Log from #iptables at freenode 2006-07-04
[18:33]<2jz2j>next ?
[18:33]<mrrynfmr>does it work?
[18:33]<2jz2j>what to work ?
[18:36]<2jz2j>what i must add to my firewall to make the connections to the 10.1.1.1:22 to be redirected to 10.1.1.2:22
[18:37]<mrrynfmr>the DNAT and SNAT rules...
[18:37]<2jz2j>danieldg: the command that you told me about -i eth0 -o eth0 -j ACCEPT .. whats is for ?
[18:38]<mrrynfmr>accepting the redirected connection
[18:41]<2jz2j>danieldg: not working
[18:41]<mrrynfmr>pastebin the iptables-save output now
[18:42]<2jz2j>ok
[18:43]<2jz2j>http://pastebin.ca/78788
[18:45]<2jz2j>what do you suggest..
[18:46]<mrrynfmr>looks like it should be working
[18:48]<2jz2j>nope its not
[18:48]<mrrynfmr>run tcpdump or ethereal somewhere
[18:49]<mrrynfmr>you should see the packets being send from .2 to .1, and then back from .1 to .2
[18:49]<2jz2j>ok i will give it a try
[18:49]<2jz2j>thanks any way.. if i dont fix it until night ill be back
[18:50]<2jz2j>thanks anyway ;)
[19:30]<oz2rg>i am having issues trying to get a nat machine to redirect http connections to the internal webserver, here is a iptables -L and iptables -t nat -L of the rules: http://pastebin.ca/78823 i am thoroughly lost
[19:33]<oz2rg>anyone have any suggestions on why forwarding http to the internal address doesn't work
[19:35]<vyrn-vnzsr>maxine: show ruleset
[19:35]<drwygn>Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
[19:36]<oz2rg>http://pastebin.ca/78829
[19:45]<jjxggdq1|wjzc>Orban: try iptables -t nat -A PREROUTING -d "server ip" -p tcp --dport 80 -j DNAT --to "internal ip"
[19:46]<oz2rg>Johnny23|work, what if that changes because the linux machine is on dhcp?
[19:46]<jjxggdq1|wjzc>Orban: then that's a problem, :P
[19:46]<oz2rg>could i specify an in interface instead?
[19:47]<jjxggdq1|wjzc>Orban: not sure, in other rules it can be done, I can try it, once sec
[19:48]<jjxggdq1|wjzc>Orban: I'm getting iptables v1.3.5: host/network `eth1' not found
[19:48]<oz2rg>eth1 is my WAN interface
[19:49]<oz2rg>i was thinking i would change it to iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.57.2
[19:49]<oz2rg>instead of matching the -d "serverip" i'd match the --in-interface
[19:49]<oz2rg>but that doesn't work
[19:50]<oz2rg>and even specifying the ip i get a connection refused
[19:51]<jjxggdq1|wjzc>Orban: hmmmm, once sec
[19:53]<oz2rg>here is a more concise view of just the basic nat rules and then the one -t nat rule for http
[19:53]<oz2rg>http://pastebin.ca/78844
[19:55]<jjxggdq1|wjzc>Orban: iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to "internal ip" worked for me
[19:55]<oz2rg>hmm... not working for me
[19:55]<jjxggdq1|wjzc>Orban: are you running apache on both comps??
[19:55]<oz2rg>no
[19:55]<oz2rg>just the internal
[19:57]<jjxggdq1|wjzc>Orban: if you ran a script to set your rules etc, I'd clear out iptables and just setup the basic nat and that rule to test, other then that I really don't know, should work fine
[19:57]<oz2rg>Johnny23|work that last pastebin i posted was the cleaned out version of iptables...
[19:59]<jjxggdq1|wjzc>Orban: why the -m tcp??
[19:59]<oz2rg>i dunno, iptables added that
[20:02]<oz2rg>hang on rebooting the router...
[20:05]<jjxggdq1|wjzc>Orban: here is the script I ran for my setup(very basic on a test server), I have ftp and http running on router and on the internal pc, therefore the port specifications
[20:05]<jjxggdq1|wjzc>http://pastebin.ca/78852
[20:06]<jjxggdq1|wjzc>Orban: I'm out for lunch, I'll be back in a bit, hope that helps
[20:06]<oz2rg>thanks i hope it does too
[20:11]<-- rzns xrs fuyv ("f>Ubuntu =)")
[20:12]<oz2rg>no it doesn't and here is my ruleset now, i just copied yours fixed the ips and executed
[20:14]<oz2rg>http://pastebin.ca/78860
[20:19]<vyrn-vnzsr>Orban: you're not running a http daemon on the nat box correct?
[20:19]<oz2rg>nope
[20:19]<oz2rg>i get a connection refused right now when i try to connect to 80
[20:19]<vyrn-vnzsr>iptables -D INPUT 1
[20:20]<vyrn-vnzsr>get rid of that rule, it's for the local machine
[20:20]<oz2rg>k
[20:21]<oz2rg>i still don't see why this isn't working
[20:23]<vyrn-vnzsr>Orban: iptables -t nat -nvL does it show any packets on the port 80 rule?
[20:24]<oz2rg>no
[20:24]<oz2rg>that would infer that the rule is never getting attempted correct?
[20:25]<vyrn-vnzsr>Orban: correct
[20:25]<vyrn-vnzsr>Orban: you're trying to connect from outside your LAN right?
[20:25]<oz2rg>yes
[20:25]<oz2rg>i sshed to my sf.net account and i am trying to links http://myip/
[20:26]<vyrn-vnzsr>cat /proc/sys/net/ipv4/ip_forward is that 1 or 0?
[20:26]<vyrn-vnzsr>brb, gotta step out of da cube for a few....
[20:26]<oz2rg>1
[20:30]<oz2rg>and i am connecting through the box right now, just can't get the forwards to work coming back in
[20:47]<vyrn-vnzsr>Orban: back, any luck?
[20:47]<oz2rg>nope
[20:48]<oz2rg>i am about to just go to my old faithful, freebsd for these kinds of things, but i like gentoo... but iptables isn't liking me
[20:49]<vyrn-vnzsr>Orban: hang tight, let's start with some basics, can you connect to the http server from the nat box using wget or links?
[20:49]<oz2rg>yes
[20:50]<vyrn-vnzsr>Orban: try wget --server-response --spider http.server.ip
[20:51]<oz2rg>i get a 200 ok response
[20:51]<vyrn-vnzsr>good
[20:53]<vyrn-vnzsr>so you're public ip is dynamic correct?
[20:53]<oz2rg>yes
[20:54]<vyrn-vnzsr>do you know what it currently is?
[20:55]<oz2rg>yes
[20:55]<oz2rg>24.174.165.6
[20:56]<oz2rg>when i try the wget --server-response --spider 24.174.165.6 i get a connection refused
[20:58]<vyrn-vnzsr>Orban: I get 200
[20:58]<oz2rg>...
[20:58]<vyrn-vnzsr>Orban: browser shoes a simple login form, correct?
[20:59]<oz2rg>yes...
[20:59]<vyrn-vnzsr>*Shows even
[20:59]<vyrn-vnzsr>then it appears it's working
[20:59]<oz2rg>then why does sf.net's links give me a connection refused
[21:00]<vyrn-vnzsr>sf.net's?
[21:01]<oz2rg>sourceforge.net, i have a shell there
[21:01]<oz2rg>maybe they wisened up and blocked outgoing 80 stuff on their shells