Quotes DB: useful, funny, interesting
<0> hi all
<0> how can I rewrite the destination address of an outgoing packet?
<0> I want: if it is to 172.x.x.x, go to 200.x.x.x
<1> DNAT
<0> in the local box ?
<1> nuny: you'll need to DNAT the packet in POSTROUTING; see the tutorial linked in /topic for examples
<0> are you telling me to DNAT in a local box, behind a true NAT ?
<1> If I'm understanding you correctly, yes - but I may not be...
<0> I've an app that is hardcoded to go to 172.x.x.x ... but this is in a network outside here
<0> so I need to go to 200.x.x.x when the destination in a packet is 172....
<1> In other words, if a packet is sent to 172.10.10.5, and you want it to go to 200.15.43.8, then you DNAT everything going to the 172 address to the other address
<1> If you're needing to redirect the entire address class, then I'm not sure - I've never had to do that, but I think there's a netmap option somewhere... seems to me like the best option is to fix (or replace) the broken app
<0> right
<0> I got it
<0> I tried with snat
<1> So it works now?
<0> badly
<0> I tried with
<0> iptables -t nat -D POSTROUTING -p tcp --dst 172.20.0.0/16 -j DNAT --to-destination 201.20.146.130
<1> -D deletes the rule
<0> yeah
<0> iptables -t nat -A POSTROUTING -p tcp --dst 172.20.0.0/16 -j DNAT --to-destination 201.20.146.130
<0> iptables: Invalid argument
<2> DNAT->SNAT
<0> unknown arg
<0> --to-destination
<1> Hmm... this needs to be done in PREROUTING... Sorry, I'm preoccupied with hardware issues right now
<0> no problem
<3> I have two accesses to the Internet from my linux router, how can I redirect automatically from Internet 'A' to Internet 'B' if A fails?
<4> I'm trying to use iptables to block an entire domain. As it stands, people can still reach subdomains. Do I have to declare all subdomains or can I "cheat" like I can in hosts.allow? This is what I have right now... iptables -I FORWARD -s 192.168.1.0/24 -d yahoo.com -j REJECT
<5> you can't cheat
<5> you are really blocking by IP, iptables is looking up those IPs for you with that rule
<4> daneildg: hmmm, so I need to figure out which netblocks belong to yahoo and block with that?
<5> sure, that would work
<4> daneildg: do you have a better suggestion for me?
<5> no
<5> other than maybe using a proxy
<4> squid perhaps? I can look into it. Thank you for your help.
<6> ah ****..anyone know a socket method or something to allow me to spoof source address? I typo'd a rule and it drops all packets now
<7> Spoofing a source address is easy enough, but you won't get anything back.
<7> It's SNAT in OUTPUT.
<7> (nat table of course)
<8> how do i clear /proc/net/ip_conntrack?
<7> Kernel < 2.6.14: unload the drivers. Otherwise, http://netfilter.org/projects/conntrack/
<8> I'm still having trouble blocking any traffic from port 50000 on a computer on my lan with my router's iptables
<8> i have these 2 rules
<8> -I INPUT -d 10.10.0.2 -p tcp --dport 50000 -j DROP
<8> -I INPUT -s 10.10.0.2 -p tcp --sport 50000 -j DROP
<8> that should work right?
<7> "on a computer on my lan" ... no. See the man page, description of builtin chains. You need FORWARD for that. And probably only --dport OR --sport, depending.
<8> well
<8> if the traffic is going through the router, it will be INPUT at some point correct?
<7> Not correct.
<8> -I FORWARD -d 10.10.0.2 -p tcp -m tcp --dport 50000 -j DROP
<9> how can i route some real ips
<9> i have route so i can have internet but no one can connect to my real ips
<9> hi ..how can i route my traffic to allow connections from outside to my lan ips
<10> Greetings.. anyone alive ?
<10> Setting up an iptables script for a NAT router/FW box... if I understand it right, iptables processes packets from the top of the rules, going through each till it hits a match, then does whatever the match rule says.. Now, should masquerade rules be at the top, then?
<11> hi, please I need help: I want to know the ip address of a box connected to my lan, but I can't access it via console (no monitor and keyboard)
<12> hi, AoE has a registered Ethernet type of 0x88A2, does that mean -p 162 ?
<12> surely it doesn't; they don't mean it has been given protocol number 34978?
<13> hello all.
<13> i'm looking for a secure way to allow passive connections to my ProFTPd server.
<13> i'm using CentOS with APF.
<13> what's the right way to do it with APF ?
<8> how can i do a not?
<8> like --dport !80
<8> ?
<14> yep
<8> ok
<8> so i need to chain a bunch of rules together
<8> basically i want them to be able to get to 80,443,5190 but nothing else
<8> -A FORWARD -s 10.10.0.2 -p tcp -m tcp --dport !80 -j REJECT
<14> u can try -m multiport
<14> if am not mistaken..
<8> well
<8> what i need is:
<8> -A FORWARD -s 10.10.0.2 -p tcp -m tcp --dport !80 --dport !443 --dport !5190 -j REJECT
<8> but is that possible?
<14> no
<14> check about the multiport module
<8> ok
<14> iptables -m multiport -h
<8> oh awesome
<8> ok
<8> -A FORWARD -s 10.10.0.2 -p tcp -m multiport --dport !80,!443,!5190 -j REJECT
<14> i think only the first "!" will be necessary
<14> My kernel isn't supporting iptables at the moment
<14> to check for u
<8> ouch
<8> heh ok
<8> it will error if it's bad
<8> I'll try it
<14> =)
Log from #iptables