Log from #iptables at freenode 2006-06-07
[15:32]<mnvyf2funs>hi can anybody tell me how do I configure a dual ISP solution? i'm kind of stuck here
[15:35]<zj20>Sure, http://www.ssi.bg/~ja/ and the nano.txt there.
[15:39]<mnvyf2funs>thanks rob0
[18:04]<pyznpyzxvnzbfu1>i have a question :) (doesn't everyone?) i'm moving my sites from one network to another (just one IP), how can i accomplish something like DNAT to bounce requests coming in on the old IP to the new server? it's an entirely different network.
[18:18]<cgjw>hello
[18:18]<pyznpyzxvnzbfu1>hi
[18:18]<cgjw>i have a problem
[18:20]<cgjw>kernel: MASQUERADE: Route sent us somewhere else.
[18:20]<cgjw>?
[18:21]<pyznpyzxvnzbfu1>i don't know
[18:21]<cgjw>:)
[18:21]<cgjw>:(
[18:22]<pyznpyzxvnzbfu1>know, did you google?
[18:23]<cgjw>yes
[18:23]<cgjw>but nothing useful
[18:24]<pyznpyzxvnzbfu1>http://lists.netfilter.org/pipermail/netfilter/2005-January/057933.html
[18:33]<cgjw>thanks!
[19:10]<zj20>FirefighterBlu3: /topic, "having NAT issues?"
[19:20]<zj20>Oh, and a better idea: DNS. Shorten your TTL before the move, you only have to worry for $TTL seconds.
[20:28]<pyznpyzxvnzbfu1>rob0, yeah, i already set my TTL low last week. some people appear to have my old IP hardcoded somewhere or i missed a domain .. and i need to redirect things
[20:28]<pyznpyzxvnzbfu1>the problem i'm seeing is that i've done dnat/masq/ipv4 forward and packets don't seem to be getting to the other network
[20:46]<zj20>As http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html (the URL in /topic) explains, you must also do SNAT. DNAT and SNAT. Note also that all such forwarded connections will be logged at the new site as having come from the old site.
[20:47]<pyznpyzxvnzbfu1>yes, well MASQ is similar to SNAT, just a little different.
[20:49]<zj20>Yes, and I'm not sure it can take the place of SNAT in this context. Anyway it's generally not recommended with static IP addresses.
[20:51]<pyznpyzxvnzbfu1>i see the packets leaving my external interface rewritten properly, but they don't make it to the new machine on the west coast.
[20:51]<pyznpyzxvnzbfu1>so everything -seems- to be functioning right according to tcpdump. the packets just aren't getting out
[20:54]<pyznpyzxvnzbfu1>i suspect something is fishy in state tables because while port 80 bouncing isn't working, port 25 started working while i was out at lunch
[21:22]<rrr2rfm_>i 'm trying to find a good rule for port 25 to receive incoming emails
[21:23]<rrr2rfm_>now, i can send outgoing email
[21:24]<rrr2rfm_>do i need to open this both TCP and UDP ?
[21:25]<pyznpyzxvnzbfu1>normal smtp only travels over tcp
[21:25]<pyznpyzxvnzbfu1>it's stateful
[21:26]<sgnzcm_bzsvzzm>how would you go about blocking outbound SMTP ?
[21:27]<sgnzcm_bzsvzzm>(to prevent abuse of a receive-only mail server)
[21:31]<rrr2rfm_>Sneaky_Bastard: i don't understand your question
[21:31]<zj20>Sneaky_Bastard: what kind of abuse do you have in mind?
[21:31]<rrr2rfm_>i don't want to block, i want to receive email outside of my local network
[21:34]<rrr2rfm_>FirefighterBlu3: so there is no need to open this port on UDp ?
[21:34]<vzrllysv>jcabald_: no
[21:34]<pyznpyzxvnzbfu1>corrent
[21:35]<pyznpyzxvnzbfu1>correct rather.. ^_-
[21:35]<zj20>jcabald_: http://danieldegraaf.afraid.org/info/iptables/ , see "Example rulesets".
[21:51]<rrr2rfm_>rob0: ok i had the ggod line, but the problem is not in this, i think i have to purchase one of dynDNS service to relay my email to my linux host server
[21:51]<rrr2rfm_>ggod = good ^
[21:54]<zj20>So you're not talking about iptables, you are talking about configuring your MTA.
