Log from #iptables at freenode 2006-06-02
[16:31]<mnp2dvn>hi all
[16:31]<mnp2dvn>is iptables also a proxy ?
[17:37]<sgjjld>do i need any patches to use htb? (kernel 2.6.x)
[17:42]<rnryv>snoopy: should not
[18:13]<rvdrv>snoopy: no just kernel recompile and full support for htb
[18:15]<sgjjld>atmat: thank you, and do you know whether patch-o-matic contains layer7, or do i need to apply patches 1 by 1?
[18:16]<rvdrv>don't know.
[18:18]<sgjjld>thx, anyway i'll find out how it works (i hope so) :)
[18:20]<rvdrv>nice kick hehe
[18:20]<rvdrv>s/kick/nick :P
[18:20]<vzrllysv>snoopy: layer 7 is a separate patch set
[18:20]<sgjjld>ok now i know everything
[18:24]<vzrllysv>awesome. tell me.
[19:24]<_srd-->hey i have a box with 3 eths in it...192.168.1.7, 0.7, and an external IP....i am trying to use iptables to let machines on the 192.168.1.0 network forward through and talk to machines on the 192.168.0.1 network....
[19:24]<_srd-->but i cant seem to make it work
[19:25]<_srd-->is it just a simple iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT, something like that, or am i missing something?
[19:25]<_srd-->like, i need boxes on the 192.168.1.0 network to be able to VNC through the iptables machine and connect to clients on the 192.168.0 net
[19:28]<xzzm__wzzn>_Sam--: yes
[19:28]<xzzm__wzzn>iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
[19:28]<rwpr>can you do multinet via -s 0.0.0.0/0,0.0.0/1...
[19:28]<xzzm__wzzn>iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
[19:28]<rwpr>_Sam-- : lol.. quit following me around
[19:28]<_srd-->hah!
[19:28]<rwpr>gesus!
[19:29]<_srd-->hard__ware : what's odd is that from the 1.0 network i can ping hosts on the 0.0 through the iptables box....
[19:29]<_srd-->but if i try to VNC through it to a host on the 0 network...it doesn't work
[19:29]<xzzm__wzzn>_Sam--> did you add 2 rules or just 1 ?
[19:29]<zj20>If ping works you might have some other issue, like a client firewall.
[19:30]<xzzm__wzzn>Ja, or possibly even other filters on localhost
[19:30]<_srd-->i have both rules in there
[19:31]<_srd-->and same thing...i can ping, but not vnc or other
[19:31]<xzzm__wzzn>like iptables -t mangle / -t nat and rp_filter
[19:31]<_srd-->i do have -t mangle
[19:31]<_srd-->that could be doing it?
[19:31]<zj20>show ruleset
[19:31]<drwygn>Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
[19:31]<xzzm__wzzn>rules possibly in there, yes
[19:32]<_srd-->http://sam.pastebin.com/753783
[19:33]<lmj>hello the chan
[19:33]<lmj>I activated something crazy for me; do you know why my /var/log/message is FULL of "Jun 2 18:19:47 netstation kernel: IN= OUT=eth0 SRC=xx.xx.xxx.xxx DST=xx.xx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=50372 DF PROTO=TCP SPT=50182 DPT=6881 WINDOW=2032 RES=0x00 ACK FIN URGP=0", and how can I stop logging them please?
[19:34]<xzzm__wzzn>although, if the correct routes exist on the local host, and it is set to IP Forward for all interfaces, and as long as people on the "right side of the network" are connected to their respective subnet
[19:35]<xzzm__wzzn>rpfilter should then be ok ...
[19:36]<_srd-->sorry, this is the output from iptables-save: http://sam.pastebin.com/753787
[19:37]<xzzm__wzzn>well it doesn't appear to be anything else ... especially not the mangle or nat table
[19:38]<xzzm__wzzn>_Sam--> is the router / gateway also going to be a proxy ? or has it got multiple IPs or maybe even a subnet ?
