Log from #iptables at freenode 2006-09-01
[01:00]<aa>seen maxine?
[01:00]<drwygn>I haven't seen 'maxine', cj
[01:00]<aa>dork
[01:00]<aa>seen cj_?
[01:00]<drwygn>I haven't seen 'cj_', cj
[01:00]<aa>seen danieldg ?
[01:00]<drwygn>danieldg was last seen on #iptables 5 hours, 55 minutes and 25 seconds ago, saying: it's ACCEPT not ALLOW [1157039903]
[01:01]<mrrynfmr>seen cj?
[01:01]<drwygn>cj was last seen on #iptables 1 minutes and 5 seconds ago, saying: seen danieldg ? [1157061228]
[01:02]<synrnx>seen maxine?
[01:02]<drwygn>I haven't seen 'maxine', SiegeX
[01:02]<synrnx>that's too bad
[01:04]<aa>maxine: 1 minutes?
[01:04]<drwygn>cj: i haven't a clue
[01:04]<aa>dork.
[01:10]<aa>maxine: seen cj?
[01:10]<drwygn>cj was last seen on #iptables 1 second ago, saying: maxine: seen cj? [1157061805]
[01:50]<dnaj>hello
[01:50]<dnaj>i run firehol as firewall on a server.
[01:51]<dnaj>if i run 'iptables -F', all rules should be deleted, and everything is open, correct?
[01:51]<dnaj>may i render my system unavailable this way?
[01:51]<ryac66>If I have -P OUTPUT ACCEPT and INPUT and FORWARD set to DROP should I be able to see a port open if I do a port scan ?
[01:52]<ryac66>I keep seeing ports 25 and 110 open
[01:53]<ryac66>mejo: you also have to check your policies
[01:53]<synrnx>iptables -F only flushes the filter table
[01:53]<synrnx>there might be rules in the nat or mangle or raw tables
[01:53]<synrnx>most likely the former
[01:54]<synrnx>Rick77: not unless you specifically allow it
[01:55]<dnaj>if i have policy drop, then nothing will work after flushing the tables?
[01:55]<ryac66>SiegeX: i'm not allowing anything but I still see them open every time I do a scan. only if I set OUTPUT to DROP I won't see them but of course that blocks the rest of the traffic
[01:56]<synrnx>how long is your rule list
[01:56]<ryac66>hum like three lines
[01:56]<synrnx>mejo: if you have policy drop for all 3 and have no rules, then yes the default policy will be hit and drop
[01:57]<dnaj>bad, i have policy drop (that's what firehol seems to do).
[01:57]<synrnx>again, this is just for the filter table since you didn't specify another table with the -t option
[01:59]<dnaj>iptables -L -t nat,mangle,raw gives all empty tables with policy accept.
[02:00]<dnaj>so only the filter table has policy drop, and a lot of rules to accept default networking.
[02:00]<dnaj>the problem is, that i'm not able to connect a remote host over ssh on port 4033.
[02:00]<dnaj>from any other system, i'm able to connect this host.
[02:02]<dnaj>very strange, because until yesterday, i was able to connect the server on port 4033 from the same system.
[02:03]<synrnx>localhost 4033?
[02:06]<dnaj>works
[02:07]<ryac66>SiegeX: I have only one line and all the policies are set to accept except INPUT and FORWARD. this is the line I have:
[02:07]<ryac66>-A INPUT -i eth0 -p icmp --icmp-type any -j ACCEPT
[02:08]<synrnx>nothing in your NAT table REDIRECTING or DNAT'ing 22
[02:09]<dnaj>SiegeX: you mean me?
[02:09]<synrnx>no
[02:11]<ryac66>SiegeX: the nat table shows empty
[02:12]<synrnx>paste the output of 'iptables-save' to http://rafb.net/paste/
[02:16]<dnaj>as user root, 'nmap -p4033 <host>' gives open, as user backuppc, it gives filtered.
[02:16]<dnaj>but for both, ssh doesn't work.
[02:16]<synrnx>where is this nmap scan being done from
[02:17]<dnaj>from the host from which i try to ssh to the other host.
[02:17]<dnaj>i have two hosts, both running firehol, and both running ssh on port 4033.
[02:17]<dnaj>i cannot ssh from one to another.
[02:18]<dnaj>but i can ssh from a third system to both.
[02:18]<dnaj>ping works between the two hosts, http traffic too.
[02:18]<drwygn>I can't find works in the DNS.
[02:19]<ryac66>SiegeX: http://rafb/paste/results/E8moJg17.html
[02:21]<ryac66>SiegeX: http://rafb.net/paste/results/E8moJg17.html
[02:23]<synrnx>Rick: is this firewall the same ip you are irc'ing from?
[02:23]<synrnx>ie 204.17.125.42
[02:23]<ryac66>no
[02:24]<synrnx>try scanning yourself from grc.com shields up
[02:24]<dnaj>why may nmap give different results for different system users?
[02:24]<ryac66>hum ok, let me try that
[02:25]<synrnx>mejo: do the same thing rick77 did with iptables-save and nopaste
[02:26]<ryac66>well the only problem is that I have a test network within a firewall
[02:26]<ryac66>I don't have direct outside access with this box
[02:28]<synrnx>well unless you're not scanning the right ip, then iptables seems to be fubar because hitting anyport on that box should hit the default policy and be dropped
[02:28]<synrnx>minus icmp
[02:29]<dnaj>http://rafb.net/paste/results/480EeH99.html <- it's very long :-(
[02:31]<ryac66>SiegeX: I had firestarter installed earlier, could that be a problem ?
[02:39]<synrnx>maybe, i just use the bare essentials, bash + raw rules
[02:41]<synrnx>holy shit, what's with all the user defined chains?
[02:41]<dnaj>i guess this is firehol
[02:41]<synrnx>no wonder it doesn't work, that thing is a mess
[02:42]<dnaj>so how can i stop it without making my host unavailable?
[02:42]<synrnx>are you on the box, or ssh'd in
[02:42]<dnaj>ssh to another host on port 2200 doesn't work as well.
[02:42]<dnaj>ssh
[02:42]<dnaj>no physical access.
[02:43]<synrnx>is physical access hard/impossible to achieve
[02:43]<dnaj>i would have to call the colo to reboot the machine.
[02:44]<dnaj>is it impossible to simply set policy for filter tables to accept?
[02:45]<synrnx>well you could make a little script on the box which will flush everything, then set all default policies to ACCEPT
[02:45]<synrnx>then your box would be wide open until you add rules that aren't so convoluted
[02:45]<dnaj>what would happen if i set default policies to accept without flushing everything first.
[02:45]<synrnx>all the DROPs will still take precedence
[02:46]<synrnx>default policy is only hit after all the chains have been traversed
[02:46]<synrnx>...without matching any rules
[02:46]<dnaj>so the best will be to write such a script, enter it as cronjob in a few minutes, and wait until it is run.
[02:47]<dnaj>unfortunately i've no skills to write such a script.
[02:47]<synrnx>or just run it manually
[02:47]<synrnx>it might drop your connection when it flushes everything, but you should be able to connect back
[02:48]<dnaj>iptables -F -t filter; iptables -F -t nat; iptables -F -t raw; iptables -F -t mangle; and then?