Log from #iptables at freenode 2006-07-24
[05:05]<prufwrd[w]>Hi all!
[05:06]<prufwrd[w]>Is it possible to have a rule that says something like "If an incoming packet has a port number 2511, change it to port 22" without using NAT?
[05:07]<mrrynfmr>no, that's pretty much the definition of NAT
[05:07]<mrrynfmr>you could write a mangle match to do that if you really wanted
[05:07]<prufwrd[w]>Hmmm. Now I need to understand NAT rules.
[05:07]<mrrynfmr>problem is the returning packets
[05:07]<prufwrd[w]>Ah, of course.
[05:08]<mrrynfmr>yeah, if you're just trying to avoid understanding NAT, well, understanding is easier than hacking around it ;)
[05:08]<prufwrd[w]>Maybe it's just better if I put the SSH server on 2511.
[05:09]<prufwrd[w]>I've been working with Fedora Core for a while writing simple INPUT rules, but haven't touched the hard core routing stuff.
[05:09]<prufwrd[w]>(Well, RH-Firewall-1-INPUT rules, of course :-)
[05:09]<mrrynfmr>a simple
[05:09]<mrrynfmr>REDIRECT rule is all you need
[05:09]<mrrynfmr>if it's on the local host
[05:10]<mrrynfmr>tutorial in the topic has a section on REDIRECT iirc
[05:12]<prufwrd[w]>Righto, I've been paging through the tutorial - it's rather verbose.
[05:12]<prufwrd[w]>But full of good stuff.
[05:17]<sdgracvyjg>what kind of hardware specs do all your dedicated firewall/router/gateways have?
[06:51]<svjdldnn>When I do an iptables -L, I just get headings - no rules.
[06:51]<svjdldnn>Does that mean I managed to wipe out my ruleset?
[06:51]<mrrynfmr>probably
[06:51]<svjdldnn>Where is the file on a Debian system?
[06:52]<mrrynfmr>no specific place - depends on the firewall packages, or where you put it
[06:52]<svjdldnn>I did try to add some rules, and then did an iptables-save.
[06:52]<mrrynfmr>iptables-save just outputs the ruleset to stdout
[06:52]<mrrynfmr>did you save it to a file?
[06:52]<svjdldnn>ah okay
[06:53]<svjdldnn>no, didn't save it.
[06:53]<mrrynfmr>well, then you'll have to redo it
[06:53]<svjdldnn>If I add in iptables -t nat -A PREROUTING -p tcp --dport 5900 -i ppp0 -j DNAT --to 192.168.1.20
[06:53]<mrrynfmr>use iptables -t nat -vL
[06:54]<svjdldnn>and then enter iptables -L, it's still empty
[06:54]<mrrynfmr>iptables -L implies iptables -t filter -L
[06:54]<mrrynfmr>and you're using -t nat for that rule
[06:55]<svjdldnn>okay one sec, let me try this again
[06:55]<svjdldnn>aha, there is some data there, thanks daniel!
[06:55]<mrrynfmr>yw
[06:56]<svjdldnn>Here is the output:
[06:56]<svjdldnn>pebble:~# iptables -t nat -vL
[06:56]<svjdldnn>Chain PREROUTING (policy ACCEPT 439 packets, 24041 bytes)
[06:56]<svjdldnn> pkts bytes target prot opt in out source destination
[06:56]<svjdldnn> 2 120 DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:5900 to:192.168.1.20
[06:56]<svjdldnn> 0 0 DNAT udp -- ppp0 any anywhere anywhere udp dpt:5900 to:192.168.1.20
[06:56]<svjdldnn> 0 0 DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:3283 to:192.168.1.20
[06:56]<svjdldnn> 0 0 DNAT udp -- ppp0 any anywhere anywhere udp dpt:5900 to:192.168.1.20
[06:56]<svjdldnn> 0 0 DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:5900 to:192.168.1.20
[06:56]<svjdldnn>Chain POSTROUTING (policy ACCEPT 13 packets, 1194 bytes)
[06:56]<svjdldnn> pkts bytes target prot opt in out source destination
[06:56]<svjdldnn> 5 264 MASQUERADE all -- any ppp0 anywhere anywhere
[06:56]<svjdldnn> 0 0 MASQUERADE all -- any ppp0 anywhere anywhere
[06:57]<svjdldnn>Chain OUTPUT (policy ACCEPT 10 packets, 1002 bytes)
[06:57]<svjdldnn> pkts bytes target prot opt in out source destination
[06:57]<svjdldnn>pebble:~#
[06:57]<svjdldnn>However, I still can't reach the VNC server.
[06:57]<mrrynfmr>looks like a lot of duplicates. And please don't paste long stuff in here, use a pastebin
[06:57]<svjdldnn>k, sorry
[06:57]<mrrynfmr>the VNC server is on 192.168.1.20. Where are you testing from?
[06:58]<svjdldnn>Trying to reach it from an Internet host
[06:59]<svjdldnn>The nat box has a ppp connection
[06:59]<svjdldnn>so I was trying to redirect anything from ppp0 to the internal vnc machine
[06:59]<mrrynfmr>the rules look correct, and there have been two attempts since you inserted them
[06:59]<svjdldnn>hmm
[07:00]<mrrynfmr>is the port open on 192.168.1.20?
[07:00]<svjdldnn>no firewall - it's just a windows box running a vnc server
[07:00]<mrrynfmr>also, can 192.168.1.20 access the internet?
[07:00]<svjdldnn>yes, it can, slowly...
[07:01]<svjdldnn>Is vnc finicky about low bandwidth?
[07:01]<mrrynfmr>slightly. It should still connect and look like it's working
[07:01]<mrrynfmr>it'll just be slow
[07:03]<svjdldnn>is there a standard name for the iptables file?
[07:03]<mrrynfmr>not that I know of. I put mine in /etc/network/iptables
[07:04]<mrrynfmr>then have /etc/network/interfaces run iptables-restore in a pre-up command
[07:09]<svjdldnn>not seeing anything there
[07:10]<mrrynfmr>that is the file where I stored the output of iptables-save
[07:22]<rvnffnf_>Does iptables -F flush all the rules in the nat and mangle tables?
[07:23]<mrrynfmr>no
[07:23]<mrrynfmr>use iptables -t nat -F
[07:23]<rvnffnf_>ok
[17:48]<srdnc>hello
[17:48]<rlraxne>btw... does anyone know if netfilter/iptables works better/faster on a routing/firewalling-only box if you enable the preemptive/realtime OS thingies in the 2.6 kernel?
[17:49]<srdnc>I have a problem.. when I run my iptables firewall script my box freezes (internet connection).. but on the other machine it works fine.. all normal
[17:50]<srdnc>does anyone know what could be the problem here?
[17:50]<srdnc>it freezes when script is flushing rules in the filter table.
[18:32]<wjjmmwjjmlnacnz>Apachez: Not that I know about. I only noticed more performance if I have _lots_ more I/O on a preemptive router.
[18:32]<wjjmmwjjmlnacnz>samek: You use iptables -F ?
[18:33]<rlraxne>WoodyWoodpecker: oki tnx
[18:36]<srdnc>WoodyWoodpecker: yes