Comments:
<0> no I don't
<0> :(
<0> and now I have:
<0> CONFIG_IP_NF_MATCH_CONNMARK=m
<1> why, when i type restart, does iptables not know this eth interface?? eth0:1
<2> eth0
<1> the iptables said: weird character in interface 'eth0:1' (no aliases, :, ! or *)
<1> yes, i created a virtual interface with the name eth0:1
<1> but in iptables i'm creating a rule using that interface, but ... it just doesn't know what that is
<1> eth0 10.1.1.x and eth0:1 10.1.2.x
<1> what should i do?
<3> is there a howto about what options to set in the kernel for iptables? or something like that
<4> debiankid: create vlans
<4> aliases don't work in iptables
<1> thanks
<5> Blue-Steel: what particularly are you wanting to know? Don't the help items in menuconfig and friends answer those questions?
<3> well, i'm new at iptables... i mean... i want to start somewhere... but don't know exactly what to compile in the kernel
<5> What I do: make EVERYTHING remotely netfilterish sounding a module. :)
<3> humm... so you compile most of it as mods?
<5> I only put essential drivers for booting in the kernel. Anything else I use or MIGHT use, module.
<3> may i ask why? i mean... in your opinion, why mods for iptables?
<6> some modules can take parameters that you can change when you insert them
<5> Modularity is wonderful. Load what you need when you need it, unload if you don't (although I am not a stickler for the unloading.)
<3> i see. are there any mods that i should always keep in mind to use? i mean something that even as an extra is good to have
<5> Actually in a properly set up system you won't know nor care. When you use a rule which needs a module which isn't loaded, iptables loads it.
<3> humm... but it must be configured in the kernel already, right?
<5> you have to have the modules configured in your .config and available where modprobe(8) can find them.
<3> so what if i use them all compiled statically? will i have more work setting up iptables? i mean... the fact that they are compiled in, will it force me to configure the matching iptables options?
<5> Do what you want. Reboot whenever you want to change something. I just don't run my systems that way.
<3> yes, i know my fate if it's all static
<3> with iptables... do we change many things often because we have to, or is it optional?
<5> I guess some folks think that "built-in" is "faster".
<5> If the driver is already loaded when you make a rule that needs it, fine.
<5> If not loaded, iptables tries to modprobe it.
<3> seems a good idea as mods.
<5> I think so, but I am biased. :)
<3> may i ask what OS are you running with iptables?
<5> Various Slackware releases.
<3> and kernel?
<5> ranging from 2.4.18 through 2.6.15.
<5> The 2.4.18 has been up for 3.6 years.
<3> uptime?
<3> 3.6 years?
<5> yes
<3> with no reboot
<3> eheh
<3> are u on that website that monitors the biggest uptime?
<5> It's a Celeron 400, which at that time was not junk :)
<3> there's a 5 year box there
<3> wow!
<5> We are in the Linux counter project uptime stats, like 3rd or 4th place there.
<3> eheh :) c00l
<5> Actually the highest of the "stable" 2.4.x kernels. (2.4 became stable around .17 IMO.)
<3> in your experience, what would be your advice for someone that is just starting with iptables? (other than just rtfm)
<5> http://counter.li.org/reports/uptimestats.php : 1293.9 2.4.18-grsec-1.9.4 Intel Celeron
<5> Learn TCP/IP basics and routing, routing, routing. Know what a subnet mask means.
<3> do you have any manual, or know of any, about those tcp/ip basics? something that you consider proper for my level (maybe something in your bookmarks)
<5> hmmm, that is a GOOD question and I wish I could answer it for you. :( No. But, I can say ...
<5> ... I learned a lot by playing with openvpn and user-mode Linux.
<5> You can make a virtual Internet on a single machine if you wish.
<3> well... i'm using vmware... so i kinda have my virtual lan, so to speak...
<7> rob0, u do some traffic shaping?
<5> nope, not me.
<2> :)
<8> okay
<8> how can i somewhat easily do bandwidth monitoring/tracking
<8> via iptables.
<8> or whatever
<8> ???
<7> have read some article before about iptables featuring traffic monitoring
<8> any idea where?
<7> i think on linux.com
<7> haven't bookmarked it :(
<8> http://howtos.linux.com/search.pl?query=iptables
<7> mmm
<7> maybe not
<7> maybe faqts.com!
