Log from #iptables at freenode 2006-05-19
[04:51]<sfun>are binary incompatible.
[04:52]<cxjwmgyggm>hello
[04:52]<mrrynfmr>oh. You don't have a threaded version of perl...
[04:52]<mrrynfmr>and I use threads quite a bit in that program.
[04:52]<mrrynfmr>what version of perl do you have?
[04:53]<mrrynfmr>Chowmeined: hello
[04:53]<cxjwmgyggm>Does anybody know why iptables would hang while I am trying to --list? It happens after I add certain rules but not others; I'm not exactly sure what is up with it
[04:53]<mrrynfmr>Chowmeined: looking up DNS, try iptables -vnL
[04:54]<mrrynfmr>maxine: show ruleset
[04:54]<drwygn>Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
[04:54]<mrrynfmr>you don't need to actually paste though :)
[04:54]<cxjwmgyggm>oh that worked thank you
[04:55]<cxjwmgyggm>I don't remember it doing that before though.. is it really needed if I'm doing something like -s 0/0 -j DROP?
[04:55]<sfun>danieldg, router linux # perl -V
[04:55]<sfun>Summary of my perl5 (revision 5 version 8 subversion 7) configuration:
[04:56]<mrrynfmr>sque: can you recompile with usethreads=define?
[04:57]<sfun>atm... I think it's time for me to sleep
[04:57]<sfun>:p
[04:58]<sfun>and nobody is alive at #netfilter
[04:58]<sfun>damn
[04:58]<sfun>cya tomorrow
[04:58]<sfun>danieldg, many manny thanks :)))))))))
[04:58]<mrrynfmr>you're welcome
[05:04]<zn_m>cant build iptables
[05:04]<zn_m>anyone here?
[05:04]<drwygn>nobody is here except for those that are here, and me, but I'm a bot. Ask a question, and someone might respond
[05:05]<zn_m>+ make 'COPT_FLAGS=-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fno-omit-frame-pointer -DNDEBUG' KERNEL_DIR=/home/mmodem/rpm/BUILD/iptables/linux-2.6-pom LIBDIR=/lib all
[05:05]<zn_m>Unable to resolve dependency on /usr/lib/gcc/i486-linux-gnu/4.0.2/include/stddef
[05:05]<zn_m>i get this build error
[05:06]<mrrynfmr>what are you building? iptables itself?
[05:07]<mrrynfmr>what version?
[05:07]<zn_m>yes
[05:07]<zn_m>1.3.5
[05:07]<zn_m>but i use a spec
[05:07]<mrrynfmr>spec?
[05:07]<zn_m>a rpm spec
[05:08]<zn_m>a mandriva rpm spec used to build a previous version
[05:09]<mrrynfmr>does it work directly?
[05:09]<zn_m>if i do just make i get this error:
[05:09]<zn_m>Unable to resolve dependency on /usr/lib/gcc/i486-linux-gnu/4.0.2/include/stddef.h. Try 'make clean'.
[05:09]<zn_m>which is the same error
[05:09]<mrrynfmr>and if you make clean?
[05:10]<zn_m>same thing
[05:10]<mrrynfmr>on the make clean, or the make?
[05:11]<zn_m>+ make
[05:11]<zn_m>Unable to resolve dependency on /usr/lib/gcc/i486-linux-gnu/4.0.2/include/stddef.h. Try 'make clean'.
[05:12]<mrrynfmr>does that file exist?
[05:12]<zn_m>with make clean the message is the same
[05:12]<zn_m>no
[05:13]<mrrynfmr>I just checked, had the same problem with 4.0.3 versus 4.0.4, but make clean fixed it
[05:13]<zn_m>i runed make clean with sme error
[05:13]<aa>s/runed/ran/
[05:14]<mrrynfmr>make clean also gave an error?
[05:14]<zn_m>the same
[05:14]<mrrynfmr>try rm *.d
[05:14]<zn_m>in where?
[05:14]<mrrynfmr>iptables source dir
[05:15]<zn_m>there aren't any *.d files
[05:19]<zn_m>I see I have to go build 1.3.3
[10:38]<hggc>Hi, I have a box that is bridging some interfaces connected to other servers. Traffic from and to those servers passes this bridge. I want this 'bridge' to monitor traffic (detect portscans bi-directionally, detect ssh dictionary attacks, etc.). How would I best do this?
[10:44]<hggc>Oh yes, what I want of course is to trigger some actions based on the detected situations (block specific incoming IPs if they are scanning me, shut down an interface if it appears to be hacked and starts scanning others, etc.)
[11:08]<rrffnn>Henk: what's the speed of the box that should do that?
[11:09]<rrffnn>and of course what percentage of the CPU can you spare for the filtering process?
[11:11]<rrffnn>you definitely need ebtables for this, and for that kind of thing you need at least a 600MHz Athlon doing that kind of stuff exclusively for filtering, probably 1GHz
[11:11]<hggc>callee, the box is fast enough (P4 3GHz) but it's passing a lot of traffic and I don't want things to slow down.
[11:11]<rrffnn>Henk: 100MBit or more?
[11:11]<hggc>callee, Gbit
[11:12]<rrffnn>forget it, switch over to routing instead
[11:12]<drwygn>callee, I didn't have anything matching it, switch over to routing instead
[11:12]<rrffnn>your box will be too slow
[11:12]<rrffnn>at least for peak traffic
[11:13]<hggc>callee, what will routing do for me to make it faster?
[11:13]<rrffnn>Henk: it will make it way faster; of course the routing part will require more cpu power, but filtering will be way faster
[11:14]<rrffnn>your box is sufficient for routing and iptables filtering.
[11:14]<hggc>callee, what kind of filtering would I apply if I use routing? (and I'm not completely sure how to set up routing for this situation)
[11:15]<rrffnn>and it's much simpler to filter on the ip level than on the ethernet level, as there are more cases to look for
[11:16]<hggc>ah, but I'm currently not even considering ebtables. Iptables is working for me (I can e.g. block a port using the forward chain)
[11:16]<rrffnn>Henk: I cannot tell you either, for I do not know your setup. The rules you need to apply are dependent on the setup too; however, detection of portscanning is possible with the ipt_recent module
[11:16]<rrffnn>Henk: a bridge cannot be filtered with iptables
[11:17]<rrffnn>if you bridge 2 interfaces, the kernel does nothing but forward anything, regardless of your ruleset
[11:17]<hggc>callee, no but the individual interfaces in a bridge can using physdev
[11:19]<hggc>callee, ok let me explain a bit on the situation that will clarify things
[11:20]<rrffnn>ok do that
[11:24]<hggc>the box is actually a xen host running a bunch of virtualised servers. These servers have network interfaces that are just like real NICs to the host. The host has all these interfaces and its own eth0 in a bridge; traffic passes the host's bridge. I can use iptables to control this flow like this: iptables -I FORWARD -p icmp -m physdev --physdev-in veth1 -j REJECT
[11:25]<hggc>the above statement will reject all pings from the virtual server to the outside world
[11:25]<hggc>(this actually works i just tried it to make sure )
[11:26]<rrffnn>the physdev module seems new to me, must be some experimental stuff
[11:26]<rrffnn>even google only revealed 2 relevant matches