Re: iptables to nftables?

2024-08-06 Thread Michel Verdier
On 2024-08-06, Dan Ritter wrote: > 200 is a lot for a human to manage. You may be able to simplify your > iptables rules by taking advantage of ipset for large numbers of > IPs (hash:ip) or ports (bitmap:port) that need similar > treatment. That's available in nftables as well. And udp/tcp ipv4/

Re: iptables to nftables?

2024-08-06 Thread Dan Ritter
Wesley wrote: > We have several debian servers, all running iptables. On average each has 200 > rules, mostly deny rules. From a best practice perspective, do we need to > upgrade to nftables? > iptables is currently implemented in terms of nftables. While it is possible that someday that inter

Re: iptables to nftables?

2024-08-06 Thread Stanislav Vlasov
Tue, 6 Aug 2024 at 16:05, Wesley : > We have several debian servers, all running iptables. On average each has 200 > rules, mostly deny rules. From a best practice perspective, do we need to > upgrade to nftables? Upgrade right now? No. Check and test? Yes. If your configuration works and ca

Re: iptables reject with TCP RST

2023-05-14 Thread Andy Smith
Hello, On Mon, May 15, 2023 at 09:40:10AM +0800, Tom Reed wrote: > Yes after each telnet from client host, the count was increased. > > 0 0 REJECT tcp -- any any anywhere > anywhere tcp dpt:imaps reject-with tcp-reset > 0 0 REJECT tcp --

Re: iptables reject with TCP RST

2023-05-14 Thread Tom Reed
> Hello, > > On Mon, May 15, 2023 at 09:10:24AM +0800, Tom Reed wrote: >> If I clean iptables in the destination host, this telnet will get >> success >> at once. >> >> Any hints? > > Why have you not used "iptables -vL" to show the packet counts of > each rule so you can see which rules the pac

Re: iptables reject with TCP RST

2023-05-14 Thread Andy Smith
Hello, On Mon, May 15, 2023 at 09:10:24AM +0800, Tom Reed wrote: > If I clean iptables in the destination host, this telnet will get success > at once. > > Any hints? Why have you not used "iptables -vL" to show the packet counts of each rule so you can see which rules the packets match? They ar

Re: iptables reject with TCP RST

2023-05-14 Thread Tom Reed
> > so whatever your 193.106.250.x host is, maybe it did indeed block > the packets itself, but would be good to verify. > Hello I have checked for details but didn't get the luck. My destination host does have the rules: REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9

Re: iptables reject with TCP RST

2023-05-14 Thread Andy Smith
Hi, On Sun, May 14, 2023 at 08:14:04AM +0800, Tom Reed wrote: > I have these iptables rules which reject tcp connections with tcp rst. First question, why are you using iptables instead of nft? On a new Debian install you actually are using nftables with an iptables compat layer, but a new instal

Re: iptables reject with TCP RST

2023-05-14 Thread Tim Woodall
tcptraceroute might give you more clues as to where it's going wrong. In particular I'd look at local egress rules not allowing connections to port 587 outside of the lan. On Sun, 14 May 2023, Tom Reed wrote: On Sun, May 14, 2023 at 08:36:38AM +0800, Tom Reed wrote: tcp 0 0 0.0.0.0

Re: iptables reject with TCP RST

2023-05-13 Thread Tom Reed
> On Sun, May 14, 2023 at 08:36:38AM +0800, Tom Reed wrote: >> tcp 0 0 0.0.0.0:587 0.0.0.0:* >> LISTEN >> 32157/master >> >> >> And the telnet results: >> >> $ telnet 193.106.250.xx 587 >> Trying 193.106.250.xx... >> telnet: Unable to connect to remote host: Connection

Re: iptables reject with TCP RST

2023-05-13 Thread zithro
On 14 May 2023 02:36, Tom Reed wrote: $ telnet 193.106.250.xx 587 Trying 193.106.250.xx... telnet: Unable to connect to remote host: Connection timed out Run wireshark/dumpcap or tcpdump on the client to check if you get the TCP reset packet. You can also run it server-side, to see if the ser

Re: iptables reject with TCP RST

2023-05-13 Thread Greg Wooledge
On Sun, May 14, 2023 at 08:36:38AM +0800, Tom Reed wrote: > tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN > 32157/master > > > And the telnet results: > > $ telnet 193.106.250.xx 587 > Trying 193.106.250.xx... > telnet: Unable to connect to remote host: Connecti

