Log from #iptables at freenode 2006-07-19
[19:37]<igvzxzgvnz>So that's a yes, assuming no other rules get to it first?
[19:39]<vyrn-vnzsr>yes, if it's a local inbound packet, as in not forwarded
[19:40]<igvzxzgvnz>Cool, thanks.
[19:40]<vyrn-vnzsr>np
[20:46]<-- rfnw0z xrs fuyv (>Hoovey")
[21:27]<bummxddr>where will I find the list of new features available in iptables?
[21:40]<czysvrfygj>hi
[21:40]<drwygn>what's up, kristalino.
[21:40]<czysvrfygj>hello
[21:40]<czysvrfygj>moin maxine
[21:41]<czysvrfygj>is it possible to do NAT with ipv6 ?
[21:44]<wjjmmwjjmlnacnz>yes
[21:45]<czysvrfygj>what is the name of the module ?
[21:47]<czysvrfygj>kernel module
[21:47]<wjjmmwjjmlnacnz>I don't know. I just know it is possible. AFAIK you will get a complete network from your ISP and either you NAT or just have each computer on the WAN. I read something about 64bit is network, 64bit is host. 64bit host is more than you will _ever_ need, so you don't really need NAT.
[22:02]<rlraxne>not true
[22:02]<rlraxne>already they are wasting ranges with ipv6
[22:02]<rlraxne>same mistake as with ipv4
[22:02]<rlraxne>i mean, boeing for example have their own /8 range
[22:02]<rlraxne>why the f**k should they have 1/256th of all ips in the world ?
[22:03]<rlraxne>so just because you have 198210809182 bit addressing doesn't help if there are idiots who are giving away way too large ranges instead of having a strict policy from the beginning
[22:16]<dnzjzdsvnz>ipv6 will give the world 360 sextillion addresses. That's 667 billion addresses per square millimeter of the world :P If they manage to use all those up, I'm worried.
[22:20]<wjjmmwjjmlnacnz>Siemens has a _few_ class A nets. There should be a rule that firms pay if they don't use the addresses. In Japan they are fighting for single addresses and they have more than they will ever need.
[22:21]<wjjmmwjjmlnacnz>I mean '' some firms/institutions have more than they will ever need. ''
[22:23]<afnxnztnah>hi everybody
[22:23]<afnxnztnah>I need a little help with an iptables line
[22:24]<afnxnztnah>I want to know what this line in the output of iptables -L does
[22:24]<afnxnztnah>DROP all -- anywhere anywhere state INVALID,NEW
[22:26]<dnzjzdsvnz>AleXerTecH: output or input table?
[22:26]<dnzjzdsvnz>it basically will drop all packets that are invalid, as well as new connections
[22:32]<afnxnztnah>DerJamster, is it correct that it drops the new connections?
[22:32]<afnxnztnah>I'm having troubles here with
[22:32]<afnxnztnah>two machines
[22:33]<afnxnztnah>one machine sees the other perfectly, but the other doesn't reach machine 1, not even with a ping
[22:38]<dnzjzdsvnz>AleXerTecH: well
[22:38]<dnzjzdsvnz>AleXerTecH: I have no idea what exactly you want to do :)
[22:40]<dnzjzdsvnz>Or how your network is set up.
[22:43]<zznszzyj>hi...
[22:43]<zznszzyj>is it possible to block msn and icq file transfer?
[22:47]<dnzjzdsvnz>ccesario: file transfer only?
[22:47]<zznszzyj>yes
[22:49]<dnzjzdsvnz>ccesario: basically you need to block any ports after 1024 from getting opened for new outside connections. leave only the ports of your server apps open.
[22:50]<dnzjzdsvnz>the iptables are on a router or the box directly?
[22:51]<zznszzyj>on router
[22:52]<zznszzyj>but if I block ports after 1024 ... maybe this can cause problems with other applications
[22:52]<dnzjzdsvnz>What kind of other applications?
[22:53]<zznszzyj>ftp ?
[22:53]<drwygn>ftp is, like, a protocol that uses port 21, but also establishes some data connections that need special handling. Modprobe ip_conntrack_ftp and ip_nat_ftp to make it work (use nf_conntrack_ftp if you're using the new nf_conntrack in 2.6.16)
[22:53]<dnzjzdsvnz>ccesario: ftp uses port 20.
[22:53]<dnzjzdsvnz>ccesario: also, you can use passive ftp when the client is firewalled.
[22:53]<zznszzyj>passive mode.
[22:53]<zznszzyj>yes
[22:53]<dnzjzdsvnz>yep :>
[22:53]<zznszzyj>:)
[22:54]<zznszzyj>I will try
[22:54]<dnzjzdsvnz>iptables -i yourinternetinterface -A FORWARD -m state --state NEW -j DROP
[22:54]<dnzjzdsvnz>put that below all rules in the FORWARD table that take care of some special listening apps in your local net
[22:57]<zznszzyj>DerJamster, well ... but I have $IPTABLES -A FORWARD -j ACCEPT -m state --state ESTABLISHED in my firewall
[22:58]<dnzjzdsvnz>sounds good :) Put my line below that one.
[22:58]<zznszzyj>ok
[23:02]<zznszzyj>thanks
[23:02]<zznszzyj>I'm testing :)
[23:31]<-- svgvsdyzgjvr xrs>/dev/null")
[23:38]<afnxnztnah>how can I know what is blocking a ping to a machine?
[23:40]<afnxnztnah>I don't understand
[23:40]<afnxnztnah>the machine gets connected
[23:40]<afnxnztnah>with dhcp
[23:40]<afnxnztnah>if I make a ping from the machine it reaches, but if I do a ping to the machine, I never reach :(
[23:44]<wjjmmwjjmlnacnz>AleXerTecH: for proto echo-request echo-reply; do $IPT -A INPUT -i <?> -p icmp --icmp-type $proto -j DROP; done
[23:44]<wjjmmwjjmlnacnz>Basically you only need to drop echo-reply, but it is common to drop both, or use --icmp-type any if you are paranoid.
[23:45]<wjjmmwjjmlnacnz>btw, you don't have to limit echo-request and echo-reply, because Linux (and Solaris) limit it in the source code.
[23:50]<afnxnztnah>I'm going to post the iptables -L output in pastebin
[23:55]<afnxnztnah>http://pastebin.com/752505
[23:55]<afnxnztnah>WoodyWoodpecker, DerJamster , here is http://pastebin.com/752505
[23:59]<afnxnztnah>???