Log from #iptables at freenode 2006-05-25
[14:44]<adnf[2usd]>I just tested the two
[14:45]<adnf[2usd]>:)
[14:45]<ffrsmjmuac>80 isn't working
[14:45]<ffrsmjmuac>try http://delta9.0xf050.org/phpsysinfo
[14:45]<ffrsmjmuac>none
[14:45]<adnf[2usd]>I got it ..
[14:45]<ffrsmjmuac>sick
[14:45]<adnf[2usd]>here's your server's signature :
[14:45]<adnf[2usd]>Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-16
[14:46]<adnf[2usd]>:)
[14:46]<ffrsmjmuac>:)
[14:46]<adnf[2usd]>so ... 80 was allowed when i performed the test
[17:20]<2ajzgx->Hi. I've got a question. I've setup a box with network bridging between two interfaces. but how do I, with IPtables, deny all traffic on a certain port, between the interfaces?
[17:20]<2ajzgx->I've tried -A INPUT -j DROP -p tcp --dport 3724 (World of warcraft auth port, i want it dead)
[17:20]<2ajzgx->but with no luck
[17:48]<zj20>forward?
[17:48]<drwygn>it has been said that forward is the chain in the filter table which handles packets with both origin and destination not bound on the iptables machine.
[17:48]<zj20>bjornh-: ^^
[17:48]<zj20>except s/forward/FORWARD/
[17:48]<2ajzgx->tried that too.
[17:49]<2ajzgx->I think I did, at least
[17:49]<zj20>CONFIG_BRIDGE_NETFILTER=y ? What kernel version?
[17:53]<wrf_>hi! can anybody tell me how to allow access from my local network to a specific dns server in the internet?
[17:53]<wrf_>i know I have to allow communication to tcp 53 on the server and udp too
[17:55]<wrf_>i've been googling on and off for the last week and I haven't been able to find a direct answer that didn't require a 2 hour reading of some documentation, so please, be kind
[17:57]<zj20>There is no such answer available. It depends on your rules. The general approach is to deny everything from outside except for services which are explicitly opened, and replies to connections initiated from inside.
[17:57]<zj20>state rule
[17:57]<drwygn>state rule is iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; do the same for FORWARD and OUTPUT if you plan to filter those
[18:00]<wrf_>/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ?
[18:00]<wrf_>this will allow all communications from outside that have an origin in one created from inside?
[18:01]<wrf_>(I kind of know how things work, but it's been years since I've done this...)
[18:03]<wrf_>my local interface is eth0 and my internet interface is eth1
[18:04]<zj20>unreliable guides
[18:04]<zj20>hang on
[18:05]<zj20>http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html
[18:05]<zj20>one short page.
[18:08]<wrf_>hm... that doesn't seem to do the trick...
[18:09]<wrf_>I have everything set up, forwarding working just fine. I can even get to google if I use the ip...
[18:09]<wrf_>but dns isn't working...
[18:09]<wrf_>i can ping to any address outside my network range...
[18:13]<wrf_>this is what I've done:
[18:13]<wrf_>sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[18:13]<wrf_>sudo /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[18:40]<aa>xal_: are you certain it's a netfilter thing?
[18:40]<aa>what's your /etc/resolv.conf say?
[18:45]<xgssjlxrggs>Hi, are there known issues with the ipt_ROUTE patch and 2.6.17? I'm getting "ip_tables: ROUTE target: invalid size 0 != 40" messages when I try to insert rules that use that target...
[19:00]<wrf_>cj, sorry, i had to go away...
[19:00]<aa>xal_: np here :)
[19:00]<aa>xal_: I'm always here
[19:01]<wrf_>my local resolv.conf is fine... I configured the other pcs to use the same dns servers I have in resolv.conf
[19:01]<wrf_>(the others are win xp)
[19:03]<wrf_>here's my current setup: http://pastebin.com/737279
[19:03]<wrf_>i'm on fc5
[19:05]<aa>xal_: and /etc/resolv.conf?
[19:05]<zzgzg>Trying to setup a forward so that eth0:80 goes to eth1:80, running these commands and no luck:
[19:05]<zzgzg>iptables -A FORWARD -i 10.2.8.54 -o 192.168.2.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[19:05]<zzgzg>iptables -A PREROUTING -t nat -p tcp -d 10.2.8.54 --dport 80 -j DNAT --to 192.168.2.1:80
[19:05]<wrf_>2 nameservers...
[19:06]<aa>xal_: can you ping them?
[19:06]<wrf_>200.42.97.111 and 200.42.0.111
[19:06]<wrf_>no, they have icmp disabled...
[19:07]<aa>what happens when you run $ host 200.42.97.111 foo.com ?
[19:07]<aa>$ traceroute 200.42.97.111
[19:13]<wrf_>hold on, i'm running tracert on the xp...
[19:17]<wrf_>http://pastebin.com/737318
[19:17]<wrf_>actually it's still running, but i don't think it'll give much more info...
[19:18]<aa>xal_: hmm...
[19:18]<aa>do you have any other systems on the network that can resolve hosts?
[19:19]<wrf_>no...
[19:19]<aa>do you have any other systems on the network that can not resolve hosts?
[19:19]<aa>do you have any other systems on the network?
[19:19]<wrf_>but i'm pretty sure my problem is that the dns can't get a response back to the client....
[19:19]<wrf_>not at the moment...
[19:19]<aa>run tcpdump while issuing that query
[19:20]<wrf_>tcpdump?
[19:20]<aa>heh
[19:20]<aa>which tcpdump
[19:21]<aa>it should probably be /usr/sbin/tcpdump
[19:21]<aa>if it's not installed, get it installed
[19:21]<aa>it's nice for watching packets jump around here and there
[19:21]<zzgzg>Trying to setup a forward so that eth0:80 goes to eth1:80, running these commands and no luck:
[19:21]<zzgzg>iptables -A PREROUTING -t nat -p tcp -d 10.2.8.54 --dport 80 -j DNAT --to 192.168.2.1:80 and
[19:21]<aa>gregn: ask danieldg... he knows about such things
[19:22]<zzgzg>danielg you around?
[19:25]<wrf_>cj: i'm on it
[19:26]<wrf_>oh, apparently I have it...
[19:27]<wrf_>running tcpdump on my inner interface throws a bunch of these:
[19:27]<wrf_>13:27:03.813858 IP 192.168.0.1 > 192.168.0.2: ICMP host rdns4.prima.com.ar unreachable - admin prohibited, length 83
[19:28]<aa>something like proto not icmp
[19:28]<aa>man tcpdump\
[19:28]<aa>s/\\//
[19:28]<wrf_>woah! hold your horses!!
[19:29]<wrf_>what exactly do you need?
[19:30]<aa>run "man tcpdump"