Log from #iptables at freenode 2006-08-06
[02:33]<gvdf_rgmd>I just need a quick little rule that will allow me to block DHCP Offers at the router...
[02:33]<gvdf_rgmd>I tried -i eth0 -p udp --dport 67:68 -j DROP
[02:33]<mrrynfmr>maxine: block port
[02:33]<drwygn>hmmm... block port is iptables -A INPUT -p tcp --dport $port -j REJECT; use FORWARD if it's for machines behind the firewall
[02:33]<mrrynfmr>you probably want OUTPUT, if this rule is on the DHCP server
[02:34]<gvdf_rgmd>no, this rule is on the router
[02:34]<gvdf_rgmd>I have 2 networks
[02:34]<gvdf_rgmd>my dad's, and mine
[02:34]<gvdf_rgmd>my dad's network runs dhcp, but I don't want it bleeding over into my network (which for some reason, it is)
[02:34]<mrrynfmr>are they bridged?
[02:34]<gvdf_rgmd>I have my own dhcp server
[02:34]<gvdf_rgmd>no, they're not
[02:35]<mrrynfmr>it shouldn't be able to leak. Checked the cables?
[02:35]<gvdf_rgmd>about to now...
[02:36]<gvdf_rgmd>cables seem ok...
[02:37]<gvdf_rgmd>that's weird
[02:37]<mrrynfmr>the networks are on different switches?
[02:37]<gvdf_rgmd>a managed switch
[02:37]<gvdf_rgmd>so, yes
[02:37]<gvdf_rgmd>it doesn't do vlans, it's more of a partitioning scheme
[02:37]<gvdf_rgmd>they're on separate partitions
[02:38]<mrrynfmr>you're sure that is working correctly then?
[02:39]<gvdf_rgmd>yeah, they're all partitioned correctly...
[02:40]<gvdf_rgmd>wait a sec... damn, I may have just b0rked something. I'll be back
[02:40]<gvdf_rgmd>thanks
[02:47]<igku2us>hi i'm having problems with a rule i've added
[02:47]<igku2us>it was working but now it doesn't seem to be
[02:47]<igku2us>they're listed in iptables -l
[02:47]<igku2us>i've tried flushing and re-adding to no avail
[02:47]<igku2us>can anyone help?
[02:48]<mrrynfmr>what's the rule, and what's the problem
[02:51]<igku2us>ok i have a vmware server running on a machine and i wanted to forward a port to it
[02:52]<igku2us>81 on the host to 80 on the virtual machine that has an ip of 172.16.208.128
[02:52]<igku2us>on the server i set the following rule
[02:52]<igku2us>iptables -t nat -A PREROUTING -p tcp -i eth0 -d 87.106.13.213 --dport 81 -j DNAT --to 172.16.208.128:80
[02:52]<igku2us>iptables -A FORWARD -p tcp -i eth0 -d 172.16.208.128 --dport 80 -j ACCEPT
[02:52]<igku2us>in iptables --list it's showing
[02:52]<igku2us>but i can't telnet to port 81 on 87.106.13.213 :(
[02:54]<gvdf_rgmd>danieldg, well, apparently, unless there's another wireless adapter in my house I don't know about (there isn't) dhcp is somehow leaking through my router
[02:54]<gvdf_rgmd>if you have a suggestion I'll try it, otherwise, I think I'm gonna wait on it...
[02:55]<gvdf_rgmd>and using -j reject on port 67 and 68 isn't working either... for some odd reason...
[02:55]<mrrynfmr>it's not going through your router
[02:57]<gvdf_rgmd>ok, so then I just have to track down a rogue cable somewhere?
