Log from #iptables at freenode 2006-05-25
[19:31]<wrf_>yes... i'm reading...
[19:32]<wrf_>do you want me to run on the inner or outer if?
[19:33]<aa>huh?
[19:34]<wrf_>eth1 is connected to the internet, eth0 is local...
[19:35]<aa>oh, if == interface :)
[19:35]<aa>eth1
[19:35]<aa>tcpdump -i eth1 proto not icmp (or something like that)
[19:35]<aa>I've never been good with tcpdump filter syntax
[19:36]<wrf_>well, that filter is not accepted...
[19:36]<aa>so read the docs and see what the *real* syntax is for filtering out ICMP requests
[19:36]<wrf_>according to the man pages icmp is not in the list of protocols...
[19:36]<aa>maybe just pick up port 53
[19:37]<wrf_>that might work...
[19:37]<aa>tcpdump -i eth1 port 53
[19:37]<aa>and run that dns request
[19:37]<zzwffzdnz>tcpdump -i eth0 icmp
[19:42]<wrf_>well tcpdump -i eth1 port 53 won't throw any output....
[19:43]<wrf_>(I'm running a ping request on the xp to google.com)
[19:47]<aa>try eth0?
[19:50]<dzffrsdj># iptables -A INPUT -p tcp -m multiport ! --dports 22,80,10000,31337,6667,7020,7021,21,25 -j DROP
[19:50]<dzffrsdj>iptables v1.3.3: multiport does not support invert
[19:50]<dzffrsdj>Try `iptables -h' or 'iptables --help' for more information.
[19:50]<dzffrsdj>wtf
[19:51]<tdbnzr>multiport
[19:52]<aa>mrplasmo: did you read iptables -h? the man page?
[19:53]<wrf_>http://pastebin.com/737392
[19:53]<aa>mrplasmo: looks like you can't list ports not to be dropped
[19:53]<aa>mrplasmo: so drop everything and then allow those ports
[19:54]<aa>xal_: and you're not getting *anything* on eth1 ?
[19:56]<wrf_>no, running the ping on xp brings nothing if i listen to port 53 on eth1
[20:00]<wrf_>i tried firestarter once and the xp was accessing just fine....
[20:00]<wrf_>but I don't want to use firestarter....
[20:00]<zj20>$ host rdns2.prima.com.ar. rdns2.prima.com.ar.
[20:00]<zj20>;; connection timed out; no servers could be reached
[20:00]<zj20>'course, it could be denying me because I'm outside their networks.
[20:01]<wrf_>rob0: http://pastebin.com/737406
[20:03]<dzffrsdj>how do I drop everything
[20:06]<zj20>mrplasmo: easiest: pull the plug. :) Otherwise: a -j DROP rule with no restrictions.
[20:07]<zj20>xal_: show ruleset
[20:07]<drwygn>Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious.
[20:09]<wrf_>rob0: http://pastebin.com/737426
[20:09]<zj20>RH-Firewall-1-INPUT is a sure sign of trouble :)
[20:09]<drwygn>I think we just lost a wing!
[20:10]<zj20>RH-Firewall-1-INPUT?
[20:10]<drwygn>I think we just lost a wing!
[20:10]<zj20>haha
[20:11]<zj20>xal_: Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL".
[20:11]<zj20>The instruction was explicit.
[20:11]<wrf_>http://pastebin.com/737432
[20:11]<wrf_>sorry
[20:11]<wrf_>i read it late...
[20:13]<zj20>ok, I guess I don't understand the problem. The iptables machine is able to resolve DNS names?
[20:13]<wrf_>yes, just fine...
[20:13]<wrf_>the other pc is not able to resolve dns...
[20:13]<wrf_>it can ping outside without issues...
[20:14]<wrf_>so forwarding is working...
[20:16]<aa>xal_: xen?
[20:16]<drwygn>rumour has it xen is running on the 10.10.10.100 box, correct
[20:16]<aa>maxine: forget xen
[20:16]<drwygn>cj: I forgot xen
[20:16]<zzwffzdnz>maxine ?
[20:16]<drwygn>yes, Rawplayer?
[20:16]<wrf_>cj: what!?
[20:16]<aa>xal_: are you using xen?
[20:16]<wrf_>virtualization?
[20:16]<wrf_>no
[20:17]<zj20>xal_: line 12: the FORWARD chain is not being hit
[20:18]<zj20>lines 16 and 18: those should come before the infamous RH-Firewall-1-INPUT chain.
[20:19]<wrf_>before 14?
[20:20]<ayvyfvna>Does anyone know how to specify a range of subnets with an ip chain rule? (I know how to specify a range of ip's within a subnet [iptables -A INPUT -p tcp -s 10.1.0.0/24], but I want to allow all ip's from 10.1.0.0/24 to 10.4.0.0/24, without specifying four different rules.) Is this possible?
[20:23]<zj20>xal_: in fact a single rule, -I RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT, could replace both. (Not to suggest I condone the use of such names as RH-Firewall-1-INPUT, of course.)
[20:24]<wrf_>:D
[20:25]<zj20>civiltec: there's a lot of space between 10.1.0.0 and 10.4.0.255. You want all of that?
[20:25]<zj20>That's 3 /16's and one /24.
[20:26]<ayvyfvna>rob0, actually not - ultimately, I would prefer only 10.1.0.0 to 10.1.0.255, 10.2.0.0 to 10.2.0.255, etc.
[20:26]<wrf_>rob0: I'm running this script upon startup: http://pastebin.com/737456
[20:26]<zj20>Two of the /16's could combine into a /15. So that's 3 rules you need.
[20:26]<wrf_>is there a way to get rid of the script and integrate what you say and make all work directly at startup?
[20:27]<zj20>civiltec, okay, those are separated /24's, you need 4 separate rules.
[20:27]<zj20>Consider the use of a user chain for things like this.
[20:27]<ayvyfvna>rob0 - okay, that's what I thought - just wanted to make sure there wasn't a more elegant way of doing it...... user chain?
[20:27]<crumyj>when i do system-config-securitylevel and i open port 22 it works, but when i do it with this: /iptables -A INPUT -p --dport 22 -j ACCEPT it doesn't work, i mean it doesn't open.... why?
[20:30]<zj20>civiltec: in the future consider making your RFC 1918 netblocks adjacent. For instance, if you had 10.1.0.0/24 and 10.1.1.0/24 that could be addressed as 10.1.0.0/23.
[20:31]<zj20>Simple subnetting.
[20:35]<wrf_>rob0: I'm looking at my /etc/sysconfig/iptables and it already has a -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[20:37]<zj20>Ah yes, line 26 in http://pastebin.com/737432
[20:38]<wrf_>exactly...
[20:40]<wrf_>i added 16 and 18 through an iptables command not long ago...
[20:40]<wrf_>those don't seem to help much...
[20:40]<zj20>Then you almost certainly have a resolver client problem on the client machine, that's all I can guess.
[20:41]<zj20>what OS is it?
[20:41]<wrf_>here i'm on a fc5
[20:42]<wrf_>the other pc is an xp....
[20:42]<wrf_>but as I said before... last week I tried firestarter and everything worked just fine...
[20:42]<zj20>The XP is the one forwarding but not resolving names.
[20:43]<wrf_>yes, xp can access internet through fc5 but it can't resolve...
[20:43]<wrf_>(it does have the dns set up)
[20:43]<wrf_>to the same addresses I have in resolv.conf