Log from #iptables at freenode 2006-07-31
[00:13]<vyrn-vnzsr>Apachez: back....look into /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established value, default is 432000 (5 days)
[00:16]<rlraxne>yeah i know
[00:16]<rlraxne>but why ?
[00:16]<rlraxne>were they drunk when they wrote the net code for linux 1.x ? :P
[00:17]<rlraxne>"hey dude, what shall we set established timeout too?" "hell i dont know!" "eyh your muma!!!" "yo wiggah set it to 5 days ROFL that will make people wonder stuff on irc in 2006" :P
[00:19]<raympu>multi-homing is possible
[00:19]<raympu>only if your isp dont do reverse path filtering
[00:21]<raympu>and they never do reverse path filtering
[00:56]<afnw>Apachez: Yeah - an ATA (either using asterisk with a clever dialplan, or just a hardware ata)
[01:02]<rlraxne>Alex: what was the question again ? :P
[01:02]<afnw>17:05:36 < Alex> Er - if I'm having NAT problems with say, an ATA, would forwarding all ports over 1024 to it fix it, d'ya think? :)
[01:02]<rlraxne>one way is to enable logging and see which ports gets dropped
[01:02]<rlraxne>your ata might use a separate vlan from your isp
[01:02]<rlraxne>then you need to put it outside your firewall
[01:02]<afnw>Why would it be a separate vlan? What would cause that?
[01:04]<rlraxne>is your ata from your isp ?
[01:04]<rlraxne>some isps use separated vlans to prioritize the voip vlan over the "internet" vlan
[01:04]<afnw>No :)
[01:05]<rlraxne>ok then we can rule that part :)
[01:05]<rlraxne>just enable logging and see what your ata is trying to do and allow that traffic ?
[01:05]<afnw>I work for a VoIP provider - it's over our own network. It's using NAT helper stuff built into asterisk, but still drops the incoming after 7 seconds.
[01:06]<afnw>Thing is - it worked for a while, but the NAT thing seems to be the problem. I do have plenty of IPs, so I could bop it on its own, but.. that's not really ideal :)
[01:06]<rlraxne>why not setup the ata to only use a specific port ?
[01:07]<rlraxne>like udp 23223
[01:07]<afnw>I think this one needs a range..
[01:07]<rlraxne>and then forward that traffic to your ata's internal ip ?
[01:08]<afnw>Yeah, I'll give that a go probably..
[01:37]<raympu>Apachez, could you tell me how you get the AS number and network associated with it please ?
[01:38]<vjrmfyrr>troubleshooter [noun]: finding problems and shoot them down
[01:39]<vjrmfyrr>acidfu, fill in a request with your local ip registrar
[01:39]<vjrmfyrr>in europe it's RIPE
[01:39]<raympu>i think Apachez have a more easy and quick way to do it
[01:40]<vjrmfyrr>oh.. I think I misunderstood you, I thought you wanted to know how to get a new as number/ip network
[01:41]<raympu>ah ok, my english is not so good, sorry ;)
[01:45]<vjrmfyrr>do a google search with "autonomous system lookup", that might point to some lookup sites
[01:47]<rlraxne>?
[01:47]<rlraxne>look at www.ripe.net for info on how to obtain an AS number and get an ip range assigned to your AS
[01:47]<raympu>its not what I meant
[01:48]<raympu><Apachez> like your isp is:
[01:48]<raympu><Apachez> ASN: 8452
[01:48]<raympu><Apachez> ASN Name: TEDATA (TEDATA)
[01:48]<raympu><kimo> tedata!! I thought it was NOL
[01:48]<raympu><Apachez> IP address: 196.202.31.61
[01:49]<rlraxne>ahh
[01:49]<rlraxne>www.dnstuff.com
[01:49]<rlraxne>www.dnsstuff.com
[01:50]<rlraxne>and then in the middle "NEW! IP Information"
[01:50]<rlraxne>type the ip and click "lookup"
[01:50]<raympu>and to know all network block attributed to this AS ?
