ChrisAce, posted 16 May 2004

Good evening.. I have a problem with iptables / shorewall. First of all, my server is redhat9. The adsl is connected there. From the linuxbox, 4 other PCs with winxp get internet, connected to each other through a switch. I set up a firewall on linux with iptables / shorewall (2 interfaces). The rules I had put in resulted in all ports being stealth. So far so good. I was happy with the packets being shut out and never had the slightest problem. But now I need to open port 113 (ident). :? However much I tried, all I managed was to make it show as closed instead of stealth. I gave the following commands but still nothing.

> iptables -I INPUT 1 -p tcp --dport 113 -j ACCEPT
> iptables -I INPUT 1 -p udp --dport 113 -j ACCEPT

So I deleted all the new rules I had added to open 113 and left them as they were before, i.e. with all ports stealth. To give you a taste of my current config:

/etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        -           dhcp,routefilter,norfc1918
> loc     eth0        detect
> loc     eth1        detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw        net    ACCEPT
> net       all    DROP     info
> # THE FOLLOWING POLICY MUST BE LAST
> all       all    REJECT   info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/masq
> #INTERFACE   SUBNET   ADDRESS
> ppp0         eth1
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules
> #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER
> #                                 PORT      PORT(S)   DEST       LIMIT   SET
> #
> # Accept DNS connections from the firewall to the network
> #
> ACCEPT    fw       net    tcp     53
> ACCEPT    fw       net    udp     53
> #ACCEPT   fw       net    tcp     21
> #ACCEPT   fw       net    udp     21
> #ACCEPT   fw       net    tcp     20
> #ACCEPT   fw       net    udp     20
> #
> # Accept SSH connections from the local network for administration
> #
> ACCEPT    loc      fw     tcp     22
> ACCEPT    loc      fw     tcp     21
> ACCEPT    loc      fw     udp     21
> ACCEPT    loc      fw     tcp     20
> ACCEPT    loc      fw     udp     20
> ACCEPT    loc      fw     tcp     80
> ACCEPT    loc      fw     udp     80
> ACCEPT    loc      fw     tcp     81
> ACCEPT    loc      fw     udp     81
> ACCEPT    loc      fw     tcp     139
> #
> # Allow Ping To And From Firewall
> #
> ACCEPT    loc      fw     udp     139
> ACCEPT    loc      fw     icmp    8
> DROP      net      fw     icmp    8
> ACCEPT    fw       loc    icmp    8
> ACCEPT    fw       net    icmp    8
> #
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/shorewall.conf
> ################################################################################
> #                       F I R E W A L L   O P T I O N S
> ################################################################################
> # NAME OF THE FIREWALL ZONE
> #
> # Name of the firewall zone -- if not set or if set to an empty string, "fw"
> # is assumed.
> #
> FW=fw
> #
> # ENABLE IP FORWARDING
> #
> # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
> # say "Off" or "off", packet forwarding will be disabled. You would only want
> # to disable packet forwarding if you are installing Shorewall on a
> # standalone system or if you want all traffic through the Shorewall system
> # to be handled by proxies.
> #
> # If you set this variable to "Keep" or "keep", Shorewall will neither
> # enable nor disable packet forwarding.
> #
> IP_FORWARDING=On
> #
> # AUTOMATICALLY ADD NAT IP ADDRESSES
> #
> # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
> # for each NAT external address that you give in /etc/shorewall/nat. If you say
> # "No" or "no", you must add these aliases youself.
> #
> ADD_IP_ALIASES=Yes
> #
> # AUTOMATICALLY ADD SNAT IP ADDRESSES
> #
> # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
> # for each SNAT external address that you give in /etc/shorewall/masq. If you say
> # "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
> # you are sure that you need it -- most people don't!!!
> #
> ADD_SNAT_ALIASES=No
> #
> # ENABLE TRAFFIC SHAPING
> #
> # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
> # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
> # shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
> # you must enable packet mangling above.
> #
> TC_ENABLED=No
> #
> # Clear Traffic Shapping/Control
> #
> # If this option is set to 'No' then Shorewall won't clear the current
> # traffic control rules during [re]start. This setting is intended
> # for use by people that prefer to configure traffic shaping when
> # the network interfaces come up rather than when the firewall
> # is started. If that is what you want to do, set TC_ENABLED=Yes and
> # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
> # way, your traffic shaping rules can still use the 'fwmark'
> # classifier based on packet marking defined in /etc/shorewall/tcrules.
> #
> # If omitted, CLEAR_TC=Yes is assumed.
> CLEAR_TC=Yes
> #
> # Mark Packets in the forward chain
> #
> # When processing the tcrules file, Shorewall normally marks packets in the
> # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
> # this to "Yes". If not specified or if set to the empty value (e.g.,
> # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
> #
> # Marking packets in the FORWARD chain has the advantage that inbound
> # packets destined for Masqueraded/SNATed local hosts have had their destination
> # address rewritten so they can be marked based on their destination. When
> # packets are marked in the PREROUTING chain, packets destined for
> # Masqueraded/SNATed local hosts still have a destination address corresponding
> # to the firewall's external interface.
> #
> # Note: Older kernels do not support marking packets in the FORWARD chain and
> # setting this variable to Yes may cause startup problems.
> MARK_IN_FORWARD_CHAIN=No
> #
> # MSS CLAMPING
> #
> # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
> # option. This option is most commonly required when your internet
> # interface is some variant of PPP (PPTP or PPPoE). Your kernel must
> # have CONFIG_IP_NF_TARGET_TCPMSS set.
> #
> # [From the kernel help:
> #
> # This option adds a `TCPMSS' target, which allows you to alter the
> # MSS value of TCP SYN packets, to control the maximum size for that
> # connection (usually limiting it to your outgoing interface's MTU
> # minus 40).
> #
> # This is used to overcome criminally braindead ISPs or servers which
> # block ICMP Fragmentation Needed packets. The symptoms of this
> # problem are that everything works fine from your Linux
> # firewall/router, but machines behind it can never exchange large
> # packets:
> # 1) Web browsers connect, then hang with no data received.
> # 2) Small mail works fine, but large emails hang.
> # 3) ssh works fine, but scp hangs after initial handshaking.
> # ]
> #
> # If left blank, or set to "No" or "no", the option is not enabled.
> #
> CLAMPMSS=Yes
> #
> # ROUTE FILTERING
> #
> # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
> # interfaces started while Shorewall is started (anti-spoofing measure).
> #
> # If this variable is not set or is set to the empty value, "No" is assumed.
> # Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
> # on individual interfaces using the 'routefilter' option in the
> # /etc/shorewall/interfaces file.
> ROUTE_FILTER=No
> #
> # NAT BEFORE RULES
> #
> # Shorewall has traditionally processed static NAT rules before port forwarding
> # rules. If you would like to reverse the order, set this variable to "No".
> #
> # If this variable is not set or is set to the empty value, "Yes" is assumed.
> NAT_BEFORE_RULES=Yes
> # DNAT IP ADDRESS DETECTION
> #
> # Normally when Shorewall encounters the following rule:
> #
> #     DNAT   net   loc:192.168.1.3   tcp   80
> #
> # it will forward TCP port 80 connections from the net to 192.168.1.3
> # REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
> # convenient for two reasons:
> #
> #     a) If the the network interface has a dynamic IP address, the
> #        firewall configuration will work even when the address
> #        changes.
> #
> #     b) It saves having to configure the IP address in the rule
> #        while still allowing the firewall to be started before the
> #        internet interface is brought up.
> #
> # This default behavior can also have a negative effect. If the
> # internet interface has more than one IP address then the above
> # rule will forward connection requests on all of these addresses;
> # that may not be what is desired.
> #
> # By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
> # only if the original destination address is the primary IP address of
> # one of the interfaces associated with the source zone. Note that this
> # requires all interfaces to the source zone to be up when the firewall
> # is [re]started.
> DETECT_DNAT_IPADDRS=No
> #
> # MUTEX TIMEOUT
> #
> # The value of this variable determines the number of seconds that programs
> # will wait for exclusive access to the Shorewall lock file. After the number
> # of seconds corresponding to the value of this variable, programs will assume
> # that the last program to hold the lock died without releasing the lock.
> #
> # If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
> #
> # An appropriate value for this parameter would be twice the length of time
> # that it takes your firewall system to process a "shorewall restart" command.
> MUTEX_TIMEOUT=60
> #
> # NEWNOTSYN
> #
> # If this variable is set to "No" or "no", then when a TCP packet that does
> # not have the SYN flag set and the ACK and RST flags clear then unless the
> # packet is part of an established connection, it will be dropped by the
> # firewall
> #
> # If this variable is set to "Yes" or "yes" then such packets will not be
> # dropped but will pass through the normal rule processing.
> #
> # Users with a High-availability setup with two firewall's and one acting
> # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
> # also need to select NEWNOTSYN=Yes.
> #
> # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
> # using the 'newnotsyn' option in /etc/shorewall/interfaces.
> NEWNOTSYN=No
> #
> # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
> #
> # Normally, when a "shorewall stop" command is issued or an error occurs during
> # the execution of another shorewall command, Shorewall puts the firewall into
> # a state where only traffic to/from the hosts listed in
> # /etc/shorewall/routestopped is accepted.
> #
> # When performing remote administration on a Shorewall firewall, it is
> # therefore recommended that the IP address of the computer being used for
> # administration be added to the firewall's /etc/shorewall/routestopped file.
> #
> # Some administrators have a hard time remembering to do this with the result
> # that they get to drive across town in the middle of the night to restart
> # a remote firewall (or worse, they have to get someone out of bed to drive
> # across town to restart a very remote firewall).
> #
> # For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
> # when the firewall enters the 'stopped' state:
> #
> # All traffic that is part of or related to established connections is still
> # allowed and all OUTPUT traffic is allowed. This is in addition to traffic
> # to and from hosts listed in /etc/shorewall/routestopped.
> #
> # If this variable is not set or it is set to the null value then
> # ADMINISABSENTMINDED=No is assumed.
> #
> ADMINISABSENTMINDED=Yes
> #
> # BLACKLIST Behavior
> #
> # Shorewall offers two types of blacklisting:
> #
> # - static blacklisting through the /etc/shorewall/blacklist file together
> #   with the 'blacklist' interface option.
> # - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
> #
> # The following variable determines whether the blacklist is checked for each
> # packet or for each new connection.
> #
> # BLACKLISTNEWONLY=Yes   Only consult blacklists for new connection
> #                        requests
> #
> # BLACKLISTNEWONLY=No    Consult blacklists for all packets.
> #
> # If the BLACKLISTNEWONLY option is not set or is set to the empty value then
> # BLACKLISTNEWONLY=No is assumed.
> #
> BLACKLISTNEWONLY=Yes
> ################################################################################
> #                   P A C K E T   D I S P O S I T I O N
> ################################################################################
> #
> # BLACKLIST DISPOSITION
> #
> # Set this variable to the action that you want to perform on packets from
> # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
> # DROP is assumed.
> #
> BLACKLIST_DISPOSITION=DROP
> #
> # MAC List Disposition
> #
> # This variable determines the disposition of connection requests arriving
> # on interfaces that have the 'maclist' option and that are from a device
> # that is not listed for that interface in /etc/shorewall/maclist. Valid
> # values are ACCEPT, DROP and REJECT. If not specified or specified as
> # empty (MACLIST_DISPOSITION="") then REJECT is assumed
> MACLIST_DISPOSITION=REJECT
> #
> # TCP FLAGS Disposition
> #
> # This variable determins the disposition of packets having an invalid
> # combination of TCP flags that are received on interfaces having the
> # 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
> # or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
> TCP_FLAGS_DISPOSITION=DROP
> #LAST LINE -- DO NOT REMOVE

/etc/shorewall/common.def
> ############################################################################
> # Shorewall 1.4 -- /etc/shorewall/common.def
> #
> # This file defines the rules that are applied before a policy of
> # DROP or REJECT is applied. In addition to the rules defined in this file,
> # the firewall will also define a DROP rule for each subnet broadcast
> # address defined in /etc/shorewall/interfaces (including "detect").
> #
> # Do not modify this file -- if you wish to change these rules, create
> # /etc/shorewall/common to replace it. It is suggested that you include
> # the command ". /etc/shorewall/common.def" in your
> # /etc/shorewall/common file so that you will continue to get the
> # advantage of new releases of this file.
> #
> run_iptables -A common -p icmp -j icmpdef
> ############################################################################
> # NETBIOS chatter
> #
> run_iptables -A common -p udp --dport 135 -j DROP
> run_iptables -A common -p udp --dport 137:139 -j DROP
> run_iptables -A common -p udp --dport 445 -j DROP
> run_iptables -A common -p tcp --dport 139 -j DROP
> run_iptables -A common -p tcp --dport 445 -j DROP
> run_iptables -A common -p tcp --dport 135 -j DROP
> ############################################################################
> # UPnP
> #
> run_iptables -A common -p udp --dport 1900 -j DROP
> ############################################################################
> # BROADCASTS
> #
> run_iptables -A common -d 255.255.255.255 -j DROP
> run_iptables -A common -d 224.0.0.0/4 -j DROP
> ############################################################################
> # AUTH -- Silently reject it so that connections don't get delayed.
> #
> run_iptables -A common -p tcp --dport 113 -j REJECT

(I had not put this line in when I was trying to open 113.)

> ############################################################################
> # DNS -- Silenty drop late replies
> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

If you have a better and safer config to suggest for me, I would be obliged. Of course what burns me first is opening port 113. :? Thanks.
ranger_505, posted 17 May 2004

Help me out a bit. Can you post the whole code??? And secondly: iptables -I INPUT 1 -p tcp --dport 113 -j ACCEPT. How do you define the 1?
Maniakos, posted 17 May 2004

ChrisAce, you also have to put in the shorewall policy that you will accept tcp connections on 113. The rest look correct, and you did well to put it as INPUT 1 to see whether it works properly, but did it definitely go in as INPUT 1? Because if it went in lower down the list and the reject for 113 sits above it, you are never going to receive anything on that port.
ranger_505, posted 17 May 2004

Maniakos, let me ask you... Given that the code has no output rules, shouldn't he add 2 lines in forward, tcp and udp for 113, or does it work as it is, as long as the access lists are at the top?
apoikos, posted 17 May 2004

ChrisAce, I had started replying to you by PM but I was left (and still am) without internet. The commands I gave you (the iptables -I INPUT 1 -p xxx --dport 113 -j ACCEPT ones) obviously work, which is why the port went from stealth to closed! The thing is that it is closed because obviously you are not running an identd service on the linux box. Furthermore, if you care about ident not for the linux box but for the Windows PCs (and so as not to get tangled up with the FORWARD chain), you need to add to the shorewall rules:

> ACCEPT   net   loc   tcp   113
> ACCEPT   net   loc   udp   113

That's it.
Maniakos, posted 17 May 2004

> The thing is that it is closed because obviously you are not running an identd service on the linux box

Correct! I hadn't noticed that =) nice apoikos, and stop wasting the school's bandwidth on forums :p

ranger_505, no, forwarding isn't needed, simply because he has NAT.

btw, HI CHRIS! =D
ranger_505, posted 17 May 2004

Right. Thank you very much. Now I get it better.
ChrisAce (Member), posted 18 May 2004

Hi Maniakos,

First of all, thank you all for your replies. So... I put the commands apoikos mentioned into the shorewall rules, since I care more about ident for the Windows PCs than for the linux box. I.e. these..

> ACCEPT   net   loc   tcp   113
> ACCEPT   net   loc   udp   113

So the shorewall rules file became like this..

> #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER
> #                                 PORT      PORT(S)   DEST       LIMIT   SET
> #
> # Accept DNS connections from the firewall to the network
> #
> ACCEPT    net      loc    tcp     113
> ACCEPT    net      loc    udp     113
> ACCEPT    fw       net    tcp     53
> ACCEPT    fw       net    udp     53
> #ACCEPT   fw       net    tcp     21
> #ACCEPT   fw       net    udp     21
> #ACCEPT   fw       net    tcp     20
> #ACCEPT   fw       net    udp     20
> [........]

I didn't touch anything in the policy. Should I have? Because I didn't understand what I was supposed to put there. :?

At the same time, in /etc/shorewall/common.def I put a # (I also tried without the #) in front of the command run_iptables -A common -p tcp --dport 113 -j REJECT. Then I re-ran apoikos's original commands, since after I restarted shorewall from the services nothing had changed... So right after that I gave these commands..

> iptables -I INPUT 1 -p tcp --dport 113 -j ACCEPT
> iptables -I INPUT 1 -p udp --dport 113 -j ACCEPT

I saw that they went into the first row of the chain. In flashfxp and ultrafxp, which I use and wanted to work with ident on port 113, it didn't work.. In flashfxp, as soon as I started it, it showed "Ident Server: Unable to listen on port 113". Same with mirc. I have no other firewall on the Windows PCs for the time being, in case you think that is what's blocking me. I scanned (both from the Windows PCs and from the linux box) with shields up and it showed it as closed again. :? What haven't I done right? :?
Maniakos, posted 18 May 2004

ChrisAce, as apoikos said, are you sure identd is running? Run ps aux | grep identd and see whether it returns anything. If not, then either you haven't installed it or you haven't started it. If it is running, then the problem is a wrong configuration of the firewall or of shorewall, although they look correct to me. Most likely you aren't running it. If you run it and still have a problem there are 1-2 ways to find out what's going on, so first make sure that it is a) installed and running.
ChrisAce (Member), posted 18 May 2004

Maniakos, I ran ps aux | grep identd and it answered..

> root     13666  0.0  0.2  3572  628 pts/2    S    21:19   0:00 grep identd

At the same time I also tried the command iptables -L and it showed me..

> Chain INPUT (policy DROP)
> target     prot  opt  source            destination
> ACCEPT     udp   --   anywhere          anywhere            udp dpt:auth
> ACCEPT     tcp   --   anywhere          anywhere            tcp dpt:auth
> ACCEPT     all   --   anywhere          anywhere
> DROP       !icmp --   anywhere          anywhere            state INVALID
> ppp0_in    all   --   anywhere          anywhere
> eth0_in    all   --   anywhere          anywhere
> eth1_in    all   --   anywhere          anywhere
> common     all   --   anywhere          anywhere
> LOG        all   --   anywhere          anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
> reject     all   --   anywhere          anywhere
>
> Chain FORWARD (policy DROP)
> target     prot  opt  source            destination
> DROP       !icmp --   anywhere          anywhere            state INVALID
> TCPMSS     tcp   --   anywhere          anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> ppp0_fwd   all   --   anywhere          anywhere
> eth0_fwd   all   --   anywhere          anywhere
> eth1_fwd   all   --   anywhere          anywhere
> common     all   --   anywhere          anywhere
> LOG        all   --   anywhere          anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
> reject     all   --   anywhere          anywhere
>
> Chain OUTPUT (policy DROP)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere
> DROP       !icmp --   anywhere          anywhere            state INVALID
> ACCEPT     udp   --   anywhere          anywhere            udp dpts:bootps:bootpc
> fw2net     all   --   anywhere          anywhere
> fw2loc     all   --   anywhere          192.168.254.254
> fw2loc     all   --   anywhere          192.168.0.5
> fw2loc     all   --   anywhere          anywhere
> fw2loc     all   --   anywhere          anywhere
> common     all   --   anywhere          anywhere
> LOG        all   --   anywhere          anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
> reject     all   --   anywhere          anywhere
>
> Chain all2all (2 references)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere            state RELATED,ESTABLISHED
> newnotsyn  tcp   --   anywhere          anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
> common     all   --   anywhere          anywhere
> LOG        all   --   anywhere          anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
> reject     all   --   anywhere          anywhere
>
> Chain common (5 references)
> target     prot  opt  source            destination
> icmpdef    icmp  --   anywhere          anywhere
> DROP       udp   --   anywhere          anywhere            udp dpt:135
> DROP       udp   --   anywhere          anywhere            udp dpts:netbios-ns:netbios-ssn
> DROP       udp   --   anywhere          anywhere            udp dpt:microsoft-ds
> DROP       tcp   --   anywhere          anywhere            tcp dpt:netbios-ssn
> DROP       tcp   --   anywhere          anywhere            tcp dpt:microsoft-ds
> DROP       tcp   --   anywhere          anywhere            tcp dpt:135
> DROP       udp   --   anywhere          anywhere            udp dpt:1900
> DROP       all   --   anywhere          255.255.255.255
> DROP       all   --   anywhere          BASE-ADDRESS.MCAST.NET/4
> DROP       udp   --   anywhere          anywhere            udp spt:domain state NEW
> DROP       all   --   anywhere          192.168.254.255
> DROP       all   --   anywhere          192.168.0.255
>
> Chain dynamic (6 references)
> target     prot  opt  source            destination
>
> Chain eth0_fwd (1 references)
> target     prot  opt  source            destination
> dynamic    all   --   anywhere          anywhere            state NEW
> loc_frwd   all   --   192.168.254.254   anywhere
> loc_frwd   all   --   anywhere          anywhere
>
> Chain eth0_in (1 references)
> target     prot  opt  source            destination
> dynamic    all   --   anywhere          anywhere            state NEW
> loc2fw     all   --   192.168.254.254   anywhere
> loc2fw     all   --   anywhere          anywhere
>
> Chain eth1_fwd (1 references)
> target     prot  opt  source            destination
> dynamic    all   --   anywhere          anywhere            state NEW
> loc_frwd   all   --   192.168.0.5       anywhere
> loc_frwd   all   --   anywhere          anywhere
>
> Chain eth1_in (1 references)
> target     prot  opt  source            destination
> dynamic    all   --   anywhere          anywhere            state NEW
> loc2fw     all   --   192.168.0.5       anywhere
> loc2fw     all   --   anywhere          anywhere
>
> Chain fw2loc (4 references)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere            state RELATED,ESTABLISHED
> newnotsyn  tcp   --   anywhere          anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     icmp  --   anywhere          anywhere            icmp echo-request
> all2all    all   --   anywhere          anywhere
>
> Chain fw2net (1 references)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere            state RELATED,ESTABLISHED
> newnotsyn  tcp   --   anywhere          anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     tcp   --   anywhere          anywhere            state NEW tcp dpt:domain
> ACCEPT     udp   --   anywhere          anywhere            state NEW udp dpt:domain
> ACCEPT     icmp  --   anywhere          anywhere            icmp echo-request
> ACCEPT     all   --   anywhere          anywhere
>
> Chain icmpdef (1 references)
> target     prot  opt  source            destination
>
> Chain loc2fw (4 references)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere            state RELATED,ESTABLISHED
> newnotsyn  tcp   --   anywhere          anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     tcp   --   anywhere          anywhere            state NEW tcp dpt:ssh
> ACCEPT     tcp   --   anywhere          anywhere            state NEW tcp dpt:ftp
> ACCEPT     udp   --   anywhere          anywhere            state NEW udp dpt:ftp
> ACCEPT     tcp   --   anywhere          anywhere            state NEW tcp dpt:ftp-data
> ACCEPT     udp   --   anywhere          anywhere            state NEW udp dpt:ftp-data
> ACCEPT     tcp   --   anywhere          anywhere            state NEW tcp dpt:http
> ACCEPT     udp   --   anywhere          anywhere            state NEW udp dpt:http
> ACCEPT     tcp   --   anywhere          anywhere            state NEW tcp dpt:81
> ACCEPT     udp   --   anywhere          anywhere            state NEW udp dpt:81
> ACCEPT     tcp   --   anywhere          anywhere            state NEW tcp dpt:netbios-ssn
> ACCEPT     udp   --   anywhere          anywhere            state NEW udp dpt:netbios-ssn
> ACCEPT     icmp  --   anywhere          anywhere            icmp echo-request
> all2all    all   --   anywhere          anywhere
>
> Chain loc2net (1 references)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere            state RELATED,ESTABLISHED
> newnotsyn  tcp   --   anywhere          anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     all   --   anywhere          anywhere
>
> Chain loc_frwd (4 references)
> target     prot  opt  source            destination
> loc2net    all   --   anywhere          anywhere
> ACCEPT     all   --   anywhere          192.168.254.254
> ACCEPT     all   --   anywhere          192.168.0.5
> ACCEPT     all   --   anywhere          anywhere
> ACCEPT     all   --   anywhere          anywhere
>
> Chain logdrop (58 references)
> target     prot  opt  source            destination
> LOG        all   --   anywhere          anywhere            LOG level info prefix `Shorewall:logdrop:DROP:'
> DROP       all   --   anywhere          anywhere
>
> Chain net2all (2 references)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere            state RELATED,ESTABLISHED
> newnotsyn  tcp   --   anywhere          anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
> common     all   --   anywhere          anywhere
> LOG        all   --   anywhere          anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
> DROP       all   --   anywhere          anywhere
>
> Chain net2fw (1 references)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere            state RELATED,ESTABLISHED
> newnotsyn  tcp   --   anywhere          anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
> DROP       icmp  --   anywhere          anywhere            icmp echo-request
> net2all    all   --   anywhere          anywhere
>
> Chain net2loc (4 references)
> target     prot  opt  source            destination
> ACCEPT     all   --   anywhere          anywhere            state RELATED,ESTABLISHED
> newnotsyn  tcp   --   anywhere          anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     tcp   --   anywhere          anywhere            state NEW tcp dpt:auth
> ACCEPT     udp   --   anywhere          anywhere            state NEW udp dpt:auth
> net2all    all   --   anywhere          anywhere
>
> Chain newnotsyn (8 references)
> target     prot  opt  source            destination
> LOG        all   --   anywhere          anywhere            LOG level info prefix `Shorewall:newnotsyn:DROP:'
> DROP       all   --   anywhere          anywhere
>
> Chain ppp0_fwd (1 references)
> target     prot  opt  source            destination
> dynamic    all   --   anywhere          anywhere            state NEW
> rfc1918    all   --   anywhere          anywhere            state NEW
> net2loc    all   --   anywhere          192.168.254.254
> net2loc    all   --   anywhere          192.168.0.5
> net2loc    all   --   anywhere          anywhere
> net2loc    all   --   anywhere          anywhere
>
> Chain ppp0_in (1 references)
> target     prot  opt  source            destination
> dynamic    all   --   anywhere          anywhere            state NEW
> ACCEPT     udp   --   anywhere          anywhere            udp dpts:bootps:bootpc
> rfc1918    all   --   anywhere          anywhere            state NEW
> net2fw     all   --   anywhere          anywhere
>
> Chain reject (4 references)
> target     prot  opt  source            destination
> REJECT     tcp   --   anywhere          anywhere            reject-with tcp-reset
> REJECT     udp   --   anywhere          anywhere            reject-with icmp-port-unreachable
> REJECT     icmp  --   anywhere          anywhere            reject-with icmp-host-unreachable
> REJECT     all   --   anywhere          anywhere            reject-with icmp-host-prohibited
>
> Chain rfc1918 (2 references)
> target     prot  opt  source            destination
> RETURN     all   --   255.255.255.255   anywhere
> RETURN     all   --   anywhere          anywhere            ctorigdst 255.255.255.255
> DROP       all   --   169.254.0.0/16    anywhere
> DROP       all   --   anywhere          anywhere            ctorigdst 169.254.0.0/16
> logdrop    all   --   172.16.0.0/12     anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 172.16.0.0/12
> logdrop    all   --   192.0.2.0/24      anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 192.0.2.0/24
> logdrop    all   --   192.168.0.0/16    anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 192.168.0.0/16
> logdrop    all   --   0.0.0.0/7         anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 0.0.0.0/7
> logdrop    all   --   2.0.0.0/8         anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 2.0.0.0/8
> logdrop    all   --   5.0.0.0/8         anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 5.0.0.0/8
> logdrop    all   --   7.0.0.0/8         anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 7.0.0.0/8
> logdrop    all   --   10.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 10.0.0.0/8
> logdrop    all   --   23.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 23.0.0.0/8
> logdrop    all   --   27.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 27.0.0.0/8
> logdrop    all   --   31.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 31.0.0.0/8
> logdrop    all   --   36.0.0.0/7        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 36.0.0.0/7
> logdrop    all   --   39.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 39.0.0.0/8
> logdrop    all   --   41.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 41.0.0.0/8
> logdrop    all   --   42.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 42.0.0.0/8
> logdrop    all   --   49.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 49.0.0.0/8
> logdrop    all   --   50.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 50.0.0.0/8
> logdrop    all   --   58.0.0.0/7        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 58.0.0.0/7
> logdrop    all   --   032-238-079.area1.spcsdns.net/7   anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 032-238-079.area1.spcsdns.net/7
> logdrop    all   --   72.0.0.0/5        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 72.0.0.0/5
> logdrop    all   --   83.0.0.0/8        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 83.0.0.0/8
> logdrop    all   --   84.0.0.0/6        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 84.0.0.0/6
> logdrop    all   --   88.0.0.0/5        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 88.0.0.0/5
> logdrop    all   --   96.0.0.0/3        anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 96.0.0.0/3
> logdrop    all   --   127.0.0.0/8       anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 127.0.0.0/8
> logdrop    all   --   197.0.0.0/8       anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 197.0.0.0/8
> logdrop    all   --   198.18.0.0/15     anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 198.18.0.0/15
> logdrop    all   --   223.0.0.0/8       anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 223.0.0.0/8
> logdrop    all   --   240.0.0.0/4       anywhere
> logdrop    all   --   anywhere          anywhere            ctorigdst 240.0.0.0/4
>
> Chain shorewall (0 references)
> target     prot  opt  source            destination
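The points made earlier in the thread about rule order and about a port reading "closed" can be seen by walking the chains in the listing above. What follows is an added example written for this page, not Shorewall's code and not something anyone posted in the thread: a toy Python model of iptables first-match traversal over a reduced copy of those chains. Only the rules that decide the fate of a new TCP connection arriving on `ppp0` are kept, the `common` chain can be built with or without the `--dport 113 -j REJECT` line from `common.def`, the packets and the "listening ports" set are constructed, and the labels stealth/closed/open are the ShieldsUP terms used in the thread.

```python
"""Added example (not Shorewall code): first-match chain traversal of the
filter table, reduced to the rules that decide a new TCP connection from the
internet.  Rule matching is simplified to interface, protocol, ports and
conntrack state; that is enough to reproduce what the thread observed."""

TERMINAL = ("ACCEPT", "DROP", "REJECT")
ESTABLISHED = frozenset({"RELATED", "ESTABLISHED"})


def _matches(match, packet):
    """A rule matches when every field it names agrees with the packet.
    A set as the expected value means "any of these" (the conntrack
    state list RELATED,ESTABLISHED in the listing)."""
    for key, expected in match.items():
        actual = packet.get(key)
        if isinstance(expected, (set, frozenset)):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True


def walk(chains, name, packet, depth=0):
    """Evaluate one chain top to bottom.  Returns a terminal verdict, or
    None when the chain falls off its end (an implicit RETURN to the caller,
    which then continues with its own next rule)."""
    if depth > 32:  # iptables refuses jumps that would loop; guard anyway
        raise RuntimeError("chain recursion too deep")
    for match, target in chains[name]:
        if not _matches(match, packet):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target == "LOG":  # non-terminating target: log and keep going
            continue
        verdict = walk(chains, target, packet, depth + 1)  # jump to user chain
        if verdict is not None:
            return verdict
    return None


def filter_input(chains, packet, policy="DROP"):
    """Verdict of the INPUT chain, falling back to the built-in policy."""
    verdict = walk(chains, "INPUT", packet)
    return verdict if verdict is not None else policy


def observed_from_outside(verdict, listening, packet):
    """What a remote scanner reports for a SYN.  DROP gives no answer
    ("stealth"); REJECT answers with a TCP RST ("closed"); ACCEPT only reads
    "open" if a process is bound to the port, otherwise the kernel itself
    answers the SYN with a RST, which the scanner again reports as "closed"."""
    if verdict == "DROP":
        return "stealth"
    if verdict == "REJECT":
        return "closed"
    return "open" if (packet["proto"], packet["dport"]) in listening else "closed"


def shorewall_chains(reject_ident=False):
    """The relevant subset of the chains in the listing, in listing order.
    reject_ident=True adds the `-p tcp --dport 113 -j REJECT` line that
    common.def carries (the listing above was taken with it commented out)."""
    common = [({"proto": "tcp", "dport": 139}, "DROP"),
              ({"proto": "udp", "sport": 53, "state": "NEW"}, "DROP")]
    if reject_ident:
        common.insert(1, ({"proto": "tcp", "dport": 113}, "REJECT"))
    return {
        "INPUT":   [({"state": "INVALID"}, "DROP"),
                    ({"in": "ppp0"}, "ppp0_in"),
                    ({}, "common"), ({}, "LOG"), ({}, "REJECT")],
        "ppp0_in": [({}, "net2fw")],
        "net2fw":  [({"state": ESTABLISHED}, "ACCEPT"), ({}, "net2all")],
        "net2all": [({"state": ESTABLISHED}, "ACCEPT"),
                    ({}, "common"), ({}, "LOG"), ({}, "DROP")],
        "common":  common,
    }


def with_manual_accept(chains, proto, dport):
    """Model `iptables -I INPUT 1 -p <proto> --dport <dport> -j ACCEPT`:
    a copy of the chains with that rule inserted at position 1 of INPUT,
    i.e. before any jump into the Shorewall-generated chains."""
    new = {k: list(v) for k, v in chains.items()}
    new["INPUT"].insert(0, ({"proto": proto, "dport": dport}, "ACCEPT"))
    return new


def probe(chains, dport, listening=frozenset()):
    """A fresh TCP SYN from the internet (constructed) to dport on the
    firewall; returns (verdict, what the scanner sees)."""
    syn = {"in": "ppp0", "proto": "tcp", "dport": dport, "state": "NEW"}
    verdict = filter_input(chains, syn)
    return verdict, observed_from_outside(verdict, listening, syn)


if __name__ == "__main__":
    base = shorewall_chains()
    print(probe(base, 22))                                   # ('DROP', 'stealth')
    print(probe(shorewall_chains(reject_ident=True), 113))   # ('REJECT', 'closed')
    patched = with_manual_accept(base, "tcp", 113)
    print(probe(patched, 113))                               # ('ACCEPT', 'closed')
    print(probe(patched, 113, frozenset({("tcp", 113)})))    # ('ACCEPT', 'open')
```

Two things fall out of the four probes. The `-I INPUT 1` rule wins because INPUT is walked before any of the chains it jumps into, which is the ordering Maniakos asked about. And ACCEPT only changes the firewall's verdict, not the host's reply: with nothing bound to 113 the kernel answers the accepted SYN with a RST, which is the "closed" apoikos explains. The model covers the INPUT chain only, i.e. connections addressed to the firewall itself; a connection meant for one of the Windows PCs behind the masquerade goes through FORWARD and only reaches a PC if its destination address is rewritten first (the `DNAT` rule form the shorewall.conf comments above describe), which an ACCEPT in `net2loc` on its own does not do.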
apoikos, posted 18 May 2004

What grep returned means you are not running identd. Why exactly do you want identd? In general it is not a very good idea to enable it....
ChrisAce (Member), posted 18 May 2004

Unfortunately I need it... I looked in the services and indeed I didn't see identd running. Where can I install it from and enable it, since I didn't see identd anywhere in the services?
apoikos, posted 18 May 2004

Usually it is started by inetd or xinetd (<- more likely on redhat). Look in /etc/xinetd.conf and /etc/xinetd.d/ for a commented-out identd entry.
ChrisAce (Member), posted 19 May 2004

So redhat has xinetd. From what I saw in the services it had been running from the start, I just didn't realise it would be called that. I was looking for identd. :?

In /etc/xinetd.d/ there is no identd entry. There are various files in there but nothing for identd. In /etc/xinetd.conf there are only these entries..

> #
> # Simple configuration file for xinetd
> #
> # Some defaults, and include /etc/xinetd.d/
>
> defaults
> {
>         instances               = 60
>         log_type                = SYSLOG authpriv
>         log_on_success          = HOST PID
>         log_on_failure          = HOST
>         cps                     = 25 30
> }
>
> includedir /etc/xinetd.d

What should I put? Thanks apoikos.
Maniakos, posted 19 May 2004

ChrisAce, then you will have to install identd. You will find it on ftp.ntua.gr, as an rpm for your distro too. Before you install it, though, make sure it isn't already among your installed rpms.

One note. xinetd is the same thing as inetd, it's just that some distros use xinetd (like RedHat) while others use inetd (slackware). They differ in one detail that escapes me right now, but basically they serve the same purpose, so no worries.
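For the xinetd route apoikos and Maniakos describe, this is what such a service looks like in practice. It is an added example written for this page, not the thread's code and not the identd rpm under discussion: a small RFC 1413 ident responder in Python meant to be started by xinetd, which hands each accepted TCP connection to the program as stdin/stdout. The xinetd stanza it assumes is in the docstring; the path `/usr/local/sbin/ident-responder.py`, the `SAMPLE_PROC_NET_TCP` text and the ports in it are constructed for illustration. It looks the queried connection up in `/proc/net/tcp` and answers `HIDDEN-USER` unless explicitly given a uid-to-name function, which is the safer default given the reservation apoikos voices about running identd at all: IRC and FTP servers stop stalling as soon as they get any valid reply, and no account name leaves the box.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread: a minimal RFC 1413 responder for
xinetd.  Assumed (hypothetical) stanza, e.g. /etc/xinetd.d/auth ("auth" is the
/etc/services name for tcp/113, as the iptables listing's dpt:auth shows):

    service auth
    {
        disable     = no
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = nobody
        server      = /usr/local/sbin/ident-responder.py
    }
"""
import socket
import struct
import sys

ESTABLISHED = "01"  # tcp state code in /proc/net/tcp

# Constructed sample of /proc/net/tcp (not captured from a real host):
# one established connection 192.168.0.5:3128 <-> 10.0.0.10:54321 owned by
# uid 500, and one listening socket on port 22 owned by root.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0500A8C0:0C38 0A00000A:D431 01 00000000:00000000 00:00000000 00000000   500        0 12345 1 0000000000000000 20 4 30 10 -1\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0\n"
)


def parse_request(line):
    """RFC 1413 request: '<port-on-server> , <port-on-client>'.
    Raises ValueError for anything but two in-range integers."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        raise ValueError("expected two comma-separated ports")
    lport, rport = (int(p.strip()) for p in parts)
    for port in (lport, rport):
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
    return lport, rport


def _decode_addr(field):
    """'0500A8C0:0C38' -> ('192.168.0.5', 3128): the kernel prints the IPv4
    address as a little-endian hex word and the port as big-endian hex."""
    hexip, hexport = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(hexip, 16)))
    return ip, int(hexport, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 8:
            continue
        conns.append({"local": _decode_addr(cols[1]),
                      "remote": _decode_addr(cols[2]),
                      "state": cols[3],
                      "uid": int(cols[7])})
    return conns


def owner_uid(conns, lport, rport, peer_ip):
    """UID owning the established connection <us>:lport <-> peer_ip:rport, or
    None.  The peer address must match as well: only the other end of a
    connection may ask about it, not an arbitrary third party."""
    for c in conns:
        if (c["state"] == ESTABLISHED and c["local"][1] == lport
                and c["remote"] == (peer_ip, rport)):
            return c["uid"]
    return None


def ident_reply(request_line, conns, peer_ip, uid_to_name=None):
    """Build the RFC 1413 response line.  Pass uid_to_name (for example a
    wrapper around pwd.getpwuid) only if usernames really should be disclosed;
    the default answers HIDDEN-USER for every connection that exists."""
    try:
        lport, rport = parse_request(request_line)
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT"  # ports unusable, so echo zeros
    prefix = "%d , %d" % (lport, rport)
    uid = owner_uid(conns, lport, rport, peer_ip)
    if uid is None:
        return prefix + " : ERROR : NO-USER"
    if uid_to_name is None:
        return prefix + " : ERROR : HIDDEN-USER"
    return prefix + " : USERID : UNIX : " + uid_to_name(uid)


def serve_stdin_stdout():
    """Entry point under xinetd: one request per connection, then exit."""
    try:  # under xinetd fd 0 is the accepted socket; elsewhere this fails
        peer_ip = socket.fromfd(0, socket.AF_INET, socket.SOCK_STREAM).getpeername()[0]
    except OSError:
        peer_ip = ""
    request = sys.stdin.readline()
    with open("/proc/net/tcp") as fh:
        conns = parse_proc_net_tcp(fh.read())
    sys.stdout.write(ident_reply(request, conns, peer_ip) + "\r\n")
    sys.stdout.flush()


if __name__ == "__main__":
    serve_stdin_stdout()
```

One limit matters for this thread: the responder can only identify sockets owned by the box it runs on. The Windows PCs' connections are masqueraded through the firewall and do not appear in the firewall's `/proc/net/tcp`, so for them an ident query arriving at the public address would have to be delivered to the PC's own ident server (the one FlashFXP and mIRC try to start); a responder on the Linux box cannot answer on their behalf.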
Archived

This topic has been archived and is closed to further replies.