Log from #iptables at freenode 2006-07-17
[00:00]<mrrynfmr>does your laptop have this box as its default gateway?
[00:02]<mrrmre>no, this laptop is on one end of a tunnel
[00:03]<mrrynfmr>well, then that's the problem
[00:03]<mrrmre>hmm?
[00:03]<mrrynfmr>the responses won't come back over the tunnel
[00:03]<mrrynfmr>you'll have to SNAT the packets too
[00:03]<mrrmre>it's not sending a syn/ack anywhere though
[00:03]<mrrynfmr>it is - did you sniff on the laptop?
[00:04]<mrrmre>yes, I just did a capture on the ANY interface to check if it was sending them back someplace else
[00:04]<mrrynfmr>maybe you have rp_filter on the laptop?
[00:04]<mrrynfmr>or the laptop's firewall is in the way
[00:05]<mrrmre>no firewall on the laptop
[00:05]<mrrmre>I think you're right about it not sending back through the tunnel, but I find it odd that I didn't capture anything at all
[00:06]<mrrynfmr>either way, the fix is to do SNAT on the firewall
[00:06]<mrrynfmr>the second URL in topic has an example
[00:06]<mrrmre>ok, thanks for your time :)
[00:10]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/ http://iownmydvds.org/ .")
[00:34]<2rfju>if I only have two network interfaces in my server... can I configure transparent bridging and still be able to run a webserver on the server?
[00:35]<mrrynfmr>yes
[00:36]<mrrynfmr>just configure the IPs and such on the bridge interface
[00:36]<2rfju>cool.. and on top of that.. could I also bridge some clients from the internal net, and route some client through a NAT?
[00:37]<mrrynfmr>an interface can only be on one bridge at a time
[00:37]<mrrynfmr>you can do NAT to (or from) (or between two) a bridge
[00:39]<2rfju>I have several external ip addresses, but unfortunately not enough ;). so some should be transparently bridged through the server, while the others should use NAT through the server
[00:39]<mrrynfmr>that's possible
[00:40]<2rfju>good... reduces the needed network cards from 4 to 2 ;)
[00:40]<mrrynfmr>you'll have to configure the IPs manually on the server - put both external and local IPs on the bridge interface
[00:41]<mrrynfmr>3 cards might be a cleaner solution, but 2 will work
[00:43]<2rfju>adding another card could be possible. you mean two cards on the internal side or two on the external side?
[00:44]<mrrynfmr>two on internal - one bridged, and one routed
[00:44]<mrrynfmr>then you'll be able to run a DHCP server for the routed interface
[00:44]<mrrynfmr>and the internal IPs won't be able to leak out across the bridge
[00:48]<2rfju>they are on the same switch anyways.. to stop the potential leak-out problem, I could block/allow by mac address
[00:48]<mrrynfmr>ok, the two should be fine
[00:48]<mrrynfmr>s/the/then/
[00:49]<2rfju>I wonder why I haven't considered bridging one part and nat'ing the other part earlier... I always thought I had to buy a separate switch to create one natted net and one dmz.. well, let's try to implement it.
[00:50]<mrrynfmr>you'll have to do your NAT rules by IP, not by interface, but otherwise it should be just like a normal NAT
[00:54]<2rfju>ok, then I'll be reading iptables-tutorial.frozentux.net for the next few hours..
[00:54]<2rfju>never implemented a nat, so I have to first read all the stuff about it
[02:19]<wd0v>hey
[02:20]<wd0v>i have a question, i'm trying to forward port 80 from one ip to another ip, but i don't want to listen to all ips on a device, i want to do it only on a certain ip and i'm not sure how to do that
[02:20]<wd0v>any suggestions?
[02:23]<-- dyrnnprd wrs puyv> i mean the other left <-")
[04:04]<zdzpzzfzgn>Hello all
[04:05]<zdzpzzfzgn>question about routes
[04:05]<zdzpzzfzgn>if I have a wan, lan, and dmz networks...
[04:05]<zdzpzzfzgn>lan and dmz both successfully get out thru the wan to the web
[04:05]<zdzpzzfzgn>and web/mail type stuffs is being correctly forwarded to the lan
[04:06]<zdzpzzfzgn>how would communication between the lan and dmz work?
