Log from #iptables at freenode 2006-07-19
[01:17]<dnzjzdsvnz>Heyas. Question: Is it possible to only(!) change the destination or source port of a package/connection, without changing the addresses whatsoever. The main problem is: the address isn't a fixed ip.
[01:17]<dnzjzdsvnz>i.e. whatever enters the router with a destination port of X, should get sent out on the other side with a dest port of Y.
[01:18]<dnzjzdsvnz>I've searched myself to death on this, and all I've found are ways of doing this if the destination/source IPs themselves are also specified
[01:53]<s19g>DerJamster: the port isn't fixed, either?
[01:54]<s19g>DerJamster: so you want some lookup table? 80->8080; 23->2023; 443->443
[01:56]<dnzjzdsvnz>s34n: no. port is fixed..port..66 for example should become port 67.
[01:56]<s19g>DerJamster: is it always n+1?
[01:57]<s19g>or is the translation different for each port
[01:57]<dnzjzdsvnz>s34n: different. actually, two certain ports need to become a certain third port.
[01:57]<dnzjzdsvnz>6667 and 6668 must become 6669
[01:58]<s19g>for proxy?
[01:58]<s19g>no...
[01:59]<dnzjzdsvnz>kinda. my iptables router is 192.168.0.4/192.168.1.1. My WAN gateway is 192.168.0.1, the box that is sending the packets is 192.168.1.2
[01:59]<dnzjzdsvnz>and the iptables is forwarding..all it now also needs to do, is to change the dest port of some packets. not the dest ip tho
[02:01]<dnzjzdsvnz>I'm sure there is -some- way to do it via QUEUE, but that means I'd have to go down and do some C programming :P
[02:24]<-- sgvgzs xzs fuyv (>/dev/brain")
[04:49]<aryjpws>i need some help with port forwarding i am not sure do i use iptables or "ip route " ?
[04:52]<aryjpws>do i use "ip route " to port forward or iptables ?
[04:55]<mrrynfmr>second URL in the topic has a nice howto
[04:58]<aryjpws>danieldg, i am really confused if i should use two port forwarding rules or one
[04:59]<mrrynfmr>one will do (DNAT) if the host you are forwarding to has the iptables box as its default gateway
[04:59]<mrrynfmr>otherwise, you need two (DNAT and SNAT)
[05:00]<aryjpws>danieldg, i have 2 subnets 2.x and 1.x apache is running on 2.x
[05:01]<aryjpws>and internet is flowing from 1.1 to all the subnets
[05:01]<aryjpws>where do i put a forwarding rule on 1.1 ?
[05:01]<aryjpws>or on 1.1 and 2.x gateway which is 1.10 ?
[05:01]<mrrynfmr>just on 1.1 will do
[05:02]<aryjpws>http://img417.imageshack.us/my.php?image=mylanblack9zq.jpg danieldg this is the topology ... i have put a rule on 1.1 but the page won't display on the wan
[05:03]<mrrynfmr>try on the internet
[05:03]<mrrynfmr>it won't work on the LAN without some hacking
[05:03]<mrrynfmr>the easiest way is for the LAN to just use the internal IP
[05:03]<aryjpws>it is working from the lan
[05:04]<aryjpws>i need it to work from the net as well
[05:04]<mrrynfmr>what rule did you use?
[05:05]<aryjpws>on 1.1
[05:05]<aryjpws>on the web application for the gateway router
[05:06]<aryjpws>i put
[05:06]<aryjpws>single port forwarding
[05:06]<aryjpws>port 80
[05:06]<aryjpws>tcp protocol
[05:06]<aryjpws>and ip address
[05:06]<aryjpws>192.168.1.10
[05:06]<aryjpws>i wanted to put 2.3 but no option
[05:09]<aryjpws>danieldg, should i disable anonymous wan requests ?
[05:09]<aryjpws>danieldg, should i disable "block anonymous wan requests" on 1.1 ?
