Log from #iptables at freenode 2006-06-28
[11:16]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/")
[12:16]<-- svgvsdyzgjvr xrs>/dev/null")
[16:39]<-- sgvgzs xzs fuyv (>/dev/brain")
[18:21]<-- sgvgzs xzs fuyv (>/dev/brain")
[18:52]<c_kjmn>Question: -A DMI-OUT -i eth0 -s 127.0.0.1 -j DROP This will block spoof attempts from localhost? Secondly is there a better way to do this?
[18:54]<upvzrprvrpdvd>anyone there????
[18:55]<c_kjmn>Yes
[18:55]<upvzrprvrpdvd>you know how to hack a linux server?
[18:55]<c_kjmn>hack is a very broad term
[18:56]<upvzrprvrpdvd>like buffer overflow runescape.com so you can deface the site
[18:56]<c_kjmn>go away
[18:56]<upvzrprvrpdvd>why?
[18:56]<upvzrprvrpdvd>im not going to do it
[18:57]<upvzrprvrpdvd>i just wanna learn how to do it to my friends site
[18:57]<upvzrprvrpdvd>and runescape and him run the same OS
[18:58]<upvzrprvrpdvd>he does it to me all the time and i want to get back at him
[18:58]<upvzrprvrpdvd>why are there 67 ppl in here but nobody's talking?
[19:00]<upvzrprvrpdvd>HELLO IS ANYONE THERE WHY DOESN'T ANYONE TALK???
[19:11]<vzrllysv>aw he left before I could kick him
[19:20]<tdbnzr>hacking and iptables? :P
[19:44]<czysvrfygj>hi
[19:44]<drwygn>bonjour, kristalino.
[19:45]<czysvrfygj>maxine, moin
[19:45]<drwygn>kristalino: excuse me?
[19:45]<czysvrfygj>http://lists.netfilter.org/pipermail/netfilter-devel/2002-March/006987.html <- is it bad ?
[19:50]<wjjmmwjjmlnacnz>What do you mean with "bad"?
[19:51]<czysvrfygj>WoodyWoodpecker, doesn't this line (with FQDN instead of ip) generate a DNS request for each filtering action ?
[19:52]<czysvrfygj>does it impact performance, etc. ?
[19:53]<c_kjmn>Well, it will always have to look up the FQDN whether it be locally cached or an actual DNS query. (providing iptables will even resolve names, which I don't know the answer to)
[19:53]<c_kjmn>any lookup would impact proformace
[19:54]<c_kjmn>preformance
[19:54]<wjjmmwjjmlnacnz>kristalino: Don't use a fqdn in iptables.
[19:55]<wjjmmwjjmlnacnz>Only use IPs.
[19:55]<czysvrfygj>WoodyWoodpecker, i think of that since several days, i found no other alternatives :-(
[19:56]<c_kjmn>kristalino: what exactly is the problem?
[19:56]<wjjmmwjjmlnacnz>kristalino: If the fqdn has a static IP, resolve it and place it in the iptables. If not I wouldn't use -d my_fqdn.
[19:58]<czysvrfygj>i'll explain my problem, it's quite easy actually, and i'm stunned that i found no other solutions after googling for hours, 2 days
[20:03]<czysvrfygj>[one public ip let's say 88.12.12.12] ----- [ local area network composed by : [bind server + web server : 192.168.1.1] --- [ web server : 192.168.1.2] --- [ another web server : 192.168.1.3] ]
[20:04]<czysvrfygj>i want my bind / iptables config to be able to serve all my local servers
[20:04]<czysvrfygj>of course with several domains inside each web servers
[20:05]<czysvrfygj>not only subdomains, but i insist, several domains for each web servers
[20:05]<ezd2zzjj>hey guys, what does eth0+ mean?
[20:11]<c_kjmn>kristalino: you want a single iptables config to work on different web servers?
[20:12]<czysvrfygj>C_Kode, nop, i'll do only NAT on the server that has the public ip @.
[20:13]<c_kjmn>You're using NAT and you want iptables to block any port 80 requests that aren't to a domain name listed in bind?
[20:13]<c_kjmn>bind should do that. It won't resolve a domain to that IP address if it doesn't exist
[20:14]<-- __zxzys xzs fuyv>127.0.0.1")
[20:16]<czysvrfygj>C_Kode, what do you mean ? of course bind can, but the outside (the internet) only knows about one single address ...
