Log from #iptables at freenode 2006-06-08
[11:11]<sgnzcm_bzsvzzm>as you will be seeing many hundreds or thousands of attacking zombie machines
[11:11]<qzgvjuzysa>Sneaky_Bastard: you would have 10 000 houses to drive by though :D
[11:12]<xzgmzyx>lol
[11:12]<xzgmzyx>u could always get a cisco pix
[11:12]<xzgmzyx>and an opl4 connection
[11:12]<xzgmzyx>try flooding 4gbps
[11:13]<qzgvjuzysa>anyhows back to the cpu protection
[11:13]<xzgmzyx>change ur ulimit, don't set it to unlimited, and install grsec patch
[11:13]<drwygn>XandriX: that doesn't look right
[11:13]<xzgmzyx>all i can suggest
[11:13]<xzgmzyx>maxine, what my anti rape line ?
[11:13]<drwygn>xandrix: bugger all, i dunno
[11:14]<qzgvjuzysa>but 2Mbps can't draw a cpu full right ?
[11:14]<qzgvjuzysa>unless you do package tracing
[11:14]<xzgmzyx>Qantourisc, ish depends on the attack
[11:15]<xzgmzyx>like i said change your ulimit and install the grsecurity kernel patch
[11:18]<vzynm>i'm using
[11:19]<vzynm>iptables -t nat -A PREROUTING --dst $OUT_IP -p tcp --dport 443 -j DNAT --to-destination 192.168.1.100
[11:19]<xzgmzyx>Qantourisc, read up on it
[11:19]<vzynm>that destination is on one of 3 interfaces
[11:19]<vzynm>would that matter for nat'n things?
[11:19]<xzgmzyx>Qantourisc, that and all the security update to your distro
[11:19]<xzgmzyx>and services u run
[11:20]<vzynm>according to the topic's tutorial that's the only line i would need for iptables?
[11:20]<vzynm>except i'll experience difficulties in the nating
[11:20]<vzynm>which are explained below...
[11:23]<qzgvjuzysa>XandriX: ok thx (atm i appear to lack internet on the box :D)
[11:24]<xzgmzyx>lol
[11:24]<qzgvjuzysa>XandriX: dunno what went wrong :)
[11:24]<qzgvjuzysa>o wait
[11:24]<xzgmzyx>it's what i suggest, it's very important to keep up to date with your services and apps on your box, and grsec allows you to secure your kernel very well
[11:25]<xzgmzyx>Qantourisc, altho i suggest reading the guide on the grsec patch cuz it is complicated to use
[11:25]<qzgvjuzysa>XandriX: gateway on wrong eth0 :)
[11:25]<xzgmzyx>lol
[11:25]<vzynm>grsec ain't that complicated
[11:25]<qzgvjuzysa>XandriX: well eth0 didn't even exist anymore
[11:25]<vzynm>it works by itself
[11:25]<vzynm>lol
[11:25]<vzynm>just gotta enable and read ? in kernel options
[11:25]<vzynm>unless you're doing RBAC - that can be a bitch ;0
[11:26]<xzgmzyx>tried, i meant configuring it properly and activating its switches on bootup, and i suggest rbac lol
[11:26]<vzynm>ah
[11:26]<vzynm>RBAC is a nice thing ;-)
[11:27]<xzgmzyx>i agree on it being a pain tho
[11:27]<qzgvjuzysa>but atm i should be studying computer architectures ... not iptables ....
[11:27]<vzynm>ever have to learn policy and tune the conf?
[11:27]<vzynm>such a bitch heh
[11:27]<xzgmzyx>yeah i did lol
[11:28]<qzgvjuzysa>XandriX: hold on let me message nickserv
[11:28]<xzgmzyx>try tuning grsec properly to be able to use x and still be insanely secure and that no one else can access ur x and still have rbac
[11:28]<xzgmzyx>it's a bitch, trust me
[11:28]<vzynm>yea haha
[11:29]<xzgmzyx>lol
[11:29]<xzgmzyx>feel my pain
[11:29]<vzynm>i do lol
[11:29]<xzgmzyx>i needed x for vmware and that's a bitch too lol
[11:30]<vzynm>ahah vmware was bad with rbac
[11:30]<vzynm>but gentoo had it set up pretty nicely to start with
[11:30]<vzynm>and i got a lot of help ;-)
[11:30]<vzynm>and pax didn't have a problem with vmware
[11:30]<xzgmzyx>i know
[11:31]<xzgmzyx>but i'm a slackware user here and did it all by myself
[11:31]<xzgmzyx>and i'm not done yet lol
[11:31]<vzynm>ah shit lol
[11:31]<vzynm>i'm not putting grsec on slax heh
[11:31]<xzgmzyx>naww u should
[11:31]<vzynm>using it to work on a few things that grsec is going to hinder -- binary testing, etc.
[11:31]<xzgmzyx>it kicks fucking ass
[11:31]<vzynm>i bet it does
[11:31]<xzgmzyx>lol
[11:31]<vzynm>but binary testing will fail automatically heh
[11:32]<vzynm>at least problems found won't be the same on other systems
[11:32]<xzgmzyx>fair enough
[11:32]<xzgmzyx>time to watch prison break
[11:32]<vzynm>pz
[11:32]<vzynm>anyways, does anyone know why a rule like
[11:32]<vzynm>iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
[11:32]<vzynm>doesn't work by itself?
[11:32]<vzynm>i added -j ULOG to check logs
[11:32]<qzgvjuzysa>XandriX: so this patch means: tight access control on nearly all kernel functions ?
[11:33]<vzynm>it seems to be accepting the packet, or at least attempting to, but it won't route, and i do have the IPs correct
[11:33]<xzgmzyx>Qantourisc, yes
[11:33]<xzgmzyx>and don't forget to modify ur ulimit
[11:34]<xzgmzyx>which reminds me i have to readjust mine and i forgot how
[11:34]<qzgvjuzysa>XandriX: well there is a problem there
[11:34]<qzgvjuzysa>XandriX: sometimes it's NORMAL that the pipe is open 100% ...
[11:35]<xzgmzyx>Qantourisc, i know but ulimit should still be readjusted
[11:35]<qzgvjuzysa>?
[11:35]<qzgvjuzysa>elaborate how this helps please ...
[11:36]<xzgmzyx>some forms of DoS create forks
[11:36]<xzgmzyx>if ur ulimit is set to unlimited ur screwed
[11:36]<qzgvjuzysa>forks ?
[11:36]<qzgvjuzysa>RELATED traffic ?
[11:37]<xzgmzyx>no but some dos attacks attack a service on your server creating a fork
[11:37]<xzgmzyx>dos is not always flood bro
[11:37]<qzgvjuzysa>XandriX: ow ...
[11:38]<qzgvjuzysa>XandriX: thanks for reminding me
[11:38]<xzgmzyx>lol np
[11:38]<xzgmzyx>that's why i say the updates and everything
[11:38]<xzgmzyx>and grsec