Log from #iptables at freenode 2006-06-08
[00:10]<ryys>iptables -t nat -A OUTPUT -d ordbogen.com -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080 <- this rule only seems to affect the machine it's entered on, and not the clients using it for NAT, ideas?
[00:11]<pyznpyzxvnzbfu1>are you trying to redirect to squid?
[00:12]<pyznpyzxvnzbfu1>try PREROUTING and REDIRECT instead of OUTPUT and DNAT
[00:15]<ryys>FirefighterBlu3: not to squid, to an ssh-tunnel bound on 8080
[00:16]<ryys>what's the difference between DNAT and REDIRECT?
[00:17]<rnryv>Riis: DNAT for distant machines, REDIRECT for localhost
[00:18]<pyznpyzxvnzbfu1>REDIRECT is a short form of -j DNAT --to 127.0.0.1
[00:22]<ryys>FirefighterBlu3: well i want outgoing traffic to tho host:80 to get put into localhost:8080
[00:22]<ryys>*the
[00:23]<pyznpyzxvnzbfu1>yes, try using PREROUTING instead of OUTPUT
[00:25]<ryys>iptables -t nat -A PREROUTING -d ordbogen.com -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080 this is where we got from man'ing a bit
[00:25]<ryys>but still only works on the "router"
[00:27]<ryys>FirefighterBlu3: we tried iptables -t nat -A PREROUTING -d ordbogen.com -p tcp --dport 80 -j REDIRECT --to-ports 8080 as well
[00:28]<rnryv>Riis: use apache as reverse proxy ;-))
[00:29]<ryys>Regit: that's a mess :)
[00:30]<ryys>obviously, as opposed to my leet iptables skills :)
[00:30]<ryys>I refer to them as "controlled stabs in the dark followed by frantic stabbing in the dark"
[00:31]<rnryv>:)
[00:31]<rnryv>how ordbogen.com is resolved on the computer ?
[00:31]<ryys>Regit: what do you mean? by DNS
[00:31]<ryys>or to what it is resolved?
[00:32]<rnryv>now iptables will apply -d IP not name
[00:32]<rnryv>you could have a local resolution problem like ordbogen.com is localhost
[00:32]<ryys>yes I know, it's reverse DNS'ed to sasha.coolsms.dk
[00:33]<rnryv>ordbogen.com : is local ?
[00:33]<rnryv>or web server behind the box
[00:33]<ryys>Regit: no, it's an external address
[00:33]<ryys>also the "scam" works on the router-box
[00:34]<ryys>just not on the clients that use the router box as gateway/NAT host
[00:34]<rnryv>Riis: have you authorized IP->localhost:8080
[00:34]<rnryv>I mean is filtering ok ?
[00:34]<ryys>filtering?
[00:35]<ryys>Regit: localhost:8080 is an ssh-tunnel
[00:36]<rnryv>NATed box---Router--localhost:8080
[00:36]<rnryv>try iptables -I INPUT -p tcp --dport 8080 -j ACCEPT or something like that
[00:38]<ryys>ok my net-setup is a mess: Clients (192.168...) ----- (192.168.0.1) NAT'ing linux box (10.0.0.2) ----- (10.0.0.1) DSL-modem/Router (212.242.210.229)
[00:38]<ryys>Regit: I have no firewall-rules on the nat box
[00:38]<ryys>it just NATs
[00:38]<rnryv>ok
[00:39]<ryys>we should have blackboards on IRC, much faster than ASCII oneline-drawing :)
[00:40]<rnryv>:-)
[00:41]<rnryv>Riis: sorry, my brain has stopped a few hours ago
[00:41]<snnfn_>plz I need help ... I installed a sniffer in my machine ... but now I can't make ping to public IP inside my network from outside, why???
[00:41]<rnryv>try a tcpdump on loopback to see if something reach the ssh tunnel
[00:42]<snnfn_>http://pastebin.com/766192 this is my firewall
[00:46]<ryys>Regit: maybe I need to put it in the mangle chain and not nat?
[00:52]<snnfn_>when I try to put my rule ... iptables change my address
[01:10]<ryys>we need some alert experts in here :) we're lost
[01:14]<sgnzcm_bzsvzzm>rob0: I was AFK for your earlier reply
[01:14]<sgnzcm_bzsvzzm>we want to block all outbound SMTP
[01:15]<sgnzcm_bzsvzzm>we think the mail server might be exploited in some fashion
[01:15]<sgnzcm_bzsvzzm>or possibly one of the CGI's
[01:15]<sgnzcm_bzsvzzm>as there has been absurd process loads that stop when we turn off SendMAIL
[03:33]<axzjg>when i use a PREROUTING rule
[03:33]<axzjg>it says
[03:34]<axzjg>iptables: No chain/target/match by that name
[03:34]<axzjg>must something be enabled in kernel?
[03:57]<d9e>chron: exact line?
[03:58]<axzjg>i found the problem
[03:58]<axzjg>heh thanks anyways
[03:58]<axzjg>i forgot -t nat ;0
[04:02]<axzjg>is all i'm gonna need to port forward
[04:02]<axzjg>iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination <destination> -p tcp --dport 22
[04:02]<axzjg>?
[04:02]<axzjg>is that usually the minimum?
[04:04]<axzjg>do i also need to allow outgoing?
[04:43]<zj20>Sneaky_Bastard: You should consider that machine compromised unless/until proven clean. No attempts to block it from sending spam can be trusted.
[04:48]<sgnzcm_bzsvzzm>maybe so
[04:49]<sgnzcm_bzsvzzm>we don't know that it *is* sending spam, believe it or not
[04:49]<sgnzcm_bzsvzzm>some inept client of ours is running it
[04:55]<zj20>ugly.
[05:32]<axzjg>http://www.rafb.net/paste/results/mT6epe95.html
[05:32]<axzjg>take a look towards way bottom
[05:32]<axzjg>next to the POSTROUTING nat rules
[05:32]<axzjg>i'm trying to forward ports to that class B ip on my network
[05:32]<axzjg>i don't know why it's not working
[09:38]<qzgvjuzysa>http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg <= i have a few questions about this image...
[09:38]<qzgvjuzysa>1) Is it correct ?
[09:39]<qzgvjuzysa>2) There are no arrows in this image, is it possible for a package coming from an application to go to the forwarding chain ?
[10:14]<ryys>good morning
[10:16]<qzgvjuzysa>Riis: morning
[10:21]<qzgvjuzysa>from experience i know that a lack of answer either means there is no one here that knows it, or the question is unclear ....
[10:25]<ryys>Qantourisc: I can't tell you really, I have a better picture for you though
[10:25]<qzgvjuzysa>Riis: that would be splendid ...