Log from #iptables at freenode 2006-06-17
[08:18]<vyrn-vnzsr>/etc/init.d/vsftpd start
[08:18]<jsdvd>Shutting down vsftpd: [FAILED]
[08:18]<jsdvd>Starting vsftpd for vsftpd: [ OK ]
[08:19]<jsdvd>i tried this:
[08:19]<jsdvd>[root@SILICON_SPACE ~]# service iptables status
[08:19]<jsdvd>Firewall is stopped.
[08:19]<jsdvd>does that mean there is no firewall setup?
[08:20]<vyrn-vnzsr>more or less
[08:20]<jsdvd>so what the heck is wrong with ftp if it's not the firewall
[08:21]<zj2wow0>Are you running vsftpd out of inetd or in standalone mode?
[08:22]<jsdvd>no idea
[08:22]<jsdvd>winscp works
[08:24]<jsdvd>but i need to allow people to login to their domains and modify stuff
[08:28]<jsdvd>i may have comment errors
[08:29]<jsdvd>do i want to enable standalone mode?
[08:36]<vyrn-vnzsr>osity: try it....you may have better luck with this in #vsftpd channel
[08:36]<jsdvd>no one's talking in that channel...
[08:36]<jsdvd>almost time for bed anyway
[08:37]<jsdvd>thanks for the tips!
[08:37]<vyrn-vnzsr>np
[16:19]<srgvjsxw> any of u guys here comfortable with -m layer7
[16:19]<srgvjsxw>i tried making a custom protocol using something like this
[16:20]<srgvjsxw>^(c= IN IP4) (192\.168\..*\..*$)|(10\..*\..*\..*$)|(172\.(16-31)\..*\..*$) i was trying to look into the message body of a SIP packet
[16:20]<srgvjsxw> so when i do this iptables -A INPUT -m layer7 --l7proto sdp -j DROP.. it should drop the packet which has the above mentioned regex in the application layer right..
[16:20]<srgvjsxw>but it doesn't do it.. what am i doing wrong..
[16:23]<srgvjsxw>guys...
[16:28]<srgvjsxw>l7 filter guys... helpppppp
[18:13]<vrv_>does anyone know what the 1, 2 means in the following rule set ?
[18:13]<vrv_>iptables -t filter -I FORWARD 1 -p tcp --dport 53 -j ACCEPT
[18:13]<vrv_> iptables -t filter -I FORWARD 2 -p udp --dport 53 -j ACCEPT
[18:14]<vrv_>it doesn't really make sense to me ...
[18:33]<vyrn-vnzsr>tat_: -I FORWARD 2 will insert said rule as the second rule in the FORWARD chain of the filter table
[19:01]<frrrrfrm_prrruyr>Good Morning Everyone
[19:03]<frrrrfrm_prrruyr>I've got a linux box set up that I wish to have as a router. I put two nics in it. One pulls dhcp from my ISP and the other I set a static IP (eth1 to be used as the lan). I configure the client computer with a static ip on the same subnet and can access the server but not the internet. Is there an iptables rule that I would have to set up to route traffic from eth1 to the internet via eth0?
[19:05]<tdbnzr>forward
[19:05]<tdbnzr>maxine: forward
[19:05]<drwygn>forward is the chain in the filter table which handles packets with both origin and destination not bound on the iptables machine.
[19:05]<tdbnzr>maxine: forward?
[19:05]<drwygn>forward is the chain in the filter table which handles packets with both origin and destination not bound on the iptables machine.
[19:10]<vyrn-vnzsr>maxine: forward port
[19:10]<drwygn>forward port is iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to-destination $destip; see http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
[19:10]<vyrn-vnzsr>Frazzled_Penguin: ^^^^^^
[19:11]<frrrrfrm_prrruyr>Oh... sorry, I didn't realize that was meant for me :)
[19:12]<vyrn-vnzsr>Frazzled_Penguin: ya the tutorial has good pointers on nat
[19:14]<frrrrfrm_prrruyr>Yeah I'm checking it out right now. But I guess what is confusing me is that it looks like it requires that I forward to either an IP or port number. Since eth0 is set for dhcp I don't know what the ip will be, or it might change. Or am I just completely confused?
[19:14]<tdbnzr>maxine: forwarding
[19:14]<drwygn>TmBerg: excuse me?
[19:14]<tdbnzr>bh
[19:16]<mrrynfmr>maxine: forwarding is see <forward port> or <DNAT>
[19:16]<drwygn>OK, danieldg.
