<0> RE
<0> 1 april!
<1> ho yeah!
<2> Can you get iptables to dump its config into a file?
<2> to examine the commands?
<3> E-bola2: iptables-save
<2> perfect, thanks
<4> hello, I may be a bit confused. I have a gateway box with a NATted internal network, and I am trying to block traffic to 2 specific IPs. The rules may be viewed at http://pastebin.ca/47741
<3> penrod: you need the rules in FORWARD, not INPUT, and they should also go before the ACCEPT rules
<3> oh, and iptables -vL or iptables-save is more useful for viewing rules
<4> ahhh, I shall try that, thanks kindly.
<2> Hmm, I'm using the gShield iptables script
<2> and I have a rule about allowing PPTP VPN that forwards the GRE protocol
<2> but I can't find out where it's inserted heh
<3> E-bola2: and the iptables-save output never mentions the protocol?
<2> danieldg: ohh it does
<2> and I found the place now
<2> my problem was I couldn't figure out where in the script the commands were entered hehe
<2> it's late here :)
<2> hmm but I still can't get it to work on the other box
<2> didn't iptables 1.2.3 support protocol 47?
<3> I'm sure you can insert the rule - it supports any protocol number
<3> what error are you getting?
<2> I have duplicate scripts on 2 boxes
<2> a new Debian box with a 2.6 kernel
<2> and an old Red Hat 7.2 with a 2.4 kernel
<2> after running the script on the old box, the stuff about PPTP and GRE is missing
<3> the iptables-save output differs? is the script you are using detecting something (or lack of something)?
<2> hmm the order differs
<2> lol god dammit
<2> I'm so tired
<2> I've been trying to use remote desktop
<2> and not VPN
<2> Hmm ok I got my old box all up and running
<2> the only thing I can't get working is port forwarding to my NATted servers behind the box
<2> NATting out and IP forwarding work
<3> what DNAT rules are you using (example)?
<2> -A PREROUTING -d 62.66.154.6 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.22.2:25
<2> -A FORWARD -d 192.168.22.2 -p tcp -m tcp --dport 25 -j ACCEPT
<3> you have a -m state rule to let the replies back, right?
<2> it works fine on a new box which I copied the config from
<2> sorry?
<2> how would that look?
<3> -m state --state RELATED,ESTABLISHED -j ACCEPT
<2> -A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
<2> ya that's there
<2> do you need any special kernel module
<2> or anything set in /proc/sys/net
<3> and STATEFUL is jumped to from somewhere?
<2> for NAT port forwarding to work?
<2> -A INPUT -j STATEFUL
<2> -A FORWARD -j STATEFUL
<3> hmm, port forwarding should work fine if outgoing NAT works
<2> outgoing NAT works perfectly
<2> and I can connect from the outside if I open services on the firewall box itself
<2> I just can't get it to forward services to other boxes on the NATted LAN
<3> how are you testing the port forward?
<2> I'm connecting from an outside box
<2> also nothing is logged
<2> but the connection is really slow to time out
<2> while if I try to telnet to a non-open port it gives up right away
<2> hmm more or less
<3> do you have more than one gateway, or is the iptables box the only gateway?
<2> it's the only gateway
<2> I originally wanted a box with dual WAN interfaces
<2> but because of time constraints I used a second box for the new WAN
<2> made a new NATted LAN subnet
<2> and gave the server I wanted to be accessible over the new LAN a second LAN IP on the new NATted subnet
<2> can it be a problem that the hosts I'm forwarding to have another default gateway?
<3> yes
<3> then the return packets won't get de-NATed
<2> but doesn't the server see the packet as coming from the NAT firewall?
<3> no
<2> umm I'm pretty sure it does
<3> you can make it that way, but that breaks any kind of logging
<2> if you forward stuff into a NAT LAN
<2> you will see connections coming from the firewall and not listed with external IPs
<3> E-bola2: not by default
<2> hmmm my NAT setup has always been like that
<2> the NAT firewall rewrites the source field
<3> E-bola2: ok, you can make it like that, just add an SNAT rule. But it's considered bad
<2> hmmm but any idea how I can solve my problem?
<2> letting the server be accessible from both NATs
<2> the 2 NATs have 2 different subnets, 2 different gateways and 2 different ISPs
<3> have the firewall be the default gateway or use source routing on the server (give it two internal IPs, corresponding to the two external IPs)
<3> or just use SNAT, that's the easy way
<2> I did give it 2 internal IPs
<2> well it can only have 1 default gateway
<2> it's a Windows machine
<3> oh. too bad.
<2> also I would like a more generic solution
<2> that would work with any IP device
<3> ok, then the SNAT is probably the best
<2> SNAT = 1 to 1?
<3> that or have one firewall with 3 interfaces - ISP1, ISP2, internal
<3> SNAT = modify the source like you said before
<2> danieldg: ya I wanted the 3 interface firewall setup, but it takes too long to set up
<2> -A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 80.196.221.210
<2> isn't that what that line is doing?
<3> that's for outgoing packets
<2> Hmm and what do I need?
<2> for incoming?
<2> can you give an example?
<3> another one: -A POSTROUTING -d 10.0.0.0/24 -j SNAT --to-source fw.internal.if.ip
<2> and what would that do?
<2> (sorry if I'm a bit thickheaded)
<3> change the source of incoming connections (those with dest IP=internal) to the firewall
<3> so they will be sent back there instead of to the def. gateway
<2> but then I would need to run that on the NATted server, right? and not on the firewall itself?
<2> (the rule I mean)
<3> that rule runs on the firewall
<2> ohh so when I contact the port from the outside
<2> the firewall rewrites the packets so the NATted server thinks it comes from the firewall?
<3> yes
<2> brilliant, wonder if it will work :)
<3> and it breaks logs, makes mail servers open relays, etc....
<2> the only thing active on this line is a VPN server
<2> no other open ports
<2> -A POSTROUTING -s 192.168.22.0/255.255.255.0 -o eth0 -j SNAT --to-source 62.66.14.26
<2> is what it says currently
<2> so I'll change it to -A POSTROUTING -s 192.168.22.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.22.1
<3> no!
<2> hmm the interface is wrong
<2> no? what then?
<3> you don't change that rule, leave it there. Add a second one
<2> ohh doh
<2> ye
<2> iptables -A POSTROUTING -d 192.168.22.0/24 -j SNAT --to-source 192.168.22.1
<2> iptables: No chain/target/match by that name
<2> hmm?
<3> need a -t nat
<2> ok added
<2> then since I had already opened and forwarded the ports
<2> I shouldn't have to do anything else?
<3> no, I don't think so
<2> it works!!!!
<2> Weee man you don't know how long this has taken!
<2> Thanks SO much for your help
<3> you're welcome
<2> lol
<2> the Windows VPN server assigns me an IP from the other LAN
<2> but it still works
<2> danieldg: Btw if I wanted to use 1 box instead of 2, what would your approach be?
<2> Do you think I have to use iproute2 or can I get away with just iptables?
<2> (Meaning a Linux firewall with 2 WAN interfaces on different subnets (different ISPs) and 1 NATted LAN interface)
<2> not for load balancing, but just using one of the WAN links for incoming VPN connections
<3> if you don't need the outgoing traffic load-balanced, I think just iptables should work
<3> however, you might have *all* of your external traffic going out one link
<2> that's fine
<2> as long as the incoming stuff on the other WAN link can find its way back over the same link it came in on