<0> can anyone help me get iptables working on 64bit linux dist?
<1> matth_: thanks!
<0> qzio help!
<1> doesn't debian default kernel have iptables built in from start?
<2> yes
<1> turi: there you go!
<0> doesn't work
<0> :l
<0> iptables won't work
<0> says module wrong version
<3> if i was using -j dmz with a local network of 10.0.0.0/24, would the dmz jumping automatically create a network for dmz?
<3> like 10.0.1.x
<4> -j is a jump target, which must either be a user chain (create it with "iptables -N dmz"), or one of the special builtin targets, or a target extension. In a word, no. See the man page.
<3> ah so there is no builtin target
<3> for dmz
<3> so dmz's can only be created with a chain of rules?
<5> dmz means nothing.
<3> just tryin to create an environment
<3> where a "side" of the network
<3> can't see the other
<3> but is able to route through one host
<5> if that's just about routing you have to play with the FORWARD chain
<3> alright thanks
<3> wait
<3> if i were to put one network on 10.0.0.0
<3> and another on 10.0.1.0
<3> and those 2 networks were on the same switch
<3> wouldn't they be able to see each other regardless of what i do with iptables?
<3> i have another nic if that helps in making a dmz easier
<4> With a /23 netmask they would :)
<5> you can use VLAN tagging
<4> Describe what you want to do and why, maybe we can suggest things ... yes like VLAN.
<3> that might be what i'm looking for
<3> one sec let me show you
<4> DMZ, like keeping external services separate from your internal network?
<3> http://en.wikipedia.org/wiki/Image:Demilitarized_Zone_Diagram.png
<3> i have a lot of computers
<3> 1 a router, 1 which runs an important service
<3> and a few other clients
<3> i want the 1 that runs service and few other clients not be able to see each other
<3> well if the 1 that runs the services can see the other clients, but not vice versa, that would be a bonus
<3> but i'm guessing if one can see the other, then it goes vice versa?
<4> Um, generally your externally-accessible machine[s] (DMZ) would be accessible by LAN clients, but the DMZ would not be able to get into the LAN.
<3> then that's not a dmz
<3> that's just 2 routes
<3> unless that's what a dmz really is
<4> :)
<4> You decide what you need, labels don't matter.
<3> let me carefully read what dmz says
<3> well i'm not sure if i NEED this
<4> You probably don't.
<3> but it is good experience, in case the term dmz ever comes up somewhere, then i'd know how to set it up ;-)
<4> yes
<3> ah you know what
<3> i already do have a DMZ set up
<3> heh
<3> i thought the concept of DMZ is so that neither DMZ or the client side can see each other
<3> but it's only one way, DMZ not being able to see clients
<3> which is basically 2 routes heh
<3> and this is where my DMZ venture ends peacefully
<4> Right. The idea being that DMZ hosts are potentially more vulnerable, so a successful intruder there can't get in.
<3> and a little thing i do
<3> with my third NIC card
<3> is connect that into the DMZ like an idiot
<4> It helps if you have other IP addresses you can use, like at least a /29 netblock.
<3> well the first is 10.0.0.0
<3> then there's another router
<3> 192.168.1.0
<3> different subnets
<4> I meant real IP addresses, not RFC 1918 ones. There are plenty of those to go around. :)
<3> oh
<3> how does it help?
<4> Each DMZ machine can have its own IP address, no NAT.
<3> i don't understand
<4> I set one up recently, try this: "nmap -sP 70.142.174.120/29". One of those is a DSL router, one is a firewall controlling access to LAN and DMZ, 3 are DMZ hosts.
<3> oh that is nice
<3> i can do that? the isp will allow?
<4> .125 is the firewall ... you would only see SSH open on that one.
<4> .121-.123 are the DMZ
<3> i don't understand how that works
<4> These people paid their ISP for business service and the /29 netblock.
<3> doesn't the ISP only give you one IP?
<4> For home users, generally so.
<3> yea, i was getting freaked out
<3> lmao
<3> so basically since i am a home user
<3> i can't do nothing like that, correct?
<3> just confirming lol
<4> pretty much, although I'm sure your ISP would like to sell you more services. :)
<2> you could buy static ips tunneled with encryption :)
<3> hmm
<3> you mean home ---encrypted---> ISP ---> internet
<3> ?
<2> vpn
<3> ok i see
<3> well that's not a bad idea
<2> I do it for example
<3> but i'd rather just manually encrypt every protocol
<2> yeah but it's only encrypted in the tunnel to the external isp
<4> The IP is at a colo site in Atlanta
<2> i have one static ip from my isp and four static ips from a different service provider
<2> vpn with ipsec, no bandwidth limitation
<4> I use openvpn for mine.
<2> same here :)
<3> i don't get where the tunnel is going to
<4> openvpn != ipsec
<3> i understand it starts from home but ends where?
<3> just to the isp, right?
<2> no
<2> it ends at the third party provider
<2> you're right rob0, my bad
<4> The host I'm using for IRC is a colo box in Atlanta. I connect via openvpn to it, and it proxy ARP's that IP address for me.
<2> I got confused, I'm all new to tunneling and so on
<4> Ipsec could do it too, I'm sure.
<3> ok yea i already knew something like that was possible
<3> i just misunderstood heh
<2> yeah, I think I meant aes/3des as encryption though
<3> so basically
<3> you would do this if you had fear that the main ISP was sniffing
<3> ?
<2> or if you need more ip addresses?
<3> i see
<4> You can even do openvpn without encryption. I don't, but it's possible.
<3> then what's the point of that?
<3> lol
<2> well I have a tunnel mostly for reversing hosts to use at ipv4 irc networks :)
<4> The point being that it's just a convenient way to get more IP addresses ... IF you have access to a colocated box with IP addresses to spare.
<3> bbl router restart
<3> well i have this third nic
<3> doing absolutely nothing now
<3> wonder what i can use it for
<6> somebody can explain me this http://arch.pastebin.com/715254 nmap -sU -p 1-2000 139/udp closed netbios-ssn 445/udp closed microsoft-dn ?
<2> udp state new?
<2> :)
<6> this doesn't work that way?
<2> you might want to try with --state NEW,ESTABLISHED
<7> can someone tell me the basic 2-3 lines for ip masquerade
<7> to get it working
<8> jeffrin: yes
<8> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
<8> where eth0 is the iface connected to inet
<9> hello. my school does not allow connections to dports 6667-7000, that blocks me from most irc servers.
<9> also, to the best of my recollection, only a few destination ports are forwarded out to the internet.
<9> so, i have decided to set up a lame little proxy, that will allow me to irc from school:
<9> iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 70.
<9> 49.183.28 --dport 80 -j DNAT --to-destination 204.92.73.10:6667
<10> maxine: snat needed
<11> snat needed is forwarding a connection to a host where the return packets do not pass through the iptables machine, you must change the source address with SNAT (or MASQUERADE) or the connection will fail. See http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
<9> yes