Log from #iptables at freenode 2006-05-20
[18:23]<asvjzd>+Usually the first patch release is stable.
[18:24]<asvjzd>+Except 2.6.15, where they broke USB.
[18:25]<zj20>+did they? I haven't run into that yet.
[18:25]<zj20>+I guess there went my uptime :)
[18:26]<zj20>+ 10:25:49 up 136 days, 12:50, 5 users, load average: 0.00, 0.00, 0.00
[18:26]<asvjzd>+Broke means most USB devices failed, not that it was unstable.
[18:26]<asvjzd>+It was only unusable :P
[18:26]<zj20>+You can tell, I don't use USB much.
[18:27]<zuynm>-hmm, that could be a problem, because my modem is connected via USB with CDCEther module...
[18:27]<asvjzd>+Maybe it doesn't fail :-)
[18:28]<asvjzd>+2.6.15.y where y>2 should be okay.
[18:28]<zj20>+I did deploy some 2.6.15.6's which have USB storage devices. No problems seen AFAIK.
[18:28]<asvjzd>+Anyway, it's not that channel. :-)
[18:30]<zj20>+afk, ttyl (as opposed to TTL :) )
[18:37]<zuynm>-I'll be back... if USB works with my new kernel... :)
[19:03]<axzjjvnm>+seriously guys
[19:03]<axzjjvnm>+how do I get REDIRECT to work without having an IP address on that network?
[19:10]<asvjzd>+You'd have to use ebtables and work with MAC addresses.
[19:18]<axzjjvnm>+I think I might have found a different way using MARK and ip route tables....
[19:47]<axzjjvnm>+hmm... no this does the same thing... the syn packets are coming, but aren't being routed, nor being replied to from my router
[19:47]<axzjjvnm>+this doesn't make any sense at all
[19:50]<axzjjvnm>+I've tried DNAT, REDIRECT, MASK+ ip route + ip rule and they all seem to just DROP the packets
[20:17]<axzjjvnm>+where the hell are my packets going
[20:29]<axzjjvnm>+sometimes I hate iptables
[20:46]<lremmjr>+chrooted: what does your rule set look like?
[20:49]<axzjjvnm>+well, right now I have my devices set to an address on the network, and then deleted the local address from the local table like:
[20:50]<axzjjvnm>+ip route del table local local 192.168.8.16 dev vlan1 proto kernel scope host src 192.168.8.16
[20:50]<axzjjvnm>+and made a rule in mangle table which marks it with 100 if it's going to port 443,
[20:51]<axzjjvnm>+iptables -i "$wifi_ifname" -I PREROUTING -t mangle -p tcp --destination-port 443 -j MARK --set-mark 100
[20:51]<axzjjvnm>+and I have an ip rule which tells it to use table 100 when a packet is marked with 100
[20:51]<axzjjvnm>+doh
[20:52]<axzjjvnm>+why can't advanced routing be easy in linux?
[20:54]<axzjjvnm>+I think there's something special about table local
[20:56]<axzjjvnm>+it seems like the local table is the only one that will let me put in a rule that's of type local... if I put it anywhere else, the packets get dropped
[21:02]<axzjjvnm>+I wonder why -j DNAT --to-destination 127.0.0.1 isn't working
[21:11]<lremmjr>+chrooted: use REDIRECT instead
[21:14]<axzjjvnm>+REDIRECT isn't working
[21:14]<axzjjvnm>+it does the same thing
[21:14]<lremmjr>+what does the rule look like?
[21:14]<axzjjvnm>+ 12 720 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 443
[21:15]<axzjjvnm>+I see the syn packets come in, but nothing goes out
[21:15]<lremmjr>+so why are you redirecting traffic to the lo for?
[21:16]<axzjjvnm>+well, I need the packets to end up going to a program on the firewall
[21:16]<axzjjvnm>+right now they are just disappearing
[21:16]<axzjjvnm>+and without the rule, they just pass through to the box I'm firewalling
[21:16]<lremmjr>+that would be an input rule that you are playing with?
