<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Jose,<br>
<br>
You will do yourself very much a favour by installing "shorewall" in
Ubuntu.<br>
<br>
Bob VE3TOK<br>
<br>
On 12-03-02 11:59 PM, Jose Ng Lee wrote:
<blockquote cite="mid:C9609DE7A5AD40889CBDE05C43762BF6@ngj"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<meta name="GENERATOR" content="MSHTML 8.00.6001.19190">
<style>@font-face {
font-family: Calibri;
}
@font-face {
font-family: Tahoma;
}
@page WordSection1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; COLOR: black; FONT-SIZE: 12pt
}
LI.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; COLOR: black; FONT-SIZE: 12pt
}
DIV.MsoNormal {
MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman","serif"; COLOR: black; FONT-SIZE: 12pt
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.EmailStyle17 {
FONT-FAMILY: "Calibri","sans-serif"; COLOR: #1f497d; mso-style-type: personal-reply
}
.MsoChpDefault {
FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.WordSection1 {
page: WordSection1
}
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div><font face="Arial">Hi Michael,</font></div>
<div> </div>
<div><font face="Arial">Thanks for the reply, good explanation of
iptables and the references. You're right, the iptables subject is
too broad.</font></div>
<div> </div>
<div><font face="Arial">My goal for now is to have Linux talk to
the Jnos through the tun device and vice versa. Before, I was using
the Firestarter graphical interface to set up the firewall.
With Firestarter disabled, I was able to communicate from Linux to
Jnos. With Firestarter on, I was not able to, and I just couldn't set
up the rules.</font></div>
<div> </div>
<div><font face="Arial">So, I uninstalled Firestarter. The default
iptables firewall is on now, but I couldn't get it to communicate from
Linux to Jnos. For an easier way to set up iptables, I use
Webmin through the web browser to modify the rules. It got me
confused how to set up the rules; I tried declaring the IP, but it
doesn't work. Later, I tried declaring in the Incoming and
Outgoing packets to accept the packets from the tun0 interface,
and now it is working. The tun0 interface is only on when jnos
is executed, so I have to declare "other interface" and write the
name tun0.</font></div>
<div> </div>
<div><font face="Arial">My next step is to set up iptables to
allow telnet from the internet to the Jnos. I tried and couldn't
telnet to my Jnos from the internet.</font></div>
<div> </div>
<div><font face="Arial">Thanks,</font></div>
<div><font face="Arial">Jose / HP2AT</font></div>
<blockquote style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT:
5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<div style="FONT: 10pt arial">----- Original Message ----- </div>
<div style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color:
black"><b>From:</b> <a moz-do-not-send="true"
title="n6mef@mefox.org" href="mailto:n6mef@mefox.org">Michael
Fox - N6MEF</a> </div>
<div style="FONT: 10pt arial"><b>To:</b> <a
moz-do-not-send="true" title="nos-bbs@tapr.org"
href="mailto:nos-bbs@tapr.org">'TAPR xNOS Mailing List'</a>
</div>
<div style="FONT: 10pt arial"><b>Sent:</b> Friday, March 02,
2012 10:57 PM</div>
<div style="FONT: 10pt arial"><b>Subject:</b> Re: [nos-bbs]
IPTABLES for TUN device</div>
<div><br>
</div>
<div class="WordSection1">
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Jose,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">It
looks like no one has responded to you yet. That may be
because you asked a rather broad question. You’ll need to
be much more specific about iptables.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">IPtables
is for filtering (among other things). For the best
security, you want to set a default policy of drop and
then specify the specific traffic that you want to allow.
So you need to define those traffic types first, then
translate to iptables rules. If you define what you want,
and take a stab at writing the rules, there are probably
several of us here who would be happy to help you refine
them.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">If
you’re new to iptables, here’s some background info to get
you started:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Iptables
has 3 principal filtering tables: input, forward,
output. Input is what traffic you want linux to accept
coming in on that interface. In other words, this is
traffic destined for linux that comes in on the tun0
interface. Forward is for traffic you want linux to allow
to pass through from one interface to another. This can
be two way on the tun0 device. For example, you may want
to allow certain ICMP traffic to go out from JNOS, through
Linux, to the internet, but not allow incoming traffic of
that type from the internet to reach JNOS. So you need to
define what traffic you want to allow linux to forward
from other interfaces TO tun0 and what traffic you
want linux to forward FROM tun0 to other interfaces.
Output is for what traffic you want linux to be able to
originate on that interface. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">To
specify the traffic types, you’ll need to define if
they’re IP, TCP, ICMP, etc., which ports (like TCP port 23
for default telnet, etc.), and possibly which source
and/or destination addresses to allow to send that
traffic. For example, you may want to allow linux to
forward telnet to JNOS as long as it is from a 44.x
address, but not from other addresses.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Once
you have figured out what traffic you want to allow, here
are three good references to help write the rules:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><a
moz-do-not-send="true"
href="https://help.ubuntu.com/community/IptablesHowTo">https://help.ubuntu.com/community/IptablesHowTo</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><a
moz-do-not-send="true"
href="http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html">http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html</a>
(this is how I learned – it has some good templates)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">O’Reilly
iptables pocket reference: <a moz-do-not-send="true"
href="http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/ref=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell">http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/ref=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Michael<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">N6MEF<o:p></o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:
'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"><o:p> </o:p></span></p>
<div>
<div style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium
none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in;
PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<p style="MARGIN-LEFT: 0.5in" class="MsoNormal"><b><span
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR:
windowtext; FONT-SIZE: 10pt">From:</span></b><span
style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR:
windowtext; FONT-SIZE: 10pt"> <a class="moz-txt-link-abbreviated" href="mailto:nos-bbs-bounces@tapr.org">nos-bbs-bounces@tapr.org</a>
[<a class="moz-txt-link-freetext" href="mailto:nos-bbs-bounces@tapr.org">mailto:nos-bbs-bounces@tapr.org</a>] <b>On Behalf Of </b>Jose
Ng Lee<br>
<b>Sent:</b> Friday, March 02, 2012 11:20 AM<br>
<b>To:</b> TAPR xNOS Mailing List<br>
<b>Subject:</b> [nos-bbs] IPTABLES for TUN device<o:p></o:p></span></p>
</div>
</div>
<p style="MARGIN-LEFT: 0.5in" class="MsoNormal"><o:p> </o:p></p>
<div>
<p style="MARGIN-LEFT: 0.5in" class="MsoNormal"><span
style="FONT-FAMILY: 'Arial','sans-serif'">Hi,</span><o:p></o:p></p>
</div>
<div>
<p style="MARGIN-LEFT: 0.5in" class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p style="MARGIN-LEFT: 0.5in" class="MsoNormal"><span
style="FONT-FAMILY: 'Arial','sans-serif'">Can anyone
help me with a sample IPTABLES configuration that works
with the TUN device?</span><o:p></o:p></p>
</div>
<div>
<p style="MARGIN-LEFT: 0.5in" class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p style="MARGIN-LEFT: 0.5in" class="MsoNormal"><span
style="FONT-FAMILY: 'Arial','sans-serif'">Thanks,</span><o:p></o:p></p>
</div>
<div>
<p style="MARGIN-LEFT: 0.5in" class="MsoNormal"><span
style="FONT-FAMILY: 'Arial','sans-serif'">Jose / HP2AT</span><o:p></o:p></p>
</div>
</div>
<p> </p>
<hr> _______________________________________________<br>
nos-bbs mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><br>
<a class="moz-txt-link-freetext" href="https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs">https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs</a><br>
</blockquote>
<br>
</blockquote>
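<p>The rule set Michael describes above (default policy of DROP, INPUT and OUTPUT for traffic that terminates on Linux, FORWARD in both directions between tun0 and the outside, telnet to JNOS only from a 44.x source) and the two things Jose is trying to get working (Linux talking to JNOS over tun0, and telnet from the internet reaching JNOS), written out as an added example. This is not code from the thread, from JNOS, or from any of the references Michael lists. The interface name eth0, the JNOS address 44.0.0.2 and the trusted range 44.0.0.0/8 are assumptions; change them to match your setup. Rules that name tun0 load fine while tun0 does not yet exist, because iptables matches on the interface name rather than requiring the device to be up, so the script can run before JNOS starts.</p>

```shell
#!/bin/sh
# Added example (not from the thread): a default-DROP iptables rule set for a
# Linux host carrying a JNOS tun0 interface. Run with no arguments to print the
# rules; run as "sh jnos-fw.sh apply" as root to load them.
#
# Assumed names and addresses (hypothetical; adjust to your setup):
#   EXT_IF   internet-facing interface         (assumed eth0)
#   TUN_IF   tun device JNOS attaches to       (tun0, as in the thread)
#   JNOS_IP  JNOS's address on the tun link    (assumed 44.0.0.2)
#   TRUSTED  source range allowed to telnet in (assumed 44.0.0.0/8, "44.x")

IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
EXT_IF=${EXT_IF:-eth0}
TUN_IF=${TUN_IF:-tun0}
JNOS_IP=${JNOS_IP:-44.0.0.2}
TRUSTED=${TRUSTED:-44.0.0.0/8}

# 1. Clean slate and a default policy of DROP on all three chains, so only
#    traffic named below gets through.
reset_default_drop() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# 2. Loopback, and return traffic for connections already allowed.
base_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
}

# 3. Linux <-> JNOS over tun0 (INPUT/OUTPUT: traffic that terminates on Linux).
#    Tighter than "accept everything on tun0": only JNOS's own address may talk.
host_to_jnos_rules() {
    $IPT -A INPUT -i $TUN_IF -s $JNOS_IP -j ACCEPT
    $IPT -A OUTPUT -o $TUN_IF -d $JNOS_IP -j ACCEPT
}

# 4. Traffic Linux passes between the internet and JNOS (FORWARD chain).
forward_rules() {
    # Telnet to JNOS: new connections only from TRUSTED, only to JNOS_IP, port 23.
    $IPT -A FORWARD -i $EXT_IF -o $TUN_IF -s $TRUSTED -d $JNOS_IP \
        -p tcp --dport 23 -m conntrack --ctstate NEW -j ACCEPT
    # JNOS may ping out; replies return via the ESTABLISHED rule above, but no
    # echo-request from the internet reaches JNOS (Michael's ICMP example).
    $IPT -A FORWARD -i $TUN_IF -o $EXT_IF -s $JNOS_IP \
        -p icmp --icmp-type echo-request -j ACCEPT
    # Rate-limited log of what the DROP policy is about to discard, for debugging.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# 5. Only needed when JNOS_IP is not routable from the internet: rewrite telnet
#    arriving on EXT_IF to JNOS_IP so the FORWARD rule above sees it.
dnat_telnet_rule() {
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 23 \
        -j DNAT --to-destination $JNOS_IP
}

apply_all() {
    $SYSCTL -w net.ipv4.ip_forward=1   # FORWARD rules do nothing without this
    reset_default_drop
    base_rules
    host_to_jnos_rules
    forward_rules
    [ "${DNAT_TELNET:-no}" = yes ] && dnat_telnet_rule
    return 0
}

case "${1:-show}" in
    apply) apply_all ;;
    show)  IPT="echo iptables"; SYSCTL="echo sysctl"; apply_all ;;
esac
```

<p>Two caveats a practitioner would want. First, with OUTPUT defaulting to DROP the Linux host itself cannot originate anything except to JNOS until you add OUTPUT rules on EXT_IF for whatever it needs (DNS, package updates); that is the price of the explicit policy Michael recommends. Second, telnet is cleartext, so the TRUSTED source restriction is the only thing standing between the internet and the JNOS login prompt; widen it deliberately, not to 0.0.0.0/0 by default. Rules loaded this way are lost on reboot unless saved with iptables-save and restored at boot.</p>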
<br>
</body>
</html>