Log from #iptables at freenode 2006-07-09
[00:02]<luzu2zzvjz>hello, I've a computer with 2 ethernet cards with interfaces card0 -> eth0 (internet) & eth0:0 (intranet), card1 -> eth1 (intranet) - okay so now I would like to connect another computer to eth1, I would like to get it access to the internet and also to the intranet, but about the intranet I am not so sure how I should do it, or if it is even possible, as it seems I can't use the same subnet
[00:02]<slycn>so, I'm still at a loss understanding the difference between ASSURED and ESTABLISHED
[00:03]<mrrynfmr>ASSURED: packets have been seen from both directions
[00:04]<mrrynfmr>ESTABLISHED (kernel TCP code): TCP connection is in the "ESTABLISHED" state, as defined by the RFC
[00:04]<mrrynfmr>ESTABLISHED (--state match): same as ASSURED
[00:04]<slycn>oh, I c, ta
[00:08]<luzu2zzvjz>I was earlier trying to use this computer as a gateway by using just one ethernet card, but it turned out that iptables doesn't understand eth0:0 as a separate interface (someone explained the reason here)
[00:09]<mrrynfmr>eth0:0 doesn't really exist; iptables just checks the interface itself
[00:09]<luzu2zzvjz>yeah, it's some sort of alias or something
[00:10]<mrrynfmr>each card should have its own interface
[00:10]<mrrynfmr>forget that last statement - true, but worthless
[00:10]<drwygn>danieldg, I didn't have anything matching that last statement - true, but worthless
[00:11]<luzu2zzvjz>so, when I have 2 cards, the gateway stuff works
[00:11]<mrrynfmr>Lucubrator: it should work, you just can't use -i eth0 or -o eth0 anywhere
[00:12]<luzu2zzvjz>but the last thing is the intranet where this computer is connecting as eth0:0
[00:12]<mrrynfmr>I really dislike how ifconfig does multiple IPs...
[00:13]<sara>yeah me too
[00:13]<luzu2zzvjz>so when other pc connects to this pc's eth1, it connects through eth0 to internet, but is there a chance I could get it to connect to the intranet through eth0:0
[00:14]<sara>danieldg: thanks with the iptables example :)
[00:14]<luzu2zzvjz>that's the last thing I am trying to solve :/
[00:14]<mrrynfmr>Lucubrator: if you have two subnets for each side of the LAN, sure
[00:14]<mrrynfmr>(one subnet per side, that is)
[00:16]<luzu2zzvjz>yeah, it didn't even allow me to do it other way :)
[00:17]<luzu2zzvjz>I used 10.0.2.0 for eth1 and 10.0.1.0 for eth0:0
[00:17]<mrrynfmr>does eth0 also have the inet IP?
[00:18]<luzu2zzvjz>yeah, it has the external IP, which it is fetching from the DHCP server
[00:20]<mrrynfmr>well, if you have routes for all the IPs, and only MASQUERADE for connections going outside the network, it should work fine
[00:23]<luzu2zzvjz>I am not sure if the route stuff is configured in any other way than it is as default
[00:23]<mrrynfmr>it should be fine by default
[00:24]<luzu2zzvjz>so does this mean, that when I do a ping on machine 10.0.1.1 -> 10.0.2.1 it should work?
[00:24]<mrrynfmr>yes
[00:25]<luzu2zzvjz>and the only thing I have needed is the basic forwarding commands?
[00:25]<mrrynfmr>define what you used for those commands
[00:29]<luzu2zzvjz>I first used just FORWARD to and from a certain intranet IP, because it didn't allow me to use interfaces
[00:29]<luzu2zzvjz>but I thought that it isn't clever way to do it
[00:29]<mrrynfmr>why not?
[00:29]<luzu2zzvjz>dunno, it was just too easy :)
[00:30]<mrrynfmr>just make sure source and destination are both in 10.0.0.0/8, and it's local network traffic
[00:31]<luzu2zzvjz>but what about the traffic to and from the internet then? how do I configure it alongside those intranet forwards?
[00:31]<mrrynfmr>allow all traffic to the internet from LAN IPs, and allow ESTABLISHED back
[00:31]<mrrynfmr>(and RELATED)
[00:33]<luzu2zzvjz>iptables -A INPUT -d 10.0.2.1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT?
[00:34]<mrrynfmr>no
[00:34]<mrrynfmr>iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[00:34]<luzu2zzvjz>oops :/ sorry
[00:35]<luzu2zzvjz>is that working in both ways with that same line?
