Log from #iptables at freenode 2006-06-29
[00:14]<vdlnwzyvnz>+how can i specify a port range with --dport
[00:14]<vdlnwzyvnz>+--dport 100:200 ?
[00:19]<tdbnzr>+yes
[00:36]<-- svgvsdyzgjvr xrs>/dev/null")
[01:27]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/")
[05:14]<pnfm>+iptables trivia! :P
[05:14]<pnfm>+iptables -A FORWARD -i eth2 -p tcp --dport 3389 -d 192.168.150.2 -j ACCEPT
[05:14]<pnfm>+say I have that for example with an ISP on eth2
[05:15]<pnfm>+my LANs on eth0 and 1 would fail because of the default drop rule. they wouldn't fit and would not be forwarded, right?
[05:15]<mrrynfmr>+I think so
[05:15]<pnfm>+or does it come in thru eth0, see the IP @ eth2, move to eth2, and come in thru eth2?
[05:16]<mrrynfmr>+no, that is not what happens
[05:16]<pnfm>+lol sounds silly but I wanted to be sure
[05:16]<pnfm>+good.
[05:17]<pnfm>+ok but wait danieldg
[05:18]<pnfm>+if the ip @ eth2 is being accessed by a domain name....
[05:18]<pnfm>+would my lan go thru the firewall to the router and come back in eth2?
[05:18]<pnfm>+ignore the domain name
[05:18]<pnfm>+that's irrelevant
[05:18]<mrrynfmr>+if the router supports that (most don't)
[05:19]<pnfm>+well i'm just wondering the route path
[05:20]<mrrynfmr>+your network: LAN --> iptables_box --> router --> internet ?
[05:20]<pnfm>+if the default gateway is on the router.... does it go thru the firewall, to the router, and come back to the firewall?
[05:20]<pnfm>+danieldg: that's an accurate description
[05:21]<mrrynfmr>+does iptables_box have a public IP on eth2?
[05:21]<pnfm>+yes
[05:21]<mrrynfmr>+then iptables_box would _not_ be forwarding packets sent to its public IP
[05:21]<mrrynfmr>+it would accept them as coming in eth[01]
[05:22]<pnfm>+uhm......
[05:22]<pnfm>+i missed something in my description
[05:23]<pnfm>+eth2:ALIAS is bound on the iptables box and forwarding to a mock "DMZ" where all the webservers and such are
[05:23]<pnfm>+so i'm really looking for an external ip from my lan that is on the iptables box. this ip gets forwarded to another LAN.
[05:24]<mrrynfmr>+maxine: snat needed
[05:24]<drwygn>+well, snat needed is: when forwarding a connection to a host where the return packets do not pass through the iptables machine, you must change the source address with SNAT (or MASQUERADE) or the connection will fail. See http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
[05:24]<pnfm>+danieldg: i have SNAT
[05:24]<mrrynfmr>+I think that URL has a description of what you are trying
[05:24]<pnfm>+it's just that when I ran my script last time I had to remove it and put the only one back because I couldn't reach the mailserver from the lan
[05:25]<pnfm>+*other one back
[05:25]<mrrynfmr>+do you just have one SNAT rule?
[05:25]<pnfm>+the snat rule would resemble the following:
[05:25]<pnfm>+iptables -t nat -A POSTROUTING -o eth2 -s 192.168.254.150 -d ! 192.168.0.0/16 -j SNAT --to-source 207.190.97.30
[05:25]<mrrynfmr>+is that the only rule you have?
[05:26]<pnfm>+only one per server
[05:26]<pnfm>+what is messing me up? my specification of interface?
[05:26]<mrrynfmr>+read that URL and the explaining text maxine pasted; you need another SNAT rule
[05:27]<pnfm>+danieldg: ok I'll take a look.
[05:29]<mrrynfmr>+hmm: that page has a slight error; you can't use -i in POSTROUTING...
[05:33]<pnfm>+danieldg: do you mean that OUTPUT rule?
[05:34]<mrrynfmr>+no, the POSTROUTING one
[05:34]<pnfm>+what's wrong with my postrouting rule?
[05:34]<mrrynfmr>+iptables -t nat -A POSTROUTING -p tcp --src $LAN_RANGE --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP
[05:35]<mrrynfmr>+nothing's wrong with it. You just need another one
[05:35]<pnfm>+so for each server I'm forwarding to I need that postrouting rule?
