Re: [suse-security] reject identd on firewall
Hi Andreas, hi Gert,

now it works! I don't know exactly what was the problem, but I've now included only these rules for every mailserver:

$IPTABLES -I INPUT 1 -p TCP -s $ms --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -I FORWARD 1 -p TCP -s $ms --dport 113 -j REJECT --reject-with tcp-reset

and now I can send mail instantly, no DENYs any more. Without the --reject-with it did not work though, looks like Gert was right - packages without a reject-type seem to be just dropped, although iptables -L -v said something else.

Thank you very much for your help!

Best regards,
Ralf

Andreas Baetz wrote:
| On Wednesday 27 November 2002 18:34, Ralf Ronneburger wrote:
|
|>Hi Andreas,
|>
|>Andreas Baetz wrote:
|>
|>>You could try more general rules like
|>>iptables -I INPUT 1 -p TCP --dport 113 -j REJECT
|>>iptables -I INPUT 1 -p TCP --dport 113 -j LOG --log-prefix " Input identd"
|>>iptables -I FORWARD 1 -p TCP --dport 113 -j REJECT
|>>iptables -I FORWARD 1 -p TCP --dport 113 -j LOG --log-prefix " Forward identd"
|>>
|>>In this case the first 2 rules should be
|>>1. Logging
|>>2. Rejecting
|>>anything that goes to port 113
|>
|>Thanks for your help. But now it becomes even more strange: First I get two log-entries for dropped packages, then I get two log-entries for rejected packages. But they look very much the same to me:
|>
|>Nov 27 18:25:29 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<External-IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=32011 PROTO=TCP SPT=1953 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
|>
|>Nov 27 18:28:15 internet kernel: Input identd IN=ppp0 OUT= MAC= SRC=<Mailserver-IP> DST=<External-IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36212 PROTO=TCP SPT=1991 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
|>
|
| You could check the following:
| What happens if you comment out the actual REJECT Rule, leaving only the LOG Rule in place ? Does one packet get logged twice ?
| Do you have the netfilter code compiled as modules or into the kernel ? Maybe not all modules are loaded the first time ?
|
| Andreas

-- 
------------------------------------------------------------
Ralf Ronneburger ralf@ronneburger.de
Prefers to receive encrypted Mail, download public-key from
http://www.ronneburger.de/gpg/ralf_ronneburger.asc
------------------------------------------------------------
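As an added example, not part of the thread and not either poster's own script: a POSIX shell snippet that generates the identd rules Ralf settled on (LOG then REJECT with tcp-reset, per source mail server, in INPUT and FORWARD) and an awk helper that summarises port-113 hits from netfilter LOG lines of the kind quoted above. The IPTABLES variable defaults to a dry-run echo so it runs without root; the addresses and the log lines are constructed sample data, not from the list.

```shell
#!/bin/sh
# Added example, not from the suse-security thread. Dry run by default:
# IPTABLES="echo iptables" only prints the commands. Set IPTABLES=iptables
# (as root) to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# identd_rules <chain> <mailserver-ip>...
# Each rule is inserted at position 1, REJECT first and LOG second, so the
# final order at the top of the chain is LOG, then REJECT.
# --reject-with tcp-reset answers the identd SYN with a TCP RST; without it
# iptables REJECT defaults to icmp-port-unreachable.
identd_rules() {
    chain=$1; shift
    for ms in "$@"; do
        $IPTABLES -I "$chain" 1 -p tcp -s "$ms" --dport 113 -j REJECT --reject-with tcp-reset
        $IPTABLES -I "$chain" 1 -p tcp -s "$ms" --dport 113 -j LOG --log-prefix "$chain identd "
    done
}

# count_identd_hits: reads kernel LOG lines on stdin and prints
# "<log-prefix> <SRC> <count>" for every line with DPT=113, sorted.
# The prefix is whatever sits between "kernel: " and " IN=".
count_identd_hits() {
    awk '
        /DPT=113( |$)/ {
            prefix = $0
            sub(/^.*kernel: /, "", prefix)
            sub(/ IN=.*$/, "", prefix)
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            count[prefix " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample log (documentation addresses, not real hosts):
# one DROP-TCP hit, two "Input identd" hits, and one unrelated port-25 line.
SAMPLE_LOG='Nov 27 18:25:29 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=32011 PROTO=TCP SPT=1953 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 18:28:15 internet kernel: Input identd IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36212 PROTO=TCP SPT=1991 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 18:30:00 internet kernel: Input identd IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36300 PROTO=TCP SPT=2004 DPT=113 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 18:31:00 internet kernel: DROP-TCP IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36400 PROTO=TCP SPT=2010 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0'

# Dry-run demonstration: print the rules for two mail servers, then the
# per-prefix summary of the sample log.
identd_rules INPUT 192.0.2.10 192.0.2.11
identd_rules FORWARD 192.0.2.10 192.0.2.11
printf '%s\n' "$SAMPLE_LOG" | count_identd_hits
```

Two points the thread turns on are visible in the dry-run output: because both rules use `-I <chain> 1`, emitting REJECT before LOG is what leaves LOG above REJECT in the chain, and `--reject-with tcp-reset` is the option that makes the mail server's identd probe fail with an immediate connection refused rather than an ICMP error. The summary helper is a quick way to check, from the logs alone, whether a given source is still reaching the DROP rule or is now being caught by the identd rule.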