LHN Linux Forums - Linux - Hardware, Networking & Security

what is the --kerneltz in iptables command.

pradiptart — Thu, 16 May 2013 12:12:51 GMT

Hi all,
I am using iptables for my project but facing some problem as follow.

1.in iptables 1.4.7

Quote:

iptables -A INPUT -s 10.0.4.247 -m time --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

or

Quote:

iptables -A INPUT -s 10.0.4.247 -m time --localtz --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

output of date command

Thu May 16 15:52:11 IST 2013

both the commands above is not working. As i can able to ping form 10.0.4.247 to the machine.

why this is not working as default it should be --localtz.(man page of iptables v 1.4.7)

2.in iptables v 1.4.12

Quote:

iptables -A INPUT -s 10.0.4.247 -m time --kerneltz --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

This is working as I am not able to ping from the ip 10.0.4.247

Quote:

iptables -A INPUT -s 10.0.4.247 -m time --datestart 2013-5-16T12 --datestop 2013-5-16T16 -j DROP

This rule by default set to follow UTC timezone but in man page it showing,the default is --kerneltz.[man of iptables v1.4.12]

can any one tell me what is problem with the iptables ,I need to block some ip/port for a specified time duration,but unable find what to do.

what is actually meaning of --kerneltz and is it safe to use this.

kindly tell some answer

Thanks

Application reconnect problem with multiple uplink routing

lingeek — Wed, 08 May 2013 12:08:41 GMT

Hi,
I converted a Fedora 13 system as multiple uplink router using the steps mentioned at lartc.org with 1 LAN (eth0) and load balance with two WAN(eth1, eth2).
Now the problem is,
we have an application which is connecting to its server on internet at every 5 minutes. so when application first connected to the server it connected through eth1 which can be seen from ip route show cache command.
As kernel automatically flushes the routing cache after some time, when the application tried to connect, it went through eth2 as load balance is ON. When the application goes through eth2 it is not able to connect to the server.
What could be the possible reasons for this behavior? and what will be the solution for it?
Thanks in advance.
lingeek

Network Configuration Manager

JackNaples — Fri, 05 Apr 2013 13:46:19 GMT

Hello,

I could use an open source tool to save the configuration of the devices of various vendors, and possibly make a diff between the various configurations saved for each device. I do not care to have a graphical interface, I'm interested in is open source.

Do you know any tool?

Problem with subnets.

stimburg — Fri, 08 Mar 2013 02:50:02 GMT

I have a linux router that has 3 adapters, 2 wired one wireless. The wired adapter is connected to a few machines on the network through a switch and works fine. All those machine can access the webserver running on the gateway and can ssh into and ping the gateway using the external ip address. All of the wireless devices can access the internet and ping anything in the outside world just fine. The only thing anything connected to wlan0 can't do is access any service like ssh, apache, or ping the gateway using the external adapter.

I'm thinking it's probably something I need to turn on or allow in iptables to let wlan0 talk to eth0 (the adapter plugged into the modem that has the external ip address). Anything connected to wlan0 can ping the internal ip address and be pinged from anything on the network, it just can't talk to eth0. I just don't know what to do because I rarely mess with iptables.

I've posted some info below.

Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 75.137.104.1 0.0.0.0 UG 203 0 0 eth0 75.137.104.0 0.0.0.0 255.255.248.0 U 203 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0

eth0: flags=4163 mtu 576 inet xx.xxx.xxx.xxx netmask 255.255.248.0 broadcast 255.255.255.255 ether 00:04:4b:05:71:76 txqueuelen 1000 (Ethernet) RX packets 3239621 bytes 1751454322 (1.6 GiB) RX errors 2002 dropped 0 overruns 2001 frame 1 TX packets 870903 bytes 102968145 (98.1 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eth1: flags=4163 mtu 1500 inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::204:4bff:fe05:7177 prefixlen 64 scopeid 0x20 ether 00:04:4b:05:71:77 txqueuelen 1000 (Ethernet) RX packets 48670106 bytes 3406025407 (3.1 GiB) RX errors 0 dropped 10 overruns 0 frame 0 TX packets 40039645 bytes 248158180873 (231.1 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10 loop txqueuelen 0 (Local Loopback) RX packets 8061 bytes 1018138 (994.2 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 8061 bytes 1018138 (994.2 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wlan0: flags=4163 mtu 1500 inet 192.168.10.1 netmask 255.255.255.0 broadcast 192.168.10.255 inet6 fe80::92f6:52ff:fee5:780a prefixlen 64 scopeid 0x20 ether 90:f6:52:e5:78:0a txqueuelen 1000 (Ethernet) RX packets 373525 bytes 50509081 (48.1 MiB) RX errors 0 dropped 6 overruns 0 frame 0 TX packets 521972 bytes 603511606 (575.5 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

IP fragmentation problem

arichard — Tue, 19 Feb 2013 16:03:51 GMT

Hello all, I am experiencing a problem with IP fragmentation.
I am receiving an udp packet that is larger than the MTU and it is fragmented along the network.
I am receiving the two fragments but they are not being reassembled correclty.

The MTU of the system is 1500 and I cannot increase it, because I am getting this error: SIOCSIFMTU: Numerical result out of range.
Is it necessary to build the kernel with support for jumbo frames?

There's any option that should be enabled on the kernel (2.6.34.8) to support this feature? Shouldn't this be a default feature?

Any hint that may assist in debugging this issue is welcome.

The first packet it is considered (bad) as a complete packet and I am getting an error at the app level.
https://picasaweb.google.com/1053854...94371327482338

The second packet is the last part of the fragment which should be ignored completely:
https://picasaweb.google.com/1053854...94366260648562

As reference I am sending the same packet to my laptop which is implementing correctly the fragmentation re-assembly:
https://picasaweb.google.com/1053854...94364006259698

Networking with cisco in a linux PC

clownix — Mon, 11 Feb 2013 23:52:25 GMT

http://clownix.net[/url]

How to establish site to site vpn - Linux machine and cisco asa?

ashokoffice — Sat, 02 Feb 2013 16:17:32 GMT

Hi,

I am trying to establish vpn between my linux server and cisco asa at client side.

I installed openswan on my cent os.

Linux Server

Code:

eth0 - 182.2.29.10 [ I have public IP]
Gateway - 182.2.29.1 [ and gw]
eth1 - 192.9.200.75 [ Internal Lan i/f]

I have simple IPtables Like
WAN="eth0"
LAN="eth1"
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to 182.2.29.10
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -i $WAN -j ACCEPT

iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -s 192.9.200.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -d 192.9.200.0/255.255.255.0 -j ACCEPT

iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

-------------------------------
Client side Cisco ASA - Device
Provided details :

BD gateway ip is 212.2.7.15 [ Public IP]
Source IP :- 192.168.91.224
ESP-3DES-SHA1
Lifetime is 86400 seconds (Phase-1) & 3600 seconds (Phase-2)
Authentication is pre-shared

I need advise on configuring ipsec.conf and ipsec.secrets and what IP tables rules I need to add / modify.

Thanks

Best
Ashok