Re: iptables help needed




On 04.06.2008 01:03, Simon Slater wrote:

|> The evolution request has been done from the desktop, not from the
|> laptop. Am I right? Packets are dropped because port 110 is not allowed
|> by the script, but, up to now this is not the problem.
|
| Yes, Evolution runs on the desktop. I added port 110 to your script
| under the SMTP and NEWS section last night and those packets are not
| being logged now.

And you can retrieve your mails!?


| I hope I have filled in the blanks for you. Following are the logs from
| the desktop this morning when I started the laptop and ran Firefox. The
| web page it is looking for is http://start.fedoraproject.org/ . Hope
| this helps:

|
| <SNIP>
|
| Jun 4 08:49:51 ipex kernel: [IPTABLES DROP] : IN= OUT=ppp0
| SRC=59.101.220.253 DST=203.8.183.1 LEN=108 TOS=0x00 PREC=0xC0 TTL=64
| ID=1346 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.8.183.1 DST=59.101.220.253
| LEN=80 TOS=0x00 PREC=0x00 TTL=252 ID=5354 DF PROTO=UDP SPT=53 DPT=39780
| LEN=60 ]

ICMP packets are not allowed by the script, and that is not a good idea
(sorry!), at least for type 3. After:

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

add this to the script:

# icmp packets
# ping accepted outbound but not inbound
$IPTABLES -A INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -d 0/0 -j ACCEPT

#"network unreachable"
$IPTABLES -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -d 0/0 --icmp-type 3 -j ACCEPT

And in the LAN part, after #"forwarding":

#icmp
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p icmp --icmp-type 0 -s 0/0 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p icmp --icmp-type 8 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p icmp --icmp-type 3 -s 0/0 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p icmp --icmp-type 3 -d 0/0 -j ACCEPT


Also uncomment this line:

#$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_DEVICE -j LOG --log-prefix "[IPTABLES MASQ]"

Rerun the script. If some requests to the Internet come from your
laptop, there will be some lines like this in the logs of your desktop:

<quote>
Jun 4 09:45:44 dipankar kernel: [IPTABLES MASQ]IN= OUT=ppp0
SRC=192.168.1.4 DST=213.251.134.188 LEN=76 TOS=0x00 PREC=0x00 TTL=63
ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
</quote>

Here the 192.168.1.4 computer makes an NTP request to 213.251.134.188.


Also, on your desktop run:

lsmod | grep -i masquerade

There should be some kernel modules for masquerade (ipt_MASQUERADE,
nf_nat, ...)

FP
--
François Patte
UFR de mathématiques et informatique
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)1 44 55 35 61
http://www.math-info.univ-paris5.fr/~patte
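As an added example (not part of the thread or of the poster's script), a small Python parser for the two kinds of LOG lines quoted above: it separates the outer header from the bracketed header that an ICMP error carries, reads the dropped type 3 packet the way the reply explains it, and performs the check asked for, whether any MASQ line has a LAN source at all. The 192.168.1.0/24 mask is an assumption taken from the 192.168.1.4 address in the thread.

```python
import ipaddress
import re

# The two syslog lines quoted in the thread, joined onto one line each.
DROP_LINE = ("Jun 4 08:49:51 ipex kernel: [IPTABLES DROP] : IN= OUT=ppp0 "
             "SRC=59.101.220.253 DST=203.8.183.1 LEN=108 TOS=0x00 PREC=0xC0 TTL=64 "
             "ID=1346 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.8.183.1 DST=59.101.220.253 "
             "LEN=80 TOS=0x00 PREC=0x00 TTL=252 ID=5354 DF PROTO=UDP SPT=53 DPT=39780 LEN=60 ]")
MASQ_LINE = ("Jun 4 09:45:44 dipankar kernel: [IPTABLES MASQ]IN= OUT=ppp0 "
             "SRC=192.168.1.4 DST=213.251.134.188 LEN=76 TOS=0x00 PREC=0x00 TTL=63 "
             "ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56")

# Assumption: the LAN behind the desktop is 192.168.1.0/24 (the thread only shows .4).
LAN = ipaddress.ip_network("192.168.1.0/24")
PREFIX_RE = re.compile(r"\[IPTABLES (?P<prefix>[A-Z]+)\]")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return prefix, outer header fields and, for ICMP errors, the bracketed
    header of the packet that triggered the error; None for non-netfilter lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    outer_text, _, inner_text = line[m.end():].partition("[")
    return {"prefix": m.group("prefix"),
            "outer": dict(KV_RE.findall(outer_text)),
            "inner": dict(KV_RE.findall(inner_text)) or None}

def describe(record):
    """One-line reading of a record in the terms the thread uses."""
    outer, inner = record["outer"], record["inner"]
    if record["prefix"] == "MASQ":
        origin = "LAN host" if ipaddress.ip_address(outer["SRC"]) in LAN else "desktop itself"
        return "MASQ: %s %s -> %s %s dport %s" % (origin, outer["SRC"], outer["DST"],
                                                  outer["PROTO"], outer.get("DPT"))
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3" and inner:
        # A type 3 error quotes the header of the packet it answers: here a DNS reply.
        reason = "port unreachable" if outer["CODE"] == "3" else "code " + outer["CODE"]
        return "DROP: ICMP %s sent via %s to %s in reply to %s %s:%s -> %s:%s" % (
            reason, outer["OUT"] or outer["IN"], outer["DST"], inner["PROTO"],
            inner["SRC"], inner["SPT"], inner["DST"], inner["DPT"])
    return "%s: %s -> %s %s" % (record["prefix"], outer["SRC"], outer["DST"], outer.get("PROTO"))

def masqueraded_lan_hosts(lines):
    """The check asked for in the thread: which LAN hosts appear in MASQ lines at all."""
    recs = (parse_log_line(l) for l in lines)
    return {r["outer"]["SRC"] for r in recs
            if r and r["prefix"] == "MASQ" and ipaddress.ip_address(r["outer"]["SRC"]) in LAN}
```

Feed it the desktop's /var/log/messages with both LOG rules active; an empty set from masqueraded_lan_hosts means no laptop traffic ever reached the POSTROUTING chain.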

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


