Log from #iptables at freenode 2006-06-18
[15:06]<mnrw>hi, anyone good in tc qdisc bandwidth shaping?
[15:09]<sxzmnwzfcnz>http://lartc.org/
[15:10]<sxzmnwzfcnz>#lartc on irc.oftc.net
[15:10]<drwygn>#lartc on irc.oftc.net is, like, supposed to
[15:10]<mnrw>the channel is empty.
[15:10]<mnrw>I'd created the script, giving me errors
[19:41]<jdy>Here's what I'm looking for. I have a bridged Xen server running VMs. I would like to use squid to cache downloads. If I use iptables -t nat PREROUTING....-j REDIRECT to proxyport, would that work with bridging?
[19:45]<tdbnzr>Read about it a couple of days ago. Let me see if i can find the url...
[19:47]<vyrn-vnzsr>omi: iirc you would -j DNAT --to squid.server.ip:port
[19:49]<vyrn-vnzsr>omi: for example it could be something like iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.1.100 -p tcp --dport 80 -j DNAT --to 192.168.1.100:3128
[19:54]<jdy>vice-versa: thanks, but does bridging happen before packets get routed?
[20:00]<vyrn-vnzsr>omi: you may want to look into ebtables, ebtables enables basic ethernet frame filtering on a Linux bridge
[20:08]<jdy>yes, I was thinking of that as well
[20:10]<jdy>some time ago I heard a rumour that there is a hack for iptables such that you can compile in iptables rules such that they become part of the kernel or a module.. Anyone familiar with this?
[20:19]<vyrn-vnzsr>omi: I haven't, sounds interesting though...guess this would be to prevent iptables kernel space rules from being modified or tampered with?
[20:45]<jdy>yeah, that is the idea
[20:46]<jdy>similar to how people do not like modules in certain cases, even if the system is compromised, user won't be able to load some rootkit module
[22:04]<zj20>omi, that's about worthless as a defense tactic. An attacker who has gained a root shell can install a kernel more to his liking, if he feels too cramped in the one you provided. It's not a realistic argument for disabling modules in your kernel.
[22:15]<wjjmmwjjmlnacnz>rob0: That is when you need an RBAC most, but nobody cares to use one at all.
[22:36]<-- dvxn|syzzzyus xzs>http://www.bagdadsoftware.de")
[22:42]<2punpjwo1>ok..i'm told this is the place to come for help on IP forwarding
[22:43]<2punpjwo1>how do i get a computer hooked to eth1 to share my internet access?
[22:44]<vyrn-vnzsr>nat
[22:47]<vyrn-vnzsr>bluefox83: see the NAT, (Network Address Translation) Introduction, section in http://iptables-tutorial.frozentux.net/iptables-tutorial.html
[22:47]<2punpjwo1>i don't suppose there is an easy way to do this..that tutorial is huge o.o
[22:48]<vyrn-vnzsr>sure, buy a broadband switch/router
[22:48]<2punpjwo1>i have one, i hate the damned thing cus the configs never work right
[22:49]<vyrn-vnzsr>exactly
[22:49]<2punpjwo1>are there any tools for helping to build the right configs?
[22:49]<vyrn-vnzsr>you'll never be able to control and/or fix things though if you don't understand how they work. So the tutorial is a good thing
[22:50]<2punpjwo1>i mean, i'm not building a corporation network, just two computers linked together
[22:50]<2punpjwo1>vice-versa, i have two hours to get it working, i can tinker later
[22:50]<vyrn-vnzsr>bluefox83: fair enough, there are some links to a few scripts in the tutorial that will get you started
[22:51]<vyrn-vnzsr>bluefox83: what distro are you using?
[22:51]<2punpjwo1>debian
[22:52]<2punpjwo1>debian unstable
[22:52]<2punpjwo1>os[Linux 2.6.16-1-k7 - Debian testing/unstable] up[25 minutes] cpu[AMD Sempron(tm), 1333.586 MHz (2669.79 bogomips) at 58.0°C] xchat[Version: 2.6.1]
[22:53]<2punpjwo1>not very happy about that uptime...i bumped my computer and everything froze..only way to fix it was to shut the power supply off :(
[22:54]<vyrn-vnzsr>bluefox83: your public ip static or dynamic?
