Log from #iptables at freenode 2006-07-05
[21:11]<fzlzvjz>lo
[21:12]<fzlzvjz>i am trying to make use of l7-filter.. i successfully added a rule " iptables -I INPUT -m layer7 --l7proto rar -j REJECT"
[21:12]<fzlzvjz>but i can download rar files..!
[21:12]<fzlzvjz>i am missing something ?
[21:13]<fzlzvjz>in my dmesg i get "layer7: This is some protocol I can't handle."
[21:30]<nnjsrmysv>does iptables or the linux kernel for that matter by default accept fragmented packets?
[21:50]<snnfn_>pls help, can't access to some pages ... like www.cualesmiip.com, hotmail.com (login), gmail.com (login) .... any suggest?
[22:11]<snnfn_>please help my clients can't establish https connections across my linux router ...
[22:11]<snnfn_>I don't have port blocking or proxy server .... only routing
[22:13]<snnfn_>these are my firewall rules http://pastebin.ca/79830
[22:21]<wjjmmwjjmlnacnz>seele_: Try $IPT -t nat -A POSTROUTING -p tcp --tcp-options SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[22:21]<wjjmmwjjmlnacnz>or no, only on OUTPUT
[22:22]<wjjmmwjjmlnacnz>seele_: Try $IPT -t nat -A FORWARD -p tcp --tcp-options SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[22:22]<wjjmmwjjmlnacnz>Or something similar, just try some stuff like this.
[22:23]<wjjmmwjjmlnacnz>But the first is definitely wrong, btw.
[22:31]<snnfn_>WoodyWoodpecker, ok
[22:32]<snnfn_>WoodyWoodpecker, error, Unknown arg `--tcp-options'
[22:52]<zzzfygxjs>hi
[22:53]<zzzfygxjs>a doubt
[22:55]<zzzfygxjs>i have a transparent proxy in bridge mode, ebtables + iptables + squid. there are two gateways, is there any way for taking the traffic to the 10.0.0.0 form a gateway and the rest of the traffic to the other? thanx
[22:55]<zzzfygxjs>*from
[22:57]<zzzfygxjs>i have done it by a static route in one router but the proxy doesn't redirect traffic to the 10.0.0.0 net
[22:59]<zzzfygxjs>dnat?
[22:59]<drwygn>well, dnat is for doing port forwards, see <forward port> or http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html
[22:59]<zzzfygxjs>ok
[22:59]<zzzfygxjs>thx
[23:02]<zzzfygxjs>mmm, the dnat rule for redirect lan traffic, must be set before the transparent proxy rule? i mean the order is important?
[23:03]<2yzznmzrmyj>Is it possible to allow based on MAC address? I have tried, but appears not to work.
[23:03]<zzzfygxjs>wrong layer i suppose
[23:04]<2yzznmzrmyj>-A INPUT -m mac --mac-source 00:A0:D1:24:F5:00 -j ACCEPT
[23:08]<zzzfygxjs>iptables -t nat -A PREROUTING -p tcp -d 10.0.0.0/8 -j DNAT --to-destination 10.0.1.254
[23:09]<zzzfygxjs>would this rule take the lan traffic to the gateway 10.0.1.254 ?
[23:12]<wjjmmwjjmlnacnz>seele_: It is -p tcp-option I just wrote the rule in like 5 sec (I have very limited time atm)
[23:12]<wjjmmwjjmlnacnz>seele_: And I don't promise that this will help, just the first thing I would do.
[23:20]<zzzfygxjs>in a bridge whats better for selecting how to toute between two gateways, dnat? or mark paquets and doing iproute2?
[23:20]<zzzfygxjs>*route
[23:21]<vyrn-vnzsr>bigredradio: iptables -nvL do you have any hits on the packet counter for that rule?
[23:24]<wjjmmwjjmlnacnz>carlinhos: use u32 filter with tc
[23:26]<zzzfygxjs>mmm, looks good, thanks
[23:30]<zzzfygxjs>looking at lartc ... looks the very best complicated thing i have ever seen
[23:31]<zzzfygxjs>u32 ...
[23:31]<zzzfygxjs>uff
[23:35]<zzzfygxjs>mm split access seems what i need, but because I'm using a bridge i have only one logical NIC and the two gateways is on the same subnet, is it possible?
[23:35]<zzzfygxjs>*are
[23:41]<ayffnzdrax>help .. I need a rule that allows only traffic to and from a specific IP
[23:47]<2yzznmzrmyj>killermach -A INPUT -p tcp -m tcp -s 192.168.1.1
[23:48]<2yzznmzrmyj>killermach: oops. Forgot something
[23:48]<2yzznmzrmyj>-A INPUT -p tcp -m tcp -s 192.168.1.1 -j ACCEPT
[23:48]<ayffnzdrax>that will only send outbound traffic from my server to me then?
[23:48]<ayffnzdrax>and how to stop all inbound traffic except from me
[23:49]<ayffnzdrax>someone php-holed their way into running a service on my box.
[23:49]<ayffnzdrax>thank you for your help btw.. this is a pain
[23:50]<2yzznmzrmyj>killermach: That will allow incoming traffic from 192.168.1.1. All others should be blocked.
[23:50]<ayffnzdrax>bigredradio: I also want to stop all outbound traffic off the server except traffic to me
[23:51]<2yzznmzrmyj>If you need to limit outgoing traffic, then -m tcp -d 192.168.1.1
[23:51]<2yzznmzrmyj>match tcp traffic where destination is 192.168.1.1
[23:54]<ayffnzdrax>well that locked me out..
[23:55]<ayffnzdrax>waiting to see if my cronjob will drop the tables and let me back in
[23:55]<ayffnzdrax>if not.. have to drive to the datacenter
[23:56]<ayffnzdrax>ok.. I'm in again
[23:56]<ayffnzdrax>but rule locked me out also
[23:57]<vyrn-vnzsr>yup, in situations like that one should test with -j LOG imo