Network: freenode, Channel: #iptables
Log from #iptables at freenode 2006-07-30
[00:28]<-- dvxn|syzzzyus xzs>http://www.bagdadsoftware.de")
[00:47]<-- gjmrm9ww_rwrd xrs>http:www.devmatrix.org")
[03:41]<rsmw>hi
[04:11]<rsmw>how do i disable the nat
[04:11]<rsmw>the kernel rule for doing nat
[05:21]<svnrfvx>I'm trying to port forward but it's not working on my client .. this is what I have http://rafb.net/paste/results/2vCPFJ29.html
[08:46]<mzsrcj>is an FTP server a TCP or UDP network protocol?
[08:50]<lnvmuj>tcp
[09:05]<mzsrcj>in my /etc/sysconfig I have 2 files that look the same content-wise, one called iptables and one called iptables.save. which one is the one I need to edit to modify my iptables?
[14:41]<-- gjdys__ wzs puyv>http://www.canon-europe.com/Support/Software/Linux/registration.asp")
[15:28]<-- 2yd2nzy xrs fuyv>http://iownmymusic.org/ http://iownmydvds.org/ .")
[17:26]<-- sgvgzs xzs fuyv (>/dev/brain")
[19:08]<afnw>Er - if I'm having NAT problems with say, an ATA, would forwarding all ports over 1024 to it fix it, d'ya think? :)
[19:15]<rlraxne>you mean a phonebox which is behind your firewall ?
[19:27]<rlraxne>hmm... in iptables... if I create a custom chain with only one rule... that will be a bad idea performance-wise in iptables right? I mean since that will give us a -j JUMPTOCUSTOM + DROP IF MATCH + RETURN IF NOT MATCH instead of just -j DROP IF MATCH ?
[19:35]<vyrn-vnzsr>does seem a little unnecessary...esp. if there is only ever going to be one rule in the custom chain
[19:46]<rlraxne>oki... that's good enough for me to remove that custom chain then and do the whole match in INPUT/OUTPUT/FORWARD instead :)
[22:18]<cydj>Hi, I have a question about a box running iptables to NAT connections. I suspect it will have 5k connections open. How much RAM would be required? (The machine is 3.0Ghz/1G RAM) would this be adequate ?
[22:27]<vyrn-vnzsr>kimo: yes
[22:27]<vyrn-vnzsr>cat /proc/sys/net/ipv4/ip_conntrack_max
[22:27]<cydj>I would need to change this right /
[22:28]<vyrn-vnzsr>that's the maximum number of connection tracking entries that can be handled simultaneously by netfilter in kernel memory
[22:28]<vyrn-vnzsr>kimo: what is it now?
[22:29]<cydj>sorry I don't have access to the server now
[22:30]<cydj>it's probably 16376 (RHEL default)
[22:31]<cydj>I wouldnt need to change that, right!
[22:31]<djzvgg>i have a web server on the local network. i need to be able to view the webpages from inside the LAN using the same ip as i would externally. i've tried setting up a firewall rule to translate requests for my external IP on port 80 from LAN to the local ip, but so far i'm not getting any love. if anyone can tell me what iptables rule to make this happen, it would make my day
[22:32]<vyrn-vnzsr>systems with 1GB or more of RAM, the default CONNTRACK_MAX value is 65536 (but can of course be set to more manually)
[22:32]<cydj>vice-versa: either value seems too big right! No need to change. Thanks though ...
[22:33]<rlraxne>isn't it 65535 ?
[22:33]<vyrn-vnzsr>kimo: ya, that's plenty for your needs, sorry thought that would be obvious ;)
[22:33]<rlraxne>and isn't 65k the largest value that attribute allows ?
[22:34]<cydj>Apachez: 65k is the largest ... :) How would I know .. I'm just a poor soul, not an iptables guru ;)
[22:34]<vyrn-vnzsr>ya typo, no it can be tweaked for more afaik
[22:35]<cydj>one more tough-for-me networking issue
[22:36]<cydj>I have two real IPs. Is it possible to send requests through IF1 (using forged IP of IF2) and receive all downloads (replies) through IF2 ?
