Log from #iptables at freenode 2006-08-31
[00:01]<afnxnztnah>SiegeX, still dead!, if my client try to go to an ftp it doesnt work, also happens with the RSYNC :(
[00:01]<afnxnztnah>SiegeX, imap, web, an other things works nice
[00:02]<afnxnztnah>SiegeX, including all other ports it works, but the ftp and the rsync don't, and the ftp is one of the primary things that my net needs
[00:57]<synrnx>AlexerTech: modprobe ip_conntrack_ftp
[00:57]<synrnx>modprobe ip_conntrack_irc
[00:57]<synrnx>modprobe ip_conntrack_ftp
[00:57]<synrnx>modprobe ip_nat_ftp
[00:57]<synrnx>modprobe ip_nat_irc
[00:57]<synrnx>modprobe those 4
[00:57]<synrnx>put them in your script
[00:58]<synrnx>ftp probably doesnt work because the data channel and control channel for ftp are not the same port
[00:58]<synrnx>the ftp conntrack helper will realize this and allow it through with the RELATED state
[00:59]<synrnx>im out
[01:04]<nxysv>SiegeX
[01:04]<nxysv>$IPTABLES -t nat -A PREROUTING -p tcp -i ppp0 --dport 5555 -j DNAT --to 10.0.1.5
[01:04]<nxysv>IPTABLES -A FORWARD -p TCP -i ppp0 -o eth1 -d 10.0.1.5 --dport 5555 -j ACCEPT
[01:04]<nxysv>this is the nat rule for forwarding
[01:05]<nxysv>when i set the $IPT -A tcp_outbound -p TCP -s 10.0.1.5 --dport 1:65535 -j ACCEPT like this
[01:05]<nxysv>i can connect to server
[01:05]<mrrynfmr>maxine: state rule
[01:05]<drwygn>somebody said state rule was iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; do the same for FORWARD and OUTPUT if you plan to filter those; also see <invalid state>
[01:05]<nxysv>but when i set $IPT -A tcp_outbound -p TCP -s 10.0.1.5 --dport 5555 -j ACCEPT like this
[01:05]<nxysv>i can not connect
[01:05]<nxysv>why it can be?
[01:06]<mrrynfmr>do you have a state rule in your ruleset? otherwise you'd have to accept _s_port 5555
[01:06]<nxysv>state rule?
[01:06]<drwygn>well, state rule is iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; do the same for FORWARD and OUTPUT if you plan to filter those; also see <invalid state>
[01:07]<nxysv>$IPT -A INPUT -p ALL -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
[01:07]<mrrynfmr>you don't need the -i
[01:08]<nxysv>$IPT -A FORWARD -i $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
[01:08]<mrrynfmr>yes, that will work...
[01:08]<nxysv>but intif is the local interface i think it must be external interface
[01:09]<nxysv>is it the problem?
[01:09]<mrrynfmr>you can just remove the -i $IF part
[01:09]<nxysv>for forward?
[01:09]<mrrynfmr>yes
[01:09]<nxysv>ok .
[01:10]<nxysv>another question , when i write $IPT -A tcp_outbound -p TCP -s 10.0.1.5 --dport 21,22 ports like this iptables gives error
[01:10]<mrrynfmr>use either --dports 21:22 for a range
[01:11]<mrrynfmr>or -m multiport --dports 21,22 for a set
[01:11]<nxysv>ops
[01:11]<nxysv>thank you very much
[01:11]<nxysv>:)
[01:13]<2zypo>using iptables how would one set a DNZ route to an internal IP what would be the iptables line ?
