Log from #iptables at freenode 2006-08-07
[00:01]<anncysv>so... i should add the command you have given me to one of the firestarter scripts?
[00:02]<mrrynfmr>no
[00:03]<mrrynfmr>fix firestarter so it doesn't add the logging rules
[00:03]<anncysv>no? :(
[00:03]<mrrynfmr>or set up logging so it doesn't go to your console
[00:09]<igku2us>dan is there any tools you know of that i can use to scan a network for gateways?
[00:09]<igku2us>i can ping another ip on the network from my virtual machine \o/
[00:09]<igku2us>so it's routing out onto 87.106.13.x at least
[00:21]<asvygus->http://www.geek-pages.com/articles/latest/dd-wrt_-_setting_up_a_separate/isolated_vlan_on_port_4_with_dhcp_2.html, if i'm not entirely wrong these iptables rules are wrong if vlan1 and vlan2 are supposed to be isolated from each other?
[00:30]<wrdvd>any iptables gurus here?
[00:31]<mrrynfmr>no, they're all in #iptables :)
[00:32]<wrdvd>:)
[00:33]<wrdvd>let me ask my question daniel
[12:38]<nlmv>Hi! I want to set up iptables. Just to have a look at an example script (and trying that), I tried "iptables -t raw -L". I got the following error message "iptables v1.3.5: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)" - Any idea, what's missing?
[12:57]<slnnmdg>well, I'd guess for the table named 'raw'
[13:00]<nlmv>SpeedyG: I've found the description of this table in the man page, so this seems to be an internal table; probably some kernel patch is needed? Which?
[13:01]<bummxddr>epdv AFAIK there is no internal table called raw
[13:03]<slnnmdg>hmz, iptables -L -t raw shows me tables
[13:05]<bummxddr>let me check
[13:06]<nlmv>SpeedyG: I'm using 1.3.5, so it should not be a version problem. Seems I need some module (don't know which) or a kernel patch.
[13:06]<bummxddr>it shows prerouting and output table
[13:10]<nlmv>I've just found out: "# CONFIG_IP_NF_RAW is not set" :-(
[13:10]<nlmv>Thank You, guys :-)
[14:18]<asvygus->any paste links?
[14:30]<ayffnzdrax>in /var/log/firewall, I have DROP entries that show the SRC & DST IP addr as my machine for DPT=53,
[14:31]<ayffnzdrax>I am allowing DNS udp/53, why is it that other machines can query DNS on this box but it drops packets from itself??
[14:33]<ayffnzdrax>I do notice that these have "OUT=lo"; any other DNS packets are on "OUT=eth0"
[14:33]<rlraxne>usually you allow stuff to/from lo interface
[14:33]<rlraxne>that is when unix speaks with itself
[14:33]<rlraxne># So Filter can speak to itself (ie. when logserver is unreachable).
[14:33]<rlraxne>iptables -A INPUT -i lo -j ACCEPT
[14:33]<rlraxne>iptables -A OUTPUT -o lo -j ACCEPT
[14:33]<ayffnzdrax>Apachez: I agree, and my rules have been in place for weeks or more
[14:34]<asvygus->http://pastie.caboo.se/7526 <-- could somebody familiar with iptables look at the comments and questions i've made and kindly reply?
[14:35]<rlraxne>Astinus-: you need established as well
[14:36]<asvygus->yep that was one of the questions really :)
[14:36]<ayffnzdrax>Apachez: I am missing rules for "lo"
[14:37]<ayffnzdrax>thanks
[14:37]<asvygus->Apachez: offtopic: was the roborally game ever completed? :)
[14:38]<ayffnzdrax>question.. I block everything then follow with allow rules.. should these rules for local interface be anywhere particular? or just anywhere following my initial block ruleset?
[14:41]<asvygus->what happens to packets which do not match any rule?