[19:38]<xzzm__wzzn>External ... Public IPs =)
[19:39]<_srd-->the iptables box has three interfaces, the 0 network, the 1 network, and external public IP
[19:39]<xzzm__wzzn>are you doing snat ?
[19:39]<xzzm__wzzn>masq ?
[19:39]<_srd-->it was setup to do masq
[19:39]<xzzm__wzzn>ok ...
[19:40]<xzzm__wzzn>well if still no go ... is the other end WinXP ?
[19:40]<xzzm__wzzn>if so , is winxp firewall enabled ?
[19:40]<xzzm__wzzn>you may need to add a custom rule
[19:40]<xzzm__wzzn>and half the time the custom rules don't even work = P
[19:40]<_srd-->the other hosts, which i can ping but not connect to...are all XP hosts with the XP firewall set fine to allow VNC -- they work fine if i vnc from a host on the same net
[19:41]<_srd-->so, my host is on the 1 network...i can ping hosts on the 0 network...but i cannot connect to them on any ports
[19:41]<xzzm__wzzn>ahha ... but that is a lot different ;-)
[19:41]<xzzm__wzzn>same net ... should be ok
[19:41]<_srd-->i just said that. "they work fine if
[19:41]<_srd--> i vnc from a host on the same net"
[19:41]<xzzm__wzzn>i know ...
[19:41]<xzzm__wzzn>im just saying thats not good enough
[19:42]<_srd-->obviously not or i wouldnt be here :)
[19:42]<rwpr>-s wont take multiple networks?
[19:42]<rwpr>why is that
[19:42]<xzzm__wzzn>XP firewall has a tendency to do stuff differently on a LAN than with traffic from other LANs arriving at its own LAN's IP
[19:44]<xzzm__wzzn>disable firewall on a XP host
[19:44]<xzzm__wzzn>then test
[19:45]<xzzm__wzzn>if it works ... get a 3rd party FW software for the MS Boxens
[19:45]<_srd-->same thing...just did.
[19:45]<_srd-->still doesn't work
[19:45]<xzzm__wzzn>hmmm really ?
[19:45]<rwpr>yo
[19:45]<rwpr>how can i do multiple networks via single -s switch?
[19:45]<_srd-->both networks can ping the other hosts fine
[19:45]<_srd-->but not connect to them
[19:45]<_srd-->from the 0 i can ping 1 hosts, and vice versa
[19:46]<sgnzcm_bzsvzzm>XP firewall has a tendency to make security professionals incapacitated from either extended retching or uncontrollable spasmodic laughter.
[19:47]<sgnzcm_bzsvzzm>"firewall"
[19:47]<xzzm__wzzn>a1fa: use iprange
[19:47]<sgnzcm_bzsvzzm>I suspect it's actually a subtle DoS attack on Security Pros
[19:47]<rwpr>iprange?
[19:47]<xzzm__wzzn>a1fa: if they are very consecutive ...
[19:48]<rwpr>module
[19:48]<rwpr>they are all networks
[19:48]<xzzm__wzzn>if not ... maybe something similar to ippool
[19:48]<rwpr>$IPTABLES -A INPUT -i $UNTRUSTED -s $TRUSTEDSPOOF,$DMZ1SPOOF,$DMZ1SPOOF,$DMZ2SPOOF,$MANAGEMENTSPOOF,$WIRELESSSPOOF -j DROP
[19:48]<rwpr>spoofing
[19:48]<xzzm__wzzn>yes ... NetFilter POM Modules
[19:48]<sgnzcm_bzsvzzm>damn, nobody laughed at my satire :(
[19:49]<xzzm__wzzn>Sneaky_Bastard: i was
[19:49]<xzzm__wzzn>=P
[19:49]<rwpr>no
[19:49]<sgnzcm_bzsvzzm>oki :p
[19:49]<sgnzcm_bzsvzzm>ty