[21:55]<rrr2rfm_>what is MTA on earth right now ??
[21:58]<pyznpyzxvnzbfu1>MTA, mail transfer agent
[21:58]<pyznpyzxvnzbfu1>sendmail, qmail, postfix, etc
[22:00]<rrr2rfm_>ok but that means my sendmail configuration file isn't correct ?? maybe i have to tell this file that there is a host outside...
[22:02]<rrr2rfm_>it is not the subject of this channel, so i leave from here, But THANKS a lot for your help
[22:02]<rrr2rfm_>FirefighterBlu3: rob0: THANKS
[22:13]<vrf>i got a linksys router on 192.168.1.1 and i want my RAQ box to take the traffic from that one and make a local network on 10.0.0.0/24 - Are there any examples out there on how to do this?
[22:13]<vrf>I will then disable DHCP on my linksys and create a DHCP server on my RAQ box.
[22:18]<pyznpyzxvnzbfu1>in simple form you need to do the following: a) NAT your 10.0.0.0/24 network, using SNAT or MASQUERADE. b) you need to enable forwarding between interfaces (check /etc/sysctl.conf)
[22:24]<vrf>Now i just need that in iptables commands hehe
[22:27]<pyznpyzxvnzbfu1>google :)
[22:27]<pyznpyzxvnzbfu1>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[22:28]<pyznpyzxvnzbfu1>edit /etc/sysctl.conf, change forwarding to 1, sysctl -p
[22:28]<pyznpyzxvnzbfu1>enable stateful forwarding; iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[22:29]<pyznpyzxvnzbfu1>assuming eth0 is your 192.168.1.x interface and eth(n) is your 10.0.0.0/24 interface
[22:29]<vrf>Okay linksys router is 192.168.1.1 now disabled with DHCP.. Now eth0 should be 192.168.1.2 and eth1 10.0.0.1 - Now how do i forward the traffic from the linksys over to the 10.0.0.1 network?
[22:29]<pyznpyzxvnzbfu1>you can get quite a bit more detailed obviously
[22:30]<pyznpyzxvnzbfu1>your linksys knows how to send traffic to 192.168.1.2 on its own, it doesn't know, nor does it need to know about 10.0.0.0/24 if you're masquerading it
[22:30]<pyznpyzxvnzbfu1>(or SNAT)
[22:32]<vrf>okay.
[22:34]<vrf>so:
[22:34]<vrf>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[22:34]<vrf>iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[22:34]<vrf>don't we need anything about eth1 ?
[22:35]<zj20>What do you mean, "We"?
[22:40]<vrf>don't i
[22:40]<zj20>:) I guess I don't get the whole logic of what you're doing.
[22:46]<zj20>The NAT isn't necessary if you set up a static route on the Linksys, which is probably not difficult.
[22:47]<vrf>i wanna use my Debian box as router.
[22:47]<zj20>My rule of thumb is: if you're wanting to NAT one RFC 1918 netblock to another, you're probably doing something wrong.
[22:48]<zj20>What's the function of the Linksys router then? Is it just a switch?
[22:49]<vrf>it's doing the PPPoE work to my ISP.
[22:50]<zj20>ugh
[22:51]<zj20>So give it a static route to 10.0.0.0/24
[22:51]<vrf>yes, that's what i want. And then im going to setup a DHCP server.
[22:52]<zj20>None of the 10.0.0.0/24 hosts are plugged into the Linksys LAN ports, are they?
[22:53]<vrf>no
[22:53]<vrf>and the Linksys's DHCP server has been disabled.
[22:55]<zj20>Static route and you're good to go, won't need much of a firewall, being already behind the Linksys.
[22:56]<vrf><vaq> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[22:56]<vrf><vaq> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[22:56]<vrf>so is fine?
[22:56]<zj20>Or, if you want one anyway, just a simple one, some examples are here: http://danieldegraaf.afraid.org/info/iptables/
[22:57]<zj20>You're not understanding me I guess.
[22:58]<vrf>hmm no
[22:58]<zj20>19:45 < rob0> The NAT isn't necessary if you set up a static route on the Linksys, which is probably not difficult.
[22:58]<vrf>http://danieldegraaf.afraid.org/info/iptables/nat