Log from #iptables at freenode 2006-07-17
[22:00]<rlraxne>but you could try to set all INPUT OUTPUT and FORWARD to policy accept
[22:00]<wg2_cgjws>it's for the good of science
[22:00]<wg2_cgjws>for science purposes ;D
[22:02]<wg2_cgjws>Apachez, ok
[22:02]<wg2_cgjws>all set to policy ACCEPT
[22:02]<wg2_cgjws>packet doesn't seem to reach POSTROUTING
[22:02]<wg2_cgjws>maybe it's something with racoon .. spd and stuff ?
[22:06]<rlraxne>no idea
[22:06]<rlraxne>postrouting should not be touched if the vpn is locally on your iptables box
[22:13]<wg2_cgjws>lan ---> vpn box 1 (with iptables) [=== tunnel ===] vpn box 2 ---> lan
[22:14]<wg2_cgjws>packets are coming from the left lan
[22:14]<wg2_cgjws>and 'freezes' at vpn box 1
[22:14]<wg2_cgjws>not reaching that !@*(&!*#( postrouting
[22:14]<wg2_cgjws>:)
[22:18]<rlraxne>what does iptables -L -n tell you?
[22:18]<rlraxne>or iptables -L -n -t nat and iptables -L -n -t mangle ?
[22:35]<czlcyzc>can anyone explain what this rule does :
[22:35]<czlcyzc>$IPTABLES -t nat -A POSTROUTING -o $WAN -j SNAT --to $WANIP
[22:42]<mrrmre>Capkirk: it rewrites the source address of packets going out $WAN to $WANIP
[22:43]<czlcyzc>MagMaz: yeah i realize that now :)
[22:43]<czlcyzc>thanks
[22:43]<mrrmre>np :)
[22:43]<czlcyzc>I'm trying to find out what I need to configure a DMZ on my firewall
[22:44]<czlcyzc>i have eth0 which is WAN, i have eth1 which is LAN and eth2 which is supposed to be DMZ
[22:45]<czlcyzc>i do not wish to use DNAT because i have /29 for my DMZ
[22:45]<mrrmre>not sure exactly, sorry
[22:46]<czlcyzc>ok
[22:56]<fzzdf>i just switched from an ipcop box to a custom configured iptables setup, and everything is working *except* connections to an ftp server on the internal network. passive connections just don't seem to work, and i can't figure out what i'm missing?
[22:59]<czlcyzc>have you loaded the ftp nat helper modules?
[23:00]<fzzdf>no i haven't... i'm running on a fresh ubuntu server install. would they already be there, or do i need to compile them?
[23:01]<czlcyzc>paryl: they will probably be there already
[23:01]<fzzdf>what are they named?
[23:02]<czlcyzc>ip_conntrack_ftp
[23:02]<fzzdf>hmm, it's already loaded
[23:02]<czlcyzc>ok
[23:03]<byffyngdjjn>guys, this makes me remember something
[23:03]<fzzdf>i read somewhere that i had to accept port 1024, which i did
[23:03]<byffyngdjjn>I have a lan with uses transparent proxy with iptables + squid ...
[23:03]<czlcyzc>you need to have established... for the chain in which the ftp rules are in
[23:03]<byffyngdjjn>but, the ftp traffic dont go outside the lan ... (data)
[23:04]<czlcyzc>like $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[23:04]<byffyngdjjn>i tried ftp_conntrack module without success ... any ideas :
[23:04]<byffyngdjjn>]?
[23:04]<czlcyzc>show us your ftp rulez
[23:05]<fzzdf>is there a no-flooding rule here? do i need to use pastebin?
[23:06]<-- svgvsdyzgjvr xrs>/dev/null")
[23:06]<vyrn-vnzsr>yes pastebin it please
[23:07]<czlcyzc>always use pastebin :)
[23:07]<fzzdf>http://pastebin.ca/90553
[23:08]<rlraxne>no need for conntrack_ftp
[23:08]<rlraxne>conntrack_ftp is only helpful for active ftp sessions which are initiated from the inside to outside
[23:08]<czlcyzc>ok but it isn't enough to DNAT port 21 to internal ip is it?
[23:09]<czlcyzc>what about data channels?
[23:09]<rlraxne>what are you trying to do
[23:09]<fzzdf>i read that passive data channels are port 1024?
[23:09]<rlraxne>is it a ftp server on the inside ?
[23:09]<rlraxne>then forward tcp 21 to inside
[23:09]<byffyngdjjn>paryl, 1024 or more ... random
[23:09]<rlraxne>allow outbound to tcp port 20 (usually taken care by nat and est/rel rules)
[23:09]<fzzdf>yes, it's on the inside
[23:10]<rlraxne>and also forward the passive ftp range from outside to inside which you have set up your ftp server to use
[23:11]<fzzdf>i'm not sure how to forward those :\
[23:11]<czlcyzc>iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth0 -j DNAT --to 192.168.1.195:21
[23:11]<fzzdf>i thought prerouting *was* forwarding it to the inside?
[23:12]<czlcyzc>it is
[23:12]<fzzdf>but i have this: iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 21 -j DNAT --to 192.168.1.195
[23:12]<fzzdf>isn't that essentially the same?
[23:13]<czlcyzc>-d 1.2.3.4 <---? whats that?
[23:13]<fzzdf>sorry... censored ip :)
[23:13]<czlcyzc>ah ok
[23:13]<czlcyzc>yeah maybe its the same then
[23:14]<fzzdf>that same scenario is working for everything else... all other servers
[23:14]<fzzdf>it's just the passive ftp that isn't working
[23:14]<czlcyzc>ok then you must do as Apachez told you: forward a range of ports above 1024 to that internal ftp server and make it use those ports for passive transfer
[23:15]<czlcyzc>sec
[23:16]<czlcyzc>iptables -t nat -A PREROUTING -p tcp --dport 6000:6012 -i eth0 -j DNAT --to 192.168.14.114
[23:16]<czlcyzc>fx
[23:17]<czlcyzc>and make ftpserver use 6000-6012
[23:17]<vrgfuysx>Can i get someone to confirm/reproduce a bug for me?
[23:17]<vrgfuysx>Chain OUTPUT (policy ACCEPT 3825K packets, 2461M bytes) // iptables -Z OUTPUT // Chain OUTPUT (policy ACCEPT 3826K packets, 2461M bytes)
[23:17]<vrgfuysx>if no rules are listed in the output chain
[23:20]<rlraxne>they will still match for accept
[23:20]<rlraxne>or do you mean that -Z didn't have any effect?
[23:20]<vrgfuysx>-Z did not have any effect
[23:21]<rlraxne>try without OUTPUT ?
[23:21]<rlraxne># Flushing the chains.
[23:21]<rlraxne>iptables -F
[23:21]<rlraxne>iptables -X
[23:21]<rlraxne>iptables -Z
[23:21]<rlraxne>for i in `cat /proc/net/ip_tables_names`
[23:21]<rlraxne>do
[23:21]<rlraxne> iptables -F -t $i
[23:21]<rlraxne> iptables -X -t $i
[23:21]<rlraxne> iptables -Z -t $i
[23:21]<rlraxne>done
[23:21]<srggd>Applying iptables firewall rules: iptables-restore: line 22 failed
[23:21]<srggd> [FAILED]
[23:21]<srggd>is that bad?
[23:22]<rlraxne>edit the file and look at what line 22 is ?
[23:23]<srggd>but its not /sbin/iptables-restore