Log from #iptables at freenode 2006-07-17
[12:10]<zsxrmjw>Apachez, let me double check
[12:10]<rlraxne>that's why i have that --log-level 7 in the end of my log rules :P
[12:11]<rlraxne>you could probably config the syslog daemon to handle this properly as well
[12:11]<rlraxne>like if loglevel (whatever iptables uses by default if log-level is not explicitly written) and from process iptables then log only to disk
[12:13]<zsxrmjw>Apachez, ya.. what I really need to do is dump syslog and put syslog-ng on the machine.. I understand syslog-ng configuration better
[13:07]<rrsn_xnn_>It is necessary to configure ip_forwarding to use NAT??
[13:12]<lzf0zrn>case: yes
[13:12]<rrsn_xnn_>:)
[13:39]<zzzsx1d|wzc> can someone give me the iptables command to allow all ICMP?
[13:58]<rlraxne>crash3m|wrk: iptables -A INPUT -p icmp -j ACCEPT
[13:58]<rlraxne>that will allow all sort of icmp
[13:58]<rlraxne>but usually you should limit it to echorequest, echoreply, timexceeded and destinationunreachable
[13:59]<rlraxne>http://www.tbg.nu/iptables.txt scroll down to "INPUT_ICMP" and "OUTPUT_ICMP" to take a look
[13:59]<zzzsx1d|wzc>Apachez, outgoing ICMP is whats broken
[13:59]<rlraxne>then look at OUTPUT_ICMP at the link I gave you ;)
[14:00]<zzzsx1d|wzc>ty
[14:00]<rlraxne>there are also some kernel parameters (in the same link) regarding icmp which you should take a look at
[14:00]<rlraxne>like redirects and such
[14:03]<zzzsx1d|wzc>*sigh* no such luck
[14:04]<rlraxne>what does cat /proc/sys/net/ipv4/icmp_echo_ignore_all
[14:04]<rlraxne> tell you ?
[14:04]<zzzsx1d|wzc>0
[14:04]<rlraxne>hmm
[14:05]<rlraxne>perhaps you should try some logging on icmp ?
[14:05]<rlraxne>-A INPUT -p icmp -j LOG -j LOG --log-prefix "f=RESERVED a=DROP " --log-level 7
[14:05]<rlraxne>err
[14:05]<rlraxne>-A INPUT -p icmp -j LOG --log-prefix "INPUT_ICMP " --log-level 7
[14:05]<rlraxne>-A OUTPUT -p icmp -j LOG --log-prefix "OUTPUT_ICMP " --log-level 7
[14:05]<zzzsx1d|wzc>thanks
[14:06]<rlraxne>i mean to debug that the icmp actually hits your box
[14:06]<rlraxne>maybe they are filtered before
[14:06]<rlraxne>or some kernel parameter is disallowing them or such
[14:09]<zzzsx1d|wzc>huh, when I run tethereal and ping, I can see the requests hitting the machine
[14:09]<zzzsx1d|wzc>are iptables rules evaluated from the top down?
[14:13]<zzzsx1d|wzc>wtf, it's blocking EVERYTHING
[14:14]<rlraxne>maybe you should take a look at your rules ? :P
[14:14]<rlraxne>perhaps you are just appending rules instead of clearing the chains ?
[14:14]<rlraxne>take a look at http://www.tbg.nu/iptables.txt for hints :P
[14:15]<zzzsx1d|wzc>heh
[14:15]<zzzsx1d|wzc>the rules APF sets up are a little more complex I believe
[15:10]<2sdyvx>is it possible to define iptables rules that apply only to a given process?
[15:16]<2sdyvx>ah with owner match
[15:36]<wg2_cgjws>o/
[16:04]<algyzjg>hey all :) im just a noob in iptables, and i have a little problem..
