Log from #iptables at freenode 2006-07-13
[00:47]<snvv>finally got a solution
[00:49]<vyrn-vnzsr>sett: and that is?
[00:50]<snvv>$IPTABLES -t nat -A PREROUTING -d 10.18.1.161 -p tcp --dport 8000 -j DNAT --to-destination 192.168.1.102:8000
[00:50]<snvv>$IPTABLES -A FORWARD -p tcp -i eth1 -d 10.18.1.161 --dport 8000 -j ACCEPT
[00:50]<wyrdyrr>anyone here familiar with tc?
[00:50]<bfyssnwq>xinming: many people dislike generic ''anyone'' questions...
[00:52]<wyrdyrr>Blissex2: hm, sorry, I just wonder, it seems that tc can only control the egress traffic, not the ingress traffic. So I wonder, how can the ingress traffic be controlled?
[00:52]<bfyssnwq>xinming: there are lots of discussions of this online.. But the basic reason is that Netfilter is not telekinetic :-)
[00:53]<bfyssnwq>xinming: a PC can control the speed at which it sends packets, but it cannot control the speed at which another computer sends packets.
[00:54]<bfyssnwq>xinming: except indirectly, and that sometimes works a bit. Thus there is an ingress shaping discipline, but it is very crude.
[00:56]<wyrdyrr>Blissex2: hmm, but the problem begins... If I have an ADSL, there are 2+1 computers in the LAN, and I want to divide my download speed into max/2, and also do this to the upload speed.
[00:56]<bfyssnwq>xinming: fat chance for the download speed.
[00:57]<wyrdyrr>If I can only control the upload speed, if someone is downloading some big file at maximum speed, other people in the LAN will also be unable to access the internet...
[00:58]<wyrdyrr>Blissex2: what does fat chance mean please?
[00:58]<bfyssnwq>xinming: it means ''extremely unlikely''
[00:59]<bfyssnwq>xinming: but you can do _something_. It may even work.
[00:59]<bfyssnwq>xinming: what ingress does is not shaping, but policing. Policing works by deleting packets.
[00:59]<wyrdyrr>Blissex2: hmm, but some software can control the speed... the explicit example is amule... :-)
[01:00]<bfyssnwq>xinming: so you continue to receive 100kb/s say, but only 50kb/s actually reach the target PC. eventually the IP stack on the target PC thinks there is congestion and throttles. But this does not work well if you have lots of connections.
[01:00]<wyrdyrr>Blissex2: hmm, I know, since iptables can drop packets... can iptables control this?
[01:01]<bfyssnwq>xinming: sure, those download programs control download speed, because they can tell the server how fast to send stuff. Because they request one block at a time.
[01:02]<bfyssnwq>xinming: I have written a very nice, well commented, fully documented alternative to WonderShaper, where comments in the source explain quite a lot of what happens. http://WWW.sabi.co.UK/#sourcesSabishape you can have a look at the ingress section at the bottom.
[01:02]<wyrdyrr>Blissex2: thanks, I'll read it now.
[01:04]<wyrdyrr>Blissex2: Is that your home?
[01:05]<bfyssnwq>sort of...
[01:05]<wyrdyrr>Blissex2++ It's useful. :-)
[01:06]<rwjfw>hey guys. i recently changed my ISP and went from having a static IP to a dynamic one. since then, i've been getting a ton of identical messages in my iptables log file. i was wondering if anyone could help me understand what these entries mean and what i should do about them?
[01:07]<rwjfw>i can paste the entry here or on the net if someone can help me
[01:07]<bfyssnwq>axolx: if it is 3-4 lines OK here.
[01:07]<rwjfw>IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:12:80:d8:54:08:00 SRC=73.90.62.1 DST=255.255.255.255 LEN=378 TOS=0x00 PREC=0x00 TTL=255 ID=20446 PROTO=UDP SPT=67 DPT=68 LEN=358
[01:07]<rwjfw>that's what gets logged. i get one of those every 5 seconds, if not more often
[01:08]<wyrdyrr>Blissex2: do you use ext3?
[01:08]<rwjfw>the SRC ip is from my ISP
[01:10]<bfyssnwq>axolx: that is fine. Port 67/68 is DHCP.
[01:10]<bfyssnwq>xinming: I use 'ext3' only under MS Windows. For Linux I use JFS.
[01:10]<rwjfw>Blissex2: yeah. but what are all those hits? and why am i getting so many?
[01:10]<wyrdyrr>Blissex2: thanks, I use xfs :-)
[01:10]<bfyssnwq>axolx: because it is a broadcast, and DHCP clients and servers broadcast their packets.
[01:11]<rwjfw>but if i see them in my log, doesn't that mean that i'm blocking those packets?
[01:12]<bfyssnwq>axolx: probably, depends on which firewall script you got and how it is configured.
