Log from #iptables at freenode 2006-07-08
[01:20]<rrfmj_mg_rrgr>hello
[01:20]<drwygn>hi, caldo_de_cana.
[01:20]<rrfmj_mg_rrgr>I'm trying to configure an internal network (with http://gentoo-wiki.com/HOWTO_setup_a_home-server), but I can't get this iptables line to work: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[01:20]<rrfmj_mg_rrgr>it says: iptables: No chain/target/match by that name
[01:32]<svjgyvx>I have ComputerA that connects to ComputerB via OpenVPN using tun0 interface and it can contact ComputerC. I would like to make an iptables rule that only lets ComputerA contact ComputerB and C but nothing else. I've tried using iptables -A INPUT -i tun0 -s 192.168.6.0/24 -d ! 192.168.0.45/32 -j DROP on ComputerB. This doesn't seem to work I can access other computers. Am I totally off? ...
[01:32]<svjgyvx>...I don't want to restrict ports, just restrict access for a particular network to a single computer. Thanks.
[01:33]<svjgyvx>Mind you ComputerA resides on 192.168.6.0/24 and is the OpenVPN client linux box. Computer C is 192.168.0.45
[03:58]<dnpysvjpnfns>hm sorry... where can I check my iptables rules?
[03:58]<mrrynfmr>maxine: display ruleset
[03:58]<drwygn>i think display ruleset is "iptables-save -c" or "iptables -vnL; iptables -t nat -vnL; iptables -t mangle -vnL"
[03:58]<mrrynfmr>is that what you mean by "check"?
[03:59]<dnpysvjpnfns>yeah
[03:59]<dnpysvjpnfns>I think -L is enough
[03:59]<dnpysvjpnfns>thanks
[03:59]<mrrynfmr>usually it is. -v will give more info (like interfaces) so I always use it
[04:03]<dnpysvjpnfns>oh I c
[04:11]<dnpysvjpnfns>gtg
[06:08]<tyajgmzyus>Anyone wanna get some $$ to config my firewall? I give up. I surrender. Iptables has defeated me.
[06:09]<tyajgmzyus>Even with a config program..I don't understand what all of this stuff is..
[06:11]<tyajgmzyus>Reminds me of setting up modems in Windows 3.1...ugh
[09:59]<rzrrygus>morning
[10:25]<rzrrygus>ello
[11:41]<quyegjs>morning
[11:41]<quyegjs>``iptables -A INPUT -p icmp -m TRACE'' fails to load with "cant find trace module"
[16:59]<urfd_ajn>hi all
[16:59]<urfd_ajn>is there some firehol user, i need little help
[18:27]<mz_srcj>http://www.linuxquestions.org/questions/showthread.php?t=462084 can anybody help me?
[19:34]<wyrdyrr>anyone here can tell me, which software do I use to limit the bandwidth for each machine in the LAN? hmm, I have a LAN with over 8 computers in use, and some people would really use bittorrent... which takes up all the bandwidth and makes the Internet inaccessible to the others...
[19:34]<mrmmuac>what is the difference between the state and the conntrack modules?
[19:34]<mrmmuac>or rather, wrt to state matching on RELATED,ESTABLISHED,NEW,INVALID.
[19:35]<mrmmuac>i know conntrack has more information exported
[19:35]<mrmmuac>but when it comes to simple state matching?
[19:35]<mrmmuac>is it better to just use state? better to use conntrack because it might be more efficient?
[19:35]<mrmmuac>better to use conntrack because it might be used later on and thus it would not make sense to also load state?
[19:37]<mrrynfmr>I've always used --state; I think conntrack just gives more information (two more states, and the ability to match on the expiration and other fields)
[19:39]<mrmmuac>so no performance difference?
[19:39]<mrmmuac>also, no problem when loading both?
[19:39]<mrrynfmr>I'm pretty sure there is no problem loading both. conntrack might be a hair slower than state because it can check more.
