Log from #iptables at freenode 2006-06-09
[01:42]<rjvxyrrduax>is there a way to save nat tables before boot?
[01:42]<rjvxyrrduax>err, shutdown
[01:43]<rjvxyrrduax>if the boot is fast enough i'd like semi-idle connections to not notice
[01:43]<lnlvn>iptables-{save|restore} will do that for you
[01:43]<lnlvn>oh, i misunderstood
[01:43]<lnlvn>nevermind
[01:53]<zj20>I've had ssh sessions survive reboots of an intermediate router. It should work that way normally, I suppose depending on your rules.
[01:53]<rjvxyrrduax>hmm
[01:54]<rjvxyrrduax>i'm using MASQUERADE at the moment, not much more
[02:41]<zj20>nothingmuch: try SNAT
[02:52]<rjvxyrrduax>rob0: i can't, my IP can change occasionally
[02:56]<zj20>when it does your semi-idle connections will notice :)
[02:56]<zj20>You can script a rewrite of your SNAT rules, too.
[03:51]<rjvxyrrduax>sorry, back
[03:51]<rjvxyrrduax>rob0: i meant that i'd rather have my semi-idle connections drop every reboot than have to write a script to pick up ip changes
[03:51]<rjvxyrrduax>i reboot maybe several times over 2-3 days once a year or so when I'm upgrading the kernel and tinkering
[03:52]<rjvxyrrduax>but my ip changes roughly once per 3 months ;-)
[03:55]<zj20>wow, that would be bad. Long enough to get used to an IP address, but not static. Mine is nominally dynamic (I get a 1-hour DHCP lease!) but never changes.
[03:56]<rjvxyrrduax>yeah
[03:56]<rjvxyrrduax>they were real assholes too
[03:56]<rjvxyrrduax>i had a $$$ account with a "static ip" before
[03:57]<rjvxyrrduax>they also advertised DHCP access, as opposed to pptp or l2tp
[03:57]<rjvxyrrduax>which is pretty standard here (Israel)
[03:57]<rjvxyrrduax>turns out that you can have dhcp
[03:57]<rjvxyrrduax>and you can have a static IP
[03:57]<rjvxyrrduax>just not at the same time =P
[05:50]<x9v0c>hello
[05:51]<rjvxyrrduax>hello
[05:51]<x9v0c>how goes it
[05:51]<rjvxyrrduax>goes it well being thinks I for self =)
[05:51]<x9v0c>hmm
[05:51]<x9v0c>sounds like double talk to me
[05:51]<x9v0c>lol
[05:52]<rjvxyrrduax>maybe
[05:52]<x9v0c>how do you do that
[05:52]<rjvxyrrduax>learned it from the telly
[05:52]<rjvxyrrduax>soap operas
[05:52]<x9v0c>lol
[05:52]<x9v0c>no, i mean make your name go over there with a thought
[05:53]<rjvxyrrduax>oh
[05:53]<rjvxyrrduax>type /me
[05:53]<x9v0c>oh thats right
[05:53]<rjvxyrrduax>but that's not a thought
[05:53]<x9v0c>i haven't been on here forever
[05:53]<rjvxyrrduax>that's an action
[05:53]<rjvxyrrduax>.oO( this is a thought )
[05:53]<x9v0c>what's the thought one
[05:53]<rjvxyrrduax>it's just a thought bubble =)
[05:54]<rjvxyrrduax>anyway, iptables troubling you?
[05:54]<x9v0c>nope
[05:54]<x9v0c>i'm a student in network administration and security so i've got it covered
[05:54]<x9v0c>just thought i would come in and see what the flavor was
[05:55]<rjvxyrrduax>well, i came in a few hours ago to ask if MASQUERADE tables could be kept between boots
[05:55]<rjvxyrrduax>people suggested SNAT
[05:55]<x9v0c>lol
[05:55]<rjvxyrrduax>and aside from that it's been pretty quiet
[05:55]<x9v0c>shhh
[05:55]<x9v0c>they might hear us
[06:01]<x9v0c>howdy cyzar
[06:04]<x9v0c>welcome
[06:07]<x9v0c>fine then
[06:09]<a-ko>is there a way to have iptables display the interface on rules in -L?
[06:10]<ajgm1zm>A-KO: include -v
[06:10]<a-ko>nice, thanks
[07:16]<dzzasvnz>hi. what ports do i need to forward in my gateway/firewall so lotus domino webmail users can access it from the internet? is it port 80 alone or 80 and 25?
[07:20]<snpcpjsvnz>hello
[07:20]<drwygn>hello, selkfoster.
[07:20]<snpcpjsvnz>this rule iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP, is it okay?
[07:33]<mrrynfmr>selkfoster: it really depends on what you want to do. That'll drop packets with all flags set. btw, these are already marked as INVALID by the conntrack code.
[07:34]<snpcpjsvnz>ahh
[15:29]<ryys>iptables -t nat -A OUTPUT -d ordbogen.com -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080 <- this rule only works for my router alone, and doesn't work for the NAT'ed clients on the LAN. Can I change it to work for both, or do I need a second rule for NAT'ed packets from the LAN?
[15:33]<adjzlxjus>Riis: quote from man iptables "nat: [...] OUTPUT (for altering locally-generated packets before routing)"
[15:34]<ryys>Amorphous: hmm, yeah. I was wondering if ANY of the nat-chains includes both locally generated, and NAT'ed packets
[15:34]<adjzlxjus>i guess POSTROUTING does that
[15:34]<ryys>or just which contains the Masqueraded/NAT'ed ones, so I can setup a similar rule for them
[15:36]<adjzlxjus>but i guess you want to reroute the packet after it got changed... not sure if POSTROUTING does that
[15:37]<ryys>well I guess I should just pick it up after it's been masq'ed
[15:37]<adjzlxjus>i guess PREROUTING contains those that are not locally created
[15:37]<ryys>but have they been NAT'ed yet at that point
[15:37]<ryys>maybe I need a separate rule, not even in the nat table?
[15:38]<ryys>just putting postrouting in there gives a syntax error
[15:38]<ryys>iptables is not very verbose
[15:38]<adjzlxjus>you know where your nat rule is, right? that should answer the question if they are NATed yet...
[15:39]<ryys>actually no...
[15:40]<ryys>there's nat, mangle and what other tables?
[15:40]<adjzlxjus>Riis: they are all listed in man iptables
[15:40]<adjzlxjus>filter is the 3rd