
tvlad

Posts posted by tvlad

  1. After getting white hair, I managed to modify the ip-masq HOWTO to fit my own needs. I'm thinking of also blocking some ports from the inside, like the ones for Kazaa, WinMX..., because I don't want one guy to eat the bandwidth of all.

     

    What other ports should I block from the inside?

     

    From the outside there is no problem, because the fw is a stateful one and, plus, I blocked all ICMP, TCP, UDP input for the ext interface.

  2. Before we bought an old PC, put Linux on it and made it our server, one of the PCs in our network was sharing the net through WinGate.

     

    In WinGate you could see how many open sessions someone had. What programs are there for Linux that do the same thing and work in text mode?

  3. I finally figured out how to block by MAC address:

     

    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m mac --mac-source 00:20:ED:50:A3:AA -d $UNIVERSE -j DROP

     

    Now, aru, are you sure that for 172.16.0.0, to cover the whole range of IPs you must put a /12? I understand why /16 for 192.168, why /8 for 10.0, but not why /12 for 172.16.

  4. What can I say, I downloaded MNF and tried to install it on our server. The configuration was a nightmare (never going to use it AGAIN).

     

    It didn't detect the network cards, and I had to configure them by hand, but that's not hard at all; the problem was getting it to accept connections on 8443.

     

    After struggling with it we finally managed to do this, but when we made a change through the browser interface, it blocked all our connections again; we had to log in from the server itself and take down Shorewall. Finally, it wasn't blocking every time we made a change, but although we configured it well (at least we think so), it just didn't work.

     

    And another reason I won't use it again: the usual networking files are modified automatically by files with the same names found in /usr/share/naat/templates/etc. And those files are ugly-looking scripts.

     

    That's why I switched to Mdk 9.0 for our server. The benefits are that you have total control over the config files and that you learn a lot during the process of setting up a server, unlike you would with MNF.

  5. If I want to block a range of IPs, how do I put it:

     

    iptables -A input -i eth1 -s 192.168.0-255.0-255 -d 0/0 -j DROP

    iptables -A input -i eth1 -s 192.168.0.101:192.168.255.255 -d 0/0 -j DROP

     

    because I tried like that and it didn't work.

     

    And one more thing, I want to block by MAC address:

     

    iptables -A INPUT -i eth1 --mac-source 00:40:F4:4B:35:3C -d 0/0 -j DROP

     

    Is there something wrong with it, because iptables says unknown arg --mac-source?
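As an added example (my own code, not from these posts) for the /12 question in post 3 and the address-range question in post 5: Python's ipaddress module shows which addresses a prefix covers and splits an arbitrary range into the aligned CIDR blocks that an iptables -s match accepts, since a rule takes one address/prefix, not a dotted range. The chain and interface names in the emitted rules are constructed for illustration.

```python
import ipaddress


def covered_range(prefix):
    """Return (first, last, count) for a CIDR prefix, e.g. why /12 fits 172.16."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the fewest aligned CIDR blocks.

    iptables -s/-d accept one address or address/prefix per rule, so a range
    that does not start and end on a power-of-two boundary needs several rules.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def drop_rules(first, last, chain="INPUT", iface="eth1"):
    """Emit one iptables rule per CIDR block (constructed chain/interface names).

    Built-in chain names are case-sensitive: the chain is INPUT, not input.
    """
    return [
        f"iptables -A {chain} -i {iface} -s {cidr} -j DROP"
        for cidr in range_to_cidrs(first, last)
    ]


if __name__ == "__main__":
    # The three RFC 1918 private ranges and the single prefix that covers each.
    for prefix in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        print(prefix, "covers", *covered_range(prefix))
    # The range asked about in post 5 is not prefix-aligned, so it splits up.
    for rule in drop_rules("192.168.0.101", "192.168.255.255"):
        print(rule)
```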

  6. Tell me one thing, what does the browseable option do?

     

    I found something about it, but very little: "Prevents browsing by default", MEANING what?

     

    Perhaps that you can see the share but can't browse it? :roll:

  7. I think this is what I should add to a normal firewall config:

     

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    iptables -t nat -A PREROUTING -p tcp --dport 3128 -i eth0 -j DNAT --to PROXY:8080

    I also have to enable transparent proxying in Squid as written in http://en.tldp.org/HOWTO/mini/TransparentProxy-4.html

     

    WHAT I HOPE THESE LINES DO IS:

     

    Let's say one of the network PCs tries to make a connection to www.tomshardware.com. The connection will arrive at the server on port 80 and be redirected to Squid (that's on the same server). Then when Squid tries to send the connection directly to the net, the last line of my config will send it to an IP of my choice.

     

     

    I'M STILL NOT SURE of one thing: when the request arrives at Squid, should I use iptables afterwards to redirect all requests made through 3128 to whatever IP I want, or should I configure Squid to send the request to another IP?

  8. Or should I do it like this:

     

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    iptables -t nat -A PREROUTING -p tcp --dport 3128 -i eth0 -j DNAT --to PROXY:8080

     

    They should send all the requests to 3128 (where Squid is) and allow me to do user authentication and then send the requests to PROXY, right?

     

    Would this allow me to do transparent proxying?

     

    I've read the transparent proxy HOWTO, but it doesn't tell me one thing: after I make the requests go to Squid, Squid will send them directly, and I want Squid to send them to a metropolitan proxy because I have a traffic limit.

  9. I knew of SquidGuard, but it's only useful if you want to block access to sites and perhaps user authentication, but I don't want to do that, and concerning user authentication I found out how to do that with Squid.

     

    What I still don't know exactly is how to do the proxy part.

     

    I'm thinking of doing it this way:

     

    adding this to my firewall

     

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

     

    and this to squid

     

    cache_peer parentcache.METROPOLITAN_PROXY_IP parent 3128 0 no-query default

    acl all src 0.0.0.0/0.0.0.0

    never_direct allow all

     

     

    This will make all the requests to port 80 be transferred to 3128 where Squid is, and then Squid will send the traffic to a metropolitan proxy.

     

    Did I get it right? :roll:
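As an added example (my own code, not from these posts or from the iptables or Squid projects) for the PREROUTING rules proposed in posts 7 to 9: a small first-match evaluator over post 9's three rules, showing what each kind of LAN packet ends up as. The DNAT on 3128 from posts 7 and 8 is left out because Squid's own outbound connections are locally generated and never pass PREROUTING, which is why post 9's cache_peer/never_direct is the right place to send traffic upstream. The packets and the 203.0.113.10 address are constructed.

```python
import ipaddress
import shlex

# Post 9's three PREROUTING rules, with the "80-jACCEPT" spacing fixed and
# "localhost" written as the address it resolves to.  Caveat: the kernel only
# accepts REJECT in the filter table, so the first rule needs DROP in nat.
RULES = [
    "-i eth0 -p tcp -d 127.0.0.1 --dport 80 -j REJECT",
    "-i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT",
    "-i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128",
]


def parse_rule(text):
    """Turn one rule string into match criteria plus its target (subset of flags)."""
    toks = shlex.split(text)
    rule = {}
    for flag, val in zip(toks[::2], toks[1::2]):
        if flag == "-i":
            rule["in_iface"] = val
        elif flag == "-p":
            rule["proto"] = val
        elif flag == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif flag == "--dport":
            rule["dport"] = int(val)
        elif flag == "-j":
            rule["target"] = val
        elif flag == "--to-port":
            rule["to_port"] = int(val)
    return rule


def prerouting(packet, rules=RULES):
    """First-match walk of the chain, as iptables does; returns (target, to_port)."""
    for rule in map(parse_rule, rules):
        if rule.get("in_iface", packet["in_iface"]) != packet["in_iface"]:
            continue
        if rule.get("proto", packet["proto"]) != packet["proto"]:
            continue
        if "dst" in rule and ipaddress.ip_address(packet["dst"]) not in rule["dst"]:
            continue
        if rule.get("dport", packet["dport"]) != packet["dport"]:
            continue
        return rule["target"], rule.get("to_port")
    return "ACCEPT", None  # nat chains have policy ACCEPT: routed unchanged


def lan_packet(dst, dport=80):
    """Constructed packet from a LAN client, arriving on the server's eth0."""
    return {"in_iface": "eth0", "proto": "tcp", "dst": dst, "dport": dport}
```

Only port 80 on eth0 is diverted to Squid; HTTPS, other ports and traffic arriving on other interfaces fall through to the chain's ACCEPT policy and are routed normally.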

  10. I am part of a network that has eight computers. We are planning on buying an old PC to use as a server. The server will have the IP 192.168.0.1 and the rest of us 192.168.0.*

     

    Since not all of us pay for cable net we want to be able to restrict access to the net, and because we have a limit for downloads that aren't from Romania (if we go over 300 MB, bye bye net) I want to configure the server to go through a metropolitan proxy, but I have no idea how to do that or how to allow access to the net only if the user gives a username and password.

     

    I know how to share the net between the computers and how to make a decent firewall, because I have several examples, like the IP-MASQ HOWTO etc.

     

    WHAT I DON'T KNOW is how to make the server use a proxy for all the traffic, so that a user isn't required to set up his own application to use a proxy (because some of the guys in my network don't, and this results in traffic); the only thing he has to do is to put the server's local IP as gateway and DNS server, and from his point of view there isn't anything more to configure.

     

    ALSO I want to enable net access based on a username and password.

     

    PLEASE, let me know if you have any ideas.
