Comments:
<0> re
<1> Wb.
<0> ty :)
<1> Np :p
<0> BBQ turkey ... yum
<0> tecnico: -j DROP shows as "filtered", as would a DNAT where the destination port is not open. -j REJECT shows as "closed".
<2> tnx
<0> tecnico: re: your morning Q: why so many rules?
<1> I've got a set of re-named switches (http://students.washington.edu/~tsnoozy/rename). Anyone here is free to give me feedback on the switch names :). rob0, if you could review the list, the second set of questions will be based on the renamed syntax.
<2> rob0: not that many rules.. it's a virtual memory or something similar problem
<2> setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 10140) = -1 ENOMEM (Cannot allocate memory)
<2> write(2, "iptables: Memory allocation prob"..., 36iptables: Memory allocation problem
<0> ai2097: will there be a quiz later? :)
<1> Kind of ;)
<1> Naturally, you'll have access to that list.
<3> I just finished a shorewall 3.0.4 install, and get iptables: Unknown error 4294967295 - ERROR: Command '/sbin/iptables -A reject -p tcp -j REJECT --reject-with tcp-reset" failed -- I am using iptables v1.3.5
<2> what am I missing for DNS resolution if I already have something like: -A OUTPUT -p udp -d $ispdns --dport 53 -j ACCEPT && -A INPUT -p udp -s $ispdns --sport 53 -j ACCEPT ?
<2> is there such a thing as "-A reject" ? just asking.. I don't know
<3> good question, shorewall sure thinks so... I have the identical setup (config-wise, and version-wise) on two machines.. doesn't work on the second, although kernel configs are also identical
<3> There *must* be something different I don't know about
<1> tecnico: Yyyes, but "reject" would be a user-defined chain in that case.
<3> ai2097: There isn't a single indication in my configs, but I should triple check
<2> just guessing: .. have you compared if you have all the same modules loaded on both ? ipt_REJECT ??
<3> ai2097: Otherwise, it isn't something dumb like a kernel module, is it?
<3> tecnico: I will check...
<2> tnx. ai2097
<1> iptables -L reject
<1> That will answer your question as to if you have a "reject" chain or not :p.
<3> ai2097: ipt_reject modules don't exist on either as per lsmod... iptables -L reject shows many rules on the working box
<1> Well, then, there's your answer. It is, in fact, using a chain called "reject."
<1> Which is a really bad name for a chain (confusion with -j REJECT, something completely different).
<3> ai2097: interesting.. it isn't in my configs
<1> Egonis: If you don't have the REJECT module loaded, that command will still fail though.
<3> ai2097: is it plainly called ipt_reject?
<1> ipt_REJECT.
<1> But iptables should load it automagically for you.
<2> the script that launches iptables but not iptables itself ... right ?
<3> I have a module called 'CONFIG_IP_NF_TARGET_REJECT' loaded as 'M' in .config, but modprobing ipt_REJECT finds no module... yes, I just compiled my kernel
<1> iptables + kernel should automagically load the right module, unless something screwy is going on.
<2> Egonis: did you do "make modules_install" ??
<3> tecnico: ... yes... :)
<1> Actually, I take that back.
<2> ai2097: I'm saying that 'cause I just tried it
<3> I see no module for it... lsmod shows a schmackload of ip_ and ipt_ modules loaded
<2> Egonis: type: /proc/net/ip_tables_targets
<1> iptables + my kernel automagically loads the modules I need -- but I have kernel module auto-loading enabled.
<2> Egonis: type: cat /proc/net/ip_tables_targets
<1> modprobe | grep "REJECT"
<2> Egonis: you should see REJECT in there
<1> s/modprobe/lsmod/
<2> again... I'm just guessing that may help
<3> aha..... the box that works has 'REJECT', the one that doesn't... well, doesn't
<3> but they have identical configs
<1> Apparently not :p.
<3> :)
<2> Egonis: my module is in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_REJECT.ko
<1> "modprobe ipt_REJECT" will find it if it's installed right.
<2> tru
<2> true
<1> locate ipt_REJECT.ko will find it if it's -not- installed right ;).
<3> how do I specifically compile THAT module?
<2> it should be in the netfilter area
<1> make menuconfig
<3> yeeah.. okay, :)
<1> networking -> networking options -> network packet filtering
<3> thank you all for your help
<3> I just wish I wasn't recompiling on a PII
<3> lol
<3> can't I just make the .ko manually?