<9> hi
<9> i have a problem with DNAT, i think :)
<9> i have the following rule for this
<9> iptables -t nat -A PREROUTING -p tcp -i eth1 -s 192.168.2.5 -d 192.168.2.1 --dport 10002 -j DNAT --to 192.168.3.1:10002
<9> iptables -A FORWARD -p tcp -s 192.168.2.5 -d 192.168.3.1 --dport 10002 -j ACCEPT
<9> but i get this
<9> kernel: rein: IN=eth1 OUT= MAC= SRC=192.168.2.5 DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57705 DF PROTO=TCP SPT=60588 DPT=10002 WINDOW=5840 RES=0x00 SYN URGP=0
<10> i'm using DNAT to redirect traffic via the squid box, but all my squid logs are showing the router as the source address, any way around this?
<11> Have a rule before the forward one, igraltist?
<9> that means it changes the destination, but the next step is blocking
<9> Sarah, no
<9> you mean i have to give the localhost the permission first?
<10> any clues? :(
<5> Sarah: you're up early :)
<9> hmm, the prerouting is the first rule, then forward
<10> this is the suspect rule, 192.168.1.1 is the router and 192.168.1.2 is the squid box: iptables -t nat -A PREROUTING -i eth0 -p tcp -s ! 192.168.1.2 -d ! 192.168.1.0/24 --dport 80 -j DNAT --to 192.168.1.2:3128
<10> the squid log on 192.168.1.2 just says all requests come from 192.168.1.1 :(
<5> That's the drawback of dnat+snat
<11> rob0, I haven't slept
<5> almost dawn :)
<11> Yeah lol
<10> rob0: i'm not using snat though?
<11> Been busy >.<
<5> I'm going to bed soon, GMT-6 here.
<11> Ah hehe
<10> oh, i get what you mean, it has to say that address so it is returned to the router so the connection can return?
<5> yes, like the "NAT issues" page in /topic.
<10> well, i didn't understand i was using snat! </noob>
<10> so ultimately there's no fix?
<9> oi, i have you the snat for dnat :)
<9> you = use
<5> well, why are you doing NAT from one RFC 1918 (private) network to another?
<5> why not just route it?
<10> you have a point
<10> i've just been reading up on transparent proxying, and all the docco uses REDIRECT or DNAT
<5> you have a 192.168.2.0/24 and a 192.168.3.0/24 on separate interfaces?
<5> and is this machine the default gateway for both subnets?
<10> i didn't realise you weren't speaking to me, but i think i can get it working with the ROUTE mangle target and then do the redirect on the squid box itself :P
<0> good morning
<12> mornin
<0> I have a problem, I have applied the patch-o-matic, I have recompiled my kernel, but I still have problems with connmark
<0> [root@gestor ~]# /sbin/lsmod | grep conn
<0> ipt_connmark 5888 4
<0> ip_tables 26880 8 ipt_layer7,ipt_MARK,ipt_connmark,ipt_CLASSIFY,ipt_length,ipt_physdev,iptable_mangle,iptable_filter
<12> what problems?
<0> /sbin/iptables -t mangle -A ms-prerouting -j CONNMARK --save-mark
<0> Error: iptables: No chain/target/match by that name
<12> uhhmmmm
<12> what is ms-prerouting?
<0> the name of a chain:
<0> /sbin/iptables -t mangle -N ms-all
<0> /sbin/iptables -t mangle -N ms-all-chains
<0> /sbin/iptables -t mangle -N ms-prerouting
<12> /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
<12> 09:19 < shanky> /sbin/iptables -t mangle -A ms-prerouting -j CONNMARK --save-mark
<12> somehow that just looks plain wrong
<12> why would you need to mark packets in a custom chain?
<12> you mark them in PREROUTING and use them in a custom chain
<12> use them = use the mark
<0> [root@gestor ~]# /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
<0> iptables: No chain/target/match by that name
<12> uhmm
<12> CONNMARK = MARK?
<0> what do you mean?
<12> show me your script
<0> a minute, I have to use pastebin.ca
<0> because I'm trying to use MasterShaper, and it's a really big script
<0> http://pastebin.ca/39423
<0> the really odd thing to me is that it seems that iptables can use connmark:
<0> /sbin/iptables -t mangle -A ms-prerouting -j CONNMARK -h
<0> CONNMARK target v1.3.4 options:
<0> --set-mark value[/mask] Set conntrack mark value
<0> --save-mark [--mask mask] Save the packet nfmark in the connection