iptables questions
From: Tyler Littlefield
To: Speakup is a screen review system for Linux.

Hello list,
I tried running endoshield, and got a ton of errors.
So, now I will try to do it manually. I'm going through a tutorial now, and I have a couple questions.
I can do the following.
iptables -A INPUT -p tcp --dport 2200 -j QUEUE
iptables -A INPUT -p tcp --sport 2200 -j QUEUE
to allow for the traffic on port 2200 to go through. I think.
But, let's say I create a rule for each port. The ones I want to allow, and the ones I don't want to allow.
I think I can use a -s to make it only local if I want.
Then, how would I block the ports that I haven't created rules for?
Next, if I set up the box as a DMZ, in front of the router, is there a way that I can make it manage all traffic coming in and out of the network? Just like the router would?
Thanks,
~~TheCreator~~
website: http://tysplace.shaned.net
msn: compgeek134@hotmail.com
aim: st8amnd2005
skype: st8amnd127
moo coder/wizard and administrator

Re: iptables questions
From: Gregory Nowak
To: Speakup is a screen review system for Linux.

On Tue, Jul 11, 2006 at 03:04:23PM -0600, Tyler Littlefield wrote:
> I tried running endoshield, and got a ton of errors.

When I first started using endoshield, I found the errors I got were the result of not configuring all the iptables stuff during my kernel config. So, your best bet in my humble opinion is to include all the iptables, nat, and connection tracking stuff as modules, and try endoshield again. You could also post your errors, so we can see if a lack of modules is the case here, or if it's something else.

> So, now I will try to do it manually. I'm going through a tutorial now, and I have a couple questions.
> I can do the following.
> iptables -A INPUT -p tcp --dport 2200 -j QUEUE
> iptables -A INPUT -p tcp --sport 2200 -j QUEUE
> to allow for the traffic on port 2200 to go through. I think.

I've never used the queue target, so I can't help you here. I can only tell you that when I want to open a port, I use the ACCEPT target to do so.

> But, let's say I create a rule for each port. The ones I want to allow, and the ones I don't want to allow.
> I think I can use a -s to make it only local if I want.
> Then, how would I block the ports that I haven't created rules for?

Off the top of my head, without looking at the iptables docs, or at the endoshield script, I believe you use the DROP target on the entire input chain, and below that, use the ACCEPT target on the ports you want to open. I do however stand to be corrected here.

> Next, if I set up the box as a DMZ, in front of the router, is there a way that I can make it manage all traffic coming in and out of the network? Just like the router would?

Yes, this is called ip masquerading, and endoshield is a good example of how it's done. Also note that if you intend to share your connection with multiple machines, your main machine will need 2 network cards, one from the router to the pc, and the other from the pc to the switch/hub that your other machines are connected to.

Greg

--
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)
--
Free domains: http://www.eu.org/ or mail dns-manager@EU.org

Re: iptables questions
From: Tyler Littlefield
To: Speakup is a screen review system for Linux.

Hello,
I don't understand how the masquerading works.
I currently have a router, that is connected to the modem.
Then, I have another 3 computers behind the router, one of which is the linux. What I want to do is dmz linux so that it acts as a firewall.
Thanks,
~~TheCreator~~

----- Original Message -----
From: "Gregory Nowak" <greg@romuald.net.eu.org>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Tuesday, July 11, 2006 8:08 PM
Subject: Re: iptables questions

Re: iptables questions
From: Alex Snow
To: Speakup is a screen review system for Linux.

What exactly are you trying to do? From your message it seems like you want to do 1 of 2 things:
1. Have the linux machine dmz'ed so services running on it can be accessed from the outside world. For this you just need to set up iptables to block incoming connections on ports you don't want people to be able to connect to.
2. Have your linux box as a firewall for your entire lan. For this you need 2 interfaces in your box, one from the modem and one to your existing router/switch. Then you would set up iptables to nat, and add the proper firewall rules for your network.

On Wed, Jul 12, 2006 at 09:40:41AM -0600, Tyler Littlefield wrote:
> Hello,
> I don't understand how the masquerading works.
> I currently have a router, that is connected to the modem.
> Then, I have another 3 computers behind the router, one of which is the
> linux. What I want to do is dmz linux so that it acts as a firewall.
> Thanks,
> ~~TheCreator~~

--
...Unix, MS-DOS, and Windows NT (also known as the Good, the Bad, and the Ugly). -- Matt Welsh

Re: iptables questions
From: Gregory Nowak
To: Speakup is a screen review system for Linux.

Generally, if I don't understand how something works, there is a very good chance that searching the web will give me at least one, if not more, good explanations.

In short, masquerading does what your router does now. If you're still laboring under the misconception that your ISP is assigning the 10.x.x.x addresses to your machine, the sooner you accept what I've told you twice before, that your modem or router is actually doing that, the easier it will be for you to understand masquerading. Masquerading will simply allow you to assign an internal ip to each of the machines on your LAN, and make any internet traffic from those machines look as if it's coming from your single public IP, assigned to you by your ISP. Like I've said, this is exactly what your modem or router does currently.

Greg

On Wed, Jul 12, 2006 at 09:40:41AM -0600, Tyler Littlefield wrote:
> Hello,
> I don't understand how the masquerading works.
> I currently have a router, that is connected to the modem.
> Then, I have another 3 computers behind the router, one of which is the
> linux. What I want to do is dmz linux so that it acts as a firewall.

Re: iptables questions
From: Tyler Littlefield
To: Speakup is a screen review system for Linux.

> Generally, if I don't understand how something works, there is a very
> good chance that searching the web will give me at least one, if not
> more, good explanations.
>
> In short, masquerading does what your router does now. If you're still
> laboring under the misconception that your ISP is assigning the
> 10.x.x.x addresses to your machine, the sooner you accept what I've
> told you twice before, that your modem or router is actually doing
> that, the easier it will be for you to understand
> masquerading.

Um... I called the ISP, and had to go up to the manager, because no one else would tell me what was going on. It turned out that it **wasn't** the modem/router, but I had a private IP. I ended up paying $5 extra a month for a public.

> Masquerading will simply allow you to assign an internal ip
> to each of the machines on your LAN, and make any internet traffic
> from those machines look as if it's coming from your single public IP,
> assigned to you by your ISP. Like I've said, this is exactly what your
> modem or router does currently.
>
> Greg

~~TheCreator~~

----- Original Message -----
From: "Gregory Nowak" <greg@romuald.net.eu.org>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Wednesday, July 12, 2006 12:15 PM
Subject: Re: iptables questions

Re: iptables questions
From: Gregory Nowak
To: Speakup is a screen review system for Linux.

On Wed, Jul 12, 2006 at 12:20:19PM -0600, Tyler Littlefield wrote:
> Um... I called the ISP, and had to go up to the manager, because no one
> else would tell me what was going on. It turned out that it **wasn't** the
> modem/router, but I had a private IP. I ended up paying $5 extra a month for
> a public.

Ok, but that's one heck of a rip off if you ask me. A decent ISP will give you a dynamic publicly accessible IP for free, and charge you extra for your own public static address. For an ISP to be doing NAT on its network for its customers, and be charging to give them a public IP which I'm guessing is still dynamic, is a rip off.

Anyway, you have 3 machines you said with internet connections. However, you still have one public IP address, unless you purchased a block of static addresses. So, my point still stands, your modem or router is still doing IP masquerading for you, and assigning an internal IP to each of your 3 machines.

Greg

Re: iptables questions
From: Tyler Littlefield
To: Speakup is a screen review system for Linux.

Yay, I agree that it is. They called my grandma, and told her that they were "upgrading." So, the tech came down, and "upgraded." I had the router all set up on different ports and stuff, (web admin, on 8000) so I could help her when she needed it. They changed it over... Anyway, it was a public static before they "upgraded." but then they just locked us in behind their firewall, or whatever they did.
Thanks,
~~TheCreator~~

----- Original Message -----
From: "Gregory Nowak" <greg@romuald.net.eu.org>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Wednesday, July 12, 2006 12:33 PM
Subject: Re: iptables questions

Re: iptables questions
From: John Heim
To: Speakup is a screen review system for Linux.

When the tech support guys at Tyler's ISP told him he had a "private" IP, they probably meant they're blocking incoming connections. He had to pay $5 extra to get them to punch a hole in their firewall. Lots of ISPs block some ports so you can't set up your own smtp server, for example. Maybe Tyler's ISP blocks all incoming connections by default and allows only outgoing and existing connections.

I can't believe an ISP would hand out 10.0.0/24 addresses. Hand out private IP addresses and do NAT for every customer? Impossible (I think). It may even be illegal.

More likely, they have a range of IP addresses that are not blocked by their firewall. They had to reassign him one from that range. That's what cost $5. I think "private" is marketing-speak for "blocked".

Gregory Nowak wrote:
> On Wed, Jul 12, 2006 at 12:20:19PM -0600, Tyler Littlefield wrote:
>> Um... I called the ISP, and had to go up to the manager, because no one
>> else would tell me what was going on. It turned out that it **wasn't** the
>> modem/router, but I had a private IP. I ended up paying $5 extra a month for
>> a public.

Re: iptables questions
From: Tyler Littlefield
To: jheim, Speakup is a screen review system for Linux.

When I looked at my router, I saw that it was a 10.x IP. When I signed up, they gave me a new 206 ip to use.
Thanks,
~~TheCreator~~

----- Original Message -----
From: "John Heim" <jheim@math.wisc.edu>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Wednesday, July 12, 2006 6:46 PM
Subject: Re: iptables questions

Re: iptables questions
From: Gregory Nowak
To: jheim, Speakup is a screen review system for Linux.

On Wed, Jul 12, 2006 at 07:46:34PM -0500, John Heim wrote:
> Lots of
> ISPs block some ports so you can't set up your own smtp server, for
> example. Maybe Tyler's ISP blocks all incoming connections by default
> and allows only outgoing and existing connections.

I know, my former ISP blocked outgoing smtp, and what's even worse is that when they out-sourced their tech support, those people insisted that they didn't block any ports. I also have a friend who has some incoming ports blocked as well, so I'm familiar with the port blocking problem, though I've never heard those situations described as public or private ip addressing.

> I can't believe an ISP would hand out 10.0.0/24 addresses. Hand out
> private IP addresses and do NAT for every customer? Impossible (I
> think). It may even be illegal.

I agree totally. However, Tyler insisted on several occasions in private messages that his ISP handed out 10.0.0/24 addresses to him, and I repeatedly kept telling him that it was either his modem or router that was doing that. As you said, for an ISP to be doing NAT for all its customers would be more costly than having a pool of dynamic public IPs to hand out.

Greg

Re: iptables questions
From: Tyler Littlefield
To: Speakup is a screen review system for Linux.

OK. With a router set to static, and the IP as 10. That tells me it's the ISP doing it. Especially when the gateway is also a 10 address.
~~TheCreator~~

----- Original Message -----
From: "Gregory Nowak" <greg@romuald.net.eu.org>
To: <jheim@math.wisc.edu>; "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Wednesday, July 12, 2006 2:56 PM
Subject: Re: iptables questions

* Re: iptables questions
From: Willem van der Walt
To: Speakup is a screen review system for Linux.

On Tue, 11 Jul 2006, Tyler Littlefield wrote:
> Hello list,
> I tried running endoshield, and got a ton of errors.
> So, now I will try to do it manually. I'm going through a tutorial now, and I have a couple questions.
> I can do the following.
> iptables -A INPUT -p tcp -dport 2200 -j queue
> iptables -A INPUT -p tcp -sport 2200 -j queue
> to allow for the traffic on port 2200 to go through. I think.
> But, let's say I create a rule for each port. The ones I want to allow, and the ones I don't want to allow.
> I think I can use a -s to make it only local if I want.
> Then, how would I block the ports that I haven't created rules for?

iptables -P INPUT DROP

> next, if I set up the box as a DMZ, in front of the router, is there a way that I can make it manage all traffic coming in and out of the network? Just like the router would?

Yes, use two NICs, bring your router in on the external one and your LAN on the internal one.

HTH, Willem
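Putting Willem's two answers together (a default DROP policy so unlisted ports are closed, and a two-NIC box between router and LAN), as an added example that is not part of the thread. It assumes eth0 faces the router, eth1 faces a 192.168.0.0/24 LAN, and the only service to expose is Tyler's port 2200, restricted to LAN sources with -s as he asked; set IPT="echo iptables" to review the rules without applying them.

```shell
#!/bin/sh
# Added example: minimal default-deny firewall for a two-NIC box.
# Assumed names: eth0 = router/WAN side, eth1 = LAN side (192.168.0.0/24).
# IPT="echo iptables" prints the rules instead of applying them.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}

build_firewall() {
    # Clean slate, then default to DROP: any port without an explicit
    # ACCEPT rule below is closed, which answers "how do I block the rest?".
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host or the LAN opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH on 2200, only from the LAN: -s limits the source network and
    # -i pins it to the LAN NIC so a spoofed 192.168.0.x from eth0 fails.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 2200 -j ACCEPT

    # LAN hosts may go out via the WAN NIC; hide them behind its address.
    # IP forwarding must also be on: echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    --dry-run) IPT="echo iptables"; build_firewall ;;
    --apply)   build_firewall ;;
esac
```

Run it as `sh fw.sh --dry-run` to read the generated rules, then as root with `--apply`.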
* IPTABLES QUESTIONS
From: Doug Lawlor
To: speakup

Hello list,

When I forward ports to a machine behind a firewall traffic only seems to be going to the lowest port in the range. The following list using the command 'iptables -t nat -L' illustrates this.

DNAT udp -- anywhere hostname.domain udp dpts:2074:2076 to:192.168.0.2:2074
DNAT udp -- anywhere hostname.domain udp dpts:4074:4076 to:192.168.0.2:4074

The commands used to forward the ports are as follows:

# Forward ports 2074-2076 to 192.168.0.2
iptables -A PREROUTING -t nat -p udp -d $MYIP --dport 2074:2076 -j DNAT --to 192.168.0.2:2074:2076
# Forward ports 4074-4076 to 192.168.0.2
iptables -A PREROUTING -t nat -p udp -d $MYIP --dport 4074:4076 -j DNAT --to 192.168.0.2:4074:4076

$MYIP is a variable which gets the current dynamically assigned IP from eth0 using the following sed expression:

MYIP=`ifconfig eth0 | sed '/.*addr:/!d;s///;s/ .*//'`

If I am thinking straight the list generated with 'iptables -t nat -L' should look like the following.

DNAT udp -- anywhere hostname.domain udp dpts:2074:2076 to:192.168.0.2:2074:2076
DNAT udp -- anywhere hostname.domain udp dpts:4074:4076 to:192.168.0.2:4074:4076

How can I make this happen? The iptables commands I am using in the firewall script are just not doing it.

Thanks in advance,
Doug

--
Make sure your E-mail can be read by everyone!
http://www.betips.net/etc/evilmail.html
Doug Lawlor <dlawlor@roadrunner.nf.net>
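The DNAT target writes its destination range as ipaddr[:port[-port]], so a port range after the address takes a hyphen, not a colon; the colon form Doug used is read as the single port 2074, which is exactly what his 'to:192.168.0.2:2074' listing shows. The following is an added example, not Doug's firewall script: it assumes eth0 is the WAN NIC, validates the range before handing it to iptables, and adds the FORWARD rule the translated packets need when FORWARD defaults to DROP; IPT="echo iptables" prints instead of applying.

```shell
#!/bin/sh
# Added example: forward a UDP port range to a LAN host with DNAT.
# Assumed: eth0 is the WAN NIC. IPT="echo iptables" prints the rules.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}

# Current IPv4 address on the WAN NIC (replaces the ifconfig|sed one-liner).
wan_ip() {
    ip -4 -o addr show dev "$WAN" | awk '{ sub("/.*", "", $4); print $4; exit }'
}

# True only for a decimal port number in 1..65535; "2074:2076" is rejected.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_udp_range FIRST LAST DEST_IP [WAN_IP]
# Emits the PREROUTING DNAT rule and the FORWARD ACCEPT rule for it.
# Returns 1 on a malformed range instead of creating a wrong mapping.
forward_udp_range() {
    first=$1; last=$2; dest=$3; myip=${4:-$(wan_ip)}
    if ! is_port "$first" || ! is_port "$last" || [ "$first" -gt "$last" ]; then
        echo "forward_udp_range: bad port range '$first:$last'" >&2
        return 1
    fi
    # --to-destination takes ADDR:LOW-HIGH. The kernel keeps the original
    # destination port when it already lies inside that range, so 2075 stays
    # 2075. Leaving the port off entirely (--to-destination ADDR) also
    # preserves the port and is the simplest fix for one-to-one forwarding.
    $IPT -t nat -A PREROUTING -i "$WAN" -p udp -d "$myip" \
        --dport "$first:$last" -j DNAT --to-destination "$dest:$first-$last"
    $IPT -A FORWARD -i "$WAN" -p udp -d "$dest" --dport "$first:$last" -j ACCEPT
}

case "${1:-}" in
    --dry-run) IPT="echo iptables"
               forward_udp_range 2074 2076 192.168.0.2 203.0.113.10
               forward_udp_range 4074 4076 192.168.0.2 203.0.113.10 ;;
esac
```

After applying, 'iptables -t nat -L -n' shows the target as to:192.168.0.2:2074-2076 rather than a single port.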