Log from #iptables at freenode 2006-06-09
[15:42]<adjzlxjus>Riis: another quote from the man page "DNAT: This target is only valid in the nat table, in the PREROUTING and OUTPUT chains[...]"
[15:42]<ryys>Amorphous: I was about to quote that
[15:42]<ryys>DNAT and REDIRECT both only work in PRE and OUT
[15:43]<ryys>so I guess I need to pick them up in PRE somehow?
[15:43]<adjzlxjus>yes
[15:43]<adjzlxjus>Riis: i also think that you do want to catch them before they are nated
[15:43]<ryys>Chain FORWARD (policy DROP)
[15:43]<ryys>target prot opt source destination
[15:43]<ryys>DROP all -- anywhere 192.168.0.0/16
[15:43]<ryys>ACCEPT all -- 192.168.0.0/16 anywhere
[15:43]<ryys>ACCEPT all -- anywhere 192.168.0.0/16
[15:43]<ryys>that's kind of a weird setup isn't it?
[15:43]<adjzlxjus>i mean the NATing the outgoing connections will have
[15:44]<ryys>I mean the DROP statement is meaningless?
[15:44]<adjzlxjus>no the accept statement is meaningless
[15:44]<adjzlxjus>this ACCEPT all -- anywhere 192.168.0.0/16
[15:44]<adjzlxjus>will never be reached as the packets are already dropped
[15:45]<ryys>for simple NAT'ing i just need the second right
[15:45]<adjzlxjus>by the first rule
[15:45]<ryys>so I just lose the last one right
[15:46]<ryys>hmm, nope, that killed NAT
[15:49]<ryys>maybe I need to do something in mangle/FORWARD ?
[15:50]<adjzlxjus>Riis: you need to remove the drop rule as the packets from the internet are already de-MASQed
[15:50]<adjzlxjus>it should not have worked
[15:52]<adjzlxjus>Riis: and use the DNAT rule with the routes private ip in nat-PREROUTING
[15:52]<adjzlxjus>s/routes/routers/
[15:53]<adjzlxjus>Riis: this helps me to know how the packets flow: http://www.docum.org/docum.org/kptd/
[15:54]<ryys>Amorphous: routers private ip, meaning the address it sends NAT'ed packets on?
[15:55]<ryys>Amorphous: or the one it receives the packets on?
[15:56]<ryys>Amorphous: got it
[15:57]<adjzlxjus>ok
[15:57]<ryys>and it works :) yay
[16:03]<ryys>Amorphous: thanks a bunch
[16:03]<adjzlxjus>np
[17:01]<snnfn_>danieldg, are you there??
[17:20]<snnfn_>please help... these are my firewall rules http://pastebin.com/770002, and these are my interfaces http://pastebin.com/770006, I need to make ping from outside of my network to a public IP inside my network like (208.35.102.13) but I can't make it .... any suggestions?
[17:23]<snnfn_>If I make a traceroute to this address the connection dies at my input interface .... the strange thing is that I can make ping to my public address on my other interface 208.35.102.1
[17:23]<snnfn_>please help
[17:34]<lfulcn>hello, I have a rule that does NAT on incoming ssh traffic to a local machine, on a custom port
[17:35]<drvvx_>(totally OT) does anyone know of some solution to get from a linux router the process that has attempted a connection on a windows one ?
[17:35]<lfulcn>this works ok, but now I would like to change the ssh port to a non-standard port (say 65001), and this does not work, any clues why ?
[17:39]<lfulcn>more precisely : 'iptables -i eth1 -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination $LOCAL_IP:54159' works fine, and when changing --dport to 65001 it fails
[17:40]<drvvx_>what does "it fails" mean ?
[17:41]<drvvx_>did you bind sshd on local_ip to correct port then ?
[17:41]<lfulcn>for example when telnetting from outside on 65001, traffic seems blocked, nothing happens
[17:41]<lfulcn>yes it is bound on the correct port, I can ssh with --dport 22
[17:42]<lfulcn>(or from the router to $LOCAL_IP:54159 also)
[17:43]<drvvx_>but you changed that to 65001
[17:43]<drvvx_>so you have to check that your sshd on local_ip is listening on 65001
[17:44]<drvvx_>or I misunderstood what you wanna do
[17:45]<lfulcn>I thought --dport 22 + $LOCAL_IP:54159 meant that the port in TCP headers was rewritten from 22 to 54159
[17:46]<lfulcn>isn't it the case ?
