Comments:
<0> ok rob0 no problem
<1> how can i redirect a tcp connection in iptables?
<1> i use an ssh tunnel through my proxy at work to pull pop email in
<1> it would be nice to have that hit iptables and then bounce the traffic out to my pop server and back to me through the tunnel
<1> is this possible?
<1> i've gotten it to work with programs like jumpgate and redir, but i figured iptables is already installed so why not use it
<2> Alives:
<2> -j REDIRECT
<3> does iptables have anything to restrict outbound connections on a per user basis?
<4> mi
<5> Hallo Guys
<5> Is there any target, for duplicating packet ?
<6> [TEHb]: you can use DNAT with multiple --to-destination arguments
<6> and I could be making this up, but I think I remember a 'tee' target in patch-o-matic. I'm 37% sure of it.
<5> trappist: warn 'invalid argument' on multiple --to arg
<6> lame. that must have changed, because I've used it before.
<6> and I never would have thought of it, but it was in the docs.
<6> from the man page: You can add several --to-destination options. If you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses.
<7> it's been removed I think
<6> so apparently that wouldn't do what you want anyway
<7> -j ROUTE has --tee
<5> ok, then, there is no way to duplicate packets?
<7> --tee can duplicate a packet
<5> danieldg: thanks
<6> so there IS a tee
<6> awesome
<5> danieldg: can't find --tee in the man pages
<6> it's an argument to the ROUTE target
<5> ok, need to check it, thanks
<7> if you don't have it, it's in my manpage - http://daniel.6dns.org/info/iptables/manpage
<6> I don't think the ROUTE has made it to the mainline kernel yet
<7> it's on pom-extra
<8> I have a bridge br-apps that handles 10.1.0.0/16. When the bridge comes up, I want to set the bridge's ip address as the gateway to its network.
<8> The problem is that once I set the ip address and network for the bridge, I can no longer set the gateway.
<8> Here is part of my /etc/network/interfaces file: http://pastebin.com/581954
<7> onweald_tim: why not use the syntax for bridges instead of manually configuring it?
<8> You mean use brctl?
<7> no
<7> do you want to see my /etc/network/interfaces?
<8> Yes please!
<8> I'm a newbie and trying to learn this, so excuse me as I stumble around.
<7> http://daniel.6dns.org/misc/interfaces
<5> danieldg: there is no ROUTE target support in stock 2.4.29 kernel
<7> [TEHb]: I know; it requires a kernel patch
<5> danieldg: OK. Is there patch for 2.4 kernel?
<7> [TEHb]: I don't know; does the patch-o-matic patch work?
<8> danieldg: bridge_ports and bridge_stp... are those scripts? They don't appear in the man page for "interfaces".
<7> onweald_tim: no, they are part of /etc/network/interfaces, they just haven't been added to the manpage
<5> danieldg: not yet patch my kernel
<7> onweald_tim: /usr/share/doc/bridge-utils/README.Debian.gz
<5> danieldg: hmm, ROUTE target not found even in stock 2.6.15.2 kernel
<5> danieldg: it is too bad, because it is in man page
<7> [TEHb]: it's not in the kernel, and not going in anytime soon
<5> danieldg: if feature require patching kernel, then this feature shouldn't in the man pages
<8> thanks. reading...
<5> danieldg: shouldn't to be in the man page i mean
<7> [TEHb]: maybe that's why it isn't in your manpage
<5> danieldg: no, ROUTE target in my man page
<5> danieldg: but not in the kernel
<5> this is bad
<7> they did that so that the manpage doesn't have to be rewritten in each kernel patch in pom
<5> ok, p***ed
<7> tell the netfilter.org people if it bothers you
<5> danieldg: can you get me link on this patch?
<7> http://netfilter.org/projects/patch-o-matic/pom-extra.html
<5> danieldg: sorry, but i don't use pom
<8> danieldg: I have to head out for a few. But I wanted to say on behalf of all newbies, thanks for all your help. I have jumped on #iptables a lot over the past few weeks and you are always helping people.
<8> We really appreciate it!
