Log from #iptables at freenode 2006-07-10
[10:53]<rzrrygus>the client connects thru a router and then thru my firewall then onto the server
[10:53]<sgnzcm_bzsvzzm>an iptables firewall
[10:53]<sgnzcm_bzsvzzm>using linux ?
[10:54]<sgnzcm_bzsvzzm>are you using NAT ?
[10:54]<rzrrygus>iptables on redhat
[10:54]<rzrrygus>now the thing is...
[10:54]<rzrrygus>on the server side...the ip of the firewall is showing...and not his source ip
[10:54]<rzrrygus>should i be using NAT or not?
[10:57]<rzrrygus>cause currently im using DNAT and SNAT ( not sure why im using both ) i dont really understand the rule that is in to be honest
[10:58]<sgnzcm_bzsvzzm>Destination NAT ... Source NAT, AFAIK
[10:59]<sgnzcm_bzsvzzm>unfortunately for you, I only use GUI tools to configure NetFilter
[10:59]<rzrrygus>heh
[10:59]<sgnzcm_bzsvzzm>so we can hope that somebody in here will help you
[10:59]<drvvx>neither me
[10:59]<rzrrygus>ah ok
[11:00]<drvvx>^t
[11:00]<ajgm1zm>Arcainus: are your servers behind firewalls has private IP only?
[11:00]<ajgm1zm>DNAT is basically to translate the destination address and SNAT is the reverse of it
[11:00]<rzrrygus>jond3rd, client is external...other things are by me (fw and server)
[11:01]<drvvx>the man got nice sentences about that
[11:01]<ajgm1zm>Arcainus: that other things behind your firewall, do they have public IP ?
[11:01]<rzrrygus>its as if the firewall is translating the client ip to the firewall's ip
[11:01]<rzrrygus>jond3rd, yes
[11:01]<ajgm1zm>then why are you using DNAT ?
[11:02]<ajgm1zm>or SNAT ?
[11:02]<drwygn>well, SNAT is for changing the source IP (similar to MASQUERADE, and slightly faster) and used to create a NAT
[11:02]<rzrrygus>so i should take out the SNAT and DNAT
[11:02]<ajgm1zm>what made you decide to use NAT rules ?
[11:03]<rzrrygus>someone said that i should use them
[11:03]<rzrrygus>heh
[11:03]<rzrrygus>oh dear
[11:03]<rzrrygus>i think im going to kill someone for this
[11:03]<ajgm1zm>no, not yet, maybe he's right
[11:03]<ajgm1zm>but that depends on your setup
[11:03]<ajgm1zm>you should know why you need to DNAT and SNAT
[11:04]<ajgm1zm>basically they will translate IPs and ports
[11:04]<rzrrygus>client - router - router - fw - server
[11:05]<ajgm1zm>that's a classic/common setup
[11:05]<ajgm1zm>Arcainus: what services are you running on server?
[11:05]<rzrrygus>jond3rd, http
[11:06]<ajgm1zm>and server has public IP right?
[11:06]<rzrrygus>the client can connect and see the server
[11:06]<rzrrygus>yes, public ip
[11:06]<ajgm1zm>then you don't need to DNAT
[11:07]<ajgm1zm>a simple routing will do the trick and firewalls/iptables will just block/allow traffic going to http port
[11:07]<rzrrygus>ah ok
[11:10]<mygm2j2>Hey guys im new to iptables (come from pf background) I have to configure a 3 subnet network, where can i find examples on this and good tutorials?
[11:12]<rrffnn>http://iptables-tutorial.frozentux.net/iptables-tutorial.html
[11:13]<rrffnn>see topi
[11:13]<rrffnn>see topic
[11:13]<mygm2j2>im reading that
[11:13]<mygm2j2>suppose I will just play around and ask any specific questions.
[11:15]<rrffnn>good idea
[11:15]<rrffnn>you can also look at the "advanced linux routing and traffic control howto" @ lartc.org
[11:16]<rrffnn>if they arent down again
[11:25]<ajgm1zm>anyone here played with IPtables clusters ?
[14:56]<cjdndzsvnz_>hi all, how do i get the source port of a FORWARD rule ? i can see the destination with iptables -L but can't get source port, i use firestarter to setup my rules
[16:47]<mrrynfmr>Codemaster_: it's probably unspecified (as in, any); you can see the actual rule with iptables-save
[18:26]<cjdndzsvnz_>danieldg, thnxs, indeed iptables-save shows it.... i think I need to write my rules parser again lol
[19:20]<zj2wow0>'/c
[20:05]<sfrc->hi ;)
[20:05]<sfrc->need some help guys, cant access my firewall/vpn server 192.168.111.1 iface from my vpn client net 10.8.0.x
[20:06]<sfrc->see the packets get rejected as ALL_ELSE rule in messages
[20:06]<sfrc->i can access any machine behind the firewall however so its not a routing issue
[20:12]<sfracjgn>slak-, wanna create a vnet with me(pptp)
[20:12]<sfracjgn>:)
[22:09]<zzgyjgnzy>Hi there!
[22:10]<zzgyjgnzy>I've a problem I wish you help me with
[22:10]<zzgyjgnzy>I'm redirecting traffic from B to C
[22:11]<zzgyjgnzy>using DNAT
[22:11]<zzgyjgnzy>iptables -t nat -A PREROUTING -d destIP -p tcp -j DNAT --to-destination toIP
[22:11]<zzgyjgnzy>That's the rule on B box
[22:12]<zzgyjgnzy>and everything is great so far
[22:12]<zzgyjgnzy>but when I use the same rule on C box to redirect, It just doesn't work
[22:14]<zzgyjgnzy>Let me remake the state: I'm redirecting using alias IP traffic coming from A to B, to C, and coming from B to C, to an external source
[22:14]<zzgyjgnzy>so I DNAT twice
[22:15]<zzgyjgnzy>Anyone on that side? :-S
[22:17]<zzgyjgnzy> :-(
[22:20]<drvvx>you may have to SNAT on C the replies (from external) in order to have B recognize its sent packet coming back
[22:21]<drvvx>you can check that looking at the src/dst IP on each interfaces on C & B
[22:21]<drvvx>I mean sniffing
[22:25]<zzgyjgnzy>Uhm, I don't understand the SNAT part
[22:25]<zzgyjgnzy>The situation is this:
[22:26]<zzgyjgnzy>I have to reach a pc which is connected to C
[22:26]<zzgyjgnzy>I'm on A box
[22:26]<zzgyjgnzy>and I can reach C box DNAT'ing on B box to C
[22:26]<zzgyjgnzy>matth: is it ok so far?
[22:27]<drvvx>I think I get it from your first explanation
[22:27]<zzgyjgnzy>great, I'm not so clear most of the times, my head is a mess >.<
[22:28]<zzgyjgnzy>matth: So, could you explain me again the SNAT part ?