Log from #iptables at freenode 2006-07-18
[00:12]<vyrn-vnzsr>vanquish: you're not misinterpreting what -Z is supposed to do are you?
[00:12]<vyrn-vnzsr>vanquish: it zeros out packet and byte counters for the chains, not tables
[00:13]<vrgfuysx>vice-versa: explain
[00:13]<vrgfuysx>say i want to zero the INPUT chain
[00:13]<vyrn-vnzsr>vanquish: try it with -vZ you'll see
[00:13]<vrgfuysx>vice-versa: i'll see what? so far, it hasn't worked
[00:27]<vyrn-vnzsr>vanquish: what's your default policy for input now?
[00:32]<vyrn-vnzsr>vanquish: ? ... anyhow assuming it's ACCEPT, this will do what you're expecting to see on the default policy rule counters
[00:33]<vyrn-vnzsr>iptables -Z INPUT && iptables -P INPUT DROP && iptables -P INPUT ACCEPT && iptables -nvL INPUT
[00:48]<vrgfuysx>vice-versa: you are absolutely right, it worked
[00:48]<vrgfuysx>vice-versa: can you explain why please?
[00:49]<vyrn-vnzsr>vanquish: I don't think you have to actually change the default policy, I'm thinking just setting it will work too
[00:50]<vyrn-vnzsr>iptables -P INPUT ACCEPT && iptables -nvL INPUT
[00:50]<vrgfuysx>you're right
[00:50]<vyrn-vnzsr>vanquish: as for explaining it, I can't really, like you I thought that was how it was supposed to work
[00:51]<vrgfuysx>vice-versa: well i really appreciate your help
[00:51]<vrgfuysx>vice-versa: do you think it's bug worthy? seems like just a misconception
[00:53]<vyrn-vnzsr>vanquish: misinterpretation I think, what tripped me up was when I first started working with iptables I used a base script that set default policies and thus the counters zeroed, hence me thinking that was how it worked
[00:53]<vrgfuysx>lucky for me then
[00:53]<vrgfuysx>vice-versa: thanks a lot
[00:53]<vyrn-vnzsr>ya, like you I wasted an entire afternoon on it a while back
[00:54]<vyrn-vnzsr>vanquish: np
[01:32]<vrgfuysx>admittedly a newbie question, but can i wildcard interfaces? i.e. eth*
[01:32]<vrgfuysx>i know i can't eth*
[01:32]<vrgfuysx>do i just leave it eth?
[01:34]<vrgfuysx>hmm nope
[01:34]<vrgfuysx>anybody?
[01:39]<rlraxne>just don't mention it
[01:39]<rlraxne>and it will act on all interfaces
[01:41]<duz2>vanquish: eth+
[01:42]<vrgfuysx>murb: many thanks
[03:35]<vrgfuysx>i'm looking at a script, and i come across ${VAR%.*}
[03:35]<vrgfuysx>what does that do?
[03:35]<vrgfuysx>(iptables script)
[03:36]<mrrynfmr>no idea - try asking #bash
[03:36]<vrgfuysx>heh
[03:40]<vrgfuysx>ah
[03:40]<vrgfuysx>wow guys you should read up on it, super cool stuff
[03:41]<vrgfuysx>apparently you can do string operations on variables by such
[03:41]<vrgfuysx>http://tldp.org/LDP/abs/html/refcards.html#AEN16986
[03:41]<vrgfuysx>for reference
[03:41]<vrgfuysx>check out string operations
[06:59]<suzpran>is it possible to set an iptables rule to drop a tcp connection if no activity after a certain period of time?
[07:01]<mrrynfmr>you could lower the timeouts in /proc/sys/net/netfilter/
[07:01]<mrrynfmr>or look at the conntrack match
[07:02]<suzpran>danieldg: that means it happens to every tcp connection? with that? not a specific machine?
[09:40]<p-nut>Hey guys, would anyone know how to route traffic from one network card to the next? eg. I have a wifi nic I want to use as an access point, but don't know how to route the traffic from ath0 (the card) to eth0 and out to the net. Any ideas?
[09:50]<p-nut>anyone?
[11:54]<suzpran->anyone know how to set tcp timeout using iptables? seems like ipchain -M -S
[12:08]<rlraxne>ipchain is not iptables :P
[12:08]<rlraxne>which tcp timeout ?
[12:08]<rlraxne>there are a couple of them
[12:09]<rlraxne>they are merged to one proc attribute in 2.6
[12:09]<rlraxne>but in 2.4 they are in different places
[12:24]<suzpran->2.6
[12:25]<suzpran->tcp connection time out if idle for certain period of time
[12:41]<l|nux>is there any way to forward all tcp ports to another computer ?
[12:43]<duz2>yes
[14:30]<rzrrygus>hey guys
[14:31]<rlraxne>hi
[14:31]<rzrrygus>how you doing?
[14:32]<rzrrygus>im trying to figure out my firewall rulez here and i need some help :|
[14:32]<rlraxne>shoot
[14:34]<rzrrygus>i got a ftp site, firewall and a client
[14:34]<rzrrygus>not the client connects thru the firewall to ftp
[14:34]<rzrrygus>s/not/now
[14:35]<rzrrygus>the client can connect to the ftp fine...but can't do any data transfers, because the ftp server sees the firewall's ip and not the client's
[15:09]<rlraxne>install ftp_conntrack or whatever it's called
[15:11]<duz2>ip_conntrack_ftp
[15:50]<wg2_cgjws>hi :)
[15:52]<rlraxne>hi
[16:11]<rzrrygus>modprobe ip_conntrack_ftp
[16:11]<rzrrygus>i have that in
[16:18]<gzzm>Guys I am having a nightmare with dnat. And yes I have read the url in the .topic. This works fine: iptables -A PREROUTING -t nat -p tcp -d $NET_IP --dport 443 -j DNAT --to $DC_IP:443 But this does not. iptables -A PREROUTING -t nat -p tcp -d $NET_IP --dport 1700 -j DNAT --to $DC_IP:22 (note the port translation)
[16:19]<gzzm>help?
[16:20]<vyrn-vnzsr>Arcainus: there is also ip_nat_ftp for active, (non-PASV), ftp support too
[16:20]<rzrrygus>hhmmmm
[16:24]<vyrn-vnzsr>nard: so you can add the rule it's just not working as expected?
[16:26]<gzzm>vice-versa, yep.
[16:28]<gzzm>I also have a FORWARD rule for both services. iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT and iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 1700 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[16:28]<gzzm>but a syn packet never gets to the target IP on port 22. the 443 rule works fine.
[16:30]<vyrn-vnzsr>nard: does it work if you use the default port?
[16:31]<vyrn-vnzsr>nard: I take it you can ssh from the nat box to the host in question ok right?
[16:32]<gzzm>yea, i can ssh into the target box from the nat box, however testing it on a non-translated port will be tricky as TCP:22 is ssh on the nat.
[16:36]<vyrn-vnzsr>nard: not really, the packet should get forwarded before it hits the INPUT chain
[16:36]<gzzm>oh, it actually looks like there is something else wrong with my f/w script. if i flush all chains, and add only the one rule it works
[16:46]<vyrn-vnzsr>nard: if it's not obvious to you what's wrong with the rules pastebin the output from iptables-save -c
[16:51]<rzrrygus>its not only my ftp that's doing it, its other traffic as well
[16:55]<gzzm>vice-versa, paste into channel window?
[16:57]<vyrn-vnzsr>NO
[16:57]<vyrn-vnzsr>nard: pastebin site
[17:02]<vyrn-vnzsr>nard: http://www.pastebin.co.uk/