[20:17]<c_kjmn>kristalino: I guess I'm misunderstanding your intentions
[20:18]<c_kjmn>What exactly are you intending to block/unblock?
[21:01]<czysvrfygj>C_Kode, nothing
[21:21]<-- ges wes ludv ("ge>blah; cat blah | sed -e 's/[^fmrt]//g' -e 's/r/f/' -e 's/^f/r/' -e 'y/mt/tm/'")
[21:57]<czysvrfygj>C_Kode, WoodyWoodpecker any ideas ?
[21:57]<tdbnzr>T.ex
[21:57]<tdbnzr>ops
[21:58]<c_kjmn>kristalino: as I noted earlier, I'm not clear on what you're attempting to accomplish.
[21:59]<czysvrfygj>C_Kode, NATing webservers
[21:59]<c_kjmn>What does FWDN's have to do with NAT?
[21:59]<c_kjmn>FQDN
[22:01]<czysvrfygj>isn't it clear ?
[22:01]<c_kjmn>No.
[22:02]<c_kjmn>You want iptables to load balance?
[22:03]<czysvrfygj>i want that myexample.com go to 192.168.1.1 and mysecondexample.com go to 192.168.1.2 and mythirdexample.com go to 192.168.1.1 and myfourthexample.com go to 192.168.1.2 and foo.myexample.com go to 192.168.1.1
[22:04]<c_kjmn>You don't need iptables to do that, you need apache.
[22:04]<rlsymns>add multiple host entries into DNS that point each host to the IP you want, then use vhosts in apache
[22:04]<c_kjmn>Use Apache on the server that has the 88 address and have it hand the connections off to the right server.
[22:05]<czysvrfygj>C_Kode, nop, that's just what i want to avoid. All servers (web + bind) are inside the local network
[22:06]<c_kjmn>Well, what you're attempting is a bad setup
[22:06]<czysvrfygj>apsides, that's not enough because all ip are local.
[22:06]<czysvrfygj>C_Kode, is it bad to have a dmz ?
[22:08]<rlsymns>is the server in the DMZ is not hardened it's less secure to put it in DMZ
[22:08]<rlsymns>is=if
[22:08]<c_kjmn>No. DMZ has nothing to do with it. Trying to have iptables direct http connections by FQDN is what's bad
[22:09]<czysvrfygj>how to configure a DMZ then ? That's what i'd like to do actually, but with different domains.
[22:10]<czysvrfygj>and each web server has many domain names.
[22:10]<rlsymns>that's a whole tutorial in 1
[22:10]<c_kjmn>Do your web servers actually generate enough traffic to have seporate servers serve them rather than vhosting all sites?
[22:10]<c_kjmn>separate.
[22:10]<czysvrfygj>C_Kode, yes.
[22:11]<czysvrfygj>apsides, how that "in 1" ?
[22:11]<rlsymns>kristalino: setting up a DMZ is a whole section of itself in iptables
[22:11]<c_kjmn>kristalino: I still say Apache is your answer.
[22:12]<czysvrfygj>C_Kode, apache is not all i need. I need all kinds of other services (svn, ftp, ssh, etc.). And each domain should point to the right pc inside the lan.
[22:13]<rlsymns>kristalino: with only 1 external IP you will need to differentiate http requests by port
[22:14]<czysvrfygj>apsides, i know. But i'd like to differentiate requests by FQDN instead of by ports
[22:14]<c_kjmn>kristalino: I suggest you part with some cash and get a larger subnet. Then you can route properly
[22:14]<czysvrfygj>for example ssh myfourthexample.com should ssh to 192.168.1.2
[22:14]<czysvrfygj>C_Kode, something i already know...
[22:15]<c_kjmn>kristalino: ok, balance all across each and load-balance all
[22:16]<rlsymns>kristalino: okay then. read about iptables -m string
[22:16]<rlsymns>good luck on that though
[22:17]<czysvrfygj>C_Kode, _how that ?
[22:17]<czysvrfygj>apsides, thanks :)
[22:17]<c_kjmn>set up the vhosts on all 3 servers and use something like ... what is the filesystem called. uni-something