Re: [arch-general] Iptables

2020-02-13 Thread Karol Babioch via arch-general
Hi, On 11.02.20 at 16:15 NTS wrote: > - The ssh port is fixed as TCP port 12500. Since 12500 >1024 this > is a non-privileged port which is a security risk. Ports < 1024 > can only be opened (here: state LISTEN) by root, others by everyone. While technically this is true, I'm not convinced t

Re: [arch-general] Iptables

2020-02-11 Thread NTS
Hello Silvio, First of all, great idea and nice script! Two small things: - The ssh port is fixed as TCP port 12500. Since 12500 >1024 this is a non-privileged port which is a security risk. Ports < 1024 can only be opened (here: state LISTEN) by root, others by everyone. If a user manages

Re: [arch-general] Iptables

2020-02-11 Thread Genes Lists via arch-general
Hi Silvio One general comment - your script uses the iptables command for each rule - this is extremely inefficient. This is probably not a big deal in your case but I'll mention it anyway. A far better way is to output the firewall in the same format as iptables-save uses, then simply use iptapl

Re: [arch-general] Iptables

2020-02-11 Thread siefke_lis...@web.de
Hi Andy, On Tue, 11 Feb 2020 09:10:03 + Andy Pieters wrote: > A more detailed description of what you're trying to do would be helpful. I have different servers, most with Arch but also with Debian. So I try to generate a firewall script for both systems that is customized depending on wh

Re: [arch-general] Iptables

2020-02-11 Thread Andy Pieters
Hi Silvio A more detailed description of what you're trying to do would be helpful. E.g. "The firewall needs to filter interface xyz and allow service such and such for these users etc etc" On Tue, 11 Feb 2020 at 07:52, siefke_lis...@web.de wrote: > > Hi, > > I am writing to a script to genera

Re: [arch-general] Iptables block https traffic apache

2016-11-04 Thread Travis Collins via arch-general
On Fri, Nov 4, 2016 at 7:12 AM Maykel Franco via arch-general < arch-general@archlinux.org> wrote: > How can I block in apache? The traffic enters anyway...what I want is > that the requests do not enter? the apache does not process? > From your description, it sounds like you want to block incomin

Re: [arch-general] Iptables block https traffic apache

2016-11-04 Thread Maykel Franco via arch-general
2016-11-04 12:09 GMT+01:00 Björn Fries via arch-general : > As the traffic is encrypted, iptables cannot analyse it. Apache must be the > one who blocks here. > > > On 2016-11-04 12:07, Maykel Franco via arch-general wrote: >> >> Hi, I have configured apache + php + mysql in my house. I'd like to block

Re: [arch-general] Iptables block https traffic apache

2016-11-04 Thread Björn Fries via arch-general
As the traffic is encrypted, iptables cannot analyse it. Apache must be the one who blocks here. On 2016-11-04 12:07, Maykel Franco via arch-general wrote: Hi, I have configured apache + php + mysql in my house. I'd like to block the specific url traffic over https... I found this: iptables -A OUT

Re: [arch-general] iptables script

2013-09-11 Thread Sébastien Luttringer
On Wed, Sep 11, 2013 at 1:20 PM, F. Gr. wrote: > Jakub Klinkovský [2013-09-10 20:01:01+0200]: > > [...] >> I don't know how you use the script, but you might consider using >> the 'iptables-restore' command to switch between multiple iptables >> configurations. If you still want to use the iptable

Re: [arch-general] iptables script

2013-09-11 Thread F. Gr.
Jakub Klinkovský [2013-09-10 20:01:01+0200]: [...] > I don't know how you use the script, but you might consider using > the 'iptables-restore' command to switch between multiple iptables > configurations. If you still want to use the iptables.service, you > can make the file /etc/iptables/iptable

Re: [arch-general] iptables script

2013-09-10 Thread Jakub Klinkovský
On 10.09.13 at 13:27, F. Gr. wrote: > I'm a newbie about iptables. I use this script > for my system. It is based on > . Now I > want to add an iptables log chain and others. What is the correct > line to start