[05:36]<pnfm>+as long as I want to reach it from my other lan?
[05:37]<mrrynfmr>+yes. You could just have one rule that covers all servers
[05:37]<mrrynfmr>+iptables -t nat -A POSTROUTING -p tcp --src $LAN_RANGE --dst $DMZ_RANGE -j SNAT --to-source $LAN_IP
[05:39]<pnfm>+I think I understand
[05:39]<pnfm>+I have 2 DMZs and 3 LANs in this network
[05:39]<pnfm>+the DMZs will never need to talk to each other
[05:39]<pnfm>+so I just need 6 rules, 2 for each LAN, eh?
[05:40]<mrrynfmr>+yes
[05:40]<mrrynfmr>+maxine: snat needed
[05:40]<drwygn>+snat needed is: when forwarding a connection to a host where the return packets do not pass through the iptables machine, you must change the source address with SNAT (or MASQUERADE) or the connection will fail. See <dmz example> for an example rule, or http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
[05:40]<mrrynfmr>+maxine: dmz example
[05:40]<drwygn>+dmz example is iptables -t nat -A PREROUTING -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP; iptables -t nat -A POSTROUTING -s $LAN_RANGE -p tcp --dport $PORT -d $SERVER_IP -j SNAT --to-source $IPTABLES_LAN_IP
[05:41]<mrrynfmr>+good, it works
[05:42]<pnfm>+so this rule.... it mangles the packets so when it sees one from the LAN it makes me keep talking via the LANs? or what exactly is it doing?
[05:42]<pnfm>+argh this goofy laptop is messing up my typing
[05:43]<pnfm>+** it mangles the packets so when the firewall sees a request from the lan to an external IP it's forwarding to it SNATs to the LAN IP of the webserver?
[05:44]<pnfm>+^^ god I hope that makes sense.... I'm just trying to figure out exactly how it's manipulating the packets
[05:44]<mrrynfmr>+if the firewall sees a packet from the LAN to your external IP, it changes the source to itself, and destination to the DMZserver
[05:45]<mrrynfmr>+maxine: dmz example =~ s/-j DNAT/-d $GLOBAL_IP -j DNAT/
[05:45]<drwygn>+OK, danieldg
[05:45]<mrrynfmr>+maxine: dmz example
[05:45]<drwygn>+dmz example is iptables -t nat -A PREROUTING -p tcp --dport $PORT -d $GLOBAL_IP -j DNAT --to-destination $SERVER_IP; iptables -t nat -A POSTROUTING -s $LAN_RANGE -p tcp --dport $PORT -d $SERVER_IP -j SNAT --to-source $IPTABLES_LAN_IP
[05:46]<pnfm>+ok so the variables in that line are 1) lan i'm coming from, 2) DMZ range of webservers, and 3) $LAN_IP= LAN IP of the firewall?
[05:46]<mrrynfmr>+yes
[05:46]<mrrynfmr>+cj: is it possible to get a list of the terms maxine knows?
[05:46]<pnfm>+and that would be the LAN_IP that is on the same network as the DMZ, right?
[05:47]<mrrynfmr>+yes, although it doesn't _have_ to be, but that makes it much clearer
[05:47]<pnfm>+because if so, then this makes total sense now. :)
[05:48]<pnfm>+doesn't have to be? it could be any LAN ip on the firewall as long as it is NOT an external IP?
[05:48]<mrrynfmr>+it could be any external IP, or the firewall's LAN IP
[05:48]<mrrynfmr>+but that's more confusing
[05:48]<pnfm>+just any IP that the firewall owns, huh
[05:49]<mrrynfmr>+yep
[05:49]<pnfm>+okay. for clarity though it makes most sense to use the ones on the DMZ network
[05:49]<pnfm>+*networks
[05:49]<mrrynfmr>+you just need the packets to get back there, so the firewall can turn around and give them to the real sender
[05:49]<mrrynfmr>+agreed
[05:49]<pnfm>+I don't think we're here to enter an obfuscated iptables rules contest
[05:50]<pnfm>+:)
[05:50]<mrrynfmr>+maxine: obfuscated iptables rules contests are fun!
[05:50]<drwygn>+OK, danieldg.
[05:50]<pnfm>+lol