[04:06]<zdzpzzfzgn>is it a route configuration? or nat?
[04:30]<vyrn-vnzsr>wm0t: are you using iptables for anything atm, ie nat, on the ip you want to redirect from?
[05:35]<wd0v>no vice-versa
[05:35]<wd0v>nothing
[08:25]<-- sgvgzs xzs fuyv (>/dev/brain")
[08:50]<-- dyrnnprd wrs puyv> i mean the other left <-")
[10:09]<zzzsx1d|wzc>icmp isn't affected by tcp/udp rules right?
[10:29]<zzwffzdnz>no
[10:29]<zzwffzdnz>erm..
[10:29]<zzwffzdnz>yes i mean
[11:32]<zsxrmjw>anybody see something wrong with this rule (-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT) and the logging rules (-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT]: " --log-tcp-options --log-ip-options
[11:32]<zsxrmjw>-A LOG_ACCEPT -j ACCEPT
[11:32]<zsxrmjw>because nothing is being logged
[11:43]<rlraxne>why do you have both -p tcp -m tcp?
[11:43]<zsxrmjw>Apachez, lol not sure.. I'm trying to follow a howto to learn IPtables..
[11:43]<rlraxne>take a look at http://www.tbg.nu/iptables.txt for ideas
[11:44]<rlraxne>i would do something like
[11:44]<rlraxne>iptables -N LOG_ACCEPT
[11:44]<zsxrmjw>Apachez, ok thanks
[11:45]<rlraxne>iptables -A RESERVED_DROP -m limit --limit 2/s --limit-burst 10 -j LOG --log-prefix "f=RESERVED a=DROP " --log-level 7
[11:45]<rlraxne>errr
[11:45]<rlraxne>iptables -N LOG_ACCEPT
[11:46]<rlraxne>iptables -A LOG_ACCEPT -m limit --limit 2/s --limit-burst 10 -j LOG --log-prefix "f=LOG_ACCEPT a=ACCEPT " --log-level 7
[11:46]<rlraxne>iptables -A LOG_ACCEPT -j ACCEPT
[11:46]<rlraxne>and then
[11:46]<rlraxne>iptables -A INPUT -p tcp --dport 25 -j LOG_ACCEPT
[11:46]<rlraxne>the -N creates your custom chain
[11:46]<rlraxne>perhaps you are missing that part ?
[11:47]<rlraxne>and then I use limit in the log part to not flood the logengine with packets (like if someone tries to DoS me or so)
[11:47]<zsxrmjw>perhaps.. I'll have to take a look when I can log back in.. :) apparently I messed something up.. good thing I made sure that my firewall will reset every 5 min while I'm playing around learning it
[11:47]<zsxrmjw>Apachez, good idea
[11:48]<rlraxne>the packets will still be dropped/accepted but the log entry of what is happening is being pushed back to max 2 lines/sec with an allowed burst of 10 lines the first second
[11:48]<zsxrmjw>Apachez, nice
[11:51]<mzglrg>Is this the correct place to enquire about iproute2 and multiple routes?
[11:52]<rlraxne>no idea
[11:52]<rlraxne>but you could ask your question and see if you get any response :P
[12:06]<-- svgvsdyzgjvr xrs>/dev/null")
[12:06]<zsxrmjw>anybody know what communicates over port 1047 ?
[12:08]<rlraxne>to tcp 1047 ?
[12:08]<rlraxne>i think it's a windows thingy
[12:08]<rlraxne>rpc or whatever it's called
[12:09]<zsxrmjw>ya.. tcp .. a million DROPPED logs from it.. everything is being logged .. just something is #$@# up in my syslog config because it's all being dumped to the console for some reason instead of the log file
[12:09]<rlraxne>if it's on a local windows box you can use tcpview from sysinternals.com to see which service is using that port on your computer
[12:10]<rlraxne>rshadow: maybe you have that loglevel thingy ?
[12:10]<rlraxne>or is missing it ?
[12:10]<rlraxne>level 7 will only dump to the syslog
[12:10]<zsxrmjw>well I'm sshing from a windows box to a linux box
[12:10]<rlraxne>if you have default level ehh 3 i think it will be dumped to the screens as well