Log from #iptables at freenode 2006-07-27
[17:39]<afnxnztnah>I'm going to test from there
[17:40]<afnxnztnah>vice-versa, doesn't work :(
[17:42]<vyrn-vnzsr>AleXerTecH: check the rule counters again with iptables-save -c any changes?
[17:42]<afnxnztnah>vice-versa, WORKS!
[17:42]<afnxnztnah>finally
[17:43]<afnxnztnah>but why doesn't it work from my own machine?
[17:43]<vyrn-vnzsr>did you change anything?
[17:43]<afnxnztnah>nope
[17:43]<afnxnztnah>:S
[17:43]<afnxnztnah>it just works :S
[17:43]<vyrn-vnzsr>Think about your question for a second
[17:44]<vyrn-vnzsr>and the fact it works from elsewhere
[19:42]<fggyw|wjzc>Greetings
[19:42]<fggyw|wjzc>I have a question :) ... I want to use iptables to DNAT POP3/SMTP traffic from the internet to an internal host. How would I accomplish that?
[20:07]<fggyw|wjzc>anyone know where I can find a list of acceptable alpha values for tcp --dport?
[20:12]<fggyw|wjzc>Does IPTABLES translate alpha values (e.g. tcp --dport http) from services?
[20:19]<bfyssnwq>Fenix|work: what about trying it? :-)
[20:20]<fggyw|wjzc>Blissex2, I am going to try it... just don't want it to explode in my face hehe ...
[20:20]<fggyw|wjzc>I'm actually quite new to configuring netfilter natively... usually use something in front like shorewall.
[20:21]<dnzjzdsvnz>Fenix|work: it's worth it. :>
[20:21]<fggyw|wjzc>Blissex2, since you're here... mind if I ask a simple question?
[20:22]<bfyssnwq>Fenix|work: you can try :-)
[20:22]<dnzjzdsvnz>and no, I don't think it translates those. At least I've never read that -anywhere-.
[20:22]<fggyw|wjzc>if I DNAT POP3/SMTP ... the response from the mail server will come back through the same box, no?
[20:23]<fggyw|wjzc>I have mail traffic that I want to do the following :: Internet <---> DMZ <---> Internal
[22:05]<ssvnvn>Hi! Would this be enough to redirect all outbound traffic to go via port 9080?
[22:05]<ssvnvn>(I've got ip_forwarding on, eth0 on the WAN side and eth1 on the LAN side.)
[22:05]<ssvnvn>*nat
[22:05]<ssvnvn>:PREROUTING ACCEPT [0:0]
[22:05]<ssvnvn>:POSTROUTING ACCEPT [0:0]
[22:05]<ssvnvn>:OUTPUT ACCEPT [0:0]
[22:05]<ssvnvn>-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9080
[22:05]<ssvnvn>COMMIT
[22:25]<afnw>Hello everyone :)
[22:25]<afnw>Ooh, 'ello trappist. is lkf down for any reason in particular?
[22:27]<afnw>Anyway - to cut to the chase. I'd like to have NAT on my internal network, which works fine, but then I want to have say, one box, which is on an external IP. I have a /29, and I've followed an FAQ, which gave me the setup, as per http://server.alexsmith.org/firewall3.sh - thing is, if I set an internal box to 212.159.53.202, and its gateway to 212.159.53.201, it.. er.. "doesn't work" - ie, the packets don't go anywhere, not even to the gateway. Any ide
[22:31]<afnw>Whoops - I fear that may have gotten snipped at some point..
[23:03]<sw__>hello, I have iptables 1.3.5-r1 and I get "getsockopt failed strangely: No such file or directory" when trying to append a rule... is this problem based upon iptables?
[23:05]<fyguw_drgau>.
[23:08]<fyguw_drgau>sw__: as netfilter suggests... if the address is out of the pool, you get the getsockopt error..
[23:08]<fyguw_drgau>does it happen with only one particular rule, or any rule you try to append?
