Log from #iptables at freenode 2006-07-13
[19:58]<rsr2yf>that's the other way
[19:58]<rsr2yf>i don't want to expose services
[19:59]<vzrllysv>iptables -t nat -A PREROUTING -i <device> -j DNAT --to-destination <ip>
[19:59]<vzrllysv>will redirect all traffic
[19:59]<rsr2yf>i want to share network
[19:59]<vzrllysv>oh
[19:59]<rsr2yf>not redirect everything to the natted network
[20:00]<rsr2yf>i am natting cipsec0
[20:00]<rsr2yf>which is the interface created when i login using vpn
[20:00]<vzrllysv>iptables -t nat -A POSTROUTING -o <device> -s <local netmask> -j MASQUERADE
[20:00]<rsr2yf>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
[20:01]<rsr2yf>actually i get connected
[20:01]<rsr2yf>and everything should work
[20:01]<rsr2yf>but i cannot visit sites beside google
[20:01]<vzrllysv>probably you need to set up dns
[20:01]<rsr2yf>i did
[20:01]<rsr2yf>host <anything>
[20:02]<vzrllysv>if you, say, ping yahoo.com, what do you get
[20:02]<rsr2yf>works perfectly
[20:02]<rsr2yf>working
[20:02]<rsr2yf>ping yahoo works
[20:02]<drwygn>I can't find yahoo in the DNS.
[20:02]<vzrllysv>what exactly happens if you try to visit yahoo.com
[20:03]<rsr2yf>loading for ever
[20:03]<rsr2yf>ali.com works too :D
[20:03]<[lyguw]>hello i have this error when starting iptables:
[20:03]<[lyguw]> * Loading iptables state and starting firewall ...
[20:03]<[lyguw]>iptables-restore v1.3.5: iptables-restore: unable to initialize table 'filter'
[20:03]<[lyguw]>Error occurred at line: 2
[20:03]<[lyguw]>Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[20:03]<[lyguw]>how can this be resolved?
[20:04]<vzrllysv>[Linux]: sounds like you need a kernel with iptables support (or more of it)
[20:04]<[lyguw]>but my kernel is ok
[20:04]<[lyguw]>i check it and my kernel has iptables support
[20:04]<rsr2yf>any idea ?
[20:05]<vzrllysv>asabil: have you flushed existing rules (maybe from previous attempts) and reloaded with known-good rules?
[20:05]<vzzvym>ipcop 1.4.10 has the following line in rc.firewall
[20:05]<vzrllysv>asabil: is there a proxy involved?
[20:05]<vzzvym> /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN
[20:05]<[lyguw]>trappist, in my kernel everything is enabled.
[20:05]<rsr2yf>trappist, the script flushes rules first
[20:06]<rsr2yf>no there is no proxy
[20:06]<rsr2yf>just cisco vpn client
[20:06]<vzzvym>I am tempted to comment it out to avoid a problem with Windows boxes connecting to an internal server
[20:06]<vzrllysv>[Linux]: then possibly you need to rebuild iptables against the source of the running kernel
[20:06]<vzzvym>is that rational?
[20:06]<sara>asabil: ah thank you =]
[20:06]<[lyguw]>ok
[20:07]<vzrllysv>tarvid: that rule will only block invalid traffic. all new tcp connections should start with SYN packets.
[20:09]<vzzvym>trappist, you are correct but I have old win98 boxes which are generating these in an attempt to connect with an internal server
[20:10]<vzrllysv>tarvid: on what port?
[20:11]<vzzvym>5025
[20:11]<vzzvym>a custom app
[20:11]<vzzvym>that's the destination port anyway
[20:13]<vzzvym>Jul 13 11:47:02 webb-router kernel: NEW not SYN? IN=eth0 OUT=eth0 SRC=192.168.0.49 DST=192.168.7.3 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=5025 DPT=2823 WINDOW=5840 RES=0x00 ACK SYN URGP=0
[20:13]<vzzvym>the other way around actually
[20:15]<vzrllysv>in that case I guess either comment the rule or make an exception for your custom app. as an interim measure while you fix the busted app to not generate packets like that :)
[20:21]<vzzvym>thanks trappist
[20:21]<vzzvym>what are you up to these days?
[20:22]<vzrllysv>mostly work. I'm lucky to find a few minutes a week of good personal geek time. you?
[20:22]<vzzvym>about two years ago you were active in the mandrake community
[20:22]<vzzvym>still slogging about. Trying to get net2net ipsec working on ipcop. I must be missing something because the connections never open
[20:24]<vzzvym>abandoned mandrake for Ubuntu, still miss the old crowd
[20:34]<rsr2yf>got it to work
[20:34]<rsr2yf>i don't understand much
[20:34]<rsr2yf>but i had to reduce mtu to 1400
[20:43]<drvvx_>usual IP fragmentation problem I guess
[20:44]<rsr2yf>the natted machine didn't know that the packets were going to be encapsulated
[20:44]<rsr2yf>i think
[21:01]<[lyguw]>iptables v1.3.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
[21:01]<[lyguw]>Perhaps iptables or your kernel needs to be upgraded.
[21:01]<[lyguw]>why do i get this when my kernel config etc is fine?
[21:01]<[lyguw]>:(
[21:04]<drvvx_># modprobe iptables_filter ? (may be automatic though)
[21:05]<[lyguw]>AMDevolution linux # modprobe iptables_filter
[21:05]<[lyguw]>FATAL: Module iptables_filter not found.
[21:05]<drvvx_>$ grep CONFIG_IP_NF_FILTER /boot/config
[21:05]<[lyguw]>but it's built
[21:05]<drvvx_>I guess that's this one
[21:05]<[lyguw]>AMDevolution linux # grep CONFIG_IP_NF_FILTER /boot/config
[21:05]<[lyguw]>grep: /boot/config: No such file or directory
[21:05]<[lyguw]>errr
[21:06]<drvvx_>/usr/src/linux/.config or whatever
[21:07]<[lyguw]>AMDevolution linux # grep CONFIG_IP_NF_FILTER /usr/src/linux/.config
[21:07]<[lyguw]>CONFIG_IP_NF_FILTER=m
[21:08]<drvvx_>well you need to learn how to compile/install a kernel properly with your distro then
[21:08]<[lyguw]>but i have.
[21:08]<[lyguw]>humf.
[21:08]<[lyguw]>i have no problem with this before.
[21:52]<rmvrganm>When i type #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT i get No chain/target/match by that name.... Do i need any more arguments?
[22:09]<byffyngdjjn>Advanced, no, there is a problem with your iptables
[22:12]<lnnayw>Advanced: make sure that 'state' is available as a match in your kernel. (cat /proc/net/ip_tables_matches)
[22:15]<rmvrganm>DOh.. I forgot to run #make after I've changed my kernel-config :)
[22:30]<byffyngdjjn>Advanced, no comments ... :)
[22:32]<rmvrganm>BillieGDJoe, I really appreciate that :p
[23:00]<s19g>My nat isn't working with the following config: http://www.rafb.net/paste/results/GpMMt738.html
[23:01]<s19g>from private network I can ping eth1 (private interface) and eth0 (public interface), but I can't ping the next hop on public net
[23:03]<rnryv>is ip_forward enabled?