Network: freenode, Channel: #iptables
Log from #iptables at freenode 2006-06-15
[00:09]<-- svgvsdyzgjvr xrs>/dev/null")
[03:53]<dffnw>-is there a stateful failover solution for iptables?
[03:54]<2rfju>+good question..
[03:55]<2rfju>+I don't know
[03:55]<2rfju>+but maybe another one does
[03:57]<dffnw>-yeah, I haven't been able to figure it out by searching, there's lots of talk but no real solution
[03:58]<2rfju>+definition-wise, what do you mean exactly? one firewall, two possible routes, or two redundant firewalls?
[04:00]<2rfju>+the mailing list might be able to help
[04:00]<dffnw>-well, I am going to use vrrp to set up virtual gateways and point static routes at them, but I wanted to keep track of established connections when it failed over to the other box
[04:00]<dffnw>-I'll probably give that a shot
[04:01]<2rfju>+most people seem to be asleep right now
[04:01]<2rfju>+it's 3 o'clock in the morning in central europe *g*
[04:02]<dffnw>-didn't think about that, I'll try again tomorrow and maybe post to the list
[04:08]<2rfju>+gn8
[12:31]<-- dvxn|syzzzyus xzs>http://www.bagdadsoftware.de")
[13:13]<-- svgvsdyzgjvr_ xrs>/dev/null")
[15:37]<2rfju>hi
[16:31]<-- sgvgzs xzs fuyv (>/dev/brain")
[17:30]<snnfn_>I have a linux router with 2 interfaces: the internet interface and the private interface. On the private interface I control the public address clients; they have a router. When I try to ping this router from outside, I can't, but when I try to ping a host without a router the ping works ???? any suggestions?
[18:42]<rrvrrry>I have a small home network behind a router that cannot do traffic shaping. My linux box has an ftp server. The ftp server is killing network performance. Is there a quick and dirty way to get a linux box to have a bandwidth ceiling (either total, or for a protocol, or for a port), or do i have to teach myself the intricacies of htb?
[18:56]<wjjmmwjjmlnacnz>seele_: The router either drops icmp-echo-request and/or icmp-echo-reply or does not forward them at all.
[18:56]<wjjmmwjjmlnacnz>gavagai: q&d is what the name says.
[18:57]<snnfn_>WoodyWoodpecker, look 208.35.102.13
[18:57]<snnfn_>WoodyWoodpecker, but from the server the ping works, and if I change the client router and put a PC the ping works
[18:59]<wjjmmwjjmlnacnz>gavagai: There are applications that can do traffic shaping within userspace.
[18:59]<dnvrss>i'm using iptables 1.3.3 and the rule: iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -o ppp0 -j MASQUERADE. ip_forward is 1, but still i can't share internet connection, is my rule correct?
[19:00]<wjjmmwjjmlnacnz>seele_: ping doesn't work
[19:00]<drwygn>I can't find doesn't in the DNS.
[19:00]<snnfn_>WoodyWoodpecker, yes
[19:00]<snnfn_>WoodyWoodpecker, but look 208.35.102.5
[19:00]<wjjmmwjjmlnacnz>seele_: yes what
[19:01]<snnfn_>WoodyWoodpecker, is client without router
[19:01]<wjjmmwjjmlnacnz>Devass: are you dropping packages before you are natting?
[19:01]<snnfn_>WoodyWoodpecker, http://pastebin.com/710815
[19:01]<dnvrss>WoodyWoodpecker no, there is only that rule
[19:01]<snnfn_>WoodyWoodpecker, nop
[19:02]<wjjmmwjjmlnacnz>seele_: *.5 is replying
[19:02]<dnvrss>WoodyWoodpecker all chains ACCEPT
[19:02]<snnfn_>WoodyWoodpecker, look 208.35.102.11 other router brand
[19:02]<wjjmmwjjmlnacnz>Devass: that is crap anyway. Set default policy to DROP
[19:02]<dnvrss>WoodyWoodpecker for what chain?
[19:02]<snnfn_>only the clients without router works, the server can identify the router clients ???
