Log from #iptables at freenode 2006-07-12
[19:40]<mnvyf2funs>vice-versa: i have 3 nics, with 2 of them connected to internet connections
[19:41]<mnvyf2funs>I want to split outgoing traffic
[19:41]<mnvyf2funs>send port 1194 on eth1 and port 1195 on eth2
[19:42]<vyrn-vnzsr>yea I remember all this, but I don't know what you decided to try to accomplish your load balancing
[19:42]<mnvyf2funs>vice-versa: this is what i did
[19:43]<mnvyf2funs># iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 1
[19:43]<mnvyf2funs># ip rule add fwmark 1 table ligacao1
[19:43]<mnvyf2funs># ip route add default via 172.16.0.200 dev eth1 table ligacao1
[19:44]<mnvyf2funs>in fact, the traffic goes out by the correct interface, as I want to, but it gets lost on the way
[19:44]<mnvyf2funs>this I don't know why :-(
[19:45]<vyrn-vnzsr>did you look at the article I gave you the url for at all?
[19:45]<mnvyf2funs>yes
[19:45]<vyrn-vnzsr>ok
[19:46]<mnvyf2funs>do you have any hint? i'm stuck with this for 2 days :/
[19:48]<vyrn-vnzsr>nope, sorry...
[19:49]<vyrn-vnzsr>devilblues: are you just pulling this by the seat of your pants or are you actually following some article or howto on this?
[19:49]<vyrn-vnzsr>s/pulling/doing/
[19:51]<mnvyf2funs>I'm following it, the funny part is that it works fine with LAN machines that are behind the router, with the PREROUTING option
[19:51]<mnvyf2funs>but it doesn't work on the router itself
[19:51]<vyrn-vnzsr>got a link to what it is you're following?
[19:52]<mnvyf2funs>this problem is beyond the howto, i guess
[19:52]<vyrn-vnzsr>perhaps
[20:30]<bfzevuz>hmm, im trying to forward eth0:5000 to 192.168.1.1:80 on eth1, why is this not working? iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5000 -j DNAT --to 192.168.1.1:80
[20:41]<vyrn-vnzsr>Blaztur: cat /proc/sys/net/ipv4/ip_forward ?
[20:41]<drwygn>hmmm... cat /proc/sys/net/ipv4/ip_forward is that 1 or 0?
[20:42]<vyrn-vnzsr>lick me maxine
[21:44]<fnw>Here is a direct question: Are there still problems with combining MARK and SNAT in netfilter?
[21:44]<fnw>Can I set it up so I MARK by source and then I just NAT by mark?
[22:16]<snvv>could anyone help? I want to forward 10.18.1.161:8000 to 192.168.1.102:8000 how do I manage that with iptables?
[22:17]<fnw>iptables -t nat -A PREROUTING -s whatever -d 10.18.1.161 -p tcp --dport 8000 -j DNAT --to-destination 192.168.1.109:8000 I think
[22:18]<snvv>wow
[22:18]<fnw>Yeah... and I can't fix this shit...
[22:18]<fnw>>)
[22:19]<fnw>I want to know if i can do this: Three uplinks: use mangle to mark destinations corresponding to each uplink, use the nat table to SNAT each marked packet
[22:20]<fnw>Complexity in the NAT table would be minimal... just, if mark x SNAT to A, if mark y SNAT to b ... and such.
[22:20]<fnw>Is that possible?
[23:07]<snvv>lex it refuses to work: iptables -t nat -A PREROUTING -s 10.18.0.0/22 -d 10.18.1.161 -p tcp --dport 8000 -j DNAT --to-destination 192.168.1.109:8000
[23:14]<fnw>sett, still ... it's somewhere in the vicinity of that
[23:14]<snvv>strange it does not even add a rule
[23:15]<snvv>and does not give out an error
[23:15]<fnw>AH...
[23:15]<nnnnnn>I can't seem to find good information on what I'm trying to do: set up a dedicated firewall box w/ iptables that does NOT do 1:1 NAT
[23:15]<fnw>Well then it did work... youre just missing something
[23:15]<nnnnnn>the public IP's must be assigned to the servers that sit behind the firewall
[23:15]<fnw>ee99ee, I've no idea what 1:1 NAT means
[23:15]<nnnnnn>1-to-1 NAT.... static NAT mapping
[23:15]<nnnnnn>public.ip -> private.ip using DNAT
[23:16]<fnw>Heh... I didn't know there were alternatives to that... I wonder what "dynamic" NAT would mean
[23:16]<nnnnnn>lol
[23:17]<fnw>You want the servers inside to keep their external addresses?
[23:17]<nnnnnn>yes
[23:17]<fnw>Ah... wouldn't that work with an ipip tunnel?
[23:17]<nnnnnn>what is that
[23:17]<drwygn>that is correct
[23:17]<nnnnnn>(googles...)
[23:17]<fnw>Check the LARTC
[23:18]<nnnnnn>okay... will that still allow me to do filtering based on iptables rules?
[23:18]<fnw>ee99ee, another way ALSO... make an ethernet bridge... perhaps this is the simplest way
[23:19]<nnnnnn>well yeah... but I'm not able to do layer-3 filtering then, am I?
[23:19]<fnw>I think you are
[23:19]<fnw>Aren't you?
[23:19]<fnw>Anyhow... here I am answering... who answers me?
[23:20]<nnnnnn>haha
[23:20]<fnw>maxine, do you know if there is any problem in using MANGLE with MARK and then NATing based on mark?
[23:20]<drwygn>lex: wish i knew
[23:20]<fnw>Gadr
[23:21]<fnw>MANGLE?
[23:21]<fnw>Buuu
[23:21]<fnw>:(
[23:22]<nnnnnn>so when you guys setup dedicated firewalls for placing in front of servers that provide services to the world.... you just use 1-to-1 NAT in doing so?
[23:29]<fnw>ee99ee, yeah... it's simple... I'm not sure it would be too useful to do it any other way... you do it exactly the same with PIX firewalls as far as I know
[23:29]<fnw>Or at least on deployments where I've been
[23:29]<fnw>ee99ee, I mean... the only argument against NATing the DMZ would be the DNS?
[23:30]<fnw>So if anyone knows if there is any problem in using MANGLE with MARK and then NATing based on mark, please tell me so.
[23:30]<nnnnnn>yes... well, the problem is these are cPanel servers
[23:30]<nnnnnn>so if you add a local address to a cPanel server, it adds that IP to the DNS zone when it creates/edits it
[23:30]<nnnnnn>if you add the public IP, it will be a) unroutable b) won't add the right entries in httpd.conf
[23:30]<fnw>AH... I'd go for the ethernet bridge
[23:31]<fnw>All modern distros have it by default (RHEL, you'd have to get it from RHN)
[23:31]<fnw>I've used it and it's pretty cool
[23:31]<nnnnnn>I can actually do it with a PIX... PIX has a neat little thing that lets you "alias" an internal to an external... it actually changes the DNS response... so the server will respond with its private IP, and the PIX will rewrite the DNS response before it sends it out w/ the public IP
[23:32]<fnw>ee99ee, What does the cpanel people do?
[23:32]<nnnnnn>huh
[23:50]<snvv>lex, what could be the reason for iptables executing without errors and still no rule being added when I run iptables -L