Re: iptables reject with TCP RST

2023-05-13 Thread Tom Reed
> > On 14/5/23 08:28, Tom Reed wrote: >> I telnet to host:587 not the port 23. >> And port 587 already reject access with tcp rst. > -- > > check if you are listening on port 587 > > netstat -tulpnW | grep 587 > > yes it does. tcp 0 0 0.0.0.0:587 0.0.0.0:* LI

Re: iptables reject with TCP RST

2023-05-13 Thread jeremy ardley
On 14/5/23 08:28, Tom Reed wrote: I telnet to host:587 not the port 23. And port 587 already reject access with tcp rst. -- check if you are listening on port 587 netstat -tulpnW | grep 587 Jeremy

Re: iptables reject with TCP RST

2023-05-13 Thread Tom Reed
> > On 14/5/23 08:14, Tom Reed wrote: >> /usr/sbin/iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with >> tcp-reset >> /usr/sbin/iptables -A INPUT -p tcp --dport 587 -j REJECT --reject-with >> tcp-reset >> >> When I telnet from another host to the protected port, it gets timeout >> message

Re: iptables reject with TCP RST

2023-05-13 Thread Jeremy Ardley
On 14/5/23 08:14, Tom Reed wrote: /usr/sbin/iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset /usr/sbin/iptables -A INPUT -p tcp --dport 587 -j REJECT --reject-with tcp-reset When I telnet from another host to the protected port, it gets timeout message as follows. telnet

Re: iptables and system reboot

2023-05-13 Thread Tom Reed
> > On 13/5/23 18:56, Tom Reed wrote: >> for iptables-save, after system rebooting, does it know where to locate >> the file? > > Yes. That's all taken care of by the iptables-persistent package > > Also I made a typo. correction; > > sudo nano /etc/iptables/rules.v4 > > sudo nano /etc/iptables/rul

Re: iptables and system reboot

2023-05-13 Thread jeremy ardley
On 13/5/23 18:56, Tom Reed wrote: for iptables-save, after system rebooting, does it know where to locate the file? Yes. That's all taken care of by the iptables-persistent package Also I made a typo. correction; sudo nano /etc/iptables/rules.v4 sudo nano /etc/iptables/rules.v6 -- Jeremy

Re: iptables and system reboot

2023-05-13 Thread Tom Reed
> > On 13/5/23 18:48, Tom Reed wrote: >> How to recover iptables rules after system rebooting? >> I know I can put a @reboot crontab for this but there is maybe the >> better >> way. > > > sudo apt install iptables-persistent > > sudo iptables-save > /etc/iptables/rules.v4 > > sudo ip6tables-save >

Re: iptables and system reboot

2023-05-13 Thread Jeremy Ardley
On 13/5/23 18:48, Tom Reed wrote: How to recover iptables rules after system rebooting? I know I can put a @reboot crontab for this but there is maybe the better way. sudo apt install iptables-persistent sudo iptables-save > /etc/iptables/rules.v4 sudo ip6tables-save > /etc/iptables/rules.

Re: iptables -Z option

2021-02-09 Thread john doe
On 2/9/2021 11:18 PM, Will Mengarini wrote: Your issue looks like this bug, but I don't know how to fix it: . * Bonno Bloksma [21-02/09=Tue 15:52 +]: For years I have had a firewall script that sets and/or resets my firewall rules.

Re: iptables -Z option

2021-02-09 Thread Will Mengarini
Your issue looks like this bug, but I don't know how to fix it: . * Bonno Bloksma [21-02/09=Tue 15:52 +]: > For years I have had a firewall script that sets and/or resets my > firewall rules. [It starts near] the top with some lines th

Re: iptables DROP before PREROUTING

2020-01-09 Thread Jim Popovitch
On Fri, 2020-01-10 at 01:52 +0500, Alexander V. Makartsev wrote: > > The answer to your question, I believe, should look like this: > "iptables -I FORWARD -s 23.132.208.0/24 -j DROP" Thanks! That is what I am looking for. To be clear, I'm doing something much more complex, but the underlying iss

Re: iptables DROP before PREROUTING

2020-01-09 Thread Alexander V. Makartsev
On 10.01.2020 00:46, Jim Popovitch wrote: > Hello! > > Is there a way to have iptables DROP before PREROUTING. > > Consider this bit of rules on a home firewall, where 24.126.xx.yy is my > home external IP address. > > - > iptables -P INPUT DROP > iptables -P OUTPUT ACCEPT > iptables -A INP

Re: iptables DROP before PREROUTING

2020-01-09 Thread Reco
Hi. On Thu, Jan 09, 2020 at 02:46:25PM -0500, Jim Popovitch wrote: > Is there a way to have iptables DROP before PREROUTING. What you meant is "before PREROUTING in nat". It's an important bit, see below. > What I want to do is prevent 23.132.208.0/24 from accessing a service > (port 123