[23:08]<sw__># /sbin/iptables -i ppp0 -t filter -A INPUT -p tcp -d 88.73.209.108 -m multiport --sports 1024:65535 --dports 6880:6889 -j ACCEPT
[23:10]<sw__>i'm currently setting up my if-up/down.local scripts and the only rule that gets loaded is: $IPTABLES -t filter -A INPUT --protocol tcp --dport 113 -j REJECT
[23:11]<afnw>Hrm, I was hoping this would be a lot easier. :)
[23:11]<fyguw_drgau>sw__: don't mention -t filter
[23:11]<fyguw_drgau>try it without that
[23:11]<fyguw_drgau>what is it that you're trying to block anyway, in plain English?
[23:12]<sw__>I'm going to try to make the rule as easy as possible
[23:13]<fyguw_drgau>try something like this...
[23:14]<sw__>/sbin/iptables -A INPUT -p tcp -m multiport --dports 6880 -j ACCEPT <- didn't work for me
[23:14]<fyguw_drgau>same error?
[23:15]<sw__>yes, but the command is wrong
[23:15]<sw__># /sbin/iptables -A INPUT -p tcp --dport 6880 -j ACCEPT <- worked
[23:15]<fyguw_drgau>hmmm
[23:15]<fyguw_drgau>Check the modules that are loaded..
[23:15]<fyguw_drgau>lsmod | grep -i ipt
[23:17]<sw__>/sbin/iptables -i ppp0 -t filter -A INPUT -p tcp -d 88.73.209.108 --dport 6880:6889 -j ACCEPT <- did work too, checking modules
[23:18]<sw__>mhm, I nearly never compile modules, they are all inline: # lsmod
[23:18]<sw__>Module Size Used by
[23:18]<sw__>nvidia 4549652 20
[23:19]<fyguw_drgau>is it a customized kernel...
[23:19]<fyguw_drgau>?
[23:19]<fyguw_drgau>compiled from the source?
[23:19]<sw__>gentoo-sources
[23:20]<fyguw_drgau>what about the .config file? did you take it from /proc/config.tgz?
[23:20]<fyguw_drgau>or configured on your own?
[23:21]<fyguw_drgau>anyways..
[23:21]<sw__>http://rafb.net/paste/results/HnWYSd70.html <- my own config
[23:22]<fyguw_drgau>what is it that you're trying to accept?
[23:22]<sw__>< > recent match support <- could it be this?
[23:23]<fyguw_drgau>well.. as I understand it, for the -m match to work perfectly, it needs to have..
[23:23]<fyguw_drgau>the ipt_multiport module loaded
[23:23]<fyguw_drgau>I mean -m multiport
[23:25]<fyguw_drgau>your kernel config looks fine to me..
[23:25]<fyguw_drgau>you have compiled most of the needed ones
[23:26]<fyguw_drgau>can you explain what it is that you're trying to block... anyway?
[23:26]<fyguw_drgau>in plain English
[23:26]<fyguw_drgau>Sorry.. block=accept
[23:27]<sw__>I try to block everything (incoming), except bittorrent-in, and reject those port 113 identd requests
[23:28]<fyguw_drgau>well, if I were you.. I would have done something like this..
[23:28]<fyguw_drgau>iptables -t filter -A INPUT -s 0.0.0.0/0 -d <ur IP> -p tcp --dport <the ports to accept> -j ACCEPT
[23:29]<sw__>looks good :D
[23:29]<fyguw_drgau>and before that.. there will be a rule to block the --sport
[23:29]<sw__>ahh
[23:29]<fyguw_drgau>if needed
[23:30]<fyguw_drgau>well, maybe it's more sophisticated to have something like that.. but it depends.. you know, free world..
[23:30]<sw__>well, it's more a religious thing with those <= 1024 ports :)
[23:31]<fyguw_drgau>:)
[23:31]<fyguw_drgau>anyways
[23:31]<fyguw_drgau>bye
[23:31]<sw__>http://www.linuxarkivet.se/mlists/netfilter/0605/msg00099.html
[23:32]<sw__>t touch it :)
[23:32]<fyguw_drgau>lol.. I wish I could.. ain't a programmer :(
[23:33]<fyguw_drgau>he funny thing is, initially I didn't set the NO_SHARED_LIBS flag and iptables started up and gave me help, etc. But when I tried to set up a chain, it