Log from #iptables at freenode 2006-07-31
[03:41]<zzwffzdnz>!seen maxine
[03:42]<mrrynfmr>died in the netsplits on 20060719
[03:42]<zzwffzdnz>:\
[04:16]<rlraxne>vice-versa: i have updated http://www.tbg.nu/iptables.txt basically speed optimizations (normalized stuff from custom chains out to the main chains, like the preroute_tcp and forward_tcp stuff (the rule which looks for a jump into custom chain is more specific now))
[04:27]<rrsjg__>I'm trying to forward traffic from one interface to another to send traffic across a VPN tunnel. For the life of me I can't seem to figure it out.
[04:28]<mrrynfmr>iptables doesn't forward traffic; the route table does that
[04:28]<mrrynfmr>iptables just allows/denys it
[04:28]<rrsjg__>Well, thats more information than I had before. Do you know what kind of route I would need to set up?
[04:29]<rrsjg__>route add -net 192.168.2.0 netmask 255.255.255.0 gw tun0 ? or something like that
[04:29]<mrrynfmr>do you want all traffic to go through the tunnel?
[04:29]<mrrynfmr>or just a specific destination net?
[04:29]<rrsjg__>basically just my IP phone. IP 192.168.1.100
[04:29]<rrsjg__>err 2.100
[04:29]<mrrynfmr>I think that command looks right then
[04:30]<rlraxne>if its possible try to set ACCEPT as default policy for your iptables
[04:31]<rlraxne>so you know that the routes etc is alright
[04:31]<mrrynfmr>you can also use 'ip route get' to test the routes
[04:31]<rlraxne>and then enable logging to see exactly in which chain and for which protocol + port/range you need to allow traffic so your ip phone works
[04:32]<rrsjg__>Alright. Ill look into it a bit more and then get back to you guys. Thanks for the help.
[04:41]<rrsjg__>That didn't seem to work. I feel like im in over my head with this whole routing thing :-/
[04:43]<mrrynfmr>what is the output of 'ip route get 192.168.2.100'?
[04:44]<rrsjg__> 192.168.2.100 dev eth1 src 192.168.2.12
[04:44]<rrsjg__> cache mtu 1500 advmss 1460 hoplimit 64
[04:44]<mrrynfmr>ok, it's still being routed via eth1
[04:45]<mrrynfmr>try 'ip route add 192.168.2.0/24 dev tun0'
[04:47]<rrsjg__>It is saying no such device for tun0. I just ran ifconfig and it clearly exists though.
[04:48]<mrrynfmr>is it up?
[04:48]<rlraxne>otherwise it shouldnt be visible in ifconfig ?
[04:48]<rrsjg__>yes. because I see it when i just do ifconfig with no options. But i tried ifconfig tun0 up (no errors) and then ran the route again and still got the error
[04:49]<mrrynfmr>hmm
[04:55]<rrsjg__>I think I'm gonna just set up Asterisk to Asterisk to get around the need for the routing. Its probably overkill but I think it will work.
[06:39]<azvydus>I've got two LAN interfaces in a server. I need IP Forwarding enabled to forward from a LAN interface to the internet. How do I prevent traffic from going between the two LAN interfaces?
[06:40]<oz2rg>block dstip to the opposing lanif if coming from one lanif
[06:41]<azvydus>Which chain would that fall under?
[06:43]<oz2rg>i believe that would be PREROUTING...
[06:54]<azvydus>... Do iptables rules not work with multiple IP addresses? I've got eth1:1, eth1:2, etc. Iptables spits out warnings about "wierd characters in interface"
[06:54]<mrrynfmr>you can't use :1 interfaces
[06:54]<mrrynfmr>just use eth1
[06:54]<mrrynfmr>eth1:1 doesn't really exist
[06:56]<mzsrcj>my iptables default action is deny, and i wanna open port 80 for my http apache server, does this line look right? -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT my website wont load, my httpd.conf file shows its listening on port 80
[06:57]<mrrynfmr>MrSako: check for other rules above that one
[06:57]<mzsrcj>could i make a pastebin and could you look at it?