Re: iptables, routing problems

2019-12-16 Thread Richard Hector
On 17/12/19 5:06 pm, Richard Hector wrote: > Hi all, > > I've got a networking issue that's confusing me. Got it, I think. I had previously been applying rules before switching to iptables-legacy - so I'd been adding nftables rules. Then I switched, without flushing (or rebooting), so both rules

Re: iptables firewall and web sites not loading

2019-12-10 Thread Nektarios Katakis
On Tue, 10 Dec 2019 07:22:05 +0100 Pascal Hambourg wrote: > On 10/12/2019 at 00:01, Nektarios Katakis wrote: > > > > I am running an iptables firewall on an openwrt router I've got. > > Which acts as Firewall/gateway and performs NATing for my internal > > network - debian PCs and android phon

Re: iptables firewall and web sites not loading

2019-12-09 Thread Pascal Hambourg
On 10/12/2019 at 00:01, Nektarios Katakis wrote: I am running an iptables firewall on an openwrt router I've got. Which acts as Firewall/gateway and performs NATing for my internal network - debian PCs and android phones. All good but specific web sites are not loading for the machines that a

Re: iptables firewall and web sites not loading

2019-12-09 Thread john doe
On 12/10/2019 12:01 AM, Nektarios Katakis wrote: > Hello, > > I am running an iptables firewall on an openwrt router I've got. Which > acts as Firewall/gateway and performs NATing for my internal network - > debian PCs and android phones. > > All good but specific web sites are not loading for the

Re: Iptables at boot, was fail2ban for apache2

2019-12-02 Thread Gene Heskett
On Monday 02 December 2019 07:46:22 Alessandro Vesely wrote: > On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote: > > You might want to install iptables-persistent, otherwise you'll have > > to roll-out your own solution. > > I'm not using iptables-persistent, but just looked at it out of > c

Re: Iptables at boot, was fail2ban for apache2

2019-12-02 Thread Greg Wooledge
On Mon, Dec 02, 2019 at 01:46:22PM +0100, Alessandro Vesely wrote: > ### BEGIN INIT INFO > # Provides: netfilter-persistent > # Required-Start:mountkernfs $remote_fs > # Required-Stop: $remote_fs > # Default-Start: S > # Default-Stop: 0 1 6 > # Short-Description: Load boot

Re: Iptables at boot, was fail2ban for apache2

2019-12-02 Thread Reco
On Mon, Dec 02, 2019 at 01:46:22PM +0100, Alessandro Vesely wrote: > On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote: > > > > You might want to install iptables-persistent, otherwise you'll have to > > roll-out your own solution. > > I'm not using iptables-persistent, but just looked at i

Re: iptables why rejects this output?

2019-10-08 Thread BAGI Ákos
I figured out, the packet is INVALID. I have absolutely no idea how it can happen. On 2019.10.07 23:29, Reco wrote: Hi. On Mon, Oct 07, 2019 at 10:55:53PM +0200, BAGI Ákos wrote: you mean I should make the firewall settings public? good idea :) If your security depends on obscu

Re: iptables why rejects this output?

2019-10-07 Thread Reco
Hi. On Mon, Oct 07, 2019 at 10:55:53PM +0200, BAGI Ákos wrote: > you mean I should make the firewall settings public? > good idea :) If your security depends on obscurity, you do not have security in the first place. Your INPUT rules can be probed. Your FORWARD rules aren't relevant to

Re: iptables why rejects this output?

2019-10-07 Thread BAGI Ákos
you mean I should make the firewall settings public? good idea :) On 2019.10.05 12:32, deloptes wrote: BAGI Ákos wrote: How can I enable it with iptables? (I have a lot of iptables rules). Is it ok, to enable it? without the iptables rules it is hard to tell - post the rules (iptables

Re: iptables why rejects this output?

2019-10-05 Thread deloptes
BAGI Ákos wrote: > How can I enable it with iptables? (I have a lot of iptables rules). > Is it ok, to enable it? without the iptables rules it is hard to tell - post the rules (iptables-save)

Re: iptables issue with ASP.Net Core Port 5000

2019-02-13 Thread Igor Cicimov
On Wed, 13 Feb 2019 11:30 pm Igor Cicimov On Wed, 13 Feb 2019 9:44 pm Patrick Kirk >> Hi all, >> >> I have a simple asp.net core site that runs with Postgres which works >> fine if I login as root and set it to run on port 80. SSL is done by >> cloudflare. I would prefer to use nginx or at leas