[01:53]<rlraxne>find a looking glass site with bgp option and type
[01:53]<rlraxne>show ip bgp reg _8642_
[01:53]<rlraxne>8642 is the as number you want to check up
[01:53]<rlraxne>i think just reg _8642_ is needed if you select bgp from an options box
[01:53]<rlraxne>or visit
[01:54]<rlraxne>http://bgp.potaroo.net/cgi-bin/as-report?as=AS8642
[01:54]<rlraxne>to see that in a more easy readable version
[01:55]<raympu>thanks a lot Apachez
[01:55]<raympu>:)
[01:56]<rlraxne>np
[01:58]<vjrmfyrr>hm I should start to learn something about routing protocols.. that's the internet-related subject I know the least about
[02:03]<rlraxne>a full bgp table takes something like 180 meg or so
[02:03]<rlraxne>so at least 256 meg is needed in the router if its going to hold a full bgp table
[02:03]<rlraxne>256 meg or so
[02:46]<wgzggac>well... the other machine can see the internet through the gateway, ping others, resolve hostnames, etc, but with some remote hosts it simply doesn't work... it waits for a response until timeout... someone here suggested updating the kernel, I'm using the latest 2.6 and the problem persists... any idea ?
[02:48]<wgzggac>by the way, here is what I'm using... http://deadbeefbabe.org/paste/1355
[03:09]<rlraxne>add logging rules at the bottom to see what happens
[03:27]<mzsrcj>ok I'm in a very messed up situation, I was messing with my iptables through webmin, I accidentally set my port 10000 to "do nothing" which should be accept, port 10000 is the webmin port, luckily the ssh port is open and I can login via ssh as root
[03:27]<mzsrcj>basically I need to know how to disable the firewall so I can go back into webmin and fix it
[03:29]<rlraxne>the quick and dirty way:
[03:29]<mrrynfmr>well, the easiest way is to restore a blank ruleset like this one: http://daniel.6dns.org/info/iptables/empty
[03:29]<rlraxne>iptables -P INPUT ACCEPT
[03:29]<rlraxne>iptables -P OUTPUT ACCEPT
[03:29]<mrrynfmr>or you can run those commands
[03:30]<rlraxne>but that will allow all packets back and forth
[03:30]<mzsrcj>so just type those into the command line?
[03:30]<mrrynfmr>don't forget iptables -F after those
[03:30]<rlraxne>but might be good enough for you to login the webmin and fix your bad thing and then change the default back to DROP
[03:30]<rlraxne>no need for iptables -F
[03:30]<rlraxne>unless you have some drop rules of course
[03:30]<rlraxne>but yeah
[03:30]<mrrynfmr>webmin might make drop rules
[03:30]<mzsrcj>alright thanks im going to try it now
[03:30]<rlraxne>iptables -P INPUT ACCEPT
[03:30]<rlraxne>iptables -P OUTPUT ACCEPT
[03:30]<rlraxne>iptables -F
[03:30]<rlraxne>iptables -X
[03:30]<rlraxne>iptables -Z
[03:31]<rlraxne>that will set default to allow all traffic and delete your current rules from memory
[03:31]<mzsrcj>the input output thing worked
[03:31]<mzsrcj>thanks
[03:31]<mzsrcj>i was about to kick myself in the ass for being so stupid
[03:32]<mrrynfmr>anyone know what happened to maxine (the bot)?
[03:36]<vjrmfyrr>he got fatally wounded
[03:36]<vjrmfyrr>nah, dunno
[03:38]<mrrynfmr>I've asked cj, hopefully it'll be back soon
[03:40]<wgzggac>Apachez: what do you suggest as logging rules for that ? I'm trying this but I get nothing: $IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j LOG --log-level 6 --log-prefix "iptables-nat "