Re: [arch-general] iptables/ip6tables unit error

2012-11-03 Thread Martín Cigorraga
> Perhaps you want to pay attention to this line right here. There is only > a sample config shipped with iptables. > > > Nov 04 00:00:01 heybeavis systemd[1]: iptables.service: main process > > exited, code=exited, status=1/FAILURE > > Nov 04 00:00:01 heybeavis systemd[1]: Failed to start Packet F

Re: [arch-general] iptables/ip6tables unit error

2012-11-03 Thread Dave Reisner
On Sun, Nov 04, 2012 at 12:07:59AM -0300, Martín Cigorraga wrote: > Hi all, > > today I found this error with the iptables/ip6tables units, does anybody > know what is happening? > > ~ $ su root > /home/msx # systemctl enable iptables.service > ln -s '/usr/lib/systemd/system/iptables.service' > '

Re: [arch-general] iptables forward policy

2012-08-28 Thread Juan Diego Tascón
Thanks all for your help I finally decided to go with a more simple port forwarding solution using socat a tool to forward tcp connections. This way I can filter forwarded ports by using the router's INPUT chain. Cheers On Sun, Aug 26, 2012 at 1:08 PM, Peter Baldridge wrote: > On Sun, Aug 26, 20

Re: [arch-general] iptables forward policy

2012-08-26 Thread Peter Baldridge
On Sun, Aug 26, 2012 at 10:11 AM, Juan Diego Tascón wrote: > Is there any way to debug iptables, Juan, Another good way to debug IPTables (if you can limit the traffic to the box to just what you are troubleshooting) is to use the command: sudo iptables -Z && sudo watch -n .5 iptables -nvL ^zeros t

Re: [arch-general] iptables forward policy

2012-08-26 Thread Bastian Beischer
Dear Juan, see the section on logging in the wiki: https://wiki.archlinux.org/index.php/Iptables#Logging Cheers Bastian On Sun, Aug 26, 2012 at 7:11 PM, Juan Diego Tascón wrote: > Thanks for both replies. The graphic does it a lot more > understandable. Is there any way to debug iptables, I me

Re: [arch-general] iptables forward policy

2012-08-26 Thread Juan Diego Tascón
Thanks for both replies. The graphic makes it a lot more understandable. Is there any way to debug iptables, I mean, like a tool where I can visualize the path of a packet and where exactly it gets dropped/accepted and also realtime packets headers (src, dst, proto, dport, sport, etc)? On Sat, Aug

Re: [arch-general] iptables forward policy

2012-08-25 Thread Corrado Primier
2012/8/25 Juan Diego Tascón : > Good day, Hello :) > I'm thinking of > setting the default FORWARD policy to ACCEPT as my default INPUT > policy is DROP and unless there is a valid FORWARD rule for a given > port the packets won't go anywhere. Am I right on this? You're wrong. Either a packet go

Re: [arch-general] iptables forward policy

2012-08-25 Thread Damjan
On 25.08.2012 18:47, Juan Diego Tascón wrote: Good day, I'm currently configuring a router. I'm setting the default policies to DROP in the INPUT OUTPUT AND FORWARD chains. I'm thinking of setting the default FORWARD policy to ACCEPT as my default INPUT policy is DROP and unless there is a valid

Re: [arch-general] iptables not working well?

2011-07-11 Thread Javier Vasquez
On Mon, Jul 11, 2011 at 9:52 PM, Javier Vasquez wrote: > On Sun, Jul 10, 2011 at 6:35 PM, Robert Marmorstein wrote: >> ... >> >> It might help you to LOG packets that are REJECTED.  Then if you continue to >> have issues, you should be able to see more directly what's going on. >> >> To do that,

Re: [arch-general] iptables not working well?