[22:54]<2punpjwo1>dynamic
[22:55]<vyrn-vnzsr>then you'll want to use MASQUERADE
[22:55]<vyrn-vnzsr>start with echo 1 > /proc/sys/net/ipv4/ip_forward
[22:56]<2punpjwo1>it didn't post anything
[22:56]<vyrn-vnzsr>post?
[22:56]<2punpjwo1>i didn't get anything back when i entered that in
[22:56]<vyrn-vnzsr>that's correct
[22:57]<mrrynfmr>you can check by echoing it back out
[22:57]<vyrn-vnzsr>cat /proc/sys/net/ipv4/ip_forward
[22:57]<vyrn-vnzsr>should return 1
[22:57]<2punpjwo1>it did
[22:58]<vyrn-vnzsr>so you have no existing rules now, correct?
[22:58]<2punpjwo1>correct
[22:58]<-- sgvgzs xzs fuyv (>/dev/brain")
[22:58]<2punpjwo1>all i've done is create eth1, that's it
[22:58]<2punpjwo1>there are no rules set up
[22:58]<vyrn-vnzsr>what interface is your WAN connection on?
[22:58]<2punpjwo1>eth0
[22:59]<vyrn-vnzsr>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[23:00]<2punpjwo1>k
[23:00]<vyrn-vnzsr>iptables -t nat -nvL
[23:00]<vyrn-vnzsr>does it show the rule you did previously?
[23:01]<2punpjwo1>yeah
[23:01]<vyrn-vnzsr>iptables -nvL
[23:01]<vyrn-vnzsr>are the default policy rules ACCEPT?
[23:02]<2punpjwo1>yes
[23:03]<vyrn-vnzsr>set up the gateway on the client node to the nat machine and make sure it has dns in /etc/resolve.conf for your isp, or use dnsmasq package or similar if you want the nat machine to provide dns.
[23:04]<2punpjwo1>will this keep this machine from using the net?
[23:05]<vyrn-vnzsr>no
[23:05]<2punpjwo1>k
[23:05]<2punpjwo1>now i get to go find out how to use dnsmasq...
[23:06]<vyrn-vnzsr>bluefox83: you only need it if you want the nat boxen to provide dns
[23:06]<2punpjwo1>vice-versa, i don't know if it needs to or not
[23:06]<2punpjwo1><--new to networking stuff
[23:07]<vyrn-vnzsr>bluefox83: for such a simple nat requirement I would say no, just use your ISPs DNS servers in /etc/resolve.conf if they are fairly constant.
[23:08]<vyrn-vnzsr>on the client node that is
[23:08]<2punpjwo1>you mean the pc that will be connected to eth1?
[23:08]<vyrn-vnzsr>yes
[23:09]<2punpjwo1>ok, that computer is a crappy ass windows machine, and it belongs to my roommates...
[23:09]<2punpjwo1>keep trying to convince them to use linux, but noooooooo
[23:09]<2punpjwo1>what do i do, set their windows machine to use my pc as a gateway?
[23:09]<vyrn-vnzsr>their choice, same as yours is to use Linux.
[23:10]<vyrn-vnzsr>bluefox83: yes, and your ISPs DNS
[23:11]<2punpjwo1>oh crap, my /etc/resolv.conf is empty :X
[23:11]<2punpjwo1>*resolve.conf
[23:18]<vyrn-vnzsr>so you're unable to resolve dns names on the debian nat machine?
[23:21]<vyrn-vnzsr>oh dammit bluefox83, my bad, it's /etc/resolv.conf
[23:22]<2punpjwo1>oh :)
[23:22]<vyrn-vnzsr>blame it on tab completion...lol
[23:24]<vyrn-vnzsr>bluefox83: so you have your dns nameservers now?
[23:24]<2punpjwo1>yeah
[23:24]<vyrn-vnzsr>you have it working?
[23:25]<2punpjwo1>i dunno, on the phone
[23:25]<vyrn-vnzsr>pizza? :)