Log from #iptables at freenode 2006-07-16
[00:08]<-- dvxn|syzzzyus xzs (http://www.bagdadsoftware.de)
[00:37]<myrunfyvj>hello, I want to route depending on domain, can I do that? Like, iptables -t nat ... etc... -d www.domain1.com -j something, and -d www.domain2.com -j somethingelse... I've read some pages that say that can't be done, I'd like your opinion please, thanks
[00:40]<rlraxne>are the domains different IPs?
[00:42]<rlraxne>i guess a reverse proxy is the way to go
[00:42]<rlraxne>internet <-> firewall <-> reverse proxy <-> multiple webservers...
[01:10]<-- 2yd2nzy xrs fuyv (http://iownmymusic.org/ http://iownmydvds.org/)
[02:04]<myrunfyvj>Apachez, no, the domain is one IP, I was using virtual hosts for that, but now they want to add another server behind the Linux (router) and I have to route some domains to one server and others to a different server
[02:27]<myrunfyvj>Apachez, not sure if reverse proxy is what I want
[03:02]<pzjxy2yvnm>Hey guys
[03:02]<pzjxy2yvnm>is there any way to ban a host with iptables
[03:02]<pzjxy2yvnm>eg. aol.com
[03:03]<pzjxy2yvnm>or IPs beginning with 172.*.*.*
[03:03]<bfyssnwq>Prohibited: yes.
[03:04]<pzjxy2yvnm>how? I have tried just *.aol.com, and it didn't seem to work
[03:59]<nwysvw>hi loves
[05:34]<sxzfzdzz6>hi all
[05:34]<sxzfzdzz6>i am a real noob at iptables
[05:35]<sxzfzdzz6>I set a DROP policy on all chains...
[05:35]<sxzfzdzz6>and then wanted to allow pinging
[05:35]<sxzfzdzz6>so I tried this...
[05:36]<sxzfzdzz6>iptables -A INPUT -p icmp -j ACCEPT
[05:36]<sxzfzdzz6>and...
[05:36]<sxzfzdzz6>iptables -A OUTPUT -p icmp -j ACCEPT
[05:36]<sxzfzdzz6>but pings are blocked (along with everything else)
[05:37]<sxzfzdzz6>what am i doing wrong?
[05:38]<sxzfzdzz6>hello?
[06:24]<mrrynfmr>cj: where's maxine?
[08:37]<hnppp[y]zn>a quick question about wildcards in addresses.. can I use a wildcard in a hostname - for example if I wanted to add a rule that matched *.comcast.net , would that be possible?
[08:50]<xzzm__wzzn>Hellf[i]re: nope, sorry, you can't ... unless maybe you knew their exact subnet mask and used that instead
[08:52]<hnppp[y]zn>shame
[08:52]<hnppp[y]zn>thanks
[08:55]<hnppp[y]zn>one hostname would have been a bit easier than tracking down the ranges.. of course, having a firewall check the reverse DNS of every IP that connects doesn't sound that brilliant either.
[08:56]<hnppp[y]zn>have a good night... or whatever it happens to be where you are.
[13:41]<ajmnsxnlxnzm>I want to do packet forwarding.. I have edited /etc/sysctl.conf.. and my /proc/sys/net/ipv4/ip_forward has 1.... I am still not able to forward packets.. is there any rule that I need to set with iptables to get it working?
[13:41]<ajmnsxnlxnzm>in fact iptables is stopped.. :)
[13:41]<pzjxy2yvnm>hey guys I am trying to upgrade from MySQL 3 to mySQL 5, but
[13:41]<pzjxy2yvnm>http://pastebin.ca/89508
[13:41]<pzjxy2yvnm>(CentOS)
[13:42]<pzjxy2yvnm>oi
[13:42]<pzjxy2yvnm>http://pastebin.ca/raw/89508
[13:57]<rlraxne>Prohibited: ehm... this is #iptables not #mysql :)
[13:57]<pzjxy2yvnm>oh rofl
[13:57]<pzjxy2yvnm>Sorry xD
[14:21]<rlraxne>any comments on my kernel parameters, perhaps someone has other suggestions for performance? http://www.tbg.nu/iptables.txt
[14:39]<ajmnsxnlxnzm> /sbin/iptables --table nat --append POSTROUTING -out-interface eth0 -j MASQUERIADE ....Warning: wierd character in interface `-out-interface' (No aliases, :, ! or *).....Bad argument `eth0'
[14:51]<rlraxne>it's either -o or --out-interface
[14:51]<rlraxne>you wrote -out-interface, missing one - at the beginning
[15:49]<-- 2yd2nzy xrs fuyv (http://iownmymusic.org/ http://iownmydvds.org/)
[17:45]<zjgvzzvggvjz>hi
[17:45]<zjgvzzvggvjz>how do I set the NAT timeout for one IP address?
