Log from #iptables at freenode 2006-05-16
[20:08]<xzgmzyx>mariooliveira, u could
[20:08]<xzgmzyx>if u can get his mac address
[20:08]<xzgmzyx>:P
[20:09]<xzgmzyx>im pretty sure that
[20:09]<dzzyjjfyvnyzz>i mean i just want to allow my mac address
[20:09]<xzgmzyx>u just want to allow ur mac address ?
[20:09]<dzzyjjfyvnyzz>someone told me the opposite, mac address block only works inside my lan
[20:10]<dzzyjjfyvnyzz>yes but from a remote pc
[20:10]<xzgmzyx>well see
[20:10]<dzzyjjfyvnyzz>we could make a little test to make sure
[20:11]<xzgmzyx>iptables -A INPUT -s x.x.x.x -m mac --mac-source x:x:x:x:x:x -j DROP would drop it
[20:11]<xzgmzyx>and for a specific port
[20:12]<xzgmzyx>$IPTABLES -A INPUT -p tcp --dport 8000 -s x.x.x.x -m mac --mac-source x:x:x:x:x:x -j ACCEPT
[20:12]<xzgmzyx>will only accept that ip with that mac address on that port
[20:12]<dzzyjjfyvnyzz>try this ssh 82.155.204.163
[20:13]<xzgmzyx>dyou do -j DROP
[20:13]<xzgmzyx>or -j REJECT
[20:13]<dzzyjjfyvnyzz>you probably can get in
[20:13]<xzgmzyx>*cant
[20:14]<xzgmzyx>i cant get it atm
[20:14]<xzgmzyx>network error connection timed out
[20:14]<dzzyjjfyvnyzz>now give me your mac address so i can allow it
[20:14]<xzgmzyx>erm
[20:14]<xzgmzyx>*thinks*
[20:14]<xzgmzyx>i forget what it is and i forget how to check what my internet mac address is
[20:15]<xzgmzyx>:S
[20:15]<dzzyjjfyvnyzz>in a stamp on modem
[20:15]<xzgmzyx>meaning ?
[20:15]<xzgmzyx>sorry im tired
[20:16]<dzzyjjfyvnyzz>your modem has mac visible on a stamp
[20:16]<xzgmzyx>unless u ment this dsl-159-40.aei.ca im a bit lost and tired
[20:16]<xzgmzyx>i am far from that modem at the moment lol
[20:16]<dzzyjjfyvnyzz>ok thanks
[20:16]<xzgmzyx>:S
[21:16]<dzzyjjfyvnyzz>help testing my firewall
[21:30]<-- sgvgzs xzs fuyv (>/dev/brain")
[21:36]<pdznsvzvz>where does iptables store its rules?
[21:40]<lnnayw>fyrestrtr: kernel memory
[21:40]<pdznsvzvz>so you are saying that I have to manually enter all the rules at system startup, via a script?
[21:41]<lnnayw>fyrestrtr: yes. there is iptables-save & iptables-restore binary to assist you in that task
[21:41]<lnnayw>fyrestrtr: most of the time, the distro you are using provide a /etc/init.d script for such
[21:41]<lnnayw>example: /etc/init.d/iptables save
[21:43]<pdznsvzvz>ah okay, sorry for the questions peejix -- I've just spent the past 4 hours trying to setup a server as a gateway, and I am just ... lost :( Everything is working okay (forwarding, masquerading) but I cannot figure out how to add some rules to the firewall for specific ports/services.
[21:47]<pdznsvzvz>on logging, how do I append the interface for which the packet has been logged?
[21:50]<lnnayw>fyrestrtr: you cannot do that using a single rule. You need a rule for each interface you want to log and use --log-prefix to specify what interface
[21:53]<vzrllysv>correct me if I'm wrong, but the in and out interfaces, if applicable, are in every iptables log
[21:57]<dzzyjjfyvnyzz>i need someone to help me test my firewall
[21:57]<pdznsvzvz>guys, can you please have a look at this http://pastebin.com/721110 -- I don't know if I'm doing anything wrong/right. I am trying to block everything, except SMTP port.
[21:58]<pdznsvzvz>then I would like to add additional exceptions -- basic policy is, block everything, only allows those that are listed.
[21:59]<dzzyjjfyvnyzz>what do you see in a web browser https://marinadecascais.no-ip.info:10000/ ???
