Solved

Newbie question

Posted on 2004-03-25
Last Modified: 2013-12-15
I just installed Red Hat 9 and have a bit of know-how of the system.

I just want to know, in squid,

cache_dir ufs /var/spool/squid 100 16 256

is written there by default. What exactly does this mean, and how can I change it to suit my system's needs?

Secondly, I want to make firewall rules, and when I try to use the command

iptables -A PREROUTING -p icmp -m icmp --icmp-type 8 -j DROP

or any other command, it just returns

iptables: No chain/target/match by that name

So, any help?
Question by:aejaz
11 Comments
 

Author Comment

by:aejaz
ID: 10676334
Also, /etc/sysconfig/iptables: I can't see any iptables there.
 
LVL 9

Expert Comment

by:Alf666
ID: 10676668
You can simply change /var/spool/squid to any other location. Then, stop squid, move /var/spool/squid to this other location and restart your squid.

I'm afraid building iptables requires much more than that. What happens here is that you tried to add a rule calling a specific module that does not exist (-m icmp).

You are trying to call a match extension which would be called ipt_icmp (once again that does not exist).

You could use the excellent fwbuilder (http://www.fwbuilder.org) if you want simpler things and a nice GUI.
 

Author Comment

by:aejaz
ID: 10684274
Thanks for your reply. You didn't tell me what 100 16 256 is in the following line, and should one have to change these values according to the system?

cache_dir ufs /var/spool/squid 100 16 256

Also, is fwbuilder the same as iptables, or is it a graphical form of iptables?

Regards
 

Author Comment

by:aejaz
ID: 10685076
Also, I need to know a basic tutorial from scratch, like from installation of iptables, checking and loading the appropriate iptables module for the kernel, and making it run. So I want to read a lot; any good tutorials that will give us the step-by-step procedure for installation and working of iptables?
 
LVL 9

Expert Comment

by:Alf666
ID: 10685904
100 means 100 Megs for the cache.
16 256 means create 16 level 1 directories and 256 level 2.

This means that your cache files will be split up upon 16 * 256 directories.
The need for this is quite historic (though not totally dealt with up to now). No Unix system is very good at having tons of files in the same dir. Just trying to open a file in such a directory takes much longer than in one with fewer files.

So clever software that needs to store lots of files "hashes" its storage.

You should not need to change this unless you have an amazingly highly used squid (like for hundreds or more users).

The 100 though might be changed, but this should be largely enough for your own use.

About iptables, yes. Unfortunately, iptables => security. And it's not so easy to improvise yourself as a security expert. It depends on what you are trying to achieve though.

There is a good tutorial on the following page:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

I strongly advise fwbuilder though. It's a nice interface, a bit like the one Checkpoint distributes with Firewall-1. It has wizards that allow you to build up simple firewall rules. It generates your iptables script for you.


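To make the 100 / 16 / 256 explanation concrete, here is an added example (not from the thread or the squid project) that decodes the cache_dir line and measures how many files end up in a single directory for a given layout. The directory scheme in object_path() is an illustrative model of a two-level store, an assumption and not squid's own code.

```python
"""Decode a squid `cache_dir ufs` line and show what the L1/L2 numbers do to the
store layout. Added example, not from the thread or the squid project: the
directory scheme in object_path() is an illustrative model of a two-level
store (assumption), not squid's own code."""
from collections import Counter


def parse_cache_dir(line):
    """Parse 'cache_dir ufs /var/spool/squid 100 16 256' into its fields."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "cache_dir":
        raise ValueError("not a cache_dir line: %r" % line)
    size_mb, l1, l2 = (int(x) for x in parts[3:6])
    return {"type": parts[1], "path": parts[2], "size_mb": size_mb,
            "l1": l1, "l2": l2, "leaf_dirs": l1 * l2}


def object_path(layout, filenum):
    """Place cache file number `filenum` under one of the l1*l2 leaf directories.
    Illustrative scheme (assumption): each leaf takes l2 consecutive numbers,
    the level-2 index advances next, the level-1 index slowest."""
    l1, l2 = layout["l1"], layout["l2"]
    d1 = (filenum // l2 // l2) % l1
    d2 = (filenum // l2) % l2
    return "%s/%02X/%02X/%08X" % (layout["path"], d1, d2, filenum)


def leaf_dir_of(layout, filenum):
    """Directory part of object_path(), without the file name."""
    return object_path(layout, filenum).rsplit("/", 1)[0]


def max_files_in_one_dir(layout, n_objects):
    """Largest number of files any single leaf directory holds once n_objects
    (numbered 0..n_objects-1) are stored: the 'tons of files in one dir'
    problem the expert describes, measured for a given layout."""
    counts = Counter(leaf_dir_of(layout, n) for n in range(n_objects))
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    layout = parse_cache_dir("cache_dir ufs /var/spool/squid 100 16 256")
    print("leaf directories:", layout["leaf_dirs"])  # 16 * 256 = 4096
    for n in (0, 255, 256, 65536):
        print(n, "->", object_path(layout, n))
    # 100 MB of roughly 10 KB objects is about 10000 files (constructed figure)
    print("worst directory holds", max_files_in_one_dir(layout, 10000), "files")
    flat = parse_cache_dir("cache_dir ufs /tmp/flat 100 1 1")  # constructed
    print("with 1 1 instead:", max_files_in_one_dir(flat, 10000), "files")
```

The 1 1 layout at the end is the comparison case: every object lands in the same directory, which is exactly the situation the 16 256 split exists to avoid.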

 

Author Comment

by:aejaz
ID: 10693280

To run the pure basics of iptables you need to configure the following options into the kernel while doing make config or one of its related commands:

CONFIG_PACKET - This option allows applications and utilities that need to work directly with various network devices. Examples of such utilities are tcpdump or snort.

and similarly
CONFIG_NETFILTER
CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP
CONFIG_IP_NF_IRC
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_TARGET_MASQUERA

I just want to know how to enable all these in Red Hat 9. iptables is installed; now what? When I try to read the material it's easy to grasp, but when it says "do that with the kernel" and never says how, then I'm stuck. Kindly tell me the starting point from where I start my Linux. For me, mastering iptables is the destination :). Also, I will try fwbuilder, but later, when there is no help on iptables.

Regards
 
LVL 9

Accepted Solution

by:Alf666 (earned 20 total points)
ID: 10694774
I'd honestly go the other way. It's much easier to grab fwbuilder, have it build your tables, and then, work on them. So that you have a base to work on/play with.

I don't know redhat 9. But I suppose that, as in most distribs, iptables is already configured as modules. So, you should not have to do all that kernel config.

If I refer to your first question, I suggest the following:

modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -p icmp --icmp-type 8 -j DROP

This will work and be a start. Then, if you want to master it, you'll have to read, and read, and read ...etc :-)
 

Author Comment

by:aejaz
ID: 10782534
Hi again, I have just managed to do a little bit with iptables. :)

I just want to know a few things. After loading the modules,

all the above commands are accepted at the command prompt, but when I try to use this command

iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

where xxx is any IP and yyy is the subnet mask, it returns the same message, i.e.

iptables: No chain/target/match by that name

It also gives the same message with POSTROUTING.

Also, I don't want to load the modules and the commands each time the system starts, so after I typed the commands I used the iptables-save command to save them. Also, is there any possibility where I can store the commands and execute them when the system starts up?
 
LVL 9

Expert Comment

by:Alf666
ID: 10782603
Once again, you have included a "-m" in your command line, thus asking to use a match module called tcp. This module does not exist.

Check the manpage of iptables, and read the chapter "MATCH EXTENSIONS".

I can give you more help if you need, but you might want to review your scoring here. 20 points with a grade of B for this work does not seem very rewarding.... Sorry, but I had to say it!
 

Author Comment

by:aejaz
ID: 10789324
iptables -A PREROUTING -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

where xxx is any IP and yyy is the subnet mask, it returns the same message, i.e.

iptables: No chain/target/match by that name

I found the answer, and for your information and all others: "-t nat" after PREROUTING will do the job.

I want to ask you how to increase the points for this question.

I typed all the iptables rules as root and afterwards used the

iptables-save

command to commit, but when I restarted the system and used this command

iptables -L

it shows no rules. So how do I make permanent changes?
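The "-t nat" finding above comes down to which table a chain lives in: iptables uses the filter table unless -t says otherwise, and PREROUTING, POSTROUTING and the REDIRECT target belong to the nat table. Here is an added example (not from the thread or the iptables project) that checks a rule's table, chain and target against each other without running iptables; it only models the filter and nat tables of the 2.4-era setup discussed here (an assumption), and it reports where a chain exists, not which chain is right for a purpose (the accepted answer's INPUT for the ping rule is that kind of decision).

```python
"""Static check of an iptables rule's table, chain and target, explaining the
'No chain/target/match by that name' error the thread hit. Added example, not
from the thread or the iptables project; it does not run iptables. Scope
(assumption): only the filter and nat tables with their built-in chains, as on
the 2.4-era kernel discussed here; user-defined chains and match modules
(-m) are not modelled."""
import shlex

# Built-in chains of each table. filter is used when -t is omitted.
CHAINS = {
    "filter": ("INPUT", "FORWARD", "OUTPUT"),
    "nat": ("PREROUTING", "OUTPUT", "POSTROUTING"),
}
# Targets that exist only in the nat table.
NAT_ONLY_TARGETS = ("REDIRECT", "MASQUERADE", "SNAT", "DNAT")


def parse_rule(cmdline):
    """Pull table, chain and target out of an iptables command line."""
    argv = shlex.split(cmdline)
    rule = {"table": "filter", "chain": None, "target": None}
    for flag, key in (("-t", "table"), ("-A", "chain"), ("-I", "chain"),
                      ("-D", "chain"), ("-j", "target")):
        if flag in argv and argv.index(flag) + 1 < len(argv):
            rule[key] = argv[argv.index(flag) + 1]
    return rule


def check_rule(cmdline):
    """Return a list of reasons iptables would reject the rule; [] means the
    table, chain and target agree (which is all this check knows about)."""
    rule = parse_rule(cmdline)
    table, chain, target = rule["table"], rule["chain"], rule["target"]
    if table not in CHAINS:
        return ["unknown table %r" % table]
    problems = []
    if chain not in CHAINS[table]:
        homes = [t for t, chains in CHAINS.items() if chain in chains]
        hint = "it exists in: " + ", ".join(homes) if homes else "no built-in table has it"
        problems.append("chain %s is not in table %s (%s)" % (chain, table, hint))
    if target in NAT_ONLY_TARGETS and table != "nat":
        problems.append("target %s only exists in the nat table" % target)
    return problems


if __name__ == "__main__":
    # The thread's rules (constructed 192.0.2.0/24 in place of xxx/yyy), before and after -t nat.
    for cmd in ("iptables -A PREROUTING -p icmp --icmp-type 8 -j DROP",
                "iptables -A PREROUTING -s 192.0.2.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080",
                "iptables -t nat -A PREROUTING -s 192.0.2.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080"):
        print(cmd, "->", check_rule(cmd) or "ok")
```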
 

Author Comment

by:aejaz
ID: 10790626
OK, OK, I got the answer myself. ;0)

So for a permanent save, use this:

/sbin/service iptables save

That will do the trick ... that is for all newbies.

aejazz