Re: iptables issue with ASP.Net Core Port 5000

2019-02-13 Thread Alexandre GRIVEAUX
On 2019-02-13 11:43, Patrick Kirk wrote: Hi all, I have a simple asp.net core site that runs with Postgres which works fine if I login as root and set it to run on port 80. SSL is done by cloudflare. I would prefer to use nginx or at least have an iptable rule to redirect the port 80 traffi

Re: iptables issue with ASP.Net Core Port 5000

2019-02-13 Thread Igor Cicimov
On Wed, 13 Feb 2019 9:44 pm Patrick Kirk Hi all, > > I have a simple asp.net core site that runs with Postgres which works > fine if I login as root and set it to run on port 80. SSL is done by > cloudflare. I would prefer to use nginx or at least have an iptable > rule to redirect the port 80 t

Re: iptables config resets after restarting system

2018-08-12 Thread Pascal Hambourg
On 10/08/2018 at 22:29, Hubert Hauser wrote: echo " * allowing ping responses" ${IPTABLES} -A INPUT -p ICMP -j ACCEPT ${IP6TABLES} -A INPUT -p ICMPv6 -j ACCEPT Replies to unicast echo requests have the ESTABLISHED state. So you don't need an extra rule to accept them, unless you are sendin

Re: iptables config resets after restarting system

2018-08-11 Thread likcoras
On 08/11/2018 05:29 AM, Hubert Hauser wrote: > Good afternoon! > > I've a problem with resetting iptables after restarting system. Here's my > /usr/local/bin/fwall-rules file: > > Running command fwall-rules after restarting system works. What am I > doing wrong? > > -- > Best regards, > Hubert Ha

Re: iptables geoip not working after update to jessie

2018-05-14 Thread lists
Hi, So, I removed xtables-addons-source: apt-get remove xtables-addons-source And reinstalled xtables-addons-dkms: apt-get install --reinstall xtables-addons-dkms That built the module, and things started working again. Thanks Reco! On 9-5-2018 10:38, Reco wrote: Hi. On Wed, Ma

Re: iptables geoip not working after update to jessie

2018-05-10 Thread mj
Hi Reco, Thanks for your reply. Holidays here now, I will try your suggestions next week, and report back then. Thanks! MJ On 05/09/2018 10:38 AM, Reco wrote: Hi. On Wed, May 09, 2018 at 08:37:52AM +0200, mj wrote: Hi, Yesterday I upgraded a server from wheezy to jessie. Went fine

Re: iptables geoip not working after update to jessie

2018-05-09 Thread Reco
Hi. On Wed, May 09, 2018 at 08:37:52AM +0200, mj wrote: > Hi, > > Yesterday I upgraded a server from wheezy to jessie. Went fine, with one > exception: my geoip iptables rules no longer work: > > > root@jessie:~# iptables -A INPUT -m geoip --src-cc RU -j DROP > > iptables: No chain/targe

Re: Iptables at boot

2018-02-14 Thread Bob Weber
On 2/14/18 4:51 PM, Rodary Jacques wrote: I was just going to give up, and I even installed shorewall, when my last attempt with my very old iptables config (from redhat 7.2) did work. I of course still have to get rid of stupid systemd config, but I don't really care since my server is always up

Re: Iptables at boot

2018-02-14 Thread Rodary Jacques
I was just going to give up, and I even installed shorewall, when my last attempt with my very old iptables config (from redhat 7.2) did work. I of course still have to get rid of stupid systemd config, but I don't really care since my server is always up! Thank you anyway for your hints. Jacques

Re: Re: Iptables at boot

2018-02-07 Thread rodaryj
Thank you. As soon as I can I will try it

Re: Iptables at boot

2018-01-31 Thread Bob Weber
On 1/31/18 12:28 PM, Jacques Rodary wrote: Hi Many things happened since my first message: I first had to get rid of connman (connection manager), which insisted to preset iptables rules without any notice. My Debian box is used as a DNS chrooted server (also I had to modify bind9.service be

Re: Re: Iptables at boot

2018-01-31 Thread Jacques Rodary
Hi Many things happened since my first message: I first had to get rid of connman (connection manager), which insisted to preset iptables rules without any notice. My Debian box is used as a DNS chrooted server (also I had to modify bind9.service behaviour), and I use iptabl

Re: Iptables at boot

2018-01-25 Thread Alessandro Vesely
On Sun 21/Jan/2018 20:53:43 +0100 Ben Caradoc-Davies wrote: > On 21/01/18 16:05, Mark Fletcher wrote: >> To get you started [addressing the OP], here is the service file I use: > > Mine is slightly different and has the commands inline: > > > $ cat /etc/iptables/iptables.service > [Unit] > Descr

