tvlad

Everything posted by tvlad

  1. After getting white hair, i managed to modify the ip-masq howto to fit my own needs. I'm thinking of also blocking some ports from the inside, like the ones for kazaa, winmx..., because i don't want one guy to eat the bandwidth of all. What other ports should i block from the inside ???? From the outside there is no problem, because the fw is a stateful one and plus, i blocked all icmp, tcp, udp input for the ext interface.
  2. I know about netstat, but it's not exactly what i need. I don't want them to work in X, just to have a ncurses interface.
  3. Before we bought an old pc, put linux on it and made it our server, one of the pc's in our network was sharing the net through Wingate. In wingate u could see how many opened sessions someone had. What programs are there for linux that do the same thing and work in text mode?
  4. tvlad

    Network Card

    Look at the nic's chip: If it says smth like BC 001 USA it's a myson card and the driver for it is fealnx, also if it says realtek, the driver should be compiled into the kernel.
  5. I finally figured how to block by mac-address:
      $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m mac --mac-source 00:20:ED:50:A3:AA -d $UNIVERSE -j DROP
     Now, aru, are u sure that for 172.16.0.0, to cover the whole range of ip's u must put a /12, i understand why /16 for 192.168, why /8 for 10.0, but not why /12 for 172.16.
  6. REALLY REALLY USEFUL, this should be in the TIPS SECTION.
  7. tvlad

    MNF PLEASE HELP ME

    What can i say, i downloaded Mnf and tried to install it on our server. The configuration was a nightmare (never going to use it AGAIN). It didn't detect the networking cards, and i had to configure them by hand, but that's not hard at all, the problem was getting it to accept connections on 8443. After struggling with it we finally managed to do this, but when we made a change through the browser interface, it blocked all our connections again, we had to login from the server itself and take down shorewall. Finally, it wasn't blocking every time we made a change, but although we configured it well (at least we think so), it just didn't work. And another reason i won't use it again, the usual networking files are modified automatically by files with the same names found in /usr/share/naat/templates/etc. And those files are ugly lookin scripts. That's why i switched to Mdk 9.0 for our server. The benefits are that u have total control over the config files and that u learn a lot during the process of setting up a server, unlike u would do with MNF.
  8. If i want to block a range of ip's, how do i put it:
      iptables -A input -i eth1 -s 192.168.0-255.0-255 -d 0/0 -j DROP
      iptables -A input -i eth1 -s 192.168.0.101:192.168.255.255 -d 0/0 -j DROP
     because i tried like that and it didn't work. And one more thing, i want to block by mac address:
      iptables -A INPUT -i eth1 --mac-source 00:40:F4:4B:35:3C -d 0/0 -j DROP
     is there smth wrong to it, because iptables says unknown arg --mac-source.
  9. tvlad

    SAMBA users

    Tell me one thing, what does the browseable option do ? I found smth about it, but very little: Prevents browsing by default, MEANING what? Perhaps that u can see the share but can't browse it ???? :roll:
  10. I stumbled across a doc at Redhat's site which said that if u wanted to restart all the network interfaces u had to type: network restart and press enter :D If it doesn't work try restart network, and if it still doesn't go to Rh and look at the Rh8 docs.
  11. When i tried to use netconf it always found errors and asked me if i wanted to correct them, although the configs were just fine. So nowadays i'm not using netconf, i'm modifying the files by hand.
  12. I think this is what i should add to a normal firewall config:
      iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT
      iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
      iptables -t nat -A PREROUTING -p tcp --dport 3128 -i eth0 -j DNAT --to PROXY:8080
     I also have to enable transparent proxying in squid as written in http://en.tldp.org/HOWTO/mini/TransparentProxy-4.html WHAT I HOPE THESE LINES DO IS: Let's say one of the network pc's tries to make a connection to www.tomshardware.com The connection will arrive to the server on port 80 and be redirected to squid (that's on the same server). Then when squid tries to send the connection directly to the net, the last line of my config will send it to an ip of my choice. I'M STILL NOT SURE of one thing: when the request arrives to squid, should i use iptables afterwards to redirect all requests made through 3128 to whatever ip i want, or should i configure squid to send the request to another IP.
  13. Or should i do it like this:
      iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT
      iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
      iptables -t nat -A PREROUTING -p tcp --dport 3128 -i eth0 -j DNAT --to PROXY:8080
     they should send all the requests to 3128 (where squid is) and allow me to do user authentication and then send the requests to PROXY, right ? would this allow me to do transparent proxying ? I've read the trans proxy howto, but it doesn't tell me one thing, after i make the request go to squid, squid will send them directly, and i want squid to send them to a metropolitan proxy because i have traffic limit.
  14. I knew of squidguard, but it's only useful if u want to block access to sites and perhaps user authentication, but i don't want to do that and concerning user authentication i found out how to do that with squid, What i still don't know exactly is how to do the proxy part. I'm thinking of doing it this way: adding this to my firewall
      iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT
      iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
     and this to squid
      cache_peer parentcache.METROPOLITAN_PROXY_IP parent 3128 0 no-query default
      acl all src 0.0.0.0/0.0.0.0
      never_direct allow all
     This will make all the request to port 80 to be transferred to 3128 where squid is and then squid will send the traffic to a metropolitan proxy. Did i get it right ????? :roll:
  15. Don't get me the wrong way guys (AA, johnyv), but look at my original post and what u told me.
  16. I posted the same subject on another forum and someone told me to redirect the traffic to squid. After i redirect the traffic to squid, shouldn't i configure squid to redirect the traffic to a proxy of my choosing ????
  17. I thought of doing that, but it will take some time until i download MNF and i still want to know how to do it on a normal linux distro.
  18. I am part of a network that has eight computers. We are planning on buying an old pc to use it as a server. The server will have the ip 192.168.0.1 and the rest of us 192.168.0.* Since not all of us pay for cable net we want to be able to restrict access to the net and because we have a limit for downloads that aren't from Romania (if we go over 300 mb bye bye net ) i want to configure the server to go through a metropolitan proxy but i have no idea how to do that or how to allow access to the net only if the user gives a username and password. I know how to share the net between the computers and how to make a decent firewall, because i have several examples, like IP-MASQ HOWTO etc.... WHAT I DON'T KNOW is how to make the server use a proxy for all the traffic, so that a user isn't required to setup his own application to use a proxy (because some of the guys in my network don't and this results in traffic), the only thing he has to do is to put the server's local ip as a gateway and dns server, and from his point of view there isn't anything more to configure. ALSO i want to enable net access based on a username and password. PLEASE, let me know if u have any ideas.
  19. I did it as i said in my first post, and everything works fine. The /etc/HOSTNAME file i was asking about, i later found that it used to exist on older versions of linux.
  20. What should i modify to make Mandrake update use a proxy, instead of a direct connection ????
  21. If i want to change my hostname i must change /etc/sysconfig/network and /etc/hosts. Should i change any other file ????? Because i read in config howto that i should also change /etc/HOSTNAME, but there is no such file on my system.
  22. Well if you want to try CrossOver go here: ftp.proconfort.ro You will also find WineX 2.2. PS: It's not my ftp site, i found the link on www.linux.ro
  23. Could u point to me a good download manager ????