* [gentoo-user] iptables question
From: Hiren Dave @ 2006-03-28 13:38 UTC
To: gentoo-user, VGLUG
Hi,
I want to configure the firewall such that network 192.168.1.0/24 can
only access the http server from server1 (192.168.0.2/24) and
network 192.168.0.0/24 cannot access the http server. So I tried this:
#service iptables stop
#iptables -P INPUT DROP
#iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
But this command gives the error "Unknown arg: --dport".
How can I achieve this?
Also, are there any books or online documents for practically learning
iptables?
TnR
Hiren
* Re: [gentoo-user] iptables question
From: Boyd Stephen Smith Jr. @ 2006-03-28 14:06 UTC
To: gentoo-user
On Tuesday 28 March 2006 07:38, "Hiren Dave" <hiren2k4@gmail.com> wrote
about '[gentoo-user] iptables question':
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command gives the error "Unknown arg: --dport".
> How can I achieve this?
Raw IP doesn't have port numbers; you'll have to match on the TCP or UDP
protocol to be able to match ports.
> Also, are there any books or online documents for practically learning
> iptables?
TLDP is a good resource.
--
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
* Re: [gentoo-user] iptables question
From: Uwe Thiem @ 2006-03-28 14:35 UTC
To: gentoo-user
On 28 March 2006 15:38, Hiren Dave wrote:
> Hi,
>
> I want to configure the firewall such that network 192.168.1.0/24 can
> only access the http server from server1 (192.168.0.2/24) and
> network 192.168.0.0/24 cannot access the http server. So I tried this:
>
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command gives the error "Unknown arg: --dport".
> How can I achieve this?
Iptables is right; that line is nonsense.
>
> Also, are there any books or online documents for practically learning
> iptables?
I don't have the URL handy right now, but google for "Iptables Tutorial
1.2.0".
Uwe
--
Why do consumers keep buying products they will live to curse?
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] iptables question
From: JimD @ 2006-03-29 2:24 UTC
To: gentoo-user
On Tue, 28 Mar 2006 19:08:38 +0530
"Hiren Dave" <hiren2k4@gmail.com> wrote:
> Hi,
>
> I want to configure the firewall such that network 192.168.1.0/24 can
> only access the http server from server1 (192.168.0.2/24) and
> network 192.168.0.0/24 cannot access the http server. So I tried this:
>
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command gives the error "Unknown arg: --dport".
> How can I achieve this?
Because you need to put in a protocol like -p tcp.
> Also, are there any books or online documents for practically learning
> iptables?
http://www.google.com/search?q=iptables+howto
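Boyd's and JimD's replies make the same point: --dport is an option of the tcp and udp matches, so "-p tcp" (or "-p udp") has to appear before it. The script below is an added example, not code from the thread, that turns Hiren's three commands into a complete ruleset for his scenario. It assumes the rules run on server1 itself, whose HTTP daemon listens on 192.168.0.2, and it introduces a hypothetical ADMIN_NET variable for a management network that may reach SSH; none of that is in the original post. Besides the missing protocol, the original sequence sets the INPUT policy to DROP before any ACCEPT rule exists, which cuts off an SSH session the commands are being typed in, and has no rule for loopback or for packets of already accepted connections. The script defaults to a dry run that only prints the iptables commands; pass "apply" to run them.

```shell
#!/bin/sh
# Added example: a stateful INPUT ruleset for the scenario in the thread.
# Assumptions (not from the thread): the rules run on server1 itself, whose
# HTTP daemon listens on 192.168.0.2; ADMIN_NET is a hypothetical management
# network that may reach SSH. IPT=echo prints the commands instead of
# running them, which is also the default mode unless "apply" is passed.
IPT="${IPT:-iptables}"
HTTP_NET="192.168.1.0/24"       # the only network allowed to reach port 80
SERVER_IP="192.168.0.2"         # server1's address
ADMIN_NET="${ADMIN_NET:-}"      # e.g. 192.168.1.10/32; empty = no SSH rule

build_rules() {
    # Never flip the policy to DROP first: with an empty chain that cuts off
    # the SSH session the commands are typed in. Open the chain, add rules,
    # and set the DROP policy as the last step.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    # Local services talk to themselves over lo; keep it unconditionally open.
    $IPT -A INPUT -i lo -j ACCEPT
    # Packets belonging to an already accepted or locally initiated connection
    # are matched by conntrack state, so only the first SYN needs a port rule.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # --dport is a TCP/UDP option, so "-p tcp" must precede it. Only HTTP_NET
    # may open new connections to port 80; 192.168.0.0/24 needs no explicit
    # rule because the policy set below drops everything not accepted here.
    $IPT -A INPUT -p tcp -s "$HTTP_NET" -d "$SERVER_IP" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    if [ -n "$ADMIN_NET" ]; then
        $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 \
            -m conntrack --ctstate NEW -j ACCEPT
    fi
    # Rate-limited log of what is about to be dropped, useful when testing
    # from the 192.168.0.0/24 side.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -P INPUT DROP
}

case "${1:-dry-run}" in
    apply) build_rules ;;
    *)     IPT=echo; build_rules ;;
esac
```

Run it once as a dry run and read the printed commands before running it with "apply" from a console, or with ADMIN_NET set to the address you are connecting from; "iptables -L INPUT -n -v --line-numbers" afterwards shows the rules in the order the kernel evaluates them.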
* [gentoo-user] Re: iptables question
From: James @ 2006-03-29 14:43 UTC
To: gentoo-user
Hiren Dave <hiren2k4 <at> gmail.com> writes:
> Also, are there any books or online documents for practically
> learning iptables?
The only current book I could find that is centred around the 2.6 Linux kernel
and contains relevant, current examples is:
"Linux Firewalls", Third Edition
authors: Steve Suehring and Robert Ziegler
hth,
James
* [gentoo-user] iptables question
From: Dmitry S. Makovey @ 2006-01-20 19:49 UTC
To: gentoo-user
Somewhat off-topic, but since I need any help I can get:
how do I redirect traffic from the outward-facing interface
(192.168.1.114:80) to the loopback device (127.0.0.1:80)?
my most obvious trick:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
-j DNAT --to 127.0.0.1:80
and
echo 1 > /proc/sys/net/ipv4/ip_forward
didn't help. The machine which is opening the connection hangs there
indefinitely...
What did I miss?
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
* [gentoo-user] Re: iptables question
From: James @ 2006-01-20 20:41 UTC
To: gentoo-user
Dmitry S. Makovey <dmitry <at> athabascau.ca> writes:
> Somewhat off-topic, but since I need any help I can get:
> how do I redirect traffic from the outward-facing interface
> (192.168.1.114:80) to the loopback device (127.0.0.1:80)?
> my most obvious trick:
> iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
> -j DNAT --to 127.0.0.1:80
> and
> echo 1 > /proc/sys/net/ipv4/ip_forward
> didn't help. The machine which is opening the connection hangs there
> indefinitely...
> What did I miss?
Well, let me start off by saying that I'm still learning the
details of iptables...
An excellent book has been recommended and I can confirm it is wonderful:
"Linux Firewalls", Third Edition, 2005, by Steve Suehring and Robert L. Ziegler,
Novell Press.
There are many examples covering forwarding, port redirection, DMZs and
proxies. It's hard to tell exactly what you are doing, or what you want to do.
From the book: Enabling the loopback interface, page 111
"
Local services rely on the loopback network interface. After the system boots,
the system's default policy is to accept all packets. Flushing any pre-existing
chains has no effect. However, if the firewall is being reinitialized and had
previously used a deny-by-default policy, the drop policy would still be in
effect. Without any acceptance firewall rules, the loopback interface would
still be inaccessible. Because the loopback interface is a local, internal
interface, the firewall can allow loopback traffic immediately:
# for unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
"
Granted, this is related to an example in the book, but hopefully it helps.
If you get frustrated, send me private email; maybe I can help. I will try.
Some folks on the list do not believe that direct control of iptables is
wise. I dissent. Knowledge of iptables is of extreme value, but difficult
to master. I'd like to see many examples of iptables for 2.6 kernels published.
Updated material on iptables + 2.6 kernels is scarcely available on the net.
hth,
James
* Re: [gentoo-user] Re: iptables question
From: Dmitry S. Makovey @ 2006-01-20 20:58 UTC
To: gentoo-user; +Cc: James
On Friday 20 January 2006 13:41, James wrote:
> #for unlimited traffic on the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
Since I've done my "flushing", all my rules are nice and permissive ;)
dimon2 ~ # iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
dimon2 ~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So I doubt I need specific rules for "lo" or any other device except
for NAT rules to redirect my traffic.
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
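Dmitry's question gets no direct answer in the thread, so here is one, as an added example that is not part of the original posts. A packet DNATed to 127.0.0.1 still comes in on the external interface with a loopback destination, and the kernel's routing code treats that as a martian destination and drops it, which is why the client hangs instead of being refused. Since Linux 3.6 the per-interface sysctl net.ipv4.conf.<if>.route_localnet=1 permits it; on older kernels the choices are to bind the service to the external address (or 0.0.0.0) or to put a userspace proxy in front of it. The ip_forward setting plays no part, because after DNAT to a local address the packet goes through INPUT, not FORWARD. The script below assumes the interface is eth0 (not stated in the thread) and defaults to a dry run that only prints the iptables commands.

```shell
#!/bin/sh
# Added example: DNAT an external address to a service bound to 127.0.0.1,
# plus the kernel check the thread is missing. Assumptions (not from the
# thread): the external interface is eth0 and the kernel is 3.6 or newer.
# Default is a dry run (prints the commands); pass "apply" to run them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="192.168.1.114"
LOCAL_SVC="127.0.0.1:80"

# A packet DNATed to 127.0.0.1 is still a packet that arrived on EXT_IF with
# a loopback destination. The kernel classifies that as a martian and drops
# it, so the client's SYN is never answered and the connection hangs. The
# per-interface sysctl route_localnet (Linux 3.6+) lifts that restriction.
# Prints the current value, or "missing" on kernels without the knob.
localnet_setting() {
    f="/proc/sys/net/ipv4/conf/$EXT_IF/route_localnet"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

enable_localnet() {
    echo 1 > "/proc/sys/net/ipv4/conf/$EXT_IF/route_localnet"
}

build_nat_rules() {
    # Rewrite the destination before routing. ip_forward is irrelevant here:
    # after DNAT the destination is local, so the packet takes the INPUT path,
    # not FORWARD.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 80 \
        -j DNAT --to-destination "$LOCAL_SVC"
    # The filter table sees the rewritten destination. Redundant while the
    # INPUT policy is ACCEPT, required once it is DROP.
    $IPT -A INPUT -i "$EXT_IF" -p tcp -d 127.0.0.1 --dport 80 -j ACCEPT
}

case "${1:-dry-run}" in
    apply)
        case "$(localnet_setting)" in
            1) ;;
            0) enable_localnet ;;
            *) echo "route_localnet not available on $EXT_IF; bind the service to $EXT_IP instead" >&2
               exit 1 ;;
        esac
        build_nat_rules ;;
    *) IPT=echo; build_nat_rules ;;
esac
```

With log_martians enabled on the interface ("echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians") the dropped SYNs show up in the kernel log as "martian destination", which is the quickest way to confirm this is what is happening before touching the NAT rules.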