Log from #iptables at freenode 2006-08-03
[10:07]<faccau>I am having issues trying to allow all forwarding on ppp interfaces on my machine (trying to run pptpd on it). All I want to change in my firewall script is simply make it so all ppp interfaces can talk to each other. I have ip_forward enabled, and have accept on the ppp+ interface for the FORWARD, INPUT, and OUTPUT - what am I missing?
[10:30]<fyguw_drgau>lokkju: Is it that you are trying to share the connection to internal client?
[11:06]<czlcyzc>how can I measure connection sessions on an iptables-based firewall? I'm probably looking for some number in /proc?
[11:17]<rlraxne>you mean established connections which are being tracked by the conntrack module ?
[11:21]<czlcyzc>yes
[11:24]<czlcyzc>is it /proc/net/ip_conntrack ?
[11:24]<czlcyzc>and i could get the number in realtime by doing cat /proc/net/ip_conntrack |wc -l ?
[11:30]<rlraxne>yeah i think so
[11:36]<czlcyzc>Apachez: but this is only connections that the conntrack module is tracking, what about all the connections it doesn't track?
[11:41]<mmjmn>hi
[11:41]<drwygn>hello, dmode.
[11:41]<mmjmn>hello
[11:41]<drwygn>niihau, dmode.
[11:41]<mmjmn>i need some advice
[11:42]<mmjmn>I need help
[11:42]<mmjmn>can someone help?
[11:43]<rlraxne>Capkirk: what about them ?
[11:43]<rlraxne>Capkirk: it's only connections it tracks which occupy memory
[11:45]<czlcyzc>Apachez: I want to track all connections on a firewall, not only those which conntrack takes care of
[11:46]<mmjmn>ok, i have setup a proxy server, changed client pcs to new ip range and configured to proper proxy ip etc... my prob is since that all client pcs do not have direct internet connection, they cannot connect to an external pop3/smtp server... is there a way to handle this?
[11:46]<rlraxne>Capkirk: netstat -an ? :P
[11:46]<rlraxne>I mean packets which won't get tracked by conntrack are really of no use
[11:48]<czlcyzc>Apachez: they still take up kernel memory
[11:51]<mmjmn>anyone?
[11:52]<mmjmn>please heeeeeelp!
[11:53]<czlcyzc>dmode: relax :)
[11:55]<rlraxne>Capkirk: if they are not being tracked and do not exist in a wait state in netstat then they don't take up any kernel memory
[11:57]<mmjmn>i'm cool
[13:59]<sfurm_>Hey guys, is it possible to block out certain packets / parts of packets (eg. 05 49 27 59)
[14:01]<pjspjzj>Squad_: maybe using hitcount
[14:01]<pjspjzj>Squad_: but i am not sure
[14:02]<sfurm_>eh
[14:02]<sfurm_>Link
[14:03]<drxdr>hi
[14:03]<drwygn>niihau, yahya.
[14:03]<drxdr>what is niihau ?
[14:04]<drxdr>anybody knows what is NAT T
[14:05]<drxdr>anybody ?
[14:07]<drxdr>is NAT T supported by iptables ?
[14:07]<drxdr>anybody ?
[15:05]<vjdmd>hi guys, i'm resurrecting a project that i haven't looked at in a while. it uses the iptables QUEUE target to intercept incoming connections and flash dialogs up to the user offering to block the connection once from that host, always from that host, or accept it once or forever as well as an advanced window where you can just create normal rules based on the parameters of that connection.. thing is, i need to think of a good way to organise all these rules, does anyone know of anything 3rd party which i can use to organise my rules?
[15:08]<vjdmd>any other good ideas welcome too.. i've just got to the stage where i can see all the established connections by parsing /proc/net/tcp and map them to the processes which are using them using /proc/[0-9]+/fd , and it of course catches the incoming connections that aren't established.. i'm just a bit stuck on making it truly useful with proper organisation of the ruleset etc..
[15:09]<zzzj>How can i change the iptables rules without resetting the counters ?
[15:09]<vjdmd>it's all python based, using ipqueue for the netfilter queue stuff, and twisted for communication with the daemon and gui
[15:10]<vjdmd>don't know :/
[15:28]<2rfju>voidy, what is exactly the problem with rule organisation?
[15:30]<vjdmd>i just need to figure out how best to represent it in data structures, the code will then write itself :)
[15:32]<2rfju>well... if your code is desktop-based, then performance shouldn't be much of a problem, why not simply parse iptables-like rules one by one?
[15:32]<2rfju>if you need the best performance, try aho-corasick matching, as used in snort
[15:34]<vjdmd>well, the performance isn't such an issue, intuitiveness in coding is though..
[15:34]<vjdmd>i'll look into the aho-corasick stuff right now
[15:41]<2rfju>but it might be overkill for maybe 100 rules or less, also because you have only to consider port numbers, not text strings as in snort
[15:45]<vjdmd>i was just thinking that, not really so fussed about the syntax, or even interpreting the current rules as the program will take over the rules completely
[15:47]<vjdmd>i'm still interested in this algorithm, but not for any pragmatic reason :)
[16:06]<rlraxne>voidy: http://www.tbg.nu/iptablest.txt or what are you thinking about ?
[16:08]<vjdmd>that's a 404 for me,
[16:10]<vjdmd>Apachez, you sure that URL's correct?
[16:11]<vjdmd>how come it.nu and they all speak norwegian or something?
[16:12]<vjdmd>how come it's a .nu domain i mean
[16:13]<vjdmd>Apachez?
[16:14]<rlraxne>http://www.tbg.nu/iptables.txt
[16:14]<rlraxne>its correct once i spell it right :P
[16:14]<vjdmd>:)
[16:34]<2rfju>apachez, nice list of reserved netblocks... I'll probably merge that with my iptables script ;)
[16:35]<zzzj>How can i change the iptables rules without resetting the counters ?
[17:27]<vjzznyz>how do I specifically accept dns replies in OUTPUT-table?
[17:29]<2rfju>torgeir, do you have a DNS server running?
[17:29]<2rfju>just allow source port 53
[17:29]<vjzznyz>doesn't work
[17:29]<vjzznyz>-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
[17:30]<vjzznyz>-A INPUT -p udp -m udp --dport 53 -j ACCEPT
[17:30]<vjzznyz>and
[17:30]<vjzznyz>-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
[17:30]<vjzznyz>-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
[17:30]<vjzznyz>still blocks
[17:31]<2rfju>have you confirmed that dns replies really come from sport 53?
[17:32]<vjzznyz>no..so how to filter it then?
[17:32]<vjzznyz>that was my guess as well
[17:53]<vjzznyz>balou: found a solution.. set query-source address * port 53;
[17:53]<vjzznyz>in /etc/bind/named.conf.options
[19:18]<vzrllysv>BillieGDJoe: please turn that off.
[19:31]<hexrbyte>hi
[19:34]<hexrbyte>i'm trying to learn iptables
[19:35]<hexrbyte>and i've been looking for an option like "quick" in netbsd's ipf
[19:35]<hexrbyte>hm
[19:36]<hexrbyte>i want it to stop processing the rules after jumping to a target
[19:37]<hexrbyte>but I don't want to write two rules for each match...
[19:37]<fyguw_drgau>HEXaBYTE: what does quick do?
[19:38]<fyguw_drgau>HEXaBYTE: can you give an instance?
[19:38]<hexrbyte>an example:
[19:39]<hexrbyte>iptables -t mangle -A FORWARD -p tcp -d XXX.XXX.XXX.XXX -j MARK --set-mark Y
[19:39]<hexrbyte>if it matches, it will mark the packet