Koozali.org: home of the SME Server

iptables

Muzo

iptables
« Reply #15 on: January 28, 2004, 10:32:26 AM »
Ok.
And how about compiled iptables with mod_string?
Send me a PM to tell me what to do.

bhairav

Re
« Reply #16 on: January 28, 2004, 10:42:39 AM »
Hi, I am unable to send a PM to you; it says PM is disabled on this board. So can we talk on Yahoo Messenger? Give me your ID.

Muzo

iptables
« Reply #17 on: January 28, 2004, 10:52:17 AM »
:cry: I have no Yahoo Messenger. And if I had one, I couldn't use it at work.

Mail received.  ;-)

kingnugian

iptables
« Reply #18 on: February 05, 2004, 06:36:23 AM »
Is this masq-manager confirmed working 100% with 6.0??

If so, are there any differences in getting it working compared to 5.6??

Muzo

iptables
« Reply #19 on: February 05, 2004, 09:42:36 AM »
Nobody told me that masq-manager doesn't work with 6.0.

mbachmann

iptables
« Reply #20 on: February 05, 2004, 10:21:10 AM »
I have a 6.0 box here and would give the masq manager a try. Installed are:

e-smith-portforwarding-0.2.0-02
e-smith-packetfilter-1.14.0-02
iptables-1.2.5-3

But since the versions differ, I am afraid of messing things up.

Muzo

iptables
« Reply #21 on: February 05, 2004, 10:29:50 AM »
Quote from: "mbachmann"
I have a 6.0 box here and would give the masq manager a try. Installed are:

e-smith-portforwarding-0.2.0-02
e-smith-packetfilter-1.14.0-02
iptables-1.2.5-3

But since the versions differ, I am afraid of messing things up.


Mmmh, I must have a look at the new e-smith-packetfilter.
Where did you find it?

Anyway, masq-manager modifies e-smith-packetfilter templates; these are:
- 40AllowICMPIn
- 40AllowICMPOut
- and I added a new one for AntiSpoofing (I can't remember its name and number).

Can you take a look at these templates to validate 6.0 compatibility, please? Thanks a lot. :pint:

Anonymous

iptables
« Reply #22 on: February 05, 2004, 04:47:30 PM »
packetfilter/portforwarding:
 ftp://public.planetmirror.com/pub/e-smith/dev/6.0dev/updates/6.0beta3/RPMS/

My skills in checking the packetfilter templates are quite limited. I issued rpm -ivh --test for your masqmgr, which went o.k., then tried the install, o.k. The masqmgr appears under "Unknown - firewall" in the server manager. This happened to a few contribs and only got fixed with post-upgrade. No errors yet, everything looks good. Created some rules and will watch it for some days.

If you wouldn't mind telling me how to exactly verify 6.0 compatibility, I'll do it.

Congrats for your great contrib.

mbachmann

iptables
« Reply #23 on: February 05, 2004, 04:53:30 PM »
Above was me. Disconnection time is too low. Should be an hour or configurable.

Muzo

iptables
« Reply #24 on: February 05, 2004, 05:25:43 PM »
Thanks,

To see if anti-spoofing is enabled, try this command line:
iptables nat -L -n

Now, to validate compatibility, we must compare templates. But I can't remember the file paths.

I'll post tonight all the file paths.

Thanks again, mbachmann.

Muzo

iptables
« Reply #25 on: February 05, 2004, 11:04:33 PM »
So go to the dir:
/etc/e-smith/templates/etc/rc.d/init.d/masq

It's where all the masq templates are.
Two templates interest us:
First one: 40AllowIcmp; the icmpIn chain must be created.
This is the e-smith-packetfilter-1.13.0-04.noarch.rpm code:

Code:
    # create the icmpIn chain and hand all inbound ICMP to it
    /sbin/iptables --new-chain icmpIn
    /sbin/iptables --append INPUT --protocol icmp --jump icmpIn
{
    use esmith::NetworksDB;

    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking

    my @OKicmpTypes = (
        qw(
            echo-request
            echo-reply
            destination-unreachable
            source-quench
            time-exceeded
            parameter-problem
        )
    );

    # Stealth mode: echo-requests arriving on the outer interface are sent
    # to denylog first, so the general echo-request ACCEPT below never matches them
    my $stealth = $masq{Stealth} || 'no';
    if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }

    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}


Second one: 40AllowICMPOut; the icmpOut chain must be created. This is the e-smith-packetfilter-1.13.0-04.noarch.rpm code:
Code:
    # create the icmpOut chain and hand all outbound ICMP to it
    /sbin/iptables --new-chain icmpOut
    /sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
{
    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking

    foreach my $icmpType (
        qw(
            echo-request
            echo-reply
            destination-unreachable
            source-quench
            time-exceeded
            parameter-problem
        )
    )
    {
        $OUT .= <<HERE;
    /sbin/iptables --append icmpOut --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}



Most important is that the 2 chains (icmpIn and icmpOut) must be created; if they are not, tell me their new names (if they have new ones, of course).

And there must be no problem for anti-spoofing, because it's a new template.
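The check Muzo asks for above (do the icmpIn and icmpOut chains exist, and are they wired in the way the two templates produce?) can be done against a dump of the running ruleset instead of by reading the templates. The script below is an added example, not code from this thread, from masq-manager or from e-smith-packetfilter. It reads a ruleset in `iptables-save` format and reports whether the two chains are declared, whether INPUT and OUTPUT hand ICMP to them, which ICMP types each chain ACCEPTs, and whether the template's Stealth branch was rendered. Assumptions: the outer interface (the template's `$OUTERIF`) is `eth1`, `iptables-save` prints ICMP types numerically (8 = echo-request, 0 = echo-reply, 3 = destination-unreachable, 4 = source-quench, 11 = time-exceeded, 12 = parameter-problem), and `SAMPLE_DUMP` is a constructed dump for illustration, not real output from an SME 6.0 box. The function names and the `RULESET_FILE` variable are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread, masq-manager or e-smith-packetfilter.
# Checks an iptables ruleset (iptables-save format) for the structure the
# 40AllowICMPIn / 40AllowICMPOut templates are expected to produce.
# Assumption: the outer interface ($OUTERIF in the template) is eth1.

# Constructed sample dump for illustration; not real output from an SME box.
# iptables-save prints ICMP types as numbers: 8 echo-request, 0 echo-reply,
# 3 destination-unreachable, 4 source-quench, 11 time-exceeded, 12 parameter-problem.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:denylog - [0:0]
:icmpIn - [0:0]
:icmpOut - [0:0]
-A INPUT -p icmp -j icmpIn
-A OUTPUT -p icmp -j icmpOut
-A icmpIn -i eth1 -p icmp -m icmp --icmp-type 8 -j denylog
-A icmpIn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmpIn -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A icmpOut -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmpOut -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmpOut -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmpOut -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A icmpOut -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmpOut -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A denylog -j DROP
COMMIT'

# chain_exists DUMP CHAIN: succeeds if CHAIN is declared in DUMP
chain_exists() {
    printf '%s\n' "$1" | grep -q "^:$2 "
}

# chain_hooked DUMP PARENT CHAIN: succeeds if PARENT sends all ICMP to CHAIN
chain_hooked() {
    printf '%s\n' "$1" | grep -q "^-A $2 -p icmp -j $3\$"
}

# accepted_icmp_types DUMP CHAIN: prints the numeric ICMP types CHAIN accepts,
# sorted and space-separated, e.g. "0 3 4 8 11 12"
accepted_icmp_types() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain && $NF == "ACCEPT" {
            for (i = 1; i < NF; i++) if ($i == "--icmp-type") print $(i + 1)
        }' | sort -n | xargs
}

# stealth_enabled DUMP IFACE: succeeds if echo-request arriving on IFACE is
# diverted to denylog, i.e. the template's Stealth=yes branch was rendered
stealth_enabled() {
    printf '%s\n' "$1" | grep -q "^-A icmpIn -i $2 -p icmp -m icmp --icmp-type 8 -j denylog\$"
}

# check_ruleset DUMP: reports on both chains; returns non-zero if either chain
# is missing or is not reached from its parent chain
check_ruleset() {
    dump=$1
    status=0
    for chain in icmpIn icmpOut; do
        if chain_exists "$dump" "$chain"; then
            printf 'chain %s: present, accepts ICMP types: %s\n' "$chain" "$(accepted_icmp_types "$dump" "$chain")"
        else
            printf 'chain %s: MISSING (renamed in this packetfilter version?)\n' "$chain"
            status=1
        fi
    done
    chain_hooked "$dump" INPUT icmpIn   || { printf 'INPUT does not jump ICMP to icmpIn\n'; status=1; }
    chain_hooked "$dump" OUTPUT icmpOut || { printf 'OUTPUT does not jump ICMP to icmpOut\n'; status=1; }
    if stealth_enabled "$dump" eth1; then
        printf 'stealth: echo-request on eth1 goes to denylog\n'
    else
        printf 'stealth: off\n'
    fi
    return $status
}

# With RULESET_FILE set, check a saved dump; otherwise check the sample above.
# On a live box (as root): iptables-save > /tmp/rules; RULESET_FILE=/tmp/rules sh check_icmp_chains.sh
if [ -n "$RULESET_FILE" ]; then
    check_ruleset "$(cat "$RULESET_FILE")"
else
    check_ruleset "$SAMPLE_DUMP"
fi
```

Running it against a dump from a 6.0 box with the newer e-smith-packetfilter answers the question in the post directly: a "MISSING" line for icmpIn or icmpOut means the chain was renamed or dropped in that version and masq-manager's template edits will not apply cleanly; a present chain with a shorter type list means the accepted ICMP set changed. Note that the script reads the filter table only; the nat table Muzo mentions for the anti-spoofing check has to be listed separately.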

mbachmann

iptables
« Reply #26 on: February 06, 2004, 02:03:03 PM »
Muzo, I'm away for two days and will report back on 09.02.04.

I have created an anti-spoofing rule, but with iptables nat -L -n "my" iptables does not understand the nat option: Bad argument `nat'

I had already looked at 40AllowIcmp... on my server but was unable to compare "my" rules to those in your masq rpm.

Thx so far

Muzo

iptables
« Reply #27 on: February 06, 2004, 02:20:46 PM »
Quote from: "mbachmann"
I have created an anti-spoofing rule, but with iptables nat -L -n "my" iptables does not understand the nat option: Bad argument `nat'


Doh! I wrote something wrong! I'll check "man iptables" to correct this  ;-)

bhairav

Re:iptables
« Reply #28 on: February 07, 2004, 07:19:06 AM »
I think you should use
iptables -t nat -L -n

treco

iptables
« Reply #29 on: February 08, 2004, 04:10:04 PM »
:roll:
Hi all, maybe I'm in the wrong place in this forum, but by searching in it I've read this part, and sorry to interfere with it, but I'm trying to install some sort of IP upload/download traffic monitor on version 6.0 of SME Server as server and gateway, and I don't get how to put any of them to work. Any hints or help?!

Thanks, and sorry for the interference  :cry: