Log from #iptables at freenode 2006-08-02
[00:37]<-- svgvsdyzgjvr xrs>/dev/null")
[00:46]<rlsymns>so pastebin is not working for me
[00:46]<rlsymns>root@server01:/home/apsides# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[00:46]<rlsymns>iptables: Unknown error 4294967295
[00:46]<rlsymns>any ideas?
[00:47]<dnzjzdsvnz>um..well..
[00:48]<dnzjzdsvnz>it's unknown :D
[00:48]<rlsymns>lol
[00:48]<rlsymns>how about the rule? does it look wrong?
[00:49]<dnzjzdsvnz>not really, no..looks a-okay.
[00:49]<dnzjzdsvnz>Weird.
[00:49]<rlsymns>i googled the error number too, not much help
[00:49]<dnzjzdsvnz>I didn't even know iptables could output such errors :P
[00:49]<rlsymns>haha
[00:49]<rlsymns>great!
[00:49]<rlsymns>a first
[00:50]<dnzjzdsvnz>hrm. What distro and/or iptables? self-compiled? Package-management?
[00:50]<dnzjzdsvnz>stock kernel or no?
[00:50]<rlsymns>slackware, custom kernel
[00:50]<rlsymns>self compiled
[00:50]<dnzjzdsvnz>hmmh.
[00:51]<rlsymns>i double checked all my modules too
[00:51]<rlsymns>all seems good
[00:51]<dnzjzdsvnz>hmh. Slackware goood. Usually. I have no idea :P
[00:51]<rlsymns>i'm spamming in ##slackware too now
[00:51]<rlsymns>we'll see
[00:54]<zj2wow0>apsides: what kernel version?
[00:54]<rlsymns>2.6.17.4
[00:54]<zj2wow0>There were some changes to x_tables and such in 2.6.17 - how did you do the config? menuconfig or oldconfig from older 2.6?
[00:54]<raympu>grep this number in your source file
[00:55]<rlsymns>i used menuconfig from a blank
[00:55]<raympu>and then send me the source file it match
[00:56]<rlsymns>i'll just redo my kernel
[00:56]<rlsymns>no big
[00:56]<zj2wow0>apsides: iptables 1.3.5?
[00:56]<rlsymns>robw810: indeed
[00:58]<zj2wow0>hmmm, make sure you've got all the necessary netfilter stuff enabled
[00:59]<raympu>4294967295 is habitually defined as the MAXINT
[01:06]<-- rjrvcxrrr xrs fuy>http://www.jpg.com")
[01:07]<rlsymns>i'm going to recompile with all iptables/nf stuff as y instead of m
[01:07]<rlsymns>see how that pans out
[01:44]<rlsymns>sweet
[01:44]<rlsymns>no mods, all compiled in...works fine
[01:44]<rlsymns>it must have not been loading one of the mods i needed
[04:37]<-- yvzn2zf xzs fuyv>Pronounce like It-Ree-Ball")
[04:42]<srmvxnbfrmnw>All right, need some help.
[04:42]<srmvxnbfrmnw>Two existing sites: 10.0.0.0/24, and 10.0.1.0/24
[04:43]<srmvxnbfrmnw>Connected together through a point to point T1 line
[04:43]<srmvxnbfrmnw>I'm adding a 10.0.2.0/24 site, connected to 10.0.1.0/24 via OpenVPN instead of a P2P T1
[04:44]<srmvxnbfrmnw>Initially, all I had to do to get 0.0/24 talking to 1.0/24 and vice-versa was throw in a single route on each computer
[04:44]<srmvxnbfrmnw>So, what do I need to do in order to have 2.0/24 access 0.0/24?
[04:45]<srmvxnbfrmnw>Routers are all at .1
[04:45]<srmvxnbfrmnw>And 2.1 can ping 1.10
[04:45]<srmvxnbfrmnw>But 2.200 can't ping 1.10
[04:45]<srmvxnbfrmnw>10.0.1.0 * 255.255.255.0 U 0 0 0 tun0
[04:46]<srmvxnbfrmnw>Even though it has the correct routing table entry
[04:46]<srmvxnbfrmnw>Ideas? Better ways to do this..?
