<0> greetings
<0> is it likely that i have to patch iptables to allow my router to forward gre traffic?
<0> and/or the kernel?
<1> no, just forward protocol 47
<0> hmm. ok.. i don't quite understand that..
<1> but unless you're running a newer kernel that includes ip_nat_pptp you may need to patch to allow it through a restrictive firewall
<0> well, i think it's just my firewall in the way.. on the router..
<1> assuming you're working with pptp
<0> yes i am :)
<1> in that case, you want your kernel to have pptp conntrack/nat support
<0> true true
<1> I'm pretty sure it's included in newer kernels, but you'll probably have to patch if your kernel is old
<0> the router is actually kernel 2.4.26 hehe.. slackware 10..
<1> that'll probably need patching
<0> just the kernel?
<1> that patch may or may not require a patch to iptables itself - as a conntrack helper module, I'm thinking probably not
<0> nice
<0> so can i specify -p 47 with iptables?
<0> as opposed to -p tcp or -p udp?
<1> yes
<0> good stuff
<1> I think you can even say -p gre
<0> wicked
<2> i want to forward all traffic from the internet to an internal ip. the thing is, my adsl modem already has nat on it, and has a forwarding rule to an ip on my local lan. now i'm implementing a linux firewall host with 2 nic's, and i don't know how to pull it off... where should the modem forward go to? firewall out interface? because if it goes to the ip address as it used to, it doesn't even show in the logs?
<3> iptables -A FORWARD -p tcp -i $INET_IFACE --destination-port 21 --destination 192.168.0.144 -j ACCEPT
<3> what does this do?
<3> or what does the --destination field stand for?
<3> if the packet is for xxx then accept?
<4> it accepts TCP packets headed for 192.168.0.144:21
<3> ok, how do i tell it to forward all packets to port 21 to that ip?
<4> you need to do that in the nat table, using DNAT
<3> can you tell me the ip command?
<4> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.0.144
<3> if i just type the rule on the prompt will it be in effect?
<4> yes
<3> yes yes!
<3> you rule!
<5> danieldg: Did you take a look at that link I left last night?
<5> danieldg: how ugly was it? :-)
<4> the one from the recent module?
<5> yeah
<3> danieldg, have a big one on me:)
<3> byes
<4> is this the one you're talking about - http://snowman.net/projects/ipt_recent/ ?
<5> no... hang on, I'll see if I can find it still -- I left a pastebin link
<5> http://slackware.pastebin.com/542819
<5> That's what I worked up last night, and it functions as desired -- except for one thing
<5> I need a way to send packets arriving on port 113 to every host in the LAN and just let those rules decide whether they pass or not
<0> you need a vpn or a bridge?
<0> or both?
<4> why not have a bunch of rules in PREROUTING and match there?
<4> hmm, you'd have to have a separate IDENT_DST for each internal IP
<5> danieldg: hmmm...
<5> yeah
<5> wheels are turning though
<4> then take anything from that source and DNAT it...
<5> Okay, this is definitely do-able for a small LAN - I don't see a good way to do it for more than three or four hosts though
<5> (which is fine for me) :-)
<4> yeah, you'd probably want to add a conntrack helper for a larger number of hosts
<5> Ideally, that would be the way to go - if I knew how, I'd definitely write a helper module
<1> I tried to do just that several years ago, but my C foo just isn't up to it
<4> how complicated are helper modules?
<0> will the following commands forward gre packets? iptables -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT
<0> iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
<1> no
<0> do i need to forward them to a specific destination?
<1> iptables -t nat -A PREROUTING -p 47 -i $INTERNAL -j dnat --to-destination $SOMEOTHERBOXSIP
<0> cool ok
<1> err -j DNAT
<5> trappist: I told rob0 last night - as soon as I get done with grad school (not computer related), I'm going to learn C
<1> robw810: I'm gonna learn C as soon as I run out of other things to do, so it probably won't happen
<5> hehe
<0> trappist, do i need a forward rule too?
<5> Well, there IS that saying about "the best laid plans"
<1> voidy: you want that forward rule to allow the traffic
<0> trappist, just that prerouting rule? no forward rule?
<1> voidy: you need both, unless you ACCEPT everything in FORWARD
<0> cause usually to forward a port, i would create a forward rule to accept it and then a dnat rule..
<0> true
<0> so.. for outgoing connections to a microsoft vpn.. do i need to dnat out of my lan to the ip of the vpn server too?
<1> no, the masquerade rule should handle that
<0> good good
<1> oh, you'll also want to say iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT so the conntrack helpers will work
<0> righto
<0> hi guys
<0> i'm having trouble with my pptp connection
<0> i can see gre packets being sent out on the router.. using tcpdump.. but all the packets coming back are tcp syn's and ack's.. my firewall rules should be allowing gre traffic.. but the vpn server seems to just drop the connection quite shortly after connecting..
<6> describe the topology? Are the rules being incremented?
<6> anything being logged?
<7> what kind of iptables setting would stop it from making outgoing connections?
<8> stop what making connections?
<7> for instance, the computer can't do name resolution anymore
<8> allow established and related packages
<8> connections even
<7> for output?
<8> do you disallow all output?
<7> it doesn't look like i've put in any policy for OUTPUT
<8> default policy is to accept
<7> hmm
<8> iptables -L
<7> http://pastebin.com/544213
<8> are we talking about the machine or a nat behind that machine?
<7> the machine
<7> the machine itself can't seem to make connections itself, but i can connect to it
<8> Chain OUTPUT (policy ACCEPT)
<7> right
<7> so theoretically it should be working fine
<8> yes
<8> and im off to bed
<8> need to wake up in three hours
<8> dont wanna be up second night in a row
<7> wow
<7> cya
<7> =\
<7> good luck
<8> insomnia
<8> but anyways the machine should be able to make connections
<8> try to tcpdump stuff
<7> OK, go to sleep :P
<8> laters
<0> hi guys, i don't seem to have a PREROUTING or POSTROUTING chain in iptables.. should this work?
<0> iptables -nL POSTROUTING
<0> need modules doh
<9> voidy: you probably don't have the NAT or MANGLE table
<0> you're giht :)
<0> oops
<0> right*
<7> iptables defaults to policy DROP?
<6> JViz: no
<6> BTW "iptables -L" is useless. Post your "iptables-save".
<10> how can i implement UPNP on a linux router
<10> its for directIM, with either aim or gaim (i think it's working now in beta2)
<11> yo
<11> what's the truth about upnp?
<12> good morning
<13> good evening
<12> :)
<13> ;-)
<14> SI
<15> is there any channel for linux advanced routing ...
<15> anybody ?
<16> yahya: ##Networking , #iproute
<14> yahya: irc.lartc.net
<14> erm
<14> irc.oftc.net
<14> #lartc
<17> anybody ... is there any channel for linux advanced routing ?
<17> i have the following rule
<17> ip rule add fwmark 1 table t0