Comments:
<0> Hello
<0> I've just set up an iptables environment with 2 external connections (two different ISPs) and 1 LAN connection which should be NATted. All incoming connections work, but I've lost the ability for clients on the LAN to go online. Could somebody take a look at the results of iptables-save?
<1> I would have already looked if it had been pastebinned.
<0> sorry, i worked it out
<2> What is flag SF/SF?
<2> -s
<3> hi
<3> i'm having trouble with something
<3> my system is running debian etch
<3> i did modprobe ipt_MASQUERADE, iptable_nat ip_nat
<3> and echo 1 > /proc/sys/net/ipv4/ip_forward
<3> then iptables -A FORWARD -i eth0 -j ACCEPT
<3> i would like all traffic from eth0 to go to ath0
<4> syamajala: That's a matter of your routing table, not of your iptables ruleset.
<3> hmm ok
<3> because on systems that are connected to the hub that eth0 is connected to, when i try to do ping www.google.com it doesn't work
<3> it just sits there...
<3> but i can ping google from the system running iptables
<4> syamajala: Ok, provided your routes are ok: It is not enough to modprobe ipt_MASQUERADE, you have to actually activate it.
<3> yeah i tried doing
<3> iptables -A POSTROUTING -o ath0 -j MASQUERADE
<3> but i get iptables: No chain/target/match by that name
<4> iptables -t nat -A POSTROUTING ...
<4> MASQUERADE belongs to the nat table, not to the filter table (which is the default unless you specify something else with "-t")
<3> hmm ok
<3> still can't seem to ping google from the other systems
<2> -s
<4> You told those systems behind eth0 that your iptables-box is their gateway to the internet?
<3> yeah
<3> my main firewall is 192.168.0.1, eth0 on this system is 10.0.0.1 and ath0 is 192.168.0.3
<3> so i set up dhcp on this system to set the default gw to 10.0.0.1 and dns to 192.168.0.1
<3> doh
<3> i know what's wrong
<3> works
<4> What was it?
<3> i copied my dhcpd config from another system i set up a while ago and the ip address for that dns server was different
<4> Ah ok. :)
<3> thanks a lot
<4> np
<3> bye
<5> for ip forwarding, if regular filtering works, do i need to do anything special?
<5> ??
<6> Question: why doesn't iptables 1.3.4 know the match type in "iptables -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark 1"
<7> what error?
<6> no chain/target/match by that name
<7> works without the -m mark --mark 0?
<6> no
<7> try removing each one to see why it doesn't work
<6> it's the MARK chain that doesn't exist....
<6> the -j MARK
<6> hummmm
<7> do you have the ipt_MARK target?
<7> er, module
<6> looking into it
<6> this one: "CONFIG_IP_ROUTE_FWMARK or CONFIG_IP_NF_MATCH_MARK, CONFIG_IP_NF_TARGET_MARK, or CONFIG_NET_SCH_DSMARK"
<6> the only one i don't have is ip nf conntrack mark
<7> CONFIG_IP_NF_TARGET_MARK
<1> "no chain/target/match by that name" means the driver is missing, yes
<6> is it this module? ipt_MARK.ko
<7> yes, I think so
<6> it's already loaded
<7> but the command works if you remove -j MARK --set-mark 1?
<1> iptable_mangle?
<6> iptable_mangle is up too
<1> ipt_tos?
<6> daniel: no, the "missing one" is the table MARK, it can't jump to mark
<7> le_mackeux: so the command works without the jump, right?
<6> daniel: if i set it to jump to input without the --set-mark, it's ok
<6> reb: one sec, i'll look into the kernel for tos
<6> ro: ip_nf_match_tos is in the kernel, ip_nf_target_tos is too
<1> I think you need ipt_mark, too
<1> lowercase==match extensions, UPPERCASE==TARGETS
<6> ipt_mark and ipt_MARK are modules and loaded
<1> You have iptable_mangle, ipt_tos, ipt_mark and ipt_MARK, but that command fails? Then I am stumped.
<6> lol, so am I
<6> ipt_tos isn't a module though, it's built into the kernel
<6> and so is mangle
<6> i can't list the MARK table, it simply doesn't exist :S
<7> it's not supposed to
<7> it's a target
<6> ok, didn't know it
<6> is there any problem with those kernel ext being built into the kernel instead of modules?
<1> I don't know, I always and only use modules.
<6> perhaps you're running debian?
<7> le_mackeux: what kernel version?
<6> 2.6.15-r1
<1> <== Slackware or slamd64, no Debian.
<6> ok
<6> are either of you using qos with the tos bits?
<6> hold your answer, i need to reboot with a new kernel.
<6> brb
<1> le_mackeux: not me
<7> me neither, but I just tested that rule, and it works as-is with my kernel
<6> i'm back, sorry for the delay
<7> did you get the responses?
<6> nop
<7> < rob0> le_mackeux: not me
<7> < danieldg> me neither, but I just tested that rule, and it works as-is with my kernel
<6> tks
<6> it's working now
<7> what did you change?
<6> don't really know
<6> i recompiled my kernel with the modules built into the kernel, as kernel ext not modules, and that's it
<6> i don't think i added something that wasn't either a module or already in the kernel
<6> and bingo :D
<6> qos is fully running, my packet marking, the packet sorting, the output queue :D :D :D
<6> i love qos now, after spending more than 20 hours learning it, i finally managed to handle it and set it up nicely :D
<8> what is the best iptables module to block p2p??
<9> hi all
<9> I'm a n00b to iptables, so forgive the stupid question... does ordering matter with iptables rules?
<7> yes, rules are evaluated in order
<9> ah... that would explain some things :)
<9> I assume there's a way to re-order the rules?
<7> use -I or -R options
<9> gotcha. ty danieldg.
<10> Hi everyone! :) I got an issue... i issued an iptables command that i think should be blocking connections to port 443... but when i try to connect, i still get the same, the webserver takes the connection on port 443... may anyone help on this please?
<10> iptables -A INPUT -p tcp --dport 443 -j REJECT
<10> i tried also with DROP but same problem
<7> Estes2: look for rules above that accept the connection
<10> well, i opened to those hosts for any connection, i just want to block 443 for them
<10> everything else being opened
<7> easy fix: use -I instead of -A
<10> lemme check the man
<10> oh, ok
<10> to have it before the other rules
<10> hum
<10> ok, thanks :)
<10> how can i list the rules with their rule number?
<7> --line-numbers
<10> thanks
<10> yes but...
<10> i have a script that will do this dynamically
<10> it's a failover system
<10> so
<10> sometimes i want this rule up
<10> sometimes i want it down...
<10> and so if i specify a rule number
<7> you could add and remove it with a script
<10> hum
<7> -D doesn't need a line number, you can specify a rule there
<10> hum, interesting
<10> ok, and when using -
<10> -I
<10> let's say i specify rule #2, what will happen to the old rule #2? will it become #3?
<7> yes
<10> ...and so increment every rule number?
<10> ok
<10> great
<10> thanks :)
<11> RE
<0> Hello