[16:04]<algyzjg>im currently trying to tunnel traffic over my laptop, ie from eth0 to eth1, therefore i created a rule: "iptables -A FORWARD -s 192.168.4.2 -d 0/0 -i eth0 -o eth1 -j ACCEPT", so that the machine connected to eth0 (.4.2) can ping other machines in the network connected to eth1 (.2.x) but apparently it doesn't work, it says "network is unreachable".. i know im doing something wrong, but i can't figure out what, so thanks in advance for tips&help
[16:04]<algyzjg> :)
[16:06]<rlraxne>are they different networks ?
[16:06]<algyzjg>yupp
[16:06]<rlraxne>then you need some postrouting to nat the traffic back and forth
[16:06]<algyzjg>ah :o
[16:06]<rlraxne>otherwise it will leave your internal net unaltered
[16:06]<rlraxne>sure that works
[16:06]<rlraxne>but there will not come any packets in return
[16:06]<rlraxne>and that will be a slight problem :P
[16:07]<algyzjg>hehe.. so i have to create some new routes on the client in each network?
[16:08]<rlraxne>naaa
[16:09]<rlraxne>basically just something like
[16:09]<rlraxne>iptables -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
[16:09]<rlraxne>this will fix the ipaddressing
[16:09]<algyzjg>ah, ic, let me try that
[16:09]<rlraxne>and then allow the traffic through forward
[16:10]<rlraxne>iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[16:10]<rlraxne>iptables -A FORWARD -i ${INSIDE_DEVICE} -p tcp --sport 1024:65535 -m state --state NEW -j ACCEPT
[16:10]<rlraxne>iptables -A FORWARD -i ${INSIDE_DEVICE} -p udp --sport 1024:65535 -m state --state NEW -j ACCEPT
[16:10]<rlraxne>iptables -A FORWARD -i ${INSIDE_DEVICE} -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
[16:10]<rlraxne>the first one will fix the source address so the packet can leave your internal network and then find its way back
[16:10]<algyzjg>ic
[16:11]<rlraxne>the est/rel rule is to allow packets through the forward chain which already is established etc
[16:11]<rlraxne>and the last three are to allow outbound connections from your internal network
[16:11]<rlraxne>so if you only want to allow outbound tcp port 21 then you can use
[16:11]<rlraxne>iptables -A FORWARD -i ${INSIDE_DEVICE} -p tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
[16:11]<-- sgvgzs xzs fuyv (>/dev/brain")
[16:12]<algyzjg>ic.. well, i see that i have to read more about that :)
[16:12]<rlraxne>the sourceport thingy is not necessary depending on how high security you like
[16:12]<rlraxne>you can take a look at http://www.tbg.nu/iptables.txt for ideas
[16:12]<algyzjg>ok thanks.. im just playing around anyway, so no security worries :)
[17:09]<mzglrg>i need to set up multiple ISPs going through a FW(iptables) to server on LAN, do I need to use iptables -t mangle?
[17:38]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/ http://iownmydvds.org/ .")
[17:38]<rlraxne>nope
[17:38]<rlraxne>to my knowledge mangle should only be used to change options of the packets
[17:38]<rlraxne>like QoS stuff
[17:51]<s19g>vice-versa: I'm back :-)
[17:52]<vyrn-vnzsr>s34n: hi there
[17:54]<vyrn-vnzsr>s34n: get your nat issues resolved?
[17:57]<s19g>vice-versa: no
[17:57]<s19g>still no dns working over nat
[17:57]<s19g>it's making me scratch my head
[17:58]<vyrn-vnzsr>s34n: was dns resolving problems was it not?
[17:59]<s19g>vice-versa: most recently, I can ping IP addresses across the NAT, but not names
[17:59]<s19g>from the NAT server itself, dns works just fine
[17:59]<vyrn-vnzsr>what are you using for dns servers?
[18:04]<vyrn-vnzsr>(on the client nodes that can't resolve)
[18:05]<s19g>vice-versa: I'm using a server that sits 2 hops away on the public side
[18:20]<vyrn-vnzsr>s34n: as a test try using 4.2.2.2
[18:24]<s19g>vice-versa: as a dns server?
[18:24]<vyrn-vnzsr>yes, on a client node
[18:27]<s19g>vice-versa: vice-versa no luck
[18:28]<s19g>ok. I got it.