Re: Iptables at boot

2018-01-22 Thread Karol Augustin
On 2018-01-21 1:02, Dejan Jocic wrote: > On 20-01-18, Jacques Rodary wrote: >> Hi >> How can I start iptables at boot. I don't find an equivalent to "service >> iptables start" with systemd and don't know how to create a new >> iptables.service. The manpages aren't quite clear for me. Thanks f

Re: Iptables at boot

2018-01-21 Thread Ben Caradoc-Davies
On 21/01/18 16:05, Mark Fletcher wrote: To get you started [addressing the OP], here is the service file I use: Mine is slightly different and has the commands inline: $ cat /etc/iptables/iptables.service [Unit] Description=iptables rules After=network.target [Service] Type=oneshot ExecStart

Re: Iptables at boot

2018-01-21 Thread Dejan Jocic
On 21-01-18, Mark Fletcher wrote: > On Sun, Jan 21, 2018 at 02:02:07AM +0100, Dejan Jocic wrote: > > On 20-01-18, Jacques Rodary wrote: > > > Hi > > > How can I start iptables at boot. I don't find an equivalent to " > > > service > > > iptables start" with systemd and don't know how to create

Re: Iptables at boot

2018-01-20 Thread Mark Fletcher
On Sun, Jan 21, 2018 at 02:02:07AM +0100, Dejan Jocic wrote: > On 20-01-18, Jacques Rodary wrote: > > Hi > > How can I start iptables at boot. I don't find an equivalent to " service > > iptables start" with systemd and don't know how to create a new > > iptables.service. The manpages aren't qu

Re: Iptables at boot

2018-01-20 Thread Dejan Jocic
On 20-01-18, Jacques Rodary wrote: > Hi > How can I start iptables at boot. I don't find an equivalent to " service > iptables start" with systemd and don't know how to create a new > iptables.service. The manpages aren't quite clear for me. Thanks for any > help. > Jacques > There are two

Re: iptables question

2016-11-14 Thread Pascal Hambourg
On 14/11/2016 at 00:48, deloptes wrote: Pascal Hambourg wrote: Well then, all I can suggest is to run a packet capture and try to see what's going on. I guess you mean on the firewall? Yes.

Re: iptables question

2016-11-14 Thread deloptes
Henning Follmann wrote: > Last time I chime in here. > I understand growth and chaos, believe me. However sometimes we need a > nudge or a kick in the butt to clean up. Maybe this is your call.. It has been kicking me and calling me for some time but I cannot do this before next summer. I have to sit

Re: iptables question

2016-11-14 Thread Henning Follmann
On Mon, Nov 14, 2016 at 12:45:20AM +0100, deloptes wrote: > Henning wrote: > > > And usually there is no reason for two separate rfc1918 address ranges. > > Pick one matching your address space needs and design subnets. > > There is only one single reason for nat: you have more hosts than routable

Re: iptables question

2016-11-14 Thread deloptes
deloptes wrote: > Igor Cicimov wrote: > >> Run tcpdump and check what's happening > > That is strange - I will look into this direction - let me know if you > have any ideas > > regards > > > tcpdump -vvv dst 10.0.0.7 > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size > 65

Re: iptables question

2016-11-13 Thread deloptes
Igor Cicimov wrote: > Run tcpdump and check what's happening That is strange - I will look into this direction - let me know if you have any ideas regards tcpdump -vvv dst 10.0.0.7 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 08:07:11.591763 ARP, Ethernet (l

Re: iptables question

2016-11-13 Thread Igor Cicimov
On 13 Nov 2016 11:20 am, "deloptes" wrote: > > Joe wrote: > > > On Sat, 12 Nov 2016 22:15:45 +0100 > > deloptes wrote: > > > >> Hi, > >> I need some help and I'll appreciate it. > >> > >> I have a firewall with iptables behind the modem. > >> on this firewall I have > >> eth0 with ip 10..

