Log from #iptables at freenode 2006-07-05
[00:01]<aygyw>If I have two interfaces on a box, one connected to a LAN subnet and another to a different LAN subnet, and I try to connect from the first subnet to the IP of the second subnet set on that box, should I expect to see traffic leave the first interface to the second interface? I thought it would go to the second interface and travel through the forward chain, but it doesn't. Is it instead doing some local loop stuff?
[00:02]<aygyw>http://rafb.net/paste/results/ibDO6h56.html so if I do a ping from 192.168.2.5 to 10.3.39.1
[00:03]<aygyw>I have an ipsec tunnel coming in through eth0
[01:17]<wjjmmwjjmlnacnz>cinix: Linux always sends packets over the fastest interface and that is loopback
[01:18]<wjjmmwjjmlnacnz>btw, I think if you take out the first line in your routing table, you wouldn't have your problem.
[01:20]<wjjmmwjjmlnacnz>You need it, but I think you would want it different in any case. Why do you choose a mtu of 1300bytes? Ethernet uses 1500 by default.
[01:21]<wjjmmwjjmlnacnz>Do you have more than one address on eth0, e.g. like in more than one network?
[01:34]<aygyw>WoodyWoodpecker: that's automatic by openswan, and they lowered the mtu so it wouldn't fragment.
[01:34]<aygyw>WoodyWoodpecker: the ESP packets arrive, some magic happens and they get decrypted then they leave the eth0 device. I would expect them to behave like a normal un-encrypted packet and be filtered accordingly. but it seems like they just always go to the input chain no matter what
[01:34]<aygyw>or maybe they don't get refiltered at all, and the rules for esp apply
[01:36]<aygyw>but I'm sure I don't understand enough about how it's working to fix it :) I wish I had some nice diagrams like danield posted earlier on packet paths for openswan/kernel sa stuff
[01:37]<wjjmmwjjmlnacnz>Do you have something like: $IPT -A INPUT -i tun0 -p udp --sport 1394 --dport 1394 -j ACCEPT
[01:41]<wjjmmwjjmlnacnz>Allow packets of tun/tap no matter what, because they will always be encrypted.
[01:42]<wjjmmwjjmlnacnz>After that rule is matched, the packets are in the network stack anyway. Post your iptables script.
[02:06]<fzlzvjz>hello
[02:06]<drwygn>hey, lapator.
[02:06]<fzlzvjz>maxine~ ;)
[02:07]<fzlzvjz>i think that i found a bug in iptables.. the following command gives me the following error
[02:07]<fzlzvjz>iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT
[02:07]<fzlzvjz>iptables: Unknown error 18446744073709551615
[02:17]<mrrynfmr>ah, you're in 64-bit iptables...
[02:17]<fzlzvjz>yes
[02:17]<mrrynfmr>that error is from the kernel - check the last line in dmesg
[02:18]<mrrynfmr>The actual error should be "Invalid Argument"
[02:18]<mrrynfmr>it's a bug that is fixed in svn, but not in 1.3.5
[02:20]<fzlzvjz>sure .. i have .net-firewall/iptables-1.3.5-r2
[02:20]<fzlzvjz>danieldg~ also a lot of modules cannot be loaded at all..
[02:22]<fzlzvjz>ex: classify and some others..
[02:29]<mrrynfmr>right - you don't have them in your kernel
[02:29]<fzlzvjz>danieldg~ why ? there is no such option on my kernel
[02:38]<mrrynfmr>lapator: they are in patch-o-matic-ng, not the official kernel
[02:39]<fzlzvjz>danieldg~ what can i do to have these patches applied?
[02:40]<mrrynfmr>what kernel are you using?
[02:40]<fzlzvjz>gentoo-sources
[02:40]<mrrynfmr>version....
[02:40]<mrrynfmr>2.6.17?
[02:41]<fzlzvjz>sys-kernel/gentoo-sources-2.6.16-r7
[02:41]<fzlzvjz>2.6.17 cannot even compile .. don't know why and also how to try to fix the problem
[02:41]<fzlzvjz>:(
[02:42]<mrrynfmr>well, most of the patches don't work for 2.6.15+, since there was some restructuring in the kernel
[02:42]<mrrynfmr>it's pretty easy to fix them if you wanted
[02:43]<mrrynfmr>check out patch-o-matic from https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
[02:44]<fzlzvjz>ok
[02:56]<fzlzvjz>night
[02:56]<fzlzvjz>danieldg~ thanks ;)
[03:11]<rraffsax>is there a way to create a non-symmetric NAT with iptables?
