Log from #iptables at freenode 2006-06-01
[17:31]<vzrllysv>if you use DROP and you try to ssh, it'll take a long time and it'll timeout. if you use REJECT it'll just say connection refused.
[17:32]<vzrllysv>before what?
[17:32]<fzlzvjz>iptables -I INPUT -p tcp -i ppp0 --dport 22
[17:32]<fzlzvjz>you dont put any -j option
[17:33]<vzrllysv>on a real rule I do
[17:33]<vzrllysv>I meant if you say iptables -I INPUT -p tcp -i ppp0 --dport 22 -j DROP
[17:34]<fzlzvjz>ok
[17:34]<fzlzvjz>trappist~ can i paste you my iptables -nL in a private to see it ?
[17:35]<vzrllysv>use iptables-save instead. it's easier to read.
[17:35]<fzlzvjz>sure
[17:37]<vzrllysv>my god, why do you open all those ports?
[17:38]<fzlzvjz>trappist~ :)
[17:38]<fzlzvjz>huh
[17:38]<vzrllysv>you don't want all those ports open
[17:39]<fzlzvjz>if you portscan me they are stealth.
[17:39]<fzlzvjz>trappist~ do you want to ?
[17:40]<vzrllysv>what makes you think that?
[17:40]<fzlzvjz>the grc.com . also i scan myself
[17:40]<vzrllysv>ACCEPT doesn't make them stealth
[17:41]<fzlzvjz>policy DROP
[17:41]<vzrllysv>but the policy only gets used if there's no matching rule, and you have rules to accept almost all ports!
[17:41]<fzlzvjz>trappist~ can you make a portscan to me ?
[17:41]<vzrllysv>doing it now
[17:42]<fzlzvjz>ok
[17:42]<vzrllysv>but if grc says you're stealth, and those are your rules, you must have a router between you and the internet
[17:42]<fzlzvjz>trappist~ i use nmap -v -sT -P0 -p- localhost
[17:42]<vzrllysv>scanning localhost doesn't count
[17:42]<vzrllysv>you have to scan from the outside
[17:42]<fzlzvjz>trappist~ no i haven't.. i am behind a 56K modem
[17:42]<fzlzvjz>:(
[17:43]<vzrllysv>most of your rules are for ppp0 and localhost doesn't go through ppp0
[17:43]<fzlzvjz>trappist~ also instead of localhost use the real ip of ppp0
[17:43]<vzrllysv>it really isn't a valid scan unless you do it from the outside
[17:44]<fzlzvjz>ok.. you do it for me :)
[17:44]<vzrllysv>it's scanning now
[17:44]<fzlzvjz>and i am glaf about that :)
[17:44]<vzrllysv>brb, smoke
[17:44]<fzlzvjz>glad
[17:44]<fzlzvjz>also do you know what i dont understand on the iptables-save that i pasted to you ?
[17:45]<fzlzvjz>the last rule of the input: "-A INPUT -i ppp0 -j REJECT --reject-with icmp-port-unreachable"
[17:45]<fzlzvjz>is there any reason for that ??
[17:47]<fzlzvjz>trappist~ ?
[17:47]<drwygn>somebody said trappist~ was it correct ?
[17:47]<fzlzvjz>trappist~ ?
[17:47]<drwygn>well, trappist~ is it correct ?
[17:48]<fzlzvjz>huh.. bot
[17:48]<vzrllysv>yeah she's a bot
[17:49]<fzlzvjz>trappist~ do you give a look at that rule ?
[17:49]<vzrllysv>ah I didn't see that. that one rule means ALL the other rules for ppp0 are ignored
[17:50]<vzrllysv>so, all your ports are listed as closed on my scan
[17:50]<vzrllysv>closed is not stealth :)
[17:50]<vzrllysv>wait...
[17:50]<fzlzvjz>trappist~ what command did you use ?
[17:51]<fzlzvjz>for the scan
[17:51]<vzrllysv>ok I misread that rule...
[17:51]<vzrllysv>I just said nmap yourip
[17:51]<vzrllysv>nothing special
[17:51]<fzlzvjz>ok
[17:52]<fzlzvjz>does that rule do anything ? cause i already have policy DROP
[17:52]<vzrllysv>again, your policy only works on packets that don't match any rules. since that's a catch-all rule, your policy is never used.
[17:53]<rjvxyrrduax>http://nothingmuch.woobling.org/bandwidth.html
[17:55]<fzlzvjz>ok i got it
[17:55]<fzlzvjz>something last..!
[17:56]<fzlzvjz>from where are the rules read? from top to the buton or in reverse mode?
[17:56]<fzlzvjz>bottom
[17:57]<vzrllysv>every time you say -A INPUT a rule is added to the end. if you use -I INPUT instead, the rule goes at the beginning. then the rules are read from top to bottom.
[17:58]<fzlzvjz>cause when i add a rule with -A: ex: iptables -A INPUT -j MyNewChain
[17:58]<fzlzvjz>the next rules after the MyNewChain dont work. if i do the same command with -I .. it works.
[17:58]<vzrllysv>right.
[17:59]<fzlzvjz>why this is happening ?
[17:59]<vzrllysv>what you want to do is put your rules into a script. the first thing the script should do is flush your rules, then it will rebuild them from scratch.
[17:59]<vzrllysv>because when you say -A, the rule goes at the end - so if a packet matches a rule BEFORE the new rule, which it will, it will use that rule and stop going through the rules.
[18:00]<fzlzvjz>cool :)
[18:01]<fzlzvjz>also.. if i dont want my computer to be able to send any packet to my brother's computer with 192.168.1.5 can i use that command ?
[18:02]<fzlzvjz>iptables -I OUTPUT -d 192.168.1.5 -j REJECT
[18:02]<vzrllysv>yes
[18:03]<fzlzvjz>and if i dont want to receive a packet from him . iptables -I INPUT -s 192.168.1.5 -j REJECT
[18:04]<vzrllysv>yes
[18:04]<fzlzvjz>ok.
[18:04]<fzlzvjz>now what ports must i have open ?
[18:05]<fzlzvjz>ex: web browsing? 1024:5999
[18:05]<fzlzvjz>?
[18:05]<vzrllysv>any ports you want to run servers on and be available from the internet
[18:05]<vzrllysv>no ports if you aren't running servers
[18:05]<vzrllysv>just do this:
[18:05]<vzrllysv>iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[18:07]<fzlzvjz>what will it do exactly? i know but not exactly
[18:07]<fzlzvjz>:(
[18:07]<fzlzvjz>allow established connections and related
[18:07]<vzrllysv>it will allow packets that belong to established or related connections, which means...
[18:08]<vzrllysv>when you make a connection to, say, a website, the packets that come back from that website will be allowed, because you started the connection. but if you don't open any ports, people can't start connections to you.
[18:09]<fzlzvjz>i dont have that rule