Re: iptables question

2016-11-13 Thread Igor Cicimov
On 14 Nov 2016 12:50 am, "Pascal Hambourg" wrote: > > On 13/11/2016 at 13:37, Joe wrote: >>> >>> >>> PPTP rather falls into the "complex protocols" described below. >> >> >> Exactly so. You wouldn't believe how many routers of ten years ago or >> so didn't handle it properly, at least with their

Re: iptables question

2016-11-13 Thread deloptes
Pascal Hambourg wrote: > Well then, all I can suggest is to run a packet capture and try to see > what's going on. I guess you mean on the firewall? I am not even sure I can install tcpdump there, but I will try and ask again for help here for sure thanks

Re: iptables question

2016-11-13 Thread deloptes
Henning wrote: > And usually there is no reason for two separate rfc1918 address ranges. > Pick one matching your address space needs and design subnets. > There is only one single reason for nat: you have more hosts than routable > ip addresses. I guess 10.0.0.0 meets even the biggest organizatio

Re: iptables question

2016-11-13 Thread Henning
> On Nov 13, 2016, at 5:19 PM, Pascal Hambourg wrote: > >> On 13/11/2016 at 22:27, Henning wrote: >> I followed this thread and I wonder if there is a sane reason why you do nat >> inside your network. Why don't you just route between different subnets i.e. >> 10.0.1.0/24 and 10.0.2.0/24 >

Re: iptables question

2016-11-13 Thread Pascal Hambourg
On 13/11/2016 at 21:43, deloptes wrote: Pascal Hambourg wrote: replace 10.0.0.1/32 with 10.0.0.0/24 it does not work You should double check that. I checked replaced 10.0.0.1/32 with 10.0.0.0/24. Just insert this rule and check whether it changes anything: iptables -I FORWARD -j ACCEP

Re: iptables question

2016-11-13 Thread Pascal Hambourg
On 13/11/2016 at 22:27, Henning wrote: I followed this thread and I wonder if there is a sane reason why you do nat inside your network. Why don't you just route between different subnets i.e. 10.0.1.0/24 and 10.0.2.0/24 Probably because the modem and hosts in 10.0.0.0/24 don't know about

Re: iptables question

2016-11-13 Thread Henning
I followed this thread and I wonder if there is a sane reason why you do nat inside your network. Why don't you just route between different subnets i.e. 10.0.1.0/24 and 10.0.2.0/24 you still can have a firewall between those subnets -H

Re: iptables question

2016-11-13 Thread deloptes
Pascal Hambourg wrote: >> replace 10.0.0.1/32 with 10.0.0.0/24 it does not work > > You should double check that. > I checked replaced 10.0.0.1/32 with 10.0.0.0/24. >>> This ruleset does not need improvements but a total rewrite. >> >> Yes I was thinking the same, I'll put it on the TODO. I ev

Re: iptables question

2016-11-13 Thread Pascal Hambourg
On 13/11/2016 at 20:40, deloptes wrote: Pascal Hambourg wrote: Did you check the routing table on the firewall and the targets? Do they have a route to all the 10.0.0.0/24 range? the one I posted is on the firewall - firewall is the one I am trying to modify. The one you posted? I didn

Re: iptables question

2016-11-13 Thread deloptes
Pascal Hambourg wrote: > On 13/11/2016 at 16:05, deloptes wrote: >> >> These are the rules - a friend created this like 10y ago. I added a few >> rules to forward ports from outside to the intranet and to be able to >> handle VPN. >> You can ignore 192.168.60.1 on eth2 - not used. > > IMO, this

Re: iptables question

2016-11-13 Thread Pascal Hambourg
On 13/11/2016 at 16:05, deloptes wrote: These are the rules - a friend created this like 10y ago. I added a few rules to forward ports from outside to the intranet and to be able to handle VPN. You can ignore 192.168.60.1 on eth2 - not used. IMO, this ruleset is totally insane. However, afte

Re: iptables question

2016-11-13 Thread deloptes
Michael Milliman wrote: > Again, posting the exact ruleset would be helpful. These are the rules - a friend created this like 10y ago. I added a few rules to forward ports from outside to the intranet and to be able to handle VPN. You can ignore 192.168.60.1 on eth2 - not used. Another important

Re: iptables question

2016-11-13 Thread Pascal Hambourg
On 13/11/2016 at 13:37, Joe wrote: PPTP rather falls into the "complex protocols" described below. Exactly so. You wouldn't believe how many routers of ten years ago or so didn't handle it properly, at least with their initial firmware. But why wouldn't I? Knowing how NAT is tricky, I am

Re: iptables question

2016-11-13 Thread Joe
On Sun, 13 Nov 2016 11:29:48 +0100 Pascal Hambourg wrote: > On 13/11/2016 at 11:09, Joe wrote: > > Pascal Hambourg wrote: > > > >> On 12/11/2016 at 23:32, Joe wrote: > >>> > >>> The SNAT should not be an issue, it can handle all protocols > >>> transparently > >> > >> No it cannot. NAT

Re: iptables question

2016-11-13 Thread Michael Milliman
On 11/12/2016 06:19 PM, deloptes wrote: Joe wrote: On Sat, 12 Nov 2016 22:15:45 +0100 deloptes wrote: Hi, I need some help and I'll appreciate it. I have a firewall with iptables behind the modem. on this firewall I have eth0 with ip 10..1 to the modem ip: 10..12 eth1 wi

