Log from #iptables at freenode 2006-08-04
[07:33]<sdgracvyjg>so is it better to use iptables as a module or built right in the kernel?
[07:34]<sdgracvyjg>performance wise
[07:35]<rlsymns>once to module is initially loaded the performance issue is pretty much gone. and modules allow for easier trouble shooting in certain circumstances
[07:35]<rlsymns>to=the
[07:39]<rlsymns>security wise, it might even be more secure to compile it all into the kernel since you'd have no external modules that could be modified by an intruder...but that's pretty bad if it gets that far anyways
[11:21]<sjdgjgg_>hello, I have two interfaces, an internal and external, and on the external I want to make it so that anyone who tries to go to a certain public ip, then it gets redirected to a private IP instead, so: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -d 202.154.111.111 -j DNAT --to 192.168.3.51
[11:21]<sjdgjgg_>but it doesn't seem to be working, it ignores that rule (it's the only iptables rule I have) is that correct?
[11:21]<sjdgjgg_>it's only for that one host
[12:07]<efyenee->is there anybody?
[12:08]<efyenee->i wanna help
[12:08]<efyenee->:|
[12:12]<rlraxne>yeah
[12:13]<efyenee->see plz
[12:13]<efyenee->FATAL: Module ip_tables not found.
[12:13]<efyenee->iptables v1.3.5: can't initialize iptables table `filter'
[12:13]<efyenee->Table does not exist (do you need to insmod?)
[12:13]<efyenee->Perhaps iptables or your kernel needs to be upgraded.
[12:13]<efyenee->kernel 2.6.17.6
[12:14]<rnryv>alireza-: looks like you've done a "make oldconfig"
[12:15]<rnryv>alireza-: do a "make menuconfig" and activate xt_table and the filtering
[12:15]<efyenee->yep i know
[12:15]<efyenee->i activated xt_table
[12:16]<efyenee->in kernel
[12:16]<efyenee->and compile it
[12:16]<efyenee->with built in
[12:17]<efyenee->:|
[12:18]<rlraxne>is there some docs available for what each module in updated netfilter does ? Like not a whole book about each module but like "xt_module: needed for blbalbla"
[12:19]<efyenee->hmm
[12:19]<efyenee->now what can i do
[12:19]<efyenee->:/
[12:21]<efyenee->brb
[13:26]<nzzzyd>iptables -t filter -i eth0 -A INPUT -p udp --dport 60098 -m limit --limit 3/s -j ULOG --ulog-prefix "Skype"
[13:26]<nzzzyd>this rules
[13:26]<nzzzyd>log all the packets > 3 per second
[13:26]<nzzzyd>is correct ?
[13:34]<dnzjzdsvnz>no, that logs all < 3 for second methinks.
[13:34]<dnzjzdsvnz>you need !
[13:40]<rlraxne>limit will basically limit log entries to max 3 per second
[13:46]<nzzzyd>DerJamster: so i need to log
[13:47]<nzzzyd>all udp that arrive with frequency
[13:47]<nzzzyd>3-4 per second
[13:53]<nzzzyd>anyone could help ?
[13:55]<dnzjzdsvnz>egarim: I told you, use !
[13:56]<dnzjzdsvnz>-m limit --limit ! 3/s
[13:56]<nzzzyd>fuck
[13:56]<nzzzyd>i put
[13:56]<nzzzyd>-m limit --limit !3/s
[13:56]<nzzzyd>and gets error ;)
[13:56]<nzzzyd>iptables v1.3.3: limit does not support invert
[13:56]<nzzzyd>fuck!
[13:57]<dnzjzdsvnz>hmmh.
[13:59]<dnzjzdsvnz>hokay.
[14:00]<dnzjzdsvnz>iptables -t filter -i eth0 -A INPUT -p udp --dport 60098 -m limit --limit 3/s -j ACCEPT
[14:00]<dnzjzdsvnz>iptables -t filter -i eth0 -A INPUT -p udp --dport 60098 -j ULOG --ulog-prefix "Skype"
[14:00]<dnzjzdsvnz>try those two lines.
[14:04]<nzzzyd>wow it works
[14:04]<nzzzyd>i don't know why :D
[14:05]<nzzzyd>the first rule accept all udp connection > 3sec
[14:05]<nzzzyd>and the second log all
[14:05]<rlraxne>between
[14:05]<nzzzyd>but i think that the second should log also the others
[14:05]<rlraxne>why would one use ULOG instead of LOG ?
[14:06]<nzzzyd>Apachez: i store the log in a db
[14:06]<nzzzyd>with mysql
[14:07]<rlraxne>oki
[14:11]<nzzzyd>iptables -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
[14:11]<nzzzyd>iptables v1.3.3: no command specified
[14:11]<nzzzyd>Try `iptables -h' or 'iptables --help' for more information.
[14:11]<nzzzyd>why i get error ?
[14:11]<nzzzyd>it's the same rule that is in iptables help
[14:31]<nzzzyd>onone...
[15:01]<nzzzyd>iptables -A INPUT -p tcp --syn --dport 60022 -m connlimit --connlimit-above 2 -j REJECT
[15:01]<nzzzyd>iptables: No chain/target/match by that name
[15:01]<nzzzyd>why this ?
[15:14]<vyrn-vnzsr>egarim: missing connlimit support? iptables -m connlimit -h
[15:19]<axzyswwwq>I have a question regarding pppoe in linux, i need to know if tc scales well with it when you have 100's or 1000's of ppp interfaces
[17:47]<wjgs>hey
[17:49]<wjgs>i want to know how a NAT works in practice when it is routing connections, packets etc but i cant find the information any where
[17:52]<rlraxne>in what level ?
[17:53]<rlraxne>NAT itself just means that the source ip is altered and returning traffic has its destination ip altered
[17:53]<rlraxne>along with that you can have stateful inspection which will use statetables to find out if returning traffic is valid or not
[17:57]<wjgs>okay can you, by "opening" a connection to a host, create a valid statetable entry for it?
[17:59]<wjgs>by some sort of shady TCP handshake and a 3rd party to control it
[18:00]<rlraxne>the statetable in iptables has ehh 4 states: NEW, ESTABLISHED, RELATED and INVALID
[18:00]<rlraxne>a state is considered NEW when there is no previous entry for it in the statetable
[18:00]<rlraxne>the statetable is basically looking at srcip + srcport + dstip + dstport
[18:01]<rlraxne>so when someone on internal network sends a syn packet to external ip the statetable will consider this syn packet as NEW and store its src+srcport+dst+dstport in the table
[18:02]<wjgs>and if the host will send the same packet back
[18:02]<rlraxne>when the external ip then replies with a syn+ack it will get a hit in the statetable and the packet will be considered ESTABLISHED
[18:03]<wjgs>and you would have a direct connection with 2 NAT'd hosts?
[18:03]<rlraxne>which if you allow established packets back in it will be allowed and then processed by the postrouting which will switch the dest ip which was your external ip into the internal ip of the server/client who established this connection from inside
[18:03]<rlraxne>well if an external source sends a syn packet to your iptables box that packet will be considered "NEW" unless it already exists in the statetable