Log from #iptables at freenode 2006-07-04
[21:01]<vyrn-vnzsr>sounds like there is some filtering going on perhaps
[21:01]<vyrn-vnzsr>ya, ya
[21:01]<oz2rg>ok well... thanks
[21:02]<oz2rg>now to expand upon the rules some
[21:02]<vyrn-vnzsr>can you connect to say google.com?
[21:02]<oz2rg>yes
[21:02]<oz2rg>err...
[21:02]<oz2rg>dunno
[21:02]<oz2rg>already d/ced, no issue though
[21:02]<vyrn-vnzsr>ok
[21:02]<oz2rg>i have another shell account i can use
[21:02]<oz2rg>thanks
[21:03]<vyrn-vnzsr>np, enjoy your Gentoo
[21:03]<oz2rg>what is a rule i can add to allow people internal to connect to the external ip?
[21:04]<oz2rg>so i don't get a connection refused when trying to connect locally through my dyndns.org url
[21:05]<vyrn-vnzsr>iptables -t nat -A POSTROUTING -o ifWAN -j MASQUERADE replace ifWAN with your forward facing interface, ie eth0 eth1 ??
[21:06]<vyrn-vnzsr>oh wait, I read that wrong
[21:09]<vyrn-vnzsr>is your box doing the nat for them?
[21:09]<oz2rg>yes
[21:10]<vyrn-vnzsr>dns too?
[21:10]<drwygn>vice-versa: I can't find the machine name "too?"
[21:10]<oz2rg>yes
[21:10]<oz2rg>dhcp, identd, rsyncd, the works
[21:10]<vyrn-vnzsr>maxine: you take it in the ass don't you?
[21:10]<drwygn>wish i knew, vice-versa
[21:10]<vyrn-vnzsr>hehe
[21:12]<vyrn-vnzsr>perhaps put the dyndns.org in your hosts file with the LAN ip
[21:12]<oz2rg>will that still allow the redirects like http back to the respective host
[21:13]<vyrn-vnzsr>should have no adverse effect
[21:13]<vyrn-vnzsr>you can always just try... ;)
[21:14]<oz2rg>cause right now one of my internals, trying to go to either the hostname or the ip of the ifWAN gets a connection refused
[21:20]<vyrn-vnzsr>Orban: well you would want your "internals" to stay internal would you not?
[21:20]<oz2rg>but i want them to access the external ip address and all the services it will be masking
[21:21]<oz2rg>because some of the internals are laptops, and i want them to have one url to go to, not one if they are internal and one when they are external
[21:21]<vyrn-vnzsr>well the DNS solution will work a treat then
[21:22]<oz2rg>but if i dns them to the internal ip of the router, then they get connection refused
[21:24]<vyrn-vnzsr>dns them, you mean use the nat box to provide dns?
[21:25]<oz2rg>yes, and if i place the external hostname and map it to the nat box, it doesn't redirect back internally to the webserver
[21:28]<vyrn-vnzsr>just so we're clear, you now have the some.domain.tid in question in your hosts file on the nat box with the LAN ip?
[21:28]<oz2rg>yes
[21:28]<vyrn-vnzsr>from a client box, does ping some.domain.tid return your LAN ip now?
[21:29]<oz2rg>yes
[21:29]<vyrn-vnzsr>can you connect ok just using the ip address itself?
[21:31]<oz2rg>no
[21:31]<oz2rg>it times out
[21:31]<vyrn-vnzsr>well then something else is going on here
[21:31]<oz2rg>i added a rule to `iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to 192.168.57.2` to redirect it back to the 192.168.57.2
[21:32]<vyrn-vnzsr>huh?
