Log from #iptables at freenode 2006-05-25
[01:22]<wjjmd>FWIW you should be able to REJECT UDP. It would result in an "ICMP port unreachable" response from netfilter to the originating host.
[01:28]<wjjmmwjjmlnacnz>Woody: Yes, that is what REJECT actually does. And "port-unreachable" is the default, but you can not use it as default policy.
[01:29]<wjjmmwjjmlnacnz>For tcp connections you would use -j REJECT --reject-with tcp-reset
[01:56]<antns>hi
[01:59]<antns>Is it possible to delay packages for x ms using iptables?
[02:00]<zj20>hmmm, not sure. Interesting idea, though. I think there are some targets which can have a similar effect. I've never played with them.
[02:00]<antns>ok :)
[02:03]<jdzzatt>Hi. I am trying to set up a linux box with 2 internet connections but I can't get it to work. I keep getting "Network is unreachable" when using ip route add default via. Does anybody know what I could be doing wrong?
[02:06]<zj20>omarc55: http://www.ssi.bg/~ja/#routes (requires patched kernel, patch is here)
[02:09]<jdzzatt>version 2.6.9-1.667smp requires this patch?
[02:11]<jdzzatt>that's odd since this was working before (with an old connection). now they got a new connection and it doesn't want to work.
[02:11]<zj20>http://www.ssi.bg/~ja/#routes-2.6
[02:12]<zj20>oh I guess it depends how you want to use it. If you only want one default gateway and the other one merely reply to connections received, you don't need the patch.
[02:13]<jdzzatt>yeah. what I was doing was, having both connections running. all tcp traffic would go through eth1 and all udp traffic through eth2
[02:13]<jdzzatt>and I can't get that to work, I am stuck on that command. and I know the device is up, I checked with ifconfig. and I can ping the gateway.
[02:15]<zj20>Hmmm, I would think with a protocol split like that you'd have to use -t mangle -j MARK and ip rule ... fwmark.
[02:15]<zj20>(I've never tried that.)
[02:15]<jdzzatt>yeah, that's what I was doing.
[02:18]<jdzzatt>but do you know why I could be getting that error?
[02:25]<zj20>"ip route list ; ip rule list" might have some ideas.
[04:14]<jdzzatt>I have the 2 internet connections running at the same time. but now I can't split traffic, anybody know how to send udp data via eth1 for example and tcp data via eth2, all incoming eth0?
[04:14]<mrrynfmr>maxine: multiple uplinks
[04:14]<drwygn>danieldg: i'm not following you...
[04:14]<mrrynfmr>maxine: multiple uplink
[04:14]<drwygn>danieldg: sorry...
[04:15]<mrrynfmr>anyway, I think that can be done directly with iproute, using multiple routing tables
[04:17]<jdzzatt>I am using ip route to setup just the udp table, do I need another table for the tcp?
[04:18]<mrrynfmr>I think it can be on the main table, if that has a default route going out eth2
[04:18]<mrrynfmr>you may have to turn of rp_filter or something
[04:18]<mrrynfmr>s/of/off/
[12:03]<zzwffzdnz>mogguh
[13:15]<-- dvxn|syzzzyus xzs>http://www.bagdadsoftware.de")
[13:48]<ffrsmjmuac>what's the command to reject all ports but 22, 80, 1000, 31337, 6667, 7020, 7021, 21, 25?
[13:50]<adnf[2usd]>plasmoduck => maybe !
[13:51]<adnf[2usd]>! --dports ...
[13:51]<adnf[2usd]>or ! --sports
[13:51]<adnf[2usd]>with -m multiports
[13:51]<adnf[2usd]>something like that
[13:52]<ffrsmjmuac>iptables 22, 80, 1000, 31337, 6667, 7020, 7021, 21, 25 -j ACCEPT?
[13:52]<ffrsmjmuac>what do I have to type exactly
[13:53]<adnf[2usd]>You didn't say precisely what you want to do :)
[13:53]<adnf[2usd]>inbound traffic?