[17:49]<vyrn-vnzsr>timeout?
[17:53]<zjgvzzvggvjz>vice-versa yeap
[17:55]<zjgvzzvggvjz>vice-versa if timeout from client to gateway > 200 seconds -> close NAT for client
[18:03]<rlraxne>you could alter the keepalive things
[22:24]<-- dvxn|syzzzyus xzs (http://www.bagdadsoftware.de)
[23:09]<mjzyfnj>Hi all... I must forward incoming packets with --dport 80 in -i eth0 to my internal server 192.168.2.1
[23:09]<mjzyfnj>oops, eth2 in fact
[23:09]<mjzyfnj>eth0: 10.0.0.1
[23:09]<mrrynfmr>second URL in topic is a nice howto
[23:10]<mjzyfnj>eth1: 192.168.2.1
[23:10]<mjzyfnj>eth2: 200.xxx.xxx.xxx
[23:11]<mjzyfnj>danieldg, I've tried a lot of things but nothing works :( but I'll take a look at the second URL in the topic :D
[23:26]<rlraxne>you need to act on -t nat -A PREROUTING
[23:27]<rlraxne>dorileo: you could take a look at http://www.tbg.nu/iptables.txt for ideas
[23:29]<mjzyfnj>Apachez, thanks, I'll take a look
[23:31]<mjzyfnj>danieldg, thank you.... worked just like a charm :D
[23:33]<mrrmre>Anyone have any ideas why this script isn't working: /sbin/iptables -t nat -A PREROUTING -p $3 --dport $2 -j DNAT --to-destination $1
[23:35]<mrrmre>it was working at one time, but now it's not
[23:39]<vyrn-vnzsr>MagMaz: what's changed?
[23:40]<mrrmre>vice-versa: not sure, I rebooted and flushed iptables to make sure everything was back at the default, and still no go
[23:44]<mrrynfmr>MagMaz: is /proc/sys/net/ipv4/ip_forward 1?
[23:45]<mrrmre>danieldg: yup
[23:46]<mrrynfmr>does it give an error, or just not work?
[23:46]<mrrmre>just doesn't work
[23:46]<mrrynfmr>any other rules in iptables-save|grep ^- ?
[23:46]<mrrmre>I try to connect from another machine and it just sits there
[23:47]<mrrynfmr>make sure the other machine is _not_ behind the same NAT as $1
[23:47]<mrrmre>yeah, I know
[23:48]<mrrmre>there's four lines, would you mind if I paste them?
[23:48]<mrrynfmr>4, I suppose it's short enough
[23:48]<mrrmre>-A PREROUTING -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.5.130
[23:48]<mrrmre>-A POSTROUTING -o eth0 -j MASQUERADE
[23:48]<mrrmre>-A FORWARD -i ! eth0 -j ACCEPT
[23:48]<mrrmre>-A FORWARD -s 192.168.5.130 -p tcp -m tcp --dport 5900 -j ACCEPT
[23:49]<mrrynfmr>what is the policy for FORWARD?
[23:49]<mrrmre>ACCEPT
[23:50]<mrrynfmr>I'd double-check that, and see where the connections are dying using a packet sniffer
[23:50]<mrrmre>I checked the policy before I told you ;) but I'll get out a packet sniffer
[23:58]<mrrmre>Hmm.. it is forwarding, but my laptop isn't sending a response to the SYN packets
[23:59]<mrrmre>which is quite odd, as it works when it's not going through NAT