Log from #iptables at freenode 2006-07-28
[12:53]<dnzjzdsvnz>well, I have no idea when you want to receive them and when not, so..
[12:54]<iae-2od>thanks, np :)
[12:55]<afnw>crash3m|wrk: Thought you were up all night? ;)
[13:18]<-- svgvsdyzgjvr_ xrs>/dev/null")
[13:59]<zzzsx1d|wzc>Alex, still up
[14:00]<afnw>crash3m|wrk: Good lad. iptables. Fix.
[14:01]<afnw>:P
[14:20]<2nvrrdn>think you got what it takes to win? go to http://mldesigners.com/betgame/ to prove your worthiness!!
[15:25]<rlraxne>shoot
[15:26]<rlraxne>bu ftp you mean that you have an ftp server which you want others to access through your wall ?
[15:26]<rlraxne>bu=by
[15:31]<rlraxne>one way would be
[15:31]<rlraxne>iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[15:32]<rlraxne>iptables -A PREROUTING -t nat -i ${OUTSIDE_DEVICE} -p tcp -s 0/0 --sport 1024:65535 -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}
[15:33]<rlraxne>iptables -A FORWARD -i ${OUTSIDE_DEVICE} -p tcp -s 0/0 --sport 1024:65535 -d ${SERVER_IP} --dport 21 -m state --state NEW -j ACCEPT
[15:33]<rlraxne>this will just allow outbound connections and allow inbound tcp port 21
[15:33]<rlraxne>for passive ftp you need to forward the passive range as well, for example if your passive range is 3000->3099
[15:34]<rlraxne>iptables -A PREROUTING -t nat -i ${OUTSIDE_DEVICE} -p tcp -s 0/0 --sport 1024:65535 -d ${OUTSIDE_IP} --dport 3000:3099 -j DNAT --to ${SERVER_IP}
[15:34]<rlraxne>iptables -A FORWARD -i ${OUTSIDE_DEVICE} -p tcp -s 0/0 --sport 1024:65535 -d ${SERVER_IP} --dport 3000:3099 -m state --state NEW -j ACCEPT
[15:34]<rlraxne>you can take a look at http://www.tbg.nu/iptables.txt for ideas
[15:35]<rlraxne>what about it ?
[15:50]<afnw>http://www.ex-parrot.com/~pete/upside-down-ternet.html # ha
[16:11]<-- dvxn|syzzzyus xzs>http://www.bagdadsoftware.de")
[16:43]<pgzgmzjaap>hi, how do I allow multicast?
[17:59]<c_kjmn>yes. established are allowed. I think I need to allow incoming ports > 1024 from ftpserver
[18:25]<drvvx>with passive ftp why would you need a helper module ?
[18:25]<drvvx>you just allow incoming tcp/20 don't you ?
[18:31]<drvvx>well basically if your FORWARD policy is DROP, you need a -i eth0 -o eth1 -p tcp --dport 20:21 -j ACCEPT and a -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT, and the PREROUTING rule if you nat
[18:32]<drvvx>but I disagree with the --sport 20:21 --dport 1024:65535, I don't like that way of doing it. netfilter provides nat helpers and stateful filtering
[18:32]<drvvx>(just to be clear)
[18:36]<drvvx>yeah but that's a good way to learn about how ftp works and sucks in design ;)
[18:37]<drvvx>that could be fixed by replacing it with sftp though
[18:39]<drvvx>just gives to those windozes users winscp for instance
[18:39]<drvvx>It looks like worth the try
[18:40]<drvvx>you don't know about that app ?
[18:40]<drvvx>I thought about your customers
[18:41]<drvvx>no I'm speaking about the client app
[18:41]<drvvx>the server one is SSH/sftp-server
[18:41]<drvvx>and of course runs under *nix
[18:43]<drvvx>never tested that
[18:45]<drvvx>looks strange to me though as sftp-server is the "ftp" backend using SSH for transport
[18:46]<drvvx>I do not see the logic in coupling proftpd and sftp-server
[18:48]<drvvx>getting a UNIX account and having sftp access is something different
[18:49]<drvvx>but you don't have to if you use sshd/sftp-server
[18:51]<drvvx>I prefer having 22 open to outside than 20&21+nat helpers
[18:54]<drvvx>that is something different, I mean you cannot say SSH sucks I'll switch to a VPN solution
[18:55]<drvvx>well you probably have good reasons for setting up a VPN
[18:56]<drvvx>read it again
[18:58]<drvvx>admin panel ? you mean a web interface ?