[01:12]<rwjfw>i'm pretty sure i'm not allowing any packets through the DHCP ports. should i open those ports given that my IP is dynamically assigned?
[01:15]<bfyssnwq>axolx: well, ''dynamically assigned'' means ''supplied by DHCP'' usually (except for PPP).
[01:29]<wyrdyrr>Blissex2: for ingress qdisc, what will happen if there are too many connections?
[01:30]<bfyssnwq>xinming: does not matter unless you hit kernel limits. It ignores connections, it just looks at interfaces and packet rates.
[01:31]<wyrdyrr>how much is the limit normally?
[01:33]<wyrdyrr>Blissex2: from your words, does that mean that with the ingress qdisc it will be passed to the kernel, but without the ingress qdisc it will be sent directly to the program...
[01:33]<bfyssnwq>xinming: no....
[01:34]<bfyssnwq>xinming: there is a very nice explanation here: http://lartc.org/howto/lartc.qdisc.terminology.html
[03:39]<mmajgym>How do I forward traffic on port 443 to an adjacent IP
[03:39]<mmajgym>iptables -t nat -A POSTROUTING -p tcp --dport 443 -j DNAT --to 192.168.116.63:443
[03:39]<mmajgym>doesn't seem to work (i did SNAT not DNAT)
[03:45]<zj2wow0>myconid: you need a rule to allow that traffic through the FORWARD chain now
[03:46]<mmajgym>I have forward as allow
[03:46]<mmajgym>iptables -A PREROUTING -t nat -j DNAT -p tcp --to-destination 192.168.116.63:443 --dport 443
[03:47]<mmajgym>that worked.
[03:47]<mmajgym>and it claims to pass traffic..
[03:47]<mmajgym>but it doesn't
[03:47]<mmajgym>well at least back to my browser
[03:50]<zj2wow0>HUH? Back to your browser?
[03:50]<mmajgym>I'm trying to forward port 443.. I'm testing it with a browser.. that doesn't make sense?
[03:51]<zj2wow0>Is there an https server running on 192.168.116.63?
[03:51]<mmajgym>that's the idea
[03:51]<zj2wow0>and are you testing it from within the same network?
[03:51]<mmajgym>nope.. externally
[03:52]<zj2wow0>Okay, that's good - otherwise I was going to refer you to second /topic url :)
[03:52]<mmajgym>:)
[03:52]<zj2wow0>Did you add the forward rule?
[03:52]<mmajgym>I added:
[03:52]<mmajgym>iptables -A FORWARD -p tcp -i eth0 -o eth0 -s 192.168.116.63 --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[03:52]<mmajgym>iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 192.168.116.63 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[03:52]<mmajgym>but iptables says they aren't passing any bits
[03:53]<mmajgym>(iptables -L -v
[03:53]<mmajgym>)
[03:53]<zj2wow0>One of those interfaces won't be eth0
[03:54]<mmajgym>that's all the interfaces I have
[03:55]<mmajgym>this machine is 192.168.116.10
[03:59]<zj2wow0>Okay, if I understand correctly, you're going to need to SNAT traffic coming back from .63 through that box to .10
[03:59]<zj2wow0>(that's assuming all port 443 traffic is aimed directly at you, none goes directly to .63 without your DNAT'ing it)
[04:00]<mmajgym>the idea is my pix forwards ports 443 to .10
[04:00]<mmajgym>and I want to forward .10 to .63
[04:00]<zj2wow0>Wouldn't it be easier to reconfigure the PIX?
[04:00]<mmajgym>you'd like to think that
[04:01]<mmajgym>just take my word on the fact I can't
[04:01]<zj2wow0>hehe
[04:01]<zj2wow0>Okay, in this setup, yes, you'll need to DNAT first and then SNAT the return traffic. Think like a packet for a moment:
[04:01]<mmajgym>either i suck at pix, or you can only forward to a single destination per external IP on a pix
[04:02]<mmajgym>I'm sure both
[04:03]<zj2wow0>10.10.10.15 requests port 443 at 192.168.116.10, which then sends it to 192.168.116.63; Then .63 responds to 10.10.10.15, but when 10.10.10.15 receives the packet, it discards it because it was expecting a reply from 192.168.116.10, not .63
[04:04]<mmajgym>yea
[04:04]<zj2wow0>Your PIX plays an intermediate role in there, probably doing DNAT/SNAT too, but that's irrelevant here
[04:06]<sara>i have a program that's not doing what it should be doing.
[04:06]<mmajgym>I need to route my vehicle to the store to get ice cream for the woman before she loses her packets...
[04:06]<sara>i set an output IP for the exit
[04:06]<sara>but it's still not playing ball
[04:06]<mmajgym>robw810: what do i type into ipt to make it go :)
[04:06]<zj2wow0>skac: shut up