Log from #iptables at freenode 2006-07-12
[01:42]<czrrr>If I use iptables entries like this: iptables -A INPUT -j ACCEPT -p tcp --destination-port 22, can I go wrong? are there any extra options I need, or will that be good enough for allowing ports then denying all afterwards like so: iptables -A INPUT -j DROP -p tcp?
[01:42]<czrrr>I allowed ESTABLISHED and RELATED as well
[01:50]<zjdsvnz>drop all first then allow what you need
[01:51]<zjdsvnz>how do I get files in userspace/extensions/ to be included? I tried make experimental but no luck
[01:51]<zjdsvnz>it's not using patch-o-matic
[01:53]<czrrr>Romster: Er, doesn't that cause *everything* to be dropped?
[01:53]<czrrr>Romster: The rules are applied in order, n'est pas?
[01:55]<zjdsvnz>if you drop first it rejects all packets then you allow some afterwards
[01:55]<zjdsvnz>unless you want to go the unorthodox method of allowing all then dropping others.
[01:57]<czrrr>Hmm, I'll have to look into it. Thanks dude!
[05:23]<dygnzrfn>how can I filter out icmp traffic quickly? I've never used iptables
[05:27]<mrrynfmr>iptables -I INPUT -p icmp -j DROP
[14:51]<2rfju>hi
[14:51]<fzjfjrya>Could someone help me figure out the right nat rules for the following situation ?
[14:52]<fzjfjrya>I have an AP which laptops connect to, it issues out ips via dhcp 192.168.0.15 to 192.168.0.254 (/24) and gives a default gateway of 192.168.0.14 (the ap)
[14:53]<fzjfjrya>the default gateway of the ap is 192.168.0.1 (my linux router) plugged in via its bridged interface
[14:53]<fzjfjrya>I need wifi clients on the 192/24 subnet to be able to access stuff on the 10/28 subnet (local machines on a switch, of which the linux router is connected to 10.0.0.1)
[14:54]<fzjfjrya>so far the wifi clients can ping stuff on the 10/28 range, but can't create a tcp session
[16:09]<ugvyvfnm>hi
[16:09]<ugvyvfnm>what does "-s 0/0" mean in iptables rules?
[16:12]<oz2rg>it means the rule matches any source ip address
[16:12]<ugvyvfnm>ok, got it
[16:17]<2rfju>I don't understand why this is used so often... you can leave it out
[16:27]<ugvyvfnm>why?
[16:29]<oz2rg>because without the rule, it doesn't even attempt to match the source ip address, with the rule it just attempts to match the source ip to something that any ip address would match
[16:30]<vyrn-vnzsr>in other words, unnecessary overhead...
[16:33]<ugvyvfnm>i see
[17:54]<mnvyf2funs>hi I'm stuck with a problem: I have 2 internet connections, and I want to redirect traffic based on destination ports to another interface, using mangle options, but it doesn't work. can anybody help?
[18:05]<vyrn-vnzsr>devilblues: another interface, in the same machine?
[18:06]<mnvyf2funs>yes
[18:06]<mnvyf2funs>i have 3 nics
[18:06]<vyrn-vnzsr>third nic is LAN
[18:06]<mnvyf2funs>yes
[18:06]<mnvyf2funs>one for lan
[18:06]<vyrn-vnzsr>are you using NAT?
[18:07]<mnvyf2funs>yes
[18:08]<vyrn-vnzsr>so you want to route incoming packets to a NATed boxen on the LAN based on destination port
[18:08]<vyrn-vnzsr>maxine: forward port
[18:08]<drwygn>forward port is iptables -t nat -A PREROUTING -i $inetInterface -p tcp --dport $port -j DNAT --to-destination $destip; see http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
[18:09]<mnvyf2funs>no, I want to load balance the outgoing traffic. I want to send one port (1194) to a interface and another (1195) to another interface
[18:12]<mnvyf2funs>it works well with the machines that are inside my lan, with -A prerouting
[18:12]<mnvyf2funs>but it doesn't work on the router, with -A OUTPUT
[18:13]<mnvyf2funs>see?
[18:42]<mnvyf2funs>any help?