[19:00]<drvvx>FYI, ssh can forward ports
[19:00]<drvvx>oki see ya, I stop the offtopic discussion for now then ;)
[19:01]<drvvx>my belly want to make me think that food time now here even if it's only 18h (france)
[19:02]<drvvx>s/that/that's/
[19:02]<drvvx>well oki you eat early then ;)
[19:14]<zjgvzzvggvjz>hi
[19:14]<zjgvzzvggvjz>how do I block all actions from one IP to my subnet ?
[19:15]<zjgvzzvggvjz>iptables -A INPUT -p all -s 10.0.1.23 -j DROP
[19:15]<zjgvzzvggvjz>not work aka
[19:15]<zjgvzzvggvjz>;/
[19:21]<faccau_wzc>I am trying to get iptables working with poptop (pptpd) on a debian system, and I just can not seem to get the rules correct. I have one interface all the way open, and if I come in on that interface, the pptp connection goes just fine. However, if I come in on my public interface, then it looks like GRE packets from the client to the server are being dropped. iptables and poptop/pptpd are on the same machine. I am currently allowing tcp port 1723 and protocol 47 through on the external interface... ideas?
[21:30]<r2rfajd2>I'd like to allow all incoming connected to a particular server, is this anywhere near correct?
[21:30]<r2rfajd2>iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out vlan2 -p tcp -d 209.66.67.135 --dport 1:65535 -j ACCEPT
[22:16]<wjjmmwjjmlnacnz>jbalcomb: If you don't have limited port ranges in use, don't use --dport 1:65535.
[22:16]<wjjmmwjjmlnacnz>You need stateful connection tracking, so add something with -m state --state ESTABLISHED,RELATED.
[22:16]<wjjmmwjjmlnacnz>And you need it in both directions btw.
[22:17]<afnxnztnah>hi everybody
[22:17]<afnxnztnah>I finished my script :D
[22:18]<afnxnztnah>its in http://pastebin.ca/104240
[22:18]<afnxnztnah>what do you think about ?
[22:18]<afnxnztnah>the comments are in spanish
[22:20]<r2rfajd2>WoodyWoodpecker: I do have something already, is this good for the other direction?
[22:20]<r2rfajd2>iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out vlan2 -m state --state ESTABLISHED,RELATED -j ACCEPT
[22:21]<afnxnztnah>I can't get the pings out of my machine
[22:21]<wjjmmwjjmlnacnz>jbalcomb: You need the same identical rules for -phy-in eth0 -phy-out vlan2 as well as for the -phy-in vlan2 -phy-out eth0
[22:21]<afnxnztnah>but if i do a ping to my machine, it works
[22:21]<wjjmmwjjmlnacnz>pings are ICMP
[22:21]<wjjmmwjjmlnacnz>You use -p tcp
[22:21]<afnxnztnah>WoodyWoodpecker, for the input table ?
[22:22]<wjjmmwjjmlnacnz>Depends. If you want to forward it, then use -A FORWARD.
[22:22]<afnxnztnah>WoodyWoodpecker, I want to make pings from my machine
[22:23]<wjjmmwjjmlnacnz>Then use -p icmp --icmp-type ...
[22:23]<wjjmmwjjmlnacnz>echo-request and echo-reply
[22:24]<wjjmmwjjmlnacnz>You don't have to limit echo-reply on linux and solaris, it is limited by default to 5/sec I think.
[22:24]<wjjmmwjjmlnacnz>Or 10/sec .... I don't know for sure.
[22:24]<afnxnztnah>done
[22:24]<afnxnztnah>perfect
[22:24]<afnxnztnah>thanks :D
[22:24]<wjjmmwjjmlnacnz>Wait.
[22:25]<wjjmmwjjmlnacnz>Show me the ruleset.