2011-07-11 Thread Javier Vasquez
On Sun, Jul 10, 2011 at 6:35 PM, Robert Marmorstein wrote: > ... > > It might help you to LOG packets that are REJECTED.  Then if you continue to > have issues, you should be able to see more directly what's going on. > > To do that, add rules like directly before the ones with -J REJECT: > > ipta

Re: [arch-general] iptables not working well?

2011-07-11 Thread Javier Vasquez
On Sun, Jul 10, 2011 at 10:22 PM, Javier Vasquez wrote: > On Sun, Jul 10, 2011 at 6:25 PM, Damjan Georgievski wrote: >> Your config looks ok, but to double check, paste the output of: >> iptables -L -nv % sudo iptables -L -nv Password: Chain INPUT (policy ACCEPT 1 packets, 446 bytes) pkts bytes

Re: [arch-general] iptables not working well?

2011-07-10 Thread Javier Vasquez
On Sun, Jul 10, 2011 at 6:25 PM, Damjan Georgievski wrote: > Your config looks ok, but to double check, paste the output of: > iptables -L -nv > iptables -t nat -L -nv > to see the exact situation. > > >> OK, on machines at the internal side of my LAN, I can ping everywhere. >>  But I can not use

Re: [arch-general] iptables not working well?

2011-07-10 Thread Damjan Georgievski
Your config looks ok, but to double check, paste the output of: iptables -L -nv iptables -t nat -L -nv to see the exact situation. > OK, on machines at the internal side of my LAN, I can ping everywhere. >  But I can not use the browser with all addresses, for example I can't > get to www.archlin

Re: [arch-general] iptables not working well?

2011-07-10 Thread Damjan Georgievski
>> If you have a static IP address on your ethernet card, you probably want to >> use SNAT rather than MASQUERADE. >> >> Also, I find it odd that you are using MASQUERADE on traffic TO the ppp0 >> interface.  Usually, you MASQUERADE traffic FROM the ppp0 address.  You might >> try >> "-i" instead o

Re: [arch-general] iptables not working well?

2011-07-10 Thread Javier Vasquez
On Sun, Jul 10, 2011 at 5:02 PM, Dr. Robert Marmorstein wrote: > If you have a static IP address on your ethernet card, you probably want to > use SNAT rather than MASQUERADE. > > Also, I find it odd that you are using MASQUERADE on traffic TO the ppp0 > interface.  Usually, you MASQUERADE traffic

Re: [arch-general] IPTables DDoS

2010-07-20 Thread Greg Bur
On Mon, 2010-07-19 at 22:43 +0530, Nilesh Govindarajan wrote: > Hi, > Can someone tell me how to use IPTables to prevent DDoS attacks? > I'm sure IPTables has the relevant modules (limit, recent I think) > after reading some docs, but still in doubt about its implementation. > I realize I am late

Re: [arch-general] IPTables DDoS

2010-07-20 Thread Nilesh Govindarajan
On Tue, Jul 20, 2010 at 6:55 PM, vlad wrote: > On Tue, Jul 20, 2010 at 06:47:00PM +0530, Nilesh Govindarajan wrote: >> On Tue, Jul 20, 2010 at 1:21 PM, vlad wrote: >> > Hello, >> > >> > The recent module is good for that: >> > http://www.sollers.ca/blog/2008/iptables_recent >> > http://www.google

Re: [arch-general] IPTables DDoS

2010-07-20 Thread vlad
On Tue, Jul 20, 2010 at 06:47:00PM +0530, Nilesh Govindarajan wrote: > On Tue, Jul 20, 2010 at 1:21 PM, vlad wrote: > > Hello, > > > > The recent module is good for that: > > http://www.sollers.ca/blog/2008/iptables_recent > > http://www.google.com/search?q=iptables+recent > > I have in my fw scri

