Message quoted by: netfilter-request@xxxxxxxxxxxxxxx:
> Send netfilter mailing list submissions to
> netfilter@xxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.samba.org/listinfo/netfilter
> or, via email, send a message with subject or body 'help' to
> netfilter-request@xxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
> netfilter-admin@xxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of netfilter digest..."
>
>
> Today's Topics:
>
> 1. port forwarding and proxy (Javier I. Gaggino)
> 2. Re: GRE & IPTABLES Log entry help (Ramin Alidousti)
> 3. Ulogd (Paulo Andre)
> 4. Re: Load Balance and others... (Ramin Alidousti)
> 5. Re: SNAT timeout (Ramin Alidousti)
> 6. Re: ip_ct_tcp_timeout_listen and none (Jozsef Kadlecsik)
> 7. Re: "-j REJECT --reject-with icmp-time-exceeded" (Kaddouch Guillaume)
> 8. POSTROUTING chain not built... (Bob Hillegas)
> 9. Re: Compile problems with iptables-1.2.6a (nickd@xxxxxxxxxxxxxx)
> 10. Re: POSTROUTING chain not built... (Ramin Alidousti)
> 11. Re: "-j REJECT --reject-with icmp-time-exceeded" (Ramin Alidousti)
>
> --__--__--
>
> Message: 1
> Date: Tue, 30 Apr 2002 10:57:23 -0300
> Subject: port forwarding and proxy
> To: <netfilter@xxxxxxxxxxxxxxx>
> From: "Javier I. Gaggino" <JGaggino@xxxxxxxxxxxxx>
>
> I'm starting to use Linux in a production environment; I have one server
> running iptables and squid.
> My problem is:
> We have clients accessing our PRIVATE network by RAS, and we have a route
> defined so our Linux box is used as proxy. Everything is OK, but as
> the Linux box is forwarding HTTP requests to our internal web server, the
> pages hosted are not visible, neither by us nor by our clients.
> The error at the browser is
>
> The system returned:
>
> (111) Connection refused
> What can I do?
>
> ------------------------------------------------------------
> static-routes
> ------------------------------------------------------------
> eth1 net 0.0.0.0 netmask 0.0.0.0 gw xxx.xxx.xxx.xxx
> eth0 net 10.0.0.0 netmask 255.0.0.0 gw 10.1.1.6
> ------------------------------------------------------------
>
> :PREROUTING ACCEPT [1636:122730]
> :POSTROUTING ACCEPT [84:4762]
> :OUTPUT ACCEPT [282:19816]
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 11702 -j DNAT --to-destination 10.1.1.1:80
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 5910 -j DNAT --to-destination 10.1.1.114:5900
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 5909 -j DNAT --to-destination 10.1.1.112:5900
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 1677 -j DNAT --to-destination 10.1.1.1:1677
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 120 -j DNAT --to-destination 10.1.1.1:110
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.1.1.18:25
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.18:80
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.18:21
> -A PREROUTING -d xxx.xxx.xxx.xxx -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.1.1.6:110
>
> -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx
>
> Javier Gaggino
> IT Dept.
> Netnix S.A.
> TE: 4292-7979
>
>
>
> --__--__--
>
> Message: 2
> Date: Tue, 30 Apr 2002 09:53:53 -0400
> From: Ramin Alidousti <ramin@xxxxxxxxxxxxxxxxxxxx>
> To: Mark Orenstein <mrofilter@xxxxxxxxxxxxxxxxxxxx>
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: GRE & IPTABLES Log entry help
>
> OK. Here it goes:
>
> Your sites 68.15.53.176/25 and 68.15.53.174/25 are on the same subnet.
> However, due to the cable architecture they cannot see each other
> directly. The upstream router (which is visible to the world as
> 68.9.8.22) has a private IP 10.4.56.1, doing proxy arp for all
> the hosts on that subnet.
>
> *) When receiving packets from 68.15.53.174 destined for 68.15.53.176
> the router detects that the incoming and outgoing interface is the
> same which triggers the ICMP redirect that you were seeing. In this
> case you can/must ignore them.
>
> *) The fact that your UDP-based traceroute doesn't work can be due to
> the firewalling rules that you might have on 68.15.53.176.
>
> One question though, where does the GRE tunnel you were talking
> about come into play here?
>
> Ramin
>
> On Mon, Apr 29, 2002 at 10:36:03PM -0400, Mark Orenstein wrote:
>
> > 68.15.53.174 and 68.15.53.176 are the connections to the Internet for
> > two schools. The subnet mask is 255.255.255.128. Both connections are
> > via cable modems, most likely on the same cable segment. 10.4.56.1 must
> > be the Cox Communications router on the head end. When I traceroute from
> > either side to the other, it shows up as 1st in the traceroute output.
> > An interesting thing is that both traceroutes do not complete
> > successfully to the other end. However, a traceroute -I completes in
> > two hops.
> >
> > [root@allsrv01 root]# traceroute 68.15.53.176
> > traceroute to 68.15.53.176 (68.15.53.176), 30 hops max, 38 byte packets
> > 1 10.4.56.1 (10.4.56.1) 8.714 ms 10.247 ms 9.723 ms
> > 2 * * *
> > 3 * * *
> > 4 * * *
> > 5 * * *
> > 6 * * *
> > 7 * * *
> > 8 * * *
> > 9 * * *
> > 10 * * *
> > 11 * * *
> > 12 * * *
> > 13 * * *
> > 14 * * *
> > 15 * * *
> > 16 * * *
> > 17 * * *
> > 18 * * *
> > 19 * *
> > [root@allsrv01 root]#
> >
> > [root@squidhs root]# traceroute -I 68.15.53.174
> > traceroute to 68.15.53.174 (68.15.53.174), 30 hops max, 38 byte packets
> > 1 10.4.56.1 (10.4.56.1) 8.854 ms 7.689 ms 8.126 ms
> > 2 wsip68-15-53-174.ri.ri.cox.net (68.15.53.174) 21.487 ms 23.157 ms 15.164 ms
> > [root@squidhs root]#
>
>
> --__--__--
>
> Message: 3
> From: Paulo Andre <PAndre@xxxxxxxxxxxxxxxxxxxxx>
> To: "Netfilter (E-mail)" <netfilter@xxxxxxxxxxxxxxx>
> Subject: Ulogd
> Date: Tue, 30 Apr 2002 15:56:39 +0200
>
> Can anyone suggest a utility to generate HTML reports on log files (ulog)
> for iptables?
> Thanks
>
> Paulo
>
>
>
>
>
> --__--__--
>
> Message: 4
> Date: Tue, 30 Apr 2002 09:58:24 -0400
> From: Ramin Alidousti <ramin@xxxxxxxxxxxxxxxxxxxx>
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: Load Balance and others...
>
> On Tue, Apr 30, 2002 at 12:52:43PM +0200, netfilter@xxxxxxxxxxxxxxxxxxx wrote:
>
> > Hi, how can I balance my bandwidth so that when I am the only one
> > downloading I get full bandwidth, and when 2 computers are downloading
> > bandwidth=bw/2??
> >
> > I share a 300kbps cable connection with 4 computers... I heard something
> > about doing this with tc, cbq...
>
> You heard right. Dig in iproute2.
>
> >
> > Other question:
> >
> > My Slackware 8 works fine, but now I have a big delay when I try to
> > access using SSH. If I type a wrong password I get "access denied"
> > instantly, but if I type the correct password I wait more than 30 seconds
> > for the login prompt...
>
> Sounds like a DNS problem while logging stuff. Try tcpdump to see what's
> holding things up...
>
> Ramin
>
> >
> > With sendmail and ipop3 I wait the same time... but I did not install
> > anything yesterday and everything worked without delay...
> >
> > The first time I started with iptables something like this broke my
> > head... I forgot to accept input related/established... so sendmail could
> > not resolve my server domain, but I did not change my iptables rules...
> >
> > Please, can you help me?
> >
>
>
> --__--__--
>
> Message: 5
> Date: Tue, 30 Apr 2002 10:02:58 -0400
> From: Ramin Alidousti <ramin@xxxxxxxxxxxxxxxxxxxx>
> To: Steffen Persvold <sp@xxxxxxxxx>
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: SNAT timeout
>
> On Tue, Apr 30, 2002 at 02:18:09PM +0200, Steffen Persvold wrote:
>
> > Hi all,
> >
> > How long is the iptables SNAT timeout on UDP connections? The FAQ states
> > that it is longer than with the previous ipchains, but not how long.
>
> It seems to be 30 sec.
>
> Ramin
>
> >
> > Thanks in advance,
> > --
> > Steffen Persvold | Scalable Linux Systems | Try out the world's best
> > mailto:sp@xxxxxxxxx | http://www.scali.com | performing MPI implementation:
> > Tel: (+47) 2262 8950 | Olaf Helsets vei 6 | - ScaMPI 1.13.8 -
> > Fax: (+47) 2262 8951 | N0621 Oslo, NORWAY | >320MBytes/s and <4uS latency
> >
>
>
> --__--__--
>
> Message: 6
> Date: Tue, 30 Apr 2002 16:27:44 +0200 (CEST)
> From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
> To: Oskar Andreasson <blueflux@xxxxxxxxxxx>
> Cc: <netfilter@xxxxxxxxxxxxxxx>
> Subject: Re: ip_ct_tcp_timeout_listen and none
>
> Hi,
>
> On Tue, 30 Apr 2002, Oskar Andreasson wrote:
>
> > I've been mucking around with the timeout values in conntrack
> > recently, and ran into the LISTEN timeout and NONE timeout and have
> > a bit of a problem understanding them.
> >
> > First of all, how do we know when to set a conntrack entry to LISTEN
> > since there is no data sent that will cause this afaik, except
> > possibly FTP data connections etc. Would this in other words be used
> > by the RELATED state, or is it used at any time by the ESTABLISHED
> > state, and if so how?
>
> Conntrack entries never enter the LISTEN state :-). In the default TCP
> connection tracking the state is there but no packet leads to it.
> In the TCP window tracking code it is explicitly stated that the LISTEN
> state is not used.
>
> > The NONE state I have an even harder time understanding. Which state
> > is it indicating, if referring to RFC 793, page 23 (correct page? I
> > may be wrong about the page since I don't have it here, but it should be
> > figure 6, which explains the TCP states). Anyway, what is this state
> > used for and when is a conntrack entry set to state NONE?
>
> The NONE state is the initial one when the conntrack entry is created.
> Depending on the flags of the packet (which triggered creating the
> conntrack entry) the state changes at once to SYN_SENT, SYN_RECEIVED,
> ESTABLISHED, TIME_WAIT or CLOSE (default conntrack).
>
> So the timeout values of the NONE and LISTEN states are irrelevant :-)
>
> Regards,
> Jozsef
> --
> E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
> WWW-Home: http://www.kfki.hu/~kadlec
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
>
>
>
>
> --__--__--
>
> Message: 7
> From: "Kaddouch Guillaume" <gkweb@xxxxxxxxxx>
> To: <netfilter@xxxxxxxxxxxxxxx>
> Subject: Re: "-j REJECT --reject-with icmp-time-exceeded"
> Date: Tue, 30 Apr 2002 16:32:48 +0200
>
> ----- Original Message -----
> From: "Ramin Alidousti" <ramin@xxxxxxxxxxxxxxxxxxxx>
> To: "Kaddouch Guillaume" <gkweb@xxxxxxxxxx>
> Cc: <netfilter@xxxxxxxxxxxxxxx>
> Sent: Monday, April 29, 2002 7:18 PM
> Subject: Re: "-j REJECT --reject-with icmp-time-exceeded"
>
>
> > You should be able to do something like this:
> >
> > -t mangle -A PREROUTING <some restrictions to the rule> -j TTL --ttl-set 0
>
> I had forgotten to say that it is for use with the "fake-source"
> patch-o-matic that is already installed, to have a rule like this:
>
> ... -j REJECT --reject-with icmp-time-exceeded --fake-source IPADDR
>
> The rule with "-t mangle ..." doesn't allow me to specify an IP address.
>
> But I don't have sufficient skill to do the patch myself.
> Is it scheduled?
>
> Or is there another method?
>
> Thanks for your answers.
>
> Guillaume.
>
> >
> > Ramin
> >
> > On Mon, Apr 29, 2002 at 06:27:24PM +0200, Kaddouch Guillaume wrote:
> >
> > > For certain reasons I have to reject a packet with a "time-exceeded"
> > > ICMP reply. However, this type of packet doesn't seem to be sendable by
> > > target REJECT.
> > > Does a patch exist to do it?
> > >
> > > Thanks.
> > >
> > > Guillaume.
> >
>
>
>
>
>
> --__--__--
>
> Message: 8
> Date: Tue, 30 Apr 2002 09:23:00 -0500 (CDT)
> From: Bob Hillegas <bobhillegas@xxxxxxx>
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: POSTROUTING chain not built...
>
> I am using RH 7.1, kernel 2.4.9-21 and iptables.1.2.4-0.71.2 from a
> RedHat rpm.
>
> When I run the following script and then produce a rules listing
> (/sbin/iptables --list -nv --line-numbers) I do NOT get any indication
> that the POSTROUTING chain has been built.
>
> What do I check next?
>
> Thanks, BobH
>
>
> #-----------<script>---------------------------------------------------------------
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
>
> # Enable IP forwarding between interfaces FIRST (sets defaults for others)
> # Needed for MASQUERADE'ing
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Remove any existing rules from all chains
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
>
> # Unlimited traffic on the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Unlimited traffic on the local LAN interface
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A OUTPUT -o eth0 -j ACCEPT
>
> # Set the default policy to drop
> iptables --policy INPUT DROP
> iptables --policy OUTPUT DROP
> iptables --policy FORWARD DROP
>
> iptables -t nat --policy PREROUTING ACCEPT
> iptables -t nat --policy POSTROUTING ACCEPT
>
> # Remove any pre-existing user-defined chains
> iptables --delete-chain
> iptables -t nat --delete-chain
> iptables -t mangle --delete-chain
>
> #...........................
> # More general rule
>
> iptables -t nat -A POSTROUTING -o ppp0 \
> -j MASQUERADE
>
> # Disallow NEW & INVALID incoming or forwarded packets from ppp0
>
> iptables -A INPUT -i ppp0 \
> -m state --state NEW,INVALID \
> -j DROP
>
> iptables -A FORWARD -i ppp0 \
> -m state --state NEW,INVALID \
> -j DROP
>
> #-----------</script>------------------------------
>
> Output of /sbin/iptables --list -nv --line-numbers:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 2 1 76 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 3 0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> num pkts bytes target prot opt in out source destination
> 1 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
> 2 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
>
>
> --
> -------------------------------------------------
> Bob Hillegas
> <bobhillegas@xxxxxxx>
> 281.546.9311
>
>
>
>
>
>
> --__--__--
>
> Message: 9
> Date: Tue, 30 Apr 2002 15:49:24 +0100
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: Compile problems with iptables-1.2.6a
> From: <nickd@xxxxxxxxxxxxxx>
>
> On Tue, Apr 30, 2002 at 01:44:58PM +0200, Bart Boelaert wrote:
>
> > >I've only done this twice, so I'm no expert, but would it be worth you
> > >running the "patch-o-matic" to see exactly what patch causes the error?
> > >Plus using the "T" option to test each patch before application *might*
> > >give you more information.
> >
> > Could you please give me the exact make command? I couldn't find the "T"
> > option in the Makefile.
>
> Read the "FEELING BRAVE?" section of the INSTALL file that comes with
> iptables 1.2.6a; you'll see the "T" option if you run "make patch-o-matic".
>
> And heed the warnings :)
>
> --
> FunkyJesus System Administration Team
>
>
>
> --__--__--
>
> Message: 10
> Date: Tue, 30 Apr 2002 10:53:11 -0400
> From: Ramin Alidousti <ramin@xxxxxxxxxxxxxxxxxxxx>
> To: Bob Hillegas <bobhillegas@xxxxxxx>
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: POSTROUTING chain not built...
>
> Try:
>
> /sbin/iptables -L -nv -t filter
> /sbin/iptables -L -nv -t nat
> /sbin/iptables -L -nv -t mangle
>
> to see everything.
>
> Ramin
>
> On Tue, Apr 30, 2002 at 09:23:00AM -0500, Bob Hillegas wrote:
>
> > I am using RH 7.1, kernel 2.4.9-21 and iptables.1.2.4-0.71.2 from a
> > RedHat rpm.
> >
> > When I run the following script and then produce a rules listing
> > (/sbin/iptables --list -nv --line-numbers) I do NOT get any indication
> > that the POSTROUTING chain has been built.
> >
> > What do I check next?
> >
> > Thanks, BobH
> >
> >
>
> > #-----------<script>---------------------------------------------------------------
> > modprobe ip_conntrack_ftp
> > modprobe ip_nat_ftp
> >
> > # Enable IP forwarding between interfaces FIRST (sets defaults for others)
> > # Needed for MASQUERADE'ing
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > # Remove any existing rules from all chains
> > iptables --flush
> > iptables -t nat --flush
> > iptables -t mangle --flush
> >
> > # Unlimited traffic on the loopback interface
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
> >
> > # Unlimited traffic on the local LAN interface
> > iptables -A INPUT -i eth0 -j ACCEPT
> > iptables -A OUTPUT -o eth0 -j ACCEPT
> >
> > # Set the default policy to drop
> > iptables --policy INPUT DROP
> > iptables --policy OUTPUT DROP
> > iptables --policy FORWARD DROP
> >
> > iptables -t nat --policy PREROUTING ACCEPT
> > iptables -t nat --policy POSTROUTING ACCEPT
> >
> > # Remove any pre-existing user-defined chains
> > iptables --delete-chain
> > iptables -t nat --delete-chain
> > iptables -t mangle --delete-chain
> >
> > #...........................
> > # More general rule
> >
> > iptables -t nat -A POSTROUTING -o ppp0 \
> > -j MASQUERADE
> >
> > # Disallow NEW & INVALID incoming or forwarded packets from ppp0
> >
> > iptables -A INPUT -i ppp0 \
> > -m state --state NEW,INVALID \
> > -j DROP
> >
> > iptables -A FORWARD -i ppp0 \
> > -m state --state NEW,INVALID \
> > -j DROP
> >
> > #-----------</script>------------------------------
> >
> > Output of /sbin/iptables --list -nv --line-numbers:
> >
> > Chain INPUT (policy DROP 0 packets, 0 bytes)
> > num pkts bytes target prot opt in out source destination
> > 1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> > 2 1 76 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> > 3 0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
> >
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > num pkts bytes target prot opt in out source destination
> > 1 0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
> >
> > Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> > num pkts bytes target prot opt in out source destination
> > 1 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
> > 2 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
> >
> >
> > --
> > -------------------------------------------------
> > Bob Hillegas
> > <bobhillegas@xxxxxxx>
> > 281.546.9311
> >
> >
> >
> >
>
>
> --__--__--
>
> Message: 11
> Date: Tue, 30 Apr 2002 11:00:15 -0400
> From: Ramin Alidousti <ramin@xxxxxxxxxxxxxxxxxxxx>
> To: Kaddouch Guillaume <gkweb@xxxxxxxxxx>
> Cc: netfilter@xxxxxxxxxxxxxxx
> Subject: Re: "-j REJECT --reject-with icmp-time-exceeded"
>
> Thanks for the repost.
>
> On Tue, Apr 30, 2002 at 04:32:48PM +0200, Kaddouch Guillaume wrote:
>
> > > You should be able to do something like this:
> > >
> > > -t mangle -A PREROUTING <some restrictions to the rule> -j TTL --ttl-set 0
> >
> > I had forgotten to say that it is for use with the "fake-source"
> > patch-o-matic that is already installed, to have a rule like this:
> >
> > ... -j REJECT --reject-with icmp-time-exceeded --fake-source IPADDR
> >
> > The rule with "-t mangle ..." doesn't allow me to specify an IP address.
>
> OK. Try to set the TTL in PREROUTING:
>
> -t mangle -A PREROUTING <some restrictions to the rule> -j TTL --ttl-set 0
>
> and then, when your box generates the time-exceeded in response to this
> rule, set the source in POSTROUTING:
>
> -t nat -A POSTROUTING -m ttl --ttl-eq 0 -j SNAT --to IPADDR
>
> Ramin
>
> >
> > But I haven't the sufficient skill to do myself the patch.
> > Is it scheduled?
> >
> > Or are they an other method?
> >
> > Thanks for your answers.
> >
> > Guillaume.
> >
> > >
> > > Ramin
>
>
>
> --__--__--
>
> _______________________________________________
> netfilter mailing list
> netfilter@xxxxxxxxxxxxxxx
> http://lists.samba.org/listinfo/netfilter
>
>
> End of netfilter Digest
>
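An added example (not part of the digest) for messages 8 and 10: each iptables command belongs to one table, and `iptables --list` without `-t` shows only the filter table, so Bob's nat POSTROUTING rule never appears in his listing. The script below is a constructed copy of the rules in message 8 (module loads and comments dropped); the classifier and the per-table listing simulation are hypothetical helper code, not part of iptables.

```python
"""Classify iptables commands by table and simulate 'iptables -L -t <table>'."""
import shlex

TABLES = ("filter", "nat", "mangle")   # the tables a 2.4 kernel exposes

# Constructed input: the rules from message 8, continuation lines included.
SCRIPT = """
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables -t nat --flush
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 \\
    -j MASQUERADE
iptables -A INPUT -i ppp0 \\
    -m state --state NEW,INVALID \\
    -j DROP
iptables -A FORWARD -i ppp0 \\
    -m state --state NEW,INVALID \\
    -j DROP
"""


def join_continuations(text):
    """Merge shell lines that end in a backslash into single commands."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
        else:
            commands.append(pending + line)
            pending = ""
    return [c for c in commands if c]


def classify(command):
    """Return (table, chain, kind, detail) for a command that appends a rule
    or sets a chain policy; None for anything else (echo, --flush, ...)."""
    argv = shlex.split(command, comments=True)
    if not argv or argv[0] != "iptables":
        return None
    table = argv[argv.index("-t") + 1] if "-t" in argv else "filter"  # no -t: filter
    for i, arg in enumerate(argv):
        if arg in ("-A", "--append"):
            return table, argv[i + 1], "rule", " ".join(argv[i + 2:])
        if arg in ("-P", "--policy"):
            return table, argv[i + 1], "policy", argv[i + 2]
    return None


def listing_per_table(script):
    """Simulate 'iptables -L -t <table>' for each table: chain -> policy, rules."""
    tables = {t: {} for t in TABLES}
    for command in join_continuations(script):
        hit = classify(command)
        if hit is None:
            continue
        table, chain, kind, detail = hit
        entry = tables[table].setdefault(chain, {"policy": "ACCEPT", "rules": []})
        if kind == "policy":
            entry["policy"] = detail
        else:
            entry["rules"].append(detail)
    return tables


def tables_showing(script, chain):
    """Which '-t' arguments make the given chain appear in a listing."""
    return [t for t, chains in listing_per_table(script).items() if chain in chains]


if __name__ == "__main__":
    for table, chains in listing_per_table(SCRIPT).items():
        print(f"iptables -L -nv -t {table}")
        for chain, entry in chains.items():
            print(f"  Chain {chain} (policy {entry['policy']}), {len(entry['rules'])} rule(s)")
```

Run as-is, the filter listing matches the chains and rule counts Bob posted, and POSTROUTING shows up only under `-t nat`.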