Re: iptables question

2016-11-13 Thread Pascal Hambourg
On 13/11/2016 at 11:09, Joe wrote: Pascal Hambourg wrote: On 12/11/2016 at 23:32, Joe wrote: The SNAT should not be an issue, it can handle all protocols transparently No it cannot. NAT is not possible with some IP protocols. Plain IPSec (without NAT-T encapsulation) is the first one t

Re: iptables question

2016-11-13 Thread Joe
On Sun, 13 Nov 2016 10:35:29 +0100 Pascal Hambourg wrote: > On 12/11/2016 at 23:32, Joe wrote: > > > > The SNAT should not be an issue, it can handle all protocols > > transparently > > No it cannot. NAT is not possible with some IP protocols. Plain IPSec > (without NAT-T encapsulation) is

Re: iptables question

2016-11-13 Thread Pascal Hambourg
On 13/11/2016 at 01:19, deloptes wrote: Yes, it is not working How is it not working? What do you do and what happens? From one computer ip 10..6 I can ssh to 10..7 and vv. That does not concern the firewall between the modem and the LAN. I also see that iptables forwards to the outp

Re: iptables question

2016-11-13 Thread Pascal Hambourg
On 12/11/2016 at 23:32, Joe wrote: The SNAT should not be an issue, it can handle all protocols transparently No it cannot. NAT is not possible with some IP protocols. Plain IPSec (without NAT-T encapsulation) is the first one that comes to mind. Also many complex protocols such as FTP or

Re: iptables question

2016-11-12 Thread deloptes
Joe wrote: > On Sat, 12 Nov 2016 22:15:45 +0100 > deloptes wrote: > >> Hi, >> I need some help and I'll appreciate it. >> >> I have a firewall with iptables behind the modem. >> on this firewall I have >> eth0 with ip 10..1 to the modem ip: 10..12 >> eth1 with ip 192..1 to the i

Re: iptables question

2016-11-12 Thread Joe
On Sat, 12 Nov 2016 22:15:45 +0100 deloptes wrote: > Hi, > I need some help and I'll appreciate it. > > I have a firewall with iptables behind the modem. > on this firewall I have > eth0 with ip 10..1 to the modem ip: 10..12 > eth1 with ip 192..1 to the intranet > > iptables is

Re: iptables advice

2016-10-29 Thread Pascal Hambourg
On 27/10/2016 at 13:36, Pol Hallen wrote: I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules: Please be more precise. Iptables rules are created on nodes (hosts and routers), not networks. iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT iptables -A FORWARD -m state --state E

Re: iptables advice

2016-10-28 Thread Dan Ritter
On Thu, Oct 27, 2016 at 01:36:23PM +0200, Pol Hallen wrote: > Hello all :-) > > I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules: > > iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/24 -j > ACCEPT > > and same

Re: iptables advice

2016-10-27 Thread Pol Hallen
iptables -A FORWARD -s 192.168.2/24 -d 192.168.1/24 -m conntrack \ --ctstate NEW -m comment --comment 'lan2 cannot see lan1' -j DROP [...] cheers! :-p Pol

Re: iptables advice

2016-10-27 Thread Reco
Hi. On Thu, Oct 27, 2016 at 01:36:23PM +0200, Pol Hallen wrote: > Hello all :-) > > I've 2 LANs (192.168.1/24 and 192.168.2/24) with these rules: > > iptables -A FORWARD -s 192.168.1/24 -d 0/0 -j ACCEPT > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1/

Re: iptables redirect

2016-09-07 Thread Igor Cicimov
On 8 Sep 2016 1:56 am, "Dan Ritter" wrote: > > On Wed, Sep 07, 2016 at 09:24:18AM +0200, Pol Hallen wrote: > > Hi all, > > > > I've a small lan: > > > > dsl<--->server1<--->lan1-192.168.10.0/24 (NIC1) > > lan2-192.168.20.0/24 (NIC2) > > > > I've squid proxy on lan2 (ip192.168.2

Re: iptables redirect

2016-09-07 Thread Dan Ritter
On Wed, Sep 07, 2016 at 09:24:18AM +0200, Pol Hallen wrote: > Hi all, > > I've a small lan: > > dsl<--->server1<--->lan1-192.168.10.0/24 (NIC1) > lan2-192.168.20.0/24 (NIC2) > > I've squid proxy on lan2 (ip192.168.20.250) > > iptables -t nat -A OUTPUT -p tcp --dport 80 -j DN