[06:04]<ygsvr>Can you guys see anything in this script that might prevent clients from accessing mounts on this machine? I'm using my NFS server for a router as well. http://pastebin.ca/111009
[06:05]<ygsvr>I got this list from a tutorial on linux firewalls. I'm still an iptables newbie ... and I'm pretty sure there's a rule in there which is halting NFS (UDP?) traffic.
[06:06]<ygsvr>Because without iptables rules, and relying on a Linksys to do the routing and gateway, NFS works like clockwork.
[06:33]<vyrn-vnzsr>insta: try adding some logging rules before your INPUT DROP and see if anything obvious arises from that
[06:36]<ygsvr>vice-versa: Something like iptables -A INPUT -j LOG ?
[06:36]<vyrn-vnzsr>yes
[06:37]<ygsvr>... where does this log to?
[06:38]<vyrn-vnzsr>system logger kernel messages
[06:39]<zj2wow0>insta: I haven't looked at your ruleset, but unless you've got the NFS daemons bound to specific ports, *or* you've got something in userspace to parse rpcinfo -p output after starting the NFS server, and that something alters iptables rules, then nfs is going to be problematic
[06:40]<zj2wow0>RPC uses random (more or less) port assignments, so they won't be consistent between NFS restarts / server reboots
[06:40]<zj2wow0>If that's your problem, you might find this useful: http://howtos.rlworkman.net/NFS_Firewall_HOWTO
[06:42]<mrrynfmr>maxine: NFS uses RPC to find its ports, which are dynamic on each NFS server restart. See http://howtos.rlworkman.net/NFS_Firewall_HOWTO
[06:42]<drwygn>OK, danieldg.
[06:42]<mrrynfmr>oops...
[06:44]<mrrynfmr>maxine: nfs
[06:45]<drwygn>NFS uses RPC to find its ports, which are dynamic on each NFS server restart. See http://howtos.rlworkman.net/NFS_Firewall_HOWTO to make it bind to specific ports
[06:45]<zj2wow0>danieldg: thanks :)
[06:45]<ygsvr>Well, the ruleset that I have should be pretty simple, as far as I can tell
[06:46]<mzsrcj>im trying to execute my iptables script, every time i get this: # ./iptables_script
[06:46]<mzsrcj>iptables: No chain/target/match by that name. im not sure how or why i get it, but it causes all my ports to close up. i have a cronjob that runs every 5 minutes that opens the ports so im able to get back in, but i dont understand why i cant execute this?
[06:47]<mrrynfmr>figure out which command makes that error
[06:49]<mzsrcj>my script is very basic i dont see what could be wrong with it http://mrsako.pastebin.ca/111065
[06:49]<mrrynfmr>it's likely the problem is in your kernel
[06:50]<mrrynfmr>does dmesg have any information that looks related?
[06:50]<zj2wow0>-p TCP should be -p tcp
[06:50]<zj2wow0>(in the last line)
[06:50]<zj2wow0>and you need to uncomment your EST/REL line
[06:51]<mrrynfmr>what kernel? can you load the ipt_state module?
[06:52]<mzsrcj>ive been having issues with using rules that involve states in it im gonna uncomment that line
[06:52]<zj2wow0>MrSako: unless you fix this line: $IPT -A INPUT -p TCP -m multiport --dports \
[06:52]<zj2wow0>It won't matter - change that TCP to tcp
[06:52]<mzsrcj>so just the tcp should be lowercase
[06:52]<zj2wow0>Yes
[06:53]<zj2wow0>You might have *two* problems - but that's definitely *one* of them
[06:53]<mzsrcj>i just executed again and got the same thing
[06:53]<mzsrcj>oh should i take out the --state NEW part
[06:54]<zj2wow0>oh, yes
[06:54]<zj2wow0>I missed that