[05:10]<mrrynfmr>look up the help file for that router you are using - I can't help you with it
[05:11]<aryjpws>danieldg, i just want to get this clear do i have to issue one rule on 1.1 or 2 rules on 1.1 and 1.10 ?
[05:13]<mrrynfmr>if 1.1 is not capable of doing what you want, you need two rules
[05:15]<aryjpws>danieldg, well it won't let me issue 192.168.2.3 it only has a prefix of 192.168.1.x so i put .10
[05:18]<aryjpws>could you help with the syntax to port forward from 1.10 to 2.3 ? with iptables is it "ipatables -A forward src 192.168.1.10 -p 80 destinantion 192.168.2.3 "
[05:19]<mrrynfmr>no, case matters - have you read the URL in the topic?
[05:20]<aryjpws>i have read the iptabletutorial but not good enough
[05:31]<rsrg>good night
[05:31]<rsrg>how do i drop gtalk in my firewall ?
[05:33]<drgrp>I'd imagine you drop traffic to ports 5222 and 5269 just as you would for Jabber.
[05:50]<aryjpws>iptables -A FORWARD -i eth1 -o br0 -p tcp --dport 80 -j ACCEPT does this look ok ?
[05:59]<mrrynfmr>no, you want a DNAT rule, in PREROUTING
[06:01]<aryjpws>why do i need a dnat rule ?
[06:02]<aryjpws>in prerouting ?
[06:02]<aryjpws>you mean i need a second rule ?
[06:03]<aryjpws>iptables -A FORWARD -i eth1 -o br0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[06:03]<aryjpws>?
[06:03]<aryjpws>and i need a dnat rule ?
[06:03]<aryjpws>i thought that double nating was bad
[06:04]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/ http://iownmydvds.org/ .")
[06:05]<aryjpws>danieldg, iptables -A PREROUTING -t nat -p tcp -d 192.168.1.10 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.2.3
[06:05]<aryjpws>?
[06:05]<mrrynfmr>yes, without the --state part
[06:07]<aryjpws>so i have to use both rules ?
[06:07]<aryjpws>with out the state part ?
[06:07]<aryjpws>in both of them ?
[06:07]<aryjpws>or do i use the second rule only ?
[06:09]<mrrynfmr>first rule, with state. Second rule, no state. Use both
[06:09]<aryjpws>hmmk
[06:09]<aryjpws>kk
[06:11]<aryjpws> 62.1.109.64 could you take a look and tell me if it's on ?
[06:12]<mrrynfmr>nope
[06:16]<aryjpws>can you try again ?
[06:16]<aryjpws>is it not working ?
[06:16]<mrrynfmr>it is not
[06:17]<aryjpws>others tell me its working
[06:17]<aryjpws>http://62.1.109.64/ are you sure ?
[06:19]<mrrynfmr>yes
[06:19]<mrrynfmr>check it yourself through a proxy
[06:19]<aryjpws>danieldg, could it be because it can handle only one connection at a time ?
[06:19]<mrrynfmr>no
[06:20]<aryjpws>why is this guy telling me its working ?
[06:20]<aryjpws>this is really strange
[06:22]<aryjpws>danieldg, does this not mean a connection ?
[06:23]<aryjpws>look
[06:23]<aryjpws>root@sbox:/proc/net# cat ip_conntrack
[06:23]<aryjpws>tcp 6 22 TIME_WAIT src=62.38.142.19 dst=192.168.2.3 sport=33014 dport=80 src=192.168.2.3 dst=62.38.142.19 sport=80 dport=33014 [ASSURED] use=1
[06:23]<mrrynfmr>yes, that is a connection
[06:24]<mrrynfmr>oopps
[06:24]<mrrynfmr>sorry. it works
[06:26]<aryjpws>kk
[06:28]<aryjpws>did i insert a wrong address ?
[06:28]<aryjpws>insert a wrong *