Re: iptables changes triggering audit messages, despite auditd not being installed

2016-05-05 Thread shawn wilson
On May 5, 2016 8:10 AM, "Tony Evans" wrote: > > Firstly, apologies for double-posting the issue originally. > > On 5 May 2016 at 13:05, shawn wilson wrote: > > > > On May 5, 2016 6:03 AM, "Tony Evans" wrote: > >> > > > >> I can't find why the log entries are being created (i.e. I know the > >> t

Re: iptables changes triggering audit messages, despite auditd not being installed

2016-05-05 Thread Tony Evans
Firstly, apologies for double-posting the issue originally. On 5 May 2016 at 13:05, shawn wilson wrote: > > On May 5, 2016 6:03 AM, "Tony Evans" wrote: >> > >> I can't find why the log entries are being created (i.e. I know the >> trigger, but I can't work out why that trigger is now generating

Re: iptables changes triggering audit messages, despite auditd not being installed

2016-05-05 Thread shawn wilson
On May 5, 2016 6:03 AM, "Tony Evans" wrote: > > I can't find why the log entries are being created (i.e. I know the > trigger, but I can't work out why that trigger is now generating log > entries when it wasn't doing that before I installed and removed > auditd). > I'm guessing the removal scri

Re: iptables rules disappear

2015-03-25 Thread Diogene Laerce
On 03/25/2015 02:06 PM, Linux4Bene wrote: > Op Wed, 25 Mar 2015 11:46:21 +0100, schreef Diogene Laerce: > >> Hi, >> >> I have a strange behavior of iptables lately : all rules are cleaned up >> after a few minutes. >> >> iptables-persistent is installed and if I reboot just after restoring >> all

Re: iptables rules disappear

2015-03-25 Thread Linux4Bene
Op Wed, 25 Mar 2015 11:46:21 +0100, schreef Diogene Laerce: > Hi, > > I have a strange behavior of iptables lately : all rules are cleaned up > after a few minutes. > > iptables-persistent is installed and if I reboot just after restoring > all rules, > all rules are still loaded. But a few minu

Re: iptables firewall

2014-07-31 Thread Mike McClain
On Wed, Jul 30, 2014 at 08:33:56PM +0200, Nemeth Gyorgy wrote: > On 2014-07-30 09:18, Joe wrote: > > Something else you might do now is to place temporary logging rules > > before your 'DROP' rules, to confirm whether it is indeed iptables > > which is blocking those packets. No logs, it's

Re: iptables firewall

2014-07-30 Thread Joe
On Wed, 30 Jul 2014 21:34:07 +0200 Pascal Hambourg wrote: > Joe wrote: > > > > Something else you might do now is to place temporary logging rules > > before your 'DROP' rules, to confirm whether it is indeed iptables > > which is blocking those packets. > > Or just run tcpdump while the por

Re: iptables firewall

2014-07-30 Thread Pascal Hambourg
Joe wrote: > > Something else you might do now is to place temporary logging rules > before your 'DROP' rules, to confirm whether it is indeed iptables > which is blocking those packets. Or just run tcpdump while the port scan is running. > No logs, it's somebody or something > else. And if y

Re: iptables firewall

2014-07-30 Thread Nemeth Gyorgy
On 2014-07-30 09:18, Joe wrote: > Something else you might do now is to place temporary logging rules > before your 'DROP' rules, to confirm whether it is indeed iptables > which is blocking those packets. No logs, it's somebody or something > else. Perhaps it is not needed. iptables -L -v

Re: iptables firewall

2014-07-30 Thread Nemeth Gyorgy
On 2014-07-30 17:33, Mike McClain wrote: >> And as someone else asked, why are you worried about this 'stealth'? As >> long as the bad packets don't get in, what does it matter? > > Why is there a DROP instruction in iptables as well as REJECT? To allow you to do what you want. e.g. DROP c

Re: iptables firewall

2014-07-30 Thread Sven Hartge
Mike McClain wrote: > On Wed, Jul 30, 2014 at 08:18:51AM +0100, Joe wrote: >> And as someone else asked, why are you worried about this 'stealth'? >> As long as the bad packets don't get in, what does it matter? > Why is there a DROP instruction in iptables as well as REJECT? Sometimes you want

Re: iptables firewall

2014-07-30 Thread Sven Hartge
Sven Hartge wrote: > If I try to connect to a system on (for example) IP 192.168.40.60 and > port 80 and there is no system with that IP, the router for the > network will tell me via an "ICMP host unreachable" package. Erm, please replace "package" with "packet" while reading, thanks. Regards, S
