Log from #iptables at freenode 2006-07-26
[01:00]<drnfvr_>iptables works from top to bottom, and terminates on the first rule that matches, right? so a catch-all block rule goes at the very bottom?
[01:01]<raympu>something like "default rules"?
[01:02]<raympu>yup, at the very bottom
[01:02]<drnfvr_>acidfu: yes. i want to block all packets not explicitly permitted.
[01:02]<drnfvr_>incoming, at least
[01:03]<raympu>I think that habitually people set the default policy to block
[01:03]<raympu>and then explicitly accept packets
[01:03]<rlraxne>default rules should be handled by the default policy
[01:03]<rlraxne>which should be set to drop
[01:04]<rlraxne>however it can be a good idea to log packets as the last entry
[01:04]<rlraxne>but log them along with limit to not flood the log engine
[01:12]<drnfvr_>Apachez: what do you mean? care to explain?
[01:14]<wjjmmwjjmlnacnz>He means to say, that if NO rule matches, the default rule (or fallback rule) is matched in any case.
[01:14]<wjjmmwjjmlnacnz>And he tells you to -j LOG --log-level ..... before you -j DROP things.
[01:15]<wjjmmwjjmlnacnz>s/things/packets/
[01:15]<rlraxne>mjelva_: http://www.tbg.nu/iptables.txt
[01:16]<raympu>in combination with something like -m limit --limit 3/second
[01:16]<wjjmmwjjmlnacnz>Oh yeah forgot to copy+paste that :D
[01:17]<raympu>Apachez, are you a netfilter developer?
[01:20]<rlraxne>nope
[01:21]<raympu>ok
[01:23]<drnfvr_>what is the iptables equivalent of packetfilter's 'keep state'?
[01:23]<drnfvr_>(allows replies to outbound connections etc)
[01:23]<raympu>you maybe mean -m state
[01:24]<raympu>which accesses the connection state to know the state of each packet
[01:25]<raympu>ESTABLISHED, NEW, INVALID and RELATED
[01:25]<wjjmmwjjmlnacnz>Apachez: Are your tcp recv/send windows randomly chosen because they are bigger than my untouched ones?
[01:25]<rlraxne>na
[01:25]<rlraxne>its 8 meg or something
[01:25]<wjjmmwjjmlnacnz>And btw, should I change the values on hosts too?
[01:25]<rlraxne>so they looked like a good idea to test
[01:25]<wjjmmwjjmlnacnz>So randomly.
[01:26]<wjjmmwjjmlnacnz>Ok, just wanted to check.
[01:26]<rlraxne>that's why i hope that the 2.8 kernel will have autotuned stuff
[01:26]<rlraxne>since I'm a bit tired of having to fiddle around with parameters from the mid-80s which are useless today when we have 100mbit as well as 1gbit ethernet
[01:27]<wjjmmwjjmlnacnz>True.
[01:28]<wjjmmwjjmlnacnz>My echo /proc/* stuff for iptables is much too long to remember from scratch :-/
[01:34]<rlraxne>i have nothing against the user having options to change settings
[01:34]<rlraxne>I'm just a bit "angry" that the default settings are fucked up for today's needs
[01:44]<wjjmmwjjmlnacnz>Well, then hope that we don't have to wait forever until 2.8 arrives @ www.kernel.org
[02:37]<drnfvr_>strange. i've set the default INPUT to DROP, but i can still ping the box. is this expected behaviour?
[02:47]<mrrynfmr>mjelva_: yes, if you have other rules above it
[02:48]<drnfvr_>danieldg: all my rules are below it.
[02:48]<mrrynfmr>um... the policy is always the last one
[02:48]<drnfvr_>policy should be at the very end?
[02:48]<mrrynfmr>doesn't matter. It gets acted on at the end
[02:48]<drnfvr_>okay.
[02:48]<mrrynfmr>put it at the top, yes
[02:49]<drnfvr_>that's what i've seen done in all the configs i've reviewed
[02:49]<drnfvr_>so that's what i did.
[02:49]<mrrynfmr>anyway, you must have another rule that's accepting the pings
[02:49]<drnfvr_>i think it's openwrt having some standard rules, that aren't flushed
[02:49]<drnfvr_>seems to me that not all rules are flushed
[02:57]<rlraxne>the "policy" is what the very last rule should be
[02:58]<rlraxne>so looking on matches the policy rule is always executed last
[02:58]<rlraxne>so in your case you probably have something like iptables -A INPUT -p icmp -j ACCEPT or similar in your code
[02:58]<rlraxne>you can check your current settings with iptables -L -n
[02:58]<rlraxne>and iptables -L -n -t nat
[02:59]<mrrynfmr>adding a -v will show more useful information, btw
[03:01]<rlraxne>yeah counters
[03:02]<mrrynfmr>and interfaces :)
[03:14]<drnfvr_>thanks, Apachez
[03:15]<drnfvr_>i figured it out. seems OpenWRT stores rules in two different files. one for default ones which "shouldn't be touched", and one for users to edit.
[10:43]<mzglrg>anyone know how to trace a packet that has been routed with 'ROUTE' in the mangle table
[10:43]<rlraxne>trace?
[10:45]<mzglrg>do you have an example of TRACE
[12:22]<mzglrg>can anyone tell me what happens to a packet after it has gone through -t mangle ROUTE
[12:27]<rlraxne>mangle route ?
[12:27]<rlraxne>sounds like a custom chain of yours ?
[12:46]<zzjzzzru>hi, i'm having massive problems on a routing server. i get tons of "ip_conntrack: table full, dropping packet", but when i check the conntrack table ("cat /proc/net/ip_conntrack | wc -l") it never has more than about 400-700 connections. i already tried raising the limit to various amounts but no diff. and the amount of traffic on all NICs is absolutely normal (quite low)
[12:47]<zzjzzzru>even bringing the NICs down and up again doesn't help. the only thing i can do is reboot. but i somehow need to find out the reason to fix it. any ideas anyone?
[12:51]<rlraxne>whats your /proc/sys/net/ipv4/ip_conntrack_max
[12:51]<rlraxne>?
[12:51]<zzjzzzru>16384 atm
[12:52]<rlraxne>hmm
[12:52]<rlraxne>you could try to up it
[12:52]<rlraxne># Maximum limit of ip_conntrack
[12:52]<rlraxne>echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
[12:53]<zzjzzzru>as i said it doesnt make a difference :(
[12:53]<rlraxne>http://www.tbg.nu/iptables.txt works for me
[12:53]<rlraxne>100/100 connection
[12:54]<zzjzzzru>are there any related settings that i may have missed to adjust?
[12:56]<rlraxne>check the txt file
[15:28]<drgau>Hi all geeks
[15:29]<drgau>.
[15:33]<drgau>clear
[15:51]<rlraxne>hi
[15:56]<drgau_>Hi
[15:57]<drgau_>clear
[17:12]<drgau_>clear