[17:46]<drvvx_>did you check the man about what you are writing ?
[17:46]<lfulcn>sure
[17:47]<lfulcn>also checked the site in /topic but I can't find an example looking like what I want to do :)
[17:47]<drvvx_>you want to access an sshd on your lan from the net at a non standard port on your router don't you ?
[17:48]<lfulcn>yes, and the sshd on the lan also runs on a non standard port
[17:48]<lfulcn>(because I have two sshd, one for the lan and another for the outside)
[17:52]<lfulcn>--dport 54159 + --to-destination $LOCAL_IP:54159 does not work either
[17:53]<lfulcn>what confuses me is that it works ok with --dport 22 :)
[17:58]<lfulcn>maybe that's an ssh issue.
[18:02]<drvvx_>yep as I said you gotta check your sshd is properly listening on the right port
[18:02]<drvvx_>you can use netcat for testing purpose
[18:02]<drvvx_>like, on the local_ip you do "nc -l -p 54159"
[18:02]<drvvx_>on the router you put the DNAT rule you wrote
[18:03]<drvvx_>and telnet from inet to router:54159
[18:03]<drvvx_>you may talk with netcat
[18:03]<lfulcn>thanks for the tip I didn't know that
[18:06]<jjxggdq1|wjzc>setting up iptables, any help would be appreciated, http://pastebin.com/770104
[18:07]<uzj2jzjs_>Johhny23|work: ${WAN} is empty
[18:08]<uzj2jzjs_>(perhaps)
[18:09]<uzj2jzjs_>try echo ${WAN}
[18:10]<jjxggdq1|wjzc>lol, I was being stupid, had set export WAN=eth1 but then I rebooted before the last command I tried
[18:10]<jjxggdq1|wjzc>:P
[18:13]<lfulcn>ok I can talk with netcat listening on port 123 with --dport 22 and --to-destination $LOCAL_IP:123 from the outside (telnet $ROUTER_IP 22)
[18:13]<lfulcn>but not with --dport 23 or anything else, so the problem lies in my routing setup
[18:24]<zyacbl>Hello. I am trying to redirect all traffic with dest IP XX & dest port YY to destination port ZZ port YY. XX is an IP on my server. ZZ is an IP on another server of mine. is this possible with iptables?
[18:25]<zyacbl>i meant IP ZZ, not port ZZ
[18:27]<lfulcn>rickBL: iptables -i eth1 -t nat -A PREROUTING -p tcp --dport YY -j DNAT --to-destination ZZ
[18:27]<zyacbl>this is what I came up with:
[18:27]<zyacbl>iptables -t nat -A PREROUTING -d X -p tcp --dport Y -j DNAT --to-destination Z
[18:27]<zyacbl>iptables -t nat -A POSTROUTING -d Z -p tcp --dport Y -j SNAT --to-source X
[18:28]<lfulcn>rickBL: replace -i eth1 with your external interface
[18:28]<zyacbl>ya
[18:28]<zyacbl>do i really need only one?
[18:28]<zyacbl>will the requesting client be OK with receiving the tcp packet from a server it didn't originally send it to?
[18:28]<zyacbl>i meant, do i really need only one rule?
[18:29]<lfulcn>yes, but I don't think you need the POSTROUTING stuff
[18:30]<zyacbl>where is XX in your command?
[18:31]<lfulcn>it is implicit if you specify the external interface with -i
[18:32]<zyacbl>hey dude, resend any messages
[18:32]<lfulcn>XX is implicit if you specify the external interface with -i
[18:32]<lfulcn>i guess you also have to enable forwarding in the kernel
[18:32]<zyacbl>but i have IPs on here i dont want to redirect
[18:34]<zyacbl>?
[18:34]<lfulcn>you can use -d so
[18:34]<zyacbl>ok let me give it a shot
[18:34]<zyacbl>the only thing i dont understand, like i said before