<0> ok, so use 169.254.10.0/24, with the public IP
<1> danieldg, -A POSTROUTING -s 169.254.10.0/24 -j SNAT --to-source 63.245.100.1 ??
<0> seele_: yes
<0> |lostbyte|: did you get the output?
<1> danieldg, ok and for the public IP inside my network ?
<0> does the machine actually have the IP?
<1> danieldg, -A POSTROUTING -s 63.245.100.15/24 -j SNAT --to-source 63.245.100.15 ???
<2> danieldg: I am all messed up ! now i cannot ssh into the machine cause of some host_key mismatch.
<0> seele_: no, just no rule at all then
<2> danieldg: I am on slackware.
<0> |lostbyte|: that happens when you have an IP change
<0> |lostbyte|: remove the entry in ~/.ssh/known_hosts
<1> danieldg, ok then I remove the MASQUERADE
<2> danieldg: ah ! ok.
<2> danieldg: will have to run, be back in approx 25 mins. :)
<3> RE
<4> hi
<4> I've a problem: I've a DNAT that got many connections. now I've removed the DNAT rule but syn still hit my port, can I bind a service to that port if packets try to reach the old machine behind the nat ?
<4> I dunno how iptables works with old rules
<1> danieldg, take a look http://pastebin.com/638615
<0> seele_: you need to remove the MASQUERADE line
<1> danieldg, yes i know ... and my client still with internet?
<0> what about it?
<1> danieldg, ok
<1> danieldg, if i test the IP of one client the wan IP appears ... no works
<1> danieldg, look http://pastebin.com/638671
<0> ok, you're testing this with something that you *aren't* proxying?
<1> danieldg, yes
<1> danieldg, I have two IPs in my server: x.x.x.x = wan - eth1 (internet) IP, and the y.y.y.y = public server IP - eth0 (LAN)... I need to connect one user with public IP inside the lan without being proxied. these are my rules http://pastebin.com/638671
<0> seele_: ok, so add an ACCEPT rule in PREROUTING for their IP
<0> (before the proxy rules)
<1> danieldg, -A PREROUTING -s 0.0.0.0/0 -d 63.245.100.15 -j ACCEPT
<0> wrong direction, add one with -s for that IP
<1> danieldg, ok
<1> danieldg, look http://pastebin.com/638783
<0> seele_: before, not after
<1> danieldg, ok it works thanks
<4> if I've a daemon that sets some dnat rules and after some time removes these rules how long does it take to take effect ?
<0> immediately for new connections
<0> old connections are never changed
<4> never ?
<4> so if I bind a service to the port that was dnatted and the rule doesn't exist anymore the service is unreachable ?
<0> no, it's reachable
<0> just any existing connections that were DNATed are not interrupted
<4> oh ok
<4> so new syn are dropped ?
<4> so it's normal to see many ESTABLISHED connections in /proc/net/ip_conntrack with timeout of about 360000 ?
<0> yes
<5> hi
<5> how can I drop all the 85.XXX.XXX.XXX subnet?
<6> Mitu: ?
<5> yes
<1> bye everyone
<7> I just need to block any 200.96 IPs
<7> anyone can give me just the command
<0> -I INPUT -s 200.96.0.0/16 -j DROP
<7> thanks :)
<8> any rrdtool people here?
<8> with rrdtool, if i have a couple graphs, is there a way to make a graph that is all those, combined? does that make sense?
<9> hello all
<9> in kernel 2.6.16, can i customize the iptables module names ? like change xt_state to be ipt_state ?
<0> m0dY: no
<9> oh
<9> why's that ?
<0> Xtables is the new layer3-independent netfilter framework
<0> I suppose you could customize the names, if you wanted to rewrite parts of the kernel
<9> yes, i want if some progy called the module ipt_state it finds it as if it's the original name of the module
<9> danieldg: how could this be done !?
<0> change the program
<9> can't be :)
<0> iptables autoloads the module just fine
<0> you should never need to modprobe ipt_state
<9> yup i know that
<9> know APF ?
<0> no
<9> http://www.rfxnetworks.com/apf.php
<0> ok
<0> so? just sed s/ipt_state/xt_state/g
<9> ?
<0> what's the problem?
<9> # Loading Kernel Modules
<9> ml ip_tables 1
<9> ml ipt_state 1
<9> ml ipt_multiport 1
<9> etc...
<0> so, change them
<9> this is in the main loading script..
<9> if i do, it doesn't see the module at all
<0> is it looking in net/ipv4/netfilter?
<0> grr
<0> don't bother loading them at all
<9> http://pastebin.com/639169
<0> just remove the whole ml thing except for ip_conntrack_irc and ip_conntrack_ftp
<0> even that will be broken if you use nf_conntrack
<9> so i just remove the changed modules
<0> yes
<0> from that file, not the modules themselves :)
<9> ok im building a new 2.6.16 now, I'll test this as soon as it's up
<9> danieldg: lol, yes i know :D
<0> if you use IPv6 and don't use NAT, nf_conntrack is very useful
<9> i dun use both
<9> by the way, what about nf-hipac
<9> is it moving ?
<0> don't know
<9> i mean is there anything new that would make me inject it into my kernel ?
<0> I haven't used it, so I don't know what it needs
<9> http://www.hipac.org/
<0> yes, I've seen it before
<9> i c
<10> I'm trying to route data between subnets with ubuntu 5.10. Do I need IP forwarding to be installed ?
<0> yes, it probably needs to be enabled
<10> Do you know the package name ?
<0> it's not a package
<0> echo 1 > /proc/sys/net/ipv4/ip_forward
<0> that's it
<10> This is all new to me mate....
<10> That enables it ?
<0> it's a kernel setting (sysctl). That enables it
<10> I see
<10> Thank you
<8> any good howtos on ip forwarding?
<8> i have regular -j DROP and stuff working.
<8> ?
<8> any good howtos on ip forwarding?
<8> ?
<9> SkramX: hold on, will get you a good one
<9> SkramX: this was my best in doing some basic routing http://yolinux.com/TUTORIALS/LinuxTutorialNetworkGateway.html
<8> well, just forwarding
<8> okay lemme look
<9> now, anybody know how to deal with it when your box has many connections in the TIME_WAIT state ?
<9> doing #netstat -anp|grep -c TIME_WAIT .... gives about 1600
<9> ?! :(
<11> hi
<3> RE
<12> is there any good software for good firewall reports
<13> what kinda reports?
<13> you can use cacti to graph anything
<13> cacti / mrtg
<12> i see
<13> i prefer cacti
<12> u mean this: http://www.cacti.net/
<13> yes
<13> you can make custom scripts and graph templates and so on
<12> it looks nice and interesting
<13> yes, it's a bit confusing at the beginning
<13> but I've had so much useful info from servers with it
<13> like i monitor apache and mysql services with it
<13> cisco routers
<13> and so on
<13> almost everything
<13> even the temperature of our server room
#iptables