Re: [arch-general] IPTables DDoS

2010-07-20 Thread Nilesh Govindarajan
On Tue, Jul 20, 2010 at 1:21 PM, vlad wrote: > Hello, > > The recent module is good for that: > http://www.sollers.ca/blog/2008/iptables_recent > http://www.google.com/search?q=iptables+recent > I have in my fw script: > " >  $TABLES -A limitations -m recent --name RECENT_FILTER --set >  $TABLES -

Re: [arch-general] IPTables DDoS

2010-07-20 Thread vlad
Hello, On Mon, Jul 19, 2010 at 10:43:45PM +0530, Nilesh Govindarajan wrote: > Hi, > Can someone tell me how to use IPTables to prevent DDoS attacks? > I'm sure IPTables has the relevant modules (limit, recent I think) > after reading some docs, but still in doubt about its implementation. The rece

Re: [arch-general] IPTables DDoS

2010-07-19 Thread Nilesh Govindarajan
On Tue, Jul 20, 2010 at 12:01 AM, C Anthony Risinger wrote: > On Mon, Jul 19, 2010 at 1:07 PM, Nilesh Govindarajan wrote: >> On Mon, Jul 19, 2010 at 11:14 PM, Heiko Baums wrote: >>> On Mon, 19 Jul 2010 22:43:45 +0530 >>> Nilesh Govindarajan wrote: >>> Hi, Can someone tell me how to

Re: [arch-general] IPTables DDoS

2010-07-19 Thread C Anthony Risinger
On Mon, Jul 19, 2010 at 1:07 PM, Nilesh Govindarajan wrote: > On Mon, Jul 19, 2010 at 11:14 PM, Heiko Baums wrote: >> On Mon, 19 Jul 2010 22:43:45 +0530 >> Nilesh Govindarajan wrote: >> >>> Hi, >>> Can someone tell me how to use IPTables to prevent DDoS attacks? >>> I'm sure IPTables has the r

Re: [arch-general] IPTables DDoS

2010-07-19 Thread Heiko Baums
On Mon, 19 Jul 2010 23:37:01 +0530 Nilesh Govindarajan wrote: > Thanks a lot man. But I have a doubt (may sound quite weird, but I > really don't know about it). > Suppose I set this- > iptables -I INPUT -m limit --limit 1/min --limit-burst 5 -j ACCEPT > will this affect HTTP connections? This

Re: [arch-general] IPTables DDoS

2010-07-19 Thread Nilesh Govindarajan
On Mon, Jul 19, 2010 at 11:14 PM, Heiko Baums wrote: > On Mon, 19 Jul 2010 22:43:45 +0530 > Nilesh Govindarajan wrote: > >> Hi, >> Can someone tell me how to use IPTables to prevent DDoS attacks? >> I'm sure IPTables has the relevant modules (limit, recent I think) >> after reading some docs, b

Re: [arch-general] IPTables DDoS

2010-07-19 Thread Heiko Baums
On Mon, 19 Jul 2010 22:43:45 +0530 Nilesh Govindarajan wrote: > Hi, > Can someone tell me how to use IPTables to prevent DDoS attacks? > I'm sure IPTables has the relevant modules (limit, recent I think) > after reading some docs, but still in doubt about its implementation. There's the --limi

Re: [arch-general] IPTables DDoS

2010-07-19 Thread Nilesh Govindarajan
On Mon, Jul 19, 2010 at 10:50 PM, C Anthony Risinger wrote: > On Mon, Jul 19, 2010 at 12:13 PM, Nilesh Govindarajan > wrote: >> Hi, >> Can someone tell me how to use IPTables to prevent DDoS attacks? >> I'm sure IPTables has the relevant modules (limit, recent I think) >> after reading some docs

Re: [arch-general] IPTables DDoS

2010-07-19 Thread C Anthony Risinger
On Mon, Jul 19, 2010 at 12:13 PM, Nilesh Govindarajan wrote: > Hi, > Can someone tell me how to use IPTables to prevent DDoS attacks? > I'm sure IPTables has the relevant modules (limit, recent I think) > after reading some docs, but still in doubt about its implementation. DDoS? do you mean jus