Hi all, I could use some advice on a firewall configuration. My current setup is this:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p TCP -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p TCP -i eht0 --dport 22 -j ACCEPT
iptables -A INPUT -p UDP -i eht0 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 1.2.3.4 -j ACCEPT

The problem is that nothing can connect to or from the machine.
I'm on Debian, kernel 2.4.26.
Can you tell me what I've got wrong?
Thanks.


nudzo      25.05.2004 - 17:22:47, level: 1
Don't forget that after a successful connection on the server port, the communication gets redirected to some free port above 1024... and you drop everything except 80 and 22...
Fix this up... http://iptables-tutorial.frozentux.net/scripts/rc.firewall.txt or study it... ;-)

juraj      25.05.2004 - 17:41:38, level: 2
Nonsense, why would it get redirected?

jurajbug:~ juraj$ sudo tcpdump -i en1 -n host www.kyberia.sk
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
17:37:18.282709 IP 192.168.2.110.50120 > 195.168.3.82.80: S 1547229166:1547229166(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 3641030868 0>
17:37:18.296930 IP 195.168.3.82.80 > 192.168.2.110.50120: S 4049419239:4049419239(0) ack 1547229167 win 5792 <mss 1460,nop,nop,timestamp 80340284 3641030868,nop,wscale 0>
17:37:18.297035 IP 192.168.2.110.50120 > 195.168.3.82.80: . ack 1 win 65535 <nop,nop,timestamp 3641030868 80340284>
17:37:21.398875 IP 192.168.2.110.50120 > 195.168.3.82.80: P 1:17(16) ack 1 win 65535 <nop,nop,timestamp 3641030875 80340284>
17:37:21.412205 IP 195.168.3.82.80 > 192.168.2.110.50120: . ack 17 win 5792 <nop,nop,timestamp 80340596 3641030875>
17:37:22.004650 IP 192.168.2.110.50120 > 195.168.3.82.80: P 17:19(2) ack 1 win 65535 <nop,nop,timestamp 3641030876 80340596>
17:37:22.021470 IP 195.168.3.82.80 > 192.168.2.110.50120: . ack 19 win 5792 <nop,nop,timestamp 80340657 3641030876>
17:37:22.025638 IP 195.168.3.82.80 > 192.168.2.110.50120: P 1:453(452) ack 19 win 5792 <nop,nop,timestamp 80340657 3641030876>
17:37:22.026155 IP 195.168.3.82.80 > 192.168.2.110.50120: F 453:453(0) ack 19 win 5792 <nop,nop,timestamp 80340657 3641030876>
17:37:22.026213 IP 192.168.2.110.50120 > 195.168.3.82.80: . ack 454 win 65535 <nop,nop,timestamp 3641030876 80340657>
17:37:22.029994 IP 192.168.2.110.50120 > 195.168.3.82.80: F 19:19(0) ack 454 win 65535 <nop,nop,timestamp 3641030876 80340657>
17:37:22.043851 IP 195.168.3.82.80 > 192.168.2.110.50120: . ack 20 win 5792 <nop,nop,timestamp 80340659 3641030876>

(In a second window I ran telnet to www.kyberia.sk 80 and fetched a page.) Nothing got redirected anywhere; on the server it's still port 80.

What's true is that a connection is uniquely identified by the four-tuple (source address, source port, destination address, destination port).

And that's exactly what I solved with -m state --state ESTABLISHED,RELATED


nudzo      25.05.2004 - 19:09:34, level: 3
Aah, some strange imprints surfaced from the days when I was doing lab assignments like "write a TCP server/client without using the BSD sockets from libc"... So I'm misleading you... :-) But I did exactly the same thing... -m state --state ESTABLISHED,RELATED and there's no need to think about the current state of the connection... BTW, from that dump you can see why the rules above aren't right, i.e. why connections don't work. BTW2, when debugging I recommend these two lines last for INPUT:
iptables -A INPUT -p TCP -j LOG --log-prefix "TCP -> REJECT:"
iptables -A INPUT -p TCP -j REJECT
Likewise for UDP... the 1st line logs, the 2nd answers odd connection attempts with ICMP (so traceroute shows what it should at the last hop instead of * * *).

juraj      25.05.2004 - 21:52:29, level: 4
For the log, definitely add -m limit with some reasonable rate too.

hroch      26.05.2004 - 15:24:59, level: 5
Thanks guys.

juraj      25.05.2004 - 16:04:29, level: 1
To the rules with a port (for tcp) add --syn as well, and also add

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

(Best placed right after the -P lines, since that will probably be the majority of packets, so they get matched immediately.)
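
A small model of how the posted INPUT chain treats packets, added here as an example and not part of the thread. It covers only the matching options the posted rules use, the packets and their conntrack states are constructed by hand, and nothing touches a real netfilter; it shows why a server's reply to the box's own outgoing connection is dropped without the state rule, and that the "eht0" typo in the posted rules leaves inbound SSH dropped even with it.

```python
# Added example (not from the thread): a toy iptables INPUT-chain matcher
# covering only -P policy, -p, -i, --dport, --icmp-type and -m state.
# Packets are dicts built by hand; "state" stands in for the conntrack
# state a real kernel would attach. Nothing here touches a real firewall.

def rule(proto=None, iface=None, dport=None, icmp_type=None, state=None):
    """One '-A INPUT ... -j ACCEPT' line; None means 'any'."""
    return dict(proto=proto, iface=iface, dport=dport,
                icmp_type=icmp_type, state=state)

def matches(r, pkt):
    """True when every option given in the rule agrees with the packet."""
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["dport"] and r["dport"] != pkt.get("dport"):
        return False
    if r["icmp_type"] is not None and r["icmp_type"] != pkt.get("icmp_type"):
        return False
    if r["state"] and pkt["state"] not in r["state"]:
        return False
    return True

def verdict(rules, pkt, policy="DROP"):
    """First matching ACCEPT rule wins; otherwise the chain policy applies."""
    for r in rules:
        if matches(r, pkt):
            return "ACCEPT"
    return policy

# The INPUT chain as posted at the top of the thread (including the
# 'eht0' typo on the SSH and UDP lines, kept exactly as written).
ORIGINAL = [
    rule("tcp", "eth0", dport=80),
    rule("tcp", "eht0", dport=22),
    rule("udp", "eht0"),
    rule("icmp", "eth0", icmp_type=0),
    rule("icmp", "eth0", icmp_type=3),
    rule("icmp", "eth0", icmp_type=8),
    rule("icmp", "eth0", icmp_type=11),
    rule(iface="lo"),
]
# The suggested fix: the stateful rule first, so replies to the box's own
# connections are accepted before the per-port rules are even consulted.
FIXED = [rule(state=("ESTABLISHED", "RELATED"))] + ORIGINAL

# Constructed packets: a web server's SYN-ACK coming back to the box's
# ephemeral port, and a fresh inbound SSH connection attempt on eth0.
REPLY = dict(proto="tcp", iface="eth0", dport=50120, state="ESTABLISHED")
SSH_SYN = dict(proto="tcp", iface="eth0", dport=22, state="NEW")
```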

hroch      25.05.2004 - 16:41:58, level: 2
I added it, and I also changed the UDP rule so it only accepts port 53.
Unfortunately it didn't help.. apparently it still drops everything..

uz.nebudem.tolko.fetovat      25.05.2004 - 16:53:04, level: 3
Well then... add some chains with the LOG target and log what it would be dropping...

juraj      25.05.2004 - 16:55:30, level: 4
Yep.

juraj      25.05.2004 - 16:52:28, level: 3
Oh, and of course add the same state rule for OUTPUT as well.