public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] iptables question...
@ 2011-12-16 15:17 Tanstaafl
From: Tanstaafl @ 2011-12-16 15:17 UTC
  To: gentoo-user

Hi all,

I was reading up on some iptables rules in the gentoo security handbook:

http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable

It mentions DROPing packets with an INVALID state.

It sounded/sounds like a good idea, so I added the following rule:

-A INPUT -i eth0 -m state --state INVALID -j LOG

As suggested, I added this rule just ABOVE this one:

-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I also changed the DROP action to LOG so I could see what it did if 
anything.

Right after adding this rule, I started seeing lines like this in the log:

Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= 
MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 
DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP 
SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0

What I don't understand is why it isn't using my LOG prefix that is used 
for everything else:

-A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7

Anyone?
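Two checks that bear on the question above, as an added example (not code from the mail or the handbook): a lint showing that `--log-prefix` only applies to the LOG rule it is written on, so the INVALID rule needs its own prefix, and a small parser for the kernel LOG line that identifies the logged packet as a TCP RST. The "(>fw-invalid): " prefix and the INVALID DROP rule are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original mail. --log-prefix belongs to
# the LOG rule it is written on, so the INVALID rule needs its own; the
# logged packet can be classified from the flag tokens the kernel prints.

# The three rules quoted in the mail, as posted.
original_rules() {
  cat <<'EOF'
-A INPUT -i eth0 -m state --state INVALID -j LOG
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7
EOF
}

# Same ordering with a prefixed LOG/DROP pair for INVALID (constructed).
fixed_rules() {
  cat <<'EOF'
-A INPUT -i eth0 -m state --state INVALID -j LOG --log-prefix "(>fw-invalid): " --log-level 7
-A INPUT -i eth0 -m state --state INVALID -j DROP
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7
EOF
}

# Count LOG rules on stdin that carry no --log-prefix of their own.
unprefixed_log_rules() {
  grep -- '-j LOG' | grep -vc -- '--log-prefix' || true
}

# Print the value of one KEY=VALUE field from a kernel LOG line.
log_field() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# TCP flag names appear as bare tokens (SYN, ACK, RST, ...). An RST that
# matches no tracked connection is what conntrack classifies as INVALID,
# which is why this rule fires for stray resets aimed at port 25.
has_tcp_rst() {
  [ "$(log_field PROTO "$1")" = TCP ] || return 1
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qx RST
}

# The log line from the mail, joined onto one line (constructed copy).
SAMPLE_LINE='Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0'

echo "unprefixed LOG rules, as posted: $(original_rules | unprefixed_log_rules)"
echo "unprefixed LOG rules, fixed:     $(fixed_rules | unprefixed_log_rules)"
has_tcp_rst "$SAMPLE_LINE" && echo "logged packet is a TCP RST to port $(log_field DPT "$SAMPLE_LINE")"
```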



* [gentoo-user] IPtables question
@ 2007-01-31 20:36 James Colby
From: James Colby @ 2007-01-31 20:36 UTC
  To: gentoo-user

List members -

I have a small home server that I have connected to the internet
through a linksys router and cable modem.  The linksys router is
currently forwarding all ssh traffic to my gentoo box.  What I would
like to do is set up iptables to only allow ssh logins from a small
number of internet hosts, and to reject and log all other ssh
attempts.  Can someone please help me out with this.  All of the
tutorials and documentation that I have found are setting up a fully
functioning firewall / NAT / proxy, and I think that is a little
overkill for my needs.

Thanks for any help that you may be able to provide,
James
-- 
gentoo-user@gentoo.org mailing list



* [gentoo-user] iptables question
@ 2006-03-28 13:38 Hiren Dave
From: Hiren Dave @ 2006-03-28 13:38 UTC
  To: gentoo-user, VGLUG


Hi,

I want to configure the firewall such that network 192.168.1.0/24 can
only access the http server from server1 (192.168.0.2/24) and
network 192.168.0.0/24 cannot access the http server. So I tried this:

#service iptables stop
#iptables -P INPUT DROP
#iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT

But this command gives the error "Unknown arg: --dport".
HOW CAN I ACHIEVE THIS?

ALSO, ARE THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING
IPTABLES?

TnR
Hiren
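The two questions above (ssh from a few hosts with everything else logged and rejected; http from one network only) have the same shape, so one added example serves both. It is not code from either mail: it generates a rule set restricting a TCP service to listed sources, and lints rules for the exact error in the last mail, since `--dport` belongs to the tcp/udp match and is unknown unless `-p tcp` (or `-m tcp`) precedes it. The ESTABLISHED,RELATED rule, the rate limit and the "denied-PORT: " prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from either mail. Generates rules that admit one
# TCP service only from listed source networks and log-then-reject the rest,
# plus a lint for the "Unknown arg: --dport" error: --dport is an option of
# the tcp/udp match, so it is unknown unless -p tcp (or -m tcp) comes first.

# Emit iptables commands restricting TCP port $1 to the CIDRs in $2..$n.
# Assumed policy: keep replies to our own connections, ACCEPT per source,
# rate-limited LOG, then REJECT with a reset so clients fail fast.
restrict_tcp_service() {
  port=$1; shift
  echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for src in "$@"; do
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$port"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -m limit --limit 5/min -j LOG --log-prefix "denied-%s: "\n' "$port" "$port"
  printf 'iptables -A INPUT -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$port"
}

# Count rules on stdin that use --dport with no -p/-m tcp|udp before it;
# iptables rejects each such rule with "Unknown arg: --dport".
dport_without_proto() {
  grep -- '--dport' | grep -vcE -- '-(p|m) (tcp|udp) .*--dport' || true
}

# The last mail's command, as posted (constructed copy); it fails the lint.
POSTED='iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT'

echo "bad rules in posted command: $(printf '%s\n' "$POSTED" | dport_without_proto)"
echo "bad rules in generated set:  $(restrict_tcp_service 80 192.168.1.0/24 | dport_without_proto)"
# ssh allowed from two example sources (documentation addresses):
restrict_tcp_service 22 203.0.113.5 198.51.100.0/24
```

With a default policy of DROP, as in the last mail, the generated ACCEPT rules already exclude 192.168.0.0/24; the LOG/REJECT pair only adds visibility and a fast failure for the rejected clients.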


* [gentoo-user] iptables question
@ 2006-01-20 19:49 Dmitry S. Makovey
From: Dmitry S. Makovey @ 2006-01-20 19:49 UTC
  To: gentoo-user



somewhat offtopic, but since I need any help I can get:

how do I redirect traffic from the outward-facing interface 
(192.168.1.114:80) to the loopback device (127.0.0.1:80)?

my most obvious trick:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
	-j DNAT --to 127.0.0.1:80
and 
echo 1 > /proc/sys/net/ipv4/ip_forward
didn't help. The machine opening the connection hangs there 
indefinitely...

what did I miss?

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
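An added example, not code from the mail, showing the piece the question above is missing: a DNAT to 127.0.0.1 from a non-loopback interface is discarded by the routing code as a martian destination unless the per-interface `route_localnet` sysctl is on (that sysctl exists in Linux 3.6 and later, so it postdates this mail), which produces exactly the hang described. The check reads the sysctl below a caller-supplied root so it can run against a constructed tree; `eth0` and the use of `-i eth0` in the rule are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original mail. A PREROUTING DNAT to
# 127.0.0.1 is only half the setup: a packet for a loopback destination
# that arrived on a non-loopback interface is dropped as a "martian
# destination" unless net.ipv4.conf.<iface>.route_localnet is 1 (Linux 3.6
# and later), and the client then hangs as described. ip_forward is not
# involved, because the DNATed packet is delivered locally, not forwarded.

# Read the sysctl below a given /proc/sys root (parameterised so the check
# can run against a constructed tree). Prints 1 or 0; succeeds only on 1.
localnet_enabled() {
  f="$1/net/ipv4/conf/$2/route_localnet"
  if [ -r "$f" ] && [ "$(cat "$f")" = 1 ]; then echo 1; return 0; fi
  echo 0; return 1
}

# Emit the commands for redirecting $2:$3 arriving on $1 to 127.0.0.1:$3.
loopback_dnat_commands() {
  iface=$1; addr=$2; port=$3
  printf 'sysctl -w net.ipv4.conf.%s.route_localnet=1\n' "$iface"
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination 127.0.0.1:%s\n' \
    "$iface" "$addr" "$port" "$port"
}

# Stand-alone run against a constructed /proc/sys tree (sysctl left at 0).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/net/ipv4/conf/eth0"
  echo 0 > "$tmp/net/ipv4/conf/eth0/route_localnet"
  if localnet_enabled "$tmp" eth0 >/dev/null; then
    echo "route_localnet already on; only the DNAT rule is needed"
  else
    echo "route_localnet is off; run:"
    loopback_dnat_commands eth0 192.168.1.114 80
  fi
  rm -rf "$tmp"
}
demo
```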


