Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have set up a Red Hat firewall using iptables protecting a Red Hat 8 server running services. It works fine and only allows access to the ports I wish; however, when trying to gain access to a protected port, e.g. ftp, the connection just hangs. Is it possible to get a 'connection refused' message back instead?
Also, I have had to set the 2 NICs on the firewall to different subnets, otherwise they don't forward. Is this the only way to set them up? And I can only access the server by using SNAT or MASQ. Is there any way I can just forward the packets through so they keep their original source address?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
The connection hangs because packets are silently being dropped; this is the result of the DROP action in iptables. Usually this is preferred (at least for outside connections), but in some cases you want to refuse the connection and let the client know you're not going to take it. I think iptables has something like a REJECT which would cause "connection refused" instead of a time-out.
Next, yes, you have to put each NIC on its own subnet. You cause all kinds of routing "Badness(TM)" if you attempt to put two NICs from one machine on the same network. That especially won't work well for a firewall, since you're accepting packets off the wire and putting them back on the same network; you won't be able to do a lot of spoofing detection, etc.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Well generally IPs that end in 0 are network numbers, but there's no way of telling what size the network is from just the IP, that's why people use subnet notation. Dotted decimal is very commonly recognized (192.168.0.0/255.255.0.0) but CIDR is preferred because it's more compact (192.168.0.0/16).
If you mean in an iptables rule, I *think* iptables recognizes CIDR notation, but I'm not certain (since I don't have any Linux boxes any more).
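The notation the reply describes, as an added example that is not part of this thread: converting a subnet mask between dotted-decimal and CIDR form, and the arithmetic that makes 192.168.0.0/255.255.0.0 and 192.168.0.0/16 the same network. It goes slightly beyond the reply by also rejecting non-contiguous masks, canonicalising the network number (192.168.5.7/16 is really 192.168.0.0/16) and testing whether an address falls inside a network. It is plain POSIX sh and assumes a shell with 64-bit integer arithmetic, which dash and bash provide. For the iptables question: iptables accepts both forms, so `-s 192.168.0.0/16` and `-s 192.168.0.0/255.255.0.0` are equivalent in a rule.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a POSIX shell with
# 64-bit integer arithmetic (dash, bash).

# Dotted-decimal IPv4 address -> unsigned 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Unsigned 32-bit integer -> dotted decimal.
int2ip() {
    echo "$(( $1 / 16777216 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# Prefix length (0-32) -> mask as an integer: 16 -> 0xFFFF0000.
prefix2int() {
    low=1; i=$1
    while [ "$i" -lt 32 ]; do low=$(( low * 2 )); i=$(( i + 1 )); done
    echo $(( 4294967295 - (low - 1) ))
}

# Prefix length -> dotted-decimal mask: 16 -> 255.255.0.0.
prefix2mask() { int2ip "$(prefix2int "$1")"; }

# Dotted-decimal mask -> prefix length. A real mask is a run of 1 bits followed
# by a run of 0 bits; something like 255.0.255.0 is refused.
mask2prefix() {
    m=$(ip2int "$1")
    zeros=$(( 4294967295 - m ))            # the host part, as a run of 1 bits
    if [ $(( zeros & (zeros + 1) )) -ne 0 ]; then
        echo "non-contiguous mask: $1" >&2
        return 1
    fi
    n=0
    while [ "$m" -ne 0 ]; do n=$(( n + m % 2 )); m=$(( m / 2 )); done
    echo "$n"
}

# Normalise "net/mask" or "net/prefix" to canonical CIDR:
#   192.168.0.0/255.255.0.0 -> 192.168.0.0/16,  192.168.5.7/16 -> 192.168.0.0/16
to_cidr() {
    net=${1%/*}; rest=${1#*/}
    case "$rest" in
        *.*) p=$(mask2prefix "$rest") || return 1 ;;
        *)   p=$rest ;;
    esac
    # Mask off any host bits so the network number is the real one.
    echo "$(int2ip $(( $(ip2int "$net") & $(prefix2int "$p") )))/$p"
}

# Is address $1 inside network $2 (either notation)?  Exit 0 = yes, 1 = no.
in_subnet() {
    cidr=$(to_cidr "$2") || return 2
    mask=$(prefix2int "${cidr#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq "$(ip2int "${cidr%/*}")" ]
}

# Stand-alone usage: ./cidr.sh 192.168.0.0/255.255.0.0   -> 192.168.0.0/16
to_cidr "${1:-192.168.0.0/255.255.0.0}"
```

The contiguity check is the part worth keeping: a mask such as 255.0.255.0 converts to an integer without complaint, but it has no prefix length, and a rule written with it would not match what the author imagined.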