<wgzggac>WoodyWoodpecker: 2.4.31
[17:25]<wjjmmwjjmlnacnz>update
[17:26]<nnndjzn>well i'm not doing anything with NAT
[17:26]<wgzggac>:(
[17:26]<nnndjzn>they are all INPUT OUTPUT rules
[17:26]<wjjmmwjjmlnacnz>eeeyore: Deactivate is what for you?
[17:26]<wgzggac>WoodyWoodpecker: latest 2.4 is ok ?
[17:26]<wjjmmwjjmlnacnz>werneck: Use a recent 2.6 release.
[17:26]<nnndjzn>I am writing a firewall script (a list of rules)
[17:26]<wjjmmwjjmlnacnz>2.6.17
[17:27]<wgzggac>WoodyWoodpecker: well... ok
[17:27]<nnndjzn>I'm sure when i used to use iptables, i used to enter iptables -F
[17:27]<nnndjzn>and that would set it back to normal (no rules)
[17:27]<wjjmmwjjmlnacnz>werneck: You don't need it, but 2.4 has some issues that aren't really _good_.
[17:27]<nnndjzn>and everything would work
[17:27]<nnndjzn>now, when i do iptables -F everything is still blocked
[17:27]<wjjmmwjjmlnacnz>eeeyore: Do you set your default rule back to ACCEPT?
[17:27]<wjjmmwjjmlnacnz>I bet you don't.
[17:27]<nnndjzn>ah
[17:28]<wgzggac>WoodyWoodpecker: ok... but I'm using some old hardware and I'm not sure 2.6 has support for all of it... but I'll try it first... thanks
[17:28]<wjjmmwjjmlnacnz>2.6 has all the support 2.4 had, only _lots_ more.
[17:28]<wjjmmwjjmlnacnz>Well maybe isdn not, but that is something different.
[17:29]<nnndjzn>correct, thanks. I obviously never changed the default rules when i used iptables previously
[17:30]<wgzggac>WoodyWoodpecker: I mean third party drivers, but I'll try it first...
[17:30]<wjjmmwjjmlnacnz>werneck: Should work too.
[17:30]<wjjmmwjjmlnacnz>Mention them, maybe I know.
[17:30]<wjjmmwjjmlnacnz>Or if not sure go ask in #kernel
[17:30]<nnndjzn>in fact it does say the default rules in iptables -L i just didn't notice
[17:31]<wjjmmwjjmlnacnz>Yes it does.
[17:31]<wjjmmwjjmlnacnz>sorry, wrong window.
[17:32]<nnndjzn>i have a rule that prevents establishing ssh connection
[17:32]<nnndjzn>(outbound)
[17:32]<wgzggac>WoodyWoodpecker: nvidia RivaTNT2, spca5xx chipset webcam...
[17:33]<nnndjzn>actually never mind
[17:33]<wjjmmwjjmlnacnz>werneck: Any you use third party drivers with linus??
[17:33]<wjjmmwjjmlnacnz>s/linus/linux/
[17:33]<nnndjzn>actually yes, is it possible/safe to prevent establishing outbound http connections without messing up inbound http traffic?
[17:34]<wjjmmwjjmlnacnz>eeeyore: Rephrase.
[17:35]<nnndjzn>this rule allows established ssh connections but not creating new connections outbound for ssh:
[17:35]<nnndjzn>iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
[17:35]<wgzggac>WoodyWoodpecker: well... nvidia use a proprietary driver, and this one is on "Legacy Drivers", so, I'm not sure if it'll be available for 2.6...
[17:35]<nnndjzn>is a similar rule possible for http without adversely affecting incoming http traffic?
[17:35]<wjjmmwjjmlnacnz>werneck: But not for the RivaTNT2. Yes it is available.
[17:36]<wjjmmwjjmlnacnz>eeeyore: You don't need -d 0/0. Why do you use --dport 513:65535?
[17:36]<wgzggac>WoodyWoodpecker: ok... I'll try it... thanks for the help
[17:37]<wjjmmwjjmlnacnz>--dport 1024:65535
[17:37]<wjjmmwjjmlnacnz>1025:65535 if you use any dport restrictions.
[17:38]<wjjmmwjjmlnacnz>eeeyore: Use '' -o <device> ''.
[17:38]<wjjmmwjjmlnacnz>Or just post the complete ruleset.
[20:40]<-- dvxn|syzzzyus xzs>http://www.bagdadsoftware.de")
[21:01]<zdrg|xjdn>I'm interested in monitoring connections made via my intranet -> iptables -> internet on my iptables box. Whats a good piece of software to help with this?
[21:02]<zdrg|xjdn>first guess is snort
[21:06]<duz2>if you just want a record of all connections look at fprobe + a netflow collector
[21:06]<duz2>if you want something that is gui and just works look at ntop
[21:07]<zdrg|xjdn>my server is cli only, thanks for the suggestion ill get to reading up on them :)
[21:07]<duz2>ryan|home: ntop exports the guiness via http
[21:07]<zdrg|xjdn>nice!
[22:09]<vrsugmxrw>I have to connect to a client VPN using a pre-established LAN, using an RSA keyfob. Is there any tool that helps me to put in the ip, pin and display of the keyfob for LINUX? If there is one such tool by nortel, what changes should I be doing in IPtables and how?
[22:15]<vrsugmxrw>any one who can suggest please give me the solution ... about RSA - key fob authentication in Linux
[22:17]<duz2>vasundha1: you mean securID?
[22:17]<vrsugmxrw>yes
[22:18]<duz2>racoon/ipsec-tools *might* support that stuff.
[22:18]<vrsugmxrw>Ok
[22:19]<vrsugmxrw>many thanks murb
[22:54]<rlraxne>what do you think about Aggressive OS guesses: Checkpoint SecurePlatform NG FP3 (92%) and Insufficient responses for TCP sequencing (0), OS detection may be less accurate ? :)
[23:00]<vrsugmxrw>murb: Thanks a lot, It looks clear and working
[23:15]<afnxnztnah>vice-versa, hi, whats up?
[23:16]<afnxnztnah>vice-versa, i have finished the script
[23:16]<afnxnztnah>vice-versa, look http://pastebin.ca/104289
[23:16]<afnxnztnah>vice-versa, the comments on the script are in spanish... :p
[23:18]<vyrn-vnzsr>AleXerTecH: looks good
[23:19]<afnxnztnah>vice-versa, some suggestions ?
[23:20]<vyrn-vnzsr>AleXerTecH: not really, they would just be personal scripting preferences anyway
[23:27]<afnxnztnah>vice-versa, right
[23:27]<afnxnztnah>vice-versa, well, all done :p
[23:27]<vyrn-vnzsr>AleXerTecH: hmm, actually I think I would prefer to see the echo "1" > /proc/sys/net/ipv4/ip_forward at or near the end of the script so the rules are set before forwarding is enabled
[23:28]<vyrn-vnzsr>minor but makes sense
[23:28]<rlraxne>also MASQUERADE is more for dynamic connections and not if you have a static ip
[23:28]<afnxnztnah>vice-versa, right
[23:28]<afnxnztnah>well
[23:28]<afnxnztnah>that script is for sharing internet
[23:28]<rlraxne>also personally I prefer to write the name of the icmp type instead of just the number
[23:28]<afnxnztnah>but i wrote it on a machine with one ethernet
[23:29]<afnxnztnah>Apachez, ok, i would change that ;)