[22:01]<pdznsvzvz>mariooliveira: can't connect.
[22:01]<dzzyjjfyvnyzz>good
[22:01]<dzzyjjfyvnyzz>what is your ip address so i can allow it
[22:02]<lnnayw>trappist: yeah, you're right!
[22:03]<pdznsvzvz>peejix: any idea on my pastebin? :)
[22:06]<dzzyjjfyvnyzz>im not very good with iptables
[22:07]<-- mzwzuvxjzmvm xzs>people's productivity is inversely proportional to their presence in #tuwien")
[22:07]<dzzyjjfyvnyzz>what is your ip so i can try to enable in my firewall
[22:12]<dzzyjjfyvnyzz>whats your ip address joga so i can enable on my firewall
[22:16]<pdznsvzvz>gaaah!!! how do I enable port 25 to be forwarded to the internet?!?! -- the incoming is working, the outgoing -- nope.
[22:21]<drvvx_>mariooliveira: you're definitely wrong trying to filter ppl from the net with their mac address
[22:23]<drvvx_>mac address is at ethernet layer (2), and does only have a meaning inside your ethernet segment from your computer point of view
[22:24]<drvvx_>every ppl coming from the internet will be seen at layer 2 as your default gw's (mostly) mac address
[22:24]<drvvx_>look for some network courses
[22:32]<pdznsvzvz>matth_: can you help me with something, please?
[22:34]<pdznsvzvz>I am trying to forward port 25 from the local net interface, to the external interface using http://pastebin.com/721110 -- but I cannot telnet on 25 from the host, any idea?
[22:40]<drvvx_>I see a problem
[22:41]<drvvx_>iptables -I FORWARD -i $INTERNET -p tcp -s $MAILSERVER --dport 25 -j ACCEPT
[22:41]<drvvx_>you want to allow -d $MAILSERVER instead I guess
[22:42]<drvvx_>If you want to allow people from the internet to reach your mailserver inside your private lan
[22:43]<drvvx_>another thing, they won't contact $MAILSERVER:25 but instead $ROUTER:25
[22:43]<drvvx_>so they will hit the INPUT chain
[22:44]<drvvx_>you got to enable incoming tcp/25 to your routing box
[22:44]<drvvx_>does that sound ok ?
[22:55]<pdznsvzvz>yeah
[22:56]<pdznsvzvz>I guess -- I am swimming in routers, chains, rules right now.
[22:56]<pdznsvzvz>basically, I need only one machine -- that $MAILSERVER to be able to talk on 25 and receive on 25, no one else.
[22:59]<pdznsvzvz>god damn this $%$$^@$%$@%$@
[23:01]<pdznsvzvz>I can't get port 25 open!
[23:01]<pdznsvzvz>it's 23:01 right now, been doing this since 15:00
[23:02]<drvvx_>heh that took me around 1mn to test it on my setup :p
[23:03]<pdznsvzvz>okay *sigh* -- how do I start from scratch?
[23:03]<drvvx_>how do you diagnose that ?
[23:03]<pdznsvzvz>telnet gmail.com 25 <-- from the $MAILSERVER
[23:03]<pdznsvzvz>also, none of my emails are going out.
[23:04]<pdznsvzvz>can I clear all the rules except masq + forwarding? Otherwise, I will lose my connection to the internet.
[23:05]<pdznsvzvz>my latest attempt was to use http://www.malibyte.net/iptables/scripts/fwscripts.html
[23:05]<drvvx_>before starting from scratch just diagnose a little bit to see where that's blocking
[23:06]<pdznsvzvz>well the thing is, I don't know how to clear it out because I have been adding rules, modifying them, etc. etc.
[23:06]<drvvx_>did you modify the conf since http://pastebin.com/721110 ?
[23:06]<pdznsvzvz>LOL yeah -- err, a LOT.
[23:07]<pdznsvzvz>I actually just wrote that conf myself to keep track of what I was doing.
[23:07]<pdznsvzvz>then I started adding things.
[23:07]<drvvx_>is the first route line really useful ?
[23:08]<pdznsvzvz>no, I just added that in there as a reminder
[23:08]<pdznsvzvz>I don't actually run that script, it's just a series of steps that I am doing.
[23:08]<pdznsvzvz>and I added the variables there to keep track of my interfaces.