Comments:
<0> here guys ?
<0> how can i make my pc to connect to host 2 when a software asks to connect to host 1 ???
<1> use DNAT in the nat table OUTPUT
<0> [lets say i type in: lynx library, which lets say has ip XXX, but i want it to think, ip of library is YYY]
<1> why not just put that in /etc/hosts?
<0> so, how i make this linux system, when asks data from ip XXX, never connect XXX but the specified YYY i know ?
<0> because hosts method wont work
<0> its not just a domain/host
<0> its more complex
<0> and my english is bad
<1> iptables -t nat -A OUTPUT -d X -j DNAT --to-destination Y
<0> does this take over all outgoing requests for host X to go to host Y, all protocols and ports ?
<1> yes
<2> Note, this only works for a process running on the iptables machine itself, not for traffic forwarded between other machines.
<0> didnt work
<0> can i use FQDN in X and Y ?
<0> or just IPs will work ?
<1> it will resolve it to an IP before inserting the rule if you use FQDN
<0> what if i want to resolve it live any time requested ?
<2> FQDN is okay as X but not as Y.
<2> iptables -t nat -A OUTPUT -d X -j DNAT --to-destination `dig +short Y.fqdn`
<0> so, the host i ask to visit, can be resolved live ?
<0> Y is static
<0> iptables -t nat -A OUTPUT -d Domain-Name-Dynamic-IP -j DNAT --to-destination Destination-IP-Static
<0> is ok ?
<0> ???
<1> looks good to me
<3> hello
<3> ipt_ROUTE when used with --oif eth1 --gw 123.123.123.123 is performing the wrong arp requests, if the destination ip was 231.231.231.231 then it arps for 123.123.231.231 instead of for the gateway of 123.123.123.123, anyone got any ideas?
<3> hello
<3> ipt_ROUTE when used with --oif eth1 --gw 123.123.123.123 is performing the wrong arp requests, if the destination ip was 231.231.231.231 then it arps for 123.123.231.231 instead of for the gateway of 123.123.123.123, got any ideas?
<4> Any suggestions why portage seems to want to use exactly the opposite of what I put in my USE flags?
<4> oops.
<4> Wrong window. My apologies.
<5> :)
<5> hazard: what are your use flags?
<4> Well, an example I'm seeing a lot of is -ipv6 showing up as +ipv6, and the opposite for doc.
<5> there should be no plus
<5> just regular and -
<5> hrmm
<3> so anyone know about ipt_ROUTE?
<3> is anyone even here?
<1> I'm here, but I've never used ipt_ROUTE, so I can't help
<3> eh thats ok
<3> i worked around it :)
<3> ebtables rocks :)
<1> yes, that would be a good workaround :)
<3> heres hoping :)
<3> didnt work danieldg :(
<1> I've never done this either, but can you just mark the packets with iptables and use iproute to do the routing, instead of the ROUTE target?
<3> didnt think of that
<3> thanks
<1> hope it works
<3> so do i
<3> can you have more than 1 mark on a packet at a time...
<1> no
<3> didnt think you could...
<3> cause i need to mark the connections to make sure they have the right source ip address
<3> gonna have to fix ipt_route...
<1> why not just use -s for the source address?
<3> i do
<1> I don't understand what you're using the mark for
<3> i have 2 adsl links
<3> i use connection marking to assign the correct ip address to each packet as packets being transmitted are sent out different adsl links with spoofed source addresses
<1> can't you use that same mark to route?
<3> no because i use nth to decide which adsl link the upstream packet will use
<3> hmm... actually
<3> you gave me an idea...
<3> thanks :)
<6> My old router had a tab called "special applications", it was basically port triggering. This allowed me to do something akin to port forwarding, but I didn't have to specify an internal IP address, just incoming port(s) and internal port(s). Does iptables have this functionality, if so what's it called? Is there any documentation on it?
<1> I'd have to hear more about the feature and how it's triggered
<6> I'm not sure, from what I understand it works by knowing that there is an outgoing connection on the port, and then opens it for connections. The only thing I could find was this: https://lists.netfilter.org/pipermail/netfilter/2005-December/064239.html
<1> you might be able to create something similar using the recent module if it's for a limited number of ports (one rule for each port) - but why not set up static port forwards?
<6> Because I've got more than one PC on my network that wants to use stuff like BitTorrent, or certain games. Which use a large number of ports (~2000 ports)
<1> hmm, from that message, it looks like you might have to run a daemon that adds rules dynamically
<1> bittorrent is just one port/machine, what applications use 2000 ports?
<6> Several games I have require a range of 55000-57000 to be open.
<1> you can open that range in 1 rule
<6> With something to this effect? iptables -A INPUT -p TCP --dport 55000:57000 -i ${WAN} -j ACCEPT
<1> You'd want to NAT the connections, not accept them into INPUT (unless the firewall is also doing the game)
<6> I see... I'm understanding this a little better now. Thanks
<7> danieldg: I've been meaning to play around with the recent module in an attempt to do something similar to what he's wanting, but with identd with respect to IRC
<7> I just can't find the time
<1> robw810: I just wrote something like that
<7> I know there's oidentd that can essentially do what I'm after, but still...