<5> danieldg: thanks
<5> :)
<7> [TEHb]: you'll need to get the code with svn from https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng/
<5> oh... svn attack the world, thanks
<6> or grab the daily snapshot
<7> oh, didn't know about the snapshot
<5> trappist: yeah, it is better
<5> trappist: where i can get snapshot?
<6> [TEHb]: you have to poke around a bit to find it. somewhere on netfilter.org is a directory listing of daily tarballs. I dunno why they make it such a pita to find.
<7> ftp://ftp.us.netfilter.org/netfilter/patch-o-matic-ng/snapshot
<6> there you go
<7> I'll have to add that to my page
<5> 10x!
<5> we need to complain about committing ROUTE target to stock kernel
<7> it says "Status: Experimental" and it's in "extra" - sounds like it's not really ready for the stock kernel
<6> yeah they move up the chain before they even get submitted, then we hope for acceptance
<6> there's lots of cool stuff in pom that's not ready for the kernel and may never get there
<6> mainline kernel, that is
<6> like, tarpit is hella cool but it breaks nat
<6> or conntrack or something
<5> sorry, but duplicating packets is too simple stuff, and i can't understand, where there can be a problem :)
<6> [TEHb]: maybe a target for that specific purpose should be written, that's not as intrusive as ROUTE
<5> yeah, understand you. ROUTE break normal routing path
<5> ok, if there is no such target, i need to write them.
<6> that's the answer I was looking for :)
<5> (:
<5> and one more comment
<5> i think, all users do that in userspace
<5> using pcap
<6> I don't think pcap is really userspace, strictly speaking, and I'm not sure it duplicates packets either.
<6> that is, the kernel has to put the device into promiscuous mode
<9> all right, i'm back... the problem i was having with it not accepting the flag was that i had forgotten to put tcp after -p
<9> but now when i run the script with 2>&1 the only thing it tells me is: Bad argument `22'
<9> i took that to maybe mean line 22, but that line is blank
<7> Spudchat: what line produces that error?
<9> i'm not sure, when i read the script line 22 is blank, that's why i'm confused
<7> it's not line 22
<7> run with set -x
<9> and i have rules in there for ssh so i thought maybe i misentered it
<7> look for a 22 without a --dport before it, or with something like -p --dport 22
<9> all right gimme a second
<9> should it be --sport or just -sport ?
<7> --sport
<9> ah ha!
<7> and --sport is rarely used
<9> i've got one in here
<7> what for?
<10> (you might use --sport in OUTPUT rules if you filter in OUTPUT, which I don't recommend BTW)
<7> even in OUTPUT, you shouldn't need to use --sport if you accept ESTABLISHED
<11> I use --sport in my FORWARD chain for filtering stuff leaving the LAN
<9> iptables -A INPUT -i eth0 -p tcp ! --syn \ --sport 22 -d $Myip --dport 1020:65535 -j ACCEPT
<9> is the line it's in
<9> i'm very new at iptables by the way
<11> Why would you do that? Just accept ESTABLISHED connections on INPUT
<10> You want to accept incoming ssh? or what?
<11> rob0: looks like he's got that to accept replies to existing ssh sessions
<9> yeah i'm setting that up for ssh to accept incoming connections
<9> robw810: would this line cover that: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<11> Spudchat: okay, you need that line, yes; but ssh servers run on port 22 by default
<11> Spudchat: you'd need to accept incoming syn packets to port 22, and the EST,REL will cover the rest of the connection
<9> hang on i have something like that
<11> Spudchat: have you read the tutorial in /topic?
<9> no, i've been working with manpages and google
<11> That tute is good
<9> ok i'll check that out
<12> can someone take a look at my iptables script?
<7> pastebin the iptables-save output
<12> ok
<12> thanks
<12> http://www.pastebin.com/582203
<7> ipchains ?!
<12> oh
<12> it's from someone else
<12> it's an old script
<12> i can change all of that to iptables
<12> :-P
<12> other than that does it look alright?
<7> haven't looked at it, since I like iptables-save output better than script
<12> :-(
<7> I don't see any problems, but I haven't looked that closely
<12> ok
<6> ipchains?!!