[21:17]<axzjjvnm>+that REDIRECT is in the PREROUTING on the nat table
[21:18]<lremmjr>+you are not routing; if the packet is for the firewall, it's an input packet
[21:18]<axzjjvnm>+actually that REDIRECT rule is just letting the packets pass through to the other machine, it was the DNAT rule that was dropping the packets
[21:20]<lremmjr>+you said '<chrooted> well, I need the packets to end up going to a program on the firewall' that's an input not a routed packet
[21:20]<axzjjvnm>+basically, what I want is: if the packet is to port 443, deliver it to the firewall instead of letting it pass through, otherwise let everything pass through to the box being firewalled
[21:21]<axzjjvnm>+that's normally easy assuming that my firewall and the box being firewalled both have separate IP addresses, but in my case, I can only use one address
[21:22]<axzjjvnm>+I thought it was possible to do in linux, but it turns out that maybe I was wrong
[21:22]<lremmjr>+you're going to allow access to port 443 on your firewall from the outside?
[21:23]<axzjjvnm>+right
[21:23]<lremmjr>+not smart but it's your system
[21:23]<axzjjvnm>+the two networks I'm routing are actually two sub subnets being proxy arp routed
[21:25]<axzjjvnm>+and then you're going to ask me why I don't use bridging instead of proxy arp, and the reason is because I'm using wpa on one of the devices and linux's bridging code doesn't seem to support that
[21:25]<lremmjr>+i could be wrong here but you should just be able to accept the packet in the input table and be fine
[21:26]<lremmjr>+wasn't going to ask that at all. :)
[21:26]<axzjjvnm>+most people ask me that
[21:27]<axzjjvnm>+if I accept it on the input table, it's just going to get routed to the other machine which isn't listening on port 443, so my webbrowser gets a RST reply
[21:28]<lremmjr>+i'm not sure, my firewall only has access via direct keyboard and mouse
[21:28]<lremmjr>+let me try something here
[21:31]<lremmjr>+ok i just tried a test and it worked here fine
[21:32]<lremmjr>+make sure your INPUT rule is before your routing rules and 443 should stop at your firewall
[21:34]<lremmjr>+worked here
[21:34]<axzjjvnm>+does your firewall have the same ip address as the machine you are trying to route to?
[21:37]<lremmjr>+doesn't matter. your firewall should DNAT all traffic that is not destined for it. so if your input statements are before the forward statements it should be caught
[21:38]<axzjjvnm>+so what does your rule look like?
[21:39]<lremmjr>+your rule should look something like this iptables -A INPUT -p tcp -ddport 443 -j ACCEPT
[21:40]<lremmjr>+your rule should look something like this iptables -A INPUT -p tcp --dport 443 -j ACCEPT
[21:40]<lremmjr>+i'm not doing the same thing you are and i was testing something else
[21:41]<lremmjr>+if the input rule is before your forward rules it should be caught as iptables reads the rules top-down
[22:19]<tjgd[]_>-hi
[22:20]<tjgd[]_>-I've not upgraded my kernel or iptables in some time, but today when trying to restart iptables I've started getting the following error message: Applying iptables firewall rules: iptables-restore v1.2.11: Couldn't load match `comment':/lib/iptables/libipt_comment.so: cannot open shared object file: No such file or directory
[22:21]<tjgd[]_>-the error is self explanatory, but I can only find this lib referred to in versions 1.3 and above of iptables?
[22:21]<tjgd[]_>-why/what would start this error occurring?
[22:28]<tjgd[]_>-google appears to give me no useful results either
[22:29]<tjgd[]_>-lsmod shows ip_tables is loaded
[22:30]<zj2wow0>+Have you edited your iptables-save ruleset recently?
[22:30]<tjgd[]_>-hmm .. yes
[22:30]<tjgd[]_>-hence the restart
[22:30]<zj2wow0>+ding ding ding
[22:30]<tjgd[]_>-thanks .. I'll go look
[22:30]<zj2wow0>+You probably added some comments, right?
[22:30]<tjgd[]_>-right
[22:30]<tjgd[]_>-bad form not to
[22:31]<tjgd[]_>-bad form not to add comments
[22:31]<tjgd[]_>-got it
[22:31]<zj2wow0>+and your kernel config doesn't build the comment modules
[22:31]<zj2wow0>+:)
[22:31]<tjgd[]_>-thanks rob8
[22:32]<tjgd[]_>-10
[22:32]<tjgd[]_>-:o
[22:32]<tjgd[]_>-damn .... that's gotta be the most factually correct and least helpful error message ever :)