Log from #iptables at freenode 2006-07-09
[01:32]<mrrynfmr>make sure you didn't have a typo
[01:33]<tyajgmzyus>k...-L works
[01:34]<tyajgmzyus>no typos
[01:34]<tyajgmzyus>still won't work
[01:34]<tyajgmzyus>No chain/target/match by that name.
[01:34]<mrrynfmr>what rule gives you that?
[01:34]<tyajgmzyus>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[01:36]<tyajgmzyus>hmm...
[01:36]<tyajgmzyus>only rules with -m state set this off
[01:37]<mrrynfmr>does /proc/net/ip_conntrack exist?
[01:37]<tyajgmzyus>no
[01:37]<mrrynfmr>oh!
[01:37]<tyajgmzyus>./proc/net/netfilter does
[01:37]<tyajgmzyus>naa..not it
[01:38]<tyajgmzyus>So how do I get that into the kernel?
[01:38]<mrrynfmr>just making sure - there's not a /proc/net/nf_conntrack
[01:38]<tyajgmzyus>nothing about conntrack
[01:38]<mrrynfmr>the ip_conntrack module provides that file
[01:39]<mrrynfmr>I would say it's not in the kernel, but you said CONFIG_IP_NF_CONNTRACK=y
[01:39]<tyajgmzyus>ok..need to find that then
[01:39]<tyajgmzyus>yeah
[01:39]<mrrynfmr>only thing I can think of is a weird bug which requires it to be a module
[01:40]<mrrynfmr>but that's not likely, and it would probably be fixed by now
[01:40]<tyajgmzyus>it's definitely =y
[01:40]<tyajgmzyus>O.M.G.
[01:40]<tyajgmzyus>LOL
[01:41]<mrrynfmr>looking at the wrong .config?
[01:41]<tyajgmzyus>no
[01:41]<mrrynfmr>what happened then?
[01:41]<tyajgmzyus>When I last compiled my kernel, I copied the kernel and System.map into the boot dir without first mounting the boot partition
[01:42]<tyajgmzyus>mounting
[01:43]<tyajgmzyus>rebooting box
[01:44]<tyajgmzyus>lessee if that fixes it
[01:45]<tyajgmzyus>it did indeed. :D
[01:45]<tyajgmzyus>lol
[01:45]<tyajgmzyus>I have an ip_conntrack in proc
[01:46]<tyajgmzyus>and my rule finally took
[01:46]<tyajgmzyus>Thanks a million daniel
[01:46]<mrrynfmr>you're welcome :)
[01:47]<tyajgmzyus>Yeah..the box was still booting on the old kernel that was still on the boot partition
[01:47]<tyajgmzyus>gah
[01:47]<tyajgmzyus>lol
[01:48]<tyajgmzyus>What's weird is that if I mounted the boot partition, it STILL said that the kernel files were the latest ones I'd compiled..
[01:48]<tyajgmzyus>mounting and recopying fixed it
[01:55]<tyajgmzyus>my firewall works. :D
[01:56]<tyajgmzyus>deny all, accept established related, and allow on http, https, mysql and ssh
[06:17]<zrgan>I installed arnos-firewall script today on a new gentoo install and I got nothing but error messages from iptables. The error message was "iptables: Unknown error 4294967295" Google seems to tell me that this is a generic "fallback" message that could be any number of things, so how do I troubleshoot it?
[06:20]<mrrynfmr>find what rule triggers it
[06:21]<mrrynfmr>btw, that error message has been fixed in development versions of iptables
[06:22]<zrgan>well the problem seems to be that EVERY rule triggers it
[06:22]<mrrynfmr>ok, give me one rule that triggers it
[06:22]<zrgan>brb, I'll have to find it again
[06:29]<zrgan>$IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH \
[06:29]<zrgan> -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth Scan :"
[06:30]<zrgan>the variable names in the rule are supplied by the script
[06:30]<mrrynfmr>try splitting that rule up, see which part gives you the error
[06:32]<mrrynfmr>try iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5
[06:35]<zrgan>it seems it's the logging part of the rule that doesn't work
[06:36]<zrgan>if I go through my configuration and disable logging, then the firewall itself seems to work ok
[06:36]<zrgan>I've got it down to only two of those errors now, just with that minor change
[06:36]<mrrynfmr>I was just asking for a simple test
[06:36]<mrrynfmr>run iptables -A INPUT -j LOG
[06:37]<mrrynfmr>does that work?
[06:37]<zrgan>no, that doesnt work
[06:37]<mrrynfmr>OK. Then the problem is with the LOG target
[06:37]<mrrynfmr>do you have an ipt_LOG module?
[06:38]<zrgan>no, I don't, I just tried to modprobe it and it failed
[06:38]<zrgan>I bet if I fix that then that will fix the logging issue
[06:38]<mrrynfmr>yep
[06:39]<mrrynfmr>I'd just compile *everything* in the iptables section as a module
[06:39]<zrgan>ok, thanks for the help, I've used this firewall script before and it worked great
[06:39]<zrgan>will do, thanks again
[06:40]<zrgan>and you said the error messages are more meaningful in the devel version?
[06:40]<mrrynfmr>yes. Do you want the patch that fixes it?
[06:41]<mrrynfmr>very simple mistake - overwriting errno
[06:42]<zrgan>is the patch posted on a web site?
[06:42]<mrrynfmr>svn diff -r 6587:6588 https://svn.netfilter.org/netfilter/trunk/iptables
[06:43]<zrgan>thanks again
[06:43]<zrgan>thanks even
[07:40]<wgyw>can anyone tell me the best way to forward all icmp traffic from one machine to another machine behind it
[07:41]<wgyw>iptables -A forwarding_rule -i $WAN -p icmp -d $PC -j ACCEPT
[07:41]<mrrynfmr>that will just allow the traffic to be forwarded
[07:41]<wgyw>i was trying this, $WAN is the outside interface while $PC is the destination
[07:41]<wgyw>hmmmm
[07:41]<mrrynfmr>it won't forward it for you
[07:41]<wgyw>ahh
[07:41]<mrrynfmr>you want to add a DNAT rule
[07:42]<wgyw>iptables -t nat -A prerouting_rule -i $WAN -p icmp -j DNAT --to $PC
[07:42]<wgyw>?
[07:42]<mrrynfmr>yes
[07:42]<wgyw>hmm those should do it then?
[07:42]<mrrynfmr>I think so
[07:43]<wgyw>hmm ok thanks danieldg
[10:25]<adnyn>how do I block the IP of users who try to connect to my box via ssh?