[19:40]<mrmmuac>right
[20:11]<wyrdyrr>what's the difference between iptables and iproute2 please?
[20:12]<slran2jdd>man them
[20:12]<slran2jdd>find out
[20:12]<slran2jdd>:)
[20:16]<wyrdyrr>I'll do. :'(
[23:37]<slycn>hi there
[23:37]<slycn>I don't get the difference between ASSURED and ESTABLISHED
[23:37]<mrrynfmr>assured is for UDP
[23:37]<slycn>from chap 7 on the tutorial it seems the two things are really the same...
[23:38]<slycn>I don't really think so, it shows up in the tutorial in the TCP chapter 7.4
[23:39]<slycn>and in no part of the tut there's any reference to ASSURED being related to UDP
[23:39]<mrrynfmr>ok - where are you getting these from?
[23:39]<slycn>also, ASSURED means a connection won't be deleted when the limit is reached, so it definitely is protocol independent
[23:39]<slycn>danieldg: from the turorial mentioned 3 times in the topic?
[23:39]<slycn>tutorial*
[23:40]<slycn>chap 7.x is about the state machine
[23:41]<mrrynfmr>ASSURED is for the conntrack entry itself
[23:41]<mrrynfmr>ESTABLISHED is the state of the TCP connection - it could also be FIN_WAIT or other things
[23:43]<mrrynfmr>there is also the --state ESTABLISHED, which is distinct...
[23:44]<slycn>how isn't the state of the tcp connection about conntrack itself?
[23:44]<slycn>When a connection has seen traffic in both directions, the conntrack entry will erase the [UNREPLIED] flag, and then reset it. The entry that tells us that the connection has not seen any traffic in both directions, will be replaced by the [ASSURED] flag, to be found close to the end of the entry.
[23:45]<slycn>which means a connection will be ASSURED even during FIN_WAIT
[23:45]<mrrynfmr>yes
[23:45]<mrrynfmr>a connection can be UNREPLIED and ESTABLISHED - if it was started before the firewall was up
[23:45]<slycn>so again, what's the difference between ASSURED and ESTABLISHED?
[23:45]<slycn>a connection becomes both as long as traffic in both directions is seen
[23:45]<mrrynfmr>they are different terms
[23:46]<mrrynfmr>they are for different things
[23:47]<slycn>but mean the same thing and "kick in" for the same reason?
[23:48]<slycn>and since I'm asking about the state machine I'm strictly talking about conntrack
[23:48]<mrrynfmr>yes, except for a few edge cases
[23:48]<slycn>let's go on with the edge cases then, ta
[23:50]<mrrynfmr>TCP conntrack has several internal states
[23:52]<mrrynfmr>the transition table is in the kernel source, net/netfilter/nf_conntrack_proto_tcp.c is the one I'm looking at
[23:52]<sara>how do i allow access to port 25 on ip 123.123.123.123 from port 123 on the same IP?
[23:53]<mrrynfmr>-p tcp --dport 25 --sport 123 -d 123.123.123.123 -s 123.123.123.123 -j ACCEPT
[23:53]<sara>in which table?
[23:53]<sara>nat?
[23:53]<drwygn>well, nat is the only thing that requires it iirc
[23:53]<mrrynfmr>you'd probably want that in INPUT, and in OUTPUT if you're filtering there
[23:53]<sara>PREROUTE?
[23:53]<sara>okey
[23:54]<mrrynfmr>don't do filtering in nat table - that's what filter is for :)
[23:55]<sara>i am not doing filtering
[23:55]<sara>i want to do a REDIRECT
[23:55]<sara>so people can access smtp
[23:55]<sara>from a different port
[23:55]<sara>or something like that
[23:56]<mrrynfmr>oh. Then you want to use REDIRECT in nat PREROUTING
[23:56]<mrrynfmr>-p tcp --dport 25 -j REDIRECT --to-port 123
[23:57]<sara>iptables -t nat -I PREROUTING -p tcp --dport 25 -j REDIRECT --to-port 123