Log from #iptables at freenode 2006-09-02
[00:00]<pypj_>hey thanks!
[00:02]<pypj_>what is the bloody difference between the two
[00:02]<pypj_>I can't believe I didn't see it in the man page though
[00:03]<pypj_>it's right below it
[00:03]<pypj_>just shows you huh
[00:03]<pypj_>open your buffers fifo_!!!
[00:54]<rsufrj>hi. can't get -m recent to work
[00:54]<rsufrj>tried this:
[00:54]<rsufrj>iptables -A INPUT -p tcp -dport http --syn -m recent --name http_conns --update --seconds 10 --hitcount 1 -j DROP
[00:54]<rsufrj>I expected it to limit 1 http connection per 10 seconds
[00:54]<rsufrj>but it doesn't
[00:55]<rsufrj>what's wrong?
[00:55]<zj2wow0>Is that the only rule you have?
[00:56]<rsufrj>no, but it's placed correctly in the chain, if that's what you mean
[00:56]<rsufrj>that's the only -m recent rule
[00:57]<zj2wow0>iptables -A INPUT -p tcp --dport http --syn -m recent --set --name http_conns -j ACCEPT
[00:57]<zj2wow0>after the rule you have
[00:57]<zj2wow0>Bear in mind: I don't think you really want what you think you want, but...
[00:58]<rsufrj>ok, I tried to place it first in chain... iptables -I INPUT 1 ......
[00:58]<rsufrj>doesn't work either
[00:58]<zj2wow0>the --update rule must be first, the --set rule second
[00:58]<rsufrj>what do you mean that I don't want what you think I want?
[00:59]<rsufrj>I didn't insert a --set rule because of what the tutorial above says
[00:59]<zj2wow0>It doesn't matter - if it works for you, then fine
[00:59]<rsufrj>"This match is true if the source combination is available in the specified list and it also updates the last-seen time in the list. "
[00:59]<rsufrj>it doesn't work
[01:00]<zj2wow0>Yeah, but if the list doesn't exist because you didn't create it, then what?
[01:00]<rsufrj>oops, true, embarrassing
[01:01]<zj2wow0>:)
[01:01]<zj2wow0>Good luck; I'm heading home :)
[01:01]<rsufrj>however, the doc doesn't specify that --set creates the list and --update doesn't
[01:02]<_synrnx>$IPTABLES -t nat -A CHECK_RECENT -m recent --update --seconds 15 -m limit --limit 2/second --limit-burst 5 -j ULOG --ulog-prefix "[RECENT DROP]: "
[01:02]<_synrnx>$IPTABLES -t nat -A CHECK_RECENT -m recent --update --seconds 15 -j DROP
[01:02]<_synrnx>I'm thinking I shouldn't use the --update on the LOG rule
[01:03]<_synrnx>probably not a big deal but unnecessary i think
[01:05]<_synrnx>i basically use this method so that if i want to limit consecutive hits on another port i just need to add it to the 1st rule with the multiport match--> http://rafb.net/paste/results/hzwoXl23.html
[01:05]<_synrnx>its sorta like a pre-filtering
[01:06]<_synrnx>i still may drop it later on even if it passes that test
[01:08]<rsufrj>oki... I added a --set after the --update, it works, but the iptables counters for the DROP (--update) rule I typed above are set to 0, although obviously new conns are being dropped because of it
[01:08]<rsufrj>no, sorry wrong, I forgot to erase the -I INPUT 1 I inserted before to test
[01:08]<rsufrj>everything's ok, thanks.
[01:13]<_synrnx>i wonder what ! --update or ! --remove does
[01:14]<_synrnx>! --rcheck makes sense
[01:15]<rsufrj>I guess that remove just searches for IP in list, if it doesn't find it then it removes it
[01:15]<rsufrj>xD
[01:16]<rsufrj>no, maybe it makes more sense, if it affects its return value
[01:16]<rsufrj>by the way, I haven't used multiple -m in single rule, but what does it do? AND or OR the results??
[01:22]<mcz>any of you ever use the ROUTE target for iptables? I'm getting "Unknown arg `--gw'" which the man page says is valid. but I don't see a ipt_ROUTE module, maybe that is why?
[01:24]<mcz>I guess I should use the mangle/-j MARK method, but I saw the ROUTE target there in man page and it looked like it did just what i wanted to do, :)
[01:30]<drvvx>ROUTE target is in pom
[01:31]<mcz>what is "pom"?