[13:53]<adnf[2usd]>outbound?
[13:53]<ffrsmjmuac>I only want to allow those ports inbound
[13:54]<ffrsmjmuac>and reject all others
[13:54]<ffrsmjmuac>do I need to do iptables -P INPUT REJECT ?
[13:55]<adnf[2usd]>iptables -A INPUT -m multiport ! --dports 22,80,...,25 -j REJECT
[13:55]<adnf[2usd]>You can't set default policy to REJECT :)
[13:55]<adnf[2usd]>only ACCEPT or DROP.
[13:56]<adnf[2usd]>you can do -P INPUT DROP and -m multiport --dports 22,...,25 -j ACCEPT
[13:56]<adnf[2usd]>I think ..
[13:58]<ffrsmjmuac># iptables -A INPUT -m multiport ! --dports 22,80,1000,31337,6667,7020,7021,21,25 -j REJECT
[13:58]<ffrsmjmuac>iptables v1.2.11: multiport needs `-p tcp' or `-p udp'
[13:58]<ffrsmjmuac>eth0 is the internet
[13:58]<adnf[2usd]>okay then add -p tcp or -p udp before
[13:58]<ffrsmjmuac>and eth1 is the ethernet
[13:58]<ffrsmjmuac>where?
[13:58]<adnf[2usd]> iptables -A INPUT -p tcp -m multiport ...
[13:59]<ffrsmjmuac>do I need to do
[14:00]<adnf[2usd]>do you want to manage inbound traffic related to eth0 or eth1 ?
[14:00]<ffrsmjmuac>iptables -A INPUT -m multiport ! --dports 22,80,...,25 -j REJECT
[14:00]<ffrsmjmuac>and you can do -P INPUT DROP and -m multiport --dports 22,...,25 -j ACCEPT
[14:00]<ffrsmjmuac>eth0
[14:00]<adnf[2usd]>it depends on what you want to do with unallowed traffic
[14:00]<adnf[2usd]>reject or drop ?
[14:00]<ffrsmjmuac>what's better?
[14:00]<ffrsmjmuac>security wise
[14:01]<adnf[2usd]>maybe drop
[14:01]<ffrsmjmuac>okay
[14:01]<adnf[2usd]>reject will send an ICMP packet back to the sender
[14:01]<ffrsmjmuac>so do the command again but with just drop?
[14:01]<ffrsmjmuac>maybe I should flush all the rules first?
[14:02]<adnf[2usd]>I don't know if you should flush all first but if you have saved them, you can ..
[14:03]<ffrsmjmuac>no
[14:03]<ffrsmjmuac>okay then
[14:04]<adnf[2usd]>then ...?
[14:04]<adnf[2usd]>:)
[14:05]<aynf[juv]>be back later
[14:05]<ffrsmjmuac>I just did iptables -A INPUT -p tcp -m multiport ! --dports 22,80,1000,31337,6667,7020,7021,21,25 -j DROP
[14:05]<ffrsmjmuac>is that all I need to do?
[14:05]<aynf[juv]>it's sufficient
[14:05]<ffrsmjmuac>okay
[14:06]<ffrsmjmuac>thanks
[14:06]<aynf[juv]>don't forget to test :)
[14:07]<aynf[juv]>If your default policy is DROP you have to do -j ACCEPT without "!"
[14:07]<aynf[juv]>If your default policy is ACCEPT then your rule above is correct
[14:08]<aynf[juv]>If your default policy for INPUT is DROP then this rule will not accept that inbound traffic ..
[14:09]<aynf[juv]>the rule has an effect only if the default policy is ACCEPT. :)
[14:09]<ffrsmjmuac>can you test for me?
[14:21]<adnf[2usd]>plasmoduck => allowed for 6667 and 80
[14:43]<ffrsmjmuac>is that all?
[14:44]<ffrsmjmuac>hmm
[14:44]<ffrsmjmuac>how do I undo that rule