[22:36]<rlraxne>kimo: I use these settings http://www.tbg.nu/iptables.txt and my firewall box uses approx 16meg of ram
[22:36]<rlraxne>even when I'm performing heavy bittorrent operations at 100/100 mbit/s :)
[22:37]<cydj>16M !! It's amazing how efficient this stuff can get. Thanks a lot
[22:37]<rlraxne>and i use conntrack max at 65k etc
[22:38]<vyrn-vnzsr>you can also tweak how long stale tcp connections hang around too if need be
[22:39]<vyrn-vnzsr>think the default is for something like 5 days
[22:39]<rlraxne>yeah
[22:39]<cydj>! wow
[22:39]<rlraxne>any ideas from where that value is originating ?
[22:40]<vyrn-vnzsr>I do, but I just stood up to go get supper, and I'm freaking starving....so when I'm back I'll continue
[22:41]<cydj>any idea about that 2 IP question!
[22:43]<rlraxne>i mean is it for compliance with pigeon protocol ? :P
[22:43]<rlraxne>5 days is even more than enough for pigeon protocol :P
[22:43]<rlraxne>kimo: not unless you use bgp
[22:43]<rlraxne>depending on how you mean with 2 ips
[22:45]<cydj>does this configuration even have a name, so I can google for it ?
[22:49]<rlraxne>multi-homing is the usual name of using two or more connections
[22:49]<rlraxne>but sending data on one interface and assuming to get that on another is not according to ethernet standards
[22:50]<rlraxne>that is because when nic1 sends data the router/switch will connect its sourceip with sourcemac
[22:50]<rlraxne>and the receiving side will send data back to the sourceip (now put in the destination ip field)
[22:50]<djzvgg>can anyone please help me out?
[22:50]<cydj>and if the originating source IP is forged?
[22:51]<rlraxne>when the router after all hops receives this frame it will see that this ip is located on interfaceX and send packet that way
[22:51]<rlraxne>when it arrives to the switch the switch knows which mac is on which interface
[22:51]<rlraxne>so your nic1 will get the data back
[22:51]<rlraxne>even if you forge the ip the router will pick up the mac source which was being used
[22:52]<rlraxne>a better idea is then to distribute the load on outgoing traffic
[22:52]<rlraxne>however this will only work for traffic that originates from your network
[22:52]<rlraxne>if you need 2x100Mbit and loadbalance between them I think it's a better idea to use link aggregation also named 802.3ad
[22:53]<rlraxne>that will make the two lines act as one
[22:53]<rlraxne>max speed will still be 100mbit for a single transmission
[22:53]<rlraxne>but the load will be spread among the lines which interacts in the link aggregation based on flow
[22:53]<cydj>the thing is, I have a satellite connection that downloads too fast, but uploads through a modem!! And another uploader friendly DSL line. I wanted to upload over DSL and get replies over satellite
[22:54]<rlraxne>usually 802.3ad has different modes on how to decide which line to use for a single transmission like sourceip, destip, sourceip+destip, sourcemac, destmac or source+destmac
[22:54]<rlraxne>i dont think you can do it that way
[22:54]<cydj>ahh
[22:55]<rlraxne>that is because if your isp has set up their network correctly they will in the accesswitch not allow bad ips
[22:55]<rlraxne>like ip 1.2.3.4 will only be allowed to exist on interface 10
[22:55]<cydj>they probably will not :)
[22:55]<rlraxne>if someone on interface 10 tries to send a packet with sourceip 1.2.3.2 it will just be dropped
[22:56]<majz2yg>When I startup my PPTP-based VPN, a bunch of iptables are being loaded, but I cannot really figure out where they're being loaded from. Any tips on finding such?
[22:56]<rlraxne>second, their peeringpartners will most likely have bgp filters which makes a check that a packet from your isp network cannot reach their peering/transit partners network if it has wrong sourceip which not belongs to this isp's iprange according to the routing tables
[22:57]<rlraxne>so ip-spoofing works only locally if the equipment is badly configured
[22:57]<cydj>ahh .. I get it, too bad
[22:58]<cydj>thanks a lot :)
[22:58]<rlraxne>np
[22:58]<rlraxne>another solution is if you do bgp/ospf routing against your isp
[22:58]<rlraxne>but then you need an AS number from ripe as well as an iprange, but then you wouldn't use satellite and stuff most likely if you already had AS etc :P
[22:59]<cydj>what's an AS?
[22:59]<rlraxne>Autonomous System
[22:59]<rlraxne>an id number which identifies an isp on the internet