[19:16]<vyrn-vnzsr>Frazzled_Penguin: oh, here is the monolithic html page I thought the last url was, sorry, http://iptables-tutorial.frozentux.net/iptables-tutorial.html
[19:17]<frrrrfrm_prrruyr>Cool thanks :)
[19:19]<vyrn-vnzsr>Frazzled_Penguin: you'll want to use masquerade as opposed to SNAT because of your dynamic ip
[19:19]<frrrrfrm_prrruyr>okay
[19:20]<vyrn-vnzsr>Frazzled_Penguin: they are basically the same, the Masquerade in Netfilter will automatically set the new source IP to the default IP address of the outgoing network interface
[19:21]<frrrrfrm_prrruyr>Sweet, I'm looking into it right now
[19:21]<vyrn-vnzsr>Frazzled_Penguin: you would use SNAT with a static IP instead as it has less overhead.
[19:21]<vyrn-vnzsr>good luck
[19:21]<frrrrfrm_prrruyr>Ah...
[19:22]<frrrrfrm_prrruyr>Thanks :D
[19:28]<vyrn-vnzsr>Frazzled_Penguin: what distro are you using?
[19:32]<frrrrfrm_prrruyr>Debian Linux
[19:32]<frrrrfrm_prrruyr>3.1
[19:34]<frrrrfrm_prrruyr>Okay, I see that I can use "iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000" but how does that know what ethernet adapter to route the data to? When I look at the documentation for the SNAT i see that they have a "-o eth0" switch in there. Would that work in the masquerade line?
[19:45]<mrrynfmr>Frazzled_Penguin: it looks at your route table
[19:45]<frrrrfrm_prrruyr>ah, so it will figure that out on its own then?
[19:46]<mrrynfmr>the -o eth0 limits the MASQUERADE to the packets going out eth0
[19:46]<mrrynfmr>yes
[19:46]<frrrrfrm_prrruyr>cool, brb, going to give this a shot.
[19:51]<frrrrfrm_prrruyr>I'm back
[19:52]<frrrrfrm_prrruyr>It didn't seem to work. :( I can communicate to the server via the 192.168.6.1 address that I assigned it on the LAN (eth1), I can even talk to the dynamic ip address of the server on eth0, but I can get to anything outside the server.. :(
[19:53]<mrrynfmr>maxine: ip_forward
[19:53]<drwygn>ip_forward is sysctl -w net.ipv4.ip_forward=1 This needs to be done every reboot, so put it in /etc/sysctl.conf (as "net/ipv4/ip_forward")
[19:54]<frrrrfrm_prrruyr>Cool, i'll try that now..
[20:05]<frrrrfrm_prrruyr>I put that line into sysctl.conf and rebooted and it loads fine, but I still get no mojo. Perhaps I have to setup a route?
[20:10]<vyrn-vnzsr>Frazzled_Penguin: so cat /proc/sys/net/ipv4/ip_forward is 1?
[20:11]<frrrrfrm_prrruyr>Yup
[20:11]<frrrrfrm_prrruyr>iServ:/home/iserv# cat /proc/sys/net/ipv4/ip_forward
[20:11]<frrrrfrm_prrruyr>1
[20:11]<frrrrfrm_prrruyr>iServ:/home/iserv#
[20:13]<vyrn-vnzsr>Frazzled_Penguin: iptables -t nat -nvL PREROUTING ? pastebin the output
[20:14]<frrrrfrm_prrruyr>pastebin the output?
[20:14]<frrrrfrm_prrruyr>iServ:/home/iserv# iptables -t nat -nvL PREROUTING
[20:14]<frrrrfrm_prrruyr>Chain PREROUTING (policy ACCEPT 288 packets, 90276 bytes)
[20:14]<frrrrfrm_prrruyr> pkts bytes target prot opt in out source destination
[20:18]<vyrn-vnzsr>Frazzled_Penguin: ya use a pastebin site instead of flooding the channel.
[20:21]<vyrn-vnzsr>Frazzled_Penguin: iptables -t nat -A POSTROUTING -o {WAN interface} -j MASQUERADE
[20:23]<frrrrfrm_prrruyr>Okay, Cool. I've pasted the code. :)
[20:24]<vyrn-vnzsr>code?
[20:24]<frrrrfrm_prrruyr>It just returned zero output..
[20:25]<frrrrfrm_prrruyr>Just went back to the command prompt..
[20:25]<vyrn-vnzsr>Frazzled_Penguin: iptables -t nat -nvL PREROUTING ? again
[20:26]<vyrn-vnzsr>Frazzled_Penguin: POSTROUTING rather
[20:27]<frrrrfrm_prrruyr>posted.
[20:27]<vyrn-vnzsr>url?
[20:28]<frrrrfrm_prrruyr>http://pastebin.com/715076