[21:32]<oz2rg>it was just connection refused because the nat box wasn't expecting a connection on the internal interface
[21:33]<oz2rg>so i added a rule to it so when it's getting a connection on the internal interface to DNAT it to the webserver ip address
[21:33]<vyrn-vnzsr>ok, I think I see what you're doing wrong. The some.domain.tid should be 192.168.57.2 in the hosts file
[21:33]<oz2rg>but there are multiple services masqed by the some.domain.tid, that internally refer to multiple machines
[21:35]<vyrn-vnzsr>aye, it gets messy
[21:35]<oz2rg>and to think this is all to make doing this whole network thing easier for my wife
[21:35]<oz2rg>and her laptop
[21:36]<vyrn-vnzsr>hehe
[21:40]<vyrn-vnzsr>Orban: so how complicated does this get?
[21:40]<vyrn-vnzsr>how many services/servers we talking about here?
[21:41]<oz2rg>vnc/x forwarding, http, https, remote desktop
[21:41]<oz2rg>really simple...
[21:42]<znmnmd>can someone explain what exactly 'table full' means in my syslog
[21:44]<vyrn-vnzsr>remedy: cat /proc/sys/net/ipv4/ip_conntrack_max ?
[21:45]<vyrn-vnzsr>Orban: and she needs all these services?
[21:45]<oz2rg>well some are for me... but she likes the remote desktop and http
[21:45]<oz2rg>digital photo album and such
[21:47]<oz2rg>oh and i can't forget the cvs, and ssh
[21:47]<oz2rg>hmm wonder if i can setup multiple subdomains under the dyndns domain and then just add local hosts for them...
[21:48]<vyrn-vnzsr>Orban: well I was going to suggest that
[21:48]<vyrn-vnzsr>damn this phone!!!!
[21:48]<oz2rg>heh, i hate phones... period, all phones
[21:49]<znmnmd>vice-versa: yea, conntrack seems to have exceeded max
[21:49]<znmnmd>is it ok just to put a bigger number in ip_conntrack_max?
[21:49]<vyrn-vnzsr>remedy: you natting for client boxen on this?
[21:49]<vyrn-vnzsr>what is it now?
[21:51]<znmnmd>yes natting for about 3 boxes and serving as a router for another 2 with external interfaces
[21:51]<znmnmd>20000 is what i've put in there
[21:52]<vyrn-vnzsr>remedy: I would think that should be more than enough for just 3 boxes, check for a trojaned computer on the lan sending out ridiculous amounts of netscans etc.
[21:52]<oz2rg>or bittorrent can use a lot
[21:53]<znmnmd>yea one box runs a torrent client, i've rate limited it to an extent
[21:53]<znmnmd>i've a feeling it would be this
[21:54]<vyrn-vnzsr>yes, time to have a peek with tcpdump or similar tool
[21:54]<oz2rg>ethereal is great at analyzing large dump files also
[22:04]<vyrn-vnzsr>grrr, some asshat stole my pastry out of the fridge
[22:04]<vyrn-vnzsr>That's ok, the next one in there is going to have lots of X-lax topping on it! Should know who the culprit is by the end of the day.
[22:05]<jjxggdq1|wjzc>hey vice
[22:05]<vyrn-vnzsr>hey
[22:06]<jjxggdq1|wjzc>I see Orban's problem has been fixed
[22:06]<jjxggdq1|wjzc>or well it was always working, it was just his shell
[22:06]<oz2rg>ya
[22:06]<vyrn-vnzsr>yea, just a matter of getting some dns stuff ironed out now
[22:25]<oz2rg>vice-versa, i was just thinking about it, linksys routers which run linux/iptables have the ability to do what i need them to
[22:26]<oz2rg>but the reason i don't want one running is it doesn't have the ability to monitor traffic flow/dump traffic
[22:26]<oz2rg>i bet there is a rule in there that allows for the internal to external mapping i want
[22:39]<oz2rg>thought they were there by default
[22:41]<oz2rg>hell, nowadays anyone that sells a service belongs to that list
[22:41]<oz2rg>except the services that you arn't locked into
[22:42]<oz2rg>computer service, whoever you purchased it from you're locked into... they know and they treat you that way
[22:45]<vyrn-vnzsr>ya the list is getting bigger every day
[22:46]<-- dvxn|syzzzyus xzs>http://www.bagdadsoftware.de