[KLUG Members] iptables

Bruce Smith members@kalamazoolinux.org
30 Jul 2002 11:49:36 -0400


> >>I have a couple of questions regarding iptables,
> >>first, when I use 'iptables -L' to list the current config, a line of 
> >>the config appears once every two or three seconds, so the whole config 
> >>takes some time to show. I can't find out any reason for this behaviour.
> >
> >Probably a resolver delay.  Try adding a "-n" to display only numbers.
> >
> >  iptables -L -n
>
> this did the trick, I included lines such as
> iptables -A INPUT -i ${EXTERN} -s ${LOCALADDR} -j LOG --log-prefix "SPOOFING"
> 
> this logs packets coming in on the external interface using a 127.x.x.x 
> address as spoofing packets. When I add a 127.0.0.0 line to the 
> /etc/hosts file the timeouts disappear, but adding such a line does not 
> make much sense, does it?

Yes, localhost should be in /etc/hosts, like:

127.0.0.1		localhost.localdomain localhost

> $LOCALADDR equals to 127.0.0.1/8
> 
> without the -n the line shows as
> LOG    all     --    loopback/8           anywhere
> with the -n
> LOG    all    --     127.0.0.0/8             0.0.0.0
> 
> any suggestions? Could this have any impact on how iptables functions 
> (speed etc)?

It makes no difference to iptables, since it's only on the display where
it tries to convert numbers to domain names.

Also check your /etc/resolv.conf to make sure the nameservers listed
there are valid and working.

> >>second, I want to close the ident port (113) for all incoming 
> >>connections except for those where there is already a connection open. Some 
> >>mail servers appear to need an open ident port before accepting email, or 
> >>at least need significantly more time to accept email. How can I make 
> >>netfilter accept incoming requests to this port when there is already 
> >>an active (smtp) connection?
> >
> >I don't know how (or if) that can be done, but you can eliminate the
> >delay by sending port 113 to the REJECT target/rule instead of DROP.
> >
> I will try this, it could indeed be that 'receivers' just want to connect.

REJECT will reply back with an ICMP reject message, and the servers will
realize that "ident" is not available on that server.  DROP will not
respond to the connect request on port 113, and the remote server will
wait until it times out (hence the delay).

--------------------------------------------
Bruce Smith                bruce@armintl.com
System Administrator / Network Administrator
Armstrong International, Inc.
Three Rivers, Michigan  49093  USA
http://www.armstrong-intl.com/
--------------------------------------------
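The two points from the thread (log loopback spoofs on the external interface, and answer ident with a reject instead of a silent drop) put together as a small firewall fragment. This is an added example, not code from the thread; it assumes an external interface named eth0, uses a TCP reset as the reject type, and wraps every call in an `$IPT` variable so the rules can be previewed with plain `echo` before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults to printing the rules;
# run with IPT=iptables as root to actually apply them.
IPT="${IPT:-echo iptables}"
EXTERN="${EXTERN:-eth0}"     # assumed name of the external interface
LOCALADDR="127.0.0.0/8"      # loopback range, as used in the thread

# Emit the rules; each line is one iptables invocation.
firewall_rules() {
    # A packet arriving on the external interface with a loopback source
    # address is spoofed. LOG is non-terminating, so DROP must follow it.
    $IPT -A INPUT -i "$EXTERN" -s "$LOCALADDR" -j LOG --log-prefix "SPOOFING "
    $IPT -A INPUT -i "$EXTERN" -s "$LOCALADDR" -j DROP

    # Ident (113): a TCP RST tells the remote mail server immediately that
    # ident is unavailable, instead of letting it wait for a DROP to time out.
    $IPT -A INPUT -i "$EXTERN" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# Preview check: how many of the emitted rules mention a given token.
# Runs in a subshell with IPT forced to echo, so nothing is applied.
count_rules_with() {
    ( IPT="echo iptables"; firewall_rules ) | grep -c -- "$1"
}

firewall_rules
# When listing the result, -n skips the reverse lookups that caused the
# slow output described in the thread:  iptables -L INPUT -n -v
```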