[KLUG Members] iptables

Bert Obbink members@kalamazoolinux.org
Tue, 30 Jul 2002 17:19:36 +0200



Bruce Smith wrote:

>>I have a couple of questions regarding iptables,
>>first, when I use 'iptables -L' to list the current config, a line of 
>>the config appears once every two or three seconds, so the whole config 
>>takes some time to show. I can't find out any reason for this behaviour.
>
>Probably a resolver delay.  Try adding a "-n" to display only numbers.
>
>  iptables -L -n
>
This did the trick. I included lines such as
iptables -A INPUT -i ${EXTERN} -s ${LOCALADDR} -j LOG --log-prefix "SPOOFING"

This logs packets coming in on the external interface using a 127.x.x.x 
address as spoofing packets. When I add a 127.0.0.0 line to the 
/etc/hosts file the timeouts disappear, but adding such a line does not 
make much sense, does it?

$LOCALADDR equals 127.0.0.1/8

Without the -n the line shows as:
LOG    all     --    loopback/8           anywhere
With the -n:
LOG    all    --     127.0.0.0/8             0.0.0.0

Any suggestions? Could this have any impact on how iptables functions 
(speed etc.)?

>>second, I want to close the ident port (113) for all incoming 
>>connections except for those where there is already a connection open. Some 
>>mail servers appear to need an open ident port before accepting email, or 
>>at least need significantly more time to accept email. How can I make 
>>netfilter accept incoming requests to this port when there is already 
>>an active (smtp) connection?
>
>I don't know how (or if) that can be done, but you can eliminate the
>delay by sending port 113 to the REJECT target/rule instead of DROP.
>
I will try this; it could indeed be that 'receivers' just want to connect.

>
>--------------------------------------------
>Bruce Smith                bruce@armintl.com
>System Administrator / Network Administrator
>Armstrong International, Inc.
>Three Rivers, Michigan  49093  USA
>http://www.armstrong-intl.com/
>--------------------------------------------

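The two points of the thread (anti-spoof logging of 127/8 on the external interface, and answering ident with REJECT rather than DROP so remote mail servers do not wait for a timeout) as a small rule builder. This is an added example, not code from the thread: the interface name eth0, the IPT variable and the function names are assumptions, and IPT defaults to a dry run that prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example (not from the original thread). IPT defaults to "echo iptables"
# so the script only prints the rules; run with IPT=iptables as root to apply.
EXTERN="${EXTERN:-eth0}"              # assumed external interface name
LOCALADDR="${LOCALADDR:-127.0.0.0/8}" # loopback range, as in the thread
IPT="${IPT:-echo iptables}"           # dry run by default

# Log, then drop, packets that arrive on the external interface with a
# loopback source address; such packets can only be spoofed. The trailing
# space in the prefix keeps the kernel log line readable.
antispoof_rules() {
    $IPT -A INPUT -i "$EXTERN" -s "$LOCALADDR" -j LOG --log-prefix "SPOOFING "
    $IPT -A INPUT -i "$EXTERN" -s "$LOCALADDR" -j DROP
}

# Answer ident (TCP 113) with a reset instead of silently dropping it: the
# remote mail server gets an immediate refusal and proceeds with SMTP,
# instead of waiting for its ident probe to time out.
ident_rules() {
    $IPT -A INPUT -i "$EXTERN" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# List numerically (-n) so iptables does not reverse-resolve every address,
# which is what made the listing crawl one line every few seconds.
list_rules() {
    $IPT -L INPUT -n -v
}

antispoof_rules
ident_rules
list_rules
```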