Comments:
<0> Presumably each side uses this router as the default gateway, right?
<1> No, only PC uses it as a default gateway.
<1> Just assume that I don't have access to 192.168.0.17 (let's call it PC0)
<0> ok, the 192.168.0.0/24 are just going to 192.168.0.18, right?
<1> Let me sum up the problem: PC (192.168.1.2) wants to ping PC0 (192.168.0.17) via router (192.168.1.1,192.168.0.1), and this should be accomplished using NAT.
<1> I'm a bit tired, so again (0.1 replaced by 0.18 - I want to avoid mistakes): Let me sum up the problem: PC (192.168.1.2) wants to ping PC0 (192.168.0.17) via router (192.168.1.1,192.168.0.1), and this should be accomplished using
<1> +NAT.
<1> F*king client
<1> Once more: Let me sum up the problem: PC (192.168.1.2) wants to ping PC0 (192.168.0.17) via router (192.168.1.1,192.168.0.18), and this should be accomplished using NAT.
<0> PC's default route is 192.168.0.18?
<0> "iptables -vt nat -nL" might be interesting, are the packet counters being incremented?
<1> rob0: Yes, PC's default route is 192.168.0.18
<1> On router, I just tried "iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE"
<1> No success
<1> and, yes, eth0 is connected to 192.168.0.0/24
<0> that *was* going to be my question :)
<2> danieldg: You daredevil. ;)
<1> rob0: The PREROUTING packet counters are increased, but not the POSTROUTING packet counters.
<1> Note, there is no rule for PREROUTING
<0> 240.0.0.0 :)
<1> Sorry, not being a networking guy, I don't get what you mean.
<0> 22:12 -!- danieldg [i=daniel@about/networking/240.0.0.0/danieldg] has joined #iptables
<0> That's a reserved range for multicast.
<3> yeah, it's not my IP
<1> OK, not related to my problem.
<3> rob0: it's a netmask, the number of bits = the access in ##networking
<0> ah ... I see
<1> I'm now firing up another machine on 192.168.0.0/24. Just to see if the ping problem is particular to 192.168.0.17.
<1> No, it doesn't seem to.
<0> Way up above I said something about "nothing block[ing] it in filter / FORWARD."
<1> filter/FORWARD is empty
<0> policy?
<1> I see: DROP.
<0> hahahaha
<1> newbie problems ...
<1> :-)
<1> Now, it works.
<0> Now you are "a networking guy." :)
<3> well, the state match works in 2.6.16, but everything is INVALID
<3> for ipv6, that is. IPv4 works fine
<1> rob0, thanks for helping me with this problem!
<0> yw feklee_
<4> Hello
<4> I'm having some problems implementing a firewall with iptables
<4> Allow me to post my simple firewall on my website
<4> http://nickv111.is-a-geek.com:8080/firewall
<4> What's happening is that I can no longer ping myself and I lose my connection to my network
<3> you're dropping things before you accept them
<4> Oh
<4> So I need to reverse it
<3> iptables rules are evaluated in order
<3> yes
<4> So, it drops the packet, then accepts any of the remaining packets - of which there are none
<3> also, you need to allow packets back in
<3> right
<4> So, if I accept, and then drop, won't it drop all of those packets which I just accepted?
<5> nickv111: don't be silly
<3> no, both accept and drop stop a packet from going any further
<5> they're already accepted ....
<4> Okay
<5> DROP & ACCEPT are terminating rules ..
<4> I didn't know that
<4> Let me try it.
<3> add -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT at the start
<5> -j MARK and -j RETURN are nor terminating rules ... =)
<4> Back
<5> s/nor/not/
<4> What is state?
<5> to check for a state ...
<4> I'm sorry, I'm quite new to iptables, and I'm just learning the dynamics
<3> state is how you use connection tracking
<5> e.g) Established , Related , NEW or Invalid
<5> danieldg: spot on =)
<3> the tutorial in the topic explains it pretty well
<5> best thing about Conntrack & States ... you can determine if something is NEW regardless of its Protocol
<5> e.g., a SYN Packet via TCP is generally a NEW Packet ... but what identifies a UDP packet as being new or the First ?
<5> nothing really ... so you can use state matching to work out what is what , and which is which =)
<4> Well, now network works
<4> Thanks
<5> no probs
<0> How much net would a network work if a network could work nets?
<5> nickv111: if you are new , and want to explore the possibilities
<5> try playing around with a few iptables scripts already out there
<4> Well, I wanted to originally use Linux with iptables as our router, but my parents wouldn't really let me :(
<5> rob0: all of em =)
<5> nickv111
<5> why not ???
<4> I don't know. They just wanted to get a netgear
<5> try http://hwfirewall.sf.net
<5> nickv111: they run GNU Linux anyways ... lol
<5> most of the DSL / Router / Firewalls from netgear do
<4> Really? Sweet! Know of any good exploits that I can run on them to mess with them?
<5> they even come with a little Yellow Slip saying this uses GPL and LGPL software
<6> how do i get iptables stats (-L -v) into mysql?
<5> lol
<5> nickv111: not currently ...
<5> but give it a little bit of time ...
<5> i have some for much older models
<4> I can understand why a company like that would want to sell routers with Linux. No licensing issues, nothing to buy, just do a little porting, and the software aspect is done
<7> money for nothing... as the song goes
<5> nickv111: yup , then you make the client agree to the GPL
<5> by opening this box and using the product ...you are adhearly agreeing to the terms of the GPL ... blaa ablaaa blaaa
<6> i have 64 ips i need to count packets/data transfer on
<6> whats the easiest way to do it?
<6> have an input and output -j ACCEPT for each one?
<5> SkramX: however you feel necessary
<5> SkramX: almost yes
<4> Only problem is that the firewall script is making dns not work. For example, I can ping yahoo.com's ip address, but I can't ping yahoo.com
<5> but put them in a USERCHAIN ...
<6> hard__ware: any other way?
<6> whats a userchain?
<5> a Custom ... Chain ... not built in INPUT / OUTPUT
<6> so what does it go by?
<5> iptables -N INPUT_COUNTERS
<6> can I see an example?
<6> hard__ware: then what
<5> then add rules accordingly
<6> like
<6> ?
<6> iptables -A INPUT_COUNTERS -d 70.86.X.X -j ACCEPT
<6> ?
<5> iptables -A INPUT_COUNTERS -d {COUNTED_IP} -j RETURN
<5> Ja ... pretty much
<5> i prefer -j RETURN for counters
<6> whats the difference between RETURN and ACCEPT?
<5> cuz generally you want to do other stuff with the data .... then just accept
<5> -j ACCEPT .... accepts the packet right there and then
<4> hard__ware, danieldg: For some reason, my firewall script is killing my dns. Anything I need to do to fix that?
<5> RETURN , makes it fall back to INPUT to continue its traversal across the rules
<5> nickv111: Ja
<5> all depends really .... take a look at http://hwfirewall.sf.net =)
<4> Okay
<5> try using that firewall script ... it will help enlighten you on the possibilities
<5> SkramX: what exactly do you need ?
<4> hard__ware: Very well, then
<4> hard__ware: Oh, you're the author
<5> Ja ... =)
<6> hard__ware: I want to monitor bandwidth per ip.
<5> bandwidth ... or just packet and data count ?
<6> whats the dif between data count and b/w?
<5> lots really ...
<5> bandwidth is more realtime stats ...
<5> count is just a total over time
<5> not really current ...
<6> Welp.
<5> bandwidth is more like what iptraf shows
<6> Either is fine.
<5> lol ok
<6> never heard of iptraf, hrmm
<5> all good give it a go ..
<6> all good?