Log from #iptables at freenode 2006-07-15
[00:00]<s19g>grrr... no network under knoppix. let me try again
[00:19]<s19g>vice-versa: ok. with a working network I can ping google ip but not name
[00:19]<s19g>and wget tells me "Temporary failure in name resolution"
[00:25]<vyrn-vnzsr>so what are you using for dns servers?
[00:26]<vyrn-vnzsr>s34n: ^^^
[00:35]<s19g>vice-versa: separate linux servers
[00:36]<s19g>or did you mean addresses?
[00:36]<s19g>I can ping the ip of the dns servers from the private network
[00:41]<vyrn-vnzsr>s34n-bbl: lemme know when you're back, i'm out for a bit to gnaw on a steak
[02:22]<rlraxne>is it possible to select two or more protocols at once or do I need some patch for iptables to do that ?
[02:23]<rlraxne>like
[02:23]<rlraxne>-p tcp,udp --sport 1024:65535 ?
[02:24]<mrrynfmr>use two rules
[02:26]<-- fzvzfcuzn xzs fuy>http://iownmymusic.org/ http://iownmydvds.org/ .")
[02:28]<rlraxne>hmpf
[03:22]<rlraxne>is icmp affected by a keep state rule that allows established,related ?
[03:22]<rlraxne>or will I still need additional rules to allow the icmp replies ?
[03:25]<mrrynfmr>ICMP replies are established or related
[04:57]<rlraxne>any comments from you gurus on my iptables setup ? http://www.sqlpaste.com/?entry_id=1421
[06:09]<gvyap>hello
[06:12]<gvyap>I want to be able to route to different intranet servers depending on the url address, but this doesn't work: iptables -t nat -A PREROUTING -p tcp -d nvf.sytes.net --dport 80 -j DNAT --to 192.168.0.1:80
[11:50]<usg>hi there
[12:24]<rlraxne>http://www.tbg.nu/iptables.txt any comments ? :P
[15:16]<aryjpws>what's the difference between NAT on the OUTPUT chain and NAT on the POSTROUTING chain ?
[15:31]<rlraxne>depends on your needs
[15:31]<rlraxne>if you NAT on OUTPUT then only traffic originating from the box itself will be NATed
[15:32]<rlraxne>but if you NAT on POSTROUTING then basically all traffic will be NATed (that is, traffic that matches your NAT rule like "-s 192.168.0.0/24 -d externalip" or similar)
[15:42]<aryjpws>what's the dif?
[15:42]<aryjpws>Apachez,
[15:42]<aryjpws>would the postrouting be used if the box was acring as a router ?
[15:42]<aryjpws>acting*
[15:52]<rnmrsqn66n>yes, only the postrouting. output would only be used for locally generated traffic, not for traffic passing over the box.
[15:53]<rlraxne>best practice would be to use the NATing in POSTROUTING no matter what
[15:53]<rlraxne>that is because the POSTROUTING chain is part of the nat table
[15:53]<rlraxne>-t nat -A POSTROUTING
[15:54]<rlraxne>that is why for example you need two rules in order to perform a port forward through the wall
[15:55]<rlraxne>first a -t nat -A PREROUTING rule which will alter the packet to the internal address and port it should be sent to, and then a -A FORWARD rule which allows the packet to pass the wall
[15:59]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/ http://iownmydvds.org/ .")
[16:27]<rmurrrg>anyone about
[16:27]<rmurrrg>if i have a box where i can't enable ipv6 in the kernel.. but have access to the firewall, will forwarding protocol 41 to another box with ipv6 enabled work?
[16:28]<rmurrrg>or does the firewall box need an ipv6 tcp stack
[16:42]<rlraxne>hmm
[16:42]<rlraxne>i guess it needs a stack to function at all
[16:42]<rlraxne>unless you can bridge the traffic some way
[16:43]<rlraxne>like sending the whole ethernet frame back and forth
[17:43]<[lyguw]>AMDevolution linux # iptables -A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 8004 -j ACCEPT
[17:43]<[lyguw]>iptables: No chain/target/match by that name
[17:43]<[lyguw]>i don't understand this, can someone tell me what this means please?
[17:44]<mrrynfmr>do you have ip_conntrack module loaded?
[17:44]<mrrynfmr>what kernel?
[17:44]<[lyguw]>gentoo 2.6.17
[17:44]<mrrynfmr>do you have the xt_state module?
[17:44]<[lyguw]>yes
[17:44]<[lyguw]>i have all of them
[17:45]<mrrynfmr>and /proc/net/ip_conntrack exists?
[17:45]<rlraxne>[Linux] looks like bad syntax ?
[17:45]<[lyguw]>danieldg, yes
[17:45]<rlraxne>iptables -A INPUT -i eth0 -p udp --dport 8004 -m state --state NEW -j ACCEPT
[17:45]<[lyguw]>i don't really understand the syntax.
[17:46]<mrrynfmr>see if that works - the other syntax was fine though, I thought
[17:46]<rlraxne>Append the rule to INPUT chain, traffic coming from eth0 protocol udp destination port 8004 with the state = new will be accepted
[17:46]<[lyguw]>AMDevolution net # iptables -A INPUT -i eth0 -p udp --dport 8004 -m state --state NEW -j ACCEPT
[17:46]<[lyguw]>iptables: No chain/target/match by that name
[17:47]<mrrynfmr>try iptables -A INPUT -i eth0 -p udp --dport 8004
[17:47]<[lyguw]>AMDevolution net # iptables -A INPUT -i eth0 -p udp --dport 8004
[17:47]<[lyguw]>iptables: No chain/target/match by that name
[17:47]<mrrynfmr>iptables -L INPUT
[17:48]<[lyguw]>AMDevolution net # iptables -L INPUT
[17:48]<[lyguw]>Chain INPUT (policy ACCEPT)
[17:48]<[lyguw]>target prot opt source destination
[17:48]<[lyguw]> all -- anywhere anywhere
[17:48]<mrrynfmr>do you have xt_tcpudp ?
[17:48]<[lyguw]>i think so.
[17:48]<[lyguw]>let me check
[17:49]<[lyguw]>yes i do have it
[17:49]<mrrynfmr>what version of iptables? 1.3.5?
[17:50]<[lyguw]>oh
[17:50]<[lyguw]>erm
[17:50]<[lyguw]>it works now.
[17:50]<[lyguw]>modprobe xt_tcpudp
[17:50]<rlraxne>what was the diff
[17:50]<rlraxne>ohh
[17:50]<rlraxne>:)
[17:50]<mrrynfmr>oh yeah
[17:50]<mrrynfmr>that autoloading was slightly broken
[17:50]<[lyguw]>AMDevolution net # lsmod
[17:50]<[lyguw]>Module Size Used by
[17:50]<[lyguw]>xt_tcpudp 2752 1
[17:50]<[lyguw]>xt_state 1664 0
[17:50]<[lyguw]>ip_conntrack 38708 1 xt_state
[17:50]<[lyguw]>nfnetlink 4504 1 ip_conntrack
[17:50]<[lyguw]>iptable_filter 2112 1
[17:50]<mrrynfmr>might want to report that as a bug - I thought it was fixed in 2.6.17
[17:50]<[lyguw]>ip_tables 9624 1 iptable_filter
[17:50]<[lyguw]>x_tables 9348 3 xt_tcpudp,xt_state,ip_tables