[KLUG Members] iptables
Bert Obbink
members@kalamazoolinux.org
Tue, 30 Jul 2002 17:19:36 +0200
Bruce Smith wrote:
>>I have a couple of questions regarding iptables,
>>first, when I use 'iptables -L' to list the current config, a line of
>>the config appears once every two or three seconds, so the whole config
>>takes some time to show. I can't find out any reason for this behaviour.
>
>Probably a resolver delay. Try adding a "-n" to display only numbers.
>
> iptables -L -n
>
This did the trick. I included lines such as

iptables -A INPUT -i ${EXTERN} -s ${LOCALADDR} -j LOG --log-prefix "SPOOFING"

This logs packets coming in on the external interface using a 127.x.x.x
address as spoofing packets. When I add a 127.0.0.0 line to the
/etc/hosts file the timeouts disappear, but adding such a line does not
make much sense, does it?

$LOCALADDR equals 127.0.0.1/8

Without the -n the line shows as

LOG all -- loopback/8 anywhere

with the -n

LOG all -- 127.0.0.0/8 0.0.0.0

Any suggestions? Could this have any impact on how iptables functions
(speed etc.)?
>>second, I want to close the ident port (113) for all incoming
>>connections except for those where there is already a connection open. Some
>>mail servers appear to need an open ident port before accepting email, or
>>at least need significantly more time to accept email. How can I make
>>netfilter accept incoming requests to this port when there is already
>>an active (smtp) connection?
>
>I don't know how (or if) that can be done, but you can eliminate the
>delay by sending port 113 to the REJECT target/rule instead of DROP.
>
I will try this; it could indeed be that 'receivers' just want to connect.
>
>--------------------------------------------
>Bruce Smith bruce@armintl.com
>System Administrator / Network Administrator
>Armstrong International, Inc.
>Three Rivers, Michigan 49093 USA
>http://www.armstrong-intl.com/
>--------------------------------------------
>
>_______________________________________________
>Members mailing list
>Members@kalamazoolinux.org
>
>
>
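The two fixes discussed in this thread, written out as an added example (this is not code from the thread or from either participant): the anti-spoofing LOG rule with a DROP behind it, the `-n` listing, and ident handled with REJECT. The interface name `eth0`, the `--reject-with tcp-reset` variant of REJECT, and the two lint functions are assumptions; the rules are emitted as text for review rather than applied, so the block runs without root or netfilter.

```shell
# Added example, not from the thread. EXTERN defaults to an assumed eth0; the
# rules are printed, not executed, so review them before feeding them to sh.

EXTERN="${EXTERN:-eth0}"        # assumed external interface
LOCALNET="127.0.0.0/8"          # the thread's $LOCALADDR; /8 covers all of loopback

# Anti-spoofing: loopback addresses never legitimately arrive on the external
# interface, so log them with a prefix (for detection) and then drop them.
# Written as a numeric CIDR the rule itself needs no resolver; the delay in the
# thread came from `iptables -L` mapping 127.0.0.0 back to a name, which the
# -n (numeric) switch suppresses.
antispoof_rules() {
    printf '%s\n' \
      "iptables -A INPUT -i $EXTERN -s $LOCALNET -j LOG --log-prefix \"SPOOFING \"" \
      "iptables -A INPUT -i $EXTERN -s $LOCALNET -j DROP"
}

# Ident (113/tcp): conntrack cannot tie an inbound ident query to the SMTP
# session it belongs to, because it is a separate NEW connection from the
# remote MTA. The workable approach is to answer it at once with a TCP RST, so
# the MTA gets an immediate "no ident" instead of waiting for a DROP to time out.
ident_rules() {
    printf '%s\n' \
      "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport 113 -m state --state NEW -j REJECT --reject-with tcp-reset"
}

ruleset() { antispoof_rules; ident_rules; }

# Listing without resolver round trips, as recommended in the thread.
list_command() { echo "iptables -L -n -v"; }

# Lint (hypothetical helper): the ESTABLISHED,RELATED rule must precede the
# ident REJECT, otherwise packets of live connections could hit the REJECT.
state_rule_first() {
    ruleset | awk '
        /--state ESTABLISHED,RELATED/ && !s { s = NR }
        /--dport 113/ && /REJECT/ && !r { r = NR }
        END { exit !(s && r && s < r) }'
}

# Lint (hypothetical helper): does a -s/-d argument need DNS? A literal IPv4
# address or CIDR does not; a hostname is resolved when the rule is loaded and
# again by `iptables -L` without -n. Returns 0 when a lookup would happen.
needs_resolver() {
    case "$1" in
        *[!0-9./]*) return 0 ;;   # letters or other symbols: a name
        *)          return 1 ;;
    esac
}
```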