<7> really?
<7> what's your site address again? I thought I bookmarked it, but I guess not
<1> http://daniel.6dns.org/info/iptables/ident-check
<3> YEAH I GOT IT WORKING :)
<3> thanks daniel :)
<1> SoloFlyer: what did you do?
<3> marked the packets
<3> then used ip rules
<7> danieldg: yes... nice... that's roughly what I was thinking, except I was considering doing it based on the initial outgoing packet
<1> yeah, I didn't know how to swap the source/dest in recent, so I thought that the SYN/ACK would be the best place to do it
<3> danieldg: well it was a little more complicated than that and im only half done but yeah :)
<7> danieldg: well, that looks good - I'll see if I can find time to mess with it this weekend and let you know if I make any progress... :-)
<1> SoloFlyer: ok, glad I could be of help ;)
<3> :)
<1> robw810: looks like --rdest might be better, for matching the outbound packet
<3> its nice just to have someone to talk it through with who can say something more than what the **** you talking about :)
<7> danieldg: probably... we'll see :-)
<7> danieldg: Here's what I'm thinking... I have multiple hosts inside the LAN that use IRC. Have the firewall use rdest set name IDENT_OUT to note the irc server ip and rsource set name IDENT_IN to note the client ip; have all tcp 113 coming in DNAT'd to entire LAN, then a FORWARD rule sends them to a custom chain. The custom chain will first check the incoming source address to make sure it's in IDENT_OUT and then the incoming dest to make
<7> That sound right? better idea?
<7> hmm... might require two separate custom chains - one to check each ipt_recent entry
<7> danieldg: seems that only one can be set in a rule - rsource or rdest - not both
<7> danieldg: okay, this works as expected. The only issue is this: I'm not seeing a way to send incoming identd requests to *all* hosts on the LAN (and letting FORWARD chain decide whether they pass based on recent)
<7> If I DNAT incoming auth to a single host, then it works fine
<7> danieldg: this is what I've got; it's ugly, and you may find it useless, but here it is nonetheless: http://slackware.pastebin.com/542819
<2> robw810: what about that homework? :)
<2> OT: they're apparently giving away vmware now: http://www.vmware.com/download/server/
<3> lol
<3> whats the deal with having a #netfilter and a #iptables on the same irc server?
<2> Generally we lowly users hang around in here, developers are in there.
<3> i see
<2> I'm in there too, lurking mostly.
<3> so why not just call this channel #netfilter-plebs
<2> hey!! Sounds like a plan!
<3> :)
<7> rob0: still not done - got distracted... :-)
<2> Let's get together and overthrow the ops.
<3> lol
<7> rob0: what do you think about that? Is there something I'm missing that would make what I'm trying to do easier?
<2> Looking, not quite understanding yet :(
<7> I mean, it's trivial to do that for a single host, but not so trivial when done at the firewall/gateway for multiple hosts
<2> Did you try the midentd thing?
<2> (I never did.)
<2> fm:midentd in konqueror
<7> rob0: no, and I'm not going to -- I don't even *need* identd (this is just an intellectual pursuit basically)
<2> oh
<7> :-)
<2> Just something to help you be good and tired in the morning for that exam. :)
<7> I've run across a few (less than five) people who *needed* it due to some screwed up irc server that wouldn't take a REJECT, and I'd like to work something up for them
<7> yep
<7> I'm really surprised that nobody's written a module for it, and if I knew how, I would
<7> For *my* purposes, I'd be happy (and what I've got so far would work) if I could DNAT *all* traffic coming into the firewall on port 113 to *all* hosts on the LAN
<2> yes, it's probably not that difficult, and seeing as the netfilter developers DO use IRC, it's odd.
<7> Specifying a range or multiple ip's in DNAT results in round-robin distribution
<7> As soon as I get finished with grad school and have some time to devote to learning things that matter (hehe), I'm going to take a class on C - I figure I can learn anything else on my own from there
<2> seriously ... grab a book. How will the class help? A book and play with some code. You'll be an expert in no time.
<8> Grab a book and a psychotic software engineer. The latter will gratuitously point out how Wrong and Bad your code is, which is a good thing to learn how to see early on ;)
<7> rob0: A class will help because it will force me to spend at least that much time on learning it -- otherwise, you're likely right
<7> hehe
<2> NEED is the best teacher. :)
<7> very true
<7> That *is* why we learned iptables, right? :-)
<2> yup
<2> s/learned/are learning/ :)
<7> yeah, well, whatever... :D
<7> Well, I'm going to sign off now so I can finish this damn paper and go to bed - it's way too late, and middle school kids are not very forgiving of sleep deprivation ;-)
<7> G'night guys