Log from #iptables at freenode 2006-07-25
[10:02]<aza>can someone help me get my iptables correct?
[10:03]<aza>i keep entering the gentoo home router instructions, modified for my home setup (im routing between a wireless lan and a 4-system local network)..
[10:03]<aza>when i type in iptables -I FORWARD -i ${LAN} -d 192.168.1.0/255.255.0.0 -j DROP
[10:03]<aza>iptables --list reports: DROP all -- anywhere 192.168.0.0/16
[10:03]<aza>the WAN (wireless lan) is 192.168.0.0, the LAN is 192.168.1.0
[10:04]<aza>i don't understand how it's confusing the numbers
[10:04]<rlraxne>as debug you could set the default policy to ACCEPT
[10:04]<rlraxne>until you have setup the networks so they work
[10:04]<rlraxne>and then start to work with iptables to narrow it down
[10:05]<aza>Apachez: I'm doing masquerade, not trying to firewall it
[10:05]<rlraxne>http://www.tbg.nu/iptables.txt
[10:06]<rlraxne>iptables -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
[10:06]<aza>I'm doing these instructions: http://www.gentoo.org/doc/en/home-router-howto.xml#doc_chap5_pre2
[10:06]<aza>verbatim except its 192.168.1.0 instead of 192.168.0.0
[10:06]<rlraxne>they look a bit fubared
[10:13]<aza>um, no, the url you gave me is fubared.
[10:13]<aza>seriously.
[10:14]<aza>im already behind a nat. i dont need any protection from anything. i dont need a firewall. i just need to let these clients on my lan access my wrt54g router
[10:14]<aza>my local system running iptables is connected via wifi to the router.
[10:17]<aza>I just have a very simple question - why is it transposing my 192.168.1.0 for 192.168.0.0
[10:18]<aza>when i type this: iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
[10:18]<aza>why do I see this: ACCEPT all -- 192.168.0.0/16 anywhere
[10:18]<aza>er
[10:19]<aza>when i type: iptables -A FORWARD -i ${LAN} -s 192.168.1.0/255.255.0.0 -j ACCEPT
[11:12]<rlraxne>you are using wrong subnet
[11:13]<pejer>Hi, question: "Are they packets that are NEW and have one of these flags ACK,FIN,RST,URG,PSH ?" outside of a port scan of course
[11:14]<rlraxne>how you mean ?
[11:16]<pejer>every new packet that came to a service is SYN right?
[11:25]<rlraxne>depends
[11:25]<rlraxne>a new packet is one that currently isnt located to belong to a current state
[11:26]<rlraxne>for example a syn + ack is a new packet for outbound connection
[11:26]<rlraxne>since the handshake is IN syn -> OUT syn+ack -> IN ack
[11:26]<rlraxne>but sure for inbound connections NEW should be where only syn is set
[11:27]<rlraxne>but im not 100% sure that this is the case for all type of protocols
[11:28]<rlraxne>but that syn+ack packet will most likely trigger in the established row
[11:28]<rlraxne>if you log dropped packets then you could just test and see what happens :P
[11:29]<pejer>I'm asking because i don't know if it is a good idea to drop all packets NEW that are not SYN, including ACK, and all the rest
[11:30]<pejer>iptables -A INPUT -p tcp --tcp-flags ALL ACK,FIN,RST,URG,PSH -m state --state NEW -j DROP
[11:30]<rlraxne>ahh thats a common rule
[11:30]<pejer>what do you say?
[11:30]<rlraxne>new not syn
[11:30]<rlraxne>iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j BADTCP_DROP
[11:31]<rlraxne>you have a badtcp list at http://www.tbg.nu/iptables.txt
[11:31]<rlraxne>also http://lists.netfilter.org/pipermail/netfilter/2004-November/057155.html have a more extended list but i dunno if its complete
[11:31]<pejer>but ! --syn accept SYN,RST,ACK SYN
[11:32]<rlraxne>iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_DROP
[11:32]<rlraxne>:P
[11:32]<rlraxne>look at the badtcp chain at http://www.tbg.nu/iptables.txt
[11:35]<pejer>i see the rules... but with that rules, what happens if i send you a new packet with only a ACK flag ?
[11:35]<pejer>it will accept it?
[11:40]<rlraxne>a new packet with only an ACK will be dropped by iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j BADTCP_DROP
[11:50]<pejer>ok, I'm understanding.... =) thanks Apachez
[12:06]<pejer>Apachez, when you can see it out http://www.e-solux.com.ar/inmolator-fw.tar.gz
[12:06]<pejer>;)
[12:08]<rlraxne>its written in spanish :/
[12:08]<pejer>yes... but the code is the same from everyone ;)
[12:10]<rlraxne>i mean looking at the README is like Manuel from Fawlty Towers: que?
[12:10]<rlraxne>:)
[12:11]<pejer>=) I'm from Argentina... that's why... and I don't speak english so well, but then i will try to translate it =)
[12:15]<rlraxne>but other than that I dont understand a word from the comments in the code it looks nice
[12:15]<rlraxne>perhaps you should update that antispoof list
[12:17]<pejer>what i missed?
[12:19]<pejer>I should update it like http://www.tbg.nu/iptables.txt ?
[12:20]<rlraxne>for example :P
[12:20]<pejer>;)
[13:43]<[lyguw]>hello, can someone tell me what modules need loading in iptables ..
[13:43]<[lyguw]>my distro doesnt load all modules...
[13:44]<rlraxne>depends on what you want to do
[13:44]<rlraxne>I load: ipt_LOG
[13:44]<[lyguw]>i have gentoo
[13:44]<rlraxne>ipt_limit
[13:44]<[lyguw]>but my gentoo doesnt load all modules
[13:44]<rlraxne>and uhh thats about it
[13:45]<[lyguw]>but my /etc/modules.autoload.d/kernel-2.6
[13:45]<[lyguw]>got wiped
[13:45]<[lyguw]>and i had 7 autoload modules...
[13:45]<[lyguw]>AMDevolution daljeet # ./firewall --ssh
[13:45]<[lyguw]>iptables: No chain/target/match by that name
[13:45]<[lyguw]>iptables: No chain/target/match by that name
[15:57]<jjxggdq1|wjzc>I ran iptables -A INPUT -p tcp -j DROP and then iptables -A INPUT -p tcp --dport 22 -j ACCEPT, any ideas why I can't connect with ssh after that??
[16:04]<rlraxne>because the first rule is the match
[16:04]<rlraxne>iptables evaluates top-down
[16:04]<rlraxne>first rule that matches will end the evaluation
[16:07]<jjxggdq1|wjzc>Apachez: thanks, thought it was the other way around
[16:08]<rlraxne>and its better to use drop as default
[16:08]<rlraxne>this way you wont need specific drop rules
[16:08]<rlraxne>unless you want to ban an ip or such
[16:09]<jjxggdq1|wjzc>hmmmm, still no go
[16:10]<rlraxne>you also need to allow outbound established packets
[16:10]<rlraxne>like
[16:11]<rlraxne>-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[16:11]<rlraxne>-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[16:11]<rlraxne>-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[16:38]<jjxggdq1|wjzc>here is the script I'm running to setup iptables, still can't ssh into the box after I start iptables: http://www.rafb.net/paste/results/4TFtdN24.nln.html
[16:38]<jjxggdq1|wjzc>I'm probably being stupid so any help would be appreciated, :P
[16:38]<mrrynfmr>Johnny23|work: did you clear rules before inserting that second set?