Re: netfilter digest, Vol 1 #1310 - 11 msgs

I am new to studying network security and iptables. The questions and answers are very helpful to a student. Is there any quick way to learn how to write iptables rules and a policy? I am struggling.
 
bill
netfilter-request@xxxxxxxxxxxxxxxxxxx wrote:
Send netfilter mailing list submissions to
netfilter@xxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.netfilter.org/mailman/listinfo/netfilter
or, via email, send a message with subject or body 'help' to
netfilter-request@xxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
netfilter-admin@xxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of netfilter digest..."


Today's Topics:

1. System Load (Rohit)
2. Caching of rules in PRE(POST)ROUTING chains? (Pavel V. Yanchenko)
3. iptables questions (Antti Korpela)
4. iptables ipforwarding issue (Michael Menges)
5. RE: A little help? (Chris Winfield-Blum)
6. Re: Documentation for the u32 module (Harald Welte)
7. Re: System Load (Ray Leach)
8. Re: Caching of rules in PRE(POST)ROUTING chains? (Ray Leach)
9. Re: Caching of rules in PRE(POST)ROUTING chains? (Antony Stone)
10. Changes in kernel >= 2.4.20 ? (Martin Petruzzi)
11. Re: System Load (bikrant@xxxxxxxxxxxx)

--__--__--

Message: 1
From: Rohit
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: System Load
Date: Fri, 14 Nov 2003 15:19:11 +0545
Cc: lartc@xxxxxxxxxxxxxxx

Hi,
Is it possible to know how much system resources (cpu/memory load) that the
netfilter module(s) is using? We are using HTB to shape our client traffic
and there are 4 iptables rule for each client in the mangle table. I think it
will be helpful to gather such data and graph it using mrtg.

I'm really sorry if someone has already asked about it.
Thanks a lot.

with regards,
Rohit Nepali


--__--__--

Message: 2
Date: Sat, 15 Nov 2003 11:07:35 +0300
From: "Pavel V. Yanchenko"
Reply-To: balrog@xxxxxxxxxxx
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Caching of rules in PRE(POST)ROUTING chains?

Hello.

As far as I understand, rules in PRE- and POSTROUTING chains are
cached? Because when I delete a rule with SNAT target for ip
192.168.10.10 this address's packets are still SNATed for several
minutes. The same thing happens for rules in PREROUTING chains.
Is it possible to disable this feature? Maybe there is some file in
/proc where cached rules are listed?

Thanks in advance.

--
Best regards,
Pavel mailto:balrog@xxxxxxxxxxx



--__--__--

Message: 3
From: "Antti Korpela"
To:
Subject: iptables questions
Date: Sat, 15 Nov 2003 12:51:40 +0200

Hi,

I have here some questions and i hope you have some time to answer

1. What is the difference, and which is better, between iptables -t nat -j MASQUERADE and SNAT --to IP if I'm using it for an internet gateway NAT machine at big LAN parties, over 300 IPs?
2. I often get this error: "too much work on eth0, dropping packet...". What does this mean? Do I have to set this on the kernel: echo "65000" > /proc/sys/net/ipv4/ip_conntrack_max ? Are there any other solutions for this?
3. Do you have some other tips for MASQ? :)

Thanks for your time and support!



--__--__--

Message: 4
From: "Michael Menges"
To:
Subject: iptables ipforwarding issue
Date: Sat, 15 Nov 2003 22:31:04 -0500

Just upgraded to a 2.4.22 kernel from 2.2.x and now must learn iptables just when I got ipchains down. ;)
Anyhow, I need some help getting my firewall box to forward traffic for certain services, foremost https.

Here's what I have thus far:
iptables -P FORWARD DROP
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -p tcp -i eth0 -o eth1 -d 12.249.0.0/16 --dport 443

12.249.0.0/16 is eth0 and is my inet connection. 192.168.0.0/24 is eth1 and is my localnet interface.
Where do I go from here to bridge the gap allowing access to my https server inside my localnet?

Thanks for any help you might spare me. ;)

Mike


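The piece missing from the script above is a nat/PREROUTING rule that rewrites the public destination to the internal server, plus a FORWARD rule that matches the address *after* that rewrite. The following is an added example written for this digest, not Mike's rules or anything posted on the list. The interface names and the 192.168.0.0/24 prefix come from the post; the internal server address 192.168.0.10 is an assumption, and the IPT/WAN_IF/LAN_IF variables exist only so the script can be dry-run.

```sh
#!/bin/sh
# Added example (not from the original post): port-forward inbound HTTPS
# from the Internet-facing interface to a server on the LAN, with the
# FORWARD rules that let the rewritten packets through.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
HTTPS_SERVER="${HTTPS_SERVER:-192.168.0.10}"   # assumed internal https host

forward_https() {
    # Default deny for transit traffic; replies ride on connection tracking.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the destination of port-443 connections arriving on the
    # public interface. This happens in nat/PREROUTING, before routing.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 443 \
        -j DNAT --to-destination "$HTTPS_SERVER"

    # FORWARD sees the packet after DNAT, so match the internal address,
    # not the public 12.249.0.0/16 range from the original rule.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$HTTPS_SERVER" \
        --dport 443 -m state --state NEW -j ACCEPT

    # Outbound LAN traffic: permit new connections and masquerade them
    # behind the public address on the way out.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
    # Turn on routing only after the policy is loaded, never before.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

dry_run() {
    # Print the rules instead of loading them, for review before "apply".
    ( IPT=echo; forward_https )
}

case "${1:-}" in
    apply) forward_https && enable_forwarding ;;
    *)     dry_run ;;
esac
```

Run it with no arguments to see the rules it would load, and with "apply" as root to load them. Keep the DNAT rule restricted to -i "$WAN_IF": without that, a host on the LAN that connects to the firewall's public address on port 443 is also rewritten, which is usually not what you want.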


--__--__--

Message: 5
Subject: RE: A little help?
Date: Mon, 17 Nov 2003 13:46:47 +0800
From: "Chris Winfield-Blum"
To: ,

Hopefully My answers will help

Thanks Guys


-----Original Message-----
From: Mark E. Donaldson [mailto:markee@xxxxxxxxxxxxxxx]
Sent: Sunday, November 16, 2003 5:17 AM
To: Chris Winfield-Blum; netfilter@xxxxxxxxxxxxxxx
Subject: RE: A little help?


Chris - couple of questions for you:

1. You have supplied two scripts here. Which one are you trying to use, or
which one do you want help with to solve your problem? That will help
narrow the focus down.

# ANSWER #

I am currently using fw.leadside which is working but not allowing
everything to be forwarded to the proxy server as required.

fw_leadingside is the script that I started to write to do the proxy
server side of it, HOWEVER this is not working...
so when giving suggestions maybe use this one as the base.


2. What specific problems are you having now with your firewall? You
mention that Guard Dog is "stuffing up" iptables, but this means very little
to me. If you could be more specific as to what is not working that would
be helpful.

# ANSWER #

I stopped using Guarddog and started writing the iptables script to
enter all the information in...
At the moment I need to:
** create a "group" of $CLIENTS that are machines within the IP range of
192.168.1.11-192.168.1.249
** have $CLIENTS automatically forwarded to 3128 for web requests (but
leaving open 25 and 110 to go through normal firewall rules, not the
proxy)
** I then need every other port blocked so that Yahoo and MSN etc.
won't go through another port.



3. What type of connection are your internal clients connected to? Do they
have static IPs, or are they being assigned IPs by DHCP?

# ANSWER #

Machines in the LAN are set IPs via DHCP which is done by another
machine on the network, but servers etc. are static IPs.

4. You have several rule chains defined (i.e. firewalled, tcpflags,
silent), and yet I don't see any rules for these. What are you trying to do
here?

# ANSWER #

To be honest I don't know! haha. I have pulled these things out of other
scripts etc...


Clear up some of these questions and issues, and someone may be able to help
you. Right now, there are too many unknowns and unexplained issues.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Chris
Winfield-Blum
Sent: Friday, November 14, 2003 12:46 AM
To: netfilter@xxxxxxxxxxxxxxx
Subject: A little help?

Hi everyone.. i hope that one of you may be able to help...

Hi, my name is Chris and I'm currently setting up a firewall for my office.
However I am pretty much a novice and am having some problems... I read one
of your scripts and thought you would be a good person to get in contact
with IF I could.

I have a firewall up and running BUT my boss is wanting me to block Instant
Messaging... I have worked out HOW to do this, however the system that I had
working was causing problems with the email (I was using Guarddog for KDE).

So I have resorted to handwriting everything as I should probably have done
beforehand.

I was hoping that you would be able to help me out... I am limited by what I
can do to the network because this is a "stable" network (even though they
did not have a firewall before I came 3 weeks ago).

I have installed a proxy server on the same box as the firewall and the
rules successfully prevent clients from accessing Yahoo and MSN (which a
normal firewall wouldn't because they would go through on port 80 etc.)

BUT when Guarddog was used it was stuffing up the iptables.. (e.g. I would
open port 80 and it would close it)

EXACTLY WHAT I NEED
------------------------------------

I need to have two sections to the firewall.. one being the server and
privileged machines (kind of like a DMZ BUT on the same IP range as the
clients, much to my disgust).

Local clients are from 192.168.1.11-192.168.1.249 (not my setup).

I want any machines that are not included in this to NOT have to go through
the firewall if possible. If not all of them, I need the mail server
(residing on 192.168.1.251) to not be, if possible.

I would like the following ports FORWARDED to 192.168.1.251:
25 80 110 443
That way the squid will do the rules to filter out bad ports etc.
(right?)

I would like all machines that are clients to be automatically FORWARDED to
port 3128 so that the rules can stop the chatting etc.

I have given links to my "attempt" at this but am really stuck on it.. I
realise you have probably got better things to spend your time with but I
would be eternally grateful. This would take me HOURS but probably take you
minutes. I hope to hear from you soon.

http://web.igateway.com.au/~chrislive/iptables/fw.leadside
http://web.igateway.com.au/~chrislive/iptables/fw_leadingside


Thank you
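What Chris describes in his "At the moment I need to" list (a client range sent through the local squid for web, mail through the normal rules, everything else from clients blocked, servers outside the range untouched) is an added example below written for this digest; it is not Chris's fw_leadingside script or anything posted on the list. It assumes eth1 is the LAN side and eth0 the Internet side, that the iprange and multiport matches are available (iprange was a patch-o-matic extension at the time), and, as a policy choice not in the post, that 443 and DNS are forwarded directly because squid cannot intercept HTTPS transparently and clients still have to resolve names. The IPT variable exists only so the script can be dry-run.

```sh
#!/bin/sh
# Added example (not Chris's script): transparent proxy for a client range,
# mail forwarded normally, everything else from clients dropped.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"       # assumed LAN interface
WAN_IF="${WAN_IF:-eth0}"       # assumed Internet interface
CLIENTS="192.168.1.11-192.168.1.249"   # range from the post
PROXY_PORT=3128

client_policy() {
    # Replies for anything already accepted come back via conntrack.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Web requests from the client range are intercepted and sent to squid
    # on this box (REDIRECT = DNAT to a local address), and the proxy port
    # is opened to them in INPUT.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -m iprange --src-range "$CLIENTS" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    $IPT -A INPUT -i "$LAN_IF" -m iprange --src-range "$CLIENTS" \
        -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # Mail goes through the normal forwarding path. 443 is included as an
    # assumption: squid of this era cannot intercept HTTPS.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m iprange --src-range "$CLIENTS" \
        -p tcp -m multiport --dports 25,110,443 -m state --state NEW -j ACCEPT
    # Assumption: clients resolve names outside the LAN, so allow DNS too.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m iprange --src-range "$CLIENTS" \
        -p udp --dport 53 -j ACCEPT

    # Anything else from a client is dropped, so IM cannot fall back to
    # another port. Log a rate-limited sample so the drops are visible.
    $IPT -A FORWARD -i "$LAN_IF" -m iprange --src-range "$CLIENTS" \
        -m limit --limit 5/min -j LOG --log-prefix "client-drop: "
    $IPT -A FORWARD -i "$LAN_IF" -m iprange --src-range "$CLIENTS" -j DROP

    # Hosts outside the range (e.g. the mail server on 192.168.1.251) are
    # not matched by any of the above and fall through to the rest of the
    # ruleset.
}

dry_run() { ( IPT=echo; client_policy ); }

case "${1:-}" in
    apply) client_policy ;;
    *)     dry_run ;;
esac
```

Order matters here: the ESTABLISHED,RELATED rule has to sit above the final DROP, and the REDIRECT is limited to -i "$LAN_IF" so that traffic from the firewall itself or from the Internet side is never sent into squid.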




--__--__--

Message: 6
Date: Mon, 17 Nov 2003 09:56:01 +0100
From: Harald Welte
To: William Stearns
Cc: Fabrice Marie ,
ML-netfilter ,
ML-netfilter-devel ,
webmaster@xxxxxxxxxxxxx, Don Cohen
Subject: Re: Documentation for the u32 module



On Sat, Nov 15, 2003 at 05:06:38PM -0500, William Stearns wrote:
> > Would you be willing to merge your u32 documentation with that?
>
> Harald, I'd be honored to!

;) don't exaggerate.

> With the help of http://www.stearns.org/html2sgml :-), I've got
> that article in sgml form, ready to go. Fabrice, I've patched against
> your 1.30 Netfilter-extensions-HOWTO. Here are the files of interest:
>
> http://www.stearns.org/patches/netfilter-extensions-HOWTO.1.31.sgml

ok, i've merged your patch to our CVS repository. Will do a homepage
update soon, so it becomes visible to the public.

> Cheers,
> - Bill

-- 
- Harald Welte http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie



--__--__--

Message: 7
Subject: Re: System Load
From: Ray Leach
To: Netfilter Mailing List
Organization: Knowledge Factory
Date: Mon, 17 Nov 2003 11:16:25 +0200



On Fri, 2003-11-14 at 11:34, Rohit wrote:
> Hi,
> Is it possible to know how much system resources (cpu/memory load) that the
> netfilter module(s) is using? We are using HTB to shape our client traffic
> and there are 4 iptables rule for each client in the mangle table. I think it
> will be helpful to gather such data and graph it using mrtg.
>
Just remember, iptables is only used to mark the traffic. tc is used to
classify and shape the traffic.

> I'm really sorry if someone has already asked about it.
> Thanks a lot.
>=20
> with regards,
> Rohit Nepali
-- 
--
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--




--__--__--

Message: 8
Subject: Re: Caching of rules in PRE(POST)ROUTING chains?
From: Ray Leach
To: Netfilter Mailing List
Organization: Knowledge Factory
Date: Mon, 17 Nov 2003 11:17:51 +0200



On Sat, 2003-11-15 at 10:07, Pavel V. Yanchenko wrote:
> Hello.
>
> As far as I understand, rules in PRE- and POSTROUTING chains are
> cached? Because when I delete a rule with SNAT target for ip
> 192.168.10.10 this address's packets are still SNATed for several
> minutes. The same thing happens for rules in PREROUTING chains.
Isn't it the connection tracking table that's cached and NOT the rules?
Active connections need to timeout first.

> Is it possible to disable this feature? Maybe there is some file in
> /proc where cached rules are listed?
>
> Thanks in advance.
-- 
--
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--




--__--__--

Message: 9
From: Antony Stone
Organization: Software Solutions
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Caching of rules in PRE(POST)ROUTING chains?
Date: Mon, 17 Nov 2003 09:24:42 +0000

On Saturday 15 November 2003 8:07 am, Pavel V. Yanchenko wrote:

> Hello.
>
> As far as I understand, rules in PRE- and POSTROUTING chains are
> cached? Because when I delete a rule with SNAT target for ip
> 192.168.10.10 this address's packets are still SNATed for several
> minutes. The same thing happens for rules in PREROUTING chains.
> Is it possible to disable this feature? Maybe there is some file in
> /proc where cached rules are listed?

No, there is no caching of rules in netfilter; however, packets which are
part of an ESTABLISHED connection will continue to be processed without
reference to the rules in PRE/POSTROUTING because of the connection tracking
table entry - only the first packets of connections ever go through the
explicit rules in these tables - all following packets are automagically
processed behind the scenes.

This is the effect you are seeing, I'm sure.

Antony.

--

Christianity tells you to work hard today for little or no reward, and
tomorrow you will die and awake in paradise.

Marxism says work hard today for little or no reward; tomorrow you will die
and your children will awake in paradise.

- Len Deighton, Billion Dollar Brain
Please reply to the list;
please don't CC me.
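Pavel's "some file in /proc" does exist, but it lists connections rather than rules: /proc/net/ip_conntrack on 2.4 kernels prints one entry per tracked connection, with the original tuple (src= dst= sport= dport=) followed by the reply tuple. The NAT mapping Ray and Antony describe is visible right there: an entry whose original src differs from its reply dst is being SNATed, and one whose original dst differs from its reply src is being DNATed. The script below is an added example for this digest, not from anyone on the thread. The three conntrack lines in it are constructed to look like 2.4-era output (a flow from 192.168.10.10 still SNATed to 203.0.113.5, a plain untranslated UDP flow, and an inbound DNATed HTTPS flow); on a live box feed the real file in instead.

```sh
#!/bin/sh
# Added example (not from the thread): read /proc/net/ip_conntrack-style
# lines and report which flows still carry a NAT mapping. A mapping is
# present where original src != reply dst (SNAT) or original dst != reply
# src (DNAT). The entries in sample_conntrack are constructed sample data.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.10.10 dst=198.51.100.20 sport=40012 dport=80 src=198.51.100.20 dst=203.0.113.5 sport=80 dport=40012 [ASSURED] use=1
udp      17 29 src=192.168.10.11 dst=192.168.10.1 sport=1234 dport=53 src=192.168.10.1 dst=192.168.10.11 sport=53 dport=1234 use=1
tcp      6 300 ESTABLISHED src=198.51.100.77 dst=203.0.113.5 sport=51000 dport=443 src=192.168.0.10 dst=198.51.100.77 sport=443 dport=51000 [ASSURED] use=1
EOF
}

list_nat_flows() {
    # Reads conntrack lines on stdin; prints one line per active NAT mapping.
    while read -r line; do
        n=0; os=""; od=""; rs=""; rd=""
        set -f                 # no globbing: "[ASSURED]" is a pattern to the shell
        for w in $line; do
            case $w in
                src=*|dst=*)
                    n=$((n + 1))
                    v=${w#*=}
                    case $n in
                        1) os=$v ;;   # original source
                        2) od=$v ;;   # original destination
                        3) rs=$v ;;   # reply source
                        4) rd=$v ;;   # reply destination
                    esac
                    ;;
            esac
        done
        set +f
        # Both tuples present: compare them to spot a translation.
        if [ "$n" -ge 4 ]; then
            if [ "$os" != "$rd" ]; then
                echo "SNAT $os -> $rd (to $od)"
            fi
            if [ "$od" != "$rs" ]; then
                echo "DNAT $od -> $rs (from $os)"
            fi
        fi
    done
    return 0
}

# On a live 2.4 box:  list_nat_flows < /proc/net/ip_conntrack
sample_conntrack | list_nat_flows
```

The third column of each entry is the remaining lifetime in seconds, which is why a deleted SNAT rule keeps "working" for a while: an established TCP flow sits in the table for days unless it is closed or the timeout is reached. The 2.4 kernel gives no way to delete a single entry short of unloading ip_conntrack; on later kernels the conntrack-tools utility can remove them selectively (for instance "conntrack -D -s 192.168.10.10").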


--__--__--

Message: 10
Date: Mon, 17 Nov 2003 11:06:42 +0100
From: Martin Petruzzi
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Changes in kernel >= 2.4.20 ?

Hello

Apparently there have been changes in the kernel since 2.4.20 concerning netfilter. NAT, masquerading, forwarding or whatever it is called does not work the same as before. I have the rules as follows:

#!/bin/bash
/sbin/modprobe iptable_nat
/opt/sbin/iptables -F
/opt/sbin/iptables -X
/opt/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
...
and so on.

This worked perfectly with kernels < 2.4.20. Now I'm on 2.4.22 and NAT only works partially. The system is RH7.2. I tried the latest iptables from updates.redhat.com and also compiled the latest from netfilter.org. I had no errors at all, neither while compiling (kernel/iptables) nor while installing or inserting the rules.


=== message truncated ===