[06:59]<mzsrcj>http://mrsako.pastebin.ca/107808
[06:59]<mzsrcj>right now its pretty basic and i dont see what could be wrong
[07:02]<mzsrcj>btw port 10000 isnt working either
[07:02]<mzsrcj>but the ssh one is working
[07:05]<mrrynfmr>MrSako: looks fine to me
[07:06]<mrrynfmr>is the HTTP server on the same host as this firewall?
[07:06]<mzsrcj>yes
[07:06]<mzsrcj>everything that this firewall is for is all one one machine
[07:06]<mrrynfmr>do any of the rules have nonzero counter in iptables-save -c?
[07:08]<mzsrcj>?
[07:08]<mzsrcj>im really new to this
[07:08]<mrrynfmr>run iptables-save -c
[07:08]<mrrynfmr>look at the counters of the rules (stuff in [])
[07:09]<mzsrcj>only ones with 0:0 are the FORWARD ones
[07:09]<mrrynfmr>ok... it should be working then
[07:10]<mrrynfmr>actually, you should have a state rule in there
[07:10]<azvydus>danieldg: I've been messing around with rules for a while. I can't stop the traffic from going between interfaces... Could you give me an example of stopping the forwarding of traffic between two interfaces?
[07:10]<mrrynfmr>MrSako: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[07:10]<mrrynfmr>Artimus: block it in FORWARD; -i eth1 -o eth2 -j DROP
[07:11]<azvydus>danieldg: I don't have an eth2...
[07:11]<azvydus>That's why I ran into trouble the first time
[07:11]<azvydus>I've got multiple IP's bound
[07:11]<mrrynfmr>that's an example...
[07:11]<mrrynfmr>oh
[07:11]<mrrynfmr>you'd have to use IPs
[07:11]<mrrynfmr>-i eth1 -o eth1 -s IPRANGE1 -d IPRANGE2
[07:12]<azvydus>I did that, but without devices options
[07:12]<mrrynfmr>that'll work
[07:12]<azvydus>They can still ping...
[07:12]<mrrynfmr>are the pings even going through the firewall?
[07:12]<mrrynfmr>they might be pinging directly
[07:12]<azvydus>How could they?
[07:13]<azvydus>172.16.0.1 should not be able to ping 172.16.1.1, correct?
[07:13]<mrrynfmr>by pinging one another...
[07:13]<mrrynfmr>I think linux will send ICMP reroutes
[07:13]<mrrynfmr>not sure - try a packet sniffer to see if they're going through
[07:14]<mrrynfmr>(of course, those ranges can ping one another if you have a 255.255.0.0 netmask, but I was assuming /24)
[07:14]<azvydus>...
[07:14]<azvydus>I was always told that 172.16.0.1 and 172.16.1.1 (etc) could not ping, regardless of subnets
[07:15]<mrrynfmr>that's wrong
[07:15]<azvydus>alright, subnetting it is
[07:22]<mzsrcj>when i tried to apply the thing with the related and establish states i got this error
[07:22]<mzsrcj>Applying iptables firewall rules: iptables-restore: line 28 failed
[07:22]<mrrynfmr>hmm. try modprobe ipt_state
[07:22]<mrrynfmr>what kernel?
[07:23]<mzsrcj>im not sure what kernel it is, its CentOS 4
[07:23]<mrrynfmr>uname -a
[07:23]<mrrynfmr>that'll tell you the kernel
[07:23]<mzsrcj>Linux vps.gofastgaming.com 2.6.8-022stab070.9-smp #1 SMP Thu Apr 20 10:35:42 MSD 2006 i686 i686 i386 GNU/Linux
[07:24]<mrrynfmr>does /proc/net/ip_conntrack exist?
[07:24]<mzsrcj>no
[07:24]<mrrynfmr>modprobe ip_conntrack
[07:25]<mzsrcj>ok, it didnt return anything
[07:25]<mrrynfmr>does /proc/net/ip_conntrack exist now?
[07:26]<mzsrcj>no
[07:26]<mrrynfmr>:/
[07:26]<mzsrcj>and apparently it doesnt exist anywhere on the machine :{