#iptables
<0> my side of the vpn has an internal address 192.168.0.x and the other side only accepts packets from 172.20.1.100 (not a real ip address, but an alias). How can i NAT this packet to enter the tunnel with the source ip 172.xx.x and make its return OK?
<1> Is there an "easy" way to drop/kill a NATted TCP connection from the conntrack hash?
<2> Burnys: that's gonna be hard
<2> are you running a 2.6 or 2.4 kernel?
<0> 2.4
<0> but it's not hard to change
<2> no need to change
<0> ok
<2> then you might have some luck
<2> because in 2.6 kernels ipsec packets travel the prerouting chain only once
<2> and that's when they are encrypted
<2> google "iptables netmap"
<0> rza then with kernel 2.6 it's easy?
<2> no
<2> i mean in 2.6 it's almost impossible
<0> http://www.shorewall.net/netmap.html
<0> in kernel 2.4 it isn't possible?
<2> http://www.nimlabs.org/~nim/dirtynat.html
<2> yes it is possible
<2> do you listen at all to what i say?
<0> so so
<0> i got it
<0> =)
<0> rza: to sum up: I need to patch the 2.4 kernel with patch-o-matic to enable NETMAP and configure it?
<2> i presume so
<3> Hi guys!
<3> how do i remove all rules from the table?
<2> iptables -F && iptables -F -t nat && iptables -X
<2> and set default policies to accept
<4> hi, how can i map an ip address which is behind NAT?
<5> map? like nmap?
<4> no no
<4> s/map/get
<5> from where?
<4> through DNS
<4> from outside
<4> i am outside of the NAT and i want to get the ips which are behind the NAT
<5> I'm not sure I understand correctly... just request the DNS entry
<4> is there any tutorial about it?
<4> because i am totally new to it
<5> what are you trying to do?
<4> ok
<4> now i am outside of the network, for example a cybercafe, it uses NAT... so i know their public ip address
<4> but i want to get their internal address
<5> you can't connect to an address behind a NAT unless you are also behind that NAT or it is port forwarded
<4> ok
<4> how can i know which ports are forwarded?
<5> if it's a cybercafe, they probably aren't forwarding any ports at all
<4> i see, here i am not clear with port forwarding.... is that port mapping?
<4> using the port number to route to the specific host?
<5> publicip:portno ==> privateip:portno
<5> where privateip is chosen by the NAT router
<4> i see
<4> so i have to use a packet crafting tool like hping
<4> and guess the internal ip
<4> right?
<5> er, how would that help?
<5> the internal IP isn't routable on the internet, it won't get there
<4> because i want to connect to some boxes which are behind the NAT.. i totally don't know the ip address.. and which ports are forwarded
<5> what you are trying to do is impossible
<4> i see
<4> but if i have root access on the gateway
<4> i can do it, right?
<5> well, then you just have it proxy your connections
<4> proxy my connections, meaning?
<5> you can set up the port forwards or just connect from a shell on the gateway
<4> me(outside)======G/W(NAT)=======host(internal)
<4> ok after that
<4> please carry on
<4> thanks
<4> sorry for my bad english
<0> can anyone help me with iptables netmap to make rules to convert an entire network 192.168.0.0/24 into a single address 172.20.1.100 before entering the ipsec tunnel?
<6> lo all
<6> does the ip_conntrack_ftp module work with FTPS (secure FTP)?
<5> evildead: probably not, wouldn't it have to decrypt the stream to get the PORT commands?
<6> so there isn't any solution to do connection tracking on ftps traffic?
<5> not that I know of
<6> ok thanks
<0> rza hi
<7> hello, RX = incoming data, TX = outgoing data? (just checking)
<8> yes
<7> thanks :)
<7> just checking my current flat internet with iftop :)
<9> how would i go about locking users from using IRC
<9> but allowing others?
<10> WTF?
<9> OUTPUT on dport 5000:9000
<9> for the GUID of 'foo,bar,blah,poo,oof' users
<9> but allow the GUID of 'blah'due'asdasd'asdasdasd'
<9> for example
<9> so the 'untrusted' group can't OUTPUT on dport 5000:9000
<11> re
<9> and the trusted group can
<12> I find that most solutions which require OUTPUT filtering can better be implemented in meatspace, i.e., tell the users what's prohibited and whack them hard if they break the rules.
<12> You could also change privileges on known IRC client software, but this of course wouldn't prevent a user from installing her own, or using some scripted language.
<9> well i am just trying to make it hard for them
<9> there is tom on there, and he is new, he keeps connecting on my ipv4 address, but i want to encourage him to use the ipv6 address
<9> there is a --uid
<9> part of iptables i believe.
<5> --uid-owner, part of the owner module
<9> yep!
<9> iptables v1.2.10
<9> is my version of iptables.
<9> will that have the owner module?
<5> try it
<10> surely
<9> modprobe iptables_owner?
<5> it depends more on the kernel than the iptables version
<9> 2.4.26
<5> (it'd be ipt_owner)
<9> ah thx
<9> and no bitching about the age of my kernel, i _know_ it's vulnerable
<9> danieldg: loaded fine
<10> ashica, http://www.faqs.org/docs/iptables/matches.html#TABLE.OWNERMATCH
<9> thanks kokoko1
<10> don't mention it, perhaps I love your kernel version :)
<9> :|
<10> it's slack?
<9> yeah
<9> 10.0.0
<9> going to update it sometime soon
<10> cool :)
<9> just not got around to it.
<9> it's got that crappy localhost kernel crash exploit
<9> that's getting on my nerves.
<9> fearing someone will run it.
<10> there will be a README.initrd on CD2, just follow it and you've got a 2.6.x kernel in just 5 minutes
<9> i know how to do kernel updates mate =o
<9> lol
<10> heh, I know you are a slacker :)
<9> i am learning iptables, i know 'pf'
<9> and ipfw
<10> and every slacker knows these things :)
<9> x)
<10> i'm also using slack 10.0 with a 2.6.15.2 kernel
<9> i am not keen on the 2.6.x kernel range
<10> damn, it's been a rock solid box for the last 2 years, no need to update to a newer version
<9> i stick with 2.4 for gw's and stuff.
<9> 15.2 hasn't been around for 2 years, fool
<10> heh, sounds like Pat :)
<9> pft
<9> i remember when i talked to pat
<10> 2.6.15.2
<9> lol
<9> well let's be correct, i said 'hi'
<10> however slack 11 will be 2.6.x by default
<9> meh.
<9> i am still on 10.0.0
<10> same here :)
<9> my gw just needs a kernel upgrade, and that's secure.