Log from #iptables at freenode 2006-06-08
[13:06]<vzynm>well it seems that you know some about iptables
[13:06]<qzgvjuzysa>does it support redundant internet ?
[13:06]<vzynm>maybe you can tell me why my PREROUTING is not working lol
[13:06]<xzzm__wzzn>Qantourisc: no not currently , but in my new release it will , expected by the 4th Quarter
[13:06]<qzgvjuzysa>:)
[13:07]<fyguedrgau>Qantourisc, can u explain the problem ur facing .. Pls
[13:07]<qzgvjuzysa>linuzmanju: ? i don't understand. ..
[13:07]<xzzm__wzzn>tried: you explain too plz ... a) what you need to do, b) what it isn't doing / errors ?
[13:07]<xzzm__wzzn>brb
[13:08]<qzgvjuzysa>a) set up a router b) find time
[13:08]<fyguedrgau>Qantourisc, what is the problem ur facing wit the prerouting ?
[13:08]<qzgvjuzysa>i haven't started yet ... how can i have a problem ?
[13:09]<fyguedrgau>Oh.. I heard u saying some PREROUTING issue
[13:10]<vzynm>basically
[13:10]<vzynm>the PREROUTING isn't routing the packets
[13:10]<vzynm>from the external interface $EXT_IF
[13:10]<vzynm>to that class B ip address
[13:10]<qzgvjuzysa>ow, yes but that's solved by finding a better image of what tables iptables run through
[13:11]<vzynm>http://www.rafb.net/paste/results/mT6epe95.html
[13:11]<vzynm>look on the way bottom
[13:11]<vzynm>basically that small PREROUTING rule
[13:11]<vzynm>is not routing from the router to the destination (class B address)
[13:13]<fyguedrgau>u mean the DNAT rule?
[13:13]<fyguedrgau>$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to-destination 172.16.0.102
[13:13]<fyguedrgau>?
[13:14]<vzynm>yea
[13:14]<vzynm>that
[13:14]<vzynm>er i tried eth0 and eth1
[13:14]<vzynm>and it has no affiliation with the port knocking rules
[13:14]<vzynm>because i tried different ports as well
[13:14]<vzynm>and the port knocking isn't enabled either, it's commented when it jumps at the bottom
[13:15]<fyguedrgau>Well.. Let's consider the above rule.... The packets coming with the destination address of.. eth1 will be forwarded to 172.16.0.102
[13:15]<fyguedrgau>now.. there r few criteria for it to work
[13:15]<vzynm>ok wait let me re write the rule
[13:15]<fyguedrgau>sure
[13:17]<vzynm>http://www.rafb.net/paste/results/5eCI1688.html
[13:17]<vzynm>look at it now
[13:17]<vzynm>$EXT_IF = eth0 = WAN
[13:17]<vzynm>and 172.16.0.0/24 is actually $DMZ_NET
[13:17]<vzynm>so that's eth2
[13:18]<vzynm>and there is another interface eth1 which $INT_NET is 10.0.0.0/24 (but i don't see the relevance in me telling you this, but just in case ;-)
[13:18]<vzynm>and when someone connects, it will log
[13:18]<xzzm__wzzn>tried: so have you got a matching Forward Rule ?
[13:18]<vzynm>er
[13:18]<vzynm>look at line 277
[13:18]<xzzm__wzzn>e.g. , -i WAN -o INTF_ON_Subnet for 172.16.0.102
[13:19]<vzynm>oh
[13:19]<vzynm>so like -A FORWARD -i WAN .... blah
[13:19]<vzynm>?
[13:19]<xzzm__wzzn>Ja ,,,
[13:19]<vzynm>Ah
[13:19]<vzynm>i will try that now heh
[13:19]<xzzm__wzzn>=)
[13:20]<vzynm>should that forwarding rule
[13:20]<vzynm>go before or after prerouting?
[13:20]<xzzm__wzzn>its -t filter FORWARD rule
[13:20]<vzynm>oh
[13:20]<xzzm__wzzn>so where ever you load your Forward rules really
[13:21]<xzzm__wzzn>or -t filter {User_Defined_Table}
[13:21]<vzynm>do i have to specify -t filter?
[13:21]<vzynm>isn't that default?
[13:21]<xzzm__wzzn>nope .... -t filter is the default
[13:21]<vzynm>alright
[13:21]<xzzm__wzzn>but i was pointing out it has nothing to do with -t nat -t mangle
[13:22]<vzynm>yea yea
[13:22]<vzynm>hehe
[13:22]<xzzm__wzzn>which contain prerouting
[13:22]<vzynm>i understand
[13:22]<vzynm>i am trying this right now, hopefully it works
[13:22]<fyguedrgau>tried, now ssh from DMZ network to outside is not working?
[13:22]<xzzm__wzzn>ok ... you going from inside
[13:23]<vzynm>no if you look at the rules
[13:23]<xzzm__wzzn>sorry thought you were going 443 --> in from wan
[13:23]<vzynm>i'm just trying to get 443 to work
[13:23]<vzynm>the new rules*
[13:23]<vzynm>i'm doing just regular port forwarding
[13:23]<vzynm>anything that requests 443 on the wan interface
[13:23]<xzzm__wzzn>ok but you said you tried from the DMZ
[13:23]<vzynm>to go to the DMZ ip
[13:24]<xzzm__wzzn>ahah from external source ?
[13:24]<vzynm>oh maybe i understood something wrong
[13:24]<vzynm>yea
[13:24]<xzzm__wzzn>ok good ... just making sure
[13:24]<xzzm__wzzn>reprint rules
[13:24]<vzynm>so write that forward rule right?
[13:24]<fyguedrgau>tried, then it's not the way i guess... If i were u.. I would have done something like this
[13:24]<vzynm>o
[13:25]<vzynm>i'm just trying to get whatever hits the external interface on 443
[13:25]<vzynm>to hit the DMZ ip
[13:26]<xzzm__wzzn>tried: reprint rules in pastebin after you have made your changes
[13:27]<xzzm__wzzn>also pastebin iptables -nvL
[13:27]<fyguedrgau>iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d <extn if IP> -p tcp --dport <PORTLIST> -j DNAT --to 172.16.0.26
[13:27]<fyguedrgau>tried, in ur case
[13:27]<fyguedrgau>tried, try
[13:28]<vzynm>ok can you guys see
[13:28]<fyguedrgau>iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d <extn IP> -p tcp --dport 443 -j DNAT --to <internal ip>:443
[13:28]<vzynm>https://69.108.99.8
[13:28]<vzynm>no not working
[13:29]<fyguedrgau>nope...
[13:29]<vzynm>here let me paste the update