<0> Rule of thumb: if you don't know what a module is and the help text doesn't recommend against it for some reason, if you can make it as a module, Just Say M.
<2> if it's just a module.. you can do make modules
<1> -> ip: netfilter configuration -> packet filtering (turn on) and REJECT target support (M)
<2> it'll be quick
<1> make modules && make modules_install
<1> rob0: Ready for the questions :)?
<0> I'll try
<1> rob0: The network configuration is here http://students.washington.edu/~tsnoozy/setup
<1> "port-forwarding" should read "packet forwarding" :p.
<0> ok
<1> rob0: Mind if I ask the questions PM? Don't want to flood the channel out (or give the questions/answers away to anyone else who might participate) :).
<0> ok
<2> how can I prefix a rule to the top of the list already in place ?
<1> -I
<1> (versus -A)
<2> tnx
<4> I know this is almost off-topic, but: how can I see the size of a packet with tcpdump? or where is the packet size information in the output?
<1> I don't use tcpdump directly, but AFAIK, it just grabs packets and dumps them to a file. You then use something like ethereal to actually -look- at the data. *shrug*
<4> ai2097, no ethereal in openwrt
<4> and it's supposed to run in it
<1> Scanning the manpage, tcpdump isn't geared towards displaying detailed packet information -- that's a job for a different program. Tcpdump's job is to filter and save packets.
<1> But, you can try "-v" (or -vv, or -vvv) which might give you the length information you're looking for.
<5> -j DNAT when applied to PREROUTING should mangle the source IP for the destination, right?
<4> ai2097, if it saves packets, then something that uses that information does nothing more than tcpdump, just data treatment
<4> I can do that, I just want to know where that data is
<4> the packet size
<1> AFAIK, the packets are saved in pcap format.
<5> "$IPT -t nat -A PREROUTING -p tcp -i $EXIF --dport 4000 -j DNAT --to-destination $XEDON" Is there any conceivable reason why that would take all incoming packets on 4000, and convert their apparent source address to that of my external IP?
<6> what do I need to do to totally disable my firewall and still have net access (need to test a couple of things)? tried iptables -X -F -Z -F -t nat but still no access at all
<0> oneforall: from the firewall machine or from a NAT client?
<0> You need to reset the default policies (-P) to ACCEPT
<0> (might)
<7> RST
<8> hey...can I use iptables like it was a proxy???
<8> h3h3h3
<7> Damn... didn't work
<8> FIN
<7> ;-)
<8> =X
<7> ack_syn: please explain...
<8> ...here I have a p2p network ...so I want to route my internet using the port 6588...
<8> and I wanna know if I can do it with iptables
<8> I know I can use just the -nat ...but I wanna use iptables like it was a proxy
<8> sorry...but my English is poor =| try to understand me
<0> iptables can route your traffic to a proxy, but it's not a proxy
<8> hum
<7> :-)
<8> so I'll have to use squid =|
<8> I don't know how 2 use squid =| and I don't find good texts about it =S
<1> squid == HTTP.
<1> Define what you mean by "proxy"
<8> ok
<8> I'll try
<8> look...the machine A is the server of INTERNET...I wanna route it (the internet) to the machine B, using the port 6588
<8> I wanna just do it
<8> but...using iptables
<8> is it easy to understand?
<1> I'll try an example to see.
<8> kk.
<8> ps.: it's a peer 2 peer network
<1> 1.2.3.4 is on the Internet. 2.3.4.5 is your IP address. Machine 192.168.0.1 is your router. Machine 192.168.0.2 is the one with port 6588 open.
<9> Port Forwarding...
<1> Nielsen: That's where I'm going.
<1> You want 1.2.3.4 to connect to 2.3.4.5 on port 6588, and have that connection show up on 192.168.0.2?
<8> nopz
<8> I'll try to explain again
<8> 1.2.3.4 (ppp0) is on the NET... 192.168.0.1 is my address of eth0 (my router)...so I want that the 192.168.0.2 connect in the NET using my port 6588
<8> right?
<1> You want INSIDE computers to connect to OUTSIDE computers on port 6588?
<8> I want that the computer in my network connect to the internet using the port 6588 in my computer
<8> I want to use iptables like a proxy
<8> u know?
<1> That would be NAT/Masquerade.
<8> nopz
<8> yes
<8> but
<8> using the port 6588
<8> for http and etc
<1> ... Er... I think you could do that technically, but I don't think it would actually work on the network?
<8> Hum