<0> Is there a trick to getting ftp to work? I used modprobe ip_conntrack_ftp then : iptables -t nat -A PREROUTING -p tcp --dport 20:21 -j DNAT --to-destination $FTPIP
<0> But it no workee
<1> modprobe ip_nat_ftp
<2> hello
<2> anyone around here ?
<2> there was a nice feature in ipchains to test rules (ipchains -C), is there anything doing the same with iptables .. I searched and found nothing ...
<1> what do you mean by testing rules?
<2> well, I'd like to know exactly what rule will match a given packet ..
<2> I just made a new ruleset with a custom chain and I would like to be sure it behaves the same as the old one
<1> I wrote a perl program that does that; there's nothing builtin that will do it unless you use the TRACE target
<2> k, but even with trace, you still have to send the packet yourself ..
<2> am I right ?
<1> yes
<1> what did -C do?
<2> apparently, you specified a packet and it answered what rule it would have matched
<2> no packet to send yourself
<1> that's what my program does
<1> asks you stuff about the packet and tells what rules match
<1> one rule per table that matches, that is
<2> how does it work ? it reads the different chains and then does it all without calling iptables ?
<1> yes
<1> http://daniel.6dns.org/info/iptables/
<1> it reads the iptables-save output
<2> ok, thx .. I'll look at that
<2> good night
<0> danieldg: I just got back to my house. I got your note on the modprobe ip_nat_ftp. Thanks.
<3> Hi there... is there some rule that prevents listing ftp directory contents? I have a problem here that I can connect (using ftp clients) but can't get the dir content
<3> Does someone know something about it ?
<4> I work in an ISP. Need to make a linux router for NAT. Need to nat all my clients [internal ip] to a [valid ip] internet.
<4> how can i assign an ip from a pool of ips to one user?
<5> socram: filter on source when you write SNAT rules
<5> add multiple rules : -s CLIENT1_NET -j SNAT --to IPCLIENT1
<4> that will be some static rules, can't you assign, for example: -s client_network/24 -s j SNAT --to IPCLIENT_network/24 ??
<6> hey all
<6> I'm not sure if this is 100% an iptables issue
<7> socram: netmap
<6> i have the usual setup. cable into cable modem, cable modem into eth0, eth1 into lan
<6> eth1 more precisely into a router that also has wireless
<6> I'm having problems with that router obtaining/retaining an ip address
<6> sometimes it'll obtain the address, but lose it sometime later (usually several hours) and i cannot renew the ip address
<6> so i'm not exactly sure how to troubleshoot that issue
<7> that's not an iptables issue
<6> any idea how to troubleshoot?
<6> that router gets the ip from the iptables box
<7> it might be that router issue
<7> which router is it?
<6> wrt54g v5
<6> i suppose that i could troubleshoot by using a static IP address
<6> but i'm beginning to suspect the motherboard or the network card
<8> blahblahblahblahblah
<6> ashica, something to add?
<8> just added it
<6> ashica, just being a haraami?
<4> in this example: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160, what is the TTL for the assigned ip? how long till it's released?
<1> it's per-connection
<9> RE
<4> danieldg, how's that? i can't find any explanation on the tutorial... i've more or less 30 clients that will be nated with a pool of 15 valid ip's. should i worry about these TTLs?
<1> TTL for what?
<1> it's a round-robin
<4> i believe every ip assigned to the client by snat has a ttl or expiration time, am i right?
<1> I don't think so; each new connection has a mapping which is stored in the conntrack table for that connection
<1> so each new connection is given a new SNAT source
<4> now, suppose my 15 ips are in use, any new request for snat will map an already in use ip, right? so i'll have 2 clients snated to 1 valid ip.
<1> yes
<1> you'll have 1 client snated to many valid IPs too
<6> danieldg, you here/watching?
<6> does anyone know if gentoo's genkernel (with its default config) supports iptables?
<10> more chances in #gentoo
<11> hi
<11> 3 (80.239.200.102:3000) - Your 19960 port is not reachable. Please review your network config.
<11> I've set my router : iptables -A INPUT -p tcp -i eth0 --dport 19960 --sport 1024:65535 -m state --state NEW -j ACCEPT , but still getting error from emule :3 (80.239.200.102:3000) - Your 19960 port is not reachable. Please review your network config.
<1> nir\: why include the --sport stuff?
<4> nir\, dnat port 19960 to your emule box
<4> that's how you get high id.
<12> hello this is my firewall http://pastebin.com/591348, i need to get the information about the bandwidth usage per user, I put iptables -xnvL |grep 00:02:44:88:55:A8, but I only need the counter number ... how can I get this?
<1> use awk or something
<12> danieldg, hello daniel ... how can I use awk? ... example please
<1> awk '{print $2}' should get the bytes field
<12> danieldg, thanks ... works!!
<13> Hi.. I'm trying to set up and learn some basic iptables, and i've been following the guide on the gentoo-wiki. However, I'm wondering about a few lines
<13> http://arch.pastebin.com/591400
<13> What do they do?
<1> sets the policies for the filter table
<13> Which means? *cough*
<1> if no rule matches a packet, then it will do whatever is in the default policies - in this case, be accepted
<13> That's not a good thing, is it?
<1> depends. It's good for OUTPUT, but I usually have INPUT and FORWARD set to DROP
<13> Ah.
<13> Ok.. the rules I've got should work fine, then.
<13> Thanks a lot!
<13> Gah, wait, so whenever someone sends a packet to ports ranging from 5 to 952, it accepts?
<1> no, those are counters, not port numbers
<13> bit counters?
<1> packet and byte
<13> Awesome. Makes sense.
<13> Thanks a lot!
<13> *poof*
<0> More bridging problems. I dnat port 1000 in prerouting.
<0> I see the packet cross br-dmz and hit br-apps.
<0> But I don't see it go out the interface vif16.0
<0> I confirmed vif16.0 is on the bridge
<0> I used tcpdump to watch br-apps and vif16.0. Only br-apps gets the packet.
<0> Is there a tool I can use to determine where the packet goes after br-apps?
<0> Note that iptables only shows the packet coming into prerouting. I believe that is correct since once I dnat it, it is handled by conntrack. I believe the packet immediately proceeds to the routing table. Route sends it to br-apps (which is where I last see it)
<0> Okay... this is weird. conntrack doesn't show the connection being dnat'd. It does not exist at all.