[18:51]<vyrn-vnzsr>devilblues: hmm, look into advanced routing with ip/iproute2
[18:52]<vyrn-vnzsr>I have a link here somewhere..gemme a few to find it
[18:54]<drvvx_>lartc.org ?
[18:57]<vyrn-vnzsr>sysadmin iirc
[19:00]<vyrn-vnzsr>found it, it's not what I was thinking though, it's more fault-tolerance related than outbound traffic load balancing, but it may be of some use...http://www.samag.com/documents/s=9384/sam0201h/
[19:03]<vyrn-vnzsr>actually, fta..."To load balance outbound network connections from the internal network, the CONFIG_IP_ROUTE_MULTIPATH kernel option is used, which allows you to have multiple default gateways. It is set up by removing the default gateway from the /etc/sysconfig/network file and setting up the default gateway using advanced routing features"
[19:04]<drvvx_>I also think of the ROUTE target for bypassing the routing table
[19:11]<bfzsvuz>whats the difference between NAT and DNAT?
[19:12]<sgnzcm_bzsvzzm>NAT is network address translation
[19:12]<sgnzcm_bzsvzzm>DNAT and SNAT are destination and source NAT
[19:13]<bfzsvuz>i thought network address translation meant to manipulate the source & dest addr to forward packets transparently
[19:18]<vyrn-vnzsr>DNAT is a target of NAT which gives you a finer granularity of packet routing to NAT'ed hosts
[19:21]<vyrn-vnzsr>Blastur: and yes you're correct, but it can only do this for established/related connections it knows about.
[19:28]<bfzsvuz>okay, so basically DNAT is a subset of NAT functionality
[19:29]<vyrn-vnzsr>exactly, more specifically a target of....
[19:29]<bfzsvuz>anyway, the question I was gonna ask is, how would I go about it if I want to route all traffic coming from a host B to host C, if host B and C are on the same interface? can this be done using iptables alone?
[19:30]<vyrn-vnzsr>so you're using an aliased interface for either B or C?
[19:30]<bfzsvuz>i have this problem, my VoIP box is downloading stuff from an update site, and I want to listen to that traffic, so I need to re-route traffic through a box that can capture network traffic (my current router is a simple home-office router, it has no capturing capabilities)
[19:31]<bfzsvuz>so I thought, instead of doing VoIP -> Internet GW -> Internet, I'd do VoIP -> Capture Box -> Internet GW -> Internet
[19:31]<bfzsvuz>and Capture Box runs iptables
[19:31]<bfzsvuz>though Capture Box only has 1 NIC
[19:34]<mnvyf2funs>vice-versa: doesn't work, running tcpdump i have bad checksums, what does this mean
[19:35]<vyrn-vnzsr>devilblues: huh, what doesn't work?
[19:36]<mnvyf2funs>vice-versa: when i mark the packet to go another interface, it gets rejected somehow leaving my router, with bad chksums
[19:36]<vyrn-vnzsr>Blastur: why not just replace your soho router with the linux (capture box)?
[19:37]<mnvyf2funs>i have multiple internet connections, remember
[19:38]<vyrn-vnzsr>devilblues: yes, yes, but I've no idea what you implemented since that fact was established
[19:38]<bfzsvuz>well, the capture box is my workstation, and others rely on this connection as well so it wouldn't be fair replacing the connection with my computer (not being online 24/7) :)
[19:38]<vyrn-vnzsr>ic
[19:38]<bfzsvuz>i guess i could put in another NIC in the capture box
[19:38]<bfzsvuz>that would make it a lot easier i guess
[19:39]<bfzsvuz>but it's not impossible to do routing on the same NIC, is it?
[19:39]<vyrn-vnzsr>yup, my next suggestion as iptables does not know how to work with aliased interfaces
[19:39]<bfzsvuz>i can't figure out a logical reason to why it should be impossible
[19:39]<bfzsvuz>okay
[19:39]<bfzsvuz>i'll just do that then
[19:39]<bfzsvuz>*where is that damn screwdriver*
[19:40]<mnvyf2funs>vice-versa: ok from the beginning :)