[02:57]<mrrynfmr>probably
[02:57]<gvdf_rgmd>is there any way I COULD push dhcp through a router, or would that require a dhcpd repeater
[02:57]<mrrynfmr>you could try unplugging them all, and plug them in one by one to see which one causes the problem, but that's likely to be disruptive
[02:58]<gvdf_rgmd>heh, disruptions are ok, I run the network, my family is at my mercy. though I'll probably try that around 2amish
[02:58]<gvdf_rgmd>thanks
[02:58]<gvdf_rgmd>I appreciate it. so I assume then that DHCP runs with a TTL of 1 on its packets?
[02:58]<mrrynfmr>effectively. It uses broadcast
[02:58]<gvdf_rgmd>ok
[02:59]<gvdf_rgmd>I should remember this, I just tend to second guess myself
[02:59]<gvdf_rgmd>thanks again
[03:07]<igku2us>any ideas then dan? :)
[03:08]<mrrynfmr>InKubus: vmware may be acting weird with the DNAT rule... try adding an SNAT
[03:08]<mrrynfmr>maxine: snat needed
[03:08]<drwygn>snat needed is forwarding a connection to a host where the return packets do not pass through the iptables machine, you must change the source address with SNAT (or MASQUERADE) or the connection will fail. See <dmz example> for an example rule, or http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
[03:10]<igku2us>ok groovy
[03:10]<igku2us>brb gonna have a read
[03:10]<igku2us>thanks dan
[03:17]<igku2us>hmm dan
[03:17]<igku2us>i don't have a postrouting chain?
[03:17]<mrrynfmr>iptables -t nat -vL
[03:17]<igku2us>aha :)
[03:18]<igku2us>iptables -t nat -A POSTROUTING -p tcp --dst 81 --dport 80 -j SNAT --to-source 172.16.208.128
[03:18]<igku2us>look about right?
[03:20]<mrrynfmr>--dst is the IP, not the port
[03:20]<mrrynfmr>otherwise, yes
[03:20]<igku2us>thanks
[03:21]<igku2us>hmm
[03:21]<igku2us>isn't that mixed up?
[03:21]<igku2us>--dst should be the destination surely?
[03:22]<mrrynfmr>destination IP
[03:22]<igku2us>this example uses the lan ip (which i'm guessing was the destination) as the --to-source
[03:22]<igku2us>so you specify the same ip twice?
[03:26]<sym>What is a good nmap line I can use to scan myself on every port? I've never used nmap before. But I wanted to test my iptable rules
[03:27]<mrrynfmr>scanning yourself is usually not the greatest way to test
[03:27]<mrrynfmr>but you could just "nmap 127.0.0.1"
[03:29]<sym>danieldg: I'm scanning from the outside
[03:29]<mrrynfmr>ah
[03:30]<rlraxne>nmap -v -A -P0 ipnumber
[03:34]<igku2us>danieldg: iptables -t nat -A POSTROUTING -p tcp --dst 172.16.208.128 --dport 80 -j SNAT --to-source 172.16.208.128 doesn't seem to be working :(
[03:35]<mrrynfmr>oh - the --to-source needs to be the source of the iptables box
[03:35]<mrrynfmr>(the primary IP)
[03:36]<mrrynfmr>and --dst is the host which was DNATed
[03:36]<igku2us>okies
[03:36]<igku2us>so i should -F before i do this?
[03:37]<igku2us>i can't connect to 172.16.205.128 on port 80 now
[03:37]<igku2us>but i can on 21
[03:37]<mrrynfmr>yes, iptables -t nat -F
[03:38]<igku2us>ok i can connect on 80 now
[03:38]<igku2us>so apply my normal prerouting/forward rules
[03:39]<igku2us>then add the postroute
[03:39]<mrrynfmr>yes
[03:39]<rfygg_fzgrc>hi all
[03:41]<igku2us>still no luck i'm afraid
[03:41]<igku2us>iptables -t nat -A PREROUTING -p tcp -i eth0 -d 87.106.13.213 --dport 81 -j DNAT --to 172.16.208.128:80
[03:41]<igku2us>iptables -A FORWARD -p tcp -i eth0 -d 172.16.208.128 --dport 80 -j ACCEPT