[00:35]<mrrynfmr>yes
[00:35]<tyajgmzyus>Hello, I'm back
[00:36]<tyajgmzyus>Any takers on my offer from last night?
[00:36]<mrrynfmr>then you need iptables -A FORWARD -s 10.0.0.0/8 -j ACCEPT
[00:36]<luzu2zzvjz>for the intranet yeah
[00:37]<luzu2zzvjz>I was just looking for the /n postfixes on Google :P
[00:37]<mrrynfmr>CIDR
[00:37]<tyajgmzyus>iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT is giving me an unknown error and a very long number...any ideas?
[00:37]<tyajgmzyus>OUTPUT does it too
[00:37]<mrrynfmr>Ticondrius: what kernel?
[00:38]<tyajgmzyus>2.6.14-hardened-r8 Gentoo
[00:38]<luzu2zzvjz>danieldg, thanks - now it gives me something which I was trying to find :)
[00:38]<tyajgmzyus>Iptables 1.3.5
[00:38]<mrrynfmr>is CONFIG_NETFILTER_XT_MATCH_STATE=m?
[00:38]<mrrynfmr>if not, you need to go enable it
[00:38]<tyajgmzyus>lemme check
[00:39]<tyajgmzyus>I've compiled just about everything for iptables right into the kernel itself
[00:39]<mrrynfmr>ok, then it'd be =y :)
[00:39]<tyajgmzyus>yup..I know
[00:39]<tyajgmzyus>Just an iptables noob. :P
[00:40]<tyajgmzyus>I'm just trying to get a good solid wall up on my webserver...nothing fancy like NAT
[00:40]<mrrynfmr>hmm.. wait... xtables was in 2.6.16, not 2.6.14
[00:40]<tyajgmzyus>yes
[00:40]<mrrynfmr>is there a CONFIG_IP_NF_MATCH_OWNER?
[00:41]<mrrynfmr>oops
[00:41]<luzu2zzvjz>danieldg: iptables -A FORWARD -s 10.0.1.0/24 -j ACCEPT;iptables -A FORWARD -s 10.0.2.0/24 -j ACCEPT ? or shall I dump them to same command?
[00:41]<mrrynfmr>CONFIG_IP_NF_MATCH_OWNER?
[00:41]<mrrynfmr>CONFIG_IP_NF_MATCH_STATE?
[00:41]<mrrynfmr>grr
[00:41]<tyajgmzyus>owner and state = y
[00:42]<mrrynfmr>Lucubrator: I'd put them in the same command, but really your choice
[00:42]<mrrynfmr>Ticondrius: any errors in dmesg?
[00:42]<tyajgmzyus>no
[00:43]<mrrynfmr>that "Unknown Error ###" means "Invalid Argument" - bug in iptables, been fixed in svn
[00:43]<tyajgmzyus>svn?
[00:43]<luzu2zzvjz>danieldg: does the same command mean that I do this -> iptables -A FORWARD -s 10.0.0.0/16?
[00:43]<mrrynfmr>subversion, the source control system that iptables uses
[00:43]<tyajgmzyus>oh...
[00:43]<mrrynfmr>Lucubrator: yes, that combines the other two rules
[00:44]<tyajgmzyus>lemme see if there's a fix in portage
[00:44]<mrrynfmr>Ticondrius: it's a simple patch, I can tell you the revision if you want
[00:44]<mrrynfmr>anyway, that error comes from the kernel
[00:44]<luzu2zzvjz>danieldg, and isn't it in any way more efficient to define just those 256-sized areas separately?
[00:44]<slycn>now, when I started to look into ASSURED/ESTABLISHED I was actually doing it because of the "pickup feature" and tcp-window-tracking-patch. I found a .ps about the latter but it's rather confusing... :/ . can anybody try to explain to me what pickup means and how it affects connection tracking? the issue was raised after a post by a guy saying that an ssh connection survived from his LAN to a server after powercycling his linux fw
[00:44]<tyajgmzyus>oh..so the kernel itself needs the patch
[00:45]<mrrynfmr>Lucubrator: no, it's more efficient to define it this way
[00:45]<mrrynfmr>Ticondrius: no, it's an iptables patch
[00:45]<slycn>and he had rules in the FORWARD chain to accept RELATED,ESTABLISHED
[00:45]<mrrynfmr>Ticondrius: iptables was overwriting errno by accident
[00:45]<tyajgmzyus>for the iptables ebuild?
[00:45]<luzu2zzvjz>danieldg, okay thanks for your patience :)