Log from #iptables at freenode 2006-07-07
[16:59]<vyrn-vnzsr>oh sorry
[16:59]<czrc_jvrc>and now everything in the kernel i guess is right
[17:00]<ygvgfdrgwo7>how could I block access to 139 and 445
[17:00]<czrc_jvrc>the problem is with the rule, that now doesn't work for some weird reason
[17:01]<vyrn-vnzsr>Crak_otak: "No chain/target/match by that name" is usually a sign that there is a required support option missing
[17:03]<vyrn-vnzsr>Crak_otak: make sure you have MASQUERADE target support
[17:03]<czrc_jvrc>i guess so, thanks vice-versa
[17:04]<czrc_jvrc>if you could point me to the right module i will appreciate it
[17:06]<vyrn-vnzsr>grep IP_NF_TARGET_MASQUERADE /usr/src/linux/.config
[17:06]<czrc_jvrc># CONFIG_IP_NF_TARGET_MASQUERADE is not set
[17:06]<czrc_jvrc>you were very right
[17:07]<czrc_jvrc>which module i must compile for adding support for it?
[17:07]<czrc_jvrc>those changes in kernel config are driving me mad
[17:07]<ygvgfdrgwo7>how could I block access to 139 and 445
[17:08]<vyrn-vnzsr>MASQ also depends on NET, INET, NETFILTER, IP_NF_NAT
[17:08]<czrc_jvrc>vice-versa: i've found it already
[17:09]<czrc_jvrc>thanks so much for your help
[17:09]<vyrn-vnzsr>np
[17:09]<ygvgfdrgwo7>could anyone help
[17:09]<vyrn-vnzsr>maxine: show ruleset
[17:09]<drwygn>Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
[17:09]<vyrn-vnzsr>intelmanx86: ^^^^^
[17:09]<ygvgfdrgwo7>me?
[17:10]<ygvgfdrgwo7>post my iptables -vnL
[17:10]<vyrn-vnzsr>sure, and tell us a little about your network configuration.
[17:12]<ygvgfdrgwo7>ok
[17:16]<ygvgfdrgwo7>here goes
[17:16]<ygvgfdrgwo7>10.0.0.0/255.0.0.0 internal
[17:16]<ygvgfdrgwo7>165.165.197.36/255.255.255.255 external
[17:16]<ygvgfdrgwo7>anything else?
[17:17]<ygvgfdrgwo7>139, 445 is samba
[17:17]<vyrn-vnzsr>so you have 2 nics? are you doing nat for clients boxes?
[17:18]<vyrn-vnzsr>and do you have existing rules?
[17:18]<ygvgfdrgwo7>one nic
[17:18]<ygvgfdrgwo7>yes
[17:18]<ygvgfdrgwo7>no nat
[17:18]<ygvgfdrgwo7>my router does nat
[17:19]<ygvgfdrgwo7>so can you help?
[17:20]<vyrn-vnzsr>so you're using an alias on eth0?
[17:20]<ygvgfdrgwo7>eth0 is eht0
[17:20]<ygvgfdrgwo7>eth0
[17:20]<ygvgfdrgwo7>I mean
[17:20]<ygvgfdrgwo7>but eth0 is pppoe
[17:20]<ygvgfdrgwo7>so ppp0 is 165.165.197.36
[17:21]<vyrn-vnzsr>does your router not have the ability to block outgoing packets?
[17:22]<ygvgfdrgwo7>yes
[17:22]<ygvgfdrgwo7>never tested it yet though
[17:22]<vyrn-vnzsr>well that's where you should be doing it with your setup imo
[17:23]<ygvgfdrgwo7>umm...
[17:23]<ygvgfdrgwo7>I want host based iptables to take care of that
[17:24]<ygvgfdrgwo7>..
[17:27]<ygvgfdrgwo7>and
[17:27]<ygvgfdrgwo7>vice-versa,
[17:31]<vyrn-vnzsr>hmmm, well what do you have for an existing rule set?
[17:33]<ygvgfdrgwo7>no
[17:39]<ygvgfdrgwo7>and
[17:43]<vyrn-vnzsr>and?
[17:44]<ygvgfdrgwo7>you can help
[17:45]<vyrn-vnzsr>well I've never done anything with pppoe as it pertains to iptables, but I guess you could try iptables -A INPUT -p TCP -i ppp0 --destination-port 139 -j DROP
[17:47]<ygvgfdrgwo7>can you tell me what that would do?
[17:48]<vyrn-vnzsr>what you originally asked for
[17:49]<ygvgfdrgwo7>so any connections from the interface ppp0 will be dropped?
[17:49]<vyrn-vnzsr>on port 139, yes
[17:49]<ygvgfdrgwo7>o cool
[17:49]<ygvgfdrgwo7>thanks
[17:50]<ygvgfdrgwo7>how would I remove that from my iptables rules?
[17:50]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/ http://iownmydvds.org/")
[17:51]<vyrn-vnzsr>iptables -D INPUT -p TCP -i ppp0 --destination-port 139 -j DROP
[17:52]<vyrn-vnzsr>intelmanx86: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
[17:52]<ygvgfdrgwo7>-D removes
[17:52]<vyrn-vnzsr>yes. it's all explained in the url I gave you
[17:53]<ygvgfdrgwo7>it doesn't work
[17:53]<ygvgfdrgwo7>that rule you gave me
[17:53]<ygvgfdrgwo7>still allows access
[17:54]<vyrn-vnzsr>from?
[17:54]<ygvgfdrgwo7>I tested it on my ftpd(21) on eth0 and the clients can still connect
[17:54]<ygvgfdrgwo7>changing the syntax of course
[17:55]<ygvgfdrgwo7>iptables -A INPUT -p TCP -i eth0 --destination-port 21 -j DROP
[17:55]<ygvgfdrgwo7>so what is wrong?
[17:57]<ygvgfdrgwo7>and
[17:58]<vyrn-vnzsr>does iptables -nvL show any counters on the rule?
[17:58]<ygvgfdrgwo7>must I restart iptables after I put that rule in?
[17:58]<ygvgfdrgwo7>counters?
[17:58]<vyrn-vnzsr>nope
[17:59]<ygvgfdrgwo7>?
[18:00]<vyrn-vnzsr>yes counters, pkts column in the output at the beginning of the rule
[18:00]<ygvgfdrgwo7>o
[18:00]<ygvgfdrgwo7>checking
[18:01]<ygvgfdrgwo7>0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
[18:02]<ygvgfdrgwo7>and
[18:03]<vyrn-vnzsr>do you have http daemon running to test with?
[18:04]<ygvgfdrgwo7>yes, but I tested it with a ftp client
[18:04]<ygvgfdrgwo7>and it connects
[18:04]<vyrn-vnzsr>try it with http port 80
[18:04]<ygvgfdrgwo7>ok
[18:04]<ygvgfdrgwo7>would it make a difference?
[18:05]<vyrn-vnzsr>maybe, that's what we're about to find out
[18:05]<ygvgfdrgwo7>doesn't work
[18:06]<ygvgfdrgwo7>you must be wrong