[03:24]<mrrynfmr>jakllsch: I don't think so - you can create a one-to-one mapping if you want (DNAT with no port ranges), and I think iptables will try to preserve ports if possible
[03:31]<rraffsax>will that be enough for me to test Teredo?
[03:39]<rraffsax>oh well, at least I have 6to4 working with protocol forwarding
[08:13]<cnzjljc>hello all
[09:11]<-- sgvgzs xzs fuyv (>/dev/brain")
[11:13]<sufgzfyguw>I have set up everything in iptables to make amule work... my forward and prerouting chains are set up correctly but still I have low ID. why?
[11:28]<rnryv>superlinux: you need to DNAT to your amule box to have high ID
[11:52]<sufgzfyguw>ok
[13:47]<gyvrfruv>hi everyone
[13:47]<gyvrfruv>guys help please =)
[13:47]<gyvrfruv>there is a port lets say 1234
[13:47]<gyvrfruv>it is opened
[13:48]<gyvrfruv>i want to be sure that there are no http or ftp packets there
[13:48]<gyvrfruv>i've read about stuff called layer7 classifier
[13:48]<gyvrfruv>but i wonder if there is any other way to do it
[14:36]<xjzzjz_vrauy>I've got a tricky problem... I'd like to (dis)allow ssh access for certain users, based on the source address... Any hints on that?
[14:38]<xjzzjz_vrauy>I've thought of using -m owner, but that of course works only on OUTPUT, and I fail to connect incoming 22 with the outgoing random ports via a rule...
[14:43]<xjzzjz_vrauy>...using conntrack fails, obviously because I'm not clear on where the tracking happens...
[17:20]<rjxrrrwv>does "iptables -I INPUT -i eth0 -j ACCEPT" accept all incoming traffic on eth0?
[17:46]<zlwnwnz>i have an internal network on eth1, and 2 external IPs on eth0 and eth2. Currently eth2 is unused, and the internal network can access the internet because of the nat on eth0. I want to make one machine use only eth2. How can I do this?
[17:48]<zlwnwnz>I tried doing this: in postrouting, set MASQUERADE all -- * eth0 !192.168.2.3 0.0.0.0/0 and MASQUERADE all -- * eth2 192.168.2.3 0.0.0.0/0 and this in prerouting: DNAT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 to:192.168.2.3
[17:48]<zlwnwnz>but it doesn't work... somehow
[19:10]<snnfn_>help please, my clients can't access secure pages ... I didn't make any change, it just stopped working .... any suggestions?
[19:11]<vyrn-vnzsr>https?
[19:11]<snnfn_>vice-versa, yes ... I'm trying to log in to gmail or hotmail .... and it doesn't work
[19:13]<vyrn-vnzsr>so it's external secure sites...you're providing nat for the client machines then?
[19:15]<snnfn_>yes this is my firewall http://pastebin.ca/79633
[19:19]<vyrn-vnzsr>seele_: can you pastebin again with -c
[19:20]<snnfn_>vice-versa, -c ??
[19:20]<vyrn-vnzsr>seele_: yes, iptables-save -c
[19:21]<snnfn_>http://pastebin.ca/79635
[19:27]<snnfn_>if I try to login into hotmail ... the connection dies ...
[19:27]<snnfn_>???
[19:29]<vyrn-vnzsr>seele_: how about from the nat machine itself with wget?
[19:33]<vyrn-vnzsr>wget --server-response --spider --no-check-certificate https://gmail.com
[19:34]<snnfn_>vice-versa, doesn't work
[19:35]<snnfn_>vice-versa, http://pastebin.ca/79681
[19:36]<snnfn_>vice-versa, from the router machine
[19:36]<vyrn-vnzsr>seele_: looks ok to me on the wget
[19:37]<snnfn_>vice-versa, from a client http://pastebin.ca/79688
[19:39]<vyrn-vnzsr>do you have links or lynx or similar text browser on the nat machine?
[19:40]<snnfn_>vice-versa, yes
[19:48]<vyrn-vnzsr>seele_: I don't see anything obvious as to why you would have dying https connections, do you have anything pertinent in dmesg or your logs?