[Linux-Anyway] Re: Uh-oh -- what have I done?

  • From: Meph Istopheles <meph@xxxxxxxxxxxxxxxxxxx>
  • To: Linux-Anyway@xxxxxxxxxxxxx
  • Date: Mon, 17 Mar 2003 10:33:54 -0800 (PST)


> Whenever you catch yourself thinking that horror knows better,
> consider this a sure indicator that you're losing your mind
> ;-)

  Sounds familiar;-).

> > > ipchains -I forward -s <private IP's> -d <public IP's> -j ACCEPT
> > > ipchains -A forward -s <private IP's> -d <internet - 0.0.0.0> -j MASQ

> > > The precedence matters, in a chain, so a good choice
> > > whether to insert at the beginning (-I) or append (-A) to
> > > the chain is crucial. The masqing rules must come last.

> >   Uh, I think you're talking here of setting this so that
> > whenever I reboot, it all comes back up without
> > trouble...yes?

> Er... no. The rules go the way of all electrons when you
> restart, and need to be set again when you restart.

  Sheesh.  OK.  It's not like I don't have other things to do 
too....

> A quick and dirty approach would be to put the iptables-command
> I've given you into any script that's started in runlevels 3
> and up (like, for instance /etc/init.d/network). A better one
> would be to include them in the rules set by your firewall.

  Well, there are means & means.

> I believe, and I might be wrong, that RH firewall script uses
> the two cute utils coming with ipchains (and iptables as
> well): ipchains-save and ipchains-restore. ipchains-save will
> output to stdout a list of all current rules, which you can
> pipe into a file (they're basically just arguments to
> ipchains). ipchains-restore, surprisingly, can use the output
> of ipchains-save to restore the rules. You need to find the
> rules-file that the firewall feeds to ipchains-restore, and
> either add your masq rule in the forward chain, or set the
> masqing rule as before, verify that it works, use ipchains-save
> to create a new rules-file, and then replace the old one. See
> if you can find something firewally among the scripts in
> /etc/init.d/ and find out the position of the file by reading
> it. Or simply browse the /etc/sysconfig, I believe the
> rules-file is there somewhere.

  I'll see if Scott's been following this thread.  I may be able 
to jog his chains memory, or, if not....

> By the way, I'm writing this on a machine that's protected by
> the all-new horrorwall. I've replaced the cryptic SuSE firewall
> with my own script - it works, but still needs some polishing.
> If you have iptables userspace utils, and iptables support
> compiled in the kernel, it would probably work for you too. I
> guess that it would work with ipchains as well without a big
> deal of hacking. The rules I'm using are simple, but effective,
> as I've run it through several port scanners, and none could
> see the slightest trace of me...

  I may see what's necessary to get table support & try your 
script.  Let's try to keep it simple for now, as I still know 
almost nothing of chains (or tables) & I also have other stuff on 
tap.

  Lately I've been getting lots of returned mail.  It's nothing 
I've done -- other than to own a domain.  Some unscrupulous 
spammers have decided to use my .com as their reply-to address so 
that they don't get the returns for user unknowns, etc.  My Web 
host tells me my only recourse is to complain to SpamCop, so I 
have to study their site & forward header info from many of the 
returns I've filtered into another folder.  Fun, fun, fun.

-- 
  I see a good deal of talk from Washington about lowering taxes.  
  I hope they do get 'em lowered down enough so people can afford 
  to pay 'em.
  -The Best of Will Rogers
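As an added example (not from this thread or its authors): a small POSIX sh check, run before handing a rules file to ipchains-restore, that enforces the ordering point made above: the MASQ rule must be the last rule in the forward chain, so the private-to-public ACCEPT is matched first. It assumes the one-rule-per-line `-A <chain> ... -j <target>` format that ipchains-save prints; the two rule sets below are constructed, with 203.0.113.10 standing in for a public address and 192.168.1.0/24 for the private LAN.

```shell
#!/bin/sh
# Added example, not part of the original thread: check that the forward
# chain in an ipchains-save style rules file keeps the MASQ rule last, so the
# private -> public ACCEPT rules are matched before the catch-all MASQ.
# Assumption: one "-A <chain> ... -j <target>" rule per line, as ipchains-save
# prints it. Reads the rules file on stdin; the samples below are constructed.

check_forward_order() {
    awk '
        $1 == "-A" && $2 == "forward" {
            n++; target = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "MASQ") { masq_at = n; masq_count++ }
        }
        END {
            if (masq_count == 0) { print "no MASQ rule in forward chain"; exit 1 }
            if (masq_count > 1)  { print "more than one MASQ rule in forward chain"; exit 1 }
            if (masq_at != n)    { print "MASQ is rule " masq_at " of " n ", not last"; exit 1 }
            print "forward chain order OK (" n " rules, MASQ last)"
        }
    '
}

# Constructed rules as they would come out of ipchains-save; 203.0.113.10
# stands in for the public address, 192.168.1.0/24 for the private LAN.
GOOD_RULES=':input ACCEPT
:forward DENY
:output ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 203.0.113.10/255.255.255.255 -j ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ'

# Same two rules, both appended with -A in the wrong order: MASQ is hit first.
BAD_RULES=':forward DENY
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 192.168.1.0/255.255.255.0 -d 203.0.113.10/255.255.255.255 -j ACCEPT'

# Returns 0 for a rules text that is safe to feed to ipchains-restore, 1 otherwise.
check_rules_text() {
    printf '%s\n' "$1" | check_forward_order
}

check_rules_text "$GOOD_RULES"        # prints: forward chain order OK (2 rules, MASQ last)
check_rules_text "$BAD_RULES" || true # prints: MASQ is rule 1 of 2, not last
```

The same check applies to a file saved from a live ruleset: `check_forward_order < /path/to/saved-rules` before replacing the firewall's rules file.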