[01:31]<drvvx>http://netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-ROUTE
[01:32]<mcz>netfilter.org needs a search option, :)
[01:32]<mcz>thanks
[01:34]<mcz>incidentally, unrelated issue, I was rewriting my firewall script and was wondering if doing stuff like this is sane:
[01:34]<mcz>iptables -A PREROUTING -t nat -j DNAT -m multiport -p tcp -i $DMZ_IF -d $TUNNEL --to $REI_INT:22 --dports 22,80,443
[01:34]<mcz>essentially just aggregating multiple port forwarding rules into one rule if they all end up at the same place
[01:35]<mcz>my testing failed miserably, though, and I had to revert to old script before I messed up our network for too long, :)
[01:35]<rsufrj>bye, night people, and thanks again for helping.
[01:37]<drvvx>dkr: you better use -m multiport, see the man for more info
[01:37]<mcz>I did
[01:38]<mcz>incidentally, -m mport didn't work as the man page indicated it would. I had to spell out multiport (even after symlinking or copying the library to the shorter name)
[01:39]<drvvx>what's in the man does not reflect your conf
[01:40]<mcz>that turns out to be a distro issue. my debian server has ipt_mport, but not my ubuntu or fedora boxes
[01:41]<olggmraggws>hi. i run iptables on a linksys router. for a long time, i've used rules such as:
[01:41]<olggmraggws> iptables -v -A INPUT -i ppp0 -p tcp -m tcp -m multiport --dports 445,554,901,111,4899,1080,8000 -j DROP
[01:41]<olggmraggws>after a recent firmware upgrade, that same rule now reports:
[01:41]<olggmraggws> DROP tcp opt -- in ppp0 out * 0.0.0.0/0 -> 0.0.0.0/0 tcp multiport dports 445,554,901,111,4899,1080,8000
[01:41]<olggmraggws> iptables: Unknown error -1
[01:41]<olggmraggws>any advice what to do / where to start looking?
[01:42]<mcz>-pm tcp? shouldn't that be -p tcp
[01:42]<mcz>er, -m tcp
[01:43]<mcz>oh, nevermind, -m tcp is just redundant because -p tcp already loads the tcp module. obviously not source of the problem
[01:44]<tdbnzr>OpenMacNews: Tried without -v?
[01:44]<olggmraggws>TmBerg: sure. w/o "-v" it still fails, but simply reports:
[01:44]<olggmraggws>Unknown error -1
[01:44]<mcz>-vv ? :)
[01:45]<olggmraggws>dkr:
[01:45]<olggmraggws>DROP tcp opt -- in ppp0 out * 0.0.0.0/0 -> 0.0.0.0/0 tcp multiport dports 445,554,901,111,4899,1080,8000
[01:45]<olggmraggws>iptables: Unknown error -1
[01:46]<olggmraggws>many/most of my other rules still fire ok .... e.g.:
[01:46]<olggmraggws> iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 135:139 -j DROP
[01:46]<olggmraggws>is fine.
[01:46]<olggmraggws>did, perchance, recent updates/changes to iptables change anything with multiport/dports options?
[01:46]<mcz> The exit code is 0 for correct functioning.
[01:46]<mcz> Errors which appear to be caused by invalid or abused command line parameters cause
[01:46]<mcz> an exit code of 2, and other errors cause an exit code of 1
[01:47]<mcz>oh, but return code is different from printing out -1. what is return code?
[01:47]<mcz>echo $? after the iptables command
[01:48]<olggmraggws>dkr:
[01:48]<olggmraggws>% echo $?
[01:48]<olggmraggws> 1
[01:48]<mcz>"other erro", of course, lol
[01:48]<olggmraggws>( /me feels picked on by the universe today ... snifff ... sob ...)
[01:49]<mcz>try it without multiport: perhaps try the same command to drop --dport 445
[01:49]<mcz>that will at least confirm whether that is part of the problem
[01:49]<olggmraggws>dkr:
[01:49]<olggmraggws> iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 445 -j DROP
[01:49]<olggmraggws>works fine. hmmm ...
[01:50]<olggmraggws>i'm no expert by any stretch ....but do i remember correctly that multiport is a 'module' that needs to be loaded, or some such?