[14:42]<rlraxne>Astinus-: ohh, thats like years ago :)
[14:42]<asvygus->:)
[14:42]<rlraxne>no unfortunately not... we had a "proof of concept" which we got our degree for
[14:42]<rlraxne>like a 3d demo, game engine, network code etc
[14:42]<rlraxne>so the game was up and running through the game engine
[14:43]<rlraxne>but we never had time to connect the game engine with the 3d engine
[14:43]<rlraxne>we also constructed a cad software in order to be able to easily create all objects
[14:43]<asvygus->nice ;)
[14:49]<ayffnzdrax>I placed them after my drop rules, it's working fine thanks Apachez
[14:50]<ayffnzdrax>is anyone else dropping packets from entire networks? is there a better way to do this?
[14:51]<ayffnzdrax>for a while I was blocking 8[0-5].0.0.0/8 then I found I actually have web clients who have customers in those networks .. go figure :)
[14:51]<rlraxne>like ipranges you mean ?
[14:52]<ayffnzdrax>yep
[14:52]<rlraxne>check the RESERVED list at http://www.tbg.nu/iptables.txt
[14:53]<slnnmdg>yeah, I was wondering what that list is for, IPs that can't connect to your external interface or something like that?
[14:54]<rlraxne>you can put in banned ips in that list if you wish
[14:54]<rlraxne>in my case that list is reserved ips which should not exist on the internet
[14:55]<rlraxne>so therefore I'm dropping such traffic
[14:55]<slnnmdg>everything that comes to OUTSIDE_DEVICE from those IPs is dropped you mean?
[14:56]<rlraxne>in my case yes
[14:56]<slnnmdg>ah
[14:57]<rlraxne>dropping spoofed addresses
[14:58]<slnnmdg>what is the best way for a firewall to allow ftp-access btw?
[14:59]<rlraxne>incoming ftp ?
[14:59]<rlraxne>or allowing outgoing ?
[15:00]<slnnmdg>incoming
[15:03]<ayffnzdrax>I have some win-server on the network where I colocate that fill my firewall log with SPT=67, and 32767, I'd like to NOT log these
[15:04]<ayffnzdrax>I notice you have INPUT,OUTPUT,FORWARD (only ones I have) and you have RESERVED, NETBIOS and others.. is this how I stop logging port 137 etc?
[15:05]<rlraxne>SpeedyG: just forward tcp 21 and the range your server uses for passive ftp
[15:05]<rlraxne>tcp 21 if you use default but you can use any port as login for ftp
[15:05]<slnnmdg>the range for passive has to be forwarded as well?
[15:05]<rlraxne>yup
[15:05]<rlraxne>since passive is like the login port initiated by the client
[15:05]<slnnmdg>hmz, then I guess I finally know why I can't connect passive to my server :)
[15:05]<rlraxne>active ftp (using default): client -> server tcp 21, server -> client tcp 20
[15:06]<slnnmdg>yeah, 20 is forwarded
[15:06]<rlraxne>this is of course bad if the client uses a firewall which won't return that incoming 20 to the client (if using iptables this can be fixed with conntrack_ftp and use RELATED)
[15:07]<rlraxne>passive ftp (using default): client -> server tcp21, server response with "eyh yo brotha, use 1234 for data", client -> server tcp1234
[15:07]<ayffnzdrax>Apachez: for SpeedyG what about insmod ip_conntrack_ftp kernel module?
[15:07]<ayffnzdrax>oh.. I see you got it
[15:07]<slnnmdg>os iptables -A PREROUTING -t nat -p tcp --dport 2000:3000 -j DNAT --to server_ip
[15:07]<slnnmdg>s/os/so/
[15:08]<rlraxne>SpeedyG: and a rule in FORWARD which will allow that traffic
[15:08]<rlraxne>in your prerouting you should add ip and interface as well
[15:09]<slnnmdg>hmz, /me logs and tries it later... no time atm. got to go
[15:09]<slnnmdg>thanks Apachez :) i'll be back with some more questions later I guess ;)