[01:13]<nxysv>$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT i did this
[01:13]<mrrynfmr>maxine: forward port
[01:13]<drwygn>rumour has it forward port is iptables -t nat -A PREROUTING -i $inetInterface -p tcp --dport $port -j DNAT --to-destination $destip; see http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
[01:13]<nxysv>but still i cant connect to box unless i set the rule $IPT -A tcp_outbound -p TCP -s 10.0.1.5 --dport 1:65535 -j ACCEPT
[01:13]<mrrynfmr>brif8: ^^
[01:13]<nxysv>like this
[01:14]<mrrynfmr>eXiSt: is the state rule at the top? move it up in the ruleset
[01:14]<mrrynfmr>it should be before tcp_outbound's jump from FORWARD
[01:14]<2zypo>danieldg: ??
[01:15]<2zypo>eXiSt: where does one show the internal ip address ?
[01:15]<mrrynfmr>brif8: did you see what maxine posted?
[01:17]<nxysv>danieldg http://pastebin.ca/155216
[01:18]<`fyfn_znzlnz>help, i need to open ports 554 and 1755 to listen to music :/
[01:18]<nxysv>could you please check the script what is wrong for state rule
[01:18]<`fyfn_znzlnz>sorry?
[01:18]<2zypo>danieldg: yes I see what maxine posted but is there a ipt -A forward also with the -t nat -A prerouting ?
[01:19]<nxysv>`File_Reaper for ourgoing?
[01:19]<nxysv>outgoing
[01:19]<mrrynfmr>brif8: move line 154 up to line 143
[01:20]<mrrynfmr>brif8: yes, just allow the port in FORWARD. It's not needed if the FORWARD policy is ACCEPT
[01:20]<nxysv>danieldg i think u said it to me
[01:20]<`fyfn_znzlnz>incoming i think...
[01:20]<`fyfn_znzlnz>dunno really
[01:20]<nxysv>154 to 143
[01:20]<`fyfn_znzlnz>it says can't access port 554
[01:20]<mrrynfmr>oops, sorry, yes
[01:21]<mrrynfmr>maxine: allow port
[01:21]<drwygn>allow port is probably iptables -A INPUT -p tcp --dport $port -j ACCEPT; use FORWARD if it's for machines behind the firewall
[01:21]<mrrynfmr>`File_Reaper: I think that'll help you
[01:21]<2zypo>$iptables -A FORWARD -i eth0 -p tcp -j ACCEPT AND $iptables -t nat -A PREROUTING -i eth0 -p tcp -d public_IP -j DNAT --to-destination INT_IP will set an DNZ to INT_IP ?
[01:21]<mrrynfmr>brif8: yes
[01:22]<`fyfn_znzlnz>$port is 554 in this case right?
[01:22]<2zypo>thanks, is this still considered a NAT or not ?
[01:22]<mrrynfmr>`File_Reaper: yes
[01:22]<mrrynfmr>brif8: kind of, since it is translating addresses
[01:22]<2zypo>ok thanks
[01:23]<zzwffzdnz>hmm
[01:23]<zzwffzdnz>with that allow port part
[01:23]<zzwffzdnz>in maxine
[01:23]<zzwffzdnz>it also depends on the policy
[01:23]<zzwffzdnz>if the policy is DROP
[01:24]<zzwffzdnz>you also need -m state --state NEW,RELATED,ESTABLISHED
[01:24]<mrrynfmr>or, just a state rule
[01:27]<`fyfn_znzlnz>:( still no
[01:28]<mrrynfmr>`File_Reaper: are you behind another firewall/nat router?
[01:28]<`fyfn_znzlnz>router yes
[01:28]<`fyfn_znzlnz>firewall, FC's default
[01:28]<mrrynfmr>did you forward the port?
[01:29]<`fyfn_znzlnz>iptables: invalid argument
[01:29]<`fyfn_znzlnz>accept worked
[01:29]<`fyfn_znzlnz>forward didn't
[01:29]<mrrynfmr>no, forward it on the router
[01:29]<`fyfn_znzlnz>how do i do that?
[01:30]<mrrynfmr>look at your router's documentation
[01:30]<`fyfn_znzlnz>lol, they say linux is not supported :P
[01:30]<`fyfn_znzlnz>win only