Log from #iptables at freenode 2006-07-11
[02:09]<fg-fgduzygg>hi there. i'm trying to set up a wireless router running iptables to allow wireless clients to access only one machine that hosts a website, and nothing else on the same subnet. altogether i'd like to still be able to ssh into that router, still from the same subnet. i'm trying to do something with the FORWARD chain, but i can't get it to work.
[02:09]<fg-fgduzygg>what i have understood is that the FORWARD chain affects packets going through the router used as a gateway (=> wireless client to web server in my setup). On the other hand, the packets directly addressed to or originating from the router (as for an ssh session?) should be unaffected.
[02:09]<fg-fgduzygg>can someone tell if this interpretation of iptables is right?
[02:16]<fg-fgduzygg>hmm... ok there's something dumb in my question, and the router is not working as a gateway across the same subnet... i'm gonna isolate the clients on a different subnet, nevermind.
[03:29]<czrrr>If i want to use iptables to block everything apart from SSH access, how do i recognise the client side of the connection? it uses a random port, doesn't it?
[03:30]<mrrynfmr>maxine: state rule
[03:30]<drwygn>hmmm... state rule is iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; do the same for FORWARD and OUTPUT if you plan to filter those; also see <invalid state>
[03:30]<mrrynfmr>that will recognise them
[03:34]<czrrr>Awesome, thanks
[03:34]<czrrr>I'm new to all this
[03:58]<czrrr>When you use --state ESTABLISHED,RELATED does that refer to anything related to the ports you have already allowed, or do you need to specify?
[04:01]<mrrynfmr>related is for things like FTP Data connections, or IRC DCC
[04:45]<gymee0z>what is it that makes my tables get filled when using bittorrent clients?
[04:45]<mrrynfmr>conntrack tables?
[04:46]<mrrynfmr>probably the immense number of connections bittorrent uses?
[04:46]<gymee0z>aha
[04:46]<mrrynfmr>especially if you use Azureus's UDP thing
[04:46]<gymee0z>so there's nothing to do?
[04:47]<mrrynfmr>increase /proc/sys/net/netfilter/ip_conntrack_max
[04:47]<mrrynfmr>or get more RAM, so the default is higher ;)
[04:49]<gymee0z>aha!
[12:10]<dndya>anybody know why when i set default policy to drop on the forward rule and after that open some ports on the forward chain with -s ip and -d ip i still can't connect?
[12:11]<dndya>something like iptables -P FORWARD DROP
[12:11]<dndya>; iptables -A FORWARD -s xxx.xxx.xxx.xxx -d xxx.xxx.xxx.xxx -p tcp --dport 1352 -j ACCEPT
[12:12]<dndya>after that i cannot connect from -s to -d
[12:13]<dndya>any ideas?
[13:04]<vyrn-vnzsr>memic: are you trying to do port forwarding?
[13:27]<dndya>vice-versa no
[13:27]<dndya>its routing
[13:27]<dndya>but i got it
[13:27]<dndya>forgot RELATED,ESTABLISHED
[13:27]<dndya>%(
[13:27]<vyrn-vnzsr>aye
[17:58]<czrrr>My IPtables won't accept the --state arg, do I need to compile it myself or something?
[17:58]<czrrr>This is on CentOS 4.3
[18:01]<duz2>krang: do you have -m state first in the command line?
[18:01]<duz2>i mean in front of the --state
[18:02]<czrrr>Ah, no I don't. That'll be it then
[18:02]<czrrr>thanks!
[19:37]<ucrse>hi
[19:38]<ucrse>i have problem with connlimit
[19:38]<ucrse>it is not working
[19:38]<ucrse>when i put this in my iptables $IPT -I FORWARD -s 192.168.1.2 -p tcp --syn -m connlimit --connlimit-above 10 -j DROP
[19:38]<ucrse>i have iptables: No chain/target/match by that name
[20:54]<byffyngdjjn>folks, does anyone here have experience doing link redundancy with iptables?
[21:09]<usg>hi folx
[22:25]<nxysv>hi. i have a linux gateway doing ipmasq. local network can go internet via gateway. i can connect gateway from outside. but gateway can't go internet itself.
[22:26]<nxysv>i think i did something wrong at rules.
[22:26]<nxysv>http://pastebin.ca/85204 this is my ruleset
[22:26]<nxysv>can u help me please
[22:32]<nxysv>nobody help me?
[22:41]<byffyngdjjn>eXiSt, can you ping from gateway to outside?
[22:42]<gymee0z>anyone have a clue why my basic iptables rules don't work in kernel >= 2.6.17
[22:44]<nxysv>BillieGDJoe no i can't
[22:44]<nxysv>BillieGDJoe thats the problem
[22:45]<nxysv>please help me
[22:45]<nxysv>i couldn't find the reason
[22:45]<nxysv>:(
[22:47]<nxysv>$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
[22:47]<nxysv>i added this rule but still i can't
[22:47]<nxysv>:)
[22:48]<nxysv>it can ping itself
[22:49]<byffyngdjjn>try iptables -A INPUT -i lo -j ACCEPT
[22:50]<nxysv>it is already there
[22:50]<nxysv>http://pastebin.ca/85204 this is my ruleset
[22:50]<nxysv>BillieGDJoe
[22:54]<nxysv>please help me:(
[22:56]<byffyngdjjn>eXiSt, without the rules, you can get out with the gateway ?
[22:57]<gymee0z>http://gidzz0r.se/brandvaegg
[22:57]<nxysv>i tried it but i couldn't
[22:57]<nxysv>it is strange
[22:57]<gymee0z>what's wrong with that script (only in kernel 2.6.17 or higher)
[22:59]<zjdsvnz>how do i get iptables to compile userspace modules? i've been googling and reading the manuals but no luck, iptables compiles but misses the userland stuff, and it is pointing to the right kernel source.
[23:03]<byffyngdjjn>eXiSt, if without the rules you still can't go out, then there's a problem with your network
[23:33]<czrrr>is there a way to get iptables to show which packets it has dropped?
[23:33]<byffyngdjjn>krang, -j LOG
[23:33]<czrrr>BillieGDJoe: thanks dude
[23:34]<byffyngdjjn>krang, before the DROP rule
[23:34]<byffyngdjjn>:)
[23:34]<czrrr>:-)
[23:35]<czrrr>BillieGDJoe: So i need to duplicate each drop rule with LOG instead of DROP, yes?
[23:36]<byffyngdjjn>krang, yes, you need to put a LOG rule exactly before the DROP rule ...