Network: freenode | Channel: #iptables
Log from #iptables at freenode 2006-07-04
[13:23]<axzjg>what would be better than logging with iptables?
[13:23]<axzjg>logging every packet that is
[13:23]<axzjg>nothing really right? iptables logging every packet should be accurate?
[15:00]<mnp2dvn>hi
[15:00]<mnp2dvn>can someone help me in getting irc working with my iptables config ??
[15:03]<mnp2dvn>i just need to open 2 ports for the dcc functionality
[16:59]<2jz2j>lo
[16:59]<2jz2j>how can i forward ex: port 22 from 192.168.0.2 on the 192.168.0.1 machine ?
[17:00]<mnupj>hello, can i have some help plz?
[17:02]<2jz2j>deufo: if i can i will help you .. go on
[17:02]<mnupj>i used an iptables rule generator from here
[17:02]<mnupj>http://easyfwgen.morizot.net/gen/
[17:02]<mnupj>and i ran the script it generated
[17:03]<mnupj>but when i nmap my own comp, it makes no difference :(
[17:03]<2jz2j>what do you want to do.. ?
[17:05]<mnupj>i want to know why it doesn't make a difference
[17:05]<mnupj>i apply those rules and i get the same result as when i set all chains to accept
[17:06]<2jz2j>deufo: try an online portscanner like grc.com
[17:06]<mnupj>but i'm behind a router
[17:08]<2jz2j>deufo: try at least quicktables.. i found it more useful than that
[17:08]<vyrn-vnzsr>maxine: hi sweetie!
[17:08]<drwygn>vice-versa: excuse me?
[17:08]<mnupj>what's quicktables?
[17:08]<vyrn-vnzsr>maxine: yes you
[17:08]<drwygn>i heard i was the bot? or a pocket calculator
[17:08]<2jz2j>http://qtables.radom.org/
[17:08]<vyrn-vnzsr>maxine: forward port
[17:08]<drwygn>rumour has it forward port is iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to-destination $destip; see http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
[17:09]<vyrn-vnzsr>borbo: ^^^^^
[17:09]<2jz2j>vice-versa: ok ;)
[17:12]<2jz2j>vice-versa: ex: if i want all the machines on my network to be able to connect to a fileshare program that wants to have open some ports what i must do
[17:12]<2jz2j>?
[17:31]<vyrn-vnzsr>maxine: bot or pocket calculator?
[17:31]<drwygn>vice-versa: wish i knew
[17:31]<vyrn-vnzsr>lol
[17:31]<vyrn-vnzsr>maxine: you take it in the ass don't you?
[17:31]<drwygn>vice-versa: i don't know
[17:59]<2jz2j>anyone give me some help on making the 10.1.1.2:22 to make it the default ssh server on 10.1.1.1/0 ? the server machine is the 10.1.1.1. any idea ?
[18:06]<2jz2j>anyone please ?
[18:06]<mrrynfmr>what do you mean by "default ssh server"?
[18:08]<2jz2j>ex: if someone runs: ssh $my_ip to connect to the 10.1.1.2 ssh server instead of mine..
[18:09]<mrrynfmr>not sure why you would want that...
[18:10]<mrrynfmr>anyway, it can be done, with a DNAT and SNAT rule on the default gateway
[18:10]<mrrynfmr>second URL in topic should help
[18:10]<2jz2j>danieldg: can you give an example cause i try some rules without success ..
[18:11]<2jz2j>danieldg: those rules i used..
[18:11]<mrrynfmr>you need two rules: one DNAT and one SNAT
[18:12]<mrrynfmr>and this must be done on the default gateway of 10.1.1.1/24
[18:12]<2jz2j>sure.
[18:12]<2jz2j>can you tell me what are the correct commands ?
[18:12]<2jz2j>my ip 10.1.1.1
[18:12]<2jz2j>other ip 10.1.1.2
[18:13]<2jz2j>and internet. 62.74.160.80 but it is not static
[18:14]<2jz2j>danieldg: can you ?
[18:14]<mrrynfmr>what have you tried?
[18:15]<2jz2j>iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.1.1.2
[18:16]<2jz2j>iptables -t nat -A POSTROUTING -p tcp --dport 22 -j SNAT --to-source 10.1.1.2
[18:16]<mrrynfmr>the SNAT source needs to be the IP of the firewall
[18:16]<2jz2j>when you say the ip of the firewall?
[18:17]<2jz2j>10.1.1.1 ?
[18:17]<mrrynfmr>the IP of the machine running the iptables command
[18:17]<2jz2j>so the 10.1.1.1
[18:18]<2jz2j>i do that but it still can't connect
[18:18]<mrrynfmr>where are you trying from?
[18:18]<2jz2j>i am trying to connect from the 10.1.1.2 via : ssh 62.74.160.80
[18:19]<mrrynfmr>and it has 10.1.1.1 as default gateway?
[18:19]<2jz2j>yes.. the 10.1.1.2 can access internet
[18:20]<jjxggdq1|wjzc>borbo: try iptables -t nat -A PREROUTING -d 10.1.1.1 -p tcp --dport 22 -j DNAT --to 10.1.1.2
[18:20]<mrrynfmr>that's the same rule he already has...
[18:20]<jjxggdq1|wjzc>danieldg: no it's not
[18:20]<2jz2j>Johnny23|work: ok
[18:20]<mrrynfmr>Johnny23|work: ok, what's the important difference?
[18:21]<jjxggdq1|wjzc>danieldg: -d 10.1.1.1
[18:21]<mrrynfmr>which he doesn't want - since that'll only make it work for packets going to 10.1.1.1
[18:22]<jjxggdq1|wjzc>danieldg: if it works its a start
[18:22]<2jz2j>Johnny23|work: it's not working.
[18:22]<mrrynfmr>borbo: do you have other rules in POSTROUTING?
[18:22]<2jz2j>nope
[18:22]<mrrynfmr>maxine: show ruleset
[18:22]<drwygn>Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
[18:23]<mrrynfmr>borbo: then how are you doing NAT?
[18:23]<2jz2j>danieldg: MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
[18:23]<2jz2j>sorry i thought that you say PREROUTING
[18:24]<mrrynfmr>does that rule have an interface on it?
[18:24]<2jz2j>in * , out ppp0
[18:24]<mrrynfmr>ok. and the SNAT rule is right after that? only two rules?
[18:25]<mrrynfmr>are you blocking stuff in FORWARD?
[18:25]<2jz2j>ok wait to pastebin
[18:26]<2jz2j>the iptables-save output is without the DNAT SNAT that i add afterwards.
[18:27]<mrrynfmr>afterwards? you mean it's not there right now?
[18:27]<2jz2j>i do /etc/init.d/iptables restart.
[18:29]<2jz2j>http://pastebin.ca/78775
[18:29]<2jz2j>there is..
[18:30]<2jz2j>now i must add the other rules to make 10.1.1.2:22 be accessed instead of 10.1.1.1:22
[18:30]<mrrynfmr>iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
[18:30]<mrrynfmr>or look at the logs to see everything you were dropping
[18:32]<2jz2j>danieldg: ok i do that command.