[19:03]<wjjmmwjjmlnacnz>try this first, if it works, build it larger/more complex: $IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
[19:03]<wjjmmwjjmlnacnz>Devass: for all default/fallback
[19:03]<wjjmmwjjmlnacnz>$IPT -P {INPUT,OUTPUT,FORWARD} DROP
[19:04]<wjjmmwjjmlnacnz>But I don't know if iptables is able to do this like bash, so if not just write 3 rules
[19:04]<dnvrss>no problem
[19:04]<wjjmmwjjmlnacnz>the router clients?
[19:04]<wjjmmwjjmlnacnz>The clients behind the router maybe?
[19:04]<dnvrss>WoodyWoodpecker are there major changes from 1.2.11 to 1.3.3?
[19:04]<wjjmmwjjmlnacnz>seele_: Just trace the icmp request till you find out where it hangs, it isn't that hard.
[19:05]<snnfn_>WoodyWoodpecker, the ping drops in the eth0 my input interface
[19:05]<snnfn_>WoodyWoodpecker, http://pastebin.com/710953
[19:05]<wjjmmwjjmlnacnz>If it's a minor release change there have to be somewhat larger changes, yes, but I don't care too much about changes other than bash's
[19:06]<wjjmmwjjmlnacnz>seele_: stop your fw and see if that is the reason it won't forward etc.
[19:06]<dnvrss>WoodyWoodpecker because i was using that rule with debian sarge, then i upgrade it to debian testing and it stops working
[19:06]<wjjmmwjjmlnacnz>Then you know your rules are wrong
[19:07]<wjjmmwjjmlnacnz>Devass: Did you try mine?
[19:07]<dnvrss>WoodyWoodpecker not now, cause the box is not here
[19:09]<wjjmmwjjmlnacnz>Start from scratch and do not build rules too complex in the beginning. If they work, extend them. If you really know what you are doing, write them extended from scratch.
[19:10]<rrvrrry>WoodyWoodpecker, but can those applications limit a server?
[19:10]<wjjmmwjjmlnacnz>And you don't really have to use -d 0/0 as well as -s 192.168.0.0/24 if you only have one network 192.168.0.*/24
[19:10]<wjjmmwjjmlnacnz>private networks are not routable
[19:10]<rrvrrry>and what are those applications
[19:10]<dnvrss>WoodyWoodpecker ok, but is there something with my rule?
[19:10]<dnvrss>WoodyWoodpecker ok, but is there something wrong with my rule?
[19:10]<wjjmmwjjmlnacnz>gavagai: no app can limit a server, it can only limit the amount of traffic to/from a server.
[19:11]<wjjmmwjjmlnacnz>^^ or a specific protocol, user etc.
[19:11]<wjjmmwjjmlnacnz>gavagai: What applications are you talking about?
[19:11]<rrvrrry>well i don't understand the difference, but ok
[19:11]<rrvrrry>proftpd is what i need to leash
[19:11]<wjjmmwjjmlnacnz>Devass: no, your rule should be good, but try without -s and -d
[19:11]<rrvrrry>it spikes every few seconds and takes ALL my bandwidth
[19:12]<rrvrrry>even though i have set its configuration file to control its bandwidth, that does not work very well
[19:12]<wjjmmwjjmlnacnz>gavagai: I know there are userspace applications available that can limit a specific --dport
[19:12]<wjjmmwjjmlnacnz>and either in ingress or egress
[19:13]<wjjmmwjjmlnacnz>gavagai: ftp isn't good anyway
[19:14]<rrvrrry>i'm aware of the arguments against ftp but it is the best option here
[19:14]<rrvrrry>and the only ftp user has shell /bin/false so i'm satisfied with the level of security
[19:17]<wjjmmwjjmlnacnz>gavagai: Maybe shaperd is what you are looking for.
[19:21]<rrvrrry>cool, googling that
[19:31]<dffnw>is there a stateful failover solution for iptables yet?
[21:49]<rrxvy>hi
[21:49]<drwygn>hello, jaXvi.
[21:49]<rrxvy>hello maxine
[21:49]<rrxvy>do you speak Spanish here?
[21:50]<rrxvy>:p
[21:52]<rrxvy>well i'll try in english
[21:52]<rrxvy>i'm doing something known in iptables redirecting all http traffic
[21:53]<rrxvy>something like this: $IPT -t nat -A PREROUTING -i $IF_WIFI -s $WIFINET -p tcp --dport 80 -j DNAT --to 10.1.1.1:8080